From 0fbf5238203041f734c51b49778223686f14366b Mon Sep 17 00:00:00 2001 From: Andrew Jones Date: Mon, 16 Mar 2015 12:30:46 +0000 Subject: [PATCH 1/7] target-arm: convert check_ap to ap_to_rw_prot Instead of mixing access permission checking with access permissions to page protection flags translation, just do the translation, and leave it to the caller to check the protection flags against the access type. Also rename to ap_to_rw_prot to better describe the new behavior. Signed-off-by: Andrew Jones Reviewed-by: Peter Maydell Message-id: 1426099139-14463-2-git-send-email-drjones@redhat.com Signed-off-by: Peter Maydell --- target-arm/helper.c | 47 +++++++++++++++++---------------------------- 1 file changed, 18 insertions(+), 29 deletions(-) diff --git a/target-arm/helper.c b/target-arm/helper.c index 3bc20af04f..d1e70a86a6 100644 --- a/target-arm/helper.c +++ b/target-arm/helper.c @@ -4903,34 +4903,23 @@ static inline bool regime_is_user(CPUARMState *env, ARMMMUIdx mmu_idx) } } -/* Check section/page access permissions. - Returns the page protection flags, or zero if the access is not - permitted. */ -static inline int check_ap(CPUARMState *env, ARMMMUIdx mmu_idx, - int ap, int domain_prot, - int access_type) +/* Translate section/page access permissions to page + * R/W protection flags + */ +static inline int ap_to_rw_prot(CPUARMState *env, ARMMMUIdx mmu_idx, + int ap, int domain_prot) { - int prot_ro; bool is_user = regime_is_user(env, mmu_idx); if (domain_prot == 3) { return PAGE_READ | PAGE_WRITE; } - if (access_type == 1) { - prot_ro = 0; - } else { - prot_ro = PAGE_READ; - } - switch (ap) { case 0: if (arm_feature(env, ARM_FEATURE_V7)) { return 0; } - if (access_type == 1) { - return 0; - } switch (regime_sctlr(env, mmu_idx) & (SCTLR_S | SCTLR_R)) { case SCTLR_S: return is_user ? 0 : PAGE_READ; @@ -4943,7 +4932,7 @@ static inline int check_ap(CPUARMState *env, ARMMMUIdx mmu_idx, return is_user ? 0 : PAGE_READ | PAGE_WRITE; case 2: if (is_user) { - return prot_ro; + return PAGE_READ; } else { return PAGE_READ | PAGE_WRITE; } @@ -4952,16 +4941,16 @@ static inline int check_ap(CPUARMState *env, ARMMMUIdx mmu_idx, case 4: /* Reserved. */ return 0; case 5: - return is_user ? 0 : prot_ro; + return is_user ? 0 : PAGE_READ; case 6: - return prot_ro; + return PAGE_READ; case 7: if (!arm_feature(env, ARM_FEATURE_V6K)) { return 0; } - return prot_ro; + return PAGE_READ; default: - abort(); + g_assert_not_reached(); } } @@ -5083,12 +5072,12 @@ static int get_phys_addr_v5(CPUARMState *env, uint32_t address, int access_type, } code = 15; } - *prot = check_ap(env, mmu_idx, ap, domain_prot, access_type); - if (!*prot) { + *prot = ap_to_rw_prot(env, mmu_idx, ap, domain_prot); + *prot |= *prot ? PAGE_EXEC : 0; + if (!(*prot & (1 << access_type))) { /* Access permission fault. */ goto do_fault; } - *prot |= PAGE_EXEC; *phys_ptr = phys_addr; return 0; do_fault: @@ -5204,14 +5193,14 @@ static int get_phys_addr_v6(CPUARMState *env, uint32_t address, int access_type, code = (code == 15) ? 6 : 3; goto do_fault; } - *prot = check_ap(env, mmu_idx, ap, domain_prot, access_type); - if (!*prot) { + *prot = ap_to_rw_prot(env, mmu_idx, ap, domain_prot); + if (*prot && !xn) { + *prot |= PAGE_EXEC; + } + if (!(*prot & (1 << access_type))) { /* Access permission fault. */ goto do_fault; } - if (!xn) { - *prot |= PAGE_EXEC; - } } *phys_ptr = phys_addr; return 0; From d76951b65dfb1be4e41cfae6abebf8db7a1243a3 Mon Sep 17 00:00:00 2001 From: Andrew Jones Date: Mon, 16 Mar 2015 12:30:46 +0000 Subject: [PATCH 2/7] target-arm: fix get_phys_addr_v6/SCTLR_AFE access check Introduce simple_ap_to_rw_prot(), which has the same behavior as ap_to_rw_prot(), but takes the 2-bit simple AP[2:1] instead of the 3-bit AP[2:0]. Use this in get_phys_addr_v6 when SCTLR_AFE is set, as that bit indicates we should be using the simple AP format. It's unlikely this path is getting used. I don't see CR_AFE getting used by Linux, so possibly not. If it had been, then the check would have been wrong for all but AP[2:1] = 0b11. Anyway, this should fix it up, in case it ever does get used. Signed-off-by: Andrew Jones Reviewed-by: Peter Maydell Message-id: 1426099139-14463-3-git-send-email-drjones@redhat.com Signed-off-by: Peter Maydell --- target-arm/helper.c | 49 ++++++++++++++++++++++++++++++++++++++------- 1 file changed, 42 insertions(+), 7 deletions(-) diff --git a/target-arm/helper.c b/target-arm/helper.c index d1e70a86a6..d996659652 100644 --- a/target-arm/helper.c +++ b/target-arm/helper.c @@ -4905,6 +4905,11 @@ static inline bool regime_is_user(CPUARMState *env, ARMMMUIdx mmu_idx) /* Translate section/page access permissions to page * R/W protection flags + * + * @env: CPUARMState + * @mmu_idx: MMU index indicating required translation regime + * @ap: The 3-bit access permissions (AP[2:0]) + * @domain_prot: The 2-bit domain access permissions */ static inline int ap_to_rw_prot(CPUARMState *env, ARMMMUIdx mmu_idx, int ap, int domain_prot) @@ -4954,6 +4959,32 @@ static inline int ap_to_rw_prot(CPUARMState *env, ARMMMUIdx mmu_idx, } } +/* Translate section/page access permissions to page + * R/W protection flags. + * + * @env: CPUARMState + * @mmu_idx: MMU index indicating required translation regime + * @ap: The 2-bit simple AP (AP[2:1]) + */ +static inline int +simple_ap_to_rw_prot(CPUARMState *env, ARMMMUIdx mmu_idx, int ap) +{ + bool is_user = regime_is_user(env, mmu_idx); + + switch (ap) { + case 0: + return is_user ? 0 : PAGE_READ | PAGE_WRITE; + case 1: + return PAGE_READ | PAGE_WRITE; + case 2: + return is_user ? 0 : PAGE_READ; + case 3: + return PAGE_READ; + default: + g_assert_not_reached(); + } +} + static bool get_level1_table_address(CPUARMState *env, ARMMMUIdx mmu_idx, uint32_t *table, uint32_t address) { @@ -5186,14 +5217,18 @@ static int get_phys_addr_v6(CPUARMState *env, uint32_t address, int access_type, if (xn && access_type == 2) goto do_fault; - /* The simplified model uses AP[0] as an access control bit. */ - if ((regime_sctlr(env, mmu_idx) & SCTLR_AFE) - && (ap & 1) == 0) { - /* Access flag fault. */ - code = (code == 15) ? 6 : 3; - goto do_fault; + if (arm_feature(env, ARM_FEATURE_V6K) && + (regime_sctlr(env, mmu_idx) & SCTLR_AFE)) { + /* The simplified model uses AP[0] as an access control bit. */ + if ((ap & 1) == 0) { + /* Access flag fault. */ + code = (code == 15) ? 6 : 3; + goto do_fault; + } + *prot = simple_ap_to_rw_prot(env, mmu_idx, ap >> 1); + } else { + *prot = ap_to_rw_prot(env, mmu_idx, ap, domain_prot); } - *prot = ap_to_rw_prot(env, mmu_idx, ap, domain_prot); if (*prot && !xn) { *prot |= PAGE_EXEC; } From d8e052b387635639a6ba4a09a7874fd2f113b218 Mon Sep 17 00:00:00 2001 From: Andrew Jones Date: Mon, 16 Mar 2015 12:30:46 +0000 Subject: [PATCH 3/7] target-arm: get_phys_addr_lpae: more xn control This patch makes the following changes to the determination of whether an address is executable, when translating addresses using LPAE. 1. No longer assumes that PL0 can't execute when it can't read. It can in AArch64, a difference from AArch32. 2. Use va_size == 64 to determine we're in AArch64, rather than arm_feature(env, ARM_FEATURE_V8), which is insufficient. 3. Add additional XN determinants - NS && is_secure && (SCR & SCR_SIF) - WXN && (prot & PAGE_WRITE) - AArch64: (prot_PL0 & PAGE_WRITE) - AArch32: UWXN && (prot_PL0 & PAGE_WRITE) - XN determination should also work in secure mode (untested) - XN may even work in EL2 (currently impossible to test) 4. Cleans up the bloated PAGE_EXEC condition - by removing it. The helper get_S1prot is introduced. It may even work in EL2, when support for that comes, but, as the function name implies, it only works for stage 1 translations. Signed-off-by: Andrew Jones Message-id: 1426099139-14463-4-git-send-email-drjones@redhat.com Reviewed-by: Peter Maydell Signed-off-by: Peter Maydell --- target-arm/helper.c | 130 ++++++++++++++++++++++++++++++++++---------- 1 file changed, 100 insertions(+), 30 deletions(-) diff --git a/target-arm/helper.c b/target-arm/helper.c index d996659652..7fe3d14773 100644 --- a/target-arm/helper.c +++ b/target-arm/helper.c @@ -4962,15 +4962,11 @@ static inline int ap_to_rw_prot(CPUARMState *env, ARMMMUIdx mmu_idx, /* Translate section/page access permissions to page * R/W protection flags. * - * @env: CPUARMState - * @mmu_idx: MMU index indicating required translation regime * @ap: The 2-bit simple AP (AP[2:1]) + * @is_user: TRUE if accessing from PL0 */ -static inline int -simple_ap_to_rw_prot(CPUARMState *env, ARMMMUIdx mmu_idx, int ap) +static inline int simple_ap_to_rw_prot_is_user(int ap, bool is_user) { - bool is_user = regime_is_user(env, mmu_idx); - switch (ap) { case 0: return is_user ? 0 : PAGE_READ | PAGE_WRITE; @@ -4985,6 +4981,93 @@ simple_ap_to_rw_prot(CPUARMState *env, ARMMMUIdx mmu_idx, int ap) } } +static inline int +simple_ap_to_rw_prot(CPUARMState *env, ARMMMUIdx mmu_idx, int ap) +{ + return simple_ap_to_rw_prot_is_user(ap, regime_is_user(env, mmu_idx)); +} + +/* Translate section/page access permissions to protection flags + * + * @env: CPUARMState + * @mmu_idx: MMU index indicating required translation regime + * @is_aa64: TRUE if AArch64 + * @ap: The 2-bit simple AP (AP[2:1]) + * @ns: NS (non-secure) bit + * @xn: XN (execute-never) bit + * @pxn: PXN (privileged execute-never) bit + */ +static int get_S1prot(CPUARMState *env, ARMMMUIdx mmu_idx, bool is_aa64, + int ap, int ns, int xn, int pxn) +{ + bool is_user = regime_is_user(env, mmu_idx); + int prot_rw, user_rw; + bool have_wxn; + int wxn = 0; + + assert(mmu_idx != ARMMMUIdx_S2NS); + + user_rw = simple_ap_to_rw_prot_is_user(ap, true); + if (is_user) { + prot_rw = user_rw; + } else { + prot_rw = simple_ap_to_rw_prot_is_user(ap, false); + } + + if (ns && arm_is_secure(env) && (env->cp15.scr_el3 & SCR_SIF)) { + return prot_rw; + } + + /* TODO have_wxn should be replaced with + * ARM_FEATURE_V8 || (ARM_FEATURE_V7 && ARM_FEATURE_EL2) + * when ARM_FEATURE_EL2 starts getting set. For now we assume all LPAE + * compatible processors have EL2, which is required for [U]WXN. + */ + have_wxn = arm_feature(env, ARM_FEATURE_LPAE); + + if (have_wxn) { + wxn = regime_sctlr(env, mmu_idx) & SCTLR_WXN; + } + + if (is_aa64) { + switch (regime_el(env, mmu_idx)) { + case 1: + if (!is_user) { + xn = pxn || (user_rw & PAGE_WRITE); + } + break; + case 2: + case 3: + break; + } + } else if (arm_feature(env, ARM_FEATURE_V7)) { + switch (regime_el(env, mmu_idx)) { + case 1: + case 3: + if (is_user) { + xn = xn || !(user_rw & PAGE_READ); + } else { + int uwxn = 0; + if (have_wxn) { + uwxn = regime_sctlr(env, mmu_idx) & SCTLR_UWXN; + } + xn = xn || !(prot_rw & PAGE_READ) || pxn || + (uwxn && (user_rw & PAGE_WRITE)); + } + break; + case 2: + break; + } + } else { + xn = wxn = 0; + } + + if (xn || (wxn && (prot_rw & PAGE_WRITE))) { + return prot_rw; + } + return prot_rw | PAGE_EXEC; +} + static bool get_level1_table_address(CPUARMState *env, ARMMMUIdx mmu_idx, uint32_t *table, uint32_t address) { @@ -5273,8 +5356,8 @@ static int get_phys_addr_lpae(CPUARMState *env, target_ulong address, int32_t granule_sz = 9; int32_t va_size = 32; int32_t tbi = 0; - bool is_user; TCR *tcr = regime_tcr(env, mmu_idx); + int ap, ns, xn, pxn; /* TODO: * This code assumes we're either a 64-bit EL1 or a 32-bit PL1; @@ -5435,7 +5518,7 @@ static int get_phys_addr_lpae(CPUARMState *env, target_ulong address, if (extract32(tableattrs, 2, 1)) { attrs &= ~(1 << 4); } - /* Since we're always in the Non-secure state, NSTable is ignored. */ + attrs |= extract32(tableattrs, 4, 1) << 3; /* NS */ break; } /* Here descaddr is the final physical address, and attributes @@ -5446,31 +5529,18 @@ static int get_phys_addr_lpae(CPUARMState *env, target_ulong address, /* Access flag */ goto do_fault; } + + ap = extract32(attrs, 4, 2); + ns = extract32(attrs, 3, 1); + xn = extract32(attrs, 12, 1); + pxn = extract32(attrs, 11, 1); + + *prot = get_S1prot(env, mmu_idx, va_size == 64, ap, ns, xn, pxn); + fault_type = permission_fault; - is_user = regime_is_user(env, mmu_idx); - if (is_user && !(attrs & (1 << 4))) { - /* Unprivileged access not enabled */ + if (!(*prot & (1 << access_type))) { goto do_fault; } - *prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC; - if ((arm_feature(env, ARM_FEATURE_V8) && is_user && (attrs & (1 << 12))) || - (!arm_feature(env, ARM_FEATURE_V8) && (attrs & (1 << 12))) || - (!is_user && (attrs & (1 << 11)))) { - /* XN/UXN or PXN. Since we only implement EL0/EL1 we unconditionally - * treat XN/UXN as UXN for v8. - */ - if (access_type == 2) { - goto do_fault; - } - *prot &= ~PAGE_EXEC; - } - if (attrs & (1 << 5)) { - /* Write access forbidden */ - if (access_type == 1) { - goto do_fault; - } - *prot &= ~PAGE_WRITE; - } *phys_ptr = descaddr; *page_size_ptr = page_size; From f0bb55890a173cb1e9e87d608647cac70f8f9dd4 Mon Sep 17 00:00:00 2001 From: Eric Auger Date: Mon, 16 Mar 2015 12:30:47 +0000 Subject: [PATCH 4/7] hw/intc/arm_gic: Initialize the vgic in the realize function This patch forces vgic initialization in the vgic realize function. It uses a new group/attribute that allows such operation: KVM_DEV_ARM_VGIC_GRP_CTRL/KVM_DEV_ARM_VGIC_CTRL_INIT This earlier initialization allows, for example, to setup VFIO signaling and irqfd after vgic initialization, on a reset notifier. Signed-off-by: Eric Auger Message-id: 1426094226-8515-1-git-send-email-eric.auger@linaro.org Signed-off-by: Peter Maydell --- hw/intc/arm_gic_kvm.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/hw/intc/arm_gic_kvm.c b/hw/intc/arm_gic_kvm.c index 1ad3eb0ff8..0d207508a0 100644 --- a/hw/intc/arm_gic_kvm.c +++ b/hw/intc/arm_gic_kvm.c @@ -573,6 +573,13 @@ static void kvm_arm_gic_realize(DeviceState *dev, Error **errp) kvm_gic_access(s, KVM_DEV_ARM_VGIC_GRP_NR_IRQS, 0, 0, &numirqs, 1); } + /* Tell the kernel to complete VGIC initialization now */ + if (kvm_gic_supports_attr(s, KVM_DEV_ARM_VGIC_GRP_CTRL, + KVM_DEV_ARM_VGIC_CTRL_INIT)) { + kvm_gic_access(s, KVM_DEV_ARM_VGIC_GRP_CTRL, + KVM_DEV_ARM_VGIC_CTRL_INIT, 0, 0, 1); + } + /* Distributor */ memory_region_init_reservation(&s->iomem, OBJECT(s), "kvm-gic_dist", 0x1000); From da3e53ddcb0ca924da97ca5a35605fc554aa3e05 Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Mon, 16 Mar 2015 12:30:47 +0000 Subject: [PATCH 5/7] target-arm: Fix handling of STM (user) with r15 in register list The A32 encoding of LDM distinguishes LDM (user) from LDM (exception return) based on whether r15 is in the register list. However for STM (user) there is no equivalent distinction. We were incorrectly treating "r15 in list" as indicating exception return for both LDM and STM, with the result that an STM (user) involving r15 went into an infinite loop. Fix this; note that the value stored for r15 in this case is the current PC regardless of our current mode. Signed-off-by: Peter Maydell Message-id: 1426015125-5521-1-git-send-email-peter.maydell@linaro.org --- target-arm/translate.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/target-arm/translate.c b/target-arm/translate.c index 381d89624f..9116529306 100644 --- a/target-arm/translate.c +++ b/target-arm/translate.c @@ -8859,17 +8859,23 @@ static void disas_arm_insn(DisasContext *s, unsigned int insn) case 0x08: case 0x09: { - int j, n, user, loaded_base; + int j, n, loaded_base; + bool exc_return = false; + bool is_load = extract32(insn, 20, 1); + bool user = false; TCGv_i32 loaded_var; /* load/store multiple words */ /* XXX: store correct base if write back */ - user = 0; if (insn & (1 << 22)) { + /* LDM (user), LDM (exception return) and STM (user) */ if (IS_USER(s)) goto illegal_op; /* only usable in supervisor mode */ - if ((insn & (1 << 15)) == 0) - user = 1; + if (is_load && extract32(insn, 15, 1)) { + exc_return = true; + } else { + user = true; + } } rn = (insn >> 16) & 0xf; addr = load_reg(s, rn); @@ -8903,7 +8909,7 @@ static void disas_arm_insn(DisasContext *s, unsigned int insn) j = 0; for(i=0;i<16;i++) { if (insn & (1 << i)) { - if (insn & (1 << 20)) { + if (is_load) { /* load */ tmp = tcg_temp_new_i32(); gen_aa32_ld32u(tmp, addr, get_mem_index(s)); @@ -8968,7 +8974,7 @@ static void disas_arm_insn(DisasContext *s, unsigned int insn) if (loaded_base) { store_reg(s, rn, loaded_var); } - if ((insn & (1 << 22)) && !user) { + if (exc_return) { /* Restore CPSR from SPSR. */ tmp = load_cpu_field(spsr); gen_set_cpsr(tmp, CPSR_ERET_MASK); From fcf83ab103dce6d2951f24f48e30820e7dbb3622 Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Mon, 16 Mar 2015 12:30:47 +0000 Subject: [PATCH 6/7] target-arm: Ignore low bit of PC in M-profile exception return For the ARM M-profile cores, exception return pops various registers including the PC from the stack. The architecture defines that if the lowest bit in the new PC value is set (ie the PC is not halfword aligned) then behaviour is UNPREDICTABLE. In practice hardware implementations seem to simply ignore the low bit, and some buggy RTOSes incorrectly rely on this. QEMU's behaviour was architecturally permitted, but bringing QEMU into line with the hardware behaviour allows more guest code to run. We log the situation as a guest error. This was reported as LP:1428657. Reported-by: Anders Esbensen Signed-off-by: Peter Maydell --- target-arm/helper.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/target-arm/helper.c b/target-arm/helper.c index 7fe3d14773..10886c5281 100644 --- a/target-arm/helper.c +++ b/target-arm/helper.c @@ -4334,6 +4334,16 @@ static void do_v7m_exception_exit(CPUARMState *env) env->regs[12] = v7m_pop(env); env->regs[14] = v7m_pop(env); env->regs[15] = v7m_pop(env); + if (env->regs[15] & 1) { + qemu_log_mask(LOG_GUEST_ERROR, + "M profile return from interrupt with misaligned " + "PC is UNPREDICTABLE\n"); + /* Actual hardware seems to ignore the lsbit, and there are several + * RTOSes out there which incorrectly assume the r15 in the stack + * frame should be a Thumb-style "lsbit indicates ARM/Thumb" value. + */ + env->regs[15] &= ~1U; + } xpsr = v7m_pop(env); xpsr_write(env, xpsr, 0xfffffdff); /* Undo stack alignment. */ From b8d43285a4db12156c40ba6fdbd8002c383fcbca Mon Sep 17 00:00:00 2001 From: Mikhail Ilyin Date: Mon, 16 Mar 2015 12:30:47 +0000 Subject: [PATCH 7/7] linux-user: Access correct register for get/set_tls syscalls on ARM TZ CPUs When support was added for TrustZone to ARM CPU emulation, we failed to correctly update the support for the linux-user implementation of the get/set_tls syscalls. This meant that accesses to the TPIDRURO register via the syscalls were always using the non-secure copy of the register even if native MRC/MCR accesses were using the secure register. This inconsistency caused most binaries to segfault on startup if the CPU type was explicitly set to one of the TZ-enabled ones like cortex-a15. (The default "any" CPU doesn't have TZ enabled and so is not affected.) Use access_secure_reg() to determine whether we should be using the secure or the nonsecure copy of TPIDRURO when emulating these syscalls. Signed-off-by: Mikhail Ilyin Message-id: 1426505198-2411-1-git-send-email-m.ilin@samsung.com [PMM: rewrote commit message to more clearly explain the issue and its consequences.] Signed-off-by: Peter Maydell --- linux-user/arm/target_cpu.h | 15 ++++++++++++++- linux-user/main.c | 2 +- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/linux-user/arm/target_cpu.h b/linux-user/arm/target_cpu.h index d8a534d7b1..6832262e39 100644 --- a/linux-user/arm/target_cpu.h +++ b/linux-user/arm/target_cpu.h @@ -29,7 +29,20 @@ static inline void cpu_clone_regs(CPUARMState *env, target_ulong newsp) static inline void cpu_set_tls(CPUARMState *env, target_ulong newtls) { - env->cp15.tpidrro_el[0] = newtls; + if (access_secure_reg(env)) { + env->cp15.tpidruro_s = newtls; + } else { + env->cp15.tpidrro_el[0] = newtls; + } +} + +static inline target_ulong cpu_get_tls(CPUARMState *env) +{ + if (access_secure_reg(env)) { + return env->cp15.tpidruro_s; + } else { + return env->cp15.tpidrro_el[0]; + } } #endif diff --git a/linux-user/main.c b/linux-user/main.c index 6bd23af2ba..6e446de4dd 100644 --- a/linux-user/main.c +++ b/linux-user/main.c @@ -566,7 +566,7 @@ do_kernel_trap(CPUARMState *env) end_exclusive(); break; case 0xffff0fe0: /* __kernel_get_tls */ - env->regs[0] = env->cp15.tpidrro_el[0]; + env->regs[0] = cpu_get_tls(env); break; case 0xffff0f60: /* __kernel_cmpxchg64 */ arm_kernel_cmpxchg64_helper(env);