[Qemu-devel] [PATCH v4 0/3] target-arm: Add a few more S2 MMU input checks

[Qemu-devel] [PATCH v4 0/3] target-arm: Add a few more S2 MMU input checks

[Edgar E. Iglesias]

From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>

This adds the inputsize > pamax check and also fixes the
startlevel checks to apply to the 64bit translations.

Comments welcome!

Cheers,
Edgar

ChangeLog:

v3 -> v4:
* Changed comment regarding our choice to fault
* Rename check_s2_startlevel to check_s2_mmu_setup
* Move inputsize check to check_s2_mmu_setup

v2 -> v3:
* Document pamax arg to check_s2_startlevel

v1 -> v2:
* inputsize > pmax check only applies to AArch64
* Fix commit message typo < should be >

Edgar E. Iglesias (3):
  target-arm: Apply S2 MMU startlevel table size check to AArch64
  target-arm: Rename check_s2_startlevel to check_s2_mmu_setup
  target-arm: Implement the S2 MMU inputsize > pamax check

 target-arm/helper.c | 36 ++++++++++++++++++++++--------------
 1 file changed, 22 insertions(+), 14 deletions(-)

-- 
1.9.1

[Qemu-devel] [PATCH v4 1/3] target-arm: Apply S2 MMU startlevel table size check to AArch64

[Edgar E. Iglesias]

From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>

The S2 starting level table size check applies to both AArch32
and AArch64. Move it to common code.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
---
 target-arm/helper.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/target-arm/helper.c b/target-arm/helper.c
index ae02486..5d6f297 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -6775,11 +6775,19 @@ typedef enum {
 static bool check_s2_startlevel(ARMCPU *cpu, bool is_aa64, int level,
                                 int inputsize, int stride)
 {
+    const int grainsize = stride + 3;
+    int startsizecheck;
+
     /* Negative levels are never allowed.  */
     if (level < 0) {
         return false;
     }
 
+    startsizecheck = inputsize - ((3 - level) * stride + grainsize);
+    if (startsizecheck < 1 || startsizecheck > stride + 4) {
+        return false;
+    }
+
     if (is_aa64) {
         unsigned int pamax = arm_pamax(cpu);
 
@@ -6803,20 +6811,12 @@ static bool check_s2_startlevel(ARMCPU *cpu, bool is_aa64, int level,
             g_assert_not_reached();
         }
     } else {
-        const int grainsize = stride + 3;
-        int startsizecheck;
-
         /* AArch32 only supports 4KB pages. Assert on that.  */
         assert(stride == 9);
 
         if (level == 0) {
             return false;
         }
-
-        startsizecheck = inputsize - ((3 - level) * stride + grainsize);
-        if (startsizecheck < 1 || startsizecheck > stride + 4) {
-            return false;
-        }
     }
     return true;
 }
-- 
1.9.1

[Qemu-devel] [PATCH v4 2/3] target-arm: Rename check_s2_startlevel to check_s2_mmu_setup

[Edgar E. Iglesias]

From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>

Rename check_s2_startlevel to check_s2_mmu_setup in preparation
for additional checks.

Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
---
 target-arm/helper.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/target-arm/helper.c b/target-arm/helper.c
index 5d6f297..13e9933 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -6763,17 +6763,18 @@ typedef enum {
 } MMUFaultType;
 
 /*
- * check_s2_startlevel
+ * check_s2_mmu_setup
  * @cpu:        ARMCPU
  * @is_aa64:    True if the translation regime is in AArch64 state
  * @startlevel: Suggested starting level
  * @inputsize:  Bitsize of IPAs
  * @stride:     Page-table stride (See the ARM ARM)
  *
- * Returns true if the suggested starting level is OK and false otherwise.
+ * Returns true if the suggested S2 translation parameters are OK and
+ * false otherwise.
  */
-static bool check_s2_startlevel(ARMCPU *cpu, bool is_aa64, int level,
-                                int inputsize, int stride)
+static bool check_s2_mmu_setup(ARMCPU *cpu, bool is_aa64, int level,
+                               int inputsize, int stride)
 {
     const int grainsize = stride + 3;
     int startsizecheck;
@@ -7013,8 +7014,7 @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address,
         }
 
         /* Check that the starting level is valid. */
-        ok = check_s2_startlevel(cpu, va_size == 64, level,
-                                 inputsize, stride);
+        ok = check_s2_mmu_setup(cpu, va_size == 64, level, inputsize, stride);
         if (!ok) {
             /* AArch64 reports these as level 0 faults.
              * AArch32 reports these as level 1 faults.
-- 
1.9.1

[Qemu-devel] [PATCH v4 3/3] target-arm: Implement the S2 MMU inputsize > pamax check

[Edgar E. Iglesias]

From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>

Implement the inputsize > pamax check for Stage 2 translations.
This is CONSTRAINED UNPREDICTABLE and we choose to fault.

Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
---
 target-arm/helper.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/target-arm/helper.c b/target-arm/helper.c
index 13e9933..9f75840 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -6790,6 +6790,7 @@ static bool check_s2_mmu_setup(ARMCPU *cpu, bool is_aa64, int level,
     }
 
     if (is_aa64) {
+        CPUARMState *env = &cpu->env;
         unsigned int pamax = arm_pamax(cpu);
 
         switch (stride) {
@@ -6811,6 +6812,13 @@ static bool check_s2_mmu_setup(ARMCPU *cpu, bool is_aa64, int level,
         default:
             g_assert_not_reached();
         }
+
+        /* Inputsize checks.  */
+        if (inputsize > pamax &&
+            (arm_el_is_aa64(env, 1) || inputsize > 40)) {
+            /* This is CONSTRAINED UNPREDICTABLE and we choose to fault.  */
+            return false;
+        }
     } else {
         /* AArch32 only supports 4KB pages. Assert on that.  */
         assert(stride == 9);
-- 
1.9.1

Re: [Qemu-devel] [PATCH v4 2/3] target-arm: Rename check_s2_startlevel to check_s2_mmu_setup

[Alex Bennée]

Edgar E. Iglesias <edgar.iglesias@gmail.com> writes:

> From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>
>
> Rename check_s2_startlevel to check_s2_mmu_setup in preparation
> for additional checks.
>
> Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>

> ---
>  target-arm/helper.c | 12 ++++++------
>  1 file changed, 6 insertions(+), 6 deletions(-)
>
> diff --git a/target-arm/helper.c b/target-arm/helper.c
> index 5d6f297..13e9933 100644
> --- a/target-arm/helper.c
> +++ b/target-arm/helper.c
> @@ -6763,17 +6763,18 @@ typedef enum {
>  } MMUFaultType;
>
>  /*
> - * check_s2_startlevel
> + * check_s2_mmu_setup
>   * @cpu:        ARMCPU
>   * @is_aa64:    True if the translation regime is in AArch64 state
>   * @startlevel: Suggested starting level
>   * @inputsize:  Bitsize of IPAs
>   * @stride:     Page-table stride (See the ARM ARM)
>   *
> - * Returns true if the suggested starting level is OK and false otherwise.
> + * Returns true if the suggested S2 translation parameters are OK and
> + * false otherwise.
>   */
> -static bool check_s2_startlevel(ARMCPU *cpu, bool is_aa64, int level,
> -                                int inputsize, int stride)
> +static bool check_s2_mmu_setup(ARMCPU *cpu, bool is_aa64, int level,
> +                               int inputsize, int stride)
>  {
>      const int grainsize = stride + 3;
>      int startsizecheck;
> @@ -7013,8 +7014,7 @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address,
>          }
>
>          /* Check that the starting level is valid. */
> -        ok = check_s2_startlevel(cpu, va_size == 64, level,
> -                                 inputsize, stride);
> +        ok = check_s2_mmu_setup(cpu, va_size == 64, level, inputsize, stride);
>          if (!ok) {
>              /* AArch64 reports these as level 0 faults.
>               * AArch32 reports these as level 1 faults.


--
Alex Bennée

Re: [Qemu-devel] [PATCH v4 3/3] target-arm: Implement the S2 MMU inputsize > pamax check

[Alex Bennée]

Edgar E. Iglesias <edgar.iglesias@gmail.com> writes:

> From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>
>
> Implement the inputsize > pamax check for Stage 2 translations.
> This is CONSTRAINED UNPREDICTABLE and we choose to fault.
>
> Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>

Much cleaner now, thanks.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>

> ---
>  target-arm/helper.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
>
> diff --git a/target-arm/helper.c b/target-arm/helper.c
> index 13e9933..9f75840 100644
> --- a/target-arm/helper.c
> +++ b/target-arm/helper.c
> @@ -6790,6 +6790,7 @@ static bool check_s2_mmu_setup(ARMCPU *cpu, bool is_aa64, int level,
>      }
>
>      if (is_aa64) {
> +        CPUARMState *env = &cpu->env;
>          unsigned int pamax = arm_pamax(cpu);
>
>          switch (stride) {
> @@ -6811,6 +6812,13 @@ static bool check_s2_mmu_setup(ARMCPU *cpu, bool is_aa64, int level,
>          default:
>              g_assert_not_reached();
>          }
> +
> +        /* Inputsize checks.  */
> +        if (inputsize > pamax &&
> +            (arm_el_is_aa64(env, 1) || inputsize > 40)) {
> +            /* This is CONSTRAINED UNPREDICTABLE and we choose to fault.  */
> +            return false;
> +        }
>      } else {
>          /* AArch32 only supports 4KB pages. Assert on that.  */
>          assert(stride == 9);


--
Alex Bennée

Re: [Qemu-devel] [PATCH v4 0/3] target-arm: Add a few more S2 MMU input checks

[Peter Maydell]

On 27 January 2016 at 22:16, Edgar E. Iglesias <edgar.iglesias@gmail.com> wrote:
> From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>
>
> This adds the inputsize > pamax check and also fixes the
> startlevel checks to apply to the 64bit translations.
>
> Comments welcome!

Thanks, applied to target-arm.next.

-- PMM