From: Richard Henderson <1907137@bugs.launchpad.net>
To: qemu-devel@nongnu.org
Subject: [Bug 1907137] Re: LDTR not properly emulated when MTE tag checks enabled at EL0
Date: Mon, 21 Dec 2020 19:41:52 -0000	[thread overview]
Message-ID: <160857971231.1935.13701705171857565666.malone@soybean.canonical.com> (raw)
In-Reply-To: 160737386315.5907.11436467204976213940.malonedeb@gac.canonical.com

Ok, I'll have a deeper look as well.

** Changed in: qemu
       Status: Incomplete => In Progress

** Changed in: qemu
     Assignee: (unassigned) => Richard Henderson (rth)


Title:
  LDTR not properly emulated when MTE tag checks enabled at EL0

Status in QEMU:
  In Progress

Bug description:
  I am trying to boot Android (just the non-GUI parts for now) under
  QEMU with MTE enabled. This can be done by following the instructions
  here to build the fvp-eng target with MTE support:

  https://cs.android.com/android/platform/superproject/+/master:device/generic/goldfish/fvpbase/

  and launching QEMU with the following command:

  qemu-system-aarch64 \
    -kernel $ANDROID_PRODUCT_OUT/kernel \
    -initrd $ANDROID_PRODUCT_OUT/combined-ramdisk.img \
    -machine virt,mte=on -cpu max \
    -drive driver=raw,file=$ANDROID_PRODUCT_OUT/system-qemu.img,if=none,id=system \
    -device virtio-blk-device,drive=system \
    -append "console=ttyAMA0 earlyprintk=ttyAMA0 androidboot.hardware=fvpbase androidboot.boot_devices=a003e00.virtio_mmio loglevel=9 printk.devkmsg=on buildvariant=eng" \
    -m 512 -nographic -no-reboot

  If I do this then QEMU crashes like so:

  **
  ERROR:../target/arm/mte_helper.c:558:mte_check_fail: code should not be reached
  Bail out! ERROR:../target/arm/mte_helper.c:558:mte_check_fail: code should not be reached

  The error is caused by an MTE tag check fault from an LDTR instruction
  in __arch_copy_from_user. At this point TCF=0 and TCF0=2.

  I have this patch that gets me past the error but it is unclear
  whether this is the correct fix since there may be other confusion
  between TCF and TCF0 elsewhere.

  diff --git a/target/arm/mte_helper.c b/target/arm/mte_helper.c
  index 153bd1e9df..aa5db4eac4 100644
  --- a/target/arm/mte_helper.c
  +++ b/target/arm/mte_helper.c
  @@ -552,10 +552,8 @@ static void mte_check_fail(CPUARMState *env, uint32_t desc,
       case 0:
           /*
            * Tag check fail does not affect the PE.
  -         * We eliminate this case by not setting MTE_ACTIVE
  -         * in tb_flags, so that we never make this runtime call.
            */
  -        g_assert_not_reached();
  +        break;
   
       case 2:
           /* Tag check fail causes asynchronous flag set.  */
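  Review bot: Replacing g_assert_not_reached() with break in the case 0 branch hides the crash without addressing the cause described above: the faulting access is an LDTR (an unprivileged load) executed from __arch_copy_from_user at EL1 with TCF=0 and TCF0=2, so the tag check reaching mte_check_fail was enabled on the basis of the EL0 setting (TCF0) while the fault handling consulted the EL1 setting (TCF). The removed comment documents the invariant that case 0 is unreachable because MTE_ACTIVE is not set in tb_flags when checking is off; the fix that keeps that invariant is to select TCF versus TCF0 by the effective exception level of the access (EL0 for unprivileged loads and stores at EL1) consistently in both places, and to leave the assertion in. If the break is kept as an interim change, the comment above it should say why case 0 is now reachable instead of silently dropping the two explanatory lines.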

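  As an added illustration, not QEMU code and not part of this report: a small C model of which SCTLR_EL1 field governs a tag check for a given access. It applies the architectural rule that an unprivileged LDTR/STTR executed at EL1 is tag-checked with the EL0 setting (TCF0) rather than TCF, which is why a fault can arrive with TCF=0 and TCF0=2 as reported above. The bit positions follow the Arm ARM; the register values, the helper names (make_sctlr, access_el, effective_tcf, mte_check_can_fault) and the omission of PSTATE.UAO and PSTATE.TCO are assumptions made for the example.

```c
/*
 * Model of MTE tag-check-fault mode selection on AArch64 (added example,
 * not QEMU code). An unprivileged access (LDTR/STTR) at EL1 is checked
 * with SCTLR_EL1.TCF0; every other access uses the field for its own EL.
 * PSTATE.UAO and PSTATE.TCO are ignored here for brevity (assumption).
 */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* SCTLR_EL1 field positions: TCF0 is bits [39:38], TCF is bits [41:40]. */
#define SCTLR_TCF0_SHIFT 38
#define SCTLR_TCF_SHIFT  40
#define SCTLR_TCF_MASK   3ULL

/* Encodings of the TCF and TCF0 fields. */
enum tcf_mode {
    TCF_NONE  = 0,  /* tag check fail does not affect the PE */
    TCF_SYNC  = 1,  /* synchronous Data Abort */
    TCF_ASYNC = 2,  /* asynchronous: flag set in TFSR_ELx */
    TCF_ASYMM = 3,  /* reads synchronous, writes asynchronous (FEAT_MTE3) */
};

/* Constructed SCTLR_EL1 value carrying only the two MTE fields. */
static uint64_t make_sctlr(enum tcf_mode tcf, enum tcf_mode tcf0)
{
    return ((uint64_t)tcf << SCTLR_TCF_SHIFT) |
           ((uint64_t)tcf0 << SCTLR_TCF0_SHIFT);
}

/* Exception level the access is treated as coming from for tag checking. */
static int access_el(int current_el, bool unprivileged)
{
    /* LDTR/STTR at EL1 behave as EL0 accesses. */
    return (current_el == 1 && unprivileged) ? 0 : current_el;
}

/* Effective tag-check-fault mode for one access. */
enum tcf_mode effective_tcf(uint64_t sctlr_el1, int current_el, bool unprivileged)
{
    int shift = (access_el(current_el, unprivileged) == 0)
                ? SCTLR_TCF0_SHIFT : SCTLR_TCF_SHIFT;
    return (enum tcf_mode)((sctlr_el1 >> shift) & SCTLR_TCF_MASK);
}

/* True when a tag mismatch on this access can reach a fault path at all. */
bool mte_check_can_fault(uint64_t sctlr_el1, int current_el, bool unprivileged)
{
    return effective_tcf(sctlr_el1, current_el, unprivileged) != TCF_NONE;
}

int main(void)
{
    /* Constructed state matching the report: TCF=0, TCF0=2. */
    uint64_t sctlr = make_sctlr(TCF_NONE, TCF_ASYNC);

    printf("EL1 LDR  : mode %d, can fault %d\n",
           effective_tcf(sctlr, 1, false), mte_check_can_fault(sctlr, 1, false));
    printf("EL1 LDTR : mode %d, can fault %d\n",
           effective_tcf(sctlr, 1, true), mte_check_can_fault(sctlr, 1, true));
    printf("EL0 LDR  : mode %d, can fault %d\n",
           effective_tcf(sctlr, 0, false), mte_check_can_fault(sctlr, 0, false));
    return 0;
}
```

  The point the model makes is that an emulator must pick the field by the effective EL of the access in both the place that decides whether checking is active and the place that handles the failure; if the two consult different fields, the handler can be entered in a mode it believes is unreachable.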