From: Andrew Jones <drjones@redhat.com>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: QEMU Developers <qemu-devel@nongnu.org>
Subject: Re: [Qemu-devel] [PATCH 1/2] tcg-aarch64: user doesn't need R/W access to exec
Date: Mon, 19 Jan 2015 18:25:48 +0100 [thread overview]
Message-ID: <20150119172548.GA32498@hawk.usersys.redhat.com> (raw)
In-Reply-To: <CAFEAcA_h3f7RapkRt3aqZa=5=ALmZYQ6A5SdEJsWXtHquZeLKg@mail.gmail.com>
On Fri, Jan 16, 2015 at 02:52:21PM +0000, Peter Maydell wrote:
> On 13 January 2015 at 15:48, Andrew Jones <drjones@redhat.com> wrote:
> > Table D4-32 shows that execute access from EL0 doesn't depend
> > on AP[1].
>
> This commit message is a bit sparse, which confused me
> for a bit. It would be worth beefing it up a bit:
>
> target-arm: 64-bit EL0 code can execute from unreadable pages
>
> In AArch64 mode, a page can be executable even if it is not
> readable (a difference from AArch32). Instead of bailing out
> early if the page is not readable, just add "32 bit and
> page not readable" to the list of conditions that make a
> page non-executable, and check whether the protections and
> the access type are compatible once at the end of the function.
OK
>
> > Signed-off-by: Andrew Jones <drjones@redhat.com>
> > ---
> > target-arm/helper.c | 27 ++++++++++++++++-----------
> > 1 file changed, 16 insertions(+), 11 deletions(-)
> >
> > diff --git a/target-arm/helper.c b/target-arm/helper.c
> > index 3ef0f1f38eda5..7c30a2669a0f2 100644
> > --- a/target-arm/helper.c
> > +++ b/target-arm/helper.c
> > @@ -4787,7 +4787,7 @@ static int get_phys_addr_lpae(CPUARMState *env, target_ulong address,
> > hwaddr descaddr, descmask;
> > uint32_t tableattrs;
> > target_ulong page_size;
> > - uint32_t attrs;
> > + uint32_t attrs, ap;
> > int32_t granule_sz = 9;
> > int32_t va_size = 32;
> > int32_t tbi = 0;
> > @@ -4952,14 +4952,20 @@ static int get_phys_addr_lpae(CPUARMState *env, target_ulong address,
> > /* Access flag */
> > goto do_fault;
> > }
> > +
> > fault_type = permission_fault;
> > - if (is_user && !(attrs & (1 << 4))) {
> > - /* Unprivileged access not enabled */
> > - goto do_fault;
> > + ap = extract32(attrs, 4, 2); /* AP[2:1] */
> > +
> > + *prot = 0;
> > + if (!is_user || (ap & 1)) {
> > + *prot |= PAGE_READ;
> > + *prot |= !(ap & 2) ? PAGE_WRITE : 0;
>
> Personally I would find
> if (!(ap & 2)) {
> *prot |= PAGE_WRITE;
> }
>
> clearer.
OK
>
> > }
> > - *prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
> > +
> > + *prot |= PAGE_EXEC;
> > if ((arm_feature(env, ARM_FEATURE_V8) && is_user && (attrs & (1 << 12))) ||
> > (!arm_feature(env, ARM_FEATURE_V8) && (attrs & (1 << 12))) ||
> > + (!arm_el_is_aa64(env, 1) && is_user && !(ap & 1)) ||
> > (!is_user && (attrs & (1 << 11)))) {
> > /* XN/UXN or PXN. Since we only implement EL0/EL1 we unconditionally
> > * treat XN/UXN as UXN for v8.
> > @@ -4969,12 +4975,11 @@ static int get_phys_addr_lpae(CPUARMState *env, target_ulong address,
> > }
>
> There is a "if access_type == 2 goto do_fault" check just
> above this hunk which you can delete, because we're now
> doing that check in the code you add below.
Right. Will do, alternatively I should have brought the PAGE_EXEC
handling below in with patch 2/2, which was my plan, but forgot
to split it out.
>
> > *prot &= ~PAGE_EXEC;
> > }
> > - if (attrs & (1 << 5)) {
> > - /* Write access forbidden */
> > - if (access_type == 1) {
> > - goto do_fault;
> > - }
> > - *prot &= ~PAGE_WRITE;
> > +
> > + if ((*prot == 0)
> > + || (!(*prot & PAGE_WRITE) && access_type == 1)
> > + || (!(*prot & PAGE_EXEC) && access_type == 2)) {
> > + goto do_fault;
>
> Why isn't this just
> if (!(*prot & (1 << access_type))) {
yeah, that would be better
>
> ? (Or at least, why doesn't it treat PAGE_READ the same way
> as the other two bits?) As it is I think we'll treat a page
> that is marked exec-not-readable as if it were readable.
Oh yes, we should check PAGE_READ as well
Thanks for the review. I see from another mail that you'll be sending some
patches I should base the next version on. So I'll hold off on sending a
revised patch until I see that.
drew
next prev parent reply other threads:[~2015-01-19 17:26 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-01-13 15:48 [Qemu-devel] [PATCH 0/2] tcg-arm: fix and extend instruction execution control Andrew Jones
2015-01-13 15:48 ` [Qemu-devel] [PATCH 1/2] tcg-aarch64: user doesn't need R/W access to exec Andrew Jones
2015-01-16 14:52 ` Peter Maydell
2015-01-19 17:25 ` Andrew Jones [this message]
2015-01-13 15:48 ` [Qemu-devel] [PATCH 2/2] tcg-arm: more instruction execution control Andrew Jones
2015-01-16 16:16 ` Peter Maydell
2015-01-16 19:02 ` Peter Maydell
2015-01-19 17:40 ` Andrew Jones
2015-01-19 17:40 ` Andrew Jones
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150119172548.GA32498@hawk.usersys.redhat.com \
--to=drjones@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.