From: Max Filippov <jcmvbkbc@gmail.com>
To: qemu-devel@nongnu.org
Cc: "Max Filippov" <jcmvbkbc@gmail.com>,
	"Joaquin de Andres" <me@xcancerberox.com.ar>,
	"Philippe Mathieu-Daudé" <f4bug@amsat.org>,
	qemu-stable@nongnu.org
Subject: [PATCH v2] target/xtensa: fix access ring in l32ex
Date: Wed, 19 May 2021 07:26:07 -0700
Message-ID: <20210519142607.27190-1-jcmvbkbc@gmail.com>

l32ex does memory access as all regular load/store operations at CRING
level. Fix apparent pasto from l32e that caused it to use RING instead.

This is a correctness issue, not a security issue, because in the worst
case the privilege level of memory access may be lowered, resulting in
an exception when the correct implementation would've succeeded.
In no case would it allow memory access that would've raised an
exception in the correct implementation.

Cc: qemu-stable@nongnu.org
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
---
Changes v1->v2:
- add correctness/security rationale to the patch description.

 target/xtensa/translate.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/xtensa/translate.c b/target/xtensa/translate.c
index f93df87ec490..95f6b21c2a1e 100644
--- a/target/xtensa/translate.c
+++ b/target/xtensa/translate.c
@@ -1814,7 +1814,7 @@ static void translate_l32ex(DisasContext *dc, const OpcodeArg arg[],
     tcg_gen_mov_i32(addr, arg[1].in);
     gen_load_store_alignment(dc, 2, addr, true);
     gen_check_exclusive(dc, addr, false);
-    tcg_gen_qemu_ld_i32(arg[0].out, addr, dc->ring, MO_TEUL);
+    tcg_gen_qemu_ld_i32(arg[0].out, addr, dc->cring, MO_TEUL);
     tcg_gen_mov_i32(cpu_exclusive_addr, addr);
     tcg_gen_mov_i32(cpu_exclusive_val, arg[0].out);
     tcg_temp_free(addr);
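
Review bot: The changed tcg_gen_qemu_ld_i32() call in translate_l32ex comes with no test, since the diffstat touches only target/xtensa/translate.c. A regression case that runs l32ex in a state where dc->ring and dc->cring differ, on memory the load must be able to reach, would pin down the behaviour the description promises (no spurious exception) and would catch the same ring mix-up if the line is copied from l32e again. A one-line comment at the call stating that l32ex, unlike l32e, accesses memory at the CRING level would also help the next reader, because the two fields differ by a single character.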
-- 
2.20.1


