[Stable-7.2.7 48/62] target/arm: Don't allow stage 2 page table walks to
From: Michael Tokarev
Subject: [Stable-7.2.7 48/62] target/arm: Don't allow stage 2 page table walks to downgrade to NS
Date: Thu, 9 Nov 2023 16:59:16 +0300
From: Peter Maydell <peter.maydell@linaro.org>

Bit 63 in a Table descriptor is only the NSTable bit for stage 1
translations; in stage 2 it is RES0. We were incorrectly looking at
it all the time.

This causes problems if:
 * the stage 2 table descriptor was incorrectly setting the RES0 bit
 * we are doing a stage 2 translation in Secure address space for
   a NonSecure stage 1 regime -- in this case we would incorrectly
   do an immediate downgrade to NonSecure

A bug elsewhere in the code currently prevents us from getting
to the second situation, but when we fix that it will be possible.

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20230504135425.2748672-2-peter.maydell@linaro.org
(cherry picked from commit 21a4ab8318ba6f049aac244e237cd1557586e216)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index fa013044c1..e593bc339a 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -1382,17 +1382,18 @@ static bool get_phys_addr_lpae(CPUARMState *env,
S1Translate *ptw,
descaddrmask &= ~indexmask_grainsize;
/*
- * Secure accesses start with the page table in secure memory and
+ * Secure stage 1 accesses start with the page table in secure memory and
* can be downgraded to non-secure at any step. Non-secure accesses
* remain non-secure. We implement this by just ORing in the NSTable/NS
* bits at each step.
+ * Stage 2 never gets this kind of downgrade.
*/
tableattrs = is_secure ? 0 : (1 << 4);
next_level:
descaddr |= (address >> (stride * (4 - level))) & indexmask;
descaddr &= ~7ULL;
- nstable = extract32(tableattrs, 4, 1);
+ nstable = !regime_is_stage2(mmu_idx) && extract32(tableattrs, 4, 1);
if (nstable) {
/*
* Stage2_S -> Stage2 or Phys_S -> Phys_NS
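Review bot: The new `!regime_is_stage2(mmu_idx)` guard on the `nstable` assignment masks bit 4 only at this one read, while the comment above still says the NSTable/NS bits are ORed into `tableattrs` at each step. The OR site is outside this hunk, so for stage 2 a descriptor with the RES0 bit 63 set could still leave bit 4 set in `tableattrs`, and any other consumer of that bit would need the same guard. Consider skipping the accumulation for stage 2 at the point where the descriptor bits are merged, or confirming that `nstable` is the only reader. The guard is also loop-invariant but is re-evaluated on every pass through `next_level:`; computing it once before the label would make that explicit.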
--
2.39.2