[PATCH v2 26/51] target/s390x/tcg: Fix and improve the SACF instruction
From: Juan Quintela
Subject: [PATCH v2 26/51] target/s390x/tcg: Fix and improve the SACF instruction
Date: Mon, 5 Dec 2022 10:52:03 +0100
From: Thomas Huth <thuth@redhat.com>
The SET ADDRESS SPACE CONTROL FAST instruction is not privileged, it can be
used from problem space, too. Just the switching to the home address space
is privileged and should still generate a privilege exception. This bug is
e.g. causing programs like Java that use the "getcpu" vdso kernel function
to crash (see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990417#26 ).
While we're at it, also check if DAT is not enabled. In that case the
instruction is supposed to generate a special operation exception.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/655
Message-Id: <20221201184443.136355-1-thuth@redhat.com>
Reviewed-by: Ilya Leoshkevich <iii@linux.ibm.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Thomas Huth <thuth@redhat.com>
---
target/s390x/tcg/insn-data.h.inc | 2 +-
target/s390x/tcg/cc_helper.c | 7 +++++++
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/target/s390x/tcg/insn-data.h.inc b/target/s390x/tcg/insn-data.h.inc
index 7e952bdfc8..54d4250c9f 100644
--- a/target/s390x/tcg/insn-data.h.inc
+++ b/target/s390x/tcg/insn-data.h.inc
@@ -1365,7 +1365,7 @@
/* SERVICE CALL LOGICAL PROCESSOR (PV hypercall) */
F(0xb220, SERVC, RRE, Z, r1_o, r2_o, 0, 0, servc, 0, IF_PRIV | IF_IO)
/* SET ADDRESS SPACE CONTROL FAST */
- F(0xb279, SACF, S, Z, 0, a2, 0, 0, sacf, 0, IF_PRIV)
+ C(0xb279, SACF, S, Z, 0, a2, 0, 0, sacf, 0)
/* SET CLOCK */
F(0xb204, SCK, S, Z, 0, m2_64a, 0, 0, sck, 0, IF_PRIV | IF_IO)
/* SET CLOCK COMPARATOR */
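Review bot: with IF_PRIV dropped from the decoder entry, the privilege rule for SACF now lives only inside HELPER(sacf), and the one-line comment above the entry gives no hint of that; suggest extending it to something like `/* SET ADDRESS SPACE CONTROL FAST (only the switch to the home space is privileged, checked in the helper) */` so a later cleanup does not reinstate IF_PRIV on the decoder line.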
diff --git a/target/s390x/tcg/cc_helper.c b/target/s390x/tcg/cc_helper.c
index b2e8d3d9f5..b36f8cdc8b 100644
--- a/target/s390x/tcg/cc_helper.c
+++ b/target/s390x/tcg/cc_helper.c
@@ -487,6 +487,10 @@ void HELPER(sacf)(CPUS390XState *env, uint64_t a1)
{
HELPER_LOG("%s: %16" PRIx64 "\n", __func__, a1);
+ if (!(env->psw.mask & PSW_MASK_DAT)) {
+ tcg_s390_program_interrupt(env, PGM_SPECIAL_OP, GETPC());
+ }
+
switch (a1 & 0xf00) {
case 0x000:
env->psw.mask &= ~PSW_MASK_ASC;
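Review bot: the code after the new `if` assumes tcg_s390_program_interrupt() never returns to the caller; if it did, execution would fall through into the switch and still rewrite env->psw.mask with DAT off. Placing the check ahead of the switch is the right choice since it must apply to every mode value including 0x000, but that intent is not stated; suggest a short comment such as `/* SACF with DAT off is a special-operation exception for every mode */` on the check, or an explicit `return` after the call if the function is not declared noreturn.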
@@ -497,6 +501,9 @@ void HELPER(sacf)(CPUS390XState *env, uint64_t a1)
env->psw.mask |= PSW_ASC_SECONDARY;
break;
case 0x300:
+ if ((env->psw.mask & PSW_MASK_PSTATE) != 0) {
+ tcg_s390_program_interrupt(env, PGM_PRIVILEGED, GETPC());
+ }
env->psw.mask &= ~PSW_MASK_ASC;
env->psw.mask |= PSW_ASC_HOME;
break;
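Review bot: the PSW_MASK_PSTATE check sits only under `case 0x300:`, so the other mode switches are now allowed from problem state, which is exactly the asymmetry the commit message describes, but nothing in the code says why this case differs; suggest a comment such as `/* switching to the home address space is privileged */` above the check. The same no-return assumption as for the DAT check applies here: if tcg_s390_program_interrupt() returned, the two assignments below it would still set PSW_ASC_HOME from problem state.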
--
2.38.1
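Added example, not QEMU code and not part of the patch above: a stand-alone C model of the decision order the commit message describes, with the pre-patch behaviour (the whole instruction privileged, so any SACF from problem state faulted) beside the patched one (DAT checked first for every mode, privilege enforced only for the switch to the home space). The PSW_MASK_* and PSW_ASC_* bit values, the program-interruption code values and the handling of an unknown mode are assumptions made for this model; QEMU's own headers define the real constants.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed PSW mask bit positions for this model (QEMU's real PSW_MASK_* and
 * PSW_ASC_* definitions are not on the page and may differ). */
#define PSW_MASK_DAT      0x0400000000000000ULL
#define PSW_MASK_PSTATE   0x0001000000000000ULL
#define PSW_MASK_ASC      0x0000C00000000000ULL
#define PSW_ASC_PRIMARY   0x0000000000000000ULL
#define PSW_ASC_ACCREG    0x0000400000000000ULL
#define PSW_ASC_SECONDARY 0x0000800000000000ULL
#define PSW_ASC_HOME      0x0000C00000000000ULL

/* Program-interruption codes reported by the model (assumed values). */
enum pgm {
    PGM_NONE          = 0,
    PGM_PRIVILEGED    = 0x02,
    PGM_SPECIFICATION = 0x06,
    PGM_SPECIAL_OP    = 0x13,
};

/* The mode switch itself: bits 8-11 of the second-operand address select the
 * address-space control. Rejecting an unknown mode with a specification
 * exception is an assumption of this model. */
static enum pgm sacf_set_mode(uint64_t *psw_mask, uint64_t a1)
{
    uint64_t asc;

    switch (a1 & 0xf00) {
    case 0x000: asc = PSW_ASC_PRIMARY;   break;
    case 0x100: asc = PSW_ASC_ACCREG;    break;
    case 0x200: asc = PSW_ASC_SECONDARY; break;
    case 0x300: asc = PSW_ASC_HOME;      break;
    default:    return PGM_SPECIFICATION;
    }
    *psw_mask = (*psw_mask & ~PSW_MASK_ASC) | asc;
    return PGM_NONE;
}

/* Before the patch: IF_PRIV on the decoder entry turned every SACF issued in
 * problem state into a privileged-operation exception, whatever mode was
 * requested. This is what broke user-space code such as the getcpu vDSO path. */
static enum pgm sacf_before(uint64_t *psw_mask, uint64_t a1)
{
    if (*psw_mask & PSW_MASK_PSTATE) {
        return PGM_PRIVILEGED;
    }
    return sacf_set_mode(psw_mask, a1);
}

/* After the patch: DAT off is a special-operation exception for every mode,
 * and only the switch to the home space is privileged. The order matters:
 * DAT is tested first, so DAT off in problem state reports special-op, not
 * privileged-op. */
static enum pgm sacf_after(uint64_t *psw_mask, uint64_t a1)
{
    if (!(*psw_mask & PSW_MASK_DAT)) {
        return PGM_SPECIAL_OP;
    }
    if ((a1 & 0xf00) == 0x300 && (*psw_mask & PSW_MASK_PSTATE)) {
        return PGM_PRIVILEGED;
    }
    return sacf_set_mode(psw_mask, a1);
}

int main(void)
{
    /* Constructed PSW: DAT on, problem state, as a user program runs. */
    uint64_t psw = PSW_MASK_DAT | PSW_MASK_PSTATE;
    enum pgm before = sacf_before(&psw, 0x200);
    enum pgm after = sacf_after(&psw, 0x200);

    printf("problem state, SACF secondary: before=%#x after=%#x\n", before, after);
    printf("problem state, SACF home:      after=%#x\n", sacf_after(&psw, 0x300));
    psw = PSW_MASK_PSTATE; /* DAT off */
    printf("DAT off, SACF primary:         after=%#x\n", sacf_after(&psw, 0x000));
    return 0;
}
```

The model returns the exception code instead of raising it, which is what makes the check order visible in a unit test: a problem-state caller with DAT off asking for the home space gets the special-operation result, because the DAT test runs before the privilege test, exactly as in the patched helper.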