From 7871abb94c2f4adc39f2487f6edf5e69ba872a65 Mon Sep 17 00:00:00 2001 From: James Hogan Date: Tue, 17 Nov 2015 17:13:54 +0000 Subject: [PATCH 1/2] target-mips: Fix exceptions while UX=0 Commit 01f728857941 ("target-mips: Status.UX/SX/KX enable 32-bit address wrapping") added a new hflag MIPS_HFLAG_AWRAP, which indicates that 64-bit addressing is disallowed in the current mode, so hflag users don't need to worry about the complexities of working that out, for example checking both MIPS_HFLAG_KSU and MIPS_HFLAG_UX. However when exceptions are taken outside of exception level, mips_cpu_do_interrupt() manipulates the env->hflags directly rather than using compute_hflags() to update them, and this code wasn't updated accordingly. As a result, when UX is cleared, MIPS_HFLAG_AWRAP is set, but it doesn't get cleared on entry back into kernel mode due to an exception. Kernel mode then cannot access the 64-bit segments resulting in a nested exception loop. The same applies to errors and debug exceptions. Fix by updating mips_cpu_do_interrupt() to clear the MIPS_HFLAG_WRAP flag when necessary, according to compute_hflags(). Fixes: 01f728857941 ("target-mips: Status.UX/SX/KX enable 32-bit...") Signed-off-by: James Hogan Cc: Leon Alrae Cc: Aurelien Jarno Reviewed-by: Leon Alrae Signed-off-by: Leon Alrae --- target-mips/helper.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/target-mips/helper.c b/target-mips/helper.c index b3fe816fec..118072a9e7 100644 --- a/target-mips/helper.c +++ b/target-mips/helper.c @@ -524,6 +524,10 @@ void mips_cpu_do_interrupt(CPUState *cs) enter_debug_mode: if (env->insn_flags & ISA_MIPS3) { env->hflags |= MIPS_HFLAG_64; + if (!(env->insn_flags & ISA_MIPS64R6) || + env->CP0_Status & (1 << CP0St_KX)) { + env->hflags &= ~MIPS_HFLAG_AWRAP; + } } env->hflags |= MIPS_HFLAG_DM | MIPS_HFLAG_CP0; env->hflags &= ~(MIPS_HFLAG_KSU); @@ -548,6 +552,10 @@ void mips_cpu_do_interrupt(CPUState *cs) env->CP0_Status |= (1 << CP0St_ERL) | (1 << CP0St_BEV); if (env->insn_flags & ISA_MIPS3) { env->hflags |= MIPS_HFLAG_64; + if (!(env->insn_flags & ISA_MIPS64R6) || + env->CP0_Status & (1 << CP0St_KX)) { + env->hflags &= ~MIPS_HFLAG_AWRAP; + } } env->hflags |= MIPS_HFLAG_CP0; env->hflags &= ~(MIPS_HFLAG_KSU); @@ -725,6 +733,10 @@ void mips_cpu_do_interrupt(CPUState *cs) env->CP0_Status |= (1 << CP0St_EXL); if (env->insn_flags & ISA_MIPS3) { env->hflags |= MIPS_HFLAG_64; + if (!(env->insn_flags & ISA_MIPS64R6) || + env->CP0_Status & (1 << CP0St_KX)) { + env->hflags &= ~MIPS_HFLAG_AWRAP; + } } env->hflags |= MIPS_HFLAG_CP0; env->hflags &= ~(MIPS_HFLAG_KSU); From f93c3a8d0c0c1038dbe1e957eb8ab92671137975 Mon Sep 17 00:00:00 2001 From: Leon Alrae Date: Thu, 19 Nov 2015 19:15:35 +0000 Subject: [PATCH 2/2] target-mips: flush QEMU TLB when disabling 64-bit addressing CP0.Status.KX/SX/UX bits are responsible for enabling access to 64-bit Kernel/Supervisor/User Segments. If bit is cleared an access to corresponding segment should generate Address Error Exception. However, the guest may still be able to access some pages belonging to the disabled 64-bit segment because we forget to flush QEMU TLB. This patch fixes it. Signed-off-by: Leon Alrae --- target-mips/cpu.h | 18 +++++++++++++++++- target-mips/op_helper.c | 13 ------------- 2 files changed, 17 insertions(+), 14 deletions(-) diff --git a/target-mips/cpu.h b/target-mips/cpu.h index fa919c1a13..89c01f7a38 100644 --- a/target-mips/cpu.h +++ b/target-mips/cpu.h @@ -961,6 +961,15 @@ static inline void compute_hflags(CPUMIPSState *env) } #ifndef CONFIG_USER_ONLY +static inline void cpu_mips_tlb_flush(CPUMIPSState *env, int flush_global) +{ + MIPSCPU *cpu = mips_env_get_cpu(env); + + /* Flush qemu's TLB and discard all shadowed entries. */ + tlb_flush(CPU(cpu), flush_global); + env->tlb->tlb_in_use = env->tlb->nb_tlb; +} + /* Called for updates to CP0_Status. */ static inline void sync_c0_status(CPUMIPSState *env, CPUMIPSState *cpu, int tc) { @@ -999,6 +1008,7 @@ static inline void sync_c0_status(CPUMIPSState *env, CPUMIPSState *cpu, int tc) static inline void cpu_mips_store_status(CPUMIPSState *env, target_ulong val) { uint32_t mask = env->CP0_Status_rw_bitmask; + target_ulong old = env->CP0_Status; if (env->insn_flags & ISA_MIPS32R6) { bool has_supervisor = extract32(mask, CP0St_KSU, 2) == 0x3; @@ -1014,7 +1024,13 @@ static inline void cpu_mips_store_status(CPUMIPSState *env, target_ulong val) mask &= ~(((1 << CP0St_SR) | (1 << CP0St_NMI)) & val); } - env->CP0_Status = (env->CP0_Status & ~mask) | (val & mask); + env->CP0_Status = (old & ~mask) | (val & mask); +#if defined(TARGET_MIPS64) + if ((env->CP0_Status ^ old) & (old & (7 << CP0St_UX))) { + /* Access to at least one of the 64-bit segments has been disabled */ + cpu_mips_tlb_flush(env, 1); + } +#endif if (env->CP0_Config3 & (1 << CP0C3_MT)) { sync_c0_status(env, env, env->current_tc); } else { diff --git a/target-mips/op_helper.c b/target-mips/op_helper.c index 056d53b9ef..d2c98c9688 100644 --- a/target-mips/op_helper.c +++ b/target-mips/op_helper.c @@ -23,10 +23,6 @@ #include "exec/cpu_ldst.h" #include "sysemu/kvm.h" -#ifndef CONFIG_USER_ONLY -static inline void cpu_mips_tlb_flush (CPUMIPSState *env, int flush_global); -#endif - /*****************************************************************************/ /* Exceptions processing helpers */ @@ -1846,15 +1842,6 @@ target_ulong helper_yield(CPUMIPSState *env, target_ulong arg) #ifndef CONFIG_USER_ONLY /* TLB management */ -static void cpu_mips_tlb_flush (CPUMIPSState *env, int flush_global) -{ - MIPSCPU *cpu = mips_env_get_cpu(env); - - /* Flush qemu's TLB and discard all shadowed entries. */ - tlb_flush(CPU(cpu), flush_global); - env->tlb->tlb_in_use = env->tlb->nb_tlb; -} - static void r4k_mips_tlb_flush_extra (CPUMIPSState *env, int first) { /* Discard entries from env->tlb[first] onwards. */