
target/i386: Generate #UD when applying LOCK to a register

Message ID 20181207170951.7307-1-richard.henderson@linaro.org

Commit Message

Richard Henderson Dec. 7, 2018, 5:09 p.m. UTC
This covers inc, dec, and the bit test instructions.

I believe this now covers every case where an atomic path would use
the cpu_A0 temp, which is only initialized for memory (address)
sources.

Fixes: https://bugs.launchpad.net/qemu/+bug/1803160/comments/4
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

---
 target/i386/translate.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

-- 
2.17.2

Comments

Philippe Mathieu-Daudé Dec. 9, 2018, 7:48 p.m. UTC | #1
Cc'ing Alberto

On 12/7/18 6:09 PM, Richard Henderson wrote:
> This covers inc, dec, and the bit test instructions.

> 

> I believe we've finally covered all of the cases for

> which we have an atomic path that would use the cpu_A0

> temp, which is only initialized for address sources.

> 


Reported-by: Alberto Ortega <aortega.lms@gmail.com>

> Fixes: https://bugs.launchpad.net/qemu/+bug/1803160/comments/4

> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

> ---

>  target/i386/translate.c | 11 +++++++++++

>  1 file changed, 11 insertions(+)

> 

> diff --git a/target/i386/translate.c b/target/i386/translate.c

> index 0dd5fbe45c..eb52322a47 100644

> --- a/target/i386/translate.c

> +++ b/target/i386/translate.c

> @@ -1398,6 +1398,11 @@ static void gen_op(DisasContext *s1, int op, TCGMemOp ot, int d)

>  static void gen_inc(DisasContext *s1, TCGMemOp ot, int d, int c)

>  {

>      if (s1->prefix & PREFIX_LOCK) {

> +        if (d != OR_TMP0) {

> +            /* Lock prefix when destination is not memory.  */

> +            gen_illegal_opcode(s1);

> +            return;

> +        }

>          tcg_gen_movi_tl(s1->T0, c > 0 ? 1 : -1);

>          tcg_gen_atomic_add_fetch_tl(s1->T0, s1->A0, s1->T0,

>                                      s1->mem_index, ot | MO_LE);

> @@ -6764,6 +6769,9 @@ static target_ulong disas_insn(DisasContext *s, CPUState *cpu)

>                  gen_op_ld_v(s, ot, s->T0, s->A0);

>              }

>          } else {

> +            if (s->prefix & PREFIX_LOCK) {

> +                goto illegal_op;

> +            }

>              gen_op_mov_v_reg(s, ot, s->T0, rm);

>          }

>          /* load shift */

> @@ -6803,6 +6811,9 @@ static target_ulong disas_insn(DisasContext *s, CPUState *cpu)

>                  gen_op_ld_v(s, ot, s->T0, s->A0);

>              }

>          } else {

> +            if (s->prefix & PREFIX_LOCK) {

> +                goto illegal_op;

> +            }

>              gen_op_mov_v_reg(s, ot, s->T0, rm);

>          }

>      bt_op:

>
Richard Henderson Feb. 6, 2019, 5:42 a.m. UTC | #2
Ping.

On 12/7/18 5:09 PM, Richard Henderson wrote:
> This covers inc, dec, and the bit test instructions.

> 

> I believe we've finally covered all of the cases for

> which we have an atomic path that would use the cpu_A0

> temp, which is only initialized for address sources.

> 

> Fixes: https://bugs.launchpad.net/qemu/+bug/1803160/comments/4

> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

> ---

>  target/i386/translate.c | 11 +++++++++++

>  1 file changed, 11 insertions(+)

> 

> diff --git a/target/i386/translate.c b/target/i386/translate.c

> index 0dd5fbe45c..eb52322a47 100644

> --- a/target/i386/translate.c

> +++ b/target/i386/translate.c

> @@ -1398,6 +1398,11 @@ static void gen_op(DisasContext *s1, int op, TCGMemOp ot, int d)

>  static void gen_inc(DisasContext *s1, TCGMemOp ot, int d, int c)

>  {

>      if (s1->prefix & PREFIX_LOCK) {

> +        if (d != OR_TMP0) {

> +            /* Lock prefix when destination is not memory.  */

> +            gen_illegal_opcode(s1);

> +            return;

> +        }

>          tcg_gen_movi_tl(s1->T0, c > 0 ? 1 : -1);

>          tcg_gen_atomic_add_fetch_tl(s1->T0, s1->A0, s1->T0,

>                                      s1->mem_index, ot | MO_LE);

> @@ -6764,6 +6769,9 @@ static target_ulong disas_insn(DisasContext *s, CPUState *cpu)

>                  gen_op_ld_v(s, ot, s->T0, s->A0);

>              }

>          } else {

> +            if (s->prefix & PREFIX_LOCK) {

> +                goto illegal_op;

> +            }

>              gen_op_mov_v_reg(s, ot, s->T0, rm);

>          }

>          /* load shift */

> @@ -6803,6 +6811,9 @@ static target_ulong disas_insn(DisasContext *s, CPUState *cpu)

>                  gen_op_ld_v(s, ot, s->T0, s->A0);

>              }

>          } else {

> +            if (s->prefix & PREFIX_LOCK) {

> +                goto illegal_op;

> +            }

>              gen_op_mov_v_reg(s, ot, s->T0, rm);

>          }

>      bt_op:

>
Philippe Mathieu-Daudé Feb. 6, 2019, 3:59 p.m. UTC | #3
On 2/6/19 6:42 AM, Richard Henderson wrote:
> Ping.

> 

> On 12/7/18 5:09 PM, Richard Henderson wrote:

>> This covers inc, dec, and the bit test instructions.

>>

>> I believe we've finally covered all of the cases for

>> which we have an atomic path that would use the cpu_A0

>> temp, which is only initialized for address sources.

>>

>> Fixes: https://bugs.launchpad.net/qemu/+bug/1803160/comments/4


Reported-by: Alberto Ortega <aortega.lms@gmail.com>

>> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>


Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>


>> ---

>>  target/i386/translate.c | 11 +++++++++++

>>  1 file changed, 11 insertions(+)

>>

>> diff --git a/target/i386/translate.c b/target/i386/translate.c

>> index 0dd5fbe45c..eb52322a47 100644

>> --- a/target/i386/translate.c

>> +++ b/target/i386/translate.c

>> @@ -1398,6 +1398,11 @@ static void gen_op(DisasContext *s1, int op, TCGMemOp ot, int d)

>>  static void gen_inc(DisasContext *s1, TCGMemOp ot, int d, int c)

>>  {

>>      if (s1->prefix & PREFIX_LOCK) {

>> +        if (d != OR_TMP0) {

>> +            /* Lock prefix when destination is not memory.  */

>> +            gen_illegal_opcode(s1);

>> +            return;

>> +        }

>>          tcg_gen_movi_tl(s1->T0, c > 0 ? 1 : -1);

>>          tcg_gen_atomic_add_fetch_tl(s1->T0, s1->A0, s1->T0,

>>                                      s1->mem_index, ot | MO_LE);

>> @@ -6764,6 +6769,9 @@ static target_ulong disas_insn(DisasContext *s, CPUState *cpu)

>>                  gen_op_ld_v(s, ot, s->T0, s->A0);

>>              }

>>          } else {

>> +            if (s->prefix & PREFIX_LOCK) {

>> +                goto illegal_op;

>> +            }

>>              gen_op_mov_v_reg(s, ot, s->T0, rm);

>>          }

>>          /* load shift */

>> @@ -6803,6 +6811,9 @@ static target_ulong disas_insn(DisasContext *s, CPUState *cpu)

>>                  gen_op_ld_v(s, ot, s->T0, s->A0);

>>              }

>>          } else {

>> +            if (s->prefix & PREFIX_LOCK) {

>> +                goto illegal_op;

>> +            }

>>              gen_op_mov_v_reg(s, ot, s->T0, rm);

>>          }

>>      bt_op:

>>

> 

>
Paolo Bonzini Feb. 12, 2019, 2:17 p.m. UTC | #4
On 07/12/18 18:09, Richard Henderson wrote:
> This covers inc, dec, and the bit test instructions.

> 

> I believe we've finally covered all of the cases for

> which we have an atomic path that would use the cpu_A0

> temp, which is only initialized for address sources.

> 

> Fixes: https://bugs.launchpad.net/qemu/+bug/1803160/comments/4

> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

> ---

>  target/i386/translate.c | 11 +++++++++++

>  1 file changed, 11 insertions(+)

> 

> diff --git a/target/i386/translate.c b/target/i386/translate.c

> index 0dd5fbe45c..eb52322a47 100644

> --- a/target/i386/translate.c

> +++ b/target/i386/translate.c

> @@ -1398,6 +1398,11 @@ static void gen_op(DisasContext *s1, int op, TCGMemOp ot, int d)

>  static void gen_inc(DisasContext *s1, TCGMemOp ot, int d, int c)

>  {

>      if (s1->prefix & PREFIX_LOCK) {

> +        if (d != OR_TMP0) {

> +            /* Lock prefix when destination is not memory.  */

> +            gen_illegal_opcode(s1);

> +            return;

> +        }

>          tcg_gen_movi_tl(s1->T0, c > 0 ? 1 : -1);

>          tcg_gen_atomic_add_fetch_tl(s1->T0, s1->A0, s1->T0,

>                                      s1->mem_index, ot | MO_LE);

> @@ -6764,6 +6769,9 @@ static target_ulong disas_insn(DisasContext *s, CPUState *cpu)

>                  gen_op_ld_v(s, ot, s->T0, s->A0);

>              }

>          } else {

> +            if (s->prefix & PREFIX_LOCK) {

> +                goto illegal_op;

> +            }

>              gen_op_mov_v_reg(s, ot, s->T0, rm);

>          }

>          /* load shift */

> @@ -6803,6 +6811,9 @@ static target_ulong disas_insn(DisasContext *s, CPUState *cpu)

>                  gen_op_ld_v(s, ot, s->T0, s->A0);

>              }

>          } else {

> +            if (s->prefix & PREFIX_LOCK) {

> +                goto illegal_op;

> +            }

>              gen_op_mov_v_reg(s, ot, s->T0, rm);

>          }

>      bt_op:

> 


Queued, thanks.

Paolo

Patch

diff --git a/target/i386/translate.c b/target/i386/translate.c
index 0dd5fbe45c..eb52322a47 100644
--- a/target/i386/translate.c
+++ b/target/i386/translate.c
@@ -1398,6 +1398,11 @@  static void gen_op(DisasContext *s1, int op, TCGMemOp ot, int d)
 static void gen_inc(DisasContext *s1, TCGMemOp ot, int d, int c)
 {
     if (s1->prefix & PREFIX_LOCK) {
+        if (d != OR_TMP0) {
+            /* Lock prefix when destination is not memory.  */
+            gen_illegal_opcode(s1);
+            return;
+        }
         tcg_gen_movi_tl(s1->T0, c > 0 ? 1 : -1);
         tcg_gen_atomic_add_fetch_tl(s1->T0, s1->A0, s1->T0,
                                     s1->mem_index, ot | MO_LE);
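Review bot: The comment on the new `d != OR_TMP0` check names the condition but not the consequence of missing it; I would write `/* LOCK with a register destination is #UD; A0 is only set up for memory operands, so the atomic path below must not run. */` so the next reader sees that falling through hands an uninitialised A0 to tcg_gen_atomic_add_fetch_tl. That pre-patch path is reachable from unprivileged guest code with a single `lock inc %eax`, which is presumably the crash in the referenced bug, so a tests/tcg/i386 case executing that instruction and expecting SIGILL would pin the fix against regression. gen_inc's body continues past the hunk, and its callers are not visible, so I cannot confirm from here that nothing after the early return assumes code was emitted.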
@@ -6764,6 +6769,9 @@  static target_ulong disas_insn(DisasContext *s, CPUState *cpu)
                 gen_op_ld_v(s, ot, s->T0, s->A0);
             }
         } else {
+            if (s->prefix & PREFIX_LOCK) {
+                goto illegal_op;
+            }
             gen_op_mov_v_reg(s, ot, s->T0, rm);
         }
         /* load shift */
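Review bot: The new guard rejects LOCK only on the register-operand path; whether a LOCK-prefixed plain `bt` (op 0, which only reads its memory operand and is #UD on real hardware) is also rejected is decided in the code after `bt_op:`, outside this hunk, and is worth confirming given the commit message's claim that all atomic paths are now covered. As written the guard sits below the `mod != 3` split and is repeated verbatim in the next hunk; a single `if (mod == 3 && (s->prefix & PREFIX_LOCK)) goto illegal_op;` ahead of the branch would make the #UD condition visible at the top of the operand decode, though either form is correct. disas_insn starts and ends well outside the hunk.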
@@ -6803,6 +6811,9 @@  static target_ulong disas_insn(DisasContext *s, CPUState *cpu)
                 gen_op_ld_v(s, ot, s->T0, s->A0);
             }
         } else {
+            if (s->prefix & PREFIX_LOCK) {
+                goto illegal_op;
+            }
             gen_op_mov_v_reg(s, ot, s->T0, rm);
         }
     bt_op: