From patchwork Tue Nov 13 19:35:10 2018
X-Patchwork-Submitter: Richard Henderson
X-Patchwork-Id: 151010
From: Richard Henderson
To: qemu-devel@nongnu.org
Cc: pbonzini@redhat.com, f4bug@amsat.org, ehabkost@redhat.com
Date: Tue, 13 Nov 2018 20:35:10 +0100
Message-Id: <20181113193510.24862-1-richard.henderson@linaro.org>
Subject: [Qemu-devel] [PATCH] target/i386: Generate #UD when applying LOCK to a register destination

Fixes a TCG crash due to attempting the atomic operation without
having set up the address first. This does not attempt to fix all
of the other missing checks for LOCK.

Fixes: a7cee522f35
Fixes: https://bugs.launchpad.net/qemu/+bug/1803160
Signed-off-by: Richard Henderson
---
 target/i386/translate.c | 35 ++++++++++++++++++++---------------
 1 file changed, 20 insertions(+), 15 deletions(-)

-- 
2.17.2

diff --git a/target/i386/translate.c b/target/i386/translate.c
index f8bc7680af..0dd5fbe45c 100644
--- a/target/i386/translate.c
+++ b/target/i386/translate.c
@@ -1268,10 +1268,30 @@ static void gen_helper_fp_arith_STN_ST0(int op, int opreg) } } +static void gen_exception(DisasContext *s, int trapno, target_ulong cur_eip) +{ + gen_update_cc_op(s); + gen_jmp_im(s, cur_eip); + gen_helper_raise_exception(cpu_env, tcg_const_i32(trapno)); + s->base.is_jmp = DISAS_NORETURN; +} + +/* Generate #UD for the current instruction. The assumption here is that + the instruction is known, but it isn't allowed in the current cpu mode. */ +static void gen_illegal_opcode(DisasContext *s) +{ + gen_exception(s, EXCP06_ILLOP, s->pc_start - s->cs_base); +} + /* if d == OR_TMP0, it means memory operand (address in A0) */ static void gen_op(DisasContext *s1, int op, TCGMemOp ot, int d) { if (d != OR_TMP0) { + if (s1->prefix & PREFIX_LOCK) { + /* Lock prefix when destination is not memory. */ + gen_illegal_opcode(s1); + return; + } gen_op_mov_v_reg(s1, ot, s1->T0, d); } else if (!(s1->prefix & PREFIX_LOCK)) { gen_op_ld_v(s1, ot, s1->T0, s1->A0); @@ -2469,21 +2489,6 @@ static void gen_leave(DisasContext *s) gen_op_mov_reg_v(s, a_ot, R_ESP, s->T1); } -static void gen_exception(DisasContext *s, int trapno, target_ulong cur_eip) -{ - gen_update_cc_op(s); - gen_jmp_im(s, cur_eip); - gen_helper_raise_exception(cpu_env, tcg_const_i32(trapno)); - s->base.is_jmp = DISAS_NORETURN; -} - -/* Generate #UD for the current instruction. The assumption here is that - the instruction is known, but it isn't allowed in the current cpu mode. */ -static void gen_illegal_opcode(DisasContext *s) -{ - gen_exception(s, EXCP06_ILLOP, s->pc_start - s->cs_base); -} - /* Similarly, except that the assumption here is that we don't decode the instruction at all -- either a missing opcode, an unimplemented feature, or just a bogus instruction stream. */
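Review bot: the early-out added in gen_op() (first hunk) only guards the register-destination branch, `if (d != OR_TMP0)`; the branch right below it, `else if (!(s1->prefix & PREFIX_LOCK))`, still skips the load of T0 whenever LOCK is present, so any operation gen_op() handles without its own atomic path keeps running on an unloaded T0 for a LOCK-prefixed memory operand. The commit message says those remaining LOCK checks are deliberately out of scope, so say so in the new comment rather than only "Lock prefix when destination is not memory", and state why the early-out is the right response (the architecture defines a LOCK prefix on a non-memory destination as #UD, and gen_illegal_opcode() reports it at `s->pc_start - s->cs_base`, i.e. at the faulting instruction, which is the correct fault semantics). That keeps the next reader from assuming gen_op() is now fully LOCK-clean.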
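Review bot: the second hunk is a pure relocation: the gen_exception() and gen_illegal_opcode() bodies removed after gen_leave() are identical to the ones added above gen_op() in the first hunk, moved up so the new caller sees them without a forward declaration. The commit message does not mention the move; one sentence ("Move gen_exception and gen_illegal_opcode earlier so gen_op can use them") would make the 15-line deletion obviously intentional to anyone bisecting and would make clear that no behaviour change hides in it. The surviving comment on the function that follows, "Similarly, except that the assumption here is that we don't decode the instruction at all ...", now refers back to a function that is roughly 1200 lines earlier; reword it to name gen_illegal_opcode() explicitly so "Similarly" still has a referent.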
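As an added example that is not part of this patch or of QEMU's own code: a small host-side reproducer in C for the architectural behaviour the patch makes TCG follow. It runs a LOCK-prefixed ADD with a register destination in a forked child and reports how the child ended; on x86 hardware, and under a QEMU user-mode binary that carries this fix, the child is killed by SIGILL (the kernel's delivery of #UD), while the same ADD with a memory destination completes. The instruction bytes F0 01 C3 are hand-assembled here (LOCK; ADD r/m32, r32 with ModRM C3, a register operand), the function names are the example's own, and on non-x86 hosts the functions return -1 and execute nothing.

```c
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run fn() in a forked child and report how it ended:
 *    0  -> child returned and exited with status 0
 *   >0  -> number of the signal that killed the child (SIGILL for #UD)
 *   -1  -> fork/waitpid failed
 *   -2  -> child exited with a non-zero status (its own sanity check failed) */
int run_in_child(void (*fn)(void))
{
    pid_t pid = fork();
    if (pid < 0) {
        return -1;
    }
    if (pid == 0) {
        fn();
        _exit(0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid) {
        return -1;
    }
    if (WIFSIGNALED(status)) {
        return WTERMSIG(status);
    }
    if (WIFEXITED(status)) {
        return WEXITSTATUS(status) == 0 ? 0 : -2;
    }
    return -1;
}

#if defined(__x86_64__) || defined(__i386__)
/* LOCK ADD with a register destination, hand-assembled (example bytes):
 *   F0      LOCK prefix
 *   01 C3   ADD r/m32, r32; ModRM C3 = mod 11 (register), reg EAX, rm EBX
 * The ISA defines LOCK on a non-memory destination as #UD; Linux delivers
 * that fault to the process as SIGILL. */
static void lock_add_register_dest(void)
{
    __asm__ __volatile__(".byte 0xf0, 0x01, 0xc3" ::: "eax", "ebx", "cc");
}

/* The same ADD with a memory destination: the form LOCK is defined for.
 * Exits non-zero if the atomic add did not take effect. */
static void lock_add_memory_dest(void)
{
    volatile int counter = 1;
    __asm__ __volatile__("lock addl %1, %0" : "+m"(counter) : "r"(1) : "cc");
    if (counter != 2) {
        _exit(1);
    }
}
#endif

/* Result of LOCK ADD r32, r32 in a child: SIGILL on x86, -1 elsewhere. */
int lock_register_dest_result(void)
{
#if defined(__x86_64__) || defined(__i386__)
    return run_in_child(lock_add_register_dest);
#else
    return -1;
#endif
}

/* Result of LOCK ADD m32, r32 in a child: 0 on x86, -1 elsewhere. */
int lock_memory_dest_result(void)
{
#if defined(__x86_64__) || defined(__i386__)
    return run_in_child(lock_add_memory_dest);
#else
    return -1;
#endif
}

int main(void)
{
    int reg = lock_register_dest_result();
    int mem = lock_memory_dest_result();
    if (reg == -1 && mem == -1) {
        puts("not an x86 host, nothing to test");
        return 0;
    }
    printf("lock add %%eax,%%ebx  -> %s\n", reg == SIGILL ? "SIGILL (#UD)" : "unexpected");
    printf("lock add %%eax,(mem)  -> %s\n", mem == 0 ? "completed" : "unexpected");
    return (reg == SIGILL && mem == 0) ? 0 : 1;
}
```

Before this patch, running the same binary under qemu-x86_64 (or qemu-i386) would abort the emulator itself rather than deliver SIGILL to the guest process, because gen_op() reached the atomic path with no address set up; with the patch applied the guest sees exactly what it would on hardware.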