From patchwork Tue Mar 20 13:41:11 2018
X-Patchwork-Submitter: Peter Maydell
X-Patchwork-Id: 132145
From: Peter Maydell
To: qemu-arm@nongnu.org, qemu-devel@nongnu.org
Cc: patches@linaro.org
Subject: [PATCH for-2.12 1/4] target/arm: Honour MDCR_EL2.TDE when routing exceptions due to BKPT/BRK
Date: Tue, 20 Mar 2018 13:41:11 +0000
Message-Id: <20180320134114.30418-2-peter.maydell@linaro.org>
X-Mailer: git-send-email 2.16.2
In-Reply-To: <20180320134114.30418-1-peter.maydell@linaro.org>
References: <20180320134114.30418-1-peter.maydell@linaro.org>

The MDCR_EL2.TDE bit allows the exception level targeted by debug exceptions to be set to EL2 for code executing at EL0. We handle this in the arm_debug_target_el() function, but this is only used for hardware breakpoint and watchpoint exceptions, not for the exception generated when the guest executes an AArch32 BKPT or AArch64 BRK instruction.

We don't have enough information for a translate-time equivalent of arm_debug_target_el(), so instead make BKPT and BRK call a special purpose helper which can do the routing, rather than the generic exception_with_syndrome helper.
Signed-off-by: Peter Maydell --- target/arm/helper.h | 1 + target/arm/op_helper.c | 8 ++++++++ target/arm/translate-a64.c | 15 +++++++++++++-- target/arm/translate.c | 19 ++++++++++++++----- 4 files changed, 36 insertions(+), 7 deletions(-) -- 2.16.2 Reviewed-by: Philippe Mathieu-Daudé diff --git a/target/arm/helper.h b/target/arm/helper.h index 0d2094f2be..34e8cc8904 100644 --- a/target/arm/helper.h +++ b/target/arm/helper.h @@ -47,6 +47,7 @@ DEF_HELPER_FLAGS_3(sel_flags, TCG_CALL_NO_RWG_SE, i32, i32, i32, i32) DEF_HELPER_2(exception_internal, void, env, i32) DEF_HELPER_4(exception_with_syndrome, void, env, i32, i32, i32) +DEF_HELPER_2(exception_bkpt_insn, void, env, i32) DEF_HELPER_1(setend, void, env) DEF_HELPER_2(wfi, void, env, i32) DEF_HELPER_1(wfe, void, env) diff --git a/target/arm/op_helper.c b/target/arm/op_helper.c index 7a88fd2c92..4b123d2bd6 100644 --- a/target/arm/op_helper.c +++ b/target/arm/op_helper.c @@ -483,6 +483,14 @@ void HELPER(exception_with_syndrome)(CPUARMState *env, uint32_t excp, raise_exception(env, excp, syndrome, target_el); } +/* Raise an EXCP_BKPT with the specified syndrome register value, + * targeting the correct exception level for debug exceptions. + */ +void HELPER(exception_bkpt_insn)(CPUARMState *env, uint32_t syndrome) +{ + raise_exception(env, EXCP_BKPT, syndrome, arm_debug_target_el(env)); +} + uint32_t HELPER(cpsr_read)(CPUARMState *env) { return cpsr_read(env) & ~(CPSR_EXEC | CPSR_RESERVED); diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c index 31ff0479e6..510951f7c7 100644 --- a/target/arm/translate-a64.c +++ b/target/arm/translate-a64.c 
@@ -321,6 +321,18 @@ static void gen_exception_insn(DisasContext *s, int offset, int excp, s->base.is_jmp = DISAS_NORETURN; } +static void gen_exception_bkpt_insn(DisasContext *s, int offset, + uint32_t syndrome) +{ + TCGv_i32 tcg_syn; + + gen_a64_set_pc_im(s->pc - offset); + tcg_syn = tcg_const_i32(syndrome); + gen_helper_exception_bkpt_insn(cpu_env, tcg_syn); + tcg_temp_free_i32(tcg_syn); + s->base.is_jmp = DISAS_NORETURN; +} + static void gen_ss_advance(DisasContext *s) { /* If the singlestep state is Active-not-pending, advance to @@ -1839,8 +1851,7 @@ static void disas_exc(DisasContext *s, uint32_t insn) break; } /* BRK */ - gen_exception_insn(s, 4, EXCP_BKPT, syn_aa64_bkpt(imm16), - default_exception_el(s)); + gen_exception_bkpt_insn(s, 4, syn_aa64_bkpt(imm16)); break; case 2: if (op2_ll != 0) { diff --git a/target/arm/translate.c b/target/arm/translate.c index ba6ab7d287..68f0c585f4 100644 --- a/target/arm/translate.c +++ b/target/arm/translate.c @@ -1248,6 +1248,18 @@ static void gen_exception_insn(DisasContext *s, int offset, int excp, s->base.is_jmp = DISAS_NORETURN; } +static void gen_exception_bkpt_insn(DisasContext *s, int offset, int syn) +{ + TCGv_i32 tcg_syn; + + gen_set_condexec(s); + gen_set_pc_im(s, s->pc - offset); + tcg_syn = tcg_const_i32(syn); + gen_helper_exception_bkpt_insn(cpu_env, tcg_syn); + tcg_temp_free_i32(tcg_syn); + s->base.is_jmp = DISAS_NORETURN; +} + /* Force a TB lookup after an instruction that changes the CPU state. */ static inline void gen_lookup_tb(DisasContext *s) { @@ -8774,9 +8786,7 @@ static void disas_arm_insn(DisasContext *s, unsigned int insn) case 1: /* bkpt */ ARCH(5); - gen_exception_insn(s, 4, EXCP_BKPT, - syn_aa32_bkpt(imm16, false), - default_exception_el(s)); + gen_exception_bkpt_insn(s, 4, syn_aa32_bkpt(imm16, false)); break; case 2: /* Hypervisor call (v7) */ 
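Review bot: the two new gen_exception_bkpt_insn() definitions disagree on the syndrome parameter: the translate-a64.c version takes `uint32_t syndrome` while the translate.c version takes `int syn`, although both just feed it to tcg_const_i32() and HELPER(exception_bkpt_insn) declares it as uint32_t; use the same type and name in both. Separately, the calls being replaced passed default_exception_el(s), which yields the current EL when the guest is already running at EL2 or EL3, whereas the new path lets arm_debug_target_el(env) decide at run time; it is worth stating in the commit message (or asserting in the helper) that arm_debug_target_el() never picks an EL below the current one for a BKPT/BRK executed at EL2 or EL3, since nothing in this hunk guards against that.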
@@ -11983,8 +11993,7 @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn) { int imm8 = extract32(insn, 0, 8); ARCH(5); - gen_exception_insn(s, 2, EXCP_BKPT, syn_aa32_bkpt(imm8, true), - default_exception_el(s)); + gen_exception_bkpt_insn(s, 2, syn_aa32_bkpt(imm8, true)); break; }

From patchwork Tue Mar 20 13:41:12 2018
X-Patchwork-Submitter: Peter Maydell
X-Patchwork-Id: 132146
From: Peter Maydell
To: qemu-arm@nongnu.org, qemu-devel@nongnu.org
Cc: patches@linaro.org
Subject: [PATCH for-2.12 2/4] target/arm: Factor out code to calculate FSR for debug exceptions
Date: Tue, 20 Mar 2018 13:41:12 +0000
Message-Id: <20180320134114.30418-3-peter.maydell@linaro.org>
X-Mailer: git-send-email 2.16.2
In-Reply-To: <20180320134114.30418-1-peter.maydell@linaro.org>
References: <20180320134114.30418-1-peter.maydell@linaro.org>

When a debug exception is taken to AArch32, it appears as a Prefetch Abort, and the Instruction Fault Status Register (IFSR) must be set. The IFSR has two possible formats, depending on whether LPAE is in use. Factor out the code in arm_debug_excp_handler() which picks an FSR value into its own utility function, update it to use arm_fi_to_lfsc() and arm_fi_to_sfsc() rather than hard-coded constants, and use the correct condition to select long or short format.

In particular this fixes a bug where we could select the short format because we're at EL0 and the EL1 translation regime is not using LPAE, but then route the debug exception to EL2 because of MDCR_EL2.TDE and hand EL2 the wrong format FSR.

Signed-off-by: Peter Maydell
---
 target/arm/internals.h | 25 +++++++++++++++++++++++++
 target/arm/op_helper.c | 12 ++----------
 2 files changed, 27 insertions(+), 10 deletions(-)

-- 
2.16.2

Reviewed-by: Philippe Mathieu-Daudé

diff --git a/target/arm/internals.h b/target/arm/internals.h index 47cc224a46..8ce944b7a0 100644 --- a/target/arm/internals.h +++ b/target/arm/internals.h
@@ -763,4 +763,29 @@ static inline bool regime_is_secure(CPUARMState *env, ARMMMUIdx mmu_idx) } } +/* Return the FSR value for a debug exception (watchpoint, hardware + * breakpoint or BKPT insn) targeting the specified exception level. + */ +static inline uint32_t arm_debug_exception_fsr(CPUARMState *env) +{ + ARMMMUFaultInfo fi = { .type = ARMFault_Debug }; + int target_el = arm_debug_target_el(env); + bool using_lpae = false; + + if (target_el == 2 || arm_el_is_aa64(env, target_el)) { + using_lpae = true; + } else { + if (arm_feature(env, ARM_FEATURE_LPAE) && + (env->cp15.tcr_el[target_el].raw_tcr & TTBCR_EAE)) { + using_lpae = true; + } + } + + if (using_lpae) { + return arm_fi_to_lfsc(&fi); + } else { + return arm_fi_to_sfsc(&fi); + } +} + #endif diff --git a/target/arm/op_helper.c b/target/arm/op_helper.c index 4b123d2bd6..75efff9edf 100644 --- a/target/arm/op_helper.c +++ b/target/arm/op_helper.c @@ -1330,11 +1330,7 @@ void arm_debug_excp_handler(CPUState *cs) cs->watchpoint_hit = NULL; - if (extended_addresses_enabled(env)) { - env->exception.fsr = (1 << 9) | 0x22; - } else { - env->exception.fsr = 0x2; - } + env->exception.fsr = arm_debug_exception_fsr(env); env->exception.vaddress = wp_hit->hitaddr; raise_exception(env, EXCP_DATA_ABORT, syn_watchpoint(same_el, 0, wnr), 
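Review bot: the comment on arm_debug_exception_fsr() says it returns the FSR for a debug exception "targeting the specified exception level", but the function takes only `env` and derives target_el itself from arm_debug_target_el(env), so either drop "specified" from the comment or give the function an `int target_el` parameter; the latter also lets callers that already evaluate arm_debug_target_el(env) for raise_exception() pass the same value instead of computing it twice. The format selection itself looks correct: AArch32 EL2 always uses the long-descriptor format, and for an AArch32 EL1 or EL3 target it is gated on TTBCR.EAE of that EL's TCR bank rather than on the current translation regime, which is precisely the EL0-routed-to-EL2 case the commit message describes.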
@@ -1354,11 +1350,7 @@ void arm_debug_excp_handler(CPUState *cs) return; } - if (extended_addresses_enabled(env)) { - env->exception.fsr = (1 << 9) | 0x22; - } else { - env->exception.fsr = 0x2; - } + env->exception.fsr = arm_debug_exception_fsr(env); /* FAR is UNKNOWN, so doesn't need setting */ raise_exception(env, EXCP_PREFETCH_ABORT, syn_breakpoint(same_el),

From patchwork Tue Mar 20 13:41:13 2018
X-Patchwork-Submitter: Peter Maydell
X-Patchwork-Id: 132147
From: Peter Maydell
To: qemu-arm@nongnu.org, qemu-devel@nongnu.org
Cc: patches@linaro.org
Subject: [PATCH for-2.12 3/4] target/arm: Set FSR for BKPT, BRK when raising exception
Date: Tue, 20 Mar 2018 13:41:13 +0000
Message-Id: <20180320134114.30418-4-peter.maydell@linaro.org>
X-Mailer: git-send-email 2.16.2
In-Reply-To: <20180320134114.30418-1-peter.maydell@linaro.org>
References: <20180320134114.30418-1-peter.maydell@linaro.org>

Now that we have a helper function specifically for the BRK and BKPT instructions, we can set the exception.fsr there rather than in arm_cpu_do_interrupt_aarch32(). This allows us to use our new arm_debug_exception_fsr() helper.

In particular this fixes a bug where we were hardcoding the short-form IFSR value, which is wrong if the target exception level has LPAE enabled.

Fixes: https://bugs.launchpad.net/qemu/+bug/1756927
Signed-off-by: Peter Maydell --- target/arm/helper.c | 1 - target/arm/op_helper.c | 2 ++ 2 files changed, 2 insertions(+), 1 deletion(-) -- 2.16.2 Reviewed-by: Philippe Mathieu-Daudé diff --git a/target/arm/helper.c b/target/arm/helper.c index 09893e3f72..dcb8476d9e 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -7910,7 +7910,6 @@ static void arm_cpu_do_interrupt_aarch32(CPUState *cs) offset = 0; break; case EXCP_BKPT: - env->exception.fsr = 2; /* Fall through to prefetch abort. */ case EXCP_PREFETCH_ABORT: A32_BANKED_CURRENT_REG_SET(env, ifsr, env->exception.fsr); diff --git a/target/arm/op_helper.c b/target/arm/op_helper.c index 75efff9edf..8e1e521193 100644 --- a/target/arm/op_helper.c +++ b/target/arm/op_helper.c 
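Review bot: dropping `env->exception.fsr = 2;` from the EXCP_BKPT case in arm_cpu_do_interrupt_aarch32() means the fall-through into EXCP_PREFETCH_ABORT now writes whatever exception.fsr already holds into IFSR, so every path that raises EXCP_BKPT must set fsr itself before raising. The BKPT/BRK helper is covered by the companion op_helper.c change, but the commit message should say explicitly that it is the only raiser of EXCP_BKPT on the system-emulation path; otherwise a stale fsr from an earlier data or prefetch abort would be reported to the guest for the breakpoint.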
@@ -488,6 +488,8 @@ void HELPER(exception_with_syndrome)(CPUARMState *env, uint32_t excp, */ void HELPER(exception_bkpt_insn)(CPUARMState *env, uint32_t syndrome) { + /* FSR will only be used if the debug target EL is AArch32. */ + env->exception.fsr = arm_debug_exception_fsr(env); raise_exception(env, EXCP_BKPT, syndrome, arm_debug_target_el(env)); }

From patchwork Tue Mar 20 13:41:14 2018
X-Patchwork-Submitter: Peter Maydell
X-Patchwork-Id: 132148
From: Peter Maydell
To: qemu-arm@nongnu.org, qemu-devel@nongnu.org
Cc: patches@linaro.org
Subject: [PATCH for-2.12 4/4] target/arm: Always set FAR to a known unknown value for debug exceptions
Date: Tue, 20 Mar 2018 13:41:14 +0000
Message-Id: <20180320134114.30418-5-peter.maydell@linaro.org>
X-Mailer: git-send-email 2.16.2
In-Reply-To: <20180320134114.30418-1-peter.maydell@linaro.org>
References: <20180320134114.30418-1-peter.maydell@linaro.org>

For debug exceptions due to breakpoints or the BKPT instruction which are taken to AArch32, the Fault Address Register is architecturally UNKNOWN. We were using that as license to simply not set env->exception.vaddress, but this isn't correct, because it will expose to the guest whatever old value was in that field when arm_cpu_do_interrupt_aarch32() writes it to the guest IFSR. That old value might be a FAR for a previous guest EL2 or secure exception, in which case we shouldn't show it to an EL1 or non-secure exception handler. It might also be a non-deterministic value, which is bad for record-and-replay.

Clear env->exception.vaddress before taking breakpoint debug exceptions, to avoid this minor information leak.

Signed-off-by: Peter Maydell
---
 target/arm/op_helper.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

-- 
2.16.2

Reviewed-by: Philippe Mathieu-Daudé

diff --git a/target/arm/op_helper.c b/target/arm/op_helper.c index 8e1e521193..a266cc0116 100644 --- a/target/arm/op_helper.c +++ b/target/arm/op_helper.c @@ -490,6 +490,11 @@ void HELPER(exception_bkpt_insn)(CPUARMState *env, uint32_t syndrome) { /* FSR will only be used if the debug target EL is AArch32. */ env->exception.fsr = arm_debug_exception_fsr(env); + /* FAR is UNKNOWN: clear vaddress to avoid potentially exposing + * values to the guest that it shouldn't be able to see at its + * exception/security level. + */ + env->exception.vaddress = 0; raise_exception(env, EXCP_BKPT, syndrome, arm_debug_target_el(env)); }
@@ -1353,7 +1358,11 @@ void arm_debug_excp_handler(CPUState *cs) } env->exception.fsr = arm_debug_exception_fsr(env); - /* FAR is UNKNOWN, so doesn't need setting */ + /* FAR is UNKNOWN: clear vaddress to avoid potentially exposing + * values to the guest that it shouldn't be able to see at its + * exception/security level. + */ + env->exception.vaddress = 0; raise_exception(env, EXCP_PREFETCH_ABORT, syn_breakpoint(same_el), arm_debug_target_el(env));
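Review bot: this hunk and the exception_bkpt_insn hunk above add an identical four-line comment and `env->exception.vaddress = 0;`; a small shared helper, or at least a one-line comment at one site pointing to the other, would keep the two from drifting apart. The watchpoint path earlier in arm_debug_excp_handler() needs no change since it sets vaddress = wp_hit->hitaddr before raising. One wording nit for the commit message: the stale vaddress reaches the guest through the fault address register that arm_cpu_do_interrupt_aarch32() writes alongside IFSR, so "IFAR" rather than "IFSR" appears to be meant there.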