[Qemu-devel] [PATCH 58/88] target-xtensa: add missing window check for e

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-devel] [PATCH 58/88] target-xtensa: add missing window check for e

From:	Michael Roth
Subject:	[Qemu-devel] [PATCH 58/88] target-xtensa: add missing window check for entry
Date:	Thu, 8 Jan 2015 11:34:02 -0600

From: Max Filippov <address@hidden>

Entry opcode needs to check if moving to new register frame would cause
register window overflow. Entry used in function prologue never
overflows because preceding windowed call* opcode writes return address
to the target register window frame, causing overflow exceptions at the
point of call. But when a sequence of entry opcodes is used for register
window spilling there may not be a call or other opcode that would cause
window check between entries and they would not raise overflow exception
themselves resulting in data corruption.

Cc: address@hidden
Signed-off-by: Max Filippov <address@hidden>
(cherry picked from commit 1b3e71f8ee17ced609213d9b41758110f3c026e9)
Signed-off-by: Michael Roth <address@hidden>
---
 target-xtensa/cpu.h       | 6 ++++++
 target-xtensa/op_helper.c | 6 ++++++
 2 files changed, 12 insertions(+)

diff --git a/target-xtensa/cpu.h b/target-xtensa/cpu.h
index d797d26..6e4e2b2 100644
--- a/target-xtensa/cpu.h
+++ b/target-xtensa/cpu.h
@@ -471,6 +471,12 @@ static inline xtensa_tlb_entry 
*xtensa_tlb_get_entry(CPUXtensaState *env,
         env->itlb[wi] + ei;
 }
 
+static inline uint32_t xtensa_replicate_windowstart(CPUXtensaState *env)
+{
+    return env->sregs[WINDOW_START] |
+        (env->sregs[WINDOW_START] << env->config->nareg / 4);
+}
+
 /* MMU modes definitions */
 #define MMU_MODE0_SUFFIX _ring0
 #define MMU_MODE1_SUFFIX _ring1
diff --git a/target-xtensa/op_helper.c b/target-xtensa/op_helper.c
index dae1386..872e5a8 100644
--- a/target-xtensa/op_helper.c
+++ b/target-xtensa/op_helper.c
@@ -235,6 +235,12 @@ void HELPER(entry)(CPUXtensaState *env, uint32_t pc, 
uint32_t s, uint32_t imm)
                 pc, env->sregs[PS]);
         HELPER(exception_cause)(env, pc, ILLEGAL_INSTRUCTION_CAUSE);
     } else {
+        uint32_t windowstart = xtensa_replicate_windowstart(env) >>
+            (env->sregs[WINDOW_BASE] + 1);
+
+        if (windowstart & ((1 << callinc) - 1)) {
+            HELPER(window_check)(env, pc, callinc);
+        }
         env->regs[(callinc << 2) | (s & 3)] = env->regs[s] - (imm << 3);
         rotate_window(env, callinc);
         env->sregs[WINDOW_START] |=
-- 
1.9.1

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] [PATCH 45/88] vmware-vga: use vmsvga_verify_rect in vmsvga_copy_rect, (continued)
- [Qemu-devel] [PATCH 45/88] vmware-vga: use vmsvga_verify_rect in vmsvga_copy_rect, Michael Roth, 2015/01/08
- [Qemu-devel] [PATCH 51/88] virtio-scsi: sense in virtio_scsi_command_complete, Michael Roth, 2015/01/08
- [Qemu-devel] [PATCH 52/88] tcg/mips: fix store softmmu slow path, Michael Roth, 2015/01/08
- [Qemu-devel] [PATCH 47/88] qcow2: Do not overflow when writing an L1 sector, Michael Roth, 2015/01/08
- [Qemu-devel] [PATCH 49/88] Make qemu_shutdown_requested signal-safe, Michael Roth, 2015/01/08
- [Qemu-devel] [PATCH 54/88] hw/xtensa/xtfpga: treat uImage load address as virtual, Michael Roth, 2015/01/08
- [Qemu-devel] [PATCH 53/88] hw/core/loader: implement address translation in uimage loader, Michael Roth, 2015/01/08
- [Qemu-devel] [PATCH 57/88] esp-pci: fixup deadlock with linux, Michael Roth, 2015/01/08
- [Qemu-devel] [PATCH 19/88] virtio-balloon: fix integer overflow in memory stats feature, Michael Roth, 2015/01/08
- [Qemu-devel] [PATCH 56/88] hw/ppc/spapr_pci.c: Avoid functions not in glib 2.12 (g_hash_table_iter_*), Michael Roth, 2015/01/08
- [Qemu-devel] [PATCH 58/88] target-xtensa: add missing window check for entry, Michael Roth <=
- [Qemu-devel] [PATCH 21/88] ivshmem: Check ivshmem_read() size argument, Michael Roth, 2015/01/08
- [Qemu-devel] [PATCH 23/88] ivshmem: Fix potential OOB r/w access, Michael Roth, 2015/01/08
- [Qemu-devel] [PATCH 55/88] snapshot: add bdrv_drain_all() to bdrv_snapshot_delete() to avoid concurrency problem, Michael Roth, 2015/01/08
- [Qemu-devel] [PATCH 61/88] libcacard: fix resource leak, Michael Roth, 2015/01/08
- [Qemu-devel] [PATCH 59/88] kvm: Fix memory slot page alignment logic, Michael Roth, 2015/01/08
- [Qemu-devel] [PATCH 62/88] l2tpv3: fix possible double free, Michael Roth, 2015/01/08
- [Qemu-devel] [PATCH 60/88] virtio-scsi: work around bug in old BIOSes, Michael Roth, 2015/01/08
- [Qemu-devel] [PATCH 64/88] hw/ide/core.c: Prevent SIGSEGV during migration, Michael Roth, 2015/01/08
- [Qemu-devel] [PATCH 66/88] block: Make essential BlockDriver objects public, Michael Roth, 2015/01/08
- [Qemu-devel] [PATCH 63/88] exec: Handle multipage ranges in invalidate_and_set_dirty(), Michael Roth, 2015/01/08

Prev by Date: [Qemu-devel] [PATCH 56/88] hw/ppc/spapr_pci.c: Avoid functions not in glib 2.12 (g_hash_table_iter_*)
Next by Date: [Qemu-devel] [PATCH 21/88] ivshmem: Check ivshmem_read() size argument
Previous by thread: [Qemu-devel] [PATCH 56/88] hw/ppc/spapr_pci.c: Avoid functions not in glib 2.12 (g_hash_table_iter_*)
Next by thread: [Qemu-devel] [PATCH 21/88] ivshmem: Check ivshmem_read() size argument
Index(es):
- Date
- Thread