From: Michael Tokarev
Subject: [Qemu-stable] [PATCH 59/60] target-xtensa: fix ITLB/DTLB page protection flags
Date: Mon, 4 Feb 2013 14:41:09 +0400
From: Max Filippov <address@hidden>
With the MMU option, the xtensa architecture has two TLBs: ITLB and DTLB. ITLB is
only used for code access, DTLB is only for data. However TLB entries in
both TLBs have an attribute field controlling write and exec access. These
bits need to be properly masked off depending on TLB type before being
used as the tlb_set_page prot argument. Otherwise the following happens:
(1) ITLB entry for some PFN gets invalidated
(2) DTLB entry for the same PFN gets updated, attributes allow code execution
(3) code at the page with that PFN is executed (possible due to step 2), entry for the TB is written into the jump cache
(4) QEMU TLB entry for the PFN gets replaced with an entry for some other PFN
(5) code in the TB from step 3 is executed (possible due to jump cache) and it accesses data, for which there's no DTLB entry, causing DTLB miss exception
(6) re-translation of the TB from step 5 is attempted, but there's no QEMU TLB entry nor xtensa ITLB entry for that PFN, which causes ITLB miss exception at the TB start address
(7) ITLB miss exception is handled by the guest, but execution is resumed from the beginning of the faulting TB (the point where ITLB miss occurred), not from the point where DTLB miss occurred, which is wrong.
With that fix the above scenario causes ITLB miss exception (that used
to be step 7) at step 3, right at the beginning of the TB.
Signed-off-by: Max Filippov <address@hidden>
Cc: address@hidden
Signed-off-by: Blue Swirl <address@hidden>
(cherry picked from commit 659f807c0a700317a7a0fae7a6e6ebfe68bfbbc4)
Signed-off-by: Michael Tokarev <address@hidden>
---
target-xtensa/helper.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/target-xtensa/helper.c b/target-xtensa/helper.c
index 8ebef72..c9d6f38 100644
--- a/target-xtensa/helper.c
+++ b/target-xtensa/helper.c
@@ -497,7 +497,8 @@ static int get_physical_addr_mmu(CPUXtensaState *env, bool
update_tlb,
INST_FETCH_PRIVILEGE_CAUSE;
}
- *access = mmu_attr_to_access(entry->attr);
+ *access = mmu_attr_to_access(entry->attr) &
+ ~(dtlb ? PAGE_EXEC : PAGE_READ | PAGE_WRITE);
if (!is_access_granted(*access, is_write)) {
return dtlb ?
(is_write ?
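Review bot: the new expression `~(dtlb ? PAGE_EXEC : PAGE_READ | PAGE_WRITE)` depends on `|` binding tighter than `?:`; that does give the intended mask, but writing it as `~(dtlb ? PAGE_EXEC : (PAGE_READ | PAGE_WRITE))` would spare every later reader the precedence check. A one-line comment above the assignment stating why the bits are stripped (an ITLB entry must never grant data access and a DTLB entry must never grant execute, otherwise a translated block can be cached through a DTLB-only mapping, as the commit message describes) would also help, since the masked `*access` is immediately reused by the `is_access_granted(*access, is_write)` check on the next line and by the later tlb_set_page call.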
--
1.7.10.4
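The effect of the masking this patch introduces, modelled as an added example that is not QEMU's code: the attribute encoding, the protection bit values and the access-type numbering below are constructed stand-ins for mmu_attr_to_access(), PAGE_* and is_access_granted(), chosen only to reproduce step 2 and step 3 of the scenario in the commit message (a DTLB entry whose attributes allow execution, with no matching ITLB entry).

```c
#include <stdbool.h>
#include <stdio.h>

/* Page protection bits in the style of QEMU's PAGE_* (values assumed). */
#define PAGE_READ  0x1
#define PAGE_WRITE 0x2
#define PAGE_EXEC  0x4

/* Constructed TLB attribute encoding; not the real xtensa encoding. */
#define ATTR_W 0x1   /* entry allows writes */
#define ATTR_X 0x2   /* entry allows instruction fetch */

/* Stand-in for mmu_attr_to_access(): decode attr bits into PAGE_* bits. */
static int attr_to_access(unsigned attr)
{
    int access = PAGE_READ;          /* every valid entry is readable here */
    if (attr & ATTR_W) access |= PAGE_WRITE;
    if (attr & ATTR_X) access |= PAGE_EXEC;
    return access;
}

/* Before the fix: the TLB kind is ignored, so a DTLB entry can carry PAGE_EXEC. */
int prot_unfixed(unsigned attr, bool dtlb)
{
    (void)dtlb;
    return attr_to_access(attr);
}

/* After the fix: strip the bits this TLB kind must never grant.
 * DTLB entries lose PAGE_EXEC, ITLB entries lose PAGE_READ|PAGE_WRITE. */
int prot_fixed(unsigned attr, bool dtlb)
{
    return attr_to_access(attr) & ~(dtlb ? PAGE_EXEC : (PAGE_READ | PAGE_WRITE));
}

/* Access types in the 0/1/2 convention used by QEMU tlb_fill callers (assumed). */
enum { ACCESS_READ = 0, ACCESS_WRITE = 1, ACCESS_FETCH = 2 };

/* Stand-in for is_access_granted(). */
static bool access_granted(int prot, int access_type)
{
    switch (access_type) {
    case ACCESS_READ:  return (prot & PAGE_READ) != 0;
    case ACCESS_WRITE: return (prot & PAGE_WRITE) != 0;
    case ACCESS_FETCH: return (prot & PAGE_EXEC) != 0;
    default:           return false;
    }
}

/* Steps 2-3 of the commit message: the ITLB entry for the PFN is gone and only
 * a DTLB entry (attributes allow exec) remains. Does a fetch through it pass? */
bool fetch_allowed_via_dtlb(int (*prot_fn)(unsigned, bool))
{
    unsigned dtlb_attr = ATTR_W | ATTR_X;   /* constructed DTLB entry */
    int prot = prot_fn(dtlb_attr, true);    /* true: this is a DTLB lookup */
    return access_granted(prot, ACCESS_FETCH);
}

int main(void)
{
    printf("fetch via DTLB-only mapping, unfixed: %s\n",
           fetch_allowed_via_dtlb(prot_unfixed) ? "granted" : "denied");
    printf("fetch via DTLB-only mapping, fixed:   %s\n",
           fetch_allowed_via_dtlb(prot_fixed) ? "granted" : "denied");
    return 0;
}
```

With the unfixed computation the fetch is granted and the translated block would be cached against a mapping the ITLB never approved; with the fix the fetch is denied at step 3, which is the ITLB miss the commit message says now happens at the start of the TB.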