From patchwork Sat Nov 17 16:02:13 2018
X-Patchwork-Submitter: Luc Michel
X-Patchwork-Id: 10687541
From: Luc Michel
To: qemu-devel@nongnu.org
Cc: Peter Maydell, qemu-arm@nongnu.org, Luc Michel
Date: Sat, 17 Nov 2018 17:02:13 +0100
Message-Id: <20181117160213.18995-1-luc.michel@greensocs.com>
Subject: [Qemu-devel] [PATCH] target/arm: fix smc incorrectly trapping to EL3 when secure is off

This commit fixes a case where the CPU would try to go to EL3 when
executing an smc instruction, even though ARM_FEATURE_EL3 is false.

This case is raised when the PSCI conduit is set to smc, but the smc
instruction does not lead to a valid PSCI call. QEMU crashes with an
assertion failure later on because of incoherent mmu_idx.

This commit refactors the pre_smc helper by enumerating all the
possible ways of handling an smc instruction, and covering the
previously missing case leading to the crash.

The following minimal test would crash before this commit:

.global _start
.text
_start:
    ldr x0, =0xdeadbeef // invalid PSCI call
    smc #0

run with the following command line:

aarch64-linux-gnu-gcc -nostdinc -nostdlib -Wl,-Ttext=40000000 \
    -o test test.s
qemu-system-aarch64 -M virt,virtualization=on,secure=off \
    -cpu cortex-a57 -kernel test

Signed-off-by: Luc Michel
---
 target/arm/op_helper.c | 54 +++++++++++++++++++++++++++++++++++-------
 1 file changed, 46 insertions(+), 8 deletions(-)

diff --git a/target/arm/op_helper.c b/target/arm/op_helper.c
index eb6fb82fb8..0d6e89e474 100644
--- a/target/arm/op_helper.c
+++ b/target/arm/op_helper.c
@@ -937,43 +937,81 @@ void HELPER(pre_hvc)(CPUARMState *env) void HELPER(pre_smc)(CPUARMState *env, uint32_t syndrome) { ARMCPU *cpu = arm_env_get_cpu(env); int cur_el = arm_current_el(env); bool secure = arm_is_secure(env); - bool smd = env->cp15.scr_el3 & SCR_SMD; + bool smd_flag = env->cp15.scr_el3 & SCR_SMD; + + /* + * SMC behaviour is summarized in the following table. + * This helper handles the "Trap to EL2" and "Undef insn" cases. + * The "Trap to EL3" and "PSCI call" cases are handled in the exception + * helper. + * + * -> ARM_FEATURE_EL3 and !SMD + * HCR_TSC && NS EL1 !HCR_TSC || !NS EL1 + * + * Conduit SMC, valid call Trap to EL2 PSCI Call + * Conduit SMC, inval call Trap to EL2 Trap to EL3 + * Conduit not SMC Trap to EL2 Trap to EL3 + * + * + * -> ARM_FEATURE_EL3 and SMD + * HCR_TSC && NS EL1 !HCR_TSC || !NS EL1 + * + * Conduit SMC, valid call Trap to EL2 PSCI Call + * Conduit SMC, inval call Trap to EL2 Undef insn + * Conduit not SMC Trap to EL2 Undef insn + * + * + * -> !ARM_FEATURE_EL3 + * HCR_TSC && NS EL1 !HCR_TSC || !NS EL1 + * + * Conduit SMC, valid call Trap to EL2 PSCI Call + * Conduit SMC, inval call Trap to EL2 Undef insn + * Conduit not SMC Undef insn Undef insn + */ + /* On ARMv8 with EL3 AArch64, SMD applies to both S and NS state. * On ARMv8 with EL3 AArch32, or ARMv7 with the Virtualization * extensions, SMD only applies to NS state. * On ARMv7 without the Virtualization extensions, the SMD bit * doesn't exist, but we forbid the guest to set it to 1 in scr_write(), * so we need not special case this here. */ - bool undef = arm_feature(env, ARM_FEATURE_AARCH64) ? smd : smd && !secure; + bool smd = arm_feature(env, ARM_FEATURE_AARCH64) ? smd_flag + : smd_flag && !secure; if (!arm_feature(env, ARM_FEATURE_EL3) && cpu->psci_conduit != QEMU_PSCI_CONDUIT_SMC) { /* If we have no EL3 then SMC always UNDEFs and can't be * trapped to EL2. 
PSCI-via-SMC is a sort of ersatz EL3 * firmware within QEMU, and we want an EL2 guest to be able * to forbid its EL1 from making PSCI calls into QEMU's * "firmware" via HCR.TSC, so for these purposes treat * PSCI-via-SMC as implying an EL3. + * This handles the very last line of the previous table. */ - undef = true; - } else if (!secure && cur_el == 1 && (env->cp15.hcr_el2 & HCR_TSC)) { + raise_exception(env, EXCP_UDEF, syn_uncategorized(), + exception_target_el(env)); + } + + if (!secure && cur_el == 1 && (env->cp15.hcr_el2 & HCR_TSC)) { /* In NS EL1, HCR controlled routing to EL2 has priority over SMD. * We also want an EL2 guest to be able to forbid its EL1 from * making PSCI calls into QEMU's "firmware" via HCR.TSC. + * This handles all the "Trap to EL2" cases of the previous table. */ raise_exception(env, EXCP_HYP_TRAP, syndrome, 2); } - /* If PSCI is enabled and this looks like a valid PSCI call then - * suppress the UNDEF -- we'll catch the SMC exception and - * implement the PSCI call behaviour there. + /* Catch the two remaining "Undef insn" cases of the previous table: + * - PSCI conduit is SMC but we don't have a valid PCSI call, + * - We don't have EL3 or SMD is set. */ - if (undef && !arm_is_psci_call(cpu, EXCP_SMC)) { + if (!arm_is_psci_call(cpu, EXCP_SMC) && + (smd || !arm_feature(env, ARM_FEATURE_EL3))) { raise_exception(env, EXCP_UDEF, syn_uncategorized(), exception_target_el(env)); } }
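Review bot: the comment above the final if reads as if either bullet on its own produces the UNDEF, but the condition `!arm_is_psci_call(cpu, EXCP_SMC) && (smd || !arm_feature(env, ARM_FEATURE_EL3))` needs both: no valid PSCI call (which is also the situation when the conduit is not SMC, since arm_is_psci_call() is then false, so this bullet covers the "Conduit not SMC" rows too) and, in addition, SMD set or no EL3. Suggest rewording the two bullets as one conjunction, e.g. "no valid PSCI call (conduit not SMC, or SMC with an invalid function id), and either SMD is set or there is no EL3", and fixing the "PCSI" typo in the first bullet while at it. Two smaller points on the table: the "SMD" in the table headings is the effective value computed into `smd` after the AArch32 "NS state only" adjustment, not the raw SCR_EL3.SMD bit, which is worth stating now that both `smd_flag` and `smd` exist; and the table would be easier to map onto the three if blocks if it said that the "valid call" column is exactly `arm_is_psci_call()` returning true.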
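As an added cross-check of the table in the patch comment, here is a small C model of the pre_smc decision, before and after the change. This is my own example, not QEMU code: the enum, struct and function names are mine, `smd` stands for the effective SMD value after the AArch32 "NS state only" adjustment, and `psci_valid` stands in for arm_is_psci_call() returning true when the conduit is SMC. Encoding both versions as pure functions over the five inputs that matter and enumerating all 32 combinations finds the single input vector that used to fall through to "trap to EL3" on a CPU without EL3 (the crash from the commit message) mechanically, and checks the new logic row by row against the table.

```c
/*
 * Model of the SMC dispatch decision in QEMU's HELPER(pre_smc), before and
 * after the patch above.  Added example, not QEMU code: outcomes, struct
 * fields and function names are mine and only mirror the table in the
 * patch comment.  "smd" is the effective SMD (after the AArch32 !secure
 * adjustment); "psci_valid" models arm_is_psci_call() for the SMC conduit.
 */
#include <stdbool.h>
#include <stdio.h>

enum smc_outcome { SMC_TRAP_EL2, SMC_TRAP_EL3, SMC_PSCI_CALL, SMC_UNDEF };

struct smc_ctx {
    bool has_el3;       /* ARM_FEATURE_EL3 */
    bool smd;           /* effective SCR_EL3.SMD */
    bool conduit_smc;   /* psci_conduit == QEMU_PSCI_CONDUIT_SMC */
    bool psci_valid;    /* function id in range, so arm_is_psci_call() is true */
    bool tsc_ns_el1;    /* !secure && cur_el == 1 && (HCR_EL2 & HCR_TSC) */
};

/* arm_is_psci_call() is false whenever the conduit is not SMC. */
static bool is_psci_call(const struct smc_ctx *c)
{
    return c->conduit_smc && c->psci_valid;
}

/* Pre-patch logic, reconstructed from the '-' lines of the hunk. */
enum smc_outcome smc_dispatch_old(const struct smc_ctx *c)
{
    bool undef = c->smd;

    if (!c->has_el3 && !c->conduit_smc) {
        undef = true;
    } else if (c->tsc_ns_el1) {
        return SMC_TRAP_EL2;
    }
    if (undef && !is_psci_call(c)) {
        return SMC_UNDEF;
    }
    /* Fall through to the exception helper: PSCI call or route to EL3. */
    return is_psci_call(c) ? SMC_PSCI_CALL : SMC_TRAP_EL3;
}

/* Post-patch logic, following the '+' lines of the hunk. */
enum smc_outcome smc_dispatch_new(const struct smc_ctx *c)
{
    if (!c->has_el3 && !c->conduit_smc) {
        return SMC_UNDEF;               /* last row of the !EL3 table */
    }
    if (c->tsc_ns_el1) {
        return SMC_TRAP_EL2;            /* every "Trap to EL2" cell */
    }
    if (!is_psci_call(c) && (c->smd || !c->has_el3)) {
        return SMC_UNDEF;               /* remaining "Undef insn" cells */
    }
    return is_psci_call(c) ? SMC_PSCI_CALL : SMC_TRAP_EL3;
}

/*
 * Enumerate all 32 input combinations and count those where the decision
 * would route the SMC to EL3 on a CPU that has no EL3 (the incoherent
 * mmu_idx assertion described in the commit message).
 */
int count_el3_traps_without_el3(enum smc_outcome (*dispatch)(const struct smc_ctx *))
{
    int bad = 0;
    for (unsigned bits = 0; bits < 32; bits++) {
        struct smc_ctx c = {
            .has_el3     = bits & 1,
            .smd         = bits & 2,
            .conduit_smc = bits & 4,
            .psci_valid  = bits & 8,
            .tsc_ns_el1  = bits & 16,
        };
        if (!c.has_el3 && dispatch(&c) == SMC_TRAP_EL3) {
            bad++;
        }
    }
    return bad;
}

int main(void)
{
    /* The commit message's reproducer: no EL3, SMC conduit, bogus id. */
    struct smc_ctx repro = { .has_el3 = false, .smd = false,
                             .conduit_smc = true, .psci_valid = false,
                             .tsc_ns_el1 = false };
    printf("repro: old=%d new=%d (1 = trap to EL3, 3 = undef)\n",
           smc_dispatch_old(&repro), smc_dispatch_new(&repro));
    printf("EL3 traps without EL3: old=%d new=%d\n",
           count_el3_traps_without_el3(smc_dispatch_old),
           count_el3_traps_without_el3(smc_dispatch_new));
    return 0;
}
```

The old and new functions differ on exactly one of the 32 vectors, which is the reproducer above; every other cell of the table is unchanged, which is the property a reviewer wants to confirm before accepting a refactor of exception routing code.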