Jan 27, 2024
    • target/arm: Fix incorrect aa64_tidcp1 feature check · 45b3ce5e
      Peter Maydell authored
      A typo in the implementation of isar_feature_aa64_tidcp1() means we
      were checking the field in the wrong ID register, so we might have
      provided the feature on CPUs that don't have it and not provided
      it on CPUs that should have it. Correct this bug.
      
      Cc: qemu-stable@nongnu.org
      Fixes: 9cd0c0de "target/arm: Implement FEAT_TIDCP1"
      Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2120
      
      
      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
      Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
      Message-id: 20240123160333.958841-1-peter.maydell@linaro.org
      (cherry picked from commit ee0a2e3c9d2991a11c13ffadb15e4d0add43c257)
      Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
    • target/arm: Fix A64 scalar SQSHRN and SQRSHRN · 570e6244
      Peter Maydell authored
      In commit 1b7bc9b5 we changed handle_vec_simd_sqshrn() so
      that instead of starting with a 0 value and depositing in each new
      element from the narrowing operation, it instead started with the raw
      result of the narrowing operation of the first element.
      
      This is fine in the vector case, because the deposit operations for
      the second and subsequent elements will always overwrite any higher
      bits that might have been in the first element's result value in
      tcg_rd.  However in the scalar case we only go through this loop
      once.  The effect is that for a signed narrowing operation, if the
      result is negative then we will now return a value where the bits
      above the first element are incorrectly 1 (because the narrowfn
      returns a sign-extended result, not one that is truncated to the
      element size).
      
      Fix this by using an extract operation to get exactly the correct
      bits of the output of the narrowfn for element 1, instead of a
      plain move.
      
      Cc: qemu-stable@nongnu.org
      Fixes: 1b7bc9b5 ("target/arm: Avoid tcg_const_ptr in handle_vec_simd_sqshrn")
      Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2089
      
      
      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
      Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
      Message-id: 20240123153416.877308-1-peter.maydell@linaro.org
      (cherry picked from commit 6fffc8378562c7fea6290c430b4f653f830a4c1a)
      Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
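The scalar-versus-vector behaviour described in the commit message above, as an added model that is not QEMU's code: a sign-extending narrowing function stands in for the narrowfn, and deposit64/extract64 mimic the TCG deposit and extract operations (the function and sample values are constructed for illustration).

```c
#include <stdint.h>
#include <stddef.h>

/* Model of the narrowfn: right-shift, saturate to a signed esize-bit range,
 * and return the result sign-extended to 64 bits (as the commit describes). */
static int64_t sqshrn_narrow(int64_t src, unsigned shift, unsigned esize) {
    int64_t v = src >> shift;                 /* arithmetic shift on gcc/clang */
    int64_t max = (INT64_C(1) << (esize - 1)) - 1;
    int64_t min = -max - 1;
    if (v > max) v = max;
    if (v < min) v = min;
    return v;
}

static uint64_t low_mask(unsigned len) {
    return len >= 64 ? ~UINT64_C(0) : (UINT64_C(1) << len) - 1;
}

/* TCG-style deposit: write the low len bits of val into dst at bit pos. */
static uint64_t deposit64(uint64_t dst, unsigned pos, unsigned len, uint64_t val) {
    uint64_t mask = low_mask(len) << pos;
    return (dst & ~mask) | ((val << pos) & mask);
}

/* TCG-style extract: read len bits of val starting at bit pos, zero-extended. */
static uint64_t extract64(uint64_t val, unsigned pos, unsigned len) {
    return (val >> pos) & low_mask(len);
}

/* Scalar case as the buggy code produced it: a plain move of element 0,
 * so a negative result leaks its sign-extension bits above esize. */
static uint64_t scalar_sqshrn_buggy(int64_t src, unsigned shift, unsigned esize) {
    return (uint64_t)sqshrn_narrow(src, shift, esize);
}

/* Scalar case after the fix: keep exactly esize bits of element 0. */
static uint64_t scalar_sqshrn_fixed(int64_t src, unsigned shift, unsigned esize) {
    return extract64((uint64_t)sqshrn_narrow(src, shift, esize), 0, esize);
}

/* Vector case with 64/esize elements: the later deposits overwrite every bit
 * above element 0, so starting from the raw narrowfn result is harmless there. */
static uint64_t vector_sqshrn(const int64_t *src, unsigned shift, unsigned esize) {
    uint64_t rd = (uint64_t)sqshrn_narrow(src[0], shift, esize);
    for (unsigned i = 1; i < 64 / esize; i++) {
        rd = deposit64(rd, i * esize, esize, (uint64_t)sqshrn_narrow(src[i], shift, esize));
    }
    return rd;
}

/* Constructed 4H sample: {-5, 3, saturating 0x7FFF, -1} narrowed to 16 bits. */
static uint64_t vector_sample(void) {
    const int64_t src[4] = { -5, 3, INT64_C(0x12345678), -1 };
    return vector_sqshrn(src, 0, 16);
}
```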
    • target/xtensa: fix OOB TLB entry access · 553e53b4
      Max Filippov authored
      
      r[id]tlb[01], [iw][id]tlb opcodes use TLB way index passed in a register
      by the guest. The host uses 3 bits of the index for ITLB indexing and 4
      bits for DTLB, but there's only 7 entries in the ITLB array and 10 in
      the DTLB array, so a malicious guest may trigger out-of-bound access to
      these arrays.
      
      Change split_tlb_entry_spec return type to bool to indicate whether TLB
      way passed to it is valid. Change get_tlb_entry to return NULL in case
      invalid TLB way is requested. Add assertion to xtensa_tlb_get_entry that
      requested TLB way and entry indices are valid. Add checks to the
      [rwi]tlb helpers that requested TLB way is valid and return 0 or do
      nothing when it's not.
      
      Cc: qemu-stable@nongnu.org
      Fixes: b67ea0cd ("target-xtensa: implement memory protection options")
      Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
      Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
      Message-id: 20231215120307.545381-1-jcmvbkbc@gmail.com
      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
      (cherry picked from commit 604927e357c2b292c70826e4ce42574ad126ef32)
      Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>