[{"id":3687153,"web_url":"http://patchwork.ozlabs.org/comment/3687153/","msgid":"","list_archive_url":null,"date":"2026-05-06T14:58:39","subject":"Re: [PATCH v5 11/15] target/arm: skip tag bit bounds check if MTX is\n on","submitter":{"id":72104,"url":"http://patchwork.ozlabs.org/api/people/72104/","name":"Richard Henderson","email":"richard.henderson@linaro.org"},"content":"On 5/4/26 10:50, Gabriel Brookman wrote:\n> Virtual address canonicity checks should ignore mismatch in tag bits\n> during translation step if MTX is set. This mismatch is checked during\n> the tag check instead, in that case.\n> \n> Signed-off-by: Gabriel Brookman \n> ---\n> target/arm/helper.c | 6 +++++-\n> target/arm/internals.h | 1 +\n> target/arm/ptw.c | 29 ++++++++++++++++++++++++++---\n> 3 files changed, 32 insertions(+), 4 deletions(-)\n> \n> diff --git a/target/arm/helper.c b/target/arm/helper.c\n> index 18352bd186..0e70822d34 100644\n> --- a/target/arm/helper.c\n> +++ b/target/arm/helper.c\n> @@ -9693,7 +9693,7 @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,\n> {\n> uint64_t tcr = regime_tcr(env, mmu_idx);\n> bool epd, hpd, tsz_oob, ds, ha, hd, pie = false;\n> - bool aie = false;\n> + bool mtx, aie = false;\n> int select, tsz, tbi, max_tsz, min_tsz, ps, sh;\n> ARMGranuleSize gran;\n> ARMCPU *cpu = env_archcpu(env);\n> @@ -9730,6 +9730,7 @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,\n> ha = extract32(tcr, 21, 1) && cpu_isar_feature(aa64_hafs, cpu);\n> hd = extract32(tcr, 22, 1) && cpu_isar_feature(aa64_hdbs, cpu);\n> ds = extract64(tcr, 32, 1);\n> + mtx = extract64(tcr, 33, 1) && cpu_isar_feature(aa64_mte_mtx, cpu);\n> } else {\n> bool e0pd;\n> \n> @@ -9745,6 +9746,7 @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,\n> sh = extract32(tcr, 12, 2);\n> hpd = extract64(tcr, 41, 1);\n> e0pd = extract64(tcr, 55, 1);\n> + mtx = extract64(tcr, 60, 1) && cpu_isar_feature(aa64_mte_mtx, cpu);\n> } else {\n> tsz = extract32(tcr, 16, 6);\n> gran = tg1_to_gran_size(extract32(tcr, 30, 2));\n> @@ -9752,6 +9754,7 @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,\n> sh = extract32(tcr, 28, 2);\n> hpd = extract64(tcr, 42, 1);\n> e0pd = extract64(tcr, 56, 1);\n> + mtx = extract64(tcr, 61, 1) && cpu_isar_feature(aa64_mte_mtx, cpu);\n> }\n> ps = extract64(tcr, 32, 3);\n> ha = extract64(tcr, 39, 1) && cpu_isar_feature(aa64_hafs, cpu);\n> @@ -9851,6 +9854,7 @@ ARMVAParameters aa64_va_parameters(CPUARMState *env, uint64_t va,\n> .gran = gran,\n> .pie = pie,\n> .aie = aie,\n> + .mtx = mtx,\n> };\n> }\n> \n> diff --git a/target/arm/internals.h b/target/arm/internals.h\n> index 779eafabc8..d313d36603 100644\n> --- a/target/arm/internals.h\n> +++ b/target/arm/internals.h\n> @@ -1407,6 +1407,7 @@ typedef struct ARMVAParameters {\n> ARMGranuleSize gran : 2;\n> bool pie : 1;\n> bool aie : 1;\n> + bool mtx : 1;\n> } ARMVAParameters;\n> \n> /**\n> diff --git a/target/arm/ptw.c b/target/arm/ptw.c\n> index 4fdb27697d..4fa50d0320 100644\n> --- a/target/arm/ptw.c\n> +++ b/target/arm/ptw.c\n> @@ -1931,7 +1931,17 @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,\n> * validation to do here.\n> */\n> if (inputsize < addrsize) {\n> - uint64_t top_bits = sextract64(address, inputsize,\n> + /*\n> + * If MTX is enabled, bits 56-59 aren't checked for canonicity\n> + * during translation, since they will later be checked during\n> + * the tag check step.\n> + */\n> + uint64_t top_bits;\n> + uint64_t masked_address = address;\n> + if (param.mtx) {\n> + masked_address = deposit64(address, 56, 4, param.select * 0xf);\n> + }\n> + top_bits = sextract64(masked_address, inputsize,\n> addrsize - inputsize);\n> if (-top_bits != param.select) {\n\nHmm. I know AArch64_VAIsOutOfRange inserts bits just like this, but it isn't the most \nefficient way to ignore bits for comparison.\n\nPerhaps\n\n\tuint64_t cmp_mask = MAKE_64BIT_MASK(inputsize, addrsize - inputsize);\n\n if (param.mtx) {\n cmp_mask &= ~MAKE_64BIT_MASK(56, 4);\n }\n if ((address ^ -param.select) & cmp_mask) {\n\nis clearer?\n\n\n> /* The gap between the two regions is a Translation fault */\n> @@ -3492,15 +3502,28 @@ static bool get_phys_addr_disabled(CPUARMState *env,\n> if (arm_el_is_aa64(env, r_el)) {\n> int pamax = arm_pamax(env_archcpu(env));\n> uint64_t tcr = env->cp15.tcr_el[r_el];\n> - int addrtop, tbi;\n> + int addrtop, tbi, mtx;\n> + bool bit55;\n> \n> tbi = aa64_va_parameter_tbi(tcr, mmu_idx);\n> + mtx = aa64_va_parameter_mtx(tcr, mmu_idx);\n> if (access_type == MMU_INST_FETCH) {\n> tbi &= ~aa64_va_parameter_tbid(tcr, mmu_idx);\n> }\n> - tbi = (tbi >> extract64(address, 55, 1)) & 1;\n> + bit55 = extract64(address, 55, 1);\n> + tbi = (tbi >> bit55) & 1;\n> + mtx = (mtx >> bit55) & 1;\n> addrtop = (tbi ? 55 : 63);\n> \n> + /*\n> + * With MTX enabled, bits 56-59 are not checked according to\n> + * AArch64.S1DisabledOutput.\n> + */\n> + if (cpu_isar_feature(aa64_mte_mtx, env_archcpu(env)) && mtx &&\n> + access_type != MMU_INST_FETCH) {\n> + address = deposit64(address, 56, 4, bit55 * 0xF);\n> + }\n\nLikewise. And reorder things to avoid computing mtx unless required:\n\n uint64_t cmp_mask = MAKE_64BIT_MASK(pamax, addrtop - pamax + 1);\n\n if (access_type != MMU_INST_FETCH\n && cpu_isar_feature(aa64_mte_mtx, env_archcpu(env))) {\n int mtx = aa64_va_parameter_mtx(tcr, mmu_idx);\n if (mtx & (1 << bit55)) {\n cmp_mask &= ~MAKE_64BIT_MASK(56, 4);\n }\n }\n\n if (address & cmp_mask) {\n\n\nr~","headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256\n header.s=google header.b=sPwkl4I6;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists1p.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g9dnK2hkxz1y04\n\tfor ; Thu, 07 May 2026 00:59:01 +1000 (AEST)","from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists1p.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from )\n\tid 1wKdi4-0000ZQ-Ev; Wed, 06 May 2026 10:58:48 -0400","from eggs.gnu.org ([2001:470:142:3::10])\n by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from )\n id 1wKdi2-0000Yo-IU\n for qemu-devel@nongnu.org; Wed, 06 May 2026 10:58:46 -0400","from mail-oo1-xc2a.google.com ([2607:f8b0:4864:20::c2a])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.90_1) (envelope-from )\n id 1wKdi0-0007Tc-Ig\n for qemu-devel@nongnu.org; Wed, 06 May 2026 10:58:46 -0400","by mail-oo1-xc2a.google.com with SMTP id\n 006d021491bc7-66ee7b9af94so2751334eaf.0\n for ; Wed, 06 May 2026 07:58:44 -0700 (PDT)","from ?IPV6:2600:381:c938:6375:5307:cd92:1ec8:e891?\n ([2600:381:c938:6375:5307:cd92:1ec8:e891])\n by smtp.gmail.com with ESMTPSA id\n 586e51a60fabf-4347294b5afsm14516620fac.8.2026.05.06.07.58.41\n (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);\n Wed, 06 May 2026 07:58:42 -0700 (PDT)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=linaro.org; s=google; t=1778079523; x=1778684323; darn=nongnu.org;\n h=content-transfer-encoding:in-reply-to:content-language:from\n :references:cc:to:subject:user-agent:mime-version:date:message-id\n :from:to:cc:subject:date:message-id:reply-to;\n bh=g0rg90ZocJHBJKvIpaOqgBFKQLqTHRAsXu1ufA5FD2A=;\n b=sPwkl4I6oltDn742j6SkBJ2PrVKWheAGyA7JuS6ZMXNj/iPvt797aQAGMFbj+FwrrB\n 8YaQ5i2w8z+Pu+O+2OmvRJe0/VTyRVeAndx4KSUH+LAx6Byiy+U83dsEWozzqEQn2acA\n PAMZHjyjQAezGVjRrKlKuU2XqrR3sDMmJ6yxrl+l2rxUHh475KctO5EVbBxGu3JgQ84U\n kIfKKQQqm5TMYzmDWnglZqHnpzr7VbrINdDuozvGyCqwSAN0s7FJqY0Six536LOrLUOX\n q4eF1kV/3/4xlFFPWxfTuG4sdoBu6m+0nd9hnGuhisHNdCv/9dczocURGTefis7rDAU7\n vBjw==","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1778079523; x=1778684323;\n h=content-transfer-encoding:in-reply-to:content-language:from\n :references:cc:to:subject:user-agent:mime-version:date:message-id\n :x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id\n :reply-to;\n bh=g0rg90ZocJHBJKvIpaOqgBFKQLqTHRAsXu1ufA5FD2A=;\n b=A/8lcE6gOw5Z0B85pbis+M679pynTyVK+cPWkiVwQs7380NY8mwILSCR01MunDRarI\n JJ2ylj2zdP2FcgDKrn5eNee3Arzr+VhgFIISVa4uCBppFT1t21CBfCHVQfIITWKfmq+e\n 0OOBn68Ur0bv7X9I59YMG176XPLsvBX1+g3B6vtD4apxDN9Po+616yFim4kwhI4faB4p\n AOo7j4PkfzRL5nbrp43b6BgRP2N2nwzXp35eMIrWupDeJE6ZD1IXX4DPMCYi96LEnThj\n P9SUjF17i4e4+bVKHsbMuJKviOAhgjiLVPsxeyjVZz4FB0M3ayOPuq6bDRdKrCONFrlr\n 6Rmw==","X-Forwarded-Encrypted":"i=1;\n AFNElJ8dL1cYjgYgXrWOdwgwZzb09vfYnxz+mUsqAncAx7uRyzQmJk5FCLa70zIxY9ifL9Hb25DWeYG9xs59@nongnu.org","X-Gm-Message-State":"AOJu0Yw61j5MOn4gI79XYMNd6uPxN3zNOiUzMP2WEZyepcOugL5mp1Xg\n HGHNxlI7XnyV9AQV0ZuNRbEadmYjRhUHDswqFhWB+M/sqdexilt4PNaMuqnriaJ76C4=","X-Gm-Gg":"AeBDievkPZFnHQQf+mBjfbAfw+h83qIShyqw2ut0aJdLG5c5dfSkl3d3e5Npr8ATlg0\n D4QqbfjdDqgDlScr/XOPGZT0RM/9ZPL27X5oMeiDwmPQn4yFaID8ildcWOIyCYR2zwdV7aaIykC\n SZU+iElIOb1Lyz+BrNdbU3rXeIu7bejBZ3LkXt1AjmFcJkLoXr10jkLtgEXIglQesIKtuQFi16f\n IWvuRY6tOeLhsvWUaFnkQB3uusjol2WpEF/KLpqExDm6iP2bo/n+Ivj64mPMq3WlGbZQiQ34yrn\n yX9nBTs6xLebfk0zg4UJi4TDM+MpuMg3IR1F9LpncQebTxGvdB24fNjlA+4auOJlRghKdWXYK6E\n w7auHWG+Ja7eW/X9h8TrjwfHf0ZFgLZhWSK0TqgA3UDR6KI0YEbf2YsZBqbUbnyqD/wEO1VUTT6\n 1pYFQ0aNHaOTP0XB8XpeU3NQC+U4zGZJk4o7Zdq2JhhMdROdLTnvGXGCQt4CePkFE1mq/U9/yyE\n zzZzvObm+ZcBA3OOPrq","X-Received":"by 2002:a05:6820:4dc4:b0:696:64ab:cd83 with SMTP id\n 006d021491bc7-69998d5dc0fmr1796434eaf.55.1778079522968;\n Wed, 06 May 2026 07:58:42 -0700 (PDT)","Message-ID":"","Date":"Wed, 6 May 2026 09:58:39 -0500","MIME-Version":"1.0","User-Agent":"Mozilla Thunderbird","Subject":"Re: [PATCH v5 11/15] target/arm: skip tag bit bounds check if MTX is\n on","To":"Gabriel Brookman , qemu-devel@nongnu.org","Cc":"Peter Maydell ,\n Gustavo Romero , qemu-arm@nongnu.org,\n Laurent Vivier , Helge Deller ,\n Pierrick Bouvier ","References":"<20260504-feat-mte4-v5-0-232a648e63c6@gmail.com>\n <20260504-feat-mte4-v5-11-232a648e63c6@gmail.com>","From":"Richard Henderson ","Content-Language":"en-US","In-Reply-To":"<20260504-feat-mte4-v5-11-232a648e63c6@gmail.com>","Content-Type":"text/plain; charset=UTF-8; format=flowed","Content-Transfer-Encoding":"7bit","Received-SPF":"pass client-ip=2607:f8b0:4864:20::c2a;\n envelope-from=richard.henderson@linaro.org; helo=mail-oo1-xc2a.google.com","X-Spam_score_int":"-20","X-Spam_score":"-2.1","X-Spam_bar":"--","X-Spam_report":"(-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,\n DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,\n RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,\n SPF_PASS=-0.001 autolearn=unavailable autolearn_force=no","X-Spam_action":"no action","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"qemu development ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org"}}]