From patchwork Thu Dec 13 00:13:41 2012
X-Patchwork-Submitter: Max Filippov
X-Patchwork-Id: 205695
From: Max Filippov
To: qemu-devel@nongnu.org
Cc: Blue Swirl, Max Filippov, qemu-stable@nongnu.org
Date: Thu, 13 Dec 2012 04:13:41 +0400
Message-Id: <1355357621-25295-1-git-send-email-jcmvbkbc@gmail.com>
Subject: [Qemu-devel] [PATCH] target-xtensa: fix ITLB/DTLB page protection flags

With the MMU option, the xtensa architecture has two TLBs: ITLB and DTLB. ITLB is only used for code access, DTLB is only for data. However, TLB entries in both TLBs have an attribute field controlling write and exec access. These bits need to be properly masked off depending on TLB type before being used as the tlb_set_page prot argument. Otherwise the following happens:

(1) ITLB entry for some PFN gets invalidated
(2) DTLB entry for the same PFN gets updated, attributes allow code execution
(3) code at the page with that PFN is executed (possible due to step 2), entry for the TB is written into the jump cache
(4) QEMU TLB entry for the PFN gets replaced with an entry for some other PFN
(5) code in the TB from step 3 is executed (possible due to jump cache) and it accesses data, for which there's no DTLB entry, causing DTLB miss exception
(6) re-translation of the TB from step 5 is attempted, but there's no QEMU TLB entry nor xtensa ITLB entry for that PFN, which causes ITLB miss exception at the TB start address
(7) ITLB miss exception is handled by the guest, but execution is resumed from the beginning of the faulting TB (the point where ITLB miss occurred), not from the point where DTLB miss occurred, which is wrong.
With that fix the above scenario causes ITLB miss exception (that used to be step 7) at step 3, right at the beginning of the TB. Signed-off-by: Max Filippov Cc: qemu-stable@nongnu.org --- target-xtensa/helper.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/target-xtensa/helper.c b/target-xtensa/helper.c index 200fb43..bf05575 100644 --- a/target-xtensa/helper.c +++ b/target-xtensa/helper.c @@ -522,7 +522,8 @@ static int get_physical_addr_mmu(CPUXtensaState *env, bool update_tlb, INST_FETCH_PRIVILEGE_CAUSE; } - *access = mmu_attr_to_access(entry->attr); + *access = mmu_attr_to_access(entry->attr) & + ~(dtlb ? PAGE_EXEC : PAGE_READ | PAGE_WRITE); if (!is_access_granted(*access, is_write)) { return dtlb ? (is_write ?
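Review bot: the operator precedence in `~(dtlb ? PAGE_EXEC : PAGE_READ | PAGE_WRITE)` is correct (`|` binds tighter than `?:`, so the else branch is the full read/write mask), but it is easy to misread; consider writing the else branch as `(PAGE_READ | PAGE_WRITE)` and adding a one-line comment above the assignment saying that an ITLB entry must never yield data permissions and a DTLB entry must never yield PAGE_EXEC, since right now the rationale lives only in the commit message. It is also worth a comment that the masked `*access` is what the following `is_access_granted(*access, is_write)` check sees, so an instruction fetch resolved through a DTLB-only mapping is now rejected at this point (the ITLB miss the message describes at step 3) instead of being installed into the QEMU TLB with PAGE_EXEC set; that ordering is what makes the fix work and should be stated next to the code so a later reordering does not silently reintroduce the bug.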