
[Xen-changelog] [qemu-upstream-unstable] target-xtensa: fix ITLB/DTLB page protection flags

commit bfae9374f160f3fdf7dc550728111382703e56a7
Author:     Max Filippov <jcmvbkbc@xxxxxxxxx>
AuthorDate: Thu Dec 13 04:13:41 2012 +0400
Commit:     Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
CommitDate: Tue Jan 15 22:34:54 2013 -0600

    target-xtensa: fix ITLB/DTLB page protection flags
    With MMU option xtensa architecture has two TLBs: ITLB and DTLB. ITLB is
    only used for code access, DTLB is only for data. However TLB entries in
    both TLBs have attribute field controlling write and exec access. These
    bits need to be properly masked off depending on TLB type before being
    used as tlb_set_page prot argument. Otherwise the following happens:
    (1) ITLB entry for some PFN gets invalidated
    (2) DTLB entry for the same PFN gets updated, attributes allow code
    (3) code at the page with that PFN is executed (possible due to step 2),
        entry for the TB is written into the jump cache
    (4) QEMU TLB entry for the PFN gets replaced with an entry for some
        other PFN
    (5) code in the TB from step 3 is executed (possible due to jump cache)
        and it accesses data, for which there's no DTLB entry, causing DTLB
        miss exception
    (6) re-translation of the TB from step 5 is attempted, but there's no
        QEMU TLB entry nor xtensa ITLB entry for that PFN, which causes ITLB
        miss exception at the TB start address
    (7) ITLB miss exception is handled by the guest, but execution is
        resumed from the beginning of the faulting TB (the point where ITLB
        miss occurred), not from the point where DTLB miss occurred, which is
    With that fix the above scenario causes ITLB miss exception (that used
    to be step 7) at step 3, right at the beginning of the TB.
    Signed-off-by: Max Filippov <jcmvbkbc@xxxxxxxxx>
    Cc: qemu-stable@xxxxxxxxxx
    Signed-off-by: Blue Swirl <blauwirbel@xxxxxxxxx>
    (cherry picked from commit 659f807c0a700317a7a0fae7a6e6ebfe68bfbbc4)
    Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
 target-xtensa/helper.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)
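The masking described in the commit message, shown side by side with the unmasked behaviour it replaces. This is an added example, not QEMU's own code: the `PAGE_*` values, the `attr_to_access()` decoder and the `access_granted()` check are constructed stand-ins for `mmu_attr_to_access()` and `is_access_granted()` in target-xtensa/helper.c, and the attribute-bit layout used by the decoder is hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Local stand-ins for QEMU's PAGE_* protection bits (values are assumptions). */
#define PAGE_READ  0x1
#define PAGE_WRITE 0x2
#define PAGE_EXEC  0x4

/* Constructed stand-in for mmu_attr_to_access(): decodes a raw TLB attribute
 * field into PAGE_* bits. The bit layout is hypothetical; what matters for the
 * example is that one attr value can allow both data and code access. */
static unsigned attr_to_access(unsigned attr)
{
    unsigned access = 0;
    if (attr & 0x1) access |= PAGE_READ;
    if (attr & 0x2) access |= PAGE_WRITE;
    if (attr & 0x4) access |= PAGE_EXEC;
    return access;
}

/* Before the fix: attribute bits pass through untouched, so a DTLB entry can
 * advertise PAGE_EXEC and an ITLB entry can advertise PAGE_READ|PAGE_WRITE. */
unsigned prot_before_fix(unsigned attr, bool dtlb)
{
    (void)dtlb;
    return attr_to_access(attr);
}

/* After the fix: strip the bits this TLB type cannot grant. `|` binds tighter
 * than `?:`, so the mask is PAGE_EXEC for the DTLB and READ|WRITE for the ITLB. */
unsigned prot_after_fix(unsigned attr, bool dtlb)
{
    return attr_to_access(attr) & ~(dtlb ? PAGE_EXEC : PAGE_READ | PAGE_WRITE);
}

/* Constructed stand-in for the is_access_granted() check that follows the
 * masking in get_physical_addr_mmu(). QEMU encodes the access kind in a single
 * argument; a separate is_exec flag is used here for readability. */
bool access_granted(unsigned prot, bool is_write, bool is_exec)
{
    if (is_exec) {
        return (prot & PAGE_EXEC) != 0;
    }
    if (is_write) {
        return (prot & PAGE_WRITE) != 0;
    }
    return (prot & PAGE_READ) != 0;
}

int main(void)
{
    /* Constructed attr value whose decoded bits allow read, write and exec,
     * i.e. step (2) of the commit message: a DTLB entry that "allows code". */
    const unsigned attr = 0x7;

    /* Step (3): a code fetch through the DTLB entry. */
    printf("exec via DTLB, before fix: %s\n",
           access_granted(prot_before_fix(attr, true), false, true) ? "granted" : "denied");
    printf("exec via DTLB, after fix:  %s\n",
           access_granted(prot_after_fix(attr, true), false, true) ? "granted" : "denied");

    /* The symmetric case: a data read through an ITLB entry. */
    printf("read via ITLB, after fix:  %s\n",
           access_granted(prot_after_fix(attr, false), false, false) ? "granted" : "denied");
    return 0;
}
```

With the mask in place a DTLB entry never yields `PAGE_EXEC`, so the code fetch in step (3) fails the access check and raises the ITLB miss there, instead of letting a translation block be executed and cached on the strength of a data-side entry.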

diff --git a/target-xtensa/helper.c b/target-xtensa/helper.c
index d94bae2..7fa9ecc 100644
--- a/target-xtensa/helper.c
+++ b/target-xtensa/helper.c
@@ -486,7 +486,8 @@ static int get_physical_addr_mmu(CPUXtensaState *env, bool 
-    *access = mmu_attr_to_access(entry->attr);
+    *access = mmu_attr_to_access(entry->attr) &
+        ~(dtlb ? PAGE_EXEC : PAGE_READ | PAGE_WRITE);
     if (!is_access_granted(*access, is_write)) {
         return dtlb ?
             (is_write ?
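Review bot: the mask on the two `+` lines relies on `|` binding tighter than `?:`, so it parses as `dtlb ? PAGE_EXEC : (PAGE_READ | PAGE_WRITE)`, which is the intended meaning; writing the parentheses explicitly would make that obvious to later readers and protect against a reordering of the operands. Because the mask is applied before the existing `is_access_granted(*access, is_write)` check in the context lines, an execute attempt through a DTLB entry (step 3 of the commit message) now fails that check rather than being granted, which is what moves the ITLB miss to step 3 as the message describes.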
generated by git-patchbot for /home/xen/git/qemu-upstream-unstable.git

Xen-changelog mailing list