From 5242ef887dd06659e3d516cb4000c8ed3277fb08 Mon Sep 17 00:00:00 2001
From: Palmer Dabbelt
Date: Wed, 30 Mar 2022 09:59:13 -0700
Subject: target/riscv: Avoid leaking "no translation" TLB entries

The ISA doesn't allow bare mappings to be cached, as the caches are translations and bare mppings are not translated. We cache these translations in QEMU in order to utilize the TLB code, but that leaks out to the guest.

Suggested-by: phantom@zju.edu.cn # no name in the From field
Fixes: 1e0d985fa9 ("target/riscv: Only flush TLB if SATP.ASID changes")
Signed-off-by: Palmer Dabbelt
Reviewed-by: Alistair Francis
Message-Id: <20220330165913.8836-1-palmer@rivosinc.com>
Signed-off-by: Alistair Francis
---
 target/riscv/csr.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/target/riscv/csr.c b/target/riscv/csr.c
index 0606cd0ea8..341c2e6f23 100644
--- a/target/riscv/csr.c
+++ b/target/riscv/csr.c
@@ -1844,7 +1844,7 @@ static RISCVException read_satp(CPURISCVState *env, int csrno,
 static RISCVException write_satp(CPURISCVState *env, int csrno,
                                  target_ulong val)
 {
-    target_ulong vm, mask, asid;
+    target_ulong vm, mask;
 
     if (!riscv_feature(env, RISCV_FEATURE_MMU)) {
         return RISCV_EXCP_NONE;
@@ -1853,20 +1853,22 @@ static RISCVException write_satp(CPURISCVState *env, int csrno,
     if (riscv_cpu_mxl(env) == MXL_RV32) {
         vm = validate_vm(env, get_field(val, SATP32_MODE));
         mask = (val ^ env->satp) & (SATP32_MODE | SATP32_ASID | SATP32_PPN);
-        asid = (val ^ env->satp) & SATP32_ASID;
     } else {
         vm = validate_vm(env, get_field(val, SATP64_MODE));
         mask = (val ^ env->satp) & (SATP64_MODE | SATP64_ASID | SATP64_PPN);
-        asid = (val ^ env->satp) & SATP64_ASID;
     }
 
     if (vm && mask) {
         if (env->priv == PRV_S && get_field(env->mstatus, MSTATUS_TVM)) {
             return RISCV_EXCP_ILLEGAL_INST;
         } else {
-            if (asid) {
-                tlb_flush(env_cpu(env));
-            }
+            /*
+             * The ISA defines SATP.MODE=Bare as "no translation", but we still
+             * pass these through QEMU's TLB emulation as it improves
+             * performance. Flushing the TLB on SATP writes with paging
+             * enabled avoids leaking those invalid cached mappings.
+             */
+            tlb_flush(env_cpu(env));
             env->satp = val;
         }
     }
-- 
cgit v1.2.3

From 8ff8ac63298611c8373b294ec936475b1a33f63f Mon Sep 17 00:00:00 2001
From: "Yueh-Ting (eop) Chen"
Date: Thu, 17 Mar 2022 00:09:09 -0700
Subject: target/riscv: rvv: Add missing early exit condition for whole register load/store
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

According to v-spec (section 7.9):

The instructions operate with an effective vector length, evl=NFIELDS*VLEN/EEW, regardless of current settings in vtype and vl. The usual property that no elements are written if vstart ≥ vl does not apply to these instructions. Instead, no elements are written if vstart ≥ evl.

Signed-off-by: eop Chen
Reviewed-by: Frank Chang
Reviewed-by: Alistair Francis
Message-Id: <164762720573.18409.3931931227997483525-0@git.sr.ht>
Signed-off-by: Alistair Francis
---
 target/riscv/insn_trans/trans_rvv.c.inc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/target/riscv/insn_trans/trans_rvv.c.inc b/target/riscv/insn_trans/trans_rvv.c.inc
index 275fded6e4..4ea7e41e1a 100644
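Review bot: The unconditional `tlb_flush(env_cpu(env));` fires for every accepted SATP write that changes MODE, ASID or PPN, so the ASID-based optimisation from 1e0d985fa9 (the commit in the Fixes tag) is lost even for plain page-table switches that keep MODE and ASID. Since the leak the new comment describes comes from entries cached while MODE was Bare, a narrower guard that flushes only when the MODE or ASID field differs between `val` and `env->satp` (computed per mxl next to `mask`, the way the removed `asid` lines were) would appear to fix the leak while keeping that optimisation; this is inferred from the visible lines, so verify it against how Bare-mode translations are tagged in the TLB before narrowing the flush. The comment should also record that the flush is deliberately broader than the ISA requires, e.g. `* Flushing on any MODE/ASID/PPN change is more than the ISA requires,` / `* but it guarantees Bare-mode entries never survive a mode switch.`. write_satp's declarations and feature check are in the previous hunk.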
--- a/target/riscv/insn_trans/trans_rvv.c.inc
+++ b/target/riscv/insn_trans/trans_rvv.c.inc
@@ -1121,6 +1121,10 @@ static bool ldst_whole_trans(uint32_t vd, uint32_t rs1, uint32_t nf,
                              gen_helper_ldst_whole *fn, DisasContext *s,
                              bool is_store)
 {
+    uint32_t evl = (s->cfg_ptr->vlen / 8) * nf / (1 << s->sew);
+    TCGLabel *over = gen_new_label();
+    tcg_gen_brcondi_tl(TCG_COND_GEU, cpu_vstart, evl, over);
+
     TCGv_ptr dest;
     TCGv base;
     TCGv_i32 desc;
@@ -1140,6 +1144,7 @@ static bool ldst_whole_trans(uint32_t vd, uint32_t rs1, uint32_t nf,
     if (!is_store) {
         mark_vs_dirty(s);
     }
+    gen_set_label(over);
 
     return true;
 }
-- 
cgit v1.2.3
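Review bot: The threshold `uint32_t evl = (s->cfg_ptr->vlen / 8) * nf / (1 << s->sew);` divides by `s->sew`, while the commit message quotes the spec's evl = NFIELDS*VLEN/EEW and the EEW of a whole-register load/store is encoded in the instruction, not in vtype; if `s->sew` is the vtype-derived SEW (nothing in this function sets it), the early exit triggers at the wrong vstart whenever the instruction's EEW differs from vtype, so the element width should be passed in by the callers alongside `nf`. The three new statements are also placed ahead of the `TCGv_ptr dest;` / `TCGv base;` / `TCGv_i32 desc;` declarations, mixing statements and declarations in one block; moving `evl` and `over` into that declaration group and issuing the `tcg_gen_brcondi_tl` after it keeps the block declarations-first. `over` is resolved only by the `gen_set_label(over);` in the second hunk, so any early return in the part of ldst_whole_trans between the two hunks (outside this view) would leave the label unset — worth confirming there is none.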