Re: [Qemu-arm] [PATCH v2] target-arm: Fix descriptor address masking in ARM address translation

[Peter Maydell]

On 18 April 2016 at 17:27, Sergey Sorokin <address@hidden> wrote:
> There is a bug in ARM address translation regime with a long-descriptor
> format. On the descriptor reading its address is formed from an index
> which is a part of the input address. And on the first iteration this index
> is incorrectly masked with 'grainsize' mask. But it can be wider according
> to pseudo-code.
> On the other hand on the iterations other than first the descriptor address
> is formed from the previous level descriptor by masking with 'descaddrmask'
> value. It always clears just 12 lower bits, but it must clear 'grainsize'
> lower bits instead according to pseudo-code.
> The patch fixes both cases.
>
> Signed-off-by: Sergey Sorokin <address@hidden>
>      /* The address field in the descriptor goes up to bit 39 for ARMv7
> -     * but up to bit 47 for ARMv8.
> +     * but up to bit 47 for ARMv8, but we use the descaddrmask
> +     * up to bit 39 for AArch32, because we don't need other bits in that 
> case
> +     * to construct next descriptor address (anyway they should be all 
> zeroes).
>       */
> -    if (arm_feature(env, ARM_FEATURE_V8)) {
> -        descaddrmask = 0xfffffffff000ULL;
> -    } else {
> -        descaddrmask = 0xfffffff000ULL;
> -    }
> +    descaddrmask = ((1ull << (va_size == 64 ? 48 : 40)) - 1) &
> +                   ~indexmask_grainsize;

I still think we are going to end up wanting to revert the
"look at va_size rather than ARM_FEATURE_V8" part of this when
we come to implement AddressSize faults, but let's get this
bug fix in for now rather than continuing to argue about it.

Applied to target-arm.next, thanks.

-- PMM