Table D4-32 shows that execute access from EL0 doesn't depend on AP[1]. Signed-off-by: Andrew Jones <drjo...@redhat.com> --- target-arm/helper.c | 27 ++++++++++++++++----------- 1 file changed, 16 insertions(+), 11 deletions(-)
diff --git a/target-arm/helper.c b/target-arm/helper.c index 3ef0f1f38eda5..7c30a2669a0f2 100644 --- a/target-arm/helper.c +++ b/target-arm/helper.c @@ -4787,7 +4787,7 @@ static int get_phys_addr_lpae(CPUARMState *env, target_ulong address, hwaddr descaddr, descmask; uint32_t tableattrs; target_ulong page_size; - uint32_t attrs; + uint32_t attrs, ap; int32_t granule_sz = 9; int32_t va_size = 32; int32_t tbi = 0; @@ -4952,14 +4952,20 @@ static int get_phys_addr_lpae(CPUARMState *env, target_ulong address, /* Access flag */ goto do_fault; } + fault_type = permission_fault; - if (is_user && !(attrs & (1 << 4))) { - /* Unprivileged access not enabled */ - goto do_fault; + ap = extract32(attrs, 4, 2); /* AP[2:1] */ + + *prot = 0; + if (!is_user || (ap & 1)) { + *prot |= PAGE_READ; + *prot |= !(ap & 2) ? PAGE_WRITE : 0; } - *prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC; + + *prot |= PAGE_EXEC; if ((arm_feature(env, ARM_FEATURE_V8) && is_user && (attrs & (1 << 12))) || (!arm_feature(env, ARM_FEATURE_V8) && (attrs & (1 << 12))) || + (!arm_el_is_aa64(env, 1) && is_user && !(ap & 1)) || (!is_user && (attrs & (1 << 11)))) { /* XN/UXN or PXN. Since we only implement EL0/EL1 we unconditionally * treat XN/UXN as UXN for v8. @@ -4969,12 +4975,11 @@ static int get_phys_addr_lpae(CPUARMState *env, target_ulong address, } *prot &= ~PAGE_EXEC; } - if (attrs & (1 << 5)) { - /* Write access forbidden */ - if (access_type == 1) { - goto do_fault; - } - *prot &= ~PAGE_WRITE; + + if ((*prot == 0) + || (!(*prot & PAGE_WRITE) && access_type == 1) + || (!(*prot & PAGE_EXEC) && access_type == 2)) { + goto do_fault; } *phys_ptr = descaddr; -- 1.9.3