On 18 April 2016 at 17:27, Sergey Sorokin <afaral...@yandex.ru> wrote: > There is a bug in ARM address translation regime with a long-descriptor > format. On the descriptor reading its address is formed from an index > which is a part of the input address. And on the first iteration this index > is incorrectly masked with 'grainsize' mask. But it can be wider according > to pseudo-code. > On the other hand on the iterations other than first the descriptor address > is formed from the previous level descriptor by masking with 'descaddrmask' > value. It always clears just 12 lower bits, but it must clear 'grainsize' > lower bits instead according to pseudo-code. > The patch fixes both cases. > > Signed-off-by: Sergey Sorokin <afaral...@yandex.ru> > /* The address field in the descriptor goes up to bit 39 for ARMv7 > - * but up to bit 47 for ARMv8. > + * but up to bit 47 for ARMv8, but we use the descaddrmask > + * up to bit 39 for AArch32, because we don't need other bits in that > case > + * to construct next descriptor address (anyway they should be all > zeroes). > */ > - if (arm_feature(env, ARM_FEATURE_V8)) { > - descaddrmask = 0xfffffffff000ULL; > - } else { > - descaddrmask = 0xfffffff000ULL; > - } > + descaddrmask = ((1ull << (va_size == 64 ? 48 : 40)) - 1) & > + ~indexmask_grainsize;
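Review bot: the replacement `descaddrmask = ((1ull << (va_size == 64 ? 48 : 40)) - 1) & ~indexmask_grainsize;` relies on `indexmask_grainsize` already holding the final grain-size mask at this point, but the hunk shows neither its definition nor where it is assigned; confirm it is computed before this line, since the patch description also changes how that mask is applied on the first lookup iteration and an ordering slip there would silently widen or narrow every subsequent descriptor address. Two smaller points: the new comment reads awkwardly with "but up to bit 47 for ARMv8, but we use the descaddrmask up to bit 39", so suggest splitting it into "up to bit 47 for ARMv8. For AArch32 we only keep bits up to 39, because ..."; and the selector switched from `arm_feature(env, ARM_FEATURE_V8)` to `va_size == 64`, which the comment justifies with "they should be all zeroes", an assumption rather than a check, so bits 40..47 set in an AArch32 descriptor are now dropped rather than detected, and that expectation belongs in the commit message for whoever later adds the AddressSize fault handling.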
I still think we are going to end up wanting to revert the "look at va_size rather than ARM_FEATURE_V8" part of this when we come to implement AddressSize faults, but let's get this bug fix in for now rather than continuing to argue about it. Applied to target-arm.next, thanks. -- PMM