qemu/target-ppc-Fix-lxv-stxv-MSR-facility-check.patch

From a8b171a0e5be721ee173a533f98594f62b0f0250 Mon Sep 17 00:00:00 2001
From: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
Date: Sun, 29 Sep 2024 07:07:36 -0400
Subject: [PATCH] target/ppc: Fix lxv/stxv MSR facility check
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

cheery-pick from 2cc0e449d17310877fb28a942d4627ad22bb68ea

The move to decodetree flipped the inequality test for the VEC / VSX
MSR facility check.

This caused application crashes under Linux, where these facility
unavailable interrupts are used for lazy-switching of VEC/VSX register
sets. Getting the incorrect interrupt would result in wrong registers
being loaded, potentially overwriting live values and/or exposing
stale ones.

Cc: qemu-stable@nongnu.org
Reported-by: Joel Stanley <joel@jms.id.au>
Fixes: 70426b5bb738 ("target/ppc: moved stxvx and lxvx from legacy to decodtree")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1769
Reviewed-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
Tested-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Tested-by: Cédric Le Goater <clg@kaod.org>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
---
 target/ppc/translate/vsx-impl.c.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/ppc/translate/vsx-impl.c.inc b/target/ppc/translate/vsx-impl.c.inc
index 6db87ab336..0266f09119 100644
--- a/target/ppc/translate/vsx-impl.c.inc
+++ b/target/ppc/translate/vsx-impl.c.inc
@@ -2268,7 +2268,7 @@ static bool do_lstxv(DisasContext *ctx, int ra, TCGv displ,
 
 static bool do_lstxv_D(DisasContext *ctx, arg_D *a, bool store, bool paired)
 {
-    if (paired || a->rt >= 32) {
+    if (paired || a->rt < 32) {
         REQUIRE_VSX(ctx);
     } else {
         REQUIRE_VECTOR(ctx);
-- 
2.41.0.windows.1
QEMU update to version 8.2.0-21: - tests: bump QOS_PATH_MAX_ELEMENT_SIZE again - softmmu/physmem: fix memory leak in dirty_memory_extend() - crypto: run qcrypto_pbkdf2_count_iters in a new thread - hw/audio/virtio-sound: fix heap buffer overflow - hw/intc/arm_gic: fix spurious level triggered interrupts - ui/sdl2: set swap interval explicitly when OpenGL is enabled - target/riscv/kvm: tolerate KVM disable ext errors - virtio: remove virtio_tswap16s() call in vring_packed_event_read() - block: fix -Werror=maybe-uninitialized false-positive - hw/remote/vfio-user: Fix config space access byte order - hw/loongarch/virt: Fix memory leak - hw/intc/riscv_aplic: APLICs should add child earlier than realize - stdvga: fix screen blanking - ui/gtk: Draw guest frame at refresh cycle - target/i386: fix size of EBP writeback in gen_enter() - virtio-net: drop too short packets early - target/ppc: Fix lxv/stxv MSR facility check - target/ppc: Fix lxvx/stxvx facility check - virtio-snd: add max size bounds check in input cb(CVE-2024-7730) Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com> (cherry picked from commit e2eb79f1867bb8d8d870e758f06d2a32b3a4fc8a) 2024-11-07 09:21:18 +08:00			`From a8b171a0e5be721ee173a533f98594f62b0f0250 Mon Sep 17 00:00:00 2001`
			`From: qihao_yewu <qihao_yewu@cmss.chinamobile.com>`
			`Date: Sun, 29 Sep 2024 07:07:36 -0400`
			`Subject: [PATCH] target/ppc: Fix lxv/stxv MSR facility check`
			`MIME-Version: 1.0`
			`Content-Type: text/plain; charset=UTF-8`
			`Content-Transfer-Encoding: 8bit`

			`cheery-pick from 2cc0e449d17310877fb28a942d4627ad22bb68ea`

			`The move to decodetree flipped the inequality test for the VEC / VSX`
			`MSR facility check.`

			`This caused application crashes under Linux, where these facility`
			`unavailable interrupts are used for lazy-switching of VEC/VSX register`
			`sets. Getting the incorrect interrupt would result in wrong registers`
			`being loaded, potentially overwriting live values and/or exposing`
			`stale ones.`

			`Cc: qemu-stable@nongnu.org`
			`Reported-by: Joel Stanley <joel@jms.id.au>`
			`Fixes: 70426b5bb738 ("target/ppc: moved stxvx and lxvx from legacy to decodtree")`
			`Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1769`
			`Reviewed-by: Harsh Prateek Bora <harshpb@linux.ibm.com>`
			`Tested-by: Harsh Prateek Bora <harshpb@linux.ibm.com>`
			`Reviewed-by: Cédric Le Goater <clg@kaod.org>`
			`Tested-by: Cédric Le Goater <clg@kaod.org>`
			`Signed-off-by: Nicholas Piggin <npiggin@gmail.com>`
			`Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>`
			`---`
			`target/ppc/translate/vsx-impl.c.inc \| 2 +-`
			`1 file changed, 1 insertion(+), 1 deletion(-)`

			`diff --git a/target/ppc/translate/vsx-impl.c.inc b/target/ppc/translate/vsx-impl.c.inc`
			`index 6db87ab336..0266f09119 100644`
			`--- a/target/ppc/translate/vsx-impl.c.inc`
			`+++ b/target/ppc/translate/vsx-impl.c.inc`
			`@@ -2268,7 +2268,7 @@ static bool do_lstxv(DisasContext *ctx, int ra, TCGv displ,`

			`static bool do_lstxv_D(DisasContext ctx, arg_D a, bool store, bool paired)`
			`{`
			`- if (paired \|\| a->rt >= 32) {`
			`+ if (paired \|\| a->rt < 32) {`
			`REQUIRE_VSX(ctx);`
			`} else {`
			`REQUIRE_VECTOR(ctx);`
			`--`
			`2.41.0.windows.1`