qemu/hw-intc-arm_gic-Fix-handling-of-NS-view-of-GICC_APR-.patch

From 20541823659dc78a6a7be427f8fc03ccc58c88d1 Mon Sep 17 00:00:00 2001
From: Andrey Shumilin <shum.sdl@nppct.ru>
Date: Thu, 23 May 2024 16:06:20 +0100
Subject: [PATCH] hw/intc/arm_gic: Fix handling of NS view of GICC_APR<n>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

In gic_cpu_read() and gic_cpu_write(), we delegate the handling of
reading and writing the Non-Secure view of the GICC_APR<n> registers
to functions gic_apr_ns_view() and gic_apr_write_ns_view().
Unfortunately we got the order of the arguments wrong, swapping the
CPU number and the register number (which the compiler doesn't catch
because they're both integers).

Most guests probably didn't notice this bug because directly
accessing the APR registers is typically something only done by
firmware when it is doing state save for going into a sleep mode.

Correct the mismatched call arguments.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Cc: qemu-stable@nongnu.org
Fixes: 51fd06e0ee ("hw/intc/arm_gic: Fix handling of GICC_APR<n>, GICC_NSAPR<n> registers")
Signed-off-by: Andrey Shumilin <shum.sdl@nppct.ru>
[PMM: Rewrote commit message]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Alex Bennée<alex.bennee@linaro.org>
(cherry picked from commit daafa78b297291fea36fb4daeed526705fa7c035)
Signed-off-by: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
---
 hw/intc/arm_gic.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c
index dfe7a0a729..f0582f7a49 100644
--- a/hw/intc/arm_gic.c
+++ b/hw/intc/arm_gic.c
@@ -1663,7 +1663,7 @@ static MemTxResult gic_cpu_read(GICState *s, int cpu, int offset,
             *data = s->h_apr[gic_get_vcpu_real_id(cpu)];
         } else if (gic_cpu_ns_access(s, cpu, attrs)) {
             /* NS view of GICC_APR<n> is the top half of GIC_NSAPR<n> */
-            *data = gic_apr_ns_view(s, regno, cpu);
+            *data = gic_apr_ns_view(s, cpu, regno);
         } else {
             *data = s->apr[regno][cpu];
         }
@@ -1751,7 +1751,7 @@ static MemTxResult gic_cpu_write(GICState *s, int cpu, int offset,
             s->h_apr[gic_get_vcpu_real_id(cpu)] = value;
         } else if (gic_cpu_ns_access(s, cpu, attrs)) {
             /* NS view of GICC_APR<n> is the top half of GIC_NSAPR<n> */
-            gic_apr_write_ns_view(s, regno, cpu, value);
+            gic_apr_write_ns_view(s, cpu, regno, value);
         } else {
             s->apr[regno][cpu] = value;
         }
-- 
2.41.0.windows.1
QEMU update to version 8.2.0-26: - vdpa-dev: Fix initialisation order to restore VDUSE compatibility - tcg: Allow top bit of SIMD_DATA_BITS to be set in simd_desc() - migration: fix-possible-int-overflow - target/m68k: Map FPU exceptions to FPSR register - qemu-options: Fix CXL Fixed Memory Window interleave-granularity typo - hvf: arm: Fix encodings for ID_AA64PFR1_EL1 and debug System registers - hw/intc/arm_gic: Fix handling of NS view of GICC_APR<n> - qio: Inherit follow_coroutine_ctx across TLS - target/riscv: Fix the element agnostic function problem - accel/tcg: Fix typo causing tb->page_addr[1] to not be recorded - tcg/loongarch64: Fix tcg_out_movi vs some pcrel pointers - migration: Fix file migration with fdset - ui/vnc: don't return an empty SASL mechlist to the client - target/arm: Fix FJCVTZS vs flush-to-zero - hw/ppc/e500: Prefer QOM cast - sphinx/qapidoc: Fix to generate doc for explicit, unboxed arguments - hw/ppc/e500: Remove unused "irqs" parameter - hw/ppc/e500: Add missing device tree properties to i2c controller node - hw/i386/amd_iommu: Don't leak memory in amdvi_update_iotlb() - hw/arm/mps2-tz.c: fix RX/TX interrupts order - target/i386: csv: Add support to migrate the incoming context for CSV3 guest - target/i386: csv: Add support to migrate the outgoing context for CSV3 guest - target/i386: csv: Add support to migrate the incoming page for CSV3 guest - target/i386: csv: Add support to migrate the outgoing page for CSV3 guest - linux-headers: update kernel headers to include CSV3 migration cmds - vfio: Only map shared region for CSV3 virtual machine - vga: Force full update for CSV3 guest - target/i386: csv: Load initial image to private memory for CSV3 guest - target/i386: csv: Do not register/unregister guest secure memory for CSV3 guest - target/i386: cpu: Populate CPUID 0x8000_001F when CSV3 is active - target/i386: csv: Add command to load vmcb to CSV3 guest memory - target/i386: csv: Add command to load data to CSV3 guest memory - target/i386: csv: Add command to initialize CSV3 context - target/i386: csv: Add CSV3 context - next-kbd: convert to use qemu_input_handler_register() - qemu/bswap: Undefine CPU_CONVERT() once done - exec/memop: Remove unused memop_big_endian() helper - hw/nvme: fix handling of over-committed queues - 9pfs: fix crash on 'Treaddir' request - hw/misc/psp: Pin the hugepage memory specified by mem2 during use for psp - hw/misc: support tkm use mem2 memory - hw/i386: add mem2 option for qemu - kvm: add support for guest physical bits - target/i386: add guest-phys-bits cpu property Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com> (cherry picked from commit f45f35e88509a4ffa9f62332ee9601e9fe1f8d09) 2024-12-12 17:01:35 +08:00			`From 20541823659dc78a6a7be427f8fc03ccc58c88d1 Mon Sep 17 00:00:00 2001`
			`From: Andrey Shumilin <shum.sdl@nppct.ru>`
			`Date: Thu, 23 May 2024 16:06:20 +0100`
			`Subject: [PATCH] hw/intc/arm_gic: Fix handling of NS view of GICC_APR<n>`
			`MIME-Version: 1.0`
			`Content-Type: text/plain; charset=UTF-8`
			`Content-Transfer-Encoding: 8bit`

			`In gic_cpu_read() and gic_cpu_write(), we delegate the handling of`
			`reading and writing the Non-Secure view of the GICC_APR<n> registers`
			`to functions gic_apr_ns_view() and gic_apr_write_ns_view().`
			`Unfortunately we got the order of the arguments wrong, swapping the`
			`CPU number and the register number (which the compiler doesn't catch`
			`because they're both integers).`

			`Most guests probably didn't notice this bug because directly`
			`accessing the APR registers is typically something only done by`
			`firmware when it is doing state save for going into a sleep mode.`

			`Correct the mismatched call arguments.`

			`Found by Linux Verification Center (linuxtesting.org) with SVACE.`

			`Cc: qemu-stable@nongnu.org`
			`Fixes: 51fd06e0ee ("hw/intc/arm_gic: Fix handling of GICC_APR<n>, GICC_NSAPR<n> registers")`
			`Signed-off-by: Andrey Shumilin <shum.sdl@nppct.ru>`
			`[PMM: Rewrote commit message]`
			`Signed-off-by: Peter Maydell <peter.maydell@linaro.org>`
			`Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>`
			`Reviewed-by: Alex Bennée<alex.bennee@linaro.org>`
			`(cherry picked from commit daafa78b297291fea36fb4daeed526705fa7c035)`
			`Signed-off-by: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>`
			`---`
			`hw/intc/arm_gic.c \| 4 ++--`
			`1 file changed, 2 insertions(+), 2 deletions(-)`

			`diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c`
			`index dfe7a0a729..f0582f7a49 100644`
			`--- a/hw/intc/arm_gic.c`
			`+++ b/hw/intc/arm_gic.c`
			`@@ -1663,7 +1663,7 @@ static MemTxResult gic_cpu_read(GICState *s, int cpu, int offset,`
			`*data = s->h_apr[gic_get_vcpu_real_id(cpu)];`
			`} else if (gic_cpu_ns_access(s, cpu, attrs)) {`
			`/* NS view of GICC_APR<n> is the top half of GIC_NSAPR<n> */`
			`- *data = gic_apr_ns_view(s, regno, cpu);`
			`+ *data = gic_apr_ns_view(s, cpu, regno);`
			`} else {`
			`*data = s->apr[regno][cpu];`
			`}`
			`@@ -1751,7 +1751,7 @@ static MemTxResult gic_cpu_write(GICState *s, int cpu, int offset,`
			`s->h_apr[gic_get_vcpu_real_id(cpu)] = value;`
			`} else if (gic_cpu_ns_access(s, cpu, attrs)) {`
			`/* NS view of GICC_APR<n> is the top half of GIC_NSAPR<n> */`
			`- gic_apr_write_ns_view(s, regno, cpu, value);`
			`+ gic_apr_write_ns_view(s, cpu, regno, value);`
			`} else {`
			`s->apr[regno][cpu] = value;`
			`}`
			`--`
			`2.41.0.windows.1`