qemu/tcg-Allow-top-bit-of-SIMD_DATA_BITS-to-be-set-in-sim.patch

From d0b24cfdeb8bd64fa55154d79574352be33ecc51 Mon Sep 17 00:00:00 2001
From: Peter Maydell <peter.maydell@linaro.org>
Date: Fri, 15 Nov 2024 17:25:15 +0000
Subject: [PATCH] tcg: Allow top bit of SIMD_DATA_BITS to be set in simd_desc()

In simd_desc() we create a SIMD descriptor from various pieces
including an arbitrary data value from the caller.  We try to
sanitize these to make sure everything will fit: the 'data' value
needs to fit in the SIMD_DATA_BITS (== 22) sized field.  However we
do that sanitizing with:
   tcg_debug_assert(data == sextract32(data, 0, SIMD_DATA_BITS));

This works for the case where the data is supposed to be considered
as a signed integer (which can then be returned via simd_data()).
However, some callers want to treat the data value as unsigned.

Specifically, for the Arm SVE operations, make_svemte_desc()
assembles a data value as a collection of fields, and it needs to use
all 22 bits.  Currently if MTE is enabled then its MTEDESC SIZEM1
field may have the most significant bit set, and then it will trip
this assertion.

Loosen the assertion so that we only check that the data value will
fit into the field in some way, either as a signed or as an unsigned
value.  This means we will fail to detect some kinds of bug in the
callers, but we won't spuriously assert for intentional use of the
data field as unsigned.

Cc: qemu-stable@nongnu.org
Fixes: db432672dc50e ("tcg: Add generic vector expanders")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2601
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-ID: <20241115172515.1229393-1-peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Zhongrui Tang <tangzhongrui_yewu@cmss.chinamobile.com>
---
 tcg/tcg-op-gvec.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/tcg/tcg-op-gvec.c b/tcg/tcg-op-gvec.c
index bb88943f79..733b44f105 100644
--- a/tcg/tcg-op-gvec.c
+++ b/tcg/tcg-op-gvec.c
@@ -88,7 +88,20 @@ uint32_t simd_desc(uint32_t oprsz, uint32_t maxsz, int32_t data)
     uint32_t desc = 0;
 
     check_size_align(oprsz, maxsz, 0);
-    tcg_debug_assert(data == sextract32(data, 0, SIMD_DATA_BITS));
+
+    /*
+     * We want to check that 'data' will fit into SIMD_DATA_BITS.
+     * However, some callers want to treat the data as a signed
+     * value (which they can later get back with simd_data())
+     * and some want to treat it as an unsigned value.
+     * So here we assert only that the data will fit into the
+     * field in at least one way. This means that some invalid
+     * values from the caller will not be detected, e.g. if the
+     * caller wants to handle the value as a signed integer but
+     * incorrectly passes us 1 << (SIMD_DATA_BITS - 1).
+     */
+    tcg_debug_assert(data == sextract32(data, 0, SIMD_DATA_BITS) ||
+                     data == extract32(data, 0, SIMD_DATA_BITS));
 
     oprsz = (oprsz / 8) - 1;
     maxsz = (maxsz / 8) - 1;
-- 
2.41.0.windows.1
QEMU update to version 8.2.0-26: - vdpa-dev: Fix initialisation order to restore VDUSE compatibility - tcg: Allow top bit of SIMD_DATA_BITS to be set in simd_desc() - migration: fix-possible-int-overflow - target/m68k: Map FPU exceptions to FPSR register - qemu-options: Fix CXL Fixed Memory Window interleave-granularity typo - hvf: arm: Fix encodings for ID_AA64PFR1_EL1 and debug System registers - hw/intc/arm_gic: Fix handling of NS view of GICC_APR<n> - qio: Inherit follow_coroutine_ctx across TLS - target/riscv: Fix the element agnostic function problem - accel/tcg: Fix typo causing tb->page_addr[1] to not be recorded - tcg/loongarch64: Fix tcg_out_movi vs some pcrel pointers - migration: Fix file migration with fdset - ui/vnc: don't return an empty SASL mechlist to the client - target/arm: Fix FJCVTZS vs flush-to-zero - hw/ppc/e500: Prefer QOM cast - sphinx/qapidoc: Fix to generate doc for explicit, unboxed arguments - hw/ppc/e500: Remove unused "irqs" parameter - hw/ppc/e500: Add missing device tree properties to i2c controller node - hw/i386/amd_iommu: Don't leak memory in amdvi_update_iotlb() - hw/arm/mps2-tz.c: fix RX/TX interrupts order - target/i386: csv: Add support to migrate the incoming context for CSV3 guest - target/i386: csv: Add support to migrate the outgoing context for CSV3 guest - target/i386: csv: Add support to migrate the incoming page for CSV3 guest - target/i386: csv: Add support to migrate the outgoing page for CSV3 guest - linux-headers: update kernel headers to include CSV3 migration cmds - vfio: Only map shared region for CSV3 virtual machine - vga: Force full update for CSV3 guest - target/i386: csv: Load initial image to private memory for CSV3 guest - target/i386: csv: Do not register/unregister guest secure memory for CSV3 guest - target/i386: cpu: Populate CPUID 0x8000_001F when CSV3 is active - target/i386: csv: Add command to load vmcb to CSV3 guest memory - target/i386: csv: Add command to load data to CSV3 guest memory - target/i386: csv: Add command to initialize CSV3 context - target/i386: csv: Add CSV3 context - next-kbd: convert to use qemu_input_handler_register() - qemu/bswap: Undefine CPU_CONVERT() once done - exec/memop: Remove unused memop_big_endian() helper - hw/nvme: fix handling of over-committed queues - 9pfs: fix crash on 'Treaddir' request - hw/misc/psp: Pin the hugepage memory specified by mem2 during use for psp - hw/misc: support tkm use mem2 memory - hw/i386: add mem2 option for qemu - kvm: add support for guest physical bits - target/i386: add guest-phys-bits cpu property Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com> (cherry picked from commit f45f35e88509a4ffa9f62332ee9601e9fe1f8d09) 2024-12-12 17:01:35 +08:00			`From d0b24cfdeb8bd64fa55154d79574352be33ecc51 Mon Sep 17 00:00:00 2001`
			`From: Peter Maydell <peter.maydell@linaro.org>`
			`Date: Fri, 15 Nov 2024 17:25:15 +0000`
			`Subject: [PATCH] tcg: Allow top bit of SIMD_DATA_BITS to be set in simd_desc()`

			`In simd_desc() we create a SIMD descriptor from various pieces`
			`including an arbitrary data value from the caller. We try to`
			`sanitize these to make sure everything will fit: the 'data' value`
			`needs to fit in the SIMD_DATA_BITS (== 22) sized field. However we`
			`do that sanitizing with:`
			`tcg_debug_assert(data == sextract32(data, 0, SIMD_DATA_BITS));`

			`This works for the case where the data is supposed to be considered`
			`as a signed integer (which can then be returned via simd_data()).`
			`However, some callers want to treat the data value as unsigned.`

			`Specifically, for the Arm SVE operations, make_svemte_desc()`
			`assembles a data value as a collection of fields, and it needs to use`
			`all 22 bits. Currently if MTE is enabled then its MTEDESC SIZEM1`
			`field may have the most significant bit set, and then it will trip`
			`this assertion.`

			`Loosen the assertion so that we only check that the data value will`
			`fit into the field in some way, either as a signed or as an unsigned`
			`value. This means we will fail to detect some kinds of bug in the`
			`callers, but we won't spuriously assert for intentional use of the`
			`data field as unsigned.`

			`Cc: qemu-stable@nongnu.org`
			`Fixes: db432672dc50e ("tcg: Add generic vector expanders")`
			`Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2601`
			`Signed-off-by: Peter Maydell <peter.maydell@linaro.org>`
			`Message-ID: <20241115172515.1229393-1-peter.maydell@linaro.org>`
			`Reviewed-by: Richard Henderson <richard.henderson@linaro.org>`
			`Signed-off-by: Richard Henderson <richard.henderson@linaro.org>`
			`Signed-off-by: Zhongrui Tang <tangzhongrui_yewu@cmss.chinamobile.com>`
			`---`
			`tcg/tcg-op-gvec.c \| 15 ++++++++++++++-`
			`1 file changed, 14 insertions(+), 1 deletion(-)`

			`diff --git a/tcg/tcg-op-gvec.c b/tcg/tcg-op-gvec.c`
			`index bb88943f79..733b44f105 100644`
			`--- a/tcg/tcg-op-gvec.c`
			`+++ b/tcg/tcg-op-gvec.c`
			`@@ -88,7 +88,20 @@ uint32_t simd_desc(uint32_t oprsz, uint32_t maxsz, int32_t data)`
			`uint32_t desc = 0;`

			`check_size_align(oprsz, maxsz, 0);`
			`- tcg_debug_assert(data == sextract32(data, 0, SIMD_DATA_BITS));`
			`+`
			`+ /*`
			`+ * We want to check that 'data' will fit into SIMD_DATA_BITS.`
			`+ * However, some callers want to treat the data as a signed`
			`+ * value (which they can later get back with simd_data())`
			`+ * and some want to treat it as an unsigned value.`
			`+ * So here we assert only that the data will fit into the`
			`+ * field in at least one way. This means that some invalid`
			`+ * values from the caller will not be detected, e.g. if the`
			`+ * caller wants to handle the value as a signed integer but`
			`+ * incorrectly passes us 1 << (SIMD_DATA_BITS - 1).`
			`+ */`
			`+ tcg_debug_assert(data == sextract32(data, 0, SIMD_DATA_BITS) \|\|`
			`+ data == extract32(data, 0, SIMD_DATA_BITS));`

			`oprsz = (oprsz / 8) - 1;`
			`maxsz = (maxsz / 8) - 1;`
			`--`
			`2.41.0.windows.1`