From d3327a38cda104dd292105b6b9d140f2158209f9 Mon Sep 17 00:00:00 2001
From: Richard Henderson
Date: Sat, 12 Jun 2021 12:57:07 -0700
Subject: [PATCH] target/arm: Fix mte page crossing test
The test was off-by-one, because tag_last points to the last byte of the tag to check, thus tag_last - prev_page will equal TARGET_PAGE_SIZE when we use the first byte of the next page.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/403
Reported-by: Peter Collingbourne
Signed-off-by: Richard Henderson
Message-id: 20210612195707.840217-1-richard.henderson@linaro.org
Reviewed-by: Peter Maydell
Signed-off-by: Peter Maydell
---
 target/arm/mte_helper.c | 2 +-
 tests/tcg/aarch64/Makefile.target | 2 +-
 tests/tcg/aarch64/mte-7.c | 31 +++++++++++++++++++++++++++++++
 3 files changed, 33 insertions(+), 2 deletions(-)
 create mode 100644 tests/tcg/aarch64/mte-7.c
diff --git a/target/arm/mte_helper.c b/target/arm/mte_helper.c
index 166b9d260f..9e615cc513 100644
--- a/target/arm/mte_helper.c
+++ b/target/arm/mte_helper.c
@@ -730,7 +730,7 @@ static int mte_probe_int(CPUARMState *env, uint32_t desc, uint64_t ptr,
 prev_page = ptr & TARGET_PAGE_MASK;
 next_page = prev_page + TARGET_PAGE_SIZE;
- if (likely(tag_last - prev_page <= TARGET_PAGE_SIZE)) {
+ if (likely(tag_last - prev_page < TARGET_PAGE_SIZE)) {
 /* Memory access stays on one page. */
 tag_size = ((tag_byte_last - tag_byte_first) / (2 * TAG_GRANULE)) + 1;
 mem1 = allocation_tag_mem(env, mmu_idx, ptr, type, sizem1 + 1,
diff --git a/tests/tcg/aarch64/Makefile.target b/tests/tcg/aarch64/Makefile.target
index 928357b10a..2c05c90d17 100644
--- a/tests/tcg/aarch64/Makefile.target
+++ b/tests/tcg/aarch64/Makefile.target
@@ -37,7 +37,7 @@ AARCH64_TESTS += bti-2
 # MTE Tests
 ifneq ($(DOCKER_IMAGE)$(CROSS_CC_HAS_ARMV8_MTE),)
-AARCH64_TESTS += mte-1 mte-2 mte-3 mte-4 mte-5 mte-6
+AARCH64_TESTS += mte-1 mte-2 mte-3 mte-4 mte-5 mte-6 mte-7
 mte-%: CFLAGS += -march=armv8.5-a+memtag
 endif
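Review bot: The corrected condition `tag_last - prev_page < TARGET_PAGE_SIZE` is only right because tag_last is an inclusive last byte, and nothing in the hunk says so — a later reader sees a strict comparison against a page size and may "fix" it back to `<=`, reintroducing exactly the off-by-one this commit removes. Record the invariant next to the comment the hunk keeps, e.g. `/* tag_last is inclusive: a same-page access has tag_last - prev_page <= TARGET_PAGE_SIZE - 1. */`. Writing the test as `tag_last < next_page` would read naturally since next_page is computed on the line above, but that form breaks for the last page of the 64-bit address space, where next_page wraps to 0, so the subtraction form should stay. mte_probe_int starts and ends outside the hunk, so how tag_last is derived is taken from the commit message, not verified here.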
diff --git a/tests/tcg/aarch64/mte-7.c b/tests/tcg/aarch64/mte-7.c
new file mode 100644
index 0000000000..a981de62d4
--- /dev/null
+++ b/tests/tcg/aarch64/mte-7.c
@@ -0,0 +1,31 @@
+/*
+ * Memory tagging, unaligned access crossing pages.
+ * https://gitlab.com/qemu-project/qemu/-/issues/403
+ *
+ * Copyright (c) 2021 Linaro Ltd
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "mte.h"
+
+int main(int ac, char **av)
+{
+ void *p;
+
+ enable_mte(PR_MTE_TCF_SYNC);
+ p = alloc_mte_mem(2 * 0x1000);
+
+ /* Tag the pointer. */
+ p = (void *)((unsigned long)p | (1ul << 56));
+
+ /* Store tag in sequential granules. */
+ asm("stg %0, [%0]" : : "r"(p + 0x0ff0));
+ asm("stg %0, [%0]" : : "r"(p + 0x1000));
+
+ /*
+ * Perform an unaligned store with tag 1 crossing the pages.
+ * Failure dies with SIGSEGV.
+ */
+ asm("str %0, [%0]" : : "r"(p + 0x0ffc));
+ return 0;
+}
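Review bot: The page boundary this regression test depends on is hard-coded: `alloc_mte_mem(2 * 0x1000)`, the stg at `p + 0x1000` and the str at `p + 0x0ffc` all assume a 4 KiB page, so with a 16 or 64 KiB page (assuming alloc_mte_mem returns page-aligned memory, which the test's premise implies but the hunk does not show) the 8-byte store at 0x0ffc..0x1003 never crosses a page and the test passes without exercising the fix. Derive the offsets from `sysconf(_SC_PAGESIZE)` (adding `#include <unistd.h>` unless mte.h already provides it) and keep the two tagged granules adjacent to the boundary, as below; page sizes are multiples of the 16-byte granule, so the stg addresses remain aligned. If the harness guarantees 4 KiB pages instead, say so where the offsets appear: `/* Assumes 4 KiB pages: granules 0x0ff0 and 0x1000 straddle the boundary. */`. The result of alloc_mte_mem is not checked; that is acceptable only if the helper aborts on failure, which cannot be confirmed from this hunk.
```c
    long pg = sysconf(_SC_PAGESIZE);   /* boundary is at p + pg, whatever the page size */
    p = alloc_mte_mem(2 * pg);
    /* … unchanged: tag the pointer … */
    /* Store tag in the granules on either side of the page boundary. */
    asm("stg %0, [%0]" : : "r"(p + pg - 0x10));
    asm("stg %0, [%0]" : : "r"(p + pg));
    /* … unchanged: explanatory comment … */
    asm("str %0, [%0]" : : "r"(p + pg - 4));
```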