QEMU

ARM: HCR.TSW traps are not implemented

Bug #1863685 reported by Julien Freche on 2020-02-18

6

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	QEMU	Fix Released	Undecided	Richard Henderson

Bug Description

On 32-bit and 64-bit ARM platforms, setting HCR.TSW is supposed to "Trap data or unified cache maintenance instructions that operate by Set/Way." Quoting the ARM manual:

If EL1 is using AArch64 state, accesses to DC ISW, DC CSW, DC CISW are trapped to EL2, reported using EC syndrome value 0x18.
If EL1 is using AArch32 state, accesses to DCISW, DCCSW, DCCISW are trapped to EL2, reported using EC syndrome value 0x03.

However, QEMU does not trap those instructions/registers. This was tested on the branch master of the git repo.

Richard Henderson (rth) on 2020-02-18

Changed in qemu:
status:	New → In Progress
assignee:	nobody → Richard Henderson (rth)

Revision history for this message

Richard Henderson (rth) wrote on 2020-02-18:

#1

Patch posted:
https://<email address hidden>/

Revision history for this message

Julien Freche (jfreche) wrote on 2020-02-18:

#2

Thanks for the quick turn around! I tested both your patches together (it's useful to have both to emulate set/way flushing inside a guest) and I am getting something unexpected. At some point, we are trapping on an access to DACR but ESR_EL2 doesn't seem to make a lot of sense: 0xfe00dc0. I am running a 32-bit Linux inside a VM.

Decoding it: Rt is set to 0xe which is LR_usr. Also, this is a read operation. So, essentially the guest seems to try to set DACR to LR_usr which seems unreasonable.

It could be an issue with the hypervisor on my side (I am running some custom code). But, it's not obvious to me and the code behaves fine on bare-metal. Is there a chance that ESR is not populated correctly?

In any case, I do see traps for set/way instructions so, from that point of view, the patch is good.

Revision history for this message

Julien Freche (jfreche) wrote on 2020-02-18:

#3

Sorry, I meant the operation is a write (TVM is on). The result of the operation is setting DACR to 0 so the guest stops progressing after that.

Anyway, since the issue could also be on my side, I don't want to block you with this.

Revision history for this message

Richard Henderson (rth) wrote on 2020-02-18:

#4

I can't think of any reason that DACR would have an incorrect
register value. It would be treated as any other system register,
and there's only one code path involved.

Revision history for this message

Julien Freche (jfreche) wrote on 2020-02-18:

#5

Makes sense. Debugging is on me then :) Both patches behave as expected, thanks!

Revision history for this message

Laurent Vivier (laurent-vivier) wrote on 2020-03-10:

#6

Fixed here:
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=1803d2713b29

Changed in qemu:
status:	In Progress → Fix Committed

Laurent Vivier (laurent-vivier) on 2020-04-30

Changed in qemu:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.