[PULL 009/114] target/arm: Use correct SP in M-profile exception return
From: Peter Maydell
Subject: [PULL 009/114] target/arm: Use correct SP in M-profile exception return
Date: Tue, 25 May 2021 16:01:39 +0100

When an M-profile CPU is restoring registers from the stack on
exception return, the stack pointer to use is determined based on
bits in the magic exception return type value. We were not getting
this logic entirely correct.

Whether we use one of the Secure stack pointers or one of the
Non-Secure stack pointers depends on the EXCRET.S bit. However,
whether we use the MSP or the PSP then depends on the SPSEL bit in
either the CONTROL_S or CONTROL_NS register. We were incorrectly
selecting MSP vs PSP based on the EXCRET.SPSEL bit.

(In the pseudocode this is in the PopStack() function, which calls
LookUpSp_with_security_mode() which in turn looks at the relevant
CONTROL.SPSEL bit.)

The buggy behaviour wasn't noticeable in most cases, because we write
EXCRET.SPSEL to the CONTROL.SPSEL bit for the S/NS register selected
by EXCRET.ES, so we only do the wrong thing when EXCRET.S and
EXCRET.ES are different. This will happen when secure code takes a
secure exception, which then tail-chains to a non-secure exception
which finally returns to the original secure code.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20210520130905.2049-1-peter.maydell@linaro.org
---
target/arm/m_helper.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/target/arm/m_helper.c b/target/arm/m_helper.c
index d63ae465e1e..eda74e55450 100644
--- a/target/arm/m_helper.c
+++ b/target/arm/m_helper.c
@@ -1597,10 +1597,11 @@ static void do_v7m_exception_exit(ARMCPU *cpu)
* We use this limited C variable scope so we don't accidentally
* use 'frame_sp_p' after we do something that makes it invalid.
*/
+ bool spsel = env->v7m.control[return_to_secure] &
R_V7M_CONTROL_SPSEL_MASK;
uint32_t *frame_sp_p = get_v7m_sp_ptr(env,
return_to_secure,
!return_to_handler,
- return_to_sp_process);
+ spsel);
uint32_t frameptr = *frame_sp_p;
bool pop_ok = true;
ARMMMUIdx mmu_idx;
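Review bot: the new `spsel` declaration sits between the block comment about the limited scope of 'frame_sp_p' and the `frame_sp_p` declaration that comment describes, so the comment now reads as if it applied to `spsel`. Consider moving the declaration above that comment and giving it a short comment of its own stating that MSP vs PSP comes from CONTROL.SPSEL of the bank selected by `return_to_secure` (the PopStack() behaviour cited in the commit message) and not from EXCRET.SPSEL, because the reason `return_to_sp_process` is no longer passed to get_v7m_sp_ptr() is not evident from the code alone. A regression test covering the case the commit message names (secure code, secure exception, tail-chain to a non-secure exception, return to the secure code) would keep this from regressing.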
--
2.20.1
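
A small C model of the stack pointer selection described in the commit message, added here as an illustration; it is not QEMU code and not part of the patch. The struct, the function names and the sample state are hypothetical, and the bit positions are the Armv8-M EXC_RETURN and CONTROL encodings.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Armv8-M EXC_RETURN and CONTROL bit positions. */
#define EXCRET_ES     (1u << 0)  /* security state the exception was taken to */
#define EXCRET_SPSEL  (1u << 2)
#define EXCRET_MODE   (1u << 3)  /* 1 = return to Thread mode */
#define EXCRET_S      (1u << 6)  /* security state that owns the stacked frame */
#define CONTROL_SPSEL (1u << 1)

enum sp_id { MSP_NS, PSP_NS, MSP_S, PSP_S };

/* Hypothetical stand-in for CPU state: control[0] = CONTROL_NS, control[1] = CONTROL_S. */
struct m_state { uint32_t control[2]; };

/* PSP is only selectable in Thread mode; Handler mode always uses MSP. */
static enum sp_id pick_sp(bool secure, bool thread, bool spsel) {
    bool psp = thread && spsel;
    return secure ? (psp ? PSP_S : MSP_S) : (psp ? PSP_NS : MSP_NS);
}

/* EXCRET.SPSEL is written to CONTROL.SPSEL of the bank selected by EXCRET.ES. */
static void write_spsel(struct m_state *st, uint32_t excret) {
    uint32_t *ctl = &st->control[(excret & EXCRET_ES) ? 1 : 0];
    *ctl = (*ctl & ~CONTROL_SPSEL) | ((excret & EXCRET_SPSEL) ? CONTROL_SPSEL : 0);
}

/* Selection before the patch: MSP vs PSP taken from EXCRET.SPSEL. */
enum sp_id frame_sp_before(struct m_state st, uint32_t excret) {
    write_spsel(&st, excret);
    return pick_sp(excret & EXCRET_S, excret & EXCRET_MODE, excret & EXCRET_SPSEL);
}

/* Selection after the patch: MSP vs PSP taken from CONTROL.SPSEL of the EXCRET.S bank. */
enum sp_id frame_sp_after(struct m_state st, uint32_t excret) {
    bool secure = excret & EXCRET_S;
    write_spsel(&st, excret);
    return pick_sp(secure, excret & EXCRET_MODE, st.control[secure] & CONTROL_SPSEL);
}

int main(void) {
    /* Constructed case: Secure thread code on PSP_S, returning from a
     * tail-chained Non-Secure handler (EXCRET.S=1, ES=0, SPSEL=0). */
    struct m_state st = { .control = { 0, CONTROL_SPSEL } };
    uint32_t excret = EXCRET_S | EXCRET_MODE;
    printf("before=%d after=%d\n", frame_sp_before(st, excret), frame_sp_after(st, excret));
    return 0;
}
```

In the constructed case the two functions disagree only because EXCRET.S and EXCRET.ES differ; with S equal to ES the write in `write_spsel()` makes both paths read the same bit.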