mirror of
https://github.com/qemu/qemu.git
synced 2026-02-03 21:29:17 +00:00
854cd16e31
'CPUTLBEntryFull.xlat_section' stores section_index in last 12 bits to find the correct section when CPU access the IO region over the IOTLB. However, section_index is only unique inside single AddressSpace. If address space translation is over IOMMUMemoryRegion, it could return section from other AddressSpace. 'iotlb_to_section()' API only finds the sections from CPU's AddressSpace so that it couldn't find section in other AddressSpace. Thus, using 'iotlb_to_section()' API will find the wrong section and QEMU will have wrong load/store access. To fix this bug of iotlb_to_section(), store complete MemoryRegionSection pointer in CPUTLBEntryFull to replace the section_index in xlat_section. Rename 'xlat_section' to 'xlat' as we remove last 12 bits section_index inside. Also, since we directly use section pointer in the CPUTLBEntryFull (full->section), we can remove the unused functions: iotlb_to_section(), memory_region_section_get_iotlb(). This bug occurs only when (1) IOMMUMemoryRegion is in the path of CPU access. (2) IOMMUMemoryRegion returns different target_as and the section is in the IO region. Common IOMMU devices don't have this issue since they are only in the path of DMA access. Currently, the bug only occurs when ARM MPC device (hw/misc/tz-mpc.c) returns 'blocked_io_as' to emulate blocked access handling. Upcoming RISC-V wgChecker [1] and IOPMP [2] devices are also affected by this bug. [1] RISC-V WG: https://patchew.org/QEMU/20251021155548.584543-1-jim.shu@sifive.com/ [2] RISC-V IOPMP: https://patchew.org/QEMU/20250312093735.1517740-1-ethan84@andestech.com/ Signed-off-by: Jim Shu <jim.shu@sifive.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Tested-by: Mark Burton <mburton@qti.qualcomm.com> Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org> Message-ID: <20260128152348.2095427-3-jim.shu@sifive.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>