Commit 32ebd6c09c for qemu.org
commit 32ebd6c09c18f860671030060cfedabd94c846fb
Author: Jose Martins <josemartins90@gmail.com>
Date: Tue Mar 24 14:02:29 2026 +0000
target/arm: fix s2prot not set for two-stage PMSA translations
Commit a811c5dafb7 ("target/arm: Implement get_S2prot_indirect")
changed get_phys_addr_twostage() to combine stage 1 and stage 2
permissions using the new s2prot field:
result->f.prot = s1_prot & result->s2prot;
The LPAE stage 2 path sets result->s2prot explicitly, but the PMSA
stage 2 path (get_phys_addr_pmsav8) only sets result->f.prot, leaving
s2prot at zero. This causes the combined permission to be zero,
resulting in addr_read being set to -1 in the TLB entry and triggering
an assertion in atomic_mmu_lookup() when the guest executes an atomic
instruction on a two-stage PMSA platform (e.g. Cortex-R52 with EL2).
Set s2prot from f.prot after the PMSA stage 2 lookup, consistent with
what the LPAE path does.
Cc: qemu-stable@nongnu.org
Fixes: a811c5dafb7 ("target/arm: Implement get_S2prot_indirect")
Signed-off-by: Jose Martins <josemartins90@gmail.com>
[PMM: refer to the right commit in the commit message]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20260321231916.2852653-1-josemartins90@gmail.com
Reviewed-by: Gustavo Romero <gustavo.romero@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index 8b8dc09e72..e289f88124 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -3200,6 +3200,13 @@ static bool get_phys_addr_pmsav8(CPUARMState *env,
ret = pmsav8_mpu_lookup(env, address, access_type, ptw->in_prot_check,
mmu_idx, secure, result, fi, NULL);
+ /*
+ * For two-stage PMSA translations, s2prot holds the stage 2
+ * permissions to be combined with stage 1 in get_phys_addr_twostage().
+ */
+ if (regime_is_stage2(mmu_idx)) {
+ result->s2prot = result->f.prot;
+ }
if (sattrs.subpage) {
result->f.lg_page_size = 0;
}
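Review bot: the new `result->s2prot = result->f.prot;` assignment runs regardless of whether `pmsav8_mpu_lookup()` returned a fault (`ret` is not consulted), so on a stage 2 permission fault `s2prot` is set from whatever `f.prot` the lookup left behind; if callers only consume `s2prot` on the success path this is harmless, but guarding with `if (!ret && regime_is_stage2(mmu_idx))` or adding a sentence to the comment stating that `s2prot` is only meaningful when the lookup succeeds would make the intent explicit. It would also help a future reader if the comment named the other producer of `s2prot` (the LPAE stage 2 path mentioned in the commit message) so the two sites stay in sync if the combination rule in `get_phys_addr_twostage()` changes again.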