On 10.03.2026 14:44, Song Gao wrote:
> From: rail5 <[email protected]>
>
> The LDPTE helper loads a page table entry (or huge page entry) from guest
> memory and currently applies the PALEN mask to the whole 64-bit value.
> That mask is intended to constrain the physical address bits, but masking
> the full entry also clears upper permission bits in the PTE, including NX
> (bit 62). As a result, LoongArch TCG can incorrectly allow instruction
> fetches from NX mappings when translation is driven through software
> page-walk.
>
> Fix this by masking only the PPN/address field with PALEN while preserving
> permission bits, and by clearing any non-architectural (software) bits
> using a hardware PTE mask. LDDIR is unchanged since it returns the base
> address of the next page table level.
>
> Reported at: https://gitlab.com/qemu-project/qemu/-/issues/3319
> Fixes: 56599a705f2 ("target/loongarch: Introduce loongarch_palen_mask()")
> Cc: [email protected]
As far as I can see, 56599a705f2 is past the 10.2.0 release, so it is not
present in any released version of qemu. This commit also hasn't
been back-ported to any stable series.
So I'm not picking up this one, despite it being marked for qemu-stable.
Please let me know if I should pick it up regardless.
Thanks,
/mjt
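To make the mechanism described in the quoted commit message concrete, the following C sketch is an added illustration; it is not QEMU code and not code from the patch under discussion. The only detail taken from the message is that NX lives at bit 62. Everything else (PALEN = 48, a PPN field spanning bits 12..59, a hypothetical software-only bit 9, the constructed sample entry and the helper names ldpte_buggy/ldpte_fixed) is an assumption chosen to show why masking the whole entry with an address-width mask drops the execute-permission bit, and how constraining only the PPN field while applying a separate hardware-bits mask avoids that.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Illustrative PTE layout. Only "NX is bit 62" comes from the commit message;
 * the rest is an assumption made for this demonstration and is NOT the real
 * LoongArch encoding or QEMU's helper code:
 *   bits  0..11  low attribute bits (V at bit 0; bit 9 is a hypothetical
 *                software-only bit that the hardware ignores)
 *   bits 12..59  physical page number field, to be constrained by PALEN
 *   bits 60..63  upper permission bits, NX at bit 62
 */
#define PAGE_SHIFT   12
#define PALEN        48

#define PTE_V        (1ULL << 0)
#define PTE_SW       (1ULL << 9)    /* hypothetical software-use bit */
#define PTE_NX       (1ULL << 62)   /* no-execute, per the commit message */

#define PPN_FIELD    (((1ULL << 60) - 1) & ~((1ULL << PAGE_SHIFT) - 1))
#define HW_PTE_MASK  (~PTE_SW)      /* every architecturally defined bit */

/* Mask selecting the low 'palen' bits of a physical address. */
static uint64_t palen_mask(unsigned palen)
{
    return palen >= 64 ? ~0ULL : (1ULL << palen) - 1;
}

/* Pre-fix behaviour as the commit message describes it: the PALEN mask is
 * applied to the whole entry, so every bit at or above PALEN is lost,
 * the upper permission bits included. */
uint64_t ldpte_buggy(uint64_t pte)
{
    return pte & palen_mask(PALEN);
}

/* Post-fix behaviour as described: only the PPN field is constrained by
 * PALEN, all other bits survive, then software-only bits are dropped. */
uint64_t ldpte_fixed(uint64_t pte)
{
    uint64_t ppn  = pte & PPN_FIELD & palen_mask(PALEN);
    uint64_t rest = pte & ~PPN_FIELD;
    return (ppn | rest) & HW_PTE_MASK;
}

/* Instruction fetch is permitted unless NX is set in the loaded entry. */
bool exec_allowed(uint64_t pte)
{
    return !(pte & PTE_NX);
}

/* Constructed sample entry: valid, non-executable page at PPN 0x12345, with
 * the software bit set and one stray address bit (55) above PALEN. */
uint64_t sample_pte(void)
{
    return PTE_NX | PTE_V | PTE_SW | (0x12345ULL << PAGE_SHIFT) | (1ULL << 55);
}

int main(void)
{
    uint64_t pte = sample_pte();
    uint64_t b = ldpte_buggy(pte);
    uint64_t f = ldpte_fixed(pte);

    printf("raw   : 0x%016llx exec=%d\n", (unsigned long long)pte, exec_allowed(pte));
    printf("buggy : 0x%016llx exec=%d  <- NX dropped, fetch wrongly allowed\n",
           (unsigned long long)b, exec_allowed(b));
    printf("fixed : 0x%016llx exec=%d  <- NX kept, stray/software bits cleared\n",
           (unsigned long long)f, exec_allowed(f));
    return 0;
}
```

The check a reviewer would want is the one in the middle: after the buggy helper, exec_allowed() returns true for an entry that had NX set, while the fixed helper keeps NX, still clears the out-of-range address bit 55, and strips the software-only bit through the separate hardware mask rather than through the address-width mask.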