On 8/29/23 07:35, Peter Maydell wrote:
+ /* See arch/arm64/mm/fault.c, set_thread_esr. */ + if (sig == TARGET_SIGSEGV || sig == TARGET_SIGBUS) { + return true; + }It's possible to get here without env->exception.syndrome being set correctly, I think, if we take a host SIGSEGV or SIGBUS and host_signal_handler() calls either cpu_loop_exit_sigsegv() or cpu_loop_exit_sigbus(). Can also happen for other places that call one of those two functions, like allocation_tag_mem(). At least, I can't see where we would be setting syndrome in that code path.
cpu_loop_exit_sig* go through arm_cpu_record_sigsegv and arm_cpu_record_sigbus, which use the normal fault processing paths to populate FAR_EL1 and ESR_EL1.
Maybe we should do the "sanitize ESR for fault addresses in the upper half of guest address space" logic that the kernel set_thread_esr() does?
I guess we could, though I'm not sure how such an address could occur. r~
