From: Richard Henderson Date: Fri, 23 Jul 2021 20:33:42 +0000 (-1000) Subject: target/arm: Correctly bound length in sve_zcr_get_valid_len X-Git-Tag: v6.1.0-rc1~1^2~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=dc0bc8e7855643c4c2aaff74409bada9761b390e;p=thirdparty%2Fqemu.git target/arm: Correctly bound length in sve_zcr_get_valid_len Currently, our only caller is sve_zcr_len_for_el, which has already masked the length extracted from ZCR_ELx, so the masking done here is a nop. But we will shortly have uses from other locations, where the length will be unmasked. Saturate the length to ARM_MAX_VQ instead of truncating to the low 4 bits. Signed-off-by: Richard Henderson Reviewed-by: Peter Maydell Message-id: 20210723203344.968563-2-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- diff --git a/target/arm/helper.c b/target/arm/helper.c index 0c07ca98376..8c1d8dbce36 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -6461,7 +6461,9 @@ static uint32_t sve_zcr_get_valid_len(ARMCPU *cpu, uint32_t start_len) { uint32_t end_len; - end_len = start_len &= 0xf; + start_len = MIN(start_len, ARM_MAX_VQ - 1); + end_len = start_len; + if (!test_bit(start_len, cpu->sve_vq_map)) { end_len = find_last_bit(cpu->sve_vq_map, start_len); assert(end_len < start_len);
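Review bot: The new bound in sve_zcr_get_valid_len, `start_len = MIN(start_len, ARM_MAX_VQ - 1);`, is not explained in the code, and the commit message describes it as saturating "to ARM_MAX_VQ", so the off-by-one between the two is easy to misread. Since start_len is passed straight to `test_bit(start_len, cpu->sve_vq_map)` as a bit index, a short comment stating that it is a zero-based index and that ARM_MAX_VQ - 1 is the highest index the function will test would document why the clamp is there. That matters once callers pass an unmasked length, as the commit message anticipates. It would also help to note in that comment that the old `&= 0xf` would have wrapped an out-of-range value to a smaller length instead of saturating, so the mask is not reintroduced later as a simplification. The retained `assert(end_len < start_len);` remains the only check on the fallback path; if the new callers can reach this with no bit set below start_len, that case should be handled explicitly and not left to the assert.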