git.ipfire.org Git - thirdparty/qemu.git/commitdiff
target/riscv: Remove unconditional MENVCFG_CDE from mask
author Zishun Yi <vulab@iscas.ac.cn>
Mon, 11 May 2026 04:05:34 +0000 (12:05 +0800)
committer Alistair Francis <alistair.francis@wdc.com>
Thu, 21 May 2026 23:45:46 +0000 (09:45 +1000)
Currently, the MENVCFG_CDE (Counter Delegation Enable) bit is
unconditionally included in the base write mask for CSR_MENVCFG.
This makes the subsequent conditional check
`(cfg->ext_smcdeleg ? MENVCFG_CDE : 0)` completely ineffective,
as a bitwise OR cannot clear a bit that is already set.

Fix this by removing MENVCFG_CDE from the initial base mask. The bit
will now only be writable when explicitly granted by the `ext_smcdeleg`
configuration.

This issue was discovered and reported by SpecHunter, an AI-driven
architecture specification analysis tool.

Link: https://github.com/yizishun/rv-isa-sec/blob/master/output/riscv-isa-manual/pr-2601/qemu.txt
Signed-off-by: Zishun Yi <vulab@iscas.ac.cn>
Reviewed-by: Daniel Henrique Barboza <daniel.barboza@oss.qualcomm.com>
Message-ID: <20260511040534.2862443-1-vulab@iscas.ac.cn>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
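The masking defect described in the commit message, as an added stand-alone C model that is not QEMU's code: the bit positions below are constructed for the example (they are not the values QEMU defines), the `cpu_cfg` struct and the `menvcfg_write_before`/`menvcfg_write_after` functions are hypothetical stand-ins for `write_menvcfg`, and the CSR write rule "bits outside the mask keep their old value" is the assumption the model runs on. It shows that, before the fix, a write of all ones lands the CDE bit even with `ext_smcdeleg` disabled, and that after the fix the bit only takes effect when the extension is configured.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed bit positions for this example only; they are not the
 * values QEMU defines in target/riscv/cpu_bits.h. */
#define MENVCFG_FIOM  (1ULL << 0)
#define MENVCFG_CBIE  (3ULL << 4)
#define MENVCFG_CBCFE (1ULL << 6)
#define MENVCFG_CBZE  (1ULL << 7)
#define MENVCFG_CDE   (1ULL << 60)

/* Hypothetical stand-in for RISCVCPUConfig: only the field used here. */
struct cpu_cfg {
    bool ext_smcdeleg;
};

/* Assumed CSR write semantics: bits outside the write mask keep their
 * previous value, bits inside the mask take the written value. */
static uint64_t apply_write_mask(uint64_t old, uint64_t val, uint64_t mask)
{
    return (old & ~mask) | (val & mask);
}

/* Before the patch: CDE already sits in the base mask, so the conditional
 * OR can only ever add it and can never withhold it. */
uint64_t menvcfg_write_before(const struct cpu_cfg *cfg, uint64_t old,
                              uint64_t val)
{
    uint64_t mask = MENVCFG_FIOM | MENVCFG_CBIE | MENVCFG_CBCFE |
                    MENVCFG_CBZE | MENVCFG_CDE;
    mask |= (cfg->ext_smcdeleg ? MENVCFG_CDE : 0);
    return apply_write_mask(old, val, mask);
}

/* After the patch: CDE enters the mask only when Smcdeleg is configured. */
uint64_t menvcfg_write_after(const struct cpu_cfg *cfg, uint64_t old,
                             uint64_t val)
{
    uint64_t mask = MENVCFG_FIOM | MENVCFG_CBIE | MENVCFG_CBCFE |
                    MENVCFG_CBZE;
    mask |= (cfg->ext_smcdeleg ? MENVCFG_CDE : 0);
    return apply_write_mask(old, val, mask);
}

typedef uint64_t (*menvcfg_writer)(const struct cpu_cfg *, uint64_t, uint64_t);

/* Write all ones into a zeroed menvcfg and report whether CDE stuck. */
bool cde_sticks(menvcfg_writer writer, bool smcdeleg)
{
    struct cpu_cfg cfg = { .ext_smcdeleg = smcdeleg };
    uint64_t after = writer(&cfg, 0, ~0ULL);
    return (after & MENVCFG_CDE) != 0;
}

/* Bits that were in both masks must still be writable after the fix. */
bool base_bits_still_writable(void)
{
    struct cpu_cfg cfg = { .ext_smcdeleg = false };
    uint64_t base = MENVCFG_FIOM | MENVCFG_CBIE | MENVCFG_CBCFE | MENVCFG_CBZE;
    return (menvcfg_write_after(&cfg, 0, ~0ULL) & base) == base;
}

int main(void)
{
    printf("before patch, Smcdeleg off: CDE %s\n",
           cde_sticks(menvcfg_write_before, false) ? "set" : "clear");
    printf("after patch,  Smcdeleg off: CDE %s\n",
           cde_sticks(menvcfg_write_after, false) ? "set" : "clear");
    printf("after patch,  Smcdeleg on:  CDE %s\n",
           cde_sticks(menvcfg_write_after, true) ? "set" : "clear");
    return 0;
}
```

The first two lines of output differ only in the mask initialization, which is the whole content of the patch: the conditional OR is identical in both versions and is what the unconditional base bit was silently overriding.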
target/riscv/csr.c

index 60ac3070126910327fe5833ca3144cc1201fdc20..e041f5c16e028123e28582fee4b28d9a51057c2b 100644
@@ -3177,7 +3177,7 @@ static RISCVException write_menvcfg(CPURISCVState *env, int csrno,
 {
     const RISCVCPUConfig *cfg = riscv_cpu_cfg(env);
     uint64_t mask = MENVCFG_FIOM | MENVCFG_CBIE | MENVCFG_CBCFE |
-                    MENVCFG_CBZE | MENVCFG_CDE;
+                    MENVCFG_CBZE;
     bool stce_changed = false;
 
     if (riscv_cpu_mxl(env) == MXL_RV64) {
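Review bot: the conditional `(cfg->ext_smcdeleg ? MENVCFG_CDE : 0)` that the commit message relies on is not within the context lines shown, so from the hunk alone a reader cannot confirm that CDE is still granted when Smcdeleg is configured or whether that OR sits inside the `riscv_cpu_mxl(env) == MXL_RV64` branch that follows; widening the context (or naming the line in the commit message) would make the fix verifiable from the diff. Also consider a note on the observable effect, that before this change a CDE write was accepted on CPUs without `ext_smcdeleg`, so that anyone bisecting a behaviour change in guests that probe menvcfg can map it to this commit.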