Armv8-R PMSA incorrect address check for semihosting parameter blocks
Host environment
- Operating system: macOS 15.7.3
- OS/kernel version: Darwin Kernel Version 24.6.0: Wed Nov 5 21:30:44 PST 2025; root:xnu-11417.140.69.705.2~1/RELEASE_ARM64_T6041 arm64 arm Darwin
- Architecture: aarch64
- QEMU flavor: qemu-system-arm
- QEMU version: 10.2.0, but also reproduces on master 28a6ca268c2cd3718b
- QEMU command line:
qemu-system-arm -machine mps3-an536 \
    -semihosting-config userspace=on \
    -nographic -kernel bug.elf
Emulated/Virtualized environment
- Operating system: none
- OS/kernel version: n/a
- Architecture: Armv8-R
Description of problem
When making a SYS_EXIT_EXTENDED semihosting call with a parameter block that is accessible in the active MPU configuration, the call will fail if the parameter block's address masked to a 1024-byte alignment is not accessible in the active MPU configuration. However, Armv8-R MPU regions are only required to be 64-byte aligned, so this check is incorrect. Checks of normal guest accesses appear to be unaffected; only accesses to semihosting parameter blocks have this 1024-byte alignment occurring.
Steps to reproduce
- Run test.bash (it builds a minimal example and runs it with some tracing options).
Additional information
See attached files for a minimal reproducing case. I used arm-none-eabi-gcc version 15.2.Rel1, but the reproducer is in assembly, so the toolchain version should not play much of a role. I've also attached the .elf for convenience.
If you remove the switch to user mode, the example succeeds (because the background region is enabled and the access check passes). If you change the memory region lower bound to be 0x2c00 (1kB aligned), the example also succeeds.
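The mismatch described in this report can be modelled in a few lines of C. This is an added example, not QEMU's code and not part of the attached reproducer: the region struct, the function names, the 0x2c40 lower bound and the 0x2fff limit are all constructed for illustration, and the parameter block is assumed to be two 32-bit words.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MPU_GRANULE 64u    /* Armv8-R MPU region alignment, per the report */
#define MASK_ALIGN  1024u  /* alignment the report sees applied to the block address */
#define BLOCK_LEN   8u     /* assumed: parameter block of two 32-bit words */

/* Hypothetical model of one MPU region with inclusive bounds. */
struct mpu_region {
    uint32_t base;   /* first accessible byte, multiple of MPU_GRANULE */
    uint32_t limit;  /* last accessible byte */
};

/* A region is well formed if both ends sit on the 64-byte granule. */
static bool region_valid(const struct mpu_region *r)
{
    return r->base % MPU_GRANULE == 0 &&
           (r->limit + 1u) % MPU_GRANULE == 0 && r->base <= r->limit;
}

/* Check the bytes actually accessed: [addr, addr + len). */
static bool check_exact(const struct mpu_region *r, uint32_t addr, uint32_t len)
{
    return len != 0 && addr >= r->base && addr <= r->limit &&
           len - 1u <= r->limit - addr;
}

/* Check only the address rounded down to 1 KiB, as in the reported behaviour. */
static bool check_page_masked(const struct mpu_region *r, uint32_t addr)
{
    uint32_t masked = addr & ~(MASK_ALIGN - 1u);
    return masked >= r->base && masked <= r->limit;
}

int main(void)
{
    /* Constructed values: a 64-byte-aligned region and the 1 KiB-aligned variant. */
    struct mpu_region fine = { 0x2c40u, 0x2fffu };
    struct mpu_region kib  = { 0x2c00u, 0x2fffu };
    uint32_t block = 0x2c40u;

    printf("base 0x2c40: valid=%d exact=%d masked=%d\n", region_valid(&fine),
           check_exact(&fine, block, BLOCK_LEN), check_page_masked(&fine, block));
    printf("base 0x2c00: valid=%d exact=%d masked=%d\n", region_valid(&kib),
           check_exact(&kib, block, BLOCK_LEN), check_page_masked(&kib, block));
    return 0;
}
```

With the constructed 0x2c40 lower bound the exact check passes and the masked check fails; with the 0x2c00 lower bound mentioned above both pass.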