RISC-V: Page-table walk implicit accesses bypass PMA permission checks
## Host environment

- QEMU flavor: `qemu-system-riscv64`
- QEMU version: `v10.2.2`
- QEMU command line:

```
qemu-system-riscv64 -d in_asm,int,mmu,unimp,cpu,fpu,vpu,exec,nochain -D sv39_implicit_pma_perm.elf.trace.log -nographic -semihosting -icount shift=1 -machine virt -cpu max,pmu-mask=0xfffffff8 -bios sv39_implicit_pma_perm.elf
```

## Description of problem

The attached ELF performs a store through a virtual address. `satp.MODE` is Sv39 and the PTEs are set up so that the level-2 PTE is a valid non-leaf PTE pointing to physical address 0x100 instead of the next (level-1) page table. During translation, this implicit access to a region (0x100) without PMA permissions must raise an access fault. However, QEMU raises a page fault.

```
RVCP: Test Info: "Mismatch in scause value! Trap was being handled in S-Mode."
RVCP: Instruction: 0x00050413
RVCP: Approximate address (failure may be slightly after this): 0x0000000080001304
RVCP: Register: x8
RVCP: Bad Value: 0x000000000000000f
RVCP: Expected Value: 0x0000000000000007
```

It seems that QEMU does not check PMA permissions on the implicit read of 0x100: it allows the read and then raises a page fault because `PTE.V=0`. Section 12.3.2 of the Privileged ISA Spec states:

> Let pte be the value of the PTE at address a+va.vpn[i]×PTESIZE. (For Sv32, PTESIZE=4.) If accessing pte violates a PMA or PMP check, raise an access-fault exception corresponding to the original access type.

## Attachments

- [sv39_implicit_pma_perm.elf](/uploads/f1c1445114c7d543f509aa38a4b03dcf/sv39_implicit_pma_perm.elf)
- [sv39_implicit_pma_perm.elf.trace.log](/uploads/9c6f6c44028ef8b768fbbef336f69b8b/sv39_implicit_pma_perm.elf.trace.log)
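To make the spec's ordering concrete, here is an added C model of the Sv39 walk for a store (example code, not QEMU's implementation): the PMA check on the implicit PTE read comes before the `PTE.V` test, so the layout from the report yields scause 7 (store/AMO access fault) rather than 15 (store/AMO page fault). The PMA map, the table contents and the `va`/`ppn` values used to place the level-1 PTE at 0x100 are constructed for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#define CAUSE_STORE_ACCESS_FAULT 7   /* scause the report's test expects */
#define CAUSE_STORE_PAGE_FAULT   15  /* scause QEMU produced */
enum { PTE_V = 0x1, PTE_R = 0x2, PTE_W = 0x4, PTE_X = 0x8 };
/* Constructed PMA map: one readable RAM window; anything outside it
 * (such as 0x100) has no PMA permission for the implicit PTE read. */
#define RAM_BASE 0x80000000ULL
#define RAM_SIZE 0x2000ULL
static uint64_t ram[RAM_SIZE / 8];   /* model of physical RAM at RAM_BASE */
static bool pma_readable(uint64_t pa) {
    return pa >= RAM_BASE && pa + 8 <= RAM_BASE + RAM_SIZE;
}
/* Sv39 walk for a store: returns 0 and sets *pa on success, else the scause. */
int sv39_walk_store(uint64_t satp_ppn, uint64_t va, uint64_t *pa) {
    uint64_t a = satp_ppn << 12;
    for (int i = 2; i >= 0; i--) {
        uint64_t pte_addr = a + ((va >> (12 + 9 * i)) & 0x1ff) * 8;
        /* The implicit PTE read is itself PMA/PMP checked, and a violation
         * is an access fault of the ORIGINAL access type (here: a store). */
        if (!pma_readable(pte_addr))
            return CAUSE_STORE_ACCESS_FAULT;
        uint64_t pte = ram[(pte_addr - RAM_BASE) / 8];
        if (!(pte & PTE_V))
            return CAUSE_STORE_PAGE_FAULT;       /* only now is V examined */
        if (pte & (PTE_R | PTE_W | PTE_X)) {     /* leaf PTE */
            if (!(pte & PTE_W)) return CAUSE_STORE_PAGE_FAULT;
            uint64_t mask = (1ULL << (12 + 9 * i)) - 1;   /* superpage offset */
            *pa = (((pte >> 10) << 12) & ~mask) | (va & mask);
            return 0;
        }
        a = (pte >> 10) << 12;                   /* non-leaf: next table base */
    }
    return CAUSE_STORE_PAGE_FAULT;
}

/* Report's layout (constructed): root table at RAM_BASE; level-2 PTE valid,
 * non-leaf, ppn=0; vpn[1]=0x20 so the level-1 PTE address is 0x0 + 0x20*8 = 0x100. */
int report_scenario(void) {
    uint64_t pa, va = (1ULL << 30) | (0x20ULL << 21);
    ram[1] = PTE_V;
    return sv39_walk_store(RAM_BASE >> 12, va, &pa);   /* 7, not 15 */
}

/* Control case: a writable 1 GiB leaf at vpn[2]=2 translates normally. */
uint64_t leaf_scenario(void) {
    uint64_t pa, va = (2ULL << 30) | 0x123;
    ram[2] = ((RAM_BASE >> 12) << 10) | PTE_V | PTE_R | PTE_W;
    return sv39_walk_store(RAM_BASE >> 12, va, &pa) == 0 ? pa : 0;
}
```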