Merge tag 'pull-target-arm-20241119' of https://git.linaro.org/people/pmaydell/qemu-arm into staging

target-arm queue:
* hw/timer/exynos4210_mct: fix possible int overflow
* hw/net/rocker/rocker_o

Merge tag 'pull-target-arm-20241119' of https://git.linaro.org/people/pmaydell/qemu-arm into staging

target-arm queue:
* hw/timer/exynos4210_mct: fix possible int overflow
* hw/net/rocker/rocker_of_dpa.c: Remove superfluous error check
* hw/intc/openpic: Avoid taking address of out-of-bounds array index
* hw/watchdog/cmsdk_apb_watchdog: Fix INTEN issues
* arm/ptw: Honour WXN/UWXN and SIF in short-format descriptors
* hw/intc/loongarch_extioi: Use set_bit32() and clear_bit32() to avoid UB
* system/dma-helpers.c: Move trace events to system/trace-events
* target/arm/hvf: Add trace.h header
* trace: Don't include trace-root.h in control.c or control-target.c

# -----BEGIN PGP SIGNATURE-----
#
# iQJNBAABCAA3FiEE4aXFk81BneKOgxXPPCUl7RQ2DN4FAmc8nrwZHHBldGVyLm1h
# eWRlbGxAbGluYXJvLm9yZwAKCRA8JSXtFDYM3n2nEACc4N7TI2QFbuqa1k4G+C5y
# 1bpWVnkPjeqnTGUyYshtl/ByZi+IH4RDFqlCJxUYgfSvfD74+u78haXcx/ukZL/x
# zNbNu/hjP0v6nQF+upzRcQip5PIBjkbIUJSC3ga90HbsNWv8rvTjVSwQmstQ2b8J
# 9mCNA2ri+NVJ4+kBL5xRSzDqxdu/7sC/eooYfcETlVXcnvL/oMWoF//iThvkaBve
# LyySM+PS1Ni4oApx6LY9VpLzabtaCXh5R4yDMsFW0WucKZf58lm9Z1yU2wdPjuwj
# uauHBbQnJy03LazprIyVNXlaT7SI2Qr+7CV4lAco66DoBsaIP16+Kby1XILbY8qo
# JjJmuNQ8DA9c7F9bPqagZ0PLVRy9Wj0UiXKuqaTHrnnKzbgBprPCApR8bj0XPISs
# xv6qsSrd4u9joSCkrD3XEC9ddzdWMi1xN1Hfw+lkuHOvnWKJJ7O3hortuupGhpeq
# h90VBQ8Gb9S15BlLPfSmSmiO+XjRWU53CcZasQew5bFBIMEha1sPnwz01/KrSZqG
# sN/nBBuVUhT6YjRY/7k7tqT1ATigXrEZPtRgCjap7W+zIILWaO9QUb2y2LlJfofp
# febu0L++xw1JvtHnNin1vImmM5rgCMLMLx3QQ5Kq9jc5ytKnZwzJarLV4LbqIpuv
# h1QzI2SJQXsL2zfBem/0yg==
# =lqA0
# -----END PGP SIGNATURE-----
# gpg: Signature made Tue 19 Nov 2024 14:20:44 GMT
# gpg: using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE
# gpg: issuer "peter.maydell@linaro.org"
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" [ultimate]
# gpg: aka "Peter Maydell <pmaydell@gmail.com>" [ultimate]
# gpg: aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" [ultimate]
# gpg: aka "Peter Maydell <peter@archaic.org.uk>" [ultimate]
# Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83 15CF 3C25 25ED 1436 0CDE

* tag 'pull-target-arm-20241119' of https://git.linaro.org/people/pmaydell/qemu-arm:
trace: Don't include trace-root.h in control.c or control-target.c
target/arm/hvf: Add trace.h header
system/dma-helpers.c: Move trace events to system/trace-events
hw/intc/loongarch_extioi: Use set_bit32() and clear_bit32() for s->isr
hw/intc/arm_gicv3: Use bitops.h uint32_t bit array functions
bitops.h: Define bit operations on 'uint32_t' arrays
arm/ptw: Honour WXN/UWXN and SIF in short-format descriptors
arm/ptw: Make get_S1prot accept decoded AP
tests/qtest/cmsdk-apb-watchdog-test: Test INTEN as counter enable
tests/qtest/cmsdk-apb-watchdog-test: Don't abort on assertion failure
tests/qtest/cmsdk-apb-watchdog-test: Parameterize tests
hw/watchdog/cmsdk_apb_watchdog: Fix INTEN issues
hw/intc/openpic: Avoid taking address of out-of-bounds array index
hw/net/rocker/rocker_of_dpa.c: Remove superfluous error check
hw/timer/exynos4210_mct: fix possible int overflow

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

arm/ptw: Honour WXN/UWXN and SIF in short-format descriptors

Currently the handling of page protection in the short-format
descriptor is open-coded. This means that we forgot to update
it to handle

arm/ptw: Honour WXN/UWXN and SIF in short-format descriptors

Currently the handling of page protection in the short-format
descriptor is open-coded. This means that we forgot to update
it to handle some newer architectural features, including:
* handling of SCTLR.{UWXN,WXN}
* handling of SCR.SIF

Make the short-format descriptor code call the same get_S1prot()
that we already use for the LPAE descriptor format. This makes
the code simpler and means it now correctly honours the WXN/UWXN
and SIF bits.

Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Message-id: 20241118152537.45277-1-paskripkin@gmail.com
[PMM: fixed a couple of checkpatch nits, tweaked commit message]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

arm/ptw: Make get_S1prot accept decoded AP

AP in armv7 short descriptor mode has 3 bits and also domain, which
makes it incompatible with other arm schemas.

To make it possible to share get_S1prot

arm/ptw: Make get_S1prot accept decoded AP

AP in armv7 short descriptor mode has 3 bits and also domain, which
makes it incompatible with other arm schemas.

To make it possible to share get_S1prot between armv8, armv7 long
format, armv7 short format and armv6 it's easier to make caller
decode AP.

Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Message-id: 20241118152526.45185-1-paskripkin@gmail.com
[PMM: fixed checkpatch nit]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

target/arm: Add new MMU indexes for AArch32 Secure PL1&0

Our current usage of MMU indexes when EL3 is AArch32 is confused.
Architecturally, when EL3 is AArch32, all Secure code runs under the
Secure

target/arm: Add new MMU indexes for AArch32 Secure PL1&0

Our current usage of MMU indexes when EL3 is AArch32 is confused.
Architecturally, when EL3 is AArch32, all Secure code runs under the
Secure PL1&0 translation regime:
* code at EL3, which might be Mon, or SVC, or any of the
other privileged modes (PL1)
* code at EL0 (Secure PL0)

This is different from when EL3 is AArch64, in which case EL3 is its
own translation regime, and EL1 and EL0 (whether AArch32 or AArch64)
have their own regime.

We claimed to be mapping Secure PL1 to our ARMMMUIdx_EL3, but didn't
do anything special about Secure PL0, which meant it used the same
ARMMMUIdx_EL10_0 that NonSecure PL0 does. This resulted in a bug
where arm_sctlr() incorrectly picked the NonSecure SCTLR as the
controlling register when in Secure PL0, which meant we were
spuriously generating alignment faults because we were looking at the
wrong SCTLR control bits.

The use of ARMMMUIdx_EL3 for Secure PL1 also resulted in the bug that
we wouldn't honour the PAN bit for Secure PL1, because there's no
equivalent _PAN mmu index for it.

Fix this by adding two new MMU indexes:
* ARMMMUIdx_E30_0 is for Secure PL0
* ARMMMUIdx_E30_3_PAN is for Secure PL1 when PAN is enabled
The existing ARMMMUIdx_E3 is used to mean "Secure PL1 without PAN"
(and would be named ARMMMUIdx_E30_3 in an AArch32-centric scheme).

These extra two indexes bring us up to the maximum of 16 that the
core code can currently support.

This commit:
* adds the new MMU index handling to the various places
where we deal in MMU index values
* adds assertions that we aren't AArch32 EL3 in a couple of
places that currently use the E10 indexes, to document why
they don't also need to handle the E30 indexes
* documents in a comment why regime_has_2_ranges() doesn't need
updating

Notes for backporting: this commit depends on the preceding revert of
4c2c04746932; that revert and this commit should probably be
backported to everywhere that we originally backported 4c2c04746932.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2326
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2588
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20241101142845.1712482-3-peter.maydell@linaro.org
(cherry picked from commit efbe180ad2ed75d4cc64dfc6fb46a015eef713d1)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

show more ...

Revert "target/arm: Fix usage of MMU indexes when EL3 is AArch32"

This reverts commit 4c2c0474693229c1f533239bb983495c5427784d.

This commit tried to fix a problem with our usage of MMU indexes when

Revert "target/arm: Fix usage of MMU indexes when EL3 is AArch32"

This reverts commit 4c2c0474693229c1f533239bb983495c5427784d.

This commit tried to fix a problem with our usage of MMU indexes when
EL3 is AArch32, using what it described as a "more complicated
approach" where we share the same MMU index values for Secure PL1&0
and NonSecure PL1&0. In theory this should work, but the change
didn't account for (at least) two things:

(1) The design change means we need to flush the TLBs at any point
where the CPU state flips from one to the other. We already flush
the TLB when SCR.NS is changed, but we don't flush the TLB when we
take an exception from NS PL1&0 into Mon or when we return from Mon
to NS PL1&0, and the commit didn't add any code to do that.

(2) The ATS12NS* address translate instructions allow Mon code (which
is Secure) to do a stage 1+2 page table walk for NS. I thought this
was OK because do_ats_write() does a page table walk which doesn't
use the TLBs, so because it can pass both the MMU index and also an
ARMSecuritySpace argument we can tell the table walk that we want NS
stage1+2, not S. But that means that all the code within the ptw
that needs to find e.g. the regime EL cannot do so only with an
mmu_idx -- all these functions like regime_sctlr(), regime_el(), etc
would need to pass both an mmu_idx and the security_space, so they
can tell whether this is a translation regime controlled by EL1 or
EL3 (and so whether to look at SCTLR.S or SCTLR.NS, etc).

In particular, because regime_el() wasn't updated to look at the
ARMSecuritySpace it would return 1 even when the CPU was in Monitor
mode (and the controlling EL is 3). This meant that page table walks
in Monitor mode would look at the wrong SCTLR, TCR, etc and would
generally fault when they should not.

Rather than trying to make the complicated changes needed to rescue
the design of 4c2c04746932, we revert it in order to instead take the
route that that commit describes as "the most straightforward" fix,
where we add new MMU indexes EL30_0, EL30_3, EL30_3_PAN to correspond
to "Secure PL1&0 at PL0", "Secure PL1&0 at PL1", and "Secure PL1&0 at
PL1 with PAN".

This revert will re-expose the "spurious alignment faults in
Secure PL0" issue #2326; we'll fix it again in the next commit.

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Thomas Huth <thuth@redhat.com>
Message-id: 20241101142845.1712482-2-peter.maydell@linaro.org
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
(cherry picked from commit 056c5c90c171c4895b407af0cf3d198e1d44b40f)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

show more ...

Merge tag 'pull-target-arm-20241105' of https://git.linaro.org/people/pmaydell/qemu-arm into staging

target-arm queue:
* Fix MMU indexes for AArch32 Secure PL1&0 in a less complex and buggy way
*

Merge tag 'pull-target-arm-20241105' of https://git.linaro.org/people/pmaydell/qemu-arm into staging

target-arm queue:
* Fix MMU indexes for AArch32 Secure PL1&0 in a less complex and buggy way
* Fix SVE SDOT/UDOT/USDOT (4-way, indexed)
* softfloat: set 2-operand NaN propagation rule at runtime
* disas: Fix build against Capstone v6 (again)
* hw/rtc/ds1338: Trace send and receive operations
* hw/timer/imx_gpt: Convert DPRINTF to trace events
* hw/watchdog/wdt_imx2: Remove redundant assignment
* hw/sensor/tmp105: Convert printf() to trace event, add tracing for read/write access
* hw/net/npcm_gmac: Change error log to trace event
* target/arm: Enable FEAT_CMOW for -cpu max

# -----BEGIN PGP SIGNATURE-----
#
# iQJNBAABCAA3FiEE4aXFk81BneKOgxXPPCUl7RQ2DN4FAmcp/yoZHHBldGVyLm1h
# eWRlbGxAbGluYXJvLm9yZwAKCRA8JSXtFDYM3ucMD/9pWk2ETLjdviPxlacs5IoM
# HvGn8Ll2BSMbeb4YdJc7oZ4YJchGpgHhocEwZuaU9HheWjSg+ZEbyhZgN4DdkT8J
# pYr+Rl0MgDNN219kYnO/yqnqlgHbtUpE7y57Li3ApoGNbWAVxsH0xoT45Lpi7DOd
# uvJfIy/xdaT3zu/4uBjj7c2VrD8wntEayLM8hpqlgeQZKRG3Wtlk/xrQFKOHPDPO
# MDbsGoc2FyogRQoo6WH+J6gkkR9PhqXe6Hbf6WIr1/uffZUZU4M8leSw2DgxrYHo
# Zf36AzttwO4GHyML/5SR7uvzfXl7OkGyjedLGCUa7INc3br2+GvLMltdLGGPM9cc
# ckMHOWd9ZQuSxcpbtPkSYRG0McRE1GLT+KV3BNOLnN9AJl3qv5Qa55iPrtpB08vX
# 3jN6H964w99+NoSB2tTHszpep+M7SRuw5QLsuk3tC/qnBMpzKRwZjGVUegNUtfi/
# Lg5ExF8B62K+xb5j5FmODbbXZmb5AD0rV2MGRIVHjiHdnf7J2FmWUJCe2sYFRnRm
# nzszhdOKw4PBhC2fb6Vb/DwCqdQy9vcITWpWBtcjkV5mAPhcBo/VNKNeKoc/tPNS
# H8FIFIJbtv5aIixqtKcUBUmrBCYy4EoiRMLkqfC09VW60wtWswAP4KBQxi1ogehV
# jJw8AgSLCl2MsVmyzgleZQ==
# =Woag
# -----END PGP SIGNATURE-----
# gpg: Signature made Tue 05 Nov 2024 11:19:06 GMT
# gpg: using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE
# gpg: issuer "peter.maydell@linaro.org"
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" [ultimate]
# gpg: aka "Peter Maydell <pmaydell@gmail.com>" [ultimate]
# gpg: aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" [ultimate]
# gpg: aka "Peter Maydell <peter@archaic.org.uk>" [ultimate]
# Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83 15CF 3C25 25ED 1436 0CDE

* tag 'pull-target-arm-20241105' of https://git.linaro.org/people/pmaydell/qemu-arm: (31 commits)
target/arm: Enable FEAT_CMOW for -cpu max
hw/net/npcm_gmac: Change error log to trace event
hw/sensor/tmp105: Convert printf() to trace event, add tracing for read/write access
hw/watchdog/wdt_imx2: Remove redundant assignment
hw/timer/imx_gpt: Convert DPRINTF to trace events
hw/rtc/ds1338: Trace send and receive operations
disas: Fix build against Capstone v6 (again)
target/arm: Fix SVE SDOT/UDOT/USDOT (4-way, indexed)
target/arm: Add new MMU indexes for AArch32 Secure PL1&0
Revert "target/arm: Fix usage of MMU indexes when EL3 is AArch32"
softfloat: Remove fallback rule from pickNaN()
target/rx: Explicitly set 2-NaN propagation rule
target/openrisc: Explicitly set 2-NaN propagation rule
target/microblaze: Explicitly set 2-NaN propagation rule
target/microblaze: Move setting of float rounding mode to reset
target/alpha: Explicitly set 2-NaN propagation rule
target/i386: Set 2-NaN propagation rule explicitly
target/xtensa: Explicitly set 2-NaN propagation rule
target/xtensa: Factor out calls to set_use_first_nan()
target/sparc: Explicitly set 2-NaN propagation rule
...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

target/arm: Add new MMU indexes for AArch32 Secure PL1&0

Our current usage of MMU indexes when EL3 is AArch32 is confused.
Architecturally, when EL3 is AArch32, all Secure code runs under the
Secure

target/arm: Add new MMU indexes for AArch32 Secure PL1&0

Our current usage of MMU indexes when EL3 is AArch32 is confused.
Architecturally, when EL3 is AArch32, all Secure code runs under the
Secure PL1&0 translation regime:
* code at EL3, which might be Mon, or SVC, or any of the
other privileged modes (PL1)
* code at EL0 (Secure PL0)

This is different from when EL3 is AArch64, in which case EL3 is its
own translation regime, and EL1 and EL0 (whether AArch32 or AArch64)
have their own regime.

We claimed to be mapping Secure PL1 to our ARMMMUIdx_EL3, but didn't
do anything special about Secure PL0, which meant it used the same
ARMMMUIdx_EL10_0 that NonSecure PL0 does. This resulted in a bug
where arm_sctlr() incorrectly picked the NonSecure SCTLR as the
controlling register when in Secure PL0, which meant we were
spuriously generating alignment faults because we were looking at the
wrong SCTLR control bits.

The use of ARMMMUIdx_EL3 for Secure PL1 also resulted in the bug that
we wouldn't honour the PAN bit for Secure PL1, because there's no
equivalent _PAN mmu index for it.

Fix this by adding two new MMU indexes:
* ARMMMUIdx_E30_0 is for Secure PL0
* ARMMMUIdx_E30_3_PAN is for Secure PL1 when PAN is enabled
The existing ARMMMUIdx_E3 is used to mean "Secure PL1 without PAN"
(and would be named ARMMMUIdx_E30_3 in an AArch32-centric scheme).

These extra two indexes bring us up to the maximum of 16 that the
core code can currently support.

This commit:
* adds the new MMU index handling to the various places
where we deal in MMU index values
* adds assertions that we aren't AArch32 EL3 in a couple of
places that currently use the E10 indexes, to document why
they don't also need to handle the E30 indexes
* documents in a comment why regime_has_2_ranges() doesn't need
updating

Notes for backporting: this commit depends on the preceding revert of
4c2c04746932; that revert and this commit should probably be
backported to everywhere that we originally backported 4c2c04746932.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2326
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2588
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20241101142845.1712482-3-peter.maydell@linaro.org

show more ...

Revert "target/arm: Fix usage of MMU indexes when EL3 is AArch32"

This reverts commit 4c2c0474693229c1f533239bb983495c5427784d.

This commit tried to fix a problem with our usage of MMU indexes when

Revert "target/arm: Fix usage of MMU indexes when EL3 is AArch32"

This reverts commit 4c2c0474693229c1f533239bb983495c5427784d.

This commit tried to fix a problem with our usage of MMU indexes when
EL3 is AArch32, using what it described as a "more complicated
approach" where we share the same MMU index values for Secure PL1&0
and NonSecure PL1&0. In theory this should work, but the change
didn't account for (at least) two things:

(1) The design change means we need to flush the TLBs at any point
where the CPU state flips from one to the other. We already flush
the TLB when SCR.NS is changed, but we don't flush the TLB when we
take an exception from NS PL1&0 into Mon or when we return from Mon
to NS PL1&0, and the commit didn't add any code to do that.

(2) The ATS12NS* address translate instructions allow Mon code (which
is Secure) to do a stage 1+2 page table walk for NS. I thought this
was OK because do_ats_write() does a page table walk which doesn't
use the TLBs, so because it can pass both the MMU index and also an
ARMSecuritySpace argument we can tell the table walk that we want NS
stage1+2, not S. But that means that all the code within the ptw
that needs to find e.g. the regime EL cannot do so only with an
mmu_idx -- all these functions like regime_sctlr(), regime_el(), etc
would need to pass both an mmu_idx and the security_space, so they
can tell whether this is a translation regime controlled by EL1 or
EL3 (and so whether to look at SCTLR.S or SCTLR.NS, etc).

In particular, because regime_el() wasn't updated to look at the
ARMSecuritySpace it would return 1 even when the CPU was in Monitor
mode (and the controlling EL is 3). This meant that page table walks
in Monitor mode would look at the wrong SCTLR, TCR, etc and would
generally fault when they should not.

Rather than trying to make the complicated changes needed to rescue
the design of 4c2c04746932, we revert it in order to instead take the
route that that commit describes as "the most straightforward" fix,
where we add new MMU indexes EL30_0, EL30_3, EL30_3_PAN to correspond
to "Secure PL1&0 at PL0", "Secure PL1&0 at PL1", and "Secure PL1&0 at
PL1 with PAN".

This revert will re-expose the "spurious alignment faults in
Secure PL0" issue #2326; we'll fix it again in the next commit.

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Thomas Huth <thuth@redhat.com>
Message-id: 20241101142845.1712482-2-peter.maydell@linaro.org
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>

show more ...

Merge tag 'pull-tcg-20241013' of https://gitlab.com/rth7680/qemu into staging

linux-user/i386: Emulate orig_ax
linux-user/vm86: Fix compilation with Clang
tcg: remove singlestep_enabled from DisasCo

Merge tag 'pull-tcg-20241013' of https://gitlab.com/rth7680/qemu into staging

linux-user/i386: Emulate orig_ax
linux-user/vm86: Fix compilation with Clang
tcg: remove singlestep_enabled from DisasContextBase
accel/tcg: Add TCGCPUOps.tlb_fill_align
target/hppa: Handle alignment faults in hppa_get_physical_address
target/arm: Fix alignment fault priority in get_phys_addr_lpae

# -----BEGIN PGP SIGNATURE-----
#
# iQFRBAABCgA7FiEEekgeeIaLTbaoWgXAZN846K9+IV8FAmcMRU4dHHJpY2hhcmQu
# aGVuZGVyc29uQGxpbmFyby5vcmcACgkQZN846K9+IV9dSQf+MUJq//oig+bDeUlQ
# v3uBMFVi1DBYI1Y/xVODADpn8Ltv5s9v7N+/phi+St2W65OzGNYviHvq/abeyhdo
# M40LGtOvjO6Mns+Z9NKTobtT8n4ap4JJyoFjuXFTHkMMDiQ/v7FkEJJoS3W2bemi
# zmKYF/vWe3bwI+d3+dyaUjA92gSs+Hlj8uEVBlzn3ubA19ZdvtyfKURPQynrkwlo
# dFtAOFRFBU6vrlJSBElxUfYO4jC4Cng19EOrWvIsuKAkACuhiHgah10i3WKw8Asz
# 1iRUYXe0EOlX2RYNTD+Oj5j0cViRylirgPtIhEIPBuDP7m1Jy1JO4dVARUJBBU71
# Zd4Uuw==
# =EX+a
# -----END PGP SIGNATURE-----
# gpg: Signature made Sun 13 Oct 2024 23:10:22 BST
# gpg: using RSA key 7A481E78868B4DB6A85A05C064DF38E8AF7E215F
# gpg: issuer "richard.henderson@linaro.org"
# gpg: Good signature from "Richard Henderson <richard.henderson@linaro.org>" [full]
# Primary key fingerprint: 7A48 1E78 868B 4DB6 A85A 05C0 64DF 38E8 AF7E 215F

* tag 'pull-tcg-20241013' of https://gitlab.com/rth7680/qemu: (27 commits)
target/arm: Fix alignment fault priority in get_phys_addr_lpae
target/arm: Implement TCGCPUOps.tlb_fill_align
target/arm: Move device detection earlier in get_phys_addr_lpae
target/arm: Pass MemOp to get_phys_addr_lpae
target/arm: Pass MemOp through get_phys_addr_twostage
target/arm: Pass MemOp to get_phys_addr_nogpc
target/arm: Pass MemOp to get_phys_addr_gpc
target/arm: Pass MemOp to get_phys_addr_with_space_nogpc
target/arm: Pass MemOp to get_phys_addr
target/hppa: Implement TCGCPUOps.tlb_fill_align
target/hppa: Handle alignment faults in hppa_get_physical_address
target/hppa: Fix priority of T, D, and B page faults
target/hppa: Perform access rights before protection id check
target/hppa: Add MemOp argument to hppa_get_physical_address
accel/tcg: Use the alignment test in tlb_fill_align
accel/tcg: Add TCGCPUOps.tlb_fill_align
include/exec/memop: Introduce memop_atomicity_bits
include/exec/memop: Rename get_alignment_bits
include/exec/memop: Move get_alignment_bits from tcg.h
accel/tcg: Assert noreturn from write-only page for atomics
...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

target/arm: Fix alignment fault priority in get_phys_addr_lpae

Now that we have the MemOp for the access, we can order
the alignment fault caused by memory type before the
permission fault for the p

target/arm: Fix alignment fault priority in get_phys_addr_lpae

Now that we have the MemOp for the access, we can order
the alignment fault caused by memory type before the
permission fault for the page.

For subsequent page hits, permission and stage 2 checks
are known to pass, and so the TLB_CHECK_ALIGNED fault
raised in generic code is not mis-ordered.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

show more ...

target/arm: Move device detection earlier in get_phys_addr_lpae

Determine cache attributes, and thence Device vs Normal memory,
earlier in the function. We have an existing regime_is_stage2
if bloc

target/arm: Move device detection earlier in get_phys_addr_lpae

Determine cache attributes, and thence Device vs Normal memory,
earlier in the function. We have an existing regime_is_stage2
if block into which this can be slotted.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

show more ...

target/arm: Pass MemOp to get_phys_addr_lpae

Pass the value through from get_phys_addr_nogpc.

Reviewed-by: Helge Deller <deller@gmx.de>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Revie

target/arm: Pass MemOp to get_phys_addr_lpae

Pass the value through from get_phys_addr_nogpc.

Reviewed-by: Helge Deller <deller@gmx.de>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

show more ...

target/arm: Pass MemOp through get_phys_addr_twostage

Pass memop through get_phys_addr_twostage with its
recursion with get_phys_addr_nogpc.

Reviewed-by: Helge Deller <deller@gmx.de>
Reviewed-by: P

target/arm: Pass MemOp through get_phys_addr_twostage

Pass memop through get_phys_addr_twostage with its
recursion with get_phys_addr_nogpc.

Reviewed-by: Helge Deller <deller@gmx.de>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

show more ...

target/arm: Pass MemOp to get_phys_addr_nogpc

Zero is the safe do-nothing value for callers to use.
Pass the value through from get_phys_addr_gpc and
get_phys_addr_with_space_nogpc.

Reviewed-by: He

target/arm: Pass MemOp to get_phys_addr_nogpc

Zero is the safe do-nothing value for callers to use.
Pass the value through from get_phys_addr_gpc and
get_phys_addr_with_space_nogpc.

Reviewed-by: Helge Deller <deller@gmx.de>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

show more ...

target/arm: Pass MemOp to get_phys_addr_gpc

Zero is the safe do-nothing value for callers to use.
Pass the value through from get_phys_addr.

Reviewed-by: Helge Deller <deller@gmx.de>
Reviewed-by: P

target/arm: Pass MemOp to get_phys_addr_gpc

Zero is the safe do-nothing value for callers to use.
Pass the value through from get_phys_addr.

Reviewed-by: Helge Deller <deller@gmx.de>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

show more ...

target/arm: Pass MemOp to get_phys_addr_with_space_nogpc

Zero is the safe do-nothing value for callers to use.

Reviewed-by: Helge Deller <deller@gmx.de>
Reviewed-by: Philippe Mathieu-Daudé <philmd@

target/arm: Pass MemOp to get_phys_addr_with_space_nogpc

Zero is the safe do-nothing value for callers to use.

Reviewed-by: Helge Deller <deller@gmx.de>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

show more ...

target/arm: Pass MemOp to get_phys_addr

Zero is the safe do-nothing value for callers to use.

Reviewed-by: Helge Deller <deller@gmx.de>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signe

target/arm: Pass MemOp to get_phys_addr

Zero is the safe do-nothing value for callers to use.

Reviewed-by: Helge Deller <deller@gmx.de>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

show more ...

target/arm: Avoid target_ulong for physical address lookups

target_ulong is typedef'ed as a 32-bit integer when building the
qemu-system-arm target, and this is smaller than the size of an
intermedi

target/arm: Avoid target_ulong for physical address lookups

target_ulong is typedef'ed as a 32-bit integer when building the
qemu-system-arm target, and this is smaller than the size of an
intermediate physical address when LPAE is being used.

Given that Linux may place leaf level user page tables in high memory
when built for LPAE, the kernel will crash with an external abort as
soon as it enters user space when running with more than ~3 GiB of
system RAM.

So replace target_ulong with vaddr in places where it may carry an
address value that is not representable in 32 bits.

Fixes: f3639a64f602ea ("target/arm: Use softmmu tlbs for page table walking")
Cc: qemu-stable@nongnu.org
Reported-by: Arnd Bergmann <arnd@arndb.de>
Tested-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Message-id: 20240927071051.1444768-1-ardb+git@google.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 67d762e716a7127ecc114e9708254316dd521911)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

show more ...

Merge tag 'pull-target-arm-20241001' of https://git.linaro.org/people/pmaydell/qemu-arm into staging

target-arm queue:
* MAINTAINERS: Update STM32L4x5 and B-L475E-IOT01A maintainers
* hw/arm/xlnx:

Merge tag 'pull-target-arm-20241001' of https://git.linaro.org/people/pmaydell/qemu-arm into staging

target-arm queue:
* MAINTAINERS: Update STM32L4x5 and B-L475E-IOT01A maintainers
* hw/arm/xlnx: Connect secondary CGEM IRQs
* m25p80: Add SFDP table for mt35xu01g flash
* target/arm: Avoid target_ulong for physical address lookups
* hw/ssi/xilinx_spips: Fix flash erase assert in dual parallel configuration
* hw: fix memory leak in IRQState allocation
* hw/sd/sdcard: Fix handling of disabled boot partitions
* arm: Remove deprecated board models

# -----BEGIN PGP SIGNATURE-----
#
# iQJNBAABCAA3FiEE4aXFk81BneKOgxXPPCUl7RQ2DN4FAmb8JW8ZHHBldGVyLm1h
# eWRlbGxAbGluYXJvLm9yZwAKCRA8JSXtFDYM3m85D/9W5E4BQd4mG0JPT+OcCRP/
# MQGXsU6fOm3mtYfehXMwnJf2POOK0t/IC5W1mOGmIV6R4ABv2il3cXvQznCpcKY3
# eRmMLn4tfI2bn8zJmkIMY5am7j7G3RJzktz8iQ3bstNwD3pYU46tr36iup7vU71b
# Z5Q3+uauBoUo/9rw5jgjjoZ9Z3Ay2RECsZc/vD6NIN0kh2TYgdpitR47J8jhS3ZX
# +laqimnRl5wQpe0TIYzpdFr82CXfT62WfQ/+6D6xftbTrV1gfLWesc7hHsgw7Sem
# ST+nX+0Wr0UfBvsNN4ldi4jB4FfMeUCPX4wBbkKaYyD7bYFnoiz8RPYCxrHlKqeL
# 9P7+LuA+h+odIcsCza9zUSpQIu4gGIuovmnjz6rbD8m6poV0OmU/Ncj4JC9hGJNi
# Y1utyFELsvpdQhHP1M2K0qEgO3q/fJyzgA5LXkeXLVozjJM6DX7deVdXjwcBWqeI
# McJwe/C1TZ/WQlssrWmx6+naA8sygrsbo98a7X+DVsZ0ka6ofZSKkr7aHd3+dia+
# a4KbiMX6ChqZxPbIB+m4GnOkCDefu098rXlOu4gkMdzyQT/sm7wmVzQ3YsW3jVqx
# DNG6Mrg6OVvevXQysdLkJIemnM9YeLxf0lEJ/NpkyGQ7LlmdBws+p1ooCvuvg2Ua
# CRFY1tuUfWrshpziF1cT4A==
# =q4iF
# -----END PGP SIGNATURE-----
# gpg: Signature made Tue 01 Oct 2024 17:38:07 BST
# gpg: using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE
# gpg: issuer "peter.maydell@linaro.org"
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" [ultimate]
# gpg: aka "Peter Maydell <pmaydell@gmail.com>" [ultimate]
# gpg: aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" [ultimate]
# gpg: aka "Peter Maydell <peter@archaic.org.uk>" [ultimate]
# Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83 15CF 3C25 25ED 1436 0CDE

* tag 'pull-target-arm-20241001' of https://git.linaro.org/people/pmaydell/qemu-arm: (54 commits)
hw: Remove omap2 specific defines and enums
hw/dma: Remove omap_dma4 device
hw/misc/omap_clk: Remove OMAP2-specifics
hw/misc: Remove omap_l4 device
hw/display: Remove omap_dss
hw/misc: Remove omap_tap device
hw/ssi: Remove omap_mcspi
hw/timer: Remove omap_synctimer
hw/timer: Remove omap_gptimer
hw/misc: Remove omap_gpmc
hw/misc: Remove omap_sdrc device
hw/sd: Remove omap2_mmc device
hw/intc: Remove omap2-intc device
hw/char: Remove omap2_uart
hw/gpio: Remove TYPE_OMAP2_GPIO
hw/arm: Remove omap2.c
docs: Document removal of old Arm boards
hw/usb: Remove MUSB USB host controller
hw/usb: Remove tusb6010 USB controller
hw/block: Remove OneNAND device
...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

target/arm: Avoid target_ulong for physical address lookups

target_ulong is typedef'ed as a 32-bit integer when building the
qemu-system-arm target, and this is smaller than the size of an
intermedi

target/arm: Avoid target_ulong for physical address lookups

target_ulong is typedef'ed as a 32-bit integer when building the
qemu-system-arm target, and this is smaller than the size of an
intermediate physical address when LPAE is being used.

Given that Linux may place leaf level user page tables in high memory
when built for LPAE, the kernel will crash with an external abort as
soon as it enters user space when running with more than ~3 GiB of
system RAM.

So replace target_ulong with vaddr in places where it may carry an
address value that is not representable in 32 bits.

Fixes: f3639a64f602ea ("target/arm: Use softmmu tlbs for page table walking")
Cc: qemu-stable@nongnu.org
Reported-by: Arnd Bergmann <arnd@arndb.de>
Tested-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Message-id: 20240927071051.1444768-1-ardb+git@google.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

Merge tag 'pull-target-arm-20240913' of https://git.linaro.org/people/pmaydell/qemu-arm into staging

target-arm queue:
* s390: convert s390 virtio-ccw and CPU to three-phase reset
* reset: remove

Merge tag 'pull-target-arm-20240913' of https://git.linaro.org/people/pmaydell/qemu-arm into staging

target-arm queue:
* s390: convert s390 virtio-ccw and CPU to three-phase reset
* reset: remove now-unused device_class_set_parent_reset()
* reset: introduce device_class_set_legacy_reset()
* reset: remove unneeded transitional machinery
* kvm: Use 'unsigned long' for request argument in functions wrapping ioctl()
* hvf: arm: Implement and use hvf_get_physical_address_range
so VMs can have larger-than-36-bit IPA spaces when the host
supports this
* target/arm/tcg: refine cache descriptions with a wrapper
* hw/net/can/xlnx-versal-canfd: fix various bugs
* MAINTAINERS: update versal, CAN maintainer entries
* hw/intc/arm_gic: fix spurious level triggered interrupts

# -----BEGIN PGP SIGNATURE-----
#
# iQJNBAABCAA3FiEE4aXFk81BneKOgxXPPCUl7RQ2DN4FAmbkVokZHHBldGVyLm1h
# eWRlbGxAbGluYXJvLm9yZwAKCRA8JSXtFDYM3pR5D/0ZJzJi7C0HIa4KYuBkcpZQ
# M3iUa1uiZoCniXlWuKFt2rUBrmhbW30YHw5gQjnxoUO4VVqREkFi3e5nzUKRQmvP
# FRm8dnuC36qwQJFhm+rQqUb8/AyqrVFnIaHhn7dBKLwRFm9+kbZ0v9x1Eq1DZk3S
# mijBQRiOjrj+FRkmyNJLhylGpm+p9VRdnBjmUtN2Yw+2fPkHmUURRSUvhwCK4BB5
# AvKgMC0EIIsLJKLfrWzk/EsYC8ogrGitISzFt8iWLAqxuxtuhv1StstleD4mZMK8
# gH+ZH5tsls2IiTIKkHfcbUcA55efDrQHGDat7n1Q0EWqOjET0soES+GpS0Jj6IXK
# uOnsDZ7MLFU/SbpckicLQ/JwNi3HiIfQgBVB2aJZ+cg8CGqaQCI5ZvWs7XFpUgkb
# naA4IR5mdNgXJm7ttBKbWarPNcmdODqa/5YDjXdyHmMx3JD994k1y5LIi3o69TgI
# rgHzU8ChZqaBDEvNa5KGtadQPnaSBP15Yqbp5rn2knVRKjDdyCdB94aWO5tZkmaO
# ARFmNk6h5bhwXdXl2Hu67RS2Kd0/fHMFWsxyHAX4NYT+Vq+ZTjLdaPzwFdfA0yAz
# wXWn0EAeYQ5M2xOPfDM/JYSc1THSzhpwy/CBrRjrCRZMDE+bx9BRC7pUXwquE8xF
# CW1NUxkvZikQeiMzgEBbTA==
# =u6u8
# -----END PGP SIGNATURE-----
# gpg: Signature made Fri 13 Sep 2024 16:13:13 BST
# gpg: using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE
# gpg: issuer "peter.maydell@linaro.org"
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" [ultimate]
# gpg: aka "Peter Maydell <pmaydell@gmail.com>" [ultimate]
# gpg: aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" [ultimate]
# gpg: aka "Peter Maydell <peter@archaic.org.uk>" [ultimate]
# Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83 15CF 3C25 25ED 1436 0CDE

* tag 'pull-target-arm-20240913' of https://git.linaro.org/people/pmaydell/qemu-arm: (27 commits)
hw/intc/arm_gic: fix spurious level triggered interrupts
MAINTAINERS: Add my-self as CAN maintainer
MAINTAINERS: Update Xilinx Versal OSPI maintainer's email address
MAINTAINERS: Remove Vikram Garhwal as maintainer
hw/net/can/xlnx-versal-canfd: Fix FIFO issues
hw/net/can/xlnx-versal-canfd: Simplify DLC conversions
hw/net/can/xlnx-versal-canfd: Fix byte ordering
hw/net/can/xlnx-versal-canfd: Handle flags correctly
hw/net/can/xlnx-versal-canfd: Translate CAN ID registers
hw/net/can/xlnx-versal-canfd: Fix CAN FD flag check
hw/net/can/xlnx-versal-canfd: Fix interrupt level
target/arm/tcg: refine cache descriptions with a wrapper
hvf: arm: Implement and use hvf_get_physical_address_range
hvf: Split up hv_vm_create logic per arch
hw/boards: Add hvf_get_physical_address_range to MachineClass
kvm: Use 'unsigned long' for request argument in functions wrapping ioctl()
hw/core/resettable: Remove transitional_function machinery
hw/core/qdev: Simplify legacy_reset handling
hw: Remove device_phases_reset()
hw: Rename DeviceClass::reset field to legacy_reset
...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

hvf: arm: Implement and use hvf_get_physical_address_range

This patch's main focus is to use the previously added
hvf_get_physical_address_range to inform VM creation
about the IPA size we need for

hvf: arm: Implement and use hvf_get_physical_address_range

This patch's main focus is to use the previously added
hvf_get_physical_address_range to inform VM creation
about the IPA size we need for the VM, so we can extend
the default 36b IPA size and support VMs with 64+GB of
RAM. This is done by freezing the memory map, computing
the highest GPA and then (depending on if the platform
supports an IPA size that large) telling the kernel to
use a size >= for the VM. In pursuit of this a couple of
things related to how we handle the physical address range
we expose to guests were altered, but for an explanation of
what we were doing:

Today, to get the IPA size we were reading id_aa64mmfr0_el1's
PARange field from a newly made vcpu. Unfortunately, HVF just
returns the hosts PARange directly for the initial value and
not the IPA size that will actually back the VM, so we believe
we have much more address space than we actually do today it seems.

Starting in macOS 13.0 some APIs were introduced to be able to
query the maximum IPA size the kernel supports, and to set the IPA
size for a given VM. However, this still has a couple of issues
on < macOS 15. Up until macOS 15 (and if the hardware supported
it) the max IPA size was 39 bits which is not a valid PARange
value, so we can't clamp down what we advertise in the vcpu's
id_aa64mmfr0_el1 to our IPA size. Starting in macOS 15 however,
the maximum IPA size is 40 bits (if it's supported in the hardware
as well) which is also a valid PARange value so we can set our IPA
size to the maximum as well as clamp down the PARange we advertise
to the guest. This allows VMs with 64+ GB of RAM and should fix the
oddness of the PARange situation as well.

Signed-off-by: Danny Canter <danny_canter@apple.com>
Message-id: 20240828111552.93482-4-danny_canter@apple.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

Merge tag 'pull-target-arm-20240813' of https://git.linaro.org/people/pmaydell/qemu-arm into staging

target-arm queue:
* hw/misc/stm32l4x5_rcc: Add validation for MCOPRE and MCOSEL values
* target

Merge tag 'pull-target-arm-20240813' of https://git.linaro.org/people/pmaydell/qemu-arm into staging

target-arm queue:
* hw/misc/stm32l4x5_rcc: Add validation for MCOPRE and MCOSEL values
* target/arm: Clear high SVE elements in handle_vec_simd_wshli
* target/arm: Fix usage of MMU indexes when EL3 is AArch32

# -----BEGIN PGP SIGNATURE-----
#
# iQJNBAABCAA3FiEE4aXFk81BneKOgxXPPCUl7RQ2DN4FAma7eSIZHHBldGVyLm1h
# eWRlbGxAbGluYXJvLm9yZwAKCRA8JSXtFDYM3gbJEACHhZAvP4f1vic8DNGPw8Yr
# v+pRQON+vF+PDBSyNkYCRL5Gy1P257Aujw1ed2dpoDhMemC/co67W2zdzToCvDd5
# XZxlHb/iUCTeZbA/Zp66ZADlvVOdvvQL8EHbd4mSBEZp9rvPSmxatx4I5jstLiAV
# 5HimP+AjjGMfklMu+RelW7A7WDRJ0h7F4PwXCA8tLeHPH5XHSkweGYt3OVfSlUAs
# +RKiltByC/quujLHxrQcVtLZON1KKiB0P8VPRcaR1QIFARiR1IfLvzhKVpqyOlnV
# 3a+ZILtCJE1YEM+h7Aunz/l9MQ0DZe5DzbIdKOQ7NUkerlhq81kriPp67yLv25lk
# zgqkHGGDEnIGpSXdmbXTNLcGlH+5O+fWl2RMzYrSFJqvwyRu9egLLi6E0xaNCRvY
# gdb6CGPhhu21C1o5Nax0CiaZe3vzzRvC5QsIJ0yww6y7VaGFVt/XRaKBdLHB97nZ
# t/9ifa3fmhVEW6pQEy8VdAeFoxIT2lJ2xJgBdMwpZCJlCxB8xKU/rZfrXKS/UUqV
# 9Klbcfrx1WFT7zrAWS0Ig7nPttJ+XgjYfgHI3q2e80F6xRmAmaAjnbtVRS+L3It9
# eZ4SmuzurWipRLpdmxdOX1IXdZD9rJMzk9IUIZoklctlR/D+75Iuy0N7gY8G2dbp
# fmh38lEQZ0IC90VmNtWltw==
# =So/3
# -----END PGP SIGNATURE-----
# gpg: Signature made Wed 14 Aug 2024 01:17:54 AM AEST
# gpg: using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE
# gpg: issuer "peter.maydell@linaro.org"
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" [full]
# gpg: aka "Peter Maydell <pmaydell@gmail.com>" [full]
# gpg: aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" [full]
# gpg: aka "Peter Maydell <peter@archaic.org.uk>" [unknown]

* tag 'pull-target-arm-20240813' of https://git.linaro.org/people/pmaydell/qemu-arm:
target/arm: Fix usage of MMU indexes when EL3 is AArch32
target/arm: Update translation regime comment for new features
target/arm: Clear high SVE elements in handle_vec_simd_wshli
hw/misc/stm32l4x5_rcc: Add validation for MCOPRE and MCOSEL values

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

show more ...

target/arm: Fix usage of MMU indexes when EL3 is AArch32

Our current usage of MMU indexes when EL3 is AArch32 is confused.
Architecturally, when EL3 is AArch32, all Secure code runs under the
Secure

target/arm: Fix usage of MMU indexes when EL3 is AArch32

Our current usage of MMU indexes when EL3 is AArch32 is confused.
Architecturally, when EL3 is AArch32, all Secure code runs under the
Secure PL1&0 translation regime:
* code at EL3, which might be Mon, or SVC, or any of the
other privileged modes (PL1)
* code at EL0 (Secure PL0)

This is different from when EL3 is AArch64, in which case EL3 is its
own translation regime, and EL1 and EL0 (whether AArch32 or AArch64)
have their own regime.

We claimed to be mapping Secure PL1 to our ARMMMUIdx_EL3, but didn't
do anything special about Secure PL0, which meant it used the same
ARMMMUIdx_EL10_0 that NonSecure PL0 does. This resulted in a bug
where arm_sctlr() incorrectly picked the NonSecure SCTLR as the
controlling register when in Secure PL0, which meant we were
spuriously generating alignment faults because we were looking at the
wrong SCTLR control bits.

The use of ARMMMUIdx_EL3 for Secure PL1 also resulted in the bug that
we wouldn't honour the PAN bit for Secure PL1, because there's no
equivalent _PAN mmu index for it.

We could fix this in one of two ways:
* The most straightforward is to add new MMU indexes EL30_0,
EL30_3, EL30_3_PAN to correspond to "Secure PL1&0 at PL0",
"Secure PL1&0 at PL1", and "Secure PL1&0 at PL1 with PAN".
This matches how we use indexes for the AArch64 regimes, and
preserves propirties like being able to determine the privilege
level from an MMU index without any other information. However
it would add two MMU indexes (we can share one with ARMMMUIdx_EL3),
and we are already using 14 of the 16 the core TLB code permits.

* The more complicated approach is the one we take here. We use
the same MMU indexes (E10_0, E10_1, E10_1_PAN) for Secure PL1&0
than we do for NonSecure PL1&0. This saves on MMU indexes, but
means we need to check in some places whether we're in the
Secure PL1&0 regime or not before we interpret an MMU index.

The changes in this commit were created by auditing all the places
where we use specific ARMMMUIdx_ values, and checking whether they
needed to be changed to handle the new index value usage.

Note for potential stable backports: taking also the previous
(comment-change-only) commit might make the backport easier.

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2326
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Bernhard Beschow <shentey@gmail.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20240809160430.1144805-3-peter.maydell@linaro.org

show more ...

Merge tag 'accel-20240506' of https://github.com/philmd/qemu into staging

Accelerator patches

- Extract page-protection definitions to page-protection.h
- Rework in accel/tcg in preparation of extr

Merge tag 'accel-20240506' of https://github.com/philmd/qemu into staging

Accelerator patches

- Extract page-protection definitions to page-protection.h
- Rework in accel/tcg in preparation of extracting TCG fields from CPUState
- More uses of get_task_state() in user emulation
- Xen refactors in preparation for adding multiple map caches (Juergen & Edgar)
- MAINTAINERS updates (Aleksandar and Bin)

# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEE+qvnXhKRciHc/Wuy4+MsLN6twN4FAmY40CAACgkQ4+MsLN6t
# wN5drxAA1oIsuUzpAJmlMIxZwlzbICiuexgn/HH9DwWNlrarKo7V1l4YB8jd9WOg
# IKuj7c39kJKsDEB8BXApYwcly+l7DYdnAAI8Z7a+eN+ffKNl/0XBaLjsGf58RNwY
# fb39/cXWI9ZxKxsHMSyjpiu68gOGvZ5JJqa30Fr+eOGuug9Fn/fOe1zC6l/dMagy
# Dnym72stpD+hcsN5sVwohTBIk+7g9og1O/ctRx6Q3ZCOPz4p0+JNf8VUu43/reaR
# 294yRK++JrSMhOVFRzP+FH1G25NxiOrVCFXZsUTYU+qPDtdiKtjH1keI/sk7rwZ7
# U573lesl7ewQFf1PvMdaVf0TrQyOe6kUGr9Mn2k8+KgjYRAjTAQk8V4Ric/+xXSU
# 0rd7Cz7lyQ8jm0DoOElROv+lTDQs4dvm3BopF3Bojo4xHLHd3SFhROVPG4tvGQ3H
# 72Q5UPR2Jr2QZKiImvPceUOg0z5XxoN6KRUkSEpMFOiTRkbwnrH59z/qPijUpe6v
# 8l5IlI9GjwkL7pcRensp1VC6e9KC7F5Od1J/2RLDw3UQllMQXqVw2bxD3CEtDRJL
# QSZoS4d1jUCW4iAYdqh/8+2cOIPiCJ4ai5u7lSdjrIJkRErm32FV/pQLZauoHlT5
# eTPUgzDoRXVgI1X1slTpVXlEEvRNbhZqSkYLkXr80MLn5hTafo0=
# =3Qkg
# -----END PGP SIGNATURE-----
# gpg: Signature made Mon 06 May 2024 05:42:08 AM PDT
# gpg: using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE
# gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <f4bug@amsat.org>" [full]

* tag 'accel-20240506' of https://github.com/philmd/qemu: (28 commits)
MAINTAINERS: Update my email address
MAINTAINERS: Update Aleksandar Rikalo email
system: Pass RAM MemoryRegion and is_write in xen_map_cache()
xen: mapcache: Break out xen_map_cache_init_single()
xen: mapcache: Break out xen_invalidate_map_cache_single()
xen: mapcache: Refactor xen_invalidate_map_cache_entry_unlocked
xen: mapcache: Refactor xen_replace_cache_entry_unlocked
xen: mapcache: Break out xen_ram_addr_from_mapcache_single
xen: mapcache: Refactor xen_remap_bucket for multi-instance
xen: mapcache: Refactor xen_map_cache for multi-instance
xen: mapcache: Refactor lock functions for multi-instance
xen: let xen_ram_addr_from_mapcache() return -1 in case of not found entry
system: let qemu_map_ram_ptr() use qemu_ram_ptr_length()
user: Use get_task_state() helper
user: Declare get_task_state() once in 'accel/tcg/vcpu-state.h'
user: Forward declare TaskState type definition
accel/tcg: Move @plugin_mem_cbs from CPUState to CPUNegativeOffsetState
accel/tcg: Restrict cpu_plugin_mem_cbs_enabled() to TCG
accel/tcg: Restrict qemu_plugin_vcpu_exit_hook() to TCG plugins
accel/tcg: Update CPUNegativeOffsetState::can_do_io field documentation
...

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

show more ...