[Qemu-devel] [PULL 00/13] target-arm queue
[Qemu-devel] [PULL 00/10] target-arm queue
1
A random mix of items here, nothing very major.
1
target-arm queue for rc1 -- these are all bug fixes.
2
2
3
thanks
3
thanks
4
-- PMM
4
-- PMM
5
5
6
The following changes since commit b9404bf592e7ba74180e1a54ed7a266ec6ee67f2:
6
7
7
The following changes since commit d0dff238a87fa81393ed72754d4dc8b09e50b08b:
8
Merge remote-tracking branch 'remotes/dgilbert/tags/pull-hmp-20190715' into staging (2019-07-15 12:22:07 +0100)
8
9
9
Merge remote-tracking branch 'remotes/juanquintela/tags/migration/20170206' into staging (2017-02-07 15:29:26 +0000)
10
are available in the Git repository at:
10
11
11
are available in the git repository at:
12
https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20190715
12
13
13
git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20170207
14
for you to fetch changes up to 51c9122e92b776a3f16af0b9282f1dc5012e2a19:
14
15
15
for you to fetch changes up to 7727b832886fafbdec7299eb7773dc9071bf4cdd:
16
target/arm: NS BusFault on vector table fetch escalates to NS HardFault (2019-07-15 14:17:04 +0100)
16
17
stellaris: Use the 'unimplemented' device for parts we don't implement (2017-02-07 18:30:00 +0000)
18
17
19
----------------------------------------------------------------
18
----------------------------------------------------------------
20
target-arm:
19
target-arm queue:
21
* new "unimplemented" device for stubbing out devices in a
20
* report ARMv8-A FP support for AArch32 -cpu max
22
system model so accesses can be logged
21
* hw/ssi/xilinx_spips: Avoid AXI writes to the LQSPI linear memory
23
* stellaris: document the SoC memory map
22
* hw/ssi/xilinx_spips: Avoid out-of-bound access to lqspi_buf[]
24
* arm: create instruction syndromes for AArch32 data aborts
23
* hw/ssi/mss-spi: Avoid crash when reading empty RX FIFO
25
* arm: Correctly handle watchpoints for BE32 CPUs
24
* hw/display/xlnx_dp: Avoid crash when reading empty RX FIFO
26
* Fix Thumb-1 BE32 execution and disassembly
25
* hw/arm/virt: Fix non-secure flash mode
27
* arm: Add cfgend parameter for ARM CPU selection
26
* pl031: Correctly migrate state when using -rtc clock=host
28
* sd: sdhci: check data length during dma_memory_read
27
* fix regression that meant arm926 and arm1026 lost VFP
29
* aspeed: add a watchdog controller
28
double-precision support
30
* integratorcp: adding vmstate for save/restore
29
* v8M: NS BusFault on vector table fetch escalates to NS HardFault
31
30
32
----------------------------------------------------------------
31
----------------------------------------------------------------
33
Cédric Le Goater (2):
32
Alex Bennée (1):
34
wdt: Add Aspeed watchdog device model
33
target/arm: report ARMv8-A FP support for AArch32 -cpu max
35
aspeed: add a watchdog controller
36
34
37
Julian Brown (4):
35
David Engraf (1):
38
hw/arm/integratorcp: Support specifying features via -cpu
36
hw/arm/virt: Fix non-secure flash mode
39
target/arm: Add cfgend parameter for ARM CPU selection.
40
Fix Thumb-1 BE32 execution and disassembly.
41
arm: Correctly handle watchpoints for BE32 CPUs
42
37
43
Pavel Dovgalyuk (1):
38
Peter Maydell (3):
44
integratorcp: adding vmstate for save/restore
39
pl031: Correctly migrate state when using -rtc clock=host
40
target/arm: Set VFP-related MVFR0 fields for arm926 and arm1026
41
target/arm: NS BusFault on vector table fetch escalates to NS HardFault
45
42
46
Peter Maydell (5):
43
Philippe Mathieu-Daudé (5):
47
target/arm: Abstract out pbit/wbit tests in ARM ldr/str decode
44
hw/ssi/xilinx_spips: Convert lqspi_read() to read_with_attrs
48
target/arm: A32, T32: Create Instruction Syndromes for Data Aborts
45
hw/ssi/xilinx_spips: Avoid AXI writes to the LQSPI linear memory
49
stellaris: Document memory map and which SoC devices are unimplemented
46
hw/ssi/xilinx_spips: Avoid out-of-bound access to lqspi_buf[]
50
hw/misc: New "unimplemented" sysbus device
47
hw/ssi/mss-spi: Avoid crash when reading empty RX FIFO
51
stellaris: Use the 'unimplemented' device for parts we don't implement
48
hw/display/xlnx_dp: Avoid crash when reading empty RX FIFO
52
49
53
Prasad J Pandit (1):
50
include/hw/timer/pl031.h | 2 ++
54
sd: sdhci: check data length during dma_memory_read
51
hw/arm/virt.c | 2 +-
52
hw/core/machine.c | 1 +
53
hw/display/xlnx_dp.c | 15 +++++---
54
hw/ssi/mss-spi.c | 8 ++++-
55
hw/ssi/xilinx_spips.c | 43 +++++++++++++++-------
56
hw/timer/pl031.c | 92 +++++++++++++++++++++++++++++++++++++++++++++---
57
target/arm/cpu.c | 16 +++++++++
58
target/arm/m_helper.c | 21 ++++++++---
59
9 files changed, 174 insertions(+), 26 deletions(-)
55
60
56
hw/misc/Makefile.objs | 2 +
57
hw/watchdog/Makefile.objs | 1 +
58
include/disas/bfd.h | 7 ++
59
include/hw/arm/aspeed_soc.h | 2 +
60
include/hw/misc/unimp.h | 39 +++++++
61
include/hw/watchdog/wdt_aspeed.h | 32 ++++++
62
include/qom/cpu.h | 3 +
63
target/arm/arm_ldst.h | 10 +-
64
target/arm/cpu.h | 7 ++
65
target/arm/internals.h | 5 +
66
target/arm/translate.h | 14 +++
67
disas.c | 1 +
68
exec.c | 1 +
69
hw/arm/aspeed_soc.c | 13 +++
70
hw/arm/integratorcp.c | 78 +++++++++++++-
71
hw/arm/stellaris.c | 48 +++++++++
72
hw/misc/unimp.c | 107 +++++++++++++++++++
73
hw/sd/sdhci.c | 2 +-
74
hw/watchdog/wdt_aspeed.c | 225 +++++++++++++++++++++++++++++++++++++++
75
qom/cpu.c | 6 ++
76
target/arm/cpu.c | 39 +++++++
77
target/arm/op_helper.c | 22 ++++
78
target/arm/translate-a64.c | 14 ---
79
target/arm/translate.c | 193 ++++++++++++++++++++++++---------
80
24 files changed, 801 insertions(+), 70 deletions(-)
81
create mode 100644 include/hw/misc/unimp.h
82
create mode 100644 include/hw/watchdog/wdt_aspeed.h
83
create mode 100644 hw/misc/unimp.c
84
create mode 100644 hw/watchdog/wdt_aspeed.c
85
diff view generated by jsdifflib
[Qemu-devel] [PULL 08/13] arm: Correctly handle watchpoints for BE32 CPUs
[Qemu-devel] [PULL 01/10] target/arm: report ARMv8-A FP support for AArch32 -cpu max
1
From: Julian Brown <julian@codesourcery.com>
1
From: Alex Bennée <alex.bennee@linaro.org>
2
2
3
In BE32 mode, sub-word size watchpoints can fail to trigger because the
3
When we converted to using feature bits in 602f6e42cfbf we missed out
4
address of the access is adjusted in the opcode helpers before being
4
the fact (dp && arm_dc_feature(s, ARM_FEATURE_V8)) was supported for
5
compared with the watchpoint registers. This patch reverses the address
5
-cpu max configurations. This caused a regression in the GCC test
6
adjustment before performing the comparison with the help of a new CPUClass
6
suite. Fix this by setting the appropriate bits in mvfr1.FPHP to
7
hook.
7
report ARMv8-A with FP support (but not ARMv8.2-FP16).
8
8
9
This version of the patch augments and tidies up comments a little.
9
Fixes: https://bugs.launchpad.net/qemu/+bug/1836078
10
10
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
11
Signed-off-by: Julian Brown <julian@codesourcery.com>
11
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
12
Message-id: caaf64ffc72f6ae183015337b7afdbd4b8989cb6.1484929304.git.julian@codesourcery.com
12
Message-id: 20190711103737.10017-1-alex.bennee@linaro.org
13
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
14
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
13
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
15
---
14
---
16
include/qom/cpu.h | 3 +++
15
target/arm/cpu.c | 4 ++++
17
target/arm/internals.h | 5 +++++
16
1 file changed, 4 insertions(+)
18
exec.c | 1 +
19
qom/cpu.c | 6 ++++++
20
target/arm/cpu.c | 3 +++
21
target/arm/op_helper.c | 22 ++++++++++++++++++++++
22
6 files changed, 40 insertions(+)
23
17
24
diff --git a/include/qom/cpu.h b/include/qom/cpu.h
25
index XXXXXXX..XXXXXXX 100644
26
--- a/include/qom/cpu.h
27
+++ b/include/qom/cpu.h
28
@@ -XXX,XX +XXX,XX @@ struct TranslationBlock;
29
* @cpu_exec_exit: Callback for cpu_exec cleanup.
30
* @cpu_exec_interrupt: Callback for processing interrupts in cpu_exec.
31
* @disas_set_info: Setup architecture specific components of disassembly info
32
+ * @adjust_watchpoint_address: Perform a target-specific adjustment to an
33
+ * address before attempting to match it against watchpoints.
34
*
35
* Represents a CPU family or model.
36
*/
37
@@ -XXX,XX +XXX,XX @@ typedef struct CPUClass {
38
bool (*cpu_exec_interrupt)(CPUState *cpu, int interrupt_request);
39
40
void (*disas_set_info)(CPUState *cpu, disassemble_info *info);
41
+ vaddr (*adjust_watchpoint_address)(CPUState *cpu, vaddr addr, int len);
42
} CPUClass;
43
44
#ifdef HOST_WORDS_BIGENDIAN
45
diff --git a/target/arm/internals.h b/target/arm/internals.h
46
index XXXXXXX..XXXXXXX 100644
47
--- a/target/arm/internals.h
48
+++ b/target/arm/internals.h
49
@@ -XXX,XX +XXX,XX @@ void hw_breakpoint_update_all(ARMCPU *cpu);
50
/* Callback function for checking if a watchpoint should trigger. */
51
bool arm_debug_check_watchpoint(CPUState *cs, CPUWatchpoint *wp);
52
53
+/* Adjust addresses (in BE32 mode) before testing against watchpoint
54
+ * addresses.
55
+ */
56
+vaddr arm_adjust_watchpoint_address(CPUState *cs, vaddr addr, int len);
57
+
58
/* Callback function for when a watchpoint or breakpoint triggers. */
59
void arm_debug_excp_handler(CPUState *cs);
60
61
diff --git a/exec.c b/exec.c
62
index XXXXXXX..XXXXXXX 100644
63
--- a/exec.c
64
+++ b/exec.c
65
@@ -XXX,XX +XXX,XX @@ static void check_watchpoint(int offset, int len, MemTxAttrs attrs, int flags)
66
return;
67
}
68
vaddr = (cpu->mem_io_vaddr & TARGET_PAGE_MASK) + offset;
69
+ vaddr = cc->adjust_watchpoint_address(cpu, vaddr, len);
70
QTAILQ_FOREACH(wp, &cpu->watchpoints, entry) {
71
if (cpu_watchpoint_address_matches(wp, vaddr, len)
72
&& (wp->flags & flags)) {
73
diff --git a/qom/cpu.c b/qom/cpu.c
74
index XXXXXXX..XXXXXXX 100644
75
--- a/qom/cpu.c
76
+++ b/qom/cpu.c
77
@@ -XXX,XX +XXX,XX @@ static int64_t cpu_common_get_arch_id(CPUState *cpu)
78
return cpu->cpu_index;
79
}
80
81
+static vaddr cpu_adjust_watchpoint_address(CPUState *cpu, vaddr addr, int len)
82
+{
83
+ return addr;
84
+}
85
+
86
static void cpu_class_init(ObjectClass *klass, void *data)
87
{
88
DeviceClass *dc = DEVICE_CLASS(klass);
89
@@ -XXX,XX +XXX,XX @@ static void cpu_class_init(ObjectClass *klass, void *data)
90
k->cpu_exec_enter = cpu_common_noop;
91
k->cpu_exec_exit = cpu_common_noop;
92
k->cpu_exec_interrupt = cpu_common_exec_interrupt;
93
+ k->adjust_watchpoint_address = cpu_adjust_watchpoint_address;
94
set_bit(DEVICE_CATEGORY_CPU, dc->categories);
95
dc->realize = cpu_common_realizefn;
96
dc->unrealize = cpu_common_unrealizefn;
97
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
18
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
98
index XXXXXXX..XXXXXXX 100644
19
index XXXXXXX..XXXXXXX 100644
99
--- a/target/arm/cpu.c
20
--- a/target/arm/cpu.c
100
+++ b/target/arm/cpu.c
21
+++ b/target/arm/cpu.c
101
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_class_init(ObjectClass *oc, void *data)
22
@@ -XXX,XX +XXX,XX @@ static void arm_max_initfn(Object *obj)
102
cc->gdb_stop_before_watchpoint = true;
23
t = FIELD_DP32(t, ID_ISAR6, SPECRES, 1);
103
cc->debug_excp_handler = arm_debug_excp_handler;
24
cpu->isar.id_isar6 = t;
104
cc->debug_check_watchpoint = arm_debug_check_watchpoint;
25
105
+#if !defined(CONFIG_USER_ONLY)
26
+ t = cpu->isar.mvfr1;
106
+ cc->adjust_watchpoint_address = arm_adjust_watchpoint_address;
27
+ t = FIELD_DP32(t, MVFR1, FPHP, 2); /* v8.0 FP support */
107
+#endif
28
+ cpu->isar.mvfr1 = t;
108
109
cc->disas_set_info = arm_disas_set_info;
110
}
111
diff --git a/target/arm/op_helper.c b/target/arm/op_helper.c
112
index XXXXXXX..XXXXXXX 100644
113
--- a/target/arm/op_helper.c
114
+++ b/target/arm/op_helper.c
115
@@ -XXX,XX +XXX,XX @@ bool arm_debug_check_watchpoint(CPUState *cs, CPUWatchpoint *wp)
116
return check_watchpoints(cpu);
117
}
118
119
+vaddr arm_adjust_watchpoint_address(CPUState *cs, vaddr addr, int len)
120
+{
121
+ ARMCPU *cpu = ARM_CPU(cs);
122
+ CPUARMState *env = &cpu->env;
123
+
29
+
124
+ /* In BE32 system mode, target memory is stored byteswapped (on a
30
t = cpu->isar.mvfr2;
125
+ * little-endian host system), and by the time we reach here (via an
31
t = FIELD_DP32(t, MVFR2, SIMDMISC, 3); /* SIMD MaxNum */
126
+ * opcode helper) the addresses of subword accesses have been adjusted
32
t = FIELD_DP32(t, MVFR2, FPMISC, 4); /* FP MaxNum */
127
+ * to account for that, which means that watchpoints will not match.
128
+ * Undo the adjustment here.
129
+ */
130
+ if (arm_sctlr_b(env)) {
131
+ if (len == 1) {
132
+ addr ^= 3;
133
+ } else if (len == 2) {
134
+ addr ^= 2;
135
+ }
136
+ }
137
+
138
+ return addr;
139
+}
140
+
141
void arm_debug_excp_handler(CPUState *cs)
142
{
143
/* Called by core code when a watchpoint or breakpoint fires;
144
--
33
--
145
2.7.4
34
2.20.1
146
35
147
36
diff view generated by jsdifflib
[Qemu-devel] [PULL 10/13] target/arm: A32, T32: Create Instruction Syndromes for Data Aborts
[Qemu-devel] [PULL 02/10] hw/ssi/xilinx_spips: Convert lqspi_read() to read_with_attrs
1
Add support for generating the ISS (Instruction Specific Syndrome)
1
From: Philippe Mathieu-Daudé <philmd@redhat.com>
2
for Data Abort exceptions taken from AArch32. These syndromes are
3
used by hypervisors for example to trap and emulate memory accesses.
4
2
5
This is the equivalent for AArch32 guests of the work done for AArch64
3
In the next commit we will implement the write_with_attrs()
6
guests in commit aaa1f954d4cab243.
4
handler. To avoid using different APIs, convert the read()
5
handler first.
7
6
7
Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
8
Tested-by: Francisco Iglesias <frasse.iglesias@gmail.com>
9
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
8
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
10
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
9
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
10
---
11
---
11
target/arm/translate.h | 14 ++++
12
hw/ssi/xilinx_spips.c | 23 +++++++++++------------
12
target/arm/translate-a64.c | 14 ----
13
1 file changed, 11 insertions(+), 12 deletions(-)
13
target/arm/translate.c | 184 +++++++++++++++++++++++++++++++++------------
14
3 files changed, 149 insertions(+), 63 deletions(-)
15
14
16
diff --git a/target/arm/translate.h b/target/arm/translate.h
15
diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
17
index XXXXXXX..XXXXXXX 100644
16
index XXXXXXX..XXXXXXX 100644
18
--- a/target/arm/translate.h
17
--- a/hw/ssi/xilinx_spips.c
19
+++ b/target/arm/translate.h
18
+++ b/hw/ssi/xilinx_spips.c
20
@@ -XXX,XX +XXX,XX @@ static inline int default_exception_el(DisasContext *s)
19
@@ -XXX,XX +XXX,XX @@ static void lqspi_load_cache(void *opaque, hwaddr addr)
21
? 3 : MAX(1, s->current_el);
22
}
23
24
+static void disas_set_insn_syndrome(DisasContext *s, uint32_t syn)
25
+{
26
+ /* We don't need to save all of the syndrome so we mask and shift
27
+ * out unneeded bits to help the sleb128 encoder do a better job.
28
+ */
29
+ syn &= ARM_INSN_START_WORD2_MASK;
30
+ syn >>= ARM_INSN_START_WORD2_SHIFT;
31
+
32
+ /* We check and clear insn_start_idx to catch multiple updates. */
33
+ assert(s->insn_start_idx != 0);
34
+ tcg_set_insn_param(s->insn_start_idx, 2, syn);
35
+ s->insn_start_idx = 0;
36
+}
37
+
38
/* target-specific extra values for is_jmp */
39
/* These instructions trap after executing, so the A32/T32 decoder must
40
* defer them until after the conditional execution state has been updated.
41
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
42
index XXXXXXX..XXXXXXX 100644
43
--- a/target/arm/translate-a64.c
44
+++ b/target/arm/translate-a64.c
45
@@ -XXX,XX +XXX,XX @@ static inline void gen_goto_tb(DisasContext *s, int n, uint64_t dest)
46
}
20
}
47
}
21
}
48
22
49
-static void disas_set_insn_syndrome(DisasContext *s, uint32_t syn)
23
-static uint64_t
50
-{
24
-lqspi_read(void *opaque, hwaddr addr, unsigned int size)
51
- /* We don't need to save all of the syndrome so we mask and shift
25
+static MemTxResult lqspi_read(void *opaque, hwaddr addr, uint64_t *value,
52
- * out uneeded bits to help the sleb128 encoder do a better job.
26
+ unsigned size, MemTxAttrs attrs)
53
- */
54
- syn &= ARM_INSN_START_WORD2_MASK;
55
- syn >>= ARM_INSN_START_WORD2_SHIFT;
56
-
57
- /* We check and clear insn_start_idx to catch multiple updates. */
58
- assert(s->insn_start_idx != 0);
59
- tcg_set_insn_param(s->insn_start_idx, 2, syn);
60
- s->insn_start_idx = 0;
61
-}
62
-
63
static void unallocated_encoding(DisasContext *s)
64
{
27
{
65
/* Unallocated and reserved encodings are uncategorized */
28
- XilinxQSPIPS *q = opaque;
66
diff --git a/target/arm/translate.c b/target/arm/translate.c
29
- uint32_t ret;
67
index XXXXXXX..XXXXXXX 100644
30
+ XilinxQSPIPS *q = XILINX_QSPIPS(opaque);
68
--- a/target/arm/translate.c
31
69
+++ b/target/arm/translate.c
32
if (addr >= q->lqspi_cached_addr &&
70
@@ -XXX,XX +XXX,XX @@ void arm_translate_init(void)
33
addr <= q->lqspi_cached_addr + LQSPI_CACHE_SIZE - 4) {
71
a64_translate_init();
34
uint8_t *retp = &q->lqspi_buf[addr - q->lqspi_cached_addr];
35
- ret = cpu_to_le32(*(uint32_t *)retp);
36
- DB_PRINT_L(1, "addr: %08x, data: %08x\n", (unsigned)addr,
37
- (unsigned)ret);
38
- return ret;
39
- } else {
40
- lqspi_load_cache(opaque, addr);
41
- return lqspi_read(opaque, addr, size);
42
+ *value = cpu_to_le32(*(uint32_t *)retp);
43
+ DB_PRINT_L(1, "addr: %08" HWADDR_PRIx ", data: %08" PRIx64 "\n",
44
+ addr, *value);
45
+ return MEMTX_OK;
46
}
47
+
48
+ lqspi_load_cache(opaque, addr);
49
+ return lqspi_read(opaque, addr, value, size, attrs);
72
}
50
}
73
51
74
+/* Flags for the disas_set_da_iss info argument:
52
static const MemoryRegionOps lqspi_ops = {
75
+ * lower bits hold the Rt register number, higher bits are flags.
53
- .read = lqspi_read,
76
+ */
54
+ .read_with_attrs = lqspi_read,
77
+typedef enum ISSInfo {
55
.endianness = DEVICE_NATIVE_ENDIAN,
78
+ ISSNone = 0,
56
.valid = {
79
+ ISSRegMask = 0x1f,
57
.min_access_size = 1,
80
+ ISSInvalid = (1 << 5),
81
+ ISSIsAcqRel = (1 << 6),
82
+ ISSIsWrite = (1 << 7),
83
+ ISSIs16Bit = (1 << 8),
84
+} ISSInfo;
85
+
86
+/* Save the syndrome information for a Data Abort */
87
+static void disas_set_da_iss(DisasContext *s, TCGMemOp memop, ISSInfo issinfo)
88
+{
89
+ uint32_t syn;
90
+ int sas = memop & MO_SIZE;
91
+ bool sse = memop & MO_SIGN;
92
+ bool is_acqrel = issinfo & ISSIsAcqRel;
93
+ bool is_write = issinfo & ISSIsWrite;
94
+ bool is_16bit = issinfo & ISSIs16Bit;
95
+ int srt = issinfo & ISSRegMask;
96
+
97
+ if (issinfo & ISSInvalid) {
98
+ /* Some callsites want to conditionally provide ISS info,
99
+ * eg "only if this was not a writeback"
100
+ */
101
+ return;
102
+ }
103
+
104
+ if (srt == 15) {
105
+ /* For AArch32, insns where the src/dest is R15 never generate
106
+ * ISS information. Catching that here saves checking at all
107
+ * the call sites.
108
+ */
109
+ return;
110
+ }
111
+
112
+ syn = syn_data_abort_with_iss(0, sas, sse, srt, 0, is_acqrel,
113
+ 0, 0, 0, is_write, 0, is_16bit);
114
+ disas_set_insn_syndrome(s, syn);
115
+}
116
+
117
static inline ARMMMUIdx get_a32_user_mem_index(DisasContext *s)
118
{
119
/* Return the mmu_idx to use for A32/T32 "unprivileged load/store"
120
@@ -XXX,XX +XXX,XX @@ static inline void gen_aa32_ld##SUFF(DisasContext *s, TCGv_i32 val, \
121
TCGv_i32 a32, int index) \
122
{ \
123
gen_aa32_ld_i32(s, val, a32, index, OPC | s->be_data); \
124
+} \
125
+static inline void gen_aa32_ld##SUFF##_iss(DisasContext *s, \
126
+ TCGv_i32 val, \
127
+ TCGv_i32 a32, int index, \
128
+ ISSInfo issinfo) \
129
+{ \
130
+ gen_aa32_ld_i32(s, val, a32, index, OPC | s->be_data); \
131
+ disas_set_da_iss(s, OPC, issinfo); \
132
}
133
134
#define DO_GEN_ST(SUFF, OPC) \
135
@@ -XXX,XX +XXX,XX @@ static inline void gen_aa32_st##SUFF(DisasContext *s, TCGv_i32 val, \
136
TCGv_i32 a32, int index) \
137
{ \
138
gen_aa32_st_i32(s, val, a32, index, OPC | s->be_data); \
139
+} \
140
+static inline void gen_aa32_st##SUFF##_iss(DisasContext *s, \
141
+ TCGv_i32 val, \
142
+ TCGv_i32 a32, int index, \
143
+ ISSInfo issinfo) \
144
+{ \
145
+ gen_aa32_st_i32(s, val, a32, index, OPC | s->be_data); \
146
+ disas_set_da_iss(s, OPC, issinfo | ISSIsWrite); \
147
}
148
149
static inline void gen_aa32_frob64(DisasContext *s, TCGv_i64 val)
150
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
151
tmp = tcg_temp_new_i32();
152
switch (op1) {
153
case 0: /* lda */
154
- gen_aa32_ld32u(s, tmp, addr,
155
- get_mem_index(s));
156
+ gen_aa32_ld32u_iss(s, tmp, addr,
157
+ get_mem_index(s),
158
+ rd | ISSIsAcqRel);
159
break;
160
case 2: /* ldab */
161
- gen_aa32_ld8u(s, tmp, addr,
162
- get_mem_index(s));
163
+ gen_aa32_ld8u_iss(s, tmp, addr,
164
+ get_mem_index(s),
165
+ rd | ISSIsAcqRel);
166
break;
167
case 3: /* ldah */
168
- gen_aa32_ld16u(s, tmp, addr,
169
- get_mem_index(s));
170
+ gen_aa32_ld16u_iss(s, tmp, addr,
171
+ get_mem_index(s),
172
+ rd | ISSIsAcqRel);
173
break;
174
default:
175
abort();
176
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
177
tmp = load_reg(s, rm);
178
switch (op1) {
179
case 0: /* stl */
180
- gen_aa32_st32(s, tmp, addr,
181
- get_mem_index(s));
182
+ gen_aa32_st32_iss(s, tmp, addr,
183
+ get_mem_index(s),
184
+ rm | ISSIsAcqRel);
185
break;
186
case 2: /* stlb */
187
- gen_aa32_st8(s, tmp, addr,
188
- get_mem_index(s));
189
+ gen_aa32_st8_iss(s, tmp, addr,
190
+ get_mem_index(s),
191
+ rm | ISSIsAcqRel);
192
break;
193
case 3: /* stlh */
194
- gen_aa32_st16(s, tmp, addr,
195
- get_mem_index(s));
196
+ gen_aa32_st16_iss(s, tmp, addr,
197
+ get_mem_index(s),
198
+ rm | ISSIsAcqRel);
199
break;
200
default:
201
abort();
202
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
203
bool wbit = insn & (1 << 21);
204
bool pbit = insn & (1 << 24);
205
bool doubleword = false;
206
+ ISSInfo issinfo;
207
+
208
/* Misc load/store */
209
rn = (insn >> 16) & 0xf;
210
rd = (insn >> 12) & 0xf;
211
212
+ /* ISS not valid if writeback */
213
+ issinfo = (pbit & !wbit) ? rd : ISSInvalid;
214
+
215
if (!load && (sh & 2)) {
216
/* doubleword */
217
ARCH(5TE);
218
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
219
tmp = tcg_temp_new_i32();
220
switch (sh) {
221
case 1:
222
- gen_aa32_ld16u(s, tmp, addr, get_mem_index(s));
223
+ gen_aa32_ld16u_iss(s, tmp, addr, get_mem_index(s),
224
+ issinfo);
225
break;
226
case 2:
227
- gen_aa32_ld8s(s, tmp, addr, get_mem_index(s));
228
+ gen_aa32_ld8s_iss(s, tmp, addr, get_mem_index(s),
229
+ issinfo);
230
break;
231
default:
232
case 3:
233
- gen_aa32_ld16s(s, tmp, addr, get_mem_index(s));
234
+ gen_aa32_ld16s_iss(s, tmp, addr, get_mem_index(s),
235
+ issinfo);
236
break;
237
}
238
} else {
239
/* store */
240
tmp = load_reg(s, rd);
241
- gen_aa32_st16(s, tmp, addr, get_mem_index(s));
242
+ gen_aa32_st16_iss(s, tmp, addr, get_mem_index(s), issinfo);
243
tcg_temp_free_i32(tmp);
244
}
245
/* Perform base writeback before the loaded value to
246
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
247
/* load */
248
tmp = tcg_temp_new_i32();
249
if (insn & (1 << 22)) {
250
- gen_aa32_ld8u(s, tmp, tmp2, i);
251
+ gen_aa32_ld8u_iss(s, tmp, tmp2, i, rd);
252
} else {
253
- gen_aa32_ld32u(s, tmp, tmp2, i);
254
+ gen_aa32_ld32u_iss(s, tmp, tmp2, i, rd);
255
}
256
} else {
257
/* store */
258
tmp = load_reg(s, rd);
259
if (insn & (1 << 22)) {
260
- gen_aa32_st8(s, tmp, tmp2, i);
261
+ gen_aa32_st8_iss(s, tmp, tmp2, i, rd);
262
} else {
263
- gen_aa32_st32(s, tmp, tmp2, i);
264
+ gen_aa32_st32_iss(s, tmp, tmp2, i, rd);
265
}
266
tcg_temp_free_i32(tmp);
267
}
268
@@ -XXX,XX +XXX,XX @@ static int disas_thumb2_insn(CPUARMState *env, DisasContext *s, uint16_t insn_hw
269
tmp = tcg_temp_new_i32();
270
switch (op) {
271
case 0: /* ldab */
272
- gen_aa32_ld8u(s, tmp, addr, get_mem_index(s));
273
+ gen_aa32_ld8u_iss(s, tmp, addr, get_mem_index(s),
274
+ rs | ISSIsAcqRel);
275
break;
276
case 1: /* ldah */
277
- gen_aa32_ld16u(s, tmp, addr, get_mem_index(s));
278
+ gen_aa32_ld16u_iss(s, tmp, addr, get_mem_index(s),
279
+ rs | ISSIsAcqRel);
280
break;
281
case 2: /* lda */
282
- gen_aa32_ld32u(s, tmp, addr, get_mem_index(s));
283
+ gen_aa32_ld32u_iss(s, tmp, addr, get_mem_index(s),
284
+ rs | ISSIsAcqRel);
285
break;
286
default:
287
abort();
288
@@ -XXX,XX +XXX,XX @@ static int disas_thumb2_insn(CPUARMState *env, DisasContext *s, uint16_t insn_hw
289
tmp = load_reg(s, rs);
290
switch (op) {
291
case 0: /* stlb */
292
- gen_aa32_st8(s, tmp, addr, get_mem_index(s));
293
+ gen_aa32_st8_iss(s, tmp, addr, get_mem_index(s),
294
+ rs | ISSIsAcqRel);
295
break;
296
case 1: /* stlh */
297
- gen_aa32_st16(s, tmp, addr, get_mem_index(s));
298
+ gen_aa32_st16_iss(s, tmp, addr, get_mem_index(s),
299
+ rs | ISSIsAcqRel);
300
break;
301
case 2: /* stl */
302
- gen_aa32_st32(s, tmp, addr, get_mem_index(s));
303
+ gen_aa32_st32_iss(s, tmp, addr, get_mem_index(s),
304
+ rs | ISSIsAcqRel);
305
break;
306
default:
307
abort();
308
@@ -XXX,XX +XXX,XX @@ static int disas_thumb2_insn(CPUARMState *env, DisasContext *s, uint16_t insn_hw
309
int postinc = 0;
310
int writeback = 0;
311
int memidx;
312
+ ISSInfo issinfo;
313
+
314
if ((insn & 0x01100000) == 0x01000000) {
315
if (disas_neon_ls_insn(s, insn)) {
316
goto illegal_op;
317
@@ -XXX,XX +XXX,XX @@ static int disas_thumb2_insn(CPUARMState *env, DisasContext *s, uint16_t insn_hw
318
}
319
}
320
}
321
+
322
+ issinfo = writeback ? ISSInvalid : rs;
323
+
324
if (insn & (1 << 20)) {
325
/* Load. */
326
tmp = tcg_temp_new_i32();
327
switch (op) {
328
case 0:
329
- gen_aa32_ld8u(s, tmp, addr, memidx);
330
+ gen_aa32_ld8u_iss(s, tmp, addr, memidx, issinfo);
331
break;
332
case 4:
333
- gen_aa32_ld8s(s, tmp, addr, memidx);
334
+ gen_aa32_ld8s_iss(s, tmp, addr, memidx, issinfo);
335
break;
336
case 1:
337
- gen_aa32_ld16u(s, tmp, addr, memidx);
338
+ gen_aa32_ld16u_iss(s, tmp, addr, memidx, issinfo);
339
break;
340
case 5:
341
- gen_aa32_ld16s(s, tmp, addr, memidx);
342
+ gen_aa32_ld16s_iss(s, tmp, addr, memidx, issinfo);
343
break;
344
case 2:
345
- gen_aa32_ld32u(s, tmp, addr, memidx);
346
+ gen_aa32_ld32u_iss(s, tmp, addr, memidx, issinfo);
347
break;
348
default:
349
tcg_temp_free_i32(tmp);
350
@@ -XXX,XX +XXX,XX @@ static int disas_thumb2_insn(CPUARMState *env, DisasContext *s, uint16_t insn_hw
351
tmp = load_reg(s, rs);
352
switch (op) {
353
case 0:
354
- gen_aa32_st8(s, tmp, addr, memidx);
355
+ gen_aa32_st8_iss(s, tmp, addr, memidx, issinfo);
356
break;
357
case 1:
358
- gen_aa32_st16(s, tmp, addr, memidx);
359
+ gen_aa32_st16_iss(s, tmp, addr, memidx, issinfo);
360
break;
361
case 2:
362
- gen_aa32_st32(s, tmp, addr, memidx);
363
+ gen_aa32_st32_iss(s, tmp, addr, memidx, issinfo);
364
break;
365
default:
366
tcg_temp_free_i32(tmp);
367
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(CPUARMState *env, DisasContext *s)
368
addr = tcg_temp_new_i32();
369
tcg_gen_movi_i32(addr, val);
370
tmp = tcg_temp_new_i32();
371
- gen_aa32_ld32u(s, tmp, addr, get_mem_index(s));
372
+ gen_aa32_ld32u_iss(s, tmp, addr, get_mem_index(s),
373
+ rd | ISSIs16Bit);
374
tcg_temp_free_i32(addr);
375
store_reg(s, rd, tmp);
376
break;
377
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(CPUARMState *env, DisasContext *s)
378
379
switch (op) {
380
case 0: /* str */
381
- gen_aa32_st32(s, tmp, addr, get_mem_index(s));
382
+ gen_aa32_st32_iss(s, tmp, addr, get_mem_index(s), rd | ISSIs16Bit);
383
break;
384
case 1: /* strh */
385
- gen_aa32_st16(s, tmp, addr, get_mem_index(s));
386
+ gen_aa32_st16_iss(s, tmp, addr, get_mem_index(s), rd | ISSIs16Bit);
387
break;
388
case 2: /* strb */
389
- gen_aa32_st8(s, tmp, addr, get_mem_index(s));
390
+ gen_aa32_st8_iss(s, tmp, addr, get_mem_index(s), rd | ISSIs16Bit);
391
break;
392
case 3: /* ldrsb */
393
- gen_aa32_ld8s(s, tmp, addr, get_mem_index(s));
394
+ gen_aa32_ld8s_iss(s, tmp, addr, get_mem_index(s), rd | ISSIs16Bit);
395
break;
396
case 4: /* ldr */
397
- gen_aa32_ld32u(s, tmp, addr, get_mem_index(s));
398
+ gen_aa32_ld32u_iss(s, tmp, addr, get_mem_index(s), rd | ISSIs16Bit);
399
break;
400
case 5: /* ldrh */
401
- gen_aa32_ld16u(s, tmp, addr, get_mem_index(s));
402
+ gen_aa32_ld16u_iss(s, tmp, addr, get_mem_index(s), rd | ISSIs16Bit);
403
break;
404
case 6: /* ldrb */
405
- gen_aa32_ld8u(s, tmp, addr, get_mem_index(s));
406
+ gen_aa32_ld8u_iss(s, tmp, addr, get_mem_index(s), rd | ISSIs16Bit);
407
break;
408
case 7: /* ldrsh */
409
- gen_aa32_ld16s(s, tmp, addr, get_mem_index(s));
410
+ gen_aa32_ld16s_iss(s, tmp, addr, get_mem_index(s), rd | ISSIs16Bit);
411
break;
412
}
413
if (op >= 3) { /* load */
414
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(CPUARMState *env, DisasContext *s)
415
if (insn & (1 << 11)) {
416
/* load */
417
tmp = tcg_temp_new_i32();
418
- gen_aa32_ld8u(s, tmp, addr, get_mem_index(s));
419
+ gen_aa32_ld8u_iss(s, tmp, addr, get_mem_index(s), rd | ISSIs16Bit);
420
store_reg(s, rd, tmp);
421
} else {
422
/* store */
423
tmp = load_reg(s, rd);
424
- gen_aa32_st8(s, tmp, addr, get_mem_index(s));
425
+ gen_aa32_st8_iss(s, tmp, addr, get_mem_index(s), rd | ISSIs16Bit);
426
tcg_temp_free_i32(tmp);
427
}
428
tcg_temp_free_i32(addr);
429
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(CPUARMState *env, DisasContext *s)
430
if (insn & (1 << 11)) {
431
/* load */
432
tmp = tcg_temp_new_i32();
433
- gen_aa32_ld16u(s, tmp, addr, get_mem_index(s));
434
+ gen_aa32_ld16u_iss(s, tmp, addr, get_mem_index(s), rd | ISSIs16Bit);
435
store_reg(s, rd, tmp);
436
} else {
437
/* store */
438
tmp = load_reg(s, rd);
439
- gen_aa32_st16(s, tmp, addr, get_mem_index(s));
440
+ gen_aa32_st16_iss(s, tmp, addr, get_mem_index(s), rd | ISSIs16Bit);
441
tcg_temp_free_i32(tmp);
442
}
443
tcg_temp_free_i32(addr);
444
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(CPUARMState *env, DisasContext *s)
445
if (insn & (1 << 11)) {
446
/* load */
447
tmp = tcg_temp_new_i32();
448
- gen_aa32_ld32u(s, tmp, addr, get_mem_index(s));
449
+ gen_aa32_ld32u_iss(s, tmp, addr, get_mem_index(s), rd | ISSIs16Bit);
450
store_reg(s, rd, tmp);
451
} else {
452
/* store */
453
tmp = load_reg(s, rd);
454
- gen_aa32_st32(s, tmp, addr, get_mem_index(s));
455
+ gen_aa32_st32_iss(s, tmp, addr, get_mem_index(s), rd | ISSIs16Bit);
456
tcg_temp_free_i32(tmp);
457
}
458
tcg_temp_free_i32(addr);
459
@@ -XXX,XX +XXX,XX @@ void gen_intermediate_code(CPUARMState *env, TranslationBlock *tb)
460
store_cpu_field(tmp, condexec_bits);
461
}
462
do {
463
+ dc->insn_start_idx = tcg_op_buf_count();
464
tcg_gen_insn_start(dc->pc,
465
(dc->condexec_cond << 4) | (dc->condexec_mask >> 1),
466
0);
467
--
58
--
468
2.7.4
59
2.20.1
469
60
470
61
diff view generated by jsdifflib
[Qemu-devel] [PULL 07/13] Fix Thumb-1 BE32 execution and disassembly.
[Qemu-devel] [PULL 03/10] hw/ssi/xilinx_spips: Avoid AXI writes to the LQSPI linear memory
1
From: Julian Brown <julian@codesourcery.com>
1
From: Philippe Mathieu-Daudé <philmd@redhat.com>
2
2
3
Thumb-1 code has some issues in BE32 mode (as currently implemented). In
3
Lei Sun found while auditing the code that a CPU write would
4
short, since bytes are swapped within words at load time for BE32
4
trigger a NULL pointer dereference.
5
executables, this also swaps pairs of adjacent Thumb-1 instructions.
6
5
7
This patch un-swaps those pairs of instructions again, both for execution,
6
>From UG1085 datasheet [*] AXI writes in this region are ignored
8
and for disassembly. (The previous version of the patch always read four
7
and generates an AXI Slave Error (SLVERR).
9
bytes in arm_read_memory_func and then extracted the proper two bytes,
10
in a probably misguided attempt to match the behaviour of actual hardware
11
as described by e.g. the ARM9TDMI TRM, section 3.3 "Endian effects for
12
instruction fetches". It's less complicated to just read the correct
13
two bytes though.)
14
8
15
Signed-off-by: Julian Brown <julian@codesourcery.com>
9
Fix by implementing the write_with_attrs() handler.
16
Message-id: ca20462a044848000370318a8bd41dd0a4ed273f.1484929304.git.julian@codesourcery.com
10
Return MEMTX_ERROR when the region is accessed (this error maps
17
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
11
to an AXI slave error).
12
13
[*] https://www.xilinx.com/support/documentation/user_guides/ug1085-zynq-ultrascale-trm.pdf
14
15
Reported-by: Lei Sun <slei.casper@gmail.com>
16
Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
17
Tested-by: Francisco Iglesias <frasse.iglesias@gmail.com>
18
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
18
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
19
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
19
---
20
---
20
include/disas/bfd.h | 7 +++++++
21
hw/ssi/xilinx_spips.c | 16 ++++++++++++++++
21
target/arm/arm_ldst.h | 10 +++++++++-
22
1 file changed, 16 insertions(+)
22
disas.c | 1 +
23
target/arm/cpu.c | 23 +++++++++++++++++++++++
24
4 files changed, 40 insertions(+), 1 deletion(-)
25
23
26
diff --git a/include/disas/bfd.h b/include/disas/bfd.h
24
diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
27
index XXXXXXX..XXXXXXX 100644
25
index XXXXXXX..XXXXXXX 100644
28
--- a/include/disas/bfd.h
26
--- a/hw/ssi/xilinx_spips.c
29
+++ b/include/disas/bfd.h
27
+++ b/hw/ssi/xilinx_spips.c
30
@@ -XXX,XX +XXX,XX @@ typedef struct disassemble_info {
28
@@ -XXX,XX +XXX,XX @@ static MemTxResult lqspi_read(void *opaque, hwaddr addr, uint64_t *value,
31
The bottom 16 bits are for the internal use of the disassembler. */
29
return lqspi_read(opaque, addr, value, size, attrs);
32
unsigned long flags;
30
}
33
#define INSN_HAS_RELOC    0x80000000
31
34
+#define INSN_ARM_BE32    0x00010000
32
+static MemTxResult lqspi_write(void *opaque, hwaddr offset, uint64_t value,
35
PTR private_data;
33
+ unsigned size, MemTxAttrs attrs)
36
34
+{
37
/* Function used to get bytes to disassemble. MEMADDR is the
35
+ /*
38
@@ -XXX,XX +XXX,XX @@ typedef struct disassemble_info {
36
+ * From UG1085, Chapter 24 (Quad-SPI controllers):
39
(bfd_vma memaddr, bfd_byte *myaddr, int length,
37
+ * - Writes are ignored
40
     struct disassemble_info *info);
38
+ * - AXI writes generate an external AXI slave error (SLVERR)
41
39
+ */
42
+ /* A place to stash the real read_memory_func if read_memory_func wants to
40
+ qemu_log_mask(LOG_GUEST_ERROR, "%s Unexpected %u-bit access to 0x%" PRIx64
43
+ do some funky address arithmetic or similar (e.g. for ARM BE32 mode). */
41
+ " (value: 0x%" PRIx64 "\n",
44
+ int (*read_memory_inner_func)
42
+ __func__, size << 3, offset, value);
45
+ (bfd_vma memaddr, bfd_byte *myaddr, int length,
46
+ struct disassemble_info *info);
47
+
43
+
48
/* Function which should be called if we get an error that we can't
44
+ return MEMTX_ERROR;
49
recover from. STATUS is the errno value from read_memory_func and
50
MEMADDR is the address that we were trying to read. INFO is a
51
diff --git a/target/arm/arm_ldst.h b/target/arm/arm_ldst.h
52
index XXXXXXX..XXXXXXX 100644
53
--- a/target/arm/arm_ldst.h
54
+++ b/target/arm/arm_ldst.h
55
@@ -XXX,XX +XXX,XX @@ static inline uint32_t arm_ldl_code(CPUARMState *env, target_ulong addr,
56
static inline uint16_t arm_lduw_code(CPUARMState *env, target_ulong addr,
57
bool sctlr_b)
58
{
59
- uint16_t insn = cpu_lduw_code(env, addr);
60
+ uint16_t insn;
61
+#ifndef CONFIG_USER_ONLY
62
+ /* In big-endian (BE32) mode, adjacent Thumb instructions have been swapped
63
+ within each word. Undo that now. */
64
+ if (sctlr_b) {
65
+ addr ^= 2;
66
+ }
67
+#endif
68
+ insn = cpu_lduw_code(env, addr);
69
if (bswap_code(sctlr_b)) {
70
return bswap16(insn);
71
}
72
diff --git a/disas.c b/disas.c
73
index XXXXXXX..XXXXXXX 100644
74
--- a/disas.c
75
+++ b/disas.c
76
@@ -XXX,XX +XXX,XX @@ void target_disas(FILE *out, CPUState *cpu, target_ulong code,
77
78
s.cpu = cpu;
79
s.info.read_memory_func = target_read_memory;
80
+ s.info.read_memory_inner_func = NULL;
81
s.info.buffer_vma = code;
82
s.info.buffer_length = size;
83
s.info.print_address_func = generic_print_address;
84
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
85
index XXXXXXX..XXXXXXX 100644
86
--- a/target/arm/cpu.c
87
+++ b/target/arm/cpu.c
88
@@ -XXX,XX +XXX,XX @@ print_insn_thumb1(bfd_vma pc, disassemble_info *info)
89
return print_insn_arm(pc | 1, info);
90
}
91
92
+static int arm_read_memory_func(bfd_vma memaddr, bfd_byte *b,
93
+ int length, struct disassemble_info *info)
94
+{
95
+ assert(info->read_memory_inner_func);
96
+ assert((info->flags & INSN_ARM_BE32) == 0 || length == 2 || length == 4);
97
+
98
+ if ((info->flags & INSN_ARM_BE32) != 0 && length == 2) {
99
+ assert(info->endian == BFD_ENDIAN_LITTLE);
100
+ return info->read_memory_inner_func(memaddr ^ 2, (bfd_byte *)b, 2,
101
+ info);
102
+ } else {
103
+ return info->read_memory_inner_func(memaddr, b, length, info);
104
+ }
105
+}
45
+}
106
+
46
+
107
static void arm_disas_set_info(CPUState *cpu, disassemble_info *info)
47
static const MemoryRegionOps lqspi_ops = {
108
{
48
.read_with_attrs = lqspi_read,
109
ARMCPU *ac = ARM_CPU(cpu);
49
+ .write_with_attrs = lqspi_write,
110
@@ -XXX,XX +XXX,XX @@ static void arm_disas_set_info(CPUState *cpu, disassemble_info *info)
50
.endianness = DEVICE_NATIVE_ENDIAN,
111
info->endian = BFD_ENDIAN_BIG;
51
.valid = {
112
#endif
52
.min_access_size = 1,
113
}
114
+ if (info->read_memory_inner_func == NULL) {
115
+ info->read_memory_inner_func = info->read_memory_func;
116
+ info->read_memory_func = arm_read_memory_func;
117
+ }
118
+ info->flags &= ~INSN_ARM_BE32;
119
+ if (arm_sctlr_b(env)) {
120
+ info->flags |= INSN_ARM_BE32;
121
+ }
122
}
123
124
static void arm_cpu_initfn(Object *obj)
125
--
53
--
126
2.7.4
54
2.20.1
127
55
128
56
diff view generated by jsdifflib
[Qemu-devel] [PULL 04/13] sd: sdhci: check data length during dma_memory_read
[Qemu-devel] [PULL 04/10] hw/ssi/xilinx_spips: Avoid out-of-bound access to lqspi_buf[]
1
From: Prasad J Pandit <pjp@fedoraproject.org>
1
From: Philippe Mathieu-Daudé <philmd@redhat.com>
2
2
3
While doing multi block SDMA transfer in routine
3
Both lqspi_read() and lqspi_load_cache() expect a 32-bit
4
'sdhci_sdma_transfer_multi_blocks', the 's->fifo_buffer' starting
4
aligned address.
5
index 'begin' and data length 's->data_count' could end up to be same.
6
This could lead to an OOB access issue. Correct transfer data length
7
to avoid it.
8
5
9
Cc: qemu-stable@nongnu.org
6
>From UG1085 datasheet [*] chapter on 'Quad-SPI Controller':
10
Reported-by: Jiang Xin <jiangxin1@huawei.com>
7
11
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
8
Transfer Size Limitations
12
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
9
13
Message-id: 20170130064736.9236-1-ppandit@redhat.com
10
Because of the 32-bit wide TX, RX, and generic FIFO, all
11
APB/AXI transfers must be an integer multiple of 4-bytes.
12
Shorter transfers are not possible.
13
14
Set MemoryRegionOps.impl values to force 32-bit accesses,
15
this way we are sure we do not access the lqspi_buf[] array
16
out of bound.
17
18
[*] https://www.xilinx.com/support/documentation/user_guides/ug1085-zynq-ultrascale-trm.pdf
19
20
Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
21
Tested-by: Francisco Iglesias <frasse.iglesias@gmail.com>
22
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
14
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
23
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
15
---
24
---
16
hw/sd/sdhci.c | 2 +-
25
hw/ssi/xilinx_spips.c | 4 ++++
17
1 file changed, 1 insertion(+), 1 deletion(-)
26
1 file changed, 4 insertions(+)
18
27
19
diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
28
diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
20
index XXXXXXX..XXXXXXX 100644
29
index XXXXXXX..XXXXXXX 100644
21
--- a/hw/sd/sdhci.c
30
--- a/hw/ssi/xilinx_spips.c
22
+++ b/hw/sd/sdhci.c
31
+++ b/hw/ssi/xilinx_spips.c
23
@@ -XXX,XX +XXX,XX @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
32
@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps lqspi_ops = {
24
boundary_count -= block_size - begin;
33
.read_with_attrs = lqspi_read,
25
}
34
.write_with_attrs = lqspi_write,
26
dma_memory_read(&address_space_memory, s->sdmasysad,
35
.endianness = DEVICE_NATIVE_ENDIAN,
27
- &s->fifo_buffer[begin], s->data_count);
36
+ .impl = {
28
+ &s->fifo_buffer[begin], s->data_count - begin);
37
+ .min_access_size = 4,
29
s->sdmasysad += s->data_count - begin;
38
+ .max_access_size = 4,
30
if (s->data_count == block_size) {
39
+ },
31
for (n = 0; n < block_size; n++) {
40
.valid = {
41
.min_access_size = 1,
42
.max_access_size = 4
32
--
43
--
33
2.7.4
44
2.20.1
34
45
35
46
diff view generated by jsdifflib
[Qemu-devel] [PULL 03/13] aspeed: add a watchdog controller
[Qemu-devel] [PULL 05/10] hw/ssi/mss-spi: Avoid crash when reading empty RX FIFO
1
From: Cédric Le Goater <clg@kaod.org>
1
From: Philippe Mathieu-Daudé <philmd@redhat.com>
2
2
3
This enables reboot of a guest from U-Boot and Linux.
3
Reading the RX_DATA register when the RX_FIFO is empty triggers
4
an abort. This can be easily reproduced:
4
5
5
Signed-off-by: Cédric Le Goater <clg@kaod.org>
6
$ qemu-system-arm -M emcraft-sf2 -monitor stdio -S
6
Reviewed-by: Joel Stanley <joel@jms.id.au>
7
QEMU 4.0.50 monitor - type 'help' for more information
7
Message-id: 1485452251-1593-3-git-send-email-clg@kaod.org
8
(qemu) x 0x40001010
9
Aborted (core dumped)
10
11
(gdb) bt
12
#1 0x00007f035874f895 in abort () at /lib64/libc.so.6
13
#2 0x00005628686591ff in fifo8_pop (fifo=0x56286a9a4c68) at util/fifo8.c:66
14
#3 0x00005628683e0b8e in fifo32_pop (fifo=0x56286a9a4c68) at include/qemu/fifo32.h:137
15
#4 0x00005628683e0efb in spi_read (opaque=0x56286a9a4850, addr=4, size=4) at hw/ssi/mss-spi.c:168
16
#5 0x0000562867f96801 in memory_region_read_accessor (mr=0x56286a9a4b60, addr=16, value=0x7ffeecb0c5c8, size=4, shift=0, mask=4294967295, attrs=...) at memory.c:439
17
#6 0x0000562867f96cdb in access_with_adjusted_size (addr=16, value=0x7ffeecb0c5c8, size=4, access_size_min=1, access_size_max=4, access_fn=0x562867f967c3 <memory_region_read_accessor>, mr=0x56286a9a4b60, attrs=...) at memory.c:569
18
#7 0x0000562867f99940 in memory_region_dispatch_read1 (mr=0x56286a9a4b60, addr=16, pval=0x7ffeecb0c5c8, size=4, attrs=...) at memory.c:1420
19
#8 0x0000562867f99a08 in memory_region_dispatch_read (mr=0x56286a9a4b60, addr=16, pval=0x7ffeecb0c5c8, size=4, attrs=...) at memory.c:1447
20
#9 0x0000562867f38721 in flatview_read_continue (fv=0x56286aec6360, addr=1073745936, attrs=..., buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4, addr1=16, l=4, mr=0x56286a9a4b60) at exec.c:3385
21
#10 0x0000562867f38874 in flatview_read (fv=0x56286aec6360, addr=1073745936, attrs=..., buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4) at exec.c:3423
22
#11 0x0000562867f388ea in address_space_read_full (as=0x56286aa3e890, addr=1073745936, attrs=..., buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4) at exec.c:3436
23
#12 0x0000562867f389c5 in address_space_rw (as=0x56286aa3e890, addr=1073745936, attrs=..., buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4, is_write=false) at exec.c:3466
24
#13 0x0000562867f3bdd7 in cpu_memory_rw_debug (cpu=0x56286aa19d00, addr=1073745936, buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4, is_write=0) at exec.c:3976
25
#14 0x000056286811ed51 in memory_dump (mon=0x56286a8c32d0, count=1, format=120, wsize=4, addr=1073745936, is_physical=0) at monitor/misc.c:730
26
#15 0x000056286811eff1 in hmp_memory_dump (mon=0x56286a8c32d0, qdict=0x56286b15c400) at monitor/misc.c:785
27
#16 0x00005628684740ee in handle_hmp_command (mon=0x56286a8c32d0, cmdline=0x56286a8caeb2 "0x40001010") at monitor/hmp.c:1082
28
29
From the datasheet "Actel SmartFusion Microcontroller Subsystem
30
User's Guide" Rev.1, Table 13-3 "SPI Register Summary", this
31
register has a reset value of 0.
32
33
Check the FIFO is not empty before accessing it, else log an
34
error message.
35
36
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
37
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
38
Message-id: 20190709113715.7761-3-philmd@redhat.com
8
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
39
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
9
---
40
---
10
include/hw/arm/aspeed_soc.h | 2 ++
41
hw/ssi/mss-spi.c | 8 +++++++-
11
hw/arm/aspeed_soc.c | 13 +++++++++++++
42
1 file changed, 7 insertions(+), 1 deletion(-)
12
2 files changed, 15 insertions(+)
13
43
14
diff --git a/include/hw/arm/aspeed_soc.h b/include/hw/arm/aspeed_soc.h
44
diff --git a/hw/ssi/mss-spi.c b/hw/ssi/mss-spi.c
15
index XXXXXXX..XXXXXXX 100644
45
index XXXXXXX..XXXXXXX 100644
16
--- a/include/hw/arm/aspeed_soc.h
46
--- a/hw/ssi/mss-spi.c
17
+++ b/include/hw/arm/aspeed_soc.h
47
+++ b/hw/ssi/mss-spi.c
18
@@ -XXX,XX +XXX,XX @@
48
@@ -XXX,XX +XXX,XX @@ spi_read(void *opaque, hwaddr addr, unsigned int size)
19
#include "hw/timer/aspeed_timer.h"
49
case R_SPI_RX:
20
#include "hw/i2c/aspeed_i2c.h"
50
s->regs[R_SPI_STATUS] &= ~S_RXFIFOFUL;
21
#include "hw/ssi/aspeed_smc.h"
51
s->regs[R_SPI_STATUS] &= ~S_RXCHOVRF;
22
+#include "hw/watchdog/wdt_aspeed.h"
52
- ret = fifo32_pop(&s->rx_fifo);
23
53
+ if (fifo32_is_empty(&s->rx_fifo)) {
24
#define ASPEED_SPIS_NUM 2
54
+ qemu_log_mask(LOG_GUEST_ERROR,
25
55
+ "%s: Reading empty RX_FIFO\n",
26
@@ -XXX,XX +XXX,XX @@ typedef struct AspeedSoCState {
56
+ __func__);
27
AspeedSMCState fmc;
57
+ } else {
28
AspeedSMCState spi[ASPEED_SPIS_NUM];
58
+ ret = fifo32_pop(&s->rx_fifo);
29
AspeedSDMCState sdmc;
59
+ }
30
+ AspeedWDTState wdt;
60
if (fifo32_is_empty(&s->rx_fifo)) {
31
} AspeedSoCState;
61
s->regs[R_SPI_STATUS] |= S_RXFIFOEMP;
32
62
}
33
#define TYPE_ASPEED_SOC "aspeed-soc"
34
diff --git a/hw/arm/aspeed_soc.c b/hw/arm/aspeed_soc.c
35
index XXXXXXX..XXXXXXX 100644
36
--- a/hw/arm/aspeed_soc.c
37
+++ b/hw/arm/aspeed_soc.c
38
@@ -XXX,XX +XXX,XX @@
39
#define ASPEED_SOC_SCU_BASE 0x1E6E2000
40
#define ASPEED_SOC_SRAM_BASE 0x1E720000
41
#define ASPEED_SOC_TIMER_BASE 0x1E782000
42
+#define ASPEED_SOC_WDT_BASE 0x1E785000
43
#define ASPEED_SOC_I2C_BASE 0x1E78A000
44
45
static const int uart_irqs[] = { 9, 32, 33, 34, 10 };
46
@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_init(Object *obj)
47
sc->info->silicon_rev);
48
object_property_add_alias(obj, "ram-size", OBJECT(&s->sdmc),
49
"ram-size", &error_abort);
50
+
51
+ object_initialize(&s->wdt, sizeof(s->wdt), TYPE_ASPEED_WDT);
52
+ object_property_add_child(obj, "wdt", OBJECT(&s->wdt), NULL);
53
+ qdev_set_parent_bus(DEVICE(&s->wdt), sysbus_get_default());
54
}
55
56
static void aspeed_soc_realize(DeviceState *dev, Error **errp)
57
@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_realize(DeviceState *dev, Error **errp)
58
return;
59
}
60
sysbus_mmio_map(SYS_BUS_DEVICE(&s->sdmc), 0, ASPEED_SOC_SDMC_BASE);
61
+
62
+ /* Watch dog */
63
+ object_property_set_bool(OBJECT(&s->wdt), true, "realized", &err);
64
+ if (err) {
65
+ error_propagate(errp, err);
66
+ return;
67
+ }
68
+ sysbus_mmio_map(SYS_BUS_DEVICE(&s->wdt), 0, ASPEED_SOC_WDT_BASE);
69
}
70
71
static void aspeed_soc_class_init(ObjectClass *oc, void *data)
72
--
63
--
73
2.7.4
64
2.20.1
74
65
75
66
diff view generated by jsdifflib
[Qemu-devel] [PULL 01/13] integratorcp: adding vmstate for save/restore
[Qemu-devel] [PULL 06/10] hw/display/xlnx_dp: Avoid crash when reading empty RX FIFO
1
From: Pavel Dovgalyuk <Pavel.Dovgaluk@ispras.ru>
1
From: Philippe Mathieu-Daudé <philmd@redhat.com>
2
2
3
VMState added by this patch preserves correct
3
In the previous commit we fixed a crash when the guest read a
4
loading of the integratorcp device state.
4
register that pop from an empty FIFO.
5
By auditing the repository, we found another similar use with
6
an easy way to reproduce:
5
7
6
Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@ispras.ru>
8
$ qemu-system-aarch64 -M xlnx-zcu102 -monitor stdio -S
7
Message-id: 20170131114310.6768.79416.stgit@PASHA-ISP
9
QEMU 4.0.50 monitor - type 'help' for more information
8
[PMM: removed unnecessary minimum_version_id_old lines]
10
(qemu) xp/b 0xfd4a0134
9
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
11
Aborted (core dumped)
12
13
(gdb) bt
14
#0 0x00007f6936dea57f in raise () at /lib64/libc.so.6
15
#1 0x00007f6936dd4895 in abort () at /lib64/libc.so.6
16
#2 0x0000561ad32975ec in xlnx_dp_aux_pop_rx_fifo (s=0x7f692babee70) at hw/display/xlnx_dp.c:431
17
#3 0x0000561ad3297dc0 in xlnx_dp_read (opaque=0x7f692babee70, offset=77, size=4) at hw/display/xlnx_dp.c:667
18
#4 0x0000561ad321b896 in memory_region_read_accessor (mr=0x7f692babf620, addr=308, value=0x7ffe05c1db88, size=4, shift=0, mask=4294967295, attrs=...) at memory.c:439
19
#5 0x0000561ad321bd70 in access_with_adjusted_size (addr=308, value=0x7ffe05c1db88, size=1, access_size_min=4, access_size_max=4, access_fn=0x561ad321b858 <memory_region_read_accessor>, mr=0x7f692babf620, attrs=...) at memory.c:569
20
#6 0x0000561ad321e9d5 in memory_region_dispatch_read1 (mr=0x7f692babf620, addr=308, pval=0x7ffe05c1db88, size=1, attrs=...) at memory.c:1420
21
#7 0x0000561ad321ea9d in memory_region_dispatch_read (mr=0x7f692babf620, addr=308, pval=0x7ffe05c1db88, size=1, attrs=...) at memory.c:1447
22
#8 0x0000561ad31bd742 in flatview_read_continue (fv=0x561ad69c04f0, addr=4249485620, attrs=..., buf=0x7ffe05c1dcf0 "\020\335\301\005\376\177", len=1, addr1=308, l=1, mr=0x7f692babf620) at exec.c:3385
23
#9 0x0000561ad31bd895 in flatview_read (fv=0x561ad69c04f0, addr=4249485620, attrs=..., buf=0x7ffe05c1dcf0 "\020\335\301\005\376\177", len=1) at exec.c:3423
24
#10 0x0000561ad31bd90b in address_space_read_full (as=0x561ad5bb3020, addr=4249485620, attrs=..., buf=0x7ffe05c1dcf0 "\020\335\301\005\376\177", len=1) at exec.c:3436
25
#11 0x0000561ad33b1c42 in address_space_read (len=1, buf=0x7ffe05c1dcf0 "\020\335\301\005\376\177", attrs=..., addr=4249485620, as=0x561ad5bb3020) at include/exec/memory.h:2131
26
#12 0x0000561ad33b1c42 in memory_dump (mon=0x561ad59c4530, count=1, format=120, wsize=1, addr=4249485620, is_physical=1) at monitor/misc.c:723
27
#13 0x0000561ad33b1fc1 in hmp_physical_memory_dump (mon=0x561ad59c4530, qdict=0x561ad6c6fd00) at monitor/misc.c:795
28
#14 0x0000561ad37b4a9f in handle_hmp_command (mon=0x561ad59c4530, cmdline=0x561ad59d0f22 "/b 0x00000000fd4a0134") at monitor/hmp.c:1082
29
30
Fix by checking the FIFO is not empty before popping from it.
31
32
The datasheet is not clear about the reset value of this register,
33
we choose to return '0'.
34
35
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
36
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
37
Message-id: 20190709113715.7761-4-philmd@redhat.com
10
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
38
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
11
---
39
---
12
hw/arm/integratorcp.c | 59 +++++++++++++++++++++++++++++++++++++++++++++++++++
40
hw/display/xlnx_dp.c | 15 +++++++++++----
13
1 file changed, 59 insertions(+)
41
1 file changed, 11 insertions(+), 4 deletions(-)
14
42
15
diff --git a/hw/arm/integratorcp.c b/hw/arm/integratorcp.c
43
diff --git a/hw/display/xlnx_dp.c b/hw/display/xlnx_dp.c
16
index XXXXXXX..XXXXXXX 100644
44
index XXXXXXX..XXXXXXX 100644
17
--- a/hw/arm/integratorcp.c
45
--- a/hw/display/xlnx_dp.c
18
+++ b/hw/arm/integratorcp.c
46
+++ b/hw/display/xlnx_dp.c
19
@@ -XXX,XX +XXX,XX @@ static uint8_t integrator_spd[128] = {
47
@@ -XXX,XX +XXX,XX @@ static uint8_t xlnx_dp_aux_pop_rx_fifo(XlnxDPState *s)
20
0xe, 4, 0x1c, 1, 2, 0x20, 0xc0, 0, 0, 0, 0, 0x30, 0x28, 0x30, 0x28, 0x40
48
uint8_t ret;
21
};
49
22
50
if (fifo8_is_empty(&s->rx_fifo)) {
23
+static const VMStateDescription vmstate_integratorcm = {
51
- DPRINTF("rx_fifo underflow..\n");
24
+ .name = "integratorcm",
52
- abort();
25
+ .version_id = 1,
53
+ qemu_log_mask(LOG_GUEST_ERROR,
26
+ .minimum_version_id = 1,
54
+ "%s: Reading empty RX_FIFO\n",
27
+ .fields = (VMStateField[]) {
55
+ __func__);
28
+ VMSTATE_UINT32(cm_osc, IntegratorCMState),
56
+ /*
29
+ VMSTATE_UINT32(cm_ctrl, IntegratorCMState),
57
+ * The datasheet is not clear about the reset value, it seems
30
+ VMSTATE_UINT32(cm_lock, IntegratorCMState),
58
+ * to be unspecified. We choose to return '0'.
31
+ VMSTATE_UINT32(cm_auxosc, IntegratorCMState),
59
+ */
32
+ VMSTATE_UINT32(cm_sdram, IntegratorCMState),
60
+ ret = 0;
33
+ VMSTATE_UINT32(cm_init, IntegratorCMState),
61
+ } else {
34
+ VMSTATE_UINT32(cm_flags, IntegratorCMState),
62
+ ret = fifo8_pop(&s->rx_fifo);
35
+ VMSTATE_UINT32(cm_nvflags, IntegratorCMState),
63
+ DPRINTF("pop 0x%" PRIX8 " from rx_fifo.\n", ret);
36
+ VMSTATE_UINT32(int_level, IntegratorCMState),
64
}
37
+ VMSTATE_UINT32(irq_enabled, IntegratorCMState),
65
- ret = fifo8_pop(&s->rx_fifo);
38
+ VMSTATE_UINT32(fiq_enabled, IntegratorCMState),
66
- DPRINTF("pop 0x%" PRIX8 " from rx_fifo.\n", ret);
39
+ VMSTATE_END_OF_LIST()
67
return ret;
40
+ }
41
+};
42
+
43
static uint64_t integratorcm_read(void *opaque, hwaddr offset,
44
unsigned size)
45
{
46
@@ -XXX,XX +XXX,XX @@ typedef struct icp_pic_state {
47
qemu_irq parent_fiq;
48
} icp_pic_state;
49
50
+static const VMStateDescription vmstate_icp_pic = {
51
+ .name = "icp_pic",
52
+ .version_id = 1,
53
+ .minimum_version_id = 1,
54
+ .fields = (VMStateField[]) {
55
+ VMSTATE_UINT32(level, icp_pic_state),
56
+ VMSTATE_UINT32(irq_enabled, icp_pic_state),
57
+ VMSTATE_UINT32(fiq_enabled, icp_pic_state),
58
+ VMSTATE_END_OF_LIST()
59
+ }
60
+};
61
+
62
static void icp_pic_update(icp_pic_state *s)
63
{
64
uint32_t flags;
65
@@ -XXX,XX +XXX,XX @@ typedef struct ICPCtrlRegsState {
66
#define ICP_INTREG_WPROT (1 << 0)
67
#define ICP_INTREG_CARDIN (1 << 3)
68
69
+static const VMStateDescription vmstate_icp_control = {
70
+ .name = "icp_control",
71
+ .version_id = 1,
72
+ .minimum_version_id = 1,
73
+ .fields = (VMStateField[]) {
74
+ VMSTATE_UINT32(intreg_state, ICPCtrlRegsState),
75
+ VMSTATE_END_OF_LIST()
76
+ }
77
+};
78
+
79
static uint64_t icp_control_read(void *opaque, hwaddr offset,
80
unsigned size)
81
{
82
@@ -XXX,XX +XXX,XX @@ static void core_class_init(ObjectClass *klass, void *data)
83
84
dc->props = core_properties;
85
dc->realize = integratorcm_realize;
86
+ dc->vmsd = &vmstate_integratorcm;
87
+}
88
+
89
+static void icp_pic_class_init(ObjectClass *klass, void *data)
90
+{
91
+ DeviceClass *dc = DEVICE_CLASS(klass);
92
+
93
+ dc->vmsd = &vmstate_icp_pic;
94
+}
95
+
96
+static void icp_control_class_init(ObjectClass *klass, void *data)
97
+{
98
+ DeviceClass *dc = DEVICE_CLASS(klass);
99
+
100
+ dc->vmsd = &vmstate_icp_control;
101
}
68
}
102
69
103
static const TypeInfo core_info = {
104
@@ -XXX,XX +XXX,XX @@ static const TypeInfo icp_pic_info = {
105
.parent = TYPE_SYS_BUS_DEVICE,
106
.instance_size = sizeof(icp_pic_state),
107
.instance_init = icp_pic_init,
108
+ .class_init = icp_pic_class_init,
109
};
110
111
static const TypeInfo icp_ctrl_regs_info = {
112
@@ -XXX,XX +XXX,XX @@ static const TypeInfo icp_ctrl_regs_info = {
113
.parent = TYPE_SYS_BUS_DEVICE,
114
.instance_size = sizeof(ICPCtrlRegsState),
115
.instance_init = icp_control_init,
116
+ .class_init = icp_control_class_init,
117
};
118
119
static void integratorcp_register_types(void)
120
--
70
--
121
2.7.4
71
2.20.1
122
72
123
73
diff view generated by jsdifflib
[Qemu-devel] [PULL 05/13] hw/arm/integratorcp: Support specifying features via -cpu
[Qemu-devel] [PULL 07/10] hw/arm/virt: Fix non-secure flash mode
1
From: Julian Brown <julian@codesourcery.com>
1
From: David Engraf <david.engraf@sysgo.com>
2
2
3
Since the integratorcp board creates the CPU object directly
3
Using the whole 128 MiB flash in non-secure mode is not working because
4
rather than via cpu_arm_init(), we have to call the CPU
4
virt_flash_fdt() expects the same address for secure_sysmem and sysmem.
5
class parse_features() method ourselves if we want to
5
This is not correctly handled by caller because it forwards NULL for
6
support the user passing features via the -cpu command
6
secure_sysmem in non-secure flash mode.
7
line argument as well as just the cpu name. Do so.
8
7
9
Signed-off-by: Julian Brown <julian@codesourcery.com>
8
Fixed by using sysmem when secure_sysmem is NULL.
10
[PMM: split out into its own patch]
9
10
Signed-off-by: David Engraf <david.engraf@sysgo.com>
11
Message-id: 20190712075002.14326-1-david.engraf@sysgo.com
11
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
12
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
12
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
13
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
13
---
14
---
14
hw/arm/integratorcp.c | 19 +++++++++++++++++--
15
hw/arm/virt.c | 2 +-
15
1 file changed, 17 insertions(+), 2 deletions(-)
16
1 file changed, 1 insertion(+), 1 deletion(-)
16
17
17
diff --git a/hw/arm/integratorcp.c b/hw/arm/integratorcp.c
18
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
18
index XXXXXXX..XXXXXXX 100644
19
index XXXXXXX..XXXXXXX 100644
19
--- a/hw/arm/integratorcp.c
20
--- a/hw/arm/virt.c
20
+++ b/hw/arm/integratorcp.c
21
+++ b/hw/arm/virt.c
21
@@ -XXX,XX +XXX,XX @@ static void integratorcp_init(MachineState *machine)
22
@@ -XXX,XX +XXX,XX @@ static void machvirt_init(MachineState *machine)
22
const char *kernel_filename = machine->kernel_filename;
23
&machine->device_memory->mr);
23
const char *kernel_cmdline = machine->kernel_cmdline;
24
const char *initrd_filename = machine->initrd_filename;
25
+ char **cpustr;
26
ObjectClass *cpu_oc;
27
+ CPUClass *cc;
28
Object *cpuobj;
29
ARMCPU *cpu;
30
+ const char *typename;
31
MemoryRegion *address_space_mem = get_system_memory();
32
MemoryRegion *ram = g_new(MemoryRegion, 1);
33
MemoryRegion *ram_alias = g_new(MemoryRegion, 1);
34
qemu_irq pic[32];
35
DeviceState *dev, *sic, *icp;
36
int i;
37
+ Error *err = NULL;
38
39
if (!cpu_model) {
40
cpu_model = "arm926";
41
}
24
}
42
25
43
- cpu_oc = cpu_class_by_name(TYPE_ARM_CPU, cpu_model);
26
- virt_flash_fdt(vms, sysmem, secure_sysmem);
44
+ cpustr = g_strsplit(cpu_model, ",", 2);
27
+ virt_flash_fdt(vms, sysmem, secure_sysmem ?: sysmem);
45
+
28
46
+ cpu_oc = cpu_class_by_name(TYPE_ARM_CPU, cpustr[0]);
29
create_gic(vms, pic);
47
if (!cpu_oc) {
30
48
fprintf(stderr, "Unable to find CPU definition\n");
49
exit(1);
50
}
51
+ typename = object_class_get_name(cpu_oc);
52
+
53
+ cc = CPU_CLASS(cpu_oc);
54
+ cc->parse_features(typename, cpustr[1], &err);
55
+ g_strfreev(cpustr);
56
+ if (err) {
57
+ error_report_err(err);
58
+ exit(1);
59
+ }
60
61
- cpuobj = object_new(object_class_get_name(cpu_oc));
62
+ cpuobj = object_new(typename);
63
64
/* By default ARM1176 CPUs have EL3 enabled. This board does not
65
* currently support EL3 so the CPU EL3 property is disabled before
66
--
31
--
67
2.7.4
32
2.20.1
68
33
69
34
diff view generated by jsdifflib
[Qemu-devel] [PULL 02/13] wdt: Add Aspeed watchdog device model
[Qemu-devel] [PULL 08/10] pl031: Correctly migrate state when using -rtc clock=host
1
From: Cédric Le Goater <clg@kaod.org>
1
The PL031 RTC tracks the difference between the guest RTC
2
2
and the host RTC using a tick_offset field. For migration,
3
The Aspeed SoC includes a set of watchdog timers using 32-bit
3
however, we currently always migrate the offset between
4
decrement counters, which can be based either on the APB clock or
4
the guest and the vm_clock, even if the RTC clock is not
5
a 1 MHz clock.
5
the same as the vm_clock; this was an attempt to retain
6
6
migration backwards compatibility.
7
The watchdog timer is designed to prevent system deadlock and, in
7
8
general, it should be restarted before timeout. When a timeout occurs,
8
Unfortunately this results in the RTC behaving oddly across
9
different types of signals can be generated, ARM reset, SOC reset,
9
a VM state save and restore -- since the VM clock stands still
10
System reset, CPU Interrupt, external signal or boot from alternate
10
across save-then-restore, regardless of how much real world
11
block. The current model only performs the system reset function as
11
time has elapsed, the guest RTC ends up out of sync with the
12
this is used by U-Boot and Linux.
12
host RTC in the restored VM.
13
13
14
Signed-off-by: Joel Stanley <joel@jms.id.au>
14
Fix this by migrating the raw tick_offset. To retain migration
15
Message-id: 1485452251-1593-2-git-send-email-clg@kaod.org
15
compatibility as far as possible, we have a new property
16
[clg: - fixed compile breakage
16
migrate-tick-offset; by default this is 'true' and we will
17
- fixed io region size
17
migrate the true tick offset in a new subsection; if the
18
- added watchdog_perform_action() on timer expiry
18
incoming data has no subsection we fall back to the old
19
- wrote a commit log
19
vm_clock-based offset information, so old->new migration
20
- merged fixes from Andrew Jeffery to scale the reload value ]
20
compatibility is preserved. For complete new->old migration
21
Signed-off-by: Cédric Le Goater <clg@kaod.org>
21
compatibility, the property is set to 'false' for 4.0 and
22
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
22
earlier machine types (this will only affect 'virt-4.0'
23
and below, as none of the other pl031-using machines are
24
versioned).
25
26
Reported-by: Russell King <rmk@armlinux.org.uk>
23
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
27
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
28
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
29
Message-id: 20190709143912.28905-1-peter.maydell@linaro.org
24
---
30
---
25
hw/watchdog/Makefile.objs | 1 +
31
include/hw/timer/pl031.h | 2 +
26
include/hw/watchdog/wdt_aspeed.h | 32 ++++++
32
hw/core/machine.c | 1 +
27
hw/watchdog/wdt_aspeed.c | 225 +++++++++++++++++++++++++++++++++++++++
33
hw/timer/pl031.c | 92 ++++++++++++++++++++++++++++++++++++++--
28
3 files changed, 258 insertions(+)
34
3 files changed, 91 insertions(+), 4 deletions(-)
29
create mode 100644 include/hw/watchdog/wdt_aspeed.h
35
30
create mode 100644 hw/watchdog/wdt_aspeed.c
36
diff --git a/include/hw/timer/pl031.h b/include/hw/timer/pl031.h
31
32
diff --git a/hw/watchdog/Makefile.objs b/hw/watchdog/Makefile.objs
33
index XXXXXXX..XXXXXXX 100644
37
index XXXXXXX..XXXXXXX 100644
34
--- a/hw/watchdog/Makefile.objs
38
--- a/include/hw/timer/pl031.h
35
+++ b/hw/watchdog/Makefile.objs
39
+++ b/include/hw/timer/pl031.h
36
@@ -XXX,XX +XXX,XX @@ common-obj-y += watchdog.o
40
@@ -XXX,XX +XXX,XX @@ typedef struct PL031State {
37
common-obj-$(CONFIG_WDT_IB6300ESB) += wdt_i6300esb.o
41
*/
38
common-obj-$(CONFIG_WDT_IB700) += wdt_ib700.o
42
uint32_t tick_offset_vmstate;
39
common-obj-$(CONFIG_WDT_DIAG288) += wdt_diag288.o
43
uint32_t tick_offset;
40
+common-obj-$(CONFIG_ASPEED_SOC) += wdt_aspeed.o
44
+ bool tick_offset_migrated;
41
diff --git a/include/hw/watchdog/wdt_aspeed.h b/include/hw/watchdog/wdt_aspeed.h
45
+ bool migrate_tick_offset;
42
new file mode 100644
46
43
index XXXXXXX..XXXXXXX
47
uint32_t mr;
44
--- /dev/null
48
uint32_t lr;
45
+++ b/include/hw/watchdog/wdt_aspeed.h
49
diff --git a/hw/core/machine.c b/hw/core/machine.c
46
@@ -XXX,XX +XXX,XX @@
50
index XXXXXXX..XXXXXXX 100644
47
+/*
51
--- a/hw/core/machine.c
48
+ * ASPEED Watchdog Controller
52
+++ b/hw/core/machine.c
49
+ *
53
@@ -XXX,XX +XXX,XX @@ GlobalProperty hw_compat_4_0[] = {
50
+ * Copyright (C) 2016-2017 IBM Corp.
54
{ "virtio-gpu-pci", "edid", "false" },
51
+ *
55
{ "virtio-device", "use-started", "false" },
52
+ * This code is licensed under the GPL version 2 or later. See the
56
{ "virtio-balloon-device", "qemu-4-0-config-size", "true" },
53
+ * COPYING file in the top-level directory.
57
+ { "pl031", "migrate-tick-offset", "false" },
54
+ */
58
};
55
+#ifndef ASPEED_WDT_H
59
const size_t hw_compat_4_0_len = G_N_ELEMENTS(hw_compat_4_0);
56
+#define ASPEED_WDT_H
60
57
+
61
diff --git a/hw/timer/pl031.c b/hw/timer/pl031.c
58
+#include "hw/sysbus.h"
62
index XXXXXXX..XXXXXXX 100644
59
+
63
--- a/hw/timer/pl031.c
60
+#define TYPE_ASPEED_WDT "aspeed.wdt"
64
+++ b/hw/timer/pl031.c
61
+#define ASPEED_WDT(obj) \
65
@@ -XXX,XX +XXX,XX @@ static int pl031_pre_save(void *opaque)
62
+ OBJECT_CHECK(AspeedWDTState, (obj), TYPE_ASPEED_WDT)
66
{
63
+
67
PL031State *s = opaque;
64
+#define ASPEED_WDT_REGS_MAX (0x20 / 4)
68
65
+
69
- /* tick_offset is base_time - rtc_clock base time. Instead, we want to
66
+typedef struct AspeedWDTState {
70
- * store the base time relative to the QEMU_CLOCK_VIRTUAL for backwards-compatibility. */
67
+ /*< private >*/
71
+ /*
68
+ SysBusDevice parent_obj;
72
+ * The PL031 device model code uses the tick_offset field, which is
69
+ QEMUTimer *timer;
73
+ * the offset between what the guest RTC should read and what the
70
+
74
+ * QEMU rtc_clock reads:
71
+ /*< public >*/
75
+ * guest_rtc = rtc_clock + tick_offset
72
+ MemoryRegion iomem;
76
+ * and so
73
+ uint32_t regs[ASPEED_WDT_REGS_MAX];
77
+ * tick_offset = guest_rtc - rtc_clock
74
+
78
+ *
75
+ uint32_t pclk_freq;
79
+ * We want to migrate this offset, which sounds straightforward.
76
+} AspeedWDTState;
80
+ * Unfortunately older versions of QEMU migrated a conversion of this
77
+
81
+ * offset into an offset from the vm_clock. (This was in turn an
78
+#endif /* ASPEED_WDT_H */
82
+ * attempt to be compatible with even older QEMU versions, but it
79
diff --git a/hw/watchdog/wdt_aspeed.c b/hw/watchdog/wdt_aspeed.c
83
+ * has incorrect behaviour if the rtc_clock is not the same as the
80
new file mode 100644
84
+ * vm_clock.) So we put the actual tick_offset into a migration
81
index XXXXXXX..XXXXXXX
85
+ * subsection, and the backwards-compatible time-relative-to-vm_clock
82
--- /dev/null
86
+ * in the main migration state.
83
+++ b/hw/watchdog/wdt_aspeed.c
87
+ *
84
@@ -XXX,XX +XXX,XX @@
88
+ * Calculate base time relative to QEMU_CLOCK_VIRTUAL:
85
+/*
89
+ */
86
+ * ASPEED Watchdog Controller
90
int64_t delta = qemu_clock_get_ns(rtc_clock) - qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
87
+ *
91
s->tick_offset_vmstate = s->tick_offset + delta / NANOSECONDS_PER_SECOND;
88
+ * Copyright (C) 2016-2017 IBM Corp.
92
89
+ *
93
return 0;
90
+ * This code is licensed under the GPL version 2 or later. See the
94
}
91
+ * COPYING file in the top-level directory.
95
92
+ */
96
+static int pl031_pre_load(void *opaque)
93
+
94
+#include "qemu/osdep.h"
95
+#include "qemu/log.h"
96
+#include "sysemu/watchdog.h"
97
+#include "hw/sysbus.h"
98
+#include "qemu/timer.h"
99
+#include "hw/watchdog/wdt_aspeed.h"
100
+
101
+#define WDT_STATUS (0x00 / 4)
102
+#define WDT_RELOAD_VALUE (0x04 / 4)
103
+#define WDT_RESTART (0x08 / 4)
104
+#define WDT_CTRL (0x0C / 4)
105
+#define WDT_CTRL_RESET_MODE_SOC (0x00 << 5)
106
+#define WDT_CTRL_RESET_MODE_FULL_CHIP (0x01 << 5)
107
+#define WDT_CTRL_1MHZ_CLK BIT(4)
108
+#define WDT_CTRL_WDT_EXT BIT(3)
109
+#define WDT_CTRL_WDT_INTR BIT(2)
110
+#define WDT_CTRL_RESET_SYSTEM BIT(1)
111
+#define WDT_CTRL_ENABLE BIT(0)
112
+
113
+#define WDT_TIMEOUT_STATUS (0x10 / 4)
114
+#define WDT_TIMEOUT_CLEAR (0x14 / 4)
115
+#define WDT_RESET_WDITH (0x18 / 4)
116
+
117
+#define WDT_RESTART_MAGIC 0x4755
118
+
119
+static bool aspeed_wdt_is_enabled(const AspeedWDTState *s)
120
+{
97
+{
121
+ return s->regs[WDT_CTRL] & WDT_CTRL_ENABLE;
98
+ PL031State *s = opaque;
99
+
100
+ s->tick_offset_migrated = false;
101
+ return 0;
122
+}
102
+}
123
+
103
+
124
+static uint64_t aspeed_wdt_read(void *opaque, hwaddr offset, unsigned size)
104
static int pl031_post_load(void *opaque, int version_id)
105
{
106
PL031State *s = opaque;
107
108
- int64_t delta = qemu_clock_get_ns(rtc_clock) - qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
109
- s->tick_offset = s->tick_offset_vmstate - delta / NANOSECONDS_PER_SECOND;
110
+ /*
111
+ * If we got the tick_offset subsection, then we can just use
112
+ * the value in that. Otherwise the source is an older QEMU and
113
+ * has given us the offset from the vm_clock; convert it back to
114
+ * an offset from the rtc_clock. This will cause time to incorrectly
115
+ * go backwards compared to the host RTC, but this is unavoidable.
116
+ */
117
+
118
+ if (!s->tick_offset_migrated) {
119
+ int64_t delta = qemu_clock_get_ns(rtc_clock) -
120
+ qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
121
+ s->tick_offset = s->tick_offset_vmstate -
122
+ delta / NANOSECONDS_PER_SECOND;
123
+ }
124
pl031_set_alarm(s);
125
return 0;
126
}
127
128
+static int pl031_tick_offset_post_load(void *opaque, int version_id)
125
+{
129
+{
126
+ AspeedWDTState *s = ASPEED_WDT(opaque);
130
+ PL031State *s = opaque;
127
+
131
+
128
+ offset >>= 2;
132
+ s->tick_offset_migrated = true;
129
+
133
+ return 0;
130
+ switch (offset) {
131
+ case WDT_STATUS:
132
+ return s->regs[WDT_STATUS];
133
+ case WDT_RELOAD_VALUE:
134
+ return s->regs[WDT_RELOAD_VALUE];
135
+ case WDT_RESTART:
136
+ qemu_log_mask(LOG_GUEST_ERROR,
137
+ "%s: read from write-only reg at offset 0x%"
138
+ HWADDR_PRIx "\n", __func__, offset);
139
+ return 0;
140
+ case WDT_CTRL:
141
+ return s->regs[WDT_CTRL];
142
+ case WDT_TIMEOUT_STATUS:
143
+ case WDT_TIMEOUT_CLEAR:
144
+ case WDT_RESET_WDITH:
145
+ qemu_log_mask(LOG_UNIMP,
146
+ "%s: uninmplemented read at offset 0x%" HWADDR_PRIx "\n",
147
+ __func__, offset);
148
+ return 0;
149
+ default:
150
+ qemu_log_mask(LOG_GUEST_ERROR,
151
+ "%s: Out-of-bounds read at offset 0x%" HWADDR_PRIx "\n",
152
+ __func__, offset);
153
+ return 0;
154
+ }
155
+
156
+}
134
+}
157
+
135
+
158
+static void aspeed_wdt_reload(AspeedWDTState *s, bool pclk)
136
+static bool pl031_tick_offset_needed(void *opaque)
159
+{
137
+{
160
+ uint32_t reload;
138
+ PL031State *s = opaque;
161
+
139
+
162
+ if (pclk) {
140
+ return s->migrate_tick_offset;
163
+ reload = muldiv64(s->regs[WDT_RELOAD_VALUE], NANOSECONDS_PER_SECOND,
164
+ s->pclk_freq);
165
+ } else {
166
+ reload = s->regs[WDT_RELOAD_VALUE] * 1000;
167
+ }
168
+
169
+ if (aspeed_wdt_is_enabled(s)) {
170
+ timer_mod(s->timer, qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) + reload);
171
+ }
172
+}
141
+}
173
+
142
+
174
+static void aspeed_wdt_write(void *opaque, hwaddr offset, uint64_t data,
143
+static const VMStateDescription vmstate_pl031_tick_offset = {
175
+ unsigned size)
144
+ .name = "pl031/tick-offset",
176
+{
145
+ .version_id = 1,
177
+ AspeedWDTState *s = ASPEED_WDT(opaque);
146
+ .minimum_version_id = 1,
178
+ bool enable = data & WDT_CTRL_ENABLE;
147
+ .needed = pl031_tick_offset_needed,
179
+
148
+ .post_load = pl031_tick_offset_post_load,
180
+ offset >>= 2;
181
+
182
+ switch (offset) {
183
+ case WDT_STATUS:
184
+ qemu_log_mask(LOG_GUEST_ERROR,
185
+ "%s: write to read-only reg at offset 0x%"
186
+ HWADDR_PRIx "\n", __func__, offset);
187
+ break;
188
+ case WDT_RELOAD_VALUE:
189
+ s->regs[WDT_RELOAD_VALUE] = data;
190
+ break;
191
+ case WDT_RESTART:
192
+ if ((data & 0xFFFF) == WDT_RESTART_MAGIC) {
193
+ s->regs[WDT_STATUS] = s->regs[WDT_RELOAD_VALUE];
194
+ aspeed_wdt_reload(s, !(data & WDT_CTRL_1MHZ_CLK));
195
+ }
196
+ break;
197
+ case WDT_CTRL:
198
+ if (enable && !aspeed_wdt_is_enabled(s)) {
199
+ s->regs[WDT_CTRL] = data;
200
+ aspeed_wdt_reload(s, !(data & WDT_CTRL_1MHZ_CLK));
201
+ } else if (!enable && aspeed_wdt_is_enabled(s)) {
202
+ s->regs[WDT_CTRL] = data;
203
+ timer_del(s->timer);
204
+ }
205
+ break;
206
+ case WDT_TIMEOUT_STATUS:
207
+ case WDT_TIMEOUT_CLEAR:
208
+ case WDT_RESET_WDITH:
209
+ qemu_log_mask(LOG_UNIMP,
210
+ "%s: uninmplemented write at offset 0x%" HWADDR_PRIx "\n",
211
+ __func__, offset);
212
+ break;
213
+ default:
214
+ qemu_log_mask(LOG_GUEST_ERROR,
215
+ "%s: Out-of-bounds write at offset 0x%" HWADDR_PRIx "\n",
216
+ __func__, offset);
217
+ }
218
+ return;
219
+}
220
+
221
+static WatchdogTimerModel model = {
222
+ .wdt_name = TYPE_ASPEED_WDT,
223
+ .wdt_description = "Aspeed watchdog device",
224
+};
225
+
226
+static const VMStateDescription vmstate_aspeed_wdt = {
227
+ .name = "vmstate_aspeed_wdt",
228
+ .version_id = 0,
229
+ .minimum_version_id = 0,
230
+ .fields = (VMStateField[]) {
149
+ .fields = (VMStateField[]) {
231
+ VMSTATE_TIMER_PTR(timer, AspeedWDTState),
150
+ VMSTATE_UINT32(tick_offset, PL031State),
232
+ VMSTATE_UINT32_ARRAY(regs, AspeedWDTState, ASPEED_WDT_REGS_MAX),
233
+ VMSTATE_END_OF_LIST()
151
+ VMSTATE_END_OF_LIST()
234
+ }
152
+ }
235
+};
153
+};
236
+
154
+
237
+static const MemoryRegionOps aspeed_wdt_ops = {
155
static const VMStateDescription vmstate_pl031 = {
238
+ .read = aspeed_wdt_read,
156
.name = "pl031",
239
+ .write = aspeed_wdt_write,
157
.version_id = 1,
240
+ .endianness = DEVICE_LITTLE_ENDIAN,
158
.minimum_version_id = 1,
241
+ .valid.min_access_size = 4,
159
.pre_save = pl031_pre_save,
242
+ .valid.max_access_size = 4,
160
+ .pre_load = pl031_pre_load,
243
+ .valid.unaligned = false,
161
.post_load = pl031_post_load,
162
.fields = (VMStateField[]) {
163
VMSTATE_UINT32(tick_offset_vmstate, PL031State),
164
@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_pl031 = {
165
VMSTATE_UINT32(im, PL031State),
166
VMSTATE_UINT32(is, PL031State),
167
VMSTATE_END_OF_LIST()
168
+ },
169
+ .subsections = (const VMStateDescription*[]) {
170
+ &vmstate_pl031_tick_offset,
171
+ NULL
172
}
173
};
174
175
+static Property pl031_properties[] = {
176
+ /*
177
+ * True to correctly migrate the tick offset of the RTC. False to
178
+ * obtain backward migration compatibility with older QEMU versions,
179
+ * at the expense of the guest RTC going backwards compared with the
180
+ * host RTC when the VM is saved/restored if using -rtc host.
181
+ * (Even if set to 'true' older QEMU can migrate forward to newer QEMU;
182
+ * 'false' also permits newer QEMU to migrate to older QEMU.)
183
+ */
184
+ DEFINE_PROP_BOOL("migrate-tick-offset",
185
+ PL031State, migrate_tick_offset, true),
186
+ DEFINE_PROP_END_OF_LIST()
244
+};
187
+};
245
+
188
+
246
+static void aspeed_wdt_reset(DeviceState *dev)
189
static void pl031_class_init(ObjectClass *klass, void *data)
247
+{
190
{
248
+ AspeedWDTState *s = ASPEED_WDT(dev);
191
DeviceClass *dc = DEVICE_CLASS(klass);
249
+
192
250
+ s->regs[WDT_STATUS] = 0x3EF1480;
193
dc->vmsd = &vmstate_pl031;
251
+ s->regs[WDT_RELOAD_VALUE] = 0x03EF1480;
194
+ dc->props = pl031_properties;
252
+ s->regs[WDT_RESTART] = 0;
195
}
253
+ s->regs[WDT_CTRL] = 0;
196
254
+
197
static const TypeInfo pl031_info = {
255
+ timer_del(s->timer);
256
+}
257
+
258
+static void aspeed_wdt_timer_expired(void *dev)
259
+{
260
+ AspeedWDTState *s = ASPEED_WDT(dev);
261
+
262
+ qemu_log_mask(CPU_LOG_RESET, "Watchdog timer expired.\n");
263
+ watchdog_perform_action();
264
+ timer_del(s->timer);
265
+}
266
+
267
+#define PCLK_HZ 24000000
268
+
269
+static void aspeed_wdt_realize(DeviceState *dev, Error **errp)
270
+{
271
+ SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
272
+ AspeedWDTState *s = ASPEED_WDT(dev);
273
+
274
+ s->timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, aspeed_wdt_timer_expired, dev);
275
+
276
+ /* FIXME: This setting should be derived from the SCU hw strapping
277
+ * register SCU70
278
+ */
279
+ s->pclk_freq = PCLK_HZ;
280
+
281
+ memory_region_init_io(&s->iomem, OBJECT(s), &aspeed_wdt_ops, s,
282
+ TYPE_ASPEED_WDT, ASPEED_WDT_REGS_MAX * 4);
283
+ sysbus_init_mmio(sbd, &s->iomem);
284
+}
285
+
286
+static void aspeed_wdt_class_init(ObjectClass *klass, void *data)
287
+{
288
+ DeviceClass *dc = DEVICE_CLASS(klass);
289
+
290
+ dc->realize = aspeed_wdt_realize;
291
+ dc->reset = aspeed_wdt_reset;
292
+ set_bit(DEVICE_CATEGORY_MISC, dc->categories);
293
+ dc->vmsd = &vmstate_aspeed_wdt;
294
+}
295
+
296
+static const TypeInfo aspeed_wdt_info = {
297
+ .parent = TYPE_SYS_BUS_DEVICE,
298
+ .name = TYPE_ASPEED_WDT,
299
+ .instance_size = sizeof(AspeedWDTState),
300
+ .class_init = aspeed_wdt_class_init,
301
+};
302
+
303
+static void wdt_aspeed_register_types(void)
304
+{
305
+ watchdog_add_model(&model);
306
+ type_register_static(&aspeed_wdt_info);
307
+}
308
+
309
+type_init(wdt_aspeed_register_types)
310
--
198
--
311
2.7.4
199
2.20.1
312
200
313
201
diff view generated by jsdifflib
[Qemu-devel] [PULL 06/13] target/arm: Add cfgend parameter for ARM CPU selection.
[Qemu-devel] [PULL 09/10] target/arm: Set VFP-related MVFR0 fields for arm926 and arm1026
1
From: Julian Brown <julian@codesourcery.com>
1
The ARMv5 architecture didn't specify detailed per-feature ID
2
registers. Now that we're using the MVFR0 register fields to
3
gate the existence of VFP instructions, we need to set up
4
the correct values in the cpu->isar structure so that we still
5
provide an FPU to the guest.
2
6
3
Add a new "cfgend" property which selects whether the CPU resets into
7
This fixes a regression in the arm926 and arm1026 CPUs, which
4
big-endian mode or not. This setting affects whether we reset with
8
are the only ones that both have VFP and are ARMv5 or earlier.
5
SCTLR_B (ARMv6 and earlier) or SCTLR_EE (ARMv7 and later) set.
9
This regression was introduced by the VFP refactoring, and more
10
specifically by commits 1120827fa182f0e76 and 266bd25c485597c,
11
which accidentally disabled VFP short-vector support and
12
double-precision support on these CPUs.
6
13
7
Signed-off-by: Julian Brown <julian@codesourcery.com>
14
Fixes: 1120827fa182f0e
8
Message-id: 11420d1c49636c1790e60578ee996e51f0f0b835.1484929304.git.julian@codesourcery.com
15
Fixes: 266bd25c485597c
9
[PMM: use error_report_err() rather than error_report();
16
Fixes: https://bugs.launchpad.net/qemu/+bug/1836192
10
move the integratorcp changes to their own patch;
17
Reported-by: Christophe Lyon <christophe.lyon@linaro.org>
11
drop an unnecessary extra #include;
12
rephrase commit message accordingly;
13
move setting of reset_sctlr above registration of cpregs
14
so it actually has an effect]
15
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
16
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
18
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
19
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
20
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
21
Tested-by: Christophe Lyon <christophe.lyon@linaro.org>
22
Message-id: 20190711131241.22231-1-peter.maydell@linaro.org
17
---
23
---
18
target/arm/cpu.h | 7 +++++++
24
target/arm/cpu.c | 12 ++++++++++++
19
target/arm/cpu.c | 13 +++++++++++++
25
1 file changed, 12 insertions(+)
20
2 files changed, 20 insertions(+)
21
26
22
diff --git a/target/arm/cpu.h b/target/arm/cpu.h
23
index XXXXXXX..XXXXXXX 100644
24
--- a/target/arm/cpu.h
25
+++ b/target/arm/cpu.h
26
@@ -XXX,XX +XXX,XX @@ struct ARMCPU {
27
int gic_vpribits; /* number of virtual priority bits */
28
int gic_vprebits; /* number of virtual preemption bits */
29
30
+ /* Whether the cfgend input is high (i.e. this CPU should reset into
31
+ * big-endian mode). This setting isn't used directly: instead it modifies
32
+ * the reset_sctlr value to have SCTLR_B or SCTLR_EE set, depending on the
33
+ * architecture version.
34
+ */
35
+ bool cfgend;
36
+
37
ARMELChangeHook *el_change_hook;
38
void *el_change_hook_opaque;
39
};
40
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
27
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
41
index XXXXXXX..XXXXXXX 100644
28
index XXXXXXX..XXXXXXX 100644
42
--- a/target/arm/cpu.c
29
--- a/target/arm/cpu.c
43
+++ b/target/arm/cpu.c
30
+++ b/target/arm/cpu.c
44
@@ -XXX,XX +XXX,XX @@ static Property arm_cpu_has_el2_property =
31
@@ -XXX,XX +XXX,XX @@ static void arm926_initfn(Object *obj)
45
static Property arm_cpu_has_el3_property =
32
* set the field to indicate Jazelle support within QEMU.
46
DEFINE_PROP_BOOL("has_el3", ARMCPU, has_el3, true);
33
*/
47
34
cpu->isar.id_isar1 = FIELD_DP32(cpu->isar.id_isar1, ID_ISAR1, JAZELLE, 1);
48
+static Property arm_cpu_cfgend_property =
35
+ /*
49
+ DEFINE_PROP_BOOL("cfgend", ARMCPU, cfgend, false);
36
+ * Similarly, we need to set MVFR0 fields to enable double precision
50
+
37
+ * and short vector support even though ARMv5 doesn't have this register.
51
/* use property name "pmu" to match other archs and virt tools */
38
+ */
52
static Property arm_cpu_has_pmu_property =
39
+ cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPSHVEC, 1);
53
DEFINE_PROP_BOOL("pmu", ARMCPU, has_pmu, true);
40
+ cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPDP, 1);
54
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_post_init(Object *obj)
55
}
56
}
57
58
+ qdev_property_add_static(DEVICE(obj), &arm_cpu_cfgend_property,
59
+ &error_abort);
60
}
41
}
61
42
62
static void arm_cpu_finalizefn(Object *obj)
43
static void arm946_initfn(Object *obj)
63
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
44
@@ -XXX,XX +XXX,XX @@ static void arm1026_initfn(Object *obj)
64
cpu->reset_sctlr |= (1 << 13);
45
* set the field to indicate Jazelle support within QEMU.
65
}
46
*/
66
47
cpu->isar.id_isar1 = FIELD_DP32(cpu->isar.id_isar1, ID_ISAR1, JAZELLE, 1);
67
+ if (cpu->cfgend) {
48
+ /*
68
+ if (arm_feature(&cpu->env, ARM_FEATURE_V7)) {
49
+ * Similarly, we need to set MVFR0 fields to enable double precision
69
+ cpu->reset_sctlr |= SCTLR_EE;
50
+ * and short vector support even though ARMv5 doesn't have this register.
70
+ } else {
51
+ */
71
+ cpu->reset_sctlr |= SCTLR_B;
52
+ cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPSHVEC, 1);
72
+ }
53
+ cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPDP, 1);
73
+ }
54
74
+
55
{
75
if (!cpu->has_el3) {
56
/* The 1026 had an IFAR at c6,c0,0,1 rather than the ARMv6 c6,c0,0,2 */
76
/* If the has_el3 CPU property is disabled then we need to disable the
77
* feature.
78
--
57
--
79
2.7.4
58
2.20.1
80
59
81
60
diff view generated by jsdifflib
[Qemu-devel] [PULL 09/13] target/arm: Abstract out pbit/wbit tests in ARM ldr/str decode
Deleted patch
1
In the ARM ldr/str decode path, rather than directly testing
2
"insn & (1 << 21)" and "insn & (1 << 24)", abstract these
3
bits out into wbit and pbit local flags. (We will want to
4
do more tests against them to determine whether we need to
5
provide syndrome information.)
6
1
7
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
8
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
9
---
10
target/arm/translate.c | 9 ++++++---
11
1 file changed, 6 insertions(+), 3 deletions(-)
12
13
diff --git a/target/arm/translate.c b/target/arm/translate.c
14
index XXXXXXX..XXXXXXX 100644
15
--- a/target/arm/translate.c
16
+++ b/target/arm/translate.c
17
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
18
} else {
19
int address_offset;
20
bool load = insn & (1 << 20);
21
+ bool wbit = insn & (1 << 21);
22
+ bool pbit = insn & (1 << 24);
23
bool doubleword = false;
24
/* Misc load/store */
25
rn = (insn >> 16) & 0xf;
26
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
27
}
28
29
addr = load_reg(s, rn);
30
- if (insn & (1 << 24))
31
+ if (pbit) {
32
gen_add_datah_offset(s, insn, 0, addr);
33
+ }
34
address_offset = 0;
35
36
if (doubleword) {
37
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
38
ensure correct behavior with overlapping index registers.
39
ldrd with base writeback is undefined if the
40
destination and index registers overlap. */
41
- if (!(insn & (1 << 24))) {
42
+ if (!pbit) {
43
gen_add_datah_offset(s, insn, address_offset, addr);
44
store_reg(s, rn, addr);
45
- } else if (insn & (1 << 21)) {
46
+ } else if (wbit) {
47
if (address_offset)
48
tcg_gen_addi_i32(addr, addr, address_offset);
49
store_reg(s, rn, addr);
50
--
51
2.7.4
52
53
diff view generated by jsdifflib
[Qemu-devel] [PULL 11/13] stellaris: Document memory map and which SoC devices are unimplemented
Deleted patch
1
Add a comment documenting the memory map of the SoC devices and which
2
are not implemented.
3
1
4
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
5
Message-id: 1484247815-15279-2-git-send-email-peter.maydell@linaro.org
6
---
7
hw/arm/stellaris.c | 34 ++++++++++++++++++++++++++++++++++
8
1 file changed, 34 insertions(+)
9
10
diff --git a/hw/arm/stellaris.c b/hw/arm/stellaris.c
11
index XXXXXXX..XXXXXXX 100644
12
--- a/hw/arm/stellaris.c
13
+++ b/hw/arm/stellaris.c
14
@@ -XXX,XX +XXX,XX @@ static void stellaris_init(const char *kernel_filename, const char *cpu_model,
15
0x40024000, 0x40025000, 0x40026000};
16
static const int gpio_irq[7] = {0, 1, 2, 3, 4, 30, 31};
17
18
+ /* Memory map of SoC devices, from
19
+ * Stellaris LM3S6965 Microcontroller Data Sheet (rev I)
20
+ * http://www.ti.com/lit/ds/symlink/lm3s6965.pdf
21
+ *
22
+ * 40000000 wdtimer (unimplemented)
23
+ * 40002000 i2c (unimplemented)
24
+ * 40004000 GPIO
25
+ * 40005000 GPIO
26
+ * 40006000 GPIO
27
+ * 40007000 GPIO
28
+ * 40008000 SSI
29
+ * 4000c000 UART
30
+ * 4000d000 UART
31
+ * 4000e000 UART
32
+ * 40020000 i2c
33
+ * 40021000 i2c (unimplemented)
34
+ * 40024000 GPIO
35
+ * 40025000 GPIO
36
+ * 40026000 GPIO
37
+ * 40028000 PWM (unimplemented)
38
+ * 4002c000 QEI (unimplemented)
39
+ * 4002d000 QEI (unimplemented)
40
+ * 40030000 gptimer
41
+ * 40031000 gptimer
42
+ * 40032000 gptimer
43
+ * 40033000 gptimer
44
+ * 40038000 ADC
45
+ * 4003c000 analogue comparator (unimplemented)
46
+ * 40048000 ethernet
47
+ * 400fc000 hibernation module (unimplemented)
48
+ * 400fd000 flash memory control (unimplemented)
49
+ * 400fe000 system control
50
+ */
51
+
52
DeviceState *gpio_dev[7], *nvic;
53
qemu_irq gpio_in[7][8];
54
qemu_irq gpio_out[7][8];
55
--
56
2.7.4
57
58
diff view generated by jsdifflib
[Qemu-devel] [PULL 12/13] hw/misc: New "unimplemented" sysbus device
Deleted patch
1
Create a new "unimplemented" sysbus device, which simply accepts
2
all read and write accesses, and implements them as read-as-zero,
3
write-ignored, with logging of the access as LOG_UNIMP.
4
1
5
This is useful for stubbing out bits of an SoC or board model
6
which haven't been written yet.
7
8
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
9
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
10
Message-id: 1484247815-15279-3-git-send-email-peter.maydell@linaro.org
11
---
12
hw/misc/Makefile.objs | 2 +
13
include/hw/misc/unimp.h | 39 ++++++++++++++++++
14
hw/misc/unimp.c | 107 ++++++++++++++++++++++++++++++++++++++++++++++++
15
3 files changed, 148 insertions(+)
16
create mode 100644 include/hw/misc/unimp.h
17
create mode 100644 hw/misc/unimp.c
18
19
diff --git a/hw/misc/Makefile.objs b/hw/misc/Makefile.objs
20
index XXXXXXX..XXXXXXX 100644
21
--- a/hw/misc/Makefile.objs
22
+++ b/hw/misc/Makefile.objs
23
@@ -XXX,XX +XXX,XX @@ common-obj-$(CONFIG_SGA) += sga.o
24
common-obj-$(CONFIG_ISA_TESTDEV) += pc-testdev.o
25
common-obj-$(CONFIG_PCI_TESTDEV) += pci-testdev.o
26
27
+common-obj-y += unimp.o
28
+
29
obj-$(CONFIG_VMPORT) += vmport.o
30
31
# ARM devices
32
diff --git a/include/hw/misc/unimp.h b/include/hw/misc/unimp.h
33
new file mode 100644
34
index XXXXXXX..XXXXXXX
35
--- /dev/null
36
+++ b/include/hw/misc/unimp.h
37
@@ -XXX,XX +XXX,XX @@
38
+/*
39
+ * "Unimplemented" device
40
+ *
41
+ * Copyright Linaro Limited, 2017
42
+ * Written by Peter Maydell
43
+ */
44
+
45
+#ifndef HW_MISC_UNIMP_H
46
+#define HW_MISC_UNIMP_H
47
+
48
+#define TYPE_UNIMPLEMENTED_DEVICE "unimplemented-device"
49
+
50
+/**
51
+ * create_unimplemented_device: create and map a dummy device
52
+ * @name: name of the device for debug logging
53
+ * @base: base address of the device's MMIO region
54
+ * @size: size of the device's MMIO region
55
+ *
56
+ * This utility function creates and maps an instance of unimplemented-device,
57
+ * which is a dummy device which simply logs all guest accesses to
58
+ * it via the qemu_log LOG_UNIMP debug log.
59
+ * The device is mapped at priority -1000, which means that you can
60
+ * use it to cover a large region and then map other devices on top of it
61
+ * if necessary.
62
+ */
63
+static inline void create_unimplemented_device(const char *name,
64
+ hwaddr base,
65
+ hwaddr size)
66
+{
67
+ DeviceState *dev = qdev_create(NULL, TYPE_UNIMPLEMENTED_DEVICE);
68
+
69
+ qdev_prop_set_string(dev, "name", name);
70
+ qdev_prop_set_uint64(dev, "size", size);
71
+ qdev_init_nofail(dev);
72
+
73
+ sysbus_mmio_map_overlap(SYS_BUS_DEVICE(dev), 0, base, -1000);
74
+}
75
+
76
+#endif
77
diff --git a/hw/misc/unimp.c b/hw/misc/unimp.c
78
new file mode 100644
79
index XXXXXXX..XXXXXXX
80
--- /dev/null
81
+++ b/hw/misc/unimp.c
82
@@ -XXX,XX +XXX,XX @@
83
+/* "Unimplemented" device
84
+ *
85
+ * This is a dummy device which accepts and logs all accesses.
86
+ * It's useful for stubbing out regions of an SoC or board
87
+ * map which correspond to devices that have not yet been
88
+ * implemented. This is often sufficient to placate initial
89
+ * guest device driver probing such that the system will
90
+ * come up.
91
+ *
92
+ * Copyright Linaro Limited, 2017
93
+ * Written by Peter Maydell
94
+ */
95
+
96
+#include "qemu/osdep.h"
97
+#include "hw/hw.h"
98
+#include "hw/sysbus.h"
99
+#include "hw/misc/unimp.h"
100
+#include "qemu/log.h"
101
+#include "qapi/error.h"
102
+
103
+#define UNIMPLEMENTED_DEVICE(obj) \
104
+ OBJECT_CHECK(UnimplementedDeviceState, (obj), TYPE_UNIMPLEMENTED_DEVICE)
105
+
106
+typedef struct {
107
+ SysBusDevice parent_obj;
108
+ MemoryRegion iomem;
109
+ char *name;
110
+ uint64_t size;
111
+} UnimplementedDeviceState;
112
+
113
+static uint64_t unimp_read(void *opaque, hwaddr offset, unsigned size)
114
+{
115
+ UnimplementedDeviceState *s = UNIMPLEMENTED_DEVICE(opaque);
116
+
117
+ qemu_log_mask(LOG_UNIMP, "%s: unimplemented device read "
118
+ "(size %d, offset 0x%" HWADDR_PRIx ")\n",
119
+ s->name, size, offset);
120
+ return 0;
121
+}
122
+
123
+static void unimp_write(void *opaque, hwaddr offset,
124
+ uint64_t value, unsigned size)
125
+{
126
+ UnimplementedDeviceState *s = UNIMPLEMENTED_DEVICE(opaque);
127
+
128
+ qemu_log_mask(LOG_UNIMP, "%s: unimplemented device write "
129
+ "(size %d, value 0x%" PRIx64
130
+ ", offset 0x%" HWADDR_PRIx ")\n",
131
+ s->name, size, value, offset);
132
+}
133
+
134
+static const MemoryRegionOps unimp_ops = {
135
+ .read = unimp_read,
136
+ .write = unimp_write,
137
+ .impl.min_access_size = 1,
138
+ .impl.max_access_size = 8,
139
+ .valid.min_access_size = 1,
140
+ .valid.max_access_size = 8,
141
+ .endianness = DEVICE_NATIVE_ENDIAN,
142
+};
143
+
144
+static void unimp_realize(DeviceState *dev, Error **errp)
145
+{
146
+ UnimplementedDeviceState *s = UNIMPLEMENTED_DEVICE(dev);
147
+
148
+ if (s->size == 0) {
149
+ error_setg(errp, "property 'size' not specified or zero");
150
+ return;
151
+ }
152
+
153
+ if (s->name == NULL) {
154
+ error_setg(errp, "property 'name' not specified");
155
+ return;
156
+ }
157
+
158
+ memory_region_init_io(&s->iomem, OBJECT(s), &unimp_ops, s,
159
+ s->name, s->size);
160
+ sysbus_init_mmio(SYS_BUS_DEVICE(s), &s->iomem);
161
+}
162
+
163
+static Property unimp_properties[] = {
164
+ DEFINE_PROP_UINT64("size", UnimplementedDeviceState, size, 0),
165
+ DEFINE_PROP_STRING("name", UnimplementedDeviceState, name),
166
+ DEFINE_PROP_END_OF_LIST(),
167
+};
168
+
169
+static void unimp_class_init(ObjectClass *klass, void *data)
170
+{
171
+ DeviceClass *dc = DEVICE_CLASS(klass);
172
+
173
+ dc->realize = unimp_realize;
174
+ dc->props = unimp_properties;
175
+}
176
+
177
+static const TypeInfo unimp_info = {
178
+ .name = TYPE_UNIMPLEMENTED_DEVICE,
179
+ .parent = TYPE_SYS_BUS_DEVICE,
180
+ .instance_size = sizeof(UnimplementedDeviceState),
181
+ .class_init = unimp_class_init,
182
+};
183
+
184
+static void unimp_register_types(void)
185
+{
186
+ type_register_static(&unimp_info);
187
+}
188
+
189
+type_init(unimp_register_types)
190
--
191
2.7.4
192
193
diff view generated by jsdifflib
[Qemu-devel] [PULL 13/13] stellaris: Use the 'unimplemented' device for parts we don't implement
[Qemu-devel] [PULL 10/10] target/arm: NS BusFault on vector table fetch escalates to NS HardFault
1
Use the 'unimplemented' dummy device to cover regions of the
1
In the M-profile architecture, when we do a vector table fetch and it
2
SoC device memory map which we don't have proper device
2
fails, we need to report a HardFault. Whether this is a Secure HF or
3
implementations for yet.
3
a NonSecure HF depends on several things. If AIRCR.BFHFNMINS is 0
4
then HF is always Secure, because there is no NonSecure HardFault.
5
Otherwise, the answer depends on whether the 'underlying exception'
6
(MemManage, BusFault, SecureFault) targets Secure or NonSecure. (In
7
the pseudocode, this is handled in the Vector() function: the final
8
exc.isSecure is calculated by looking at the exc.isSecure from the
9
exception returned from the memory access, not the isSecure input
10
argument.)
11
12
We weren't doing this correctly, because we were looking at
13
the target security domain of the exception we were trying to
14
load the vector table entry for. This produces errors of two kinds:
15
* a load from the NS vector table which hits the "NS access
16
to S memory" SecureFault should end up as a Secure HardFault,
17
but we were raising an NS HardFault
18
* a load from the S vector table which causes a BusFault
19
should raise an NS HardFault if BFHFNMINS == 1 (because
20
in that case all BusFaults are NonSecure), but we were raising
21
a Secure HardFault
22
23
Correct the logic.
24
25
We also fix a comment error where we claimed that we might
26
be escalating MemManage to HardFault, and forgot about SecureFault.
27
(Vector loads can never hit MPU access faults, because they're
28
always aligned and always use the default address map.)
4
29
5
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
30
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
6
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
31
Message-id: 20190705094823.28905-1-peter.maydell@linaro.org
7
Message-id: 1484247815-15279-4-git-send-email-peter.maydell@linaro.org
8
---
32
---
9
hw/arm/stellaris.c | 14 ++++++++++++++
33
target/arm/m_helper.c | 21 +++++++++++++++++----
10
1 file changed, 14 insertions(+)
34
1 file changed, 17 insertions(+), 4 deletions(-)
11
35
12
diff --git a/hw/arm/stellaris.c b/hw/arm/stellaris.c
36
diff --git a/target/arm/m_helper.c b/target/arm/m_helper.c
13
index XXXXXXX..XXXXXXX 100644
37
index XXXXXXX..XXXXXXX 100644
14
--- a/hw/arm/stellaris.c
38
--- a/target/arm/m_helper.c
15
+++ b/hw/arm/stellaris.c
39
+++ b/target/arm/m_helper.c
16
@@ -XXX,XX +XXX,XX @@
40
@@ -XXX,XX +XXX,XX @@ static bool arm_v7m_load_vector(ARMCPU *cpu, int exc, bool targets_secure,
17
#include "exec/address-spaces.h"
41
if (sattrs.ns) {
18
#include "sysemu/sysemu.h"
42
attrs.secure = false;
19
#include "hw/char/pl011.h"
43
} else if (!targets_secure) {
20
+#include "hw/misc/unimp.h"
44
- /* NS access to S memory */
21
45
+ /*
22
#define GPIO_A 0
46
+ * NS access to S memory: the underlying exception which we escalate
23
#define GPIO_B 1
47
+ * to HardFault is SecureFault, which always targets Secure.
24
@@ -XXX,XX +XXX,XX @@ static void stellaris_init(const char *kernel_filename, const char *cpu_model,
48
+ */
25
}
49
+ exc_secure = true;
50
goto load_fail;
26
}
51
}
27
}
52
}
28
+
53
@@ -XXX,XX +XXX,XX @@ static bool arm_v7m_load_vector(ARMCPU *cpu, int exc, bool targets_secure,
29
+ /* Add dummy regions for the devices we don't implement yet,
54
vector_entry = address_space_ldl(arm_addressspace(cs, attrs), addr,
30
+ * so guest accesses don't cause unlogged crashes.
55
attrs, &result);
31
+ */
56
if (result != MEMTX_OK) {
32
+ create_unimplemented_device("wdtimer", 0x40000000, 0x1000);
57
+ /*
33
+ create_unimplemented_device("i2c-0", 0x40002000, 0x1000);
58
+ * Underlying exception is BusFault: its target security state
34
+ create_unimplemented_device("i2c-2", 0x40021000, 0x1000);
59
+ * depends on BFHFNMINS.
35
+ create_unimplemented_device("PWM", 0x40028000, 0x1000);
60
+ */
36
+ create_unimplemented_device("QEI-0", 0x4002c000, 0x1000);
61
+ exc_secure = !(cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK);
37
+ create_unimplemented_device("QEI-1", 0x4002d000, 0x1000);
62
goto load_fail;
38
+ create_unimplemented_device("analogue-comparator", 0x4003c000, 0x1000);
63
}
39
+ create_unimplemented_device("hibernation", 0x400fc000, 0x1000);
64
*pvec = vector_entry;
40
+ create_unimplemented_device("flash-control", 0x400fd000, 0x1000);
65
@@ -XXX,XX +XXX,XX @@ load_fail:
41
}
66
/*
42
67
* All vector table fetch fails are reported as HardFault, with
43
/* FIXME: Figure out how to generate these from stellaris_boards. */
68
* HFSR.VECTTBL and .FORCED set. (FORCED is set because
69
- * technically the underlying exception is a MemManage or BusFault
70
+ * technically the underlying exception is a SecureFault or BusFault
71
* that is escalated to HardFault.) This is a terminal exception,
72
* so we will either take the HardFault immediately or else enter
73
* lockup (the latter case is handled in armv7m_nvic_set_pending_derived()).
74
+ * The HardFault is Secure if BFHFNMINS is 0 (meaning that all HFs are
75
+ * secure); otherwise it targets the same security state as the
76
+ * underlying exception.
77
*/
78
- exc_secure = targets_secure ||
79
- !(cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK);
80
+ if (!(cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK)) {
81
+ exc_secure = true;
82
+ }
83
env->v7m.hfsr |= R_V7M_HFSR_VECTTBL_MASK | R_V7M_HFSR_FORCED_MASK;
84
armv7m_nvic_set_pending_derived(env->nvic, ARMV7M_EXCP_HARD, exc_secure);
85
return false;
44
--
86
--
45
2.7.4
87
2.20.1
46
88
47
89
diff view generated by jsdifflib

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.