ARM queue for 2.10: all M profile bugfixes... thanks -- PMM The following changes since commit 25dd0e77898c3e10796d4cbeb35e8af5ba6ce975: Merge remote-tracking branch 'remotes/mjt/tags/trivial-patches-fetch' into staging (2017-07-31 11:27:43 +0100) are available in the git repository at: git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20170731 for you to fetch changes up to 89cbc3778a3d61761e2231e740269218c9a8a41d: hw/mps2_scc: fix incorrect properties (2017-07-31 13:11:56 +0100) ---------------------------------------------------------------- target-arm queue: * fix broken properties on MPS2 SCC device * fix MPU trace handling of write vs exec * fix MPU M profile bugs: - not handling system space or PPB region correctly - not resetting state - not migrating MPU_RNR ---------------------------------------------------------------- Peter Maydell (6): target/arm: Correct MPU trace handling of write vs execute target/arm: Don't do MPU lookups for addresses in M profile PPB region target/arm: Don't allow guest to make System space executable for M profile target/arm: Rename cp15.c6_rgnr to pmsav7.rnr target/arm: Move PMSAv7 reset into arm_cpu_reset() so M profile MPUs get reset target/arm: Migrate MPU_RNR register state for M profile cores Philippe Mathieu-Daudé (1): hw/mps2_scc: fix incorrect properties target/arm/cpu.h | 3 +-- hw/intc/armv7m_nvic.c | 14 +++++----- hw/misc/mps2-scc.c | 4 +-- target/arm/cpu.c | 14 ++++++++++ target/arm/helper.c | 71 ++++++++++++++++++++++++++++++++++----------------- target/arm/machine.c | 30 +++++++++++++++++++++- 6 files changed, 101 insertions(+), 35 deletions(-) Correct off-by-one bug in the PSMAv7 MPU tracing where it would print a write access as "reading", an insn fetch as "writing", and a read access as "execute". Since we have an MMUAccessType enum now, we can make the code clearer in the process by using that rather than the raw 0/1/2 values. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <rth@twiddle.net> Message-id: 1500906792-18010-1-git-send-email-peter.maydell@linaro.org --- target/arm/helper.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/target/arm/helper.c b/target/arm/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr(CPUARMState *env, target_ulong address, phys_ptr, prot, fsr); qemu_log_mask(CPU_LOG_MMU, "PMSAv7 MPU lookup for %s at 0x%08" PRIx32 " mmu_idx %u -> %s (prot %c%c%c)\n", - access_type == 1 ? "reading" : - (access_type == 2 ? "writing" : "execute"), + access_type == MMU_DATA_LOAD ? "reading" : + (access_type == MMU_DATA_STORE ? "writing" : "execute"), (uint32_t)address, mmu_idx, ret ? "Miss" : "Hit", *prot & PAGE_READ ? 'r' : '-', -- 2.7.4 The M profile PMSAv7 specification says that if the address being looked up is in the PPB region (0xe0000000 - 0xe00fffff) then we do not use the MPU regions but always use the default memory map. Implement this (we were previously behaving like an R profile PMSAv7, which does not special case this). Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Message-id: 1501153150-19984-2-git-send-email-peter.maydell@linaro.org --- target/arm/helper.c | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/target/arm/helper.c b/target/arm/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -XXX,XX +XXX,XX @@ static bool pmsav7_use_background_region(ARMCPU *cpu, } } +static inline bool m_is_ppb_region(CPUARMState *env, uint32_t address) +{ + /* True if address is in the M profile PPB region 0xe0000000 - 0xe00fffff */ + return arm_feature(env, ARM_FEATURE_M) && + extract32(address, 20, 12) == 0xe00; +} + static bool get_phys_addr_pmsav7(CPUARMState *env, uint32_t address, int access_type, ARMMMUIdx mmu_idx, hwaddr *phys_ptr, int *prot, uint32_t *fsr) @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav7(CPUARMState *env, uint32_t address, *phys_ptr = address; *prot = 0; - if (regime_translation_disabled(env, mmu_idx)) { /* MPU disabled */ + if (regime_translation_disabled(env, mmu_idx) || + m_is_ppb_region(env, address)) { + /* MPU disabled or M profile PPB access: use default memory map. + * The other case which uses the default memory map in the + * v7M ARM ARM pseudocode is exception vector reads from the vector + * table. In QEMU those accesses are done in arm_v7m_load_vector(), + * which always does a direct read using address_space_ldl(), rather + * than going via this function, so we don't need to check that here. + */ get_phys_addr_pmsav7_default(env, mmu_idx, address, prot); } else { /* MPU enabled */ for (n = (int)cpu->pmsav7_dregion - 1; n >= 0; n--) { -- 2.7.4 For an M profile v7PMSA, the system space (0xe0000000 - 0xffffffff) can never be executable, even if the guest tries to set the MPU registers up that way. Enforce this restriction. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Message-id: 1501153150-19984-3-git-send-email-peter.maydell@linaro.org --- target/arm/helper.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/target/arm/helper.c b/target/arm/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -XXX,XX +XXX,XX @@ static inline bool m_is_ppb_region(CPUARMState *env, uint32_t address) extract32(address, 20, 12) == 0xe00; } +static inline bool m_is_system_region(CPUARMState *env, uint32_t address) +{ + /* True if address is in the M profile system region + * 0xe0000000 - 0xffffffff + */ + return arm_feature(env, ARM_FEATURE_M) && extract32(address, 29, 3) == 0x7; +} + static bool get_phys_addr_pmsav7(CPUARMState *env, uint32_t address, int access_type, ARMMMUIdx mmu_idx, hwaddr *phys_ptr, int *prot, uint32_t *fsr) @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav7(CPUARMState *env, uint32_t address, get_phys_addr_pmsav7_default(env, mmu_idx, address, prot); } else { /* a MPU hit! */ uint32_t ap = extract32(env->pmsav7.dracr[n], 8, 3); + uint32_t xn = extract32(env->pmsav7.dracr[n], 12, 1); + + if (m_is_system_region(env, address)) { + /* System space is always execute never */ + xn = 1; + } if (is_user) { /* User mode AP bit decoding */ switch (ap) { @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav7(CPUARMState *env, uint32_t address, } /* execute never */ - if (env->pmsav7.dracr[n] & (1 << 12)) { + if (xn) { *prot &= ~PAGE_EXEC; } } -- 2.7.4 Almost all of the PMSAv7 state is in the pmsav7 substruct of the ARM CPU state structure. The exception is the region number register, which is in cp15.c6_rgnr. This exception is a bit odd for M profile, which otherwise generally does not store state in the cp15 substruct. Rename cp15.c6_rgnr to pmsav7.rnr accordingly. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Message-id: 1501153150-19984-4-git-send-email-peter.maydell@linaro.org --- target/arm/cpu.h | 3 +-- hw/intc/armv7m_nvic.c | 14 +++++++------- target/arm/helper.c | 6 +++--- target/arm/machine.c | 2 +- 4 files changed, 12 insertions(+), 13 deletions(-) diff --git a/target/arm/cpu.h b/target/arm/cpu.h index XXXXXXX..XXXXXXX 100644 --- a/target/arm/cpu.h +++ b/target/arm/cpu.h @@ -XXX,XX +XXX,XX @@ typedef struct CPUARMState { uint64_t par_el[4]; }; - uint32_t c6_rgnr; - uint32_t c9_insn; /* Cache lockdown registers. */ uint32_t c9_data; uint64_t c9_pmcr; /* performance monitor control register */ @@ -XXX,XX +XXX,XX @@ typedef struct CPUARMState { uint32_t *drbar; uint32_t *drsr; uint32_t *dracr; + uint32_t rnr; } pmsav7; void *nvic; diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c index XXXXXXX..XXXXXXX 100644 --- a/hw/intc/armv7m_nvic.c +++ b/hw/intc/armv7m_nvic.c @@ -XXX,XX +XXX,XX @@ static uint32_t nvic_readl(NVICState *s, uint32_t offset) case 0xd94: /* MPU_CTRL */ return cpu->env.v7m.mpu_ctrl; case 0xd98: /* MPU_RNR */ - return cpu->env.cp15.c6_rgnr; + return cpu->env.pmsav7.rnr; case 0xd9c: /* MPU_RBAR */ case 0xda4: /* MPU_RBAR_A1 */ case 0xdac: /* MPU_RBAR_A2 */ case 0xdb4: /* MPU_RBAR_A3 */ { - int region = cpu->env.cp15.c6_rgnr; + int region = cpu->env.pmsav7.rnr; if (region >= cpu->pmsav7_dregion) { return 0; @@ -XXX,XX +XXX,XX @@ static uint32_t nvic_readl(NVICState *s, uint32_t offset) case 0xdb0: /* MPU_RASR_A2 */ case 0xdb8: /* MPU_RASR_A3 */ { - int region = cpu->env.cp15.c6_rgnr; + int region = cpu->env.pmsav7.rnr; if (region >= cpu->pmsav7_dregion) { return 0; @@ -XXX,XX +XXX,XX @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value) PRIu32 "/%" PRIu32 "\n", value, cpu->pmsav7_dregion); } else { - cpu->env.cp15.c6_rgnr = value; + cpu->env.pmsav7.rnr = value; } break; case 0xd9c: /* MPU_RBAR */ @@ -XXX,XX +XXX,XX @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value) region, cpu->pmsav7_dregion); return; } - cpu->env.cp15.c6_rgnr = region; + cpu->env.pmsav7.rnr = region; } else { - region = cpu->env.cp15.c6_rgnr; + region = cpu->env.pmsav7.rnr; } if (region >= cpu->pmsav7_dregion) { @@ -XXX,XX +XXX,XX @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value) case 0xdb0: /* MPU_RASR_A2 */ case 0xdb8: /* MPU_RASR_A3 */ { - int region = cpu->env.cp15.c6_rgnr; + int region = cpu->env.pmsav7.rnr; if (region >= cpu->pmsav7_dregion) { return; diff --git a/target/arm/helper.c b/target/arm/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -XXX,XX +XXX,XX @@ static uint64_t pmsav7_read(CPUARMState *env, const ARMCPRegInfo *ri) return 0; } - u32p += env->cp15.c6_rgnr; + u32p += env->pmsav7.rnr; return *u32p; } @@ -XXX,XX +XXX,XX @@ static void pmsav7_write(CPUARMState *env, const ARMCPRegInfo *ri, return; } - u32p += env->cp15.c6_rgnr; + u32p += env->pmsav7.rnr; tlb_flush(CPU(cpu)); /* Mappings may have changed - purge! */ *u32p = value; } @@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo pmsav7_cp_reginfo[] = { .readfn = pmsav7_read, .writefn = pmsav7_write, .resetfn = pmsav7_reset }, { .name = "RGNR", .cp = 15, .crn = 6, .opc1 = 0, .crm = 2, .opc2 = 0, .access = PL1_RW, - .fieldoffset = offsetof(CPUARMState, cp15.c6_rgnr), + .fieldoffset = offsetof(CPUARMState, pmsav7.rnr), .writefn = pmsav7_rgnr_write }, REGINFO_SENTINEL }; diff --git a/target/arm/machine.c b/target/arm/machine.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/machine.c +++ b/target/arm/machine.c @@ -XXX,XX +XXX,XX @@ static bool pmsav7_rgnr_vmstate_validate(void *opaque, int version_id) { ARMCPU *cpu = opaque; - return cpu->env.cp15.c6_rgnr < cpu->pmsav7_dregion; + return cpu->env.pmsav7.rnr < cpu->pmsav7_dregion; } static const VMStateDescription vmstate_pmsav7 = { -- 2.7.4 When the PMSAv7 implementation was originally added it was for R profile CPUs only, and reset was handled using the cpreg .resetfn hooks. Unfortunately for M profile cores this doesn't work, because they do not register any cpregs. Move the reset handling into arm_cpu_reset(), where it will work for both R profile and M profile cores. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Message-id: 1501153150-19984-5-git-send-email-peter.maydell@linaro.org --- target/arm/cpu.c | 14 ++++++++++++++ target/arm/helper.c | 28 ++++++++++++---------------- 2 files changed, 26 insertions(+), 16 deletions(-) diff --git a/target/arm/cpu.c b/target/arm/cpu.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/cpu.c +++ b/target/arm/cpu.c @@ -XXX,XX +XXX,XX @@ static void arm_cpu_reset(CPUState *s) env->vfp.xregs[ARM_VFP_FPEXC] = 0; #endif + + if (arm_feature(env, ARM_FEATURE_PMSA) && + arm_feature(env, ARM_FEATURE_V7)) { + if (cpu->pmsav7_dregion > 0) { + memset(env->pmsav7.drbar, 0, + sizeof(*env->pmsav7.drbar) * cpu->pmsav7_dregion); + memset(env->pmsav7.drsr, 0, + sizeof(*env->pmsav7.drsr) * cpu->pmsav7_dregion); + memset(env->pmsav7.dracr, 0, + sizeof(*env->pmsav7.dracr) * cpu->pmsav7_dregion); + } + env->pmsav7.rnr = 0; + } + set_flush_to_zero(1, &env->vfp.standard_fp_status); set_flush_inputs_to_zero(1, &env->vfp.standard_fp_status); set_default_nan_mode(1, &env->vfp.standard_fp_status); diff --git a/target/arm/helper.c b/target/arm/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -XXX,XX +XXX,XX @@ static void pmsav7_write(CPUARMState *env, const ARMCPRegInfo *ri, *u32p = value; } -static void pmsav7_reset(CPUARMState *env, const ARMCPRegInfo *ri) -{ - ARMCPU *cpu = arm_env_get_cpu(env); - uint32_t *u32p = *(uint32_t **)raw_ptr(env, ri); - - if (!u32p) { - return; - } - - memset(u32p, 0, sizeof(*u32p) * cpu->pmsav7_dregion); -} - static void pmsav7_rgnr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value) { @@ -XXX,XX +XXX,XX @@ static void pmsav7_rgnr_write(CPUARMState *env, const ARMCPRegInfo *ri, } static const ARMCPRegInfo pmsav7_cp_reginfo[] = { + /* Reset for all these registers is handled in arm_cpu_reset(), + * because the PMSAv7 is also used by M-profile CPUs, which do + * not register cpregs but still need the state to be reset. + */ { .name = "DRBAR", .cp = 15, .crn = 6, .opc1 = 0, .crm = 1, .opc2 = 0, .access = PL1_RW, .type = ARM_CP_NO_RAW, .fieldoffset = offsetof(CPUARMState, pmsav7.drbar), - .readfn = pmsav7_read, .writefn = pmsav7_write, .resetfn = pmsav7_reset }, + .readfn = pmsav7_read, .writefn = pmsav7_write, + .resetfn = arm_cp_reset_ignore }, { .name = "DRSR", .cp = 15, .crn = 6, .opc1 = 0, .crm = 1, .opc2 = 2, .access = PL1_RW, .type = ARM_CP_NO_RAW, .fieldoffset = offsetof(CPUARMState, pmsav7.drsr), - .readfn = pmsav7_read, .writefn = pmsav7_write, .resetfn = pmsav7_reset }, + .readfn = pmsav7_read, .writefn = pmsav7_write, + .resetfn = arm_cp_reset_ignore }, { .name = "DRACR", .cp = 15, .crn = 6, .opc1 = 0, .crm = 1, .opc2 = 4, .access = PL1_RW, .type = ARM_CP_NO_RAW, .fieldoffset = offsetof(CPUARMState, pmsav7.dracr), - .readfn = pmsav7_read, .writefn = pmsav7_write, .resetfn = pmsav7_reset }, + .readfn = pmsav7_read, .writefn = pmsav7_write, + .resetfn = arm_cp_reset_ignore }, { .name = "RGNR", .cp = 15, .crn = 6, .opc1 = 0, .crm = 2, .opc2 = 0, .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, pmsav7.rnr), - .writefn = pmsav7_rgnr_write }, + .writefn = pmsav7_rgnr_write, + .resetfn = arm_cp_reset_ignore }, REGINFO_SENTINEL }; -- 2.7.4 The PMSAv7 region number register is migrated for R profile cores using the cpreg scheme, but M profile doesn't use cpregs, and so we weren't migrating the MPU_RNR register state at all. Fix that by adding a migration subsection for the M profile case. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Message-id: 1501153150-19984-6-git-send-email-peter.maydell@linaro.org --- target/arm/machine.c | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/target/arm/machine.c b/target/arm/machine.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/machine.c +++ b/target/arm/machine.c @@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_pmsav7 = { } }; +static bool pmsav7_rnr_needed(void *opaque) +{ + ARMCPU *cpu = opaque; + CPUARMState *env = &cpu->env; + + /* For R profile cores pmsav7.rnr is migrated via the cpreg + * "RGNR" definition in helper.h. For M profile we have to + * migrate it separately. + */ + return arm_feature(env, ARM_FEATURE_M); +} + +static const VMStateDescription vmstate_pmsav7_rnr = { + .name = "cpu/pmsav7-rnr", + .version_id = 1, + .minimum_version_id = 1, + .needed = pmsav7_rnr_needed, + .fields = (VMStateField[]) { + VMSTATE_UINT32(env.pmsav7.rnr, ARMCPU), + VMSTATE_END_OF_LIST() + } +}; + static int get_cpsr(QEMUFile *f, void *opaque, size_t size, VMStateField *field) { @@ -XXX,XX +XXX,XX @@ const VMStateDescription vmstate_arm_cpu = { &vmstate_iwmmxt, &vmstate_m, &vmstate_thumb2ee, + /* pmsav7_rnr must come before pmsav7 so that we have the + * region number before we test it in the VMSTATE_VALIDATE + * in vmstate_pmsav7. + */ + &vmstate_pmsav7_rnr, &vmstate_pmsav7, NULL } -- 2.7.4 From: Philippe Mathieu-Daudé <f4bug@amsat.org> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Message-id: 20170729234930.725-1-f4bug@amsat.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- hw/misc/mps2-scc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hw/misc/mps2-scc.c b/hw/misc/mps2-scc.c index XXXXXXX..XXXXXXX 100644 --- a/hw/misc/mps2-scc.c +++ b/hw/misc/mps2-scc.c @@ -XXX,XX +XXX,XX @@ static Property mps2_scc_properties[] = { /* Values for various read-only ID registers (which are specific * to the board model or FPGA image) */ - DEFINE_PROP_UINT32("scc-cfg4", MPS2SCC, aid, 0), + DEFINE_PROP_UINT32("scc-cfg4", MPS2SCC, cfg4, 0), DEFINE_PROP_UINT32("scc-aid", MPS2SCC, aid, 0), - DEFINE_PROP_UINT32("scc-id", MPS2SCC, aid, 0), + DEFINE_PROP_UINT32("scc-id", MPS2SCC, id, 0), /* These are the initial settings for the source clocks on the board. * In hardware they can be configured via a config file read by the * motherboard configuration controller to suit the FPGA image. -- 2.7.4 First arm pullreq for the 2.12 cycle, with all the things that queued up during the release phase. 2.11 isn't quite released yet, but might as well put the pullreq on the mailing list :-) thanks -- PMM The following changes since commit 0a0dc59d27527b78a195c2d838d28b7b49e5a639: Update version for v2.11.0 release (2017-12-13 14:31:09 +0000) are available in the git repository at: git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20171213 for you to fetch changes up to d3c348b6e3af3598bfcb755d59f8f4de80a2228a: xilinx_spips: Use memset instead of a for loop to zero registers (2017-12-13 17:59:26 +0000) ---------------------------------------------------------------- target-arm queue: * xilinx_spips: set reset values correctly * MAINTAINERS: fix an email address * hw/display/tc6393xb: limit irq handler index to TC6393XB_GPIOS * nvic: Make systick banked for v8M * refactor get_phys_addr() so we can return the right format PAR for ATS operations * implement v8M TT instruction * fix some minor v8M bugs * Implement reset for GICv3 ITS * xlnx-zcu102: Add support for the ZynqMP QSPI ---------------------------------------------------------------- Alistair Francis (3): xilinx_spips: Update the QSPI Mod ID reset value xilinx_spips: Set all of the reset values xilinx_spips: Use memset instead of a for loop to zero registers Edgar E. Iglesias (1): target/arm: Extend PAR format determination Eric Auger (4): hw/intc/arm_gicv3_its: Don't call post_load on reset hw/intc/arm_gicv3_its: Implement a minimalist reset linux-headers: update to 4.15-rc1 hw/intc/arm_gicv3_its: Implement full reset Francisco Iglesias (13): m25p80: Add support for continuous read out of RDSR and READ_FSR m25p80: Add support for SST READ ID 0x90/0xAB commands m25p80: Add support for BRRD/BRWR and BULK_ERASE (0x60) m25p80: Add support for n25q512a11 and n25q512a13 xilinx_spips: Move FlashCMD, XilinxQSPIPS and XilinxSPIPSClass xilinx_spips: Update striping to be big-endian bit order xilinx_spips: Add support for RX discard and RX drain xilinx_spips: Make tx/rx_data_bytes more generic and reusable xilinx_spips: Add support for zero pumping xilinx_spips: Add support for 4 byte addresses in the LQSPI xilinx_spips: Don't set TX FIFO UNDERFLOW at cmd done xilinx_spips: Add support for the ZynqMP Generic QSPI xlnx-zcu102: Add support for the ZynqMP QSPI Peter Maydell (20): target/arm: Handle SPSEL and current stack being out of sync in MSP/PSP reads target/arm: Allow explicit writes to CONTROL.SPSEL in Handler mode target/arm: Add missing M profile case to regime_is_user() target/arm: Split M profile MNegPri mmu index into user and priv target/arm: Create new arm_v7m_mmu_idx_for_secstate_and_priv() target/arm: Factor MPU lookup code out of get_phys_addr_pmsav8() target/arm: Implement TT instruction target/arm: Provide fault type enum and FSR conversion functions target/arm: Remove fsr argument from arm_ld*_ptw() target/arm: Convert get_phys_addr_v5() to not return FSC values target/arm: Convert get_phys_addr_v6() to not return FSC values target/arm: Convert get_phys_addr_lpae() to not return FSC values target/arm: Convert get_phys_addr_pmsav5() to not return FSC values target/arm: Convert get_phys_addr_pmsav7() to not return FSC values target/arm: Convert get_phys_addr_pmsav8() to not return FSC values target/arm: Use ARMMMUFaultInfo in deliver_fault() target/arm: Ignore fsr from get_phys_addr() in do_ats_write() target/arm: Remove fsr argument from get_phys_addr() and arm_tlb_fill() nvic: Make nvic_sysreg_ns_ops work with any MemoryRegion nvic: Make systick banked Prasad J Pandit (1): hw/display/tc6393xb: limit irq handler index to TC6393XB_GPIOS Zhaoshenglong (1): MAINTAINERS: replace the unavailable email address include/hw/arm/xlnx-zynqmp.h | 5 + include/hw/intc/armv7m_nvic.h | 4 +- include/hw/ssi/xilinx_spips.h | 74 +- include/standard-headers/asm-s390/virtio-ccw.h | 1 + include/standard-headers/asm-x86/hyperv.h | 394 +-------- include/standard-headers/linux/input-event-codes.h | 2 + include/standard-headers/linux/input.h | 1 + include/standard-headers/linux/pci_regs.h | 45 +- linux-headers/asm-arm/kvm.h | 8 + linux-headers/asm-arm/kvm_para.h | 1 + linux-headers/asm-arm/unistd.h | 2 + linux-headers/asm-arm64/kvm.h | 8 + linux-headers/asm-arm64/unistd.h | 1 + linux-headers/asm-powerpc/epapr_hcalls.h | 1 + linux-headers/asm-powerpc/kvm.h | 1 + linux-headers/asm-powerpc/kvm_para.h | 1 + linux-headers/asm-powerpc/unistd.h | 1 + linux-headers/asm-s390/kvm.h | 1 + linux-headers/asm-s390/kvm_para.h | 1 + linux-headers/asm-s390/unistd.h | 4 +- linux-headers/asm-x86/kvm.h | 1 + linux-headers/asm-x86/kvm_para.h | 2 +- linux-headers/asm-x86/unistd.h | 1 + linux-headers/linux/kvm.h | 2 + linux-headers/linux/kvm_para.h | 1 + linux-headers/linux/psci.h | 1 + linux-headers/linux/userfaultfd.h | 1 + linux-headers/linux/vfio.h | 1 + linux-headers/linux/vfio_ccw.h | 1 + linux-headers/linux/vhost.h | 1 + target/arm/cpu.h | 73 +- target/arm/helper.h | 2 + target/arm/internals.h | 193 ++++- hw/arm/xlnx-zcu102.c | 23 + hw/arm/xlnx-zynqmp.c | 26 + hw/block/m25p80.c | 80 +- hw/display/tc6393xb.c | 1 + hw/intc/arm_gicv3_its_common.c | 2 - hw/intc/arm_gicv3_its_kvm.c | 53 +- hw/intc/armv7m_nvic.c | 100 ++- hw/ssi/xilinx_spips.c | 928 +++++++++++++++++---- target/arm/helper.c | 489 +++++++---- target/arm/op_helper.c | 82 +- target/arm/translate.c | 37 +- MAINTAINERS | 2 +- default-configs/arm-softmmu.mak | 2 +- 46 files changed, 1833 insertions(+), 828 deletions(-) From: Francisco Iglesias <frasse.iglesias@gmail.com> Add support for continuous read out of the RDSR and READ_FSR status registers until the chip select is deasserted. This feature is supported by amongst others 1 or more flashtypes manufactured by Numonyx (Micron), Windbond, SST, Gigadevice, Eon and Macronix. Signed-off-by: Francisco Iglesias <frasse.iglesias@gmail.com> Acked-by: Marcin Krzemiński<mar.krzeminski@gmail.com> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Message-id: 20171126231634.9531-2-frasse.iglesias@gmail.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- hw/block/m25p80.c | 39 ++++++++++++++++++++++++++++++++++++++- 1 file changed, 38 insertions(+), 1 deletion(-) diff --git a/hw/block/m25p80.c b/hw/block/m25p80.c index XXXXXXX..XXXXXXX 100644 --- a/hw/block/m25p80.c +++ b/hw/block/m25p80.c @@ -XXX,XX +XXX,XX @@ typedef struct Flash { uint8_t data[M25P80_INTERNAL_DATA_BUFFER_SZ]; uint32_t len; uint32_t pos; + bool data_read_loop; uint8_t needed_bytes; uint8_t cmd_in_progress; uint32_t cur_addr; @@ -XXX,XX +XXX,XX @@ static void decode_new_cmd(Flash *s, uint32_t value) } s->pos = 0; s->len = 1; + s->data_read_loop = true; s->state = STATE_READING_DATA; break; @@ -XXX,XX +XXX,XX @@ static void decode_new_cmd(Flash *s, uint32_t value) } s->pos = 0; s->len = 1; + s->data_read_loop = true; s->state = STATE_READING_DATA; break; @@ -XXX,XX +XXX,XX @@ static int m25p80_cs(SSISlave *ss, bool select) s->pos = 0; s->state = STATE_IDLE; flash_sync_dirty(s, -1); + s->data_read_loop = false; } DB_PRINT_L(0, "%sselect\n", select ? "de" : ""); @@ -XXX,XX +XXX,XX @@ static uint32_t m25p80_transfer8(SSISlave *ss, uint32_t tx) s->pos++; if (s->pos == s->len) { s->pos = 0; - s->state = STATE_IDLE; + if (!s->data_read_loop) { + s->state = STATE_IDLE; + } } break; @@ -XXX,XX +XXX,XX @@ static Property m25p80_properties[] = { DEFINE_PROP_END_OF_LIST(), }; +static int m25p80_pre_load(void *opaque) +{ + Flash *s = (Flash *)opaque; + + s->data_read_loop = false; + return 0; +} + +static bool m25p80_data_read_loop_needed(void *opaque) +{ + Flash *s = (Flash *)opaque; + + return s->data_read_loop; +} + +static const VMStateDescription vmstate_m25p80_data_read_loop = { + .name = "m25p80/data_read_loop", + .version_id = 1, + .minimum_version_id = 1, + .needed = m25p80_data_read_loop_needed, + .fields = (VMStateField[]) { + VMSTATE_BOOL(data_read_loop, Flash), + VMSTATE_END_OF_LIST() + } +}; + static const VMStateDescription vmstate_m25p80 = { .name = "m25p80", .version_id = 0, .minimum_version_id = 0, .pre_save = m25p80_pre_save, + .pre_load = m25p80_pre_load, .fields = (VMStateField[]) { VMSTATE_UINT8(state, Flash), VMSTATE_UINT8_ARRAY(data, Flash, M25P80_INTERNAL_DATA_BUFFER_SZ), @@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_m25p80 = { VMSTATE_UINT8(spansion_cr3nv, Flash), VMSTATE_UINT8(spansion_cr4nv, Flash), VMSTATE_END_OF_LIST() + }, + .subsections = (const VMStateDescription * []) { + &vmstate_m25p80_data_read_loop, + NULL } }; -- 2.7.4 From: Francisco Iglesias <frasse.iglesias@gmail.com> Add support for SST READ ID 0x90/0xAB commands for reading out the flash manufacturer ID and device ID. Signed-off-by: Francisco Iglesias <frasse.iglesias@gmail.com> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Message-id: 20171126231634.9531-3-frasse.iglesias@gmail.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- hw/block/m25p80.c | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/hw/block/m25p80.c b/hw/block/m25p80.c index XXXXXXX..XXXXXXX 100644 --- a/hw/block/m25p80.c +++ b/hw/block/m25p80.c @@ -XXX,XX +XXX,XX @@ typedef enum { DPP = 0xa2, QPP = 0x32, QPP_4 = 0x34, + RDID_90 = 0x90, + RDID_AB = 0xab, ERASE_4K = 0x20, ERASE4_4K = 0x21, @@ -XXX,XX +XXX,XX @@ typedef enum { MAN_MACRONIX, MAN_NUMONYX, MAN_WINBOND, + MAN_SST, MAN_GENERIC, } Manufacturer; @@ -XXX,XX +XXX,XX @@ static inline Manufacturer get_man(Flash *s) return MAN_SPANSION; case 0xC2: return MAN_MACRONIX; + case 0xBF: + return MAN_SST; default: return MAN_GENERIC; } @@ -XXX,XX +XXX,XX @@ static void complete_collecting_data(Flash *s) case WEVCR: s->enh_volatile_cfg = s->data[0]; break; + case RDID_90: + case RDID_AB: + if (get_man(s) == MAN_SST) { + if (s->cur_addr <= 1) { + if (s->cur_addr) { + s->data[0] = s->pi->id[2]; + s->data[1] = s->pi->id[0]; + } else { + s->data[0] = s->pi->id[0]; + s->data[1] = s->pi->id[2]; + } + s->pos = 0; + s->len = 2; + s->data_read_loop = true; + s->state = STATE_READING_DATA; + } else { + qemu_log_mask(LOG_GUEST_ERROR, + "M25P80: Invalid read id address\n"); + } + } else { + qemu_log_mask(LOG_GUEST_ERROR, + "M25P80: Read id (command 0x90/0xAB) is not supported" + " by device\n"); + } + break; default: break; } @@ -XXX,XX +XXX,XX @@ static void decode_new_cmd(Flash *s, uint32_t value) case PP4: case PP4_4: case DIE_ERASE: + case RDID_90: + case RDID_AB: s->needed_bytes = get_addr_length(s); s->pos = 0; s->len = 0; -- 2.7.4 From: Francisco Iglesias <frasse.iglesias@gmail.com> Add support for the bank address register access commands (BRRD/BRWR) and the BULK_ERASE (0x60) command. Signed-off-by: Francisco Iglesias <frasse.iglesias@gmail.com> Acked-by: Marcin Krzemiński <mar.krzeminski@gmail.com> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Message-id: 20171126231634.9531-4-frasse.iglesias@gmail.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- hw/block/m25p80.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/hw/block/m25p80.c b/hw/block/m25p80.c index XXXXXXX..XXXXXXX 100644 --- a/hw/block/m25p80.c +++ b/hw/block/m25p80.c @@ -XXX,XX +XXX,XX @@ typedef enum { WRDI = 0x4, RDSR = 0x5, WREN = 0x6, + BRRD = 0x16, + BRWR = 0x17, JEDEC_READ = 0x9f, + BULK_ERASE_60 = 0x60, BULK_ERASE = 0xc7, READ_FSR = 0x70, RDCR = 0x15, @@ -XXX,XX +XXX,XX @@ static void complete_collecting_data(Flash *s) s->write_enable = false; } break; + case BRWR: case EXTEND_ADDR_WRITE: s->ear = s->data[0]; break; @@ -XXX,XX +XXX,XX @@ static void decode_new_cmd(Flash *s, uint32_t value) s->state = STATE_READING_DATA; break; + case BULK_ERASE_60: case BULK_ERASE: if (s->write_enable) { DB_PRINT_L(0, "chip erase\n"); @@ -XXX,XX +XXX,XX @@ static void decode_new_cmd(Flash *s, uint32_t value) case EX_4BYTE_ADDR: s->four_bytes_address_mode = false; break; + case BRRD: case EXTEND_ADDR_READ: s->data[0] = s->ear; s->pos = 0; s->len = 1; s->state = STATE_READING_DATA; break; + case BRWR: case EXTEND_ADDR_WRITE: if (s->write_enable) { s->needed_bytes = 1; -- 2.7.4 From: Francisco Iglesias <frasse.iglesias@gmail.com> Add support for Micron (Numonyx) n25q512a11 and n25q512a13 flashes. Signed-off-by: Francisco Iglesias <frasse.iglesias@gmail.com> Acked-by: Marcin Krzemiński <mar.krzeminski@gmail.com> Reviewed-by: Alistair Francis <alistair.francis@xilinx.com> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Message-id: 20171126231634.9531-5-frasse.iglesias@gmail.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- hw/block/m25p80.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hw/block/m25p80.c b/hw/block/m25p80.c index XXXXXXX..XXXXXXX 100644 --- a/hw/block/m25p80.c +++ b/hw/block/m25p80.c @@ -XXX,XX +XXX,XX @@ static const FlashPartInfo known_devices[] = { { INFO("n25q128a13", 0x20ba18, 0, 64 << 10, 256, ER_4K) }, { INFO("n25q256a11", 0x20bb19, 0, 64 << 10, 512, ER_4K) }, { INFO("n25q256a13", 0x20ba19, 0, 64 << 10, 512, ER_4K) }, + { INFO("n25q512a11", 0x20bb20, 0, 64 << 10, 1024, ER_4K) }, + { INFO("n25q512a13", 0x20ba20, 0, 64 << 10, 1024, ER_4K) }, { INFO("n25q128", 0x20ba18, 0, 64 << 10, 256, 0) }, { INFO("n25q256a", 0x20ba19, 0, 64 << 10, 512, ER_4K) }, { INFO("n25q512a", 0x20ba20, 0, 64 << 10, 1024, ER_4K) }, -- 2.7.4 From: Francisco Iglesias <frasse.iglesias@gmail.com> Move the FlashCMD enum, XilinxQSPIPS and XilinxSPIPSClass structures to the header for consistency (struct XilinxSPIPS is found there). Also move out a define and remove two double included headers (while touching the code). Finally, add 4 byte address commands to the FlashCMD enum. Signed-off-by: Francisco Iglesias <frasse.iglesias@gmail.com> Reviewed-by: Alistair Francis <alistair.francis@xilinx.com> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Message-id: 20171126231634.9531-6-frasse.iglesias@gmail.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- include/hw/ssi/xilinx_spips.h | 34 ++++++++++++++++++++++++++++++++++ hw/ssi/xilinx_spips.c | 35 ----------------------------------- 2 files changed, 34 insertions(+), 35 deletions(-) diff --git a/include/hw/ssi/xilinx_spips.h b/include/hw/ssi/xilinx_spips.h index XXXXXXX..XXXXXXX 100644 --- a/include/hw/ssi/xilinx_spips.h +++ b/include/hw/ssi/xilinx_spips.h @@ -XXX,XX +XXX,XX @@ typedef struct XilinxSPIPS XilinxSPIPS; #define XLNX_SPIPS_R_MAX (0x100 / 4) +/* Bite off 4k chunks at a time */ +#define LQSPI_CACHE_SIZE 1024 + +typedef enum { + READ = 0x3, READ_4 = 0x13, + FAST_READ = 0xb, FAST_READ_4 = 0x0c, + DOR = 0x3b, DOR_4 = 0x3c, + QOR = 0x6b, QOR_4 = 0x6c, + DIOR = 0xbb, DIOR_4 = 0xbc, + QIOR = 0xeb, QIOR_4 = 0xec, + + PP = 0x2, PP_4 = 0x12, + DPP = 0xa2, + QPP = 0x32, QPP_4 = 0x34, +} FlashCMD; + struct XilinxSPIPS { SysBusDevice parent_obj; @@ -XXX,XX +XXX,XX @@ struct XilinxSPIPS { uint32_t regs[XLNX_SPIPS_R_MAX]; }; +typedef struct { + XilinxSPIPS parent_obj; + + uint8_t lqspi_buf[LQSPI_CACHE_SIZE]; + hwaddr lqspi_cached_addr; + Error *migration_blocker; + bool mmio_execution_enabled; +} XilinxQSPIPS; + +typedef struct XilinxSPIPSClass { + SysBusDeviceClass parent_class; + + const MemoryRegionOps *reg_ops; + + uint32_t rx_fifo_size; + uint32_t tx_fifo_size; +} XilinxSPIPSClass; + #define TYPE_XILINX_SPIPS "xlnx.ps7-spi" #define TYPE_XILINX_QSPIPS "xlnx.ps7-qspi" diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c index XXXXXXX..XXXXXXX 100644 --- a/hw/ssi/xilinx_spips.c +++ b/hw/ssi/xilinx_spips.c @@ -XXX,XX +XXX,XX @@ #include "sysemu/sysemu.h" #include "hw/ptimer.h" #include "qemu/log.h" -#include "qemu/fifo8.h" -#include "hw/ssi/ssi.h" #include "qemu/bitops.h" #include "hw/ssi/xilinx_spips.h" #include "qapi/error.h" @@ -XXX,XX +XXX,XX @@ /* 16MB per linear region */ #define LQSPI_ADDRESS_BITS 24 -/* Bite off 4k chunks at a time */ -#define LQSPI_CACHE_SIZE 1024 #define SNOOP_CHECKING 0xFF #define SNOOP_NONE 0xFE #define SNOOP_STRIPING 0 -typedef enum { - READ = 0x3, - FAST_READ = 0xb, - DOR = 0x3b, - QOR = 0x6b, - DIOR = 0xbb, - QIOR = 0xeb, - - PP = 0x2, - DPP = 0xa2, - QPP = 0x32, -} FlashCMD; - -typedef struct { - XilinxSPIPS parent_obj; - - uint8_t lqspi_buf[LQSPI_CACHE_SIZE]; - hwaddr lqspi_cached_addr; - Error *migration_blocker; - bool mmio_execution_enabled; -} XilinxQSPIPS; - -typedef struct XilinxSPIPSClass { - SysBusDeviceClass parent_class; - - const MemoryRegionOps *reg_ops; - - uint32_t rx_fifo_size; - uint32_t tx_fifo_size; -} XilinxSPIPSClass; - static inline int num_effective_busses(XilinxSPIPS *s) { return (s->regs[R_LQSPI_CFG] & LQSPI_CFG_SEP_BUS && -- 2.7.4 From: Francisco Iglesias <frasse.iglesias@gmail.com> Update striping functionality to be big-endian bit order (as according to the Zynq-7000 Technical Reference Manual). Output thereafter the even bits into the flash memory connected to the lower QSPI bus and the odd bits into the flash memory connected to the upper QSPI bus. Signed-off-by: Francisco Iglesias <frasse.iglesias@gmail.com> Acked-by: Alistair Francis <alistair.francis@xilinx.com> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Message-id: 20171126231634.9531-7-frasse.iglesias@gmail.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- hw/ssi/xilinx_spips.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c index XXXXXXX..XXXXXXX 100644 --- a/hw/ssi/xilinx_spips.c +++ b/hw/ssi/xilinx_spips.c @@ -XXX,XX +XXX,XX @@ static void xilinx_spips_reset(DeviceState *d) xilinx_spips_update_cs_lines(s); } -/* N way (num) in place bit striper. Lay out row wise bits (LSB to MSB) +/* N way (num) in place bit striper. Lay out row wise bits (MSB to LSB) * column wise (from element 0 to N-1). num is the length of x, and dir * reverses the direction of the transform. Best illustrated by example: * Each digit in the below array is a single bit (num == 3): * - * {{ 76543210, } ----- stripe (dir == false) -----> {{ FCheb630, } - * { hgfedcba, } { GDAfc741, } - * { HGFEDCBA, }} <---- upstripe (dir == true) ----- { HEBgda52, }} + * {{ 76543210, } ----- stripe (dir == false) -----> {{ 741gdaFC, } + * { hgfedcba, } { 630fcHEB, } + * { HGFEDCBA, }} <---- upstripe (dir == true) ----- { 52hebGDA, }} */ static inline void stripe8(uint8_t *x, int num, bool dir) @@ -XXX,XX +XXX,XX @@ static inline void stripe8(uint8_t *x, int num, bool dir) uint8_t r[num]; memset(r, 0, sizeof(uint8_t) * num); int idx[2] = {0, 0}; - int bit[2] = {0, 0}; + int bit[2] = {0, 7}; int d = dir; for (idx[0] = 0; idx[0] < num; ++idx[0]) { - for (bit[0] = 0; bit[0] < 8; ++bit[0]) { - r[idx[d]] |= x[idx[!d]] & 1 << bit[!d] ? 1 << bit[d] : 0; + for (bit[0] = 7; bit[0] >= 0; bit[0]--) { + r[idx[!d]] |= x[idx[d]] & 1 << bit[d] ? 1 << bit[!d] : 0; idx[1] = (idx[1] + 1) % num; if (!idx[1]) { - bit[1]++; + bit[1]--; } } } @@ -XXX,XX +XXX,XX @@ static void xilinx_spips_flush_txfifo(XilinxSPIPS *s) } for (i = 0; i < num_effective_busses(s); ++i) { + int bus = num_effective_busses(s) - 1 - i; DB_PRINT_L(debug_level, "tx = %02x\n", tx_rx[i]); - tx_rx[i] = ssi_transfer(s->spi[i], (uint32_t)tx_rx[i]); + tx_rx[i] = ssi_transfer(s->spi[bus], (uint32_t)tx_rx[i]); DB_PRINT_L(debug_level, "rx = %02x\n", tx_rx[i]); } -- 2.7.4 From: Francisco Iglesias <frasse.iglesias@gmail.com> Add support for the RX discard and RX drain functionality. Also transmit one byte per dummy cycle (to the flash memories) with commands that require these. Signed-off-by: Francisco Iglesias <frasse.iglesias@gmail.com> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Message-id: 20171126231634.9531-8-frasse.iglesias@gmail.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- include/hw/ssi/xilinx_spips.h | 6 ++ hw/ssi/xilinx_spips.c | 167 +++++++++++++++++++++++++++++++++++++----- 2 files changed, 155 insertions(+), 18 deletions(-) diff --git a/include/hw/ssi/xilinx_spips.h b/include/hw/ssi/xilinx_spips.h index XXXXXXX..XXXXXXX 100644 --- a/include/hw/ssi/xilinx_spips.h +++ b/include/hw/ssi/xilinx_spips.h @@ -XXX,XX +XXX,XX @@ struct XilinxSPIPS { uint8_t num_busses; uint8_t snoop_state; + int cmd_dummies; + uint8_t link_state; + uint8_t link_state_next; + uint8_t link_state_next_when; qemu_irq *cs_lines; + bool *cs_lines_state; SSIBus **spi; Fifo8 rx_fifo; Fifo8 tx_fifo; uint8_t num_txrx_bytes; + uint32_t rx_discard; uint32_t regs[XLNX_SPIPS_R_MAX]; }; diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c index XXXXXXX..XXXXXXX 100644 --- a/hw/ssi/xilinx_spips.c +++ b/hw/ssi/xilinx_spips.c @@ -XXX,XX +XXX,XX @@ #include "qemu/bitops.h" #include "hw/ssi/xilinx_spips.h" #include "qapi/error.h" +#include "hw/register.h" #include "migration/blocker.h" #ifndef XILINX_SPIPS_ERR_DEBUG @@ -XXX,XX +XXX,XX @@ #define LQSPI_CFG_DUMMY_SHIFT 8 #define LQSPI_CFG_INST_CODE 0xFF +#define R_CMND (0xc0 / 4) + #define R_CMND_RXFIFO_DRAIN (1 << 19) + FIELD(CMND, PARTIAL_BYTE_LEN, 16, 3) +#define R_CMND_EXT_ADD (1 << 15) + FIELD(CMND, RX_DISCARD, 8, 7) + FIELD(CMND, DUMMY_CYCLES, 2, 6) +#define R_CMND_DMA_EN (1 << 1) +#define R_CMND_PUSH_WAIT (1 << 0) #define R_LQSPI_STS (0xA4 / 4) #define LQSPI_STS_WR_RECVD (1 << 1) @@ -XXX,XX +XXX,XX @@ #define LQSPI_ADDRESS_BITS 24 #define SNOOP_CHECKING 0xFF -#define SNOOP_NONE 0xFE +#define SNOOP_ADDR 0xF0 +#define SNOOP_NONE 0xEE #define SNOOP_STRIPING 0 static inline int num_effective_busses(XilinxSPIPS *s) @@ -XXX,XX +XXX,XX @@ static void xilinx_spips_update_cs_lines(XilinxSPIPS *s) if (xilinx_spips_cs_is_set(s, i, field) && !found) { DB_PRINT_L(0, "selecting slave %d\n", i); qemu_set_irq(s->cs_lines[cs_to_set], 0); + if (s->cs_lines_state[cs_to_set]) { + s->cs_lines_state[cs_to_set] = false; + s->rx_discard = ARRAY_FIELD_EX32(s->regs, CMND, RX_DISCARD); + } } else { DB_PRINT_L(0, "deselecting slave %d\n", i); qemu_set_irq(s->cs_lines[cs_to_set], 1); + s->cs_lines_state[cs_to_set] = true; } } if (xilinx_spips_cs_is_set(s, i, field)) { @@ -XXX,XX +XXX,XX @@ static void xilinx_spips_update_cs_lines(XilinxSPIPS *s) } if (!found) { s->snoop_state = SNOOP_CHECKING; + s->cmd_dummies = 0; + s->link_state = 1; + s->link_state_next = 1; + s->link_state_next_when = 0; DB_PRINT_L(1, "moving to snoop check state\n"); } } @@ -XXX,XX +XXX,XX @@ static void xilinx_spips_reset(DeviceState *d) /* FIXME: move magic number definition somewhere sensible */ s->regs[R_MOD_ID] = 0x01090106; s->regs[R_LQSPI_CFG] = R_LQSPI_CFG_RESET; + s->link_state = 1; + s->link_state_next = 1; + s->link_state_next_when = 0; s->snoop_state = SNOOP_CHECKING; + s->cmd_dummies = 0; xilinx_spips_update_ixr(s); xilinx_spips_update_cs_lines(s); } @@ -XXX,XX +XXX,XX @@ static inline void stripe8(uint8_t *x, int num, bool dir) memcpy(x, r, sizeof(uint8_t) * num); } +static int xilinx_spips_num_dummies(XilinxQSPIPS *qs, uint8_t command) +{ + if (!qs) { + /* The SPI device is not a QSPI device */ + return -1; + } + + switch (command) { /* check for dummies */ + case READ: /* no dummy bytes/cycles */ + case PP: + case DPP: + case QPP: + case READ_4: + case PP_4: + case QPP_4: + return 0; + case FAST_READ: + case DOR: + case QOR: + case DOR_4: + case QOR_4: + return 1; + case DIOR: + case FAST_READ_4: + case DIOR_4: + return 2; + case QIOR: + case QIOR_4: + return 5; + default: + return -1; + } +} + +static inline uint8_t get_addr_length(XilinxSPIPS *s, uint8_t cmd) +{ + switch (cmd) { + case PP_4: + case QPP_4: + case READ_4: + case QIOR_4: + case FAST_READ_4: + case DOR_4: + case QOR_4: + case DIOR_4: + return 4; + default: + return (s->regs[R_CMND] & R_CMND_EXT_ADD) ? 4 : 3; + } +} + static void xilinx_spips_flush_txfifo(XilinxSPIPS *s) { int debug_level = 0; + XilinxQSPIPS *q = (XilinxQSPIPS *) object_dynamic_cast(OBJECT(s), + TYPE_XILINX_QSPIPS); for (;;) { int i; uint8_t tx = 0; uint8_t tx_rx[num_effective_busses(s)]; + uint8_t dummy_cycles = 0; + uint8_t addr_length; if (fifo8_is_empty(&s->tx_fifo)) { if (!(s->regs[R_LQSPI_CFG] & LQSPI_CFG_LQ_MODE)) { @@ -XXX,XX +XXX,XX @@ static void xilinx_spips_flush_txfifo(XilinxSPIPS *s) tx_rx[i] = fifo8_pop(&s->tx_fifo); } stripe8(tx_rx, num_effective_busses(s), false); - } else { + } else if (s->snoop_state >= SNOOP_ADDR) { tx = fifo8_pop(&s->tx_fifo); for (i = 0; i < num_effective_busses(s); ++i) { tx_rx[i] = tx; } + } else { + /* Extract a dummy byte and generate dummy cycles according to the + * link state */ + tx = fifo8_pop(&s->tx_fifo); + dummy_cycles = 8 / s->link_state; } for (i = 0; i < num_effective_busses(s); ++i) { int bus = num_effective_busses(s) - 1 - i; - DB_PRINT_L(debug_level, "tx = %02x\n", tx_rx[i]); - tx_rx[i] = ssi_transfer(s->spi[bus], (uint32_t)tx_rx[i]); - DB_PRINT_L(debug_level, "rx = %02x\n", tx_rx[i]); + if (dummy_cycles) { + int d; + for (d = 0; d < dummy_cycles; ++d) { + tx_rx[0] = ssi_transfer(s->spi[bus], (uint32_t)tx_rx[0]); + } + } else { + DB_PRINT_L(debug_level, "tx = %02x\n", tx_rx[i]); + tx_rx[i] = ssi_transfer(s->spi[bus], (uint32_t)tx_rx[i]); + DB_PRINT_L(debug_level, "rx = %02x\n", tx_rx[i]); + } } - if (fifo8_is_full(&s->rx_fifo)) { + if (s->regs[R_CMND] & R_CMND_RXFIFO_DRAIN) { + DB_PRINT_L(debug_level, "dircarding drained rx byte\n"); + /* Do nothing */ + } else if (s->rx_discard) { + DB_PRINT_L(debug_level, "dircarding discarded rx byte\n"); + s->rx_discard -= 8 / s->link_state; + } else if (fifo8_is_full(&s->rx_fifo)) { s->regs[R_INTR_STATUS] |= IXR_RX_FIFO_OVERFLOW; DB_PRINT_L(0, "rx FIFO overflow"); } else if (s->snoop_state == SNOOP_STRIPING) { stripe8(tx_rx, num_effective_busses(s), true); for (i = 0; i < num_effective_busses(s); ++i) { fifo8_push(&s->rx_fifo, (uint8_t)tx_rx[i]); + DB_PRINT_L(debug_level, "pushing striped rx byte\n"); } } else { + DB_PRINT_L(debug_level, "pushing unstriped rx byte\n"); fifo8_push(&s->rx_fifo, (uint8_t)tx_rx[0]); } + if (s->link_state_next_when) { + s->link_state_next_when--; + if (!s->link_state_next_when) { + s->link_state = s->link_state_next; + } + } + DB_PRINT_L(debug_level, "initial snoop state: %x\n", (unsigned)s->snoop_state); switch (s->snoop_state) { case (SNOOP_CHECKING): - switch (tx) { /* new instruction code */ - case READ: /* 3 address bytes, no dummy bytes/cycles */ - case PP: + /* Store the count of dummy bytes in the txfifo */ + s->cmd_dummies = xilinx_spips_num_dummies(q, tx); + addr_length = get_addr_length(s, tx); + if (s->cmd_dummies < 0) { + s->snoop_state = SNOOP_NONE; + } else { + s->snoop_state = SNOOP_ADDR + addr_length - 1; + } + switch (tx) { case DPP: - case QPP: - s->snoop_state = 3; - break; - case FAST_READ: /* 3 address bytes, 1 dummy byte */ case DOR: + case DOR_4: + s->link_state_next = 2; + s->link_state_next_when = addr_length + s->cmd_dummies; + break; + case QPP: + case QPP_4: case QOR: - case DIOR: /* FIXME: these vary between vendor - set to spansion */ - s->snoop_state = 4; + case QOR_4: + s->link_state_next = 4; + s->link_state_next_when = addr_length + s->cmd_dummies; + break; + case DIOR: + case DIOR_4: + s->link_state = 2; break; - case QIOR: /* 3 address bytes, 2 dummy bytes */ - s->snoop_state = 6; + case QIOR: + case QIOR_4: + s->link_state = 4; break; - default: + } + break; + case (SNOOP_ADDR): + /* Address has been transmitted, transmit dummy cycles now if + * needed */ + if (s->cmd_dummies < 0) { s->snoop_state = SNOOP_NONE; + } else { + s->snoop_state = s->cmd_dummies; } break; case (SNOOP_STRIPING): @@ -XXX,XX +XXX,XX @@ static void xilinx_qspips_write(void *opaque, hwaddr addr, uint64_t value, unsigned size) { XilinxQSPIPS *q = XILINX_QSPIPS(opaque); + XilinxSPIPS *s = XILINX_SPIPS(opaque); xilinx_spips_write(opaque, addr, value, size); addr >>= 2; @@ -XXX,XX +XXX,XX @@ static void xilinx_qspips_write(void *opaque, hwaddr addr, if (addr == R_LQSPI_CFG) { xilinx_qspips_invalidate_mmio_ptr(q); } + if (s->regs[R_CMND] & R_CMND_RXFIFO_DRAIN) { + fifo8_reset(&s->rx_fifo); + } } static const MemoryRegionOps qspips_ops = { @@ -XXX,XX +XXX,XX @@ static void xilinx_spips_realize(DeviceState *dev, Error **errp) } s->cs_lines = g_new0(qemu_irq, s->num_cs * s->num_busses); + s->cs_lines_state = g_new0(bool, s->num_cs * s->num_busses); for (i = 0, cs = s->cs_lines; i < s->num_busses; ++i, cs += s->num_cs) { ssi_auto_connect_slaves(DEVICE(s), cs, s->spi[i]); } -- 2.7.4 From: Francisco Iglesias <frasse.iglesias@gmail.com> Make tx/rx_data_bytes more generic so they can be reused (when adding support for the Zynqmp Generic QSPI). Signed-off-by: Francisco Iglesias <frasse.iglesias@gmail.com> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Message-id: 20171126231634.9531-9-frasse.iglesias@gmail.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- hw/ssi/xilinx_spips.c | 64 +++++++++++++++++++++++++++++---------------------- 1 file changed, 37 insertions(+), 27 deletions(-) diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c index XXXXXXX..XXXXXXX 100644 --- a/hw/ssi/xilinx_spips.c +++ b/hw/ssi/xilinx_spips.c @@ -XXX,XX +XXX,XX @@ /* config register */ #define R_CONFIG (0x00 / 4) #define IFMODE (1U << 31) -#define ENDIAN (1 << 26) +#define R_CONFIG_ENDIAN (1 << 26) #define MODEFAIL_GEN_EN (1 << 17) #define MAN_START_COM (1 << 16) #define MAN_START_EN (1 << 15) @@ -XXX,XX +XXX,XX @@ static void xilinx_spips_flush_txfifo(XilinxSPIPS *s) } } -static inline void rx_data_bytes(XilinxSPIPS *s, uint8_t *value, int max) +static inline void tx_data_bytes(Fifo8 *fifo, uint32_t value, int num, bool be) { int i; + for (i = 0; i < num && !fifo8_is_full(fifo); ++i) { + if (be) { + fifo8_push(fifo, (uint8_t)(value >> 24)); + value <<= 8; + } else { + fifo8_push(fifo, (uint8_t)value); + value >>= 8; + } + } +} - for (i = 0; i < max && !fifo8_is_empty(&s->rx_fifo); ++i) { - value[i] = fifo8_pop(&s->rx_fifo); +static inline int rx_data_bytes(Fifo8 *fifo, uint8_t *value, int max) +{ + int i; + + for (i = 0; i < max && !fifo8_is_empty(fifo); ++i) { + value[i] = fifo8_pop(fifo); } + return max - i; } static uint64_t xilinx_spips_read(void *opaque, hwaddr addr, @@ -XXX,XX +XXX,XX @@ static uint64_t xilinx_spips_read(void *opaque, hwaddr addr, uint32_t mask = ~0; uint32_t ret; uint8_t rx_buf[4]; + int shortfall; addr >>= 2; switch (addr) { @@ -XXX,XX +XXX,XX @@ static uint64_t xilinx_spips_read(void *opaque, hwaddr addr, break; case R_RX_DATA: memset(rx_buf, 0, sizeof(rx_buf)); - rx_data_bytes(s, rx_buf, s->num_txrx_bytes); - ret = s->regs[R_CONFIG] & ENDIAN ? cpu_to_be32(*(uint32_t *)rx_buf) - : cpu_to_le32(*(uint32_t *)rx_buf); + shortfall = rx_data_bytes(&s->rx_fifo, rx_buf, s->num_txrx_bytes); + ret = s->regs[R_CONFIG] & R_CONFIG_ENDIAN ? + cpu_to_be32(*(uint32_t *)rx_buf) : + cpu_to_le32(*(uint32_t *)rx_buf); + if (!(s->regs[R_CONFIG] & R_CONFIG_ENDIAN)) { + ret <<= 8 * shortfall; + } DB_PRINT_L(0, "addr=" TARGET_FMT_plx " = %x\n", addr * 4, ret); xilinx_spips_update_ixr(s); return ret; @@ -XXX,XX +XXX,XX @@ static uint64_t xilinx_spips_read(void *opaque, hwaddr addr, } -static inline void tx_data_bytes(XilinxSPIPS *s, uint32_t value, int num) -{ - int i; - for (i = 0; i < num && !fifo8_is_full(&s->tx_fifo); ++i) { - if (s->regs[R_CONFIG] & ENDIAN) { - fifo8_push(&s->tx_fifo, (uint8_t)(value >> 24)); - value <<= 8; - } else { - fifo8_push(&s->tx_fifo, (uint8_t)value); - value >>= 8; - } - } -} - static void xilinx_spips_write(void *opaque, hwaddr addr, uint64_t value, unsigned size) { @@ -XXX,XX +XXX,XX @@ static void xilinx_spips_write(void *opaque, hwaddr addr, mask = 0; break; case R_TX_DATA: - tx_data_bytes(s, (uint32_t)value, s->num_txrx_bytes); + tx_data_bytes(&s->tx_fifo, (uint32_t)value, s->num_txrx_bytes, + s->regs[R_CONFIG] & R_CONFIG_ENDIAN); goto no_reg_update; case R_TXD1: - tx_data_bytes(s, (uint32_t)value, 1); + tx_data_bytes(&s->tx_fifo, (uint32_t)value, 1, + s->regs[R_CONFIG] & R_CONFIG_ENDIAN); goto no_reg_update; case R_TXD2: - tx_data_bytes(s, (uint32_t)value, 2); + tx_data_bytes(&s->tx_fifo, (uint32_t)value, 2, + s->regs[R_CONFIG] & R_CONFIG_ENDIAN); goto no_reg_update; case R_TXD3: - tx_data_bytes(s, (uint32_t)value, 3); + tx_data_bytes(&s->tx_fifo, (uint32_t)value, 3, + s->regs[R_CONFIG] & R_CONFIG_ENDIAN); goto no_reg_update; } s->regs[addr] = (s->regs[addr] & ~mask) | (value & mask); @@ -XXX,XX +XXX,XX @@ static void lqspi_load_cache(void *opaque, hwaddr addr) while (cache_entry < LQSPI_CACHE_SIZE) { for (i = 0; i < 64; ++i) { - tx_data_bytes(s, 0, 1); + tx_data_bytes(&s->tx_fifo, 0, 1, false); } xilinx_spips_flush_txfifo(s); for (i = 0; i < 64; ++i) { - rx_data_bytes(s, &q->lqspi_buf[cache_entry++], 1); + rx_data_bytes(&s->rx_fifo, &q->lqspi_buf[cache_entry++], 1); } } -- 2.7.4 From: Francisco Iglesias <frasse.iglesias@gmail.com> Add support for zero pumping according to the transfer size register. Signed-off-by: Francisco Iglesias <frasse.iglesias@gmail.com> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Message-id: 20171126231634.9531-10-frasse.iglesias@gmail.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- include/hw/ssi/xilinx_spips.h | 2 ++ hw/ssi/xilinx_spips.c | 47 ++++++++++++++++++++++++++++++++++++------- 2 files changed, 42 insertions(+), 7 deletions(-) diff --git a/include/hw/ssi/xilinx_spips.h b/include/hw/ssi/xilinx_spips.h index XXXXXXX..XXXXXXX 100644 --- a/include/hw/ssi/xilinx_spips.h +++ b/include/hw/ssi/xilinx_spips.h @@ -XXX,XX +XXX,XX @@ struct XilinxSPIPS { uint32_t rx_discard; uint32_t regs[XLNX_SPIPS_R_MAX]; + + bool man_start_com; }; typedef struct { diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c index XXXXXXX..XXXXXXX 100644 --- a/hw/ssi/xilinx_spips.c +++ b/hw/ssi/xilinx_spips.c @@ -XXX,XX +XXX,XX @@ FIELD(CMND, DUMMY_CYCLES, 2, 6) #define R_CMND_DMA_EN (1 << 1) #define R_CMND_PUSH_WAIT (1 << 0) +#define R_TRANSFER_SIZE (0xc4 / 4) #define R_LQSPI_STS (0xA4 / 4) #define LQSPI_STS_WR_RECVD (1 << 1) @@ -XXX,XX +XXX,XX @@ static void xilinx_spips_reset(DeviceState *d) s->link_state_next_when = 0; s->snoop_state = SNOOP_CHECKING; s->cmd_dummies = 0; + s->man_start_com = false; xilinx_spips_update_ixr(s); xilinx_spips_update_cs_lines(s); } @@ -XXX,XX +XXX,XX @@ static inline void tx_data_bytes(Fifo8 *fifo, uint32_t value, int num, bool be) } } +static void xilinx_spips_check_zero_pump(XilinxSPIPS *s) +{ + if (!s->regs[R_TRANSFER_SIZE]) { + return; + } + if (!fifo8_is_empty(&s->tx_fifo) && s->regs[R_CMND] & R_CMND_PUSH_WAIT) { + return; + } + /* + * The zero pump must never fill tx fifo such that rx overflow is + * possible + */ + while (s->regs[R_TRANSFER_SIZE] && + s->rx_fifo.num + s->tx_fifo.num < RXFF_A_Q - 3) { + /* endianess just doesn't matter when zero pumping */ + tx_data_bytes(&s->tx_fifo, 0, 4, false); + s->regs[R_TRANSFER_SIZE] &= ~0x03ull; + s->regs[R_TRANSFER_SIZE] -= 4; + } +} + +static void xilinx_spips_check_flush(XilinxSPIPS *s) +{ + if (s->man_start_com || + (!fifo8_is_empty(&s->tx_fifo) && + !(s->regs[R_CONFIG] & MAN_START_EN))) { + xilinx_spips_check_zero_pump(s); + xilinx_spips_flush_txfifo(s); + } + if (fifo8_is_empty(&s->tx_fifo) && !s->regs[R_TRANSFER_SIZE]) { + s->man_start_com = false; + } + xilinx_spips_update_ixr(s); +} + static inline int rx_data_bytes(Fifo8 *fifo, uint8_t *value, int max) { int i; @@ -XXX,XX +XXX,XX @@ static void xilinx_spips_write(void *opaque, hwaddr addr, uint64_t value, unsigned size) { int mask = ~0; - int man_start_com = 0; XilinxSPIPS *s = opaque; DB_PRINT_L(0, "addr=" TARGET_FMT_plx " = %x\n", addr, (unsigned)value); @@ -XXX,XX +XXX,XX @@ static void xilinx_spips_write(void *opaque, hwaddr addr, switch (addr) { case R_CONFIG: mask = ~(R_CONFIG_RSVD | MAN_START_COM); - if (value & MAN_START_COM) { - man_start_com = 1; + if ((value & MAN_START_COM) && (s->regs[R_CONFIG] & MAN_START_EN)) { + s->man_start_com = true; } break; case R_INTR_STATUS: @@ -XXX,XX +XXX,XX @@ static void xilinx_spips_write(void *opaque, hwaddr addr, s->regs[addr] = (s->regs[addr] & ~mask) | (value & mask); no_reg_update: xilinx_spips_update_cs_lines(s); - if ((man_start_com && s->regs[R_CONFIG] & MAN_START_EN) || - (fifo8_is_empty(&s->tx_fifo) && s->regs[R_CONFIG] & MAN_START_EN)) { - xilinx_spips_flush_txfifo(s); - } + xilinx_spips_check_flush(s); xilinx_spips_update_cs_lines(s); xilinx_spips_update_ixr(s); } -- 2.7.4 From: Francisco Iglesias <frasse.iglesias@gmail.com> Add support for 4 byte addresses in the LQSPI and correct LQSPI_CFG_SEP_BUS. Signed-off-by: Francisco Iglesias <frasse.iglesias@gmail.com> Reviewed-by: Alistair Francis <alistair.francis@xilinx.com> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Message-id: 20171126231634.9531-11-frasse.iglesias@gmail.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- hw/ssi/xilinx_spips.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c index XXXXXXX..XXXXXXX 100644 --- a/hw/ssi/xilinx_spips.c +++ b/hw/ssi/xilinx_spips.c @@ -XXX,XX +XXX,XX @@ #define R_LQSPI_CFG_RESET 0x03A002EB #define LQSPI_CFG_LQ_MODE (1U << 31) #define LQSPI_CFG_TWO_MEM (1 << 30) -#define LQSPI_CFG_SEP_BUS (1 << 30) +#define LQSPI_CFG_SEP_BUS (1 << 29) #define LQSPI_CFG_U_PAGE (1 << 28) +#define LQSPI_CFG_ADDR4 (1 << 27) #define LQSPI_CFG_MODE_EN (1 << 25) #define LQSPI_CFG_MODE_WIDTH 8 #define LQSPI_CFG_MODE_SHIFT 16 @@ -XXX,XX +XXX,XX @@ static void lqspi_load_cache(void *opaque, hwaddr addr) fifo8_push(&s->tx_fifo, s->regs[R_LQSPI_CFG] & LQSPI_CFG_INST_CODE); /* read address */ DB_PRINT_L(0, "pushing read address %06x\n", flash_addr); + if (s->regs[R_LQSPI_CFG] & LQSPI_CFG_ADDR4) { + fifo8_push(&s->tx_fifo, (uint8_t)(flash_addr >> 24)); + } fifo8_push(&s->tx_fifo, (uint8_t)(flash_addr >> 16)); fifo8_push(&s->tx_fifo, (uint8_t)(flash_addr >> 8)); fifo8_push(&s->tx_fifo, (uint8_t)flash_addr); -- 2.7.4 From: Francisco Iglesias <frasse.iglesias@gmail.com> Don't set TX FIFO UNDERFLOW interrupt after transmitting the commands. Also update interrupts after reading out the interrupt status. Signed-off-by: Francisco Iglesias <frasse.iglesias@gmail.com> Acked-by: Alistair Francis <alistair.francis@xilinx.com> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Message-id: 20171126231634.9531-12-frasse.iglesias@gmail.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- hw/ssi/xilinx_spips.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c index XXXXXXX..XXXXXXX 100644 --- a/hw/ssi/xilinx_spips.c +++ b/hw/ssi/xilinx_spips.c @@ -XXX,XX +XXX,XX @@ static void xilinx_spips_flush_txfifo(XilinxSPIPS *s) uint8_t addr_length; if (fifo8_is_empty(&s->tx_fifo)) { - if (!(s->regs[R_LQSPI_CFG] & LQSPI_CFG_LQ_MODE)) { - s->regs[R_INTR_STATUS] |= IXR_TX_FIFO_UNDERFLOW; - } xilinx_spips_update_ixr(s); return; } else if (s->snoop_state == SNOOP_STRIPING) { @@ -XXX,XX +XXX,XX @@ static uint64_t xilinx_spips_read(void *opaque, hwaddr addr, ret = s->regs[addr] & IXR_ALL; s->regs[addr] = 0; DB_PRINT_L(0, "addr=" TARGET_FMT_plx " = %x\n", addr * 4, ret); + xilinx_spips_update_ixr(s); return ret; case R_INTR_MASK: mask = IXR_ALL; -- 2.7.4 From: Francisco Iglesias <frasse.iglesias@gmail.com> Add support for the Zynq Ultrascale MPSoc Generic QSPI. Signed-off-by: Francisco Iglesias <frasse.iglesias@gmail.com> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Message-id: 20171126231634.9531-13-frasse.iglesias@gmail.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- include/hw/ssi/xilinx_spips.h | 32 ++- hw/ssi/xilinx_spips.c | 579 ++++++++++++++++++++++++++++++++++++---- default-configs/arm-softmmu.mak | 2 +- 3 files changed, 564 insertions(+), 49 deletions(-) diff --git a/include/hw/ssi/xilinx_spips.h b/include/hw/ssi/xilinx_spips.h index XXXXXXX..XXXXXXX 100644 --- a/include/hw/ssi/xilinx_spips.h +++ b/include/hw/ssi/xilinx_spips.h @@ -XXX,XX +XXX,XX @@ #define XILINX_SPIPS_H #include "hw/ssi/ssi.h" -#include "qemu/fifo8.h" +#include "qemu/fifo32.h" +#include "hw/stream.h" typedef struct XilinxSPIPS XilinxSPIPS; #define XLNX_SPIPS_R_MAX (0x100 / 4) +#define XLNX_ZYNQMP_SPIPS_R_MAX (0x200 / 4) /* Bite off 4k chunks at a time */ #define LQSPI_CACHE_SIZE 1024 @@ -XXX,XX +XXX,XX @@ typedef struct { bool mmio_execution_enabled; } XilinxQSPIPS; +typedef struct { + XilinxQSPIPS parent_obj; + + StreamSlave *dma; + uint8_t dma_buf[4]; + int gqspi_irqline; + + uint32_t regs[XLNX_ZYNQMP_SPIPS_R_MAX]; + + /* GQSPI has seperate tx/rx fifos */ + Fifo8 rx_fifo_g; + Fifo8 tx_fifo_g; + Fifo32 fifo_g; + /* + * At the end of each generic command, misaligned extra bytes are discard + * or padded to tx and rx respectively to round it out (and avoid need for + * individual byte access. Since we use byte fifos, keep track of the + * alignment WRT to word access. + */ + uint8_t rx_fifo_g_align; + uint8_t tx_fifo_g_align; + bool man_start_com_g; +} XlnxZynqMPQSPIPS; + typedef struct XilinxSPIPSClass { SysBusDeviceClass parent_class; @@ -XXX,XX +XXX,XX @@ typedef struct XilinxSPIPSClass { #define TYPE_XILINX_SPIPS "xlnx.ps7-spi" #define TYPE_XILINX_QSPIPS "xlnx.ps7-qspi" +#define TYPE_XLNX_ZYNQMP_QSPIPS "xlnx.usmp-gqspi" #define XILINX_SPIPS(obj) \ OBJECT_CHECK(XilinxSPIPS, (obj), TYPE_XILINX_SPIPS) @@ -XXX,XX +XXX,XX @@ typedef struct XilinxSPIPSClass { #define XILINX_QSPIPS(obj) \ OBJECT_CHECK(XilinxQSPIPS, (obj), TYPE_XILINX_QSPIPS) +#define XLNX_ZYNQMP_QSPIPS(obj) \ + OBJECT_CHECK(XlnxZynqMPQSPIPS, (obj), TYPE_XLNX_ZYNQMP_QSPIPS) + #endif /* XILINX_SPIPS_H */ diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c index XXXXXXX..XXXXXXX 100644 --- a/hw/ssi/xilinx_spips.c +++ b/hw/ssi/xilinx_spips.c @@ -XXX,XX +XXX,XX @@ #include "hw/ssi/xilinx_spips.h" #include "qapi/error.h" #include "hw/register.h" +#include "sysemu/dma.h" #include "migration/blocker.h" #ifndef XILINX_SPIPS_ERR_DEBUG @@ -XXX,XX +XXX,XX @@ #define R_INTR_DIS (0x0C / 4) #define R_INTR_MASK (0x10 / 4) #define IXR_TX_FIFO_UNDERFLOW (1 << 6) +/* Poll timeout not implemented */ +#define IXR_RX_FIFO_EMPTY (1 << 11) +#define IXR_GENERIC_FIFO_FULL (1 << 10) +#define IXR_GENERIC_FIFO_NOT_FULL (1 << 9) +#define IXR_TX_FIFO_EMPTY (1 << 8) +#define IXR_GENERIC_FIFO_EMPTY (1 << 7) #define IXR_RX_FIFO_FULL (1 << 5) #define IXR_RX_FIFO_NOT_EMPTY (1 << 4) #define IXR_TX_FIFO_FULL (1 << 3) #define IXR_TX_FIFO_NOT_FULL (1 << 2) #define IXR_TX_FIFO_MODE_FAIL (1 << 1) #define IXR_RX_FIFO_OVERFLOW (1 << 0) -#define IXR_ALL ((IXR_TX_FIFO_UNDERFLOW<<1)-1) +#define IXR_ALL ((1 << 13) - 1) +#define GQSPI_IXR_MASK 0xFBE +#define IXR_SELF_CLEAR \ +(IXR_GENERIC_FIFO_EMPTY \ +| IXR_GENERIC_FIFO_FULL \ +| IXR_GENERIC_FIFO_NOT_FULL \ +| IXR_TX_FIFO_EMPTY \ +| IXR_TX_FIFO_FULL \ +| IXR_TX_FIFO_NOT_FULL \ +| IXR_RX_FIFO_EMPTY \ +| IXR_RX_FIFO_FULL \ +| IXR_RX_FIFO_NOT_EMPTY) #define R_EN (0x14 / 4) #define R_DELAY (0x18 / 4) @@ -XXX,XX +XXX,XX @@ #define R_MOD_ID (0xFC / 4) +#define R_GQSPI_SELECT (0x144 / 4) + FIELD(GQSPI_SELECT, GENERIC_QSPI_EN, 0, 1) +#define R_GQSPI_ISR (0x104 / 4) +#define R_GQSPI_IER (0x108 / 4) +#define R_GQSPI_IDR (0x10c / 4) +#define R_GQSPI_IMR (0x110 / 4) +#define R_GQSPI_TX_THRESH (0x128 / 4) +#define R_GQSPI_RX_THRESH (0x12c / 4) +#define R_GQSPI_CNFG (0x100 / 4) + FIELD(GQSPI_CNFG, MODE_EN, 30, 2) + FIELD(GQSPI_CNFG, GEN_FIFO_START_MODE, 29, 1) + FIELD(GQSPI_CNFG, GEN_FIFO_START, 28, 1) + FIELD(GQSPI_CNFG, ENDIAN, 26, 1) + /* Poll timeout not implemented */ + FIELD(GQSPI_CNFG, EN_POLL_TIMEOUT, 20, 1) + /* QEMU doesnt care about any of these last three */ + FIELD(GQSPI_CNFG, BR, 3, 3) + FIELD(GQSPI_CNFG, CPH, 2, 1) + FIELD(GQSPI_CNFG, CPL, 1, 1) +#define R_GQSPI_GEN_FIFO (0x140 / 4) +#define R_GQSPI_TXD (0x11c / 4) +#define R_GQSPI_RXD (0x120 / 4) +#define R_GQSPI_FIFO_CTRL (0x14c / 4) + FIELD(GQSPI_FIFO_CTRL, RX_FIFO_RESET, 2, 1) + FIELD(GQSPI_FIFO_CTRL, TX_FIFO_RESET, 1, 1) + FIELD(GQSPI_FIFO_CTRL, GENERIC_FIFO_RESET, 0, 1) +#define R_GQSPI_GFIFO_THRESH (0x150 / 4) +#define R_GQSPI_DATA_STS (0x15c / 4) +/* We use the snapshot register to hold the core state for the currently + * or most recently executed command. So the generic fifo format is defined + * for the snapshot register + */ +#define R_GQSPI_GF_SNAPSHOT (0x160 / 4) + FIELD(GQSPI_GF_SNAPSHOT, POLL, 19, 1) + FIELD(GQSPI_GF_SNAPSHOT, STRIPE, 18, 1) + FIELD(GQSPI_GF_SNAPSHOT, RECIEVE, 17, 1) + FIELD(GQSPI_GF_SNAPSHOT, TRANSMIT, 16, 1) + FIELD(GQSPI_GF_SNAPSHOT, DATA_BUS_SELECT, 14, 2) + FIELD(GQSPI_GF_SNAPSHOT, CHIP_SELECT, 12, 2) + FIELD(GQSPI_GF_SNAPSHOT, SPI_MODE, 10, 2) + FIELD(GQSPI_GF_SNAPSHOT, EXPONENT, 9, 1) + FIELD(GQSPI_GF_SNAPSHOT, DATA_XFER, 8, 1) + FIELD(GQSPI_GF_SNAPSHOT, IMMEDIATE_DATA, 0, 8) +#define R_GQSPI_MOD_ID (0x168 / 4) +#define R_GQSPI_MOD_ID_VALUE 0x010A0000 /* size of TXRX FIFOs */ -#define RXFF_A 32 -#define TXFF_A 32 +#define RXFF_A (128) +#define TXFF_A (128) #define RXFF_A_Q (64 * 4) #define TXFF_A_Q (64 * 4) @@ -XXX,XX +XXX,XX @@ static inline int num_effective_busses(XilinxSPIPS *s) s->regs[R_LQSPI_CFG] & LQSPI_CFG_TWO_MEM) ? s->num_busses : 1; } -static inline bool xilinx_spips_cs_is_set(XilinxSPIPS *s, int i, int field) -{ - return ~field & (1 << i) && (s->regs[R_CONFIG] & MANUAL_CS - || !fifo8_is_empty(&s->tx_fifo)); -} - -static void xilinx_spips_update_cs_lines(XilinxSPIPS *s) +static void xilinx_spips_update_cs(XilinxSPIPS *s, int field) { - int i, j; - bool found = false; - int field = s->regs[R_CONFIG] >> CS_SHIFT; + int i; for (i = 0; i < s->num_cs; i++) { - for (j = 0; j < num_effective_busses(s); j++) { - int upage = !!(s->regs[R_LQSPI_STS] & LQSPI_CFG_U_PAGE); - int cs_to_set = (j * s->num_cs + i + upage) % - (s->num_cs * s->num_busses); - - if (xilinx_spips_cs_is_set(s, i, field) && !found) { - DB_PRINT_L(0, "selecting slave %d\n", i); - qemu_set_irq(s->cs_lines[cs_to_set], 0); - if (s->cs_lines_state[cs_to_set]) { - s->cs_lines_state[cs_to_set] = false; - s->rx_discard = ARRAY_FIELD_EX32(s->regs, CMND, RX_DISCARD); - } - } else { - DB_PRINT_L(0, "deselecting slave %d\n", i); - qemu_set_irq(s->cs_lines[cs_to_set], 1); - s->cs_lines_state[cs_to_set] = true; - } - } - if (xilinx_spips_cs_is_set(s, i, field)) { - found = true; + bool old_state = s->cs_lines_state[i]; + bool new_state = field & (1 << i); + + if (old_state != new_state) { + s->cs_lines_state[i] = new_state; + s->rx_discard = ARRAY_FIELD_EX32(s->regs, CMND, RX_DISCARD); + DB_PRINT_L(1, "%sselecting slave %d\n", new_state ? "" : "de", i); } + qemu_set_irq(s->cs_lines[i], !new_state); } - if (!found) { + if (!(field & ((1 << s->num_cs) - 1))) { s->snoop_state = SNOOP_CHECKING; s->cmd_dummies = 0; s->link_state = 1; @@ -XXX,XX +XXX,XX @@ static void xilinx_spips_update_cs_lines(XilinxSPIPS *s) } } +static void xlnx_zynqmp_qspips_update_cs_lines(XlnxZynqMPQSPIPS *s) +{ + if (s->regs[R_GQSPI_GF_SNAPSHOT]) { + int field = ARRAY_FIELD_EX32(s->regs, GQSPI_GF_SNAPSHOT, CHIP_SELECT); + xilinx_spips_update_cs(XILINX_SPIPS(s), field); + } +} + +static void xilinx_spips_update_cs_lines(XilinxSPIPS *s) +{ + int field = ~((s->regs[R_CONFIG] & CS) >> CS_SHIFT); + + /* In dual parallel, mirror low CS to both */ + if (num_effective_busses(s) == 2) { + /* Single bit chip-select for qspi */ + field &= 0x1; + field |= field << 1; + /* Dual stack U-Page */ + } else if (s->regs[R_LQSPI_CFG] & LQSPI_CFG_TWO_MEM && + s->regs[R_LQSPI_STS] & LQSPI_CFG_U_PAGE) { + /* Single bit chip-select for qspi */ + field &= 0x1; + /* change from CS0 to CS1 */ + field <<= 1; + } + /* Auto CS */ + if (!(s->regs[R_CONFIG] & MANUAL_CS) && + fifo8_is_empty(&s->tx_fifo)) { + field = 0; + } + xilinx_spips_update_cs(s, field); +} + static void xilinx_spips_update_ixr(XilinxSPIPS *s) { - if (s->regs[R_LQSPI_CFG] & LQSPI_CFG_LQ_MODE) { - return; + if (!(s->regs[R_LQSPI_CFG] & LQSPI_CFG_LQ_MODE)) { + s->regs[R_INTR_STATUS] &= ~IXR_SELF_CLEAR; + s->regs[R_INTR_STATUS] |= + (fifo8_is_full(&s->rx_fifo) ? IXR_RX_FIFO_FULL : 0) | + (s->rx_fifo.num >= s->regs[R_RX_THRES] ? + IXR_RX_FIFO_NOT_EMPTY : 0) | + (fifo8_is_full(&s->tx_fifo) ? IXR_TX_FIFO_FULL : 0) | + (fifo8_is_empty(&s->tx_fifo) ? IXR_TX_FIFO_EMPTY : 0) | + (s->tx_fifo.num < s->regs[R_TX_THRES] ? IXR_TX_FIFO_NOT_FULL : 0); } - /* These are set/cleared as they occur */ - s->regs[R_INTR_STATUS] &= (IXR_TX_FIFO_UNDERFLOW | IXR_RX_FIFO_OVERFLOW | - IXR_TX_FIFO_MODE_FAIL); - /* these are pure functions of fifo state, set them here */ - s->regs[R_INTR_STATUS] |= - (fifo8_is_full(&s->rx_fifo) ? IXR_RX_FIFO_FULL : 0) | - (s->rx_fifo.num >= s->regs[R_RX_THRES] ? IXR_RX_FIFO_NOT_EMPTY : 0) | - (fifo8_is_full(&s->tx_fifo) ? IXR_TX_FIFO_FULL : 0) | - (s->tx_fifo.num < s->regs[R_TX_THRES] ? IXR_TX_FIFO_NOT_FULL : 0); - /* drive external interrupt pin */ int new_irqline = !!(s->regs[R_INTR_MASK] & s->regs[R_INTR_STATUS] & IXR_ALL); if (new_irqline != s->irqline) { @@ -XXX,XX +XXX,XX @@ static void xilinx_spips_update_ixr(XilinxSPIPS *s) } } +static void xlnx_zynqmp_qspips_update_ixr(XlnxZynqMPQSPIPS *s) +{ + uint32_t gqspi_int; + int new_irqline; + + s->regs[R_GQSPI_ISR] &= ~IXR_SELF_CLEAR; + s->regs[R_GQSPI_ISR] |= + (fifo32_is_empty(&s->fifo_g) ? IXR_GENERIC_FIFO_EMPTY : 0) | + (fifo32_is_full(&s->fifo_g) ? IXR_GENERIC_FIFO_FULL : 0) | + (s->fifo_g.fifo.num < s->regs[R_GQSPI_GFIFO_THRESH] ? + IXR_GENERIC_FIFO_NOT_FULL : 0) | + (fifo8_is_empty(&s->rx_fifo_g) ? IXR_RX_FIFO_EMPTY : 0) | + (fifo8_is_full(&s->rx_fifo_g) ? IXR_RX_FIFO_FULL : 0) | + (s->rx_fifo_g.num >= s->regs[R_GQSPI_RX_THRESH] ? + IXR_RX_FIFO_NOT_EMPTY : 0) | + (fifo8_is_empty(&s->tx_fifo_g) ? IXR_TX_FIFO_EMPTY : 0) | + (fifo8_is_full(&s->tx_fifo_g) ? IXR_TX_FIFO_FULL : 0) | + (s->tx_fifo_g.num < s->regs[R_GQSPI_TX_THRESH] ? + IXR_TX_FIFO_NOT_FULL : 0); + + /* GQSPI Interrupt Trigger Status */ + gqspi_int = (~s->regs[R_GQSPI_IMR]) & s->regs[R_GQSPI_ISR] & GQSPI_IXR_MASK; + new_irqline = !!(gqspi_int & IXR_ALL); + + /* drive external interrupt pin */ + if (new_irqline != s->gqspi_irqline) { + s->gqspi_irqline = new_irqline; + qemu_set_irq(XILINX_SPIPS(s)->irq, s->gqspi_irqline); + } +} + static void xilinx_spips_reset(DeviceState *d) { XilinxSPIPS *s = XILINX_SPIPS(d); @@ -XXX,XX +XXX,XX @@ static void xilinx_spips_reset(DeviceState *d) xilinx_spips_update_cs_lines(s); } +static void xlnx_zynqmp_qspips_reset(DeviceState *d) +{ + XlnxZynqMPQSPIPS *s = XLNX_ZYNQMP_QSPIPS(d); + int i; + + xilinx_spips_reset(d); + + for (i = 0; i < XLNX_ZYNQMP_SPIPS_R_MAX; i++) { + s->regs[i] = 0; + } + fifo8_reset(&s->rx_fifo_g); + fifo8_reset(&s->rx_fifo_g); + fifo32_reset(&s->fifo_g); + s->regs[R_GQSPI_TX_THRESH] = 1; + s->regs[R_GQSPI_RX_THRESH] = 1; + s->regs[R_GQSPI_GFIFO_THRESH] = 1; + s->regs[R_GQSPI_IMR] = GQSPI_IXR_MASK; + s->man_start_com_g = false; + s->gqspi_irqline = 0; + xlnx_zynqmp_qspips_update_ixr(s); +} + /* N way (num) in place bit striper. Lay out row wise bits (MSB to LSB) * column wise (from element 0 to N-1). num is the length of x, and dir * reverses the direction of the transform. Best illustrated by example: @@ -XXX,XX +XXX,XX @@ static inline void stripe8(uint8_t *x, int num, bool dir) memcpy(x, r, sizeof(uint8_t) * num); } +static void xlnx_zynqmp_qspips_flush_fifo_g(XlnxZynqMPQSPIPS *s) +{ + while (s->regs[R_GQSPI_DATA_STS] || !fifo32_is_empty(&s->fifo_g)) { + uint8_t tx_rx[2] = { 0 }; + int num_stripes = 1; + uint8_t busses; + int i; + + if (!s->regs[R_GQSPI_DATA_STS]) { + uint8_t imm; + + s->regs[R_GQSPI_GF_SNAPSHOT] = fifo32_pop(&s->fifo_g); + DB_PRINT_L(0, "GQSPI command: %x\n", s->regs[R_GQSPI_GF_SNAPSHOT]); + if (!s->regs[R_GQSPI_GF_SNAPSHOT]) { + DB_PRINT_L(0, "Dummy GQSPI Delay Command Entry, Do nothing"); + continue; + } + xlnx_zynqmp_qspips_update_cs_lines(s); + + imm = ARRAY_FIELD_EX32(s->regs, GQSPI_GF_SNAPSHOT, IMMEDIATE_DATA); + if (!ARRAY_FIELD_EX32(s->regs, GQSPI_GF_SNAPSHOT, DATA_XFER)) { + /* immedate transfer */ + if (ARRAY_FIELD_EX32(s->regs, GQSPI_GF_SNAPSHOT, TRANSMIT) || + ARRAY_FIELD_EX32(s->regs, GQSPI_GF_SNAPSHOT, RECIEVE)) { + s->regs[R_GQSPI_DATA_STS] = 1; + /* CS setup/hold - do nothing */ + } else { + s->regs[R_GQSPI_DATA_STS] = 0; + } + } else if (ARRAY_FIELD_EX32(s->regs, GQSPI_GF_SNAPSHOT, EXPONENT)) { + if (imm > 31) { + qemu_log_mask(LOG_UNIMP, "QSPI exponential transfer too" + " long - 2 ^ %" PRId8 " requested\n", imm); + } + s->regs[R_GQSPI_DATA_STS] = 1ul << imm; + } else { + s->regs[R_GQSPI_DATA_STS] = imm; + } + } + /* Zero length transfer check */ + if (!s->regs[R_GQSPI_DATA_STS]) { + continue; + } + if (ARRAY_FIELD_EX32(s->regs, GQSPI_GF_SNAPSHOT, RECIEVE) && + fifo8_is_full(&s->rx_fifo_g)) { + /* No space in RX fifo for transfer - try again later */ + return; + } + if (ARRAY_FIELD_EX32(s->regs, GQSPI_GF_SNAPSHOT, STRIPE) && + (ARRAY_FIELD_EX32(s->regs, GQSPI_GF_SNAPSHOT, TRANSMIT) || + ARRAY_FIELD_EX32(s->regs, GQSPI_GF_SNAPSHOT, RECIEVE))) { + num_stripes = 2; + } + if (!ARRAY_FIELD_EX32(s->regs, GQSPI_GF_SNAPSHOT, DATA_XFER)) { + tx_rx[0] = ARRAY_FIELD_EX32(s->regs, + GQSPI_GF_SNAPSHOT, IMMEDIATE_DATA); + } else if (ARRAY_FIELD_EX32(s->regs, GQSPI_GF_SNAPSHOT, TRANSMIT)) { + for (i = 0; i < num_stripes; ++i) { + if (!fifo8_is_empty(&s->tx_fifo_g)) { + tx_rx[i] = fifo8_pop(&s->tx_fifo_g); + s->tx_fifo_g_align++; + } else { + return; + } + } + } + if (num_stripes == 1) { + /* mirror */ + tx_rx[1] = tx_rx[0]; + } + busses = ARRAY_FIELD_EX32(s->regs, GQSPI_GF_SNAPSHOT, DATA_BUS_SELECT); + for (i = 0; i < 2; ++i) { + DB_PRINT_L(1, "bus %d tx = %02x\n", i, tx_rx[i]); + tx_rx[i] = ssi_transfer(XILINX_SPIPS(s)->spi[i], tx_rx[i]); + DB_PRINT_L(1, "bus %d rx = %02x\n", i, tx_rx[i]); + } + if (s->regs[R_GQSPI_DATA_STS] > 1 && + busses == 0x3 && num_stripes == 2) { + s->regs[R_GQSPI_DATA_STS] -= 2; + } else if (s->regs[R_GQSPI_DATA_STS] > 0) { + s->regs[R_GQSPI_DATA_STS]--; + } + if (ARRAY_FIELD_EX32(s->regs, GQSPI_GF_SNAPSHOT, RECIEVE)) { + for (i = 0; i < 2; ++i) { + if (busses & (1 << i)) { + DB_PRINT_L(1, "bus %d push_byte = %02x\n", i, tx_rx[i]); + fifo8_push(&s->rx_fifo_g, tx_rx[i]); + s->rx_fifo_g_align++; + } + } + } + if (!s->regs[R_GQSPI_DATA_STS]) { + for (; s->tx_fifo_g_align % 4; s->tx_fifo_g_align++) { + fifo8_pop(&s->tx_fifo_g); + } + for (; s->rx_fifo_g_align % 4; s->rx_fifo_g_align++) { + fifo8_push(&s->rx_fifo_g, 0); + } + } + } +} + static int xilinx_spips_num_dummies(XilinxQSPIPS *qs, uint8_t command) { if (!qs) { @@ -XXX,XX +XXX,XX @@ static void xilinx_spips_check_flush(XilinxSPIPS *s) xilinx_spips_update_ixr(s); } +static void xlnx_zynqmp_qspips_check_flush(XlnxZynqMPQSPIPS *s) +{ + bool gqspi_has_work = s->regs[R_GQSPI_DATA_STS] || + !fifo32_is_empty(&s->fifo_g); + + if (ARRAY_FIELD_EX32(s->regs, GQSPI_SELECT, GENERIC_QSPI_EN)) { + if (s->man_start_com_g || (gqspi_has_work && + !ARRAY_FIELD_EX32(s->regs, GQSPI_CNFG, GEN_FIFO_START_MODE))) { + xlnx_zynqmp_qspips_flush_fifo_g(s); + } + } else { + xilinx_spips_check_flush(XILINX_SPIPS(s)); + } + if (!gqspi_has_work) { + s->man_start_com_g = false; + } + xlnx_zynqmp_qspips_update_ixr(s); +} + static inline int rx_data_bytes(Fifo8 *fifo, uint8_t *value, int max) { int i; @@ -XXX,XX +XXX,XX @@ static inline int rx_data_bytes(Fifo8 *fifo, uint8_t *value, int max) return max - i; } +static const void *pop_buf(Fifo8 *fifo, uint32_t max, uint32_t *num) +{ + void *ret; + + if (max == 0 || max > fifo->num) { + abort(); + } + *num = MIN(fifo->capacity - fifo->head, max); + ret = &fifo->data[fifo->head]; + fifo->head += *num; + fifo->head %= fifo->capacity; + fifo->num -= *num; + return ret; +} + +static void xlnx_zynqmp_qspips_notify(void *opaque) +{ + XlnxZynqMPQSPIPS *rq = XLNX_ZYNQMP_QSPIPS(opaque); + XilinxSPIPS *s = XILINX_SPIPS(rq); + Fifo8 *recv_fifo; + + if (ARRAY_FIELD_EX32(rq->regs, GQSPI_SELECT, GENERIC_QSPI_EN)) { + if (!(ARRAY_FIELD_EX32(rq->regs, GQSPI_CNFG, MODE_EN) == 2)) { + return; + } + recv_fifo = &rq->rx_fifo_g; + } else { + if (!(s->regs[R_CMND] & R_CMND_DMA_EN)) { + return; + } + recv_fifo = &s->rx_fifo; + } + while (recv_fifo->num >= 4 + && stream_can_push(rq->dma, xlnx_zynqmp_qspips_notify, rq)) + { + size_t ret; + uint32_t num; + const void *rxd = pop_buf(recv_fifo, 4, &num); + + memcpy(rq->dma_buf, rxd, num); + + ret = stream_push(rq->dma, rq->dma_buf, 4); + assert(ret == 4); + xlnx_zynqmp_qspips_check_flush(rq); + } +} + static uint64_t xilinx_spips_read(void *opaque, hwaddr addr, unsigned size) { @@ -XXX,XX +XXX,XX @@ static uint64_t xilinx_spips_read(void *opaque, hwaddr addr, ret <<= 8 * shortfall; } DB_PRINT_L(0, "addr=" TARGET_FMT_plx " = %x\n", addr * 4, ret); + xilinx_spips_check_flush(s); xilinx_spips_update_ixr(s); return ret; } @@ -XXX,XX +XXX,XX @@ static uint64_t xilinx_spips_read(void *opaque, hwaddr addr, } +static uint64_t xlnx_zynqmp_qspips_read(void *opaque, + hwaddr addr, unsigned size) +{ + XlnxZynqMPQSPIPS *s = XLNX_ZYNQMP_QSPIPS(opaque); + uint32_t reg = addr / 4; + uint32_t ret; + uint8_t rx_buf[4]; + int shortfall; + + if (reg <= R_MOD_ID) { + return xilinx_spips_read(opaque, addr, size); + } else { + switch (reg) { + case R_GQSPI_RXD: + if (fifo8_is_empty(&s->rx_fifo_g)) { + qemu_log_mask(LOG_GUEST_ERROR, + "Read from empty GQSPI RX FIFO\n"); + return 0; + } + memset(rx_buf, 0, sizeof(rx_buf)); + shortfall = rx_data_bytes(&s->rx_fifo_g, rx_buf, + XILINX_SPIPS(s)->num_txrx_bytes); + ret = ARRAY_FIELD_EX32(s->regs, GQSPI_CNFG, ENDIAN) ? + cpu_to_be32(*(uint32_t *)rx_buf) : + cpu_to_le32(*(uint32_t *)rx_buf); + if (!ARRAY_FIELD_EX32(s->regs, GQSPI_CNFG, ENDIAN)) { + ret <<= 8 * shortfall; + } + xlnx_zynqmp_qspips_check_flush(s); + xlnx_zynqmp_qspips_update_ixr(s); + return ret; + default: + return s->regs[reg]; + } + } +} + static void xilinx_spips_write(void *opaque, hwaddr addr, uint64_t value, unsigned size) { @@ -XXX,XX +XXX,XX @@ static void xilinx_qspips_write(void *opaque, hwaddr addr, } } +static void xlnx_zynqmp_qspips_write(void *opaque, hwaddr addr, + uint64_t value, unsigned size) +{ + XlnxZynqMPQSPIPS *s = XLNX_ZYNQMP_QSPIPS(opaque); + uint32_t reg = addr / 4; + + if (reg <= R_MOD_ID) { + xilinx_qspips_write(opaque, addr, value, size); + } else { + switch (reg) { + case R_GQSPI_CNFG: + if (FIELD_EX32(value, GQSPI_CNFG, GEN_FIFO_START) && + ARRAY_FIELD_EX32(s->regs, GQSPI_CNFG, GEN_FIFO_START_MODE)) { + s->man_start_com_g = true; + } + s->regs[reg] = value & ~(R_GQSPI_CNFG_GEN_FIFO_START_MASK); + break; + case R_GQSPI_GEN_FIFO: + if (!fifo32_is_full(&s->fifo_g)) { + fifo32_push(&s->fifo_g, value); + } + break; + case R_GQSPI_TXD: + tx_data_bytes(&s->tx_fifo_g, (uint32_t)value, 4, + ARRAY_FIELD_EX32(s->regs, GQSPI_CNFG, ENDIAN)); + break; + case R_GQSPI_FIFO_CTRL: + if (FIELD_EX32(value, GQSPI_FIFO_CTRL, GENERIC_FIFO_RESET)) { + fifo32_reset(&s->fifo_g); + } + if (FIELD_EX32(value, GQSPI_FIFO_CTRL, TX_FIFO_RESET)) { + fifo8_reset(&s->tx_fifo_g); + } + if (FIELD_EX32(value, GQSPI_FIFO_CTRL, RX_FIFO_RESET)) { + fifo8_reset(&s->rx_fifo_g); + } + break; + case R_GQSPI_IDR: + s->regs[R_GQSPI_IMR] |= value; + break; + case R_GQSPI_IER: + s->regs[R_GQSPI_IMR] &= ~value; + break; + case R_GQSPI_ISR: + s->regs[R_GQSPI_ISR] &= ~value; + break; + case R_GQSPI_IMR: + case R_GQSPI_RXD: + case R_GQSPI_GF_SNAPSHOT: + case R_GQSPI_MOD_ID: + break; + default: + s->regs[reg] = value; + break; + } + xlnx_zynqmp_qspips_update_cs_lines(s); + xlnx_zynqmp_qspips_check_flush(s); + xlnx_zynqmp_qspips_update_cs_lines(s); + xlnx_zynqmp_qspips_update_ixr(s); + } + xlnx_zynqmp_qspips_notify(s); +} + static const MemoryRegionOps qspips_ops = { .read = xilinx_spips_read, .write = xilinx_qspips_write, .endianness = DEVICE_LITTLE_ENDIAN, }; +static const MemoryRegionOps xlnx_zynqmp_qspips_ops = { + .read = xlnx_zynqmp_qspips_read, + .write = xlnx_zynqmp_qspips_write, + .endianness = DEVICE_LITTLE_ENDIAN, +}; + #define LQSPI_CACHE_SIZE 1024 static void lqspi_load_cache(void *opaque, hwaddr addr) @@ -XXX,XX +XXX,XX @@ static void xilinx_spips_realize(DeviceState *dev, Error **errp) } memory_region_init_io(&s->iomem, OBJECT(s), xsc->reg_ops, s, - "spi", XLNX_SPIPS_R_MAX * 4); + "spi", XLNX_ZYNQMP_SPIPS_R_MAX * 4); sysbus_init_mmio(sbd, &s->iomem); s->irqline = -1; @@ -XXX,XX +XXX,XX @@ static void xilinx_qspips_realize(DeviceState *dev, Error **errp) } } +static void xlnx_zynqmp_qspips_realize(DeviceState *dev, Error **errp) +{ + XlnxZynqMPQSPIPS *s = XLNX_ZYNQMP_QSPIPS(dev); + XilinxSPIPSClass *xsc = XILINX_SPIPS_GET_CLASS(s); + + xilinx_qspips_realize(dev, errp); + fifo8_create(&s->rx_fifo_g, xsc->rx_fifo_size); + fifo8_create(&s->tx_fifo_g, xsc->tx_fifo_size); + fifo32_create(&s->fifo_g, 32); +} + +static void xlnx_zynqmp_qspips_init(Object *obj) +{ + XlnxZynqMPQSPIPS *rq = XLNX_ZYNQMP_QSPIPS(obj); + + object_property_add_link(obj, "stream-connected-dma", TYPE_STREAM_SLAVE, + (Object **)&rq->dma, + object_property_allow_set_link, + OBJ_PROP_LINK_UNREF_ON_RELEASE, + NULL); +} + static int xilinx_spips_post_load(void *opaque, int version_id) { xilinx_spips_update_ixr((XilinxSPIPS *)opaque); @@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_xilinx_spips = { } }; +static int xlnx_zynqmp_qspips_post_load(void *opaque, int version_id) +{ + XlnxZynqMPQSPIPS *s = (XlnxZynqMPQSPIPS *)opaque; + XilinxSPIPS *qs = XILINX_SPIPS(s); + + if (ARRAY_FIELD_EX32(s->regs, GQSPI_SELECT, GENERIC_QSPI_EN) && + fifo8_is_empty(&qs->rx_fifo) && fifo8_is_empty(&qs->tx_fifo)) { + xlnx_zynqmp_qspips_update_ixr(s); + xlnx_zynqmp_qspips_update_cs_lines(s); + } + return 0; +} + +static const VMStateDescription vmstate_xilinx_qspips = { + .name = "xilinx_qspips", + .version_id = 1, + .minimum_version_id = 1, + .fields = (VMStateField[]) { + VMSTATE_STRUCT(parent_obj, XilinxQSPIPS, 0, + vmstate_xilinx_spips, XilinxSPIPS), + VMSTATE_END_OF_LIST() + } +}; + +static const VMStateDescription vmstate_xlnx_zynqmp_qspips = { + .name = "xlnx_zynqmp_qspips", + .version_id = 1, + .minimum_version_id = 1, + .post_load = xlnx_zynqmp_qspips_post_load, + .fields = (VMStateField[]) { + VMSTATE_STRUCT(parent_obj, XlnxZynqMPQSPIPS, 0, + vmstate_xilinx_qspips, XilinxQSPIPS), + VMSTATE_FIFO8(tx_fifo_g, XlnxZynqMPQSPIPS), + VMSTATE_FIFO8(rx_fifo_g, XlnxZynqMPQSPIPS), + VMSTATE_FIFO32(fifo_g, XlnxZynqMPQSPIPS), + VMSTATE_UINT32_ARRAY(regs, XlnxZynqMPQSPIPS, XLNX_ZYNQMP_SPIPS_R_MAX), + VMSTATE_END_OF_LIST() + } +}; + static Property xilinx_qspips_properties[] = { /* We had to turn this off for 2.10 as it is not compatible with migration. * It can be enabled but will prevent the device to be migrated. @@ -XXX,XX +XXX,XX @@ static void xilinx_spips_class_init(ObjectClass *klass, void *data) xsc->tx_fifo_size = TXFF_A; } +static void xlnx_zynqmp_qspips_class_init(ObjectClass *klass, void * data) +{ + DeviceClass *dc = DEVICE_CLASS(klass); + XilinxSPIPSClass *xsc = XILINX_SPIPS_CLASS(klass); + + dc->realize = xlnx_zynqmp_qspips_realize; + dc->reset = xlnx_zynqmp_qspips_reset; + dc->vmsd = &vmstate_xlnx_zynqmp_qspips; + xsc->reg_ops = &xlnx_zynqmp_qspips_ops; + xsc->rx_fifo_size = RXFF_A_Q; + xsc->tx_fifo_size = TXFF_A_Q; +} + static const TypeInfo xilinx_spips_info = { .name = TYPE_XILINX_SPIPS, .parent = TYPE_SYS_BUS_DEVICE, @@ -XXX,XX +XXX,XX @@ static const TypeInfo xilinx_qspips_info = { .class_init = xilinx_qspips_class_init, }; +static const TypeInfo xlnx_zynqmp_qspips_info = { + .name = TYPE_XLNX_ZYNQMP_QSPIPS, + .parent = TYPE_XILINX_QSPIPS, + .instance_size = sizeof(XlnxZynqMPQSPIPS), + .instance_init = xlnx_zynqmp_qspips_init, + .class_init = xlnx_zynqmp_qspips_class_init, +}; + static void xilinx_spips_register_types(void) { type_register_static(&xilinx_spips_info); type_register_static(&xilinx_qspips_info); + type_register_static(&xlnx_zynqmp_qspips_info); } type_init(xilinx_spips_register_types) diff --git a/default-configs/arm-softmmu.mak b/default-configs/arm-softmmu.mak index XXXXXXX..XXXXXXX 100644 --- a/default-configs/arm-softmmu.mak +++ b/default-configs/arm-softmmu.mak @@ -XXX,XX +XXX,XX @@ CONFIG_SMBIOS=y CONFIG_ASPEED_SOC=y CONFIG_GPIO_KEY=y CONFIG_MSF2=y - CONFIG_FW_CFG_DMA=y +CONFIG_XILINX_AXI=y -- 2.7.4 From: Francisco Iglesias <frasse.iglesias@gmail.com> Add support for the ZynqMP QSPI (consisting of the Generic QSPI and Legacy QSPI) and connect Numonyx n25q512a11 flashes to it. Signed-off-by: Francisco Iglesias <frasse.iglesias@gmail.com> Reviewed-by: Alistair Francis <alistair.francis@xilinx.com> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Message-id: 20171126231634.9531-14-frasse.iglesias@gmail.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- include/hw/arm/xlnx-zynqmp.h | 5 +++++ hw/arm/xlnx-zcu102.c | 23 +++++++++++++++++++++++ hw/arm/xlnx-zynqmp.c | 26 ++++++++++++++++++++++++++ 3 files changed, 54 insertions(+) diff --git a/include/hw/arm/xlnx-zynqmp.h b/include/hw/arm/xlnx-zynqmp.h index XXXXXXX..XXXXXXX 100644 --- a/include/hw/arm/xlnx-zynqmp.h +++ b/include/hw/arm/xlnx-zynqmp.h @@ -XXX,XX +XXX,XX @@ #define XLNX_ZYNQMP_NUM_SDHCI 2 #define XLNX_ZYNQMP_NUM_SPIS 2 +#define XLNX_ZYNQMP_NUM_QSPI_BUS 2 +#define XLNX_ZYNQMP_NUM_QSPI_BUS_CS 2 +#define XLNX_ZYNQMP_NUM_QSPI_FLASH 4 + #define XLNX_ZYNQMP_NUM_OCM_BANKS 4 #define XLNX_ZYNQMP_OCM_RAM_0_ADDRESS 0xFFFC0000 #define XLNX_ZYNQMP_OCM_RAM_SIZE 0x10000 @@ -XXX,XX +XXX,XX @@ typedef struct XlnxZynqMPState { SysbusAHCIState sata; SDHCIState sdhci[XLNX_ZYNQMP_NUM_SDHCI]; XilinxSPIPS spi[XLNX_ZYNQMP_NUM_SPIS]; + XlnxZynqMPQSPIPS qspi; XlnxDPState dp; XlnxDPDMAState dpdma; diff --git a/hw/arm/xlnx-zcu102.c b/hw/arm/xlnx-zcu102.c index XXXXXXX..XXXXXXX 100644 --- a/hw/arm/xlnx-zcu102.c +++ b/hw/arm/xlnx-zcu102.c @@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_init(XlnxZCU102 *s, MachineState *machine) sysbus_connect_irq(SYS_BUS_DEVICE(&s->soc.spi[i]), 1, cs_line); } + for (i = 0; i < XLNX_ZYNQMP_NUM_QSPI_FLASH; i++) { + SSIBus *spi_bus; + DeviceState *flash_dev; + qemu_irq cs_line; + DriveInfo *dinfo = drive_get_next(IF_MTD); + int bus = i / XLNX_ZYNQMP_NUM_QSPI_BUS_CS; + gchar *bus_name = g_strdup_printf("qspi%d", bus); + + spi_bus = (SSIBus *)qdev_get_child_bus(DEVICE(&s->soc), bus_name); + g_free(bus_name); + + flash_dev = ssi_create_slave_no_init(spi_bus, "n25q512a11"); + if (dinfo) { + qdev_prop_set_drive(flash_dev, "drive", blk_by_legacy_dinfo(dinfo), + &error_fatal); + } + qdev_init_nofail(flash_dev); + + cs_line = qdev_get_gpio_in_named(flash_dev, SSI_GPIO_CS, 0); + + sysbus_connect_irq(SYS_BUS_DEVICE(&s->soc.qspi), i + 1, cs_line); + } + /* TODO create and connect IDE devices for ide_drive_get() */ xlnx_zcu102_binfo.ram_size = ram_size; diff --git a/hw/arm/xlnx-zynqmp.c b/hw/arm/xlnx-zynqmp.c index XXXXXXX..XXXXXXX 100644 --- a/hw/arm/xlnx-zynqmp.c +++ b/hw/arm/xlnx-zynqmp.c @@ -XXX,XX +XXX,XX @@ #define SATA_ADDR 0xFD0C0000 #define SATA_NUM_PORTS 2 +#define QSPI_ADDR 0xff0f0000 +#define LQSPI_ADDR 0xc0000000 +#define QSPI_IRQ 15 + #define DP_ADDR 0xfd4a0000 #define DP_IRQ 113 @@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_init(Object *obj) qdev_set_parent_bus(DEVICE(&s->spi[i]), sysbus_get_default()); } + object_initialize(&s->qspi, sizeof(s->qspi), TYPE_XLNX_ZYNQMP_QSPIPS); + qdev_set_parent_bus(DEVICE(&s->qspi), sysbus_get_default()); + object_initialize(&s->dp, sizeof(s->dp), TYPE_XLNX_DP); qdev_set_parent_bus(DEVICE(&s->dp), sysbus_get_default()); @@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_realize(DeviceState *dev, Error **errp) g_free(bus_name); } + object_property_set_bool(OBJECT(&s->qspi), true, "realized", &err); + sysbus_mmio_map(SYS_BUS_DEVICE(&s->qspi), 0, QSPI_ADDR); + sysbus_mmio_map(SYS_BUS_DEVICE(&s->qspi), 1, LQSPI_ADDR); + sysbus_connect_irq(SYS_BUS_DEVICE(&s->qspi), 0, gic_spi[QSPI_IRQ]); + + for (i = 0; i < XLNX_ZYNQMP_NUM_QSPI_BUS; i++) { + gchar *bus_name; + gchar *target_bus; + + /* Alias controller SPI bus to the SoC itself */ + bus_name = g_strdup_printf("qspi%d", i); + target_bus = g_strdup_printf("spi%d", i); + object_property_add_alias(OBJECT(s), bus_name, + OBJECT(&s->qspi), target_bus, + &error_abort); + g_free(bus_name); + g_free(target_bus); + } + object_property_set_bool(OBJECT(&s->dp), true, "realized", &err); if (err) { error_propagate(errp, err); -- 2.7.4 From: Eric Auger <eric.auger@redhat.com> From the very beginning, post_load() was called from common reset. This is not standard and obliged to discriminate the reset case from the restore case using the iidr value. Let's get rid of that call. Signed-off-by: Eric Auger <eric.auger@redhat.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 1511883692-11511-2-git-send-email-eric.auger@redhat.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- hw/intc/arm_gicv3_its_common.c | 2 -- hw/intc/arm_gicv3_its_kvm.c | 4 ---- 2 files changed, 6 deletions(-) diff --git a/hw/intc/arm_gicv3_its_common.c b/hw/intc/arm_gicv3_its_common.c index XXXXXXX..XXXXXXX 100644 --- a/hw/intc/arm_gicv3_its_common.c +++ b/hw/intc/arm_gicv3_its_common.c @@ -XXX,XX +XXX,XX @@ static void gicv3_its_common_reset(DeviceState *dev) s->creadr = 0; s->iidr = 0; memset(&s->baser, 0, sizeof(s->baser)); - - gicv3_its_post_load(s, 0); } static void gicv3_its_common_class_init(ObjectClass *klass, void *data) diff --git a/hw/intc/arm_gicv3_its_kvm.c b/hw/intc/arm_gicv3_its_kvm.c index XXXXXXX..XXXXXXX 100644 --- a/hw/intc/arm_gicv3_its_kvm.c +++ b/hw/intc/arm_gicv3_its_kvm.c @@ -XXX,XX +XXX,XX @@ static void kvm_arm_its_post_load(GICv3ITSState *s) { int i; - if (!s->iidr) { - return; - } - kvm_device_access(s->dev_fd, KVM_DEV_ARM_VGIC_GRP_ITS_REGS, GITS_IIDR, &s->iidr, true, &error_abort); -- 2.7.4 From: Eric Auger <eric.auger@redhat.com> At the moment the ITS is not properly reset and this causes various bugs on save/restore. We implement a minimalist reset through individual register writes but for kernel versions before v4.15 this fails voiding the vITS cache. We cannot claim we have a comprehensive reset (hence the error message) but that's better than nothing. Signed-off-by: Eric Auger <eric.auger@redhat.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 1511883692-11511-3-git-send-email-eric.auger@redhat.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- hw/intc/arm_gicv3_its_kvm.c | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/hw/intc/arm_gicv3_its_kvm.c b/hw/intc/arm_gicv3_its_kvm.c index XXXXXXX..XXXXXXX 100644 --- a/hw/intc/arm_gicv3_its_kvm.c +++ b/hw/intc/arm_gicv3_its_kvm.c @@ -XXX,XX +XXX,XX @@ #define TYPE_KVM_ARM_ITS "arm-its-kvm" #define KVM_ARM_ITS(obj) OBJECT_CHECK(GICv3ITSState, (obj), TYPE_KVM_ARM_ITS) +#define KVM_ARM_ITS_CLASS(klass) \ + OBJECT_CLASS_CHECK(KVMARMITSClass, (klass), TYPE_KVM_ARM_ITS) +#define KVM_ARM_ITS_GET_CLASS(obj) \ + OBJECT_GET_CLASS(KVMARMITSClass, (obj), TYPE_KVM_ARM_ITS) + +typedef struct KVMARMITSClass { + GICv3ITSCommonClass parent_class; + void (*parent_reset)(DeviceState *dev); +} KVMARMITSClass; + static int kvm_its_send_msi(GICv3ITSState *s, uint32_t value, uint16_t devid) { @@ -XXX,XX +XXX,XX @@ static void kvm_arm_its_post_load(GICv3ITSState *s) GITS_CTLR, &s->ctlr, true, &error_abort); } +static void kvm_arm_its_reset(DeviceState *dev) +{ + GICv3ITSState *s = ARM_GICV3_ITS_COMMON(dev); + KVMARMITSClass *c = KVM_ARM_ITS_GET_CLASS(s); + int i; + + c->parent_reset(dev); + + error_report("ITS KVM: full reset is not supported by QEMU"); + + if (!kvm_device_check_attr(s->dev_fd, KVM_DEV_ARM_VGIC_GRP_ITS_REGS, + GITS_CTLR)) { + return; + } + + kvm_device_access(s->dev_fd, KVM_DEV_ARM_VGIC_GRP_ITS_REGS, + GITS_CTLR, &s->ctlr, true, &error_abort); + + kvm_device_access(s->dev_fd, KVM_DEV_ARM_VGIC_GRP_ITS_REGS, + GITS_CBASER, &s->cbaser, true, &error_abort); + + for (i = 0; i < 8; i++) { + kvm_device_access(s->dev_fd, KVM_DEV_ARM_VGIC_GRP_ITS_REGS, + GITS_BASER + i * 8, &s->baser[i], true, + &error_abort); + } +} + static Property kvm_arm_its_props[] = { DEFINE_PROP_LINK("parent-gicv3", GICv3ITSState, gicv3, "kvm-arm-gicv3", GICv3State *), @@ -XXX,XX +XXX,XX @@ static void kvm_arm_its_class_init(ObjectClass *klass, void *data) { DeviceClass *dc = DEVICE_CLASS(klass); GICv3ITSCommonClass *icc = ARM_GICV3_ITS_COMMON_CLASS(klass); + KVMARMITSClass *ic = KVM_ARM_ITS_CLASS(klass); dc->realize = kvm_arm_its_realize; dc->props = kvm_arm_its_props; + ic->parent_reset = dc->reset; icc->send_msi = kvm_its_send_msi; icc->pre_save = kvm_arm_its_pre_save; icc->post_load = kvm_arm_its_post_load; + dc->reset = kvm_arm_its_reset; } static const TypeInfo kvm_arm_its_info = { @@ -XXX,XX +XXX,XX @@ static const TypeInfo kvm_arm_its_info = { .parent = TYPE_ARM_GICV3_ITS_COMMON, .instance_size = sizeof(GICv3ITSState), .class_init = kvm_arm_its_class_init, + .class_size = sizeof(KVMARMITSClass), }; static void kvm_arm_its_register_types(void) -- 2.7.4 From: Eric Auger <eric.auger@redhat.com> Update headers against v4.15-rc1. Signed-off-by: Eric Auger <eric.auger@redhat.com> Message-id: 1511883692-11511-4-git-send-email-eric.auger@redhat.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- include/standard-headers/asm-s390/virtio-ccw.h | 1 + include/standard-headers/asm-x86/hyperv.h | 394 +-------------------- include/standard-headers/linux/input-event-codes.h | 2 + include/standard-headers/linux/input.h | 1 + include/standard-headers/linux/pci_regs.h | 45 ++- linux-headers/asm-arm/kvm.h | 8 + linux-headers/asm-arm/kvm_para.h | 1 + linux-headers/asm-arm/unistd.h | 2 + linux-headers/asm-arm64/kvm.h | 8 + linux-headers/asm-arm64/unistd.h | 1 + linux-headers/asm-powerpc/epapr_hcalls.h | 1 + linux-headers/asm-powerpc/kvm.h | 1 + linux-headers/asm-powerpc/kvm_para.h | 1 + linux-headers/asm-powerpc/unistd.h | 1 + linux-headers/asm-s390/kvm.h | 1 + linux-headers/asm-s390/kvm_para.h | 1 + linux-headers/asm-s390/unistd.h | 4 +- linux-headers/asm-x86/kvm.h | 1 + linux-headers/asm-x86/kvm_para.h | 2 +- linux-headers/asm-x86/unistd.h | 1 + linux-headers/linux/kvm.h | 2 + linux-headers/linux/kvm_para.h | 1 + linux-headers/linux/psci.h | 1 + linux-headers/linux/userfaultfd.h | 1 + linux-headers/linux/vfio.h | 1 + linux-headers/linux/vfio_ccw.h | 1 + linux-headers/linux/vhost.h | 1 + 27 files changed, 74 insertions(+), 411 deletions(-) diff --git a/include/standard-headers/asm-s390/virtio-ccw.h b/include/standard-headers/asm-s390/virtio-ccw.h index XXXXXXX..XXXXXXX 100644 --- a/include/standard-headers/asm-s390/virtio-ccw.h +++ b/include/standard-headers/asm-s390/virtio-ccw.h @@ -XXX,XX +XXX,XX @@ +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ /* * Definitions for virtio-ccw devices. * diff --git a/include/standard-headers/asm-x86/hyperv.h b/include/standard-headers/asm-x86/hyperv.h index XXXXXXX..XXXXXXX 100644 --- a/include/standard-headers/asm-x86/hyperv.h +++ b/include/standard-headers/asm-x86/hyperv.h @@ -1,393 +1 @@ -#ifndef _ASM_X86_HYPERV_H -#define _ASM_X86_HYPERV_H - -#include "standard-headers/linux/types.h" - -/* - * The below CPUID leaves are present if VersionAndFeatures.HypervisorPresent - * is set by CPUID(HvCpuIdFunctionVersionAndFeatures). - */ -#define HYPERV_CPUID_VENDOR_AND_MAX_FUNCTIONS 0x40000000 -#define HYPERV_CPUID_INTERFACE 0x40000001 -#define HYPERV_CPUID_VERSION 0x40000002 -#define HYPERV_CPUID_FEATURES 0x40000003 -#define HYPERV_CPUID_ENLIGHTMENT_INFO 0x40000004 -#define HYPERV_CPUID_IMPLEMENT_LIMITS 0x40000005 - -#define HYPERV_HYPERVISOR_PRESENT_BIT 0x80000000 -#define HYPERV_CPUID_MIN 0x40000005 -#define HYPERV_CPUID_MAX 0x4000ffff - -/* - * Feature identification. EAX indicates which features are available - * to the partition based upon the current partition privileges. - */ - -/* VP Runtime (HV_X64_MSR_VP_RUNTIME) available */ -#define HV_X64_MSR_VP_RUNTIME_AVAILABLE (1 << 0) -/* Partition Reference Counter (HV_X64_MSR_TIME_REF_COUNT) available*/ -#define HV_X64_MSR_TIME_REF_COUNT_AVAILABLE (1 << 1) -/* Partition reference TSC MSR is available */ -#define HV_X64_MSR_REFERENCE_TSC_AVAILABLE (1 << 9) - -/* A partition's reference time stamp counter (TSC) page */ -#define HV_X64_MSR_REFERENCE_TSC 0x40000021 - -/* - * There is a single feature flag that signifies if the partition has access - * to MSRs with local APIC and TSC frequencies. - */ -#define HV_X64_ACCESS_FREQUENCY_MSRS (1 << 11) - -/* - * Basic SynIC MSRs (HV_X64_MSR_SCONTROL through HV_X64_MSR_EOM - * and HV_X64_MSR_SINT0 through HV_X64_MSR_SINT15) available - */ -#define HV_X64_MSR_SYNIC_AVAILABLE (1 << 2) -/* - * Synthetic Timer MSRs (HV_X64_MSR_STIMER0_CONFIG through - * HV_X64_MSR_STIMER3_COUNT) available - */ -#define HV_X64_MSR_SYNTIMER_AVAILABLE (1 << 3) -/* - * APIC access MSRs (HV_X64_MSR_EOI, HV_X64_MSR_ICR and HV_X64_MSR_TPR) - * are available - */ -#define HV_X64_MSR_APIC_ACCESS_AVAILABLE (1 << 4) -/* Hypercall MSRs (HV_X64_MSR_GUEST_OS_ID and HV_X64_MSR_HYPERCALL) available*/ -#define HV_X64_MSR_HYPERCALL_AVAILABLE (1 << 5) -/* Access virtual processor index MSR (HV_X64_MSR_VP_INDEX) available*/ -#define HV_X64_MSR_VP_INDEX_AVAILABLE (1 << 6) -/* Virtual system reset MSR (HV_X64_MSR_RESET) is available*/ -#define HV_X64_MSR_RESET_AVAILABLE (1 << 7) - /* - * Access statistics pages MSRs (HV_X64_MSR_STATS_PARTITION_RETAIL_PAGE, - * HV_X64_MSR_STATS_PARTITION_INTERNAL_PAGE, HV_X64_MSR_STATS_VP_RETAIL_PAGE, - * HV_X64_MSR_STATS_VP_INTERNAL_PAGE) available - */ -#define HV_X64_MSR_STAT_PAGES_AVAILABLE (1 << 8) - -/* Frequency MSRs available */ -#define HV_FEATURE_FREQUENCY_MSRS_AVAILABLE (1 << 8) - -/* Crash MSR available */ -#define HV_FEATURE_GUEST_CRASH_MSR_AVAILABLE (1 << 10) - -/* - * Feature identification: EBX indicates which flags were specified at - * partition creation. The format is the same as the partition creation - * flag structure defined in section Partition Creation Flags. - */ -#define HV_X64_CREATE_PARTITIONS (1 << 0) -#define HV_X64_ACCESS_PARTITION_ID (1 << 1) -#define HV_X64_ACCESS_MEMORY_POOL (1 << 2) -#define HV_X64_ADJUST_MESSAGE_BUFFERS (1 << 3) -#define HV_X64_POST_MESSAGES (1 << 4) -#define HV_X64_SIGNAL_EVENTS (1 << 5) -#define HV_X64_CREATE_PORT (1 << 6) -#define HV_X64_CONNECT_PORT (1 << 7) -#define HV_X64_ACCESS_STATS (1 << 8) -#define HV_X64_DEBUGGING (1 << 11) -#define HV_X64_CPU_POWER_MANAGEMENT (1 << 12) -#define HV_X64_CONFIGURE_PROFILER (1 << 13) - -/* - * Feature identification. EDX indicates which miscellaneous features - * are available to the partition. - */ -/* The MWAIT instruction is available (per section MONITOR / MWAIT) */ -#define HV_X64_MWAIT_AVAILABLE (1 << 0) -/* Guest debugging support is available */ -#define HV_X64_GUEST_DEBUGGING_AVAILABLE (1 << 1) -/* Performance Monitor support is available*/ -#define HV_X64_PERF_MONITOR_AVAILABLE (1 << 2) -/* Support for physical CPU dynamic partitioning events is available*/ -#define HV_X64_CPU_DYNAMIC_PARTITIONING_AVAILABLE (1 << 3) -/* - * Support for passing hypercall input parameter block via XMM - * registers is available - */ -#define HV_X64_HYPERCALL_PARAMS_XMM_AVAILABLE (1 << 4) -/* Support for a virtual guest idle state is available */ -#define HV_X64_GUEST_IDLE_STATE_AVAILABLE (1 << 5) -/* Guest crash data handler available */ -#define HV_X64_GUEST_CRASH_MSR_AVAILABLE (1 << 10) - -/* - * Implementation recommendations. Indicates which behaviors the hypervisor - * recommends the OS implement for optimal performance. - */ - /* - * Recommend using hypercall for address space switches rather - * than MOV to CR3 instruction - */ -#define HV_X64_AS_SWITCH_RECOMMENDED (1 << 0) -/* Recommend using hypercall for local TLB flushes rather - * than INVLPG or MOV to CR3 instructions */ -#define HV_X64_LOCAL_TLB_FLUSH_RECOMMENDED (1 << 1) -/* - * Recommend using hypercall for remote TLB flushes rather - * than inter-processor interrupts - */ -#define HV_X64_REMOTE_TLB_FLUSH_RECOMMENDED (1 << 2) -/* - * Recommend using MSRs for accessing APIC registers - * EOI, ICR and TPR rather than their memory-mapped counterparts - */ -#define HV_X64_APIC_ACCESS_RECOMMENDED (1 << 3) -/* Recommend using the hypervisor-provided MSR to initiate a system RESET */ -#define HV_X64_SYSTEM_RESET_RECOMMENDED (1 << 4) -/* - * Recommend using relaxed timing for this partition. If used, - * the VM should disable any watchdog timeouts that rely on the - * timely delivery of external interrupts - */ -#define HV_X64_RELAXED_TIMING_RECOMMENDED (1 << 5) - -/* - * Virtual APIC support - */ -#define HV_X64_DEPRECATING_AEOI_RECOMMENDED (1 << 9) - -/* Recommend using the newer ExProcessorMasks interface */ -#define HV_X64_EX_PROCESSOR_MASKS_RECOMMENDED (1 << 11) - -/* - * Crash notification flag. - */ -#define HV_CRASH_CTL_CRASH_NOTIFY (1ULL << 63) - -/* MSR used to identify the guest OS. */ -#define HV_X64_MSR_GUEST_OS_ID 0x40000000 - -/* MSR used to setup pages used to communicate with the hypervisor. */ -#define HV_X64_MSR_HYPERCALL 0x40000001 - -/* MSR used to provide vcpu index */ -#define HV_X64_MSR_VP_INDEX 0x40000002 - -/* MSR used to reset the guest OS. */ -#define HV_X64_MSR_RESET 0x40000003 - -/* MSR used to provide vcpu runtime in 100ns units */ -#define HV_X64_MSR_VP_RUNTIME 0x40000010 - -/* MSR used to read the per-partition time reference counter */ -#define HV_X64_MSR_TIME_REF_COUNT 0x40000020 - -/* MSR used to retrieve the TSC frequency */ -#define HV_X64_MSR_TSC_FREQUENCY 0x40000022 - -/* MSR used to retrieve the local APIC timer frequency */ -#define HV_X64_MSR_APIC_FREQUENCY 0x40000023 - -/* Define the virtual APIC registers */ -#define HV_X64_MSR_EOI 0x40000070 -#define HV_X64_MSR_ICR 0x40000071 -#define HV_X64_MSR_TPR 0x40000072 -#define HV_X64_MSR_APIC_ASSIST_PAGE 0x40000073 - -/* Define synthetic interrupt controller model specific registers. */ -#define HV_X64_MSR_SCONTROL 0x40000080 -#define HV_X64_MSR_SVERSION 0x40000081 -#define HV_X64_MSR_SIEFP 0x40000082 -#define HV_X64_MSR_SIMP 0x40000083 -#define HV_X64_MSR_EOM 0x40000084 -#define HV_X64_MSR_SINT0 0x40000090 -#define HV_X64_MSR_SINT1 0x40000091 -#define HV_X64_MSR_SINT2 0x40000092 -#define HV_X64_MSR_SINT3 0x40000093 -#define HV_X64_MSR_SINT4 0x40000094 -#define HV_X64_MSR_SINT5 0x40000095 -#define HV_X64_MSR_SINT6 0x40000096 -#define HV_X64_MSR_SINT7 0x40000097 -#define HV_X64_MSR_SINT8 0x40000098 -#define HV_X64_MSR_SINT9 0x40000099 -#define HV_X64_MSR_SINT10 0x4000009A -#define HV_X64_MSR_SINT11 0x4000009B -#define HV_X64_MSR_SINT12 0x4000009C -#define HV_X64_MSR_SINT13 0x4000009D -#define HV_X64_MSR_SINT14 0x4000009E -#define HV_X64_MSR_SINT15 0x4000009F - -/* - * Synthetic Timer MSRs. Four timers per vcpu. - */ -#define HV_X64_MSR_STIMER0_CONFIG 0x400000B0 -#define HV_X64_MSR_STIMER0_COUNT 0x400000B1 -#define HV_X64_MSR_STIMER1_CONFIG 0x400000B2 -#define HV_X64_MSR_STIMER1_COUNT 0x400000B3 -#define HV_X64_MSR_STIMER2_CONFIG 0x400000B4 -#define HV_X64_MSR_STIMER2_COUNT 0x400000B5 -#define HV_X64_MSR_STIMER3_CONFIG 0x400000B6 -#define HV_X64_MSR_STIMER3_COUNT 0x400000B7 - -/* Hyper-V guest crash notification MSR's */ -#define HV_X64_MSR_CRASH_P0 0x40000100 -#define HV_X64_MSR_CRASH_P1 0x40000101 -#define HV_X64_MSR_CRASH_P2 0x40000102 -#define HV_X64_MSR_CRASH_P3 0x40000103 -#define HV_X64_MSR_CRASH_P4 0x40000104 -#define HV_X64_MSR_CRASH_CTL 0x40000105 -#define HV_X64_MSR_CRASH_CTL_NOTIFY (1ULL << 63) -#define HV_X64_MSR_CRASH_PARAMS \ - (1 + (HV_X64_MSR_CRASH_P4 - HV_X64_MSR_CRASH_P0)) - -#define HV_X64_MSR_HYPERCALL_ENABLE 0x00000001 -#define HV_X64_MSR_HYPERCALL_PAGE_ADDRESS_SHIFT 12 -#define HV_X64_MSR_HYPERCALL_PAGE_ADDRESS_MASK \ - (~((1ull << HV_X64_MSR_HYPERCALL_PAGE_ADDRESS_SHIFT) - 1)) - -/* Declare the various hypercall operations. */ -#define HVCALL_FLUSH_VIRTUAL_ADDRESS_SPACE 0x0002 -#define HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST 0x0003 -#define HVCALL_NOTIFY_LONG_SPIN_WAIT 0x0008 -#define HVCALL_FLUSH_VIRTUAL_ADDRESS_SPACE_EX 0x0013 -#define HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST_EX 0x0014 -#define HVCALL_POST_MESSAGE 0x005c -#define HVCALL_SIGNAL_EVENT 0x005d - -#define HV_X64_MSR_APIC_ASSIST_PAGE_ENABLE 0x00000001 -#define HV_X64_MSR_APIC_ASSIST_PAGE_ADDRESS_SHIFT 12 -#define HV_X64_MSR_APIC_ASSIST_PAGE_ADDRESS_MASK \ - (~((1ull << HV_X64_MSR_APIC_ASSIST_PAGE_ADDRESS_SHIFT) - 1)) - -#define HV_X64_MSR_TSC_REFERENCE_ENABLE 0x00000001 -#define HV_X64_MSR_TSC_REFERENCE_ADDRESS_SHIFT 12 - -#define HV_PROCESSOR_POWER_STATE_C0 0 -#define HV_PROCESSOR_POWER_STATE_C1 1 -#define HV_PROCESSOR_POWER_STATE_C2 2 -#define HV_PROCESSOR_POWER_STATE_C3 3 - -#define HV_FLUSH_ALL_PROCESSORS BIT(0) -#define HV_FLUSH_ALL_VIRTUAL_ADDRESS_SPACES BIT(1) -#define HV_FLUSH_NON_GLOBAL_MAPPINGS_ONLY BIT(2) -#define HV_FLUSH_USE_EXTENDED_RANGE_FORMAT BIT(3) - -enum HV_GENERIC_SET_FORMAT { - HV_GENERIC_SET_SPARCE_4K, - HV_GENERIC_SET_ALL, -}; - -/* hypercall status code */ -#define HV_STATUS_SUCCESS 0 -#define HV_STATUS_INVALID_HYPERCALL_CODE 2 -#define HV_STATUS_INVALID_HYPERCALL_INPUT 3 -#define HV_STATUS_INVALID_ALIGNMENT 4 -#define HV_STATUS_INSUFFICIENT_MEMORY 11 -#define HV_STATUS_INVALID_CONNECTION_ID 18 -#define HV_STATUS_INSUFFICIENT_BUFFERS 19 - -typedef struct _HV_REFERENCE_TSC_PAGE { - uint32_t tsc_sequence; - uint32_t res1; - uint64_t tsc_scale; - int64_t tsc_offset; -} HV_REFERENCE_TSC_PAGE, *PHV_REFERENCE_TSC_PAGE; - -/* Define the number of synthetic interrupt sources. */ -#define HV_SYNIC_SINT_COUNT (16) -/* Define the expected SynIC version. */ -#define HV_SYNIC_VERSION_1 (0x1) - -#define HV_SYNIC_CONTROL_ENABLE (1ULL << 0) -#define HV_SYNIC_SIMP_ENABLE (1ULL << 0) -#define HV_SYNIC_SIEFP_ENABLE (1ULL << 0) -#define HV_SYNIC_SINT_MASKED (1ULL << 16) -#define HV_SYNIC_SINT_AUTO_EOI (1ULL << 17) -#define HV_SYNIC_SINT_VECTOR_MASK (0xFF) - -#define HV_SYNIC_STIMER_COUNT (4) - -/* Define synthetic interrupt controller message constants. */ -#define HV_MESSAGE_SIZE (256) -#define HV_MESSAGE_PAYLOAD_BYTE_COUNT (240) -#define HV_MESSAGE_PAYLOAD_QWORD_COUNT (30) - -/* Define hypervisor message types. */ -enum hv_message_type { - HVMSG_NONE = 0x00000000, - - /* Memory access messages. */ - HVMSG_UNMAPPED_GPA = 0x80000000, - HVMSG_GPA_INTERCEPT = 0x80000001, - - /* Timer notification messages. */ - HVMSG_TIMER_EXPIRED = 0x80000010, - - /* Error messages. */ - HVMSG_INVALID_VP_REGISTER_VALUE = 0x80000020, - HVMSG_UNRECOVERABLE_EXCEPTION = 0x80000021, - HVMSG_UNSUPPORTED_FEATURE = 0x80000022, - - /* Trace buffer complete messages. */ - HVMSG_EVENTLOG_BUFFERCOMPLETE = 0x80000040, - - /* Platform-specific processor intercept messages. */ - HVMSG_X64_IOPORT_INTERCEPT = 0x80010000, - HVMSG_X64_MSR_INTERCEPT = 0x80010001, - HVMSG_X64_CPUID_INTERCEPT = 0x80010002, - HVMSG_X64_EXCEPTION_INTERCEPT = 0x80010003, - HVMSG_X64_APIC_EOI = 0x80010004, - HVMSG_X64_LEGACY_FP_ERROR = 0x80010005 -}; - -/* Define synthetic interrupt controller message flags. */ -union hv_message_flags { - uint8_t asu8; - struct { - uint8_t msg_pending:1; - uint8_t reserved:7; - }; -}; - -/* Define port identifier type. */ -union hv_port_id { - uint32_t asu32; - struct { - uint32_t id:24; - uint32_t reserved:8; - } u; -}; - -/* Define synthetic interrupt controller message header. */ -struct hv_message_header { - uint32_t message_type; - uint8_t payload_size; - union hv_message_flags message_flags; - uint8_t reserved[2]; - union { - uint64_t sender; - union hv_port_id port; - }; -}; - -/* Define synthetic interrupt controller message format. */ -struct hv_message { - struct hv_message_header header; - union { - uint64_t payload[HV_MESSAGE_PAYLOAD_QWORD_COUNT]; - } u; -}; - -/* Define the synthetic interrupt message page layout. */ -struct hv_message_page { - struct hv_message sint_message[HV_SYNIC_SINT_COUNT]; -}; - -/* Define timer message payload structure. */ -struct hv_timer_message_payload { - uint32_t timer_index; - uint32_t reserved; - uint64_t expiration_time; /* When the timer expired */ - uint64_t delivery_time; /* When the message was delivered */ -}; - -#define HV_STIMER_ENABLE (1ULL << 0) -#define HV_STIMER_PERIODIC (1ULL << 1) -#define HV_STIMER_LAZY (1ULL << 2) -#define HV_STIMER_AUTOENABLE (1ULL << 3) -#define HV_STIMER_SINT(config) (uint8_t)(((config) >> 16) & 0x0F) - -#endif + /* this is a temporary placeholder until kvm_para.h stops including it */ diff --git a/include/standard-headers/linux/input-event-codes.h b/include/standard-headers/linux/input-event-codes.h index XXXXXXX..XXXXXXX 100644 --- a/include/standard-headers/linux/input-event-codes.h +++ b/include/standard-headers/linux/input-event-codes.h @@ -XXX,XX +XXX,XX @@ +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ /* * Input event codes * @@ -XXX,XX +XXX,XX @@ #define BTN_TOOL_MOUSE 0x146 #define BTN_TOOL_LENS 0x147 #define BTN_TOOL_QUINTTAP 0x148 /* Five fingers on trackpad */ +#define BTN_STYLUS3 0x149 #define BTN_TOUCH 0x14a #define BTN_STYLUS 0x14b #define BTN_STYLUS2 0x14c diff --git a/include/standard-headers/linux/input.h b/include/standard-headers/linux/input.h index XXXXXXX..XXXXXXX 100644 --- a/include/standard-headers/linux/input.h +++ b/include/standard-headers/linux/input.h @@ -XXX,XX +XXX,XX @@ +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ /* * Copyright (c) 1999-2002 Vojtech Pavlik * diff --git a/include/standard-headers/linux/pci_regs.h b/include/standard-headers/linux/pci_regs.h index XXXXXXX..XXXXXXX 100644 --- a/include/standard-headers/linux/pci_regs.h +++ b/include/standard-headers/linux/pci_regs.h @@ -XXX,XX +XXX,XX @@ +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ /* * pci_regs.h * @@ -XXX,XX +XXX,XX @@ #define PCI_ERR_ROOT_FIRST_FATAL 0x00000010 /* First UNC is Fatal */ #define PCI_ERR_ROOT_NONFATAL_RCV 0x00000020 /* Non-Fatal Received */ #define PCI_ERR_ROOT_FATAL_RCV 0x00000040 /* Fatal Received */ +#define PCI_ERR_ROOT_AER_IRQ 0xf8000000 /* Advanced Error Interrupt Message Number */ #define PCI_ERR_ROOT_ERR_SRC 52 /* Error Source Identification */ /* Virtual Channel */ @@ -XXX,XX +XXX,XX @@ #define PCI_SATA_SIZEOF_LONG 16 /* Resizable BARs */ +#define PCI_REBAR_CAP 4 /* capability register */ +#define PCI_REBAR_CAP_SIZES 0x00FFFFF0 /* supported BAR sizes */ #define PCI_REBAR_CTRL 8 /* control register */ -#define PCI_REBAR_CTRL_NBAR_MASK (7 << 5) /* mask for # bars */ -#define PCI_REBAR_CTRL_NBAR_SHIFT 5 /* shift for # bars */ +#define PCI_REBAR_CTRL_BAR_IDX 0x00000007 /* BAR index */ +#define PCI_REBAR_CTRL_NBAR_MASK 0x000000E0 /* # of resizable BARs */ +#define PCI_REBAR_CTRL_NBAR_SHIFT 5 /* shift for # of BARs */ +#define PCI_REBAR_CTRL_BAR_SIZE 0x00001F00 /* BAR size */ /* Dynamic Power Allocation */ #define PCI_DPA_CAP 4 /* capability register */ @@ -XXX,XX +XXX,XX @@ /* Downstream Port Containment */ #define PCI_EXP_DPC_CAP 4 /* DPC Capability */ +#define PCI_EXP_DPC_IRQ 0x1f /* DPC Interrupt Message Number */ #define PCI_EXP_DPC_CAP_RP_EXT 0x20 /* Root Port Extensions for DPC */ #define PCI_EXP_DPC_CAP_POISONED_TLP 0x40 /* Poisoned TLP Egress Blocking Supported */ #define PCI_EXP_DPC_CAP_SW_TRIGGER 0x80 /* Software Triggering Supported */ @@ -XXX,XX +XXX,XX @@ #define PCI_PTM_CTRL_ENABLE 0x00000001 /* PTM enable */ #define PCI_PTM_CTRL_ROOT 0x00000002 /* Root select */ -/* L1 PM Substates */ -#define PCI_L1SS_CAP 4 /* capability register */ -#define PCI_L1SS_CAP_PCIPM_L1_2 1 /* PCI PM L1.2 Support */ -#define PCI_L1SS_CAP_PCIPM_L1_1 2 /* PCI PM L1.1 Support */ -#define PCI_L1SS_CAP_ASPM_L1_2 4 /* ASPM L1.2 Support */ -#define PCI_L1SS_CAP_ASPM_L1_1 8 /* ASPM L1.1 Support */ -#define PCI_L1SS_CAP_L1_PM_SS 16 /* L1 PM Substates Support */ -#define PCI_L1SS_CTL1 8 /* Control Register 1 */ -#define PCI_L1SS_CTL1_PCIPM_L1_2 1 /* PCI PM L1.2 Enable */ -#define PCI_L1SS_CTL1_PCIPM_L1_1 2 /* PCI PM L1.1 Support */ -#define PCI_L1SS_CTL1_ASPM_L1_2 4 /* ASPM L1.2 Support */ -#define PCI_L1SS_CTL1_ASPM_L1_1 8 /* ASPM L1.1 Support */ -#define PCI_L1SS_CTL1_L1SS_MASK 0x0000000F -#define PCI_L1SS_CTL2 0xC /* Control Register 2 */ +/* ASPM L1 PM Substates */ +#define PCI_L1SS_CAP 0x04 /* Capabilities Register */ +#define PCI_L1SS_CAP_PCIPM_L1_2 0x00000001 /* PCI-PM L1.2 Supported */ +#define PCI_L1SS_CAP_PCIPM_L1_1 0x00000002 /* PCI-PM L1.1 Supported */ +#define PCI_L1SS_CAP_ASPM_L1_2 0x00000004 /* ASPM L1.2 Supported */ +#define PCI_L1SS_CAP_ASPM_L1_1 0x00000008 /* ASPM L1.1 Supported */ +#define PCI_L1SS_CAP_L1_PM_SS 0x00000010 /* L1 PM Substates Supported */ +#define PCI_L1SS_CAP_CM_RESTORE_TIME 0x0000ff00 /* Port Common_Mode_Restore_Time */ +#define PCI_L1SS_CAP_P_PWR_ON_SCALE 0x00030000 /* Port T_POWER_ON scale */ +#define PCI_L1SS_CAP_P_PWR_ON_VALUE 0x00f80000 /* Port T_POWER_ON value */ +#define PCI_L1SS_CTL1 0x08 /* Control 1 Register */ +#define PCI_L1SS_CTL1_PCIPM_L1_2 0x00000001 /* PCI-PM L1.2 Enable */ +#define PCI_L1SS_CTL1_PCIPM_L1_1 0x00000002 /* PCI-PM L1.1 Enable */ +#define PCI_L1SS_CTL1_ASPM_L1_2 0x00000004 /* ASPM L1.2 Enable */ +#define PCI_L1SS_CTL1_ASPM_L1_1 0x00000008 /* ASPM L1.1 Enable */ +#define PCI_L1SS_CTL1_L1SS_MASK 0x0000000f +#define PCI_L1SS_CTL1_CM_RESTORE_TIME 0x0000ff00 /* Common_Mode_Restore_Time */ +#define PCI_L1SS_CTL1_LTR_L12_TH_VALUE 0x03ff0000 /* LTR_L1.2_THRESHOLD_Value */ +#define PCI_L1SS_CTL1_LTR_L12_TH_SCALE 0xe0000000 /* LTR_L1.2_THRESHOLD_Scale */ +#define PCI_L1SS_CTL2 0x0c /* Control 2 Register */ #endif /* LINUX_PCI_REGS_H */ diff --git a/linux-headers/asm-arm/kvm.h b/linux-headers/asm-arm/kvm.h index XXXXXXX..XXXXXXX 100644 --- a/linux-headers/asm-arm/kvm.h +++ b/linux-headers/asm-arm/kvm.h @@ -XXX,XX +XXX,XX @@ +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ /* * Copyright (C) 2012 - Virtual Open Systems and Columbia University * Author: Christoffer Dall <c.dall@virtualopensystems.com> @@ -XXX,XX +XXX,XX @@ struct kvm_arch_memory_slot { (__ARM_CP15_REG(op1, 0, crm, 0) | KVM_REG_SIZE_U64) #define ARM_CP15_REG64(...) __ARM_CP15_REG64(__VA_ARGS__) +/* PL1 Physical Timer Registers */ +#define KVM_REG_ARM_PTIMER_CTL ARM_CP15_REG32(0, 14, 2, 1) +#define KVM_REG_ARM_PTIMER_CNT ARM_CP15_REG64(0, 14) +#define KVM_REG_ARM_PTIMER_CVAL ARM_CP15_REG64(2, 14) + +/* Virtual Timer Registers */ #define KVM_REG_ARM_TIMER_CTL ARM_CP15_REG32(0, 14, 3, 1) #define KVM_REG_ARM_TIMER_CNT ARM_CP15_REG64(1, 14) #define KVM_REG_ARM_TIMER_CVAL ARM_CP15_REG64(3, 14) @@ -XXX,XX +XXX,XX @@ struct kvm_arch_memory_slot { #define KVM_DEV_ARM_ITS_SAVE_TABLES 1 #define KVM_DEV_ARM_ITS_RESTORE_TABLES 2 #define KVM_DEV_ARM_VGIC_SAVE_PENDING_TABLES 3 +#define KVM_DEV_ARM_ITS_CTRL_RESET 4 /* KVM_IRQ_LINE irq field index values */ #define KVM_ARM_IRQ_TYPE_SHIFT 24 diff --git a/linux-headers/asm-arm/kvm_para.h b/linux-headers/asm-arm/kvm_para.h index XXXXXXX..XXXXXXX 100644 --- a/linux-headers/asm-arm/kvm_para.h +++ b/linux-headers/asm-arm/kvm_para.h @@ -1 +1,2 @@ +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ #include <asm-generic/kvm_para.h> diff --git a/linux-headers/asm-arm/unistd.h b/linux-headers/asm-arm/unistd.h index XXXXXXX..XXXXXXX 100644 --- a/linux-headers/asm-arm/unistd.h +++ b/linux-headers/asm-arm/unistd.h @@ -XXX,XX +XXX,XX @@ +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ /* * arch/arm/include/asm/unistd.h * @@ -XXX,XX +XXX,XX @@ #define __ARM_NR_usr26 (__ARM_NR_BASE+3) #define __ARM_NR_usr32 (__ARM_NR_BASE+4) #define __ARM_NR_set_tls (__ARM_NR_BASE+5) +#define __ARM_NR_get_tls (__ARM_NR_BASE+6) #endif /* __ASM_ARM_UNISTD_H */ diff --git a/linux-headers/asm-arm64/kvm.h b/linux-headers/asm-arm64/kvm.h index XXXXXXX..XXXXXXX 100644 --- a/linux-headers/asm-arm64/kvm.h +++ b/linux-headers/asm-arm64/kvm.h @@ -XXX,XX +XXX,XX @@ +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ /* * Copyright (C) 2012,2013 - ARM Ltd * Author: Marc Zyngier <marc.zyngier@arm.com> @@ -XXX,XX +XXX,XX @@ struct kvm_arch_memory_slot { #define ARM64_SYS_REG(...) (__ARM64_SYS_REG(__VA_ARGS__) | KVM_REG_SIZE_U64) +/* Physical Timer EL0 Registers */ +#define KVM_REG_ARM_PTIMER_CTL ARM64_SYS_REG(3, 3, 14, 2, 1) +#define KVM_REG_ARM_PTIMER_CVAL ARM64_SYS_REG(3, 3, 14, 2, 2) +#define KVM_REG_ARM_PTIMER_CNT ARM64_SYS_REG(3, 3, 14, 0, 1) + +/* EL0 Virtual Timer Registers */ #define KVM_REG_ARM_TIMER_CTL ARM64_SYS_REG(3, 3, 14, 3, 1) #define KVM_REG_ARM_TIMER_CNT ARM64_SYS_REG(3, 3, 14, 3, 2) #define KVM_REG_ARM_TIMER_CVAL ARM64_SYS_REG(3, 3, 14, 0, 2) @@ -XXX,XX +XXX,XX @@ struct kvm_arch_memory_slot { #define KVM_DEV_ARM_ITS_SAVE_TABLES 1 #define KVM_DEV_ARM_ITS_RESTORE_TABLES 2 #define KVM_DEV_ARM_VGIC_SAVE_PENDING_TABLES 3 +#define KVM_DEV_ARM_ITS_CTRL_RESET 4 /* Device Control API on vcpu fd */ #define KVM_ARM_VCPU_PMU_V3_CTRL 0 diff --git a/linux-headers/asm-arm64/unistd.h b/linux-headers/asm-arm64/unistd.h index XXXXXXX..XXXXXXX 100644 --- a/linux-headers/asm-arm64/unistd.h +++ b/linux-headers/asm-arm64/unistd.h @@ -XXX,XX +XXX,XX @@ +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ /* * Copyright (C) 2012 ARM Ltd. * diff --git a/linux-headers/asm-powerpc/epapr_hcalls.h b/linux-headers/asm-powerpc/epapr_hcalls.h index XXXXXXX..XXXXXXX 100644 --- a/linux-headers/asm-powerpc/epapr_hcalls.h +++ b/linux-headers/asm-powerpc/epapr_hcalls.h @@ -XXX,XX +XXX,XX @@ +/* SPDX-License-Identifier: ((GPL-2.0+ WITH Linux-syscall-note) OR BSD-3-Clause) */ /* * ePAPR hcall interface * diff --git a/linux-headers/asm-powerpc/kvm.h b/linux-headers/asm-powerpc/kvm.h index XXXXXXX..XXXXXXX 100644 --- a/linux-headers/asm-powerpc/kvm.h +++ b/linux-headers/asm-powerpc/kvm.h @@ -XXX,XX +XXX,XX @@ +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ /* * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License, version 2, as diff --git a/linux-headers/asm-powerpc/kvm_para.h b/linux-headers/asm-powerpc/kvm_para.h index XXXXXXX..XXXXXXX 100644 --- a/linux-headers/asm-powerpc/kvm_para.h +++ b/linux-headers/asm-powerpc/kvm_para.h @@ -XXX,XX +XXX,XX @@ +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ /* * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License, version 2, as diff --git a/linux-headers/asm-powerpc/unistd.h b/linux-headers/asm-powerpc/unistd.h index XXXXXXX..XXXXXXX 100644 --- a/linux-headers/asm-powerpc/unistd.h +++ b/linux-headers/asm-powerpc/unistd.h @@ -XXX,XX +XXX,XX @@ +/* SPDX-License-Identifier: GPL-2.0+ WITH Linux-syscall-note */ /* * This file contains the system call numbers. * diff --git a/linux-headers/asm-s390/kvm.h b/linux-headers/asm-s390/kvm.h index XXXXXXX..XXXXXXX 100644 --- a/linux-headers/asm-s390/kvm.h +++ b/linux-headers/asm-s390/kvm.h @@ -XXX,XX +XXX,XX @@ +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ #ifndef __LINUX_KVM_S390_H #define __LINUX_KVM_S390_H /* diff --git a/linux-headers/asm-s390/kvm_para.h b/linux-headers/asm-s390/kvm_para.h index XXXXXXX..XXXXXXX 100644 --- a/linux-headers/asm-s390/kvm_para.h +++ b/linux-headers/asm-s390/kvm_para.h @@ -XXX,XX +XXX,XX @@ +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ /* * User API definitions for paravirtual devices on s390 * diff --git a/linux-headers/asm-s390/unistd.h b/linux-headers/asm-s390/unistd.h index XXXXXXX..XXXXXXX 100644 --- a/linux-headers/asm-s390/unistd.h +++ b/linux-headers/asm-s390/unistd.h @@ -XXX,XX +XXX,XX @@ +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ /* * S390 version * @@ -XXX,XX +XXX,XX @@ #define __NR_pwritev2 377 #define __NR_s390_guarded_storage 378 #define __NR_statx 379 -#define NR_syscalls 380 +#define __NR_s390_sthyi 380 +#define NR_syscalls 381 /* * There are some system calls that are not present on 64 bit, some diff --git a/linux-headers/asm-x86/kvm.h b/linux-headers/asm-x86/kvm.h index XXXXXXX..XXXXXXX 100644 --- a/linux-headers/asm-x86/kvm.h +++ b/linux-headers/asm-x86/kvm.h @@ -XXX,XX +XXX,XX @@ +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ #ifndef _ASM_X86_KVM_H #define _ASM_X86_KVM_H diff --git a/linux-headers/asm-x86/kvm_para.h b/linux-headers/asm-x86/kvm_para.h index XXXXXXX..XXXXXXX 100644 --- a/linux-headers/asm-x86/kvm_para.h +++ b/linux-headers/asm-x86/kvm_para.h @@ -XXX,XX +XXX,XX @@ +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ #ifndef _ASM_X86_KVM_PARA_H #define _ASM_X86_KVM_PARA_H @@ -XXX,XX +XXX,XX @@ struct kvm_vcpu_pv_apf_data { #define KVM_PV_EOI_ENABLED KVM_PV_EOI_MASK #define KVM_PV_EOI_DISABLED 0x0 - #endif /* _ASM_X86_KVM_PARA_H */ diff --git a/linux-headers/asm-x86/unistd.h b/linux-headers/asm-x86/unistd.h index XXXXXXX..XXXXXXX 100644 --- a/linux-headers/asm-x86/unistd.h +++ b/linux-headers/asm-x86/unistd.h @@ -XXX,XX +XXX,XX @@ +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ #ifndef _ASM_X86_UNISTD_H #define _ASM_X86_UNISTD_H diff --git a/linux-headers/linux/kvm.h b/linux-headers/linux/kvm.h index XXXXXXX..XXXXXXX 100644 --- a/linux-headers/linux/kvm.h +++ b/linux-headers/linux/kvm.h @@ -XXX,XX +XXX,XX @@ +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ #ifndef __LINUX_KVM_H #define __LINUX_KVM_H @@ -XXX,XX +XXX,XX @@ struct kvm_ppc_resize_hpt { #define KVM_CAP_PPC_SMT_POSSIBLE 147 #define KVM_CAP_HYPERV_SYNIC2 148 #define KVM_CAP_HYPERV_VP_INDEX 149 +#define KVM_CAP_S390_AIS_MIGRATION 150 #ifdef KVM_CAP_IRQ_ROUTING diff --git a/linux-headers/linux/kvm_para.h b/linux-headers/linux/kvm_para.h index XXXXXXX..XXXXXXX 100644 --- a/linux-headers/linux/kvm_para.h +++ b/linux-headers/linux/kvm_para.h @@ -XXX,XX +XXX,XX @@ +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ #ifndef __LINUX_KVM_PARA_H #define __LINUX_KVM_PARA_H diff --git a/linux-headers/linux/psci.h b/linux-headers/linux/psci.h index XXXXXXX..XXXXXXX 100644 --- a/linux-headers/linux/psci.h +++ b/linux-headers/linux/psci.h @@ -XXX,XX +XXX,XX @@ +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ /* * ARM Power State and Coordination Interface (PSCI) header * diff --git a/linux-headers/linux/userfaultfd.h b/linux-headers/linux/userfaultfd.h index XXXXXXX..XXXXXXX 100644 --- a/linux-headers/linux/userfaultfd.h +++ b/linux-headers/linux/userfaultfd.h @@ -XXX,XX +XXX,XX @@ +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ /* * include/linux/userfaultfd.h * diff --git a/linux-headers/linux/vfio.h b/linux-headers/linux/vfio.h index XXXXXXX..XXXXXXX 100644 --- a/linux-headers/linux/vfio.h +++ b/linux-headers/linux/vfio.h @@ -XXX,XX +XXX,XX @@ +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ /* * VFIO API definition * diff --git a/linux-headers/linux/vfio_ccw.h b/linux-headers/linux/vfio_ccw.h index XXXXXXX..XXXXXXX 100644 --- a/linux-headers/linux/vfio_ccw.h +++ b/linux-headers/linux/vfio_ccw.h @@ -XXX,XX +XXX,XX @@ +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ /* * Interfaces for vfio-ccw * diff --git a/linux-headers/linux/vhost.h b/linux-headers/linux/vhost.h index XXXXXXX..XXXXXXX 100644 --- a/linux-headers/linux/vhost.h +++ b/linux-headers/linux/vhost.h @@ -XXX,XX +XXX,XX @@ +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ #ifndef _LINUX_VHOST_H #define _LINUX_VHOST_H /* Userspace interface for in-kernel virtio accelerators. */ -- 2.7.4 From: Eric Auger <eric.auger@redhat.com> Voiding the ITS caches is not supposed to happen via individual register writes. So we introduced a dedicated ITS KVM device ioctl to perform a cold reset of the ITS: KVM_DEV_ARM_VGIC_GRP_CTRL/KVM_DEV_ARM_ITS_CTRL_RESET. Let's use this latter if the kernel supports it. Signed-off-by: Eric Auger <eric.auger@redhat.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 1511883692-11511-5-git-send-email-eric.auger@redhat.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- hw/intc/arm_gicv3_its_kvm.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/hw/intc/arm_gicv3_its_kvm.c b/hw/intc/arm_gicv3_its_kvm.c index XXXXXXX..XXXXXXX 100644 --- a/hw/intc/arm_gicv3_its_kvm.c +++ b/hw/intc/arm_gicv3_its_kvm.c @@ -XXX,XX +XXX,XX @@ static void kvm_arm_its_reset(DeviceState *dev) c->parent_reset(dev); - error_report("ITS KVM: full reset is not supported by QEMU"); + if (kvm_device_check_attr(s->dev_fd, KVM_DEV_ARM_VGIC_GRP_CTRL, + KVM_DEV_ARM_ITS_CTRL_RESET)) { + kvm_device_access(s->dev_fd, KVM_DEV_ARM_VGIC_GRP_CTRL, + KVM_DEV_ARM_ITS_CTRL_RESET, NULL, true, &error_abort); + return; + } + + error_report("ITS KVM: full reset is not supported by the host kernel"); if (!kvm_device_check_attr(s->dev_fd, KVM_DEV_ARM_VGIC_GRP_ITS_REGS, GITS_CTLR)) { -- 2.7.4 For v8M it is possible for the CONTROL.SPSEL bit value and the current stack to be out of sync. This means we need to update the checks used in reads and writes of the PSP and MSP special registers to use v7m_using_psp() rather than directly checking the SPSEL bit in the control register. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 1512153879-5291-2-git-send-email-peter.maydell@linaro.org Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> --- target/arm/helper.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/target/arm/helper.c b/target/arm/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -XXX,XX +XXX,XX @@ uint32_t HELPER(v7m_mrs)(CPUARMState *env, uint32_t reg) switch (reg) { case 8: /* MSP */ - return (env->v7m.control[env->v7m.secure] & R_V7M_CONTROL_SPSEL_MASK) ? - env->v7m.other_sp : env->regs[13]; + return v7m_using_psp(env) ? env->v7m.other_sp : env->regs[13]; case 9: /* PSP */ - return (env->v7m.control[env->v7m.secure] & R_V7M_CONTROL_SPSEL_MASK) ? - env->regs[13] : env->v7m.other_sp; + return v7m_using_psp(env) ? env->regs[13] : env->v7m.other_sp; case 16: /* PRIMASK */ return env->v7m.primask[env->v7m.secure]; case 17: /* BASEPRI */ @@ -XXX,XX +XXX,XX @@ void HELPER(v7m_msr)(CPUARMState *env, uint32_t maskreg, uint32_t val) } break; case 8: /* MSP */ - if (env->v7m.control[env->v7m.secure] & R_V7M_CONTROL_SPSEL_MASK) { + if (v7m_using_psp(env)) { env->v7m.other_sp = val; } else { env->regs[13] = val; } break; case 9: /* PSP */ - if (env->v7m.control[env->v7m.secure] & R_V7M_CONTROL_SPSEL_MASK) { + if (v7m_using_psp(env)) { env->regs[13] = val; } else { env->v7m.other_sp = val; -- 2.7.4 In ARMv7M the CPU ignores explicit writes to CONTROL.SPSEL in Handler mode. In v8M the behaviour is slightly different: writes to the bit are permitted but will have no effect. We've already done the hard work to handle the value in CONTROL.SPSEL being out of sync with what stack pointer is actually in use, so all we need to do to fix this last loose end is to update the condition we use to guard whether we call write_v7m_control_spsel() on the register write. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 1512153879-5291-3-git-send-email-peter.maydell@linaro.org --- target/arm/helper.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/target/arm/helper.c b/target/arm/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -XXX,XX +XXX,XX @@ void HELPER(v7m_msr)(CPUARMState *env, uint32_t maskreg, uint32_t val) * thread mode; other bits can be updated by any privileged code. * write_v7m_control_spsel() deals with updating the SPSEL bit in * env->v7m.control, so we only need update the others. + * For v7M, we must just ignore explicit writes to SPSEL in handler + * mode; for v8M the write is permitted but will have no effect. */ - if (!arm_v7m_is_handler_mode(env)) { + if (arm_feature(env, ARM_FEATURE_V8) || + !arm_v7m_is_handler_mode(env)) { write_v7m_control_spsel(env, (val & R_V7M_CONTROL_SPSEL_MASK) != 0); } env->v7m.control[env->v7m.secure] &= ~R_V7M_CONTROL_NPRIV_MASK; -- 2.7.4 When we added the ARMMMUIdx_MSUser MMU index we forgot to add it to the case statement in regime_is_user(), so we weren't treating it as unprivileged when doing MPU lookups. Correct the omission. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 1512153879-5291-4-git-send-email-peter.maydell@linaro.org Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> --- target/arm/helper.c | 1 + 1 file changed, 1 insertion(+) diff --git a/target/arm/helper.c b/target/arm/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -XXX,XX +XXX,XX @@ static inline bool regime_is_user(CPUARMState *env, ARMMMUIdx mmu_idx) case ARMMMUIdx_S1SE0: case ARMMMUIdx_S1NSE0: case ARMMMUIdx_MUser: + case ARMMMUIdx_MSUser: return true; default: return false; -- 2.7.4 For M profile, we currently have an mmu index MNegPri for "requested execution priority negative". This fails to distinguish "requested execution priority negative, privileged" from "requested execution priority negative, usermode", but the two can return different results for MPU lookups. Fix this by splitting MNegPri into MNegPriPriv and MNegPriUser, and similarly for the Secure equivalent MSNegPri. This takes us from 6 M profile MMU modes to 8, which means we need to bump NB_MMU_MODES; this is OK since the point where we are forced to reduce TLB sizes is 9 MMU modes. (It would in theory be possible to stick with 6 MMU indexes: {mpu-disabled,user,privileged} x {secure,nonsecure} since in the MPU-disabled case the result of an MPU lookup is always the same for both user and privileged code. However we would then need to rework the TB flags handling to put user/priv into the TB flags separately from the mmuidx. Adding an extra couple of mmu indexes is simpler.) Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 1512153879-5291-5-git-send-email-peter.maydell@linaro.org --- target/arm/cpu.h | 54 ++++++++++++++++++++++++++++++-------------------- target/arm/internals.h | 6 ++++-- target/arm/helper.c | 11 ++++++---- target/arm/translate.c | 8 ++++++-- 4 files changed, 50 insertions(+), 29 deletions(-) diff --git a/target/arm/cpu.h b/target/arm/cpu.h index XXXXXXX..XXXXXXX 100644 --- a/target/arm/cpu.h +++ b/target/arm/cpu.h @@ -XXX,XX +XXX,XX @@ enum { #define ARM_CPU_VIRQ 2 #define ARM_CPU_VFIQ 3 -#define NB_MMU_MODES 7 +#define NB_MMU_MODES 8 /* ARM-specific extra insn start words: * 1: Conditional execution bits * 2: Partial exception syndrome for data aborts @@ -XXX,XX +XXX,XX @@ static inline bool arm_excp_unmasked(CPUState *cs, unsigned int excp_idx, * They have the following different MMU indexes: * User * Privileged - * Execution priority negative (this is like privileged, but the - * MPU HFNMIENA bit means that it may have different access permission - * check results to normal privileged code, so can't share a TLB). + * User, execution priority negative (ie the MPU HFNMIENA bit may apply) + * Privileged, execution priority negative (ditto) * If the CPU supports the v8M Security Extension then there are also: * Secure User * Secure Privileged - * Secure, execution priority negative + * Secure User, execution priority negative + * Secure Privileged, execution priority negative * * The ARMMMUIdx and the mmu index value used by the core QEMU TLB code * are not quite the same -- different CPU types (most notably M profile @@ -XXX,XX +XXX,XX @@ static inline bool arm_excp_unmasked(CPUState *cs, unsigned int excp_idx, * The constant names here are patterned after the general style of the names * of the AT/ATS operations. * The values used are carefully arranged to make mmu_idx => EL lookup easy. + * For M profile we arrange them to have a bit for priv, a bit for negpri + * and a bit for secure. */ #define ARM_MMU_IDX_A 0x10 /* A profile */ #define ARM_MMU_IDX_NOTLB 0x20 /* does not have a TLB */ #define ARM_MMU_IDX_M 0x40 /* M profile */ +/* meanings of the bits for M profile mmu idx values */ +#define ARM_MMU_IDX_M_PRIV 0x1 +#define ARM_MMU_IDX_M_NEGPRI 0x2 +#define ARM_MMU_IDX_M_S 0x4 + #define ARM_MMU_IDX_TYPE_MASK (~0x7) #define ARM_MMU_IDX_COREIDX_MASK 0x7 @@ -XXX,XX +XXX,XX @@ typedef enum ARMMMUIdx { ARMMMUIdx_S2NS = 6 | ARM_MMU_IDX_A, ARMMMUIdx_MUser = 0 | ARM_MMU_IDX_M, ARMMMUIdx_MPriv = 1 | ARM_MMU_IDX_M, - ARMMMUIdx_MNegPri = 2 | ARM_MMU_IDX_M, - ARMMMUIdx_MSUser = 3 | ARM_MMU_IDX_M, - ARMMMUIdx_MSPriv = 4 | ARM_MMU_IDX_M, - ARMMMUIdx_MSNegPri = 5 | ARM_MMU_IDX_M, + ARMMMUIdx_MUserNegPri = 2 | ARM_MMU_IDX_M, + ARMMMUIdx_MPrivNegPri = 3 | ARM_MMU_IDX_M, + ARMMMUIdx_MSUser = 4 | ARM_MMU_IDX_M, + ARMMMUIdx_MSPriv = 5 | ARM_MMU_IDX_M, + ARMMMUIdx_MSUserNegPri = 6 | ARM_MMU_IDX_M, + ARMMMUIdx_MSPrivNegPri = 7 | ARM_MMU_IDX_M, /* Indexes below here don't have TLBs and are used only for AT system * instructions or for the first stage of an S12 page table walk. */ @@ -XXX,XX +XXX,XX @@ typedef enum ARMMMUIdxBit { ARMMMUIdxBit_S2NS = 1 << 6, ARMMMUIdxBit_MUser = 1 << 0, ARMMMUIdxBit_MPriv = 1 << 1, - ARMMMUIdxBit_MNegPri = 1 << 2, - ARMMMUIdxBit_MSUser = 1 << 3, - ARMMMUIdxBit_MSPriv = 1 << 4, - ARMMMUIdxBit_MSNegPri = 1 << 5, + ARMMMUIdxBit_MUserNegPri = 1 << 2, + ARMMMUIdxBit_MPrivNegPri = 1 << 3, + ARMMMUIdxBit_MSUser = 1 << 4, + ARMMMUIdxBit_MSPriv = 1 << 5, + ARMMMUIdxBit_MSUserNegPri = 1 << 6, + ARMMMUIdxBit_MSPrivNegPri = 1 << 7, } ARMMMUIdxBit; #define MMU_USER_IDX 0 @@ -XXX,XX +XXX,XX @@ static inline int arm_mmu_idx_to_el(ARMMMUIdx mmu_idx) case ARM_MMU_IDX_A: return mmu_idx & 3; case ARM_MMU_IDX_M: - return (mmu_idx == ARMMMUIdx_MUser || mmu_idx == ARMMMUIdx_MSUser) - ? 0 : 1; + return mmu_idx & ARM_MMU_IDX_M_PRIV; default: g_assert_not_reached(); } @@ -XXX,XX +XXX,XX @@ static inline ARMMMUIdx arm_v7m_mmu_idx_for_secstate(CPUARMState *env, bool secstate) { int el = arm_current_el(env); - ARMMMUIdx mmu_idx; + ARMMMUIdx mmu_idx = ARM_MMU_IDX_M; - if (el == 0) { - mmu_idx = secstate ? ARMMMUIdx_MSUser : ARMMMUIdx_MUser; - } else { - mmu_idx = secstate ? ARMMMUIdx_MSPriv : ARMMMUIdx_MPriv; + if (el != 0) { + mmu_idx |= ARM_MMU_IDX_M_PRIV; } if (armv7m_nvic_neg_prio_requested(env->nvic, secstate)) { - mmu_idx = secstate ? ARMMMUIdx_MSNegPri : ARMMMUIdx_MNegPri; + mmu_idx |= ARM_MMU_IDX_M_NEGPRI; + } + + if (secstate) { + mmu_idx |= ARM_MMU_IDX_M_S; } return mmu_idx; diff --git a/target/arm/internals.h b/target/arm/internals.h index XXXXXXX..XXXXXXX 100644 --- a/target/arm/internals.h +++ b/target/arm/internals.h @@ -XXX,XX +XXX,XX @@ static inline bool regime_is_secure(CPUARMState *env, ARMMMUIdx mmu_idx) case ARMMMUIdx_S1NSE1: case ARMMMUIdx_S1E2: case ARMMMUIdx_S2NS: + case ARMMMUIdx_MPrivNegPri: + case ARMMMUIdx_MUserNegPri: case ARMMMUIdx_MPriv: - case ARMMMUIdx_MNegPri: case ARMMMUIdx_MUser: return false; case ARMMMUIdx_S1E3: case ARMMMUIdx_S1SE0: case ARMMMUIdx_S1SE1: + case ARMMMUIdx_MSPrivNegPri: + case ARMMMUIdx_MSUserNegPri: case ARMMMUIdx_MSPriv: - case ARMMMUIdx_MSNegPri: case ARMMMUIdx_MSUser: return true; default: diff --git a/target/arm/helper.c b/target/arm/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -XXX,XX +XXX,XX @@ static inline uint32_t regime_el(CPUARMState *env, ARMMMUIdx mmu_idx) case ARMMMUIdx_S1SE1: case ARMMMUIdx_S1NSE0: case ARMMMUIdx_S1NSE1: + case ARMMMUIdx_MPrivNegPri: + case ARMMMUIdx_MUserNegPri: case ARMMMUIdx_MPriv: - case ARMMMUIdx_MNegPri: case ARMMMUIdx_MUser: + case ARMMMUIdx_MSPrivNegPri: + case ARMMMUIdx_MSUserNegPri: case ARMMMUIdx_MSPriv: - case ARMMMUIdx_MSNegPri: case ARMMMUIdx_MSUser: return 1; default: @@ -XXX,XX +XXX,XX @@ static inline bool regime_translation_disabled(CPUARMState *env, (R_V7M_MPU_CTRL_ENABLE_MASK | R_V7M_MPU_CTRL_HFNMIENA_MASK)) { case R_V7M_MPU_CTRL_ENABLE_MASK: /* Enabled, but not for HardFault and NMI */ - return mmu_idx == ARMMMUIdx_MNegPri || - mmu_idx == ARMMMUIdx_MSNegPri; + return mmu_idx & ARM_MMU_IDX_M_NEGPRI; case R_V7M_MPU_CTRL_ENABLE_MASK | R_V7M_MPU_CTRL_HFNMIENA_MASK: /* Enabled for all cases */ return false; @@ -XXX,XX +XXX,XX @@ static inline bool regime_is_user(CPUARMState *env, ARMMMUIdx mmu_idx) case ARMMMUIdx_S1NSE0: case ARMMMUIdx_MUser: case ARMMMUIdx_MSUser: + case ARMMMUIdx_MUserNegPri: + case ARMMMUIdx_MSUserNegPri: return true; default: return false; diff --git a/target/arm/translate.c b/target/arm/translate.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/translate.c +++ b/target/arm/translate.c @@ -XXX,XX +XXX,XX @@ static inline int get_a32_user_mem_index(DisasContext *s) return arm_to_core_mmu_idx(ARMMMUIdx_S1SE0); case ARMMMUIdx_MUser: case ARMMMUIdx_MPriv: - case ARMMMUIdx_MNegPri: return arm_to_core_mmu_idx(ARMMMUIdx_MUser); + case ARMMMUIdx_MUserNegPri: + case ARMMMUIdx_MPrivNegPri: + return arm_to_core_mmu_idx(ARMMMUIdx_MUserNegPri); case ARMMMUIdx_MSUser: case ARMMMUIdx_MSPriv: - case ARMMMUIdx_MSNegPri: return arm_to_core_mmu_idx(ARMMMUIdx_MSUser); + case ARMMMUIdx_MSUserNegPri: + case ARMMMUIdx_MSPrivNegPri: + return arm_to_core_mmu_idx(ARMMMUIdx_MSUserNegPri); case ARMMMUIdx_S2NS: default: g_assert_not_reached(); -- 2.7.4 The TT instruction is going to need to look up the MMU index for a specified security and privilege state. Refactor the existing arm_v7m_mmu_idx_for_secstate() into a version that lets you specify the privilege state and one that uses the current state of the CPU. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 1512153879-5291-6-git-send-email-peter.maydell@linaro.org Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> --- target/arm/cpu.h | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/target/arm/cpu.h b/target/arm/cpu.h index XXXXXXX..XXXXXXX 100644 --- a/target/arm/cpu.h +++ b/target/arm/cpu.h @@ -XXX,XX +XXX,XX @@ static inline int arm_mmu_idx_to_el(ARMMMUIdx mmu_idx) } } -/* Return the MMU index for a v7M CPU in the specified security state */ -static inline ARMMMUIdx arm_v7m_mmu_idx_for_secstate(CPUARMState *env, - bool secstate) +/* Return the MMU index for a v7M CPU in the specified security and + * privilege state + */ +static inline ARMMMUIdx arm_v7m_mmu_idx_for_secstate_and_priv(CPUARMState *env, + bool secstate, + bool priv) { - int el = arm_current_el(env); ARMMMUIdx mmu_idx = ARM_MMU_IDX_M; - if (el != 0) { + if (priv) { mmu_idx |= ARM_MMU_IDX_M_PRIV; } @@ -XXX,XX +XXX,XX @@ static inline ARMMMUIdx arm_v7m_mmu_idx_for_secstate(CPUARMState *env, return mmu_idx; } +/* Return the MMU index for a v7M CPU in the specified security state */ +static inline ARMMMUIdx arm_v7m_mmu_idx_for_secstate(CPUARMState *env, + bool secstate) +{ + bool priv = arm_current_el(env) != 0; + + return arm_v7m_mmu_idx_for_secstate_and_priv(env, secstate, priv); +} + /* Determine the current mmu_idx to use for normal loads/stores */ static inline int cpu_mmu_index(CPUARMState *env, bool ifetch) { -- 2.7.4 For the TT instruction we're going to need to do an MPU lookup that also tells us which MPU region the access hit. This requires us to do the MPU lookup without first doing the SAU security access check, so pull the MPU lookup parts of get_phys_addr_pmsav8() out into their own function. The TT instruction also needs to know the MPU region number which the lookup hit, so provide this information to the caller of the MPU lookup code, even though get_phys_addr_pmsav8() doesn't need to know it. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 1512153879-5291-7-git-send-email-peter.maydell@linaro.org Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> --- target/arm/helper.c | 130 +++++++++++++++++++++++++++++++--------------------- 1 file changed, 79 insertions(+), 51 deletions(-) diff --git a/target/arm/helper.c b/target/arm/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -XXX,XX +XXX,XX @@ static void v8m_security_lookup(CPUARMState *env, uint32_t address, } } -static bool get_phys_addr_pmsav8(CPUARMState *env, uint32_t address, - MMUAccessType access_type, ARMMMUIdx mmu_idx, - hwaddr *phys_ptr, MemTxAttrs *txattrs, - int *prot, uint32_t *fsr) +static bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address, + MMUAccessType access_type, ARMMMUIdx mmu_idx, + hwaddr *phys_ptr, MemTxAttrs *txattrs, + int *prot, uint32_t *fsr, uint32_t *mregion) { + /* Perform a PMSAv8 MPU lookup (without also doing the SAU check + * that a full phys-to-virt translation does). + * mregion is (if not NULL) set to the region number which matched, + * or -1 if no region number is returned (MPU off, address did not + * hit a region, address hit in multiple regions). + */ ARMCPU *cpu = arm_env_get_cpu(env); bool is_user = regime_is_user(env, mmu_idx); uint32_t secure = regime_is_secure(env, mmu_idx); int n; int matchregion = -1; bool hit = false; - V8M_SAttributes sattrs = {}; *phys_ptr = address; *prot = 0; - - if (arm_feature(env, ARM_FEATURE_M_SECURITY)) { - v8m_security_lookup(env, address, access_type, mmu_idx, &sattrs); - if (access_type == MMU_INST_FETCH) { - /* Instruction fetches always use the MMU bank and the - * transaction attribute determined by the fetch address, - * regardless of CPU state. This is painful for QEMU - * to handle, because it would mean we need to encode - * into the mmu_idx not just the (user, negpri) information - * for the current security state but also that for the - * other security state, which would balloon the number - * of mmu_idx values needed alarmingly. - * Fortunately we can avoid this because it's not actually - * possible to arbitrarily execute code from memory with - * the wrong security attribute: it will always generate - * an exception of some kind or another, apart from the - * special case of an NS CPU executing an SG instruction - * in S&NSC memory. So we always just fail the translation - * here and sort things out in the exception handler - * (including possibly emulating an SG instruction). - */ - if (sattrs.ns != !secure) { - *fsr = sattrs.nsc ? M_FAKE_FSR_NSC_EXEC : M_FAKE_FSR_SFAULT; - return true; - } - } else { - /* For data accesses we always use the MMU bank indicated - * by the current CPU state, but the security attributes - * might downgrade a secure access to nonsecure. - */ - if (sattrs.ns) { - txattrs->secure = false; - } else if (!secure) { - /* NS access to S memory must fault. - * Architecturally we should first check whether the - * MPU information for this address indicates that we - * are doing an unaligned access to Device memory, which - * should generate a UsageFault instead. QEMU does not - * currently check for that kind of unaligned access though. - * If we added it we would need to do so as a special case - * for M_FAKE_FSR_SFAULT in arm_v7m_cpu_do_interrupt(). - */ - *fsr = M_FAKE_FSR_SFAULT; - return true; - } - } + if (mregion) { + *mregion = -1; } /* Unlike the ARM ARM pseudocode, we don't need to check whether this @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav8(CPUARMState *env, uint32_t address, /* We don't need to look the attribute up in the MAIR0/MAIR1 * registers because that only tells us about cacheability. */ + if (mregion) { + *mregion = matchregion; + } } *fsr = 0x00d; /* Permission fault */ return !(*prot & (1 << access_type)); } + +static bool get_phys_addr_pmsav8(CPUARMState *env, uint32_t address, + MMUAccessType access_type, ARMMMUIdx mmu_idx, + hwaddr *phys_ptr, MemTxAttrs *txattrs, + int *prot, uint32_t *fsr) +{ + uint32_t secure = regime_is_secure(env, mmu_idx); + V8M_SAttributes sattrs = {}; + + if (arm_feature(env, ARM_FEATURE_M_SECURITY)) { + v8m_security_lookup(env, address, access_type, mmu_idx, &sattrs); + if (access_type == MMU_INST_FETCH) { + /* Instruction fetches always use the MMU bank and the + * transaction attribute determined by the fetch address, + * regardless of CPU state. This is painful for QEMU + * to handle, because it would mean we need to encode + * into the mmu_idx not just the (user, negpri) information + * for the current security state but also that for the + * other security state, which would balloon the number + * of mmu_idx values needed alarmingly. + * Fortunately we can avoid this because it's not actually + * possible to arbitrarily execute code from memory with + * the wrong security attribute: it will always generate + * an exception of some kind or another, apart from the + * special case of an NS CPU executing an SG instruction + * in S&NSC memory. So we always just fail the translation + * here and sort things out in the exception handler + * (including possibly emulating an SG instruction). + */ + if (sattrs.ns != !secure) { + *fsr = sattrs.nsc ? M_FAKE_FSR_NSC_EXEC : M_FAKE_FSR_SFAULT; + *phys_ptr = address; + *prot = 0; + return true; + } + } else { + /* For data accesses we always use the MMU bank indicated + * by the current CPU state, but the security attributes + * might downgrade a secure access to nonsecure. + */ + if (sattrs.ns) { + txattrs->secure = false; + } else if (!secure) { + /* NS access to S memory must fault. + * Architecturally we should first check whether the + * MPU information for this address indicates that we + * are doing an unaligned access to Device memory, which + * should generate a UsageFault instead. QEMU does not + * currently check for that kind of unaligned access though. + * If we added it we would need to do so as a special case + * for M_FAKE_FSR_SFAULT in arm_v7m_cpu_do_interrupt(). + */ + *fsr = M_FAKE_FSR_SFAULT; + *phys_ptr = address; + *prot = 0; + return true; + } + } + } + + return pmsav8_mpu_lookup(env, address, access_type, mmu_idx, phys_ptr, + txattrs, prot, fsr, NULL); +} + static bool get_phys_addr_pmsav5(CPUARMState *env, uint32_t address, MMUAccessType access_type, ARMMMUIdx mmu_idx, hwaddr *phys_ptr, int *prot, uint32_t *fsr) -- 2.7.4 Implement the TT instruction which queries the security state and access permissions of a memory location. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 1512153879-5291-8-git-send-email-peter.maydell@linaro.org --- target/arm/helper.h | 2 + target/arm/helper.c | 108 +++++++++++++++++++++++++++++++++++++++++++++++++ target/arm/translate.c | 29 ++++++++++++- 3 files changed, 138 insertions(+), 1 deletion(-) diff --git a/target/arm/helper.h b/target/arm/helper.h index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper.h +++ b/target/arm/helper.h @@ -XXX,XX +XXX,XX @@ DEF_HELPER_2(v7m_mrs, i32, env, i32) DEF_HELPER_2(v7m_bxns, void, env, i32) DEF_HELPER_2(v7m_blxns, void, env, i32) +DEF_HELPER_3(v7m_tt, i32, env, i32, i32) + DEF_HELPER_4(access_check_cp_reg, void, env, ptr, i32, i32) DEF_HELPER_3(set_cp_reg, void, env, ptr, i32) DEF_HELPER_2(get_cp_reg, i32, env, ptr) diff --git a/target/arm/helper.c b/target/arm/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -XXX,XX +XXX,XX @@ void HELPER(v7m_blxns)(CPUARMState *env, uint32_t dest) g_assert_not_reached(); } +uint32_t HELPER(v7m_tt)(CPUARMState *env, uint32_t addr, uint32_t op) +{ + /* The TT instructions can be used by unprivileged code, but in + * user-only emulation we don't have the MPU. + * Luckily since we know we are NonSecure unprivileged (and that in + * turn means that the A flag wasn't specified), all the bits in the + * register must be zero: + * IREGION: 0 because IRVALID is 0 + * IRVALID: 0 because NS + * S: 0 because NS + * NSRW: 0 because NS + * NSR: 0 because NS + * RW: 0 because unpriv and A flag not set + * R: 0 because unpriv and A flag not set + * SRVALID: 0 because NS + * MRVALID: 0 because unpriv and A flag not set + * SREGION: 0 becaus SRVALID is 0 + * MREGION: 0 because MRVALID is 0 + */ + return 0; +} + void switch_mode(CPUARMState *env, int mode) { ARMCPU *cpu = arm_env_get_cpu(env); @@ -XXX,XX +XXX,XX @@ void HELPER(v7m_msr)(CPUARMState *env, uint32_t maskreg, uint32_t val) } } +uint32_t HELPER(v7m_tt)(CPUARMState *env, uint32_t addr, uint32_t op) +{ + /* Implement the TT instruction. op is bits [7:6] of the insn. */ + bool forceunpriv = op & 1; + bool alt = op & 2; + V8M_SAttributes sattrs = {}; + uint32_t tt_resp; + bool r, rw, nsr, nsrw, mrvalid; + int prot; + MemTxAttrs attrs = {}; + hwaddr phys_addr; + uint32_t fsr; + ARMMMUIdx mmu_idx; + uint32_t mregion; + bool targetpriv; + bool targetsec = env->v7m.secure; + + /* Work out what the security state and privilege level we're + * interested in is... + */ + if (alt) { + targetsec = !targetsec; + } + + if (forceunpriv) { + targetpriv = false; + } else { + targetpriv = arm_v7m_is_handler_mode(env) || + !(env->v7m.control[targetsec] & R_V7M_CONTROL_NPRIV_MASK); + } + + /* ...and then figure out which MMU index this is */ + mmu_idx = arm_v7m_mmu_idx_for_secstate_and_priv(env, targetsec, targetpriv); + + /* We know that the MPU and SAU don't care about the access type + * for our purposes beyond that we don't want to claim to be + * an insn fetch, so we arbitrarily call this a read. + */ + + /* MPU region info only available for privileged or if + * inspecting the other MPU state. + */ + if (arm_current_el(env) != 0 || alt) { + /* We can ignore the return value as prot is always set */ + pmsav8_mpu_lookup(env, addr, MMU_DATA_LOAD, mmu_idx, + &phys_addr, &attrs, &prot, &fsr, &mregion); + if (mregion == -1) { + mrvalid = false; + mregion = 0; + } else { + mrvalid = true; + } + r = prot & PAGE_READ; + rw = prot & PAGE_WRITE; + } else { + r = false; + rw = false; + mrvalid = false; + mregion = 0; + } + + if (env->v7m.secure) { + v8m_security_lookup(env, addr, MMU_DATA_LOAD, mmu_idx, &sattrs); + nsr = sattrs.ns && r; + nsrw = sattrs.ns && rw; + } else { + sattrs.ns = true; + nsr = false; + nsrw = false; + } + + tt_resp = (sattrs.iregion << 24) | + (sattrs.irvalid << 23) | + ((!sattrs.ns) << 22) | + (nsrw << 21) | + (nsr << 20) | + (rw << 19) | + (r << 18) | + (sattrs.srvalid << 17) | + (mrvalid << 16) | + (sattrs.sregion << 8) | + mregion; + + return tt_resp; +} + #endif void HELPER(dc_zva)(CPUARMState *env, uint64_t vaddr_in) diff --git a/target/arm/translate.c b/target/arm/translate.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/translate.c +++ b/target/arm/translate.c @@ -XXX,XX +XXX,XX @@ static int disas_thumb2_insn(DisasContext *s, uint32_t insn) if (insn & (1 << 22)) { /* 0b1110_100x_x1xx_xxxx_xxxx_xxxx_xxxx_xxxx * - load/store doubleword, load/store exclusive, ldacq/strel, - * table branch. + * table branch, TT. */ if (insn == 0xe97fe97f && arm_dc_feature(s, ARM_FEATURE_M) && arm_dc_feature(s, ARM_FEATURE_V8)) { @@ -XXX,XX +XXX,XX @@ static int disas_thumb2_insn(DisasContext *s, uint32_t insn) } else if ((insn & (1 << 23)) == 0) { /* 0b1110_1000_010x_xxxx_xxxx_xxxx_xxxx_xxxx * - load/store exclusive word + * - TT (v8M only) */ if (rs == 15) { + if (!(insn & (1 << 20)) && + arm_dc_feature(s, ARM_FEATURE_M) && + arm_dc_feature(s, ARM_FEATURE_V8)) { + /* 0b1110_1000_0100_xxxx_1111_xxxx_xxxx_xxxx + * - TT (v8M only) + */ + bool alt = insn & (1 << 7); + TCGv_i32 addr, op, ttresp; + + if ((insn & 0x3f) || rd == 13 || rd == 15 || rn == 15) { + /* we UNDEF for these UNPREDICTABLE cases */ + goto illegal_op; + } + + if (alt && !s->v8m_secure) { + goto illegal_op; + } + + addr = load_reg(s, rn); + op = tcg_const_i32(extract32(insn, 6, 2)); + ttresp = tcg_temp_new_i32(); + gen_helper_v7m_tt(ttresp, cpu_env, addr, op); + tcg_temp_free_i32(addr); + tcg_temp_free_i32(op); + store_reg(s, rd, ttresp); + } goto illegal_op; } addr = tcg_temp_local_new_i32(); -- 2.7.4 Currently get_phys_addr() and its various subfunctions return a hard-coded fault status register value for translation failures. This is awkward because FSR values these days may be either long-descriptor format or short-descriptor format. Worse, the right FSR type to use doesn't depend only on the translation table being walked -- some cases, like fault info reported to AArch32 EL2 for some kinds of ATS operation, must be in long-descriptor format even if the translation table being walked was short format. We can't get those cases right with our current approach. Provide fields in the ARMMMUFaultInfo struct which allow get_phys_addr() to provide sufficient information for a caller to construct an FSR value themselves, and utility functions which do this for both long and short format FSR values, as a first step in switching get_phys_addr() and its children to only returning the failure cause in the ARMMMUFaultInfo struct. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Tested-by: Stefano Stabellini <sstabellini@kernel.org> Message-id: 1512503192-2239-2-git-send-email-peter.maydell@linaro.org --- target/arm/internals.h | 185 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 185 insertions(+) diff --git a/target/arm/internals.h b/target/arm/internals.h index XXXXXXX..XXXXXXX 100644 --- a/target/arm/internals.h +++ b/target/arm/internals.h @@ -XXX,XX +XXX,XX @@ static inline void arm_clear_exclusive(CPUARMState *env) } /** + * ARMFaultType: type of an ARM MMU fault + * This corresponds to the v8A pseudocode's Fault enumeration, + * with extensions for QEMU internal conditions. + */ +typedef enum ARMFaultType { + ARMFault_None, + ARMFault_AccessFlag, + ARMFault_Alignment, + ARMFault_Background, + ARMFault_Domain, + ARMFault_Permission, + ARMFault_Translation, + ARMFault_AddressSize, + ARMFault_SyncExternal, + ARMFault_SyncExternalOnWalk, + ARMFault_SyncParity, + ARMFault_SyncParityOnWalk, + ARMFault_AsyncParity, + ARMFault_AsyncExternal, + ARMFault_Debug, + ARMFault_TLBConflict, + ARMFault_Lockdown, + ARMFault_Exclusive, + ARMFault_ICacheMaint, + ARMFault_QEMU_NSCExec, /* v8M: NS executing in S&NSC memory */ + ARMFault_QEMU_SFault, /* v8M: SecureFault INVTRAN, INVEP or AUVIOL */ +} ARMFaultType; + +/** * ARMMMUFaultInfo: Information describing an ARM MMU Fault + * @type: Type of fault + * @level: Table walk level (for translation, access flag and permission faults) + * @domain: Domain of the fault address (for non-LPAE CPUs only) * @s2addr: Address that caused a fault at stage 2 * @stage2: True if we faulted at stage 2 * @s1ptw: True if we faulted at stage 2 while doing a stage 1 page-table walk @@ -XXX,XX +XXX,XX @@ static inline void arm_clear_exclusive(CPUARMState *env) */ typedef struct ARMMMUFaultInfo ARMMMUFaultInfo; struct ARMMMUFaultInfo { + ARMFaultType type; target_ulong s2addr; + int level; + int domain; bool stage2; bool s1ptw; bool ea; }; +/** + * arm_fi_to_sfsc: Convert fault info struct to short-format FSC + * Compare pseudocode EncodeSDFSC(), though unlike that function + * we set up a whole FSR-format code including domain field and + * putting the high bit of the FSC into bit 10. + */ +static inline uint32_t arm_fi_to_sfsc(ARMMMUFaultInfo *fi) +{ + uint32_t fsc; + + switch (fi->type) { + case ARMFault_None: + return 0; + case ARMFault_AccessFlag: + fsc = fi->level == 1 ? 0x3 : 0x6; + break; + case ARMFault_Alignment: + fsc = 0x1; + break; + case ARMFault_Permission: + fsc = fi->level == 1 ? 0xd : 0xf; + break; + case ARMFault_Domain: + fsc = fi->level == 1 ? 0x9 : 0xb; + break; + case ARMFault_Translation: + fsc = fi->level == 1 ? 0x5 : 0x7; + break; + case ARMFault_SyncExternal: + fsc = 0x8 | (fi->ea << 12); + break; + case ARMFault_SyncExternalOnWalk: + fsc = fi->level == 1 ? 0xc : 0xe; + fsc |= (fi->ea << 12); + break; + case ARMFault_SyncParity: + fsc = 0x409; + break; + case ARMFault_SyncParityOnWalk: + fsc = fi->level == 1 ? 0x40c : 0x40e; + break; + case ARMFault_AsyncParity: + fsc = 0x408; + break; + case ARMFault_AsyncExternal: + fsc = 0x406 | (fi->ea << 12); + break; + case ARMFault_Debug: + fsc = 0x2; + break; + case ARMFault_TLBConflict: + fsc = 0x400; + break; + case ARMFault_Lockdown: + fsc = 0x404; + break; + case ARMFault_Exclusive: + fsc = 0x405; + break; + case ARMFault_ICacheMaint: + fsc = 0x4; + break; + case ARMFault_Background: + fsc = 0x0; + break; + case ARMFault_QEMU_NSCExec: + fsc = M_FAKE_FSR_NSC_EXEC; + break; + case ARMFault_QEMU_SFault: + fsc = M_FAKE_FSR_SFAULT; + break; + default: + /* Other faults can't occur in a context that requires a + * short-format status code. + */ + g_assert_not_reached(); + } + + fsc |= (fi->domain << 4); + return fsc; +} + +/** + * arm_fi_to_lfsc: Convert fault info struct to long-format FSC + * Compare pseudocode EncodeLDFSC(), though unlike that function + * we fill in also the LPAE bit 9 of a DFSR format. + */ +static inline uint32_t arm_fi_to_lfsc(ARMMMUFaultInfo *fi) +{ + uint32_t fsc; + + switch (fi->type) { + case ARMFault_None: + return 0; + case ARMFault_AddressSize: + fsc = fi->level & 3; + break; + case ARMFault_AccessFlag: + fsc = (fi->level & 3) | (0x2 << 2); + break; + case ARMFault_Permission: + fsc = (fi->level & 3) | (0x3 << 2); + break; + case ARMFault_Translation: + fsc = (fi->level & 3) | (0x1 << 2); + break; + case ARMFault_SyncExternal: + fsc = 0x10 | (fi->ea << 12); + break; + case ARMFault_SyncExternalOnWalk: + fsc = (fi->level & 3) | (0x5 << 2) | (fi->ea << 12); + break; + case ARMFault_SyncParity: + fsc = 0x18; + break; + case ARMFault_SyncParityOnWalk: + fsc = (fi->level & 3) | (0x7 << 2); + break; + case ARMFault_AsyncParity: + fsc = 0x19; + break; + case ARMFault_AsyncExternal: + fsc = 0x11 | (fi->ea << 12); + break; + case ARMFault_Alignment: + fsc = 0x21; + break; + case ARMFault_Debug: + fsc = 0x22; + break; + case ARMFault_TLBConflict: + fsc = 0x30; + break; + case ARMFault_Lockdown: + fsc = 0x34; + break; + case ARMFault_Exclusive: + fsc = 0x35; + break; + default: + /* Other faults can't occur in a context that requires a + * long-format status code. + */ + g_assert_not_reached(); + } + + fsc |= 1 << 9; + return fsc; +} + /* Do a page table walk and add page to TLB if possible */ bool arm_tlb_fill(CPUState *cpu, vaddr address, MMUAccessType access_type, int mmu_idx, -- 2.7.4 All the callers of arm_ldq_ptw() and arm_ldl_ptw() ignore the value that those functions store in the fsr argument on failure: if they return failure to their callers they will always overwrite the fsr value with something else. Remove the argument from these functions and S1_ptw_translate(). This will simplify removing fsr from the calling functions. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Tested-by: Stefano Stabellini <sstabellini@kernel.org> Message-id: 1512503192-2239-3-git-send-email-peter.maydell@linaro.org --- target/arm/helper.c | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/target/arm/helper.c b/target/arm/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -XXX,XX +XXX,XX @@ static bool get_level1_table_address(CPUARMState *env, ARMMMUIdx mmu_idx, /* Translate a S1 pagetable walk through S2 if needed. */ static hwaddr S1_ptw_translate(CPUARMState *env, ARMMMUIdx mmu_idx, hwaddr addr, MemTxAttrs txattrs, - uint32_t *fsr, ARMMMUFaultInfo *fi) { if ((mmu_idx == ARMMMUIdx_S1NSE0 || mmu_idx == ARMMMUIdx_S1NSE1) && @@ -XXX,XX +XXX,XX @@ static hwaddr S1_ptw_translate(CPUARMState *env, ARMMMUIdx mmu_idx, hwaddr s2pa; int s2prot; int ret; + uint32_t fsr; ret = get_phys_addr_lpae(env, addr, 0, ARMMMUIdx_S2NS, &s2pa, - &txattrs, &s2prot, &s2size, fsr, fi, NULL); + &txattrs, &s2prot, &s2size, &fsr, fi, NULL); if (ret) { fi->s2addr = addr; fi->stage2 = true; @@ -XXX,XX +XXX,XX @@ static hwaddr S1_ptw_translate(CPUARMState *env, ARMMMUIdx mmu_idx, * (but not if it was for a debug access). */ static uint32_t arm_ldl_ptw(CPUState *cs, hwaddr addr, bool is_secure, - ARMMMUIdx mmu_idx, uint32_t *fsr, - ARMMMUFaultInfo *fi) + ARMMMUIdx mmu_idx, ARMMMUFaultInfo *fi) { ARMCPU *cpu = ARM_CPU(cs); CPUARMState *env = &cpu->env; @@ -XXX,XX +XXX,XX @@ static uint32_t arm_ldl_ptw(CPUState *cs, hwaddr addr, bool is_secure, attrs.secure = is_secure; as = arm_addressspace(cs, attrs); - addr = S1_ptw_translate(env, mmu_idx, addr, attrs, fsr, fi); + addr = S1_ptw_translate(env, mmu_idx, addr, attrs, fi); if (fi->s1ptw) { return 0; } @@ -XXX,XX +XXX,XX @@ static uint32_t arm_ldl_ptw(CPUState *cs, hwaddr addr, bool is_secure, } static uint64_t arm_ldq_ptw(CPUState *cs, hwaddr addr, bool is_secure, - ARMMMUIdx mmu_idx, uint32_t *fsr, - ARMMMUFaultInfo *fi) + ARMMMUIdx mmu_idx, ARMMMUFaultInfo *fi) { ARMCPU *cpu = ARM_CPU(cs); CPUARMState *env = &cpu->env; @@ -XXX,XX +XXX,XX @@ static uint64_t arm_ldq_ptw(CPUState *cs, hwaddr addr, bool is_secure, attrs.secure = is_secure; as = arm_addressspace(cs, attrs); - addr = S1_ptw_translate(env, mmu_idx, addr, attrs, fsr, fi); + addr = S1_ptw_translate(env, mmu_idx, addr, attrs, fi); if (fi->s1ptw) { return 0; } @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v5(CPUARMState *env, uint32_t address, goto do_fault; } desc = arm_ldl_ptw(cs, table, regime_is_secure(env, mmu_idx), - mmu_idx, fsr, fi); + mmu_idx, fi); type = (desc & 3); domain = (desc >> 5) & 0x0f; if (regime_el(env, mmu_idx) == 1) { @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v5(CPUARMState *env, uint32_t address, table = (desc & 0xfffff000) | ((address >> 8) & 0xffc); } desc = arm_ldl_ptw(cs, table, regime_is_secure(env, mmu_idx), - mmu_idx, fsr, fi); + mmu_idx, fi); switch (desc & 3) { case 0: /* Page translation fault. */ code = 7; @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v6(CPUARMState *env, uint32_t address, goto do_fault; } desc = arm_ldl_ptw(cs, table, regime_is_secure(env, mmu_idx), - mmu_idx, fsr, fi); + mmu_idx, fi); type = (desc & 3); if (type == 0 || (type == 3 && !arm_feature(env, ARM_FEATURE_PXN))) { /* Section translation fault, or attempt to use the encoding @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v6(CPUARMState *env, uint32_t address, /* Lookup l2 entry. */ table = (desc & 0xfffffc00) | ((address >> 10) & 0x3fc); desc = arm_ldl_ptw(cs, table, regime_is_secure(env, mmu_idx), - mmu_idx, fsr, fi); + mmu_idx, fi); ap = ((desc >> 4) & 3) | ((desc >> 7) & 4); switch (desc & 3) { case 0: /* Page translation fault. */ @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address, descaddr |= (address >> (stride * (4 - level))) & indexmask; descaddr &= ~7ULL; nstable = extract32(tableattrs, 4, 1); - descriptor = arm_ldq_ptw(cs, descaddr, !nstable, mmu_idx, fsr, fi); + descriptor = arm_ldq_ptw(cs, descaddr, !nstable, mmu_idx, fi); if (fi->s1ptw) { goto do_fault; } -- 2.7.4 Make get_phys_addr_v5() return a fault type in the ARMMMUFaultInfo structure, which we convert to the FSC at the callsite. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Tested-by: Stefano Stabellini <sstabellini@kernel.org> Message-id: 1512503192-2239-4-git-send-email-peter.maydell@linaro.org --- target/arm/helper.c | 33 ++++++++++++++++++--------------- 1 file changed, 18 insertions(+), 15 deletions(-) diff --git a/target/arm/helper.c b/target/arm/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -XXX,XX +XXX,XX @@ static uint64_t arm_ldq_ptw(CPUState *cs, hwaddr addr, bool is_secure, static bool get_phys_addr_v5(CPUARMState *env, uint32_t address, MMUAccessType access_type, ARMMMUIdx mmu_idx, hwaddr *phys_ptr, int *prot, - target_ulong *page_size, uint32_t *fsr, + target_ulong *page_size, ARMMMUFaultInfo *fi) { CPUState *cs = CPU(arm_env_get_cpu(env)); - int code; + int level = 1; uint32_t table; uint32_t desc; int type; @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v5(CPUARMState *env, uint32_t address, /* Lookup l1 descriptor. */ if (!get_level1_table_address(env, mmu_idx, &table, address)) { /* Section translation fault if page walk is disabled by PD0 or PD1 */ - code = 5; + fi->type = ARMFault_Translation; goto do_fault; } desc = arm_ldl_ptw(cs, table, regime_is_secure(env, mmu_idx), @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v5(CPUARMState *env, uint32_t address, domain_prot = (dacr >> (domain * 2)) & 3; if (type == 0) { /* Section translation fault. */ - code = 5; + fi->type = ARMFault_Translation; goto do_fault; } + if (type != 2) { + level = 2; + } if (domain_prot == 0 || domain_prot == 2) { - if (type == 2) - code = 9; /* Section domain fault. */ - else - code = 11; /* Page domain fault. */ + fi->type = ARMFault_Domain; goto do_fault; } if (type == 2) { /* 1Mb section. */ phys_addr = (desc & 0xfff00000) | (address & 0x000fffff); ap = (desc >> 10) & 3; - code = 13; *page_size = 1024 * 1024; } else { /* Lookup l2 entry. */ @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v5(CPUARMState *env, uint32_t address, mmu_idx, fi); switch (desc & 3) { case 0: /* Page translation fault. */ - code = 7; + fi->type = ARMFault_Translation; goto do_fault; case 1: /* 64k page. */ phys_addr = (desc & 0xffff0000) | (address & 0xffff); @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v5(CPUARMState *env, uint32_t address, /* UNPREDICTABLE in ARMv5; we choose to take a * page translation fault. */ - code = 7; + fi->type = ARMFault_Translation; goto do_fault; } } else { @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v5(CPUARMState *env, uint32_t address, /* Never happens, but compiler isn't smart enough to tell. */ abort(); } - code = 15; } *prot = ap_to_rw_prot(env, mmu_idx, ap, domain_prot); *prot |= *prot ? PAGE_EXEC : 0; if (!(*prot & (1 << access_type))) { /* Access permission fault. */ + fi->type = ARMFault_Permission; goto do_fault; } *phys_ptr = phys_addr; return false; do_fault: - *fsr = code | (domain << 4); + fi->domain = domain; + fi->level = level; return true; } @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr(CPUARMState *env, target_ulong address, return get_phys_addr_v6(env, address, access_type, mmu_idx, phys_ptr, attrs, prot, page_size, fsr, fi); } else { - return get_phys_addr_v5(env, address, access_type, mmu_idx, phys_ptr, - prot, page_size, fsr, fi); + bool ret = get_phys_addr_v5(env, address, access_type, mmu_idx, + phys_ptr, prot, page_size, fi); + + *fsr = arm_fi_to_sfsc(fi); + return ret; } } -- 2.7.4 Make get_phys_addr_v6() return a fault type in the ARMMMUFaultInfo structure, which we convert to the FSC at the callsite. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Tested-by: Stefano Stabellini <sstabellini@kernel.org> Message-id: 1512503192-2239-5-git-send-email-peter.maydell@linaro.org --- target/arm/helper.c | 40 ++++++++++++++++++++++------------------ 1 file changed, 22 insertions(+), 18 deletions(-) diff --git a/target/arm/helper.c b/target/arm/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -XXX,XX +XXX,XX @@ do_fault: static bool get_phys_addr_v6(CPUARMState *env, uint32_t address, MMUAccessType access_type, ARMMMUIdx mmu_idx, hwaddr *phys_ptr, MemTxAttrs *attrs, int *prot, - target_ulong *page_size, uint32_t *fsr, - ARMMMUFaultInfo *fi) + target_ulong *page_size, ARMMMUFaultInfo *fi) { CPUState *cs = CPU(arm_env_get_cpu(env)); - int code; + int level = 1; uint32_t table; uint32_t desc; uint32_t xn; @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v6(CPUARMState *env, uint32_t address, /* Lookup l1 descriptor. */ if (!get_level1_table_address(env, mmu_idx, &table, address)) { /* Section translation fault if page walk is disabled by PD0 or PD1 */ - code = 5; + fi->type = ARMFault_Translation; goto do_fault; } desc = arm_ldl_ptw(cs, table, regime_is_secure(env, mmu_idx), @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v6(CPUARMState *env, uint32_t address, /* Section translation fault, or attempt to use the encoding * which is Reserved on implementations without PXN. */ - code = 5; + fi->type = ARMFault_Translation; goto do_fault; } if ((type == 1) || !(desc & (1 << 18))) { @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v6(CPUARMState *env, uint32_t address, } else { dacr = env->cp15.dacr_s; } + if (type == 1) { + level = 2; + } domain_prot = (dacr >> (domain * 2)) & 3; if (domain_prot == 0 || domain_prot == 2) { - if (type != 1) { - code = 9; /* Section domain fault. */ - } else { - code = 11; /* Page domain fault. */ - } + /* Section or Page domain fault */ + fi->type = ARMFault_Domain; goto do_fault; } if (type != 1) { @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v6(CPUARMState *env, uint32_t address, ap = ((desc >> 10) & 3) | ((desc >> 13) & 4); xn = desc & (1 << 4); pxn = desc & 1; - code = 13; ns = extract32(desc, 19, 1); } else { if (arm_feature(env, ARM_FEATURE_PXN)) { @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v6(CPUARMState *env, uint32_t address, ap = ((desc >> 4) & 3) | ((desc >> 7) & 4); switch (desc & 3) { case 0: /* Page translation fault. */ - code = 7; + fi->type = ARMFault_Translation; goto do_fault; case 1: /* 64k page. */ phys_addr = (desc & 0xffff0000) | (address & 0xffff); @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v6(CPUARMState *env, uint32_t address, /* Never happens, but compiler isn't smart enough to tell. */ abort(); } - code = 15; } if (domain_prot == 3) { *prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC; @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v6(CPUARMState *env, uint32_t address, if (pxn && !regime_is_user(env, mmu_idx)) { xn = 1; } - if (xn && access_type == MMU_INST_FETCH) + if (xn && access_type == MMU_INST_FETCH) { + fi->type = ARMFault_Permission; goto do_fault; + } if (arm_feature(env, ARM_FEATURE_V6K) && (regime_sctlr(env, mmu_idx) & SCTLR_AFE)) { /* The simplified model uses AP[0] as an access control bit. */ if ((ap & 1) == 0) { /* Access flag fault. */ - code = (code == 15) ? 6 : 3; + fi->type = ARMFault_AccessFlag; goto do_fault; } *prot = simple_ap_to_rw_prot(env, mmu_idx, ap >> 1); @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v6(CPUARMState *env, uint32_t address, } if (!(*prot & (1 << access_type))) { /* Access permission fault. */ + fi->type = ARMFault_Permission; goto do_fault; } } @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v6(CPUARMState *env, uint32_t address, *phys_ptr = phys_addr; return false; do_fault: - *fsr = code | (domain << 4); + fi->domain = domain; + fi->level = level; return true; } @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr(CPUARMState *env, target_ulong address, return get_phys_addr_lpae(env, address, access_type, mmu_idx, phys_ptr, attrs, prot, page_size, fsr, fi, cacheattrs); } else if (regime_sctlr(env, mmu_idx) & SCTLR_XP) { - return get_phys_addr_v6(env, address, access_type, mmu_idx, phys_ptr, - attrs, prot, page_size, fsr, fi); + bool ret = get_phys_addr_v6(env, address, access_type, mmu_idx, + phys_ptr, attrs, prot, page_size, fi); + + *fsr = arm_fi_to_sfsc(fi); + return ret; } else { bool ret = get_phys_addr_v5(env, address, access_type, mmu_idx, phys_ptr, prot, page_size, fi); -- 2.7.4 Make get_phys_addr_v6() return a fault type in the ARMMMUFaultInfo structure, which we convert to the FSC at the callsite. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Tested-by: Stefano Stabellini <sstabellini@kernel.org> Message-id: 1512503192-2239-6-git-send-email-peter.maydell@linaro.org --- target/arm/helper.c | 41 ++++++++++++++++++----------------------- 1 file changed, 18 insertions(+), 23 deletions(-) diff --git a/target/arm/helper.c b/target/arm/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr(CPUARMState *env, target_ulong address, static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address, MMUAccessType access_type, ARMMMUIdx mmu_idx, hwaddr *phys_ptr, MemTxAttrs *txattrs, int *prot, - target_ulong *page_size_ptr, uint32_t *fsr, + target_ulong *page_size_ptr, ARMMMUFaultInfo *fi, ARMCacheAttrs *cacheattrs); /* Security attributes for an address, as returned by v8m_security_lookup. */ @@ -XXX,XX +XXX,XX @@ static hwaddr S1_ptw_translate(CPUARMState *env, ARMMMUIdx mmu_idx, hwaddr s2pa; int s2prot; int ret; - uint32_t fsr; ret = get_phys_addr_lpae(env, addr, 0, ARMMMUIdx_S2NS, &s2pa, - &txattrs, &s2prot, &s2size, &fsr, fi, NULL); + &txattrs, &s2prot, &s2size, fi, NULL); if (ret) { fi->s2addr = addr; fi->stage2 = true; @@ -XXX,XX +XXX,XX @@ do_fault: return true; } -/* Fault type for long-descriptor MMU fault reporting; this corresponds - * to bits [5..2] in the STATUS field in long-format DFSR/IFSR. - */ -typedef enum { - translation_fault = 1, - access_fault = 2, - permission_fault = 3, -} MMUFaultType; - /* * check_s2_mmu_setup * @cpu: ARMCPU @@ -XXX,XX +XXX,XX @@ static uint8_t convert_stage2_attrs(CPUARMState *env, uint8_t s2attrs) static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address, MMUAccessType access_type, ARMMMUIdx mmu_idx, hwaddr *phys_ptr, MemTxAttrs *txattrs, int *prot, - target_ulong *page_size_ptr, uint32_t *fsr, + target_ulong *page_size_ptr, ARMMMUFaultInfo *fi, ARMCacheAttrs *cacheattrs) { ARMCPU *cpu = arm_env_get_cpu(env); CPUState *cs = CPU(cpu); /* Read an LPAE long-descriptor translation table. */ - MMUFaultType fault_type = translation_fault; + ARMFaultType fault_type = ARMFault_Translation; uint32_t level; uint32_t epd = 0; int32_t t0sz, t1sz; @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address, ttbr_select = 1; } else { /* in the gap between the two regions, this is a Translation fault */ - fault_type = translation_fault; + fault_type = ARMFault_Translation; goto do_fault; } @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address, ok = check_s2_mmu_setup(cpu, aarch64, startlevel, inputsize, stride); if (!ok) { - fault_type = translation_fault; + fault_type = ARMFault_Translation; goto do_fault; } level = startlevel; @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address, /* Here descaddr is the final physical address, and attributes * are all in attrs. */ - fault_type = access_fault; + fault_type = ARMFault_AccessFlag; if ((attrs & (1 << 8)) == 0) { /* Access flag */ goto do_fault; @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address, *prot = get_S1prot(env, mmu_idx, aarch64, ap, ns, xn, pxn); } - fault_type = permission_fault; + fault_type = ARMFault_Permission; if (!(*prot & (1 << access_type))) { goto do_fault; } @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address, return false; do_fault: - /* Long-descriptor format IFSR/DFSR value */ - *fsr = (1 << 9) | (fault_type << 2) | level; + fi->type = fault_type; + fi->level = level; /* Tag the error as S2 for failed S1 PTW at S2 or ordinary S2. */ fi->stage2 = fi->s1ptw || (mmu_idx == ARMMMUIdx_S2NS); return true; @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr(CPUARMState *env, target_ulong address, /* S1 is done. Now do S2 translation. */ ret = get_phys_addr_lpae(env, ipa, access_type, ARMMMUIdx_S2NS, phys_ptr, attrs, &s2_prot, - page_size, fsr, fi, + page_size, fi, cacheattrs != NULL ? &cacheattrs2 : NULL); + *fsr = arm_fi_to_lfsc(fi); fi->s2addr = ipa; /* Combine the S1 and S2 perms. */ *prot &= s2_prot; @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr(CPUARMState *env, target_ulong address, } if (regime_using_lpae_format(env, mmu_idx)) { - return get_phys_addr_lpae(env, address, access_type, mmu_idx, phys_ptr, - attrs, prot, page_size, fsr, fi, cacheattrs); + bool ret = get_phys_addr_lpae(env, address, access_type, mmu_idx, + phys_ptr, attrs, prot, page_size, + fi, cacheattrs); + + *fsr = arm_fi_to_lfsc(fi); + return ret; } else if (regime_sctlr(env, mmu_idx) & SCTLR_XP) { bool ret = get_phys_addr_v6(env, address, access_type, mmu_idx, phys_ptr, attrs, prot, page_size, fi); -- 2.7.4 Make get_phys_addr_pmsav5() return a fault type in the ARMMMUFaultInfo structure, which we convert to the FSC at the callsite. Note that PMSAv5 does not define any guest-visible fault status register, so the different "fsr" values we were previously returning are entirely arbitrary. So we can just switch to using the most appropriae fi->type values without worrying that we need to special-case FaultInfo->FSC conversion for PMSAv5. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Tested-by: Stefano Stabellini <sstabellini@kernel.org> Message-id: 1512503192-2239-7-git-send-email-peter.maydell@linaro.org --- target/arm/helper.c | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/target/arm/helper.c b/target/arm/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav8(CPUARMState *env, uint32_t address, static bool get_phys_addr_pmsav5(CPUARMState *env, uint32_t address, MMUAccessType access_type, ARMMMUIdx mmu_idx, - hwaddr *phys_ptr, int *prot, uint32_t *fsr) + hwaddr *phys_ptr, int *prot, + ARMMMUFaultInfo *fi) { int n; uint32_t mask; @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav5(CPUARMState *env, uint32_t address, } } if (n < 0) { - *fsr = 2; + fi->type = ARMFault_Background; return true; } @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav5(CPUARMState *env, uint32_t address, mask = (mask >> (n * 4)) & 0xf; switch (mask) { case 0: - *fsr = 1; + fi->type = ARMFault_Permission; + fi->level = 1; return true; case 1: if (is_user) { - *fsr = 1; + fi->type = ARMFault_Permission; + fi->level = 1; return true; } *prot = PAGE_READ | PAGE_WRITE; @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav5(CPUARMState *env, uint32_t address, break; case 5: if (is_user) { - *fsr = 1; + fi->type = ARMFault_Permission; + fi->level = 1; return true; } *prot = PAGE_READ; @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav5(CPUARMState *env, uint32_t address, break; default: /* Bad permission. */ - *fsr = 1; + fi->type = ARMFault_Permission; + fi->level = 1; return true; } *prot |= PAGE_EXEC; @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr(CPUARMState *env, target_ulong address, } else { /* Pre-v7 MPU */ ret = get_phys_addr_pmsav5(env, address, access_type, mmu_idx, - phys_ptr, prot, fsr); + phys_ptr, prot, fi); + *fsr = arm_fi_to_sfsc(fi); } qemu_log_mask(CPU_LOG_MMU, "PMSA MPU lookup for %s at 0x%08" PRIx32 " mmu_idx %u -> %s (prot %c%c%c)\n", -- 2.7.4 Make get_phys_addr_pmsav7() return a fault type in the ARMMMUFaultInfo structure, which we convert to the FSC at the callsite. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Tested-by: Stefano Stabellini <sstabellini@kernel.org> Message-id: 1512503192-2239-8-git-send-email-peter.maydell@linaro.org --- target/arm/helper.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/target/arm/helper.c b/target/arm/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -XXX,XX +XXX,XX @@ static inline bool m_is_system_region(CPUARMState *env, uint32_t address) static bool get_phys_addr_pmsav7(CPUARMState *env, uint32_t address, MMUAccessType access_type, ARMMMUIdx mmu_idx, - hwaddr *phys_ptr, int *prot, uint32_t *fsr) + hwaddr *phys_ptr, int *prot, + ARMMMUFaultInfo *fi) { ARMCPU *cpu = arm_env_get_cpu(env); int n; @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav7(CPUARMState *env, uint32_t address, if (n == -1) { /* no hits */ if (!pmsav7_use_background_region(cpu, mmu_idx, is_user)) { /* background fault */ - *fsr = 0; + fi->type = ARMFault_Background; return true; } get_phys_addr_pmsav7_default(env, mmu_idx, address, prot); @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav7(CPUARMState *env, uint32_t address, } } - *fsr = 0x00d; /* Permission fault */ + fi->type = ARMFault_Permission; + fi->level = 1; return !(*prot & (1 << access_type)); } @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr(CPUARMState *env, target_ulong address, } else if (arm_feature(env, ARM_FEATURE_V7)) { /* PMSAv7 */ ret = get_phys_addr_pmsav7(env, address, access_type, mmu_idx, - phys_ptr, prot, fsr); + phys_ptr, prot, fi); + *fsr = arm_fi_to_sfsc(fi); } else { /* Pre-v7 MPU */ ret = get_phys_addr_pmsav5(env, address, access_type, mmu_idx, -- 2.7.4 Make get_phys_addr_pmsav8() return a fault type in the ARMMMUFaultInfo structure, which we convert to the FSC at the callsite. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Tested-by: Stefano Stabellini <sstabellini@kernel.org> Message-id: 1512503192-2239-9-git-send-email-peter.maydell@linaro.org --- target/arm/helper.c | 29 ++++++++++++++++++----------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/target/arm/helper.c b/target/arm/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -XXX,XX +XXX,XX @@ static void v8m_security_lookup(CPUARMState *env, uint32_t address, static bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address, MMUAccessType access_type, ARMMMUIdx mmu_idx, hwaddr *phys_ptr, MemTxAttrs *txattrs, - int *prot, uint32_t *fsr, uint32_t *mregion) + int *prot, ARMMMUFaultInfo *fi, uint32_t *mregion) { /* Perform a PMSAv8 MPU lookup (without also doing the SAU check * that a full phys-to-virt translation does). @@ -XXX,XX +XXX,XX @@ static bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address, /* Multiple regions match -- always a failure (unlike * PMSAv7 where highest-numbered-region wins) */ - *fsr = 0x00d; /* permission fault */ + fi->type = ARMFault_Permission; + fi->level = 1; return true; } @@ -XXX,XX +XXX,XX @@ static bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address, if (!hit) { /* background fault */ - *fsr = 0; + fi->type = ARMFault_Background; return true; } @@ -XXX,XX +XXX,XX @@ static bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address, } } - *fsr = 0x00d; /* Permission fault */ + fi->type = ARMFault_Permission; + fi->level = 1; return !(*prot & (1 << access_type)); } @@ -XXX,XX +XXX,XX @@ static bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address, static bool get_phys_addr_pmsav8(CPUARMState *env, uint32_t address, MMUAccessType access_type, ARMMMUIdx mmu_idx, hwaddr *phys_ptr, MemTxAttrs *txattrs, - int *prot, uint32_t *fsr) + int *prot, ARMMMUFaultInfo *fi) { uint32_t secure = regime_is_secure(env, mmu_idx); V8M_SAttributes sattrs = {}; @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav8(CPUARMState *env, uint32_t address, * (including possibly emulating an SG instruction). */ if (sattrs.ns != !secure) { - *fsr = sattrs.nsc ? M_FAKE_FSR_NSC_EXEC : M_FAKE_FSR_SFAULT; + if (sattrs.nsc) { + fi->type = ARMFault_QEMU_NSCExec; + } else { + fi->type = ARMFault_QEMU_SFault; + } *phys_ptr = address; *prot = 0; return true; @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav8(CPUARMState *env, uint32_t address, * If we added it we would need to do so as a special case * for M_FAKE_FSR_SFAULT in arm_v7m_cpu_do_interrupt(). */ - *fsr = M_FAKE_FSR_SFAULT; + fi->type = ARMFault_QEMU_SFault; *phys_ptr = address; *prot = 0; return true; @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav8(CPUARMState *env, uint32_t address, } return pmsav8_mpu_lookup(env, address, access_type, mmu_idx, phys_ptr, - txattrs, prot, fsr, NULL); + txattrs, prot, fi, NULL); } static bool get_phys_addr_pmsav5(CPUARMState *env, uint32_t address, @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr(CPUARMState *env, target_ulong address, if (arm_feature(env, ARM_FEATURE_V8)) { /* PMSAv8 */ ret = get_phys_addr_pmsav8(env, address, access_type, mmu_idx, - phys_ptr, attrs, prot, fsr); + phys_ptr, attrs, prot, fi); + *fsr = arm_fi_to_sfsc(fi); } else if (arm_feature(env, ARM_FEATURE_V7)) { /* PMSAv7 */ ret = get_phys_addr_pmsav7(env, address, access_type, mmu_idx, @@ -XXX,XX +XXX,XX @@ uint32_t HELPER(v7m_tt)(CPUARMState *env, uint32_t addr, uint32_t op) uint32_t tt_resp; bool r, rw, nsr, nsrw, mrvalid; int prot; + ARMMMUFaultInfo fi = {}; MemTxAttrs attrs = {}; hwaddr phys_addr; - uint32_t fsr; ARMMMUIdx mmu_idx; uint32_t mregion; bool targetpriv; @@ -XXX,XX +XXX,XX @@ uint32_t HELPER(v7m_tt)(CPUARMState *env, uint32_t addr, uint32_t op) if (arm_current_el(env) != 0 || alt) { /* We can ignore the return value as prot is always set */ pmsav8_mpu_lookup(env, addr, MMU_DATA_LOAD, mmu_idx, - &phys_addr, &attrs, &prot, &fsr, &mregion); + &phys_addr, &attrs, &prot, &fi, &mregion); if (mregion == -1) { mrvalid = false; mregion = 0; -- 2.7.4 Now that ARMMMUFaultInfo is guaranteed to have enough information to construct a fault status code, we can pass it in to the deliver_fault() function and let it generate the correct type of FSR for the destination, rather than relying on the value provided by get_phys_addr(). I don't think there are any cases the old code was getting wrong, but this is more obviously correct. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Tested-by: Stefano Stabellini <sstabellini@kernel.org> Message-id: 1512503192-2239-10-git-send-email-peter.maydell@linaro.org --- target/arm/op_helper.c | 79 ++++++++++++++------------------------------------ 1 file changed, 22 insertions(+), 57 deletions(-) diff --git a/target/arm/op_helper.c b/target/arm/op_helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/op_helper.c +++ b/target/arm/op_helper.c @@ -XXX,XX +XXX,XX @@ static inline uint32_t merge_syn_data_abort(uint32_t template_syn, } static void deliver_fault(ARMCPU *cpu, vaddr addr, MMUAccessType access_type, - uint32_t fsr, uint32_t fsc, ARMMMUFaultInfo *fi) + int mmu_idx, ARMMMUFaultInfo *fi) { CPUARMState *env = &cpu->env; int target_el; bool same_el; - uint32_t syn, exc; + uint32_t syn, exc, fsr, fsc; + ARMMMUIdx arm_mmu_idx = core_to_arm_mmu_idx(env, mmu_idx); target_el = exception_target_el(env); if (fi->stage2) { @@ -XXX,XX +XXX,XX @@ static void deliver_fault(ARMCPU *cpu, vaddr addr, MMUAccessType access_type, } same_el = (arm_current_el(env) == target_el); - if (fsc == 0x3f) { - /* Caller doesn't have a long-format fault status code. This - * should only happen if this fault will never actually be reported - * to an EL that uses a syndrome register. Check that here. - * 0x3f is a (currently) reserved FSC code, in case the constructed - * syndrome does leak into the guest somehow. + if (target_el == 2 || arm_el_is_aa64(env, target_el) || + arm_s1_regime_using_lpae_format(env, arm_mmu_idx)) { + /* LPAE format fault status register : bottom 6 bits are + * status code in the same form as needed for syndrome + */ + fsr = arm_fi_to_lfsc(fi); + fsc = extract32(fsr, 0, 6); + } else { + fsr = arm_fi_to_sfsc(fi); + /* Short format FSR : this fault will never actually be reported + * to an EL that uses a syndrome register. Use a (currently) + * reserved FSR code in case the constructed syndrome does leak + * into the guest somehow. */ - assert(target_el != 2 && !arm_el_is_aa64(env, target_el)); + fsc = 0x3f; } if (access_type == MMU_INST_FETCH) { @@ -XXX,XX +XXX,XX @@ void tlb_fill(CPUState *cs, target_ulong addr, MMUAccessType access_type, ret = arm_tlb_fill(cs, addr, access_type, mmu_idx, &fsr, &fi); if (unlikely(ret)) { ARMCPU *cpu = ARM_CPU(cs); - uint32_t fsc; if (retaddr) { /* now we have a real cpu fault */ cpu_restore_state(cs, retaddr); } - if (fsr & (1 << 9)) { - /* LPAE format fault status register : bottom 6 bits are - * status code in the same form as needed for syndrome - */ - fsc = extract32(fsr, 0, 6); - } else { - /* Short format FSR : this fault will never actually be reported - * to an EL that uses a syndrome register. Use a (currently) - * reserved FSR code in case the constructed syndrome does leak - * into the guest somehow. deliver_fault will assert that - * we don't target an EL using the syndrome. - */ - fsc = 0x3f; - } - - deliver_fault(cpu, addr, access_type, fsr, fsc, &fi); + deliver_fault(cpu, addr, access_type, mmu_idx, &fi); } } @@ -XXX,XX +XXX,XX @@ void arm_cpu_do_unaligned_access(CPUState *cs, vaddr vaddr, int mmu_idx, uintptr_t retaddr) { ARMCPU *cpu = ARM_CPU(cs); - CPUARMState *env = &cpu->env; - uint32_t fsr, fsc; ARMMMUFaultInfo fi = {}; - ARMMMUIdx arm_mmu_idx = core_to_arm_mmu_idx(env, mmu_idx); if (retaddr) { /* now we have a real cpu fault */ cpu_restore_state(cs, retaddr); } - /* the DFSR for an alignment fault depends on whether we're using - * the LPAE long descriptor format, or the short descriptor format - */ - if (arm_s1_regime_using_lpae_format(env, arm_mmu_idx)) { - fsr = (1 << 9) | 0x21; - } else { - fsr = 0x1; - } - fsc = 0x21; - - deliver_fault(cpu, vaddr, access_type, fsr, fsc, &fi); + fi.type = ARMFault_Alignment; + deliver_fault(cpu, vaddr, access_type, mmu_idx, &fi); } /* arm_cpu_do_transaction_failed: handle a memory system error response @@ -XXX,XX +XXX,XX @@ void arm_cpu_do_transaction_failed(CPUState *cs, hwaddr physaddr, MemTxResult response, uintptr_t retaddr) { ARMCPU *cpu = ARM_CPU(cs); - CPUARMState *env = &cpu->env; - uint32_t fsr, fsc; ARMMMUFaultInfo fi = {}; - ARMMMUIdx arm_mmu_idx = core_to_arm_mmu_idx(env, mmu_idx); if (retaddr) { /* now we have a real cpu fault */ @@ -XXX,XX +XXX,XX @@ void arm_cpu_do_transaction_failed(CPUState *cs, hwaddr physaddr, * Slave error (1); in QEMU we follow that. */ fi.ea = (response != MEMTX_DECODE_ERROR); - - /* The fault status register format depends on whether we're using - * the LPAE long descriptor format, or the short descriptor format. - */ - if (arm_s1_regime_using_lpae_format(env, arm_mmu_idx)) { - /* long descriptor form, STATUS 0b010000: synchronous ext abort */ - fsr = (fi.ea << 12) | (1 << 9) | 0x10; - } else { - /* short descriptor form, FSR 0b01000 : synchronous ext abort */ - fsr = (fi.ea << 12) | 0x8; - } - fsc = 0x10; - - deliver_fault(cpu, addr, access_type, fsr, fsc, &fi); + fi.type = ARMFault_SyncExternal; + deliver_fault(cpu, addr, access_type, mmu_idx, &fi); } #endif /* !defined(CONFIG_USER_ONLY) */ -- 2.7.4 In do_ats_write(), rather than using the FSR value from get_phys_addr(), construct the PAR values using the information in the ARMMMUFaultInfo struct. This allows us to create a PAR of the correct format regardless of what the translation table format is. For the moment we leave the condition for "when should this be a 64 bit PAR" as it was previously; this will need to be fixed to properly support AArch32 Hyp mode. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Tested-by: Stefano Stabellini <sstabellini@kernel.org> Message-id: 1512503192-2239-11-git-send-email-peter.maydell@linaro.org --- target/arm/helper.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/target/arm/helper.c b/target/arm/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -XXX,XX +XXX,XX @@ static uint64_t do_ats_write(CPUARMState *env, uint64_t value, hwaddr phys_addr; target_ulong page_size; int prot; - uint32_t fsr; + uint32_t fsr_unused; bool ret; uint64_t par64; MemTxAttrs attrs = {}; @@ -XXX,XX +XXX,XX @@ static uint64_t do_ats_write(CPUARMState *env, uint64_t value, ARMCacheAttrs cacheattrs = {}; ret = get_phys_addr(env, value, access_type, mmu_idx, &phys_addr, &attrs, - &prot, &page_size, &fsr, &fi, &cacheattrs); + &prot, &page_size, &fsr_unused, &fi, &cacheattrs); + /* TODO: this is not the correct condition to use to decide whether + * to report a PAR in 64-bit or 32-bit format. + */ if (arm_s1_regime_using_lpae_format(env, mmu_idx)) { - /* fsr is a DFSR/IFSR value for the long descriptor - * translation table format, but with WnR always clear. - * Convert it to a 64-bit PAR. - */ + /* Create a 64-bit PAR */ par64 = (1 << 11); /* LPAE bit always set */ if (!ret) { par64 |= phys_addr & ~0xfffULL; @@ -XXX,XX +XXX,XX @@ static uint64_t do_ats_write(CPUARMState *env, uint64_t value, par64 |= (uint64_t)cacheattrs.attrs << 56; /* ATTR */ par64 |= cacheattrs.shareability << 7; /* SH */ } else { + uint32_t fsr = arm_fi_to_lfsc(&fi); + par64 |= 1; /* F */ par64 |= (fsr & 0x3f) << 1; /* FS */ /* Note that S2WLK and FSTAGE are always zero, because we don't @@ -XXX,XX +XXX,XX @@ static uint64_t do_ats_write(CPUARMState *env, uint64_t value, par64 |= (1 << 9); /* NS */ } } else { + uint32_t fsr = arm_fi_to_sfsc(&fi); + par64 = ((fsr & (1 << 10)) >> 5) | ((fsr & (1 << 12)) >> 6) | ((fsr & 0xf) << 1) | 1; } -- 2.7.4 All of the callers of get_phys_addr() and arm_tlb_fill() now ignore the FSR values they return, so we can just remove the argument entirely. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Tested-by: Stefano Stabellini <sstabellini@kernel.org> Message-id: 1512503192-2239-12-git-send-email-peter.maydell@linaro.org --- target/arm/internals.h | 2 +- target/arm/helper.c | 45 ++++++++++++++------------------------------- target/arm/op_helper.c | 3 +-- 3 files changed, 16 insertions(+), 34 deletions(-) diff --git a/target/arm/internals.h b/target/arm/internals.h index XXXXXXX..XXXXXXX 100644 --- a/target/arm/internals.h +++ b/target/arm/internals.h @@ -XXX,XX +XXX,XX @@ static inline uint32_t arm_fi_to_lfsc(ARMMMUFaultInfo *fi) /* Do a page table walk and add page to TLB if possible */ bool arm_tlb_fill(CPUState *cpu, vaddr address, MMUAccessType access_type, int mmu_idx, - uint32_t *fsr, ARMMMUFaultInfo *fi); + ARMMMUFaultInfo *fi); /* Return true if the stage 1 translation regime is using LPAE format page * tables */ diff --git a/target/arm/helper.c b/target/arm/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -XXX,XX +XXX,XX @@ typedef struct ARMCacheAttrs { static bool get_phys_addr(CPUARMState *env, target_ulong address, MMUAccessType access_type, ARMMMUIdx mmu_idx, hwaddr *phys_ptr, MemTxAttrs *attrs, int *prot, - target_ulong *page_size, uint32_t *fsr, + target_ulong *page_size, ARMMMUFaultInfo *fi, ARMCacheAttrs *cacheattrs); static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address, @@ -XXX,XX +XXX,XX @@ static uint64_t do_ats_write(CPUARMState *env, uint64_t value, hwaddr phys_addr; target_ulong page_size; int prot; - uint32_t fsr_unused; bool ret; uint64_t par64; MemTxAttrs attrs = {}; @@ -XXX,XX +XXX,XX @@ static uint64_t do_ats_write(CPUARMState *env, uint64_t value, ARMCacheAttrs cacheattrs = {}; ret = get_phys_addr(env, value, access_type, mmu_idx, &phys_addr, &attrs, - &prot, &page_size, &fsr_unused, &fi, &cacheattrs); + &prot, &page_size, &fi, &cacheattrs); /* TODO: this is not the correct condition to use to decide whether * to report a PAR in 64-bit or 32-bit format. */ @@ -XXX,XX +XXX,XX @@ static bool v7m_read_half_insn(ARMCPU *cpu, ARMMMUIdx mmu_idx, target_ulong page_size; hwaddr physaddr; int prot; - uint32_t fsr; v8m_security_lookup(env, addr, MMU_INST_FETCH, mmu_idx, &sattrs); if (!sattrs.nsc || sattrs.ns) { @@ -XXX,XX +XXX,XX @@ static bool v7m_read_half_insn(ARMCPU *cpu, ARMMMUIdx mmu_idx, return false; } if (get_phys_addr(env, addr, MMU_INST_FETCH, mmu_idx, - &physaddr, &attrs, &prot, &page_size, &fsr, &fi, NULL)) { + &physaddr, &attrs, &prot, &page_size, &fi, NULL)) { /* the MPU lookup failed */ env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_IACCVIOL_MASK; armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_MEM, env->v7m.secure); @@ -XXX,XX +XXX,XX @@ static ARMCacheAttrs combine_cacheattrs(ARMCacheAttrs s1, ARMCacheAttrs s2) * @attrs: set to the memory transaction attributes to use * @prot: set to the permissions for the page containing phys_ptr * @page_size: set to the size of the page containing phys_ptr - * @fsr: set to the DFSR/IFSR value on failure * @fi: set to fault info if the translation fails * @cacheattrs: (if non-NULL) set to the cacheability/shareability attributes */ static bool get_phys_addr(CPUARMState *env, target_ulong address, MMUAccessType access_type, ARMMMUIdx mmu_idx, hwaddr *phys_ptr, MemTxAttrs *attrs, int *prot, - target_ulong *page_size, uint32_t *fsr, + target_ulong *page_size, ARMMMUFaultInfo *fi, ARMCacheAttrs *cacheattrs) { if (mmu_idx == ARMMMUIdx_S12NSE0 || mmu_idx == ARMMMUIdx_S12NSE1) { @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr(CPUARMState *env, target_ulong address, ret = get_phys_addr(env, address, access_type, stage_1_mmu_idx(mmu_idx), &ipa, attrs, - prot, page_size, fsr, fi, cacheattrs); + prot, page_size, fi, cacheattrs); /* If S1 fails or S2 is disabled, return early. */ if (ret || regime_translation_disabled(env, ARMMMUIdx_S2NS)) { @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr(CPUARMState *env, target_ulong address, phys_ptr, attrs, &s2_prot, page_size, fi, cacheattrs != NULL ? &cacheattrs2 : NULL); - *fsr = arm_fi_to_lfsc(fi); fi->s2addr = ipa; /* Combine the S1 and S2 perms. */ *prot &= s2_prot; @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr(CPUARMState *env, target_ulong address, /* PMSAv8 */ ret = get_phys_addr_pmsav8(env, address, access_type, mmu_idx, phys_ptr, attrs, prot, fi); - *fsr = arm_fi_to_sfsc(fi); } else if (arm_feature(env, ARM_FEATURE_V7)) { /* PMSAv7 */ ret = get_phys_addr_pmsav7(env, address, access_type, mmu_idx, phys_ptr, prot, fi); - *fsr = arm_fi_to_sfsc(fi); } else { /* Pre-v7 MPU */ ret = get_phys_addr_pmsav5(env, address, access_type, mmu_idx, phys_ptr, prot, fi); - *fsr = arm_fi_to_sfsc(fi); } qemu_log_mask(CPU_LOG_MMU, "PMSA MPU lookup for %s at 0x%08" PRIx32 " mmu_idx %u -> %s (prot %c%c%c)\n", @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr(CPUARMState *env, target_ulong address, } if (regime_using_lpae_format(env, mmu_idx)) { - bool ret = get_phys_addr_lpae(env, address, access_type, mmu_idx, - phys_ptr, attrs, prot, page_size, - fi, cacheattrs); - - *fsr = arm_fi_to_lfsc(fi); - return ret; + return get_phys_addr_lpae(env, address, access_type, mmu_idx, + phys_ptr, attrs, prot, page_size, + fi, cacheattrs); } else if (regime_sctlr(env, mmu_idx) & SCTLR_XP) { - bool ret = get_phys_addr_v6(env, address, access_type, mmu_idx, - phys_ptr, attrs, prot, page_size, fi); - - *fsr = arm_fi_to_sfsc(fi); - return ret; + return get_phys_addr_v6(env, address, access_type, mmu_idx, + phys_ptr, attrs, prot, page_size, fi); } else { - bool ret = get_phys_addr_v5(env, address, access_type, mmu_idx, + return get_phys_addr_v5(env, address, access_type, mmu_idx, phys_ptr, prot, page_size, fi); - - *fsr = arm_fi_to_sfsc(fi); - return ret; } } @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr(CPUARMState *env, target_ulong address, * fsr with ARM DFSR/IFSR fault register format value on failure. */ bool arm_tlb_fill(CPUState *cs, vaddr address, - MMUAccessType access_type, int mmu_idx, uint32_t *fsr, + MMUAccessType access_type, int mmu_idx, ARMMMUFaultInfo *fi) { ARMCPU *cpu = ARM_CPU(cs); @@ -XXX,XX +XXX,XX @@ bool arm_tlb_fill(CPUState *cs, vaddr address, ret = get_phys_addr(env, address, access_type, core_to_arm_mmu_idx(env, mmu_idx), &phys_addr, - &attrs, &prot, &page_size, fsr, fi, NULL); + &attrs, &prot, &page_size, fi, NULL); if (!ret) { /* Map a single [sub]page. */ phys_addr &= TARGET_PAGE_MASK; @@ -XXX,XX +XXX,XX @@ hwaddr arm_cpu_get_phys_page_attrs_debug(CPUState *cs, vaddr addr, target_ulong page_size; int prot; bool ret; - uint32_t fsr; ARMMMUFaultInfo fi = {}; ARMMMUIdx mmu_idx = core_to_arm_mmu_idx(env, cpu_mmu_index(env, false)); *attrs = (MemTxAttrs) {}; ret = get_phys_addr(env, addr, 0, mmu_idx, &phys_addr, - attrs, &prot, &page_size, &fsr, &fi, NULL); + attrs, &prot, &page_size, &fi, NULL); if (ret) { return -1; diff --git a/target/arm/op_helper.c b/target/arm/op_helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/op_helper.c +++ b/target/arm/op_helper.c @@ -XXX,XX +XXX,XX @@ void tlb_fill(CPUState *cs, target_ulong addr, MMUAccessType access_type, int mmu_idx, uintptr_t retaddr) { bool ret; - uint32_t fsr = 0; ARMMMUFaultInfo fi = {}; - ret = arm_tlb_fill(cs, addr, access_type, mmu_idx, &fsr, &fi); + ret = arm_tlb_fill(cs, addr, access_type, mmu_idx, &fi); if (unlikely(ret)) { ARMCPU *cpu = ARM_CPU(cs); -- 2.7.4 From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com> Now that do_ats_write() is entirely in control of whether to generate a 32-bit PAR or a 64-bit PAR, we can make it use the correct (complicated) condition for doing so. Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Tested-by: Stefano Stabellini <sstabellini@kernel.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 1512503192-2239-13-git-send-email-peter.maydell@linaro.org [PMM: Rebased Edgar's patch on top of get_phys_addr() refactoring; use arm_s1_regime_using_lpae_format() rather than regime_using_lpae_format() because the latter will assert if passed ARMMMUIdx_S12NSE0 or ARMMMUIdx_S12NSE1; updated commit message appropriately] Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- target/arm/helper.c | 33 +++++++++++++++++++++++++++++---- 1 file changed, 29 insertions(+), 4 deletions(-) diff --git a/target/arm/helper.c b/target/arm/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -XXX,XX +XXX,XX @@ static uint64_t do_ats_write(CPUARMState *env, uint64_t value, int prot; bool ret; uint64_t par64; + bool format64 = false; MemTxAttrs attrs = {}; ARMMMUFaultInfo fi = {}; ARMCacheAttrs cacheattrs = {}; ret = get_phys_addr(env, value, access_type, mmu_idx, &phys_addr, &attrs, &prot, &page_size, &fi, &cacheattrs); - /* TODO: this is not the correct condition to use to decide whether - * to report a PAR in 64-bit or 32-bit format. - */ - if (arm_s1_regime_using_lpae_format(env, mmu_idx)) { + + if (is_a64(env)) { + format64 = true; + } else if (arm_feature(env, ARM_FEATURE_LPAE)) { + /* + * ATS1Cxx: + * * TTBCR.EAE determines whether the result is returned using the + * 32-bit or the 64-bit PAR format + * * Instructions executed in Hyp mode always use the 64bit format + * + * ATS1S2NSOxx uses the 64bit format if any of the following is true: + * * The Non-secure TTBCR.EAE bit is set to 1 + * * The implementation includes EL2, and the value of HCR.VM is 1 + * + * ATS1Hx always uses the 64bit format (not supported yet). + */ + format64 = arm_s1_regime_using_lpae_format(env, mmu_idx); + + if (arm_feature(env, ARM_FEATURE_EL2)) { + if (mmu_idx == ARMMMUIdx_S12NSE0 || mmu_idx == ARMMMUIdx_S12NSE1) { + format64 |= env->cp15.hcr_el2 & HCR_VM; + } else { + format64 |= arm_current_el(env) == 2; + } + } + } + + if (format64) { /* Create a 64-bit PAR */ par64 = (1 << 11); /* LPAE bit always set */ if (!ret) { -- 2.7.4 Generalize nvic_sysreg_ns_ops so that we can pass it an arbitrary MemoryRegion which it will use as the underlying register implementation to apply the NS-alias behaviour to. We'll want this so we can do the same with systick. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Message-id: 1512154296-5652-2-git-send-email-peter.maydell@linaro.org --- hw/intc/armv7m_nvic.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c index XXXXXXX..XXXXXXX 100644 --- a/hw/intc/armv7m_nvic.c +++ b/hw/intc/armv7m_nvic.c @@ -XXX,XX +XXX,XX @@ static MemTxResult nvic_sysreg_ns_write(void *opaque, hwaddr addr, uint64_t value, unsigned size, MemTxAttrs attrs) { + MemoryRegion *mr = opaque; + if (attrs.secure) { /* S accesses to the alias act like NS accesses to the real region */ attrs.secure = 0; - return nvic_sysreg_write(opaque, addr, value, size, attrs); + return memory_region_dispatch_write(mr, addr, value, size, attrs); } else { /* NS attrs are RAZ/WI for privileged, and BusFault for user */ if (attrs.user) { @@ -XXX,XX +XXX,XX @@ static MemTxResult nvic_sysreg_ns_read(void *opaque, hwaddr addr, uint64_t *data, unsigned size, MemTxAttrs attrs) { + MemoryRegion *mr = opaque; + if (attrs.secure) { /* S accesses to the alias act like NS accesses to the real region */ attrs.secure = 0; - return nvic_sysreg_read(opaque, addr, data, size, attrs); + return memory_region_dispatch_read(mr, addr, data, size, attrs); } else { /* NS attrs are RAZ/WI for privileged, and BusFault for user */ if (attrs.user) { @@ -XXX,XX +XXX,XX @@ static void armv7m_nvic_realize(DeviceState *dev, Error **errp) if (arm_feature(&s->cpu->env, ARM_FEATURE_V8)) { memory_region_init_io(&s->sysreg_ns_mem, OBJECT(s), - &nvic_sysreg_ns_ops, s, + &nvic_sysreg_ns_ops, &s->sysregmem, "nvic_sysregs_ns", 0x1000); memory_region_add_subregion(&s->container, 0x20000, &s->sysreg_ns_mem); } -- 2.7.4 For the v8M security extension, there should be two systick devices, which use separate banked systick exceptions. The register interface is banked in the same way as for other banked registers, including the existence of an NS alias region for secure code to access the nonsecure timer. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Message-id: 1512154296-5652-3-git-send-email-peter.maydell@linaro.org --- include/hw/intc/armv7m_nvic.h | 4 +- hw/intc/armv7m_nvic.c | 90 ++++++++++++++++++++++++++++++++++++------- 2 files changed, 80 insertions(+), 14 deletions(-) diff --git a/include/hw/intc/armv7m_nvic.h b/include/hw/intc/armv7m_nvic.h index XXXXXXX..XXXXXXX 100644 --- a/include/hw/intc/armv7m_nvic.h +++ b/include/hw/intc/armv7m_nvic.h @@ -XXX,XX +XXX,XX @@ typedef struct NVICState { MemoryRegion sysregmem; MemoryRegion sysreg_ns_mem; + MemoryRegion systickmem; + MemoryRegion systick_ns_mem; MemoryRegion container; uint32_t num_irq; qemu_irq excpout; qemu_irq sysresetreq; - SysTickState systick; + SysTickState systick[M_REG_NUM_BANKS]; } NVICState; #endif diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c index XXXXXXX..XXXXXXX 100644 --- a/hw/intc/armv7m_nvic.c +++ b/hw/intc/armv7m_nvic.c @@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps nvic_sysreg_ns_ops = { .endianness = DEVICE_NATIVE_ENDIAN, }; +static MemTxResult nvic_systick_write(void *opaque, hwaddr addr, + uint64_t value, unsigned size, + MemTxAttrs attrs) +{ + NVICState *s = opaque; + MemoryRegion *mr; + + /* Direct the access to the correct systick */ + mr = sysbus_mmio_get_region(SYS_BUS_DEVICE(&s->systick[attrs.secure]), 0); + return memory_region_dispatch_write(mr, addr, value, size, attrs); +} + +static MemTxResult nvic_systick_read(void *opaque, hwaddr addr, + uint64_t *data, unsigned size, + MemTxAttrs attrs) +{ + NVICState *s = opaque; + MemoryRegion *mr; + + /* Direct the access to the correct systick */ + mr = sysbus_mmio_get_region(SYS_BUS_DEVICE(&s->systick[attrs.secure]), 0); + return memory_region_dispatch_read(mr, addr, data, size, attrs); +} + +static const MemoryRegionOps nvic_systick_ops = { + .read_with_attrs = nvic_systick_read, + .write_with_attrs = nvic_systick_write, + .endianness = DEVICE_NATIVE_ENDIAN, +}; + static int nvic_post_load(void *opaque, int version_id) { NVICState *s = opaque; @@ -XXX,XX +XXX,XX @@ static void nvic_systick_trigger(void *opaque, int n, int level) /* SysTick just asked us to pend its exception. * (This is different from an external interrupt line's * behaviour.) - * TODO: when we implement the banked systicks we must make - * this pend the correct banked exception. + * n == 0 : NonSecure systick + * n == 1 : Secure systick */ - armv7m_nvic_set_pending(s, ARMV7M_EXCP_SYSTICK, false); + armv7m_nvic_set_pending(s, ARMV7M_EXCP_SYSTICK, n); } } static void armv7m_nvic_realize(DeviceState *dev, Error **errp) { NVICState *s = NVIC(dev); - SysBusDevice *systick_sbd; Error *err = NULL; int regionlen; @@ -XXX,XX +XXX,XX @@ static void armv7m_nvic_realize(DeviceState *dev, Error **errp) /* include space for internal exception vectors */ s->num_irq += NVIC_FIRST_IRQ; - object_property_set_bool(OBJECT(&s->systick), true, "realized", &err); + object_property_set_bool(OBJECT(&s->systick[M_REG_NS]), true, + "realized", &err); if (err != NULL) { error_propagate(errp, err); return; } - systick_sbd = SYS_BUS_DEVICE(&s->systick); - sysbus_connect_irq(systick_sbd, 0, - qdev_get_gpio_in_named(dev, "systick-trigger", 0)); + sysbus_connect_irq(SYS_BUS_DEVICE(&s->systick[M_REG_NS]), 0, + qdev_get_gpio_in_named(dev, "systick-trigger", + M_REG_NS)); + + if (arm_feature(&s->cpu->env, ARM_FEATURE_M_SECURITY)) { + /* We couldn't init the secure systick device in instance_init + * as we didn't know then if the CPU had the security extensions; + * so we have to do it here. + */ + object_initialize(&s->systick[M_REG_S], sizeof(s->systick[M_REG_S]), + TYPE_SYSTICK); + qdev_set_parent_bus(DEVICE(&s->systick[M_REG_S]), sysbus_get_default()); + + object_property_set_bool(OBJECT(&s->systick[M_REG_S]), true, + "realized", &err); + if (err != NULL) { + error_propagate(errp, err); + return; + } + sysbus_connect_irq(SYS_BUS_DEVICE(&s->systick[M_REG_S]), 0, + qdev_get_gpio_in_named(dev, "systick-trigger", + M_REG_S)); + } /* The NVIC and System Control Space (SCS) starts at 0xe000e000 * and looks like this: @@ -XXX,XX +XXX,XX @@ static void armv7m_nvic_realize(DeviceState *dev, Error **errp) memory_region_init_io(&s->sysregmem, OBJECT(s), &nvic_sysreg_ops, s, "nvic_sysregs", 0x1000); memory_region_add_subregion(&s->container, 0, &s->sysregmem); + + memory_region_init_io(&s->systickmem, OBJECT(s), + &nvic_systick_ops, s, + "nvic_systick", 0xe0); + memory_region_add_subregion_overlap(&s->container, 0x10, - sysbus_mmio_get_region(systick_sbd, 0), - 1); + &s->systickmem, 1); if (arm_feature(&s->cpu->env, ARM_FEATURE_V8)) { memory_region_init_io(&s->sysreg_ns_mem, OBJECT(s), &nvic_sysreg_ns_ops, &s->sysregmem, "nvic_sysregs_ns", 0x1000); memory_region_add_subregion(&s->container, 0x20000, &s->sysreg_ns_mem); + memory_region_init_io(&s->systick_ns_mem, OBJECT(s), + &nvic_sysreg_ns_ops, &s->systickmem, + "nvic_systick_ns", 0xe0); + memory_region_add_subregion_overlap(&s->container, 0x20010, + &s->systick_ns_mem, 1); } sysbus_init_mmio(SYS_BUS_DEVICE(dev), &s->container); @@ -XXX,XX +XXX,XX @@ static void armv7m_nvic_instance_init(Object *obj) NVICState *nvic = NVIC(obj); SysBusDevice *sbd = SYS_BUS_DEVICE(obj); - object_initialize(&nvic->systick, sizeof(nvic->systick), TYPE_SYSTICK); - qdev_set_parent_bus(DEVICE(&nvic->systick), sysbus_get_default()); + object_initialize(&nvic->systick[M_REG_NS], + sizeof(nvic->systick[M_REG_NS]), TYPE_SYSTICK); + qdev_set_parent_bus(DEVICE(&nvic->systick[M_REG_NS]), sysbus_get_default()); + /* We can't initialize the secure systick here, as we don't know + * yet if we need it. + */ sysbus_init_irq(sbd, &nvic->excpout); qdev_init_gpio_out_named(dev, &nvic->sysresetreq, "SYSRESETREQ", 1); - qdev_init_gpio_in_named(dev, nvic_systick_trigger, "systick-trigger", 1); + qdev_init_gpio_in_named(dev, nvic_systick_trigger, "systick-trigger", + M_REG_NUM_BANKS); } static void armv7m_nvic_class_init(ObjectClass *klass, void *data) -- 2.7.4 From: Prasad J Pandit <pjp@fedoraproject.org> The ctz32() routine could return a value greater than TC6393XB_GPIOS=16, because the device has 24 GPIO level bits but we only implement 16 outgoing lines. This could lead to an OOB array access. Mask 'level' to avoid it. Reported-by: Moguofang <moguofang@huawei.com> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Message-id: 20171212041539.25700-1-ppandit@redhat.com Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- hw/display/tc6393xb.c | 1 + 1 file changed, 1 insertion(+) diff --git a/hw/display/tc6393xb.c b/hw/display/tc6393xb.c index XXXXXXX..XXXXXXX 100644 --- a/hw/display/tc6393xb.c +++ b/hw/display/tc6393xb.c @@ -XXX,XX +XXX,XX @@ static void tc6393xb_gpio_handler_update(TC6393xbState *s) int bit; level = s->gpio_level & s->gpio_dir; + level &= MAKE_64BIT_MASK(0, TC6393XB_GPIOS); for (diff = s->prev_level ^ level; diff; diff ^= 1 << bit) { bit = ctz32(diff); -- 2.7.4 From: Zhaoshenglong <zhaoshenglong@huawei.com> Since I'm not working as an assignee in Linaro, replace the Linaro email address with my personal one. Signed-off-by: Zhaoshenglong <zhaoshenglong@huawei.com> Message-id: 1513058845-9768-1-git-send-email-zhaoshenglong@huawei.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- MAINTAINERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/MAINTAINERS b/MAINTAINERS index XXXXXXX..XXXXXXX 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -XXX,XX +XXX,XX @@ F: include/hw/*/xlnx*.h ARM ACPI Subsystem M: Shannon Zhao <zhaoshenglong@huawei.com> -M: Shannon Zhao <shannon.zhao@linaro.org> +M: Shannon Zhao <shannon.zhaosl@gmail.com> L: qemu-arm@nongnu.org S: Maintained F: hw/arm/virt-acpi-build.c -- 2.7.4 From: Alistair Francis <alistair.francis@xilinx.com> Update the reset value to match the latest ZynqMP register spec. Signed-off-by: Alistair Francis <alistair.francis@xilinx.com> Reviewed-by: KONRAD Frederic <frederic.konrad@adacore.com> Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com> Message-id: c03e51d041db7f055596084891aeb1e856e32b9f.1513104804.git.alistair.francis@xilinx.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- hw/ssi/xilinx_spips.c | 1 + 1 file changed, 1 insertion(+) diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c index XXXXXXX..XXXXXXX 100644 --- a/hw/ssi/xilinx_spips.c +++ b/hw/ssi/xilinx_spips.c @@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_qspips_reset(DeviceState *d) s->regs[R_GQSPI_RX_THRESH] = 1; s->regs[R_GQSPI_GFIFO_THRESH] = 1; s->regs[R_GQSPI_IMR] = GQSPI_IXR_MASK; + s->regs[R_MOD_ID] = 0x01090101; s->man_start_com_g = false; s->gqspi_irqline = 0; xlnx_zynqmp_qspips_update_ixr(s); -- 2.7.4 From: Alistair Francis <alistair.francis@xilinx.com> Following the ZynqMP register spec let's ensure that all reset values are set. Signed-off-by: Alistair Francis <alistair.francis@xilinx.com> Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com> Message-id: 19836f3e0a298b13343c5a59c87425355e7fd8bd.1513104804.git.alistair.francis@xilinx.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- include/hw/ssi/xilinx_spips.h | 2 +- hw/ssi/xilinx_spips.c | 35 ++++++++++++++++++++++++++++++----- 2 files changed, 31 insertions(+), 6 deletions(-) diff --git a/include/hw/ssi/xilinx_spips.h b/include/hw/ssi/xilinx_spips.h index XXXXXXX..XXXXXXX 100644 --- a/include/hw/ssi/xilinx_spips.h +++ b/include/hw/ssi/xilinx_spips.h @@ -XXX,XX +XXX,XX @@ typedef struct XilinxSPIPS XilinxSPIPS; #define XLNX_SPIPS_R_MAX (0x100 / 4) -#define XLNX_ZYNQMP_SPIPS_R_MAX (0x200 / 4) +#define XLNX_ZYNQMP_SPIPS_R_MAX (0x830 / 4) /* Bite off 4k chunks at a time */ #define LQSPI_CACHE_SIZE 1024 diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c index XXXXXXX..XXXXXXX 100644 --- a/hw/ssi/xilinx_spips.c +++ b/hw/ssi/xilinx_spips.c @@ -XXX,XX +XXX,XX @@ /* interrupt mechanism */ #define R_INTR_STATUS (0x04 / 4) +#define R_INTR_STATUS_RESET (0x104) #define R_INTR_EN (0x08 / 4) #define R_INTR_DIS (0x0C / 4) #define R_INTR_MASK (0x10 / 4) @@ -XXX,XX +XXX,XX @@ #define R_SLAVE_IDLE_COUNT (0x24 / 4) #define R_TX_THRES (0x28 / 4) #define R_RX_THRES (0x2C / 4) +#define R_GPIO (0x30 / 4) +#define R_LPBK_DLY_ADJ (0x38 / 4) +#define R_LPBK_DLY_ADJ_RESET (0x33) #define R_TXD1 (0x80 / 4) #define R_TXD2 (0x84 / 4) #define R_TXD3 (0x88 / 4) @@ -XXX,XX +XXX,XX @@ #define R_GQSPI_IER (0x108 / 4) #define R_GQSPI_IDR (0x10c / 4) #define R_GQSPI_IMR (0x110 / 4) +#define R_GQSPI_IMR_RESET (0xfbe) #define R_GQSPI_TX_THRESH (0x128 / 4) #define R_GQSPI_RX_THRESH (0x12c / 4) +#define R_GQSPI_GPIO (0x130 / 4) +#define R_GQSPI_LPBK_DLY_ADJ (0x138 / 4) +#define R_GQSPI_LPBK_DLY_ADJ_RESET (0x33) #define R_GQSPI_CNFG (0x100 / 4) FIELD(GQSPI_CNFG, MODE_EN, 30, 2) FIELD(GQSPI_CNFG, GEN_FIFO_START_MODE, 29, 1) @@ -XXX,XX +XXX,XX @@ FIELD(GQSPI_GF_SNAPSHOT, EXPONENT, 9, 1) FIELD(GQSPI_GF_SNAPSHOT, DATA_XFER, 8, 1) FIELD(GQSPI_GF_SNAPSHOT, IMMEDIATE_DATA, 0, 8) -#define R_GQSPI_MOD_ID (0x168 / 4) -#define R_GQSPI_MOD_ID_VALUE 0x010A0000 +#define R_GQSPI_MOD_ID (0x1fc / 4) +#define R_GQSPI_MOD_ID_RESET (0x10a0000) + +#define R_QSPIDMA_DST_CTRL (0x80c / 4) +#define R_QSPIDMA_DST_CTRL_RESET (0x803ffa00) +#define R_QSPIDMA_DST_I_MASK (0x820 / 4) +#define R_QSPIDMA_DST_I_MASK_RESET (0xfe) +#define R_QSPIDMA_DST_CTRL2 (0x824 / 4) +#define R_QSPIDMA_DST_CTRL2_RESET (0x081bfff8) + /* size of TXRX FIFOs */ #define RXFF_A (128) #define TXFF_A (128) @@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_qspips_reset(DeviceState *d) fifo8_reset(&s->rx_fifo_g); fifo8_reset(&s->rx_fifo_g); fifo32_reset(&s->fifo_g); + s->regs[R_INTR_STATUS] = R_INTR_STATUS_RESET; + s->regs[R_GPIO] = 1; + s->regs[R_LPBK_DLY_ADJ] = R_LPBK_DLY_ADJ_RESET; + s->regs[R_GQSPI_GFIFO_THRESH] = 0x10; + s->regs[R_MOD_ID] = 0x01090101; + s->regs[R_GQSPI_IMR] = R_GQSPI_IMR_RESET; s->regs[R_GQSPI_TX_THRESH] = 1; s->regs[R_GQSPI_RX_THRESH] = 1; - s->regs[R_GQSPI_GFIFO_THRESH] = 1; - s->regs[R_GQSPI_IMR] = GQSPI_IXR_MASK; - s->regs[R_MOD_ID] = 0x01090101; + s->regs[R_GQSPI_GPIO] = 1; + s->regs[R_GQSPI_LPBK_DLY_ADJ] = R_GQSPI_LPBK_DLY_ADJ_RESET; + s->regs[R_GQSPI_MOD_ID] = R_GQSPI_MOD_ID_RESET; + s->regs[R_QSPIDMA_DST_CTRL] = R_QSPIDMA_DST_CTRL_RESET; + s->regs[R_QSPIDMA_DST_I_MASK] = R_QSPIDMA_DST_I_MASK_RESET; + s->regs[R_QSPIDMA_DST_CTRL2] = R_QSPIDMA_DST_CTRL2_RESET; s->man_start_com_g = false; s->gqspi_irqline = 0; xlnx_zynqmp_qspips_update_ixr(s); -- 2.7.4 From: Alistair Francis <alistair.francis@xilinx.com> Use memset() instead of a for loop to zero all of the registers. Signed-off-by: Alistair Francis <alistair.francis@xilinx.com> Reviewed-by: KONRAD Frederic <frederic.konrad@adacore.com> Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com> Message-id: c076e907f355923864cb1afde31b938ffb677778.1513104804.git.alistair.francis@xilinx.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- hw/ssi/xilinx_spips.c | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c index XXXXXXX..XXXXXXX 100644 --- a/hw/ssi/xilinx_spips.c +++ b/hw/ssi/xilinx_spips.c @@ -XXX,XX +XXX,XX @@ static void xilinx_spips_reset(DeviceState *d) { XilinxSPIPS *s = XILINX_SPIPS(d); - int i; - for (i = 0; i < XLNX_SPIPS_R_MAX; i++) { - s->regs[i] = 0; - } + memset(s->regs, 0, sizeof(s->regs)); fifo8_reset(&s->rx_fifo); fifo8_reset(&s->rx_fifo); @@ -XXX,XX +XXX,XX @@ static void xilinx_spips_reset(DeviceState *d) static void xlnx_zynqmp_qspips_reset(DeviceState *d) { XlnxZynqMPQSPIPS *s = XLNX_ZYNQMP_QSPIPS(d); - int i; xilinx_spips_reset(d); - for (i = 0; i < XLNX_ZYNQMP_SPIPS_R_MAX; i++) { - s->regs[i] = 0; - } + memset(s->regs, 0, sizeof(s->regs)); + fifo8_reset(&s->rx_fifo_g); fifo8_reset(&s->rx_fifo_g); fifo32_reset(&s->fifo_g); -- 2.7.4