Arm patch queue -- these are all bug fix patches but we might as well put them in to rc0... thanks -- PMM The following changes since commit 2c8cfc0b52b5a4d123c26c0b5fdf941be24805be: Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging (2018-03-19 11:44:26 +0000) are available in the Git repository at: git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20180319 for you to fetch changes up to ff72cb6b46b95bb530787add5277c211af3d31c6: hw/arm/raspi: Provide spin-loop code for AArch64 CPUs (2018-03-19 18:23:24 +0000) ---------------------------------------------------------------- target-arm queue: * fsl-imx6: Fix incorrect Ethernet interrupt defines * dump: Update correct kdump phys_base field for AArch64 * char: i.MX: Add support for "TX complete" interrupt * bcm2836/raspi: Fix various bugs resulting in panics trying to boot a Debian Linux kernel on raspi3 ---------------------------------------------------------------- Andrey Smirnov (2): char: i.MX: Simplify imx_update() char: i.MX: Add support for "TX complete" interrupt Guenter Roeck (1): fsl-imx6: Swap Ethernet interrupt defines Peter Maydell (9): hw/arm/raspi: Don't do board-setup or secure-boot for raspi3 hw/arm/boot: assert that secure_boot and secure_board_setup are false for AArch64 hw/arm/boot: If booting a kernel in EL2, set SCR_EL3.HCE hw/arm/bcm2386: Fix parent type of bcm2386 hw/arm/bcm2836: Rename bcm2836 type/struct to bcm283x hw/arm/bcm2836: Create proper bcm2837 device hw/arm/bcm2836: Use correct affinity values for BCM2837 hw/arm/bcm2836: Hardcode correct CPU type hw/arm/raspi: Provide spin-loop code for AArch64 CPUs Wei Huang (1): dump: Update correct kdump phys_base field for AArch64 include/hw/arm/bcm2836.h | 31 +++++++++++++--- include/hw/arm/fsl-imx6.h | 4 +- include/hw/char/imx_serial.h | 3 ++ dump.c | 14 +++++-- hw/arm/bcm2836.c | 87 +++++++++++++++++++++++++++++++------------- hw/arm/boot.c | 12 ++++++ hw/arm/raspi.c | 77 +++++++++++++++++++++++++++++++-------- hw/char/imx_serial.c | 44 ++++++++++++++++------ hw/net/imx_fec.c | 28 +++++++++++++- 9 files changed, 237 insertions(+), 63 deletions(-) From: Guenter Roeck <linux@roeck-us.net> The sabrelite machine model used by qemu-system-arm is based on the Freescale/NXP i.MX6Q processor. This SoC has an on-board ethernet controller which is supported in QEMU using the imx_fec.c module (actually called imx.enet for this model.) The include/hw/arm/fsm-imx6.h file defines the interrupt vectors for the imx.enet device like this: #define FSL_IMX6_ENET_MAC_1588_IRQ 118 #define FSL_IMX6_ENET_MAC_IRQ 119 According to https://www.nxp.com/docs/en/reference-manual/IMX6DQRM.pdf, page 225, in Table 3-1. ARM Cortex A9 domain interrupt summary, interrupts are as follows. 150 ENET MAC 0 IRQ 151 ENET MAC 0 1588 Timer interrupt where 150 - 32 == 118 151 - 32 == 119 In other words, the vector definitions in the fsl-imx6.h file are reversed. Fixing the interrupts alone causes problems with older Linux kernels: The Ethernet interface will fail to probe with Linux v4.9 and earlier. Linux v4.1 and earlier will crash due to a bug in Ethernet driver probe error handling. This is a Linux kernel problem, not a qemu problem: the Linux kernel only worked by accident since it requested both interrupts. For backward compatibility, generate the Ethernet interrupt on both interrupt lines. This was shown to work from all Linux kernel releases starting with v3.16. Link: https://bugs.launchpad.net/qemu/+bug/1753309 Signed-off-by: Guenter Roeck <linux@roeck-us.net> Message-id: 1520723090-22130-1-git-send-email-linux@roeck-us.net Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- include/hw/arm/fsl-imx6.h | 4 ++-- hw/net/imx_fec.c | 28 +++++++++++++++++++++++++++- 2 files changed, 29 insertions(+), 3 deletions(-) diff --git a/include/hw/arm/fsl-imx6.h b/include/hw/arm/fsl-imx6.h index XXXXXXX..XXXXXXX 100644 --- a/include/hw/arm/fsl-imx6.h +++ b/include/hw/arm/fsl-imx6.h @@ -XXX,XX +XXX,XX @@ typedef struct FslIMX6State { #define FSL_IMX6_HDMI_MASTER_IRQ 115 #define FSL_IMX6_HDMI_CEC_IRQ 116 #define FSL_IMX6_MLB150_LOW_IRQ 117 -#define FSL_IMX6_ENET_MAC_1588_IRQ 118 -#define FSL_IMX6_ENET_MAC_IRQ 119 +#define FSL_IMX6_ENET_MAC_IRQ 118 +#define FSL_IMX6_ENET_MAC_1588_IRQ 119 #define FSL_IMX6_PCIE1_IRQ 120 #define FSL_IMX6_PCIE2_IRQ 121 #define FSL_IMX6_PCIE3_IRQ 122 diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c index XXXXXXX..XXXXXXX 100644 --- a/hw/net/imx_fec.c +++ b/hw/net/imx_fec.c @@ -XXX,XX +XXX,XX @@ static void imx_enet_write_bd(IMXENETBufDesc *bd, dma_addr_t addr) static void imx_eth_update(IMXFECState *s) { - if (s->regs[ENET_EIR] & s->regs[ENET_EIMR] & ENET_INT_TS_TIMER) { + /* + * Previous versions of qemu had the ENET_INT_MAC and ENET_INT_TS_TIMER + * interrupts swapped. This worked with older versions of Linux (4.14 + * and older) since Linux associated both interrupt lines with Ethernet + * MAC interrupts. Specifically, + * - Linux 4.15 and later have separate interrupt handlers for the MAC and + * timer interrupts. Those versions of Linux fail with versions of QEMU + * with swapped interrupt assignments. + * - In linux 4.14, both interrupt lines were registered with the Ethernet + * MAC interrupt handler. As a result, all versions of qemu happen to + * work, though that is accidental. + * - In Linux 4.9 and older, the timer interrupt was registered directly + * with the Ethernet MAC interrupt handler. The MAC interrupt was + * redirected to a GPIO interrupt to work around erratum ERR006687. + * This was implemented using the SOC's IOMUX block. In qemu, this GPIO + * interrupt never fired since IOMUX is currently not supported in qemu. + * Linux instead received MAC interrupts on the timer interrupt. + * As a result, qemu versions with the swapped interrupt assignment work, + * albeit accidentally, but qemu versions with the correct interrupt + * assignment fail. + * + * To ensure that all versions of Linux work, generate ENET_INT_MAC + * interrrupts on both interrupt lines. This should be changed if and when + * qemu supports IOMUX. + */ + if (s->regs[ENET_EIR] & s->regs[ENET_EIMR] & + (ENET_INT_MAC | ENET_INT_TS_TIMER)) { qemu_set_irq(s->irq[1], 1); } else { qemu_set_irq(s->irq[1], 0); -- 2.16.2 From: Wei Huang <wei@redhat.com> For guest kernel that supports KASLR, the load address can change every time when guest VM runs. To find the physical base address correctly, current QEMU dump searches VMCOREINFO for the string "NUMBER(phys_base)=". However this string pattern is only available on x86_64. AArch64 uses a different field, called "NUMBER(PHYS_OFFSET)=". This patch makes sure QEMU dump uses the correct string on AArch64. Signed-off-by: Wei Huang <wei@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-id: 1520615003-20869-1-git-send-email-wei@redhat.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- dump.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/dump.c b/dump.c index XXXXXXX..XXXXXXX 100644 --- a/dump.c +++ b/dump.c @@ -XXX,XX +XXX,XX @@ static void vmcoreinfo_update_phys_base(DumpState *s) lines = g_strsplit((char *)vmci, "\n", -1); for (i = 0; lines[i]; i++) { - if (g_str_has_prefix(lines[i], "NUMBER(phys_base)=")) { - if (qemu_strtou64(lines[i] + 18, NULL, 16, + const char *prefix = NULL; + + if (s->dump_info.d_machine == EM_X86_64) { + prefix = "NUMBER(phys_base)="; + } else if (s->dump_info.d_machine == EM_AARCH64) { + prefix = "NUMBER(PHYS_OFFSET)="; + } + + if (prefix && g_str_has_prefix(lines[i], prefix)) { + if (qemu_strtou64(lines[i] + strlen(prefix), NULL, 16, &phys_base) < 0) { - warn_report("Failed to read NUMBER(phys_base)="); + warn_report("Failed to read %s", prefix); } else { s->dump_info.phys_base = phys_base; } -- 2.16.2 From: Andrey Smirnov <andrew.smirnov@gmail.com> Code of imx_update() is slightly confusing since the "flags" variable doesn't really corespond to anything in real hardware and server as a kitchensink accumulating events normally reported via USR1 and USR2 registers. Change the code to explicitly evaluate state of interrupts reported via USR1 and USR2 against corresponding masking bits and use the to detemine if IRQ line should be asserted or not. NOTE: Check for UTS1_TXEMPTY being set has been dropped for two reasons: 1. Emulation code implements a single character FIFO, so this flag will always be set since characters are trasmitted as a part of the code emulating "push" into the FIFO 2. imx_update() is really just a function doing ORing and maksing of reported events, so checking for UTS1_TXEMPTY should happen, if it's ever really needed should probably happen outside of it. Cc: qemu-devel@nongnu.org Cc: qemu-arm@nongnu.org Cc: Bill Paul <wpaul@windriver.com> Cc: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com> Message-id: 20180315191141.6789-1-andrew.smirnov@gmail.com Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- hw/char/imx_serial.c | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/hw/char/imx_serial.c b/hw/char/imx_serial.c index XXXXXXX..XXXXXXX 100644 --- a/hw/char/imx_serial.c +++ b/hw/char/imx_serial.c @@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_imx_serial = { static void imx_update(IMXSerialState *s) { - uint32_t flags; + uint32_t usr1; + uint32_t usr2; + uint32_t mask; - flags = (s->usr1 & s->ucr1) & (USR1_TRDY|USR1_RRDY); - if (s->ucr1 & UCR1_TXMPTYEN) { - flags |= (s->uts1 & UTS1_TXEMPTY); - } else { - flags &= ~USR1_TRDY; - } + /* + * Lucky for us TRDY and RRDY has the same offset in both USR1 and + * UCR1, so we can get away with something as simple as the + * following: + */ + usr1 = s->usr1 & s->ucr1 & (USR1_TRDY | USR1_RRDY); + /* + * Bits that we want in USR2 are not as conveniently laid out, + * unfortunately. + */ + mask = (s->ucr1 & UCR1_TXMPTYEN) ? USR2_TXFE : 0; + usr2 = s->usr2 & mask; - qemu_set_irq(s->irq, !!flags); + qemu_set_irq(s->irq, usr1 || usr2); } static void imx_serial_reset(IMXSerialState *s) -- 2.16.2 From: Andrey Smirnov <andrew.smirnov@gmail.com> Add support for "TX complete"/TXDC interrupt generate by real HW since it is needed to support guests other than Linux. Based on the patch by Bill Paul as found here: https://bugs.launchpad.net/qemu/+bug/1753314 Cc: qemu-devel@nongnu.org Cc: qemu-arm@nongnu.org Cc: Bill Paul <wpaul@windriver.com> Cc: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Bill Paul <wpaul@windriver.com> Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com> Message-id: 20180315191141.6789-2-andrew.smirnov@gmail.com Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- include/hw/char/imx_serial.h | 3 +++ hw/char/imx_serial.c | 20 +++++++++++++++++--- 2 files changed, 20 insertions(+), 3 deletions(-) diff --git a/include/hw/char/imx_serial.h b/include/hw/char/imx_serial.h index XXXXXXX..XXXXXXX 100644 --- a/include/hw/char/imx_serial.h +++ b/include/hw/char/imx_serial.h @@ -XXX,XX +XXX,XX @@ #define UCR2_RXEN (1<<1) /* Receiver enable */ #define UCR2_SRST (1<<0) /* Reset complete */ +#define UCR4_TCEN BIT(3) /* TX complete interrupt enable */ + #define UTS1_TXEMPTY (1<<6) #define UTS1_RXEMPTY (1<<5) #define UTS1_TXFULL (1<<4) @@ -XXX,XX +XXX,XX @@ typedef struct IMXSerialState { uint32_t ubmr; uint32_t ubrc; uint32_t ucr3; + uint32_t ucr4; qemu_irq irq; CharBackend chr; diff --git a/hw/char/imx_serial.c b/hw/char/imx_serial.c index XXXXXXX..XXXXXXX 100644 --- a/hw/char/imx_serial.c +++ b/hw/char/imx_serial.c @@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_imx_serial = { .name = TYPE_IMX_SERIAL, - .version_id = 1, - .minimum_version_id = 1, + .version_id = 2, + .minimum_version_id = 2, .fields = (VMStateField[]) { VMSTATE_INT32(readbuff, IMXSerialState), VMSTATE_UINT32(usr1, IMXSerialState), @@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_imx_serial = { VMSTATE_UINT32(ubmr, IMXSerialState), VMSTATE_UINT32(ubrc, IMXSerialState), VMSTATE_UINT32(ucr3, IMXSerialState), + VMSTATE_UINT32(ucr4, IMXSerialState), VMSTATE_END_OF_LIST() }, }; @@ -XXX,XX +XXX,XX @@ static void imx_update(IMXSerialState *s) * unfortunately. */ mask = (s->ucr1 & UCR1_TXMPTYEN) ? USR2_TXFE : 0; + /* + * TCEN and TXDC are both bit 3 + */ + mask |= s->ucr4 & UCR4_TCEN; + usr2 = s->usr2 & mask; qemu_set_irq(s->irq, usr1 || usr2); @@ -XXX,XX +XXX,XX @@ static uint64_t imx_serial_read(void *opaque, hwaddr offset, return s->ucr3; case 0x23: /* UCR4 */ + return s->ucr4; + case 0x29: /* BRM Incremental */ return 0x0; /* TODO */ @@ -XXX,XX +XXX,XX @@ static void imx_serial_write(void *opaque, hwaddr offset, * qemu_chr_fe_write and background I/O callbacks */ qemu_chr_fe_write_all(&s->chr, &ch, 1); s->usr1 &= ~USR1_TRDY; + s->usr2 &= ~USR2_TXDC; imx_update(s); s->usr1 |= USR1_TRDY; + s->usr2 |= USR2_TXDC; imx_update(s); } break; @@ -XXX,XX +XXX,XX @@ static void imx_serial_write(void *opaque, hwaddr offset, s->ucr3 = value & 0xffff; break; - case 0x2d: /* UTS1 */ case 0x23: /* UCR4 */ + s->ucr4 = value & 0xffff; + imx_update(s); + break; + + case 0x2d: /* UTS1 */ qemu_log_mask(LOG_UNIMP, "[%s]%s: Unimplemented reg 0x%" HWADDR_PRIx "\n", TYPE_IMX_SERIAL, __func__, offset); /* TODO */ -- 2.16.2 For the rpi1 and 2 we want to boot the Linux kernel via some custom setup code that makes sure that the SMC instruction acts as a no-op, because it's used for cache maintenance. The rpi3 boots AArch64 kernels, which don't need SMC for cache maintenance and always expect to be booted non-secure. Don't fill in the aarch32-specific parts of the binfo struct. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Andrew Baumann <Andrew.Baumann@microsoft.com> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Message-id: 20180313153458.26822-2-peter.maydell@linaro.org --- hw/arm/raspi.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/hw/arm/raspi.c b/hw/arm/raspi.c index XXXXXXX..XXXXXXX 100644 --- a/hw/arm/raspi.c +++ b/hw/arm/raspi.c @@ -XXX,XX +XXX,XX @@ static void setup_boot(MachineState *machine, int version, size_t ram_size) binfo.board_id = raspi_boardid[version]; binfo.ram_size = ram_size; binfo.nb_cpus = smp_cpus; - binfo.board_setup_addr = BOARDSETUP_ADDR; - binfo.write_board_setup = write_board_setup; - binfo.secure_board_setup = true; - binfo.secure_boot = true; + + if (version <= 2) { + /* The rpi1 and 2 require some custom setup code to run in Secure + * mode before booting a kernel (to set up the SMC vectors so + * that we get a no-op SMC; this is used by Linux to call the + * firmware for some cache maintenance operations. + * The rpi3 doesn't need this. + */ + binfo.board_setup_addr = BOARDSETUP_ADDR; + binfo.write_board_setup = write_board_setup; + binfo.secure_board_setup = true; + binfo.secure_boot = true; + } /* Pi2 and Pi3 requires SMP setup */ if (version >= 2) { -- 2.16.2 Add some assertions that if we're about to boot an AArch64 kernel, the board code has not mistakenly set either secure_boot or secure_board_setup. It doesn't make sense to set secure_boot, because all AArch64 kernels must be booted in non-secure mode. It might in theory make sense to set secure_board_setup, but we don't currently support that, because only the AArch32 bootloader[] code calls this hook; bootloader_aarch64[] does not. Since we don't have a current need for this functionality, just assert that we don't try to use it. If it's needed we'll add it later. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Message-id: 20180313153458.26822-3-peter.maydell@linaro.org --- hw/arm/boot.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/hw/arm/boot.c b/hw/arm/boot.c index XXXXXXX..XXXXXXX 100644 --- a/hw/arm/boot.c +++ b/hw/arm/boot.c @@ -XXX,XX +XXX,XX @@ static void do_cpu_reset(void *opaque) } else { env->pstate = PSTATE_MODE_EL1h; } + /* AArch64 kernels never boot in secure mode */ + assert(!info->secure_boot); + /* This hook is only supported for AArch32 currently: + * bootloader_aarch64[] will not call the hook, and + * the code above has already dropped us into EL2 or EL1. + */ + assert(!info->secure_board_setup); } /* Set to non-secure if not a secure boot */ -- 2.16.2 If we're directly booting a Linux kernel and the CPU supports both EL3 and EL2, we start the kernel in EL2, as it expects. We must also set the SCR_EL3.HCE bit in this situation, so that the HVC instruction is enabled rather than UNDEFing. Otherwise at least some kernels will panic when trying to initialize KVM in the guest. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 20180313153458.26822-4-peter.maydell@linaro.org --- hw/arm/boot.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/hw/arm/boot.c b/hw/arm/boot.c index XXXXXXX..XXXXXXX 100644 --- a/hw/arm/boot.c +++ b/hw/arm/boot.c @@ -XXX,XX +XXX,XX @@ static void do_cpu_reset(void *opaque) assert(!info->secure_board_setup); } + if (arm_feature(env, ARM_FEATURE_EL2)) { + /* If we have EL2 then Linux expects the HVC insn to work */ + env->cp15.scr_el3 |= SCR_HCE; + } + /* Set to non-secure if not a secure boot */ if (!info->secure_boot && (cs != first_cpu || !info->secure_board_setup)) { -- 2.16.2 The TypeInfo and state struct for bcm2386 disagree about what the parent class is -- the TypeInfo says it's TYPE_SYS_BUS_DEVICE, but the BCM2386State struct only defines the parent_obj field as DeviceState. This would have caused problems if anything actually tried to treat the object as a TYPE_SYS_BUS_DEVICE. Fix the TypeInfo to use TYPE_DEVICE as the parent, since we don't need any of the additional functionality TYPE_SYS_BUS_DEVICE provides. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Andrew Baumann <Andrew.Baumann@microsoft.com> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Message-id: 20180313153458.26822-5-peter.maydell@linaro.org --- hw/arm/bcm2836.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/arm/bcm2836.c b/hw/arm/bcm2836.c index XXXXXXX..XXXXXXX 100644 --- a/hw/arm/bcm2836.c +++ b/hw/arm/bcm2836.c @@ -XXX,XX +XXX,XX @@ static void bcm2836_class_init(ObjectClass *oc, void *data) static const TypeInfo bcm2836_type_info = { .name = TYPE_BCM2836, - .parent = TYPE_SYS_BUS_DEVICE, + .parent = TYPE_DEVICE, .instance_size = sizeof(BCM2836State), .instance_init = bcm2836_init, .class_init = bcm2836_class_init, -- 2.16.2 Our BCM2836 type is really a generic one that can be any of the bcm283x family. Rename it accordingly. We change only the names which are visible via the header file to the rest of the QEMU code, leaving private function names in bcm2836.c as they are. This is a preliminary to making bcm283x be an abstract parent class to specific types for the bcm2836 and bcm2837. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Andrew Baumann <Andrew.Baumann@microsoft.com> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Message-id: 20180313153458.26822-6-peter.maydell@linaro.org --- include/hw/arm/bcm2836.h | 12 ++++++------ hw/arm/bcm2836.c | 17 +++++++++-------- hw/arm/raspi.c | 16 ++++++++-------- 3 files changed, 23 insertions(+), 22 deletions(-) diff --git a/include/hw/arm/bcm2836.h b/include/hw/arm/bcm2836.h index XXXXXXX..XXXXXXX 100644 --- a/include/hw/arm/bcm2836.h +++ b/include/hw/arm/bcm2836.h @@ -XXX,XX +XXX,XX @@ #include "hw/arm/bcm2835_peripherals.h" #include "hw/intc/bcm2836_control.h" -#define TYPE_BCM2836 "bcm2836" -#define BCM2836(obj) OBJECT_CHECK(BCM2836State, (obj), TYPE_BCM2836) +#define TYPE_BCM283X "bcm283x" +#define BCM283X(obj) OBJECT_CHECK(BCM283XState, (obj), TYPE_BCM283X) -#define BCM2836_NCPUS 4 +#define BCM283X_NCPUS 4 -typedef struct BCM2836State { +typedef struct BCM283XState { /*< private >*/ DeviceState parent_obj; /*< public >*/ @@ -XXX,XX +XXX,XX @@ typedef struct BCM2836State { char *cpu_type; uint32_t enabled_cpus; - ARMCPU cpus[BCM2836_NCPUS]; + ARMCPU cpus[BCM283X_NCPUS]; BCM2836ControlState control; BCM2835PeripheralState peripherals; -} BCM2836State; +} BCM283XState; #endif /* BCM2836_H */ diff --git a/hw/arm/bcm2836.c b/hw/arm/bcm2836.c index XXXXXXX..XXXXXXX 100644 --- a/hw/arm/bcm2836.c +++ b/hw/arm/bcm2836.c @@ -XXX,XX +XXX,XX @@ static void bcm2836_init(Object *obj) { - BCM2836State *s = BCM2836(obj); + BCM283XState *s = BCM283X(obj); object_initialize(&s->control, sizeof(s->control), TYPE_BCM2836_CONTROL); object_property_add_child(obj, "control", OBJECT(&s->control), NULL); @@ -XXX,XX +XXX,XX @@ static void bcm2836_init(Object *obj) static void bcm2836_realize(DeviceState *dev, Error **errp) { - BCM2836State *s = BCM2836(dev); + BCM283XState *s = BCM283X(dev); Object *obj; Error *err = NULL; int n; @@ -XXX,XX +XXX,XX @@ static void bcm2836_realize(DeviceState *dev, Error **errp) /* common peripherals from bcm2835 */ obj = OBJECT(dev); - for (n = 0; n < BCM2836_NCPUS; n++) { + for (n = 0; n < BCM283X_NCPUS; n++) { object_initialize(&s->cpus[n], sizeof(s->cpus[n]), s->cpu_type); object_property_add_child(obj, "cpu[*]", OBJECT(&s->cpus[n]), @@ -XXX,XX +XXX,XX @@ static void bcm2836_realize(DeviceState *dev, Error **errp) sysbus_connect_irq(SYS_BUS_DEVICE(&s->peripherals), 1, qdev_get_gpio_in_named(DEVICE(&s->control), "gpu-fiq", 0)); - for (n = 0; n < BCM2836_NCPUS; n++) { + for (n = 0; n < BCM283X_NCPUS; n++) { /* Mirror bcm2836, which has clusterid set to 0xf * TODO: this should be converted to a property of ARM_CPU */ @@ -XXX,XX +XXX,XX @@ static void bcm2836_realize(DeviceState *dev, Error **errp) } static Property bcm2836_props[] = { - DEFINE_PROP_STRING("cpu-type", BCM2836State, cpu_type), - DEFINE_PROP_UINT32("enabled-cpus", BCM2836State, enabled_cpus, BCM2836_NCPUS), + DEFINE_PROP_STRING("cpu-type", BCM283XState, cpu_type), + DEFINE_PROP_UINT32("enabled-cpus", BCM283XState, enabled_cpus, + BCM283X_NCPUS), DEFINE_PROP_END_OF_LIST() }; @@ -XXX,XX +XXX,XX @@ static void bcm2836_class_init(ObjectClass *oc, void *data) } static const TypeInfo bcm2836_type_info = { - .name = TYPE_BCM2836, + .name = TYPE_BCM283X, .parent = TYPE_DEVICE, - .instance_size = sizeof(BCM2836State), + .instance_size = sizeof(BCM283XState), .instance_init = bcm2836_init, .class_init = bcm2836_class_init, }; diff --git a/hw/arm/raspi.c b/hw/arm/raspi.c index XXXXXXX..XXXXXXX 100644 --- a/hw/arm/raspi.c +++ b/hw/arm/raspi.c @@ -XXX,XX +XXX,XX @@ static const int raspi_boardid[] = {[1] = 0xc42, [2] = 0xc43, [3] = 0xc44}; typedef struct RasPiState { - BCM2836State soc; + BCM283XState soc; MemoryRegion ram; } RasPiState; @@ -XXX,XX +XXX,XX @@ static void raspi_init(MachineState *machine, int version) BusState *bus; DeviceState *carddev; - object_initialize(&s->soc, sizeof(s->soc), TYPE_BCM2836); + object_initialize(&s->soc, sizeof(s->soc), TYPE_BCM283X); object_property_add_child(OBJECT(machine), "soc", OBJECT(&s->soc), &error_abort); @@ -XXX,XX +XXX,XX @@ static void raspi2_machine_init(MachineClass *mc) mc->no_floppy = 1; mc->no_cdrom = 1; mc->default_cpu_type = ARM_CPU_TYPE_NAME("cortex-a15"); - mc->max_cpus = BCM2836_NCPUS; - mc->min_cpus = BCM2836_NCPUS; - mc->default_cpus = BCM2836_NCPUS; + mc->max_cpus = BCM283X_NCPUS; + mc->min_cpus = BCM283X_NCPUS; + mc->default_cpus = BCM283X_NCPUS; mc->default_ram_size = 1024 * 1024 * 1024; mc->ignore_memory_transaction_failures = true; }; @@ -XXX,XX +XXX,XX @@ static void raspi3_machine_init(MachineClass *mc) mc->no_floppy = 1; mc->no_cdrom = 1; mc->default_cpu_type = ARM_CPU_TYPE_NAME("cortex-a53"); - mc->max_cpus = BCM2836_NCPUS; - mc->min_cpus = BCM2836_NCPUS; - mc->default_cpus = BCM2836_NCPUS; + mc->max_cpus = BCM283X_NCPUS; + mc->min_cpus = BCM283X_NCPUS; + mc->default_cpus = BCM283X_NCPUS; mc->default_ram_size = 1024 * 1024 * 1024; } DEFINE_MACHINE("raspi3", raspi3_machine_init) -- 2.16.2 The bcm2837 is pretty similar to the bcm2836, but it does have some differences. Notably, the MPIDR affinity aff1 values it sets for the CPUs are 0x0, rather than the 0xf that the bcm2836 uses, and if this is wrong Linux will not boot. Rather than trying to have one device with properties that configure it differently for the two cases, create two separate QOM devices for the two SoCs. We use the same approach as hw/arm/aspeed_soc.c and share code and have a data table that might differ per-SoC. For the moment the two types don't actually have different behaviour. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Message-id: 20180313153458.26822-7-peter.maydell@linaro.org --- include/hw/arm/bcm2836.h | 19 +++++++++++++++++++ hw/arm/bcm2836.c | 37 ++++++++++++++++++++++++++++++++----- hw/arm/raspi.c | 3 ++- 3 files changed, 53 insertions(+), 6 deletions(-) diff --git a/include/hw/arm/bcm2836.h b/include/hw/arm/bcm2836.h index XXXXXXX..XXXXXXX 100644 --- a/include/hw/arm/bcm2836.h +++ b/include/hw/arm/bcm2836.h @@ -XXX,XX +XXX,XX @@ #define BCM283X_NCPUS 4 +/* These type names are for specific SoCs; other than instantiating + * them, code using these devices should always handle them via the + * BCM283x base class, so they have no BCM2836(obj) etc macros. + */ +#define TYPE_BCM2836 "bcm2836" +#define TYPE_BCM2837 "bcm2837" + typedef struct BCM283XState { /*< private >*/ DeviceState parent_obj; @@ -XXX,XX +XXX,XX @@ typedef struct BCM283XState { BCM2835PeripheralState peripherals; } BCM283XState; +typedef struct BCM283XInfo BCM283XInfo; + +typedef struct BCM283XClass { + DeviceClass parent_class; + const BCM283XInfo *info; +} BCM283XClass; + +#define BCM283X_CLASS(klass) \ + OBJECT_CLASS_CHECK(BCM283XClass, (klass), TYPE_BCM283X) +#define BCM283X_GET_CLASS(obj) \ + OBJECT_GET_CLASS(BCM283XClass, (obj), TYPE_BCM283X) + #endif /* BCM2836_H */ diff --git a/hw/arm/bcm2836.c b/hw/arm/bcm2836.c index XXXXXXX..XXXXXXX 100644 --- a/hw/arm/bcm2836.c +++ b/hw/arm/bcm2836.c @@ -XXX,XX +XXX,XX @@ /* "QA7" (Pi2) interrupt controller and mailboxes etc. */ #define BCM2836_CONTROL_BASE 0x40000000 +struct BCM283XInfo { + const char *name; +}; + +static const BCM283XInfo bcm283x_socs[] = { + { + .name = TYPE_BCM2836, + }, + { + .name = TYPE_BCM2837, + }, +}; + static void bcm2836_init(Object *obj) { BCM283XState *s = BCM283X(obj); @@ -XXX,XX +XXX,XX @@ static Property bcm2836_props[] = { DEFINE_PROP_END_OF_LIST() }; -static void bcm2836_class_init(ObjectClass *oc, void *data) +static void bcm283x_class_init(ObjectClass *oc, void *data) { DeviceClass *dc = DEVICE_CLASS(oc); + BCM283XClass *bc = BCM283X_CLASS(oc); - dc->props = bcm2836_props; + bc->info = data; dc->realize = bcm2836_realize; + dc->props = bcm2836_props; } -static const TypeInfo bcm2836_type_info = { +static const TypeInfo bcm283x_type_info = { .name = TYPE_BCM283X, .parent = TYPE_DEVICE, .instance_size = sizeof(BCM283XState), .instance_init = bcm2836_init, - .class_init = bcm2836_class_init, + .class_size = sizeof(BCM283XClass), + .abstract = true, }; static void bcm2836_register_types(void) { - type_register_static(&bcm2836_type_info); + int i; + + type_register_static(&bcm283x_type_info); + for (i = 0; i < ARRAY_SIZE(bcm283x_socs); i++) { + TypeInfo ti = { + .name = bcm283x_socs[i].name, + .parent = TYPE_BCM283X, + .class_init = bcm283x_class_init, + .class_data = (void *) &bcm283x_socs[i], + }; + type_register(&ti); + } } type_init(bcm2836_register_types) diff --git a/hw/arm/raspi.c b/hw/arm/raspi.c index XXXXXXX..XXXXXXX 100644 --- a/hw/arm/raspi.c +++ b/hw/arm/raspi.c @@ -XXX,XX +XXX,XX @@ static void raspi_init(MachineState *machine, int version) BusState *bus; DeviceState *carddev; - object_initialize(&s->soc, sizeof(s->soc), TYPE_BCM283X); + object_initialize(&s->soc, sizeof(s->soc), + version == 3 ? TYPE_BCM2837 : TYPE_BCM2836); object_property_add_child(OBJECT(machine), "soc", OBJECT(&s->soc), &error_abort); -- 2.16.2 The BCM2837 sets the Aff1 field of the MPIDR affinity values for the CPUs to 0, whereas the BCM2836 uses 0xf. Set this correctly, as it is required for Linux to boot. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Andrew Baumann <Andrew.Baumann@microsoft.com> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Message-id: 20180313153458.26822-8-peter.maydell@linaro.org --- hw/arm/bcm2836.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/hw/arm/bcm2836.c b/hw/arm/bcm2836.c index XXXXXXX..XXXXXXX 100644 --- a/hw/arm/bcm2836.c +++ b/hw/arm/bcm2836.c @@ -XXX,XX +XXX,XX @@ struct BCM283XInfo { const char *name; + int clusterid; }; static const BCM283XInfo bcm283x_socs[] = { { .name = TYPE_BCM2836, + .clusterid = 0xf, }, { .name = TYPE_BCM2837, + .clusterid = 0x0, }, }; @@ -XXX,XX +XXX,XX @@ static void bcm2836_init(Object *obj) static void bcm2836_realize(DeviceState *dev, Error **errp) { BCM283XState *s = BCM283X(dev); + BCM283XClass *bc = BCM283X_GET_CLASS(dev); + const BCM283XInfo *info = bc->info; Object *obj; Error *err = NULL; int n; @@ -XXX,XX +XXX,XX @@ static void bcm2836_realize(DeviceState *dev, Error **errp) qdev_get_gpio_in_named(DEVICE(&s->control), "gpu-fiq", 0)); for (n = 0; n < BCM283X_NCPUS; n++) { - /* Mirror bcm2836, which has clusterid set to 0xf - * TODO: this should be converted to a property of ARM_CPU - */ - s->cpus[n].mp_affinity = 0xF00 | n; + /* TODO: this should be converted to a property of ARM_CPU */ + s->cpus[n].mp_affinity = (info->clusterid << 8) | n; /* set periphbase/CBAR value for CPU-local registers */ object_property_set_int(OBJECT(&s->cpus[n]), -- 2.16.2 Now we have separate types for BCM2386 and BCM2387, we might as well just hard-code the CPU type they use rather than having it passed through as an object property. This then lets us put the initialization of the CPU object in init rather than realize. Note that this change means that it's no longer possible on the command line to use -cpu to ask for a different kind of CPU than the SoC supports. This was never a supported thing to do anyway; we were just not sanity-checking the command line. This does require us to only build the bcm2837 object on TARGET_AARCH64 configs, since otherwise it won't instantiate due to the missing cortex-a53 device and "make check" will fail. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Andrew Baumann <Andrew.Baumann@microsoft.com> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Message-id: 20180313153458.26822-9-peter.maydell@linaro.org --- hw/arm/bcm2836.c | 24 +++++++++++++++--------- hw/arm/raspi.c | 2 -- 2 files changed, 15 insertions(+), 11 deletions(-) diff --git a/hw/arm/bcm2836.c b/hw/arm/bcm2836.c index XXXXXXX..XXXXXXX 100644 --- a/hw/arm/bcm2836.c +++ b/hw/arm/bcm2836.c @@ -XXX,XX +XXX,XX @@ struct BCM283XInfo { const char *name; + const char *cpu_type; int clusterid; }; static const BCM283XInfo bcm283x_socs[] = { { .name = TYPE_BCM2836, + .cpu_type = ARM_CPU_TYPE_NAME("cortex-a15"), .clusterid = 0xf, }, +#ifdef TARGET_AARCH64 { .name = TYPE_BCM2837, + .cpu_type = ARM_CPU_TYPE_NAME("cortex-a53"), .clusterid = 0x0, }, +#endif }; static void bcm2836_init(Object *obj) { BCM283XState *s = BCM283X(obj); + BCM283XClass *bc = BCM283X_GET_CLASS(obj); + const BCM283XInfo *info = bc->info; + int n; + + for (n = 0; n < BCM283X_NCPUS; n++) { + object_initialize(&s->cpus[n], sizeof(s->cpus[n]), + info->cpu_type); + object_property_add_child(obj, "cpu[*]", OBJECT(&s->cpus[n]), + &error_abort); + } object_initialize(&s->control, sizeof(s->control), TYPE_BCM2836_CONTROL); object_property_add_child(obj, "control", OBJECT(&s->control), NULL); @@ -XXX,XX +XXX,XX @@ static void bcm2836_realize(DeviceState *dev, Error **errp) /* common peripherals from bcm2835 */ - obj = OBJECT(dev); - for (n = 0; n < BCM283X_NCPUS; n++) { - object_initialize(&s->cpus[n], sizeof(s->cpus[n]), - s->cpu_type); - object_property_add_child(obj, "cpu[*]", OBJECT(&s->cpus[n]), - &error_abort); - } - obj = object_property_get_link(OBJECT(dev), "ram", &err); if (obj == NULL) { error_setg(errp, "%s: required ram link not found: %s", @@ -XXX,XX +XXX,XX @@ static void bcm2836_realize(DeviceState *dev, Error **errp) } static Property bcm2836_props[] = { - DEFINE_PROP_STRING("cpu-type", BCM283XState, cpu_type), DEFINE_PROP_UINT32("enabled-cpus", BCM283XState, enabled_cpus, BCM283X_NCPUS), DEFINE_PROP_END_OF_LIST() diff --git a/hw/arm/raspi.c b/hw/arm/raspi.c index XXXXXXX..XXXXXXX 100644 --- a/hw/arm/raspi.c +++ b/hw/arm/raspi.c @@ -XXX,XX +XXX,XX @@ static void raspi_init(MachineState *machine, int version) /* Setup the SOC */ object_property_add_const_link(OBJECT(&s->soc), "ram", OBJECT(&s->ram), &error_abort); - object_property_set_str(OBJECT(&s->soc), machine->cpu_type, "cpu-type", - &error_abort); object_property_set_int(OBJECT(&s->soc), smp_cpus, "enabled-cpus", &error_abort); int board_rev = version == 3 ? 0xa02082 : 0xa21041; -- 2.16.2 The raspi3 has AArch64 CPUs, which means that our smpboot code for keeping the secondary CPUs in a pen needs to have a version for A64 as well as A32. Without this, the secondary CPUs go into an infinite loop of taking undefined instruction exceptions. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Message-id: 20180313153458.26822-10-peter.maydell@linaro.org --- hw/arm/raspi.c | 41 ++++++++++++++++++++++++++++++++++++++++- 1 file changed, 40 insertions(+), 1 deletion(-) diff --git a/hw/arm/raspi.c b/hw/arm/raspi.c index XXXXXXX..XXXXXXX 100644 --- a/hw/arm/raspi.c +++ b/hw/arm/raspi.c @@ -XXX,XX +XXX,XX @@ #define BOARDSETUP_ADDR (MVBAR_ADDR + 0x20) /* board setup code */ #define FIRMWARE_ADDR_2 0x8000 /* Pi 2 loads kernel.img here by default */ #define FIRMWARE_ADDR_3 0x80000 /* Pi 3 loads kernel.img here by default */ +#define SPINTABLE_ADDR 0xd8 /* Pi 3 bootloader spintable */ /* Table of Linux board IDs for different Pi versions */ static const int raspi_boardid[] = {[1] = 0xc42, [2] = 0xc43, [3] = 0xc44}; @@ -XXX,XX +XXX,XX @@ static void write_smpboot(ARMCPU *cpu, const struct arm_boot_info *info) info->smp_loader_start); } +static void write_smpboot64(ARMCPU *cpu, const struct arm_boot_info *info) +{ + /* Unlike the AArch32 version we don't need to call the board setup hook. + * The mechanism for doing the spin-table is also entirely different. + * We must have four 64-bit fields at absolute addresses + * 0xd8, 0xe0, 0xe8, 0xf0 in RAM, which are the flag variables for + * our CPUs, and which we must ensure are zero initialized before + * the primary CPU goes into the kernel. We put these variables inside + * a rom blob, so that the reset for ROM contents zeroes them for us. + */ + static const uint32_t smpboot[] = { + 0xd2801b05, /* mov x5, 0xd8 */ + 0xd53800a6, /* mrs x6, mpidr_el1 */ + 0x924004c6, /* and x6, x6, #0x3 */ + 0xd503205f, /* spin: wfe */ + 0xf86678a4, /* ldr x4, [x5,x6,lsl #3] */ + 0xb4ffffc4, /* cbz x4, spin */ + 0xd2800000, /* mov x0, #0x0 */ + 0xd2800001, /* mov x1, #0x0 */ + 0xd2800002, /* mov x2, #0x0 */ + 0xd2800003, /* mov x3, #0x0 */ + 0xd61f0080, /* br x4 */ + }; + + static const uint64_t spintables[] = { + 0, 0, 0, 0 + }; + + rom_add_blob_fixed("raspi_smpboot", smpboot, sizeof(smpboot), + info->smp_loader_start); + rom_add_blob_fixed("raspi_spintables", spintables, sizeof(spintables), + SPINTABLE_ADDR); +} + static void write_board_setup(ARMCPU *cpu, const struct arm_boot_info *info) { arm_write_secure_board_setup_dummy_smc(cpu, info, MVBAR_ADDR); @@ -XXX,XX +XXX,XX @@ static void setup_boot(MachineState *machine, int version, size_t ram_size) /* Pi2 and Pi3 requires SMP setup */ if (version >= 2) { binfo.smp_loader_start = SMPBOOT_ADDR; - binfo.write_secondary_boot = write_smpboot; + if (version == 2) { + binfo.write_secondary_boot = write_smpboot; + } else { + binfo.write_secondary_boot = write_smpboot64; + } binfo.secondary_cpu_reset_hook = reset_secondary; } -- 2.16.2 Nothing much exciting here, but it's 37 patches worth... thanks -- PMM The following changes since commit e64a62df378a746c0b257105959613c9f8122e59: Merge remote-tracking branch 'remotes/stsquad/tags/pull-testing-040320-1' into staging (2020-03-05 12:13:51 +0000) are available in the Git repository at: https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20200305 for you to fetch changes up to 597d61a3b1f94c53a3aaa77671697c0c5f797dbf: target/arm: Clean address for DC ZVA (2020-03-05 16:09:21 +0000) ---------------------------------------------------------------- * versal: Implement ADMA * Implement (trivially) ARMv8.2-TTCNP * hw/arm/smmu-common: a fix to smmu_find_smmu_pcibus * Remove unnecessary endianness-handling on some boards * Avoid minor memory leaks from timer_new in some devices * Honour more of the HCR_EL2 trap bits * Complain rather than ignoring bad command line options for cubieboard * Honour TBI for DC ZVA and exception return ---------------------------------------------------------------- Edgar E. Iglesias (2): hw/arm: versal: Add support for the LPD ADMAs hw/arm: versal: Generate xlnx-versal-virt zdma FDT nodes Eric Auger (1): hw/arm/smmu-common: a fix to smmu_find_smmu_pcibus Niek Linnenbank (4): hw/arm/cubieboard: use ARM Cortex-A8 as the default CPU in machine definition hw/arm/cubieboard: restrict allowed CPU type to ARM Cortex-A8 hw/arm/cubieboard: restrict allowed RAM size to 512MiB and 1GiB hw/arm/cubieboard: report error when using unsupported -bios argument Pan Nengyuan (4): hw/arm/pxa2xx: move timer_new from init() into realize() to avoid memleaks hw/arm/spitz: move timer_new from init() into realize() to avoid memleaks hw/arm/strongarm: move timer_new from init() into realize() to avoid memleaks hw/timer/cadence_ttc: move timer_new from init() into realize() to avoid memleaks Peter Maydell (1): target/arm: Implement (trivially) ARMv8.2-TTCNP Philippe Mathieu-Daudé (6): hw/arm/smmu-common: Simplify smmu_find_smmu_pcibus() logic hw/arm/gumstix: Simplify since the machines are little-endian only hw/arm/mainstone: Simplify since the machines are little-endian only hw/arm/omap_sx1: Simplify since the machines are little-endian only hw/arm/z2: Simplify since the machines are little-endian only hw/arm/musicpal: Simplify since the machines are little-endian only Richard Henderson (19): target/arm: Improve masking of HCR/HCR2 RES0 bits target/arm: Add HCR_EL2 bit definitions from ARMv8.6 target/arm: Disable has_el2 and has_el3 for user-only target/arm: Remove EL2 and EL3 setup from user-only target/arm: Improve masking in arm_hcr_el2_eff target/arm: Honor the HCR_EL2.{TVM,TRVM} bits target/arm: Honor the HCR_EL2.TSW bit target/arm: Honor the HCR_EL2.TACR bit target/arm: Honor the HCR_EL2.TPCP bit target/arm: Honor the HCR_EL2.TPU bit target/arm: Honor the HCR_EL2.TTLB bit tests/tcg/aarch64: Add newline in pauth-1 printf target/arm: Replicate TBI/TBID bits for single range regimes target/arm: Optimize cpu_mmu_index target/arm: Introduce core_to_aa64_mmu_idx target/arm: Apply TBI to ESR_ELx in helper_exception_return target/arm: Move helper_dc_zva to helper-a64.c target/arm: Use DEF_HELPER_FLAGS for helper_dc_zva target/arm: Clean address for DC ZVA include/hw/arm/xlnx-versal.h | 6 + target/arm/cpu.h | 30 ++-- target/arm/helper-a64.h | 1 + target/arm/helper.h | 1 - target/arm/internals.h | 6 + hw/arm/cubieboard.c | 29 +++- hw/arm/gumstix.c | 16 +- hw/arm/mainstone.c | 8 +- hw/arm/musicpal.c | 10 -- hw/arm/omap_sx1.c | 11 +- hw/arm/pxa2xx.c | 17 +- hw/arm/smmu-common.c | 20 +-- hw/arm/spitz.c | 8 +- hw/arm/strongarm.c | 18 ++- hw/arm/xlnx-versal-virt.c | 28 ++++ hw/arm/xlnx-versal.c | 24 +++ hw/arm/z2.c | 8 +- hw/timer/cadence_ttc.c | 18 ++- target/arm/cpu.c | 13 +- target/arm/cpu64.c | 2 + target/arm/helper-a64.c | 114 ++++++++++++- target/arm/helper.c | 373 ++++++++++++++++++++++++++++++------------- target/arm/op_helper.c | 93 ----------- target/arm/translate-a64.c | 4 +- tests/tcg/aarch64/pauth-1.c | 2 +- 25 files changed, 551 insertions(+), 309 deletions(-) From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com> Add support for the Versal LPD ADMAs. Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com> Reviewed-by: KONRAD Frederic <frederic.konrad@adacore.com> Reviewed-by: Luc Michel <luc.michel@greensocs.com> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- include/hw/arm/xlnx-versal.h | 6 ++++++ hw/arm/xlnx-versal.c | 24 ++++++++++++++++++++++++ 2 files changed, 30 insertions(+) diff --git a/include/hw/arm/xlnx-versal.h b/include/hw/arm/xlnx-versal.h index XXXXXXX..XXXXXXX 100644 --- a/include/hw/arm/xlnx-versal.h +++ b/include/hw/arm/xlnx-versal.h @@ -XXX,XX +XXX,XX @@ #define XLNX_VERSAL_NR_ACPUS 2 #define XLNX_VERSAL_NR_UARTS 2 #define XLNX_VERSAL_NR_GEMS 2 +#define XLNX_VERSAL_NR_ADMAS 8 #define XLNX_VERSAL_NR_IRQS 192 typedef struct Versal { @@ -XXX,XX +XXX,XX @@ typedef struct Versal { struct { SysBusDevice *uart[XLNX_VERSAL_NR_UARTS]; SysBusDevice *gem[XLNX_VERSAL_NR_GEMS]; + SysBusDevice *adma[XLNX_VERSAL_NR_ADMAS]; } iou; } lpd; @@ -XXX,XX +XXX,XX @@ typedef struct Versal { #define VERSAL_GEM0_WAKE_IRQ_0 57 #define VERSAL_GEM1_IRQ_0 58 #define VERSAL_GEM1_WAKE_IRQ_0 59 +#define VERSAL_ADMA_IRQ_0 60 /* Architecturally reserved IRQs suitable for virtualization. */ #define VERSAL_RSVD_IRQ_FIRST 111 @@ -XXX,XX +XXX,XX @@ typedef struct Versal { #define MM_GEM1 0xff0d0000U #define MM_GEM1_SIZE 0x10000 +#define MM_ADMA_CH0 0xffa80000U +#define MM_ADMA_CH0_SIZE 0x10000 + #define MM_OCM 0xfffc0000U #define MM_OCM_SIZE 0x40000 diff --git a/hw/arm/xlnx-versal.c b/hw/arm/xlnx-versal.c index XXXXXXX..XXXXXXX 100644 --- a/hw/arm/xlnx-versal.c +++ b/hw/arm/xlnx-versal.c @@ -XXX,XX +XXX,XX @@ static void versal_create_gems(Versal *s, qemu_irq *pic) } } +static void versal_create_admas(Versal *s, qemu_irq *pic) +{ + int i; + + for (i = 0; i < ARRAY_SIZE(s->lpd.iou.adma); i++) { + char *name = g_strdup_printf("adma%d", i); + DeviceState *dev; + MemoryRegion *mr; + + dev = qdev_create(NULL, "xlnx.zdma"); + s->lpd.iou.adma[i] = SYS_BUS_DEVICE(dev); + object_property_add_child(OBJECT(s), name, OBJECT(dev), &error_fatal); + qdev_init_nofail(dev); + + mr = sysbus_mmio_get_region(s->lpd.iou.adma[i], 0); + memory_region_add_subregion(&s->mr_ps, + MM_ADMA_CH0 + i * MM_ADMA_CH0_SIZE, mr); + + sysbus_connect_irq(s->lpd.iou.adma[i], 0, pic[VERSAL_ADMA_IRQ_0 + i]); + g_free(name); + } +} + /* This takes the board allocated linear DDR memory and creates aliases * for each split DDR range/aperture on the Versal address map. */ @@ -XXX,XX +XXX,XX @@ static void versal_realize(DeviceState *dev, Error **errp) versal_create_apu_gic(s, pic); versal_create_uarts(s, pic); versal_create_gems(s, pic); + versal_create_admas(s, pic); versal_map_ddr(s); versal_unimp(s); -- 2.20.1 From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com> Generate xlnx-versal-virt zdma FDT nodes. Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com> Reviewed-by: KONRAD Frederic <frederic.konrad@adacore.com> Reviewed-by: Luc Michel <luc.michel@greensocs.com> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- hw/arm/xlnx-versal-virt.c | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/hw/arm/xlnx-versal-virt.c b/hw/arm/xlnx-versal-virt.c index XXXXXXX..XXXXXXX 100644 --- a/hw/arm/xlnx-versal-virt.c +++ b/hw/arm/xlnx-versal-virt.c @@ -XXX,XX +XXX,XX @@ static void fdt_add_gem_nodes(VersalVirt *s) } } +static void fdt_add_zdma_nodes(VersalVirt *s) +{ + const char clocknames[] = "clk_main\0clk_apb"; + const char compat[] = "xlnx,zynqmp-dma-1.0"; + int i; + + for (i = XLNX_VERSAL_NR_ADMAS - 1; i >= 0; i--) { + uint64_t addr = MM_ADMA_CH0 + MM_ADMA_CH0_SIZE * i; + char *name = g_strdup_printf("/dma@%" PRIx64, addr); + + qemu_fdt_add_subnode(s->fdt, name); + + qemu_fdt_setprop_cell(s->fdt, name, "xlnx,bus-width", 64); + qemu_fdt_setprop_cells(s->fdt, name, "clocks", + s->phandle.clk_25Mhz, s->phandle.clk_25Mhz); + qemu_fdt_setprop(s->fdt, name, "clock-names", + clocknames, sizeof(clocknames)); + qemu_fdt_setprop_cells(s->fdt, name, "interrupts", + GIC_FDT_IRQ_TYPE_SPI, VERSAL_ADMA_IRQ_0 + i, + GIC_FDT_IRQ_FLAGS_LEVEL_HI); + qemu_fdt_setprop_sized_cells(s->fdt, name, "reg", + 2, addr, 2, 0x1000); + qemu_fdt_setprop(s->fdt, name, "compatible", compat, sizeof(compat)); + g_free(name); + } +} + static void fdt_nop_memory_nodes(void *fdt, Error **errp) { Error *err = NULL; @@ -XXX,XX +XXX,XX @@ static void versal_virt_init(MachineState *machine) fdt_add_uart_nodes(s); fdt_add_gic_nodes(s); fdt_add_timer_nodes(s); + fdt_add_zdma_nodes(s); fdt_add_cpu_nodes(s, psci_conduit); fdt_add_clk_node(s, "/clk125", 125000000, s->phandle.clk_125Mhz); fdt_add_clk_node(s, "/clk25", 25000000, s->phandle.clk_25Mhz); -- 2.20.1 The ARMv8.2-TTCNP extension allows an implementation to optimize by sharing TLB entries between multiple cores, provided that software declares that it's ready to deal with this by setting a CnP bit in the TTBRn_ELx. It is mandatory from ARMv8.2 onward. For QEMU's TLB implementation, sharing TLB entries between different cores would not really benefit us and would be a lot of work to implement. So we implement this extension in the "trivial" manner: we allow the guest to set and read back the CnP bit, but don't change our behaviour (this is an architecturally valid implementation choice). The only code path which looks at the TTBRn_ELx values for the long-descriptor format where the CnP bit is defined is already doing enough masking to not get confused when the CnP bit at the bottom of the register is set, so we can simply add a comment noting why we're relying on that mask. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20200225193822.18874-1-peter.maydell@linaro.org --- target/arm/cpu.c | 1 + target/arm/cpu64.c | 2 ++ target/arm/helper.c | 4 ++++ 3 files changed, 7 insertions(+) diff --git a/target/arm/cpu.c b/target/arm/cpu.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/cpu.c +++ b/target/arm/cpu.c @@ -XXX,XX +XXX,XX @@ static void arm_max_initfn(Object *obj) t = cpu->isar.id_mmfr4; t = FIELD_DP32(t, ID_MMFR4, HPDS, 1); /* AA32HPD */ t = FIELD_DP32(t, ID_MMFR4, AC2, 1); /* ACTLR2, HACTLR2 */ + t = FIELD_DP32(t, ID_MMFR4, CNP, 1); /* TTCNP */ cpu->isar.id_mmfr4 = t; } #endif diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/cpu64.c +++ b/target/arm/cpu64.c @@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj) t = cpu->isar.id_aa64mmfr2; t = FIELD_DP64(t, ID_AA64MMFR2, UAO, 1); + t = FIELD_DP64(t, ID_AA64MMFR2, CNP, 1); /* TTCNP */ cpu->isar.id_aa64mmfr2 = t; /* Replicate the same data to the 32-bit id registers. */ @@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj) u = cpu->isar.id_mmfr4; u = FIELD_DP32(u, ID_MMFR4, HPDS, 1); /* AA32HPD */ u = FIELD_DP32(u, ID_MMFR4, AC2, 1); /* ACTLR2, HACTLR2 */ + u = FIELD_DP32(t, ID_MMFR4, CNP, 1); /* TTCNP */ cpu->isar.id_mmfr4 = u; u = cpu->isar.id_aa64dfr0; diff --git a/target/arm/helper.c b/target/arm/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address, /* Now we can extract the actual base address from the TTBR */ descaddr = extract64(ttbr, 0, 48); + /* + * We rely on this masking to clear the RES0 bits at the bottom of the TTBR + * and also to mask out CnP (bit 0) which could validly be non-zero. + */ descaddr &= ~indexmask; /* The address field in the descriptor goes up to bit 39 for ARMv7 -- 2.20.1 From: Eric Auger <eric.auger@redhat.com> Make sure a null SMMUPciBus is returned in case we were not able to identify a pci bus matching the @bus_num. This matches the fix done on intel iommu in commit: a2e1cd41ccfe796529abfd1b6aeb1dd4393762a2 Signed-off-by: Eric Auger <eric.auger@redhat.com> Reviewed-by: Peter Xu <peterx@redhat.com> Message-Id: <20200226172628.17449-1-eric.auger@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- hw/arm/smmu-common.c | 1 + 1 file changed, 1 insertion(+) diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c index XXXXXXX..XXXXXXX 100644 --- a/hw/arm/smmu-common.c +++ b/hw/arm/smmu-common.c @@ -XXX,XX +XXX,XX @@ SMMUPciBus *smmu_find_smmu_pcibus(SMMUState *s, uint8_t bus_num) return smmu_pci_bus; } } + smmu_pci_bus = NULL; } return smmu_pci_bus; } -- 2.20.1 From: Philippe Mathieu-Daudé <philmd@redhat.com> The smmu_find_smmu_pcibus() function was introduced (in commit cac994ef43b) in a code format that could return an incorrect pointer, which was then fixed by the previous commit. We could have avoided this by writing the if() statement differently. Do it now, in case this function is re-used. The code is easier to review (harder to miss bugs). Acked-by: Eric Auger <eric.auger@redhat.com> Reviewed-by: Peter Xu <peterx@redhat.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- hw/arm/smmu-common.c | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c index XXXXXXX..XXXXXXX 100644 --- a/hw/arm/smmu-common.c +++ b/hw/arm/smmu-common.c @@ -XXX,XX +XXX,XX @@ inline int smmu_ptw(SMMUTransCfg *cfg, dma_addr_t iova, IOMMUAccessFlags perm, SMMUPciBus *smmu_find_smmu_pcibus(SMMUState *s, uint8_t bus_num) { SMMUPciBus *smmu_pci_bus = s->smmu_pcibus_by_bus_num[bus_num]; + GHashTableIter iter; - if (!smmu_pci_bus) { - GHashTableIter iter; - - g_hash_table_iter_init(&iter, s->smmu_pcibus_by_busptr); - while (g_hash_table_iter_next(&iter, NULL, (void **)&smmu_pci_bus)) { - if (pci_bus_num(smmu_pci_bus->bus) == bus_num) { - s->smmu_pcibus_by_bus_num[bus_num] = smmu_pci_bus; - return smmu_pci_bus; - } - } - smmu_pci_bus = NULL; + if (smmu_pci_bus) { + return smmu_pci_bus; } - return smmu_pci_bus; + + g_hash_table_iter_init(&iter, s->smmu_pcibus_by_busptr); + while (g_hash_table_iter_next(&iter, NULL, (void **)&smmu_pci_bus)) { + if (pci_bus_num(smmu_pci_bus->bus) == bus_num) { + s->smmu_pcibus_by_bus_num[bus_num] = smmu_pci_bus; + return smmu_pci_bus; + } + } + + return NULL; } static AddressSpace *smmu_find_add_as(PCIBus *bus, void *opaque, int devfn) -- 2.20.1 From: Philippe Mathieu-Daudé <f4bug@amsat.org> As the Connex and Verdex machines only boot in little-endian, we can simplify the code. Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- hw/arm/gumstix.c | 16 ++-------------- 1 file changed, 2 insertions(+), 14 deletions(-) diff --git a/hw/arm/gumstix.c b/hw/arm/gumstix.c index XXXXXXX..XXXXXXX 100644 --- a/hw/arm/gumstix.c +++ b/hw/arm/gumstix.c @@ -XXX,XX +XXX,XX @@ static void connex_init(MachineState *machine) { PXA2xxState *cpu; DriveInfo *dinfo; - int be; MemoryRegion *address_space_mem = get_system_memory(); uint32_t connex_rom = 0x01000000; @@ -XXX,XX +XXX,XX @@ static void connex_init(MachineState *machine) exit(1); } -#ifdef TARGET_WORDS_BIGENDIAN - be = 1; -#else - be = 0; -#endif if (!pflash_cfi01_register(0x00000000, "connext.rom", connex_rom, dinfo ? blk_by_legacy_dinfo(dinfo) : NULL, - sector_len, 2, 0, 0, 0, 0, be)) { + sector_len, 2, 0, 0, 0, 0, 0)) { error_report("Error registering flash memory"); exit(1); } @@ -XXX,XX +XXX,XX @@ static void verdex_init(MachineState *machine) { PXA2xxState *cpu; DriveInfo *dinfo; - int be; MemoryRegion *address_space_mem = get_system_memory(); uint32_t verdex_rom = 0x02000000; @@ -XXX,XX +XXX,XX @@ static void verdex_init(MachineState *machine) exit(1); } -#ifdef TARGET_WORDS_BIGENDIAN - be = 1; -#else - be = 0; -#endif if (!pflash_cfi01_register(0x00000000, "verdex.rom", verdex_rom, dinfo ? blk_by_legacy_dinfo(dinfo) : NULL, - sector_len, 2, 0, 0, 0, 0, be)) { + sector_len, 2, 0, 0, 0, 0, 0)) { error_report("Error registering flash memory"); exit(1); } -- 2.20.1 From: Philippe Mathieu-Daudé <philmd@redhat.com> We only build the little-endian softmmu configurations. Checking for big endian is pointless, remove the unused code. Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- hw/arm/mainstone.c | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/hw/arm/mainstone.c b/hw/arm/mainstone.c index XXXXXXX..XXXXXXX 100644 --- a/hw/arm/mainstone.c +++ b/hw/arm/mainstone.c @@ -XXX,XX +XXX,XX @@ static void mainstone_common_init(MemoryRegion *address_space_mem, DeviceState *mst_irq; DriveInfo *dinfo; int i; - int be; MemoryRegion *rom = g_new(MemoryRegion, 1); /* Setup CPU & memory */ @@ -XXX,XX +XXX,XX @@ static void mainstone_common_init(MemoryRegion *address_space_mem, memory_region_set_readonly(rom, true); memory_region_add_subregion(address_space_mem, 0, rom); -#ifdef TARGET_WORDS_BIGENDIAN - be = 1; -#else - be = 0; -#endif /* There are two 32MiB flash devices on the board */ for (i = 0; i < 2; i ++) { dinfo = drive_get(IF_PFLASH, 0, i); @@ -XXX,XX +XXX,XX @@ static void mainstone_common_init(MemoryRegion *address_space_mem, i ? "mainstone.flash1" : "mainstone.flash0", MAINSTONE_FLASH, dinfo ? blk_by_legacy_dinfo(dinfo) : NULL, - sector_len, 4, 0, 0, 0, 0, be)) { + sector_len, 4, 0, 0, 0, 0, 0)) { error_report("Error registering flash memory"); exit(1); } -- 2.20.1 From: Philippe Mathieu-Daudé <philmd@redhat.com> We only build the little-endian softmmu configurations. Checking for big endian is pointless, remove the unused code. Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- hw/arm/omap_sx1.c | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/hw/arm/omap_sx1.c b/hw/arm/omap_sx1.c index XXXXXXX..XXXXXXX 100644 --- a/hw/arm/omap_sx1.c +++ b/hw/arm/omap_sx1.c @@ -XXX,XX +XXX,XX @@ static void sx1_init(MachineState *machine, const int version) DriveInfo *dinfo; int fl_idx; uint32_t flash_size = flash0_size; - int be; if (machine->ram_size != mc->default_ram_size) { char *sz = size_to_str(mc->default_ram_size); @@ -XXX,XX +XXX,XX @@ static void sx1_init(MachineState *machine, const int version) OMAP_CS2_BASE, &cs[3]); fl_idx = 0; -#ifdef TARGET_WORDS_BIGENDIAN - be = 1; -#else - be = 0; -#endif - if ((dinfo = drive_get(IF_PFLASH, 0, fl_idx)) != NULL) { if (!pflash_cfi01_register(OMAP_CS0_BASE, "omap_sx1.flash0-1", flash_size, blk_by_legacy_dinfo(dinfo), - sector_size, 4, 0, 0, 0, 0, be)) { + sector_size, 4, 0, 0, 0, 0, 0)) { fprintf(stderr, "qemu: Error registering flash memory %d.\n", fl_idx); } @@ -XXX,XX +XXX,XX @@ static void sx1_init(MachineState *machine, const int version) if (!pflash_cfi01_register(OMAP_CS1_BASE, "omap_sx1.flash1-1", flash1_size, blk_by_legacy_dinfo(dinfo), - sector_size, 4, 0, 0, 0, 0, be)) { + sector_size, 4, 0, 0, 0, 0, 0)) { fprintf(stderr, "qemu: Error registering flash memory %d.\n", fl_idx); } -- 2.20.1 From: Philippe Mathieu-Daudé <philmd@redhat.com> We only build the little-endian softmmu configurations. Checking for big endian is pointless, remove the unused code. Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- hw/arm/z2.c | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/hw/arm/z2.c b/hw/arm/z2.c index XXXXXXX..XXXXXXX 100644 --- a/hw/arm/z2.c +++ b/hw/arm/z2.c @@ -XXX,XX +XXX,XX @@ static void z2_init(MachineState *machine) uint32_t sector_len = 0x10000; PXA2xxState *mpu; DriveInfo *dinfo; - int be; void *z2_lcd; I2CBus *bus; DeviceState *wm; @@ -XXX,XX +XXX,XX @@ static void z2_init(MachineState *machine) /* Setup CPU & memory */ mpu = pxa270_init(address_space_mem, z2_binfo.ram_size, machine->cpu_type); -#ifdef TARGET_WORDS_BIGENDIAN - be = 1; -#else - be = 0; -#endif dinfo = drive_get(IF_PFLASH, 0, 0); if (!pflash_cfi01_register(Z2_FLASH_BASE, "z2.flash0", Z2_FLASH_SIZE, dinfo ? blk_by_legacy_dinfo(dinfo) : NULL, - sector_len, 4, 0, 0, 0, 0, be)) { + sector_len, 4, 0, 0, 0, 0, 0)) { error_report("Error registering flash memory"); exit(1); } -- 2.20.1 From: Philippe Mathieu-Daudé <philmd@redhat.com> We only build the little-endian softmmu configurations. Checking for big endian is pointless, remove the unused code. Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- hw/arm/musicpal.c | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/hw/arm/musicpal.c b/hw/arm/musicpal.c index XXXXXXX..XXXXXXX 100644 --- a/hw/arm/musicpal.c +++ b/hw/arm/musicpal.c @@ -XXX,XX +XXX,XX @@ static void musicpal_init(MachineState *machine) * 0xFF800000 (if there is 8 MB flash). So remap flash access if the * image is smaller than 32 MB. */ -#ifdef TARGET_WORDS_BIGENDIAN - pflash_cfi02_register(0x100000000ULL - MP_FLASH_SIZE_MAX, - "musicpal.flash", flash_size, - blk, 0x10000, - MP_FLASH_SIZE_MAX / flash_size, - 2, 0x00BF, 0x236D, 0x0000, 0x0000, - 0x5555, 0x2AAA, 1); -#else pflash_cfi02_register(0x100000000ULL - MP_FLASH_SIZE_MAX, "musicpal.flash", flash_size, blk, 0x10000, MP_FLASH_SIZE_MAX / flash_size, 2, 0x00BF, 0x236D, 0x0000, 0x0000, 0x5555, 0x2AAA, 0); -#endif - } sysbus_create_simple(TYPE_MV88W8618_FLASHCFG, MP_FLASHCFG_BASE, NULL); -- 2.20.1 From: Pan Nengyuan <pannengyuan@huawei.com> There are some memleaks when we call 'device_list_properties'. This patch move timer_new from init into realize to fix it. Reported-by: Euler Robot <euler.robot@huawei.com> Signed-off-by: Pan Nengyuan <pannengyuan@huawei.com> Message-id: 20200227025055.14341-3-pannengyuan@huawei.com Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- hw/arm/pxa2xx.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/hw/arm/pxa2xx.c b/hw/arm/pxa2xx.c index XXXXXXX..XXXXXXX 100644 --- a/hw/arm/pxa2xx.c +++ b/hw/arm/pxa2xx.c @@ -XXX,XX +XXX,XX @@ static void pxa2xx_rtc_init(Object *obj) s->last_rtcpicr = 0; s->last_hz = s->last_sw = s->last_pi = qemu_clock_get_ms(rtc_clock); + sysbus_init_irq(dev, &s->rtc_irq); + + memory_region_init_io(&s->iomem, obj, &pxa2xx_rtc_ops, s, + "pxa2xx-rtc", 0x10000); + sysbus_init_mmio(dev, &s->iomem); +} + +static void pxa2xx_rtc_realize(DeviceState *dev, Error **errp) +{ + PXA2xxRTCState *s = PXA2XX_RTC(dev); s->rtc_hz = timer_new_ms(rtc_clock, pxa2xx_rtc_hz_tick, s); s->rtc_rdal1 = timer_new_ms(rtc_clock, pxa2xx_rtc_rdal1_tick, s); s->rtc_rdal2 = timer_new_ms(rtc_clock, pxa2xx_rtc_rdal2_tick, s); s->rtc_swal1 = timer_new_ms(rtc_clock, pxa2xx_rtc_swal1_tick, s); s->rtc_swal2 = timer_new_ms(rtc_clock, pxa2xx_rtc_swal2_tick, s); s->rtc_pi = timer_new_ms(rtc_clock, pxa2xx_rtc_pi_tick, s); - - sysbus_init_irq(dev, &s->rtc_irq); - - memory_region_init_io(&s->iomem, obj, &pxa2xx_rtc_ops, s, - "pxa2xx-rtc", 0x10000); - sysbus_init_mmio(dev, &s->iomem); } static int pxa2xx_rtc_pre_save(void *opaque) @@ -XXX,XX +XXX,XX @@ static void pxa2xx_rtc_sysbus_class_init(ObjectClass *klass, void *data) dc->desc = "PXA2xx RTC Controller"; dc->vmsd = &vmstate_pxa2xx_rtc_regs; + dc->realize = pxa2xx_rtc_realize; } static const TypeInfo pxa2xx_rtc_sysbus_info = { -- 2.20.1 From: Pan Nengyuan <pannengyuan@huawei.com> There are some memleaks when we call 'device_list_properties'. This patch move timer_new from init into realize to fix it. Reported-by: Euler Robot <euler.robot@huawei.com> Signed-off-by: Pan Nengyuan <pannengyuan@huawei.com> Message-id: 20200227025055.14341-4-pannengyuan@huawei.com Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- hw/arm/spitz.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/hw/arm/spitz.c b/hw/arm/spitz.c index XXXXXXX..XXXXXXX 100644 --- a/hw/arm/spitz.c +++ b/hw/arm/spitz.c @@ -XXX,XX +XXX,XX @@ static void spitz_keyboard_init(Object *obj) spitz_keyboard_pre_map(s); - s->kbdtimer = timer_new_ns(QEMU_CLOCK_VIRTUAL, spitz_keyboard_tick, s); qdev_init_gpio_in(dev, spitz_keyboard_strobe, SPITZ_KEY_STROBE_NUM); qdev_init_gpio_out(dev, s->sense, SPITZ_KEY_SENSE_NUM); } +static void spitz_keyboard_realize(DeviceState *dev, Error **errp) +{ + SpitzKeyboardState *s = SPITZ_KEYBOARD(dev); + s->kbdtimer = timer_new_ns(QEMU_CLOCK_VIRTUAL, spitz_keyboard_tick, s); +} + /* LCD backlight controller */ #define LCDTG_RESCTL 0x00 @@ -XXX,XX +XXX,XX @@ static void spitz_keyboard_class_init(ObjectClass *klass, void *data) DeviceClass *dc = DEVICE_CLASS(klass); dc->vmsd = &vmstate_spitz_kbd; + dc->realize = spitz_keyboard_realize; } static const TypeInfo spitz_keyboard_info = { -- 2.20.1 From: Pan Nengyuan <pannengyuan@huawei.com> There are some memleaks when we call 'device_list_properties'. This patch move timer_new from init into realize to fix it. Reported-by: Euler Robot <euler.robot@huawei.com> Signed-off-by: Pan Nengyuan <pannengyuan@huawei.com> Message-id: 20200227025055.14341-5-pannengyuan@huawei.com Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- hw/arm/strongarm.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/hw/arm/strongarm.c b/hw/arm/strongarm.c index XXXXXXX..XXXXXXX 100644 --- a/hw/arm/strongarm.c +++ b/hw/arm/strongarm.c @@ -XXX,XX +XXX,XX @@ static void strongarm_rtc_init(Object *obj) s->last_rcnr = (uint32_t) mktimegm(&tm); s->last_hz = qemu_clock_get_ms(rtc_clock); - s->rtc_alarm = timer_new_ms(rtc_clock, strongarm_rtc_alarm_tick, s); - s->rtc_hz = timer_new_ms(rtc_clock, strongarm_rtc_hz_tick, s); - sysbus_init_irq(dev, &s->rtc_irq); sysbus_init_irq(dev, &s->rtc_hz_irq); @@ -XXX,XX +XXX,XX @@ static void strongarm_rtc_init(Object *obj) sysbus_init_mmio(dev, &s->iomem); } +static void strongarm_rtc_realize(DeviceState *dev, Error **errp) +{ + StrongARMRTCState *s = STRONGARM_RTC(dev); + s->rtc_alarm = timer_new_ms(rtc_clock, strongarm_rtc_alarm_tick, s); + s->rtc_hz = timer_new_ms(rtc_clock, strongarm_rtc_hz_tick, s); +} + static int strongarm_rtc_pre_save(void *opaque) { StrongARMRTCState *s = opaque; @@ -XXX,XX +XXX,XX @@ static void strongarm_rtc_sysbus_class_init(ObjectClass *klass, void *data) dc->desc = "StrongARM RTC Controller"; dc->vmsd = &vmstate_strongarm_rtc_regs; + dc->realize = strongarm_rtc_realize; } static const TypeInfo strongarm_rtc_sysbus_info = { @@ -XXX,XX +XXX,XX @@ static void strongarm_uart_init(Object *obj) "uart", 0x10000); sysbus_init_mmio(dev, &s->iomem); sysbus_init_irq(dev, &s->irq); - - s->rx_timeout_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, strongarm_uart_rx_to, s); - s->tx_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, strongarm_uart_tx, s); } static void strongarm_uart_realize(DeviceState *dev, Error **errp) { StrongARMUARTState *s = STRONGARM_UART(dev); + s->rx_timeout_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, + strongarm_uart_rx_to, + s); + s->tx_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, strongarm_uart_tx, s); qemu_chr_fe_set_handlers(&s->chr, strongarm_uart_can_receive, strongarm_uart_receive, -- 2.20.1 From: Pan Nengyuan <pannengyuan@huawei.com> There are some memleaks when we call 'device_list_properties'. This patch move timer_new from init into realize to fix it. Reported-by: Euler Robot <euler.robot@huawei.com> Signed-off-by: Pan Nengyuan <pannengyuan@huawei.com> Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Message-id: 20200227025055.14341-7-pannengyuan@huawei.com Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- hw/timer/cadence_ttc.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/hw/timer/cadence_ttc.c b/hw/timer/cadence_ttc.c index XXXXXXX..XXXXXXX 100644 --- a/hw/timer/cadence_ttc.c +++ b/hw/timer/cadence_ttc.c @@ -XXX,XX +XXX,XX @@ static void cadence_timer_init(uint32_t freq, CadenceTimerState *s) static void cadence_ttc_init(Object *obj) { CadenceTTCState *s = CADENCE_TTC(obj); - int i; - - for (i = 0; i < 3; ++i) { - cadence_timer_init(133000000, &s->timer[i]); - sysbus_init_irq(SYS_BUS_DEVICE(obj), &s->timer[i].irq); - } memory_region_init_io(&s->iomem, obj, &cadence_ttc_ops, s, "timer", 0x1000); sysbus_init_mmio(SYS_BUS_DEVICE(obj), &s->iomem); } +static void cadence_ttc_realize(DeviceState *dev, Error **errp) +{ + CadenceTTCState *s = CADENCE_TTC(dev); + int i; + + for (i = 0; i < 3; ++i) { + cadence_timer_init(133000000, &s->timer[i]); + sysbus_init_irq(SYS_BUS_DEVICE(dev), &s->timer[i].irq); + } +} + static int cadence_timer_pre_save(void *opaque) { cadence_timer_sync((CadenceTimerState *)opaque); @@ -XXX,XX +XXX,XX @@ static void cadence_ttc_class_init(ObjectClass *klass, void *data) DeviceClass *dc = DEVICE_CLASS(klass); dc->vmsd = &vmstate_cadence_ttc; + dc->realize = cadence_ttc_realize; } static const TypeInfo cadence_ttc_info = { -- 2.20.1 From: Richard Henderson <richard.henderson@linaro.org> Don't merely start with v8.0, handle v7VE as well. Ensure that writes from aarch32 mode do not change bits in the other half of the register. Protect reads of aa64 id registers with ARM_FEATURE_AARCH64. Suggested-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20200229012811.24129-2-richard.henderson@linaro.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- target/arm/helper.c | 38 +++++++++++++++++++++++++------------- 1 file changed, 25 insertions(+), 13 deletions(-) diff --git a/target/arm/helper.c b/target/arm/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el3_no_el2_v8_cp_reginfo[] = { REGINFO_SENTINEL }; -static void hcr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value) +static void do_hcr_write(CPUARMState *env, uint64_t value, uint64_t valid_mask) { ARMCPU *cpu = env_archcpu(env); - /* Begin with bits defined in base ARMv8.0. */ - uint64_t valid_mask = MAKE_64BIT_MASK(0, 34); + + if (arm_feature(env, ARM_FEATURE_V8)) { + valid_mask |= MAKE_64BIT_MASK(0, 34); /* ARMv8.0 */ + } else { + valid_mask |= MAKE_64BIT_MASK(0, 28); /* ARMv7VE */ + } if (arm_feature(env, ARM_FEATURE_EL3)) { valid_mask &= ~HCR_HCD; @@ -XXX,XX +XXX,XX @@ static void hcr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value) */ valid_mask &= ~HCR_TSC; } - if (cpu_isar_feature(aa64_vh, cpu)) { - valid_mask |= HCR_E2H; - } - if (cpu_isar_feature(aa64_lor, cpu)) { - valid_mask |= HCR_TLOR; - } - if (cpu_isar_feature(aa64_pauth, cpu)) { - valid_mask |= HCR_API | HCR_APK; + + if (arm_feature(env, ARM_FEATURE_AARCH64)) { + if (cpu_isar_feature(aa64_vh, cpu)) { + valid_mask |= HCR_E2H; + } + if (cpu_isar_feature(aa64_lor, cpu)) { + valid_mask |= HCR_TLOR; + } + if (cpu_isar_feature(aa64_pauth, cpu)) { + valid_mask |= HCR_API | HCR_APK; + } } /* Clear RES0 bits. */ @@ -XXX,XX +XXX,XX @@ static void hcr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value) arm_cpu_update_vfiq(cpu); } +static void hcr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value) +{ + do_hcr_write(env, value, 0); +} + static void hcr_writehigh(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value) { /* Handle HCR2 write, i.e. write to high half of HCR_EL2 */ value = deposit64(env->cp15.hcr_el2, 32, 32, value); - hcr_write(env, NULL, value); + do_hcr_write(env, value, MAKE_64BIT_MASK(0, 32)); } static void hcr_writelow(CPUARMState *env, const ARMCPRegInfo *ri, @@ -XXX,XX +XXX,XX @@ static void hcr_writelow(CPUARMState *env, const ARMCPRegInfo *ri, { /* Handle HCR write, i.e. write to low half of HCR_EL2 */ value = deposit64(env->cp15.hcr_el2, 0, 32, value); - hcr_write(env, NULL, value); + do_hcr_write(env, value, MAKE_64BIT_MASK(32, 32)); } /* -- 2.20.1 From: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20200229012811.24129-3-richard.henderson@linaro.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- target/arm/cpu.h | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/target/arm/cpu.h b/target/arm/cpu.h index XXXXXXX..XXXXXXX 100644 --- a/target/arm/cpu.h +++ b/target/arm/cpu.h @@ -XXX,XX +XXX,XX @@ static inline void xpsr_write(CPUARMState *env, uint32_t val, uint32_t mask) #define HCR_TERR (1ULL << 36) #define HCR_TEA (1ULL << 37) #define HCR_MIOCNCE (1ULL << 38) +/* RES0 bit 39 */ #define HCR_APK (1ULL << 40) #define HCR_API (1ULL << 41) #define HCR_NV (1ULL << 42) @@ -XXX,XX +XXX,XX @@ static inline void xpsr_write(CPUARMState *env, uint32_t val, uint32_t mask) #define HCR_NV2 (1ULL << 45) #define HCR_FWB (1ULL << 46) #define HCR_FIEN (1ULL << 47) +/* RES0 bit 48 */ #define HCR_TID4 (1ULL << 49) #define HCR_TICAB (1ULL << 50) +#define HCR_AMVOFFEN (1ULL << 51) #define HCR_TOCU (1ULL << 52) +#define HCR_ENSCXT (1ULL << 53) #define HCR_TTLBIS (1ULL << 54) #define HCR_TTLBOS (1ULL << 55) #define HCR_ATA (1ULL << 56) #define HCR_DCT (1ULL << 57) +#define HCR_TID5 (1ULL << 58) +#define HCR_TWEDEN (1ULL << 59) +#define HCR_TWEDEL MAKE_64BIT_MASK(60, 4) #define SCR_NS (1U << 0) #define SCR_IRQ (1U << 1) -- 2.20.1 From: Richard Henderson <richard.henderson@linaro.org> In arm_cpu_reset, we configure many system registers so that user-only behaves as it should with a minimum of ifdefs. However, we do not set all of the system registers as required for a cpu with EL2 and EL3. Disabling EL2 and EL3 mean that we will not look at those registers, which means that we don't have to worry about configuring them. Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20200229012811.24129-4-richard.henderson@linaro.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- target/arm/cpu.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/target/arm/cpu.c b/target/arm/cpu.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/cpu.c +++ b/target/arm/cpu.c @@ -XXX,XX +XXX,XX @@ static Property arm_cpu_reset_hivecs_property = static Property arm_cpu_rvbar_property = DEFINE_PROP_UINT64("rvbar", ARMCPU, rvbar, 0); +#ifndef CONFIG_USER_ONLY static Property arm_cpu_has_el2_property = DEFINE_PROP_BOOL("has_el2", ARMCPU, has_el2, true); static Property arm_cpu_has_el3_property = DEFINE_PROP_BOOL("has_el3", ARMCPU, has_el3, true); +#endif static Property arm_cpu_cfgend_property = DEFINE_PROP_BOOL("cfgend", ARMCPU, cfgend, false); @@ -XXX,XX +XXX,XX @@ void arm_cpu_post_init(Object *obj) qdev_property_add_static(DEVICE(obj), &arm_cpu_rvbar_property); } +#ifndef CONFIG_USER_ONLY if (arm_feature(&cpu->env, ARM_FEATURE_EL3)) { /* Add the has_el3 state CPU property only if EL3 is allowed. This will * prevent "has_el3" from existing on CPUs which cannot support EL3. */ qdev_property_add_static(DEVICE(obj), &arm_cpu_has_el3_property); -#ifndef CONFIG_USER_ONLY object_property_add_link(obj, "secure-memory", TYPE_MEMORY_REGION, (Object **)&cpu->secure_memory, qdev_prop_allow_set_link_before_realize, OBJ_PROP_LINK_STRONG, &error_abort); -#endif } if (arm_feature(&cpu->env, ARM_FEATURE_EL2)) { qdev_property_add_static(DEVICE(obj), &arm_cpu_has_el2_property); } +#endif if (arm_feature(&cpu->env, ARM_FEATURE_PMU)) { cpu->has_pmu = true; -- 2.20.1 From: Richard Henderson <richard.henderson@linaro.org> We have disabled EL2 and EL3 for user-only, which means that these registers "don't exist" and should not be set. Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20200229012811.24129-5-richard.henderson@linaro.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- target/arm/cpu.c | 6 ------ 1 file changed, 6 deletions(-) diff --git a/target/arm/cpu.c b/target/arm/cpu.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/cpu.c +++ b/target/arm/cpu.c @@ -XXX,XX +XXX,XX @@ static void arm_cpu_reset(CPUState *s) /* Enable all PAC keys. */ env->cp15.sctlr_el[1] |= (SCTLR_EnIA | SCTLR_EnIB | SCTLR_EnDA | SCTLR_EnDB); - /* Enable all PAC instructions */ - env->cp15.hcr_el2 |= HCR_API; - env->cp15.scr_el3 |= SCR_API; /* and to the FP/Neon instructions */ env->cp15.cpacr_el1 = deposit64(env->cp15.cpacr_el1, 20, 2, 3); /* and to the SVE instructions */ env->cp15.cpacr_el1 = deposit64(env->cp15.cpacr_el1, 16, 2, 3); - env->cp15.cptr_el[3] |= CPTR_EZ; /* with maximum vector length */ env->vfp.zcr_el[1] = cpu_isar_feature(aa64_sve, cpu) ? cpu->sve_max_vq - 1 : 0; - env->vfp.zcr_el[2] = env->vfp.zcr_el[1]; - env->vfp.zcr_el[3] = env->vfp.zcr_el[1]; /* * Enable TBI0 and TBI1. While the real kernel only enables TBI0, * turning on both here will produce smaller code and otherwise -- 2.20.1 From: Richard Henderson <richard.henderson@linaro.org> Update the {TGE,E2H} == '11' masking to ARMv8.6. If EL2 is configured for aarch32, disable all of the bits that are RES0 in aarch32 mode. Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20200229012811.24129-6-richard.henderson@linaro.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- target/arm/helper.c | 31 +++++++++++++++++++++++++++---- 1 file changed, 27 insertions(+), 4 deletions(-) diff --git a/target/arm/helper.c b/target/arm/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -XXX,XX +XXX,XX @@ uint64_t arm_hcr_el2_eff(CPUARMState *env) * Since the v8.4 language applies to the entire register, and * appears to be backward compatible, use that. */ - ret = 0; - } else if (ret & HCR_TGE) { - /* These bits are up-to-date as of ARMv8.4. */ + return 0; + } + + /* + * For a cpu that supports both aarch64 and aarch32, we can set bits + * in HCR_EL2 (e.g. via EL3) that are RES0 when we enter EL2 as aa32. + * Ignore all of the bits in HCR+HCR2 that are not valid for aarch32. + */ + if (!arm_el_is_aa64(env, 2)) { + uint64_t aa32_valid; + + /* + * These bits are up-to-date as of ARMv8.6. + * For HCR, it's easiest to list just the 2 bits that are invalid. + * For HCR2, list those that are valid. + */ + aa32_valid = MAKE_64BIT_MASK(0, 32) & ~(HCR_RW | HCR_TDZ); + aa32_valid |= (HCR_CD | HCR_ID | HCR_TERR | HCR_TEA | HCR_MIOCNCE | + HCR_TID4 | HCR_TICAB | HCR_TOCU | HCR_TTLBIS); + ret &= aa32_valid; + } + + if (ret & HCR_TGE) { + /* These bits are up-to-date as of ARMv8.6. */ if (ret & HCR_E2H) { ret &= ~(HCR_VM | HCR_FMO | HCR_IMO | HCR_AMO | HCR_BSU_MASK | HCR_DC | HCR_TWI | HCR_TWE | HCR_TID0 | HCR_TID2 | HCR_TPCP | HCR_TPU | - HCR_TDZ | HCR_CD | HCR_ID | HCR_MIOCNCE); + HCR_TDZ | HCR_CD | HCR_ID | HCR_MIOCNCE | + HCR_TID4 | HCR_TICAB | HCR_TOCU | HCR_ENSCXT | + HCR_TTLBIS | HCR_TTLBOS | HCR_TID5); } else { ret |= HCR_FMO | HCR_IMO | HCR_AMO; } -- 2.20.1 From: Richard Henderson <richard.henderson@linaro.org> These bits trap EL1 access to various virtual memory controls. Buglink: https://bugs.launchpad.net/bugs/1855072 Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20200229012811.24129-7-richard.henderson@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- target/arm/helper.c | 82 ++++++++++++++++++++++++++++++--------------- 1 file changed, 55 insertions(+), 27 deletions(-) diff --git a/target/arm/helper.c b/target/arm/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -XXX,XX +XXX,XX @@ static CPAccessResult access_tpm(CPUARMState *env, const ARMCPRegInfo *ri, return CP_ACCESS_OK; } +/* Check for traps from EL1 due to HCR_EL2.TVM and HCR_EL2.TRVM. */ +static CPAccessResult access_tvm_trvm(CPUARMState *env, const ARMCPRegInfo *ri, + bool isread) +{ + if (arm_current_el(env) == 1) { + uint64_t trap = isread ? HCR_TRVM : HCR_TVM; + if (arm_hcr_el2_eff(env) & trap) { + return CP_ACCESS_TRAP_EL2; + } + } + return CP_ACCESS_OK; +} + static void dacr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value) { ARMCPU *cpu = env_archcpu(env); @@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo cp_reginfo[] = { */ { .name = "CONTEXTIDR_EL1", .state = ARM_CP_STATE_BOTH, .opc0 = 3, .opc1 = 0, .crn = 13, .crm = 0, .opc2 = 1, - .access = PL1_RW, .secure = ARM_CP_SECSTATE_NS, + .access = PL1_RW, .accessfn = access_tvm_trvm, + .secure = ARM_CP_SECSTATE_NS, .fieldoffset = offsetof(CPUARMState, cp15.contextidr_el[1]), .resetvalue = 0, .writefn = contextidr_write, .raw_writefn = raw_write, }, { .name = "CONTEXTIDR_S", .state = ARM_CP_STATE_AA32, .cp = 15, .opc1 = 0, .crn = 13, .crm = 0, .opc2 = 1, - .access = PL1_RW, .secure = ARM_CP_SECSTATE_S, + .access = PL1_RW, .accessfn = access_tvm_trvm, + .secure = ARM_CP_SECSTATE_S, .fieldoffset = offsetof(CPUARMState, cp15.contextidr_s), .resetvalue = 0, .writefn = contextidr_write, .raw_writefn = raw_write, }, REGINFO_SENTINEL @@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo not_v8_cp_reginfo[] = { /* MMU Domain access control / MPU write buffer control */ { .name = "DACR", .cp = 15, .opc1 = CP_ANY, .crn = 3, .crm = CP_ANY, .opc2 = CP_ANY, - .access = PL1_RW, .resetvalue = 0, + .access = PL1_RW, .accessfn = access_tvm_trvm, .resetvalue = 0, .writefn = dacr_write, .raw_writefn = raw_write, .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.dacr_s), offsetoflow32(CPUARMState, cp15.dacr_ns) } }, @@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v6_cp_reginfo[] = { { .name = "DMB", .cp = 15, .crn = 7, .crm = 10, .opc1 = 0, .opc2 = 5, .access = PL0_W, .type = ARM_CP_NOP }, { .name = "IFAR", .cp = 15, .crn = 6, .crm = 0, .opc1 = 0, .opc2 = 2, - .access = PL1_RW, + .access = PL1_RW, .accessfn = access_tvm_trvm, .bank_fieldoffsets = { offsetof(CPUARMState, cp15.ifar_s), offsetof(CPUARMState, cp15.ifar_ns) }, .resetvalue = 0, }, @@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v7_cp_reginfo[] = { */ { .name = "AFSR0_EL1", .state = ARM_CP_STATE_BOTH, .opc0 = 3, .opc1 = 0, .crn = 5, .crm = 1, .opc2 = 0, - .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 }, + .access = PL1_RW, .accessfn = access_tvm_trvm, + .type = ARM_CP_CONST, .resetvalue = 0 }, { .name = "AFSR1_EL1", .state = ARM_CP_STATE_BOTH, .opc0 = 3, .opc1 = 0, .crn = 5, .crm = 1, .opc2 = 1, - .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 }, + .access = PL1_RW, .accessfn = access_tvm_trvm, + .type = ARM_CP_CONST, .resetvalue = 0 }, /* MAIR can just read-as-written because we don't implement caches * and so don't need to care about memory attributes. */ { .name = "MAIR_EL1", .state = ARM_CP_STATE_AA64, .opc0 = 3, .opc1 = 0, .crn = 10, .crm = 2, .opc2 = 0, - .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, cp15.mair_el[1]), + .access = PL1_RW, .accessfn = access_tvm_trvm, + .fieldoffset = offsetof(CPUARMState, cp15.mair_el[1]), .resetvalue = 0 }, { .name = "MAIR_EL3", .state = ARM_CP_STATE_AA64, .opc0 = 3, .opc1 = 6, .crn = 10, .crm = 2, .opc2 = 0, @@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v7_cp_reginfo[] = { * handled in the field definitions. */ { .name = "MAIR0", .state = ARM_CP_STATE_AA32, - .cp = 15, .opc1 = 0, .crn = 10, .crm = 2, .opc2 = 0, .access = PL1_RW, + .cp = 15, .opc1 = 0, .crn = 10, .crm = 2, .opc2 = 0, + .access = PL1_RW, .accessfn = access_tvm_trvm, .bank_fieldoffsets = { offsetof(CPUARMState, cp15.mair0_s), offsetof(CPUARMState, cp15.mair0_ns) }, .resetfn = arm_cp_reset_ignore }, { .name = "MAIR1", .state = ARM_CP_STATE_AA32, - .cp = 15, .opc1 = 0, .crn = 10, .crm = 2, .opc2 = 1, .access = PL1_RW, + .cp = 15, .opc1 = 0, .crn = 10, .crm = 2, .opc2 = 1, + .access = PL1_RW, .accessfn = access_tvm_trvm, .bank_fieldoffsets = { offsetof(CPUARMState, cp15.mair1_s), offsetof(CPUARMState, cp15.mair1_ns) }, .resetfn = arm_cp_reset_ignore }, @@ -XXX,XX +XXX,XX @@ static void vttbr_write(CPUARMState *env, const ARMCPRegInfo *ri, static const ARMCPRegInfo vmsa_pmsa_cp_reginfo[] = { { .name = "DFSR", .cp = 15, .crn = 5, .crm = 0, .opc1 = 0, .opc2 = 0, - .access = PL1_RW, .type = ARM_CP_ALIAS, + .access = PL1_RW, .accessfn = access_tvm_trvm, .type = ARM_CP_ALIAS, .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.dfsr_s), offsetoflow32(CPUARMState, cp15.dfsr_ns) }, }, { .name = "IFSR", .cp = 15, .crn = 5, .crm = 0, .opc1 = 0, .opc2 = 1, - .access = PL1_RW, .resetvalue = 0, + .access = PL1_RW, .accessfn = access_tvm_trvm, .resetvalue = 0, .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.ifsr_s), offsetoflow32(CPUARMState, cp15.ifsr_ns) } }, { .name = "DFAR", .cp = 15, .opc1 = 0, .crn = 6, .crm = 0, .opc2 = 0, - .access = PL1_RW, .resetvalue = 0, + .access = PL1_RW, .accessfn = access_tvm_trvm, .resetvalue = 0, .bank_fieldoffsets = { offsetof(CPUARMState, cp15.dfar_s), offsetof(CPUARMState, cp15.dfar_ns) } }, { .name = "FAR_EL1", .state = ARM_CP_STATE_AA64, .opc0 = 3, .crn = 6, .crm = 0, .opc1 = 0, .opc2 = 0, - .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, cp15.far_el[1]), + .access = PL1_RW, .accessfn = access_tvm_trvm, + .fieldoffset = offsetof(CPUARMState, cp15.far_el[1]), .resetvalue = 0, }, REGINFO_SENTINEL }; @@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo vmsa_pmsa_cp_reginfo[] = { static const ARMCPRegInfo vmsa_cp_reginfo[] = { { .name = "ESR_EL1", .state = ARM_CP_STATE_AA64, .opc0 = 3, .crn = 5, .crm = 2, .opc1 = 0, .opc2 = 0, - .access = PL1_RW, + .access = PL1_RW, .accessfn = access_tvm_trvm, .fieldoffset = offsetof(CPUARMState, cp15.esr_el[1]), .resetvalue = 0, }, { .name = "TTBR0_EL1", .state = ARM_CP_STATE_BOTH, .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 0, .opc2 = 0, - .access = PL1_RW, .writefn = vmsa_ttbr_write, .resetvalue = 0, + .access = PL1_RW, .accessfn = access_tvm_trvm, + .writefn = vmsa_ttbr_write, .resetvalue = 0, .bank_fieldoffsets = { offsetof(CPUARMState, cp15.ttbr0_s), offsetof(CPUARMState, cp15.ttbr0_ns) } }, { .name = "TTBR1_EL1", .state = ARM_CP_STATE_BOTH, .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 0, .opc2 = 1, - .access = PL1_RW, .writefn = vmsa_ttbr_write, .resetvalue = 0, + .access = PL1_RW, .accessfn = access_tvm_trvm, + .writefn = vmsa_ttbr_write, .resetvalue = 0, .bank_fieldoffsets = { offsetof(CPUARMState, cp15.ttbr1_s), offsetof(CPUARMState, cp15.ttbr1_ns) } }, { .name = "TCR_EL1", .state = ARM_CP_STATE_AA64, .opc0 = 3, .crn = 2, .crm = 0, .opc1 = 0, .opc2 = 2, - .access = PL1_RW, .writefn = vmsa_tcr_el12_write, + .access = PL1_RW, .accessfn = access_tvm_trvm, + .writefn = vmsa_tcr_el12_write, .resetfn = vmsa_ttbcr_reset, .raw_writefn = raw_write, .fieldoffset = offsetof(CPUARMState, cp15.tcr_el[1]) }, { .name = "TTBCR", .cp = 15, .crn = 2, .crm = 0, .opc1 = 0, .opc2 = 2, - .access = PL1_RW, .type = ARM_CP_ALIAS, .writefn = vmsa_ttbcr_write, + .access = PL1_RW, .accessfn = access_tvm_trvm, + .type = ARM_CP_ALIAS, .writefn = vmsa_ttbcr_write, .raw_writefn = vmsa_ttbcr_raw_write, .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.tcr_el[3]), offsetoflow32(CPUARMState, cp15.tcr_el[1])} }, @@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo vmsa_cp_reginfo[] = { */ static const ARMCPRegInfo ttbcr2_reginfo = { .name = "TTBCR2", .cp = 15, .opc1 = 0, .crn = 2, .crm = 0, .opc2 = 3, - .access = PL1_RW, .type = ARM_CP_ALIAS, + .access = PL1_RW, .accessfn = access_tvm_trvm, + .type = ARM_CP_ALIAS, .bank_fieldoffsets = { offsetofhigh32(CPUARMState, cp15.tcr_el[3]), offsetofhigh32(CPUARMState, cp15.tcr_el[1]) }, }; @@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo lpae_cp_reginfo[] = { /* NOP AMAIR0/1 */ { .name = "AMAIR0", .state = ARM_CP_STATE_BOTH, .opc0 = 3, .crn = 10, .crm = 3, .opc1 = 0, .opc2 = 0, - .access = PL1_RW, .type = ARM_CP_CONST, - .resetvalue = 0 }, + .access = PL1_RW, .accessfn = access_tvm_trvm, + .type = ARM_CP_CONST, .resetvalue = 0 }, /* AMAIR1 is mapped to AMAIR_EL1[63:32] */ { .name = "AMAIR1", .cp = 15, .crn = 10, .crm = 3, .opc1 = 0, .opc2 = 1, - .access = PL1_RW, .type = ARM_CP_CONST, - .resetvalue = 0 }, + .access = PL1_RW, .accessfn = access_tvm_trvm, + .type = ARM_CP_CONST, .resetvalue = 0 }, { .name = "PAR", .cp = 15, .crm = 7, .opc1 = 0, .access = PL1_RW, .type = ARM_CP_64BIT, .resetvalue = 0, .bank_fieldoffsets = { offsetof(CPUARMState, cp15.par_s), offsetof(CPUARMState, cp15.par_ns)} }, { .name = "TTBR0", .cp = 15, .crm = 2, .opc1 = 0, - .access = PL1_RW, .type = ARM_CP_64BIT | ARM_CP_ALIAS, + .access = PL1_RW, .accessfn = access_tvm_trvm, + .type = ARM_CP_64BIT | ARM_CP_ALIAS, .bank_fieldoffsets = { offsetof(CPUARMState, cp15.ttbr0_s), offsetof(CPUARMState, cp15.ttbr0_ns) }, .writefn = vmsa_ttbr_write, }, { .name = "TTBR1", .cp = 15, .crm = 2, .opc1 = 1, - .access = PL1_RW, .type = ARM_CP_64BIT | ARM_CP_ALIAS, + .access = PL1_RW, .accessfn = access_tvm_trvm, + .type = ARM_CP_64BIT | ARM_CP_ALIAS, .bank_fieldoffsets = { offsetof(CPUARMState, cp15.ttbr1_s), offsetof(CPUARMState, cp15.ttbr1_ns) }, .writefn = vmsa_ttbr_write, }, @@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v8_cp_reginfo[] = { .type = ARM_CP_NOP, .access = PL1_W }, /* MMU Domain access control / MPU write buffer control */ { .name = "DACR", .cp = 15, .opc1 = 0, .crn = 3, .crm = 0, .opc2 = 0, - .access = PL1_RW, .resetvalue = 0, + .access = PL1_RW, .accessfn = access_tvm_trvm, .resetvalue = 0, .writefn = dacr_write, .raw_writefn = raw_write, .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.dacr_s), offsetoflow32(CPUARMState, cp15.dacr_ns) } }, @@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu) ARMCPRegInfo sctlr = { .name = "SCTLR", .state = ARM_CP_STATE_BOTH, .opc0 = 3, .opc1 = 0, .crn = 1, .crm = 0, .opc2 = 0, - .access = PL1_RW, + .access = PL1_RW, .accessfn = access_tvm_trvm, .bank_fieldoffsets = { offsetof(CPUARMState, cp15.sctlr_s), offsetof(CPUARMState, cp15.sctlr_ns) }, .writefn = sctlr_write, .resetvalue = cpu->reset_sctlr, -- 2.20.1 From: Richard Henderson <richard.henderson@linaro.org> These bits trap EL1 access to set/way cache maintenance insns. Buglink: https://bugs.launchpad.net/bugs/1863685 Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20200229012811.24129-8-richard.henderson@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- target/arm/helper.c | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/target/arm/helper.c b/target/arm/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -XXX,XX +XXX,XX @@ static CPAccessResult access_tvm_trvm(CPUARMState *env, const ARMCPRegInfo *ri, return CP_ACCESS_OK; } +/* Check for traps from EL1 due to HCR_EL2.TSW. */ +static CPAccessResult access_tsw(CPUARMState *env, const ARMCPRegInfo *ri, + bool isread) +{ + if (arm_current_el(env) == 1 && (arm_hcr_el2_eff(env) & HCR_TSW)) { + return CP_ACCESS_TRAP_EL2; + } + return CP_ACCESS_OK; +} + static void dacr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value) { ARMCPU *cpu = env_archcpu(env); @@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v8_cp_reginfo[] = { .access = PL1_W, .type = ARM_CP_NOP }, { .name = "DC_ISW", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 6, .opc2 = 2, - .access = PL1_W, .type = ARM_CP_NOP }, + .access = PL1_W, .accessfn = access_tsw, .type = ARM_CP_NOP }, { .name = "DC_CVAC", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 10, .opc2 = 1, .access = PL0_W, .type = ARM_CP_NOP, .accessfn = aa64_cacheop_access }, { .name = "DC_CSW", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 10, .opc2 = 2, - .access = PL1_W, .type = ARM_CP_NOP }, + .access = PL1_W, .accessfn = access_tsw, .type = ARM_CP_NOP }, { .name = "DC_CVAU", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 11, .opc2 = 1, .access = PL0_W, .type = ARM_CP_NOP, @@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v8_cp_reginfo[] = { .accessfn = aa64_cacheop_access }, { .name = "DC_CISW", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 14, .opc2 = 2, - .access = PL1_W, .type = ARM_CP_NOP }, + .access = PL1_W, .accessfn = access_tsw, .type = ARM_CP_NOP }, /* TLBI operations */ { .name = "TLBI_VMALLE1IS", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 0, @@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v8_cp_reginfo[] = { { .name = "DCIMVAC", .cp = 15, .opc1 = 0, .crn = 7, .crm = 6, .opc2 = 1, .type = ARM_CP_NOP, .access = PL1_W }, { .name = "DCISW", .cp = 15, .opc1 = 0, .crn = 7, .crm = 6, .opc2 = 2, - .type = ARM_CP_NOP, .access = PL1_W }, + .type = ARM_CP_NOP, .access = PL1_W, .accessfn = access_tsw }, { .name = "DCCMVAC", .cp = 15, .opc1 = 0, .crn = 7, .crm = 10, .opc2 = 1, .type = ARM_CP_NOP, .access = PL1_W }, { .name = "DCCSW", .cp = 15, .opc1 = 0, .crn = 7, .crm = 10, .opc2 = 2, - .type = ARM_CP_NOP, .access = PL1_W }, + .type = ARM_CP_NOP, .access = PL1_W, .accessfn = access_tsw }, { .name = "DCCMVAU", .cp = 15, .opc1 = 0, .crn = 7, .crm = 11, .opc2 = 1, .type = ARM_CP_NOP, .access = PL1_W }, { .name = "DCCIMVAC", .cp = 15, .opc1 = 0, .crn = 7, .crm = 14, .opc2 = 1, .type = ARM_CP_NOP, .access = PL1_W }, { .name = "DCCISW", .cp = 15, .opc1 = 0, .crn = 7, .crm = 14, .opc2 = 2, - .type = ARM_CP_NOP, .access = PL1_W }, + .type = ARM_CP_NOP, .access = PL1_W, .accessfn = access_tsw }, /* MMU Domain access control / MPU write buffer control */ { .name = "DACR", .cp = 15, .opc1 = 0, .crn = 3, .crm = 0, .opc2 = 0, .access = PL1_RW, .accessfn = access_tvm_trvm, .resetvalue = 0, -- 2.20.1 From: Richard Henderson <richard.henderson@linaro.org> This bit traps EL1 access to the auxiliary control registers. Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20200229012811.24129-9-richard.henderson@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- target/arm/helper.c | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/target/arm/helper.c b/target/arm/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -XXX,XX +XXX,XX @@ static CPAccessResult access_tsw(CPUARMState *env, const ARMCPRegInfo *ri, return CP_ACCESS_OK; } +/* Check for traps from EL1 due to HCR_EL2.TACR. */ +static CPAccessResult access_tacr(CPUARMState *env, const ARMCPRegInfo *ri, + bool isread) +{ + if (arm_current_el(env) == 1 && (arm_hcr_el2_eff(env) & HCR_TACR)) { + return CP_ACCESS_TRAP_EL2; + } + return CP_ACCESS_OK; +} + static void dacr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value) { ARMCPU *cpu = env_archcpu(env); @@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo ats1cp_reginfo[] = { static const ARMCPRegInfo actlr2_hactlr2_reginfo[] = { { .name = "ACTLR2", .state = ARM_CP_STATE_AA32, .cp = 15, .opc1 = 0, .crn = 1, .crm = 0, .opc2 = 3, - .access = PL1_RW, .type = ARM_CP_CONST, - .resetvalue = 0 }, + .access = PL1_RW, .accessfn = access_tacr, + .type = ARM_CP_CONST, .resetvalue = 0 }, { .name = "HACTLR2", .state = ARM_CP_STATE_AA32, .cp = 15, .opc1 = 4, .crn = 1, .crm = 0, .opc2 = 3, .access = PL2_RW, .type = ARM_CP_CONST, @@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu) ARMCPRegInfo auxcr_reginfo[] = { { .name = "ACTLR_EL1", .state = ARM_CP_STATE_BOTH, .opc0 = 3, .opc1 = 0, .crn = 1, .crm = 0, .opc2 = 1, - .access = PL1_RW, .type = ARM_CP_CONST, - .resetvalue = cpu->reset_auxcr }, + .access = PL1_RW, .accessfn = access_tacr, + .type = ARM_CP_CONST, .resetvalue = cpu->reset_auxcr }, { .name = "ACTLR_EL2", .state = ARM_CP_STATE_BOTH, .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 0, .opc2 = 1, .access = PL2_RW, .type = ARM_CP_CONST, -- 2.20.1 From: Richard Henderson <richard.henderson@linaro.org> This bit traps EL1 access to cache maintenance insns that operate to the point of coherency or persistence. Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20200229012811.24129-10-richard.henderson@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- target/arm/helper.c | 39 +++++++++++++++++++++++++++++++-------- 1 file changed, 31 insertions(+), 8 deletions(-) diff --git a/target/arm/helper.c b/target/arm/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -XXX,XX +XXX,XX @@ static CPAccessResult aa64_cacheop_access(CPUARMState *env, return CP_ACCESS_OK; } +static CPAccessResult aa64_cacheop_poc_access(CPUARMState *env, + const ARMCPRegInfo *ri, + bool isread) +{ + /* Cache invalidate/clean to Point of Coherency or Persistence... */ + switch (arm_current_el(env)) { + case 0: + /* ... EL0 must UNDEF unless SCTLR_EL1.UCI is set. */ + if (!(arm_sctlr(env, 0) & SCTLR_UCI)) { + return CP_ACCESS_TRAP; + } + /* fall through */ + case 1: + /* ... EL1 must trap to EL2 if HCR_EL2.TPCP is set. */ + if (arm_hcr_el2_eff(env) & HCR_TPCP) { + return CP_ACCESS_TRAP_EL2; + } + break; + } + return CP_ACCESS_OK; +} + /* See: D4.7.2 TLB maintenance requirements and the TLB maintenance instructions * Page D4-1736 (DDI0487A.b) */ @@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v8_cp_reginfo[] = { .accessfn = aa64_cacheop_access }, { .name = "DC_IVAC", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 6, .opc2 = 1, - .access = PL1_W, .type = ARM_CP_NOP }, + .access = PL1_W, .accessfn = aa64_cacheop_poc_access, + .type = ARM_CP_NOP }, { .name = "DC_ISW", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 6, .opc2 = 2, .access = PL1_W, .accessfn = access_tsw, .type = ARM_CP_NOP }, { .name = "DC_CVAC", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 10, .opc2 = 1, .access = PL0_W, .type = ARM_CP_NOP, - .accessfn = aa64_cacheop_access }, + .accessfn = aa64_cacheop_poc_access }, { .name = "DC_CSW", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 10, .opc2 = 2, .access = PL1_W, .accessfn = access_tsw, .type = ARM_CP_NOP }, @@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v8_cp_reginfo[] = { { .name = "DC_CIVAC", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 14, .opc2 = 1, .access = PL0_W, .type = ARM_CP_NOP, - .accessfn = aa64_cacheop_access }, + .accessfn = aa64_cacheop_poc_access }, { .name = "DC_CISW", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 14, .opc2 = 2, .access = PL1_W, .accessfn = access_tsw, .type = ARM_CP_NOP }, @@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v8_cp_reginfo[] = { { .name = "BPIMVA", .cp = 15, .opc1 = 0, .crn = 7, .crm = 5, .opc2 = 7, .type = ARM_CP_NOP, .access = PL1_W }, { .name = "DCIMVAC", .cp = 15, .opc1 = 0, .crn = 7, .crm = 6, .opc2 = 1, - .type = ARM_CP_NOP, .access = PL1_W }, + .type = ARM_CP_NOP, .access = PL1_W, .accessfn = aa64_cacheop_poc_access }, { .name = "DCISW", .cp = 15, .opc1 = 0, .crn = 7, .crm = 6, .opc2 = 2, .type = ARM_CP_NOP, .access = PL1_W, .accessfn = access_tsw }, { .name = "DCCMVAC", .cp = 15, .opc1 = 0, .crn = 7, .crm = 10, .opc2 = 1, - .type = ARM_CP_NOP, .access = PL1_W }, + .type = ARM_CP_NOP, .access = PL1_W, .accessfn = aa64_cacheop_poc_access }, { .name = "DCCSW", .cp = 15, .opc1 = 0, .crn = 7, .crm = 10, .opc2 = 2, .type = ARM_CP_NOP, .access = PL1_W, .accessfn = access_tsw }, { .name = "DCCMVAU", .cp = 15, .opc1 = 0, .crn = 7, .crm = 11, .opc2 = 1, .type = ARM_CP_NOP, .access = PL1_W }, { .name = "DCCIMVAC", .cp = 15, .opc1 = 0, .crn = 7, .crm = 14, .opc2 = 1, - .type = ARM_CP_NOP, .access = PL1_W }, + .type = ARM_CP_NOP, .access = PL1_W, .accessfn = aa64_cacheop_poc_access }, { .name = "DCCISW", .cp = 15, .opc1 = 0, .crn = 7, .crm = 14, .opc2 = 2, .type = ARM_CP_NOP, .access = PL1_W, .accessfn = access_tsw }, /* MMU Domain access control / MPU write buffer control */ @@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo dcpop_reg[] = { { .name = "DC_CVAP", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 12, .opc2 = 1, .access = PL0_W, .type = ARM_CP_NO_RAW | ARM_CP_SUPPRESS_TB_END, - .accessfn = aa64_cacheop_access, .writefn = dccvap_writefn }, + .accessfn = aa64_cacheop_poc_access, .writefn = dccvap_writefn }, REGINFO_SENTINEL }; @@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo dcpodp_reg[] = { { .name = "DC_CVADP", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 13, .opc2 = 1, .access = PL0_W, .type = ARM_CP_NO_RAW | ARM_CP_SUPPRESS_TB_END, - .accessfn = aa64_cacheop_access, .writefn = dccvap_writefn }, + .accessfn = aa64_cacheop_poc_access, .writefn = dccvap_writefn }, REGINFO_SENTINEL }; #endif /*CONFIG_USER_ONLY*/ -- 2.20.1 From: Richard Henderson <richard.henderson@linaro.org> This bit traps EL1 access to cache maintenance insns that operate to the point of unification. There are no longer any references to plain aa64_cacheop_access, so remove it. Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20200229012811.24129-11-richard.henderson@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- target/arm/helper.c | 53 +++++++++++++++++++++++++++------------------ 1 file changed, 32 insertions(+), 21 deletions(-) diff --git a/target/arm/helper.c b/target/arm/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo uao_reginfo = { .readfn = aa64_uao_read, .writefn = aa64_uao_write }; -static CPAccessResult aa64_cacheop_access(CPUARMState *env, - const ARMCPRegInfo *ri, - bool isread) -{ - /* Cache invalidate/clean: NOP, but EL0 must UNDEF unless - * SCTLR_EL1.UCI is set. - */ - if (arm_current_el(env) == 0 && !(arm_sctlr(env, 0) & SCTLR_UCI)) { - return CP_ACCESS_TRAP; - } - return CP_ACCESS_OK; -} - static CPAccessResult aa64_cacheop_poc_access(CPUARMState *env, const ARMCPRegInfo *ri, bool isread) @@ -XXX,XX +XXX,XX @@ static CPAccessResult aa64_cacheop_poc_access(CPUARMState *env, return CP_ACCESS_OK; } +static CPAccessResult aa64_cacheop_pou_access(CPUARMState *env, + const ARMCPRegInfo *ri, + bool isread) +{ + /* Cache invalidate/clean to Point of Unification... */ + switch (arm_current_el(env)) { + case 0: + /* ... EL0 must UNDEF unless SCTLR_EL1.UCI is set. */ + if (!(arm_sctlr(env, 0) & SCTLR_UCI)) { + return CP_ACCESS_TRAP; + } + /* fall through */ + case 1: + /* ... EL1 must trap to EL2 if HCR_EL2.TPU is set. */ + if (arm_hcr_el2_eff(env) & HCR_TPU) { + return CP_ACCESS_TRAP_EL2; + } + break; + } + return CP_ACCESS_OK; +} + /* See: D4.7.2 TLB maintenance requirements and the TLB maintenance instructions * Page D4-1736 (DDI0487A.b) */ @@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v8_cp_reginfo[] = { /* Cache ops: all NOPs since we don't emulate caches */ { .name = "IC_IALLUIS", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 1, .opc2 = 0, - .access = PL1_W, .type = ARM_CP_NOP }, + .access = PL1_W, .type = ARM_CP_NOP, + .accessfn = aa64_cacheop_pou_access }, { .name = "IC_IALLU", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 5, .opc2 = 0, - .access = PL1_W, .type = ARM_CP_NOP }, + .access = PL1_W, .type = ARM_CP_NOP, + .accessfn = aa64_cacheop_pou_access }, { .name = "IC_IVAU", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 5, .opc2 = 1, .access = PL0_W, .type = ARM_CP_NOP, - .accessfn = aa64_cacheop_access }, + .accessfn = aa64_cacheop_pou_access }, { .name = "DC_IVAC", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 6, .opc2 = 1, .access = PL1_W, .accessfn = aa64_cacheop_poc_access, @@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v8_cp_reginfo[] = { { .name = "DC_CVAU", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 11, .opc2 = 1, .access = PL0_W, .type = ARM_CP_NOP, - .accessfn = aa64_cacheop_access }, + .accessfn = aa64_cacheop_pou_access }, { .name = "DC_CIVAC", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 14, .opc2 = 1, .access = PL0_W, .type = ARM_CP_NOP, @@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v8_cp_reginfo[] = { .writefn = tlbiipas2_is_write }, /* 32 bit cache operations */ { .name = "ICIALLUIS", .cp = 15, .opc1 = 0, .crn = 7, .crm = 1, .opc2 = 0, - .type = ARM_CP_NOP, .access = PL1_W }, + .type = ARM_CP_NOP, .access = PL1_W, .accessfn = aa64_cacheop_pou_access }, { .name = "BPIALLUIS", .cp = 15, .opc1 = 0, .crn = 7, .crm = 1, .opc2 = 6, .type = ARM_CP_NOP, .access = PL1_W }, { .name = "ICIALLU", .cp = 15, .opc1 = 0, .crn = 7, .crm = 5, .opc2 = 0, - .type = ARM_CP_NOP, .access = PL1_W }, + .type = ARM_CP_NOP, .access = PL1_W, .accessfn = aa64_cacheop_pou_access }, { .name = "ICIMVAU", .cp = 15, .opc1 = 0, .crn = 7, .crm = 5, .opc2 = 1, - .type = ARM_CP_NOP, .access = PL1_W }, + .type = ARM_CP_NOP, .access = PL1_W, .accessfn = aa64_cacheop_pou_access }, { .name = "BPIALL", .cp = 15, .opc1 = 0, .crn = 7, .crm = 5, .opc2 = 6, .type = ARM_CP_NOP, .access = PL1_W }, { .name = "BPIMVA", .cp = 15, .opc1 = 0, .crn = 7, .crm = 5, .opc2 = 7, @@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v8_cp_reginfo[] = { { .name = "DCCSW", .cp = 15, .opc1 = 0, .crn = 7, .crm = 10, .opc2 = 2, .type = ARM_CP_NOP, .access = PL1_W, .accessfn = access_tsw }, { .name = "DCCMVAU", .cp = 15, .opc1 = 0, .crn = 7, .crm = 11, .opc2 = 1, - .type = ARM_CP_NOP, .access = PL1_W }, + .type = ARM_CP_NOP, .access = PL1_W, .accessfn = aa64_cacheop_pou_access }, { .name = "DCCIMVAC", .cp = 15, .opc1 = 0, .crn = 7, .crm = 14, .opc2 = 1, .type = ARM_CP_NOP, .access = PL1_W, .accessfn = aa64_cacheop_poc_access }, { .name = "DCCISW", .cp = 15, .opc1 = 0, .crn = 7, .crm = 14, .opc2 = 2, -- 2.20.1 From: Richard Henderson <richard.henderson@linaro.org> This bit traps EL1 access to tlb maintenance insns. Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20200229012811.24129-12-richard.henderson@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- target/arm/helper.c | 85 +++++++++++++++++++++++++++++---------------- 1 file changed, 55 insertions(+), 30 deletions(-) diff --git a/target/arm/helper.c b/target/arm/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -XXX,XX +XXX,XX @@ static CPAccessResult access_tacr(CPUARMState *env, const ARMCPRegInfo *ri, return CP_ACCESS_OK; } +/* Check for traps from EL1 due to HCR_EL2.TTLB. */ +static CPAccessResult access_ttlb(CPUARMState *env, const ARMCPRegInfo *ri, + bool isread) +{ + if (arm_current_el(env) == 1 && (arm_hcr_el2_eff(env) & HCR_TTLB)) { + return CP_ACCESS_TRAP_EL2; + } + return CP_ACCESS_OK; +} + static void dacr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value) { ARMCPU *cpu = env_archcpu(env); @@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v7_cp_reginfo[] = { .type = ARM_CP_NO_RAW, .access = PL1_R, .readfn = isr_read }, /* 32 bit ITLB invalidates */ { .name = "ITLBIALL", .cp = 15, .opc1 = 0, .crn = 8, .crm = 5, .opc2 = 0, - .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbiall_write }, + .type = ARM_CP_NO_RAW, .access = PL1_W, .accessfn = access_ttlb, + .writefn = tlbiall_write }, { .name = "ITLBIMVA", .cp = 15, .opc1 = 0, .crn = 8, .crm = 5, .opc2 = 1, - .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbimva_write }, + .type = ARM_CP_NO_RAW, .access = PL1_W, .accessfn = access_ttlb, + .writefn = tlbimva_write }, { .name = "ITLBIASID", .cp = 15, .opc1 = 0, .crn = 8, .crm = 5, .opc2 = 2, - .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbiasid_write }, + .type = ARM_CP_NO_RAW, .access = PL1_W, .accessfn = access_ttlb, + .writefn = tlbiasid_write }, /* 32 bit DTLB invalidates */ { .name = "DTLBIALL", .cp = 15, .opc1 = 0, .crn = 8, .crm = 6, .opc2 = 0, - .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbiall_write }, + .type = ARM_CP_NO_RAW, .access = PL1_W, .accessfn = access_ttlb, + .writefn = tlbiall_write }, { .name = "DTLBIMVA", .cp = 15, .opc1 = 0, .crn = 8, .crm = 6, .opc2 = 1, - .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbimva_write }, + .type = ARM_CP_NO_RAW, .access = PL1_W, .accessfn = access_ttlb, + .writefn = tlbimva_write }, { .name = "DTLBIASID", .cp = 15, .opc1 = 0, .crn = 8, .crm = 6, .opc2 = 2, - .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbiasid_write }, + .type = ARM_CP_NO_RAW, .access = PL1_W, .accessfn = access_ttlb, + .writefn = tlbiasid_write }, /* 32 bit TLB invalidates */ { .name = "TLBIALL", .cp = 15, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 0, - .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbiall_write }, + .type = ARM_CP_NO_RAW, .access = PL1_W, .accessfn = access_ttlb, + .writefn = tlbiall_write }, { .name = "TLBIMVA", .cp = 15, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 1, - .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbimva_write }, + .type = ARM_CP_NO_RAW, .access = PL1_W, .accessfn = access_ttlb, + .writefn = tlbimva_write }, { .name = "TLBIASID", .cp = 15, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 2, - .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbiasid_write }, + .type = ARM_CP_NO_RAW, .access = PL1_W, .accessfn = access_ttlb, + .writefn = tlbiasid_write }, { .name = "TLBIMVAA", .cp = 15, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 3, - .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbimvaa_write }, + .type = ARM_CP_NO_RAW, .access = PL1_W, .accessfn = access_ttlb, + .writefn = tlbimvaa_write }, REGINFO_SENTINEL }; static const ARMCPRegInfo v7mp_cp_reginfo[] = { /* 32 bit TLB invalidates, Inner Shareable */ { .name = "TLBIALLIS", .cp = 15, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 0, - .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbiall_is_write }, + .type = ARM_CP_NO_RAW, .access = PL1_W, .accessfn = access_ttlb, + .writefn = tlbiall_is_write }, { .name = "TLBIMVAIS", .cp = 15, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 1, - .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbimva_is_write }, + .type = ARM_CP_NO_RAW, .access = PL1_W, .accessfn = access_ttlb, + .writefn = tlbimva_is_write }, { .name = "TLBIASIDIS", .cp = 15, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 2, - .type = ARM_CP_NO_RAW, .access = PL1_W, + .type = ARM_CP_NO_RAW, .access = PL1_W, .accessfn = access_ttlb, .writefn = tlbiasid_is_write }, { .name = "TLBIMVAAIS", .cp = 15, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 3, - .type = ARM_CP_NO_RAW, .access = PL1_W, + .type = ARM_CP_NO_RAW, .access = PL1_W, .accessfn = access_ttlb, .writefn = tlbimvaa_is_write }, REGINFO_SENTINEL }; @@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v8_cp_reginfo[] = { /* TLBI operations */ { .name = "TLBI_VMALLE1IS", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 0, - .access = PL1_W, .type = ARM_CP_NO_RAW, + .access = PL1_W, .accessfn = access_ttlb, .type = ARM_CP_NO_RAW, .writefn = tlbi_aa64_vmalle1is_write }, { .name = "TLBI_VAE1IS", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 1, - .access = PL1_W, .type = ARM_CP_NO_RAW, + .access = PL1_W, .accessfn = access_ttlb, .type = ARM_CP_NO_RAW, .writefn = tlbi_aa64_vae1is_write }, { .name = "TLBI_ASIDE1IS", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 2, - .access = PL1_W, .type = ARM_CP_NO_RAW, + .access = PL1_W, .accessfn = access_ttlb, .type = ARM_CP_NO_RAW, .writefn = tlbi_aa64_vmalle1is_write }, { .name = "TLBI_VAAE1IS", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 3, - .access = PL1_W, .type = ARM_CP_NO_RAW, + .access = PL1_W, .accessfn = access_ttlb, .type = ARM_CP_NO_RAW, .writefn = tlbi_aa64_vae1is_write }, { .name = "TLBI_VALE1IS", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 5, - .access = PL1_W, .type = ARM_CP_NO_RAW, + .access = PL1_W, .accessfn = access_ttlb, .type = ARM_CP_NO_RAW, .writefn = tlbi_aa64_vae1is_write }, { .name = "TLBI_VAALE1IS", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 7, - .access = PL1_W, .type = ARM_CP_NO_RAW, + .access = PL1_W, .accessfn = access_ttlb, .type = ARM_CP_NO_RAW, .writefn = tlbi_aa64_vae1is_write }, { .name = "TLBI_VMALLE1", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 0, - .access = PL1_W, .type = ARM_CP_NO_RAW, + .access = PL1_W, .accessfn = access_ttlb, .type = ARM_CP_NO_RAW, .writefn = tlbi_aa64_vmalle1_write }, { .name = "TLBI_VAE1", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 1, - .access = PL1_W, .type = ARM_CP_NO_RAW, + .access = PL1_W, .accessfn = access_ttlb, .type = ARM_CP_NO_RAW, .writefn = tlbi_aa64_vae1_write }, { .name = "TLBI_ASIDE1", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 2, - .access = PL1_W, .type = ARM_CP_NO_RAW, + .access = PL1_W, .accessfn = access_ttlb, .type = ARM_CP_NO_RAW, .writefn = tlbi_aa64_vmalle1_write }, { .name = "TLBI_VAAE1", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 3, - .access = PL1_W, .type = ARM_CP_NO_RAW, + .access = PL1_W, .accessfn = access_ttlb, .type = ARM_CP_NO_RAW, .writefn = tlbi_aa64_vae1_write }, { .name = "TLBI_VALE1", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 5, - .access = PL1_W, .type = ARM_CP_NO_RAW, + .access = PL1_W, .accessfn = access_ttlb, .type = ARM_CP_NO_RAW, .writefn = tlbi_aa64_vae1_write }, { .name = "TLBI_VAALE1", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 7, - .access = PL1_W, .type = ARM_CP_NO_RAW, + .access = PL1_W, .accessfn = access_ttlb, .type = ARM_CP_NO_RAW, .writefn = tlbi_aa64_vae1_write }, { .name = "TLBI_IPAS2E1IS", .state = ARM_CP_STATE_AA64, .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 0, .opc2 = 1, @@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v8_cp_reginfo[] = { #endif /* TLB invalidate last level of translation table walk */ { .name = "TLBIMVALIS", .cp = 15, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 5, - .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbimva_is_write }, + .type = ARM_CP_NO_RAW, .access = PL1_W, .accessfn = access_ttlb, + .writefn = tlbimva_is_write }, { .name = "TLBIMVAALIS", .cp = 15, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 7, - .type = ARM_CP_NO_RAW, .access = PL1_W, + .type = ARM_CP_NO_RAW, .access = PL1_W, .accessfn = access_ttlb, .writefn = tlbimvaa_is_write }, { .name = "TLBIMVAL", .cp = 15, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 5, - .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbimva_write }, + .type = ARM_CP_NO_RAW, .access = PL1_W, .accessfn = access_ttlb, + .writefn = tlbimva_write }, { .name = "TLBIMVAAL", .cp = 15, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 7, - .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbimvaa_write }, + .type = ARM_CP_NO_RAW, .access = PL1_W, .accessfn = access_ttlb, + .writefn = tlbimvaa_write }, { .name = "TLBIMVALH", .cp = 15, .opc1 = 4, .crn = 8, .crm = 7, .opc2 = 5, .type = ARM_CP_NO_RAW, .access = PL2_W, .writefn = tlbimva_hyp_write }, -- 2.20.1 From: Richard Henderson <richard.henderson@linaro.org> Make the output just a bit prettier when running by hand. Cc: Alex Bennée <alex.bennee@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20200229012811.24129-13-richard.henderson@linaro.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- tests/tcg/aarch64/pauth-1.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/tcg/aarch64/pauth-1.c b/tests/tcg/aarch64/pauth-1.c index XXXXXXX..XXXXXXX 100644 --- a/tests/tcg/aarch64/pauth-1.c +++ b/tests/tcg/aarch64/pauth-1.c @@ -XXX,XX +XXX,XX @@ int main() } perc = (float) count / (float) (TESTS * 2); - printf("Ptr Check: %0.2f%%", perc * 100.0); + printf("Ptr Check: %0.2f%%\n", perc * 100.0); assert(perc > 0.95); return 0; } -- 2.20.1 From: Niek Linnenbank <nieklinnenbank@gmail.com> The Cubieboard is a singleboard computer with an Allwinner A10 System-on-Chip [1]. As documented in the Allwinner A10 User Manual V1.5 [2], the SoC has an ARM Cortex-A8 processor. Currently the Cubieboard machine definition specifies the ARM Cortex-A9 in its description and as the default CPU. This patch corrects the Cubieboard machine definition to use the ARM Cortex-A8. The only user-visible effect is that our textual description of the machine was wrong, because hw/arm/allwinner-a10.c always creates a Cortex-A8 CPU regardless of the default value in the MachineClass struct. [1] http://docs.cubieboard.org/products/start#cubieboard1 [2] https://linux-sunxi.org/File:Allwinner_A10_User_manual_V1.5.pdf Fixes: 8a863c8120994981a099 Signed-off-by: Niek Linnenbank <nieklinnenbank@gmail.com> Message-id: 20200227220149.6845-2-nieklinnenbank@gmail.com Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> [note in commit message that the bug didn't have much visible effect] Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- hw/arm/cubieboard.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hw/arm/cubieboard.c b/hw/arm/cubieboard.c index XXXXXXX..XXXXXXX 100644 --- a/hw/arm/cubieboard.c +++ b/hw/arm/cubieboard.c @@ -XXX,XX +XXX,XX @@ static void cubieboard_init(MachineState *machine) static void cubieboard_machine_init(MachineClass *mc) { - mc->desc = "cubietech cubieboard (Cortex-A9)"; - mc->default_cpu_type = ARM_CPU_TYPE_NAME("cortex-a9"); + mc->desc = "cubietech cubieboard (Cortex-A8)"; + mc->default_cpu_type = ARM_CPU_TYPE_NAME("cortex-a8"); mc->init = cubieboard_init; mc->block_default_type = IF_IDE; mc->units_per_default_bus = 1; -- 2.20.1 From: Niek Linnenbank <nieklinnenbank@gmail.com> The Cubieboard has an ARM Cortex-A8. Instead of simply ignoring a bogus -cpu option provided by the user, give them an error message so they know their command line is wrong. Signed-off-by: Niek Linnenbank <nieklinnenbank@gmail.com> Message-id: 20200227220149.6845-3-nieklinnenbank@gmail.com Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> [PMM: tweaked commit message] Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- hw/arm/cubieboard.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/hw/arm/cubieboard.c b/hw/arm/cubieboard.c index XXXXXXX..XXXXXXX 100644 --- a/hw/arm/cubieboard.c +++ b/hw/arm/cubieboard.c @@ -XXX,XX +XXX,XX @@ static struct arm_boot_info cubieboard_binfo = { static void cubieboard_init(MachineState *machine) { - AwA10State *a10 = AW_A10(object_new(TYPE_AW_A10)); + AwA10State *a10; Error *err = NULL; + /* Only allow Cortex-A8 for this board */ + if (strcmp(machine->cpu_type, ARM_CPU_TYPE_NAME("cortex-a8")) != 0) { + error_report("This board can only be used with cortex-a8 CPU"); + exit(1); + } + + a10 = AW_A10(object_new(TYPE_AW_A10)); + object_property_set_int(OBJECT(&a10->emac), 1, "phy-addr", &err); if (err != NULL) { error_reportf_err(err, "Couldn't set phy address: "); -- 2.20.1 From: Niek Linnenbank <nieklinnenbank@gmail.com> The Cubieboard contains either 512MiB or 1GiB of onboard RAM [1]. Prevent changing RAM to a different size which could break user programs. [1] http://linux-sunxi.org/Cubieboard Signed-off-by: Niek Linnenbank <nieklinnenbank@gmail.com> Message-id: 20200227220149.6845-4-nieklinnenbank@gmail.com Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- hw/arm/cubieboard.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/hw/arm/cubieboard.c b/hw/arm/cubieboard.c index XXXXXXX..XXXXXXX 100644 --- a/hw/arm/cubieboard.c +++ b/hw/arm/cubieboard.c @@ -XXX,XX +XXX,XX @@ static void cubieboard_init(MachineState *machine) AwA10State *a10; Error *err = NULL; + /* This board has fixed size RAM (512MiB or 1GiB) */ + if (machine->ram_size != 512 * MiB && + machine->ram_size != 1 * GiB) { + error_report("This machine can only be used with 512MiB or 1GiB RAM"); + exit(1); + } + /* Only allow Cortex-A8 for this board */ if (strcmp(machine->cpu_type, ARM_CPU_TYPE_NAME("cortex-a8")) != 0) { error_report("This board can only be used with cortex-a8 CPU"); @@ -XXX,XX +XXX,XX @@ static void cubieboard_machine_init(MachineClass *mc) { mc->desc = "cubietech cubieboard (Cortex-A8)"; mc->default_cpu_type = ARM_CPU_TYPE_NAME("cortex-a8"); + mc->default_ram_size = 1 * GiB; mc->init = cubieboard_init; mc->block_default_type = IF_IDE; mc->units_per_default_bus = 1; -- 2.20.1 From: Niek Linnenbank <nieklinnenbank@gmail.com> The Cubieboard machine does not support the -bios argument. Report an error when -bios is used and exit immediately. Signed-off-by: Niek Linnenbank <nieklinnenbank@gmail.com> Message-id: 20200227220149.6845-5-nieklinnenbank@gmail.com Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- hw/arm/cubieboard.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/hw/arm/cubieboard.c b/hw/arm/cubieboard.c index XXXXXXX..XXXXXXX 100644 --- a/hw/arm/cubieboard.c +++ b/hw/arm/cubieboard.c @@ -XXX,XX +XXX,XX @@ #include "exec/address-spaces.h" #include "qapi/error.h" #include "cpu.h" +#include "sysemu/sysemu.h" #include "hw/sysbus.h" #include "hw/boards.h" #include "hw/arm/allwinner-a10.h" @@ -XXX,XX +XXX,XX @@ static void cubieboard_init(MachineState *machine) AwA10State *a10; Error *err = NULL; + /* BIOS is not supported by this board */ + if (bios_name) { + error_report("BIOS not supported for this machine"); + exit(1); + } + /* This board has fixed size RAM (512MiB or 1GiB) */ if (machine->ram_size != 512 * MiB && machine->ram_size != 1 * GiB) { -- 2.20.1 From: Richard Henderson <richard.henderson@linaro.org> Replicate the single TBI bit from TCR_EL2 and TCR_EL3 so that we can unconditionally use pointer bit 55 to index into our composite TBI1:TBI0 field. Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Message-id: 20200302175829.2183-2-richard.henderson@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- target/arm/helper.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/target/arm/helper.c b/target/arm/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -XXX,XX +XXX,XX @@ static int aa64_va_parameter_tbi(uint64_t tcr, ARMMMUIdx mmu_idx) } else if (mmu_idx == ARMMMUIdx_Stage2) { return 0; /* VTCR_EL2 */ } else { - return extract32(tcr, 20, 1); + /* Replicate the single TBI bit so we always have 2 bits. */ + return extract32(tcr, 20, 1) * 3; } } @@ -XXX,XX +XXX,XX @@ static int aa64_va_parameter_tbid(uint64_t tcr, ARMMMUIdx mmu_idx) } else if (mmu_idx == ARMMMUIdx_Stage2) { return 0; /* VTCR_EL2 */ } else { - return extract32(tcr, 29, 1); + /* Replicate the single TBID bit so we always have 2 bits. */ + return extract32(tcr, 29, 1) * 3; } } -- 2.20.1 From: Richard Henderson <richard.henderson@linaro.org> We now cache the core mmu_idx in env->hflags. Rather than recompute from scratch, extract the field. All of the uses of cpu_mmu_index within target/arm are within helpers, and env->hflags is always stable within a translation block from whence helpers are called. Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 20200302175829.2183-3-richard.henderson@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- target/arm/cpu.h | 23 +++++++++++++---------- target/arm/helper.c | 5 ----- 2 files changed, 13 insertions(+), 15 deletions(-) diff --git a/target/arm/cpu.h b/target/arm/cpu.h index XXXXXXX..XXXXXXX 100644 --- a/target/arm/cpu.h +++ b/target/arm/cpu.h @@ -XXX,XX +XXX,XX @@ typedef enum ARMMMUIdxBit { #define MMU_USER_IDX 0 -/** - * cpu_mmu_index: - * @env: The cpu environment - * @ifetch: True for code access, false for data access. - * - * Return the core mmu index for the current translation regime. - * This function is used by generic TCG code paths. - */ -int cpu_mmu_index(CPUARMState *env, bool ifetch); - /* Indexes used when registering address spaces with cpu_address_space_init */ typedef enum ARMASIdx { ARMASIdx_NS = 0, @@ -XXX,XX +XXX,XX @@ FIELD(TBFLAG_A64, BTYPE, 10, 2) /* Not cached. */ FIELD(TBFLAG_A64, TBID, 12, 2) FIELD(TBFLAG_A64, UNPRIV, 14, 1) +/** + * cpu_mmu_index: + * @env: The cpu environment + * @ifetch: True for code access, false for data access. + * + * Return the core mmu index for the current translation regime. + * This function is used by generic TCG code paths. + */ +static inline int cpu_mmu_index(CPUARMState *env, bool ifetch) +{ + return FIELD_EX32(env->hflags, TBFLAG_ANY, MMUIDX); +} + static inline bool bswap_code(bool sctlr_b) { #ifdef CONFIG_USER_ONLY diff --git a/target/arm/helper.c b/target/arm/helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper.c +++ b/target/arm/helper.c @@ -XXX,XX +XXX,XX @@ ARMMMUIdx arm_mmu_idx(CPUARMState *env) return arm_mmu_idx_el(env, arm_current_el(env)); } -int cpu_mmu_index(CPUARMState *env, bool ifetch) -{ - return arm_to_core_mmu_idx(arm_mmu_idx(env)); -} - #ifndef CONFIG_USER_ONLY ARMMMUIdx arm_stage1_mmu_idx(CPUARMState *env) { -- 2.20.1 From: Richard Henderson <richard.henderson@linaro.org> If by context we know that we're in AArch64 mode, we need not test for M-profile when reconstructing the full ARMMMUIdx. Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 20200302175829.2183-4-richard.henderson@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- target/arm/internals.h | 6 ++++++ target/arm/translate-a64.c | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/target/arm/internals.h b/target/arm/internals.h index XXXXXXX..XXXXXXX 100644 --- a/target/arm/internals.h +++ b/target/arm/internals.h @@ -XXX,XX +XXX,XX @@ static inline ARMMMUIdx core_to_arm_mmu_idx(CPUARMState *env, int mmu_idx) } } +static inline ARMMMUIdx core_to_aa64_mmu_idx(int mmu_idx) +{ + /* AArch64 is always a-profile. */ + return mmu_idx | ARM_MMU_IDX_A; +} + int arm_mmu_idx_to_el(ARMMMUIdx mmu_idx); /* diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/translate-a64.c +++ b/target/arm/translate-a64.c @@ -XXX,XX +XXX,XX @@ static void aarch64_tr_init_disas_context(DisasContextBase *dcbase, dc->condexec_mask = 0; dc->condexec_cond = 0; core_mmu_idx = FIELD_EX32(tb_flags, TBFLAG_ANY, MMUIDX); - dc->mmu_idx = core_to_arm_mmu_idx(env, core_mmu_idx); + dc->mmu_idx = core_to_aa64_mmu_idx(core_mmu_idx); dc->tbii = FIELD_EX32(tb_flags, TBFLAG_A64, TBII); dc->tbid = FIELD_EX32(tb_flags, TBFLAG_A64, TBID); dc->current_el = arm_mmu_idx_to_el(dc->mmu_idx); -- 2.20.1 From: Richard Henderson <richard.henderson@linaro.org> We missed this case within AArch64.ExceptionReturn. Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 20200302175829.2183-5-richard.henderson@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- target/arm/helper-a64.c | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/target/arm/helper-a64.c b/target/arm/helper-a64.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper-a64.c +++ b/target/arm/helper-a64.c @@ -XXX,XX +XXX,XX @@ void HELPER(exception_return)(CPUARMState *env, uint64_t new_pc) "AArch32 EL%d PC 0x%" PRIx32 "\n", cur_el, new_el, env->regs[15]); } else { + int tbii; + env->aarch64 = 1; spsr &= aarch64_pstate_valid_mask(&env_archcpu(env)->isar); pstate_write(env, spsr); @@ -XXX,XX +XXX,XX @@ void HELPER(exception_return)(CPUARMState *env, uint64_t new_pc) env->pstate &= ~PSTATE_SS; } aarch64_restore_sp(env, new_el); - env->pc = new_pc; helper_rebuild_hflags_a64(env, new_el); + + /* + * Apply TBI to the exception return address. We had to delay this + * until after we selected the new EL, so that we could select the + * correct TBI+TBID bits. This is made easier by waiting until after + * the hflags rebuild, since we can pull the composite TBII field + * from there. + */ + tbii = FIELD_EX32(env->hflags, TBFLAG_A64, TBII); + if ((tbii >> extract64(new_pc, 55, 1)) & 1) { + /* TBI is enabled. */ + int core_mmu_idx = cpu_mmu_index(env, false); + if (regime_has_2_ranges(core_to_aa64_mmu_idx(core_mmu_idx))) { + new_pc = sextract64(new_pc, 0, 56); + } else { + new_pc = extract64(new_pc, 0, 56); + } + } + env->pc = new_pc; + qemu_log_mask(CPU_LOG_INT, "Exception return from AArch64 EL%d to " "AArch64 EL%d PC 0x%" PRIx64 "\n", cur_el, new_el, env->pc); -- 2.20.1 From: Richard Henderson <richard.henderson@linaro.org> This is an aarch64-only function. Move it out of the shared file. This patch is code movement only. Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Message-id: 20200302175829.2183-6-richard.henderson@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- target/arm/helper-a64.h | 1 + target/arm/helper.h | 1 - target/arm/helper-a64.c | 91 ++++++++++++++++++++++++++++++++++++++++ target/arm/op_helper.c | 93 ----------------------------------------- 4 files changed, 92 insertions(+), 94 deletions(-) diff --git a/target/arm/helper-a64.h b/target/arm/helper-a64.h index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper-a64.h +++ b/target/arm/helper-a64.h @@ -XXX,XX +XXX,XX @@ DEF_HELPER_2(advsimd_f16touinth, i32, f16, ptr) DEF_HELPER_2(sqrt_f16, f16, f16, ptr) DEF_HELPER_2(exception_return, void, env, i64) +DEF_HELPER_2(dc_zva, void, env, i64) DEF_HELPER_FLAGS_3(pacia, TCG_CALL_NO_WG, i64, env, i64, i64) DEF_HELPER_FLAGS_3(pacib, TCG_CALL_NO_WG, i64, env, i64, i64) diff --git a/target/arm/helper.h b/target/arm/helper.h index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper.h +++ b/target/arm/helper.h @@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_3(crypto_sm4ekey, TCG_CALL_NO_RWG, void, ptr, ptr, ptr) DEF_HELPER_FLAGS_3(crc32, TCG_CALL_NO_RWG_SE, i32, i32, i32, i32) DEF_HELPER_FLAGS_3(crc32c, TCG_CALL_NO_RWG_SE, i32, i32, i32, i32) -DEF_HELPER_2(dc_zva, void, env, i64) DEF_HELPER_FLAGS_5(gvec_qrdmlah_s16, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32) diff --git a/target/arm/helper-a64.c b/target/arm/helper-a64.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper-a64.c +++ b/target/arm/helper-a64.c @@ -XXX,XX +XXX,XX @@ */ #include "qemu/osdep.h" +#include "qemu/units.h" #include "cpu.h" #include "exec/gdbstub.h" #include "exec/helper-proto.h" @@ -XXX,XX +XXX,XX @@ uint32_t HELPER(sqrt_f16)(uint32_t a, void *fpstp) return float16_sqrt(a, s); } +void HELPER(dc_zva)(CPUARMState *env, uint64_t vaddr_in) +{ + /* + * Implement DC ZVA, which zeroes a fixed-length block of memory. + * Note that we do not implement the (architecturally mandated) + * alignment fault for attempts to use this on Device memory + * (which matches the usual QEMU behaviour of not implementing either + * alignment faults or any memory attribute handling). + */ + ARMCPU *cpu = env_archcpu(env); + uint64_t blocklen = 4 << cpu->dcz_blocksize; + uint64_t vaddr = vaddr_in & ~(blocklen - 1); + +#ifndef CONFIG_USER_ONLY + { + /* + * Slightly awkwardly, QEMU's TARGET_PAGE_SIZE may be less than + * the block size so we might have to do more than one TLB lookup. + * We know that in fact for any v8 CPU the page size is at least 4K + * and the block size must be 2K or less, but TARGET_PAGE_SIZE is only + * 1K as an artefact of legacy v5 subpage support being present in the + * same QEMU executable. So in practice the hostaddr[] array has + * two entries, given the current setting of TARGET_PAGE_BITS_MIN. + */ + int maxidx = DIV_ROUND_UP(blocklen, TARGET_PAGE_SIZE); + void *hostaddr[DIV_ROUND_UP(2 * KiB, 1 << TARGET_PAGE_BITS_MIN)]; + int try, i; + unsigned mmu_idx = cpu_mmu_index(env, false); + TCGMemOpIdx oi = make_memop_idx(MO_UB, mmu_idx); + + assert(maxidx <= ARRAY_SIZE(hostaddr)); + + for (try = 0; try < 2; try++) { + + for (i = 0; i < maxidx; i++) { + hostaddr[i] = tlb_vaddr_to_host(env, + vaddr + TARGET_PAGE_SIZE * i, + 1, mmu_idx); + if (!hostaddr[i]) { + break; + } + } + if (i == maxidx) { + /* + * If it's all in the TLB it's fair game for just writing to; + * we know we don't need to update dirty status, etc. + */ + for (i = 0; i < maxidx - 1; i++) { + memset(hostaddr[i], 0, TARGET_PAGE_SIZE); + } + memset(hostaddr[i], 0, blocklen - (i * TARGET_PAGE_SIZE)); + return; + } + /* + * OK, try a store and see if we can populate the tlb. This + * might cause an exception if the memory isn't writable, + * in which case we will longjmp out of here. We must for + * this purpose use the actual register value passed to us + * so that we get the fault address right. + */ + helper_ret_stb_mmu(env, vaddr_in, 0, oi, GETPC()); + /* Now we can populate the other TLB entries, if any */ + for (i = 0; i < maxidx; i++) { + uint64_t va = vaddr + TARGET_PAGE_SIZE * i; + if (va != (vaddr_in & TARGET_PAGE_MASK)) { + helper_ret_stb_mmu(env, va, 0, oi, GETPC()); + } + } + } + + /* + * Slow path (probably attempt to do this to an I/O device or + * similar, or clearing of a block of code we have translations + * cached for). Just do a series of byte writes as the architecture + * demands. It's not worth trying to use a cpu_physical_memory_map(), + * memset(), unmap() sequence here because: + * + we'd need to account for the blocksize being larger than a page + * + the direct-RAM access case is almost always going to be dealt + * with in the fastpath code above, so there's no speed benefit + * + we would have to deal with the map returning NULL because the + * bounce buffer was in use + */ + for (i = 0; i < blocklen; i++) { + helper_ret_stb_mmu(env, vaddr + i, 0, oi, GETPC()); + } + } +#else + memset(g2h(vaddr), 0, blocklen); +#endif +} diff --git a/target/arm/op_helper.c b/target/arm/op_helper.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/op_helper.c +++ b/target/arm/op_helper.c @@ -XXX,XX +XXX,XX @@ * License along with this library; if not, see <http://www.gnu.org/licenses/>. */ #include "qemu/osdep.h" -#include "qemu/units.h" #include "qemu/log.h" #include "qemu/main-loop.h" #include "cpu.h" @@ -XXX,XX +XXX,XX @@ uint32_t HELPER(ror_cc)(CPUARMState *env, uint32_t x, uint32_t i) return ((uint32_t)x >> shift) | (x << (32 - shift)); } } - -void HELPER(dc_zva)(CPUARMState *env, uint64_t vaddr_in) -{ - /* - * Implement DC ZVA, which zeroes a fixed-length block of memory. - * Note that we do not implement the (architecturally mandated) - * alignment fault for attempts to use this on Device memory - * (which matches the usual QEMU behaviour of not implementing either - * alignment faults or any memory attribute handling). - */ - - ARMCPU *cpu = env_archcpu(env); - uint64_t blocklen = 4 << cpu->dcz_blocksize; - uint64_t vaddr = vaddr_in & ~(blocklen - 1); - -#ifndef CONFIG_USER_ONLY - { - /* - * Slightly awkwardly, QEMU's TARGET_PAGE_SIZE may be less than - * the block size so we might have to do more than one TLB lookup. - * We know that in fact for any v8 CPU the page size is at least 4K - * and the block size must be 2K or less, but TARGET_PAGE_SIZE is only - * 1K as an artefact of legacy v5 subpage support being present in the - * same QEMU executable. So in practice the hostaddr[] array has - * two entries, given the current setting of TARGET_PAGE_BITS_MIN. - */ - int maxidx = DIV_ROUND_UP(blocklen, TARGET_PAGE_SIZE); - void *hostaddr[DIV_ROUND_UP(2 * KiB, 1 << TARGET_PAGE_BITS_MIN)]; - int try, i; - unsigned mmu_idx = cpu_mmu_index(env, false); - TCGMemOpIdx oi = make_memop_idx(MO_UB, mmu_idx); - - assert(maxidx <= ARRAY_SIZE(hostaddr)); - - for (try = 0; try < 2; try++) { - - for (i = 0; i < maxidx; i++) { - hostaddr[i] = tlb_vaddr_to_host(env, - vaddr + TARGET_PAGE_SIZE * i, - 1, mmu_idx); - if (!hostaddr[i]) { - break; - } - } - if (i == maxidx) { - /* - * If it's all in the TLB it's fair game for just writing to; - * we know we don't need to update dirty status, etc. - */ - for (i = 0; i < maxidx - 1; i++) { - memset(hostaddr[i], 0, TARGET_PAGE_SIZE); - } - memset(hostaddr[i], 0, blocklen - (i * TARGET_PAGE_SIZE)); - return; - } - /* - * OK, try a store and see if we can populate the tlb. This - * might cause an exception if the memory isn't writable, - * in which case we will longjmp out of here. We must for - * this purpose use the actual register value passed to us - * so that we get the fault address right. - */ - helper_ret_stb_mmu(env, vaddr_in, 0, oi, GETPC()); - /* Now we can populate the other TLB entries, if any */ - for (i = 0; i < maxidx; i++) { - uint64_t va = vaddr + TARGET_PAGE_SIZE * i; - if (va != (vaddr_in & TARGET_PAGE_MASK)) { - helper_ret_stb_mmu(env, va, 0, oi, GETPC()); - } - } - } - - /* - * Slow path (probably attempt to do this to an I/O device or - * similar, or clearing of a block of code we have translations - * cached for). Just do a series of byte writes as the architecture - * demands. It's not worth trying to use a cpu_physical_memory_map(), - * memset(), unmap() sequence here because: - * + we'd need to account for the blocksize being larger than a page - * + the direct-RAM access case is almost always going to be dealt - * with in the fastpath code above, so there's no speed benefit - * + we would have to deal with the map returning NULL because the - * bounce buffer was in use - */ - for (i = 0; i < blocklen; i++) { - helper_ret_stb_mmu(env, vaddr + i, 0, oi, GETPC()); - } - } -#else - memset(g2h(vaddr), 0, blocklen); -#endif -} -- 2.20.1 From: Richard Henderson <richard.henderson@linaro.org> The function does not write registers, and only reads them by implication via the exception path. Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Message-id: 20200302175829.2183-7-richard.henderson@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- target/arm/helper-a64.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/target/arm/helper-a64.h b/target/arm/helper-a64.h index XXXXXXX..XXXXXXX 100644 --- a/target/arm/helper-a64.h +++ b/target/arm/helper-a64.h @@ -XXX,XX +XXX,XX @@ DEF_HELPER_2(advsimd_f16touinth, i32, f16, ptr) DEF_HELPER_2(sqrt_f16, f16, f16, ptr) DEF_HELPER_2(exception_return, void, env, i64) -DEF_HELPER_2(dc_zva, void, env, i64) +DEF_HELPER_FLAGS_2(dc_zva, TCG_CALL_NO_WG, void, env, i64) DEF_HELPER_FLAGS_3(pacia, TCG_CALL_NO_WG, i64, env, i64, i64) DEF_HELPER_FLAGS_3(pacib, TCG_CALL_NO_WG, i64, env, i64, i64) -- 2.20.1 From: Richard Henderson <richard.henderson@linaro.org> This data access was forgotten when we added support for cleaning addresses of TBI information. Fixes: 3a471103ac1823ba Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20200302175829.2183-8-richard.henderson@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org> --- target/arm/translate-a64.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c index XXXXXXX..XXXXXXX 100644 --- a/target/arm/translate-a64.c +++ b/target/arm/translate-a64.c @@ -XXX,XX +XXX,XX @@ static void handle_sys(DisasContext *s, uint32_t insn, bool isread, return; case ARM_CP_DC_ZVA: /* Writes clear the aligned block of memory which rt points into. */ - tcg_rt = cpu_reg(s, rt); + tcg_rt = clean_data_tbi(s, cpu_reg(s, rt)); gen_helper_dc_zva(cpu_env, tcg_rt); return; default: -- 2.20.1