| 1 | Ten arm-related bug fixes for 2.12... | 1 | Squashed in a trivial fix for 32-bit hosts: |
|---|---|---|---|
| 2 | 2 | ||
| 3 | thanks | 3 | --- a/target/arm/mve_helper.c |
| 4 | +++ b/target/arm/mve_helper.c | ||
| 5 | @@ -XXX,XX +XXX,XX @@ DO_LDAV(vmlsldavxsw, 4, int32_t, true, +=, -=) | ||
| 6 | acc = EVENACC(acc, TO128(n[H##ESIZE(e + 1 * XCHG)] * \ | ||
| 7 | m[H##ESIZE(e)])); \ | ||
| 8 | } \ | ||
| 9 | - acc = int128_add(acc, 1 << 7); \ | ||
| 10 | + acc = int128_add(acc, int128_make64(1 << 7)); \ | ||
| 11 | } \ | ||
| 12 | } \ | ||
| 13 | mve_advance_vpt(env); \ | ||
| 14 | |||
| 4 | -- PMM | 15 | -- PMM |
| 5 | 16 | ||
| 6 | The following changes since commit 4c2c1015905fa1d616750dfe024b4c0b35875950: | 17 | The following changes since commit 53f306f316549d20c76886903181413d20842423: |
| 7 | 18 | ||
| 8 | Merge remote-tracking branch 'remotes/borntraeger/tags/s390x-20180323' into staging (2018-03-23 10:20:54 +0000) | 19 | Merge remote-tracking branch 'remotes/ehabkost-gl/tags/x86-next-pull-request' into staging (2021-06-21 11:26:04 +0100) |
| 9 | 20 | ||
| 10 | are available in the Git repository at: | 21 | are available in the Git repository at: |
| 11 | 22 | ||
| 12 | git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20180323 | 23 | https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20210624 |
| 13 | 24 | ||
| 14 | for you to fetch changes up to 548f514cf89dd9ab39c0cb4c063097bccf141fdd: | 25 | for you to fetch changes up to 90a76c6316cfe6416fc33814a838fb3928f746ee: |
| 15 | 26 | ||
| 16 | target/arm: Always set FAR to a known unknown value for debug exceptions (2018-03-23 18:26:46 +0000) | 27 | docs/system: arm: Add nRF boards description (2021-06-24 14:58:48 +0100) |
| 17 | 28 | ||
| 18 | ---------------------------------------------------------------- | 29 | ---------------------------------------------------------------- |
| 19 | target-arm queue: | 30 | target-arm queue: |
| 20 | * arm/translate-a64: don't lose interrupts after unmasking via write to DAIF | 31 | * Don't require 'virt' board to be compiled in for ACPI GHES code |
| 21 | * sdhci: fix incorrect use of Error * | 32 | * docs: Document which architecture extensions we emulate |
| 22 | * hw/intc/arm_gicv3: Fix secure-GIC NS ICC_PMR and ICC_RPR accesses | 33 | * Fix bugs in M-profile FPCXT_NS accesses |
| 23 | * hw/arm/bcm2836: Use the Cortex-A7 instead of Cortex-A15 | 34 | * First slice of MVE patches |
| 24 | * i.MX: Support serial RS-232 break properly | 35 | * Implement MTE3 |
| 25 | * mach-virt: Set VM's SMBIOS system version to mc->name | 36 | * docs/system: arm: Add nRF boards description |
| 26 | * target/arm: Honour MDCR_EL2.TDE when routing exceptions due to BKPT/BRK | ||
| 27 | * target/arm: Factor out code to calculate FSR for debug exceptions | ||
| 28 | * target/arm: Set FSR for BKPT, BRK when raising exception | ||
| 29 | * target/arm: Always set FAR to a known unknown value for debug exceptions | ||
| 30 | 37 | ||
| 31 | ---------------------------------------------------------------- | 38 | ---------------------------------------------------------------- |
| 32 | Paolo Bonzini (1): | 39 | Alexandre Iooss (1): |
| 33 | sdhci: fix incorrect use of Error * | 40 | docs/system: arm: Add nRF boards description |
| 34 | 41 | ||
| 35 | Peter Maydell (6): | 42 | Peter Collingbourne (1): |
| 36 | hw/intc/arm_gicv3: Fix secure-GIC NS ICC_PMR and ICC_RPR accesses | 43 | target/arm: Implement MTE3 |
| 37 | hw/arm/bcm2836: Use the Cortex-A7 instead of Cortex-A15 | ||
| 38 | target/arm: Honour MDCR_EL2.TDE when routing exceptions due to BKPT/BRK | ||
| 39 | target/arm: Factor out code to calculate FSR for debug exceptions | ||
| 40 | target/arm: Set FSR for BKPT, BRK when raising exception | ||
| 41 | target/arm: Always set FAR to a known unknown value for debug exceptions | ||
| 42 | 44 | ||
| 43 | Trent Piepho (1): | 45 | Peter Maydell (55): |
| 44 | i.MX: Support serial RS-232 break properly | 46 | hw/acpi: Provide stub version of acpi_ghes_record_errors() |
| 47 | hw/acpi: Provide function acpi_ghes_present() | ||
| 48 | target/arm: Use acpi_ghes_present() to see if we report ACPI memory errors | ||
| 49 | docs/system/arm: Document which architecture extensions we emulate | ||
| 50 | target/arm/translate-vfp.c: Whitespace fixes | ||
| 51 | target/arm: Handle FPU being disabled in FPCXT_NS accesses | ||
| 52 | target/arm: Don't NOCP fault for FPCXT_NS accesses | ||
| 53 | target/arm: Handle writeback in VLDR/VSTR sysreg with no memory access | ||
| 54 | target/arm: Factor FP context update code out into helper function | ||
| 55 | target/arm: Split vfp_access_check() into A and M versions | ||
| 56 | target/arm: Handle FPU check for FPCXT_NS insns via vfp_access_check_m() | ||
| 57 | target/arm: Implement MVE VLDR/VSTR (non-widening forms) | ||
| 58 | target/arm: Implement widening/narrowing MVE VLDR/VSTR insns | ||
| 59 | target/arm: Implement MVE VCLZ | ||
| 60 | target/arm: Implement MVE VCLS | ||
| 61 | target/arm: Implement MVE VREV16, VREV32, VREV64 | ||
| 62 | target/arm: Implement MVE VMVN (register) | ||
| 63 | target/arm: Implement MVE VABS | ||
| 64 | target/arm: Implement MVE VNEG | ||
| 65 | tcg: Make gen_dup_i32/i64() public as tcg_gen_dup_i32/i64 | ||
| 66 | target/arm: Implement MVE VDUP | ||
| 67 | target/arm: Implement MVE VAND, VBIC, VORR, VORN, VEOR | ||
| 68 | target/arm: Implement MVE VADD, VSUB, VMUL | ||
| 69 | target/arm: Implement MVE VMULH | ||
| 70 | target/arm: Implement MVE VRMULH | ||
| 71 | target/arm: Implement MVE VMAX, VMIN | ||
| 72 | target/arm: Implement MVE VABD | ||
| 73 | target/arm: Implement MVE VHADD, VHSUB | ||
| 74 | target/arm: Implement MVE VMULL | ||
| 75 | target/arm: Implement MVE VMLALDAV | ||
| 76 | target/arm: Implement MVE VMLSLDAV | ||
| 77 | target/arm: Implement MVE VRMLALDAVH, VRMLSLDAVH | ||
| 78 | target/arm: Implement MVE VADD (scalar) | ||
| 79 | target/arm: Implement MVE VSUB, VMUL (scalar) | ||
| 80 | target/arm: Implement MVE VHADD, VHSUB (scalar) | ||
| 81 | target/arm: Implement MVE VBRSR | ||
| 82 | target/arm: Implement MVE VPST | ||
| 83 | target/arm: Implement MVE VQADD and VQSUB | ||
| 84 | target/arm: Implement MVE VQDMULH and VQRDMULH (scalar) | ||
| 85 | target/arm: Implement MVE VQDMULL scalar | ||
| 86 | target/arm: Implement MVE VQDMULH, VQRDMULH (vector) | ||
| 87 | target/arm: Implement MVE VQADD, VQSUB (vector) | ||
| 88 | target/arm: Implement MVE VQSHL (vector) | ||
| 89 | target/arm: Implement MVE VQRSHL | ||
| 90 | target/arm: Implement MVE VSHL insn | ||
| 91 | target/arm: Implement MVE VRSHL | ||
| 92 | target/arm: Implement MVE VQDMLADH and VQRDMLADH | ||
| 93 | target/arm: Implement MVE VQDMLSDH and VQRDMLSDH | ||
| 94 | target/arm: Implement MVE VQDMULL (vector) | ||
| 95 | target/arm: Implement MVE VRHADD | ||
| 96 | target/arm: Implement MVE VADC, VSBC | ||
| 97 | target/arm: Implement MVE VCADD | ||
| 98 | target/arm: Implement MVE VHCADD | ||
| 99 | target/arm: Implement MVE VADDV | ||
| 100 | target/arm: Make VMOV scalar <-> gpreg beatwise for MVE | ||
| 45 | 101 | ||
| 46 | Victor Kamensky (1): | 102 | docs/system/arm/emulation.rst | 103 ++++ |
| 47 | arm/translate-a64: treat DISAS_UPDATE as variant of DISAS_EXIT | 103 | docs/system/arm/nrf.rst | 51 ++ |
| 104 | docs/system/target-arm.rst | 7 + | ||
| 105 | include/hw/acpi/ghes.h | 9 + | ||
| 106 | include/tcg/tcg-op.h | 8 + | ||
| 107 | include/tcg/tcg.h | 1 - | ||
| 108 | target/arm/helper-mve.h | 357 +++++++++++++ | ||
| 109 | target/arm/helper.h | 2 + | ||
| 110 | target/arm/internals.h | 11 + | ||
| 111 | target/arm/translate-a32.h | 3 + | ||
| 112 | target/arm/translate.h | 10 + | ||
| 113 | target/arm/m-nocp.decode | 24 + | ||
| 114 | target/arm/mve.decode | 240 +++++++++ | ||
| 115 | target/arm/vfp.decode | 14 - | ||
| 116 | hw/acpi/ghes-stub.c | 22 + | ||
| 117 | hw/acpi/ghes.c | 17 + | ||
| 118 | target/arm/cpu64.c | 2 +- | ||
| 119 | target/arm/kvm64.c | 6 +- | ||
| 120 | target/arm/mte_helper.c | 82 +-- | ||
| 121 | target/arm/mve_helper.c | 1160 +++++++++++++++++++++++++++++++++++++++++ | ||
| 122 | target/arm/translate-m-nocp.c | 550 +++++++++++++++++++ | ||
| 123 | target/arm/translate-mve.c | 759 +++++++++++++++++++++++++++ | ||
| 124 | target/arm/translate-vfp.c | 741 +++++++------------------- | ||
| 125 | tcg/tcg-op-gvec.c | 20 +- | ||
| 126 | MAINTAINERS | 1 + | ||
| 127 | hw/acpi/meson.build | 6 +- | ||
| 128 | target/arm/meson.build | 1 + | ||
| 129 | 27 files changed, 3578 insertions(+), 629 deletions(-) | ||
| 130 | create mode 100644 docs/system/arm/emulation.rst | ||
| 131 | create mode 100644 docs/system/arm/nrf.rst | ||
| 132 | create mode 100644 target/arm/helper-mve.h | ||
| 133 | create mode 100644 hw/acpi/ghes-stub.c | ||
| 134 | create mode 100644 target/arm/mve_helper.c | ||
| 48 | 135 | ||
| 49 | Wei Huang (1): | ||
| 50 | mach-virt: Set VM's SMBIOS system version to mc->name | ||
| 51 | |||
| 52 | include/hw/arm/virt.h | 1 + | ||
| 53 | include/hw/char/imx_serial.h | 1 + | ||
| 54 | target/arm/helper.h | 1 + | ||
| 55 | target/arm/internals.h | 25 +++++++++++++++++++++++++ | ||
| 56 | hw/arm/bcm2836.c | 2 +- | ||
| 57 | hw/arm/raspi.c | 2 +- | ||
| 58 | hw/arm/virt.c | 8 +++++++- | ||
| 59 | hw/char/imx_serial.c | 5 ++++- | ||
| 60 | hw/intc/arm_gicv3_cpuif.c | 6 +++--- | ||
| 61 | hw/sd/sdhci.c | 4 ++-- | ||
| 62 | target/arm/helper.c | 1 - | ||
| 63 | target/arm/op_helper.c | 33 ++++++++++++++++++++++----------- | ||
| 64 | target/arm/translate-a64.c | 21 ++++++++++++++++----- | ||
| 65 | target/arm/translate.c | 19 ++++++++++++++----- | ||
| 66 | 14 files changed, 98 insertions(+), 31 deletions(-) | ||
| 67 | diff view generated by jsdifflib |
Deleted patch | |||
|---|---|---|---|
| 1 | From: Victor Kamensky <kamensky@cisco.com> | ||
| 2 | 1 | ||
| 3 | In OE project 4.15 linux kernel boot hang was observed under | ||
| 4 | single cpu aarch64 qemu. Kernel code was in a loop waiting for | ||
| 5 | vtimer arrival, spinning in TC generated blocks, while interrupt | ||
| 6 | was pending unprocessed. This happened because when qemu tried to | ||
| 7 | handle vtimer interrupt target had interrupts disabled, as | ||
| 8 | result flag indicating TCG exit, cpu->icount_decr.u16.high, | ||
| 9 | was cleared but arm_cpu_exec_interrupt function did not call | ||
| 10 | arm_cpu_do_interrupt to process interrupt. Later when target | ||
| 11 | reenabled interrupts, it happened without exit into main loop, so | ||
| 12 | following code that waited for result of interrupt execution | ||
| 13 | run in infinite loop. | ||
| 14 | |||
| 15 | To solve the problem instructions that operate on CPU sys state | ||
| 16 | (i.e enable/disable interrupt), and marked as DISAS_UPDATE, | ||
| 17 | should be considered as DISAS_EXIT variant, and should be | ||
| 18 | forced to exit back to main loop so qemu will have a chance | ||
| 19 | processing pending CPU state updates, including pending | ||
| 20 | interrupts. | ||
| 21 | |||
| 22 | This change brings consistency with how DISAS_UPDATE is treated | ||
| 23 | in aarch32 case. | ||
| 24 | |||
| 25 | CC: Peter Maydell <peter.maydell@linaro.org> | ||
| 26 | CC: Alex Bennée <alex.bennee@linaro.org> | ||
| 27 | CC: qemu-stable@nongnu.org | ||
| 28 | Suggested-by: Peter Maydell <peter.maydell@linaro.org> | ||
| 29 | Signed-off-by: Victor Kamensky <kamensky@cisco.com> | ||
| 30 | Reviewed-by: Richard Henderson <richard.henderson@linaro.org> | ||
| 31 | Message-id: 1521526368-1996-1-git-send-email-kamensky@cisco.com | ||
| 32 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | ||
| 33 | --- | ||
| 34 | target/arm/translate-a64.c | 6 +++--- | ||
| 35 | 1 file changed, 3 insertions(+), 3 deletions(-) | ||
| 36 | |||
| 37 | diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c | ||
| 38 | index XXXXXXX..XXXXXXX 100644 | ||
| 39 | --- a/target/arm/translate-a64.c | ||
| 40 | +++ b/target/arm/translate-a64.c | ||
| 41 | @@ -XXX,XX +XXX,XX @@ static void aarch64_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu) | ||
| 42 | case DISAS_UPDATE: | ||
| 43 | gen_a64_set_pc_im(dc->pc); | ||
| 44 | /* fall through */ | ||
| 45 | - case DISAS_JUMP: | ||
| 46 | - tcg_gen_lookup_and_goto_ptr(); | ||
| 47 | - break; | ||
| 48 | case DISAS_EXIT: | ||
| 49 | tcg_gen_exit_tb(0); | ||
| 50 | break; | ||
| 51 | + case DISAS_JUMP: | ||
| 52 | + tcg_gen_lookup_and_goto_ptr(); | ||
| 53 | + break; | ||
| 54 | case DISAS_NORETURN: | ||
| 55 | case DISAS_SWI: | ||
| 56 | break; | ||
| 57 | -- | ||
| 58 | 2.16.2 | ||
| 59 | |||
| 60 | diff view generated by jsdifflib |
Deleted patch | |||
|---|---|---|---|
| 1 | From: Paolo Bonzini <pbonzini@redhat.com> | ||
| 2 | 1 | ||
| 3 | Detected by Coverity (CID 1386072, 1386073, 1386076, 1386077). local_err | ||
| 4 | was unused, and this made the static analyzer unhappy. | ||
| 5 | |||
| 6 | Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> | ||
| 7 | Message-id: 20180320151355.25854-1-pbonzini@redhat.com | ||
| 8 | Reviewed-by: Peter Maydell <peter.maydell@linaro.org> | ||
| 9 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | ||
| 10 | --- | ||
| 11 | hw/sd/sdhci.c | 4 ++-- | ||
| 12 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
| 13 | |||
| 14 | diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c | ||
| 15 | index XXXXXXX..XXXXXXX 100644 | ||
| 16 | --- a/hw/sd/sdhci.c | ||
| 17 | +++ b/hw/sd/sdhci.c | ||
| 18 | @@ -XXX,XX +XXX,XX @@ static void sdhci_pci_realize(PCIDevice *dev, Error **errp) | ||
| 19 | Error *local_err = NULL; | ||
| 20 | |||
| 21 | sdhci_initfn(s); | ||
| 22 | - sdhci_common_realize(s, errp); | ||
| 23 | + sdhci_common_realize(s, &local_err); | ||
| 24 | if (local_err) { | ||
| 25 | error_propagate(errp, local_err); | ||
| 26 | return; | ||
| 27 | @@ -XXX,XX +XXX,XX @@ static void sdhci_sysbus_realize(DeviceState *dev, Error ** errp) | ||
| 28 | SysBusDevice *sbd = SYS_BUS_DEVICE(dev); | ||
| 29 | Error *local_err = NULL; | ||
| 30 | |||
| 31 | - sdhci_common_realize(s, errp); | ||
| 32 | + sdhci_common_realize(s, &local_err); | ||
| 33 | if (local_err) { | ||
| 34 | error_propagate(errp, local_err); | ||
| 35 | return; | ||
| 36 | -- | ||
| 37 | 2.16.2 | ||
| 38 | |||
| 39 | diff view generated by jsdifflib |
Deleted patch | |||
|---|---|---|---|
| 1 | If the GIC has the security extension support enabled, then a | ||
| 2 | non-secure access to ICC_PMR must take account of the non-secure | ||
| 3 | view of interrupt priorities, where real priorities 0x00..0x7f | ||
| 4 | are secure-only and not visible to the non-secure guest, and | ||
| 5 | priorities 0x80..0xff are shown to the guest as if they were | ||
| 6 | 0x00..0xff. We had the logic here wrong: | ||
| 7 | * on reads, the priority is in the secure range if bit 7 | ||
| 8 | is clear, not if it is set | ||
| 9 | * on writes, we want to set bit 7, not mask everything else | ||
| 10 | 1 | ||
| 11 | Our ICC_RPR read code had the same error as ICC_PMR. | ||
| 12 | |||
| 13 | (Compare the GICv3 spec pseudocode functions ICC_RPR_EL1 | ||
| 14 | and ICC_PMR_EL1.) | ||
| 15 | |||
| 16 | Fixes: https://bugs.launchpad.net/qemu/+bug/1748434 | ||
| 17 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | ||
| 18 | Reviewed-by: Andrew Jones <drjones@redhat.com> | ||
| 19 | Message-id: 20180315133441.24149-1-peter.maydell@linaro.org | ||
| 20 | --- | ||
| 21 | hw/intc/arm_gicv3_cpuif.c | 6 +++--- | ||
| 22 | 1 file changed, 3 insertions(+), 3 deletions(-) | ||
| 23 | |||
| 24 | diff --git a/hw/intc/arm_gicv3_cpuif.c b/hw/intc/arm_gicv3_cpuif.c | ||
| 25 | index XXXXXXX..XXXXXXX 100644 | ||
| 26 | --- a/hw/intc/arm_gicv3_cpuif.c | ||
| 27 | +++ b/hw/intc/arm_gicv3_cpuif.c | ||
| 28 | @@ -XXX,XX +XXX,XX @@ static uint64_t icc_pmr_read(CPUARMState *env, const ARMCPRegInfo *ri) | ||
| 29 | /* NS access and Group 0 is inaccessible to NS: return the | ||
| 30 | * NS view of the current priority | ||
| 31 | */ | ||
| 32 | - if (value & 0x80) { | ||
| 33 | + if ((value & 0x80) == 0) { | ||
| 34 | /* Secure priorities not visible to NS */ | ||
| 35 | value = 0; | ||
| 36 | } else if (value != 0xff) { | ||
| 37 | @@ -XXX,XX +XXX,XX @@ static void icc_pmr_write(CPUARMState *env, const ARMCPRegInfo *ri, | ||
| 38 | /* Current PMR in the secure range, don't allow NS to change it */ | ||
| 39 | return; | ||
| 40 | } | ||
| 41 | - value = (value >> 1) & 0x80; | ||
| 42 | + value = (value >> 1) | 0x80; | ||
| 43 | } | ||
| 44 | cs->icc_pmr_el1 = value; | ||
| 45 | gicv3_cpuif_update(cs); | ||
| 46 | @@ -XXX,XX +XXX,XX @@ static uint64_t icc_rpr_read(CPUARMState *env, const ARMCPRegInfo *ri) | ||
| 47 | if (arm_feature(env, ARM_FEATURE_EL3) && | ||
| 48 | !arm_is_secure(env) && (env->cp15.scr_el3 & SCR_FIQ)) { | ||
| 49 | /* NS GIC access and Group 0 is inaccessible to NS */ | ||
| 50 | - if (prio & 0x80) { | ||
| 51 | + if ((prio & 0x80) == 0) { | ||
| 52 | /* NS mustn't see priorities in the Secure half of the range */ | ||
| 53 | prio = 0; | ||
| 54 | } else if (prio != 0xff) { | ||
| 55 | -- | ||
| 56 | 2.16.2 | ||
| 57 | |||
| 58 | diff view generated by jsdifflib |
Deleted patch | |||
|---|---|---|---|
| 1 | The BCM2836 uses a Cortex-A7, not a Cortex-A15. Update the device to | ||
| 2 | use the correct CPU. | ||
| 3 | https://www.raspberrypi.org/documentation/hardware/raspberrypi/bcm2836/QA7_rev3.4.pdf | ||
| 4 | 1 | ||
| 5 | When the BCM2836 was introduced (bad5623690b) the Cortex-A7 was not | ||
| 6 | available, so the very similar Cortex-A15 was used. Since dcf578ed8ce | ||
| 7 | we can model the correct core. | ||
| 8 | |||
| 9 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | ||
| 10 | Reviewed-by: Alistair Francis <alistair@alistair23.me> | ||
| 11 | Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> | ||
| 12 | Message-id: 20180319110215.16755-1-peter.maydell@linaro.org | ||
| 13 | --- | ||
| 14 | hw/arm/bcm2836.c | 2 +- | ||
| 15 | hw/arm/raspi.c | 2 +- | ||
| 16 | 2 files changed, 2 insertions(+), 2 deletions(-) | ||
| 17 | |||
| 18 | diff --git a/hw/arm/bcm2836.c b/hw/arm/bcm2836.c | ||
| 19 | index XXXXXXX..XXXXXXX 100644 | ||
| 20 | --- a/hw/arm/bcm2836.c | ||
| 21 | +++ b/hw/arm/bcm2836.c | ||
| 22 | @@ -XXX,XX +XXX,XX @@ struct BCM283XInfo { | ||
| 23 | static const BCM283XInfo bcm283x_socs[] = { | ||
| 24 | { | ||
| 25 | .name = TYPE_BCM2836, | ||
| 26 | - .cpu_type = ARM_CPU_TYPE_NAME("cortex-a15"), | ||
| 27 | + .cpu_type = ARM_CPU_TYPE_NAME("cortex-a7"), | ||
| 28 | .clusterid = 0xf, | ||
| 29 | }, | ||
| 30 | #ifdef TARGET_AARCH64 | ||
| 31 | diff --git a/hw/arm/raspi.c b/hw/arm/raspi.c | ||
| 32 | index XXXXXXX..XXXXXXX 100644 | ||
| 33 | --- a/hw/arm/raspi.c | ||
| 34 | +++ b/hw/arm/raspi.c | ||
| 35 | @@ -XXX,XX +XXX,XX @@ static void raspi2_machine_init(MachineClass *mc) | ||
| 36 | mc->no_parallel = 1; | ||
| 37 | mc->no_floppy = 1; | ||
| 38 | mc->no_cdrom = 1; | ||
| 39 | - mc->default_cpu_type = ARM_CPU_TYPE_NAME("cortex-a15"); | ||
| 40 | + mc->default_cpu_type = ARM_CPU_TYPE_NAME("cortex-a7"); | ||
| 41 | mc->max_cpus = BCM283X_NCPUS; | ||
| 42 | mc->min_cpus = BCM283X_NCPUS; | ||
| 43 | mc->default_cpus = BCM283X_NCPUS; | ||
| 44 | -- | ||
| 45 | 2.16.2 | ||
| 46 | |||
| 47 | diff view generated by jsdifflib |
Deleted patch | |||
|---|---|---|---|
| 1 | From: Trent Piepho <tpiepho@impinj.com> | ||
| 2 | 1 | ||
| 3 | Linux does not detect a break from this IMX serial driver as a magic | ||
| 4 | sysrq. Nor does it note a break in the port error counts. | ||
| 5 | |||
| 6 | The former is because the Linux driver uses the BRCD bit in the USR2 | ||
| 7 | register to trigger the RS-232 break handler in the kernel, which is | ||
| 8 | where sysrq hooks in. The emulated UART was not setting this status | ||
| 9 | bit. | ||
| 10 | |||
| 11 | The latter is because the Linux driver expects, in addition to the BRK | ||
| 12 | bit, that the ERR bit is set when a break is read in the FIFO. A break | ||
| 13 | should also count as a frame error, so add that bit too. | ||
| 14 | |||
| 15 | Cc: Andrey Smirnov <andrew.smirnov@gmail.com> | ||
| 16 | Signed-off-by: Trent Piepho <tpiepho@impinj.com> | ||
| 17 | Message-id: 20180320013657.25038-1-tpiepho@impinj.com | ||
| 18 | Reviewed-by: Peter Maydell <peter.maydell@linaro.org> | ||
| 19 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | ||
| 20 | --- | ||
| 21 | include/hw/char/imx_serial.h | 1 + | ||
| 22 | hw/char/imx_serial.c | 5 ++++- | ||
| 23 | 2 files changed, 5 insertions(+), 1 deletion(-) | ||
| 24 | |||
| 25 | diff --git a/include/hw/char/imx_serial.h b/include/hw/char/imx_serial.h | ||
| 26 | index XXXXXXX..XXXXXXX 100644 | ||
| 27 | --- a/include/hw/char/imx_serial.h | ||
| 28 | +++ b/include/hw/char/imx_serial.h | ||
| 29 | @@ -XXX,XX +XXX,XX @@ | ||
| 30 | |||
| 31 | #define URXD_CHARRDY (1<<15) /* character read is valid */ | ||
| 32 | #define URXD_ERR (1<<14) /* Character has error */ | ||
| 33 | +#define URXD_FRMERR (1<<12) /* Character has frame error */ | ||
| 34 | #define URXD_BRK (1<<11) /* Break received */ | ||
| 35 | |||
| 36 | #define USR1_PARTYER (1<<15) /* Parity Error */ | ||
| 37 | diff --git a/hw/char/imx_serial.c b/hw/char/imx_serial.c | ||
| 38 | index XXXXXXX..XXXXXXX 100644 | ||
| 39 | --- a/hw/char/imx_serial.c | ||
| 40 | +++ b/hw/char/imx_serial.c | ||
| 41 | @@ -XXX,XX +XXX,XX @@ static void imx_put_data(void *opaque, uint32_t value) | ||
| 42 | s->usr2 |= USR2_RDR; | ||
| 43 | s->uts1 &= ~UTS1_RXEMPTY; | ||
| 44 | s->readbuff = value; | ||
| 45 | + if (value & URXD_BRK) { | ||
| 46 | + s->usr2 |= USR2_BRCD; | ||
| 47 | + } | ||
| 48 | imx_update(s); | ||
| 49 | } | ||
| 50 | |||
| 51 | @@ -XXX,XX +XXX,XX @@ static void imx_receive(void *opaque, const uint8_t *buf, int size) | ||
| 52 | static void imx_event(void *opaque, int event) | ||
| 53 | { | ||
| 54 | if (event == CHR_EVENT_BREAK) { | ||
| 55 | - imx_put_data(opaque, URXD_BRK); | ||
| 56 | + imx_put_data(opaque, URXD_BRK | URXD_FRMERR | URXD_ERR); | ||
| 57 | } | ||
| 58 | } | ||
| 59 | |||
| 60 | -- | ||
| 61 | 2.16.2 | ||
| 62 | |||
| 63 | diff view generated by jsdifflib |
Deleted patch | |||
|---|---|---|---|
| 1 | From: Wei Huang <wei@redhat.com> | ||
| 2 | 1 | ||
| 3 | Instead of using "1.0" as the system version of SMBIOS, we should use | ||
| 4 | mc->name for mach-virt machine type to be consistent other architectures. | ||
| 5 | With this patch, "dmidecode -t 1" (e.g., "-M virt-2.12,accel=kvm") will | ||
| 6 | show: | ||
| 7 | |||
| 8 | Handle 0x0100, DMI type 1, 27 bytes | ||
| 9 | System Information | ||
| 10 | Manufacturer: QEMU | ||
| 11 | Product Name: KVM Virtual Machine | ||
| 12 | Version: virt-2.12 | ||
| 13 | Serial Number: Not Specified | ||
| 14 | ... | ||
| 15 | |||
| 16 | instead of: | ||
| 17 | |||
| 18 | Handle 0x0100, DMI type 1, 27 bytes | ||
| 19 | System Information | ||
| 20 | Manufacturer: QEMU | ||
| 21 | Product Name: KVM Virtual Machine | ||
| 22 | Version: 1.0 | ||
| 23 | Serial Number: Not Specified | ||
| 24 | ... | ||
| 25 | |||
| 26 | For backward compatibility, we allow older machine types to keep "1.0" | ||
| 27 | as the default system version. | ||
| 28 | |||
| 29 | Signed-off-by: Wei Huang <wei@redhat.com> | ||
| 30 | Reviewed-by: Andrew Jones <drjones@redhat.com> | ||
| 31 | Message-id: 20180322212318.7182-1-wei@redhat.com | ||
| 32 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | ||
| 33 | --- | ||
| 34 | include/hw/arm/virt.h | 1 + | ||
| 35 | hw/arm/virt.c | 8 +++++++- | ||
| 36 | 2 files changed, 8 insertions(+), 1 deletion(-) | ||
| 37 | |||
| 38 | diff --git a/include/hw/arm/virt.h b/include/hw/arm/virt.h | ||
| 39 | index XXXXXXX..XXXXXXX 100644 | ||
| 40 | --- a/include/hw/arm/virt.h | ||
| 41 | +++ b/include/hw/arm/virt.h | ||
| 42 | @@ -XXX,XX +XXX,XX @@ typedef struct { | ||
| 43 | bool no_its; | ||
| 44 | bool no_pmu; | ||
| 45 | bool claim_edge_triggered_timers; | ||
| 46 | + bool smbios_old_sys_ver; | ||
| 47 | } VirtMachineClass; | ||
| 48 | |||
| 49 | typedef struct { | ||
| 50 | diff --git a/hw/arm/virt.c b/hw/arm/virt.c | ||
| 51 | index XXXXXXX..XXXXXXX 100644 | ||
| 52 | --- a/hw/arm/virt.c | ||
| 53 | +++ b/hw/arm/virt.c | ||
| 54 | @@ -XXX,XX +XXX,XX @@ static void *machvirt_dtb(const struct arm_boot_info *binfo, int *fdt_size) | ||
| 55 | |||
| 56 | static void virt_build_smbios(VirtMachineState *vms) | ||
| 57 | { | ||
| 58 | + MachineClass *mc = MACHINE_GET_CLASS(vms); | ||
| 59 | + VirtMachineClass *vmc = VIRT_MACHINE_GET_CLASS(vms); | ||
| 60 | uint8_t *smbios_tables, *smbios_anchor; | ||
| 61 | size_t smbios_tables_len, smbios_anchor_len; | ||
| 62 | const char *product = "QEMU Virtual Machine"; | ||
| 63 | @@ -XXX,XX +XXX,XX @@ static void virt_build_smbios(VirtMachineState *vms) | ||
| 64 | } | ||
| 65 | |||
| 66 | smbios_set_defaults("QEMU", product, | ||
| 67 | - "1.0", false, true, SMBIOS_ENTRY_POINT_30); | ||
| 68 | + vmc->smbios_old_sys_ver ? "1.0" : mc->name, false, | ||
| 69 | + true, SMBIOS_ENTRY_POINT_30); | ||
| 70 | |||
| 71 | smbios_get_tables(NULL, 0, &smbios_tables, &smbios_tables_len, | ||
| 72 | &smbios_anchor, &smbios_anchor_len); | ||
| 73 | @@ -XXX,XX +XXX,XX @@ static void virt_2_11_instance_init(Object *obj) | ||
| 74 | |||
| 75 | static void virt_machine_2_11_options(MachineClass *mc) | ||
| 76 | { | ||
| 77 | + VirtMachineClass *vmc = VIRT_MACHINE_CLASS(OBJECT_CLASS(mc)); | ||
| 78 | + | ||
| 79 | virt_machine_2_12_options(mc); | ||
| 80 | SET_MACHINE_COMPAT(mc, VIRT_COMPAT_2_11); | ||
| 81 | + vmc->smbios_old_sys_ver = true; | ||
| 82 | } | ||
| 83 | DEFINE_VIRT_MACHINE(2, 11) | ||
| 84 | |||
| 85 | -- | ||
| 86 | 2.16.2 | ||
| 87 | |||
| 88 | diff view generated by jsdifflib |
Deleted patch | |||
|---|---|---|---|
| 1 | The MDCR_EL2.TDE bit allows the exception level targeted by debug | ||
| 2 | exceptions to be set to EL2 for code executing at EL0. We handle | ||
| 3 | this in the arm_debug_target_el() function, but this is only used for | ||
| 4 | hardware breakpoint and watchpoint exceptions, not for the exception | ||
| 5 | generated when the guest executes an AArch32 BKPT or AArch64 BRK | ||
| 6 | instruction. We don't have enough information for a translate-time | ||
| 7 | equivalent of arm_debug_target_el(), so instead make BKPT and BRK | ||
| 8 | call a special purpose helper which can do the routing, rather than | ||
| 9 | the generic exception_with_syndrome helper. | ||
| 10 | 1 | ||
| 11 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | ||
| 12 | Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> | ||
| 13 | Message-id: 20180320134114.30418-2-peter.maydell@linaro.org | ||
| 14 | --- | ||
| 15 | target/arm/helper.h | 1 + | ||
| 16 | target/arm/op_helper.c | 8 ++++++++ | ||
| 17 | target/arm/translate-a64.c | 15 +++++++++++++-- | ||
| 18 | target/arm/translate.c | 19 ++++++++++++++----- | ||
| 19 | 4 files changed, 36 insertions(+), 7 deletions(-) | ||
| 20 | |||
| 21 | diff --git a/target/arm/helper.h b/target/arm/helper.h | ||
| 22 | index XXXXXXX..XXXXXXX 100644 | ||
| 23 | --- a/target/arm/helper.h | ||
| 24 | +++ b/target/arm/helper.h | ||
| 25 | @@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_3(sel_flags, TCG_CALL_NO_RWG_SE, | ||
| 26 | i32, i32, i32, i32) | ||
| 27 | DEF_HELPER_2(exception_internal, void, env, i32) | ||
| 28 | DEF_HELPER_4(exception_with_syndrome, void, env, i32, i32, i32) | ||
| 29 | +DEF_HELPER_2(exception_bkpt_insn, void, env, i32) | ||
| 30 | DEF_HELPER_1(setend, void, env) | ||
| 31 | DEF_HELPER_2(wfi, void, env, i32) | ||
| 32 | DEF_HELPER_1(wfe, void, env) | ||
| 33 | diff --git a/target/arm/op_helper.c b/target/arm/op_helper.c | ||
| 34 | index XXXXXXX..XXXXXXX 100644 | ||
| 35 | --- a/target/arm/op_helper.c | ||
| 36 | +++ b/target/arm/op_helper.c | ||
| 37 | @@ -XXX,XX +XXX,XX @@ void HELPER(exception_with_syndrome)(CPUARMState *env, uint32_t excp, | ||
| 38 | raise_exception(env, excp, syndrome, target_el); | ||
| 39 | } | ||
| 40 | |||
| 41 | +/* Raise an EXCP_BKPT with the specified syndrome register value, | ||
| 42 | + * targeting the correct exception level for debug exceptions. | ||
| 43 | + */ | ||
| 44 | +void HELPER(exception_bkpt_insn)(CPUARMState *env, uint32_t syndrome) | ||
| 45 | +{ | ||
| 46 | + raise_exception(env, EXCP_BKPT, syndrome, arm_debug_target_el(env)); | ||
| 47 | +} | ||
| 48 | + | ||
| 49 | uint32_t HELPER(cpsr_read)(CPUARMState *env) | ||
| 50 | { | ||
| 51 | return cpsr_read(env) & ~(CPSR_EXEC | CPSR_RESERVED); | ||
| 52 | diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c | ||
| 53 | index XXXXXXX..XXXXXXX 100644 | ||
| 54 | --- a/target/arm/translate-a64.c | ||
| 55 | +++ b/target/arm/translate-a64.c | ||
| 56 | @@ -XXX,XX +XXX,XX @@ static void gen_exception_insn(DisasContext *s, int offset, int excp, | ||
| 57 | s->base.is_jmp = DISAS_NORETURN; | ||
| 58 | } | ||
| 59 | |||
| 60 | +static void gen_exception_bkpt_insn(DisasContext *s, int offset, | ||
| 61 | + uint32_t syndrome) | ||
| 62 | +{ | ||
| 63 | + TCGv_i32 tcg_syn; | ||
| 64 | + | ||
| 65 | + gen_a64_set_pc_im(s->pc - offset); | ||
| 66 | + tcg_syn = tcg_const_i32(syndrome); | ||
| 67 | + gen_helper_exception_bkpt_insn(cpu_env, tcg_syn); | ||
| 68 | + tcg_temp_free_i32(tcg_syn); | ||
| 69 | + s->base.is_jmp = DISAS_NORETURN; | ||
| 70 | +} | ||
| 71 | + | ||
| 72 | static void gen_ss_advance(DisasContext *s) | ||
| 73 | { | ||
| 74 | /* If the singlestep state is Active-not-pending, advance to | ||
| 75 | @@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn) | ||
| 76 | break; | ||
| 77 | } | ||
| 78 | /* BRK */ | ||
| 79 | - gen_exception_insn(s, 4, EXCP_BKPT, syn_aa64_bkpt(imm16), | ||
| 80 | - default_exception_el(s)); | ||
| 81 | + gen_exception_bkpt_insn(s, 4, syn_aa64_bkpt(imm16)); | ||
| 82 | break; | ||
| 83 | case 2: | ||
| 84 | if (op2_ll != 0) { | ||
| 85 | diff --git a/target/arm/translate.c b/target/arm/translate.c | ||
| 86 | index XXXXXXX..XXXXXXX 100644 | ||
| 87 | --- a/target/arm/translate.c | ||
| 88 | +++ b/target/arm/translate.c | ||
| 89 | @@ -XXX,XX +XXX,XX @@ static void gen_exception_insn(DisasContext *s, int offset, int excp, | ||
| 90 | s->base.is_jmp = DISAS_NORETURN; | ||
| 91 | } | ||
| 92 | |||
| 93 | +static void gen_exception_bkpt_insn(DisasContext *s, int offset, uint32_t syn) | ||
| 94 | +{ | ||
| 95 | + TCGv_i32 tcg_syn; | ||
| 96 | + | ||
| 97 | + gen_set_condexec(s); | ||
| 98 | + gen_set_pc_im(s, s->pc - offset); | ||
| 99 | + tcg_syn = tcg_const_i32(syn); | ||
| 100 | + gen_helper_exception_bkpt_insn(cpu_env, tcg_syn); | ||
| 101 | + tcg_temp_free_i32(tcg_syn); | ||
| 102 | + s->base.is_jmp = DISAS_NORETURN; | ||
| 103 | +} | ||
| 104 | + | ||
| 105 | /* Force a TB lookup after an instruction that changes the CPU state. */ | ||
| 106 | static inline void gen_lookup_tb(DisasContext *s) | ||
| 107 | { | ||
| 108 | @@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn) | ||
| 109 | case 1: | ||
| 110 | /* bkpt */ | ||
| 111 | ARCH(5); | ||
| 112 | - gen_exception_insn(s, 4, EXCP_BKPT, | ||
| 113 | - syn_aa32_bkpt(imm16, false), | ||
| 114 | - default_exception_el(s)); | ||
| 115 | + gen_exception_bkpt_insn(s, 4, syn_aa32_bkpt(imm16, false)); | ||
| 116 | break; | ||
| 117 | case 2: | ||
| 118 | /* Hypervisor call (v7) */ | ||
| 119 | @@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn) | ||
| 120 | { | ||
| 121 | int imm8 = extract32(insn, 0, 8); | ||
| 122 | ARCH(5); | ||
| 123 | - gen_exception_insn(s, 2, EXCP_BKPT, syn_aa32_bkpt(imm8, true), | ||
| 124 | - default_exception_el(s)); | ||
| 125 | + gen_exception_bkpt_insn(s, 2, syn_aa32_bkpt(imm8, true)); | ||
| 126 | break; | ||
| 127 | } | ||
| 128 | |||
| 129 | -- | ||
| 130 | 2.16.2 | ||
| 131 | |||
| 132 | diff view generated by jsdifflib |
Deleted patch | |||
|---|---|---|---|
| 1 | When a debug exception is taken to AArch32, it appears as a Prefetch | ||
| 2 | Abort, and the Instruction Fault Status Register (IFSR) must be set. | ||
| 3 | The IFSR has two possible formats, depending on whether LPAE is in | ||
| 4 | use. Factor out the code in arm_debug_excp_handler() which picks | ||
| 5 | an FSR value into its own utility function, update it to use | ||
| 6 | arm_fi_to_lfsc() and arm_fi_to_sfsc() rather than hard-coded constants, | ||
| 7 | and use the correct condition to select long or short format. | ||
| 8 | 1 | ||
| 9 | In particular this fixes a bug where we could select the short | ||
| 10 | format because we're at EL0 and the EL1 translation regime is | ||
| 11 | not using LPAE, but then route the debug exception to EL2 because | ||
| 12 | of MDCR_EL2.TDE and hand EL2 the wrong format FSR. | ||
| 13 | |||
| 14 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | ||
| 15 | Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> | ||
| 16 | Message-id: 20180320134114.30418-3-peter.maydell@linaro.org | ||
| 17 | --- | ||
| 18 | target/arm/internals.h | 25 +++++++++++++++++++++++++ | ||
| 19 | target/arm/op_helper.c | 12 ++---------- | ||
| 20 | 2 files changed, 27 insertions(+), 10 deletions(-) | ||
| 21 | |||
| 22 | diff --git a/target/arm/internals.h b/target/arm/internals.h | ||
| 23 | index XXXXXXX..XXXXXXX 100644 | ||
| 24 | --- a/target/arm/internals.h | ||
| 25 | +++ b/target/arm/internals.h | ||
| 26 | @@ -XXX,XX +XXX,XX @@ static inline bool regime_is_secure(CPUARMState *env, ARMMMUIdx mmu_idx) | ||
| 27 | } | ||
| 28 | } | ||
| 29 | |||
| 30 | +/* Return the FSR value for a debug exception (watchpoint, hardware | ||
| 31 | + * breakpoint or BKPT insn) targeting the specified exception level. | ||
| 32 | + */ | ||
| 33 | +static inline uint32_t arm_debug_exception_fsr(CPUARMState *env) | ||
| 34 | +{ | ||
| 35 | + ARMMMUFaultInfo fi = { .type = ARMFault_Debug }; | ||
| 36 | + int target_el = arm_debug_target_el(env); | ||
| 37 | + bool using_lpae = false; | ||
| 38 | + | ||
| 39 | + if (target_el == 2 || arm_el_is_aa64(env, target_el)) { | ||
| 40 | + using_lpae = true; | ||
| 41 | + } else { | ||
| 42 | + if (arm_feature(env, ARM_FEATURE_LPAE) && | ||
| 43 | + (env->cp15.tcr_el[target_el].raw_tcr & TTBCR_EAE)) { | ||
| 44 | + using_lpae = true; | ||
| 45 | + } | ||
| 46 | + } | ||
| 47 | + | ||
| 48 | + if (using_lpae) { | ||
| 49 | + return arm_fi_to_lfsc(&fi); | ||
| 50 | + } else { | ||
| 51 | + return arm_fi_to_sfsc(&fi); | ||
| 52 | + } | ||
| 53 | +} | ||
| 54 | + | ||
| 55 | #endif | ||
| 56 | diff --git a/target/arm/op_helper.c b/target/arm/op_helper.c | ||
| 57 | index XXXXXXX..XXXXXXX 100644 | ||
| 58 | --- a/target/arm/op_helper.c | ||
| 59 | +++ b/target/arm/op_helper.c | ||
| 60 | @@ -XXX,XX +XXX,XX @@ void arm_debug_excp_handler(CPUState *cs) | ||
| 61 | |||
| 62 | cs->watchpoint_hit = NULL; | ||
| 63 | |||
| 64 | - if (extended_addresses_enabled(env)) { | ||
| 65 | - env->exception.fsr = (1 << 9) | 0x22; | ||
| 66 | - } else { | ||
| 67 | - env->exception.fsr = 0x2; | ||
| 68 | - } | ||
| 69 | + env->exception.fsr = arm_debug_exception_fsr(env); | ||
| 70 | env->exception.vaddress = wp_hit->hitaddr; | ||
| 71 | raise_exception(env, EXCP_DATA_ABORT, | ||
| 72 | syn_watchpoint(same_el, 0, wnr), | ||
| 73 | @@ -XXX,XX +XXX,XX @@ void arm_debug_excp_handler(CPUState *cs) | ||
| 74 | return; | ||
| 75 | } | ||
| 76 | |||
| 77 | - if (extended_addresses_enabled(env)) { | ||
| 78 | - env->exception.fsr = (1 << 9) | 0x22; | ||
| 79 | - } else { | ||
| 80 | - env->exception.fsr = 0x2; | ||
| 81 | - } | ||
| 82 | + env->exception.fsr = arm_debug_exception_fsr(env); | ||
| 83 | /* FAR is UNKNOWN, so doesn't need setting */ | ||
| 84 | raise_exception(env, EXCP_PREFETCH_ABORT, | ||
| 85 | syn_breakpoint(same_el), | ||
| 86 | -- | ||
| 87 | 2.16.2 | ||
| 88 | |||
| 89 | diff view generated by jsdifflib |
Deleted patch | |||
|---|---|---|---|
| 1 | Now that we have a helper function specifically for the BRK and | ||
| 2 | BKPT instructions, we can set the exception.fsr there rather | ||
| 3 | than in arm_cpu_do_interrupt_aarch32(). This allows us to | ||
| 4 | use our new arm_debug_exception_fsr() helper. | ||
| 5 | 1 | ||
| 6 | In particular this fixes a bug where we were hardcoding the | ||
| 7 | short-form IFSR value, which is wrong if the target exception | ||
| 8 | level has LPAE enabled. | ||
| 9 | |||
| 10 | Fixes: https://bugs.launchpad.net/qemu/+bug/1756927 | ||
| 11 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | ||
| 12 | Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> | ||
| 13 | Message-id: 20180320134114.30418-4-peter.maydell@linaro.org | ||
| 14 | --- | ||
| 15 | target/arm/helper.c | 1 - | ||
| 16 | target/arm/op_helper.c | 2 ++ | ||
| 17 | 2 files changed, 2 insertions(+), 1 deletion(-) | ||
| 18 | |||
| 19 | diff --git a/target/arm/helper.c b/target/arm/helper.c | ||
| 20 | index XXXXXXX..XXXXXXX 100644 | ||
| 21 | --- a/target/arm/helper.c | ||
| 22 | +++ b/target/arm/helper.c | ||
| 23 | @@ -XXX,XX +XXX,XX @@ static void arm_cpu_do_interrupt_aarch32(CPUState *cs) | ||
| 24 | offset = 0; | ||
| 25 | break; | ||
| 26 | case EXCP_BKPT: | ||
| 27 | - env->exception.fsr = 2; | ||
| 28 | /* Fall through to prefetch abort. */ | ||
| 29 | case EXCP_PREFETCH_ABORT: | ||
| 30 | A32_BANKED_CURRENT_REG_SET(env, ifsr, env->exception.fsr); | ||
| 31 | diff --git a/target/arm/op_helper.c b/target/arm/op_helper.c | ||
| 32 | index XXXXXXX..XXXXXXX 100644 | ||
| 33 | --- a/target/arm/op_helper.c | ||
| 34 | +++ b/target/arm/op_helper.c | ||
| 35 | @@ -XXX,XX +XXX,XX @@ void HELPER(exception_with_syndrome)(CPUARMState *env, uint32_t excp, | ||
| 36 | */ | ||
| 37 | void HELPER(exception_bkpt_insn)(CPUARMState *env, uint32_t syndrome) | ||
| 38 | { | ||
| 39 | + /* FSR will only be used if the debug target EL is AArch32. */ | ||
| 40 | + env->exception.fsr = arm_debug_exception_fsr(env); | ||
| 41 | raise_exception(env, EXCP_BKPT, syndrome, arm_debug_target_el(env)); | ||
| 42 | } | ||
| 43 | |||
| 44 | -- | ||
| 45 | 2.16.2 | ||
| 46 | |||
| 47 | diff view generated by jsdifflib |
Deleted patch | |||
|---|---|---|---|
| 1 | For debug exceptions due to breakpoints or the BKPT instruction which | ||
| 2 | are taken to AArch32, the Fault Address Register is architecturally | ||
| 3 | UNKNOWN. We were using that as license to simply not set | ||
| 4 | env->exception.vaddress, but this isn't correct, because it will | ||
| 5 | expose to the guest whatever old value was in that field when | ||
| 6 | arm_cpu_do_interrupt_aarch32() writes it to the guest IFSR. That old | ||
| 7 | value might be a FAR for a previous guest EL2 or secure exception, in | ||
| 8 | which case we shouldn't show it to an EL1 or non-secure exception | ||
| 9 | handler. It might also be a non-deterministic value, which is bad | ||
| 10 | for record-and-replay. | ||
| 11 | 1 | ||
| 12 | Clear env->exception.vaddress before taking breakpoint debug | ||
| 13 | exceptions, to avoid this minor information leak. | ||
| 14 | |||
| 15 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | ||
| 16 | Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> | ||
| 17 | Message-id: 20180320134114.30418-5-peter.maydell@linaro.org | ||
| 18 | --- | ||
| 19 | target/arm/op_helper.c | 11 ++++++++++- | ||
| 20 | 1 file changed, 10 insertions(+), 1 deletion(-) | ||
| 21 | |||
| 22 | diff --git a/target/arm/op_helper.c b/target/arm/op_helper.c | ||
| 23 | index XXXXXXX..XXXXXXX 100644 | ||
| 24 | --- a/target/arm/op_helper.c | ||
| 25 | +++ b/target/arm/op_helper.c | ||
| 26 | @@ -XXX,XX +XXX,XX @@ void HELPER(exception_bkpt_insn)(CPUARMState *env, uint32_t syndrome) | ||
| 27 | { | ||
| 28 | /* FSR will only be used if the debug target EL is AArch32. */ | ||
| 29 | env->exception.fsr = arm_debug_exception_fsr(env); | ||
| 30 | + /* FAR is UNKNOWN: clear vaddress to avoid potentially exposing | ||
| 31 | + * values to the guest that it shouldn't be able to see at its | ||
| 32 | + * exception/security level. | ||
| 33 | + */ | ||
| 34 | + env->exception.vaddress = 0; | ||
| 35 | raise_exception(env, EXCP_BKPT, syndrome, arm_debug_target_el(env)); | ||
| 36 | } | ||
| 37 | |||
| 38 | @@ -XXX,XX +XXX,XX @@ void arm_debug_excp_handler(CPUState *cs) | ||
| 39 | } | ||
| 40 | |||
| 41 | env->exception.fsr = arm_debug_exception_fsr(env); | ||
| 42 | - /* FAR is UNKNOWN, so doesn't need setting */ | ||
| 43 | + /* FAR is UNKNOWN: clear vaddress to avoid potentially exposing | ||
| 44 | + * values to the guest that it shouldn't be able to see at its | ||
| 45 | + * exception/security level. | ||
| 46 | + */ | ||
| 47 | + env->exception.vaddress = 0; | ||
| 48 | raise_exception(env, EXCP_PREFETCH_ABORT, | ||
| 49 | syn_breakpoint(same_el), | ||
| 50 | arm_debug_target_el(env)); | ||
| 51 | -- | ||
| 52 | 2.16.2 | ||
| 53 | |||
| 54 | diff view generated by jsdifflib |