Series comparison

-[Qemu-devel] [PULL 0/8] target-arm queue
+[PULL 0/5] target-arm queue
-target-arm queue: a smallish set of patches for rc1 tomorrow.
+Handful of arm fixes for the rc.
 I've included the tcg patches because RTH has no others that
 would merit a pullreq.
-I haven't included Thomas Huth's 17-patch set to deal with
+The following changes since commit 555249a59e9cdd6b58da103aba5cf3a2d45c899f:
 the introspection crashes, to give that a little more time
 on-list for review.
-thanks
+  Merge remote-tracking branch 'remotes/ehabkost-gl/tags/x86-next-pull-request' into staging (2021-04-10 16:58:56 +0100)
 -- PMM
 The following changes since commit 102ad0a80f5110483efd06877c29c4236be267f9:
   Merge remote-tracking branch 'remotes/armbru/tags/pull-misc-2018-07-16' into staging (2018-07-16 15:34:38 +0100)
 are available in the Git repository at:
-  git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20180716
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20210412
-for you to fetch changes up to 3474c98a2a2afcefa7c665f02ad2bed2a43ab0f7:
+for you to fetch changes up to 52c01ada86611136e3122dd139788dbcbc292d86:
-  accel/tcg: Assert that tlb fill gave us a valid TLB entry (2018-07-16 17:26:01 +0100)
+  exec: Fix overlap of PAGE_ANON and PAGE_TARGET_1 (2021-04-12 11:06:24 +0100)
 ----------------------------------------------------------------
 target-arm queue:
- * accel/tcg: Use correct test when looking in victim TLB for code
+ * hw/arm/virt-acpi-build: Fix GSIV values of the {GERR, Sync} interrupts
- * bcm2835_aux: Swap RX and TX interrupt assignments
+ * hw/arm/smmuv3: Emulate CFGI_STE_RANGE for an aligned range of StreamIDs
- * hw/arm/bcm2836: Mark the bcm2836 / bcm2837 devices with user_creatable = false
+ * accel/tcg: Preserve PAGE_ANON when changing page permissions
- * hw/intc/arm_gic: Fix handling of GICD_ITARGETSR
+ * target/arm: Check PAGE_WRITE_ORG for MTE writeability
- * hw/intc/arm_gic: Check interrupt number in gic_deactivate_irq()
+ * exec: Fix overlap of PAGE_ANON and PAGE_TARGET_1
  * aspeed: Implement write-1-{set, clear} for AST2500 strapping
  * target/arm: Fix LD1W and LDFF1W (scalar plus vector)
 ----------------------------------------------------------------
-Andrew Jeffery (1):
+Richard Henderson (3):
-      aspeed: Implement write-1-{set, clear} for AST2500 strapping
+      accel/tcg: Preserve PAGE_ANON when changing page permissions
       target/arm: Check PAGE_WRITE_ORG for MTE writeability
       exec: Fix overlap of PAGE_ANON and PAGE_TARGET_1
-Guenter Roeck (1):
+Zenghui Yu (2):
-      bcm2835_aux: Swap RX and TX interrupt assignments
+      hw/arm/virt-acpi-build: Fix GSIV values of the {GERR, Sync} interrupts
       hw/arm/smmuv3: Emulate CFGI_STE_RANGE for an aligned range of StreamIDs
-Peter Maydell (4):
+ include/exec/cpu-all.h            |  4 ++--
-      hw/intc/arm_gic: Check interrupt number in gic_deactivate_irq()
+ tests/tcg/aarch64/mte.h           |  3 ++-
-      hw/intc/arm_gic: Fix handling of GICD_ITARGETSR
+ accel/tcg/translate-all.c         |  9 ++++++--
-      accel/tcg: Use correct test when looking in victim TLB for code
+ hw/arm/smmuv3.c                   | 12 +++++++----
-      accel/tcg: Assert that tlb fill gave us a valid TLB entry
+ hw/arm/virt-acpi-build.c          |  4 ++--
  target/arm/mte_helper.c           |  2 +-
  tests/tcg/aarch64/mte-6.c         | 43 +++++++++++++++++++++++++++++++++++++++
  tests/tcg/aarch64/Makefile.target |  2 +-
 files changed, 66 insertions(+), 13 deletions(-)
  create mode 100644 tests/tcg/aarch64/mte-6.c
-Richard Henderson (1):
-      target/arm: Fix LD1W and LDFF1W (scalar plus vector)
-Thomas Huth (1):
-      hw/arm/bcm2836: Mark the bcm2836 / bcm2837 devices with user_creatable = false
- include/hw/misc/aspeed_scu.h |  2 ++
- accel/tcg/cputlb.c           |  6 +++---
- hw/arm/bcm2836.c             |  2 ++
- hw/char/bcm2835_aux.c        |  4 ++--
- hw/intc/arm_gic.c            | 22 +++++++++++++++++++---
- hw/misc/aspeed_scu.c         | 19 +++++++++++++++++--
- target/arm/sve_helper.c      |  4 ++--
-files changed, 47 insertions(+), 12 deletions(-)

-[Qemu-devel] [PULL 8/8] accel/tcg: Assert that tlb fill gave us a valid TLB entry
+[PULL 1/5] hw/arm/virt-acpi-build: Fix GSIV values of the {GERR, Sync} interrupts
-In commit 4b1a3e1e34ad97 we added a check for whether the TLB entry
+From: Zenghui Yu <yuzenghui@huawei.com>
 we had following a tlb_fill had the INVALID bit set.  This could
 happen in some circumstances because a stale or wrong TLB entry was
 pulled out of the victim cache.  However, after commit
 fea038553039e (which prevents stale entries being in the victim
 cache) and the previous commit (which ensures we don't incorrectly
 hit in the victim cache)) this should never be possible.
-Drop the check on TLB_INVALID_MASK from the "is this a TLB_RECHECK?"
+The GSIV values in SMMUv3 IORT node are not correct as they don't match
-condition, and instead assert that the tlb fill procedure has given
+the SMMUIrq enumeration, which describes the IRQ<->PIN mapping used by
-us a valid TLB entry (or longjumped out with a guest exception).
+our emulated vSMMU.
+Fixes: a703b4f6c1ee ("hw/arm/virt-acpi-build: Add smmuv3 node in IORT table")
+Signed-off-by: Zenghui Yu <yuzenghui@huawei.com>
+Acked-by: Eric Auger <eric.auger@redhat.com>
+Message-id: 20210402084731.93-1-yuzenghui@huawei.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180713141636.18665-3-peter.maydell@linaro.org
 ---
- accel/tcg/cputlb.c | 4 ++--
+ hw/arm/virt-acpi-build.c | 4 ++--
 file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
+diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c
 index XXXXXXX..XXXXXXX 100644
---- a/accel/tcg/cputlb.c
+--- a/hw/arm/virt-acpi-build.c
-+++ b/accel/tcg/cputlb.c
++++ b/hw/arm/virt-acpi-build.c
-@@ -XXX,XX +XXX,XX @@ tb_page_addr_t get_page_addr_code(CPUArchState *env, target_ulong addr)
+@@ -XXX,XX +XXX,XX @@ build_iort(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
-         if (!VICTIM_TLB_HIT(addr_code, addr)) {
+         smmu->flags = cpu_to_le32(ACPI_IORT_SMMU_V3_COHACC_OVERRIDE);
-             tlb_fill(ENV_GET_CPU(env), addr, 0, MMU_INST_FETCH, mmu_idx, 0);
+         smmu->event_gsiv = cpu_to_le32(irq);
-         }
+         smmu->pri_gsiv = cpu_to_le32(irq + 1);
-+        assert(tlb_hit(env->tlb_table[mmu_idx][index].addr_code, addr));
+-        smmu->gerr_gsiv = cpu_to_le32(irq + 2);
-     }
+-        smmu->sync_gsiv = cpu_to_le32(irq + 3);
++        smmu->sync_gsiv = cpu_to_le32(irq + 2);
--    if (unlikely((env->tlb_table[mmu_idx][index].addr_code &
++        smmu->gerr_gsiv = cpu_to_le32(irq + 3);
--                  (TLB_RECHECK | TLB_INVALID_MASK)) == TLB_RECHECK)) {
-+    if (unlikely(env->tlb_table[mmu_idx][index].addr_code & TLB_RECHECK)) {
+         /* Identity RID mapping covering the whole input RID range */
-         /*
+         idmap = &smmu->id_mapping_array[0];
           * This is a TLB_RECHECK access, where the MMU protection
           * covers a smaller range than a target page, and we must
 --
-.17.1
+.20.1

-[Qemu-devel] [PULL 2/8] aspeed: Implement write-1-{set, clear} for AST2500 strapping
+[PULL 2/5] hw/arm/smmuv3: Emulate CFGI_STE_RANGE for an aligned range of StreamIDs
-From: Andrew Jeffery <andrew@aj.id.au>
+From: Zenghui Yu <yuzenghui@huawei.com>
-The AST2500 SoC family changes the runtime behaviour of the hardware
+In emulation of the CFGI_STE_RANGE command, we now take StreamID as the
-strapping register (SCU70) to write-1-set/write-1-clear, with
+start of the invalidation range, regardless of whatever the Range is,
-write-1-clear implemented on the "read-only" SoC revision register
+whilst the spec clearly states that
 (SCU7C). For the the AST2400, the hardware strapping is
 runtime-configured with read-modify-write semantics.
-Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
+ - "Invalidation is performed for an *aligned* range of 2^(Range+1)
-Reviewed-by: Joel Stanley <joel@jms.id.au>
+    StreamIDs."
-Message-id: 20180709143524.17480-1-andrew@aj.id.au
  - "The bottom Range+1 bits of the StreamID parameter are IGNORED,
     aligning the range to its size."
 Take CFGI_ALL (where Range == 31) as an example, if there are some random
 bits in the StreamID field, we'll fail to perform the full invalidation but
 get a strange range (e.g., SMMUSIDRange={.start=1, .end=0}) instead. Rework
 the emulation a bit to get rid of the discrepancy with the spec.
 Signed-off-by: Zenghui Yu <yuzenghui@huawei.com>
 Acked-by: Eric Auger <eric.auger@redhat.com>
 Message-id: 20210402100449.528-1-yuzenghui@huawei.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- include/hw/misc/aspeed_scu.h |  2 ++
+ hw/arm/smmuv3.c | 12 ++++++++----
- hw/misc/aspeed_scu.c         | 19 +++++++++++++++++--
+file changed, 8 insertions(+), 4 deletions(-)
 files changed, 19 insertions(+), 2 deletions(-)
-diff --git a/include/hw/misc/aspeed_scu.h b/include/hw/misc/aspeed_scu.h
+diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
 index XXXXXXX..XXXXXXX 100644
---- a/include/hw/misc/aspeed_scu.h
+--- a/hw/arm/smmuv3.c
-+++ b/include/hw/misc/aspeed_scu.h
++++ b/hw/arm/smmuv3.c
-@@ -XXX,XX +XXX,XX @@ typedef struct AspeedSCUState {
+@@ -XXX,XX +XXX,XX @@ static int smmuv3_cmdq_consume(SMMUv3State *s)
- #define AST2500_A0_SILICON_REV   0x04000303U
+         }
- #define AST2500_A1_SILICON_REV   0x04010303U
+         case SMMU_CMD_CFGI_STE_RANGE: /* same as SMMU_CMD_CFGI_ALL */
+         {
-+#define ASPEED_IS_AST2500(si_rev)     ((((si_rev) >> 24) & 0xff) == 0x04)
+-            uint32_t start = CMD_SID(&cmd);
 +            uint32_t sid = CMD_SID(&cmd), mask;
              uint8_t range = CMD_STE_RANGE(&cmd);
 -            uint64_t end = start + (1ULL << (range + 1)) - 1;
 -            SMMUSIDRange sid_range = {start, end};
 +            SMMUSIDRange sid_range;
              if (CMD_SSEC(&cmd)) {
                  cmd_error = SMMU_CERROR_ILL;
                  break;
              }
 -            trace_smmuv3_cmdq_cfgi_ste_range(start, end);
 +
- extern bool is_supported_silicon_rev(uint32_t silicon_rev);
++            mask = (1ULL << (range + 1)) - 1;
++            sid_range.start = sid & ~mask;
- #define ASPEED_SCU_PROT_KEY      0x1688A8A8
++            sid_range.end = sid_range.start + mask;
-diff --git a/hw/misc/aspeed_scu.c b/hw/misc/aspeed_scu.c
++
-index XXXXXXX..XXXXXXX 100644
++            trace_smmuv3_cmdq_cfgi_ste_range(sid_range.start, sid_range.end);
---- a/hw/misc/aspeed_scu.c
+             g_hash_table_foreach_remove(bs->configs, smmuv3_invalidate_ste,
-+++ b/hw/misc/aspeed_scu.c
+                                         &sid_range);
-@@ -XXX,XX +XXX,XX @@ static void aspeed_scu_write(void *opaque, hwaddr offset, uint64_t data,
+             break;
          s->regs[reg] = data;
          aspeed_scu_set_apb_freq(s);
          break;
 -
 +    case HW_STRAP1:
 +        if (ASPEED_IS_AST2500(s->regs[SILICON_REV])) {
 +            s->regs[HW_STRAP1] |= data;
 +            return;
 +        }
 +        /* Jump to assignment below */
 +        break;
 +    case SILICON_REV:
 +        if (ASPEED_IS_AST2500(s->regs[SILICON_REV])) {
 +            s->regs[HW_STRAP1] &= ~data;
 +        } else {
 +            qemu_log_mask(LOG_GUEST_ERROR,
 +                          "%s: Write to read-only offset 0x%" HWADDR_PRIx "\n",
 +                          __func__, offset);
 +        }
 +        /* Avoid assignment below, we've handled everything */
 +        return;
      case FREQ_CNTR_EVAL:
      case VGA_SCRATCH1 ... VGA_SCRATCH8:
      case RNG_DATA:
 -    case SILICON_REV:
      case FREE_CNTR4:
      case FREE_CNTR4_EXT:
          qemu_log_mask(LOG_GUEST_ERROR,
 --
-.17.1
+.20.1

-[Qemu-devel] [PULL 5/8] hw/arm/bcm2836: Mark the bcm2836 / bcm2837 devices with user_creatable = false
+[PULL 3/5] accel/tcg: Preserve PAGE_ANON when changing page permissions
-From: Thomas Huth <thuth@redhat.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-These devices are currently causing some problems when a user is trying
+Using mprotect() to change PROT_* does not change the MAP_ANON
-to hot-plug or introspect them during runtime. Since these devices can
+previously set with mmap().  Our linux-user version of MTE only
-not be instantiated by the user at all (they need to be wired up in code
+works with MAP_ANON pages, so losing PAGE_ANON caused MTE to
-instead), we should mark them with user_creatable = false anyway, then we
+stop working.
 avoid at least the crashes with the hot-plugging. The introspection problem
 will be handled by a separate patch.
-Signed-off-by: Thomas Huth <thuth@redhat.com>
+Reported-by: Stephen Long <steplong@quicinc.com>
-Message-id: 1531415537-26037-1-git-send-email-thuth@redhat.com
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Markus Armbruster <armbru@redhat.com>
+Tested-by: Alex Bennée <alex.bennee@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/bcm2836.c | 2 ++
+ tests/tcg/aarch64/mte.h           |  3 ++-
-file changed, 2 insertions(+)
+ accel/tcg/translate-all.c         |  9 +++++--
  tests/tcg/aarch64/mte-6.c         | 43 +++++++++++++++++++++++++++++++
  tests/tcg/aarch64/Makefile.target |  2 +-
 files changed, 53 insertions(+), 4 deletions(-)
  create mode 100644 tests/tcg/aarch64/mte-6.c
-diff --git a/hw/arm/bcm2836.c b/hw/arm/bcm2836.c
+diff --git a/tests/tcg/aarch64/mte.h b/tests/tcg/aarch64/mte.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/bcm2836.c
+--- a/tests/tcg/aarch64/mte.h
-+++ b/hw/arm/bcm2836.c
++++ b/tests/tcg/aarch64/mte.h
-@@ -XXX,XX +XXX,XX @@ static void bcm283x_class_init(ObjectClass *oc, void *data)
+@@ -XXX,XX +XXX,XX @@ static void enable_mte(int tcf)
-     bc->info = data;
+     }
      dc->realize = bcm2836_realize;
      dc->props = bcm2836_props;
 +    /* Reason: Must be wired up in code (see raspi_init() function) */
 +    dc->user_creatable = false;
  }
- static const TypeInfo bcm283x_type_info = {
+-static void *alloc_mte_mem(size_t size)
 +static void * alloc_mte_mem(size_t size) __attribute__((unused));
 +static void * alloc_mte_mem(size_t size)
  {
      void *p = mmap(NULL, size, PROT_READ | PROT_WRITE | PROT_MTE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
 diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/translate-all.c
 +++ b/accel/tcg/translate-all.c
@@ -XXX,XX +XXX,XX @@ void page_set_flags(target_ulong start, target_ulong end, int flags)
         a missing call to h2g_valid.  */
      assert(end - 1 <= GUEST_ADDR_MAX);
      assert(start < end);
 +    /* Only set PAGE_ANON with new mappings. */
 +    assert(!(flags & PAGE_ANON) || (flags & PAGE_RESET));
      assert_memory_lock();
      start = start & TARGET_PAGE_MASK;
@@ -XXX,XX +XXX,XX @@ void page_set_flags(target_ulong start, target_ulong end, int flags)
              p->first_tb) {
              tb_invalidate_phys_page(addr, 0);
          }
 -        if (reset_target_data && p->target_data) {
 +        if (reset_target_data) {
              g_free(p->target_data);
              p->target_data = NULL;
 +            p->flags = flags;
 +        } else {
 +            /* Using mprotect on a page does not change MAP_ANON. */
 +            p->flags = (p->flags & PAGE_ANON) | flags;
          }
 -        p->flags = flags;
      }
  }
 diff --git a/tests/tcg/aarch64/mte-6.c b/tests/tcg/aarch64/mte-6.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/tests/tcg/aarch64/mte-6.c
@@ -XXX,XX +XXX,XX @@
 +#include "mte.h"
 +
 +void pass(int sig, siginfo_t *info, void *uc)
 +{
 +    assert(info->si_code == SEGV_MTESERR);
 +    exit(0);
 +}
 +
 +int main(void)
 +{
 +    enable_mte(PR_MTE_TCF_SYNC);
 +
 +    void *brk = sbrk(16);
 +    if (brk == (void *)-1) {
 +        perror("sbrk");
 +        return 2;
 +    }
 +
 +    if (mprotect(brk, 16, PROT_READ | PROT_WRITE | PROT_MTE)) {
 +        perror("mprotect");
 +        return 2;
 +    }
 +
 +    int *p1, *p2;
 +    long excl = 1;
 +
 +    asm("irg %0,%1,%2" : "=r"(p1) : "r"(brk), "r"(excl));
 +    asm("gmi %0,%1,%0" : "+r"(excl) : "r"(p1));
 +    asm("irg %0,%1,%2" : "=r"(p2) : "r"(brk), "r"(excl));
 +    asm("stg %0,[%0]" : : "r"(p1));
 +
 +    *p1 = 0;
 +
 +    struct sigaction sa;
 +    memset(&sa, 0, sizeof(sa));
 +    sa.sa_sigaction = pass;
 +    sa.sa_flags = SA_SIGINFO;
 +    sigaction(SIGSEGV, &sa, NULL);
 +
 +    *p2 = 0;
 +
 +    abort();
 +}
 diff --git a/tests/tcg/aarch64/Makefile.target b/tests/tcg/aarch64/Makefile.target
 index XXXXXXX..XXXXXXX 100644
 --- a/tests/tcg/aarch64/Makefile.target
 +++ b/tests/tcg/aarch64/Makefile.target
@@ -XXX,XX +XXX,XX @@ AARCH64_TESTS += bti-2
  # MTE Tests
  ifneq ($(DOCKER_IMAGE)$(CROSS_CC_HAS_ARMV8_MTE),)
 -AARCH64_TESTS += mte-1 mte-2 mte-3 mte-4
 +AARCH64_TESTS += mte-1 mte-2 mte-3 mte-4 mte-6
  mte-%: CFLAGS += -march=armv8.5-a+memtag
  endif
 --
-.17.1
+.20.1

-[Qemu-devel] [PULL 1/8] target/arm: Fix LD1W and LDFF1W (scalar plus vector)
+[PULL 4/5] target/arm: Check PAGE_WRITE_ORG for MTE writeability
 From: Richard Henderson <richard.henderson@linaro.org>
-'I' was being double-incremented; correctly within the inner loop
+We can remove PAGE_WRITE when (internally) marking a page
-and incorrectly within the outer loop.
+read-only because it contains translated code.
 This can be triggered by tests/tcg/aarch64/bti-2, after
 having serviced SIGILL trampolines on the stack.
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Laurent Desnogues <laurent.desnogues@gmail.com>
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Tested-by: Alex Bennée <alex.bennee@linaro.org>
-Message-id: 20180711103957.3040-1-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/sve_helper.c | 4 ++--
+ target/arm/mte_helper.c | 2 +-
-file changed, 2 insertions(+), 2 deletions(-)
+file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
+diff --git a/target/arm/mte_helper.c b/target/arm/mte_helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sve_helper.c
+--- a/target/arm/mte_helper.c
-+++ b/target/arm/sve_helper.c
++++ b/target/arm/mte_helper.c
-@@ -XXX,XX +XXX,XX @@ void HELPER(NAME)(CPUARMState *env, void *vd, void *vg, void *vm,       \
+@@ -XXX,XX +XXX,XX @@ static uint8_t *allocation_tag_mem(CPUARMState *env, int ptr_mmu_idx,
-     intptr_t i, oprsz = simd_oprsz(desc);                               \
+     uint8_t *tags;
-     unsigned scale = simd_data(desc);                                   \
+     uintptr_t index;
-     uintptr_t ra = GETPC();                                             \
--    for (i = 0; i < oprsz; i++) {                                       \
+-    if (!(flags & (ptr_access == MMU_DATA_STORE ? PAGE_WRITE : PAGE_READ))) {
-+    for (i = 0; i < oprsz; ) {                                          \
++    if (!(flags & (ptr_access == MMU_DATA_STORE ? PAGE_WRITE_ORG : PAGE_READ))) {
-         uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));                 \
+         /* SIGSEGV */
-         do {                                                            \
+         arm_cpu_tlb_fill(env_cpu(env), ptr, ptr_size, ptr_access,
-             TYPEM m = 0;                                                \
+                          ptr_mmu_idx, false, ra);
@@ -XXX,XX +XXX,XX @@ void HELPER(NAME)(CPUARMState *env, void *vd, void *vg, void *vm,       \
      uintptr_t ra = GETPC();                                             \
      bool first = true;                                                  \
      mmap_lock();                                                        \
 -    for (i = 0; i < oprsz; i++) {                                       \
 +    for (i = 0; i < oprsz; ) {                                          \
          uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));                 \
          do {                                                            \
              TYPEM m = 0;                                                \
 --
-.17.1
+.20.1

-[Qemu-devel] [PULL 3/8] hw/intc/arm_gic: Check interrupt number in gic_deactivate_irq()
+Deleted patch
-In gic_deactivate_irq() the interrupt number comes from the guest
-(on a write to the GICC_DIR register), so we need to sanity check
-that it isn't out of range before we use it as an array index.
-Handle this in a similar manner to the check we do in
-gic_complete_irq() for the GICC_EOI register.
-The array overrun is not disastrous because the calling code
-uses (value & 0x3ff) to extract the interrupt field, so the
-only out-of-range values possible are 1020..1023, which allow
-overrunning only from irq_state[] into the following
-irq_target[] array which the guest can already manipulate.
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Luc Michel <luc.michel@greensocs.com>
-Message-id: 20180712154152.32183-2-peter.maydell@linaro.org
----
- hw/intc/arm_gic.c | 16 +++++++++++++++-
-file changed, 15 insertions(+), 1 deletion(-)
-diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/arm_gic.c
-+++ b/hw/intc/arm_gic.c
-@@ -XXX,XX +XXX,XX @@ static bool gic_eoi_split(GICState *s, int cpu, MemTxAttrs attrs)
- static void gic_deactivate_irq(GICState *s, int cpu, int irq, MemTxAttrs attrs)
- {
-     int cm = 1 << cpu;
--    int group = gic_has_groups(s) && GIC_TEST_GROUP(irq, cm);
-+    int group;
-+
-+    if (irq >= s->num_irq) {
-+        /*
-+         * This handles two cases:
-+         * 1. If software writes the ID of a spurious interrupt [ie 1023]
-+         * to the GICC_DIR, the GIC ignores that write.
-+         * 2. If software writes the number of a non-existent interrupt
-+         * this must be a subcase of "value written is not an active interrupt"
-+         * and so this is UNPREDICTABLE. We choose to ignore it.
-+         */
-+        return;
-+    }
-+
-+    group = gic_has_groups(s) && GIC_TEST_GROUP(irq, cm);
-     if (!gic_eoi_split(s, cpu, attrs)) {
-         /* This is UNPREDICTABLE; we choose to ignore it */
---
-.17.1

-[Qemu-devel] [PULL 4/8] hw/intc/arm_gic: Fix handling of GICD_ITARGETSR
+Deleted patch
-The GICD_ITARGETSR implementation still has some 11MPCore behaviour
-that we were incorrectly using in our GICv1 and GICv2 implementations
-for the case where the interrupt number is less than GIC_INTERNAL.
-The desired behaviour here is:
- * for 11MPCore: RAZ/WI for irqs 0..28; read a number matching the
-   CPU doing the read for irqs 29..31
- * for GICv1 and v2: RAZ/WI if uniprocessor; otherwise read a
-   number matching the CPU doing the read for all irqs < 32
-Stop squashing GICD_ITARGETSR to 0 for IRQs 0..28 unless this
-is an 11MPCore GIC.
-Reported-by: Jan Kiszka <jan.kiszka@web.de>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Luc Michel <luc.michel@greensocs.com>
-Message-id: 20180712154152.32183-3-peter.maydell@linaro.org
----
- hw/intc/arm_gic.c | 6 ++++--
-file changed, 4 insertions(+), 2 deletions(-)
-diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/arm_gic.c
-+++ b/hw/intc/arm_gic.c
-@@ -XXX,XX +XXX,XX @@ static uint32_t gic_dist_readb(void *opaque, hwaddr offset, MemTxAttrs attrs)
-             if (irq >= s->num_irq) {
-                 goto bad_reg;
-             }
--            if (irq >= 29 && irq <= 31) {
-+            if (irq < 29 && s->revision == REV_11MPCORE) {
-+                res = 0;
-+            } else if (irq < GIC_INTERNAL) {
-                 res = cm;
-             } else {
-                 res = GIC_TARGET(irq);
-@@ -XXX,XX +XXX,XX @@ static void gic_dist_writeb(void *opaque, hwaddr offset,
-             if (irq >= s->num_irq) {
-                 goto bad_reg;
-             }
--            if (irq < 29) {
-+            if (irq < 29 && s->revision == REV_11MPCORE) {
-                 value = 0;
-             } else if (irq < GIC_INTERNAL) {
-                 value = ALL_CPU_MASK;
---
-.17.1

-[Qemu-devel] [PULL 6/8] bcm2835_aux: Swap RX and TX interrupt assignments
+[PULL 5/5] exec: Fix overlap of PAGE_ANON and PAGE_TARGET_1
-From: Guenter Roeck <linux@roeck-us.net>
+From: Richard Henderson <richard.henderson@linaro.org>
-RX and TX interrupt bits were reversed, resulting in an endless sequence
+Unfortuately, the elements of PAGE_* were not in numerical
-of serial interupts in the emulated system and the following repeated
+order and so PAGE_ANON was added to an "unused" bit.
-error message when booting Linux.
+As an arbitrary choice, move PAGE_TARGET_{1,2} together.
-serial8250: too much work for irq61
+Cc: Laurent Vivier <laurent@vivier.eu>
+Fixes: 26bab757d41b ("linux-user: Introduce PAGE_ANON")
-This results in a boot failure most of the time.
+Buglink: https://bugs.launchpad.net/bugs/1922617
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Qemu command line used to reproduce the problem:
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Laurent Vivier <laurent@vivier.eu>
-    qemu-system-aarch64 -M raspi3 -m 1024 \
+Tested-by: Laurent Vivier <laurent@vivier.eu>
-    -kernel arch/arm64/boot/Image \
+Tested-by: Nathan Chancellor <nathan@kernel.org>
     --append "rdinit=/sbin/init console=ttyS1,115200"
     -initrd rootfs.cpio \
     -dtb arch/arm64/boot/dts/broadcom/bcm2837-rpi-3-b.dtb \
     -nographic -monitor null -serial null -serial stdio
 This is with arm64:defconfig. The root file system was generated using
 buildroot.
 NB that this error likely arises from an erratum in the
 BCM2835 datasheet where the TX and RX bits were swapped
 in the AU_MU_IER_REG description (but correct for IIR):
  https://elinux.org/BCM2835_datasheet_errata#p12
 Signed-off-by: Guenter Roeck <linux@roeck-us.net>
 Message-id: 1529355846-25102-1-git-send-email-linux@roeck-us.net
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 [PMM: added NB about datasheet]
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/char/bcm2835_aux.c | 4 ++--
+ include/exec/cpu-all.h | 4 ++--
 file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/hw/char/bcm2835_aux.c b/hw/char/bcm2835_aux.c
+diff --git a/include/exec/cpu-all.h b/include/exec/cpu-all.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/char/bcm2835_aux.c
+--- a/include/exec/cpu-all.h
-+++ b/hw/char/bcm2835_aux.c
++++ b/include/exec/cpu-all.h
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ extern intptr_t qemu_host_page_mask;
- #define AUX_MU_BAUD_REG 0x68
+ #define PAGE_RESERVED  0x0100
+ #endif
- /* bits in IER/IIR registers */
+ /* Target-specific bits that will be used via page_get_flags().  */
--#define TX_INT  0x1
+-#define PAGE_TARGET_1  0x0080
--#define RX_INT  0x2
+-#define PAGE_TARGET_2  0x0200
-+#define RX_INT  0x1
++#define PAGE_TARGET_1  0x0200
-+#define TX_INT  0x2
++#define PAGE_TARGET_2  0x0400
- static void bcm2835_aux_update(BCM2835AuxState *s)
+ #if defined(CONFIG_USER_ONLY)
- {
+ void page_dump(FILE *f);
 --
-.17.1
+.20.1

-[Qemu-devel] [PULL 7/8] accel/tcg: Use correct test when looking in victim TLB for code
+Deleted patch
-In get_page_addr_code(), we were incorrectly looking in the victim
-TLB for an entry which matched the target address for reads, not
-for code accesses. This meant that we could hit on a victim TLB
-entry that indicated that the address was readable but not
-executable, and incorrectly bypass the call to tlb_fill() which
-should generate the guest MMU exception. Fix this bug.
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180713141636.18665-2-peter.maydell@linaro.org
----
- accel/tcg/cputlb.c | 2 +-
-file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
-index XXXXXXX..XXXXXXX 100644
---- a/accel/tcg/cputlb.c
-+++ b/accel/tcg/cputlb.c
-@@ -XXX,XX +XXX,XX @@ tb_page_addr_t get_page_addr_code(CPUArchState *env, target_ulong addr)
-     index = (addr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1);
-     mmu_idx = cpu_mmu_index(env, true);
-     if (unlikely(!tlb_hit(env->tlb_table[mmu_idx][index].addr_code, addr))) {
--        if (!VICTIM_TLB_HIT(addr_read, addr)) {
-+        if (!VICTIM_TLB_HIT(addr_code, addr)) {
-             tlb_fill(ENV_GET_CPU(env), addr, 0, MMU_INST_FETCH, mmu_idx, 0);
-         }
-     }
---
-.17.1

target-arm queue: a smallish set of patches for rc1 tomorrow.
I've included the tcg patches because RTH has no others that
would merit a pullreq.

I haven't included Thomas Huth's 17-patch set to deal with
the introspection crashes, to give that a little more time
on-list for review.

thanks
-- PMM

The following changes since commit 102ad0a80f5110483efd06877c29c4236be267f9:

Merge remote-tracking branch 'remotes/armbru/tags/pull-misc-2018-07-16' into staging (2018-07-16 15:34:38 +0100)

are available in the Git repository at:

git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20180716

for you to fetch changes up to 3474c98a2a2afcefa7c665f02ad2bed2a43ab0f7:

accel/tcg: Assert that tlb fill gave us a valid TLB entry (2018-07-16 17:26:01 +0100)

----------------------------------------------------------------
target-arm queue:
 * accel/tcg: Use correct test when looking in victim TLB for code
 * bcm2835_aux: Swap RX and TX interrupt assignments
 * hw/arm/bcm2836: Mark the bcm2836 / bcm2837 devices with user_creatable = false
 * hw/intc/arm_gic: Fix handling of GICD_ITARGETSR
 * hw/intc/arm_gic: Check interrupt number in gic_deactivate_irq()
 * aspeed: Implement write-1-{set, clear} for AST2500 strapping
 * target/arm: Fix LD1W and LDFF1W (scalar plus vector)

----------------------------------------------------------------
Andrew Jeffery (1):
      aspeed: Implement write-1-{set, clear} for AST2500 strapping

Guenter Roeck (1):
      bcm2835_aux: Swap RX and TX interrupt assignments

Peter Maydell (4):
      hw/intc/arm_gic: Check interrupt number in gic_deactivate_irq()
      hw/intc/arm_gic: Fix handling of GICD_ITARGETSR
      accel/tcg: Use correct test when looking in victim TLB for code
      accel/tcg: Assert that tlb fill gave us a valid TLB entry

Richard Henderson (1):
      target/arm: Fix LD1W and LDFF1W (scalar plus vector)

Thomas Huth (1):
      hw/arm/bcm2836: Mark the bcm2836 / bcm2837 devices with user_creatable = false

From: Richard Henderson <richard.henderson@linaro.org>

'I' was being double-incremented; correctly within the inner loop
and incorrectly within the outer loop.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Laurent Desnogues <laurent.desnogues@gmail.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20180711103957.3040-1-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sve_helper.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sve_helper.c
+++ b/target/arm/sve_helper.c
@@ -XXX,XX +XXX,XX @@ void HELPER(NAME)(CPUARMState *env, void *vd, void *vg, void *vm,       \
     intptr_t i, oprsz = simd_oprsz(desc);                               \
     unsigned scale = simd_data(desc);                                   \
     uintptr_t ra = GETPC();                                             \
-    for (i = 0; i < oprsz; i++) {                                       \
+    for (i = 0; i < oprsz; ) {                                          \
         uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));                 \
         do {                                                            \
             TYPEM m = 0;                                                \
@@ -XXX,XX +XXX,XX @@ void HELPER(NAME)(CPUARMState *env, void *vd, void *vg, void *vm,       \
     uintptr_t ra = GETPC();                                             \
     bool first = true;                                                  \
     mmap_lock();                                                        \
-    for (i = 0; i < oprsz; i++) {                                       \
+    for (i = 0; i < oprsz; ) {                                          \
         uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));                 \
         do {                                                            \
             TYPEM m = 0;                                                \
-- 
2.17.1

From: Andrew Jeffery <andrew@aj.id.au>

The AST2500 SoC family changes the runtime behaviour of the hardware
strapping register (SCU70) to write-1-set/write-1-clear, with
write-1-clear implemented on the "read-only" SoC revision register
(SCU7C). For the the AST2400, the hardware strapping is
runtime-configured with read-modify-write semantics.

Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Reviewed-by: Joel Stanley <joel@jms.id.au>
Message-id: 20180709143524.17480-1-andrew@aj.id.au
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/misc/aspeed_scu.h |  2 ++
 hw/misc/aspeed_scu.c         | 19 +++++++++++++++++--
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/include/hw/misc/aspeed_scu.h b/include/hw/misc/aspeed_scu.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/misc/aspeed_scu.h
+++ b/include/hw/misc/aspeed_scu.h
@@ -XXX,XX +XXX,XX @@ typedef struct AspeedSCUState {
 #define AST2500_A0_SILICON_REV   0x04000303U
 #define AST2500_A1_SILICON_REV   0x04010303U
 
+#define ASPEED_IS_AST2500(si_rev)     ((((si_rev) >> 24) & 0xff) == 0x04)
+
 extern bool is_supported_silicon_rev(uint32_t silicon_rev);
 
 #define ASPEED_SCU_PROT_KEY      0x1688A8A8
diff --git a/hw/misc/aspeed_scu.c b/hw/misc/aspeed_scu.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/misc/aspeed_scu.c
+++ b/hw/misc/aspeed_scu.c
@@ -XXX,XX +XXX,XX @@ static void aspeed_scu_write(void *opaque, hwaddr offset, uint64_t data,
         s->regs[reg] = data;
         aspeed_scu_set_apb_freq(s);
         break;
-
+    case HW_STRAP1:
+        if (ASPEED_IS_AST2500(s->regs[SILICON_REV])) {
+            s->regs[HW_STRAP1] |= data;
+            return;
+        }
+        /* Jump to assignment below */
+        break;
+    case SILICON_REV:
+        if (ASPEED_IS_AST2500(s->regs[SILICON_REV])) {
+            s->regs[HW_STRAP1] &= ~data;
+        } else {
+            qemu_log_mask(LOG_GUEST_ERROR,
+                          "%s: Write to read-only offset 0x%" HWADDR_PRIx "\n",
+                          __func__, offset);
+        }
+        /* Avoid assignment below, we've handled everything */
+        return;
     case FREQ_CNTR_EVAL:
     case VGA_SCRATCH1 ... VGA_SCRATCH8:
     case RNG_DATA:
-    case SILICON_REV:
     case FREE_CNTR4:
     case FREE_CNTR4_EXT:
         qemu_log_mask(LOG_GUEST_ERROR,
-- 
2.17.1

In gic_deactivate_irq() the interrupt number comes from the guest
(on a write to the GICC_DIR register), so we need to sanity check
that it isn't out of range before we use it as an array index.
Handle this in a similar manner to the check we do in
gic_complete_irq() for the GICC_EOI register.

The array overrun is not disastrous because the calling code
uses (value & 0x3ff) to extract the interrupt field, so the
only out-of-range values possible are 1020..1023, which allow
overrunning only from irq_state[] into the following
irq_target[] array which the guest can already manipulate.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Luc Michel <luc.michel@greensocs.com>
Message-id: 20180712154152.32183-2-peter.maydell@linaro.org
---
 hw/intc/arm_gic.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gic.c
+++ b/hw/intc/arm_gic.c
@@ -XXX,XX +XXX,XX @@ static bool gic_eoi_split(GICState *s, int cpu, MemTxAttrs attrs)
 static void gic_deactivate_irq(GICState *s, int cpu, int irq, MemTxAttrs attrs)
 {
     int cm = 1 << cpu;
-    int group = gic_has_groups(s) && GIC_TEST_GROUP(irq, cm);
+    int group;
+
+    if (irq >= s->num_irq) {
+        /*
+         * This handles two cases:
+         * 1. If software writes the ID of a spurious interrupt [ie 1023]
+         * to the GICC_DIR, the GIC ignores that write.
+         * 2. If software writes the number of a non-existent interrupt
+         * this must be a subcase of "value written is not an active interrupt"
+         * and so this is UNPREDICTABLE. We choose to ignore it.
+         */
+        return;
+    }
+
+    group = gic_has_groups(s) && GIC_TEST_GROUP(irq, cm);
 
     if (!gic_eoi_split(s, cpu, attrs)) {
         /* This is UNPREDICTABLE; we choose to ignore it */
-- 
2.17.1

The GICD_ITARGETSR implementation still has some 11MPCore behaviour
that we were incorrectly using in our GICv1 and GICv2 implementations
for the case where the interrupt number is less than GIC_INTERNAL.
The desired behaviour here is:
 * for 11MPCore: RAZ/WI for irqs 0..28; read a number matching the
   CPU doing the read for irqs 29..31
 * for GICv1 and v2: RAZ/WI if uniprocessor; otherwise read a
   number matching the CPU doing the read for all irqs < 32

Stop squashing GICD_ITARGETSR to 0 for IRQs 0..28 unless this
is an 11MPCore GIC.

Reported-by: Jan Kiszka <jan.kiszka@web.de>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Luc Michel <luc.michel@greensocs.com>
Message-id: 20180712154152.32183-3-peter.maydell@linaro.org
---
 hw/intc/arm_gic.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gic.c
+++ b/hw/intc/arm_gic.c
@@ -XXX,XX +XXX,XX @@ static uint32_t gic_dist_readb(void *opaque, hwaddr offset, MemTxAttrs attrs)
             if (irq >= s->num_irq) {
                 goto bad_reg;
             }
-            if (irq >= 29 && irq <= 31) {
+            if (irq < 29 && s->revision == REV_11MPCORE) {
+                res = 0;
+            } else if (irq < GIC_INTERNAL) {
                 res = cm;
             } else {
                 res = GIC_TARGET(irq);
@@ -XXX,XX +XXX,XX @@ static void gic_dist_writeb(void *opaque, hwaddr offset,
             if (irq >= s->num_irq) {
                 goto bad_reg;
             }
-            if (irq < 29) {
+            if (irq < 29 && s->revision == REV_11MPCORE) {
                 value = 0;
             } else if (irq < GIC_INTERNAL) {
                 value = ALL_CPU_MASK;
-- 
2.17.1

From: Thomas Huth <thuth@redhat.com>

These devices are currently causing some problems when a user is trying
to hot-plug or introspect them during runtime. Since these devices can
not be instantiated by the user at all (they need to be wired up in code
instead), we should mark them with user_creatable = false anyway, then we
avoid at least the crashes with the hot-plugging. The introspection problem
will be handled by a separate patch.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-id: 1531415537-26037-1-git-send-email-thuth@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/bcm2836.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/hw/arm/bcm2836.c b/hw/arm/bcm2836.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/bcm2836.c
+++ b/hw/arm/bcm2836.c
@@ -XXX,XX +XXX,XX @@ static void bcm283x_class_init(ObjectClass *oc, void *data)
     bc->info = data;
     dc->realize = bcm2836_realize;
     dc->props = bcm2836_props;
+    /* Reason: Must be wired up in code (see raspi_init() function) */
+    dc->user_creatable = false;
 }
 
 static const TypeInfo bcm283x_type_info = {
-- 
2.17.1

From: Guenter Roeck <linux@roeck-us.net>

RX and TX interrupt bits were reversed, resulting in an endless sequence
of serial interupts in the emulated system and the following repeated
error message when booting Linux.

serial8250: too much work for irq61

This results in a boot failure most of the time.

Qemu command line used to reproduce the problem:

qemu-system-aarch64 -M raspi3 -m 1024 \
	-kernel arch/arm64/boot/Image \
	--append "rdinit=/sbin/init console=ttyS1,115200"
	-initrd rootfs.cpio \
	-dtb arch/arm64/boot/dts/broadcom/bcm2837-rpi-3-b.dtb \
	-nographic -monitor null -serial null -serial stdio

This is with arm64:defconfig. The root file system was generated using
buildroot.

NB that this error likely arises from an erratum in the
BCM2835 datasheet where the TX and RX bits were swapped
in the AU_MU_IER_REG description (but correct for IIR):
 https://elinux.org/BCM2835_datasheet_errata#p12

Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Message-id: 1529355846-25102-1-git-send-email-linux@roeck-us.net
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
[PMM: added NB about datasheet]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/char/bcm2835_aux.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/char/bcm2835_aux.c b/hw/char/bcm2835_aux.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/char/bcm2835_aux.c
+++ b/hw/char/bcm2835_aux.c
@@ -XXX,XX +XXX,XX @@
 #define AUX_MU_BAUD_REG 0x68
 
 /* bits in IER/IIR registers */
-#define TX_INT  0x1
-#define RX_INT  0x2
+#define RX_INT  0x1
+#define TX_INT  0x2
 
 static void bcm2835_aux_update(BCM2835AuxState *s)
 {
-- 
2.17.1

In get_page_addr_code(), we were incorrectly looking in the victim
TLB for an entry which matched the target address for reads, not
for code accesses. This meant that we could hit on a victim TLB
entry that indicated that the address was readable but not
executable, and incorrectly bypass the call to tlb_fill() which
should generate the guest MMU exception. Fix this bug.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180713141636.18665-2-peter.maydell@linaro.org
---
 accel/tcg/cputlb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ tb_page_addr_t get_page_addr_code(CPUArchState *env, target_ulong addr)
     index = (addr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1);
     mmu_idx = cpu_mmu_index(env, true);
     if (unlikely(!tlb_hit(env->tlb_table[mmu_idx][index].addr_code, addr))) {
-        if (!VICTIM_TLB_HIT(addr_read, addr)) {
+        if (!VICTIM_TLB_HIT(addr_code, addr)) {
             tlb_fill(ENV_GET_CPU(env), addr, 0, MMU_INST_FETCH, mmu_idx, 0);
         }
     }
-- 
2.17.1

In commit 4b1a3e1e34ad97 we added a check for whether the TLB entry
we had following a tlb_fill had the INVALID bit set.  This could
happen in some circumstances because a stale or wrong TLB entry was
pulled out of the victim cache.  However, after commit
68fea038553039e (which prevents stale entries being in the victim
cache) and the previous commit (which ensures we don't incorrectly
hit in the victim cache)) this should never be possible.

Drop the check on TLB_INVALID_MASK from the "is this a TLB_RECHECK?"
condition, and instead assert that the tlb fill procedure has given
us a valid TLB entry (or longjumped out with a guest exception).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180713141636.18665-3-peter.maydell@linaro.org
---
 accel/tcg/cputlb.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ tb_page_addr_t get_page_addr_code(CPUArchState *env, target_ulong addr)
         if (!VICTIM_TLB_HIT(addr_code, addr)) {
             tlb_fill(ENV_GET_CPU(env), addr, 0, MMU_INST_FETCH, mmu_idx, 0);
         }
+        assert(tlb_hit(env->tlb_table[mmu_idx][index].addr_code, addr));
     }
 
-    if (unlikely((env->tlb_table[mmu_idx][index].addr_code &
-                  (TLB_RECHECK | TLB_INVALID_MASK)) == TLB_RECHECK)) {
+    if (unlikely(env->tlb_table[mmu_idx][index].addr_code & TLB_RECHECK)) {
         /*
          * This is a TLB_RECHECK access, where the MMU protection
          * covers a smaller range than a target page, and we must
-- 
2.17.1

Handful of arm fixes for the rc.

The following changes since commit 555249a59e9cdd6b58da103aba5cf3a2d45c899f:

Merge remote-tracking branch 'remotes/ehabkost-gl/tags/x86-next-pull-request' into staging (2021-04-10 16:58:56 +0100)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20210412

for you to fetch changes up to 52c01ada86611136e3122dd139788dbcbc292d86:

exec: Fix overlap of PAGE_ANON and PAGE_TARGET_1 (2021-04-12 11:06:24 +0100)

----------------------------------------------------------------
target-arm queue:
 * hw/arm/virt-acpi-build: Fix GSIV values of the {GERR, Sync} interrupts
 * hw/arm/smmuv3: Emulate CFGI_STE_RANGE for an aligned range of StreamIDs
 * accel/tcg: Preserve PAGE_ANON when changing page permissions
 * target/arm: Check PAGE_WRITE_ORG for MTE writeability
 * exec: Fix overlap of PAGE_ANON and PAGE_TARGET_1

----------------------------------------------------------------
Richard Henderson (3):
      accel/tcg: Preserve PAGE_ANON when changing page permissions
      target/arm: Check PAGE_WRITE_ORG for MTE writeability
      exec: Fix overlap of PAGE_ANON and PAGE_TARGET_1

Zenghui Yu (2):
      hw/arm/virt-acpi-build: Fix GSIV values of the {GERR, Sync} interrupts
      hw/arm/smmuv3: Emulate CFGI_STE_RANGE for an aligned range of StreamIDs

include/exec/cpu-all.h            |  4 ++--
 tests/tcg/aarch64/mte.h           |  3 ++-
 accel/tcg/translate-all.c         |  9 ++++++--
 hw/arm/smmuv3.c                   | 12 +++++++----
 hw/arm/virt-acpi-build.c          |  4 ++--
 target/arm/mte_helper.c           |  2 +-
 tests/tcg/aarch64/mte-6.c         | 43 +++++++++++++++++++++++++++++++++++++++
 tests/tcg/aarch64/Makefile.target |  2 +-
 8 files changed, 66 insertions(+), 13 deletions(-)
 create mode 100644 tests/tcg/aarch64/mte-6.c

From: Zenghui Yu <yuzenghui@huawei.com>

The GSIV values in SMMUv3 IORT node are not correct as they don't match
the SMMUIrq enumeration, which describes the IRQ<->PIN mapping used by
our emulated vSMMU.

Fixes: a703b4f6c1ee ("hw/arm/virt-acpi-build: Add smmuv3 node in IORT table")
Signed-off-by: Zenghui Yu <yuzenghui@huawei.com>
Acked-by: Eric Auger <eric.auger@redhat.com>
Message-id: 20210402084731.93-1-yuzenghui@huawei.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/virt-acpi-build.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt-acpi-build.c
+++ b/hw/arm/virt-acpi-build.c
@@ -XXX,XX +XXX,XX @@ build_iort(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
         smmu->flags = cpu_to_le32(ACPI_IORT_SMMU_V3_COHACC_OVERRIDE);
         smmu->event_gsiv = cpu_to_le32(irq);
         smmu->pri_gsiv = cpu_to_le32(irq + 1);
-        smmu->gerr_gsiv = cpu_to_le32(irq + 2);
-        smmu->sync_gsiv = cpu_to_le32(irq + 3);
+        smmu->sync_gsiv = cpu_to_le32(irq + 2);
+        smmu->gerr_gsiv = cpu_to_le32(irq + 3);
 
         /* Identity RID mapping covering the whole input RID range */
         idmap = &smmu->id_mapping_array[0];
-- 
2.20.1

From: Zenghui Yu <yuzenghui@huawei.com>

In emulation of the CFGI_STE_RANGE command, we now take StreamID as the
start of the invalidation range, regardless of whatever the Range is,
whilst the spec clearly states that

- "Invalidation is performed for an *aligned* range of 2^(Range+1)
    StreamIDs."

- "The bottom Range+1 bits of the StreamID parameter are IGNORED,
    aligning the range to its size."

Take CFGI_ALL (where Range == 31) as an example, if there are some random
bits in the StreamID field, we'll fail to perform the full invalidation but
get a strange range (e.g., SMMUSIDRange={.start=1, .end=0}) instead. Rework
the emulation a bit to get rid of the discrepancy with the spec.

Signed-off-by: Zenghui Yu <yuzenghui@huawei.com>
Acked-by: Eric Auger <eric.auger@redhat.com>
Message-id: 20210402100449.528-1-yuzenghui@huawei.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/smmuv3.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@ static int smmuv3_cmdq_consume(SMMUv3State *s)
         }
         case SMMU_CMD_CFGI_STE_RANGE: /* same as SMMU_CMD_CFGI_ALL */
         {
-            uint32_t start = CMD_SID(&cmd);
+            uint32_t sid = CMD_SID(&cmd), mask;
             uint8_t range = CMD_STE_RANGE(&cmd);
-            uint64_t end = start + (1ULL << (range + 1)) - 1;
-            SMMUSIDRange sid_range = {start, end};
+            SMMUSIDRange sid_range;
 
             if (CMD_SSEC(&cmd)) {
                 cmd_error = SMMU_CERROR_ILL;
                 break;
             }
-            trace_smmuv3_cmdq_cfgi_ste_range(start, end);
+
+            mask = (1ULL << (range + 1)) - 1;
+            sid_range.start = sid & ~mask;
+            sid_range.end = sid_range.start + mask;
+
+            trace_smmuv3_cmdq_cfgi_ste_range(sid_range.start, sid_range.end);
             g_hash_table_foreach_remove(bs->configs, smmuv3_invalidate_ste,
                                         &sid_range);
             break;
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

Using mprotect() to change PROT_* does not change the MAP_ANON
previously set with mmap().  Our linux-user version of MTE only
works with MAP_ANON pages, so losing PAGE_ANON caused MTE to
stop working.

Reported-by: Stephen Long <steplong@quicinc.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 tests/tcg/aarch64/mte.h           |  3 ++-
 accel/tcg/translate-all.c         |  9 +++++--
 tests/tcg/aarch64/mte-6.c         | 43 +++++++++++++++++++++++++++++++
 tests/tcg/aarch64/Makefile.target |  2 +-
 4 files changed, 53 insertions(+), 4 deletions(-)
 create mode 100644 tests/tcg/aarch64/mte-6.c

diff --git a/tests/tcg/aarch64/mte.h b/tests/tcg/aarch64/mte.h
index XXXXXXX..XXXXXXX 100644
--- a/tests/tcg/aarch64/mte.h
+++ b/tests/tcg/aarch64/mte.h
@@ -XXX,XX +XXX,XX @@ static void enable_mte(int tcf)
     }
 }
 
-static void *alloc_mte_mem(size_t size)
+static void * alloc_mte_mem(size_t size) __attribute__((unused));
+static void * alloc_mte_mem(size_t size)
 {
     void *p = mmap(NULL, size, PROT_READ | PROT_WRITE | PROT_MTE,
                    MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/translate-all.c
+++ b/accel/tcg/translate-all.c
@@ -XXX,XX +XXX,XX @@ void page_set_flags(target_ulong start, target_ulong end, int flags)
        a missing call to h2g_valid.  */
     assert(end - 1 <= GUEST_ADDR_MAX);
     assert(start < end);
+    /* Only set PAGE_ANON with new mappings. */
+    assert(!(flags & PAGE_ANON) || (flags & PAGE_RESET));
     assert_memory_lock();
 
     start = start & TARGET_PAGE_MASK;
@@ -XXX,XX +XXX,XX @@ void page_set_flags(target_ulong start, target_ulong end, int flags)
             p->first_tb) {
             tb_invalidate_phys_page(addr, 0);
         }
-        if (reset_target_data && p->target_data) {
+        if (reset_target_data) {
             g_free(p->target_data);
             p->target_data = NULL;
+            p->flags = flags;
+        } else {
+            /* Using mprotect on a page does not change MAP_ANON. */
+            p->flags = (p->flags & PAGE_ANON) | flags;
         }
-        p->flags = flags;
     }
 }
 
diff --git a/tests/tcg/aarch64/mte-6.c b/tests/tcg/aarch64/mte-6.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/tests/tcg/aarch64/mte-6.c
@@ -XXX,XX +XXX,XX @@
+#include "mte.h"
+
+void pass(int sig, siginfo_t *info, void *uc)
+{
+    assert(info->si_code == SEGV_MTESERR);
+    exit(0);
+}
+
+int main(void)
+{
+    enable_mte(PR_MTE_TCF_SYNC);
+
+    void *brk = sbrk(16);
+    if (brk == (void *)-1) {
+        perror("sbrk");
+        return 2;
+    }
+
+    if (mprotect(brk, 16, PROT_READ | PROT_WRITE | PROT_MTE)) {
+        perror("mprotect");
+        return 2;
+    }
+
+    int *p1, *p2;
+    long excl = 1;
+
+    asm("irg %0,%1,%2" : "=r"(p1) : "r"(brk), "r"(excl));
+    asm("gmi %0,%1,%0" : "+r"(excl) : "r"(p1));
+    asm("irg %0,%1,%2" : "=r"(p2) : "r"(brk), "r"(excl));
+    asm("stg %0,[%0]" : : "r"(p1));
+
+    *p1 = 0;
+
+    struct sigaction sa;
+    memset(&sa, 0, sizeof(sa));
+    sa.sa_sigaction = pass;
+    sa.sa_flags = SA_SIGINFO;
+    sigaction(SIGSEGV, &sa, NULL);
+
+    *p2 = 0;
+
+    abort();
+}
diff --git a/tests/tcg/aarch64/Makefile.target b/tests/tcg/aarch64/Makefile.target
index XXXXXXX..XXXXXXX 100644
--- a/tests/tcg/aarch64/Makefile.target
+++ b/tests/tcg/aarch64/Makefile.target
@@ -XXX,XX +XXX,XX @@ AARCH64_TESTS += bti-2
 
 # MTE Tests
 ifneq ($(DOCKER_IMAGE)$(CROSS_CC_HAS_ARMV8_MTE),)
-AARCH64_TESTS += mte-1 mte-2 mte-3 mte-4
+AARCH64_TESTS += mte-1 mte-2 mte-3 mte-4 mte-6
 mte-%: CFLAGS += -march=armv8.5-a+memtag
 endif
 
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

We can remove PAGE_WRITE when (internally) marking a page
read-only because it contains translated code.

This can be triggered by tests/tcg/aarch64/bti-2, after
having serviced SIGILL trampolines on the stack.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/mte_helper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/arm/mte_helper.c b/target/arm/mte_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/mte_helper.c
+++ b/target/arm/mte_helper.c
@@ -XXX,XX +XXX,XX @@ static uint8_t *allocation_tag_mem(CPUARMState *env, int ptr_mmu_idx,
     uint8_t *tags;
     uintptr_t index;
 
-    if (!(flags & (ptr_access == MMU_DATA_STORE ? PAGE_WRITE : PAGE_READ))) {
+    if (!(flags & (ptr_access == MMU_DATA_STORE ? PAGE_WRITE_ORG : PAGE_READ))) {
         /* SIGSEGV */
         arm_cpu_tlb_fill(env_cpu(env), ptr, ptr_size, ptr_access,
                          ptr_mmu_idx, false, ra);
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

Unfortuately, the elements of PAGE_* were not in numerical
order and so PAGE_ANON was added to an "unused" bit.
As an arbitrary choice, move PAGE_TARGET_{1,2} together.

Cc: Laurent Vivier <laurent@vivier.eu>
Fixes: 26bab757d41b ("linux-user: Introduce PAGE_ANON")
Buglink: https://bugs.launchpad.net/bugs/1922617
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Tested-by: Laurent Vivier <laurent@vivier.eu>
Tested-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/exec/cpu-all.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/exec/cpu-all.h b/include/exec/cpu-all.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/cpu-all.h
+++ b/include/exec/cpu-all.h
@@ -XXX,XX +XXX,XX @@ extern intptr_t qemu_host_page_mask;
 #define PAGE_RESERVED  0x0100
 #endif
 /* Target-specific bits that will be used via page_get_flags().  */
-#define PAGE_TARGET_1  0x0080
-#define PAGE_TARGET_2  0x0200
+#define PAGE_TARGET_1  0x0200
+#define PAGE_TARGET_2  0x0400
 
 #if defined(CONFIG_USER_ONLY)
 void page_dump(FILE *f);
-- 
2.20.1