A set of small bugfixes for arm for 3.0; the "migration was

broken" fixes for SMMUv3 and v7M NVIC with security extensions

are the most significant.

The following changes since commit 6d9dd5fb9d0e9f4a174f53a0e20a39fbe809c71e:

Merge remote-tracking branch 'remotes/armbru/tags/pull-qobject-2018-07-27-v2' into staging (2018-07-30 09:55:47 +0100)

git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20180730

for you to fetch changes up to 0261fb805c00a6f97d143235e7b06b0906bdf898:

target/arm: Remove duplicate 'host' entry in '-cpu ?' output (2018-07-30 15:07:08 +0100)

* arm/smmuv3: Fix broken VM state migration

* armv7m_nvic: Fix broken VM state migration

* hw/arm/sysbus-fdt: Fix assertion in copy_properties_from_host()

* hw/arm/iotkit: Fix IRQ number for timer1

* hw/misc/tz-mpc: Zero the LUT on initialization, not just reset

* target/arm: Remove duplicate 'host' entry in '-cpu ?' output

Dr. David Alan Gilbert (1):

arm/smmuv3: Fix missing VMSD terminator

Geert Uytterhoeven (1):

hw/arm/sysbus-fdt: Fix assertion in copy_properties_from_host()

Peter Maydell (3):

armv7m_nvic: Fix m-security subsection name

hw/arm/iotkit: Fix IRQ number for timer1

hw/misc/tz-mpc: Zero the LUT on initialization, not just reset

target/arm: Remove duplicate 'host' entry in '-cpu ?' output

hw/arm/iotkit.c | 2 +-

hw/arm/smmuv3.c | 1 +

hw/arm/sysbus-fdt.c | 1 +

hw/intc/armv7m_nvic.c | 2 +-

hw/misc/tz-mpc.c | 2 +-

target/arm/helper.c | 6 ------

6 files changed, 5 insertions(+), 9 deletions(-)

From: Geert Uytterhoeven <geert+renesas@glider.be>

When copy_properties_from_host() ignores the error for an optional

property, it frees the error, but fails to reset it.

Hence if two or more optional properties are missing, an assertion is

triggered:

util/error.c:57: error_setv: Assertion `*errp == NULL' failed.

Fis this by resetting err to NULL after ignoring the error.

Fixes: 9481cf2e5f2f2bb6 ("hw/arm/sysbus-fdt: helpers for clock node generation")

Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>

Message-id: 20180725113000.11014-1-geert+renesas@glider.be

hw/arm/sysbus-fdt.c | 1 +

1 file changed, 1 insertion(+)

diff --git a/hw/arm/sysbus-fdt.c b/hw/arm/sysbus-fdt.c

--- a/hw/arm/sysbus-fdt.c

+++ b/hw/arm/sysbus-fdt.c

@@ -XXX,XX +XXX,XX @@ static void copy_properties_from_host(HostProperty *props, int nb_props,

/* mandatory property not found: bail out */

exit(1);

}

+ err = NULL;

}

2.17.1

From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>

The 'vmstate_smmuv3_queue' is missing the end-of-list marker.

Fixes: 10a83cb9887

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

Message-id: 20180727135406.15132-1-dgilbert@redhat.com

hw/arm/smmuv3.c | 1 +

1 file changed, 1 insertion(+)

diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c

--- a/hw/arm/smmuv3.c

+++ b/hw/arm/smmuv3.c

@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_smmuv3_queue = {

VMSTATE_UINT32(prod, SMMUQueue),

VMSTATE_UINT32(cons, SMMUQueue),

VMSTATE_UINT8(log2size, SMMUQueue),

+ VMSTATE_END_OF_LIST(),

},

};

2.17.1

Since 86f0a186d6f the TYPE_ARM_HOST_CPU is only compiled when CONFIG_KVM

is enabled.

Remove the now redundant special-case introduced in a96c0514ab7, to avoid:

$ qemu-system-aarch64 -machine virt -cpu \? | fgrep host

host

host (only available in KVM mode)

target/arm/helper.c | 6 ------

1 file changed, 6 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c

--- a/target/arm/helper.c

+++ b/target/arm/helper.c

@@ -XXX,XX +XXX,XX @@ void arm_cpu_list(FILE *f, fprintf_function cpu_fprintf)

(*cpu_fprintf)(f, "Available CPUs:\n");

g_slist_foreach(list, arm_cpu_list_entry, &s);

g_slist_free(list);

-#ifdef CONFIG_KVM

- /* The 'host' CPU type is dynamically registered only if KVM is

- * enabled, so we have to special-case it here:

- */

- (*cpu_fprintf)(f, " host (only available in KVM mode)\n");

-#endif

2.17.1

A cut-and-paste error meant we were incorrectly wiring up the timer1

IRQ to IRQ3. IRQ3 is the interrupt for timer0 -- move timer0 to

IRQ4 where it belongs.

Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>

Message-id: 20180727113854.20283-3-peter.maydell@linaro.org

hw/arm/iotkit.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/arm/iotkit.c b/hw/arm/iotkit.c

index XXXXXXX..XXXXXXX 100644

--- a/hw/arm/iotkit.c

+++ b/hw/arm/iotkit.c

@@ -XXX,XX +XXX,XX @@ static void iotkit_realize(DeviceState *dev, Error **errp)

return;

}

sysbus_connect_irq(SYS_BUS_DEVICE(&s->timer1), 0,

- qdev_get_gpio_in(DEVICE(&s->armv7m), 3));

+ qdev_get_gpio_in(DEVICE(&s->armv7m), 4));

mr = sysbus_mmio_get_region(SYS_BUS_DEVICE(&s->timer1), 0);

object_property_set_link(OBJECT(&s->apb_ppc0), OBJECT(mr), "port[1]", &err);

if (err) {

2.17.1

In the tz-mpc device we allocate a data block for the LUT,

which we then clear to zero in the device's reset method.

This is conceptually fine, but unfortunately results in a

valgrind complaint about use of uninitialized data on startup:

==30906== Conditional jump or move depends on uninitialised value(s)

==30906== at 0x503609: tz_mpc_translate (tz-mpc.c:439)

==30906== by 0x3F3D90: address_space_translate_iommu (exec.c:511)

==30906== by 0x3F3FF8: flatview_do_translate (exec.c:584)

==30906== by 0x3F4292: flatview_translate (exec.c:644)

==30906== by 0x3F2120: address_space_translate (memory.h:1962)

==30906== by 0x3FB753: address_space_ldl_internal (memory_ldst.inc.c:36)

==30906== by 0x3FB8A6: address_space_ldl (memory_ldst.inc.c:80)

==30906== by 0x619037: ldl_phys (memory_ldst_phys.inc.h:25)

==30906== by 0x61985D: arm_cpu_reset (cpu.c:255)

==30906== by 0x98791B: cpu_reset (cpu.c:249)

==30906== by 0x57FFDB: armv7m_reset (armv7m.c:265)

==30906== by 0x7B1775: qemu_devices_reset (reset.c:69)

This is because of a reset ordering problem -- the TZ MPC

resets after the CPU, but an M-profile CPU's reset function

includes memory loads to get the initial PC and SP, which

then go through an MPC that hasn't yet been reset.

The simplest fix for this is to zero the LUT when we

initialize the data, which will result in the MPC's

translate function giving the right answers for these

early memory accesses.

Reported-by: Thomas Huth <thuth@redhat.com>

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Tested-by: Thomas Huth <thuth@redhat.com>

Message-id: 20180724153616.32352-1-peter.maydell@linaro.org

---

hw/misc/tz-mpc.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/misc/tz-mpc.c b/hw/misc/tz-mpc.c

--- a/hw/misc/tz-mpc.c

+++ b/hw/misc/tz-mpc.c

@@ -XXX,XX +XXX,XX @@ static void tz_mpc_realize(DeviceState *dev, Error **errp)

address_space_init(&s->blocked_io_as, &s->blocked_io,

"tz-mpc-blocked-io");

- s->blk_lut = g_new(uint32_t, s->blk_max);

+ s->blk_lut = g_new0(uint32_t, s->blk_max);

2.17.1

The vmstate save/load code insists that subsections of a VMState must

have names which include their parent VMState's name as a leading

substring. Unfortunately it neither documents this nor checks it on

device init or state save, but instead fails state load with a

confusing error message ("Missing section footer for armv7m_nvic").

Fix the name of the m-security subsection of the NVIC, so that

state save/load works correctly for the security-enabled NVIC.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>

Message-id: 20180727113854.20283-2-peter.maydell@linaro.org

hw/intc/armv7m_nvic.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c

--- a/hw/intc/armv7m_nvic.c

+++ b/hw/intc/armv7m_nvic.c

@@ -XXX,XX +XXX,XX @@ static int nvic_security_post_load(void *opaque, int version_id)

static const VMStateDescription vmstate_nvic_security = {

- .name = "nvic/m-security",

+ .name = "armv7m_nvic/m-security",

.version_id = 1,

.minimum_version_id = 1,

.needed = nvic_security_needed,

2.17.1