| 1 | A set of small bugfixes for arm for 3.0; the "migration was | 1 | A last small test of bug fixes before rc1. |
|---|---|---|---|
| 2 | broken" fixes for SMMUv3 and v7M NVIC with security extensions | ||
| 3 | are the most significant. | ||
| 4 | 2 | ||
| 5 | thanks | 3 | thanks |
| 6 | -- PMM | 4 | -- PMM |
| 7 | 5 | ||
| 8 | The following changes since commit 6d9dd5fb9d0e9f4a174f53a0e20a39fbe809c71e: | 6 | The following changes since commit ed8ad9728a9c0eec34db9dff61dfa2f1dd625637: |
| 9 | 7 | ||
| 10 | Merge remote-tracking branch 'remotes/armbru/tags/pull-qobject-2018-07-27-v2' into staging (2018-07-30 09:55:47 +0100) | 8 | Merge tag 'pull-tpm-2023-07-14-1' of https://github.com/stefanberger/qemu-tpm into staging (2023-07-15 14:54:04 +0100) |
| 11 | 9 | ||
| 12 | are available in the Git repository at: | 10 | are available in the Git repository at: |
| 13 | 11 | ||
| 14 | git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20180730 | 12 | https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20230717 |
| 15 | 13 | ||
| 16 | for you to fetch changes up to 0261fb805c00a6f97d143235e7b06b0906bdf898: | 14 | for you to fetch changes up to c2c1c4a35c7c2b1a4140b0942b9797c857e476a4: |
| 17 | 15 | ||
| 18 | target/arm: Remove duplicate 'host' entry in '-cpu ?' output (2018-07-30 15:07:08 +0100) | 16 | hw/nvram: Avoid unnecessary Xilinx eFuse backstore write (2023-07-17 11:05:52 +0100) |
| 19 | 17 | ||
| 20 | ---------------------------------------------------------------- | 18 | ---------------------------------------------------------------- |
| 21 | target-arm queue: | 19 | target-arm queue: |
| 22 | * arm/smmuv3: Fix broken VM state migration | 20 | * hw/arm/sbsa-ref: set 'slots' property of xhci |
| 23 | * armv7m_nvic: Fix broken VM state migration | 21 | * linux-user: Remove pointless NULL check in clock_adjtime handling |
| 24 | * hw/arm/sysbus-fdt: Fix assertion in copy_properties_from_host() | 22 | * ptw: Fix S1_ptw_translate() debug path |
| 25 | * hw/arm/iotkit: Fix IRQ number for timer1 | 23 | * ptw: Account for FEAT_RME when applying {N}SW, SA bits |
| 26 | * hw/misc/tz-mpc: Zero the LUT on initialization, not just reset | 24 | * accel/tcg: Zero-pad PC in TCG CPU exec trace lines |
| 27 | * target/arm: Remove duplicate 'host' entry in '-cpu ?' output | 25 | * hw/nvram: Avoid unnecessary Xilinx eFuse backstore write |
| 28 | 26 | ||
| 29 | ---------------------------------------------------------------- | 27 | ---------------------------------------------------------------- |
| 30 | Dr. David Alan Gilbert (1): | 28 | Peter Maydell (5): |
| 31 | arm/smmuv3: Fix missing VMSD terminator | 29 | linux-user: Remove pointless NULL check in clock_adjtime handling |
| 30 | target/arm/ptw.c: Add comments to S1Translate struct fields | ||
| 31 | target/arm: Fix S1_ptw_translate() debug path | ||
| 32 | target/arm/ptw.c: Account for FEAT_RME when applying {N}SW, SA bits | ||
| 33 | accel/tcg: Zero-pad PC in TCG CPU exec trace lines | ||
| 32 | 34 | ||
| 33 | Geert Uytterhoeven (1): | 35 | Tong Ho (1): |
| 34 | hw/arm/sysbus-fdt: Fix assertion in copy_properties_from_host() | 36 | hw/nvram: Avoid unnecessary Xilinx eFuse backstore write |
| 35 | 37 | ||
| 36 | Peter Maydell (3): | 38 | Yuquan Wang (1): |
| 37 | armv7m_nvic: Fix m-security subsection name | 39 | hw/arm/sbsa-ref: set 'slots' property of xhci |
| 38 | hw/arm/iotkit: Fix IRQ number for timer1 | ||
| 39 | hw/misc/tz-mpc: Zero the LUT on initialization, not just reset | ||
| 40 | 40 | ||
| 41 | Philippe Mathieu-Daudé (1): | 41 | accel/tcg/cpu-exec.c | 4 +-- |
| 42 | target/arm: Remove duplicate 'host' entry in '-cpu ?' output | 42 | accel/tcg/translate-all.c | 2 +- |
| 43 | 43 | hw/arm/sbsa-ref.c | 1 + | |
| 44 | hw/arm/iotkit.c | 2 +- | 44 | hw/nvram/xlnx-efuse.c | 11 ++++-- |
| 45 | hw/arm/smmuv3.c | 1 + | 45 | linux-user/syscall.c | 12 +++---- |
| 46 | hw/arm/sysbus-fdt.c | 1 + | 46 | target/arm/ptw.c | 90 +++++++++++++++++++++++++++++++++++++++++------ |
| 47 | hw/intc/armv7m_nvic.c | 2 +- | 47 | 6 files changed, 98 insertions(+), 22 deletions(-) |
| 48 | hw/misc/tz-mpc.c | 2 +- | ||
| 49 | target/arm/helper.c | 6 ------ | ||
| 50 | 6 files changed, 5 insertions(+), 9 deletions(-) | ||
| 51 | diff view generated by jsdifflib |
| 1 | From: Geert Uytterhoeven <geert+renesas@glider.be> | 1 | From: Yuquan Wang <wangyuquan1236@phytium.com.cn> |
|---|---|---|---|
| 2 | 2 | ||
| 3 | When copy_properties_from_host() ignores the error for an optional | 3 | This extends the slots of xhci to 64, since the default xhci_sysbus |
| 4 | property, it frees the error, but fails to reset it. | 4 | just supports one slot. |
| 5 | 5 | ||
| 6 | Hence if two or more optional properties are missing, an assertion is | 6 | Signed-off-by: Wang Yuquan <wangyuquan1236@phytium.com.cn> |
| 7 | triggered: | 7 | Signed-off-by: Chen Baozi <chenbaozi@phytium.com.cn> |
| 8 | 8 | Reviewed-by: Richard Henderson <richard.henderson@linaro.org> | |
| 9 | util/error.c:57: error_setv: Assertion `*errp == NULL' failed. | 9 | Reviewed-by: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org> |
| 10 | 10 | Tested-by: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org> | |
| 11 | Fis this by resetting err to NULL after ignoring the error. | 11 | Message-id: 20230710063750.473510-2-wangyuquan1236@phytium.com.cn |
| 12 | |||
| 13 | Fixes: 9481cf2e5f2f2bb6 ("hw/arm/sysbus-fdt: helpers for clock node generation") | ||
| 14 | Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be> | ||
| 15 | Message-id: 20180725113000.11014-1-geert+renesas@glider.be | ||
| 16 | Reviewed-by: Peter Maydell <peter.maydell@linaro.org> | ||
| 17 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | 12 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> |
| 18 | --- | 13 | --- |
| 19 | hw/arm/sysbus-fdt.c | 1 + | 14 | hw/arm/sbsa-ref.c | 1 + |
| 20 | 1 file changed, 1 insertion(+) | 15 | 1 file changed, 1 insertion(+) |
| 21 | 16 | ||
| 22 | diff --git a/hw/arm/sysbus-fdt.c b/hw/arm/sysbus-fdt.c | 17 | diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c |
| 23 | index XXXXXXX..XXXXXXX 100644 | 18 | index XXXXXXX..XXXXXXX 100644 |
| 24 | --- a/hw/arm/sysbus-fdt.c | 19 | --- a/hw/arm/sbsa-ref.c |
| 25 | +++ b/hw/arm/sysbus-fdt.c | 20 | +++ b/hw/arm/sbsa-ref.c |
| 26 | @@ -XXX,XX +XXX,XX @@ static void copy_properties_from_host(HostProperty *props, int nb_props, | 21 | @@ -XXX,XX +XXX,XX @@ static void create_xhci(const SBSAMachineState *sms) |
| 27 | /* mandatory property not found: bail out */ | 22 | hwaddr base = sbsa_ref_memmap[SBSA_XHCI].base; |
| 28 | exit(1); | 23 | int irq = sbsa_ref_irqmap[SBSA_XHCI]; |
| 29 | } | 24 | DeviceState *dev = qdev_new(TYPE_XHCI_SYSBUS); |
| 30 | + err = NULL; | 25 | + qdev_prop_set_uint32(dev, "slots", XHCI_MAXSLOTS); |
| 31 | } | 26 | |
| 32 | } | 27 | sysbus_realize_and_unref(SYS_BUS_DEVICE(dev), &error_fatal); |
| 33 | } | 28 | sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, base); |
| 34 | -- | 29 | -- |
| 35 | 2.17.1 | 30 | 2.34.1 |
| 36 | |||
| 37 | diff view generated by jsdifflib |
| 1 | A cut-and-paste error meant we were incorrectly wiring up the timer1 | 1 | In the code for TARGET_NR_clock_adjtime, we set the pointer phtx to |
|---|---|---|---|
| 2 | IRQ to IRQ3. IRQ3 is the interrupt for timer0 -- move timer0 to | 2 | the address of the local variable htx. This means it can never be |
| 3 | IRQ4 where it belongs. | 3 | NULL, but later in the code we check it for NULL anyway. Coverity |
| 4 | complains about this (CID 1507683) because the NULL check comes after | ||
| 5 | a call to clock_adjtime() that assumes it is non-NULL. | ||
| 6 | |||
| 7 | Since phtx is always &htx, and is used only in three places, it's not | ||
| 8 | really necessary. Remove it, bringing the code structure in to line | ||
| 9 | with that for TARGET_NR_clock_adjtime64, which already uses a simple | ||
| 10 | '&htx' when it wants a pointer to 'htx'. | ||
| 4 | 11 | ||
| 5 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | 12 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> |
| 6 | Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> | 13 | Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> |
| 7 | Message-id: 20180727113854.20283-3-peter.maydell@linaro.org | 14 | Reviewed-by: Richard Henderson <richard.henderson@linaro.org> |
| 15 | Message-id: 20230623144410.1837261-1-peter.maydell@linaro.org | ||
| 8 | --- | 16 | --- |
| 9 | hw/arm/iotkit.c | 2 +- | 17 | linux-user/syscall.c | 12 +++++------- |
| 10 | 1 file changed, 1 insertion(+), 1 deletion(-) | 18 | 1 file changed, 5 insertions(+), 7 deletions(-) |
| 11 | 19 | ||
| 12 | diff --git a/hw/arm/iotkit.c b/hw/arm/iotkit.c | 20 | diff --git a/linux-user/syscall.c b/linux-user/syscall.c |
| 13 | index XXXXXXX..XXXXXXX 100644 | 21 | index XXXXXXX..XXXXXXX 100644 |
| 14 | --- a/hw/arm/iotkit.c | 22 | --- a/linux-user/syscall.c |
| 15 | +++ b/hw/arm/iotkit.c | 23 | +++ b/linux-user/syscall.c |
| 16 | @@ -XXX,XX +XXX,XX @@ static void iotkit_realize(DeviceState *dev, Error **errp) | 24 | @@ -XXX,XX +XXX,XX @@ static abi_long do_syscall1(CPUArchState *cpu_env, int num, abi_long arg1, |
| 17 | return; | 25 | #if defined(TARGET_NR_clock_adjtime) && defined(CONFIG_CLOCK_ADJTIME) |
| 18 | } | 26 | case TARGET_NR_clock_adjtime: |
| 19 | sysbus_connect_irq(SYS_BUS_DEVICE(&s->timer1), 0, | 27 | { |
| 20 | - qdev_get_gpio_in(DEVICE(&s->armv7m), 3)); | 28 | - struct timex htx, *phtx = &htx; |
| 21 | + qdev_get_gpio_in(DEVICE(&s->armv7m), 4)); | 29 | + struct timex htx; |
| 22 | mr = sysbus_mmio_get_region(SYS_BUS_DEVICE(&s->timer1), 0); | 30 | |
| 23 | object_property_set_link(OBJECT(&s->apb_ppc0), OBJECT(mr), "port[1]", &err); | 31 | - if (target_to_host_timex(phtx, arg2) != 0) { |
| 24 | if (err) { | 32 | + if (target_to_host_timex(&htx, arg2) != 0) { |
| 33 | return -TARGET_EFAULT; | ||
| 34 | } | ||
| 35 | - ret = get_errno(clock_adjtime(arg1, phtx)); | ||
| 36 | - if (!is_error(ret) && phtx) { | ||
| 37 | - if (host_to_target_timex(arg2, phtx) != 0) { | ||
| 38 | - return -TARGET_EFAULT; | ||
| 39 | - } | ||
| 40 | + ret = get_errno(clock_adjtime(arg1, &htx)); | ||
| 41 | + if (!is_error(ret) && host_to_target_timex(arg2, &htx)) { | ||
| 42 | + return -TARGET_EFAULT; | ||
| 43 | } | ||
| 44 | } | ||
| 45 | return ret; | ||
| 25 | -- | 46 | -- |
| 26 | 2.17.1 | 47 | 2.34.1 |
| 27 | 48 | ||
| 28 | 49 | diff view generated by jsdifflib |
New patch | |||
|---|---|---|---|
| 1 | Add comments to the in_* fields in the S1Translate struct | ||
| 2 | that explain what they're doing. | ||
| 1 | 3 | ||
| 4 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | ||
| 5 | Reviewed-by: Richard Henderson <richard.henderson@linaro.org> | ||
| 6 | Message-id: 20230710152130.3928330-2-peter.maydell@linaro.org | ||
| 7 | --- | ||
| 8 | target/arm/ptw.c | 40 ++++++++++++++++++++++++++++++++++++++++ | ||
| 9 | 1 file changed, 40 insertions(+) | ||
| 10 | |||
| 11 | diff --git a/target/arm/ptw.c b/target/arm/ptw.c | ||
| 12 | index XXXXXXX..XXXXXXX 100644 | ||
| 13 | --- a/target/arm/ptw.c | ||
| 14 | +++ b/target/arm/ptw.c | ||
| 15 | @@ -XXX,XX +XXX,XX @@ | ||
| 16 | #endif | ||
| 17 | |||
| 18 | typedef struct S1Translate { | ||
| 19 | + /* | ||
| 20 | + * in_mmu_idx : specifies which TTBR, TCR, etc to use for the walk. | ||
| 21 | + * Together with in_space, specifies the architectural translation regime. | ||
| 22 | + */ | ||
| 23 | ARMMMUIdx in_mmu_idx; | ||
| 24 | + /* | ||
| 25 | + * in_ptw_idx: specifies which mmuidx to use for the actual | ||
| 26 | + * page table descriptor load operations. This will be one of the | ||
| 27 | + * ARMMMUIdx_Stage2* or one of the ARMMMUIdx_Phys_* indexes. | ||
| 28 | + * If a Secure ptw is "downgraded" to NonSecure by an NSTable bit, | ||
| 29 | + * this field is updated accordingly. | ||
| 30 | + */ | ||
| 31 | ARMMMUIdx in_ptw_idx; | ||
| 32 | + /* | ||
| 33 | + * in_space: the security space for this walk. This plus | ||
| 34 | + * the in_mmu_idx specify the architectural translation regime. | ||
| 35 | + * If a Secure ptw is "downgraded" to NonSecure by an NSTable bit, | ||
| 36 | + * this field is updated accordingly. | ||
| 37 | + * | ||
| 38 | + * Note that the security space for the in_ptw_idx may be different | ||
| 39 | + * from that for the in_mmu_idx. We do not need to explicitly track | ||
| 40 | + * the in_ptw_idx security space because: | ||
| 41 | + * - if the in_ptw_idx is an ARMMMUIdx_Phys_* then the mmuidx | ||
| 42 | + * itself specifies the security space | ||
| 43 | + * - if the in_ptw_idx is an ARMMMUIdx_Stage2* then the security | ||
| 44 | + * space used for ptw reads is the same as that of the security | ||
| 45 | + * space of the stage 1 translation for all cases except where | ||
| 46 | + * stage 1 is Secure; in that case the only possibilities for | ||
| 47 | + * the ptw read are Secure and NonSecure, and the in_ptw_idx | ||
| 48 | + * value being Stage2 vs Stage2_S distinguishes those. | ||
| 49 | + */ | ||
| 50 | ARMSecuritySpace in_space; | ||
| 51 | + /* | ||
| 52 | + * in_secure: whether the translation regime is a Secure one. | ||
| 53 | + * This is always equal to arm_space_is_secure(in_space). | ||
| 54 | + * If a Secure ptw is "downgraded" to NonSecure by an NSTable bit, | ||
| 55 | + * this field is updated accordingly. | ||
| 56 | + */ | ||
| 57 | bool in_secure; | ||
| 58 | + /* | ||
| 59 | + * in_debug: is this a QEMU debug access (gdbstub, etc)? Debug | ||
| 60 | + * accesses will not update the guest page table access flags | ||
| 61 | + * and will not change the state of the softmmu TLBs. | ||
| 62 | + */ | ||
| 63 | bool in_debug; | ||
| 64 | /* | ||
| 65 | * If this is stage 2 of a stage 1+2 page table walk, then this must | ||
| 66 | -- | ||
| 67 | 2.34.1 | diff view generated by jsdifflib |
| 1 | From: Philippe Mathieu-Daudé <f4bug@amsat.org> | 1 | In commit fe4a5472ccd6 we rearranged the logic in S1_ptw_translate() |
|---|---|---|---|
| 2 | so that the debug-access "call get_phys_addr_*" codepath is used both | ||
| 3 | when S1 is doing ptw reads from stage 2 and when it is doing ptw | ||
| 4 | reads from physical memory. However, we didn't update the | ||
| 5 | calculation of s2ptw->in_space and s2ptw->in_secure to account for | ||
| 6 | the "ptw reads from physical memory" case. This meant that debug | ||
| 7 | accesses when in Secure state broke. | ||
| 2 | 8 | ||
| 3 | Since 86f0a186d6f the TYPE_ARM_HOST_CPU is only compiled when CONFIG_KVM | 9 | Create a new function S2_security_space() which returns the |
| 4 | is enabled. | 10 | correct security space to use for the ptw load, and use it to |
| 11 | determine the correct .in_secure and .in_space fields for the | ||
| 12 | stage 2 lookup for the ptw load. | ||
| 5 | 13 | ||
| 6 | Remove the now redundant special-case introduced in a96c0514ab7, to avoid: | 14 | Reported-by: Jean-Philippe Brucker <jean-philippe@linaro.org> |
| 7 | 15 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | |
| 8 | $ qemu-system-aarch64 -machine virt -cpu \? | fgrep host | 16 | Tested-by: Jean-Philippe Brucker <jean-philippe@linaro.org> |
| 9 | host | 17 | Reviewed-by: Richard Henderson <richard.henderson@linaro.org> |
| 10 | host (only available in KVM mode) | 18 | Message-id: 20230710152130.3928330-3-peter.maydell@linaro.org |
| 11 | 19 | Fixes: fe4a5472ccd6 ("target/arm: Use get_phys_addr_with_struct in S1_ptw_translate") | |
| 12 | Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> | ||
| 13 | Message-id: 20180727132311.2777-1-f4bug@amsat.org | ||
| 14 | Reviewed-by: Peter Maydell <peter.maydell@linaro.org> | ||
| 15 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | 20 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> |
| 16 | --- | 21 | --- |
| 17 | target/arm/helper.c | 6 ------ | 22 | target/arm/ptw.c | 37 ++++++++++++++++++++++++++++++++----- |
| 18 | 1 file changed, 6 deletions(-) | 23 | 1 file changed, 32 insertions(+), 5 deletions(-) |
| 19 | 24 | ||
| 20 | diff --git a/target/arm/helper.c b/target/arm/helper.c | 25 | diff --git a/target/arm/ptw.c b/target/arm/ptw.c |
| 21 | index XXXXXXX..XXXXXXX 100644 | 26 | index XXXXXXX..XXXXXXX 100644 |
| 22 | --- a/target/arm/helper.c | 27 | --- a/target/arm/ptw.c |
| 23 | +++ b/target/arm/helper.c | 28 | +++ b/target/arm/ptw.c |
| 24 | @@ -XXX,XX +XXX,XX @@ void arm_cpu_list(FILE *f, fprintf_function cpu_fprintf) | 29 | @@ -XXX,XX +XXX,XX @@ static bool S2_attrs_are_device(uint64_t hcr, uint8_t attrs) |
| 25 | (*cpu_fprintf)(f, "Available CPUs:\n"); | 30 | } |
| 26 | g_slist_foreach(list, arm_cpu_list_entry, &s); | ||
| 27 | g_slist_free(list); | ||
| 28 | -#ifdef CONFIG_KVM | ||
| 29 | - /* The 'host' CPU type is dynamically registered only if KVM is | ||
| 30 | - * enabled, so we have to special-case it here: | ||
| 31 | - */ | ||
| 32 | - (*cpu_fprintf)(f, " host (only available in KVM mode)\n"); | ||
| 33 | -#endif | ||
| 34 | } | 31 | } |
| 35 | 32 | ||
| 36 | static void arm_cpu_add_definition(gpointer data, gpointer user_data) | 33 | +static ARMSecuritySpace S2_security_space(ARMSecuritySpace s1_space, |
| 34 | + ARMMMUIdx s2_mmu_idx) | ||
| 35 | +{ | ||
| 36 | + /* | ||
| 37 | + * Return the security space to use for stage 2 when doing | ||
| 38 | + * the S1 page table descriptor load. | ||
| 39 | + */ | ||
| 40 | + if (regime_is_stage2(s2_mmu_idx)) { | ||
| 41 | + /* | ||
| 42 | + * The security space for ptw reads is almost always the same | ||
| 43 | + * as that of the security space of the stage 1 translation. | ||
| 44 | + * The only exception is when stage 1 is Secure; in that case | ||
| 45 | + * the ptw read might be to the Secure or the NonSecure space | ||
| 46 | + * (but never Realm or Root), and the s2_mmu_idx tells us which. | ||
| 47 | + * Root translations are always single-stage. | ||
| 48 | + */ | ||
| 49 | + if (s1_space == ARMSS_Secure) { | ||
| 50 | + return arm_secure_to_space(s2_mmu_idx == ARMMMUIdx_Stage2_S); | ||
| 51 | + } else { | ||
| 52 | + assert(s2_mmu_idx != ARMMMUIdx_Stage2_S); | ||
| 53 | + assert(s1_space != ARMSS_Root); | ||
| 54 | + return s1_space; | ||
| 55 | + } | ||
| 56 | + } else { | ||
| 57 | + /* ptw loads are from phys: the mmu idx itself says which space */ | ||
| 58 | + return arm_phys_to_space(s2_mmu_idx); | ||
| 59 | + } | ||
| 60 | +} | ||
| 61 | + | ||
| 62 | /* Translate a S1 pagetable walk through S2 if needed. */ | ||
| 63 | static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw, | ||
| 64 | hwaddr addr, ARMMMUFaultInfo *fi) | ||
| 65 | { | ||
| 66 | - ARMSecuritySpace space = ptw->in_space; | ||
| 67 | bool is_secure = ptw->in_secure; | ||
| 68 | ARMMMUIdx mmu_idx = ptw->in_mmu_idx; | ||
| 69 | ARMMMUIdx s2_mmu_idx = ptw->in_ptw_idx; | ||
| 70 | @@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw, | ||
| 71 | * From gdbstub, do not use softmmu so that we don't modify the | ||
| 72 | * state of the cpu at all, including softmmu tlb contents. | ||
| 73 | */ | ||
| 74 | + ARMSecuritySpace s2_space = S2_security_space(ptw->in_space, s2_mmu_idx); | ||
| 75 | S1Translate s2ptw = { | ||
| 76 | .in_mmu_idx = s2_mmu_idx, | ||
| 77 | .in_ptw_idx = ptw_idx_for_stage_2(env, s2_mmu_idx), | ||
| 78 | - .in_secure = s2_mmu_idx == ARMMMUIdx_Stage2_S, | ||
| 79 | - .in_space = (s2_mmu_idx == ARMMMUIdx_Stage2_S ? ARMSS_Secure | ||
| 80 | - : space == ARMSS_Realm ? ARMSS_Realm | ||
| 81 | - : ARMSS_NonSecure), | ||
| 82 | + .in_secure = arm_space_is_secure(s2_space), | ||
| 83 | + .in_space = s2_space, | ||
| 84 | .in_debug = true, | ||
| 85 | }; | ||
| 86 | GetPhysAddrResult s2 = { }; | ||
| 37 | -- | 87 | -- |
| 38 | 2.17.1 | 88 | 2.34.1 |
| 39 | |||
| 40 | diff view generated by jsdifflib |
| 1 | The vmstate save/load code insists that subsections of a VMState must | 1 | In get_phys_addr_twostage() the code that applies the effects of |
|---|---|---|---|
| 2 | have names which include their parent VMState's name as a leading | 2 | VSTCR.{SA,SW} and VTCR.{NSA,NSW} only updates result->f.attrs.secure. |
| 3 | substring. Unfortunately it neither documents this nor checks it on | 3 | Now we also have f.attrs.space for FEAT_RME, we need to keep the two |
| 4 | device init or state save, but instead fails state load with a | 4 | in sync. |
| 5 | confusing error message ("Missing section footer for armv7m_nvic"). | ||
| 6 | 5 | ||
| 7 | Fix the name of the m-security subsection of the NVIC, so that | 6 | These bits only have an effect for Secure space translations, not |
| 8 | state save/load works correctly for the security-enabled NVIC. | 7 | for Root, so use the input in_space field to determine whether to |
| 8 | apply them rather than the input is_secure. This doesn't actually | ||
| 9 | make a difference because Root translations are never two-stage, | ||
| 10 | but it's a little clearer. | ||
| 9 | 11 | ||
| 10 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | 12 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> |
| 11 | Reviewed-by: Richard Henderson <richard.henderson@linaro.org> | 13 | Reviewed-by: Richard Henderson <richard.henderson@linaro.org> |
| 12 | Message-id: 20180727113854.20283-2-peter.maydell@linaro.org | 14 | Message-id: 20230710152130.3928330-4-peter.maydell@linaro.org |
| 13 | --- | 15 | --- |
| 14 | hw/intc/armv7m_nvic.c | 2 +- | 16 | target/arm/ptw.c | 13 ++++++++----- |
| 15 | 1 file changed, 1 insertion(+), 1 deletion(-) | 17 | 1 file changed, 8 insertions(+), 5 deletions(-) |
| 16 | 18 | ||
| 17 | diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c | 19 | diff --git a/target/arm/ptw.c b/target/arm/ptw.c |
| 18 | index XXXXXXX..XXXXXXX 100644 | 20 | index XXXXXXX..XXXXXXX 100644 |
| 19 | --- a/hw/intc/armv7m_nvic.c | 21 | --- a/target/arm/ptw.c |
| 20 | +++ b/hw/intc/armv7m_nvic.c | 22 | +++ b/target/arm/ptw.c |
| 21 | @@ -XXX,XX +XXX,XX @@ static int nvic_security_post_load(void *opaque, int version_id) | 23 | @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw, |
| 24 | hwaddr ipa; | ||
| 25 | int s1_prot, s1_lgpgsz; | ||
| 26 | bool is_secure = ptw->in_secure; | ||
| 27 | + ARMSecuritySpace in_space = ptw->in_space; | ||
| 28 | bool ret, ipa_secure; | ||
| 29 | ARMCacheAttrs cacheattrs1; | ||
| 30 | ARMSecuritySpace ipa_space; | ||
| 31 | @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw, | ||
| 32 | * Check if IPA translates to secure or non-secure PA space. | ||
| 33 | * Note that VSTCR overrides VTCR and {N}SW overrides {N}SA. | ||
| 34 | */ | ||
| 35 | - result->f.attrs.secure = | ||
| 36 | - (is_secure | ||
| 37 | - && !(env->cp15.vstcr_el2 & (VSTCR_SA | VSTCR_SW)) | ||
| 38 | - && (ipa_secure | ||
| 39 | - || !(env->cp15.vtcr_el2 & (VTCR_NSA | VTCR_NSW)))); | ||
| 40 | + if (in_space == ARMSS_Secure) { | ||
| 41 | + result->f.attrs.secure = | ||
| 42 | + !(env->cp15.vstcr_el2 & (VSTCR_SA | VSTCR_SW)) | ||
| 43 | + && (ipa_secure | ||
| 44 | + || !(env->cp15.vtcr_el2 & (VTCR_NSA | VTCR_NSW))); | ||
| 45 | + result->f.attrs.space = arm_secure_to_space(result->f.attrs.secure); | ||
| 46 | + } | ||
| 47 | |||
| 48 | return false; | ||
| 22 | } | 49 | } |
| 23 | |||
| 24 | static const VMStateDescription vmstate_nvic_security = { | ||
| 25 | - .name = "nvic/m-security", | ||
| 26 | + .name = "armv7m_nvic/m-security", | ||
| 27 | .version_id = 1, | ||
| 28 | .minimum_version_id = 1, | ||
| 29 | .needed = nvic_security_needed, | ||
| 30 | -- | 50 | -- |
| 31 | 2.17.1 | 51 | 2.34.1 |
| 32 | |||
| 33 | diff view generated by jsdifflib |
| 1 | In the tz-mpc device we allocate a data block for the LUT, | 1 | In commit f0a08b0913befbd we changed the type of the PC from |
|---|---|---|---|
| 2 | which we then clear to zero in the device's reset method. | 2 | target_ulong to vaddr. In doing so we inadvertently dropped the |
| 3 | This is conceptually fine, but unfortunately results in a | 3 | zero-padding on the PC in trace lines (the second item inside the [] |
| 4 | valgrind complaint about use of uninitialized data on startup: | 4 | in these lines). They used to look like this on AArch64, for |
| 5 | instance: | ||
| 5 | 6 | ||
| 6 | ==30906== Conditional jump or move depends on uninitialised value(s) | 7 | Trace 0: 0x7f2260000100 [00000000/0000000040000000/00000061/ff200000] |
| 7 | ==30906== at 0x503609: tz_mpc_translate (tz-mpc.c:439) | ||
| 8 | ==30906== by 0x3F3D90: address_space_translate_iommu (exec.c:511) | ||
| 9 | ==30906== by 0x3F3FF8: flatview_do_translate (exec.c:584) | ||
| 10 | ==30906== by 0x3F4292: flatview_translate (exec.c:644) | ||
| 11 | ==30906== by 0x3F2120: address_space_translate (memory.h:1962) | ||
| 12 | ==30906== by 0x3FB753: address_space_ldl_internal (memory_ldst.inc.c:36) | ||
| 13 | ==30906== by 0x3FB8A6: address_space_ldl (memory_ldst.inc.c:80) | ||
| 14 | ==30906== by 0x619037: ldl_phys (memory_ldst_phys.inc.h:25) | ||
| 15 | ==30906== by 0x61985D: arm_cpu_reset (cpu.c:255) | ||
| 16 | ==30906== by 0x98791B: cpu_reset (cpu.c:249) | ||
| 17 | ==30906== by 0x57FFDB: armv7m_reset (armv7m.c:265) | ||
| 18 | ==30906== by 0x7B1775: qemu_devices_reset (reset.c:69) | ||
| 19 | 8 | ||
| 20 | This is because of a reset ordering problem -- the TZ MPC | 9 | and now they look like this: |
| 21 | resets after the CPU, but an M-profile CPU's reset function | 10 | Trace 0: 0x7f4f50000100 [00000000/40000000/00000061/ff200000] |
| 22 | includes memory loads to get the initial PC and SP, which | ||
| 23 | then go through an MPC that hasn't yet been reset. | ||
| 24 | 11 | ||
| 25 | The simplest fix for this is to zero the LUT when we | 12 | and if the PC happens to be somewhere low like 0x5000 |
| 26 | initialize the data, which will result in the MPC's | 13 | then the field is shown as /5000/. |
| 27 | translate function giving the right answers for these | ||
| 28 | early memory accesses. | ||
| 29 | 14 | ||
| 30 | Reported-by: Thomas Huth <thuth@redhat.com> | 15 | This is because TARGET_FMT_lx is a "%08x" or "%016x" specifier, |
| 16 | depending on TARGET_LONG_SIZE, whereas VADDR_PRIx is just PRIx64 | ||
| 17 | with no width specifier. | ||
| 18 | |||
| 19 | Restore the zero-padding by adding an 016 width specifier to | ||
| 20 | this tracing and a couple of others that were similarly recently | ||
| 21 | changed to use VADDR_PRIx without a width specifier. | ||
| 22 | |||
| 23 | We can't unfortunately restore the "32-bit guests are padded to | ||
| 24 | 8 hex digits and 64-bit guests to 16 hex digits" behaviour so | ||
| 25 | easily. | ||
| 26 | |||
| 27 | Fixes: f0a08b0913befbd ("accel/tcg/cpu-exec.c: Widen pc to vaddr") | ||
| 31 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | 28 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> |
| 32 | Tested-by: Thomas Huth <thuth@redhat.com> | 29 | Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> |
| 33 | Message-id: 20180724153616.32352-1-peter.maydell@linaro.org | 30 | Reviewed-by: Anton Johansson <anjo@rev.ng> |
| 31 | Message-id: 20230711165434.4123674-1-peter.maydell@linaro.org | ||
| 34 | --- | 32 | --- |
| 35 | hw/misc/tz-mpc.c | 2 +- | 33 | accel/tcg/cpu-exec.c | 4 ++-- |
| 36 | 1 file changed, 1 insertion(+), 1 deletion(-) | 34 | accel/tcg/translate-all.c | 2 +- |
| 35 | 2 files changed, 3 insertions(+), 3 deletions(-) | ||
| 37 | 36 | ||
| 38 | diff --git a/hw/misc/tz-mpc.c b/hw/misc/tz-mpc.c | 37 | diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c |
| 39 | index XXXXXXX..XXXXXXX 100644 | 38 | index XXXXXXX..XXXXXXX 100644 |
| 40 | --- a/hw/misc/tz-mpc.c | 39 | --- a/accel/tcg/cpu-exec.c |
| 41 | +++ b/hw/misc/tz-mpc.c | 40 | +++ b/accel/tcg/cpu-exec.c |
| 42 | @@ -XXX,XX +XXX,XX @@ static void tz_mpc_realize(DeviceState *dev, Error **errp) | 41 | @@ -XXX,XX +XXX,XX @@ static void log_cpu_exec(vaddr pc, CPUState *cpu, |
| 43 | address_space_init(&s->blocked_io_as, &s->blocked_io, | 42 | if (qemu_log_in_addr_range(pc)) { |
| 44 | "tz-mpc-blocked-io"); | 43 | qemu_log_mask(CPU_LOG_EXEC, |
| 45 | 44 | "Trace %d: %p [%08" PRIx64 | |
| 46 | - s->blk_lut = g_new(uint32_t, s->blk_max); | 45 | - "/%" VADDR_PRIx "/%08x/%08x] %s\n", |
| 47 | + s->blk_lut = g_new0(uint32_t, s->blk_max); | 46 | + "/%016" VADDR_PRIx "/%08x/%08x] %s\n", |
| 48 | } | 47 | cpu->cpu_index, tb->tc.ptr, tb->cs_base, pc, |
| 49 | 48 | tb->flags, tb->cflags, lookup_symbol(pc)); | |
| 50 | static int tz_mpc_post_load(void *opaque, int version_id) | 49 | |
| 50 | @@ -XXX,XX +XXX,XX @@ cpu_tb_exec(CPUState *cpu, TranslationBlock *itb, int *tb_exit) | ||
| 51 | if (qemu_loglevel_mask(CPU_LOG_EXEC)) { | ||
| 52 | vaddr pc = log_pc(cpu, last_tb); | ||
| 53 | if (qemu_log_in_addr_range(pc)) { | ||
| 54 | - qemu_log("Stopped execution of TB chain before %p [%" | ||
| 55 | + qemu_log("Stopped execution of TB chain before %p [%016" | ||
| 56 | VADDR_PRIx "] %s\n", | ||
| 57 | last_tb->tc.ptr, pc, lookup_symbol(pc)); | ||
| 58 | } | ||
| 59 | diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c | ||
| 60 | index XXXXXXX..XXXXXXX 100644 | ||
| 61 | --- a/accel/tcg/translate-all.c | ||
| 62 | +++ b/accel/tcg/translate-all.c | ||
| 63 | @@ -XXX,XX +XXX,XX @@ void cpu_io_recompile(CPUState *cpu, uintptr_t retaddr) | ||
| 64 | if (qemu_loglevel_mask(CPU_LOG_EXEC)) { | ||
| 65 | vaddr pc = log_pc(cpu, tb); | ||
| 66 | if (qemu_log_in_addr_range(pc)) { | ||
| 67 | - qemu_log("cpu_io_recompile: rewound execution of TB to %" | ||
| 68 | + qemu_log("cpu_io_recompile: rewound execution of TB to %016" | ||
| 69 | VADDR_PRIx "\n", pc); | ||
| 70 | } | ||
| 71 | } | ||
| 51 | -- | 72 | -- |
| 52 | 2.17.1 | 73 | 2.34.1 |
| 53 | 74 | ||
| 54 | 75 | diff view generated by jsdifflib |
| 1 | From: "Dr. David Alan Gilbert" <dgilbert@redhat.com> | 1 | From: Tong Ho <tong.ho@amd.com> |
|---|---|---|---|
| 2 | 2 | ||
| 3 | The 'vmstate_smmuv3_queue' is missing the end-of-list marker. | 3 | Add a check in the bit-set operation to write the backstore |
| 4 | only if the affected bit is 0 before. | ||
| 4 | 5 | ||
| 5 | Fixes: 10a83cb9887 | 6 | With this in place, there will be no need for callers to |
| 6 | Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> | 7 | do the checking in order to avoid unnecessary writes. |
| 7 | Message-id: 20180727135406.15132-1-dgilbert@redhat.com | 8 | |
| 8 | Reviewed-by: Peter Maydell <peter.maydell@linaro.org> | 9 | Signed-off-by: Tong Ho <tong.ho@amd.com> |
| 9 | [PMM: dropped stray blank line] | 10 | Reviewed-by: Alistair Francis <alistair.francis@wdc.com> |
| 11 | Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com> | ||
| 12 | Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> | ||
| 10 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | 13 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> |
| 11 | --- | 14 | --- |
| 12 | hw/arm/smmuv3.c | 1 + | 15 | hw/nvram/xlnx-efuse.c | 11 +++++++++-- |
| 13 | 1 file changed, 1 insertion(+) | 16 | 1 file changed, 9 insertions(+), 2 deletions(-) |
| 14 | 17 | ||
| 15 | diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c | 18 | diff --git a/hw/nvram/xlnx-efuse.c b/hw/nvram/xlnx-efuse.c |
| 16 | index XXXXXXX..XXXXXXX 100644 | 19 | index XXXXXXX..XXXXXXX 100644 |
| 17 | --- a/hw/arm/smmuv3.c | 20 | --- a/hw/nvram/xlnx-efuse.c |
| 18 | +++ b/hw/arm/smmuv3.c | 21 | +++ b/hw/nvram/xlnx-efuse.c |
| 19 | @@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_smmuv3_queue = { | 22 | @@ -XXX,XX +XXX,XX @@ static bool efuse_ro_bits_find(XlnxEFuse *s, uint32_t k) |
| 20 | VMSTATE_UINT32(prod, SMMUQueue), | 23 | |
| 21 | VMSTATE_UINT32(cons, SMMUQueue), | 24 | bool xlnx_efuse_set_bit(XlnxEFuse *s, unsigned int bit) |
| 22 | VMSTATE_UINT8(log2size, SMMUQueue), | 25 | { |
| 23 | + VMSTATE_END_OF_LIST(), | 26 | + uint32_t set, *row; |
| 24 | }, | 27 | + |
| 25 | }; | 28 | if (efuse_ro_bits_find(s, bit)) { |
| 29 | g_autofree char *path = object_get_canonical_path(OBJECT(s)); | ||
| 30 | |||
| 31 | @@ -XXX,XX +XXX,XX @@ bool xlnx_efuse_set_bit(XlnxEFuse *s, unsigned int bit) | ||
| 32 | return false; | ||
| 33 | } | ||
| 34 | |||
| 35 | - s->fuse32[bit / 32] |= 1 << (bit % 32); | ||
| 36 | - efuse_bdrv_sync(s, bit); | ||
| 37 | + /* Avoid back-end write unless there is a real update */ | ||
| 38 | + row = &s->fuse32[bit / 32]; | ||
| 39 | + set = 1 << (bit % 32); | ||
| 40 | + if (!(set & *row)) { | ||
| 41 | + *row |= set; | ||
| 42 | + efuse_bdrv_sync(s, bit); | ||
| 43 | + } | ||
| 44 | return true; | ||
| 45 | } | ||
| 26 | 46 | ||
| 27 | -- | 47 | -- |
| 28 | 2.17.1 | 48 | 2.34.1 |
| 29 | 49 | ||
| 30 | 50 | diff view generated by jsdifflib |