Series comparison

-[Qemu-devel] [PULL 00/17] target-arm queue
+[PULL 0/2] target-arm queue
-v2: dropped a couple of cadence_gem changes to ID regs that
+Hi; this pull request has a couple of fixes for bugs in
-caused new clang sanitizer warnings.
+the Arm page-table-walk code, which arrived in the last
 day or so.
+I'm sending this out now in the hope it might just sneak
+in before rc2 gets tagged, so the fixes can get more
+testing time before the 7.2 release; but if they don't
+make it then this should go into rc3.
+thanks
 -- PMM
-The following changes since commit dddb37495b844270088e68e3bf30b764d48d863f:
+The following changes since commit 6d71357a3b651ec9db126e4862b77e13165427f5:
-  Merge remote-tracking branch 'remotes/awilliam/tags/vfio-updates-20181015.0' into staging (2018-10-15 18:44:04 +0100)
+  rtl8139: honor large send MSS value (2022-11-21 09:28:43 -0500)
 are available in the Git repository at:
-  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20181016-1
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20221122
-for you to fetch changes up to 2ef297af07196c29446556537861f8e7dfeeae7b:
+for you to fetch changes up to 15f8f4671afd22491ce99d28a296514717fead4f:
-  coccinelle: new inplace-byteswaps.cocci to remove inplace-byteswapping calls (2018-10-16 17:14:55 +0100)
+  target/arm: Use signed quantity to represent VMSAv8-64 translation level (2022-11-22 16:10:25 +0000)
 ----------------------------------------------------------------
-target-arm queue:
+target-arm:
- * hw/arm/virt: add DT property /secure-chosen/stdout-path indicating secure UART
+ * Fix broken 5-level pagetable handling
- * target/arm: Fix aarch64_sve_change_el wrt EL0
+ * Fix debug accesses when EL2 is present
  * target/arm: Define fields of ISAR registers
  * target/arm: Align cortex-r5 id_isar0
  * target/arm: Fix cortex-a7 id_isar0
  * net/cadence_gem: Fix various bugs, add support for new
    features that will be used by the Xilinx Versal board
  * target-arm: powerctl: Enable HVC when starting CPUs to EL2
  * target/arm: Add the Cortex-A72
  * target/arm: Mark PMINTENCLR and PMINTENCLR_EL1 accesses as possibly doing IO
  * target/arm: Mask PMOVSR writes based on supported counters
  * target/arm: Initialize ARMMMUFaultInfo in v7m_stack_read/write
  * coccinelle: new inplace-byteswaps.cocci to remove inplace-byteswapping calls
 ----------------------------------------------------------------
-Aaron Lindsay (2):
+Ard Biesheuvel (1):
-      target/arm: Mark PMINTENCLR and PMINTENCLR_EL1 accesses as possibly doing IO
+      target/arm: Use signed quantity to represent VMSAv8-64 translation level
       target/arm: Mask PMOVSR writes based on supported counters
-Edgar E. Iglesias (8):
+Peter Maydell (1):
-      net: cadence_gem: Disable TSU feature bit
+      target/arm: Don't do two-stage lookup if stage 2 is disabled
       net: cadence_gem: Use uint32_t for 32bit descriptor words
       net: cadence_gem: Add macro with max number of descriptor words
       net: cadence_gem: Add support for extended descriptors
       net: cadence_gem: Add support for selecting the DMA MemoryRegion
       net: cadence_gem: Implement support for 64bit descriptor addresses
       target-arm: powerctl: Enable HVC when starting CPUs to EL2
       target/arm: Add the Cortex-A72
-Jerome Forissier (1):
+ target/arm/ptw.c | 11 ++++++-----
-      hw/arm/virt: add DT property /secure-chosen/stdout-path indicating secure UART
+file changed, 6 insertions(+), 5 deletions(-)
 Peter Maydell (2):
       target/arm: Initialize ARMMMUFaultInfo in v7m_stack_read/write
       coccinelle: new inplace-byteswaps.cocci to remove inplace-byteswapping calls
 Richard Henderson (4):
       target/arm: Fix aarch64_sve_change_el wrt EL0
       target/arm: Define fields of ISAR registers
       target/arm: Align cortex-r5 id_isar0
       target/arm: Fix cortex-a7 id_isar0
  include/hw/net/cadence_gem.h               |   7 +-
  target/arm/cpu.h                           |  95 ++++++++++++++-
  hw/arm/virt.c                              |   4 +
  hw/net/cadence_gem.c                       | 185 ++++++++++++++++++++---------
  target/arm/arm-powerctl.c                  |  10 ++
  target/arm/cpu.c                           |   7 +-
  target/arm/cpu64.c                         |  66 +++++++++-
  target/arm/helper.c                        |  27 +++--
  target/arm/op_helper.c                     |   6 +-
  scripts/coccinelle/inplace-byteswaps.cocci |  65 ++++++++++
 files changed, 402 insertions(+), 70 deletions(-)
  create mode 100644 scripts/coccinelle/inplace-byteswaps.cocci

-New patch
+[PULL 1/2] target/arm: Don't do two-stage lookup if stage 2 is disabled
+In get_phys_addr_with_struct(), we call get_phys_addr_twostage() if
+the CPU supports EL2.  However, we don't check here that stage 2 is
+actually enabled.  Instead we only check that inside
+get_phys_addr_twostage() to skip stage 2 translation.  This means
+that even if stage 2 is disabled we still tell the stage 1 lookup to
+do its page table walks via stage 2.
+This works by luck for normal CPU accesses, but it breaks for debug
+accesses, which are used by the disassembler and also by semihosting
+file reads and writes, because the debug case takes a different code
+path inside S1_ptw_translate().
+This means that setups that use semihosting for file loads are broken
+(a regression since 7.1, introduced in recent ptw refactoring), and
+that sometimes disassembly in debug logs reports "unable to read
+memory" rather than showing the guest insns.
+Fix the bug by hoisting the "is stage 2 enabled?" check up to
+get_phys_addr_with_struct(), so that we handle S2 disabled the same
+way we do the "no EL2" case, with a simple single stage lookup.
+Reported-by: Jens Wiklander <jens.wiklander@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20221121212404.1450382-1-peter.maydell@linaro.org
+---
+ target/arm/ptw.c | 7 ++++---
+file changed, 4 insertions(+), 3 deletions(-)
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/ptw.c
++++ b/target/arm/ptw.c
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
+     ret = get_phys_addr_with_struct(env, ptw, address, access_type, result, fi);
+-    /* If S1 fails or S2 is disabled, return early.  */
+-    if (ret || regime_translation_disabled(env, ARMMMUIdx_Stage2, is_secure)) {
++    /* If S1 fails, return early.  */
++    if (ret) {
+         return ret;
+     }
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_with_struct(CPUARMState *env, S1Translate *ptw,
+          * Otherwise, a stage1+stage2 translation is just stage 1.
+          */
+         ptw->in_mmu_idx = mmu_idx = s1_mmu_idx;
+-        if (arm_feature(env, ARM_FEATURE_EL2)) {
++        if (arm_feature(env, ARM_FEATURE_EL2) &&
++            !regime_translation_disabled(env, ARMMMUIdx_Stage2, is_secure)) {
+             return get_phys_addr_twostage(env, ptw, address, access_type,
+                                           result, fi);
+         }
+--
+.25.1

-New patch
+[PULL 2/2] target/arm: Use signed quantity to represent VMSAv8-64 translation level
+From: Ard Biesheuvel <ardb@kernel.org>
+The LPA2 extension implements 52-bit virtual addressing for 4k and 16k
+translation granules, and for the former, this means an additional level
+of translation is needed. This means we start counting at -1 instead of
+when doing a walk, and so 'level' is now a signed quantity, and should
+be typed as such. So turn it from uint32_t into int32_t.
+This avoids a level of -1 getting misinterpreted as being >= 3, and
+terminating a page table walk prematurely with a bogus output address.
+Cc: Peter Maydell <peter.maydell@linaro.org>
+Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Cc: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/ptw.c | 4 ++--
+file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/ptw.c
++++ b/target/arm/ptw.c
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
+     ARMCPU *cpu = env_archcpu(env);
+     ARMMMUIdx mmu_idx = ptw->in_mmu_idx;
+     bool is_secure = ptw->in_secure;
+-    uint32_t level;
++    int32_t level;
+     ARMVAParameters param;
+     uint64_t ttbr;
+     hwaddr descaddr, indexmask, indexmask_grainsize;
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
+          */
+         uint32_t sl0 = extract32(tcr, 6, 2);
+         uint32_t sl2 = extract64(tcr, 33, 1);
+-        uint32_t startlevel;
++        int32_t startlevel;
+         bool ok;
+         /* SL2 is RES0 unless DS=1 & 4kb granule. */
+--
+.25.1

v2: dropped a couple of cadence_gem changes to ID regs that
caused new clang sanitizer warnings.

-- PMM

The following changes since commit dddb37495b844270088e68e3bf30b764d48d863f:

Merge remote-tracking branch 'remotes/awilliam/tags/vfio-updates-20181015.0' into staging (2018-10-15 18:44:04 +0100)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20181016-1

for you to fetch changes up to 2ef297af07196c29446556537861f8e7dfeeae7b:

coccinelle: new inplace-byteswaps.cocci to remove inplace-byteswapping calls (2018-10-16 17:14:55 +0100)

----------------------------------------------------------------
target-arm queue:
 * hw/arm/virt: add DT property /secure-chosen/stdout-path indicating secure UART
 * target/arm: Fix aarch64_sve_change_el wrt EL0
 * target/arm: Define fields of ISAR registers
 * target/arm: Align cortex-r5 id_isar0
 * target/arm: Fix cortex-a7 id_isar0
 * net/cadence_gem: Fix various bugs, add support for new
   features that will be used by the Xilinx Versal board
 * target-arm: powerctl: Enable HVC when starting CPUs to EL2
 * target/arm: Add the Cortex-A72
 * target/arm: Mark PMINTENCLR and PMINTENCLR_EL1 accesses as possibly doing IO
 * target/arm: Mask PMOVSR writes based on supported counters
 * target/arm: Initialize ARMMMUFaultInfo in v7m_stack_read/write
 * coccinelle: new inplace-byteswaps.cocci to remove inplace-byteswapping calls

----------------------------------------------------------------
Aaron Lindsay (2):
      target/arm: Mark PMINTENCLR and PMINTENCLR_EL1 accesses as possibly doing IO
      target/arm: Mask PMOVSR writes based on supported counters

Edgar E. Iglesias (8):
      net: cadence_gem: Disable TSU feature bit
      net: cadence_gem: Use uint32_t for 32bit descriptor words
      net: cadence_gem: Add macro with max number of descriptor words
      net: cadence_gem: Add support for extended descriptors
      net: cadence_gem: Add support for selecting the DMA MemoryRegion
      net: cadence_gem: Implement support for 64bit descriptor addresses
      target-arm: powerctl: Enable HVC when starting CPUs to EL2
      target/arm: Add the Cortex-A72

Jerome Forissier (1):
      hw/arm/virt: add DT property /secure-chosen/stdout-path indicating secure UART

Peter Maydell (2):
      target/arm: Initialize ARMMMUFaultInfo in v7m_stack_read/write
      coccinelle: new inplace-byteswaps.cocci to remove inplace-byteswapping calls

Richard Henderson (4):
      target/arm: Fix aarch64_sve_change_el wrt EL0
      target/arm: Define fields of ISAR registers
      target/arm: Align cortex-r5 id_isar0
      target/arm: Fix cortex-a7 id_isar0

include/hw/net/cadence_gem.h               |   7 +-
 target/arm/cpu.h                           |  95 ++++++++++++++-
 hw/arm/virt.c                              |   4 +
 hw/net/cadence_gem.c                       | 185 ++++++++++++++++++++---------
 target/arm/arm-powerctl.c                  |  10 ++
 target/arm/cpu.c                           |   7 +-
 target/arm/cpu64.c                         |  66 +++++++++-
 target/arm/helper.c                        |  27 +++--
 target/arm/op_helper.c                     |   6 +-
 scripts/coccinelle/inplace-byteswaps.cocci |  65 ++++++++++
 10 files changed, 402 insertions(+), 70 deletions(-)
 create mode 100644 scripts/coccinelle/inplace-byteswaps.cocci

Hi; this pull request has a couple of fixes for bugs in
the Arm page-table-walk code, which arrived in the last
day or so.

I'm sending this out now in the hope it might just sneak
in before rc2 gets tagged, so the fixes can get more
testing time before the 7.2 release; but if they don't
make it then this should go into rc3.

thanks
-- PMM

The following changes since commit 6d71357a3b651ec9db126e4862b77e13165427f5:

rtl8139: honor large send MSS value (2022-11-21 09:28:43 -0500)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20221122

for you to fetch changes up to 15f8f4671afd22491ce99d28a296514717fead4f:

target/arm: Use signed quantity to represent VMSAv8-64 translation level (2022-11-22 16:10:25 +0000)

----------------------------------------------------------------
target-arm:
 * Fix broken 5-level pagetable handling
 * Fix debug accesses when EL2 is present

----------------------------------------------------------------
Ard Biesheuvel (1):
      target/arm: Use signed quantity to represent VMSAv8-64 translation level

Peter Maydell (1):
      target/arm: Don't do two-stage lookup if stage 2 is disabled

target/arm/ptw.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

In get_phys_addr_with_struct(), we call get_phys_addr_twostage() if
the CPU supports EL2.  However, we don't check here that stage 2 is
actually enabled.  Instead we only check that inside
get_phys_addr_twostage() to skip stage 2 translation.  This means
that even if stage 2 is disabled we still tell the stage 1 lookup to
do its page table walks via stage 2.

This works by luck for normal CPU accesses, but it breaks for debug
accesses, which are used by the disassembler and also by semihosting
file reads and writes, because the debug case takes a different code
path inside S1_ptw_translate().

This means that setups that use semihosting for file loads are broken
(a regression since 7.1, introduced in recent ptw refactoring), and
that sometimes disassembly in debug logs reports "unable to read
memory" rather than showing the guest insns.

Fix the bug by hoisting the "is stage 2 enabled?" check up to
get_phys_addr_with_struct(), so that we handle S2 disabled the same
way we do the "no EL2" case, with a simple single stage lookup.

Reported-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20221121212404.1450382-1-peter.maydell@linaro.org
---
 target/arm/ptw.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
 
     ret = get_phys_addr_with_struct(env, ptw, address, access_type, result, fi);
 
-    /* If S1 fails or S2 is disabled, return early.  */
-    if (ret || regime_translation_disabled(env, ARMMMUIdx_Stage2, is_secure)) {
+    /* If S1 fails, return early.  */
+    if (ret) {
         return ret;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_with_struct(CPUARMState *env, S1Translate *ptw,
          * Otherwise, a stage1+stage2 translation is just stage 1.
          */
         ptw->in_mmu_idx = mmu_idx = s1_mmu_idx;
-        if (arm_feature(env, ARM_FEATURE_EL2)) {
+        if (arm_feature(env, ARM_FEATURE_EL2) &&
+            !regime_translation_disabled(env, ARMMMUIdx_Stage2, is_secure)) {
             return get_phys_addr_twostage(env, ptw, address, access_type,
                                           result, fi);
         }
-- 
2.25.1

From: Ard Biesheuvel <ardb@kernel.org>

The LPA2 extension implements 52-bit virtual addressing for 4k and 16k
translation granules, and for the former, this means an additional level
of translation is needed. This means we start counting at -1 instead of
0 when doing a walk, and so 'level' is now a signed quantity, and should
be typed as such. So turn it from uint32_t into int32_t.

This avoids a level of -1 getting misinterpreted as being >= 3, and
terminating a page table walk prematurely with a bogus output address.

Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
Cc: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/ptw.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
     ARMCPU *cpu = env_archcpu(env);
     ARMMMUIdx mmu_idx = ptw->in_mmu_idx;
     bool is_secure = ptw->in_secure;
-    uint32_t level;
+    int32_t level;
     ARMVAParameters param;
     uint64_t ttbr;
     hwaddr descaddr, indexmask, indexmask_grainsize;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
          */
         uint32_t sl0 = extract32(tcr, 6, 2);
         uint32_t sl2 = extract64(tcr, 33, 1);
-        uint32_t startlevel;
+        int32_t startlevel;
         bool ok;
 
         /* SL2 is RES0 unless DS=1 & 4kb granule. */
-- 
2.25.1