target-arm queue for rc1 -- these are all bug fixes.

The following changes since commit b9404bf592e7ba74180e1a54ed7a266ec6ee67f2:

Merge remote-tracking branch 'remotes/dgilbert/tags/pull-hmp-20190715' into staging (2019-07-15 12:22:07 +0100)

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20190715

for you to fetch changes up to 51c9122e92b776a3f16af0b9282f1dc5012e2a19:

target/arm: NS BusFault on vector table fetch escalates to NS HardFault (2019-07-15 14:17:04 +0100)

* report ARMv8-A FP support for AArch32 -cpu max

* hw/ssi/xilinx_spips: Avoid AXI writes to the LQSPI linear memory

* hw/ssi/xilinx_spips: Avoid out-of-bound access to lqspi_buf[]

* hw/ssi/mss-spi: Avoid crash when reading empty RX FIFO

* hw/display/xlnx_dp: Avoid crash when reading empty RX FIFO

* hw/arm/virt: Fix non-secure flash mode

* pl031: Correctly migrate state when using -rtc clock=host

* fix regression that meant arm926 and arm1026 lost VFP

double-precision support

* v8M: NS BusFault on vector table fetch escalates to NS HardFault

Alex Bennée (1):

target/arm: report ARMv8-A FP support for AArch32 -cpu max

David Engraf (1):

hw/arm/virt: Fix non-secure flash mode

Peter Maydell (3):

pl031: Correctly migrate state when using -rtc clock=host

target/arm: Set VFP-related MVFR0 fields for arm926 and arm1026

target/arm: NS BusFault on vector table fetch escalates to NS HardFault

Philippe Mathieu-Daudé (5):

hw/ssi/xilinx_spips: Convert lqspi_read() to read_with_attrs

hw/ssi/xilinx_spips: Avoid AXI writes to the LQSPI linear memory

hw/ssi/xilinx_spips: Avoid out-of-bound access to lqspi_buf[]

hw/ssi/mss-spi: Avoid crash when reading empty RX FIFO

hw/display/xlnx_dp: Avoid crash when reading empty RX FIFO

include/hw/timer/pl031.h | 2 ++

hw/arm/virt.c | 2 +-

hw/core/machine.c | 1 +

hw/display/xlnx_dp.c | 15 +++++---

hw/ssi/mss-spi.c | 8 ++++-

hw/ssi/xilinx_spips.c | 43 +++++++++++++++-------

hw/timer/pl031.c | 92 +++++++++++++++++++++++++++++++++++++++++++++---

target/arm/cpu.c | 16 +++++++++

target/arm/m_helper.c | 21 ++++++++---

9 files changed, 174 insertions(+), 26 deletions(-)

From: David Engraf <david.engraf@sysgo.com>

Using the whole 128 MiB flash in non-secure mode is not working because

virt_flash_fdt() expects the same address for secure_sysmem and sysmem.

This is not correctly handled by caller because it forwards NULL for

secure_sysmem in non-secure flash mode.

Fixed by using sysmem when secure_sysmem is NULL.

Signed-off-by: David Engraf <david.engraf@sysgo.com>

Message-id: 20190712075002.14326-1-david.engraf@sysgo.com

hw/arm/virt.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

@@ -XXX,XX +XXX,XX @@ static void machvirt_init(MachineState *machine)

&machine->device_memory->mr);

- virt_flash_fdt(vms, sysmem, secure_sysmem);

+ virt_flash_fdt(vms, sysmem, secure_sysmem ?: sysmem);

create_gic(vms, pic);

2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

In the previous commit we fixed a crash when the guest read a

register that pop from an empty FIFO.

By auditing the repository, we found another similar use with

an easy way to reproduce:

$ qemu-system-aarch64 -M xlnx-zcu102 -monitor stdio -S

QEMU 4.0.50 monitor - type 'help' for more information

(qemu) xp/b 0xfd4a0134

Aborted (core dumped)

(gdb) bt

#0 0x00007f6936dea57f in raise () at /lib64/libc.so.6

#1 0x00007f6936dd4895 in abort () at /lib64/libc.so.6

#2 0x0000561ad32975ec in xlnx_dp_aux_pop_rx_fifo (s=0x7f692babee70) at hw/display/xlnx_dp.c:431

#3 0x0000561ad3297dc0 in xlnx_dp_read (opaque=0x7f692babee70, offset=77, size=4) at hw/display/xlnx_dp.c:667

#4 0x0000561ad321b896 in memory_region_read_accessor (mr=0x7f692babf620, addr=308, value=0x7ffe05c1db88, size=4, shift=0, mask=4294967295, attrs=...) at memory.c:439

#5 0x0000561ad321bd70 in access_with_adjusted_size (addr=308, value=0x7ffe05c1db88, size=1, access_size_min=4, access_size_max=4, access_fn=0x561ad321b858 <memory_region_read_accessor>, mr=0x7f692babf620, attrs=...) at memory.c:569

#6 0x0000561ad321e9d5 in memory_region_dispatch_read1 (mr=0x7f692babf620, addr=308, pval=0x7ffe05c1db88, size=1, attrs=...) at memory.c:1420

#7 0x0000561ad321ea9d in memory_region_dispatch_read (mr=0x7f692babf620, addr=308, pval=0x7ffe05c1db88, size=1, attrs=...) at memory.c:1447

#8 0x0000561ad31bd742 in flatview_read_continue (fv=0x561ad69c04f0, addr=4249485620, attrs=..., buf=0x7ffe05c1dcf0 "\020\335\301\005\376\177", len=1, addr1=308, l=1, mr=0x7f692babf620) at exec.c:3385

#9 0x0000561ad31bd895 in flatview_read (fv=0x561ad69c04f0, addr=4249485620, attrs=..., buf=0x7ffe05c1dcf0 "\020\335\301\005\376\177", len=1) at exec.c:3423

#10 0x0000561ad31bd90b in address_space_read_full (as=0x561ad5bb3020, addr=4249485620, attrs=..., buf=0x7ffe05c1dcf0 "\020\335\301\005\376\177", len=1) at exec.c:3436

#11 0x0000561ad33b1c42 in address_space_read (len=1, buf=0x7ffe05c1dcf0 "\020\335\301\005\376\177", attrs=..., addr=4249485620, as=0x561ad5bb3020) at include/exec/memory.h:2131

#12 0x0000561ad33b1c42 in memory_dump (mon=0x561ad59c4530, count=1, format=120, wsize=1, addr=4249485620, is_physical=1) at monitor/misc.c:723

#13 0x0000561ad33b1fc1 in hmp_physical_memory_dump (mon=0x561ad59c4530, qdict=0x561ad6c6fd00) at monitor/misc.c:795

#14 0x0000561ad37b4a9f in handle_hmp_command (mon=0x561ad59c4530, cmdline=0x561ad59d0f22 "/b 0x00000000fd4a0134") at monitor/hmp.c:1082

Fix by checking the FIFO is not empty before popping from it.

The datasheet is not clear about the reset value of this register,

we choose to return '0'.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>

Reviewed-by: Alistair Francis <alistair.francis@wdc.com>

Message-id: 20190709113715.7761-4-philmd@redhat.com

hw/display/xlnx_dp.c | 15 +++++++++++----

1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/hw/display/xlnx_dp.c b/hw/display/xlnx_dp.c

--- a/hw/display/xlnx_dp.c

+++ b/hw/display/xlnx_dp.c

@@ -XXX,XX +XXX,XX @@ static uint8_t xlnx_dp_aux_pop_rx_fifo(XlnxDPState *s)

uint8_t ret;

if (fifo8_is_empty(&s->rx_fifo)) {

- DPRINTF("rx_fifo underflow..\n");

- abort();

+ qemu_log_mask(LOG_GUEST_ERROR,

+ "%s: Reading empty RX_FIFO\n",

+ __func__);

+ /*

+ * The datasheet is not clear about the reset value, it seems

+ * to be unspecified. We choose to return '0'.

+ */

+ ret = 0;

+ } else {

+ ret = fifo8_pop(&s->rx_fifo);

+ DPRINTF("pop 0x%" PRIX8 " from rx_fifo.\n", ret);

2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

Reading the RX_DATA register when the RX_FIFO is empty triggers

an abort. This can be easily reproduced:

$ qemu-system-arm -M emcraft-sf2 -monitor stdio -S

QEMU 4.0.50 monitor - type 'help' for more information

(qemu) x 0x40001010

Aborted (core dumped)

(gdb) bt

#1 0x00007f035874f895 in abort () at /lib64/libc.so.6

#2 0x00005628686591ff in fifo8_pop (fifo=0x56286a9a4c68) at util/fifo8.c:66

#3 0x00005628683e0b8e in fifo32_pop (fifo=0x56286a9a4c68) at include/qemu/fifo32.h:137

#4 0x00005628683e0efb in spi_read (opaque=0x56286a9a4850, addr=4, size=4) at hw/ssi/mss-spi.c:168

#5 0x0000562867f96801 in memory_region_read_accessor (mr=0x56286a9a4b60, addr=16, value=0x7ffeecb0c5c8, size=4, shift=0, mask=4294967295, attrs=...) at memory.c:439

#6 0x0000562867f96cdb in access_with_adjusted_size (addr=16, value=0x7ffeecb0c5c8, size=4, access_size_min=1, access_size_max=4, access_fn=0x562867f967c3 <memory_region_read_accessor>, mr=0x56286a9a4b60, attrs=...) at memory.c:569

#7 0x0000562867f99940 in memory_region_dispatch_read1 (mr=0x56286a9a4b60, addr=16, pval=0x7ffeecb0c5c8, size=4, attrs=...) at memory.c:1420

#8 0x0000562867f99a08 in memory_region_dispatch_read (mr=0x56286a9a4b60, addr=16, pval=0x7ffeecb0c5c8, size=4, attrs=...) at memory.c:1447

#9 0x0000562867f38721 in flatview_read_continue (fv=0x56286aec6360, addr=1073745936, attrs=..., buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4, addr1=16, l=4, mr=0x56286a9a4b60) at exec.c:3385

#10 0x0000562867f38874 in flatview_read (fv=0x56286aec6360, addr=1073745936, attrs=..., buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4) at exec.c:3423

#11 0x0000562867f388ea in address_space_read_full (as=0x56286aa3e890, addr=1073745936, attrs=..., buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4) at exec.c:3436

#12 0x0000562867f389c5 in address_space_rw (as=0x56286aa3e890, addr=1073745936, attrs=..., buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4, is_write=false) at exec.c:3466

#13 0x0000562867f3bdd7 in cpu_memory_rw_debug (cpu=0x56286aa19d00, addr=1073745936, buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4, is_write=0) at exec.c:3976

#14 0x000056286811ed51 in memory_dump (mon=0x56286a8c32d0, count=1, format=120, wsize=4, addr=1073745936, is_physical=0) at monitor/misc.c:730

#15 0x000056286811eff1 in hmp_memory_dump (mon=0x56286a8c32d0, qdict=0x56286b15c400) at monitor/misc.c:785

#16 0x00005628684740ee in handle_hmp_command (mon=0x56286a8c32d0, cmdline=0x56286a8caeb2 "0x40001010") at monitor/hmp.c:1082

From the datasheet "Actel SmartFusion Microcontroller Subsystem

User's Guide" Rev.1, Table 13-3 "SPI Register Summary", this

register has a reset value of 0.

Check the FIFO is not empty before accessing it, else log an

error message.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>

Reviewed-by: Alistair Francis <alistair.francis@wdc.com>

Message-id: 20190709113715.7761-3-philmd@redhat.com

hw/ssi/mss-spi.c | 8 +++++++-

1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/hw/ssi/mss-spi.c b/hw/ssi/mss-spi.c

--- a/hw/ssi/mss-spi.c

+++ b/hw/ssi/mss-spi.c

@@ -XXX,XX +XXX,XX @@ spi_read(void *opaque, hwaddr addr, unsigned int size)

case R_SPI_RX:

s->regs[R_SPI_STATUS] &= ~S_RXFIFOFUL;

s->regs[R_SPI_STATUS] &= ~S_RXCHOVRF;

- ret = fifo32_pop(&s->rx_fifo);

+ if (fifo32_is_empty(&s->rx_fifo)) {

+ qemu_log_mask(LOG_GUEST_ERROR,

+ "%s: Reading empty RX_FIFO\n",

+ __func__);

+ } else {

+ ret = fifo32_pop(&s->rx_fifo);

+ }

if (fifo32_is_empty(&s->rx_fifo)) {

s->regs[R_SPI_STATUS] |= S_RXFIFOEMP;

}

2.20.1

In the M-profile architecture, when we do a vector table fetch and it

fails, we need to report a HardFault. Whether this is a Secure HF or

a NonSecure HF depends on several things. If AIRCR.BFHFNMINS is 0

then HF is always Secure, because there is no NonSecure HardFault.

Otherwise, the answer depends on whether the 'underlying exception'

(MemManage, BusFault, SecureFault) targets Secure or NonSecure. (In

the pseudocode, this is handled in the Vector() function: the final

exc.isSecure is calculated by looking at the exc.isSecure from the

exception returned from the memory access, not the isSecure input

argument.)

We weren't doing this correctly, because we were looking at

the target security domain of the exception we were trying to

load the vector table entry for. This produces errors of two kinds:

* a load from the NS vector table which hits the "NS access

to S memory" SecureFault should end up as a Secure HardFault,

but we were raising an NS HardFault

* a load from the S vector table which causes a BusFault

should raise an NS HardFault if BFHFNMINS == 1 (because

in that case all BusFaults are NonSecure), but we were raising

a Secure HardFault

Correct the logic.

We also fix a comment error where we claimed that we might

be escalating MemManage to HardFault, and forgot about SecureFault.

(Vector loads can never hit MPU access faults, because they're

always aligned and always use the default address map.)

Message-id: 20190705094823.28905-1-peter.maydell@linaro.org

target/arm/m_helper.c | 21 +++++++++++++++++----

1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/target/arm/m_helper.c b/target/arm/m_helper.c

--- a/target/arm/m_helper.c

+++ b/target/arm/m_helper.c

@@ -XXX,XX +XXX,XX @@ static bool arm_v7m_load_vector(ARMCPU *cpu, int exc, bool targets_secure,

if (sattrs.ns) {

attrs.secure = false;

} else if (!targets_secure) {

- /* NS access to S memory */

+ * NS access to S memory: the underlying exception which we escalate

+ * to HardFault is SecureFault, which always targets Secure.

+ */

+ exc_secure = true;

goto load_fail;

}

@@ -XXX,XX +XXX,XX @@ static bool arm_v7m_load_vector(ARMCPU *cpu, int exc, bool targets_secure,

vector_entry = address_space_ldl(arm_addressspace(cs, attrs), addr,

attrs, &result);

if (result != MEMTX_OK) {

+ /*

+ * Underlying exception is BusFault: its target security state

+ * depends on BFHFNMINS.

+ */

+ exc_secure = !(cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK);

goto load_fail;

}

*pvec = vector_entry;

@@ -XXX,XX +XXX,XX @@ load_fail:

/*

* All vector table fetch fails are reported as HardFault, with

* HFSR.VECTTBL and .FORCED set. (FORCED is set because

- * technically the underlying exception is a MemManage or BusFault

+ * technically the underlying exception is a SecureFault or BusFault

* that is escalated to HardFault.) This is a terminal exception,

* so we will either take the HardFault immediately or else enter

* lockup (the latter case is handled in armv7m_nvic_set_pending_derived()).

+ * The HardFault is Secure if BFHFNMINS is 0 (meaning that all HFs are

+ * secure); otherwise it targets the same security state as the

+ * underlying exception.

*/

- exc_secure = targets_secure ||

- !(cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK);

+ if (!(cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK)) {

+ exc_secure = true;

+ }

env->v7m.hfsr |= R_V7M_HFSR_VECTTBL_MASK | R_V7M_HFSR_FORCED_MASK;

armv7m_nvic_set_pending_derived(env->nvic, ARMV7M_EXCP_HARD, exc_secure);

return false;

2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

In the next commit we will implement the write_with_attrs()

handler. To avoid using different APIs, convert the read()

handler first.

hw/ssi/xilinx_spips.c | 23 +++++++++++------------

1 file changed, 11 insertions(+), 12 deletions(-)

diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c

--- a/hw/ssi/xilinx_spips.c

+++ b/hw/ssi/xilinx_spips.c

@@ -XXX,XX +XXX,XX @@ static void lqspi_load_cache(void *opaque, hwaddr addr)

-static uint64_t