Series comparison

-[PULL 0/7] target-arm queue
+[PULL 0/3] target-arm queue
-Just some bugfixes this time around.
+Only thing for Arm for rc1 is RTH's fix for the KVM SVE probe code.
 -- PMM
-The following changes since commit 4215d3413272ad6d1c6c9d0234450b602e46a74c:
+The following changes since commit 4e06b3fc1b5e1ec03f22190eabe56891dc9c2236:
-  Merge remote-tracking branch 'remotes/dgibson/tags/ppc-for-5.1-20200727' into staging (2020-07-27 09:33:04 +0100)
+  Merge tag 'pull-hex-20220731' of https://github.com/quic/qemu into staging (2022-07-31 21:38:54 -0700)
 are available in the Git repository at:
-  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20200727
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20220801
-for you to fetch changes up to d4f6dda182e19afa75706936805e18397cb95f07:
+for you to fetch changes up to 5265d24c981dfdda8d29b44f7e84a514da75eedc:
-  target/arm: Improve IMPDEF algorithm for IRG (2020-07-27 16:12:11 +0100)
+  target/arm: Move sve probe inside kvm >= 4.15 branch (2022-08-01 16:21:18 +0100)
 ----------------------------------------------------------------
 target-arm queue:
- * ACPI: Assert that we don't run out of the preallocated memory
+ * Fix KVM SVE ID register probe code
  * hw/misc/aspeed_sdmc: Fix incorrect memory size
  * target/arm: Always pass cacheattr in S1_ptw_translate
  * docs/system/arm/virt: Document 'mte' machine option
  * hw/arm/boot: Fix PAUTH, MTE for EL3 direct kernel boot
  * target/arm: Improve IMPDEF algorithm for IRG
 ----------------------------------------------------------------
-Dongjiu Geng (1):
+Richard Henderson (3):
-      ACPI: Assert that we don't run out of the preallocated memory
+      target/arm: Use kvm_arm_sve_supported in kvm_arm_get_host_cpu_features
       target/arm: Set KVM_ARM_VCPU_SVE while probing the host
       target/arm: Move sve probe inside kvm >= 4.15 branch
-Peter Maydell (1):
+ target/arm/kvm64.c | 45 ++++++++++++++++++++++-----------------------
-      docs/system/arm/virt: Document 'mte' machine option
+file changed, 22 insertions(+), 23 deletions(-)
 Philippe Mathieu-Daudé (1):
       hw/misc/aspeed_sdmc: Fix incorrect memory size
 Richard Henderson (4):
       target/arm: Always pass cacheattr in S1_ptw_translate
       hw/arm/boot: Fix PAUTH for EL3 direct kernel boot
       hw/arm/boot: Fix MTE for EL3 direct kernel boot
       target/arm: Improve IMPDEF algorithm for IRG
  docs/system/arm/virt.rst |  4 ++++
  hw/acpi/ghes.c           | 12 ++++--------
  hw/arm/boot.c            |  6 ++++++
  hw/misc/aspeed_sdmc.c    |  7 ++++---
  target/arm/helper.c      | 19 ++++++-------------
  target/arm/mte_helper.c  | 37 ++++++++++++++++++++++++++++++-------
 files changed, 54 insertions(+), 31 deletions(-)

-[PULL 1/7] ACPI: Assert that we don't run out of the preallocated memory
+Deleted patch
-From: Dongjiu Geng <gengdongjiu@huawei.com>
-data_length is a constant value, so we use assert instead of
-condition check.
-Signed-off-by: Dongjiu Geng <gengdongjiu@huawei.com>
-Message-id: 20200622113146.33421-1-gengdongjiu@huawei.com
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/acpi/ghes.c | 12 ++++--------
-file changed, 4 insertions(+), 8 deletions(-)
-diff --git a/hw/acpi/ghes.c b/hw/acpi/ghes.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/acpi/ghes.c
-+++ b/hw/acpi/ghes.c
-@@ -XXX,XX +XXX,XX @@ static int acpi_ghes_record_mem_error(uint64_t error_block_address,
-     /* This is the length if adding a new generic error data entry*/
-     data_length = ACPI_GHES_DATA_LENGTH + ACPI_GHES_MEM_CPER_LENGTH;
--
-     /*
--     * Check whether it will run out of the preallocated memory if adding a new
--     * generic error data entry
-+     * It should not run out of the preallocated memory if adding a new generic
-+     * error data entry
-      */
--    if ((data_length + ACPI_GHES_GESB_SIZE) > ACPI_GHES_MAX_RAW_DATA_LENGTH) {
--        error_report("Not enough memory to record new CPER!!!");
--        g_array_free(block, true);
--        return -1;
--    }
-+    assert((data_length + ACPI_GHES_GESB_SIZE) <=
-+            ACPI_GHES_MAX_RAW_DATA_LENGTH);
-     /* Build the new generic error status block header */
-     acpi_ghes_generic_error_status(block, ACPI_GEBS_UNCORRECTABLE,
---
-.20.1

-[PULL 2/7] hw/misc/aspeed_sdmc: Fix incorrect memory size
+Deleted patch
-From: Philippe Mathieu-Daudé <f4bug@amsat.org>
-The SDRAM Memory Controller has a 32-bit address bus, thus
-supports up to 4 GiB of DRAM. There is a signed to unsigned
-conversion error with the AST2600 maximum memory size:
-  (uint64_t)(2048 << 20) = (uint64_t)(-2147483648)
-                         = 0xffffffff40000000
-                         = 16 EiB - 2 GiB
-Fix by using the IEC suffixes which are usually safer, and add
-an assertion check to verify the memory is valid. This would have
-caught this bug:
-  $ qemu-system-arm -M ast2600-evb
-  qemu-system-arm: hw/misc/aspeed_sdmc.c:258: aspeed_sdmc_realize: Assertion `asc->max_ram_size < 4 * GiB' failed.
-  Aborted (core dumped)
-Fixes: 1550d72679 ("aspeed/sdmc: Add AST2600 support")
-Reviewed-by: Cédric Le Goater <clg@kaod.org>
-Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/misc/aspeed_sdmc.c | 7 ++++---
-file changed, 4 insertions(+), 3 deletions(-)
-diff --git a/hw/misc/aspeed_sdmc.c b/hw/misc/aspeed_sdmc.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/misc/aspeed_sdmc.c
-+++ b/hw/misc/aspeed_sdmc.c
-@@ -XXX,XX +XXX,XX @@ static void aspeed_sdmc_realize(DeviceState *dev, Error **errp)
-     AspeedSDMCState *s = ASPEED_SDMC(dev);
-     AspeedSDMCClass *asc = ASPEED_SDMC_GET_CLASS(s);
-+    assert(asc->max_ram_size < 4 * GiB); /* 32-bit address bus */
-     s->max_ram_size = asc->max_ram_size;
-     memory_region_init_io(&s->iomem, OBJECT(s), &aspeed_sdmc_ops, s,
-@@ -XXX,XX +XXX,XX @@ static void aspeed_2400_sdmc_class_init(ObjectClass *klass, void *data)
-     AspeedSDMCClass *asc = ASPEED_SDMC_CLASS(klass);
-     dc->desc = "ASPEED 2400 SDRAM Memory Controller";
--    asc->max_ram_size = 512 << 20;
-+    asc->max_ram_size = 512 * MiB;
-     asc->compute_conf = aspeed_2400_sdmc_compute_conf;
-     asc->write = aspeed_2400_sdmc_write;
-     asc->valid_ram_sizes = aspeed_2400_ram_sizes;
-@@ -XXX,XX +XXX,XX @@ static void aspeed_2500_sdmc_class_init(ObjectClass *klass, void *data)
-     AspeedSDMCClass *asc = ASPEED_SDMC_CLASS(klass);
-     dc->desc = "ASPEED 2500 SDRAM Memory Controller";
--    asc->max_ram_size = 1024 << 20;
-+    asc->max_ram_size = 1 * GiB;
-     asc->compute_conf = aspeed_2500_sdmc_compute_conf;
-     asc->write = aspeed_2500_sdmc_write;
-     asc->valid_ram_sizes = aspeed_2500_ram_sizes;
-@@ -XXX,XX +XXX,XX @@ static void aspeed_2600_sdmc_class_init(ObjectClass *klass, void *data)
-     AspeedSDMCClass *asc = ASPEED_SDMC_CLASS(klass);
-     dc->desc = "ASPEED 2600 SDRAM Memory Controller";
--    asc->max_ram_size = 2048 << 20;
-+    asc->max_ram_size = 2 * GiB;
-     asc->compute_conf = aspeed_2600_sdmc_compute_conf;
-     asc->write = aspeed_2600_sdmc_write;
-     asc->valid_ram_sizes = aspeed_2600_ram_sizes;
---
-.20.1

-[PULL 3/7] target/arm: Always pass cacheattr in S1_ptw_translate
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-When we changed the interface of get_phys_addr_lpae to require
-the cacheattr parameter, this spot was missed.  The compiler is
-unable to detect the use of NULL vs the nonnull attribute here.
-Fixes: 7e98e21c098
-Reported-by: Jan Kiszka <jan.kiszka@siemens.com>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Tested-by: Jan Kiszka <jan.kiskza@siemens.com>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/helper.c | 19 ++++++-------------
-file changed, 6 insertions(+), 13 deletions(-)
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static hwaddr S1_ptw_translate(CPUARMState *env, ARMMMUIdx mmu_idx,
-         int s2prot;
-         int ret;
-         ARMCacheAttrs cacheattrs = {};
--        ARMCacheAttrs *pcacheattrs = NULL;
--
--        if (env->cp15.hcr_el2 & HCR_PTW) {
--            /*
--             * PTW means we must fault if this S1 walk touches S2 Device
--             * memory; otherwise we don't care about the attributes and can
--             * save the S2 translation the effort of computing them.
--             */
--            pcacheattrs = &cacheattrs;
--        }
-         ret = get_phys_addr_lpae(env, addr, MMU_DATA_LOAD, ARMMMUIdx_Stage2,
-                                  false,
-                                  &s2pa, &txattrs, &s2prot, &s2size, fi,
--                                 pcacheattrs);
-+                                 &cacheattrs);
-         if (ret) {
-             assert(fi->type != ARMFault_None);
-             fi->s2addr = addr;
-@@ -XXX,XX +XXX,XX @@ static hwaddr S1_ptw_translate(CPUARMState *env, ARMMMUIdx mmu_idx,
-             fi->s1ptw = true;
-             return ~0;
-         }
--        if (pcacheattrs && (pcacheattrs->attrs & 0xf0) == 0) {
--            /* Access was to Device memory: generate Permission fault */
-+        if ((env->cp15.hcr_el2 & HCR_PTW) && (cacheattrs.attrs & 0xf0) == 0) {
-+            /*
-+             * PTW set and S1 walk touched S2 Device memory:
-+             * generate Permission fault.
-+             */
-             fi->type = ARMFault_Permission;
-             fi->s2addr = addr;
-             fi->stage2 = true;
---
-.20.1

-[PULL 4/7] docs/system/arm/virt: Document 'mte' machine option
+Deleted patch
-Commit 6a0b7505f1fd6769c which added documentation of the virt board
-crossed in the post with commit 6f4e1405b91da0d0 which added a new
-'mte' machine option. Update the docs to include the new option.
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
----
- docs/system/arm/virt.rst | 4 ++++
-file changed, 4 insertions(+)
-diff --git a/docs/system/arm/virt.rst b/docs/system/arm/virt.rst
-index XXXXXXX..XXXXXXX 100644
---- a/docs/system/arm/virt.rst
-+++ b/docs/system/arm/virt.rst
-@@ -XXX,XX +XXX,XX @@ virtualization
-   Set ``on``/``off`` to enable/disable emulating a guest CPU which implements the
-   Arm Virtualization Extensions. The default is ``off``.
-+mte
-+  Set ``on``/``off`` to enable/disable emulating a guest CPU which implements the
-+  Arm Memory Tagging Extensions. The default is ``off``.
-+
- highmem
-   Set ``on``/``off`` to enable/disable placing devices and RAM in physical
-   address space above 32 bits. The default is ``on`` for machine types
---
-.20.1

-[PULL 6/7] hw/arm/boot: Fix MTE for EL3 direct kernel boot
+[PULL 1/3] target/arm: Use kvm_arm_sve_supported in kvm_arm_get_host_cpu_features
 From: Richard Henderson <richard.henderson@linaro.org>
-When booting an EL3 cpu with -kernel, we set up EL3 and then
+Indication for support for SVE will not depend on whether we
-drop down to EL2.  We need to enable access to v8.5-MemTag
+perform the query on the main kvm_state or the temp vcpu.
 tag allocation at EL3 before doing so.
-Reported-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20200724163853.504655-3-richard.henderson@linaro.org
+Message-id: 20220726045828.53697-2-richard.henderson@linaro.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/boot.c | 3 +++
+ target/arm/kvm64.c | 2 +-
-file changed, 3 insertions(+)
+file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/hw/arm/boot.c b/hw/arm/boot.c
+diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/boot.c
+--- a/target/arm/kvm64.c
-+++ b/hw/arm/boot.c
++++ b/target/arm/kvm64.c
-@@ -XXX,XX +XXX,XX @@ static void do_cpu_reset(void *opaque)
+@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
-                     if (cpu_isar_feature(aa64_pauth, cpu)) {
+         }
-                         env->cp15.scr_el3 |= SCR_API | SCR_APK;
+     }
-                     }
-+                    if (cpu_isar_feature(aa64_mte, cpu)) {
+-    sve_supported = ioctl(fdarray[0], KVM_CHECK_EXTENSION, KVM_CAP_ARM_SVE) > 0;
-+                        env->cp15.scr_el3 |= SCR_ATA;
++    sve_supported = kvm_arm_sve_supported();
-+                    }
-                     /* AArch64 kernels never boot in secure mode */
+     /* Add feature bits that can't appear until after VCPU init. */
-                     assert(!info->secure_boot);
+     if (sve_supported) {
                      /* This hook is only supported for AArch32 currently:
 --
-.20.1
+.25.1

-[PULL 7/7] target/arm: Improve IMPDEF algorithm for IRG
+[PULL 2/3] target/arm: Set KVM_ARM_VCPU_SVE while probing the host
 From: Richard Henderson <richard.henderson@linaro.org>
-When GCR_EL1.RRND==1, the choosing of the random value is IMPDEF,
+Because we weren't setting this flag, our probe of ID_AA64ZFR0
-and the kernel is not expected to have set RGSR_EL1.  Force a
+was always returning zero.  This also obviates the adjustment
-non-zero value into SEED, so that we do not continually return
+of ID_AA64PFR0, which had sanitized the SVE field.
 the same tag.
-Reported-by: Vincenzo Frascino <vincenzo.frascino@arm.com>
+The effects of the bug are not visible, because the only thing that
 ID_AA64ZFR0 is used for within qemu at present is tcg translation.
 The other tests for SVE within KVM are via ID_AA64PFR0.SVE.
 Reported-by: Zenghui Yu <yuzenghui@huawei.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20200724163853.504655-4-richard.henderson@linaro.org
+Message-id: 20220726045828.53697-3-richard.henderson@linaro.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/mte_helper.c | 37 ++++++++++++++++++++++++++++++-------
+ target/arm/kvm64.c | 27 +++++++++++++--------------
-file changed, 30 insertions(+), 7 deletions(-)
+file changed, 13 insertions(+), 14 deletions(-)
-diff --git a/target/arm/mte_helper.c b/target/arm/mte_helper.c
+diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/mte_helper.c
+--- a/target/arm/kvm64.c
-+++ b/target/arm/mte_helper.c
++++ b/target/arm/kvm64.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
- #include "exec/ram_addr.h"
+     bool sve_supported;
- #include "exec/cpu_ldst.h"
+     bool pmu_supported = false;
- #include "exec/helper-proto.h"
+     uint64_t features = 0;
-+#include "qapi/error.h"
+-    uint64_t t;
-+#include "qemu/guest-random.h"
+     int err;
+     /* Old kernels may not know about the PREFERRED_TARGET ioctl: however
- static int choose_nonexcluded_tag(int tag, int offset, uint16_t exclude)
+@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
-@@ -XXX,XX +XXX,XX @@ static uint8_t *allocation_tag_mem(CPUARMState *env, int ptr_mmu_idx,
+     struct kvm_vcpu_init init = { .target = -1, };
- uint64_t HELPER(irg)(CPUARMState *env, uint64_t rn, uint64_t rm)
+     /*
- {
+-     * Ask for Pointer Authentication if supported. We can't play the
--    int rtag;
+-     * SVE trick of synthesising the ID reg as KVM won't tell us
--
+-     * whether we have the architected or IMPDEF version of PAuth, so
--    /*
+-     * we have to use the actual ID regs.
--     * Our IMPDEF choice for GCR_EL1.RRND==1 is to behave as if
++     * Ask for SVE if supported, so that we can query ID_AA64ZFR0,
--     * GCR_EL1.RRND==0, always producing deterministic results.
++     * which is otherwise RAZ.
--     */
++     */
-     uint16_t exclude = extract32(rm | env->cp15.gcr_el1, 0, 16);
++    sve_supported = kvm_arm_sve_supported();
-+    int rrnd = extract32(env->cp15.gcr_el1, 16, 1);
++    if (sve_supported) {
-     int start = extract32(env->cp15.rgsr_el1, 0, 4);
++        init.features[0] |= 1 << KVM_ARM_VCPU_SVE;
-     int seed = extract32(env->cp15.rgsr_el1, 8, 16);
++    }
 -    int offset, i;
 +    int offset, i, rtag;
 +
 +    /*
-+     * Our IMPDEF choice for GCR_EL1.RRND==1 is to continue to use the
++     * Ask for Pointer Authentication if supported, so that we get
-+     * deterministic algorithm.  Except that with RRND==1 the kernel is
++     * the unsanitized field values for AA64ISAR1_EL1.
-+     * not required to have set RGSR_EL1.SEED != 0, which is required for
+      */
-+     * the deterministic algorithm to function.  So we force a non-zero
+     if (kvm_arm_pauth_supported()) {
-+     * SEED for that case.
+         init.features[0] |= (1 << KVM_ARM_VCPU_PTRAUTH_ADDRESS |
-+     */
+@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
-+    if (unlikely(seed == 0) && rrnd) {
+         }
-+        do {
+     }
-+            Error *err = NULL;
-+            uint16_t two;
+-    sve_supported = kvm_arm_sve_supported();
-+
+-
-+            if (qemu_guest_getrandom(&two, sizeof(two), &err) < 0) {
+-    /* Add feature bits that can't appear until after VCPU init. */
-+                /*
+     if (sve_supported) {
-+                 * Failed, for unknown reasons in the crypto subsystem.
+-        t = ahcf->isar.id_aa64pfr0;
-+                 * Best we can do is log the reason and use a constant seed.
+-        t = FIELD_DP64(t, ID_AA64PFR0, SVE, 1);
-+                 */
+-        ahcf->isar.id_aa64pfr0 = t;
-+                qemu_log_mask(LOG_UNIMP, "IRG: Crypto failure: %s\n",
+-
-+                              error_get_pretty(err));
+         /*
-+                error_free(err);
+          * There is a range of kernels between kernel commit 73433762fcae
-+                two = 1;
+          * and f81cb2c3ad41 which have a bug where the kernel doesn't expose
-+            }
+          * SYS_ID_AA64ZFR0_EL1 via the ONE_REG API unless the VM has enabled
-+            seed = two;
+-         * SVE support, so we only read it here, rather than together with all
-+        } while (seed == 0);
+-         * the other ID registers earlier.
-+    }
++         * SVE support, which resulted in an error rather than RAZ.
++         * So only read the register if we set KVM_ARM_VCPU_SVE above.
-     /* RandomTag */
+          */
-     for (i = offset = 0; i < 4; ++i) {
+         err |= read_sys_reg64(fdarray[2], &ahcf->isar.id_aa64zfr0,
                                ARM64_SYS_REG(3, 0, 0, 4, 4));
 --
-.20.1
+.25.1

-[PULL 5/7] hw/arm/boot: Fix PAUTH for EL3 direct kernel boot
+[PULL 3/3] target/arm: Move sve probe inside kvm >= 4.15 branch
 From: Richard Henderson <richard.henderson@linaro.org>
-When booting an EL3 cpu with -kernel, we set up EL3 and then
+The test for the IF block indicates no ID registers are exposed, much
-drop down to EL2.  We need to enable access to v8.3-PAuth
+less host support for SVE.  Move the SVE probe into the ELSE block.
 keys and instructions at EL3 before doing so.
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20200724163853.504655-2-richard.henderson@linaro.org
+Message-id: 20220726045828.53697-4-richard.henderson@linaro.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/boot.c | 3 +++
+ target/arm/kvm64.c | 22 +++++++++++-----------
-file changed, 3 insertions(+)
+file changed, 11 insertions(+), 11 deletions(-)
-diff --git a/hw/arm/boot.c b/hw/arm/boot.c
+diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/boot.c
+--- a/target/arm/kvm64.c
-+++ b/hw/arm/boot.c
++++ b/target/arm/kvm64.c
-@@ -XXX,XX +XXX,XX @@ static void do_cpu_reset(void *opaque)
+@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
-                     } else {
+             err |= read_sys_reg64(fdarray[2], &ahcf->isar.reset_pmcr_el0,
-                         env->pstate = PSTATE_MODE_EL1h;
+                                   ARM64_SYS_REG(3, 3, 9, 12, 0));
-                     }
+         }
-+                    if (cpu_isar_feature(aa64_pauth, cpu)) {
+-    }
-+                        env->cp15.scr_el3 |= SCR_API | SCR_APK;
-+                    }
+-    if (sve_supported) {
-                     /* AArch64 kernels never boot in secure mode */
+-        /*
-                     assert(!info->secure_boot);
+-         * There is a range of kernels between kernel commit 73433762fcae
-                     /* This hook is only supported for AArch32 currently:
+-         * and f81cb2c3ad41 which have a bug where the kernel doesn't expose
 -         * SYS_ID_AA64ZFR0_EL1 via the ONE_REG API unless the VM has enabled
 -         * SVE support, which resulted in an error rather than RAZ.
 -         * So only read the register if we set KVM_ARM_VCPU_SVE above.
 -         */
 -        err |= read_sys_reg64(fdarray[2], &ahcf->isar.id_aa64zfr0,
 -                              ARM64_SYS_REG(3, 0, 0, 4, 4));
 +        if (sve_supported) {
 +            /*
 +             * There is a range of kernels between kernel commit 73433762fcae
 +             * and f81cb2c3ad41 which have a bug where the kernel doesn't
 +             * expose SYS_ID_AA64ZFR0_EL1 via the ONE_REG API unless the VM has
 +             * enabled SVE support, which resulted in an error rather than RAZ.
 +             * So only read the register if we set KVM_ARM_VCPU_SVE above.
 +             */
 +            err |= read_sys_reg64(fdarray[2], &ahcf->isar.id_aa64zfr0,
 +                                  ARM64_SYS_REG(3, 0, 0, 4, 4));
 +        }
      }
      kvm_arm_destroy_scratch_host_vcpu(fdarray);
 --
-.20.1
+.25.1

Just some bugfixes this time around.

-- PMM

The following changes since commit 4215d3413272ad6d1c6c9d0234450b602e46a74c:

Merge remote-tracking branch 'remotes/dgibson/tags/ppc-for-5.1-20200727' into staging (2020-07-27 09:33:04 +0100)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20200727

for you to fetch changes up to d4f6dda182e19afa75706936805e18397cb95f07:

target/arm: Improve IMPDEF algorithm for IRG (2020-07-27 16:12:11 +0100)

----------------------------------------------------------------
target-arm queue:
 * ACPI: Assert that we don't run out of the preallocated memory
 * hw/misc/aspeed_sdmc: Fix incorrect memory size
 * target/arm: Always pass cacheattr in S1_ptw_translate
 * docs/system/arm/virt: Document 'mte' machine option
 * hw/arm/boot: Fix PAUTH, MTE for EL3 direct kernel boot
 * target/arm: Improve IMPDEF algorithm for IRG

----------------------------------------------------------------
Dongjiu Geng (1):
      ACPI: Assert that we don't run out of the preallocated memory

Peter Maydell (1):
      docs/system/arm/virt: Document 'mte' machine option

Philippe Mathieu-Daudé (1):
      hw/misc/aspeed_sdmc: Fix incorrect memory size

Richard Henderson (4):
      target/arm: Always pass cacheattr in S1_ptw_translate
      hw/arm/boot: Fix PAUTH for EL3 direct kernel boot
      hw/arm/boot: Fix MTE for EL3 direct kernel boot
      target/arm: Improve IMPDEF algorithm for IRG

From: Dongjiu Geng <gengdongjiu@huawei.com>

data_length is a constant value, so we use assert instead of
condition check.

Signed-off-by: Dongjiu Geng <gengdongjiu@huawei.com>
Message-id: 20200622113146.33421-1-gengdongjiu@huawei.com
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/acpi/ghes.c | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/hw/acpi/ghes.c b/hw/acpi/ghes.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/acpi/ghes.c
+++ b/hw/acpi/ghes.c
@@ -XXX,XX +XXX,XX @@ static int acpi_ghes_record_mem_error(uint64_t error_block_address,
 
     /* This is the length if adding a new generic error data entry*/
     data_length = ACPI_GHES_DATA_LENGTH + ACPI_GHES_MEM_CPER_LENGTH;
-
     /*
-     * Check whether it will run out of the preallocated memory if adding a new
-     * generic error data entry
+     * It should not run out of the preallocated memory if adding a new generic
+     * error data entry
      */
-    if ((data_length + ACPI_GHES_GESB_SIZE) > ACPI_GHES_MAX_RAW_DATA_LENGTH) {
-        error_report("Not enough memory to record new CPER!!!");
-        g_array_free(block, true);
-        return -1;
-    }
+    assert((data_length + ACPI_GHES_GESB_SIZE) <=
+            ACPI_GHES_MAX_RAW_DATA_LENGTH);
 
     /* Build the new generic error status block header */
     acpi_ghes_generic_error_status(block, ACPI_GEBS_UNCORRECTABLE,
-- 
2.20.1

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

The SDRAM Memory Controller has a 32-bit address bus, thus
supports up to 4 GiB of DRAM. There is a signed to unsigned
conversion error with the AST2600 maximum memory size:

(uint64_t)(2048 << 20) = (uint64_t)(-2147483648)
                         = 0xffffffff40000000
                         = 16 EiB - 2 GiB

Fix by using the IEC suffixes which are usually safer, and add
an assertion check to verify the memory is valid. This would have
caught this bug:

$ qemu-system-arm -M ast2600-evb
  qemu-system-arm: hw/misc/aspeed_sdmc.c:258: aspeed_sdmc_realize: Assertion `asc->max_ram_size < 4 * GiB' failed.
  Aborted (core dumped)

Fixes: 1550d72679 ("aspeed/sdmc: Add AST2600 support")
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/misc/aspeed_sdmc.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/hw/misc/aspeed_sdmc.c b/hw/misc/aspeed_sdmc.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/misc/aspeed_sdmc.c
+++ b/hw/misc/aspeed_sdmc.c
@@ -XXX,XX +XXX,XX @@ static void aspeed_sdmc_realize(DeviceState *dev, Error **errp)
     AspeedSDMCState *s = ASPEED_SDMC(dev);
     AspeedSDMCClass *asc = ASPEED_SDMC_GET_CLASS(s);
 
+    assert(asc->max_ram_size < 4 * GiB); /* 32-bit address bus */
     s->max_ram_size = asc->max_ram_size;
 
     memory_region_init_io(&s->iomem, OBJECT(s), &aspeed_sdmc_ops, s,
@@ -XXX,XX +XXX,XX @@ static void aspeed_2400_sdmc_class_init(ObjectClass *klass, void *data)
     AspeedSDMCClass *asc = ASPEED_SDMC_CLASS(klass);
 
     dc->desc = "ASPEED 2400 SDRAM Memory Controller";
-    asc->max_ram_size = 512 << 20;
+    asc->max_ram_size = 512 * MiB;
     asc->compute_conf = aspeed_2400_sdmc_compute_conf;
     asc->write = aspeed_2400_sdmc_write;
     asc->valid_ram_sizes = aspeed_2400_ram_sizes;
@@ -XXX,XX +XXX,XX @@ static void aspeed_2500_sdmc_class_init(ObjectClass *klass, void *data)
     AspeedSDMCClass *asc = ASPEED_SDMC_CLASS(klass);
 
     dc->desc = "ASPEED 2500 SDRAM Memory Controller";
-    asc->max_ram_size = 1024 << 20;
+    asc->max_ram_size = 1 * GiB;
     asc->compute_conf = aspeed_2500_sdmc_compute_conf;
     asc->write = aspeed_2500_sdmc_write;
     asc->valid_ram_sizes = aspeed_2500_ram_sizes;
@@ -XXX,XX +XXX,XX @@ static void aspeed_2600_sdmc_class_init(ObjectClass *klass, void *data)
     AspeedSDMCClass *asc = ASPEED_SDMC_CLASS(klass);
 
     dc->desc = "ASPEED 2600 SDRAM Memory Controller";
-    asc->max_ram_size = 2048 << 20;
+    asc->max_ram_size = 2 * GiB;
     asc->compute_conf = aspeed_2600_sdmc_compute_conf;
     asc->write = aspeed_2600_sdmc_write;
     asc->valid_ram_sizes = aspeed_2600_ram_sizes;
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

When we changed the interface of get_phys_addr_lpae to require
the cacheattr parameter, this spot was missed.  The compiler is
unable to detect the use of NULL vs the nonnull attribute here.

Fixes: 7e98e21c098
Reported-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Tested-by: Jan Kiszka <jan.kiskza@siemens.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 19 ++++++-------------
 1 file changed, 6 insertions(+), 13 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static hwaddr S1_ptw_translate(CPUARMState *env, ARMMMUIdx mmu_idx,
         int s2prot;
         int ret;
         ARMCacheAttrs cacheattrs = {};
-        ARMCacheAttrs *pcacheattrs = NULL;
-
-        if (env->cp15.hcr_el2 & HCR_PTW) {
-            /*
-             * PTW means we must fault if this S1 walk touches S2 Device
-             * memory; otherwise we don't care about the attributes and can
-             * save the S2 translation the effort of computing them.
-             */
-            pcacheattrs = &cacheattrs;
-        }
 
         ret = get_phys_addr_lpae(env, addr, MMU_DATA_LOAD, ARMMMUIdx_Stage2,
                                  false,
                                  &s2pa, &txattrs, &s2prot, &s2size, fi,
-                                 pcacheattrs);
+                                 &cacheattrs);
         if (ret) {
             assert(fi->type != ARMFault_None);
             fi->s2addr = addr;
@@ -XXX,XX +XXX,XX @@ static hwaddr S1_ptw_translate(CPUARMState *env, ARMMMUIdx mmu_idx,
             fi->s1ptw = true;
             return ~0;
         }
-        if (pcacheattrs && (pcacheattrs->attrs & 0xf0) == 0) {
-            /* Access was to Device memory: generate Permission fault */
+        if ((env->cp15.hcr_el2 & HCR_PTW) && (cacheattrs.attrs & 0xf0) == 0) {
+            /*
+             * PTW set and S1 walk touched S2 Device memory:
+             * generate Permission fault.
+             */
             fi->type = ARMFault_Permission;
             fi->s2addr = addr;
             fi->stage2 = true;
-- 
2.20.1

Commit 6a0b7505f1fd6769c which added documentation of the virt board
crossed in the post with commit 6f4e1405b91da0d0 which added a new
'mte' machine option. Update the docs to include the new option.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
---
 docs/system/arm/virt.rst | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/docs/system/arm/virt.rst b/docs/system/arm/virt.rst
index XXXXXXX..XXXXXXX 100644
--- a/docs/system/arm/virt.rst
+++ b/docs/system/arm/virt.rst
@@ -XXX,XX +XXX,XX @@ virtualization
   Set ``on``/``off`` to enable/disable emulating a guest CPU which implements the
   Arm Virtualization Extensions. The default is ``off``.
 
+mte
+  Set ``on``/``off`` to enable/disable emulating a guest CPU which implements the
+  Arm Memory Tagging Extensions. The default is ``off``.
+
 highmem
   Set ``on``/``off`` to enable/disable placing devices and RAM in physical
   address space above 32 bits. The default is ``on`` for machine types
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

When booting an EL3 cpu with -kernel, we set up EL3 and then
drop down to EL2.  We need to enable access to v8.3-PAuth
keys and instructions at EL3 before doing so.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200724163853.504655-2-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/boot.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/arm/boot.c b/hw/arm/boot.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/boot.c
+++ b/hw/arm/boot.c
@@ -XXX,XX +XXX,XX @@ static void do_cpu_reset(void *opaque)
                     } else {
                         env->pstate = PSTATE_MODE_EL1h;
                     }
+                    if (cpu_isar_feature(aa64_pauth, cpu)) {
+                        env->cp15.scr_el3 |= SCR_API | SCR_APK;
+                    }
                     /* AArch64 kernels never boot in secure mode */
                     assert(!info->secure_boot);
                     /* This hook is only supported for AArch32 currently:
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

When booting an EL3 cpu with -kernel, we set up EL3 and then
drop down to EL2.  We need to enable access to v8.5-MemTag
tag allocation at EL3 before doing so.

Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200724163853.504655-3-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/boot.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/arm/boot.c b/hw/arm/boot.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/boot.c
+++ b/hw/arm/boot.c
@@ -XXX,XX +XXX,XX @@ static void do_cpu_reset(void *opaque)
                     if (cpu_isar_feature(aa64_pauth, cpu)) {
                         env->cp15.scr_el3 |= SCR_API | SCR_APK;
                     }
+                    if (cpu_isar_feature(aa64_mte, cpu)) {
+                        env->cp15.scr_el3 |= SCR_ATA;
+                    }
                     /* AArch64 kernels never boot in secure mode */
                     assert(!info->secure_boot);
                     /* This hook is only supported for AArch32 currently:
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

When GCR_EL1.RRND==1, the choosing of the random value is IMPDEF,
and the kernel is not expected to have set RGSR_EL1.  Force a
non-zero value into SEED, so that we do not continually return
the same tag.

Reported-by: Vincenzo Frascino <vincenzo.frascino@arm.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200724163853.504655-4-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/mte_helper.c | 37 ++++++++++++++++++++++++++++++-------
 1 file changed, 30 insertions(+), 7 deletions(-)

diff --git a/target/arm/mte_helper.c b/target/arm/mte_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/mte_helper.c
+++ b/target/arm/mte_helper.c
@@ -XXX,XX +XXX,XX @@
 #include "exec/ram_addr.h"
 #include "exec/cpu_ldst.h"
 #include "exec/helper-proto.h"
+#include "qapi/error.h"
+#include "qemu/guest-random.h"
 
 
 static int choose_nonexcluded_tag(int tag, int offset, uint16_t exclude)
@@ -XXX,XX +XXX,XX @@ static uint8_t *allocation_tag_mem(CPUARMState *env, int ptr_mmu_idx,
 
 uint64_t HELPER(irg)(CPUARMState *env, uint64_t rn, uint64_t rm)
 {
-    int rtag;
-
-    /*
-     * Our IMPDEF choice for GCR_EL1.RRND==1 is to behave as if
-     * GCR_EL1.RRND==0, always producing deterministic results.
-     */
     uint16_t exclude = extract32(rm | env->cp15.gcr_el1, 0, 16);
+    int rrnd = extract32(env->cp15.gcr_el1, 16, 1);
     int start = extract32(env->cp15.rgsr_el1, 0, 4);
     int seed = extract32(env->cp15.rgsr_el1, 8, 16);
-    int offset, i;
+    int offset, i, rtag;
+
+    /*
+     * Our IMPDEF choice for GCR_EL1.RRND==1 is to continue to use the
+     * deterministic algorithm.  Except that with RRND==1 the kernel is
+     * not required to have set RGSR_EL1.SEED != 0, which is required for
+     * the deterministic algorithm to function.  So we force a non-zero
+     * SEED for that case.
+     */
+    if (unlikely(seed == 0) && rrnd) {
+        do {
+            Error *err = NULL;
+            uint16_t two;
+
+            if (qemu_guest_getrandom(&two, sizeof(two), &err) < 0) {
+                /*
+                 * Failed, for unknown reasons in the crypto subsystem.
+                 * Best we can do is log the reason and use a constant seed.
+                 */
+                qemu_log_mask(LOG_UNIMP, "IRG: Crypto failure: %s\n",
+                              error_get_pretty(err));
+                error_free(err);
+                two = 1;
+            }
+            seed = two;
+        } while (seed == 0);
+    }
 
     /* RandomTag */
     for (i = offset = 0; i < 4; ++i) {
-- 
2.20.1

Only thing for Arm for rc1 is RTH's fix for the KVM SVE probe code.

-- PMM

The following changes since commit 4e06b3fc1b5e1ec03f22190eabe56891dc9c2236:

Merge tag 'pull-hex-20220731' of https://github.com/quic/qemu into staging (2022-07-31 21:38:54 -0700)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20220801

for you to fetch changes up to 5265d24c981dfdda8d29b44f7e84a514da75eedc:

target/arm: Move sve probe inside kvm >= 4.15 branch (2022-08-01 16:21:18 +0100)

----------------------------------------------------------------
target-arm queue:
 * Fix KVM SVE ID register probe code

----------------------------------------------------------------
Richard Henderson (3):
      target/arm: Use kvm_arm_sve_supported in kvm_arm_get_host_cpu_features
      target/arm: Set KVM_ARM_VCPU_SVE while probing the host
      target/arm: Move sve probe inside kvm >= 4.15 branch

target/arm/kvm64.c | 45 ++++++++++++++++++++++-----------------------
 1 file changed, 22 insertions(+), 23 deletions(-)

From: Richard Henderson <richard.henderson@linaro.org>

Because we weren't setting this flag, our probe of ID_AA64ZFR0
was always returning zero.  This also obviates the adjustment
of ID_AA64PFR0, which had sanitized the SVE field.

The effects of the bug are not visible, because the only thing that
ID_AA64ZFR0 is used for within qemu at present is tcg translation.
The other tests for SVE within KVM are via ID_AA64PFR0.SVE.

Reported-by: Zenghui Yu <yuzenghui@huawei.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220726045828.53697-3-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/kvm64.c | 27 +++++++++++++--------------
 1 file changed, 13 insertions(+), 14 deletions(-)

diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm64.c
+++ b/target/arm/kvm64.c
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
     bool sve_supported;
     bool pmu_supported = false;
     uint64_t features = 0;
-    uint64_t t;
     int err;
 
     /* Old kernels may not know about the PREFERRED_TARGET ioctl: however
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
     struct kvm_vcpu_init init = { .target = -1, };
 
     /*
-     * Ask for Pointer Authentication if supported. We can't play the
-     * SVE trick of synthesising the ID reg as KVM won't tell us
-     * whether we have the architected or IMPDEF version of PAuth, so
-     * we have to use the actual ID regs.
+     * Ask for SVE if supported, so that we can query ID_AA64ZFR0,
+     * which is otherwise RAZ.
+     */
+    sve_supported = kvm_arm_sve_supported();
+    if (sve_supported) {
+        init.features[0] |= 1 << KVM_ARM_VCPU_SVE;
+    }
+
+    /*
+     * Ask for Pointer Authentication if supported, so that we get
+     * the unsanitized field values for AA64ISAR1_EL1.
      */
     if (kvm_arm_pauth_supported()) {
         init.features[0] |= (1 << KVM_ARM_VCPU_PTRAUTH_ADDRESS |
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
         }
     }
 
-    sve_supported = kvm_arm_sve_supported();
-
-    /* Add feature bits that can't appear until after VCPU init. */
     if (sve_supported) {
-        t = ahcf->isar.id_aa64pfr0;
-        t = FIELD_DP64(t, ID_AA64PFR0, SVE, 1);
-        ahcf->isar.id_aa64pfr0 = t;
-
         /*
          * There is a range of kernels between kernel commit 73433762fcae
          * and f81cb2c3ad41 which have a bug where the kernel doesn't expose
          * SYS_ID_AA64ZFR0_EL1 via the ONE_REG API unless the VM has enabled
-         * SVE support, so we only read it here, rather than together with all
-         * the other ID registers earlier.
+         * SVE support, which resulted in an error rather than RAZ.
+         * So only read the register if we set KVM_ARM_VCPU_SVE above.
          */
         err |= read_sys_reg64(fdarray[2], &ahcf->isar.id_aa64zfr0,
                               ARM64_SYS_REG(3, 0, 0, 4, 4));
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

The test for the IF block indicates no ID registers are exposed, much
less host support for SVE.  Move the SVE probe into the ELSE block.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220726045828.53697-4-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/kvm64.c | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm64.c
+++ b/target/arm/kvm64.c
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
             err |= read_sys_reg64(fdarray[2], &ahcf->isar.reset_pmcr_el0,
                                   ARM64_SYS_REG(3, 3, 9, 12, 0));
         }
-    }
 
-    if (sve_supported) {
-        /*
-         * There is a range of kernels between kernel commit 73433762fcae
-         * and f81cb2c3ad41 which have a bug where the kernel doesn't expose
-         * SYS_ID_AA64ZFR0_EL1 via the ONE_REG API unless the VM has enabled
-         * SVE support, which resulted in an error rather than RAZ.
-         * So only read the register if we set KVM_ARM_VCPU_SVE above.
-         */
-        err |= read_sys_reg64(fdarray[2], &ahcf->isar.id_aa64zfr0,
-                              ARM64_SYS_REG(3, 0, 0, 4, 4));
+        if (sve_supported) {
+            /*
+             * There is a range of kernels between kernel commit 73433762fcae
+             * and f81cb2c3ad41 which have a bug where the kernel doesn't
+             * expose SYS_ID_AA64ZFR0_EL1 via the ONE_REG API unless the VM has
+             * enabled SVE support, which resulted in an error rather than RAZ.
+             * So only read the register if we set KVM_ARM_VCPU_SVE above.
+             */
+            err |= read_sys_reg64(fdarray[2], &ahcf->isar.id_aa64zfr0,
+                                  ARM64_SYS_REG(3, 0, 0, 4, 4));
+        }
     }
 
     kvm_arm_destroy_scratch_host_vcpu(fdarray);
-- 
2.25.1