Small pullreq with some bug fixes to go into rc1.

The following changes since commit 5ca634afcf83215a9a54ca6e66032325b5ffb5f6:

Merge remote-tracking branch 'remotes/philmd/tags/sdmmc-20210322' into staging (2021-03-22 18:50:25 +0000)

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20210323

for you to fetch changes up to dad90de78e9e9d47cefcbcd30115706b98e6ec87:

target/arm: Set ARMMMUFaultInfo.level in user-only arm_cpu_tlb_fill (2021-03-23 14:07:55 +0000)

* hw/arm/virt: Disable pl011 clock migration if needed

* target/arm: Make M-profile VTOR loads on reset handle memory aliasing

* target/arm: Set ARMMMUFaultInfo.level in user-only arm_cpu_tlb_fill

Gavin Shan (1):

hw/arm/virt: Disable pl011 clock migration if needed

Peter Maydell (5):

memory: Make flatview_cb return bool, not int

memory: Document flatview_for_each_range()

memory: Add offset_in_region to flatview_cb arguments

hw/core/loader: Add new function rom_ptr_for_as()

target/arm: Make M-profile VTOR loads on reset handle memory aliasing

Richard Henderson (1):

target/arm: Set ARMMMUFaultInfo.level in user-only arm_cpu_tlb_fill

The return value of the flatview_cb callback passed to the

flatview_for_each_range() function is zero if the iteration through

the ranges should continue, or non-zero to break out of it. Use a

bool for this rather than int.

include/exec/memory.h | 6 +++---

tests/qtest/fuzz/generic_fuzz.c | 8 ++++----

2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/include/exec/memory.h b/include/exec/memory.h

--- a/include/exec/memory.h

+++ b/include/exec/memory.h

@@ -XXX,XX +XXX,XX @@ static inline FlatView *address_space_to_flatview(AddressSpace *as)

return qatomic_rcu_read(&as->current_map);

-typedef int (*flatview_cb)(Int128 start,

- Int128 len,

- const MemoryRegion*, void*);

+typedef bool (*flatview_cb)(Int128 start,

+ Int128 len,

+ const MemoryRegion*, void*);

void flatview_for_each_range(FlatView *fv, flatview_cb cb , void *opaque);

diff --git a/tests/qtest/fuzz/generic_fuzz.c b/tests/qtest/fuzz/generic_fuzz.c

--- a/tests/qtest/fuzz/generic_fuzz.c

+++ b/tests/qtest/fuzz/generic_fuzz.c

@@ -XXX,XX +XXX,XX @@ struct get_io_cb_info {

address_range result;

-static int get_io_address_cb(Int128 start, Int128 size,

- const MemoryRegion *mr, void *opaque) {

+static bool get_io_address_cb(Int128 start, Int128 size,

+ const MemoryRegion *mr, void *opaque) {

struct get_io_cb_info *info = opaque;

if (g_hash_table_lookup(fuzzable_memoryregions, mr)) {

if (info->index == 0) {

info->result.addr = (ram_addr_t)start;

info->result.size = (ram_addr_t)size;

info->found = 1;

- return 1;

+ return true;

}

info->index--;

- return 0;

+ return false;

}

/*

2.20.1

For accesses to rom blob data before or during reset, we have a

function rom_ptr() which looks for a rom blob that would be loaded to

the specified address, and returns a pointer into the rom blob data

corresponding to that address. This allows board or CPU code to say

"what is the data that is going to be loaded to this address?".

However, this function does not take account of memory region

aliases. If for instance a machine model has RAM at address

0x0000_0000 which is aliased to also appear at 0x1000_0000, a

rom_ptr() query for address 0x0000_0000 will only return a match if

the guest image provided by the user was loaded at 0x0000_0000 and

not if it was loaded at 0x1000_0000, even though they are the same

RAM and a run-time guest CPU read of 0x0000_0000 will read the data

loaded to 0x1000_0000.

Provide a new function rom_ptr_for_as() which takes an AddressSpace

argument, so that it can check whether the MemoryRegion corresponding

to the address is also mapped anywhere else in the AddressSpace and

look for rom blobs that loaded to that alias.

include/hw/loader.h | 31 +++++++++++++++++++

hw/core/loader.c | 75 +++++++++++++++++++++++++++++++++++++++++++++

2 files changed, 106 insertions(+)

diff --git a/include/hw/loader.h b/include/hw/loader.h

--- a/include/hw/loader.h

+++ b/include/hw/loader.h

@@ -XXX,XX +XXX,XX @@ void rom_transaction_end(bool commit);

int rom_copy(uint8_t *dest, hwaddr addr, size_t size);

void *rom_ptr(hwaddr addr, size_t size);

+/**

+ * rom_ptr_for_as: Return a pointer to ROM blob data for the address

+ * @as: AddressSpace to look for the ROM blob in

+ * @addr: Address within @as

+ * @size: size of data required in bytes

+ *

+ * Returns: pointer into the data which backs the matching ROM blob,

+ * or NULL if no blob covers the address range.

+ *

+ * This function looks for a ROM blob which covers the specified range

+ * of bytes of length @size starting at @addr within the address space

+ * @as. This is useful for code which runs as part of board

+ * initialization or CPU reset which wants to read data that is part

+ * of a user-supplied guest image or other guest memory contents, but

+ * which runs before the ROM loader's reset function has copied the

+ * blobs into guest memory.

+ *

+ * rom_ptr_for_as() will look not just for blobs loaded directly to

+ * the specified address, but also for blobs which were loaded to an

+ * alias of the region at a different location in the AddressSpace.

+ * In other words, if a machine model has RAM at address 0x0000_0000

+ * which is aliased to also appear at 0x1000_0000, rom_ptr_for_as()

+ * will return the correct data whether the guest image was linked and

+ * loaded at 0x0000_0000 or 0x1000_0000. Contrast rom_ptr(), which

+ * will only return data if the image load address is an exact match

+ * with the queried address.

+ *

+ * New code should prefer to use rom_ptr_for_as() instead of

+ * rom_ptr().

+ */

+void *rom_ptr_for_as(AddressSpace *as, hwaddr addr, size_t size);

void hmp_info_roms(Monitor *mon, const QDict *qdict);

#define rom_add_file_fixed(_f, _a, _i) \

diff --git a/hw/core/loader.c b/hw/core/loader.c

index XXXXXXX..XXXXXXX 100644

--- a/hw/core/loader.c

+++ b/hw/core/loader.c

@@ -XXX,XX +XXX,XX @@ void *rom_ptr(hwaddr addr, size_t size)

return rom->data + (addr - rom->addr);

+typedef struct FindRomCBData {

+ size_t size; /* Amount of data we want from ROM, in bytes */

+ MemoryRegion *mr; /* MR at the unaliased guest addr */

+ hwaddr xlat; /* Offset of addr within mr */

+ void *rom; /* Output: rom data pointer, if found */

+} FindRomCBData;

+

+static bool find_rom_cb(Int128 start, Int128 len, const MemoryRegion *mr,

+ hwaddr offset_in_region, void *opaque)

+{

+ FindRomCBData *cbdata = opaque;

+ hwaddr alias_addr;

+

+ if (mr != cbdata->mr) {

+ return false;

+ }

+

+ alias_addr = int128_get64(start) + cbdata->xlat - offset_in_region;

+ cbdata->rom = rom_ptr(alias_addr, cbdata->size);

+ if (!cbdata->rom) {

+ return false;

+ }

+ /* Found a match, stop iterating */

+ return true;

+}

+

+void *rom_ptr_for_as(AddressSpace *as, hwaddr addr, size_t size)

+{

+ /*

+ * Find any ROM data for the given guest address range. If there

+ * is a ROM blob then return a pointer to the host memory

+ * corresponding to 'addr'; otherwise return NULL.

+ *

+ * We look not only for ROM blobs that were loaded directly to

+ * addr, but also for ROM blobs that were loaded to aliases of

+ * that memory at other addresses within the AddressSpace.

+ *

+ * Note that we do not check @as against the 'as' member in the

+ * 'struct Rom' returned by rom_ptr(). The Rom::as is the

+ * AddressSpace which the rom blob should be written to, whereas

+ * our @as argument is the AddressSpace which we are (effectively)

+ * reading from, and the same underlying RAM will often be visible

+ * in multiple AddressSpaces. (A common example is a ROM blob

+ * written to the 'system' address space but then read back via a

+ * CPU's cpu->as pointer.) This does mean we might potentially

+ * return a false-positive match if a ROM blob was loaded into an

+ * AS which is entirely separate and distinct from the one we're

+ * querying, but this issue exists also for rom_ptr() and hasn't

+ * caused any problems in practice.

+ */

+ FlatView *fv;

+ void *rom;

+ hwaddr len_unused;

+ FindRomCBData cbdata = {};

+

+ /* Easy case: there's data at the actual address */

+ rom = rom_ptr(addr, size);

+ if (rom) {

+ return rom;

+ }

+

+ RCU_READ_LOCK_GUARD();

+

+ fv = address_space_to_flatview(as);

+ cbdata.mr = flatview_translate(fv, addr, &cbdata.xlat, &len_unused,

+ false, MEMTXATTRS_UNSPECIFIED);

+ if (!cbdata.mr) {

+ /* Nothing at this address, so there can't be any aliasing */

+ return NULL;

+ }

+ cbdata.size = size;

+ flatview_for_each_range(fv, find_rom_cb, &cbdata);

+ return cbdata.rom;

+}

+

void hmp_info_roms(Monitor *mon, const QDict *qdict)

{

Rom *rom;

2.20.1

The function flatview_for_each_range() calls a callback for each

range in a FlatView. Currently the callback gets the start and

length of the range and the MemoryRegion involved, but not the offset

within the MemoryRegion. Add this to the callback's arguments; we're

going to want it for a new use in the next commit.

include/exec/memory.h | 2 ++

softmmu/memory.c | 4 +++-

tests/qtest/fuzz/generic_fuzz.c | 5 ++++-

3 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/include/exec/memory.h b/include/exec/memory.h

index XXXXXXX..XXXXXXX 100644

--- a/include/exec/memory.h

+++ b/include/exec/memory.h

@@ -XXX,XX +XXX,XX @@ static inline FlatView *address_space_to_flatview(AddressSpace *as)

* @start: start address of the range within the FlatView

* @len: length of the range in bytes

* @mr: MemoryRegion covering this range

+ * @offset_in_region: offset of the first byte of the range within @mr

* @opaque: data pointer passed to flatview_for_each_range()

*

* Returns: true to stop the iteration, false to keep going.

@@ -XXX,XX +XXX,XX @@ static inline FlatView *address_space_to_flatview(AddressSpace *as)

typedef bool (*flatview_cb)(Int128 start,

Int128 len,

const MemoryRegion *mr,

+ hwaddr offset_in_region,

void *opaque);

/**

diff --git a/softmmu/memory.c b/softmmu/memory.c

index XXXXXXX..XXXXXXX 100644

--- a/softmmu/memory.c

+++ b/softmmu/memory.c

@@ -XXX,XX +XXX,XX @@ void flatview_for_each_range(FlatView *fv, flatview_cb cb , void *opaque)

assert(cb);

FOR_EACH_FLAT_RANGE(fr, fv) {

- if (cb(fr->addr.start, fr->addr.size, fr->mr, opaque))

+ if (cb(fr->addr.start, fr->addr.size, fr->mr,

+ fr->offset_in_region, opaque)) {

break;

+ }

diff --git a/tests/qtest/fuzz/generic_fuzz.c b/tests/qtest/fuzz/generic_fuzz.c

index XXXXXXX..XXXXXXX 100644

--- a/tests/qtest/fuzz/generic_fuzz.c

+++ b/tests/qtest/fuzz/generic_fuzz.c

@@ -XXX,XX +XXX,XX @@ struct get_io_cb_info {

};

static bool get_io_address_cb(Int128 start, Int128 size,

- const MemoryRegion *mr, void *opaque) {

+ const MemoryRegion *mr,

+ hwaddr offset_in_region,

+ void *opaque)

+{

struct get_io_cb_info *info = opaque;

if (g_hash_table_lookup(fuzzable_memoryregions, mr)) {

if (info->index == 0) {

2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

Pretend the fault always happens at page table level 3.

Failure to set this leaves level = 0, which is impossible for

ARMFault_Permission, and produces an invalid syndrome, which

reaches g_assert_not_reached in cpu_loop.

Fixes: 8db94ab4e5db ("linux-user/aarch64: Pass syndrome to EXC_*_ABORT")

Reported-by: Laurent Vivier <laurent@vivier.eu>

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

Message-id: 20210320000606.1788699-1-richard.henderson@linaro.org

target/arm/tlb_helper.c | 1 +

1 file changed, 1 insertion(+)

diff --git a/target/arm/tlb_helper.c b/target/arm/tlb_helper.c

--- a/target/arm/tlb_helper.c

+++ b/target/arm/tlb_helper.c

@@ -XXX,XX +XXX,XX @@ bool arm_cpu_tlb_fill(CPUState *cs, vaddr address, int size,

} else {

fi.type = ARMFault_Translation;

}

+ fi.level = 3;

/* now we have a real cpu fault */

cpu_restore_state(cs, retaddr, true);

2.20.1