Series comparison

-[PULL 0/5] target-arm queue
+[PULL 0/3] target-arm queue
-Hi; this is a collection of mostly GIC related patches for rc3.
+Only thing for Arm for rc1 is RTH's fix for the KVM SVE probe code.
 The "Update cached state after LPI state changes" fix is important
 and fixes what would otherwise be a regression since we enable the
 ITS by default in the virt board now. The others are not regressions
 but I think are OK for rc3 as they're fairly self contained (and two
 of them are fixes to new-in-6.2 functionality).
-thanks
 -- PMM
-The following changes since commit dd4b0de45965538f19bb40c7ddaaba384a8c613a:
+The following changes since commit 4e06b3fc1b5e1ec03f22190eabe56891dc9c2236:
-  Fix version for v6.2.0-rc2 release (2021-11-26 11:58:54 +0100)
+  Merge tag 'pull-hex-20220731' of https://github.com/quic/qemu into staging (2022-07-31 21:38:54 -0700)
 are available in the Git repository at:
-  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20211129
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20220801
-for you to fetch changes up to 90feffad2aafe856ed2af75313b2c1669ba671e9:
+for you to fetch changes up to 5265d24c981dfdda8d29b44f7e84a514da75eedc:
-  hw/intc/arm_gicv3: fix handling of LPIs in list registers (2021-11-29 10:10:21 +0000)
+  target/arm: Move sve probe inside kvm >= 4.15 branch (2022-08-01 16:21:18 +0100)
 ----------------------------------------------------------------
 target-arm queue:
- * virt: Diagnose attempts to enable MTE or virt when using HVF accelerator
+ * Fix KVM SVE ID register probe code
  * GICv3 ITS: Allow clearing of ITS CTLR Enabled bit
  * GICv3: Update cached state after LPI state changes
  * GICv3: Fix handling of LPIs in list registers
 ----------------------------------------------------------------
-Alexander Graf (1):
+Richard Henderson (3):
-      hw/arm/virt: Extend nested and mte checks to hvf
+      target/arm: Use kvm_arm_sve_supported in kvm_arm_get_host_cpu_features
       target/arm: Set KVM_ARM_VCPU_SVE while probing the host
       target/arm: Move sve probe inside kvm >= 4.15 branch
-Peter Maydell (3):
+ target/arm/kvm64.c | 45 ++++++++++++++++++++++-----------------------
-      hw/intc/arm_gicv3: Update cached state after LPI state changes
+file changed, 22 insertions(+), 23 deletions(-)
       hw/intc/arm_gicv3: Add new gicv3_intid_is_special() function
       hw/intc/arm_gicv3: fix handling of LPIs in list registers
 Shashi Mallela (1):
       hw/intc: cannot clear GICv3 ITS CTLR[Enabled] bit
  hw/intc/gicv3_internal.h   | 30 ++++++++++++++++++++++++++++++
  hw/arm/virt.c              | 15 +++++++++------
  hw/intc/arm_gicv3.c        |  6 ++++--
  hw/intc/arm_gicv3_cpuif.c  |  9 ++++-----
  hw/intc/arm_gicv3_its.c    |  7 ++++---
  hw/intc/arm_gicv3_redist.c | 14 ++++++++++----
 files changed, 61 insertions(+), 20 deletions(-)

-[PULL 5/5] hw/intc/arm_gicv3: fix handling of LPIs in list registers
+[PULL 1/3] target/arm: Use kvm_arm_sve_supported in kvm_arm_get_host_cpu_features
-It is valid for an OS to put virtual interrupt ID values into the
+From: Richard Henderson <richard.henderson@linaro.org>
 list registers ICH_LR<n> which are greater than 1023.  This
 corresponds to (for example) KVM using the in-kernel emulated ITS to
 give a (nested) guest an ITS.  LPIs are delivered by the L1 kernel to
 the L2 guest via the list registers in the same way as non-LPI
 interrupts.
-QEMU's code for handling writes to ICV_IARn (which happen when the L2
+Indication for support for SVE will not depend on whether we
-guest acknowledges an interrupt) and to ICV_EOIRn (which happen at
+perform the query on the main kvm_state or the temp vcpu.
 the end of the interrupt) did not consider LPIs, so it would
 incorrectly treat interrupt IDs above 1023 as invalid.  Fix this by
 using the correct condition, which is gicv3_intid_is_special().
-Note that the condition in icv_dir_write() is correct -- LPIs
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-are not valid there and so we want to ignore both "special" ID
+Message-id: 20220726045828.53697-2-richard.henderson@linaro.org
-values and LPIs.
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
  target/arm/kvm64.c | 2 +-
 file changed, 1 insertion(+), 1 deletion(-)
-(In the pseudocode this logic is in:
+diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
  - VirtualReadIAR0(), VirtualReadIAR1(), which call IsSpecial()
  - VirtualWriteEOIR0(), VirtualWriteEOIR1(), which call
      VirtualIdentifierValid(data, TRUE) meaning "LPIs OK"
  - VirtualWriteDIR(), which calls VirtualIdentifierValid(data, FALSE)
      meaning "LPIs not OK")
 This bug doesn't seem to have any visible effect on Linux L2 guests
 most of the time, because the two bugs cancel each other out: we
 neither mark the interrupt active nor deactivate it.  However it does
 mean that the L2 vCPU priority while the LPI handler is running will
 not be correct, so the interrupt handler could be unexpectedly
 interrupted by a different interrupt.
 (NB: this has nothing to do with using QEMU's emulated ITS.)
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Marc Zyngier <maz@kernel.org>
 ---
  hw/intc/arm_gicv3_cpuif.c | 5 ++---
 file changed, 2 insertions(+), 3 deletions(-)
 diff --git a/hw/intc/arm_gicv3_cpuif.c b/hw/intc/arm_gicv3_cpuif.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/arm_gicv3_cpuif.c
+--- a/target/arm/kvm64.c
-+++ b/hw/intc/arm_gicv3_cpuif.c
++++ b/target/arm/kvm64.c
-@@ -XXX,XX +XXX,XX @@ static uint64_t icv_iar_read(CPUARMState *env, const ARMCPRegInfo *ri)
+@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
+         }
          if (thisgrp == grp && icv_hppi_can_preempt(cs, lr)) {
              intid = ich_lr_vintid(lr);
 -            if (intid < INTID_SECURE) {
 +            if (!gicv3_intid_is_special(intid)) {
                  icv_activate_irq(cs, idx, grp);
              } else {
                  /* Interrupt goes from Pending to Invalid */
@@ -XXX,XX +XXX,XX @@ static void icv_eoir_write(CPUARMState *env, const ARMCPRegInfo *ri,
      trace_gicv3_icv_eoir_write(ri->crm == 8 ? 0 : 1,
                                 gicv3_redist_affid(cs), value);
 -    if (irq >= GICV3_MAXIRQ) {
 -        /* Also catches special interrupt numbers and LPIs */
 +    if (gicv3_intid_is_special(irq)) {
          return;
      }
+-    sve_supported = ioctl(fdarray[0], KVM_CHECK_EXTENSION, KVM_CAP_ARM_SVE) > 0;
++    sve_supported = kvm_arm_sve_supported();
+     /* Add feature bits that can't appear until after VCPU init. */
+     if (sve_supported) {
 --
 .25.1

-[PULL 4/5] hw/intc/arm_gicv3: Add new gicv3_intid_is_special() function
+[PULL 2/3] target/arm: Set KVM_ARM_VCPU_SVE while probing the host
-The GICv3/v4 pseudocode has a function IsSpecial() which returns true
+From: Richard Henderson <richard.henderson@linaro.org>
 if passed a "special" interrupt ID number (anything between 1020 and
 inclusive).  We open-code this condition in a couple of places,
 so abstract it out into a new function gicv3_intid_is_special().
+Because we weren't setting this flag, our probe of ID_AA64ZFR0
+was always returning zero.  This also obviates the adjustment
+of ID_AA64PFR0, which had sanitized the SVE field.
+The effects of the bug are not visible, because the only thing that
+ID_AA64ZFR0 is used for within qemu at present is tcg translation.
+The other tests for SVE within KVM are via ID_AA64PFR0.SVE.
+Reported-by: Zenghui Yu <yuzenghui@huawei.com>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220726045828.53697-3-richard.henderson@linaro.org
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Marc Zyngier <maz@kernel.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 ---
- hw/intc/gicv3_internal.h  | 13 +++++++++++++
+ target/arm/kvm64.c | 27 +++++++++++++--------------
- hw/intc/arm_gicv3_cpuif.c |  4 ++--
+file changed, 13 insertions(+), 14 deletions(-)
 files changed, 15 insertions(+), 2 deletions(-)
-diff --git a/hw/intc/gicv3_internal.h b/hw/intc/gicv3_internal.h
+diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/gicv3_internal.h
+--- a/target/arm/kvm64.c
-+++ b/hw/intc/gicv3_internal.h
++++ b/target/arm/kvm64.c
-@@ -XXX,XX +XXX,XX @@ FIELD(MAPC, RDBASE, 16, 32)
+@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
+     bool sve_supported;
- /* Functions internal to the emulated GICv3 */
+     bool pmu_supported = false;
+     uint64_t features = 0;
-+/**
+-    uint64_t t;
-+ * gicv3_intid_is_special:
+     int err;
-+ * @intid: interrupt ID
-+ *
+     /* Old kernels may not know about the PREFERRED_TARGET ioctl: however
-+ * Return true if @intid is a special interrupt ID (1020 to
+@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
-+ * 1023 inclusive). This corresponds to the GIC spec pseudocode
+     struct kvm_vcpu_init init = { .target = -1, };
-+ * IsSpecial() function.
-+ */
+     /*
-+static inline bool gicv3_intid_is_special(int intid)
+-     * Ask for Pointer Authentication if supported. We can't play the
-+{
+-     * SVE trick of synthesising the ID reg as KVM won't tell us
-+    return intid >= INTID_SECURE && intid <= INTID_SPURIOUS;
+-     * whether we have the architected or IMPDEF version of PAuth, so
-+}
+-     * we have to use the actual ID regs.
 +     * Ask for SVE if supported, so that we can query ID_AA64ZFR0,
 +     * which is otherwise RAZ.
 +     */
 +    sve_supported = kvm_arm_sve_supported();
 +    if (sve_supported) {
 +        init.features[0] |= 1 << KVM_ARM_VCPU_SVE;
 +    }
 +
- /**
++    /*
-  * gicv3_redist_update:
++     * Ask for Pointer Authentication if supported, so that we get
-  * @cs: GICv3CPUState for this redistributor
++     * the unsanitized field values for AA64ISAR1_EL1.
-diff --git a/hw/intc/arm_gicv3_cpuif.c b/hw/intc/arm_gicv3_cpuif.c
+      */
-index XXXXXXX..XXXXXXX 100644
+     if (kvm_arm_pauth_supported()) {
---- a/hw/intc/arm_gicv3_cpuif.c
+         init.features[0] |= (1 << KVM_ARM_VCPU_PTRAUTH_ADDRESS |
-+++ b/hw/intc/arm_gicv3_cpuif.c
+@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
-@@ -XXX,XX +XXX,XX @@ static uint64_t icc_iar0_read(CPUARMState *env, const ARMCPRegInfo *ri)
+         }
          intid = icc_hppir0_value(cs, env);
      }
--    if (!(intid >= INTID_SECURE && intid <= INTID_SPURIOUS)) {
+-    sve_supported = kvm_arm_sve_supported();
-+    if (!gicv3_intid_is_special(intid)) {
+-
-         icc_activate_irq(cs, intid);
+-    /* Add feature bits that can't appear until after VCPU init. */
-     }
+     if (sve_supported) {
+-        t = ahcf->isar.id_aa64pfr0;
-@@ -XXX,XX +XXX,XX @@ static uint64_t icc_iar1_read(CPUARMState *env, const ARMCPRegInfo *ri)
+-        t = FIELD_DP64(t, ID_AA64PFR0, SVE, 1);
-         intid = icc_hppir1_value(cs, env);
+-        ahcf->isar.id_aa64pfr0 = t;
-     }
+-
+         /*
--    if (!(intid >= INTID_SECURE && intid <= INTID_SPURIOUS)) {
+          * There is a range of kernels between kernel commit 73433762fcae
-+    if (!gicv3_intid_is_special(intid)) {
+          * and f81cb2c3ad41 which have a bug where the kernel doesn't expose
-         icc_activate_irq(cs, intid);
+          * SYS_ID_AA64ZFR0_EL1 via the ONE_REG API unless the VM has enabled
-     }
+-         * SVE support, so we only read it here, rather than together with all
+-         * the other ID registers earlier.
 +         * SVE support, which resulted in an error rather than RAZ.
 +         * So only read the register if we set KVM_ARM_VCPU_SVE above.
           */
          err |= read_sys_reg64(fdarray[2], &ahcf->isar.id_aa64zfr0,
                                ARM64_SYS_REG(3, 0, 0, 4, 4));
 --
 .25.1

-[PULL 1/5] hw/arm/virt: Extend nested and mte checks to hvf
+[PULL 3/3] target/arm: Move sve probe inside kvm >= 4.15 branch
-From: Alexander Graf <agraf@csgraf.de>
+From: Richard Henderson <richard.henderson@linaro.org>
-The virt machine has properties to enable MTE and Nested Virtualization
+The test for the IF block indicates no ID registers are exposed, much
-support. However, its check to ensure the backing accel implementation
+less host support for SVE.  Move the SVE probe into the ELSE block.
 supports it today only looks for KVM and bails out if it finds it.
-Extend the checks to HVF as well as it does not support either today.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-This will cause QEMU to print a useful error message rather than
+Message-id: 20220726045828.53697-4-richard.henderson@linaro.org
 silently ignoring the attempt by the user to enable either MTE or
 the Virtualization extensions.
 Reported-by: saar amar <saaramar5@gmail.com>
 Signed-off-by: Alexander Graf <agraf@csgraf.de>
 Message-id: 20211123122859.22452-1-agraf@csgraf.de
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/virt.c | 15 +++++++++------
+ target/arm/kvm64.c | 22 +++++++++++-----------
-file changed, 9 insertions(+), 6 deletions(-)
+file changed, 11 insertions(+), 11 deletions(-)
-diff --git a/hw/arm/virt.c b/hw/arm/virt.c
+diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/virt.c
+--- a/target/arm/kvm64.c
-+++ b/hw/arm/virt.c
++++ b/target/arm/kvm64.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
- #include "sysemu/runstate.h"
+             err |= read_sys_reg64(fdarray[2], &ahcf->isar.reset_pmcr_el0,
- #include "sysemu/tpm.h"
+                                   ARM64_SYS_REG(3, 3, 9, 12, 0));
- #include "sysemu/kvm.h"
+         }
-+#include "sysemu/hvf.h"
+-    }
- #include "hw/loader.h"
- #include "qapi/error.h"
+-    if (sve_supported) {
- #include "qemu/bitops.h"
+-        /*
-@@ -XXX,XX +XXX,XX @@ static void machvirt_init(MachineState *machine)
+-         * There is a range of kernels between kernel commit 73433762fcae
-         exit(1);
+-         * and f81cb2c3ad41 which have a bug where the kernel doesn't expose
 -         * SYS_ID_AA64ZFR0_EL1 via the ONE_REG API unless the VM has enabled
 -         * SVE support, which resulted in an error rather than RAZ.
 -         * So only read the register if we set KVM_ARM_VCPU_SVE above.
 -         */
 -        err |= read_sys_reg64(fdarray[2], &ahcf->isar.id_aa64zfr0,
 -                              ARM64_SYS_REG(3, 0, 0, 4, 4));
 +        if (sve_supported) {
 +            /*
 +             * There is a range of kernels between kernel commit 73433762fcae
 +             * and f81cb2c3ad41 which have a bug where the kernel doesn't
 +             * expose SYS_ID_AA64ZFR0_EL1 via the ONE_REG API unless the VM has
 +             * enabled SVE support, which resulted in an error rather than RAZ.
 +             * So only read the register if we set KVM_ARM_VCPU_SVE above.
 +             */
 +            err |= read_sys_reg64(fdarray[2], &ahcf->isar.id_aa64zfr0,
 +                                  ARM64_SYS_REG(3, 0, 0, 4, 4));
 +        }
      }
--    if (vms->virt && kvm_enabled()) {
+     kvm_arm_destroy_scratch_host_vcpu(fdarray);
 -        error_report("mach-virt: KVM does not support providing "
 -                     "Virtualization extensions to the guest CPU");
 +    if (vms->virt && (kvm_enabled() || hvf_enabled())) {
 +        error_report("mach-virt: %s does not support providing "
 +                     "Virtualization extensions to the guest CPU",
 +                     kvm_enabled() ? "KVM" : "HVF");
          exit(1);
      }
 -    if (vms->mte && kvm_enabled()) {
 -        error_report("mach-virt: KVM does not support providing "
 -                     "MTE to the guest CPU");
 +    if (vms->mte && (kvm_enabled() || hvf_enabled())) {
 +        error_report("mach-virt: %s does not support providing "
 +                     "MTE to the guest CPU",
 +                     kvm_enabled() ? "KVM" : "HVF");
          exit(1);
      }
 --
 .25.1

-[PULL 2/5] hw/intc: cannot clear GICv3 ITS CTLR[Enabled] bit
+Deleted patch
-From: Shashi Mallela <shashi.mallela@linaro.org>
-When Enabled bit is cleared in GITS_CTLR,ITS feature continues
-to be enabled.This patch fixes the issue.
-Signed-off-by: Shashi Mallela <shashi.mallela@linaro.org>
-Tested-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20211124182246.67691-1-shashi.mallela@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/intc/arm_gicv3_its.c | 7 ++++---
-file changed, 4 insertions(+), 3 deletions(-)
-diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/arm_gicv3_its.c
-+++ b/hw/intc/arm_gicv3_its.c
-@@ -XXX,XX +XXX,XX @@ static bool its_writel(GICv3ITSState *s, hwaddr offset,
-     switch (offset) {
-     case GITS_CTLR:
--        s->ctlr |= (value & ~(s->ctlr));
--
--        if (s->ctlr & ITS_CTLR_ENABLED) {
-+        if (value & R_GITS_CTLR_ENABLED_MASK) {
-+            s->ctlr |= ITS_CTLR_ENABLED;
-             extract_table_params(s);
-             extract_cmdq_params(s);
-             s->creadr = 0;
-             process_cmdq(s);
-+        } else {
-+            s->ctlr &= ~ITS_CTLR_ENABLED;
-         }
-         break;
-     case GITS_CBASER:
---
-.25.1

-[PULL 3/5] hw/intc/arm_gicv3: Update cached state after LPI state changes
+Deleted patch
-The logic of gicv3_redist_update() is as follows:
- * it must be called in any code path that changes the state of
-   (only) redistributor interrupts
- * if it finds a redistributor interrupt that is (now) higher
-   priority than the previous highest-priority pending interrupt,
-   then this must be the new highest-priority pending interrupt
- * if it does *not* find a better redistributor interrupt, then:
-    - if the previous state was "no interrupts pending" then
-      the new state is still "no interrupts pending"
-    - if the previous best interrupt was not a redistributor
-      interrupt then that remains the best interrupt
-    - if the previous best interrupt *was* a redistributor interrupt,
-      then the new best interrupt must be some non-redistributor
-      interrupt, but we don't know which so must do a full scan
-In commit 17fb5e36aabd4b2c125 we effectively added the LPI interrupts
-as a kind of "redistributor interrupt" for this purpose, by adding
-cs->hpplpi to the set of things that gicv3_redist_update() considers
-before it gives up and decides to do a full scan of distributor
-interrupts. However we didn't quite get this right:
- * the condition check for "was the previous best interrupt a
-   redistributor interrupt" must be updated to include LPIs
-   in what it considers to be redistributor interrupts
- * every code path which updates the LPI state which
-   gicv3_redist_update() checks must also call gicv3_redist_update():
-   this is cs->hpplpi and the GICR_CTLR ENABLE_LPIS bit
-This commit fixes this by:
- * correcting the test on cs->hppi.irq in gicv3_redist_update()
- * making gicv3_redist_update_lpi() always call gicv3_redist_update()
- * introducing a new gicv3_redist_update_lpi_only() for the one
-   callsite (the post-load hook) which must not call
-   gicv3_redist_update()
- * making gicv3_redist_lpi_pending() always call gicv3_redist_update(),
-   either directly or via gicv3_redist_update_lpi()
- * removing a couple of now-unnecessary calls to gicv3_redist_update()
-   from some callers of those two functions
- * calling gicv3_redist_update() when the GICR_CTLR ENABLE_LPIS
-   bit is cleared
-(This means that the not-file-local gicv3_redist_* LPI related
-functions now all take care of the updates of internally cached
-GICv3 information, in the same way the older functions
-gicv3_redist_set_irq() and gicv3_redist_send_sgi() do.)
-The visible effect of this bug was that when the guest acknowledged
-an LPI by reading ICC_IAR1_EL1, we marked it as not pending in the
-LPI data structure but still left it in cs->hppi so we would offer it
-to the guest again.  In particular for setups using an emulated GICv3
-and ITS and using devices which use LPIs (ie PCI devices) a Linux
-guest would complain "irq 54: nobody cared" and then hang.  (The hang
-was intermittent, presumably depending on the timing between
-different interrupts arriving and being completed.)
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Tested-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Message-id: 20211124202005.989935-1-peter.maydell@linaro.org
----
- hw/intc/gicv3_internal.h   | 17 +++++++++++++++++
- hw/intc/arm_gicv3.c        |  6 ++++--
- hw/intc/arm_gicv3_redist.c | 14 ++++++++++----
-files changed, 31 insertions(+), 6 deletions(-)
-diff --git a/hw/intc/gicv3_internal.h b/hw/intc/gicv3_internal.h
-index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/gicv3_internal.h
-+++ b/hw/intc/gicv3_internal.h
-@@ -XXX,XX +XXX,XX @@ void gicv3_dist_set_irq(GICv3State *s, int irq, int level);
- void gicv3_redist_set_irq(GICv3CPUState *cs, int irq, int level);
- void gicv3_redist_process_lpi(GICv3CPUState *cs, int irq, int level);
- void gicv3_redist_lpi_pending(GICv3CPUState *cs, int irq, int level);
-+/**
-+ * gicv3_redist_update_lpi:
-+ * @cs: GICv3CPUState
-+ *
-+ * Scan the LPI pending table and recalculate the highest priority
-+ * pending LPI and also the overall highest priority pending interrupt.
-+ */
- void gicv3_redist_update_lpi(GICv3CPUState *cs);
-+/**
-+ * gicv3_redist_update_lpi_only:
-+ * @cs: GICv3CPUState
-+ *
-+ * Scan the LPI pending table and recalculate cs->hpplpi only,
-+ * without calling gicv3_redist_update() to recalculate the overall
-+ * highest priority pending interrupt. This should be called after
-+ * an incoming migration has loaded new state.
-+ */
-+void gicv3_redist_update_lpi_only(GICv3CPUState *cs);
- void gicv3_redist_send_sgi(GICv3CPUState *cs, int grp, int irq, bool ns);
- void gicv3_init_cpuif(GICv3State *s);
-diff --git a/hw/intc/arm_gicv3.c b/hw/intc/arm_gicv3.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/arm_gicv3.c
-+++ b/hw/intc/arm_gicv3.c
-@@ -XXX,XX +XXX,XX @@ static void gicv3_redist_update_noirqset(GICv3CPUState *cs)
-      * interrupt has reduced in priority and any other interrupt could
-      * now be the new best one).
-      */
--    if (!seenbetter && cs->hppi.prio != 0xff && cs->hppi.irq < GIC_INTERNAL) {
-+    if (!seenbetter && cs->hppi.prio != 0xff &&
-+        (cs->hppi.irq < GIC_INTERNAL ||
-+         cs->hppi.irq >= GICV3_LPI_INTID_START)) {
-         gicv3_full_update_noirqset(cs->gic);
-     }
- }
-@@ -XXX,XX +XXX,XX @@ static void arm_gicv3_post_load(GICv3State *s)
-      * pending interrupt, but don't set IRQ or FIQ lines.
-      */
-     for (i = 0; i < s->num_cpu; i++) {
--        gicv3_redist_update_lpi(&s->cpu[i]);
-+        gicv3_redist_update_lpi_only(&s->cpu[i]);
-     }
-     gicv3_full_update_noirqset(s);
-     /* Repopulate the cache of GICv3CPUState pointers for target CPUs */
-diff --git a/hw/intc/arm_gicv3_redist.c b/hw/intc/arm_gicv3_redist.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/arm_gicv3_redist.c
-+++ b/hw/intc/arm_gicv3_redist.c
-@@ -XXX,XX +XXX,XX @@ static MemTxResult gicr_writel(GICv3CPUState *cs, hwaddr offset,
-                 cs->gicr_ctlr |= GICR_CTLR_ENABLE_LPIS;
-                 /* Check for any pending interr in pending table */
-                 gicv3_redist_update_lpi(cs);
--                gicv3_redist_update(cs);
-             } else {
-                 cs->gicr_ctlr &= ~GICR_CTLR_ENABLE_LPIS;
-+                /* cs->hppi might have been an LPI; recalculate */
-+                gicv3_redist_update(cs);
-             }
-         }
-         return MEMTX_OK;
-@@ -XXX,XX +XXX,XX @@ static void gicv3_redist_check_lpi_priority(GICv3CPUState *cs, int irq)
-     }
- }
--void gicv3_redist_update_lpi(GICv3CPUState *cs)
-+void gicv3_redist_update_lpi_only(GICv3CPUState *cs)
- {
-     /*
-      * This function scans the LPI pending table and for each pending
-@@ -XXX,XX +XXX,XX @@ void gicv3_redist_update_lpi(GICv3CPUState *cs)
-     }
- }
-+void gicv3_redist_update_lpi(GICv3CPUState *cs)
-+{
-+    gicv3_redist_update_lpi_only(cs);
-+    gicv3_redist_update(cs);
-+}
-+
- void gicv3_redist_lpi_pending(GICv3CPUState *cs, int irq, int level)
- {
-     /*
-@@ -XXX,XX +XXX,XX @@ void gicv3_redist_lpi_pending(GICv3CPUState *cs, int irq, int level)
-      */
-     if (level) {
-         gicv3_redist_check_lpi_priority(cs, irq);
-+        gicv3_redist_update(cs);
-     } else {
-         if (irq == cs->hpplpi.irq) {
-             gicv3_redist_update_lpi(cs);
-@@ -XXX,XX +XXX,XX @@ void gicv3_redist_process_lpi(GICv3CPUState *cs, int irq, int level)
-     /* set/clear the pending bit for this irq */
-     gicv3_redist_lpi_pending(cs, irq, level);
--
--    gicv3_redist_update(cs);
- }
- void gicv3_redist_set_irq(GICv3CPUState *cs, int irq, int level)
---
-.25.1

Hi; this is a collection of mostly GIC related patches for rc3.
The "Update cached state after LPI state changes" fix is important
and fixes what would otherwise be a regression since we enable the
ITS by default in the virt board now. The others are not regressions
but I think are OK for rc3 as they're fairly self contained (and two
of them are fixes to new-in-6.2 functionality).

thanks
-- PMM

The following changes since commit dd4b0de45965538f19bb40c7ddaaba384a8c613a:

Fix version for v6.2.0-rc2 release (2021-11-26 11:58:54 +0100)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20211129

for you to fetch changes up to 90feffad2aafe856ed2af75313b2c1669ba671e9:

hw/intc/arm_gicv3: fix handling of LPIs in list registers (2021-11-29 10:10:21 +0000)

----------------------------------------------------------------
target-arm queue:
 * virt: Diagnose attempts to enable MTE or virt when using HVF accelerator
 * GICv3 ITS: Allow clearing of ITS CTLR Enabled bit
 * GICv3: Update cached state after LPI state changes
 * GICv3: Fix handling of LPIs in list registers

----------------------------------------------------------------
Alexander Graf (1):
      hw/arm/virt: Extend nested and mte checks to hvf

Peter Maydell (3):
      hw/intc/arm_gicv3: Update cached state after LPI state changes
      hw/intc/arm_gicv3: Add new gicv3_intid_is_special() function
      hw/intc/arm_gicv3: fix handling of LPIs in list registers

Shashi Mallela (1):
      hw/intc: cannot clear GICv3 ITS CTLR[Enabled] bit

hw/intc/gicv3_internal.h   | 30 ++++++++++++++++++++++++++++++
 hw/arm/virt.c              | 15 +++++++++------
 hw/intc/arm_gicv3.c        |  6 ++++--
 hw/intc/arm_gicv3_cpuif.c  |  9 ++++-----
 hw/intc/arm_gicv3_its.c    |  7 ++++---
 hw/intc/arm_gicv3_redist.c | 14 ++++++++++----
 6 files changed, 61 insertions(+), 20 deletions(-)

From: Alexander Graf <agraf@csgraf.de>

The virt machine has properties to enable MTE and Nested Virtualization
support. However, its check to ensure the backing accel implementation
supports it today only looks for KVM and bails out if it finds it.

Extend the checks to HVF as well as it does not support either today.
This will cause QEMU to print a useful error message rather than
silently ignoring the attempt by the user to enable either MTE or
the Virtualization extensions.

Reported-by: saar amar <saaramar5@gmail.com>
Signed-off-by: Alexander Graf <agraf@csgraf.de>
Message-id: 20211123122859.22452-1-agraf@csgraf.de
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/virt.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@
 #include "sysemu/runstate.h"
 #include "sysemu/tpm.h"
 #include "sysemu/kvm.h"
+#include "sysemu/hvf.h"
 #include "hw/loader.h"
 #include "qapi/error.h"
 #include "qemu/bitops.h"
@@ -XXX,XX +XXX,XX @@ static void machvirt_init(MachineState *machine)
         exit(1);
     }
 
-    if (vms->virt && kvm_enabled()) {
-        error_report("mach-virt: KVM does not support providing "
-                     "Virtualization extensions to the guest CPU");
+    if (vms->virt && (kvm_enabled() || hvf_enabled())) {
+        error_report("mach-virt: %s does not support providing "
+                     "Virtualization extensions to the guest CPU",
+                     kvm_enabled() ? "KVM" : "HVF");
         exit(1);
     }
 
-    if (vms->mte && kvm_enabled()) {
-        error_report("mach-virt: KVM does not support providing "
-                     "MTE to the guest CPU");
+    if (vms->mte && (kvm_enabled() || hvf_enabled())) {
+        error_report("mach-virt: %s does not support providing "
+                     "MTE to the guest CPU",
+                     kvm_enabled() ? "KVM" : "HVF");
         exit(1);
     }
 
-- 
2.25.1

From: Shashi Mallela <shashi.mallela@linaro.org>

When Enabled bit is cleared in GITS_CTLR,ITS feature continues
to be enabled.This patch fixes the issue.

Signed-off-by: Shashi Mallela <shashi.mallela@linaro.org>
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20211124182246.67691-1-shashi.mallela@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/intc/arm_gicv3_its.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3_its.c
+++ b/hw/intc/arm_gicv3_its.c
@@ -XXX,XX +XXX,XX @@ static bool its_writel(GICv3ITSState *s, hwaddr offset,
 
     switch (offset) {
     case GITS_CTLR:
-        s->ctlr |= (value & ~(s->ctlr));
-
-        if (s->ctlr & ITS_CTLR_ENABLED) {
+        if (value & R_GITS_CTLR_ENABLED_MASK) {
+            s->ctlr |= ITS_CTLR_ENABLED;
             extract_table_params(s);
             extract_cmdq_params(s);
             s->creadr = 0;
             process_cmdq(s);
+        } else {
+            s->ctlr &= ~ITS_CTLR_ENABLED;
         }
         break;
     case GITS_CBASER:
-- 
2.25.1

The logic of gicv3_redist_update() is as follows:
 * it must be called in any code path that changes the state of
   (only) redistributor interrupts
 * if it finds a redistributor interrupt that is (now) higher
   priority than the previous highest-priority pending interrupt,
   then this must be the new highest-priority pending interrupt
 * if it does *not* find a better redistributor interrupt, then:
    - if the previous state was "no interrupts pending" then
      the new state is still "no interrupts pending"
    - if the previous best interrupt was not a redistributor
      interrupt then that remains the best interrupt
    - if the previous best interrupt *was* a redistributor interrupt,
      then the new best interrupt must be some non-redistributor
      interrupt, but we don't know which so must do a full scan

In commit 17fb5e36aabd4b2c125 we effectively added the LPI interrupts
as a kind of "redistributor interrupt" for this purpose, by adding
cs->hpplpi to the set of things that gicv3_redist_update() considers
before it gives up and decides to do a full scan of distributor
interrupts. However we didn't quite get this right:
 * the condition check for "was the previous best interrupt a
   redistributor interrupt" must be updated to include LPIs
   in what it considers to be redistributor interrupts
 * every code path which updates the LPI state which
   gicv3_redist_update() checks must also call gicv3_redist_update():
   this is cs->hpplpi and the GICR_CTLR ENABLE_LPIS bit

This commit fixes this by:
 * correcting the test on cs->hppi.irq in gicv3_redist_update()
 * making gicv3_redist_update_lpi() always call gicv3_redist_update()
 * introducing a new gicv3_redist_update_lpi_only() for the one
   callsite (the post-load hook) which must not call
   gicv3_redist_update()
 * making gicv3_redist_lpi_pending() always call gicv3_redist_update(),
   either directly or via gicv3_redist_update_lpi()
 * removing a couple of now-unnecessary calls to gicv3_redist_update()
   from some callers of those two functions
 * calling gicv3_redist_update() when the GICR_CTLR ENABLE_LPIS
   bit is cleared

(This means that the not-file-local gicv3_redist_* LPI related
functions now all take care of the updates of internally cached
GICv3 information, in the same way the older functions
gicv3_redist_set_irq() and gicv3_redist_send_sgi() do.)

The visible effect of this bug was that when the guest acknowledged
an LPI by reading ICC_IAR1_EL1, we marked it as not pending in the
LPI data structure but still left it in cs->hppi so we would offer it
to the guest again.  In particular for setups using an emulated GICv3
and ITS and using devices which use LPIs (ie PCI devices) a Linux
guest would complain "irq 54: nobody cared" and then hang.  (The hang
was intermittent, presumably depending on the timing between
different interrupts arriving and being completed.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20211124202005.989935-1-peter.maydell@linaro.org
---
 hw/intc/gicv3_internal.h   | 17 +++++++++++++++++
 hw/intc/arm_gicv3.c        |  6 ++++--
 hw/intc/arm_gicv3_redist.c | 14 ++++++++++----
 3 files changed, 31 insertions(+), 6 deletions(-)

diff --git a/hw/intc/gicv3_internal.h b/hw/intc/gicv3_internal.h
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/gicv3_internal.h
+++ b/hw/intc/gicv3_internal.h
@@ -XXX,XX +XXX,XX @@ void gicv3_dist_set_irq(GICv3State *s, int irq, int level);
 void gicv3_redist_set_irq(GICv3CPUState *cs, int irq, int level);
 void gicv3_redist_process_lpi(GICv3CPUState *cs, int irq, int level);
 void gicv3_redist_lpi_pending(GICv3CPUState *cs, int irq, int level);
+/**
+ * gicv3_redist_update_lpi:
+ * @cs: GICv3CPUState
+ *
+ * Scan the LPI pending table and recalculate the highest priority
+ * pending LPI and also the overall highest priority pending interrupt.
+ */
 void gicv3_redist_update_lpi(GICv3CPUState *cs);
+/**
+ * gicv3_redist_update_lpi_only:
+ * @cs: GICv3CPUState
+ *
+ * Scan the LPI pending table and recalculate cs->hpplpi only,
+ * without calling gicv3_redist_update() to recalculate the overall
+ * highest priority pending interrupt. This should be called after
+ * an incoming migration has loaded new state.
+ */
+void gicv3_redist_update_lpi_only(GICv3CPUState *cs);
 void gicv3_redist_send_sgi(GICv3CPUState *cs, int grp, int irq, bool ns);
 void gicv3_init_cpuif(GICv3State *s);
 
diff --git a/hw/intc/arm_gicv3.c b/hw/intc/arm_gicv3.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3.c
+++ b/hw/intc/arm_gicv3.c
@@ -XXX,XX +XXX,XX @@ static void gicv3_redist_update_noirqset(GICv3CPUState *cs)
      * interrupt has reduced in priority and any other interrupt could
      * now be the new best one).
      */
-    if (!seenbetter && cs->hppi.prio != 0xff && cs->hppi.irq < GIC_INTERNAL) {
+    if (!seenbetter && cs->hppi.prio != 0xff &&
+        (cs->hppi.irq < GIC_INTERNAL ||
+         cs->hppi.irq >= GICV3_LPI_INTID_START)) {
         gicv3_full_update_noirqset(cs->gic);
     }
 }
@@ -XXX,XX +XXX,XX @@ static void arm_gicv3_post_load(GICv3State *s)
      * pending interrupt, but don't set IRQ or FIQ lines.
      */
     for (i = 0; i < s->num_cpu; i++) {
-        gicv3_redist_update_lpi(&s->cpu[i]);
+        gicv3_redist_update_lpi_only(&s->cpu[i]);
     }
     gicv3_full_update_noirqset(s);
     /* Repopulate the cache of GICv3CPUState pointers for target CPUs */
diff --git a/hw/intc/arm_gicv3_redist.c b/hw/intc/arm_gicv3_redist.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3_redist.c
+++ b/hw/intc/arm_gicv3_redist.c
@@ -XXX,XX +XXX,XX @@ static MemTxResult gicr_writel(GICv3CPUState *cs, hwaddr offset,
                 cs->gicr_ctlr |= GICR_CTLR_ENABLE_LPIS;
                 /* Check for any pending interr in pending table */
                 gicv3_redist_update_lpi(cs);
-                gicv3_redist_update(cs);
             } else {
                 cs->gicr_ctlr &= ~GICR_CTLR_ENABLE_LPIS;
+                /* cs->hppi might have been an LPI; recalculate */
+                gicv3_redist_update(cs);
             }
         }
         return MEMTX_OK;
@@ -XXX,XX +XXX,XX @@ static void gicv3_redist_check_lpi_priority(GICv3CPUState *cs, int irq)
     }
 }
 
-void gicv3_redist_update_lpi(GICv3CPUState *cs)
+void gicv3_redist_update_lpi_only(GICv3CPUState *cs)
 {
     /*
      * This function scans the LPI pending table and for each pending
@@ -XXX,XX +XXX,XX @@ void gicv3_redist_update_lpi(GICv3CPUState *cs)
     }
 }
 
+void gicv3_redist_update_lpi(GICv3CPUState *cs)
+{
+    gicv3_redist_update_lpi_only(cs);
+    gicv3_redist_update(cs);
+}
+
 void gicv3_redist_lpi_pending(GICv3CPUState *cs, int irq, int level)
 {
     /*
@@ -XXX,XX +XXX,XX @@ void gicv3_redist_lpi_pending(GICv3CPUState *cs, int irq, int level)
      */
     if (level) {
         gicv3_redist_check_lpi_priority(cs, irq);
+        gicv3_redist_update(cs);
     } else {
         if (irq == cs->hpplpi.irq) {
             gicv3_redist_update_lpi(cs);
@@ -XXX,XX +XXX,XX @@ void gicv3_redist_process_lpi(GICv3CPUState *cs, int irq, int level)
 
     /* set/clear the pending bit for this irq */
     gicv3_redist_lpi_pending(cs, irq, level);
-
-    gicv3_redist_update(cs);
 }
 
 void gicv3_redist_set_irq(GICv3CPUState *cs, int irq, int level)
-- 
2.25.1

The GICv3/v4 pseudocode has a function IsSpecial() which returns true
if passed a "special" interrupt ID number (anything between 1020 and
1023 inclusive).  We open-code this condition in a couple of places,
so abstract it out into a new function gicv3_intid_is_special().

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Marc Zyngier <maz@kernel.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
---
 hw/intc/gicv3_internal.h  | 13 +++++++++++++
 hw/intc/arm_gicv3_cpuif.c |  4 ++--
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/hw/intc/gicv3_internal.h b/hw/intc/gicv3_internal.h
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/gicv3_internal.h
+++ b/hw/intc/gicv3_internal.h
@@ -XXX,XX +XXX,XX @@ FIELD(MAPC, RDBASE, 16, 32)
 
 /* Functions internal to the emulated GICv3 */
 
+/**
+ * gicv3_intid_is_special:
+ * @intid: interrupt ID
+ *
+ * Return true if @intid is a special interrupt ID (1020 to
+ * 1023 inclusive). This corresponds to the GIC spec pseudocode
+ * IsSpecial() function.
+ */
+static inline bool gicv3_intid_is_special(int intid)
+{
+    return intid >= INTID_SECURE && intid <= INTID_SPURIOUS;
+}
+
 /**
  * gicv3_redist_update:
  * @cs: GICv3CPUState for this redistributor
diff --git a/hw/intc/arm_gicv3_cpuif.c b/hw/intc/arm_gicv3_cpuif.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3_cpuif.c
+++ b/hw/intc/arm_gicv3_cpuif.c
@@ -XXX,XX +XXX,XX @@ static uint64_t icc_iar0_read(CPUARMState *env, const ARMCPRegInfo *ri)
         intid = icc_hppir0_value(cs, env);
     }
 
-    if (!(intid >= INTID_SECURE && intid <= INTID_SPURIOUS)) {
+    if (!gicv3_intid_is_special(intid)) {
         icc_activate_irq(cs, intid);
     }
 
@@ -XXX,XX +XXX,XX @@ static uint64_t icc_iar1_read(CPUARMState *env, const ARMCPRegInfo *ri)
         intid = icc_hppir1_value(cs, env);
     }
 
-    if (!(intid >= INTID_SECURE && intid <= INTID_SPURIOUS)) {
+    if (!gicv3_intid_is_special(intid)) {
         icc_activate_irq(cs, intid);
     }
 
-- 
2.25.1

It is valid for an OS to put virtual interrupt ID values into the
list registers ICH_LR<n> which are greater than 1023.  This
corresponds to (for example) KVM using the in-kernel emulated ITS to
give a (nested) guest an ITS.  LPIs are delivered by the L1 kernel to
the L2 guest via the list registers in the same way as non-LPI
interrupts.

QEMU's code for handling writes to ICV_IARn (which happen when the L2
guest acknowledges an interrupt) and to ICV_EOIRn (which happen at
the end of the interrupt) did not consider LPIs, so it would
incorrectly treat interrupt IDs above 1023 as invalid.  Fix this by
using the correct condition, which is gicv3_intid_is_special().

Note that the condition in icv_dir_write() is correct -- LPIs
are not valid there and so we want to ignore both "special" ID
values and LPIs.

(In the pseudocode this logic is in:
 - VirtualReadIAR0(), VirtualReadIAR1(), which call IsSpecial()
 - VirtualWriteEOIR0(), VirtualWriteEOIR1(), which call
     VirtualIdentifierValid(data, TRUE) meaning "LPIs OK"
 - VirtualWriteDIR(), which calls VirtualIdentifierValid(data, FALSE)
     meaning "LPIs not OK")

This bug doesn't seem to have any visible effect on Linux L2 guests
most of the time, because the two bugs cancel each other out: we
neither mark the interrupt active nor deactivate it.  However it does
mean that the L2 vCPU priority while the LPI handler is running will
not be correct, so the interrupt handler could be unexpectedly
interrupted by a different interrupt.

(NB: this has nothing to do with using QEMU's emulated ITS.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Marc Zyngier <maz@kernel.org>
---
 hw/intc/arm_gicv3_cpuif.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/hw/intc/arm_gicv3_cpuif.c b/hw/intc/arm_gicv3_cpuif.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3_cpuif.c
+++ b/hw/intc/arm_gicv3_cpuif.c
@@ -XXX,XX +XXX,XX @@ static uint64_t icv_iar_read(CPUARMState *env, const ARMCPRegInfo *ri)
 
         if (thisgrp == grp && icv_hppi_can_preempt(cs, lr)) {
             intid = ich_lr_vintid(lr);
-            if (intid < INTID_SECURE) {
+            if (!gicv3_intid_is_special(intid)) {
                 icv_activate_irq(cs, idx, grp);
             } else {
                 /* Interrupt goes from Pending to Invalid */
@@ -XXX,XX +XXX,XX @@ static void icv_eoir_write(CPUARMState *env, const ARMCPRegInfo *ri,
     trace_gicv3_icv_eoir_write(ri->crm == 8 ? 0 : 1,
                                gicv3_redist_affid(cs), value);
 
-    if (irq >= GICV3_MAXIRQ) {
-        /* Also catches special interrupt numbers and LPIs */
+    if (gicv3_intid_is_special(irq)) {
         return;
     }
 
-- 
2.25.1

Only thing for Arm for rc1 is RTH's fix for the KVM SVE probe code.

-- PMM

The following changes since commit 4e06b3fc1b5e1ec03f22190eabe56891dc9c2236:

Merge tag 'pull-hex-20220731' of https://github.com/quic/qemu into staging (2022-07-31 21:38:54 -0700)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20220801

for you to fetch changes up to 5265d24c981dfdda8d29b44f7e84a514da75eedc:

target/arm: Move sve probe inside kvm >= 4.15 branch (2022-08-01 16:21:18 +0100)

----------------------------------------------------------------
target-arm queue:
 * Fix KVM SVE ID register probe code

----------------------------------------------------------------
Richard Henderson (3):
      target/arm: Use kvm_arm_sve_supported in kvm_arm_get_host_cpu_features
      target/arm: Set KVM_ARM_VCPU_SVE while probing the host
      target/arm: Move sve probe inside kvm >= 4.15 branch

target/arm/kvm64.c | 45 ++++++++++++++++++++++-----------------------
 1 file changed, 22 insertions(+), 23 deletions(-)

From: Richard Henderson <richard.henderson@linaro.org>

Because we weren't setting this flag, our probe of ID_AA64ZFR0
was always returning zero.  This also obviates the adjustment
of ID_AA64PFR0, which had sanitized the SVE field.

The effects of the bug are not visible, because the only thing that
ID_AA64ZFR0 is used for within qemu at present is tcg translation.
The other tests for SVE within KVM are via ID_AA64PFR0.SVE.

Reported-by: Zenghui Yu <yuzenghui@huawei.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220726045828.53697-3-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/kvm64.c | 27 +++++++++++++--------------
 1 file changed, 13 insertions(+), 14 deletions(-)

diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm64.c
+++ b/target/arm/kvm64.c
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
     bool sve_supported;
     bool pmu_supported = false;
     uint64_t features = 0;
-    uint64_t t;
     int err;
 
     /* Old kernels may not know about the PREFERRED_TARGET ioctl: however
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
     struct kvm_vcpu_init init = { .target = -1, };
 
     /*
-     * Ask for Pointer Authentication if supported. We can't play the
-     * SVE trick of synthesising the ID reg as KVM won't tell us
-     * whether we have the architected or IMPDEF version of PAuth, so
-     * we have to use the actual ID regs.
+     * Ask for SVE if supported, so that we can query ID_AA64ZFR0,
+     * which is otherwise RAZ.
+     */
+    sve_supported = kvm_arm_sve_supported();
+    if (sve_supported) {
+        init.features[0] |= 1 << KVM_ARM_VCPU_SVE;
+    }
+
+    /*
+     * Ask for Pointer Authentication if supported, so that we get
+     * the unsanitized field values for AA64ISAR1_EL1.
      */
     if (kvm_arm_pauth_supported()) {
         init.features[0] |= (1 << KVM_ARM_VCPU_PTRAUTH_ADDRESS |
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
         }
     }
 
-    sve_supported = kvm_arm_sve_supported();
-
-    /* Add feature bits that can't appear until after VCPU init. */
     if (sve_supported) {
-        t = ahcf->isar.id_aa64pfr0;
-        t = FIELD_DP64(t, ID_AA64PFR0, SVE, 1);
-        ahcf->isar.id_aa64pfr0 = t;
-
         /*
          * There is a range of kernels between kernel commit 73433762fcae
          * and f81cb2c3ad41 which have a bug where the kernel doesn't expose
          * SYS_ID_AA64ZFR0_EL1 via the ONE_REG API unless the VM has enabled
-         * SVE support, so we only read it here, rather than together with all
-         * the other ID registers earlier.
+         * SVE support, which resulted in an error rather than RAZ.
+         * So only read the register if we set KVM_ARM_VCPU_SVE above.
          */
         err |= read_sys_reg64(fdarray[2], &ahcf->isar.id_aa64zfr0,
                               ARM64_SYS_REG(3, 0, 0, 4, 4));
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

The test for the IF block indicates no ID registers are exposed, much
less host support for SVE.  Move the SVE probe into the ELSE block.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220726045828.53697-4-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/kvm64.c | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm64.c
+++ b/target/arm/kvm64.c
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
             err |= read_sys_reg64(fdarray[2], &ahcf->isar.reset_pmcr_el0,
                                   ARM64_SYS_REG(3, 3, 9, 12, 0));
         }
-    }
 
-    if (sve_supported) {
-        /*
-         * There is a range of kernels between kernel commit 73433762fcae
-         * and f81cb2c3ad41 which have a bug where the kernel doesn't expose
-         * SYS_ID_AA64ZFR0_EL1 via the ONE_REG API unless the VM has enabled
-         * SVE support, which resulted in an error rather than RAZ.
-         * So only read the register if we set KVM_ARM_VCPU_SVE above.
-         */
-        err |= read_sys_reg64(fdarray[2], &ahcf->isar.id_aa64zfr0,
-                              ARM64_SYS_REG(3, 0, 0, 4, 4));
+        if (sve_supported) {
+            /*
+             * There is a range of kernels between kernel commit 73433762fcae
+             * and f81cb2c3ad41 which have a bug where the kernel doesn't
+             * expose SYS_ID_AA64ZFR0_EL1 via the ONE_REG API unless the VM has
+             * enabled SVE support, which resulted in an error rather than RAZ.
+             * So only read the register if we set KVM_ARM_VCPU_SVE above.
+             */
+            err |= read_sys_reg64(fdarray[2], &ahcf->isar.id_aa64zfr0,
+                                  ARM64_SYS_REG(3, 0, 0, 4, 4));
+        }
     }
 
     kvm_arm_destroy_scratch_host_vcpu(fdarray);
-- 
2.25.1