Series comparison

-[PULL 0/1] target-arm queue
+[PULL 0/2] target-arm queue
-Just one bugfix patch for this rc:
+This bug seemed worth fixing for 8.0 since we need an rc4 anyway:
 we were using uninitialized data for the guarded bit when
 combining stage 1 and stage 2 attrs.
-The following changes since commit ca5f3d4df1b47d7f66a109cdb504e83dfd7ec433:
+thanks
 -- PMM
-  Merge tag 'pull-la-20220808' of https://gitlab.com/rth7680/qemu into staging (2022-08-08 19:51:12 -0700)
+The following changes since commit 08dede07030973c1053868bc64de7e10bfa02ad6:
   Merge tag 'pull-ppc-20230409' of https://github.com/legoater/qemu into staging (2023-04-10 11:47:52 +0100)
 are available in the Git repository at:
-  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20220809
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20230410
-for you to fetch changes up to c7f26ded6d5065e4116f630f6a490b55f6c5f58e:
+for you to fetch changes up to 8539dc00552e8ea60420856fc1262c8299bc6308:
-  icount: Take iothread lock when running QEMU timers (2022-08-09 10:55:14 +0100)
+  target/arm: Copy guarded bit in combine_cacheattrs (2023-04-10 14:31:40 +0100)
 ----------------------------------------------------------------
-target-arm queue:
+target-arm: Fix bug where we weren't initializing
- * icount: Take iothread lock when running QEMU timers
+            guarded bit state when combining S1/S2 attrs
 ----------------------------------------------------------------
-Peter Maydell (1):
+Richard Henderson (2):
-      icount: Take iothread lock when running QEMU timers
+      target/arm: PTE bit GP only applies to stage1
       target/arm: Copy guarded bit in combine_cacheattrs
- accel/tcg/tcg-accel-ops-icount.c | 6 ++++++
+ target/arm/ptw.c | 11 ++++++-----
-file changed, 6 insertions(+)
+file changed, 6 insertions(+), 5 deletions(-)

-New patch
+[PULL 1/2] target/arm: PTE bit GP only applies to stage1
+From: Richard Henderson <richard.henderson@linaro.org>
+Only perform the extract of GP during the stage1 walk.
+Reported-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20230407185149.3253946-2-richard.henderson@linaro.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/ptw.c | 10 +++++-----
+file changed, 5 insertions(+), 5 deletions(-)
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/ptw.c
++++ b/target/arm/ptw.c
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
+         result->f.attrs.secure = false;
+     }
+-    /* When in aarch64 mode, and BTI is enabled, remember GP in the TLB.  */
+-    if (aarch64 && cpu_isar_feature(aa64_bti, cpu)) {
+-        result->f.guarded = extract64(attrs, 50, 1); /* GP */
+-    }
+-
+     if (regime_is_stage2(mmu_idx)) {
+         result->cacheattrs.is_s2_format = true;
+         result->cacheattrs.attrs = extract32(attrs, 2, 4);
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
+         assert(attrindx <= 7);
+         result->cacheattrs.is_s2_format = false;
+         result->cacheattrs.attrs = extract64(mair, attrindx * 8, 8);
++
++        /* When in aarch64 mode, and BTI is enabled, remember GP in the TLB. */
++        if (aarch64 && cpu_isar_feature(aa64_bti, cpu)) {
++            result->f.guarded = extract64(attrs, 50, 1); /* GP */
++        }
+     }
+     /*
+--
+.34.1

-[PULL 1/1] icount: Take iothread lock when running QEMU timers
+[PULL 2/2] target/arm: Copy guarded bit in combine_cacheattrs
-The function icount_prepare_for_run() is called with the iothread
+From: Richard Henderson <richard.henderson@linaro.org>
 unlocked, but it can call icount_notify_aio_contexts() which will
 run qemu timer handlers. Those are supposed to be run only with
 the iothread lock held, so take the lock while we do that.
-Since icount mode runs everything on a single thread anyway,
+The guarded bit comes from the stage1 walk.
 not holding the lock is likely mostly not going to introduce
 races, but it can cause us to trip over assertions that we
 do hold the lock, such as the one reported in issue 1130.
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1130
+Fixes: Coverity CID 1507929
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Message-id: 20230407185149.3253946-3-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Tested-by: Pavel Dovgalyuk <Pavel.Dovgalyuk@ispras.ru>
-Message-id: 20220801164527.3134765-1-peter.maydell@linaro.org
 ---
- accel/tcg/tcg-accel-ops-icount.c | 6 ++++++
+ target/arm/ptw.c | 1 +
-file changed, 6 insertions(+)
+file changed, 1 insertion(+)
-diff --git a/accel/tcg/tcg-accel-ops-icount.c b/accel/tcg/tcg-accel-ops-icount.c
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
---- a/accel/tcg/tcg-accel-ops-icount.c
+--- a/target/arm/ptw.c
-+++ b/accel/tcg/tcg-accel-ops-icount.c
++++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ void icount_prepare_for_run(CPUState *cpu)
+@@ -XXX,XX +XXX,XX @@ static ARMCacheAttrs combine_cacheattrs(uint64_t hcr,
-     replay_mutex_lock();
+     assert(!s1.is_s2_format);
-     if (cpu->icount_budget == 0) {
+     ret.is_s2_format = false;
-+        /*
++    ret.guarded = s1.guarded;
-+         * We're called without the iothread lock, so must take it while
-+         * we're calling timer handlers.
+     if (s1.attrs == 0xf0) {
-+         */
+         tagged = true;
 +        qemu_mutex_lock_iothread();
          icount_notify_aio_contexts();
 +        qemu_mutex_unlock_iothread();
      }
  }
 --
-.25.1
+.34.1

The function icount_prepare_for_run() is called with the iothread
unlocked, but it can call icount_notify_aio_contexts() which will
run qemu timer handlers. Those are supposed to be run only with
the iothread lock held, so take the lock while we do that.

Since icount mode runs everything on a single thread anyway,
not holding the lock is likely mostly not going to introduce
races, but it can cause us to trip over assertions that we
do hold the lock, such as the one reported in issue 1130.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1130
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Tested-by: Pavel Dovgalyuk <Pavel.Dovgalyuk@ispras.ru>
Message-id: 20220801164527.3134765-1-peter.maydell@linaro.org
---
 accel/tcg/tcg-accel-ops-icount.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/accel/tcg/tcg-accel-ops-icount.c b/accel/tcg/tcg-accel-ops-icount.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/tcg-accel-ops-icount.c
+++ b/accel/tcg/tcg-accel-ops-icount.c
@@ -XXX,XX +XXX,XX @@ void icount_prepare_for_run(CPUState *cpu)
     replay_mutex_lock();
 
     if (cpu->icount_budget == 0) {
+        /*
+         * We're called without the iothread lock, so must take it while
+         * we're calling timer handlers.
+         */
+        qemu_mutex_lock_iothread();
         icount_notify_aio_contexts();
+        qemu_mutex_unlock_iothread();
     }
 }
 
-- 
2.25.1

This bug seemed worth fixing for 8.0 since we need an rc4 anyway:
we were using uninitialized data for the guarded bit when
combining stage 1 and stage 2 attrs.

thanks
-- PMM

The following changes since commit 08dede07030973c1053868bc64de7e10bfa02ad6:

Merge tag 'pull-ppc-20230409' of https://github.com/legoater/qemu into staging (2023-04-10 11:47:52 +0100)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20230410

for you to fetch changes up to 8539dc00552e8ea60420856fc1262c8299bc6308:

target/arm: Copy guarded bit in combine_cacheattrs (2023-04-10 14:31:40 +0100)

----------------------------------------------------------------
target-arm: Fix bug where we weren't initializing
            guarded bit state when combining S1/S2 attrs

----------------------------------------------------------------
Richard Henderson (2):
      target/arm: PTE bit GP only applies to stage1
      target/arm: Copy guarded bit in combine_cacheattrs

target/arm/ptw.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

From: Richard Henderson <richard.henderson@linaro.org>

Only perform the extract of GP during the stage1 walk.

Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20230407185149.3253946-2-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/ptw.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
         result->f.attrs.secure = false;
     }
 
-    /* When in aarch64 mode, and BTI is enabled, remember GP in the TLB.  */
-    if (aarch64 && cpu_isar_feature(aa64_bti, cpu)) {
-        result->f.guarded = extract64(attrs, 50, 1); /* GP */
-    }
-
     if (regime_is_stage2(mmu_idx)) {
         result->cacheattrs.is_s2_format = true;
         result->cacheattrs.attrs = extract32(attrs, 2, 4);
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
         assert(attrindx <= 7);
         result->cacheattrs.is_s2_format = false;
         result->cacheattrs.attrs = extract64(mair, attrindx * 8, 8);
+
+        /* When in aarch64 mode, and BTI is enabled, remember GP in the TLB. */
+        if (aarch64 && cpu_isar_feature(aa64_bti, cpu)) {
+            result->f.guarded = extract64(attrs, 50, 1); /* GP */
+        }
     }
 
     /*
-- 
2.34.1