Series comparison

-[PULL 0/1] target-arm queue
+[PULL 0/2] target-arm queue
-Just one bugfix patch for this rc:
+Two bug fixes for 9.0...
-The following changes since commit ca5f3d4df1b47d7f66a109cdb504e83dfd7ec433:
+-- PMM
-  Merge tag 'pull-la-20220808' of https://gitlab.com/rth7680/qemu into staging (2022-08-08 19:51:12 -0700)
+The following changes since commit ce64e6224affb8b4e4b019f76d2950270b391af5:
   Merge tag 'qemu-sparc-20240404' of https://github.com/mcayland/qemu into staging (2024-04-04 15:28:06 +0100)
 are available in the Git repository at:
-  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20220809
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20240408
-for you to fetch changes up to c7f26ded6d5065e4116f630f6a490b55f6c5f58e:
+for you to fetch changes up to 19b254e86a900dc5ee332e3ac0baf9c521301abf:
-  icount: Take iothread lock when running QEMU timers (2022-08-09 10:55:14 +0100)
+  target/arm: Use correct SecuritySpace for AArch64 AT ops at EL3 (2024-04-08 15:38:53 +0100)
 ----------------------------------------------------------------
-target-arm queue:
+target-arm:
- * icount: Take iothread lock when running QEMU timers
+ * Use correct SecuritySpace for AArch64 AT ops at EL3
  * Fix CNTPOFF_EL2 trap to missing EL3
 ----------------------------------------------------------------
 Peter Maydell (1):
-      icount: Take iothread lock when running QEMU timers
+      target/arm: Use correct SecuritySpace for AArch64 AT ops at EL3
- accel/tcg/tcg-accel-ops-icount.c | 6 ++++++
+Pierre-Clément Tosi (1):
-file changed, 6 insertions(+)
+      target/arm: Fix CNTPOFF_EL2 trap to missing EL3
  target/arm/helper.c | 10 +++++++---
 file changed, 7 insertions(+), 3 deletions(-)

-New patch
+[PULL 1/2] target/arm: Fix CNTPOFF_EL2 trap to missing EL3
+From: Pierre-Clément Tosi <ptosi@google.com>
+EL2 accesses to CNTPOFF_EL2 should only ever trap to EL3 if EL3 is
+present, as described by the reference manual (for MRS):
+  /* ... */
+  elsif PSTATE.EL == EL2 then
+      if Halted() && HaveEL(EL3) && /*...*/ then
+          UNDEFINED;
+      elsif HaveEL(EL3) && SCR_EL3.ECVEn == '0' then
+          /* ... */
+      else
+          X[t, 64] = CNTPOFF_EL2;
+However, the existing implementation of gt_cntpoff_access() always
+returns CP_ACCESS_TRAP_EL3 for EL2 accesses with SCR_EL3.ECVEn unset. In
+pseudo-code terminology, this corresponds to assuming that HaveEL(EL3)
+is always true, which is wrong. As a result, QEMU panics in
+access_check_cp_reg() when started without EL3 and running EL2 code
+accessing the register (e.g. any recent KVM booting a guest).
+Therefore, add the HaveEL(EL3) check to gt_cntpoff_access().
+Fixes: 2808d3b38a52 ("target/arm: Implement FEAT_ECV CNTPOFF_EL2 handling")
+Signed-off-by: Pierre-Clément Tosi <ptosi@google.com>
+Message-id: m3al6amhdkmsiy2f62w72ufth6dzn45xg5cz6xljceyibphnf4@ezmmpwk4tnhl
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/helper.c | 3 ++-
+file changed, 2 insertions(+), 1 deletion(-)
+diff --git a/target/arm/helper.c b/target/arm/helper.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/helper.c
++++ b/target/arm/helper.c
+@@ -XXX,XX +XXX,XX @@ static CPAccessResult gt_cntpoff_access(CPUARMState *env,
+                                         const ARMCPRegInfo *ri,
+                                         bool isread)
+ {
+-    if (arm_current_el(env) == 2 && !(env->cp15.scr_el3 & SCR_ECVEN)) {
++    if (arm_current_el(env) == 2 && arm_feature(env, ARM_FEATURE_EL3) &&
++        !(env->cp15.scr_el3 & SCR_ECVEN)) {
+         return CP_ACCESS_TRAP_EL3;
+     }
+     return CP_ACCESS_OK;
+--
+.34.1

-[PULL 1/1] icount: Take iothread lock when running QEMU timers
+[PULL 2/2] target/arm: Use correct SecuritySpace for AArch64 AT ops at EL3
-The function icount_prepare_for_run() is called with the iothread
+When we do an AT address translation operation, the page table walk
-unlocked, but it can call icount_notify_aio_contexts() which will
+is supposed to be performed in the context of the EL we're doing the
-run qemu timer handlers. Those are supposed to be run only with
+walk for, so for instance an AT S1E2R walk is done for EL2.  In the
-the iothread lock held, so take the lock while we do that.
+pseudocode an EL is passed to AArch64.AT(), which calls
 SecurityStateAtEL() to find the security state that we should be
 doing the walk with.
-Since icount mode runs everything on a single thread anyway,
+In ats_write64() we get this wrong, instead using the current
-not holding the lock is likely mostly not going to introduce
+security space always.  This is fine for AT operations performed from
-races, but it can cause us to trip over assertions that we
+EL1 and EL2, because there the current security state and the
-do hold the lock, such as the one reported in issue 1130.
+security state for the lower EL are the same.  But for AT operations
 performed from EL3, the current security state is always either
 Secure or Root, whereas we want to use the security state defined by
 SCR_EL3.{NS,NSE} for the walk. This affects not just guests using
 FEAT_RME but also ones where EL3 is Secure state and the EL3 code
 is trying to do an AT for a NonSecure EL2 or EL1.
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1130
+Use arm_security_space_below_el3() to get the SecuritySpace to
 pass to do_ats_write() for all AT operations except the
 AT S1E3* operations.
 Cc: qemu-stable@nongnu.org
 Fixes: e1ee56ec2383 ("target/arm: Pass security space rather than flag for AT instructions")
 Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2250
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Tested-by: Pavel Dovgalyuk <Pavel.Dovgalyuk@ispras.ru>
+Message-id: 20240405180232.3570066-1-peter.maydell@linaro.org
 Message-id: 20220801164527.3134765-1-peter.maydell@linaro.org
 ---
- accel/tcg/tcg-accel-ops-icount.c | 6 ++++++
+ target/arm/helper.c | 7 +++++--
-file changed, 6 insertions(+)
+file changed, 5 insertions(+), 2 deletions(-)
-diff --git a/accel/tcg/tcg-accel-ops-icount.c b/accel/tcg/tcg-accel-ops-icount.c
+diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/accel/tcg/tcg-accel-ops-icount.c
+--- a/target/arm/helper.c
-+++ b/accel/tcg/tcg-accel-ops-icount.c
++++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ void icount_prepare_for_run(CPUState *cpu)
+@@ -XXX,XX +XXX,XX @@ static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri,
-     replay_mutex_lock();
+     ARMMMUIdx mmu_idx;
+     uint64_t hcr_el2 = arm_hcr_el2_eff(env);
-     if (cpu->icount_budget == 0) {
+     bool regime_e20 = (hcr_el2 & (HCR_E2H | HCR_TGE)) == (HCR_E2H | HCR_TGE);
-+        /*
++    bool for_el3 = false;
-+         * We're called without the iothread lock, so must take it while
++    ARMSecuritySpace ss;
-+         * we're calling timer handlers.
-+         */
+     switch (ri->opc2 & 6) {
-+        qemu_mutex_lock_iothread();
+     case 0:
-         icount_notify_aio_contexts();
+@@ -XXX,XX +XXX,XX @@ static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri,
-+        qemu_mutex_unlock_iothread();
+             break;
          case 6: /* AT S1E3R, AT S1E3W */
              mmu_idx = ARMMMUIdx_E3;
 +            for_el3 = true;
              break;
          default:
              g_assert_not_reached();
@@ -XXX,XX +XXX,XX @@ static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri,
          g_assert_not_reached();
      }
- }
+-    env->cp15.par_el[1] = do_ats_write(env, value, access_type,
 -                                       mmu_idx, arm_security_space(env));
 +    ss = for_el3 ? arm_security_space(env) : arm_security_space_below_el3(env);
 +    env->cp15.par_el[1] = do_ats_write(env, value, access_type, mmu_idx, ss);
  #else
      /* Handled by hardware accelerator. */
      g_assert_not_reached();
 --
-.25.1
+.34.1

The function icount_prepare_for_run() is called with the iothread
unlocked, but it can call icount_notify_aio_contexts() which will
run qemu timer handlers. Those are supposed to be run only with
the iothread lock held, so take the lock while we do that.

Since icount mode runs everything on a single thread anyway,
not holding the lock is likely mostly not going to introduce
races, but it can cause us to trip over assertions that we
do hold the lock, such as the one reported in issue 1130.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1130
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Tested-by: Pavel Dovgalyuk <Pavel.Dovgalyuk@ispras.ru>
Message-id: 20220801164527.3134765-1-peter.maydell@linaro.org
---
 accel/tcg/tcg-accel-ops-icount.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/accel/tcg/tcg-accel-ops-icount.c b/accel/tcg/tcg-accel-ops-icount.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/tcg-accel-ops-icount.c
+++ b/accel/tcg/tcg-accel-ops-icount.c
@@ -XXX,XX +XXX,XX @@ void icount_prepare_for_run(CPUState *cpu)
     replay_mutex_lock();
 
     if (cpu->icount_budget == 0) {
+        /*
+         * We're called without the iothread lock, so must take it while
+         * we're calling timer handlers.
+         */
+        qemu_mutex_lock_iothread();
         icount_notify_aio_contexts();
+        qemu_mutex_unlock_iothread();
     }
 }
 
-- 
2.25.1

Two bug fixes for 9.0...

-- PMM

The following changes since commit ce64e6224affb8b4e4b019f76d2950270b391af5:

Merge tag 'qemu-sparc-20240404' of https://github.com/mcayland/qemu into staging (2024-04-04 15:28:06 +0100)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20240408

for you to fetch changes up to 19b254e86a900dc5ee332e3ac0baf9c521301abf:

target/arm: Use correct SecuritySpace for AArch64 AT ops at EL3 (2024-04-08 15:38:53 +0100)

----------------------------------------------------------------
target-arm:
 * Use correct SecuritySpace for AArch64 AT ops at EL3
 * Fix CNTPOFF_EL2 trap to missing EL3

----------------------------------------------------------------
Peter Maydell (1):
      target/arm: Use correct SecuritySpace for AArch64 AT ops at EL3

Pierre-Clément Tosi (1):
      target/arm: Fix CNTPOFF_EL2 trap to missing EL3

target/arm/helper.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

From: Pierre-Clément Tosi <ptosi@google.com>

EL2 accesses to CNTPOFF_EL2 should only ever trap to EL3 if EL3 is
present, as described by the reference manual (for MRS):

/* ... */
  elsif PSTATE.EL == EL2 then
      if Halted() && HaveEL(EL3) && /*...*/ then
          UNDEFINED;
      elsif HaveEL(EL3) && SCR_EL3.ECVEn == '0' then
          /* ... */
      else
          X[t, 64] = CNTPOFF_EL2;

However, the existing implementation of gt_cntpoff_access() always
returns CP_ACCESS_TRAP_EL3 for EL2 accesses with SCR_EL3.ECVEn unset. In
pseudo-code terminology, this corresponds to assuming that HaveEL(EL3)
is always true, which is wrong. As a result, QEMU panics in
access_check_cp_reg() when started without EL3 and running EL2 code
accessing the register (e.g. any recent KVM booting a guest).

Therefore, add the HaveEL(EL3) check to gt_cntpoff_access().

Fixes: 2808d3b38a52 ("target/arm: Implement FEAT_ECV CNTPOFF_EL2 handling")
Signed-off-by: Pierre-Clément Tosi <ptosi@google.com>
Message-id: m3al6amhdkmsiy2f62w72ufth6dzn45xg5cz6xljceyibphnf4@ezmmpwk4tnhl
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static CPAccessResult gt_cntpoff_access(CPUARMState *env,
                                         const ARMCPRegInfo *ri,
                                         bool isread)
 {
-    if (arm_current_el(env) == 2 && !(env->cp15.scr_el3 & SCR_ECVEN)) {
+    if (arm_current_el(env) == 2 && arm_feature(env, ARM_FEATURE_EL3) &&
+        !(env->cp15.scr_el3 & SCR_ECVEN)) {
         return CP_ACCESS_TRAP_EL3;
     }
     return CP_ACCESS_OK;
-- 
2.34.1

When we do an AT address translation operation, the page table walk
is supposed to be performed in the context of the EL we're doing the
walk for, so for instance an AT S1E2R walk is done for EL2.  In the
pseudocode an EL is passed to AArch64.AT(), which calls
SecurityStateAtEL() to find the security state that we should be
doing the walk with.

In ats_write64() we get this wrong, instead using the current
security space always.  This is fine for AT operations performed from
EL1 and EL2, because there the current security state and the
security state for the lower EL are the same.  But for AT operations
performed from EL3, the current security state is always either
Secure or Root, whereas we want to use the security state defined by
SCR_EL3.{NS,NSE} for the walk. This affects not just guests using
FEAT_RME but also ones where EL3 is Secure state and the EL3 code
is trying to do an AT for a NonSecure EL2 or EL1.

Use arm_security_space_below_el3() to get the SecuritySpace to
pass to do_ats_write() for all AT operations except the
AT S1E3* operations.

Cc: qemu-stable@nongnu.org
Fixes: e1ee56ec2383 ("target/arm: Pass security space rather than flag for AT instructions")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2250
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20240405180232.3570066-1-peter.maydell@linaro.org
---
 target/arm/helper.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri,
     ARMMMUIdx mmu_idx;
     uint64_t hcr_el2 = arm_hcr_el2_eff(env);
     bool regime_e20 = (hcr_el2 & (HCR_E2H | HCR_TGE)) == (HCR_E2H | HCR_TGE);
+    bool for_el3 = false;
+    ARMSecuritySpace ss;
 
     switch (ri->opc2 & 6) {
     case 0:
@@ -XXX,XX +XXX,XX @@ static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri,
             break;
         case 6: /* AT S1E3R, AT S1E3W */
             mmu_idx = ARMMMUIdx_E3;
+            for_el3 = true;
             break;
         default:
             g_assert_not_reached();
@@ -XXX,XX +XXX,XX @@ static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri,
         g_assert_not_reached();
     }
 
-    env->cp15.par_el[1] = do_ats_write(env, value, access_type,
-                                       mmu_idx, arm_security_space(env));
+    ss = for_el3 ? arm_security_space(env) : arm_security_space_below_el3(env);
+    env->cp15.par_el[1] = do_ats_write(env, value, access_type, mmu_idx, ss);
 #else
     /* Handled by hardware accelerator. */
     g_assert_not_reached();
-- 
2.34.1