Series comparison

-[PULL 0/5] target-arm queue
+[PULL 0/2] target-arm queue
-Hi; here's a collection of Arm bug fixes for rc2.
+This bug seemed worth fixing for 8.0 since we need an rc4 anyway:
 we were using uninitialized data for the guarded bit when
 combining stage 1 and stage 2 attrs.
 thanks
 -- PMM
-The following changes since commit a082fab9d259473a9d5d53307cf83b1223301181:
+The following changes since commit 08dede07030973c1053868bc64de7e10bfa02ad6:
-  Merge tag 'pull-ppc-20221117' of https://gitlab.com/danielhb/qemu into staging (2022-11-17 12:39:38 -0500)
+  Merge tag 'pull-ppc-20230409' of https://github.com/legoater/qemu into staging (2023-04-10 11:47:52 +0100)
 are available in the Git repository at:
-  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20221121
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20230410
-for you to fetch changes up to 312b71abce3005ca7294dc0db7d548dc7cc41fbf:
+for you to fetch changes up to 8539dc00552e8ea60420856fc1262c8299bc6308:
-  target/arm: Limit LPA2 effective output address when TCR.DS == 0 (2022-11-21 11:46:46 +0000)
+  target/arm: Copy guarded bit in combine_cacheattrs (2023-04-10 14:31:40 +0100)
 ----------------------------------------------------------------
-target-arm queue:
+target-arm: Fix bug where we weren't initializing
- * hw/sd: Fix sun4i allwinner-sdhost for U-Boot
+            guarded bit state when combining S1/S2 attrs
  * hw/intc: add implementation of GICD_IIDR to Arm GIC
  * tests/avocado/boot_linux.py: Bump aarch64 virt test timeout
  * target/arm: Limit LPA2 effective output address when TCR.DS == 0
 ----------------------------------------------------------------
-Alex Bennée (2):
+Richard Henderson (2):
-      hw/intc: clean-up access to GIC multi-byte registers
+      target/arm: PTE bit GP only applies to stage1
-      hw/intc: add implementation of GICD_IIDR to Arm GIC
+      target/arm: Copy guarded bit in combine_cacheattrs
-Ard Biesheuvel (1):
+ target/arm/ptw.c | 11 ++++++-----
-      target/arm: Limit LPA2 effective output address when TCR.DS == 0
+file changed, 6 insertions(+), 5 deletions(-)
 Peter Maydell (1):
       tests/avocado/boot_linux.py: Bump aarch64 virt test timeout to 720s
 Strahinja Jankovic (1):
       hw/sd: Fix sun4i allwinner-sdhost for U-Boot
  include/hw/sd/allwinner-sdhost.h |  1 +
  hw/intc/arm_gic.c                | 28 ++++++++++++-----
  hw/sd/allwinner-sdhost.c         | 67 +++++++++++++++++++++++++++-------------
  target/arm/ptw.c                 |  8 +++++
  tests/avocado/boot_linux.py      |  2 +-
 files changed, 77 insertions(+), 29 deletions(-)

-[PULL 5/5] target/arm: Limit LPA2 effective output address when TCR.DS == 0
+[PULL 1/2] target/arm: PTE bit GP only applies to stage1
-From: Ard Biesheuvel <ardb@kernel.org>
+From: Richard Henderson <richard.henderson@linaro.org>
-With LPA2, the effective output address size is at most 48 bits when
+Only perform the extract of GP during the stage1 walk.
 TCR.DS == 0. This case is currently unhandled in the page table walker,
 where we happily assume LVA/64k granule when outputsize > 48 and
 param.ds == 0, resulting in the wrong conversion to be used from a
 page table descriptor to a physical address.
-    if (outputsize > 48) {
+Reported-by: Peter Maydell <peter.maydell@linaro.org>
-        if (param.ds) {
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-            descaddr |= extract64(descriptor, 8, 2) << 50;
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-        } else {
+Message-id: 20230407185149.3253946-2-richard.henderson@linaro.org
             descaddr |= extract64(descriptor, 12, 4) << 48;
         }
 So cap the outputsize to 48 when TCR.DS is cleared, as per the
 architecture.
 Cc: Peter Maydell <peter.maydell@linaro.org>
 Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Cc: Richard Henderson <richard.henderson@linaro.org>
 Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20221116170316.259695-1-ardb@kernel.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/ptw.c | 8 ++++++++
+ target/arm/ptw.c | 10 +++++-----
-file changed, 8 insertions(+)
+file changed, 5 insertions(+), 5 deletions(-)
 diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/ptw.c
 +++ b/target/arm/ptw.c
 @@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
-         ps = MIN(ps, param.ps);
+         result->f.attrs.secure = false;
-         assert(ps < ARRAY_SIZE(pamax_map));
+     }
-         outputsize = pamax_map[ps];
 -    /* When in aarch64 mode, and BTI is enabled, remember GP in the TLB.  */
 -    if (aarch64 && cpu_isar_feature(aa64_bti, cpu)) {
 -        result->f.guarded = extract64(attrs, 50, 1); /* GP */
 -    }
 -
      if (regime_is_stage2(mmu_idx)) {
          result->cacheattrs.is_s2_format = true;
          result->cacheattrs.attrs = extract32(attrs, 2, 4);
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
          assert(attrindx <= 7);
          result->cacheattrs.is_s2_format = false;
          result->cacheattrs.attrs = extract64(mair, attrindx * 8, 8);
 +
-+        /*
++        /* When in aarch64 mode, and BTI is enabled, remember GP in the TLB. */
-+         * With LPA2, the effective output address (OA) size is at most 48 bits
++        if (aarch64 && cpu_isar_feature(aa64_bti, cpu)) {
-+         * unless TCR.DS == 1
++            result->f.guarded = extract64(attrs, 50, 1); /* GP */
 +         */
 +        if (!param.ds && param.gran != Gran64K) {
 +            outputsize = MIN(outputsize, 48);
 +        }
-     } else {
+     }
-         param = aa32_va_parameters(env, address, mmu_idx);
-         level = 1;
+     /*
 --
-.25.1
+.34.1

-[PULL 1/5] hw/sd: Fix sun4i allwinner-sdhost for U-Boot
+[PULL 2/2] target/arm: Copy guarded bit in combine_cacheattrs
-From: Strahinja Jankovic <strahinjapjankovic@gmail.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-Trying to run U-Boot for Cubieboard (Allwinner A10) fails because it cannot
+The guarded bit comes from the stage1 walk.
 access SD card. The problem is that FIFO register in current
 allwinner-sdhost implementation is at the address corresponding to
 Allwinner H3, but not A10.
 Linux kernel is not affected since Linux driver uses DMA access and does
 not use FIFO register for reading/writing.
-This patch adds new class parameter `is_sun4i` and based on that
+Fixes: Coverity CID 1507929
-parameter uses register at offset 0x100 either as FIFO register (if
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 sun4i) or as threshold register (if not sun4i; in this case register at
 x200 is FIFO register).
 Tested with U-Boot and Linux kernel image built for Cubieboard and
 OrangePi PC.
 Signed-off-by: Strahinja Jankovic <strahinja.p.jankovic@gmail.com>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20221112214900.24152-1-strahinja.p.jankovic@gmail.com
+Message-id: 20230407185149.3253946-3-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- include/hw/sd/allwinner-sdhost.h |  1 +
+ target/arm/ptw.c | 1 +
- hw/sd/allwinner-sdhost.c         | 67 ++++++++++++++++++++++----------
+file changed, 1 insertion(+)
 files changed, 47 insertions(+), 21 deletions(-)
-diff --git a/include/hw/sd/allwinner-sdhost.h b/include/hw/sd/allwinner-sdhost.h
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
---- a/include/hw/sd/allwinner-sdhost.h
+--- a/target/arm/ptw.c
-+++ b/include/hw/sd/allwinner-sdhost.h
++++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ struct AwSdHostClass {
+@@ -XXX,XX +XXX,XX @@ static ARMCacheAttrs combine_cacheattrs(uint64_t hcr,
-     /** Maximum buffer size in bytes per DMA descriptor */
+     assert(!s1.is_s2_format);
-     size_t max_desc_size;
+     ret.is_s2_format = false;
-+    bool   is_sun4i;
++    ret.guarded = s1.guarded;
- };
+     if (s1.attrs == 0xf0) {
+         tagged = true;
 diff --git a/hw/sd/allwinner-sdhost.c b/hw/sd/allwinner-sdhost.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/sd/allwinner-sdhost.c
 +++ b/hw/sd/allwinner-sdhost.c
@@ -XXX,XX +XXX,XX @@ enum {
      REG_SD_DLBA       = 0x84,  /* Descriptor List Base Address */
      REG_SD_IDST       = 0x88,  /* Internal DMA Controller Status */
      REG_SD_IDIE       = 0x8C,  /* Internal DMA Controller IRQ Enable */
 -    REG_SD_THLDC      = 0x100, /* Card Threshold Control */
 +    REG_SD_THLDC      = 0x100, /* Card Threshold Control / FIFO (sun4i only)*/
      REG_SD_DSBD       = 0x10C, /* eMMC DDR Start Bit Detection Control */
      REG_SD_RES_CRC    = 0x110, /* Response CRC from card/eMMC */
      REG_SD_DATA7_CRC  = 0x114, /* CRC Data 7 from card/eMMC */
@@ -XXX,XX +XXX,XX @@ static void allwinner_sdhost_dma(AwSdHostState *s)
      }
  }
 +static uint32_t allwinner_sdhost_fifo_read(AwSdHostState *s)
 +{
 +    uint32_t res = 0;
 +
 +    if (sdbus_data_ready(&s->sdbus)) {
 +        sdbus_read_data(&s->sdbus, &res, sizeof(uint32_t));
 +        le32_to_cpus(&res);
 +        allwinner_sdhost_update_transfer_cnt(s, sizeof(uint32_t));
 +        allwinner_sdhost_auto_stop(s);
 +        allwinner_sdhost_update_irq(s);
 +    } else {
 +        qemu_log_mask(LOG_GUEST_ERROR, "%s: no data ready on SD bus\n",
 +                      __func__);
 +    }
 +
 +    return res;
 +}
 +
  static uint64_t allwinner_sdhost_read(void *opaque, hwaddr offset,
                                        unsigned size)
  {
      AwSdHostState *s = AW_SDHOST(opaque);
 +    AwSdHostClass *sc = AW_SDHOST_GET_CLASS(s);
      uint32_t res = 0;
      switch (offset) {
@@ -XXX,XX +XXX,XX @@ static uint64_t allwinner_sdhost_read(void *opaque, hwaddr offset,
      case REG_SD_IDIE:      /* Internal DMA Controller Interrupt Enable */
          res = s->dmac_irq;
          break;
 -    case REG_SD_THLDC:     /* Card Threshold Control */
 -        res = s->card_threshold;
 +    case REG_SD_THLDC:     /* Card Threshold Control or FIFO register (sun4i) */
 +        if (sc->is_sun4i) {
 +            res = allwinner_sdhost_fifo_read(s);
 +        } else {
 +            res = s->card_threshold;
 +        }
          break;
      case REG_SD_DSBD:      /* eMMC DDR Start Bit Detection Control */
          res = s->startbit_detect;
@@ -XXX,XX +XXX,XX @@ static uint64_t allwinner_sdhost_read(void *opaque, hwaddr offset,
          res = s->status_crc;
          break;
      case REG_SD_FIFO:      /* Read/Write FIFO */
 -        if (sdbus_data_ready(&s->sdbus)) {
 -            sdbus_read_data(&s->sdbus, &res, sizeof(uint32_t));
 -            le32_to_cpus(&res);
 -            allwinner_sdhost_update_transfer_cnt(s, sizeof(uint32_t));
 -            allwinner_sdhost_auto_stop(s);
 -            allwinner_sdhost_update_irq(s);
 -        } else {
 -            qemu_log_mask(LOG_GUEST_ERROR, "%s: no data ready on SD bus\n",
 -                          __func__);
 -        }
 +        res = allwinner_sdhost_fifo_read(s);
          break;
      default:
          qemu_log_mask(LOG_GUEST_ERROR, "%s: out-of-bounds offset %"
@@ -XXX,XX +XXX,XX @@ static uint64_t allwinner_sdhost_read(void *opaque, hwaddr offset,
      return res;
  }
 +static void allwinner_sdhost_fifo_write(AwSdHostState *s, uint64_t value)
 +{
 +    uint32_t u32 = cpu_to_le32(value);
 +    sdbus_write_data(&s->sdbus, &u32, sizeof(u32));
 +    allwinner_sdhost_update_transfer_cnt(s, sizeof(u32));
 +    allwinner_sdhost_auto_stop(s);
 +    allwinner_sdhost_update_irq(s);
 +}
 +
  static void allwinner_sdhost_write(void *opaque, hwaddr offset,
                                     uint64_t value, unsigned size)
  {
      AwSdHostState *s = AW_SDHOST(opaque);
 -    uint32_t u32;
 +    AwSdHostClass *sc = AW_SDHOST_GET_CLASS(s);
      trace_allwinner_sdhost_write(offset, value, size);
@@ -XXX,XX +XXX,XX @@ static void allwinner_sdhost_write(void *opaque, hwaddr offset,
          s->dmac_irq = value;
          allwinner_sdhost_update_irq(s);
          break;
 -    case REG_SD_THLDC:     /* Card Threshold Control */
 -        s->card_threshold = value;
 +    case REG_SD_THLDC:     /* Card Threshold Control or FIFO (sun4i) */
 +        if (sc->is_sun4i) {
 +            allwinner_sdhost_fifo_write(s, value);
 +        } else {
 +            s->card_threshold = value;
 +        }
          break;
      case REG_SD_DSBD:      /* eMMC DDR Start Bit Detection Control */
          s->startbit_detect = value;
          break;
      case REG_SD_FIFO:      /* Read/Write FIFO */
 -        u32 = cpu_to_le32(value);
 -        sdbus_write_data(&s->sdbus, &u32, sizeof(u32));
 -        allwinner_sdhost_update_transfer_cnt(s, sizeof(u32));
 -        allwinner_sdhost_auto_stop(s);
 -        allwinner_sdhost_update_irq(s);
 +        allwinner_sdhost_fifo_write(s, value);
          break;
      case REG_SD_RES_CRC:   /* Response CRC from card/eMMC */
      case REG_SD_DATA7_CRC: /* CRC Data 7 from card/eMMC */
@@ -XXX,XX +XXX,XX @@ static void allwinner_sdhost_sun4i_class_init(ObjectClass *klass, void *data)
  {
      AwSdHostClass *sc = AW_SDHOST_CLASS(klass);
      sc->max_desc_size = 8 * KiB;
 +    sc->is_sun4i = true;
  }
  static void allwinner_sdhost_sun5i_class_init(ObjectClass *klass, void *data)
  {
      AwSdHostClass *sc = AW_SDHOST_CLASS(klass);
      sc->max_desc_size = 64 * KiB;
 +    sc->is_sun4i = false;
  }
  static const TypeInfo allwinner_sdhost_info = {
 --
-.25.1
+.34.1

-[PULL 2/5] hw/intc: clean-up access to GIC multi-byte registers
+Deleted patch
-From: Alex Bennée <alex.bennee@linaro.org>
-gic_dist_readb was returning a word value which just happened to work
-as a result of the way we OR the data together. Lets fix it so only
-the explicit byte is returned for each part of GICD_TYPER. I've
-changed the return type to uint8_t although the overflow is only
-detected with an explicit -Wconversion.
-Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/intc/arm_gic.c | 16 ++++++++++------
-file changed, 10 insertions(+), 6 deletions(-)
-diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/arm_gic.c
-+++ b/hw/intc/arm_gic.c
-@@ -XXX,XX +XXX,XX @@ static void gic_complete_irq(GICState *s, int cpu, int irq, MemTxAttrs attrs)
-     gic_update(s);
- }
--static uint32_t gic_dist_readb(void *opaque, hwaddr offset, MemTxAttrs attrs)
-+static uint8_t gic_dist_readb(void *opaque, hwaddr offset, MemTxAttrs attrs)
- {
-     GICState *s = (GICState *)opaque;
-     uint32_t res;
-@@ -XXX,XX +XXX,XX @@ static uint32_t gic_dist_readb(void *opaque, hwaddr offset, MemTxAttrs attrs)
-     cm = 1 << cpu;
-     if (offset < 0x100) {
-         if (offset == 0) {      /* GICD_CTLR */
-+            /* We rely here on the only non-zero bits being in byte 0 */
-             if (s->security_extn && !attrs.secure) {
-                 /* The NS bank of this register is just an alias of the
-                  * EnableGrp1 bit in the S bank version.
-@@ -XXX,XX +XXX,XX @@ static uint32_t gic_dist_readb(void *opaque, hwaddr offset, MemTxAttrs attrs)
-                 return s->ctlr;
-             }
-         }
--        if (offset == 4)
--            /* Interrupt Controller Type Register */
--            return ((s->num_irq / 32) - 1)
--                    | ((s->num_cpu - 1) << 5)
--                    | (s->security_extn << 10);
-+        if (offset == 4) {
-+            /* GICD_TYPER byte 0 */
-+            return ((s->num_irq / 32) - 1) | ((s->num_cpu - 1) << 5);
-+        }
-+        if (offset == 5) {
-+            /* GICD_TYPER byte 1 */
-+            return (s->security_extn << 2);
-+        }
-         if (offset < 0x08)
-             return 0;
-         if (offset >= 0x80) {
---
-.25.1

-[PULL 3/5] hw/intc: add implementation of GICD_IIDR to Arm GIC
+Deleted patch
-From: Alex Bennée <alex.bennee@linaro.org>
-a66a24585f (hw/intc/arm_gic: Implement read of GICC_IIDR) implemented
-this for the CPU interface register. The fact we don't implement it
-shows up when running Xen with -d guest_error which is definitely
-wrong because the guest is perfectly entitled to read it.
-Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/intc/arm_gic.c | 12 +++++++++++-
-file changed, 11 insertions(+), 1 deletion(-)
-diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/arm_gic.c
-+++ b/hw/intc/arm_gic.c
-@@ -XXX,XX +XXX,XX @@ static uint8_t gic_dist_readb(void *opaque, hwaddr offset, MemTxAttrs attrs)
-             /* GICD_TYPER byte 1 */
-             return (s->security_extn << 2);
-         }
--        if (offset < 0x08)
-+        if (offset == 8) {
-+            /* GICD_IIDR byte 0 */
-+            return 0x3b; /* Arm JEP106 identity */
-+        }
-+        if (offset == 9) {
-+            /* GICD_IIDR byte 1 */
-+            return 0x04; /* Arm JEP106 identity */
-+        }
-+        if (offset < 0x0c) {
-+            /* All other bytes in this range are RAZ */
-             return 0;
-+        }
-         if (offset >= 0x80) {
-             /* Interrupt Group Registers: these RAZ/WI if this is an NS
-              * access to a GIC with the security extensions, or if the GIC
---
-.25.1

-[PULL 4/5] tests/avocado/boot_linux.py: Bump aarch64 virt test timeout to 720s
+Deleted patch
-The two tests
-tests/avocado/boot_linux.py:BootLinuxAarch64.test_virt_tcg_gicv2
-tests/avocado/boot_linux.py:BootLinuxAarch64.test_virt_tcg_gicv3
-take quite a long time to run, and the current timeout of 240s
-is not enough for the tests to complete on slow machines:
-we've seen these tests time out in the gitlab CI in the
-'avocado-system-alpine' CI job, for instance. The timeout
-is also insufficient for running the test with a debug build
-of QEMU: on my machine the tests take over 10 minutes to run
-in that config.
-Push the timeout up to 720s so that the test definitely has
-enough time to complete.
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Thomas Huth <thuth@redhat.com>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
----
- tests/avocado/boot_linux.py | 2 +-
-file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/tests/avocado/boot_linux.py b/tests/avocado/boot_linux.py
-index XXXXXXX..XXXXXXX 100644
---- a/tests/avocado/boot_linux.py
-+++ b/tests/avocado/boot_linux.py
-@@ -XXX,XX +XXX,XX @@ class BootLinuxAarch64(LinuxTest):
-     :avocado: tags=machine:virt
-     :avocado: tags=machine:gic-version=2
-     """
--    timeout = 240
-+    timeout = 720
-     def add_common_args(self):
-         self.vm.add_args('-bios',
---
-.25.1

Hi; here's a collection of Arm bug fixes for rc2.

thanks
-- PMM

The following changes since commit a082fab9d259473a9d5d53307cf83b1223301181:

Merge tag 'pull-ppc-20221117' of https://gitlab.com/danielhb/qemu into staging (2022-11-17 12:39:38 -0500)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20221121

for you to fetch changes up to 312b71abce3005ca7294dc0db7d548dc7cc41fbf:

target/arm: Limit LPA2 effective output address when TCR.DS == 0 (2022-11-21 11:46:46 +0000)

----------------------------------------------------------------
target-arm queue:
 * hw/sd: Fix sun4i allwinner-sdhost for U-Boot
 * hw/intc: add implementation of GICD_IIDR to Arm GIC
 * tests/avocado/boot_linux.py: Bump aarch64 virt test timeout
 * target/arm: Limit LPA2 effective output address when TCR.DS == 0

----------------------------------------------------------------
Alex Bennée (2):
      hw/intc: clean-up access to GIC multi-byte registers
      hw/intc: add implementation of GICD_IIDR to Arm GIC

Ard Biesheuvel (1):
      target/arm: Limit LPA2 effective output address when TCR.DS == 0

Peter Maydell (1):
      tests/avocado/boot_linux.py: Bump aarch64 virt test timeout to 720s

Strahinja Jankovic (1):
      hw/sd: Fix sun4i allwinner-sdhost for U-Boot

include/hw/sd/allwinner-sdhost.h |  1 +
 hw/intc/arm_gic.c                | 28 ++++++++++++-----
 hw/sd/allwinner-sdhost.c         | 67 +++++++++++++++++++++++++++-------------
 target/arm/ptw.c                 |  8 +++++
 tests/avocado/boot_linux.py      |  2 +-
 5 files changed, 77 insertions(+), 29 deletions(-)

From: Strahinja Jankovic <strahinjapjankovic@gmail.com>

Trying to run U-Boot for Cubieboard (Allwinner A10) fails because it cannot
access SD card. The problem is that FIFO register in current
allwinner-sdhost implementation is at the address corresponding to
Allwinner H3, but not A10.
Linux kernel is not affected since Linux driver uses DMA access and does
not use FIFO register for reading/writing.

This patch adds new class parameter `is_sun4i` and based on that
parameter uses register at offset 0x100 either as FIFO register (if
sun4i) or as threshold register (if not sun4i; in this case register at
0x200 is FIFO register).

Tested with U-Boot and Linux kernel image built for Cubieboard and
OrangePi PC.

Signed-off-by: Strahinja Jankovic <strahinja.p.jankovic@gmail.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20221112214900.24152-1-strahinja.p.jankovic@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/sd/allwinner-sdhost.h |  1 +
 hw/sd/allwinner-sdhost.c         | 67 ++++++++++++++++++++++----------
 2 files changed, 47 insertions(+), 21 deletions(-)

diff --git a/include/hw/sd/allwinner-sdhost.h b/include/hw/sd/allwinner-sdhost.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/sd/allwinner-sdhost.h
+++ b/include/hw/sd/allwinner-sdhost.h
@@ -XXX,XX +XXX,XX @@ struct AwSdHostClass {
 
     /** Maximum buffer size in bytes per DMA descriptor */
     size_t max_desc_size;
+    bool   is_sun4i;
 
 };
 
diff --git a/hw/sd/allwinner-sdhost.c b/hw/sd/allwinner-sdhost.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/sd/allwinner-sdhost.c
+++ b/hw/sd/allwinner-sdhost.c
@@ -XXX,XX +XXX,XX @@ enum {
     REG_SD_DLBA       = 0x84,  /* Descriptor List Base Address */
     REG_SD_IDST       = 0x88,  /* Internal DMA Controller Status */
     REG_SD_IDIE       = 0x8C,  /* Internal DMA Controller IRQ Enable */
-    REG_SD_THLDC      = 0x100, /* Card Threshold Control */
+    REG_SD_THLDC      = 0x100, /* Card Threshold Control / FIFO (sun4i only)*/
     REG_SD_DSBD       = 0x10C, /* eMMC DDR Start Bit Detection Control */
     REG_SD_RES_CRC    = 0x110, /* Response CRC from card/eMMC */
     REG_SD_DATA7_CRC  = 0x114, /* CRC Data 7 from card/eMMC */
@@ -XXX,XX +XXX,XX @@ static void allwinner_sdhost_dma(AwSdHostState *s)
     }
 }
 
+static uint32_t allwinner_sdhost_fifo_read(AwSdHostState *s)
+{
+    uint32_t res = 0;
+
+    if (sdbus_data_ready(&s->sdbus)) {
+        sdbus_read_data(&s->sdbus, &res, sizeof(uint32_t));
+        le32_to_cpus(&res);
+        allwinner_sdhost_update_transfer_cnt(s, sizeof(uint32_t));
+        allwinner_sdhost_auto_stop(s);
+        allwinner_sdhost_update_irq(s);
+    } else {
+        qemu_log_mask(LOG_GUEST_ERROR, "%s: no data ready on SD bus\n",
+                      __func__);
+    }
+
+    return res;
+}
+
 static uint64_t allwinner_sdhost_read(void *opaque, hwaddr offset,
                                       unsigned size)
 {
     AwSdHostState *s = AW_SDHOST(opaque);
+    AwSdHostClass *sc = AW_SDHOST_GET_CLASS(s);
     uint32_t res = 0;
 
     switch (offset) {
@@ -XXX,XX +XXX,XX @@ static uint64_t allwinner_sdhost_read(void *opaque, hwaddr offset,
     case REG_SD_IDIE:      /* Internal DMA Controller Interrupt Enable */
         res = s->dmac_irq;
         break;
-    case REG_SD_THLDC:     /* Card Threshold Control */
-        res = s->card_threshold;
+    case REG_SD_THLDC:     /* Card Threshold Control or FIFO register (sun4i) */
+        if (sc->is_sun4i) {
+            res = allwinner_sdhost_fifo_read(s);
+        } else {
+            res = s->card_threshold;
+        }
         break;
     case REG_SD_DSBD:      /* eMMC DDR Start Bit Detection Control */
         res = s->startbit_detect;
@@ -XXX,XX +XXX,XX @@ static uint64_t allwinner_sdhost_read(void *opaque, hwaddr offset,
         res = s->status_crc;
         break;
     case REG_SD_FIFO:      /* Read/Write FIFO */
-        if (sdbus_data_ready(&s->sdbus)) {
-            sdbus_read_data(&s->sdbus, &res, sizeof(uint32_t));
-            le32_to_cpus(&res);
-            allwinner_sdhost_update_transfer_cnt(s, sizeof(uint32_t));
-            allwinner_sdhost_auto_stop(s);
-            allwinner_sdhost_update_irq(s);
-        } else {
-            qemu_log_mask(LOG_GUEST_ERROR, "%s: no data ready on SD bus\n",
-                          __func__);
-        }
+        res = allwinner_sdhost_fifo_read(s);
         break;
     default:
         qemu_log_mask(LOG_GUEST_ERROR, "%s: out-of-bounds offset %"
@@ -XXX,XX +XXX,XX @@ static uint64_t allwinner_sdhost_read(void *opaque, hwaddr offset,
     return res;
 }
 
+static void allwinner_sdhost_fifo_write(AwSdHostState *s, uint64_t value)
+{
+    uint32_t u32 = cpu_to_le32(value);
+    sdbus_write_data(&s->sdbus, &u32, sizeof(u32));
+    allwinner_sdhost_update_transfer_cnt(s, sizeof(u32));
+    allwinner_sdhost_auto_stop(s);
+    allwinner_sdhost_update_irq(s);
+}
+
 static void allwinner_sdhost_write(void *opaque, hwaddr offset,
                                    uint64_t value, unsigned size)
 {
     AwSdHostState *s = AW_SDHOST(opaque);
-    uint32_t u32;
+    AwSdHostClass *sc = AW_SDHOST_GET_CLASS(s);
 
     trace_allwinner_sdhost_write(offset, value, size);
 
@@ -XXX,XX +XXX,XX @@ static void allwinner_sdhost_write(void *opaque, hwaddr offset,
         s->dmac_irq = value;
         allwinner_sdhost_update_irq(s);
         break;
-    case REG_SD_THLDC:     /* Card Threshold Control */
-        s->card_threshold = value;
+    case REG_SD_THLDC:     /* Card Threshold Control or FIFO (sun4i) */
+        if (sc->is_sun4i) {
+            allwinner_sdhost_fifo_write(s, value);
+        } else {
+            s->card_threshold = value;
+        }
         break;
     case REG_SD_DSBD:      /* eMMC DDR Start Bit Detection Control */
         s->startbit_detect = value;
         break;
     case REG_SD_FIFO:      /* Read/Write FIFO */
-        u32 = cpu_to_le32(value);
-        sdbus_write_data(&s->sdbus, &u32, sizeof(u32));
-        allwinner_sdhost_update_transfer_cnt(s, sizeof(u32));
-        allwinner_sdhost_auto_stop(s);
-        allwinner_sdhost_update_irq(s);
+        allwinner_sdhost_fifo_write(s, value);
         break;
     case REG_SD_RES_CRC:   /* Response CRC from card/eMMC */
     case REG_SD_DATA7_CRC: /* CRC Data 7 from card/eMMC */
@@ -XXX,XX +XXX,XX @@ static void allwinner_sdhost_sun4i_class_init(ObjectClass *klass, void *data)
 {
     AwSdHostClass *sc = AW_SDHOST_CLASS(klass);
     sc->max_desc_size = 8 * KiB;
+    sc->is_sun4i = true;
 }
 
 static void allwinner_sdhost_sun5i_class_init(ObjectClass *klass, void *data)
 {
     AwSdHostClass *sc = AW_SDHOST_CLASS(klass);
     sc->max_desc_size = 64 * KiB;
+    sc->is_sun4i = false;
 }
 
 static const TypeInfo allwinner_sdhost_info = {
-- 
2.25.1

From: Alex Bennée <alex.bennee@linaro.org>

gic_dist_readb was returning a word value which just happened to work
as a result of the way we OR the data together. Lets fix it so only
the explicit byte is returned for each part of GICD_TYPER. I've
changed the return type to uint8_t although the overflow is only
detected with an explicit -Wconversion.

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/intc/arm_gic.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gic.c
+++ b/hw/intc/arm_gic.c
@@ -XXX,XX +XXX,XX @@ static void gic_complete_irq(GICState *s, int cpu, int irq, MemTxAttrs attrs)
     gic_update(s);
 }
 
-static uint32_t gic_dist_readb(void *opaque, hwaddr offset, MemTxAttrs attrs)
+static uint8_t gic_dist_readb(void *opaque, hwaddr offset, MemTxAttrs attrs)
 {
     GICState *s = (GICState *)opaque;
     uint32_t res;
@@ -XXX,XX +XXX,XX @@ static uint32_t gic_dist_readb(void *opaque, hwaddr offset, MemTxAttrs attrs)
     cm = 1 << cpu;
     if (offset < 0x100) {
         if (offset == 0) {      /* GICD_CTLR */
+            /* We rely here on the only non-zero bits being in byte 0 */
             if (s->security_extn && !attrs.secure) {
                 /* The NS bank of this register is just an alias of the
                  * EnableGrp1 bit in the S bank version.
@@ -XXX,XX +XXX,XX @@ static uint32_t gic_dist_readb(void *opaque, hwaddr offset, MemTxAttrs attrs)
                 return s->ctlr;
             }
         }
-        if (offset == 4)
-            /* Interrupt Controller Type Register */
-            return ((s->num_irq / 32) - 1)
-                    | ((s->num_cpu - 1) << 5)
-                    | (s->security_extn << 10);
+        if (offset == 4) {
+            /* GICD_TYPER byte 0 */
+            return ((s->num_irq / 32) - 1) | ((s->num_cpu - 1) << 5);
+        }
+        if (offset == 5) {
+            /* GICD_TYPER byte 1 */
+            return (s->security_extn << 2);
+        }
         if (offset < 0x08)
             return 0;
         if (offset >= 0x80) {
-- 
2.25.1

From: Alex Bennée <alex.bennee@linaro.org>

a66a24585f (hw/intc/arm_gic: Implement read of GICC_IIDR) implemented
this for the CPU interface register. The fact we don't implement it
shows up when running Xen with -d guest_error which is definitely
wrong because the guest is perfectly entitled to read it.

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/intc/arm_gic.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gic.c
+++ b/hw/intc/arm_gic.c
@@ -XXX,XX +XXX,XX @@ static uint8_t gic_dist_readb(void *opaque, hwaddr offset, MemTxAttrs attrs)
             /* GICD_TYPER byte 1 */
             return (s->security_extn << 2);
         }
-        if (offset < 0x08)
+        if (offset == 8) {
+            /* GICD_IIDR byte 0 */
+            return 0x3b; /* Arm JEP106 identity */
+        }
+        if (offset == 9) {
+            /* GICD_IIDR byte 1 */
+            return 0x04; /* Arm JEP106 identity */
+        }
+        if (offset < 0x0c) {
+            /* All other bytes in this range are RAZ */
             return 0;
+        }
         if (offset >= 0x80) {
             /* Interrupt Group Registers: these RAZ/WI if this is an NS
              * access to a GIC with the security extensions, or if the GIC
-- 
2.25.1

The two tests
tests/avocado/boot_linux.py:BootLinuxAarch64.test_virt_tcg_gicv2
tests/avocado/boot_linux.py:BootLinuxAarch64.test_virt_tcg_gicv3

take quite a long time to run, and the current timeout of 240s
is not enough for the tests to complete on slow machines:
we've seen these tests time out in the gitlab CI in the
'avocado-system-alpine' CI job, for instance. The timeout
is also insufficient for running the test with a debug build
of QEMU: on my machine the tests take over 10 minutes to run
in that config.

Push the timeout up to 720s so that the test definitely has
enough time to complete.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
---
 tests/avocado/boot_linux.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/avocado/boot_linux.py b/tests/avocado/boot_linux.py
index XXXXXXX..XXXXXXX 100644
--- a/tests/avocado/boot_linux.py
+++ b/tests/avocado/boot_linux.py
@@ -XXX,XX +XXX,XX @@ class BootLinuxAarch64(LinuxTest):
     :avocado: tags=machine:virt
     :avocado: tags=machine:gic-version=2
     """
-    timeout = 240
+    timeout = 720
 
     def add_common_args(self):
         self.vm.add_args('-bios',
-- 
2.25.1

From: Ard Biesheuvel <ardb@kernel.org>

With LPA2, the effective output address size is at most 48 bits when
TCR.DS == 0. This case is currently unhandled in the page table walker,
where we happily assume LVA/64k granule when outputsize > 48 and
param.ds == 0, resulting in the wrong conversion to be used from a
page table descriptor to a physical address.

if (outputsize > 48) {
        if (param.ds) {
            descaddr |= extract64(descriptor, 8, 2) << 50;
        } else {
            descaddr |= extract64(descriptor, 12, 4) << 48;
        }

So cap the outputsize to 48 when TCR.DS is cleared, as per the
architecture.

Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
Cc: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221116170316.259695-1-ardb@kernel.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/ptw.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
         ps = MIN(ps, param.ps);
         assert(ps < ARRAY_SIZE(pamax_map));
         outputsize = pamax_map[ps];
+
+        /*
+         * With LPA2, the effective output address (OA) size is at most 48 bits
+         * unless TCR.DS == 1
+         */
+        if (!param.ds && param.gran != Gran64K) {
+            outputsize = MIN(outputsize, 48);
+        }
     } else {
         param = aa32_va_parameters(env, address, mmu_idx);
         level = 1;
-- 
2.25.1

This bug seemed worth fixing for 8.0 since we need an rc4 anyway:
we were using uninitialized data for the guarded bit when
combining stage 1 and stage 2 attrs.

thanks
-- PMM

The following changes since commit 08dede07030973c1053868bc64de7e10bfa02ad6:

Merge tag 'pull-ppc-20230409' of https://github.com/legoater/qemu into staging (2023-04-10 11:47:52 +0100)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20230410

for you to fetch changes up to 8539dc00552e8ea60420856fc1262c8299bc6308:

target/arm: Copy guarded bit in combine_cacheattrs (2023-04-10 14:31:40 +0100)

----------------------------------------------------------------
target-arm: Fix bug where we weren't initializing
            guarded bit state when combining S1/S2 attrs

----------------------------------------------------------------
Richard Henderson (2):
      target/arm: PTE bit GP only applies to stage1
      target/arm: Copy guarded bit in combine_cacheattrs

target/arm/ptw.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

From: Richard Henderson <richard.henderson@linaro.org>

Only perform the extract of GP during the stage1 walk.

Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20230407185149.3253946-2-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/ptw.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
         result->f.attrs.secure = false;
     }
 
-    /* When in aarch64 mode, and BTI is enabled, remember GP in the TLB.  */
-    if (aarch64 && cpu_isar_feature(aa64_bti, cpu)) {
-        result->f.guarded = extract64(attrs, 50, 1); /* GP */
-    }
-
     if (regime_is_stage2(mmu_idx)) {
         result->cacheattrs.is_s2_format = true;
         result->cacheattrs.attrs = extract32(attrs, 2, 4);
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
         assert(attrindx <= 7);
         result->cacheattrs.is_s2_format = false;
         result->cacheattrs.attrs = extract64(mair, attrindx * 8, 8);
+
+        /* When in aarch64 mode, and BTI is enabled, remember GP in the TLB. */
+        if (aarch64 && cpu_isar_feature(aa64_bti, cpu)) {
+            result->f.guarded = extract64(attrs, 50, 1); /* GP */
+        }
     }
 
     /*
-- 
2.34.1