Series comparison

-[PULL 0/2] target-arm queue
+[PULL v2 00/29] target-arm queue
-Hi; this pull request has a couple of fixes for bugs in
+v2: drop pvpanic-pci patches.
 the Arm page-table-walk code, which arrived in the last
 day or so.
-I'm sending this out now in the hope it might just sneak
+The following changes since commit f1fcb6851aba6dd9838886dc179717a11e344a1c:
 in before rc2 gets tagged, so the fixes can get more
 testing time before the 7.2 release; but if they don't
 make it then this should go into rc3.
-thanks
+  Merge remote-tracking branch 'remotes/huth-gitlab/tags/pull-request-2021-01-19' into staging (2021-01-19 11:57:07 +0000)
 -- PMM
 The following changes since commit 6d71357a3b651ec9db126e4862b77e13165427f5:
   rtl8139: honor large send MSS value (2022-11-21 09:28:43 -0500)
 are available in the Git repository at:
-  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20221122
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20210119-1
-for you to fetch changes up to 15f8f4671afd22491ce99d28a296514717fead4f:
+for you to fetch changes up to b93f4fbdc48283a39089469c44a5529d79dc40a8:
-  target/arm: Use signed quantity to represent VMSAv8-64 translation level (2022-11-22 16:10:25 +0000)
+  docs: Build and install all the docs in a single manual (2021-01-19 15:45:14 +0000)
 ----------------------------------------------------------------
-target-arm:
+target-arm queue:
- * Fix broken 5-level pagetable handling
+ * Implement IMPDEF pauth algorithm
- * Fix debug accesses when EL2 is present
+ * Support ARMv8.4-SEL2
  * Fix bug where we were truncating predicate vector lengths in SVE insns
  * npcm7xx_adc-test: Fix memleak in adc_qom_set
  * target/arm/m_helper: Silence GCC 10 maybe-uninitialized error
  * docs: Build and install all the docs in a single manual
 ----------------------------------------------------------------
-Ard Biesheuvel (1):
+Gan Qixin (1):
-      target/arm: Use signed quantity to represent VMSAv8-64 translation level
+      npcm7xx_adc-test: Fix memleak in adc_qom_set
 Peter Maydell (1):
-      target/arm: Don't do two-stage lookup if stage 2 is disabled
+      docs: Build and install all the docs in a single manual
- target/arm/ptw.c | 11 ++++++-----
+Philippe Mathieu-Daudé (1):
-file changed, 6 insertions(+), 5 deletions(-)
+      target/arm/m_helper: Silence GCC 10 maybe-uninitialized error
 Richard Henderson (7):
       target/arm: Implement an IMPDEF pauth algorithm
       target/arm: Add cpu properties to control pauth
       target/arm: Use object_property_add_bool for "sve" property
       target/arm: Introduce PREDDESC field definitions
       target/arm: Update PFIRST, PNEXT for pred_desc
       target/arm: Update ZIP, UZP, TRN for pred_desc
       target/arm: Update REV, PUNPK for pred_desc
 Rémi Denis-Courmont (19):
       target/arm: remove redundant tests
       target/arm: add arm_is_el2_enabled() helper
       target/arm: use arm_is_el2_enabled() where applicable
       target/arm: use arm_hcr_el2_eff() where applicable
       target/arm: factor MDCR_EL2 common handling
       target/arm: Define isar_feature function to test for presence of SEL2
       target/arm: add 64-bit S-EL2 to EL exception table
       target/arm: add MMU stage 1 for Secure EL2
       target/arm: add ARMv8.4-SEL2 system registers
       target/arm: handle VMID change in secure state
       target/arm: do S1_ptw_translate() before address space lookup
       target/arm: translate NS bit in page-walks
       target/arm: generalize 2-stage page-walk condition
       target/arm: secure stage 2 translation regime
       target/arm: set HPFAR_EL2.NS on secure stage 2 faults
       target/arm: revector to run-time pick target EL
       target/arm: Implement SCR_EL2.EEL2
       target/arm: enable Secure EL2 in max CPU
       target/arm: refactor vae1_tlbmask()
  docs/conf.py                     |  46 ++++-
  docs/devel/conf.py               |  15 --
  docs/index.html.in               |  17 --
  docs/interop/conf.py             |  28 ---
  docs/meson.build                 |  64 +++---
  docs/specs/conf.py               |  16 --
  docs/system/arm/cpu-features.rst |  21 ++
  docs/system/conf.py              |  28 ---
  docs/tools/conf.py               |  37 ----
  docs/user/conf.py                |  15 --
  include/qemu/xxhash.h            |  98 +++++++++
  target/arm/cpu-param.h           |   2 +-
  target/arm/cpu.h                 | 107 ++++++++--
  target/arm/internals.h           |  45 +++++
  target/arm/cpu.c                 |  23 ++-
  target/arm/cpu64.c               |  65 ++++--
  target/arm/helper-a64.c          |   8 +-
  target/arm/helper.c              | 414 ++++++++++++++++++++++++++-------------
  target/arm/m_helper.c            |   2 +-
  target/arm/monitor.c             |   1 +
  target/arm/op_helper.c           |   4 +-
  target/arm/pauth_helper.c        |  27 ++-
  target/arm/sve_helper.c          |  33 ++--
  target/arm/tlb_helper.c          |   3 +
  target/arm/translate-a64.c       |   4 +
  target/arm/translate-sve.c       |  31 ++-
  target/arm/translate.c           |  36 +++-
  tests/qtest/arm-cpu-features.c   |  13 ++
  tests/qtest/npcm7xx_adc-test.c   |   1 +
  .gitlab-ci.yml                   |   4 +-
 files changed, 770 insertions(+), 438 deletions(-)
  delete mode 100644 docs/devel/conf.py
  delete mode 100644 docs/index.html.in
  delete mode 100644 docs/interop/conf.py
  delete mode 100644 docs/specs/conf.py
  delete mode 100644 docs/system/conf.py
  delete mode 100644 docs/tools/conf.py
  delete mode 100644 docs/user/conf.py

-[PULL 1/2] target/arm: Don't do two-stage lookup if stage 2 is disabled
+Deleted patch
-In get_phys_addr_with_struct(), we call get_phys_addr_twostage() if
-the CPU supports EL2.  However, we don't check here that stage 2 is
-actually enabled.  Instead we only check that inside
-get_phys_addr_twostage() to skip stage 2 translation.  This means
-that even if stage 2 is disabled we still tell the stage 1 lookup to
-do its page table walks via stage 2.
-This works by luck for normal CPU accesses, but it breaks for debug
-accesses, which are used by the disassembler and also by semihosting
-file reads and writes, because the debug case takes a different code
-path inside S1_ptw_translate().
-This means that setups that use semihosting for file loads are broken
-(a regression since 7.1, introduced in recent ptw refactoring), and
-that sometimes disassembly in debug logs reports "unable to read
-memory" rather than showing the guest insns.
-Fix the bug by hoisting the "is stage 2 enabled?" check up to
-get_phys_addr_with_struct(), so that we handle S2 disabled the same
-way we do the "no EL2" case, with a simple single stage lookup.
-Reported-by: Jens Wiklander <jens.wiklander@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20221121212404.1450382-1-peter.maydell@linaro.org
----
- target/arm/ptw.c | 7 ++++---
-file changed, 4 insertions(+), 3 deletions(-)
-diff --git a/target/arm/ptw.c b/target/arm/ptw.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/ptw.c
-+++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
-     ret = get_phys_addr_with_struct(env, ptw, address, access_type, result, fi);
--    /* If S1 fails or S2 is disabled, return early.  */
--    if (ret || regime_translation_disabled(env, ARMMMUIdx_Stage2, is_secure)) {
-+    /* If S1 fails, return early.  */
-+    if (ret) {
-         return ret;
-     }
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_with_struct(CPUARMState *env, S1Translate *ptw,
-          * Otherwise, a stage1+stage2 translation is just stage 1.
-          */
-         ptw->in_mmu_idx = mmu_idx = s1_mmu_idx;
--        if (arm_feature(env, ARM_FEATURE_EL2)) {
-+        if (arm_feature(env, ARM_FEATURE_EL2) &&
-+            !regime_translation_disabled(env, ARMMMUIdx_Stage2, is_secure)) {
-             return get_phys_addr_twostage(env, ptw, address, access_type,
-                                           result, fi);
-         }
---
-.25.1

-[PULL 2/2] target/arm: Use signed quantity to represent VMSAv8-64 translation level
+Deleted patch
-From: Ard Biesheuvel <ardb@kernel.org>
-The LPA2 extension implements 52-bit virtual addressing for 4k and 16k
-translation granules, and for the former, this means an additional level
-of translation is needed. This means we start counting at -1 instead of
-when doing a walk, and so 'level' is now a signed quantity, and should
-be typed as such. So turn it from uint32_t into int32_t.
-This avoids a level of -1 getting misinterpreted as being >= 3, and
-terminating a page table walk prematurely with a bogus output address.
-Cc: Peter Maydell <peter.maydell@linaro.org>
-Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Cc: Richard Henderson <richard.henderson@linaro.org>
-Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/ptw.c | 4 ++--
-file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/target/arm/ptw.c b/target/arm/ptw.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/ptw.c
-+++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
-     ARMCPU *cpu = env_archcpu(env);
-     ARMMMUIdx mmu_idx = ptw->in_mmu_idx;
-     bool is_secure = ptw->in_secure;
--    uint32_t level;
-+    int32_t level;
-     ARMVAParameters param;
-     uint64_t ttbr;
-     hwaddr descaddr, indexmask, indexmask_grainsize;
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
-          */
-         uint32_t sl0 = extract32(tcr, 6, 2);
-         uint32_t sl2 = extract64(tcr, 33, 1);
--        uint32_t startlevel;
-+        int32_t startlevel;
-         bool ok;
-         /* SL2 is RES0 unless DS=1 & 4kb granule. */
---
-.25.1

Hi; this pull request has a couple of fixes for bugs in
the Arm page-table-walk code, which arrived in the last
day or so.

I'm sending this out now in the hope it might just sneak
in before rc2 gets tagged, so the fixes can get more
testing time before the 7.2 release; but if they don't
make it then this should go into rc3.

thanks
-- PMM

The following changes since commit 6d71357a3b651ec9db126e4862b77e13165427f5:

rtl8139: honor large send MSS value (2022-11-21 09:28:43 -0500)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20221122

for you to fetch changes up to 15f8f4671afd22491ce99d28a296514717fead4f:

target/arm: Use signed quantity to represent VMSAv8-64 translation level (2022-11-22 16:10:25 +0000)

----------------------------------------------------------------
target-arm:
 * Fix broken 5-level pagetable handling
 * Fix debug accesses when EL2 is present

----------------------------------------------------------------
Ard Biesheuvel (1):
      target/arm: Use signed quantity to represent VMSAv8-64 translation level

Peter Maydell (1):
      target/arm: Don't do two-stage lookup if stage 2 is disabled

target/arm/ptw.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

In get_phys_addr_with_struct(), we call get_phys_addr_twostage() if
the CPU supports EL2.  However, we don't check here that stage 2 is
actually enabled.  Instead we only check that inside
get_phys_addr_twostage() to skip stage 2 translation.  This means
that even if stage 2 is disabled we still tell the stage 1 lookup to
do its page table walks via stage 2.

This works by luck for normal CPU accesses, but it breaks for debug
accesses, which are used by the disassembler and also by semihosting
file reads and writes, because the debug case takes a different code
path inside S1_ptw_translate().

This means that setups that use semihosting for file loads are broken
(a regression since 7.1, introduced in recent ptw refactoring), and
that sometimes disassembly in debug logs reports "unable to read
memory" rather than showing the guest insns.

Fix the bug by hoisting the "is stage 2 enabled?" check up to
get_phys_addr_with_struct(), so that we handle S2 disabled the same
way we do the "no EL2" case, with a simple single stage lookup.

Reported-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20221121212404.1450382-1-peter.maydell@linaro.org
---
 target/arm/ptw.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
 
     ret = get_phys_addr_with_struct(env, ptw, address, access_type, result, fi);
 
-    /* If S1 fails or S2 is disabled, return early.  */
-    if (ret || regime_translation_disabled(env, ARMMMUIdx_Stage2, is_secure)) {
+    /* If S1 fails, return early.  */
+    if (ret) {
         return ret;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_with_struct(CPUARMState *env, S1Translate *ptw,
          * Otherwise, a stage1+stage2 translation is just stage 1.
          */
         ptw->in_mmu_idx = mmu_idx = s1_mmu_idx;
-        if (arm_feature(env, ARM_FEATURE_EL2)) {
+        if (arm_feature(env, ARM_FEATURE_EL2) &&
+            !regime_translation_disabled(env, ARMMMUIdx_Stage2, is_secure)) {
             return get_phys_addr_twostage(env, ptw, address, access_type,
                                           result, fi);
         }
-- 
2.25.1

From: Ard Biesheuvel <ardb@kernel.org>

The LPA2 extension implements 52-bit virtual addressing for 4k and 16k
translation granules, and for the former, this means an additional level
of translation is needed. This means we start counting at -1 instead of
0 when doing a walk, and so 'level' is now a signed quantity, and should
be typed as such. So turn it from uint32_t into int32_t.

This avoids a level of -1 getting misinterpreted as being >= 3, and
terminating a page table walk prematurely with a bogus output address.

Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
Cc: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/ptw.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
     ARMCPU *cpu = env_archcpu(env);
     ARMMMUIdx mmu_idx = ptw->in_mmu_idx;
     bool is_secure = ptw->in_secure;
-    uint32_t level;
+    int32_t level;
     ARMVAParameters param;
     uint64_t ttbr;
     hwaddr descaddr, indexmask, indexmask_grainsize;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
          */
         uint32_t sl0 = extract32(tcr, 6, 2);
         uint32_t sl2 = extract64(tcr, 33, 1);
-        uint32_t startlevel;
+        int32_t startlevel;
         bool ok;
 
         /* SL2 is RES0 unless DS=1 & 4kb granule. */
-- 
2.25.1

v2: drop pvpanic-pci patches.

The following changes since commit f1fcb6851aba6dd9838886dc179717a11e344a1c:

Merge remote-tracking branch 'remotes/huth-gitlab/tags/pull-request-2021-01-19' into staging (2021-01-19 11:57:07 +0000)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20210119-1

for you to fetch changes up to b93f4fbdc48283a39089469c44a5529d79dc40a8:

docs: Build and install all the docs in a single manual (2021-01-19 15:45:14 +0000)

----------------------------------------------------------------
target-arm queue:
 * Implement IMPDEF pauth algorithm
 * Support ARMv8.4-SEL2
 * Fix bug where we were truncating predicate vector lengths in SVE insns
 * npcm7xx_adc-test: Fix memleak in adc_qom_set
 * target/arm/m_helper: Silence GCC 10 maybe-uninitialized error
 * docs: Build and install all the docs in a single manual

----------------------------------------------------------------
Gan Qixin (1):
      npcm7xx_adc-test: Fix memleak in adc_qom_set

Peter Maydell (1):
      docs: Build and install all the docs in a single manual

Philippe Mathieu-Daudé (1):
      target/arm/m_helper: Silence GCC 10 maybe-uninitialized error

Richard Henderson (7):
      target/arm: Implement an IMPDEF pauth algorithm
      target/arm: Add cpu properties to control pauth
      target/arm: Use object_property_add_bool for "sve" property
      target/arm: Introduce PREDDESC field definitions
      target/arm: Update PFIRST, PNEXT for pred_desc
      target/arm: Update ZIP, UZP, TRN for pred_desc
      target/arm: Update REV, PUNPK for pred_desc

Rémi Denis-Courmont (19):
      target/arm: remove redundant tests
      target/arm: add arm_is_el2_enabled() helper
      target/arm: use arm_is_el2_enabled() where applicable
      target/arm: use arm_hcr_el2_eff() where applicable
      target/arm: factor MDCR_EL2 common handling
      target/arm: Define isar_feature function to test for presence of SEL2
      target/arm: add 64-bit S-EL2 to EL exception table
      target/arm: add MMU stage 1 for Secure EL2
      target/arm: add ARMv8.4-SEL2 system registers
      target/arm: handle VMID change in secure state
      target/arm: do S1_ptw_translate() before address space lookup
      target/arm: translate NS bit in page-walks
      target/arm: generalize 2-stage page-walk condition
      target/arm: secure stage 2 translation regime
      target/arm: set HPFAR_EL2.NS on secure stage 2 faults
      target/arm: revector to run-time pick target EL
      target/arm: Implement SCR_EL2.EEL2
      target/arm: enable Secure EL2 in max CPU
      target/arm: refactor vae1_tlbmask()