| 1 | Two bug fixes for 9.0... | 1 | v2: fix compile issue when building user-mode emulators with clang |
|---|---|---|---|
| 2 | 2 | ||
| 3 | -- PMM | 3 | -- PMM |
| 4 | 4 | ||
| 5 | The following changes since commit ce64e6224affb8b4e4b019f76d2950270b391af5: | 5 | The following changes since commit 4cc10cae64c51e17844dc4358481c393d7bf1ed4: |
| 6 | 6 | ||
| 7 | Merge tag 'qemu-sparc-20240404' of https://github.com/mcayland/qemu into staging (2024-04-04 15:28:06 +0100) | 7 | Merge remote-tracking branch 'remotes/bonzini-gitlab/tags/for-upstream' into staging (2021-05-06 18:56:17 +0100) |
| 8 | 8 | ||
| 9 | are available in the Git repository at: | 9 | are available in the Git repository at: |
| 10 | 10 | ||
| 11 | https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20240408 | 11 | https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20210510-1 |
| 12 | 12 | ||
| 13 | for you to fetch changes up to 19b254e86a900dc5ee332e3ac0baf9c521301abf: | 13 | for you to fetch changes up to c3080fbdaa381012666428fef2e5f7ce422ecfee: |
| 14 | 14 | ||
| 15 | target/arm: Use correct SecuritySpace for AArch64 AT ops at EL3 (2024-04-08 15:38:53 +0100) | 15 | hw/arm/xlnx: Fix PHY address for xilinx-zynq-a9 (2021-05-10 17:21:54 +0100) |
| 16 | 16 | ||
| 17 | ---------------------------------------------------------------- | 17 | ---------------------------------------------------------------- |
| 18 | target-arm: | 18 | target-arm queue: |
| 19 | * Use correct SecuritySpace for AArch64 AT ops at EL3 | 19 | * docs: fix link in sbsa description |
| 20 | * Fix CNTPOFF_EL2 trap to missing EL3 | 20 | * linux-user/aarch64: Enable hwcap for RND, BTI, and MTE |
| 21 | * target/arm: Fix tlbbits calculation in tlbi_aa64_vae2is_write() | ||
| 22 | * target/arm: Split neon and vfp translation to their own | ||
| 23 | compilation units | ||
| 24 | * target/arm: Make WFI a NOP for userspace emulators | ||
| 25 | * hw/sd/omap_mmc: Use device_cold_reset() instead of | ||
| 26 | device_legacy_reset() | ||
| 27 | * include: More fixes for 'extern "C"' block use | ||
| 28 | * hw/arm/imx25_pdk: Fix error message for invalid RAM size | ||
| 29 | * hw/arm/mps2-tz: Implement AN524 memory remapping via machine property | ||
| 30 | * hw/arm/xlnx: Fix PHY address for xilinx-zynq-a9 | ||
| 21 | 31 | ||
| 22 | ---------------------------------------------------------------- | 32 | ---------------------------------------------------------------- |
| 23 | Peter Maydell (1): | 33 | Alex Bennée (1): |
| 24 | target/arm: Use correct SecuritySpace for AArch64 AT ops at EL3 | 34 | docs: fix link in sbsa description |
| 25 | 35 | ||
| 26 | Pierre-Clément Tosi (1): | 36 | Guenter Roeck (1): |
| 27 | target/arm: Fix CNTPOFF_EL2 trap to missing EL3 | 37 | hw/arm/xlnx: Fix PHY address for xilinx-zynq-a9 |
| 28 | 38 | ||
| 29 | target/arm/helper.c | 10 +++++++--- | 39 | Peter Maydell (22): |
| 30 | 1 file changed, 7 insertions(+), 3 deletions(-) | 40 | target/arm: Fix tlbbits calculation in tlbi_aa64_vae2is_write() |
| 41 | target/arm: Move constant expanders to translate.h | ||
| 42 | target/arm: Share unallocated_encoding() and gen_exception_insn() | ||
| 43 | target/arm: Make functions used by m-nocp global | ||
| 44 | target/arm: Split m-nocp trans functions into their own file | ||
| 45 | target/arm: Move gen_aa32 functions to translate-a32.h | ||
| 46 | target/arm: Move vfp_{load, store}_reg{32, 64} to translate-vfp.c.inc | ||
| 47 | target/arm: Make functions used by translate-vfp global | ||
| 48 | target/arm: Make translate-vfp.c.inc its own compilation unit | ||
| 49 | target/arm: Move vfp_reg_ptr() to translate-neon.c.inc | ||
| 50 | target/arm: Delete unused typedef | ||
| 51 | target/arm: Move NeonGenThreeOpEnvFn typedef to translate.h | ||
| 52 | target/arm: Make functions used by translate-neon global | ||
| 53 | target/arm: Make translate-neon.c.inc its own compilation unit | ||
| 54 | target/arm: Make WFI a NOP for userspace emulators | ||
| 55 | hw/sd/omap_mmc: Use device_cold_reset() instead of device_legacy_reset() | ||
| 56 | osdep: Make os-win32.h and os-posix.h handle 'extern "C"' themselves | ||
| 57 | include/qemu/bswap.h: Handle being included outside extern "C" block | ||
| 58 | include/disas/dis-asm.h: Handle being included outside 'extern "C"' | ||
| 59 | hw/misc/mps2-scc: Add "QEMU interface" comment | ||
| 60 | hw/misc/mps2-scc: Support using CFG0 bit 0 for remapping | ||
| 61 | hw/arm/mps2-tz: Implement AN524 memory remapping via machine property | ||
| 31 | 62 | ||
| 63 | Philippe Mathieu-Daudé (1): | ||
| 64 | hw/arm/imx25_pdk: Fix error message for invalid RAM size | ||
| 65 | |||
| 66 | Richard Henderson (1): | ||
| 67 | linux-user/aarch64: Enable hwcap for RND, BTI, and MTE | ||
| 68 | |||
| 69 | docs/system/arm/mps2.rst | 10 + | ||
| 70 | docs/system/arm/sbsa.rst | 2 +- | ||
| 71 | include/disas/dis-asm.h | 12 +- | ||
| 72 | include/hw/misc/mps2-scc.h | 21 ++ | ||
| 73 | include/qemu/bswap.h | 26 ++- | ||
| 74 | include/qemu/osdep.h | 8 +- | ||
| 75 | include/sysemu/os-posix.h | 8 + | ||
| 76 | include/sysemu/os-win32.h | 8 + | ||
| 77 | target/arm/translate-a32.h | 144 +++++++++++++ | ||
| 78 | target/arm/translate-a64.h | 2 - | ||
| 79 | target/arm/translate.h | 29 +++ | ||
| 80 | hw/arm/imx25_pdk.c | 5 +- | ||
| 81 | hw/arm/mps2-tz.c | 108 +++++++++- | ||
| 82 | hw/arm/xilinx_zynq.c | 2 +- | ||
| 83 | hw/misc/mps2-scc.c | 13 +- | ||
| 84 | hw/sd/omap_mmc.c | 2 +- | ||
| 85 | linux-user/elfload.c | 13 ++ | ||
| 86 | target/arm/helper.c | 2 +- | ||
| 87 | target/arm/op_helper.c | 14 ++ | ||
| 88 | target/arm/translate-a64.c | 15 -- | ||
| 89 | target/arm/translate-m-nocp.c | 221 ++++++++++++++++++++ | ||
| 90 | .../arm/{translate-neon.c.inc => translate-neon.c} | 19 +- | ||
| 91 | .../arm/{translate-vfp.c.inc => translate-vfp.c} | 230 +++------------------ | ||
| 92 | target/arm/translate.c | 200 ++++-------------- | ||
| 93 | disas/arm-a64.cc | 2 - | ||
| 94 | disas/nanomips.cpp | 2 - | ||
| 95 | target/arm/meson.build | 15 +- | ||
| 96 | 27 files changed, 720 insertions(+), 413 deletions(-) | ||
| 97 | create mode 100644 target/arm/translate-a32.h | ||
| 98 | create mode 100644 target/arm/translate-m-nocp.c | ||
| 99 | rename target/arm/{translate-neon.c.inc => translate-neon.c} (99%) | ||
| 100 | rename target/arm/{translate-vfp.c.inc => translate-vfp.c} (94%) | ||
| 101 | diff view generated by jsdifflib |
Deleted patch | |||
|---|---|---|---|
| 1 | From: Pierre-Clément Tosi <ptosi@google.com> | ||
| 2 | 1 | ||
| 3 | EL2 accesses to CNTPOFF_EL2 should only ever trap to EL3 if EL3 is | ||
| 4 | present, as described by the reference manual (for MRS): | ||
| 5 | |||
| 6 | /* ... */ | ||
| 7 | elsif PSTATE.EL == EL2 then | ||
| 8 | if Halted() && HaveEL(EL3) && /*...*/ then | ||
| 9 | UNDEFINED; | ||
| 10 | elsif HaveEL(EL3) && SCR_EL3.ECVEn == '0' then | ||
| 11 | /* ... */ | ||
| 12 | else | ||
| 13 | X[t, 64] = CNTPOFF_EL2; | ||
| 14 | |||
| 15 | However, the existing implementation of gt_cntpoff_access() always | ||
| 16 | returns CP_ACCESS_TRAP_EL3 for EL2 accesses with SCR_EL3.ECVEn unset. In | ||
| 17 | pseudo-code terminology, this corresponds to assuming that HaveEL(EL3) | ||
| 18 | is always true, which is wrong. As a result, QEMU panics in | ||
| 19 | access_check_cp_reg() when started without EL3 and running EL2 code | ||
| 20 | accessing the register (e.g. any recent KVM booting a guest). | ||
| 21 | |||
| 22 | Therefore, add the HaveEL(EL3) check to gt_cntpoff_access(). | ||
| 23 | |||
| 24 | Fixes: 2808d3b38a52 ("target/arm: Implement FEAT_ECV CNTPOFF_EL2 handling") | ||
| 25 | Signed-off-by: Pierre-Clément Tosi <ptosi@google.com> | ||
| 26 | Message-id: m3al6amhdkmsiy2f62w72ufth6dzn45xg5cz6xljceyibphnf4@ezmmpwk4tnhl | ||
| 27 | Reviewed-by: Peter Maydell <peter.maydell@linaro.org> | ||
| 28 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | ||
| 29 | --- | ||
| 30 | target/arm/helper.c | 3 ++- | ||
| 31 | 1 file changed, 2 insertions(+), 1 deletion(-) | ||
| 32 | |||
| 33 | diff --git a/target/arm/helper.c b/target/arm/helper.c | ||
| 34 | index XXXXXXX..XXXXXXX 100644 | ||
| 35 | --- a/target/arm/helper.c | ||
| 36 | +++ b/target/arm/helper.c | ||
| 37 | @@ -XXX,XX +XXX,XX @@ static CPAccessResult gt_cntpoff_access(CPUARMState *env, | ||
| 38 | const ARMCPRegInfo *ri, | ||
| 39 | bool isread) | ||
| 40 | { | ||
| 41 | - if (arm_current_el(env) == 2 && !(env->cp15.scr_el3 & SCR_ECVEN)) { | ||
| 42 | + if (arm_current_el(env) == 2 && arm_feature(env, ARM_FEATURE_EL3) && | ||
| 43 | + !(env->cp15.scr_el3 & SCR_ECVEN)) { | ||
| 44 | return CP_ACCESS_TRAP_EL3; | ||
| 45 | } | ||
| 46 | return CP_ACCESS_OK; | ||
| 47 | -- | ||
| 48 | 2.34.1 | ||
| 49 | |||
| 50 | diff view generated by jsdifflib |
Deleted patch | |||
|---|---|---|---|
| 1 | When we do an AT address translation operation, the page table walk | ||
| 2 | is supposed to be performed in the context of the EL we're doing the | ||
| 3 | walk for, so for instance an AT S1E2R walk is done for EL2. In the | ||
| 4 | pseudocode an EL is passed to AArch64.AT(), which calls | ||
| 5 | SecurityStateAtEL() to find the security state that we should be | ||
| 6 | doing the walk with. | ||
| 7 | 1 | ||
| 8 | In ats_write64() we get this wrong, instead using the current | ||
| 9 | security space always. This is fine for AT operations performed from | ||
| 10 | EL1 and EL2, because there the current security state and the | ||
| 11 | security state for the lower EL are the same. But for AT operations | ||
| 12 | performed from EL3, the current security state is always either | ||
| 13 | Secure or Root, whereas we want to use the security state defined by | ||
| 14 | SCR_EL3.{NS,NSE} for the walk. This affects not just guests using | ||
| 15 | FEAT_RME but also ones where EL3 is Secure state and the EL3 code | ||
| 16 | is trying to do an AT for a NonSecure EL2 or EL1. | ||
| 17 | |||
| 18 | Use arm_security_space_below_el3() to get the SecuritySpace to | ||
| 19 | pass to do_ats_write() for all AT operations except the | ||
| 20 | AT S1E3* operations. | ||
| 21 | |||
| 22 | Cc: qemu-stable@nongnu.org | ||
| 23 | Fixes: e1ee56ec2383 ("target/arm: Pass security space rather than flag for AT instructions") | ||
| 24 | Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2250 | ||
| 25 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | ||
| 26 | Reviewed-by: Richard Henderson <richard.henderson@linaro.org> | ||
| 27 | Message-id: 20240405180232.3570066-1-peter.maydell@linaro.org | ||
| 28 | --- | ||
| 29 | target/arm/helper.c | 7 +++++-- | ||
| 30 | 1 file changed, 5 insertions(+), 2 deletions(-) | ||
| 31 | |||
| 32 | diff --git a/target/arm/helper.c b/target/arm/helper.c | ||
| 33 | index XXXXXXX..XXXXXXX 100644 | ||
| 34 | --- a/target/arm/helper.c | ||
| 35 | +++ b/target/arm/helper.c | ||
| 36 | @@ -XXX,XX +XXX,XX @@ static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri, | ||
| 37 | ARMMMUIdx mmu_idx; | ||
| 38 | uint64_t hcr_el2 = arm_hcr_el2_eff(env); | ||
| 39 | bool regime_e20 = (hcr_el2 & (HCR_E2H | HCR_TGE)) == (HCR_E2H | HCR_TGE); | ||
| 40 | + bool for_el3 = false; | ||
| 41 | + ARMSecuritySpace ss; | ||
| 42 | |||
| 43 | switch (ri->opc2 & 6) { | ||
| 44 | case 0: | ||
| 45 | @@ -XXX,XX +XXX,XX @@ static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri, | ||
| 46 | break; | ||
| 47 | case 6: /* AT S1E3R, AT S1E3W */ | ||
| 48 | mmu_idx = ARMMMUIdx_E3; | ||
| 49 | + for_el3 = true; | ||
| 50 | break; | ||
| 51 | default: | ||
| 52 | g_assert_not_reached(); | ||
| 53 | @@ -XXX,XX +XXX,XX @@ static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri, | ||
| 54 | g_assert_not_reached(); | ||
| 55 | } | ||
| 56 | |||
| 57 | - env->cp15.par_el[1] = do_ats_write(env, value, access_type, | ||
| 58 | - mmu_idx, arm_security_space(env)); | ||
| 59 | + ss = for_el3 ? arm_security_space(env) : arm_security_space_below_el3(env); | ||
| 60 | + env->cp15.par_el[1] = do_ats_write(env, value, access_type, mmu_idx, ss); | ||
| 61 | #else | ||
| 62 | /* Handled by hardware accelerator. */ | ||
| 63 | g_assert_not_reached(); | ||
| 64 | -- | ||
| 65 | 2.34.1 | diff view generated by jsdifflib |