bwlp/qemu.git/target/arm, branch spice_video_codecs

target/arm: Set TCGCPUOps.restore_state_to_opc for v7m

2022-11-29T23:15:26+00:00

This setting got missed, breaking v7m. Fixes: 56c6c98df85c ("target/arm: Convert to tcg_ops restore_state_to_opc") Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1347 Signed-off-by: Richard Henderson Signed-off-by: Evgeny Ermakov Signed-off-by: Stefan Hajnoczi Message-Id: <20221129204146.550394-1-richard.henderson@linaro.org>

target/arm: Use signed quantity to represent VMSAv8-64 translation level

2022-11-22T16:10:25+00:00

The LPA2 extension implements 52-bit virtual addressing for 4k and 16k translation granules, and for the former, this means an additional level of translation is needed. This means we start counting at -1 instead of 0 when doing a walk, and so 'level' is now a signed quantity, and should be typed as such. So turn it from uint32_t into int32_t. This avoids a level of -1 getting misinterpreted as being >= 3, and terminating a page table walk prematurely with a bogus output address. Cc: Peter Maydell Cc: Philippe Mathieu-Daudé Cc: Richard Henderson Signed-off-by: Ard Biesheuvel Reviewed-by: Peter Maydell Signed-off-by: Peter Maydell

target/arm: Don't do two-stage lookup if stage 2 is disabled

2022-11-22T13:18:22+00:00

In get_phys_addr_with_struct(), we call get_phys_addr_twostage() if the CPU supports EL2. However, we don't check here that stage 2 is actually enabled. Instead we only check that inside get_phys_addr_twostage() to skip stage 2 translation. This means that even if stage 2 is disabled we still tell the stage 1 lookup to do its page table walks via stage 2. This works by luck for normal CPU accesses, but it breaks for debug accesses, which are used by the disassembler and also by semihosting file reads and writes, because the debug case takes a different code path inside S1_ptw_translate(). This means that setups that use semihosting for file loads are broken (a regression since 7.1, introduced in recent ptw refactoring), and that sometimes disassembly in debug logs reports "unable to read memory" rather than showing the guest insns. Fix the bug by hoisting the "is stage 2 enabled?" check up to get_phys_addr_with_struct(), so that we handle S2 disabled the same way we do the "no EL2" case, with a simple single stage lookup. Reported-by: Jens Wiklander Reviewed-by: Richard Henderson Signed-off-by: Peter Maydell Message-id: 20221121212404.1450382-1-peter.maydell@linaro.org

target/arm: Limit LPA2 effective output address when TCR.DS == 0

2022-11-21T11:46:46+00:00

With LPA2, the effective output address size is at most 48 bits when TCR.DS == 0. This case is currently unhandled in the page table walker, where we happily assume LVA/64k granule when outputsize > 48 and param.ds == 0, resulting in the wrong conversion to be used from a page table descriptor to a physical address. if (outputsize > 48) { if (param.ds) { descaddr |= extract64(descriptor, 8, 2) << 50; } else { descaddr |= extract64(descriptor, 12, 4) << 48; } So cap the outputsize to 48 when TCR.DS is cleared, as per the architecture. Cc: Peter Maydell Cc: Philippe Mathieu-Daudé Cc: Richard Henderson Signed-off-by: Ard Biesheuvel Reviewed-by: Richard Henderson Message-id: 20221116170316.259695-1-ardb@kernel.org Signed-off-by: Peter Maydell

target/arm: Two fixes for secure ptw

2022-11-04T10:58:58+00:00

Reversed the sense of non-secure in get_phys_addr_lpae, and failed to initialize attrs.secure for ARMMMUIdx_Phys_S. Fixes: 48da29e4 ("target/arm: Add ptw_idx to S1Translate") Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1293 Signed-off-by: Richard Henderson Tested-by: Philippe Mathieu-Daudé Reviewed-by: Peter Maydell Signed-off-by: Peter Maydell

target/arm: Honor HCR_E2H and HCR_TGE in ats_write64()

2022-11-04T10:58:58+00:00

We need to check HCR_E2H and HCR_TGE to select the right MMU index for the correct translation regime. To check for EL2&0 translation regime: - For S1E0*, S1E1* and S12E* ops, check both HCR_E2H and HCR_TGE - For S1E2* ops, check only HCR_E2H Signed-off-by: Ake Koomsin Message-id: 20221101064250.12444-1-ake@igel.co.jp Reviewed-by: Richard Henderson Signed-off-by: Peter Maydell

target/arm: Copy the entire vector in DO_ZIP

2022-11-04T10:58:58+00:00

With odd_ofs set, we weren't copying enough data. Fixes: 09eb6d7025d1 ("target/arm: Move sve zip high_ofs into simd_data") Reported-by: Idan Horowitz Signed-off-by: Richard Henderson Reviewed-by: Philippe Mathieu-Daudé Message-id: 20221031054144.3574-1-richard.henderson@linaro.org Signed-off-by: Peter Maydell

target/arm: Fix Privileged Access Never (PAN) for aarch32

2022-11-04T10:58:58+00:00

When we implemented the PAN support we theoretically wanted to support it for both AArch32 and AArch64, but in practice several bugs made it essentially unusable with an AArch32 guest. Fix all those problems: - Use CPSR.PAN to check for PAN state in aarch32 mode - throw permission fault during address translation when PAN is enabled and kernel tries to access user acessible page - ignore SCTLR_XP bit for armv7 and armv8 (conflicts with SCTLR_SPAN). Signed-off-by: Timofey Kutergin Reviewed-by: Peter Maydell Message-id: 20221027112619.2205229-1-tkutergin@gmail.com [PMM: tweak commit message] Signed-off-by: Peter Maydell

target/arm: Make TLBIOS and TLBIRANGE ops trap on HCR_EL2.TTLB

2022-11-04T10:58:58+00:00

The HCR_EL2.TTLB bit is supposed to trap all EL1 execution of TLB maintenance instructions. However we have added new TLB insns for FEAT_TLBIOS and FEAT_TLBIRANGE, and forgot to set their accessfn to access_ttlb. Add the missing accessfns. Signed-off-by: Peter Maydell Reviewed-by: Richard Henderson

accel/tcg: Remove will_exit argument from cpu_restore_state

2022-10-31T21:31:41+00:00

The value passed is always true, and if the target's synchronize_from_tb hook is non-trivial, not exiting may be erroneous. Reviewed-by: Claudio Fontana Signed-off-by: Richard Henderson