From: Kyle Fox
To: Peter Maydell
Cc: qemu-arm@nongnu.org, qemu-devel@nongnu.org, Kyle Fox
Subject: [PATCH v2] target/arm: honour CCR.BFHFNMIGN for probed data BusFaults
Date: Sun, 14 Jun 2026 19:08:35 -0500
Message-Id: <20260615000835.996870-1-kylefoxaustin.github@gmail.com>
In-Reply-To: <20260605035012.2876664-1-kylefoxaustin.github@gmail.com>
References: <20260605035012.2876664-1-kylefoxaustin.github@gmail.com>

M-profile CCR.BFHFNMIGN lets software executing at a negative execution priority (in HardFault/NMI, or with FAULTMASK set) suppress precise data BusFaults caused by load/store instructions: the access completes returning UNKNOWN data, the fault status is recorded in BFSR/BFAR, but no BusFault exception is taken. Software uses this to probe for the presence of a device.

QEMU stored CCR.BFHFNMIGN but never consumed it: arm_cpu_do_transaction_failed() always raised the external abort, which arm_v7m_cpu_do_interrupt() pended as a BusFault and then escalated to a HardFault it could not take at priority -1, aborting the VM with "Lockup: can't escalate 3 to HardFault".

Honour the bit in arm_cpu_do_transaction_failed(): when the access is a data access from M-profile code at negative priority with BFHFNMIGN set, record PRECISERR/BFARVALID and BFAR and return without raising, so the faulting instruction completes instead of re-faulting forever. Instruction fetches are unaffected, since BFHFNMIGN applies only to data accesses.

The SG instruction's stack-word load is also an AccType_NORMAL data access that must honour BFHFNMIGN, but QEMU performs it manually in v7m_read_sg_stack_word() (outside the TCG TLB, so it never reaches arm_cpu_do_transaction_failed()). Apply the same suppression there: on a BusFault, record the status and, when BFHFNMIGN is set at negative priority, return the UNKNOWN data instead of pending ARMV7M_EXCP_BUS. The remaining manual EXCP_BUS sites (vector-table loads, stacking, unstacking) are AccType_VECTABLE/STACK/UNSTACK and are not required to honour the bit, so they are left unchanged.

This surfaced running the real NXP i.MX 95 System Manager firmware on the emulated Cortex-M33: its SystemMemoryProbe() (set BFHFNMIGN + FAULTMASK, do the access, test CFSR.BFARVALID) locked up the VM. With this change the SM's debug-monitor memory-probe commands run and recover correctly.

Signed-off-by: Kyle Fox
---
v2:
 - Also honour BFHFNMIGN for the SG instruction's stack-word load in v7m_read_sg_stack_word() (an AccType_NORMAL access performed manually, outside the TCG TLB), per review. The vector-table/stacking/unstacking EXCP_BUS sites are left unchanged (AccType_VECTABLE/STACK/UNSTACK).

 target/arm/tcg/m_helper.c   | 12 ++++++++++++
 target/arm/tcg/tlb_helper.c | 24 ++++++++++++++++++++++++
 2 files changed, 36 insertions(+)

diff --git a/target/arm/tcg/m_helper.c b/target/arm/tcg/m_helper.c index f2059ed8b03..ba101ecb953 100644 --- a/target/arm/tcg/m_helper.c +++ b/target/arm/tcg/m_helper.c
@@ -2086,6 +2086,18 @@ static bool v7m_read_sg_stack_word(ARMCPU *cpu, ARMMMUIdx mmu_idx, env->v7m.cfsr[M_REG_NS] |= (R_V7M_CFSR_PRECISERR_MASK | R_V7M_CFSR_BFARVALID_MASK); env->v7m.bfar = addr; + /* + * The SG instruction's stack-word load is an AccType_NORMAL data + * access, so CCR.BFHFNMIGN applies: at negative execution priority + * with BFHFNMIGN set, the BusFault is suppressed -- the access + * completes returning UNKNOWN data (status recorded above), with no + * BusFault exception pended. + */ + if ((env->v7m.ccr[M_REG_NS] & R_V7M_CCR_BFHFNMIGN_MASK) && + armv7m_nvic_neg_prio_requested(env->nvic, env->v7m.secure)) { + *spdata = value; + return true; + } armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_BUS, false); return false; } diff --git a/target/arm/tcg/tlb_helper.c b/target/arm/tcg/tlb_helper.c index bbe1e70bc43..452688010f5 100644 --- a/target/arm/tcg/tlb_helper.c +++ b/target/arm/tcg/tlb_helper.c @@ -10,6 +10,7 @@ #include "helper.h" #include "internals.h" #include "cpu-features.h" +#include "hw/intc/armv7m_nvic.h" /* * Returns true if the stage 1 translation regime is using LPAE format page 
@@ -318,8 +319,31 @@ void arm_cpu_do_transaction_failed(CPUState *cs, hwaddr physaddr, MemTxResult response, uintptr_t retaddr) { ARMCPU *cpu = ARM_CPU(cs); + CPUARMState *env = &cpu->env; ARMMMUFaultInfo fi = {}; + /* + * For M-profile, CCR.BFHFNMIGN lets software executing at a negative + * priority (in HardFault/NMI, or with FAULTMASK set) suppress precise + * data BusFaults from load/store instructions: the access completes + * returning UNKNOWN data (the store is dropped), the fault status is + * recorded in BFSR/BFAR, but no BusFault exception is taken. This is + * the mechanism software uses to probe for the presence of a device + * (e.g. the NXP System Manager's SystemMemoryProbe). Honour it by + * recording the status and returning without raising, so the faulting + * instruction completes rather than re-faulting forever. BFHFNMIGN + * applies only to data accesses, so instruction fetches are unaffected. + */ + if (arm_feature(env, ARM_FEATURE_M) && + access_type != MMU_INST_FETCH && + (env->v7m.ccr[M_REG_NS] & R_V7M_CCR_BFHFNMIGN_MASK) && + armv7m_nvic_neg_prio_requested(env->nvic, env->v7m.secure)) { + env->v7m.cfsr[M_REG_NS] |= + (R_V7M_CFSR_PRECISERR_MASK | R_V7M_CFSR_BFARVALID_MASK); + env->v7m.bfar = addr; + return; + } + /* now we have a real cpu fault */ cpu_restore_state(cs, retaddr); -- 2.34.1
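
Review bot: in the v7m_read_sg_stack_word() hunk, the new early return decides suppression with armv7m_nvic_neg_prio_requested(env->nvic, env->v7m.secure), that is, the CPU's current security state, while the load itself is described by the function's mmu_idx argument. If those two can differ for this access, the priority check is made against the wrong state; please derive the state from the access, or add a comment explaining why env->v7m.secure is the right one here. Separately, "*spdata = value;" hands the guest whatever value holds after the failed load, and the hunk does not show it being set on that path, so assign a fixed value before returning true so that the UNKNOWN data is deterministic and cannot be uninitialised host data.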
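
Review bot: in the arm_cpu_do_transaction_failed() hunk, the new branch returns before cpu_restore_state() and leaves the caller to finish the access, but nothing in the added lines defines what a suppressed load delivers to the guest. The comment promises UNKNOWN data; please say where that value comes from and confirm it is deterministic rather than leftover host memory, since a guest can trigger this path at will once BFHFNMIGN and FAULTMASK are set. The BFHFNMIGN test, the armv7m_nvic_neg_prio_requested() call and the CFSR/BFAR update now appear in both this hunk and the m_helper.c one; a small shared helper would keep the two sites from drifting apart. The diffstat touches only the two source files, so a test that sets BFHFNMIGN and FAULTMASK, accesses an unbacked address and checks CFSR.BFARVALID would pin down the lockup described in the commit message.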