[PATCH-for-10.1 0/9] target/arm: Remove some TARGET_AARCH64 uses (MTE & gdbstub)

[PATCH-for-10.1 0/9] target/arm: Remove some TARGET_AARCH64 uses (MTE & gdbstub)

[Philippe Mathieu-Daudé]

We'd like to reduce the use on TARGET_$arch definitions.
This series convert few to runtime checks, mostly in
MTE and gdbstub.

Philippe Mathieu-Daudé (9):
  target/arm: Remove uses of TARGET_AARCH64 in arch_dump.c
  target/arm: Remove use of TARGET_AARCH64 in dump.c
  target/arm: Remove use of TARGET_AARCH64 in arm_cpu_initfn()
  target/arm/mte: Include missing headers for GETPC()
  target/arm/mte: Reduce address_with_allocation_tag() scope
  target/arm/mte: Rename 'mte_helper.h' as generic 'mte.h'
  target/arm/mte: Restrict MTE declarations
  linux-user/arm: Implement MTE stubs for 32-bit user emulation
  target/arm: Build Aarch64 gdbstub helpers indistinctly

 linux-user/aarch64/mte_user_helper.h |  27 +---
 linux-user/arm/mte_user_helper.h     |  34 +++++
 target/arm/internals.h               | 128 +-----------------
 target/arm/tcg/mte.h                 | 190 +++++++++++++++++++++++++++
 target/arm/tcg/mte_helper.h          |  66 ----------
 target/arm/tcg/sve_ldst_internal.h   |   1 +
 linux-user/arm/mte_user_helper.c     |  13 ++
 target/arm/arch_dump.c               |   6 -
 target/arm/cpu.c                     |  38 +++---
 target/arm/gdbstub.c                 |   4 -
 target/arm/gdbstub64.c               |   2 +-
 target/arm/tcg/helper-a64.c          |   1 +
 target/arm/tcg/mte.c                 | 175 ++++++++++++++++++++++++
 target/arm/tcg/mte_helper.c          | 170 ++----------------------
 target/arm/tcg/sve_helper.c          |   1 +
 target/arm/tcg/translate-a64.c       |   1 +
 target/arm/tcg/translate-sve.c       |   1 +
 linux-user/arm/meson.build           |   2 +
 target/arm/meson.build               |   2 +-
 target/arm/tcg/meson.build           |   1 +
 20 files changed, 450 insertions(+), 413 deletions(-)
 create mode 100644 linux-user/arm/mte_user_helper.h
 create mode 100644 target/arm/tcg/mte.h
 delete mode 100644 target/arm/tcg/mte_helper.h
 create mode 100644 linux-user/arm/mte_user_helper.c
 create mode 100644 target/arm/tcg/mte.c

-- 
2.47.1

[PATCH-for-10.1 1/9] target/arm: Remove uses of TARGET_AARCH64 in arch_dump.c

[Philippe Mathieu-Daudé]

It is safe to remove TARGET_AARCH64 #ifdef'ry for code
guarded by runtime check on aa64_sve ISA feature, which
is only available for Aarch64 CPUs.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
---
 target/arm/arch_dump.c | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/target/arm/arch_dump.c b/target/arm/arch_dump.c
index c40df4e7fd7..1dd79849c13 100644
--- a/target/arm/arch_dump.c
+++ b/target/arm/arch_dump.c
@@ -143,7 +143,6 @@ static int aarch64_write_elf64_prfpreg(WriteCoreDumpFunction f,
     return 0;
 }
 
-#ifdef TARGET_AARCH64
 static off_t sve_zreg_offset(uint32_t vq, int n)
 {
     off_t off = sizeof(struct aarch64_user_sve_header);
@@ -231,7 +230,6 @@ static int aarch64_write_elf64_sve(WriteCoreDumpFunction f,
 
     return 0;
 }
-#endif
 
 int arm_cpu_write_elf64_note(WriteCoreDumpFunction f, CPUState *cs,
                              int cpuid, DumpState *s)
@@ -273,11 +271,9 @@ int arm_cpu_write_elf64_note(WriteCoreDumpFunction f, CPUState *cs,
         return ret;
     }
 
-#ifdef TARGET_AARCH64
     if (cpu_isar_feature(aa64_sve, cpu)) {
         ret = aarch64_write_elf64_sve(f, env, cpuid, s);
     }
-#endif
 
     return ret;
 }
@@ -451,11 +447,9 @@ ssize_t cpu_get_note_size(int class, int machine, int nr_cpus)
     if (class == ELFCLASS64) {
         note_size = AARCH64_PRSTATUS_NOTE_SIZE;
         note_size += AARCH64_PRFPREG_NOTE_SIZE;
-#ifdef TARGET_AARCH64
         if (cpu_isar_feature(aa64_sve, cpu)) {
             note_size += AARCH64_SVE_NOTE_SIZE(&cpu->env);
         }
-#endif
     } else {
         note_size = ARM_PRSTATUS_NOTE_SIZE;
         if (cpu_isar_feature(aa32_vfp_simd, cpu)) {
-- 
2.47.1

[PATCH-for-10.1 2/9] target/arm: Remove use of TARGET_AARCH64 in dump.c

[Philippe Mathieu-Daudé]

It is safe to remove TARGET_AARCH64 #ifdef'ry for code
guarded by runtime check on aa64_sve ISA feature, which
is only available for Aarch64 CPUs.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
---
 target/arm/cpu.c | 11 -----------
 1 file changed, 11 deletions(-)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index 377791c84dd..95afa9b72f1 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -1213,8 +1213,6 @@ static void arm_disas_set_info(CPUState *cpu, disassemble_info *info)
 #endif
 }
 
-#ifdef TARGET_AARCH64
-
 static void aarch64_cpu_dump_state(CPUState *cs, FILE *f, int flags)
 {
     ARMCPU *cpu = ARM_CPU(cs);
@@ -1372,15 +1370,6 @@ static void aarch64_cpu_dump_state(CPUState *cs, FILE *f, int flags)
     }
 }
 
-#else
-
-static inline void aarch64_cpu_dump_state(CPUState *cs, FILE *f, int flags)
-{
-    g_assert_not_reached();
-}
-
-#endif
-
 static void arm_cpu_dump_state(CPUState *cs, FILE *f, int flags)
 {
     ARMCPU *cpu = ARM_CPU(cs);
-- 
2.47.1

[PATCH-for-10.1 3/9] target/arm: Remove use of TARGET_AARCH64 in arm_cpu_initfn()

[Philippe Mathieu-Daudé]

Introduce the QOM arm_cpu_is_64bit() helper, which checks
whether a vCPU parent class is TYPE_AARCH64_CPU. Use it in
arm_cpu_initfn() to remove a TARGET_AARCH64 definition use.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
---
 target/arm/cpu.c | 27 +++++++++++++++++----------
 1 file changed, 17 insertions(+), 10 deletions(-)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index 95afa9b72f1..ef95f31f249 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -1471,6 +1471,13 @@ uint64_t arm_cpu_mp_affinity(ARMCPU *cpu)
     return cpu->mp_affinity;
 }
 
+#ifdef CONFIG_USER_ONLY
+static bool arm_cpu_is_64bit(ARMCPU *cpu)
+{
+    return !!object_dynamic_cast(OBJECT(cpu), TYPE_AARCH64_CPU);
+}
+#endif
+
 static void arm_cpu_initfn(Object *obj)
 {
     ARMCPU *cpu = ARM_CPU(obj);
@@ -1482,16 +1489,16 @@ static void arm_cpu_initfn(Object *obj)
     QLIST_INIT(&cpu->el_change_hooks);
 
 #ifdef CONFIG_USER_ONLY
-# ifdef TARGET_AARCH64
-    /*
-     * The linux kernel defaults to 512-bit for SVE, and 256-bit for SME.
-     * These values were chosen to fit within the default signal frame.
-     * See documentation for /proc/sys/abi/{sve,sme}_default_vector_length,
-     * and our corresponding cpu property.
-     */
-    cpu->sve_default_vq = 4;
-    cpu->sme_default_vq = 2;
-# endif
+    if (arm_cpu_is_64bit(cpu)) {
+        /*
+         * The linux kernel defaults to 512-bit for SVE, and 256-bit for SME.
+         * These values were chosen to fit within the default signal frame.
+         * See documentation for /proc/sys/abi/{sve,sme}_default_vector_length,
+         * and our corresponding cpu property.
+         */
+        cpu->sve_default_vq = 4;
+        cpu->sme_default_vq = 2;
+    }
 #else
     /* Our inbound IRQ and FIQ lines */
     if (kvm_enabled()) {
-- 
2.47.1

[PATCH-for-10.1 4/9] target/arm/mte: Include missing headers for GETPC()

[Philippe Mathieu-Daudé]

Some headers are indirectly pulled in. Make their inclusion
explicit, otherwise next commit triggers:

  target/arm/tcg/mte_helper.c:188:26: error: call to undeclared function 'GETPC' [-Wimplicit-function-declaration]
    188 |     do_stg(env, ptr, xt, GETPC(), store_tag1);
        |                          ^

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
---
 target/arm/tcg/mte_helper.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/target/arm/tcg/mte_helper.c b/target/arm/tcg/mte_helper.c
index 7dc5fb776b3..9dcdc1d91c1 100644
--- a/target/arm/tcg/mte_helper.c
+++ b/target/arm/tcg/mte_helper.c
@@ -22,7 +22,7 @@
 #include "cpu.h"
 #include "internals.h"
 #include "exec/exec-all.h"
-#include "exec/page-protection.h"
+#include "exec/target_page.h"
 #ifdef CONFIG_USER_ONLY
 #include "user/cpu_loop.h"
 #include "user/page-protection.h"
@@ -33,6 +33,7 @@
 #include "exec/helper-proto.h"
 #include "exec/tlb-flags.h"
 #include "accel/tcg/cpu-ops.h"
+#include "accel/tcg/getpc.h"
 #include "qapi/error.h"
 #include "qemu/guest-random.h"
 #include "mte_helper.h"
-- 
2.47.1

[PATCH-for-10.1 5/9] target/arm/mte: Reduce address_with_allocation_tag() scope

[Philippe Mathieu-Daudé]

address_with_allocation_tag() is only used in mte_helper.c,
move it there.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
---
 target/arm/internals.h      | 5 -----
 target/arm/tcg/mte_helper.c | 5 +++++
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/target/arm/internals.h b/target/arm/internals.h
index 01408e40a34..0728e5c5348 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -1701,11 +1701,6 @@ static inline int allocation_tag_from_addr(uint64_t ptr)
     return extract64(ptr, 56, 4);
 }
 
-static inline uint64_t address_with_allocation_tag(uint64_t ptr, int rtag)
-{
-    return deposit64(ptr, 56, 4, rtag);
-}
-
 /* Return true if tbi bits mean that the access is checked.  */
 static inline bool tbi_check(uint32_t desc, int bit55)
 {
diff --git a/target/arm/tcg/mte_helper.c b/target/arm/tcg/mte_helper.c
index 9dcdc1d91c1..8a6e6e4719d 100644
--- a/target/arm/tcg/mte_helper.c
+++ b/target/arm/tcg/mte_helper.c
@@ -205,6 +205,11 @@ static uint8_t *allocation_tag_mem(CPUARMState *env, int ptr_mmu_idx,
                                     ptr_size, tag_access, false, ra);
 }
 
+static inline uint64_t address_with_allocation_tag(uint64_t ptr, int rtag)
+{
+    return deposit64(ptr, 56, 4, rtag);
+}
+
 uint64_t HELPER(irg)(CPUARMState *env, uint64_t rn, uint64_t rm)
 {
     uint16_t exclude = extract32(rm | env->cp15.gcr_el1, 0, 16);
-- 
2.47.1

[PATCH-for-10.1 6/9] target/arm/mte: Rename 'mte_helper.h' as generic 'mte.h'

[Philippe Mathieu-Daudé]

"tcg/mte_helper.h" header name is a bit misleading, since it
isn't restricted to TCG helpers. Rename it as "tcg/mte.h"
which is a bit more generic.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
---
 target/arm/tcg/{mte_helper.h => mte.h} | 0
 target/arm/gdbstub64.c                 | 2 +-
 target/arm/tcg/mte_helper.c            | 2 +-
 3 files changed, 2 insertions(+), 2 deletions(-)
 rename target/arm/tcg/{mte_helper.h => mte.h} (100%)

diff --git a/target/arm/tcg/mte_helper.h b/target/arm/tcg/mte.h
similarity index 100%
rename from target/arm/tcg/mte_helper.h
rename to target/arm/tcg/mte.h
diff --git a/target/arm/gdbstub64.c b/target/arm/gdbstub64.c
index 64ee9b3b567..65540cffd2c 100644
--- a/target/arm/gdbstub64.c
+++ b/target/arm/gdbstub64.c
@@ -22,7 +22,6 @@
 #include "internals.h"
 #include "gdbstub/helpers.h"
 #include "gdbstub/commands.h"
-#include "tcg/mte_helper.h"
 #if defined(CONFIG_USER_ONLY) && defined(CONFIG_LINUX)
 #include <sys/prctl.h>
 #include "mte_user_helper.h"
@@ -30,6 +29,7 @@
 #ifdef CONFIG_TCG
 #include "accel/tcg/cpu-mmu-index.h"
 #include "exec/target_page.h"
+#include "tcg/mte.h"
 #endif
 
 int aarch64_cpu_gdb_read_register(CPUState *cs, GByteArray *mem_buf, int n)
diff --git a/target/arm/tcg/mte_helper.c b/target/arm/tcg/mte_helper.c
index 8a6e6e4719d..b70f23e2047 100644
--- a/target/arm/tcg/mte_helper.c
+++ b/target/arm/tcg/mte_helper.c
@@ -36,7 +36,7 @@
 #include "accel/tcg/getpc.h"
 #include "qapi/error.h"
 #include "qemu/guest-random.h"
-#include "mte_helper.h"
+#include "mte.h"
 
 
 static int choose_nonexcluded_tag(int tag, int offset, uint16_t exclude)
-- 
2.47.1

[PATCH-for-10.1 7/9] target/arm/mte: Restrict MTE declarations

[Philippe Mathieu-Daudé]

Move MTE declarations out of "internals.h" to TCG "mte.h".
Include "mte.h" when necessary.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
---
 target/arm/internals.h             | 121 --------------------
 target/arm/tcg/mte.h               | 124 ++++++++++++++++++++
 target/arm/tcg/sve_ldst_internal.h |   1 +
 target/arm/tcg/helper-a64.c        |   1 +
 target/arm/tcg/mte.c               | 175 +++++++++++++++++++++++++++++
 target/arm/tcg/mte_helper.c        | 160 +-------------------------
 target/arm/tcg/sve_helper.c        |   1 +
 target/arm/tcg/translate-a64.c     |   1 +
 target/arm/tcg/translate-sve.c     |   1 +
 target/arm/tcg/meson.build         |   1 +
 10 files changed, 306 insertions(+), 280 deletions(-)
 create mode 100644 target/arm/tcg/mte.c

diff --git a/target/arm/internals.h b/target/arm/internals.h
index 0728e5c5348..5e549b95e14 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -1624,127 +1624,6 @@ FIELD(PREDDESC, OPRSZ, 0, 6)
 FIELD(PREDDESC, ESZ, 6, 2)
 FIELD(PREDDESC, DATA, 8, 24)
 
-/*
- * The SVE simd_data field, for memory ops, contains either
- * rd (5 bits) or a shift count (2 bits).
- */
-#define SVE_MTEDESC_SHIFT 5
-
-/* Bits within a descriptor passed to the helper_mte_check* functions. */
-FIELD(MTEDESC, MIDX,  0, 4)
-FIELD(MTEDESC, TBI,   4, 2)
-FIELD(MTEDESC, TCMA,  6, 2)
-FIELD(MTEDESC, WRITE, 8, 1)
-FIELD(MTEDESC, ALIGN, 9, 3)
-FIELD(MTEDESC, SIZEM1, 12, SIMD_DATA_BITS - SVE_MTEDESC_SHIFT - 12)  /* size - 1 */
-
-bool mte_probe(CPUARMState *env, uint32_t desc, uint64_t ptr);
-uint64_t mte_check(CPUARMState *env, uint32_t desc, uint64_t ptr, uintptr_t ra);
-
-/**
- * mte_mops_probe: Check where the next MTE failure is for a FEAT_MOPS operation
- * @env: CPU env
- * @ptr: start address of memory region (dirty pointer)
- * @size: length of region (guaranteed not to cross a page boundary)
- * @desc: MTEDESC descriptor word (0 means no MTE checks)
- * Returns: the size of the region that can be copied without hitting
- *          an MTE tag failure
- *
- * Note that we assume that the caller has already checked the TBI
- * and TCMA bits with mte_checks_needed() and an MTE check is definitely
- * required.
- */
-uint64_t mte_mops_probe(CPUARMState *env, uint64_t ptr, uint64_t size,
-                        uint32_t desc);
-
-/**
- * mte_mops_probe_rev: Check where the next MTE failure is for a FEAT_MOPS
- *                     operation going in the reverse direction
- * @env: CPU env
- * @ptr: *end* address of memory region (dirty pointer)
- * @size: length of region (guaranteed not to cross a page boundary)
- * @desc: MTEDESC descriptor word (0 means no MTE checks)
- * Returns: the size of the region that can be copied without hitting
- *          an MTE tag failure
- *
- * Note that we assume that the caller has already checked the TBI
- * and TCMA bits with mte_checks_needed() and an MTE check is definitely
- * required.
- */
-uint64_t mte_mops_probe_rev(CPUARMState *env, uint64_t ptr, uint64_t size,
-                            uint32_t desc);
-
-/**
- * mte_check_fail: Record an MTE tag check failure
- * @env: CPU env
- * @desc: MTEDESC descriptor word
- * @dirty_ptr: Failing dirty address
- * @ra: TCG retaddr
- *
- * This may never return (if the MTE tag checks are configured to fault).
- */
-void mte_check_fail(CPUARMState *env, uint32_t desc,
-                    uint64_t dirty_ptr, uintptr_t ra);
-
-/**
- * mte_mops_set_tags: Set MTE tags for a portion of a FEAT_MOPS operation
- * @env: CPU env
- * @dirty_ptr: Start address of memory region (dirty pointer)
- * @size: length of region (guaranteed not to cross page boundary)
- * @desc: MTEDESC descriptor word
- */
-void mte_mops_set_tags(CPUARMState *env, uint64_t dirty_ptr, uint64_t size,
-                       uint32_t desc);
-
-static inline int allocation_tag_from_addr(uint64_t ptr)
-{
-    return extract64(ptr, 56, 4);
-}
-
-/* Return true if tbi bits mean that the access is checked.  */
-static inline bool tbi_check(uint32_t desc, int bit55)
-{
-    return (desc >> (R_MTEDESC_TBI_SHIFT + bit55)) & 1;
-}
-
-/* Return true if tcma bits mean that the access is unchecked.  */
-static inline bool tcma_check(uint32_t desc, int bit55, int ptr_tag)
-{
-    /*
-     * We had extracted bit55 and ptr_tag for other reasons, so fold
-     * (ptr<59:55> == 00000 || ptr<59:55> == 11111) into a single test.
-     */
-    bool match = ((ptr_tag + bit55) & 0xf) == 0;
-    bool tcma = (desc >> (R_MTEDESC_TCMA_SHIFT + bit55)) & 1;
-    return tcma && match;
-}
-
-/*
- * For TBI, ideally, we would do nothing.  Proper behaviour on fault is
- * for the tag to be present in the FAR_ELx register.  But for user-only
- * mode, we do not have a TLB with which to implement this, so we must
- * remove the top byte.
- */
-static inline uint64_t useronly_clean_ptr(uint64_t ptr)
-{
-#ifdef CONFIG_USER_ONLY
-    /* TBI0 is known to be enabled, while TBI1 is disabled. */
-    ptr &= sextract64(ptr, 0, 56);
-#endif
-    return ptr;
-}
-
-static inline uint64_t useronly_maybe_clean_ptr(uint32_t desc, uint64_t ptr)
-{
-#ifdef CONFIG_USER_ONLY
-    int64_t clean_ptr = sextract64(ptr, 0, 56);
-    if (tbi_check(desc, clean_ptr < 0)) {
-        ptr = clean_ptr;
-    }
-#endif
-    return ptr;
-}
-
 /* Values for M-profile PSR.ECI for MVE insns */
 enum MVEECIState {
     ECI_NONE = 0, /* No completed beats */
diff --git a/target/arm/tcg/mte.h b/target/arm/tcg/mte.h
index 1f471fb69b1..ecb0fc76b03 100644
--- a/target/arm/tcg/mte.h
+++ b/target/arm/tcg/mte.h
@@ -9,7 +9,24 @@
 #ifndef TARGET_ARM_MTE_H
 #define TARGET_ARM_MTE_H
 
+#include "qemu/bitops.h"
 #include "exec/mmu-access-type.h"
+#include "tcg/tcg-gvec-desc.h"
+#include "hw/registerfields.h"
+
+/*
+ * The SVE simd_data field, for memory ops, contains either
+ * rd (5 bits) or a shift count (2 bits).
+ */
+#define SVE_MTEDESC_SHIFT 5
+
+/* Bits within a descriptor passed to the helper_mte_check* functions. */
+FIELD(MTEDESC, MIDX,  0, 4)
+FIELD(MTEDESC, TBI,   4, 2)
+FIELD(MTEDESC, TCMA,  6, 2)
+FIELD(MTEDESC, WRITE, 8, 1)
+FIELD(MTEDESC, ALIGN, 9, 3)
+FIELD(MTEDESC, SIZEM1, 12, SIMD_DATA_BITS - SVE_MTEDESC_SHIFT - 12)  /* size - 1 */
 
 /**
  * allocation_tag_mem_probe:
@@ -63,4 +80,111 @@ int load_tag1(uint64_t ptr, uint8_t *mem);
  */
 void store_tag1(uint64_t ptr, uint8_t *mem, int tag);
 
+bool mte_probe(CPUARMState *env, uint32_t desc, uint64_t ptr);
+uint64_t mte_check(CPUARMState *env, uint32_t desc, uint64_t ptr, uintptr_t ra);
+
+/**
+ * mte_mops_probe: Check where the next MTE failure is for a FEAT_MOPS operation
+ * @env: CPU env
+ * @ptr: start address of memory region (dirty pointer)
+ * @size: length of region (guaranteed not to cross a page boundary)
+ * @desc: MTEDESC descriptor word (0 means no MTE checks)
+ * Returns: the size of the region that can be copied without hitting
+ *          an MTE tag failure
+ *
+ * Note that we assume that the caller has already checked the TBI
+ * and TCMA bits with mte_checks_needed() and an MTE check is definitely
+ * required.
+ */
+uint64_t mte_mops_probe(CPUARMState *env, uint64_t ptr, uint64_t size,
+                        uint32_t desc);
+
+/**
+ * mte_mops_probe_rev: Check where the next MTE failure is for a FEAT_MOPS
+ *                     operation going in the reverse direction
+ * @env: CPU env
+ * @ptr: *end* address of memory region (dirty pointer)
+ * @size: length of region (guaranteed not to cross a page boundary)
+ * @desc: MTEDESC descriptor word (0 means no MTE checks)
+ * Returns: the size of the region that can be copied without hitting
+ *          an MTE tag failure
+ *
+ * Note that we assume that the caller has already checked the TBI
+ * and TCMA bits with mte_checks_needed() and an MTE check is definitely
+ * required.
+ */
+uint64_t mte_mops_probe_rev(CPUARMState *env, uint64_t ptr, uint64_t size,
+                            uint32_t desc);
+
+/**
+ * mte_check_fail: Record an MTE tag check failure
+ * @env: CPU env
+ * @desc: MTEDESC descriptor word
+ * @dirty_ptr: Failing dirty address
+ * @ra: TCG retaddr
+ *
+ * This may never return (if the MTE tag checks are configured to fault).
+ */
+void mte_check_fail(CPUARMState *env, uint32_t desc,
+                    uint64_t dirty_ptr, uintptr_t ra);
+
+/**
+ * mte_mops_set_tags: Set MTE tags for a portion of a FEAT_MOPS operation
+ * @env: CPU env
+ * @dirty_ptr: Start address of memory region (dirty pointer)
+ * @size: length of region (guaranteed not to cross page boundary)
+ * @desc: MTEDESC descriptor word
+ */
+void mte_mops_set_tags(CPUARMState *env, uint64_t dirty_ptr, uint64_t size,
+                       uint32_t desc);
+
+static inline int allocation_tag_from_addr(uint64_t ptr)
+{
+    return extract64(ptr, 56, 4);
+}
+
+/* Return true if tbi bits mean that the access is checked.  */
+static inline bool tbi_check(uint32_t desc, int bit55)
+{
+    return (desc >> (R_MTEDESC_TBI_SHIFT + bit55)) & 1;
+}
+
+/* Return true if tcma bits mean that the access is unchecked.  */
+static inline bool tcma_check(uint32_t desc, int bit55, int ptr_tag)
+{
+    /*
+     * We had extracted bit55 and ptr_tag for other reasons, so fold
+     * (ptr<59:55> == 00000 || ptr<59:55> == 11111) into a single test.
+     */
+    bool match = ((ptr_tag + bit55) & 0xf) == 0;
+    bool tcma = (desc >> (R_MTEDESC_TCMA_SHIFT + bit55)) & 1;
+    return tcma && match;
+}
+
+/*
+ * For TBI, ideally, we would do nothing.  Proper behaviour on fault is
+ * for the tag to be present in the FAR_ELx register.  But for user-only
+ * mode, we do not have a TLB with which to implement this, so we must
+ * remove the top byte.
+ */
+static inline uint64_t useronly_clean_ptr(uint64_t ptr)
+{
+#ifdef CONFIG_USER_ONLY
+    /* TBI0 is known to be enabled, while TBI1 is disabled. */
+    ptr &= sextract64(ptr, 0, 56);
+#endif
+    return ptr;
+}
+
+static inline uint64_t useronly_maybe_clean_ptr(uint32_t desc, uint64_t ptr)
+{
+#ifdef CONFIG_USER_ONLY
+    int64_t clean_ptr = sextract64(ptr, 0, 56);
+    if (tbi_check(desc, clean_ptr < 0)) {
+        ptr = clean_ptr;
+    }
+#endif
+    return ptr;
+}
+
 #endif /* TARGET_ARM_MTE_H */
diff --git a/target/arm/tcg/sve_ldst_internal.h b/target/arm/tcg/sve_ldst_internal.h
index f2243daf370..a201f6b0393 100644
--- a/target/arm/tcg/sve_ldst_internal.h
+++ b/target/arm/tcg/sve_ldst_internal.h
@@ -21,6 +21,7 @@
 #define TARGET_ARM_SVE_LDST_INTERNAL_H
 
 #include "accel/tcg/cpu-ldst.h"
+#include "mte.h"
 
 /*
  * Load one element into @vd + @reg_off from @host.
diff --git a/target/arm/tcg/helper-a64.c b/target/arm/tcg/helper-a64.c
index 08d8f63ffea..bcd116e2a16 100644
--- a/target/arm/tcg/helper-a64.c
+++ b/target/arm/tcg/helper-a64.c
@@ -41,6 +41,7 @@
 #include "user/page-protection.h"
 #endif
 #include "vec_internal.h"
+#include "mte.h"
 
 /* C2.4.7 Multiply and divide */
 /* special cases for 0 and LLONG_MIN are mandated by the standard */
diff --git a/target/arm/tcg/mte.c b/target/arm/tcg/mte.c
new file mode 100644
index 00000000000..d80465b08e9
--- /dev/null
+++ b/target/arm/tcg/mte.c
@@ -0,0 +1,175 @@
+/*
+ * ARM v8.5-MemTag Operations
+ *
+ * Copyright (c) 2020 Linaro, Ltd.
+ *
+ * SPDX-License-Identifier: LGPL-2.1-or-later
+ */
+
+#include "qemu/osdep.h"
+#include "qemu/log.h"
+#include "exec/exec-all.h"
+#include "exec/target_page.h"
+#ifdef CONFIG_USER_ONLY
+#include "user/cpu_loop.h"
+#include "user/page-protection.h"
+#else
+#include "system/memory.h"
+#include "system/ram_addr.h"
+#endif
+#include "exec/tlb-flags.h"
+#include "accel/tcg/cpu-ops.h"
+#include "cpu.h"
+#include "mte.h"
+
+uint8_t *allocation_tag_mem_probe(CPUARMState *env, int ptr_mmu_idx,
+                                  uint64_t ptr, MMUAccessType ptr_access,
+                                  int ptr_size, MMUAccessType tag_access,
+                                  bool probe, uintptr_t ra)
+{
+#ifdef CONFIG_USER_ONLY
+    uint64_t clean_ptr = useronly_clean_ptr(ptr);
+    int flags = page_get_flags(clean_ptr);
+    uint8_t *tags;
+    uintptr_t index;
+
+    assert(!(probe && ra));
+
+    if (!(flags & (ptr_access == MMU_DATA_STORE ? PAGE_WRITE_ORG : PAGE_READ))) {
+        if (probe) {
+            return NULL;
+        }
+        cpu_loop_exit_sigsegv(env_cpu(env), ptr, ptr_access,
+                              !(flags & PAGE_VALID), ra);
+    }
+
+    /* Require both MAP_ANON and PROT_MTE for the page. */
+    if (!(flags & PAGE_ANON) || !(flags & PAGE_MTE)) {
+        return NULL;
+    }
+
+    tags = page_get_target_data(clean_ptr);
+
+    index = extract32(ptr, LOG2_TAG_GRANULE + 1,
+                      TARGET_PAGE_BITS - LOG2_TAG_GRANULE - 1);
+    return tags + index;
+#else
+    CPUTLBEntryFull *full;
+    MemTxAttrs attrs;
+    int in_page, flags;
+    hwaddr ptr_paddr, tag_paddr, xlat;
+    MemoryRegion *mr;
+    ARMASIdx tag_asi;
+    AddressSpace *tag_as;
+    void *host;
+
+    /*
+     * Probe the first byte of the virtual address.  This raises an
+     * exception for inaccessible pages, and resolves the virtual address
+     * into the softmmu tlb.
+     *
+     * When RA == 0, this is either a pure probe or a no-fault-expected probe.
+     * Indicate to probe_access_flags no-fault, then either return NULL
+     * for the pure probe, or assert that we received a valid page for the
+     * no-fault-expected probe.
+     */
+    flags = probe_access_full(env, ptr, 0, ptr_access, ptr_mmu_idx,
+                              ra == 0, &host, &full, ra);
+    if (probe && (flags & TLB_INVALID_MASK)) {
+        return NULL;
+    }
+    assert(!(flags & TLB_INVALID_MASK));
+
+    /* If the virtual page MemAttr != Tagged, access unchecked. */
+    if (full->extra.arm.pte_attrs != 0xf0) {
+        return NULL;
+    }
+
+    /*
+     * If not backed by host ram, there is no tag storage: access unchecked.
+     * This is probably a guest os bug though, so log it.
+     */
+    if (unlikely(flags & TLB_MMIO)) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "Page @ 0x%" PRIx64 " indicates Tagged Normal memory "
+                      "but is not backed by host ram\n", ptr);
+        return NULL;
+    }
+
+    /*
+     * Remember these values across the second lookup below,
+     * which may invalidate this pointer via tlb resize.
+     */
+    ptr_paddr = full->phys_addr | (ptr & ~TARGET_PAGE_MASK);
+    attrs = full->attrs;
+    full = NULL;
+
+    /*
+     * The Normal memory access can extend to the next page.  E.g. a single
+     * 8-byte access to the last byte of a page will check only the last
+     * tag on the first page.
+     * Any page access exception has priority over tag check exception.
+     */
+    in_page = -(ptr | TARGET_PAGE_MASK);
+    if (unlikely(ptr_size > in_page)) {
+        flags |= probe_access_full(env, ptr + in_page, 0, ptr_access,
+                                   ptr_mmu_idx, ra == 0, &host, &full, ra);
+        assert(!(flags & TLB_INVALID_MASK));
+    }
+
+    /* Any debug exception has priority over a tag check exception. */
+    if (!probe && unlikely(flags & TLB_WATCHPOINT)) {
+        int wp = ptr_access == MMU_DATA_LOAD ? BP_MEM_READ : BP_MEM_WRITE;
+        assert(ra != 0);
+        cpu_check_watchpoint(env_cpu(env), ptr, ptr_size, attrs, wp, ra);
+    }
+
+    /* Convert to the physical address in tag space.  */
+    tag_paddr = ptr_paddr >> (LOG2_TAG_GRANULE + 1);
+
+    /* Look up the address in tag space. */
+    tag_asi = attrs.secure ? ARMASIdx_TagS : ARMASIdx_TagNS;
+    tag_as = cpu_get_address_space(env_cpu(env), tag_asi);
+    mr = address_space_translate(tag_as, tag_paddr, &xlat, NULL,
+                                 tag_access == MMU_DATA_STORE, attrs);
+
+    /*
+     * Note that @mr will never be NULL.  If there is nothing in the address
+     * space at @tag_paddr, the translation will return the unallocated memory
+     * region.  For our purposes, the result must be ram.
+     */
+    if (unlikely(!memory_region_is_ram(mr))) {
+        /* ??? Failure is a board configuration error. */
+        qemu_log_mask(LOG_UNIMP,
+                      "Tag Memory @ 0x%" HWADDR_PRIx " not found for "
+                      "Normal Memory @ 0x%" HWADDR_PRIx "\n",
+                      tag_paddr, ptr_paddr);
+        return NULL;
+    }
+
+    /*
+     * Ensure the tag memory is dirty on write, for migration.
+     * Tag memory can never contain code or display memory (vga).
+     */
+    if (tag_access == MMU_DATA_STORE) {
+        ram_addr_t tag_ra = memory_region_get_ram_addr(mr) + xlat;
+        cpu_physical_memory_set_dirty_flag(tag_ra, DIRTY_MEMORY_MIGRATION);
+    }
+
+    return memory_region_get_ram_ptr(mr) + xlat;
+#endif
+}
+
+int load_tag1(uint64_t ptr, uint8_t *mem)
+{
+    int ofs = extract32(ptr, LOG2_TAG_GRANULE, 1) * 4;
+    return extract32(*mem, ofs, 4);
+}
+
+/* For use in a non-parallel context, store to the given nibble.  */
+void store_tag1(uint64_t ptr, uint8_t *mem, int tag)
+{
+    int ofs = extract32(ptr, LOG2_TAG_GRANULE, 1) * 4;
+    *mem = deposit32(*mem, ofs, 4, tag);
+}
+
diff --git a/target/arm/tcg/mte_helper.c b/target/arm/tcg/mte_helper.c
index b70f23e2047..4ab9b858e12 100644
--- a/target/arm/tcg/mte_helper.c
+++ b/target/arm/tcg/mte_helper.c
@@ -1,5 +1,5 @@
 /*
- * ARM v8.5-MemTag Operations
+ * ARM v8.5-MemTag helpers
  *
  * Copyright (c) 2020 Linaro, Ltd.
  *
@@ -23,16 +23,9 @@
 #include "internals.h"
 #include "exec/exec-all.h"
 #include "exec/target_page.h"
-#ifdef CONFIG_USER_ONLY
-#include "user/cpu_loop.h"
-#include "user/page-protection.h"
-#else
-#include "system/ram_addr.h"
-#endif
 #include "accel/tcg/cpu-ldst.h"
 #include "exec/helper-proto.h"
 #include "exec/tlb-flags.h"
-#include "accel/tcg/cpu-ops.h"
 #include "accel/tcg/getpc.h"
 #include "qapi/error.h"
 #include "qemu/guest-random.h"
@@ -58,144 +51,6 @@ static int choose_nonexcluded_tag(int tag, int offset, uint16_t exclude)
     return tag;
 }
 
-uint8_t *allocation_tag_mem_probe(CPUARMState *env, int ptr_mmu_idx,
-                                  uint64_t ptr, MMUAccessType ptr_access,
-                                  int ptr_size, MMUAccessType tag_access,
-                                  bool probe, uintptr_t ra)
-{
-#ifdef CONFIG_USER_ONLY
-    uint64_t clean_ptr = useronly_clean_ptr(ptr);
-    int flags = page_get_flags(clean_ptr);
-    uint8_t *tags;
-    uintptr_t index;
-
-    assert(!(probe && ra));
-
-    if (!(flags & (ptr_access == MMU_DATA_STORE ? PAGE_WRITE_ORG : PAGE_READ))) {
-        if (probe) {
-            return NULL;
-        }
-        cpu_loop_exit_sigsegv(env_cpu(env), ptr, ptr_access,
-                              !(flags & PAGE_VALID), ra);
-    }
-
-    /* Require both MAP_ANON and PROT_MTE for the page. */
-    if (!(flags & PAGE_ANON) || !(flags & PAGE_MTE)) {
-        return NULL;
-    }
-
-    tags = page_get_target_data(clean_ptr);
-
-    index = extract32(ptr, LOG2_TAG_GRANULE + 1,
-                      TARGET_PAGE_BITS - LOG2_TAG_GRANULE - 1);
-    return tags + index;
-#else
-    CPUTLBEntryFull *full;
-    MemTxAttrs attrs;
-    int in_page, flags;
-    hwaddr ptr_paddr, tag_paddr, xlat;
-    MemoryRegion *mr;
-    ARMASIdx tag_asi;
-    AddressSpace *tag_as;
-    void *host;
-
-    /*
-     * Probe the first byte of the virtual address.  This raises an
-     * exception for inaccessible pages, and resolves the virtual address
-     * into the softmmu tlb.
-     *
-     * When RA == 0, this is either a pure probe or a no-fault-expected probe.
-     * Indicate to probe_access_flags no-fault, then either return NULL
-     * for the pure probe, or assert that we received a valid page for the
-     * no-fault-expected probe.
-     */
-    flags = probe_access_full(env, ptr, 0, ptr_access, ptr_mmu_idx,
-                              ra == 0, &host, &full, ra);
-    if (probe && (flags & TLB_INVALID_MASK)) {
-        return NULL;
-    }
-    assert(!(flags & TLB_INVALID_MASK));
-
-    /* If the virtual page MemAttr != Tagged, access unchecked. */
-    if (full->extra.arm.pte_attrs != 0xf0) {
-        return NULL;
-    }
-
-    /*
-     * If not backed by host ram, there is no tag storage: access unchecked.
-     * This is probably a guest os bug though, so log it.
-     */
-    if (unlikely(flags & TLB_MMIO)) {
-        qemu_log_mask(LOG_GUEST_ERROR,
-                      "Page @ 0x%" PRIx64 " indicates Tagged Normal memory "
-                      "but is not backed by host ram\n", ptr);
-        return NULL;
-    }
-
-    /*
-     * Remember these values across the second lookup below,
-     * which may invalidate this pointer via tlb resize.
-     */
-    ptr_paddr = full->phys_addr | (ptr & ~TARGET_PAGE_MASK);
-    attrs = full->attrs;
-    full = NULL;
-
-    /*
-     * The Normal memory access can extend to the next page.  E.g. a single
-     * 8-byte access to the last byte of a page will check only the last
-     * tag on the first page.
-     * Any page access exception has priority over tag check exception.
-     */
-    in_page = -(ptr | TARGET_PAGE_MASK);
-    if (unlikely(ptr_size > in_page)) {
-        flags |= probe_access_full(env, ptr + in_page, 0, ptr_access,
-                                   ptr_mmu_idx, ra == 0, &host, &full, ra);
-        assert(!(flags & TLB_INVALID_MASK));
-    }
-
-    /* Any debug exception has priority over a tag check exception. */
-    if (!probe && unlikely(flags & TLB_WATCHPOINT)) {
-        int wp = ptr_access == MMU_DATA_LOAD ? BP_MEM_READ : BP_MEM_WRITE;
-        assert(ra != 0);
-        cpu_check_watchpoint(env_cpu(env), ptr, ptr_size, attrs, wp, ra);
-    }
-
-    /* Convert to the physical address in tag space.  */
-    tag_paddr = ptr_paddr >> (LOG2_TAG_GRANULE + 1);
-
-    /* Look up the address in tag space. */
-    tag_asi = attrs.secure ? ARMASIdx_TagS : ARMASIdx_TagNS;
-    tag_as = cpu_get_address_space(env_cpu(env), tag_asi);
-    mr = address_space_translate(tag_as, tag_paddr, &xlat, NULL,
-                                 tag_access == MMU_DATA_STORE, attrs);
-
-    /*
-     * Note that @mr will never be NULL.  If there is nothing in the address
-     * space at @tag_paddr, the translation will return the unallocated memory
-     * region.  For our purposes, the result must be ram.
-     */
-    if (unlikely(!memory_region_is_ram(mr))) {
-        /* ??? Failure is a board configuration error. */
-        qemu_log_mask(LOG_UNIMP,
-                      "Tag Memory @ 0x%" HWADDR_PRIx " not found for "
-                      "Normal Memory @ 0x%" HWADDR_PRIx "\n",
-                      tag_paddr, ptr_paddr);
-        return NULL;
-    }
-
-    /*
-     * Ensure the tag memory is dirty on write, for migration.
-     * Tag memory can never contain code or display memory (vga).
-     */
-    if (tag_access == MMU_DATA_STORE) {
-        ram_addr_t tag_ra = memory_region_get_ram_addr(mr) + xlat;
-        cpu_physical_memory_set_dirty_flag(tag_ra, DIRTY_MEMORY_MIGRATION);
-    }
-
-    return memory_region_get_ram_ptr(mr) + xlat;
-#endif
-}
-
 static uint8_t *allocation_tag_mem(CPUARMState *env, int ptr_mmu_idx,
                                    uint64_t ptr, MMUAccessType ptr_access,
                                    int ptr_size, MMUAccessType tag_access,
@@ -268,12 +123,6 @@ uint64_t HELPER(addsubg)(CPUARMState *env, uint64_t ptr,
     return address_with_allocation_tag(ptr + offset, rtag);
 }
 
-int load_tag1(uint64_t ptr, uint8_t *mem)
-{
-    int ofs = extract32(ptr, LOG2_TAG_GRANULE, 1) * 4;
-    return extract32(*mem, ofs, 4);
-}
-
 uint64_t HELPER(ldg)(CPUARMState *env, uint64_t ptr, uint64_t xt)
 {
     int mmu_idx = arm_env_mmu_index(env);
@@ -301,13 +150,6 @@ static void check_tag_aligned(CPUARMState *env, uint64_t ptr, uintptr_t ra)
     }
 }
 
-/* For use in a non-parallel context, store to the given nibble.  */
-void store_tag1(uint64_t ptr, uint8_t *mem, int tag)
-{
-    int ofs = extract32(ptr, LOG2_TAG_GRANULE, 1) * 4;
-    *mem = deposit32(*mem, ofs, 4, tag);
-}
-
 /* For use in a parallel context, atomically store to the given nibble.  */
 static void store_tag1_parallel(uint64_t ptr, uint8_t *mem, int tag)
 {
diff --git a/target/arm/tcg/sve_helper.c b/target/arm/tcg/sve_helper.c
index 87b6b4b3e64..19b09d9f33f 100644
--- a/target/arm/tcg/sve_helper.c
+++ b/target/arm/tcg/sve_helper.c
@@ -35,6 +35,7 @@
 #ifdef CONFIG_USER_ONLY
 #include "user/page-protection.h"
 #endif
+#include "mte.h"
 
 
 /* Return a value for NZCV as per the ARM PredTest pseudofunction.
diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
index 43408c71bbd..c320501c507 100644
--- a/target/arm/tcg/translate-a64.c
+++ b/target/arm/tcg/translate-a64.c
@@ -25,6 +25,7 @@
 #include "arm_ldst.h"
 #include "semihosting/semihost.h"
 #include "cpregs.h"
+#include "mte.h"
 
 static TCGv_i64 cpu_X[32];
 static TCGv_i64 cpu_pc;
diff --git a/target/arm/tcg/translate-sve.c b/target/arm/tcg/translate-sve.c
index d23be477b4d..7f91874abd2 100644
--- a/target/arm/tcg/translate-sve.c
+++ b/target/arm/tcg/translate-sve.c
@@ -21,6 +21,7 @@
 #include "translate.h"
 #include "translate-a64.h"
 #include "fpu/softfloat.h"
+#include "mte.h"
 
 
 typedef void GVecGen2sFn(unsigned, uint32_t, uint32_t,
diff --git a/target/arm/tcg/meson.build b/target/arm/tcg/meson.build
index dd12ccedb18..72750d57a7d 100644
--- a/target/arm/tcg/meson.build
+++ b/target/arm/tcg/meson.build
@@ -34,6 +34,7 @@ arm_ss.add(files(
   'hflags.c',
   'iwmmxt_helper.c',
   'm_helper.c',
+  'mte.c',
   'mve_helper.c',
   'neon_helper.c',
   'op_helper.c',
-- 
2.47.1

[PATCH-for-10.1 8/9] linux-user/arm: Implement MTE stubs for 32-bit user emulation

[Philippe Mathieu-Daudé]

We want to build MTE code once, but on linux-user it calls
arm_set_mte_tcf0() which is only defined for Aarch64.
Expose the declaration on 32-bit ARM by renaming
aarch64/mte_user_helper.h -> arm/mte_user_helper.h, then
add a stub in arm/mte_user_helper.c.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
---
 linux-user/aarch64/mte_user_helper.h | 27 +---------------------
 linux-user/arm/mte_user_helper.h     | 34 ++++++++++++++++++++++++++++
 linux-user/arm/mte_user_helper.c     | 13 +++++++++++
 linux-user/arm/meson.build           |  2 ++
 4 files changed, 50 insertions(+), 26 deletions(-)
 create mode 100644 linux-user/arm/mte_user_helper.h
 create mode 100644 linux-user/arm/mte_user_helper.c

diff --git a/linux-user/aarch64/mte_user_helper.h b/linux-user/aarch64/mte_user_helper.h
index 0c53abda222..63f63abff62 100644
--- a/linux-user/aarch64/mte_user_helper.h
+++ b/linux-user/aarch64/mte_user_helper.h
@@ -6,29 +6,4 @@
  * SPDX-License-Identifier: LGPL-2.1-or-later
  */
 
-#ifndef AARCH64_MTE_USER_HELPER_H
-#define AARCH64_MTE USER_HELPER_H
-
-#include "user/abitypes.h"
-
-#ifndef PR_MTE_TCF_SHIFT
-# define PR_MTE_TCF_SHIFT       1
-# define PR_MTE_TCF_NONE        (0UL << PR_MTE_TCF_SHIFT)
-# define PR_MTE_TCF_SYNC        (1UL << PR_MTE_TCF_SHIFT)
-# define PR_MTE_TCF_ASYNC       (2UL << PR_MTE_TCF_SHIFT)
-# define PR_MTE_TCF_MASK        (3UL << PR_MTE_TCF_SHIFT)
-# define PR_MTE_TAG_SHIFT       3
-# define PR_MTE_TAG_MASK        (0xffffUL << PR_MTE_TAG_SHIFT)
-#endif
-
-/**
- * arm_set_mte_tcf0 - Set TCF0 field in SCTLR_EL1 register
- * @env: The CPU environment
- * @value: The value to be set for the Tag Check Fault in EL0 field.
- *
- * Only SYNC and ASYNC modes can be selected. If ASYMM mode is given, the SYNC
- * mode is selected instead. So, there is no way to set the ASYMM mode.
- */
-void arm_set_mte_tcf0(CPUArchState *env, abi_long value);
-
-#endif /* AARCH64_MTE_USER_HELPER_H */
+#include "../arm/mte_user_helper.h"
diff --git a/linux-user/arm/mte_user_helper.h b/linux-user/arm/mte_user_helper.h
new file mode 100644
index 00000000000..0c53abda222
--- /dev/null
+++ b/linux-user/arm/mte_user_helper.h
@@ -0,0 +1,34 @@
+/*
+ * ARM MemTag convenience functions.
+ *
+ * This code is licensed under the GNU GPL v2 or later.
+ *
+ * SPDX-License-Identifier: LGPL-2.1-or-later
+ */
+
+#ifndef AARCH64_MTE_USER_HELPER_H
+#define AARCH64_MTE USER_HELPER_H
+
+#include "user/abitypes.h"
+
+#ifndef PR_MTE_TCF_SHIFT
+# define PR_MTE_TCF_SHIFT       1
+# define PR_MTE_TCF_NONE        (0UL << PR_MTE_TCF_SHIFT)
+# define PR_MTE_TCF_SYNC        (1UL << PR_MTE_TCF_SHIFT)
+# define PR_MTE_TCF_ASYNC       (2UL << PR_MTE_TCF_SHIFT)
+# define PR_MTE_TCF_MASK        (3UL << PR_MTE_TCF_SHIFT)
+# define PR_MTE_TAG_SHIFT       3
+# define PR_MTE_TAG_MASK        (0xffffUL << PR_MTE_TAG_SHIFT)
+#endif
+
+/**
+ * arm_set_mte_tcf0 - Set TCF0 field in SCTLR_EL1 register
+ * @env: The CPU environment
+ * @value: The value to be set for the Tag Check Fault in EL0 field.
+ *
+ * Only SYNC and ASYNC modes can be selected. If ASYMM mode is given, the SYNC
+ * mode is selected instead. So, there is no way to set the ASYMM mode.
+ */
+void arm_set_mte_tcf0(CPUArchState *env, abi_long value);
+
+#endif /* AARCH64_MTE_USER_HELPER_H */
diff --git a/linux-user/arm/mte_user_helper.c b/linux-user/arm/mte_user_helper.c
new file mode 100644
index 00000000000..6fd19dc1073
--- /dev/null
+++ b/linux-user/arm/mte_user_helper.c
@@ -0,0 +1,13 @@
+/*
+ * ARM ARM MemTag user emulation stubs.
+ *
+ * SPDX-License-Identifier: LGPL-2.1-or-later
+ */
+
+#include "qemu/osdep.h"
+#include "mte_user_helper.h"
+
+void arm_set_mte_tcf0(CPUArchState *env, abi_long value)
+{
+    g_assert_not_reached();
+}
diff --git a/linux-user/arm/meson.build b/linux-user/arm/meson.build
index 348ffb810d7..95e8c078e29 100644
--- a/linux-user/arm/meson.build
+++ b/linux-user/arm/meson.build
@@ -24,3 +24,5 @@ vdso_le_inc = gen_vdso.process('vdso-le.so',
 linux_user_ss.add(when: 'TARGET_ARM', if_true: [
     vdso_be8_inc, vdso_be32_inc, vdso_le_inc
 ])
+
+linux_user_ss.add(when: 'TARGET_ARM', if_true: [files('mte_user_helper.c')])
-- 
2.47.1

[PATCH-for-10.1 9/9] target/arm: Build Aarch64 gdbstub helpers indistinctly

[Philippe Mathieu-Daudé]

The Aarch64 gdbstub code is guarded by checks on ARM_FEATURE_AARCH64
and isar_feature_aa64_sve(), only enabled for Aarch64 CPUs.
Remove TARGET_AARCH64 #ifdef'ry and build gdbstub64.c once.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
---
 target/arm/internals.h | 2 +-
 target/arm/gdbstub.c   | 4 ----
 target/arm/meson.build | 2 +-
 3 files changed, 2 insertions(+), 6 deletions(-)

diff --git a/target/arm/internals.h b/target/arm/internals.h
index 5e549b95e14..5fd2631e8e2 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -1682,7 +1682,6 @@ static inline uint64_t pmu_counter_mask(CPUARMState *env)
   return (1ULL << 31) | ((1ULL << pmu_num_counters(env)) - 1);
 }
 
-#ifdef TARGET_AARCH64
 GDBFeature *arm_gen_dynamic_svereg_feature(CPUState *cpu, int base_reg);
 int aarch64_gdb_get_sve_reg(CPUState *cs, GByteArray *buf, int reg);
 int aarch64_gdb_set_sve_reg(CPUState *cs, uint8_t *buf, int reg);
@@ -1692,6 +1691,7 @@ int aarch64_gdb_get_pauth_reg(CPUState *cs, GByteArray *buf, int reg);
 int aarch64_gdb_set_pauth_reg(CPUState *cs, uint8_t *buf, int reg);
 int aarch64_gdb_get_tag_ctl_reg(CPUState *cs, GByteArray *buf, int reg);
 int aarch64_gdb_set_tag_ctl_reg(CPUState *cs, uint8_t *buf, int reg);
+#ifdef TARGET_AARCH64
 void arm_cpu_sve_finalize(ARMCPU *cpu, Error **errp);
 void arm_cpu_sme_finalize(ARMCPU *cpu, Error **errp);
 void arm_cpu_pauth_finalize(ARMCPU *cpu, Error **errp);
diff --git a/target/arm/gdbstub.c b/target/arm/gdbstub.c
index 30068c22627..e76142e8ddb 100644
--- a/target/arm/gdbstub.c
+++ b/target/arm/gdbstub.c
@@ -482,10 +482,8 @@ void arm_cpu_register_gdb_commands(ARMCPU *cpu)
     g_autoptr(GString) qsupported_features = g_string_new(NULL);
 
     if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64)) {
-    #ifdef TARGET_AARCH64
         aarch64_cpu_register_gdb_commands(cpu, qsupported_features, query_table,
                                           set_table);
-    #endif
     }
 
     /* Set arch-specific handlers for 'q' commands. */
@@ -514,7 +512,6 @@ void arm_cpu_register_gdb_regs_for_features(ARMCPU *cpu)
          * The lower part of each SVE register aliases to the FPU
          * registers so we don't need to include both.
          */
-#ifdef TARGET_AARCH64
         if (isar_feature_aa64_sve(&cpu->isar)) {
             GDBFeature *feature = arm_gen_dynamic_svereg_feature(cs, cs->gdb_num_regs);
             gdb_register_coprocessor(cs, aarch64_gdb_get_sve_reg,
@@ -546,7 +543,6 @@ void arm_cpu_register_gdb_regs_for_features(ARMCPU *cpu)
                                      gdb_find_static_feature("aarch64-mte.xml"),
                                      0);
         }
-#endif
 #endif
     } else {
         if (arm_feature(env, ARM_FEATURE_NEON)) {
diff --git a/target/arm/meson.build b/target/arm/meson.build
index 3065081d241..503d106b588 100644
--- a/target/arm/meson.build
+++ b/target/arm/meson.build
@@ -3,6 +3,7 @@ arm_ss.add(files(
   'cpu.c',
   'debug_helper.c',
   'gdbstub.c',
+  'gdbstub64.c',
   'helper.c',
   'vfp_fpscr.c',
 ))
@@ -13,7 +14,6 @@ arm_ss.add(when: 'CONFIG_HVF', if_true: files('hyp_gdbstub.c'))
 
 arm_ss.add(when: 'TARGET_AARCH64', if_true: files(
   'cpu64.c',
-  'gdbstub64.c',
 ))
 
 arm_system_ss = ss.source_set()
-- 
2.47.1

Re: [PATCH-for-10.1 1/9] target/arm: Remove uses of TARGET_AARCH64 in arch_dump.c

[Richard Henderson]

On 4/4/25 15:35, Philippe Mathieu-Daudé wrote:
> It is safe to remove TARGET_AARCH64 #ifdef'ry for code
> guarded by runtime check on aa64_sve ISA feature, which
> is only available for Aarch64 CPUs.
> 
> Signed-off-by: Philippe Mathieu-Daudé<philmd@linaro.org>
> ---
>   target/arm/arch_dump.c | 6 ------
>   1 file changed, 6 deletions(-)

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>

r~

Re: [PATCH-for-10.1 2/9] target/arm: Remove use of TARGET_AARCH64 in dump.c

[Richard Henderson]

On 4/4/25 15:35, Philippe Mathieu-Daudé wrote:
> It is safe to remove TARGET_AARCH64 #ifdef'ry for code
> guarded by runtime check on aa64_sve ISA feature, which
> is only available for Aarch64 CPUs.
> 
> Signed-off-by: Philippe Mathieu-Daudé<philmd@linaro.org>
> ---
>   target/arm/cpu.c | 11 -----------
>   1 file changed, 11 deletions(-)

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>

r~

Re: [PATCH-for-10.1 3/9] target/arm: Remove use of TARGET_AARCH64 in arm_cpu_initfn()

[Richard Henderson]

On 4/4/25 15:35, Philippe Mathieu-Daudé wrote:
>   static void arm_cpu_initfn(Object *obj)
>   {
>       ARMCPU *cpu = ARM_CPU(obj);
> @@ -1482,16 +1489,16 @@ static void arm_cpu_initfn(Object *obj)
>       QLIST_INIT(&cpu->el_change_hooks);
>   
>   #ifdef CONFIG_USER_ONLY
> -# ifdef TARGET_AARCH64
> -    /*
> -     * The linux kernel defaults to 512-bit for SVE, and 256-bit for SME.
> -     * These values were chosen to fit within the default signal frame.
> -     * See documentation for /proc/sys/abi/{sve,sme}_default_vector_length,
> -     * and our corresponding cpu property.
> -     */
> -    cpu->sve_default_vq = 4;
> -    cpu->sme_default_vq = 2;
> -# endif
> +    if (arm_cpu_is_64bit(cpu)) {

     arm_feature(&cpu->env, ARM_FEATURE_AARCH64)

is a better test, but env->features is initialized by the child instance_init.
We could move this to arm_cpu_post_init, so that features is initialized.

Alternately, we could just make this unconditional, since these fields are always present 
but only read from aarch64 code.


r~

Re: [PATCH-for-10.1 4/9] target/arm/mte: Include missing headers for GETPC()

[Richard Henderson]

On 4/4/25 15:35, Philippe Mathieu-Daudé wrote:
> Some headers are indirectly pulled in. Make their inclusion
> explicit, otherwise next commit triggers:
> 
>    target/arm/tcg/mte_helper.c:188:26: error: call to undeclared function 'GETPC' [-Wimplicit-function-declaration]
>      188 |     do_stg(env, ptr, xt, GETPC(), store_tag1);
>          |                          ^
> 
> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
> ---
>   target/arm/tcg/mte_helper.c | 3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/target/arm/tcg/mte_helper.c b/target/arm/tcg/mte_helper.c
> index 7dc5fb776b3..9dcdc1d91c1 100644
> --- a/target/arm/tcg/mte_helper.c
> +++ b/target/arm/tcg/mte_helper.c
> @@ -22,7 +22,7 @@
>   #include "cpu.h"
>   #include "internals.h"
>   #include "exec/exec-all.h"
> -#include "exec/page-protection.h"
> +#include "exec/target_page.h"
>   #ifdef CONFIG_USER_ONLY
>   #include "user/cpu_loop.h"
>   #include "user/page-protection.h"
> @@ -33,6 +33,7 @@
>   #include "exec/helper-proto.h"
>   #include "exec/tlb-flags.h"
>   #include "accel/tcg/cpu-ops.h"
> +#include "accel/tcg/getpc.h"
>   #include "qapi/error.h"
>   #include "qemu/guest-random.h"
>   #include "mte_helper.h"

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>

r~

Re: [PATCH-for-10.1 5/9] target/arm/mte: Reduce address_with_allocation_tag() scope

[Richard Henderson]

On 4/4/25 15:35, Philippe Mathieu-Daudé wrote:
> address_with_allocation_tag() is only used in mte_helper.c,
> move it there.
> 
> Signed-off-by: Philippe Mathieu-Daudé<philmd@linaro.org>
> ---
>   target/arm/internals.h      | 5 -----
>   target/arm/tcg/mte_helper.c | 5 +++++
>   2 files changed, 5 insertions(+), 5 deletions(-)

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>

Re: [PATCH-for-10.1 6/9] target/arm/mte: Rename 'mte_helper.h' as generic 'mte.h'

[Richard Henderson]

On 4/4/25 15:35, Philippe Mathieu-Daudé wrote:
> "tcg/mte_helper.h" header name is a bit misleading, since it
> isn't restricted to TCG helpers. Rename it as "tcg/mte.h"
> which is a bit more generic.
> 
> Signed-off-by: Philippe Mathieu-Daudé<philmd@linaro.org>
> ---
>   target/arm/tcg/{mte_helper.h => mte.h} | 0
>   target/arm/gdbstub64.c                 | 2 +-
>   target/arm/tcg/mte_helper.c            | 2 +-
>   3 files changed, 2 insertions(+), 2 deletions(-)
>   rename target/arm/tcg/{mte_helper.h => mte.h} (100%)

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>

r~

Re: [PATCH-for-10.1 9/9] target/arm: Build Aarch64 gdbstub helpers indistinctly

[Richard Henderson]

On 4/4/25 15:35, Philippe Mathieu-Daudé wrote:
> diff --git a/target/arm/meson.build b/target/arm/meson.build
> index 3065081d241..503d106b588 100644
> --- a/target/arm/meson.build
> +++ b/target/arm/meson.build
> @@ -3,6 +3,7 @@ arm_ss.add(files(
>     'cpu.c',
>     'debug_helper.c',
>     'gdbstub.c',
> +  'gdbstub64.c',
>     'helper.c',
>     'vfp_fpscr.c',
>   ))
> @@ -13,7 +14,6 @@ arm_ss.add(when: 'CONFIG_HVF', if_true: files('hyp_gdbstub.c'))
>   
>   arm_ss.add(when: 'TARGET_AARCH64', if_true: files(
>     'cpu64.c',
> -  'gdbstub64.c',
>   ))

This doesn't do what you say is does.  The object file is still in arm_ss, though 
unconditionally instead of conditionally.  Which causes all of the other follow-on 
problems you saw.

I'm not fond of either this or the previous patch.  I'm surprised that you're touching 
anything wrt CONFIG_USER_ONLY.


r~

Re: [PATCH-for-10.1 7/9] target/arm/mte: Restrict MTE declarations

[Richard Henderson]

On 4/4/25 15:35, Philippe Mathieu-Daudé wrote:
> Move MTE declarations out of "internals.h" to TCG "mte.h".
> Include "mte.h" when necessary.
> 
> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
> ---
>   target/arm/internals.h             | 121 --------------------
>   target/arm/tcg/mte.h               | 124 ++++++++++++++++++++
>   target/arm/tcg/sve_ldst_internal.h |   1 +
>   target/arm/tcg/helper-a64.c        |   1 +
>   target/arm/tcg/mte.c               | 175 +++++++++++++++++++++++++++++
>   target/arm/tcg/mte_helper.c        | 160 +-------------------------
This moves more than declarations...


r~