[Qemu-devel] [PATCH v1 0/4] Mixed ARM A64 fixes

[Qemu-devel] [PATCH v1 0/4] Mixed ARM A64 fixes

[Edgar E. Iglesias]

From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>

Hi Peter,

This series fixes a few things I've noticed when running and looking at
the aarch64 port.

Cheers,
Edgar

Edgar E. Iglesias (4):
  target-arm: Make vbar_write 64bit friendly on 32bit hosts
  target-arm: A64: Handle blr lr
  target-arm: A64: Fix a typo when declaring TLBI ops
  target-arm: Correct a comment refering to EL0

 target-arm/helper.c        | 26 +++++++++++++-------------
 target-arm/op_helper.c     |  2 +-
 target-arm/translate-a64.c |  3 ++-
 3 files changed, 16 insertions(+), 15 deletions(-)

-- 
1.8.3.2

[Qemu-devel] [PATCH v1 1/4] target-arm: Make vbar_write 64bit friendly on 32bit hosts

[Edgar E. Iglesias]

From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>

Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
---
 target-arm/helper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target-arm/helper.c b/target-arm/helper.c
index 43c1b4f..330bfc7 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -657,7 +657,7 @@ static void vbar_write(CPUARMState *env, const ARMCPRegInfo *ri,
      * contexts. (ARMv8 would permit us to do no masking at all, but ARMv7
      * requires the bottom five bits to be RAZ/WI because they're UNK/SBZP.)
      */
-    env->cp15.c12_vbar = value & ~0x1Ful;
+    env->cp15.c12_vbar = value & ~0x1FULL;
 }
 
 static uint64_t ccsidr_read(CPUARMState *env, const ARMCPRegInfo *ri)
-- 
1.8.3.2

Re: [Qemu-devel] [PATCH v1 1/4] target-arm: Make vbar_write 64bitfriendly on 32bit hostss

[Alex Bennée]

Edgar E. Iglesias <edgar.iglesias@gmail.com> writes:

> From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>
>
> Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>

> ---
>  target-arm/helper.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/target-arm/helper.c b/target-arm/helper.c
> index 43c1b4f..330bfc7 100644
> --- a/target-arm/helper.c
> +++ b/target-arm/helper.c
> @@ -657,7 +657,7 @@ static void vbar_write(CPUARMState *env, const ARMCPRegInfo *ri,
>       * contexts. (ARMv8 would permit us to do no masking at all, but ARMv7
>       * requires the bottom five bits to be RAZ/WI because they're UNK/SBZP.)
>       */
> -    env->cp15.c12_vbar = value & ~0x1Ful;
> +    env->cp15.c12_vbar = value & ~0x1FULL;
>  }
>  
>  static uint64_t ccsidr_read(CPUARMState *env, const ARMCPRegInfo *ri)

-- 
Alex Bennée

Re: [Qemu-devel] [PATCH v1 1/4] target-arm: Make vbar_write 64bit friendly on 32bit hosts

[Peter Crosthwaite]

On Thu, May 1, 2014 at 4:34 PM, Edgar E. Iglesias
<edgar.iglesias@gmail.com> wrote:
> From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>
>
> Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>

Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>

> ---
>  target-arm/helper.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/target-arm/helper.c b/target-arm/helper.c
> index 43c1b4f..330bfc7 100644
> --- a/target-arm/helper.c
> +++ b/target-arm/helper.c
> @@ -657,7 +657,7 @@ static void vbar_write(CPUARMState *env, const ARMCPRegInfo *ri,
>       * contexts. (ARMv8 would permit us to do no masking at all, but ARMv7
>       * requires the bottom five bits to be RAZ/WI because they're UNK/SBZP.)
>       */
> -    env->cp15.c12_vbar = value & ~0x1Ful;
> +    env->cp15.c12_vbar = value & ~0x1FULL;
>  }
>
>  static uint64_t ccsidr_read(CPUARMState *env, const ARMCPRegInfo *ri)
> --
> 1.8.3.2
>
>

[Qemu-devel] [PATCH v1 2/4] target-arm: A64: Handle blr lr

[Edgar E. Iglesias]

From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>

For linked branches, updates to the link register happen
conceptually after the read of the branch target register.

Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
---
 target-arm/translate-a64.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/target-arm/translate-a64.c b/target-arm/translate-a64.c
index d86b8ff..0862e54 100644
--- a/target-arm/translate-a64.c
+++ b/target-arm/translate-a64.c
@@ -1507,8 +1507,10 @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
     switch (opc) {
     case 0: /* BR */
     case 2: /* RET */
+        tcg_gen_mov_i64(cpu_pc, cpu_reg(s, rn));
         break;
     case 1: /* BLR */
+        tcg_gen_mov_i64(cpu_pc, cpu_reg(s, rn));
         tcg_gen_movi_i64(cpu_reg(s, 30), s->pc);
         break;
     case 4: /* ERET */
@@ -1527,7 +1529,6 @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
         return;
     }
 
-    tcg_gen_mov_i64(cpu_pc, cpu_reg(s, rn));
     s->is_jmp = DISAS_JUMP;
 }
 
-- 
1.8.3.2

Re: [Qemu-devel] [PATCH v1 2/4] target-arm: A64: Handle blr lr

[Alex Bennée]

Edgar E. Iglesias <edgar.iglesias@gmail.com> writes:

> From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>
>
> For linked branches, updates to the link register happen
> conceptually after the read of the branch target register.
>
> Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>

I'm trying to think of a case where this could actually cause a problem
but I can't. However from a clarity/correctness point of view it's
better.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>

> ---
>  target-arm/translate-a64.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/target-arm/translate-a64.c b/target-arm/translate-a64.c
> index d86b8ff..0862e54 100644
> --- a/target-arm/translate-a64.c
> +++ b/target-arm/translate-a64.c
> @@ -1507,8 +1507,10 @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
>      switch (opc) {
>      case 0: /* BR */
>      case 2: /* RET */
> +        tcg_gen_mov_i64(cpu_pc, cpu_reg(s, rn));
>          break;
>      case 1: /* BLR */
> +        tcg_gen_mov_i64(cpu_pc, cpu_reg(s, rn));
>          tcg_gen_movi_i64(cpu_reg(s, 30), s->pc);
>          break;
>      case 4: /* ERET */
> @@ -1527,7 +1529,6 @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
>          return;
>      }
>  
> -    tcg_gen_mov_i64(cpu_pc, cpu_reg(s, rn));
>      s->is_jmp = DISAS_JUMP;
>  }

-- 
Alex Bennée

Re: [Qemu-devel] [PATCH v1 2/4] target-arm: A64: Handle blr lr

[Peter Maydell]

On 1 May 2014 10:02, Alex Bennée <alex.bennee@linaro.org> wrote:
>
> Edgar E. Iglesias <edgar.iglesias@gmail.com> writes:
>
>> From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>
>>
>> For linked branches, updates to the link register happen
>> conceptually after the read of the branch target register.
>>
>> Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
>
> I'm trying to think of a case where this could actually cause a problem
> but I can't. However from a clarity/correctness point of view it's
> better.

Well, we actually misexecute "BLR LR" otherwise, right?
That's probably not very common but there's no reason it
might not occur (eg call to a function pointer from a
function where LR has been saved on entry and is free
for use as a generic tempreg).

Cc: qemu-stable@nongnu.org

thanks
-- PMM

Re: [Qemu-devel] [PATCH v1 2/4] target-arm: A64: Handle blr lr

[Edgar E. Iglesias]

On Thu, May 01, 2014 at 10:31:06AM +0100, Peter Maydell wrote:
> On 1 May 2014 10:02, Alex Bennée <alex.bennee@linaro.org> wrote:
> >
> > Edgar E. Iglesias <edgar.iglesias@gmail.com> writes:
> >
> >> From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>
> >>
> >> For linked branches, updates to the link register happen
> >> conceptually after the read of the branch target register.
> >>
> >> Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
> >
> > I'm trying to think of a case where this could actually cause a problem
> > but I can't. However from a clarity/correctness point of view it's
> > better.
> 
> Well, we actually misexecute "BLR LR" otherwise, right?
> That's probably not very common but there's no reason it
> might not occur (eg call to a function pointer from a
> function where LR has been saved on entry and is free
> for use as a generic tempreg).

Right. For example, the kernel/kvm actually does this in
arch/arm64/kvm/hyp.S:773:       blr     lr

Thanks,
Edgar

Re: [Qemu-devel] [PATCH v1 2/4] target-arm: A64: Handle blr lr

[Alex Bennée]

Edgar E. Iglesias <edgar.iglesias@gmail.com> writes:

> On Thu, May 01, 2014 at 10:31:06AM +0100, Peter Maydell wrote:
>> On 1 May 2014 10:02, Alex Bennée <alex.bennee@linaro.org> wrote:
>> >
>> > Edgar E. Iglesias <edgar.iglesias@gmail.com> writes:
>> >
>> >> From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>
>> >>
>> >> For linked branches, updates to the link register happen
>> >> conceptually after the read of the branch target register.
>> >>
>> >> Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
>> >
>> > I'm trying to think of a case where this could actually cause a problem
>> > but I can't. However from a clarity/correctness point of view it's
>> > better.
>> 
>> Well, we actually misexecute "BLR LR" otherwise, right?
>> That's probably not very common but there's no reason it
>> might not occur (eg call to a function pointer from a
>> function where LR has been saved on entry and is free
>> for use as a generic tempreg).
>
> Right. For example, the kernel/kvm actually does this in
> arch/arm64/kvm/hyp.S:773:       blr     lr

Of course, I see know ;-)

-- 
Alex Bennée

[Qemu-devel] [PATCH v1 3/4] target-arm: A64: Fix a typo when declaring TLBI ops

[Edgar E. Iglesias]

From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>

Harmless typo as opc1 defaults to zero and opc2 gets
re-declared to its correct value.

Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
---
 target-arm/helper.c | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/target-arm/helper.c b/target-arm/helper.c
index 330bfc7..0b8e8aa 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -1893,51 +1893,51 @@ static const ARMCPRegInfo v8_cp_reginfo[] = {
       .access = PL1_W, .type = ARM_CP_NOP },
     /* TLBI operations */
     { .name = "TLBI_VMALLE1IS", .state = ARM_CP_STATE_AA64,
-      .opc0 = 1, .opc2 = 0, .crn = 8, .crm = 3, .opc2 = 0,
+      .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 0,
       .access = PL1_W, .type = ARM_CP_NO_MIGRATE,
       .writefn = tlbiall_write },
     { .name = "TLBI_VAE1IS", .state = ARM_CP_STATE_AA64,
-      .opc0 = 1, .opc2 = 0, .crn = 8, .crm = 3, .opc2 = 1,
+      .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 1,
       .access = PL1_W, .type = ARM_CP_NO_MIGRATE,
       .writefn = tlbi_aa64_va_write },
     { .name = "TLBI_ASIDE1IS", .state = ARM_CP_STATE_AA64,
-      .opc0 = 1, .opc2 = 0, .crn = 8, .crm = 3, .opc2 = 2,
+      .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 2,
       .access = PL1_W, .type = ARM_CP_NO_MIGRATE,
       .writefn = tlbi_aa64_asid_write },
     { .name = "TLBI_VAAE1IS", .state = ARM_CP_STATE_AA64,
-      .opc0 = 1, .opc2 = 0, .crn = 8, .crm = 3, .opc2 = 3,
+      .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 3,
       .access = PL1_W, .type = ARM_CP_NO_MIGRATE,
       .writefn = tlbi_aa64_vaa_write },
     { .name = "TLBI_VALE1IS", .state = ARM_CP_STATE_AA64,
-      .opc0 = 1, .opc2 = 0, .crn = 8, .crm = 3, .opc2 = 5,
+      .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 5,
       .access = PL1_W, .type = ARM_CP_NO_MIGRATE,
       .writefn = tlbi_aa64_va_write },
     { .name = "TLBI_VAALE1IS", .state = ARM_CP_STATE_AA64,
-      .opc0 = 1, .opc2 = 0, .crn = 8, .crm = 3, .opc2 = 7,
+      .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 7,
       .access = PL1_W, .type = ARM_CP_NO_MIGRATE,
       .writefn = tlbi_aa64_vaa_write },
     { .name = "TLBI_VMALLE1", .state = ARM_CP_STATE_AA64,
-      .opc0 = 1, .opc2 = 0, .crn = 8, .crm = 7, .opc2 = 0,
+      .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 0,
       .access = PL1_W, .type = ARM_CP_NO_MIGRATE,
       .writefn = tlbiall_write },
     { .name = "TLBI_VAE1", .state = ARM_CP_STATE_AA64,
-      .opc0 = 1, .opc2 = 0, .crn = 8, .crm = 7, .opc2 = 1,
+      .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 1,
       .access = PL1_W, .type = ARM_CP_NO_MIGRATE,
       .writefn = tlbi_aa64_va_write },
     { .name = "TLBI_ASIDE1", .state = ARM_CP_STATE_AA64,
-      .opc0 = 1, .opc2 = 0, .crn = 8, .crm = 7, .opc2 = 2,
+      .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 2,
       .access = PL1_W, .type = ARM_CP_NO_MIGRATE,
       .writefn = tlbi_aa64_asid_write },
     { .name = "TLBI_VAAE1", .state = ARM_CP_STATE_AA64,
-      .opc0 = 1, .opc2 = 0, .crn = 8, .crm = 7, .opc2 = 3,
+      .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 3,
       .access = PL1_W, .type = ARM_CP_NO_MIGRATE,
       .writefn = tlbi_aa64_vaa_write },
     { .name = "TLBI_VALE1", .state = ARM_CP_STATE_AA64,
-      .opc0 = 1, .opc2 = 0, .crn = 8, .crm = 7, .opc2 = 5,
+      .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 5,
       .access = PL1_W, .type = ARM_CP_NO_MIGRATE,
       .writefn = tlbi_aa64_va_write },
     { .name = "TLBI_VAALE1", .state = ARM_CP_STATE_AA64,
-      .opc0 = 1, .opc2 = 0, .crn = 8, .crm = 7, .opc2 = 7,
+      .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 7,
       .access = PL1_W, .type = ARM_CP_NO_MIGRATE,
       .writefn = tlbi_aa64_vaa_write },
 #ifndef CONFIG_USER_ONLY
-- 
1.8.3.2

Re: [Qemu-devel] [PATCH v1 3/4] target-arm: A64: Fix a typo whendeclaring TLBI opss

[Alex Bennée]

Edgar E. Iglesias <edgar.iglesias@gmail.com> writes:

> From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>
>
> Harmless typo as opc1 defaults to zero and opc2 gets
> re-declared to its correct value.
>
> Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>

> ---
>  target-arm/helper.c | 24 ++++++++++++------------
>  1 file changed, 12 insertions(+), 12 deletions(-)
>
> diff --git a/target-arm/helper.c b/target-arm/helper.c
> index 330bfc7..0b8e8aa 100644
> --- a/target-arm/helper.c
> +++ b/target-arm/helper.c
> @@ -1893,51 +1893,51 @@ static const ARMCPRegInfo v8_cp_reginfo[] = {
>        .access = PL1_W, .type = ARM_CP_NOP },
>      /* TLBI operations */
>      { .name = "TLBI_VMALLE1IS", .state = ARM_CP_STATE_AA64,
> -      .opc0 = 1, .opc2 = 0, .crn = 8, .crm = 3, .opc2 = 0,
> +      .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 0,
>        .access = PL1_W, .type = ARM_CP_NO_MIGRATE,
>        .writefn = tlbiall_write },
>      { .name = "TLBI_VAE1IS", .state = ARM_CP_STATE_AA64,
> -      .opc0 = 1, .opc2 = 0, .crn = 8, .crm = 3, .opc2 = 1,
> +      .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 1,
>        .access = PL1_W, .type = ARM_CP_NO_MIGRATE,
>        .writefn = tlbi_aa64_va_write },
>      { .name = "TLBI_ASIDE1IS", .state = ARM_CP_STATE_AA64,
> -      .opc0 = 1, .opc2 = 0, .crn = 8, .crm = 3, .opc2 = 2,
> +      .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 2,
>        .access = PL1_W, .type = ARM_CP_NO_MIGRATE,
>        .writefn = tlbi_aa64_asid_write },
>      { .name = "TLBI_VAAE1IS", .state = ARM_CP_STATE_AA64,
> -      .opc0 = 1, .opc2 = 0, .crn = 8, .crm = 3, .opc2 = 3,
> +      .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 3,
>        .access = PL1_W, .type = ARM_CP_NO_MIGRATE,
>        .writefn = tlbi_aa64_vaa_write },
>      { .name = "TLBI_VALE1IS", .state = ARM_CP_STATE_AA64,
> -      .opc0 = 1, .opc2 = 0, .crn = 8, .crm = 3, .opc2 = 5,
> +      .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 5,
>        .access = PL1_W, .type = ARM_CP_NO_MIGRATE,
>        .writefn = tlbi_aa64_va_write },
>      { .name = "TLBI_VAALE1IS", .state = ARM_CP_STATE_AA64,
> -      .opc0 = 1, .opc2 = 0, .crn = 8, .crm = 3, .opc2 = 7,
> +      .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 7,
>        .access = PL1_W, .type = ARM_CP_NO_MIGRATE,
>        .writefn = tlbi_aa64_vaa_write },
>      { .name = "TLBI_VMALLE1", .state = ARM_CP_STATE_AA64,
> -      .opc0 = 1, .opc2 = 0, .crn = 8, .crm = 7, .opc2 = 0,
> +      .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 0,
>        .access = PL1_W, .type = ARM_CP_NO_MIGRATE,
>        .writefn = tlbiall_write },
>      { .name = "TLBI_VAE1", .state = ARM_CP_STATE_AA64,
> -      .opc0 = 1, .opc2 = 0, .crn = 8, .crm = 7, .opc2 = 1,
> +      .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 1,
>        .access = PL1_W, .type = ARM_CP_NO_MIGRATE,
>        .writefn = tlbi_aa64_va_write },
>      { .name = "TLBI_ASIDE1", .state = ARM_CP_STATE_AA64,
> -      .opc0 = 1, .opc2 = 0, .crn = 8, .crm = 7, .opc2 = 2,
> +      .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 2,
>        .access = PL1_W, .type = ARM_CP_NO_MIGRATE,
>        .writefn = tlbi_aa64_asid_write },
>      { .name = "TLBI_VAAE1", .state = ARM_CP_STATE_AA64,
> -      .opc0 = 1, .opc2 = 0, .crn = 8, .crm = 7, .opc2 = 3,
> +      .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 3,
>        .access = PL1_W, .type = ARM_CP_NO_MIGRATE,
>        .writefn = tlbi_aa64_vaa_write },
>      { .name = "TLBI_VALE1", .state = ARM_CP_STATE_AA64,
> -      .opc0 = 1, .opc2 = 0, .crn = 8, .crm = 7, .opc2 = 5,
> +      .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 5,
>        .access = PL1_W, .type = ARM_CP_NO_MIGRATE,
>        .writefn = tlbi_aa64_va_write },
>      { .name = "TLBI_VAALE1", .state = ARM_CP_STATE_AA64,
> -      .opc0 = 1, .opc2 = 0, .crn = 8, .crm = 7, .opc2 = 7,
> +      .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 7,
>        .access = PL1_W, .type = ARM_CP_NO_MIGRATE,
>        .writefn = tlbi_aa64_vaa_write },
>  #ifndef CONFIG_USER_ONLY

-- 
Alex Bennée

[Qemu-devel] [PATCH v1 4/4] target-arm: Correct a comment refering to EL0

[Edgar E. Iglesias]

From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>

Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
---
 target-arm/op_helper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target-arm/op_helper.c b/target-arm/op_helper.c
index 57e7d9c..fb90676 100644
--- a/target-arm/op_helper.c
+++ b/target-arm/op_helper.c
@@ -418,7 +418,7 @@ void HELPER(exception_return)(CPUARMState *env)
             goto illegal_return;
         }
         if (new_el == 0 && (spsr & PSTATE_SP)) {
-            /* Return to EL1 with M[0] bit set */
+            /* Return to EL0 with M[0] bit set */
             goto illegal_return;
         }
         env->aarch64 = 1;
-- 
1.8.3.2