[PULL 0/7] target-arm queue

[PULL 0/7] target-arm queue

[Peter Maydell]

Target-arm queue for rc2 -- just some minor bugfixes.

thanks
-- PMM

The following changes since commit 6e5d4999c761ffa082f60d72a14e5c953515b417:

  Merge remote-tracking branch 'remotes/armbru/tags/pull-monitor-2019-11-19' into staging (2019-11-19 11:29:01 +0000)

are available in the Git repository at:

  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20191119

for you to fetch changes up to 04c9c81b8fa2ee33f59a26265700fae6fc646062:

  target/arm: Support EL0 v7m msr/mrs for CONFIG_USER_ONLY (2019-11-19 13:20:28 +0000)

----------------------------------------------------------------
target-arm queue:
 * Support EL0 v7m msr/mrs for CONFIG_USER_ONLY
 * Relax r13 restriction for ldrex/strex for v8.0
 * Do not reject rt == rt2 for strexd
 * net/cadence_gem: Set PHY autonegotiation restart status
 * ssi: xilinx_spips: Skip spi bus update for a few register writes
 * pl031: Expose RTCICR as proper WC register

----------------------------------------------------------------
Alexander Graf (1):
      pl031: Expose RTCICR as proper WC register

Linus Ziegert (1):
      net/cadence_gem: Set PHY autonegotiation restart status

Richard Henderson (4):
      target/arm: Merge arm_cpu_vq_map_next_smaller into sole caller
      target/arm: Do not reject rt == rt2 for strexd
      target/arm: Relax r13 restriction for ldrex/strex for v8.0
      target/arm: Support EL0 v7m msr/mrs for CONFIG_USER_ONLY

Sai Pavan Boddu (1):
      ssi: xilinx_spips: Skip spi bus update for a few register writes

 target/arm/cpu.h       |   5 +--
 hw/net/cadence_gem.c   |   9 ++--
 hw/rtc/pl031.c         |   6 +--
 hw/ssi/xilinx_spips.c  |  22 ++++++++--
 target/arm/cpu64.c     |  15 -------
 target/arm/helper.c    |   9 +++-
 target/arm/m_helper.c  | 114 ++++++++++++++++++++++++++++++-------------------
 target/arm/translate.c |  14 +++---
 8 files changed, 113 insertions(+), 81 deletions(-)

Re: [PULL 0/7] target-arm queue

[Peter Maydell]

On Tue, 19 Nov 2019 at 13:31, Peter Maydell <peter.maydell@linaro.org> wrote:
>
> Target-arm queue for rc2 -- just some minor bugfixes.
>
> thanks
> -- PMM
>
> The following changes since commit 6e5d4999c761ffa082f60d72a14e5c953515b417:
>
>   Merge remote-tracking branch 'remotes/armbru/tags/pull-monitor-2019-11-19' into staging (2019-11-19 11:29:01 +0000)
>
> are available in the Git repository at:
>
>   https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20191119
>
> for you to fetch changes up to 04c9c81b8fa2ee33f59a26265700fae6fc646062:
>
>   target/arm: Support EL0 v7m msr/mrs for CONFIG_USER_ONLY (2019-11-19 13:20:28 +0000)
>
> ----------------------------------------------------------------
> target-arm queue:
>  * Support EL0 v7m msr/mrs for CONFIG_USER_ONLY
>  * Relax r13 restriction for ldrex/strex for v8.0
>  * Do not reject rt == rt2 for strexd
>  * net/cadence_gem: Set PHY autonegotiation restart status
>  * ssi: xilinx_spips: Skip spi bus update for a few register writes
>  * pl031: Expose RTCICR as proper WC register
>



Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/4.2
for any user-visible changes.

-- PMM

[PULL 0/7] target-arm queue

[Peter Maydell]

Just some bugfixes this time around.

-- PMM

The following changes since commit 4215d3413272ad6d1c6c9d0234450b602e46a74c:

  Merge remote-tracking branch 'remotes/dgibson/tags/ppc-for-5.1-20200727' into staging (2020-07-27 09:33:04 +0100)

are available in the Git repository at:

  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20200727

for you to fetch changes up to d4f6dda182e19afa75706936805e18397cb95f07:

  target/arm: Improve IMPDEF algorithm for IRG (2020-07-27 16:12:11 +0100)

----------------------------------------------------------------
target-arm queue:
 * ACPI: Assert that we don't run out of the preallocated memory
 * hw/misc/aspeed_sdmc: Fix incorrect memory size
 * target/arm: Always pass cacheattr in S1_ptw_translate
 * docs/system/arm/virt: Document 'mte' machine option
 * hw/arm/boot: Fix PAUTH, MTE for EL3 direct kernel boot
 * target/arm: Improve IMPDEF algorithm for IRG

----------------------------------------------------------------
Dongjiu Geng (1):
      ACPI: Assert that we don't run out of the preallocated memory

Peter Maydell (1):
      docs/system/arm/virt: Document 'mte' machine option

Philippe Mathieu-Daudé (1):
      hw/misc/aspeed_sdmc: Fix incorrect memory size

Richard Henderson (4):
      target/arm: Always pass cacheattr in S1_ptw_translate
      hw/arm/boot: Fix PAUTH for EL3 direct kernel boot
      hw/arm/boot: Fix MTE for EL3 direct kernel boot
      target/arm: Improve IMPDEF algorithm for IRG

 docs/system/arm/virt.rst |  4 ++++
 hw/acpi/ghes.c           | 12 ++++--------
 hw/arm/boot.c            |  6 ++++++
 hw/misc/aspeed_sdmc.c    |  7 ++++---
 target/arm/helper.c      | 19 ++++++-------------
 target/arm/mte_helper.c  | 37 ++++++++++++++++++++++++++++++-------
 6 files changed, 54 insertions(+), 31 deletions(-)

Re: [PULL 0/7] target-arm queue

[Peter Maydell]

On Mon, 27 Jul 2020 at 16:19, Peter Maydell <peter.maydell@linaro.org> wrote:
>
> Just some bugfixes this time around.
>
> -- PMM
>
> The following changes since commit 4215d3413272ad6d1c6c9d0234450b602e46a74c:
>
>   Merge remote-tracking branch 'remotes/dgibson/tags/ppc-for-5.1-20200727' into staging (2020-07-27 09:33:04 +0100)
>
> are available in the Git repository at:
>
>   https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20200727
>
> for you to fetch changes up to d4f6dda182e19afa75706936805e18397cb95f07:
>
>   target/arm: Improve IMPDEF algorithm for IRG (2020-07-27 16:12:11 +0100)
>
> ----------------------------------------------------------------
> target-arm queue:
>  * ACPI: Assert that we don't run out of the preallocated memory
>  * hw/misc/aspeed_sdmc: Fix incorrect memory size
>  * target/arm: Always pass cacheattr in S1_ptw_translate
>  * docs/system/arm/virt: Document 'mte' machine option
>  * hw/arm/boot: Fix PAUTH, MTE for EL3 direct kernel boot
>  * target/arm: Improve IMPDEF algorithm for IRG
>

Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/5.1
for any user-visible changes.

-- PMM

[PULL 0/7] target-arm queue

[Peter Maydell]

Small pullreq with some bug fixes to go into rc1.

-- PMM

The following changes since commit 5ca634afcf83215a9a54ca6e66032325b5ffb5f6:

  Merge remote-tracking branch 'remotes/philmd/tags/sdmmc-20210322' into staging (2021-03-22 18:50:25 +0000)

are available in the Git repository at:

  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20210323

for you to fetch changes up to dad90de78e9e9d47cefcbcd30115706b98e6ec87:

  target/arm: Set ARMMMUFaultInfo.level in user-only arm_cpu_tlb_fill (2021-03-23 14:07:55 +0000)

----------------------------------------------------------------
target-arm queue:
 * hw/arm/virt: Disable pl011 clock migration if needed
 * target/arm: Make M-profile VTOR loads on reset handle memory aliasing
 * target/arm: Set ARMMMUFaultInfo.level in user-only arm_cpu_tlb_fill

----------------------------------------------------------------
Gavin Shan (1):
      hw/arm/virt: Disable pl011 clock migration if needed

Peter Maydell (5):
      memory: Make flatview_cb return bool, not int
      memory: Document flatview_for_each_range()
      memory: Add offset_in_region to flatview_cb arguments
      hw/core/loader: Add new function rom_ptr_for_as()
      target/arm: Make M-profile VTOR loads on reset handle memory aliasing

Richard Henderson (1):
      target/arm: Set ARMMMUFaultInfo.level in user-only arm_cpu_tlb_fill

 include/exec/memory.h           | 32 +++++++++++++++---
 include/hw/char/pl011.h         |  1 +
 include/hw/loader.h             | 31 +++++++++++++++++
 hw/char/pl011.c                 |  9 +++++
 hw/core/loader.c                | 75 +++++++++++++++++++++++++++++++++++++++++
 hw/core/machine.c               |  1 +
 softmmu/memory.c                |  4 ++-
 target/arm/cpu.c                |  2 +-
 target/arm/tlb_helper.c         |  1 +
 tests/qtest/fuzz/generic_fuzz.c | 11 +++---
 10 files changed, 157 insertions(+), 10 deletions(-)

Re: [PULL 0/7] target-arm queue

[Peter Maydell]

On Tue, 23 Mar 2021 at 14:26, Peter Maydell <peter.maydell@linaro.org> wrote:
>
> Small pullreq with some bug fixes to go into rc1.
>
> -- PMM
>
> The following changes since commit 5ca634afcf83215a9a54ca6e66032325b5ffb5f6:
>
>   Merge remote-tracking branch 'remotes/philmd/tags/sdmmc-20210322' into staging (2021-03-22 18:50:25 +0000)
>
> are available in the Git repository at:
>
>   https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20210323
>
> for you to fetch changes up to dad90de78e9e9d47cefcbcd30115706b98e6ec87:
>
>   target/arm: Set ARMMMUFaultInfo.level in user-only arm_cpu_tlb_fill (2021-03-23 14:07:55 +0000)
>
> ----------------------------------------------------------------
> target-arm queue:
>  * hw/arm/virt: Disable pl011 clock migration if needed
>  * target/arm: Make M-profile VTOR loads on reset handle memory aliasing
>  * target/arm: Set ARMMMUFaultInfo.level in user-only arm_cpu_tlb_fill
>
> ----------------------------------------------------------------


Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/6.0
for any user-visible changes.

-- PMM

[PULL 0/7] target-arm queue

[Peter Maydell]

Hi; this pull request has a collection of bug fixes for rc0.
The big one is the trusted firmware boot regression fix.

thanks
-- PMM

The following changes since commit ece5f8374d0416a339f0c0a9399faa2c42d4ad6f:

  Merge tag 'linux-user-for-7.2-pull-request' of https://gitlab.com/laurent_vivier/qemu into staging (2022-11-03 10:55:05 -0400)

are available in the Git repository at:

  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20221104

for you to fetch changes up to cead7fa4c06087c86c67c5ce815cc1ff0bfeac3a:

  target/arm: Two fixes for secure ptw (2022-11-04 10:58:58 +0000)

----------------------------------------------------------------
target-arm queue:
 * Fix regression booting Trusted Firmware
 * Honor HCR_E2H and HCR_TGE in ats_write64()
 * Copy the entire vector in DO_ZIP
 * Fix Privileged Access Never (PAN) for aarch32
 * Make TLBIOS and TLBIRANGE ops trap on HCR_EL2.TTLB
 * Set SCR_EL3.HXEn when direct booting kernel
 * Set SME and SVE EL3 vector lengths when direct booting kernel

----------------------------------------------------------------
Ake Koomsin (1):
      target/arm: Honor HCR_E2H and HCR_TGE in ats_write64()

Peter Maydell (3):
      hw/arm/boot: Set SME and SVE EL3 vector lengths when booting kernel
      hw/arm/boot: Set SCR_EL3.HXEn when booting kernel
      target/arm: Make TLBIOS and TLBIRANGE ops trap on HCR_EL2.TTLB

Richard Henderson (2):
      target/arm: Copy the entire vector in DO_ZIP
      target/arm: Two fixes for secure ptw

Timofey Kutergin (1):
      target/arm: Fix Privileged Access Never (PAN) for aarch32

 hw/arm/boot.c           |  5 ++++
 target/arm/helper.c     | 64 +++++++++++++++++++++++++++++--------------------
 target/arm/ptw.c        | 50 ++++++++++++++++++++++++++++----------
 target/arm/sve_helper.c |  4 ++--
 4 files changed, 83 insertions(+), 40 deletions(-)

Re: [PULL 0/7] target-arm queue

[Stefan Hajnoczi]

[-- Attachment #1: Type: text/plain, Size: 115 bytes --]

Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/7.2 for any user-visible changes.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

[PULL 0/7] target-arm queue

[Peter Maydell]

A last small test of bug fixes before rc1.

thanks
-- PMM

The following changes since commit ed8ad9728a9c0eec34db9dff61dfa2f1dd625637:

  Merge tag 'pull-tpm-2023-07-14-1' of https://github.com/stefanberger/qemu-tpm into staging (2023-07-15 14:54:04 +0100)

are available in the Git repository at:

  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20230717

for you to fetch changes up to c2c1c4a35c7c2b1a4140b0942b9797c857e476a4:

  hw/nvram: Avoid unnecessary Xilinx eFuse backstore write (2023-07-17 11:05:52 +0100)

----------------------------------------------------------------
target-arm queue:
 * hw/arm/sbsa-ref: set 'slots' property of xhci
 * linux-user: Remove pointless NULL check in clock_adjtime handling
 * ptw: Fix S1_ptw_translate() debug path
 * ptw: Account for FEAT_RME when applying {N}SW, SA bits
 * accel/tcg: Zero-pad PC in TCG CPU exec trace lines
 * hw/nvram: Avoid unnecessary Xilinx eFuse backstore write

----------------------------------------------------------------
Peter Maydell (5):
      linux-user: Remove pointless NULL check in clock_adjtime handling
      target/arm/ptw.c: Add comments to S1Translate struct fields
      target/arm: Fix S1_ptw_translate() debug path
      target/arm/ptw.c: Account for FEAT_RME when applying {N}SW, SA bits
      accel/tcg: Zero-pad PC in TCG CPU exec trace lines

Tong Ho (1):
      hw/nvram: Avoid unnecessary Xilinx eFuse backstore write

Yuquan Wang (1):
      hw/arm/sbsa-ref: set 'slots' property of xhci

 accel/tcg/cpu-exec.c      |  4 +--
 accel/tcg/translate-all.c |  2 +-
 hw/arm/sbsa-ref.c         |  1 +
 hw/nvram/xlnx-efuse.c     | 11 ++++--
 linux-user/syscall.c      | 12 +++----
 target/arm/ptw.c          | 90 +++++++++++++++++++++++++++++++++++++++++------
 6 files changed, 98 insertions(+), 22 deletions(-)

[PULL 1/7] hw/arm/sbsa-ref: set 'slots' property of xhci

[Peter Maydell]

From: Yuquan Wang <wangyuquan1236@phytium.com.cn>

This extends the slots of xhci to 64, since the default xhci_sysbus
just supports one slot.

Signed-off-by: Wang Yuquan <wangyuquan1236@phytium.com.cn>
Signed-off-by: Chen Baozi <chenbaozi@phytium.com.cn>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
Tested-by: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
Message-id: 20230710063750.473510-2-wangyuquan1236@phytium.com.cn
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/sbsa-ref.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c
index 64e1cbce171..bc89eb48062 100644
--- a/hw/arm/sbsa-ref.c
+++ b/hw/arm/sbsa-ref.c
@@ -611,6 +611,7 @@ static void create_xhci(const SBSAMachineState *sms)
     hwaddr base = sbsa_ref_memmap[SBSA_XHCI].base;
     int irq = sbsa_ref_irqmap[SBSA_XHCI];
     DeviceState *dev = qdev_new(TYPE_XHCI_SYSBUS);
+    qdev_prop_set_uint32(dev, "slots", XHCI_MAXSLOTS);
 
     sysbus_realize_and_unref(SYS_BUS_DEVICE(dev), &error_fatal);
     sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, base);
-- 
2.34.1

[PULL 2/7] linux-user: Remove pointless NULL check in clock_adjtime handling

[Peter Maydell]

In the code for TARGET_NR_clock_adjtime, we set the pointer phtx to
the address of the local variable htx.  This means it can never be
NULL, but later in the code we check it for NULL anyway.  Coverity
complains about this (CID 1507683) because the NULL check comes after
a call to clock_adjtime() that assumes it is non-NULL.

Since phtx is always &htx, and is used only in three places, it's not
really necessary.  Remove it, bringing the code structure in to line
with that for TARGET_NR_clock_adjtime64, which already uses a simple
'&htx' when it wants a pointer to 'htx'.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230623144410.1837261-1-peter.maydell@linaro.org
---
 linux-user/syscall.c | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 14641518262..c99ef9c01ef 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -11190,16 +11190,14 @@ static abi_long do_syscall1(CPUArchState *cpu_env, int num, abi_long arg1,
 #if defined(TARGET_NR_clock_adjtime) && defined(CONFIG_CLOCK_ADJTIME)
     case TARGET_NR_clock_adjtime:
         {
-            struct timex htx, *phtx = &htx;
+            struct timex htx;
 
-            if (target_to_host_timex(phtx, arg2) != 0) {
+            if (target_to_host_timex(&htx, arg2) != 0) {
                 return -TARGET_EFAULT;
             }
-            ret = get_errno(clock_adjtime(arg1, phtx));
-            if (!is_error(ret) && phtx) {
-                if (host_to_target_timex(arg2, phtx) != 0) {
-                    return -TARGET_EFAULT;
-                }
+            ret = get_errno(clock_adjtime(arg1, &htx));
+            if (!is_error(ret) && host_to_target_timex(arg2, &htx)) {
+                return -TARGET_EFAULT;
             }
         }
         return ret;
-- 
2.34.1

[PULL 3/7] target/arm/ptw.c: Add comments to S1Translate struct fields

[Peter Maydell]

Add comments to the in_* fields in the S1Translate struct
that explain what they're doing.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230710152130.3928330-2-peter.maydell@linaro.org
---
 target/arm/ptw.c | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index 9aaff1546a6..21749375f97 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -19,10 +19,50 @@
 #endif
 
 typedef struct S1Translate {
+    /*
+     * in_mmu_idx : specifies which TTBR, TCR, etc to use for the walk.
+     * Together with in_space, specifies the architectural translation regime.
+     */
     ARMMMUIdx in_mmu_idx;
+    /*
+     * in_ptw_idx: specifies which mmuidx to use for the actual
+     * page table descriptor load operations. This will be one of the
+     * ARMMMUIdx_Stage2* or one of the ARMMMUIdx_Phys_* indexes.
+     * If a Secure ptw is "downgraded" to NonSecure by an NSTable bit,
+     * this field is updated accordingly.
+     */
     ARMMMUIdx in_ptw_idx;
+    /*
+     * in_space: the security space for this walk. This plus
+     * the in_mmu_idx specify the architectural translation regime.
+     * If a Secure ptw is "downgraded" to NonSecure by an NSTable bit,
+     * this field is updated accordingly.
+     *
+     * Note that the security space for the in_ptw_idx may be different
+     * from that for the in_mmu_idx. We do not need to explicitly track
+     * the in_ptw_idx security space because:
+     *  - if the in_ptw_idx is an ARMMMUIdx_Phys_* then the mmuidx
+     *    itself specifies the security space
+     *  - if the in_ptw_idx is an ARMMMUIdx_Stage2* then the security
+     *    space used for ptw reads is the same as that of the security
+     *    space of the stage 1 translation for all cases except where
+     *    stage 1 is Secure; in that case the only possibilities for
+     *    the ptw read are Secure and NonSecure, and the in_ptw_idx
+     *    value being Stage2 vs Stage2_S distinguishes those.
+     */
     ARMSecuritySpace in_space;
+    /*
+     * in_secure: whether the translation regime is a Secure one.
+     * This is always equal to arm_space_is_secure(in_space).
+     * If a Secure ptw is "downgraded" to NonSecure by an NSTable bit,
+     * this field is updated accordingly.
+     */
     bool in_secure;
+    /*
+     * in_debug: is this a QEMU debug access (gdbstub, etc)? Debug
+     * accesses will not update the guest page table access flags
+     * and will not change the state of the softmmu TLBs.
+     */
     bool in_debug;
     /*
      * If this is stage 2 of a stage 1+2 page table walk, then this must
-- 
2.34.1

[PULL 4/7] target/arm: Fix S1_ptw_translate() debug path

[Peter Maydell]

In commit fe4a5472ccd6 we rearranged the logic in S1_ptw_translate()
so that the debug-access "call get_phys_addr_*" codepath is used both
when S1 is doing ptw reads from stage 2 and when it is doing ptw
reads from physical memory.  However, we didn't update the
calculation of s2ptw->in_space and s2ptw->in_secure to account for
the "ptw reads from physical memory" case.  This meant that debug
accesses when in Secure state broke.

Create a new function S2_security_space() which returns the
correct security space to use for the ptw load, and use it to
determine the correct .in_secure and .in_space fields for the
stage 2 lookup for the ptw load.

Reported-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230710152130.3928330-3-peter.maydell@linaro.org
Fixes: fe4a5472ccd6 ("target/arm: Use get_phys_addr_with_struct in S1_ptw_translate")
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/ptw.c | 37 ++++++++++++++++++++++++++++++++-----
 1 file changed, 32 insertions(+), 5 deletions(-)

diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index 21749375f97..c0b9cee5843 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -485,11 +485,39 @@ static bool S2_attrs_are_device(uint64_t hcr, uint8_t attrs)
     }
 }
 
+static ARMSecuritySpace S2_security_space(ARMSecuritySpace s1_space,
+                                          ARMMMUIdx s2_mmu_idx)
+{
+    /*
+     * Return the security space to use for stage 2 when doing
+     * the S1 page table descriptor load.
+     */
+    if (regime_is_stage2(s2_mmu_idx)) {
+        /*
+         * The security space for ptw reads is almost always the same
+         * as that of the security space of the stage 1 translation.
+         * The only exception is when stage 1 is Secure; in that case
+         * the ptw read might be to the Secure or the NonSecure space
+         * (but never Realm or Root), and the s2_mmu_idx tells us which.
+         * Root translations are always single-stage.
+         */
+        if (s1_space == ARMSS_Secure) {
+            return arm_secure_to_space(s2_mmu_idx == ARMMMUIdx_Stage2_S);
+        } else {
+            assert(s2_mmu_idx != ARMMMUIdx_Stage2_S);
+            assert(s1_space != ARMSS_Root);
+            return s1_space;
+        }
+    } else {
+        /* ptw loads are from phys: the mmu idx itself says which space */
+        return arm_phys_to_space(s2_mmu_idx);
+    }
+}
+
 /* Translate a S1 pagetable walk through S2 if needed.  */
 static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
                              hwaddr addr, ARMMMUFaultInfo *fi)
 {
-    ARMSecuritySpace space = ptw->in_space;
     bool is_secure = ptw->in_secure;
     ARMMMUIdx mmu_idx = ptw->in_mmu_idx;
     ARMMMUIdx s2_mmu_idx = ptw->in_ptw_idx;
@@ -502,13 +530,12 @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
          * From gdbstub, do not use softmmu so that we don't modify the
          * state of the cpu at all, including softmmu tlb contents.
          */
+        ARMSecuritySpace s2_space = S2_security_space(ptw->in_space, s2_mmu_idx);
         S1Translate s2ptw = {
             .in_mmu_idx = s2_mmu_idx,
             .in_ptw_idx = ptw_idx_for_stage_2(env, s2_mmu_idx),
-            .in_secure = s2_mmu_idx == ARMMMUIdx_Stage2_S,
-            .in_space = (s2_mmu_idx == ARMMMUIdx_Stage2_S ? ARMSS_Secure
-                         : space == ARMSS_Realm ? ARMSS_Realm
-                         : ARMSS_NonSecure),
+            .in_secure = arm_space_is_secure(s2_space),
+            .in_space = s2_space,
             .in_debug = true,
         };
         GetPhysAddrResult s2 = { };
-- 
2.34.1

[PULL 5/7] target/arm/ptw.c: Account for FEAT_RME when applying {N}SW, SA bits

[Peter Maydell]

In get_phys_addr_twostage() the code that applies the effects of
VSTCR.{SA,SW} and VTCR.{NSA,NSW} only updates result->f.attrs.secure.
Now we also have f.attrs.space for FEAT_RME, we need to keep the two
in sync.

These bits only have an effect for Secure space translations, not
for Root, so use the input in_space field to determine whether to
apply them rather than the input is_secure. This doesn't actually
make a difference because Root translations are never two-stage,
but it's a little clearer.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230710152130.3928330-4-peter.maydell@linaro.org
---
 target/arm/ptw.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index c0b9cee5843..8f94100c61f 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -3118,6 +3118,7 @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
     hwaddr ipa;
     int s1_prot, s1_lgpgsz;
     bool is_secure = ptw->in_secure;
+    ARMSecuritySpace in_space = ptw->in_space;
     bool ret, ipa_secure;
     ARMCacheAttrs cacheattrs1;
     ARMSecuritySpace ipa_space;
@@ -3200,11 +3201,13 @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
      * Check if IPA translates to secure or non-secure PA space.
      * Note that VSTCR overrides VTCR and {N}SW overrides {N}SA.
      */
-    result->f.attrs.secure =
-        (is_secure
-         && !(env->cp15.vstcr_el2 & (VSTCR_SA | VSTCR_SW))
-         && (ipa_secure
-             || !(env->cp15.vtcr_el2 & (VTCR_NSA | VTCR_NSW))));
+    if (in_space == ARMSS_Secure) {
+        result->f.attrs.secure =
+            !(env->cp15.vstcr_el2 & (VSTCR_SA | VSTCR_SW))
+            && (ipa_secure
+                || !(env->cp15.vtcr_el2 & (VTCR_NSA | VTCR_NSW)));
+        result->f.attrs.space = arm_secure_to_space(result->f.attrs.secure);
+    }
 
     return false;
 }
-- 
2.34.1

[PULL 6/7] accel/tcg: Zero-pad PC in TCG CPU exec trace lines

[Peter Maydell]

In commit f0a08b0913befbd we changed the type of the PC from
target_ulong to vaddr.  In doing so we inadvertently dropped the
zero-padding on the PC in trace lines (the second item inside the []
in these lines).  They used to look like this on AArch64, for
instance:

Trace 0: 0x7f2260000100 [00000000/0000000040000000/00000061/ff200000]

and now they look like this:
Trace 0: 0x7f4f50000100 [00000000/40000000/00000061/ff200000]

and if the PC happens to be somewhere low like 0x5000
then the field is shown as /5000/.

This is because TARGET_FMT_lx is a "%08x" or "%016x" specifier,
depending on TARGET_LONG_SIZE, whereas VADDR_PRIx is just PRIx64
with no width specifier.

Restore the zero-padding by adding an 016 width specifier to
this tracing and a couple of others that were similarly recently
changed to use VADDR_PRIx without a width specifier.

We can't unfortunately restore the "32-bit guests are padded to
8 hex digits and 64-bit guests to 16 hex digits" behaviour so
easily.

Fixes: f0a08b0913befbd ("accel/tcg/cpu-exec.c: Widen pc to vaddr")
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Anton Johansson <anjo@rev.ng>
Message-id: 20230711165434.4123674-1-peter.maydell@linaro.org
---
 accel/tcg/cpu-exec.c      | 4 ++--
 accel/tcg/translate-all.c | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
index fdd6d3e0e44..e2c494e75ef 100644
--- a/accel/tcg/cpu-exec.c
+++ b/accel/tcg/cpu-exec.c
@@ -298,7 +298,7 @@ static void log_cpu_exec(vaddr pc, CPUState *cpu,
     if (qemu_log_in_addr_range(pc)) {
         qemu_log_mask(CPU_LOG_EXEC,
                       "Trace %d: %p [%08" PRIx64
-                      "/%" VADDR_PRIx "/%08x/%08x] %s\n",
+                      "/%016" VADDR_PRIx "/%08x/%08x] %s\n",
                       cpu->cpu_index, tb->tc.ptr, tb->cs_base, pc,
                       tb->flags, tb->cflags, lookup_symbol(pc));
 
@@ -487,7 +487,7 @@ cpu_tb_exec(CPUState *cpu, TranslationBlock *itb, int *tb_exit)
         if (qemu_loglevel_mask(CPU_LOG_EXEC)) {
             vaddr pc = log_pc(cpu, last_tb);
             if (qemu_log_in_addr_range(pc)) {
-                qemu_log("Stopped execution of TB chain before %p [%"
+                qemu_log("Stopped execution of TB chain before %p [%016"
                          VADDR_PRIx "] %s\n",
                          last_tb->tc.ptr, pc, lookup_symbol(pc));
             }
diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
index 4c17474fa22..a1782db5dd7 100644
--- a/accel/tcg/translate-all.c
+++ b/accel/tcg/translate-all.c
@@ -637,7 +637,7 @@ void cpu_io_recompile(CPUState *cpu, uintptr_t retaddr)
     if (qemu_loglevel_mask(CPU_LOG_EXEC)) {
         vaddr pc = log_pc(cpu, tb);
         if (qemu_log_in_addr_range(pc)) {
-            qemu_log("cpu_io_recompile: rewound execution of TB to %"
+            qemu_log("cpu_io_recompile: rewound execution of TB to %016"
                      VADDR_PRIx "\n", pc);
         }
     }
-- 
2.34.1

[PULL 7/7] hw/nvram: Avoid unnecessary Xilinx eFuse backstore write

[Peter Maydell]

From: Tong Ho <tong.ho@amd.com>

Add a check in the bit-set operation to write the backstore
only if the affected bit is 0 before.

With this in place, there will be no need for callers to
do the checking in order to avoid unnecessary writes.

Signed-off-by: Tong Ho <tong.ho@amd.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/nvram/xlnx-efuse.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/hw/nvram/xlnx-efuse.c b/hw/nvram/xlnx-efuse.c
index fdfffaab99c..655c40b8d1e 100644
--- a/hw/nvram/xlnx-efuse.c
+++ b/hw/nvram/xlnx-efuse.c
@@ -143,6 +143,8 @@ static bool efuse_ro_bits_find(XlnxEFuse *s, uint32_t k)
 
 bool xlnx_efuse_set_bit(XlnxEFuse *s, unsigned int bit)
 {
+    uint32_t set, *row;
+
     if (efuse_ro_bits_find(s, bit)) {
         g_autofree char *path = object_get_canonical_path(OBJECT(s));
 
@@ -152,8 +154,13 @@ bool xlnx_efuse_set_bit(XlnxEFuse *s, unsigned int bit)
         return false;
     }
 
-    s->fuse32[bit / 32] |= 1 << (bit % 32);
-    efuse_bdrv_sync(s, bit);
+    /* Avoid back-end write unless there is a real update */
+    row = &s->fuse32[bit / 32];
+    set = 1 << (bit % 32);
+    if (!(set & *row)) {
+        *row |= set;
+        efuse_bdrv_sync(s, bit);
+    }
     return true;
 }
 
-- 
2.34.1

Re: [PULL 0/7] target-arm queue

[Richard Henderson]

On 7/17/23 13:47, Peter Maydell wrote:
> A last small test of bug fixes before rc1.
> 
> thanks
> -- PMM
> 
> The following changes since commit ed8ad9728a9c0eec34db9dff61dfa2f1dd625637:
> 
>    Merge tag 'pull-tpm-2023-07-14-1' ofhttps://github.com/stefanberger/qemu-tpm  into staging (2023-07-15 14:54:04 +0100)
> 
> are available in the Git repository at:
> 
>    https://git.linaro.org/people/pmaydell/qemu-arm.git  tags/pull-target-arm-20230717
> 
> for you to fetch changes up to c2c1c4a35c7c2b1a4140b0942b9797c857e476a4:
> 
>    hw/nvram: Avoid unnecessary Xilinx eFuse backstore write (2023-07-17 11:05:52 +0100)
> 
> ----------------------------------------------------------------
> target-arm queue:
>   * hw/arm/sbsa-ref: set 'slots' property of xhci
>   * linux-user: Remove pointless NULL check in clock_adjtime handling
>   * ptw: Fix S1_ptw_translate() debug path
>   * ptw: Account for FEAT_RME when applying {N}SW, SA bits
>   * accel/tcg: Zero-pad PC in TCG CPU exec trace lines
>   * hw/nvram: Avoid unnecessary Xilinx eFuse backstore write

Applied, thanks.  Please update https://wiki.qemu.org/ChangeLog/8.1 as appropriate.


r~

[PULL 0/7] target-arm queue

[Peter Maydell]

It's been quiet on the arm front this week, so all I have is
these coverity fixes I posted a while back...

-- PMM

The following changes since commit 853546f8128476eefb701d4a55b2781bb3a46faa:

  Merge tag 'pull-loongarch-20240322' of https://gitlab.com/gaosong/qemu into staging (2024-03-22 10:59:57 +0000)

are available in the Git repository at:

  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20240325

for you to fetch changes up to 55c79639d553c1b7a82b4cde781ad5f316f45b0e:

  tests/qtest/libqtest.c: Check for g_setenv() failure (2024-03-25 10:41:01 +0000)

----------------------------------------------------------------
target-arm queue:
 * Fixes for seven minor coverity issues

----------------------------------------------------------------
Peter Maydell (7):
      tests/qtest/npcm7xx_emc_test: Don't leak cmd_line
      tests/unit/socket-helpers: Don't close(-1)
      net/af-xdp.c: Don't leak sock_fds array in net_init_af_xdp()
      hw/misc/pca9554: Correct error check bounds in get/set pin functions
      hw/nvram/mac_nvram: Report failure to write data
      tests/unit/test-throttle: Avoid unintended integer division
      tests/qtest/libqtest.c: Check for g_setenv() failure

 hw/misc/pca9554.c              | 4 ++--
 hw/nvram/mac_nvram.c           | 5 ++++-
 net/af-xdp.c                   | 3 +--
 tests/qtest/libqtest.c         | 6 +++++-
 tests/qtest/npcm7xx_emc-test.c | 4 ++--
 tests/unit/socket-helpers.c    | 4 +++-
 tests/unit/test-throttle.c     | 4 ++--
 7 files changed, 19 insertions(+), 11 deletions(-)