The SET ADDRESS SPACE CONTROL FAST instruction is not privileged, it can be
used from problem space, too. Just the switching to the home address space
is privileged and should still generate a privilege exception. This bug is
e.g. causing programs like Java that use the "getcpu" vdso kernel function
to crash (see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990417#26 ).
While we're at it, also check if DAT is not enabled. In that case the
instruction is supposed to generate a special operation exception.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/655
Message-Id: <20221201184443.136355-1-thuth@redhat.com>
Reviewed-by: Ilya Leoshkevich <iii@linux.ibm.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Thomas Huth <thuth@redhat.com>
In get_physical_address, the canonical address check failed to
set TranslateFault.stage2, which resulted in an uninitialized
read from the struct when reporting the fault in x86_cpu_tlb_fill.
Adjust all error paths to use structure assignment so that the
entire struct is always initialized.
Reported-by: Daniel Hoffman <dhoff749@gmail.com>
Fixes: 9bbcf37219 ("target/i386: Reorg GET_HPHYS")
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20221201074522.178498-1-richard.henderson@linaro.org>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1324
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
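As an added illustration of the pattern this fix describes (not QEMU's code; the fault record, field names and the canonical-address helper are constructed for the example), the "before" error path fills individual fields and leaves stage2 untouched, while the "after" path uses structure assignment so every field the compound literal does not name is zero-initialized:

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical fault record modelled on the commit's description; the real
 * QEMU TranslateFault has a different set of fields. */
typedef struct {
    int exception_index;
    int error_code;
    uint64_t cr2;
    bool stage2;
} TranslateFault;

#define EXCP_PF 14   /* constructed value for the example */

/* 48-bit canonical check: bits 63:47 must all be equal. */
static bool is_canonical(uint64_t addr)
{
    int64_t s = (int64_t)addr;
    return (s >> 47) == 0 || (s >> 47) == -1;
}

/* 'Before' pattern: each error path assigns only the fields it remembers,
 * so err->stage2 keeps whatever happened to be in memory. */
static bool translate_before(uint64_t addr, TranslateFault *err)
{
    if (!is_canonical(addr)) {
        err->exception_index = EXCP_PF;
        err->error_code = 0;
        err->cr2 = addr;
        return false;            /* err->stage2 never written */
    }
    return true;
}

/* 'After' pattern: structure assignment from a compound literal; fields not
 * named in the literal (stage2 here) are zero-initialized by the language. */
static bool translate_after(uint64_t addr, TranslateFault *err)
{
    if (!is_canonical(addr)) {
        *err = (TranslateFault) {
            .exception_index = EXCP_PF,
            .error_code = 0,
            .cr2 = addr,
        };
        return false;            /* err->stage2 is implicitly false */
    }
    return true;
}

/* Return what a caller would read as err.stage2 after a failed translation.
 * The record is prefilled with 0x01 bytes so the stale read is deterministic
 * for the demonstration instead of depending on stack contents. */
static bool reported_stage2(bool (*fn)(uint64_t, TranslateFault *), uint64_t addr)
{
    TranslateFault err;
    memset(&err, 0x01, sizeof err);
    fn(addr, &err);
    return err.stage2;
}
```

With the non-canonical address 0x8000000000000000, translate_before reports stage2 as true purely because of the prefill, while translate_after reports false regardless of what the memory held before.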
MMX state is saved/restored by FSAVE/FRSTOR so the instructions are
not illegal opcodes even if CR4.OSFXSR=0. Make sure that validate_vex
takes into account the prefix and only checks HF_OSFXSR_MASK in the
presence of an SSE instruction.
Fixes: 20581aadec ("target/i386: validate VEX prefixes via the instructions' exception classes", 2022-10-18)
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1350
Reported-by: Helge Konetzka (@hejko on gitlab.com)
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
The LPA2 extension implements 52-bit virtual addressing for 4k and 16k
translation granules, and for the former, this means an additional level
of translation is needed. This means we start counting at -1 instead of
0 when doing a walk, and so 'level' is now a signed quantity, and should
be typed as such. So turn it from uint32_t into int32_t.
This avoids a level of -1 getting misinterpreted as being >= 3, and
terminating a page table walk prematurely with a bogus output address.
Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
Cc: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
In get_phys_addr_with_struct(), we call get_phys_addr_twostage() if
the CPU supports EL2. However, we don't check here that stage 2 is
actually enabled. Instead we only check that inside
get_phys_addr_twostage() to skip stage 2 translation. This means
that even if stage 2 is disabled we still tell the stage 1 lookup to
do its page table walks via stage 2.
This works by luck for normal CPU accesses, but it breaks for debug
accesses, which are used by the disassembler and also by semihosting
file reads and writes, because the debug case takes a different code
path inside S1_ptw_translate().
This means that setups that use semihosting for file loads are broken
(a regression since 7.1, introduced in recent ptw refactoring), and
that sometimes disassembly in debug logs reports "unable to read
memory" rather than showing the guest insns.
Fix the bug by hoisting the "is stage 2 enabled?" check up to
get_phys_addr_with_struct(), so that we handle S2 disabled the same
way we do the "no EL2" case, with a simple single stage lookup.
Reported-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20221121212404.1450382-1-peter.maydell@linaro.org
With LPA2, the effective output address size is at most 48 bits when
TCR.DS == 0. This case is currently unhandled in the page table walker,
where we happily assume LVA/64k granule when outputsize > 48 and
param.ds == 0, resulting in the wrong conversion being used from a
page table descriptor to a physical address.
    if (outputsize > 48) {
        if (param.ds) {
            descaddr |= extract64(descriptor, 8, 2) << 50;
        } else {
            descaddr |= extract64(descriptor, 12, 4) << 48;
        }
    }
So cap the outputsize to 48 when TCR.DS is cleared, as per the
architecture.
Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
Cc: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221116170316.259695-1-ardb@kernel.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
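The following is an added, self-contained model of the conversion quoted in this commit message; it is not QEMU's walker. The extract64 semantics and the two high-bit encodings come from the snippet above, while the 47:12 low-address mask, the effective_outputsize helper and the sample descriptor are constructed assumptions. It shows why the uncapped path is wrong for a 4k granule: descriptor bits 15:12 are real address bits there, so feeding them through the 64k-granule conversion duplicates them into PA[51:48].

```c
#include <stdbool.h>
#include <stdint.h>

/* Mirrors the semantics of QEMU's extract64(): bits [start, start+length). */
static uint64_t extract64(uint64_t value, int start, int length)
{
    return (value >> start) & (~0ULL >> (64 - length));
}

/* Hypothetical helper for the fix the commit describes: the effective
 * output address size is capped at 48 bits when TCR.DS is clear. */
static int effective_outputsize(int outputsize, bool ds)
{
    if (!ds && outputsize > 48) {
        return 48;
    }
    return outputsize;
}

/* Convert a 4k-granule descriptor to an output address. apply_ds_cap=false
 * reproduces the unpatched behaviour, apply_ds_cap=true the fixed one. */
static uint64_t descriptor_to_pa(uint64_t descriptor, int outputsize,
                                 bool ds, bool apply_ds_cap)
{
    if (apply_ds_cap) {
        outputsize = effective_outputsize(outputsize, ds);
    }
    uint64_t descaddr = descriptor & 0x0000fffffffff000ULL;   /* bits 47:12 */
    if (outputsize > 48) {
        if (ds) {
            /* LPA2 with 4k/16k granule: PA[51:50] live in descriptor bits 9:8 */
            descaddr |= extract64(descriptor, 8, 2) << 50;
        } else {
            /* LVA with 64k granule: PA[51:48] live in descriptor bits 15:12 */
            descaddr |= extract64(descriptor, 12, 4) << 48;
        }
    }
    return descaddr;
}
```

For a constructed descriptor 0x4000F003 (valid bits set, address 0x4000F000) with a 52-bit PA configuration and DS clear, the uncapped conversion yields 0x000F00004000F000, a bogus address with bits 15:12 mirrored into 51:48; with the cap applied the result is the intended 0x4000F000. With DS set, bits 9:8 of the descriptor are taken as PA[51:50] as the snippet intends.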
Merge tag 'pull-ppc-20221117' of https://gitlab.com/danielhb/qemu into staging
ppc patch queue for 2022-11-17:
Short queue with a build regression fix when using --disable-tcg.
* tag 'pull-ppc-20221117' of https://gitlab.com/danielhb/qemu:
target/ppc: Fix build warnings when building with 'disable-tcg'
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Kowshik reported that building qemu with GCC 12.2.1 for the 'ppc64-softmmu'
target is failing due to the following build warnings:
<snip>
../target/ppc/cpu_init.c:7018:13: error: 'ppc_restore_state_to_opc' defined but not used [-Werror=unused-function]
7018 | static void ppc_restore_state_to_opc(CPUState *cs,
<snip>
Fix this by wrapping these function definitions in 'ifdef CONFIG_TCG' so that
they are only defined if qemu is compiled with '--enable-tcg'.
Reported-by: Kowshik Jois B S <kowsjois@linux.ibm.com>
Fixes: 61bd1d2942 ("target/ppc: Convert to tcg_ops restore_state_to_opc")
Fixes: 670f1da374 ("target/ppc: Implement hashst and hashchk")
Fixes: 53ae2aeb94 ("target/ppc: Implement hashstp and hashchkp")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1319
Signed-off-by: Vaibhav Jain <vaibhav@linux.ibm.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Tested-by: Kowshik Jois B S <kowsjois@linux.vnet.ibm.com>
Message-Id: <20221116131743.658708-1-vaibhav@linux.ibm.com>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Fix typos (discovered with the 'codespell' utility).
Note: Though "migrateable" still seems to be a valid spelling, we change
it to "migratable" since this is the way more common spelling here.
Message-Id: <20221111182828.282251-1-thuth@redhat.com>
Reviewed-by: Stefan Weil <sw@weilnetz.de>
Reviewed-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
When translating code that is using LAHF and SAHF in combination with the
REX prefix, the instructions should not use any other register than AH;
however, QEMU selects SPL (SP being register 4, just like AH) if the
REX prefix is present. To fix this, use deposit directly without
going through gen_op_mov_v_reg and gen_op_mov_reg_v.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/130
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Unlike the memory case, where "the destination operand receives a write
cycle without regard to the result of the comparison", rm must not be
touched altogether if the write fails, including not zero-extending
it on 64-bit processors. This is not how the movcond currently works,
because it is always followed by a gen_op_mov_reg_v to rm.
To fix it, introduce a new function that is similar to gen_op_mov_reg_v
but writes to a TCG temporary.
Considering that gen_extu(ot, oldv) is not needed in the memory case
either, the two cases for register and memory destinations are different
enough that one might as well fuse the two "if (mod == 3)" into one.
So do that too.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/508
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[rth: Add a test case ]
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
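An added C model of the semantics this commit message distinguishes, written for this page and not taken from QEMU's translator: a hypothetical 16-entry register file with x86-64 write rules (32-bit writes zero-extend, narrower writes merge), the pre-fix shape (conditional select followed by an unconditional register write-back), the fixed register-destination shape (rm untouched on mismatch), and the memory-destination case where the write cycle always happens. The register numbers and values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical minimal register file: regs[0] plays the role of RAX. */
typedef struct {
    uint64_t regs[16];
    bool zf;
} CpuState;

enum { RAX = 0 };

/* ot is the operand size in bytes: 1, 2, 4 or 8. */
static uint64_t size_mask(int ot)
{
    return ot == 8 ? ~0ULL : (1ULL << (ot * 8)) - 1;
}

/* General-purpose register write with x86-64 rules: 32-bit (and 64-bit)
 * writes replace the whole register, 8/16-bit writes merge into it. */
static void write_reg(CpuState *cpu, int ot, int reg, uint64_t v)
{
    uint64_t m = size_mask(ot);
    if (ot >= 4) {
        cpu->regs[reg] = v & m;
    } else {
        cpu->regs[reg] = (cpu->regs[reg] & ~m) | (v & m);
    }
}

/* Register destination as the commit describes it: on mismatch rm is not
 * written at all, so its upper bits survive; only the accumulator changes. */
static void cmpxchg_reg_fixed(CpuState *cpu, int ot, int rm, uint64_t src)
{
    uint64_t m = size_mask(ot);
    uint64_t oldv = cpu->regs[rm] & m;
    uint64_t cmpv = cpu->regs[RAX] & m;
    if (oldv == cmpv) {
        cpu->zf = true;
        write_reg(cpu, ot, rm, src);
    } else {
        cpu->zf = false;
        write_reg(cpu, ot, RAX, oldv);
    }
}

/* Pre-fix shape: select the value, then always write it back to rm. For a
 * 32-bit mismatch this zero-extends rm even though it should be untouched. */
static void cmpxchg_reg_buggy(CpuState *cpu, int ot, int rm, uint64_t src)
{
    uint64_t m = size_mask(ot);
    uint64_t oldv = cpu->regs[rm] & m;
    uint64_t cmpv = cpu->regs[RAX] & m;
    bool eq = (oldv == cmpv);
    uint64_t newv = eq ? src : oldv;   /* the movcond */
    cpu->zf = eq;
    write_reg(cpu, ot, rm, newv);      /* unconditional write-back: wrong on mismatch */
    if (!eq) {
        write_reg(cpu, ot, RAX, oldv);
    }
}

/* Memory destination: the destination receives a write cycle regardless of
 * the comparison result, so writing oldv back on mismatch is correct here. */
static void cmpxchg_mem(CpuState *cpu, int ot, uint64_t *mem, uint64_t src)
{
    uint64_t m = size_mask(ot);
    uint64_t oldv = *mem & m;
    uint64_t cmpv = cpu->regs[RAX] & m;
    bool eq = (oldv == cmpv);
    cpu->zf = eq;
    *mem = (*mem & ~m) | ((eq ? src : oldv) & m);
    if (!eq) {
        write_reg(cpu, ot, RAX, oldv);
    }
}

/* Run a failing 32-bit compare through one implementation and return rm. */
static uint64_t mismatch_rm_after(void (*impl)(CpuState *, int, int, uint64_t))
{
    CpuState cpu = {0};
    cpu.regs[RAX] = 0x7;                       /* constructed: differs from rm */
    cpu.regs[3]   = 0xdeadbeef00000005ULL;     /* constructed: upper half set */
    impl(&cpu, 4, 3, 0x11);                    /* 32-bit cmpxchg on register 3 */
    return cpu.regs[3];
}
```

With the upper half of register 3 set and a failing compare, the fixed version leaves it at 0xdeadbeef00000005 while the pre-fix version clobbers it to 0x5, which is exactly the zero-extension the message says must not happen.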
Some implementations (i.e. Loongson-2F) may decide to implement
a 64 bit FPU without implementing COP1X instructions.
As the eligibility of 64 bit FP instructions is already determined
by CP0St_FR, there is no need to check for COP1X again.
Signed-off-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-Id: <20221102165719.190378-1-jiaxun.yang@flygoat.com>
[PMD: Add missing trailing parenthesis (buildfix)]
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
I don't have access to Octeon68XX hardware but according
to my investigation Octeon never had DSP ASE support.
As per "Cavium Networks OCTEON Plus CN50XX Hardware Reference
Manual" CP0C3_DSPP is a reserved bit and reads as 0. Also I do have
access to a Ubiquiti Edgerouter 4 which has an Octeon CN7130 processor
and I can confirm CP0C3_DSPP reads as 0 on that processor.
Furthermore, in the Linux kernel:
arch/mips/include/asm/mach-cavium-octeon/cpu-feature-overrides.h
cpu_has_dsp is overridden as 0.
So I believe we shouldn't emulate DSP in QEMU either.
Signed-off-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
Acked-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Pavel Dovgalyuk <Pavel.Dovgalyuk@ispras.ru>
Message-Id: <20221031132531.18122-4-jiaxun.yang@flygoat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
This patch changes condition and function name for enabling
indexed load instructions for Octeon vCPUs. Octeons do not
have DSP extension, but implement LBX-and-others.
Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgalyuk@ispras.ru>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-Id: <166728058455.229236.13834649461181619195.stgit@pasha-ThinkPad-X280>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
As per "Cavium Networks OCTEON Plus CN50XX Hardware Reference
Manual" the offset field is a signed 16-bit value. However, arg_BBIT.offset
is unsigned. We need to cast it to signed to do the address calculation.
Signed-off-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
Acked-by: Richard Henderson <richard.henderson@linaro.org>
Acked-by: Pavel Dovgalyuk <Pavel.Dovgalyuk@ispras.ru>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-Id: <20221031132531.18122-3-jiaxun.yang@flygoat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
As per an unpublished document, in later revisions of the chips
CP0St_{KX, SX, UX} is not writeable and hardcoded to 1.
Without those bits set, the kernel is unable to access the XKPHYS address
segment. So just set them up on CPU reset.
Signed-off-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
Acked-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20221031132531.18122-2-jiaxun.yang@flygoat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Merge tag 'pull-loongarch-20221107' of https://gitlab.com/gaosong/qemu into staging
pull-loongarch-20221107
* tag 'pull-loongarch-20221107' of https://gitlab.com/gaosong/qemu:
target/loongarch: Fix return value of CHECK_FPE
target/loongarch: Separate the hardware flags into MMU index and PLV
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Since patchset v3 has been merged into the main line without being
approved, this patch updates it to patchset v4.
Fixes: 2419978c ("target/loongarch: Fix emulation of float-point disable exception")
Link: https://lists.nongnu.org/archive/html/qemu-devel/2022-11/msg00808.html
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Rui Wang <wangrui@loongson.cn>
Message-Id: <20221107024526.702297-3-wangrui@loongson.cn>
Signed-off-by: Song Gao <gaosong@loongson.cn>
Since patchset v3 has been merged into the main line without being
approved, this patch updates it to patchset v4.
Fixes: b4bda200 ("target/loongarch: Adjust the layout of hardware flags bit fields")
Link: https://lists.nongnu.org/archive/html/qemu-devel/2022-11/msg00808.html
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Rui Wang <wangrui@loongson.cn>
Message-Id: <20221107024526.702297-2-wangrui@loongson.cn>
Signed-off-by: Song Gao <gaosong@loongson.cn>
We use the .h.inc extension to include C headers. To be consistent
with the rest of the codebase, rename the C headers using the .def
extension.
IDE/tools using our .editorconfig / .gitattributes will leverage
this consistency.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Bastian Koppelmann <kbastian@mail.uni-paderborn.de>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20221025235006.7215-4-philmd@linaro.org>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
We use the .h.inc extension to include C headers. To be consistent
with the rest of the codebase, rename the C headers using the .def
extension.
IDE/tools using our .editorconfig / .gitattributes will leverage
this consistency.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20221025235006.7215-3-philmd@linaro.org>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
We use the .h.inc extension to include C headers. To be consistent
with the rest of the codebase, rename the C headers using the .def
extension.
IDE/tools using our .editorconfig / .gitattributes will leverage
this consistency.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20221025235006.7215-2-philmd@linaro.org>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
Merge tag 'pull-target-arm-20221104' of https://git.linaro.org/people/pmaydell/qemu-arm into staging
target-arm queue:
* Fix regression booting Trusted Firmware
* Honor HCR_E2H and HCR_TGE in ats_write64()
* Copy the entire vector in DO_ZIP
* Fix Privileged Access Never (PAN) for aarch32
* Make TLBIOS and TLBIRANGE ops trap on HCR_EL2.TTLB
* Set SCR_EL3.HXEn when direct booting kernel
* Set SME and SVE EL3 vector lengths when direct booting kernel
* tag 'pull-target-arm-20221104' of https://git.linaro.org/people/pmaydell/qemu-arm:
target/arm: Two fixes for secure ptw
target/arm: Honor HCR_E2H and HCR_TGE in ats_write64()
target/arm: Copy the entire vector in DO_ZIP
target/arm: Fix Privileged Access Never (PAN) for aarch32
target/arm: Make TLBIOS and TLBIRANGE ops trap on HCR_EL2.TTLB
hw/arm/boot: Set SCR_EL3.HXEn when booting kernel
hw/arm/boot: Set SME and SVE EL3 vector lengths when booting kernel
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reversed the sense of non-secure in get_phys_addr_lpae,
and failed to initialize attrs.secure for ARMMMUIdx_Phys_S.
Fixes: 48da29e4 ("target/arm: Add ptw_idx to S1Translate")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1293
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Tested-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
We need to check HCR_E2H and HCR_TGE to select the right MMU index for
the correct translation regime.
To check for EL2&0 translation regime:
- For S1E0*, S1E1* and S12E* ops, check both HCR_E2H and HCR_TGE
- For S1E2* ops, check only HCR_E2H
Signed-off-by: Ake Koomsin <ake@igel.co.jp>
Message-id: 20221101064250.12444-1-ake@igel.co.jp
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
With odd_ofs set, we weren't copying enough data.
Fixes: 09eb6d7025 ("target/arm: Move sve zip high_ofs into simd_data")
Reported-by: Idan Horowitz <idan.horowitz@gmail.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20221031054144.3574-1-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
When we implemented the PAN support we theoretically wanted
to support it for both AArch32 and AArch64, but in practice
several bugs made it essentially unusable with an AArch32
guest. Fix all those problems:
- Use CPSR.PAN to check for PAN state in aarch32 mode
- throw permission fault during address translation when PAN is
  enabled and the kernel tries to access a user-accessible page
- ignore SCTLR_XP bit for armv7 and armv8 (conflicts with SCTLR_SPAN).
Signed-off-by: Timofey Kutergin <tkutergin@gmail.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20221027112619.2205229-1-tkutergin@gmail.com
[PMM: tweak commit message]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
The HCR_EL2.TTLB bit is supposed to trap all EL1 execution of TLB
maintenance instructions. However we have added new TLB insns for
FEAT_TLBIOS and FEAT_TLBIRANGE, and forgot to set their accessfn to
access_ttlb. Add the missing accessfns.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
We need to emulate it to generate a floating point disable exception
when CSR.EUEN.FPE is zero.
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Song Gao <gaosong@loongson.cn>
Signed-off-by: Rui Wang <wangrui@loongson.cn>
Message-Id: <20221104040517.222059-3-wangrui@loongson.cn>
Signed-off-by: Song Gao <gaosong@loongson.cn>
Suggested-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Song Gao <gaosong@loongson.cn>
Signed-off-by: Rui Wang <wangrui@loongson.cn>
Message-Id: <20221104040517.222059-2-wangrui@loongson.cn>
Signed-off-by: Song Gao <gaosong@loongson.cn>
When the address is an invalid address, we should set exception_index
according to MMUAccessType, and EXCCODE_ADEF needn't update badinstr.
Otherwise, the system enters an infinite loop. e.g.:
run test.c in system mode
test.c:
    #include <stdio.h>
    void (*func)(int *);
    int main()
    {
        int i = 8;
        /* deliberately invalid address: calling through it must raise ADEF */
        void *ptr = (void *)0x4000000000000000;
        func = ptr;
        func(&i);
        return 0;
    }
Signed-off-by: Song Gao <gaosong@loongson.cn>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20221101073210.3934280-2-gaosong@loongson.cn>
We need subcodes to distinguish between the same excode cs->exception_index values,
such as EXCCODE_ADEF/EXCCODE_ADEM.
Signed-off-by: Song Gao <gaosong@loongson.cn>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-ID: <20221101073210.3934280-1-gaosong@loongson.cn>
1. When a CPU reads or writes the extioi COREISR register, it should access
the register belonging to itself, so the CPU index of 's->coreisr'
is the current CPU number. Use MemTxAttrs' requester_id to get
the CPU index.
2. There is no need to mask with 0x1f when calculating the coreisr array index.
Signed-off-by: Xiaojuan Yang <yangxiaojuan@loongson.cn>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20221021015307.2570844-3-yangxiaojuan@loongson.cn>
Signed-off-by: Song Gao <gaosong@loongson.cn>
If CR0.PG is unset, pg_mode will be zero, but it will also be zero
for non-PAE/non-PSE page tables with CR0.WP=0. Restore the
correct test for paging enabled.
Fixes: 98281984a3 ("target/i386: Add MMU_PHYS_IDX and MMU_NESTED_IDX")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1269
Reported-by: Andreas Gustafsson <gson@gson.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20221102091232.1092552-1-richard.henderson@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Merge tag 'pull-testing-for-7.2-011122-3' of https://github.com/stsquad/qemu into staging
testing and plugin updates for 7.2:
- cleanup win32/64 docker files
- update test-mingw test
- add flex/bison to debian-all-test
- handle --enable-static/--disable-pie in config
- extend timeouts on x86_64 avocado tests
- add flex/bison to debian-hexagon-cross
- use regular semihosting for nios2 check-tcg
- fix obscure linker error to nios2 softmmu tests
- various windows portability fixes for tests
- clean-up of MAINTAINERS
- use -machine none when appropriate in avocado
- make raspi2_initrd test detect shutdown
- disable sh4 rd2 tests on gitlab
- re-enable threadcount/linux-test for sh4
- clean-up s390x handling of "ex" instruction
- better handle new CPUs in execlog plugin
- pass CONFIG_DEBUG_TCG to plugin builds
- try and avoid races in test-io-channel-command
- speed up ssh key checking for tests/vm
* tag 'pull-testing-for-7.2-011122-3' of https://github.com/stsquad/qemu: (31 commits)
tests/vm: use -o IdentitiesOnly=yes for ssh
tests/unit: cleanups for test-io-channel-command
contrib/plugins: protect execlog's last_exec expansion
contrib/plugins: enable debug on CONFIG_DEBUG_TCG
tests/tcg: include CONFIG_PLUGIN in config-host.mak
target/s390x: fake instruction loading when handling 'ex'
target/s390x: don't probe next pc for EXecuted insns
target/s390x: don't use ld_code2 to probe next pc
tests/tcg: re-enable threadcount for sh4
tests/tcg: re-enable linux-test for sh4
tests/avocado: disable sh4 rd2 tests on Gitlab
tests/avocado: raspi2_initrd: Wait for guest shutdown message before stopping
tests/avocado: set -machine none for userfwd and vnc tests
MAINTAINERS: fix-up for check-tcg Makefile changes
MAINTAINERS: add features_to_c.sh to gdbstub files
MAINTAINERS: add entries for the key build bits
hw/usb: dev-mtp: Use g_mkdir()
block/vvfat: Unify the mkdir() call
tcg: Avoid using hardcoded /tmp
semihosting/arm-compat-semi: Avoid using hardcoded /tmp
...
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
The helpers for reset_rf, cli, sti, clac, stac are
completely trivial; implement them inline.
Drop some nearby #if 0 code.
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
The value passed is always true, and if the target's
synchronize_from_tb hook is non-trivial, not exiting
may be erroneous.
Reviewed-by: Claudio Fontana <cfontana@suse.de>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Since we do not plan to exit, use cpu_unwind_state_data
and extract exactly the data requested.
This is a bug fix, in that we no longer clobber dflag.
Consider:
    l.j L2              // branch
    l.mfspr r1, ppc     // delay
    L1: boom
    L2: l.lwa r3, (r4)
Here, dflag would be set by cpu_restore_state (because that is the current
state of the cpu), but not cleared by tb_stop on exiting the TB
(because DisasContext has recorded the current value as zero).
The next TB begins at L2 with dflag incorrectly set. If the load has a
tlb miss, then the exception will be delivered as per a delay slot:
with DSX set in the status register and PC decremented (delay slots
restart by re-executing the branch). This will cause the return from
interrupt to go to L1, and boom!
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
We have called cpu_restore_state asserting will_exit.
Do not go back on that promise. This affects icount.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Avoid cpu_restore_state, and modifying env->eip out from
underneath the translator with TARGET_TB_PCREL. There is
some slight duplication from x86_restore_state_to_opc,
but it's just a few lines.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1269
Reviewed-by: Claudio Fontana <cfontana@suse.de>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
The s390x EXecute instruction is a bit weird as we synthesise the
executed instruction from what we have stored in memory. This missed
the plugin instrumentation.
Work around this with a special helper to inform the rest of the
translator about the instruction so things stay consistent.
Reviewed-by: David Hildenbrand <david@redhat.com>
Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Cc: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20221027183637.2772968-26-alex.bennee@linaro.org>
We have finished the TB anyway so we can shortcut the other tests by
checking dc->ex_value first.
Reviewed-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20221027183637.2772968-25-alex.bennee@linaro.org>
This isn't a translator picking up an instruction, so we shouldn't use
the translator_lduw function, which has side effects for plugins.
Reviewed-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20221027183637.2772968-24-alex.bennee@linaro.org>