From 1d675e59ea194fc918fe0f553eb79209b3fb3a8f Mon Sep 17 00:00:00 2001 From: Jean-Philippe Brucker Date: Fri, 10 Nov 2023 09:05:58 +0000 Subject: [PATCH 1/4] hw/arm/virt: fix GIC maintenance IRQ registration Since commit 9036e917f8 ("{include/}hw/arm: refactor virt PPI logic"), GIC maintenance IRQ registration fails on arm64: [ 0.979743] kvm [1]: Cannot register interrupt 9 That commit re-defined VIRTUAL_PMU_IRQ to be a INTID but missed a case where the maintenance IRQ is actually referred by its PPI index. Just like commit fa68ecb330db ("hw/arm/virt: fix PMU IRQ registration"), use INITID_TO_PPI(). A search of "GIC_FDT_IRQ_TYPE_PPI" indicates that there shouldn't be more similar issues. Fixes: 9036e917f8 ("{include/}hw/arm: refactor virt PPI logic") Signed-off-by: Jean-Philippe Brucker Message-id: 20231110090557.3219206-2-jean-philippe@linaro.org Signed-off-by: Peter Maydell --- hw/arm/virt.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/hw/arm/virt.c b/hw/arm/virt.c index 85e3c5ba9d..be2856c018 100644 --- a/hw/arm/virt.c +++ b/hw/arm/virt.c @@ -576,7 +576,8 @@ static void fdt_add_gic_node(VirtMachineState *vms) if (vms->virt) { qemu_fdt_setprop_cells(ms->fdt, nodename, "interrupts", - GIC_FDT_IRQ_TYPE_PPI, ARCH_GIC_MAINT_IRQ, + GIC_FDT_IRQ_TYPE_PPI, + INTID_TO_PPI(ARCH_GIC_MAINT_IRQ), GIC_FDT_IRQ_FLAGS_LEVEL_HI); } } else { @@ -600,7 +601,8 @@ static void fdt_add_gic_node(VirtMachineState *vms) 2, vms->memmap[VIRT_GIC_VCPU].base, 2, vms->memmap[VIRT_GIC_VCPU].size); qemu_fdt_setprop_cells(ms->fdt, nodename, "interrupts", - GIC_FDT_IRQ_TYPE_PPI, ARCH_GIC_MAINT_IRQ, + GIC_FDT_IRQ_TYPE_PPI, + INTID_TO_PPI(ARCH_GIC_MAINT_IRQ), GIC_FDT_IRQ_FLAGS_LEVEL_HI); } } From fc58891d0422607d172a3d6b3158798f2556aef1 Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Thu, 9 Nov 2023 15:19:17 +0000 Subject: [PATCH 2/4] target/arm: HVC at EL3 should go to EL3, not EL2 AArch64 permits code at EL3 to use the HVC instruction; however the exception we take should go to EL3, not down to EL2 (see the pseudocode AArch64.CallHypervisor()). Fix the target EL. Cc: qemu-stable@nongnu.org Signed-off-by: Peter Maydell Reviewed-by: Edgar E. Iglesias Message-id: 20231109151917.1925107-1-peter.maydell@linaro.org --- target/arm/tcg/translate-a64.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c index 41484d8ae5..a2e49c39f9 100644 --- a/target/arm/tcg/translate-a64.c +++ b/target/arm/tcg/translate-a64.c @@ -2351,6 +2351,8 @@ static bool trans_SVC(DisasContext *s, arg_i *a) static bool trans_HVC(DisasContext *s, arg_i *a) { + int target_el = s->current_el == 3 ? 3 : 2; + if (s->current_el == 0) { unallocated_encoding(s); return true; @@ -2363,7 +2365,7 @@ static bool trans_HVC(DisasContext *s, arg_i *a) gen_helper_pre_hvc(tcg_env); /* Architecture requires ss advance before we do the actual work */ gen_ss_advance(s); - gen_exception_insn_el(s, 4, EXCP_HVC, syn_aa64_hvc(a->imm), 2); + gen_exception_insn_el(s, 4, EXCP_HVC, syn_aa64_hvc(a->imm), target_el); return true; } From 4d044472ab7666adf99d4daa0cc90b7502b90109 Mon Sep 17 00:00:00 2001 From: Peter Maydell Date: Fri, 10 Nov 2023 16:25:46 +0000 Subject: [PATCH 3/4] target/arm: Correct MTE tag checking for reverse-copy MOPS MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When we are doing a FEAT_MOPS copy that must be performed backwards, we call mte_mops_probe_rev(), passing it the address of the last byte in the region we are probing. However, allocation_tag_mem_probe() wants the address of the first byte to get the tag memory for. Because we passed it (ptr, size) we could incorrectly trip the allocation_tag_mem_probe() check for "does this access run across to the following page", and if that following page happened not to be valid then we would assert. We know we will always be only dealing with a single page because the code that calls mte_mops_probe_rev() ensures that. We could make mte_mops_probe_rev() pass 'ptr - (size - 1)' to allocation_tag_mem_probe(), but then we would have to adjust the returned 'mem' pointer to get back to the tag RAM for the last byte of the region. It's simpler to just pass in a size of 1 byte, because we know that allocation_tag_mem_probe() in pure-probe single-page mode doesn't care about the size. Fixes: 69c51dc3723b ("target/arm: Implement MTE tag-checking functions for FEAT_MOPS copies") Signed-off-by: Peter Maydell Reviewed-by: Philippe Mathieu-Daudé Acked-by: Richard Henderson Message-id: 20231110162546.2192512-1-peter.maydell@linaro.org --- target/arm/tcg/mte_helper.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/target/arm/tcg/mte_helper.c b/target/arm/tcg/mte_helper.c index 70ac876105..ffb8ea1c34 100644 --- a/target/arm/tcg/mte_helper.c +++ b/target/arm/tcg/mte_helper.c @@ -1101,10 +1101,18 @@ uint64_t mte_mops_probe_rev(CPUARMState *env, uint64_t ptr, uint64_t size, uint32_t n; mmu_idx = FIELD_EX32(desc, MTEDESC, MIDX); - /* True probe; this will never fault */ + /* + * True probe; this will never fault. Note that our caller passes + * us a pointer to the end of the region, but allocation_tag_mem_probe() + * wants a pointer to the start. Because we know we don't span a page + * boundary and that allocation_tag_mem_probe() doesn't otherwise care + * about the size, pass in a size of 1 byte. This is simpler than + * adjusting the ptr to point to the start of the region and then having + * to adjust the returned 'mem' to get the end of the tag memory. + */ mem = allocation_tag_mem_probe(env, mmu_idx, ptr, w ? MMU_DATA_STORE : MMU_DATA_LOAD, - size, MMU_DATA_LOAD, true, 0); + 1, MMU_DATA_LOAD, true, 0); if (!mem) { return size; } From f6e8d1ef05a126de796ae03dd81e048e3ff48ff1 Mon Sep 17 00:00:00 2001 From: Nikita Ostrenkov Date: Sun, 12 Nov 2023 16:56:58 +0000 Subject: [PATCH 4/4] target/arm/tcg: enable PMU feature for Cortex-A8 and A9 According to the technical reference manual, the Cortex-A9 has a Perfomance Unit Monitor (PMU): https://developer.arm.com/documentation/100511/0401/performance-monitoring-unit/about-the-performance-monitoring-unit The Cortex-A8 does also. We already already define the PMU registers when emulating the Cortex-A8 and Cortex-A9, because we put them in v7_cp_reginfo[] rather than guarding them behind ARM_FEATURE_PMU. So the only thing that setting the feature bit changes is that the registers actually do something. Enable ARM_FEATURE_PMU for Cortex-A8 and Cortex-A9, to avoid this anomaly. (The A8 and A9 PMU predates the standardisation of ID_DFR0.PerfMon, so the field there is 0, but the PMU is still present.) Signed-off-by: Nikita Ostrenkov Message-id: 20231112165658.2335-1-n.ostrenkov@gmail.com Reviewed-by: Peter Maydell [PMM: tweaked commit message; also enable PMU for A8] Signed-off-by: Peter Maydell --- target/arm/tcg/cpu32.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/target/arm/tcg/cpu32.c b/target/arm/tcg/cpu32.c index 0d5d8e307d..d9e0e2a4dd 100644 --- a/target/arm/tcg/cpu32.c +++ b/target/arm/tcg/cpu32.c @@ -351,6 +351,7 @@ static void cortex_a8_initfn(Object *obj) set_feature(&cpu->env, ARM_FEATURE_THUMB2EE); set_feature(&cpu->env, ARM_FEATURE_DUMMY_C15_REGS); set_feature(&cpu->env, ARM_FEATURE_EL3); + set_feature(&cpu->env, ARM_FEATURE_PMU); cpu->midr = 0x410fc080; cpu->reset_fpsid = 0x410330c0; cpu->isar.mvfr0 = 0x11110222; @@ -418,6 +419,7 @@ static void cortex_a9_initfn(Object *obj) set_feature(&cpu->env, ARM_FEATURE_NEON); set_feature(&cpu->env, ARM_FEATURE_THUMB2EE); set_feature(&cpu->env, ARM_FEATURE_EL3); + set_feature(&cpu->env, ARM_FEATURE_PMU); /* * Note that A9 supports the MP extensions even for * A9UP and single-core A9MP (which are both different