From 628fc75f3a3bb115de3b445c1a18547c44613cfe Mon Sep 17 00:00:00 2001 From: Richard Henderson Date: Mon, 16 Jul 2018 17:18:41 +0100 Subject: [PATCH 1/8] target/arm: Fix LD1W and LDFF1W (scalar plus vector) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 'I' was being double-incremented; correctly within the inner loop and incorrectly within the outer loop. Signed-off-by: Richard Henderson Reviewed-by: Laurent Desnogues Reviewed-by: Alex Bennée Tested-by: Alex Bennée Message-id: 20180711103957.3040-1-richard.henderson@linaro.org Signed-off-by: Peter Maydell --- target/arm/sve_helper.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c index a03ca77354..54795c9194 100644 --- a/target/arm/sve_helper.c +++ b/target/arm/sve_helper.c @@ -4459,7 +4459,7 @@ void HELPER(NAME)(CPUARMState *env, void *vd, void *vg, void *vm, \ intptr_t i, oprsz = simd_oprsz(desc); \ unsigned scale = simd_data(desc); \ uintptr_t ra = GETPC(); \ - for (i = 0; i < oprsz; i++) { \ + for (i = 0; i < oprsz; ) { \ uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3)); \ do { \ TYPEM m = 0; \ @@ -4540,7 +4540,7 @@ void HELPER(NAME)(CPUARMState *env, void *vd, void *vg, void *vm, \ uintptr_t ra = GETPC(); \ bool first = true; \ mmap_lock(); \ - for (i = 0; i < oprsz; i++) { \ + for (i = 0; i < oprsz; ) { \ uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3)); \ do { \ TYPEM m = 0; \ From 333b9c8a684c58f6711521e446e4b26de5addadc Mon Sep 17 00:00:00 2001 From: Andrew Jeffery Date: Mon, 16 Jul 2018 17:18:41 +0100 Subject: [PATCH 2/8] aspeed: Implement write-1-{set, clear} for AST2500 strapping The AST2500 SoC family changes the runtime behaviour of the hardware strapping register (SCU70) to write-1-set/write-1-clear, with write-1-clear implemented on the "read-only" SoC revision register (SCU7C). For the the AST2400, the hardware strapping is runtime-configured with read-modify-write semantics. 
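Review bot: The rewritten `for (i = 0; i < oprsz; ) {` at the `@@ -4459` hunk now has an empty increment clause and relies on the inner `do { ... }` loop advancing `i`, which the hunk does not show; the same applies to the `@@ -4540` hunk. A short comment on that line would stop the next reader from "fixing" it back to `i++`, e.g. `for (i = 0; i < oprsz; ) { /* i is advanced by the inner do/while */ \`. The macro body containing the inner loop and its increment continues past both hunks.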
Signed-off-by: Andrew Jeffery Reviewed-by: Joel Stanley Message-id: 20180709143524.17480-1-andrew@aj.id.au Signed-off-by: Peter Maydell --- hw/misc/aspeed_scu.c | 19 +++++++++++++++++-- include/hw/misc/aspeed_scu.h | 2 ++ 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/hw/misc/aspeed_scu.c b/hw/misc/aspeed_scu.c index 59333b50ab..c8217740ef 100644 --- a/hw/misc/aspeed_scu.c +++ b/hw/misc/aspeed_scu.c @@ -247,11 +247,26 @@ static void aspeed_scu_write(void *opaque, hwaddr offset, uint64_t data, s->regs[reg] = data; aspeed_scu_set_apb_freq(s); break; - + case HW_STRAP1: + if (ASPEED_IS_AST2500(s->regs[SILICON_REV])) { + s->regs[HW_STRAP1] |= data; + return; + } + /* Jump to assignment below */ + break; + case SILICON_REV: + if (ASPEED_IS_AST2500(s->regs[SILICON_REV])) { + s->regs[HW_STRAP1] &= ~data; + } else { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: Write to read-only offset 0x%" HWADDR_PRIx "\n", + __func__, offset); + } + /* Avoid assignment below, we've handled everything */ + return; case FREQ_CNTR_EVAL: case VGA_SCRATCH1 ... VGA_SCRATCH8: case RNG_DATA: - case SILICON_REV: case FREE_CNTR4: case FREE_CNTR4_EXT: qemu_log_mask(LOG_GUEST_ERROR, diff --git a/include/hw/misc/aspeed_scu.h b/include/hw/misc/aspeed_scu.h index f662c38188..38996adc59 100644 --- a/include/hw/misc/aspeed_scu.h +++ b/include/hw/misc/aspeed_scu.h @@ -41,6 +41,8 @@ typedef struct AspeedSCUState { #define AST2500_A0_SILICON_REV 0x04000303U #define AST2500_A1_SILICON_REV 0x04010303U +#define ASPEED_IS_AST2500(si_rev) ((((si_rev) >> 24) & 0xff) == 0x04) + extern bool is_supported_silicon_rev(uint32_t silicon_rev); #define ASPEED_SCU_PROT_KEY 0x1688A8A8 From ee03cca88ec2e4cd1ffd319764cced1cab707ee2 Mon Sep 17 00:00:00 2001 
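Review bot: `ASPEED_IS_AST2500(s->regs[SILICON_REV])` is evaluated separately in the new `HW_STRAP1` and `SILICON_REV` cases of aspeed_scu_write; hoisting it into a local, `bool is_ast2500 = ASPEED_IS_AST2500(s->regs[SILICON_REV]);` before the switch, would remove the duplication and make the two register models (write-1-set/clear on AST2500, read-modify-write on AST2400 via the `break` that falls to the assignment after the switch, outside the hunk) easier to read side by side. In the header hunk the macro is fully parenthesized, but the `0x04` it compares against is a magic number; a comment such as `/* Silicon revision byte 0x04 identifies the AST2500 family (see AST2500_*_SILICON_REV) */` would tie it to the constants defined just above it. The enclosing switch in aspeed_scu_write starts and ends outside the hunk.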
From: Peter Maydell Date: Mon, 16 Jul 2018 17:18:41 +0100 Subject: [PATCH 3/8] hw/intc/arm_gic: Check interrupt number in gic_deactivate_irq() In gic_deactivate_irq() the interrupt number comes from the guest (on a write to the GICC_DIR register), so we need to sanity check that it isn't out of range before we use it as an array index. Handle this in a similar manner to the check we do in gic_complete_irq() for the GICC_EOI register. The array overrun is not disastrous because the calling code uses (value & 0x3ff) to extract the interrupt field, so the only out-of-range values possible are 1020..1023, which allow overrunning only from irq_state[] into the following irq_target[] array which the guest can already manipulate. Signed-off-by: Peter Maydell Reviewed-by: Richard Henderson Reviewed-by: Luc Michel Message-id: 20180712154152.32183-2-peter.maydell@linaro.org --- hw/intc/arm_gic.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c index ea0323f969..b0a69d6386 100644 --- a/hw/intc/arm_gic.c +++ b/hw/intc/arm_gic.c @@ -543,7 +543,21 @@ static bool gic_eoi_split(GICState *s, int cpu, MemTxAttrs attrs) static void gic_deactivate_irq(GICState *s, int cpu, int irq, MemTxAttrs attrs) { int cm = 1 << cpu; - int group = gic_has_groups(s) && GIC_TEST_GROUP(irq, cm); + int group; + + if (irq >= s->num_irq) { + /* + * This handles two cases: + * 1. If software writes the ID of a spurious interrupt [ie 1023] + * to the GICC_DIR, the GIC ignores that write. + * 2. If software writes the number of a non-existent interrupt + * this must be a subcase of "value written is not an active interrupt" + * and so this is UNPREDICTABLE. We choose to ignore it. + */ + return; + } + + group = gic_has_groups(s) && GIC_TEST_GROUP(irq, cm); if (!gic_eoi_split(s, cpu, attrs)) { /* This is UNPREDICTABLE; we choose to ignore it */ From 7995206d057409cff9d4e850bdc8296c8fc21d38 Mon Sep 17 00:00:00 2001 
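Review bot: The new guard in gic_deactivate_irq only rejects `irq >= s->num_irq`; `irq` is a signed `int`, so a negative value would still index the per-irq arrays out of bounds. The commit message says the caller masks the value with `& 0x3ff`, which makes that unreachable today, but the invariant is not visible in the hunk, so consider `assert(irq >= 0);` or a comment stating that the caller guarantees a 10-bit non-negative value. Case 2 in the new comment (a nonexistent interrupt) is dropped silently; if this file reports other guest errors with `qemu_log_mask(LOG_GUEST_ERROR, ...)`, logging this one too would help diagnose a misbehaving guest. The rest of gic_deactivate_irq continues outside the hunk.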
From: Peter Maydell Date: Mon, 16 Jul 2018 17:18:41 +0100 Subject: [PATCH 4/8] hw/intc/arm_gic: Fix handling of GICD_ITARGETSR The GICD_ITARGETSR implementation still has some 11MPCore behaviour that we were incorrectly using in our GICv1 and GICv2 implementations for the case where the interrupt number is less than GIC_INTERNAL. The desired behaviour here is: * for 11MPCore: RAZ/WI for irqs 0..28; read a number matching the CPU doing the read for irqs 29..31 * for GICv1 and v2: RAZ/WI if uniprocessor; otherwise read a number matching the CPU doing the read for all irqs < 32 Stop squashing GICD_ITARGETSR to 0 for IRQs 0..28 unless this is an 11MPCore GIC. Reported-by: Jan Kiszka Signed-off-by: Peter Maydell Reviewed-by: Richard Henderson Reviewed-by: Luc Michel Message-id: 20180712154152.32183-3-peter.maydell@linaro.org --- hw/intc/arm_gic.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c index b0a69d6386..34dc84ae81 100644 --- a/hw/intc/arm_gic.c +++ b/hw/intc/arm_gic.c @@ -751,7 +751,9 @@ static uint32_t gic_dist_readb(void *opaque, hwaddr offset, MemTxAttrs attrs) if (irq >= s->num_irq) { goto bad_reg; } - if (irq >= 29 && irq <= 31) { + if (irq < 29 && s->revision == REV_11MPCORE) { + res = 0; + } else if (irq < GIC_INTERNAL) { res = cm; } else { res = GIC_TARGET(irq); @@ -1014,7 +1016,7 @@ static void gic_dist_writeb(void *opaque, hwaddr offset, if (irq >= s->num_irq) { goto bad_reg; } - if (irq < 29) { + if (irq < 29 && s->revision == REV_11MPCORE) { value = 0; } else if (irq < GIC_INTERNAL) { value = ALL_CPU_MASK; From cccf96c3d4263125e6d2c23ad264001ca2e6fffa Mon Sep 17 00:00:00 2001 
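Review bot: Both hunks (gic_dist_readb at `@@ -751` and gic_dist_writeb at `@@ -1014`) repeat the condition `irq < 29 && s->revision == REV_11MPCORE` with the bare literal 29; a comment on the first occurrence such as `/* 11MPCore: IRQs 0..28 have no target register and are RAZ/WI */`, or a named constant in place of 29, would record why the cut-off differs from GIC_INTERNAL. The uniprocessor RAZ/WI behaviour described in the commit message for GICv1/v2 is not visible in either hunk, so presumably it is handled before the shown lines — worth confirming. Both enclosing functions start and end outside the hunks.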
From: Thomas Huth Date: Mon, 16 Jul 2018 17:18:41 +0100 Subject: [PATCH 5/8] hw/arm/bcm2836: Mark the bcm2836 / bcm2837 devices with user_creatable = false These devices are currently causing some problems when a user is trying to hot-plug or introspect them during runtime. Since these devices can not be instantiated by the user at all (they need to be wired up in code instead), we should mark them with user_creatable = false anyway, then we avoid at least the crashes with the hot-plugging. The introspection problem will be handled by a separate patch. Signed-off-by: Thomas Huth Message-id: 1531415537-26037-1-git-send-email-thuth@redhat.com Reviewed-by: Peter Maydell Reviewed-by: Markus Armbruster Signed-off-by: Peter Maydell --- hw/arm/bcm2836.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hw/arm/bcm2836.c b/hw/arm/bcm2836.c index 6805a7d7c8..45d9e40c45 100644 --- a/hw/arm/bcm2836.c +++ b/hw/arm/bcm2836.c @@ -185,6 +185,8 @@ static void bcm283x_class_init(ObjectClass *oc, void *data) bc->info = data; dc->realize = bcm2836_realize; dc->props = bcm2836_props; + /* Reason: Must be wired up in code (see raspi_init() function) */ + dc->user_creatable = false; } static const TypeInfo bcm283x_type_info = { From 65e9f27f22ba273672a1960cabad0e6aae0fbba2 Mon Sep 17 00:00:00 2001 
From: Guenter Roeck Date: Mon, 16 Jul 2018 17:18:42 +0100 Subject: [PATCH 6/8] bcm2835_aux: Swap RX and TX interrupt assignments RX and TX interrupt bits were reversed, resulting in an endless sequence of serial interupts in the emulated system and the following repeated error message when booting Linux. serial8250: too much work for irq61 This results in a boot failure most of the time. Qemu command line used to reproduce the problem: qemu-system-aarch64 -M raspi3 -m 1024 \ -kernel arch/arm64/boot/Image \ --append "rdinit=/sbin/init console=ttyS1,115200" -initrd rootfs.cpio \ -dtb arch/arm64/boot/dts/broadcom/bcm2837-rpi-3-b.dtb \ -nographic -monitor null -serial null -serial stdio This is with arm64:defconfig. The root file system was generated using buildroot. NB that this error likely arises from an erratum in the BCM2835 datasheet where the TX and RX bits were swapped in the AU_MU_IER_REG description (but correct for IIR): https://elinux.org/BCM2835_datasheet_errata#p12 Signed-off-by: Guenter Roeck Message-id: 1529355846-25102-1-git-send-email-linux@roeck-us.net Reviewed-by: Peter Maydell [PMM: added NB about datasheet] Signed-off-by: Peter Maydell --- hw/char/bcm2835_aux.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hw/char/bcm2835_aux.c b/hw/char/bcm2835_aux.c index 370dc7e296..0364596c55 100644 --- a/hw/char/bcm2835_aux.c +++ b/hw/char/bcm2835_aux.c @@ -39,8 +39,8 @@ #define AUX_MU_BAUD_REG 0x68 /* bits in IER/IIR registers */ -#define TX_INT 0x1 -#define RX_INT 0x2 +#define RX_INT 0x1 +#define TX_INT 0x2 static void bcm2835_aux_update(BCM2835AuxState *s) { From b493ccf1fc82674ef73564b3c61e309105c9336b Mon Sep 17 00:00:00 2001 
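Review bot: The swapped `RX_INT`/`TX_INT` values carry no explanation in the file, so a reader checking them against the datasheet's AUX_MU_IER_REG table will conclude the new values are the bug; add a comment beside the defines, e.g. `/* bit 0 = RX, bit 1 = TX; the BCM2835 datasheet's IER table has them swapped (see elinux.org BCM2835_datasheet_errata p12), the IIR table is correct */`. Because these macros are used throughout bcm2835_aux.c, every IER/IIR read and write path changes meaning with this two-line hunk, none of which is shown here, so the comment is the only place the rationale would survive.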
From: Peter Maydell Date: Fri, 13 Jul 2018 15:16:35 +0100 Subject: [PATCH 7/8] accel/tcg: Use correct test when looking in victim TLB for code In get_page_addr_code(), we were incorrectly looking in the victim TLB for an entry which matched the target address for reads, not for code accesses. This meant that we could hit on a victim TLB entry that indicated that the address was readable but not executable, and incorrectly bypass the call to tlb_fill() which should generate the guest MMU exception. Fix this bug. Signed-off-by: Peter Maydell Reviewed-by: Richard Henderson Message-id: 20180713141636.18665-2-peter.maydell@linaro.org --- accel/tcg/cputlb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c index 20c147d655..2d5fb15d9a 100644 --- a/accel/tcg/cputlb.c +++ b/accel/tcg/cputlb.c @@ -967,7 +967,7 @@ tb_page_addr_t get_page_addr_code(CPUArchState *env, target_ulong addr) index = (addr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1); mmu_idx = cpu_mmu_index(env, true); if (unlikely(!tlb_hit(env->tlb_table[mmu_idx][index].addr_code, addr))) { - if (!VICTIM_TLB_HIT(addr_read, addr)) { + if (!VICTIM_TLB_HIT(addr_code, addr)) { tlb_fill(ENV_GET_CPU(env), addr, 0, MMU_INST_FETCH, mmu_idx, 0); } } From 3474c98a2a2afcefa7c665f02ad2bed2a43ab0f7 Mon Sep 17 00:00:00 2001 
From: Peter Maydell Date: Fri, 13 Jul 2018 15:16:36 +0100 Subject: [PATCH 8/8] accel/tcg: Assert that tlb fill gave us a valid TLB entry In commit 4b1a3e1e34ad97 we added a check for whether the TLB entry we had following a tlb_fill had the INVALID bit set. This could happen in some circumstances because a stale or wrong TLB entry was pulled out of the victim cache. However, after commit 68fea038553039e (which prevents stale entries being in the victim cache) and the previous commit (which ensures we don't incorrectly hit in the victim cache)) this should never be possible. Drop the check on TLB_INVALID_MASK from the "is this a TLB_RECHECK?" condition, and instead assert that the tlb fill procedure has given us a valid TLB entry (or longjumped out with a guest exception). Signed-off-by: Peter Maydell Reviewed-by: Richard Henderson Message-id: 20180713141636.18665-3-peter.maydell@linaro.org --- accel/tcg/cputlb.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c index 2d5fb15d9a..563fa30117 100644 --- a/accel/tcg/cputlb.c +++ b/accel/tcg/cputlb.c @@ -970,10 +970,10 @@ tb_page_addr_t get_page_addr_code(CPUArchState *env, target_ulong addr) if (!VICTIM_TLB_HIT(addr_code, addr)) { tlb_fill(ENV_GET_CPU(env), addr, 0, MMU_INST_FETCH, mmu_idx, 0); } + assert(tlb_hit(env->tlb_table[mmu_idx][index].addr_code, addr)); } - if (unlikely((env->tlb_table[mmu_idx][index].addr_code & - (TLB_RECHECK | TLB_INVALID_MASK)) == TLB_RECHECK)) { + if (unlikely(env->tlb_table[mmu_idx][index].addr_code & TLB_RECHECK)) { /* * This is a TLB_RECHECK access, where the MMU protection * covers a smaller range than a target page, and we must
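Review bot: The new `assert(tlb_hit(env->tlb_table[mmu_idx][index].addr_code, addr));` in get_page_addr_code encodes the contract that `tlb_fill()` either installs a matching `addr_code` entry or does not return (it longjmps out with a guest exception), but that contract is stated only in the commit message; a comment on the line, e.g. `/* tlb_fill() either installs a matching entry or longjmps out with a guest exception */`, would make the assertion self-explanatory. It is also worth noting in that comment that if the assumption is ever broken the assert aborts the emulator on a guest-driven code fetch rather than raising a guest fault, which is the intended trade-off per the commit message. The function's remaining lines are outside the hunk.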