aboutsummaryrefslogtreecommitdiff
path: root/target
AgeCommit message (Collapse)Author
2024-03-05target/arm: Do memory type alignment check when translation enabledRichard Henderson
If translation is enabled, and the PTE memory type is Device, enable checking alignment via TLB_CHECK_ALIGNMENT. While the check is done later than it should be per the ARM, it's better than not performing the check at all. Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20240301204110.656742-7-richard.henderson@linaro.org [PMM: tweaks to comment text] Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
2024-03-05target/arm: Do memory type alignment check when translation disabledRichard Henderson
If translation is disabled, the default memory type is Device, which requires alignment checking. This is more optimally done early via the MemOp given to the TCG memory operation. Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reported-by: Idan Horowitz <idan.horowitz@gmail.com> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20240301204110.656742-6-richard.henderson@linaro.org Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1204 Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2024-03-05accel/tcg: Add tlb_fill_flags to CPUTLBEntryFullRichard Henderson
Allow the target to set tlb flags to apply to all of the comparators. Remove MemTxAttrs.byte_swap, as the bit is not relevant to memory transactions, only the page mapping. Adjust target/sparc to set TLB_BSWAP directly. Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20240301204110.656742-4-richard.henderson@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2024-03-05target/arm: Support 32-byte alignment in pow2_alignRichard Henderson
Now that we have removed TARGET_PAGE_BITS_MIN-6 from TLB_FLAGS_MASK, we can test for 32-byte alignment. Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20240301204110.656742-2-richard.henderson@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2024-03-05Merge tag 'pull-tcg-20240301' of https://gitlab.com/rth7680/qemu into stagingPeter Maydell
linux-user: Rewrite elf coredump tcg/aarch64: Apple does not align __int128_t in even registers accel/tcg: Fixes for page tables in mmio memory linux-user: Remove qemu_host_page_{size,mask}, HOST_PAGE_ALIGN migration: Remove qemu_host_page_size hw/tpm: Remove qemu_host_page_size softmmu: Remove qemu_host_page_{size,mask}, HOST_PAGE_ALIGN linux-user: Split and reorganize target_mmap. *-user: Deprecate and disable -p pagesize linux-user: Allow TARGET_PAGE_BITS_VARY target/alpha: Enable TARGET_PAGE_BITS_VARY for user-only target/arm: Enable TARGET_PAGE_BITS_VARY for AArch64 user-only target/ppc: Enable TARGET_PAGE_BITS_VARY for user-only linux-user: Remove pgb_dynamic alignment assertion tcg/optimize: fix uninitialized variable linux-user: Rewrite shmat # -----BEGIN PGP SIGNATURE----- # # iQFRBAABCgA7FiEEekgeeIaLTbaoWgXAZN846K9+IV8FAmXiXxQdHHJpY2hhcmQu # aGVuZGVyc29uQGxpbmFyby5vcmcACgkQZN846K9+IV/H3QgApu4OgadviJuOBenT # yaGiq+iG4wTL5vVZFK8CgMtq59dJbgJSCooh7U8dn5hIhVuvOU7odUm6embt+4WZ # 0fDZIjrRvdDMM3LdLFhfdZszMNg6w2ceN9dn5iLkW3wxjRBpTzZNbxhh2Sg308+Q # oNd+MlYLijDvQP97+tlQ/PBtndLfV5FkpU74ZinWRgcpcT6oH9sP6TRlAVttefy7 # 3GsIXhDKGoDa/0Jpy86qE//3FUaVRqqcNlAIPXMf47ABQ2y2lZlwsfyty7s55sVW # KgdXdH1GiCgxIonVg4bYvovnwKVH5xHlpsJY48jQtBXR/4exPBFBpeTc422E0Sed # swpayg== # =W3pb # -----END PGP SIGNATURE----- # gpg: Signature made Fri 01 Mar 2024 23:04:52 GMT # gpg: using RSA key 7A481E78868B4DB6A85A05C064DF38E8AF7E215F # gpg: issuer "richard.henderson@linaro.org" # gpg: Good signature from "Richard Henderson <richard.henderson@linaro.org>" [full] # Primary key fingerprint: 7A48 1E78 868B 4DB6 A85A 05C0 64DF 38E8 AF7E 215F * tag 'pull-tcg-20240301' of https://gitlab.com/rth7680/qemu: (60 commits) tests/tcg: Check that shmat() does not break /proc/self/maps linux-user: Rewrite target_shmat linux-user: Add strace for shmat linux-user/loongarch64: Remove TARGET_FORCE_SHMLBA linux-user/x86_64: Handle the vsyscall page in open_self_maps_{2,4} tcg/optimize: fix uninitialized variable linux-user: Remove pgb_dynamic alignment assertion target/alpha: Enable TARGET_PAGE_BITS_VARY for user-only target/ppc: Enable TARGET_PAGE_BITS_VARY for user-only linux-user: Bound mmap_min_addr by host page size target/arm: Enable TARGET_PAGE_BITS_VARY for AArch64 user-only linux-user: Allow TARGET_PAGE_BITS_VARY accel/tcg: Disconnect TargetPageDataNode from page size cpu: Remove page_size_init *-user: Deprecate and disable -p pagesize tests/tcg: Extend file in linux-madvise.c tests/tcg: Remove run-test-mmap-* linux-user: Split out mmap_h_gt_g linux-user: Split out mmap_h_lt_g linux-user: Split out mmap_h_eq_g ... Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2024-03-03target/hppa: Restore unwind_breg before calculating iorHelge Deller
When calculating the IOR for the exception handlers, the current unwind_breg value is needed on 64-bit hppa machines. Restore that value by calling cpu_restore_state() earlier, which in turn calls hppa_restore_state_to_opc() which restores the unwind_breg for the current instruction. Signed-off-by: Helge Deller <deller@gmx.de> Fixes: 3824e0d643f3 ("target/hppa: Export function hppa_set_ior_and_isr()") Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
2024-03-03target: hppa: Fix unaligned double word accesses for hppa64Guenter Roeck
Unaligned 64-bit accesses were found in Linux to clobber carry bits, resulting in bad results if an arithmetic operation involving a carry bit was executed after an unaligned 64-bit operation. hppa 2.0 defines additional carry bits in PSW register bits 32..39. When restoring PSW after executing an unaligned instruction trap, those bits were not cleared and ended up to be active all the time. Since there are no bits other than the upper carry bits needed in the upper 32 bit of env->psw and since those are stored in env->psw_cb, just clear the entire upper 32 bit when storing psw to solve the problem unconditionally. Fixes: 931adff31478 ("target/hppa: Update cpu_hppa_get/put_psw for hppa64") Cc: Richard Henderson <richard.henderson@linaro.org> Cc: Charlie Jenkins <charlie@rivosinc.com> Cc: Helge Deller <deller@gmx.de> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Helge Deller <deller@gmx.de>
2024-02-29target/alpha: Enable TARGET_PAGE_BITS_VARY for user-onlyRichard Henderson
Since alpha binaries are generally built for multiple page sizes, it is trivial to allow the page size to vary. Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org> Reviewed-by: Ilya Leoshkevich <iii@linux.ibm.com> Acked-by: Helge Deller <deller@gmx.de> Message-Id: <20240102015808.132373-34-richard.henderson@linaro.org>
2024-02-29target/ppc: Enable TARGET_PAGE_BITS_VARY for user-onlyRichard Henderson
Since ppc binaries are generally built for multiple page sizes, it is trivial to allow the page size to vary. Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Ilya Leoshkevich <iii@linux.ibm.com> Acked-by: Helge Deller <deller@gmx.de> Message-Id: <20240102015808.132373-33-richard.henderson@linaro.org>
2024-02-29target/arm: Enable TARGET_PAGE_BITS_VARY for AArch64 user-onlyRichard Henderson
Since aarch64 binaries are generally built for multiple page sizes, it is trivial to allow the page size to vary. Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org> Acked-by: Helge Deller <deller@gmx.de> Message-Id: <20240102015808.132373-31-richard.henderson@linaro.org>
2024-02-28Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into stagingPeter Maydell
* target/i386: Fix physical address truncation on 32-bit PAE * Remove globals for options -no-fd-bootchk and -win2k-hack # -----BEGIN PGP SIGNATURE----- # # iQFIBAABCAAyFiEE8TM4V0tmI4mGbHaCv/vSX3jHroMFAmXebwQUHHBib256aW5p # QHJlZGhhdC5jb20ACgkQv/vSX3jHroPozAf/Vgc9u6C+8PcPDrol6qxjI+EOHLNy # 7M3/OFpUkwLXuOSawb6syYxHpLS38fKRcsb2ninngUmbRWA6p+KNUizlAFMj7op5 # wJmtdamCwCwXXaw20SfWxx2Ih0JS7FQsRsU94HTOdaDB17C9+hBcYwcggsOAXCmq # gyVenEF1mov2A4jLMhdVIRX784AAoEP+QAuhBKQBrQwRLCTTyNdHl7jXdB9w+2sh # KafokoFLcozJHz/tN3AhRKy6zjPugJyQmJwBRuj9tstCILtXpvf/ZE/3pUq5l3ZY # A6dCI0zWAlGNTkpKRXsMFozNIVP2htnyidy29XHptlY5acfjtQ++rMu3BQ== # =WY4H # -----END PGP SIGNATURE----- # gpg: Signature made Tue 27 Feb 2024 23:23:48 GMT # gpg: using RSA key F13338574B662389866C7682BFFBD25F78C7AE83 # gpg: issuer "pbonzini@redhat.com" # gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" [full] # gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" [full] # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1 # Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83 * tag 'for-upstream' of https://gitlab.com/bonzini/qemu: ide, vl: turn -win2k-hack into a property on IDE devices ide: collapse parameters to ide_init_drive target/i386: leave the A20 bit set in the final NPT walk target/i386: remove unnecessary/wrong application of the A20 mask target/i386: Fix physical address truncation target/i386: use separate MMU indexes for 32-bit accesses target/i386: introduce function to query MMU indices target/i386: check validity of VMCB addresses target/i386: mask high bits of CR3 in 32-bit mode vl, pc: turn -no-fd-bootchk into a machine property Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2024-02-28gdbstub: Add members to identify registers to GDBFeatureAkihiko Odaki
These members will be used to help plugins to identify registers. The added members in instances of GDBFeature dynamically generated by CPUs will be filled in later changes. Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> Message-Id: <20231213-gdb-v17-10-777047380591@daynix.com> Signed-off-by: Alex Bennée <alex.bennee@linaro.org> Message-Id: <20240227144335.1196131-15-alex.bennee@linaro.org>
2024-02-28hw/core/cpu: Remove gdb_get_dynamic_xml memberAkihiko Odaki
This function is no longer used. Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> Reviewed-by: Alex Bennée <alex.bennee@linaro.org> Message-Id: <20231213-gdb-v17-9-777047380591@daynix.com> Signed-off-by: Alex Bennée <alex.bennee@linaro.org> Message-Id: <20240227144335.1196131-14-alex.bennee@linaro.org>
2024-02-28gdbstub: Infer number of core registers from XMLAkihiko Odaki
GDBFeature has the num_regs member so use it where applicable to remove magic numbers. Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> Message-Id: <20231213-gdb-v17-8-777047380591@daynix.com> [AJB: remove core reg check from microblaze read reg] Signed-off-by: Alex Bennée <alex.bennee@linaro.org> Message-Id: <20240227144335.1196131-13-alex.bennee@linaro.org>
2024-02-28gdbstub: Change gdb_get_reg_cb and gdb_set_reg_cbAkihiko Odaki
Align the parameters of gdb_get_reg_cb and gdb_set_reg_cb with the gdb_read_register and gdb_write_register members of CPUClass to allow to unify the logic to access registers of the core and coprocessors in the future. Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> Reviewed-by: Alex Bennée <alex.bennee@linaro.org> Message-Id: <20231213-gdb-v17-6-777047380591@daynix.com> Signed-off-by: Alex Bennée <alex.bennee@linaro.org> Message-Id: <20240227144335.1196131-11-alex.bennee@linaro.org>
2024-02-28gdbstub: Use GDBFeature for gdb_register_coprocessorAkihiko Odaki
This is a tree-wide change to introduce GDBFeature parameter to gdb_register_coprocessor(). The new parameter just replaces num_regs and xml parameters for now. GDBFeature will be utilized to simplify XML lookup in a following change. Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> Acked-by: Alex Bennée <alex.bennee@linaro.org> Message-Id: <20231213-gdb-v17-4-777047380591@daynix.com> Signed-off-by: Alex Bennée <alex.bennee@linaro.org> Message-Id: <20240227144335.1196131-9-alex.bennee@linaro.org>
2024-02-28target/riscv: Use GDBFeature for dynamic XMLAkihiko Odaki
In preparation for a change to use GDBFeature as a parameter of gdb_register_coprocessor(), convert the internal representation of dynamic feature from plain XML to GDBFeature. Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> Message-Id: <20231213-gdb-v17-3-777047380591@daynix.com> Signed-off-by: Alex Bennée <alex.bennee@linaro.org> Message-Id: <20240227144335.1196131-8-alex.bennee@linaro.org>
2024-02-28target/ppc: Use GDBFeature for dynamic XMLAkihiko Odaki
In preparation for a change to use GDBFeature as a parameter of gdb_register_coprocessor(), convert the internal representation of dynamic feature from plain XML to GDBFeature. Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-Id: <20231213-gdb-v17-2-777047380591@daynix.com> Signed-off-by: Alex Bennée <alex.bennee@linaro.org> Message-Id: <20240227144335.1196131-7-alex.bennee@linaro.org>
2024-02-28target/arm: Use GDBFeature for dynamic XMLAkihiko Odaki
In preparation for a change to use GDBFeature as a parameter of gdb_register_coprocessor(), convert the internal representation of dynamic feature from plain XML to GDBFeature. Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> Acked-by: Richard Henderson <richard.henderson@linaro.org> Message-Id: <20231213-gdb-v17-1-777047380591@daynix.com> Signed-off-by: Alex Bennée <alex.bennee@linaro.org> Message-Id: <20240227144335.1196131-6-alex.bennee@linaro.org>
2024-02-28target/i386: leave the A20 bit set in the final NPT walkPaolo Bonzini
The A20 mask is only applied to the final memory access. Nested page tables are always walked with the raw guest-physical address. Unlike the previous patch, in this one the masking must be kept, but it was done too early. Cc: qemu-stable@nongnu.org Fixes: 4a1e9d4d11c ("target/i386: Use atomic operations for pte updates", 2022-10-18) Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2024-02-28target/i386: remove unnecessary/wrong application of the A20 maskPaolo Bonzini
If ptw_translate() does a MMU_PHYS_IDX access, the A20 mask is already applied in get_physical_address(), which is called via probe_access_full() and x86_cpu_tlb_fill(). If ptw_translate() on the other hand does a MMU_NESTED_IDX access, the A20 mask must not be applied to the address that is looked up in the nested page tables; it must be applied only to the addresses that hold the NPT entries (which is achieved via MMU_PHYS_IDX, per the previous paragraph). Therefore, we can remove A20 masking from the computation of the page table entry's address, and let get_physical_address() or mmu_translate() apply it when they know they are returning a host-physical address. Cc: qemu-stable@nongnu.org Fixes: 4a1e9d4d11c ("target/i386: Use atomic operations for pte updates", 2022-10-18) Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2024-02-28target/i386: Fix physical address truncationPaolo Bonzini
The address translation logic in get_physical_address() will currently truncate physical addresses to 32 bits unless long mode is enabled. This is incorrect when using physical address extensions (PAE) outside of long mode, with the result that a 32-bit operating system using PAE to access memory above 4G will experience undefined behaviour. The truncation code was originally introduced in commit 33dfdb5 ("x86: only allow real mode to access 32bit without LMA"), where it applied only to translations performed while paging is disabled (and so cannot affect guests using PAE). Commit 9828198 ("target/i386: Add MMU_PHYS_IDX and MMU_NESTED_IDX") rearranged the code such that the truncation also applied to the use of MMU_PHYS_IDX and MMU_NESTED_IDX. Commit 4a1e9d4 ("target/i386: Use atomic operations for pte updates") brought this truncation into scope for page table entry accesses, and is the first commit for which a Windows 10 32-bit guest will reliably fail to boot if memory above 4G is present. The truncation code however is not completely redundant. Even though the maximum address size for any executed instruction is 32 bits, helpers for operations such as BOUND, FSAVE or XSAVE may ask get_physical_address() to translate an address outside of the 32-bit range, if invoked with an argument that is close to the 4G boundary. Likewise for processor accesses, for example TSS or IDT accesses, when EFER.LMA==0. So, move the address truncation in get_physical_address() so that it applies to 32-bit MMU indexes, but not to MMU_PHYS_IDX and MMU_NESTED_IDX. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2040 Fixes: 4a1e9d4d11c ("target/i386: Use atomic operations for pte updates", 2022-10-18) Cc: qemu-stable@nongnu.org Co-developed-by: Michael Brown <mcb30@ipxe.org> Signed-off-by: Michael Brown <mcb30@ipxe.org> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2024-02-28target/i386: use separate MMU indexes for 32-bit accessesPaolo Bonzini
Accesses from a 32-bit environment (32-bit code segment for instruction accesses, EFER.LMA==0 for processor accesses) have to mask away the upper 32 bits of the address. While a bit wasteful, the easiest way to do so is to use separate MMU indexes. These days, QEMU anyway is compiled with a fixed value for NB_MMU_MODES. Split MMU_USER_IDX, MMU_KSMAP_IDX and MMU_KNOSMAP_IDX in two. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2024-02-28target/i386: introduce function to query MMU indicesPaolo Bonzini
Remove knowledge of specific MMU indexes (other than MMU_NESTED_IDX and MMU_PHYS_IDX) from mmu_translate(). This will make it possible to split 32-bit and 64-bit MMU indexes. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2024-02-28target/i386: check validity of VMCB addressesPaolo Bonzini
MSR_VM_HSAVE_PA bits 0-11 are reserved, as are the bits above the maximum physical address width of the processor. Setting them to 1 causes a #GP (see "15.30.4 VM_HSAVE_PA MSR" in the AMD manual). The same is true of VMCB addresses passed to VMRUN/VMLOAD/VMSAVE, even though the manual is not clear on that. Cc: qemu-stable@nongnu.org Fixes: 4a1e9d4d11c ("target/i386: Use atomic operations for pte updates", 2022-10-18) Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2024-02-28target/i386: mask high bits of CR3 in 32-bit modePaolo Bonzini
CR3 bits 63:32 are ignored in 32-bit mode (either legacy 2-level paging or PAE paging). Do this in mmu_translate() to remove the last where get_physical_address() meaningfully drops the high bits of the address. Cc: qemu-stable@nongnu.org Suggested-by: Richard Henderson <richard.henderson@linaro.org> Fixes: 4a1e9d4d11c ("target/i386: Use atomic operations for pte updates", 2022-10-18) Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2024-02-27arm/ptw: Handle atomic updates of page tables entries in MMIO during PTW.Jonathan Cameron
I'm far from confident this handling here is correct. Hence RFC. In particular not sure on what locks I should hold for this to be even moderately safe. The function already appears to be inconsistent in what it returns as the CONFIG_ATOMIC64 block returns the endian converted 'eventual' value of the cmpxchg whereas the TCG_OVERSIZED_GUEST case returns the previous value. Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Message-id: 20240219161229.11776-1-Jonathan.Cameron@huawei.com Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2024-02-27target/arm: Advertise Cortex-A53 erratum #843419 fix via REVIDRArd Biesheuvel
The Cortex-A53 r0p4 revision that QEMU emulates is affected by a CatA erratum #843419 (i.e., the most severe), which requires workarounds in the toolchain as well as the OS. Since the emulation is obviously not affected in the same way, we can indicate this via REVIDR bit #8, which on r0p4 has the meaning that no workarounds for erratum #843419 are needed. Signed-off-by: Ard Biesheuvel <ardb@kernel.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20240215160202.2803452-1-ardb+git@google.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2024-02-24Merge tag 'pull-request-2024-02-23' of https://gitlab.com/thuth/qemu into ↵Peter Maydell
staging * m68k: Fix exception frame format for 68010 * Add cdrom test for LoongArch virt machine * Fix qtests when using --without-default-devices * Enable -Wvla * Windows 32-bit removal * Silence warnings in the test-x86-cpuid-compat qtest # -----BEGIN PGP SIGNATURE----- # # iQJFBAABCAAvFiEEJ7iIR+7gJQEY8+q5LtnXdP5wLbUFAmXY7MMRHHRodXRoQHJl # ZGhhdC5jb20ACgkQLtnXdP5wLbWkRg//TCprQ7Gesex/yvMFIZuZk+poEaibxGXU # cWp6hneV8selTzBKzBC3VS1n31shd9astNRE95N2fSIfCV6R22y2tfZF2rSOoeog # bvqX7KoaEnSsrDS054EGAnuvYQpOGLGth/3Mc9Z791r5I1tYZPJocVnAyi/OB+3q # Gr5WzXj6Z/QD7c0f6vZ943wRBO/zc1729KikDUSyfS3Tua+15mAuUIUQdlLNNPct # 6aT5e6c967mAYh93AUevd3hgVYXH2W4fH7s1q2pap2hMBw2a43XvlMKJ9CvXPFPg # eU6knRPES16BSC2TTphNCBQi9n3rQdion01VsoQEetVBfFa4yA1Ys7ofF5vCa2l8 # 5EO5X3VQfZeq0ktmrLM7qAO0OMnolIqbeNS97ggOiyL0Q3YXim6cNWf8+OZbGoFR # OK88ndmzEXrZq+5w4QBDGLHFU3u8ZeWAM6p7Ht/ZN89ndDYT5bGBwkjVRW5hVgck # fmGhgutSqP2/DN5/4nMn8jtmGc65H/rBRilttW8W2JF72rQJYduDnx/A4KUatkHT # tC58NwLarF3kF7cebhWvNQDD74ia/35n+fEAmtIHF42YHE6aifss91QrgT+qGG5+ # GG12JIoFVDCgE1pkNU7GO53Uqo94Ej8TUOxwF9QfftxnqiktMG7Y/KQRcSA5VvHr # laagGgDzHP0= # =1hu9 # -----END PGP SIGNATURE----- # gpg: Signature made Fri 23 Feb 2024 19:06:43 GMT # gpg: using RSA key 27B88847EEE0250118F3EAB92ED9D774FE702DB5 # gpg: issuer "thuth@redhat.com" # gpg: Good signature from "Thomas Huth <th.huth@gmx.de>" [full] # gpg: aka "Thomas Huth <thuth@redhat.com>" [full] # gpg: aka "Thomas Huth <huth@tuxfamily.org>" [full] # gpg: aka "Thomas Huth <th.huth@posteo.de>" [unknown] # Primary key fingerprint: 27B8 8847 EEE0 2501 18F3 EAB9 2ED9 D774 FE70 2DB5 * tag 'pull-request-2024-02-23' of https://gitlab.com/thuth/qemu: target/i386: do not filter processor tracing features except on KVM .gitlab-ci.d/windows.yml: Remove shared-msys2 abstraction .gitlab-ci.d: Drop cross-win32-system job docs: Document that 32-bit Windows is unsupported meson: Enable -Wvla target/ppc/kvm: Replace variable length array in kvmppc_read_hptes() target/ppc/kvm: Replace variable length array in kvmppc_save_htab() tests: skip dbus-display tests that need a console tests/qtest: Fix boot-serial-test when using --without-default-devices tests/cdrom-test: Add cdrom test for LoongArch virt machine target/m68k: Fix exception frame format for 68010 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2024-02-23target/ppc: optimise ppcemb_tlb_t flushingNicholas Piggin
Filter TLB flushing by PID and mmuidx. Zoltan reports that, together with the previous TLB flush changes, performance of a sam460ex machine running 'lame' to convert a wav to mp3 is improved nearly 10%: CPU time TLB partial flushes TLB elided flushes Before 37s 508238 7680722 After 34s 73 1143 Tested-by: BALATON Zoltan <balaton@eik.bme.hu> Acked-by: Cédric Le Goater <clg@kaod.org> Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
2024-02-23target/ppc: 440 optimise tlbwe TLB flushingNicholas Piggin
Have 440 tlbwe flush only the range corresponding to the addresses covered by the software TLB entry being modified rather than the entire TLB. This matches what 4xx does. Tested-by: BALATON Zoltan <balaton@eik.bme.hu> Acked-by: Cédric Le Goater <clg@kaod.org> Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
2024-02-23target/ppc: 4xx optimise tlbwe_lo TLB flushingNicholas Piggin
Rather than tlbwe_lo always flushing all TCG TLBs, have it flush just those corresponding to the old software TLB, and only if it was valid. Tested-by: BALATON Zoltan <balaton@eik.bme.hu> Acked-by: Cédric Le Goater <clg@kaod.org> Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
2024-02-23target/ppc: 4xx don't flush TLB for a newly written software TLB entryNicholas Piggin
BookE software TLB is implemented by flushing old translations from the relevant TCG TLB whenever software TLB entries change. This means a new software TLB entry should not have any corresponding cached TCG TLB translations, so there is nothing to flush. The exception is multiple software TLBs that cover the same address and address space, but that is a programming error and results in undefined behaviour, and flushing does not give an obviously better outcome in that case either. Remove the unnecessary flush of a newly written software TLB entry. Tested-by: BALATON Zoltan <balaton@eik.bme.hu> Acked-by: Cédric Le Goater <clg@kaod.org> Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
2024-02-23target/ppc: Factor out 4xx ppcemb_tlb_t flushingNicholas Piggin
Flushing the TCG TLB pages that cache a software TLB is a common operation, factor it into its own function. Tested-by: BALATON Zoltan <balaton@eik.bme.hu> Acked-by: Cédric Le Goater <clg@kaod.org> Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
2024-02-23target/ppc: Fix 440 tlbwe TLB invalidation gapsNicholas Piggin
The 440 tlbwe (write entry) instruction misses several cases that must flush the TCG TLB: - If the new size is smaller than the existing size, the EA no longer covered should be flushed. This looks like an inverted inequality test. - If the TLB PID changes. - If the TLB attr bit 0 (translation address space) changes. - If low prot (access control) bits change. Fix this by removing tricks to avoid TLB flushes, and just invalidate the TLB if any valid entry is being changed, similarly to 4xx. Optimisations will be introduced in subsequent changes. Tested-by: BALATON Zoltan <balaton@eik.bme.hu> Acked-by: Cédric Le Goater <clg@kaod.org> Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
2024-02-23target/ppc: Add SMT support to time facilitiesNicholas Piggin
The TB, VTB, PURR, HDEC SPRs are per-LPAR registers, and the TFMR is a per-core register. Add the necessary SMT synchronisation and value sharing. The TFMR can only drive the timebase state machine via thread 0 of the core, which is almost certainly not right, but it is enough for skiboot and certain other proprietary firmware. Acked-by: Cédric Le Goater <clg@kaod.org> Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
2024-02-23target/ppc: Implement core timebase state machine and TFMRNicholas Piggin
This implements the core timebase state machine, which is the core side of the time-of-day system in POWER processors. This facility is operated by control fields in the TFMR register, which also contains status fields. The core timebase interacts with the chiptod hardware, primarily to receive TOD updates, to synchronise timebase with other cores. This model does not actually update TB values with TOD or updates received from the chiptod, as timebases are always synchronised. It does step through the states required to perform the update. There are several asynchronous state transitions. These are modelled using using mfTFMR to drive state changes, because it is expected that firmware poll the register to wait for those states. This is good enough to test basic firmware behaviour without adding real timers. The values chosen are arbitrary. Acked-by: Cédric Le Goater <clg@kaod.org> Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
2024-02-23ppc/pnv: Implement the ChipTOD to Core transferNicholas Piggin
One of the functions of the ChipTOD is to transfer TOD to the Core (aka PC - Pervasive Core) timebase facility. The ChipTOD can be programmed with a target address to send the TOD value to. The hardware implementation seems to perform this by sending the TOD value to a SCOM address. This implementation grabs the core directly and manipulates the timebase facility state in the core. This is a hack, but it works enough for now. A better implementation would implement the transfer to the PnvCore xscom register and drive the timebase state machine from there. Reviewed-by: Cédric Le Goater <clg@kaod.org> Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
2024-02-23target/ppc: Fix move-to timebase SPR access permissionsNicholas Piggin
The move-to timebase registers TBU and TBL can not be read, and they can not be written in supervisor mode on hypervisor-capable CPUs. Reviewed-by: Cédric Le Goater <clg@kaod.org> Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
2024-02-23target/ppc: Improve timebase register defines namingNicholas Piggin
The timebase in ppc started out with the mftb instruction which is like mfspr but addressed timebase registers (TBRs) rather than SPRs. These instructions could be used to read TB and TBU at 268 and 269. Timebase could be written via the TBL and TBU SPRs at 284 and 285. The ISA changed around v2.03 to bring TB and TBU reads into the SPR space at 268 and 269 (access via mftb TBR-space is still supported but will be phased out). Later, VTB was added which is an entirely different register. The SPR number defines in QEMU are understandably inconsistently named. Change SPR 268, 269, 284, 285 to TBL, TBU, WR_TBL, WR_TBU, respectively. Reviewed-by: Cédric Le Goater <clg@kaod.org> Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
2024-02-23target/ppc: Rename TBL to TB on 64-bitNicholas Piggin
From the earliest PowerPC ISA, TBR (later SPR) 268 has been called TB and accessed with mftb instruction. The problem is that TB is the name of the 64-bit register, and 32-bit implementations can only read the lower half with one instruction, so 268 has also been called TBL and it does only read TBL on 32-bit. Change SPR 268 to be called TB on 64-bit implementations. Reviewed-by: Cédric Le Goater <clg@redhat.com> Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
2024-02-23target/ppc: Update gdbstub to read SPR's CFAR, DEC, HDEC, TB-L/USaif Abrar
SPR's CFAR, DEC, HDEC, TB-L/U are not implemented as part of CPUPPCState. Hence, gdbstub is not able to access them using (CPUPPCState *)env->spr[] array. Update gdb_get_spr_reg() method to handle these SPR's specifically. Reviewed-by: Nicholas Piggin <npiggin@gmail.com> Signed-off-by: Saif Abrar <saif.abrar@linux.vnet.ibm.com> Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
2024-02-23hw/ppc/spapr_hcall: Allow elision of softmmu_resize_hpt_prepPhilippe Mathieu-Daudé
Check tcg_enabled() before calling softmmu_resize_hpt_prepare() and softmmu_resize_hpt_commit() to allow the compiler to elide their calls. The stubs are then unnecessary, remove them. Reviewed-by: Nicholas Piggin <npiggin@gmail.com> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
2024-02-23target/ppc: Rename registers to match ISANicholas Piggin
Several registers have names that don't match the ISA (or convention with other QEMU PPC registers), making them unintuitive to use with GDB. Fortunately most of these registers are obscure and/or have not been correctly implemented in the gdb server (e.g., DEC, TB, CFAR), so risk of breaking users should be low. QEMU should follow the ISA for register name convention (where there is no established GDB name). Acked-by: Cédric Le Goater <clg@kaod.org> Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
2024-02-23target/ppc: Fix crash on machine check caused by ifetchNicholas Piggin
is_prefix_insn_excp() loads the first word of the instruction address which caused an exception, to determine whether or not it was prefixed so the prefix bit can be set in [H]SRR1. This works if the instruction image can be loaded, but if the exception was caused by an ifetch, this load could fail and cause a recursive exception and crash. Machine checks caused by ifetch are not excluded from the prefix check and can crash (see issue 2108 for an example). Fix this by excluding machine checks caused by ifetch from the prefix check. Cc: qemu-stable@nongnu.org Acked-by: Cédric Le Goater <clg@kaod.org> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2108 Fixes: 55a7fa34f89 ("target/ppc: Machine check on invalid real address access on POWER9/10") Fixes: 5a5d3b23cb2 ("target/ppc: Add SRR1 prefix indication to interrupt handlers") Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
2024-02-23target/ppc: Fix lxv/stxv MSR facility checkNicholas Piggin
The move to decodetree flipped the inequality test for the VEC / VSX MSR facility check. This caused application crashes under Linux, where these facility unavailable interrupts are used for lazy-switching of VEC/VSX register sets. Getting the incorrect interrupt would result in wrong registers being loaded, potentially overwriting live values and/or exposing stale ones. Cc: qemu-stable@nongnu.org Reported-by: Joel Stanley <joel@jms.id.au> Fixes: 70426b5bb738 ("target/ppc: moved stxvx and lxvx from legacy to decodtree") Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1769 Reviewed-by: Harsh Prateek Bora <harshpb@linux.ibm.com> Tested-by: Harsh Prateek Bora <harshpb@linux.ibm.com> Reviewed-by: Cédric Le Goater <clg@kaod.org> Tested-by: Cédric Le Goater <clg@kaod.org> Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
2024-02-23target/i386: do not filter processor tracing features except on KVMPaolo Bonzini
The processor tracing features in cpu_x86_cpuid() are hardcoded to a set that should be safe on all processor that support PT virtualization. But as an additional check, x86_cpu_filter_features() also checks that the accelerator supports that safe subset, and if not it marks CPUID_7_0_EBX_INTEL_PT as unavailable. This check fails on accelerators other than KVM, but it is actually unnecessary to do it because KVM is the only accelerator that uses the safe subset. Everything else just provides nonzero values for CPUID leaf 0x14 (TCG/HVF because processor tracing is not supported; qtest because nothing is able to read CPUID anyway). Restricting the check to KVM fixes a warning with the qtest accelerator: $ qemu-system-x86_64 -display none -cpu max,mmx=off -accel qtest qemu-system-x86_64: warning: TCG doesn't support requested feature: CPUID.07H:EBX.intel-pt [bit 25] The warning also happens in the test-x86-cpuid-compat qtest. Reported-by: Peter Maydell <peter.maydell@linaro.org> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2096 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Message-ID: <20240221162910.101327-1-pbonzini@redhat.com> Fixes: d047402436 ("target/i386: Call accel-agnostic x86_cpu_get_supported_cpuid()") Reviewed-by: Thomas Huth <thuth@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
2024-02-23target/ppc/kvm: Replace variable length array in kvmppc_read_hptes()Thomas Huth
HPTES_PER_GROUP is 8 and HASH_PTE_SIZE_64 is 16, so we don't waste too many bytes by always allocating the maximum amount of bytes on the stack here to get rid of the variable length array. Suggested-by: Peter Maydell <peter.maydell@linaro.org> Message-ID: <20240221162636.173136-3-thuth@redhat.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Thomas Huth <thuth@redhat.com>
2024-02-23target/ppc/kvm: Replace variable length array in kvmppc_save_htab()Thomas Huth
To be able to compile QEMU with -Wvla (to prevent potential security issues), we need to get rid of the variable length array in the kvmppc_save_htab() function. Replace it with a heap allocation instead. Message-ID: <20240221162636.173136-2-thuth@redhat.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Thomas Huth <thuth@redhat.com>
2024-02-23target/m68k: Fix exception frame format for 68010Daniel Palmer
From the 68010 a word with the frame format and exception vector are placed on the stack before the PC and SR. M68K_FEATURE_QUAD_MULDIV is currently checked to workout if to do this or not for the configured CPU but that flag isn't set for 68010 so currently the exception stack when 68010 is configured is incorrect. It seems like checking M68K_FEATURE_MOVEFROMSR_PRIV would do but adding a new flag that shows exactly what is going on here is maybe clearer. Add a new flag for the behaviour, M68K_FEATURE_EXCEPTION_FORMAT_VEC, and set it for 68010 and above, and then use it to control if the format and vector word are pushed/pop during exception entry/exit. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2164 Signed-off-by: Daniel Palmer <daniel@0x0f.com> Message-ID: <20240115101643.2165387-1-daniel@0x0f.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>