1. 17 Jan 2020, 1 commit
  2. 16 Dec 2019, 1 commit
    • target/arm: Handle AArch32 CP15 trapping via HSTR_EL2 · 5bb0a20b
      Marc Zyngier committed
      HSTR_EL2 offers a way to trap ranges of CP15 system register
      accesses to EL2, and it looks like this register is completely
      ignored by QEMU.
      
      To avoid adding extra .accessfn filters all over the place (which
      would have a direct performance impact), let's add a new TB flag
      that gets set whenever HSTR_EL2 is non-zero and QEMU translates
      a context where this trap has a chance to apply, and only generate
      the extra access check if the hypervisor is actively using this feature.
      
      Tested with a hand-crafted KVM guest accessing CBAR.
      Signed-off-by: Marc Zyngier <maz@kernel.org>
      Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
      Message-id: 20191201122018.25808-5-maz@kernel.org
      [PMM: use is_a64(); fix comment syntax]
      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
  3. 25 Oct 2019, 2 commits
  4. 16 Aug 2019, 1 commit
  5. 31 Jul 2019, 1 commit
  6. 05 Jul 2019, 1 commit
  7. 02 Jul 2019, 3 commits
  8. 10 Jun 2019, 1 commit
  9. 11 May 2019, 1 commit
  10. 05 Mar 2019, 2 commits
  11. 21 Jan 2019, 2 commits
  12. 13 Dec 2018, 1 commit
  13. 19 Nov 2018, 1 commit
    • target/arm: fix smc incorrectly trapping to EL3 when secure is off · 7760da72
      Luc Michel committed
      This commit fixes a case where the CPU would try to go to EL3 when
      executing an smc instruction, even though ARM_FEATURE_EL3 is false. This
      case is raised when the PSCI conduit is set to smc, but the smc
      instruction does not lead to a valid PSCI call.
      
      QEMU crashes with an assertion failure later on because of an incoherent
      mmu_idx.
      
      This commit refactors the pre_smc helper by enumerating all the possible
      ways of handling an smc instruction, and covering the previously missing
      case leading to the crash.
      
      The following minimal test would crash before this commit:
      
      .global _start
          .text
      _start:
          ldr x0, =0xdeadbeef  // invalid PSCI call (AArch64 gas uses // for comments; ';' is a statement separator)
          smc #0
      
      run with the following command line:
      
      aarch64-linux-gnu-gcc -nostdinc -nostdlib -Wl,-Ttext=40000000 \
                            -o test test.s
      
      qemu-system-aarch64 -M virt,virtualization=on,secure=off \
                          -cpu cortex-a57 -kernel test
      Signed-off-by: Luc Michel <luc.michel@greensocs.com>
      Message-id: 20181117160213.18995-1-luc.michel@greensocs.com
      Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
  14. 13 Nov 2018, 1 commit
    • target/arm: Hyp mode R14 is shared with User and System · 593cfa2b
      Peter Maydell committed
      Hyp mode is an exception to the general rule that each AArch32
      mode has its own r13, r14 and SPSR -- it has a banked r13 and
      SPSR but shares its r14 with User and System mode. We were
      incorrectly implementing it as banked, which meant that on
      entry to Hyp mode r14 was 0 rather than the USR/SYS r14.
      
      We provide a new function r14_bank_number() which is like
      the existing bank_number() but provides the index into
      env->banked_r14[]; bank_number() provides the index to use
      for env->banked_r13[] and env->banked_cpsr[].
      
      All the points in the code that were using bank_number()
      to index into env->banked_r14[] are updated for consistency:
       * switch_mode() -- this is the only place where we fix
         an actual bug
       * aarch64_sync_32_to_64() and aarch64_sync_64_to_32():
         no behavioural change as we already special-cased Hyp R14
       * kvm32.c: no behavioural change since the guest can't ever
         be in Hyp mode, but conceptually the right thing to do
       * msr_banked()/mrs_banked(): we can never get to the case
         that accesses banked_r14[] with tgtmode == ARM_CPU_MODE_HYP,
         so no behavioural change
      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
      Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
      Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
      Message-id: 20181109173553.22341-2-peter.maydell@linaro.org
  15. 24 Oct 2018, 1 commit
  16. 16 Oct 2018, 1 commit
  17. 08 Oct 2018, 3 commits
  18. 20 Aug 2018, 1 commit
  19. 15 Aug 2018, 1 commit
  20. 26 Apr 2018, 1 commit
  21. 11 Apr 2018, 1 commit
    • icount: fix cpu_restore_state_from_tb for non-tb-exit cases · afd46fca
      Pavel Dovgalyuk committed
      In icount mode, instructions that access io memory spaces in the middle
      of the translation block invoke TB recompilation.  After recompilation,
      such instructions become last in the TB and are allowed to access io
      memory spaces.
      
      When the code includes an instruction like i386 'xchg eax, 0xffffd080'
      which accesses the APIC, QEMU goes into an infinite loop of recompilation.
      
      This instruction includes two memory accesses - one read and one write.
      After the first access, APIC calls cpu_report_tpr_access, which restores
      the CPU state to get the current eip.  But cpu_restore_state_from_tb
      resets the cpu->can_do_io flag which makes the second memory access invalid.
      Therefore the second memory access causes a recompilation of the block.
      Then these operations repeat again and again.
      
      This patch moves resetting cpu->can_do_io flag from
      cpu_restore_state_from_tb to cpu_loop_exit* functions.
      
      It also adds a parameter for cpu_restore_state which controls restoring
      icount.  There is no need to restore icount when we only query CPU state
      without breaking the TB.  Restoring it in such cases leads to the
      incorrect flow of the virtual time.
      
      In most cases the new parameter is true (icount should be recalculated).
      But there are two cases in i386 and openrisc where the CPU state is only
      queried without the need to break the TB.  This patch fixes both of
      these cases.
      Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@ispras.ru>
      Message-Id: <20180409091320.12504.35329.stgit@pasha-VirtualBox>
      [rth: Make can_do_io setting unconditional; move from cpu_exec;
      make cpu_loop_exit_{noexc,restore} call cpu_loop_exit.]
      Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
  22. 24 Mar 2018, 4 commits
    • target/arm: Always set FAR to a known unknown value for debug exceptions · 548f514c
      Peter Maydell committed
      For debug exceptions due to breakpoints or the BKPT instruction which
      are taken to AArch32, the Fault Address Register is architecturally
      UNKNOWN.  We were using that as license to simply not set
      env->exception.vaddress, but this isn't correct, because it will
      expose to the guest whatever old value was in that field when
      arm_cpu_do_interrupt_aarch32() writes it to the guest IFSR.  That old
      value might be a FAR for a previous guest EL2 or secure exception, in
      which case we shouldn't show it to an EL1 or non-secure exception
      handler. It might also be a non-deterministic value, which is bad
      for record-and-replay.
      
      Clear env->exception.vaddress before taking breakpoint debug
      exceptions, to avoid this minor information leak.
      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
      Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
      Message-id: 20180320134114.30418-5-peter.maydell@linaro.org
    • target/arm: Set FSR for BKPT, BRK when raising exception · 62b94f31
      Peter Maydell committed
      Now that we have a helper function specifically for the BRK and
      BKPT instructions, we can set the exception.fsr there rather
      than in arm_cpu_do_interrupt_aarch32(). This allows us to
      use our new arm_debug_exception_fsr() helper.
      
      In particular this fixes a bug where we were hardcoding the
      short-form IFSR value, which is wrong if the target exception
      level has LPAE enabled.
      
      Fixes: https://bugs.launchpad.net/qemu/+bug/1756927
      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
      Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
      Message-id: 20180320134114.30418-4-peter.maydell@linaro.org
    • target/arm: Factor out code to calculate FSR for debug exceptions · 81621d9a
      Peter Maydell committed
      When a debug exception is taken to AArch32, it appears as a Prefetch
      Abort, and the Instruction Fault Status Register (IFSR) must be set.
      The IFSR has two possible formats, depending on whether LPAE is in
      use. Factor out the code in arm_debug_excp_handler() which picks
      an FSR value into its own utility function, update it to use
      arm_fi_to_lfsc() and arm_fi_to_sfsc() rather than hard-coded constants,
      and use the correct condition to select long or short format.
      
      In particular this fixes a bug where we could select the short
      format because we're at EL0 and the EL1 translation regime is
      not using LPAE, but then route the debug exception to EL2 because
      of MDCR_EL2.TDE and hand EL2 the wrong format FSR.
      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
      Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
      Message-id: 20180320134114.30418-3-peter.maydell@linaro.org
    • target/arm: Honour MDCR_EL2.TDE when routing exceptions due to BKPT/BRK · c900a2e6
      Peter Maydell committed
      The MDCR_EL2.TDE bit allows the exception level targeted by debug
      exceptions to be set to EL2 for code executing at EL0.  We handle
      this in the arm_debug_target_el() function, but this is only used for
      hardware breakpoint and watchpoint exceptions, not for the exception
      generated when the guest executes an AArch32 BKPT or AArch64 BRK
      instruction.  We don't have enough information for a translate-time
      equivalent of arm_debug_target_el(), so instead make BKPT and BRK
      call a special purpose helper which can do the routing, rather than
      the generic exception_with_syndrome helper.
      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
      Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
      Message-id: 20180320134114.30418-2-peter.maydell@linaro.org
  23. 25 Jan 2018, 2 commits
  24. 16 Jan 2018, 1 commit
    • target/arm: Handle page table walk load failures correctly · 3b39d734
      Peter Maydell committed
      Instead of ignoring the response from address_space_ld*()
      (indicating an attempt to read a page table descriptor from
      an invalid physical address), use it to report the failure
      correctly.
      
      Since this is another couple of locations where we need to
      decide the value of the ARMMMUFaultInfo ea bit based on a
      MemTxResult, we factor out that operation into a helper
      function.
      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
  25. 28 Dec 2017, 1 commit
  26. 14 Dec 2017, 2 commits
  27. 31 Oct 2017, 1 commit
  28. 25 Oct 2017, 1 commit