aboutsummaryrefslogtreecommitdiff
path: root/hw/intc
AgeCommit message (Collapse)AuthorFilesLines
2022-03-14ppc/xive2: Make type Xive2EndSource not user creatableCédric Le Goater1-0/+1
Xive2EndSource objects can only be instantiated through a Xive2Router (PnvXive2). Reported-by: Thomas Huth <thuth@redhat.com> Fixes: f8a233dedf25 ("ppc/xive2: Introduce a XIVE2 core framework") Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Signed-off-by: Cédric Le Goater <clg@kaod.org>
2022-03-07hw/intc/arm_gicv3_cpuif: Fix register names in ICV_HPPIR read trace eventPeter Maydell1-1/+2
The trace_gicv3_icv_hppir_read trace event takes an integer value which it uses to form the register name, which should be either ICV_HPPIR0 or ICV_HPPIR1. We were passing in the 'grp' variable for this, but that is either GICV3_G0 or GICV3_G1NS, which happen to be 0 and 2, which meant that tracing for the ICV_HPPIR1 register was incorrectly printed as ICV_HPPIR2. Use the same approach we do for all the other similar trace events, and pass in 'ri->crm == 8 ? 0 : 1', deriving the index value directly from the ARMCPRegInfo struct. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20220303202341.2232284-6-peter.maydell@linaro.org
2022-03-07hw/intc/arm_gicv3: Fix missing spaces in error log messagesPeter Maydell2-4/+4
We forgot a space in some log messages, so the output ended up looking like gicv3_dist_write: invalid guest write at offset 0000000000008000size 8 with a missing space before "size". Add the missing spaces. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20220303202341.2232284-5-peter.maydell@linaro.org
2022-03-07hw/intc/arm_gicv3: Specify valid and impl in MemoryRegionOpsPeter Maydell1-0/+8
The GICv3 has some registers that support byte accesses, and some that support 8-byte accesses. Our TCG implementation implements all of this, switching on the 'size' argument and handling the registers that must support reads of that size while logging an error for attempted accesses to registers that do not support that size access. However we forgot to tell the core memory subsystem about this by specifying the .impl and .valid fields in the MemoryRegionOps struct, so the core was happily simulating 8 byte accesses by combining two 4 byte accesses. This doesn't have much guest-visible effect, since there aren't many 8 byte registers and they all support being written in two 4 byte parts. Set the .impl and .valid fields to say that all sizes from 1 to 8 bytes are both valid and implemented by the device. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20220303202341.2232284-4-peter.maydell@linaro.org
2022-03-07hw/intc/arm_gicv3_its: Add trace events for table reads and writesPeter Maydell2-6/+40
For debugging guest use of the ITS, it can be helpful to trace when the ITS reads and writes the in-memory tables. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20220303202341.2232284-3-peter.maydell@linaro.org
2022-03-07hw/intc/arm_gicv3_its: Add trace events for commandsPeter Maydell2-2/+38
When debugging code that's using the ITS, it's helpful to see tracing of the ITS commands that the guest executes. Add suitable trace events. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20220303202341.2232284-2-peter.maydell@linaro.org
2022-03-03hw/intc: Add RISC-V AIA IMSIC device emulationAnup Patel3-0/+452
The RISC-V AIA (Advanced Interrupt Architecture) defines a new interrupt controller for MSIs (message signal interrupts) called IMSIC (Incoming Message Signal Interrupt Controller). The IMSIC is per-HART device and also suppport virtualizaiton of MSIs using dedicated VS-level guest interrupt files. This patch adds device emulation for RISC-V AIA IMSIC which supports M-level, S-level, and VS-level MSIs. Signed-off-by: Anup Patel <anup.patel@wdc.com> Signed-off-by: Anup Patel <anup@brainfault.org> Reviewed-by: Frank Chang <frank.chang@sifive.com> Message-Id: <20220220085526.808674-3-anup@brainfault.org> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
2022-03-02pnv/xive2: Add support for 8bits thread idCédric Le Goater2-1/+7
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com> Signed-off-by: Cédric Le Goater <clg@kaod.org>
2022-03-02pnv/xive2: Add support for automatic save&restoreCédric Le Goater3-6/+141
The XIVE interrupt controller on P10 can automatically save and restore the state of the interrupt registers under the internal NVP structure representing the VCPU. This saves a costly store/load in guest entries and exits. Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com> Signed-off-by: Cédric Le Goater <clg@kaod.org>
2022-03-02xive2: Add a get_config() handler for the router configurationCédric Le Goater2-0/+20
Add GEN1 config even if we don't use it yet in the core framework. Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com> Signed-off-by: Cédric Le Goater <clg@kaod.org>
2022-03-02pnv/xive2: Add support XIVE2 P9-compat mode (or Gen1)Cédric Le Goater2-5/+23
The thread interrupt management area (TIMA) is a set of pages mapped in the Hypervisor and in the guest OS address space giving access to the interrupt thread context registers for interrupt management, ACK, EOI, CPPR, etc. XIVE2 changes slightly the TIMA layout with extra bits for the new features, larger CAM lines and the controller provides configuration switches for backward compatibility. This is called the XIVE2 P9-compat mode, of Gen1 TIMA. It impacts the layout of the TIMA and the availability of the internal features associated with it, Automatic Save & Restore for instance. Using a P9 layout also means setting the controller in such a mode at init time. As the OPAL driver initializes the XIVE2 controller with a XIVE2/P10 TIMA directly, the XIVE2 model only has a simple support for the compat mode in the OS TIMA. Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com> Signed-off-by: Cédric Le Goater <clg@kaod.org>
2022-03-02ppc/pnv: add XIVE Gen2 TIMA supportCédric Le Goater2-2/+120
Only the CAM line updates done by the hypervisor are specific to POWER10. Instead of duplicating the TM ops table, we handle these commands locally under the PowerNV XIVE2 model. Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com> Signed-off-by: Cédric Le Goater <clg@kaod.org>
2022-03-02pnv/xive2: Introduce new capability bitsCédric Le Goater2-2/+7
These bits control the availability of interrupt features : StoreEOI, PHB PQ_disable, PHB Address-Based Trigger and the overall XIVE exploitation mode. These bits can be set at early boot time of the system to activate/deactivate a feature for testing purposes. The default value should be '1'. The 'XIVE exploitation mode' bit is a software bit that skiboot could use to disable the XIVE OS interface and propose a P8 style XICS interface instead. There are no plans for that for the moment. Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com> Signed-off-by: Cédric Le Goater <clg@kaod.org>
2022-03-02ppc/pnv: Add support for PQ offload on PHB5Cédric Le Goater1-1/+21
The PQ_disable configuration bit disables the check done on the PQ state bits when processing new MSI interrupts. When bit 9 is enabled, the PHB forwards any MSI trigger to the XIVE interrupt controller without checking the PQ state bits. The XIVE IC knows from the trigger message that the PQ bits have not been checked and performs the check locally. This configuration bit only applies to MSIs and LSIs are still checked on the PHB to handle the assertion level. PQ_disable enablement is a requirement for StoreEOI. Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com> Signed-off-by: Cédric Le Goater <clg@kaod.org>
2022-03-02ppc/xive: Add support for PQ state bits offloadCédric Le Goater5-14/+175
The trigger message coming from a HW source contains a special bit informing the XIVE interrupt controller that the PQ bits have been checked at the source or not. Depending on the value, the IC can perform the check and the state transition locally using its own PQ state bits. The following changes add new accessors to the XiveRouter required to query and update the PQ state bits. This only applies to the PowerNV machine. sPAPR accessors are provided but the pSeries machine should not be concerned by such complex configuration for the moment. Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com> Signed-off-by: Cédric Le Goater <clg@kaod.org>
2022-03-02ppc/xive2: Add support for notification injection on ESB pagesCédric Le Goater2-0/+19
This is an internal offset used to inject triggers when the PQ state bits are not controlled locally. Such as for LSIs when the PHB5 are using the Address-Based Interrupt Trigger mode and on the END. Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com> Signed-off-by: Cédric Le Goater <clg@kaod.org>
2022-03-02ppc/pnv: Add a XIVE2 controller to the POWER10 chipCédric Le Goater3-1/+2457
The XIVE2 interrupt controller of the POWER10 processor follows the same logic than on POWER9 but the HW interface has been largely reviewed. It has a new register interface, different BARs, extra VSDs, new layout for the XIVE2 structures, and a set of new features which are described below. This is a model of the POWER10 XIVE2 interrupt controller for the PowerNV machine. It focuses primarily on the needs of the skiboot firmware but some initial hypervisor support is implemented for KVM use (escalation). Support for new features will be implemented in time and will require new support from the OS. * XIVE2 BARS The interrupt controller BARs have a different layout outlined below. Each sub-engine has now own its range and the indirect TIMA access was replaced with a set of pages, one per CPU, under the IC BAR: - IC BAR (Interrupt Controller) . 4 pages, one per sub-engine . 128 indirect TIMA pages - TM BAR (Thread Interrupt Management Area) . 4 pages - ESB BAR (ESB pages for IPIs) . up to 1TB - END BAR (ESB pages for ENDs) . up to 2TB - NVC BAR (Notification Virtual Crowd) . up to 128 - NVPG BAR (Notification Virtual Process and Group) . up to 1TB - Direct mapped Thread Context Area (reads & writes) OPAL does not use the grouping and crowd capability. * Virtual Structure Tables XIVE2 adds new tables types and also changes the field layout of the END and NVP Virtualization Structure Descriptors. - EAS - END new layout - NVT was splitted in : . NVP (Processor), 32B . NVG (Group), 32B . NVC (Crowd == P9 block group) 32B - IC for remote configuration - SYNC for cache injection - ERQ for event input queue The setup is slighly different on XIVE2 because the indexing has changed for some of the tables, block ID or the chip topology ID can be used. * XIVE2 features SCOM and MMIO registers have a new layout and XIVE2 adds a new global capability and configuration registers. The lowlevel hardware offers a set of new features among which : - a configurable number of priorities : 1 - 8 - StoreEOI with load-after-store ordering is activated by default - Gen2 TIMA layout - A P9-compat mode, or Gen1, TIMA toggle bit for SW compatibility - increase to 24bit for VP number Other features will have some impact on the Hypervisor and guest OS when activated, but this is not required for initial support of the controller. Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com> Signed-off-by: Cédric Le Goater <clg@kaod.org>
2022-03-02ppc/xive2: Introduce a presenter matching routineCédric Le Goater1-0/+82
The VP space is larger in XIVE2 (P10), 24 bits instead of 19bits on XIVE (P9), and the CAM line can use a 7bits or 8bits thread id. For now, we only use 7bits thread ids, same as P9, but because of the change of the size of the VP space, the CAM matching routine is different between P9 and P10. It is easier to duplicate the whole routine than to add extra handlers in xive_presenter_tctx_match() used for P9. We might come with a better solution later on, after we have added some more support for the XIVE2 controller. Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com> Signed-off-by: Cédric Le Goater <clg@kaod.org>
2022-03-02ppc/xive2: Introduce a XIVE2 core frameworkCédric Le Goater2-1/+668
The XIVE2 interrupt controller of the POWER10 processor as the same logic as on POWER9 but its SW interface has been largely reworked. The interrupt controller has a new register interface, different BARs, extra VSDs. These will be described when we add the device model for the baremetal machine. The XIVE internal structures for the EAS, END, NVT have different layouts which is a problem for the current core XIVE framework. To avoid adding too much complexity in the XIVE models, a new XIVE2 core framework is introduced. It duplicates the models which are closely linked to the XIVE internal structures : Xive2Router and Xive2ENDSource and reuses the XiveSource, XivePresenter, XiveTCTX models, as they are more generic. Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com> Signed-off-by: Cédric Le Goater <clg@kaod.org>
2022-02-21Mark remaining global TypeInfo instances as constBernhard Beschow2-2/+2
More than 1k of TypeInfo instances are already marked as const. Mark the remaining ones, too. This commit was created with: git grep -z -l 'static TypeInfo' -- '*.c' | \ xargs -0 sed -i 's/static TypeInfo/static const TypeInfo/' Signed-off-by: Bernhard Beschow <shentey@gmail.com> Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Cédric Le Goater <clg@kaod.org> Reviewed-by: Igor Mammedov <imammedo@redhat.com> Acked-by: Corey Minyard <cminyard@mvista.com> Message-id: 20220117145805.173070-2-shentey@gmail.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2022-02-16hw/intc: Add RISC-V AIA APLIC device emulationAnup Patel3-0/+982
The RISC-V AIA (Advanced Interrupt Architecture) defines a new interrupt controller for wired interrupts called APLIC (Advanced Platform Level Interrupt Controller). The APLIC is capabable of forwarding wired interupts to RISC-V HARTs directly or as MSIs (Message Signaled Interupts). This patch adds device emulation for RISC-V AIA APLIC. Signed-off-by: Anup Patel <anup.patel@wdc.com> Signed-off-by: Anup Patel <anup@brainfault.org> Reviewed-by: Frank Chang <frank.chang@sifive.com> Message-id: 20220204174700.534953-19-anup@brainfault.org Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
2022-02-08hw/intc/arm_gicv3_its: Split error checksPeter Maydell1-21/+31
In most of the ITS command processing, we check different error possibilities one at a time and log them appropriately. In process_mapti() and process_mapd() we have code which checks multiple error cases at once, which means the logging is less specific than it could be. Split those cases up. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20220201193207.2771604-14-peter.maydell@linaro.org
2022-02-08hw/intc/arm_gicv3_its: Don't allow intid 1023 in MAPI/MAPTIPeter Maydell1-2/+1
When handling MAPI/MAPTI, we allow the supplied interrupt ID to be either 1023 or something in the valid LPI range. This is a mistake: only a real valid LPI is allowed. (The general behaviour of the ITS is that most interrupt ID fields require a value in the LPI range; the exception is that fields specifying a doorbell value, which are all in GICv4 commands, allow also 1023 to mean "no doorbell".) Remove the condition that incorrectly allows 1023 here. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20220201193207.2771604-13-peter.maydell@linaro.org
2022-02-08hw/intc/arm_gicv3_its: In MAPC with V=0, don't check rdbase fieldPeter Maydell1-12/+12
In the MAPC command, if V=0 this is a request to delete a collection table entry and the rdbase field of the command packet will not be used. In particular, the specification says that the "UNPREDICTABLE if rdbase is not valid" only applies for V=1. We were doing a check-and-log-guest-error on rdbase regardless of whether the V bit was set, and also (harmlessly but confusingly) storing the contents of the rdbase field into the updated collection table entry. Update the code so that if V=0 we don't check or use the rdbase field value. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20220201193207.2771604-12-peter.maydell@linaro.org
2022-02-08hw/intc/arm_gicv3_its: Drop TableDesc and CmdQDesc valid fieldsPeter Maydell1-17/+14
Currently we track in the TableDesc and CmdQDesc structs the state of the GITS_BASER<n> and GITS_CBASER Valid bits. However we aren't very consistent abut checking the valid field: we test it in update_cte() and update_dte(), but not anywhere else we look things up in tables. The GIC specification says that it is UNPREDICTABLE if a guest fails to set any of these Valid bits before enabling the ITS via GITS_CTLR.Enabled. So we can choose to handle Valid == 0 as equivalent to a zero-length table. This is in fact how we're already catching this case in most of the table-access paths: when Valid is 0 we leave the num_entries fields in TableDesc or CmdQDesc set to zero, and then the out-of-bounds check "index >= num_entries" that we have to do anyway before doing any of these table lookups will always be true, catching the no-valid-table case without any extra code. So we can remove the checks on the valid field from update_cte() and update_dte(): since these happen after the bounds check there was never any case when the test could fail. That means the valid fields would be entirely unused, so just remove them. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20220201193207.2771604-11-peter.maydell@linaro.org
2022-02-08hw/intc/arm_gicv3_its: Make update_ite() use ITEntryPeter Maydell1-30/+32
Make the update_ite() struct use the new ITEntry struct, so that callers don't need to assemble the in-memory ITE data themselves, and only get_ite() and update_ite() need to care about that in-memory layout. We can then drop the no-longer-used IteEntry struct definition. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20220201193207.2771604-10-peter.maydell@linaro.org
2022-02-08hw/intc/arm_gicv3_its: Pass ITE values back from get_ite() via a structPeter Maydell1-47/+55
In get_ite() we currently return the caller some of the fields of an Interrupt Table Entry via a set of pointer arguments, and validate some of them internally (interrupt type and valid bit) to return a simple true/false 'valid' indication. Define a new ITEntry struct which has all the fields that the in-memory ITE has, and bring the get_ite() function in to line with get_dte() and get_cte(). This paves the way for handling virtual interrupts, which will want a different subset of the fields in the ITE. Handling them under the old "lots of pointer arguments" scheme would have meant a confusingly large set of arguments for this function. The new struct ITEntry is obviously confusably similar to the existing IteEntry struct, whose fields are the raw 12 bytes of the in-memory ITE. In the next commit we will make update_ite() use ITEntry instead of IteEntry, which will allow us to delete the IteEntry struct and remove the confusion. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20220201193207.2771604-9-peter.maydell@linaro.org
2022-02-08hw/intc/arm_gicv3_its: Avoid nested ifs in get_ite()Peter Maydell1-13/+15
The get_ite() code has some awkward nested if statements; clean them up by returning early if the memory accesses fail. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20220201193207.2771604-8-peter.maydell@linaro.org
2022-02-08hw/intc/arm_gicv3_its: Fix address calculation in get_ite() and update_ite()Peter Maydell2-26/+21
In get_ite() and update_ite() we work with a 12-byte in-guest-memory table entry, which we intend to handle as an 8-byte value followed by a 4-byte value. Unfortunately the calculation of the address of the 4-byte value is wrong, because we write it as: table_base_address + (index * entrysize) + 4 (obfuscated by the way the expression has been written) when it should be + 8. This bug meant that we overwrote the top bytes of the 8-byte value with the 4-byte value. There are no guest-visible effects because the top half of the 8-byte value contains only the doorbell interrupt field, which is used only in GICv4, and the two bugs in the "write ITE" and "read ITE" codepaths cancel each other out. We can't simply change the calculation, because this would break migration of a (TCG) guest from the old version of QEMU which had in-guest-memory interrupt tables written using the buggy version of update_ite(). We must also at the same time change the layout of the fields within the ITE_L and ITE_H values so that the in-memory locations of the fields we care about (VALID, INTTYPE, INTID and ICID) stay the same. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20220201193207.2771604-7-peter.maydell@linaro.org
2022-02-08hw/intc/arm_gicv3_its: Pass CTEntry to update_cte()Peter Maydell1-15/+17
Make update_cte() take a CTEntry struct rather than all the fields of the new CTE as separate arguments. This brings it into line with the update_dte() API. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20220201193207.2771604-6-peter.maydell@linaro.org
2022-02-08hw/intc/arm_gicv3_its: Keep CTEs as a struct, not a raw uint64_tPeter Maydell1-44/+52
In the ITS, a CTE is an entry in the collection table, which contains multiple fields. Currently the function get_cte() which reads one entry from the device table returns a success/failure boolean and passes back the raw 64-bit integer CTE value via a pointer argument. We then extract fields from the CTE as we need them. Create a real C struct with the same fields as the CTE, and populate it in get_cte(), so that that function and update_cte() are the only ones which need to care about the in-guest-memory format of the CTE. This brings get_cte()'s API into line with get_dte(). Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20220201193207.2771604-5-peter.maydell@linaro.org
2022-02-08hw/intc/arm_gicv3_its: Pass DTEntry to update_dte()Peter Maydell1-17/+18
Make update_dte() take a DTEntry struct rather than all the fields of the new DTE as separate arguments. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20220201193207.2771604-4-peter.maydell@linaro.org
2022-02-08hw/intc/arm_gicv3_its: Keep DTEs as a struct, not a raw uint64_tPeter Maydell1-55/+56
In the ITS, a DTE is an entry in the device table, which contains multiple fields. Currently the function get_dte() which reads one entry from the device table returns it as a raw 64-bit integer, which we then pass around in that form, only extracting fields from it as we need them. Create a real C struct with the same fields as the DTE, and populate it in get_dte(), so that that function and update_dte() are the only ones that need to care about the in-guest-memory format of the DTE. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20220201193207.2771604-3-peter.maydell@linaro.org
2022-02-08hw/intc/arm_gicv3_its: Use address_space_map() to access command queue packetsPeter Maydell2-149/+61
Currently the ITS accesses each 8-byte doubleword in a 4-doubleword command packet with a separate address_space_ldq_le() call. This is awkward because the individual command processing functions have ended up with code to handle "load more doublewords out of the packet", which is both unwieldy and also a potential source of bugs because it's not obvious when looking at a line that pulls a field out of the 'value' variable which of the 4 doublewords that variable currently holds. Switch to using address_space_map() to map the whole command packet at once and fish the four doublewords out of it. Then each process_* function can start with a few lines of code that extract the fields it cares about. This requires us to split out the guts of process_its_cmd() into a new do_process_its_cmd(), because we were previously overloading the value and offset arguments as a backdoor way to directly pass the devid and eventid from a write to GITS_TRANSLATER. The new do_process_its_cmd() takes those arguments directly, and process_its_cmd() is just a wrapper that does the "read fields from command packet" part. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20220201193207.2771604-2-peter.maydell@linaro.org
2022-01-31Merge remote-tracking branch 'remotes/legoater/tags/pull-ppc-20220130' into ↵Peter Maydell1-4/+18
staging ppc 7.0 queue: * Exception and TLB fixes for the 405 CPU (Fabiano and Cedric) * spapr fixes (Alexey and Daniel) * PowerNV PHB3/4 fixes (Frederic and Daniel) * PowerNV XIVE improvements (Cedric) * 603 CPUs fixes (Christophe) * Book-E exception fixes (Vitaly) * Misc compile issues (Philippe and Fabiano) * Exception model rework for the BookS CPUs (Fabiano) * Exception model rework for the 74xx CPUs (Fabiano) * Removal of 602 CPUs # gpg: Signature made Sun 30 Jan 2022 17:42:23 GMT # gpg: using RSA key A0F66548F04895EBFE6B0B6051A343C7CFFBECA1 # gpg: Good signature from "Cédric Le Goater <clg@kaod.org>" [undefined] # gpg: WARNING: This key is not certified with a trusted signature! # gpg: There is no indication that the signature belongs to the owner. # Primary key fingerprint: A0F6 6548 F048 95EB FE6B 0B60 51A3 43C7 CFFB ECA1 * remotes/legoater/tags/pull-ppc-20220130: (41 commits) target/ppc: Remove support for the PowerPC 602 CPU target/ppc: 74xx: Set SRRs directly in exception code target/ppc: 74xx: System Reset interrupt cleanup target/ppc: 74xx: System Call exception cleanup target/ppc: 74xx: Program exception cleanup target/ppc: 74xx: External interrupt cleanup target/ppc: 74xx: Machine Check exception cleanup target/ppc: Simplify powerpc_excp_74xx target/ppc: Introduce powerpc_excp_74xx target/ppc: books: Program exception cleanup target/ppc: books: External interrupt cleanup target/ppc: books: Machine Check exception cleanup target/ppc: Simplify powerpc_excp_books target/ppc: Introduce powerpc_excp_books target/ppc: 405: Watchdog timer exception cleanup target/ppc: 405: Program exception cleanup target/ppc: 405: Instruction storage interrupt cleanup target/ppc: 405: Data Storage exception cleanup target/ppc: 405: Debug exception cleanup target/ppc: 405: Alignment exception cleanup ... Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2022-01-28Merge remote-tracking branch ↵Peter Maydell6-26/+408
'remotes/pmaydell/tags/pull-target-arm-20220128' into staging target-arm queue: * Update copyright dates to 2022 * hw/armv7m: Fix broken VMStateDescription * hw/char/exynos4210_uart: Fix crash on trying to load VM state * rtc: Move RTC function prototypes to their own header * xlnx-versal-virt: Support PMC SLCR * xlnx-versal-virt: Support OSPI flash memory controller * scripts: Explain the difference between linux-headers and standard-headers * target/arm: Log CPU index in 'Taking exception' log * arm_gicv3_its: Various bugfixes and cleanups * arm_gicv3_its: Implement the missing MOVI and MOVALL commands * ast2600: Fix address mapping of second SPI controller * target/arm: Use correct entrypoint for SVC taken from Hyp to Hyp # gpg: Signature made Fri 28 Jan 2022 15:29:36 GMT # gpg: using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE # gpg: issuer "peter.maydell@linaro.org" # gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" [ultimate] # gpg: aka "Peter Maydell <pmaydell@gmail.com>" [ultimate] # gpg: aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" [ultimate] # Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83 15CF 3C25 25ED 1436 0CDE * remotes/pmaydell/tags/pull-target-arm-20220128: (32 commits) target/arm: Use correct entrypoint for SVC taken from Hyp to Hyp hw/arm: ast2600: Fix address mapping of second SPI controller hw/intc/arm_gicv3_its: Implement MOVI hw/intc/arm_gicv3_its: Implement MOVALL hw/intc/arm_gicv3_its: Check table bounds against correct limit hw/intc/arm_gicv3_its: Make GITS_BASER<n> RAZ/WI for unimplemented registers hw/intc/arm_gicv3_its: Provide read accessor for translation_ops hw/intc/arm_gicv3: Set GICR_CTLR.CES if LPIs are supported hw/intc/arm_gicv3_redist: Remove unnecessary zero checks hw/intc/arm_gicv3_its: Sort ITS command list into numeric order hw/intc/arm_gicv3: Honour GICD_CTLR.EnableGrp1NS for LPIs hw/intc/arm_gicv3_its: Don't clear GITS_CWRITER on writes to GITS_CBASER hw/intc/arm_gicv3_its: Don't clear GITS_CREADR when GITS_CTLR.ENABLED is set hw/intc/arm_gicv3: Initialise dma_as in GIC, not ITS hw/intc/arm_gicv3_its: Add tracepoints target/arm: Log CPU index in 'Taking exception' log scripts: Explain the difference between linux-headers and standard-headers MAINTAINERS: Remove myself (for raspi). MAINTAINERS: Add an entry for Xilinx Versal OSPI hw/arm/xlnx-versal-virt: Connect mt35xu01g flashes to the OSPI ... Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2022-01-28hw/intc/arm_gicv3_its: Implement MOVIPeter Maydell3-0/+215
Implement the ITS MOVI command. This command specifies a (physical) LPI by DeviceID and EventID and provides a new ICID for it. The ITS must find the interrupt translation table entry for the LPI, which will tell it the old ICID. It then moves the pending state of the LPI from the old redistributor to the new one and updates the ICID field in the translation table entry. This is another GICv3 ITS command that we forgot to implement. Linux does use this one, but only if the guest powers off one of its CPUs. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20220122182444.724087-15-peter.maydell@linaro.org
2022-01-28hw/intc/arm_gicv3_its: Implement MOVALLPeter Maydell3-0/+125
Implement the ITS MOVALL command, which takes all the pending interrupts on a source redistributor and makes the not-pending on that source redistributor and pending on a destination redistributor. This is a GICv3 ITS command which we forgot to implement. (It is not used by Linux guests.) Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20220122182444.724087-14-peter.maydell@linaro.org
2022-01-28hw/intc/arm_gicv3_its: Check table bounds against correct limitPeter Maydell1-9/+9
Currently when we fill in a TableDesc based on the value the guest has written to the GITS_BASER<n> register, we calculate both: * num_entries : the number of entries in the table, constrained by the amount of memory the guest has given it * num_ids : the number of IDs we support for this table, constrained by the implementation choices and the architecture (eg DeviceIDs are 16 bits, so num_ids is 1 << 16) When validating ITS commands, however, we check only num_ids, thus allowing a broken guest to specify table entries that index off the end of it. This will only corrupt guest memory, but the ITS is supposed to reject such commands as invalid. Instead of calculating both num_entries and num_ids, set num_entries to the minimum of the two limits, and check that. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20220122182444.724087-13-peter.maydell@linaro.org
2022-01-28hw/intc/arm_gicv3_its: Make GITS_BASER<n> RAZ/WI for unimplemented registersPeter Maydell1-0/+8
The ITS has a bank of 8 GITS_BASER<n> registers, which allow the guest to specify the base address of various data tables. Each register has a read-only type field indicating which table it is for and a read-write field where the guest can write in the base address (among other things). We currently allow the guest to write the writeable fields for all eight registers, even if the type field is 0 indicating "Unimplemented". This means the guest can provoke QEMU into asserting by writing an address into one of these unimplemented base registers, which bypasses the "if (!value) continue" check in extract_table_params() and lets us hit the assertion that the type field is one of the permitted table types. Prevent the assertion by not allowing the guest to write to the unimplemented base registers. This means their value will remain 0 and extract_table_params() will ignore them. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20220122182444.724087-12-peter.maydell@linaro.org
2022-01-28hw/intc/arm_gicv3_its: Provide read accessor for translation_opsPeter Maydell1-0/+13
The MemoryRegionOps gicv3_its_translation_ops currently provides only a .write_with_attrs function, because the only register in this region is the write-only GITS_TRANSLATER. However, if you don't provide a read function and the guest tries reading from this memory region, QEMU will crash because memory_region_read_with_attrs_accessor() calls a NULL pointer. Add a read function which always returns 0, to cover both bogus attempts to read GITS_TRANSLATER and also reads from the rest of the region, which is documented to be reserved, RES0. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20220122182444.724087-11-peter.maydell@linaro.org
2022-01-28hw/intc/arm_gicv3: Set GICR_CTLR.CES if LPIs are supportedPeter Maydell2-0/+5
The GICR_CTLR.CES bit is a read-only bit which is set to 1 to indicate that the GICR_CTLR.EnableLPIs bit can be written to 0 to disable LPIs (as opposed to allowing LPIs to be enabled but not subsequently disabled). Our implementation permits this, so advertise it by setting CES to 1. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20220122182444.724087-10-peter.maydell@linaro.org
2022-01-28hw/intc/arm_gicv3_redist: Remove unnecessary zero checksPeter Maydell1-5/+3
The ITS-related parts of the redistributor code make some checks for whether registers like GICR_PROPBASER and GICR_PENDBASER are zero. There is no requirement in the specification for treating zeroes in these address registers specially -- they contain guest physical addresses and it is entirely valid (if unusual) for the guest to choose to put the tables they address at guest physical address zero. We use these values only to calculate guest addresses, and attempts by the guest to use a bad address will be handled by the address_space_* functions which we use to do the loads and stores. Remove the unnecessary checks. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20220122182444.724087-9-peter.maydell@linaro.org
2022-01-28hw/intc/arm_gicv3_its: Sort ITS command list into numeric orderPeter Maydell1-5/+5
The list of #defines for the ITS command packet numbers is neither in alphabetical nor numeric order. Sort it into numeric order. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20220122182444.724087-8-peter.maydell@linaro.org
2022-01-28hw/intc/arm_gicv3: Honour GICD_CTLR.EnableGrp1NS for LPIsPeter Maydell1-0/+1
The GICD_CTLR distributor register has enable bits which control whether the different interrupt groups (Group 0, Non-secure Group 1 and Secure Group 1) are forwarded to the CPU. We get this right for traditional interrupts, but forgot to account for it when adding LPIs. LPIs are always Group 1 NS and if the EnableGrp1NS bit is not set we must not forward them to the CPU. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20220122182444.724087-7-peter.maydell@linaro.org
2022-01-28hw/intc/arm_gicv3_its: Don't clear GITS_CWRITER on writes to GITS_CBASERPeter Maydell1-3/+0
The ITS specification says that when the guest writes to GITS_CBASER this causes GITS_CREADR to be cleared. However it does not have an equivalent clause for GITS_CWRITER. (This is because GITS_CREADR is read-only, but GITS_CWRITER is writable and the guest can initialize it.) Remove the code that clears GITS_CWRITER on GITS_CBASER writes. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20220122182444.724087-6-peter.maydell@linaro.org
2022-01-28hw/intc/arm_gicv3_its: Don't clear GITS_CREADR when GITS_CTLR.ENABLED is setPeter Maydell1-1/+0
The current ITS code clears GITS_CREADR when GITS_CTLR.ENABLED is set. This is not correct -- guest code can validly clear ENABLED and then set it again and expect the ITS to continue processing where it left off. Remove the erroneous assignment. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20220122182444.724087-5-peter.maydell@linaro.org
2022-01-28hw/intc/arm_gicv3: Initialise dma_as in GIC, not ITSPeter Maydell2-3/+5
In our implementation, all ITSes connected to a GIC share a single AddressSpace, which we keep in the GICv3State::dma_as field and initialized based on the GIC's 'sysmem' property. The right place to set it up by calling address_space_init() is therefore in the GIC's realize method, not the ITS's realize. This fixes a theoretical bug where QEMU hangs on startup if the board model creates two ITSes connected to the same GIC -- we would call address_space_init() twice on the same AddressSpace*, which creates an infinite loop in the QTAILQ that softmmu/memory.c uses to store its list of AddressSpaces and causes any subsequent attempt to iterate through that list to loop forever. There aren't any board models like that in the tree at the moment, though. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20220122182444.724087-4-peter.maydell@linaro.org
2022-01-28hw/intc/arm_gicv3_its: Add tracepointsPeter Maydell2-0/+19
The ITS currently has no tracepoints; add a minimal set that allows basic monitoring of guest register accesses and reading of commands from the command queue. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Message-id: 20220122182444.724087-3-peter.maydell@linaro.org
2022-01-28ppc/xive: check return value of ldq_be_dma()Cédric Le Goater1-4/+18
The ldq_be_dma() routine was recently changed to return a result of the transaction. Use it when loading the virtual structure descriptors in the XIVE PowerNV model. Cc: Philippe Mathieu-Daudé <f4bug@amsat.org> Signed-off-by: Cédric Le Goater <clg@kaod.org> Message-Id: <20220124081635.3672439-1-clg@kaod.org> Signed-off-by: Cédric Le Goater <clg@kaod.org>