From ce50ba6d07c81c74dffe32ed83a5417a7d2640b3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9mi=20Denis-Courmont?=
Date: Thu, 4 Mar 2021 14:20:45 -0500
Subject: [PATCH] target/arm: handle VMID change in secure state

The VTTBR write callback so far assumes that the underlying VM lies in non-secure state. This handles the secure state scenario. backports c4f060e89effd70ebdb23d3315495d33af377a09
---
 qemu/target/arm/helper.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/qemu/target/arm/helper.c b/qemu/target/arm/helper.c
index eeba448b..2ce0f935 100644
--- a/qemu/target/arm/helper.c
+++ b/qemu/target/arm/helper.c
@@ -3710,10 +3710,15 @@ static void vttbr_write(CPUARMState *env, const ARMCPRegInfo *ri,
 * the combined stage 1&2 tlbs (EL10_1 and EL10_0).
 */
 if (raw_read(env, ri) != value) {
- tlb_flush_by_mmuidx(cs,
- ARMMMUIdxBit_E10_1 |
- ARMMMUIdxBit_E10_1_PAN |
- ARMMMUIdxBit_E10_0);
+ uint16_t mask = ARMMMUIdxBit_E10_1 |
+ ARMMMUIdxBit_E10_1_PAN |
+ ARMMMUIdxBit_E10_0;
+
+ if (arm_is_secure_below_el3(env)) {
+ mask >>= ARM_MMU_IDX_A_NS;
+ }
+
+ tlb_flush_by_mmuidx(cs, mask);
 raw_write(env, ri, value);
 }
 }
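Review bot: The new `mask >>= ARM_MMU_IDX_A_NS;` in vttbr_write uses an index flag constant as a shift count with no comment or check explaining why that is valid. It appears to rely on each secure EL1&0 index bit sitting exactly that many positions below its non-secure counterpart, and on the result still fitting the `uint16_t` mask. If that layout differs in this tree or drifts later, the flush would silently miss the secure-state entries, and stale stage 2 translations could survive a VMID change, which is an isolation problem between guests. I would add a comment above the shift, for example `/* Secure EL1&0 idx bits are the NS ones shifted down by ARM_MMU_IDX_A_NS */`, and extend the existing block comment, which still names only EL10_1 and EL10_0 and not the secure case. The function starts above the hunk, so how `cs` is obtained is not visible here.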