Any register or memory value that is used by the .tlb_fill function (e.g., in ppc_xlate()) can affect what gets put in TCG's TLB, so changing it requires either: that the ISA permits cached address translations that become incoherent vs the changed value; that the TCG TLB is "tagged" with the changing value (e.g., with mmuidx); or that the TCG TLB is flushed.
ppc is missing a few such flushes. Other than the AMR flush, Linux/KVM probably covers such SPR changes with other flushes (e.g., context switching between guests or guest/host will update LPCR and LPIDR, and LPIDR update already causes a TLB flush), which explains why they haven't caused obvious bugs.

Thanks,
Nick

Nicholas Piggin (3):
  target/ppc: flush TLB on HRMOR and LPCR SPR updates
  target/ppc: Avoid work if MMU SPRs are written with same value
  target/ppc: add missing TLB flushes for memory protection key SPR updates

 target/ppc/helper.h      |  3 ++
 target/ppc/spr_common.h  |  1 +
 target/ppc/cpu.c         | 12 +++++-
 target/ppc/cpu_init.c    |  6 +--
 target/ppc/misc_helper.c | 85 +++++++++++++++++++++++++++++++++++++++-
 target/ppc/translate.c   | 62 ++++++----------------------
 6 files changed, 114 insertions(+), 55 deletions(-)

-- 
2.47.1
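The coherence problem the cover letter describes, reduced to a toy model in C. This is an added illustration, not code from QEMU or from this series: the software TLB, the hypothetical AMR-like "key register", the one-bit-per-page key assignment and the three SPR-write strategies (no flush, flush, tag the entry with the register value) are all simplifications invented for the example. It shows why a cached translation filled under one register value becomes incoherent once the value changes, and that either flushing or tagging restores the correct permission check, while a same-value write needs neither.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy software TLB in the style of a TCG fast path (added example, not QEMU).
 * The fill function consults a hypothetical AMR-like "key register" when
 * deciding whether a page is writable, so that register is an input to
 * translation and must either flush or tag the TLB when it changes. */

#define PAGE_SHIFT  12
#define TLB_ENTRIES 8

enum { PERM_R = 1, PERM_W = 2 };

struct tlb_entry {
    bool     valid;
    uint64_t vpn;    /* virtual page number */
    uint32_t tag;    /* key register value the entry was filled under */
    int      perms;
};

struct cpu {
    uint32_t key_reg;                  /* hypothetical protection key SPR */
    struct tlb_entry tlb[TLB_ENTRIES];
    unsigned fills;                    /* slow-path fills, for inspection */
};

/* Slow path ("tlb_fill"): page key is (vpn & 1) in this toy page table; a set
 * bit in key_reg for that key removes write permission. */
static int tlb_fill_perms(const struct cpu *cpu, uint64_t vpn)
{
    unsigned key = (unsigned)(vpn & 1);
    int perms = PERM_R | PERM_W;
    if (cpu->key_reg & (1u << key))
        perms &= ~PERM_W;
    return perms;
}

static void tlb_flush(struct cpu *cpu)
{
    memset(cpu->tlb, 0, sizeof cpu->tlb);
}

/* Fast path: a hit requires a valid entry for this page and, when tagging is
 * enabled, a tag equal to the current key register (the mmuidx-style option). */
static bool access_ok(struct cpu *cpu, uint64_t va, int want, bool tagged)
{
    uint64_t vpn = va >> PAGE_SHIFT;
    struct tlb_entry *e = &cpu->tlb[vpn % TLB_ENTRIES];
    if (!e->valid || e->vpn != vpn || (tagged && e->tag != cpu->key_reg)) {
        e->valid = true;
        e->vpn = vpn;
        e->tag = cpu->key_reg;
        e->perms = tlb_fill_perms(cpu, vpn);
        cpu->fills++;
    }
    return (e->perms & want) == want;
}

enum strategy { SPR_WRITE_NO_FLUSH, SPR_WRITE_FLUSH, SPR_WRITE_TAGGED };

/* SPR write helper: skip all work on a same-value write, flush the TLB only
 * for the flush strategy; the tagged strategy relies on the tag compare. */
static void write_key_reg(struct cpu *cpu, uint32_t val, enum strategy s)
{
    if (val == cpu->key_reg)
        return;
    cpu->key_reg = val;
    if (s == SPR_WRITE_FLUSH)
        tlb_flush(cpu);
}

/* Scenario: write to page 0 (key 0) while permitted, then set the key
 * register to deny writes for key 0, then write again. Returns true when the
 * second write is wrongly allowed through a stale cached translation. */
static bool stale_write_allowed(enum strategy s)
{
    struct cpu cpu;
    memset(&cpu, 0, sizeof cpu);
    bool tagged = (s == SPR_WRITE_TAGGED);
    uint64_t va = 0x0000;                       /* page 0 -> key 0 */
    access_ok(&cpu, va, PERM_W, tagged);        /* caches a writable entry */
    write_key_reg(&cpu, 1u << 0, s);            /* now deny writes for key 0 */
    return access_ok(&cpu, va, PERM_W, tagged);
}

/* Same-value write must not cause a refill even when flushing is the policy. */
static unsigned fills_after_same_value_write(void)
{
    struct cpu cpu;
    memset(&cpu, 0, sizeof cpu);
    access_ok(&cpu, 0x1000, PERM_R, false);
    write_key_reg(&cpu, 0, SPR_WRITE_FLUSH);    /* key_reg already 0 */
    access_ok(&cpu, 0x1000, PERM_R, false);
    return cpu.fills;
}

int main(void)
{
    printf("no flush : stale write allowed = %d\n", stale_write_allowed(SPR_WRITE_NO_FLUSH));
    printf("flush    : stale write allowed = %d\n", stale_write_allowed(SPR_WRITE_FLUSH));
    printf("tagged   : stale write allowed = %d\n", stale_write_allowed(SPR_WRITE_TAGGED));
    printf("fills after same-value write = %u\n", fills_after_same_value_write());
    return 0;
}
```

The "no flush" case is the bug class the series closes: the permission decision made at fill time survives a register write that should have revoked it. Tagging avoids the flush cost but only for values with a small enough range to fit an index; for a wide register like a protection key mask, flushing on a changed value is the practical choice, and the same-value short-circuit keeps frequent redundant writes cheap.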