Series comparison

-[Qemu-devel] [PULL 00/12] target-arm queue
+[PULL 0/4] target-arm queue
-ARM queue: nothing particularly exciting here, but no
+Arm patches for rc3 : just a handful of bug fixes.
 reason to sit on them for another week.
 thanks
 -- PMM
-The following changes since commit 61eedf7aec0e2395aabd628cc055096909a3ea15:
-  tests/prom-env: Ease time-out problems on slow hosts (2017-02-10 15:44:53 +0000)
+The following changes since commit 4ecc984210ca1bf508a96a550ec8a93a5f833f6c:
-are available in the git repository at:
+  Merge remote-tracking branch 'remotes/palmer/tags/riscv-for-master-4.2-rc3' into staging (2019-11-26 12:36:40 +0000)
-  git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20170210
+are available in the Git repository at:
-for you to fetch changes up to b4cc583f0285a2e1e78621dfba142f00ca47414a:
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20191126
-  aspeed/smc: use a modulo to check segment limits (2017-02-10 17:40:30 +0000)
+for you to fetch changes up to 6a4ef4e5d1084ce41fafa7d470a644b0fd3d9317:
   target/arm: Honor HCR_EL2.TID3 trapping requirements (2019-11-26 13:55:37 +0000)
 ----------------------------------------------------------------
 target-arm queue:
- * aspeed: minor fixes
+ * handle FTYPE flag correctly in v7M exception return
- * virt: declare fwcfg and virtio-mmio as DMA coherent in DT & ACPI
+   for v7M CPUs with an FPU (v8M CPUs were already correct)
- * arm: enable basic TCG emulation of PMU for AArch64
+ * versal: Add the CRP as unimplemented
  * Fix ISR_EL1 tracking when executing at EL2
  * Honor HCR_EL2.TID3 trapping requirements
 ----------------------------------------------------------------
-Alexander Graf (4):
+Edgar E. Iglesias (1):
-      target-arm: Declare virtio-mmio as dma-coherent in dt
+      hw/arm: versal: Add the CRP as unimplemented
       hw/arm/virt: Declare virtio-mmio as dma cache coherent in ACPI
       hw/arm/virt: Declare fwcfg as dma cache coherent in ACPI
       hw/arm/virt: Declare fwcfg as dma cache coherent in dt
-Cédric Le Goater (4):
+Jean-Hugues Deschênes (1):
-      aspeed: check for negative values returned by blk_getlength()
+      target/arm: Fix handling of cortex-m FTYPE flag in EXCRET
       aspeed: remove useless comment on controller segment size
       aspeed/smc: handle dummies only in fast read mode
       aspeed/smc: use a modulo to check segment limits
-Wei Huang (4):
+Marc Zyngier (2):
-      target-arm: Add support for PMU register PMSELR_EL0
+      target/arm: Fix ISR_EL1 tracking when executing at EL2
-      target-arm: Add support for AArch64 PMU register PMXEVTYPER_EL0
+      target/arm: Honor HCR_EL2.TID3 trapping requirements
       target-arm: Add support for PMU register PMINTENSET_EL1
       target-arm: Enable vPMU support under TCG mode
- target/arm/cpu.h         |  4 +--
+ include/hw/arm/xlnx-versal.h |  3 ++
- hw/arm/aspeed.c          | 22 +++++++++-----
+ hw/arm/xlnx-versal.c         |  2 ++
- hw/arm/vexpress.c        |  1 +
+ target/arm/helper.c          | 83 ++++++++++++++++++++++++++++++++++++++++++--
- hw/arm/virt-acpi-build.c |  2 ++
+ target/arm/m_helper.c        |  7 ++--
- hw/arm/virt.c            |  4 ++-
+files changed, 89 insertions(+), 6 deletions(-)
  hw/ssi/aspeed_smc.c      | 13 +++++----
  target/arm/cpu.c         |  2 +-
  target/arm/helper.c      | 74 ++++++++++++++++++++++++++++++++++++------------
 files changed, 88 insertions(+), 34 deletions(-)

-[Qemu-devel] [PULL 01/12] target-arm: Add support for PMU register PMSELR_EL0
+Deleted patch
-From: Wei Huang <wei@redhat.com>
-This patch adds support for AArch64 register PMSELR_EL0. The existing
-PMSELR definition is revised accordingly.
-Signed-off-by: Wei Huang <wei@redhat.com>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-[PMM: Moved #ifndef CONFIG_USER_ONLY to cover new regdefs]
-Message-id: 1486504171-26807-2-git-send-email-wei@redhat.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/cpu.h    |  1 +
- target/arm/helper.c | 27 +++++++++++++++++++++------
-files changed, 22 insertions(+), 6 deletions(-)
-diff --git a/target/arm/cpu.h b/target/arm/cpu.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
-+++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ typedef struct CPUARMState {
-         uint32_t c9_pmovsr; /* perf monitor overflow status */
-         uint32_t c9_pmxevtyper; /* perf monitor event type */
-         uint32_t c9_pmuserenr; /* perf monitor user enable */
-+        uint64_t c9_pmselr; /* perf monitor counter selection register */
-         uint32_t c9_pminten; /* perf monitor interrupt enables */
-         union { /* Memory attribute redirection */
-             struct {
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static uint64_t pmccntr_read(CPUARMState *env, const ARMCPRegInfo *ri)
-     return total_ticks - env->cp15.c15_ccnt;
- }
-+static void pmselr_write(CPUARMState *env, const ARMCPRegInfo *ri,
-+                         uint64_t value)
-+{
-+    /* The value of PMSELR.SEL affects the behavior of PMXEVTYPER and
-+     * PMXEVCNTR. We allow [0..31] to be written to PMSELR here; in the
-+     * meanwhile, we check PMSELR.SEL when PMXEVTYPER and PMXEVCNTR are
-+     * accessed.
-+     */
-+    env->cp15.c9_pmselr = value & 0x1f;
-+}
-+
- static void pmccntr_write(CPUARMState *env, const ARMCPRegInfo *ri,
-                         uint64_t value)
- {
-@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v7_cp_reginfo[] = {
-     /* Unimplemented so WI. */
-     { .name = "PMSWINC", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 4,
-       .access = PL0_W, .accessfn = pmreg_access, .type = ARM_CP_NOP },
--    /* Since we don't implement any events, writing to PMSELR is UNPREDICTABLE.
--     * We choose to RAZ/WI.
--     */
--    { .name = "PMSELR", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 5,
--      .access = PL0_RW, .type = ARM_CP_CONST, .resetvalue = 0,
--      .accessfn = pmreg_access },
- #ifndef CONFIG_USER_ONLY
-+    { .name = "PMSELR", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 5,
-+      .access = PL0_RW, .type = ARM_CP_ALIAS,
-+      .fieldoffset = offsetoflow32(CPUARMState, cp15.c9_pmselr),
-+      .accessfn = pmreg_access, .writefn = pmselr_write,
-+      .raw_writefn = raw_write},
-+    { .name = "PMSELR_EL0", .state = ARM_CP_STATE_AA64,
-+      .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 12, .opc2 = 5,
-+      .access = PL0_RW, .accessfn = pmreg_access,
-+      .fieldoffset = offsetof(CPUARMState, cp15.c9_pmselr),
-+      .writefn = pmselr_write, .raw_writefn = raw_write, },
-     { .name = "PMCCNTR", .cp = 15, .crn = 9, .crm = 13, .opc1 = 0, .opc2 = 0,
-       .access = PL0_RW, .resetvalue = 0, .type = ARM_CP_IO,
-       .readfn = pmccntr_read, .writefn = pmccntr_write32,
---
-.7.4

-[Qemu-devel] [PULL 09/12] aspeed: check for negative values returned by blk_getlength()
+[PULL 1/4] target/arm: Fix handling of cortex-m FTYPE flag in EXCRET
-From: Cédric Le Goater <clg@kaod.org>
+From: Jean-Hugues Deschênes <Jean-Hugues.Deschenes@ossiaco.com>
-write_boot_rom() does not check for negative values. This is more a
+According to the PushStack() pseudocode in the armv7m RM,
-problem for coverity than the actual code as the size of the flash
+bit 4 of the LR should be set to NOT(CONTROL.PFCA) when
-device is checked when the m25p80 object is created. If there is
+an FPU is present. Current implementation is doing it for
-anything wrong with the backing file, we should not even reach that
+armv8, but not for armv7. This patch makes the existing
-path.
+logic applicable to both code paths.
-Signed-off-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: Jean-Hugues Deschenes <jean-hugues.deschenes@ossiaco.com>
 Message-id: 1486648058-520-2-git-send-email-clg@kaod.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/aspeed.c | 14 ++++++++++++--
+ target/arm/m_helper.c | 7 +++----
-file changed, 12 insertions(+), 2 deletions(-)
+file changed, 3 insertions(+), 4 deletions(-)
-diff --git a/hw/arm/aspeed.c b/hw/arm/aspeed.c
+diff --git a/target/arm/m_helper.c b/target/arm/m_helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/aspeed.c
+--- a/target/arm/m_helper.c
-+++ b/hw/arm/aspeed.c
++++ b/target/arm/m_helper.c
-@@ -XXX,XX +XXX,XX @@ static void write_boot_rom(DriveInfo *dinfo, hwaddr addr, size_t rom_size,
+@@ -XXX,XX +XXX,XX @@ void arm_v7m_cpu_do_interrupt(CPUState *cs)
- {
+         if (env->v7m.secure) {
-     BlockBackend *blk = blk_by_legacy_dinfo(dinfo);
+             lr |= R_V7M_EXCRET_S_MASK;
-     uint8_t *storage;
+         }
-+    int64_t size;
+-        if (!(env->v7m.control[M_REG_S] & R_V7M_CONTROL_FPCA_MASK)) {
+-            lr |= R_V7M_EXCRET_FTYPE_MASK;
--    if (rom_size > blk_getlength(blk)) {
+-        }
--        rom_size = blk_getlength(blk);
+     } else {
-+    /* The block backend size should have already been 'validated' by
+         lr = R_V7M_EXCRET_RES1_MASK |
-+     * the creation of the m25p80 object.
+             R_V7M_EXCRET_S_MASK |
-+     */
+             R_V7M_EXCRET_DCRS_MASK |
-+    size = blk_getlength(blk);
+-            R_V7M_EXCRET_FTYPE_MASK |
-+    if (size <= 0) {
+             R_V7M_EXCRET_ES_MASK;
-+        error_setg(errp, "failed to get flash size");
+         if (env->v7m.control[M_REG_NS] & R_V7M_CONTROL_SPSEL_MASK) {
-+        return;
+             lr |= R_V7M_EXCRET_SPSEL_MASK;
          }
      }
 +    if (!(env->v7m.control[M_REG_S] & R_V7M_CONTROL_FPCA_MASK)) {
 +        lr |= R_V7M_EXCRET_FTYPE_MASK;
 +    }
-+
+     if (!arm_v7m_is_handler_mode(env)) {
-+    if (rom_size > size) {
+         lr |= R_V7M_EXCRET_MODE_MASK;
 +        rom_size = size;
      }
-     storage = g_new0(uint8_t, rom_size);
 --
-.7.4
+.20.1

-[Qemu-devel] [PULL 12/12] aspeed/smc: use a modulo to check segment limits
+[PULL 2/4] hw/arm: versal: Add the CRP as unimplemented
-From: Cédric Le Goater <clg@kaod.org>
+From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>
-The size of a segment is not necessarily a power of 2.
+Add the CRP as unimplemented thus avoiding bus errors when
 guests access these registers.
-Signed-off-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
-Message-id: 1486648058-520-5-git-send-email-clg@kaod.org
+Reviewed-by: Luc Michel <luc.michel@greensocs.com>
 Message-id: 20191115154734.26449-2-edgar.iglesias@gmail.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/ssi/aspeed_smc.c | 4 ++--
+ include/hw/arm/xlnx-versal.h | 3 +++
-file changed, 2 insertions(+), 2 deletions(-)
+ hw/arm/xlnx-versal.c         | 2 ++
 files changed, 5 insertions(+)
-diff --git a/hw/ssi/aspeed_smc.c b/hw/ssi/aspeed_smc.c
+diff --git a/include/hw/arm/xlnx-versal.h b/include/hw/arm/xlnx-versal.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/ssi/aspeed_smc.c
+--- a/include/hw/arm/xlnx-versal.h
-+++ b/hw/ssi/aspeed_smc.c
++++ b/include/hw/arm/xlnx-versal.h
-@@ -XXX,XX +XXX,XX @@ static uint32_t aspeed_smc_check_segment_addr(const AspeedSMCFlash *fl,
+@@ -XXX,XX +XXX,XX @@ typedef struct Versal {
-     AspeedSegments seg;
+ #define MM_IOU_SCNTRS_SIZE          0x10000
+ #define MM_FPD_CRF                  0xfd1a0000U
-     aspeed_smc_reg_to_segment(s->regs[R_SEG_ADDR0 + fl->id], &seg);
+ #define MM_FPD_CRF_SIZE             0x140000
--    if ((addr & (seg.size - 1)) != addr) {
++
-+    if ((addr % seg.size) != addr) {
++#define MM_PMC_CRP                  0xf1260000U
-         qemu_log_mask(LOG_GUEST_ERROR,
++#define MM_PMC_CRP_SIZE             0x10000
-                       "%s: invalid address 0x%08x for CS%d segment : "
+ #endif
-                       "[ 0x%"HWADDR_PRIx" - 0x%"HWADDR_PRIx" ]\n",
+diff --git a/hw/arm/xlnx-versal.c b/hw/arm/xlnx-versal.c
-                       s->ctrl->name, addr, fl->id, seg.addr,
+index XXXXXXX..XXXXXXX 100644
-                       seg.addr + seg.size);
+--- a/hw/arm/xlnx-versal.c
-+        addr %= seg.size;
++++ b/hw/arm/xlnx-versal.c
-     }
+@@ -XXX,XX +XXX,XX @@ static void versal_unimp(Versal *s)
+                         MM_CRL, MM_CRL_SIZE);
--    addr &= seg.size - 1;
+     versal_unimp_area(s, "crf", &s->mr_ps,
-     return addr;
+                         MM_FPD_CRF, MM_FPD_CRF_SIZE);
- }
++    versal_unimp_area(s, "crp", &s->mr_ps,
++                        MM_PMC_CRP, MM_PMC_CRP_SIZE);
      versal_unimp_area(s, "iou-scntr", &s->mr_ps,
                          MM_IOU_SCNTR, MM_IOU_SCNTR_SIZE);
      versal_unimp_area(s, "iou-scntr-seucre", &s->mr_ps,
 --
-.7.4
+.20.1

-[Qemu-devel] [PULL 02/12] target-arm: Add support for AArch64 PMU register PMXEVTYPER_EL0
+[PULL 3/4] target/arm: Fix ISR_EL1 tracking when executing at EL2
-From: Wei Huang <wei@redhat.com>
+From: Marc Zyngier <maz@kernel.org>
-In order to support Linux perf, which uses PMXEVTYPER register,
+The ARMv8 ARM states when executing at EL2, EL3 or Secure EL1,
-this patch adds read/write access support for PMXEVTYPER. The access
+ISR_EL1 shows the pending status of the physical IRQ, FIQ, or
-is CONSTRAINED UNPREDICTABLE when PMSELR is not 0x1f. Additionally
+SError interrupts.
 this patch adds support for PMXEVTYPER_EL0.
-Signed-off-by: Wei Huang <wei@redhat.com>
+Unfortunately, QEMU's implementation only considers the HCR_EL2
-Message-id: 1486504171-26807-3-git-send-email-wei@redhat.com
+bits, and ignores the current exception level. This means a hypervisor
 trying to look at its own interrupt state actually sees the guest
 state, which is unexpected and breaks KVM as of Linux 5.3.
 Instead, check for the running EL and return the physical bits
 if not running in a virtualized context.
 Fixes: 636540e9c40b
 Cc: qemu-stable@nongnu.org
 Reported-by: Quentin Perret <qperret@google.com>
 Signed-off-by: Marc Zyngier <maz@kernel.org>
 Message-id: 20191122135833.28953-1-maz@kernel.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/cpu.h    |  1 -
+ target/arm/helper.c | 7 +++++--
- target/arm/helper.c | 30 +++++++++++++++++++++++++-----
+file changed, 5 insertions(+), 2 deletions(-)
 files changed, 25 insertions(+), 6 deletions(-)
-diff --git a/target/arm/cpu.h b/target/arm/cpu.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
-+++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ typedef struct CPUARMState {
-         uint64_t c9_pmcr; /* performance monitor control register */
-         uint64_t c9_pmcnten; /* perf monitor counter enables */
-         uint32_t c9_pmovsr; /* perf monitor overflow status */
--        uint32_t c9_pmxevtyper; /* perf monitor event type */
-         uint32_t c9_pmuserenr; /* perf monitor user enable */
-         uint64_t c9_pmselr; /* perf monitor counter selection register */
-         uint32_t c9_pminten; /* perf monitor interrupt enables */
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static void pmovsr_write(CPUARMState *env, const ARMCPRegInfo *ri,
+@@ -XXX,XX +XXX,XX @@ static uint64_t isr_read(CPUARMState *env, const ARMCPRegInfo *ri)
- static void pmxevtyper_write(CPUARMState *env, const ARMCPRegInfo *ri,
+     CPUState *cs = env_cpu(env);
-                              uint64_t value)
+     uint64_t hcr_el2 = arm_hcr_el2_eff(env);
- {
+     uint64_t ret = 0;
--    env->cp15.c9_pmxevtyper = value & 0xff;
++    bool allow_virt = (arm_current_el(env) == 1 &&
-+    /* Attempts to access PMXEVTYPER are CONSTRAINED UNPREDICTABLE when
++                       (!arm_is_secure_below_el3(env) ||
-+     * PMSELR value is equal to or greater than the number of implemented
++                        (env->cp15.scr_el3 & SCR_EEL2)));
-+     * counters, but not equal to 0x1f. We opt to behave as a RAZ/WI.
-+     */
+-    if (hcr_el2 & HCR_IMO) {
-+    if (env->cp15.c9_pmselr == 0x1f) {
++    if (allow_virt && (hcr_el2 & HCR_IMO)) {
-+        pmccfiltr_write(env, ri, value);
+         if (cs->interrupt_request & CPU_INTERRUPT_VIRQ) {
-+    }
+             ret |= CPSR_I;
-+}
+         }
-+
+@@ -XXX,XX +XXX,XX @@ static uint64_t isr_read(CPUARMState *env, const ARMCPRegInfo *ri)
-+static uint64_t pmxevtyper_read(CPUARMState *env, const ARMCPRegInfo *ri)
+         }
-+{
+     }
-+    /* We opt to behave as a RAZ/WI when attempts to access PMXEVTYPER
-+     * are CONSTRAINED UNPREDICTABLE. See comments in pmxevtyper_write().
+-    if (hcr_el2 & HCR_FMO) {
-+     */
++    if (allow_virt && (hcr_el2 & HCR_FMO)) {
-+    if (env->cp15.c9_pmselr == 0x1f) {
+         if (cs->interrupt_request & CPU_INTERRUPT_VFIQ) {
-+        return env->cp15.pmccfiltr_el0;
+             ret |= CPSR_F;
-+    } else {
+         }
 +        return 0;
 +    }
  }
  static void pmuserenr_write(CPUARMState *env, const ARMCPRegInfo *ri,
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v7_cp_reginfo[] = {
        .fieldoffset = offsetof(CPUARMState, cp15.pmccfiltr_el0),
        .resetvalue = 0, },
      { .name = "PMXEVTYPER", .cp = 15, .crn = 9, .crm = 13, .opc1 = 0, .opc2 = 1,
 -      .access = PL0_RW,
 -      .fieldoffset = offsetof(CPUARMState, cp15.c9_pmxevtyper),
 -      .accessfn = pmreg_access, .writefn = pmxevtyper_write,
 -      .raw_writefn = raw_write },
 +      .access = PL0_RW, .type = ARM_CP_NO_RAW, .accessfn = pmreg_access,
 +      .writefn = pmxevtyper_write, .readfn = pmxevtyper_read },
 +    { .name = "PMXEVTYPER_EL0", .state = ARM_CP_STATE_AA64,
 +      .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 13, .opc2 = 1,
 +      .access = PL0_RW, .type = ARM_CP_NO_RAW, .accessfn = pmreg_access,
 +      .writefn = pmxevtyper_write, .readfn = pmxevtyper_read },
      /* Unimplemented, RAZ/WI. */
      { .name = "PMXEVCNTR", .cp = 15, .crn = 9, .crm = 13, .opc1 = 0, .opc2 = 2,
        .access = PL0_RW, .type = ARM_CP_CONST, .resetvalue = 0,
 --
-.7.4
+.20.1

-[Qemu-devel] [PULL 03/12] target-arm: Add support for PMU register PMINTENSET_EL1
+Deleted patch
-From: Wei Huang <wei@redhat.com>
-This patch adds access support for PMINTENSET_EL1.
-Signed-off-by: Wei Huang <wei@redhat.com>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 1486504171-26807-4-git-send-email-wei@redhat.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/cpu.h    |  2 +-
- target/arm/helper.c | 10 +++++++++-
-files changed, 10 insertions(+), 2 deletions(-)
-diff --git a/target/arm/cpu.h b/target/arm/cpu.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
-+++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ typedef struct CPUARMState {
-         uint32_t c9_pmovsr; /* perf monitor overflow status */
-         uint32_t c9_pmuserenr; /* perf monitor user enable */
-         uint64_t c9_pmselr; /* perf monitor counter selection register */
--        uint32_t c9_pminten; /* perf monitor interrupt enables */
-+        uint64_t c9_pminten; /* perf monitor interrupt enables */
-         union { /* Memory attribute redirection */
-             struct {
- #ifdef HOST_WORDS_BIGENDIAN
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v7_cp_reginfo[] = {
-       .writefn = pmuserenr_write, .raw_writefn = raw_write },
-     { .name = "PMINTENSET", .cp = 15, .crn = 9, .crm = 14, .opc1 = 0, .opc2 = 1,
-       .access = PL1_RW, .accessfn = access_tpm,
--      .fieldoffset = offsetof(CPUARMState, cp15.c9_pminten),
-+      .type = ARM_CP_ALIAS,
-+      .fieldoffset = offsetoflow32(CPUARMState, cp15.c9_pminten),
-       .resetvalue = 0,
-       .writefn = pmintenset_write, .raw_writefn = raw_write },
-+    { .name = "PMINTENSET_EL1", .state = ARM_CP_STATE_AA64,
-+      .opc0 = 3, .opc1 = 0, .crn = 9, .crm = 14, .opc2 = 1,
-+      .access = PL1_RW, .accessfn = access_tpm,
-+      .type = ARM_CP_IO,
-+      .fieldoffset = offsetof(CPUARMState, cp15.c9_pminten),
-+      .writefn = pmintenset_write, .raw_writefn = raw_write,
-+      .resetvalue = 0x0 },
-     { .name = "PMINTENCLR", .cp = 15, .crn = 9, .crm = 14, .opc1 = 0, .opc2 = 2,
-       .access = PL1_RW, .accessfn = access_tpm, .type = ARM_CP_ALIAS,
-       .fieldoffset = offsetof(CPUARMState, cp15.c9_pminten),
---
-.7.4

-[Qemu-devel] [PULL 04/12] target-arm: Enable vPMU support under TCG mode
+[PULL 4/4] target/arm: Honor HCR_EL2.TID3 trapping requirements
-From: Wei Huang <wei@redhat.com>
+From: Marc Zyngier <maz@kernel.org>
-This patch contains several fixes to enable vPMU under TCG mode. It
+HCR_EL2.TID3 mandates that access from EL1 to a long list of id
-first removes the checking of kvm_enabled() while unsetting
+registers traps to EL2, and QEMU has so far ignored this requirement.
-ARM_FEATURE_PMU. With it, the .pmu option can be used to turn on/off vPMU
-under TCG mode. Secondly the PMU node of DT table is now created under TCG.
+This breaks (among other things) KVM guests that have PtrAuth enabled,
-The last fix is to disable the masking of PMUver field of ID_AA64DFR0_EL1.
+while the hypervisor doesn't want to expose the feature to its guest.
+To achieve this, KVM traps the ID registers (ID_AA64ISAR1_EL1 in this
-Signed-off-by: Wei Huang <wei@redhat.com>
+case), and masks out the unsupported feature.
 QEMU not honoring the trap request means that the guest observes
 that the feature is present in the HW, starts using it, and dies
 a horrible death when KVM injects an UNDEF, because the feature
 *really* isn't supported.
 Do the right thing by trapping to EL2 if HCR_EL2.TID3 is set.
 Note that this change does not include trapping of the MVFR
 registers from AArch32 (they are accessed via the VMRS
 instruction and need to be handled in a different way).
 Reported-by: Will Deacon <will@kernel.org>
 Signed-off-by: Marc Zyngier <maz@kernel.org>
 Tested-by: Will Deacon <will@kernel.org>
 Message-id: 20191123115618.29230-1-maz@kernel.org
 [PMM: added missing accessfn line for ID_AA4PFR2_EL1_RESERVED;
  changed names of access functions to include _tid3]
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 1486504171-26807-5-git-send-email-wei@redhat.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/virt.c       | 2 +-
+ target/arm/helper.c | 76 +++++++++++++++++++++++++++++++++++++++++++++
- target/arm/cpu.c    | 2 +-
+file changed, 76 insertions(+)
- target/arm/helper.c | 7 +------
 files changed, 3 insertions(+), 8 deletions(-)
 diff --git a/hw/arm/virt.c b/hw/arm/virt.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/virt.c
 +++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@ static void fdt_add_pmu_nodes(const VirtMachineState *vms)
      CPU_FOREACH(cpu) {
          armcpu = ARM_CPU(cpu);
          if (!arm_feature(&armcpu->env, ARM_FEATURE_PMU) ||
 -            !kvm_arm_pmu_create(cpu, PPI(VIRTUAL_PMU_IRQ))) {
 +            (kvm_enabled() && !kvm_arm_pmu_create(cpu, PPI(VIRTUAL_PMU_IRQ)))) {
              return;
          }
      }
 diff --git a/target/arm/cpu.c b/target/arm/cpu.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.c
 +++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
          unset_feature(env, ARM_FEATURE_EL2);
      }
 -    if (!cpu->has_pmu || !kvm_enabled()) {
 +    if (!cpu->has_pmu) {
          cpu->has_pmu = false;
          unset_feature(env, ARM_FEATURE_PMU);
      }
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
+@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo predinv_reginfo[] = {
+     REGINFO_SENTINEL
+ };
++static CPAccessResult access_aa64_tid3(CPUARMState *env, const ARMCPRegInfo *ri,
++                                       bool isread)
++{
++    if ((arm_current_el(env) < 2) && (arm_hcr_el2_eff(env) & HCR_TID3)) {
++        return CP_ACCESS_TRAP_EL2;
++    }
++
++    return CP_ACCESS_OK;
++}
++
++static CPAccessResult access_aa32_tid3(CPUARMState *env, const ARMCPRegInfo *ri,
++                                       bool isread)
++{
++    if (arm_feature(env, ARM_FEATURE_V8)) {
++        return access_aa64_tid3(env, ri, isread);
++    }
++
++    return CP_ACCESS_OK;
++}
++
+ void register_cp_regs_for_features(ARMCPU *cpu)
+ {
+     /* Register all the coprocessor registers based on feature bits */
 @@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
+             { .name = "ID_PFR0", .state = ARM_CP_STATE_BOTH,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 0,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa32_tid3,
+               .resetvalue = cpu->id_pfr0 },
+             /* ID_PFR1 is not a plain ARM_CP_CONST because we don't know
+              * the value of the GIC field until after we define these regs.
+@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
+             { .name = "ID_PFR1", .state = ARM_CP_STATE_BOTH,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 1,
+               .access = PL1_R, .type = ARM_CP_NO_RAW,
++              .accessfn = access_aa32_tid3,
+               .readfn = id_pfr1_read,
+               .writefn = arm_cp_write_ignore },
+             { .name = "ID_DFR0", .state = ARM_CP_STATE_BOTH,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 2,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa32_tid3,
+               .resetvalue = cpu->id_dfr0 },
+             { .name = "ID_AFR0", .state = ARM_CP_STATE_BOTH,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 3,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa32_tid3,
+               .resetvalue = cpu->id_afr0 },
+             { .name = "ID_MMFR0", .state = ARM_CP_STATE_BOTH,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 4,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa32_tid3,
+               .resetvalue = cpu->id_mmfr0 },
+             { .name = "ID_MMFR1", .state = ARM_CP_STATE_BOTH,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 5,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa32_tid3,
+               .resetvalue = cpu->id_mmfr1 },
+             { .name = "ID_MMFR2", .state = ARM_CP_STATE_BOTH,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 6,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa32_tid3,
+               .resetvalue = cpu->id_mmfr2 },
+             { .name = "ID_MMFR3", .state = ARM_CP_STATE_BOTH,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 7,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa32_tid3,
+               .resetvalue = cpu->id_mmfr3 },
+             { .name = "ID_ISAR0", .state = ARM_CP_STATE_BOTH,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 0,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa32_tid3,
+               .resetvalue = cpu->isar.id_isar0 },
+             { .name = "ID_ISAR1", .state = ARM_CP_STATE_BOTH,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 1,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa32_tid3,
+               .resetvalue = cpu->isar.id_isar1 },
+             { .name = "ID_ISAR2", .state = ARM_CP_STATE_BOTH,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 2,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa32_tid3,
+               .resetvalue = cpu->isar.id_isar2 },
+             { .name = "ID_ISAR3", .state = ARM_CP_STATE_BOTH,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 3,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa32_tid3,
+               .resetvalue = cpu->isar.id_isar3 },
+             { .name = "ID_ISAR4", .state = ARM_CP_STATE_BOTH,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 4,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa32_tid3,
+               .resetvalue = cpu->isar.id_isar4 },
+             { .name = "ID_ISAR5", .state = ARM_CP_STATE_BOTH,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 5,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa32_tid3,
+               .resetvalue = cpu->isar.id_isar5 },
+             { .name = "ID_MMFR4", .state = ARM_CP_STATE_BOTH,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 6,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa32_tid3,
+               .resetvalue = cpu->id_mmfr4 },
+             { .name = "ID_ISAR6", .state = ARM_CP_STATE_BOTH,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 7,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa32_tid3,
+               .resetvalue = cpu->isar.id_isar6 },
+             REGINFO_SENTINEL
+         };
+@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
+             { .name = "ID_AA64PFR0_EL1", .state = ARM_CP_STATE_AA64,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 4, .opc2 = 0,
+               .access = PL1_R, .type = ARM_CP_NO_RAW,
++              .accessfn = access_aa64_tid3,
+               .readfn = id_aa64pfr0_read,
+               .writefn = arm_cp_write_ignore },
+             { .name = "ID_AA64PFR1_EL1", .state = ARM_CP_STATE_AA64,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 4, .opc2 = 1,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa64_tid3,
+               .resetvalue = cpu->isar.id_aa64pfr1},
+             { .name = "ID_AA64PFR2_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 4, .opc2 = 2,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa64_tid3,
+               .resetvalue = 0 },
+             { .name = "ID_AA64PFR3_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 4, .opc2 = 3,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa64_tid3,
+               .resetvalue = 0 },
+             { .name = "ID_AA64ZFR0_EL1", .state = ARM_CP_STATE_AA64,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 4, .opc2 = 4,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa64_tid3,
+               /* At present, only SVEver == 0 is defined anyway.  */
+               .resetvalue = 0 },
+             { .name = "ID_AA64PFR5_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 4, .opc2 = 5,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa64_tid3,
+               .resetvalue = 0 },
+             { .name = "ID_AA64PFR6_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 4, .opc2 = 6,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa64_tid3,
+               .resetvalue = 0 },
+             { .name = "ID_AA64PFR7_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 4, .opc2 = 7,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa64_tid3,
+               .resetvalue = 0 },
              { .name = "ID_AA64DFR0_EL1", .state = ARM_CP_STATE_AA64,
                .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 0,
                .access = PL1_R, .type = ARM_CP_CONST,
--              /* We mask out the PMUVer field, because we don't currently
++              .accessfn = access_aa64_tid3,
--               * implement the PMU. Not advertising it prevents the guest
+               .resetvalue = cpu->id_aa64dfr0 },
 -               * from trying to use it and getting UNDEFs on registers we
 -               * don't implement.
 -               */
 -              .resetvalue = cpu->id_aa64dfr0 & ~0xf00 },
 +              .resetvalue = cpu->id_aa64dfr0 },
              { .name = "ID_AA64DFR1_EL1", .state = ARM_CP_STATE_AA64,
                .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 1,
                .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa64_tid3,
+               .resetvalue = cpu->id_aa64dfr1 },
+             { .name = "ID_AA64DFR2_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 2,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa64_tid3,
+               .resetvalue = 0 },
+             { .name = "ID_AA64DFR3_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 3,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa64_tid3,
+               .resetvalue = 0 },
+             { .name = "ID_AA64AFR0_EL1", .state = ARM_CP_STATE_AA64,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 4,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa64_tid3,
+               .resetvalue = cpu->id_aa64afr0 },
+             { .name = "ID_AA64AFR1_EL1", .state = ARM_CP_STATE_AA64,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 5,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa64_tid3,
+               .resetvalue = cpu->id_aa64afr1 },
+             { .name = "ID_AA64AFR2_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 6,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa64_tid3,
+               .resetvalue = 0 },
+             { .name = "ID_AA64AFR3_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 7,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa64_tid3,
+               .resetvalue = 0 },
+             { .name = "ID_AA64ISAR0_EL1", .state = ARM_CP_STATE_AA64,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 6, .opc2 = 0,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa64_tid3,
+               .resetvalue = cpu->isar.id_aa64isar0 },
+             { .name = "ID_AA64ISAR1_EL1", .state = ARM_CP_STATE_AA64,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 6, .opc2 = 1,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa64_tid3,
+               .resetvalue = cpu->isar.id_aa64isar1 },
+             { .name = "ID_AA64ISAR2_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 6, .opc2 = 2,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa64_tid3,
+               .resetvalue = 0 },
+             { .name = "ID_AA64ISAR3_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 6, .opc2 = 3,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa64_tid3,
+               .resetvalue = 0 },
+             { .name = "ID_AA64ISAR4_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 6, .opc2 = 4,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa64_tid3,
+               .resetvalue = 0 },
+             { .name = "ID_AA64ISAR5_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 6, .opc2 = 5,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa64_tid3,
+               .resetvalue = 0 },
+             { .name = "ID_AA64ISAR6_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 6, .opc2 = 6,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa64_tid3,
+               .resetvalue = 0 },
+             { .name = "ID_AA64ISAR7_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 6, .opc2 = 7,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa64_tid3,
+               .resetvalue = 0 },
+             { .name = "ID_AA64MMFR0_EL1", .state = ARM_CP_STATE_AA64,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 0,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa64_tid3,
+               .resetvalue = cpu->isar.id_aa64mmfr0 },
+             { .name = "ID_AA64MMFR1_EL1", .state = ARM_CP_STATE_AA64,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 1,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa64_tid3,
+               .resetvalue = cpu->isar.id_aa64mmfr1 },
+             { .name = "ID_AA64MMFR2_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 2,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa64_tid3,
+               .resetvalue = 0 },
+             { .name = "ID_AA64MMFR3_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 3,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa64_tid3,
+               .resetvalue = 0 },
+             { .name = "ID_AA64MMFR4_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 4,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa64_tid3,
+               .resetvalue = 0 },
+             { .name = "ID_AA64MMFR5_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 5,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa64_tid3,
+               .resetvalue = 0 },
+             { .name = "ID_AA64MMFR6_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 6,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa64_tid3,
+               .resetvalue = 0 },
+             { .name = "ID_AA64MMFR7_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 7,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa64_tid3,
+               .resetvalue = 0 },
+             { .name = "MVFR0_EL1", .state = ARM_CP_STATE_AA64,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 0,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa64_tid3,
+               .resetvalue = cpu->isar.mvfr0 },
+             { .name = "MVFR1_EL1", .state = ARM_CP_STATE_AA64,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 1,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa64_tid3,
+               .resetvalue = cpu->isar.mvfr1 },
+             { .name = "MVFR2_EL1", .state = ARM_CP_STATE_AA64,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 2,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa64_tid3,
+               .resetvalue = cpu->isar.mvfr2 },
+             { .name = "MVFR3_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 3,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa64_tid3,
+               .resetvalue = 0 },
+             { .name = "MVFR4_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 4,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa64_tid3,
+               .resetvalue = 0 },
+             { .name = "MVFR5_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 5,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa64_tid3,
+               .resetvalue = 0 },
+             { .name = "MVFR6_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 6,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa64_tid3,
+               .resetvalue = 0 },
+             { .name = "MVFR7_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
+               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 7,
+               .access = PL1_R, .type = ARM_CP_CONST,
++              .accessfn = access_aa64_tid3,
+               .resetvalue = 0 },
+             { .name = "PMCEID0", .state = ARM_CP_STATE_AA32,
+               .cp = 15, .opc1 = 0, .crn = 9, .crm = 12, .opc2 = 6,
 --
-.7.4
+.20.1

-[Qemu-devel] [PULL 05/12] target-arm: Declare virtio-mmio as dma-coherent in dt
+Deleted patch
-From: Alexander Graf <agraf@suse.de>
-QEMU emulated hardware is always dma coherent with its guest. We do
-annotate that correctly on the PCI host controller, but left out
-virtio-mmio.
-Recent kernels have started to interpret that flag rather than take
-dma coherency as granted with virtio-mmio. While that is considered
-a kernel bug, as it breaks previously working systems, it showed that
-our dt description is incomplete.
-This patch adds the respective marker that allows guest OSs to evaluate
-that our virtio-mmio devices are indeed cache coherent.
-Signed-off-by: Alexander Graf <agraf@suse.de>
-Reviewed-by: Laszlo Ersek <lersek@redhat.com>
-Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
-Message-id: 1486644810-33181-2-git-send-email-agraf@suse.de
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/arm/vexpress.c | 1 +
- hw/arm/virt.c     | 1 +
-files changed, 2 insertions(+)
-diff --git a/hw/arm/vexpress.c b/hw/arm/vexpress.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/vexpress.c
-+++ b/hw/arm/vexpress.c
-@@ -XXX,XX +XXX,XX @@ static int add_virtio_mmio_node(void *fdt, uint32_t acells, uint32_t scells,
-                                        acells, addr, scells, size);
-     qemu_fdt_setprop_cells(fdt, nodename, "interrupt-parent", intc);
-     qemu_fdt_setprop_cells(fdt, nodename, "interrupts", 0, irq, 1);
-+    qemu_fdt_setprop(fdt, nodename, "dma-coherent", NULL, 0);
-     g_free(nodename);
-     if (rc) {
-         return -1;
-diff --git a/hw/arm/virt.c b/hw/arm/virt.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/virt.c
-+++ b/hw/arm/virt.c
-@@ -XXX,XX +XXX,XX @@ static void create_virtio_devices(const VirtMachineState *vms, qemu_irq *pic)
-         qemu_fdt_setprop_cells(vms->fdt, nodename, "interrupts",
-                                GIC_FDT_IRQ_TYPE_SPI, irq,
-                                GIC_FDT_IRQ_FLAGS_EDGE_LO_HI);
-+        qemu_fdt_setprop(vms->fdt, nodename, "dma-coherent", NULL, 0);
-         g_free(nodename);
-     }
- }
---
-.7.4

-[Qemu-devel] [PULL 06/12] hw/arm/virt: Declare virtio-mmio as dma cache coherent in ACPI
+Deleted patch
-From: Alexander Graf <agraf@suse.de>
-Virtio-mmio devices can directly access guest memory and do so in cache
-coherent fashion. Tell the guest about that fact when it's using ACPI.
-Signed-off-by: Alexander Graf <agraf@suse.de>
-Reviewed-by: Laszlo Ersek <lersek@redhat.com>
-Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
-Reviewed-by: Shannon Zhao <shannon.zhao@linaro.org>
-Message-id: 1486644810-33181-3-git-send-email-agraf@suse.de
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/arm/virt-acpi-build.c | 1 +
-file changed, 1 insertion(+)
-diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/virt-acpi-build.c
-+++ b/hw/arm/virt-acpi-build.c
-@@ -XXX,XX +XXX,XX @@ static void acpi_dsdt_add_virtio(Aml *scope,
-         Aml *dev = aml_device("VR%02u", i);
-         aml_append(dev, aml_name_decl("_HID", aml_string("LNRO0005")));
-         aml_append(dev, aml_name_decl("_UID", aml_int(i)));
-+        aml_append(dev, aml_name_decl("_CCA", aml_int(1)));
-         Aml *crs = aml_resource_template();
-         aml_append(crs, aml_memory32_fixed(base, size, AML_READ_WRITE));
---
-.7.4

-[Qemu-devel] [PULL 07/12] hw/arm/virt: Declare fwcfg as dma cache coherent in ACPI
+Deleted patch
-From: Alexander Graf <agraf@suse.de>
-Fw-cfg recently learned how to directly access guest memory and does so in
-cache coherent fashion. Tell the guest about that fact when it's using ACPI.
-Signed-off-by: Alexander Graf <agraf@suse.de>
-Reviewed-by: Laszlo Ersek <lersek@redhat.com>
-Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
-Reviewed-by: Shannon Zhao <shannon.zhao@linaro.org>
-Message-id: 1486644810-33181-4-git-send-email-agraf@suse.de
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/arm/virt-acpi-build.c | 1 +
-file changed, 1 insertion(+)
-diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/virt-acpi-build.c
-+++ b/hw/arm/virt-acpi-build.c
-@@ -XXX,XX +XXX,XX @@ static void acpi_dsdt_add_fw_cfg(Aml *scope, const MemMapEntry *fw_cfg_memmap)
-     aml_append(dev, aml_name_decl("_HID", aml_string("QEMU0002")));
-     /* device present, functioning, decoding, not shown in UI */
-     aml_append(dev, aml_name_decl("_STA", aml_int(0xB)));
-+    aml_append(dev, aml_name_decl("_CCA", aml_int(1)));
-     Aml *crs = aml_resource_template();
-     aml_append(crs, aml_memory32_fixed(fw_cfg_memmap->base,
---
-.7.4

-[Qemu-devel] [PULL 08/12] hw/arm/virt: Declare fwcfg as dma cache coherent in dt
+Deleted patch
-From: Alexander Graf <agraf@suse.de>
-Fw-cfg recently learned how to directly access guest memory and does so in
-cache coherent fashion. Tell the guest about that fact when it's using DT.
-Signed-off-by: Alexander Graf <agraf@suse.de>
-Reviewed-by: Laszlo Ersek <lersek@redhat.com>
-Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
-Reviewed-by: Shannon Zhao <shannon.zhao@linaro.org>
-Message-id: 1486644810-33181-5-git-send-email-agraf@suse.de
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/arm/virt.c | 1 +
-file changed, 1 insertion(+)
-diff --git a/hw/arm/virt.c b/hw/arm/virt.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/virt.c
-+++ b/hw/arm/virt.c
-@@ -XXX,XX +XXX,XX @@ static FWCfgState *create_fw_cfg(const VirtMachineState *vms, AddressSpace *as)
-                             "compatible", "qemu,fw-cfg-mmio");
-     qemu_fdt_setprop_sized_cells(vms->fdt, nodename, "reg",
-, base, 2, size);
-+    qemu_fdt_setprop(vms->fdt, nodename, "dma-coherent", NULL, 0);
-     g_free(nodename);
-     return fw_cfg;
- }
---
-.7.4

-[Qemu-devel] [PULL 10/12] aspeed: remove useless comment on controller segment size
+Deleted patch
-From: Cédric Le Goater <clg@kaod.org>
-The flash devices used for the FMC controller (BMC firmware) are well
-defined for each Aspeed machine and are all smaller than the default
-mapping window size, at least for CE0 which is the chip the SoC boots
-from.
-Signed-off-by: Cédric Le Goater <clg@kaod.org>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Message-id: 1486648058-520-3-git-send-email-clg@kaod.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/arm/aspeed.c | 8 +++-----
-file changed, 3 insertions(+), 5 deletions(-)
-diff --git a/hw/arm/aspeed.c b/hw/arm/aspeed.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/aspeed.c
-+++ b/hw/arm/aspeed.c
-@@ -XXX,XX +XXX,XX @@ static void aspeed_board_init_flashes(AspeedSMCState *s, const char *flashtype,
-         DriveInfo *dinfo = drive_get_next(IF_MTD);
-         qemu_irq cs_line;
--        /*
--         * FIXME: check that we are not using a flash module exceeding
--         * the controller segment size
--         */
-         fl->flash = ssi_create_slave_no_init(s->spi, flashtype);
-         if (dinfo) {
-             qdev_prop_set_drive(fl->flash, "drive", blk_by_legacy_dinfo(dinfo),
-@@ -XXX,XX +XXX,XX @@ static void aspeed_board_init(MachineState *machine,
-         /*
-          * create a ROM region using the default mapping window size of
--         * the flash module.
-+         * the flash module. The window size is 64MB for the AST2400
-+         * SoC and 128MB for the AST2500 SoC, which is twice as big as
-+         * needed by the flash modules of the Aspeed machines.
-          */
-         memory_region_init_rom(boot_rom, OBJECT(bmc), "aspeed.boot_rom",
-                                fl->size, &error_abort);
---
-.7.4

-[Qemu-devel] [PULL 11/12] aspeed/smc: handle dummies only in fast read mode
+Deleted patch
-From: Cédric Le Goater <clg@kaod.org>
-HW works fine in normal read mode with dummy bytes being set. So let's
-check this case to not transfer bytes.
-Signed-off-by: Cédric Le Goater <clg@kaod.org>
-Message-id: 1486648058-520-4-git-send-email-clg@kaod.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/ssi/aspeed_smc.c | 9 ++++++---
-file changed, 6 insertions(+), 3 deletions(-)
-diff --git a/hw/ssi/aspeed_smc.c b/hw/ssi/aspeed_smc.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/ssi/aspeed_smc.c
-+++ b/hw/ssi/aspeed_smc.c
-@@ -XXX,XX +XXX,XX @@ static uint64_t aspeed_smc_flash_read(void *opaque, hwaddr addr, unsigned size)
-         /*
-          * Use fake transfers to model dummy bytes. The value should
-          * be configured to some non-zero value in fast read mode and
--         * zero in read mode.
-+         * zero in read mode. But, as the HW allows inconsistent
-+         * settings, let's check for fast read mode.
-          */
--        for (i = 0; i < aspeed_smc_flash_dummies(fl); i++) {
--            ssi_transfer(fl->controller->spi, 0xFF);
-+        if (aspeed_smc_flash_mode(fl) == CTRL_FREADMODE) {
-+            for (i = 0; i < aspeed_smc_flash_dummies(fl); i++) {
-+                ssi_transfer(fl->controller->spi, 0xFF);
-+            }
-         }
-         for (i = 0; i < size; i++) {
---
-.7.4

ARM queue: nothing particularly exciting here, but no
reason to sit on them for another week.

thanks
-- PMM

The following changes since commit 61eedf7aec0e2395aabd628cc055096909a3ea15:

tests/prom-env: Ease time-out problems on slow hosts (2017-02-10 15:44:53 +0000)

are available in the git repository at:

git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20170210

for you to fetch changes up to b4cc583f0285a2e1e78621dfba142f00ca47414a:

aspeed/smc: use a modulo to check segment limits (2017-02-10 17:40:30 +0000)

----------------------------------------------------------------
target-arm queue:
 * aspeed: minor fixes
 * virt: declare fwcfg and virtio-mmio as DMA coherent in DT & ACPI
 * arm: enable basic TCG emulation of PMU for AArch64

----------------------------------------------------------------
Alexander Graf (4):
      target-arm: Declare virtio-mmio as dma-coherent in dt
      hw/arm/virt: Declare virtio-mmio as dma cache coherent in ACPI
      hw/arm/virt: Declare fwcfg as dma cache coherent in ACPI
      hw/arm/virt: Declare fwcfg as dma cache coherent in dt

Cédric Le Goater (4):
      aspeed: check for negative values returned by blk_getlength()
      aspeed: remove useless comment on controller segment size
      aspeed/smc: handle dummies only in fast read mode
      aspeed/smc: use a modulo to check segment limits

Wei Huang (4):
      target-arm: Add support for PMU register PMSELR_EL0
      target-arm: Add support for AArch64 PMU register PMXEVTYPER_EL0
      target-arm: Add support for PMU register PMINTENSET_EL1
      target-arm: Enable vPMU support under TCG mode

From: Wei Huang <wei@redhat.com>

This patch adds support for AArch64 register PMSELR_EL0. The existing
PMSELR definition is revised accordingly.

Signed-off-by: Wei Huang <wei@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
[PMM: Moved #ifndef CONFIG_USER_ONLY to cover new regdefs]
Message-id: 1486504171-26807-2-git-send-email-wei@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h    |  1 +
 target/arm/helper.c | 27 +++++++++++++++++++++------
 2 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ typedef struct CPUARMState {
         uint32_t c9_pmovsr; /* perf monitor overflow status */
         uint32_t c9_pmxevtyper; /* perf monitor event type */
         uint32_t c9_pmuserenr; /* perf monitor user enable */
+        uint64_t c9_pmselr; /* perf monitor counter selection register */
         uint32_t c9_pminten; /* perf monitor interrupt enables */
         union { /* Memory attribute redirection */
             struct {
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static uint64_t pmccntr_read(CPUARMState *env, const ARMCPRegInfo *ri)
     return total_ticks - env->cp15.c15_ccnt;
 }
 
+static void pmselr_write(CPUARMState *env, const ARMCPRegInfo *ri,
+                         uint64_t value)
+{
+    /* The value of PMSELR.SEL affects the behavior of PMXEVTYPER and
+     * PMXEVCNTR. We allow [0..31] to be written to PMSELR here; in the
+     * meanwhile, we check PMSELR.SEL when PMXEVTYPER and PMXEVCNTR are
+     * accessed.
+     */
+    env->cp15.c9_pmselr = value & 0x1f;
+}
+
 static void pmccntr_write(CPUARMState *env, const ARMCPRegInfo *ri,
                         uint64_t value)
 {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v7_cp_reginfo[] = {
     /* Unimplemented so WI. */
     { .name = "PMSWINC", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 4,
       .access = PL0_W, .accessfn = pmreg_access, .type = ARM_CP_NOP },
-    /* Since we don't implement any events, writing to PMSELR is UNPREDICTABLE.
-     * We choose to RAZ/WI.
-     */
-    { .name = "PMSELR", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 5,
-      .access = PL0_RW, .type = ARM_CP_CONST, .resetvalue = 0,
-      .accessfn = pmreg_access },
 #ifndef CONFIG_USER_ONLY
+    { .name = "PMSELR", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 5,
+      .access = PL0_RW, .type = ARM_CP_ALIAS,
+      .fieldoffset = offsetoflow32(CPUARMState, cp15.c9_pmselr),
+      .accessfn = pmreg_access, .writefn = pmselr_write,
+      .raw_writefn = raw_write},
+    { .name = "PMSELR_EL0", .state = ARM_CP_STATE_AA64,
+      .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 12, .opc2 = 5,
+      .access = PL0_RW, .accessfn = pmreg_access,
+      .fieldoffset = offsetof(CPUARMState, cp15.c9_pmselr),
+      .writefn = pmselr_write, .raw_writefn = raw_write, },
     { .name = "PMCCNTR", .cp = 15, .crn = 9, .crm = 13, .opc1 = 0, .opc2 = 0,
       .access = PL0_RW, .resetvalue = 0, .type = ARM_CP_IO,
       .readfn = pmccntr_read, .writefn = pmccntr_write32,
-- 
2.7.4

From: Wei Huang <wei@redhat.com>

In order to support Linux perf, which uses PMXEVTYPER register,
this patch adds read/write access support for PMXEVTYPER. The access
is CONSTRAINED UNPREDICTABLE when PMSELR is not 0x1f. Additionally
this patch adds support for PMXEVTYPER_EL0.

Signed-off-by: Wei Huang <wei@redhat.com>
Message-id: 1486504171-26807-3-git-send-email-wei@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h    |  1 -
 target/arm/helper.c | 30 +++++++++++++++++++++++++-----
 2 files changed, 25 insertions(+), 6 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ typedef struct CPUARMState {
         uint64_t c9_pmcr; /* performance monitor control register */
         uint64_t c9_pmcnten; /* perf monitor counter enables */
         uint32_t c9_pmovsr; /* perf monitor overflow status */
-        uint32_t c9_pmxevtyper; /* perf monitor event type */
         uint32_t c9_pmuserenr; /* perf monitor user enable */
         uint64_t c9_pmselr; /* perf monitor counter selection register */
         uint32_t c9_pminten; /* perf monitor interrupt enables */
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void pmovsr_write(CPUARMState *env, const ARMCPRegInfo *ri,
 static void pmxevtyper_write(CPUARMState *env, const ARMCPRegInfo *ri,
                              uint64_t value)
 {
-    env->cp15.c9_pmxevtyper = value & 0xff;
+    /* Attempts to access PMXEVTYPER are CONSTRAINED UNPREDICTABLE when
+     * PMSELR value is equal to or greater than the number of implemented
+     * counters, but not equal to 0x1f. We opt to behave as a RAZ/WI.
+     */
+    if (env->cp15.c9_pmselr == 0x1f) {
+        pmccfiltr_write(env, ri, value);
+    }
+}
+
+static uint64_t pmxevtyper_read(CPUARMState *env, const ARMCPRegInfo *ri)
+{
+    /* We opt to behave as a RAZ/WI when attempts to access PMXEVTYPER
+     * are CONSTRAINED UNPREDICTABLE. See comments in pmxevtyper_write().
+     */
+    if (env->cp15.c9_pmselr == 0x1f) {
+        return env->cp15.pmccfiltr_el0;
+    } else {
+        return 0;
+    }
 }
 
 static void pmuserenr_write(CPUARMState *env, const ARMCPRegInfo *ri,
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v7_cp_reginfo[] = {
       .fieldoffset = offsetof(CPUARMState, cp15.pmccfiltr_el0),
       .resetvalue = 0, },
     { .name = "PMXEVTYPER", .cp = 15, .crn = 9, .crm = 13, .opc1 = 0, .opc2 = 1,
-      .access = PL0_RW,
-      .fieldoffset = offsetof(CPUARMState, cp15.c9_pmxevtyper),
-      .accessfn = pmreg_access, .writefn = pmxevtyper_write,
-      .raw_writefn = raw_write },
+      .access = PL0_RW, .type = ARM_CP_NO_RAW, .accessfn = pmreg_access,
+      .writefn = pmxevtyper_write, .readfn = pmxevtyper_read },
+    { .name = "PMXEVTYPER_EL0", .state = ARM_CP_STATE_AA64,
+      .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 13, .opc2 = 1,
+      .access = PL0_RW, .type = ARM_CP_NO_RAW, .accessfn = pmreg_access,
+      .writefn = pmxevtyper_write, .readfn = pmxevtyper_read },
     /* Unimplemented, RAZ/WI. */
     { .name = "PMXEVCNTR", .cp = 15, .crn = 9, .crm = 13, .opc1 = 0, .opc2 = 2,
       .access = PL0_RW, .type = ARM_CP_CONST, .resetvalue = 0,
-- 
2.7.4

From: Wei Huang <wei@redhat.com>

This patch adds access support for PMINTENSET_EL1.

Signed-off-by: Wei Huang <wei@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1486504171-26807-4-git-send-email-wei@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h    |  2 +-
 target/arm/helper.c | 10 +++++++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

From: Wei Huang <wei@redhat.com>

This patch contains several fixes to enable vPMU under TCG mode. It
first removes the checking of kvm_enabled() while unsetting
ARM_FEATURE_PMU. With it, the .pmu option can be used to turn on/off vPMU
under TCG mode. Secondly the PMU node of DT table is now created under TCG.
The last fix is to disable the masking of PMUver field of ID_AA64DFR0_EL1.

Signed-off-by: Wei Huang <wei@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1486504171-26807-5-git-send-email-wei@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/virt.c       | 2 +-
 target/arm/cpu.c    | 2 +-
 target/arm/helper.c | 7 +------
 3 files changed, 3 insertions(+), 8 deletions(-)

diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@ static void fdt_add_pmu_nodes(const VirtMachineState *vms)
     CPU_FOREACH(cpu) {
         armcpu = ARM_CPU(cpu);
         if (!arm_feature(&armcpu->env, ARM_FEATURE_PMU) ||
-            !kvm_arm_pmu_create(cpu, PPI(VIRTUAL_PMU_IRQ))) {
+            (kvm_enabled() && !kvm_arm_pmu_create(cpu, PPI(VIRTUAL_PMU_IRQ)))) {
             return;
         }
     }
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
         unset_feature(env, ARM_FEATURE_EL2);
     }
 
-    if (!cpu->has_pmu || !kvm_enabled()) {
+    if (!cpu->has_pmu) {
         cpu->has_pmu = false;
         unset_feature(env, ARM_FEATURE_PMU);
     }
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
             { .name = "ID_AA64DFR0_EL1", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 0,
               .access = PL1_R, .type = ARM_CP_CONST,
-              /* We mask out the PMUVer field, because we don't currently
-               * implement the PMU. Not advertising it prevents the guest
-               * from trying to use it and getting UNDEFs on registers we
-               * don't implement.
-               */
-              .resetvalue = cpu->id_aa64dfr0 & ~0xf00 },
+              .resetvalue = cpu->id_aa64dfr0 },
             { .name = "ID_AA64DFR1_EL1", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 1,
               .access = PL1_R, .type = ARM_CP_CONST,
-- 
2.7.4

From: Alexander Graf <agraf@suse.de>

QEMU emulated hardware is always dma coherent with its guest. We do
annotate that correctly on the PCI host controller, but left out
virtio-mmio.

Recent kernels have started to interpret that flag rather than take
dma coherency as granted with virtio-mmio. While that is considered
a kernel bug, as it breaks previously working systems, it showed that
our dt description is incomplete.

This patch adds the respective marker that allows guest OSs to evaluate
that our virtio-mmio devices are indeed cache coherent.

Signed-off-by: Alexander Graf <agraf@suse.de>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Message-id: 1486644810-33181-2-git-send-email-agraf@suse.de
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/vexpress.c | 1 +
 hw/arm/virt.c     | 1 +
 2 files changed, 2 insertions(+)

diff --git a/hw/arm/vexpress.c b/hw/arm/vexpress.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/vexpress.c
+++ b/hw/arm/vexpress.c
@@ -XXX,XX +XXX,XX @@ static int add_virtio_mmio_node(void *fdt, uint32_t acells, uint32_t scells,
                                        acells, addr, scells, size);
     qemu_fdt_setprop_cells(fdt, nodename, "interrupt-parent", intc);
     qemu_fdt_setprop_cells(fdt, nodename, "interrupts", 0, irq, 1);
+    qemu_fdt_setprop(fdt, nodename, "dma-coherent", NULL, 0);
     g_free(nodename);
     if (rc) {
         return -1;
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@ static void create_virtio_devices(const VirtMachineState *vms, qemu_irq *pic)
         qemu_fdt_setprop_cells(vms->fdt, nodename, "interrupts",
                                GIC_FDT_IRQ_TYPE_SPI, irq,
                                GIC_FDT_IRQ_FLAGS_EDGE_LO_HI);
+        qemu_fdt_setprop(vms->fdt, nodename, "dma-coherent", NULL, 0);
         g_free(nodename);
     }
 }
-- 
2.7.4

From: Alexander Graf <agraf@suse.de>

Virtio-mmio devices can directly access guest memory and do so in cache
coherent fashion. Tell the guest about that fact when it's using ACPI.

Signed-off-by: Alexander Graf <agraf@suse.de>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Shannon Zhao <shannon.zhao@linaro.org>
Message-id: 1486644810-33181-3-git-send-email-agraf@suse.de
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/virt-acpi-build.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt-acpi-build.c
+++ b/hw/arm/virt-acpi-build.c
@@ -XXX,XX +XXX,XX @@ static void acpi_dsdt_add_virtio(Aml *scope,
         Aml *dev = aml_device("VR%02u", i);
         aml_append(dev, aml_name_decl("_HID", aml_string("LNRO0005")));
         aml_append(dev, aml_name_decl("_UID", aml_int(i)));
+        aml_append(dev, aml_name_decl("_CCA", aml_int(1)));
 
         Aml *crs = aml_resource_template();
         aml_append(crs, aml_memory32_fixed(base, size, AML_READ_WRITE));
-- 
2.7.4

From: Alexander Graf <agraf@suse.de>

Fw-cfg recently learned how to directly access guest memory and does so in
cache coherent fashion. Tell the guest about that fact when it's using ACPI.

Signed-off-by: Alexander Graf <agraf@suse.de>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Shannon Zhao <shannon.zhao@linaro.org>
Message-id: 1486644810-33181-4-git-send-email-agraf@suse.de
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/virt-acpi-build.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt-acpi-build.c
+++ b/hw/arm/virt-acpi-build.c
@@ -XXX,XX +XXX,XX @@ static void acpi_dsdt_add_fw_cfg(Aml *scope, const MemMapEntry *fw_cfg_memmap)
     aml_append(dev, aml_name_decl("_HID", aml_string("QEMU0002")));
     /* device present, functioning, decoding, not shown in UI */
     aml_append(dev, aml_name_decl("_STA", aml_int(0xB)));
+    aml_append(dev, aml_name_decl("_CCA", aml_int(1)));
 
     Aml *crs = aml_resource_template();
     aml_append(crs, aml_memory32_fixed(fw_cfg_memmap->base,
-- 
2.7.4

From: Alexander Graf <agraf@suse.de>

Fw-cfg recently learned how to directly access guest memory and does so in
cache coherent fashion. Tell the guest about that fact when it's using DT.

Signed-off-by: Alexander Graf <agraf@suse.de>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Shannon Zhao <shannon.zhao@linaro.org>
Message-id: 1486644810-33181-5-git-send-email-agraf@suse.de
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/virt.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@ static FWCfgState *create_fw_cfg(const VirtMachineState *vms, AddressSpace *as)
                             "compatible", "qemu,fw-cfg-mmio");
     qemu_fdt_setprop_sized_cells(vms->fdt, nodename, "reg",
                                  2, base, 2, size);
+    qemu_fdt_setprop(vms->fdt, nodename, "dma-coherent", NULL, 0);
     g_free(nodename);
     return fw_cfg;
 }
-- 
2.7.4

From: Cédric Le Goater <clg@kaod.org>

write_boot_rom() does not check for negative values. This is more a
problem for coverity than the actual code as the size of the flash
device is checked when the m25p80 object is created. If there is
anything wrong with the backing file, we should not even reach that
path.

Signed-off-by: Cédric Le Goater <clg@kaod.org>
Message-id: 1486648058-520-2-git-send-email-clg@kaod.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/aspeed.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/hw/arm/aspeed.c b/hw/arm/aspeed.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/aspeed.c
+++ b/hw/arm/aspeed.c
@@ -XXX,XX +XXX,XX @@ static void write_boot_rom(DriveInfo *dinfo, hwaddr addr, size_t rom_size,
 {
     BlockBackend *blk = blk_by_legacy_dinfo(dinfo);
     uint8_t *storage;
+    int64_t size;
 
-    if (rom_size > blk_getlength(blk)) {
-        rom_size = blk_getlength(blk);
+    /* The block backend size should have already been 'validated' by
+     * the creation of the m25p80 object.
+     */
+    size = blk_getlength(blk);
+    if (size <= 0) {
+        error_setg(errp, "failed to get flash size");
+        return;
+    }
+
+    if (rom_size > size) {
+        rom_size = size;
     }
 
     storage = g_new0(uint8_t, rom_size);
-- 
2.7.4

From: Cédric Le Goater <clg@kaod.org>

The flash devices used for the FMC controller (BMC firmware) are well
defined for each Aspeed machine and are all smaller than the default
mapping window size, at least for CE0 which is the chip the SoC boots
from.

Signed-off-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 1486648058-520-3-git-send-email-clg@kaod.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/aspeed.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/hw/arm/aspeed.c b/hw/arm/aspeed.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/aspeed.c
+++ b/hw/arm/aspeed.c
@@ -XXX,XX +XXX,XX @@ static void aspeed_board_init_flashes(AspeedSMCState *s, const char *flashtype,
         DriveInfo *dinfo = drive_get_next(IF_MTD);
         qemu_irq cs_line;
 
-        /*
-         * FIXME: check that we are not using a flash module exceeding
-         * the controller segment size
-         */
         fl->flash = ssi_create_slave_no_init(s->spi, flashtype);
         if (dinfo) {
             qdev_prop_set_drive(fl->flash, "drive", blk_by_legacy_dinfo(dinfo),
@@ -XXX,XX +XXX,XX @@ static void aspeed_board_init(MachineState *machine,
 
         /*
          * create a ROM region using the default mapping window size of
-         * the flash module.
+         * the flash module. The window size is 64MB for the AST2400
+         * SoC and 128MB for the AST2500 SoC, which is twice as big as
+         * needed by the flash modules of the Aspeed machines.
          */
         memory_region_init_rom(boot_rom, OBJECT(bmc), "aspeed.boot_rom",
                                fl->size, &error_abort);
-- 
2.7.4

From: Cédric Le Goater <clg@kaod.org>

HW works fine in normal read mode with dummy bytes being set. So let's
check this case to not transfer bytes.

Signed-off-by: Cédric Le Goater <clg@kaod.org>
Message-id: 1486648058-520-4-git-send-email-clg@kaod.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/ssi/aspeed_smc.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/hw/ssi/aspeed_smc.c b/hw/ssi/aspeed_smc.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/ssi/aspeed_smc.c
+++ b/hw/ssi/aspeed_smc.c
@@ -XXX,XX +XXX,XX @@ static uint64_t aspeed_smc_flash_read(void *opaque, hwaddr addr, unsigned size)
         /*
          * Use fake transfers to model dummy bytes. The value should
          * be configured to some non-zero value in fast read mode and
-         * zero in read mode.
+         * zero in read mode. But, as the HW allows inconsistent
+         * settings, let's check for fast read mode.
          */
-        for (i = 0; i < aspeed_smc_flash_dummies(fl); i++) {
-            ssi_transfer(fl->controller->spi, 0xFF);
+        if (aspeed_smc_flash_mode(fl) == CTRL_FREADMODE) {
+            for (i = 0; i < aspeed_smc_flash_dummies(fl); i++) {
+                ssi_transfer(fl->controller->spi, 0xFF);
+            }
         }
 
         for (i = 0; i < size; i++) {
-- 
2.7.4

From: Cédric Le Goater <clg@kaod.org>

The size of a segment is not necessarily a power of 2.

Signed-off-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 1486648058-520-5-git-send-email-clg@kaod.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/ssi/aspeed_smc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/ssi/aspeed_smc.c b/hw/ssi/aspeed_smc.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/ssi/aspeed_smc.c
+++ b/hw/ssi/aspeed_smc.c
@@ -XXX,XX +XXX,XX @@ static uint32_t aspeed_smc_check_segment_addr(const AspeedSMCFlash *fl,
     AspeedSegments seg;
 
     aspeed_smc_reg_to_segment(s->regs[R_SEG_ADDR0 + fl->id], &seg);
-    if ((addr & (seg.size - 1)) != addr) {
+    if ((addr % seg.size) != addr) {
         qemu_log_mask(LOG_GUEST_ERROR,
                       "%s: invalid address 0x%08x for CS%d segment : "
                       "[ 0x%"HWADDR_PRIx" - 0x%"HWADDR_PRIx" ]\n",
                       s->ctrl->name, addr, fl->id, seg.addr,
                       seg.addr + seg.size);
+        addr %= seg.size;
     }
 
-    addr &= seg.size - 1;
     return addr;
 }
 
-- 
2.7.4

Arm patches for rc3 : just a handful of bug fixes.

thanks
-- PMM

The following changes since commit 4ecc984210ca1bf508a96a550ec8a93a5f833f6c:

Merge remote-tracking branch 'remotes/palmer/tags/riscv-for-master-4.2-rc3' into staging (2019-11-26 12:36:40 +0000)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20191126

for you to fetch changes up to 6a4ef4e5d1084ce41fafa7d470a644b0fd3d9317:

target/arm: Honor HCR_EL2.TID3 trapping requirements (2019-11-26 13:55:37 +0000)

----------------------------------------------------------------
target-arm queue:
 * handle FTYPE flag correctly in v7M exception return
   for v7M CPUs with an FPU (v8M CPUs were already correct)
 * versal: Add the CRP as unimplemented
 * Fix ISR_EL1 tracking when executing at EL2
 * Honor HCR_EL2.TID3 trapping requirements

----------------------------------------------------------------
Edgar E. Iglesias (1):
      hw/arm: versal: Add the CRP as unimplemented

Jean-Hugues Deschênes (1):
      target/arm: Fix handling of cortex-m FTYPE flag in EXCRET

Marc Zyngier (2):
      target/arm: Fix ISR_EL1 tracking when executing at EL2
      target/arm: Honor HCR_EL2.TID3 trapping requirements

include/hw/arm/xlnx-versal.h |  3 ++
 hw/arm/xlnx-versal.c         |  2 ++
 target/arm/helper.c          | 83 ++++++++++++++++++++++++++++++++++++++++++--
 target/arm/m_helper.c        |  7 ++--
 4 files changed, 89 insertions(+), 6 deletions(-)

From: Jean-Hugues Deschênes <Jean-Hugues.Deschenes@ossiaco.com>

According to the PushStack() pseudocode in the armv7m RM,
bit 4 of the LR should be set to NOT(CONTROL.PFCA) when
an FPU is present. Current implementation is doing it for
armv8, but not for armv7. This patch makes the existing
logic applicable to both code paths.

Signed-off-by: Jean-Hugues Deschenes <jean-hugues.deschenes@ossiaco.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/m_helper.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/target/arm/m_helper.c b/target/arm/m_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/m_helper.c
+++ b/target/arm/m_helper.c
@@ -XXX,XX +XXX,XX @@ void arm_v7m_cpu_do_interrupt(CPUState *cs)
         if (env->v7m.secure) {
             lr |= R_V7M_EXCRET_S_MASK;
         }
-        if (!(env->v7m.control[M_REG_S] & R_V7M_CONTROL_FPCA_MASK)) {
-            lr |= R_V7M_EXCRET_FTYPE_MASK;
-        }
     } else {
         lr = R_V7M_EXCRET_RES1_MASK |
             R_V7M_EXCRET_S_MASK |
             R_V7M_EXCRET_DCRS_MASK |
-            R_V7M_EXCRET_FTYPE_MASK |
             R_V7M_EXCRET_ES_MASK;
         if (env->v7m.control[M_REG_NS] & R_V7M_CONTROL_SPSEL_MASK) {
             lr |= R_V7M_EXCRET_SPSEL_MASK;
         }
     }
+    if (!(env->v7m.control[M_REG_S] & R_V7M_CONTROL_FPCA_MASK)) {
+        lr |= R_V7M_EXCRET_FTYPE_MASK;
+    }
     if (!arm_v7m_is_handler_mode(env)) {
         lr |= R_V7M_EXCRET_MODE_MASK;
     }
-- 
2.20.1

From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>

Add the CRP as unimplemented thus avoiding bus errors when
guests access these registers.

Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Luc Michel <luc.michel@greensocs.com>
Message-id: 20191115154734.26449-2-edgar.iglesias@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/arm/xlnx-versal.h | 3 +++
 hw/arm/xlnx-versal.c         | 2 ++
 2 files changed, 5 insertions(+)

diff --git a/include/hw/arm/xlnx-versal.h b/include/hw/arm/xlnx-versal.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/xlnx-versal.h
+++ b/include/hw/arm/xlnx-versal.h
@@ -XXX,XX +XXX,XX @@ typedef struct Versal {
 #define MM_IOU_SCNTRS_SIZE          0x10000
 #define MM_FPD_CRF                  0xfd1a0000U
 #define MM_FPD_CRF_SIZE             0x140000
+
+#define MM_PMC_CRP                  0xf1260000U
+#define MM_PMC_CRP_SIZE             0x10000
 #endif
diff --git a/hw/arm/xlnx-versal.c b/hw/arm/xlnx-versal.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/xlnx-versal.c
+++ b/hw/arm/xlnx-versal.c
@@ -XXX,XX +XXX,XX @@ static void versal_unimp(Versal *s)
                         MM_CRL, MM_CRL_SIZE);
     versal_unimp_area(s, "crf", &s->mr_ps,
                         MM_FPD_CRF, MM_FPD_CRF_SIZE);
+    versal_unimp_area(s, "crp", &s->mr_ps,
+                        MM_PMC_CRP, MM_PMC_CRP_SIZE);
     versal_unimp_area(s, "iou-scntr", &s->mr_ps,
                         MM_IOU_SCNTR, MM_IOU_SCNTR_SIZE);
     versal_unimp_area(s, "iou-scntr-seucre", &s->mr_ps,
-- 
2.20.1

From: Marc Zyngier <maz@kernel.org>

The ARMv8 ARM states when executing at EL2, EL3 or Secure EL1,
ISR_EL1 shows the pending status of the physical IRQ, FIQ, or
SError interrupts.

Unfortunately, QEMU's implementation only considers the HCR_EL2
bits, and ignores the current exception level. This means a hypervisor
trying to look at its own interrupt state actually sees the guest
state, which is unexpected and breaks KVM as of Linux 5.3.

Instead, check for the running EL and return the physical bits
if not running in a virtualized context.

Fixes: 636540e9c40b
Cc: qemu-stable@nongnu.org
Reported-by: Quentin Perret <qperret@google.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Message-id: 20191122135833.28953-1-maz@kernel.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static uint64_t isr_read(CPUARMState *env, const ARMCPRegInfo *ri)
     CPUState *cs = env_cpu(env);
     uint64_t hcr_el2 = arm_hcr_el2_eff(env);
     uint64_t ret = 0;
+    bool allow_virt = (arm_current_el(env) == 1 &&
+                       (!arm_is_secure_below_el3(env) ||
+                        (env->cp15.scr_el3 & SCR_EEL2)));
 
-    if (hcr_el2 & HCR_IMO) {
+    if (allow_virt && (hcr_el2 & HCR_IMO)) {
         if (cs->interrupt_request & CPU_INTERRUPT_VIRQ) {
             ret |= CPSR_I;
         }
@@ -XXX,XX +XXX,XX @@ static uint64_t isr_read(CPUARMState *env, const ARMCPRegInfo *ri)
         }
     }
 
-    if (hcr_el2 & HCR_FMO) {
+    if (allow_virt && (hcr_el2 & HCR_FMO)) {
         if (cs->interrupt_request & CPU_INTERRUPT_VFIQ) {
             ret |= CPSR_F;
         }
-- 
2.20.1

From: Marc Zyngier <maz@kernel.org>

HCR_EL2.TID3 mandates that access from EL1 to a long list of id
registers traps to EL2, and QEMU has so far ignored this requirement.

This breaks (among other things) KVM guests that have PtrAuth enabled,
while the hypervisor doesn't want to expose the feature to its guest.
To achieve this, KVM traps the ID registers (ID_AA64ISAR1_EL1 in this
case), and masks out the unsupported feature.

QEMU not honoring the trap request means that the guest observes
that the feature is present in the HW, starts using it, and dies
a horrible death when KVM injects an UNDEF, because the feature
*really* isn't supported.

Do the right thing by trapping to EL2 if HCR_EL2.TID3 is set.

Note that this change does not include trapping of the MVFR
registers from AArch32 (they are accessed via the VMRS
instruction and need to be handled in a different way).

Reported-by: Will Deacon <will@kernel.org>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Tested-by: Will Deacon <will@kernel.org>
Message-id: 20191123115618.29230-1-maz@kernel.org
[PMM: added missing accessfn line for ID_AA4PFR2_EL1_RESERVED;
 changed names of access functions to include _tid3]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 76 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 76 insertions(+)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo predinv_reginfo[] = {
     REGINFO_SENTINEL
 };
 
+static CPAccessResult access_aa64_tid3(CPUARMState *env, const ARMCPRegInfo *ri,
+                                       bool isread)
+{
+    if ((arm_current_el(env) < 2) && (arm_hcr_el2_eff(env) & HCR_TID3)) {
+        return CP_ACCESS_TRAP_EL2;
+    }
+
+    return CP_ACCESS_OK;
+}
+
+static CPAccessResult access_aa32_tid3(CPUARMState *env, const ARMCPRegInfo *ri,
+                                       bool isread)
+{
+    if (arm_feature(env, ARM_FEATURE_V8)) {
+        return access_aa64_tid3(env, ri, isread);
+    }
+
+    return CP_ACCESS_OK;
+}
+
 void register_cp_regs_for_features(ARMCPU *cpu)
 {
     /* Register all the coprocessor registers based on feature bits */
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
             { .name = "ID_PFR0", .state = ARM_CP_STATE_BOTH,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 0,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa32_tid3,
               .resetvalue = cpu->id_pfr0 },
             /* ID_PFR1 is not a plain ARM_CP_CONST because we don't know
              * the value of the GIC field until after we define these regs.
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
             { .name = "ID_PFR1", .state = ARM_CP_STATE_BOTH,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 1,
               .access = PL1_R, .type = ARM_CP_NO_RAW,
+              .accessfn = access_aa32_tid3,
               .readfn = id_pfr1_read,
               .writefn = arm_cp_write_ignore },
             { .name = "ID_DFR0", .state = ARM_CP_STATE_BOTH,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 2,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa32_tid3,
               .resetvalue = cpu->id_dfr0 },
             { .name = "ID_AFR0", .state = ARM_CP_STATE_BOTH,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 3,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa32_tid3,
               .resetvalue = cpu->id_afr0 },
             { .name = "ID_MMFR0", .state = ARM_CP_STATE_BOTH,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 4,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa32_tid3,
               .resetvalue = cpu->id_mmfr0 },
             { .name = "ID_MMFR1", .state = ARM_CP_STATE_BOTH,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 5,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa32_tid3,
               .resetvalue = cpu->id_mmfr1 },
             { .name = "ID_MMFR2", .state = ARM_CP_STATE_BOTH,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 6,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa32_tid3,
               .resetvalue = cpu->id_mmfr2 },
             { .name = "ID_MMFR3", .state = ARM_CP_STATE_BOTH,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 7,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa32_tid3,
               .resetvalue = cpu->id_mmfr3 },
             { .name = "ID_ISAR0", .state = ARM_CP_STATE_BOTH,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 0,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa32_tid3,
               .resetvalue = cpu->isar.id_isar0 },
             { .name = "ID_ISAR1", .state = ARM_CP_STATE_BOTH,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 1,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa32_tid3,
               .resetvalue = cpu->isar.id_isar1 },
             { .name = "ID_ISAR2", .state = ARM_CP_STATE_BOTH,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 2,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa32_tid3,
               .resetvalue = cpu->isar.id_isar2 },
             { .name = "ID_ISAR3", .state = ARM_CP_STATE_BOTH,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 3,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa32_tid3,
               .resetvalue = cpu->isar.id_isar3 },
             { .name = "ID_ISAR4", .state = ARM_CP_STATE_BOTH,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 4,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa32_tid3,
               .resetvalue = cpu->isar.id_isar4 },
             { .name = "ID_ISAR5", .state = ARM_CP_STATE_BOTH,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 5,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa32_tid3,
               .resetvalue = cpu->isar.id_isar5 },
             { .name = "ID_MMFR4", .state = ARM_CP_STATE_BOTH,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 6,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa32_tid3,
               .resetvalue = cpu->id_mmfr4 },
             { .name = "ID_ISAR6", .state = ARM_CP_STATE_BOTH,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 7,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa32_tid3,
               .resetvalue = cpu->isar.id_isar6 },
             REGINFO_SENTINEL
         };
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
             { .name = "ID_AA64PFR0_EL1", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 4, .opc2 = 0,
               .access = PL1_R, .type = ARM_CP_NO_RAW,
+              .accessfn = access_aa64_tid3,
               .readfn = id_aa64pfr0_read,
               .writefn = arm_cp_write_ignore },
             { .name = "ID_AA64PFR1_EL1", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 4, .opc2 = 1,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa64_tid3,
               .resetvalue = cpu->isar.id_aa64pfr1},
             { .name = "ID_AA64PFR2_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 4, .opc2 = 2,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa64_tid3,
               .resetvalue = 0 },
             { .name = "ID_AA64PFR3_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 4, .opc2 = 3,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa64_tid3,
               .resetvalue = 0 },
             { .name = "ID_AA64ZFR0_EL1", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 4, .opc2 = 4,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa64_tid3,
               /* At present, only SVEver == 0 is defined anyway.  */
               .resetvalue = 0 },
             { .name = "ID_AA64PFR5_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 4, .opc2 = 5,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa64_tid3,
               .resetvalue = 0 },
             { .name = "ID_AA64PFR6_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 4, .opc2 = 6,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa64_tid3,
               .resetvalue = 0 },
             { .name = "ID_AA64PFR7_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 4, .opc2 = 7,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa64_tid3,
               .resetvalue = 0 },
             { .name = "ID_AA64DFR0_EL1", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 0,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa64_tid3,
               .resetvalue = cpu->id_aa64dfr0 },
             { .name = "ID_AA64DFR1_EL1", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 1,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa64_tid3,
               .resetvalue = cpu->id_aa64dfr1 },
             { .name = "ID_AA64DFR2_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 2,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa64_tid3,
               .resetvalue = 0 },
             { .name = "ID_AA64DFR3_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 3,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa64_tid3,
               .resetvalue = 0 },
             { .name = "ID_AA64AFR0_EL1", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 4,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa64_tid3,
               .resetvalue = cpu->id_aa64afr0 },
             { .name = "ID_AA64AFR1_EL1", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 5,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa64_tid3,
               .resetvalue = cpu->id_aa64afr1 },
             { .name = "ID_AA64AFR2_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 6,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa64_tid3,
               .resetvalue = 0 },
             { .name = "ID_AA64AFR3_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 7,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa64_tid3,
               .resetvalue = 0 },
             { .name = "ID_AA64ISAR0_EL1", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 6, .opc2 = 0,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa64_tid3,
               .resetvalue = cpu->isar.id_aa64isar0 },
             { .name = "ID_AA64ISAR1_EL1", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 6, .opc2 = 1,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa64_tid3,
               .resetvalue = cpu->isar.id_aa64isar1 },
             { .name = "ID_AA64ISAR2_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 6, .opc2 = 2,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa64_tid3,
               .resetvalue = 0 },
             { .name = "ID_AA64ISAR3_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 6, .opc2 = 3,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa64_tid3,
               .resetvalue = 0 },
             { .name = "ID_AA64ISAR4_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 6, .opc2 = 4,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa64_tid3,
               .resetvalue = 0 },
             { .name = "ID_AA64ISAR5_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 6, .opc2 = 5,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa64_tid3,
               .resetvalue = 0 },
             { .name = "ID_AA64ISAR6_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 6, .opc2 = 6,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa64_tid3,
               .resetvalue = 0 },
             { .name = "ID_AA64ISAR7_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 6, .opc2 = 7,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa64_tid3,
               .resetvalue = 0 },
             { .name = "ID_AA64MMFR0_EL1", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 0,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa64_tid3,
               .resetvalue = cpu->isar.id_aa64mmfr0 },
             { .name = "ID_AA64MMFR1_EL1", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 1,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa64_tid3,
               .resetvalue = cpu->isar.id_aa64mmfr1 },
             { .name = "ID_AA64MMFR2_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 2,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa64_tid3,
               .resetvalue = 0 },
             { .name = "ID_AA64MMFR3_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 3,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa64_tid3,
               .resetvalue = 0 },
             { .name = "ID_AA64MMFR4_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 4,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa64_tid3,
               .resetvalue = 0 },
             { .name = "ID_AA64MMFR5_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 5,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa64_tid3,
               .resetvalue = 0 },
             { .name = "ID_AA64MMFR6_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 6,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa64_tid3,
               .resetvalue = 0 },
             { .name = "ID_AA64MMFR7_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 7,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa64_tid3,
               .resetvalue = 0 },
             { .name = "MVFR0_EL1", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 0,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa64_tid3,
               .resetvalue = cpu->isar.mvfr0 },
             { .name = "MVFR1_EL1", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 1,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa64_tid3,
               .resetvalue = cpu->isar.mvfr1 },
             { .name = "MVFR2_EL1", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 2,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa64_tid3,
               .resetvalue = cpu->isar.mvfr2 },
             { .name = "MVFR3_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 3,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa64_tid3,
               .resetvalue = 0 },
             { .name = "MVFR4_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 4,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa64_tid3,
               .resetvalue = 0 },
             { .name = "MVFR5_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 5,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa64_tid3,
               .resetvalue = 0 },
             { .name = "MVFR6_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 6,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa64_tid3,
               .resetvalue = 0 },
             { .name = "MVFR7_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 7,
               .access = PL1_R, .type = ARM_CP_CONST,
+              .accessfn = access_aa64_tid3,
               .resetvalue = 0 },
             { .name = "PMCEID0", .state = ARM_CP_STATE_AA32,
               .cp = 15, .opc1 = 0, .crn = 9, .crm = 12, .opc2 = 6,
-- 
2.20.1