Series comparison

-[Qemu-devel] [PULL 00/12] target-arm queue
+[PULL 00/30] target-arm queue
-ARM queue: nothing particularly exciting here, but no
+Hi; here's this week's arm pullreq. Mostly this is my
-reason to sit on them for another week.
+work on FEAT_MOPS and FEAT_HBC, but there are some
 other bits and pieces in there too, including a recent
 set of elf2dmp patches.
 thanks
 -- PMM
-The following changes since commit 61eedf7aec0e2395aabd628cc055096909a3ea15:
+The following changes since commit 55394dcbec8f0c29c30e792c102a0edd50a52bf4:
-  tests/prom-env: Ease time-out problems on slow hosts (2017-02-10 15:44:53 +0000)
+  Merge tag 'pull-loongarch-20230920' of https://gitlab.com/gaosong/qemu into staging (2023-09-20 13:56:18 -0400)
-are available in the git repository at:
+are available in the Git repository at:
-  git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20170210
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20230921
-for you to fetch changes up to b4cc583f0285a2e1e78621dfba142f00ca47414a:
+for you to fetch changes up to 231f6a7d66254a58bedbee458591b780e0a507b1:
-  aspeed/smc: use a modulo to check segment limits (2017-02-10 17:40:30 +0000)
+  elf2dmp: rework PDB_STREAM_INDEXES::segments obtaining (2023-09-21 16:13:54 +0100)
 ----------------------------------------------------------------
 target-arm queue:
- * aspeed: minor fixes
+ * target/m68k: Add URL to semihosting spec
- * virt: declare fwcfg and virtio-mmio as DMA coherent in DT & ACPI
+ * docs/devel/loads-stores: Fix git grep regexes
- * arm: enable basic TCG emulation of PMU for AArch64
+ * hw/arm/boot: Set SCR_EL3.FGTEn when booting kernel
  * linux-user: Correct SME feature names reported in cpuinfo
  * linux-user: Add missing arm32 hwcaps
  * Don't skip MTE checks for LDRT/STRT at EL0
  * Implement FEAT_HBC
  * Implement FEAT_MOPS
  * audio/jackaudio: Avoid dynamic stack allocation
  * sbsa-ref: add non-secure EL2 virtual timer
  * elf2dmp: improve Win2022, Win11 and large dumps
 ----------------------------------------------------------------
-Alexander Graf (4):
+Fabian Vogt (1):
-      target-arm: Declare virtio-mmio as dma-coherent in dt
+      hw/arm/boot: Set SCR_EL3.FGTEn when booting kernel
       hw/arm/virt: Declare virtio-mmio as dma cache coherent in ACPI
       hw/arm/virt: Declare fwcfg as dma cache coherent in ACPI
       hw/arm/virt: Declare fwcfg as dma cache coherent in dt
-Cédric Le Goater (4):
+Marcin Juszkiewicz (1):
-      aspeed: check for negative values returned by blk_getlength()
+      sbsa-ref: add non-secure EL2 virtual timer
       aspeed: remove useless comment on controller segment size
       aspeed/smc: handle dummies only in fast read mode
       aspeed/smc: use a modulo to check segment limits
-Wei Huang (4):
+Peter Maydell (23):
-      target-arm: Add support for PMU register PMSELR_EL0
+      target/m68k: Add URL to semihosting spec
-      target-arm: Add support for AArch64 PMU register PMXEVTYPER_EL0
+      docs/devel/loads-stores: Fix git grep regexes
-      target-arm: Add support for PMU register PMINTENSET_EL1
+      linux-user/elfload.c: Correct SME feature names reported in cpuinfo
-      target-arm: Enable vPMU support under TCG mode
+      linux-user/elfload.c: Add missing arm and arm64 hwcap values
       linux-user/elfload.c: Report previously missing arm32 hwcaps
       target/arm: Update AArch64 ID register field definitions
       target/arm: Update user-mode ID reg mask values
       target/arm: Implement FEAT_HBC
       target/arm: Remove unused allocation_tag_mem() argument
       target/arm: Don't skip MTE checks for LDRT/STRT at EL0
       target/arm: Implement FEAT_MOPS enable bits
       target/arm: Pass unpriv bool to get_a64_user_mem_index()
       target/arm: Define syndrome function for MOPS exceptions
       target/arm: New function allocation_tag_mem_probe()
       target/arm: Implement MTE tag-checking functions for FEAT_MOPS
       target/arm: Implement the SET* instructions
       target/arm: Define new TB flag for ATA0
       target/arm: Implement the SETG* instructions
       target/arm: Implement MTE tag-checking functions for FEAT_MOPS copies
       target/arm: Implement the CPY* instructions
       target/arm: Enable FEAT_MOPS for CPU 'max'
       audio/jackaudio: Avoid dynamic stack allocation in qjack_client_init
       audio/jackaudio: Avoid dynamic stack allocation in qjack_process()
- target/arm/cpu.h         |  4 +--
+Viktor Prutyanov (5):
- hw/arm/aspeed.c          | 22 +++++++++-----
+      elf2dmp: replace PE export name check with PDB name check
- hw/arm/vexpress.c        |  1 +
+      elf2dmp: introduce physical block alignment
- hw/arm/virt-acpi-build.c |  2 ++
+      elf2dmp: introduce merging of physical memory runs
- hw/arm/virt.c            |  4 ++-
+      elf2dmp: use Linux mmap with MAP_NORESERVE when possible
- hw/ssi/aspeed_smc.c      | 13 +++++----
+      elf2dmp: rework PDB_STREAM_INDEXES::segments obtaining
  target/arm/cpu.c         |  2 +-
  target/arm/helper.c      | 74 ++++++++++++++++++++++++++++++++++++------------
 files changed, 88 insertions(+), 34 deletions(-)
+ docs/devel/loads-stores.rst    |  40 +-
+ docs/system/arm/emulation.rst  |   2 +
+ contrib/elf2dmp/addrspace.h    |   1 +
+ contrib/elf2dmp/pdb.h          |   2 +-
+ contrib/elf2dmp/qemu_elf.h     |   2 +
+ target/arm/cpu.h               |  35 ++
+ target/arm/internals.h         |  55 +++
+ target/arm/syndrome.h          |  12 +
+ target/arm/tcg/helper-a64.h    |  14 +
+ target/arm/tcg/translate.h     |   4 +-
+ target/arm/tcg/a64.decode      |  38 +-
+ audio/jackaudio.c              |  21 +-
+ contrib/elf2dmp/addrspace.c    |  31 +-
+ contrib/elf2dmp/main.c         | 154 ++++----
+ contrib/elf2dmp/pdb.c          |  15 +-
+ contrib/elf2dmp/qemu_elf.c     |  68 +++-
+ hw/arm/boot.c                  |   4 +
+ hw/arm/sbsa-ref.c              |   2 +
+ linux-user/elfload.c           |  72 +++-
+ target/arm/helper.c            |  39 +-
+ target/arm/tcg/cpu64.c         |   5 +
+ target/arm/tcg/helper-a64.c    | 878 +++++++++++++++++++++++++++++++++++++++++
+ target/arm/tcg/hflags.c        |  21 +
+ target/arm/tcg/mte_helper.c    | 281 +++++++++++--
+ target/arm/tcg/translate-a64.c | 164 +++++++-
+ target/m68k/m68k-semi.c        |   4 +
+ tests/tcg/aarch64/sysregs.c    |   4 +-
+files changed, 1768 insertions(+), 200 deletions(-)

-New patch
+[PULL 01/30] target/m68k: Add URL to semihosting spec
+The spec for m68k semihosting is documented in the libgloss
+sources. Add a comment with the URL for it, as we already
+have for nios2 semihosting.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Message-id: 20230801154451.3505492-1-peter.maydell@linaro.org
+---
+ target/m68k/m68k-semi.c | 4 ++++
+file changed, 4 insertions(+)
+diff --git a/target/m68k/m68k-semi.c b/target/m68k/m68k-semi.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/m68k/m68k-semi.c
++++ b/target/m68k/m68k-semi.c
+@@ -XXX,XX +XXX,XX @@
+  *
+  *  You should have received a copy of the GNU General Public License
+  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
++ *
++ *  The semihosting protocol implemented here is described in the
++ *  libgloss sources:
++ *  https://sourceware.org/git/?p=newlib-cygwin.git;a=blob;f=libgloss/m68k/m68k-semi.txt;hb=HEAD
+  */
+ #include "qemu/osdep.h"
+--
+.34.1

-New patch
+[PULL 02/30] docs/devel/loads-stores: Fix git grep regexes
+The loads-and-stores documentation includes git grep regexes to find
+occurrences of the various functions.  Some of these regexes have
+errors, typically failing to escape the '?', '(' and ')' when they
+should be metacharacters (since these are POSIX basic REs). We also
+weren't consistent about whether to have a ':' on the end of the
+line introducing the list of regexes in each section.
+Fix the errors.
+The following shell rune will complain about any REs in the
+file which don't have any matches in the codebase:
+ for re in $(sed -ne 's/ - ``\(\\<.*\)``/\1/p' docs/devel/loads-stores.rst); do git grep -q "$re" || echo "no matches for re $re"; done
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Message-id: 20230904161703.3996734-1-peter.maydell@linaro.org
+---
+ docs/devel/loads-stores.rst | 40 ++++++++++++++++++-------------------
+file changed, 20 insertions(+), 20 deletions(-)
+diff --git a/docs/devel/loads-stores.rst b/docs/devel/loads-stores.rst
+index XXXXXXX..XXXXXXX 100644
+--- a/docs/devel/loads-stores.rst
++++ b/docs/devel/loads-stores.rst
+@@ -XXX,XX +XXX,XX @@ which stores ``val`` to ``ptr`` as an ``{endian}`` order value
+ of size ``sz`` bytes.
+-Regexes for git grep
++Regexes for git grep:
+  - ``\<ld[us]\?[bwlq]\(_[hbl]e\)\?_p\>``
+  - ``\<st[bwlq]\(_[hbl]e\)\?_p\>``
+  - ``\<st24\(_[hbl]e\)\?_p\>``
+- - ``\<ldn_\([hbl]e\)?_p\>``
+- - ``\<stn_\([hbl]e\)?_p\>``
++ - ``\<ldn_\([hbl]e\)\?_p\>``
++ - ``\<stn_\([hbl]e\)\?_p\>``
+ ``cpu_{ld,st}*_mmu``
+ ~~~~~~~~~~~~~~~~~~~~
+@@ -XXX,XX +XXX,XX @@ store: ``cpu_st{size}{end}_mmu(env, ptr, val, oi, retaddr)``
+  - ``_le`` : little endian
+ Regexes for git grep:
+- - ``\<cpu_ld[bwlq](_[bl]e)\?_mmu\>``
+- - ``\<cpu_st[bwlq](_[bl]e)\?_mmu\>``
++ - ``\<cpu_ld[bwlq]\(_[bl]e\)\?_mmu\>``
++ - ``\<cpu_st[bwlq]\(_[bl]e\)\?_mmu\>``
+ ``cpu_{ld,st}*_mmuidx_ra``
+@@ -XXX,XX +XXX,XX @@ store: ``cpu_st{size}{end}_mmuidx_ra(env, ptr, val, mmuidx, retaddr)``
+  - ``_le`` : little endian
+ Regexes for git grep:
+- - ``\<cpu_ld[us]\?[bwlq](_[bl]e)\?_mmuidx_ra\>``
+- - ``\<cpu_st[bwlq](_[bl]e)\?_mmuidx_ra\>``
++ - ``\<cpu_ld[us]\?[bwlq]\(_[bl]e\)\?_mmuidx_ra\>``
++ - ``\<cpu_st[bwlq]\(_[bl]e\)\?_mmuidx_ra\>``
+ ``cpu_{ld,st}*_data_ra``
+ ~~~~~~~~~~~~~~~~~~~~~~~~
+@@ -XXX,XX +XXX,XX @@ store: ``cpu_st{size}{end}_data_ra(env, ptr, val, ra)``
+  - ``_le`` : little endian
+ Regexes for git grep:
+- - ``\<cpu_ld[us]\?[bwlq](_[bl]e)\?_data_ra\>``
+- - ``\<cpu_st[bwlq](_[bl]e)\?_data_ra\>``
++ - ``\<cpu_ld[us]\?[bwlq]\(_[bl]e\)\?_data_ra\>``
++ - ``\<cpu_st[bwlq]\(_[bl]e\)\?_data_ra\>``
+ ``cpu_{ld,st}*_data``
+ ~~~~~~~~~~~~~~~~~~~~~
+@@ -XXX,XX +XXX,XX @@ store: ``cpu_st{size}{end}_data(env, ptr, val)``
+  - ``_be`` : big endian
+  - ``_le`` : little endian
+-Regexes for git grep
+- - ``\<cpu_ld[us]\?[bwlq](_[bl]e)\?_data\>``
+- - ``\<cpu_st[bwlq](_[bl]e)\?_data\+\>``
++Regexes for git grep:
++ - ``\<cpu_ld[us]\?[bwlq]\(_[bl]e\)\?_data\>``
++ - ``\<cpu_st[bwlq]\(_[bl]e\)\?_data\+\>``
+ ``cpu_ld*_code``
+ ~~~~~~~~~~~~~~~~
+@@ -XXX,XX +XXX,XX @@ swap: ``translator_ld{sign}{size}_swap(env, ptr, swap)``
+  - ``l`` : 32 bits
+  - ``q`` : 64 bits
+-Regexes for git grep
++Regexes for git grep:
+  - ``\<translator_ld[us]\?[bwlq]\(_swap\)\?\>``
+ ``helper_{ld,st}*_mmu``
+@@ -XXX,XX +XXX,XX @@ store: ``helper_{size}_mmu(env, addr, val, opindex, retaddr)``
+  - ``l`` : 32 bits
+  - ``q`` : 64 bits
+-Regexes for git grep
++Regexes for git grep:
+  - ``\<helper_ld[us]\?[bwlq]_mmu\>``
+  - ``\<helper_st[bwlq]_mmu\>``
+@@ -XXX,XX +XXX,XX @@ succeeded using a MemTxResult return code.
+ The ``_{endian}`` suffix is omitted for byte accesses.
+-Regexes for git grep
++Regexes for git grep:
+  - ``\<address_space_\(read\|write\|rw\)\>``
+  - ``\<address_space_ldu\?[bwql]\(_[lb]e\)\?\>``
+  - ``\<address_space_st[bwql]\(_[lb]e\)\?\>``
+@@ -XXX,XX +XXX,XX @@ Note that portions of the write which attempt to write data to a
+ device will be silently ignored -- only real RAM and ROM will
+ be written to.
+-Regexes for git grep
++Regexes for git grep:
+  - ``address_space_write_rom``
+ ``{ld,st}*_phys``
+@@ -XXX,XX +XXX,XX @@ device doing the access has no way to report such an error.
+ The ``_{endian}_`` infix is omitted for byte accesses.
+-Regexes for git grep
++Regexes for git grep:
+  - ``\<ldu\?[bwlq]\(_[bl]e\)\?_phys\>``
+  - ``\<st[bwlq]\(_[bl]e\)\?_phys\>``
+@@ -XXX,XX +XXX,XX @@ For new code they are better avoided:
+ ``cpu_physical_memory_rw``
+-Regexes for git grep
++Regexes for git grep:
+  - ``\<cpu_physical_memory_\(read\|write\|rw\)\>``
+ ``cpu_memory_rw_debug``
+@@ -XXX,XX +XXX,XX @@ make sure our existing code is doing things correctly.
+ ``dma_memory_rw``
+-Regexes for git grep
++Regexes for git grep:
+  - ``\<dma_memory_\(read\|write\|rw\)\>``
+  - ``\<ldu\?[bwlq]\(_[bl]e\)\?_dma\>``
+  - ``\<st[bwlq]\(_[bl]e\)\?_dma\>``
+@@ -XXX,XX +XXX,XX @@ correct address space for that device.
+ The ``_{endian}_`` infix is omitted for byte accesses.
+-Regexes for git grep
++Regexes for git grep:
+  - ``\<pci_dma_\(read\|write\|rw\)\>``
+  - ``\<ldu\?[bwlq]\(_[bl]e\)\?_pci_dma\>``
+  - ``\<st[bwlq]\(_[bl]e\)\?_pci_dma\>``
+--
+.34.1

-New patch
+[PULL 03/30] hw/arm/boot: Set SCR_EL3.FGTEn when booting kernel
+From: Fabian Vogt <fvogt@suse.de>
+Just like d7ef5e16a17c sets SCR_EL3.HXEn for FEAT_HCX, this commit
+handles SCR_EL3.FGTEn for FEAT_FGT:
+When we direct boot a kernel on a CPU which emulates EL3, we need to
+set up the EL3 system registers as the Linux kernel documentation
+specifies:
+    https://www.kernel.org/doc/Documentation/arm64/booting.rst
+> For CPUs with the Fine Grained Traps (FEAT_FGT) extension present:
+> - If EL3 is present and the kernel is entered at EL2:
+>   - SCR_EL3.FGTEn (bit 27) must be initialised to 0b1.
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Fabian Vogt <fvogt@suse.de>
+Message-id: 4831384.GXAFRqVoOG@linux-e202.suse.de
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ hw/arm/boot.c | 4 ++++
+file changed, 4 insertions(+)
+diff --git a/hw/arm/boot.c b/hw/arm/boot.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/boot.c
++++ b/hw/arm/boot.c
+@@ -XXX,XX +XXX,XX @@ static void do_cpu_reset(void *opaque)
+                     if (cpu_isar_feature(aa64_hcx, cpu)) {
+                         env->cp15.scr_el3 |= SCR_HXEN;
+                     }
++                    if (cpu_isar_feature(aa64_fgt, cpu)) {
++                        env->cp15.scr_el3 |= SCR_FGTEN;
++                    }
++
+                     /* AArch64 kernels never boot in secure mode */
+                     assert(!info->secure_boot);
+                     /* This hook is only supported for AArch32 currently:
+--
+.34.1

-[Qemu-devel] [PULL 08/12] hw/arm/virt: Declare fwcfg as dma cache coherent in dt
+[PULL 04/30] linux-user/elfload.c: Correct SME feature names reported in cpuinfo
-From: Alexander Graf <agraf@suse.de>
+Some of the names we use for CPU features in linux-user's dummy
 /proc/cpuinfo don't match the strings in the real kernel in
 arch/arm64/kernel/cpuinfo.c. Specifically, the SME related
 features have an underscore in the HWCAP_FOO define name,
 but (like the SVE ones) they do not have an underscore in the
 string in cpuinfo. Correct the errors.
-Fw-cfg recently learned how to directly access guest memory and does so in
+Fixes: a55b9e7226708 ("linux-user: Emulate /proc/cpuinfo on aarch64 and arm")
-cache coherent fashion. Tell the guest about that fact when it's using DT.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 ---
  linux-user/elfload.c | 14 +++++++-------
 file changed, 7 insertions(+), 7 deletions(-)
-Signed-off-by: Alexander Graf <agraf@suse.de>
+diff --git a/linux-user/elfload.c b/linux-user/elfload.c
 Reviewed-by: Laszlo Ersek <lersek@redhat.com>
 Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
 Reviewed-by: Shannon Zhao <shannon.zhao@linaro.org>
 Message-id: 1486644810-33181-5-git-send-email-agraf@suse.de
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
  hw/arm/virt.c | 1 +
 file changed, 1 insertion(+)
 diff --git a/hw/arm/virt.c b/hw/arm/virt.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/virt.c
+--- a/linux-user/elfload.c
-+++ b/hw/arm/virt.c
++++ b/linux-user/elfload.c
-@@ -XXX,XX +XXX,XX @@ static FWCfgState *create_fw_cfg(const VirtMachineState *vms, AddressSpace *as)
+@@ -XXX,XX +XXX,XX @@ const char *elf_hwcap2_str(uint32_t bit)
-                             "compatible", "qemu,fw-cfg-mmio");
+     [__builtin_ctz(ARM_HWCAP2_A64_RPRES        )] = "rpres",
-     qemu_fdt_setprop_sized_cells(vms->fdt, nodename, "reg",
+     [__builtin_ctz(ARM_HWCAP2_A64_MTE3         )] = "mte3",
-, base, 2, size);
+     [__builtin_ctz(ARM_HWCAP2_A64_SME          )] = "sme",
-+    qemu_fdt_setprop(vms->fdt, nodename, "dma-coherent", NULL, 0);
+-    [__builtin_ctz(ARM_HWCAP2_A64_SME_I16I64   )] = "sme_i16i64",
-     g_free(nodename);
+-    [__builtin_ctz(ARM_HWCAP2_A64_SME_F64F64   )] = "sme_f64f64",
-     return fw_cfg;
+-    [__builtin_ctz(ARM_HWCAP2_A64_SME_I8I32    )] = "sme_i8i32",
- }
+-    [__builtin_ctz(ARM_HWCAP2_A64_SME_F16F32   )] = "sme_f16f32",
 -    [__builtin_ctz(ARM_HWCAP2_A64_SME_B16F32   )] = "sme_b16f32",
 -    [__builtin_ctz(ARM_HWCAP2_A64_SME_F32F32   )] = "sme_f32f32",
 -    [__builtin_ctz(ARM_HWCAP2_A64_SME_FA64     )] = "sme_fa64",
 +    [__builtin_ctz(ARM_HWCAP2_A64_SME_I16I64   )] = "smei16i64",
 +    [__builtin_ctz(ARM_HWCAP2_A64_SME_F64F64   )] = "smef64f64",
 +    [__builtin_ctz(ARM_HWCAP2_A64_SME_I8I32    )] = "smei8i32",
 +    [__builtin_ctz(ARM_HWCAP2_A64_SME_F16F32   )] = "smef16f32",
 +    [__builtin_ctz(ARM_HWCAP2_A64_SME_B16F32   )] = "smeb16f32",
 +    [__builtin_ctz(ARM_HWCAP2_A64_SME_F32F32   )] = "smef32f32",
 +    [__builtin_ctz(ARM_HWCAP2_A64_SME_FA64     )] = "smefa64",
      };
      return bit < ARRAY_SIZE(hwcap_str) ? hwcap_str[bit] : NULL;
 --
-.7.4
+.34.1

-[Qemu-devel] [PULL 07/12] hw/arm/virt: Declare fwcfg as dma cache coherent in ACPI
+[PULL 05/30] linux-user/elfload.c: Add missing arm and arm64 hwcap values
-From: Alexander Graf <agraf@suse.de>
+Our lists of Arm 32 and 64 bit hwcap values have lagged behind
 the Linux kernel. Update them to include all the bits defined
 as of upstream Linux git commit a48fa7efaf1161c1 (in the middle
 of the kernel 6.6 dev cycle).
-Fw-cfg recently learned how to directly access guest memory and does so in
+For 64-bit, we don't yet implement any of the features reported via
-cache coherent fashion. Tell the guest about that fact when it's using ACPI.
+these hwcap bits.  For 32-bit we do in fact already implement them
 all; we'll add the code to set them in a subsequent commit.
-Signed-off-by: Alexander Graf <agraf@suse.de>
-Reviewed-by: Laszlo Ersek <lersek@redhat.com>
-Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
-Reviewed-by: Shannon Zhao <shannon.zhao@linaro.org>
-Message-id: 1486644810-33181-4-git-send-email-agraf@suse.de
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- hw/arm/virt-acpi-build.c | 1 +
+ linux-user/elfload.c | 44 ++++++++++++++++++++++++++++++++++++++++++++
-file changed, 1 insertion(+)
+file changed, 44 insertions(+)
-diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c
+diff --git a/linux-user/elfload.c b/linux-user/elfload.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/virt-acpi-build.c
+--- a/linux-user/elfload.c
-+++ b/hw/arm/virt-acpi-build.c
++++ b/linux-user/elfload.c
-@@ -XXX,XX +XXX,XX @@ static void acpi_dsdt_add_fw_cfg(Aml *scope, const MemMapEntry *fw_cfg_memmap)
+@@ -XXX,XX +XXX,XX @@ enum
-     aml_append(dev, aml_name_decl("_HID", aml_string("QEMU0002")));
+     ARM_HWCAP_ARM_VFPD32    = 1 << 19,
-     /* device present, functioning, decoding, not shown in UI */
+     ARM_HWCAP_ARM_LPAE      = 1 << 20,
-     aml_append(dev, aml_name_decl("_STA", aml_int(0xB)));
+     ARM_HWCAP_ARM_EVTSTRM   = 1 << 21,
-+    aml_append(dev, aml_name_decl("_CCA", aml_int(1)));
++    ARM_HWCAP_ARM_FPHP      = 1 << 22,
++    ARM_HWCAP_ARM_ASIMDHP   = 1 << 23,
-     Aml *crs = aml_resource_template();
++    ARM_HWCAP_ARM_ASIMDDP   = 1 << 24,
-     aml_append(crs, aml_memory32_fixed(fw_cfg_memmap->base,
++    ARM_HWCAP_ARM_ASIMDFHM  = 1 << 25,
 +    ARM_HWCAP_ARM_ASIMDBF16 = 1 << 26,
 +    ARM_HWCAP_ARM_I8MM      = 1 << 27,
  };
  enum {
@@ -XXX,XX +XXX,XX @@ enum {
      ARM_HWCAP2_ARM_SHA1     = 1 << 2,
      ARM_HWCAP2_ARM_SHA2     = 1 << 3,
      ARM_HWCAP2_ARM_CRC32    = 1 << 4,
 +    ARM_HWCAP2_ARM_SB       = 1 << 5,
 +    ARM_HWCAP2_ARM_SSBS     = 1 << 6,
  };
  /* The commpage only exists for 32 bit kernels */
@@ -XXX,XX +XXX,XX @@ const char *elf_hwcap_str(uint32_t bit)
      [__builtin_ctz(ARM_HWCAP_ARM_VFPD32   )] = "vfpd32",
      [__builtin_ctz(ARM_HWCAP_ARM_LPAE     )] = "lpae",
      [__builtin_ctz(ARM_HWCAP_ARM_EVTSTRM  )] = "evtstrm",
 +    [__builtin_ctz(ARM_HWCAP_ARM_FPHP     )] = "fphp",
 +    [__builtin_ctz(ARM_HWCAP_ARM_ASIMDHP  )] = "asimdhp",
 +    [__builtin_ctz(ARM_HWCAP_ARM_ASIMDDP  )] = "asimddp",
 +    [__builtin_ctz(ARM_HWCAP_ARM_ASIMDFHM )] = "asimdfhm",
 +    [__builtin_ctz(ARM_HWCAP_ARM_ASIMDBF16)] = "asimdbf16",
 +    [__builtin_ctz(ARM_HWCAP_ARM_I8MM     )] = "i8mm",
      };
      return bit < ARRAY_SIZE(hwcap_str) ? hwcap_str[bit] : NULL;
@@ -XXX,XX +XXX,XX @@ const char *elf_hwcap2_str(uint32_t bit)
      [__builtin_ctz(ARM_HWCAP2_ARM_SHA1 )] = "sha1",
      [__builtin_ctz(ARM_HWCAP2_ARM_SHA2 )] = "sha2",
      [__builtin_ctz(ARM_HWCAP2_ARM_CRC32)] = "crc32",
 +    [__builtin_ctz(ARM_HWCAP2_ARM_SB   )] = "sb",
 +    [__builtin_ctz(ARM_HWCAP2_ARM_SSBS )] = "ssbs",
      };
      return bit < ARRAY_SIZE(hwcap_str) ? hwcap_str[bit] : NULL;
@@ -XXX,XX +XXX,XX @@ enum {
      ARM_HWCAP2_A64_SME_B16F32   = 1 << 28,
      ARM_HWCAP2_A64_SME_F32F32   = 1 << 29,
      ARM_HWCAP2_A64_SME_FA64     = 1 << 30,
 +    ARM_HWCAP2_A64_WFXT         = 1ULL << 31,
 +    ARM_HWCAP2_A64_EBF16        = 1ULL << 32,
 +    ARM_HWCAP2_A64_SVE_EBF16    = 1ULL << 33,
 +    ARM_HWCAP2_A64_CSSC         = 1ULL << 34,
 +    ARM_HWCAP2_A64_RPRFM        = 1ULL << 35,
 +    ARM_HWCAP2_A64_SVE2P1       = 1ULL << 36,
 +    ARM_HWCAP2_A64_SME2         = 1ULL << 37,
 +    ARM_HWCAP2_A64_SME2P1       = 1ULL << 38,
 +    ARM_HWCAP2_A64_SME_I16I32   = 1ULL << 39,
 +    ARM_HWCAP2_A64_SME_BI32I32  = 1ULL << 40,
 +    ARM_HWCAP2_A64_SME_B16B16   = 1ULL << 41,
 +    ARM_HWCAP2_A64_SME_F16F16   = 1ULL << 42,
 +    ARM_HWCAP2_A64_MOPS         = 1ULL << 43,
 +    ARM_HWCAP2_A64_HBC          = 1ULL << 44,
  };
  #define ELF_HWCAP   get_elf_hwcap()
@@ -XXX,XX +XXX,XX @@ const char *elf_hwcap2_str(uint32_t bit)
      [__builtin_ctz(ARM_HWCAP2_A64_SME_B16F32   )] = "smeb16f32",
      [__builtin_ctz(ARM_HWCAP2_A64_SME_F32F32   )] = "smef32f32",
      [__builtin_ctz(ARM_HWCAP2_A64_SME_FA64     )] = "smefa64",
 +    [__builtin_ctz(ARM_HWCAP2_A64_WFXT         )] = "wfxt",
 +    [__builtin_ctzll(ARM_HWCAP2_A64_EBF16      )] = "ebf16",
 +    [__builtin_ctzll(ARM_HWCAP2_A64_SVE_EBF16  )] = "sveebf16",
 +    [__builtin_ctzll(ARM_HWCAP2_A64_CSSC       )] = "cssc",
 +    [__builtin_ctzll(ARM_HWCAP2_A64_RPRFM      )] = "rprfm",
 +    [__builtin_ctzll(ARM_HWCAP2_A64_SVE2P1     )] = "sve2p1",
 +    [__builtin_ctzll(ARM_HWCAP2_A64_SME2       )] = "sme2",
 +    [__builtin_ctzll(ARM_HWCAP2_A64_SME2P1     )] = "sme2p1",
 +    [__builtin_ctzll(ARM_HWCAP2_A64_SME_I16I32 )] = "smei16i32",
 +    [__builtin_ctzll(ARM_HWCAP2_A64_SME_BI32I32)] = "smebi32i32",
 +    [__builtin_ctzll(ARM_HWCAP2_A64_SME_B16B16 )] = "smeb16b16",
 +    [__builtin_ctzll(ARM_HWCAP2_A64_SME_F16F16 )] = "smef16f16",
 +    [__builtin_ctzll(ARM_HWCAP2_A64_MOPS       )] = "mops",
 +    [__builtin_ctzll(ARM_HWCAP2_A64_HBC        )] = "hbc",
      };
      return bit < ARRAY_SIZE(hwcap_str) ? hwcap_str[bit] : NULL;
 --
-.7.4
+.34.1

-New patch
+[PULL 06/30] linux-user/elfload.c: Report previously missing arm32 hwcaps
+Add the code to report the arm32 hwcaps we were previously missing:
+ ss, ssbs, fphp, asimdhp, asimddp, asimdfhm, asimdbf16, i8mm
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ linux-user/elfload.c | 12 ++++++++++++
+file changed, 12 insertions(+)
+diff --git a/linux-user/elfload.c b/linux-user/elfload.c
+index XXXXXXX..XXXXXXX 100644
+--- a/linux-user/elfload.c
++++ b/linux-user/elfload.c
+@@ -XXX,XX +XXX,XX @@ uint32_t get_elf_hwcap(void)
+         }
+     }
+     GET_FEATURE_ID(aa32_simdfmac, ARM_HWCAP_ARM_VFPv4);
++    /*
++     * MVFR1.FPHP and .SIMDHP must be in sync, and QEMU uses the same
++     * isar_feature function for both. The kernel reports them as two hwcaps.
++     */
++    GET_FEATURE_ID(aa32_fp16_arith, ARM_HWCAP_ARM_FPHP);
++    GET_FEATURE_ID(aa32_fp16_arith, ARM_HWCAP_ARM_ASIMDHP);
++    GET_FEATURE_ID(aa32_dp, ARM_HWCAP_ARM_ASIMDDP);
++    GET_FEATURE_ID(aa32_fhm, ARM_HWCAP_ARM_ASIMDFHM);
++    GET_FEATURE_ID(aa32_bf16, ARM_HWCAP_ARM_ASIMDBF16);
++    GET_FEATURE_ID(aa32_i8mm, ARM_HWCAP_ARM_I8MM);
+     return hwcaps;
+ }
+@@ -XXX,XX +XXX,XX @@ uint32_t get_elf_hwcap2(void)
+     GET_FEATURE_ID(aa32_sha1, ARM_HWCAP2_ARM_SHA1);
+     GET_FEATURE_ID(aa32_sha2, ARM_HWCAP2_ARM_SHA2);
+     GET_FEATURE_ID(aa32_crc32, ARM_HWCAP2_ARM_CRC32);
++    GET_FEATURE_ID(aa32_sb, ARM_HWCAP2_ARM_SB);
++    GET_FEATURE_ID(aa32_ssbs, ARM_HWCAP2_ARM_SSBS);
+     return hwcaps;
+ }
+--
+.34.1

-New patch
+[PULL 07/30] target/arm: Update AArch64 ID register field definitions
+Update our AArch64 ID register field definitions from the 2023-06
+system register XML release:
+ https://developer.arm.com/documentation/ddi0601/2023-06/
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ target/arm/cpu.h | 23 +++++++++++++++++++++++
+file changed, 23 insertions(+)
+diff --git a/target/arm/cpu.h b/target/arm/cpu.h
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/cpu.h
++++ b/target/arm/cpu.h
+@@ -XXX,XX +XXX,XX @@ FIELD(ID_AA64ISAR0, SHA1, 8, 4)
+ FIELD(ID_AA64ISAR0, SHA2, 12, 4)
+ FIELD(ID_AA64ISAR0, CRC32, 16, 4)
+ FIELD(ID_AA64ISAR0, ATOMIC, 20, 4)
++FIELD(ID_AA64ISAR0, TME, 24, 4)
+ FIELD(ID_AA64ISAR0, RDM, 28, 4)
+ FIELD(ID_AA64ISAR0, SHA3, 32, 4)
+ FIELD(ID_AA64ISAR0, SM3, 36, 4)
+@@ -XXX,XX +XXX,XX @@ FIELD(ID_AA64ISAR2, APA3, 12, 4)
+ FIELD(ID_AA64ISAR2, MOPS, 16, 4)
+ FIELD(ID_AA64ISAR2, BC, 20, 4)
+ FIELD(ID_AA64ISAR2, PAC_FRAC, 24, 4)
++FIELD(ID_AA64ISAR2, CLRBHB, 28, 4)
++FIELD(ID_AA64ISAR2, SYSREG_128, 32, 4)
++FIELD(ID_AA64ISAR2, SYSINSTR_128, 36, 4)
++FIELD(ID_AA64ISAR2, PRFMSLC, 40, 4)
++FIELD(ID_AA64ISAR2, RPRFM, 48, 4)
++FIELD(ID_AA64ISAR2, CSSC, 52, 4)
++FIELD(ID_AA64ISAR2, ATS1A, 60, 4)
+ FIELD(ID_AA64PFR0, EL0, 0, 4)
+ FIELD(ID_AA64PFR0, EL1, 4, 4)
+@@ -XXX,XX +XXX,XX @@ FIELD(ID_AA64PFR1, SME, 24, 4)
+ FIELD(ID_AA64PFR1, RNDR_TRAP, 28, 4)
+ FIELD(ID_AA64PFR1, CSV2_FRAC, 32, 4)
+ FIELD(ID_AA64PFR1, NMI, 36, 4)
++FIELD(ID_AA64PFR1, MTE_FRAC, 40, 4)
++FIELD(ID_AA64PFR1, GCS, 44, 4)
++FIELD(ID_AA64PFR1, THE, 48, 4)
++FIELD(ID_AA64PFR1, MTEX, 52, 4)
++FIELD(ID_AA64PFR1, DF2, 56, 4)
++FIELD(ID_AA64PFR1, PFAR, 60, 4)
+ FIELD(ID_AA64MMFR0, PARANGE, 0, 4)
+ FIELD(ID_AA64MMFR0, ASIDBITS, 4, 4)
+@@ -XXX,XX +XXX,XX @@ FIELD(ID_AA64MMFR1, AFP, 44, 4)
+ FIELD(ID_AA64MMFR1, NTLBPA, 48, 4)
+ FIELD(ID_AA64MMFR1, TIDCP1, 52, 4)
+ FIELD(ID_AA64MMFR1, CMOW, 56, 4)
++FIELD(ID_AA64MMFR1, ECBHB, 60, 4)
+ FIELD(ID_AA64MMFR2, CNP, 0, 4)
+ FIELD(ID_AA64MMFR2, UAO, 4, 4)
+@@ -XXX,XX +XXX,XX @@ FIELD(ID_AA64DFR0, DEBUGVER, 0, 4)
+ FIELD(ID_AA64DFR0, TRACEVER, 4, 4)
+ FIELD(ID_AA64DFR0, PMUVER, 8, 4)
+ FIELD(ID_AA64DFR0, BRPS, 12, 4)
++FIELD(ID_AA64DFR0, PMSS, 16, 4)
+ FIELD(ID_AA64DFR0, WRPS, 20, 4)
++FIELD(ID_AA64DFR0, SEBEP, 24, 4)
+ FIELD(ID_AA64DFR0, CTX_CMPS, 28, 4)
+ FIELD(ID_AA64DFR0, PMSVER, 32, 4)
+ FIELD(ID_AA64DFR0, DOUBLELOCK, 36, 4)
+@@ -XXX,XX +XXX,XX @@ FIELD(ID_AA64DFR0, TRACEFILT, 40, 4)
+ FIELD(ID_AA64DFR0, TRACEBUFFER, 44, 4)
+ FIELD(ID_AA64DFR0, MTPMU, 48, 4)
+ FIELD(ID_AA64DFR0, BRBE, 52, 4)
++FIELD(ID_AA64DFR0, EXTTRCBUFF, 56, 4)
+ FIELD(ID_AA64DFR0, HPMN0, 60, 4)
+ FIELD(ID_AA64ZFR0, SVEVER, 0, 4)
+ FIELD(ID_AA64ZFR0, AES, 4, 4)
+ FIELD(ID_AA64ZFR0, BITPERM, 16, 4)
+ FIELD(ID_AA64ZFR0, BFLOAT16, 20, 4)
++FIELD(ID_AA64ZFR0, B16B16, 24, 4)
+ FIELD(ID_AA64ZFR0, SHA3, 32, 4)
+ FIELD(ID_AA64ZFR0, SM4, 40, 4)
+ FIELD(ID_AA64ZFR0, I8MM, 44, 4)
+@@ -XXX,XX +XXX,XX @@ FIELD(ID_AA64ZFR0, F32MM, 52, 4)
+ FIELD(ID_AA64ZFR0, F64MM, 56, 4)
+ FIELD(ID_AA64SMFR0, F32F32, 32, 1)
++FIELD(ID_AA64SMFR0, BI32I32, 33, 1)
+ FIELD(ID_AA64SMFR0, B16F32, 34, 1)
+ FIELD(ID_AA64SMFR0, F16F32, 35, 1)
+ FIELD(ID_AA64SMFR0, I8I32, 36, 4)
++FIELD(ID_AA64SMFR0, F16F16, 42, 1)
++FIELD(ID_AA64SMFR0, B16B16, 43, 1)
++FIELD(ID_AA64SMFR0, I16I32, 44, 4)
+ FIELD(ID_AA64SMFR0, F64F64, 48, 1)
+ FIELD(ID_AA64SMFR0, I16I64, 52, 4)
+ FIELD(ID_AA64SMFR0, SMEVER, 56, 4)
+--
+.34.1

-[Qemu-devel] [PULL 04/12] target-arm: Enable vPMU support under TCG mode
+[PULL 08/30] target/arm: Update user-mode ID reg mask values
-From: Wei Huang <wei@redhat.com>
+For user-only mode we reveal a subset of the AArch64 ID registers
 to the guest, to emulate the kernel's trap-and-emulate-ID-regs
 handling. Update the feature bit masks to match upstream kernel
 commit a48fa7efaf1161c1c.
-This patch contains several fixes to enable vPMU under TCG mode. It
+None of these features are yet implemented by QEMU, so this
-first removes the checking of kvm_enabled() while unsetting
+doesn't yet have a behavioural change, but implementation of
-ARM_FEATURE_PMU. With it, the .pmu option can be used to turn on/off vPMU
+FEAT_MOPS and FEAT_HBC is imminent.
 under TCG mode. Secondly the PMU node of DT table is now created under TCG.
 The last fix is to disable the masking of PMUver field of ID_AA64DFR0_EL1.
-Signed-off-by: Wei Huang <wei@redhat.com>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 1486504171-26807-5-git-send-email-wei@redhat.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- hw/arm/virt.c       | 2 +-
+ target/arm/helper.c         | 11 ++++++++++-
- target/arm/cpu.c    | 2 +-
+ tests/tcg/aarch64/sysregs.c |  4 ++--
- target/arm/helper.c | 7 +------
+files changed, 12 insertions(+), 3 deletions(-)
 files changed, 3 insertions(+), 8 deletions(-)
-diff --git a/hw/arm/virt.c b/hw/arm/virt.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/virt.c
-+++ b/hw/arm/virt.c
-@@ -XXX,XX +XXX,XX @@ static void fdt_add_pmu_nodes(const VirtMachineState *vms)
-     CPU_FOREACH(cpu) {
-         armcpu = ARM_CPU(cpu);
-         if (!arm_feature(&armcpu->env, ARM_FEATURE_PMU) ||
--            !kvm_arm_pmu_create(cpu, PPI(VIRTUAL_PMU_IRQ))) {
-+            (kvm_enabled() && !kvm_arm_pmu_create(cpu, PPI(VIRTUAL_PMU_IRQ)))) {
-             return;
-         }
-     }
-diff --git a/target/arm/cpu.c b/target/arm/cpu.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.c
-+++ b/target/arm/cpu.c
-@@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
-         unset_feature(env, ARM_FEATURE_EL2);
-     }
--    if (!cpu->has_pmu || !kvm_enabled()) {
-+    if (!cpu->has_pmu) {
-         cpu->has_pmu = false;
-         unset_feature(env, ARM_FEATURE_PMU);
-     }
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
 @@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
-             { .name = "ID_AA64DFR0_EL1", .state = ARM_CP_STATE_AA64,
+                                R_ID_AA64ZFR0_F64MM_MASK },
-               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 0,
+             { .name = "ID_AA64SMFR0_EL1",
-               .access = PL1_R, .type = ARM_CP_CONST,
+               .exported_bits = R_ID_AA64SMFR0_F32F32_MASK |
--              /* We mask out the PMUVer field, because we don't currently
++                               R_ID_AA64SMFR0_BI32I32_MASK |
--               * implement the PMU. Not advertising it prevents the guest
+                                R_ID_AA64SMFR0_B16F32_MASK |
--               * from trying to use it and getting UNDEFs on registers we
+                                R_ID_AA64SMFR0_F16F32_MASK |
--               * don't implement.
+                                R_ID_AA64SMFR0_I8I32_MASK |
--               */
++                               R_ID_AA64SMFR0_F16F16_MASK |
--              .resetvalue = cpu->id_aa64dfr0 & ~0xf00 },
++                               R_ID_AA64SMFR0_B16B16_MASK |
-+              .resetvalue = cpu->id_aa64dfr0 },
++                               R_ID_AA64SMFR0_I16I32_MASK |
-             { .name = "ID_AA64DFR1_EL1", .state = ARM_CP_STATE_AA64,
+                                R_ID_AA64SMFR0_F64F64_MASK |
-               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 1,
+                                R_ID_AA64SMFR0_I16I64_MASK |
-               .access = PL1_R, .type = ARM_CP_CONST,
++                               R_ID_AA64SMFR0_SMEVER_MASK |
                                 R_ID_AA64SMFR0_FA64_MASK },
              { .name = "ID_AA64MMFR0_EL1",
                .exported_bits = R_ID_AA64MMFR0_ECV_MASK,
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
                .exported_bits = R_ID_AA64ISAR2_WFXT_MASK |
                                 R_ID_AA64ISAR2_RPRES_MASK |
                                 R_ID_AA64ISAR2_GPA3_MASK |
 -                               R_ID_AA64ISAR2_APA3_MASK },
 +                               R_ID_AA64ISAR2_APA3_MASK |
 +                               R_ID_AA64ISAR2_MOPS_MASK |
 +                               R_ID_AA64ISAR2_BC_MASK |
 +                               R_ID_AA64ISAR2_RPRFM_MASK |
 +                               R_ID_AA64ISAR2_CSSC_MASK },
              { .name = "ID_AA64ISAR*_EL1_RESERVED",
                .is_glob = true },
          };
 diff --git a/tests/tcg/aarch64/sysregs.c b/tests/tcg/aarch64/sysregs.c
 index XXXXXXX..XXXXXXX 100644
 --- a/tests/tcg/aarch64/sysregs.c
 +++ b/tests/tcg/aarch64/sysregs.c
@@ -XXX,XX +XXX,XX @@ int main(void)
       */
      get_cpu_reg_check_mask(id_aa64isar0_el1, _m(f0ff,ffff,f0ff,fff0));
      get_cpu_reg_check_mask(id_aa64isar1_el1, _m(00ff,f0ff,ffff,ffff));
 -    get_cpu_reg_check_mask(SYS_ID_AA64ISAR2_EL1, _m(0000,0000,0000,ffff));
 +    get_cpu_reg_check_mask(SYS_ID_AA64ISAR2_EL1, _m(00ff,0000,00ff,ffff));
      /* TGran4 & TGran64 as pegged to -1 */
      get_cpu_reg_check_mask(id_aa64mmfr0_el1, _m(f000,0000,ff00,0000));
      get_cpu_reg_check_mask(id_aa64mmfr1_el1, _m(0000,f000,0000,0000));
@@ -XXX,XX +XXX,XX @@ int main(void)
      get_cpu_reg_check_mask(id_aa64dfr0_el1,  _m(0000,0000,0000,0006));
      get_cpu_reg_check_zero(id_aa64dfr1_el1);
      get_cpu_reg_check_mask(SYS_ID_AA64ZFR0_EL1,  _m(0ff0,ff0f,00ff,00ff));
 -    get_cpu_reg_check_mask(SYS_ID_AA64SMFR0_EL1, _m(80f1,00fd,0000,0000));
 +    get_cpu_reg_check_mask(SYS_ID_AA64SMFR0_EL1, _m(8ff1,fcff,0000,0000));
      get_cpu_reg_check_zero(id_aa64afr0_el1);
      get_cpu_reg_check_zero(id_aa64afr1_el1);
 --
-.7.4
+.34.1

-[Qemu-devel] [PULL 01/12] target-arm: Add support for PMU register PMSELR_EL0
+[PULL 09/30] target/arm: Implement FEAT_HBC
-From: Wei Huang <wei@redhat.com>
+FEAT_HBC (Hinted conditional branches) provides a new instruction
 BC.cond, which behaves exactly like the existing B.cond except
 that it provides a hint to the branch predictor about the
 likely behaviour of the branch.
-This patch adds support for AArch64 register PMSELR_EL0. The existing
+Since QEMU does not implement branch prediction, we can treat
-PMSELR definition is revised accordingly.
+this identically to B.cond.
-Signed-off-by: Wei Huang <wei@redhat.com>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-[PMM: Moved #ifndef CONFIG_USER_ONLY to cover new regdefs]
-Message-id: 1486504171-26807-2-git-send-email-wei@redhat.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- target/arm/cpu.h    |  1 +
+ docs/system/arm/emulation.rst  | 1 +
- target/arm/helper.c | 27 +++++++++++++++++++++------
+ target/arm/cpu.h               | 5 +++++
-files changed, 22 insertions(+), 6 deletions(-)
+ target/arm/tcg/a64.decode      | 3 ++-
  linux-user/elfload.c           | 1 +
  target/arm/tcg/cpu64.c         | 4 ++++
  target/arm/tcg/translate-a64.c | 4 ++++
 files changed, 17 insertions(+), 1 deletion(-)
+diff --git a/docs/system/arm/emulation.rst b/docs/system/arm/emulation.rst
+index XXXXXXX..XXXXXXX 100644
+--- a/docs/system/arm/emulation.rst
++++ b/docs/system/arm/emulation.rst
+@@ -XXX,XX +XXX,XX @@ the following architecture extensions:
+ - FEAT_FlagM2 (Enhancements to flag manipulation instructions)
+ - FEAT_GTG (Guest translation granule size)
+ - FEAT_HAFDBS (Hardware management of the access flag and dirty bit state)
++- FEAT_HBC (Hinted conditional branches)
+ - FEAT_HCX (Support for the HCRX_EL2 register)
+ - FEAT_HPDS (Hierarchical permission disables)
+ - FEAT_HPDS2 (Translation table page-based hardware attributes)
 diff --git a/target/arm/cpu.h b/target/arm/cpu.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.h
 +++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ typedef struct CPUARMState {
+@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa64_i8mm(const ARMISARegisters *id)
-         uint32_t c9_pmovsr; /* perf monitor overflow status */
+     return FIELD_EX64(id->id_aa64isar1, ID_AA64ISAR1, I8MM) != 0;
          uint32_t c9_pmxevtyper; /* perf monitor event type */
          uint32_t c9_pmuserenr; /* perf monitor user enable */
 +        uint64_t c9_pmselr; /* perf monitor counter selection register */
          uint32_t c9_pminten; /* perf monitor interrupt enables */
          union { /* Memory attribute redirection */
              struct {
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static uint64_t pmccntr_read(CPUARMState *env, const ARMCPRegInfo *ri)
      return total_ticks - env->cp15.c15_ccnt;
  }
-+static void pmselr_write(CPUARMState *env, const ARMCPRegInfo *ri,
++static inline bool isar_feature_aa64_hbc(const ARMISARegisters *id)
 +                         uint64_t value)
 +{
-+    /* The value of PMSELR.SEL affects the behavior of PMXEVTYPER and
++    return FIELD_EX64(id->id_aa64isar2, ID_AA64ISAR2, BC) != 0;
 +     * PMXEVCNTR. We allow [0..31] to be written to PMSELR here; in the
 +     * meanwhile, we check PMSELR.SEL when PMXEVTYPER and PMXEVCNTR are
 +     * accessed.
 +     */
 +    env->cp15.c9_pmselr = value & 0x1f;
 +}
 +
- static void pmccntr_write(CPUARMState *env, const ARMCPRegInfo *ri,
+ static inline bool isar_feature_aa64_tgran4_lpa2(const ARMISARegisters *id)
                          uint64_t value)
  {
-@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v7_cp_reginfo[] = {
+     return FIELD_SEX64(id->id_aa64mmfr0, ID_AA64MMFR0, TGRAN4) >= 1;
-     /* Unimplemented so WI. */
+diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
-     { .name = "PMSWINC", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 4,
+index XXXXXXX..XXXXXXX 100644
-       .access = PL0_W, .accessfn = pmreg_access, .type = ARM_CP_NOP },
+--- a/target/arm/tcg/a64.decode
--    /* Since we don't implement any events, writing to PMSELR is UNPREDICTABLE.
++++ b/target/arm/tcg/a64.decode
--     * We choose to RAZ/WI.
+@@ -XXX,XX +XXX,XX @@ CBZ             sf:1 011010 nz:1 ................... rt:5 &cbz imm=%imm19
--     */
--    { .name = "PMSELR", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 5,
+ TBZ             . 011011 nz:1 ..... .............. rt:5 &tbz  imm=%imm14 bitpos=%imm31_19
--      .access = PL0_RW, .type = ARM_CP_CONST, .resetvalue = 0,
--      .accessfn = pmreg_access },
+-B_cond          0101010 0 ................... 0 cond:4 imm=%imm19
- #ifndef CONFIG_USER_ONLY
++# B.cond and BC.cond
-+    { .name = "PMSELR", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 5,
++B_cond          0101010 0 ................... c:1 cond:4 imm=%imm19
-+      .access = PL0_RW, .type = ARM_CP_ALIAS,
-+      .fieldoffset = offsetoflow32(CPUARMState, cp15.c9_pmselr),
+ BR              1101011 0000 11111 000000 rn:5 00000 &r
-+      .accessfn = pmreg_access, .writefn = pmselr_write,
+ BLR             1101011 0001 11111 000000 rn:5 00000 &r
-+      .raw_writefn = raw_write},
+diff --git a/linux-user/elfload.c b/linux-user/elfload.c
-+    { .name = "PMSELR_EL0", .state = ARM_CP_STATE_AA64,
+index XXXXXXX..XXXXXXX 100644
-+      .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 12, .opc2 = 5,
+--- a/linux-user/elfload.c
-+      .access = PL0_RW, .accessfn = pmreg_access,
++++ b/linux-user/elfload.c
-+      .fieldoffset = offsetof(CPUARMState, cp15.c9_pmselr),
+@@ -XXX,XX +XXX,XX @@ uint32_t get_elf_hwcap2(void)
-+      .writefn = pmselr_write, .raw_writefn = raw_write, },
+     GET_FEATURE_ID(aa64_sme_f64f64, ARM_HWCAP2_A64_SME_F64F64);
-     { .name = "PMCCNTR", .cp = 15, .crn = 9, .crm = 13, .opc1 = 0, .opc2 = 0,
+     GET_FEATURE_ID(aa64_sme_i16i64, ARM_HWCAP2_A64_SME_I16I64);
-       .access = PL0_RW, .resetvalue = 0, .type = ARM_CP_IO,
+     GET_FEATURE_ID(aa64_sme_fa64, ARM_HWCAP2_A64_SME_FA64);
-       .readfn = pmccntr_read, .writefn = pmccntr_write32,
++    GET_FEATURE_ID(aa64_hbc, ARM_HWCAP2_A64_HBC);
      return hwcaps;
  }
 diff --git a/target/arm/tcg/cpu64.c b/target/arm/tcg/cpu64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/tcg/cpu64.c
 +++ b/target/arm/tcg/cpu64.c
@@ -XXX,XX +XXX,XX @@ void aarch64_max_tcg_initfn(Object *obj)
      t = FIELD_DP64(t, ID_AA64ISAR1, I8MM, 1);     /* FEAT_I8MM */
      cpu->isar.id_aa64isar1 = t;
 +    t = cpu->isar.id_aa64isar2;
 +    t = FIELD_DP64(t, ID_AA64ISAR2, BC, 1);      /* FEAT_HBC */
 +    cpu->isar.id_aa64isar2 = t;
 +
      t = cpu->isar.id_aa64pfr0;
      t = FIELD_DP64(t, ID_AA64PFR0, FP, 1);        /* FEAT_FP16 */
      t = FIELD_DP64(t, ID_AA64PFR0, ADVSIMD, 1);   /* FEAT_FP16 */
 diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/tcg/translate-a64.c
 +++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static bool trans_TBZ(DisasContext *s, arg_tbz *a)
  static bool trans_B_cond(DisasContext *s, arg_B_cond *a)
  {
 +    /* BC.cond is only present with FEAT_HBC */
 +    if (a->c && !dc_isar_feature(aa64_hbc, s)) {
 +        return false;
 +    }
      reset_btype(s);
      if (a->cond < 0x0e) {
          /* genuinely conditional branches */
 --
-.7.4
+.34.1

-[Qemu-devel] [PULL 10/12] aspeed: remove useless comment on controller segment size
+[PULL 10/30] target/arm: Remove unused allocation_tag_mem() argument
-From: Cédric Le Goater <clg@kaod.org>
+The allocation_tag_mem() function takes an argument tag_size,
 but it never uses it. Remove the argument. In mte_probe_int()
 in particular this also lets us delete the code computing
 the value we were passing in.
-The flash devices used for the FMC controller (BMC firmware) are well
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-defined for each Aspeed machine and are all smaller than the default
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-mapping window size, at least for CE0 which is the chip the SoC boots
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
-from.
+---
  target/arm/tcg/mte_helper.c | 42 +++++++++++++------------------------
 file changed, 14 insertions(+), 28 deletions(-)
-Signed-off-by: Cédric Le Goater <clg@kaod.org>
+diff --git a/target/arm/tcg/mte_helper.c b/target/arm/tcg/mte_helper.c
 Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Message-id: 1486648058-520-3-git-send-email-clg@kaod.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
  hw/arm/aspeed.c | 8 +++-----
 file changed, 3 insertions(+), 5 deletions(-)
 diff --git a/hw/arm/aspeed.c b/hw/arm/aspeed.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/aspeed.c
+--- a/target/arm/tcg/mte_helper.c
-+++ b/hw/arm/aspeed.c
++++ b/target/arm/tcg/mte_helper.c
-@@ -XXX,XX +XXX,XX @@ static void aspeed_board_init_flashes(AspeedSMCState *s, const char *flashtype,
+@@ -XXX,XX +XXX,XX @@ static int choose_nonexcluded_tag(int tag, int offset, uint16_t exclude)
-         DriveInfo *dinfo = drive_get_next(IF_MTD);
+  * @ptr_access: the access to use for the virtual address
-         qemu_irq cs_line;
+  * @ptr_size: the number of bytes in the normal memory access
+  * @tag_access: the access to use for the tag memory
--        /*
+- * @tag_size: the number of bytes in the tag memory access
--         * FIXME: check that we are not using a flash module exceeding
+  * @ra: the return address for exception handling
--         * the controller segment size
+  *
--         */
+  * Our tag memory is formatted as a sequence of little-endian nibbles.
-         fl->flash = ssi_create_slave_no_init(s->spi, flashtype);
+@@ -XXX,XX +XXX,XX @@ static int choose_nonexcluded_tag(int tag, int offset, uint16_t exclude)
-         if (dinfo) {
+  * a pointer to the corresponding tag byte.  Exit with exception if the
-             qdev_prop_set_drive(fl->flash, "drive", blk_by_legacy_dinfo(dinfo),
+  * virtual address is not accessible for @ptr_access.
-@@ -XXX,XX +XXX,XX @@ static void aspeed_board_init(MachineState *machine,
+  *
 - * The @ptr_size and @tag_size values may not have an obvious relation
 - * due to the alignment of @ptr, and the number of tag checks required.
 - *
   * If there is no tag storage corresponding to @ptr, return NULL.
   */
  static uint8_t *allocation_tag_mem(CPUARMState *env, int ptr_mmu_idx,
                                     uint64_t ptr, MMUAccessType ptr_access,
                                     int ptr_size, MMUAccessType tag_access,
 -                                   int tag_size, uintptr_t ra)
 +                                   uintptr_t ra)
  {
  #ifdef CONFIG_USER_ONLY
      uint64_t clean_ptr = useronly_clean_ptr(ptr);
@@ -XXX,XX +XXX,XX @@ uint64_t HELPER(ldg)(CPUARMState *env, uint64_t ptr, uint64_t xt)
      /* Trap if accessing an invalid page.  */
      mem = allocation_tag_mem(env, mmu_idx, ptr, MMU_DATA_LOAD, 1,
 -                             MMU_DATA_LOAD, 1, GETPC());
 +                             MMU_DATA_LOAD, GETPC());
      /* Load if page supports tags. */
      if (mem) {
@@ -XXX,XX +XXX,XX @@ static inline void do_stg(CPUARMState *env, uint64_t ptr, uint64_t xt,
      /* Trap if accessing an invalid page.  */
      mem = allocation_tag_mem(env, mmu_idx, ptr, MMU_DATA_STORE, TAG_GRANULE,
 -                             MMU_DATA_STORE, 1, ra);
 +                             MMU_DATA_STORE, ra);
      /* Store if page supports tags. */
      if (mem) {
@@ -XXX,XX +XXX,XX @@ static inline void do_st2g(CPUARMState *env, uint64_t ptr, uint64_t xt,
      if (ptr & TAG_GRANULE) {
          /* Two stores unaligned mod TAG_GRANULE*2 -- modify two bytes. */
          mem1 = allocation_tag_mem(env, mmu_idx, ptr, MMU_DATA_STORE,
 -                                  TAG_GRANULE, MMU_DATA_STORE, 1, ra);
 +                                  TAG_GRANULE, MMU_DATA_STORE, ra);
          mem2 = allocation_tag_mem(env, mmu_idx, ptr + TAG_GRANULE,
                                    MMU_DATA_STORE, TAG_GRANULE,
 -                                  MMU_DATA_STORE, 1, ra);
 +                                  MMU_DATA_STORE, ra);
          /* Store if page(s) support tags. */
          if (mem1) {
@@ -XXX,XX +XXX,XX @@ static inline void do_st2g(CPUARMState *env, uint64_t ptr, uint64_t xt,
      } else {
          /* Two stores aligned mod TAG_GRANULE*2 -- modify one byte. */
          mem1 = allocation_tag_mem(env, mmu_idx, ptr, MMU_DATA_STORE,
 -                                  2 * TAG_GRANULE, MMU_DATA_STORE, 1, ra);
 +                                  2 * TAG_GRANULE, MMU_DATA_STORE, ra);
          if (mem1) {
              tag |= tag << 4;
              qatomic_set(mem1, tag);
@@ -XXX,XX +XXX,XX @@ uint64_t HELPER(ldgm)(CPUARMState *env, uint64_t ptr)
      /* Trap if accessing an invalid page.  */
      tag_mem = allocation_tag_mem(env, mmu_idx, ptr, MMU_DATA_LOAD,
 -                                 gm_bs_bytes, MMU_DATA_LOAD,
 -                                 gm_bs_bytes / (2 * TAG_GRANULE), ra);
 +                                 gm_bs_bytes, MMU_DATA_LOAD, ra);
      /* The tag is squashed to zero if the page does not support tags.  */
      if (!tag_mem) {
@@ -XXX,XX +XXX,XX @@ void HELPER(stgm)(CPUARMState *env, uint64_t ptr, uint64_t val)
      /* Trap if accessing an invalid page.  */
      tag_mem = allocation_tag_mem(env, mmu_idx, ptr, MMU_DATA_STORE,
 -                                 gm_bs_bytes, MMU_DATA_LOAD,
 -                                 gm_bs_bytes / (2 * TAG_GRANULE), ra);
 +                                 gm_bs_bytes, MMU_DATA_LOAD, ra);
      /*
       * Tag store only happens if the page support tags,
@@ -XXX,XX +XXX,XX @@ void HELPER(stzgm_tags)(CPUARMState *env, uint64_t ptr, uint64_t val)
      ptr &= -dcz_bytes;
      mem = allocation_tag_mem(env, mmu_idx, ptr, MMU_DATA_STORE, dcz_bytes,
 -                             MMU_DATA_STORE, tag_bytes, ra);
 +                             MMU_DATA_STORE, ra);
      if (mem) {
          int tag_pair = (val & 0xf) * 0x11;
          memset(mem, tag_pair, tag_bytes);
@@ -XXX,XX +XXX,XX @@ static int mte_probe_int(CPUARMState *env, uint32_t desc, uint64_t ptr,
      int mmu_idx, ptr_tag, bit55;
      uint64_t ptr_last, prev_page, next_page;
      uint64_t tag_first, tag_last;
 -    uint64_t tag_byte_first, tag_byte_last;
 -    uint32_t sizem1, tag_count, tag_size, n, c;
 +    uint32_t sizem1, tag_count, n, c;
      uint8_t *mem1, *mem2;
      MMUAccessType type;
@@ -XXX,XX +XXX,XX @@ static int mte_probe_int(CPUARMState *env, uint32_t desc, uint64_t ptr,
      tag_last = QEMU_ALIGN_DOWN(ptr_last, TAG_GRANULE);
      tag_count = ((tag_last - tag_first) / TAG_GRANULE) + 1;
 -    /* Round the bounds to twice the tag granule, and compute the bytes. */
 -    tag_byte_first = QEMU_ALIGN_DOWN(ptr, 2 * TAG_GRANULE);
 -    tag_byte_last = QEMU_ALIGN_DOWN(ptr_last, 2 * TAG_GRANULE);
 -
      /* Locate the page boundaries. */
      prev_page = ptr & TARGET_PAGE_MASK;
      next_page = prev_page + TARGET_PAGE_SIZE;
      if (likely(tag_last - prev_page < TARGET_PAGE_SIZE)) {
          /* Memory access stays on one page. */
 -        tag_size = ((tag_byte_last - tag_byte_first) / (2 * TAG_GRANULE)) + 1;
          mem1 = allocation_tag_mem(env, mmu_idx, ptr, type, sizem1 + 1,
 -                                  MMU_DATA_LOAD, tag_size, ra);
 +                                  MMU_DATA_LOAD, ra);
          if (!mem1) {
              return 1;
          }
@@ -XXX,XX +XXX,XX @@ static int mte_probe_int(CPUARMState *env, uint32_t desc, uint64_t ptr,
          n = checkN(mem1, ptr & TAG_GRANULE, ptr_tag, tag_count);
      } else {
          /* Memory access crosses to next page. */
 -        tag_size = (next_page - tag_byte_first) / (2 * TAG_GRANULE);
          mem1 = allocation_tag_mem(env, mmu_idx, ptr, type, next_page - ptr,
 -                                  MMU_DATA_LOAD, tag_size, ra);
 +                                  MMU_DATA_LOAD, ra);
 -        tag_size = ((tag_byte_last - next_page) / (2 * TAG_GRANULE)) + 1;
          mem2 = allocation_tag_mem(env, mmu_idx, next_page, type,
                                    ptr_last - next_page + 1,
 -                                  MMU_DATA_LOAD, tag_size, ra);
 +                                  MMU_DATA_LOAD, ra);
          /*
-          * create a ROM region using the default mapping window size of
+          * Perform all of the comparisons.
--         * the flash module.
+@@ -XXX,XX +XXX,XX @@ uint64_t HELPER(mte_check_zva)(CPUARMState *env, uint32_t desc, uint64_t ptr)
-+         * the flash module. The window size is 64MB for the AST2400
+     mmu_idx = FIELD_EX32(desc, MTEDESC, MIDX);
-+         * SoC and 128MB for the AST2500 SoC, which is twice as big as
+     (void) probe_write(env, ptr, 1, mmu_idx, ra);
-+         * needed by the flash modules of the Aspeed machines.
+     mem = allocation_tag_mem(env, mmu_idx, align_ptr, MMU_DATA_STORE,
-          */
+-                             dcz_bytes, MMU_DATA_LOAD, tag_bytes, ra);
-         memory_region_init_rom(boot_rom, OBJECT(bmc), "aspeed.boot_rom",
++                             dcz_bytes, MMU_DATA_LOAD, ra);
-                                fl->size, &error_abort);
+     if (!mem) {
          goto done;
      }
 --
-.7.4
+.34.1

-New patch
+[PULL 11/30] target/arm: Don't skip MTE checks for LDRT/STRT at EL0
+The LDRT/STRT "unprivileged load/store" instructions behave like
+normal ones if executed at EL0. We handle this correctly for
+the load/store semantics, but get the MTE checking wrong.
+We always look at s->mte_active[is_unpriv] to see whether we should
+be doing MTE checks, but in hflags.c when we set the TB flags that
+will be used to fill the mte_active[] array we only set the
+MTE0_ACTIVE bit if UNPRIV is true (i.e.  we are not at EL0).
+This means that a LDRT at EL0 will see s->mte_active[1] as 0,
+and will not do MTE checks even when MTE is enabled.
+To avoid the translate-time code having to do an explicit check on
+s->unpriv to see if it is OK to index into the mte_active[] array,
+duplicate MTE_ACTIVE into MTE0_ACTIVE when UNPRIV is false.
+(This isn't a very serious bug because generally nobody executes
+LDRT/STRT at EL0, because they have no use there.)
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20230912140434.1333369-2-peter.maydell@linaro.org
+---
+ target/arm/tcg/hflags.c | 9 +++++++++
+file changed, 9 insertions(+)
+diff --git a/target/arm/tcg/hflags.c b/target/arm/tcg/hflags.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/hflags.c
++++ b/target/arm/tcg/hflags.c
+@@ -XXX,XX +XXX,XX @@ static CPUARMTBFlags rebuild_hflags_a64(CPUARMState *env, int el, int fp_el,
+                 && !(env->pstate & PSTATE_TCO)
+                 && (sctlr & (el == 0 ? SCTLR_TCF0 : SCTLR_TCF))) {
+                 DP_TBFLAG_A64(flags, MTE_ACTIVE, 1);
++                if (!EX_TBFLAG_A64(flags, UNPRIV)) {
++                    /*
++                     * In non-unpriv contexts (eg EL0), unpriv load/stores
++                     * act like normal ones; duplicate the MTE info to
++                     * avoid translate-a64.c having to check UNPRIV to see
++                     * whether it is OK to index into MTE_ACTIVE[].
++                     */
++                    DP_TBFLAG_A64(flags, MTE0_ACTIVE, 1);
++                }
+             }
+         }
+         /* And again for unprivileged accesses, if required.  */
+--
+.34.1

-[Qemu-devel] [PULL 03/12] target-arm: Add support for PMU register PMINTENSET_EL1
+[PULL 12/30] target/arm: Implement FEAT_MOPS enable bits
-From: Wei Huang <wei@redhat.com>
+FEAT_MOPS defines a handful of new enable bits:
  * HCRX_EL2.MSCEn, SCTLR_EL1.MSCEn, SCTLR_EL2.MSCen:
    define whether the new insns should UNDEF or not
  * HCRX_EL2.MCE2: defines whether memops exceptions from
    EL1 should be taken to EL1 or EL2
-This patch adds access support for PMINTENSET_EL1.
+Since we don't sanitise what bits can be written for the SCTLR
 registers, we only need to handle the new bits in HCRX_EL2, and
 define SCTLR_MSCEN for the new SCTLR bit value.
-Signed-off-by: Wei Huang <wei@redhat.com>
+The precedence of "HCRX bits acts as 0 if SCR_EL3.HXEn is 0" versus
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+"bit acts as 1 if EL2 disabled" is not clear from the register
-Message-id: 1486504171-26807-4-git-send-email-wei@redhat.com
+definition text, but it is clear in the CheckMOPSEnabled()
 pseudocode(), so we follow that.  We'll have to check whether other
 bits we need to implement in future follow the same logic or not.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20230912140434.1333369-3-peter.maydell@linaro.org
 ---
- target/arm/cpu.h    |  2 +-
+ target/arm/cpu.h    |  6 ++++++
- target/arm/helper.c | 10 +++++++++-
+ target/arm/helper.c | 28 +++++++++++++++++++++-------
-files changed, 10 insertions(+), 2 deletions(-)
+files changed, 27 insertions(+), 7 deletions(-)
 diff --git a/target/arm/cpu.h b/target/arm/cpu.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.h
 +++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ typedef struct CPUARMState {
+@@ -XXX,XX +XXX,XX @@ void pmu_init(ARMCPU *cpu);
-         uint32_t c9_pmovsr; /* perf monitor overflow status */
+ #define SCTLR_EnIB    (1U << 30) /* v8.3, AArch64 only */
-         uint32_t c9_pmuserenr; /* perf monitor user enable */
+ #define SCTLR_EnIA    (1U << 31) /* v8.3, AArch64 only */
-         uint64_t c9_pmselr; /* perf monitor counter selection register */
+ #define SCTLR_DSSBS_32 (1U << 31) /* v8.5, AArch32 only */
--        uint32_t c9_pminten; /* perf monitor interrupt enables */
++#define SCTLR_MSCEN   (1ULL << 33) /* FEAT_MOPS */
-+        uint64_t c9_pminten; /* perf monitor interrupt enables */
+ #define SCTLR_BT0     (1ULL << 35) /* v8.5-BTI */
-         union { /* Memory attribute redirection */
+ #define SCTLR_BT1     (1ULL << 36) /* v8.5-BTI */
-             struct {
+ #define SCTLR_ITFSB   (1ULL << 37) /* v8.5-MemTag */
- #ifdef HOST_WORDS_BIGENDIAN
+@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa64_doublelock(const ARMISARegisters *id)
      return FIELD_SEX64(id->id_aa64dfr0, ID_AA64DFR0, DOUBLELOCK) >= 0;
  }
 +static inline bool isar_feature_aa64_mops(const ARMISARegisters *id)
 +{
 +    return FIELD_EX64(id->id_aa64isar2, ID_AA64ISAR2, MOPS);
 +}
 +
  /*
   * Feature tests for "does this exist in either 32-bit or 64-bit?"
   */
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v7_cp_reginfo[] = {
+@@ -XXX,XX +XXX,XX @@ static void hcrx_write(CPUARMState *env, const ARMCPRegInfo *ri,
-       .writefn = pmuserenr_write, .raw_writefn = raw_write },
+ {
-     { .name = "PMINTENSET", .cp = 15, .crn = 9, .crm = 14, .opc1 = 0, .opc2 = 1,
+     uint64_t valid_mask = 0;
-       .access = PL1_RW, .accessfn = access_tpm,
--      .fieldoffset = offsetof(CPUARMState, cp15.c9_pminten),
+-    /* No features adding bits to HCRX are implemented. */
-+      .type = ARM_CP_ALIAS,
++    /* FEAT_MOPS adds MSCEn and MCE2 */
-+      .fieldoffset = offsetoflow32(CPUARMState, cp15.c9_pminten),
++    if (cpu_isar_feature(aa64_mops, env_archcpu(env))) {
-       .resetvalue = 0,
++        valid_mask |= HCRX_MSCEN | HCRX_MCE2;
-       .writefn = pmintenset_write, .raw_writefn = raw_write },
++    }
-+    { .name = "PMINTENSET_EL1", .state = ARM_CP_STATE_AA64,
-+      .opc0 = 3, .opc1 = 0, .crn = 9, .crm = 14, .opc2 = 1,
+     /* Clear RES0 bits.  */
-+      .access = PL1_RW, .accessfn = access_tpm,
+     env->cp15.hcrx_el2 = value & valid_mask;
-+      .type = ARM_CP_IO,
+@@ -XXX,XX +XXX,XX @@ uint64_t arm_hcrx_el2_eff(CPUARMState *env)
-+      .fieldoffset = offsetof(CPUARMState, cp15.c9_pminten),
+ {
-+      .writefn = pmintenset_write, .raw_writefn = raw_write,
+     /*
-+      .resetvalue = 0x0 },
+      * The bits in this register behave as 0 for all purposes other than
-     { .name = "PMINTENCLR", .cp = 15, .crn = 9, .crm = 14, .opc1 = 0, .opc2 = 2,
+-     * direct reads of the register if:
-       .access = PL1_RW, .accessfn = access_tpm, .type = ARM_CP_ALIAS,
+-     *   - EL2 is not enabled in the current security state,
-       .fieldoffset = offsetof(CPUARMState, cp15.c9_pminten),
+-     *   - SCR_EL3.HXEn is 0.
 +     * direct reads of the register if SCR_EL3.HXEn is 0.
 +     * If EL2 is not enabled in the current security state, then the
 +     * bit may behave as if 0, or as if 1, depending on the bit.
 +     * For the moment, we treat the EL2-disabled case as taking
 +     * priority over the HXEn-disabled case. This is true for the only
 +     * bit for a feature which we implement where the answer is different
 +     * for the two cases (MSCEn for FEAT_MOPS).
 +     * This may need to be revisited for future bits.
       */
 -    if (!arm_is_el2_enabled(env)
 -        || (arm_feature(env, ARM_FEATURE_EL3)
 -            && !(env->cp15.scr_el3 & SCR_HXEN))) {
 +    if (!arm_is_el2_enabled(env)) {
 +        uint64_t hcrx = 0;
 +        if (cpu_isar_feature(aa64_mops, env_archcpu(env))) {
 +            /* MSCEn behaves as 1 if EL2 is not enabled */
 +            hcrx |= HCRX_MSCEN;
 +        }
 +        return hcrx;
 +    }
 +    if (arm_feature(env, ARM_FEATURE_EL3) && !(env->cp15.scr_el3 & SCR_HXEN)) {
          return 0;
      }
      return env->cp15.hcrx_el2;
 --
-.7.4
+.34.1

-New patch
+[PULL 13/30] target/arm: Pass unpriv bool to get_a64_user_mem_index()
+In every place that we call the get_a64_user_mem_index() function
+we do it like this:
+ memidx = a->unpriv ? get_a64_user_mem_index(s) : get_mem_index(s);
+Refactor so the caller passes in the bool that says whether they
+want the 'unpriv' or 'normal' mem_index rather than having to
+do the ?: themselves.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20230912140434.1333369-4-peter.maydell@linaro.org
+---
+ target/arm/tcg/translate-a64.c | 20 ++++++++++++++------
+file changed, 14 insertions(+), 6 deletions(-)
+diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/translate-a64.c
++++ b/target/arm/tcg/translate-a64.c
+@@ -XXX,XX +XXX,XX @@ void a64_translate_init(void)
+ }
+ /*
+- * Return the core mmu_idx to use for A64 "unprivileged load/store" insns
++ * Return the core mmu_idx to use for A64 load/store insns which
++ * have a "unprivileged load/store" variant. Those insns access
++ * EL0 if executed from an EL which has control over EL0 (usually
++ * EL1) but behave like normal loads and stores if executed from
++ * elsewhere (eg EL3).
++ *
++ * @unpriv : true for the unprivileged encoding; false for the
++ *           normal encoding (in which case we will return the same
++ *           thing as get_mem_index().
+  */
+-static int get_a64_user_mem_index(DisasContext *s)
++static int get_a64_user_mem_index(DisasContext *s, bool unpriv)
+ {
+     /*
+      * If AccType_UNPRIV is not used, the insn uses AccType_NORMAL,
+@@ -XXX,XX +XXX,XX @@ static int get_a64_user_mem_index(DisasContext *s)
+      */
+     ARMMMUIdx useridx = s->mmu_idx;
+-    if (s->unpriv) {
++    if (unpriv && s->unpriv) {
+         /*
+          * We have pre-computed the condition for AccType_UNPRIV.
+          * Therefore we should never get here with a mmu_idx for
+@@ -XXX,XX +XXX,XX @@ static void op_addr_ldst_imm_pre(DisasContext *s, arg_ldst_imm *a,
+     if (!a->p) {
+         tcg_gen_addi_i64(*dirty_addr, *dirty_addr, offset);
+     }
+-    memidx = a->unpriv ? get_a64_user_mem_index(s) : get_mem_index(s);
++    memidx = get_a64_user_mem_index(s, a->unpriv);
+     *clean_addr = gen_mte_check1_mmuidx(s, *dirty_addr, is_store,
+                                         a->w || a->rn != 31,
+                                         mop, a->unpriv, memidx);
+@@ -XXX,XX +XXX,XX @@ static bool trans_STR_i(DisasContext *s, arg_ldst_imm *a)
+ {
+     bool iss_sf, iss_valid = !a->w;
+     TCGv_i64 clean_addr, dirty_addr, tcg_rt;
+-    int memidx = a->unpriv ? get_a64_user_mem_index(s) : get_mem_index(s);
++    int memidx = get_a64_user_mem_index(s, a->unpriv);
+     MemOp mop = finalize_memop(s, a->sz + a->sign * MO_SIGN);
+     op_addr_ldst_imm_pre(s, a, &clean_addr, &dirty_addr, a->imm, true, mop);
+@@ -XXX,XX +XXX,XX @@ static bool trans_LDR_i(DisasContext *s, arg_ldst_imm *a)
+ {
+     bool iss_sf, iss_valid = !a->w;
+     TCGv_i64 clean_addr, dirty_addr, tcg_rt;
+-    int memidx = a->unpriv ? get_a64_user_mem_index(s) : get_mem_index(s);
++    int memidx = get_a64_user_mem_index(s, a->unpriv);
+     MemOp mop = finalize_memop(s, a->sz + a->sign * MO_SIGN);
+     op_addr_ldst_imm_pre(s, a, &clean_addr, &dirty_addr, a->imm, false, mop);
+--
+.34.1

-New patch
+[PULL 14/30] target/arm: Define syndrome function for MOPS exceptions
+The FEAT_MOPS memory operations can raise a Memory Copy or Memory Set
+exception if a copy or set instruction is executed when the CPU
+register state is not correct for that instruction. Define the
+usual syn_* function that constructs the syndrome register value
+for these exceptions.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20230912140434.1333369-5-peter.maydell@linaro.org
+---
+ target/arm/syndrome.h | 12 ++++++++++++
+file changed, 12 insertions(+)
+diff --git a/target/arm/syndrome.h b/target/arm/syndrome.h
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/syndrome.h
++++ b/target/arm/syndrome.h
+@@ -XXX,XX +XXX,XX @@ enum arm_exception_class {
+     EC_DATAABORT              = 0x24,
+     EC_DATAABORT_SAME_EL      = 0x25,
+     EC_SPALIGNMENT            = 0x26,
++    EC_MOP                    = 0x27,
+     EC_AA32_FPTRAP            = 0x28,
+     EC_AA64_FPTRAP            = 0x2c,
+     EC_SERROR                 = 0x2f,
+@@ -XXX,XX +XXX,XX @@ static inline uint32_t syn_serror(uint32_t extra)
+     return (EC_SERROR << ARM_EL_EC_SHIFT) | ARM_EL_IL | extra;
+ }
++static inline uint32_t syn_mop(bool is_set, bool is_setg, int options,
++                               bool epilogue, bool wrong_option, bool option_a,
++                               int destreg, int srcreg, int sizereg)
++{
++    return (EC_MOP << ARM_EL_EC_SHIFT) | ARM_EL_IL |
++        (is_set << 24) | (is_setg << 23) | (options << 19) |
++        (epilogue << 18) | (wrong_option << 17) | (option_a << 16) |
++        (destreg << 10) | (srcreg << 5) | sizereg;
++}
++
++
+ #endif /* TARGET_ARM_SYNDROME_H */
+--
+.34.1

-New patch
+[PULL 15/30] target/arm: New function allocation_tag_mem_probe()
+For the FEAT_MOPS operations, the existing allocation_tag_mem()
+function almost does what we want, but it will take a watchpoint
+exception even for an ra == 0 probe request, and it requires that the
+caller guarantee that the memory is accessible.  For FEAT_MOPS we
+want a function that will not take any kind of exception, and will
+return NULL for the not-accessible case.
+Rename allocation_tag_mem() to allocation_tag_mem_probe() and add an
+extra 'probe' argument that lets us distinguish these cases;
+allocation_tag_mem() is now a wrapper that always passes 'false'.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20230912140434.1333369-6-peter.maydell@linaro.org
+---
+ target/arm/tcg/mte_helper.c | 48 ++++++++++++++++++++++++++++---------
+file changed, 37 insertions(+), 11 deletions(-)
+diff --git a/target/arm/tcg/mte_helper.c b/target/arm/tcg/mte_helper.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/mte_helper.c
++++ b/target/arm/tcg/mte_helper.c
+@@ -XXX,XX +XXX,XX @@ static int choose_nonexcluded_tag(int tag, int offset, uint16_t exclude)
+ }
+ /**
+- * allocation_tag_mem:
++ * allocation_tag_mem_probe:
+  * @env: the cpu environment
+  * @ptr_mmu_idx: the addressing regime to use for the virtual address
+  * @ptr: the virtual address for which to look up tag memory
+  * @ptr_access: the access to use for the virtual address
+  * @ptr_size: the number of bytes in the normal memory access
+  * @tag_access: the access to use for the tag memory
++ * @probe: true to merely probe, never taking an exception
+  * @ra: the return address for exception handling
+  *
+  * Our tag memory is formatted as a sequence of little-endian nibbles.
+@@ -XXX,XX +XXX,XX @@ static int choose_nonexcluded_tag(int tag, int offset, uint16_t exclude)
+  * for the higher addr.
+  *
+  * Here, resolve the physical address from the virtual address, and return
+- * a pointer to the corresponding tag byte.  Exit with exception if the
+- * virtual address is not accessible for @ptr_access.
++ * a pointer to the corresponding tag byte.
+  *
+  * If there is no tag storage corresponding to @ptr, return NULL.
++ *
++ * If the page is inaccessible for @ptr_access, or has a watchpoint, there are
++ * three options:
++ * (1) probe = true, ra = 0 : pure probe -- we return NULL if the page is not
++ *     accessible, and do not take watchpoint traps. The calling code must
++ *     handle those cases in the right priority compared to MTE traps.
++ * (2) probe = false, ra = 0 : probe, no fault expected -- the caller guarantees
++ *     that the page is going to be accessible. We will take watchpoint traps.
++ * (3) probe = false, ra != 0 : non-probe -- we will take both memory access
++ *     traps and watchpoint traps.
++ * (probe = true, ra != 0 is invalid and will assert.)
+  */
+-static uint8_t *allocation_tag_mem(CPUARMState *env, int ptr_mmu_idx,
+-                                   uint64_t ptr, MMUAccessType ptr_access,
+-                                   int ptr_size, MMUAccessType tag_access,
+-                                   uintptr_t ra)
++static uint8_t *allocation_tag_mem_probe(CPUARMState *env, int ptr_mmu_idx,
++                                         uint64_t ptr, MMUAccessType ptr_access,
++                                         int ptr_size, MMUAccessType tag_access,
++                                         bool probe, uintptr_t ra)
+ {
+ #ifdef CONFIG_USER_ONLY
+     uint64_t clean_ptr = useronly_clean_ptr(ptr);
+@@ -XXX,XX +XXX,XX @@ static uint8_t *allocation_tag_mem(CPUARMState *env, int ptr_mmu_idx,
+     uint8_t *tags;
+     uintptr_t index;
++    assert(!(probe && ra));
++
+     if (!(flags & (ptr_access == MMU_DATA_STORE ? PAGE_WRITE_ORG : PAGE_READ))) {
+         cpu_loop_exit_sigsegv(env_cpu(env), ptr, ptr_access,
+                               !(flags & PAGE_VALID), ra);
+@@ -XXX,XX +XXX,XX @@ static uint8_t *allocation_tag_mem(CPUARMState *env, int ptr_mmu_idx,
+      * exception for inaccessible pages, and resolves the virtual address
+      * into the softmmu tlb.
+      *
+-     * When RA == 0, this is for mte_probe.  The page is expected to be
+-     * valid.  Indicate to probe_access_flags no-fault, then assert that
+-     * we received a valid page.
++     * When RA == 0, this is either a pure probe or a no-fault-expected probe.
++     * Indicate to probe_access_flags no-fault, then either return NULL
++     * for the pure probe, or assert that we received a valid page for the
++     * no-fault-expected probe.
+      */
+     flags = probe_access_full(env, ptr, 0, ptr_access, ptr_mmu_idx,
+                               ra == 0, &host, &full, ra);
++    if (probe && (flags & TLB_INVALID_MASK)) {
++        return NULL;
++    }
+     assert(!(flags & TLB_INVALID_MASK));
+     /* If the virtual page MemAttr != Tagged, access unchecked. */
+@@ -XXX,XX +XXX,XX @@ static uint8_t *allocation_tag_mem(CPUARMState *env, int ptr_mmu_idx,
+     }
+     /* Any debug exception has priority over a tag check exception. */
+-    if (unlikely(flags & TLB_WATCHPOINT)) {
++    if (!probe && unlikely(flags & TLB_WATCHPOINT)) {
+         int wp = ptr_access == MMU_DATA_LOAD ? BP_MEM_READ : BP_MEM_WRITE;
+         assert(ra != 0);
+         cpu_check_watchpoint(env_cpu(env), ptr, ptr_size, attrs, wp, ra);
+@@ -XXX,XX +XXX,XX @@ static uint8_t *allocation_tag_mem(CPUARMState *env, int ptr_mmu_idx,
+ #endif
+ }
++static uint8_t *allocation_tag_mem(CPUARMState *env, int ptr_mmu_idx,
++                                   uint64_t ptr, MMUAccessType ptr_access,
++                                   int ptr_size, MMUAccessType tag_access,
++                                   uintptr_t ra)
++{
++    return allocation_tag_mem_probe(env, ptr_mmu_idx, ptr, ptr_access,
++                                    ptr_size, tag_access, false, ra);
++}
++
+ uint64_t HELPER(irg)(CPUARMState *env, uint64_t rn, uint64_t rm)
+ {
+     uint16_t exclude = extract32(rm | env->cp15.gcr_el1, 0, 16);
+--
+.34.1

-New patch
+[PULL 16/30] target/arm: Implement MTE tag-checking functions for FEAT_MOPS
+The FEAT_MOPS instructions need a couple of helper routines that
+check for MTE tag failures:
+ * mte_mops_probe() checks whether there is going to be a tag
+   error in the next up-to-a-page worth of data
+ * mte_check_fail() is an existing function to record the fact
+   of a tag failure, which we need to make global so we can
+   call it from helper-a64.c
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20230912140434.1333369-7-peter.maydell@linaro.org
+---
+ target/arm/internals.h      | 28 +++++++++++++++++++
+ target/arm/tcg/mte_helper.c | 54 +++++++++++++++++++++++++++++++++++--
+files changed, 80 insertions(+), 2 deletions(-)
+diff --git a/target/arm/internals.h b/target/arm/internals.h
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/internals.h
++++ b/target/arm/internals.h
+@@ -XXX,XX +XXX,XX @@ FIELD(MTEDESC, SIZEM1, 12, SIMD_DATA_BITS - 12)  /* size - 1 */
+ bool mte_probe(CPUARMState *env, uint32_t desc, uint64_t ptr);
+ uint64_t mte_check(CPUARMState *env, uint32_t desc, uint64_t ptr, uintptr_t ra);
++/**
++ * mte_mops_probe: Check where the next MTE failure is for a FEAT_MOPS operation
++ * @env: CPU env
++ * @ptr: start address of memory region (dirty pointer)
++ * @size: length of region (guaranteed not to cross a page boundary)
++ * @desc: MTEDESC descriptor word (0 means no MTE checks)
++ * Returns: the size of the region that can be copied without hitting
++ *          an MTE tag failure
++ *
++ * Note that we assume that the caller has already checked the TBI
++ * and TCMA bits with mte_checks_needed() and an MTE check is definitely
++ * required.
++ */
++uint64_t mte_mops_probe(CPUARMState *env, uint64_t ptr, uint64_t size,
++                        uint32_t desc);
++
++/**
++ * mte_check_fail: Record an MTE tag check failure
++ * @env: CPU env
++ * @desc: MTEDESC descriptor word
++ * @dirty_ptr: Failing dirty address
++ * @ra: TCG retaddr
++ *
++ * This may never return (if the MTE tag checks are configured to fault).
++ */
++void mte_check_fail(CPUARMState *env, uint32_t desc,
++                    uint64_t dirty_ptr, uintptr_t ra);
++
+ static inline int allocation_tag_from_addr(uint64_t ptr)
+ {
+     return extract64(ptr, 56, 4);
+diff --git a/target/arm/tcg/mte_helper.c b/target/arm/tcg/mte_helper.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/mte_helper.c
++++ b/target/arm/tcg/mte_helper.c
+@@ -XXX,XX +XXX,XX @@ static void mte_async_check_fail(CPUARMState *env, uint64_t dirty_ptr,
+ }
+ /* Record a tag check failure.  */
+-static void mte_check_fail(CPUARMState *env, uint32_t desc,
+-                           uint64_t dirty_ptr, uintptr_t ra)
++void mte_check_fail(CPUARMState *env, uint32_t desc,
++                    uint64_t dirty_ptr, uintptr_t ra)
+ {
+     int mmu_idx = FIELD_EX32(desc, MTEDESC, MIDX);
+     ARMMMUIdx arm_mmu_idx = core_to_aa64_mmu_idx(mmu_idx);
+@@ -XXX,XX +XXX,XX @@ uint64_t HELPER(mte_check_zva)(CPUARMState *env, uint32_t desc, uint64_t ptr)
+  done:
+     return useronly_clean_ptr(ptr);
+ }
++
++uint64_t mte_mops_probe(CPUARMState *env, uint64_t ptr, uint64_t size,
++                        uint32_t desc)
++{
++    int mmu_idx, tag_count;
++    uint64_t ptr_tag, tag_first, tag_last;
++    void *mem;
++    bool w = FIELD_EX32(desc, MTEDESC, WRITE);
++    uint32_t n;
++
++    mmu_idx = FIELD_EX32(desc, MTEDESC, MIDX);
++    /* True probe; this will never fault */
++    mem = allocation_tag_mem_probe(env, mmu_idx, ptr,
++                                   w ? MMU_DATA_STORE : MMU_DATA_LOAD,
++                                   size, MMU_DATA_LOAD, true, 0);
++    if (!mem) {
++        return size;
++    }
++
++    /*
++     * TODO: checkN() is not designed for checks of the size we expect
++     * for FEAT_MOPS operations, so we should implement this differently.
++     * Maybe we should do something like
++     *   if (region start and size are aligned nicely) {
++     *      do direct loads of 64 tag bits at a time;
++     *   } else {
++     *      call checkN()
++     *   }
++     */
++    /* Round the bounds to the tag granule, and compute the number of tags. */
++    ptr_tag = allocation_tag_from_addr(ptr);
++    tag_first = QEMU_ALIGN_DOWN(ptr, TAG_GRANULE);
++    tag_last = QEMU_ALIGN_DOWN(ptr + size - 1, TAG_GRANULE);
++    tag_count = ((tag_last - tag_first) / TAG_GRANULE) + 1;
++    n = checkN(mem, ptr & TAG_GRANULE, ptr_tag, tag_count);
++    if (likely(n == tag_count)) {
++        return size;
++    }
++
++    /*
++     * Failure; for the first granule, it's at @ptr. Otherwise
++     * it's at the first byte of the nth granule. Calculate how
++     * many bytes we can access without hitting that failure.
++     */
++    if (n == 0) {
++        return 0;
++    } else {
++        return n * TAG_GRANULE - (ptr - tag_first);
++    }
++}
+--
+.34.1

-New patch
+[PULL 17/30] target/arm: Implement the SET* instructions
+Implement the SET* instructions which collectively implement a
+"memset" operation.  These come in a set of three, eg SETP
+(prologue), SETM (main), SETE (epilogue), and each of those has
+different flavours to indicate whether memory accesses should be
+unpriv or non-temporal.
+This commit does not include the "memset with tag setting"
+SETG* instructions.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20230912140434.1333369-8-peter.maydell@linaro.org
+---
+ target/arm/tcg/helper-a64.h    |   4 +
+ target/arm/tcg/a64.decode      |  16 ++
+ target/arm/tcg/helper-a64.c    | 344 +++++++++++++++++++++++++++++++++
+ target/arm/tcg/translate-a64.c |  49 +++++
+files changed, 413 insertions(+)
+diff --git a/target/arm/tcg/helper-a64.h b/target/arm/tcg/helper-a64.h
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/helper-a64.h
++++ b/target/arm/tcg/helper-a64.h
+@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_3(stzgm_tags, TCG_CALL_NO_WG, void, env, i64, i64)
+ DEF_HELPER_FLAGS_4(unaligned_access, TCG_CALL_NO_WG,
+                    noreturn, env, i64, i32, i32)
++
++DEF_HELPER_3(setp, void, env, i32, i32)
++DEF_HELPER_3(setm, void, env, i32, i32)
++DEF_HELPER_3(sete, void, env, i32, i32)
+diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/a64.decode
++++ b/target/arm/tcg/a64.decode
+@@ -XXX,XX +XXX,XX @@ LDGM            11011001 11 1 ......... 00 ..... ..... @ldst_tag_mult p=0 w=0
+ STZ2G           11011001 11 1 ......... 01 ..... ..... @ldst_tag p=1 w=1
+ STZ2G           11011001 11 1 ......... 10 ..... ..... @ldst_tag p=0 w=0
+ STZ2G           11011001 11 1 ......... 11 ..... ..... @ldst_tag p=0 w=1
++
++# Memory operations (memset, memcpy, memmove)
++# Each of these comes in a set of three, eg SETP (prologue), SETM (main),
++# SETE (epilogue), and each of those has different flavours to
++# indicate whether memory accesses should be unpriv or non-temporal.
++# We don't distinguish temporal and non-temporal accesses, but we
++# do need to report it in syndrome register values.
++
++# Memset
++&set rs rn rd unpriv nontemp
++# op2 bit 1 is nontemporal bit
++@set         .. ......... rs:5 .. nontemp:1 unpriv:1 .. rn:5 rd:5 &set
++
++SETP            00 011001110 ..... 00 . . 01 ..... ..... @set
++SETM            00 011001110 ..... 01 . . 01 ..... ..... @set
++SETE            00 011001110 ..... 10 . . 01 ..... ..... @set
+diff --git a/target/arm/tcg/helper-a64.c b/target/arm/tcg/helper-a64.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/helper-a64.c
++++ b/target/arm/tcg/helper-a64.c
+@@ -XXX,XX +XXX,XX @@ void HELPER(unaligned_access)(CPUARMState *env, uint64_t addr,
+     arm_cpu_do_unaligned_access(env_cpu(env), addr, access_type,
+                                 mmu_idx, GETPC());
+ }
++
++/* Memory operations (memset, memmove, memcpy) */
++
++/*
++ * Return true if the CPY* and SET* insns can execute; compare
++ * pseudocode CheckMOPSEnabled(), though we refactor it a little.
++ */
++static bool mops_enabled(CPUARMState *env)
++{
++    int el = arm_current_el(env);
++
++    if (el < 2 &&
++        (arm_hcr_el2_eff(env) & (HCR_E2H | HCR_TGE)) != (HCR_E2H | HCR_TGE) &&
++        !(arm_hcrx_el2_eff(env) & HCRX_MSCEN)) {
++        return false;
++    }
++
++    if (el == 0) {
++        if (!el_is_in_host(env, 0)) {
++            return env->cp15.sctlr_el[1] & SCTLR_MSCEN;
++        } else {
++            return env->cp15.sctlr_el[2] & SCTLR_MSCEN;
++        }
++    }
++    return true;
++}
++
++static void check_mops_enabled(CPUARMState *env, uintptr_t ra)
++{
++    if (!mops_enabled(env)) {
++        raise_exception_ra(env, EXCP_UDEF, syn_uncategorized(),
++                           exception_target_el(env), ra);
++    }
++}
++
++/*
++ * Return the target exception level for an exception due
++ * to mismatched arguments in a FEAT_MOPS copy or set.
++ * Compare pseudocode MismatchedCpySetTargetEL()
++ */
++static int mops_mismatch_exception_target_el(CPUARMState *env)
++{
++    int el = arm_current_el(env);
++
++    if (el > 1) {
++        return el;
++    }
++    if (el == 0 && (arm_hcr_el2_eff(env) & HCR_TGE)) {
++        return 2;
++    }
++    if (el == 1 && (arm_hcrx_el2_eff(env) & HCRX_MCE2)) {
++        return 2;
++    }
++    return 1;
++}
++
++/*
++ * Check whether an M or E instruction was executed with a CF value
++ * indicating the wrong option for this implementation.
++ * Assumes we are always Option A.
++ */
++static void check_mops_wrong_option(CPUARMState *env, uint32_t syndrome,
++                                    uintptr_t ra)
++{
++    if (env->CF != 0) {
++        syndrome |= 1 << 17; /* Set the wrong-option bit */
++        raise_exception_ra(env, EXCP_UDEF, syndrome,
++                           mops_mismatch_exception_target_el(env), ra);
++    }
++}
++
++/*
++ * Return the maximum number of bytes we can transfer starting at addr
++ * without crossing a page boundary.
++ */
++static uint64_t page_limit(uint64_t addr)
++{
++    return TARGET_PAGE_ALIGN(addr + 1) - addr;
++}
++
++/*
++ * Perform part of a memory set on an area of guest memory starting at
++ * toaddr (a dirty address) and extending for setsize bytes.
++ *
++ * Returns the number of bytes actually set, which might be less than
++ * setsize; the caller should loop until the whole set has been done.
++ * The caller should ensure that the guest registers are correct
++ * for the possibility that the first byte of the set encounters
++ * an exception or watchpoint. We guarantee not to take any faults
++ * for bytes other than the first.
++ */
++static uint64_t set_step(CPUARMState *env, uint64_t toaddr,
++                         uint64_t setsize, uint32_t data, int memidx,
++                         uint32_t *mtedesc, uintptr_t ra)
++{
++    void *mem;
++
++    setsize = MIN(setsize, page_limit(toaddr));
++    if (*mtedesc) {
++        uint64_t mtesize = mte_mops_probe(env, toaddr, setsize, *mtedesc);
++        if (mtesize == 0) {
++            /* Trap, or not. All CPU state is up to date */
++            mte_check_fail(env, *mtedesc, toaddr, ra);
++            /* Continue, with no further MTE checks required */
++            *mtedesc = 0;
++        } else {
++            /* Advance to the end, or to the tag mismatch */
++            setsize = MIN(setsize, mtesize);
++        }
++    }
++
++    toaddr = useronly_clean_ptr(toaddr);
++    /*
++     * Trapless lookup: returns NULL for invalid page, I/O,
++     * watchpoints, clean pages, etc.
++     */
++    mem = tlb_vaddr_to_host(env, toaddr, MMU_DATA_STORE, memidx);
++
++#ifndef CONFIG_USER_ONLY
++    if (unlikely(!mem)) {
++        /*
++         * Slow-path: just do one byte write. This will handle the
++         * watchpoint, invalid page, etc handling correctly.
++         * For clean code pages, the next iteration will see
++         * the page dirty and will use the fast path.
++         */
++        cpu_stb_mmuidx_ra(env, toaddr, data, memidx, ra);
++        return 1;
++    }
++#endif
++    /* Easy case: just memset the host memory */
++    memset(mem, data, setsize);
++    return setsize;
++}
++
++typedef uint64_t StepFn(CPUARMState *env, uint64_t toaddr,
++                        uint64_t setsize, uint32_t data,
++                        int memidx, uint32_t *mtedesc, uintptr_t ra);
++
++/* Extract register numbers from a MOPS exception syndrome value */
++static int mops_destreg(uint32_t syndrome)
++{
++    return extract32(syndrome, 10, 5);
++}
++
++static int mops_srcreg(uint32_t syndrome)
++{
++    return extract32(syndrome, 5, 5);
++}
++
++static int mops_sizereg(uint32_t syndrome)
++{
++    return extract32(syndrome, 0, 5);
++}
++
++/*
++ * Return true if TCMA and TBI bits mean we need to do MTE checks.
++ * We only need to do this once per MOPS insn, not for every page.
++ */
++static bool mte_checks_needed(uint64_t ptr, uint32_t desc)
++{
++    int bit55 = extract64(ptr, 55, 1);
++
++    /*
++     * Note that tbi_check() returns true for "access checked" but
++     * tcma_check() returns true for "access unchecked".
++     */
++    if (!tbi_check(desc, bit55)) {
++        return false;
++    }
++    return !tcma_check(desc, bit55, allocation_tag_from_addr(ptr));
++}
++
++/*
++ * For the Memory Set operation, our implementation chooses
++ * always to use "option A", where we update Xd to the final
++ * address in the SETP insn, and set Xn to be -(bytes remaining).
++ * On SETM and SETE insns we only need update Xn.
++ *
++ * @env: CPU
++ * @syndrome: syndrome value for mismatch exceptions
++ * (also contains the register numbers we need to use)
++ * @mtedesc: MTE descriptor word
++ * @stepfn: function which does a single part of the set operation
++ * @is_setg: true if this is the tag-setting SETG variant
++ */
++static void do_setp(CPUARMState *env, uint32_t syndrome, uint32_t mtedesc,
++                    StepFn *stepfn, bool is_setg, uintptr_t ra)
++{
++    /* Prologue: we choose to do up to the next page boundary */
++    int rd = mops_destreg(syndrome);
++    int rs = mops_srcreg(syndrome);
++    int rn = mops_sizereg(syndrome);
++    uint8_t data = env->xregs[rs];
++    uint32_t memidx = FIELD_EX32(mtedesc, MTEDESC, MIDX);
++    uint64_t toaddr = env->xregs[rd];
++    uint64_t setsize = env->xregs[rn];
++    uint64_t stagesetsize, step;
++
++    check_mops_enabled(env, ra);
++
++    if (setsize > INT64_MAX) {
++        setsize = INT64_MAX;
++    }
++
++    if (!mte_checks_needed(toaddr, mtedesc)) {
++        mtedesc = 0;
++    }
++
++    stagesetsize = MIN(setsize, page_limit(toaddr));
++    while (stagesetsize) {
++        env->xregs[rd] = toaddr;
++        env->xregs[rn] = setsize;
++        step = stepfn(env, toaddr, stagesetsize, data, memidx, &mtedesc, ra);
++        toaddr += step;
++        setsize -= step;
++        stagesetsize -= step;
++    }
++    /* Insn completed, so update registers to the Option A format */
++    env->xregs[rd] = toaddr + setsize;
++    env->xregs[rn] = -setsize;
++
++    /* Set NZCV = 0000 to indicate we are an Option A implementation */
++    env->NF = 0;
++    env->ZF = 1; /* our env->ZF encoding is inverted */
++    env->CF = 0;
++    env->VF = 0;
++    return;
++}
++
++void HELPER(setp)(CPUARMState *env, uint32_t syndrome, uint32_t mtedesc)
++{
++    do_setp(env, syndrome, mtedesc, set_step, false, GETPC());
++}
++
++static void do_setm(CPUARMState *env, uint32_t syndrome, uint32_t mtedesc,
++                    StepFn *stepfn, bool is_setg, uintptr_t ra)
++{
++    /* Main: we choose to do all the full-page chunks */
++    CPUState *cs = env_cpu(env);
++    int rd = mops_destreg(syndrome);
++    int rs = mops_srcreg(syndrome);
++    int rn = mops_sizereg(syndrome);
++    uint8_t data = env->xregs[rs];
++    uint64_t toaddr = env->xregs[rd] + env->xregs[rn];
++    uint64_t setsize = -env->xregs[rn];
++    uint32_t memidx = FIELD_EX32(mtedesc, MTEDESC, MIDX);
++    uint64_t step, stagesetsize;
++
++    check_mops_enabled(env, ra);
++
++    /*
++     * We're allowed to NOP out "no data to copy" before the consistency
++     * checks; we choose to do so.
++     */
++    if (env->xregs[rn] == 0) {
++        return;
++    }
++
++    check_mops_wrong_option(env, syndrome, ra);
++
++    /*
++     * Our implementation will work fine even if we have an unaligned
++     * destination address, and because we update Xn every time around
++     * the loop below and the return value from stepfn() may be less
++     * than requested, we might find toaddr is unaligned. So we don't
++     * have an IMPDEF check for alignment here.
++     */
++
++    if (!mte_checks_needed(toaddr, mtedesc)) {
++        mtedesc = 0;
++    }
++
++    /* Do the actual memset: we leave the last partial page to SETE */
++    stagesetsize = setsize & TARGET_PAGE_MASK;
++    while (stagesetsize > 0) {
++        step = stepfn(env, toaddr, setsize, data, memidx, &mtedesc, ra);
++        toaddr += step;
++        setsize -= step;
++        stagesetsize -= step;
++        env->xregs[rn] = -setsize;
++        if (stagesetsize > 0 && unlikely(cpu_loop_exit_requested(cs))) {
++            cpu_loop_exit_restore(cs, ra);
++        }
++    }
++}
++
++void HELPER(setm)(CPUARMState *env, uint32_t syndrome, uint32_t mtedesc)
++{
++    do_setm(env, syndrome, mtedesc, set_step, false, GETPC());
++}
++
++static void do_sete(CPUARMState *env, uint32_t syndrome, uint32_t mtedesc,
++                    StepFn *stepfn, bool is_setg, uintptr_t ra)
++{
++    /* Epilogue: do the last partial page */
++    int rd = mops_destreg(syndrome);
++    int rs = mops_srcreg(syndrome);
++    int rn = mops_sizereg(syndrome);
++    uint8_t data = env->xregs[rs];
++    uint64_t toaddr = env->xregs[rd] + env->xregs[rn];
++    uint64_t setsize = -env->xregs[rn];
++    uint32_t memidx = FIELD_EX32(mtedesc, MTEDESC, MIDX);
++    uint64_t step;
++
++    check_mops_enabled(env, ra);
++
++    /*
++     * We're allowed to NOP out "no data to copy" before the consistency
++     * checks; we choose to do so.
++     */
++    if (setsize == 0) {
++        return;
++    }
++
++    check_mops_wrong_option(env, syndrome, ra);
++
++    /*
++     * Our implementation has no address alignment requirements, but
++     * we do want to enforce the "less than a page" size requirement,
++     * so we don't need to have the "check for interrupts" here.
++     */
++    if (setsize >= TARGET_PAGE_SIZE) {
++        raise_exception_ra(env, EXCP_UDEF, syndrome,
++                           mops_mismatch_exception_target_el(env), ra);
++    }
++
++    if (!mte_checks_needed(toaddr, mtedesc)) {
++        mtedesc = 0;
++    }
++
++    /* Do the actual memset */
++    while (setsize > 0) {
++        step = stepfn(env, toaddr, setsize, data, memidx, &mtedesc, ra);
++        toaddr += step;
++        setsize -= step;
++        env->xregs[rn] = -setsize;
++    }
++}
++
++void HELPER(sete)(CPUARMState *env, uint32_t syndrome, uint32_t mtedesc)
++{
++    do_sete(env, syndrome, mtedesc, set_step, false, GETPC());
++}
+diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/translate-a64.c
++++ b/target/arm/tcg/translate-a64.c
+@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(STZG, aa64_mte_insn_reg, do_STG, a, true, false)
+ TRANS_FEAT(ST2G, aa64_mte_insn_reg, do_STG, a, false, true)
+ TRANS_FEAT(STZ2G, aa64_mte_insn_reg, do_STG, a, true, true)
++typedef void SetFn(TCGv_env, TCGv_i32, TCGv_i32);
++
++static bool do_SET(DisasContext *s, arg_set *a, bool is_epilogue, SetFn fn)
++{
++    int memidx;
++    uint32_t syndrome, desc = 0;
++
++    /*
++     * UNPREDICTABLE cases: we choose to UNDEF, which allows
++     * us to pull this check before the CheckMOPSEnabled() test
++     * (which we do in the helper function)
++     */
++    if (a->rs == a->rn || a->rs == a->rd || a->rn == a->rd ||
++        a->rd == 31 || a->rn == 31) {
++        return false;
++    }
++
++    memidx = get_a64_user_mem_index(s, a->unpriv);
++
++    /*
++     * We pass option_a == true, matching our implementation;
++     * we pass wrong_option == false: helper function may set that bit.
++     */
++    syndrome = syn_mop(true, false, (a->nontemp << 1) | a->unpriv,
++                       is_epilogue, false, true, a->rd, a->rs, a->rn);
++
++    if (s->mte_active[a->unpriv]) {
++        /* We may need to do MTE tag checking, so assemble the descriptor */
++        desc = FIELD_DP32(desc, MTEDESC, TBI, s->tbid);
++        desc = FIELD_DP32(desc, MTEDESC, TCMA, s->tcma);
++        desc = FIELD_DP32(desc, MTEDESC, WRITE, true);
++        /* SIZEM1 and ALIGN we leave 0 (byte write) */
++    }
++    /* The helper function always needs the memidx even with MTE disabled */
++    desc = FIELD_DP32(desc, MTEDESC, MIDX, memidx);
++
++    /*
++     * The helper needs the register numbers, but since they're in
++     * the syndrome anyway, we let it extract them from there rather
++     * than passing in an extra three integer arguments.
++     */
++    fn(cpu_env, tcg_constant_i32(syndrome), tcg_constant_i32(desc));
++    return true;
++}
++
++TRANS_FEAT(SETP, aa64_mops, do_SET, a, false, gen_helper_setp)
++TRANS_FEAT(SETM, aa64_mops, do_SET, a, false, gen_helper_setm)
++TRANS_FEAT(SETE, aa64_mops, do_SET, a, true, gen_helper_sete)
++
+ typedef void ArithTwoOp(TCGv_i64, TCGv_i64, TCGv_i64);
+ static bool gen_rri(DisasContext *s, arg_rri_sf *a,
+--
+.34.1

-[Qemu-devel] [PULL 02/12] target-arm: Add support for AArch64 PMU register PMXEVTYPER_EL0
+[PULL 18/30] target/arm: Define new TB flag for ATA0
-From: Wei Huang <wei@redhat.com>
+Currently the only tag-setting instructions always do so in the
 context of the current EL, and so we only need one ATA bit in the TB
 flags.  The FEAT_MOPS SETG instructions include ones which set tags
 for a non-privileged access, so we now also need the equivalent "are
 tags enabled?" information for EL0.
-In order to support Linux perf, which uses PMXEVTYPER register,
+Add the new TB flag, and convert the existing 'bool ata' field in
-this patch adds read/write access support for PMXEVTYPER. The access
+DisasContext to a 'bool ata[2]' that can be indexed by the is_unpriv
-is CONSTRAINED UNPREDICTABLE when PMSELR is not 0x1f. Additionally
+bit in an instruction, similarly to mte[2].
 this patch adds support for PMXEVTYPER_EL0.
-Signed-off-by: Wei Huang <wei@redhat.com>
-Message-id: 1486504171-26807-3-git-send-email-wei@redhat.com
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20230912140434.1333369-9-peter.maydell@linaro.org
 ---
- target/arm/cpu.h    |  1 -
+ target/arm/cpu.h               |  1 +
- target/arm/helper.c | 30 +++++++++++++++++++++++++-----
+ target/arm/tcg/translate.h     |  4 ++--
-files changed, 25 insertions(+), 6 deletions(-)
+ target/arm/tcg/hflags.c        | 12 ++++++++++++
  target/arm/tcg/translate-a64.c | 23 ++++++++++++-----------
 files changed, 27 insertions(+), 13 deletions(-)
 diff --git a/target/arm/cpu.h b/target/arm/cpu.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.h
 +++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ typedef struct CPUARMState {
+@@ -XXX,XX +XXX,XX @@ FIELD(TBFLAG_A64, SVL, 24, 4)
-         uint64_t c9_pmcr; /* performance monitor control register */
+ FIELD(TBFLAG_A64, SME_TRAP_NONSTREAMING, 28, 1)
-         uint64_t c9_pmcnten; /* perf monitor counter enables */
+ FIELD(TBFLAG_A64, FGT_ERET, 29, 1)
-         uint32_t c9_pmovsr; /* perf monitor overflow status */
+ FIELD(TBFLAG_A64, NAA, 30, 1)
--        uint32_t c9_pmxevtyper; /* perf monitor event type */
++FIELD(TBFLAG_A64, ATA0, 31, 1)
-         uint32_t c9_pmuserenr; /* perf monitor user enable */
-         uint64_t c9_pmselr; /* perf monitor counter selection register */
+ /*
-         uint32_t c9_pminten; /* perf monitor interrupt enables */
+  * Helpers for using the above.
-diff --git a/target/arm/helper.c b/target/arm/helper.c
+diff --git a/target/arm/tcg/translate.h b/target/arm/tcg/translate.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
+--- a/target/arm/tcg/translate.h
-+++ b/target/arm/helper.c
++++ b/target/arm/tcg/translate.h
-@@ -XXX,XX +XXX,XX @@ static void pmovsr_write(CPUARMState *env, const ARMCPRegInfo *ri,
+@@ -XXX,XX +XXX,XX @@ typedef struct DisasContext {
- static void pmxevtyper_write(CPUARMState *env, const ARMCPRegInfo *ri,
+     bool unpriv;
-                              uint64_t value)
+     /* True if v8.3-PAuth is active.  */
- {
+     bool pauth_active;
--    env->cp15.c9_pmxevtyper = value & 0xff;
+-    /* True if v8.5-MTE access to tags is enabled.  */
-+    /* Attempts to access PMXEVTYPER are CONSTRAINED UNPREDICTABLE when
+-    bool ata;
-+     * PMSELR value is equal to or greater than the number of implemented
++    /* True if v8.5-MTE access to tags is enabled; index with is_unpriv.  */
-+     * counters, but not equal to 0x1f. We opt to behave as a RAZ/WI.
++    bool ata[2];
-+     */
+     /* True if v8.5-MTE tag checks affect the PE; index with is_unpriv.  */
-+    if (env->cp15.c9_pmselr == 0x1f) {
+     bool mte_active[2];
-+        pmccfiltr_write(env, ri, value);
+     /* True with v8.5-BTI and SCTLR_ELx.BT* set.  */
-+    }
+diff --git a/target/arm/tcg/hflags.c b/target/arm/tcg/hflags.c
-+}
+index XXXXXXX..XXXXXXX 100644
-+
+--- a/target/arm/tcg/hflags.c
-+static uint64_t pmxevtyper_read(CPUARMState *env, const ARMCPRegInfo *ri)
++++ b/target/arm/tcg/hflags.c
-+{
+@@ -XXX,XX +XXX,XX @@ static CPUARMTBFlags rebuild_hflags_a64(CPUARMState *env, int el, int fp_el,
-+    /* We opt to behave as a RAZ/WI when attempts to access PMXEVTYPER
+             && allocation_tag_access_enabled(env, 0, sctlr)) {
-+     * are CONSTRAINED UNPREDICTABLE. See comments in pmxevtyper_write().
+             DP_TBFLAG_A64(flags, MTE0_ACTIVE, 1);
-+     */
+         }
-+    if (env->cp15.c9_pmselr == 0x1f) {
++        /*
-+        return env->cp15.pmccfiltr_el0;
++         * For unpriv tag-setting accesses we alse need ATA0. Again, in
-+    } else {
++         * contexts where unpriv and normal insns are the same we
-+        return 0;
++         * duplicate the ATA bit to save effort for translate-a64.c.
-+    }
++         */
- }
++        if (EX_TBFLAG_A64(flags, UNPRIV)) {
++            if (allocation_tag_access_enabled(env, 0, sctlr)) {
- static void pmuserenr_write(CPUARMState *env, const ARMCPRegInfo *ri,
++                DP_TBFLAG_A64(flags, ATA0, 1);
-@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v7_cp_reginfo[] = {
++            }
-       .fieldoffset = offsetof(CPUARMState, cp15.pmccfiltr_el0),
++        } else {
-       .resetvalue = 0, },
++            DP_TBFLAG_A64(flags, ATA0, EX_TBFLAG_A64(flags, ATA));
-     { .name = "PMXEVTYPER", .cp = 15, .crn = 9, .crm = 13, .opc1 = 0, .opc2 = 1,
++        }
--      .access = PL0_RW,
+         /* Cache TCMA as well as TBI. */
--      .fieldoffset = offsetof(CPUARMState, cp15.c9_pmxevtyper),
+         DP_TBFLAG_A64(flags, TCMA, aa64_va_parameter_tcma(tcr, mmu_idx));
--      .accessfn = pmreg_access, .writefn = pmxevtyper_write,
+     }
--      .raw_writefn = raw_write },
+diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
-+      .access = PL0_RW, .type = ARM_CP_NO_RAW, .accessfn = pmreg_access,
+index XXXXXXX..XXXXXXX 100644
-+      .writefn = pmxevtyper_write, .readfn = pmxevtyper_read },
+--- a/target/arm/tcg/translate-a64.c
-+    { .name = "PMXEVTYPER_EL0", .state = ARM_CP_STATE_AA64,
++++ b/target/arm/tcg/translate-a64.c
-+      .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 13, .opc2 = 1,
+@@ -XXX,XX +XXX,XX @@ static void handle_sys(DisasContext *s, bool isread,
-+      .access = PL0_RW, .type = ARM_CP_NO_RAW, .accessfn = pmreg_access,
+             clean_addr = clean_data_tbi(s, tcg_rt);
-+      .writefn = pmxevtyper_write, .readfn = pmxevtyper_read },
+             gen_probe_access(s, clean_addr, MMU_DATA_STORE, MO_8);
-     /* Unimplemented, RAZ/WI. */
-     { .name = "PMXEVCNTR", .cp = 15, .crn = 9, .crm = 13, .opc1 = 0, .opc2 = 2,
+-            if (s->ata) {
-       .access = PL0_RW, .type = ARM_CP_CONST, .resetvalue = 0,
++            if (s->ata[0]) {
                  /* Extract the tag from the register to match STZGM.  */
                  tag = tcg_temp_new_i64();
                  tcg_gen_shri_i64(tag, tcg_rt, 56);
@@ -XXX,XX +XXX,XX @@ static void handle_sys(DisasContext *s, bool isread,
              clean_addr = clean_data_tbi(s, tcg_rt);
              gen_helper_dc_zva(cpu_env, clean_addr);
 -            if (s->ata) {
 +            if (s->ata[0]) {
                  /* Extract the tag from the register to match STZGM.  */
                  tag = tcg_temp_new_i64();
                  tcg_gen_shri_i64(tag, tcg_rt, 56);
@@ -XXX,XX +XXX,XX @@ static bool trans_STGP(DisasContext *s, arg_ldstpair *a)
      tcg_gen_qemu_st_i128(tmp, clean_addr, get_mem_index(s), mop);
      /* Perform the tag store, if tag access enabled. */
 -    if (s->ata) {
 +    if (s->ata[0]) {
          if (tb_cflags(s->base.tb) & CF_PARALLEL) {
              gen_helper_stg_parallel(cpu_env, dirty_addr, dirty_addr);
          } else {
@@ -XXX,XX +XXX,XX @@ static bool trans_STZGM(DisasContext *s, arg_ldst_tag *a)
      tcg_gen_addi_i64(addr, addr, a->imm);
      tcg_rt = cpu_reg(s, a->rt);
 -    if (s->ata) {
 +    if (s->ata[0]) {
          gen_helper_stzgm_tags(cpu_env, addr, tcg_rt);
      }
      /*
@@ -XXX,XX +XXX,XX @@ static bool trans_STGM(DisasContext *s, arg_ldst_tag *a)
      tcg_gen_addi_i64(addr, addr, a->imm);
      tcg_rt = cpu_reg(s, a->rt);
 -    if (s->ata) {
 +    if (s->ata[0]) {
          gen_helper_stgm(cpu_env, addr, tcg_rt);
      } else {
          MMUAccessType acc = MMU_DATA_STORE;
@@ -XXX,XX +XXX,XX @@ static bool trans_LDGM(DisasContext *s, arg_ldst_tag *a)
      tcg_gen_addi_i64(addr, addr, a->imm);
      tcg_rt = cpu_reg(s, a->rt);
 -    if (s->ata) {
 +    if (s->ata[0]) {
          gen_helper_ldgm(tcg_rt, cpu_env, addr);
      } else {
          MMUAccessType acc = MMU_DATA_LOAD;
@@ -XXX,XX +XXX,XX @@ static bool trans_LDG(DisasContext *s, arg_ldst_tag *a)
      tcg_gen_andi_i64(addr, addr, -TAG_GRANULE);
      tcg_rt = cpu_reg(s, a->rt);
 -    if (s->ata) {
 +    if (s->ata[0]) {
          gen_helper_ldg(tcg_rt, cpu_env, addr, tcg_rt);
      } else {
          /*
@@ -XXX,XX +XXX,XX @@ static bool do_STG(DisasContext *s, arg_ldst_tag *a, bool is_zero, bool is_pair)
          tcg_gen_addi_i64(addr, addr, a->imm);
      }
      tcg_rt = cpu_reg_sp(s, a->rt);
 -    if (!s->ata) {
 +    if (!s->ata[0]) {
          /*
           * For STG and ST2G, we need to check alignment and probe memory.
           * TODO: For STZG and STZ2G, we could rely on the stores below,
@@ -XXX,XX +XXX,XX @@ static bool gen_add_sub_imm_with_tags(DisasContext *s, arg_rri_tag *a,
      tcg_rn = cpu_reg_sp(s, a->rn);
      tcg_rd = cpu_reg_sp(s, a->rd);
 -    if (s->ata) {
 +    if (s->ata[0]) {
          gen_helper_addsubg(tcg_rd, cpu_env, tcg_rn,
                             tcg_constant_i32(imm),
                             tcg_constant_i32(a->uimm4));
@@ -XXX,XX +XXX,XX @@ static void disas_data_proc_2src(DisasContext *s, uint32_t insn)
          if (sf == 0 || !dc_isar_feature(aa64_mte_insn_reg, s)) {
              goto do_unallocated;
          }
 -        if (s->ata) {
 +        if (s->ata[0]) {
              gen_helper_irg(cpu_reg_sp(s, rd), cpu_env,
                             cpu_reg_sp(s, rn), cpu_reg(s, rm));
          } else {
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_init_disas_context(DisasContextBase *dcbase,
      dc->bt = EX_TBFLAG_A64(tb_flags, BT);
      dc->btype = EX_TBFLAG_A64(tb_flags, BTYPE);
      dc->unpriv = EX_TBFLAG_A64(tb_flags, UNPRIV);
 -    dc->ata = EX_TBFLAG_A64(tb_flags, ATA);
 +    dc->ata[0] = EX_TBFLAG_A64(tb_flags, ATA);
 +    dc->ata[1] = EX_TBFLAG_A64(tb_flags, ATA0);
      dc->mte_active[0] = EX_TBFLAG_A64(tb_flags, MTE_ACTIVE);
      dc->mte_active[1] = EX_TBFLAG_A64(tb_flags, MTE0_ACTIVE);
      dc->pstate_sm = EX_TBFLAG_A64(tb_flags, PSTATE_SM);
 --
-.7.4
+.34.1

-New patch
+[PULL 19/30] target/arm: Implement the SETG* instructions
+The FEAT_MOPS SETG* instructions are very similar to the SET*
+instructions, but as well as setting memory contents they also
+set the MTE tags. They are architecturally required to operate
+on tag-granule aligned regions only.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20230912140434.1333369-10-peter.maydell@linaro.org
+---
+ target/arm/internals.h         | 10 ++++
+ target/arm/tcg/helper-a64.h    |  3 ++
+ target/arm/tcg/a64.decode      |  5 ++
+ target/arm/tcg/helper-a64.c    | 86 ++++++++++++++++++++++++++++++++--
+ target/arm/tcg/mte_helper.c    | 40 ++++++++++++++++
+ target/arm/tcg/translate-a64.c | 20 +++++---
+files changed, 155 insertions(+), 9 deletions(-)
+diff --git a/target/arm/internals.h b/target/arm/internals.h
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/internals.h
++++ b/target/arm/internals.h
+@@ -XXX,XX +XXX,XX @@ uint64_t mte_mops_probe(CPUARMState *env, uint64_t ptr, uint64_t size,
+ void mte_check_fail(CPUARMState *env, uint32_t desc,
+                     uint64_t dirty_ptr, uintptr_t ra);
++/**
++ * mte_mops_set_tags: Set MTE tags for a portion of a FEAT_MOPS operation
++ * @env: CPU env
++ * @dirty_ptr: Start address of memory region (dirty pointer)
++ * @size: length of region (guaranteed not to cross page boundary)
++ * @desc: MTEDESC descriptor word
++ */
++void mte_mops_set_tags(CPUARMState *env, uint64_t dirty_ptr, uint64_t size,
++                       uint32_t desc);
++
+ static inline int allocation_tag_from_addr(uint64_t ptr)
+ {
+     return extract64(ptr, 56, 4);
+diff --git a/target/arm/tcg/helper-a64.h b/target/arm/tcg/helper-a64.h
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/helper-a64.h
++++ b/target/arm/tcg/helper-a64.h
+@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_4(unaligned_access, TCG_CALL_NO_WG,
+ DEF_HELPER_3(setp, void, env, i32, i32)
+ DEF_HELPER_3(setm, void, env, i32, i32)
+ DEF_HELPER_3(sete, void, env, i32, i32)
++DEF_HELPER_3(setgp, void, env, i32, i32)
++DEF_HELPER_3(setgm, void, env, i32, i32)
++DEF_HELPER_3(setge, void, env, i32, i32)
+diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/a64.decode
++++ b/target/arm/tcg/a64.decode
+@@ -XXX,XX +XXX,XX @@ STZ2G           11011001 11 1 ......... 11 ..... ..... @ldst_tag p=0 w=1
+ SETP            00 011001110 ..... 00 . . 01 ..... ..... @set
+ SETM            00 011001110 ..... 01 . . 01 ..... ..... @set
+ SETE            00 011001110 ..... 10 . . 01 ..... ..... @set
++
++# Like SET, but also setting MTE tags
++SETGP           00 011101110 ..... 00 . . 01 ..... ..... @set
++SETGM           00 011101110 ..... 01 . . 01 ..... ..... @set
++SETGE           00 011101110 ..... 10 . . 01 ..... ..... @set
+diff --git a/target/arm/tcg/helper-a64.c b/target/arm/tcg/helper-a64.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/helper-a64.c
++++ b/target/arm/tcg/helper-a64.c
+@@ -XXX,XX +XXX,XX @@ static uint64_t set_step(CPUARMState *env, uint64_t toaddr,
+     return setsize;
+ }
++/*
++ * Similar, but setting tags. The architecture requires us to do this
++ * in 16-byte chunks. SETP accesses are not tag checked; they set
++ * the tags.
++ */
++static uint64_t set_step_tags(CPUARMState *env, uint64_t toaddr,
++                              uint64_t setsize, uint32_t data, int memidx,
++                              uint32_t *mtedesc, uintptr_t ra)
++{
++    void *mem;
++    uint64_t cleanaddr;
++
++    setsize = MIN(setsize, page_limit(toaddr));
++
++    cleanaddr = useronly_clean_ptr(toaddr);
++    /*
++     * Trapless lookup: returns NULL for invalid page, I/O,
++     * watchpoints, clean pages, etc.
++     */
++    mem = tlb_vaddr_to_host(env, cleanaddr, MMU_DATA_STORE, memidx);
++
++#ifndef CONFIG_USER_ONLY
++    if (unlikely(!mem)) {
++        /*
++         * Slow-path: just do one write. This will handle the
++         * watchpoint, invalid page, etc handling correctly.
++         * The architecture requires that we do 16 bytes at a time,
++         * and we know both ptr and size are 16 byte aligned.
++         * For clean code pages, the next iteration will see
++         * the page dirty and will use the fast path.
++         */
++        uint64_t repldata = data * 0x0101010101010101ULL;
++        MemOpIdx oi16 = make_memop_idx(MO_TE | MO_128, memidx);
++        cpu_st16_mmu(env, toaddr, int128_make128(repldata, repldata), oi16, ra);
++        mte_mops_set_tags(env, toaddr, 16, *mtedesc);
++        return 16;
++    }
++#endif
++    /* Easy case: just memset the host memory */
++    memset(mem, data, setsize);
++    mte_mops_set_tags(env, toaddr, setsize, *mtedesc);
++    return setsize;
++}
++
+ typedef uint64_t StepFn(CPUARMState *env, uint64_t toaddr,
+                         uint64_t setsize, uint32_t data,
+                         int memidx, uint32_t *mtedesc, uintptr_t ra);
+@@ -XXX,XX +XXX,XX @@ static bool mte_checks_needed(uint64_t ptr, uint32_t desc)
+     return !tcma_check(desc, bit55, allocation_tag_from_addr(ptr));
+ }
++/* Take an exception if the SETG addr/size are not granule aligned */
++static void check_setg_alignment(CPUARMState *env, uint64_t ptr, uint64_t size,
++                                 uint32_t memidx, uintptr_t ra)
++{
++    if ((size != 0 && !QEMU_IS_ALIGNED(ptr, TAG_GRANULE)) ||
++        !QEMU_IS_ALIGNED(size, TAG_GRANULE)) {
++        arm_cpu_do_unaligned_access(env_cpu(env), ptr, MMU_DATA_STORE,
++                                    memidx, ra);
++
++    }
++}
++
+ /*
+  * For the Memory Set operation, our implementation chooses
+  * always to use "option A", where we update Xd to the final
+@@ -XXX,XX +XXX,XX @@ static void do_setp(CPUARMState *env, uint32_t syndrome, uint32_t mtedesc,
+     if (setsize > INT64_MAX) {
+         setsize = INT64_MAX;
++        if (is_setg) {
++            setsize &= ~0xf;
++        }
+     }
+-    if (!mte_checks_needed(toaddr, mtedesc)) {
++    if (unlikely(is_setg)) {
++        check_setg_alignment(env, toaddr, setsize, memidx, ra);
++    } else if (!mte_checks_needed(toaddr, mtedesc)) {
+         mtedesc = 0;
+     }
+@@ -XXX,XX +XXX,XX @@ void HELPER(setp)(CPUARMState *env, uint32_t syndrome, uint32_t mtedesc)
+     do_setp(env, syndrome, mtedesc, set_step, false, GETPC());
+ }
++void HELPER(setgp)(CPUARMState *env, uint32_t syndrome, uint32_t mtedesc)
++{
++    do_setp(env, syndrome, mtedesc, set_step_tags, true, GETPC());
++}
++
+ static void do_setm(CPUARMState *env, uint32_t syndrome, uint32_t mtedesc,
+                     StepFn *stepfn, bool is_setg, uintptr_t ra)
+ {
+@@ -XXX,XX +XXX,XX @@ static void do_setm(CPUARMState *env, uint32_t syndrome, uint32_t mtedesc,
+      * have an IMPDEF check for alignment here.
+      */
+-    if (!mte_checks_needed(toaddr, mtedesc)) {
++    if (unlikely(is_setg)) {
++        check_setg_alignment(env, toaddr, setsize, memidx, ra);
++    } else if (!mte_checks_needed(toaddr, mtedesc)) {
+         mtedesc = 0;
+     }
+@@ -XXX,XX +XXX,XX @@ void HELPER(setm)(CPUARMState *env, uint32_t syndrome, uint32_t mtedesc)
+     do_setm(env, syndrome, mtedesc, set_step, false, GETPC());
+ }
++void HELPER(setgm)(CPUARMState *env, uint32_t syndrome, uint32_t mtedesc)
++{
++    do_setm(env, syndrome, mtedesc, set_step_tags, true, GETPC());
++}
++
+ static void do_sete(CPUARMState *env, uint32_t syndrome, uint32_t mtedesc,
+                     StepFn *stepfn, bool is_setg, uintptr_t ra)
+ {
+@@ -XXX,XX +XXX,XX @@ static void do_sete(CPUARMState *env, uint32_t syndrome, uint32_t mtedesc,
+                            mops_mismatch_exception_target_el(env), ra);
+     }
+-    if (!mte_checks_needed(toaddr, mtedesc)) {
++    if (unlikely(is_setg)) {
++        check_setg_alignment(env, toaddr, setsize, memidx, ra);
++    } else if (!mte_checks_needed(toaddr, mtedesc)) {
+         mtedesc = 0;
+     }
+@@ -XXX,XX +XXX,XX @@ void HELPER(sete)(CPUARMState *env, uint32_t syndrome, uint32_t mtedesc)
+ {
+     do_sete(env, syndrome, mtedesc, set_step, false, GETPC());
+ }
++
++void HELPER(setge)(CPUARMState *env, uint32_t syndrome, uint32_t mtedesc)
++{
++    do_sete(env, syndrome, mtedesc, set_step_tags, true, GETPC());
++}
+diff --git a/target/arm/tcg/mte_helper.c b/target/arm/tcg/mte_helper.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/mte_helper.c
++++ b/target/arm/tcg/mte_helper.c
+@@ -XXX,XX +XXX,XX @@ uint64_t mte_mops_probe(CPUARMState *env, uint64_t ptr, uint64_t size,
+         return n * TAG_GRANULE - (ptr - tag_first);
+     }
+ }
++
++void mte_mops_set_tags(CPUARMState *env, uint64_t ptr, uint64_t size,
++                       uint32_t desc)
++{
++    int mmu_idx, tag_count;
++    uint64_t ptr_tag;
++    void *mem;
++
++    if (!desc) {
++        /* Tags not actually enabled */
++        return;
++    }
++
++    mmu_idx = FIELD_EX32(desc, MTEDESC, MIDX);
++    /* True probe: this will never fault */
++    mem = allocation_tag_mem_probe(env, mmu_idx, ptr, MMU_DATA_STORE, size,
++                                   MMU_DATA_STORE, true, 0);
++    if (!mem) {
++        return;
++    }
++
++    /*
++     * We know that ptr and size are both TAG_GRANULE aligned; store
++     * the tag from the pointer value into the tag memory.
++     */
++    ptr_tag = allocation_tag_from_addr(ptr);
++    tag_count = size / TAG_GRANULE;
++    if (ptr & TAG_GRANULE) {
++        /* Not 2*TAG_GRANULE-aligned: store tag to first nibble */
++        store_tag1_parallel(TAG_GRANULE, mem, ptr_tag);
++        mem++;
++        tag_count--;
++    }
++    memset(mem, ptr_tag | (ptr_tag << 4), tag_count / 2);
++    if (tag_count & 1) {
++        /* Final trailing unaligned nibble */
++        mem += tag_count / 2;
++        store_tag1_parallel(0, mem, ptr_tag);
++    }
++}
+diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/translate-a64.c
++++ b/target/arm/tcg/translate-a64.c
+@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(STZ2G, aa64_mte_insn_reg, do_STG, a, true, true)
+ typedef void SetFn(TCGv_env, TCGv_i32, TCGv_i32);
+-static bool do_SET(DisasContext *s, arg_set *a, bool is_epilogue, SetFn fn)
++static bool do_SET(DisasContext *s, arg_set *a, bool is_epilogue,
++                   bool is_setg, SetFn fn)
+ {
+     int memidx;
+     uint32_t syndrome, desc = 0;
++    if (is_setg && !dc_isar_feature(aa64_mte, s)) {
++        return false;
++    }
++
+     /*
+      * UNPREDICTABLE cases: we choose to UNDEF, which allows
+      * us to pull this check before the CheckMOPSEnabled() test
+@@ -XXX,XX +XXX,XX @@ static bool do_SET(DisasContext *s, arg_set *a, bool is_epilogue, SetFn fn)
+      * We pass option_a == true, matching our implementation;
+      * we pass wrong_option == false: helper function may set that bit.
+      */
+-    syndrome = syn_mop(true, false, (a->nontemp << 1) | a->unpriv,
++    syndrome = syn_mop(true, is_setg, (a->nontemp << 1) | a->unpriv,
+                        is_epilogue, false, true, a->rd, a->rs, a->rn);
+-    if (s->mte_active[a->unpriv]) {
++    if (is_setg ? s->ata[a->unpriv] : s->mte_active[a->unpriv]) {
+         /* We may need to do MTE tag checking, so assemble the descriptor */
+         desc = FIELD_DP32(desc, MTEDESC, TBI, s->tbid);
+         desc = FIELD_DP32(desc, MTEDESC, TCMA, s->tcma);
+@@ -XXX,XX +XXX,XX @@ static bool do_SET(DisasContext *s, arg_set *a, bool is_epilogue, SetFn fn)
+     return true;
+ }
+-TRANS_FEAT(SETP, aa64_mops, do_SET, a, false, gen_helper_setp)
+-TRANS_FEAT(SETM, aa64_mops, do_SET, a, false, gen_helper_setm)
+-TRANS_FEAT(SETE, aa64_mops, do_SET, a, true, gen_helper_sete)
++TRANS_FEAT(SETP, aa64_mops, do_SET, a, false, false, gen_helper_setp)
++TRANS_FEAT(SETM, aa64_mops, do_SET, a, false, false, gen_helper_setm)
++TRANS_FEAT(SETE, aa64_mops, do_SET, a, true, false, gen_helper_sete)
++TRANS_FEAT(SETGP, aa64_mops, do_SET, a, false, true, gen_helper_setgp)
++TRANS_FEAT(SETGM, aa64_mops, do_SET, a, false, true, gen_helper_setgm)
++TRANS_FEAT(SETGE, aa64_mops, do_SET, a, true, true, gen_helper_setge)
+ typedef void ArithTwoOp(TCGv_i64, TCGv_i64, TCGv_i64);
+--
+.34.1

-New patch
+[PULL 20/30] target/arm: Implement MTE tag-checking functions for FEAT_MOPS copies
+The FEAT_MOPS memory copy operations need an extra helper routine
+for checking for MTE tag checking failures beyond the ones we
+already added for memory set operations:
+ * mte_mops_probe_rev() does the same job as mte_mops_probe(), but
+   it checks tags starting at the provided address and working
+   backwards, rather than forwards
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20230912140434.1333369-11-peter.maydell@linaro.org
+---
+ target/arm/internals.h      | 17 +++++++
+ target/arm/tcg/mte_helper.c | 99 +++++++++++++++++++++++++++++++++++++
+files changed, 116 insertions(+)
+diff --git a/target/arm/internals.h b/target/arm/internals.h
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/internals.h
++++ b/target/arm/internals.h
+@@ -XXX,XX +XXX,XX @@ uint64_t mte_check(CPUARMState *env, uint32_t desc, uint64_t ptr, uintptr_t ra);
+ uint64_t mte_mops_probe(CPUARMState *env, uint64_t ptr, uint64_t size,
+                         uint32_t desc);
++/**
++ * mte_mops_probe_rev: Check where the next MTE failure is for a FEAT_MOPS
++ *                     operation going in the reverse direction
++ * @env: CPU env
++ * @ptr: *end* address of memory region (dirty pointer)
++ * @size: length of region (guaranteed not to cross a page boundary)
++ * @desc: MTEDESC descriptor word (0 means no MTE checks)
++ * Returns: the size of the region that can be copied without hitting
++ *          an MTE tag failure
++ *
++ * Note that we assume that the caller has already checked the TBI
++ * and TCMA bits with mte_checks_needed() and an MTE check is definitely
++ * required.
++ */
++uint64_t mte_mops_probe_rev(CPUARMState *env, uint64_t ptr, uint64_t size,
++                            uint32_t desc);
++
+ /**
+  * mte_check_fail: Record an MTE tag check failure
+  * @env: CPU env
+diff --git a/target/arm/tcg/mte_helper.c b/target/arm/tcg/mte_helper.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/mte_helper.c
++++ b/target/arm/tcg/mte_helper.c
+@@ -XXX,XX +XXX,XX @@ static int checkN(uint8_t *mem, int odd, int cmp, int count)
+     return n;
+ }
++/**
++ * checkNrev:
++ * @tag: tag memory to test
++ * @odd: true to begin testing at tags at odd nibble
++ * @cmp: the tag to compare against
++ * @count: number of tags to test
++ *
++ * Return the number of successful tests.
++ * Thus a return value < @count indicates a failure.
++ *
++ * This is like checkN, but it runs backwards, checking the
++ * tags starting with @tag and then the tags preceding it.
++ * This is needed by the backwards-memory-copying operations.
++ */
++static int checkNrev(uint8_t *mem, int odd, int cmp, int count)
++{
++    int n = 0, diff;
++
++    /* Replicate the test tag and compare.  */
++    cmp *= 0x11;
++    diff = *mem-- ^ cmp;
++
++    if (!odd) {
++        goto start_even;
++    }
++
++    while (1) {
++        /* Test odd tag. */
++        if (unlikely((diff) & 0xf0)) {
++            break;
++        }
++        if (++n == count) {
++            break;
++        }
++
++    start_even:
++        /* Test even tag. */
++        if (unlikely((diff) & 0x0f)) {
++            break;
++        }
++        if (++n == count) {
++            break;
++        }
++
++        diff = *mem-- ^ cmp;
++    }
++    return n;
++}
++
+ /**
+  * mte_probe_int() - helper for mte_probe and mte_check
+  * @env: CPU environment
+@@ -XXX,XX +XXX,XX @@ uint64_t mte_mops_probe(CPUARMState *env, uint64_t ptr, uint64_t size,
+     }
+ }
++uint64_t mte_mops_probe_rev(CPUARMState *env, uint64_t ptr, uint64_t size,
++                            uint32_t desc)
++{
++    int mmu_idx, tag_count;
++    uint64_t ptr_tag, tag_first, tag_last;
++    void *mem;
++    bool w = FIELD_EX32(desc, MTEDESC, WRITE);
++    uint32_t n;
++
++    mmu_idx = FIELD_EX32(desc, MTEDESC, MIDX);
++    /* True probe; this will never fault */
++    mem = allocation_tag_mem_probe(env, mmu_idx, ptr,
++                                   w ? MMU_DATA_STORE : MMU_DATA_LOAD,
++                                   size, MMU_DATA_LOAD, true, 0);
++    if (!mem) {
++        return size;
++    }
++
++    /*
++     * TODO: checkNrev() is not designed for checks of the size we expect
++     * for FEAT_MOPS operations, so we should implement this differently.
++     * Maybe we should do something like
++     *   if (region start and size are aligned nicely) {
++     *      do direct loads of 64 tag bits at a time;
++     *   } else {
++     *      call checkN()
++     *   }
++     */
++    /* Round the bounds to the tag granule, and compute the number of tags. */
++    ptr_tag = allocation_tag_from_addr(ptr);
++    tag_first = QEMU_ALIGN_DOWN(ptr - (size - 1), TAG_GRANULE);
++    tag_last = QEMU_ALIGN_DOWN(ptr, TAG_GRANULE);
++    tag_count = ((tag_last - tag_first) / TAG_GRANULE) + 1;
++    n = checkNrev(mem, ptr & TAG_GRANULE, ptr_tag, tag_count);
++    if (likely(n == tag_count)) {
++        return size;
++    }
++
++    /*
++     * Failure; for the first granule, it's at @ptr. Otherwise
++     * it's at the last byte of the nth granule. Calculate how
++     * many bytes we can access without hitting that failure.
++     */
++    if (n == 0) {
++        return 0;
++    } else {
++        return (n - 1) * TAG_GRANULE + ((ptr + 1) - tag_last);
++    }
++}
++
+ void mte_mops_set_tags(CPUARMState *env, uint64_t ptr, uint64_t size,
+                        uint32_t desc)
+ {
+--
+.34.1

-New patch
+[PULL 21/30] target/arm: Implement the CPY* instructions
+The FEAT_MOPS CPY* instructions implement memory copies. These
+come in both "always forwards" (memcpy-style) and "overlap OK"
+(memmove-style) flavours.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20230912140434.1333369-12-peter.maydell@linaro.org
+---
+ target/arm/tcg/helper-a64.h    |   7 +
+ target/arm/tcg/a64.decode      |  14 +
+ target/arm/tcg/helper-a64.c    | 454 +++++++++++++++++++++++++++++++++
+ target/arm/tcg/translate-a64.c |  60 +++++
+files changed, 535 insertions(+)
+diff --git a/target/arm/tcg/helper-a64.h b/target/arm/tcg/helper-a64.h
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/helper-a64.h
++++ b/target/arm/tcg/helper-a64.h
+@@ -XXX,XX +XXX,XX @@ DEF_HELPER_3(sete, void, env, i32, i32)
+ DEF_HELPER_3(setgp, void, env, i32, i32)
+ DEF_HELPER_3(setgm, void, env, i32, i32)
+ DEF_HELPER_3(setge, void, env, i32, i32)
++
++DEF_HELPER_4(cpyp, void, env, i32, i32, i32)
++DEF_HELPER_4(cpym, void, env, i32, i32, i32)
++DEF_HELPER_4(cpye, void, env, i32, i32, i32)
++DEF_HELPER_4(cpyfp, void, env, i32, i32, i32)
++DEF_HELPER_4(cpyfm, void, env, i32, i32, i32)
++DEF_HELPER_4(cpyfe, void, env, i32, i32, i32)
+diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/a64.decode
++++ b/target/arm/tcg/a64.decode
+@@ -XXX,XX +XXX,XX @@ SETE            00 011001110 ..... 10 . . 01 ..... ..... @set
+ SETGP           00 011101110 ..... 00 . . 01 ..... ..... @set
+ SETGM           00 011101110 ..... 01 . . 01 ..... ..... @set
+ SETGE           00 011101110 ..... 10 . . 01 ..... ..... @set
++
++# Memmove/Memcopy: the CPY insns allow overlapping src/dest and
++# copy in the correct direction; the CPYF insns always copy forwards.
++#
++# options has the nontemporal and unpriv bits for src and dest
++&cpy rs rn rd options
++@cpy            .. ... . ..... rs:5 options:4 .. rn:5 rd:5 &cpy
++
++CPYFP           00 011 0 01000 ..... .... 01 ..... ..... @cpy
++CPYFM           00 011 0 01010 ..... .... 01 ..... ..... @cpy
++CPYFE           00 011 0 01100 ..... .... 01 ..... ..... @cpy
++CPYP            00 011 1 01000 ..... .... 01 ..... ..... @cpy
++CPYM            00 011 1 01010 ..... .... 01 ..... ..... @cpy
++CPYE            00 011 1 01100 ..... .... 01 ..... ..... @cpy
+diff --git a/target/arm/tcg/helper-a64.c b/target/arm/tcg/helper-a64.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/helper-a64.c
++++ b/target/arm/tcg/helper-a64.c
+@@ -XXX,XX +XXX,XX @@ static uint64_t page_limit(uint64_t addr)
+     return TARGET_PAGE_ALIGN(addr + 1) - addr;
+ }
++/*
++ * Return the number of bytes we can copy starting from addr and working
++ * backwards without crossing a page boundary.
++ */
++static uint64_t page_limit_rev(uint64_t addr)
++{
++    return (addr & ~TARGET_PAGE_MASK) + 1;
++}
++
+ /*
+  * Perform part of a memory set on an area of guest memory starting at
+  * toaddr (a dirty address) and extending for setsize bytes.
+@@ -XXX,XX +XXX,XX @@ void HELPER(setge)(CPUARMState *env, uint32_t syndrome, uint32_t mtedesc)
+ {
+     do_sete(env, syndrome, mtedesc, set_step_tags, true, GETPC());
+ }
++
++/*
++ * Perform part of a memory copy from the guest memory at fromaddr
++ * and extending for copysize bytes, to the guest memory at
++ * toaddr. Both addreses are dirty.
++ *
++ * Returns the number of bytes actually set, which might be less than
++ * copysize; the caller should loop until the whole copy has been done.
++ * The caller should ensure that the guest registers are correct
++ * for the possibility that the first byte of the copy encounters
++ * an exception or watchpoint. We guarantee not to take any faults
++ * for bytes other than the first.
++ */
++static uint64_t copy_step(CPUARMState *env, uint64_t toaddr, uint64_t fromaddr,
++                          uint64_t copysize, int wmemidx, int rmemidx,
++                          uint32_t *wdesc, uint32_t *rdesc, uintptr_t ra)
++{
++    void *rmem;
++    void *wmem;
++
++    /* Don't cross a page boundary on either source or destination */
++    copysize = MIN(copysize, page_limit(toaddr));
++    copysize = MIN(copysize, page_limit(fromaddr));
++    /*
++     * Handle MTE tag checks: either handle the tag mismatch for byte 0,
++     * or else copy up to but not including the byte with the mismatch.
++     */
++    if (*rdesc) {
++        uint64_t mtesize = mte_mops_probe(env, fromaddr, copysize, *rdesc);
++        if (mtesize == 0) {
++            mte_check_fail(env, *rdesc, fromaddr, ra);
++            *rdesc = 0;
++        } else {
++            copysize = MIN(copysize, mtesize);
++        }
++    }
++    if (*wdesc) {
++        uint64_t mtesize = mte_mops_probe(env, toaddr, copysize, *wdesc);
++        if (mtesize == 0) {
++            mte_check_fail(env, *wdesc, toaddr, ra);
++            *wdesc = 0;
++        } else {
++            copysize = MIN(copysize, mtesize);
++        }
++    }
++
++    toaddr = useronly_clean_ptr(toaddr);
++    fromaddr = useronly_clean_ptr(fromaddr);
++    /* Trapless lookup of whether we can get a host memory pointer */
++    wmem = tlb_vaddr_to_host(env, toaddr, MMU_DATA_STORE, wmemidx);
++    rmem = tlb_vaddr_to_host(env, fromaddr, MMU_DATA_LOAD, rmemidx);
++
++#ifndef CONFIG_USER_ONLY
++    /*
++     * If we don't have host memory for both source and dest then just
++     * do a single byte copy. This will handle watchpoints, invalid pages,
++     * etc correctly. For clean code pages, the next iteration will see
++     * the page dirty and will use the fast path.
++     */
++    if (unlikely(!rmem || !wmem)) {
++        uint8_t byte;
++        if (rmem) {
++            byte = *(uint8_t *)rmem;
++        } else {
++            byte = cpu_ldub_mmuidx_ra(env, fromaddr, rmemidx, ra);
++        }
++        if (wmem) {
++            *(uint8_t *)wmem = byte;
++        } else {
++            cpu_stb_mmuidx_ra(env, toaddr, byte, wmemidx, ra);
++        }
++        return 1;
++    }
++#endif
++    /* Easy case: just memmove the host memory */
++    memmove(wmem, rmem, copysize);
++    return copysize;
++}
++
++/*
++ * Do part of a backwards memory copy. Here toaddr and fromaddr point
++ * to the *last* byte to be copied.
++ */
++static uint64_t copy_step_rev(CPUARMState *env, uint64_t toaddr,
++                              uint64_t fromaddr,
++                              uint64_t copysize, int wmemidx, int rmemidx,
++                              uint32_t *wdesc, uint32_t *rdesc, uintptr_t ra)
++{
++    void *rmem;
++    void *wmem;
++
++    /* Don't cross a page boundary on either source or destination */
++    copysize = MIN(copysize, page_limit_rev(toaddr));
++    copysize = MIN(copysize, page_limit_rev(fromaddr));
++
++    /*
++     * Handle MTE tag checks: either handle the tag mismatch for byte 0,
++     * or else copy up to but not including the byte with the mismatch.
++     */
++    if (*rdesc) {
++        uint64_t mtesize = mte_mops_probe_rev(env, fromaddr, copysize, *rdesc);
++        if (mtesize == 0) {
++            mte_check_fail(env, *rdesc, fromaddr, ra);
++            *rdesc = 0;
++        } else {
++            copysize = MIN(copysize, mtesize);
++        }
++    }
++    if (*wdesc) {
++        uint64_t mtesize = mte_mops_probe_rev(env, toaddr, copysize, *wdesc);
++        if (mtesize == 0) {
++            mte_check_fail(env, *wdesc, toaddr, ra);
++            *wdesc = 0;
++        } else {
++            copysize = MIN(copysize, mtesize);
++        }
++    }
++
++    toaddr = useronly_clean_ptr(toaddr);
++    fromaddr = useronly_clean_ptr(fromaddr);
++    /* Trapless lookup of whether we can get a host memory pointer */
++    wmem = tlb_vaddr_to_host(env, toaddr, MMU_DATA_STORE, wmemidx);
++    rmem = tlb_vaddr_to_host(env, fromaddr, MMU_DATA_LOAD, rmemidx);
++
++#ifndef CONFIG_USER_ONLY
++    /*
++     * If we don't have host memory for both source and dest then just
++     * do a single byte copy. This will handle watchpoints, invalid pages,
++     * etc correctly. For clean code pages, the next iteration will see
++     * the page dirty and will use the fast path.
++     */
++    if (unlikely(!rmem || !wmem)) {
++        uint8_t byte;
++        if (rmem) {
++            byte = *(uint8_t *)rmem;
++        } else {
++            byte = cpu_ldub_mmuidx_ra(env, fromaddr, rmemidx, ra);
++        }
++        if (wmem) {
++            *(uint8_t *)wmem = byte;
++        } else {
++            cpu_stb_mmuidx_ra(env, toaddr, byte, wmemidx, ra);
++        }
++        return 1;
++    }
++#endif
++    /*
++     * Easy case: just memmove the host memory. Note that wmem and
++     * rmem here point to the *last* byte to copy.
++     */
++    memmove(wmem - (copysize - 1), rmem - (copysize - 1), copysize);
++    return copysize;
++}
++
++/*
++ * for the Memory Copy operation, our implementation chooses always
++ * to use "option A", where we update Xd and Xs to the final addresses
++ * in the CPYP insn, and then in CPYM and CPYE only need to update Xn.
++ *
++ * @env: CPU
++ * @syndrome: syndrome value for mismatch exceptions
++ * (also contains the register numbers we need to use)
++ * @wdesc: MTE descriptor for the writes (destination)
++ * @rdesc: MTE descriptor for the reads (source)
++ * @move: true if this is CPY (memmove), false for CPYF (memcpy forwards)
++ */
++static void do_cpyp(CPUARMState *env, uint32_t syndrome, uint32_t wdesc,
++                    uint32_t rdesc, uint32_t move, uintptr_t ra)
++{
++    int rd = mops_destreg(syndrome);
++    int rs = mops_srcreg(syndrome);
++    int rn = mops_sizereg(syndrome);
++    uint32_t rmemidx = FIELD_EX32(rdesc, MTEDESC, MIDX);
++    uint32_t wmemidx = FIELD_EX32(wdesc, MTEDESC, MIDX);
++    bool forwards = true;
++    uint64_t toaddr = env->xregs[rd];
++    uint64_t fromaddr = env->xregs[rs];
++    uint64_t copysize = env->xregs[rn];
++    uint64_t stagecopysize, step;
++
++    check_mops_enabled(env, ra);
++
++
++    if (move) {
++        /*
++         * Copy backwards if necessary. The direction for a non-overlapping
++         * copy is IMPDEF; we choose forwards.
++         */
++        if (copysize > 0x007FFFFFFFFFFFFFULL) {
++            copysize = 0x007FFFFFFFFFFFFFULL;
++        }
++        uint64_t fs = extract64(fromaddr, 0, 56);
++        uint64_t ts = extract64(toaddr, 0, 56);
++        uint64_t fe = extract64(fromaddr + copysize, 0, 56);
++
++        if (fs < ts && fe > ts) {
++            forwards = false;
++        }
++    } else {
++        if (copysize > INT64_MAX) {
++            copysize = INT64_MAX;
++        }
++    }
++
++    if (!mte_checks_needed(fromaddr, rdesc)) {
++        rdesc = 0;
++    }
++    if (!mte_checks_needed(toaddr, wdesc)) {
++        wdesc = 0;
++    }
++
++    if (forwards) {
++        stagecopysize = MIN(copysize, page_limit(toaddr));
++        stagecopysize = MIN(stagecopysize, page_limit(fromaddr));
++        while (stagecopysize) {
++            env->xregs[rd] = toaddr;
++            env->xregs[rs] = fromaddr;
++            env->xregs[rn] = copysize;
++            step = copy_step(env, toaddr, fromaddr, stagecopysize,
++                             wmemidx, rmemidx, &wdesc, &rdesc, ra);
++            toaddr += step;
++            fromaddr += step;
++            copysize -= step;
++            stagecopysize -= step;
++        }
++        /* Insn completed, so update registers to the Option A format */
++        env->xregs[rd] = toaddr + copysize;
++        env->xregs[rs] = fromaddr + copysize;
++        env->xregs[rn] = -copysize;
++    } else {
++        /*
++         * In a reverse copy the to and from addrs in Xs and Xd are the start
++         * of the range, but it's more convenient for us to work with pointers
++         * to the last byte being copied.
++         */
++        toaddr += copysize - 1;
++        fromaddr += copysize - 1;
++        stagecopysize = MIN(copysize, page_limit_rev(toaddr));
++        stagecopysize = MIN(stagecopysize, page_limit_rev(fromaddr));
++        while (stagecopysize) {
++            env->xregs[rn] = copysize;
++            step = copy_step_rev(env, toaddr, fromaddr, stagecopysize,
++                                 wmemidx, rmemidx, &wdesc, &rdesc, ra);
++            copysize -= step;
++            stagecopysize -= step;
++            toaddr -= step;
++            fromaddr -= step;
++        }
++        /*
++         * Insn completed, so update registers to the Option A format.
++         * For a reverse copy this is no different to the CPYP input format.
++         */
++        env->xregs[rn] = copysize;
++    }
++
++    /* Set NZCV = 0000 to indicate we are an Option A implementation */
++    env->NF = 0;
++    env->ZF = 1; /* our env->ZF encoding is inverted */
++    env->CF = 0;
++    env->VF = 0;
++    return;
++}
++
++void HELPER(cpyp)(CPUARMState *env, uint32_t syndrome, uint32_t wdesc,
++                  uint32_t rdesc)
++{
++    do_cpyp(env, syndrome, wdesc, rdesc, true, GETPC());
++}
++
++void HELPER(cpyfp)(CPUARMState *env, uint32_t syndrome, uint32_t wdesc,
++                   uint32_t rdesc)
++{
++    do_cpyp(env, syndrome, wdesc, rdesc, false, GETPC());
++}
++
++static void do_cpym(CPUARMState *env, uint32_t syndrome, uint32_t wdesc,
++                    uint32_t rdesc, uint32_t move, uintptr_t ra)
++{
++    /* Main: we choose to copy until less than a page remaining */
++    CPUState *cs = env_cpu(env);
++    int rd = mops_destreg(syndrome);
++    int rs = mops_srcreg(syndrome);
++    int rn = mops_sizereg(syndrome);
++    uint32_t rmemidx = FIELD_EX32(rdesc, MTEDESC, MIDX);
++    uint32_t wmemidx = FIELD_EX32(wdesc, MTEDESC, MIDX);
++    bool forwards = true;
++    uint64_t toaddr, fromaddr, copysize, step;
++
++    check_mops_enabled(env, ra);
++
++    /* We choose to NOP out "no data to copy" before consistency checks */
++    if (env->xregs[rn] == 0) {
++        return;
++    }
++
++    check_mops_wrong_option(env, syndrome, ra);
++
++    if (move) {
++        forwards = (int64_t)env->xregs[rn] < 0;
++    }
++
++    if (forwards) {
++        toaddr = env->xregs[rd] + env->xregs[rn];
++        fromaddr = env->xregs[rs] + env->xregs[rn];
++        copysize = -env->xregs[rn];
++    } else {
++        copysize = env->xregs[rn];
++        /* This toaddr and fromaddr point to the *last* byte to copy */
++        toaddr = env->xregs[rd] + copysize - 1;
++        fromaddr = env->xregs[rs] + copysize - 1;
++    }
++
++    if (!mte_checks_needed(fromaddr, rdesc)) {
++        rdesc = 0;
++    }
++    if (!mte_checks_needed(toaddr, wdesc)) {
++        wdesc = 0;
++    }
++
++    /* Our implementation has no particular parameter requirements for CPYM */
++
++    /* Do the actual memmove */
++    if (forwards) {
++        while (copysize >= TARGET_PAGE_SIZE) {
++            step = copy_step(env, toaddr, fromaddr, copysize,
++                             wmemidx, rmemidx, &wdesc, &rdesc, ra);
++            toaddr += step;
++            fromaddr += step;
++            copysize -= step;
++            env->xregs[rn] = -copysize;
++            if (copysize >= TARGET_PAGE_SIZE &&
++                unlikely(cpu_loop_exit_requested(cs))) {
++                cpu_loop_exit_restore(cs, ra);
++            }
++        }
++    } else {
++        while (copysize >= TARGET_PAGE_SIZE) {
++            step = copy_step_rev(env, toaddr, fromaddr, copysize,
++                                 wmemidx, rmemidx, &wdesc, &rdesc, ra);
++            toaddr -= step;
++            fromaddr -= step;
++            copysize -= step;
++            env->xregs[rn] = copysize;
++            if (copysize >= TARGET_PAGE_SIZE &&
++                unlikely(cpu_loop_exit_requested(cs))) {
++                cpu_loop_exit_restore(cs, ra);
++            }
++        }
++    }
++}
++
++void HELPER(cpym)(CPUARMState *env, uint32_t syndrome, uint32_t wdesc,
++                  uint32_t rdesc)
++{
++    do_cpym(env, syndrome, wdesc, rdesc, true, GETPC());
++}
++
++void HELPER(cpyfm)(CPUARMState *env, uint32_t syndrome, uint32_t wdesc,
++                   uint32_t rdesc)
++{
++    do_cpym(env, syndrome, wdesc, rdesc, false, GETPC());
++}
++
++static void do_cpye(CPUARMState *env, uint32_t syndrome, uint32_t wdesc,
++                    uint32_t rdesc, uint32_t move, uintptr_t ra)
++{
++    /* Epilogue: do the last partial page */
++    int rd = mops_destreg(syndrome);
++    int rs = mops_srcreg(syndrome);
++    int rn = mops_sizereg(syndrome);
++    uint32_t rmemidx = FIELD_EX32(rdesc, MTEDESC, MIDX);
++    uint32_t wmemidx = FIELD_EX32(wdesc, MTEDESC, MIDX);
++    bool forwards = true;
++    uint64_t toaddr, fromaddr, copysize, step;
++
++    check_mops_enabled(env, ra);
++
++    /* We choose to NOP out "no data to copy" before consistency checks */
++    if (env->xregs[rn] == 0) {
++        return;
++    }
++
++    check_mops_wrong_option(env, syndrome, ra);
++
++    if (move) {
++        forwards = (int64_t)env->xregs[rn] < 0;
++    }
++
++    if (forwards) {
++        toaddr = env->xregs[rd] + env->xregs[rn];
++        fromaddr = env->xregs[rs] + env->xregs[rn];
++        copysize = -env->xregs[rn];
++    } else {
++        copysize = env->xregs[rn];
++        /* This toaddr and fromaddr point to the *last* byte to copy */
++        toaddr = env->xregs[rd] + copysize - 1;
++        fromaddr = env->xregs[rs] + copysize - 1;
++    }
++
++    if (!mte_checks_needed(fromaddr, rdesc)) {
++        rdesc = 0;
++    }
++    if (!mte_checks_needed(toaddr, wdesc)) {
++        wdesc = 0;
++    }
++
++    /* Check the size; we don't want to have do a check-for-interrupts */
++    if (copysize >= TARGET_PAGE_SIZE) {
++        raise_exception_ra(env, EXCP_UDEF, syndrome,
++                           mops_mismatch_exception_target_el(env), ra);
++    }
++
++    /* Do the actual memmove */
++    if (forwards) {
++        while (copysize > 0) {
++            step = copy_step(env, toaddr, fromaddr, copysize,
++                             wmemidx, rmemidx, &wdesc, &rdesc, ra);
++            toaddr += step;
++            fromaddr += step;
++            copysize -= step;
++            env->xregs[rn] = -copysize;
++        }
++    } else {
++        while (copysize > 0) {
++            step = copy_step_rev(env, toaddr, fromaddr, copysize,
++                                 wmemidx, rmemidx, &wdesc, &rdesc, ra);
++            toaddr -= step;
++            fromaddr -= step;
++            copysize -= step;
++            env->xregs[rn] = copysize;
++        }
++    }
++}
++
++void HELPER(cpye)(CPUARMState *env, uint32_t syndrome, uint32_t wdesc,
++                  uint32_t rdesc)
++{
++    do_cpye(env, syndrome, wdesc, rdesc, true, GETPC());
++}
++
++void HELPER(cpyfe)(CPUARMState *env, uint32_t syndrome, uint32_t wdesc,
++                   uint32_t rdesc)
++{
++    do_cpye(env, syndrome, wdesc, rdesc, false, GETPC());
++}
+diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/translate-a64.c
++++ b/target/arm/tcg/translate-a64.c
+@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(SETGP, aa64_mops, do_SET, a, false, true, gen_helper_setgp)
+ TRANS_FEAT(SETGM, aa64_mops, do_SET, a, false, true, gen_helper_setgm)
+ TRANS_FEAT(SETGE, aa64_mops, do_SET, a, true, true, gen_helper_setge)
++typedef void CpyFn(TCGv_env, TCGv_i32, TCGv_i32, TCGv_i32);
++
++static bool do_CPY(DisasContext *s, arg_cpy *a, bool is_epilogue, CpyFn fn)
++{
++    int rmemidx, wmemidx;
++    uint32_t syndrome, rdesc = 0, wdesc = 0;
++    bool wunpriv = extract32(a->options, 0, 1);
++    bool runpriv = extract32(a->options, 1, 1);
++
++    /*
++     * UNPREDICTABLE cases: we choose to UNDEF, which allows
++     * us to pull this check before the CheckMOPSEnabled() test
++     * (which we do in the helper function)
++     */
++    if (a->rs == a->rn || a->rs == a->rd || a->rn == a->rd ||
++        a->rd == 31 || a->rs == 31 || a->rn == 31) {
++        return false;
++    }
++
++    rmemidx = get_a64_user_mem_index(s, runpriv);
++    wmemidx = get_a64_user_mem_index(s, wunpriv);
++
++    /*
++     * We pass option_a == true, matching our implementation;
++     * we pass wrong_option == false: helper function may set that bit.
++     */
++    syndrome = syn_mop(false, false, a->options, is_epilogue,
++                       false, true, a->rd, a->rs, a->rn);
++
++    /* If we need to do MTE tag checking, assemble the descriptors */
++    if (s->mte_active[runpriv]) {
++        rdesc = FIELD_DP32(rdesc, MTEDESC, TBI, s->tbid);
++        rdesc = FIELD_DP32(rdesc, MTEDESC, TCMA, s->tcma);
++    }
++    if (s->mte_active[wunpriv]) {
++        wdesc = FIELD_DP32(wdesc, MTEDESC, TBI, s->tbid);
++        wdesc = FIELD_DP32(wdesc, MTEDESC, TCMA, s->tcma);
++        wdesc = FIELD_DP32(wdesc, MTEDESC, WRITE, true);
++    }
++    /* The helper function needs these parts of the descriptor regardless */
++    rdesc = FIELD_DP32(rdesc, MTEDESC, MIDX, rmemidx);
++    wdesc = FIELD_DP32(wdesc, MTEDESC, MIDX, wmemidx);
++
++    /*
++     * The helper needs the register numbers, but since they're in
++     * the syndrome anyway, we let it extract them from there rather
++     * than passing in an extra three integer arguments.
++     */
++    fn(cpu_env, tcg_constant_i32(syndrome), tcg_constant_i32(wdesc),
++       tcg_constant_i32(rdesc));
++    return true;
++}
++
++TRANS_FEAT(CPYP, aa64_mops, do_CPY, a, false, gen_helper_cpyp)
++TRANS_FEAT(CPYM, aa64_mops, do_CPY, a, false, gen_helper_cpym)
++TRANS_FEAT(CPYE, aa64_mops, do_CPY, a, true, gen_helper_cpye)
++TRANS_FEAT(CPYFP, aa64_mops, do_CPY, a, false, gen_helper_cpyfp)
++TRANS_FEAT(CPYFM, aa64_mops, do_CPY, a, false, gen_helper_cpyfm)
++TRANS_FEAT(CPYFE, aa64_mops, do_CPY, a, true, gen_helper_cpyfe)
++
+ typedef void ArithTwoOp(TCGv_i64, TCGv_i64, TCGv_i64);
+ static bool gen_rri(DisasContext *s, arg_rri_sf *a,
+--
+.34.1

-New patch
+[PULL 22/30] target/arm: Enable FEAT_MOPS for CPU 'max'
+Enable FEAT_MOPS on the AArch64 'max' CPU, and add it to
+the list of features we implement.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20230912140434.1333369-13-peter.maydell@linaro.org
+---
+ docs/system/arm/emulation.rst | 1 +
+ linux-user/elfload.c          | 1 +
+ target/arm/tcg/cpu64.c        | 1 +
+files changed, 3 insertions(+)
+diff --git a/docs/system/arm/emulation.rst b/docs/system/arm/emulation.rst
+index XXXXXXX..XXXXXXX 100644
+--- a/docs/system/arm/emulation.rst
++++ b/docs/system/arm/emulation.rst
+@@ -XXX,XX +XXX,XX @@ the following architecture extensions:
+ - FEAT_LSE (Large System Extensions)
+ - FEAT_LSE2 (Large System Extensions v2)
+ - FEAT_LVA (Large Virtual Address space)
++- FEAT_MOPS (Standardization of memory operations)
+ - FEAT_MTE (Memory Tagging Extension)
+ - FEAT_MTE2 (Memory Tagging Extension)
+ - FEAT_MTE3 (MTE Asymmetric Fault Handling)
+diff --git a/linux-user/elfload.c b/linux-user/elfload.c
+index XXXXXXX..XXXXXXX 100644
+--- a/linux-user/elfload.c
++++ b/linux-user/elfload.c
+@@ -XXX,XX +XXX,XX @@ uint32_t get_elf_hwcap2(void)
+     GET_FEATURE_ID(aa64_sme_i16i64, ARM_HWCAP2_A64_SME_I16I64);
+     GET_FEATURE_ID(aa64_sme_fa64, ARM_HWCAP2_A64_SME_FA64);
+     GET_FEATURE_ID(aa64_hbc, ARM_HWCAP2_A64_HBC);
++    GET_FEATURE_ID(aa64_mops, ARM_HWCAP2_A64_MOPS);
+     return hwcaps;
+ }
+diff --git a/target/arm/tcg/cpu64.c b/target/arm/tcg/cpu64.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/tcg/cpu64.c
++++ b/target/arm/tcg/cpu64.c
+@@ -XXX,XX +XXX,XX @@ void aarch64_max_tcg_initfn(Object *obj)
+     cpu->isar.id_aa64isar1 = t;
+     t = cpu->isar.id_aa64isar2;
++    t = FIELD_DP64(t, ID_AA64ISAR2, MOPS, 1);     /* FEAT_MOPS */
+     t = FIELD_DP64(t, ID_AA64ISAR2, BC, 1);      /* FEAT_HBC */
+     cpu->isar.id_aa64isar2 = t;
+--
+.34.1

-[Qemu-devel] [PULL 06/12] hw/arm/virt: Declare virtio-mmio as dma cache coherent in ACPI
+[PULL 23/30] audio/jackaudio: Avoid dynamic stack allocation in qjack_client_init
-From: Alexander Graf <agraf@suse.de>
+Avoid a dynamic stack allocation in qjack_client_init(), by using
 a g_autofree heap allocation instead.
-Virtio-mmio devices can directly access guest memory and do so in cache
+(We stick with allocate + snprintf() because the JACK API requires
-coherent fashion. Tell the guest about that fact when it's using ACPI.
+the name to be no more than its maximum size, so g_strdup_printf()
 would require an extra truncation step.)
-Signed-off-by: Alexander Graf <agraf@suse.de>
+The codebase has very few VLAs, and if we can get rid of them all we
-Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+can make the compiler error on new additions.  This is a defensive
-Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+measure against security bugs where an on-stack dynamic allocation
-Reviewed-by: Shannon Zhao <shannon.zhao@linaro.org>
+isn't correctly size-checked (e.g.  CVE-2021-3527).
-Message-id: 1486644810-33181-3-git-send-email-agraf@suse.de
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
+Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
+Message-id: 20230818155846.1651287-2-peter.maydell@linaro.org
 ---
- hw/arm/virt-acpi-build.c | 1 +
+ audio/jackaudio.c | 5 +++--
-file changed, 1 insertion(+)
+file changed, 3 insertions(+), 2 deletions(-)
-diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c
+diff --git a/audio/jackaudio.c b/audio/jackaudio.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/virt-acpi-build.c
+--- a/audio/jackaudio.c
-+++ b/hw/arm/virt-acpi-build.c
++++ b/audio/jackaudio.c
-@@ -XXX,XX +XXX,XX @@ static void acpi_dsdt_add_virtio(Aml *scope,
+@@ -XXX,XX +XXX,XX @@ static void qjack_client_connect_ports(QJackClient *c)
-         Aml *dev = aml_device("VR%02u", i);
+ static int qjack_client_init(QJackClient *c)
-         aml_append(dev, aml_name_decl("_HID", aml_string("LNRO0005")));
+ {
-         aml_append(dev, aml_name_decl("_UID", aml_int(i)));
+     jack_status_t status;
-+        aml_append(dev, aml_name_decl("_CCA", aml_int(1)));
+-    char client_name[jack_client_name_size()];
++    int client_name_len = jack_client_name_size(); /* includes NUL */
-         Aml *crs = aml_resource_template();
++    g_autofree char *client_name = g_new(char, client_name_len);
-         aml_append(crs, aml_memory32_fixed(base, size, AML_READ_WRITE));
+     jack_options_t options = JackNullOption;
      if (c->state == QJACK_STATE_RUNNING) {
@@ -XXX,XX +XXX,XX @@ static int qjack_client_init(QJackClient *c)
      c->connect_ports = true;
 -    snprintf(client_name, sizeof(client_name), "%s-%s",
 +    snprintf(client_name, client_name_len, "%s-%s",
          c->out ? "out" : "in",
          c->opt->client_name ? c->opt->client_name : audio_application_name());
 --
-.7.4
+.34.1

-[Qemu-devel] [PULL 12/12] aspeed/smc: use a modulo to check segment limits
+[PULL 24/30] audio/jackaudio: Avoid dynamic stack allocation in qjack_process()
-From: Cédric Le Goater <clg@kaod.org>
+Avoid a dynamic stack allocation in qjack_process().  Since this
 function is a JACK process callback, we are not permitted to malloc()
 here, so we allocate a working buffer in qjack_client_init() instead.
-The size of a segment is not necessarily a power of 2.
+The codebase has very few VLAs, and if we can get rid of them all we
 can make the compiler error on new additions.  This is a defensive
 measure against security bugs where an on-stack dynamic allocation
 isn't correctly size-checked (e.g.  CVE-2021-3527).
-Signed-off-by: Cédric Le Goater <clg@kaod.org>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Message-id: 1486648058-520-5-git-send-email-clg@kaod.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
+Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
+Message-id: 20230818155846.1651287-3-peter.maydell@linaro.org
 ---
- hw/ssi/aspeed_smc.c | 4 ++--
+ audio/jackaudio.c | 16 +++++++++++-----
-file changed, 2 insertions(+), 2 deletions(-)
+file changed, 11 insertions(+), 5 deletions(-)
-diff --git a/hw/ssi/aspeed_smc.c b/hw/ssi/aspeed_smc.c
+diff --git a/audio/jackaudio.c b/audio/jackaudio.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/ssi/aspeed_smc.c
+--- a/audio/jackaudio.c
-+++ b/hw/ssi/aspeed_smc.c
++++ b/audio/jackaudio.c
-@@ -XXX,XX +XXX,XX @@ static uint32_t aspeed_smc_check_segment_addr(const AspeedSMCFlash *fl,
+@@ -XXX,XX +XXX,XX @@ typedef struct QJackClient {
-     AspeedSegments seg;
+     int             buffersize;
+     jack_port_t   **port;
-     aspeed_smc_reg_to_segment(s->regs[R_SEG_ADDR0 + fl->id], &seg);
+     QJackBuffer     fifo;
--    if ((addr & (seg.size - 1)) != addr) {
++
-+    if ((addr % seg.size) != addr) {
++    /* Used as workspace by qjack_process() */
-         qemu_log_mask(LOG_GUEST_ERROR,
++    float **process_buffers;
-                       "%s: invalid address 0x%08x for CS%d segment : "
+ }
-                       "[ 0x%"HWADDR_PRIx" - 0x%"HWADDR_PRIx" ]\n",
+ QJackClient;
-                       s->ctrl->name, addr, fl->id, seg.addr,
-                       seg.addr + seg.size);
+@@ -XXX,XX +XXX,XX @@ static int qjack_process(jack_nframes_t nframes, void *arg)
 +        addr %= seg.size;
      }
--    addr &= seg.size - 1;
+     /* get the buffers for the ports */
-     return addr;
+-    float *buffers[c->nchannels];
- }
+     for (int i = 0; i < c->nchannels; ++i) {
+-        buffers[i] = jack_port_get_buffer(c->port[i], nframes);
 +        c->process_buffers[i] = jack_port_get_buffer(c->port[i], nframes);
      }
      if (c->out) {
          if (likely(c->enabled)) {
 -            qjack_buffer_read_l(&c->fifo, buffers, nframes);
 +            qjack_buffer_read_l(&c->fifo, c->process_buffers, nframes);
          } else {
              for (int i = 0; i < c->nchannels; ++i) {
 -                memset(buffers[i], 0, nframes * sizeof(float));
 +                memset(c->process_buffers[i], 0, nframes * sizeof(float));
              }
          }
      } else {
          if (likely(c->enabled)) {
 -            qjack_buffer_write_l(&c->fifo, buffers, nframes);
 +            qjack_buffer_write_l(&c->fifo, c->process_buffers, nframes);
          }
      }
@@ -XXX,XX +XXX,XX @@ static int qjack_client_init(QJackClient *c)
            jack_get_client_name(c->client));
      }
 +    /* Allocate working buffer for process callback */
 +    c->process_buffers = g_new(float *, c->nchannels);
 +
      jack_set_process_callback(c->client, qjack_process , c);
      jack_set_port_registration_callback(c->client, qjack_port_registration, c);
      jack_set_xrun_callback(c->client, qjack_xrun, c);
@@ -XXX,XX +XXX,XX @@ static void qjack_client_fini_locked(QJackClient *c)
          qjack_buffer_free(&c->fifo);
          g_free(c->port);
 +        g_free(c->process_buffers);
          c->state = QJACK_STATE_DISCONNECTED;
          /* fallthrough */
 --
-.7.4
+.34.1

-New patch
+[PULL 25/30] sbsa-ref: add non-secure EL2 virtual timer
+From: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
+Armv8.1+ cpus have Virtual Host Extension (VHE) which added non-secure
+EL2 virtual timer.
+This change adds it to fullfil Arm BSA (Base System Architecture)
+requirements.
+Signed-off-by: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
+Message-id: 20230913140610.214893-2-marcin.juszkiewicz@linaro.org
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ hw/arm/sbsa-ref.c | 2 ++
+file changed, 2 insertions(+)
+diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/sbsa-ref.c
++++ b/hw/arm/sbsa-ref.c
+@@ -XXX,XX +XXX,XX @@
+ #define ARCH_TIMER_S_EL1_IRQ   13
+ #define ARCH_TIMER_NS_EL1_IRQ  14
+ #define ARCH_TIMER_NS_EL2_IRQ  10
++#define ARCH_TIMER_NS_EL2_VIRT_IRQ  12
+ enum {
+     SBSA_FLASH,
+@@ -XXX,XX +XXX,XX @@ static void create_gic(SBSAMachineState *sms, MemoryRegion *mem)
+             [GTIMER_VIRT] = ARCH_TIMER_VIRT_IRQ,
+             [GTIMER_HYP]  = ARCH_TIMER_NS_EL2_IRQ,
+             [GTIMER_SEC]  = ARCH_TIMER_S_EL1_IRQ,
++            [GTIMER_HYPVIRT] = ARCH_TIMER_NS_EL2_VIRT_IRQ,
+         };
+         for (irq = 0; irq < ARRAY_SIZE(timer_irq); irq++) {
+--
+.34.1

-[Qemu-devel] [PULL 11/12] aspeed/smc: handle dummies only in fast read mode
+[PULL 26/30] elf2dmp: replace PE export name check with PDB name check
-From: Cédric Le Goater <clg@kaod.org>
+From: Viktor Prutyanov <viktor@daynix.com>
-HW works fine in normal read mode with dummy bytes being set. So let's
+PE export name check introduced in d399d6b179 isn't reliable enough,
-check this case to not transfer bytes.
+because a page with the export directory may be not present for some
 reason. On the other hand, elf2dmp retrieves the PDB name in any case.
 It can be also used to check that a PE image is the kernel image. So,
 check PDB name when searching for Windows kernel image.
-Signed-off-by: Cédric Le Goater <clg@kaod.org>
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=2165917
-Message-id: 1486648058-520-4-git-send-email-clg@kaod.org
 Signed-off-by: Viktor Prutyanov <viktor@daynix.com>
 Reviewed-by: Akihiko Odaki <akihiko.odaki@daynix.com>
 Message-id: 20230915170153.10959-2-viktor@daynix.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/ssi/aspeed_smc.c | 9 ++++++---
+ contrib/elf2dmp/main.c | 93 +++++++++++++++---------------------------
-file changed, 6 insertions(+), 3 deletions(-)
+file changed, 33 insertions(+), 60 deletions(-)
-diff --git a/hw/ssi/aspeed_smc.c b/hw/ssi/aspeed_smc.c
+diff --git a/contrib/elf2dmp/main.c b/contrib/elf2dmp/main.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/ssi/aspeed_smc.c
+--- a/contrib/elf2dmp/main.c
-+++ b/hw/ssi/aspeed_smc.c
++++ b/contrib/elf2dmp/main.c
-@@ -XXX,XX +XXX,XX @@ static uint64_t aspeed_smc_flash_read(void *opaque, hwaddr addr, unsigned size)
+@@ -XXX,XX +XXX,XX @@ static int write_dump(struct pa_space *ps,
-         /*
+     return fclose(dmp_file);
-          * Use fake transfers to model dummy bytes. The value should
+ }
-          * be configured to some non-zero value in fast read mode and
--         * zero in read mode.
+-static bool pe_check_export_name(uint64_t base, void *start_addr,
-+         * zero in read mode. But, as the HW allows inconsistent
+-        struct va_space *vs)
-+         * settings, let's check for fast read mode.
+-{
-          */
+-    IMAGE_EXPORT_DIRECTORY export_dir;
--        for (i = 0; i < aspeed_smc_flash_dummies(fl); i++) {
+-    const char *pe_name;
--            ssi_transfer(fl->controller->spi, 0xFF);
+-
-+        if (aspeed_smc_flash_mode(fl) == CTRL_FREADMODE) {
+-    if (pe_get_data_dir_entry(base, start_addr, IMAGE_FILE_EXPORT_DIRECTORY,
-+            for (i = 0; i < aspeed_smc_flash_dummies(fl); i++) {
+-                &export_dir, sizeof(export_dir), vs)) {
-+                ssi_transfer(fl->controller->spi, 0xFF);
+-        return false;
-+            }
+-    }
 -
 -    pe_name = va_space_resolve(vs, base + export_dir.Name);
 -    if (!pe_name) {
 -        return false;
 -    }
 -
 -    return !strcmp(pe_name, PE_NAME);
 -}
 -
 -static int pe_get_pdb_symstore_hash(uint64_t base, void *start_addr,
 -        char *hash, struct va_space *vs)
 +static bool pe_check_pdb_name(uint64_t base, void *start_addr,
 +        struct va_space *vs, OMFSignatureRSDS *rsds)
  {
      const char sign_rsds[4] = "RSDS";
      IMAGE_DEBUG_DIRECTORY debug_dir;
 -    OMFSignatureRSDS rsds;
 -    char *pdb_name;
 -    size_t pdb_name_sz;
 -    size_t i;
 +    char pdb_name[sizeof(PDB_NAME)];
      if (pe_get_data_dir_entry(base, start_addr, IMAGE_FILE_DEBUG_DIRECTORY,
                  &debug_dir, sizeof(debug_dir), vs)) {
          eprintf("Failed to get Debug Directory\n");
 -        return 1;
 +        return false;
      }
      if (debug_dir.Type != IMAGE_DEBUG_TYPE_CODEVIEW) {
 -        return 1;
 +        eprintf("Debug Directory type is not CodeView\n");
 +        return false;
      }
      if (va_space_rw(vs,
                  base + debug_dir.AddressOfRawData,
 -                &rsds, sizeof(rsds), 0)) {
 -        return 1;
 +                rsds, sizeof(*rsds), 0)) {
 +        eprintf("Failed to resolve OMFSignatureRSDS\n");
 +        return false;
      }
 -    printf("CodeView signature is \'%.4s\'\n", rsds.Signature);
 -
 -    if (memcmp(&rsds.Signature, sign_rsds, sizeof(sign_rsds))) {
 -        return 1;
 +    if (memcmp(&rsds->Signature, sign_rsds, sizeof(sign_rsds))) {
 +        eprintf("CodeView signature is \'%.4s\', \'%s\' expected\n",
 +                rsds->Signature, sign_rsds);
 +        return false;
      }
 -    pdb_name_sz = debug_dir.SizeOfData - sizeof(rsds);
 -    pdb_name = malloc(pdb_name_sz);
 -    if (!pdb_name) {
 -        return 1;
 +    if (debug_dir.SizeOfData - sizeof(*rsds) != sizeof(PDB_NAME)) {
 +        eprintf("PDB name size doesn't match\n");
 +        return false;
      }
      if (va_space_rw(vs, base + debug_dir.AddressOfRawData +
 -                offsetof(OMFSignatureRSDS, name), pdb_name, pdb_name_sz, 0)) {
 -        free(pdb_name);
 -        return 1;
 +                offsetof(OMFSignatureRSDS, name), pdb_name, sizeof(PDB_NAME),
 +                0)) {
 +        eprintf("Failed to resolve PDB name\n");
 +        return false;
      }
      printf("PDB name is \'%s\', \'%s\' expected\n", pdb_name, PDB_NAME);
 -    if (strcmp(pdb_name, PDB_NAME)) {
 -        eprintf("Unexpected PDB name, it seems the kernel isn't found\n");
 -        free(pdb_name);
 -        return 1;
 -    }
 +    return !strcmp(pdb_name, PDB_NAME);
 +}
 -    free(pdb_name);
 -
 -    sprintf(hash, "%.08x%.04x%.04x%.02x%.02x", rsds.guid.a, rsds.guid.b,
 -            rsds.guid.c, rsds.guid.d[0], rsds.guid.d[1]);
 +static void pe_get_pdb_symstore_hash(OMFSignatureRSDS *rsds, char *hash)
 +{
 +    sprintf(hash, "%.08x%.04x%.04x%.02x%.02x", rsds->guid.a, rsds->guid.b,
 +            rsds->guid.c, rsds->guid.d[0], rsds->guid.d[1]);
      hash += 20;
 -    for (i = 0; i < 6; i++, hash += 2) {
 -        sprintf(hash, "%.02x", rsds.guid.e[i]);
 +    for (unsigned int i = 0; i < 6; i++, hash += 2) {
 +        sprintf(hash, "%.02x", rsds->guid.e[i]);
      }
 -    sprintf(hash, "%.01x", rsds.age);
 -
 -    return 0;
 +    sprintf(hash, "%.01x", rsds->age);
  }
  int main(int argc, char *argv[])
@@ -XXX,XX +XXX,XX @@ int main(int argc, char *argv[])
      KDDEBUGGER_DATA64 *kdbg;
      uint64_t KdVersionBlock;
      bool kernel_found = false;
 +    OMFSignatureRSDS rsds;
      if (argc != 3) {
          eprintf("usage:\n\t%s elf_file dmp_file\n", argv[0]);
@@ -XXX,XX +XXX,XX @@ int main(int argc, char *argv[])
          }
-         for (i = 0; i < size; i++) {
+         if (*(uint16_t *)nt_start_addr == 0x5a4d) { /* MZ */
 -            if (pe_check_export_name(KernBase, nt_start_addr, &vs)) {
 +            printf("Checking candidate KernBase = 0x%016"PRIx64"\n", KernBase);
 +            if (pe_check_pdb_name(KernBase, nt_start_addr, &vs, &rsds)) {
                  kernel_found = true;
                  break;
              }
@@ -XXX,XX +XXX,XX @@ int main(int argc, char *argv[])
      printf("KernBase = 0x%016"PRIx64", signature is \'%.2s\'\n", KernBase,
              (char *)nt_start_addr);
 -    if (pe_get_pdb_symstore_hash(KernBase, nt_start_addr, pdb_hash, &vs)) {
 -        eprintf("Failed to get PDB symbol store hash\n");
 -        err = 1;
 -        goto out_ps;
 -    }
 +    pe_get_pdb_symstore_hash(&rsds, pdb_hash);
      sprintf(pdb_url, "%s%s/%s/%s", SYM_URL_BASE, PDB_NAME, pdb_hash, PDB_NAME);
      printf("PDB URL is %s\n", pdb_url);
 --
-.7.4
+.34.1

-[Qemu-devel] [PULL 09/12] aspeed: check for negative values returned by blk_getlength()
+[PULL 27/30] elf2dmp: introduce physical block alignment
-From: Cédric Le Goater <clg@kaod.org>
+From: Viktor Prutyanov <viktor@daynix.com>
-write_boot_rom() does not check for negative values. This is more a
+Physical memory ranges may not be aligned to page size in QEMU ELF, but
-problem for coverity than the actual code as the size of the flash
+DMP can only contain page-aligned runs. So, align them.
 device is checked when the m25p80 object is created. If there is
 anything wrong with the backing file, we should not even reach that
 path.
-Signed-off-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: Viktor Prutyanov <viktor@daynix.com>
-Message-id: 1486648058-520-2-git-send-email-clg@kaod.org
+Reviewed-by: Akihiko Odaki <akihiko.odaki@daynix.com>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20230915170153.10959-3-viktor@daynix.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/aspeed.c | 14 ++++++++++++--
+ contrib/elf2dmp/addrspace.h |  1 +
-file changed, 12 insertions(+), 2 deletions(-)
+ contrib/elf2dmp/addrspace.c | 31 +++++++++++++++++++++++++++++--
  contrib/elf2dmp/main.c      |  5 +++--
 files changed, 33 insertions(+), 4 deletions(-)
-diff --git a/hw/arm/aspeed.c b/hw/arm/aspeed.c
+diff --git a/contrib/elf2dmp/addrspace.h b/contrib/elf2dmp/addrspace.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/aspeed.c
+--- a/contrib/elf2dmp/addrspace.h
-+++ b/hw/arm/aspeed.c
++++ b/contrib/elf2dmp/addrspace.h
-@@ -XXX,XX +XXX,XX @@ static void write_boot_rom(DriveInfo *dinfo, hwaddr addr, size_t rom_size,
+@@ -XXX,XX +XXX,XX @@
- {
-     BlockBackend *blk = blk_by_legacy_dinfo(dinfo);
+ #define ELF2DMP_PAGE_BITS 12
-     uint8_t *storage;
+ #define ELF2DMP_PAGE_SIZE (1ULL << ELF2DMP_PAGE_BITS)
-+    int64_t size;
++#define ELF2DMP_PAGE_MASK (ELF2DMP_PAGE_SIZE - 1)
+ #define ELF2DMP_PFN_MASK (~(ELF2DMP_PAGE_SIZE - 1))
--    if (rom_size > blk_getlength(blk)) {
--        rom_size = blk_getlength(blk);
+ #define INVALID_PA  UINT64_MAX
-+    /* The block backend size should have already been 'validated' by
+diff --git a/contrib/elf2dmp/addrspace.c b/contrib/elf2dmp/addrspace.c
-+     * the creation of the m25p80 object.
+index XXXXXXX..XXXXXXX 100644
-+     */
+--- a/contrib/elf2dmp/addrspace.c
-+    size = blk_getlength(blk);
++++ b/contrib/elf2dmp/addrspace.c
-+    if (size <= 0) {
+@@ -XXX,XX +XXX,XX @@ static struct pa_block *pa_space_find_block(struct pa_space *ps, uint64_t pa)
-+        error_setg(errp, "failed to get flash size");
      for (i = 0; i < ps->block_nr; i++) {
          if (ps->block[i].paddr <= pa &&
 -                pa <= ps->block[i].paddr + ps->block[i].size) {
 +                pa < ps->block[i].paddr + ps->block[i].size) {
              return ps->block + i;
          }
      }
@@ -XXX,XX +XXX,XX @@ static uint8_t *pa_space_resolve(struct pa_space *ps, uint64_t pa)
      return block->addr + (pa - block->paddr);
  }
 +static void pa_block_align(struct pa_block *b)
 +{
 +    uint64_t low_align = ((b->paddr - 1) | ELF2DMP_PAGE_MASK) + 1 - b->paddr;
 +    uint64_t high_align = (b->paddr + b->size) & ELF2DMP_PAGE_MASK;
 +
 +    if (low_align == 0 && high_align == 0) {
 +        return;
 +    }
 +
-+    if (rom_size > size) {
++    if (low_align + high_align < b->size) {
-+        rom_size = size;
++        printf("Block 0x%"PRIx64"+:0x%"PRIx64" will be aligned to "
 +                "0x%"PRIx64"+:0x%"PRIx64"\n", b->paddr, b->size,
 +                b->paddr + low_align, b->size - low_align - high_align);
 +        b->size -= low_align + high_align;
 +    } else {
 +        printf("Block 0x%"PRIx64"+:0x%"PRIx64" is too small to align\n",
 +                b->paddr, b->size);
 +        b->size = 0;
 +    }
 +
 +    b->addr += low_align;
 +    b->paddr += low_align;
 +}
 +
  int pa_space_create(struct pa_space *ps, QEMU_Elf *qemu_elf)
  {
      Elf64_Half phdr_nr = elf_getphdrnum(qemu_elf->map);
@@ -XXX,XX +XXX,XX @@ int pa_space_create(struct pa_space *ps, QEMU_Elf *qemu_elf)
                  .paddr = phdr[i].p_paddr,
                  .size = phdr[i].p_filesz,
              };
 -            block_i++;
 +            pa_block_align(&ps->block[block_i]);
 +            block_i = ps->block[block_i].size ? (block_i + 1) : block_i;
          }
      }
-     storage = g_new0(uint8_t, rom_size);
++    ps->block_nr = block_i;
 +
      return 0;
  }
 diff --git a/contrib/elf2dmp/main.c b/contrib/elf2dmp/main.c
 index XXXXXXX..XXXXXXX 100644
 --- a/contrib/elf2dmp/main.c
 +++ b/contrib/elf2dmp/main.c
@@ -XXX,XX +XXX,XX @@ static int write_dump(struct pa_space *ps,
      for (i = 0; i < ps->block_nr; i++) {
          struct pa_block *b = &ps->block[i];
 -        printf("Writing block #%zu/%zu to file...\n", i, ps->block_nr);
 +        printf("Writing block #%zu/%zu of %"PRIu64" bytes to file...\n", i,
 +                ps->block_nr, b->size);
          if (fwrite(b->addr, b->size, 1, dmp_file) != 1) {
 -            eprintf("Failed to write dump header\n");
 +            eprintf("Failed to write block\n");
              fclose(dmp_file);
              return 1;
          }
 --
-.7.4
+.34.1

-New patch
+[PULL 28/30] elf2dmp: introduce merging of physical memory runs
+From: Viktor Prutyanov <viktor@daynix.com>
+DMP supports 42 physical memory runs at most. So, merge adjacent
+physical memory ranges from QEMU ELF when possible to minimize total
+number of runs.
+Signed-off-by: Viktor Prutyanov <viktor@daynix.com>
+Reviewed-by: Akihiko Odaki <akihiko.odaki@daynix.com>
+Message-id: 20230915170153.10959-4-viktor@daynix.com
+[PMM: fixed format string for printing size_t values]
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ contrib/elf2dmp/main.c | 56 ++++++++++++++++++++++++++++++++++++------
+file changed, 48 insertions(+), 8 deletions(-)
+diff --git a/contrib/elf2dmp/main.c b/contrib/elf2dmp/main.c
+index XXXXXXX..XXXXXXX 100644
+--- a/contrib/elf2dmp/main.c
++++ b/contrib/elf2dmp/main.c
+@@ -XXX,XX +XXX,XX @@
+ #define PE_NAME     "ntoskrnl.exe"
+ #define INITIAL_MXCSR   0x1f80
++#define MAX_NUMBER_OF_RUNS  42
+ typedef struct idt_desc {
+     uint16_t offset1;   /* offset bits 0..15 */
+@@ -XXX,XX +XXX,XX @@ static int fix_dtb(struct va_space *vs, QEMU_Elf *qe)
+     return 1;
+ }
++static void try_merge_runs(struct pa_space *ps,
++        WinDumpPhyMemDesc64 *PhysicalMemoryBlock)
++{
++    unsigned int merge_cnt = 0, run_idx = 0;
++
++    PhysicalMemoryBlock->NumberOfRuns = 0;
++
++    for (size_t idx = 0; idx < ps->block_nr; idx++) {
++        struct pa_block *blk = ps->block + idx;
++        struct pa_block *next = blk + 1;
++
++        PhysicalMemoryBlock->NumberOfPages += blk->size / ELF2DMP_PAGE_SIZE;
++
++        if (idx + 1 != ps->block_nr && blk->paddr + blk->size == next->paddr) {
++            printf("Block #%zu 0x%"PRIx64"+:0x%"PRIx64" and %u previous will be"
++                    " merged\n", idx, blk->paddr, blk->size, merge_cnt);
++            merge_cnt++;
++        } else {
++            struct pa_block *first_merged = blk - merge_cnt;
++
++            printf("Block #%zu 0x%"PRIx64"+:0x%"PRIx64" and %u previous will be"
++                    " merged to 0x%"PRIx64"+:0x%"PRIx64" (run #%u)\n",
++                    idx, blk->paddr, blk->size, merge_cnt, first_merged->paddr,
++                    blk->paddr + blk->size - first_merged->paddr, run_idx);
++            PhysicalMemoryBlock->Run[run_idx] = (WinDumpPhyMemRun64) {
++                .BasePage = first_merged->paddr / ELF2DMP_PAGE_SIZE,
++                .PageCount = (blk->paddr + blk->size - first_merged->paddr) /
++                        ELF2DMP_PAGE_SIZE,
++            };
++            PhysicalMemoryBlock->NumberOfRuns++;
++            run_idx++;
++            merge_cnt = 0;
++        }
++    }
++}
++
+ static int fill_header(WinDumpHeader64 *hdr, struct pa_space *ps,
+         struct va_space *vs, uint64_t KdDebuggerDataBlock,
+         KDDEBUGGER_DATA64 *kdbg, uint64_t KdVersionBlock, int nr_cpus)
+@@ -XXX,XX +XXX,XX @@ static int fill_header(WinDumpHeader64 *hdr, struct pa_space *ps,
+             KUSD_OFFSET_PRODUCT_TYPE);
+     DBGKD_GET_VERSION64 kvb;
+     WinDumpHeader64 h;
+-    size_t i;
+     QEMU_BUILD_BUG_ON(KUSD_OFFSET_SUITE_MASK >= ELF2DMP_PAGE_SIZE);
+     QEMU_BUILD_BUG_ON(KUSD_OFFSET_PRODUCT_TYPE >= ELF2DMP_PAGE_SIZE);
+@@ -XXX,XX +XXX,XX @@ static int fill_header(WinDumpHeader64 *hdr, struct pa_space *ps,
+         .RequiredDumpSpace = sizeof(h),
+     };
+-    for (i = 0; i < ps->block_nr; i++) {
+-        h.PhysicalMemoryBlock.NumberOfPages +=
+-                ps->block[i].size / ELF2DMP_PAGE_SIZE;
+-        h.PhysicalMemoryBlock.Run[i] = (WinDumpPhyMemRun64) {
+-            .BasePage = ps->block[i].paddr / ELF2DMP_PAGE_SIZE,
+-            .PageCount = ps->block[i].size / ELF2DMP_PAGE_SIZE,
+-        };
++    if (h.PhysicalMemoryBlock.NumberOfRuns <= MAX_NUMBER_OF_RUNS) {
++        for (size_t idx = 0; idx < ps->block_nr; idx++) {
++            h.PhysicalMemoryBlock.NumberOfPages +=
++                    ps->block[idx].size / ELF2DMP_PAGE_SIZE;
++            h.PhysicalMemoryBlock.Run[idx] = (WinDumpPhyMemRun64) {
++                .BasePage = ps->block[idx].paddr / ELF2DMP_PAGE_SIZE,
++                .PageCount = ps->block[idx].size / ELF2DMP_PAGE_SIZE,
++            };
++        }
++    } else {
++        try_merge_runs(ps, &h.PhysicalMemoryBlock);
+     }
+     h.RequiredDumpSpace +=
+--
+.34.1

-[Qemu-devel] [PULL 05/12] target-arm: Declare virtio-mmio as dma-coherent in dt
+[PULL 29/30] elf2dmp: use Linux mmap with MAP_NORESERVE when possible
-From: Alexander Graf <agraf@suse.de>
+From: Viktor Prutyanov <viktor@daynix.com>
-QEMU emulated hardware is always dma coherent with its guest. We do
+Glib's g_mapped_file_new maps file with PROT_READ|PROT_WRITE and
-annotate that correctly on the PCI host controller, but left out
+MAP_PRIVATE. This leads to premature physical memory allocation of dump
-virtio-mmio.
+file size on Linux hosts and may fail. On Linux, mapping the file with
 MAP_NORESERVE limits the allocation by available memory.
-Recent kernels have started to interpret that flag rather than take
+Signed-off-by: Viktor Prutyanov <viktor@daynix.com>
-dma coherency as granted with virtio-mmio. While that is considered
+Reviewed-by: Akihiko Odaki <akihiko.odaki@daynix.com>
-a kernel bug, as it breaks previously working systems, it showed that
+Message-id: 20230915170153.10959-5-viktor@daynix.com
 our dt description is incomplete.
 This patch adds the respective marker that allows guest OSs to evaluate
 that our virtio-mmio devices are indeed cache coherent.
 Signed-off-by: Alexander Graf <agraf@suse.de>
 Reviewed-by: Laszlo Ersek <lersek@redhat.com>
 Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
 Message-id: 1486644810-33181-2-git-send-email-agraf@suse.de
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/vexpress.c | 1 +
+ contrib/elf2dmp/qemu_elf.h |  2 ++
- hw/arm/virt.c     | 1 +
+ contrib/elf2dmp/qemu_elf.c | 68 +++++++++++++++++++++++++++++++-------
-files changed, 2 insertions(+)
+files changed, 58 insertions(+), 12 deletions(-)
-diff --git a/hw/arm/vexpress.c b/hw/arm/vexpress.c
+diff --git a/contrib/elf2dmp/qemu_elf.h b/contrib/elf2dmp/qemu_elf.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/vexpress.c
+--- a/contrib/elf2dmp/qemu_elf.h
-+++ b/hw/arm/vexpress.c
++++ b/contrib/elf2dmp/qemu_elf.h
-@@ -XXX,XX +XXX,XX @@ static int add_virtio_mmio_node(void *fdt, uint32_t acells, uint32_t scells,
+@@ -XXX,XX +XXX,XX @@ typedef struct QEMUCPUState {
-                                        acells, addr, scells, size);
+ int is_system(QEMUCPUState *s);
-     qemu_fdt_setprop_cells(fdt, nodename, "interrupt-parent", intc);
-     qemu_fdt_setprop_cells(fdt, nodename, "interrupts", 0, irq, 1);
+ typedef struct QEMU_Elf {
-+    qemu_fdt_setprop(fdt, nodename, "dma-coherent", NULL, 0);
++#ifndef CONFIG_LINUX
-     g_free(nodename);
+     GMappedFile *gmf;
-     if (rc) {
++#endif
-         return -1;
+     size_t size;
-diff --git a/hw/arm/virt.c b/hw/arm/virt.c
+     void *map;
      QEMUCPUState **state;
 diff --git a/contrib/elf2dmp/qemu_elf.c b/contrib/elf2dmp/qemu_elf.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/virt.c
+--- a/contrib/elf2dmp/qemu_elf.c
-+++ b/hw/arm/virt.c
++++ b/contrib/elf2dmp/qemu_elf.c
-@@ -XXX,XX +XXX,XX @@ static void create_virtio_devices(const VirtMachineState *vms, qemu_irq *pic)
+@@ -XXX,XX +XXX,XX @@ static bool check_ehdr(QEMU_Elf *qe)
-         qemu_fdt_setprop_cells(vms->fdt, nodename, "interrupts",
+     return true;
-                                GIC_FDT_IRQ_TYPE_SPI, irq,
+ }
-                                GIC_FDT_IRQ_FLAGS_EDGE_LO_HI);
-+        qemu_fdt_setprop(vms->fdt, nodename, "dma-coherent", NULL, 0);
+-int QEMU_Elf_init(QEMU_Elf *qe, const char *filename)
-         g_free(nodename);
++static int QEMU_Elf_map(QEMU_Elf *qe, const char *filename)
  {
 +#ifdef CONFIG_LINUX
 +    struct stat st;
 +    int fd;
 +
 +    printf("Using Linux mmap\n");
 +
 +    fd = open(filename, O_RDONLY, 0);
 +    if (fd == -1) {
 +        eprintf("Failed to open ELF dump file \'%s\'\n", filename);
 +        return 1;
 +    }
 +
 +    if (fstat(fd, &st)) {
 +        eprintf("Failed to get size of ELF dump file\n");
 +        close(fd);
 +        return 1;
 +    }
 +    qe->size = st.st_size;
 +
 +    qe->map = mmap(NULL, qe->size, PROT_READ | PROT_WRITE,
 +            MAP_PRIVATE | MAP_NORESERVE, fd, 0);
 +    if (qe->map == MAP_FAILED) {
 +        eprintf("Failed to map ELF file\n");
 +        close(fd);
 +        return 1;
 +    }
 +
 +    close(fd);
 +#else
      GError *gerr = NULL;
 -    int err = 0;
 +
 +    printf("Using GLib mmap\n");
      qe->gmf = g_mapped_file_new(filename, TRUE, &gerr);
      if (gerr) {
@@ -XXX,XX +XXX,XX @@ int QEMU_Elf_init(QEMU_Elf *qe, const char *filename)
      qe->map = g_mapped_file_get_contents(qe->gmf);
      qe->size = g_mapped_file_get_length(qe->gmf);
 +#endif
 +
 +    return 0;
 +}
 +
 +static void QEMU_Elf_unmap(QEMU_Elf *qe)
 +{
 +#ifdef CONFIG_LINUX
 +    munmap(qe->map, qe->size);
 +#else
 +    g_mapped_file_unref(qe->gmf);
 +#endif
 +}
 +
 +int QEMU_Elf_init(QEMU_Elf *qe, const char *filename)
 +{
 +    if (QEMU_Elf_map(qe, filename)) {
 +        return 1;
 +    }
      if (!check_ehdr(qe)) {
          eprintf("Input file has the wrong format\n");
 -        err = 1;
 -        goto out_unmap;
 +        QEMU_Elf_unmap(qe);
 +        return 1;
      }
+     if (init_states(qe)) {
+         eprintf("Failed to extract QEMU CPU states\n");
+-        err = 1;
+-        goto out_unmap;
++        QEMU_Elf_unmap(qe);
++        return 1;
+     }
+     return 0;
+-
+-out_unmap:
+-    g_mapped_file_unref(qe->gmf);
+-
+-    return err;
+ }
+ void QEMU_Elf_exit(QEMU_Elf *qe)
+ {
+     exit_states(qe);
+-    g_mapped_file_unref(qe->gmf);
++    QEMU_Elf_unmap(qe);
  }
 --
-.7.4
+.34.1

-New patch
+[PULL 30/30] elf2dmp: rework PDB_STREAM_INDEXES::segments obtaining
+From: Viktor Prutyanov <viktor@daynix.com>
+PDB for Windows 11 kernel has slightly different structure compared to
+previous versions. Since elf2dmp don't use the other fields, copy only
+'segments' field from PDB_STREAM_INDEXES.
+Signed-off-by: Viktor Prutyanov <viktor@daynix.com>
+Reviewed-by: Akihiko Odaki <akihiko.odaki@daynix.com>
+Message-id: 20230915170153.10959-6-viktor@daynix.com
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ contrib/elf2dmp/pdb.h |  2 +-
+ contrib/elf2dmp/pdb.c | 15 ++++-----------
+files changed, 5 insertions(+), 12 deletions(-)
+diff --git a/contrib/elf2dmp/pdb.h b/contrib/elf2dmp/pdb.h
+index XXXXXXX..XXXXXXX 100644
+--- a/contrib/elf2dmp/pdb.h
++++ b/contrib/elf2dmp/pdb.h
+@@ -XXX,XX +XXX,XX @@ struct pdb_reader {
+     } ds;
+     uint32_t file_used[1024];
+     PDB_SYMBOLS *symbols;
+-    PDB_STREAM_INDEXES sidx;
++    uint16_t segments;
+     uint8_t *modimage;
+     char *segs;
+     size_t segs_size;
+diff --git a/contrib/elf2dmp/pdb.c b/contrib/elf2dmp/pdb.c
+index XXXXXXX..XXXXXXX 100644
+--- a/contrib/elf2dmp/pdb.c
++++ b/contrib/elf2dmp/pdb.c
+@@ -XXX,XX +XXX,XX @@ static void *pdb_ds_read_file(struct pdb_reader* r, uint32_t file_number)
+ static int pdb_init_segments(struct pdb_reader *r)
+ {
+     char *segs;
+-    unsigned stream_idx = r->sidx.segments;
++    unsigned stream_idx = r->segments;
+     segs = pdb_ds_read_file(r, stream_idx);
+     if (!segs) {
+@@ -XXX,XX +XXX,XX @@ static int pdb_init_symbols(struct pdb_reader *r)
+ {
+     int err = 0;
+     PDB_SYMBOLS *symbols;
+-    PDB_STREAM_INDEXES *sidx = &r->sidx;
+-
+-    memset(sidx, -1, sizeof(*sidx));
+     symbols = pdb_ds_read_file(r, 3);
+     if (!symbols) {
+@@ -XXX,XX +XXX,XX @@ static int pdb_init_symbols(struct pdb_reader *r)
+     r->symbols = symbols;
+-    if (symbols->stream_index_size != sizeof(PDB_STREAM_INDEXES)) {
+-        err = 1;
+-        goto out_symbols;
+-    }
+-
+-    memcpy(sidx, (const char *)symbols + sizeof(PDB_SYMBOLS) +
++    r->segments = *(uint16_t *)((const char *)symbols + sizeof(PDB_SYMBOLS) +
+             symbols->module_size + symbols->offset_size +
+             symbols->hash_size + symbols->srcmodule_size +
+-            symbols->pdbimport_size + symbols->unknown2_size, sizeof(*sidx));
++            symbols->pdbimport_size + symbols->unknown2_size +
++            offsetof(PDB_STREAM_INDEXES, segments));
+     /* Read global symbol table */
+     r->modimage = pdb_ds_read_file(r, symbols->gsym_file);
+--
+.34.1

ARM queue: nothing particularly exciting here, but no
reason to sit on them for another week.

thanks
-- PMM

The following changes since commit 61eedf7aec0e2395aabd628cc055096909a3ea15:

tests/prom-env: Ease time-out problems on slow hosts (2017-02-10 15:44:53 +0000)

are available in the git repository at:

git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20170210

for you to fetch changes up to b4cc583f0285a2e1e78621dfba142f00ca47414a:

aspeed/smc: use a modulo to check segment limits (2017-02-10 17:40:30 +0000)

----------------------------------------------------------------
target-arm queue:
 * aspeed: minor fixes
 * virt: declare fwcfg and virtio-mmio as DMA coherent in DT & ACPI
 * arm: enable basic TCG emulation of PMU for AArch64

----------------------------------------------------------------
Alexander Graf (4):
      target-arm: Declare virtio-mmio as dma-coherent in dt
      hw/arm/virt: Declare virtio-mmio as dma cache coherent in ACPI
      hw/arm/virt: Declare fwcfg as dma cache coherent in ACPI
      hw/arm/virt: Declare fwcfg as dma cache coherent in dt

Cédric Le Goater (4):
      aspeed: check for negative values returned by blk_getlength()
      aspeed: remove useless comment on controller segment size
      aspeed/smc: handle dummies only in fast read mode
      aspeed/smc: use a modulo to check segment limits

Wei Huang (4):
      target-arm: Add support for PMU register PMSELR_EL0
      target-arm: Add support for AArch64 PMU register PMXEVTYPER_EL0
      target-arm: Add support for PMU register PMINTENSET_EL1
      target-arm: Enable vPMU support under TCG mode

From: Wei Huang <wei@redhat.com>

This patch adds support for AArch64 register PMSELR_EL0. The existing
PMSELR definition is revised accordingly.

Signed-off-by: Wei Huang <wei@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
[PMM: Moved #ifndef CONFIG_USER_ONLY to cover new regdefs]
Message-id: 1486504171-26807-2-git-send-email-wei@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h    |  1 +
 target/arm/helper.c | 27 +++++++++++++++++++++------
 2 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ typedef struct CPUARMState {
         uint32_t c9_pmovsr; /* perf monitor overflow status */
         uint32_t c9_pmxevtyper; /* perf monitor event type */
         uint32_t c9_pmuserenr; /* perf monitor user enable */
+        uint64_t c9_pmselr; /* perf monitor counter selection register */
         uint32_t c9_pminten; /* perf monitor interrupt enables */
         union { /* Memory attribute redirection */
             struct {
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static uint64_t pmccntr_read(CPUARMState *env, const ARMCPRegInfo *ri)
     return total_ticks - env->cp15.c15_ccnt;
 }
 
+static void pmselr_write(CPUARMState *env, const ARMCPRegInfo *ri,
+                         uint64_t value)
+{
+    /* The value of PMSELR.SEL affects the behavior of PMXEVTYPER and
+     * PMXEVCNTR. We allow [0..31] to be written to PMSELR here; in the
+     * meanwhile, we check PMSELR.SEL when PMXEVTYPER and PMXEVCNTR are
+     * accessed.
+     */
+    env->cp15.c9_pmselr = value & 0x1f;
+}
+
 static void pmccntr_write(CPUARMState *env, const ARMCPRegInfo *ri,
                         uint64_t value)
 {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v7_cp_reginfo[] = {
     /* Unimplemented so WI. */
     { .name = "PMSWINC", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 4,
       .access = PL0_W, .accessfn = pmreg_access, .type = ARM_CP_NOP },
-    /* Since we don't implement any events, writing to PMSELR is UNPREDICTABLE.
-     * We choose to RAZ/WI.
-     */
-    { .name = "PMSELR", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 5,
-      .access = PL0_RW, .type = ARM_CP_CONST, .resetvalue = 0,
-      .accessfn = pmreg_access },
 #ifndef CONFIG_USER_ONLY
+    { .name = "PMSELR", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 5,
+      .access = PL0_RW, .type = ARM_CP_ALIAS,
+      .fieldoffset = offsetoflow32(CPUARMState, cp15.c9_pmselr),
+      .accessfn = pmreg_access, .writefn = pmselr_write,
+      .raw_writefn = raw_write},
+    { .name = "PMSELR_EL0", .state = ARM_CP_STATE_AA64,
+      .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 12, .opc2 = 5,
+      .access = PL0_RW, .accessfn = pmreg_access,
+      .fieldoffset = offsetof(CPUARMState, cp15.c9_pmselr),
+      .writefn = pmselr_write, .raw_writefn = raw_write, },
     { .name = "PMCCNTR", .cp = 15, .crn = 9, .crm = 13, .opc1 = 0, .opc2 = 0,
       .access = PL0_RW, .resetvalue = 0, .type = ARM_CP_IO,
       .readfn = pmccntr_read, .writefn = pmccntr_write32,
-- 
2.7.4

From: Wei Huang <wei@redhat.com>

In order to support Linux perf, which uses PMXEVTYPER register,
this patch adds read/write access support for PMXEVTYPER. The access
is CONSTRAINED UNPREDICTABLE when PMSELR is not 0x1f. Additionally
this patch adds support for PMXEVTYPER_EL0.

Signed-off-by: Wei Huang <wei@redhat.com>
Message-id: 1486504171-26807-3-git-send-email-wei@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h    |  1 -
 target/arm/helper.c | 30 +++++++++++++++++++++++++-----
 2 files changed, 25 insertions(+), 6 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ typedef struct CPUARMState {
         uint64_t c9_pmcr; /* performance monitor control register */
         uint64_t c9_pmcnten; /* perf monitor counter enables */
         uint32_t c9_pmovsr; /* perf monitor overflow status */
-        uint32_t c9_pmxevtyper; /* perf monitor event type */
         uint32_t c9_pmuserenr; /* perf monitor user enable */
         uint64_t c9_pmselr; /* perf monitor counter selection register */
         uint32_t c9_pminten; /* perf monitor interrupt enables */
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void pmovsr_write(CPUARMState *env, const ARMCPRegInfo *ri,
 static void pmxevtyper_write(CPUARMState *env, const ARMCPRegInfo *ri,
                              uint64_t value)
 {
-    env->cp15.c9_pmxevtyper = value & 0xff;
+    /* Attempts to access PMXEVTYPER are CONSTRAINED UNPREDICTABLE when
+     * PMSELR value is equal to or greater than the number of implemented
+     * counters, but not equal to 0x1f. We opt to behave as a RAZ/WI.
+     */
+    if (env->cp15.c9_pmselr == 0x1f) {
+        pmccfiltr_write(env, ri, value);
+    }
+}
+
+static uint64_t pmxevtyper_read(CPUARMState *env, const ARMCPRegInfo *ri)
+{
+    /* We opt to behave as a RAZ/WI when attempts to access PMXEVTYPER
+     * are CONSTRAINED UNPREDICTABLE. See comments in pmxevtyper_write().
+     */
+    if (env->cp15.c9_pmselr == 0x1f) {
+        return env->cp15.pmccfiltr_el0;
+    } else {
+        return 0;
+    }
 }
 
 static void pmuserenr_write(CPUARMState *env, const ARMCPRegInfo *ri,
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v7_cp_reginfo[] = {
       .fieldoffset = offsetof(CPUARMState, cp15.pmccfiltr_el0),
       .resetvalue = 0, },
     { .name = "PMXEVTYPER", .cp = 15, .crn = 9, .crm = 13, .opc1 = 0, .opc2 = 1,
-      .access = PL0_RW,
-      .fieldoffset = offsetof(CPUARMState, cp15.c9_pmxevtyper),
-      .accessfn = pmreg_access, .writefn = pmxevtyper_write,
-      .raw_writefn = raw_write },
+      .access = PL0_RW, .type = ARM_CP_NO_RAW, .accessfn = pmreg_access,
+      .writefn = pmxevtyper_write, .readfn = pmxevtyper_read },
+    { .name = "PMXEVTYPER_EL0", .state = ARM_CP_STATE_AA64,
+      .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 13, .opc2 = 1,
+      .access = PL0_RW, .type = ARM_CP_NO_RAW, .accessfn = pmreg_access,
+      .writefn = pmxevtyper_write, .readfn = pmxevtyper_read },
     /* Unimplemented, RAZ/WI. */
     { .name = "PMXEVCNTR", .cp = 15, .crn = 9, .crm = 13, .opc1 = 0, .opc2 = 2,
       .access = PL0_RW, .type = ARM_CP_CONST, .resetvalue = 0,
-- 
2.7.4

From: Wei Huang <wei@redhat.com>

This patch adds access support for PMINTENSET_EL1.

Signed-off-by: Wei Huang <wei@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1486504171-26807-4-git-send-email-wei@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h    |  2 +-
 target/arm/helper.c | 10 +++++++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

From: Wei Huang <wei@redhat.com>

This patch contains several fixes to enable vPMU under TCG mode. It
first removes the checking of kvm_enabled() while unsetting
ARM_FEATURE_PMU. With it, the .pmu option can be used to turn on/off vPMU
under TCG mode. Secondly the PMU node of DT table is now created under TCG.
The last fix is to disable the masking of PMUver field of ID_AA64DFR0_EL1.

Signed-off-by: Wei Huang <wei@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1486504171-26807-5-git-send-email-wei@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/virt.c       | 2 +-
 target/arm/cpu.c    | 2 +-
 target/arm/helper.c | 7 +------
 3 files changed, 3 insertions(+), 8 deletions(-)

diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@ static void fdt_add_pmu_nodes(const VirtMachineState *vms)
     CPU_FOREACH(cpu) {
         armcpu = ARM_CPU(cpu);
         if (!arm_feature(&armcpu->env, ARM_FEATURE_PMU) ||
-            !kvm_arm_pmu_create(cpu, PPI(VIRTUAL_PMU_IRQ))) {
+            (kvm_enabled() && !kvm_arm_pmu_create(cpu, PPI(VIRTUAL_PMU_IRQ)))) {
             return;
         }
     }
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
         unset_feature(env, ARM_FEATURE_EL2);
     }
 
-    if (!cpu->has_pmu || !kvm_enabled()) {
+    if (!cpu->has_pmu) {
         cpu->has_pmu = false;
         unset_feature(env, ARM_FEATURE_PMU);
     }
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
             { .name = "ID_AA64DFR0_EL1", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 0,
               .access = PL1_R, .type = ARM_CP_CONST,
-              /* We mask out the PMUVer field, because we don't currently
-               * implement the PMU. Not advertising it prevents the guest
-               * from trying to use it and getting UNDEFs on registers we
-               * don't implement.
-               */
-              .resetvalue = cpu->id_aa64dfr0 & ~0xf00 },
+              .resetvalue = cpu->id_aa64dfr0 },
             { .name = "ID_AA64DFR1_EL1", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 1,
               .access = PL1_R, .type = ARM_CP_CONST,
-- 
2.7.4

From: Alexander Graf <agraf@suse.de>

QEMU emulated hardware is always dma coherent with its guest. We do
annotate that correctly on the PCI host controller, but left out
virtio-mmio.

Recent kernels have started to interpret that flag rather than take
dma coherency as granted with virtio-mmio. While that is considered
a kernel bug, as it breaks previously working systems, it showed that
our dt description is incomplete.

This patch adds the respective marker that allows guest OSs to evaluate
that our virtio-mmio devices are indeed cache coherent.

Signed-off-by: Alexander Graf <agraf@suse.de>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Message-id: 1486644810-33181-2-git-send-email-agraf@suse.de
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/vexpress.c | 1 +
 hw/arm/virt.c     | 1 +
 2 files changed, 2 insertions(+)

diff --git a/hw/arm/vexpress.c b/hw/arm/vexpress.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/vexpress.c
+++ b/hw/arm/vexpress.c
@@ -XXX,XX +XXX,XX @@ static int add_virtio_mmio_node(void *fdt, uint32_t acells, uint32_t scells,
                                        acells, addr, scells, size);
     qemu_fdt_setprop_cells(fdt, nodename, "interrupt-parent", intc);
     qemu_fdt_setprop_cells(fdt, nodename, "interrupts", 0, irq, 1);
+    qemu_fdt_setprop(fdt, nodename, "dma-coherent", NULL, 0);
     g_free(nodename);
     if (rc) {
         return -1;
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@ static void create_virtio_devices(const VirtMachineState *vms, qemu_irq *pic)
         qemu_fdt_setprop_cells(vms->fdt, nodename, "interrupts",
                                GIC_FDT_IRQ_TYPE_SPI, irq,
                                GIC_FDT_IRQ_FLAGS_EDGE_LO_HI);
+        qemu_fdt_setprop(vms->fdt, nodename, "dma-coherent", NULL, 0);
         g_free(nodename);
     }
 }
-- 
2.7.4

From: Alexander Graf <agraf@suse.de>

Virtio-mmio devices can directly access guest memory and do so in cache
coherent fashion. Tell the guest about that fact when it's using ACPI.

Signed-off-by: Alexander Graf <agraf@suse.de>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Shannon Zhao <shannon.zhao@linaro.org>
Message-id: 1486644810-33181-3-git-send-email-agraf@suse.de
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/virt-acpi-build.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt-acpi-build.c
+++ b/hw/arm/virt-acpi-build.c
@@ -XXX,XX +XXX,XX @@ static void acpi_dsdt_add_virtio(Aml *scope,
         Aml *dev = aml_device("VR%02u", i);
         aml_append(dev, aml_name_decl("_HID", aml_string("LNRO0005")));
         aml_append(dev, aml_name_decl("_UID", aml_int(i)));
+        aml_append(dev, aml_name_decl("_CCA", aml_int(1)));
 
         Aml *crs = aml_resource_template();
         aml_append(crs, aml_memory32_fixed(base, size, AML_READ_WRITE));
-- 
2.7.4

From: Alexander Graf <agraf@suse.de>

Fw-cfg recently learned how to directly access guest memory and does so in
cache coherent fashion. Tell the guest about that fact when it's using ACPI.

Signed-off-by: Alexander Graf <agraf@suse.de>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Shannon Zhao <shannon.zhao@linaro.org>
Message-id: 1486644810-33181-4-git-send-email-agraf@suse.de
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/virt-acpi-build.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt-acpi-build.c
+++ b/hw/arm/virt-acpi-build.c
@@ -XXX,XX +XXX,XX @@ static void acpi_dsdt_add_fw_cfg(Aml *scope, const MemMapEntry *fw_cfg_memmap)
     aml_append(dev, aml_name_decl("_HID", aml_string("QEMU0002")));
     /* device present, functioning, decoding, not shown in UI */
     aml_append(dev, aml_name_decl("_STA", aml_int(0xB)));
+    aml_append(dev, aml_name_decl("_CCA", aml_int(1)));
 
     Aml *crs = aml_resource_template();
     aml_append(crs, aml_memory32_fixed(fw_cfg_memmap->base,
-- 
2.7.4

From: Alexander Graf <agraf@suse.de>

Fw-cfg recently learned how to directly access guest memory and does so in
cache coherent fashion. Tell the guest about that fact when it's using DT.

Signed-off-by: Alexander Graf <agraf@suse.de>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Shannon Zhao <shannon.zhao@linaro.org>
Message-id: 1486644810-33181-5-git-send-email-agraf@suse.de
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/virt.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@ static FWCfgState *create_fw_cfg(const VirtMachineState *vms, AddressSpace *as)
                             "compatible", "qemu,fw-cfg-mmio");
     qemu_fdt_setprop_sized_cells(vms->fdt, nodename, "reg",
                                  2, base, 2, size);
+    qemu_fdt_setprop(vms->fdt, nodename, "dma-coherent", NULL, 0);
     g_free(nodename);
     return fw_cfg;
 }
-- 
2.7.4

From: Cédric Le Goater <clg@kaod.org>

write_boot_rom() does not check for negative values. This is more a
problem for coverity than the actual code as the size of the flash
device is checked when the m25p80 object is created. If there is
anything wrong with the backing file, we should not even reach that
path.

Signed-off-by: Cédric Le Goater <clg@kaod.org>
Message-id: 1486648058-520-2-git-send-email-clg@kaod.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/aspeed.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/hw/arm/aspeed.c b/hw/arm/aspeed.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/aspeed.c
+++ b/hw/arm/aspeed.c
@@ -XXX,XX +XXX,XX @@ static void write_boot_rom(DriveInfo *dinfo, hwaddr addr, size_t rom_size,
 {
     BlockBackend *blk = blk_by_legacy_dinfo(dinfo);
     uint8_t *storage;
+    int64_t size;
 
-    if (rom_size > blk_getlength(blk)) {
-        rom_size = blk_getlength(blk);
+    /* The block backend size should have already been 'validated' by
+     * the creation of the m25p80 object.
+     */
+    size = blk_getlength(blk);
+    if (size <= 0) {
+        error_setg(errp, "failed to get flash size");
+        return;
+    }
+
+    if (rom_size > size) {
+        rom_size = size;
     }
 
     storage = g_new0(uint8_t, rom_size);
-- 
2.7.4

From: Cédric Le Goater <clg@kaod.org>

The flash devices used for the FMC controller (BMC firmware) are well
defined for each Aspeed machine and are all smaller than the default
mapping window size, at least for CE0 which is the chip the SoC boots
from.

Signed-off-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 1486648058-520-3-git-send-email-clg@kaod.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/aspeed.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/hw/arm/aspeed.c b/hw/arm/aspeed.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/aspeed.c
+++ b/hw/arm/aspeed.c
@@ -XXX,XX +XXX,XX @@ static void aspeed_board_init_flashes(AspeedSMCState *s, const char *flashtype,
         DriveInfo *dinfo = drive_get_next(IF_MTD);
         qemu_irq cs_line;
 
-        /*
-         * FIXME: check that we are not using a flash module exceeding
-         * the controller segment size
-         */
         fl->flash = ssi_create_slave_no_init(s->spi, flashtype);
         if (dinfo) {
             qdev_prop_set_drive(fl->flash, "drive", blk_by_legacy_dinfo(dinfo),
@@ -XXX,XX +XXX,XX @@ static void aspeed_board_init(MachineState *machine,
 
         /*
          * create a ROM region using the default mapping window size of
-         * the flash module.
+         * the flash module. The window size is 64MB for the AST2400
+         * SoC and 128MB for the AST2500 SoC, which is twice as big as
+         * needed by the flash modules of the Aspeed machines.
          */
         memory_region_init_rom(boot_rom, OBJECT(bmc), "aspeed.boot_rom",
                                fl->size, &error_abort);
-- 
2.7.4

From: Cédric Le Goater <clg@kaod.org>

HW works fine in normal read mode with dummy bytes being set. So let's
check this case to not transfer bytes.

Signed-off-by: Cédric Le Goater <clg@kaod.org>
Message-id: 1486648058-520-4-git-send-email-clg@kaod.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/ssi/aspeed_smc.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/hw/ssi/aspeed_smc.c b/hw/ssi/aspeed_smc.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/ssi/aspeed_smc.c
+++ b/hw/ssi/aspeed_smc.c
@@ -XXX,XX +XXX,XX @@ static uint64_t aspeed_smc_flash_read(void *opaque, hwaddr addr, unsigned size)
         /*
          * Use fake transfers to model dummy bytes. The value should
          * be configured to some non-zero value in fast read mode and
-         * zero in read mode.
+         * zero in read mode. But, as the HW allows inconsistent
+         * settings, let's check for fast read mode.
          */
-        for (i = 0; i < aspeed_smc_flash_dummies(fl); i++) {
-            ssi_transfer(fl->controller->spi, 0xFF);
+        if (aspeed_smc_flash_mode(fl) == CTRL_FREADMODE) {
+            for (i = 0; i < aspeed_smc_flash_dummies(fl); i++) {
+                ssi_transfer(fl->controller->spi, 0xFF);
+            }
         }
 
         for (i = 0; i < size; i++) {
-- 
2.7.4

From: Cédric Le Goater <clg@kaod.org>

The size of a segment is not necessarily a power of 2.

Signed-off-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 1486648058-520-5-git-send-email-clg@kaod.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/ssi/aspeed_smc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/ssi/aspeed_smc.c b/hw/ssi/aspeed_smc.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/ssi/aspeed_smc.c
+++ b/hw/ssi/aspeed_smc.c
@@ -XXX,XX +XXX,XX @@ static uint32_t aspeed_smc_check_segment_addr(const AspeedSMCFlash *fl,
     AspeedSegments seg;
 
     aspeed_smc_reg_to_segment(s->regs[R_SEG_ADDR0 + fl->id], &seg);
-    if ((addr & (seg.size - 1)) != addr) {
+    if ((addr % seg.size) != addr) {
         qemu_log_mask(LOG_GUEST_ERROR,
                       "%s: invalid address 0x%08x for CS%d segment : "
                       "[ 0x%"HWADDR_PRIx" - 0x%"HWADDR_PRIx" ]\n",
                       s->ctrl->name, addr, fl->id, seg.addr,
                       seg.addr + seg.size);
+        addr %= seg.size;
     }
 
-    addr &= seg.size - 1;
     return addr;
 }
 
-- 
2.7.4

Hi; here's this week's arm pullreq. Mostly this is my
work on FEAT_MOPS and FEAT_HBC, but there are some
other bits and pieces in there too, including a recent
set of elf2dmp patches.

thanks
-- PMM

The following changes since commit 55394dcbec8f0c29c30e792c102a0edd50a52bf4:

Merge tag 'pull-loongarch-20230920' of https://gitlab.com/gaosong/qemu into staging (2023-09-20 13:56:18 -0400)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20230921

for you to fetch changes up to 231f6a7d66254a58bedbee458591b780e0a507b1:

elf2dmp: rework PDB_STREAM_INDEXES::segments obtaining (2023-09-21 16:13:54 +0100)

----------------------------------------------------------------
target-arm queue:
 * target/m68k: Add URL to semihosting spec
 * docs/devel/loads-stores: Fix git grep regexes
 * hw/arm/boot: Set SCR_EL3.FGTEn when booting kernel
 * linux-user: Correct SME feature names reported in cpuinfo
 * linux-user: Add missing arm32 hwcaps
 * Don't skip MTE checks for LDRT/STRT at EL0
 * Implement FEAT_HBC
 * Implement FEAT_MOPS
 * audio/jackaudio: Avoid dynamic stack allocation
 * sbsa-ref: add non-secure EL2 virtual timer
 * elf2dmp: improve Win2022, Win11 and large dumps

----------------------------------------------------------------
Fabian Vogt (1):
      hw/arm/boot: Set SCR_EL3.FGTEn when booting kernel

Marcin Juszkiewicz (1):
      sbsa-ref: add non-secure EL2 virtual timer

Peter Maydell (23):
      target/m68k: Add URL to semihosting spec
      docs/devel/loads-stores: Fix git grep regexes
      linux-user/elfload.c: Correct SME feature names reported in cpuinfo
      linux-user/elfload.c: Add missing arm and arm64 hwcap values
      linux-user/elfload.c: Report previously missing arm32 hwcaps
      target/arm: Update AArch64 ID register field definitions
      target/arm: Update user-mode ID reg mask values
      target/arm: Implement FEAT_HBC
      target/arm: Remove unused allocation_tag_mem() argument
      target/arm: Don't skip MTE checks for LDRT/STRT at EL0
      target/arm: Implement FEAT_MOPS enable bits
      target/arm: Pass unpriv bool to get_a64_user_mem_index()
      target/arm: Define syndrome function for MOPS exceptions
      target/arm: New function allocation_tag_mem_probe()
      target/arm: Implement MTE tag-checking functions for FEAT_MOPS
      target/arm: Implement the SET* instructions
      target/arm: Define new TB flag for ATA0
      target/arm: Implement the SETG* instructions
      target/arm: Implement MTE tag-checking functions for FEAT_MOPS copies
      target/arm: Implement the CPY* instructions
      target/arm: Enable FEAT_MOPS for CPU 'max'
      audio/jackaudio: Avoid dynamic stack allocation in qjack_client_init
      audio/jackaudio: Avoid dynamic stack allocation in qjack_process()

Viktor Prutyanov (5):
      elf2dmp: replace PE export name check with PDB name check
      elf2dmp: introduce physical block alignment
      elf2dmp: introduce merging of physical memory runs
      elf2dmp: use Linux mmap with MAP_NORESERVE when possible
      elf2dmp: rework PDB_STREAM_INDEXES::segments obtaining

The spec for m68k semihosting is documented in the libgloss
sources. Add a comment with the URL for it, as we already
have for nios2 semihosting.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20230801154451.3505492-1-peter.maydell@linaro.org
---
 target/m68k/m68k-semi.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/target/m68k/m68k-semi.c b/target/m68k/m68k-semi.c
index XXXXXXX..XXXXXXX 100644
--- a/target/m68k/m68k-semi.c
+++ b/target/m68k/m68k-semi.c
@@ -XXX,XX +XXX,XX @@
  *
  *  You should have received a copy of the GNU General Public License
  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ *
+ *  The semihosting protocol implemented here is described in the
+ *  libgloss sources:
+ *  https://sourceware.org/git/?p=newlib-cygwin.git;a=blob;f=libgloss/m68k/m68k-semi.txt;hb=HEAD
  */
 
 #include "qemu/osdep.h"
-- 
2.34.1

The loads-and-stores documentation includes git grep regexes to find
occurrences of the various functions.  Some of these regexes have
errors, typically failing to escape the '?', '(' and ')' when they
should be metacharacters (since these are POSIX basic REs). We also
weren't consistent about whether to have a ':' on the end of the
line introducing the list of regexes in each section.

Fix the errors.

The following shell rune will complain about any REs in the
file which don't have any matches in the codebase:
 for re in $(sed -ne 's/ - ``$\\<.*$``/\1/p' docs/devel/loads-stores.rst); do git grep -q "$re" || echo "no matches for re $re"; done

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20230904161703.3996734-1-peter.maydell@linaro.org
---
 docs/devel/loads-stores.rst | 40 ++++++++++++++++++-------------------
 1 file changed, 20 insertions(+), 20 deletions(-)

diff --git a/docs/devel/loads-stores.rst b/docs/devel/loads-stores.rst
index XXXXXXX..XXXXXXX 100644
--- a/docs/devel/loads-stores.rst
+++ b/docs/devel/loads-stores.rst
@@ -XXX,XX +XXX,XX @@ which stores ``val`` to ``ptr`` as an ``{endian}`` order value
 of size ``sz`` bytes.
 
 
-Regexes for git grep
+Regexes for git grep:
  - ``\<ld[us]\?[bwlq]$_[hbl]e$\?_p\>``
  - ``\<st[bwlq]$_[hbl]e$\?_p\>``
  - ``\<st24$_[hbl]e$\?_p\>``
- - ``\<ldn_$[hbl]e$?_p\>``
- - ``\<stn_$[hbl]e$?_p\>``
+ - ``\<ldn_$[hbl]e$\?_p\>``
+ - ``\<stn_$[hbl]e$\?_p\>``
 
 ``cpu_{ld,st}*_mmu``
 ~~~~~~~~~~~~~~~~~~~~
@@ -XXX,XX +XXX,XX @@ store: ``cpu_st{size}{end}_mmu(env, ptr, val, oi, retaddr)``
  - ``_le`` : little endian
 
 Regexes for git grep:
- - ``\<cpu_ld[bwlq](_[bl]e)\?_mmu\>``
- - ``\<cpu_st[bwlq](_[bl]e)\?_mmu\>``
+ - ``\<cpu_ld[bwlq]$_[bl]e$\?_mmu\>``
+ - ``\<cpu_st[bwlq]$_[bl]e$\?_mmu\>``
 
 
 ``cpu_{ld,st}*_mmuidx_ra``
@@ -XXX,XX +XXX,XX @@ store: ``cpu_st{size}{end}_mmuidx_ra(env, ptr, val, mmuidx, retaddr)``
  - ``_le`` : little endian
 
 Regexes for git grep:
- - ``\<cpu_ld[us]\?[bwlq](_[bl]e)\?_mmuidx_ra\>``
- - ``\<cpu_st[bwlq](_[bl]e)\?_mmuidx_ra\>``
+ - ``\<cpu_ld[us]\?[bwlq]$_[bl]e$\?_mmuidx_ra\>``
+ - ``\<cpu_st[bwlq]$_[bl]e$\?_mmuidx_ra\>``
 
 ``cpu_{ld,st}*_data_ra``
 ~~~~~~~~~~~~~~~~~~~~~~~~
@@ -XXX,XX +XXX,XX @@ store: ``cpu_st{size}{end}_data_ra(env, ptr, val, ra)``
  - ``_le`` : little endian
 
 Regexes for git grep:
- - ``\<cpu_ld[us]\?[bwlq](_[bl]e)\?_data_ra\>``
- - ``\<cpu_st[bwlq](_[bl]e)\?_data_ra\>``
+ - ``\<cpu_ld[us]\?[bwlq]$_[bl]e$\?_data_ra\>``
+ - ``\<cpu_st[bwlq]$_[bl]e$\?_data_ra\>``
 
 ``cpu_{ld,st}*_data``
 ~~~~~~~~~~~~~~~~~~~~~
@@ -XXX,XX +XXX,XX @@ store: ``cpu_st{size}{end}_data(env, ptr, val)``
  - ``_be`` : big endian
  - ``_le`` : little endian
 
-Regexes for git grep
- - ``\<cpu_ld[us]\?[bwlq](_[bl]e)\?_data\>``
- - ``\<cpu_st[bwlq](_[bl]e)\?_data\+\>``
+Regexes for git grep:
+ - ``\<cpu_ld[us]\?[bwlq]$_[bl]e$\?_data\>``
+ - ``\<cpu_st[bwlq]$_[bl]e$\?_data\+\>``
 
 ``cpu_ld*_code``
 ~~~~~~~~~~~~~~~~
@@ -XXX,XX +XXX,XX @@ swap: ``translator_ld{sign}{size}_swap(env, ptr, swap)``
  - ``l`` : 32 bits
  - ``q`` : 64 bits
 
-Regexes for git grep
+Regexes for git grep:
  - ``\<translator_ld[us]\?[bwlq]$_swap$\?\>``
 
 ``helper_{ld,st}*_mmu``
@@ -XXX,XX +XXX,XX @@ store: ``helper_{size}_mmu(env, addr, val, opindex, retaddr)``
  - ``l`` : 32 bits
  - ``q`` : 64 bits
 
-Regexes for git grep
+Regexes for git grep:
  - ``\<helper_ld[us]\?[bwlq]_mmu\>``
  - ``\<helper_st[bwlq]_mmu\>``
 
@@ -XXX,XX +XXX,XX @@ succeeded using a MemTxResult return code.
 
 The ``_{endian}`` suffix is omitted for byte accesses.
 
-Regexes for git grep
+Regexes for git grep:
  - ``\<address_space_$read\|write\|rw$\>``
  - ``\<address_space_ldu\?[bwql]$_[lb]e$\?\>``
  - ``\<address_space_st[bwql]$_[lb]e$\?\>``
@@ -XXX,XX +XXX,XX @@ Note that portions of the write which attempt to write data to a
 device will be silently ignored -- only real RAM and ROM will
 be written to.
 
-Regexes for git grep
+Regexes for git grep:
  - ``address_space_write_rom``
 
 ``{ld,st}*_phys``
@@ -XXX,XX +XXX,XX @@ device doing the access has no way to report such an error.
 
 The ``_{endian}_`` infix is omitted for byte accesses.
 
-Regexes for git grep
+Regexes for git grep:
  - ``\<ldu\?[bwlq]$_[bl]e$\?_phys\>``
  - ``\<st[bwlq]$_[bl]e$\?_phys\>``
 
@@ -XXX,XX +XXX,XX @@ For new code they are better avoided:
 
 ``cpu_physical_memory_rw``
 
-Regexes for git grep
+Regexes for git grep:
  - ``\<cpu_physical_memory_$read\|write\|rw$\>``
 
 ``cpu_memory_rw_debug``
@@ -XXX,XX +XXX,XX @@ make sure our existing code is doing things correctly.
 
 ``dma_memory_rw``
 
-Regexes for git grep
+Regexes for git grep:
  - ``\<dma_memory_$read\|write\|rw$\>``
  - ``\<ldu\?[bwlq]$_[bl]e$\?_dma\>``
  - ``\<st[bwlq]$_[bl]e$\?_dma\>``
@@ -XXX,XX +XXX,XX @@ correct address space for that device.
 
 The ``_{endian}_`` infix is omitted for byte accesses.
 
-Regexes for git grep
+Regexes for git grep:
  - ``\<pci_dma_$read\|write\|rw$\>``
  - ``\<ldu\?[bwlq]$_[bl]e$\?_pci_dma\>``
  - ``\<st[bwlq]$_[bl]e$\?_pci_dma\>``
-- 
2.34.1

From: Fabian Vogt <fvogt@suse.de>

Just like d7ef5e16a17c sets SCR_EL3.HXEn for FEAT_HCX, this commit
handles SCR_EL3.FGTEn for FEAT_FGT:

When we direct boot a kernel on a CPU which emulates EL3, we need to
set up the EL3 system registers as the Linux kernel documentation
specifies:
    https://www.kernel.org/doc/Documentation/arm64/booting.rst

> For CPUs with the Fine Grained Traps (FEAT_FGT) extension present:
> - If EL3 is present and the kernel is entered at EL2:
>   - SCR_EL3.FGTEn (bit 27) must be initialised to 0b1.

Cc: qemu-stable@nongnu.org
Signed-off-by: Fabian Vogt <fvogt@suse.de>
Message-id: 4831384.GXAFRqVoOG@linux-e202.suse.de
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/boot.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/hw/arm/boot.c b/hw/arm/boot.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/boot.c
+++ b/hw/arm/boot.c
@@ -XXX,XX +XXX,XX @@ static void do_cpu_reset(void *opaque)
                     if (cpu_isar_feature(aa64_hcx, cpu)) {
                         env->cp15.scr_el3 |= SCR_HXEN;
                     }
+                    if (cpu_isar_feature(aa64_fgt, cpu)) {
+                        env->cp15.scr_el3 |= SCR_FGTEN;
+                    }
+
                     /* AArch64 kernels never boot in secure mode */
                     assert(!info->secure_boot);
                     /* This hook is only supported for AArch32 currently:
-- 
2.34.1

Some of the names we use for CPU features in linux-user's dummy
/proc/cpuinfo don't match the strings in the real kernel in
arch/arm64/kernel/cpuinfo.c. Specifically, the SME related
features have an underscore in the HWCAP_FOO define name,
but (like the SVE ones) they do not have an underscore in the
string in cpuinfo. Correct the errors.

Fixes: a55b9e7226708 ("linux-user: Emulate /proc/cpuinfo on aarch64 and arm")
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
---
 linux-user/elfload.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/linux-user/elfload.c b/linux-user/elfload.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/elfload.c
+++ b/linux-user/elfload.c
@@ -XXX,XX +XXX,XX @@ const char *elf_hwcap2_str(uint32_t bit)
     [__builtin_ctz(ARM_HWCAP2_A64_RPRES        )] = "rpres",
     [__builtin_ctz(ARM_HWCAP2_A64_MTE3         )] = "mte3",
     [__builtin_ctz(ARM_HWCAP2_A64_SME          )] = "sme",
-    [__builtin_ctz(ARM_HWCAP2_A64_SME_I16I64   )] = "sme_i16i64",
-    [__builtin_ctz(ARM_HWCAP2_A64_SME_F64F64   )] = "sme_f64f64",
-    [__builtin_ctz(ARM_HWCAP2_A64_SME_I8I32    )] = "sme_i8i32",
-    [__builtin_ctz(ARM_HWCAP2_A64_SME_F16F32   )] = "sme_f16f32",
-    [__builtin_ctz(ARM_HWCAP2_A64_SME_B16F32   )] = "sme_b16f32",
-    [__builtin_ctz(ARM_HWCAP2_A64_SME_F32F32   )] = "sme_f32f32",
-    [__builtin_ctz(ARM_HWCAP2_A64_SME_FA64     )] = "sme_fa64",
+    [__builtin_ctz(ARM_HWCAP2_A64_SME_I16I64   )] = "smei16i64",
+    [__builtin_ctz(ARM_HWCAP2_A64_SME_F64F64   )] = "smef64f64",
+    [__builtin_ctz(ARM_HWCAP2_A64_SME_I8I32    )] = "smei8i32",
+    [__builtin_ctz(ARM_HWCAP2_A64_SME_F16F32   )] = "smef16f32",
+    [__builtin_ctz(ARM_HWCAP2_A64_SME_B16F32   )] = "smeb16f32",
+    [__builtin_ctz(ARM_HWCAP2_A64_SME_F32F32   )] = "smef32f32",
+    [__builtin_ctz(ARM_HWCAP2_A64_SME_FA64     )] = "smefa64",
     };
 
     return bit < ARRAY_SIZE(hwcap_str) ? hwcap_str[bit] : NULL;
-- 
2.34.1

Our lists of Arm 32 and 64 bit hwcap values have lagged behind
the Linux kernel. Update them to include all the bits defined
as of upstream Linux git commit a48fa7efaf1161c1 (in the middle
of the kernel 6.6 dev cycle).

For 64-bit, we don't yet implement any of the features reported via
these hwcap bits.  For 32-bit we do in fact already implement them
all; we'll add the code to set them in a subsequent commit.

diff --git a/linux-user/elfload.c b/linux-user/elfload.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/elfload.c
+++ b/linux-user/elfload.c
@@ -XXX,XX +XXX,XX @@ enum
     ARM_HWCAP_ARM_VFPD32    = 1 << 19,
     ARM_HWCAP_ARM_LPAE      = 1 << 20,
     ARM_HWCAP_ARM_EVTSTRM   = 1 << 21,
+    ARM_HWCAP_ARM_FPHP      = 1 << 22,
+    ARM_HWCAP_ARM_ASIMDHP   = 1 << 23,
+    ARM_HWCAP_ARM_ASIMDDP   = 1 << 24,
+    ARM_HWCAP_ARM_ASIMDFHM  = 1 << 25,
+    ARM_HWCAP_ARM_ASIMDBF16 = 1 << 26,
+    ARM_HWCAP_ARM_I8MM      = 1 << 27,
 };
 
 enum {
@@ -XXX,XX +XXX,XX @@ enum {
     ARM_HWCAP2_ARM_SHA1     = 1 << 2,
     ARM_HWCAP2_ARM_SHA2     = 1 << 3,
     ARM_HWCAP2_ARM_CRC32    = 1 << 4,
+    ARM_HWCAP2_ARM_SB       = 1 << 5,
+    ARM_HWCAP2_ARM_SSBS     = 1 << 6,
 };
 
 /* The commpage only exists for 32 bit kernels */
@@ -XXX,XX +XXX,XX @@ const char *elf_hwcap_str(uint32_t bit)
     [__builtin_ctz(ARM_HWCAP_ARM_VFPD32   )] = "vfpd32",
     [__builtin_ctz(ARM_HWCAP_ARM_LPAE     )] = "lpae",
     [__builtin_ctz(ARM_HWCAP_ARM_EVTSTRM  )] = "evtstrm",
+    [__builtin_ctz(ARM_HWCAP_ARM_FPHP     )] = "fphp",
+    [__builtin_ctz(ARM_HWCAP_ARM_ASIMDHP  )] = "asimdhp",
+    [__builtin_ctz(ARM_HWCAP_ARM_ASIMDDP  )] = "asimddp",
+    [__builtin_ctz(ARM_HWCAP_ARM_ASIMDFHM )] = "asimdfhm",
+    [__builtin_ctz(ARM_HWCAP_ARM_ASIMDBF16)] = "asimdbf16",
+    [__builtin_ctz(ARM_HWCAP_ARM_I8MM     )] = "i8mm",
     };
 
     return bit < ARRAY_SIZE(hwcap_str) ? hwcap_str[bit] : NULL;
@@ -XXX,XX +XXX,XX @@ const char *elf_hwcap2_str(uint32_t bit)
     [__builtin_ctz(ARM_HWCAP2_ARM_SHA1 )] = "sha1",
     [__builtin_ctz(ARM_HWCAP2_ARM_SHA2 )] = "sha2",
     [__builtin_ctz(ARM_HWCAP2_ARM_CRC32)] = "crc32",
+    [__builtin_ctz(ARM_HWCAP2_ARM_SB   )] = "sb",
+    [__builtin_ctz(ARM_HWCAP2_ARM_SSBS )] = "ssbs",
     };
 
     return bit < ARRAY_SIZE(hwcap_str) ? hwcap_str[bit] : NULL;
@@ -XXX,XX +XXX,XX @@ enum {
     ARM_HWCAP2_A64_SME_B16F32   = 1 << 28,
     ARM_HWCAP2_A64_SME_F32F32   = 1 << 29,
     ARM_HWCAP2_A64_SME_FA64     = 1 << 30,
+    ARM_HWCAP2_A64_WFXT         = 1ULL << 31,
+    ARM_HWCAP2_A64_EBF16        = 1ULL << 32,
+    ARM_HWCAP2_A64_SVE_EBF16    = 1ULL << 33,
+    ARM_HWCAP2_A64_CSSC         = 1ULL << 34,
+    ARM_HWCAP2_A64_RPRFM        = 1ULL << 35,
+    ARM_HWCAP2_A64_SVE2P1       = 1ULL << 36,
+    ARM_HWCAP2_A64_SME2         = 1ULL << 37,
+    ARM_HWCAP2_A64_SME2P1       = 1ULL << 38,
+    ARM_HWCAP2_A64_SME_I16I32   = 1ULL << 39,
+    ARM_HWCAP2_A64_SME_BI32I32  = 1ULL << 40,
+    ARM_HWCAP2_A64_SME_B16B16   = 1ULL << 41,
+    ARM_HWCAP2_A64_SME_F16F16   = 1ULL << 42,
+    ARM_HWCAP2_A64_MOPS         = 1ULL << 43,
+    ARM_HWCAP2_A64_HBC          = 1ULL << 44,
 };
 
 #define ELF_HWCAP   get_elf_hwcap()
@@ -XXX,XX +XXX,XX @@ const char *elf_hwcap2_str(uint32_t bit)
     [__builtin_ctz(ARM_HWCAP2_A64_SME_B16F32   )] = "smeb16f32",
     [__builtin_ctz(ARM_HWCAP2_A64_SME_F32F32   )] = "smef32f32",
     [__builtin_ctz(ARM_HWCAP2_A64_SME_FA64     )] = "smefa64",
+    [__builtin_ctz(ARM_HWCAP2_A64_WFXT         )] = "wfxt",
+    [__builtin_ctzll(ARM_HWCAP2_A64_EBF16      )] = "ebf16",
+    [__builtin_ctzll(ARM_HWCAP2_A64_SVE_EBF16  )] = "sveebf16",
+    [__builtin_ctzll(ARM_HWCAP2_A64_CSSC       )] = "cssc",
+    [__builtin_ctzll(ARM_HWCAP2_A64_RPRFM      )] = "rprfm",
+    [__builtin_ctzll(ARM_HWCAP2_A64_SVE2P1     )] = "sve2p1",
+    [__builtin_ctzll(ARM_HWCAP2_A64_SME2       )] = "sme2",
+    [__builtin_ctzll(ARM_HWCAP2_A64_SME2P1     )] = "sme2p1",
+    [__builtin_ctzll(ARM_HWCAP2_A64_SME_I16I32 )] = "smei16i32",
+    [__builtin_ctzll(ARM_HWCAP2_A64_SME_BI32I32)] = "smebi32i32",
+    [__builtin_ctzll(ARM_HWCAP2_A64_SME_B16B16 )] = "smeb16b16",
+    [__builtin_ctzll(ARM_HWCAP2_A64_SME_F16F16 )] = "smef16f16",
+    [__builtin_ctzll(ARM_HWCAP2_A64_MOPS       )] = "mops",
+    [__builtin_ctzll(ARM_HWCAP2_A64_HBC        )] = "hbc",
     };
 
     return bit < ARRAY_SIZE(hwcap_str) ? hwcap_str[bit] : NULL;
-- 
2.34.1

Add the code to report the arm32 hwcaps we were previously missing:
 ss, ssbs, fphp, asimdhp, asimddp, asimdfhm, asimdbf16, i8mm

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
---
 linux-user/elfload.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/linux-user/elfload.c b/linux-user/elfload.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/elfload.c
+++ b/linux-user/elfload.c
@@ -XXX,XX +XXX,XX @@ uint32_t get_elf_hwcap(void)
         }
     }
     GET_FEATURE_ID(aa32_simdfmac, ARM_HWCAP_ARM_VFPv4);
+    /*
+     * MVFR1.FPHP and .SIMDHP must be in sync, and QEMU uses the same
+     * isar_feature function for both. The kernel reports them as two hwcaps.
+     */
+    GET_FEATURE_ID(aa32_fp16_arith, ARM_HWCAP_ARM_FPHP);
+    GET_FEATURE_ID(aa32_fp16_arith, ARM_HWCAP_ARM_ASIMDHP);
+    GET_FEATURE_ID(aa32_dp, ARM_HWCAP_ARM_ASIMDDP);
+    GET_FEATURE_ID(aa32_fhm, ARM_HWCAP_ARM_ASIMDFHM);
+    GET_FEATURE_ID(aa32_bf16, ARM_HWCAP_ARM_ASIMDBF16);
+    GET_FEATURE_ID(aa32_i8mm, ARM_HWCAP_ARM_I8MM);
 
     return hwcaps;
 }
@@ -XXX,XX +XXX,XX @@ uint32_t get_elf_hwcap2(void)
     GET_FEATURE_ID(aa32_sha1, ARM_HWCAP2_ARM_SHA1);
     GET_FEATURE_ID(aa32_sha2, ARM_HWCAP2_ARM_SHA2);
     GET_FEATURE_ID(aa32_crc32, ARM_HWCAP2_ARM_CRC32);
+    GET_FEATURE_ID(aa32_sb, ARM_HWCAP2_ARM_SB);
+    GET_FEATURE_ID(aa32_ssbs, ARM_HWCAP2_ARM_SSBS);
     return hwcaps;
 }
 
-- 
2.34.1

Update our AArch64 ID register field definitions from the 2023-06
system register XML release:
 https://developer.arm.com/documentation/ddi0601/2023-06/

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/arm/cpu.h | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ FIELD(ID_AA64ISAR0, SHA1, 8, 4)
 FIELD(ID_AA64ISAR0, SHA2, 12, 4)
 FIELD(ID_AA64ISAR0, CRC32, 16, 4)
 FIELD(ID_AA64ISAR0, ATOMIC, 20, 4)
+FIELD(ID_AA64ISAR0, TME, 24, 4)
 FIELD(ID_AA64ISAR0, RDM, 28, 4)
 FIELD(ID_AA64ISAR0, SHA3, 32, 4)
 FIELD(ID_AA64ISAR0, SM3, 36, 4)
@@ -XXX,XX +XXX,XX @@ FIELD(ID_AA64ISAR2, APA3, 12, 4)
 FIELD(ID_AA64ISAR2, MOPS, 16, 4)
 FIELD(ID_AA64ISAR2, BC, 20, 4)
 FIELD(ID_AA64ISAR2, PAC_FRAC, 24, 4)
+FIELD(ID_AA64ISAR2, CLRBHB, 28, 4)
+FIELD(ID_AA64ISAR2, SYSREG_128, 32, 4)
+FIELD(ID_AA64ISAR2, SYSINSTR_128, 36, 4)
+FIELD(ID_AA64ISAR2, PRFMSLC, 40, 4)
+FIELD(ID_AA64ISAR2, RPRFM, 48, 4)
+FIELD(ID_AA64ISAR2, CSSC, 52, 4)
+FIELD(ID_AA64ISAR2, ATS1A, 60, 4)
 
 FIELD(ID_AA64PFR0, EL0, 0, 4)
 FIELD(ID_AA64PFR0, EL1, 4, 4)
@@ -XXX,XX +XXX,XX @@ FIELD(ID_AA64PFR1, SME, 24, 4)
 FIELD(ID_AA64PFR1, RNDR_TRAP, 28, 4)
 FIELD(ID_AA64PFR1, CSV2_FRAC, 32, 4)
 FIELD(ID_AA64PFR1, NMI, 36, 4)
+FIELD(ID_AA64PFR1, MTE_FRAC, 40, 4)
+FIELD(ID_AA64PFR1, GCS, 44, 4)
+FIELD(ID_AA64PFR1, THE, 48, 4)
+FIELD(ID_AA64PFR1, MTEX, 52, 4)
+FIELD(ID_AA64PFR1, DF2, 56, 4)
+FIELD(ID_AA64PFR1, PFAR, 60, 4)
 
 FIELD(ID_AA64MMFR0, PARANGE, 0, 4)
 FIELD(ID_AA64MMFR0, ASIDBITS, 4, 4)
@@ -XXX,XX +XXX,XX @@ FIELD(ID_AA64MMFR1, AFP, 44, 4)
 FIELD(ID_AA64MMFR1, NTLBPA, 48, 4)
 FIELD(ID_AA64MMFR1, TIDCP1, 52, 4)
 FIELD(ID_AA64MMFR1, CMOW, 56, 4)
+FIELD(ID_AA64MMFR1, ECBHB, 60, 4)
 
 FIELD(ID_AA64MMFR2, CNP, 0, 4)
 FIELD(ID_AA64MMFR2, UAO, 4, 4)
@@ -XXX,XX +XXX,XX @@ FIELD(ID_AA64DFR0, DEBUGVER, 0, 4)
 FIELD(ID_AA64DFR0, TRACEVER, 4, 4)
 FIELD(ID_AA64DFR0, PMUVER, 8, 4)
 FIELD(ID_AA64DFR0, BRPS, 12, 4)
+FIELD(ID_AA64DFR0, PMSS, 16, 4)
 FIELD(ID_AA64DFR0, WRPS, 20, 4)
+FIELD(ID_AA64DFR0, SEBEP, 24, 4)
 FIELD(ID_AA64DFR0, CTX_CMPS, 28, 4)
 FIELD(ID_AA64DFR0, PMSVER, 32, 4)
 FIELD(ID_AA64DFR0, DOUBLELOCK, 36, 4)
@@ -XXX,XX +XXX,XX @@ FIELD(ID_AA64DFR0, TRACEFILT, 40, 4)
 FIELD(ID_AA64DFR0, TRACEBUFFER, 44, 4)
 FIELD(ID_AA64DFR0, MTPMU, 48, 4)
 FIELD(ID_AA64DFR0, BRBE, 52, 4)
+FIELD(ID_AA64DFR0, EXTTRCBUFF, 56, 4)
 FIELD(ID_AA64DFR0, HPMN0, 60, 4)
 
 FIELD(ID_AA64ZFR0, SVEVER, 0, 4)
 FIELD(ID_AA64ZFR0, AES, 4, 4)
 FIELD(ID_AA64ZFR0, BITPERM, 16, 4)
 FIELD(ID_AA64ZFR0, BFLOAT16, 20, 4)
+FIELD(ID_AA64ZFR0, B16B16, 24, 4)
 FIELD(ID_AA64ZFR0, SHA3, 32, 4)
 FIELD(ID_AA64ZFR0, SM4, 40, 4)
 FIELD(ID_AA64ZFR0, I8MM, 44, 4)
@@ -XXX,XX +XXX,XX @@ FIELD(ID_AA64ZFR0, F32MM, 52, 4)
 FIELD(ID_AA64ZFR0, F64MM, 56, 4)
 
 FIELD(ID_AA64SMFR0, F32F32, 32, 1)
+FIELD(ID_AA64SMFR0, BI32I32, 33, 1)
 FIELD(ID_AA64SMFR0, B16F32, 34, 1)
 FIELD(ID_AA64SMFR0, F16F32, 35, 1)
 FIELD(ID_AA64SMFR0, I8I32, 36, 4)
+FIELD(ID_AA64SMFR0, F16F16, 42, 1)
+FIELD(ID_AA64SMFR0, B16B16, 43, 1)
+FIELD(ID_AA64SMFR0, I16I32, 44, 4)
 FIELD(ID_AA64SMFR0, F64F64, 48, 1)
 FIELD(ID_AA64SMFR0, I16I64, 52, 4)
 FIELD(ID_AA64SMFR0, SMEVER, 56, 4)
-- 
2.34.1

For user-only mode we reveal a subset of the AArch64 ID registers
to the guest, to emulate the kernel's trap-and-emulate-ID-regs
handling. Update the feature bit masks to match upstream kernel
commit a48fa7efaf1161c1c.

None of these features are yet implemented by QEMU, so this
doesn't yet have a behavioural change, but implementation of
FEAT_MOPS and FEAT_HBC is imminent.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/arm/helper.c         | 11 ++++++++++-
 tests/tcg/aarch64/sysregs.c |  4 ++--
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
                                R_ID_AA64ZFR0_F64MM_MASK },
             { .name = "ID_AA64SMFR0_EL1",
               .exported_bits = R_ID_AA64SMFR0_F32F32_MASK |
+                               R_ID_AA64SMFR0_BI32I32_MASK |
                                R_ID_AA64SMFR0_B16F32_MASK |
                                R_ID_AA64SMFR0_F16F32_MASK |
                                R_ID_AA64SMFR0_I8I32_MASK |
+                               R_ID_AA64SMFR0_F16F16_MASK |
+                               R_ID_AA64SMFR0_B16B16_MASK |
+                               R_ID_AA64SMFR0_I16I32_MASK |
                                R_ID_AA64SMFR0_F64F64_MASK |
                                R_ID_AA64SMFR0_I16I64_MASK |
+                               R_ID_AA64SMFR0_SMEVER_MASK |
                                R_ID_AA64SMFR0_FA64_MASK },
             { .name = "ID_AA64MMFR0_EL1",
               .exported_bits = R_ID_AA64MMFR0_ECV_MASK,
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
               .exported_bits = R_ID_AA64ISAR2_WFXT_MASK |
                                R_ID_AA64ISAR2_RPRES_MASK |
                                R_ID_AA64ISAR2_GPA3_MASK |
-                               R_ID_AA64ISAR2_APA3_MASK },
+                               R_ID_AA64ISAR2_APA3_MASK |
+                               R_ID_AA64ISAR2_MOPS_MASK |
+                               R_ID_AA64ISAR2_BC_MASK |
+                               R_ID_AA64ISAR2_RPRFM_MASK |
+                               R_ID_AA64ISAR2_CSSC_MASK },
             { .name = "ID_AA64ISAR*_EL1_RESERVED",
               .is_glob = true },
         };
diff --git a/tests/tcg/aarch64/sysregs.c b/tests/tcg/aarch64/sysregs.c
index XXXXXXX..XXXXXXX 100644
--- a/tests/tcg/aarch64/sysregs.c
+++ b/tests/tcg/aarch64/sysregs.c
@@ -XXX,XX +XXX,XX @@ int main(void)
      */
     get_cpu_reg_check_mask(id_aa64isar0_el1, _m(f0ff,ffff,f0ff,fff0));
     get_cpu_reg_check_mask(id_aa64isar1_el1, _m(00ff,f0ff,ffff,ffff));
-    get_cpu_reg_check_mask(SYS_ID_AA64ISAR2_EL1, _m(0000,0000,0000,ffff));
+    get_cpu_reg_check_mask(SYS_ID_AA64ISAR2_EL1, _m(00ff,0000,00ff,ffff));
     /* TGran4 & TGran64 as pegged to -1 */
     get_cpu_reg_check_mask(id_aa64mmfr0_el1, _m(f000,0000,ff00,0000));
     get_cpu_reg_check_mask(id_aa64mmfr1_el1, _m(0000,f000,0000,0000));
@@ -XXX,XX +XXX,XX @@ int main(void)
     get_cpu_reg_check_mask(id_aa64dfr0_el1,  _m(0000,0000,0000,0006));
     get_cpu_reg_check_zero(id_aa64dfr1_el1);
     get_cpu_reg_check_mask(SYS_ID_AA64ZFR0_EL1,  _m(0ff0,ff0f,00ff,00ff));
-    get_cpu_reg_check_mask(SYS_ID_AA64SMFR0_EL1, _m(80f1,00fd,0000,0000));
+    get_cpu_reg_check_mask(SYS_ID_AA64SMFR0_EL1, _m(8ff1,fcff,0000,0000));
 
     get_cpu_reg_check_zero(id_aa64afr0_el1);
     get_cpu_reg_check_zero(id_aa64afr1_el1);
-- 
2.34.1

FEAT_HBC (Hinted conditional branches) provides a new instruction
BC.cond, which behaves exactly like the existing B.cond except
that it provides a hint to the branch predictor about the
likely behaviour of the branch.

Since QEMU does not implement branch prediction, we can treat
this identically to B.cond.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
---
 docs/system/arm/emulation.rst  | 1 +
 target/arm/cpu.h               | 5 +++++
 target/arm/tcg/a64.decode      | 3 ++-
 linux-user/elfload.c           | 1 +
 target/arm/tcg/cpu64.c         | 4 ++++
 target/arm/tcg/translate-a64.c | 4 ++++
 6 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/docs/system/arm/emulation.rst b/docs/system/arm/emulation.rst
index XXXXXXX..XXXXXXX 100644
--- a/docs/system/arm/emulation.rst
+++ b/docs/system/arm/emulation.rst
@@ -XXX,XX +XXX,XX @@ the following architecture extensions:
 - FEAT_FlagM2 (Enhancements to flag manipulation instructions)
 - FEAT_GTG (Guest translation granule size)
 - FEAT_HAFDBS (Hardware management of the access flag and dirty bit state)
+- FEAT_HBC (Hinted conditional branches)
 - FEAT_HCX (Support for the HCRX_EL2 register)
 - FEAT_HPDS (Hierarchical permission disables)
 - FEAT_HPDS2 (Translation table page-based hardware attributes)
diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa64_i8mm(const ARMISARegisters *id)
     return FIELD_EX64(id->id_aa64isar1, ID_AA64ISAR1, I8MM) != 0;
 }
 
+static inline bool isar_feature_aa64_hbc(const ARMISARegisters *id)
+{
+    return FIELD_EX64(id->id_aa64isar2, ID_AA64ISAR2, BC) != 0;
+}
+
 static inline bool isar_feature_aa64_tgran4_lpa2(const ARMISARegisters *id)
 {
     return FIELD_SEX64(id->id_aa64mmfr0, ID_AA64MMFR0, TGRAN4) >= 1;
diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/a64.decode
+++ b/target/arm/tcg/a64.decode
@@ -XXX,XX +XXX,XX @@ CBZ             sf:1 011010 nz:1 ................... rt:5 &cbz imm=%imm19
 
 TBZ             . 011011 nz:1 ..... .............. rt:5 &tbz  imm=%imm14 bitpos=%imm31_19
 
-B_cond          0101010 0 ................... 0 cond:4 imm=%imm19
+# B.cond and BC.cond
+B_cond          0101010 0 ................... c:1 cond:4 imm=%imm19
 
 BR              1101011 0000 11111 000000 rn:5 00000 &r
 BLR             1101011 0001 11111 000000 rn:5 00000 &r
diff --git a/linux-user/elfload.c b/linux-user/elfload.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/elfload.c
+++ b/linux-user/elfload.c
@@ -XXX,XX +XXX,XX @@ uint32_t get_elf_hwcap2(void)
     GET_FEATURE_ID(aa64_sme_f64f64, ARM_HWCAP2_A64_SME_F64F64);
     GET_FEATURE_ID(aa64_sme_i16i64, ARM_HWCAP2_A64_SME_I16I64);
     GET_FEATURE_ID(aa64_sme_fa64, ARM_HWCAP2_A64_SME_FA64);
+    GET_FEATURE_ID(aa64_hbc, ARM_HWCAP2_A64_HBC);
 
     return hwcaps;
 }
diff --git a/target/arm/tcg/cpu64.c b/target/arm/tcg/cpu64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/cpu64.c
+++ b/target/arm/tcg/cpu64.c
@@ -XXX,XX +XXX,XX @@ void aarch64_max_tcg_initfn(Object *obj)
     t = FIELD_DP64(t, ID_AA64ISAR1, I8MM, 1);     /* FEAT_I8MM */
     cpu->isar.id_aa64isar1 = t;
 
+    t = cpu->isar.id_aa64isar2;
+    t = FIELD_DP64(t, ID_AA64ISAR2, BC, 1);      /* FEAT_HBC */
+    cpu->isar.id_aa64isar2 = t;
+
     t = cpu->isar.id_aa64pfr0;
     t = FIELD_DP64(t, ID_AA64PFR0, FP, 1);        /* FEAT_FP16 */
     t = FIELD_DP64(t, ID_AA64PFR0, ADVSIMD, 1);   /* FEAT_FP16 */
diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-a64.c
+++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static bool trans_TBZ(DisasContext *s, arg_tbz *a)
 
 static bool trans_B_cond(DisasContext *s, arg_B_cond *a)
 {
+    /* BC.cond is only present with FEAT_HBC */
+    if (a->c && !dc_isar_feature(aa64_hbc, s)) {
+        return false;
+    }
     reset_btype(s);
     if (a->cond < 0x0e) {
         /* genuinely conditional branches */
-- 
2.34.1

The allocation_tag_mem() function takes an argument tag_size,
but it never uses it. Remove the argument. In mte_probe_int()
in particular this also lets us delete the code computing
the value we were passing in.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
---
 target/arm/tcg/mte_helper.c | 42 +++++++++++++------------------------
 1 file changed, 14 insertions(+), 28 deletions(-)

diff --git a/target/arm/tcg/mte_helper.c b/target/arm/tcg/mte_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/mte_helper.c
+++ b/target/arm/tcg/mte_helper.c
@@ -XXX,XX +XXX,XX @@ static int choose_nonexcluded_tag(int tag, int offset, uint16_t exclude)
  * @ptr_access: the access to use for the virtual address
  * @ptr_size: the number of bytes in the normal memory access
  * @tag_access: the access to use for the tag memory
- * @tag_size: the number of bytes in the tag memory access
  * @ra: the return address for exception handling
  *
  * Our tag memory is formatted as a sequence of little-endian nibbles.
@@ -XXX,XX +XXX,XX @@ static int choose_nonexcluded_tag(int tag, int offset, uint16_t exclude)
  * a pointer to the corresponding tag byte.  Exit with exception if the
  * virtual address is not accessible for @ptr_access.
  *
- * The @ptr_size and @tag_size values may not have an obvious relation
- * due to the alignment of @ptr, and the number of tag checks required.
- *
  * If there is no tag storage corresponding to @ptr, return NULL.
  */
 static uint8_t *allocation_tag_mem(CPUARMState *env, int ptr_mmu_idx,
                                    uint64_t ptr, MMUAccessType ptr_access,
                                    int ptr_size, MMUAccessType tag_access,
-                                   int tag_size, uintptr_t ra)
+                                   uintptr_t ra)
 {
 #ifdef CONFIG_USER_ONLY
     uint64_t clean_ptr = useronly_clean_ptr(ptr);
@@ -XXX,XX +XXX,XX @@ uint64_t HELPER(ldg)(CPUARMState *env, uint64_t ptr, uint64_t xt)
 
     /* Trap if accessing an invalid page.  */
     mem = allocation_tag_mem(env, mmu_idx, ptr, MMU_DATA_LOAD, 1,
-                             MMU_DATA_LOAD, 1, GETPC());
+                             MMU_DATA_LOAD, GETPC());
 
     /* Load if page supports tags. */
     if (mem) {
@@ -XXX,XX +XXX,XX @@ static inline void do_stg(CPUARMState *env, uint64_t ptr, uint64_t xt,
 
     /* Trap if accessing an invalid page.  */
     mem = allocation_tag_mem(env, mmu_idx, ptr, MMU_DATA_STORE, TAG_GRANULE,
-                             MMU_DATA_STORE, 1, ra);
+                             MMU_DATA_STORE, ra);
 
     /* Store if page supports tags. */
     if (mem) {
@@ -XXX,XX +XXX,XX @@ static inline void do_st2g(CPUARMState *env, uint64_t ptr, uint64_t xt,
     if (ptr & TAG_GRANULE) {
         /* Two stores unaligned mod TAG_GRANULE*2 -- modify two bytes. */
         mem1 = allocation_tag_mem(env, mmu_idx, ptr, MMU_DATA_STORE,
-                                  TAG_GRANULE, MMU_DATA_STORE, 1, ra);
+                                  TAG_GRANULE, MMU_DATA_STORE, ra);
         mem2 = allocation_tag_mem(env, mmu_idx, ptr + TAG_GRANULE,
                                   MMU_DATA_STORE, TAG_GRANULE,
-                                  MMU_DATA_STORE, 1, ra);
+                                  MMU_DATA_STORE, ra);
 
         /* Store if page(s) support tags. */
         if (mem1) {
@@ -XXX,XX +XXX,XX @@ static inline void do_st2g(CPUARMState *env, uint64_t ptr, uint64_t xt,
     } else {
         /* Two stores aligned mod TAG_GRANULE*2 -- modify one byte. */
         mem1 = allocation_tag_mem(env, mmu_idx, ptr, MMU_DATA_STORE,
-                                  2 * TAG_GRANULE, MMU_DATA_STORE, 1, ra);
+                                  2 * TAG_GRANULE, MMU_DATA_STORE, ra);
         if (mem1) {
             tag |= tag << 4;
             qatomic_set(mem1, tag);
@@ -XXX,XX +XXX,XX @@ uint64_t HELPER(ldgm)(CPUARMState *env, uint64_t ptr)
 
     /* Trap if accessing an invalid page.  */
     tag_mem = allocation_tag_mem(env, mmu_idx, ptr, MMU_DATA_LOAD,
-                                 gm_bs_bytes, MMU_DATA_LOAD,
-                                 gm_bs_bytes / (2 * TAG_GRANULE), ra);
+                                 gm_bs_bytes, MMU_DATA_LOAD, ra);
 
     /* The tag is squashed to zero if the page does not support tags.  */
     if (!tag_mem) {
@@ -XXX,XX +XXX,XX @@ void HELPER(stgm)(CPUARMState *env, uint64_t ptr, uint64_t val)
 
     /* Trap if accessing an invalid page.  */
     tag_mem = allocation_tag_mem(env, mmu_idx, ptr, MMU_DATA_STORE,
-                                 gm_bs_bytes, MMU_DATA_LOAD,
-                                 gm_bs_bytes / (2 * TAG_GRANULE), ra);
+                                 gm_bs_bytes, MMU_DATA_LOAD, ra);
 
     /*
      * Tag store only happens if the page support tags,
@@ -XXX,XX +XXX,XX @@ void HELPER(stzgm_tags)(CPUARMState *env, uint64_t ptr, uint64_t val)
     ptr &= -dcz_bytes;
 
     mem = allocation_tag_mem(env, mmu_idx, ptr, MMU_DATA_STORE, dcz_bytes,
-                             MMU_DATA_STORE, tag_bytes, ra);
+                             MMU_DATA_STORE, ra);
     if (mem) {
         int tag_pair = (val & 0xf) * 0x11;
         memset(mem, tag_pair, tag_bytes);
@@ -XXX,XX +XXX,XX @@ static int mte_probe_int(CPUARMState *env, uint32_t desc, uint64_t ptr,
     int mmu_idx, ptr_tag, bit55;
     uint64_t ptr_last, prev_page, next_page;
     uint64_t tag_first, tag_last;
-    uint64_t tag_byte_first, tag_byte_last;
-    uint32_t sizem1, tag_count, tag_size, n, c;
+    uint32_t sizem1, tag_count, n, c;
     uint8_t *mem1, *mem2;
     MMUAccessType type;
 
@@ -XXX,XX +XXX,XX @@ static int mte_probe_int(CPUARMState *env, uint32_t desc, uint64_t ptr,
     tag_last = QEMU_ALIGN_DOWN(ptr_last, TAG_GRANULE);
     tag_count = ((tag_last - tag_first) / TAG_GRANULE) + 1;
 
-    /* Round the bounds to twice the tag granule, and compute the bytes. */
-    tag_byte_first = QEMU_ALIGN_DOWN(ptr, 2 * TAG_GRANULE);
-    tag_byte_last = QEMU_ALIGN_DOWN(ptr_last, 2 * TAG_GRANULE);
-
     /* Locate the page boundaries. */
     prev_page = ptr & TARGET_PAGE_MASK;
     next_page = prev_page + TARGET_PAGE_SIZE;
 
     if (likely(tag_last - prev_page < TARGET_PAGE_SIZE)) {
         /* Memory access stays on one page. */
-        tag_size = ((tag_byte_last - tag_byte_first) / (2 * TAG_GRANULE)) + 1;
         mem1 = allocation_tag_mem(env, mmu_idx, ptr, type, sizem1 + 1,
-                                  MMU_DATA_LOAD, tag_size, ra);
+                                  MMU_DATA_LOAD, ra);
         if (!mem1) {
             return 1;
         }
@@ -XXX,XX +XXX,XX @@ static int mte_probe_int(CPUARMState *env, uint32_t desc, uint64_t ptr,
         n = checkN(mem1, ptr & TAG_GRANULE, ptr_tag, tag_count);
     } else {
         /* Memory access crosses to next page. */
-        tag_size = (next_page - tag_byte_first) / (2 * TAG_GRANULE);
         mem1 = allocation_tag_mem(env, mmu_idx, ptr, type, next_page - ptr,
-                                  MMU_DATA_LOAD, tag_size, ra);
+                                  MMU_DATA_LOAD, ra);
 
-        tag_size = ((tag_byte_last - next_page) / (2 * TAG_GRANULE)) + 1;
         mem2 = allocation_tag_mem(env, mmu_idx, next_page, type,
                                   ptr_last - next_page + 1,
-                                  MMU_DATA_LOAD, tag_size, ra);
+                                  MMU_DATA_LOAD, ra);
 
         /*
          * Perform all of the comparisons.
@@ -XXX,XX +XXX,XX @@ uint64_t HELPER(mte_check_zva)(CPUARMState *env, uint32_t desc, uint64_t ptr)
     mmu_idx = FIELD_EX32(desc, MTEDESC, MIDX);
     (void) probe_write(env, ptr, 1, mmu_idx, ra);
     mem = allocation_tag_mem(env, mmu_idx, align_ptr, MMU_DATA_STORE,
-                             dcz_bytes, MMU_DATA_LOAD, tag_bytes, ra);
+                             dcz_bytes, MMU_DATA_LOAD, ra);
     if (!mem) {
         goto done;
     }
-- 
2.34.1

The LDRT/STRT "unprivileged load/store" instructions behave like
normal ones if executed at EL0. We handle this correctly for
the load/store semantics, but get the MTE checking wrong.

We always look at s->mte_active[is_unpriv] to see whether we should
be doing MTE checks, but in hflags.c when we set the TB flags that
will be used to fill the mte_active[] array we only set the
MTE0_ACTIVE bit if UNPRIV is true (i.e.  we are not at EL0).

This means that a LDRT at EL0 will see s->mte_active[1] as 0,
and will not do MTE checks even when MTE is enabled.

To avoid the translate-time code having to do an explicit check on
s->unpriv to see if it is OK to index into the mte_active[] array,
duplicate MTE_ACTIVE into MTE0_ACTIVE when UNPRIV is false.

(This isn't a very serious bug because generally nobody executes
LDRT/STRT at EL0, because they have no use there.)

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230912140434.1333369-2-peter.maydell@linaro.org
---
 target/arm/tcg/hflags.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/target/arm/tcg/hflags.c b/target/arm/tcg/hflags.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/hflags.c
+++ b/target/arm/tcg/hflags.c
@@ -XXX,XX +XXX,XX @@ static CPUARMTBFlags rebuild_hflags_a64(CPUARMState *env, int el, int fp_el,
                 && !(env->pstate & PSTATE_TCO)
                 && (sctlr & (el == 0 ? SCTLR_TCF0 : SCTLR_TCF))) {
                 DP_TBFLAG_A64(flags, MTE_ACTIVE, 1);
+                if (!EX_TBFLAG_A64(flags, UNPRIV)) {
+                    /*
+                     * In non-unpriv contexts (eg EL0), unpriv load/stores
+                     * act like normal ones; duplicate the MTE info to
+                     * avoid translate-a64.c having to check UNPRIV to see
+                     * whether it is OK to index into MTE_ACTIVE[].
+                     */
+                    DP_TBFLAG_A64(flags, MTE0_ACTIVE, 1);
+                }
             }
         }
         /* And again for unprivileged accesses, if required.  */
-- 
2.34.1

FEAT_MOPS defines a handful of new enable bits:
 * HCRX_EL2.MSCEn, SCTLR_EL1.MSCEn, SCTLR_EL2.MSCen:
   define whether the new insns should UNDEF or not
 * HCRX_EL2.MCE2: defines whether memops exceptions from
   EL1 should be taken to EL1 or EL2

Since we don't sanitise what bits can be written for the SCTLR
registers, we only need to handle the new bits in HCRX_EL2, and
define SCTLR_MSCEN for the new SCTLR bit value.

The precedence of "HCRX bits acts as 0 if SCR_EL3.HXEn is 0" versus
"bit acts as 1 if EL2 disabled" is not clear from the register
definition text, but it is clear in the CheckMOPSEnabled()
pseudocode(), so we follow that.  We'll have to check whether other
bits we need to implement in future follow the same logic or not.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230912140434.1333369-3-peter.maydell@linaro.org
---
 target/arm/cpu.h    |  6 ++++++
 target/arm/helper.c | 28 +++++++++++++++++++++-------
 2 files changed, 27 insertions(+), 7 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ void pmu_init(ARMCPU *cpu);
 #define SCTLR_EnIB    (1U << 30) /* v8.3, AArch64 only */
 #define SCTLR_EnIA    (1U << 31) /* v8.3, AArch64 only */
 #define SCTLR_DSSBS_32 (1U << 31) /* v8.5, AArch32 only */
+#define SCTLR_MSCEN   (1ULL << 33) /* FEAT_MOPS */
 #define SCTLR_BT0     (1ULL << 35) /* v8.5-BTI */
 #define SCTLR_BT1     (1ULL << 36) /* v8.5-BTI */
 #define SCTLR_ITFSB   (1ULL << 37) /* v8.5-MemTag */
@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa64_doublelock(const ARMISARegisters *id)
     return FIELD_SEX64(id->id_aa64dfr0, ID_AA64DFR0, DOUBLELOCK) >= 0;
 }
 
+static inline bool isar_feature_aa64_mops(const ARMISARegisters *id)
+{
+    return FIELD_EX64(id->id_aa64isar2, ID_AA64ISAR2, MOPS);
+}
+
 /*
  * Feature tests for "does this exist in either 32-bit or 64-bit?"
  */
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void hcrx_write(CPUARMState *env, const ARMCPRegInfo *ri,
 {
     uint64_t valid_mask = 0;
 
-    /* No features adding bits to HCRX are implemented. */
+    /* FEAT_MOPS adds MSCEn and MCE2 */
+    if (cpu_isar_feature(aa64_mops, env_archcpu(env))) {
+        valid_mask |= HCRX_MSCEN | HCRX_MCE2;
+    }
 
     /* Clear RES0 bits.  */
     env->cp15.hcrx_el2 = value & valid_mask;
@@ -XXX,XX +XXX,XX @@ uint64_t arm_hcrx_el2_eff(CPUARMState *env)
 {
     /*
      * The bits in this register behave as 0 for all purposes other than
-     * direct reads of the register if:
-     *   - EL2 is not enabled in the current security state,
-     *   - SCR_EL3.HXEn is 0.
+     * direct reads of the register if SCR_EL3.HXEn is 0.
+     * If EL2 is not enabled in the current security state, then the
+     * bit may behave as if 0, or as if 1, depending on the bit.
+     * For the moment, we treat the EL2-disabled case as taking
+     * priority over the HXEn-disabled case. This is true for the only
+     * bit for a feature which we implement where the answer is different
+     * for the two cases (MSCEn for FEAT_MOPS).
+     * This may need to be revisited for future bits.
      */
-    if (!arm_is_el2_enabled(env)
-        || (arm_feature(env, ARM_FEATURE_EL3)
-            && !(env->cp15.scr_el3 & SCR_HXEN))) {
+    if (!arm_is_el2_enabled(env)) {
+        uint64_t hcrx = 0;
+        if (cpu_isar_feature(aa64_mops, env_archcpu(env))) {
+            /* MSCEn behaves as 1 if EL2 is not enabled */
+            hcrx |= HCRX_MSCEN;
+        }
+        return hcrx;
+    }
+    if (arm_feature(env, ARM_FEATURE_EL3) && !(env->cp15.scr_el3 & SCR_HXEN)) {
         return 0;
     }
     return env->cp15.hcrx_el2;
-- 
2.34.1

In every place that we call the get_a64_user_mem_index() function
we do it like this:
 memidx = a->unpriv ? get_a64_user_mem_index(s) : get_mem_index(s);
Refactor so the caller passes in the bool that says whether they
want the 'unpriv' or 'normal' mem_index rather than having to
do the ?: themselves.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20230912140434.1333369-4-peter.maydell@linaro.org
---
 target/arm/tcg/translate-a64.c | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-a64.c
+++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ void a64_translate_init(void)
 }
 
 /*
- * Return the core mmu_idx to use for A64 "unprivileged load/store" insns
+ * Return the core mmu_idx to use for A64 load/store insns which
+ * have a "unprivileged load/store" variant. Those insns access
+ * EL0 if executed from an EL which has control over EL0 (usually
+ * EL1) but behave like normal loads and stores if executed from
+ * elsewhere (eg EL3).
+ *
+ * @unpriv : true for the unprivileged encoding; false for the
+ *           normal encoding (in which case we will return the same
+ *           thing as get_mem_index().
  */
-static int get_a64_user_mem_index(DisasContext *s)
+static int get_a64_user_mem_index(DisasContext *s, bool unpriv)
 {
     /*
      * If AccType_UNPRIV is not used, the insn uses AccType_NORMAL,
@@ -XXX,XX +XXX,XX @@ static int get_a64_user_mem_index(DisasContext *s)
      */
     ARMMMUIdx useridx = s->mmu_idx;
 
-    if (s->unpriv) {
+    if (unpriv && s->unpriv) {
         /*
          * We have pre-computed the condition for AccType_UNPRIV.
          * Therefore we should never get here with a mmu_idx for
@@ -XXX,XX +XXX,XX @@ static void op_addr_ldst_imm_pre(DisasContext *s, arg_ldst_imm *a,
     if (!a->p) {
         tcg_gen_addi_i64(*dirty_addr, *dirty_addr, offset);
     }
-    memidx = a->unpriv ? get_a64_user_mem_index(s) : get_mem_index(s);
+    memidx = get_a64_user_mem_index(s, a->unpriv);
     *clean_addr = gen_mte_check1_mmuidx(s, *dirty_addr, is_store,
                                         a->w || a->rn != 31,
                                         mop, a->unpriv, memidx);
@@ -XXX,XX +XXX,XX @@ static bool trans_STR_i(DisasContext *s, arg_ldst_imm *a)
 {
     bool iss_sf, iss_valid = !a->w;
     TCGv_i64 clean_addr, dirty_addr, tcg_rt;
-    int memidx = a->unpriv ? get_a64_user_mem_index(s) : get_mem_index(s);
+    int memidx = get_a64_user_mem_index(s, a->unpriv);
     MemOp mop = finalize_memop(s, a->sz + a->sign * MO_SIGN);
 
     op_addr_ldst_imm_pre(s, a, &clean_addr, &dirty_addr, a->imm, true, mop);
@@ -XXX,XX +XXX,XX @@ static bool trans_LDR_i(DisasContext *s, arg_ldst_imm *a)
 {
     bool iss_sf, iss_valid = !a->w;
     TCGv_i64 clean_addr, dirty_addr, tcg_rt;
-    int memidx = a->unpriv ? get_a64_user_mem_index(s) : get_mem_index(s);
+    int memidx = get_a64_user_mem_index(s, a->unpriv);
     MemOp mop = finalize_memop(s, a->sz + a->sign * MO_SIGN);
 
     op_addr_ldst_imm_pre(s, a, &clean_addr, &dirty_addr, a->imm, false, mop);
-- 
2.34.1

The FEAT_MOPS memory operations can raise a Memory Copy or Memory Set
exception if a copy or set instruction is executed when the CPU
register state is not correct for that instruction. Define the
usual syn_* function that constructs the syndrome register value
for these exceptions.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230912140434.1333369-5-peter.maydell@linaro.org
---
 target/arm/syndrome.h | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/target/arm/syndrome.h b/target/arm/syndrome.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/syndrome.h
+++ b/target/arm/syndrome.h
@@ -XXX,XX +XXX,XX @@ enum arm_exception_class {
     EC_DATAABORT              = 0x24,
     EC_DATAABORT_SAME_EL      = 0x25,
     EC_SPALIGNMENT            = 0x26,
+    EC_MOP                    = 0x27,
     EC_AA32_FPTRAP            = 0x28,
     EC_AA64_FPTRAP            = 0x2c,
     EC_SERROR                 = 0x2f,
@@ -XXX,XX +XXX,XX @@ static inline uint32_t syn_serror(uint32_t extra)
     return (EC_SERROR << ARM_EL_EC_SHIFT) | ARM_EL_IL | extra;
 }
 
+static inline uint32_t syn_mop(bool is_set, bool is_setg, int options,
+                               bool epilogue, bool wrong_option, bool option_a,
+                               int destreg, int srcreg, int sizereg)
+{
+    return (EC_MOP << ARM_EL_EC_SHIFT) | ARM_EL_IL |
+        (is_set << 24) | (is_setg << 23) | (options << 19) |
+        (epilogue << 18) | (wrong_option << 17) | (option_a << 16) |
+        (destreg << 10) | (srcreg << 5) | sizereg;
+}
+
+
 #endif /* TARGET_ARM_SYNDROME_H */
-- 
2.34.1

For the FEAT_MOPS operations, the existing allocation_tag_mem()
function almost does what we want, but it will take a watchpoint
exception even for an ra == 0 probe request, and it requires that the
caller guarantee that the memory is accessible.  For FEAT_MOPS we
want a function that will not take any kind of exception, and will
return NULL for the not-accessible case.

Rename allocation_tag_mem() to allocation_tag_mem_probe() and add an
extra 'probe' argument that lets us distinguish these cases;
allocation_tag_mem() is now a wrapper that always passes 'false'.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230912140434.1333369-6-peter.maydell@linaro.org
---
 target/arm/tcg/mte_helper.c | 48 ++++++++++++++++++++++++++++---------
 1 file changed, 37 insertions(+), 11 deletions(-)

The FEAT_MOPS instructions need a couple of helper routines that
check for MTE tag failures:
 * mte_mops_probe() checks whether there is going to be a tag
   error in the next up-to-a-page worth of data
 * mte_check_fail() is an existing function to record the fact
   of a tag failure, which we need to make global so we can
   call it from helper-a64.c

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230912140434.1333369-7-peter.maydell@linaro.org
---
 target/arm/internals.h      | 28 +++++++++++++++++++
 target/arm/tcg/mte_helper.c | 54 +++++++++++++++++++++++++++++++++++--
 2 files changed, 80 insertions(+), 2 deletions(-)

diff --git a/target/arm/internals.h b/target/arm/internals.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -XXX,XX +XXX,XX @@ FIELD(MTEDESC, SIZEM1, 12, SIMD_DATA_BITS - 12)  /* size - 1 */
 bool mte_probe(CPUARMState *env, uint32_t desc, uint64_t ptr);
 uint64_t mte_check(CPUARMState *env, uint32_t desc, uint64_t ptr, uintptr_t ra);
 
+/**
+ * mte_mops_probe: Check where the next MTE failure is for a FEAT_MOPS operation
+ * @env: CPU env
+ * @ptr: start address of memory region (dirty pointer)
+ * @size: length of region (guaranteed not to cross a page boundary)
+ * @desc: MTEDESC descriptor word (0 means no MTE checks)
+ * Returns: the size of the region that can be copied without hitting
+ *          an MTE tag failure
+ *
+ * Note that we assume that the caller has already checked the TBI
+ * and TCMA bits with mte_checks_needed() and an MTE check is definitely
+ * required.
+ */
+uint64_t mte_mops_probe(CPUARMState *env, uint64_t ptr, uint64_t size,
+                        uint32_t desc);
+
+/**
+ * mte_check_fail: Record an MTE tag check failure
+ * @env: CPU env
+ * @desc: MTEDESC descriptor word
+ * @dirty_ptr: Failing dirty address
+ * @ra: TCG retaddr
+ *
+ * This may never return (if the MTE tag checks are configured to fault).
+ */
+void mte_check_fail(CPUARMState *env, uint32_t desc,
+                    uint64_t dirty_ptr, uintptr_t ra);
+
 static inline int allocation_tag_from_addr(uint64_t ptr)
 {
     return extract64(ptr, 56, 4);
diff --git a/target/arm/tcg/mte_helper.c b/target/arm/tcg/mte_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/mte_helper.c
+++ b/target/arm/tcg/mte_helper.c
@@ -XXX,XX +XXX,XX @@ static void mte_async_check_fail(CPUARMState *env, uint64_t dirty_ptr,
 }
 
 /* Record a tag check failure.  */
-static void mte_check_fail(CPUARMState *env, uint32_t desc,
-                           uint64_t dirty_ptr, uintptr_t ra)
+void mte_check_fail(CPUARMState *env, uint32_t desc,
+                    uint64_t dirty_ptr, uintptr_t ra)
 {
     int mmu_idx = FIELD_EX32(desc, MTEDESC, MIDX);
     ARMMMUIdx arm_mmu_idx = core_to_aa64_mmu_idx(mmu_idx);
@@ -XXX,XX +XXX,XX @@ uint64_t HELPER(mte_check_zva)(CPUARMState *env, uint32_t desc, uint64_t ptr)
  done:
     return useronly_clean_ptr(ptr);
 }
+
+uint64_t mte_mops_probe(CPUARMState *env, uint64_t ptr, uint64_t size,
+                        uint32_t desc)
+{
+    int mmu_idx, tag_count;
+    uint64_t ptr_tag, tag_first, tag_last;
+    void *mem;
+    bool w = FIELD_EX32(desc, MTEDESC, WRITE);
+    uint32_t n;
+
+    mmu_idx = FIELD_EX32(desc, MTEDESC, MIDX);
+    /* True probe; this will never fault */
+    mem = allocation_tag_mem_probe(env, mmu_idx, ptr,
+                                   w ? MMU_DATA_STORE : MMU_DATA_LOAD,
+                                   size, MMU_DATA_LOAD, true, 0);
+    if (!mem) {
+        return size;
+    }
+
+    /*
+     * TODO: checkN() is not designed for checks of the size we expect
+     * for FEAT_MOPS operations, so we should implement this differently.
+     * Maybe we should do something like
+     *   if (region start and size are aligned nicely) {
+     *      do direct loads of 64 tag bits at a time;
+     *   } else {
+     *      call checkN()
+     *   }
+     */
+    /* Round the bounds to the tag granule, and compute the number of tags. */
+    ptr_tag = allocation_tag_from_addr(ptr);
+    tag_first = QEMU_ALIGN_DOWN(ptr, TAG_GRANULE);
+    tag_last = QEMU_ALIGN_DOWN(ptr + size - 1, TAG_GRANULE);
+    tag_count = ((tag_last - tag_first) / TAG_GRANULE) + 1;
+    n = checkN(mem, ptr & TAG_GRANULE, ptr_tag, tag_count);
+    if (likely(n == tag_count)) {
+        return size;
+    }
+
+    /*
+     * Failure; for the first granule, it's at @ptr. Otherwise
+     * it's at the first byte of the nth granule. Calculate how
+     * many bytes we can access without hitting that failure.
+     */
+    if (n == 0) {
+        return 0;
+    } else {
+        return n * TAG_GRANULE - (ptr - tag_first);
+    }
+}
-- 
2.34.1

Implement the SET* instructions which collectively implement a
"memset" operation.  These come in a set of three, eg SETP
(prologue), SETM (main), SETE (epilogue), and each of those has
different flavours to indicate whether memory accesses should be
unpriv or non-temporal.

This commit does not include the "memset with tag setting"
SETG* instructions.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230912140434.1333369-8-peter.maydell@linaro.org
---
 target/arm/tcg/helper-a64.h    |   4 +
 target/arm/tcg/a64.decode      |  16 ++
 target/arm/tcg/helper-a64.c    | 344 +++++++++++++++++++++++++++++++++
 target/arm/tcg/translate-a64.c |  49 +++++
 4 files changed, 413 insertions(+)

diff --git a/target/arm/tcg/helper-a64.h b/target/arm/tcg/helper-a64.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/helper-a64.h
+++ b/target/arm/tcg/helper-a64.h
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_3(stzgm_tags, TCG_CALL_NO_WG, void, env, i64, i64)
 
 DEF_HELPER_FLAGS_4(unaligned_access, TCG_CALL_NO_WG,
                    noreturn, env, i64, i32, i32)
+
+DEF_HELPER_3(setp, void, env, i32, i32)
+DEF_HELPER_3(setm, void, env, i32, i32)
+DEF_HELPER_3(sete, void, env, i32, i32)
diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/a64.decode
+++ b/target/arm/tcg/a64.decode
@@ -XXX,XX +XXX,XX @@ LDGM            11011001 11 1 ......... 00 ..... ..... @ldst_tag_mult p=0 w=0
 STZ2G           11011001 11 1 ......... 01 ..... ..... @ldst_tag p=1 w=1
 STZ2G           11011001 11 1 ......... 10 ..... ..... @ldst_tag p=0 w=0
 STZ2G           11011001 11 1 ......... 11 ..... ..... @ldst_tag p=0 w=1
+
+# Memory operations (memset, memcpy, memmove)
+# Each of these comes in a set of three, eg SETP (prologue), SETM (main),
+# SETE (epilogue), and each of those has different flavours to
+# indicate whether memory accesses should be unpriv or non-temporal.
+# We don't distinguish temporal and non-temporal accesses, but we
+# do need to report it in syndrome register values.
+
+# Memset
+&set rs rn rd unpriv nontemp
+# op2 bit 1 is nontemporal bit
+@set         .. ......... rs:5 .. nontemp:1 unpriv:1 .. rn:5 rd:5 &set
+
+SETP            00 011001110 ..... 00 . . 01 ..... ..... @set
+SETM            00 011001110 ..... 01 . . 01 ..... ..... @set
+SETE            00 011001110 ..... 10 . . 01 ..... ..... @set
diff --git a/target/arm/tcg/helper-a64.c b/target/arm/tcg/helper-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/helper-a64.c
+++ b/target/arm/tcg/helper-a64.c
@@ -XXX,XX +XXX,XX @@ void HELPER(unaligned_access)(CPUARMState *env, uint64_t addr,
     arm_cpu_do_unaligned_access(env_cpu(env), addr, access_type,
                                 mmu_idx, GETPC());
 }
+
+/* Memory operations (memset, memmove, memcpy) */
+
+/*
+ * Return true if the CPY* and SET* insns can execute; compare
+ * pseudocode CheckMOPSEnabled(), though we refactor it a little.
+ */
+static bool mops_enabled(CPUARMState *env)
+{
+    int el = arm_current_el(env);
+
+    if (el < 2 &&
+        (arm_hcr_el2_eff(env) & (HCR_E2H | HCR_TGE)) != (HCR_E2H | HCR_TGE) &&
+        !(arm_hcrx_el2_eff(env) & HCRX_MSCEN)) {
+        return false;
+    }
+
+    if (el == 0) {
+        if (!el_is_in_host(env, 0)) {
+            return env->cp15.sctlr_el[1] & SCTLR_MSCEN;
+        } else {
+            return env->cp15.sctlr_el[2] & SCTLR_MSCEN;
+        }
+    }
+    return true;
+}
+
+static void check_mops_enabled(CPUARMState *env, uintptr_t ra)
+{
+    if (!mops_enabled(env)) {
+        raise_exception_ra(env, EXCP_UDEF, syn_uncategorized(),
+                           exception_target_el(env), ra);
+    }
+}
+
+/*
+ * Return the target exception level for an exception due
+ * to mismatched arguments in a FEAT_MOPS copy or set.
+ * Compare pseudocode MismatchedCpySetTargetEL()
+ */
+static int mops_mismatch_exception_target_el(CPUARMState *env)
+{
+    int el = arm_current_el(env);
+
+    if (el > 1) {
+        return el;
+    }
+    if (el == 0 && (arm_hcr_el2_eff(env) & HCR_TGE)) {
+        return 2;
+    }
+    if (el == 1 && (arm_hcrx_el2_eff(env) & HCRX_MCE2)) {
+        return 2;
+    }
+    return 1;
+}
+
+/*
+ * Check whether an M or E instruction was executed with a CF value
+ * indicating the wrong option for this implementation.
+ * Assumes we are always Option A.
+ */
+static void check_mops_wrong_option(CPUARMState *env, uint32_t syndrome,
+                                    uintptr_t ra)
+{
+    if (env->CF != 0) {
+        syndrome |= 1 << 17; /* Set the wrong-option bit */
+        raise_exception_ra(env, EXCP_UDEF, syndrome,
+                           mops_mismatch_exception_target_el(env), ra);
+    }
+}
+
+/*
+ * Return the maximum number of bytes we can transfer starting at addr
+ * without crossing a page boundary.
+ */
+static uint64_t page_limit(uint64_t addr)
+{
+    return TARGET_PAGE_ALIGN(addr + 1) - addr;
+}
+
+/*
+ * Perform part of a memory set on an area of guest memory starting at
+ * toaddr (a dirty address) and extending for setsize bytes.
+ *
+ * Returns the number of bytes actually set, which might be less than
+ * setsize; the caller should loop until the whole set has been done.
+ * The caller should ensure that the guest registers are correct
+ * for the possibility that the first byte of the set encounters
+ * an exception or watchpoint. We guarantee not to take any faults
+ * for bytes other than the first.
+ */
+static uint64_t set_step(CPUARMState *env, uint64_t toaddr,
+                         uint64_t setsize, uint32_t data, int memidx,
+                         uint32_t *mtedesc, uintptr_t ra)
+{
+    void *mem;
+
+    setsize = MIN(setsize, page_limit(toaddr));
+    if (*mtedesc) {
+        uint64_t mtesize = mte_mops_probe(env, toaddr, setsize, *mtedesc);
+        if (mtesize == 0) {
+            /* Trap, or not. All CPU state is up to date */
+            mte_check_fail(env, *mtedesc, toaddr, ra);
+            /* Continue, with no further MTE checks required */
+            *mtedesc = 0;
+        } else {
+            /* Advance to the end, or to the tag mismatch */
+            setsize = MIN(setsize, mtesize);
+        }
+    }
+
+    toaddr = useronly_clean_ptr(toaddr);
+    /*
+     * Trapless lookup: returns NULL for invalid page, I/O,
+     * watchpoints, clean pages, etc.
+     */
+    mem = tlb_vaddr_to_host(env, toaddr, MMU_DATA_STORE, memidx);
+
+#ifndef CONFIG_USER_ONLY
+    if (unlikely(!mem)) {
+        /*
+         * Slow-path: just do one byte write. This will handle the
+         * watchpoint, invalid page, etc handling correctly.
+         * For clean code pages, the next iteration will see
+         * the page dirty and will use the fast path.
+         */
+        cpu_stb_mmuidx_ra(env, toaddr, data, memidx, ra);
+        return 1;
+    }
+#endif
+    /* Easy case: just memset the host memory */
+    memset(mem, data, setsize);
+    return setsize;
+}
+
+typedef uint64_t StepFn(CPUARMState *env, uint64_t toaddr,
+                        uint64_t setsize, uint32_t data,
+                        int memidx, uint32_t *mtedesc, uintptr_t ra);
+
+/* Extract register numbers from a MOPS exception syndrome value */
+static int mops_destreg(uint32_t syndrome)
+{
+    return extract32(syndrome, 10, 5);
+}
+
+static int mops_srcreg(uint32_t syndrome)
+{
+    return extract32(syndrome, 5, 5);
+}
+
+static int mops_sizereg(uint32_t syndrome)
+{
+    return extract32(syndrome, 0, 5);
+}
+
+/*
+ * Return true if TCMA and TBI bits mean we need to do MTE checks.
+ * We only need to do this once per MOPS insn, not for every page.
+ */
+static bool mte_checks_needed(uint64_t ptr, uint32_t desc)
+{
+    int bit55 = extract64(ptr, 55, 1);
+
+    /*
+     * Note that tbi_check() returns true for "access checked" but
+     * tcma_check() returns true for "access unchecked".
+     */
+    if (!tbi_check(desc, bit55)) {
+        return false;
+    }
+    return !tcma_check(desc, bit55, allocation_tag_from_addr(ptr));
+}
+
+/*
+ * For the Memory Set operation, our implementation chooses
+ * always to use "option A", where we update Xd to the final
+ * address in the SETP insn, and set Xn to be -(bytes remaining).
+ * On SETM and SETE insns we only need update Xn.
+ *
+ * @env: CPU
+ * @syndrome: syndrome value for mismatch exceptions
+ * (also contains the register numbers we need to use)
+ * @mtedesc: MTE descriptor word
+ * @stepfn: function which does a single part of the set operation
+ * @is_setg: true if this is the tag-setting SETG variant
+ */
+static void do_setp(CPUARMState *env, uint32_t syndrome, uint32_t mtedesc,
+                    StepFn *stepfn, bool is_setg, uintptr_t ra)
+{
+    /* Prologue: we choose to do up to the next page boundary */
+    int rd = mops_destreg(syndrome);
+    int rs = mops_srcreg(syndrome);
+    int rn = mops_sizereg(syndrome);
+    uint8_t data = env->xregs[rs];
+    uint32_t memidx = FIELD_EX32(mtedesc, MTEDESC, MIDX);
+    uint64_t toaddr = env->xregs[rd];
+    uint64_t setsize = env->xregs[rn];
+    uint64_t stagesetsize, step;
+
+    check_mops_enabled(env, ra);
+
+    if (setsize > INT64_MAX) {
+        setsize = INT64_MAX;
+    }
+
+    if (!mte_checks_needed(toaddr, mtedesc)) {
+        mtedesc = 0;
+    }
+
+    stagesetsize = MIN(setsize, page_limit(toaddr));
+    while (stagesetsize) {
+        env->xregs[rd] = toaddr;
+        env->xregs[rn] = setsize;
+        step = stepfn(env, toaddr, stagesetsize, data, memidx, &mtedesc, ra);
+        toaddr += step;
+        setsize -= step;
+        stagesetsize -= step;
+    }
+    /* Insn completed, so update registers to the Option A format */
+    env->xregs[rd] = toaddr + setsize;
+    env->xregs[rn] = -setsize;
+
+    /* Set NZCV = 0000 to indicate we are an Option A implementation */
+    env->NF = 0;
+    env->ZF = 1; /* our env->ZF encoding is inverted */
+    env->CF = 0;
+    env->VF = 0;
+    return;
+}
+
+void HELPER(setp)(CPUARMState *env, uint32_t syndrome, uint32_t mtedesc)
+{
+    do_setp(env, syndrome, mtedesc, set_step, false, GETPC());
+}
+
+static void do_setm(CPUARMState *env, uint32_t syndrome, uint32_t mtedesc,
+                    StepFn *stepfn, bool is_setg, uintptr_t ra)
+{
+    /* Main: we choose to do all the full-page chunks */
+    CPUState *cs = env_cpu(env);
+    int rd = mops_destreg(syndrome);
+    int rs = mops_srcreg(syndrome);
+    int rn = mops_sizereg(syndrome);
+    uint8_t data = env->xregs[rs];
+    uint64_t toaddr = env->xregs[rd] + env->xregs[rn];
+    uint64_t setsize = -env->xregs[rn];
+    uint32_t memidx = FIELD_EX32(mtedesc, MTEDESC, MIDX);
+    uint64_t step, stagesetsize;
+
+    check_mops_enabled(env, ra);
+
+    /*
+     * We're allowed to NOP out "no data to copy" before the consistency
+     * checks; we choose to do so.
+     */
+    if (env->xregs[rn] == 0) {
+        return;
+    }
+
+    check_mops_wrong_option(env, syndrome, ra);
+
+    /*
+     * Our implementation will work fine even if we have an unaligned
+     * destination address, and because we update Xn every time around
+     * the loop below and the return value from stepfn() may be less
+     * than requested, we might find toaddr is unaligned. So we don't
+     * have an IMPDEF check for alignment here.
+     */
+
+    if (!mte_checks_needed(toaddr, mtedesc)) {
+        mtedesc = 0;
+    }
+
+    /* Do the actual memset: we leave the last partial page to SETE */
+    stagesetsize = setsize & TARGET_PAGE_MASK;
+    while (stagesetsize > 0) {
+        step = stepfn(env, toaddr, setsize, data, memidx, &mtedesc, ra);
+        toaddr += step;
+        setsize -= step;
+        stagesetsize -= step;
+        env->xregs[rn] = -setsize;
+        if (stagesetsize > 0 && unlikely(cpu_loop_exit_requested(cs))) {
+            cpu_loop_exit_restore(cs, ra);
+        }
+    }
+}
+
+void HELPER(setm)(CPUARMState *env, uint32_t syndrome, uint32_t mtedesc)
+{
+    do_setm(env, syndrome, mtedesc, set_step, false, GETPC());
+}
+
+static void do_sete(CPUARMState *env, uint32_t syndrome, uint32_t mtedesc,
+                    StepFn *stepfn, bool is_setg, uintptr_t ra)
+{
+    /* Epilogue: do the last partial page */
+    int rd = mops_destreg(syndrome);
+    int rs = mops_srcreg(syndrome);
+    int rn = mops_sizereg(syndrome);
+    uint8_t data = env->xregs[rs];
+    uint64_t toaddr = env->xregs[rd] + env->xregs[rn];
+    uint64_t setsize = -env->xregs[rn];
+    uint32_t memidx = FIELD_EX32(mtedesc, MTEDESC, MIDX);
+    uint64_t step;
+
+    check_mops_enabled(env, ra);
+
+    /*
+     * We're allowed to NOP out "no data to copy" before the consistency
+     * checks; we choose to do so.
+     */
+    if (setsize == 0) {
+        return;
+    }
+
+    check_mops_wrong_option(env, syndrome, ra);
+
+    /*
+     * Our implementation has no address alignment requirements, but
+     * we do want to enforce the "less than a page" size requirement,
+     * so we don't need to have the "check for interrupts" here.
+     */
+    if (setsize >= TARGET_PAGE_SIZE) {
+        raise_exception_ra(env, EXCP_UDEF, syndrome,
+                           mops_mismatch_exception_target_el(env), ra);
+    }
+
+    if (!mte_checks_needed(toaddr, mtedesc)) {
+        mtedesc = 0;
+    }
+
+    /* Do the actual memset */
+    while (setsize > 0) {
+        step = stepfn(env, toaddr, setsize, data, memidx, &mtedesc, ra);
+        toaddr += step;
+        setsize -= step;
+        env->xregs[rn] = -setsize;
+    }
+}
+
+void HELPER(sete)(CPUARMState *env, uint32_t syndrome, uint32_t mtedesc)
+{
+    do_sete(env, syndrome, mtedesc, set_step, false, GETPC());
+}
diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-a64.c
+++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(STZG, aa64_mte_insn_reg, do_STG, a, true, false)
 TRANS_FEAT(ST2G, aa64_mte_insn_reg, do_STG, a, false, true)
 TRANS_FEAT(STZ2G, aa64_mte_insn_reg, do_STG, a, true, true)
 
+typedef void SetFn(TCGv_env, TCGv_i32, TCGv_i32);
+
+static bool do_SET(DisasContext *s, arg_set *a, bool is_epilogue, SetFn fn)
+{
+    int memidx;
+    uint32_t syndrome, desc = 0;
+
+    /*
+     * UNPREDICTABLE cases: we choose to UNDEF, which allows
+     * us to pull this check before the CheckMOPSEnabled() test
+     * (which we do in the helper function)
+     */
+    if (a->rs == a->rn || a->rs == a->rd || a->rn == a->rd ||
+        a->rd == 31 || a->rn == 31) {
+        return false;
+    }
+
+    memidx = get_a64_user_mem_index(s, a->unpriv);
+
+    /*
+     * We pass option_a == true, matching our implementation;
+     * we pass wrong_option == false: helper function may set that bit.
+     */
+    syndrome = syn_mop(true, false, (a->nontemp << 1) | a->unpriv,
+                       is_epilogue, false, true, a->rd, a->rs, a->rn);
+
+    if (s->mte_active[a->unpriv]) {
+        /* We may need to do MTE tag checking, so assemble the descriptor */
+        desc = FIELD_DP32(desc, MTEDESC, TBI, s->tbid);
+        desc = FIELD_DP32(desc, MTEDESC, TCMA, s->tcma);
+        desc = FIELD_DP32(desc, MTEDESC, WRITE, true);
+        /* SIZEM1 and ALIGN we leave 0 (byte write) */
+    }
+    /* The helper function always needs the memidx even with MTE disabled */
+    desc = FIELD_DP32(desc, MTEDESC, MIDX, memidx);
+
+    /*
+     * The helper needs the register numbers, but since they're in
+     * the syndrome anyway, we let it extract them from there rather
+     * than passing in an extra three integer arguments.
+     */
+    fn(cpu_env, tcg_constant_i32(syndrome), tcg_constant_i32(desc));
+    return true;
+}
+
+TRANS_FEAT(SETP, aa64_mops, do_SET, a, false, gen_helper_setp)
+TRANS_FEAT(SETM, aa64_mops, do_SET, a, false, gen_helper_setm)
+TRANS_FEAT(SETE, aa64_mops, do_SET, a, true, gen_helper_sete)
+
 typedef void ArithTwoOp(TCGv_i64, TCGv_i64, TCGv_i64);
 
 static bool gen_rri(DisasContext *s, arg_rri_sf *a,
-- 
2.34.1

Currently the only tag-setting instructions always do so in the
context of the current EL, and so we only need one ATA bit in the TB
flags.  The FEAT_MOPS SETG instructions include ones which set tags
for a non-privileged access, so we now also need the equivalent "are
tags enabled?" information for EL0.

Add the new TB flag, and convert the existing 'bool ata' field in
DisasContext to a 'bool ata[2]' that can be indexed by the is_unpriv
bit in an instruction, similarly to mte[2].

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230912140434.1333369-9-peter.maydell@linaro.org
---
 target/arm/cpu.h               |  1 +
 target/arm/tcg/translate.h     |  4 ++--
 target/arm/tcg/hflags.c        | 12 ++++++++++++
 target/arm/tcg/translate-a64.c | 23 ++++++++++++-----------
 4 files changed, 27 insertions(+), 13 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ FIELD(TBFLAG_A64, SVL, 24, 4)
 FIELD(TBFLAG_A64, SME_TRAP_NONSTREAMING, 28, 1)
 FIELD(TBFLAG_A64, FGT_ERET, 29, 1)
 FIELD(TBFLAG_A64, NAA, 30, 1)
+FIELD(TBFLAG_A64, ATA0, 31, 1)
 
 /*
  * Helpers for using the above.
diff --git a/target/arm/tcg/translate.h b/target/arm/tcg/translate.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate.h
+++ b/target/arm/tcg/translate.h
@@ -XXX,XX +XXX,XX @@ typedef struct DisasContext {
     bool unpriv;
     /* True if v8.3-PAuth is active.  */
     bool pauth_active;
-    /* True if v8.5-MTE access to tags is enabled.  */
-    bool ata;
+    /* True if v8.5-MTE access to tags is enabled; index with is_unpriv.  */
+    bool ata[2];
     /* True if v8.5-MTE tag checks affect the PE; index with is_unpriv.  */
     bool mte_active[2];
     /* True with v8.5-BTI and SCTLR_ELx.BT* set.  */
diff --git a/target/arm/tcg/hflags.c b/target/arm/tcg/hflags.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/hflags.c
+++ b/target/arm/tcg/hflags.c
@@ -XXX,XX +XXX,XX @@ static CPUARMTBFlags rebuild_hflags_a64(CPUARMState *env, int el, int fp_el,
             && allocation_tag_access_enabled(env, 0, sctlr)) {
             DP_TBFLAG_A64(flags, MTE0_ACTIVE, 1);
         }
+        /*
+         * For unpriv tag-setting accesses we alse need ATA0. Again, in
+         * contexts where unpriv and normal insns are the same we
+         * duplicate the ATA bit to save effort for translate-a64.c.
+         */
+        if (EX_TBFLAG_A64(flags, UNPRIV)) {
+            if (allocation_tag_access_enabled(env, 0, sctlr)) {
+                DP_TBFLAG_A64(flags, ATA0, 1);
+            }
+        } else {
+            DP_TBFLAG_A64(flags, ATA0, EX_TBFLAG_A64(flags, ATA));
+        }
         /* Cache TCMA as well as TBI. */
         DP_TBFLAG_A64(flags, TCMA, aa64_va_parameter_tcma(tcr, mmu_idx));
     }
diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-a64.c
+++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void handle_sys(DisasContext *s, bool isread,
             clean_addr = clean_data_tbi(s, tcg_rt);
             gen_probe_access(s, clean_addr, MMU_DATA_STORE, MO_8);
 
-            if (s->ata) {
+            if (s->ata[0]) {
                 /* Extract the tag from the register to match STZGM.  */
                 tag = tcg_temp_new_i64();
                 tcg_gen_shri_i64(tag, tcg_rt, 56);
@@ -XXX,XX +XXX,XX @@ static void handle_sys(DisasContext *s, bool isread,
             clean_addr = clean_data_tbi(s, tcg_rt);
             gen_helper_dc_zva(cpu_env, clean_addr);
 
-            if (s->ata) {
+            if (s->ata[0]) {
                 /* Extract the tag from the register to match STZGM.  */
                 tag = tcg_temp_new_i64();
                 tcg_gen_shri_i64(tag, tcg_rt, 56);
@@ -XXX,XX +XXX,XX @@ static bool trans_STGP(DisasContext *s, arg_ldstpair *a)
     tcg_gen_qemu_st_i128(tmp, clean_addr, get_mem_index(s), mop);
 
     /* Perform the tag store, if tag access enabled. */
-    if (s->ata) {
+    if (s->ata[0]) {
         if (tb_cflags(s->base.tb) & CF_PARALLEL) {
             gen_helper_stg_parallel(cpu_env, dirty_addr, dirty_addr);
         } else {
@@ -XXX,XX +XXX,XX @@ static bool trans_STZGM(DisasContext *s, arg_ldst_tag *a)
     tcg_gen_addi_i64(addr, addr, a->imm);
     tcg_rt = cpu_reg(s, a->rt);
 
-    if (s->ata) {
+    if (s->ata[0]) {
         gen_helper_stzgm_tags(cpu_env, addr, tcg_rt);
     }
     /*
@@ -XXX,XX +XXX,XX @@ static bool trans_STGM(DisasContext *s, arg_ldst_tag *a)
     tcg_gen_addi_i64(addr, addr, a->imm);
     tcg_rt = cpu_reg(s, a->rt);
 
-    if (s->ata) {
+    if (s->ata[0]) {
         gen_helper_stgm(cpu_env, addr, tcg_rt);
     } else {
         MMUAccessType acc = MMU_DATA_STORE;
@@ -XXX,XX +XXX,XX @@ static bool trans_LDGM(DisasContext *s, arg_ldst_tag *a)
     tcg_gen_addi_i64(addr, addr, a->imm);
     tcg_rt = cpu_reg(s, a->rt);
 
-    if (s->ata) {
+    if (s->ata[0]) {
         gen_helper_ldgm(tcg_rt, cpu_env, addr);
     } else {
         MMUAccessType acc = MMU_DATA_LOAD;
@@ -XXX,XX +XXX,XX @@ static bool trans_LDG(DisasContext *s, arg_ldst_tag *a)
 
     tcg_gen_andi_i64(addr, addr, -TAG_GRANULE);
     tcg_rt = cpu_reg(s, a->rt);
-    if (s->ata) {
+    if (s->ata[0]) {
         gen_helper_ldg(tcg_rt, cpu_env, addr, tcg_rt);
     } else {
         /*
@@ -XXX,XX +XXX,XX @@ static bool do_STG(DisasContext *s, arg_ldst_tag *a, bool is_zero, bool is_pair)
         tcg_gen_addi_i64(addr, addr, a->imm);
     }
     tcg_rt = cpu_reg_sp(s, a->rt);
-    if (!s->ata) {
+    if (!s->ata[0]) {
         /*
          * For STG and ST2G, we need to check alignment and probe memory.
          * TODO: For STZG and STZ2G, we could rely on the stores below,
@@ -XXX,XX +XXX,XX @@ static bool gen_add_sub_imm_with_tags(DisasContext *s, arg_rri_tag *a,
     tcg_rn = cpu_reg_sp(s, a->rn);
     tcg_rd = cpu_reg_sp(s, a->rd);
 
-    if (s->ata) {
+    if (s->ata[0]) {
         gen_helper_addsubg(tcg_rd, cpu_env, tcg_rn,
                            tcg_constant_i32(imm),
                            tcg_constant_i32(a->uimm4));
@@ -XXX,XX +XXX,XX @@ static void disas_data_proc_2src(DisasContext *s, uint32_t insn)
         if (sf == 0 || !dc_isar_feature(aa64_mte_insn_reg, s)) {
             goto do_unallocated;
         }
-        if (s->ata) {
+        if (s->ata[0]) {
             gen_helper_irg(cpu_reg_sp(s, rd), cpu_env,
                            cpu_reg_sp(s, rn), cpu_reg(s, rm));
         } else {
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_init_disas_context(DisasContextBase *dcbase,
     dc->bt = EX_TBFLAG_A64(tb_flags, BT);
     dc->btype = EX_TBFLAG_A64(tb_flags, BTYPE);
     dc->unpriv = EX_TBFLAG_A64(tb_flags, UNPRIV);
-    dc->ata = EX_TBFLAG_A64(tb_flags, ATA);
+    dc->ata[0] = EX_TBFLAG_A64(tb_flags, ATA);
+    dc->ata[1] = EX_TBFLAG_A64(tb_flags, ATA0);
     dc->mte_active[0] = EX_TBFLAG_A64(tb_flags, MTE_ACTIVE);
     dc->mte_active[1] = EX_TBFLAG_A64(tb_flags, MTE0_ACTIVE);
     dc->pstate_sm = EX_TBFLAG_A64(tb_flags, PSTATE_SM);
-- 
2.34.1

The FEAT_MOPS SETG* instructions are very similar to the SET*
instructions, but as well as setting memory contents they also
set the MTE tags. They are architecturally required to operate
on tag-granule aligned regions only.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230912140434.1333369-10-peter.maydell@linaro.org
---
 target/arm/internals.h         | 10 ++++
 target/arm/tcg/helper-a64.h    |  3 ++
 target/arm/tcg/a64.decode      |  5 ++
 target/arm/tcg/helper-a64.c    | 86 ++++++++++++++++++++++++++++++++--
 target/arm/tcg/mte_helper.c    | 40 ++++++++++++++++
 target/arm/tcg/translate-a64.c | 20 +++++---
 6 files changed, 155 insertions(+), 9 deletions(-)

diff --git a/target/arm/internals.h b/target/arm/internals.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -XXX,XX +XXX,XX @@ uint64_t mte_mops_probe(CPUARMState *env, uint64_t ptr, uint64_t size,
 void mte_check_fail(CPUARMState *env, uint32_t desc,
                     uint64_t dirty_ptr, uintptr_t ra);
 
+/**
+ * mte_mops_set_tags: Set MTE tags for a portion of a FEAT_MOPS operation
+ * @env: CPU env
+ * @dirty_ptr: Start address of memory region (dirty pointer)
+ * @size: length of region (guaranteed not to cross page boundary)
+ * @desc: MTEDESC descriptor word
+ */
+void mte_mops_set_tags(CPUARMState *env, uint64_t dirty_ptr, uint64_t size,
+                       uint32_t desc);
+
 static inline int allocation_tag_from_addr(uint64_t ptr)
 {
     return extract64(ptr, 56, 4);
diff --git a/target/arm/tcg/helper-a64.h b/target/arm/tcg/helper-a64.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/helper-a64.h
+++ b/target/arm/tcg/helper-a64.h
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_4(unaligned_access, TCG_CALL_NO_WG,
 DEF_HELPER_3(setp, void, env, i32, i32)
 DEF_HELPER_3(setm, void, env, i32, i32)
 DEF_HELPER_3(sete, void, env, i32, i32)
+DEF_HELPER_3(setgp, void, env, i32, i32)
+DEF_HELPER_3(setgm, void, env, i32, i32)
+DEF_HELPER_3(setge, void, env, i32, i32)
diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/a64.decode
+++ b/target/arm/tcg/a64.decode
@@ -XXX,XX +XXX,XX @@ STZ2G           11011001 11 1 ......... 11 ..... ..... @ldst_tag p=0 w=1
 SETP            00 011001110 ..... 00 . . 01 ..... ..... @set
 SETM            00 011001110 ..... 01 . . 01 ..... ..... @set
 SETE            00 011001110 ..... 10 . . 01 ..... ..... @set
+
+# Like SET, but also setting MTE tags
+SETGP           00 011101110 ..... 00 . . 01 ..... ..... @set
+SETGM           00 011101110 ..... 01 . . 01 ..... ..... @set
+SETGE           00 011101110 ..... 10 . . 01 ..... ..... @set
diff --git a/target/arm/tcg/helper-a64.c b/target/arm/tcg/helper-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/helper-a64.c
+++ b/target/arm/tcg/helper-a64.c
@@ -XXX,XX +XXX,XX @@ static uint64_t set_step(CPUARMState *env, uint64_t toaddr,
     return setsize;
 }
 
+/*
+ * Similar, but setting tags. The architecture requires us to do this
+ * in 16-byte chunks. SETP accesses are not tag checked; they set
+ * the tags.
+ */
+static uint64_t set_step_tags(CPUARMState *env, uint64_t toaddr,
+                              uint64_t setsize, uint32_t data, int memidx,
+                              uint32_t *mtedesc, uintptr_t ra)
+{
+    void *mem;
+    uint64_t cleanaddr;
+
+    setsize = MIN(setsize, page_limit(toaddr));
+
+    cleanaddr = useronly_clean_ptr(toaddr);
+    /*
+     * Trapless lookup: returns NULL for invalid page, I/O,
+     * watchpoints, clean pages, etc.
+     */
+    mem = tlb_vaddr_to_host(env, cleanaddr, MMU_DATA_STORE, memidx);
+
+#ifndef CONFIG_USER_ONLY
+    if (unlikely(!mem)) {
+        /*
+         * Slow-path: just do one write. This will handle the
+         * watchpoint, invalid page, etc handling correctly.
+         * The architecture requires that we do 16 bytes at a time,
+         * and we know both ptr and size are 16 byte aligned.
+         * For clean code pages, the next iteration will see
+         * the page dirty and will use the fast path.
+         */
+        uint64_t repldata = data * 0x0101010101010101ULL;
+        MemOpIdx oi16 = make_memop_idx(MO_TE | MO_128, memidx);
+        cpu_st16_mmu(env, toaddr, int128_make128(repldata, repldata), oi16, ra);
+        mte_mops_set_tags(env, toaddr, 16, *mtedesc);
+        return 16;
+    }
+#endif
+    /* Easy case: just memset the host memory */
+    memset(mem, data, setsize);
+    mte_mops_set_tags(env, toaddr, setsize, *mtedesc);
+    return setsize;
+}
+
 typedef uint64_t StepFn(CPUARMState *env, uint64_t toaddr,
                         uint64_t setsize, uint32_t data,
                         int memidx, uint32_t *mtedesc, uintptr_t ra);
@@ -XXX,XX +XXX,XX @@ static bool mte_checks_needed(uint64_t ptr, uint32_t desc)
     return !tcma_check(desc, bit55, allocation_tag_from_addr(ptr));
 }
 
+/* Take an exception if the SETG addr/size are not granule aligned */
+static void check_setg_alignment(CPUARMState *env, uint64_t ptr, uint64_t size,
+                                 uint32_t memidx, uintptr_t ra)
+{
+    if ((size != 0 && !QEMU_IS_ALIGNED(ptr, TAG_GRANULE)) ||
+        !QEMU_IS_ALIGNED(size, TAG_GRANULE)) {
+        arm_cpu_do_unaligned_access(env_cpu(env), ptr, MMU_DATA_STORE,
+                                    memidx, ra);
+
+    }
+}
+
 /*
  * For the Memory Set operation, our implementation chooses
  * always to use "option A", where we update Xd to the final
@@ -XXX,XX +XXX,XX @@ static void do_setp(CPUARMState *env, uint32_t syndrome, uint32_t mtedesc,
 
     if (setsize > INT64_MAX) {
         setsize = INT64_MAX;
+        if (is_setg) {
+            setsize &= ~0xf;
+        }
     }
 
-    if (!mte_checks_needed(toaddr, mtedesc)) {
+    if (unlikely(is_setg)) {
+        check_setg_alignment(env, toaddr, setsize, memidx, ra);
+    } else if (!mte_checks_needed(toaddr, mtedesc)) {
         mtedesc = 0;
     }
 
@@ -XXX,XX +XXX,XX @@ void HELPER(setp)(CPUARMState *env, uint32_t syndrome, uint32_t mtedesc)
     do_setp(env, syndrome, mtedesc, set_step, false, GETPC());
 }
 
+void HELPER(setgp)(CPUARMState *env, uint32_t syndrome, uint32_t mtedesc)
+{
+    do_setp(env, syndrome, mtedesc, set_step_tags, true, GETPC());
+}
+
 static void do_setm(CPUARMState *env, uint32_t syndrome, uint32_t mtedesc,
                     StepFn *stepfn, bool is_setg, uintptr_t ra)
 {
@@ -XXX,XX +XXX,XX @@ static void do_setm(CPUARMState *env, uint32_t syndrome, uint32_t mtedesc,
      * have an IMPDEF check for alignment here.
      */
 
-    if (!mte_checks_needed(toaddr, mtedesc)) {
+    if (unlikely(is_setg)) {
+        check_setg_alignment(env, toaddr, setsize, memidx, ra);
+    } else if (!mte_checks_needed(toaddr, mtedesc)) {
         mtedesc = 0;
     }
 
@@ -XXX,XX +XXX,XX @@ void HELPER(setm)(CPUARMState *env, uint32_t syndrome, uint32_t mtedesc)
     do_setm(env, syndrome, mtedesc, set_step, false, GETPC());
 }
 
+void HELPER(setgm)(CPUARMState *env, uint32_t syndrome, uint32_t mtedesc)
+{
+    do_setm(env, syndrome, mtedesc, set_step_tags, true, GETPC());
+}
+
 static void do_sete(CPUARMState *env, uint32_t syndrome, uint32_t mtedesc,
                     StepFn *stepfn, bool is_setg, uintptr_t ra)
 {
@@ -XXX,XX +XXX,XX @@ static void do_sete(CPUARMState *env, uint32_t syndrome, uint32_t mtedesc,
                            mops_mismatch_exception_target_el(env), ra);
     }
 
-    if (!mte_checks_needed(toaddr, mtedesc)) {
+    if (unlikely(is_setg)) {
+        check_setg_alignment(env, toaddr, setsize, memidx, ra);
+    } else if (!mte_checks_needed(toaddr, mtedesc)) {
         mtedesc = 0;
     }
 
@@ -XXX,XX +XXX,XX @@ void HELPER(sete)(CPUARMState *env, uint32_t syndrome, uint32_t mtedesc)
 {
     do_sete(env, syndrome, mtedesc, set_step, false, GETPC());
 }
+
+void HELPER(setge)(CPUARMState *env, uint32_t syndrome, uint32_t mtedesc)
+{
+    do_sete(env, syndrome, mtedesc, set_step_tags, true, GETPC());
+}
diff --git a/target/arm/tcg/mte_helper.c b/target/arm/tcg/mte_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/mte_helper.c
+++ b/target/arm/tcg/mte_helper.c
@@ -XXX,XX +XXX,XX @@ uint64_t mte_mops_probe(CPUARMState *env, uint64_t ptr, uint64_t size,
         return n * TAG_GRANULE - (ptr - tag_first);
     }
 }
+
+void mte_mops_set_tags(CPUARMState *env, uint64_t ptr, uint64_t size,
+                       uint32_t desc)
+{
+    int mmu_idx, tag_count;
+    uint64_t ptr_tag;
+    void *mem;
+
+    if (!desc) {
+        /* Tags not actually enabled */
+        return;
+    }
+
+    mmu_idx = FIELD_EX32(desc, MTEDESC, MIDX);
+    /* True probe: this will never fault */
+    mem = allocation_tag_mem_probe(env, mmu_idx, ptr, MMU_DATA_STORE, size,
+                                   MMU_DATA_STORE, true, 0);
+    if (!mem) {
+        return;
+    }
+
+    /*
+     * We know that ptr and size are both TAG_GRANULE aligned; store
+     * the tag from the pointer value into the tag memory.
+     */
+    ptr_tag = allocation_tag_from_addr(ptr);
+    tag_count = size / TAG_GRANULE;
+    if (ptr & TAG_GRANULE) {
+        /* Not 2*TAG_GRANULE-aligned: store tag to first nibble */
+        store_tag1_parallel(TAG_GRANULE, mem, ptr_tag);
+        mem++;
+        tag_count--;
+    }
+    memset(mem, ptr_tag | (ptr_tag << 4), tag_count / 2);
+    if (tag_count & 1) {
+        /* Final trailing unaligned nibble */
+        mem += tag_count / 2;
+        store_tag1_parallel(0, mem, ptr_tag);
+    }
+}
diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-a64.c
+++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(STZ2G, aa64_mte_insn_reg, do_STG, a, true, true)
 
 typedef void SetFn(TCGv_env, TCGv_i32, TCGv_i32);
 
-static bool do_SET(DisasContext *s, arg_set *a, bool is_epilogue, SetFn fn)
+static bool do_SET(DisasContext *s, arg_set *a, bool is_epilogue,
+                   bool is_setg, SetFn fn)
 {
     int memidx;
     uint32_t syndrome, desc = 0;
 
+    if (is_setg && !dc_isar_feature(aa64_mte, s)) {
+        return false;
+    }
+
     /*
      * UNPREDICTABLE cases: we choose to UNDEF, which allows
      * us to pull this check before the CheckMOPSEnabled() test
@@ -XXX,XX +XXX,XX @@ static bool do_SET(DisasContext *s, arg_set *a, bool is_epilogue, SetFn fn)
      * We pass option_a == true, matching our implementation;
      * we pass wrong_option == false: helper function may set that bit.
      */
-    syndrome = syn_mop(true, false, (a->nontemp << 1) | a->unpriv,
+    syndrome = syn_mop(true, is_setg, (a->nontemp << 1) | a->unpriv,
                        is_epilogue, false, true, a->rd, a->rs, a->rn);
 
-    if (s->mte_active[a->unpriv]) {
+    if (is_setg ? s->ata[a->unpriv] : s->mte_active[a->unpriv]) {
         /* We may need to do MTE tag checking, so assemble the descriptor */
         desc = FIELD_DP32(desc, MTEDESC, TBI, s->tbid);
         desc = FIELD_DP32(desc, MTEDESC, TCMA, s->tcma);
@@ -XXX,XX +XXX,XX @@ static bool do_SET(DisasContext *s, arg_set *a, bool is_epilogue, SetFn fn)
     return true;
 }
 
-TRANS_FEAT(SETP, aa64_mops, do_SET, a, false, gen_helper_setp)
-TRANS_FEAT(SETM, aa64_mops, do_SET, a, false, gen_helper_setm)
-TRANS_FEAT(SETE, aa64_mops, do_SET, a, true, gen_helper_sete)
+TRANS_FEAT(SETP, aa64_mops, do_SET, a, false, false, gen_helper_setp)
+TRANS_FEAT(SETM, aa64_mops, do_SET, a, false, false, gen_helper_setm)
+TRANS_FEAT(SETE, aa64_mops, do_SET, a, true, false, gen_helper_sete)
+TRANS_FEAT(SETGP, aa64_mops, do_SET, a, false, true, gen_helper_setgp)
+TRANS_FEAT(SETGM, aa64_mops, do_SET, a, false, true, gen_helper_setgm)
+TRANS_FEAT(SETGE, aa64_mops, do_SET, a, true, true, gen_helper_setge)
 
 typedef void ArithTwoOp(TCGv_i64, TCGv_i64, TCGv_i64);
 
-- 
2.34.1

The FEAT_MOPS memory copy operations need an extra helper routine
for checking for MTE tag checking failures beyond the ones we
already added for memory set operations:
 * mte_mops_probe_rev() does the same job as mte_mops_probe(), but
   it checks tags starting at the provided address and working
   backwards, rather than forwards

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230912140434.1333369-11-peter.maydell@linaro.org
---
 target/arm/internals.h      | 17 +++++++
 target/arm/tcg/mte_helper.c | 99 +++++++++++++++++++++++++++++++++++++
 2 files changed, 116 insertions(+)

The FEAT_MOPS CPY* instructions implement memory copies. These
come in both "always forwards" (memcpy-style) and "overlap OK"
(memmove-style) flavours.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230912140434.1333369-12-peter.maydell@linaro.org
---
 target/arm/tcg/helper-a64.h    |   7 +
 target/arm/tcg/a64.decode      |  14 +
 target/arm/tcg/helper-a64.c    | 454 +++++++++++++++++++++++++++++++++
 target/arm/tcg/translate-a64.c |  60 +++++
 4 files changed, 535 insertions(+)

diff --git a/target/arm/tcg/helper-a64.h b/target/arm/tcg/helper-a64.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/helper-a64.h
+++ b/target/arm/tcg/helper-a64.h
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_3(sete, void, env, i32, i32)
 DEF_HELPER_3(setgp, void, env, i32, i32)
 DEF_HELPER_3(setgm, void, env, i32, i32)
 DEF_HELPER_3(setge, void, env, i32, i32)
+
+DEF_HELPER_4(cpyp, void, env, i32, i32, i32)
+DEF_HELPER_4(cpym, void, env, i32, i32, i32)
+DEF_HELPER_4(cpye, void, env, i32, i32, i32)
+DEF_HELPER_4(cpyfp, void, env, i32, i32, i32)
+DEF_HELPER_4(cpyfm, void, env, i32, i32, i32)
+DEF_HELPER_4(cpyfe, void, env, i32, i32, i32)
diff --git a/target/arm/tcg/a64.decode b/target/arm/tcg/a64.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/a64.decode
+++ b/target/arm/tcg/a64.decode
@@ -XXX,XX +XXX,XX @@ SETE            00 011001110 ..... 10 . . 01 ..... ..... @set
 SETGP           00 011101110 ..... 00 . . 01 ..... ..... @set
 SETGM           00 011101110 ..... 01 . . 01 ..... ..... @set
 SETGE           00 011101110 ..... 10 . . 01 ..... ..... @set
+
+# Memmove/Memcopy: the CPY insns allow overlapping src/dest and
+# copy in the correct direction; the CPYF insns always copy forwards.
+#
+# options has the nontemporal and unpriv bits for src and dest
+&cpy rs rn rd options
+@cpy            .. ... . ..... rs:5 options:4 .. rn:5 rd:5 &cpy
+
+CPYFP           00 011 0 01000 ..... .... 01 ..... ..... @cpy
+CPYFM           00 011 0 01010 ..... .... 01 ..... ..... @cpy
+CPYFE           00 011 0 01100 ..... .... 01 ..... ..... @cpy
+CPYP            00 011 1 01000 ..... .... 01 ..... ..... @cpy
+CPYM            00 011 1 01010 ..... .... 01 ..... ..... @cpy
+CPYE            00 011 1 01100 ..... .... 01 ..... ..... @cpy
diff --git a/target/arm/tcg/helper-a64.c b/target/arm/tcg/helper-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/helper-a64.c
+++ b/target/arm/tcg/helper-a64.c
@@ -XXX,XX +XXX,XX @@ static uint64_t page_limit(uint64_t addr)
     return TARGET_PAGE_ALIGN(addr + 1) - addr;
 }
 
+/*
+ * Return the number of bytes we can copy starting from addr and working
+ * backwards without crossing a page boundary.
+ */
+static uint64_t page_limit_rev(uint64_t addr)
+{
+    return (addr & ~TARGET_PAGE_MASK) + 1;
+}
+
 /*
  * Perform part of a memory set on an area of guest memory starting at
  * toaddr (a dirty address) and extending for setsize bytes.
@@ -XXX,XX +XXX,XX @@ void HELPER(setge)(CPUARMState *env, uint32_t syndrome, uint32_t mtedesc)
 {
     do_sete(env, syndrome, mtedesc, set_step_tags, true, GETPC());
 }
+
+/*
+ * Perform part of a memory copy from the guest memory at fromaddr
+ * and extending for copysize bytes, to the guest memory at
+ * toaddr. Both addreses are dirty.
+ *
+ * Returns the number of bytes actually set, which might be less than
+ * copysize; the caller should loop until the whole copy has been done.
+ * The caller should ensure that the guest registers are correct
+ * for the possibility that the first byte of the copy encounters
+ * an exception or watchpoint. We guarantee not to take any faults
+ * for bytes other than the first.
+ */
+static uint64_t copy_step(CPUARMState *env, uint64_t toaddr, uint64_t fromaddr,
+                          uint64_t copysize, int wmemidx, int rmemidx,
+                          uint32_t *wdesc, uint32_t *rdesc, uintptr_t ra)
+{
+    void *rmem;
+    void *wmem;
+
+    /* Don't cross a page boundary on either source or destination */
+    copysize = MIN(copysize, page_limit(toaddr));
+    copysize = MIN(copysize, page_limit(fromaddr));
+    /*
+     * Handle MTE tag checks: either handle the tag mismatch for byte 0,
+     * or else copy up to but not including the byte with the mismatch.
+     */
+    if (*rdesc) {
+        uint64_t mtesize = mte_mops_probe(env, fromaddr, copysize, *rdesc);
+        if (mtesize == 0) {
+            mte_check_fail(env, *rdesc, fromaddr, ra);
+            *rdesc = 0;
+        } else {
+            copysize = MIN(copysize, mtesize);
+        }
+    }
+    if (*wdesc) {
+        uint64_t mtesize = mte_mops_probe(env, toaddr, copysize, *wdesc);
+        if (mtesize == 0) {
+            mte_check_fail(env, *wdesc, toaddr, ra);
+            *wdesc = 0;
+        } else {
+            copysize = MIN(copysize, mtesize);
+        }
+    }
+
+    toaddr = useronly_clean_ptr(toaddr);
+    fromaddr = useronly_clean_ptr(fromaddr);
+    /* Trapless lookup of whether we can get a host memory pointer */
+    wmem = tlb_vaddr_to_host(env, toaddr, MMU_DATA_STORE, wmemidx);
+    rmem = tlb_vaddr_to_host(env, fromaddr, MMU_DATA_LOAD, rmemidx);
+
+#ifndef CONFIG_USER_ONLY
+    /*
+     * If we don't have host memory for both source and dest then just
+     * do a single byte copy. This will handle watchpoints, invalid pages,
+     * etc correctly. For clean code pages, the next iteration will see
+     * the page dirty and will use the fast path.
+     */
+    if (unlikely(!rmem || !wmem)) {
+        uint8_t byte;
+        if (rmem) {
+            byte = *(uint8_t *)rmem;
+        } else {
+            byte = cpu_ldub_mmuidx_ra(env, fromaddr, rmemidx, ra);
+        }
+        if (wmem) {
+            *(uint8_t *)wmem = byte;
+        } else {
+            cpu_stb_mmuidx_ra(env, toaddr, byte, wmemidx, ra);
+        }
+        return 1;
+    }
+#endif
+    /* Easy case: just memmove the host memory */
+    memmove(wmem, rmem, copysize);
+    return copysize;
+}
+
+/*
+ * Do part of a backwards memory copy. Here toaddr and fromaddr point
+ * to the *last* byte to be copied.
+ */
+static uint64_t copy_step_rev(CPUARMState *env, uint64_t toaddr,
+                              uint64_t fromaddr,
+                              uint64_t copysize, int wmemidx, int rmemidx,
+                              uint32_t *wdesc, uint32_t *rdesc, uintptr_t ra)
+{
+    void *rmem;
+    void *wmem;
+
+    /* Don't cross a page boundary on either source or destination */
+    copysize = MIN(copysize, page_limit_rev(toaddr));
+    copysize = MIN(copysize, page_limit_rev(fromaddr));
+
+    /*
+     * Handle MTE tag checks: either handle the tag mismatch for byte 0,
+     * or else copy up to but not including the byte with the mismatch.
+     */
+    if (*rdesc) {
+        uint64_t mtesize = mte_mops_probe_rev(env, fromaddr, copysize, *rdesc);
+        if (mtesize == 0) {
+            mte_check_fail(env, *rdesc, fromaddr, ra);
+            *rdesc = 0;
+        } else {
+            copysize = MIN(copysize, mtesize);
+        }
+    }
+    if (*wdesc) {
+        uint64_t mtesize = mte_mops_probe_rev(env, toaddr, copysize, *wdesc);
+        if (mtesize == 0) {
+            mte_check_fail(env, *wdesc, toaddr, ra);
+            *wdesc = 0;
+        } else {
+            copysize = MIN(copysize, mtesize);
+        }
+    }
+
+    toaddr = useronly_clean_ptr(toaddr);
+    fromaddr = useronly_clean_ptr(fromaddr);
+    /* Trapless lookup of whether we can get a host memory pointer */
+    wmem = tlb_vaddr_to_host(env, toaddr, MMU_DATA_STORE, wmemidx);
+    rmem = tlb_vaddr_to_host(env, fromaddr, MMU_DATA_LOAD, rmemidx);
+
+#ifndef CONFIG_USER_ONLY
+    /*
+     * If we don't have host memory for both source and dest then just
+     * do a single byte copy. This will handle watchpoints, invalid pages,
+     * etc correctly. For clean code pages, the next iteration will see
+     * the page dirty and will use the fast path.
+     */
+    if (unlikely(!rmem || !wmem)) {
+        uint8_t byte;
+        if (rmem) {
+            byte = *(uint8_t *)rmem;
+        } else {
+            byte = cpu_ldub_mmuidx_ra(env, fromaddr, rmemidx, ra);
+        }
+        if (wmem) {
+            *(uint8_t *)wmem = byte;
+        } else {
+            cpu_stb_mmuidx_ra(env, toaddr, byte, wmemidx, ra);
+        }
+        return 1;
+    }
+#endif
+    /*
+     * Easy case: just memmove the host memory. Note that wmem and
+     * rmem here point to the *last* byte to copy.
+     */
+    memmove(wmem - (copysize - 1), rmem - (copysize - 1), copysize);
+    return copysize;
+}
+
+/*
+ * for the Memory Copy operation, our implementation chooses always
+ * to use "option A", where we update Xd and Xs to the final addresses
+ * in the CPYP insn, and then in CPYM and CPYE only need to update Xn.
+ *
+ * @env: CPU
+ * @syndrome: syndrome value for mismatch exceptions
+ * (also contains the register numbers we need to use)
+ * @wdesc: MTE descriptor for the writes (destination)
+ * @rdesc: MTE descriptor for the reads (source)
+ * @move: true if this is CPY (memmove), false for CPYF (memcpy forwards)
+ */
+static void do_cpyp(CPUARMState *env, uint32_t syndrome, uint32_t wdesc,
+                    uint32_t rdesc, uint32_t move, uintptr_t ra)
+{
+    int rd = mops_destreg(syndrome);
+    int rs = mops_srcreg(syndrome);
+    int rn = mops_sizereg(syndrome);
+    uint32_t rmemidx = FIELD_EX32(rdesc, MTEDESC, MIDX);
+    uint32_t wmemidx = FIELD_EX32(wdesc, MTEDESC, MIDX);
+    bool forwards = true;
+    uint64_t toaddr = env->xregs[rd];
+    uint64_t fromaddr = env->xregs[rs];
+    uint64_t copysize = env->xregs[rn];
+    uint64_t stagecopysize, step;
+
+    check_mops_enabled(env, ra);
+
+
+    if (move) {
+        /*
+         * Copy backwards if necessary. The direction for a non-overlapping
+         * copy is IMPDEF; we choose forwards.
+         */
+        if (copysize > 0x007FFFFFFFFFFFFFULL) {
+            copysize = 0x007FFFFFFFFFFFFFULL;
+        }
+        uint64_t fs = extract64(fromaddr, 0, 56);
+        uint64_t ts = extract64(toaddr, 0, 56);
+        uint64_t fe = extract64(fromaddr + copysize, 0, 56);
+
+        if (fs < ts && fe > ts) {
+            forwards = false;
+        }
+    } else {
+        if (copysize > INT64_MAX) {
+            copysize = INT64_MAX;
+        }
+    }
+
+    if (!mte_checks_needed(fromaddr, rdesc)) {
+        rdesc = 0;
+    }
+    if (!mte_checks_needed(toaddr, wdesc)) {
+        wdesc = 0;
+    }
+
+    if (forwards) {
+        stagecopysize = MIN(copysize, page_limit(toaddr));
+        stagecopysize = MIN(stagecopysize, page_limit(fromaddr));
+        while (stagecopysize) {
+            env->xregs[rd] = toaddr;
+            env->xregs[rs] = fromaddr;
+            env->xregs[rn] = copysize;
+            step = copy_step(env, toaddr, fromaddr, stagecopysize,
+                             wmemidx, rmemidx, &wdesc, &rdesc, ra);
+            toaddr += step;
+            fromaddr += step;
+            copysize -= step;
+            stagecopysize -= step;
+        }
+        /* Insn completed, so update registers to the Option A format */
+        env->xregs[rd] = toaddr + copysize;
+        env->xregs[rs] = fromaddr + copysize;
+        env->xregs[rn] = -copysize;
+    } else {
+        /*
+         * In a reverse copy the to and from addrs in Xs and Xd are the start
+         * of the range, but it's more convenient for us to work with pointers
+         * to the last byte being copied.
+         */
+        toaddr += copysize - 1;
+        fromaddr += copysize - 1;
+        stagecopysize = MIN(copysize, page_limit_rev(toaddr));
+        stagecopysize = MIN(stagecopysize, page_limit_rev(fromaddr));
+        while (stagecopysize) {
+            env->xregs[rn] = copysize;
+            step = copy_step_rev(env, toaddr, fromaddr, stagecopysize,
+                                 wmemidx, rmemidx, &wdesc, &rdesc, ra);
+            copysize -= step;
+            stagecopysize -= step;
+            toaddr -= step;
+            fromaddr -= step;
+        }
+        /*
+         * Insn completed, so update registers to the Option A format.
+         * For a reverse copy this is no different to the CPYP input format.
+         */
+        env->xregs[rn] = copysize;
+    }
+
+    /* Set NZCV = 0000 to indicate we are an Option A implementation */
+    env->NF = 0;
+    env->ZF = 1; /* our env->ZF encoding is inverted */
+    env->CF = 0;
+    env->VF = 0;
+    return;
+}
+
+void HELPER(cpyp)(CPUARMState *env, uint32_t syndrome, uint32_t wdesc,
+                  uint32_t rdesc)
+{
+    do_cpyp(env, syndrome, wdesc, rdesc, true, GETPC());
+}
+
+void HELPER(cpyfp)(CPUARMState *env, uint32_t syndrome, uint32_t wdesc,
+                   uint32_t rdesc)
+{
+    do_cpyp(env, syndrome, wdesc, rdesc, false, GETPC());
+}
+
+static void do_cpym(CPUARMState *env, uint32_t syndrome, uint32_t wdesc,
+                    uint32_t rdesc, uint32_t move, uintptr_t ra)
+{
+    /* Main: we choose to copy until less than a page remaining */
+    CPUState *cs = env_cpu(env);
+    int rd = mops_destreg(syndrome);
+    int rs = mops_srcreg(syndrome);
+    int rn = mops_sizereg(syndrome);
+    uint32_t rmemidx = FIELD_EX32(rdesc, MTEDESC, MIDX);
+    uint32_t wmemidx = FIELD_EX32(wdesc, MTEDESC, MIDX);
+    bool forwards = true;
+    uint64_t toaddr, fromaddr, copysize, step;
+
+    check_mops_enabled(env, ra);
+
+    /* We choose to NOP out "no data to copy" before consistency checks */
+    if (env->xregs[rn] == 0) {
+        return;
+    }
+
+    check_mops_wrong_option(env, syndrome, ra);
+
+    if (move) {
+        forwards = (int64_t)env->xregs[rn] < 0;
+    }
+
+    if (forwards) {
+        toaddr = env->xregs[rd] + env->xregs[rn];
+        fromaddr = env->xregs[rs] + env->xregs[rn];
+        copysize = -env->xregs[rn];
+    } else {
+        copysize = env->xregs[rn];
+        /* This toaddr and fromaddr point to the *last* byte to copy */
+        toaddr = env->xregs[rd] + copysize - 1;
+        fromaddr = env->xregs[rs] + copysize - 1;
+    }
+
+    if (!mte_checks_needed(fromaddr, rdesc)) {
+        rdesc = 0;
+    }
+    if (!mte_checks_needed(toaddr, wdesc)) {
+        wdesc = 0;
+    }
+
+    /* Our implementation has no particular parameter requirements for CPYM */
+
+    /* Do the actual memmove */
+    if (forwards) {
+        while (copysize >= TARGET_PAGE_SIZE) {
+            step = copy_step(env, toaddr, fromaddr, copysize,
+                             wmemidx, rmemidx, &wdesc, &rdesc, ra);
+            toaddr += step;
+            fromaddr += step;
+            copysize -= step;
+            env->xregs[rn] = -copysize;
+            if (copysize >= TARGET_PAGE_SIZE &&
+                unlikely(cpu_loop_exit_requested(cs))) {
+                cpu_loop_exit_restore(cs, ra);
+            }
+        }
+    } else {
+        while (copysize >= TARGET_PAGE_SIZE) {
+            step = copy_step_rev(env, toaddr, fromaddr, copysize,
+                                 wmemidx, rmemidx, &wdesc, &rdesc, ra);
+            toaddr -= step;
+            fromaddr -= step;
+            copysize -= step;
+            env->xregs[rn] = copysize;
+            if (copysize >= TARGET_PAGE_SIZE &&
+                unlikely(cpu_loop_exit_requested(cs))) {
+                cpu_loop_exit_restore(cs, ra);
+            }
+        }
+    }
+}
+
+void HELPER(cpym)(CPUARMState *env, uint32_t syndrome, uint32_t wdesc,
+                  uint32_t rdesc)
+{
+    do_cpym(env, syndrome, wdesc, rdesc, true, GETPC());
+}
+
+void HELPER(cpyfm)(CPUARMState *env, uint32_t syndrome, uint32_t wdesc,
+                   uint32_t rdesc)
+{
+    do_cpym(env, syndrome, wdesc, rdesc, false, GETPC());
+}
+
+static void do_cpye(CPUARMState *env, uint32_t syndrome, uint32_t wdesc,
+                    uint32_t rdesc, uint32_t move, uintptr_t ra)
+{
+    /* Epilogue: do the last partial page */
+    int rd = mops_destreg(syndrome);
+    int rs = mops_srcreg(syndrome);
+    int rn = mops_sizereg(syndrome);
+    uint32_t rmemidx = FIELD_EX32(rdesc, MTEDESC, MIDX);
+    uint32_t wmemidx = FIELD_EX32(wdesc, MTEDESC, MIDX);
+    bool forwards = true;
+    uint64_t toaddr, fromaddr, copysize, step;
+
+    check_mops_enabled(env, ra);
+
+    /* We choose to NOP out "no data to copy" before consistency checks */
+    if (env->xregs[rn] == 0) {
+        return;
+    }
+
+    check_mops_wrong_option(env, syndrome, ra);
+
+    if (move) {
+        forwards = (int64_t)env->xregs[rn] < 0;
+    }
+
+    if (forwards) {
+        toaddr = env->xregs[rd] + env->xregs[rn];
+        fromaddr = env->xregs[rs] + env->xregs[rn];
+        copysize = -env->xregs[rn];
+    } else {
+        copysize = env->xregs[rn];
+        /* This toaddr and fromaddr point to the *last* byte to copy */
+        toaddr = env->xregs[rd] + copysize - 1;
+        fromaddr = env->xregs[rs] + copysize - 1;
+    }
+
+    if (!mte_checks_needed(fromaddr, rdesc)) {
+        rdesc = 0;
+    }
+    if (!mte_checks_needed(toaddr, wdesc)) {
+        wdesc = 0;
+    }
+
+    /* Check the size; we don't want to have do a check-for-interrupts */
+    if (copysize >= TARGET_PAGE_SIZE) {
+        raise_exception_ra(env, EXCP_UDEF, syndrome,
+                           mops_mismatch_exception_target_el(env), ra);
+    }
+
+    /* Do the actual memmove */
+    if (forwards) {
+        while (copysize > 0) {
+            step = copy_step(env, toaddr, fromaddr, copysize,
+                             wmemidx, rmemidx, &wdesc, &rdesc, ra);
+            toaddr += step;
+            fromaddr += step;
+            copysize -= step;
+            env->xregs[rn] = -copysize;
+        }
+    } else {
+        while (copysize > 0) {
+            step = copy_step_rev(env, toaddr, fromaddr, copysize,
+                                 wmemidx, rmemidx, &wdesc, &rdesc, ra);
+            toaddr -= step;
+            fromaddr -= step;
+            copysize -= step;
+            env->xregs[rn] = copysize;
+        }
+    }
+}
+
+void HELPER(cpye)(CPUARMState *env, uint32_t syndrome, uint32_t wdesc,
+                  uint32_t rdesc)
+{
+    do_cpye(env, syndrome, wdesc, rdesc, true, GETPC());
+}
+
+void HELPER(cpyfe)(CPUARMState *env, uint32_t syndrome, uint32_t wdesc,
+                   uint32_t rdesc)
+{
+    do_cpye(env, syndrome, wdesc, rdesc, false, GETPC());
+}
diff --git a/target/arm/tcg/translate-a64.c b/target/arm/tcg/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate-a64.c
+++ b/target/arm/tcg/translate-a64.c
@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(SETGP, aa64_mops, do_SET, a, false, true, gen_helper_setgp)
 TRANS_FEAT(SETGM, aa64_mops, do_SET, a, false, true, gen_helper_setgm)
 TRANS_FEAT(SETGE, aa64_mops, do_SET, a, true, true, gen_helper_setge)
 
+typedef void CpyFn(TCGv_env, TCGv_i32, TCGv_i32, TCGv_i32);
+
+static bool do_CPY(DisasContext *s, arg_cpy *a, bool is_epilogue, CpyFn fn)
+{
+    int rmemidx, wmemidx;
+    uint32_t syndrome, rdesc = 0, wdesc = 0;
+    bool wunpriv = extract32(a->options, 0, 1);
+    bool runpriv = extract32(a->options, 1, 1);
+
+    /*
+     * UNPREDICTABLE cases: we choose to UNDEF, which allows
+     * us to pull this check before the CheckMOPSEnabled() test
+     * (which we do in the helper function)
+     */
+    if (a->rs == a->rn || a->rs == a->rd || a->rn == a->rd ||
+        a->rd == 31 || a->rs == 31 || a->rn == 31) {
+        return false;
+    }
+
+    rmemidx = get_a64_user_mem_index(s, runpriv);
+    wmemidx = get_a64_user_mem_index(s, wunpriv);
+
+    /*
+     * We pass option_a == true, matching our implementation;
+     * we pass wrong_option == false: helper function may set that bit.
+     */
+    syndrome = syn_mop(false, false, a->options, is_epilogue,
+                       false, true, a->rd, a->rs, a->rn);
+
+    /* If we need to do MTE tag checking, assemble the descriptors */
+    if (s->mte_active[runpriv]) {
+        rdesc = FIELD_DP32(rdesc, MTEDESC, TBI, s->tbid);
+        rdesc = FIELD_DP32(rdesc, MTEDESC, TCMA, s->tcma);
+    }
+    if (s->mte_active[wunpriv]) {
+        wdesc = FIELD_DP32(wdesc, MTEDESC, TBI, s->tbid);
+        wdesc = FIELD_DP32(wdesc, MTEDESC, TCMA, s->tcma);
+        wdesc = FIELD_DP32(wdesc, MTEDESC, WRITE, true);
+    }
+    /* The helper function needs these parts of the descriptor regardless */
+    rdesc = FIELD_DP32(rdesc, MTEDESC, MIDX, rmemidx);
+    wdesc = FIELD_DP32(wdesc, MTEDESC, MIDX, wmemidx);
+
+    /*
+     * The helper needs the register numbers, but since they're in
+     * the syndrome anyway, we let it extract them from there rather
+     * than passing in an extra three integer arguments.
+     */
+    fn(cpu_env, tcg_constant_i32(syndrome), tcg_constant_i32(wdesc),
+       tcg_constant_i32(rdesc));
+    return true;
+}
+
+TRANS_FEAT(CPYP, aa64_mops, do_CPY, a, false, gen_helper_cpyp)
+TRANS_FEAT(CPYM, aa64_mops, do_CPY, a, false, gen_helper_cpym)
+TRANS_FEAT(CPYE, aa64_mops, do_CPY, a, true, gen_helper_cpye)
+TRANS_FEAT(CPYFP, aa64_mops, do_CPY, a, false, gen_helper_cpyfp)
+TRANS_FEAT(CPYFM, aa64_mops, do_CPY, a, false, gen_helper_cpyfm)
+TRANS_FEAT(CPYFE, aa64_mops, do_CPY, a, true, gen_helper_cpyfe)
+
 typedef void ArithTwoOp(TCGv_i64, TCGv_i64, TCGv_i64);
 
 static bool gen_rri(DisasContext *s, arg_rri_sf *a,
-- 
2.34.1

Enable FEAT_MOPS on the AArch64 'max' CPU, and add it to
the list of features we implement.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20230912140434.1333369-13-peter.maydell@linaro.org
---
 docs/system/arm/emulation.rst | 1 +
 linux-user/elfload.c          | 1 +
 target/arm/tcg/cpu64.c        | 1 +
 3 files changed, 3 insertions(+)

Avoid a dynamic stack allocation in qjack_client_init(), by using
a g_autofree heap allocation instead.

(We stick with allocate + snprintf() because the JACK API requires
the name to be no more than its maximum size, so g_strdup_printf()
would require an extra truncation step.)

The codebase has very few VLAs, and if we can get rid of them all we
can make the compiler error on new additions.  This is a defensive
measure against security bugs where an on-stack dynamic allocation
isn't correctly size-checked (e.g.  CVE-2021-3527).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Message-id: 20230818155846.1651287-2-peter.maydell@linaro.org
---
 audio/jackaudio.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/audio/jackaudio.c b/audio/jackaudio.c
index XXXXXXX..XXXXXXX 100644
--- a/audio/jackaudio.c
+++ b/audio/jackaudio.c
@@ -XXX,XX +XXX,XX @@ static void qjack_client_connect_ports(QJackClient *c)
 static int qjack_client_init(QJackClient *c)
 {
     jack_status_t status;
-    char client_name[jack_client_name_size()];
+    int client_name_len = jack_client_name_size(); /* includes NUL */
+    g_autofree char *client_name = g_new(char, client_name_len);
     jack_options_t options = JackNullOption;
 
     if (c->state == QJACK_STATE_RUNNING) {
@@ -XXX,XX +XXX,XX @@ static int qjack_client_init(QJackClient *c)
 
     c->connect_ports = true;
 
-    snprintf(client_name, sizeof(client_name), "%s-%s",
+    snprintf(client_name, client_name_len, "%s-%s",
         c->out ? "out" : "in",
         c->opt->client_name ? c->opt->client_name : audio_application_name());
 
-- 
2.34.1

Avoid a dynamic stack allocation in qjack_process().  Since this
function is a JACK process callback, we are not permitted to malloc()
here, so we allocate a working buffer in qjack_client_init() instead.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Message-id: 20230818155846.1651287-3-peter.maydell@linaro.org
---
 audio/jackaudio.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/audio/jackaudio.c b/audio/jackaudio.c
index XXXXXXX..XXXXXXX 100644
--- a/audio/jackaudio.c
+++ b/audio/jackaudio.c
@@ -XXX,XX +XXX,XX @@ typedef struct QJackClient {
     int             buffersize;
     jack_port_t   **port;
     QJackBuffer     fifo;
+
+    /* Used as workspace by qjack_process() */
+    float **process_buffers;
 }
 QJackClient;
 
@@ -XXX,XX +XXX,XX @@ static int qjack_process(jack_nframes_t nframes, void *arg)
     }
 
     /* get the buffers for the ports */
-    float *buffers[c->nchannels];
     for (int i = 0; i < c->nchannels; ++i) {
-        buffers[i] = jack_port_get_buffer(c->port[i], nframes);
+        c->process_buffers[i] = jack_port_get_buffer(c->port[i], nframes);
     }
 
     if (c->out) {
         if (likely(c->enabled)) {
-            qjack_buffer_read_l(&c->fifo, buffers, nframes);
+            qjack_buffer_read_l(&c->fifo, c->process_buffers, nframes);
         } else {
             for (int i = 0; i < c->nchannels; ++i) {
-                memset(buffers[i], 0, nframes * sizeof(float));
+                memset(c->process_buffers[i], 0, nframes * sizeof(float));
             }
         }
     } else {
         if (likely(c->enabled)) {
-            qjack_buffer_write_l(&c->fifo, buffers, nframes);
+            qjack_buffer_write_l(&c->fifo, c->process_buffers, nframes);
         }
     }
 
@@ -XXX,XX +XXX,XX @@ static int qjack_client_init(QJackClient *c)
           jack_get_client_name(c->client));
     }
 
+    /* Allocate working buffer for process callback */
+    c->process_buffers = g_new(float *, c->nchannels);
+
     jack_set_process_callback(c->client, qjack_process , c);
     jack_set_port_registration_callback(c->client, qjack_port_registration, c);
     jack_set_xrun_callback(c->client, qjack_xrun, c);
@@ -XXX,XX +XXX,XX @@ static void qjack_client_fini_locked(QJackClient *c)
 
         qjack_buffer_free(&c->fifo);
         g_free(c->port);
+        g_free(c->process_buffers);
 
         c->state = QJACK_STATE_DISCONNECTED;
         /* fallthrough */
-- 
2.34.1

From: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>

Armv8.1+ cpus have Virtual Host Extension (VHE) which added non-secure
EL2 virtual timer.

This change adds it to fullfil Arm BSA (Base System Architecture)
requirements.

Signed-off-by: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
Message-id: 20230913140610.214893-2-marcin.juszkiewicz@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/sbsa-ref.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/sbsa-ref.c
+++ b/hw/arm/sbsa-ref.c
@@ -XXX,XX +XXX,XX @@
 #define ARCH_TIMER_S_EL1_IRQ   13
 #define ARCH_TIMER_NS_EL1_IRQ  14
 #define ARCH_TIMER_NS_EL2_IRQ  10
+#define ARCH_TIMER_NS_EL2_VIRT_IRQ  12
 
 enum {
     SBSA_FLASH,
@@ -XXX,XX +XXX,XX @@ static void create_gic(SBSAMachineState *sms, MemoryRegion *mem)
             [GTIMER_VIRT] = ARCH_TIMER_VIRT_IRQ,
             [GTIMER_HYP]  = ARCH_TIMER_NS_EL2_IRQ,
             [GTIMER_SEC]  = ARCH_TIMER_S_EL1_IRQ,
+            [GTIMER_HYPVIRT] = ARCH_TIMER_NS_EL2_VIRT_IRQ,
         };
 
         for (irq = 0; irq < ARRAY_SIZE(timer_irq); irq++) {
-- 
2.34.1