Series comparison

-[Qemu-devel] [PULL 00/24] target-arm queue
+[PULL 00/36] target-arm queue
-First ARM pullreq of the 2.10 cycle...
+First pullreq for 6.0: mostly my v8.1M work, plus some other
 bits and pieces. (I still have a lot of stuff in my to-review
 folder, which I may or may not get to before the Christmas break...)
 thanks
 -- PMM
-The following changes since commit 64c8ed97cceabac4fafe17fca8d88ef08183f439:
+The following changes since commit 5e7b204dbfae9a562fc73684986f936b97f63877:
-  Open 2.10 development tree (2017-04-20 15:42:31 +0100)
+  Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging (2020-12-09 20:08:54 +0000)
-are available in the git repository at:
+are available in the Git repository at:
-  git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20170420
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20201210
-for you to fetch changes up to f4e8e4edda875cab9df91dc4ae9767f7cb1f50aa:
+for you to fetch changes up to 71f916be1c7e9ede0e37d9cabc781b5a9e8638ff:
-  arm: Remove workarounds for old M-profile exception return implementation (2017-04-20 17:39:17 +0100)
+  hw/arm/armv7m: Correct typo in QOM object name (2020-12-10 11:44:56 +0000)
 ----------------------------------------------------------------
 target-arm queue:
- * implement M profile exception return properly
+ * hw/arm/smmuv3: Fix up L1STD_SPAN decoding
- * cadence GEM: fix multiqueue handling bugs
+ * xlnx-zynqmp: Support Xilinx ZynqMP CAN controllers
- * pxa2xx.c: QOMify a device
+ * sbsa-ref: allow to use Cortex-A53/57/72 cpus
- * arm/kvm: Remove trailing newlines from error_report()
+ * Various minor code cleanups
- * stellaris: Don't hw_error() on bad register accesses
+ * hw/intc/armv7m_nvic: Make all of system PPB range be RAZWI/BusFault
- * Add assertion about FSC format for syndrome registers
+ * Implement more pieces of ARMv8.1M support
  * Move excnames[] array into arm_log_exceptions()
  * exynos: minor code cleanups
  * hw/arm/boot: take Linux/arm64 TEXT_OFFSET header field into account
  * Fix APSR writes via M profile MSR
 ----------------------------------------------------------------
-Alistair Francis (5):
+Alex Chen (4):
-      cadence_gem: Read the correct queue descriptor
+      i.MX25: Fix bad printf format specifiers
-      cadence_gem: Correct the multi-queue can rx logic
+      i.MX31: Fix bad printf format specifiers
-      cadence_gem: Correct the interupt logic
+      i.MX6: Fix bad printf format specifiers
-      cadence_gem: Make the revision a property
+      i.MX6ul: Fix bad printf format specifiers
       xlnx-zynqmp: Set the Cadence GEM revision
-Ard Biesheuvel (1):
+Havard Skinnemoen (1):
-      hw/arm/boot: take Linux/arm64 TEXT_OFFSET header field into account
+      tests/qtest/npcm7xx_rng-test: dump random data on failure
-Ishani Chugh (1):
+Kunkun Jiang (1):
-      arm/kvm: Remove trailing newlines from error_report()
+      hw/arm/smmuv3: Fix up L1STD_SPAN decoding
-Krzysztof Kozlowski (3):
+Marcin Juszkiewicz (1):
-      hw/arm/exynos: Convert fprintf to qemu_log_mask/error_report
+      sbsa-ref: allow to use Cortex-A53/57/72 cpus
       hw/char/exynos4210_uart: Constify static array and few arguments
       hw/misc/exynos4210_pmu: Reorder local variables for readability
-Peter Maydell (13):
+Peter Maydell (25):
-      target/arm: Add missing entries to excnames[] for log strings
+      hw/intc/armv7m_nvic: Make all of system PPB range be RAZWI/BusFault
-      arm: Move excnames[] array into arm_log_exceptions()
+      target/arm: Implement v8.1M PXN extension
-      target/arm: Add assertion about FSC format for syndrome registers
+      target/arm: Don't clobber ID_PFR1.Security on M-profile cores
-      stellaris: Don't hw_error() on bad register accesses
+      target/arm: Implement VSCCLRM insn
-      arm: Don't implement BXJ on M-profile CPUs
+      target/arm: Implement CLRM instruction
-      arm: Thumb shift operations should not permit interworking branches
+      target/arm: Enforce M-profile VMRS/VMSR register restrictions
-      arm: Factor out "generate right kind of step exception"
+      target/arm: Refactor M-profile VMSR/VMRS handling
-      arm: Move gen_set_condexec() and gen_set_pc_im() up in the file
+      target/arm: Move general-use constant expanders up in translate.c
-      arm: Move condition-failed codepath generation out of if()
+      target/arm: Implement VLDR/VSTR system register
-      arm: Abstract out "are we singlestepping" test to utility function
+      target/arm: Implement M-profile FPSCR_nzcvqc
-      arm: Track M profile handler mode state in TB flags
+      target/arm: Use new FPCR_NZCV_MASK constant
-      arm: Implement M profile exception return properly
+      target/arm: Factor out preserve-fp-state from full_vfp_access_check()
-      arm: Remove workarounds for old M-profile exception return implementation
+      target/arm: Implement FPCXT_S fp system register
       hw/intc/armv7m_nvic: Update FPDSCR masking for v8.1M
       target/arm: For v8.1M, always clear R0-R3, R12, APSR, EPSR on exception entry
       target/arm: In v8.1M, don't set HFSR.FORCED on vector table fetch failures
       target/arm: Implement v8.1M REVIDR register
       target/arm: Implement new v8.1M NOCP check for exception return
       target/arm: Implement new v8.1M VLLDM and VLSTM encodings
       hw/intc/armv7m_nvic: Support v8.1M CCR.TRD bit
       target/arm: Implement CCR_S.TRD behaviour for SG insns
       hw/intc/armv7m_nvic: Fix "return from inactive handler" check
       target/arm: Implement M-profile "minimal RAS implementation"
       hw/intc/armv7m_nvic: Implement read/write for RAS register block
       hw/arm/armv7m: Correct typo in QOM object name
-Suramya Shah (1):
+Vikram Garhwal (4):
-      hw/arm: Qomify pxa2xx.c
+      hw/net/can: Introduce Xilinx ZynqMP CAN controller
       xlnx-zynqmp: Connect Xilinx ZynqMP CAN controllers
       tests/qtest: Introduce tests for Xilinx ZynqMP CAN controller
       MAINTAINERS: Add maintainer entry for Xilinx ZynqMP CAN controller
- include/hw/net/cadence_gem.h |   1 +
+ meson.build                      |    1 +
- target/arm/cpu.h             |  10 +++
+ hw/arm/smmuv3-internal.h         |    2 +-
- target/arm/internals.h       |  21 -----
+ hw/net/can/trace.h               |    1 +
- target/arm/translate.h       |   5 ++
+ include/hw/arm/xlnx-zynqmp.h     |    8 +
- hw/arm/boot.c                |  64 ++++++++++++---
+ include/hw/intc/armv7m_nvic.h    |    2 +
- hw/arm/exynos4_boards.c      |   7 +-
+ include/hw/net/xlnx-zynqmp-can.h |   78 +++
- hw/arm/pxa2xx.c              |  14 ++--
+ target/arm/cpu.h                 |   46 ++
- hw/arm/stellaris.c           |  60 ++++++++------
+ target/arm/m-nocp.decode         |   10 +-
- hw/arm/xlnx-zynqmp.c         |   6 +-
+ target/arm/t32.decode            |   10 +-
- hw/char/exynos4210_uart.c    |   8 +-
+ target/arm/vfp.decode            |   14 +
- hw/misc/exynos4210_pmu.c     |   4 +-
+ hw/arm/armv7m.c                  |    4 +-
- hw/net/cadence_gem.c         |  45 +++++++----
+ hw/arm/sbsa-ref.c                |   23 +-
- hw/timer/exynos4210_mct.c    |   6 +-
+ hw/arm/xlnx-zcu102.c             |   20 +
- hw/timer/exynos4210_pwm.c    |  13 ++--
+ hw/arm/xlnx-zynqmp.c             |   34 ++
- hw/timer/exynos4210_rtc.c    |  19 ++---
+ hw/intc/armv7m_nvic.c            |  246 ++++++--
- target/arm/cpu.c             |  43 +---------
+ hw/misc/imx25_ccm.c              |   12 +-
- target/arm/helper.c          |  19 +++++
+ hw/misc/imx31_ccm.c              |   14 +-
- target/arm/kvm64.c           |   4 +-
+ hw/misc/imx6_ccm.c               |   20 +-
- target/arm/op_helper.c       |  23 ++++--
+ hw/misc/imx6_src.c               |    2 +-
- target/arm/translate.c       | 181 +++++++++++++++++++++++++++++--------------
+ hw/misc/imx6ul_ccm.c             |    4 +-
-files changed, 341 insertions(+), 212 deletions(-)
+ hw/misc/imx_ccm.c                |    4 +-
  hw/net/can/xlnx-zynqmp-can.c     | 1161 ++++++++++++++++++++++++++++++++++++++
  target/arm/cpu.c                 |    5 +-
  target/arm/helper.c              |    7 +-
  target/arm/m_helper.c            |  130 ++++-
  target/arm/translate.c           |  105 +++-
  tests/qtest/npcm7xx_rng-test.c   |   12 +
  tests/qtest/xlnx-can-test.c      |  360 ++++++++++++
  MAINTAINERS                      |    8 +
  hw/Kconfig                       |    1 +
  hw/net/can/meson.build           |    1 +
  hw/net/can/trace-events          |    9 +
  target/arm/translate-vfp.c.inc   |  511 ++++++++++++++++-
  tests/qtest/meson.build          |    1 +
 files changed, 2713 insertions(+), 153 deletions(-)
  create mode 100644 hw/net/can/trace.h
  create mode 100644 include/hw/net/xlnx-zynqmp-can.h
  create mode 100644 hw/net/can/xlnx-zynqmp-can.c
  create mode 100644 tests/qtest/xlnx-can-test.c
  create mode 100644 hw/net/can/trace-events

-New patch
+[PULL 01/36] hw/arm/smmuv3: Fix up L1STD_SPAN decoding
+From: Kunkun Jiang <jiangkunkun@huawei.com>
+Accroding to the SMMUv3 spec, the SPAN field of Level1 Stream Table
+Descriptor is 5 bits([4:0]).
+Fixes: 9bde7f0674f(hw/arm/smmuv3: Implement translate callback)
+Signed-off-by: Kunkun Jiang <jiangkunkun@huawei.com>
+Message-id: 20201124023711.1184-1-jiangkunkun@huawei.com
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Acked-by: Eric Auger <eric.auger@redhat.com>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ hw/arm/smmuv3-internal.h | 2 +-
+file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/smmuv3-internal.h
++++ b/hw/arm/smmuv3-internal.h
+@@ -XXX,XX +XXX,XX @@ static inline uint64_t l1std_l2ptr(STEDesc *desc)
+     return hi << 32 | lo;
+ }
+-#define L1STD_SPAN(stm) (extract32((stm)->word[0], 0, 4))
++#define L1STD_SPAN(stm) (extract32((stm)->word[0], 0, 5))
+ #endif
+--
+.20.1

-[Qemu-devel] [PULL 13/24] cadence_gem: Correct the interupt logic
+[PULL 02/36] hw/net/can: Introduce Xilinx ZynqMP CAN controller
-From: Alistair Francis <alistair.francis@xilinx.com>
+From: Vikram Garhwal <fnu.vikram@xilinx.com>
-This patch fixes two mistakes in the interrupt logic.
+The Xilinx ZynqMP CAN controller is developed based on SocketCAN, QEMU CAN bus
 implementation. Bus connection and socketCAN connection for each CAN module
 can be set through command lines.
-First we only trigger single-queue or multi-queue interrupts if the status
+Example for using single CAN:
-register is set. This logic was already used for non multi-queue interrupts
+    -object can-bus,id=canbus0 \
-but it also applies to multi-queue interrupts.
+    -machine xlnx-zcu102.canbus0=canbus0 \
     -object can-host-socketcan,id=socketcan0,if=vcan0,canbus=canbus0
-Secondly we need to lower the interrupts if the ISR isn't set. As part
+Example for connecting both CAN to same virtual CAN on host machine:
-of this we can remove the other interrupt lowering logic and consolidate
+    -object can-bus,id=canbus0 -object can-bus,id=canbus1 \
-it inside gem_update_int_status().
+    -machine xlnx-zcu102.canbus0=canbus0 \
     -machine xlnx-zcu102.canbus1=canbus1 \
     -object can-host-socketcan,id=socketcan0,if=vcan0,canbus=canbus0 \
     -object can-host-socketcan,id=socketcan1,if=vcan0,canbus=canbus1
-Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
+To create virtual CAN on the host machine, please check the QEMU CAN docs:
-Message-id: 438bcc014f8f8a2f8f68f322cb6a53f4c04688c2.1491947224.git.alistair.francis@xilinx.com
+https://github.com/qemu/qemu/blob/master/docs/can.txt
 Signed-off-by: Vikram Garhwal <fnu.vikram@xilinx.com>
 Message-id: 1605728926-352690-2-git-send-email-fnu.vikram@xilinx.com
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/net/cadence_gem.c | 18 +++++++++++++-----
+ meson.build                      |    1 +
-file changed, 13 insertions(+), 5 deletions(-)
+ hw/net/can/trace.h               |    1 +
  include/hw/net/xlnx-zynqmp-can.h |   78 ++
  hw/net/can/xlnx-zynqmp-can.c     | 1161 ++++++++++++++++++++++++++++++
  hw/Kconfig                       |    1 +
  hw/net/can/meson.build           |    1 +
  hw/net/can/trace-events          |    9 +
 files changed, 1252 insertions(+)
  create mode 100644 hw/net/can/trace.h
  create mode 100644 include/hw/net/xlnx-zynqmp-can.h
  create mode 100644 hw/net/can/xlnx-zynqmp-can.c
  create mode 100644 hw/net/can/trace-events
-diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c
+diff --git a/meson.build b/meson.build
 index XXXXXXX..XXXXXXX 100644
---- a/hw/net/cadence_gem.c
+--- a/meson.build
-+++ b/hw/net/cadence_gem.c
++++ b/meson.build
-@@ -XXX,XX +XXX,XX @@ static void gem_update_int_status(CadenceGEMState *s)
+@@ -XXX,XX +XXX,XX @@ if have_system
- {
+     'hw/misc',
-     int i;
+     'hw/misc/macio',
+     'hw/net',
--    if ((s->num_priority_queues == 1) && s->regs[GEM_ISR]) {
++    'hw/net/can',
-+    if (!s->regs[GEM_ISR]) {
+     'hw/nvram',
-+        /* ISR isn't set, clear all the interrupts */
+     'hw/pci',
-+        for (i = 0; i < s->num_priority_queues; ++i) {
+     'hw/pci-host',
-+            qemu_set_irq(s->irq[i], 0);
+diff --git a/hw/net/can/trace.h b/hw/net/can/trace.h
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/hw/net/can/trace.h
@@ -0,0 +1 @@
 +#include "trace/trace-hw_net_can.h"
 diff --git a/include/hw/net/xlnx-zynqmp-can.h b/include/hw/net/xlnx-zynqmp-can.h
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/include/hw/net/xlnx-zynqmp-can.h
@@ -XXX,XX +XXX,XX @@
 +/*
 + * QEMU model of the Xilinx ZynqMP CAN controller.
 + *
 + * Copyright (c) 2020 Xilinx Inc.
 + *
 + * Written-by: Vikram Garhwal<fnu.vikram@xilinx.com>
 + *
 + * Based on QEMU CAN Device emulation implemented by Jin Yang, Deniz Eren and
 + * Pavel Pisa.
 + *
 + * Permission is hereby granted, free of charge, to any person obtaining a copy
 + * of this software and associated documentation files (the "Software"), to deal
 + * in the Software without restriction, including without limitation the rights
 + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 + * copies of the Software, and to permit persons to whom the Software is
 + * furnished to do so, subject to the following conditions:
 + *
 + * The above copyright notice and this permission notice shall be included in
 + * all copies or substantial portions of the Software.
 + *
 + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
 + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 + * THE SOFTWARE.
 + */
 +
 +#ifndef XLNX_ZYNQMP_CAN_H
 +#define XLNX_ZYNQMP_CAN_H
 +
 +#include "hw/register.h"
 +#include "net/can_emu.h"
 +#include "net/can_host.h"
 +#include "qemu/fifo32.h"
 +#include "hw/ptimer.h"
 +#include "hw/qdev-clock.h"
 +
 +#define TYPE_XLNX_ZYNQMP_CAN "xlnx.zynqmp-can"
 +
 +#define XLNX_ZYNQMP_CAN(obj) \
 +     OBJECT_CHECK(XlnxZynqMPCANState, (obj), TYPE_XLNX_ZYNQMP_CAN)
 +
 +#define MAX_CAN_CTRLS      2
 +#define XLNX_ZYNQMP_CAN_R_MAX     (0x84 / 4)
 +#define MAILBOX_CAPACITY   64
 +#define CAN_TIMER_MAX  0XFFFFUL
 +#define CAN_DEFAULT_CLOCK (24 * 1000 * 1000)
 +
 +/* Each CAN_FRAME will have 4 * 32bit size. */
 +#define CAN_FRAME_SIZE     4
 +#define RXFIFO_SIZE        (MAILBOX_CAPACITY * CAN_FRAME_SIZE)
 +
 +typedef struct XlnxZynqMPCANState {
 +    SysBusDevice        parent_obj;
 +    MemoryRegion        iomem;
 +
 +    qemu_irq            irq;
 +
 +    CanBusClientState   bus_client;
 +    CanBusState         *canbus;
 +
 +    struct {
 +        uint32_t        ext_clk_freq;
 +    } cfg;
 +
 +    RegisterInfo        reg_info[XLNX_ZYNQMP_CAN_R_MAX];
 +    uint32_t            regs[XLNX_ZYNQMP_CAN_R_MAX];
 +
 +    Fifo32              rx_fifo;
 +    Fifo32              tx_fifo;
 +    Fifo32              txhpb_fifo;
 +
 +    ptimer_state        *can_timer;
 +} XlnxZynqMPCANState;
 +
 +#endif
 diff --git a/hw/net/can/xlnx-zynqmp-can.c b/hw/net/can/xlnx-zynqmp-can.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/hw/net/can/xlnx-zynqmp-can.c
@@ -XXX,XX +XXX,XX @@
 +/*
 + * QEMU model of the Xilinx ZynqMP CAN controller.
 + * This implementation is based on the following datasheet:
 + * https://www.xilinx.com/support/documentation/user_guides/ug1085-zynq-ultrascale-trm.pdf
 + *
 + * Copyright (c) 2020 Xilinx Inc.
 + *
 + * Written-by: Vikram Garhwal<fnu.vikram@xilinx.com>
 + *
 + * Based on QEMU CAN Device emulation implemented by Jin Yang, Deniz Eren and
 + * Pavel Pisa
 + *
 + * Permission is hereby granted, free of charge, to any person obtaining a copy
 + * of this software and associated documentation files (the "Software"), to deal
 + * in the Software without restriction, including without limitation the rights
 + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 + * copies of the Software, and to permit persons to whom the Software is
 + * furnished to do so, subject to the following conditions:
 + *
 + * The above copyright notice and this permission notice shall be included in
 + * all copies or substantial portions of the Software.
 + *
 + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
 + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 + * THE SOFTWARE.
 + */
 +
 +#include "qemu/osdep.h"
 +#include "hw/sysbus.h"
 +#include "hw/register.h"
 +#include "hw/irq.h"
 +#include "qapi/error.h"
 +#include "qemu/bitops.h"
 +#include "qemu/log.h"
 +#include "qemu/cutils.h"
 +#include "sysemu/sysemu.h"
 +#include "migration/vmstate.h"
 +#include "hw/qdev-properties.h"
 +#include "net/can_emu.h"
 +#include "net/can_host.h"
 +#include "qemu/event_notifier.h"
 +#include "qom/object_interfaces.h"
 +#include "hw/net/xlnx-zynqmp-can.h"
 +#include "trace.h"
 +
 +#ifndef XLNX_ZYNQMP_CAN_ERR_DEBUG
 +#define XLNX_ZYNQMP_CAN_ERR_DEBUG 0
 +#endif
 +
 +#define MAX_DLC            8
 +#undef ERROR
 +
 +REG32(SOFTWARE_RESET_REGISTER, 0x0)
 +    FIELD(SOFTWARE_RESET_REGISTER, CEN, 1, 1)
 +    FIELD(SOFTWARE_RESET_REGISTER, SRST, 0, 1)
 +REG32(MODE_SELECT_REGISTER, 0x4)
 +    FIELD(MODE_SELECT_REGISTER, SNOOP, 2, 1)
 +    FIELD(MODE_SELECT_REGISTER, LBACK, 1, 1)
 +    FIELD(MODE_SELECT_REGISTER, SLEEP, 0, 1)
 +REG32(ARBITRATION_PHASE_BAUD_RATE_PRESCALER_REGISTER, 0x8)
 +    FIELD(ARBITRATION_PHASE_BAUD_RATE_PRESCALER_REGISTER, BRP, 0, 8)
 +REG32(ARBITRATION_PHASE_BIT_TIMING_REGISTER, 0xc)
 +    FIELD(ARBITRATION_PHASE_BIT_TIMING_REGISTER, SJW, 7, 2)
 +    FIELD(ARBITRATION_PHASE_BIT_TIMING_REGISTER, TS2, 4, 3)
 +    FIELD(ARBITRATION_PHASE_BIT_TIMING_REGISTER, TS1, 0, 4)
 +REG32(ERROR_COUNTER_REGISTER, 0x10)
 +    FIELD(ERROR_COUNTER_REGISTER, REC, 8, 8)
 +    FIELD(ERROR_COUNTER_REGISTER, TEC, 0, 8)
 +REG32(ERROR_STATUS_REGISTER, 0x14)
 +    FIELD(ERROR_STATUS_REGISTER, ACKER, 4, 1)
 +    FIELD(ERROR_STATUS_REGISTER, BERR, 3, 1)
 +    FIELD(ERROR_STATUS_REGISTER, STER, 2, 1)
 +    FIELD(ERROR_STATUS_REGISTER, FMER, 1, 1)
 +    FIELD(ERROR_STATUS_REGISTER, CRCER, 0, 1)
 +REG32(STATUS_REGISTER, 0x18)
 +    FIELD(STATUS_REGISTER, SNOOP, 12, 1)
 +    FIELD(STATUS_REGISTER, ACFBSY, 11, 1)
 +    FIELD(STATUS_REGISTER, TXFLL, 10, 1)
 +    FIELD(STATUS_REGISTER, TXBFLL, 9, 1)
 +    FIELD(STATUS_REGISTER, ESTAT, 7, 2)
 +    FIELD(STATUS_REGISTER, ERRWRN, 6, 1)
 +    FIELD(STATUS_REGISTER, BBSY, 5, 1)
 +    FIELD(STATUS_REGISTER, BIDLE, 4, 1)
 +    FIELD(STATUS_REGISTER, NORMAL, 3, 1)
 +    FIELD(STATUS_REGISTER, SLEEP, 2, 1)
 +    FIELD(STATUS_REGISTER, LBACK, 1, 1)
 +    FIELD(STATUS_REGISTER, CONFIG, 0, 1)
 +REG32(INTERRUPT_STATUS_REGISTER, 0x1c)
 +    FIELD(INTERRUPT_STATUS_REGISTER, TXFEMP, 14, 1)
 +    FIELD(INTERRUPT_STATUS_REGISTER, TXFWMEMP, 13, 1)
 +    FIELD(INTERRUPT_STATUS_REGISTER, RXFWMFLL, 12, 1)
 +    FIELD(INTERRUPT_STATUS_REGISTER, WKUP, 11, 1)
 +    FIELD(INTERRUPT_STATUS_REGISTER, SLP, 10, 1)
 +    FIELD(INTERRUPT_STATUS_REGISTER, BSOFF, 9, 1)
 +    FIELD(INTERRUPT_STATUS_REGISTER, ERROR, 8, 1)
 +    FIELD(INTERRUPT_STATUS_REGISTER, RXNEMP, 7, 1)
 +    FIELD(INTERRUPT_STATUS_REGISTER, RXOFLW, 6, 1)
 +    FIELD(INTERRUPT_STATUS_REGISTER, RXUFLW, 5, 1)
 +    FIELD(INTERRUPT_STATUS_REGISTER, RXOK, 4, 1)
 +    FIELD(INTERRUPT_STATUS_REGISTER, TXBFLL, 3, 1)
 +    FIELD(INTERRUPT_STATUS_REGISTER, TXFLL, 2, 1)
 +    FIELD(INTERRUPT_STATUS_REGISTER, TXOK, 1, 1)
 +    FIELD(INTERRUPT_STATUS_REGISTER, ARBLST, 0, 1)
 +REG32(INTERRUPT_ENABLE_REGISTER, 0x20)
 +    FIELD(INTERRUPT_ENABLE_REGISTER, ETXFEMP, 14, 1)
 +    FIELD(INTERRUPT_ENABLE_REGISTER, ETXFWMEMP, 13, 1)
 +    FIELD(INTERRUPT_ENABLE_REGISTER, ERXFWMFLL, 12, 1)
 +    FIELD(INTERRUPT_ENABLE_REGISTER, EWKUP, 11, 1)
 +    FIELD(INTERRUPT_ENABLE_REGISTER, ESLP, 10, 1)
 +    FIELD(INTERRUPT_ENABLE_REGISTER, EBSOFF, 9, 1)
 +    FIELD(INTERRUPT_ENABLE_REGISTER, EERROR, 8, 1)
 +    FIELD(INTERRUPT_ENABLE_REGISTER, ERXNEMP, 7, 1)
 +    FIELD(INTERRUPT_ENABLE_REGISTER, ERXOFLW, 6, 1)
 +    FIELD(INTERRUPT_ENABLE_REGISTER, ERXUFLW, 5, 1)
 +    FIELD(INTERRUPT_ENABLE_REGISTER, ERXOK, 4, 1)
 +    FIELD(INTERRUPT_ENABLE_REGISTER, ETXBFLL, 3, 1)
 +    FIELD(INTERRUPT_ENABLE_REGISTER, ETXFLL, 2, 1)
 +    FIELD(INTERRUPT_ENABLE_REGISTER, ETXOK, 1, 1)
 +    FIELD(INTERRUPT_ENABLE_REGISTER, EARBLST, 0, 1)
 +REG32(INTERRUPT_CLEAR_REGISTER, 0x24)
 +    FIELD(INTERRUPT_CLEAR_REGISTER, CTXFEMP, 14, 1)
 +    FIELD(INTERRUPT_CLEAR_REGISTER, CTXFWMEMP, 13, 1)
 +    FIELD(INTERRUPT_CLEAR_REGISTER, CRXFWMFLL, 12, 1)
 +    FIELD(INTERRUPT_CLEAR_REGISTER, CWKUP, 11, 1)
 +    FIELD(INTERRUPT_CLEAR_REGISTER, CSLP, 10, 1)
 +    FIELD(INTERRUPT_CLEAR_REGISTER, CBSOFF, 9, 1)
 +    FIELD(INTERRUPT_CLEAR_REGISTER, CERROR, 8, 1)
 +    FIELD(INTERRUPT_CLEAR_REGISTER, CRXNEMP, 7, 1)
 +    FIELD(INTERRUPT_CLEAR_REGISTER, CRXOFLW, 6, 1)
 +    FIELD(INTERRUPT_CLEAR_REGISTER, CRXUFLW, 5, 1)
 +    FIELD(INTERRUPT_CLEAR_REGISTER, CRXOK, 4, 1)
 +    FIELD(INTERRUPT_CLEAR_REGISTER, CTXBFLL, 3, 1)
 +    FIELD(INTERRUPT_CLEAR_REGISTER, CTXFLL, 2, 1)
 +    FIELD(INTERRUPT_CLEAR_REGISTER, CTXOK, 1, 1)
 +    FIELD(INTERRUPT_CLEAR_REGISTER, CARBLST, 0, 1)
 +REG32(TIMESTAMP_REGISTER, 0x28)
 +    FIELD(TIMESTAMP_REGISTER, CTS, 0, 1)
 +REG32(WIR, 0x2c)
 +    FIELD(WIR, EW, 8, 8)
 +    FIELD(WIR, FW, 0, 8)
 +REG32(TXFIFO_ID, 0x30)
 +    FIELD(TXFIFO_ID, IDH, 21, 11)
 +    FIELD(TXFIFO_ID, SRRRTR, 20, 1)
 +    FIELD(TXFIFO_ID, IDE, 19, 1)
 +    FIELD(TXFIFO_ID, IDL, 1, 18)
 +    FIELD(TXFIFO_ID, RTR, 0, 1)
 +REG32(TXFIFO_DLC, 0x34)
 +    FIELD(TXFIFO_DLC, DLC, 28, 4)
 +REG32(TXFIFO_DATA1, 0x38)
 +    FIELD(TXFIFO_DATA1, DB0, 24, 8)
 +    FIELD(TXFIFO_DATA1, DB1, 16, 8)
 +    FIELD(TXFIFO_DATA1, DB2, 8, 8)
 +    FIELD(TXFIFO_DATA1, DB3, 0, 8)
 +REG32(TXFIFO_DATA2, 0x3c)
 +    FIELD(TXFIFO_DATA2, DB4, 24, 8)
 +    FIELD(TXFIFO_DATA2, DB5, 16, 8)
 +    FIELD(TXFIFO_DATA2, DB6, 8, 8)
 +    FIELD(TXFIFO_DATA2, DB7, 0, 8)
 +REG32(TXHPB_ID, 0x40)
 +    FIELD(TXHPB_ID, IDH, 21, 11)
 +    FIELD(TXHPB_ID, SRRRTR, 20, 1)
 +    FIELD(TXHPB_ID, IDE, 19, 1)
 +    FIELD(TXHPB_ID, IDL, 1, 18)
 +    FIELD(TXHPB_ID, RTR, 0, 1)
 +REG32(TXHPB_DLC, 0x44)
 +    FIELD(TXHPB_DLC, DLC, 28, 4)
 +REG32(TXHPB_DATA1, 0x48)
 +    FIELD(TXHPB_DATA1, DB0, 24, 8)
 +    FIELD(TXHPB_DATA1, DB1, 16, 8)
 +    FIELD(TXHPB_DATA1, DB2, 8, 8)
 +    FIELD(TXHPB_DATA1, DB3, 0, 8)
 +REG32(TXHPB_DATA2, 0x4c)
 +    FIELD(TXHPB_DATA2, DB4, 24, 8)
 +    FIELD(TXHPB_DATA2, DB5, 16, 8)
 +    FIELD(TXHPB_DATA2, DB6, 8, 8)
 +    FIELD(TXHPB_DATA2, DB7, 0, 8)
 +REG32(RXFIFO_ID, 0x50)
 +    FIELD(RXFIFO_ID, IDH, 21, 11)
 +    FIELD(RXFIFO_ID, SRRRTR, 20, 1)
 +    FIELD(RXFIFO_ID, IDE, 19, 1)
 +    FIELD(RXFIFO_ID, IDL, 1, 18)
 +    FIELD(RXFIFO_ID, RTR, 0, 1)
 +REG32(RXFIFO_DLC, 0x54)
 +    FIELD(RXFIFO_DLC, DLC, 28, 4)
 +    FIELD(RXFIFO_DLC, RXT, 0, 16)
 +REG32(RXFIFO_DATA1, 0x58)
 +    FIELD(RXFIFO_DATA1, DB0, 24, 8)
 +    FIELD(RXFIFO_DATA1, DB1, 16, 8)
 +    FIELD(RXFIFO_DATA1, DB2, 8, 8)
 +    FIELD(RXFIFO_DATA1, DB3, 0, 8)
 +REG32(RXFIFO_DATA2, 0x5c)
 +    FIELD(RXFIFO_DATA2, DB4, 24, 8)
 +    FIELD(RXFIFO_DATA2, DB5, 16, 8)
 +    FIELD(RXFIFO_DATA2, DB6, 8, 8)
 +    FIELD(RXFIFO_DATA2, DB7, 0, 8)
 +REG32(AFR, 0x60)
 +    FIELD(AFR, UAF4, 3, 1)
 +    FIELD(AFR, UAF3, 2, 1)
 +    FIELD(AFR, UAF2, 1, 1)
 +    FIELD(AFR, UAF1, 0, 1)
 +REG32(AFMR1, 0x64)
 +    FIELD(AFMR1, AMIDH, 21, 11)
 +    FIELD(AFMR1, AMSRR, 20, 1)
 +    FIELD(AFMR1, AMIDE, 19, 1)
 +    FIELD(AFMR1, AMIDL, 1, 18)
 +    FIELD(AFMR1, AMRTR, 0, 1)
 +REG32(AFIR1, 0x68)
 +    FIELD(AFIR1, AIIDH, 21, 11)
 +    FIELD(AFIR1, AISRR, 20, 1)
 +    FIELD(AFIR1, AIIDE, 19, 1)
 +    FIELD(AFIR1, AIIDL, 1, 18)
 +    FIELD(AFIR1, AIRTR, 0, 1)
 +REG32(AFMR2, 0x6c)
 +    FIELD(AFMR2, AMIDH, 21, 11)
 +    FIELD(AFMR2, AMSRR, 20, 1)
 +    FIELD(AFMR2, AMIDE, 19, 1)
 +    FIELD(AFMR2, AMIDL, 1, 18)
 +    FIELD(AFMR2, AMRTR, 0, 1)
 +REG32(AFIR2, 0x70)
 +    FIELD(AFIR2, AIIDH, 21, 11)
 +    FIELD(AFIR2, AISRR, 20, 1)
 +    FIELD(AFIR2, AIIDE, 19, 1)
 +    FIELD(AFIR2, AIIDL, 1, 18)
 +    FIELD(AFIR2, AIRTR, 0, 1)
 +REG32(AFMR3, 0x74)
 +    FIELD(AFMR3, AMIDH, 21, 11)
 +    FIELD(AFMR3, AMSRR, 20, 1)
 +    FIELD(AFMR3, AMIDE, 19, 1)
 +    FIELD(AFMR3, AMIDL, 1, 18)
 +    FIELD(AFMR3, AMRTR, 0, 1)
 +REG32(AFIR3, 0x78)
 +    FIELD(AFIR3, AIIDH, 21, 11)
 +    FIELD(AFIR3, AISRR, 20, 1)
 +    FIELD(AFIR3, AIIDE, 19, 1)
 +    FIELD(AFIR3, AIIDL, 1, 18)
 +    FIELD(AFIR3, AIRTR, 0, 1)
 +REG32(AFMR4, 0x7c)
 +    FIELD(AFMR4, AMIDH, 21, 11)
 +    FIELD(AFMR4, AMSRR, 20, 1)
 +    FIELD(AFMR4, AMIDE, 19, 1)
 +    FIELD(AFMR4, AMIDL, 1, 18)
 +    FIELD(AFMR4, AMRTR, 0, 1)
 +REG32(AFIR4, 0x80)
 +    FIELD(AFIR4, AIIDH, 21, 11)
 +    FIELD(AFIR4, AISRR, 20, 1)
 +    FIELD(AFIR4, AIIDE, 19, 1)
 +    FIELD(AFIR4, AIIDL, 1, 18)
 +    FIELD(AFIR4, AIRTR, 0, 1)
 +
 +static void can_update_irq(XlnxZynqMPCANState *s)
 +{
 +    uint32_t irq;
 +
 +    /* Watermark register interrupts. */
 +    if ((fifo32_num_free(&s->tx_fifo) / CAN_FRAME_SIZE) >
 +            ARRAY_FIELD_EX32(s->regs, WIR, EW)) {
 +        ARRAY_FIELD_DP32(s->regs, INTERRUPT_STATUS_REGISTER, TXFWMEMP, 1);
 +    }
 +
 +    if ((fifo32_num_used(&s->rx_fifo) / CAN_FRAME_SIZE) >
 +            ARRAY_FIELD_EX32(s->regs, WIR, FW)) {
 +        ARRAY_FIELD_DP32(s->regs, INTERRUPT_STATUS_REGISTER, RXFWMFLL, 1);
 +    }
 +
 +    /* RX Interrupts. */
 +    if (fifo32_num_used(&s->rx_fifo) >= CAN_FRAME_SIZE) {
 +        ARRAY_FIELD_DP32(s->regs, INTERRUPT_STATUS_REGISTER, RXNEMP, 1);
 +    }
 +
 +    /* TX interrupts. */
 +    if (fifo32_is_empty(&s->tx_fifo)) {
 +        ARRAY_FIELD_DP32(s->regs, INTERRUPT_STATUS_REGISTER, TXFEMP, 1);
 +    }
 +
 +    if (fifo32_is_full(&s->tx_fifo)) {
 +        ARRAY_FIELD_DP32(s->regs, INTERRUPT_STATUS_REGISTER, TXFLL, 1);
 +    }
 +
 +    if (fifo32_is_full(&s->txhpb_fifo)) {
 +        ARRAY_FIELD_DP32(s->regs, INTERRUPT_STATUS_REGISTER, TXBFLL, 1);
 +    }
 +
 +    irq = s->regs[R_INTERRUPT_STATUS_REGISTER];
 +    irq &= s->regs[R_INTERRUPT_ENABLE_REGISTER];
 +
 +    trace_xlnx_can_update_irq(s->regs[R_INTERRUPT_STATUS_REGISTER],
 +                              s->regs[R_INTERRUPT_ENABLE_REGISTER], irq);
 +    qemu_set_irq(s->irq, irq);
 +}
 +
 +static void can_ier_post_write(RegisterInfo *reg, uint64_t val)
 +{
 +    XlnxZynqMPCANState *s = XLNX_ZYNQMP_CAN(reg->opaque);
 +
 +    can_update_irq(s);
 +}
 +
 +static uint64_t can_icr_pre_write(RegisterInfo *reg, uint64_t val)
 +{
 +    XlnxZynqMPCANState *s = XLNX_ZYNQMP_CAN(reg->opaque);
 +
 +    s->regs[R_INTERRUPT_STATUS_REGISTER] &= ~val;
 +    can_update_irq(s);
 +
 +    return 0;
 +}
 +
 +static void can_config_reset(XlnxZynqMPCANState *s)
 +{
 +    /* Reset all the configuration registers. */
 +    register_reset(&s->reg_info[R_SOFTWARE_RESET_REGISTER]);
 +    register_reset(&s->reg_info[R_MODE_SELECT_REGISTER]);
 +    register_reset(
 +              &s->reg_info[R_ARBITRATION_PHASE_BAUD_RATE_PRESCALER_REGISTER]);
 +    register_reset(&s->reg_info[R_ARBITRATION_PHASE_BIT_TIMING_REGISTER]);
 +    register_reset(&s->reg_info[R_STATUS_REGISTER]);
 +    register_reset(&s->reg_info[R_INTERRUPT_STATUS_REGISTER]);
 +    register_reset(&s->reg_info[R_INTERRUPT_ENABLE_REGISTER]);
 +    register_reset(&s->reg_info[R_INTERRUPT_CLEAR_REGISTER]);
 +    register_reset(&s->reg_info[R_WIR]);
 +}
 +
 +static void can_config_mode(XlnxZynqMPCANState *s)
 +{
 +    register_reset(&s->reg_info[R_ERROR_COUNTER_REGISTER]);
 +    register_reset(&s->reg_info[R_ERROR_STATUS_REGISTER]);
 +
 +    /* Put XlnxZynqMPCAN in configuration mode. */
 +    ARRAY_FIELD_DP32(s->regs, STATUS_REGISTER, CONFIG, 1);
 +    ARRAY_FIELD_DP32(s->regs, INTERRUPT_STATUS_REGISTER, WKUP, 0);
 +    ARRAY_FIELD_DP32(s->regs, INTERRUPT_STATUS_REGISTER, SLP, 0);
 +    ARRAY_FIELD_DP32(s->regs, INTERRUPT_STATUS_REGISTER, BSOFF, 0);
 +    ARRAY_FIELD_DP32(s->regs, INTERRUPT_STATUS_REGISTER, ERROR, 0);
 +    ARRAY_FIELD_DP32(s->regs, INTERRUPT_STATUS_REGISTER, RXOFLW, 0);
 +    ARRAY_FIELD_DP32(s->regs, INTERRUPT_STATUS_REGISTER, RXOK, 0);
 +    ARRAY_FIELD_DP32(s->regs, INTERRUPT_STATUS_REGISTER, TXOK, 0);
 +    ARRAY_FIELD_DP32(s->regs, INTERRUPT_STATUS_REGISTER, ARBLST, 0);
 +
 +    can_update_irq(s);
 +}
 +
 +static void update_status_register_mode_bits(XlnxZynqMPCANState *s)
 +{
 +    bool sleep_status = ARRAY_FIELD_EX32(s->regs, STATUS_REGISTER, SLEEP);
 +    bool sleep_mode = ARRAY_FIELD_EX32(s->regs, MODE_SELECT_REGISTER, SLEEP);
 +    /* Wake up interrupt bit. */
 +    bool wakeup_irq_val = sleep_status && (sleep_mode == 0);
 +    /* Sleep interrupt bit. */
 +    bool sleep_irq_val = sleep_mode && (sleep_status == 0);
 +
 +    /* Clear previous core mode status bits. */
 +    ARRAY_FIELD_DP32(s->regs, STATUS_REGISTER, LBACK, 0);
 +    ARRAY_FIELD_DP32(s->regs, STATUS_REGISTER, SLEEP, 0);
 +    ARRAY_FIELD_DP32(s->regs, STATUS_REGISTER, SNOOP, 0);
 +    ARRAY_FIELD_DP32(s->regs, STATUS_REGISTER, NORMAL, 0);
 +
 +    /* set current mode bit and generate irqs accordingly. */
 +    if (ARRAY_FIELD_EX32(s->regs, MODE_SELECT_REGISTER, LBACK)) {
 +        ARRAY_FIELD_DP32(s->regs, STATUS_REGISTER, LBACK, 1);
 +    } else if (ARRAY_FIELD_EX32(s->regs, MODE_SELECT_REGISTER, SLEEP)) {
 +        ARRAY_FIELD_DP32(s->regs, STATUS_REGISTER, SLEEP, 1);
 +        ARRAY_FIELD_DP32(s->regs, INTERRUPT_STATUS_REGISTER, SLP,
 +                         sleep_irq_val);
 +    } else if (ARRAY_FIELD_EX32(s->regs, MODE_SELECT_REGISTER, SNOOP)) {
 +        ARRAY_FIELD_DP32(s->regs, STATUS_REGISTER, SNOOP, 1);
 +    } else {
 +        /*
 +         * If all bits are zero then XlnxZynqMPCAN is set in normal mode.
 +         */
 +        ARRAY_FIELD_DP32(s->regs, STATUS_REGISTER, NORMAL, 1);
 +        /* Set wakeup interrupt bit. */
 +        ARRAY_FIELD_DP32(s->regs, INTERRUPT_STATUS_REGISTER, WKUP,
 +                         wakeup_irq_val);
 +    }
 +
 +    can_update_irq(s);
 +}
 +
 +static void can_exit_sleep_mode(XlnxZynqMPCANState *s)
 +{
 +    ARRAY_FIELD_DP32(s->regs, MODE_SELECT_REGISTER, SLEEP, 0);
 +    update_status_register_mode_bits(s);
 +}
 +
 +static void generate_frame(qemu_can_frame *frame, uint32_t *data)
 +{
 +    frame->can_id = data[0];
 +    frame->can_dlc = FIELD_EX32(data[1], TXFIFO_DLC, DLC);
 +
 +    frame->data[0] = FIELD_EX32(data[2], TXFIFO_DATA1, DB3);
 +    frame->data[1] = FIELD_EX32(data[2], TXFIFO_DATA1, DB2);
 +    frame->data[2] = FIELD_EX32(data[2], TXFIFO_DATA1, DB1);
 +    frame->data[3] = FIELD_EX32(data[2], TXFIFO_DATA1, DB0);
 +
 +    frame->data[4] = FIELD_EX32(data[3], TXFIFO_DATA2, DB7);
 +    frame->data[5] = FIELD_EX32(data[3], TXFIFO_DATA2, DB6);
 +    frame->data[6] = FIELD_EX32(data[3], TXFIFO_DATA2, DB5);
 +    frame->data[7] = FIELD_EX32(data[3], TXFIFO_DATA2, DB4);
 +}
 +
 +static bool tx_ready_check(XlnxZynqMPCANState *s)
 +{
 +    if (ARRAY_FIELD_EX32(s->regs, SOFTWARE_RESET_REGISTER, SRST)) {
 +        g_autofree char *path = object_get_canonical_path(OBJECT(s));
 +
 +        qemu_log_mask(LOG_GUEST_ERROR, "%s: Attempting to transfer data while"
 +                      " data while controller is in reset mode.\n",
 +                      path);
 +        return false;
 +    }
 +
 +    if (ARRAY_FIELD_EX32(s->regs, SOFTWARE_RESET_REGISTER, CEN) == 0) {
 +        g_autofree char *path = object_get_canonical_path(OBJECT(s));
 +
 +        qemu_log_mask(LOG_GUEST_ERROR, "%s: Attempting to transfer"
 +                      " data while controller is in configuration mode. Reset"
 +                      " the core so operations can start fresh.\n",
 +                      path);
 +        return false;
 +    }
 +
 +    if (ARRAY_FIELD_EX32(s->regs, STATUS_REGISTER, SNOOP)) {
 +        g_autofree char *path = object_get_canonical_path(OBJECT(s));
 +
 +        qemu_log_mask(LOG_GUEST_ERROR, "%s: Attempting to transfer"
 +                      " data while controller is in SNOOP MODE.\n",
 +                      path);
 +        return false;
 +    }
 +
 +    return true;
 +}
 +
 +static void transfer_fifo(XlnxZynqMPCANState *s, Fifo32 *fifo)
 +{
 +    qemu_can_frame frame;
 +    uint32_t data[CAN_FRAME_SIZE];
 +    int i;
 +    bool can_tx = tx_ready_check(s);
 +
 +    if (!can_tx) {
 +        g_autofree char *path = object_get_canonical_path(OBJECT(s));
 +
 +        qemu_log_mask(LOG_GUEST_ERROR, "%s: Controller is not enabled for data"
 +                      " transfer.\n", path);
 +        can_update_irq(s);
 +        return;
 +    }
 +
 +    while (!fifo32_is_empty(fifo)) {
 +        for (i = 0; i < CAN_FRAME_SIZE; i++) {
 +            data[i] = fifo32_pop(fifo);
 +        }
++
++        if (ARRAY_FIELD_EX32(s->regs, STATUS_REGISTER, LBACK)) {
++            /*
++             * Controller is in loopback. In Loopback mode, the CAN core
++             * transmits a recessive bitstream on to the XlnxZynqMPCAN Bus.
++             * Any message transmitted is looped back to the RX line and
++             * acknowledged. The XlnxZynqMPCAN core receives any message
++             * that it transmits.
++             */
++            if (fifo32_is_full(&s->rx_fifo)) {
++                ARRAY_FIELD_DP32(s->regs, INTERRUPT_STATUS_REGISTER, RXOFLW, 1);
++            } else {
++                for (i = 0; i < CAN_FRAME_SIZE; i++) {
++                    fifo32_push(&s->rx_fifo, data[i]);
++                }
++
++                ARRAY_FIELD_DP32(s->regs, INTERRUPT_STATUS_REGISTER, RXOK, 1);
++            }
++        } else {
++            /* Normal mode Tx. */
++            generate_frame(&frame, data);
++
++            trace_xlnx_can_tx_data(frame.can_id, frame.can_dlc,
++                                   frame.data[0], frame.data[1],
++                                   frame.data[2], frame.data[3],
++                                   frame.data[4], frame.data[5],
++                                   frame.data[6], frame.data[7]);
++            can_bus_client_send(&s->bus_client, &frame, 1);
++        }
++    }
++
++    ARRAY_FIELD_DP32(s->regs, INTERRUPT_STATUS_REGISTER, TXOK, 1);
++    ARRAY_FIELD_DP32(s->regs, STATUS_REGISTER, TXBFLL, 0);
++
++    if (ARRAY_FIELD_EX32(s->regs, STATUS_REGISTER, SLEEP)) {
++        can_exit_sleep_mode(s);
++    }
++
++    can_update_irq(s);
++}
++
++static uint64_t can_srr_pre_write(RegisterInfo *reg, uint64_t val)
++{
++    XlnxZynqMPCANState *s = XLNX_ZYNQMP_CAN(reg->opaque);
++
++    ARRAY_FIELD_DP32(s->regs, SOFTWARE_RESET_REGISTER, CEN,
++                     FIELD_EX32(val, SOFTWARE_RESET_REGISTER, CEN));
++
++    if (FIELD_EX32(val, SOFTWARE_RESET_REGISTER, SRST)) {
++        trace_xlnx_can_reset(val);
++
++        /* First, core will do software reset then will enter in config mode. */
++        can_config_reset(s);
++    }
++
++    if (ARRAY_FIELD_EX32(s->regs, SOFTWARE_RESET_REGISTER, CEN) == 0) {
++        can_config_mode(s);
++    } else {
++        /*
++         * Leave config mode. Now XlnxZynqMPCAN core will enter normal,
++         * sleep, snoop or loopback mode depending upon LBACK, SLEEP, SNOOP
++         * register states.
++         */
++        ARRAY_FIELD_DP32(s->regs, STATUS_REGISTER, CONFIG, 0);
++
++        ptimer_transaction_begin(s->can_timer);
++        ptimer_set_count(s->can_timer, 0);
++        ptimer_transaction_commit(s->can_timer);
++
++        /* XlnxZynqMPCAN is out of config mode. It will send pending data. */
++        transfer_fifo(s, &s->txhpb_fifo);
++        transfer_fifo(s, &s->tx_fifo);
++    }
++
++    update_status_register_mode_bits(s);
++
++    return s->regs[R_SOFTWARE_RESET_REGISTER];
++}
++
++static uint64_t can_msr_pre_write(RegisterInfo *reg, uint64_t val)
++{
++    XlnxZynqMPCANState *s = XLNX_ZYNQMP_CAN(reg->opaque);
++    uint8_t multi_mode;
++
++    /*
++     * Multiple mode set check. This is done to make sure user doesn't set
++     * multiple modes.
++     */
++    multi_mode = FIELD_EX32(val, MODE_SELECT_REGISTER, LBACK) +
++                 FIELD_EX32(val, MODE_SELECT_REGISTER, SLEEP) +
++                 FIELD_EX32(val, MODE_SELECT_REGISTER, SNOOP);
++
++    if (multi_mode > 1) {
++        g_autofree char *path = object_get_canonical_path(OBJECT(s));
++
++        qemu_log_mask(LOG_GUEST_ERROR, "%s: Attempting to config"
++                      " several modes simultaneously. One mode will be selected"
++                      " according to their priority: LBACK > SLEEP > SNOOP.\n",
++                      path);
++    }
++
++    if (ARRAY_FIELD_EX32(s->regs, SOFTWARE_RESET_REGISTER, CEN) == 0) {
++        /* We are in configuration mode, any mode can be selected. */
++        s->regs[R_MODE_SELECT_REGISTER] = val;
++    } else {
++        bool sleep_mode_bit = FIELD_EX32(val, MODE_SELECT_REGISTER, SLEEP);
++
++        ARRAY_FIELD_DP32(s->regs, MODE_SELECT_REGISTER, SLEEP, sleep_mode_bit);
++
++        if (FIELD_EX32(val, MODE_SELECT_REGISTER, LBACK)) {
++            g_autofree char *path = object_get_canonical_path(OBJECT(s));
++
++            qemu_log_mask(LOG_GUEST_ERROR, "%s: Attempting to set"
++                          " LBACK mode without setting CEN bit as 0.\n",
++                          path);
++        } else if (FIELD_EX32(val, MODE_SELECT_REGISTER, SNOOP)) {
++            g_autofree char *path = object_get_canonical_path(OBJECT(s));
++
++            qemu_log_mask(LOG_GUEST_ERROR, "%s: Attempting to set"
++                          " SNOOP mode without setting CEN bit as 0.\n",
++                          path);
++        }
++
++        update_status_register_mode_bits(s);
++    }
++
++    return s->regs[R_MODE_SELECT_REGISTER];
++}
++
++static uint64_t can_brpr_pre_write(RegisterInfo  *reg, uint64_t val)
++{
++    XlnxZynqMPCANState *s = XLNX_ZYNQMP_CAN(reg->opaque);
++
++    /* Only allow writes when in config mode. */
++    if (ARRAY_FIELD_EX32(s->regs, SOFTWARE_RESET_REGISTER, CEN)) {
++        return s->regs[R_ARBITRATION_PHASE_BAUD_RATE_PRESCALER_REGISTER];
++    }
++
++    return val;
++}
++
++static uint64_t can_btr_pre_write(RegisterInfo  *reg, uint64_t val)
++{
++    XlnxZynqMPCANState *s = XLNX_ZYNQMP_CAN(reg->opaque);
++
++    /* Only allow writes when in config mode. */
++    if (ARRAY_FIELD_EX32(s->regs, SOFTWARE_RESET_REGISTER, CEN)) {
++        return s->regs[R_ARBITRATION_PHASE_BIT_TIMING_REGISTER];
++    }
++
++    return val;
++}
++
++static uint64_t can_tcr_pre_write(RegisterInfo  *reg, uint64_t val)
++{
++    XlnxZynqMPCANState *s = XLNX_ZYNQMP_CAN(reg->opaque);
++
++    if (FIELD_EX32(val, TIMESTAMP_REGISTER, CTS)) {
++        ptimer_transaction_begin(s->can_timer);
++        ptimer_set_count(s->can_timer, 0);
++        ptimer_transaction_commit(s->can_timer);
++    }
++
++    return 0;
++}
++
++static void update_rx_fifo(XlnxZynqMPCANState *s, const qemu_can_frame *frame)
++{
++    bool filter_pass = false;
++    uint16_t timestamp = 0;
++
++    /* If no filter is enabled. Message will be stored in FIFO. */
++    if (!((ARRAY_FIELD_EX32(s->regs, AFR, UAF1)) |
++       (ARRAY_FIELD_EX32(s->regs, AFR, UAF2)) |
++       (ARRAY_FIELD_EX32(s->regs, AFR, UAF3)) |
++       (ARRAY_FIELD_EX32(s->regs, AFR, UAF4)))) {
++        filter_pass = true;
++    }
++
++    /*
++     * Messages that pass any of the acceptance filters will be stored in
++     * the RX FIFO.
++     */
++    if (ARRAY_FIELD_EX32(s->regs, AFR, UAF1)) {
++        uint32_t id_masked = s->regs[R_AFMR1] & frame->can_id;
++        uint32_t filter_id_masked = s->regs[R_AFMR1] & s->regs[R_AFIR1];
++
++        if (filter_id_masked == id_masked) {
++            filter_pass = true;
++        }
++    }
++
++    if (ARRAY_FIELD_EX32(s->regs, AFR, UAF2)) {
++        uint32_t id_masked = s->regs[R_AFMR2] & frame->can_id;
++        uint32_t filter_id_masked = s->regs[R_AFMR2] & s->regs[R_AFIR2];
++
++        if (filter_id_masked == id_masked) {
++            filter_pass = true;
++        }
++    }
++
++    if (ARRAY_FIELD_EX32(s->regs, AFR, UAF3)) {
++        uint32_t id_masked = s->regs[R_AFMR3] & frame->can_id;
++        uint32_t filter_id_masked = s->regs[R_AFMR3] & s->regs[R_AFIR3];
++
++        if (filter_id_masked == id_masked) {
++            filter_pass = true;
++        }
++    }
++
++    if (ARRAY_FIELD_EX32(s->regs, AFR, UAF4)) {
++        uint32_t id_masked = s->regs[R_AFMR4] & frame->can_id;
++        uint32_t filter_id_masked = s->regs[R_AFMR4] & s->regs[R_AFIR4];
++
++        if (filter_id_masked == id_masked) {
++            filter_pass = true;
++        }
++    }
++
++    if (!filter_pass) {
++        trace_xlnx_can_rx_fifo_filter_reject(frame->can_id, frame->can_dlc);
 +        return;
 +    }
 +
-+    /* If we get here we know s->regs[GEM_ISR] is set, so we don't need to
++    /* Store the message in fifo if it passed through any of the filters. */
-+     * check it again.
++    if (filter_pass && frame->can_dlc <= MAX_DLC) {
 +
 +        if (fifo32_is_full(&s->rx_fifo)) {
 +            ARRAY_FIELD_DP32(s->regs, INTERRUPT_STATUS_REGISTER, RXOFLW, 1);
 +        } else {
 +            timestamp = CAN_TIMER_MAX - ptimer_get_count(s->can_timer);
 +
 +            fifo32_push(&s->rx_fifo, frame->can_id);
 +
 +            fifo32_push(&s->rx_fifo, deposit32(0, R_RXFIFO_DLC_DLC_SHIFT,
 +                                               R_RXFIFO_DLC_DLC_LENGTH,
 +                                               frame->can_dlc) |
 +                                     deposit32(0, R_RXFIFO_DLC_RXT_SHIFT,
 +                                               R_RXFIFO_DLC_RXT_LENGTH,
 +                                               timestamp));
 +
 +            /* First 32 bit of the data. */
 +            fifo32_push(&s->rx_fifo, deposit32(0, R_TXFIFO_DATA1_DB3_SHIFT,
 +                                               R_TXFIFO_DATA1_DB3_LENGTH,
 +                                               frame->data[0]) |
 +                                     deposit32(0, R_TXFIFO_DATA1_DB2_SHIFT,
 +                                               R_TXFIFO_DATA1_DB2_LENGTH,
 +                                               frame->data[1]) |
 +                                     deposit32(0, R_TXFIFO_DATA1_DB1_SHIFT,
 +                                               R_TXFIFO_DATA1_DB1_LENGTH,
 +                                               frame->data[2]) |
 +                                     deposit32(0, R_TXFIFO_DATA1_DB0_SHIFT,
 +                                               R_TXFIFO_DATA1_DB0_LENGTH,
 +                                               frame->data[3]));
 +            /* Last 32 bit of the data. */
 +            fifo32_push(&s->rx_fifo, deposit32(0, R_TXFIFO_DATA2_DB7_SHIFT,
 +                                               R_TXFIFO_DATA2_DB7_LENGTH,
 +                                               frame->data[4]) |
 +                                     deposit32(0, R_TXFIFO_DATA2_DB6_SHIFT,
 +                                               R_TXFIFO_DATA2_DB6_LENGTH,
 +                                               frame->data[5]) |
 +                                     deposit32(0, R_TXFIFO_DATA2_DB5_SHIFT,
 +                                               R_TXFIFO_DATA2_DB5_LENGTH,
 +                                               frame->data[6]) |
 +                                     deposit32(0, R_TXFIFO_DATA2_DB4_SHIFT,
 +                                               R_TXFIFO_DATA2_DB4_LENGTH,
 +                                               frame->data[7]));
 +
 +            ARRAY_FIELD_DP32(s->regs, INTERRUPT_STATUS_REGISTER, RXOK, 1);
 +            trace_xlnx_can_rx_data(frame->can_id, frame->can_dlc,
 +                                   frame->data[0], frame->data[1],
 +                                   frame->data[2], frame->data[3],
 +                                   frame->data[4], frame->data[5],
 +                                   frame->data[6], frame->data[7]);
 +        }
 +
 +        can_update_irq(s);
 +    }
 +}
 +
 +static uint64_t can_rxfifo_pre_read(RegisterInfo *reg, uint64_t val)
 +{
 +    XlnxZynqMPCANState *s = XLNX_ZYNQMP_CAN(reg->opaque);
 +
 +    if (!fifo32_is_empty(&s->rx_fifo)) {
 +        val = fifo32_pop(&s->rx_fifo);
 +    } else {
 +        ARRAY_FIELD_DP32(s->regs, INTERRUPT_STATUS_REGISTER, RXUFLW, 1);
 +    }
 +
 +    can_update_irq(s);
 +    return val;
 +}
 +
 +static void can_filter_enable_post_write(RegisterInfo *reg, uint64_t val)
 +{
 +    XlnxZynqMPCANState *s = XLNX_ZYNQMP_CAN(reg->opaque);
 +
 +    if (ARRAY_FIELD_EX32(s->regs, AFR, UAF1) &&
 +        ARRAY_FIELD_EX32(s->regs, AFR, UAF2) &&
 +        ARRAY_FIELD_EX32(s->regs, AFR, UAF3) &&
 +        ARRAY_FIELD_EX32(s->regs, AFR, UAF4)) {
 +        ARRAY_FIELD_DP32(s->regs, STATUS_REGISTER, ACFBSY, 1);
 +    } else {
 +        ARRAY_FIELD_DP32(s->regs, STATUS_REGISTER, ACFBSY, 0);
 +    }
 +}
 +
 +static uint64_t can_filter_mask_pre_write(RegisterInfo *reg, uint64_t val)
 +{
 +    XlnxZynqMPCANState *s = XLNX_ZYNQMP_CAN(reg->opaque);
 +    uint32_t reg_idx = (reg->access->addr) / 4;
 +    uint32_t filter_number = (reg_idx - R_AFMR1) / 2;
 +
 +    /* modify an acceptance filter, the corresponding UAF bit should be '0'. */
 +    if (!(s->regs[R_AFR] & (1 << filter_number))) {
 +        s->regs[reg_idx] = val;
 +
 +        trace_xlnx_can_filter_mask_pre_write(filter_number, s->regs[reg_idx]);
 +    } else {
 +        g_autofree char *path = object_get_canonical_path(OBJECT(s));
 +
 +        qemu_log_mask(LOG_GUEST_ERROR, "%s: Acceptance filter %d"
 +                      " mask is not set as corresponding UAF bit is not 0.\n",
 +                      path, filter_number + 1);
 +    }
 +
 +    return s->regs[reg_idx];
 +}
 +
 +static uint64_t can_filter_id_pre_write(RegisterInfo *reg, uint64_t val)
 +{
 +    XlnxZynqMPCANState *s = XLNX_ZYNQMP_CAN(reg->opaque);
 +    uint32_t reg_idx = (reg->access->addr) / 4;
 +    uint32_t filter_number = (reg_idx - R_AFIR1) / 2;
 +
 +    if (!(s->regs[R_AFR] & (1 << filter_number))) {
 +        s->regs[reg_idx] = val;
 +
 +        trace_xlnx_can_filter_id_pre_write(filter_number, s->regs[reg_idx]);
 +    } else {
 +        g_autofree char *path = object_get_canonical_path(OBJECT(s));
 +
 +        qemu_log_mask(LOG_GUEST_ERROR, "%s: Acceptance filter %d"
 +                      " id is not set as corresponding UAF bit is not 0.\n",
 +                      path, filter_number + 1);
 +    }
 +
 +    return s->regs[reg_idx];
 +}
 +
 +static void can_tx_post_write(RegisterInfo *reg, uint64_t val)
 +{
 +    XlnxZynqMPCANState *s = XLNX_ZYNQMP_CAN(reg->opaque);
 +
 +    bool is_txhpb = reg->access->addr > A_TXFIFO_DATA2;
 +
 +    bool initiate_transfer = (reg->access->addr == A_TXFIFO_DATA2) ||
 +                             (reg->access->addr == A_TXHPB_DATA2);
 +
 +    Fifo32 *f = is_txhpb ? &s->txhpb_fifo : &s->tx_fifo;
 +
 +    if (!fifo32_is_full(f)) {
 +        fifo32_push(f, val);
 +    } else {
 +        g_autofree char *path = object_get_canonical_path(OBJECT(s));
 +
 +        qemu_log_mask(LOG_GUEST_ERROR, "%s: TX FIFO is full.\n", path);
 +    }
 +
 +    /* Initiate the message send if TX register is written. */
 +    if (initiate_transfer &&
 +        ARRAY_FIELD_EX32(s->regs, SOFTWARE_RESET_REGISTER, CEN)) {
 +        transfer_fifo(s, f);
 +    }
 +
 +    can_update_irq(s);
 +}
 +
 +static const RegisterAccessInfo can_regs_info[] = {
 +    {   .name = "SOFTWARE_RESET_REGISTER",
 +        .addr = A_SOFTWARE_RESET_REGISTER,
 +        .rsvd = 0xfffffffc,
 +        .pre_write = can_srr_pre_write,
 +    },{ .name = "MODE_SELECT_REGISTER",
 +        .addr = A_MODE_SELECT_REGISTER,
 +        .rsvd = 0xfffffff8,
 +        .pre_write = can_msr_pre_write,
 +    },{ .name = "ARBITRATION_PHASE_BAUD_RATE_PRESCALER_REGISTER",
 +        .addr = A_ARBITRATION_PHASE_BAUD_RATE_PRESCALER_REGISTER,
 +        .rsvd = 0xffffff00,
 +        .pre_write = can_brpr_pre_write,
 +    },{ .name = "ARBITRATION_PHASE_BIT_TIMING_REGISTER",
 +        .addr = A_ARBITRATION_PHASE_BIT_TIMING_REGISTER,
 +        .rsvd = 0xfffffe00,
 +        .pre_write = can_btr_pre_write,
 +    },{ .name = "ERROR_COUNTER_REGISTER",
 +        .addr = A_ERROR_COUNTER_REGISTER,
 +        .rsvd = 0xffff0000,
 +        .ro = 0xffffffff,
 +    },{ .name = "ERROR_STATUS_REGISTER",
 +        .addr = A_ERROR_STATUS_REGISTER,
 +        .rsvd = 0xffffffe0,
 +        .w1c = 0x1f,
 +    },{ .name = "STATUS_REGISTER",  .addr = A_STATUS_REGISTER,
 +        .reset = 0x1,
 +        .rsvd = 0xffffe000,
 +        .ro = 0x1fff,
 +    },{ .name = "INTERRUPT_STATUS_REGISTER",
 +        .addr = A_INTERRUPT_STATUS_REGISTER,
 +        .reset = 0x6000,
 +        .rsvd = 0xffff8000,
 +        .ro = 0x7fff,
 +    },{ .name = "INTERRUPT_ENABLE_REGISTER",
 +        .addr = A_INTERRUPT_ENABLE_REGISTER,
 +        .rsvd = 0xffff8000,
 +        .post_write = can_ier_post_write,
 +    },{ .name = "INTERRUPT_CLEAR_REGISTER",
 +        .addr = A_INTERRUPT_CLEAR_REGISTER,
 +        .rsvd = 0xffff8000,
 +        .pre_write = can_icr_pre_write,
 +    },{ .name = "TIMESTAMP_REGISTER",
 +        .addr = A_TIMESTAMP_REGISTER,
 +        .rsvd = 0xfffffffe,
 +        .pre_write = can_tcr_pre_write,
 +    },{ .name = "WIR",  .addr = A_WIR,
 +        .reset = 0x3f3f,
 +        .rsvd = 0xffff0000,
 +    },{ .name = "TXFIFO_ID",  .addr = A_TXFIFO_ID,
 +        .post_write = can_tx_post_write,
 +    },{ .name = "TXFIFO_DLC",  .addr = A_TXFIFO_DLC,
 +        .rsvd = 0xfffffff,
 +        .post_write = can_tx_post_write,
 +    },{ .name = "TXFIFO_DATA1",  .addr = A_TXFIFO_DATA1,
 +        .post_write = can_tx_post_write,
 +    },{ .name = "TXFIFO_DATA2",  .addr = A_TXFIFO_DATA2,
 +        .post_write = can_tx_post_write,
 +    },{ .name = "TXHPB_ID",  .addr = A_TXHPB_ID,
 +        .post_write = can_tx_post_write,
 +    },{ .name = "TXHPB_DLC",  .addr = A_TXHPB_DLC,
 +        .rsvd = 0xfffffff,
 +        .post_write = can_tx_post_write,
 +    },{ .name = "TXHPB_DATA1",  .addr = A_TXHPB_DATA1,
 +        .post_write = can_tx_post_write,
 +    },{ .name = "TXHPB_DATA2",  .addr = A_TXHPB_DATA2,
 +        .post_write = can_tx_post_write,
 +    },{ .name = "RXFIFO_ID",  .addr = A_RXFIFO_ID,
 +        .ro = 0xffffffff,
 +        .post_read = can_rxfifo_pre_read,
 +    },{ .name = "RXFIFO_DLC",  .addr = A_RXFIFO_DLC,
 +        .rsvd = 0xfff0000,
 +        .post_read = can_rxfifo_pre_read,
 +    },{ .name = "RXFIFO_DATA1",  .addr = A_RXFIFO_DATA1,
 +        .post_read = can_rxfifo_pre_read,
 +    },{ .name = "RXFIFO_DATA2",  .addr = A_RXFIFO_DATA2,
 +        .post_read = can_rxfifo_pre_read,
 +    },{ .name = "AFR",  .addr = A_AFR,
 +        .rsvd = 0xfffffff0,
 +        .post_write = can_filter_enable_post_write,
 +    },{ .name = "AFMR1",  .addr = A_AFMR1,
 +        .pre_write = can_filter_mask_pre_write,
 +    },{ .name = "AFIR1",  .addr = A_AFIR1,
 +        .pre_write = can_filter_id_pre_write,
 +    },{ .name = "AFMR2",  .addr = A_AFMR2,
 +        .pre_write = can_filter_mask_pre_write,
 +    },{ .name = "AFIR2",  .addr = A_AFIR2,
 +        .pre_write = can_filter_id_pre_write,
 +    },{ .name = "AFMR3",  .addr = A_AFMR3,
 +        .pre_write = can_filter_mask_pre_write,
 +    },{ .name = "AFIR3",  .addr = A_AFIR3,
 +        .pre_write = can_filter_id_pre_write,
 +    },{ .name = "AFMR4",  .addr = A_AFMR4,
 +        .pre_write = can_filter_mask_pre_write,
 +    },{ .name = "AFIR4",  .addr = A_AFIR4,
 +        .pre_write = can_filter_id_pre_write,
 +    }
 +};
 +
 +static void xlnx_zynqmp_can_ptimer_cb(void *opaque)
 +{
 +    /* No action required on the timer rollover. */
 +}
 +
 +static const MemoryRegionOps can_ops = {
 +    .read = register_read_memory,
 +    .write = register_write_memory,
 +    .endianness = DEVICE_LITTLE_ENDIAN,
 +    .valid = {
 +        .min_access_size = 4,
 +        .max_access_size = 4,
 +    },
 +};
 +
 +static void xlnx_zynqmp_can_reset_init(Object *obj, ResetType type)
 +{
 +    XlnxZynqMPCANState *s = XLNX_ZYNQMP_CAN(obj);
 +    unsigned int i;
 +
 +    for (i = R_RXFIFO_ID; i < ARRAY_SIZE(s->reg_info); ++i) {
 +        register_reset(&s->reg_info[i]);
 +    }
 +
 +    ptimer_transaction_begin(s->can_timer);
 +    ptimer_set_count(s->can_timer, 0);
 +    ptimer_transaction_commit(s->can_timer);
 +}
 +
 +static void xlnx_zynqmp_can_reset_hold(Object *obj)
 +{
 +    XlnxZynqMPCANState *s = XLNX_ZYNQMP_CAN(obj);
 +    unsigned int i;
 +
 +    for (i = 0; i < R_RXFIFO_ID; ++i) {
 +        register_reset(&s->reg_info[i]);
 +    }
 +
 +    /*
 +     * Reset FIFOs when CAN model is reset. This will clear the fifo writes
 +     * done by post_write which gets called from register_reset function,
 +     * post_write handle will not be able to trigger tx because CAN will be
 +     * disabled when software_reset_register is cleared first.
 +     */
-+    if (s->num_priority_queues == 1) {
++    fifo32_reset(&s->rx_fifo);
-         /* No priority queues, just trigger the interrupt */
++    fifo32_reset(&s->tx_fifo);
-         DB_PRINT("asserting int.\n");
++    fifo32_reset(&s->txhpb_fifo);
-         qemu_set_irq(s->irq[0], 1);
++}
-@@ -XXX,XX +XXX,XX @@ static uint64_t gem_read(void *opaque, hwaddr offset, unsigned size)
++
- {
++static bool xlnx_zynqmp_can_can_receive(CanBusClientState *client)
-     CadenceGEMState *s;
++{
-     uint32_t retval;
++    XlnxZynqMPCANState *s = container_of(client, XlnxZynqMPCANState,
--    int i;
++                                         bus_client);
-     s = (CadenceGEMState *)opaque;
++
++    if (ARRAY_FIELD_EX32(s->regs, SOFTWARE_RESET_REGISTER, SRST)) {
-     offset >>= 2;
++        g_autofree char *path = object_get_canonical_path(OBJECT(s));
-@@ -XXX,XX +XXX,XX @@ static uint64_t gem_read(void *opaque, hwaddr offset, unsigned size)
++
-     switch (offset) {
++        qemu_log_mask(LOG_GUEST_ERROR, "%s: Controller is in reset state.\n",
-     case GEM_ISR:
++                      path);
-         DB_PRINT("lowering irqs on ISR read\n");
++        return false;
--        for (i = 0; i < s->num_priority_queues; ++i) {
++    }
--            qemu_set_irq(s->irq[i], 0);
++
--        }
++    if ((ARRAY_FIELD_EX32(s->regs, SOFTWARE_RESET_REGISTER, CEN)) == 0) {
-+        /* The interrupts get updated at the end of the function. */
++        g_autofree char *path = object_get_canonical_path(OBJECT(s));
-         break;
++
-     case GEM_PHYMNTNC:
++        qemu_log_mask(LOG_GUEST_ERROR, "%s: Controller is disabled. Incoming"
-         if (retval & GEM_PHYMNTNC_OP_R) {
++                      " messages will be discarded.\n", path);
 +        return false;
 +    }
 +
 +    return true;
 +}
 +
 +static ssize_t xlnx_zynqmp_can_receive(CanBusClientState *client,
 +                               const qemu_can_frame *buf, size_t buf_size) {
 +    XlnxZynqMPCANState *s = container_of(client, XlnxZynqMPCANState,
 +                                         bus_client);
 +    const qemu_can_frame *frame = buf;
 +
 +    if (buf_size <= 0) {
 +        g_autofree char *path = object_get_canonical_path(OBJECT(s));
 +
 +        qemu_log_mask(LOG_GUEST_ERROR, "%s: Error in the data received.\n",
 +                      path);
 +        return 0;
 +    }
 +
 +    if (ARRAY_FIELD_EX32(s->regs, STATUS_REGISTER, SNOOP)) {
 +        /* Snoop Mode: Just keep the data. no response back. */
 +        update_rx_fifo(s, frame);
 +    } else if ((ARRAY_FIELD_EX32(s->regs, STATUS_REGISTER, SLEEP))) {
 +        /*
 +         * XlnxZynqMPCAN is in sleep mode. Any data on bus will bring it to wake
 +         * up state.
 +         */
 +        can_exit_sleep_mode(s);
 +        update_rx_fifo(s, frame);
 +    } else if ((ARRAY_FIELD_EX32(s->regs, STATUS_REGISTER, SLEEP)) == 0) {
 +        update_rx_fifo(s, frame);
 +    } else {
 +        /*
 +         * XlnxZynqMPCAN will not participate in normal bus communication
 +         * and will not receive any messages transmitted by other CAN nodes.
 +         */
 +        trace_xlnx_can_rx_discard(s->regs[R_STATUS_REGISTER]);
 +    }
 +
 +    return 1;
 +}
 +
 +static CanBusClientInfo can_xilinx_bus_client_info = {
 +    .can_receive = xlnx_zynqmp_can_can_receive,
 +    .receive = xlnx_zynqmp_can_receive,
 +};
 +
 +static int xlnx_zynqmp_can_connect_to_bus(XlnxZynqMPCANState *s,
 +                                          CanBusState *bus)
 +{
 +    s->bus_client.info = &can_xilinx_bus_client_info;
 +
 +    if (can_bus_insert_client(bus, &s->bus_client) < 0) {
 +        return -1;
 +    }
 +    return 0;
 +}
 +
 +static void xlnx_zynqmp_can_realize(DeviceState *dev, Error **errp)
 +{
 +    XlnxZynqMPCANState *s = XLNX_ZYNQMP_CAN(dev);
 +
 +    if (s->canbus) {
 +        if (xlnx_zynqmp_can_connect_to_bus(s, s->canbus) < 0) {
 +            g_autofree char *path = object_get_canonical_path(OBJECT(s));
 +
 +            error_setg(errp, "%s: xlnx_zynqmp_can_connect_to_bus"
 +                       " failed.", path);
 +            return;
 +        }
 +    }
 +
 +    /* Create RX FIFO, TXFIFO, TXHPB storage. */
 +    fifo32_create(&s->rx_fifo, RXFIFO_SIZE);
 +    fifo32_create(&s->tx_fifo, RXFIFO_SIZE);
 +    fifo32_create(&s->txhpb_fifo, CAN_FRAME_SIZE);
 +
 +    /* Allocate a new timer. */
 +    s->can_timer = ptimer_init(xlnx_zynqmp_can_ptimer_cb, s,
 +                               PTIMER_POLICY_DEFAULT);
 +
 +    ptimer_transaction_begin(s->can_timer);
 +
 +    ptimer_set_freq(s->can_timer, s->cfg.ext_clk_freq);
 +    ptimer_set_limit(s->can_timer, CAN_TIMER_MAX, 1);
 +    ptimer_run(s->can_timer, 0);
 +    ptimer_transaction_commit(s->can_timer);
 +}
 +
 +static void xlnx_zynqmp_can_init(Object *obj)
 +{
 +    XlnxZynqMPCANState *s = XLNX_ZYNQMP_CAN(obj);
 +    SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
 +
 +    RegisterInfoArray *reg_array;
 +
 +    memory_region_init(&s->iomem, obj, TYPE_XLNX_ZYNQMP_CAN,
 +                        XLNX_ZYNQMP_CAN_R_MAX * 4);
 +    reg_array = register_init_block32(DEVICE(obj), can_regs_info,
 +                               ARRAY_SIZE(can_regs_info),
 +                               s->reg_info, s->regs,
 +                               &can_ops,
 +                               XLNX_ZYNQMP_CAN_ERR_DEBUG,
 +                               XLNX_ZYNQMP_CAN_R_MAX * 4);
 +
 +    memory_region_add_subregion(&s->iomem, 0x00, &reg_array->mem);
 +    sysbus_init_mmio(sbd, &s->iomem);
 +    sysbus_init_irq(SYS_BUS_DEVICE(obj), &s->irq);
 +}
 +
 +static const VMStateDescription vmstate_can = {
 +    .name = TYPE_XLNX_ZYNQMP_CAN,
 +    .version_id = 1,
 +    .minimum_version_id = 1,
 +    .fields = (VMStateField[]) {
 +        VMSTATE_FIFO32(rx_fifo, XlnxZynqMPCANState),
 +        VMSTATE_FIFO32(tx_fifo, XlnxZynqMPCANState),
 +        VMSTATE_FIFO32(txhpb_fifo, XlnxZynqMPCANState),
 +        VMSTATE_UINT32_ARRAY(regs, XlnxZynqMPCANState, XLNX_ZYNQMP_CAN_R_MAX),
 +        VMSTATE_PTIMER(can_timer, XlnxZynqMPCANState),
 +        VMSTATE_END_OF_LIST(),
 +    }
 +};
 +
 +static Property xlnx_zynqmp_can_properties[] = {
 +    DEFINE_PROP_UINT32("ext_clk_freq", XlnxZynqMPCANState, cfg.ext_clk_freq,
 +                       CAN_DEFAULT_CLOCK),
 +    DEFINE_PROP_LINK("canbus", XlnxZynqMPCANState, canbus, TYPE_CAN_BUS,
 +                     CanBusState *),
 +    DEFINE_PROP_END_OF_LIST(),
 +};
 +
 +static void xlnx_zynqmp_can_class_init(ObjectClass *klass, void *data)
 +{
 +    DeviceClass *dc = DEVICE_CLASS(klass);
 +    ResettableClass *rc = RESETTABLE_CLASS(klass);
 +
 +    rc->phases.enter = xlnx_zynqmp_can_reset_init;
 +    rc->phases.hold = xlnx_zynqmp_can_reset_hold;
 +    dc->realize = xlnx_zynqmp_can_realize;
 +    device_class_set_props(dc, xlnx_zynqmp_can_properties);
 +    dc->vmsd = &vmstate_can;
 +}
 +
 +static const TypeInfo can_info = {
 +    .name          = TYPE_XLNX_ZYNQMP_CAN,
 +    .parent        = TYPE_SYS_BUS_DEVICE,
 +    .instance_size = sizeof(XlnxZynqMPCANState),
 +    .class_init    = xlnx_zynqmp_can_class_init,
 +    .instance_init = xlnx_zynqmp_can_init,
 +};
 +
 +static void can_register_types(void)
 +{
 +    type_register_static(&can_info);
 +}
 +
 +type_init(can_register_types)
 diff --git a/hw/Kconfig b/hw/Kconfig
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/Kconfig
 +++ b/hw/Kconfig
@@ -XXX,XX +XXX,XX @@ config XILINX_AXI
  config XLNX_ZYNQMP
      bool
      select REGISTER
 +    select CAN_BUS
 diff --git a/hw/net/can/meson.build b/hw/net/can/meson.build
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/net/can/meson.build
 +++ b/hw/net/can/meson.build
@@ -XXX,XX +XXX,XX @@ softmmu_ss.add(when: 'CONFIG_CAN_PCI', if_true: files('can_pcm3680_pci.c'))
  softmmu_ss.add(when: 'CONFIG_CAN_PCI', if_true: files('can_mioe3680_pci.c'))
  softmmu_ss.add(when: 'CONFIG_CAN_CTUCANFD', if_true: files('ctucan_core.c'))
  softmmu_ss.add(when: 'CONFIG_CAN_CTUCANFD_PCI', if_true: files('ctucan_pci.c'))
 +softmmu_ss.add(when: 'CONFIG_XLNX_ZYNQMP', if_true: files('xlnx-zynqmp-can.c'))
 diff --git a/hw/net/can/trace-events b/hw/net/can/trace-events
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/hw/net/can/trace-events
@@ -XXX,XX +XXX,XX @@
 +# xlnx-zynqmp-can.c
 +xlnx_can_update_irq(uint32_t isr, uint32_t ier, uint32_t irq) "ISR: 0x%08x IER: 0x%08x IRQ: 0x%08x"
 +xlnx_can_reset(uint32_t val) "Resetting controller with value = 0x%08x"
 +xlnx_can_rx_fifo_filter_reject(uint32_t id, uint8_t dlc) "Frame: ID: 0x%08x DLC: 0x%02x"
 +xlnx_can_filter_id_pre_write(uint8_t filter_num, uint32_t value) "Filter%d ID: 0x%08x"
 +xlnx_can_filter_mask_pre_write(uint8_t filter_num, uint32_t value) "Filter%d MASK: 0x%08x"
 +xlnx_can_tx_data(uint32_t id, uint8_t dlc, uint8_t db0, uint8_t db1, uint8_t db2, uint8_t db3, uint8_t db4, uint8_t db5, uint8_t db6, uint8_t db7) "Frame: ID: 0x%08x DLC: 0x%02x DATA: 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x"
 +xlnx_can_rx_data(uint32_t id, uint32_t dlc, uint8_t db0, uint8_t db1, uint8_t db2, uint8_t db3, uint8_t db4, uint8_t db5, uint8_t db6, uint8_t db7) "Frame: ID: 0x%08x DLC: 0x%02x DATA: 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x"
 +xlnx_can_rx_discard(uint32_t status) "Controller is not enabled for bus communication. Status Register: 0x%08x"
 --
-.7.4
+.20.1

-[Qemu-devel] [PULL 15/24] xlnx-zynqmp: Set the Cadence GEM revision
+[PULL 03/36] xlnx-zynqmp: Connect Xilinx ZynqMP CAN controllers
-From: Alistair Francis <alistair.francis@xilinx.com>
+From: Vikram Garhwal <fnu.vikram@xilinx.com>
-Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
+Connect CAN0 and CAN1 on the ZynqMP.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 026dbe01a1d42619eee30ce3f2079741bf04bc73.1491947224.git.alistair.francis@xilinx.com
+Reviewed-by: Francisco Iglesias <francisco.iglesias@xilinx.com>
 Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
 Signed-off-by: Vikram Garhwal <fnu.vikram@xilinx.com>
 Message-id: 1605728926-352690-3-git-send-email-fnu.vikram@xilinx.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/xlnx-zynqmp.c | 6 +++++-
+ include/hw/arm/xlnx-zynqmp.h |  8 ++++++++
-file changed, 5 insertions(+), 1 deletion(-)
+ hw/arm/xlnx-zcu102.c         | 20 ++++++++++++++++++++
  hw/arm/xlnx-zynqmp.c         | 34 ++++++++++++++++++++++++++++++++++
 files changed, 62 insertions(+)
+diff --git a/include/hw/arm/xlnx-zynqmp.h b/include/hw/arm/xlnx-zynqmp.h
+index XXXXXXX..XXXXXXX 100644
+--- a/include/hw/arm/xlnx-zynqmp.h
++++ b/include/hw/arm/xlnx-zynqmp.h
+@@ -XXX,XX +XXX,XX @@
+ #include "hw/intc/arm_gic.h"
+ #include "hw/net/cadence_gem.h"
+ #include "hw/char/cadence_uart.h"
++#include "hw/net/xlnx-zynqmp-can.h"
+ #include "hw/ide/ahci.h"
+ #include "hw/sd/sdhci.h"
+ #include "hw/ssi/xilinx_spips.h"
+@@ -XXX,XX +XXX,XX @@
+ #include "hw/cpu/cluster.h"
+ #include "target/arm/cpu.h"
+ #include "qom/object.h"
++#include "net/can_emu.h"
+ #define TYPE_XLNX_ZYNQMP "xlnx,zynqmp"
+ OBJECT_DECLARE_SIMPLE_TYPE(XlnxZynqMPState, XLNX_ZYNQMP)
+@@ -XXX,XX +XXX,XX @@ OBJECT_DECLARE_SIMPLE_TYPE(XlnxZynqMPState, XLNX_ZYNQMP)
+ #define XLNX_ZYNQMP_NUM_RPU_CPUS 2
+ #define XLNX_ZYNQMP_NUM_GEMS 4
+ #define XLNX_ZYNQMP_NUM_UARTS 2
++#define XLNX_ZYNQMP_NUM_CAN 2
++#define XLNX_ZYNQMP_CAN_REF_CLK (24 * 1000 * 1000)
+ #define XLNX_ZYNQMP_NUM_SDHCI 2
+ #define XLNX_ZYNQMP_NUM_SPIS 2
+ #define XLNX_ZYNQMP_NUM_GDMA_CH 8
+@@ -XXX,XX +XXX,XX @@ struct XlnxZynqMPState {
+     CadenceGEMState gem[XLNX_ZYNQMP_NUM_GEMS];
+     CadenceUARTState uart[XLNX_ZYNQMP_NUM_UARTS];
++    XlnxZynqMPCANState can[XLNX_ZYNQMP_NUM_CAN];
+     SysbusAHCIState sata;
+     SDHCIState sdhci[XLNX_ZYNQMP_NUM_SDHCI];
+     XilinxSPIPS spi[XLNX_ZYNQMP_NUM_SPIS];
+@@ -XXX,XX +XXX,XX @@ struct XlnxZynqMPState {
+     bool virt;
+     /* Has the RPU subsystem?  */
+     bool has_rpu;
++
++    /* CAN bus. */
++    CanBusState *canbus[XLNX_ZYNQMP_NUM_CAN];
+ };
+ #endif
+diff --git a/hw/arm/xlnx-zcu102.c b/hw/arm/xlnx-zcu102.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/xlnx-zcu102.c
++++ b/hw/arm/xlnx-zcu102.c
+@@ -XXX,XX +XXX,XX @@
+ #include "sysemu/qtest.h"
+ #include "sysemu/device_tree.h"
+ #include "qom/object.h"
++#include "net/can_emu.h"
+ struct XlnxZCU102 {
+     MachineState parent_obj;
+@@ -XXX,XX +XXX,XX @@ struct XlnxZCU102 {
+     bool secure;
+     bool virt;
++    CanBusState *canbus[XLNX_ZYNQMP_NUM_CAN];
++
+     struct arm_boot_info binfo;
+ };
+@@ -XXX,XX +XXX,XX @@ static void xlnx_zcu102_init(MachineState *machine)
+     object_property_set_bool(OBJECT(&s->soc), "virtualization", s->virt,
+                              &error_fatal);
++    for (i = 0; i < XLNX_ZYNQMP_NUM_CAN; i++) {
++        gchar *bus_name = g_strdup_printf("canbus%d", i);
++
++        object_property_set_link(OBJECT(&s->soc), bus_name,
++                                 OBJECT(s->canbus[i]), &error_fatal);
++        g_free(bus_name);
++    }
++
+     qdev_realize(DEVICE(&s->soc), NULL, &error_fatal);
+     /* Create and plug in the SD cards */
+@@ -XXX,XX +XXX,XX @@ static void xlnx_zcu102_machine_instance_init(Object *obj)
+     s->secure = false;
+     /* Default to virt (EL2) being disabled */
+     s->virt = false;
++    object_property_add_link(obj, "xlnx-zcu102.canbus0", TYPE_CAN_BUS,
++                             (Object **)&s->canbus[0],
++                             object_property_allow_set_link,
++                             0);
++
++    object_property_add_link(obj, "xlnx-zcu102.canbus1", TYPE_CAN_BUS,
++                             (Object **)&s->canbus[1],
++                             object_property_allow_set_link,
++                             0);
+ }
+ static void xlnx_zcu102_machine_class_init(ObjectClass *oc, void *data)
 diff --git a/hw/arm/xlnx-zynqmp.c b/hw/arm/xlnx-zynqmp.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/xlnx-zynqmp.c
 +++ b/hw/arm/xlnx-zynqmp.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ static const int uart_intr[XLNX_ZYNQMP_NUM_UARTS] = {
- #define ARM_PHYS_TIMER_PPI  30
+, 22,
- #define ARM_VIRT_TIMER_PPI  27
+ };
-+#define GEM_REVISION        0x40070106
++static const uint64_t can_addr[XLNX_ZYNQMP_NUM_CAN] = {
 +    0xFF060000, 0xFF070000,
 +};
 +
- #define GIC_BASE_ADDR       0xf9000000
++static const int can_intr[XLNX_ZYNQMP_NUM_CAN] = {
- #define GIC_DIST_ADDR       0xf9010000
++    23, 24,
- #define GIC_CPU_ADDR        0xf9020000
++};
 +
  static const uint64_t sdhci_addr[XLNX_ZYNQMP_NUM_SDHCI] = {
 xFF160000, 0xFF170000,
  };
@@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_init(Object *obj)
                                  TYPE_CADENCE_UART);
      }
 +    for (i = 0; i < XLNX_ZYNQMP_NUM_CAN; i++) {
 +        object_initialize_child(obj, "can[*]", &s->can[i],
 +                                TYPE_XLNX_ZYNQMP_CAN);
 +    }
 +
      object_initialize_child(obj, "sata", &s->sata, TYPE_SYSBUS_AHCI);
      for (i = 0; i < XLNX_ZYNQMP_NUM_SDHCI; i++) {
 @@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_realize(DeviceState *dev, Error **errp)
-             qemu_check_nic_model(nd, TYPE_CADENCE_GEM);
+                            gic_spi[uart_intr[i]]);
-             qdev_set_nic_properties(DEVICE(&s->gem[i]), nd);
+     }
-         }
-+        object_property_set_int(OBJECT(&s->gem[i]), GEM_REVISION, "revision",
++    for (i = 0; i < XLNX_ZYNQMP_NUM_CAN; i++) {
-+                                &error_abort);
++        object_property_set_int(OBJECT(&s->can[i]), "ext_clk_freq",
-         object_property_set_int(OBJECT(&s->gem[i]), 2, "num-priority-queues",
++                                XLNX_ZYNQMP_CAN_REF_CLK, &error_abort);
--                                  &error_abort);
++
-+                                &error_abort);
++        object_property_set_link(OBJECT(&s->can[i]), "canbus",
-         object_property_set_bool(OBJECT(&s->gem[i]), true, "realized", &err);
++                                 OBJECT(s->canbus[i]), &error_fatal);
-         if (err) {
++
-             error_propagate(errp, err);
++        sysbus_realize(SYS_BUS_DEVICE(&s->can[i]), &err);
 +        if (err) {
 +            error_propagate(errp, err);
 +            return;
 +        }
 +        sysbus_mmio_map(SYS_BUS_DEVICE(&s->can[i]), 0, can_addr[i]);
 +        sysbus_connect_irq(SYS_BUS_DEVICE(&s->can[i]), 0,
 +                           gic_spi[can_intr[i]]);
 +    }
 +
      object_property_set_int(OBJECT(&s->sata), "num-ports", SATA_NUM_PORTS,
                              &error_abort);
      if (!sysbus_realize(SYS_BUS_DEVICE(&s->sata), errp)) {
@@ -XXX,XX +XXX,XX @@ static Property xlnx_zynqmp_props[] = {
      DEFINE_PROP_BOOL("has_rpu", XlnxZynqMPState, has_rpu, false),
      DEFINE_PROP_LINK("ddr-ram", XlnxZynqMPState, ddr_ram, TYPE_MEMORY_REGION,
                       MemoryRegion *),
 +    DEFINE_PROP_LINK("canbus0", XlnxZynqMPState, canbus[0], TYPE_CAN_BUS,
 +                     CanBusState *),
 +    DEFINE_PROP_LINK("canbus1", XlnxZynqMPState, canbus[1], TYPE_CAN_BUS,
 +                     CanBusState *),
      DEFINE_PROP_END_OF_LIST()
  };
 --
-.7.4
+.20.1

-New patch
+[PULL 04/36] tests/qtest: Introduce tests for Xilinx ZynqMP CAN controller
+From: Vikram Garhwal <fnu.vikram@xilinx.com>
 The QTests perform five tests on the Xilinx ZynqMP CAN controller:
     Tests the CAN controller in loopback, sleep and snoop mode.
     Tests filtering of incoming CAN messages.
 Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Reviewed-by: Francisco Iglesias <francisco.iglesias@xilinx.com>
 Signed-off-by: Vikram Garhwal <fnu.vikram@xilinx.com>
 Message-id: 1605728926-352690-4-git-send-email-fnu.vikram@xilinx.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
  tests/qtest/xlnx-can-test.c | 360 ++++++++++++++++++++++++++++++++++++
  tests/qtest/meson.build     |   1 +
 files changed, 361 insertions(+)
  create mode 100644 tests/qtest/xlnx-can-test.c
 diff --git a/tests/qtest/xlnx-can-test.c b/tests/qtest/xlnx-can-test.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/tests/qtest/xlnx-can-test.c
@@ -XXX,XX +XXX,XX @@
 +/*
 + * QTests for the Xilinx ZynqMP CAN controller.
 + *
 + * Copyright (c) 2020 Xilinx Inc.
 + *
 + * Written-by: Vikram Garhwal<fnu.vikram@xilinx.com>
 + *
 + * Permission is hereby granted, free of charge, to any person obtaining a copy
 + * of this software and associated documentation files (the "Software"), to deal
 + * in the Software without restriction, including without limitation the rights
 + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 + * copies of the Software, and to permit persons to whom the Software is
 + * furnished to do so, subject to the following conditions:
 + *
 + * The above copyright notice and this permission notice shall be included in
 + * all copies or substantial portions of the Software.
 + *
 + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
 + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 + * THE SOFTWARE.
 + */
 +
 +#include "qemu/osdep.h"
 +#include "libqos/libqtest.h"
 +
 +/* Base address. */
 +#define CAN0_BASE_ADDR          0xFF060000
 +#define CAN1_BASE_ADDR          0xFF070000
 +
 +/* Register addresses. */
 +#define R_SRR_OFFSET            0x00
 +#define R_MSR_OFFSET            0x04
 +#define R_SR_OFFSET             0x18
 +#define R_ISR_OFFSET            0x1C
 +#define R_ICR_OFFSET            0x24
 +#define R_TXID_OFFSET           0x30
 +#define R_TXDLC_OFFSET          0x34
 +#define R_TXDATA1_OFFSET        0x38
 +#define R_TXDATA2_OFFSET        0x3C
 +#define R_RXID_OFFSET           0x50
 +#define R_RXDLC_OFFSET          0x54
 +#define R_RXDATA1_OFFSET        0x58
 +#define R_RXDATA2_OFFSET        0x5C
 +#define R_AFR                   0x60
 +#define R_AFMR1                 0x64
 +#define R_AFIR1                 0x68
 +#define R_AFMR2                 0x6C
 +#define R_AFIR2                 0x70
 +#define R_AFMR3                 0x74
 +#define R_AFIR3                 0x78
 +#define R_AFMR4                 0x7C
 +#define R_AFIR4                 0x80
 +
 +/* CAN modes. */
 +#define CONFIG_MODE             0x00
 +#define NORMAL_MODE             0x00
 +#define LOOPBACK_MODE           0x02
 +#define SNOOP_MODE              0x04
 +#define SLEEP_MODE              0x01
 +#define ENABLE_CAN              (1 << 1)
 +#define STATUS_NORMAL_MODE      (1 << 3)
 +#define STATUS_LOOPBACK_MODE    (1 << 1)
 +#define STATUS_SNOOP_MODE       (1 << 12)
 +#define STATUS_SLEEP_MODE       (1 << 2)
 +#define ISR_TXOK                (1 << 1)
 +#define ISR_RXOK                (1 << 4)
 +
 +static void match_rx_tx_data(const uint32_t *buf_tx, const uint32_t *buf_rx,
 +                             uint8_t can_timestamp)
 +{
 +    uint16_t size = 0;
 +    uint8_t len = 4;
 +
 +    while (size < len) {
 +        if (R_RXID_OFFSET + 4 * size == R_RXDLC_OFFSET)  {
 +            g_assert_cmpint(buf_rx[size], ==, buf_tx[size] + can_timestamp);
 +        } else {
 +            g_assert_cmpint(buf_rx[size], ==, buf_tx[size]);
 +        }
 +
 +        size++;
 +    }
 +}
 +
 +static void read_data(QTestState *qts, uint64_t can_base_addr, uint32_t *buf_rx)
 +{
 +    uint32_t int_status;
 +
 +    /* Read the interrupt on CAN rx. */
 +    int_status = qtest_readl(qts, can_base_addr + R_ISR_OFFSET) & ISR_RXOK;
 +
 +    g_assert_cmpint(int_status, ==, ISR_RXOK);
 +
 +    /* Read the RX register data for CAN. */
 +    buf_rx[0] = qtest_readl(qts, can_base_addr + R_RXID_OFFSET);
 +    buf_rx[1] = qtest_readl(qts, can_base_addr + R_RXDLC_OFFSET);
 +    buf_rx[2] = qtest_readl(qts, can_base_addr + R_RXDATA1_OFFSET);
 +    buf_rx[3] = qtest_readl(qts, can_base_addr + R_RXDATA2_OFFSET);
 +
 +    /* Clear the RX interrupt. */
 +    qtest_writel(qts, CAN1_BASE_ADDR + R_ICR_OFFSET, ISR_RXOK);
 +}
 +
 +static void send_data(QTestState *qts, uint64_t can_base_addr,
 +                      const uint32_t *buf_tx)
 +{
 +    uint32_t int_status;
 +
 +    /* Write the TX register data for CAN. */
 +    qtest_writel(qts, can_base_addr + R_TXID_OFFSET, buf_tx[0]);
 +    qtest_writel(qts, can_base_addr + R_TXDLC_OFFSET, buf_tx[1]);
 +    qtest_writel(qts, can_base_addr + R_TXDATA1_OFFSET, buf_tx[2]);
 +    qtest_writel(qts, can_base_addr + R_TXDATA2_OFFSET, buf_tx[3]);
 +
 +    /* Read the interrupt on CAN for tx. */
 +    int_status = qtest_readl(qts, can_base_addr + R_ISR_OFFSET) & ISR_TXOK;
 +
 +    g_assert_cmpint(int_status, ==, ISR_TXOK);
 +
 +    /* Clear the interrupt for tx. */
 +    qtest_writel(qts, CAN0_BASE_ADDR + R_ICR_OFFSET, ISR_TXOK);
 +}
 +
 +/*
 + * This test will be transferring data from CAN0 and CAN1 through canbus. CAN0
 + * initiate the data transfer to can-bus, CAN1 receives the data. Test compares
 + * the data sent from CAN0 with received on CAN1.
 + */
 +static void test_can_bus(void)
 +{
 +    const uint32_t buf_tx[4] = { 0xFF, 0x80000000, 0x12345678, 0x87654321 };
 +    uint32_t buf_rx[4] = { 0x00, 0x00, 0x00, 0x00 };
 +    uint32_t status = 0;
 +    uint8_t can_timestamp = 1;
 +
 +    QTestState *qts = qtest_init("-machine xlnx-zcu102"
 +                " -object can-bus,id=canbus0"
 +                " -machine xlnx-zcu102.canbus0=canbus0"
 +                " -machine xlnx-zcu102.canbus1=canbus0"
 +                );
 +
 +    /* Configure the CAN0 and CAN1. */
 +    qtest_writel(qts, CAN0_BASE_ADDR + R_SRR_OFFSET, ENABLE_CAN);
 +    qtest_writel(qts, CAN0_BASE_ADDR + R_MSR_OFFSET, NORMAL_MODE);
 +    qtest_writel(qts, CAN1_BASE_ADDR + R_SRR_OFFSET, ENABLE_CAN);
 +    qtest_writel(qts, CAN1_BASE_ADDR + R_MSR_OFFSET, NORMAL_MODE);
 +
 +    /* Check here if CAN0 and CAN1 are in normal mode. */
 +    status = qtest_readl(qts, CAN0_BASE_ADDR + R_SR_OFFSET);
 +    g_assert_cmpint(status, ==, STATUS_NORMAL_MODE);
 +
 +    status = qtest_readl(qts, CAN1_BASE_ADDR + R_SR_OFFSET);
 +    g_assert_cmpint(status, ==, STATUS_NORMAL_MODE);
 +
 +    send_data(qts, CAN0_BASE_ADDR, buf_tx);
 +
 +    read_data(qts, CAN1_BASE_ADDR, buf_rx);
 +    match_rx_tx_data(buf_tx, buf_rx, can_timestamp);
 +
 +    qtest_quit(qts);
 +}
 +
 +/*
 + * This test is performing loopback mode on CAN0 and CAN1. Data sent from TX of
 + * each CAN0 and CAN1 are compared with RX register data for respective CAN.
 + */
 +static void test_can_loopback(void)
 +{
 +    uint32_t buf_tx[4] = { 0xFF, 0x80000000, 0x12345678, 0x87654321 };
 +    uint32_t buf_rx[4] = { 0x00, 0x00, 0x00, 0x00 };
 +    uint32_t status = 0;
 +
 +    QTestState *qts = qtest_init("-machine xlnx-zcu102"
 +                " -object can-bus,id=canbus0"
 +                " -machine xlnx-zcu102.canbus0=canbus0"
 +                " -machine xlnx-zcu102.canbus1=canbus0"
 +                );
 +
 +    /* Configure the CAN0 in loopback mode. */
 +    qtest_writel(qts, CAN0_BASE_ADDR + R_SRR_OFFSET, CONFIG_MODE);
 +    qtest_writel(qts, CAN0_BASE_ADDR + R_MSR_OFFSET, LOOPBACK_MODE);
 +    qtest_writel(qts, CAN0_BASE_ADDR + R_SRR_OFFSET, ENABLE_CAN);
 +
 +    /* Check here if CAN0 is set in loopback mode. */
 +    status = qtest_readl(qts, CAN0_BASE_ADDR + R_SR_OFFSET);
 +
 +    g_assert_cmpint(status, ==, STATUS_LOOPBACK_MODE);
 +
 +    send_data(qts, CAN0_BASE_ADDR, buf_tx);
 +    read_data(qts, CAN0_BASE_ADDR, buf_rx);
 +    match_rx_tx_data(buf_tx, buf_rx, 0);
 +
 +    /* Configure the CAN1 in loopback mode. */
 +    qtest_writel(qts, CAN1_BASE_ADDR + R_SRR_OFFSET, CONFIG_MODE);
 +    qtest_writel(qts, CAN1_BASE_ADDR + R_MSR_OFFSET, LOOPBACK_MODE);
 +    qtest_writel(qts, CAN1_BASE_ADDR + R_SRR_OFFSET, ENABLE_CAN);
 +
 +    /* Check here if CAN1 is set in loopback mode. */
 +    status = qtest_readl(qts, CAN1_BASE_ADDR + R_SR_OFFSET);
 +
 +    g_assert_cmpint(status, ==, STATUS_LOOPBACK_MODE);
 +
 +    send_data(qts, CAN1_BASE_ADDR, buf_tx);
 +    read_data(qts, CAN1_BASE_ADDR, buf_rx);
 +    match_rx_tx_data(buf_tx, buf_rx, 0);
 +
 +    qtest_quit(qts);
 +}
 +
 +/*
 + * Enable filters for CAN1. This will filter incoming messages with ID. In this
 + * test message will pass through filter 2.
 + */
 +static void test_can_filter(void)
 +{
 +    uint32_t buf_tx[4] = { 0x14, 0x80000000, 0x12345678, 0x87654321 };
 +    uint32_t buf_rx[4] = { 0x00, 0x00, 0x00, 0x00 };
 +    uint32_t status = 0;
 +    uint8_t can_timestamp = 1;
 +
 +    QTestState *qts = qtest_init("-machine xlnx-zcu102"
 +                " -object can-bus,id=canbus0"
 +                " -machine xlnx-zcu102.canbus0=canbus0"
 +                " -machine xlnx-zcu102.canbus1=canbus0"
 +                );
 +
 +    /* Configure the CAN0 and CAN1. */
 +    qtest_writel(qts, CAN0_BASE_ADDR + R_SRR_OFFSET, ENABLE_CAN);
 +    qtest_writel(qts, CAN0_BASE_ADDR + R_MSR_OFFSET, NORMAL_MODE);
 +    qtest_writel(qts, CAN1_BASE_ADDR + R_SRR_OFFSET, ENABLE_CAN);
 +    qtest_writel(qts, CAN1_BASE_ADDR + R_MSR_OFFSET, NORMAL_MODE);
 +
 +    /* Check here if CAN0 and CAN1 are in normal mode. */
 +    status = qtest_readl(qts, CAN0_BASE_ADDR + R_SR_OFFSET);
 +    g_assert_cmpint(status, ==, STATUS_NORMAL_MODE);
 +
 +    status = qtest_readl(qts, CAN1_BASE_ADDR + R_SR_OFFSET);
 +    g_assert_cmpint(status, ==, STATUS_NORMAL_MODE);
 +
 +    /* Set filter for CAN1 for incoming messages. */
 +    qtest_writel(qts, CAN1_BASE_ADDR + R_AFR, 0x0);
 +    qtest_writel(qts, CAN1_BASE_ADDR + R_AFMR1, 0xF7);
 +    qtest_writel(qts, CAN1_BASE_ADDR + R_AFIR1, 0x121F);
 +    qtest_writel(qts, CAN1_BASE_ADDR + R_AFMR2, 0x5431);
 +    qtest_writel(qts, CAN1_BASE_ADDR + R_AFIR2, 0x14);
 +    qtest_writel(qts, CAN1_BASE_ADDR + R_AFMR3, 0x1234);
 +    qtest_writel(qts, CAN1_BASE_ADDR + R_AFIR3, 0x5431);
 +    qtest_writel(qts, CAN1_BASE_ADDR + R_AFMR4, 0xFFF);
 +    qtest_writel(qts, CAN1_BASE_ADDR + R_AFIR4, 0x1234);
 +
 +    qtest_writel(qts, CAN1_BASE_ADDR + R_AFR, 0xF);
 +
 +    send_data(qts, CAN0_BASE_ADDR, buf_tx);
 +
 +    read_data(qts, CAN1_BASE_ADDR, buf_rx);
 +    match_rx_tx_data(buf_tx, buf_rx, can_timestamp);
 +
 +    qtest_quit(qts);
 +}
 +
 +/* Testing sleep mode on CAN0 while CAN1 is in normal mode. */
 +static void test_can_sleepmode(void)
 +{
 +    uint32_t buf_tx[4] = { 0x14, 0x80000000, 0x12345678, 0x87654321 };
 +    uint32_t buf_rx[4] = { 0x00, 0x00, 0x00, 0x00 };
 +    uint32_t status = 0;
 +    uint8_t can_timestamp = 1;
 +
 +    QTestState *qts = qtest_init("-machine xlnx-zcu102"
 +                " -object can-bus,id=canbus0"
 +                " -machine xlnx-zcu102.canbus0=canbus0"
 +                " -machine xlnx-zcu102.canbus1=canbus0"
 +                );
 +
 +    /* Configure the CAN0. */
 +    qtest_writel(qts, CAN0_BASE_ADDR + R_SRR_OFFSET, CONFIG_MODE);
 +    qtest_writel(qts, CAN0_BASE_ADDR + R_MSR_OFFSET, SLEEP_MODE);
 +    qtest_writel(qts, CAN0_BASE_ADDR + R_SRR_OFFSET, ENABLE_CAN);
 +
 +    qtest_writel(qts, CAN1_BASE_ADDR + R_SRR_OFFSET, ENABLE_CAN);
 +    qtest_writel(qts, CAN1_BASE_ADDR + R_MSR_OFFSET, NORMAL_MODE);
 +
 +    /* Check here if CAN0 is in SLEEP mode and CAN1 in normal mode. */
 +    status = qtest_readl(qts, CAN0_BASE_ADDR + R_SR_OFFSET);
 +    g_assert_cmpint(status, ==, STATUS_SLEEP_MODE);
 +
 +    status = qtest_readl(qts, CAN1_BASE_ADDR + R_SR_OFFSET);
 +    g_assert_cmpint(status, ==, STATUS_NORMAL_MODE);
 +
 +    send_data(qts, CAN1_BASE_ADDR, buf_tx);
 +
 +    /*
 +     * Once CAN1 sends data on can-bus. CAN0 should exit sleep mode.
 +     * Check the CAN0 status now. It should exit the sleep mode and receive the
 +     * incoming data.
 +     */
 +    status = qtest_readl(qts, CAN0_BASE_ADDR + R_SR_OFFSET);
 +    g_assert_cmpint(status, ==, STATUS_NORMAL_MODE);
 +
 +    read_data(qts, CAN0_BASE_ADDR, buf_rx);
 +
 +    match_rx_tx_data(buf_tx, buf_rx, can_timestamp);
 +
 +    qtest_quit(qts);
 +}
 +
 +/* Testing Snoop mode on CAN0 while CAN1 is in normal mode. */
 +static void test_can_snoopmode(void)
 +{
 +    uint32_t buf_tx[4] = { 0x14, 0x80000000, 0x12345678, 0x87654321 };
 +    uint32_t buf_rx[4] = { 0x00, 0x00, 0x00, 0x00 };
 +    uint32_t status = 0;
 +    uint8_t can_timestamp = 1;
 +
 +    QTestState *qts = qtest_init("-machine xlnx-zcu102"
 +                " -object can-bus,id=canbus0"
 +                " -machine xlnx-zcu102.canbus0=canbus0"
 +                " -machine xlnx-zcu102.canbus1=canbus0"
 +                );
 +
 +    /* Configure the CAN0. */
 +    qtest_writel(qts, CAN0_BASE_ADDR + R_SRR_OFFSET, CONFIG_MODE);
 +    qtest_writel(qts, CAN0_BASE_ADDR + R_MSR_OFFSET, SNOOP_MODE);
 +    qtest_writel(qts, CAN0_BASE_ADDR + R_SRR_OFFSET, ENABLE_CAN);
 +
 +    qtest_writel(qts, CAN1_BASE_ADDR + R_SRR_OFFSET, ENABLE_CAN);
 +    qtest_writel(qts, CAN1_BASE_ADDR + R_MSR_OFFSET, NORMAL_MODE);
 +
 +    /* Check here if CAN0 is in SNOOP mode and CAN1 in normal mode. */
 +    status = qtest_readl(qts, CAN0_BASE_ADDR + R_SR_OFFSET);
 +    g_assert_cmpint(status, ==, STATUS_SNOOP_MODE);
 +
 +    status = qtest_readl(qts, CAN1_BASE_ADDR + R_SR_OFFSET);
 +    g_assert_cmpint(status, ==, STATUS_NORMAL_MODE);
 +
 +    send_data(qts, CAN1_BASE_ADDR, buf_tx);
 +
 +    read_data(qts, CAN0_BASE_ADDR, buf_rx);
 +
 +    match_rx_tx_data(buf_tx, buf_rx, can_timestamp);
 +
 +    qtest_quit(qts);
 +}
 +
 +int main(int argc, char **argv)
 +{
 +    g_test_init(&argc, &argv, NULL);
 +
 +    qtest_add_func("/net/can/can_bus", test_can_bus);
 +    qtest_add_func("/net/can/can_loopback", test_can_loopback);
 +    qtest_add_func("/net/can/can_filter", test_can_filter);
 +    qtest_add_func("/net/can/can_test_snoopmode", test_can_snoopmode);
 +    qtest_add_func("/net/can/can_test_sleepmode", test_can_sleepmode);
 +
 +    return g_test_run();
 +}
 diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build
 index XXXXXXX..XXXXXXX 100644
 --- a/tests/qtest/meson.build
 +++ b/tests/qtest/meson.build
@@ -XXX,XX +XXX,XX @@ qtests_aarch64 = \
    ['arm-cpu-features',
     'numa-test',
     'boot-serial-test',
 +   'xlnx-can-test',
     'migration-test']
  qtests_s390x = \
 --
 .20.1

-New patch
+[PULL 05/36] MAINTAINERS: Add maintainer entry for Xilinx ZynqMP CAN controller
+From: Vikram Garhwal <fnu.vikram@xilinx.com>
+Reviewed-by: Francisco Iglesias <francisco.iglesias@xilinx.com>
+Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+Signed-off-by: Vikram Garhwal <fnu.vikram@xilinx.com>
+Message-id: 1605728926-352690-5-git-send-email-fnu.vikram@xilinx.com
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ MAINTAINERS | 8 ++++++++
+file changed, 8 insertions(+)
+diff --git a/MAINTAINERS b/MAINTAINERS
+index XXXXXXX..XXXXXXX 100644
+--- a/MAINTAINERS
++++ b/MAINTAINERS
+@@ -XXX,XX +XXX,XX @@ F: hw/net/opencores_eth.c
+ Devices
+ -------
++Xilinx CAN
++M: Vikram Garhwal <fnu.vikram@xilinx.com>
++M: Francisco Iglesias <francisco.iglesias@xilinx.com>
++S: Maintained
++F: hw/net/can/xlnx-*
++F: include/hw/net/xlnx-*
++F: tests/qtest/xlnx-can-test*
++
+ EDU
+ M: Jiri Slaby <jslaby@suse.cz>
+ S: Maintained
+--
+.20.1

-[Qemu-devel] [PULL 10/24] hw/arm: Qomify pxa2xx.c
+[PULL 06/36] sbsa-ref: allow to use Cortex-A53/57/72 cpus
-From: Suramya Shah <shah.suramya@gmail.com>
+From: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
-Signed-off-by: Suramya Shah <shah.suramya@gmail.com>
+Trusted Firmware now supports A72 on sbsa-ref by default [1] so enable
-Message-id: 20170415180316.2694-1-shah.suramya@gmail.com
+it for QEMU as well. A53 was already enabled there.
 . https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/7117
 Signed-off-by: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20201120141705.246690-1-marcin.juszkiewicz@linaro.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/pxa2xx.c | 14 ++++++--------
+ hw/arm/sbsa-ref.c | 23 ++++++++++++++++++++---
-file changed, 6 insertions(+), 8 deletions(-)
+file changed, 20 insertions(+), 3 deletions(-)
-diff --git a/hw/arm/pxa2xx.c b/hw/arm/pxa2xx.c
+diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/pxa2xx.c
+--- a/hw/arm/sbsa-ref.c
-+++ b/hw/arm/pxa2xx.c
++++ b/hw/arm/sbsa-ref.c
-@@ -XXX,XX +XXX,XX @@ static void pxa2xx_ssp_reset(DeviceState *d)
+@@ -XXX,XX +XXX,XX @@ static const int sbsa_ref_irqmap[] = {
-     s->rx_start = s->rx_level = 0;
+     [SBSA_GWDT] = 16,
- }
+ };
--static int pxa2xx_ssp_init(SysBusDevice *sbd)
++static const char * const valid_cpus[] = {
-+static void pxa2xx_ssp_init(Object *obj)
++    ARM_CPU_TYPE_NAME("cortex-a53"),
 +    ARM_CPU_TYPE_NAME("cortex-a57"),
 +    ARM_CPU_TYPE_NAME("cortex-a72"),
 +};
 +
 +static bool cpu_type_valid(const char *cpu)
 +{
 +    int i;
 +
 +    for (i = 0; i < ARRAY_SIZE(valid_cpus); i++) {
 +        if (strcmp(cpu, valid_cpus[i]) == 0) {
 +            return true;
 +        }
 +    }
 +    return false;
 +}
 +
  static uint64_t sbsa_ref_cpu_mp_affinity(SBSAMachineState *sms, int idx)
  {
--    DeviceState *dev = DEVICE(sbd);
+     uint8_t clustersz = ARM_DEFAULT_CPUS_PER_CLUSTER;
--    PXA2xxSSPState *s = PXA2XX_SSP(dev);
+@@ -XXX,XX +XXX,XX @@ static void sbsa_ref_init(MachineState *machine)
--
+     const CPUArchIdList *possible_cpus;
-+    DeviceState *dev = DEVICE(obj);
+     int n, sbsa_max_cpus;
-+    PXA2xxSSPState *s = PXA2XX_SSP(obj);
-+    SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
+-    if (strcmp(machine->cpu_type, ARM_CPU_TYPE_NAME("cortex-a57"))) {
-     sysbus_init_irq(sbd, &s->irq);
+-        error_report("sbsa-ref: CPU type other than the built-in "
+-                     "cortex-a57 not supported");
--    memory_region_init_io(&s->iomem, OBJECT(s), &pxa2xx_ssp_ops, s,
++    if (!cpu_type_valid(machine->cpu_type)) {
-+    memory_region_init_io(&s->iomem, obj, &pxa2xx_ssp_ops, s,
++        error_report("mach-virt: CPU type %s not supported", machine->cpu_type);
-                           "pxa2xx-ssp", 0x1000);
+         exit(1);
-     sysbus_init_mmio(sbd, &s->iomem);
+     }
      s->bus = ssi_create_bus(dev, "ssi");
 -    return 0;
  }
  /* Real-Time Clock */
@@ -XXX,XX +XXX,XX @@ PXA2xxState *pxa255_init(MemoryRegion *address_space, unsigned int sdram_size)
  static void pxa2xx_ssp_class_init(ObjectClass *klass, void *data)
  {
 -    SysBusDeviceClass *sdc = SYS_BUS_DEVICE_CLASS(klass);
      DeviceClass *dc = DEVICE_CLASS(klass);
 -    sdc->init = pxa2xx_ssp_init;
      dc->reset = pxa2xx_ssp_reset;
      dc->vmsd = &vmstate_pxa2xx_ssp;
  }
@@ -XXX,XX +XXX,XX @@ static const TypeInfo pxa2xx_ssp_info = {
      .name          = TYPE_PXA2XX_SSP,
      .parent        = TYPE_SYS_BUS_DEVICE,
      .instance_size = sizeof(PXA2xxSSPState),
 +    .instance_init = pxa2xx_ssp_init,
      .class_init    = pxa2xx_ssp_class_init,
  };
 --
-.7.4
+.20.1

-[Qemu-devel] [PULL 03/24] hw/char/exynos4210_uart: Constify static array and few arguments
+[PULL 07/36] tests/qtest/npcm7xx_rng-test: dump random data on failure
-From: Krzysztof Kozlowski <krzk@kernel.org>
+From: Havard Skinnemoen <hskinnemoen@google.com>
-The static array exynos4210_uart_regs with register values is not
+Dump the collected random data after a randomness test failure.
 modified so it can be made const.
-Few other functions accept driver or uart state as an argument but they
+Note that this relies on the test having called
-do not change it and do not cast it so this can be made const for code
+g_test_set_nonfatal_assertions() so we don't abort immediately on the
-safeness.
+assertion failure.
-Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Havard Skinnemoen <hskinnemoen@google.com>
 Message-id: 20170313184750.429-3-krzk@kernel.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+[PMM: minor commit message tweak]
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/char/exynos4210_uart.c | 8 ++++----
+ tests/qtest/npcm7xx_rng-test.c | 12 ++++++++++++
-file changed, 4 insertions(+), 4 deletions(-)
+file changed, 12 insertions(+)
-diff --git a/hw/char/exynos4210_uart.c b/hw/char/exynos4210_uart.c
+diff --git a/tests/qtest/npcm7xx_rng-test.c b/tests/qtest/npcm7xx_rng-test.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/char/exynos4210_uart.c
+--- a/tests/qtest/npcm7xx_rng-test.c
-+++ b/hw/char/exynos4210_uart.c
++++ b/tests/qtest/npcm7xx_rng-test.c
-@@ -XXX,XX +XXX,XX @@ typedef struct Exynos4210UartReg {
+@@ -XXX,XX +XXX,XX @@
-     uint32_t            reset_value;
- } Exynos4210UartReg;
+ #include "libqtest-single.h"
+ #include "qemu/bitops.h"
--static Exynos4210UartReg exynos4210_uart_regs[] = {
++#include "qemu-common.h"
-+static const Exynos4210UartReg exynos4210_uart_regs[] = {
-     {"ULCON",    ULCON,    0x00000000},
+ #define RNG_BASE_ADDR   0xf000b000
-     {"UCON",     UCON,     0x00003000},
-     {"UFCON",    UFCON,    0x00000000},
+@@ -XXX,XX +XXX,XX @@
-@@ -XXX,XX +XXX,XX @@ static uint8_t fifo_retrieve(Exynos4210UartFIFO *q)
+ /* Number of bits to collect for randomness tests. */
-     return  ret;
+ #define TEST_INPUT_BITS  (128)
 +static void dump_buf_if_failed(const uint8_t *buf, size_t size)
 +{
 +    if (g_test_failed()) {
 +        qemu_hexdump(stderr, "", buf, size);
 +    }
 +}
 +
  static void rng_writeb(unsigned int offset, uint8_t value)
  {
      writeb(RNG_BASE_ADDR + offset, value);
@@ -XXX,XX +XXX,XX @@ static void test_continuous_monobit(void)
      }
      g_assert_cmpfloat(calc_monobit_p(buf, sizeof(buf)), >, 0.01);
 +    dump_buf_if_failed(buf, sizeof(buf));
  }
--static int fifo_elements_number(Exynos4210UartFIFO *q)
+ /*
-+static int fifo_elements_number(const Exynos4210UartFIFO *q)
+@@ -XXX,XX +XXX,XX @@ static void test_continuous_runs(void)
- {
+     }
-     if (q->sp < q->rp) {
-         return q->size - q->rp + q->sp;
+     g_assert_cmpfloat(calc_runs_p(buf.l, sizeof(buf) * BITS_PER_BYTE), >, 0.01);
-@@ -XXX,XX +XXX,XX @@ static int fifo_elements_number(Exynos4210UartFIFO *q)
++    dump_buf_if_failed(buf.c, sizeof(buf));
      return q->sp - q->rp;
  }
--static int fifo_empty_elements_number(Exynos4210UartFIFO *q)
+ /*
-+static int fifo_empty_elements_number(const Exynos4210UartFIFO *q)
+@@ -XXX,XX +XXX,XX @@ static void test_first_byte_monobit(void)
- {
+     }
-     return q->size - fifo_elements_number(q);
      g_assert_cmpfloat(calc_monobit_p(buf, sizeof(buf)), >, 0.01);
 +    dump_buf_if_failed(buf, sizeof(buf));
  }
-@@ -XXX,XX +XXX,XX @@ static void fifo_reset(Exynos4210UartFIFO *q)
-     q->rp = 0;
+ /*
@@ -XXX,XX +XXX,XX @@ static void test_first_byte_runs(void)
      }
      g_assert_cmpfloat(calc_runs_p(buf.l, sizeof(buf) * BITS_PER_BYTE), >, 0.01);
 +    dump_buf_if_failed(buf.c, sizeof(buf));
  }
--static uint32_t exynos4210_uart_Tx_FIFO_trigger_level(Exynos4210UartState *s)
+ int main(int argc, char **argv)
 +static uint32_t exynos4210_uart_Tx_FIFO_trigger_level(const Exynos4210UartState *s)
  {
      uint32_t level = 0;
      uint32_t reg;
 --
-.7.4
+.20.1

-[Qemu-devel] [PULL 14/24] cadence_gem: Make the revision a property
+[PULL 08/36] i.MX25: Fix bad printf format specifiers
-From: Alistair Francis <alistair.francis@xilinx.com>
+From: Alex Chen <alex.chen@huawei.com>
-Expose the Cadence GEM revision as a property.
+We should use printf format specifier "%u" instead of "%d" for
 argument of type "unsigned int".
-Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
+Reported-by: Euler Robot <euler.robot@huawei.com>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Alex Chen <alex.chen@huawei.com>
 Message-id: 20201126111109.112238-2-alex.chen@huawei.com
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 541324373cf87b50f8be0439a0cb89f5028b016f.1491947224.git.alistair.francis@xilinx.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- include/hw/net/cadence_gem.h | 1 +
+ hw/misc/imx25_ccm.c | 12 ++++++------
- hw/net/cadence_gem.c         | 6 +++++-
+file changed, 6 insertions(+), 6 deletions(-)
 files changed, 6 insertions(+), 1 deletion(-)
-diff --git a/include/hw/net/cadence_gem.h b/include/hw/net/cadence_gem.h
+diff --git a/hw/misc/imx25_ccm.c b/hw/misc/imx25_ccm.c
 index XXXXXXX..XXXXXXX 100644
---- a/include/hw/net/cadence_gem.h
+--- a/hw/misc/imx25_ccm.c
-+++ b/include/hw/net/cadence_gem.h
++++ b/hw/misc/imx25_ccm.c
-@@ -XXX,XX +XXX,XX @@ typedef struct CadenceGEMState {
+@@ -XXX,XX +XXX,XX @@ static const char *imx25_ccm_reg_name(uint32_t reg)
-     uint8_t num_priority_queues;
+     case IMX25_CCM_LPIMR1_REG:
-     uint8_t num_type1_screeners;
+         return "lpimr1";
-     uint8_t num_type2_screeners;
+     default:
-+    uint32_t revision;
+-        sprintf(unknown, "[%d ?]", reg);
++        sprintf(unknown, "[%u ?]", reg);
-     /* GEM registers backing store */
+         return unknown;
-     uint32_t regs[CADENCE_GEM_MAXREG];
+     }
-diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c
+ }
-index XXXXXXX..XXXXXXX 100644
+@@ -XXX,XX +XXX,XX @@ static uint32_t imx25_ccm_get_mpll_clk(IMXCCMState *dev)
---- a/hw/net/cadence_gem.c
+         freq = imx_ccm_calc_pll(s->reg[IMX25_CCM_MPCTL_REG], CKIH_FREQ);
-+++ b/hw/net/cadence_gem.c
+     }
-@@ -XXX,XX +XXX,XX @@
- #define DESC_1_RX_SOF 0x00004000
+-    DPRINTF("freq = %d\n", freq);
- #define DESC_1_RX_EOF 0x00008000
++    DPRINTF("freq = %u\n", freq);
-+#define GEM_MODID_VALUE 0x00020118
+     return freq;
-+
+ }
- static inline unsigned tx_desc_get_buffer(unsigned *desc)
+@@ -XXX,XX +XXX,XX @@ static uint32_t imx25_ccm_get_mcu_clk(IMXCCMState *dev)
- {
-     return desc[0];
+     freq = freq / (1 + EXTRACT(s->reg[IMX25_CCM_CCTL_REG], ARM_CLK_DIV));
-@@ -XXX,XX +XXX,XX @@ static void gem_reset(DeviceState *d)
-     s->regs[GEM_TXPAUSE] = 0x0000ffff;
+-    DPRINTF("freq = %d\n", freq);
-     s->regs[GEM_TXPARTIALSF] = 0x000003ff;
++    DPRINTF("freq = %u\n", freq);
-     s->regs[GEM_RXPARTIALSF] = 0x000003ff;
--    s->regs[GEM_MODID] = 0x00020118;
+     return freq;
-+    s->regs[GEM_MODID] = s->revision;
+ }
-     s->regs[GEM_DESCONF] = 0x02500111;
+@@ -XXX,XX +XXX,XX @@ static uint32_t imx25_ccm_get_ahb_clk(IMXCCMState *dev)
-     s->regs[GEM_DESCONF2] = 0x2ab13fff;
+     freq = imx25_ccm_get_mcu_clk(dev)
-     s->regs[GEM_DESCONF5] = 0x002f2145;
+            / (1 + EXTRACT(s->reg[IMX25_CCM_CCTL_REG], AHB_CLK_DIV));
-@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_cadence_gem = {
+-    DPRINTF("freq = %d\n", freq);
- static Property gem_properties[] = {
++    DPRINTF("freq = %u\n", freq);
-     DEFINE_NIC_PROPERTIES(CadenceGEMState, conf),
-+    DEFINE_PROP_UINT32("revision", CadenceGEMState, revision,
+     return freq;
-+                       GEM_MODID_VALUE),
+ }
-     DEFINE_PROP_UINT8("num-priority-queues", CadenceGEMState,
+@@ -XXX,XX +XXX,XX @@ static uint32_t imx25_ccm_get_ipg_clk(IMXCCMState *dev)
-                       num_priority_queues, 1),
-     DEFINE_PROP_UINT8("num-type1-screeners", CadenceGEMState,
+     freq = imx25_ccm_get_ahb_clk(dev) / 2;
 -    DPRINTF("freq = %d\n", freq);
 +    DPRINTF("freq = %u\n", freq);
      return freq;
  }
@@ -XXX,XX +XXX,XX @@ static uint32_t imx25_ccm_get_clock_frequency(IMXCCMState *dev, IMXClk clock)
          break;
      }
 -    DPRINTF("Clock = %d) = %d\n", clock, freq);
 +    DPRINTF("Clock = %d) = %u\n", clock, freq);
      return freq;
  }
 --
-.7.4
+.20.1

-[Qemu-devel] [PULL 09/24] arm/kvm: Remove trailing newlines from error_report()
+[PULL 09/36] i.MX31: Fix bad printf format specifiers
-From: Ishani Chugh <chugh.ishani@research.iiit.ac.in>
+From: Alex Chen <alex.chen@huawei.com>
-Signed-off-by: Ishani Chugh <chugh.ishani@research.iiit.ac.in>
+We should use printf format specifier "%u" instead of "%d" for
-Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+argument of type "unsigned int".
-Message-id: 1491629987-6826-1-git-send-email-chugh.ishani@research.iiit.ac.in
 Reported-by: Euler Robot <euler.robot@huawei.com>
 Signed-off-by: Alex Chen <alex.chen@huawei.com>
 Message-id: 20201126111109.112238-3-alex.chen@huawei.com
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/kvm64.c | 4 ++--
+ hw/misc/imx31_ccm.c | 14 +++++++-------
-file changed, 2 insertions(+), 2 deletions(-)
+ hw/misc/imx_ccm.c   |  4 ++--
 files changed, 9 insertions(+), 9 deletions(-)
-diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
+diff --git a/hw/misc/imx31_ccm.c b/hw/misc/imx31_ccm.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/kvm64.c
+--- a/hw/misc/imx31_ccm.c
-+++ b/target/arm/kvm64.c
++++ b/hw/misc/imx31_ccm.c
-@@ -XXX,XX +XXX,XX @@ bool kvm_arm_handle_debug(CPUState *cs, struct kvm_debug_exit_arch *debug_exit)
+@@ -XXX,XX +XXX,XX @@ static const char *imx31_ccm_reg_name(uint32_t reg)
-              * single step at this point so something has gone wrong.
+     case IMX31_CCM_PDR2_REG:
-              */
+         return "PDR2";
-             error_report("%s: guest single-step while debugging unsupported"
+     default:
--                         " (%"PRIx64", %"PRIx32")\n",
+-        sprintf(unknown, "[%d ?]", reg);
-+                         " (%"PRIx64", %"PRIx32")",
++        sprintf(unknown, "[%u ?]", reg);
-                          __func__, env->pc, debug_exit->hsr);
+         return unknown;
-             return false;
+     }
-         }
+ }
-@@ -XXX,XX +XXX,XX @@ bool kvm_arm_handle_debug(CPUState *cs, struct kvm_debug_exit_arch *debug_exit)
+@@ -XXX,XX +XXX,XX @@ static uint32_t imx31_ccm_get_pll_ref_clk(IMXCCMState *dev)
          freq = CKIH_FREQ;
      }
 -    DPRINTF("freq = %d\n", freq);
 +    DPRINTF("freq = %u\n", freq);
      return freq;
  }
@@ -XXX,XX +XXX,XX @@ static uint32_t imx31_ccm_get_mpll_clk(IMXCCMState *dev)
      freq = imx_ccm_calc_pll(s->reg[IMX31_CCM_MPCTL_REG],
                              imx31_ccm_get_pll_ref_clk(dev));
 -    DPRINTF("freq = %d\n", freq);
 +    DPRINTF("freq = %u\n", freq);
      return freq;
  }
@@ -XXX,XX +XXX,XX @@ static uint32_t imx31_ccm_get_mcu_main_clk(IMXCCMState *dev)
          freq = imx31_ccm_get_mpll_clk(dev);
      }
 -    DPRINTF("freq = %d\n", freq);
 +    DPRINTF("freq = %u\n", freq);
      return freq;
  }
@@ -XXX,XX +XXX,XX @@ static uint32_t imx31_ccm_get_hclk_clk(IMXCCMState *dev)
      freq = imx31_ccm_get_mcu_main_clk(dev)
             / (1 + EXTRACT(s->reg[IMX31_CCM_PDR0_REG], MAX));
 -    DPRINTF("freq = %d\n", freq);
 +    DPRINTF("freq = %u\n", freq);
      return freq;
  }
@@ -XXX,XX +XXX,XX @@ static uint32_t imx31_ccm_get_ipg_clk(IMXCCMState *dev)
      freq = imx31_ccm_get_hclk_clk(dev)
             / (1 + EXTRACT(s->reg[IMX31_CCM_PDR0_REG], IPG));
 -    DPRINTF("freq = %d\n", freq);
 +    DPRINTF("freq = %u\n", freq);
      return freq;
  }
@@ -XXX,XX +XXX,XX @@ static uint32_t imx31_ccm_get_clock_frequency(IMXCCMState *dev, IMXClk clock)
          break;
      }
-     default:
--        error_report("%s: unhandled debug exit (%"PRIx32", %"PRIx64")\n",
+-    DPRINTF("Clock = %d) = %d\n", clock, freq);
-+        error_report("%s: unhandled debug exit (%"PRIx32", %"PRIx64")",
++    DPRINTF("Clock = %d) = %u\n", clock, freq);
-                      __func__, debug_exit->hsr, env->pc);
      return freq;
  }
 diff --git a/hw/misc/imx_ccm.c b/hw/misc/imx_ccm.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/misc/imx_ccm.c
 +++ b/hw/misc/imx_ccm.c
@@ -XXX,XX +XXX,XX @@ uint32_t imx_ccm_get_clock_frequency(IMXCCMState *dev, IMXClk clock)
          freq = klass->get_clock_frequency(dev, clock);
      }
+-    DPRINTF("(clock = %d) = %d\n", clock, freq);
++    DPRINTF("(clock = %d) = %u\n", clock, freq);
+     return freq;
+ }
+@@ -XXX,XX +XXX,XX @@ uint32_t imx_ccm_calc_pll(uint32_t pllreg, uint32_t base_freq)
+     freq = ((2 * (base_freq >> 10) * (mfi * mfd + mfn)) /
+             (mfd * pd)) << 10;
+-    DPRINTF("(pllreg = 0x%08x, base_freq = %d) = %d\n", pllreg, base_freq,
++    DPRINTF("(pllreg = 0x%08x, base_freq = %u) = %d\n", pllreg, base_freq,
+             freq);
+     return freq;
 --
-.7.4
+.20.1

-[Qemu-devel] [PULL 02/24] hw/arm/exynos: Convert fprintf to qemu_log_mask/error_report
+[PULL 10/36] i.MX6: Fix bad printf format specifiers
-From: Krzysztof Kozlowski <krzk@kernel.org>
+From: Alex Chen <alex.chen@huawei.com>
-qemu_log_mask() and error_report() are preferred over fprintf() for
+We should use printf format specifier "%u" instead of "%d" for
-logging errors.  Also remove square brackets [] and additional new line
+argument of type "unsigned int".
 characters in printed messages.
-Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Reported-by: Euler Robot <euler.robot@huawei.com>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Alex Chen <alex.chen@huawei.com>
-Message-id: 20170313184750.429-2-krzk@kernel.org
+Message-id: 20201126111109.112238-4-alex.chen@huawei.com
 [PMM: wrapped long line]
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/exynos4_boards.c   |  7 ++++---
+ hw/misc/imx6_ccm.c | 20 ++++++++++----------
- hw/timer/exynos4210_mct.c |  6 ++++--
+ hw/misc/imx6_src.c |  2 +-
- hw/timer/exynos4210_pwm.c | 13 +++++++------
+files changed, 11 insertions(+), 11 deletions(-)
  hw/timer/exynos4210_rtc.c | 19 ++++++++++---------
 files changed, 25 insertions(+), 20 deletions(-)
-diff --git a/hw/arm/exynos4_boards.c b/hw/arm/exynos4_boards.c
+diff --git a/hw/misc/imx6_ccm.c b/hw/misc/imx6_ccm.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/exynos4_boards.c
+--- a/hw/misc/imx6_ccm.c
-+++ b/hw/arm/exynos4_boards.c
++++ b/hw/misc/imx6_ccm.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ static const char *imx6_ccm_reg_name(uint32_t reg)
-  */
+     case CCM_CMEOR:
+         return "CMEOR";
- #include "qemu/osdep.h"
+     default:
-+#include "qemu/error-report.h"
+-        sprintf(unknown, "%d ?", reg);
- #include "qemu-common.h"
++        sprintf(unknown, "%u ?", reg);
- #include "cpu.h"
+         return unknown;
  #include "sysemu/sysemu.h"
@@ -XXX,XX +XXX,XX @@ static Exynos4210State *exynos4_boards_init_common(MachineState *machine,
      MachineClass *mc = MACHINE_GET_CLASS(machine);
      if (smp_cpus != EXYNOS4210_NCPUS && !qtest_enabled()) {
 -        fprintf(stderr, "%s board supports only %d CPU cores. Ignoring smp_cpus"
 -                " value.\n",
 -                mc->name, EXYNOS4210_NCPUS);
 +        error_report("%s board supports only %d CPU cores, ignoring smp_cpus"
 +                     " value",
 +                     mc->name, EXYNOS4210_NCPUS);
      }
+ }
-     exynos4_board_binfo.ram_size = exynos4_board_ram_size[board_type];
+@@ -XXX,XX +XXX,XX @@ static const char *imx6_analog_reg_name(uint32_t reg)
-diff --git a/hw/timer/exynos4210_mct.c b/hw/timer/exynos4210_mct.c
+     case USB_ANALOG_DIGPROG:
-index XXXXXXX..XXXXXXX 100644
+         return "USB_ANALOG_DIGPROG";
 --- a/hw/timer/exynos4210_mct.c
 +++ b/hw/timer/exynos4210_mct.c
@@ -XXX,XX +XXX,XX @@
   */
  #include "qemu/osdep.h"
 +#include "qemu/log.h"
  #include "hw/sysbus.h"
  #include "qemu/timer.h"
  #include "qemu/main-loop.h"
@@ -XXX,XX +XXX,XX @@ break;
      case L0_TCNTO: case L1_TCNTO:
      case L0_ICNTO: case L1_ICNTO:
      case L0_FRCNTO: case L1_FRCNTO:
 -        fprintf(stderr, "\n[exynos4210.mct: write to RO register "
 -                TARGET_FMT_plx "]\n\n", offset);
 +        qemu_log_mask(LOG_GUEST_ERROR,
 +                      "exynos4210.mct: write to RO register " TARGET_FMT_plx,
 +                      offset);
          break;
      case L0_INT_CSTAT: case L1_INT_CSTAT:
 diff --git a/hw/timer/exynos4210_pwm.c b/hw/timer/exynos4210_pwm.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/timer/exynos4210_pwm.c
 +++ b/hw/timer/exynos4210_pwm.c
@@ -XXX,XX +XXX,XX @@
   */
  #include "qemu/osdep.h"
 +#include "qemu/log.h"
  #include "hw/sysbus.h"
  #include "qemu/timer.h"
  #include "qemu-common.h"
@@ -XXX,XX +XXX,XX @@ static uint64_t exynos4210_pwm_read(void *opaque, hwaddr offset,
          break;
      default:
--        fprintf(stderr,
+-        sprintf(unknown, "%d ?", reg);
--                "[exynos4210.pwm: bad read offset " TARGET_FMT_plx "]\n",
++        sprintf(unknown, "%u ?", reg);
--                offset);
+         return unknown;
-+        qemu_log_mask(LOG_GUEST_ERROR,
+     }
-+                      "exynos4210.pwm: bad read offset " TARGET_FMT_plx,
+ }
-+                      offset);
+@@ -XXX,XX +XXX,XX @@ static uint64_t imx6_analog_get_pll2_clk(IMX6CCMState *dev)
          freq *= 20;
      }
 -    DPRINTF("freq = %d\n", (uint32_t)freq);
 +    DPRINTF("freq = %u\n", (uint32_t)freq);
      return freq;
  }
@@ -XXX,XX +XXX,XX @@ static uint64_t imx6_analog_get_pll2_pfd0_clk(IMX6CCMState *dev)
      freq = imx6_analog_get_pll2_clk(dev) * 18
             / EXTRACT(dev->analog[CCM_ANALOG_PFD_528], PFD0_FRAC);
 -    DPRINTF("freq = %d\n", (uint32_t)freq);
 +    DPRINTF("freq = %u\n", (uint32_t)freq);
      return freq;
  }
@@ -XXX,XX +XXX,XX @@ static uint64_t imx6_analog_get_pll2_pfd2_clk(IMX6CCMState *dev)
      freq = imx6_analog_get_pll2_clk(dev) * 18
             / EXTRACT(dev->analog[CCM_ANALOG_PFD_528], PFD2_FRAC);
 -    DPRINTF("freq = %d\n", (uint32_t)freq);
 +    DPRINTF("freq = %u\n", (uint32_t)freq);
      return freq;
  }
@@ -XXX,XX +XXX,XX @@ static uint64_t imx6_analog_get_periph_clk(IMX6CCMState *dev)
          break;
      }
-     return value;
-@@ -XXX,XX +XXX,XX @@ static void exynos4210_pwm_write(void *opaque, hwaddr offset,
+-    DPRINTF("freq = %d\n", (uint32_t)freq);
-         break;
++    DPRINTF("freq = %u\n", (uint32_t)freq);
-     default:
+     return freq;
--        fprintf(stderr,
+ }
--                "[exynos4210.pwm: bad write offset " TARGET_FMT_plx "]\n",
+@@ -XXX,XX +XXX,XX @@ static uint64_t imx6_ccm_get_ahb_clk(IMX6CCMState *dev)
--                offset);
+     freq = imx6_analog_get_periph_clk(dev)
-+        qemu_log_mask(LOG_GUEST_ERROR,
+            / (1 + EXTRACT(dev->ccm[CCM_CBCDR], AHB_PODF));
-+                      "exynos4210.pwm: bad write offset " TARGET_FMT_plx,
-+                      offset);
+-    DPRINTF("freq = %d\n", (uint32_t)freq);
-         break;
++    DPRINTF("freq = %u\n", (uint32_t)freq);
-     }
+     return freq;
-diff --git a/hw/timer/exynos4210_rtc.c b/hw/timer/exynos4210_rtc.c
+ }
-index XXXXXXX..XXXXXXX 100644
+@@ -XXX,XX +XXX,XX @@ static uint64_t imx6_ccm_get_ipg_clk(IMX6CCMState *dev)
---- a/hw/timer/exynos4210_rtc.c
+     freq = imx6_ccm_get_ahb_clk(dev)
-+++ b/hw/timer/exynos4210_rtc.c
+            / (1 + EXTRACT(dev->ccm[CCM_CBCDR], IPG_PODF));
-@@ -XXX,XX +XXX,XX @@
-  */
+-    DPRINTF("freq = %d\n", (uint32_t)freq);
++    DPRINTF("freq = %u\n", (uint32_t)freq);
- #include "qemu/osdep.h"
-+#include "qemu/log.h"
+     return freq;
- #include "hw/sysbus.h"
+ }
- #include "qemu/timer.h"
+@@ -XXX,XX +XXX,XX @@ static uint64_t imx6_ccm_get_per_clk(IMX6CCMState *dev)
- #include "qemu-common.h"
+     freq = imx6_ccm_get_ipg_clk(dev)
-@@ -XXX,XX +XXX,XX @@ static uint64_t exynos4210_rtc_read(void *opaque, hwaddr offset,
+            / (1 + EXTRACT(dev->ccm[CCM_CSCMR1], PERCLK_PODF));
-         break;
+-    DPRINTF("freq = %d\n", (uint32_t)freq);
-     default:
++    DPRINTF("freq = %u\n", (uint32_t)freq);
--        fprintf(stderr,
--                "[exynos4210.rtc: bad read offset " TARGET_FMT_plx "]\n",
+     return freq;
--                offset);
+ }
-+        qemu_log_mask(LOG_GUEST_ERROR,
+@@ -XXX,XX +XXX,XX @@ static uint32_t imx6_ccm_get_clock_frequency(IMXCCMState *dev, IMXClk clock)
 +                      "exynos4210.rtc: bad read offset " TARGET_FMT_plx,
 +                      offset);
          break;
      }
-     return value;
-@@ -XXX,XX +XXX,XX @@ static void exynos4210_rtc_write(void *opaque, hwaddr offset,
+-    DPRINTF("Clock = %d) = %d\n", clock, freq);
-         if (value > TICNT_THRESHOLD) {
++    DPRINTF("Clock = %d) = %u\n", clock, freq);
-             s->reg_ticcnt = value;
-         } else {
+     return freq;
--            fprintf(stderr,
+ }
--                    "[exynos4210.rtc: bad TICNT value %u ]\n",
+diff --git a/hw/misc/imx6_src.c b/hw/misc/imx6_src.c
--                    (uint32_t)value);
+index XXXXXXX..XXXXXXX 100644
-+            qemu_log_mask(LOG_GUEST_ERROR,
+--- a/hw/misc/imx6_src.c
-+                          "exynos4210.rtc: bad TICNT value %u",
++++ b/hw/misc/imx6_src.c
-+                          (uint32_t)value);
+@@ -XXX,XX +XXX,XX @@ static const char *imx6_src_reg_name(uint32_t reg)
-         }
+     case SRC_GPR10:
-         break;
+         return "SRC_GPR10";
@@ -XXX,XX +XXX,XX @@ static void exynos4210_rtc_write(void *opaque, hwaddr offset,
          break;
      default:
--        fprintf(stderr,
+-        sprintf(unknown, "%d ?", reg);
--                "[exynos4210.rtc: bad write offset " TARGET_FMT_plx "]\n",
++        sprintf(unknown, "%u ?", reg);
--                offset);
+         return unknown;
 +        qemu_log_mask(LOG_GUEST_ERROR,
 +                      "exynos4210.rtc: bad write offset " TARGET_FMT_plx,
 +                      offset);
          break;
      }
+ }
 --
-.7.4
+.20.1

-[Qemu-devel] [PULL 04/24] hw/misc/exynos4210_pmu: Reorder local variables for readability
+[PULL 11/36] i.MX6ul: Fix bad printf format specifiers
-From: Krzysztof Kozlowski <krzk@kernel.org>
+From: Alex Chen <alex.chen@huawei.com>
-Short declaration of 'i' was in the middle of declarations with
+We should use printf format specifier "%u" instead of "%d" for
-assignments.  Make it a little bit more readable.  Additionally switch
+argument of type "unsigned int".
 from "unsigned" to "unsigned int" as this pattern is more widely used.
 No functional change.
-Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Reported-by: Euler Robot <euler.robot@huawei.com>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Alex Chen <alex.chen@huawei.com>
-Message-id: 20170313184750.429-4-krzk@kernel.org
+Message-id: 20201126111109.112238-5-alex.chen@huawei.com
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/misc/exynos4210_pmu.c | 4 ++--
+ hw/misc/imx6ul_ccm.c | 4 ++--
 file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/hw/misc/exynos4210_pmu.c b/hw/misc/exynos4210_pmu.c
+diff --git a/hw/misc/imx6ul_ccm.c b/hw/misc/imx6ul_ccm.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/misc/exynos4210_pmu.c
+--- a/hw/misc/imx6ul_ccm.c
-+++ b/hw/misc/exynos4210_pmu.c
++++ b/hw/misc/imx6ul_ccm.c
-@@ -XXX,XX +XXX,XX @@ static uint64_t exynos4210_pmu_read(void *opaque, hwaddr offset,
+@@ -XXX,XX +XXX,XX @@ static const char *imx6ul_ccm_reg_name(uint32_t reg)
-                                     unsigned size)
+     case CCM_CMEOR:
- {
+         return "CMEOR";
-     Exynos4210PmuState *s = (Exynos4210PmuState *)opaque;
+     default:
--    unsigned i;
+-        sprintf(unknown, "%d ?", reg);
-     const Exynos4210PmuReg *reg_p = exynos4210_pmu_regs;
++        sprintf(unknown, "%u ?", reg);
-+    unsigned int i;
+         return unknown;
+     }
-     for (i = 0; i < PMU_NUM_OF_REGISTERS; i++) {
+ }
-         if (reg_p->offset == offset) {
+@@ -XXX,XX +XXX,XX @@ static const char *imx6ul_analog_reg_name(uint32_t reg)
-@@ -XXX,XX +XXX,XX @@ static void exynos4210_pmu_write(void *opaque, hwaddr offset,
+     case USB_ANALOG_DIGPROG:
-                                  uint64_t val, unsigned size)
+         return "USB_ANALOG_DIGPROG";
- {
+     default:
-     Exynos4210PmuState *s = (Exynos4210PmuState *)opaque;
+-        sprintf(unknown, "%d ?", reg);
--    unsigned i;
++        sprintf(unknown, "%u ?", reg);
-     const Exynos4210PmuReg *reg_p = exynos4210_pmu_regs;
+         return unknown;
-+    unsigned int i;
+     }
+ }
      for (i = 0; i < PMU_NUM_OF_REGISTERS; i++) {
          if (reg_p->offset == offset) {
 --
-.7.4
+.20.1

-New patch
+[PULL 12/36] hw/intc/armv7m_nvic: Make all of system PPB range be RAZWI/BusFault
+For M-profile CPUs, the range from 0xe0000000 to 0xe00fffff is the
+Private Peripheral Bus range, which includes all of the memory mapped
+devices and registers that are part of the CPU itself, including the
+NVIC, systick timer, and debug and trace components like the Data
+Watchpoint and Trace unit (DWT).  Within this large region, the range
+xe000e000 to 0xe000efff is the System Control Space (NVIC, system
+registers, systick) and 0xe002e000 to 0exe002efff is its Non-secure
+alias.
+The architecture is clear that within the SCS unimplemented registers
+should be RES0 for privileged accesses and generate BusFault for
+unprivileged accesses, and we currently implement this.
+It is less clear about how to handle accesses to unimplemented
+regions of the wider PPB.  Unprivileged accesses should definitely
+cause BusFaults (R_DQQS), but the behaviour of privileged accesses is
+not given as a general rule.  However, the register definitions of
+individual registers for components like the DWT all state that they
+are RES0 if the relevant component is not implemented, so the
+simplest way to provide that is to provide RAZ/WI for the whole range
+for privileged accesses.  (The v7M Arm ARM does say that reserved
+registers should be UNK/SBZP.)
+Expand the container MemoryRegion that the NVIC exposes so that
+it covers the whole PPB space. This means:
+ * moving the address that the ARMV7M device maps it to down by
+xe000 bytes
+ * moving the off and the offsets within the container of all the
+   subregions forward by 0xe000 bytes
+ * adding a new default MemoryRegion that covers the whole container
+   at a lower priority than anything else and which provides the
+   RAZWI/BusFault behaviour
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20201119215617.29887-2-peter.maydell@linaro.org
+---
+ include/hw/intc/armv7m_nvic.h |  1 +
+ hw/arm/armv7m.c               |  2 +-
+ hw/intc/armv7m_nvic.c         | 78 ++++++++++++++++++++++++++++++-----
+files changed, 69 insertions(+), 12 deletions(-)
+diff --git a/include/hw/intc/armv7m_nvic.h b/include/hw/intc/armv7m_nvic.h
+index XXXXXXX..XXXXXXX 100644
+--- a/include/hw/intc/armv7m_nvic.h
++++ b/include/hw/intc/armv7m_nvic.h
+@@ -XXX,XX +XXX,XX @@ struct NVICState {
+     MemoryRegion systickmem;
+     MemoryRegion systick_ns_mem;
+     MemoryRegion container;
++    MemoryRegion defaultmem;
+     uint32_t num_irq;
+     qemu_irq excpout;
+diff --git a/hw/arm/armv7m.c b/hw/arm/armv7m.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/armv7m.c
++++ b/hw/arm/armv7m.c
+@@ -XXX,XX +XXX,XX @@ static void armv7m_realize(DeviceState *dev, Error **errp)
+     sysbus_connect_irq(sbd, 0,
+                        qdev_get_gpio_in(DEVICE(s->cpu), ARM_CPU_IRQ));
+-    memory_region_add_subregion(&s->container, 0xe000e000,
++    memory_region_add_subregion(&s->container, 0xe0000000,
+                                 sysbus_mmio_get_region(sbd, 0));
+     for (i = 0; i < ARRAY_SIZE(s->bitband); i++) {
+diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/intc/armv7m_nvic.c
++++ b/hw/intc/armv7m_nvic.c
+@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps nvic_systick_ops = {
+     .endianness = DEVICE_NATIVE_ENDIAN,
+ };
++/*
++ * Unassigned portions of the PPB space are RAZ/WI for privileged
++ * accesses, and fault for non-privileged accesses.
++ */
++static MemTxResult ppb_default_read(void *opaque, hwaddr addr,
++                                    uint64_t *data, unsigned size,
++                                    MemTxAttrs attrs)
++{
++    qemu_log_mask(LOG_UNIMP, "Read of unassigned area of PPB: offset 0x%x\n",
++                  (uint32_t)addr);
++    if (attrs.user) {
++        return MEMTX_ERROR;
++    }
++    *data = 0;
++    return MEMTX_OK;
++}
++
++static MemTxResult ppb_default_write(void *opaque, hwaddr addr,
++                                     uint64_t value, unsigned size,
++                                     MemTxAttrs attrs)
++{
++    qemu_log_mask(LOG_UNIMP, "Write of unassigned area of PPB: offset 0x%x\n",
++                  (uint32_t)addr);
++    if (attrs.user) {
++        return MEMTX_ERROR;
++    }
++    return MEMTX_OK;
++}
++
++static const MemoryRegionOps ppb_default_ops = {
++    .read_with_attrs = ppb_default_read,
++    .write_with_attrs = ppb_default_write,
++    .endianness = DEVICE_NATIVE_ENDIAN,
++    .valid.min_access_size = 1,
++    .valid.max_access_size = 8,
++};
++
+ static int nvic_post_load(void *opaque, int version_id)
+ {
+     NVICState *s = opaque;
+@@ -XXX,XX +XXX,XX @@ static void nvic_systick_trigger(void *opaque, int n, int level)
+ static void armv7m_nvic_realize(DeviceState *dev, Error **errp)
+ {
+     NVICState *s = NVIC(dev);
+-    int regionlen;
+     /* The armv7m container object will have set our CPU pointer */
+     if (!s->cpu || !arm_feature(&s->cpu->env, ARM_FEATURE_M)) {
+@@ -XXX,XX +XXX,XX @@ static void armv7m_nvic_realize(DeviceState *dev, Error **errp)
+                                                   M_REG_S));
+     }
+-    /* The NVIC and System Control Space (SCS) starts at 0xe000e000
++    /*
++     * This device provides a single sysbus memory region which
++     * represents the whole of the "System PPB" space. This is the
++     * range from 0xe0000000 to 0xe00fffff and includes the NVIC,
++     * the System Control Space (system registers), the systick timer,
++     * and for CPUs with the Security extension an NS banked version
++     * of all of these.
++     *
++     * The default behaviour for unimplemented registers/ranges
++     * (for instance the Data Watchpoint and Trace unit at 0xe0001000)
++     * is to RAZ/WI for privileged access and BusFault for non-privileged
++     * access.
++     *
++     * The NVIC and System Control Space (SCS) starts at 0xe000e000
+      * and looks like this:
+      *  0x004 - ICTR
+      *  0x010 - 0xff - systick
+@@ -XXX,XX +XXX,XX @@ static void armv7m_nvic_realize(DeviceState *dev, Error **errp)
+      * generally code determining which banked register to use should
+      * use attrs.secure; code determining actual behaviour of the system
+      * should use env->v7m.secure.
++     *
++     * The container covers the whole PPB space. Within it the priority
++     * of overlapping regions is:
++     *  - default region (for RAZ/WI and BusFault) : -1
++     *  - system register regions : 0
++     *  - systick : 1
++     * This is because the systick device is a small block of registers
++     * in the middle of the other system control registers.
+      */
+-    regionlen = arm_feature(&s->cpu->env, ARM_FEATURE_V8) ? 0x21000 : 0x1000;
+-    memory_region_init(&s->container, OBJECT(s), "nvic", regionlen);
+-    /* The system register region goes at the bottom of the priority
+-     * stack as it covers the whole page.
+-     */
++    memory_region_init(&s->container, OBJECT(s), "nvic", 0x100000);
++    memory_region_init_io(&s->defaultmem, OBJECT(s), &ppb_default_ops, s,
++                          "nvic-default", 0x100000);
++    memory_region_add_subregion_overlap(&s->container, 0, &s->defaultmem, -1);
+     memory_region_init_io(&s->sysregmem, OBJECT(s), &nvic_sysreg_ops, s,
+                           "nvic_sysregs", 0x1000);
+-    memory_region_add_subregion(&s->container, 0, &s->sysregmem);
++    memory_region_add_subregion(&s->container, 0xe000, &s->sysregmem);
+     memory_region_init_io(&s->systickmem, OBJECT(s),
+                           &nvic_systick_ops, s,
+                           "nvic_systick", 0xe0);
+-    memory_region_add_subregion_overlap(&s->container, 0x10,
++    memory_region_add_subregion_overlap(&s->container, 0xe010,
+                                         &s->systickmem, 1);
+     if (arm_feature(&s->cpu->env, ARM_FEATURE_V8)) {
+         memory_region_init_io(&s->sysreg_ns_mem, OBJECT(s),
+                               &nvic_sysreg_ns_ops, &s->sysregmem,
+                               "nvic_sysregs_ns", 0x1000);
+-        memory_region_add_subregion(&s->container, 0x20000, &s->sysreg_ns_mem);
++        memory_region_add_subregion(&s->container, 0x2e000, &s->sysreg_ns_mem);
+         memory_region_init_io(&s->systick_ns_mem, OBJECT(s),
+                               &nvic_sysreg_ns_ops, &s->systickmem,
+                               "nvic_systick_ns", 0xe0);
+-        memory_region_add_subregion_overlap(&s->container, 0x20010,
++        memory_region_add_subregion_overlap(&s->container, 0x2e010,
+                                             &s->systick_ns_mem, 1);
+     }
+--
+.20.1

-[Qemu-devel] [PULL 16/24] arm: Don't implement BXJ on M-profile CPUs
+[PULL 13/36] target/arm: Implement v8.1M PXN extension
-For M-profile CPUs, the BXJ instruction does not exist at all, and
+In v8.1M the PXN architecture extension adds a new PXN bit to the
-the encoding should always UNDEF. We were accidentally implementing
+MPU_RLAR registers, which forbids execution of code in the region
-it to behave like A-profile BXJ; correct the error.
+from a privileged mode.
 This is another feature which is just in the generic "in v8.1M" set
 and has no ID register field indicating its presence.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Richard Henderson <rth@twiddle.net>
+Message-id: 20201119215617.29887-3-peter.maydell@linaro.org
 Message-id: 1491844419-12485-2-git-send-email-peter.maydell@linaro.org
 ---
- target/arm/translate.c | 7 ++++++-
+ target/arm/helper.c | 7 ++++++-
 file changed, 6 insertions(+), 1 deletion(-)
-diff --git a/target/arm/translate.c b/target/arm/translate.c
+diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate.c
+--- a/target/arm/helper.c
-+++ b/target/arm/translate.c
++++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static int disas_thumb2_insn(CPUARMState *env, DisasContext *s, uint16_t insn_hw
+@@ -XXX,XX +XXX,XX @@ bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address,
-                         }
+     } else {
-                         break;
+         uint32_t ap = extract32(env->pmsav8.rbar[secure][matchregion], 1, 2);
-                     case 4: /* bxj */
+         uint32_t xn = extract32(env->pmsav8.rbar[secure][matchregion], 0, 1);
--                        /* Trivial implementation equivalent to bx.  */
++        bool pxn = false;
-+                        /* Trivial implementation equivalent to bx.
++
-+                         * This instruction doesn't exist at all for M-profile.
++        if (arm_feature(env, ARM_FEATURE_V8_1M)) {
-+                         */
++            pxn = extract32(env->pmsav8.rlar[secure][matchregion], 4, 1);
-+                        if (arm_dc_feature(s, ARM_FEATURE_M)) {
++        }
-+                            goto illegal_op;
-+                        }
+         if (m_is_system_region(env, address)) {
-                         tmp = load_reg(s, rn);
+             /* System space is always execute never */
-                         gen_bx(s, tmp);
+@@ -XXX,XX +XXX,XX @@ bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address,
-                         break;
+         }
          *prot = simple_ap_to_rw_prot(env, mmu_idx, ap);
 -        if (*prot && !xn) {
 +        if (*prot && !xn && !(pxn && !is_user)) {
              *prot |= PAGE_EXEC;
          }
          /* We don't need to look the attribute up in the MAIR0/MAIR1
 --
-.7.4
+.20.1

-[Qemu-devel] [PULL 24/24] arm: Remove workarounds for old M-profile exception return implementation
+[PULL 14/36] target/arm: Don't clobber ID_PFR1.Security on M-profile cores
-Now that we've rewritten M-profile exception return so that the magic
+In arm_cpu_realizefn() we check whether the board code disabled EL3
-PC values are not visible to other parts of QEMU, we can delete the
+via the has_el3 CPU object property, which we create if the CPU
-special casing of them elsewhere.
+starts with the ARM_FEATURE_EL3 feature bit.  If it is disabled, then
 we turn off ARM_FEATURE_EL3 and also zero out the relevant fields in
 the ID_PFR1 and ID_AA64PFR0 registers.
 This codepath was incorrectly being taken for M-profile CPUs, which
 do not have an EL3 and don't set ARM_FEATURE_EL3, but which may have
 the M-profile Security extension and so should have non-zero values
 in the ID_PFR1.Security field.
 Restrict the handling of the feature flag to A/R-profile cores.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Richard Henderson <rth@twiddle.net>
+Message-id: 20201119215617.29887-4-peter.maydell@linaro.org
 Message-id: 1491844419-12485-10-git-send-email-peter.maydell@linaro.org
 ---
- target/arm/cpu.c       | 43 ++-----------------------------------------
+ target/arm/cpu.c | 2 +-
- target/arm/translate.c |  8 --------
+file changed, 1 insertion(+), 1 deletion(-)
 files changed, 2 insertions(+), 49 deletions(-)
 diff --git a/target/arm/cpu.c b/target/arm/cpu.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.c
 +++ b/target/arm/cpu.c
-@@ -XXX,XX +XXX,XX @@ bool arm_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
+@@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
  }
  #if !defined(CONFIG_USER_ONLY) || !defined(TARGET_AARCH64)
 -static void arm_v7m_unassigned_access(CPUState *cpu, hwaddr addr,
 -                                      bool is_write, bool is_exec, int opaque,
 -                                      unsigned size)
 -{
 -    ARMCPU *arm = ARM_CPU(cpu);
 -    CPUARMState *env = &arm->env;
 -
 -    /* ARMv7-M interrupt return works by loading a magic value into the PC.
 -     * On real hardware the load causes the return to occur.  The qemu
 -     * implementation performs the jump normally, then does the exception
 -     * return by throwing a special exception when when the CPU tries to
 -     * execute code at the magic address.
 -     */
 -    if (env->v7m.exception != 0 && addr >= 0xfffffff0 && is_exec) {
 -        cpu->exception_index = EXCP_EXCEPTION_EXIT;
 -        cpu_loop_exit(cpu);
 -    }
 -
 -    /* In real hardware an attempt to access parts of the address space
 -     * with nothing there will usually cause an external abort.
 -     * However our QEMU board models are often missing device models where
 -     * the guest can boot anyway with the default read-as-zero/writes-ignored
 -     * behaviour that you get without a QEMU unassigned_access hook.
 -     * So just return here to retain that default behaviour.
 -     */
 -}
 -
  static bool arm_v7m_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
  {
      CPUClass *cc = CPU_GET_CLASS(cs);
@@ -XXX,XX +XXX,XX @@ static bool arm_v7m_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
      CPUARMState *env = &cpu->env;
      bool ret = false;
 -    /* ARMv7-M interrupt return works by loading a magic value
 -     * into the PC.  On real hardware the load causes the
 -     * return to occur.  The qemu implementation performs the
 -     * jump normally, then does the exception return when the
 -     * CPU tries to execute code at the magic address.
 -     * This will cause the magic PC value to be pushed to
 -     * the stack if an interrupt occurred at the wrong time.
 -     * We avoid this by disabling interrupts when
 -     * pc contains a magic address.
 -     *
 -     * ARMv7-M interrupt masking works differently than -A or -R.
 +    /* ARMv7-M interrupt masking works differently than -A or -R.
       * There is no FIQ/IRQ distinction. Instead of I and F bits
       * masking FIQ and IRQ interrupts, an exception is taken only
       * if it is higher priority than the current execution priority
@@ -XXX,XX +XXX,XX @@ static bool arm_v7m_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
       * currently active exception).
       */
      if (interrupt_request & CPU_INTERRUPT_HARD
 -        && (armv7m_nvic_can_take_pending_exception(env->nvic))
 -        && (env->regs[15] < 0xfffffff0)) {
 +        && (armv7m_nvic_can_take_pending_exception(env->nvic))) {
          cs->exception_index = EXCP_IRQ;
          cc->do_interrupt(cs);
          ret = true;
@@ -XXX,XX +XXX,XX @@ static void arm_v7m_class_init(ObjectClass *oc, void *data)
      cc->do_interrupt = arm_v7m_cpu_do_interrupt;
  #endif
 -    cc->do_unassigned_access = arm_v7m_unassigned_access;
      cc->cpu_exec_interrupt = arm_v7m_cpu_exec_interrupt;
  }
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.c
 +++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ void gen_intermediate_code(CPUARMState *env, TranslationBlock *tb)
              dc->is_jmp = DISAS_EXC;
              break;
          }
--#else
+     }
--        if (arm_dc_feature(dc, ARM_FEATURE_M)) {
--            /* Branches to the magic exception-return addresses should
+-    if (!cpu->has_el3) {
--             * already have been caught via the arm_v7m_unassigned_access hook,
++    if (!arm_feature(env, ARM_FEATURE_M) && !cpu->has_el3) {
--             * and never get here.
+         /* If the has_el3 CPU property is disabled then we need to disable the
--             */
+          * feature.
--            assert(dc->pc < 0xfffffff0);
+          */
 -        }
  #endif
          if (unlikely(!QTAILQ_EMPTY(&cs->breakpoints))) {
 --
-.7.4
+.20.1

-[Qemu-devel] [PULL 19/24] arm: Move gen_set_condexec() and gen_set_pc_im() up in the file
+[PULL 15/36] target/arm: Implement VSCCLRM insn
-Move the utility routines gen_set_condexec() and gen_set_pc_im()
+Implement the v8.1M VSCCLRM insn, which zeros floating point
-up in the file, as we will want to use them from a function
+registers if there is an active floating point context.
-placed earlier in the file than their current location.
+This requires support in write_neon_element32() for the MO_32
 element size, so add it.
 Because we want to use arm_gen_condlabel(), we need to move
 the definition of that function up in translate.c so it is
 before the #include of translate-vfp.c.inc.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Richard Henderson <rth@twiddle.net>
+Message-id: 20201119215617.29887-5-peter.maydell@linaro.org
 Message-id: 1491844419-12485-5-git-send-email-peter.maydell@linaro.org
 ---
- target/arm/translate.c | 31 +++++++++++++++----------------
+ target/arm/cpu.h               |  9 ++++
-file changed, 15 insertions(+), 16 deletions(-)
+ target/arm/m-nocp.decode       |  8 +++-
+ target/arm/translate.c         | 21 +++++----
  target/arm/translate-vfp.c.inc | 84 ++++++++++++++++++++++++++++++++++
 files changed, 111 insertions(+), 11 deletions(-)
 diff --git a/target/arm/cpu.h b/target/arm/cpu.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.h
 +++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa32_mprofile(const ARMISARegisters *id)
      return FIELD_EX32(id->id_pfr1, ID_PFR1, MPROGMOD) != 0;
  }
 +static inline bool isar_feature_aa32_m_sec_state(const ARMISARegisters *id)
 +{
 +    /*
 +     * Return true if M-profile state handling insns
 +     * (VSCCLRM, CLRM, FPCTX access insns) are implemented
 +     */
 +    return FIELD_EX32(id->id_pfr1, ID_PFR1, SECURITY) >= 3;
 +}
 +
  static inline bool isar_feature_aa32_fp16_arith(const ARMISARegisters *id)
  {
      /* Sadly this is encoded differently for A-profile and M-profile */
 diff --git a/target/arm/m-nocp.decode b/target/arm/m-nocp.decode
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/m-nocp.decode
 +++ b/target/arm/m-nocp.decode
@@ -XXX,XX +XXX,XX @@
  # If the coprocessor is not present or disabled then we will generate
  # the NOCP exception; otherwise we let the insn through to the main decode.
 +%vd_dp  22:1 12:4
 +%vd_sp  12:4 22:1
 +
  &nocp cp
  {
    # Special cases which do not take an early NOCP: VLLDM and VLSTM
    VLLDM_VLSTM  1110 1100 001 l:1 rn:4 0000 1010 0000 0000
 -  # TODO: VSCCLRM (new in v8.1M) is similar:
 -  #VSCCLRM      1110 1100 1-01 1111 ---- 1011 ---- ---0
 +  # VSCCLRM (new in v8.1M) is similar:
 +  VSCCLRM      1110 1100 1.01 1111 .... 1011 imm:7 0   vd=%vd_dp size=3
 +  VSCCLRM      1110 1100 1.01 1111 .... 1010 imm:8     vd=%vd_sp size=2
    NOCP         111- 1110 ---- ---- ---- cp:4 ---- ---- &nocp
    NOCP         111- 110- ---- ---- ---- cp:4 ---- ---- &nocp
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.c
 +++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ static const uint8_t table_logic_cc[16] = {
+@@ -XXX,XX +XXX,XX @@ void arm_translate_init(void)
-, /* mvn */
+     a64_translate_init();
- };
+ }
-+static inline void gen_set_condexec(DisasContext *s)
++/* Generate a label used for skipping this instruction */
 +static void arm_gen_condlabel(DisasContext *s)
 +{
-+    if (s->condexec_mask) {
++    if (!s->condjmp) {
-+        uint32_t val = (s->condexec_cond << 4) | (s->condexec_mask >> 1);
++        s->condlabel = gen_new_label();
-+        TCGv_i32 tmp = tcg_temp_new_i32();
++        s->condjmp = 1;
 +        tcg_gen_movi_i32(tmp, val);
 +        store_cpu_field(tmp, condexec_bits);
 +    }
 +}
 +
-+static inline void gen_set_pc_im(DisasContext *s, target_ulong val)
+ /* Flags for the disas_set_da_iss info argument:
-+{
+  * lower bits hold the Rt register number, higher bits are flags.
-+    tcg_gen_movi_i32(cpu_R[15], val);
+  */
-+}
+@@ -XXX,XX +XXX,XX @@ static void write_neon_element64(TCGv_i64 src, int reg, int ele, MemOp memop)
-+
+     long off = neon_element_offset(reg, ele, memop);
- /* Set PC and Thumb state from an immediate address.  */
- static inline void gen_bx_im(DisasContext *s, uint32_t addr)
+     switch (memop) {
- {
++    case MO_32:
-@@ -XXX,XX +XXX,XX @@ DO_GEN_ST(8, MO_UB)
++        tcg_gen_st32_i64(src, cpu_env, off);
- DO_GEN_ST(16, MO_UW)
++        break;
- DO_GEN_ST(32, MO_UL)
+     case MO_64:
+         tcg_gen_st_i64(src, cpu_env, off);
--static inline void gen_set_pc_im(DisasContext *s, target_ulong val)
+         break;
@@ -XXX,XX +XXX,XX @@ static void gen_srs(DisasContext *s,
      s->base.is_jmp = DISAS_UPDATE_EXIT;
  }
 -/* Generate a label used for skipping this instruction */
 -static void arm_gen_condlabel(DisasContext *s)
 -{
--    tcg_gen_movi_i32(cpu_R[15], val);
+-    if (!s->condjmp) {
--}
+-        s->condlabel = gen_new_label();
--
+-        s->condjmp = 1;
  static inline void gen_hvc(DisasContext *s, int imm16)
  {
      /* The pre HVC helper handles cases when HVC gets trapped
@@ -XXX,XX +XXX,XX @@ static inline void gen_smc(DisasContext *s)
      s->is_jmp = DISAS_SMC;
  }
 -static inline void
 -gen_set_condexec (DisasContext *s)
 -{
 -    if (s->condexec_mask) {
 -        uint32_t val = (s->condexec_cond << 4) | (s->condexec_mask >> 1);
 -        TCGv_i32 tmp = tcg_temp_new_i32();
 -        tcg_gen_movi_i32(tmp, val);
 -        store_cpu_field(tmp, condexec_bits);
 -    }
 -}
 -
- static void gen_exception_internal_insn(DisasContext *s, int offset, int excp)
+ /* Skip this instruction if the ARM condition is false */
- {
+ static void arm_skip_unless(DisasContext *s, uint32_t cond)
-     gen_set_condexec(s);
+ {
 diff --git a/target/arm/translate-vfp.c.inc b/target/arm/translate-vfp.c.inc
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-vfp.c.inc
 +++ b/target/arm/translate-vfp.c.inc
@@ -XXX,XX +XXX,XX @@ static bool trans_VLLDM_VLSTM(DisasContext *s, arg_VLLDM_VLSTM *a)
      return true;
  }
 +static bool trans_VSCCLRM(DisasContext *s, arg_VSCCLRM *a)
 +{
 +    int btmreg, topreg;
 +    TCGv_i64 zero;
 +    TCGv_i32 aspen, sfpa;
 +
 +    if (!dc_isar_feature(aa32_m_sec_state, s)) {
 +        /* Before v8.1M, fall through in decode to NOCP check */
 +        return false;
 +    }
 +
 +    /* Explicitly UNDEF because this takes precedence over NOCP */
 +    if (!arm_dc_feature(s, ARM_FEATURE_M_MAIN) || !s->v8m_secure) {
 +        unallocated_encoding(s);
 +        return true;
 +    }
 +
 +    if (!dc_isar_feature(aa32_vfp_simd, s)) {
 +        /* NOP if we have neither FP nor MVE */
 +        return true;
 +    }
 +
 +    /*
 +     * If FPCCR.ASPEN != 0 && CONTROL_S.SFPA == 0 then there is no
 +     * active floating point context so we must NOP (without doing
 +     * any lazy state preservation or the NOCP check).
 +     */
 +    aspen = load_cpu_field(v7m.fpccr[M_REG_S]);
 +    sfpa = load_cpu_field(v7m.control[M_REG_S]);
 +    tcg_gen_andi_i32(aspen, aspen, R_V7M_FPCCR_ASPEN_MASK);
 +    tcg_gen_xori_i32(aspen, aspen, R_V7M_FPCCR_ASPEN_MASK);
 +    tcg_gen_andi_i32(sfpa, sfpa, R_V7M_CONTROL_SFPA_MASK);
 +    tcg_gen_or_i32(sfpa, sfpa, aspen);
 +    arm_gen_condlabel(s);
 +    tcg_gen_brcondi_i32(TCG_COND_EQ, sfpa, 0, s->condlabel);
 +
 +    if (s->fp_excp_el != 0) {
 +        gen_exception_insn(s, s->pc_curr, EXCP_NOCP,
 +                           syn_uncategorized(), s->fp_excp_el);
 +        return true;
 +    }
 +
 +    topreg = a->vd + a->imm - 1;
 +    btmreg = a->vd;
 +
 +    /* Convert to Sreg numbers if the insn specified in Dregs */
 +    if (a->size == 3) {
 +        topreg = topreg * 2 + 1;
 +        btmreg *= 2;
 +    }
 +
 +    if (topreg > 63 || (topreg > 31 && !(topreg & 1))) {
 +        /* UNPREDICTABLE: we choose to undef */
 +        unallocated_encoding(s);
 +        return true;
 +    }
 +
 +    /* Silently ignore requests to clear D16-D31 if they don't exist */
 +    if (topreg > 31 && !dc_isar_feature(aa32_simd_r32, s)) {
 +        topreg = 31;
 +    }
 +
 +    if (!vfp_access_check(s)) {
 +        return true;
 +    }
 +
 +    /* Zero the Sregs from btmreg to topreg inclusive. */
 +    zero = tcg_const_i64(0);
 +    if (btmreg & 1) {
 +        write_neon_element64(zero, btmreg >> 1, 1, MO_32);
 +        btmreg++;
 +    }
 +    for (; btmreg + 1 <= topreg; btmreg += 2) {
 +        write_neon_element64(zero, btmreg >> 1, 0, MO_64);
 +    }
 +    if (btmreg == topreg) {
 +        write_neon_element64(zero, btmreg >> 1, 0, MO_32);
 +        btmreg++;
 +    }
 +    assert(btmreg == topreg + 1);
 +    /* TODO: when MVE is implemented, zero VPR here */
 +    return true;
 +}
 +
  static bool trans_NOCP(DisasContext *s, arg_nocp *a)
  {
      /*
 --
-.7.4
+.20.1

-[Qemu-devel] [PULL 20/24] arm: Move condition-failed codepath generation out of if()
+[PULL 16/36] target/arm: Implement CLRM instruction
-Move the code to generate the "condition failed" instruction
+In v8.1M the new CLRM instruction allows zeroing an arbitrary set of
-codepath out of the if (singlestepping) {} else {}. This
+the general-purpose registers and APSR.  Implement this.
-will allow adding support for handling a new is_jmp type
-which can't be neatly split into "singlestepping case"
+The encoding is a subset of the LDMIA T2 encoding, using what would
-versus "not singlestepping case".
+be Rn=0b1111 (which UNDEFs for LDMIA).
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Richard Henderson <rth@twiddle.net>
+Message-id: 20201119215617.29887-6-peter.maydell@linaro.org
 Message-id: 1491844419-12485-6-git-send-email-peter.maydell@linaro.org
 ---
- target/arm/translate.c | 24 +++++++++++-------------
+ target/arm/t32.decode  |  6 +++++-
-file changed, 11 insertions(+), 13 deletions(-)
+ target/arm/translate.c | 38 ++++++++++++++++++++++++++++++++++++++
 files changed, 43 insertions(+), 1 deletion(-)
+diff --git a/target/arm/t32.decode b/target/arm/t32.decode
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/t32.decode
++++ b/target/arm/t32.decode
+@@ -XXX,XX +XXX,XX @@ UXTAB            1111 1010 0101 .... 1111 .... 10.. ....      @rrr_rot
+ STM_t32          1110 1000 10.0 .... ................         @ldstm i=1 b=0
+ STM_t32          1110 1001 00.0 .... ................         @ldstm i=0 b=1
+-LDM_t32          1110 1000 10.1 .... ................         @ldstm i=1 b=0
++{
++  # Rn=15 UNDEFs for LDM; M-profile CLRM uses that encoding
++  CLRM           1110 1000 1001 1111 list:16
++  LDM_t32        1110 1000 10.1 .... ................         @ldstm i=1 b=0
++}
+ LDM_t32          1110 1001 00.1 .... ................         @ldstm i=0 b=1
+ &rfe             !extern rn w pu
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.c
 +++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ void gen_intermediate_code(CPUARMState *env, TranslationBlock *tb)
+@@ -XXX,XX +XXX,XX @@ static bool trans_LDM_t16(DisasContext *s, arg_ldst_block *a)
-     /* At this stage dc->condjmp will only be set when the skipped
+     return do_ldm(s, a, 1);
-        instruction was a conditional branch or trap, and the PC has
+ }
-        already been written.  */
-+    gen_set_condexec(dc);
++static bool trans_CLRM(DisasContext *s, arg_CLRM *a)
-     if (unlikely(cs->singlestep_enabled || dc->ss_active)) {
++{
-         /* Unconditional and "condition passed" instruction codepath. */
++    int i;
--        gen_set_condexec(dc);
++    TCGv_i32 zero;
-         switch (dc->is_jmp) {
++
-         case DISAS_SWI:
++    if (!dc_isar_feature(aa32_m_sec_state, s)) {
-             gen_ss_advance(dc);
++        return false;
@@ -XXX,XX +XXX,XX @@ void gen_intermediate_code(CPUARMState *env, TranslationBlock *tb)
              /* FIXME: Single stepping a WFI insn will not halt the CPU. */
              gen_singlestep_exception(dc);
          }
 -        if (dc->condjmp) {
 -            /* "Condition failed" instruction codepath. */
 -            gen_set_label(dc->condlabel);
 -            gen_set_condexec(dc);
 -            gen_set_pc_im(dc, dc->pc);
 -            gen_singlestep_exception(dc);
 -        }
      } else {
          /* While branches must always occur at the end of an IT block,
             there are a few other things that can cause us to terminate
@@ -XXX,XX +XXX,XX @@ void gen_intermediate_code(CPUARMState *env, TranslationBlock *tb)
              - Hardware watchpoints.
             Hardware breakpoints have already been handled and skip this code.
           */
 -        gen_set_condexec(dc);
          switch(dc->is_jmp) {
          case DISAS_NEXT:
              gen_goto_tb(dc, 1, dc->pc);
@@ -XXX,XX +XXX,XX @@ void gen_intermediate_code(CPUARMState *env, TranslationBlock *tb)
              gen_exception(EXCP_SMC, syn_aa32_smc(), 3);
              break;
          }
 -        if (dc->condjmp) {
 -            gen_set_label(dc->condlabel);
 -            gen_set_condexec(dc);
 +    }
 +
-+    if (dc->condjmp) {
++    if (extract32(a->list, 13, 1)) {
-+        /* "Condition failed" instruction codepath for the branch/trap insn */
++        return false;
-+        gen_set_label(dc->condlabel);
++    }
-+        gen_set_condexec(dc);
++
-+        if (unlikely(cs->singlestep_enabled || dc->ss_active)) {
++    if (!a->list) {
-+            gen_set_pc_im(dc, dc->pc);
++        /* UNPREDICTABLE; we choose to UNDEF */
-+            gen_singlestep_exception(dc);
++        return false;
-+        } else {
++    }
-             gen_goto_tb(dc, 1, dc->pc);
++
--            dc->condjmp = 0;
++    zero = tcg_const_i32(0);
-         }
++    for (i = 0; i < 15; i++) {
-     }
++        if (extract32(a->list, i, 1)) {
++            /* Clear R[i] */
 +            tcg_gen_mov_i32(cpu_R[i], zero);
 +        }
 +    }
 +    if (extract32(a->list, 15, 1)) {
 +        /*
 +         * Clear APSR (by calling the MSR helper with the same argument
 +         * as for "MSR APSR_nzcvqg, Rn": mask = 0b1100, SYSM=0)
 +         */
 +        TCGv_i32 maskreg = tcg_const_i32(0xc << 8);
 +        gen_helper_v7m_msr(cpu_env, maskreg, zero);
 +        tcg_temp_free_i32(maskreg);
 +    }
 +    tcg_temp_free_i32(zero);
 +    return true;
 +}
 +
  /*
   * Branch, branch with link
   */
 --
-.7.4
+.20.1

-New patch
+[PULL 17/36] target/arm: Enforce M-profile VMRS/VMSR register restrictions
+For M-profile before v8.1M, the only valid register for VMSR/VMRS is
+the FPSCR.  We have a comment that states this, but the actual logic
+to forbid accesses for any other register value is missing, so we
+would end up with A-profile style behaviour.  Add the missing check.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20201119215617.29887-7-peter.maydell@linaro.org
+---
+ target/arm/translate-vfp.c.inc | 5 ++++-
+file changed, 4 insertions(+), 1 deletion(-)
+diff --git a/target/arm/translate-vfp.c.inc b/target/arm/translate-vfp.c.inc
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/translate-vfp.c.inc
++++ b/target/arm/translate-vfp.c.inc
+@@ -XXX,XX +XXX,XX @@ static bool trans_VMSR_VMRS(DisasContext *s, arg_VMSR_VMRS *a)
+          * Accesses to R15 are UNPREDICTABLE; we choose to undef.
+          * (FPSCR -> r15 is a special case which writes to the PSR flags.)
+          */
+-        if (a->rt == 15 && (!a->l || a->reg != ARM_VFP_FPSCR)) {
++        if (a->reg != ARM_VFP_FPSCR) {
++            return false;
++        }
++        if (a->rt == 15 && !a->l) {
+             return false;
+         }
+     }
+--
+.20.1

-New patch
+[PULL 18/36] target/arm: Refactor M-profile VMSR/VMRS handling
+Currently M-profile borrows the A-profile code for VMSR and VMRS
 (access to the FP system registers), because all it needs to support
 is the FPSCR.  In v8.1M things become significantly more complicated
 in two ways:
  * there are several new FP system registers; some have side effects
    on read, and one (FPCXT_NS) needs to avoid the usual
    vfp_access_check() and the "only if FPU implemented" check
  * all sysregs are now accessible both by VMRS/VMSR (which
    reads/writes a general purpose register) and also by VLDR/VSTR
    (which reads/writes them directly to memory)
 Refactor the structure of how we handle VMSR/VMRS to cope with this:
  * keep the M-profile code entirely separate from the A-profile code
  * abstract out the "read or write the general purpose register" part
    of the code into a loadfn or storefn function pointer, so we can
    reuse it for VLDR/VSTR.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20201119215617.29887-8-peter.maydell@linaro.org
 ---
  target/arm/cpu.h               |   3 +
  target/arm/translate-vfp.c.inc | 182 ++++++++++++++++++++++++++++++---
 files changed, 171 insertions(+), 14 deletions(-)
 diff --git a/target/arm/cpu.h b/target/arm/cpu.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.h
 +++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ enum arm_cpu_mode {
  #define ARM_VFP_FPINST  9
  #define ARM_VFP_FPINST2 10
 +/* QEMU-internal value meaning "FPSCR, but we care only about NZCV" */
 +#define QEMU_VFP_FPSCR_NZCV 0xffff
 +
  /* iwMMXt coprocessor control registers.  */
  #define ARM_IWMMXT_wCID  0
  #define ARM_IWMMXT_wCon  1
 diff --git a/target/arm/translate-vfp.c.inc b/target/arm/translate-vfp.c.inc
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-vfp.c.inc
 +++ b/target/arm/translate-vfp.c.inc
@@ -XXX,XX +XXX,XX @@ static bool trans_VDUP(DisasContext *s, arg_VDUP *a)
      return true;
  }
 +/*
 + * M-profile provides two different sets of instructions that can
 + * access floating point system registers: VMSR/VMRS (which move
 + * to/from a general purpose register) and VLDR/VSTR sysreg (which
 + * move directly to/from memory). In some cases there are also side
 + * effects which must happen after any write to memory (which could
 + * cause an exception). So we implement the common logic for the
 + * sysreg access in gen_M_fp_sysreg_write() and gen_M_fp_sysreg_read(),
 + * which take pointers to callback functions which will perform the
 + * actual "read/write general purpose register" and "read/write
 + * memory" operations.
 + */
 +
 +/*
 + * Emit code to store the sysreg to its final destination; frees the
 + * TCG temp 'value' it is passed.
 + */
 +typedef void fp_sysreg_storefn(DisasContext *s, void *opaque, TCGv_i32 value);
 +/*
 + * Emit code to load the value to be copied to the sysreg; returns
 + * a new TCG temporary
 + */
 +typedef TCGv_i32 fp_sysreg_loadfn(DisasContext *s, void *opaque);
 +
 +/* Common decode/access checks for fp sysreg read/write */
 +typedef enum FPSysRegCheckResult {
 +    FPSysRegCheckFailed, /* caller should return false */
 +    FPSysRegCheckDone, /* caller should return true */
 +    FPSysRegCheckContinue, /* caller should continue generating code */
 +} FPSysRegCheckResult;
 +
 +static FPSysRegCheckResult fp_sysreg_checks(DisasContext *s, int regno)
 +{
 +    if (!dc_isar_feature(aa32_fpsp_v2, s)) {
 +        return FPSysRegCheckFailed;
 +    }
 +
 +    switch (regno) {
 +    case ARM_VFP_FPSCR:
 +    case QEMU_VFP_FPSCR_NZCV:
 +        break;
 +    default:
 +        return FPSysRegCheckFailed;
 +    }
 +
 +    if (!vfp_access_check(s)) {
 +        return FPSysRegCheckDone;
 +    }
 +
 +    return FPSysRegCheckContinue;
 +}
 +
 +static bool gen_M_fp_sysreg_write(DisasContext *s, int regno,
 +
 +                                  fp_sysreg_loadfn *loadfn,
 +                                 void *opaque)
 +{
 +    /* Do a write to an M-profile floating point system register */
 +    TCGv_i32 tmp;
 +
 +    switch (fp_sysreg_checks(s, regno)) {
 +    case FPSysRegCheckFailed:
 +        return false;
 +    case FPSysRegCheckDone:
 +        return true;
 +    case FPSysRegCheckContinue:
 +        break;
 +    }
 +
 +    switch (regno) {
 +    case ARM_VFP_FPSCR:
 +        tmp = loadfn(s, opaque);
 +        gen_helper_vfp_set_fpscr(cpu_env, tmp);
 +        tcg_temp_free_i32(tmp);
 +        gen_lookup_tb(s);
 +        break;
 +    default:
 +        g_assert_not_reached();
 +    }
 +    return true;
 +}
 +
 +static bool gen_M_fp_sysreg_read(DisasContext *s, int regno,
 +                                fp_sysreg_storefn *storefn,
 +                                void *opaque)
 +{
 +    /* Do a read from an M-profile floating point system register */
 +    TCGv_i32 tmp;
 +
 +    switch (fp_sysreg_checks(s, regno)) {
 +    case FPSysRegCheckFailed:
 +        return false;
 +    case FPSysRegCheckDone:
 +        return true;
 +    case FPSysRegCheckContinue:
 +        break;
 +    }
 +
 +    switch (regno) {
 +    case ARM_VFP_FPSCR:
 +        tmp = tcg_temp_new_i32();
 +        gen_helper_vfp_get_fpscr(tmp, cpu_env);
 +        storefn(s, opaque, tmp);
 +        break;
 +    case QEMU_VFP_FPSCR_NZCV:
 +        /*
 +         * Read just NZCV; this is a special case to avoid the
 +         * helper call for the "VMRS to CPSR.NZCV" insn.
 +         */
 +        tmp = load_cpu_field(vfp.xregs[ARM_VFP_FPSCR]);
 +        tcg_gen_andi_i32(tmp, tmp, 0xf0000000);
 +        storefn(s, opaque, tmp);
 +        break;
 +    default:
 +        g_assert_not_reached();
 +    }
 +    return true;
 +}
 +
 +static void fp_sysreg_to_gpr(DisasContext *s, void *opaque, TCGv_i32 value)
 +{
 +    arg_VMSR_VMRS *a = opaque;
 +
 +    if (a->rt == 15) {
 +        /* Set the 4 flag bits in the CPSR */
 +        gen_set_nzcv(value);
 +        tcg_temp_free_i32(value);
 +    } else {
 +        store_reg(s, a->rt, value);
 +    }
 +}
 +
 +static TCGv_i32 gpr_to_fp_sysreg(DisasContext *s, void *opaque)
 +{
 +    arg_VMSR_VMRS *a = opaque;
 +
 +    return load_reg(s, a->rt);
 +}
 +
 +static bool gen_M_VMSR_VMRS(DisasContext *s, arg_VMSR_VMRS *a)
 +{
 +    /*
 +     * Accesses to R15 are UNPREDICTABLE; we choose to undef.
 +     * FPSCR -> r15 is a special case which writes to the PSR flags;
 +     * set a->reg to a special value to tell gen_M_fp_sysreg_read()
 +     * we only care about the top 4 bits of FPSCR there.
 +     */
 +    if (a->rt == 15) {
 +        if (a->l && a->reg == ARM_VFP_FPSCR) {
 +            a->reg = QEMU_VFP_FPSCR_NZCV;
 +        } else {
 +            return false;
 +        }
 +    }
 +
 +    if (a->l) {
 +        /* VMRS, move FP system register to gp register */
 +        return gen_M_fp_sysreg_read(s, a->reg, fp_sysreg_to_gpr, a);
 +    } else {
 +        /* VMSR, move gp register to FP system register */
 +        return gen_M_fp_sysreg_write(s, a->reg, gpr_to_fp_sysreg, a);
 +    }
 +}
 +
  static bool trans_VMSR_VMRS(DisasContext *s, arg_VMSR_VMRS *a)
  {
      TCGv_i32 tmp;
      bool ignore_vfp_enabled = false;
 -    if (!dc_isar_feature(aa32_fpsp_v2, s)) {
 -        return false;
 +    if (arm_dc_feature(s, ARM_FEATURE_M)) {
 +        return gen_M_VMSR_VMRS(s, a);
      }
 -    if (arm_dc_feature(s, ARM_FEATURE_M)) {
 -        /*
 -         * The only M-profile VFP vmrs/vmsr sysreg is FPSCR.
 -         * Accesses to R15 are UNPREDICTABLE; we choose to undef.
 -         * (FPSCR -> r15 is a special case which writes to the PSR flags.)
 -         */
 -        if (a->reg != ARM_VFP_FPSCR) {
 -            return false;
 -        }
 -        if (a->rt == 15 && !a->l) {
 -            return false;
 -        }
 +    if (!dc_isar_feature(aa32_fpsp_v2, s)) {
 +        return false;
      }
      switch (a->reg) {
 --
 .20.1

-[Qemu-devel] [PULL 21/24] arm: Abstract out "are we singlestepping" test to utility function
+[PULL 19/36] target/arm: Move general-use constant expanders up in translate.c
-We now test for "are we singlestepping" in several places and
+The constant-expander functions like negate, plus_2, etc, are
-it's not a trivial check because we need to care about both
+generally useful; move them up in translate.c so we can use them in
-architectural singlestep and QEMU gdbstub singlestep. We're
+the VFP/Neon decoders as well as in the A32/T32/T16 decoders.
 also about to add another place that needs to make this check,
 so pull the condition out into a function.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <rth@twiddle.net>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Message-id: 20201119215617.29887-9-peter.maydell@linaro.org
 Message-id: 1491844419-12485-7-git-send-email-peter.maydell@linaro.org
 ---
- target/arm/translate.c | 20 +++++++++++++++-----
+ target/arm/translate.c | 46 +++++++++++++++++++++++-------------------
-file changed, 15 insertions(+), 5 deletions(-)
+file changed, 25 insertions(+), 21 deletions(-)
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.c
 +++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ static void gen_singlestep_exception(DisasContext *s)
+@@ -XXX,XX +XXX,XX @@ static void arm_gen_condlabel(DisasContext *s)
      }
  }
-+static inline bool is_singlestepping(DisasContext *s)
++/*
 + * Constant expanders for the decoders.
 + */
 +
 +static int negate(DisasContext *s, int x)
 +{
-+    /* Return true if we are singlestepping either because of
++    return -x;
 +     * architectural singlestep or QEMU gdbstub singlestep. This does
 +     * not include the command line '-singlestep' mode which is rather
 +     * misnamed as it only means "one instruction per TB" and doesn't
 +     * affect the code we generate.
 +     */
 +    return s->singlestep_enabled || s->ss_active;
 +}
 +
- static void gen_smul_dual(TCGv_i32 a, TCGv_i32 b)
++static int plus_2(DisasContext *s, int x)
 +{
 +    return x + 2;
 +}
 +
 +static int times_2(DisasContext *s, int x)
 +{
 +    return x * 2;
 +}
 +
 +static int times_4(DisasContext *s, int x)
 +{
 +    return x * 4;
 +}
 +
  /* Flags for the disas_set_da_iss info argument:
   * lower bits hold the Rt register number, higher bits are flags.
   */
@@ -XXX,XX +XXX,XX @@ static void arm_skip_unless(DisasContext *s, uint32_t cond)
  /*
 - * Constant expanders for the decoders.
 + * Constant expanders used by T16/T32 decode
   */
 -static int negate(DisasContext *s, int x)
 -{
 -    return -x;
 -}
 -
 -static int plus_2(DisasContext *s, int x)
 -{
 -    return x + 2;
 -}
 -
 -static int times_2(DisasContext *s, int x)
 -{
 -    return x * 2;
 -}
 -
 -static int times_4(DisasContext *s, int x)
 -{
 -    return x * 4;
 -}
 -
  /* Return only the rotation part of T32ExpandImm.  */
  static int t32_expandimm_rot(DisasContext *s, int x)
  {
-     TCGv_i32 tmp1 = tcg_temp_new_i32();
-@@ -XXX,XX +XXX,XX @@ static inline void gen_goto_tb(DisasContext *s, int n, target_ulong dest)
- static inline void gen_jmp (DisasContext *s, uint32_t dest)
- {
--    if (unlikely(s->singlestep_enabled || s->ss_active)) {
-+    if (unlikely(is_singlestepping(s))) {
-         /* An indirect jump so that we still trigger the debug exception.  */
-         if (s->thumb)
-             dest |= 1;
-@@ -XXX,XX +XXX,XX @@ void gen_intermediate_code(CPUARMState *env, TranslationBlock *tb)
-             ((dc->pc >= next_page_start - 3) && insn_crosses_page(env, dc));
-     } while (!dc->is_jmp && !tcg_op_buf_full() &&
--             !cs->singlestep_enabled &&
-+             !is_singlestepping(dc) &&
-              !singlestep &&
--             !dc->ss_active &&
-              !end_of_page &&
-              num_insns < max_insns);
-@@ -XXX,XX +XXX,XX @@ void gen_intermediate_code(CPUARMState *env, TranslationBlock *tb)
-        instruction was a conditional branch or trap, and the PC has
-        already been written.  */
-     gen_set_condexec(dc);
--    if (unlikely(cs->singlestep_enabled || dc->ss_active)) {
-+    if (unlikely(is_singlestepping(dc))) {
-         /* Unconditional and "condition passed" instruction codepath. */
-         switch (dc->is_jmp) {
-         case DISAS_SWI:
-@@ -XXX,XX +XXX,XX @@ void gen_intermediate_code(CPUARMState *env, TranslationBlock *tb)
-         /* "Condition failed" instruction codepath for the branch/trap insn */
-         gen_set_label(dc->condlabel);
-         gen_set_condexec(dc);
--        if (unlikely(cs->singlestep_enabled || dc->ss_active)) {
-+        if (unlikely(is_singlestepping(dc))) {
-             gen_set_pc_im(dc, dc->pc);
-             gen_singlestep_exception(dc);
-         } else {
 --
-.7.4
+.20.1

-[Qemu-devel] [PULL 23/24] arm: Implement M profile exception return properly
+[PULL 20/36] target/arm: Implement VLDR/VSTR system register
-On M profile, return from exceptions happen when code in Handler mode
+Implement the new-in-v8.1M VLDR/VSTR variants which directly
-executes one of the following function call return instructions:
+read or write FP system registers to memory.
  * POP or LDM which loads the PC
  * LDR to PC
  * BX register
 and the new PC value is 0xFFxxxxxx.
 QEMU tries to implement this by not treating the instruction
 specially but then catching the attempt to execute from the magic
 address value.  This is not ideal, because:
  * there are guest visible differences from the architecturally
    specified behaviour (for instance jumping to 0xFFxxxxxx via a
    different instruction should not cause an exception return but it
    will in the QEMU implementation)
  * we have to account for it in various places (like refusing to take
    an interrupt if the PC is at a magic value, and making sure that
    the MPU doesn't deny execution at the magic value addresses)
 Drop these hacks, and instead implement exception return the way the
 architecture specifies -- by having the relevant instructions check
 for the magic value and raise the 'do an exception return' QEMU
 internal exception immediately.
 The effect on the generated code is minor:
  bx lr, old code (and new code for Thread mode):
   TCG:
    mov_i32 tmp5,r14
    movi_i32 tmp6,$0xfffffffffffffffe
    and_i32 pc,tmp5,tmp6
    movi_i32 tmp6,$0x1
    and_i32 tmp5,tmp5,tmp6
    st_i32 tmp5,env,$0x218
    exit_tb $0x0
    set_label $L0
    exit_tb $0x7f2aabd61993
   x86_64 generated code:
 x7f2aabe87019:  mov    %ebx,%ebp
 x7f2aabe8701b:  and    $0xfffffffffffffffe,%ebp
 x7f2aabe8701e:  mov    %ebp,0x3c(%r14)
 x7f2aabe87022:  and    $0x1,%ebx
 x7f2aabe87025:  mov    %ebx,0x218(%r14)
 x7f2aabe8702c:  xor    %eax,%eax
 x7f2aabe8702e:  jmpq   0x7f2aabe7c016
  bx lr, new code when in Handler mode:
   TCG:
    mov_i32 tmp5,r14
    movi_i32 tmp6,$0xfffffffffffffffe
    and_i32 pc,tmp5,tmp6
    movi_i32 tmp6,$0x1
    and_i32 tmp5,tmp5,tmp6
    st_i32 tmp5,env,$0x218
    movi_i32 tmp5,$0xffffffffff000000
    brcond_i32 pc,tmp5,geu,$L1
    exit_tb $0x0
    set_label $L1
    movi_i32 tmp5,$0x8
    call exception_internal,$0x0,$0,env,tmp5
   x86_64 generated code:
 x7fe8fa1264e3:  mov    %ebp,%ebx
 x7fe8fa1264e5:  and    $0xfffffffffffffffe,%ebx
 x7fe8fa1264e8:  mov    %ebx,0x3c(%r14)
 x7fe8fa1264ec:  and    $0x1,%ebp
 x7fe8fa1264ef:  mov    %ebp,0x218(%r14)
 x7fe8fa1264f6:  cmp    $0xff000000,%ebx
 x7fe8fa1264fc:  jae    0x7fe8fa126509
 x7fe8fa126502:  xor    %eax,%eax
 x7fe8fa126504:  jmpq   0x7fe8fa122016
 x7fe8fa126509:  mov    %r14,%rdi
 x7fe8fa12650c:  mov    $0x8,%esi
 x7fe8fa126511:  mov    $0x56095dbeccf5,%r10
 x7fe8fa12651b:  callq  *%r10
 which is a difference of one cmp/branch-not-taken. This will
 be lost in the noise of having to exit generated code and
 look up the next TB anyway.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <rth@twiddle.net>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Message-id: 20201119215617.29887-10-peter.maydell@linaro.org
 Message-id: 1491844419-12485-9-git-send-email-peter.maydell@linaro.org
 ---
- target/arm/translate.h |  4 +++
+ target/arm/vfp.decode          | 14 ++++++
- target/arm/translate.c | 66 +++++++++++++++++++++++++++++++++++++++++++++-----
+ target/arm/translate-vfp.c.inc | 91 ++++++++++++++++++++++++++++++++++
-files changed, 64 insertions(+), 6 deletions(-)
+files changed, 105 insertions(+)
-diff --git a/target/arm/translate.h b/target/arm/translate.h
+diff --git a/target/arm/vfp.decode b/target/arm/vfp.decode
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate.h
+--- a/target/arm/vfp.decode
-+++ b/target/arm/translate.h
++++ b/target/arm/vfp.decode
-@@ -XXX,XX +XXX,XX @@ static void disas_set_insn_syndrome(DisasContext *s, uint32_t syn)
+@@ -XXX,XX +XXX,XX @@ VLDR_VSTR_hp ---- 1101 u:1 .0 l:1 rn:4 .... 1001 imm:8      vd=%vd_sp
- #define DISAS_HVC 8
+ VLDR_VSTR_sp ---- 1101 u:1 .0 l:1 rn:4 .... 1010 imm:8      vd=%vd_sp
- #define DISAS_SMC 9
+ VLDR_VSTR_dp ---- 1101 u:1 .0 l:1 rn:4 .... 1011 imm:8      vd=%vd_dp
- #define DISAS_YIELD 10
-+/* M profile branch which might be an exception return (and so needs
++# M-profile VLDR/VSTR to sysreg
-+ * custom end-of-TB code)
++%vldr_sysreg 22:1 13:3
-+ */
++%imm7_0x4 0:7 !function=times_4
-+#define DISAS_BX_EXCRET 11
++
++&vldr_sysreg rn reg imm a w p
- #ifdef TARGET_AARCH64
++@vldr_sysreg .... ... . a:1 . . . rn:4 ... . ... .. ....... \
- void a64_translate_init(void);
++             reg=%vldr_sysreg imm=%imm7_0x4 &vldr_sysreg
-diff --git a/target/arm/translate.c b/target/arm/translate.c
++
 +# P=0 W=0 is SEE "Related encodings", so split into two patterns
 +VLDR_sysreg  ---- 110 1 . . w:1 1 .... ... 0 111 11 ....... @vldr_sysreg p=1
 +VLDR_sysreg  ---- 110 0 . . 1   1 .... ... 0 111 11 ....... @vldr_sysreg p=0 w=1
 +VSTR_sysreg  ---- 110 1 . . w:1 0 .... ... 0 111 11 ....... @vldr_sysreg p=1
 +VSTR_sysreg  ---- 110 0 . . 1   0 .... ... 0 111 11 ....... @vldr_sysreg p=0 w=1
 +
  # We split the load/store multiple up into two patterns to avoid
  # overlap with other insns in the "Advanced SIMD load/store and 64-bit move"
  # grouping:
 diff --git a/target/arm/translate-vfp.c.inc b/target/arm/translate-vfp.c.inc
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate.c
+--- a/target/arm/translate-vfp.c.inc
-+++ b/target/arm/translate.c
++++ b/target/arm/translate-vfp.c.inc
-@@ -XXX,XX +XXX,XX @@ static inline void gen_bx(DisasContext *s, TCGv_i32 var)
+@@ -XXX,XX +XXX,XX @@ static bool trans_VMSR_VMRS(DisasContext *s, arg_VMSR_VMRS *a)
-     store_cpu_field(var, thumb);
+     return true;
  }
-+/* Set PC and Thumb state from var. var is marked as dead.
++static void fp_sysreg_to_memory(DisasContext *s, void *opaque, TCGv_i32 value)
 + * For M-profile CPUs, include logic to detect exception-return
 + * branches and handle them. This is needed for Thumb POP/LDM to PC, LDR to PC,
 + * and BX reg, and no others, and happens only for code in Handler mode.
 + */
 +static inline void gen_bx_excret(DisasContext *s, TCGv_i32 var)
 +{
-+    /* Generate the same code here as for a simple bx, but flag via
++    arg_vldr_sysreg *a = opaque;
-+     * s->is_jmp that we need to do the rest of the work later.
++    uint32_t offset = a->imm;
-+     */
++    TCGv_i32 addr;
-+    gen_bx(s, var);
++
-+    if (s->v7m_handler_mode && arm_dc_feature(s, ARM_FEATURE_M)) {
++    if (!a->a) {
-+        s->is_jmp = DISAS_BX_EXCRET;
++        offset = - offset;
 +    }
 +
 +    addr = load_reg(s, a->rn);
 +    if (a->p) {
 +        tcg_gen_addi_i32(addr, addr, offset);
 +    }
 +
 +    if (s->v8m_stackcheck && a->rn == 13 && a->w) {
 +        gen_helper_v8m_stackcheck(cpu_env, addr);
 +    }
 +
 +    gen_aa32_st_i32(s, value, addr, get_mem_index(s),
 +                    MO_UL | MO_ALIGN | s->be_data);
 +    tcg_temp_free_i32(value);
 +
 +    if (a->w) {
 +        /* writeback */
 +        if (!a->p) {
 +            tcg_gen_addi_i32(addr, addr, offset);
 +        }
 +        store_reg(s, a->rn, addr);
 +    } else {
 +        tcg_temp_free_i32(addr);
 +    }
 +}
 +
-+static inline void gen_bx_excret_final_code(DisasContext *s)
++static TCGv_i32 memory_to_fp_sysreg(DisasContext *s, void *opaque)
 +{
-+    /* Generate the code to finish possible exception return and end the TB */
++    arg_vldr_sysreg *a = opaque;
-+    TCGLabel *excret_label = gen_new_label();
++    uint32_t offset = a->imm;
 +    TCGv_i32 addr;
 +    TCGv_i32 value = tcg_temp_new_i32();
 +
-+    /* Is the new PC value in the magic range indicating exception return? */
++    if (!a->a) {
-+    tcg_gen_brcondi_i32(TCG_COND_GEU, cpu_R[15], 0xff000000, excret_label);
++        offset = - offset;
-+    /* No: end the TB as we would for a DISAS_JMP */
++    }
-+    if (is_singlestepping(s)) {
++
-+        gen_singlestep_exception(s);
++    addr = load_reg(s, a->rn);
 +    if (a->p) {
 +        tcg_gen_addi_i32(addr, addr, offset);
 +    }
 +
 +    if (s->v8m_stackcheck && a->rn == 13 && a->w) {
 +        gen_helper_v8m_stackcheck(cpu_env, addr);
 +    }
 +
 +    gen_aa32_ld_i32(s, value, addr, get_mem_index(s),
 +                    MO_UL | MO_ALIGN | s->be_data);
 +
 +    if (a->w) {
 +        /* writeback */
 +        if (!a->p) {
 +            tcg_gen_addi_i32(addr, addr, offset);
 +        }
 +        store_reg(s, a->rn, addr);
 +    } else {
-+        tcg_gen_exit_tb(0);
++        tcg_temp_free_i32(addr);
 +    }
-+    gen_set_label(excret_label);
++    return value;
 +    /* Yes: this is an exception return.
 +     * At this point in runtime env->regs[15] and env->thumb will hold
 +     * the exception-return magic number, which do_v7m_exception_exit()
 +     * will read. Nothing else will be able to see those values because
 +     * the cpu-exec main loop guarantees that we will always go straight
 +     * from raising the exception to the exception-handling code.
 +     *
 +     * gen_ss_advance(s) does nothing on M profile currently but
 +     * calling it is conceptually the right thing as we have executed
 +     * this instruction (compare SWI, HVC, SMC handling).
 +     */
 +    gen_ss_advance(s);
 +    gen_exception_internal(EXCP_EXCEPTION_EXIT);
 +}
 +
- /* Variant of store_reg which uses branch&exchange logic when storing
++static bool trans_VLDR_sysreg(DisasContext *s, arg_vldr_sysreg *a)
-    to r15 in ARM architecture v7 and above. The source must be a temporary
++{
-    and will be marked as dead. */
++    if (!arm_dc_feature(s, ARM_FEATURE_V8_1M)) {
-@@ -XXX,XX +XXX,XX @@ static inline void store_reg_bx(DisasContext *s, int reg, TCGv_i32 var)
++        return false;
- static inline void store_reg_from_load(DisasContext *s, int reg, TCGv_i32 var)
++    }
 +    if (a->rn == 15) {
 +        return false;
 +    }
 +    return gen_M_fp_sysreg_write(s, a->reg, memory_to_fp_sysreg, a);
 +}
 +
 +static bool trans_VSTR_sysreg(DisasContext *s, arg_vldr_sysreg *a)
 +{
 +    if (!arm_dc_feature(s, ARM_FEATURE_V8_1M)) {
 +        return false;
 +    }
 +    if (a->rn == 15) {
 +        return false;
 +    }
 +    return gen_M_fp_sysreg_read(s, a->reg, fp_sysreg_to_memory, a);
 +}
 +
  static bool trans_VMOV_half(DisasContext *s, arg_VMOV_single *a)
  {
-     if (reg == 15 && ENABLE_ARCH_5) {
+     TCGv_i32 tmp;
 -        gen_bx(s, var);
 +        gen_bx_excret(s, var);
      } else {
          store_reg(s, reg, var);
      }
@@ -XXX,XX +XXX,XX @@ static int disas_thumb2_insn(CPUARMState *env, DisasContext *s, uint16_t insn_hw
                          tmp = tcg_temp_new_i32();
                          gen_aa32_ld32u(s, tmp, addr, get_mem_index(s));
                          if (i == 15) {
 -                            gen_bx(s, tmp);
 +                            gen_bx_excret(s, tmp);
                          } else if (i == rn) {
                              loaded_var = tmp;
                              loaded_base = 1;
@@ -XXX,XX +XXX,XX @@ static int disas_thumb2_insn(CPUARMState *env, DisasContext *s, uint16_t insn_hw
                  goto illegal_op;
              }
              if (rs == 15) {
 -                gen_bx(s, tmp);
 +                gen_bx_excret(s, tmp);
              } else {
                  store_reg(s, rs, tmp);
              }
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(CPUARMState *env, DisasContext *s)
                      tmp2 = tcg_temp_new_i32();
                      tcg_gen_movi_i32(tmp2, val);
                      store_reg(s, 14, tmp2);
 +                    gen_bx(s, tmp);
 +                } else {
 +                    /* Only BX works as exception-return, not BLX */
 +                    gen_bx_excret(s, tmp);
                  }
 -                /* already thumb, no need to check */
 -                gen_bx(s, tmp);
                  break;
              }
              break;
@@ -XXX,XX +XXX,XX @@ void gen_intermediate_code(CPUARMState *env, TranslationBlock *tb)
         instruction was a conditional branch or trap, and the PC has
         already been written.  */
      gen_set_condexec(dc);
 -    if (unlikely(is_singlestepping(dc))) {
 +    if (dc->is_jmp == DISAS_BX_EXCRET) {
 +        /* Exception return branches need some special case code at the
 +         * end of the TB, which is complex enough that it has to
 +         * handle the single-step vs not and the condition-failed
 +         * insn codepath itself.
 +         */
 +        gen_bx_excret_final_code(dc);
 +    } else if (unlikely(is_singlestepping(dc))) {
          /* Unconditional and "condition passed" instruction codepath. */
          switch (dc->is_jmp) {
          case DISAS_SWI:
 --
-.7.4
+.20.1

-New patch
+[PULL 21/36] target/arm: Implement M-profile FPSCR_nzcvqc
+v8.1M defines a new FP system register FPSCR_nzcvqc; this behaves
+like the existing FPSCR, except that it reads and writes only bits
+[31:27] of the FPSCR (the N, Z, C, V and QC flag bits).  (Unlike the
+FPSCR, the special case for Rt=15 of writing the CPSR.NZCV is not
+permitted.)
+Implement the register.  Since we don't yet implement MVE, we handle
+the QC bit as RES0, with todo comments for where we will need to add
+support later.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20201119215617.29887-11-peter.maydell@linaro.org
+---
+ target/arm/cpu.h               | 13 +++++++++++++
+ target/arm/translate-vfp.c.inc | 27 +++++++++++++++++++++++++++
+files changed, 40 insertions(+)
+diff --git a/target/arm/cpu.h b/target/arm/cpu.h
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/cpu.h
++++ b/target/arm/cpu.h
+@@ -XXX,XX +XXX,XX @@ void vfp_set_fpscr(CPUARMState *env, uint32_t val);
+ #define FPCR_FZ     (1 << 24)   /* Flush-to-zero enable bit */
+ #define FPCR_DN     (1 << 25)   /* Default NaN enable bit */
+ #define FPCR_QC     (1 << 27)   /* Cumulative saturation bit */
++#define FPCR_V      (1 << 28)   /* FP overflow flag */
++#define FPCR_C      (1 << 29)   /* FP carry flag */
++#define FPCR_Z      (1 << 30)   /* FP zero flag */
++#define FPCR_N      (1 << 31)   /* FP negative flag */
++
++#define FPCR_NZCV_MASK (FPCR_N | FPCR_Z | FPCR_C | FPCR_V)
++#define FPCR_NZCVQC_MASK (FPCR_NZCV_MASK | FPCR_QC)
+ static inline uint32_t vfp_get_fpsr(CPUARMState *env)
+ {
+@@ -XXX,XX +XXX,XX @@ enum arm_cpu_mode {
+ #define ARM_VFP_FPEXC   8
+ #define ARM_VFP_FPINST  9
+ #define ARM_VFP_FPINST2 10
++/* These ones are M-profile only */
++#define ARM_VFP_FPSCR_NZCVQC 2
++#define ARM_VFP_VPR 12
++#define ARM_VFP_P0 13
++#define ARM_VFP_FPCXT_NS 14
++#define ARM_VFP_FPCXT_S 15
+ /* QEMU-internal value meaning "FPSCR, but we care only about NZCV" */
+ #define QEMU_VFP_FPSCR_NZCV 0xffff
+diff --git a/target/arm/translate-vfp.c.inc b/target/arm/translate-vfp.c.inc
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/translate-vfp.c.inc
++++ b/target/arm/translate-vfp.c.inc
+@@ -XXX,XX +XXX,XX @@ static FPSysRegCheckResult fp_sysreg_checks(DisasContext *s, int regno)
+     case ARM_VFP_FPSCR:
+     case QEMU_VFP_FPSCR_NZCV:
+         break;
++    case ARM_VFP_FPSCR_NZCVQC:
++        if (!arm_dc_feature(s, ARM_FEATURE_V8_1M)) {
++            return false;
++        }
++        break;
+     default:
+         return FPSysRegCheckFailed;
+     }
+@@ -XXX,XX +XXX,XX @@ static bool gen_M_fp_sysreg_write(DisasContext *s, int regno,
+         tcg_temp_free_i32(tmp);
+         gen_lookup_tb(s);
+         break;
++    case ARM_VFP_FPSCR_NZCVQC:
++    {
++        TCGv_i32 fpscr;
++        tmp = loadfn(s, opaque);
++        /*
++         * TODO: when we implement MVE, write the QC bit.
++         * For non-MVE, QC is RES0.
++         */
++        tcg_gen_andi_i32(tmp, tmp, FPCR_NZCV_MASK);
++        fpscr = load_cpu_field(vfp.xregs[ARM_VFP_FPSCR]);
++        tcg_gen_andi_i32(fpscr, fpscr, ~FPCR_NZCV_MASK);
++        tcg_gen_or_i32(fpscr, fpscr, tmp);
++        store_cpu_field(fpscr, vfp.xregs[ARM_VFP_FPSCR]);
++        tcg_temp_free_i32(tmp);
++        break;
++    }
+     default:
+         g_assert_not_reached();
+     }
+@@ -XXX,XX +XXX,XX @@ static bool gen_M_fp_sysreg_read(DisasContext *s, int regno,
+         gen_helper_vfp_get_fpscr(tmp, cpu_env);
+         storefn(s, opaque, tmp);
+         break;
++    case ARM_VFP_FPSCR_NZCVQC:
++        /*
++         * TODO: MVE has a QC bit, which we probably won't store
++         * in the xregs[] field. For non-MVE, where QC is RES0,
++         * we can just fall through to the FPSCR_NZCV case.
++         */
+     case QEMU_VFP_FPSCR_NZCV:
+         /*
+          * Read just NZCV; this is a special case to avoid the
+--
+.20.1

-[Qemu-devel] [PULL 11/24] cadence_gem: Read the correct queue descriptor
+[PULL 22/36] target/arm: Use new FPCR_NZCV_MASK constant
-From: Alistair Francis <alistair.francis@xilinx.com>
+We defined a constant name for the mask of NZCV bits in the FPCR/FPSCR
 in the previous commit; use it in a couple of places in existing code,
 where we're masking out everything except NZCV for the "load to Rt=15
 sets CPSR.NZCV" special case.
-Read the correct descriptor instead of hardcoding the first (q=0).
-Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 988b183dcf951856d8b3379f7e911ec95233bbf4.1491947224.git.alistair.francis@xilinx.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20201119215617.29887-12-peter.maydell@linaro.org
 ---
- hw/net/cadence_gem.c | 4 ++--
+ target/arm/translate-vfp.c.inc | 4 ++--
 file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c
+diff --git a/target/arm/translate-vfp.c.inc b/target/arm/translate-vfp.c.inc
 index XXXXXXX..XXXXXXX 100644
---- a/hw/net/cadence_gem.c
+--- a/target/arm/translate-vfp.c.inc
-+++ b/hw/net/cadence_gem.c
++++ b/target/arm/translate-vfp.c.inc
-@@ -XXX,XX +XXX,XX @@ static void gem_get_rx_desc(CadenceGEMState *s, int q)
+@@ -XXX,XX +XXX,XX @@ static bool gen_M_fp_sysreg_read(DisasContext *s, int regno,
- {
+          * helper call for the "VMRS to CPSR.NZCV" insn.
-     DB_PRINT("read descriptor 0x%x\n", (unsigned)s->rx_desc_addr[q]);
+          */
-     /* read current descriptor */
+         tmp = load_cpu_field(vfp.xregs[ARM_VFP_FPSCR]);
--    cpu_physical_memory_read(s->rx_desc_addr[0],
+-        tcg_gen_andi_i32(tmp, tmp, 0xf0000000);
--                             (uint8_t *)s->rx_desc[0], sizeof(s->rx_desc[0]));
++        tcg_gen_andi_i32(tmp, tmp, FPCR_NZCV_MASK);
-+    cpu_physical_memory_read(s->rx_desc_addr[q],
+         storefn(s, opaque, tmp);
-+                             (uint8_t *)s->rx_desc[q], sizeof(s->rx_desc[q]));
+         break;
+     default:
-     /* Descriptor owned by software ? */
+@@ -XXX,XX +XXX,XX @@ static bool trans_VMSR_VMRS(DisasContext *s, arg_VMSR_VMRS *a)
-     if (rx_desc_get_ownership(s->rx_desc[q]) == 1) {
+         case ARM_VFP_FPSCR:
              if (a->rt == 15) {
                  tmp = load_cpu_field(vfp.xregs[ARM_VFP_FPSCR]);
 -                tcg_gen_andi_i32(tmp, tmp, 0xf0000000);
 +                tcg_gen_andi_i32(tmp, tmp, FPCR_NZCV_MASK);
              } else {
                  tmp = tcg_temp_new_i32();
                  gen_helper_vfp_get_fpscr(tmp, cpu_env);
 --
-.7.4
+.20.1

-[Qemu-devel] [PULL 18/24] arm: Factor out "generate right kind of step exception"
+[PULL 23/36] target/arm: Factor out preserve-fp-state from full_vfp_access_check()
-We currently have two places that do:
+Factor out the code which handles M-profile lazy FP state preservation
-            if (dc->ss_active) {
+from full_vfp_access_check(); accesses to the FPCXT_NS register are
-                gen_step_complete_exception(dc);
+a special case which need to do just this part (corresponding in the
-            } else {
+pseudocode to the PreserveFPState() function), and not the full
-                gen_exception_internal(EXCP_DEBUG);
+set of actions matching the pseudocode ExecuteFPCheck() which
-            }
+normal FP instructions need to do.
 Factor this out into its own function, as we're about to add
 a third place that needs the same logic.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Reviewed-by: Richard Henderson <rth@twiddle.net>
+Message-id: 20201119215617.29887-13-peter.maydell@linaro.org
 Message-id: 1491844419-12485-4-git-send-email-peter.maydell@linaro.org
 ---
- target/arm/translate.c | 28 ++++++++++++++++------------
+ target/arm/translate-vfp.c.inc | 45 ++++++++++++++++++++--------------
-file changed, 16 insertions(+), 12 deletions(-)
+file changed, 27 insertions(+), 18 deletions(-)
-diff --git a/target/arm/translate.c b/target/arm/translate.c
+diff --git a/target/arm/translate-vfp.c.inc b/target/arm/translate-vfp.c.inc
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate.c
+--- a/target/arm/translate-vfp.c.inc
-+++ b/target/arm/translate.c
++++ b/target/arm/translate-vfp.c.inc
-@@ -XXX,XX +XXX,XX @@ static void gen_step_complete_exception(DisasContext *s)
+@@ -XXX,XX +XXX,XX @@ static inline long vfp_f16_offset(unsigned reg, bool top)
-     s->is_jmp = DISAS_EXC;
+     return offs;
  }
-+static void gen_singlestep_exception(DisasContext *s)
++/*
 + * Generate code for M-profile lazy FP state preservation if needed;
 + * this corresponds to the pseudocode PreserveFPState() function.
 + */
 +static void gen_preserve_fp_state(DisasContext *s)
 +{
-+    /* Generate the right kind of exception for singlestep, which is
++    if (s->v7m_lspact) {
-+     * either the architectural singlestep or EXCP_DEBUG for QEMU's
++        /*
-+     * gdb singlestepping.
++         * Lazy state saving affects external memory and also the NVIC,
-+     */
++         * so we must mark it as an IO operation for icount (and cause
-+    if (s->ss_active) {
++         * this to be the last insn in the TB).
-+        gen_step_complete_exception(s);
++         */
-+    } else {
++        if (tb_cflags(s->base.tb) & CF_USE_ICOUNT) {
-+        gen_exception_internal(EXCP_DEBUG);
++            s->base.is_jmp = DISAS_UPDATE_EXIT;
 +            gen_io_start();
 +        }
 +        gen_helper_v7m_preserve_fp_state(cpu_env);
 +        /*
 +         * If the preserve_fp_state helper doesn't throw an exception
 +         * then it will clear LSPACT; we don't need to repeat this for
 +         * any further FP insns in this TB.
 +         */
 +        s->v7m_lspact = false;
 +    }
 +}
 +
- static void gen_smul_dual(TCGv_i32 a, TCGv_i32 b)
+ /*
- {
+  * Check that VFP access is enabled. If it is, do the necessary
-     TCGv_i32 tmp1 = tcg_temp_new_i32();
+  * M-profile lazy-FP handling and then return true.
-@@ -XXX,XX +XXX,XX @@ void gen_intermediate_code(CPUARMState *env, TranslationBlock *tb)
+@@ -XXX,XX +XXX,XX @@ static bool full_vfp_access_check(DisasContext *s, bool ignore_vfp_enabled)
-             gen_set_pc_im(dc, dc->pc);
+         /* Handle M-profile lazy FP state mechanics */
-             /* fall through */
-         default:
+         /* Trigger lazy-state preservation if necessary */
--            if (dc->ss_active) {
+-        if (s->v7m_lspact) {
--                gen_step_complete_exception(dc);
+-            /*
--            } else {
+-             * Lazy state saving affects external memory and also the NVIC,
--                /* FIXME: Single stepping a WFI insn will not halt
+-             * so we must mark it as an IO operation for icount (and cause
--                   the CPU.  */
+-             * this to be the last insn in the TB).
--                gen_exception_internal(EXCP_DEBUG);
+-             */
 -            if (tb_cflags(s->base.tb) & CF_USE_ICOUNT) {
 -                s->base.is_jmp = DISAS_UPDATE_EXIT;
 -                gen_io_start();
 -            }
-+            /* FIXME: Single stepping a WFI insn will not halt the CPU. */
+-            gen_helper_v7m_preserve_fp_state(cpu_env);
-+            gen_singlestep_exception(dc);
+-            /*
-         }
+-             * If the preserve_fp_state helper doesn't throw an exception
-         if (dc->condjmp) {
+-             * then it will clear LSPACT; we don't need to repeat this for
-             /* "Condition failed" instruction codepath. */
+-             * any further FP insns in this TB.
-             gen_set_label(dc->condlabel);
+-             */
-             gen_set_condexec(dc);
+-            s->v7m_lspact = false;
-             gen_set_pc_im(dc, dc->pc);
+-        }
--            if (dc->ss_active) {
++        gen_preserve_fp_state(s);
--                gen_step_complete_exception(dc);
--            } else {
+         /* Update ownership of FP context: set FPCCR.S to match current state */
--                gen_exception_internal(EXCP_DEBUG);
+         if (s->v8m_fpccr_s_wrong) {
 -            }
 +            gen_singlestep_exception(dc);
          }
      } else {
          /* While branches must always occur at the end of an IT block,
 --
-.7.4
+.20.1

-New patch
+[PULL 24/36] target/arm: Implement FPCXT_S fp system register
+Implement the new-in-v8.1M FPCXT_S floating point system register.
+This is for saving and restoring the secure floating point context,
+and it reads and writes bits [27:0] from the FPSCR and the
+CONTROL.SFPA bit in bit [31].
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20201119215617.29887-14-peter.maydell@linaro.org
+---
+ target/arm/translate-vfp.c.inc | 58 ++++++++++++++++++++++++++++++++++
+file changed, 58 insertions(+)
+diff --git a/target/arm/translate-vfp.c.inc b/target/arm/translate-vfp.c.inc
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/translate-vfp.c.inc
++++ b/target/arm/translate-vfp.c.inc
+@@ -XXX,XX +XXX,XX @@ static FPSysRegCheckResult fp_sysreg_checks(DisasContext *s, int regno)
+             return false;
+         }
+         break;
++    case ARM_VFP_FPCXT_S:
++        if (!arm_dc_feature(s, ARM_FEATURE_V8_1M)) {
++            return false;
++        }
++        if (!s->v8m_secure) {
++            return false;
++        }
++        break;
+     default:
+         return FPSysRegCheckFailed;
+     }
+@@ -XXX,XX +XXX,XX @@ static bool gen_M_fp_sysreg_write(DisasContext *s, int regno,
+         tcg_temp_free_i32(tmp);
+         break;
+     }
++    case ARM_VFP_FPCXT_S:
++    {
++        TCGv_i32 sfpa, control, fpscr;
++        /* Set FPSCR[27:0] and CONTROL.SFPA from value */
++        tmp = loadfn(s, opaque);
++        sfpa = tcg_temp_new_i32();
++        tcg_gen_shri_i32(sfpa, tmp, 31);
++        control = load_cpu_field(v7m.control[M_REG_S]);
++        tcg_gen_deposit_i32(control, control, sfpa,
++                            R_V7M_CONTROL_SFPA_SHIFT, 1);
++        store_cpu_field(control, v7m.control[M_REG_S]);
++        fpscr = load_cpu_field(vfp.xregs[ARM_VFP_FPSCR]);
++        tcg_gen_andi_i32(fpscr, fpscr, FPCR_NZCV_MASK);
++        tcg_gen_andi_i32(tmp, tmp, ~FPCR_NZCV_MASK);
++        tcg_gen_or_i32(fpscr, fpscr, tmp);
++        store_cpu_field(fpscr, vfp.xregs[ARM_VFP_FPSCR]);
++        tcg_temp_free_i32(tmp);
++        tcg_temp_free_i32(sfpa);
++        break;
++    }
+     default:
+         g_assert_not_reached();
+     }
+@@ -XXX,XX +XXX,XX @@ static bool gen_M_fp_sysreg_read(DisasContext *s, int regno,
+         tcg_gen_andi_i32(tmp, tmp, FPCR_NZCV_MASK);
+         storefn(s, opaque, tmp);
+         break;
++    case ARM_VFP_FPCXT_S:
++    {
++        TCGv_i32 control, sfpa, fpscr;
++        /* Bits [27:0] from FPSCR, bit [31] from CONTROL.SFPA */
++        tmp = tcg_temp_new_i32();
++        sfpa = tcg_temp_new_i32();
++        gen_helper_vfp_get_fpscr(tmp, cpu_env);
++        tcg_gen_andi_i32(tmp, tmp, ~FPCR_NZCV_MASK);
++        control = load_cpu_field(v7m.control[M_REG_S]);
++        tcg_gen_andi_i32(sfpa, control, R_V7M_CONTROL_SFPA_MASK);
++        tcg_gen_shli_i32(sfpa, sfpa, 31 - R_V7M_CONTROL_SFPA_SHIFT);
++        tcg_gen_or_i32(tmp, tmp, sfpa);
++        tcg_temp_free_i32(sfpa);
++        /*
++         * Store result before updating FPSCR etc, in case
++         * it is a memory write which causes an exception.
++         */
++        storefn(s, opaque, tmp);
++        /*
++         * Now we must reset FPSCR from FPDSCR_NS, and clear
++         * CONTROL.SFPA; so we'll end the TB here.
++         */
++        tcg_gen_andi_i32(control, control, ~R_V7M_CONTROL_SFPA_MASK);
++        store_cpu_field(control, v7m.control[M_REG_S]);
++        fpscr = load_cpu_field(v7m.fpdscr[M_REG_NS]);
++        gen_helper_vfp_set_fpscr(cpu_env, fpscr);
++        tcg_temp_free_i32(fpscr);
++        gen_lookup_tb(s);
++        break;
++    }
+     default:
+         g_assert_not_reached();
+     }
+--
+.20.1

-[Qemu-devel] [PULL 22/24] arm: Track M profile handler mode state in TB flags
+[PULL 25/36] hw/intc/armv7m_nvic: Update FPDSCR masking for v8.1M
-For M profile exception-return handling we'd like to generate different
+The FPDSCR register has a similar layout to the FPSCR.  In v8.1M it
-code for some instructions depending on whether we are in Handler
+gains new fields FZ16 (if half-precision floating point is supported)
-mode or Thread mode. This isn't the same as "are we privileged
+and LTPSIZE (always reads as 4).  Update the reset value and the code
-or user", so we need an extra bit in the TB flags to distinguish.
+that handles writes to this register accordingly.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <rth@twiddle.net>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Message-id: 20201119215617.29887-16-peter.maydell@linaro.org
 Message-id: 1491844419-12485-8-git-send-email-peter.maydell@linaro.org
 ---
- target/arm/cpu.h       | 9 +++++++++
+ target/arm/cpu.h      | 5 +++++
- target/arm/translate.h | 1 +
+ hw/intc/armv7m_nvic.c | 9 ++++++++-
- target/arm/translate.c | 1 +
+ target/arm/cpu.c      | 3 +++
-files changed, 11 insertions(+)
+files changed, 16 insertions(+), 1 deletion(-)
 diff --git a/target/arm/cpu.h b/target/arm/cpu.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.h
 +++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ static inline bool arm_cpu_data_is_big_endian(CPUARMState *env)
+@@ -XXX,XX +XXX,XX @@ void vfp_set_fpscr(CPUARMState *env, uint32_t val);
- #define ARM_TBFLAG_NS_MASK          (1 << ARM_TBFLAG_NS_SHIFT)
+ #define FPCR_IXE    (1 << 12)   /* Inexact exception trap enable */
- #define ARM_TBFLAG_BE_DATA_SHIFT    20
+ #define FPCR_IDE    (1 << 15)   /* Input Denormal exception trap enable */
- #define ARM_TBFLAG_BE_DATA_MASK     (1 << ARM_TBFLAG_BE_DATA_SHIFT)
+ #define FPCR_FZ16   (1 << 19)   /* ARMv8.2+, FP16 flush-to-zero */
-+/* For M profile only, Handler (ie not Thread) mode */
++#define FPCR_RMODE_MASK (3 << 22) /* Rounding mode */
-+#define ARM_TBFLAG_HANDLER_SHIFT    21
+ #define FPCR_FZ     (1 << 24)   /* Flush-to-zero enable bit */
-+#define ARM_TBFLAG_HANDLER_MASK     (1 << ARM_TBFLAG_HANDLER_SHIFT)
+ #define FPCR_DN     (1 << 25)   /* Default NaN enable bit */
++#define FPCR_AHP    (1 << 26)   /* Alternative half-precision */
- /* Bit usage when in AArch64 state */
+ #define FPCR_QC     (1 << 27)   /* Cumulative saturation bit */
- #define ARM_TBFLAG_TBI0_SHIFT 0        /* TBI0 for EL0/1 or TBI for EL2/3 */
+ #define FPCR_V      (1 << 28)   /* FP overflow flag */
-@@ -XXX,XX +XXX,XX @@ static inline bool arm_cpu_data_is_big_endian(CPUARMState *env)
+ #define FPCR_C      (1 << 29)   /* FP carry flag */
-     (((F) & ARM_TBFLAG_NS_MASK) >> ARM_TBFLAG_NS_SHIFT)
+ #define FPCR_Z      (1 << 30)   /* FP zero flag */
- #define ARM_TBFLAG_BE_DATA(F) \
+ #define FPCR_N      (1 << 31)   /* FP negative flag */
-     (((F) & ARM_TBFLAG_BE_DATA_MASK) >> ARM_TBFLAG_BE_DATA_SHIFT)
-+#define ARM_TBFLAG_HANDLER(F) \
++#define FPCR_LTPSIZE_SHIFT 16   /* LTPSIZE, M-profile only */
-+    (((F) & ARM_TBFLAG_HANDLER_MASK) >> ARM_TBFLAG_HANDLER_SHIFT)
++#define FPCR_LTPSIZE_MASK (7 << FPCR_LTPSIZE_SHIFT)
  #define ARM_TBFLAG_TBI0(F) \
      (((F) & ARM_TBFLAG_TBI0_MASK) >> ARM_TBFLAG_TBI0_SHIFT)
  #define ARM_TBFLAG_TBI1(F) \
@@ -XXX,XX +XXX,XX @@ static inline void cpu_get_tb_cpu_state(CPUARMState *env, target_ulong *pc,
      }
      *flags |= fp_exception_el(env) << ARM_TBFLAG_FPEXC_EL_SHIFT;
 +    if (env->v7m.exception != 0) {
 +        *flags |= ARM_TBFLAG_HANDLER_MASK;
 +    }
 +
-     *cs_base = 0;
+ #define FPCR_NZCV_MASK (FPCR_N | FPCR_Z | FPCR_C | FPCR_V)
- }
+ #define FPCR_NZCVQC_MASK (FPCR_NZCV_MASK | FPCR_QC)
-diff --git a/target/arm/translate.h b/target/arm/translate.h
+diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate.h
+--- a/hw/intc/armv7m_nvic.c
-+++ b/target/arm/translate.h
++++ b/hw/intc/armv7m_nvic.c
-@@ -XXX,XX +XXX,XX @@ typedef struct DisasContext {
+@@ -XXX,XX +XXX,XX @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value,
-     bool vfp_enabled; /* FP enabled via FPSCR.EN */
+         break;
-     int vec_len;
+     case 0xf3c: /* FPDSCR */
-     int vec_stride;
+         if (cpu_isar_feature(aa32_vfp_simd, cpu)) {
-+    bool v7m_handler_mode;
+-            value &= 0x07c00000;
-     /* Immediate value in AArch32 SVC insn; must be set if is_jmp == DISAS_SWI
++            uint32_t mask = FPCR_AHP | FPCR_DN | FPCR_FZ | FPCR_RMODE_MASK;
-      * so that top level loop can generate correct syndrome information.
++            if (cpu_isar_feature(any_fp16, cpu)) {
-      */
++                mask |= FPCR_FZ16;
-diff --git a/target/arm/translate.c b/target/arm/translate.c
++            }
 +            value &= mask;
 +            if (cpu_isar_feature(aa32_lob, cpu)) {
 +                value |= 4 << FPCR_LTPSIZE_SHIFT;
 +            }
              cpu->env.v7m.fpdscr[attrs.secure] = value;
          }
          break;
 diff --git a/target/arm/cpu.c b/target/arm/cpu.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate.c
+--- a/target/arm/cpu.c
-+++ b/target/arm/translate.c
++++ b/target/arm/cpu.c
-@@ -XXX,XX +XXX,XX @@ void gen_intermediate_code(CPUARMState *env, TranslationBlock *tb)
+@@ -XXX,XX +XXX,XX @@ static void arm_cpu_reset(DeviceState *dev)
-     dc->vec_len = ARM_TBFLAG_VECLEN(tb->flags);
+              * always reset to 4.
-     dc->vec_stride = ARM_TBFLAG_VECSTRIDE(tb->flags);
+              */
-     dc->c15_cpar = ARM_TBFLAG_XSCALE_CPAR(tb->flags);
+             env->v7m.ltpsize = 4;
-+    dc->v7m_handler_mode = ARM_TBFLAG_HANDLER(tb->flags);
++            /* The LTPSIZE field in FPDSCR is constant and reads as 4. */
-     dc->cp_regs = cpu->cp_regs;
++            env->v7m.fpdscr[M_REG_NS] = 4 << FPCR_LTPSIZE_SHIFT;
-     dc->features = env->features;
++            env->v7m.fpdscr[M_REG_S] = 4 << FPCR_LTPSIZE_SHIFT;
+         }
          if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
 --
-.7.4
+.20.1

-New patch
+[PULL 26/36] target/arm: For v8.1M, always clear R0-R3, R12, APSR, EPSR on exception entry
+In v8.0M, on exception entry the registers R0-R3, R12, APSR and EPSR
+are zeroed for an exception taken to Non-secure state; for an
+exception taken to Secure state they become UNKNOWN, and we chose to
+leave them at their previous values.
+In v8.1M the behaviour is specified more tightly and these registers
+are always zeroed regardless of the security state that the exception
+targets (see rule R_KPZV).  Implement this.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20201119215617.29887-17-peter.maydell@linaro.org
+---
+ target/arm/m_helper.c | 16 ++++++++++++----
+file changed, 12 insertions(+), 4 deletions(-)
+diff --git a/target/arm/m_helper.c b/target/arm/m_helper.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/m_helper.c
++++ b/target/arm/m_helper.c
+@@ -XXX,XX +XXX,XX @@ static void v7m_exception_taken(ARMCPU *cpu, uint32_t lr, bool dotailchain,
+          * Clear registers if necessary to prevent non-secure exception
+          * code being able to see register values from secure code.
+          * Where register values become architecturally UNKNOWN we leave
+-         * them with their previous values.
++         * them with their previous values. v8.1M is tighter than v8.0M
++         * here and always zeroes the caller-saved registers regardless
++         * of the security state the exception is targeting.
+          */
+         if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
+-            if (!targets_secure) {
++            if (!targets_secure || arm_feature(env, ARM_FEATURE_V8_1M)) {
+                 /*
+                  * Always clear the caller-saved registers (they have been
+                  * pushed to the stack earlier in v7m_push_stack()).
+@@ -XXX,XX +XXX,XX @@ static void v7m_exception_taken(ARMCPU *cpu, uint32_t lr, bool dotailchain,
+                  * v7m_push_callee_stack()).
+                  */
+                 int i;
++                /*
++                 * r4..r11 are callee-saves, zero only if background
++                 * state was Secure (EXCRET.S == 1) and exception
++                 * targets Non-secure state
++                 */
++                bool zero_callee_saves = !targets_secure &&
++                    (lr & R_V7M_EXCRET_S_MASK);
+                 for (i = 0; i < 13; i++) {
+-                    /* r4..r11 are callee-saves, zero only if EXCRET.S == 1 */
+-                    if (i < 4 || i > 11 || (lr & R_V7M_EXCRET_S_MASK)) {
++                    if (i < 4 || i > 11 || zero_callee_saves) {
+                         env->regs[i] = 0;
+                     }
+                 }
+--
+.20.1

-[Qemu-devel] [PULL 08/24] stellaris: Don't hw_error() on bad register accesses
+[PULL 27/36] target/arm: In v8.1M, don't set HFSR.FORCED on vector table fetch failures
-Current recommended style is to log a guest error on bad register
+In v8.1M, vector table fetch failures don't set HFSR.FORCED (see rule
-accesses, not kill the whole system with hw_error().  Change the
+R_LLRP).  (In previous versions of the architecture this was either
-hw_error() calls to log as LOG_GUEST_ERROR or LOG_UNIMP or use
+required or IMPDEF.)
 g_assert_not_reached() as appropriate.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 1491486314-25823-1-git-send-email-peter.maydell@linaro.org
+Message-id: 20201119215617.29887-18-peter.maydell@linaro.org
 ---
- hw/arm/stellaris.c | 60 +++++++++++++++++++++++++++++++++---------------------
+ target/arm/m_helper.c | 6 +++++-
-file changed, 37 insertions(+), 23 deletions(-)
+file changed, 5 insertions(+), 1 deletion(-)
-diff --git a/hw/arm/stellaris.c b/hw/arm/stellaris.c
+diff --git a/target/arm/m_helper.c b/target/arm/m_helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/stellaris.c
+--- a/target/arm/m_helper.c
-+++ b/hw/arm/stellaris.c
++++ b/target/arm/m_helper.c
-@@ -XXX,XX +XXX,XX @@ static void gptm_reload(gptm_state *s, int n, int reset)
+@@ -XXX,XX +XXX,XX @@ load_fail:
-     } else if (s->mode[n] == 0xa) {
+      * The HardFault is Secure if BFHFNMINS is 0 (meaning that all HFs are
-         /* PWM mode.  Not implemented.  */
+      * secure); otherwise it targets the same security state as the
-     } else {
+      * underlying exception.
--        hw_error("TODO: 16-bit timer mode 0x%x\n", s->mode[n]);
++     * In v8.1M HardFaults from vector table fetch fails don't set FORCED.
-+        qemu_log_mask(LOG_UNIMP,
+      */
-+                      "GPTM: 16-bit timer mode unimplemented: 0x%x\n",
+     if (!(cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK)) {
-+                      s->mode[n]);
+         exc_secure = true;
 +        return;
      }
-     s->tick[n] = tick;
+-    env->v7m.hfsr |= R_V7M_HFSR_VECTTBL_MASK | R_V7M_HFSR_FORCED_MASK;
-     timer_mod(s->timer[n], tick);
++    env->v7m.hfsr |= R_V7M_HFSR_VECTTBL_MASK;
-@@ -XXX,XX +XXX,XX @@ static void gptm_tick(void *opaque)
++    if (!arm_feature(env, ARM_FEATURE_V8_1M)) {
-     } else if (s->mode[n] == 0xa) {
++        env->v7m.hfsr |= R_V7M_HFSR_FORCED_MASK;
-         /* PWM mode.  Not implemented.  */
++    }
-     } else {
+     armv7m_nvic_set_pending_derived(env->nvic, ARMV7M_EXCP_HARD, exc_secure);
--        hw_error("TODO: 16-bit timer mode 0x%x\n", s->mode[n]);
+     return false;
 +        qemu_log_mask(LOG_UNIMP,
 +                      "GPTM: 16-bit timer mode unimplemented: 0x%x\n",
 +                      s->mode[n]);
      }
      gptm_update_irq(s);
  }
@@ -XXX,XX +XXX,XX @@ static void gptm_write(void *opaque, hwaddr offset,
          s->match_prescale[0] = value;
          break;
      default:
 -        hw_error("gptm_write: Bad offset 0x%x\n", (int)offset);
 +        qemu_log_mask(LOG_GUEST_ERROR,
 +                      "GPTM: read at bad offset 0x%x\n", (int)offset);
      }
      gptm_update_irq(s);
  }
@@ -XXX,XX +XXX,XX @@ static int ssys_board_class(const ssys_state *s)
          }
          /* for unknown classes, fall through */
      default:
 -        hw_error("ssys_board_class: Unknown class 0x%08x\n", did0);
 +        /* This can only happen if the hardwired constant did0 value
 +         * in this board's stellaris_board_info struct is wrong.
 +         */
 +        g_assert_not_reached();
      }
  }
@@ -XXX,XX +XXX,XX @@ static uint64_t ssys_read(void *opaque, hwaddr offset,
              case DID0_CLASS_SANDSTORM:
                  return pllcfg_sandstorm[xtal];
              default:
 -                hw_error("ssys_read: Unhandled class for PLLCFG read.\n");
 -                return 0;
 +                g_assert_not_reached();
              }
          }
      case 0x070: /* RCC2 */
@@ -XXX,XX +XXX,XX @@ static uint64_t ssys_read(void *opaque, hwaddr offset,
      case 0x1e4: /* USER1 */
          return s->user1;
      default:
 -        hw_error("ssys_read: Bad offset 0x%x\n", (int)offset);
 +        qemu_log_mask(LOG_GUEST_ERROR,
 +                      "SSYS: read at bad offset 0x%x\n", (int)offset);
          return 0;
      }
  }
@@ -XXX,XX +XXX,XX @@ static void ssys_write(void *opaque, hwaddr offset,
          s->ldoarst = value;
          break;
      default:
 -        hw_error("ssys_write: Bad offset 0x%x\n", (int)offset);
 +        qemu_log_mask(LOG_GUEST_ERROR,
 +                      "SSYS: write at bad offset 0x%x\n", (int)offset);
      }
      ssys_update(s);
  }
@@ -XXX,XX +XXX,XX @@ static uint64_t stellaris_i2c_read(void *opaque, hwaddr offset,
      case 0x20: /* MCR */
          return s->mcr;
      default:
 -        hw_error("strllaris_i2c_read: Bad offset 0x%x\n", (int)offset);
 +        qemu_log_mask(LOG_GUEST_ERROR,
 +                      "stellaris_i2c: read at bad offset 0x%x\n", (int)offset);
          return 0;
      }
  }
@@ -XXX,XX +XXX,XX @@ static void stellaris_i2c_write(void *opaque, hwaddr offset,
          s->mris &= ~value;
          break;
      case 0x20: /* MCR */
 -        if (value & 1)
 -            hw_error(
 -                      "stellaris_i2c_write: Loopback not implemented\n");
 -        if (value & 0x20)
 -            hw_error(
 -                      "stellaris_i2c_write: Slave mode not implemented\n");
 +        if (value & 1) {
 +            qemu_log_mask(LOG_UNIMP, "stellaris_i2c: Loopback not implemented");
 +        }
 +        if (value & 0x20) {
 +            qemu_log_mask(LOG_UNIMP,
 +                          "stellaris_i2c: Slave mode not implemented");
 +        }
          s->mcr = value & 0x31;
          break;
      default:
 -        hw_error("stellaris_i2c_write: Bad offset 0x%x\n",
 -                  (int)offset);
 +        qemu_log_mask(LOG_GUEST_ERROR,
 +                      "stellaris_i2c: write at bad offset 0x%x\n", (int)offset);
      }
      stellaris_i2c_update(s);
  }
@@ -XXX,XX +XXX,XX @@ static uint64_t stellaris_adc_read(void *opaque, hwaddr offset,
      case 0x30: /* SAC */
          return s->sac;
      default:
 -        hw_error("strllaris_adc_read: Bad offset 0x%x\n",
 -                  (int)offset);
 +        qemu_log_mask(LOG_GUEST_ERROR,
 +                      "stellaris_adc: read at bad offset 0x%x\n", (int)offset);
          return 0;
      }
  }
@@ -XXX,XX +XXX,XX @@ static void stellaris_adc_write(void *opaque, hwaddr offset,
              return;
          case 0x04: /* SSCTL */
              if (value != 6) {
 -                hw_error("ADC: Unimplemented sequence %" PRIx64 "\n",
 -                          value);
 +                qemu_log_mask(LOG_UNIMP,
 +                              "ADC: Unimplemented sequence %" PRIx64 "\n",
 +                              value);
              }
              s->ssctl[n] = value;
              return;
@@ -XXX,XX +XXX,XX @@ static void stellaris_adc_write(void *opaque, hwaddr offset,
          s->sspri = value;
          break;
      case 0x28: /* PSSI */
 -        hw_error("Not implemented:  ADC sample initiate\n");
 +        qemu_log_mask(LOG_UNIMP, "ADC: sample initiate unimplemented");
          break;
      case 0x30: /* SAC */
          s->sac = value;
          break;
      default:
 -        hw_error("stellaris_adc_write: Bad offset 0x%x\n", (int)offset);
 +        qemu_log_mask(LOG_GUEST_ERROR,
 +                      "stellaris_adc: write at bad offset 0x%x\n", (int)offset);
      }
      stellaris_adc_update(s);
  }
 --
-.7.4
+.20.1

-New patch
+[PULL 28/36] target/arm: Implement v8.1M REVIDR register
+In v8.1M a REVIDR register is defined, which is at address 0xe00ecfc
+and is a read-only IMPDEF register providing implementation specific
+minor revision information, like the v8A REVIDR_EL1. Implement this.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20201119215617.29887-19-peter.maydell@linaro.org
+---
+ hw/intc/armv7m_nvic.c | 5 +++++
+file changed, 5 insertions(+)
+diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/intc/armv7m_nvic.c
++++ b/hw/intc/armv7m_nvic.c
+@@ -XXX,XX +XXX,XX @@ static uint32_t nvic_readl(NVICState *s, uint32_t offset, MemTxAttrs attrs)
+         }
+         return val;
+     }
++    case 0xcfc:
++        if (!arm_feature(&cpu->env, ARM_FEATURE_V8_1M)) {
++            goto bad_offset;
++        }
++        return cpu->revidr;
+     case 0xd00: /* CPUID Base.  */
+         return cpu->midr;
+     case 0xd04: /* Interrupt Control State (ICSR) */
+--
+.20.1

-New patch
+[PULL 29/36] target/arm: Implement new v8.1M NOCP check for exception return
+In v8.1M a new exception return check is added which may cause a NOCP
+UsageFault (see rule R_XLTP): before we clear s0..s15 and the FPSCR
+we must check whether access to CP10 from the Security state of the
+returning exception is disabled; if it is then we must take a fault.
+(Note that for our implementation CPPWR is always RAZ/WI and so can
+never cause CP10 accesses to fail.)
+The other v8.1M change to this register-clearing code is that if MVE
+is implemented VPR must also be cleared, so add a TODO comment to
+that effect.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20201119215617.29887-20-peter.maydell@linaro.org
+---
+ target/arm/m_helper.c | 22 +++++++++++++++++++++-
+file changed, 21 insertions(+), 1 deletion(-)
+diff --git a/target/arm/m_helper.c b/target/arm/m_helper.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/m_helper.c
++++ b/target/arm/m_helper.c
+@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
+             v7m_exception_taken(cpu, excret, true, false);
+             return;
+         } else {
+-            /* Clear s0..s15 and FPSCR */
++            if (arm_feature(env, ARM_FEATURE_V8_1M)) {
++                /* v8.1M adds this NOCP check */
++                bool nsacr_pass = exc_secure ||
++                    extract32(env->v7m.nsacr, 10, 1);
++                bool cpacr_pass = v7m_cpacr_pass(env, exc_secure, true);
++                if (!nsacr_pass) {
++                    armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, true);
++                    env->v7m.cfsr[M_REG_S] |= R_V7M_CFSR_NOCP_MASK;
++                    qemu_log_mask(CPU_LOG_INT, "...taking UsageFault on existing "
++                        "stackframe: NSACR prevents clearing FPU registers\n");
++                    v7m_exception_taken(cpu, excret, true, false);
++                } else if (!cpacr_pass) {
++                    armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE,
++                                            exc_secure);
++                    env->v7m.cfsr[exc_secure] |= R_V7M_CFSR_NOCP_MASK;
++                    qemu_log_mask(CPU_LOG_INT, "...taking UsageFault on existing "
++                        "stackframe: CPACR prevents clearing FPU registers\n");
++                    v7m_exception_taken(cpu, excret, true, false);
++                }
++            }
++            /* Clear s0..s15 and FPSCR; TODO also VPR when MVE is implemented */
+             int i;
+             for (i = 0; i < 16; i += 2) {
+--
+.20.1

-New patch
+[PULL 30/36] target/arm: Implement new v8.1M VLLDM and VLSTM encodings
+v8.1M adds new encodings of VLLDM and VLSTM (where bit 7 is set).
+The only difference is that:
+ * the old T1 encodings UNDEF if the implementation implements 32
+   Dregs (this is currently architecturally impossible for M-profile)
+ * the new T2 encodings have the implementation-defined option to
+   read from memory (discarding the data) or write UNKNOWN values to
+   memory for the stack slots that would be D16-D31
+We choose not to make those accesses, so for us the two
+instructions behave identically assuming they don't UNDEF.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20201119215617.29887-21-peter.maydell@linaro.org
+---
+ target/arm/m-nocp.decode       |  2 +-
+ target/arm/translate-vfp.c.inc | 25 +++++++++++++++++++++++++
+files changed, 26 insertions(+), 1 deletion(-)
+diff --git a/target/arm/m-nocp.decode b/target/arm/m-nocp.decode
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/m-nocp.decode
++++ b/target/arm/m-nocp.decode
+@@ -XXX,XX +XXX,XX @@
+ {
+   # Special cases which do not take an early NOCP: VLLDM and VLSTM
+-  VLLDM_VLSTM  1110 1100 001 l:1 rn:4 0000 1010 0000 0000
++  VLLDM_VLSTM  1110 1100 001 l:1 rn:4 0000 1010 op:1 000 0000
+   # VSCCLRM (new in v8.1M) is similar:
+   VSCCLRM      1110 1100 1.01 1111 .... 1011 imm:7 0   vd=%vd_dp size=3
+   VSCCLRM      1110 1100 1.01 1111 .... 1010 imm:8     vd=%vd_sp size=2
+diff --git a/target/arm/translate-vfp.c.inc b/target/arm/translate-vfp.c.inc
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/translate-vfp.c.inc
++++ b/target/arm/translate-vfp.c.inc
+@@ -XXX,XX +XXX,XX @@ static bool trans_VLLDM_VLSTM(DisasContext *s, arg_VLLDM_VLSTM *a)
+         !arm_dc_feature(s, ARM_FEATURE_V8)) {
+         return false;
+     }
++
++    if (a->op) {
++        /*
++         * T2 encoding ({D0-D31} reglist): v8.1M and up. We choose not
++         * to take the IMPDEF option to make memory accesses to the stack
++         * slots that correspond to the D16-D31 registers (discarding
++         * read data and writing UNKNOWN values), so for us the T2
++         * encoding behaves identically to the T1 encoding.
++         */
++        if (!arm_dc_feature(s, ARM_FEATURE_V8_1M)) {
++            return false;
++        }
++    } else {
++        /*
++         * T1 encoding ({D0-D15} reglist); undef if we have 32 Dregs.
++         * This is currently architecturally impossible, but we add the
++         * check to stay in line with the pseudocode. Note that we must
++         * emit code for the UNDEF so it takes precedence over the NOCP.
++         */
++        if (dc_isar_feature(aa32_simd_r32, s)) {
++            unallocated_encoding(s);
++            return true;
++        }
++    }
++
+     /*
+      * If not secure, UNDEF. We must emit code for this
+      * rather than returning false so that this takes
+--
+.20.1

-[Qemu-devel] [PULL 06/24] arm: Move excnames[] array into arm_log_exceptions()
+[PULL 31/36] hw/intc/armv7m_nvic: Support v8.1M CCR.TRD bit
-The excnames[] array is defined in internals.h because we used
+v8.1M introduces a new TRD flag in the CCR register, which enables
-to use it from two different source files for handling logging
+checking for stack frame integrity signatures on SG instructions.
-of AArch32 and AArch64 exception entry. Refactoring means that
+This bit is not banked, and is always RAZ/WI to Non-secure code.
-it's now used only in arm_log_exception() in helper.c, so move
+Adjust the code for handling CCR reads and writes to handle this.
 the array into that function.
-Suggested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 1491821097-5647-1-git-send-email-peter.maydell@linaro.org
+Message-id: 20201119215617.29887-23-peter.maydell@linaro.org
 ---
- target/arm/cpu.h       |  2 +-
+ target/arm/cpu.h      |  2 ++
- target/arm/internals.h | 23 -----------------------
+ hw/intc/armv7m_nvic.c | 26 ++++++++++++++++++--------
- target/arm/helper.c    | 19 +++++++++++++++++++
+files changed, 20 insertions(+), 8 deletions(-)
 files changed, 20 insertions(+), 24 deletions(-)
 diff --git a/target/arm/cpu.h b/target/arm/cpu.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.h
 +++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ FIELD(V7M_CCR, STKOFHFNMIGN, 10, 1)
- #define EXCP_SEMIHOST       16   /* semihosting call */
+ FIELD(V7M_CCR, DC, 16, 1)
- #define EXCP_NOCP           17   /* v7M NOCP UsageFault */
+ FIELD(V7M_CCR, IC, 17, 1)
- #define EXCP_INVSTATE       18   /* v7M INVSTATE UsageFault */
+ FIELD(V7M_CCR, BP, 18, 1)
--/* NB: new EXCP_ defines should be added to the excnames[] array too */
++FIELD(V7M_CCR, LOB, 19, 1)
-+/* NB: add new EXCP_ defines to the array in arm_log_exception() too */
++FIELD(V7M_CCR, TRD, 20, 1)
- #define ARMV7M_EXCP_RESET   1
+ /* V7M SCR bits */
- #define ARMV7M_EXCP_NMI     2
+ FIELD(V7M_SCR, SLEEPONEXIT, 1, 1)
-diff --git a/target/arm/internals.h b/target/arm/internals.h
+diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/internals.h
+--- a/hw/intc/armv7m_nvic.c
-+++ b/target/arm/internals.h
++++ b/hw/intc/armv7m_nvic.c
-@@ -XXX,XX +XXX,XX @@ static inline bool excp_is_internal(int excp)
+@@ -XXX,XX +XXX,XX @@ static uint32_t nvic_readl(NVICState *s, uint32_t offset, MemTxAttrs attrs)
-         || excp == EXCP_SEMIHOST;
+         }
- }
+         return cpu->env.v7m.scr[attrs.secure];
+     case 0xd14: /* Configuration Control.  */
--/* Exception names for debug logging; note that not all of these
+-        /* The BFHFNMIGN bit is the only non-banked bit; we
-- * precisely correspond to architectural exceptions.
+-         * keep it in the non-secure copy of the register.
-- */
++        /*
--static const char * const excnames[] = {
++         * Non-banked bits: BFHFNMIGN (stored in the NS copy of the register)
--    [EXCP_UDEF] = "Undefined Instruction",
++         * and TRD (stored in the S copy of the register)
--    [EXCP_SWI] = "SVC",
+          */
--    [EXCP_PREFETCH_ABORT] = "Prefetch Abort",
+         val = cpu->env.v7m.ccr[attrs.secure];
--    [EXCP_DATA_ABORT] = "Data Abort",
+         val |= cpu->env.v7m.ccr[M_REG_NS] & R_V7M_CCR_BFHFNMIGN_MASK;
--    [EXCP_IRQ] = "IRQ",
+@@ -XXX,XX +XXX,XX @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value,
--    [EXCP_FIQ] = "FIQ",
+         cpu->env.v7m.scr[attrs.secure] = value;
--    [EXCP_BKPT] = "Breakpoint",
+         break;
--    [EXCP_EXCEPTION_EXIT] = "QEMU v7M exception exit",
+     case 0xd14: /* Configuration Control.  */
--    [EXCP_KERNEL_TRAP] = "QEMU intercept of kernel commpage",
++    {
--    [EXCP_HVC] = "Hypervisor Call",
++        uint32_t mask;
--    [EXCP_HYP_TRAP] = "Hypervisor Trap",
++
--    [EXCP_SMC] = "Secure Monitor Call",
+         if (!arm_feature(&cpu->env, ARM_FEATURE_M_MAIN)) {
--    [EXCP_VIRQ] = "Virtual IRQ",
+             goto bad_offset;
--    [EXCP_VFIQ] = "Virtual FIQ",
+         }
--    [EXCP_SEMIHOST] = "Semihosting call",
--    [EXCP_NOCP] = "v7M NOCP UsageFault",
+         /* Enforce RAZ/WI on reserved and must-RAZ/WI bits */
--    [EXCP_INVSTATE] = "v7M INVSTATE UsageFault",
+-        value &= (R_V7M_CCR_STKALIGN_MASK |
--};
+-                  R_V7M_CCR_BFHFNMIGN_MASK |
--
+-                  R_V7M_CCR_DIV_0_TRP_MASK |
- /* Scale factor for generic timers, ie number of ns per tick.
+-                  R_V7M_CCR_UNALIGN_TRP_MASK |
-  * This gives a 62.5MHz timer.
+-                  R_V7M_CCR_USERSETMPEND_MASK |
-  */
+-                  R_V7M_CCR_NONBASETHRDENA_MASK);
-diff --git a/target/arm/helper.c b/target/arm/helper.c
++        mask = R_V7M_CCR_STKALIGN_MASK |
-index XXXXXXX..XXXXXXX 100644
++            R_V7M_CCR_BFHFNMIGN_MASK |
---- a/target/arm/helper.c
++            R_V7M_CCR_DIV_0_TRP_MASK |
-+++ b/target/arm/helper.c
++            R_V7M_CCR_UNALIGN_TRP_MASK |
-@@ -XXX,XX +XXX,XX @@ static void arm_log_exception(int idx)
++            R_V7M_CCR_USERSETMPEND_MASK |
- {
++            R_V7M_CCR_NONBASETHRDENA_MASK;
-     if (qemu_loglevel_mask(CPU_LOG_INT)) {
++        if (arm_feature(&cpu->env, ARM_FEATURE_V8_1M) && attrs.secure) {
-         const char *exc = NULL;
++            /* TRD is always RAZ/WI from NS */
-+        static const char * const excnames[] = {
++            mask |= R_V7M_CCR_TRD_MASK;
-+            [EXCP_UDEF] = "Undefined Instruction",
++        }
-+            [EXCP_SWI] = "SVC",
++        value &= mask;
-+            [EXCP_PREFETCH_ABORT] = "Prefetch Abort",
-+            [EXCP_DATA_ABORT] = "Data Abort",
+         if (arm_feature(&cpu->env, ARM_FEATURE_V8)) {
-+            [EXCP_IRQ] = "IRQ",
+             /* v8M makes NONBASETHRDENA and STKALIGN be RES1 */
-+            [EXCP_FIQ] = "FIQ",
+@@ -XXX,XX +XXX,XX @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value,
-+            [EXCP_BKPT] = "Breakpoint",
-+            [EXCP_EXCEPTION_EXIT] = "QEMU v7M exception exit",
+         cpu->env.v7m.ccr[attrs.secure] = value;
-+            [EXCP_KERNEL_TRAP] = "QEMU intercept of kernel commpage",
+         break;
-+            [EXCP_HVC] = "Hypervisor Call",
++    }
-+            [EXCP_HYP_TRAP] = "Hypervisor Trap",
+     case 0xd24: /* System Handler Control and State (SHCSR) */
-+            [EXCP_SMC] = "Secure Monitor Call",
+         if (!arm_feature(&cpu->env, ARM_FEATURE_V7)) {
-+            [EXCP_VIRQ] = "Virtual IRQ",
+             goto bad_offset;
 +            [EXCP_VFIQ] = "Virtual FIQ",
 +            [EXCP_SEMIHOST] = "Semihosting call",
 +            [EXCP_NOCP] = "v7M NOCP UsageFault",
 +            [EXCP_INVSTATE] = "v7M INVSTATE UsageFault",
 +        };
          if (idx >= 0 && idx < ARRAY_SIZE(excnames)) {
              exc = excnames[idx];
 --
-.7.4
+.20.1

-[Qemu-devel] [PULL 07/24] target/arm: Add assertion about FSC format for syndrome registers
+[PULL 32/36] target/arm: Implement CCR_S.TRD behaviour for SG insns
-In tlb_fill() we construct a syndrome register value from a
+v8.1M introduces a new TRD flag in the CCR register, which enables
-fault status register value which is filled in by arm_tlb_fill().
+checking for stack frame integrity signatures on SG instructions.
-arm_tlb_fill() returns FSR values which might be in the format
+Add the code in the SG insn implementation for the new behaviour.
 used with short-format page descriptors, or the format used
 with long-format (LPAE) descriptors. The syndrome register
 always uses LPAE-format FSR status codes.
 It isn't actually possible to end up delivering a syndrome
 register value to the guest for a fault which is reported
 with a short-format FSR (that kind of stage 1 fault will only
 happen for an AArch32 translation regime which doesn't have
 a syndrome register, and can never be redirected to an AArch64
 or Hyp exception level). Add an assertion which checks this,
 and adjust the code so that we construct a syndrome with
 an invalid status code, rather than allowing set bits in
 the FSR input to randomly corrupt other fields in the syndrome.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 1491486152-24304-1-git-send-email-peter.maydell@linaro.org
+Message-id: 20201119215617.29887-24-peter.maydell@linaro.org
 ---
- target/arm/op_helper.c | 23 ++++++++++++++++++-----
+ target/arm/m_helper.c | 86 +++++++++++++++++++++++++++++++++++++++++++
-file changed, 18 insertions(+), 5 deletions(-)
+file changed, 86 insertions(+)
-diff --git a/target/arm/op_helper.c b/target/arm/op_helper.c
+diff --git a/target/arm/m_helper.c b/target/arm/m_helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/op_helper.c
+--- a/target/arm/m_helper.c
-+++ b/target/arm/op_helper.c
++++ b/target/arm/m_helper.c
-@@ -XXX,XX +XXX,XX @@ void tlb_fill(CPUState *cs, target_ulong addr, MMUAccessType access_type,
+@@ -XXX,XX +XXX,XX @@ static bool v7m_read_half_insn(ARMCPU *cpu, ARMMMUIdx mmu_idx,
-     if (unlikely(ret)) {
+     return true;
-         ARMCPU *cpu = ARM_CPU(cs);
+ }
-         CPUARMState *env = &cpu->env;
--        uint32_t syn, exc;
++static bool v7m_read_sg_stack_word(ARMCPU *cpu, ARMMMUIdx mmu_idx,
-+        uint32_t syn, exc, fsc;
++                                   uint32_t addr, uint32_t *spdata)
-         unsigned int target_el;
++{
-         bool same_el;
++    /*
++     * Read a word of data from the stack for the SG instruction,
-@@ -XXX,XX +XXX,XX @@ void tlb_fill(CPUState *cs, target_ulong addr, MMUAccessType access_type,
++     * writing the value into *spdata. If the load succeeds, return
-             env->cp15.hpfar_el2 = extract64(fi.s2addr, 12, 47) << 4;
++     * true; otherwise pend an appropriate exception and return false.
-         }
++     * (We can't use data load helpers here that throw an exception
-         same_el = arm_current_el(env) == target_el;
++     * because of the context we're called in, which is halfway through
--        /* AArch64 syndrome does not have an LPAE bit */
++     * arm_v7m_cpu_do_interrupt().)
--        syn = fsr & ~(1 << 9);
++     */
 +    CPUState *cs = CPU(cpu);
 +    CPUARMState *env = &cpu->env;
 +    MemTxAttrs attrs = {};
 +    MemTxResult txres;
 +    target_ulong page_size;
 +    hwaddr physaddr;
 +    int prot;
 +    ARMMMUFaultInfo fi = {};
 +    ARMCacheAttrs cacheattrs = {};
 +    uint32_t value;
 +
-+        if (fsr & (1 << 9)) {
++    if (get_phys_addr(env, addr, MMU_DATA_LOAD, mmu_idx, &physaddr,
-+            /* LPAE format fault status register : bottom 6 bits are
++                      &attrs, &prot, &page_size, &fi, &cacheattrs)) {
-+             * status code in the same form as needed for syndrome
++        /* MPU/SAU lookup failed */
-+             */
++        if (fi.type == ARMFault_QEMU_SFault) {
-+            fsc = extract32(fsr, 0, 6);
++            qemu_log_mask(CPU_LOG_INT,
 +                          "...SecureFault during stack word read\n");
 +            env->v7m.sfsr |= R_V7M_SFSR_AUVIOL_MASK | R_V7M_SFSR_SFARVALID_MASK;
 +            env->v7m.sfar = addr;
 +            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
 +        } else {
-+            /* Short format FSR : this fault will never actually be reported
++            qemu_log_mask(CPU_LOG_INT,
-+             * to an EL that uses a syndrome register. Check that here,
++                          "...MemManageFault during stack word read\n");
-+             * and use a (currently) reserved FSR code in case the constructed
++            env->v7m.cfsr[M_REG_S] |= R_V7M_CFSR_DACCVIOL_MASK |
-+             * syndrome does leak into the guest somehow.
++                R_V7M_CFSR_MMARVALID_MASK;
-+             */
++            env->v7m.mmfar[M_REG_S] = addr;
-+            assert(target_el != 2 && !arm_el_is_aa64(env, target_el));
++            armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_MEM, false);
 +            fsc = 0x3f;
 +        }
++        return false;
-         /* For insn and data aborts we assume there is no instruction syndrome
++    }
-          * information; this is always true for exceptions reported to EL1.
++    value = address_space_ldl(arm_addressspace(cs, attrs), physaddr,
-          */
++                              attrs, &txres);
-         if (access_type == MMU_INST_FETCH) {
++    if (txres != MEMTX_OK) {
--            syn = syn_insn_abort(same_el, 0, fi.s1ptw, syn);
++        /* BusFault trying to read the data */
-+            syn = syn_insn_abort(same_el, 0, fi.s1ptw, fsc);
++        qemu_log_mask(CPU_LOG_INT,
-             exc = EXCP_PREFETCH_ABORT;
++                      "...BusFault during stack word read\n");
-         } else {
++        env->v7m.cfsr[M_REG_NS] |=
-             syn = merge_syn_data_abort(env->exception.syndrome, target_el,
++            (R_V7M_CFSR_PRECISERR_MASK | R_V7M_CFSR_BFARVALID_MASK);
-                                        same_el, fi.s1ptw,
++        env->v7m.bfar = addr;
--                                       access_type == MMU_DATA_STORE, syn);
++        armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_BUS, false);
-+                                       access_type == MMU_DATA_STORE, fsc);
++        return false;
-             if (access_type == MMU_DATA_STORE
++    }
-                 && arm_feature(env, ARM_FEATURE_V6)) {
++
-                 fsr |= (1 << 11);
++    *spdata = value;
 +    return true;
 +}
 +
  static bool v7m_handle_execute_nsc(ARMCPU *cpu)
  {
      /*
@@ -XXX,XX +XXX,XX @@ static bool v7m_handle_execute_nsc(ARMCPU *cpu)
       */
      qemu_log_mask(CPU_LOG_INT, "...really an SG instruction at 0x%08" PRIx32
                    ", executing it\n", env->regs[15]);
 +
 +    if (cpu_isar_feature(aa32_m_sec_state, cpu) &&
 +        !arm_v7m_is_handler_mode(env)) {
 +        /*
 +         * v8.1M exception stack frame integrity check. Note that we
 +         * must perform the memory access even if CCR_S.TRD is zero
 +         * and we aren't going to check what the data loaded is.
 +         */
 +        uint32_t spdata, sp;
 +
 +        /*
 +         * We know we are currently NS, so the S stack pointers must be
 +         * in other_ss_{psp,msp}, not in regs[13]/other_sp.
 +         */
 +        sp = v7m_using_psp(env) ? env->v7m.other_ss_psp : env->v7m.other_ss_msp;
 +        if (!v7m_read_sg_stack_word(cpu, mmu_idx, sp, &spdata)) {
 +            /* Stack access failed and an exception has been pended */
 +            return false;
 +        }
 +
 +        if (env->v7m.ccr[M_REG_S] & R_V7M_CCR_TRD_MASK) {
 +            if (((spdata & ~1) == 0xfefa125a) ||
 +                !(env->v7m.control[M_REG_S] & 1)) {
 +                goto gen_invep;
 +            }
 +        }
 +    }
 +
      env->regs[14] &= ~1;
      env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_SFPA_MASK;
      switch_v7m_security_state(env, true);
 --
-.7.4
+.20.1

-[Qemu-devel] [PULL 12/24] cadence_gem: Correct the multi-queue can rx logic
+[PULL 33/36] hw/intc/armv7m_nvic: Fix "return from inactive handler" check
-From: Alistair Francis <alistair.francis@xilinx.com>
+In commit 077d7449100d824a4 we added code to handle the v8M
 requirement that returns from NMI or HardFault forcibly deactivate
 those exceptions regardless of what interrupt the guest is trying to
 deactivate.  Unfortunately this broke the handling of the "illegal
 exception return because the returning exception number is not
 active" check for those cases.  In the pseudocode this test is done
 on the exception the guest asks to return from, but because our
 implementation was doing this in armv7m_nvic_complete_irq() after the
 new "deactivate NMI/HardFault regardless" code we ended up doing the
 test on the VecInfo for that exception instead, which usually meant
 failing to raise the illegal exception return fault.
-Correct the buffer descriptor busy logic to work correctly when using
+In the case for "configurable exception targeting the opposite
-multiple queues.
+security state" we detected the illegal-return case but went ahead
 and deactivated the VecInfo anyway, which is wrong because that is
 the VecInfo for the other security state.
-Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
+Rearrange the code so that we first identify the illegal return
-Message-id: 8a7e8059984e27d46a276a66299d035a0afd280f.1491947224.git.alistair.francis@xilinx.com
+cases, then see if we really need to deactivate NMI or HardFault
 instead, and finally do the deactivation.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20201119215617.29887-25-peter.maydell@linaro.org
 ---
- hw/net/cadence_gem.c | 17 ++++++++++-------
+ hw/intc/armv7m_nvic.c | 59 +++++++++++++++++++++++--------------------
-file changed, 10 insertions(+), 7 deletions(-)
+file changed, 32 insertions(+), 27 deletions(-)
-diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c
+diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/net/cadence_gem.c
+--- a/hw/intc/armv7m_nvic.c
-+++ b/hw/net/cadence_gem.c
++++ b/hw/intc/armv7m_nvic.c
-@@ -XXX,XX +XXX,XX @@ static int gem_can_receive(NetClientState *nc)
+@@ -XXX,XX +XXX,XX @@ int armv7m_nvic_complete_irq(void *opaque, int irq, bool secure)
  {
      NVICState *s = (NVICState *)opaque;
      VecInfo *vec = NULL;
 -    int ret;
 +    int ret = 0;
      assert(irq > ARMV7M_EXCP_RESET && irq < s->num_irq);
 +    trace_nvic_complete_irq(irq, secure);
 +
 +    if (secure && exc_is_banked(irq)) {
 +        vec = &s->sec_vectors[irq];
 +    } else {
 +        vec = &s->vectors[irq];
 +    }
 +
 +    /*
 +     * Identify illegal exception return cases. We can't immediately
 +     * return at this point because we still need to deactivate
 +     * (either this exception or NMI/HardFault) first.
 +     */
 +    if (!exc_is_banked(irq) && exc_targets_secure(s, irq) != secure) {
 +        /*
 +         * Return from a configurable exception targeting the opposite
 +         * security state from the one we're trying to complete it for.
 +         * Clear vec because it's not really the VecInfo for this
 +         * (irq, secstate) so we mustn't deactivate it.
 +         */
 +        ret = -1;
 +        vec = NULL;
 +    } else if (!vec->active) {
 +        /* Return from an inactive interrupt */
 +        ret = -1;
 +    } else {
 +        /* Legal return, we will return the RETTOBASE bit value to the caller */
 +        ret = nvic_rettobase(s);
 +    }
 +
      /*
       * For negative priorities, v8M will forcibly deactivate the appropriate
       * NMI or HardFault regardless of what interrupt we're being asked to
@@ -XXX,XX +XXX,XX @@ int armv7m_nvic_complete_irq(void *opaque, int irq, bool secure)
      }
-     for (i = 0; i < s->num_priority_queues; i++) {
+     if (!vec) {
--        if (rx_desc_get_ownership(s->rx_desc[i]) == 1) {
+-        if (secure && exc_is_banked(irq)) {
--            if (s->can_rx_state != 2) {
+-            vec = &s->sec_vectors[irq];
--                s->can_rx_state = 2;
+-        } else {
--                DB_PRINT("can't receive - busy buffer descriptor (q%d) 0x%x\n",
+-            vec = &s->vectors[irq];
--                         i, s->rx_desc_addr[i]);
+-        }
--             }
+-    }
--            return 0;
+-
-+        if (rx_desc_get_ownership(s->rx_desc[i]) != 1) {
+-    trace_nvic_complete_irq(irq, secure);
-+            break;
+-
-+        }
+-    if (!vec->active) {
-+    };
+-        /* Tell the caller this was an illegal exception return */
-+
+-        return -1;
-+    if (i == s->num_priority_queues) {
+-    }
-+        if (s->can_rx_state != 2) {
+-
-+            s->can_rx_state = 2;
+-    /*
-+            DB_PRINT("can't receive - all the buffer descriptors are busy\n");
+-     * If this is a configurable exception and it is currently
-         }
+-     * targeting the opposite security state from the one we're trying
-+        return 0;
+-     * to complete it for, this counts as an illegal exception return.
 -     * We still need to deactivate whatever vector the logic above has
 -     * selected, though, as it might not be the same as the one for the
 -     * requested exception number.
 -     */
 -    if (!exc_is_banked(irq) && exc_targets_secure(s, irq) != secure) {
 -        ret = -1;
 -    } else {
 -        ret = nvic_rettobase(s);
 +        return ret;
      }
-     if (s->can_rx_state != 0) {
+     vec->active = 0;
 --
-.7.4
+.20.1

-[Qemu-devel] [PULL 05/24] target/arm: Add missing entries to excnames[] for log strings
+[PULL 34/36] target/arm: Implement M-profile "minimal RAS implementation"
-Recent changes have added new EXCP_ values to ARM but forgot
+For v8.1M the architecture mandates that CPUs must provide at
-to update the excnames[] array which is used to provide
+least the "minimal RAS implementation" from the Reliability,
-human-readable strings when printing information about the
+Availability and Serviceability extension. This consists of:
-exception for debug logging. Add the missing entries, and
+ * an ESB instruction which is a NOP
-add a comment to the list of #defines to help avoid the mistake
+   -- since it is in the HINT space we need only add a comment
-being repeated in future.
+ * an RFSR register which will RAZ/WI
  * a RAZ/WI AIRCR.IESB bit
    -- the code which handles writes to AIRCR does not allow setting
       of RES0 bits, so we already treat this as RAZ/WI; add a comment
       noting that this is deliberate
  * minimal implementation of the RAS register block at 0xe0005000
    -- this will be in a subsequent commit
  * setting the ID_PFR0.RAS field to 0b0010
    -- we will do this when we add the Cortex-M55 CPU model
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+Message-id: 20201119215617.29887-26-peter.maydell@linaro.org
 Message-id: 1491486340-25988-1-git-send-email-peter.maydell@linaro.org
 ---
- target/arm/cpu.h       | 1 +
+ target/arm/cpu.h      | 14 ++++++++++++++
- target/arm/internals.h | 2 ++
+ target/arm/t32.decode |  4 ++++
-files changed, 3 insertions(+)
+ hw/intc/armv7m_nvic.c | 13 +++++++++++++
 files changed, 31 insertions(+)
 diff --git a/target/arm/cpu.h b/target/arm/cpu.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.h
 +++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ FIELD(ID_MMFR4, LSM, 20, 4)
- #define EXCP_SEMIHOST       16   /* semihosting call */
+ FIELD(ID_MMFR4, CCIDX, 24, 4)
- #define EXCP_NOCP           17   /* v7M NOCP UsageFault */
+ FIELD(ID_MMFR4, EVT, 28, 4)
- #define EXCP_INVSTATE       18   /* v7M INVSTATE UsageFault */
-+/* NB: new EXCP_ defines should be added to the excnames[] array too */
++FIELD(ID_PFR0, STATE0, 0, 4)
++FIELD(ID_PFR0, STATE1, 4, 4)
- #define ARMV7M_EXCP_RESET   1
++FIELD(ID_PFR0, STATE2, 8, 4)
- #define ARMV7M_EXCP_NMI     2
++FIELD(ID_PFR0, STATE3, 12, 4)
-diff --git a/target/arm/internals.h b/target/arm/internals.h
++FIELD(ID_PFR0, CSV2, 16, 4)
 +FIELD(ID_PFR0, AMU, 20, 4)
 +FIELD(ID_PFR0, DIT, 24, 4)
 +FIELD(ID_PFR0, RAS, 28, 4)
 +
  FIELD(ID_PFR1, PROGMOD, 0, 4)
  FIELD(ID_PFR1, SECURITY, 4, 4)
  FIELD(ID_PFR1, MPROGMOD, 8, 4)
@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa32_predinv(const ARMISARegisters *id)
      return FIELD_EX32(id->id_isar6, ID_ISAR6, SPECRES) != 0;
  }
 +static inline bool isar_feature_aa32_ras(const ARMISARegisters *id)
 +{
 +    return FIELD_EX32(id->id_pfr0, ID_PFR0, RAS) != 0;
 +}
 +
  static inline bool isar_feature_aa32_mprofile(const ARMISARegisters *id)
  {
      return FIELD_EX32(id->id_pfr1, ID_PFR1, MPROGMOD) != 0;
 diff --git a/target/arm/t32.decode b/target/arm/t32.decode
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/internals.h
+--- a/target/arm/t32.decode
-+++ b/target/arm/internals.h
++++ b/target/arm/t32.decode
-@@ -XXX,XX +XXX,XX @@ static const char * const excnames[] = {
+@@ -XXX,XX +XXX,XX @@ CLZ              1111 1010 1011 ---- 1111 .... 1000 ....      @rdm
-     [EXCP_VIRQ] = "Virtual IRQ",
+       # SEV      1111 0011 1010 1111 1000 0000 0000 0100
-     [EXCP_VFIQ] = "Virtual FIQ",
+       # SEVL     1111 0011 1010 1111 1000 0000 0000 0101
-     [EXCP_SEMIHOST] = "Semihosting call",
-+    [EXCP_NOCP] = "v7M NOCP UsageFault",
++      # For M-profile minimal-RAS ESB can be a NOP, which is the
-+    [EXCP_INVSTATE] = "v7M INVSTATE UsageFault",
++      # default behaviour since it is in the hint space.
- };
++      # ESB      1111 0011 1010 1111 1000 0000 0001 0000
++
- /* Scale factor for generic timers, ie number of ns per tick.
+       # The canonical nop ends in 0000 0000, but the whole rest
        # of the space is "reserved hint, behaves as nop".
        NOP        1111 0011 1010 1111 1000 0000 ---- ----
 diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/intc/armv7m_nvic.c
 +++ b/hw/intc/armv7m_nvic.c
@@ -XXX,XX +XXX,XX @@ static uint32_t nvic_readl(NVICState *s, uint32_t offset, MemTxAttrs attrs)
              return 0;
          }
          return cpu->env.v7m.sfar;
 +    case 0xf04: /* RFSR */
 +        if (!cpu_isar_feature(aa32_ras, cpu)) {
 +            goto bad_offset;
 +        }
 +        /* We provide minimal-RAS only: RFSR is RAZ/WI */
 +        return 0;
      case 0xf34: /* FPCCR */
          if (!cpu_isar_feature(aa32_vfp_simd, cpu)) {
              return 0;
@@ -XXX,XX +XXX,XX @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value,
                                R_V7M_AIRCR_PRIGROUP_SHIFT,
                                R_V7M_AIRCR_PRIGROUP_LENGTH);
              }
 +            /* AIRCR.IESB is RAZ/WI because we implement only minimal RAS */
              if (attrs.secure) {
                  /* These bits are only writable by secure */
                  cpu->env.v7m.aircr = value &
@@ -XXX,XX +XXX,XX @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value,
          }
          break;
      }
 +    case 0xf04: /* RFSR */
 +        if (!cpu_isar_feature(aa32_ras, cpu)) {
 +            goto bad_offset;
 +        }
 +        /* We provide minimal-RAS only: RFSR is RAZ/WI */
 +        break;
      case 0xf34: /* FPCCR */
          if (cpu_isar_feature(aa32_vfp_simd, cpu)) {
              /* Not all bits here are banked. */
 --
-.7.4
+.20.1

-[Qemu-devel] [PULL 01/24] hw/arm/boot: take Linux/arm64 TEXT_OFFSET header field into account
+[PULL 35/36] hw/intc/armv7m_nvic: Implement read/write for RAS register block
-From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+The RAS feature has a block of memory-mapped registers at offset
 x5000 within the PPB.  For a "minimal RAS" implementation we provide
 no error records and so the only registers that exist in the block
 are ERRIIDR and ERRDEVID.
-The arm64 boot protocol stipulates that the kernel must be loaded
+The "RAZ/WI for privileged, BusFault for nonprivileged" behaviour
-TEXT_OFFSET bytes beyond a 2 MB aligned base address, where TEXT_OFFSET
+of the "nvic-default" region is actually valid for minimal-RAS,
-could be any 4 KB multiple between 0 and 2 MB, and whose value can be
+so the main benefit of providing an explicit implementation of
-found in the header of the Image file.
+the register block is more accurate LOG_UNIMP messages, and a
 framework for where we could add a real RAS implementation later
 if necessary.
-So after attempts to load the arm64 kernel image as an ELF file or as a
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-U-Boot image have failed (both of which have their own way of specifying
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-the load offset), try to determine the TEXT_OFFSET from the image after
+Message-id: 20201119215617.29887-27-peter.maydell@linaro.org
-loading it but before mapping it as a ROM mapping into the guest address
+---
-space.
+ include/hw/intc/armv7m_nvic.h |  1 +
  hw/intc/armv7m_nvic.c         | 56 +++++++++++++++++++++++++++++++++++
 files changed, 57 insertions(+)
-Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+diff --git a/include/hw/intc/armv7m_nvic.h b/include/hw/intc/armv7m_nvic.h
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Message-id: 1489414630-21609-1-git-send-email-ard.biesheuvel@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
  hw/arm/boot.c | 64 +++++++++++++++++++++++++++++++++++++++++++++++++----------
 file changed, 53 insertions(+), 11 deletions(-)
 diff --git a/hw/arm/boot.c b/hw/arm/boot.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/boot.c
+--- a/include/hw/intc/armv7m_nvic.h
-+++ b/hw/arm/boot.c
++++ b/include/hw/intc/armv7m_nvic.h
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ struct NVICState {
- #define KERNEL_LOAD_ADDR 0x00010000
+     MemoryRegion sysreg_ns_mem;
- #define KERNEL64_LOAD_ADDR 0x00080000
+     MemoryRegion systickmem;
+     MemoryRegion systick_ns_mem;
-+#define ARM64_TEXT_OFFSET_OFFSET    8
++    MemoryRegion ras_mem;
-+#define ARM64_MAGIC_OFFSET          56
+     MemoryRegion container;
      MemoryRegion defaultmem;
 diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/intc/armv7m_nvic.c
 +++ b/hw/intc/armv7m_nvic.c
@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps nvic_systick_ops = {
      .endianness = DEVICE_NATIVE_ENDIAN,
  };
 +
- typedef enum {
++static MemTxResult ras_read(void *opaque, hwaddr addr,
-     FIXUP_NONE = 0,     /* do nothing */
++                            uint64_t *data, unsigned size,
-     FIXUP_TERMINATOR,   /* end of insns */
++                            MemTxAttrs attrs)
@@ -XXX,XX +XXX,XX @@ static uint64_t arm_load_elf(struct arm_boot_info *info, uint64_t *pentry,
      return ret;
  }
 +static uint64_t load_aarch64_image(const char *filename, hwaddr mem_base,
 +                                   hwaddr *entry)
 +{
-+    hwaddr kernel_load_offset = KERNEL64_LOAD_ADDR;
++    if (attrs.user) {
-+    uint8_t *buffer;
++        return MEMTX_ERROR;
 +    int size;
 +
 +    /* On aarch64, it's the bootloader's job to uncompress the kernel. */
 +    size = load_image_gzipped_buffer(filename, LOAD_IMAGE_MAX_GUNZIP_BYTES,
 +                                     &buffer);
 +
 +    if (size < 0) {
 +        gsize len;
 +
 +        /* Load as raw file otherwise */
 +        if (!g_file_get_contents(filename, (char **)&buffer, &len, NULL)) {
 +            return -1;
 +        }
 +        size = len;
 +    }
 +
-+    /* check the arm64 magic header value -- very old kernels may not have it */
++    switch (addr) {
-+    if (memcmp(buffer + ARM64_MAGIC_OFFSET, "ARM\x64", 4) == 0) {
++    case 0xe10: /* ERRIIDR */
-+        uint64_t hdrvals[2];
++        /* architect field = Arm; product/variant/revision 0 */
 +        *data = 0x43b;
 +        break;
 +    case 0xfc8: /* ERRDEVID */
 +        /* Minimal RAS: we implement 0 error record indexes */
 +        *data = 0;
 +        break;
 +    default:
 +        qemu_log_mask(LOG_UNIMP, "Read RAS register offset 0x%x\n",
 +                      (uint32_t)addr);
 +        *data = 0;
 +        break;
 +    }
 +    return MEMTX_OK;
 +}
 +
-+        /* The arm64 Image header has text_offset and image_size fields at 8 and
++static MemTxResult ras_write(void *opaque, hwaddr addr,
-+         * 16 bytes into the Image header, respectively. The text_offset field
++                             uint64_t value, unsigned size,
-+         * is only valid if the image_size is non-zero.
++                             MemTxAttrs attrs)
-+         */
++{
-+        memcpy(&hdrvals, buffer + ARM64_TEXT_OFFSET_OFFSET, sizeof(hdrvals));
++    if (attrs.user) {
-+        if (hdrvals[1] != 0) {
++        return MEMTX_ERROR;
 +            kernel_load_offset = le64_to_cpu(hdrvals[0]);
 +        }
 +    }
 +
-+    *entry = mem_base + kernel_load_offset;
++    switch (addr) {
-+    rom_add_blob_fixed(filename, buffer, size, *entry);
++    default:
-+
++        qemu_log_mask(LOG_UNIMP, "Write to RAS register offset 0x%x\n",
-+    g_free(buffer);
++                      (uint32_t)addr);
-+
++        break;
-+    return size;
++    }
 +    return MEMTX_OK;
 +}
 +
- static void arm_load_kernel_notify(Notifier *notifier, void *data)
++static const MemoryRegionOps ras_ops = {
- {
++    .read_with_attrs = ras_read,
-     CPUState *cs;
++    .write_with_attrs = ras_write,
-@@ -XXX,XX +XXX,XX @@ static void arm_load_kernel_notify(Notifier *notifier, void *data)
++    .endianness = DEVICE_NATIVE_ENDIAN,
-     int is_linux = 0;
++};
-     uint64_t elf_entry, elf_low_addr, elf_high_addr;
++
-     int elf_machine;
+ /*
--    hwaddr entry, kernel_load_offset;
+  * Unassigned portions of the PPB space are RAZ/WI for privileged
-+    hwaddr entry;
+  * accesses, and fault for non-privileged accesses.
-     static const ARMInsnFixup *primary_loader;
+@@ -XXX,XX +XXX,XX @@ static void armv7m_nvic_realize(DeviceState *dev, Error **errp)
-     ArmLoadKernelNotifier *n = DO_UPCAST(ArmLoadKernelNotifier,
+                                             &s->systick_ns_mem, 1);
                                           notifier, notifier);
@@ -XXX,XX +XXX,XX @@ static void arm_load_kernel_notify(Notifier *notifier, void *data)
      if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64)) {
          primary_loader = bootloader_aarch64;
 -        kernel_load_offset = KERNEL64_LOAD_ADDR;
          elf_machine = EM_AARCH64;
      } else {
          primary_loader = bootloader;
          if (!info->write_board_setup) {
              primary_loader += BOOTLOADER_NO_BOARD_SETUP_OFFSET;
          }
 -        kernel_load_offset = KERNEL_LOAD_ADDR;
          elf_machine = EM_ARM;
      }
-@@ -XXX,XX +XXX,XX @@ static void arm_load_kernel_notify(Notifier *notifier, void *data)
++    if (cpu_isar_feature(aa32_ras, s->cpu)) {
-         kernel_size = load_uimage(info->kernel_filename, &entry, NULL,
++        memory_region_init_io(&s->ras_mem, OBJECT(s),
-                                   &is_linux, NULL, NULL);
++                              &ras_ops, s, "nvic_ras", 0x1000);
-     }
++        memory_region_add_subregion(&s->container, 0x5000, &s->ras_mem);
--    /* On aarch64, it's the bootloader's job to uncompress the kernel. */
++    }
-     if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64) && kernel_size < 0) {
++
--        entry = info->loader_start + kernel_load_offset;
+     sysbus_init_mmio(SYS_BUS_DEVICE(dev), &s->container);
--        kernel_size = load_image_gzipped(info->kernel_filename, entry,
+ }
--                                         info->ram_size - kernel_load_offset);
 +        kernel_size = load_aarch64_image(info->kernel_filename,
 +                                         info->loader_start, &entry);
          is_linux = 1;
 -    }
 -    if (kernel_size < 0) {
 -        entry = info->loader_start + kernel_load_offset;
 +    } else if (kernel_size < 0) {
 +        /* 32-bit ARM */
 +        entry = info->loader_start + KERNEL_LOAD_ADDR;
          kernel_size = load_image_targphys(info->kernel_filename, entry,
 -                                          info->ram_size - kernel_load_offset);
 +                                          info->ram_size - KERNEL_LOAD_ADDR);
          is_linux = 1;
      }
      if (kernel_size < 0) {
 --
-.7.4
+.20.1

-[Qemu-devel] [PULL 17/24] arm: Thumb shift operations should not permit interworking branches
+[PULL 36/36] hw/arm/armv7m: Correct typo in QOM object name
-In Thumb mode, the only instructions which can cause an interworking
+Correct a typo in the name we give the NVIC object.
 branch by writing the PC are BLX, BX, BXJ, LDR, POP and LDM. Unlike
 ARM mode, data processing instructions which target the PC do not
 cause interworking branches.
 When we added support for doing interworking branches on writes to
 PC from data processing instructions in commit 21aeb3430ce7ba, we
 accidentally changed a Thumb instruction to have interworking
 branch behaviour for writes to PC. (MOV, MOVS register-shifted
 register, encoding T2; this is the standard encoding for
 LSL/LSR/ASR/ROR (register).)
 For this encoding, behaviour with Rd == R15 is specified as
 UNPREDICTABLE, so allowing an interworking branch is within
 spec, but it's confusing and differs from our handling of this
 class of UNPREDICTABLE for other Thumb ALU operations. Make
 it perform a simple (non-interworking) branch like the others.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <rth@twiddle.net>
 Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Message-id: 1491844419-12485-3-git-send-email-peter.maydell@linaro.org
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20201119215617.29887-28-peter.maydell@linaro.org
 ---
- target/arm/translate.c | 2 +-
+ hw/arm/armv7m.c | 2 +-
 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/target/arm/translate.c b/target/arm/translate.c
+diff --git a/hw/arm/armv7m.c b/hw/arm/armv7m.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate.c
+--- a/hw/arm/armv7m.c
-+++ b/target/arm/translate.c
++++ b/hw/arm/armv7m.c
-@@ -XXX,XX +XXX,XX @@ static int disas_thumb2_insn(CPUARMState *env, DisasContext *s, uint16_t insn_hw
+@@ -XXX,XX +XXX,XX @@ static void armv7m_instance_init(Object *obj)
-             gen_arm_shift_reg(tmp, op, tmp2, logic_cc);
-             if (logic_cc)
+     memory_region_init(&s->container, obj, "armv7m-container", UINT64_MAX);
-                 gen_logic_CC(tmp);
--            store_reg_bx(s, rd, tmp);
+-    object_initialize_child(obj, "nvnic", &s->nvic, TYPE_NVIC);
-+            store_reg(s, rd, tmp);
++    object_initialize_child(obj, "nvic", &s->nvic, TYPE_NVIC);
-             break;
+     object_property_add_alias(obj, "num-irq",
-         case 1: /* Sign/zero extend.  */
+                               OBJECT(&s->nvic), "num-irq");
-             op = (insn >> 20) & 7;
 --
-.7.4
+.20.1

First ARM pullreq of the 2.10 cycle...

thanks
-- PMM

The following changes since commit 64c8ed97cceabac4fafe17fca8d88ef08183f439:

Open 2.10 development tree (2017-04-20 15:42:31 +0100)

are available in the git repository at:

git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20170420

for you to fetch changes up to f4e8e4edda875cab9df91dc4ae9767f7cb1f50aa:

arm: Remove workarounds for old M-profile exception return implementation (2017-04-20 17:39:17 +0100)

----------------------------------------------------------------
target-arm queue:
 * implement M profile exception return properly
 * cadence GEM: fix multiqueue handling bugs
 * pxa2xx.c: QOMify a device
 * arm/kvm: Remove trailing newlines from error_report()
 * stellaris: Don't hw_error() on bad register accesses
 * Add assertion about FSC format for syndrome registers
 * Move excnames[] array into arm_log_exceptions()
 * exynos: minor code cleanups
 * hw/arm/boot: take Linux/arm64 TEXT_OFFSET header field into account
 * Fix APSR writes via M profile MSR

----------------------------------------------------------------
Alistair Francis (5):
      cadence_gem: Read the correct queue descriptor
      cadence_gem: Correct the multi-queue can rx logic
      cadence_gem: Correct the interupt logic
      cadence_gem: Make the revision a property
      xlnx-zynqmp: Set the Cadence GEM revision

Ard Biesheuvel (1):
      hw/arm/boot: take Linux/arm64 TEXT_OFFSET header field into account

Ishani Chugh (1):
      arm/kvm: Remove trailing newlines from error_report()

Krzysztof Kozlowski (3):
      hw/arm/exynos: Convert fprintf to qemu_log_mask/error_report
      hw/char/exynos4210_uart: Constify static array and few arguments
      hw/misc/exynos4210_pmu: Reorder local variables for readability

Peter Maydell (13):
      target/arm: Add missing entries to excnames[] for log strings
      arm: Move excnames[] array into arm_log_exceptions()
      target/arm: Add assertion about FSC format for syndrome registers
      stellaris: Don't hw_error() on bad register accesses
      arm: Don't implement BXJ on M-profile CPUs
      arm: Thumb shift operations should not permit interworking branches
      arm: Factor out "generate right kind of step exception"
      arm: Move gen_set_condexec() and gen_set_pc_im() up in the file
      arm: Move condition-failed codepath generation out of if()
      arm: Abstract out "are we singlestepping" test to utility function
      arm: Track M profile handler mode state in TB flags
      arm: Implement M profile exception return properly
      arm: Remove workarounds for old M-profile exception return implementation

Suramya Shah (1):
      hw/arm: Qomify pxa2xx.c

From: Ard Biesheuvel <ard.biesheuvel@linaro.org>

The arm64 boot protocol stipulates that the kernel must be loaded
TEXT_OFFSET bytes beyond a 2 MB aligned base address, where TEXT_OFFSET
could be any 4 KB multiple between 0 and 2 MB, and whose value can be
found in the header of the Image file.

So after attempts to load the arm64 kernel image as an ELF file or as a
U-Boot image have failed (both of which have their own way of specifying
the load offset), try to determine the TEXT_OFFSET from the image after
loading it but before mapping it as a ROM mapping into the guest address
space.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1489414630-21609-1-git-send-email-ard.biesheuvel@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/boot.c | 64 +++++++++++++++++++++++++++++++++++++++++++++++++----------
 1 file changed, 53 insertions(+), 11 deletions(-)

diff --git a/hw/arm/boot.c b/hw/arm/boot.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/boot.c
+++ b/hw/arm/boot.c
@@ -XXX,XX +XXX,XX @@
 #define KERNEL_LOAD_ADDR 0x00010000
 #define KERNEL64_LOAD_ADDR 0x00080000
 
+#define ARM64_TEXT_OFFSET_OFFSET    8
+#define ARM64_MAGIC_OFFSET          56
+
 typedef enum {
     FIXUP_NONE = 0,     /* do nothing */
     FIXUP_TERMINATOR,   /* end of insns */
@@ -XXX,XX +XXX,XX @@ static uint64_t arm_load_elf(struct arm_boot_info *info, uint64_t *pentry,
     return ret;
 }
 
+static uint64_t load_aarch64_image(const char *filename, hwaddr mem_base,
+                                   hwaddr *entry)
+{
+    hwaddr kernel_load_offset = KERNEL64_LOAD_ADDR;
+    uint8_t *buffer;
+    int size;
+
+    /* On aarch64, it's the bootloader's job to uncompress the kernel. */
+    size = load_image_gzipped_buffer(filename, LOAD_IMAGE_MAX_GUNZIP_BYTES,
+                                     &buffer);
+
+    if (size < 0) {
+        gsize len;
+
+        /* Load as raw file otherwise */
+        if (!g_file_get_contents(filename, (char **)&buffer, &len, NULL)) {
+            return -1;
+        }
+        size = len;
+    }
+
+    /* check the arm64 magic header value -- very old kernels may not have it */
+    if (memcmp(buffer + ARM64_MAGIC_OFFSET, "ARM\x64", 4) == 0) {
+        uint64_t hdrvals[2];
+
+        /* The arm64 Image header has text_offset and image_size fields at 8 and
+         * 16 bytes into the Image header, respectively. The text_offset field
+         * is only valid if the image_size is non-zero.
+         */
+        memcpy(&hdrvals, buffer + ARM64_TEXT_OFFSET_OFFSET, sizeof(hdrvals));
+        if (hdrvals[1] != 0) {
+            kernel_load_offset = le64_to_cpu(hdrvals[0]);
+        }
+    }
+
+    *entry = mem_base + kernel_load_offset;
+    rom_add_blob_fixed(filename, buffer, size, *entry);
+
+    g_free(buffer);
+
+    return size;
+}
+
 static void arm_load_kernel_notify(Notifier *notifier, void *data)
 {
     CPUState *cs;
@@ -XXX,XX +XXX,XX @@ static void arm_load_kernel_notify(Notifier *notifier, void *data)
     int is_linux = 0;
     uint64_t elf_entry, elf_low_addr, elf_high_addr;
     int elf_machine;
-    hwaddr entry, kernel_load_offset;
+    hwaddr entry;
     static const ARMInsnFixup *primary_loader;
     ArmLoadKernelNotifier *n = DO_UPCAST(ArmLoadKernelNotifier,
                                          notifier, notifier);
@@ -XXX,XX +XXX,XX @@ static void arm_load_kernel_notify(Notifier *notifier, void *data)
 
     if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64)) {
         primary_loader = bootloader_aarch64;
-        kernel_load_offset = KERNEL64_LOAD_ADDR;
         elf_machine = EM_AARCH64;
     } else {
         primary_loader = bootloader;
         if (!info->write_board_setup) {
             primary_loader += BOOTLOADER_NO_BOARD_SETUP_OFFSET;
         }
-        kernel_load_offset = KERNEL_LOAD_ADDR;
         elf_machine = EM_ARM;
     }
 
@@ -XXX,XX +XXX,XX @@ static void arm_load_kernel_notify(Notifier *notifier, void *data)
         kernel_size = load_uimage(info->kernel_filename, &entry, NULL,
                                   &is_linux, NULL, NULL);
     }
-    /* On aarch64, it's the bootloader's job to uncompress the kernel. */
     if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64) && kernel_size < 0) {
-        entry = info->loader_start + kernel_load_offset;
-        kernel_size = load_image_gzipped(info->kernel_filename, entry,
-                                         info->ram_size - kernel_load_offset);
+        kernel_size = load_aarch64_image(info->kernel_filename,
+                                         info->loader_start, &entry);
         is_linux = 1;
-    }
-    if (kernel_size < 0) {
-        entry = info->loader_start + kernel_load_offset;
+    } else if (kernel_size < 0) {
+        /* 32-bit ARM */
+        entry = info->loader_start + KERNEL_LOAD_ADDR;
         kernel_size = load_image_targphys(info->kernel_filename, entry,
-                                          info->ram_size - kernel_load_offset);
+                                          info->ram_size - KERNEL_LOAD_ADDR);
         is_linux = 1;
     }
     if (kernel_size < 0) {
-- 
2.7.4

From: Krzysztof Kozlowski <krzk@kernel.org>

qemu_log_mask() and error_report() are preferred over fprintf() for
logging errors.  Also remove square brackets [] and additional new line
characters in printed messages.

Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20170313184750.429-2-krzk@kernel.org
[PMM: wrapped long line]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/exynos4_boards.c   |  7 ++++---
 hw/timer/exynos4210_mct.c |  6 ++++--
 hw/timer/exynos4210_pwm.c | 13 +++++++------
 hw/timer/exynos4210_rtc.c | 19 ++++++++++---------
 4 files changed, 25 insertions(+), 20 deletions(-)

diff --git a/hw/arm/exynos4_boards.c b/hw/arm/exynos4_boards.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/exynos4_boards.c
+++ b/hw/arm/exynos4_boards.c
@@ -XXX,XX +XXX,XX @@
  */
 
 #include "qemu/osdep.h"
+#include "qemu/error-report.h"
 #include "qemu-common.h"
 #include "cpu.h"
 #include "sysemu/sysemu.h"
@@ -XXX,XX +XXX,XX @@ static Exynos4210State *exynos4_boards_init_common(MachineState *machine,
     MachineClass *mc = MACHINE_GET_CLASS(machine);
 
     if (smp_cpus != EXYNOS4210_NCPUS && !qtest_enabled()) {
-        fprintf(stderr, "%s board supports only %d CPU cores. Ignoring smp_cpus"
-                " value.\n",
-                mc->name, EXYNOS4210_NCPUS);
+        error_report("%s board supports only %d CPU cores, ignoring smp_cpus"
+                     " value",
+                     mc->name, EXYNOS4210_NCPUS);
     }
 
     exynos4_board_binfo.ram_size = exynos4_board_ram_size[board_type];
diff --git a/hw/timer/exynos4210_mct.c b/hw/timer/exynos4210_mct.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/timer/exynos4210_mct.c
+++ b/hw/timer/exynos4210_mct.c
@@ -XXX,XX +XXX,XX @@
  */
 
 #include "qemu/osdep.h"
+#include "qemu/log.h"
 #include "hw/sysbus.h"
 #include "qemu/timer.h"
 #include "qemu/main-loop.h"
@@ -XXX,XX +XXX,XX @@ break;
     case L0_TCNTO: case L1_TCNTO:
     case L0_ICNTO: case L1_ICNTO:
     case L0_FRCNTO: case L1_FRCNTO:
-        fprintf(stderr, "\n[exynos4210.mct: write to RO register "
-                TARGET_FMT_plx "]\n\n", offset);
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "exynos4210.mct: write to RO register " TARGET_FMT_plx,
+                      offset);
         break;
 
     case L0_INT_CSTAT: case L1_INT_CSTAT:
diff --git a/hw/timer/exynos4210_pwm.c b/hw/timer/exynos4210_pwm.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/timer/exynos4210_pwm.c
+++ b/hw/timer/exynos4210_pwm.c
@@ -XXX,XX +XXX,XX @@
  */
 
 #include "qemu/osdep.h"
+#include "qemu/log.h"
 #include "hw/sysbus.h"
 #include "qemu/timer.h"
 #include "qemu-common.h"
@@ -XXX,XX +XXX,XX @@ static uint64_t exynos4210_pwm_read(void *opaque, hwaddr offset,
         break;
 
     default:
-        fprintf(stderr,
-                "[exynos4210.pwm: bad read offset " TARGET_FMT_plx "]\n",
-                offset);
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "exynos4210.pwm: bad read offset " TARGET_FMT_plx,
+                      offset);
         break;
     }
     return value;
@@ -XXX,XX +XXX,XX @@ static void exynos4210_pwm_write(void *opaque, hwaddr offset,
         break;
 
     default:
-        fprintf(stderr,
-                "[exynos4210.pwm: bad write offset " TARGET_FMT_plx "]\n",
-                offset);
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "exynos4210.pwm: bad write offset " TARGET_FMT_plx,
+                      offset);
         break;
 
     }
diff --git a/hw/timer/exynos4210_rtc.c b/hw/timer/exynos4210_rtc.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/timer/exynos4210_rtc.c
+++ b/hw/timer/exynos4210_rtc.c
@@ -XXX,XX +XXX,XX @@
  */
 
 #include "qemu/osdep.h"
+#include "qemu/log.h"
 #include "hw/sysbus.h"
 #include "qemu/timer.h"
 #include "qemu-common.h"
@@ -XXX,XX +XXX,XX @@ static uint64_t exynos4210_rtc_read(void *opaque, hwaddr offset,
         break;
 
     default:
-        fprintf(stderr,
-                "[exynos4210.rtc: bad read offset " TARGET_FMT_plx "]\n",
-                offset);
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "exynos4210.rtc: bad read offset " TARGET_FMT_plx,
+                      offset);
         break;
     }
     return value;
@@ -XXX,XX +XXX,XX @@ static void exynos4210_rtc_write(void *opaque, hwaddr offset,
         if (value > TICNT_THRESHOLD) {
             s->reg_ticcnt = value;
         } else {
-            fprintf(stderr,
-                    "[exynos4210.rtc: bad TICNT value %u ]\n",
-                    (uint32_t)value);
+            qemu_log_mask(LOG_GUEST_ERROR,
+                          "exynos4210.rtc: bad TICNT value %u",
+                          (uint32_t)value);
         }
         break;
 
@@ -XXX,XX +XXX,XX @@ static void exynos4210_rtc_write(void *opaque, hwaddr offset,
         break;
 
     default:
-        fprintf(stderr,
-                "[exynos4210.rtc: bad write offset " TARGET_FMT_plx "]\n",
-                offset);
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "exynos4210.rtc: bad write offset " TARGET_FMT_plx,
+                      offset);
         break;
 
     }
-- 
2.7.4

From: Krzysztof Kozlowski <krzk@kernel.org>

The static array exynos4210_uart_regs with register values is not
modified so it can be made const.

Few other functions accept driver or uart state as an argument but they
do not change it and do not cast it so this can be made const for code
safeness.

Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Message-id: 20170313184750.429-3-krzk@kernel.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/char/exynos4210_uart.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/hw/char/exynos4210_uart.c b/hw/char/exynos4210_uart.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/char/exynos4210_uart.c
+++ b/hw/char/exynos4210_uart.c
@@ -XXX,XX +XXX,XX @@ typedef struct Exynos4210UartReg {
     uint32_t            reset_value;
 } Exynos4210UartReg;
 
-static Exynos4210UartReg exynos4210_uart_regs[] = {
+static const Exynos4210UartReg exynos4210_uart_regs[] = {
     {"ULCON",    ULCON,    0x00000000},
     {"UCON",     UCON,     0x00003000},
     {"UFCON",    UFCON,    0x00000000},
@@ -XXX,XX +XXX,XX @@ static uint8_t fifo_retrieve(Exynos4210UartFIFO *q)
     return  ret;
 }
 
-static int fifo_elements_number(Exynos4210UartFIFO *q)
+static int fifo_elements_number(const Exynos4210UartFIFO *q)
 {
     if (q->sp < q->rp) {
         return q->size - q->rp + q->sp;
@@ -XXX,XX +XXX,XX @@ static int fifo_elements_number(Exynos4210UartFIFO *q)
     return q->sp - q->rp;
 }
 
-static int fifo_empty_elements_number(Exynos4210UartFIFO *q)
+static int fifo_empty_elements_number(const Exynos4210UartFIFO *q)
 {
     return q->size - fifo_elements_number(q);
 }
@@ -XXX,XX +XXX,XX @@ static void fifo_reset(Exynos4210UartFIFO *q)
     q->rp = 0;
 }
 
-static uint32_t exynos4210_uart_Tx_FIFO_trigger_level(Exynos4210UartState *s)
+static uint32_t exynos4210_uart_Tx_FIFO_trigger_level(const Exynos4210UartState *s)
 {
     uint32_t level = 0;
     uint32_t reg;
-- 
2.7.4

From: Krzysztof Kozlowski <krzk@kernel.org>

Short declaration of 'i' was in the middle of declarations with
assignments.  Make it a little bit more readable.  Additionally switch
from "unsigned" to "unsigned int" as this pattern is more widely used.
No functional change.

Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20170313184750.429-4-krzk@kernel.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/misc/exynos4210_pmu.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/misc/exynos4210_pmu.c b/hw/misc/exynos4210_pmu.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/misc/exynos4210_pmu.c
+++ b/hw/misc/exynos4210_pmu.c
@@ -XXX,XX +XXX,XX @@ static uint64_t exynos4210_pmu_read(void *opaque, hwaddr offset,
                                     unsigned size)
 {
     Exynos4210PmuState *s = (Exynos4210PmuState *)opaque;
-    unsigned i;
     const Exynos4210PmuReg *reg_p = exynos4210_pmu_regs;
+    unsigned int i;
 
     for (i = 0; i < PMU_NUM_OF_REGISTERS; i++) {
         if (reg_p->offset == offset) {
@@ -XXX,XX +XXX,XX @@ static void exynos4210_pmu_write(void *opaque, hwaddr offset,
                                  uint64_t val, unsigned size)
 {
     Exynos4210PmuState *s = (Exynos4210PmuState *)opaque;
-    unsigned i;
     const Exynos4210PmuReg *reg_p = exynos4210_pmu_regs;
+    unsigned int i;
 
     for (i = 0; i < PMU_NUM_OF_REGISTERS; i++) {
         if (reg_p->offset == offset) {
-- 
2.7.4

Recent changes have added new EXCP_ values to ARM but forgot
to update the excnames[] array which is used to provide
human-readable strings when printing information about the
exception for debug logging. Add the missing entries, and
add a comment to the list of #defines to help avoid the mistake
being repeated in future.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Message-id: 1491486340-25988-1-git-send-email-peter.maydell@linaro.org
---
 target/arm/cpu.h       | 1 +
 target/arm/internals.h | 2 ++
 2 files changed, 3 insertions(+)

The excnames[] array is defined in internals.h because we used
to use it from two different source files for handling logging
of AArch32 and AArch64 exception entry. Refactoring means that
it's now used only in arm_log_exception() in helper.c, so move
the array into that function.

Suggested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 1491821097-5647-1-git-send-email-peter.maydell@linaro.org
---
 target/arm/cpu.h       |  2 +-
 target/arm/internals.h | 23 -----------------------
 target/arm/helper.c    | 19 +++++++++++++++++++
 3 files changed, 20 insertions(+), 24 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@
 #define EXCP_SEMIHOST       16   /* semihosting call */
 #define EXCP_NOCP           17   /* v7M NOCP UsageFault */
 #define EXCP_INVSTATE       18   /* v7M INVSTATE UsageFault */
-/* NB: new EXCP_ defines should be added to the excnames[] array too */
+/* NB: add new EXCP_ defines to the array in arm_log_exception() too */
 
 #define ARMV7M_EXCP_RESET   1
 #define ARMV7M_EXCP_NMI     2
diff --git a/target/arm/internals.h b/target/arm/internals.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -XXX,XX +XXX,XX @@ static inline bool excp_is_internal(int excp)
         || excp == EXCP_SEMIHOST;
 }
 
-/* Exception names for debug logging; note that not all of these
- * precisely correspond to architectural exceptions.
- */
-static const char * const excnames[] = {
-    [EXCP_UDEF] = "Undefined Instruction",
-    [EXCP_SWI] = "SVC",
-    [EXCP_PREFETCH_ABORT] = "Prefetch Abort",
-    [EXCP_DATA_ABORT] = "Data Abort",
-    [EXCP_IRQ] = "IRQ",
-    [EXCP_FIQ] = "FIQ",
-    [EXCP_BKPT] = "Breakpoint",
-    [EXCP_EXCEPTION_EXIT] = "QEMU v7M exception exit",
-    [EXCP_KERNEL_TRAP] = "QEMU intercept of kernel commpage",
-    [EXCP_HVC] = "Hypervisor Call",
-    [EXCP_HYP_TRAP] = "Hypervisor Trap",
-    [EXCP_SMC] = "Secure Monitor Call",
-    [EXCP_VIRQ] = "Virtual IRQ",
-    [EXCP_VFIQ] = "Virtual FIQ",
-    [EXCP_SEMIHOST] = "Semihosting call",
-    [EXCP_NOCP] = "v7M NOCP UsageFault",
-    [EXCP_INVSTATE] = "v7M INVSTATE UsageFault",
-};
-
 /* Scale factor for generic timers, ie number of ns per tick.
  * This gives a 62.5MHz timer.
  */
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void arm_log_exception(int idx)
 {
     if (qemu_loglevel_mask(CPU_LOG_INT)) {
         const char *exc = NULL;
+        static const char * const excnames[] = {
+            [EXCP_UDEF] = "Undefined Instruction",
+            [EXCP_SWI] = "SVC",
+            [EXCP_PREFETCH_ABORT] = "Prefetch Abort",
+            [EXCP_DATA_ABORT] = "Data Abort",
+            [EXCP_IRQ] = "IRQ",
+            [EXCP_FIQ] = "FIQ",
+            [EXCP_BKPT] = "Breakpoint",
+            [EXCP_EXCEPTION_EXIT] = "QEMU v7M exception exit",
+            [EXCP_KERNEL_TRAP] = "QEMU intercept of kernel commpage",
+            [EXCP_HVC] = "Hypervisor Call",
+            [EXCP_HYP_TRAP] = "Hypervisor Trap",
+            [EXCP_SMC] = "Secure Monitor Call",
+            [EXCP_VIRQ] = "Virtual IRQ",
+            [EXCP_VFIQ] = "Virtual FIQ",
+            [EXCP_SEMIHOST] = "Semihosting call",
+            [EXCP_NOCP] = "v7M NOCP UsageFault",
+            [EXCP_INVSTATE] = "v7M INVSTATE UsageFault",
+        };
 
         if (idx >= 0 && idx < ARRAY_SIZE(excnames)) {
             exc = excnames[idx];
-- 
2.7.4

In tlb_fill() we construct a syndrome register value from a
fault status register value which is filled in by arm_tlb_fill().
arm_tlb_fill() returns FSR values which might be in the format
used with short-format page descriptors, or the format used
with long-format (LPAE) descriptors. The syndrome register
always uses LPAE-format FSR status codes.

It isn't actually possible to end up delivering a syndrome
register value to the guest for a fault which is reported
with a short-format FSR (that kind of stage 1 fault will only
happen for an AArch32 translation regime which doesn't have
a syndrome register, and can never be redirected to an AArch64
or Hyp exception level). Add an assertion which checks this,
and adjust the code so that we construct a syndrome with
an invalid status code, rather than allowing set bits in
the FSR input to randomly corrupt other fields in the syndrome.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Message-id: 1491486152-24304-1-git-send-email-peter.maydell@linaro.org
---
 target/arm/op_helper.c | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)

diff --git a/target/arm/op_helper.c b/target/arm/op_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/op_helper.c
+++ b/target/arm/op_helper.c
@@ -XXX,XX +XXX,XX @@ void tlb_fill(CPUState *cs, target_ulong addr, MMUAccessType access_type,
     if (unlikely(ret)) {
         ARMCPU *cpu = ARM_CPU(cs);
         CPUARMState *env = &cpu->env;
-        uint32_t syn, exc;
+        uint32_t syn, exc, fsc;
         unsigned int target_el;
         bool same_el;
 
@@ -XXX,XX +XXX,XX @@ void tlb_fill(CPUState *cs, target_ulong addr, MMUAccessType access_type,
             env->cp15.hpfar_el2 = extract64(fi.s2addr, 12, 47) << 4;
         }
         same_el = arm_current_el(env) == target_el;
-        /* AArch64 syndrome does not have an LPAE bit */
-        syn = fsr & ~(1 << 9);
+
+        if (fsr & (1 << 9)) {
+            /* LPAE format fault status register : bottom 6 bits are
+             * status code in the same form as needed for syndrome
+             */
+            fsc = extract32(fsr, 0, 6);
+        } else {
+            /* Short format FSR : this fault will never actually be reported
+             * to an EL that uses a syndrome register. Check that here,
+             * and use a (currently) reserved FSR code in case the constructed
+             * syndrome does leak into the guest somehow.
+             */
+            assert(target_el != 2 && !arm_el_is_aa64(env, target_el));
+            fsc = 0x3f;
+        }
 
         /* For insn and data aborts we assume there is no instruction syndrome
          * information; this is always true for exceptions reported to EL1.
          */
         if (access_type == MMU_INST_FETCH) {
-            syn = syn_insn_abort(same_el, 0, fi.s1ptw, syn);
+            syn = syn_insn_abort(same_el, 0, fi.s1ptw, fsc);
             exc = EXCP_PREFETCH_ABORT;
         } else {
             syn = merge_syn_data_abort(env->exception.syndrome, target_el,
                                        same_el, fi.s1ptw,
-                                       access_type == MMU_DATA_STORE, syn);
+                                       access_type == MMU_DATA_STORE, fsc);
             if (access_type == MMU_DATA_STORE
                 && arm_feature(env, ARM_FEATURE_V6)) {
                 fsr |= (1 << 11);
-- 
2.7.4

Current recommended style is to log a guest error on bad register
accesses, not kill the whole system with hw_error().  Change the
hw_error() calls to log as LOG_GUEST_ERROR or LOG_UNIMP or use
g_assert_not_reached() as appropriate.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 1491486314-25823-1-git-send-email-peter.maydell@linaro.org
---
 hw/arm/stellaris.c | 60 +++++++++++++++++++++++++++++++++---------------------
 1 file changed, 37 insertions(+), 23 deletions(-)

diff --git a/hw/arm/stellaris.c b/hw/arm/stellaris.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/stellaris.c
+++ b/hw/arm/stellaris.c
@@ -XXX,XX +XXX,XX @@ static void gptm_reload(gptm_state *s, int n, int reset)
     } else if (s->mode[n] == 0xa) {
         /* PWM mode.  Not implemented.  */
     } else {
-        hw_error("TODO: 16-bit timer mode 0x%x\n", s->mode[n]);
+        qemu_log_mask(LOG_UNIMP,
+                      "GPTM: 16-bit timer mode unimplemented: 0x%x\n",
+                      s->mode[n]);
+        return;
     }
     s->tick[n] = tick;
     timer_mod(s->timer[n], tick);
@@ -XXX,XX +XXX,XX @@ static void gptm_tick(void *opaque)
     } else if (s->mode[n] == 0xa) {
         /* PWM mode.  Not implemented.  */
     } else {
-        hw_error("TODO: 16-bit timer mode 0x%x\n", s->mode[n]);
+        qemu_log_mask(LOG_UNIMP,
+                      "GPTM: 16-bit timer mode unimplemented: 0x%x\n",
+                      s->mode[n]);
     }
     gptm_update_irq(s);
 }
@@ -XXX,XX +XXX,XX @@ static void gptm_write(void *opaque, hwaddr offset,
         s->match_prescale[0] = value;
         break;
     default:
-        hw_error("gptm_write: Bad offset 0x%x\n", (int)offset);
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "GPTM: read at bad offset 0x%x\n", (int)offset);
     }
     gptm_update_irq(s);
 }
@@ -XXX,XX +XXX,XX @@ static int ssys_board_class(const ssys_state *s)
         }
         /* for unknown classes, fall through */
     default:
-        hw_error("ssys_board_class: Unknown class 0x%08x\n", did0);
+        /* This can only happen if the hardwired constant did0 value
+         * in this board's stellaris_board_info struct is wrong.
+         */
+        g_assert_not_reached();
     }
 }
 
@@ -XXX,XX +XXX,XX @@ static uint64_t ssys_read(void *opaque, hwaddr offset,
             case DID0_CLASS_SANDSTORM:
                 return pllcfg_sandstorm[xtal];
             default:
-                hw_error("ssys_read: Unhandled class for PLLCFG read.\n");
-                return 0;
+                g_assert_not_reached();
             }
         }
     case 0x070: /* RCC2 */
@@ -XXX,XX +XXX,XX @@ static uint64_t ssys_read(void *opaque, hwaddr offset,
     case 0x1e4: /* USER1 */
         return s->user1;
     default:
-        hw_error("ssys_read: Bad offset 0x%x\n", (int)offset);
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "SSYS: read at bad offset 0x%x\n", (int)offset);
         return 0;
     }
 }
@@ -XXX,XX +XXX,XX @@ static void ssys_write(void *opaque, hwaddr offset,
         s->ldoarst = value;
         break;
     default:
-        hw_error("ssys_write: Bad offset 0x%x\n", (int)offset);
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "SSYS: write at bad offset 0x%x\n", (int)offset);
     }
     ssys_update(s);
 }
@@ -XXX,XX +XXX,XX @@ static uint64_t stellaris_i2c_read(void *opaque, hwaddr offset,
     case 0x20: /* MCR */
         return s->mcr;
     default:
-        hw_error("strllaris_i2c_read: Bad offset 0x%x\n", (int)offset);
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "stellaris_i2c: read at bad offset 0x%x\n", (int)offset);
         return 0;
     }
 }
@@ -XXX,XX +XXX,XX @@ static void stellaris_i2c_write(void *opaque, hwaddr offset,
         s->mris &= ~value;
         break;
     case 0x20: /* MCR */
-        if (value & 1)
-            hw_error(
-                      "stellaris_i2c_write: Loopback not implemented\n");
-        if (value & 0x20)
-            hw_error(
-                      "stellaris_i2c_write: Slave mode not implemented\n");
+        if (value & 1) {
+            qemu_log_mask(LOG_UNIMP, "stellaris_i2c: Loopback not implemented");
+        }
+        if (value & 0x20) {
+            qemu_log_mask(LOG_UNIMP,
+                          "stellaris_i2c: Slave mode not implemented");
+        }
         s->mcr = value & 0x31;
         break;
     default:
-        hw_error("stellaris_i2c_write: Bad offset 0x%x\n",
-                  (int)offset);
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "stellaris_i2c: write at bad offset 0x%x\n", (int)offset);
     }
     stellaris_i2c_update(s);
 }
@@ -XXX,XX +XXX,XX @@ static uint64_t stellaris_adc_read(void *opaque, hwaddr offset,
     case 0x30: /* SAC */
         return s->sac;
     default:
-        hw_error("strllaris_adc_read: Bad offset 0x%x\n",
-                  (int)offset);
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "stellaris_adc: read at bad offset 0x%x\n", (int)offset);
         return 0;
     }
 }
@@ -XXX,XX +XXX,XX @@ static void stellaris_adc_write(void *opaque, hwaddr offset,
             return;
         case 0x04: /* SSCTL */
             if (value != 6) {
-                hw_error("ADC: Unimplemented sequence %" PRIx64 "\n",
-                          value);
+                qemu_log_mask(LOG_UNIMP,
+                              "ADC: Unimplemented sequence %" PRIx64 "\n",
+                              value);
             }
             s->ssctl[n] = value;
             return;
@@ -XXX,XX +XXX,XX @@ static void stellaris_adc_write(void *opaque, hwaddr offset,
         s->sspri = value;
         break;
     case 0x28: /* PSSI */
-        hw_error("Not implemented:  ADC sample initiate\n");
+        qemu_log_mask(LOG_UNIMP, "ADC: sample initiate unimplemented");
         break;
     case 0x30: /* SAC */
         s->sac = value;
         break;
     default:
-        hw_error("stellaris_adc_write: Bad offset 0x%x\n", (int)offset);
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "stellaris_adc: write at bad offset 0x%x\n", (int)offset);
     }
     stellaris_adc_update(s);
 }
-- 
2.7.4

From: Ishani Chugh <chugh.ishani@research.iiit.ac.in>

Signed-off-by: Ishani Chugh <chugh.ishani@research.iiit.ac.in>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 1491629987-6826-1-git-send-email-chugh.ishani@research.iiit.ac.in
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/kvm64.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm64.c
+++ b/target/arm/kvm64.c
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_handle_debug(CPUState *cs, struct kvm_debug_exit_arch *debug_exit)
              * single step at this point so something has gone wrong.
              */
             error_report("%s: guest single-step while debugging unsupported"
-                         " (%"PRIx64", %"PRIx32")\n",
+                         " (%"PRIx64", %"PRIx32")",
                          __func__, env->pc, debug_exit->hsr);
             return false;
         }
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_handle_debug(CPUState *cs, struct kvm_debug_exit_arch *debug_exit)
         break;
     }
     default:
-        error_report("%s: unhandled debug exit (%"PRIx32", %"PRIx64")\n",
+        error_report("%s: unhandled debug exit (%"PRIx32", %"PRIx64")",
                      __func__, debug_exit->hsr, env->pc);
     }
 
-- 
2.7.4

From: Suramya Shah <shah.suramya@gmail.com>

Signed-off-by: Suramya Shah <shah.suramya@gmail.com>
Message-id: 20170415180316.2694-1-shah.suramya@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/pxa2xx.c | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

diff --git a/hw/arm/pxa2xx.c b/hw/arm/pxa2xx.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/pxa2xx.c
+++ b/hw/arm/pxa2xx.c
@@ -XXX,XX +XXX,XX @@ static void pxa2xx_ssp_reset(DeviceState *d)
     s->rx_start = s->rx_level = 0;
 }
 
-static int pxa2xx_ssp_init(SysBusDevice *sbd)
+static void pxa2xx_ssp_init(Object *obj)
 {
-    DeviceState *dev = DEVICE(sbd);
-    PXA2xxSSPState *s = PXA2XX_SSP(dev);
-
+    DeviceState *dev = DEVICE(obj);
+    PXA2xxSSPState *s = PXA2XX_SSP(obj);
+    SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
     sysbus_init_irq(sbd, &s->irq);
 
-    memory_region_init_io(&s->iomem, OBJECT(s), &pxa2xx_ssp_ops, s,
+    memory_region_init_io(&s->iomem, obj, &pxa2xx_ssp_ops, s,
                           "pxa2xx-ssp", 0x1000);
     sysbus_init_mmio(sbd, &s->iomem);
 
     s->bus = ssi_create_bus(dev, "ssi");
-    return 0;
 }
 
 /* Real-Time Clock */
@@ -XXX,XX +XXX,XX @@ PXA2xxState *pxa255_init(MemoryRegion *address_space, unsigned int sdram_size)
 
 static void pxa2xx_ssp_class_init(ObjectClass *klass, void *data)
 {
-    SysBusDeviceClass *sdc = SYS_BUS_DEVICE_CLASS(klass);
     DeviceClass *dc = DEVICE_CLASS(klass);
 
-    sdc->init = pxa2xx_ssp_init;
     dc->reset = pxa2xx_ssp_reset;
     dc->vmsd = &vmstate_pxa2xx_ssp;
 }
@@ -XXX,XX +XXX,XX @@ static const TypeInfo pxa2xx_ssp_info = {
     .name          = TYPE_PXA2XX_SSP,
     .parent        = TYPE_SYS_BUS_DEVICE,
     .instance_size = sizeof(PXA2xxSSPState),
+    .instance_init = pxa2xx_ssp_init,
     .class_init    = pxa2xx_ssp_class_init,
 };
 
-- 
2.7.4