Series comparison

-[Qemu-devel] [PULL 0/7] target-arm queue
+[PULL v2 00/29] target-arm queue
-A small set of arm bugfixes for rc0.
+v2: drop pvpanic-pci patches.
+The following changes since commit f1fcb6851aba6dd9838886dc179717a11e344a1c:
+  Merge remote-tracking branch 'remotes/huth-gitlab/tags/pull-request-2021-01-19' into staging (2021-01-19 11:57:07 +0000)
-The following changes since commit 5853e92207193e967abf5e4c25b4a551c7604725:
+are available in the Git repository at:
-  Merge remote-tracking branch 'remotes/pmaydell/tags/pull-cocoa-20171107' into staging (2017-11-07 12:19:48 +0000)
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20210119-1
-are available in the git repository at:
+for you to fetch changes up to b93f4fbdc48283a39089469c44a5529d79dc40a8:
-  git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20171107
+  docs: Build and install all the docs in a single manual (2021-01-19 15:45:14 +0000)
 for you to fetch changes up to 8a7348b5d62d7ea16807e6bea54b448a0184bb0f:
   hw/intc/arm_gicv3_its: Don't abort on table save failure (2017-11-07 13:03:52 +0000)
 ----------------------------------------------------------------
 target-arm queue:
- * arm_gicv3_its: Don't abort on table save failure
+ * Implement IMPDEF pauth algorithm
- * arm_gicv3_its: Fix the VM termination in vm_change_state_handler()
+ * Support ARMv8.4-SEL2
- * translate.c: Fix usermode big-endian AArch32 LDREXD and STREXD
+ * Fix bug where we were truncating predicate vector lengths in SVE insns
- * hw/arm: Mark the "fsl,imx31/25/6" devices with user_creatable = false
+ * npcm7xx_adc-test: Fix memleak in adc_qom_set
- * arm: implement cache/shareability attribute bits for PAR registers
+ * target/arm/m_helper: Silence GCC 10 maybe-uninitialized error
  * docs: Build and install all the docs in a single manual
 ----------------------------------------------------------------
-Andrew Baumann (1):
+Gan Qixin (1):
-      arm: implement cache/shareability attribute bits for PAR registers
+      npcm7xx_adc-test: Fix memleak in adc_qom_set
 Eric Auger (1):
       hw/intc/arm_gicv3_its: Don't abort on table save failure
 Peter Maydell (1):
-      translate.c: Fix usermode big-endian AArch32 LDREXD and STREXD
+      docs: Build and install all the docs in a single manual
-Shanker Donthineni (1):
+Philippe Mathieu-Daudé (1):
-      hw/intc/arm_gicv3_its: Fix the VM termination in vm_change_state_handler()
+      target/arm/m_helper: Silence GCC 10 maybe-uninitialized error
-Thomas Huth (3):
+Richard Henderson (7):
-      hw/arm: Mark the "fsl,imx6" device with user_creatable = false
+      target/arm: Implement an IMPDEF pauth algorithm
-      hw/arm: Mark the "fsl,imx25" device with user_creatable = false
+      target/arm: Add cpu properties to control pauth
-      hw/arm: Mark the "fsl,imx31" device with user_creatable = false
+      target/arm: Use object_property_add_bool for "sve" property
       target/arm: Introduce PREDDESC field definitions
       target/arm: Update PFIRST, PNEXT for pred_desc
       target/arm: Update ZIP, UZP, TRN for pred_desc
       target/arm: Update REV, PUNPK for pred_desc
- hw/arm/fsl-imx25.c          |   6 +-
+Rémi Denis-Courmont (19):
- hw/arm/fsl-imx31.c          |   6 +-
+      target/arm: remove redundant tests
- hw/arm/fsl-imx6.c           |   3 +-
+      target/arm: add arm_is_el2_enabled() helper
- hw/intc/arm_gicv3_its_kvm.c |  12 +--
+      target/arm: use arm_is_el2_enabled() where applicable
- target/arm/helper.c         | 178 ++++++++++++++++++++++++++++++++++++++++----
+      target/arm: use arm_hcr_el2_eff() where applicable
- target/arm/translate.c      |  39 ++++++++--
+      target/arm: factor MDCR_EL2 common handling
-files changed, 214 insertions(+), 30 deletions(-)
+      target/arm: Define isar_feature function to test for presence of SEL2
       target/arm: add 64-bit S-EL2 to EL exception table
       target/arm: add MMU stage 1 for Secure EL2
       target/arm: add ARMv8.4-SEL2 system registers
       target/arm: handle VMID change in secure state
       target/arm: do S1_ptw_translate() before address space lookup
       target/arm: translate NS bit in page-walks
       target/arm: generalize 2-stage page-walk condition
       target/arm: secure stage 2 translation regime
       target/arm: set HPFAR_EL2.NS on secure stage 2 faults
       target/arm: revector to run-time pick target EL
       target/arm: Implement SCR_EL2.EEL2
       target/arm: enable Secure EL2 in max CPU
       target/arm: refactor vae1_tlbmask()
+ docs/conf.py                     |  46 ++++-
+ docs/devel/conf.py               |  15 --
+ docs/index.html.in               |  17 --
+ docs/interop/conf.py             |  28 ---
+ docs/meson.build                 |  64 +++---
+ docs/specs/conf.py               |  16 --
+ docs/system/arm/cpu-features.rst |  21 ++
+ docs/system/conf.py              |  28 ---
+ docs/tools/conf.py               |  37 ----
+ docs/user/conf.py                |  15 --
+ include/qemu/xxhash.h            |  98 +++++++++
+ target/arm/cpu-param.h           |   2 +-
+ target/arm/cpu.h                 | 107 ++++++++--
+ target/arm/internals.h           |  45 +++++
+ target/arm/cpu.c                 |  23 ++-
+ target/arm/cpu64.c               |  65 ++++--
+ target/arm/helper-a64.c          |   8 +-
+ target/arm/helper.c              | 414 ++++++++++++++++++++++++++-------------
+ target/arm/m_helper.c            |   2 +-
+ target/arm/monitor.c             |   1 +
+ target/arm/op_helper.c           |   4 +-
+ target/arm/pauth_helper.c        |  27 ++-
+ target/arm/sve_helper.c          |  33 ++--
+ target/arm/tlb_helper.c          |   3 +
+ target/arm/translate-a64.c       |   4 +
+ target/arm/translate-sve.c       |  31 ++-
+ target/arm/translate.c           |  36 +++-
+ tests/qtest/arm-cpu-features.c   |  13 ++
+ tests/qtest/npcm7xx_adc-test.c   |   1 +
+ .gitlab-ci.yml                   |   4 +-
+files changed, 770 insertions(+), 438 deletions(-)
+ delete mode 100644 docs/devel/conf.py
+ delete mode 100644 docs/index.html.in
+ delete mode 100644 docs/interop/conf.py
+ delete mode 100644 docs/specs/conf.py
+ delete mode 100644 docs/system/conf.py
+ delete mode 100644 docs/tools/conf.py
+ delete mode 100644 docs/user/conf.py

-[Qemu-devel] [PULL 1/7] arm: implement cache/shareability attribute bits for PAR registers
+Deleted patch
-From: Andrew Baumann <Andrew.Baumann@microsoft.com>
-On a successful address translation instruction, PAR is supposed to
-contain cacheability and shareability attributes determined by the
-translation. We previously returned 0 for these bits (in line with the
-general strategy of ignoring caches and memory attributes), but some
-guest OSes may depend on them.
-This patch collects the attribute bits in the page-table walk, and
-updates PAR with the correct attributes for all LPAE translations.
-Short descriptor formats still return 0 for these bits, as in the
-prior implementation.
-Signed-off-by: Andrew Baumann <Andrew.Baumann@microsoft.com>
-Message-id: 20171031223830.4608-1-Andrew.Baumann@microsoft.com
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/helper.c | 178 +++++++++++++++++++++++++++++++++++++++++++++++-----
-file changed, 164 insertions(+), 14 deletions(-)
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@
- #define ARM_CPU_FREQ 1000000000 /* FIXME: 1 GHz, should be configurable */
- #ifndef CONFIG_USER_ONLY
-+/* Cacheability and shareability attributes for a memory access */
-+typedef struct ARMCacheAttrs {
-+    unsigned int attrs:8; /* as in the MAIR register encoding */
-+    unsigned int shareability:2; /* as in the SH field of the VMSAv8-64 PTEs */
-+} ARMCacheAttrs;
-+
- static bool get_phys_addr(CPUARMState *env, target_ulong address,
-                           MMUAccessType access_type, ARMMMUIdx mmu_idx,
-                           hwaddr *phys_ptr, MemTxAttrs *attrs, int *prot,
-                           target_ulong *page_size, uint32_t *fsr,
--                          ARMMMUFaultInfo *fi);
-+                          ARMMMUFaultInfo *fi, ARMCacheAttrs *cacheattrs);
- static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address,
-                                MMUAccessType access_type, ARMMMUIdx mmu_idx,
-                                hwaddr *phys_ptr, MemTxAttrs *txattrs, int *prot,
-                                target_ulong *page_size_ptr, uint32_t *fsr,
--                               ARMMMUFaultInfo *fi);
-+                               ARMMMUFaultInfo *fi, ARMCacheAttrs *cacheattrs);
- /* Security attributes for an address, as returned by v8m_security_lookup. */
- typedef struct V8M_SAttributes {
-@@ -XXX,XX +XXX,XX @@ static uint64_t do_ats_write(CPUARMState *env, uint64_t value,
-     uint64_t par64;
-     MemTxAttrs attrs = {};
-     ARMMMUFaultInfo fi = {};
-+    ARMCacheAttrs cacheattrs = {};
--    ret = get_phys_addr(env, value, access_type, mmu_idx,
--                        &phys_addr, &attrs, &prot, &page_size, &fsr, &fi);
-+    ret = get_phys_addr(env, value, access_type, mmu_idx, &phys_addr, &attrs,
-+                        &prot, &page_size, &fsr, &fi, &cacheattrs);
-     if (extended_addresses_enabled(env)) {
-         /* fsr is a DFSR/IFSR value for the long descriptor
-          * translation table format, but with WnR always clear.
-@@ -XXX,XX +XXX,XX @@ static uint64_t do_ats_write(CPUARMState *env, uint64_t value,
-             if (!attrs.secure) {
-                 par64 |= (1 << 9); /* NS */
-             }
--            /* We don't set the ATTR or SH fields in the PAR. */
-+            par64 |= (uint64_t)cacheattrs.attrs << 56; /* ATTR */
-+            par64 |= cacheattrs.shareability << 7; /* SH */
-         } else {
-             par64 |= 1; /* F */
-             par64 |= (fsr & 0x3f) << 1; /* FS */
-@@ -XXX,XX +XXX,XX @@ static bool v7m_read_half_insn(ARMCPU *cpu, ARMMMUIdx mmu_idx,
-         return false;
-     }
-     if (get_phys_addr(env, addr, MMU_INST_FETCH, mmu_idx,
--                      &physaddr, &attrs, &prot, &page_size, &fsr, &fi)) {
-+                      &physaddr, &attrs, &prot, &page_size, &fsr, &fi, NULL)) {
-         /* the MPU lookup failed */
-         env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_IACCVIOL_MASK;
-         armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_MEM, env->v7m.secure);
-@@ -XXX,XX +XXX,XX @@ static hwaddr S1_ptw_translate(CPUARMState *env, ARMMMUIdx mmu_idx,
-         int ret;
-         ret = get_phys_addr_lpae(env, addr, 0, ARMMMUIdx_S2NS, &s2pa,
--                                 &txattrs, &s2prot, &s2size, fsr, fi);
-+                                 &txattrs, &s2prot, &s2size, fsr, fi, NULL);
-         if (ret) {
-             fi->s2addr = addr;
-             fi->stage2 = true;
-@@ -XXX,XX +XXX,XX @@ static bool check_s2_mmu_setup(ARMCPU *cpu, bool is_aa64, int level,
-     return true;
- }
-+/* Translate from the 4-bit stage 2 representation of
-+ * memory attributes (without cache-allocation hints) to
-+ * the 8-bit representation of the stage 1 MAIR registers
-+ * (which includes allocation hints).
-+ *
-+ * ref: shared/translation/attrs/S2AttrDecode()
-+ *      .../S2ConvertAttrsHints()
-+ */
-+static uint8_t convert_stage2_attrs(CPUARMState *env, uint8_t s2attrs)
-+{
-+    uint8_t hiattr = extract32(s2attrs, 2, 2);
-+    uint8_t loattr = extract32(s2attrs, 0, 2);
-+    uint8_t hihint = 0, lohint = 0;
-+
-+    if (hiattr != 0) { /* normal memory */
-+        if ((env->cp15.hcr_el2 & HCR_CD) != 0) { /* cache disabled */
-+            hiattr = loattr = 1; /* non-cacheable */
-+        } else {
-+            if (hiattr != 1) { /* Write-through or write-back */
-+                hihint = 3; /* RW allocate */
-+            }
-+            if (loattr != 1) { /* Write-through or write-back */
-+                lohint = 3; /* RW allocate */
-+            }
-+        }
-+    }
-+
-+    return (hiattr << 6) | (hihint << 4) | (loattr << 2) | lohint;
-+}
-+
- static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address,
-                                MMUAccessType access_type, ARMMMUIdx mmu_idx,
-                                hwaddr *phys_ptr, MemTxAttrs *txattrs, int *prot,
-                                target_ulong *page_size_ptr, uint32_t *fsr,
--                               ARMMMUFaultInfo *fi)
-+                               ARMMMUFaultInfo *fi, ARMCacheAttrs *cacheattrs)
- {
-     ARMCPU *cpu = arm_env_get_cpu(env);
-     CPUState *cs = CPU(cpu);
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address,
-          */
-         txattrs->secure = false;
-     }
-+
-+    if (cacheattrs != NULL) {
-+        if (mmu_idx == ARMMMUIdx_S2NS) {
-+            cacheattrs->attrs = convert_stage2_attrs(env,
-+                                                     extract32(attrs, 0, 4));
-+        } else {
-+            /* Index into MAIR registers for cache attributes */
-+            uint8_t attrindx = extract32(attrs, 0, 3);
-+            uint64_t mair = env->cp15.mair_el[regime_el(env, mmu_idx)];
-+            assert(attrindx <= 7);
-+            cacheattrs->attrs = extract64(mair, attrindx * 8, 8);
-+        }
-+        cacheattrs->shareability = extract32(attrs, 6, 2);
-+    }
-+
-     *phys_ptr = descaddr;
-     *page_size_ptr = page_size;
-     return false;
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav5(CPUARMState *env, uint32_t address,
-     return false;
- }
-+/* Combine either inner or outer cacheability attributes for normal
-+ * memory, according to table D4-42 and pseudocode procedure
-+ * CombineS1S2AttrHints() of ARM DDI 0487B.b (the ARMv8 ARM).
-+ *
-+ * NB: only stage 1 includes allocation hints (RW bits), leading to
-+ * some asymmetry.
-+ */
-+static uint8_t combine_cacheattr_nibble(uint8_t s1, uint8_t s2)
-+{
-+    if (s1 == 4 || s2 == 4) {
-+        /* non-cacheable has precedence */
-+        return 4;
-+    } else if (extract32(s1, 2, 2) == 0 || extract32(s1, 2, 2) == 2) {
-+        /* stage 1 write-through takes precedence */
-+        return s1;
-+    } else if (extract32(s2, 2, 2) == 2) {
-+        /* stage 2 write-through takes precedence, but the allocation hint
-+         * is still taken from stage 1
-+         */
-+        return (2 << 2) | extract32(s1, 0, 2);
-+    } else { /* write-back */
-+        return s1;
-+    }
-+}
-+
-+/* Combine S1 and S2 cacheability/shareability attributes, per D4.5.4
-+ * and CombineS1S2Desc()
-+ *
-+ * @s1:      Attributes from stage 1 walk
-+ * @s2:      Attributes from stage 2 walk
-+ */
-+static ARMCacheAttrs combine_cacheattrs(ARMCacheAttrs s1, ARMCacheAttrs s2)
-+{
-+    uint8_t s1lo = extract32(s1.attrs, 0, 4), s2lo = extract32(s2.attrs, 0, 4);
-+    uint8_t s1hi = extract32(s1.attrs, 4, 4), s2hi = extract32(s2.attrs, 4, 4);
-+    ARMCacheAttrs ret;
-+
-+    /* Combine shareability attributes (table D4-43) */
-+    if (s1.shareability == 2 || s2.shareability == 2) {
-+        /* if either are outer-shareable, the result is outer-shareable */
-+        ret.shareability = 2;
-+    } else if (s1.shareability == 3 || s2.shareability == 3) {
-+        /* if either are inner-shareable, the result is inner-shareable */
-+        ret.shareability = 3;
-+    } else {
-+        /* both non-shareable */
-+        ret.shareability = 0;
-+    }
-+
-+    /* Combine memory type and cacheability attributes */
-+    if (s1hi == 0 || s2hi == 0) {
-+        /* Device has precedence over normal */
-+        if (s1lo == 0 || s2lo == 0) {
-+            /* nGnRnE has precedence over anything */
-+            ret.attrs = 0;
-+        } else if (s1lo == 4 || s2lo == 4) {
-+            /* non-Reordering has precedence over Reordering */
-+            ret.attrs = 4;  /* nGnRE */
-+        } else if (s1lo == 8 || s2lo == 8) {
-+            /* non-Gathering has precedence over Gathering */
-+            ret.attrs = 8;  /* nGRE */
-+        } else {
-+            ret.attrs = 0xc; /* GRE */
-+        }
-+
-+        /* Any location for which the resultant memory type is any
-+         * type of Device memory is always treated as Outer Shareable.
-+         */
-+        ret.shareability = 2;
-+    } else { /* Normal memory */
-+        /* Outer/inner cacheability combine independently */
-+        ret.attrs = combine_cacheattr_nibble(s1hi, s2hi) << 4
-+                  | combine_cacheattr_nibble(s1lo, s2lo);
-+
-+        if (ret.attrs == 0x44) {
-+            /* Any location for which the resultant memory type is Normal
-+             * Inner Non-cacheable, Outer Non-cacheable is always treated
-+             * as Outer Shareable.
-+             */
-+            ret.shareability = 2;
-+        }
-+    }
-+
-+    return ret;
-+}
-+
-+
- /* get_phys_addr - get the physical address for this virtual address
-  *
-  * Find the physical address corresponding to the given virtual address,
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav5(CPUARMState *env, uint32_t address,
-  * @prot: set to the permissions for the page containing phys_ptr
-  * @page_size: set to the size of the page containing phys_ptr
-  * @fsr: set to the DFSR/IFSR value on failure
-+ * @fi: set to fault info if the translation fails
-+ * @cacheattrs: (if non-NULL) set to the cacheability/shareability attributes
-  */
- static bool get_phys_addr(CPUARMState *env, target_ulong address,
-                           MMUAccessType access_type, ARMMMUIdx mmu_idx,
-                           hwaddr *phys_ptr, MemTxAttrs *attrs, int *prot,
-                           target_ulong *page_size, uint32_t *fsr,
--                          ARMMMUFaultInfo *fi)
-+                          ARMMMUFaultInfo *fi, ARMCacheAttrs *cacheattrs)
- {
-     if (mmu_idx == ARMMMUIdx_S12NSE0 || mmu_idx == ARMMMUIdx_S12NSE1) {
-         /* Call ourselves recursively to do the stage 1 and then stage 2
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr(CPUARMState *env, target_ulong address,
-             hwaddr ipa;
-             int s2_prot;
-             int ret;
-+            ARMCacheAttrs cacheattrs2 = {};
-             ret = get_phys_addr(env, address, access_type,
-                                 stage_1_mmu_idx(mmu_idx), &ipa, attrs,
--                                prot, page_size, fsr, fi);
-+                                prot, page_size, fsr, fi, cacheattrs);
-             /* If S1 fails or S2 is disabled, return early.  */
-             if (ret || regime_translation_disabled(env, ARMMMUIdx_S2NS)) {
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr(CPUARMState *env, target_ulong address,
-             /* S1 is done. Now do S2 translation.  */
-             ret = get_phys_addr_lpae(env, ipa, access_type, ARMMMUIdx_S2NS,
-                                      phys_ptr, attrs, &s2_prot,
--                                     page_size, fsr, fi);
-+                                     page_size, fsr, fi,
-+                                     cacheattrs != NULL ? &cacheattrs2 : NULL);
-             fi->s2addr = ipa;
-             /* Combine the S1 and S2 perms.  */
-             *prot &= s2_prot;
-+
-+            /* Combine the S1 and S2 cache attributes, if needed */
-+            if (!ret && cacheattrs != NULL) {
-+                *cacheattrs = combine_cacheattrs(*cacheattrs, cacheattrs2);
-+            }
-+
-             return ret;
-         } else {
-             /*
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr(CPUARMState *env, target_ulong address,
-     if (regime_using_lpae_format(env, mmu_idx)) {
-         return get_phys_addr_lpae(env, address, access_type, mmu_idx, phys_ptr,
--                                  attrs, prot, page_size, fsr, fi);
-+                                  attrs, prot, page_size, fsr, fi, cacheattrs);
-     } else if (regime_sctlr(env, mmu_idx) & SCTLR_XP) {
-         return get_phys_addr_v6(env, address, access_type, mmu_idx, phys_ptr,
-                                 attrs, prot, page_size, fsr, fi);
-@@ -XXX,XX +XXX,XX @@ bool arm_tlb_fill(CPUState *cs, vaddr address,
-     ret = get_phys_addr(env, address, access_type,
-                         core_to_arm_mmu_idx(env, mmu_idx), &phys_addr,
--                        &attrs, &prot, &page_size, fsr, fi);
-+                        &attrs, &prot, &page_size, fsr, fi, NULL);
-     if (!ret) {
-         /* Map a single [sub]page.  */
-         phys_addr &= TARGET_PAGE_MASK;
-@@ -XXX,XX +XXX,XX @@ hwaddr arm_cpu_get_phys_page_attrs_debug(CPUState *cs, vaddr addr,
-     *attrs = (MemTxAttrs) {};
-     ret = get_phys_addr(env, addr, 0, mmu_idx, &phys_addr,
--                        attrs, &prot, &page_size, &fsr, &fi);
-+                        attrs, &prot, &page_size, &fsr, &fi, NULL);
-     if (ret) {
-         return -1;
---
-.7.4

-[Qemu-devel] [PULL 2/7] hw/arm: Mark the "fsl, imx6" device with user_creatable = false
+Deleted patch
-From: Thomas Huth <thuth@redhat.com>
-This device causes QEMU to abort if the user tries to instantiate it:
-$ qemu-system-aarch64 -M sabrelite -smp 1,maxcpus=2 -device fsl,,imx6
-Unexpected error in qemu_chr_fe_init() at chardev/char-fe.c:222:
-qemu-system-aarch64: -device fsl,,imx6: Device 'serial0' is in use
-Aborted (core dumped)
-The device uses serial_hds[] directly in its realize function, so it
-can not be instantiated again by the user.
-Signed-off-by: Thomas Huth <thuth@redhat.com>
-Message-id: 1509519537-6964-2-git-send-email-thuth@redhat.com
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/arm/fsl-imx6.c | 3 ++-
-file changed, 2 insertions(+), 1 deletion(-)
-diff --git a/hw/arm/fsl-imx6.c b/hw/arm/fsl-imx6.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/fsl-imx6.c
-+++ b/hw/arm/fsl-imx6.c
-@@ -XXX,XX +XXX,XX @@ static void fsl_imx6_class_init(ObjectClass *oc, void *data)
-     DeviceClass *dc = DEVICE_CLASS(oc);
-     dc->realize = fsl_imx6_realize;
--
-     dc->desc = "i.MX6 SOC";
-+    /* Reason: Uses serial_hds[] in the realize() function */
-+    dc->user_creatable = false;
- }
- static const TypeInfo fsl_imx6_type_info = {
---
-.7.4

-[Qemu-devel] [PULL 3/7] hw/arm: Mark the "fsl, imx25" device with user_creatable = false
+Deleted patch
-From: Thomas Huth <thuth@redhat.com>
-QEMU currently crashes when the user tries to instantiate the fsl,imx25
-device manually:
-$ aarch64-softmmu/qemu-system-aarch64 -S -M imx25-pdk -device fsl,,imx25
-**
-ERROR:/home/thuth/devel/qemu/tcg/tcg.c:538:tcg_register_thread:
- assertion failed: (n < max_cpus)
-The imx25-pdk board (which is the one that uses this CPU type) only
-supports one CPU, and the realize function of the "fsl,imx25" device
-also uses serial_hds[] directly, so this device clearly can not be
-instantiated twice and thus we should mark it with user_creatable = 0.
-Signed-off-by: Thomas Huth <thuth@redhat.com>
-Message-id: 1509519537-6964-3-git-send-email-thuth@redhat.com
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/arm/fsl-imx25.c | 6 +++++-
-file changed, 5 insertions(+), 1 deletion(-)
-diff --git a/hw/arm/fsl-imx25.c b/hw/arm/fsl-imx25.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/fsl-imx25.c
-+++ b/hw/arm/fsl-imx25.c
-@@ -XXX,XX +XXX,XX @@ static void fsl_imx25_class_init(ObjectClass *oc, void *data)
-     DeviceClass *dc = DEVICE_CLASS(oc);
-     dc->realize = fsl_imx25_realize;
--
-     dc->desc = "i.MX25 SOC";
-+    /*
-+     * Reason: uses serial_hds in realize and the imx25 board does not
-+     * support multiple CPUs
-+     */
-+    dc->user_creatable = false;
- }
- static const TypeInfo fsl_imx25_type_info = {
---
-.7.4

-[Qemu-devel] [PULL 4/7] hw/arm: Mark the "fsl, imx31" device with user_creatable = false
+Deleted patch
-From: Thomas Huth <thuth@redhat.com>
-QEMU currently crashes when the user tries to instantiate the fsl,imx31
-device manually:
-$ aarch64-softmmu/qemu-system-aarch64 -M kzm -device fsl,,imx31
-**
-ERROR:/home/thuth/devel/qemu/tcg/tcg.c:538:tcg_register_thread:
- assertion failed: (n < max_cpus)
-Aborted (core dumped)
-The kzm board (which is the one that uses this CPU type) only supports
-one CPU, and the realize function of the "fsl,imx31" device also uses
-serial_hds[] directly, so this device clearly can not be instantiated
-twice and thus we should mark it with user_creatable = false.
-Signed-off-by: Thomas Huth <thuth@redhat.com>
-Message-id: 1509519537-6964-4-git-send-email-thuth@redhat.com
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/arm/fsl-imx31.c | 6 +++++-
-file changed, 5 insertions(+), 1 deletion(-)
-diff --git a/hw/arm/fsl-imx31.c b/hw/arm/fsl-imx31.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/fsl-imx31.c
-+++ b/hw/arm/fsl-imx31.c
-@@ -XXX,XX +XXX,XX @@ static void fsl_imx31_class_init(ObjectClass *oc, void *data)
-     DeviceClass *dc = DEVICE_CLASS(oc);
-     dc->realize = fsl_imx31_realize;
--
-     dc->desc = "i.MX31 SOC";
-+    /*
-+     * Reason: uses serial_hds in realize and the kzm board does not
-+     * support multiple CPUs
-+     */
-+    dc->user_creatable = false;
- }
- static const TypeInfo fsl_imx31_type_info = {
---
-.7.4

-[Qemu-devel] [PULL 5/7] translate.c: Fix usermode big-endian AArch32 LDREXD and STREXD
+Deleted patch
-For AArch32 LDREXD and STREXD, architecturally the 32-bit word at the
-lowest address is always Rt and the one at addr+4 is Rt2, even if the
-CPU is big-endian. Our implementation does these with a single
--bit store, so if we're big-endian then we need to put the two
--bit halves together in the opposite order to little-endian,
-so that they end up in the right places. We were trying to do
-this with the gen_aa32_frob64() function, but that is not correct
-for the usermode emulator, because there there is a distinction
-between "load a 64 bit value" (which does a BE 64-bit access
-and doesn't need swapping) and "load two 32 bit values as one
-bit access" (where we still need to do the swapping, like
-system mode BE32).
-Fixes: https://bugs.launchpad.net/qemu/+bug/1725267
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 1509622400-13351-1-git-send-email-peter.maydell@linaro.org
----
- target/arm/translate.c | 39 ++++++++++++++++++++++++++++++++++-----
-file changed, 34 insertions(+), 5 deletions(-)
-diff --git a/target/arm/translate.c b/target/arm/translate.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate.c
-+++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ static void gen_load_exclusive(DisasContext *s, int rt, int rt2,
-         TCGv_i32 tmp2 = tcg_temp_new_i32();
-         TCGv_i64 t64 = tcg_temp_new_i64();
--        gen_aa32_ld_i64(s, t64, addr, get_mem_index(s), opc);
-+        /* For AArch32, architecturally the 32-bit word at the lowest
-+         * address is always Rt and the one at addr+4 is Rt2, even if
-+         * the CPU is big-endian. That means we don't want to do a
-+         * gen_aa32_ld_i64(), which invokes gen_aa32_frob64() as if
-+         * for an architecturally 64-bit access, but instead do a
-+         * 64-bit access using MO_BE if appropriate and then split
-+         * the two halves.
-+         * This only makes a difference for BE32 user-mode, where
-+         * frob64() must not flip the two halves of the 64-bit data
-+         * but this code must treat BE32 user-mode like BE32 system.
-+         */
-+        TCGv taddr = gen_aa32_addr(s, addr, opc);
-+
-+        tcg_gen_qemu_ld_i64(t64, taddr, get_mem_index(s), opc);
-+        tcg_temp_free(taddr);
-         tcg_gen_mov_i64(cpu_exclusive_val, t64);
--        tcg_gen_extr_i64_i32(tmp, tmp2, t64);
-+        if (s->be_data == MO_BE) {
-+            tcg_gen_extr_i64_i32(tmp2, tmp, t64);
-+        } else {
-+            tcg_gen_extr_i64_i32(tmp, tmp2, t64);
-+        }
-         tcg_temp_free_i64(t64);
-         store_reg(s, rt2, tmp2);
-@@ -XXX,XX +XXX,XX @@ static void gen_store_exclusive(DisasContext *s, int rd, int rt, int rt2,
-         TCGv_i64 n64 = tcg_temp_new_i64();
-         t2 = load_reg(s, rt2);
--        tcg_gen_concat_i32_i64(n64, t1, t2);
-+        /* For AArch32, architecturally the 32-bit word at the lowest
-+         * address is always Rt and the one at addr+4 is Rt2, even if
-+         * the CPU is big-endian. Since we're going to treat this as a
-+         * single 64-bit BE store, we need to put the two halves in the
-+         * opposite order for BE to LE, so that they end up in the right
-+         * places.
-+         * We don't want gen_aa32_frob64() because that does the wrong
-+         * thing for BE32 usermode.
-+         */
-+        if (s->be_data == MO_BE) {
-+            tcg_gen_concat_i32_i64(n64, t2, t1);
-+        } else {
-+            tcg_gen_concat_i32_i64(n64, t1, t2);
-+        }
-         tcg_temp_free_i32(t2);
--        gen_aa32_frob64(s, n64);
-         tcg_gen_atomic_cmpxchg_i64(o64, taddr, cpu_exclusive_val, n64,
-                                    get_mem_index(s), opc);
-         tcg_temp_free_i64(n64);
--        gen_aa32_frob64(s, o64);
-         tcg_gen_setcond_i64(TCG_COND_NE, o64, o64, cpu_exclusive_val);
-         tcg_gen_extrl_i64_i32(t0, o64);
---
-.7.4

-[Qemu-devel] [PULL 6/7] hw/intc/arm_gicv3_its: Fix the VM termination in vm_change_state_handler()
+Deleted patch
-From: Shanker Donthineni <shankerd@codeaurora.org>
-The commit cddafd8f353d ("hw/intc/arm_gicv3_its: Implement state save
-/restore") breaks the backward compatibility with the older kernels
-where vITS save/restore support is not available. The vmstate function
-vm_change_state_handler() should not be registered if the running kernel
-doesn't support ITS save/restore feature. Otherwise VM instance will be
-killed whenever vmstate callback function is invoked.
-Observed a virtual machine shutdown with QEMU-2.10+linux-4.11 when testing
-the reboot command "virsh reboot <domain> --mode acpi" instead of reboot.
-KVM Error: 'KVM_SET_DEVICE_ATTR failed: Group 4 attr 0x00000000000001'
-Signed-off-by: Shanker Donthineni <shankerd@codeaurora.org>
-Reviewed-by: Eric Auger <eric.auger@redhat.com>
-Message-id: 1509712671-16299-1-git-send-email-shankerd@codeaurora.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/intc/arm_gicv3_its_kvm.c | 4 ++--
-file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/hw/intc/arm_gicv3_its_kvm.c b/hw/intc/arm_gicv3_its_kvm.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/arm_gicv3_its_kvm.c
-+++ b/hw/intc/arm_gicv3_its_kvm.c
-@@ -XXX,XX +XXX,XX @@ static void kvm_arm_its_realize(DeviceState *dev, Error **errp)
-             error_free(s->migration_blocker);
-             return;
-         }
-+    } else {
-+        qemu_add_vm_change_state_handler(vm_change_state_handler, s);
-     }
-     kvm_msi_use_devid = true;
-     kvm_gsi_direct_mapping = false;
-     kvm_msi_via_irqfd_allowed = kvm_irqfds_enabled();
--
--    qemu_add_vm_change_state_handler(vm_change_state_handler, s);
- }
- /**
---
-.7.4

-[Qemu-devel] [PULL 7/7] hw/intc/arm_gicv3_its: Don't abort on table save failure
+Deleted patch
-From: Eric Auger <eric.auger@redhat.com>
-The ITS is not fully properly reset at the moment. Caches are
-not emptied.
-After a reset, in case we attempt to save the state before
-the bound devices have registered their MSIs and after the
-st level table has been allocated by the ITS driver
-(device BASER is valid), the first level entries are still
-invalid. If the device cache is not empty (devices registered
-before the reset), vgic_its_save_device_tables fails with -EINVAL.
-This causes a QEMU abort().
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Eric Auger <eric.auger@redhat.com>
-Reported-by: wanghaibin <wanghaibin.wang@huawei.com>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/intc/arm_gicv3_its_kvm.c | 8 ++------
-file changed, 2 insertions(+), 6 deletions(-)
-diff --git a/hw/intc/arm_gicv3_its_kvm.c b/hw/intc/arm_gicv3_its_kvm.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/arm_gicv3_its_kvm.c
-+++ b/hw/intc/arm_gicv3_its_kvm.c
-@@ -XXX,XX +XXX,XX @@ static void vm_change_state_handler(void *opaque, int running,
- {
-     GICv3ITSState *s = (GICv3ITSState *)opaque;
-     Error *err = NULL;
--    int ret;
-     if (running) {
-         return;
-     }
--    ret = kvm_device_access(s->dev_fd, KVM_DEV_ARM_VGIC_GRP_CTRL,
--                            KVM_DEV_ARM_ITS_SAVE_TABLES, NULL, true, &err);
-+    kvm_device_access(s->dev_fd, KVM_DEV_ARM_VGIC_GRP_CTRL,
-+                      KVM_DEV_ARM_ITS_SAVE_TABLES, NULL, true, &err);
-     if (err) {
-         error_report_err(err);
-     }
--    if (ret < 0 && ret != -EFAULT) {
--        abort();
--    }
- }
- static void kvm_arm_its_realize(DeviceState *dev, Error **errp)
---
-.7.4

A small set of arm bugfixes for rc0.

The following changes since commit 5853e92207193e967abf5e4c25b4a551c7604725:

Merge remote-tracking branch 'remotes/pmaydell/tags/pull-cocoa-20171107' into staging (2017-11-07 12:19:48 +0000)

are available in the git repository at:

git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20171107

for you to fetch changes up to 8a7348b5d62d7ea16807e6bea54b448a0184bb0f:

hw/intc/arm_gicv3_its: Don't abort on table save failure (2017-11-07 13:03:52 +0000)

----------------------------------------------------------------
target-arm queue:
 * arm_gicv3_its: Don't abort on table save failure
 * arm_gicv3_its: Fix the VM termination in vm_change_state_handler()
 * translate.c: Fix usermode big-endian AArch32 LDREXD and STREXD
 * hw/arm: Mark the "fsl,imx31/25/6" devices with user_creatable = false
 * arm: implement cache/shareability attribute bits for PAR registers

----------------------------------------------------------------
Andrew Baumann (1):
      arm: implement cache/shareability attribute bits for PAR registers

Eric Auger (1):
      hw/intc/arm_gicv3_its: Don't abort on table save failure

Peter Maydell (1):
      translate.c: Fix usermode big-endian AArch32 LDREXD and STREXD

Shanker Donthineni (1):
      hw/intc/arm_gicv3_its: Fix the VM termination in vm_change_state_handler()

Thomas Huth (3):
      hw/arm: Mark the "fsl,imx6" device with user_creatable = false
      hw/arm: Mark the "fsl,imx25" device with user_creatable = false
      hw/arm: Mark the "fsl,imx31" device with user_creatable = false

From: Andrew Baumann <Andrew.Baumann@microsoft.com>

On a successful address translation instruction, PAR is supposed to
contain cacheability and shareability attributes determined by the
translation. We previously returned 0 for these bits (in line with the
general strategy of ignoring caches and memory attributes), but some
guest OSes may depend on them.

This patch collects the attribute bits in the page-table walk, and
updates PAR with the correct attributes for all LPAE translations.
Short descriptor formats still return 0 for these bits, as in the
prior implementation.

Signed-off-by: Andrew Baumann <Andrew.Baumann@microsoft.com>
Message-id: 20171031223830.4608-1-Andrew.Baumann@microsoft.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 178 +++++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 164 insertions(+), 14 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@
 #define ARM_CPU_FREQ 1000000000 /* FIXME: 1 GHz, should be configurable */
 
 #ifndef CONFIG_USER_ONLY
+/* Cacheability and shareability attributes for a memory access */
+typedef struct ARMCacheAttrs {
+    unsigned int attrs:8; /* as in the MAIR register encoding */
+    unsigned int shareability:2; /* as in the SH field of the VMSAv8-64 PTEs */
+} ARMCacheAttrs;
+
 static bool get_phys_addr(CPUARMState *env, target_ulong address,
                           MMUAccessType access_type, ARMMMUIdx mmu_idx,
                           hwaddr *phys_ptr, MemTxAttrs *attrs, int *prot,
                           target_ulong *page_size, uint32_t *fsr,
-                          ARMMMUFaultInfo *fi);
+                          ARMMMUFaultInfo *fi, ARMCacheAttrs *cacheattrs);
 
 static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address,
                                MMUAccessType access_type, ARMMMUIdx mmu_idx,
                                hwaddr *phys_ptr, MemTxAttrs *txattrs, int *prot,
                                target_ulong *page_size_ptr, uint32_t *fsr,
-                               ARMMMUFaultInfo *fi);
+                               ARMMMUFaultInfo *fi, ARMCacheAttrs *cacheattrs);
 
 /* Security attributes for an address, as returned by v8m_security_lookup. */
 typedef struct V8M_SAttributes {
@@ -XXX,XX +XXX,XX @@ static uint64_t do_ats_write(CPUARMState *env, uint64_t value,
     uint64_t par64;
     MemTxAttrs attrs = {};
     ARMMMUFaultInfo fi = {};
+    ARMCacheAttrs cacheattrs = {};
 
-    ret = get_phys_addr(env, value, access_type, mmu_idx,
-                        &phys_addr, &attrs, &prot, &page_size, &fsr, &fi);
+    ret = get_phys_addr(env, value, access_type, mmu_idx, &phys_addr, &attrs,
+                        &prot, &page_size, &fsr, &fi, &cacheattrs);
     if (extended_addresses_enabled(env)) {
         /* fsr is a DFSR/IFSR value for the long descriptor
          * translation table format, but with WnR always clear.
@@ -XXX,XX +XXX,XX @@ static uint64_t do_ats_write(CPUARMState *env, uint64_t value,
             if (!attrs.secure) {
                 par64 |= (1 << 9); /* NS */
             }
-            /* We don't set the ATTR or SH fields in the PAR. */
+            par64 |= (uint64_t)cacheattrs.attrs << 56; /* ATTR */
+            par64 |= cacheattrs.shareability << 7; /* SH */
         } else {
             par64 |= 1; /* F */
             par64 |= (fsr & 0x3f) << 1; /* FS */
@@ -XXX,XX +XXX,XX @@ static bool v7m_read_half_insn(ARMCPU *cpu, ARMMMUIdx mmu_idx,
         return false;
     }
     if (get_phys_addr(env, addr, MMU_INST_FETCH, mmu_idx,
-                      &physaddr, &attrs, &prot, &page_size, &fsr, &fi)) {
+                      &physaddr, &attrs, &prot, &page_size, &fsr, &fi, NULL)) {
         /* the MPU lookup failed */
         env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_IACCVIOL_MASK;
         armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_MEM, env->v7m.secure);
@@ -XXX,XX +XXX,XX @@ static hwaddr S1_ptw_translate(CPUARMState *env, ARMMMUIdx mmu_idx,
         int ret;
 
         ret = get_phys_addr_lpae(env, addr, 0, ARMMMUIdx_S2NS, &s2pa,
-                                 &txattrs, &s2prot, &s2size, fsr, fi);
+                                 &txattrs, &s2prot, &s2size, fsr, fi, NULL);
         if (ret) {
             fi->s2addr = addr;
             fi->stage2 = true;
@@ -XXX,XX +XXX,XX @@ static bool check_s2_mmu_setup(ARMCPU *cpu, bool is_aa64, int level,
     return true;
 }
 
+/* Translate from the 4-bit stage 2 representation of
+ * memory attributes (without cache-allocation hints) to
+ * the 8-bit representation of the stage 1 MAIR registers
+ * (which includes allocation hints).
+ *
+ * ref: shared/translation/attrs/S2AttrDecode()
+ *      .../S2ConvertAttrsHints()
+ */
+static uint8_t convert_stage2_attrs(CPUARMState *env, uint8_t s2attrs)
+{
+    uint8_t hiattr = extract32(s2attrs, 2, 2);
+    uint8_t loattr = extract32(s2attrs, 0, 2);
+    uint8_t hihint = 0, lohint = 0;
+
+    if (hiattr != 0) { /* normal memory */
+        if ((env->cp15.hcr_el2 & HCR_CD) != 0) { /* cache disabled */
+            hiattr = loattr = 1; /* non-cacheable */
+        } else {
+            if (hiattr != 1) { /* Write-through or write-back */
+                hihint = 3; /* RW allocate */
+            }
+            if (loattr != 1) { /* Write-through or write-back */
+                lohint = 3; /* RW allocate */
+            }
+        }
+    }
+
+    return (hiattr << 6) | (hihint << 4) | (loattr << 2) | lohint;
+}
+
 static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address,
                                MMUAccessType access_type, ARMMMUIdx mmu_idx,
                                hwaddr *phys_ptr, MemTxAttrs *txattrs, int *prot,
                                target_ulong *page_size_ptr, uint32_t *fsr,
-                               ARMMMUFaultInfo *fi)
+                               ARMMMUFaultInfo *fi, ARMCacheAttrs *cacheattrs)
 {
     ARMCPU *cpu = arm_env_get_cpu(env);
     CPUState *cs = CPU(cpu);
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address,
          */
         txattrs->secure = false;
     }
+
+    if (cacheattrs != NULL) {
+        if (mmu_idx == ARMMMUIdx_S2NS) {
+            cacheattrs->attrs = convert_stage2_attrs(env,
+                                                     extract32(attrs, 0, 4));
+        } else {
+            /* Index into MAIR registers for cache attributes */
+            uint8_t attrindx = extract32(attrs, 0, 3);
+            uint64_t mair = env->cp15.mair_el[regime_el(env, mmu_idx)];
+            assert(attrindx <= 7);
+            cacheattrs->attrs = extract64(mair, attrindx * 8, 8);
+        }
+        cacheattrs->shareability = extract32(attrs, 6, 2);
+    }
+
     *phys_ptr = descaddr;
     *page_size_ptr = page_size;
     return false;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav5(CPUARMState *env, uint32_t address,
     return false;
 }
 
+/* Combine either inner or outer cacheability attributes for normal
+ * memory, according to table D4-42 and pseudocode procedure
+ * CombineS1S2AttrHints() of ARM DDI 0487B.b (the ARMv8 ARM).
+ *
+ * NB: only stage 1 includes allocation hints (RW bits), leading to
+ * some asymmetry.
+ */
+static uint8_t combine_cacheattr_nibble(uint8_t s1, uint8_t s2)
+{
+    if (s1 == 4 || s2 == 4) {
+        /* non-cacheable has precedence */
+        return 4;
+    } else if (extract32(s1, 2, 2) == 0 || extract32(s1, 2, 2) == 2) {
+        /* stage 1 write-through takes precedence */
+        return s1;
+    } else if (extract32(s2, 2, 2) == 2) {
+        /* stage 2 write-through takes precedence, but the allocation hint
+         * is still taken from stage 1
+         */
+        return (2 << 2) | extract32(s1, 0, 2);
+    } else { /* write-back */
+        return s1;
+    }
+}
+
+/* Combine S1 and S2 cacheability/shareability attributes, per D4.5.4
+ * and CombineS1S2Desc()
+ *
+ * @s1:      Attributes from stage 1 walk
+ * @s2:      Attributes from stage 2 walk
+ */
+static ARMCacheAttrs combine_cacheattrs(ARMCacheAttrs s1, ARMCacheAttrs s2)
+{
+    uint8_t s1lo = extract32(s1.attrs, 0, 4), s2lo = extract32(s2.attrs, 0, 4);
+    uint8_t s1hi = extract32(s1.attrs, 4, 4), s2hi = extract32(s2.attrs, 4, 4);
+    ARMCacheAttrs ret;
+
+    /* Combine shareability attributes (table D4-43) */
+    if (s1.shareability == 2 || s2.shareability == 2) {
+        /* if either are outer-shareable, the result is outer-shareable */
+        ret.shareability = 2;
+    } else if (s1.shareability == 3 || s2.shareability == 3) {
+        /* if either are inner-shareable, the result is inner-shareable */
+        ret.shareability = 3;
+    } else {
+        /* both non-shareable */
+        ret.shareability = 0;
+    }
+
+    /* Combine memory type and cacheability attributes */
+    if (s1hi == 0 || s2hi == 0) {
+        /* Device has precedence over normal */
+        if (s1lo == 0 || s2lo == 0) {
+            /* nGnRnE has precedence over anything */
+            ret.attrs = 0;
+        } else if (s1lo == 4 || s2lo == 4) {
+            /* non-Reordering has precedence over Reordering */
+            ret.attrs = 4;  /* nGnRE */
+        } else if (s1lo == 8 || s2lo == 8) {
+            /* non-Gathering has precedence over Gathering */
+            ret.attrs = 8;  /* nGRE */
+        } else {
+            ret.attrs = 0xc; /* GRE */
+        }
+
+        /* Any location for which the resultant memory type is any
+         * type of Device memory is always treated as Outer Shareable.
+         */
+        ret.shareability = 2;
+    } else { /* Normal memory */
+        /* Outer/inner cacheability combine independently */
+        ret.attrs = combine_cacheattr_nibble(s1hi, s2hi) << 4
+                  | combine_cacheattr_nibble(s1lo, s2lo);
+
+        if (ret.attrs == 0x44) {
+            /* Any location for which the resultant memory type is Normal
+             * Inner Non-cacheable, Outer Non-cacheable is always treated
+             * as Outer Shareable.
+             */
+            ret.shareability = 2;
+        }
+    }
+
+    return ret;
+}
+
+
 /* get_phys_addr - get the physical address for this virtual address
  *
  * Find the physical address corresponding to the given virtual address,
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav5(CPUARMState *env, uint32_t address,
  * @prot: set to the permissions for the page containing phys_ptr
  * @page_size: set to the size of the page containing phys_ptr
  * @fsr: set to the DFSR/IFSR value on failure
+ * @fi: set to fault info if the translation fails
+ * @cacheattrs: (if non-NULL) set to the cacheability/shareability attributes
  */
 static bool get_phys_addr(CPUARMState *env, target_ulong address,
                           MMUAccessType access_type, ARMMMUIdx mmu_idx,
                           hwaddr *phys_ptr, MemTxAttrs *attrs, int *prot,
                           target_ulong *page_size, uint32_t *fsr,
-                          ARMMMUFaultInfo *fi)
+                          ARMMMUFaultInfo *fi, ARMCacheAttrs *cacheattrs)
 {
     if (mmu_idx == ARMMMUIdx_S12NSE0 || mmu_idx == ARMMMUIdx_S12NSE1) {
         /* Call ourselves recursively to do the stage 1 and then stage 2
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr(CPUARMState *env, target_ulong address,
             hwaddr ipa;
             int s2_prot;
             int ret;
+            ARMCacheAttrs cacheattrs2 = {};
 
             ret = get_phys_addr(env, address, access_type,
                                 stage_1_mmu_idx(mmu_idx), &ipa, attrs,
-                                prot, page_size, fsr, fi);
+                                prot, page_size, fsr, fi, cacheattrs);
 
             /* If S1 fails or S2 is disabled, return early.  */
             if (ret || regime_translation_disabled(env, ARMMMUIdx_S2NS)) {
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr(CPUARMState *env, target_ulong address,
             /* S1 is done. Now do S2 translation.  */
             ret = get_phys_addr_lpae(env, ipa, access_type, ARMMMUIdx_S2NS,
                                      phys_ptr, attrs, &s2_prot,
-                                     page_size, fsr, fi);
+                                     page_size, fsr, fi,
+                                     cacheattrs != NULL ? &cacheattrs2 : NULL);
             fi->s2addr = ipa;
             /* Combine the S1 and S2 perms.  */
             *prot &= s2_prot;
+
+            /* Combine the S1 and S2 cache attributes, if needed */
+            if (!ret && cacheattrs != NULL) {
+                *cacheattrs = combine_cacheattrs(*cacheattrs, cacheattrs2);
+            }
+
             return ret;
         } else {
             /*
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr(CPUARMState *env, target_ulong address,
 
     if (regime_using_lpae_format(env, mmu_idx)) {
         return get_phys_addr_lpae(env, address, access_type, mmu_idx, phys_ptr,
-                                  attrs, prot, page_size, fsr, fi);
+                                  attrs, prot, page_size, fsr, fi, cacheattrs);
     } else if (regime_sctlr(env, mmu_idx) & SCTLR_XP) {
         return get_phys_addr_v6(env, address, access_type, mmu_idx, phys_ptr,
                                 attrs, prot, page_size, fsr, fi);
@@ -XXX,XX +XXX,XX @@ bool arm_tlb_fill(CPUState *cs, vaddr address,
 
     ret = get_phys_addr(env, address, access_type,
                         core_to_arm_mmu_idx(env, mmu_idx), &phys_addr,
-                        &attrs, &prot, &page_size, fsr, fi);
+                        &attrs, &prot, &page_size, fsr, fi, NULL);
     if (!ret) {
         /* Map a single [sub]page.  */
         phys_addr &= TARGET_PAGE_MASK;
@@ -XXX,XX +XXX,XX @@ hwaddr arm_cpu_get_phys_page_attrs_debug(CPUState *cs, vaddr addr,
     *attrs = (MemTxAttrs) {};
 
     ret = get_phys_addr(env, addr, 0, mmu_idx, &phys_addr,
-                        attrs, &prot, &page_size, &fsr, &fi);
+                        attrs, &prot, &page_size, &fsr, &fi, NULL);
 
     if (ret) {
         return -1;
-- 
2.7.4

From: Thomas Huth <thuth@redhat.com>

This device causes QEMU to abort if the user tries to instantiate it:

$ qemu-system-aarch64 -M sabrelite -smp 1,maxcpus=2 -device fsl,,imx6
Unexpected error in qemu_chr_fe_init() at chardev/char-fe.c:222:
qemu-system-aarch64: -device fsl,,imx6: Device 'serial0' is in use
Aborted (core dumped)

The device uses serial_hds[] directly in its realize function, so it
can not be instantiated again by the user.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-id: 1509519537-6964-2-git-send-email-thuth@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/fsl-imx6.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/arm/fsl-imx6.c b/hw/arm/fsl-imx6.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/fsl-imx6.c
+++ b/hw/arm/fsl-imx6.c
@@ -XXX,XX +XXX,XX @@ static void fsl_imx6_class_init(ObjectClass *oc, void *data)
     DeviceClass *dc = DEVICE_CLASS(oc);
 
     dc->realize = fsl_imx6_realize;
-
     dc->desc = "i.MX6 SOC";
+    /* Reason: Uses serial_hds[] in the realize() function */
+    dc->user_creatable = false;
 }
 
 static const TypeInfo fsl_imx6_type_info = {
-- 
2.7.4

From: Thomas Huth <thuth@redhat.com>

QEMU currently crashes when the user tries to instantiate the fsl,imx25
device manually:

$ aarch64-softmmu/qemu-system-aarch64 -S -M imx25-pdk -device fsl,,imx25
**
ERROR:/home/thuth/devel/qemu/tcg/tcg.c:538:tcg_register_thread:
 assertion failed: (n < max_cpus)

The imx25-pdk board (which is the one that uses this CPU type) only
supports one CPU, and the realize function of the "fsl,imx25" device
also uses serial_hds[] directly, so this device clearly can not be
instantiated twice and thus we should mark it with user_creatable = 0.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-id: 1509519537-6964-3-git-send-email-thuth@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/fsl-imx25.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/hw/arm/fsl-imx25.c b/hw/arm/fsl-imx25.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/fsl-imx25.c
+++ b/hw/arm/fsl-imx25.c
@@ -XXX,XX +XXX,XX @@ static void fsl_imx25_class_init(ObjectClass *oc, void *data)
     DeviceClass *dc = DEVICE_CLASS(oc);
 
     dc->realize = fsl_imx25_realize;
-
     dc->desc = "i.MX25 SOC";
+    /*
+     * Reason: uses serial_hds in realize and the imx25 board does not
+     * support multiple CPUs
+     */
+    dc->user_creatable = false;
 }
 
 static const TypeInfo fsl_imx25_type_info = {
-- 
2.7.4

From: Thomas Huth <thuth@redhat.com>

QEMU currently crashes when the user tries to instantiate the fsl,imx31
device manually:

$ aarch64-softmmu/qemu-system-aarch64 -M kzm -device fsl,,imx31
**
ERROR:/home/thuth/devel/qemu/tcg/tcg.c:538:tcg_register_thread:
 assertion failed: (n < max_cpus)
Aborted (core dumped)

The kzm board (which is the one that uses this CPU type) only supports
one CPU, and the realize function of the "fsl,imx31" device also uses
serial_hds[] directly, so this device clearly can not be instantiated
twice and thus we should mark it with user_creatable = false.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-id: 1509519537-6964-4-git-send-email-thuth@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/fsl-imx31.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/hw/arm/fsl-imx31.c b/hw/arm/fsl-imx31.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/fsl-imx31.c
+++ b/hw/arm/fsl-imx31.c
@@ -XXX,XX +XXX,XX @@ static void fsl_imx31_class_init(ObjectClass *oc, void *data)
     DeviceClass *dc = DEVICE_CLASS(oc);
 
     dc->realize = fsl_imx31_realize;
-
     dc->desc = "i.MX31 SOC";
+    /*
+     * Reason: uses serial_hds in realize and the kzm board does not
+     * support multiple CPUs
+     */
+    dc->user_creatable = false;
 }
 
 static const TypeInfo fsl_imx31_type_info = {
-- 
2.7.4

For AArch32 LDREXD and STREXD, architecturally the 32-bit word at the
lowest address is always Rt and the one at addr+4 is Rt2, even if the
CPU is big-endian. Our implementation does these with a single
64-bit store, so if we're big-endian then we need to put the two
32-bit halves together in the opposite order to little-endian,
so that they end up in the right places. We were trying to do
this with the gen_aa32_frob64() function, but that is not correct
for the usermode emulator, because there there is a distinction
between "load a 64 bit value" (which does a BE 64-bit access
and doesn't need swapping) and "load two 32 bit values as one
64 bit access" (where we still need to do the swapping, like
system mode BE32).

Fixes: https://bugs.launchpad.net/qemu/+bug/1725267
Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1509622400-13351-1-git-send-email-peter.maydell@linaro.org
---
 target/arm/translate.c | 39 ++++++++++++++++++++++++++++++++++-----
 1 file changed, 34 insertions(+), 5 deletions(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_load_exclusive(DisasContext *s, int rt, int rt2,
         TCGv_i32 tmp2 = tcg_temp_new_i32();
         TCGv_i64 t64 = tcg_temp_new_i64();
 
-        gen_aa32_ld_i64(s, t64, addr, get_mem_index(s), opc);
+        /* For AArch32, architecturally the 32-bit word at the lowest
+         * address is always Rt and the one at addr+4 is Rt2, even if
+         * the CPU is big-endian. That means we don't want to do a
+         * gen_aa32_ld_i64(), which invokes gen_aa32_frob64() as if
+         * for an architecturally 64-bit access, but instead do a
+         * 64-bit access using MO_BE if appropriate and then split
+         * the two halves.
+         * This only makes a difference for BE32 user-mode, where
+         * frob64() must not flip the two halves of the 64-bit data
+         * but this code must treat BE32 user-mode like BE32 system.
+         */
+        TCGv taddr = gen_aa32_addr(s, addr, opc);
+
+        tcg_gen_qemu_ld_i64(t64, taddr, get_mem_index(s), opc);
+        tcg_temp_free(taddr);
         tcg_gen_mov_i64(cpu_exclusive_val, t64);
-        tcg_gen_extr_i64_i32(tmp, tmp2, t64);
+        if (s->be_data == MO_BE) {
+            tcg_gen_extr_i64_i32(tmp2, tmp, t64);
+        } else {
+            tcg_gen_extr_i64_i32(tmp, tmp2, t64);
+        }
         tcg_temp_free_i64(t64);
 
         store_reg(s, rt2, tmp2);
@@ -XXX,XX +XXX,XX @@ static void gen_store_exclusive(DisasContext *s, int rd, int rt, int rt2,
         TCGv_i64 n64 = tcg_temp_new_i64();
 
         t2 = load_reg(s, rt2);
-        tcg_gen_concat_i32_i64(n64, t1, t2);
+        /* For AArch32, architecturally the 32-bit word at the lowest
+         * address is always Rt and the one at addr+4 is Rt2, even if
+         * the CPU is big-endian. Since we're going to treat this as a
+         * single 64-bit BE store, we need to put the two halves in the
+         * opposite order for BE to LE, so that they end up in the right
+         * places.
+         * We don't want gen_aa32_frob64() because that does the wrong
+         * thing for BE32 usermode.
+         */
+        if (s->be_data == MO_BE) {
+            tcg_gen_concat_i32_i64(n64, t2, t1);
+        } else {
+            tcg_gen_concat_i32_i64(n64, t1, t2);
+        }
         tcg_temp_free_i32(t2);
-        gen_aa32_frob64(s, n64);
 
         tcg_gen_atomic_cmpxchg_i64(o64, taddr, cpu_exclusive_val, n64,
                                    get_mem_index(s), opc);
         tcg_temp_free_i64(n64);
 
-        gen_aa32_frob64(s, o64);
         tcg_gen_setcond_i64(TCG_COND_NE, o64, o64, cpu_exclusive_val);
         tcg_gen_extrl_i64_i32(t0, o64);
 
-- 
2.7.4

From: Shanker Donthineni <shankerd@codeaurora.org>

The commit cddafd8f353d ("hw/intc/arm_gicv3_its: Implement state save
/restore") breaks the backward compatibility with the older kernels
where vITS save/restore support is not available. The vmstate function
vm_change_state_handler() should not be registered if the running kernel
doesn't support ITS save/restore feature. Otherwise VM instance will be
killed whenever vmstate callback function is invoked.

Observed a virtual machine shutdown with QEMU-2.10+linux-4.11 when testing
the reboot command "virsh reboot <domain> --mode acpi" instead of reboot.

KVM Error: 'KVM_SET_DEVICE_ATTR failed: Group 4 attr 0x00000000000001'

Signed-off-by: Shanker Donthineni <shankerd@codeaurora.org>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Message-id: 1509712671-16299-1-git-send-email-shankerd@codeaurora.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/intc/arm_gicv3_its_kvm.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/intc/arm_gicv3_its_kvm.c b/hw/intc/arm_gicv3_its_kvm.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3_its_kvm.c
+++ b/hw/intc/arm_gicv3_its_kvm.c
@@ -XXX,XX +XXX,XX @@ static void kvm_arm_its_realize(DeviceState *dev, Error **errp)
             error_free(s->migration_blocker);
             return;
         }
+    } else {
+        qemu_add_vm_change_state_handler(vm_change_state_handler, s);
     }
 
     kvm_msi_use_devid = true;
     kvm_gsi_direct_mapping = false;
     kvm_msi_via_irqfd_allowed = kvm_irqfds_enabled();
-
-    qemu_add_vm_change_state_handler(vm_change_state_handler, s);
 }
 
 /**
-- 
2.7.4

From: Eric Auger <eric.auger@redhat.com>

The ITS is not fully properly reset at the moment. Caches are
not emptied.

After a reset, in case we attempt to save the state before
the bound devices have registered their MSIs and after the
1st level table has been allocated by the ITS driver
(device BASER is valid), the first level entries are still
invalid. If the device cache is not empty (devices registered
before the reset), vgic_its_save_device_tables fails with -EINVAL.
This causes a QEMU abort().

Cc: qemu-stable@nongnu.org
Signed-off-by: Eric Auger <eric.auger@redhat.com>
Reported-by: wanghaibin <wanghaibin.wang@huawei.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/intc/arm_gicv3_its_kvm.c | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/hw/intc/arm_gicv3_its_kvm.c b/hw/intc/arm_gicv3_its_kvm.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3_its_kvm.c
+++ b/hw/intc/arm_gicv3_its_kvm.c
@@ -XXX,XX +XXX,XX @@ static void vm_change_state_handler(void *opaque, int running,
 {
     GICv3ITSState *s = (GICv3ITSState *)opaque;
     Error *err = NULL;
-    int ret;
 
     if (running) {
         return;
     }
 
-    ret = kvm_device_access(s->dev_fd, KVM_DEV_ARM_VGIC_GRP_CTRL,
-                            KVM_DEV_ARM_ITS_SAVE_TABLES, NULL, true, &err);
+    kvm_device_access(s->dev_fd, KVM_DEV_ARM_VGIC_GRP_CTRL,
+                      KVM_DEV_ARM_ITS_SAVE_TABLES, NULL, true, &err);
     if (err) {
         error_report_err(err);
     }
-    if (ret < 0 && ret != -EFAULT) {
-        abort();
-    }
 }
 
 static void kvm_arm_its_realize(DeviceState *dev, Error **errp)
-- 
2.7.4

v2: drop pvpanic-pci patches.

The following changes since commit f1fcb6851aba6dd9838886dc179717a11e344a1c:

Merge remote-tracking branch 'remotes/huth-gitlab/tags/pull-request-2021-01-19' into staging (2021-01-19 11:57:07 +0000)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20210119-1

for you to fetch changes up to b93f4fbdc48283a39089469c44a5529d79dc40a8:

docs: Build and install all the docs in a single manual (2021-01-19 15:45:14 +0000)

----------------------------------------------------------------
target-arm queue:
 * Implement IMPDEF pauth algorithm
 * Support ARMv8.4-SEL2
 * Fix bug where we were truncating predicate vector lengths in SVE insns
 * npcm7xx_adc-test: Fix memleak in adc_qom_set
 * target/arm/m_helper: Silence GCC 10 maybe-uninitialized error
 * docs: Build and install all the docs in a single manual

----------------------------------------------------------------
Gan Qixin (1):
      npcm7xx_adc-test: Fix memleak in adc_qom_set

Peter Maydell (1):
      docs: Build and install all the docs in a single manual

Philippe Mathieu-Daudé (1):
      target/arm/m_helper: Silence GCC 10 maybe-uninitialized error

Richard Henderson (7):
      target/arm: Implement an IMPDEF pauth algorithm
      target/arm: Add cpu properties to control pauth
      target/arm: Use object_property_add_bool for "sve" property
      target/arm: Introduce PREDDESC field definitions
      target/arm: Update PFIRST, PNEXT for pred_desc
      target/arm: Update ZIP, UZP, TRN for pred_desc
      target/arm: Update REV, PUNPK for pred_desc

Rémi Denis-Courmont (19):
      target/arm: remove redundant tests
      target/arm: add arm_is_el2_enabled() helper
      target/arm: use arm_is_el2_enabled() where applicable
      target/arm: use arm_hcr_el2_eff() where applicable
      target/arm: factor MDCR_EL2 common handling
      target/arm: Define isar_feature function to test for presence of SEL2
      target/arm: add 64-bit S-EL2 to EL exception table
      target/arm: add MMU stage 1 for Secure EL2
      target/arm: add ARMv8.4-SEL2 system registers
      target/arm: handle VMID change in secure state
      target/arm: do S1_ptw_translate() before address space lookup
      target/arm: translate NS bit in page-walks
      target/arm: generalize 2-stage page-walk condition
      target/arm: secure stage 2 translation regime
      target/arm: set HPFAR_EL2.NS on secure stage 2 faults
      target/arm: revector to run-time pick target EL
      target/arm: Implement SCR_EL2.EEL2
      target/arm: enable Secure EL2 in max CPU
      target/arm: refactor vae1_tlbmask()