Series comparison

-[Qemu-devel] [PULL 00/26] target-arm queue
+[PULL 00/12] target-arm queue
-ARM queue, various patches accumulated over the Christmas break.
+One last arm pullreq before I stop work for the end of the year...
 -- PMM
-The following changes since commit 612061b277915fadd80631eb7a6926f48a110c44:
+The following changes since commit 8e5943260a8f765216674ee87ce8588cc4e7463e:
-  Merge remote-tracking branch 'remotes/ericb/tags/pull-nbd-2018-01-10' into staging (2018-01-11 11:52:40 +0000)
+  Merge remote-tracking branch 'remotes/vivier2/tags/trivial-branch-pull-request' into staging (2019-12-20 12:46:10 +0000)
-are available in the git repository at:
+are available in the Git repository at:
-  git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20180111
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20191220
-for you to fetch changes up to 0cf09852015e47a5fbb974ff7ac320366afd21ee:
+for you to fetch changes up to c8fa6079eb35888587f1be27c1590da4edcc5098:
-  hw/intc/arm_gic: reserved register addresses are RAZ/WI (2018-01-11 13:25:40 +0000)
+  arm/arm-powerctl: rebuild hflags after setting CP15 bits in arm_set_cpu_on() (2019-12-20 14:03:00 +0000)
 ----------------------------------------------------------------
 target-arm queue:
- * add aarch64_be linux-user target
+ * Support emulating the generic timers at frequencies other than 62.5MHz
- * Virt: ACPI: fix qemu assert due to re-assigned table data address
+ * Various fixes for SMMUv3 emulation bugs
- * imx_fec: various bug fixes and cleanups
+ * Improve assert error message for hflags mismatches
- * hw/timer/pxa2xx_timer: replace hw_error() -> qemu_log_mask()
+ * arm-powerctl: rebuild hflags after setting CP15 bits in arm_set_cpu_on()
  * hw/sd/pxa2xx_mmci: add read/write() trace events
  * linux-user/arm/nwfpe: Check coprocessor number for FPA emulation
  * target/arm: Make disas_thumb2_insn() generate its own UNDEF exceptions
  * hw/intc/arm_gicv3: Make reserved register addresses RAZ/WI
  * hw/intc/arm_gic: reserved register addresses are RAZ/WI
 ----------------------------------------------------------------
-Andrey Smirnov (11):
+Andrew Jeffery (4):
-      imx_fec: Do not link to netdev
+      target/arm: Remove redundant scaling of nexttick
-      imx_fec: Refactor imx_eth_enable_rx()
+      target/arm: Abstract the generic timer frequency
-      imx_fec: Change queue flushing heuristics
+      target/arm: Prepare generic timer for per-platform CNTFRQ
-      imx_fec: Move Tx frame buffer away from the stack
+      ast2600: Configure CNTFRQ at 1125MHz
       imx_fec: Use ENET_FTRL to determine truncation length
       imx_fec: Use MIN instead of explicit ternary operator
       imx_fec: Emulate SHIFT16 in ENETx_RACC
       imx_fec: Add support for multiple Tx DMA rings
       imx_fec: Use correct length for packet size
       imx_fec: Fix a typo in imx_enet_receive()
       imx_fec: Reserve full FSL_IMX25_FEC_SIZE page for the register file
-Michael Weiser (8):
+Niek Linnenbank (1):
-      linux-user: Add support for big-endian aarch64
+      arm/arm-powerctl: rebuild hflags after setting CP15 bits in arm_set_cpu_on()
       linux-user: Add separate aarch64_be uname
       linux-user: Fix endianess of aarch64 signal trampoline
       configure: Add aarch64_be-linux-user target
       linux-user: Add aarch64_be magic numbers to qemu-binfmt-conf.sh
       linux-user: Separate binfmt arm CPU families
       linux-user: Activate armeb handler registration
       target/arm: Fix stlxp for aarch64_be
-Peter Maydell (4):
+Philippe Mathieu-Daudé (1):
-      linux-user/arm/nwfpe: Check coprocessor number for FPA emulation
+      target/arm: Display helpful message when hflags mismatch
       target/arm: Make disas_thumb2_insn() generate its own UNDEF exceptions
       hw/intc/arm_gicv3: Make reserved register addresses RAZ/WI
       hw/intc/arm_gic: reserved register addresses are RAZ/WI
-Philippe Mathieu-Daudé (2):
+Simon Veith (6):
-      hw/timer/pxa2xx_timer: replace hw_error() -> qemu_log_mask()
+      hw/arm/smmuv3: Apply address mask to linear strtab base address
-      hw/sd/pxa2xx_mmci: add read/write() trace events
+      hw/arm/smmuv3: Correct SMMU_BASE_ADDR_MASK value
       hw/arm/smmuv3: Check stream IDs against actual table LOG2SIZE
       hw/arm/smmuv3: Align stream table base address to table size
       hw/arm/smmuv3: Use correct bit positions in EVT_SET_ADDR2 macro
       hw/arm/smmuv3: Report F_STE_FETCH fault address in correct word position
-Zhaoshenglong (1):
+ hw/arm/smmuv3-internal.h  |  6 ++---
-      Virt: ACPI: fix qemu assert due to re-assigned table data address
+ target/arm/cpu.h          |  5 ++++
  hw/arm/aspeed_ast2600.c   |  3 +++
  hw/arm/smmuv3.c           | 28 +++++++++++++++-----
  target/arm/arm-powerctl.c |  3 +++
  target/arm/cpu.c          | 65 +++++++++++++++++++++++++++++++++++++++++------
  target/arm/helper.c       | 42 +++++++++++++++++++++++-------
 files changed, 125 insertions(+), 27 deletions(-)
- configure                                 |   5 +-
- include/hw/arm/fsl-imx25.h                |   1 -
- include/hw/net/imx_fec.h                  |  27 +++-
- linux-user/aarch64/target_syscall.h       |   4 +
- hw/arm/fsl-imx6.c                         |   1 +
- hw/arm/virt-acpi-build.c                  |  18 ++-
- hw/intc/arm_gic.c                         |   5 +-
- hw/intc/arm_gicv3_dist.c                  |  13 ++
- hw/intc/arm_gicv3_its_common.c            |   8 +-
- hw/intc/arm_gicv3_redist.c                |  13 ++
- hw/net/imx_fec.c                          | 210 +++++++++++++++++++++++-------
- hw/sd/pxa2xx_mmci.c                       |  78 +++++++----
- hw/timer/pxa2xx_timer.c                   |  17 ++-
- linux-user/arm/nwfpe/fpa11.c              |   9 ++
- linux-user/main.c                         |   6 +
- linux-user/signal.c                       |  10 +-
- target/arm/helper-a64.c                   |   7 +-
- target/arm/translate.c                    |  23 ++--
- default-configs/aarch64_be-linux-user.mak |   1 +
- hw/sd/trace-events                        |   4 +
- scripts/qemu-binfmt-conf.sh               |  15 ++-
-files changed, 356 insertions(+), 119 deletions(-)
- create mode 100644 default-configs/aarch64_be-linux-user.mak

-[Qemu-devel] [PULL 01/26] linux-user: Add support for big-endian aarch64
+Deleted patch
-From: Michael Weiser <michael.weiser@gmx.de>
-Enable big-endian mode for data accesses on aarch64 for big-endian linux
-user mode. Activate it for all exception levels as documented by ARM:
-Set the SCTLR EE bit for ELs 1 through 3. Additionally set bit E0E in
-EL1 to enable it in EL0 as well.
-Signed-off-by: Michael Weiser <michael.weiser@gmx.de>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20171220212308.12614-2-michael.weiser@gmx.de
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- linux-user/main.c | 6 ++++++
-file changed, 6 insertions(+)
-diff --git a/linux-user/main.c b/linux-user/main.c
-index XXXXXXX..XXXXXXX 100644
---- a/linux-user/main.c
-+++ b/linux-user/main.c
-@@ -XXX,XX +XXX,XX @@ int main(int argc, char **argv, char **envp)
-         }
-         env->pc = regs->pc;
-         env->xregs[31] = regs->sp;
-+#ifdef TARGET_WORDS_BIGENDIAN
-+        env->cp15.sctlr_el[1] |= SCTLR_E0E;
-+        for (i = 1; i < 4; ++i) {
-+            env->cp15.sctlr_el[i] |= SCTLR_EE;
-+        }
-+#endif
-     }
- #elif defined(TARGET_ARM)
-     {
---
-.7.4

-[Qemu-devel] [PULL 02/26] linux-user: Add separate aarch64_be uname
+Deleted patch
-From: Michael Weiser <michael.weiser@gmx.de>
-Make big-endian aarch64 systems identify as aarch64_be as expected by
-big-endian userland and toolchains.
-Signed-off-by: Michael Weiser <michael.weiser@gmx.de>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Laurent Vivier <laurent@vivier.eu>
-Message-id: 20171220212308.12614-3-michael.weiser@gmx.de
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- linux-user/aarch64/target_syscall.h | 4 ++++
-file changed, 4 insertions(+)
-diff --git a/linux-user/aarch64/target_syscall.h b/linux-user/aarch64/target_syscall.h
-index XXXXXXX..XXXXXXX 100644
---- a/linux-user/aarch64/target_syscall.h
-+++ b/linux-user/aarch64/target_syscall.h
-@@ -XXX,XX +XXX,XX @@ struct target_pt_regs {
-     uint64_t        pstate;
- };
-+#if defined(TARGET_WORDS_BIGENDIAN)
-+#define UNAME_MACHINE "aarch64_be"
-+#else
- #define UNAME_MACHINE "aarch64"
-+#endif
- #define UNAME_MINIMUM_RELEASE "3.8.0"
- #define TARGET_CLONE_BACKWARDS
- #define TARGET_MINSIGSTKSZ       2048
---
-.7.4

-[Qemu-devel] [PULL 03/26] linux-user: Fix endianess of aarch64 signal trampoline
+Deleted patch
-From: Michael Weiser <michael.weiser@gmx.de>
-Since for aarch64 the signal trampoline is synthesized directly into the
-signal frame we need to make sure the instructions end up little-endian.
-Otherwise the wrong endianness will cause a SIGILL upon return from the
-signal handler on big-endian targets.
-Signed-off-by: Michael Weiser <michael.weiser@gmx.de>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20171220212308.12614-4-michael.weiser@gmx.de
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- linux-user/signal.c | 10 +++++++---
-file changed, 7 insertions(+), 3 deletions(-)
-diff --git a/linux-user/signal.c b/linux-user/signal.c
-index XXXXXXX..XXXXXXX 100644
---- a/linux-user/signal.c
-+++ b/linux-user/signal.c
-@@ -XXX,XX +XXX,XX @@ static void target_setup_frame(int usig, struct target_sigaction *ka,
-     if (ka->sa_flags & TARGET_SA_RESTORER) {
-         return_addr = ka->sa_restorer;
-     } else {
--        /* mov x8,#__NR_rt_sigreturn; svc #0 */
--        __put_user(0xd2801168, &frame->tramp[0]);
--        __put_user(0xd4000001, &frame->tramp[1]);
-+        /*
-+         * mov x8,#__NR_rt_sigreturn; svc #0
-+         * Since these are instructions they need to be put as little-endian
-+         * regardless of target default or current CPU endianness.
-+         */
-+        __put_user_e(0xd2801168, &frame->tramp[0], le);
-+        __put_user_e(0xd4000001, &frame->tramp[1], le);
-         return_addr = frame_addr + offsetof(struct target_rt_sigframe, tramp);
-     }
-     env->xregs[0] = usig;
---
-.7.4

-[Qemu-devel] [PULL 04/26] configure: Add aarch64_be-linux-user target
+Deleted patch
-From: Michael Weiser <michael.weiser@gmx.de>
-Add target aarch64_be-linux-user. This allows a qemu-aarch64_be binary
-to be built that will run big-endian aarch64 binaries.
-Signed-off-by: Michael Weiser <michael.weiser@gmx.de>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Laurent Vivier <laurent@vivier.eu>
-Message-id: 20171220212308.12614-5-michael.weiser@gmx.de
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- configure                                 | 5 +++--
- default-configs/aarch64_be-linux-user.mak | 1 +
-files changed, 4 insertions(+), 2 deletions(-)
- create mode 100644 default-configs/aarch64_be-linux-user.mak
-diff --git a/configure b/configure
-index XXXXXXX..XXXXXXX 100755
---- a/configure
-+++ b/configure
-@@ -XXX,XX +XXX,XX @@ target_name=$(echo $target | cut -d '-' -f 1)
- target_bigendian="no"
- case "$target_name" in
--  armeb|hppa|lm32|m68k|microblaze|mips|mipsn32|mips64|moxie|or1k|ppc|ppcemb|ppc64|ppc64abi32|s390x|sh4eb|sparc|sparc64|sparc32plus|xtensaeb)
-+  armeb|aarch64_be|hppa|lm32|m68k|microblaze|mips|mipsn32|mips64|moxie|or1k|ppc|ppcemb|ppc64|ppc64abi32|s390x|sh4eb|sparc|sparc64|sparc32plus|xtensaeb)
-   target_bigendian=yes
-   ;;
- esac
-@@ -XXX,XX +XXX,XX @@ case "$target_name" in
-     mttcg="yes"
-     gdb_xml_files="arm-core.xml arm-vfp.xml arm-vfp3.xml arm-neon.xml"
-   ;;
--  aarch64)
-+  aarch64|aarch64_be)
-+    TARGET_ARCH=aarch64
-     TARGET_BASE_ARCH=arm
-     bflt="yes"
-     mttcg="yes"
-diff --git a/default-configs/aarch64_be-linux-user.mak b/default-configs/aarch64_be-linux-user.mak
-new file mode 100644
-index XXXXXXX..XXXXXXX
---- /dev/null
-+++ b/default-configs/aarch64_be-linux-user.mak
-@@ -0,0 +1 @@
-+# Default configuration for aarch64_be-linux-user
---
-.7.4

-[Qemu-devel] [PULL 05/26] linux-user: Add aarch64_be magic numbers to qemu-binfmt-conf.sh
+Deleted patch
-From: Michael Weiser <michael.weiser@gmx.de>
-As we now have a linux-user aarch64_be target, we can add it to the list
-of supported targets in qemu-binfmt-conf.sh
-Signed-off-by: Michael Weiser <michael.weiser@gmx.de>
-Reviewed-by: Laurent Vivier <laurent@vivier.eu>
-Message-id: 20171220212308.12614-6-michael.weiser@gmx.de
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- scripts/qemu-binfmt-conf.sh | 6 +++++-
-file changed, 5 insertions(+), 1 deletion(-)
-diff --git a/scripts/qemu-binfmt-conf.sh b/scripts/qemu-binfmt-conf.sh
-index XXXXXXX..XXXXXXX 100755
---- a/scripts/qemu-binfmt-conf.sh
-+++ b/scripts/qemu-binfmt-conf.sh
-@@ -XXX,XX +XXX,XX @@
- qemu_target_list="i386 i486 alpha arm sparc32plus ppc ppc64 ppc64le m68k \
- mips mipsel mipsn32 mipsn32el mips64 mips64el \
--sh4 sh4eb s390x aarch64 hppa"
-+sh4 sh4eb s390x aarch64 aarch64_be hppa"
- i386_magic='\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x03\x00'
- i386_mask='\xff\xff\xff\xff\xff\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff'
-@@ -XXX,XX +XXX,XX @@ aarch64_magic='\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x
- aarch64_mask='\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff'
- aarch64_family=arm
-+aarch64_be_magic='\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xb7'
-+aarch64_be_mask='\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff'
-+aarch64_be_family=arm
-+
- hppa_magic='\x7f\x45\x4c\x46\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x0f'
- hppa_mask='\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff'
- hppa_family=hppa
---
-.7.4

-[Qemu-devel] [PULL 06/26] linux-user: Separate binfmt arm CPU families
+Deleted patch
-From: Michael Weiser <michael.weiser@gmx.de>
-Give big-endian arm and aarch64 CPUs their own family in
-qemu-binfmt-conf.sh to make sure we register qemu-user for binaries of
-the opposite endianness on arm and aarch64. Apart from the family
-assignments of the magic values, qemu_get_family() needs to be able to
-distinguish the two and recognise aarch64{,_be} as well.
-Signed-off-by: Michael Weiser <michael.weiser@gmx.de>
-Reviewed-by: Laurent Vivier <laurent@vivier.eu>
-Message-id: 20171220212308.12614-7-michael.weiser@gmx.de
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- scripts/qemu-binfmt-conf.sh | 9 ++++++---
-file changed, 6 insertions(+), 3 deletions(-)
-diff --git a/scripts/qemu-binfmt-conf.sh b/scripts/qemu-binfmt-conf.sh
-index XXXXXXX..XXXXXXX 100755
---- a/scripts/qemu-binfmt-conf.sh
-+++ b/scripts/qemu-binfmt-conf.sh
-@@ -XXX,XX +XXX,XX @@ arm_family=arm
- armeb_magic='\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28'
- armeb_mask='\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff'
--armeb_family=arm
-+armeb_family=armeb
- sparc_magic='\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x02'
- sparc_mask='\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff'
-@@ -XXX,XX +XXX,XX @@ aarch64_family=arm
- aarch64_be_magic='\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xb7'
- aarch64_be_mask='\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff'
--aarch64_be_family=arm
-+aarch64_be_family=armeb
- hppa_magic='\x7f\x45\x4c\x46\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x0f'
- hppa_mask='\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff'
-@@ -XXX,XX +XXX,XX @@ qemu_get_family() {
-     ppc64el|ppc64le)
-         echo "ppcle"
-         ;;
--    arm|armel|armhf|arm64|armv[4-9]*)
-+    arm|armel|armhf|arm64|armv[4-9]*l|aarch64)
-         echo "arm"
-         ;;
-+    armeb|armv[4-9]*b|aarch64_be)
-+        echo "armeb"
-+        ;;
-     sparc*)
-         echo "sparc"
-         ;;
---
-.7.4

-[Qemu-devel] [PULL 07/26] linux-user: Activate armeb handler registration
+Deleted patch
-From: Michael Weiser <michael.weiser@gmx.de>
-armeb is missing from the target list in qemu-binfmt-conf.sh. Add it so
-the handler for those binaries gets registered by the script.
-Signed-off-by: Michael Weiser <michael.weiser@gmx.de>
-Reviewed-by: Laurent Vivier <laurent@vivier.eu>
-Message-id: 20171220212308.12614-8-michael.weiser@gmx.de
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- scripts/qemu-binfmt-conf.sh | 2 +-
-file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/scripts/qemu-binfmt-conf.sh b/scripts/qemu-binfmt-conf.sh
-index XXXXXXX..XXXXXXX 100755
---- a/scripts/qemu-binfmt-conf.sh
-+++ b/scripts/qemu-binfmt-conf.sh
-@@ -XXX,XX +XXX,XX @@
- # enable automatic i386/ARM/M68K/MIPS/SPARC/PPC/s390/HPPA
- # program execution by the kernel
--qemu_target_list="i386 i486 alpha arm sparc32plus ppc ppc64 ppc64le m68k \
-+qemu_target_list="i386 i486 alpha arm armeb sparc32plus ppc ppc64 ppc64le m68k \
- mips mipsel mipsn32 mipsn32el mips64 mips64el \
- sh4 sh4eb s390x aarch64 aarch64_be hppa"
---
-.7.4

-[Qemu-devel] [PULL 08/26] target/arm: Fix stlxp for aarch64_be
+Deleted patch
-From: Michael Weiser <michael.weiser@gmx.de>
-ldxp loads two consecutive doublewords from memory regardless of CPU
-endianness. On store, stlxp currently assumes to work with a 128bit
-value and consequently switches order in big-endian mode. With this
-change it packs the doublewords in reverse order in anticipation of the
-bit big-endian store operation interposing them so they end up in
-memory in the right order. This makes it work for both MTTCG and !MTTCG.
-It effectively implements the ARM ARM STLXP operation pseudo-code:
-data = if BigEndian() then el1:el2 else el2:el1;
-With this change an aarch64_be Linux 4.14.4 kernel succeeds to boot up
-in system emulation mode.
-Signed-off-by: Michael Weiser <michael.weiser@gmx.de>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/helper-a64.c | 7 +++++--
-file changed, 5 insertions(+), 2 deletions(-)
-diff --git a/target/arm/helper-a64.c b/target/arm/helper-a64.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper-a64.c
-+++ b/target/arm/helper-a64.c
-@@ -XXX,XX +XXX,XX @@ static uint64_t do_paired_cmpxchg64_be(CPUARMState *env, uint64_t addr,
-     Int128 oldv, cmpv, newv;
-     bool success;
--    cmpv = int128_make128(env->exclusive_val, env->exclusive_high);
--    newv = int128_make128(new_lo, new_hi);
-+    /* high and low need to be switched here because this is not actually a
-+     * 128bit store but two doublewords stored consecutively
-+     */
-+    cmpv = int128_make128(env->exclusive_high, env->exclusive_val);
-+    newv = int128_make128(new_hi, new_lo);
-     if (parallel) {
- #ifndef CONFIG_ATOMIC128
---
-.7.4

-[Qemu-devel] [PULL 26/26] hw/intc/arm_gic: reserved register addresses are RAZ/WI
+[PULL 01/12] target/arm: Remove redundant scaling of nexttick
-The GICv2 specification says that reserved register addresses
+From: Andrew Jeffery <andrew@aj.id.au>
 must RAZ/WI; now that we implement external abort handling
 for Arm CPUs this means we must return MEMTX_OK rather than
 MEMTX_ERROR, to avoid generating a spurious guest data abort.
-Cc: qemu-stable@nongnu.org
+The corner-case codepath was adjusting nexttick such that overflow
 wouldn't occur when timer_mod() scaled the value back up. Remove a use
 of GTIMER_SCALE and avoid unnecessary operations by calling
 timer_mod_ns() directly.
 Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Cédric Le Goater <clg@kaod.org>
 Message-id: f8c680720e3abe55476e6d9cb604ad27fdbeb2e0.1576215453.git-series.andrew@aj.id.au
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 1513183941-24300-3-git-send-email-peter.maydell@linaro.org
-Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
 ---
- hw/intc/arm_gic.c | 5 +++--
+ target/arm/helper.c | 5 +++--
 file changed, 3 insertions(+), 2 deletions(-)
-diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c
+diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/arm_gic.c
+--- a/target/arm/helper.c
-+++ b/hw/intc/arm_gic.c
++++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static MemTxResult gic_cpu_read(GICState *s, int cpu, int offset,
+@@ -XXX,XX +XXX,XX @@ static void gt_recalc_timer(ARMCPU *cpu, int timeridx)
-     default:
+          * timer expires we will reset the timer for any remaining period.
-         qemu_log_mask(LOG_GUEST_ERROR,
+          */
-                       "gic_cpu_read: Bad offset %x\n", (int)offset);
+         if (nexttick > INT64_MAX / GTIMER_SCALE) {
--        return MEMTX_ERROR;
+-            nexttick = INT64_MAX / GTIMER_SCALE;
-+        *data = 0;
++            timer_mod_ns(cpu->gt_timer[timeridx], INT64_MAX);
-+        break;
++        } else {
-     }
++            timer_mod(cpu->gt_timer[timeridx], nexttick);
-     return MEMTX_OK;
+         }
- }
+-        timer_mod(cpu->gt_timer[timeridx], nexttick);
-@@ -XXX,XX +XXX,XX @@ static MemTxResult gic_cpu_write(GICState *s, int cpu, int offset,
+         trace_arm_gt_recalc(timeridx, irqstate, nexttick);
-     default:
+     } else {
-         qemu_log_mask(LOG_GUEST_ERROR,
+         /* Timer disabled: ISTATUS and timer output always clear */
                        "gic_cpu_write: Bad offset %x\n", (int)offset);
 -        return MEMTX_ERROR;
 +        return MEMTX_OK;
      }
      gic_update(s);
      return MEMTX_OK;
 --
-.7.4
+.20.1

-[Qemu-devel] [PULL 09/26] Virt: ACPI: fix qemu assert due to re-assigned table data address
+[PULL 02/12] target/arm: Abstract the generic timer frequency
-From: Zhaoshenglong <zhaoshenglong@huawei.com>
+From: Andrew Jeffery <andrew@aj.id.au>
-acpi_data_push uses g_array_set_size to resize the memory size. If there
+Prepare for SoCs such as the ASPEED AST2600 whose firmware configures
-is no enough contiguous memory, the address will be changed. If we use
+CNTFRQ to values significantly larger than the static 62.5MHz value
-the old value, it will assert.
+currently derived from GTIMER_SCALE. As the OS potentially derives its
-qemu-kvm: hw/acpi/bios-linker-loader.c:214: bios_linker_loader_add_checksum:
+timer periods from the CNTFRQ value the lack of support for running
-Assertion `start_offset < file->blob->len' failed.`
+QEMUTimers at the appropriate rate leads to sticky behaviour in the
 guest.
-This issue only happens in building SRAT table now but here we unify the
+Substitute the GTIMER_SCALE constant with use of a helper to derive the
-pattern for other tables as well to avoid possible issues in the future.
+period from gt_cntfrq_hz stored in struct ARMCPU. Initially set
 gt_cntfrq_hz to the frequency associated with GTIMER_SCALE so current
 behaviour is maintained.
-Signed-off-by: Zhaoshenglong <zhaoshenglong@huawei.com>
+Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
-Reviewed-by: Andrew Jones <drjones@redhat.com>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Message-id: 40bd8df043f66e1ccfb3e9482999d099ac72bb2e.1576215453.git-series.andrew@aj.id.au
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/virt-acpi-build.c | 18 +++++++++++-------
+ target/arm/cpu.h    |  5 +++++
-file changed, 11 insertions(+), 7 deletions(-)
+ target/arm/cpu.c    |  8 ++++++++
  target/arm/helper.c | 10 +++++++---
 files changed, 20 insertions(+), 3 deletions(-)
-diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c
+diff --git a/target/arm/cpu.h b/target/arm/cpu.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/virt-acpi-build.c
+--- a/target/arm/cpu.h
-+++ b/hw/arm/virt-acpi-build.c
++++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ build_spcr(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
+@@ -XXX,XX +XXX,XX @@ struct ARMCPU {
-     AcpiSerialPortConsoleRedirection *spcr;
+      */
-     const MemMapEntry *uart_memmap = &vms->memmap[VIRT_UART];
+     DECLARE_BITMAP(sve_vq_map, ARM_MAX_VQ);
-     int irq = vms->irqmap[VIRT_UART] + ARM_SPI_BASE;
+     DECLARE_BITMAP(sve_vq_init, ARM_MAX_VQ);
-+    int spcr_start = table_data->len;
++
++    /* Generic timer counter frequency, in Hz */
-     spcr = acpi_data_push(table_data, sizeof(*spcr));
++    uint64_t gt_cntfrq_hz;
+ };
-@@ -XXX,XX +XXX,XX @@ build_spcr(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
-     spcr->pci_device_id = 0xffff;  /* PCI Device ID: not a PCI device */
++unsigned int gt_cntfrq_period_ns(ARMCPU *cpu);
-     spcr->pci_vendor_id = 0xffff;  /* PCI Vendor ID: not a PCI device */
++
+ void arm_cpu_post_init(Object *obj);
--    build_header(linker, table_data, (void *)spcr, "SPCR", sizeof(*spcr), 2,
--                 NULL, NULL);
+ uint64_t arm_cpu_mp_affinity(int idx, uint8_t clustersz);
-+    build_header(linker, table_data, (void *)(table_data->data + spcr_start),
+diff --git a/target/arm/cpu.c b/target/arm/cpu.c
-+                 "SPCR", table_data->len - spcr_start, 2, NULL, NULL);
+index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.c
 +++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_initfn(Object *obj)
      if (tcg_enabled()) {
          cpu->psci_version = 2; /* TCG implements PSCI 0.2 */
      }
 +
 +    cpu->gt_cntfrq_hz = NANOSECONDS_PER_SECOND / GTIMER_SCALE;
  }
- static void
+ static Property arm_cpu_reset_cbar_property =
-@@ -XXX,XX +XXX,XX @@ build_srat(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
+@@ -XXX,XX +XXX,XX @@ static void arm_set_init_svtor(Object *obj, Visitor *v, const char *name,
-         mem_base += numa_info[i].node_mem;
+     visit_type_uint32(v, name, &cpu->init_svtor, errp);
      }
 -    build_header(linker, table_data, (void *)srat, "SRAT",
 -                 table_data->len - srat_start, 3, NULL, NULL);
 +    build_header(linker, table_data, (void *)(table_data->data + srat_start),
 +                 "SRAT", table_data->len - srat_start, 3, NULL, NULL);
  }
- static void
++unsigned int gt_cntfrq_period_ns(ARMCPU *cpu)
-@@ -XXX,XX +XXX,XX @@ build_mcfg(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
++{
-     AcpiTableMcfg *mcfg;
++    return NANOSECONDS_PER_SECOND > cpu->gt_cntfrq_hz ?
-     const MemMapEntry *memmap = vms->memmap;
++      NANOSECONDS_PER_SECOND / cpu->gt_cntfrq_hz : 1;
-     int len = sizeof(*mcfg) + sizeof(mcfg->allocation[0]);
++}
-+    int mcfg_start = table_data->len;
++
+ void arm_cpu_post_init(Object *obj)
-     mcfg = acpi_data_push(table_data, len);
+ {
-     mcfg->allocation[0].address = cpu_to_le64(memmap[VIRT_PCIE_ECAM].base);
+     ARMCPU *cpu = ARM_CPU(obj);
-@@ -XXX,XX +XXX,XX @@ build_mcfg(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
+diff --git a/target/arm/helper.c b/target/arm/helper.c
-     mcfg->allocation[0].end_bus_number = (memmap[VIRT_PCIE_ECAM].size
+index XXXXXXX..XXXXXXX 100644
-                                           / PCIE_MMCFG_SIZE_MIN) - 1;
+--- a/target/arm/helper.c
++++ b/target/arm/helper.c
--    build_header(linker, table_data, (void *)mcfg, "MCFG", len, 1, NULL, NULL);
+@@ -XXX,XX +XXX,XX @@ static CPAccessResult gt_stimer_access(CPUARMState *env,
-+    build_header(linker, table_data, (void *)(table_data->data + mcfg_start),
-+                 "MCFG", table_data->len - mcfg_start, 1, NULL, NULL);
+ static uint64_t gt_get_countervalue(CPUARMState *env)
  {
 -    return qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) / GTIMER_SCALE;
 +    ARMCPU *cpu = env_archcpu(env);
 +
 +    return qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) / gt_cntfrq_period_ns(cpu);
  }
- /* GTDT */
+ static void gt_recalc_timer(ARMCPU *cpu, int timeridx)
-@@ -XXX,XX +XXX,XX @@ build_madt(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
+@@ -XXX,XX +XXX,XX @@ static void gt_recalc_timer(ARMCPU *cpu, int timeridx)
- static void build_fadt(GArray *table_data, BIOSLinker *linker,
+          * set the timer for as far in the future as possible. When the
-                        VirtMachineState *vms, unsigned dsdt_tbl_offset)
+          * timer expires we will reset the timer for any remaining period.
           */
 -        if (nexttick > INT64_MAX / GTIMER_SCALE) {
 +        if (nexttick > INT64_MAX / gt_cntfrq_period_ns(cpu)) {
              timer_mod_ns(cpu->gt_timer[timeridx], INT64_MAX);
          } else {
              timer_mod(cpu->gt_timer[timeridx], nexttick);
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo generic_timer_cp_reginfo[] = {
  static uint64_t gt_virt_cnt_read(CPUARMState *env, const ARMCPRegInfo *ri)
  {
-+    int fadt_start = table_data->len;
++    ARMCPU *cpu = env_archcpu(env);
-     AcpiFadtDescriptorRev5_1 *fadt = acpi_data_push(table_data, sizeof(*fadt));
++
-     unsigned xdsdt_entry_offset = (char *)&fadt->x_dsdt - table_data->data;
+     /* Currently we have no support for QEMUTimer in linux-user so we
-     uint16_t bootflags;
+      * can't call gt_get_countervalue(env), instead we directly
-@@ -XXX,XX +XXX,XX @@ static void build_fadt(GArray *table_data, BIOSLinker *linker,
+      * call the lower level functions.
-         ACPI_BUILD_TABLE_FILE, xdsdt_entry_offset, sizeof(fadt->x_dsdt),
+      */
-         ACPI_BUILD_TABLE_FILE, dsdt_tbl_offset);
+-    return cpu_get_clock() / GTIMER_SCALE;
++    return cpu_get_clock() / gt_cntfrq_period_ns(cpu);
 -    build_header(linker, table_data,
 -                 (void *)fadt, "FACP", sizeof(*fadt), 5, NULL, NULL);
 +    build_header(linker, table_data, (void *)(table_data->data + fadt_start),
 +                 "FACP", table_data->len - fadt_start, 5, NULL, NULL);
  }
- /* DSDT */
+ static const ARMCPRegInfo generic_timer_cp_reginfo[] = {
 --
-.7.4
+.20.1

-[Qemu-devel] [PULL 10/26] imx_fec: Do not link to netdev
+Deleted patch
-From: Andrey Smirnov <andrew.smirnov@gmail.com>
-Binding to a particular netdev doesn't seem to belong to this layer
-and should probably be done as a part of board or SoC specific code.
-Convert all of the users of this IP block to use
-qdev_set_nic_properties() instead.
-Cc: Peter Maydell <peter.maydell@linaro.org>
-Cc: Jason Wang <jasowang@redhat.com>
-Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Cc: qemu-devel@nongnu.org
-Cc: qemu-arm@nongnu.org
-Cc: yurovsky@gmail.com
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/arm/fsl-imx6.c | 1 +
- hw/net/imx_fec.c  | 2 --
-files changed, 1 insertion(+), 2 deletions(-)
-diff --git a/hw/arm/fsl-imx6.c b/hw/arm/fsl-imx6.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/fsl-imx6.c
-+++ b/hw/arm/fsl-imx6.c
-@@ -XXX,XX +XXX,XX @@ static void fsl_imx6_realize(DeviceState *dev, Error **errp)
-                                             spi_table[i].irq));
-     }
-+    qdev_set_nic_properties(DEVICE(&s->eth), &nd_table[0]);
-     object_property_set_bool(OBJECT(&s->eth), true, "realized", &err);
-     if (err) {
-         error_propagate(errp, err);
-diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/net/imx_fec.c
-+++ b/hw/net/imx_fec.c
-@@ -XXX,XX +XXX,XX @@ static void imx_eth_realize(DeviceState *dev, Error **errp)
-     qemu_macaddr_default_if_unset(&s->conf.macaddr);
--    s->conf.peers.ncs[0] = nd_table[0].netdev;
--
-     s->nic = qemu_new_nic(&imx_eth_net_info, &s->conf,
-                           object_get_typename(OBJECT(dev)),
-                           DEVICE(dev)->id, s);
---
-.7.4

-[Qemu-devel] [PULL 11/26] imx_fec: Refactor imx_eth_enable_rx()
+[PULL 03/12] target/arm: Prepare generic timer for per-platform CNTFRQ
-From: Andrey Smirnov <andrew.smirnov@gmail.com>
+From: Andrew Jeffery <andrew@aj.id.au>
-Refactor imx_eth_enable_rx() to have more meaningfull variable name
+The ASPEED AST2600 clocks the generic timer at the rate of HPLL. On
-than 'tmp' and to reduce number of logical negations done.
+recent firmwares this is at 1125MHz, which is considerably quicker than
 the assumed 62.5MHz of the current generic timer implementation. The
 delta between the value as read from CNTFRQ and the true rate of the
 underlying QEMUTimer leads to sticky behaviour in AST2600 guests.
-Cc: Peter Maydell <peter.maydell@linaro.org>
+Add a feature-gated property exposing CNTFRQ for ARM CPUs providing the
-Cc: Jason Wang <jasowang@redhat.com>
+generic timer. This allows platforms to configure CNTFRQ (and the
-Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
+associated QEMUTimer) to the appropriate frequency prior to starting the
-Cc: qemu-devel@nongnu.org
+guest.
-Cc: qemu-arm@nongnu.org
-Cc: yurovsky@gmail.com
+As the platform can now determine the rate of CNTFRQ we're exposed to
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+limitations of QEMUTimer that didn't previously materialise: In the
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+course of emulation we need to arbitrarily and accurately convert
-Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
+between guest ticks and time, but we're constrained by QEMUTimer's use
 of an integer scaling factor. The effect is QEMUTimer cannot exactly
 capture the period of frequencies that do not cleanly divide
 NANOSECONDS_PER_SECOND for scaling ticks to time. As such, provide an
 equally inaccurate scaling factor for scaling time to ticks so at least
 a self-consistent inverse relationship holds.
 Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: a22db9325f96e39f76e3c2baddcb712149f46bf2.1576215453.git-series.andrew@aj.id.au
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/net/imx_fec.c | 8 ++++----
+ target/arm/cpu.c    | 61 +++++++++++++++++++++++++++++++++++++--------
-file changed, 4 insertions(+), 4 deletions(-)
+ target/arm/helper.c |  9 ++++++-
 files changed, 59 insertions(+), 11 deletions(-)
-diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
+diff --git a/target/arm/cpu.c b/target/arm/cpu.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/net/imx_fec.c
+--- a/target/arm/cpu.c
-+++ b/hw/net/imx_fec.c
++++ b/target/arm/cpu.c
-@@ -XXX,XX +XXX,XX @@ static void imx_eth_do_tx(IMXFECState *s)
+@@ -XXX,XX +XXX,XX @@ static void arm_cpu_initfn(Object *obj)
- static void imx_eth_enable_rx(IMXFECState *s)
+     if (tcg_enabled()) {
          cpu->psci_version = 2; /* TCG implements PSCI 0.2 */
      }
 -
 -    cpu->gt_cntfrq_hz = NANOSECONDS_PER_SECOND / GTIMER_SCALE;
  }
 +static Property arm_cpu_gt_cntfrq_property =
 +            DEFINE_PROP_UINT64("cntfrq", ARMCPU, gt_cntfrq_hz,
 +                               NANOSECONDS_PER_SECOND / GTIMER_SCALE);
 +
  static Property arm_cpu_reset_cbar_property =
              DEFINE_PROP_UINT64("reset-cbar", ARMCPU, reset_cbar, 0);
@@ -XXX,XX +XXX,XX @@ static void arm_set_init_svtor(Object *obj, Visitor *v, const char *name,
  unsigned int gt_cntfrq_period_ns(ARMCPU *cpu)
  {
-     IMXFECBufDesc bd;
++    /*
--    bool tmp;
++     * The exact approach to calculating guest ticks is:
-+    bool rx_ring_full;
++     *
++     *     muldiv64(qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL), cpu->gt_cntfrq_hz,
-     imx_fec_read_bd(&bd, s->rx_descriptor);
++     *              NANOSECONDS_PER_SECOND);
++     *
--    tmp = ((bd.flags & ENET_BD_E) != 0);
++     * We don't do that. Rather we intentionally use integer division
-+    rx_ring_full = !(bd.flags & ENET_BD_E);
++     * truncation below and in the caller for the conversion of host monotonic
++     * time to guest ticks to provide the exact inverse for the semantics of
--    if (!tmp) {
++     * the QEMUTimer scale factor. QEMUTimer's scale facter is an integer, so
-+    if (rx_ring_full) {
++     * it loses precision when representing frequencies where
-         FEC_PRINTF("RX buffer full\n");
++     * `(NANOSECONDS_PER_SECOND % cpu->gt_cntfrq) > 0` holds. Failing to
-     } else if (!s->regs[ENET_RDAR]) {
++     * provide an exact inverse leads to scheduling timers with negative
-         qemu_flush_queued_packets(qemu_get_queue(s->nic));
++     * periods, which in turn leads to sticky behaviour in the guest.
 +     *
 +     * Finally, CNTFRQ is effectively capped at 1GHz to ensure our scale factor
 +     * cannot become zero.
 +     */
      return NANOSECONDS_PER_SECOND > cpu->gt_cntfrq_hz ?
        NANOSECONDS_PER_SECOND / cpu->gt_cntfrq_hz : 1;
  }
@@ -XXX,XX +XXX,XX @@ void arm_cpu_post_init(Object *obj)
      qdev_property_add_static(DEVICE(obj), &arm_cpu_cfgend_property,
                               &error_abort);
 +
 +    if (arm_feature(&cpu->env, ARM_FEATURE_GENERIC_TIMER)) {
 +        qdev_property_add_static(DEVICE(cpu), &arm_cpu_gt_cntfrq_property,
 +                                 &error_abort);
 +    }
  }
  static void arm_cpu_finalizefn(Object *obj)
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
          }
      }
--    s->regs[ENET_RDAR] = tmp ? ENET_RDAR_RDAR : 0;
+-    cpu->gt_timer[GTIMER_PHYS] = timer_new(QEMU_CLOCK_VIRTUAL, GTIMER_SCALE,
-+    s->regs[ENET_RDAR] = rx_ring_full ? 0 : ENET_RDAR_RDAR;
+-                                           arm_gt_ptimer_cb, cpu);
 -    cpu->gt_timer[GTIMER_VIRT] = timer_new(QEMU_CLOCK_VIRTUAL, GTIMER_SCALE,
 -                                           arm_gt_vtimer_cb, cpu);
 -    cpu->gt_timer[GTIMER_HYP] = timer_new(QEMU_CLOCK_VIRTUAL, GTIMER_SCALE,
 -                                          arm_gt_htimer_cb, cpu);
 -    cpu->gt_timer[GTIMER_SEC] = timer_new(QEMU_CLOCK_VIRTUAL, GTIMER_SCALE,
 -                                          arm_gt_stimer_cb, cpu);
 +
 +    {
 +        uint64_t scale;
 +
 +        if (arm_feature(env, ARM_FEATURE_GENERIC_TIMER)) {
 +            if (!cpu->gt_cntfrq_hz) {
 +                error_setg(errp, "Invalid CNTFRQ: %"PRId64"Hz",
 +                           cpu->gt_cntfrq_hz);
 +                return;
 +            }
 +            scale = gt_cntfrq_period_ns(cpu);
 +        } else {
 +            scale = GTIMER_SCALE;
 +        }
 +
 +        cpu->gt_timer[GTIMER_PHYS] = timer_new(QEMU_CLOCK_VIRTUAL, scale,
 +                                               arm_gt_ptimer_cb, cpu);
 +        cpu->gt_timer[GTIMER_VIRT] = timer_new(QEMU_CLOCK_VIRTUAL, scale,
 +                                               arm_gt_vtimer_cb, cpu);
 +        cpu->gt_timer[GTIMER_HYP] = timer_new(QEMU_CLOCK_VIRTUAL, scale,
 +                                              arm_gt_htimer_cb, cpu);
 +        cpu->gt_timer[GTIMER_SEC] = timer_new(QEMU_CLOCK_VIRTUAL, scale,
 +                                              arm_gt_stimer_cb, cpu);
 +    }
  #endif
      cpu_exec_realizefn(cs, &local_err);
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ void arm_gt_stimer_cb(void *opaque)
      gt_recalc_timer(cpu, GTIMER_SEC);
  }
- static void imx_eth_reset(DeviceState *d)
++static void arm_gt_cntfrq_reset(CPUARMState *env, const ARMCPRegInfo *opaque)
 +{
 +    ARMCPU *cpu = env_archcpu(env);
 +
 +    cpu->env.cp15.c14_cntfrq = cpu->gt_cntfrq_hz;
 +}
 +
  static const ARMCPRegInfo generic_timer_cp_reginfo[] = {
      /* Note that CNTFRQ is purely reads-as-written for the benefit
       * of software; writing it doesn't actually change the timer frequency.
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo generic_timer_cp_reginfo[] = {
        .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 0, .opc2 = 0,
        .access = PL1_RW | PL0_R, .accessfn = gt_cntfrq_access,
        .fieldoffset = offsetof(CPUARMState, cp15.c14_cntfrq),
 -      .resetvalue = (1000 * 1000 * 1000) / GTIMER_SCALE,
 +      .resetfn = arm_gt_cntfrq_reset,
      },
      /* overall control: mostly access permissions */
      { .name = "CNTKCTL", .state = ARM_CP_STATE_BOTH,
 --
-.7.4
+.20.1

-[Qemu-devel] [PULL 23/26] linux-user/arm/nwfpe: Check coprocessor number for FPA emulation
+[PULL 04/12] ast2600: Configure CNTFRQ at 1125MHz
-Our copy of the nwfpe code for emulating of the old FPA11 floating
+From: Andrew Jeffery <andrew@aj.id.au>
 point unit doesn't check the coprocessor number in the instruction
 when it emulates it.  This means that we might treat some
 instructions which should really UNDEF as being FPA11 instructions by
 accident.
-The kernel's copy of the nwfpe code doesn't make this error; I suspect
+This matches the configuration set by u-boot on the AST2600.
 the bug was noticed and fixed as part of the process of mainlining
 the nwfpe code more than a decade ago.
-Add a check that the coprocessor number (which is always in bits
+Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
-[11:8] of the instruction) is either 1 or 2, which is where the
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-FPA11 lives.
+Reviewed-by: Cédric Le Goater <clg@kaod.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Reported-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 080ca1267a09381c43cf3c50d434fb6c186f2b6e.1576215453.git-series.andrew@aj.id.au
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- linux-user/arm/nwfpe/fpa11.c | 9 +++++++++
+ hw/arm/aspeed_ast2600.c | 3 +++
-file changed, 9 insertions(+)
+file changed, 3 insertions(+)
-diff --git a/linux-user/arm/nwfpe/fpa11.c b/linux-user/arm/nwfpe/fpa11.c
+diff --git a/hw/arm/aspeed_ast2600.c b/hw/arm/aspeed_ast2600.c
 index XXXXXXX..XXXXXXX 100644
---- a/linux-user/arm/nwfpe/fpa11.c
+--- a/hw/arm/aspeed_ast2600.c
-+++ b/linux-user/arm/nwfpe/fpa11.c
++++ b/hw/arm/aspeed_ast2600.c
-@@ -XXX,XX +XXX,XX @@ unsigned int EmulateAll(unsigned int opcode, FPA11* qfpa, CPUARMState* qregs)
+@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_ast2600_realize(DeviceState *dev, Error **errp)
-   unsigned int nRc = 0;
+         object_property_set_int(OBJECT(&s->cpu[i]), aspeed_calc_affinity(i),
- //  unsigned long flags;
+                                 "mp-affinity", &error_abort);
-   FPA11 *fpa11;
-+  unsigned int cp;
++        object_property_set_int(OBJECT(&s->cpu[i]), 1125000000, "cntfrq",
- //  save_flags(flags); sti();
++                                &error_abort);
 +  /* Check that this is really an FPA11 instruction: the coprocessor
 +   * field in bits [11:8] must be 1 or 2.
 +   */
 +  cp = (opcode >> 8) & 0xf;
 +  if (cp != 1 && cp != 2) {
 +    return 0;
 +  }
 +
-   qemufpa=qfpa;
+         /*
-   user_registers=qregs;
+          * TODO: the secondary CPUs are started and a boot helper
+          * is needed when using -kernel
 --
-.7.4
+.20.1

-[Qemu-devel] [PULL 19/26] imx_fec: Fix a typo in imx_enet_receive()
+[PULL 05/12] hw/arm/smmuv3: Apply address mask to linear strtab base address
-From: Andrey Smirnov <andrew.smirnov@gmail.com>
+From: Simon Veith <sveith@amazon.de>
-Cc: Peter Maydell <peter.maydell@linaro.org>
+In the SMMU_STRTAB_BASE register, the stream table base address only
-Cc: Jason Wang <jasowang@redhat.com>
+occupies bits [51:6]. Other bits, such as RA (bit [62]), must be masked
-Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
+out to obtain the base address.
 The branch for 2-level stream tables correctly applies this mask by way
 of SMMU_BASE_ADDR_MASK, but the one for linear stream tables does not.
 Apply the missing mask in that case as well so that the correct stream
 base address is used by guests which configure a linear stream table.
 Linux guests are unaffected by this change because they choose a 2-level
 stream table layout for the QEMU SMMUv3, based on the size of its stream
 ID space.
 ref. ARM IHI 0070C, section 6.3.23.
 Signed-off-by: Simon Veith <sveith@amazon.de>
 Acked-by: Eric Auger <eric.auger@redhat.com>
 Tested-by: Eric Auger <eric.auger@redhat.com>
 Message-id: 1576509312-13083-2-git-send-email-sveith@amazon.de
 Cc: Eric Auger <eric.auger@redhat.com>
 Cc: qemu-devel@nongnu.org
 Cc: qemu-arm@nongnu.org
-Cc: yurovsky@gmail.com
+Acked-by: Eric Auger <eric.auger@redhat.com>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/net/imx_fec.c | 2 +-
+ hw/arm/smmuv3.c | 2 +-
 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
+diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/net/imx_fec.c
+--- a/hw/arm/smmuv3.c
-+++ b/hw/net/imx_fec.c
++++ b/hw/arm/smmuv3.c
-@@ -XXX,XX +XXX,XX @@ static ssize_t imx_enet_receive(NetClientState *nc, const uint8_t *buf,
+@@ -XXX,XX +XXX,XX @@ static int smmu_find_ste(SMMUv3State *s, uint32_t sid, STE *ste,
-         size += 2;
+         }
          addr = l2ptr + l2_ste_offset * sizeof(*ste);
      } else {
 -        addr = s->strtab_base + sid * sizeof(*ste);
 +        addr = (s->strtab_base & SMMU_BASE_ADDR_MASK) + sid * sizeof(*ste);
      }
--    /* Huge frames are truncted.  */
+     if (smmu_get_ste(s, addr, ste, event)) {
 +    /* Huge frames are truncated. */
      if (size > s->regs[ENET_FTRL]) {
          size = s->regs[ENET_FTRL];
          flags |= ENET_BD_TR | ENET_BD_LG;
 --
-.7.4
+.20.1

-[Qemu-devel] [PULL 18/26] imx_fec: Use correct length for packet size
+[PULL 06/12] hw/arm/smmuv3: Correct SMMU_BASE_ADDR_MASK value
-From: Andrey Smirnov <andrew.smirnov@gmail.com>
+From: Simon Veith <sveith@amazon.de>
-Use 'frame_size' instead of 'len' when calling qemu_send_packet(),
+There are two issues with the current value of SMMU_BASE_ADDR_MASK:
 failing to do so results in malformed packets send in case when that
 packed is fragmented into multiple DMA transactions.
-Cc: Peter Maydell <peter.maydell@linaro.org>
+- At the lower end, we are clearing bits [4:0]. Per the SMMUv3 spec,
-Cc: Jason Wang <jasowang@redhat.com>
+  we should also be treating bit 5 as zero in the base address.
-Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
+- At the upper end, we are clearing bits [63:48]. Per the SMMUv3 spec,
   only bits [63:52] must be explicitly treated as zero.
 Update the SMMU_BASE_ADDR_MASK value to mask out bits [63:52] and [5:0].
 ref. ARM IHI 0070C, section 6.3.23.
 Signed-off-by: Simon Veith <sveith@amazon.de>
 Acked-by: Eric Auger <eric.auger@redhat.com>
 Tested-by: Eric Auger <eric.auger@redhat.com>
 Message-id: 1576509312-13083-3-git-send-email-sveith@amazon.de
 Cc: Eric Auger <eric.auger@redhat.com>
 Cc: qemu-devel@nongnu.org
 Cc: qemu-arm@nongnu.org
-Cc: yurovsky@gmail.com
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/net/imx_fec.c | 2 +-
+ hw/arm/smmuv3-internal.h | 2 +-
 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
+diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/net/imx_fec.c
+--- a/hw/arm/smmuv3-internal.h
-+++ b/hw/net/imx_fec.c
++++ b/hw/arm/smmuv3-internal.h
-@@ -XXX,XX +XXX,XX @@ static void imx_enet_do_tx(IMXFECState *s, uint32_t index)
+@@ -XXX,XX +XXX,XX @@ REG32(GERROR_IRQ_CFG2, 0x74)
-             }
-             /* Last buffer in frame.  */
+ #define A_STRTAB_BASE      0x80 /* 64b */
--            qemu_send_packet(qemu_get_queue(s->nic), s->frame, len);
+-#define SMMU_BASE_ADDR_MASK 0xffffffffffe0
-+            qemu_send_packet(qemu_get_queue(s->nic), s->frame, frame_size);
++#define SMMU_BASE_ADDR_MASK 0xfffffffffffc0
-             ptr = s->frame;
+ REG32(STRTAB_BASE_CFG,     0x88)
-             frame_size = 0;
+     FIELD(STRTAB_BASE_CFG, FMT,      16, 2)
 --
-.7.4
+.20.1

-[Qemu-devel] [PULL 14/26] imx_fec: Use ENET_FTRL to determine truncation length
+[PULL 07/12] hw/arm/smmuv3: Check stream IDs against actual table LOG2SIZE
-From: Andrey Smirnov <andrew.smirnov@gmail.com>
+From: Simon Veith <sveith@amazon.de>
-Frame truncation length, TRUNC_FL, is determined by the contents of
+When checking whether a stream ID is in range of the stream table, we
-ENET_FTRL register, so convert the code to use it instead of a
+have so far been only checking it against our implementation limit
-hardcoded constant.
+(SMMU_IDR1_SIDSIZE). However, the guest can program the
 STRTAB_BASE_CFG.LOG2SIZE field to a size that is smaller than this
 limit.
-To avoid the case where TRUNC_FL is greater that ENET_MAX_FRAME_SIZE,
+Check the stream ID against this limit as well to match the hardware
-increase the value of the latter to its theoretical maximum of 16K.
+behavior of raising C_BAD_STREAMID events in case the limit is exceeded.
 Also, ensure that we do not go one entry beyond the end of the table by
 checking that its index is strictly smaller than the table size.
-Cc: Peter Maydell <peter.maydell@linaro.org>
+ref. ARM IHI 0070C, section 6.3.24.
-Cc: Jason Wang <jasowang@redhat.com>
-Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Simon Veith <sveith@amazon.de>
 Acked-by: Eric Auger <eric.auger@redhat.com>
 Tested-by: Eric Auger <eric.auger@redhat.com>
 Message-id: 1576509312-13083-4-git-send-email-sveith@amazon.de
 Cc: Eric Auger <eric.auger@redhat.com>
 Cc: qemu-devel@nongnu.org
 Cc: qemu-arm@nongnu.org
-Cc: yurovsky@gmail.com
-Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- include/hw/net/imx_fec.h | 3 ++-
+ hw/arm/smmuv3.c | 8 ++++++--
- hw/net/imx_fec.c         | 4 ++--
+file changed, 6 insertions(+), 2 deletions(-)
 files changed, 4 insertions(+), 3 deletions(-)
-diff --git a/include/hw/net/imx_fec.h b/include/hw/net/imx_fec.h
+diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
 index XXXXXXX..XXXXXXX 100644
---- a/include/hw/net/imx_fec.h
+--- a/hw/arm/smmuv3.c
-+++ b/include/hw/net/imx_fec.h
++++ b/hw/arm/smmuv3.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ static int smmu_find_ste(SMMUv3State *s, uint32_t sid, STE *ste,
- #define ENET_TCCR3             393
+                          SMMUEventInfo *event)
- #define ENET_MAX               400
+ {
+     dma_addr_t addr;
--#define ENET_MAX_FRAME_SIZE    2032
++    uint32_t log2size;
+     int ret;
- /* EIR and EIMR */
- #define ENET_INT_HB            (1 << 31)
+     trace_smmuv3_find_ste(sid, s->features, s->sid_split);
-@@ -XXX,XX +XXX,XX @@
+-    /* Check SID range */
- #define ENET_RCR_NLC           (1 << 30)
+-    if (sid > (1 << SMMU_IDR1_SIDSIZE)) {
- #define ENET_RCR_GRS           (1 << 31)
++    log2size = FIELD_EX32(s->strtab_base_cfg, STRTAB_BASE_CFG, LOG2SIZE);
++    /*
-+#define ENET_MAX_FRAME_SIZE    (1 << ENET_RCR_MAX_FL_LENGTH)
++     * Check SID range against both guest-configured and implementation limits
-+
++     */
- /* TCR */
++    if (sid >= (1 << MIN(log2size, SMMU_IDR1_SIDSIZE))) {
- #define ENET_TCR_GTS           (1 << 0)
+         event->type = SMMU_EVT_C_BAD_STREAMID;
- #define ENET_TCR_FDEN          (1 << 2)
+         return -EINVAL;
 diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/net/imx_fec.c
 +++ b/hw/net/imx_fec.c
@@ -XXX,XX +XXX,XX @@ static ssize_t imx_enet_receive(NetClientState *nc, const uint8_t *buf,
      crc_ptr = (uint8_t *) &crc;
      /* Huge frames are truncted.  */
 -    if (size > ENET_MAX_FRAME_SIZE) {
 -        size = ENET_MAX_FRAME_SIZE;
 +    if (size > s->regs[ENET_FTRL]) {
 +        size = s->regs[ENET_FTRL];
          flags |= ENET_BD_TR | ENET_BD_LG;
      }
 --
-.7.4
+.20.1

-[Qemu-devel] [PULL 12/26] imx_fec: Change queue flushing heuristics
+[PULL 08/12] hw/arm/smmuv3: Align stream table base address to table size
-From: Andrey Smirnov <andrew.smirnov@gmail.com>
+From: Simon Veith <sveith@amazon.de>
-In current implementation, packet queue flushing logic seem to suffer
+Per the specification, and as observed in hardware, the SMMUv3 aligns
-from a deadlock like scenario if a packet is received by the interface
+the SMMU_STRTAB_BASE address to the size of the table by masking out the
-before before Rx ring is initialized by Guest's driver. Consider the
+respective least significant bits in the ADDR field.
 following sequence of events:
-. A QEMU instance is started against a TAP device on Linux
+Apply this masking logic to our smmu_find_ste() lookup function per the
-       host, running Linux guest, e. g., something to the effect
+specification.
        of:
-       qemu-system-arm \
+ref. ARM IHI 0070C, section 6.3.23.
           -net nic,model=imx.fec,netdev=lan0 \
           netdev tap,id=lan0,ifname=tap0,script=no,downscript=no \
           ... rest of the arguments ...
-. Once QEMU starts, but before guest reaches the point where
+Signed-off-by: Simon Veith <sveith@amazon.de>
-       FEC deriver is done initializing the HW, Guest, via TAP
+Acked-by: Eric Auger <eric.auger@redhat.com>
-       interface, receives a number of multicast MDNS packets from
+Tested-by: Eric Auger <eric.auger@redhat.com>
-       Host (not necessarily true for every OS, but it happens at
+Message-id: 1576509312-13083-5-git-send-email-sveith@amazon.de
-       least on Fedora 25)
+Cc: Eric Auger <eric.auger@redhat.com>
 . Recieving a packet in such a state results in
        imx_eth_can_receive() returning '0', which in turn causes
        tap_send() to disable corresponding event (tap.c:203)
 . Once Guest's driver reaches the point where it is ready to
        recieve packets it prepares Rx ring descriptors and writes
        ENET_RDAR_RDAR to ENET_RDAR register to indicate to HW that
        more descriptors are ready. And at this points emulation
        layer does this:
             s->regs[index] = ENET_RDAR_RDAR;
                  imx_eth_enable_rx(s);
        which, combined with:
              if (!s->regs[ENET_RDAR]) {
              qemu_flush_queued_packets(qemu_get_queue(s->nic));
           }
        results in Rx queue never being flushed and corresponding
        I/O event beign disabled.
 To prevent the problem, change the code to always flush packet queue
 when ENET_RDAR transitions 0 -> ENET_RDAR_RDAR.
 Cc: Peter Maydell <peter.maydell@linaro.org>
 Cc: Jason Wang <jasowang@redhat.com>
 Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Cc: qemu-devel@nongnu.org
 Cc: qemu-arm@nongnu.org
-Cc: yurovsky@gmail.com
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/net/imx_fec.c | 12 ++++++------
+ hw/arm/smmuv3.c | 18 ++++++++++++++----
-file changed, 6 insertions(+), 6 deletions(-)
+file changed, 14 insertions(+), 4 deletions(-)
-diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
+diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/net/imx_fec.c
+--- a/hw/arm/smmuv3.c
-+++ b/hw/net/imx_fec.c
++++ b/hw/arm/smmuv3.c
-@@ -XXX,XX +XXX,XX @@ static void imx_eth_do_tx(IMXFECState *s)
+@@ -XXX,XX +XXX,XX @@ bad_ste:
  static int smmu_find_ste(SMMUv3State *s, uint32_t sid, STE *ste,
                           SMMUEventInfo *event)
  {
 -    dma_addr_t addr;
 +    dma_addr_t addr, strtab_base;
      uint32_t log2size;
 +    int strtab_size_shift;
      int ret;
      trace_smmuv3_find_ste(sid, s->features, s->sid_split);
@@ -XXX,XX +XXX,XX @@ static int smmu_find_ste(SMMUv3State *s, uint32_t sid, STE *ste,
      }
- }
+     if (s->features & SMMU_FEATURE_2LVL_STE) {
+         int l1_ste_offset, l2_ste_offset, max_l2_ste, span;
--static void imx_eth_enable_rx(IMXFECState *s)
+-        dma_addr_t strtab_base, l1ptr, l2ptr;
-+static void imx_eth_enable_rx(IMXFECState *s, bool flush)
++        dma_addr_t l1ptr, l2ptr;
- {
+         STEDesc l1std;
-     IMXFECBufDesc bd;
-     bool rx_ring_full;
+-        strtab_base = s->strtab_base & SMMU_BASE_ADDR_MASK;
-@@ -XXX,XX +XXX,XX @@ static void imx_eth_enable_rx(IMXFECState *s)
++        /*
++         * Align strtab base address to table size. For this purpose, assume it
-     if (rx_ring_full) {
++         * is not bounded by SMMU_IDR1_SIDSIZE.
-         FEC_PRINTF("RX buffer full\n");
++         */
--    } else if (!s->regs[ENET_RDAR]) {
++        strtab_size_shift = MAX(5, (int)log2size - s->sid_split - 1 + 3);
-+    } else if (flush) {
++        strtab_base = s->strtab_base & SMMU_BASE_ADDR_MASK &
-         qemu_flush_queued_packets(qemu_get_queue(s->nic));
++                      ~MAKE_64BIT_MASK(0, strtab_size_shift);
          l1_ste_offset = sid >> s->sid_split;
          l2_ste_offset = sid & ((1 << s->sid_split) - 1);
          l1ptr = (dma_addr_t)(strtab_base + l1_ste_offset * sizeof(l1std));
@@ -XXX,XX +XXX,XX @@ static int smmu_find_ste(SMMUv3State *s, uint32_t sid, STE *ste,
          }
          addr = l2ptr + l2_ste_offset * sizeof(*ste);
      } else {
 -        addr = (s->strtab_base & SMMU_BASE_ADDR_MASK) + sid * sizeof(*ste);
 +        strtab_size_shift = log2size + 5;
 +        strtab_base = s->strtab_base & SMMU_BASE_ADDR_MASK &
 +                      ~MAKE_64BIT_MASK(0, strtab_size_shift);
 +        addr = strtab_base + sid * sizeof(*ste);
      }
-@@ -XXX,XX +XXX,XX @@ static void imx_eth_write(void *opaque, hwaddr offset, uint64_t value,
+     if (smmu_get_ste(s, addr, ste, event)) {
          if (s->regs[ENET_ECR] & ENET_ECR_ETHEREN) {
              if (!s->regs[index]) {
                  s->regs[index] = ENET_RDAR_RDAR;
 -                imx_eth_enable_rx(s);
 +                imx_eth_enable_rx(s, true);
              }
          } else {
              s->regs[index] = 0;
@@ -XXX,XX +XXX,XX @@ static int imx_eth_can_receive(NetClientState *nc)
      FEC_PRINTF("\n");
 -    return s->regs[ENET_RDAR] ? 1 : 0;
 +    return !!s->regs[ENET_RDAR];
  }
  static ssize_t imx_fec_receive(NetClientState *nc, const uint8_t *buf,
@@ -XXX,XX +XXX,XX @@ static ssize_t imx_fec_receive(NetClientState *nc, const uint8_t *buf,
          }
      }
      s->rx_descriptor = addr;
 -    imx_eth_enable_rx(s);
 +    imx_eth_enable_rx(s, false);
      imx_eth_update(s);
      return len;
  }
@@ -XXX,XX +XXX,XX @@ static ssize_t imx_enet_receive(NetClientState *nc, const uint8_t *buf,
          }
      }
      s->rx_descriptor = addr;
 -    imx_eth_enable_rx(s);
 +    imx_eth_enable_rx(s, false);
      imx_eth_update(s);
      return len;
  }
 --
-.7.4
+.20.1

-[Qemu-devel] [PULL 13/26] imx_fec: Move Tx frame buffer away from the stack
+[PULL 09/12] hw/arm/smmuv3: Use correct bit positions in EVT_SET_ADDR2 macro
-From: Andrey Smirnov <andrew.smirnov@gmail.com>
+From: Simon Veith <sveith@amazon.de>
-Make Tx frame assembly buffer to be a paort of IMXFECState structure
+The bit offsets in the EVT_SET_ADDR2 macro do not match those specified
-to avoid a concern about having large data buffer on the stack.
+in the ARM SMMUv3 Architecture Specification. In all events that use
 this macro, e.g. F_WALK_EABT, the faulting fetch address or IPA actually
 occupies the 32-bit words 6 and 7 in the event record contiguously, with
 the upper and lower unused bits clear due to alignment or maximum
 supported address bits. How many bits are clear depends on the
 individual event type.
-Cc: Peter Maydell <peter.maydell@linaro.org>
+Update the macro to write to the correct words in the event record so
-Cc: Jason Wang <jasowang@redhat.com>
+that guest drivers can obtain accurate address information on events.
-Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
 ref. ARM IHI 0070C, sections 7.3.12 through 7.3.16.
 Signed-off-by: Simon Veith <sveith@amazon.de>
 Acked-by: Eric Auger <eric.auger@redhat.com>
 Tested-by: Eric Auger <eric.auger@redhat.com>
 Message-id: 1576509312-13083-6-git-send-email-sveith@amazon.de
 Cc: Eric Auger <eric.auger@redhat.com>
 Cc: qemu-devel@nongnu.org
 Cc: qemu-arm@nongnu.org
-Cc: yurovsky@gmail.com
+Acked-by: Eric Auger <eric.auger@redhat.com>
 Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- include/hw/net/imx_fec.h |  3 +++
+ hw/arm/smmuv3-internal.h | 4 ++--
- hw/net/imx_fec.c         | 22 +++++++++++-----------
+file changed, 2 insertions(+), 2 deletions(-)
 files changed, 14 insertions(+), 11 deletions(-)
-diff --git a/include/hw/net/imx_fec.h b/include/hw/net/imx_fec.h
+diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h
 index XXXXXXX..XXXXXXX 100644
---- a/include/hw/net/imx_fec.h
+--- a/hw/arm/smmuv3-internal.h
-+++ b/include/hw/net/imx_fec.h
++++ b/hw/arm/smmuv3-internal.h
-@@ -XXX,XX +XXX,XX @@ typedef struct IMXFECState {
+@@ -XXX,XX +XXX,XX @@ typedef struct SMMUEventInfo {
-     uint32_t phy_int_mask;
+     } while (0)
+ #define EVT_SET_ADDR2(x, addr)                            \
-     bool is_fec;
+     do {                                                  \
-+
+-            (x)->word[7] = deposit32((x)->word[7], 3, 29, addr >> 16);   \
-+    /* Buffer used to assemble a Tx frame */
+-            (x)->word[7] = deposit32((x)->word[7], 0, 16, addr & 0xffff);\
-+    uint8_t frame[ENET_MAX_FRAME_SIZE];
++            (x)->word[7] = (uint32_t)(addr >> 32);        \
- } IMXFECState;
++            (x)->word[6] = (uint32_t)(addr & 0xffffffff); \
+     } while (0)
- #endif
-diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
+ void smmuv3_record_event(SMMUv3State *s, SMMUEventInfo *event);
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/net/imx_fec.c
 +++ b/hw/net/imx_fec.c
@@ -XXX,XX +XXX,XX @@ static void imx_eth_update(IMXFECState *s)
  static void imx_fec_do_tx(IMXFECState *s)
  {
      int frame_size = 0, descnt = 0;
 -    uint8_t frame[ENET_MAX_FRAME_SIZE];
 -    uint8_t *ptr = frame;
 +    uint8_t *ptr = s->frame;
      uint32_t addr = s->tx_descriptor;
      while (descnt++ < IMX_MAX_DESC) {
@@ -XXX,XX +XXX,XX @@ static void imx_fec_do_tx(IMXFECState *s)
          frame_size += len;
          if (bd.flags & ENET_BD_L) {
              /* Last buffer in frame.  */
 -            qemu_send_packet(qemu_get_queue(s->nic), frame, frame_size);
 -            ptr = frame;
 +            qemu_send_packet(qemu_get_queue(s->nic), s->frame, frame_size);
 +            ptr = s->frame;
              frame_size = 0;
              s->regs[ENET_EIR] |= ENET_INT_TXF;
          }
@@ -XXX,XX +XXX,XX @@ static void imx_fec_do_tx(IMXFECState *s)
  static void imx_enet_do_tx(IMXFECState *s)
  {
      int frame_size = 0, descnt = 0;
 -    uint8_t frame[ENET_MAX_FRAME_SIZE];
 -    uint8_t *ptr = frame;
 +    uint8_t *ptr = s->frame;
      uint32_t addr = s->tx_descriptor;
      while (descnt++ < IMX_MAX_DESC) {
@@ -XXX,XX +XXX,XX @@ static void imx_enet_do_tx(IMXFECState *s)
          frame_size += len;
          if (bd.flags & ENET_BD_L) {
              if (bd.option & ENET_BD_PINS) {
 -                struct ip_header *ip_hd = PKT_GET_IP_HDR(frame);
 +                struct ip_header *ip_hd = PKT_GET_IP_HDR(s->frame);
                  if (IP_HEADER_VERSION(ip_hd) == 4) {
 -                    net_checksum_calculate(frame, frame_size);
 +                    net_checksum_calculate(s->frame, frame_size);
                  }
              }
              if (bd.option & ENET_BD_IINS) {
 -                struct ip_header *ip_hd = PKT_GET_IP_HDR(frame);
 +                struct ip_header *ip_hd = PKT_GET_IP_HDR(s->frame);
                  /* We compute checksum only for IPv4 frames */
                  if (IP_HEADER_VERSION(ip_hd) == 4) {
                      uint16_t csum;
@@ -XXX,XX +XXX,XX @@ static void imx_enet_do_tx(IMXFECState *s)
                  }
              }
              /* Last buffer in frame.  */
 -            qemu_send_packet(qemu_get_queue(s->nic), frame, len);
 -            ptr = frame;
 +
 +            qemu_send_packet(qemu_get_queue(s->nic), s->frame, len);
 +            ptr = s->frame;
 +
              frame_size = 0;
              if (bd.option & ENET_BD_TX_INT) {
                  s->regs[ENET_EIR] |= ENET_INT_TXF;
 --
-.7.4
+.20.1

-[Qemu-devel] [PULL 15/26] imx_fec: Use MIN instead of explicit ternary operator
+[PULL 10/12] hw/arm/smmuv3: Report F_STE_FETCH fault address in correct word position
-From: Andrey Smirnov <andrew.smirnov@gmail.com>
+From: Simon Veith <sveith@amazon.de>
-Cc: Peter Maydell <peter.maydell@linaro.org>
+The smmuv3_record_event() function that generates the F_STE_FETCH error
-Cc: Jason Wang <jasowang@redhat.com>
+uses the EVT_SET_ADDR macro to record the fetch address, placing it in
-Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
+-bit words 4 and 5.
 The correct position for this address is in words 6 and 7, per the
 SMMUv3 Architecture Specification.
 Update the function to use the EVT_SET_ADDR2 macro instead, which is the
 macro intended for writing to these words.
 ref. ARM IHI 0070C, section 7.3.4.
 Signed-off-by: Simon Veith <sveith@amazon.de>
 Acked-by: Eric Auger <eric.auger@redhat.com>
 Tested-by: Eric Auger <eric.auger@redhat.com>
 Message-id: 1576509312-13083-7-git-send-email-sveith@amazon.de
 Cc: Eric Auger <eric.auger@redhat.com>
 Cc: qemu-devel@nongnu.org
 Cc: qemu-arm@nongnu.org
-Cc: yurovsky@gmail.com
+Acked-by: Eric Auger <eric.auger@redhat.com>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/net/imx_fec.c | 2 +-
+ hw/arm/smmuv3.c | 2 +-
 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
+diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/net/imx_fec.c
+--- a/hw/arm/smmuv3.c
-+++ b/hw/net/imx_fec.c
++++ b/hw/arm/smmuv3.c
-@@ -XXX,XX +XXX,XX @@ static ssize_t imx_enet_receive(NetClientState *nc, const uint8_t *buf,
+@@ -XXX,XX +XXX,XX @@ void smmuv3_record_event(SMMUv3State *s, SMMUEventInfo *info)
-                           TYPE_IMX_FEC, __func__);
+     case SMMU_EVT_F_STE_FETCH:
-             break;
+         EVT_SET_SSID(&evt, info->u.f_ste_fetch.ssid);
-         }
+         EVT_SET_SSV(&evt,  info->u.f_ste_fetch.ssv);
--        buf_len = (size <= s->regs[ENET_MRBR]) ? size : s->regs[ENET_MRBR];
+-        EVT_SET_ADDR(&evt, info->u.f_ste_fetch.addr);
-+        buf_len = MIN(size, s->regs[ENET_MRBR]);
++        EVT_SET_ADDR2(&evt, info->u.f_ste_fetch.addr);
-         bd.length = buf_len;
+         break;
-         size -= buf_len;
+     case SMMU_EVT_C_BAD_STE:
+         EVT_SET_SSID(&evt, info->u.c_bad_ste.ssid);
 --
-.7.4
+.20.1

-[Qemu-devel] [PULL 16/26] imx_fec: Emulate SHIFT16 in ENETx_RACC
+Deleted patch
-From: Andrey Smirnov <andrew.smirnov@gmail.com>
-Needed to support latest Linux kernel driver which relies on that
-functionality.
-Cc: Peter Maydell <peter.maydell@linaro.org>
-Cc: Jason Wang <jasowang@redhat.com>
-Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Cc: qemu-devel@nongnu.org
-Cc: qemu-arm@nongnu.org
-Cc: yurovsky@gmail.com
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- include/hw/net/imx_fec.h |  2 ++
- hw/net/imx_fec.c         | 23 +++++++++++++++++++++++
-files changed, 25 insertions(+)
-diff --git a/include/hw/net/imx_fec.h b/include/hw/net/imx_fec.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/hw/net/imx_fec.h
-+++ b/include/hw/net/imx_fec.h
-@@ -XXX,XX +XXX,XX @@
- #define ENET_TWFR_TFWR_LENGTH  (6)
- #define ENET_TWFR_STRFWD       (1 << 8)
-+#define ENET_RACC_SHIFT16      BIT(7)
-+
- /* Buffer Descriptor.  */
- typedef struct {
-     uint16_t length;
-diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/net/imx_fec.c
-+++ b/hw/net/imx_fec.c
-@@ -XXX,XX +XXX,XX @@ static ssize_t imx_enet_receive(NetClientState *nc, const uint8_t *buf,
-     uint8_t *crc_ptr;
-     unsigned int buf_len;
-     size_t size = len;
-+    bool shift16 = s->regs[ENET_RACC] & ENET_RACC_SHIFT16;
-     FEC_PRINTF("len %d\n", (int)size);
-@@ -XXX,XX +XXX,XX @@ static ssize_t imx_enet_receive(NetClientState *nc, const uint8_t *buf,
-     crc = cpu_to_be32(crc32(~0, buf, size));
-     crc_ptr = (uint8_t *) &crc;
-+    if (shift16) {
-+        size += 2;
-+    }
-+
-     /* Huge frames are truncted.  */
-     if (size > s->regs[ENET_FTRL]) {
-         size = s->regs[ENET_FTRL];
-@@ -XXX,XX +XXX,XX @@ static ssize_t imx_enet_receive(NetClientState *nc, const uint8_t *buf,
-             buf_len += size - 4;
-         }
-         buf_addr = bd.data;
-+
-+        if (shift16) {
-+            /*
-+             * If SHIFT16 bit of ENETx_RACC register is set we need to
-+             * align the payload to 4-byte boundary.
-+             */
-+            const uint8_t zeros[2] = { 0 };
-+
-+            dma_memory_write(&address_space_memory, buf_addr,
-+                             zeros, sizeof(zeros));
-+
-+            buf_addr += sizeof(zeros);
-+            buf_len  -= sizeof(zeros);
-+
-+            /* We only do this once per Ethernet frame */
-+            shift16 = false;
-+        }
-+
-         dma_memory_write(&address_space_memory, buf_addr, buf, buf_len);
-         buf += buf_len;
-         if (size < 4) {
---
-.7.4

-[Qemu-devel] [PULL 17/26] imx_fec: Add support for multiple Tx DMA rings
+[PULL 11/12] target/arm: Display helpful message when hflags mismatch
-From: Andrey Smirnov <andrew.smirnov@gmail.com>
+From: Philippe Mathieu-Daudé <philmd@redhat.com>
-More recent version of the IP block support more than one Tx DMA ring,
+Instead of crashing in a confuse way, give some hint to the user
-so add the code implementing that feature.
+about why we aborted. He might report the issue without having
 to use a debugger.
-Cc: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Cc: Jason Wang <jasowang@redhat.com>
+Message-id: 20191209134552.27733-1-philmd@redhat.com
-Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Cc: qemu-devel@nongnu.org
+Tested-by: Niek Linnenbank <nieklinnenbank@gmail.com>
 Cc: qemu-arm@nongnu.org
 Cc: yurovsky@gmail.com
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- include/hw/net/imx_fec.h |  18 ++++++-
+ target/arm/helper.c | 18 +++++++++++++++---
- hw/net/imx_fec.c         | 133 ++++++++++++++++++++++++++++++++++++++++-------
+file changed, 15 insertions(+), 3 deletions(-)
 files changed, 130 insertions(+), 21 deletions(-)
-diff --git a/include/hw/net/imx_fec.h b/include/hw/net/imx_fec.h
+diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/include/hw/net/imx_fec.h
+--- a/target/arm/helper.c
-+++ b/include/hw/net/imx_fec.h
++++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ void HELPER(rebuild_hflags_a64)(CPUARMState *env, int el)
- #define ENET_TFWR              81
+     env->hflags = rebuild_hflags_a64(env, el, fp_el, mmu_idx);
- #define ENET_FRBR              83
+ }
- #define ENET_FRSR              84
-+#define ENET_TDSR1             89
++static inline void assert_hflags_rebuild_correctly(CPUARMState *env)
-+#define ENET_TDSR2             92
++{
- #define ENET_RDSR              96
++#ifdef CONFIG_DEBUG_TCG
- #define ENET_TDSR              97
++    uint32_t env_flags_current = env->hflags;
- #define ENET_MRBR              98
++    uint32_t env_flags_rebuilt = rebuild_hflags_internal(env);
@@ -XXX,XX +XXX,XX @@
  #define ENET_FTRL              108
  #define ENET_TACC              112
  #define ENET_RACC              113
 +#define ENET_TDAR1             121
 +#define ENET_TDAR2             123
  #define ENET_MIIGSK_CFGR       192
  #define ENET_MIIGSK_ENR        194
  #define ENET_ATCR              256
@@ -XXX,XX +XXX,XX @@
  #define ENET_INT_WAKEUP        (1 << 17)
  #define ENET_INT_TS_AVAIL      (1 << 16)
  #define ENET_INT_TS_TIMER      (1 << 15)
 +#define ENET_INT_TXF2          (1 <<  7)
 +#define ENET_INT_TXB2          (1 <<  6)
 +#define ENET_INT_TXF1          (1 <<  3)
 +#define ENET_INT_TXB1          (1 <<  2)
  #define ENET_INT_MAC           (ENET_INT_HB | ENET_INT_BABR | ENET_INT_BABT | \
                                  ENET_INT_GRA | ENET_INT_TXF | ENET_INT_TXB | \
                                  ENET_INT_RXF | ENET_INT_RXB | ENET_INT_MII | \
                                  ENET_INT_EBERR | ENET_INT_LC | ENET_INT_RL | \
                                  ENET_INT_UN | ENET_INT_PLR | ENET_INT_WAKEUP | \
 -                                ENET_INT_TS_AVAIL)
 +                                ENET_INT_TS_AVAIL | ENET_INT_TXF1 | \
 +                                ENET_INT_TXB1 | ENET_INT_TXF2 | ENET_INT_TXB2)
  /* RDAR */
  #define ENET_RDAR_RDAR         (1 << 24)
@@ -XXX,XX +XXX,XX @@ typedef struct {
  #define ENET_BD_BDU            (1 << 31)
 +#define ENET_TX_RING_NUM       3
 +
-+
++    if (unlikely(env_flags_current != env_flags_rebuilt)) {
- typedef struct IMXFECState {
++        fprintf(stderr, "TCG hflags mismatch (current:0x%08x rebuilt:0x%08x)\n",
-     /*< private >*/
++                env_flags_current, env_flags_rebuilt);
-     SysBusDevice parent_obj;
++        abort();
-@@ -XXX,XX +XXX,XX @@ typedef struct IMXFECState {
++    }
++#endif
      uint32_t regs[ENET_MAX];
      uint32_t rx_descriptor;
 -    uint32_t tx_descriptor;
 +
 +    uint32_t tx_descriptor[ENET_TX_RING_NUM];
 +    uint32_t tx_ring_num;
      uint32_t phy_status;
      uint32_t phy_control;
 diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/net/imx_fec.c
 +++ b/hw/net/imx_fec.c
@@ -XXX,XX +XXX,XX @@ static const char *imx_eth_reg_name(IMXFECState *s, uint32_t index)
      }
  }
 +/*
 + * Versions of this device with more than one TX descriptor save the
 + * 2nd and 3rd descriptors in a subsection, to maintain migration
 + * compatibility with previous versions of the device that only
 + * supported a single descriptor.
 + */
 +static bool imx_eth_is_multi_tx_ring(void *opaque)
 +{
 +    IMXFECState *s = IMX_FEC(opaque);
 +
 +    return s->tx_ring_num > 1;
 +}
 +
-+static const VMStateDescription vmstate_imx_eth_txdescs = {
+ void cpu_get_tb_cpu_state(CPUARMState *env, target_ulong *pc,
-+    .name = "imx.fec/txdescs",
+                           target_ulong *cs_base, uint32_t *pflags)
 +    .version_id = 1,
 +    .minimum_version_id = 1,
 +    .needed = imx_eth_is_multi_tx_ring,
 +    .fields = (VMStateField[]) {
 +         VMSTATE_UINT32(tx_descriptor[1], IMXFECState),
 +         VMSTATE_UINT32(tx_descriptor[2], IMXFECState),
 +         VMSTATE_END_OF_LIST()
 +    }
 +};
 +
  static const VMStateDescription vmstate_imx_eth = {
      .name = TYPE_IMX_FEC,
      .version_id = 2,
@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_imx_eth = {
      .fields = (VMStateField[]) {
          VMSTATE_UINT32_ARRAY(regs, IMXFECState, ENET_MAX),
          VMSTATE_UINT32(rx_descriptor, IMXFECState),
 -        VMSTATE_UINT32(tx_descriptor, IMXFECState),
 -
 +        VMSTATE_UINT32(tx_descriptor[0], IMXFECState),
          VMSTATE_UINT32(phy_status, IMXFECState),
          VMSTATE_UINT32(phy_control, IMXFECState),
          VMSTATE_UINT32(phy_advertise, IMXFECState),
          VMSTATE_UINT32(phy_int, IMXFECState),
          VMSTATE_UINT32(phy_int_mask, IMXFECState),
          VMSTATE_END_OF_LIST()
 -    }
 +    },
 +    .subsections = (const VMStateDescription * []) {
 +        &vmstate_imx_eth_txdescs,
 +        NULL
 +    },
  };
  #define PHY_INT_ENERGYON            (1 << 7)
@@ -XXX,XX +XXX,XX @@ static void imx_fec_do_tx(IMXFECState *s)
  {
-     int frame_size = 0, descnt = 0;
+@@ -XXX,XX +XXX,XX @@ void cpu_get_tb_cpu_state(CPUARMState *env, target_ulong *pc,
-     uint8_t *ptr = s->frame;
+     uint32_t pstate_for_ss;
--    uint32_t addr = s->tx_descriptor;
-+    uint32_t addr = s->tx_descriptor[0];
+     *cs_base = 0;
+-#ifdef CONFIG_DEBUG_TCG
-     while (descnt++ < IMX_MAX_DESC) {
+-    assert(flags == rebuild_hflags_internal(env));
-         IMXFECBufDesc bd;
+-#endif
-@@ -XXX,XX +XXX,XX @@ static void imx_fec_do_tx(IMXFECState *s)
++    assert_hflags_rebuild_correctly(env);
-         }
-     }
+     if (FIELD_EX32(flags, TBFLAG_ANY, AARCH64_STATE)) {
+         *pc = env->pc;
 -    s->tx_descriptor = addr;
 +    s->tx_descriptor[0] = addr;
      imx_eth_update(s);
  }
 -static void imx_enet_do_tx(IMXFECState *s)
 +static void imx_enet_do_tx(IMXFECState *s, uint32_t index)
  {
      int frame_size = 0, descnt = 0;
 +
      uint8_t *ptr = s->frame;
 -    uint32_t addr = s->tx_descriptor;
 +    uint32_t addr, int_txb, int_txf, tdsr;
 +    size_t ring;
 +
 +    switch (index) {
 +    case ENET_TDAR:
 +        ring    = 0;
 +        int_txb = ENET_INT_TXB;
 +        int_txf = ENET_INT_TXF;
 +        tdsr    = ENET_TDSR;
 +        break;
 +    case ENET_TDAR1:
 +        ring    = 1;
 +        int_txb = ENET_INT_TXB1;
 +        int_txf = ENET_INT_TXF1;
 +        tdsr    = ENET_TDSR1;
 +        break;
 +    case ENET_TDAR2:
 +        ring    = 2;
 +        int_txb = ENET_INT_TXB2;
 +        int_txf = ENET_INT_TXF2;
 +        tdsr    = ENET_TDSR2;
 +        break;
 +    default:
 +        qemu_log_mask(LOG_GUEST_ERROR,
 +                      "%s: bogus value for index %x\n",
 +                      __func__, index);
 +        abort();
 +        break;
 +    }
 +
 +    addr = s->tx_descriptor[ring];
      while (descnt++ < IMX_MAX_DESC) {
          IMXENETBufDesc bd;
@@ -XXX,XX +XXX,XX @@ static void imx_enet_do_tx(IMXFECState *s)
              frame_size = 0;
              if (bd.option & ENET_BD_TX_INT) {
 -                s->regs[ENET_EIR] |= ENET_INT_TXF;
 +                s->regs[ENET_EIR] |= int_txf;
              }
          }
          if (bd.option & ENET_BD_TX_INT) {
 -            s->regs[ENET_EIR] |= ENET_INT_TXB;
 +            s->regs[ENET_EIR] |= int_txb;
          }
          bd.flags &= ~ENET_BD_R;
          /* Write back the modified descriptor.  */
          imx_enet_write_bd(&bd, addr);
          /* Advance to the next descriptor.  */
          if ((bd.flags & ENET_BD_W) != 0) {
 -            addr = s->regs[ENET_TDSR];
 +            addr = s->regs[tdsr];
          } else {
              addr += sizeof(bd);
          }
      }
 -    s->tx_descriptor = addr;
 +    s->tx_descriptor[ring] = addr;
      imx_eth_update(s);
  }
 -static void imx_eth_do_tx(IMXFECState *s)
 +static void imx_eth_do_tx(IMXFECState *s, uint32_t index)
  {
      if (!s->is_fec && (s->regs[ENET_ECR] & ENET_ECR_EN1588)) {
 -        imx_enet_do_tx(s);
 +        imx_enet_do_tx(s, index);
      } else {
          imx_fec_do_tx(s);
      }
@@ -XXX,XX +XXX,XX @@ static void imx_eth_reset(DeviceState *d)
      }
      s->rx_descriptor = 0;
 -    s->tx_descriptor = 0;
 +    memset(s->tx_descriptor, 0, sizeof(s->tx_descriptor));
      /* We also reset the PHY */
      phy_reset(s);
@@ -XXX,XX +XXX,XX @@ static void imx_eth_write(void *opaque, hwaddr offset, uint64_t value,
                             unsigned size)
  {
      IMXFECState *s = IMX_FEC(opaque);
 +    const bool single_tx_ring = !imx_eth_is_multi_tx_ring(s);
      uint32_t index = offset >> 2;
      FEC_PRINTF("reg[%s] <= 0x%" PRIx32 "\n", imx_eth_reg_name(s, index),
@@ -XXX,XX +XXX,XX @@ static void imx_eth_write(void *opaque, hwaddr offset, uint64_t value,
              s->regs[index] = 0;
          }
          break;
 -    case ENET_TDAR:
 +    case ENET_TDAR1:    /* FALLTHROUGH */
 +    case ENET_TDAR2:    /* FALLTHROUGH */
 +        if (unlikely(single_tx_ring)) {
 +            qemu_log_mask(LOG_GUEST_ERROR,
 +                          "[%s]%s: trying to access TDAR2 or TDAR1\n",
 +                          TYPE_IMX_FEC, __func__);
 +            return;
 +        }
 +    case ENET_TDAR:     /* FALLTHROUGH */
          if (s->regs[ENET_ECR] & ENET_ECR_ETHEREN) {
              s->regs[index] = ENET_TDAR_TDAR;
 -            imx_eth_do_tx(s);
 +            imx_eth_do_tx(s, index);
          }
          s->regs[index] = 0;
          break;
@@ -XXX,XX +XXX,XX @@ static void imx_eth_write(void *opaque, hwaddr offset, uint64_t value,
          if ((s->regs[index] & ENET_ECR_ETHEREN) == 0) {
              s->regs[ENET_RDAR] = 0;
              s->rx_descriptor = s->regs[ENET_RDSR];
 -            s->regs[ENET_TDAR] = 0;
 -            s->tx_descriptor = s->regs[ENET_TDSR];
 +            s->regs[ENET_TDAR]  = 0;
 +            s->regs[ENET_TDAR1] = 0;
 +            s->regs[ENET_TDAR2] = 0;
 +            s->tx_descriptor[0] = s->regs[ENET_TDSR];
 +            s->tx_descriptor[1] = s->regs[ENET_TDSR1];
 +            s->tx_descriptor[2] = s->regs[ENET_TDSR2];
          }
          break;
      case ENET_MMFR:
@@ -XXX,XX +XXX,XX @@ static void imx_eth_write(void *opaque, hwaddr offset, uint64_t value,
          } else {
              s->regs[index] = value & ~7;
          }
 -        s->tx_descriptor = s->regs[index];
 +        s->tx_descriptor[0] = s->regs[index];
 +        break;
 +    case ENET_TDSR1:
 +        if (unlikely(single_tx_ring)) {
 +            qemu_log_mask(LOG_GUEST_ERROR,
 +                          "[%s]%s: trying to access TDSR1\n",
 +                          TYPE_IMX_FEC, __func__);
 +            return;
 +        }
 +
 +        s->regs[index] = value & ~7;
 +        s->tx_descriptor[1] = s->regs[index];
 +        break;
 +    case ENET_TDSR2:
 +        if (unlikely(single_tx_ring)) {
 +            qemu_log_mask(LOG_GUEST_ERROR,
 +                          "[%s]%s: trying to access TDSR2\n",
 +                          TYPE_IMX_FEC, __func__);
 +            return;
 +        }
 +
 +        s->regs[index] = value & ~7;
 +        s->tx_descriptor[2] = s->regs[index];
          break;
      case ENET_MRBR:
          s->regs[index] = value & 0x00003ff0;
@@ -XXX,XX +XXX,XX @@ static void imx_eth_realize(DeviceState *dev, Error **errp)
  static Property imx_eth_properties[] = {
      DEFINE_NIC_PROPERTIES(IMXFECState, conf),
 +    DEFINE_PROP_UINT32("tx-ring-num", IMXFECState, tx_ring_num, 1),
      DEFINE_PROP_END_OF_LIST(),
  };
 --
-.7.4
+.20.1

-[Qemu-devel] [PULL 20/26] imx_fec: Reserve full FSL_IMX25_FEC_SIZE page for the register file
+Deleted patch
-From: Andrey Smirnov <andrew.smirnov@gmail.com>
-Some i.MX SoCs (e.g. i.MX7) have FEC registers going as far as offset
-x614, so to avoid getting aborts when accessing those on QEMU, extend
-the register file to cover FSL_IMX25_FEC_SIZE(16K) of address space
-instead of just 1K.
-Cc: Peter Maydell <peter.maydell@linaro.org>
-Cc: Jason Wang <jasowang@redhat.com>
-Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Cc: qemu-devel@nongnu.org
-Cc: qemu-arm@nongnu.org
-Cc: yurovsky@gmail.com
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- include/hw/arm/fsl-imx25.h | 1 -
- include/hw/net/imx_fec.h   | 1 +
- hw/net/imx_fec.c           | 2 +-
-files changed, 2 insertions(+), 2 deletions(-)
-diff --git a/include/hw/arm/fsl-imx25.h b/include/hw/arm/fsl-imx25.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/fsl-imx25.h
-+++ b/include/hw/arm/fsl-imx25.h
-@@ -XXX,XX +XXX,XX @@ typedef struct FslIMX25State {
- #define FSL_IMX25_UART5_ADDR    0x5002C000
- #define FSL_IMX25_UART5_SIZE    0x4000
- #define FSL_IMX25_FEC_ADDR      0x50038000
--#define FSL_IMX25_FEC_SIZE      0x4000
- #define FSL_IMX25_CCM_ADDR      0x53F80000
- #define FSL_IMX25_CCM_SIZE      0x4000
- #define FSL_IMX25_GPT4_ADDR     0x53F84000
-diff --git a/include/hw/net/imx_fec.h b/include/hw/net/imx_fec.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/hw/net/imx_fec.h
-+++ b/include/hw/net/imx_fec.h
-@@ -XXX,XX +XXX,XX @@ typedef struct {
- #define ENET_TX_RING_NUM       3
-+#define FSL_IMX25_FEC_SIZE      0x4000
- typedef struct IMXFECState {
-     /*< private >*/
-diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/net/imx_fec.c
-+++ b/hw/net/imx_fec.c
-@@ -XXX,XX +XXX,XX @@ static void imx_eth_realize(DeviceState *dev, Error **errp)
-     SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
-     memory_region_init_io(&s->iomem, OBJECT(dev), &imx_eth_ops, s,
--                          TYPE_IMX_FEC, 0x400);
-+                          TYPE_IMX_FEC, FSL_IMX25_FEC_SIZE);
-     sysbus_init_mmio(sbd, &s->iomem);
-     sysbus_init_irq(sbd, &s->irq[0]);
-     sysbus_init_irq(sbd, &s->irq[1]);
---
-.7.4

-[Qemu-devel] [PULL 21/26] hw/timer/pxa2xx_timer: replace hw_error() -> qemu_log_mask()
+[PULL 12/12] arm/arm-powerctl: rebuild hflags after setting CP15 bits in arm_set_cpu_on()
-From: Philippe Mathieu-Daudé <f4bug@amsat.org>
+From: Niek Linnenbank <nieklinnenbank@gmail.com>
-Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+After setting CP15 bits in arm_set_cpu_on() the cached hflags must
-Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
+be rebuild to reflect the changed processor state. Without rebuilding,
-Message-id: 20180103224208.30291-2-f4bug@amsat.org
+the cached hflags would be inconsistent until the next call to
 arm_rebuild_hflags(). When QEMU is compiled with debugging enabled
 (--enable-debug), this problem is captured shortly after the first
 call to arm_set_cpu_on() for CPUs running in ARM 32-bit non-secure mode:
   qemu-system-arm: target/arm/helper.c:11359: cpu_get_tb_cpu_state:
   Assertion `flags == rebuild_hflags_internal(env)' failed.
   Aborted (core dumped)
 Fixes: 0c7f8c43daf65
 Cc: qemu-stable@nongnu.org
 Signed-off-by: Niek Linnenbank <nieklinnenbank@gmail.com>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/timer/pxa2xx_timer.c | 17 +++++++++++++++--
+ target/arm/arm-powerctl.c | 3 +++
-file changed, 15 insertions(+), 2 deletions(-)
+file changed, 3 insertions(+)
-diff --git a/hw/timer/pxa2xx_timer.c b/hw/timer/pxa2xx_timer.c
+diff --git a/target/arm/arm-powerctl.c b/target/arm/arm-powerctl.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/timer/pxa2xx_timer.c
+--- a/target/arm/arm-powerctl.c
-+++ b/hw/timer/pxa2xx_timer.c
++++ b/target/arm/arm-powerctl.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ static void arm_set_cpu_on_async_work(CPUState *target_cpu_state,
- #include "sysemu/sysemu.h"
+         target_cpu->env.regs[0] = info->context_id;
  #include "hw/arm/pxa.h"
  #include "hw/sysbus.h"
 +#include "qemu/log.h"
  #define OSMR0    0x00
  #define OSMR1    0x04
@@ -XXX,XX +XXX,XX @@ static uint64_t pxa2xx_timer_read(void *opaque, hwaddr offset,
      case OSNR:
          return s->snapshot;
      default:
 +        qemu_log_mask(LOG_UNIMP,
 +                      "%s: unknown register 0x%02" HWADDR_PRIx "\n",
 +                      __func__, offset);
 +        break;
      badreg:
 -        hw_error("pxa2xx_timer_read: Bad offset " REG_FMT "\n", offset);
 +        qemu_log_mask(LOG_GUEST_ERROR,
 +                      "%s: incorrect register 0x%02" HWADDR_PRIx "\n",
 +                      __func__, offset);
      }
-     return 0;
++    /* CP15 update requires rebuilding hflags */
-@@ -XXX,XX +XXX,XX @@ static void pxa2xx_timer_write(void *opaque, hwaddr offset,
++    arm_rebuild_hflags(&target_cpu->env);
-         }
++
-         break;
+     /* Start the new CPU at the requested address */
-     default:
+     cpu_set_pc(target_cpu_state, info->entry);
 +        qemu_log_mask(LOG_UNIMP,
 +                      "%s: unknown register 0x%02" HWADDR_PRIx " "
 +                      "(value 0x%08" PRIx64 ")\n",  __func__, offset, value);
 +        break;
      badreg:
 -        hw_error("pxa2xx_timer_write: Bad offset " REG_FMT "\n", offset);
 +        qemu_log_mask(LOG_GUEST_ERROR,
 +                      "%s: incorrect register 0x%02" HWADDR_PRIx " "
 +                      "(value 0x%08" PRIx64 ")\n", __func__, offset, value);
      }
  }
 --
-.7.4
+.20.1

-[Qemu-devel] [PULL 22/26] hw/sd/pxa2xx_mmci: add read/write() trace events
+Deleted patch
-From: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
-Message-id: 20180104000156.30932-1-f4bug@amsat.org
-[PMM: add missing include]
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/sd/pxa2xx_mmci.c | 78 ++++++++++++++++++++++++++++++++++-------------------
- hw/sd/trace-events  |  4 +++
-files changed, 54 insertions(+), 28 deletions(-)
-diff --git a/hw/sd/pxa2xx_mmci.c b/hw/sd/pxa2xx_mmci.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/sd/pxa2xx_mmci.c
-+++ b/hw/sd/pxa2xx_mmci.c
-@@ -XXX,XX +XXX,XX @@
- #include "hw/qdev.h"
- #include "hw/qdev-properties.h"
- #include "qemu/error-report.h"
-+#include "qemu/log.h"
-+#include "trace.h"
- #define TYPE_PXA2XX_MMCI "pxa2xx-mmci"
- #define PXA2XX_MMCI(obj) OBJECT_CHECK(PXA2xxMMCIState, (obj), TYPE_PXA2XX_MMCI)
-@@ -XXX,XX +XXX,XX @@ static void pxa2xx_mmci_wakequeues(PXA2xxMMCIState *s)
- static uint64_t pxa2xx_mmci_read(void *opaque, hwaddr offset, unsigned size)
- {
-     PXA2xxMMCIState *s = (PXA2xxMMCIState *) opaque;
--    uint32_t ret;
-+    uint32_t ret = 0;
-     switch (offset) {
-     case MMC_STRPCL:
--        return 0;
-+        break;
-     case MMC_STAT:
--        return s->status;
-+        ret = s->status;
-+        break;
-     case MMC_CLKRT:
--        return s->clkrt;
-+        ret = s->clkrt;
-+        break;
-     case MMC_SPI:
--        return s->spi;
-+        ret = s->spi;
-+        break;
-     case MMC_CMDAT:
--        return s->cmdat;
-+        ret = s->cmdat;
-+        break;
-     case MMC_RESTO:
--        return s->resp_tout;
-+        ret = s->resp_tout;
-+        break;
-     case MMC_RDTO:
--        return s->read_tout;
-+        ret = s->read_tout;
-+        break;
-     case MMC_BLKLEN:
--        return s->blklen;
-+        ret = s->blklen;
-+        break;
-     case MMC_NUMBLK:
--        return s->numblk;
-+        ret = s->numblk;
-+        break;
-     case MMC_PRTBUF:
--        return 0;
-+        break;
-     case MMC_I_MASK:
--        return s->intmask;
-+        ret = s->intmask;
-+        break;
-     case MMC_I_REG:
--        return s->intreq;
-+        ret = s->intreq;
-+        break;
-     case MMC_CMD:
--        return s->cmd | 0x40;
-+        ret = s->cmd | 0x40;
-+        break;
-     case MMC_ARGH:
--        return s->arg >> 16;
-+        ret = s->arg >> 16;
-+        break;
-     case MMC_ARGL:
--        return s->arg & 0xffff;
-+        ret = s->arg & 0xffff;
-+        break;
-     case MMC_RES:
--        if (s->resp_len < 9)
--            return s->resp_fifo[s->resp_len ++];
--        return 0;
-+        ret = (s->resp_len < 9) ? s->resp_fifo[s->resp_len++] : 0;
-+        break;
-     case MMC_RXFIFO:
--        ret = 0;
-         while (size-- && s->rx_len) {
-             ret |= s->rx_fifo[s->rx_start++] << (size << 3);
-             s->rx_start &= 0x1f;
-@@ -XXX,XX +XXX,XX @@ static uint64_t pxa2xx_mmci_read(void *opaque, hwaddr offset, unsigned size)
-         }
-         s->intreq &= ~INT_RXFIFO_REQ;
-         pxa2xx_mmci_fifo_update(s);
--        return ret;
-+        break;
-     case MMC_RDWAIT:
--        return 0;
-+        break;
-     case MMC_BLKS_REM:
--        return s->numblk;
-+        ret = s->numblk;
-+        break;
-     default:
--        hw_error("%s: Bad offset " REG_FMT "\n", __FUNCTION__, offset);
-+        qemu_log_mask(LOG_GUEST_ERROR,
-+                      "%s: incorrect register 0x%02" HWADDR_PRIx "\n",
-+                      __func__, offset);
-     }
-+    trace_pxa2xx_mmci_read(size, offset, ret);
--    return 0;
-+    return ret;
- }
- static void pxa2xx_mmci_write(void *opaque,
-@@ -XXX,XX +XXX,XX @@ static void pxa2xx_mmci_write(void *opaque,
- {
-     PXA2xxMMCIState *s = (PXA2xxMMCIState *) opaque;
-+    trace_pxa2xx_mmci_write(size, offset, value);
-     switch (offset) {
-     case MMC_STRPCL:
-         if (value & STRPCL_STRT_CLK) {
-@@ -XXX,XX +XXX,XX @@ static void pxa2xx_mmci_write(void *opaque,
-     case MMC_SPI:
-         s->spi = value & 0xf;
--        if (value & SPI_SPI_MODE)
--            printf("%s: attempted to use card in SPI mode\n", __FUNCTION__);
-+        if (value & SPI_SPI_MODE) {
-+            qemu_log_mask(LOG_GUEST_ERROR,
-+                          "%s: attempted to use card in SPI mode\n", __func__);
-+        }
-         break;
-     case MMC_CMDAT:
-@@ -XXX,XX +XXX,XX @@ static void pxa2xx_mmci_write(void *opaque,
-         break;
-     default:
--        hw_error("%s: Bad offset " REG_FMT "\n", __FUNCTION__, offset);
-+        qemu_log_mask(LOG_GUEST_ERROR,
-+                      "%s: incorrect reg 0x%02" HWADDR_PRIx " "
-+                      "(value 0x%08" PRIx64 ")\n", __func__, offset, value);
-     }
- }
-diff --git a/hw/sd/trace-events b/hw/sd/trace-events
-index XXXXXXX..XXXXXXX 100644
---- a/hw/sd/trace-events
-+++ b/hw/sd/trace-events
-@@ -XXX,XX +XXX,XX @@
- # hw/sd/milkymist-memcard.c
- milkymist_memcard_memory_read(uint32_t addr, uint32_t value) "addr 0x%08x value 0x%08x"
- milkymist_memcard_memory_write(uint32_t addr, uint32_t value) "addr 0x%08x value 0x%08x"
-+
-+# hw/sd/pxa2xx_mmci.c
-+pxa2xx_mmci_read(uint8_t size, uint32_t addr, uint32_t value) "size %d addr 0x%02x value 0x%08x"
-+pxa2xx_mmci_write(uint8_t size, uint32_t addr, uint32_t value) "size %d addr 0x%02x value 0x%08x"
---
-.7.4

-[Qemu-devel] [PULL 24/26] target/arm: Make disas_thumb2_insn() generate its own UNDEF exceptions
+Deleted patch
-Refactor disas_thumb2_insn() so that it generates the code for raising
-an UNDEF exception for invalid insns, rather than returning a flag
-which the caller must check to see if it needs to generate the UNDEF
-code. This brings the function in to line with the behaviour of
-disas_thumb_insn() and disas_arm_insn().
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 1513080506-17703-1-git-send-email-peter.maydell@linaro.org
----
- target/arm/translate.c | 23 ++++++++++-------------
-file changed, 10 insertions(+), 13 deletions(-)
-diff --git a/target/arm/translate.c b/target/arm/translate.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate.c
-+++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ gen_thumb2_data_op(DisasContext *s, int op, int conds, uint32_t shifter_out,
-     return 0;
- }
--/* Translate a 32-bit thumb instruction.  Returns nonzero if the instruction
--   is not legal.  */
--static int disas_thumb2_insn(DisasContext *s, uint32_t insn)
-+/* Translate a 32-bit thumb instruction. */
-+static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
- {
-     uint32_t imm, shift, offset;
-     uint32_t rd, rn, rm, rs;
-@@ -XXX,XX +XXX,XX @@ static int disas_thumb2_insn(DisasContext *s, uint32_t insn)
-                     /* UNPREDICTABLE, unallocated hint or
-                      * PLD/PLDW/PLI (literal)
-                      */
--                    return 0;
-+                    return;
-                 }
-                 if (op1 & 1) {
--                    return 0; /* PLD/PLDW/PLI or unallocated hint */
-+                    return; /* PLD/PLDW/PLI or unallocated hint */
-                 }
-                 if ((op2 == 0) || ((op2 & 0x3c) == 0x30)) {
--                    return 0; /* PLD/PLDW/PLI or unallocated hint */
-+                    return; /* PLD/PLDW/PLI or unallocated hint */
-                 }
-                 /* UNDEF space, or an UNPREDICTABLE */
--                return 1;
-+                goto illegal_op;
-             }
-         }
-         memidx = get_mem_index(s);
-@@ -XXX,XX +XXX,XX @@ static int disas_thumb2_insn(DisasContext *s, uint32_t insn)
-     default:
-         goto illegal_op;
-     }
--    return 0;
-+    return;
- illegal_op:
--    return 1;
-+    gen_exception_insn(s, 4, EXCP_UDEF, syn_uncategorized(),
-+                       default_exception_el(s));
- }
- static void disas_thumb_insn(DisasContext *s, uint32_t insn)
-@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
-     if (is_16bit) {
-         disas_thumb_insn(dc, insn);
-     } else {
--        if (disas_thumb2_insn(dc, insn)) {
--            gen_exception_insn(dc, 4, EXCP_UDEF, syn_uncategorized(),
--                               default_exception_el(dc));
--        }
-+        disas_thumb2_insn(dc, insn);
-     }
-     /* Advance the Thumb condexec condition.  */
---
-.7.4

-[Qemu-devel] [PULL 25/26] hw/intc/arm_gicv3: Make reserved register addresses RAZ/WI
+Deleted patch
-The GICv3 specification says that reserved register addresses
-should RAZ/WI. This means we need to return MEMTX_OK, not MEMTX_ERROR,
-because now that we support generating external aborts the
-latter will cause an abort on new board models.
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 1513183941-24300-2-git-send-email-peter.maydell@linaro.org
-Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
----
- hw/intc/arm_gicv3_dist.c       | 13 +++++++++++++
- hw/intc/arm_gicv3_its_common.c |  8 +++-----
- hw/intc/arm_gicv3_redist.c     | 13 +++++++++++++
-files changed, 29 insertions(+), 5 deletions(-)
-diff --git a/hw/intc/arm_gicv3_dist.c b/hw/intc/arm_gicv3_dist.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/arm_gicv3_dist.c
-+++ b/hw/intc/arm_gicv3_dist.c
-@@ -XXX,XX +XXX,XX @@ MemTxResult gicv3_dist_read(void *opaque, hwaddr offset, uint64_t *data,
-                       "%s: invalid guest read at offset " TARGET_FMT_plx
-                       "size %u\n", __func__, offset, size);
-         trace_gicv3_dist_badread(offset, size, attrs.secure);
-+        /* The spec requires that reserved registers are RAZ/WI;
-+         * so use MEMTX_ERROR returns from leaf functions as a way to
-+         * trigger the guest-error logging but don't return it to
-+         * the caller, or we'll cause a spurious guest data abort.
-+         */
-+        r = MEMTX_OK;
-+        *data = 0;
-     } else {
-         trace_gicv3_dist_read(offset, *data, size, attrs.secure);
-     }
-@@ -XXX,XX +XXX,XX @@ MemTxResult gicv3_dist_write(void *opaque, hwaddr offset, uint64_t data,
-                       "%s: invalid guest write at offset " TARGET_FMT_plx
-                       "size %u\n", __func__, offset, size);
-         trace_gicv3_dist_badwrite(offset, data, size, attrs.secure);
-+        /* The spec requires that reserved registers are RAZ/WI;
-+         * so use MEMTX_ERROR returns from leaf functions as a way to
-+         * trigger the guest-error logging but don't return it to
-+         * the caller, or we'll cause a spurious guest data abort.
-+         */
-+        r = MEMTX_OK;
-     } else {
-         trace_gicv3_dist_write(offset, data, size, attrs.secure);
-     }
-diff --git a/hw/intc/arm_gicv3_its_common.c b/hw/intc/arm_gicv3_its_common.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/arm_gicv3_its_common.c
-+++ b/hw/intc/arm_gicv3_its_common.c
-@@ -XXX,XX +XXX,XX @@ static MemTxResult gicv3_its_trans_read(void *opaque, hwaddr offset,
-                                         MemTxAttrs attrs)
- {
-     qemu_log_mask(LOG_GUEST_ERROR, "ITS read at offset 0x%"PRIx64"\n", offset);
--    return MEMTX_ERROR;
-+    *data = 0;
-+    return MEMTX_OK;
- }
- static MemTxResult gicv3_its_trans_write(void *opaque, hwaddr offset,
-@@ -XXX,XX +XXX,XX @@ static MemTxResult gicv3_its_trans_write(void *opaque, hwaddr offset,
-         if (ret <= 0) {
-             qemu_log_mask(LOG_GUEST_ERROR,
-                           "ITS: Error sending MSI: %s\n", strerror(-ret));
--            return MEMTX_DECODE_ERROR;
-         }
--
--        return MEMTX_OK;
-     } else {
-         qemu_log_mask(LOG_GUEST_ERROR,
-                       "ITS write at bad offset 0x%"PRIx64"\n", offset);
--        return MEMTX_DECODE_ERROR;
-     }
-+    return MEMTX_OK;
- }
- static const MemoryRegionOps gicv3_its_trans_ops = {
-diff --git a/hw/intc/arm_gicv3_redist.c b/hw/intc/arm_gicv3_redist.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/arm_gicv3_redist.c
-+++ b/hw/intc/arm_gicv3_redist.c
-@@ -XXX,XX +XXX,XX @@ MemTxResult gicv3_redist_read(void *opaque, hwaddr offset, uint64_t *data,
-                       "size %u\n", __func__, offset, size);
-         trace_gicv3_redist_badread(gicv3_redist_affid(cs), offset,
-                                    size, attrs.secure);
-+        /* The spec requires that reserved registers are RAZ/WI;
-+         * so use MEMTX_ERROR returns from leaf functions as a way to
-+         * trigger the guest-error logging but don't return it to
-+         * the caller, or we'll cause a spurious guest data abort.
-+         */
-+        r = MEMTX_OK;
-+        *data = 0;
-     } else {
-         trace_gicv3_redist_read(gicv3_redist_affid(cs), offset, *data,
-                                 size, attrs.secure);
-@@ -XXX,XX +XXX,XX @@ MemTxResult gicv3_redist_write(void *opaque, hwaddr offset, uint64_t data,
-                       "size %u\n", __func__, offset, size);
-         trace_gicv3_redist_badwrite(gicv3_redist_affid(cs), offset, data,
-                                     size, attrs.secure);
-+        /* The spec requires that reserved registers are RAZ/WI;
-+         * so use MEMTX_ERROR returns from leaf functions as a way to
-+         * trigger the guest-error logging but don't return it to
-+         * the caller, or we'll cause a spurious guest data abort.
-+         */
-+        r = MEMTX_OK;
-     } else {
-         trace_gicv3_redist_write(gicv3_redist_affid(cs), offset, data,
-                                  size, attrs.secure);
---
-.7.4

ARM queue, various patches accumulated over the Christmas break.

-- PMM

The following changes since commit 612061b277915fadd80631eb7a6926f48a110c44:

Merge remote-tracking branch 'remotes/ericb/tags/pull-nbd-2018-01-10' into staging (2018-01-11 11:52:40 +0000)

are available in the git repository at:

git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20180111

for you to fetch changes up to 0cf09852015e47a5fbb974ff7ac320366afd21ee:

hw/intc/arm_gic: reserved register addresses are RAZ/WI (2018-01-11 13:25:40 +0000)

----------------------------------------------------------------
target-arm queue:
 * add aarch64_be linux-user target
 * Virt: ACPI: fix qemu assert due to re-assigned table data address
 * imx_fec: various bug fixes and cleanups
 * hw/timer/pxa2xx_timer: replace hw_error() -> qemu_log_mask()
 * hw/sd/pxa2xx_mmci: add read/write() trace events
 * linux-user/arm/nwfpe: Check coprocessor number for FPA emulation
 * target/arm: Make disas_thumb2_insn() generate its own UNDEF exceptions
 * hw/intc/arm_gicv3: Make reserved register addresses RAZ/WI
 * hw/intc/arm_gic: reserved register addresses are RAZ/WI

----------------------------------------------------------------
Andrey Smirnov (11):
      imx_fec: Do not link to netdev
      imx_fec: Refactor imx_eth_enable_rx()
      imx_fec: Change queue flushing heuristics
      imx_fec: Move Tx frame buffer away from the stack
      imx_fec: Use ENET_FTRL to determine truncation length
      imx_fec: Use MIN instead of explicit ternary operator
      imx_fec: Emulate SHIFT16 in ENETx_RACC
      imx_fec: Add support for multiple Tx DMA rings
      imx_fec: Use correct length for packet size
      imx_fec: Fix a typo in imx_enet_receive()
      imx_fec: Reserve full FSL_IMX25_FEC_SIZE page for the register file

Michael Weiser (8):
      linux-user: Add support for big-endian aarch64
      linux-user: Add separate aarch64_be uname
      linux-user: Fix endianess of aarch64 signal trampoline
      configure: Add aarch64_be-linux-user target
      linux-user: Add aarch64_be magic numbers to qemu-binfmt-conf.sh
      linux-user: Separate binfmt arm CPU families
      linux-user: Activate armeb handler registration
      target/arm: Fix stlxp for aarch64_be

Peter Maydell (4):
      linux-user/arm/nwfpe: Check coprocessor number for FPA emulation
      target/arm: Make disas_thumb2_insn() generate its own UNDEF exceptions
      hw/intc/arm_gicv3: Make reserved register addresses RAZ/WI
      hw/intc/arm_gic: reserved register addresses are RAZ/WI

Philippe Mathieu-Daudé (2):
      hw/timer/pxa2xx_timer: replace hw_error() -> qemu_log_mask()
      hw/sd/pxa2xx_mmci: add read/write() trace events

Zhaoshenglong (1):
      Virt: ACPI: fix qemu assert due to re-assigned table data address

From: Michael Weiser <michael.weiser@gmx.de>

Enable big-endian mode for data accesses on aarch64 for big-endian linux
user mode. Activate it for all exception levels as documented by ARM:
Set the SCTLR EE bit for ELs 1 through 3. Additionally set bit E0E in
EL1 to enable it in EL0 as well.

Signed-off-by: Michael Weiser <michael.weiser@gmx.de>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20171220212308.12614-2-michael.weiser@gmx.de
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/main.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/linux-user/main.c b/linux-user/main.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/main.c
+++ b/linux-user/main.c
@@ -XXX,XX +XXX,XX @@ int main(int argc, char **argv, char **envp)
         }
         env->pc = regs->pc;
         env->xregs[31] = regs->sp;
+#ifdef TARGET_WORDS_BIGENDIAN
+        env->cp15.sctlr_el[1] |= SCTLR_E0E;
+        for (i = 1; i < 4; ++i) {
+            env->cp15.sctlr_el[i] |= SCTLR_EE;
+        }
+#endif
     }
 #elif defined(TARGET_ARM)
     {
-- 
2.7.4

From: Michael Weiser <michael.weiser@gmx.de>

Make big-endian aarch64 systems identify as aarch64_be as expected by
big-endian userland and toolchains.

Signed-off-by: Michael Weiser <michael.weiser@gmx.de>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Message-id: 20171220212308.12614-3-michael.weiser@gmx.de
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/aarch64/target_syscall.h | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/linux-user/aarch64/target_syscall.h b/linux-user/aarch64/target_syscall.h
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/aarch64/target_syscall.h
+++ b/linux-user/aarch64/target_syscall.h
@@ -XXX,XX +XXX,XX @@ struct target_pt_regs {
     uint64_t        pstate;
 };
 
+#if defined(TARGET_WORDS_BIGENDIAN)
+#define UNAME_MACHINE "aarch64_be"
+#else
 #define UNAME_MACHINE "aarch64"
+#endif
 #define UNAME_MINIMUM_RELEASE "3.8.0"
 #define TARGET_CLONE_BACKWARDS
 #define TARGET_MINSIGSTKSZ       2048
-- 
2.7.4

From: Michael Weiser <michael.weiser@gmx.de>

Since for aarch64 the signal trampoline is synthesized directly into the
signal frame we need to make sure the instructions end up little-endian.
Otherwise the wrong endianness will cause a SIGILL upon return from the
signal handler on big-endian targets.

Signed-off-by: Michael Weiser <michael.weiser@gmx.de>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20171220212308.12614-4-michael.weiser@gmx.de
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/signal.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/linux-user/signal.c b/linux-user/signal.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/signal.c
+++ b/linux-user/signal.c
@@ -XXX,XX +XXX,XX @@ static void target_setup_frame(int usig, struct target_sigaction *ka,
     if (ka->sa_flags & TARGET_SA_RESTORER) {
         return_addr = ka->sa_restorer;
     } else {
-        /* mov x8,#__NR_rt_sigreturn; svc #0 */
-        __put_user(0xd2801168, &frame->tramp[0]);
-        __put_user(0xd4000001, &frame->tramp[1]);
+        /*
+         * mov x8,#__NR_rt_sigreturn; svc #0
+         * Since these are instructions they need to be put as little-endian
+         * regardless of target default or current CPU endianness.
+         */
+        __put_user_e(0xd2801168, &frame->tramp[0], le);
+        __put_user_e(0xd4000001, &frame->tramp[1], le);
         return_addr = frame_addr + offsetof(struct target_rt_sigframe, tramp);
     }
     env->xregs[0] = usig;
-- 
2.7.4

From: Michael Weiser <michael.weiser@gmx.de>

Add target aarch64_be-linux-user. This allows a qemu-aarch64_be binary
to be built that will run big-endian aarch64 binaries.

Signed-off-by: Michael Weiser <michael.weiser@gmx.de>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Message-id: 20171220212308.12614-5-michael.weiser@gmx.de
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 configure                                 | 5 +++--
 default-configs/aarch64_be-linux-user.mak | 1 +
 2 files changed, 4 insertions(+), 2 deletions(-)
 create mode 100644 default-configs/aarch64_be-linux-user.mak

From: Michael Weiser <michael.weiser@gmx.de>

As we now have a linux-user aarch64_be target, we can add it to the list
of supported targets in qemu-binfmt-conf.sh

Signed-off-by: Michael Weiser <michael.weiser@gmx.de>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Message-id: 20171220212308.12614-6-michael.weiser@gmx.de
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 scripts/qemu-binfmt-conf.sh | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/scripts/qemu-binfmt-conf.sh b/scripts/qemu-binfmt-conf.sh
index XXXXXXX..XXXXXXX 100755
--- a/scripts/qemu-binfmt-conf.sh
+++ b/scripts/qemu-binfmt-conf.sh
@@ -XXX,XX +XXX,XX @@
 
 qemu_target_list="i386 i486 alpha arm sparc32plus ppc ppc64 ppc64le m68k \
 mips mipsel mipsn32 mipsn32el mips64 mips64el \
-sh4 sh4eb s390x aarch64 hppa"
+sh4 sh4eb s390x aarch64 aarch64_be hppa"
 
 i386_magic='\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x03\x00'
 i386_mask='\xff\xff\xff\xff\xff\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff'
@@ -XXX,XX +XXX,XX @@ aarch64_magic='\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x
 aarch64_mask='\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff'
 aarch64_family=arm
 
+aarch64_be_magic='\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xb7'
+aarch64_be_mask='\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff'
+aarch64_be_family=arm
+
 hppa_magic='\x7f\x45\x4c\x46\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x0f'
 hppa_mask='\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff'
 hppa_family=hppa
-- 
2.7.4

From: Michael Weiser <michael.weiser@gmx.de>

Give big-endian arm and aarch64 CPUs their own family in
qemu-binfmt-conf.sh to make sure we register qemu-user for binaries of
the opposite endianness on arm and aarch64. Apart from the family
assignments of the magic values, qemu_get_family() needs to be able to
distinguish the two and recognise aarch64{,_be} as well.

Signed-off-by: Michael Weiser <michael.weiser@gmx.de>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Message-id: 20171220212308.12614-7-michael.weiser@gmx.de
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 scripts/qemu-binfmt-conf.sh | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/scripts/qemu-binfmt-conf.sh b/scripts/qemu-binfmt-conf.sh
index XXXXXXX..XXXXXXX 100755
--- a/scripts/qemu-binfmt-conf.sh
+++ b/scripts/qemu-binfmt-conf.sh
@@ -XXX,XX +XXX,XX @@ arm_family=arm
 
 armeb_magic='\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28'
 armeb_mask='\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff'
-armeb_family=arm
+armeb_family=armeb
 
 sparc_magic='\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x02'
 sparc_mask='\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff'
@@ -XXX,XX +XXX,XX @@ aarch64_family=arm
 
 aarch64_be_magic='\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xb7'
 aarch64_be_mask='\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff'
-aarch64_be_family=arm
+aarch64_be_family=armeb
 
 hppa_magic='\x7f\x45\x4c\x46\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x0f'
 hppa_mask='\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff'
@@ -XXX,XX +XXX,XX @@ qemu_get_family() {
     ppc64el|ppc64le)
         echo "ppcle"
         ;;
-    arm|armel|armhf|arm64|armv[4-9]*)
+    arm|armel|armhf|arm64|armv[4-9]*l|aarch64)
         echo "arm"
         ;;
+    armeb|armv[4-9]*b|aarch64_be)
+        echo "armeb"
+        ;;
     sparc*)
         echo "sparc"
         ;;
-- 
2.7.4

From: Michael Weiser <michael.weiser@gmx.de>

armeb is missing from the target list in qemu-binfmt-conf.sh. Add it so
the handler for those binaries gets registered by the script.

Signed-off-by: Michael Weiser <michael.weiser@gmx.de>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Message-id: 20171220212308.12614-8-michael.weiser@gmx.de
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 scripts/qemu-binfmt-conf.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/qemu-binfmt-conf.sh b/scripts/qemu-binfmt-conf.sh
index XXXXXXX..XXXXXXX 100755
--- a/scripts/qemu-binfmt-conf.sh
+++ b/scripts/qemu-binfmt-conf.sh
@@ -XXX,XX +XXX,XX @@
 # enable automatic i386/ARM/M68K/MIPS/SPARC/PPC/s390/HPPA
 # program execution by the kernel
 
-qemu_target_list="i386 i486 alpha arm sparc32plus ppc ppc64 ppc64le m68k \
+qemu_target_list="i386 i486 alpha arm armeb sparc32plus ppc ppc64 ppc64le m68k \
 mips mipsel mipsn32 mipsn32el mips64 mips64el \
 sh4 sh4eb s390x aarch64 aarch64_be hppa"
 
-- 
2.7.4

From: Michael Weiser <michael.weiser@gmx.de>

ldxp loads two consecutive doublewords from memory regardless of CPU
endianness. On store, stlxp currently assumes to work with a 128bit
value and consequently switches order in big-endian mode. With this
change it packs the doublewords in reverse order in anticipation of the
128bit big-endian store operation interposing them so they end up in
memory in the right order. This makes it work for both MTTCG and !MTTCG.
It effectively implements the ARM ARM STLXP operation pseudo-code:

data = if BigEndian() then el1:el2 else el2:el1;

With this change an aarch64_be Linux 4.14.4 kernel succeeds to boot up
in system emulation mode.

Signed-off-by: Michael Weiser <michael.weiser@gmx.de>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper-a64.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/target/arm/helper-a64.c b/target/arm/helper-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper-a64.c
+++ b/target/arm/helper-a64.c
@@ -XXX,XX +XXX,XX @@ static uint64_t do_paired_cmpxchg64_be(CPUARMState *env, uint64_t addr,
     Int128 oldv, cmpv, newv;
     bool success;
 
-    cmpv = int128_make128(env->exclusive_val, env->exclusive_high);
-    newv = int128_make128(new_lo, new_hi);
+    /* high and low need to be switched here because this is not actually a
+     * 128bit store but two doublewords stored consecutively
+     */
+    cmpv = int128_make128(env->exclusive_high, env->exclusive_val);
+    newv = int128_make128(new_hi, new_lo);
 
     if (parallel) {
 #ifndef CONFIG_ATOMIC128
-- 
2.7.4

From: Zhaoshenglong <zhaoshenglong@huawei.com>

acpi_data_push uses g_array_set_size to resize the memory size. If there
is no enough contiguous memory, the address will be changed. If we use
the old value, it will assert.
qemu-kvm: hw/acpi/bios-linker-loader.c:214: bios_linker_loader_add_checksum:
Assertion `start_offset < file->blob->len' failed.`

This issue only happens in building SRAT table now but here we unify the
pattern for other tables as well to avoid possible issues in the future.

Signed-off-by: Zhaoshenglong <zhaoshenglong@huawei.com>
Reviewed-by: Andrew Jones <drjones@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/virt-acpi-build.c | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt-acpi-build.c
+++ b/hw/arm/virt-acpi-build.c
@@ -XXX,XX +XXX,XX @@ build_spcr(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
     AcpiSerialPortConsoleRedirection *spcr;
     const MemMapEntry *uart_memmap = &vms->memmap[VIRT_UART];
     int irq = vms->irqmap[VIRT_UART] + ARM_SPI_BASE;
+    int spcr_start = table_data->len;
 
     spcr = acpi_data_push(table_data, sizeof(*spcr));
 
@@ -XXX,XX +XXX,XX @@ build_spcr(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
     spcr->pci_device_id = 0xffff;  /* PCI Device ID: not a PCI device */
     spcr->pci_vendor_id = 0xffff;  /* PCI Vendor ID: not a PCI device */
 
-    build_header(linker, table_data, (void *)spcr, "SPCR", sizeof(*spcr), 2,
-                 NULL, NULL);
+    build_header(linker, table_data, (void *)(table_data->data + spcr_start),
+                 "SPCR", table_data->len - spcr_start, 2, NULL, NULL);
 }
 
 static void
@@ -XXX,XX +XXX,XX @@ build_srat(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
         mem_base += numa_info[i].node_mem;
     }
 
-    build_header(linker, table_data, (void *)srat, "SRAT",
-                 table_data->len - srat_start, 3, NULL, NULL);
+    build_header(linker, table_data, (void *)(table_data->data + srat_start),
+                 "SRAT", table_data->len - srat_start, 3, NULL, NULL);
 }
 
 static void
@@ -XXX,XX +XXX,XX @@ build_mcfg(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
     AcpiTableMcfg *mcfg;
     const MemMapEntry *memmap = vms->memmap;
     int len = sizeof(*mcfg) + sizeof(mcfg->allocation[0]);
+    int mcfg_start = table_data->len;
 
     mcfg = acpi_data_push(table_data, len);
     mcfg->allocation[0].address = cpu_to_le64(memmap[VIRT_PCIE_ECAM].base);
@@ -XXX,XX +XXX,XX @@ build_mcfg(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
     mcfg->allocation[0].end_bus_number = (memmap[VIRT_PCIE_ECAM].size
                                           / PCIE_MMCFG_SIZE_MIN) - 1;
 
-    build_header(linker, table_data, (void *)mcfg, "MCFG", len, 1, NULL, NULL);
+    build_header(linker, table_data, (void *)(table_data->data + mcfg_start),
+                 "MCFG", table_data->len - mcfg_start, 1, NULL, NULL);
 }
 
 /* GTDT */
@@ -XXX,XX +XXX,XX @@ build_madt(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
 static void build_fadt(GArray *table_data, BIOSLinker *linker,
                        VirtMachineState *vms, unsigned dsdt_tbl_offset)
 {
+    int fadt_start = table_data->len;
     AcpiFadtDescriptorRev5_1 *fadt = acpi_data_push(table_data, sizeof(*fadt));
     unsigned xdsdt_entry_offset = (char *)&fadt->x_dsdt - table_data->data;
     uint16_t bootflags;
@@ -XXX,XX +XXX,XX @@ static void build_fadt(GArray *table_data, BIOSLinker *linker,
         ACPI_BUILD_TABLE_FILE, xdsdt_entry_offset, sizeof(fadt->x_dsdt),
         ACPI_BUILD_TABLE_FILE, dsdt_tbl_offset);
 
-    build_header(linker, table_data,
-                 (void *)fadt, "FACP", sizeof(*fadt), 5, NULL, NULL);
+    build_header(linker, table_data, (void *)(table_data->data + fadt_start),
+                 "FACP", table_data->len - fadt_start, 5, NULL, NULL);
 }
 
 /* DSDT */
-- 
2.7.4

From: Andrey Smirnov <andrew.smirnov@gmail.com>

Binding to a particular netdev doesn't seem to belong to this layer
and should probably be done as a part of board or SoC specific code.

Convert all of the users of this IP block to use
qdev_set_nic_properties() instead.

Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Jason Wang <jasowang@redhat.com>
Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
Cc: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org
Cc: yurovsky@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/fsl-imx6.c | 1 +
 hw/net/imx_fec.c  | 2 --
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/hw/arm/fsl-imx6.c b/hw/arm/fsl-imx6.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/fsl-imx6.c
+++ b/hw/arm/fsl-imx6.c
@@ -XXX,XX +XXX,XX @@ static void fsl_imx6_realize(DeviceState *dev, Error **errp)
                                             spi_table[i].irq));
     }
 
+    qdev_set_nic_properties(DEVICE(&s->eth), &nd_table[0]);
     object_property_set_bool(OBJECT(&s->eth), true, "realized", &err);
     if (err) {
         error_propagate(errp, err);
diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/net/imx_fec.c
+++ b/hw/net/imx_fec.c
@@ -XXX,XX +XXX,XX @@ static void imx_eth_realize(DeviceState *dev, Error **errp)
 
     qemu_macaddr_default_if_unset(&s->conf.macaddr);
 
-    s->conf.peers.ncs[0] = nd_table[0].netdev;
-
     s->nic = qemu_new_nic(&imx_eth_net_info, &s->conf,
                           object_get_typename(OBJECT(dev)),
                           DEVICE(dev)->id, s);
-- 
2.7.4

From: Andrey Smirnov <andrew.smirnov@gmail.com>

Refactor imx_eth_enable_rx() to have more meaningfull variable name
than 'tmp' and to reduce number of logical negations done.

Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Jason Wang <jasowang@redhat.com>
Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
Cc: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org
Cc: yurovsky@gmail.com
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/net/imx_fec.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/net/imx_fec.c
+++ b/hw/net/imx_fec.c
@@ -XXX,XX +XXX,XX @@ static void imx_eth_do_tx(IMXFECState *s)
 static void imx_eth_enable_rx(IMXFECState *s)
 {
     IMXFECBufDesc bd;
-    bool tmp;
+    bool rx_ring_full;
 
     imx_fec_read_bd(&bd, s->rx_descriptor);
 
-    tmp = ((bd.flags & ENET_BD_E) != 0);
+    rx_ring_full = !(bd.flags & ENET_BD_E);
 
-    if (!tmp) {
+    if (rx_ring_full) {
         FEC_PRINTF("RX buffer full\n");
     } else if (!s->regs[ENET_RDAR]) {
         qemu_flush_queued_packets(qemu_get_queue(s->nic));
     }
 
-    s->regs[ENET_RDAR] = tmp ? ENET_RDAR_RDAR : 0;
+    s->regs[ENET_RDAR] = rx_ring_full ? 0 : ENET_RDAR_RDAR;
 }
 
 static void imx_eth_reset(DeviceState *d)
-- 
2.7.4

From: Andrey Smirnov <andrew.smirnov@gmail.com>

In current implementation, packet queue flushing logic seem to suffer
from a deadlock like scenario if a packet is received by the interface
before before Rx ring is initialized by Guest's driver. Consider the
following sequence of events:

1. A QEMU instance is started against a TAP device on Linux
	   host, running Linux guest, e. g., something to the effect
	   of:

qemu-system-arm \
	      -net nic,model=imx.fec,netdev=lan0 \
	      netdev tap,id=lan0,ifname=tap0,script=no,downscript=no \
	      ... rest of the arguments ...

2. Once QEMU starts, but before guest reaches the point where
	   FEC deriver is done initializing the HW, Guest, via TAP
	   interface, receives a number of multicast MDNS packets from
	   Host (not necessarily true for every OS, but it happens at
	   least on Fedora 25)

3. Recieving a packet in such a state results in
	   imx_eth_can_receive() returning '0', which in turn causes
	   tap_send() to disable corresponding event (tap.c:203)

4. Once Guest's driver reaches the point where it is ready to
	   recieve packets it prepares Rx ring descriptors and writes
	   ENET_RDAR_RDAR to ENET_RDAR register to indicate to HW that
	   more descriptors are ready. And at this points emulation
	   layer does this:

s->regs[index] = ENET_RDAR_RDAR;
                 imx_eth_enable_rx(s);

which, combined with:

if (!s->regs[ENET_RDAR]) {
		     qemu_flush_queued_packets(qemu_get_queue(s->nic));
		  }

results in Rx queue never being flushed and corresponding
	   I/O event beign disabled.

To prevent the problem, change the code to always flush packet queue
when ENET_RDAR transitions 0 -> ENET_RDAR_RDAR.

Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Jason Wang <jasowang@redhat.com>
Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
Cc: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org
Cc: yurovsky@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/net/imx_fec.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/net/imx_fec.c
+++ b/hw/net/imx_fec.c
@@ -XXX,XX +XXX,XX @@ static void imx_eth_do_tx(IMXFECState *s)
     }
 }
 
-static void imx_eth_enable_rx(IMXFECState *s)
+static void imx_eth_enable_rx(IMXFECState *s, bool flush)
 {
     IMXFECBufDesc bd;
     bool rx_ring_full;
@@ -XXX,XX +XXX,XX @@ static void imx_eth_enable_rx(IMXFECState *s)
 
     if (rx_ring_full) {
         FEC_PRINTF("RX buffer full\n");
-    } else if (!s->regs[ENET_RDAR]) {
+    } else if (flush) {
         qemu_flush_queued_packets(qemu_get_queue(s->nic));
     }
 
@@ -XXX,XX +XXX,XX @@ static void imx_eth_write(void *opaque, hwaddr offset, uint64_t value,
         if (s->regs[ENET_ECR] & ENET_ECR_ETHEREN) {
             if (!s->regs[index]) {
                 s->regs[index] = ENET_RDAR_RDAR;
-                imx_eth_enable_rx(s);
+                imx_eth_enable_rx(s, true);
             }
         } else {
             s->regs[index] = 0;
@@ -XXX,XX +XXX,XX @@ static int imx_eth_can_receive(NetClientState *nc)
 
     FEC_PRINTF("\n");
 
-    return s->regs[ENET_RDAR] ? 1 : 0;
+    return !!s->regs[ENET_RDAR];
 }
 
 static ssize_t imx_fec_receive(NetClientState *nc, const uint8_t *buf,
@@ -XXX,XX +XXX,XX @@ static ssize_t imx_fec_receive(NetClientState *nc, const uint8_t *buf,
         }
     }
     s->rx_descriptor = addr;
-    imx_eth_enable_rx(s);
+    imx_eth_enable_rx(s, false);
     imx_eth_update(s);
     return len;
 }
@@ -XXX,XX +XXX,XX @@ static ssize_t imx_enet_receive(NetClientState *nc, const uint8_t *buf,
         }
     }
     s->rx_descriptor = addr;
-    imx_eth_enable_rx(s);
+    imx_eth_enable_rx(s, false);
     imx_eth_update(s);
     return len;
 }
-- 
2.7.4

From: Andrey Smirnov <andrew.smirnov@gmail.com>

Make Tx frame assembly buffer to be a paort of IMXFECState structure
to avoid a concern about having large data buffer on the stack.

Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Jason Wang <jasowang@redhat.com>
Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
Cc: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org
Cc: yurovsky@gmail.com
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/net/imx_fec.h |  3 +++
 hw/net/imx_fec.c         | 22 +++++++++++-----------
 2 files changed, 14 insertions(+), 11 deletions(-)

diff --git a/include/hw/net/imx_fec.h b/include/hw/net/imx_fec.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/net/imx_fec.h
+++ b/include/hw/net/imx_fec.h
@@ -XXX,XX +XXX,XX @@ typedef struct IMXFECState {
     uint32_t phy_int_mask;
 
     bool is_fec;
+
+    /* Buffer used to assemble a Tx frame */
+    uint8_t frame[ENET_MAX_FRAME_SIZE];
 } IMXFECState;
 
 #endif
diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/net/imx_fec.c
+++ b/hw/net/imx_fec.c
@@ -XXX,XX +XXX,XX @@ static void imx_eth_update(IMXFECState *s)
 static void imx_fec_do_tx(IMXFECState *s)
 {
     int frame_size = 0, descnt = 0;
-    uint8_t frame[ENET_MAX_FRAME_SIZE];
-    uint8_t *ptr = frame;
+    uint8_t *ptr = s->frame;
     uint32_t addr = s->tx_descriptor;
 
     while (descnt++ < IMX_MAX_DESC) {
@@ -XXX,XX +XXX,XX @@ static void imx_fec_do_tx(IMXFECState *s)
         frame_size += len;
         if (bd.flags & ENET_BD_L) {
             /* Last buffer in frame.  */
-            qemu_send_packet(qemu_get_queue(s->nic), frame, frame_size);
-            ptr = frame;
+            qemu_send_packet(qemu_get_queue(s->nic), s->frame, frame_size);
+            ptr = s->frame;
             frame_size = 0;
             s->regs[ENET_EIR] |= ENET_INT_TXF;
         }
@@ -XXX,XX +XXX,XX @@ static void imx_fec_do_tx(IMXFECState *s)
 static void imx_enet_do_tx(IMXFECState *s)
 {
     int frame_size = 0, descnt = 0;
-    uint8_t frame[ENET_MAX_FRAME_SIZE];
-    uint8_t *ptr = frame;
+    uint8_t *ptr = s->frame;
     uint32_t addr = s->tx_descriptor;
 
     while (descnt++ < IMX_MAX_DESC) {
@@ -XXX,XX +XXX,XX @@ static void imx_enet_do_tx(IMXFECState *s)
         frame_size += len;
         if (bd.flags & ENET_BD_L) {
             if (bd.option & ENET_BD_PINS) {
-                struct ip_header *ip_hd = PKT_GET_IP_HDR(frame);
+                struct ip_header *ip_hd = PKT_GET_IP_HDR(s->frame);
                 if (IP_HEADER_VERSION(ip_hd) == 4) {
-                    net_checksum_calculate(frame, frame_size);
+                    net_checksum_calculate(s->frame, frame_size);
                 }
             }
             if (bd.option & ENET_BD_IINS) {
-                struct ip_header *ip_hd = PKT_GET_IP_HDR(frame);
+                struct ip_header *ip_hd = PKT_GET_IP_HDR(s->frame);
                 /* We compute checksum only for IPv4 frames */
                 if (IP_HEADER_VERSION(ip_hd) == 4) {
                     uint16_t csum;
@@ -XXX,XX +XXX,XX @@ static void imx_enet_do_tx(IMXFECState *s)
                 }
             }
             /* Last buffer in frame.  */
-            qemu_send_packet(qemu_get_queue(s->nic), frame, len);
-            ptr = frame;
+
+            qemu_send_packet(qemu_get_queue(s->nic), s->frame, len);
+            ptr = s->frame;
+
             frame_size = 0;
             if (bd.option & ENET_BD_TX_INT) {
                 s->regs[ENET_EIR] |= ENET_INT_TXF;
-- 
2.7.4

From: Andrey Smirnov <andrew.smirnov@gmail.com>

Frame truncation length, TRUNC_FL, is determined by the contents of
ENET_FTRL register, so convert the code to use it instead of a
hardcoded constant.

To avoid the case where TRUNC_FL is greater that ENET_MAX_FRAME_SIZE,
increase the value of the latter to its theoretical maximum of 16K.

Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Jason Wang <jasowang@redhat.com>
Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
Cc: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org
Cc: yurovsky@gmail.com
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/net/imx_fec.h | 3 ++-
 hw/net/imx_fec.c         | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/include/hw/net/imx_fec.h b/include/hw/net/imx_fec.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/net/imx_fec.h
+++ b/include/hw/net/imx_fec.h
@@ -XXX,XX +XXX,XX @@
 #define ENET_TCCR3             393
 #define ENET_MAX               400
 
-#define ENET_MAX_FRAME_SIZE    2032
 
 /* EIR and EIMR */
 #define ENET_INT_HB            (1 << 31)
@@ -XXX,XX +XXX,XX @@
 #define ENET_RCR_NLC           (1 << 30)
 #define ENET_RCR_GRS           (1 << 31)
 
+#define ENET_MAX_FRAME_SIZE    (1 << ENET_RCR_MAX_FL_LENGTH)
+
 /* TCR */
 #define ENET_TCR_GTS           (1 << 0)
 #define ENET_TCR_FDEN          (1 << 2)
diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/net/imx_fec.c
+++ b/hw/net/imx_fec.c
@@ -XXX,XX +XXX,XX @@ static ssize_t imx_enet_receive(NetClientState *nc, const uint8_t *buf,
     crc_ptr = (uint8_t *) &crc;
 
     /* Huge frames are truncted.  */
-    if (size > ENET_MAX_FRAME_SIZE) {
-        size = ENET_MAX_FRAME_SIZE;
+    if (size > s->regs[ENET_FTRL]) {
+        size = s->regs[ENET_FTRL];
         flags |= ENET_BD_TR | ENET_BD_LG;
     }
 
-- 
2.7.4

From: Andrey Smirnov <andrew.smirnov@gmail.com>

Needed to support latest Linux kernel driver which relies on that
functionality.

Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Jason Wang <jasowang@redhat.com>
Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
Cc: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org
Cc: yurovsky@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/net/imx_fec.h |  2 ++
 hw/net/imx_fec.c         | 23 +++++++++++++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/include/hw/net/imx_fec.h b/include/hw/net/imx_fec.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/net/imx_fec.h
+++ b/include/hw/net/imx_fec.h
@@ -XXX,XX +XXX,XX @@
 #define ENET_TWFR_TFWR_LENGTH  (6)
 #define ENET_TWFR_STRFWD       (1 << 8)
 
+#define ENET_RACC_SHIFT16      BIT(7)
+
 /* Buffer Descriptor.  */
 typedef struct {
     uint16_t length;
diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/net/imx_fec.c
+++ b/hw/net/imx_fec.c
@@ -XXX,XX +XXX,XX @@ static ssize_t imx_enet_receive(NetClientState *nc, const uint8_t *buf,
     uint8_t *crc_ptr;
     unsigned int buf_len;
     size_t size = len;
+    bool shift16 = s->regs[ENET_RACC] & ENET_RACC_SHIFT16;
 
     FEC_PRINTF("len %d\n", (int)size);
 
@@ -XXX,XX +XXX,XX @@ static ssize_t imx_enet_receive(NetClientState *nc, const uint8_t *buf,
     crc = cpu_to_be32(crc32(~0, buf, size));
     crc_ptr = (uint8_t *) &crc;
 
+    if (shift16) {
+        size += 2;
+    }
+
     /* Huge frames are truncted.  */
     if (size > s->regs[ENET_FTRL]) {
         size = s->regs[ENET_FTRL];
@@ -XXX,XX +XXX,XX @@ static ssize_t imx_enet_receive(NetClientState *nc, const uint8_t *buf,
             buf_len += size - 4;
         }
         buf_addr = bd.data;
+
+        if (shift16) {
+            /*
+             * If SHIFT16 bit of ENETx_RACC register is set we need to
+             * align the payload to 4-byte boundary.
+             */
+            const uint8_t zeros[2] = { 0 };
+
+            dma_memory_write(&address_space_memory, buf_addr,
+                             zeros, sizeof(zeros));
+
+            buf_addr += sizeof(zeros);
+            buf_len  -= sizeof(zeros);
+
+            /* We only do this once per Ethernet frame */
+            shift16 = false;
+        }
+
         dma_memory_write(&address_space_memory, buf_addr, buf, buf_len);
         buf += buf_len;
         if (size < 4) {
-- 
2.7.4

From: Andrey Smirnov <andrew.smirnov@gmail.com>

More recent version of the IP block support more than one Tx DMA ring,
so add the code implementing that feature.

Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Jason Wang <jasowang@redhat.com>
Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
Cc: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org
Cc: yurovsky@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/net/imx_fec.h |  18 ++++++-
 hw/net/imx_fec.c         | 133 ++++++++++++++++++++++++++++++++++++++++-------
 2 files changed, 130 insertions(+), 21 deletions(-)

diff --git a/include/hw/net/imx_fec.h b/include/hw/net/imx_fec.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/net/imx_fec.h
+++ b/include/hw/net/imx_fec.h
@@ -XXX,XX +XXX,XX @@
 #define ENET_TFWR              81
 #define ENET_FRBR              83
 #define ENET_FRSR              84
+#define ENET_TDSR1             89
+#define ENET_TDSR2             92
 #define ENET_RDSR              96
 #define ENET_TDSR              97
 #define ENET_MRBR              98
@@ -XXX,XX +XXX,XX @@
 #define ENET_FTRL              108
 #define ENET_TACC              112
 #define ENET_RACC              113
+#define ENET_TDAR1             121
+#define ENET_TDAR2             123
 #define ENET_MIIGSK_CFGR       192
 #define ENET_MIIGSK_ENR        194
 #define ENET_ATCR              256
@@ -XXX,XX +XXX,XX @@
 #define ENET_INT_WAKEUP        (1 << 17)
 #define ENET_INT_TS_AVAIL      (1 << 16)
 #define ENET_INT_TS_TIMER      (1 << 15)
+#define ENET_INT_TXF2          (1 <<  7)
+#define ENET_INT_TXB2          (1 <<  6)
+#define ENET_INT_TXF1          (1 <<  3)
+#define ENET_INT_TXB1          (1 <<  2)
 
 #define ENET_INT_MAC           (ENET_INT_HB | ENET_INT_BABR | ENET_INT_BABT | \
                                 ENET_INT_GRA | ENET_INT_TXF | ENET_INT_TXB | \
                                 ENET_INT_RXF | ENET_INT_RXB | ENET_INT_MII | \
                                 ENET_INT_EBERR | ENET_INT_LC | ENET_INT_RL | \
                                 ENET_INT_UN | ENET_INT_PLR | ENET_INT_WAKEUP | \
-                                ENET_INT_TS_AVAIL)
+                                ENET_INT_TS_AVAIL | ENET_INT_TXF1 | \
+                                ENET_INT_TXB1 | ENET_INT_TXF2 | ENET_INT_TXB2)
 
 /* RDAR */
 #define ENET_RDAR_RDAR         (1 << 24)
@@ -XXX,XX +XXX,XX @@ typedef struct {
 
 #define ENET_BD_BDU            (1 << 31)
 
+#define ENET_TX_RING_NUM       3
+
+
 typedef struct IMXFECState {
     /*< private >*/
     SysBusDevice parent_obj;
@@ -XXX,XX +XXX,XX @@ typedef struct IMXFECState {
 
     uint32_t regs[ENET_MAX];
     uint32_t rx_descriptor;
-    uint32_t tx_descriptor;
+
+    uint32_t tx_descriptor[ENET_TX_RING_NUM];
+    uint32_t tx_ring_num;
 
     uint32_t phy_status;
     uint32_t phy_control;
diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/net/imx_fec.c
+++ b/hw/net/imx_fec.c
@@ -XXX,XX +XXX,XX @@ static const char *imx_eth_reg_name(IMXFECState *s, uint32_t index)
     }
 }
 
+/*
+ * Versions of this device with more than one TX descriptor save the
+ * 2nd and 3rd descriptors in a subsection, to maintain migration
+ * compatibility with previous versions of the device that only
+ * supported a single descriptor.
+ */
+static bool imx_eth_is_multi_tx_ring(void *opaque)
+{
+    IMXFECState *s = IMX_FEC(opaque);
+
+    return s->tx_ring_num > 1;
+}
+
+static const VMStateDescription vmstate_imx_eth_txdescs = {
+    .name = "imx.fec/txdescs",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .needed = imx_eth_is_multi_tx_ring,
+    .fields = (VMStateField[]) {
+         VMSTATE_UINT32(tx_descriptor[1], IMXFECState),
+         VMSTATE_UINT32(tx_descriptor[2], IMXFECState),
+         VMSTATE_END_OF_LIST()
+    }
+};
+
 static const VMStateDescription vmstate_imx_eth = {
     .name = TYPE_IMX_FEC,
     .version_id = 2,
@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_imx_eth = {
     .fields = (VMStateField[]) {
         VMSTATE_UINT32_ARRAY(regs, IMXFECState, ENET_MAX),
         VMSTATE_UINT32(rx_descriptor, IMXFECState),
-        VMSTATE_UINT32(tx_descriptor, IMXFECState),
-
+        VMSTATE_UINT32(tx_descriptor[0], IMXFECState),
         VMSTATE_UINT32(phy_status, IMXFECState),
         VMSTATE_UINT32(phy_control, IMXFECState),
         VMSTATE_UINT32(phy_advertise, IMXFECState),
         VMSTATE_UINT32(phy_int, IMXFECState),
         VMSTATE_UINT32(phy_int_mask, IMXFECState),
         VMSTATE_END_OF_LIST()
-    }
+    },
+    .subsections = (const VMStateDescription * []) {
+        &vmstate_imx_eth_txdescs,
+        NULL
+    },
 };
 
 #define PHY_INT_ENERGYON            (1 << 7)
@@ -XXX,XX +XXX,XX @@ static void imx_fec_do_tx(IMXFECState *s)
 {
     int frame_size = 0, descnt = 0;
     uint8_t *ptr = s->frame;
-    uint32_t addr = s->tx_descriptor;
+    uint32_t addr = s->tx_descriptor[0];
 
     while (descnt++ < IMX_MAX_DESC) {
         IMXFECBufDesc bd;
@@ -XXX,XX +XXX,XX @@ static void imx_fec_do_tx(IMXFECState *s)
         }
     }
 
-    s->tx_descriptor = addr;
+    s->tx_descriptor[0] = addr;
 
     imx_eth_update(s);
 }
 
-static void imx_enet_do_tx(IMXFECState *s)
+static void imx_enet_do_tx(IMXFECState *s, uint32_t index)
 {
     int frame_size = 0, descnt = 0;
+
     uint8_t *ptr = s->frame;
-    uint32_t addr = s->tx_descriptor;
+    uint32_t addr, int_txb, int_txf, tdsr;
+    size_t ring;
+
+    switch (index) {
+    case ENET_TDAR:
+        ring    = 0;
+        int_txb = ENET_INT_TXB;
+        int_txf = ENET_INT_TXF;
+        tdsr    = ENET_TDSR;
+        break;
+    case ENET_TDAR1:
+        ring    = 1;
+        int_txb = ENET_INT_TXB1;
+        int_txf = ENET_INT_TXF1;
+        tdsr    = ENET_TDSR1;
+        break;
+    case ENET_TDAR2:
+        ring    = 2;
+        int_txb = ENET_INT_TXB2;
+        int_txf = ENET_INT_TXF2;
+        tdsr    = ENET_TDSR2;
+        break;
+    default:
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "%s: bogus value for index %x\n",
+                      __func__, index);
+        abort();
+        break;
+    }
+
+    addr = s->tx_descriptor[ring];
 
     while (descnt++ < IMX_MAX_DESC) {
         IMXENETBufDesc bd;
@@ -XXX,XX +XXX,XX @@ static void imx_enet_do_tx(IMXFECState *s)
 
             frame_size = 0;
             if (bd.option & ENET_BD_TX_INT) {
-                s->regs[ENET_EIR] |= ENET_INT_TXF;
+                s->regs[ENET_EIR] |= int_txf;
             }
         }
         if (bd.option & ENET_BD_TX_INT) {
-            s->regs[ENET_EIR] |= ENET_INT_TXB;
+            s->regs[ENET_EIR] |= int_txb;
         }
         bd.flags &= ~ENET_BD_R;
         /* Write back the modified descriptor.  */
         imx_enet_write_bd(&bd, addr);
         /* Advance to the next descriptor.  */
         if ((bd.flags & ENET_BD_W) != 0) {
-            addr = s->regs[ENET_TDSR];
+            addr = s->regs[tdsr];
         } else {
             addr += sizeof(bd);
         }
     }
 
-    s->tx_descriptor = addr;
+    s->tx_descriptor[ring] = addr;
 
     imx_eth_update(s);
 }
 
-static void imx_eth_do_tx(IMXFECState *s)
+static void imx_eth_do_tx(IMXFECState *s, uint32_t index)
 {
     if (!s->is_fec && (s->regs[ENET_ECR] & ENET_ECR_EN1588)) {
-        imx_enet_do_tx(s);
+        imx_enet_do_tx(s, index);
     } else {
         imx_fec_do_tx(s);
     }
@@ -XXX,XX +XXX,XX @@ static void imx_eth_reset(DeviceState *d)
     }
 
     s->rx_descriptor = 0;
-    s->tx_descriptor = 0;
+    memset(s->tx_descriptor, 0, sizeof(s->tx_descriptor));
 
     /* We also reset the PHY */
     phy_reset(s);
@@ -XXX,XX +XXX,XX @@ static void imx_eth_write(void *opaque, hwaddr offset, uint64_t value,
                            unsigned size)
 {
     IMXFECState *s = IMX_FEC(opaque);
+    const bool single_tx_ring = !imx_eth_is_multi_tx_ring(s);
     uint32_t index = offset >> 2;
 
     FEC_PRINTF("reg[%s] <= 0x%" PRIx32 "\n", imx_eth_reg_name(s, index),
@@ -XXX,XX +XXX,XX @@ static void imx_eth_write(void *opaque, hwaddr offset, uint64_t value,
             s->regs[index] = 0;
         }
         break;
-    case ENET_TDAR:
+    case ENET_TDAR1:    /* FALLTHROUGH */
+    case ENET_TDAR2:    /* FALLTHROUGH */
+        if (unlikely(single_tx_ring)) {
+            qemu_log_mask(LOG_GUEST_ERROR,
+                          "[%s]%s: trying to access TDAR2 or TDAR1\n",
+                          TYPE_IMX_FEC, __func__);
+            return;
+        }
+    case ENET_TDAR:     /* FALLTHROUGH */
         if (s->regs[ENET_ECR] & ENET_ECR_ETHEREN) {
             s->regs[index] = ENET_TDAR_TDAR;
-            imx_eth_do_tx(s);
+            imx_eth_do_tx(s, index);
         }
         s->regs[index] = 0;
         break;
@@ -XXX,XX +XXX,XX @@ static void imx_eth_write(void *opaque, hwaddr offset, uint64_t value,
         if ((s->regs[index] & ENET_ECR_ETHEREN) == 0) {
             s->regs[ENET_RDAR] = 0;
             s->rx_descriptor = s->regs[ENET_RDSR];
-            s->regs[ENET_TDAR] = 0;
-            s->tx_descriptor = s->regs[ENET_TDSR];
+            s->regs[ENET_TDAR]  = 0;
+            s->regs[ENET_TDAR1] = 0;
+            s->regs[ENET_TDAR2] = 0;
+            s->tx_descriptor[0] = s->regs[ENET_TDSR];
+            s->tx_descriptor[1] = s->regs[ENET_TDSR1];
+            s->tx_descriptor[2] = s->regs[ENET_TDSR2];
         }
         break;
     case ENET_MMFR:
@@ -XXX,XX +XXX,XX @@ static void imx_eth_write(void *opaque, hwaddr offset, uint64_t value,
         } else {
             s->regs[index] = value & ~7;
         }
-        s->tx_descriptor = s->regs[index];
+        s->tx_descriptor[0] = s->regs[index];
+        break;
+    case ENET_TDSR1:
+        if (unlikely(single_tx_ring)) {
+            qemu_log_mask(LOG_GUEST_ERROR,
+                          "[%s]%s: trying to access TDSR1\n",
+                          TYPE_IMX_FEC, __func__);
+            return;
+        }
+
+        s->regs[index] = value & ~7;
+        s->tx_descriptor[1] = s->regs[index];
+        break;
+    case ENET_TDSR2:
+        if (unlikely(single_tx_ring)) {
+            qemu_log_mask(LOG_GUEST_ERROR,
+                          "[%s]%s: trying to access TDSR2\n",
+                          TYPE_IMX_FEC, __func__);
+            return;
+        }
+
+        s->regs[index] = value & ~7;
+        s->tx_descriptor[2] = s->regs[index];
         break;
     case ENET_MRBR:
         s->regs[index] = value & 0x00003ff0;
@@ -XXX,XX +XXX,XX @@ static void imx_eth_realize(DeviceState *dev, Error **errp)
 
 static Property imx_eth_properties[] = {
     DEFINE_NIC_PROPERTIES(IMXFECState, conf),
+    DEFINE_PROP_UINT32("tx-ring-num", IMXFECState, tx_ring_num, 1),
     DEFINE_PROP_END_OF_LIST(),
 };
 
-- 
2.7.4

From: Andrey Smirnov <andrew.smirnov@gmail.com>

Use 'frame_size' instead of 'len' when calling qemu_send_packet(),
failing to do so results in malformed packets send in case when that
packed is fragmented into multiple DMA transactions.

Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Jason Wang <jasowang@redhat.com>
Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
Cc: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org
Cc: yurovsky@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/net/imx_fec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/net/imx_fec.c
+++ b/hw/net/imx_fec.c
@@ -XXX,XX +XXX,XX @@ static void imx_enet_do_tx(IMXFECState *s, uint32_t index)
             }
             /* Last buffer in frame.  */
 
-            qemu_send_packet(qemu_get_queue(s->nic), s->frame, len);
+            qemu_send_packet(qemu_get_queue(s->nic), s->frame, frame_size);
             ptr = s->frame;
 
             frame_size = 0;
-- 
2.7.4

From: Andrey Smirnov <andrew.smirnov@gmail.com>

Some i.MX SoCs (e.g. i.MX7) have FEC registers going as far as offset
0x614, so to avoid getting aborts when accessing those on QEMU, extend
the register file to cover FSL_IMX25_FEC_SIZE(16K) of address space
instead of just 1K.

Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Jason Wang <jasowang@redhat.com>
Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
Cc: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org
Cc: yurovsky@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/arm/fsl-imx25.h | 1 -
 include/hw/net/imx_fec.h   | 1 +
 hw/net/imx_fec.c           | 2 +-
 3 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/hw/arm/fsl-imx25.h b/include/hw/arm/fsl-imx25.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/fsl-imx25.h
+++ b/include/hw/arm/fsl-imx25.h
@@ -XXX,XX +XXX,XX @@ typedef struct FslIMX25State {
 #define FSL_IMX25_UART5_ADDR    0x5002C000
 #define FSL_IMX25_UART5_SIZE    0x4000
 #define FSL_IMX25_FEC_ADDR      0x50038000
-#define FSL_IMX25_FEC_SIZE      0x4000
 #define FSL_IMX25_CCM_ADDR      0x53F80000
 #define FSL_IMX25_CCM_SIZE      0x4000
 #define FSL_IMX25_GPT4_ADDR     0x53F84000
diff --git a/include/hw/net/imx_fec.h b/include/hw/net/imx_fec.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/net/imx_fec.h
+++ b/include/hw/net/imx_fec.h
@@ -XXX,XX +XXX,XX @@ typedef struct {
 
 #define ENET_TX_RING_NUM       3
 
+#define FSL_IMX25_FEC_SIZE      0x4000
 
 typedef struct IMXFECState {
     /*< private >*/
diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/net/imx_fec.c
+++ b/hw/net/imx_fec.c
@@ -XXX,XX +XXX,XX @@ static void imx_eth_realize(DeviceState *dev, Error **errp)
     SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
 
     memory_region_init_io(&s->iomem, OBJECT(dev), &imx_eth_ops, s,
-                          TYPE_IMX_FEC, 0x400);
+                          TYPE_IMX_FEC, FSL_IMX25_FEC_SIZE);
     sysbus_init_mmio(sbd, &s->iomem);
     sysbus_init_irq(sbd, &s->irq[0]);
     sysbus_init_irq(sbd, &s->irq[1]);
-- 
2.7.4

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
Message-id: 20180103224208.30291-2-f4bug@amsat.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/timer/pxa2xx_timer.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/hw/timer/pxa2xx_timer.c b/hw/timer/pxa2xx_timer.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/timer/pxa2xx_timer.c
+++ b/hw/timer/pxa2xx_timer.c
@@ -XXX,XX +XXX,XX @@
 #include "sysemu/sysemu.h"
 #include "hw/arm/pxa.h"
 #include "hw/sysbus.h"
+#include "qemu/log.h"
 
 #define OSMR0	0x00
 #define OSMR1	0x04
@@ -XXX,XX +XXX,XX @@ static uint64_t pxa2xx_timer_read(void *opaque, hwaddr offset,
     case OSNR:
         return s->snapshot;
     default:
+        qemu_log_mask(LOG_UNIMP,
+                      "%s: unknown register 0x%02" HWADDR_PRIx "\n",
+                      __func__, offset);
+        break;
     badreg:
-        hw_error("pxa2xx_timer_read: Bad offset " REG_FMT "\n", offset);
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "%s: incorrect register 0x%02" HWADDR_PRIx "\n",
+                      __func__, offset);
     }
 
     return 0;
@@ -XXX,XX +XXX,XX @@ static void pxa2xx_timer_write(void *opaque, hwaddr offset,
         }
         break;
     default:
+        qemu_log_mask(LOG_UNIMP,
+                      "%s: unknown register 0x%02" HWADDR_PRIx " "
+                      "(value 0x%08" PRIx64 ")\n",  __func__, offset, value);
+        break;
     badreg:
-        hw_error("pxa2xx_timer_write: Bad offset " REG_FMT "\n", offset);
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "%s: incorrect register 0x%02" HWADDR_PRIx " "
+                      "(value 0x%08" PRIx64 ")\n", __func__, offset, value);
     }
 }
 
-- 
2.7.4

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
Message-id: 20180104000156.30932-1-f4bug@amsat.org
[PMM: add missing include]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/sd/pxa2xx_mmci.c | 78 ++++++++++++++++++++++++++++++++++-------------------
 hw/sd/trace-events  |  4 +++
 2 files changed, 54 insertions(+), 28 deletions(-)

diff --git a/hw/sd/pxa2xx_mmci.c b/hw/sd/pxa2xx_mmci.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/sd/pxa2xx_mmci.c
+++ b/hw/sd/pxa2xx_mmci.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/qdev.h"
 #include "hw/qdev-properties.h"
 #include "qemu/error-report.h"
+#include "qemu/log.h"
+#include "trace.h"
 
 #define TYPE_PXA2XX_MMCI "pxa2xx-mmci"
 #define PXA2XX_MMCI(obj) OBJECT_CHECK(PXA2xxMMCIState, (obj), TYPE_PXA2XX_MMCI)
@@ -XXX,XX +XXX,XX @@ static void pxa2xx_mmci_wakequeues(PXA2xxMMCIState *s)
 static uint64_t pxa2xx_mmci_read(void *opaque, hwaddr offset, unsigned size)
 {
     PXA2xxMMCIState *s = (PXA2xxMMCIState *) opaque;
-    uint32_t ret;
+    uint32_t ret = 0;
 
     switch (offset) {
     case MMC_STRPCL:
-        return 0;
+        break;
     case MMC_STAT:
-        return s->status;
+        ret = s->status;
+        break;
     case MMC_CLKRT:
-        return s->clkrt;
+        ret = s->clkrt;
+        break;
     case MMC_SPI:
-        return s->spi;
+        ret = s->spi;
+        break;
     case MMC_CMDAT:
-        return s->cmdat;
+        ret = s->cmdat;
+        break;
     case MMC_RESTO:
-        return s->resp_tout;
+        ret = s->resp_tout;
+        break;
     case MMC_RDTO:
-        return s->read_tout;
+        ret = s->read_tout;
+        break;
     case MMC_BLKLEN:
-        return s->blklen;
+        ret = s->blklen;
+        break;
     case MMC_NUMBLK:
-        return s->numblk;
+        ret = s->numblk;
+        break;
     case MMC_PRTBUF:
-        return 0;
+        break;
     case MMC_I_MASK:
-        return s->intmask;
+        ret = s->intmask;
+        break;
     case MMC_I_REG:
-        return s->intreq;
+        ret = s->intreq;
+        break;
     case MMC_CMD:
-        return s->cmd | 0x40;
+        ret = s->cmd | 0x40;
+        break;
     case MMC_ARGH:
-        return s->arg >> 16;
+        ret = s->arg >> 16;
+        break;
     case MMC_ARGL:
-        return s->arg & 0xffff;
+        ret = s->arg & 0xffff;
+        break;
     case MMC_RES:
-        if (s->resp_len < 9)
-            return s->resp_fifo[s->resp_len ++];
-        return 0;
+        ret = (s->resp_len < 9) ? s->resp_fifo[s->resp_len++] : 0;
+        break;
     case MMC_RXFIFO:
-        ret = 0;
         while (size-- && s->rx_len) {
             ret |= s->rx_fifo[s->rx_start++] << (size << 3);
             s->rx_start &= 0x1f;
@@ -XXX,XX +XXX,XX @@ static uint64_t pxa2xx_mmci_read(void *opaque, hwaddr offset, unsigned size)
         }
         s->intreq &= ~INT_RXFIFO_REQ;
         pxa2xx_mmci_fifo_update(s);
-        return ret;
+        break;
     case MMC_RDWAIT:
-        return 0;
+        break;
     case MMC_BLKS_REM:
-        return s->numblk;
+        ret = s->numblk;
+        break;
     default:
-        hw_error("%s: Bad offset " REG_FMT "\n", __FUNCTION__, offset);
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "%s: incorrect register 0x%02" HWADDR_PRIx "\n",
+                      __func__, offset);
     }
+    trace_pxa2xx_mmci_read(size, offset, ret);
 
-    return 0;
+    return ret;
 }
 
 static void pxa2xx_mmci_write(void *opaque,
@@ -XXX,XX +XXX,XX @@ static void pxa2xx_mmci_write(void *opaque,
 {
     PXA2xxMMCIState *s = (PXA2xxMMCIState *) opaque;
 
+    trace_pxa2xx_mmci_write(size, offset, value);
     switch (offset) {
     case MMC_STRPCL:
         if (value & STRPCL_STRT_CLK) {
@@ -XXX,XX +XXX,XX @@ static void pxa2xx_mmci_write(void *opaque,
 
     case MMC_SPI:
         s->spi = value & 0xf;
-        if (value & SPI_SPI_MODE)
-            printf("%s: attempted to use card in SPI mode\n", __FUNCTION__);
+        if (value & SPI_SPI_MODE) {
+            qemu_log_mask(LOG_GUEST_ERROR,
+                          "%s: attempted to use card in SPI mode\n", __func__);
+        }
         break;
 
     case MMC_CMDAT:
@@ -XXX,XX +XXX,XX @@ static void pxa2xx_mmci_write(void *opaque,
         break;
 
     default:
-        hw_error("%s: Bad offset " REG_FMT "\n", __FUNCTION__, offset);
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "%s: incorrect reg 0x%02" HWADDR_PRIx " "
+                      "(value 0x%08" PRIx64 ")\n", __func__, offset, value);
     }
 }
 
diff --git a/hw/sd/trace-events b/hw/sd/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/hw/sd/trace-events
+++ b/hw/sd/trace-events
@@ -XXX,XX +XXX,XX @@
 # hw/sd/milkymist-memcard.c
 milkymist_memcard_memory_read(uint32_t addr, uint32_t value) "addr 0x%08x value 0x%08x"
 milkymist_memcard_memory_write(uint32_t addr, uint32_t value) "addr 0x%08x value 0x%08x"
+
+# hw/sd/pxa2xx_mmci.c
+pxa2xx_mmci_read(uint8_t size, uint32_t addr, uint32_t value) "size %d addr 0x%02x value 0x%08x"
+pxa2xx_mmci_write(uint8_t size, uint32_t addr, uint32_t value) "size %d addr 0x%02x value 0x%08x"
-- 
2.7.4

Our copy of the nwfpe code for emulating of the old FPA11 floating
point unit doesn't check the coprocessor number in the instruction
when it emulates it.  This means that we might treat some
instructions which should really UNDEF as being FPA11 instructions by
accident.

The kernel's copy of the nwfpe code doesn't make this error; I suspect
the bug was noticed and fixed as part of the process of mainlining
the nwfpe code more than a decade ago.

Add a check that the coprocessor number (which is always in bits
[11:8] of the instruction) is either 1 or 2, which is where the
FPA11 lives.

Reported-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/arm/nwfpe/fpa11.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/linux-user/arm/nwfpe/fpa11.c b/linux-user/arm/nwfpe/fpa11.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/arm/nwfpe/fpa11.c
+++ b/linux-user/arm/nwfpe/fpa11.c
@@ -XXX,XX +XXX,XX @@ unsigned int EmulateAll(unsigned int opcode, FPA11* qfpa, CPUARMState* qregs)
   unsigned int nRc = 0;
 //  unsigned long flags;
   FPA11 *fpa11;
+  unsigned int cp;
 //  save_flags(flags); sti();
 
+  /* Check that this is really an FPA11 instruction: the coprocessor
+   * field in bits [11:8] must be 1 or 2.
+   */
+  cp = (opcode >> 8) & 0xf;
+  if (cp != 1 && cp != 2) {
+    return 0;
+  }
+
   qemufpa=qfpa;
   user_registers=qregs;
 
-- 
2.7.4

Refactor disas_thumb2_insn() so that it generates the code for raising
an UNDEF exception for invalid insns, rather than returning a flag
which the caller must check to see if it needs to generate the UNDEF
code. This brings the function in to line with the behaviour of
disas_thumb_insn() and disas_arm_insn().

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 1513080506-17703-1-git-send-email-peter.maydell@linaro.org
---
 target/arm/translate.c | 23 ++++++++++-------------
 1 file changed, 10 insertions(+), 13 deletions(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ gen_thumb2_data_op(DisasContext *s, int op, int conds, uint32_t shifter_out,
     return 0;
 }
 
-/* Translate a 32-bit thumb instruction.  Returns nonzero if the instruction
-   is not legal.  */
-static int disas_thumb2_insn(DisasContext *s, uint32_t insn)
+/* Translate a 32-bit thumb instruction. */
+static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
 {
     uint32_t imm, shift, offset;
     uint32_t rd, rn, rm, rs;
@@ -XXX,XX +XXX,XX @@ static int disas_thumb2_insn(DisasContext *s, uint32_t insn)
                     /* UNPREDICTABLE, unallocated hint or
                      * PLD/PLDW/PLI (literal)
                      */
-                    return 0;
+                    return;
                 }
                 if (op1 & 1) {
-                    return 0; /* PLD/PLDW/PLI or unallocated hint */
+                    return; /* PLD/PLDW/PLI or unallocated hint */
                 }
                 if ((op2 == 0) || ((op2 & 0x3c) == 0x30)) {
-                    return 0; /* PLD/PLDW/PLI or unallocated hint */
+                    return; /* PLD/PLDW/PLI or unallocated hint */
                 }
                 /* UNDEF space, or an UNPREDICTABLE */
-                return 1;
+                goto illegal_op;
             }
         }
         memidx = get_mem_index(s);
@@ -XXX,XX +XXX,XX @@ static int disas_thumb2_insn(DisasContext *s, uint32_t insn)
     default:
         goto illegal_op;
     }
-    return 0;
+    return;
 illegal_op:
-    return 1;
+    gen_exception_insn(s, 4, EXCP_UDEF, syn_uncategorized(),
+                       default_exception_el(s));
 }
 
 static void disas_thumb_insn(DisasContext *s, uint32_t insn)
@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
     if (is_16bit) {
         disas_thumb_insn(dc, insn);
     } else {
-        if (disas_thumb2_insn(dc, insn)) {
-            gen_exception_insn(dc, 4, EXCP_UDEF, syn_uncategorized(),
-                               default_exception_el(dc));
-        }
+        disas_thumb2_insn(dc, insn);
     }
 
     /* Advance the Thumb condexec condition.  */
-- 
2.7.4

The GICv3 specification says that reserved register addresses
should RAZ/WI. This means we need to return MEMTX_OK, not MEMTX_ERROR,
because now that we support generating external aborts the
latter will cause an abort on new board models.

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1513183941-24300-2-git-send-email-peter.maydell@linaro.org
Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
---
 hw/intc/arm_gicv3_dist.c       | 13 +++++++++++++
 hw/intc/arm_gicv3_its_common.c |  8 +++-----
 hw/intc/arm_gicv3_redist.c     | 13 +++++++++++++
 3 files changed, 29 insertions(+), 5 deletions(-)

diff --git a/hw/intc/arm_gicv3_dist.c b/hw/intc/arm_gicv3_dist.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3_dist.c
+++ b/hw/intc/arm_gicv3_dist.c
@@ -XXX,XX +XXX,XX @@ MemTxResult gicv3_dist_read(void *opaque, hwaddr offset, uint64_t *data,
                       "%s: invalid guest read at offset " TARGET_FMT_plx
                       "size %u\n", __func__, offset, size);
         trace_gicv3_dist_badread(offset, size, attrs.secure);
+        /* The spec requires that reserved registers are RAZ/WI;
+         * so use MEMTX_ERROR returns from leaf functions as a way to
+         * trigger the guest-error logging but don't return it to
+         * the caller, or we'll cause a spurious guest data abort.
+         */
+        r = MEMTX_OK;
+        *data = 0;
     } else {
         trace_gicv3_dist_read(offset, *data, size, attrs.secure);
     }
@@ -XXX,XX +XXX,XX @@ MemTxResult gicv3_dist_write(void *opaque, hwaddr offset, uint64_t data,
                       "%s: invalid guest write at offset " TARGET_FMT_plx
                       "size %u\n", __func__, offset, size);
         trace_gicv3_dist_badwrite(offset, data, size, attrs.secure);
+        /* The spec requires that reserved registers are RAZ/WI;
+         * so use MEMTX_ERROR returns from leaf functions as a way to
+         * trigger the guest-error logging but don't return it to
+         * the caller, or we'll cause a spurious guest data abort.
+         */
+        r = MEMTX_OK;
     } else {
         trace_gicv3_dist_write(offset, data, size, attrs.secure);
     }
diff --git a/hw/intc/arm_gicv3_its_common.c b/hw/intc/arm_gicv3_its_common.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3_its_common.c
+++ b/hw/intc/arm_gicv3_its_common.c
@@ -XXX,XX +XXX,XX @@ static MemTxResult gicv3_its_trans_read(void *opaque, hwaddr offset,
                                         MemTxAttrs attrs)
 {
     qemu_log_mask(LOG_GUEST_ERROR, "ITS read at offset 0x%"PRIx64"\n", offset);
-    return MEMTX_ERROR;
+    *data = 0;
+    return MEMTX_OK;
 }
 
 static MemTxResult gicv3_its_trans_write(void *opaque, hwaddr offset,
@@ -XXX,XX +XXX,XX @@ static MemTxResult gicv3_its_trans_write(void *opaque, hwaddr offset,
         if (ret <= 0) {
             qemu_log_mask(LOG_GUEST_ERROR,
                           "ITS: Error sending MSI: %s\n", strerror(-ret));
-            return MEMTX_DECODE_ERROR;
         }
-
-        return MEMTX_OK;
     } else {
         qemu_log_mask(LOG_GUEST_ERROR,
                       "ITS write at bad offset 0x%"PRIx64"\n", offset);
-        return MEMTX_DECODE_ERROR;
     }
+    return MEMTX_OK;
 }
 
 static const MemoryRegionOps gicv3_its_trans_ops = {
diff --git a/hw/intc/arm_gicv3_redist.c b/hw/intc/arm_gicv3_redist.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3_redist.c
+++ b/hw/intc/arm_gicv3_redist.c
@@ -XXX,XX +XXX,XX @@ MemTxResult gicv3_redist_read(void *opaque, hwaddr offset, uint64_t *data,
                       "size %u\n", __func__, offset, size);
         trace_gicv3_redist_badread(gicv3_redist_affid(cs), offset,
                                    size, attrs.secure);
+        /* The spec requires that reserved registers are RAZ/WI;
+         * so use MEMTX_ERROR returns from leaf functions as a way to
+         * trigger the guest-error logging but don't return it to
+         * the caller, or we'll cause a spurious guest data abort.
+         */
+        r = MEMTX_OK;
+        *data = 0;
     } else {
         trace_gicv3_redist_read(gicv3_redist_affid(cs), offset, *data,
                                 size, attrs.secure);
@@ -XXX,XX +XXX,XX @@ MemTxResult gicv3_redist_write(void *opaque, hwaddr offset, uint64_t data,
                       "size %u\n", __func__, offset, size);
         trace_gicv3_redist_badwrite(gicv3_redist_affid(cs), offset, data,
                                     size, attrs.secure);
+        /* The spec requires that reserved registers are RAZ/WI;
+         * so use MEMTX_ERROR returns from leaf functions as a way to
+         * trigger the guest-error logging but don't return it to
+         * the caller, or we'll cause a spurious guest data abort.
+         */
+        r = MEMTX_OK;
     } else {
         trace_gicv3_redist_write(gicv3_redist_affid(cs), offset, data,
                                  size, attrs.secure);
-- 
2.7.4

The GICv2 specification says that reserved register addresses
must RAZ/WI; now that we implement external abort handling
for Arm CPUs this means we must return MEMTX_OK rather than
MEMTX_ERROR, to avoid generating a spurious guest data abort.

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1513183941-24300-3-git-send-email-peter.maydell@linaro.org
Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
---
 hw/intc/arm_gic.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gic.c
+++ b/hw/intc/arm_gic.c
@@ -XXX,XX +XXX,XX @@ static MemTxResult gic_cpu_read(GICState *s, int cpu, int offset,
     default:
         qemu_log_mask(LOG_GUEST_ERROR,
                       "gic_cpu_read: Bad offset %x\n", (int)offset);
-        return MEMTX_ERROR;
+        *data = 0;
+        break;
     }
     return MEMTX_OK;
 }
@@ -XXX,XX +XXX,XX @@ static MemTxResult gic_cpu_write(GICState *s, int cpu, int offset,
     default:
         qemu_log_mask(LOG_GUEST_ERROR,
                       "gic_cpu_write: Bad offset %x\n", (int)offset);
-        return MEMTX_ERROR;
+        return MEMTX_OK;
     }
     gic_update(s);
     return MEMTX_OK;
-- 
2.7.4

One last arm pullreq before I stop work for the end of the year...

-- PMM

The following changes since commit 8e5943260a8f765216674ee87ce8588cc4e7463e:

Merge remote-tracking branch 'remotes/vivier2/tags/trivial-branch-pull-request' into staging (2019-12-20 12:46:10 +0000)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20191220

for you to fetch changes up to c8fa6079eb35888587f1be27c1590da4edcc5098:

arm/arm-powerctl: rebuild hflags after setting CP15 bits in arm_set_cpu_on() (2019-12-20 14:03:00 +0000)

----------------------------------------------------------------
target-arm queue:
 * Support emulating the generic timers at frequencies other than 62.5MHz
 * Various fixes for SMMUv3 emulation bugs
 * Improve assert error message for hflags mismatches
 * arm-powerctl: rebuild hflags after setting CP15 bits in arm_set_cpu_on()

----------------------------------------------------------------
Andrew Jeffery (4):
      target/arm: Remove redundant scaling of nexttick
      target/arm: Abstract the generic timer frequency
      target/arm: Prepare generic timer for per-platform CNTFRQ
      ast2600: Configure CNTFRQ at 1125MHz

Niek Linnenbank (1):
      arm/arm-powerctl: rebuild hflags after setting CP15 bits in arm_set_cpu_on()

Philippe Mathieu-Daudé (1):
      target/arm: Display helpful message when hflags mismatch

Simon Veith (6):
      hw/arm/smmuv3: Apply address mask to linear strtab base address
      hw/arm/smmuv3: Correct SMMU_BASE_ADDR_MASK value
      hw/arm/smmuv3: Check stream IDs against actual table LOG2SIZE
      hw/arm/smmuv3: Align stream table base address to table size
      hw/arm/smmuv3: Use correct bit positions in EVT_SET_ADDR2 macro
      hw/arm/smmuv3: Report F_STE_FETCH fault address in correct word position

hw/arm/smmuv3-internal.h  |  6 ++---
 target/arm/cpu.h          |  5 ++++
 hw/arm/aspeed_ast2600.c   |  3 +++
 hw/arm/smmuv3.c           | 28 +++++++++++++++-----
 target/arm/arm-powerctl.c |  3 +++
 target/arm/cpu.c          | 65 +++++++++++++++++++++++++++++++++++++++++------
 target/arm/helper.c       | 42 +++++++++++++++++++++++-------
 7 files changed, 125 insertions(+), 27 deletions(-)

From: Andrew Jeffery <andrew@aj.id.au>

The corner-case codepath was adjusting nexttick such that overflow
wouldn't occur when timer_mod() scaled the value back up. Remove a use
of GTIMER_SCALE and avoid unnecessary operations by calling
timer_mod_ns() directly.

Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Message-id: f8c680720e3abe55476e6d9cb604ad27fdbeb2e0.1576215453.git-series.andrew@aj.id.au
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void gt_recalc_timer(ARMCPU *cpu, int timeridx)
          * timer expires we will reset the timer for any remaining period.
          */
         if (nexttick > INT64_MAX / GTIMER_SCALE) {
-            nexttick = INT64_MAX / GTIMER_SCALE;
+            timer_mod_ns(cpu->gt_timer[timeridx], INT64_MAX);
+        } else {
+            timer_mod(cpu->gt_timer[timeridx], nexttick);
         }
-        timer_mod(cpu->gt_timer[timeridx], nexttick);
         trace_arm_gt_recalc(timeridx, irqstate, nexttick);
     } else {
         /* Timer disabled: ISTATUS and timer output always clear */
-- 
2.20.1

From: Andrew Jeffery <andrew@aj.id.au>

Prepare for SoCs such as the ASPEED AST2600 whose firmware configures
CNTFRQ to values significantly larger than the static 62.5MHz value
currently derived from GTIMER_SCALE. As the OS potentially derives its
timer periods from the CNTFRQ value the lack of support for running
QEMUTimers at the appropriate rate leads to sticky behaviour in the
guest.

Substitute the GTIMER_SCALE constant with use of a helper to derive the
period from gt_cntfrq_hz stored in struct ARMCPU. Initially set
gt_cntfrq_hz to the frequency associated with GTIMER_SCALE so current
behaviour is maintained.

Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 40bd8df043f66e1ccfb3e9482999d099ac72bb2e.1576215453.git-series.andrew@aj.id.au
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h    |  5 +++++
 target/arm/cpu.c    |  8 ++++++++
 target/arm/helper.c | 10 +++++++---
 3 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ struct ARMCPU {
      */
     DECLARE_BITMAP(sve_vq_map, ARM_MAX_VQ);
     DECLARE_BITMAP(sve_vq_init, ARM_MAX_VQ);
+
+    /* Generic timer counter frequency, in Hz */
+    uint64_t gt_cntfrq_hz;
 };
 
+unsigned int gt_cntfrq_period_ns(ARMCPU *cpu);
+
 void arm_cpu_post_init(Object *obj);
 
 uint64_t arm_cpu_mp_affinity(int idx, uint8_t clustersz);
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_initfn(Object *obj)
     if (tcg_enabled()) {
         cpu->psci_version = 2; /* TCG implements PSCI 0.2 */
     }
+
+    cpu->gt_cntfrq_hz = NANOSECONDS_PER_SECOND / GTIMER_SCALE;
 }
 
 static Property arm_cpu_reset_cbar_property =
@@ -XXX,XX +XXX,XX @@ static void arm_set_init_svtor(Object *obj, Visitor *v, const char *name,
     visit_type_uint32(v, name, &cpu->init_svtor, errp);
 }
 
+unsigned int gt_cntfrq_period_ns(ARMCPU *cpu)
+{
+    return NANOSECONDS_PER_SECOND > cpu->gt_cntfrq_hz ?
+      NANOSECONDS_PER_SECOND / cpu->gt_cntfrq_hz : 1;
+}
+
 void arm_cpu_post_init(Object *obj)
 {
     ARMCPU *cpu = ARM_CPU(obj);
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static CPAccessResult gt_stimer_access(CPUARMState *env,
 
 static uint64_t gt_get_countervalue(CPUARMState *env)
 {
-    return qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) / GTIMER_SCALE;
+    ARMCPU *cpu = env_archcpu(env);
+
+    return qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) / gt_cntfrq_period_ns(cpu);
 }
 
 static void gt_recalc_timer(ARMCPU *cpu, int timeridx)
@@ -XXX,XX +XXX,XX @@ static void gt_recalc_timer(ARMCPU *cpu, int timeridx)
          * set the timer for as far in the future as possible. When the
          * timer expires we will reset the timer for any remaining period.
          */
-        if (nexttick > INT64_MAX / GTIMER_SCALE) {
+        if (nexttick > INT64_MAX / gt_cntfrq_period_ns(cpu)) {
             timer_mod_ns(cpu->gt_timer[timeridx], INT64_MAX);
         } else {
             timer_mod(cpu->gt_timer[timeridx], nexttick);
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo generic_timer_cp_reginfo[] = {
 
 static uint64_t gt_virt_cnt_read(CPUARMState *env, const ARMCPRegInfo *ri)
 {
+    ARMCPU *cpu = env_archcpu(env);
+
     /* Currently we have no support for QEMUTimer in linux-user so we
      * can't call gt_get_countervalue(env), instead we directly
      * call the lower level functions.
      */
-    return cpu_get_clock() / GTIMER_SCALE;
+    return cpu_get_clock() / gt_cntfrq_period_ns(cpu);
 }
 
 static const ARMCPRegInfo generic_timer_cp_reginfo[] = {
-- 
2.20.1

From: Andrew Jeffery <andrew@aj.id.au>

The ASPEED AST2600 clocks the generic timer at the rate of HPLL. On
recent firmwares this is at 1125MHz, which is considerably quicker than
the assumed 62.5MHz of the current generic timer implementation. The
delta between the value as read from CNTFRQ and the true rate of the
underlying QEMUTimer leads to sticky behaviour in AST2600 guests.

Add a feature-gated property exposing CNTFRQ for ARM CPUs providing the
generic timer. This allows platforms to configure CNTFRQ (and the
associated QEMUTimer) to the appropriate frequency prior to starting the
guest.

As the platform can now determine the rate of CNTFRQ we're exposed to
limitations of QEMUTimer that didn't previously materialise: In the
course of emulation we need to arbitrarily and accurately convert
between guest ticks and time, but we're constrained by QEMUTimer's use
of an integer scaling factor. The effect is QEMUTimer cannot exactly
capture the period of frequencies that do not cleanly divide
NANOSECONDS_PER_SECOND for scaling ticks to time. As such, provide an
equally inaccurate scaling factor for scaling time to ticks so at least
a self-consistent inverse relationship holds.

Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: a22db9325f96e39f76e3c2baddcb712149f46bf2.1576215453.git-series.andrew@aj.id.au
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.c    | 61 +++++++++++++++++++++++++++++++++++++--------
 target/arm/helper.c |  9 ++++++-
 2 files changed, 59 insertions(+), 11 deletions(-)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_initfn(Object *obj)
     if (tcg_enabled()) {
         cpu->psci_version = 2; /* TCG implements PSCI 0.2 */
     }
-
-    cpu->gt_cntfrq_hz = NANOSECONDS_PER_SECOND / GTIMER_SCALE;
 }
 
+static Property arm_cpu_gt_cntfrq_property =
+            DEFINE_PROP_UINT64("cntfrq", ARMCPU, gt_cntfrq_hz,
+                               NANOSECONDS_PER_SECOND / GTIMER_SCALE);
+
 static Property arm_cpu_reset_cbar_property =
             DEFINE_PROP_UINT64("reset-cbar", ARMCPU, reset_cbar, 0);
 
@@ -XXX,XX +XXX,XX @@ static void arm_set_init_svtor(Object *obj, Visitor *v, const char *name,
 
 unsigned int gt_cntfrq_period_ns(ARMCPU *cpu)
 {
+    /*
+     * The exact approach to calculating guest ticks is:
+     *
+     *     muldiv64(qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL), cpu->gt_cntfrq_hz,
+     *              NANOSECONDS_PER_SECOND);
+     *
+     * We don't do that. Rather we intentionally use integer division
+     * truncation below and in the caller for the conversion of host monotonic
+     * time to guest ticks to provide the exact inverse for the semantics of
+     * the QEMUTimer scale factor. QEMUTimer's scale facter is an integer, so
+     * it loses precision when representing frequencies where
+     * `(NANOSECONDS_PER_SECOND % cpu->gt_cntfrq) > 0` holds. Failing to
+     * provide an exact inverse leads to scheduling timers with negative
+     * periods, which in turn leads to sticky behaviour in the guest.
+     *
+     * Finally, CNTFRQ is effectively capped at 1GHz to ensure our scale factor
+     * cannot become zero.
+     */
     return NANOSECONDS_PER_SECOND > cpu->gt_cntfrq_hz ?
       NANOSECONDS_PER_SECOND / cpu->gt_cntfrq_hz : 1;
 }
@@ -XXX,XX +XXX,XX @@ void arm_cpu_post_init(Object *obj)
 
     qdev_property_add_static(DEVICE(obj), &arm_cpu_cfgend_property,
                              &error_abort);
+
+    if (arm_feature(&cpu->env, ARM_FEATURE_GENERIC_TIMER)) {
+        qdev_property_add_static(DEVICE(cpu), &arm_cpu_gt_cntfrq_property,
+                                 &error_abort);
+    }
 }
 
 static void arm_cpu_finalizefn(Object *obj)
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
         }
     }
 
-    cpu->gt_timer[GTIMER_PHYS] = timer_new(QEMU_CLOCK_VIRTUAL, GTIMER_SCALE,
-                                           arm_gt_ptimer_cb, cpu);
-    cpu->gt_timer[GTIMER_VIRT] = timer_new(QEMU_CLOCK_VIRTUAL, GTIMER_SCALE,
-                                           arm_gt_vtimer_cb, cpu);
-    cpu->gt_timer[GTIMER_HYP] = timer_new(QEMU_CLOCK_VIRTUAL, GTIMER_SCALE,
-                                          arm_gt_htimer_cb, cpu);
-    cpu->gt_timer[GTIMER_SEC] = timer_new(QEMU_CLOCK_VIRTUAL, GTIMER_SCALE,
-                                          arm_gt_stimer_cb, cpu);
+
+    {
+        uint64_t scale;
+
+        if (arm_feature(env, ARM_FEATURE_GENERIC_TIMER)) {
+            if (!cpu->gt_cntfrq_hz) {
+                error_setg(errp, "Invalid CNTFRQ: %"PRId64"Hz",
+                           cpu->gt_cntfrq_hz);
+                return;
+            }
+            scale = gt_cntfrq_period_ns(cpu);
+        } else {
+            scale = GTIMER_SCALE;
+        }
+
+        cpu->gt_timer[GTIMER_PHYS] = timer_new(QEMU_CLOCK_VIRTUAL, scale,
+                                               arm_gt_ptimer_cb, cpu);
+        cpu->gt_timer[GTIMER_VIRT] = timer_new(QEMU_CLOCK_VIRTUAL, scale,
+                                               arm_gt_vtimer_cb, cpu);
+        cpu->gt_timer[GTIMER_HYP] = timer_new(QEMU_CLOCK_VIRTUAL, scale,
+                                              arm_gt_htimer_cb, cpu);
+        cpu->gt_timer[GTIMER_SEC] = timer_new(QEMU_CLOCK_VIRTUAL, scale,
+                                              arm_gt_stimer_cb, cpu);
+    }
 #endif
 
     cpu_exec_realizefn(cs, &local_err);
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ void arm_gt_stimer_cb(void *opaque)
     gt_recalc_timer(cpu, GTIMER_SEC);
 }
 
+static void arm_gt_cntfrq_reset(CPUARMState *env, const ARMCPRegInfo *opaque)
+{
+    ARMCPU *cpu = env_archcpu(env);
+
+    cpu->env.cp15.c14_cntfrq = cpu->gt_cntfrq_hz;
+}
+
 static const ARMCPRegInfo generic_timer_cp_reginfo[] = {
     /* Note that CNTFRQ is purely reads-as-written for the benefit
      * of software; writing it doesn't actually change the timer frequency.
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo generic_timer_cp_reginfo[] = {
       .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 0, .opc2 = 0,
       .access = PL1_RW | PL0_R, .accessfn = gt_cntfrq_access,
       .fieldoffset = offsetof(CPUARMState, cp15.c14_cntfrq),
-      .resetvalue = (1000 * 1000 * 1000) / GTIMER_SCALE,
+      .resetfn = arm_gt_cntfrq_reset,
     },
     /* overall control: mostly access permissions */
     { .name = "CNTKCTL", .state = ARM_CP_STATE_BOTH,
-- 
2.20.1

From: Andrew Jeffery <andrew@aj.id.au>

This matches the configuration set by u-boot on the AST2600.

Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 080ca1267a09381c43cf3c50d434fb6c186f2b6e.1576215453.git-series.andrew@aj.id.au
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/aspeed_ast2600.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/arm/aspeed_ast2600.c b/hw/arm/aspeed_ast2600.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/aspeed_ast2600.c
+++ b/hw/arm/aspeed_ast2600.c
@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_ast2600_realize(DeviceState *dev, Error **errp)
         object_property_set_int(OBJECT(&s->cpu[i]), aspeed_calc_affinity(i),
                                 "mp-affinity", &error_abort);
 
+        object_property_set_int(OBJECT(&s->cpu[i]), 1125000000, "cntfrq",
+                                &error_abort);
+
         /*
          * TODO: the secondary CPUs are started and a boot helper
          * is needed when using -kernel
-- 
2.20.1

From: Simon Veith <sveith@amazon.de>

In the SMMU_STRTAB_BASE register, the stream table base address only
occupies bits [51:6]. Other bits, such as RA (bit [62]), must be masked
out to obtain the base address.

The branch for 2-level stream tables correctly applies this mask by way
of SMMU_BASE_ADDR_MASK, but the one for linear stream tables does not.

Apply the missing mask in that case as well so that the correct stream
base address is used by guests which configure a linear stream table.

Linux guests are unaffected by this change because they choose a 2-level
stream table layout for the QEMU SMMUv3, based on the size of its stream
ID space.

ref. ARM IHI 0070C, section 6.3.23.

Signed-off-by: Simon Veith <sveith@amazon.de>
Acked-by: Eric Auger <eric.auger@redhat.com>
Tested-by: Eric Auger <eric.auger@redhat.com>
Message-id: 1576509312-13083-2-git-send-email-sveith@amazon.de
Cc: Eric Auger <eric.auger@redhat.com>
Cc: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org
Acked-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/smmuv3.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@ static int smmu_find_ste(SMMUv3State *s, uint32_t sid, STE *ste,
         }
         addr = l2ptr + l2_ste_offset * sizeof(*ste);
     } else {
-        addr = s->strtab_base + sid * sizeof(*ste);
+        addr = (s->strtab_base & SMMU_BASE_ADDR_MASK) + sid * sizeof(*ste);
     }
 
     if (smmu_get_ste(s, addr, ste, event)) {
-- 
2.20.1

From: Simon Veith <sveith@amazon.de>

There are two issues with the current value of SMMU_BASE_ADDR_MASK:

- At the lower end, we are clearing bits [4:0]. Per the SMMUv3 spec,
  we should also be treating bit 5 as zero in the base address.
- At the upper end, we are clearing bits [63:48]. Per the SMMUv3 spec,
  only bits [63:52] must be explicitly treated as zero.

Update the SMMU_BASE_ADDR_MASK value to mask out bits [63:52] and [5:0].

ref. ARM IHI 0070C, section 6.3.23.

Signed-off-by: Simon Veith <sveith@amazon.de>
Acked-by: Eric Auger <eric.auger@redhat.com>
Tested-by: Eric Auger <eric.auger@redhat.com>
Message-id: 1576509312-13083-3-git-send-email-sveith@amazon.de
Cc: Eric Auger <eric.auger@redhat.com>
Cc: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/smmuv3-internal.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3-internal.h
+++ b/hw/arm/smmuv3-internal.h
@@ -XXX,XX +XXX,XX @@ REG32(GERROR_IRQ_CFG2, 0x74)
 
 #define A_STRTAB_BASE      0x80 /* 64b */
 
-#define SMMU_BASE_ADDR_MASK 0xffffffffffe0
+#define SMMU_BASE_ADDR_MASK 0xfffffffffffc0
 
 REG32(STRTAB_BASE_CFG,     0x88)
     FIELD(STRTAB_BASE_CFG, FMT,      16, 2)
-- 
2.20.1

From: Simon Veith <sveith@amazon.de>

When checking whether a stream ID is in range of the stream table, we
have so far been only checking it against our implementation limit
(SMMU_IDR1_SIDSIZE). However, the guest can program the
STRTAB_BASE_CFG.LOG2SIZE field to a size that is smaller than this
limit.

Check the stream ID against this limit as well to match the hardware
behavior of raising C_BAD_STREAMID events in case the limit is exceeded.
Also, ensure that we do not go one entry beyond the end of the table by
checking that its index is strictly smaller than the table size.

ref. ARM IHI 0070C, section 6.3.24.

Signed-off-by: Simon Veith <sveith@amazon.de>
Acked-by: Eric Auger <eric.auger@redhat.com>
Tested-by: Eric Auger <eric.auger@redhat.com>
Message-id: 1576509312-13083-4-git-send-email-sveith@amazon.de
Cc: Eric Auger <eric.auger@redhat.com>
Cc: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/smmuv3.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@ static int smmu_find_ste(SMMUv3State *s, uint32_t sid, STE *ste,
                          SMMUEventInfo *event)
 {
     dma_addr_t addr;
+    uint32_t log2size;
     int ret;
 
     trace_smmuv3_find_ste(sid, s->features, s->sid_split);
-    /* Check SID range */
-    if (sid > (1 << SMMU_IDR1_SIDSIZE)) {
+    log2size = FIELD_EX32(s->strtab_base_cfg, STRTAB_BASE_CFG, LOG2SIZE);
+    /*
+     * Check SID range against both guest-configured and implementation limits
+     */
+    if (sid >= (1 << MIN(log2size, SMMU_IDR1_SIDSIZE))) {
         event->type = SMMU_EVT_C_BAD_STREAMID;
         return -EINVAL;
     }
-- 
2.20.1

From: Simon Veith <sveith@amazon.de>

Per the specification, and as observed in hardware, the SMMUv3 aligns
the SMMU_STRTAB_BASE address to the size of the table by masking out the
respective least significant bits in the ADDR field.

Apply this masking logic to our smmu_find_ste() lookup function per the
specification.

ref. ARM IHI 0070C, section 6.3.23.

Signed-off-by: Simon Veith <sveith@amazon.de>
Acked-by: Eric Auger <eric.auger@redhat.com>
Tested-by: Eric Auger <eric.auger@redhat.com>
Message-id: 1576509312-13083-5-git-send-email-sveith@amazon.de
Cc: Eric Auger <eric.auger@redhat.com>
Cc: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/smmuv3.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@ bad_ste:
 static int smmu_find_ste(SMMUv3State *s, uint32_t sid, STE *ste,
                          SMMUEventInfo *event)
 {
-    dma_addr_t addr;
+    dma_addr_t addr, strtab_base;
     uint32_t log2size;
+    int strtab_size_shift;
     int ret;
 
     trace_smmuv3_find_ste(sid, s->features, s->sid_split);
@@ -XXX,XX +XXX,XX @@ static int smmu_find_ste(SMMUv3State *s, uint32_t sid, STE *ste,
     }
     if (s->features & SMMU_FEATURE_2LVL_STE) {
         int l1_ste_offset, l2_ste_offset, max_l2_ste, span;
-        dma_addr_t strtab_base, l1ptr, l2ptr;
+        dma_addr_t l1ptr, l2ptr;
         STEDesc l1std;
 
-        strtab_base = s->strtab_base & SMMU_BASE_ADDR_MASK;
+        /*
+         * Align strtab base address to table size. For this purpose, assume it
+         * is not bounded by SMMU_IDR1_SIDSIZE.
+         */
+        strtab_size_shift = MAX(5, (int)log2size - s->sid_split - 1 + 3);
+        strtab_base = s->strtab_base & SMMU_BASE_ADDR_MASK &
+                      ~MAKE_64BIT_MASK(0, strtab_size_shift);
         l1_ste_offset = sid >> s->sid_split;
         l2_ste_offset = sid & ((1 << s->sid_split) - 1);
         l1ptr = (dma_addr_t)(strtab_base + l1_ste_offset * sizeof(l1std));
@@ -XXX,XX +XXX,XX @@ static int smmu_find_ste(SMMUv3State *s, uint32_t sid, STE *ste,
         }
         addr = l2ptr + l2_ste_offset * sizeof(*ste);
     } else {
-        addr = (s->strtab_base & SMMU_BASE_ADDR_MASK) + sid * sizeof(*ste);
+        strtab_size_shift = log2size + 5;
+        strtab_base = s->strtab_base & SMMU_BASE_ADDR_MASK &
+                      ~MAKE_64BIT_MASK(0, strtab_size_shift);
+        addr = strtab_base + sid * sizeof(*ste);
     }
 
     if (smmu_get_ste(s, addr, ste, event)) {
-- 
2.20.1

From: Simon Veith <sveith@amazon.de>

The bit offsets in the EVT_SET_ADDR2 macro do not match those specified
in the ARM SMMUv3 Architecture Specification. In all events that use
this macro, e.g. F_WALK_EABT, the faulting fetch address or IPA actually
occupies the 32-bit words 6 and 7 in the event record contiguously, with
the upper and lower unused bits clear due to alignment or maximum
supported address bits. How many bits are clear depends on the
individual event type.

Update the macro to write to the correct words in the event record so
that guest drivers can obtain accurate address information on events.

ref. ARM IHI 0070C, sections 7.3.12 through 7.3.16.

Signed-off-by: Simon Veith <sveith@amazon.de>
Acked-by: Eric Auger <eric.auger@redhat.com>
Tested-by: Eric Auger <eric.auger@redhat.com>
Message-id: 1576509312-13083-6-git-send-email-sveith@amazon.de
Cc: Eric Auger <eric.auger@redhat.com>
Cc: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org
Acked-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/smmuv3-internal.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3-internal.h
+++ b/hw/arm/smmuv3-internal.h
@@ -XXX,XX +XXX,XX @@ typedef struct SMMUEventInfo {
     } while (0)
 #define EVT_SET_ADDR2(x, addr)                            \
     do {                                                  \
-            (x)->word[7] = deposit32((x)->word[7], 3, 29, addr >> 16);   \
-            (x)->word[7] = deposit32((x)->word[7], 0, 16, addr & 0xffff);\
+            (x)->word[7] = (uint32_t)(addr >> 32);        \
+            (x)->word[6] = (uint32_t)(addr & 0xffffffff); \
     } while (0)
 
 void smmuv3_record_event(SMMUv3State *s, SMMUEventInfo *event);
-- 
2.20.1

From: Simon Veith <sveith@amazon.de>

The smmuv3_record_event() function that generates the F_STE_FETCH error
uses the EVT_SET_ADDR macro to record the fetch address, placing it in
32-bit words 4 and 5.

The correct position for this address is in words 6 and 7, per the
SMMUv3 Architecture Specification.

Update the function to use the EVT_SET_ADDR2 macro instead, which is the
macro intended for writing to these words.

ref. ARM IHI 0070C, section 7.3.4.

Signed-off-by: Simon Veith <sveith@amazon.de>
Acked-by: Eric Auger <eric.auger@redhat.com>
Tested-by: Eric Auger <eric.auger@redhat.com>
Message-id: 1576509312-13083-7-git-send-email-sveith@amazon.de
Cc: Eric Auger <eric.auger@redhat.com>
Cc: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org
Acked-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/smmuv3.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@ void smmuv3_record_event(SMMUv3State *s, SMMUEventInfo *info)
     case SMMU_EVT_F_STE_FETCH:
         EVT_SET_SSID(&evt, info->u.f_ste_fetch.ssid);
         EVT_SET_SSV(&evt,  info->u.f_ste_fetch.ssv);
-        EVT_SET_ADDR(&evt, info->u.f_ste_fetch.addr);
+        EVT_SET_ADDR2(&evt, info->u.f_ste_fetch.addr);
         break;
     case SMMU_EVT_C_BAD_STE:
         EVT_SET_SSID(&evt, info->u.c_bad_ste.ssid);
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

Instead of crashing in a confuse way, give some hint to the user
about why we aborted. He might report the issue without having
to use a debugger.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20191209134552.27733-1-philmd@redhat.com
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Tested-by: Niek Linnenbank <nieklinnenbank@gmail.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ void HELPER(rebuild_hflags_a64)(CPUARMState *env, int el)
     env->hflags = rebuild_hflags_a64(env, el, fp_el, mmu_idx);
 }
 
+static inline void assert_hflags_rebuild_correctly(CPUARMState *env)
+{
+#ifdef CONFIG_DEBUG_TCG
+    uint32_t env_flags_current = env->hflags;
+    uint32_t env_flags_rebuilt = rebuild_hflags_internal(env);
+
+    if (unlikely(env_flags_current != env_flags_rebuilt)) {
+        fprintf(stderr, "TCG hflags mismatch (current:0x%08x rebuilt:0x%08x)\n",
+                env_flags_current, env_flags_rebuilt);
+        abort();
+    }
+#endif
+}
+
 void cpu_get_tb_cpu_state(CPUARMState *env, target_ulong *pc,
                           target_ulong *cs_base, uint32_t *pflags)
 {
@@ -XXX,XX +XXX,XX @@ void cpu_get_tb_cpu_state(CPUARMState *env, target_ulong *pc,
     uint32_t pstate_for_ss;
 
     *cs_base = 0;
-#ifdef CONFIG_DEBUG_TCG
-    assert(flags == rebuild_hflags_internal(env));
-#endif
+    assert_hflags_rebuild_correctly(env);
 
     if (FIELD_EX32(flags, TBFLAG_ANY, AARCH64_STATE)) {
         *pc = env->pc;
-- 
2.20.1

From: Niek Linnenbank <nieklinnenbank@gmail.com>

After setting CP15 bits in arm_set_cpu_on() the cached hflags must
be rebuild to reflect the changed processor state. Without rebuilding,
the cached hflags would be inconsistent until the next call to
arm_rebuild_hflags(). When QEMU is compiled with debugging enabled
(--enable-debug), this problem is captured shortly after the first
call to arm_set_cpu_on() for CPUs running in ARM 32-bit non-secure mode:

qemu-system-arm: target/arm/helper.c:11359: cpu_get_tb_cpu_state:
  Assertion `flags == rebuild_hflags_internal(env)' failed.
  Aborted (core dumped)

Fixes: 0c7f8c43daf65
Cc: qemu-stable@nongnu.org
Signed-off-by: Niek Linnenbank <nieklinnenbank@gmail.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/arm-powerctl.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/target/arm/arm-powerctl.c b/target/arm/arm-powerctl.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/arm-powerctl.c
+++ b/target/arm/arm-powerctl.c
@@ -XXX,XX +XXX,XX @@ static void arm_set_cpu_on_async_work(CPUState *target_cpu_state,
         target_cpu->env.regs[0] = info->context_id;
     }
 
+    /* CP15 update requires rebuilding hflags */
+    arm_rebuild_hflags(&target_cpu->env);
+
     /* Start the new CPU at the requested address */
     cpu_set_pc(target_cpu_state, info->entry);
 
-- 
2.20.1