Series comparison

-[Qemu-devel] [PULL 00/25] target-arm queue
+[PULL 00/27] target-arm queue
-Arm pullreq for the 2.12 codefreeze...
+arm queue: big stuff here is my MVE codegen optimisation,
 and Alex's Apple Silicon hvf support.
-thanks
 -- PMM
-The following changes since commit b39b61e410022f96ceb53d4381d25cba5126ac44:
+The following changes since commit 7adb961995a3744f51396502b33ad04a56a317c3:
-  memory: fix flatview_access_valid RCU read lock/unlock imbalance (2018-03-09 15:55:20 +0000)
+  Merge remote-tracking branch 'remotes/dgilbert-gitlab/tags/pull-virtiofs-20210916' into staging (2021-09-19 18:53:29 +0100)
 are available in the Git repository at:
-  git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20180309
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20210920
-for you to fetch changes up to 076a0fc32a73a9b960e0f73f04a531bc1bd94308:
+for you to fetch changes up to 1dc5a60bfe406bc1122d68cbdefda38d23134b27:
-  MAINTAINERS: Add entries for SD (SDHCI, SDBus, SDCard) (2018-03-09 17:09:45 +0000)
+  target/arm: Optimize MVE 1op-immediate insns (2021-09-20 14:18:01 +0100)
 ----------------------------------------------------------------
 target-arm queue:
- * i.MX: Add i.MX7 SOC implementation and i.MX7 Sabre board
+ * Optimize codegen for MVE when predication not active
- * Report the correct core count in A53 L2CTLR on the ZynqMP board
+ * hvf: Add Apple Silicon support
- * linux-user: preliminary SVE support work (signal handling)
+ * hw/intc: Set GIC maintenance interrupt level to only 0 or 1
- * hw/arm/boot: fix memory leak in case of error loading ELF file
+ * Fix mishandling of MVE FPSCR.LTPSIZE reset for usermode emulator
- * hw/arm/boot: avoid reading off end of buffer if passed very
+ * elf2dmp: Fix coverity nits
    small image file
  * hw/arm: Use more CONFIG switches for the object files
  * target/arm: Add "-cpu max" support
  * hw/arm/virt: Support -machine gic-version=max
  * hw/sd: improve debug tracing
  * hw/sd: sdcard: Add the Tuning Command (CMD 19)
  * MAINTAINERS: add Philippe as odd-fixes maintainer for SD
 ----------------------------------------------------------------
-Alistair Francis (2):
+Alexander Graf (7):
-      target/arm: Add a core count property
+      arm: Move PMC register definitions to internals.h
-      hw/arm: Set the core count for Xilinx's ZynqMP
+      hvf: Add execute to dirty log permission bitmap
       hvf: Introduce hvf_arch_init() callback
       hvf: Add Apple Silicon support
       hvf: arm: Implement PSCI handling
       arm: Add Hypervisor.framework build target
       hvf: arm: Add rudimentary PMC support
-Andrey Smirnov (3):
+Peter Collingbourne (1):
-      pci: Add support for Designware IP block
+      arm/hvf: Add a WFI handler
       i.MX: Add i.MX7 SOC implementation.
       Implement support for i.MX7 Sabre board
-Marc-André Lureau (2):
+Peter Maydell (18):
-      arm: fix load ELF error leak
+      elf2dmp: Check curl_easy_setopt() return value
-      arm: avoid heap-buffer-overflow in load_aarch64_image
+      elf2dmp: Fail cleanly if PDB file specifies zero block_size
       target/arm: Don't skip M-profile reset entirely in user mode
       target/arm: Always clear exclusive monitor on reset
       target/arm: Consolidate ifdef blocks in reset
       hvf: arm: Implement -cpu host
       target/arm: Avoid goto_tb if we're trying to exit to the main loop
       target/arm: Enforce that FPDSCR.LTPSIZE is 4 on inbound migration
       target/arm: Add TB flag for "MVE insns not predicated"
       target/arm: Optimize MVE logic ops
       target/arm: Optimize MVE arithmetic ops
       target/arm: Optimize MVE VNEG, VABS
       target/arm: Optimize MVE VDUP
       target/arm: Optimize MVE VMVN
       target/arm: Optimize MVE VSHL, VSHR immediate forms
       target/arm: Optimize MVE VSHLL and VMOVL
       target/arm: Optimize MVE VSLI and VSRI
       target/arm: Optimize MVE 1op-immediate insns
-Peter Maydell (6):
+Shashi Mallela (1):
-      target/arm: Query host CPU features on-demand at instance init
+      hw/intc: Set GIC maintenance interrupt level to only 0 or 1
       target/arm: Move definition of 'host' cpu type into cpu.c
       target/arm: Add "-cpu max" support
       target/arm: Make 'any' CPU just an alias for 'max'
       hw/arm/virt: Add "max" to the list of CPU types "virt" supports
       hw/arm/virt: Support -machine gic-version=max
-Philippe Mathieu-Daudé (6):
+ meson.build                   |    8 +
-      sdcard: Do not trace CMD55, except when we already expect an ACMD
+ include/sysemu/hvf_int.h      |   12 +-
-      sdcard: Display command name when tracing CMD/ACMD
+ target/arm/cpu.h              |    6 +-
-      sdcard: Display which protocol is used when tracing (SD or SPI)
+ target/arm/hvf_arm.h          |   18 +
-      sdcard: Add the Tuning Command (CMD19)
+ target/arm/internals.h        |   44 ++
-      sdhci: Fix a typo in comment
+ target/arm/kvm_arm.h          |    2 -
-      MAINTAINERS: Add entries for SD (SDHCI, SDBus, SDCard)
+ target/arm/translate.h        |    2 +
  accel/hvf/hvf-accel-ops.c     |   21 +-
  contrib/elf2dmp/download.c    |   22 +-
  contrib/elf2dmp/pdb.c         |    4 +
  hw/intc/arm_gicv3_cpuif.c     |    5 +-
  target/arm/cpu.c              |   56 +-
  target/arm/helper.c           |   77 ++-
  target/arm/hvf/hvf.c          | 1278 +++++++++++++++++++++++++++++++++++++++++
  target/arm/machine.c          |   13 +
  target/arm/translate-m-nocp.c |    8 +-
  target/arm/translate-mve.c    |  310 +++++++---
  target/arm/translate-vfp.c    |   33 +-
  target/arm/translate.c        |   42 +-
  target/i386/hvf/hvf.c         |   10 +
  MAINTAINERS                   |    5 +
  target/arm/hvf/meson.build    |    3 +
  target/arm/hvf/trace-events   |   11 +
  target/arm/meson.build        |    2 +
 files changed, 1824 insertions(+), 168 deletions(-)
  create mode 100644 target/arm/hvf_arm.h
  create mode 100644 target/arm/hvf/hvf.c
  create mode 100644 target/arm/hvf/meson.build
  create mode 100644 target/arm/hvf/trace-events
-Richard Henderson (5):
-      linux-user: Implement aarch64 PR_SVE_SET/GET_VL
-      aarch64-linux-user: Split out helpers for guest signal handling
-      aarch64-linux-user: Remove struct target_aux_context
-      aarch64-linux-user: Add support for EXTRA signal frame records
-      aarch64-linux-user: Add support for SVE signal frame records
-Thomas Huth (1):
-      hw/arm: Use more CONFIG switches for the object files
- hw/arm/Makefile.objs                |  31 +-
- hw/pci-host/Makefile.objs           |   2 +
- hw/sd/Makefile.objs                 |   2 +-
- hw/sd/sdmmc-internal.h              |  24 ++
- include/hw/arm/fsl-imx7.h           | 222 +++++++++++
- include/hw/pci-host/designware.h    | 102 +++++
- include/hw/pci/pci_ids.h            |   2 +
- linux-user/aarch64/target_syscall.h |   3 +
- target/arm/cpu-qom.h                |   2 +
- target/arm/cpu.h                    |  11 +
- target/arm/kvm_arm.h                |  35 +-
- hw/arm/boot.c                       |   4 +-
- hw/arm/fsl-imx7.c                   | 582 ++++++++++++++++++++++++++++
- hw/arm/mcimx7d-sabre.c              |  90 +++++
- hw/arm/virt.c                       |  30 +-
- hw/arm/xlnx-zynqmp.c                |   2 +
- hw/pci-host/designware.c            | 754 ++++++++++++++++++++++++++++++++++++
- hw/sd/sd.c                          |  55 ++-
- hw/sd/sdhci.c                       |   4 +-
- hw/sd/sdmmc-internal.c              |  72 ++++
- linux-user/signal.c                 | 415 ++++++++++++++++----
- linux-user/syscall.c                |  27 ++
- target/arm/cpu.c                    | 103 ++++-
- target/arm/cpu64.c                  | 113 ++++--
- target/arm/kvm.c                    |  53 +--
- target/arm/kvm32.c                  |   8 +-
- target/arm/kvm64.c                  |   8 +-
- MAINTAINERS                         |   8 +
- default-configs/arm-softmmu.mak     |   9 +
- hw/sd/trace-events                  |   8 +-
-files changed, 2583 insertions(+), 198 deletions(-)
- create mode 100644 include/hw/arm/fsl-imx7.h
- create mode 100644 include/hw/pci-host/designware.h
- create mode 100644 hw/arm/fsl-imx7.c
- create mode 100644 hw/arm/mcimx7d-sabre.c
- create mode 100644 hw/pci-host/designware.c
- create mode 100644 hw/sd/sdmmc-internal.c

-[Qemu-devel] [PULL 25/25] MAINTAINERS: Add entries for SD (SDHCI, SDBus, SDCard)
+[PULL 01/27] elf2dmp: Check curl_easy_setopt() return value
-From: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Coverity points out that we aren't checking the return value
 from curl_easy_setopt().
-After spending months studying all the different SD Specifications
+Fixes: Coverity CID 1458895
-from the SD Association, voluntarily add myself as maintainer
+Inspired-by: Peter Maydell <peter.maydell@linaro.org>
-for the SD code.
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Viktor Prutyanov <viktor.prutyanov@phystech.edu>
-Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Tested-by: Viktor Prutyanov <viktor.prutyanov@phystech.edu>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20210910170656.366592-2-philmd@redhat.com
 Message-id: 20180309153654.13518-9-f4bug@amsat.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- MAINTAINERS | 8 ++++++++
+ contrib/elf2dmp/download.c | 22 ++++++++++------------
-file changed, 8 insertions(+)
+file changed, 10 insertions(+), 12 deletions(-)
-diff --git a/MAINTAINERS b/MAINTAINERS
+diff --git a/contrib/elf2dmp/download.c b/contrib/elf2dmp/download.c
 index XXXXXXX..XXXXXXX 100644
---- a/MAINTAINERS
+--- a/contrib/elf2dmp/download.c
-+++ b/MAINTAINERS
++++ b/contrib/elf2dmp/download.c
-@@ -XXX,XX +XXX,XX @@ M: Peter Crosthwaite <crosthwaite.peter@gmail.com>
+@@ -XXX,XX +XXX,XX @@ int download_url(const char *name, const char *url)
- S: Maintained
+         goto out_curl;
- F: hw/ssi/xilinx_*
+     }
-+SD (Secure Card)
+-    curl_easy_setopt(curl, CURLOPT_URL, url);
-+M: Philippe Mathieu-Daudé <f4bug@amsat.org>
+-    curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, NULL);
-+S: Odd Fixes
+-    curl_easy_setopt(curl, CURLOPT_WRITEDATA, file);
-+F: include/hw/sd/sd*
+-    curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1);
-+F: hw/sd/core.c
+-    curl_easy_setopt(curl, CURLOPT_NOPROGRESS, 0);
-+F: hw/sd/sd*
+-
-+F: tests/sd*
+-    if (curl_easy_perform(curl) != CURLE_OK) {
-+
+-        err = 1;
- USB
+-        fclose(file);
- M: Gerd Hoffmann <kraxel@redhat.com>
++    if (curl_easy_setopt(curl, CURLOPT_URL, url) != CURLE_OK
- S: Maintained
++            || curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, NULL) != CURLE_OK
 +            || curl_easy_setopt(curl, CURLOPT_WRITEDATA, file) != CURLE_OK
 +            || curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1) != CURLE_OK
 +            || curl_easy_setopt(curl, CURLOPT_NOPROGRESS, 0) != CURLE_OK
 +            || curl_easy_perform(curl) != CURLE_OK) {
          unlink(name);
 -        goto out_curl;
 +        fclose(file);
 +        err = 1;
 +    } else {
 +        err = fclose(file);
      }
 -    err = fclose(file);
 -
  out_curl:
      curl_easy_cleanup(curl);
 --
-.16.2
+.20.1

-New patch
+[PULL 02/27] elf2dmp: Fail cleanly if PDB file specifies zero block_size
+Coverity points out that if the PDB file we're trying to read
+has a header specifying a block_size of zero then we will
+end up trying to divide by zero in pdb_ds_read_file().
+Check for this and fail cleanly instead.
+Fixes: Coverity CID 1458869
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Viktor Prutyanov <viktor.prutyanov@phystech.edu>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Tested-by: Viktor Prutyanov <viktor.prutyanov@phystech.edu>
+Message-id: 20210910170656.366592-3-philmd@redhat.com
+Message-Id: <20210901143910.17112-3-peter.maydell@linaro.org>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+---
+ contrib/elf2dmp/pdb.c | 4 ++++
+file changed, 4 insertions(+)
+diff --git a/contrib/elf2dmp/pdb.c b/contrib/elf2dmp/pdb.c
+index XXXXXXX..XXXXXXX 100644
+--- a/contrib/elf2dmp/pdb.c
++++ b/contrib/elf2dmp/pdb.c
+@@ -XXX,XX +XXX,XX @@ out_symbols:
+ static int pdb_reader_ds_init(struct pdb_reader *r, PDB_DS_HEADER *hdr)
+ {
++    if (hdr->block_size == 0) {
++        return 1;
++    }
++
+     memset(r->file_used, 0, sizeof(r->file_used));
+     r->ds.header = hdr;
+     r->ds.toc = pdb_ds_read(hdr, (uint32_t *)((uint8_t *)hdr +
+--
+.20.1

-[Qemu-devel] [PULL 17/25] target/arm: Make 'any' CPU just an alias for 'max'
+[PULL 03/27] target/arm: Don't skip M-profile reset entirely in user mode
-Now we have a working '-cpu max', the linux-user-only
+Currently all of the M-profile specific code in arm_cpu_reset() is
-'any' CPU is pretty much the same thing, so implement it
+inside a !defined(CONFIG_USER_ONLY) ifdef block.  This is
-that way.
+unintentional: it happened because originally the only
 M-profile-specific handling was the setup of the initial SP and PC
 from the vector table, which is system-emulation only.  But then we
 added a lot of other M-profile setup to the same "if (ARM_FEATURE_M)"
 code block without noticing that it was all inside a not-user-mode
 ifdef.  This has generally been harmless, but with the addition of
 v8.1M low-overhead-loop support we ran into a problem: the reset of
 FPSCR.LTPSIZE to 4 was only being done for system emulation mode, so
 if a user-mode guest tried to execute the LE instruction it would
 incorrectly take a UsageFault.
-For the moment we don't add any of the extra feature bits
+Adjust the ifdefs so only the really system-emulation specific parts
-to the system-emulation "max", because we don't set the
+are covered.  Because this means we now run some reset code that sets
-ID register bits we would need to to advertise those
+up initial values in the FPCCR and similar FPU related registers,
-features as present.
+explicitly set up the registers controlling FPU context handling in
 user-emulation mode so that the FPU works by design and not by
 chance.
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/613
+Cc: qemu-stable@nongnu.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20180308130626.12393-5-peter.maydell@linaro.org
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Message-id: 20210914120725.24992-2-peter.maydell@linaro.org
 Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 ---
- target/arm/cpu.c   | 52 +++++++++++++++++++++++++----------------------
+ target/arm/cpu.c | 19 +++++++++++++++++++
- target/arm/cpu64.c | 59 ++++++++++++++++++++++++++----------------------------
+file changed, 19 insertions(+)
 files changed, 56 insertions(+), 55 deletions(-)
 diff --git a/target/arm/cpu.c b/target/arm/cpu.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.c
 +++ b/target/arm/cpu.c
-@@ -XXX,XX +XXX,XX @@ static ObjectClass *arm_cpu_class_by_name(const char *cpu_model)
+@@ -XXX,XX +XXX,XX @@ static void arm_cpu_reset(DeviceState *dev)
-     ObjectClass *oc;
+         env->uncached_cpsr = ARM_CPU_MODE_SVC;
-     char *typename;
+     }
-     char **cpuname;
+     env->daif = PSTATE_D | PSTATE_A | PSTATE_I | PSTATE_F;
 +    const char *cpunamestr;
      cpuname = g_strsplit(cpu_model, ",", 1);
 -    typename = g_strdup_printf(ARM_CPU_TYPE_NAME("%s"), cpuname[0]);
 +    cpunamestr = cpuname[0];
 +#ifdef CONFIG_USER_ONLY
 +    /* For backwards compatibility usermode emulation allows "-cpu any",
 +     * which has the same semantics as "-cpu max".
 +     */
 +    if (!strcmp(cpunamestr, "any")) {
 +        cpunamestr = "max";
 +    }
 +#endif
-+    typename = g_strdup_printf(ARM_CPU_TYPE_NAME("%s"), cpunamestr);
-     oc = object_class_by_name(typename);
+     if (arm_feature(env, ARM_FEATURE_M)) {
-     g_strfreev(cpuname);
++#ifndef CONFIG_USER_ONLY
-     g_free(typename);
+         uint32_t initial_msp; /* Loaded from 0x0 */
-@@ -XXX,XX +XXX,XX @@ static void arm_max_initfn(Object *obj)
+         uint32_t initial_pc; /* Loaded from 0x4 */
-         kvm_arm_set_cpu_features_from_host(cpu);
+         uint8_t *rom;
-     } else {
+         uint32_t vecbase;
-         cortex_a15_initfn(obj);
++#endif
--        /* In future we might add feature bits here even if the
--         * real-world A15 doesn't implement them.
+         if (cpu_isar_feature(aa32_lob, cpu)) {
--         */
+             /*
--    }
+@@ -XXX,XX +XXX,XX @@ static void arm_cpu_reset(DeviceState *dev)
--}
+             env->v7m.fpccr[M_REG_S] = R_V7M_FPCCR_ASPEN_MASK |
--#endif
+                 R_V7M_FPCCR_LSPEN_MASK | R_V7M_FPCCR_S_MASK;
--
+         }
- #ifdef CONFIG_USER_ONLY
++
--static void arm_any_initfn(Object *obj)
++#ifndef CONFIG_USER_ONLY
--{
+         /* Unlike A/R profile, M profile defines the reset LR value */
--    ARMCPU *cpu = ARM_CPU(obj);
+         env->regs[14] = 0xffffffff;
--    set_feature(&cpu->env, ARM_FEATURE_V8);
--    set_feature(&cpu->env, ARM_FEATURE_VFP4);
+@@ -XXX,XX +XXX,XX @@ static void arm_cpu_reset(DeviceState *dev)
--    set_feature(&cpu->env, ARM_FEATURE_NEON);
+         env->regs[13] = initial_msp & 0xFFFFFFFC;
--    set_feature(&cpu->env, ARM_FEATURE_THUMB2EE);
+         env->regs[15] = initial_pc & ~1;
--    set_feature(&cpu->env, ARM_FEATURE_V8_AES);
+         env->thumb = initial_pc & 1;
--    set_feature(&cpu->env, ARM_FEATURE_V8_SHA1);
++#else
--    set_feature(&cpu->env, ARM_FEATURE_V8_SHA256);
++        /*
--    set_feature(&cpu->env, ARM_FEATURE_V8_PMULL);
++         * For user mode we run non-secure and with access to the FPU.
--    set_feature(&cpu->env, ARM_FEATURE_CRC);
++         * The FPU context is active (ie does not need further setup)
--    set_feature(&cpu->env, ARM_FEATURE_V8_RDM);
++         * and is owned by non-secure.
 -    set_feature(&cpu->env, ARM_FEATURE_V8_FCMA);
 -    cpu->midr = 0xffffffff;
 +        /* We don't set these in system emulation mode for the moment,
 +         * since we don't correctly set the ID registers to advertise them,
 +         */
-+        set_feature(&cpu->env, ARM_FEATURE_V8);
++        env->v7m.secure = false;
-+        set_feature(&cpu->env, ARM_FEATURE_VFP4);
++        env->v7m.nsacr = 0xcff;
-+        set_feature(&cpu->env, ARM_FEATURE_NEON);
++        env->v7m.cpacr[M_REG_NS] = 0xf0ffff;
-+        set_feature(&cpu->env, ARM_FEATURE_THUMB2EE);
++        env->v7m.fpccr[M_REG_S] &=
-+        set_feature(&cpu->env, ARM_FEATURE_V8_AES);
++            ~(R_V7M_FPCCR_LSPEN_MASK | R_V7M_FPCCR_S_MASK);
-+        set_feature(&cpu->env, ARM_FEATURE_V8_SHA1);
++        env->v7m.control[M_REG_S] |= R_V7M_CONTROL_FPCA_MASK;
 +        set_feature(&cpu->env, ARM_FEATURE_V8_SHA256);
 +        set_feature(&cpu->env, ARM_FEATURE_V8_PMULL);
 +        set_feature(&cpu->env, ARM_FEATURE_CRC);
 +        set_feature(&cpu->env, ARM_FEATURE_V8_RDM);
 +        set_feature(&cpu->env, ARM_FEATURE_V8_FCMA);
 +#endif
 +    }
  }
  #endif
@@ -XXX,XX +XXX,XX @@ static const ARMCPUInfo arm_cpus[] = {
      { .name = "max",         .initfn = arm_max_initfn },
  #endif
  #ifdef CONFIG_USER_ONLY
 -    { .name = "any",         .initfn = arm_any_initfn },
 +    { .name = "any",         .initfn = arm_max_initfn },
  #endif
  #endif
      { .name = NULL }
 diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu64.c
 +++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
          kvm_arm_set_cpu_features_from_host(cpu);
      } else {
          aarch64_a57_initfn(obj);
 -        /* In future we might add feature bits here even if the
 -         * real-world A57 doesn't implement them.
 +#ifdef CONFIG_USER_ONLY
 +        /* We don't set these in system emulation mode for the moment,
 +         * since we don't correctly set the ID registers to advertise them,
 +         * and in some cases they're only available in AArch64 and not AArch32,
 +         * whereas the architecture requires them to be present in both if
 +         * present in either.
           */
 +        set_feature(&cpu->env, ARM_FEATURE_V8);
 +        set_feature(&cpu->env, ARM_FEATURE_VFP4);
 +        set_feature(&cpu->env, ARM_FEATURE_NEON);
 +        set_feature(&cpu->env, ARM_FEATURE_AARCH64);
 +        set_feature(&cpu->env, ARM_FEATURE_V8_AES);
 +        set_feature(&cpu->env, ARM_FEATURE_V8_SHA1);
 +        set_feature(&cpu->env, ARM_FEATURE_V8_SHA256);
 +        set_feature(&cpu->env, ARM_FEATURE_V8_SHA512);
 +        set_feature(&cpu->env, ARM_FEATURE_V8_SHA3);
 +        set_feature(&cpu->env, ARM_FEATURE_V8_SM3);
 +        set_feature(&cpu->env, ARM_FEATURE_V8_SM4);
 +        set_feature(&cpu->env, ARM_FEATURE_V8_PMULL);
 +        set_feature(&cpu->env, ARM_FEATURE_CRC);
 +        set_feature(&cpu->env, ARM_FEATURE_V8_RDM);
 +        set_feature(&cpu->env, ARM_FEATURE_V8_FP16);
 +        set_feature(&cpu->env, ARM_FEATURE_V8_FCMA);
 +        /* For usermode -cpu max we can use a larger and more efficient DCZ
 +         * blocksize since we don't have to follow what the hardware does.
 +         */
 +        cpu->ctr = 0x80038003; /* 32 byte I and D cacheline size, VIPT icache */
 +        cpu->dcz_blocksize = 7; /*  512 bytes */
 +#endif
      }
- }
++#ifndef CONFIG_USER_ONLY
--#ifdef CONFIG_USER_ONLY
+     /* AArch32 has a hard highvec setting of 0xFFFF0000.  If we are currently
--static void aarch64_any_initfn(Object *obj)
+      * executing as AArch32 then check if highvecs are enabled and
--{
+      * adjust the PC accordingly.
 -    ARMCPU *cpu = ARM_CPU(obj);
 -
 -    set_feature(&cpu->env, ARM_FEATURE_V8);
 -    set_feature(&cpu->env, ARM_FEATURE_VFP4);
 -    set_feature(&cpu->env, ARM_FEATURE_NEON);
 -    set_feature(&cpu->env, ARM_FEATURE_AARCH64);
 -    set_feature(&cpu->env, ARM_FEATURE_V8_AES);
 -    set_feature(&cpu->env, ARM_FEATURE_V8_SHA1);
 -    set_feature(&cpu->env, ARM_FEATURE_V8_SHA256);
 -    set_feature(&cpu->env, ARM_FEATURE_V8_SHA512);
 -    set_feature(&cpu->env, ARM_FEATURE_V8_SHA3);
 -    set_feature(&cpu->env, ARM_FEATURE_V8_SM3);
 -    set_feature(&cpu->env, ARM_FEATURE_V8_SM4);
 -    set_feature(&cpu->env, ARM_FEATURE_V8_PMULL);
 -    set_feature(&cpu->env, ARM_FEATURE_CRC);
 -    set_feature(&cpu->env, ARM_FEATURE_V8_RDM);
 -    set_feature(&cpu->env, ARM_FEATURE_V8_FP16);
 -    set_feature(&cpu->env, ARM_FEATURE_V8_FCMA);
 -    cpu->ctr = 0x80038003; /* 32 byte I and D cacheline size, VIPT icache */
 -    cpu->dcz_blocksize = 7; /*  512 bytes */
 -}
 -#endif
 -
  typedef struct ARMCPUInfo {
      const char *name;
      void (*initfn)(Object *obj);
@@ -XXX,XX +XXX,XX @@ static const ARMCPUInfo aarch64_cpus[] = {
      { .name = "cortex-a57",         .initfn = aarch64_a57_initfn },
      { .name = "cortex-a53",         .initfn = aarch64_a53_initfn },
      { .name = "max",                .initfn = aarch64_max_initfn },
 -#ifdef CONFIG_USER_ONLY
 -    { .name = "any",         .initfn = aarch64_any_initfn },
 -#endif
      { .name = NULL }
  };
 --
-.16.2
+.20.1

-[Qemu-devel] [PULL 16/25] target/arm: Add "-cpu max" support
+[PULL 04/27] target/arm: Always clear exclusive monitor on reset
-Add support for "-cpu max" for ARM guests. This CPU type behaves
+There's no particular reason why the exclusive monitor should
-like "-cpu host" when KVM is enabled, and like a system CPU with
+be only cleared on reset in system emulation mode. It doesn't
-the maximum possible feature set otherwise. (Note that this means
+hurt if it isn't cleared in user mode, but we might as well
-it won't be migratable across versions, as we will likely add
+reduce the amount of code we have that's inside an ifdef.
 features to it in future.)
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180308130626.12393-4-peter.maydell@linaro.org
+Message-id: 20210914120725.24992-3-peter.maydell@linaro.org
 ---
- target/arm/cpu-qom.h |  2 ++
+ target/arm/cpu.c | 6 +++---
- target/arm/cpu.c     | 24 ++++++++++++++++++++++++
+file changed, 3 insertions(+), 3 deletions(-)
  target/arm/cpu64.c   | 21 +++++++++++++++++++++
 files changed, 47 insertions(+)
-diff --git a/target/arm/cpu-qom.h b/target/arm/cpu-qom.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu-qom.h
-+++ b/target/arm/cpu-qom.h
-@@ -XXX,XX +XXX,XX @@ struct arm_boot_info;
- #define ARM_CPU_GET_CLASS(obj) \
-     OBJECT_GET_CLASS(ARMCPUClass, (obj), TYPE_ARM_CPU)
-+#define TYPE_ARM_MAX_CPU "max-" TYPE_ARM_CPU
-+
- /**
-  * ARMCPUClass:
-  * @parent_realize: The parent class' realize handler.
 diff --git a/target/arm/cpu.c b/target/arm/cpu.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.c
 +++ b/target/arm/cpu.c
-@@ -XXX,XX +XXX,XX @@ static void pxa270c5_initfn(Object *obj)
+@@ -XXX,XX +XXX,XX @@ static void arm_cpu_reset(DeviceState *dev)
-     cpu->reset_sctlr = 0x00000078;
+         env->regs[15] = 0xFFFF0000;
- }
+     }
-+#ifndef TARGET_AARCH64
++    env->vfp.xregs[ARM_VFP_FPEXC] = 0;
 +/* -cpu max: if KVM is enabled, like -cpu host (best possible with this host);
 + * otherwise, a CPU with as many features enabled as our emulation supports.
 + * The version of '-cpu max' for qemu-system-aarch64 is defined in cpu64.c;
 + * this only needs to handle 32 bits.
 + */
 +static void arm_max_initfn(Object *obj)
 +{
 +    ARMCPU *cpu = ARM_CPU(obj);
 +
 +    if (kvm_enabled()) {
 +        kvm_arm_set_cpu_features_from_host(cpu);
 +    } else {
 +        cortex_a15_initfn(obj);
 +        /* In future we might add feature bits here even if the
 +         * real-world A15 doesn't implement them.
 +         */
 +    }
 +}
 +#endif
 +
- #ifdef CONFIG_USER_ONLY
+     /* M profile requires that reset clears the exclusive monitor;
- static void arm_any_initfn(Object *obj)
+      * A profile does not, but clearing it makes more sense than having it
- {
+      * set with an exclusive access on address zero.
-@@ -XXX,XX +XXX,XX @@ static const ARMCPUInfo arm_cpus[] = {
+      */
-     { .name = "pxa270-b1",   .initfn = pxa270b1_initfn },
+     arm_clear_exclusive(env);
-     { .name = "pxa270-c0",   .initfn = pxa270c0_initfn },
-     { .name = "pxa270-c5",   .initfn = pxa270c5_initfn },
+-    env->vfp.xregs[ARM_VFP_FPEXC] = 0;
-+#ifndef TARGET_AARCH64
+-#endif
-+    { .name = "max",         .initfn = arm_max_initfn },
+-
-+#endif
+     if (arm_feature(env, ARM_FEATURE_PMSA)) {
- #ifdef CONFIG_USER_ONLY
+         if (cpu->pmsav7_dregion > 0) {
-     { .name = "any",         .initfn = arm_any_initfn },
+             if (arm_feature(env, ARM_FEATURE_V8)) {
  #endif
 diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu64.c
 +++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@
  #include "hw/arm/arm.h"
  #include "sysemu/sysemu.h"
  #include "sysemu/kvm.h"
 +#include "kvm_arm.h"
  static inline void set_feature(CPUARMState *env, int feature)
  {
@@ -XXX,XX +XXX,XX @@ static void aarch64_a53_initfn(Object *obj)
      define_arm_cp_regs(cpu, cortex_a57_a53_cp_reginfo);
  }
 +/* -cpu max: if KVM is enabled, like -cpu host (best possible with this host);
 + * otherwise, a CPU with as many features enabled as our emulation supports.
 + * The version of '-cpu max' for qemu-system-arm is defined in cpu.c;
 + * this only needs to handle 64 bits.
 + */
 +static void aarch64_max_initfn(Object *obj)
 +{
 +    ARMCPU *cpu = ARM_CPU(obj);
 +
 +    if (kvm_enabled()) {
 +        kvm_arm_set_cpu_features_from_host(cpu);
 +    } else {
 +        aarch64_a57_initfn(obj);
 +        /* In future we might add feature bits here even if the
 +         * real-world A57 doesn't implement them.
 +         */
 +    }
 +}
 +
  #ifdef CONFIG_USER_ONLY
  static void aarch64_any_initfn(Object *obj)
  {
@@ -XXX,XX +XXX,XX @@ typedef struct ARMCPUInfo {
  static const ARMCPUInfo aarch64_cpus[] = {
      { .name = "cortex-a57",         .initfn = aarch64_a57_initfn },
      { .name = "cortex-a53",         .initfn = aarch64_a53_initfn },
 +    { .name = "max",                .initfn = aarch64_max_initfn },
  #ifdef CONFIG_USER_ONLY
      { .name = "any",         .initfn = aarch64_any_initfn },
  #endif
 --
-.16.2
+.20.1

-[Qemu-devel] [PULL 01/25] target/arm: Add a core count property
+[PULL 05/27] target/arm: Consolidate ifdef blocks in reset
-From: Alistair Francis <alistair.francis@xilinx.com>
+Move an ifndef CONFIG_USER_ONLY code block up in arm_cpu_reset() so
 it can be merged with another earlier one.
-The cortex A53 TRM specifies that bits 24 and 25 of the L2CTLR register
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-specify the number of cores in the processor, not the total number of
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-cores in the system. To report this correctly on machines with multiple
+Message-id: 20210914120725.24992-4-peter.maydell@linaro.org
-CPU clusters (ARM's big.LITTLE or Xilinx's ZynqMP) we need to allow
+---
-the machine to overwrite this value. To do this let's add an optional
+ target/arm/cpu.c | 22 ++++++++++------------
-property.
+file changed, 10 insertions(+), 12 deletions(-)
-Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
-Message-id: ef01d95c0759e88f47f22d11b14c91512a658b4f.1520018138.git.alistair.francis@xilinx.com
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/cpu.h   | 5 +++++
- target/arm/cpu.c   | 6 ++++++
- target/arm/cpu64.c | 6 ++++--
-files changed, 15 insertions(+), 2 deletions(-)
-diff --git a/target/arm/cpu.h b/target/arm/cpu.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
-+++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ struct ARMCPU {
-     /* Uniprocessor system with MP extensions */
-     bool mp_is_up;
-+    /* Specify the number of cores in this CPU cluster. Used for the L2CTLR
-+     * register.
-+     */
-+    int32_t core_count;
-+
-     /* The instance init functions for implementation-specific subclasses
-      * set these fields to specify the implementation-dependent values of
-      * various constant registers and reset values of non-constant
 diff --git a/target/arm/cpu.c b/target/arm/cpu.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.c
 +++ b/target/arm/cpu.c
-@@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
+@@ -XXX,XX +XXX,XX @@ static void arm_cpu_reset(DeviceState *dev)
-         cs->num_ases = 1;
+         env->uncached_cpsr = ARM_CPU_MODE_SVC;
      }
-     cpu_address_space_init(cs, ARMASIdx_NS, "cpu-memory", cs->memory);
+     env->daif = PSTATE_D | PSTATE_A | PSTATE_I | PSTATE_F;
 +
-+    /* No core_count specified, default to smp_cpus. */
++    /* AArch32 has a hard highvec setting of 0xFFFF0000.  If we are currently
-+    if (cpu->core_count == -1) {
++     * executing as AArch32 then check if highvecs are enabled and
-+        cpu->core_count = smp_cpus;
++     * adjust the PC accordingly.
 +     */
 +    if (A32_BANKED_CURRENT_REG_GET(env, sctlr) & SCTLR_V) {
 +        env->regs[15] = 0xFFFF0000;
 +    }
++
++    env->vfp.xregs[ARM_VFP_FPEXC] = 0;
  #endif
-     qemu_init_vcpu(cs);
+     if (arm_feature(env, ARM_FEATURE_M)) {
-@@ -XXX,XX +XXX,XX @@ static Property arm_cpu_properties[] = {
+@@ -XXX,XX +XXX,XX @@ static void arm_cpu_reset(DeviceState *dev)
      DEFINE_PROP_UINT64("mp-affinity", ARMCPU,
                          mp_affinity, ARM64_AFFINITY_INVALID),
      DEFINE_PROP_INT32("node-id", ARMCPU, node_id, CPU_UNSET_NUMA_NODE_ID),
 +    DEFINE_PROP_INT32("core-count", ARMCPU, core_count, -1),
      DEFINE_PROP_END_OF_LIST()
  };
 diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu64.c
 +++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@ static inline void unset_feature(CPUARMState *env, int feature)
  #ifndef CONFIG_USER_ONLY
  static uint64_t a57_a53_l2ctlr_read(CPUARMState *env, const ARMCPRegInfo *ri)
  {
 -    /* Number of processors is in [25:24]; otherwise we RAZ */
 -    return (smp_cpus - 1) << 24;
 +    ARMCPU *cpu = arm_env_get_cpu(env);
 +
 +    /* Number of cores is in [25:24]; otherwise we RAZ */
 +    return (cpu->core_count - 1) << 24;
  }
  #endif
+     }
 -#ifndef CONFIG_USER_ONLY
 -    /* AArch32 has a hard highvec setting of 0xFFFF0000.  If we are currently
 -     * executing as AArch32 then check if highvecs are enabled and
 -     * adjust the PC accordingly.
 -     */
 -    if (A32_BANKED_CURRENT_REG_GET(env, sctlr) & SCTLR_V) {
 -        env->regs[15] = 0xFFFF0000;
 -    }
 -
 -    env->vfp.xregs[ARM_VFP_FPEXC] = 0;
 -#endif
 -
      /* M profile requires that reset clears the exclusive monitor;
       * A profile does not, but clearing it makes more sense than having it
       * set with an exclusive access on address zero.
 --
-.16.2
+.20.1

-[Qemu-devel] [PULL 13/25] arm: avoid heap-buffer-overflow in load_aarch64_image
+[PULL 06/27] hw/intc: Set GIC maintenance interrupt level to only 0 or 1
-From: Marc-André Lureau <marcandre.lureau@redhat.com>
+From: Shashi Mallela <shashi.mallela@linaro.org>
-Spotted by ASAN:
+During sbsa acs level 3 testing, it is seen that the GIC maintenance
 interrupts are not triggered and the related test cases fail.  This
 is because we were incorrectly passing the value of the MISR register
 (from maintenance_interrupt_state()) to qemu_set_irq() as the level
 argument, whereas the device on the other end of this irq line
 expects a 0/1 value.
-elmarco@boraha:~/src/qemu/build (master *%)$ QTEST_QEMU_BINARY=aarch64-softmmu/qemu-system-aarch64 tests/boot-serial-test
+Fix the logic to pass a 0/1 level indication, rather than a
-/aarch64/boot-serial/virt: ** (process:19740): DEBUG: 18:39:30.275: foo /tmp/qtest-boot-serial-cXaS94D
+/not-0 value.
 =================================================================
 ==19740==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000069648 at pc 0x7f1d2201cc54 bp 0x7fff331f6a40 sp 0x7fff331f61e8
 READ of size 4 at 0x603000069648 thread T0
     #0 0x7f1d2201cc53  (/lib64/libasan.so.4+0xafc53)
     #1 0x55bc86685ee3 in load_aarch64_image /home/elmarco/src/qemu/hw/arm/boot.c:894
     #2 0x55bc86687217 in arm_load_kernel_notify /home/elmarco/src/qemu/hw/arm/boot.c:1047
     #3 0x55bc877363b5 in notifier_list_notify /home/elmarco/src/qemu/util/notify.c:40
     #4 0x55bc869331ea in qemu_run_machine_init_done_notifiers /home/elmarco/src/qemu/vl.c:2716
     #5 0x55bc8693bc39 in main /home/elmarco/src/qemu/vl.c:4679
     #6 0x7f1d1652c009 in __libc_start_main (/lib64/libc.so.6+0x21009)
     #7 0x55bc86255cc9 in _start (/home/elmarco/src/qemu/build/aarch64-softmmu/qemu-system-aarch64+0x1ae5cc9)
-Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Fixes: c5fc89b36c0 ("hw/intc/arm_gicv3: Implement gicv3_cpuif_virt_update()")
 Signed-off-by: Shashi Mallela <shashi.mallela@linaro.org>
 Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Message-id: 20210915205809.59068-1-shashi.mallela@linaro.org
 [PMM: tweaked commit message; collapsed nested if()s into one]
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/boot.c | 3 ++-
+ hw/intc/arm_gicv3_cpuif.c | 5 +++--
-file changed, 2 insertions(+), 1 deletion(-)
+file changed, 3 insertions(+), 2 deletions(-)
-diff --git a/hw/arm/boot.c b/hw/arm/boot.c
+diff --git a/hw/intc/arm_gicv3_cpuif.c b/hw/intc/arm_gicv3_cpuif.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/boot.c
+--- a/hw/intc/arm_gicv3_cpuif.c
-+++ b/hw/arm/boot.c
++++ b/hw/intc/arm_gicv3_cpuif.c
-@@ -XXX,XX +XXX,XX @@ static uint64_t load_aarch64_image(const char *filename, hwaddr mem_base,
+@@ -XXX,XX +XXX,XX @@ static void gicv3_cpuif_virt_update(GICv3CPUState *cs)
          }
      }
-     /* check the arm64 magic header value -- very old kernels may not have it */
+-    if (cs->ich_hcr_el2 & ICH_HCR_EL2_EN) {
--    if (memcmp(buffer + ARM64_MAGIC_OFFSET, "ARM\x64", 4) == 0) {
+-        maintlevel = maintenance_interrupt_state(cs);
-+    if (size > ARM64_MAGIC_OFFSET + 4 &&
++    if ((cs->ich_hcr_el2 & ICH_HCR_EL2_EN) &&
-+        memcmp(buffer + ARM64_MAGIC_OFFSET, "ARM\x64", 4) == 0) {
++        maintenance_interrupt_state(cs) != 0) {
-         uint64_t hdrvals[2];
++        maintlevel = 1;
+     }
-         /* The arm64 Image header has text_offset and image_size fields at 8 and
      trace_gicv3_cpuif_virt_set_irqs(gicv3_redist_affid(cs), fiqlevel,
 --
-.16.2
+.20.1

-[Qemu-devel] [PULL 07/25] aarch64-linux-user: Split out helpers for guest signal handling
+[PULL 07/27] arm: Move PMC register definitions to internals.h
-From: Richard Henderson <richard.henderson@linaro.org>
+From: Alexander Graf <agraf@csgraf.de>
-Split out helpers from target_setup_frame and target_restore_sigframe
+We will need PMC register definitions in accel specific code later.
-for dealing with general registers, fpsimd registers, and the end record.
+Move all constant definitions to common arm headers so we can reuse
 them.
-When we add support for sve registers, the relative positions of
+Signed-off-by: Alexander Graf <agraf@csgraf.de>
 these will change.
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20210916155404.86958-2-agraf@csgraf.de
 Message-id: 20180303143823.27055-3-richard.henderson@linaro.org
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- linux-user/signal.c | 120 ++++++++++++++++++++++++++++++----------------------
+ target/arm/internals.h | 44 ++++++++++++++++++++++++++++++++++++++++++
-file changed, 69 insertions(+), 51 deletions(-)
+ target/arm/helper.c    | 44 ------------------------------------------
 files changed, 44 insertions(+), 44 deletions(-)
-diff --git a/linux-user/signal.c b/linux-user/signal.c
+diff --git a/target/arm/internals.h b/target/arm/internals.h
 index XXXXXXX..XXXXXXX 100644
---- a/linux-user/signal.c
+--- a/target/arm/internals.h
-+++ b/linux-user/signal.c
++++ b/target/arm/internals.h
-@@ -XXX,XX +XXX,XX @@ struct target_rt_sigframe {
+@@ -XXX,XX +XXX,XX @@ enum MVEECIState {
-     uint32_t tramp[2];
+     /* All other values reserved */
  };
--static int target_setup_sigframe(struct target_rt_sigframe *sf,
++/* Definitions for the PMU registers */
--                                 CPUARMState *env, target_sigset_t *set)
++#define PMCRN_MASK  0xf800
-+static void target_setup_general_frame(struct target_rt_sigframe *sf,
++#define PMCRN_SHIFT 11
-+                                       CPUARMState *env, target_sigset_t *set)
++#define PMCRLC  0x40
- {
++#define PMCRDP  0x20
-     int i;
++#define PMCRX   0x10
--    struct target_aux_context *aux =
++#define PMCRD   0x8
--        (struct target_aux_context *)sf->uc.tuc_mcontext.__reserved;
++#define PMCRC   0x4
++#define PMCRP   0x2
--    /* set up the stack frame for unwinding */
++#define PMCRE   0x1
--    __put_user(env->xregs[29], &sf->fp);
++/*
--    __put_user(env->xregs[30], &sf->lr);
++ * Mask of PMCR bits writeable by guest (not including WO bits like C, P,
-+    __put_user(0, &sf->uc.tuc_flags);
++ * which can be written as 1 to trigger behaviour but which stay RAZ).
-+    __put_user(0, &sf->uc.tuc_link);
++ */
 +#define PMCR_WRITEABLE_MASK (PMCRLC | PMCRDP | PMCRX | PMCRD | PMCRE)
 +
-+    __put_user(target_sigaltstack_used.ss_sp, &sf->uc.tuc_stack.ss_sp);
++#define PMXEVTYPER_P          0x80000000
-+    __put_user(sas_ss_flags(env->xregs[31]), &sf->uc.tuc_stack.ss_flags);
++#define PMXEVTYPER_U          0x40000000
-+    __put_user(target_sigaltstack_used.ss_size, &sf->uc.tuc_stack.ss_size);
++#define PMXEVTYPER_NSK        0x20000000
++#define PMXEVTYPER_NSU        0x10000000
-     for (i = 0; i < 31; i++) {
++#define PMXEVTYPER_NSH        0x08000000
-         __put_user(env->xregs[i], &sf->uc.tuc_mcontext.regs[i]);
++#define PMXEVTYPER_M          0x04000000
-@@ -XXX,XX +XXX,XX @@ static int target_setup_sigframe(struct target_rt_sigframe *sf,
++#define PMXEVTYPER_MT         0x02000000
-     for (i = 0; i < TARGET_NSIG_WORDS; i++) {
++#define PMXEVTYPER_EVTCOUNT   0x0000ffff
-         __put_user(set->sig[i], &sf->uc.tuc_sigmask.sig[i]);
++#define PMXEVTYPER_MASK       (PMXEVTYPER_P | PMXEVTYPER_U | PMXEVTYPER_NSK | \
-     }
++                               PMXEVTYPER_NSU | PMXEVTYPER_NSH | \
 +                               PMXEVTYPER_M | PMXEVTYPER_MT | \
 +                               PMXEVTYPER_EVTCOUNT)
 +
 +#define PMCCFILTR             0xf8000000
 +#define PMCCFILTR_M           PMXEVTYPER_M
 +#define PMCCFILTR_EL0         (PMCCFILTR | PMCCFILTR_M)
 +
 +static inline uint32_t pmu_num_counters(CPUARMState *env)
 +{
 +  return (env->cp15.c9_pmcr & PMCRN_MASK) >> PMCRN_SHIFT;
 +}
 +
-+static void target_setup_fpsimd_record(struct target_fpsimd_context *fpsimd,
++/* Bits allowed to be set/cleared for PMCNTEN* and PMINTEN* */
-+                                       CPUARMState *env)
++static inline uint64_t pmu_counter_mask(CPUARMState *env)
 +{
-+    int i;
++  return (1 << 31) | ((1 << pmu_num_counters(env)) - 1);
 +
 +    __put_user(TARGET_FPSIMD_MAGIC, &fpsimd->head.magic);
 +    __put_user(sizeof(struct target_fpsimd_context), &fpsimd->head.size);
 +    __put_user(vfp_get_fpsr(env), &fpsimd->fpsr);
 +    __put_user(vfp_get_fpcr(env), &fpsimd->fpcr);
      for (i = 0; i < 32; i++) {
          uint64_t *q = aa64_vfp_qreg(env, i);
  #ifdef TARGET_WORDS_BIGENDIAN
 -        __put_user(q[0], &aux->fpsimd.vregs[i * 2 + 1]);
 -        __put_user(q[1], &aux->fpsimd.vregs[i * 2]);
 +        __put_user(q[0], &fpsimd->vregs[i * 2 + 1]);
 +        __put_user(q[1], &fpsimd->vregs[i * 2]);
  #else
 -        __put_user(q[0], &aux->fpsimd.vregs[i * 2]);
 -        __put_user(q[1], &aux->fpsimd.vregs[i * 2 + 1]);
 +        __put_user(q[0], &fpsimd->vregs[i * 2]);
 +        __put_user(q[1], &fpsimd->vregs[i * 2 + 1]);
  #endif
      }
 -    __put_user(vfp_get_fpsr(env), &aux->fpsimd.fpsr);
 -    __put_user(vfp_get_fpcr(env), &aux->fpsimd.fpcr);
 -    __put_user(TARGET_FPSIMD_MAGIC, &aux->fpsimd.head.magic);
 -    __put_user(sizeof(struct target_fpsimd_context),
 -            &aux->fpsimd.head.size);
 -
 -    /* set the "end" magic */
 -    __put_user(0, &aux->end.magic);
 -    __put_user(0, &aux->end.size);
 -
 -    return 0;
  }
 -static int target_restore_sigframe(CPUARMState *env,
 -                                   struct target_rt_sigframe *sf)
 +static void target_setup_end_record(struct target_aarch64_ctx *end)
 +{
 +    __put_user(0, &end->magic);
 +    __put_user(0, &end->size);
 +}
 +
-+static void target_restore_general_frame(CPUARMState *env,
-+                                         struct target_rt_sigframe *sf)
- {
-     sigset_t set;
--    int i;
--    struct target_aux_context *aux =
--        (struct target_aux_context *)sf->uc.tuc_mcontext.__reserved;
--    uint32_t magic, size, fpsr, fpcr;
-     uint64_t pstate;
-+    int i;
-     target_to_host_sigset(&set, &sf->uc.tuc_sigmask);
-     set_sigmask(&set);
-@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
-     __get_user(env->pc, &sf->uc.tuc_mcontext.pc);
-     __get_user(pstate, &sf->uc.tuc_mcontext.pstate);
-     pstate_write(env, pstate);
-+}
--    __get_user(magic, &aux->fpsimd.head.magic);
--    __get_user(size, &aux->fpsimd.head.size);
-+static void target_restore_fpsimd_record(CPUARMState *env,
-+                                         struct target_fpsimd_context *fpsimd)
-+{
-+    uint32_t fpsr, fpcr;
-+    int i;
--    if (magic != TARGET_FPSIMD_MAGIC
--        || size != sizeof(struct target_fpsimd_context)) {
--        return 1;
--    }
-+    __get_user(fpsr, &fpsimd->fpsr);
-+    vfp_set_fpsr(env, fpsr);
-+    __get_user(fpcr, &fpsimd->fpcr);
-+    vfp_set_fpcr(env, fpcr);
-     for (i = 0; i < 32; i++) {
-         uint64_t *q = aa64_vfp_qreg(env, i);
- #ifdef TARGET_WORDS_BIGENDIAN
--        __get_user(q[0], &aux->fpsimd.vregs[i * 2 + 1]);
--        __get_user(q[1], &aux->fpsimd.vregs[i * 2]);
-+        __get_user(q[0], &fpsimd->vregs[i * 2 + 1]);
-+        __get_user(q[1], &fpsimd->vregs[i * 2]);
- #else
--        __get_user(q[0], &aux->fpsimd.vregs[i * 2]);
--        __get_user(q[1], &aux->fpsimd.vregs[i * 2 + 1]);
-+        __get_user(q[0], &fpsimd->vregs[i * 2]);
-+        __get_user(q[1], &fpsimd->vregs[i * 2 + 1]);
  #endif
-     }
+diff --git a/target/arm/helper.c b/target/arm/helper.c
--    __get_user(fpsr, &aux->fpsimd.fpsr);
+index XXXXXXX..XXXXXXX 100644
--    vfp_set_fpsr(env, fpsr);
+--- a/target/arm/helper.c
--    __get_user(fpcr, &aux->fpsimd.fpcr);
++++ b/target/arm/helper.c
--    vfp_set_fpcr(env, fpcr);
+@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v6_cp_reginfo[] = {
-+}
+     REGINFO_SENTINEL
+ };
-+static int target_restore_sigframe(CPUARMState *env,
-+                                   struct target_rt_sigframe *sf)
+-/* Definitions for the PMU registers */
-+{
+-#define PMCRN_MASK  0xf800
-+    struct target_aux_context *aux
+-#define PMCRN_SHIFT 11
-+        = (struct target_aux_context *)sf->uc.tuc_mcontext.__reserved;
+-#define PMCRLC  0x40
-+    uint32_t magic, size;
+-#define PMCRDP  0x20
-+
+-#define PMCRX   0x10
-+    target_restore_general_frame(env, sf);
+-#define PMCRD   0x8
-+
+-#define PMCRC   0x4
-+    __get_user(magic, &aux->fpsimd.head.magic);
+-#define PMCRP   0x2
-+    __get_user(size, &aux->fpsimd.head.size);
+-#define PMCRE   0x1
-+    if (magic == TARGET_FPSIMD_MAGIC
+-/*
-+        && size == sizeof(struct target_fpsimd_context)) {
+- * Mask of PMCR bits writeable by guest (not including WO bits like C, P,
-+        target_restore_fpsimd_record(env, &aux->fpsimd);
+- * which can be written as 1 to trigger behaviour but which stay RAZ).
-+    } else {
+- */
-+        return 1;
+-#define PMCR_WRITEABLE_MASK (PMCRLC | PMCRDP | PMCRX | PMCRD | PMCRE)
-+    }
+-
-     return 0;
+-#define PMXEVTYPER_P          0x80000000
- }
+-#define PMXEVTYPER_U          0x40000000
+-#define PMXEVTYPER_NSK        0x20000000
-@@ -XXX,XX +XXX,XX @@ static void target_setup_frame(int usig, struct target_sigaction *ka,
+-#define PMXEVTYPER_NSU        0x10000000
-                                CPUARMState *env)
+-#define PMXEVTYPER_NSH        0x08000000
- {
+-#define PMXEVTYPER_M          0x04000000
-     struct target_rt_sigframe *frame;
+-#define PMXEVTYPER_MT         0x02000000
-+    struct target_aux_context *aux;
+-#define PMXEVTYPER_EVTCOUNT   0x0000ffff
-     abi_ulong frame_addr, return_addr;
+-#define PMXEVTYPER_MASK       (PMXEVTYPER_P | PMXEVTYPER_U | PMXEVTYPER_NSK | \
+-                               PMXEVTYPER_NSU | PMXEVTYPER_NSH | \
-     frame_addr = get_sigframe(ka, env);
+-                               PMXEVTYPER_M | PMXEVTYPER_MT | \
-@@ -XXX,XX +XXX,XX @@ static void target_setup_frame(int usig, struct target_sigaction *ka,
+-                               PMXEVTYPER_EVTCOUNT)
-     if (!lock_user_struct(VERIFY_WRITE, frame, frame_addr, 0)) {
+-
-         goto give_sigsegv;
+-#define PMCCFILTR             0xf8000000
-     }
+-#define PMCCFILTR_M           PMXEVTYPER_M
-+    aux = (struct target_aux_context *)frame->uc.tuc_mcontext.__reserved;
+-#define PMCCFILTR_EL0         (PMCCFILTR | PMCCFILTR_M)
+-
--    __put_user(0, &frame->uc.tuc_flags);
+-static inline uint32_t pmu_num_counters(CPUARMState *env)
--    __put_user(0, &frame->uc.tuc_link);
+-{
-+    target_setup_general_frame(frame, env, set);
+-  return (env->cp15.c9_pmcr & PMCRN_MASK) >> PMCRN_SHIFT;
-+    target_setup_fpsimd_record(&aux->fpsimd, env);
+-}
-+    target_setup_end_record(&aux->end);
+-
+-/* Bits allowed to be set/cleared for PMCNTEN* and PMINTEN* */
--    __put_user(target_sigaltstack_used.ss_sp,
+-static inline uint64_t pmu_counter_mask(CPUARMState *env)
--                      &frame->uc.tuc_stack.ss_sp);
+-{
--    __put_user(sas_ss_flags(env->xregs[31]),
+-  return (1 << 31) | ((1 << pmu_num_counters(env)) - 1);
--                      &frame->uc.tuc_stack.ss_flags);
+-}
--    __put_user(target_sigaltstack_used.ss_size,
+-
--                      &frame->uc.tuc_stack.ss_size);
+ typedef struct pm_event {
--    target_setup_sigframe(frame, env, set);
+     uint16_t number; /* PMEVTYPER.evtCount is 16 bits wide */
-     if (ka->sa_flags & TARGET_SA_RESTORER) {
+     /* If the event is supported on this CPU (used to generate PMCEID[01]) */
          return_addr = ka->sa_restorer;
      } else {
 --
-.16.2
+.20.1

-[Qemu-devel] [PULL 23/25] sdcard: Add the Tuning Command (CMD19)
+[PULL 08/27] hvf: Add execute to dirty log permission bitmap
-From: Philippe Mathieu-Daudé <f4bug@amsat.org>
+From: Alexander Graf <agraf@csgraf.de>
-From the "Physical Layer Simplified Specification Version 3.01":
+Hvf's permission bitmap during and after dirty logging does not include
 the HV_MEMORY_EXEC permission. At least on Apple Silicon, this leads to
 instruction faults once dirty logging was enabled.
-  A known data block ("Tuning block") can be used to tune sampling
+Add the bit to make it work properly.
   point for tuning required hosts. [...]
   This procedure gives the system optimal timing for each specific
   host and card combination and compensates for static delays in
   the timing budget including process, voltage and different PCB
   loads and skews. [...]
   Data block, carried by DAT[3:0], contains a pattern for tuning
   sampling position to receive data on the CMD and DAT[3:0] line.
-[based on a patch from Alistair Francis <alistair.francis@xilinx.com>
+Signed-off-by: Alexander Graf <agraf@csgraf.de>
- from qemu/xilinx tag xilinx-v2015.2]
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Message-id: 20210916155404.86958-3-agraf@csgraf.de
 Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
 Message-id: 20180309153654.13518-5-f4bug@amsat.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/sd/sd.c | 29 +++++++++++++++++++++++++++++
+ accel/hvf/hvf-accel-ops.c | 4 ++--
-file changed, 29 insertions(+)
+file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/hw/sd/sd.c b/hw/sd/sd.c
+diff --git a/accel/hvf/hvf-accel-ops.c b/accel/hvf/hvf-accel-ops.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/sd/sd.c
+--- a/accel/hvf/hvf-accel-ops.c
-+++ b/hw/sd/sd.c
++++ b/accel/hvf/hvf-accel-ops.c
-@@ -XXX,XX +XXX,XX @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
+@@ -XXX,XX +XXX,XX @@ static void hvf_set_dirty_tracking(MemoryRegionSection *section, bool on)
-         }
+     if (on) {
-         break;
+         slot->flags |= HVF_SLOT_LOG;
+         hv_vm_protect((uintptr_t)slot->start, (size_t)slot->size,
-+    case 19:    /* CMD19: SEND_TUNING_BLOCK (SD) */
+-                      HV_MEMORY_READ);
-+        if (sd->state == sd_transfer_state) {
++                      HV_MEMORY_READ | HV_MEMORY_EXEC);
-+            sd->state = sd_sendingdata_state;
+     /* stop tracking region*/
-+            sd->data_offset = 0;
+     } else {
-+            return sd_r1;
+         slot->flags &= ~HVF_SLOT_LOG;
-+        }
+         hv_vm_protect((uintptr_t)slot->start, (size_t)slot->size,
-+        break;
+-                      HV_MEMORY_READ | HV_MEMORY_WRITE);
-+
++                      HV_MEMORY_READ | HV_MEMORY_WRITE | HV_MEMORY_EXEC);
      case 23:    /* CMD23: SET_BLOCK_COUNT */
          switch (sd->state) {
          case sd_transfer_state:
@@ -XXX,XX +XXX,XX @@ void sd_write_data(SDState *sd, uint8_t value)
      }
  }
-+#define SD_TUNING_BLOCK_SIZE    64
-+
-+static const uint8_t sd_tuning_block_pattern[SD_TUNING_BLOCK_SIZE] = {
-+    /* See: Physical Layer Simplified Specification Version 3.01, Table 4-2 */
-+    0xff, 0x0f, 0xff, 0x00,         0x0f, 0xfc, 0xc3, 0xcc,
-+    0xc3, 0x3c, 0xcc, 0xff,         0xfe, 0xff, 0xfe, 0xef,
-+    0xff, 0xdf, 0xff, 0xdd,         0xff, 0xfb, 0xff, 0xfb,
-+    0xbf, 0xff, 0x7f, 0xff,         0x77, 0xf7, 0xbd, 0xef,
-+    0xff, 0xf0, 0xff, 0xf0,         0x0f, 0xfc, 0xcc, 0x3c,
-+    0xcc, 0x33, 0xcc, 0xcf,         0xff, 0xef, 0xff, 0xee,
-+    0xff, 0xfd, 0xff, 0xfd,         0xdf, 0xff, 0xbf, 0xff,
-+    0xbb, 0xff, 0xf7, 0xff,         0xf7, 0x7f, 0x7b, 0xde,
-+};
-+
- uint8_t sd_read_data(SDState *sd)
- {
-     /* TODO: Append CRCs */
-@@ -XXX,XX +XXX,XX @@ uint8_t sd_read_data(SDState *sd)
-         }
-         break;
-+    case 19:    /* CMD19:  SEND_TUNING_BLOCK (SD) */
-+        if (sd->data_offset >= SD_TUNING_BLOCK_SIZE - 1) {
-+            sd->state = sd_transfer_state;
-+        }
-+        ret = sd_tuning_block_pattern[sd->data_offset++];
-+        break;
-+
-     case 22:    /* ACMD22: SEND_NUM_WR_BLOCKS */
-         ret = sd->data[sd->data_offset ++];
 --
-.16.2
+.20.1

-[Qemu-devel] [PULL 20/25] sdcard: Do not trace CMD55, except when we already expect an ACMD
+[PULL 09/27] hvf: Introduce hvf_arch_init() callback
-From: Philippe Mathieu-Daudé <f4bug@amsat.org>
+From: Alexander Graf <agraf@csgraf.de>
-Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+We will need to install a migration helper for the ARM hvf backend.
-Acked-by: Alistair Francis <alistair.francis@xilinx.com>
+Let's introduce an arch callback for the overall hvf init chain to
-Message-id: 20180309153654.13518-2-f4bug@amsat.org
+do so.
 Signed-off-by: Alexander Graf <agraf@csgraf.de>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20210916155404.86958-4-agraf@csgraf.de
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/sd/sd.c | 11 ++++++++---
+ include/sysemu/hvf_int.h  | 1 +
-file changed, 8 insertions(+), 3 deletions(-)
+ accel/hvf/hvf-accel-ops.c | 3 ++-
  target/i386/hvf/hvf.c     | 5 +++++
 files changed, 8 insertions(+), 1 deletion(-)
-diff --git a/hw/sd/sd.c b/hw/sd/sd.c
+diff --git a/include/sysemu/hvf_int.h b/include/sysemu/hvf_int.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/sd/sd.c
+--- a/include/sysemu/hvf_int.h
-+++ b/hw/sd/sd.c
++++ b/include/sysemu/hvf_int.h
-@@ -XXX,XX +XXX,XX @@ static void sd_lock_command(SDState *sd)
+@@ -XXX,XX +XXX,XX @@ struct hvf_vcpu_state {
-         sd->card_status &= ~CARD_IS_LOCKED;
+ };
  void assert_hvf_ok(hv_return_t ret);
 +int hvf_arch_init(void);
  int hvf_arch_init_vcpu(CPUState *cpu);
  void hvf_arch_vcpu_destroy(CPUState *cpu);
  int hvf_vcpu_exec(CPUState *);
 diff --git a/accel/hvf/hvf-accel-ops.c b/accel/hvf/hvf-accel-ops.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/hvf/hvf-accel-ops.c
 +++ b/accel/hvf/hvf-accel-ops.c
@@ -XXX,XX +XXX,XX @@ static int hvf_accel_init(MachineState *ms)
      hvf_state = s;
      memory_listener_register(&hvf_memory_listener, &address_space_memory);
 -    return 0;
 +
 +    return hvf_arch_init();
  }
--static sd_rsp_type_t sd_normal_command(SDState *sd,
+ static void hvf_accel_class_init(ObjectClass *oc, void *data)
--                                       SDRequest req)
+diff --git a/target/i386/hvf/hvf.c b/target/i386/hvf/hvf.c
-+static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
+index XXXXXXX..XXXXXXX 100644
 --- a/target/i386/hvf/hvf.c
 +++ b/target/i386/hvf/hvf.c
@@ -XXX,XX +XXX,XX @@ static inline bool apic_bus_freq_is_known(CPUX86State *env)
      return env->apic_bus_freq != 0;
  }
 +int hvf_arch_init(void)
 +{
 +    return 0;
 +}
 +
  int hvf_arch_init_vcpu(CPUState *cpu)
  {
-     uint32_t rca = 0x0000;
+     X86CPU *x86cpu = X86_CPU(cpu);
      uint64_t addr = (sd->ocr & (1 << 30)) ? (uint64_t) req.arg << 9 : req.arg;
 -    trace_sdcard_normal_command(req.cmd, req.arg, sd_state_name(sd->state));
 +    /* CMD55 precedes an ACMD, so we are not interested in tracing it.
 +     * However there is no ACMD55, so we want to trace this particular case.
 +     */
 +    if (req.cmd != 55 || sd->expecting_acmd) {
 +        trace_sdcard_normal_command(req.cmd, req.arg,
 +                                    sd_state_name(sd->state));
 +    }
      /* Not interpreting this as an app command */
      sd->card_status &= ~APP_CMD;
 --
-.16.2
+.20.1

-[Qemu-devel] [PULL 04/25] i.MX: Add i.MX7 SOC implementation.
+[PULL 10/27] hvf: Add Apple Silicon support
-From: Andrey Smirnov <andrew.smirnov@gmail.com>
+From: Alexander Graf <agraf@csgraf.de>
-The following interfaces are partially or fully emulated:
+With Apple Silicon available to the masses, it's a good time to add support
 for driving its virtualization extensions from QEMU.
-    * up to 2 Cortex A9 cores (SMP works with PSCI)
+This patch adds all necessary architecture specific code to get basic VMs
-    * A7 MPCORE (identical to A15 MPCORE)
+working, including save/restore.
     * 4 GPTs modules
     * 7 GPIO controllers
     * 2 IOMUXC controllers
     * 1 CCM module
     * 1 SVNS module
     * 1 SRC module
     * 1 GPCv2 controller
     * 4 eCSPI controllers
     * 4 I2C controllers
     * 7 i.MX UART controllers
     * 2 FlexCAN controllers
     * 2 Ethernet controllers (FEC)
     * 3 SD controllers (USDHC)
     * 4 WDT modules
     * 1 SDMA module
     * 1 GPR module
     * 2 USBMISC modules
     * 2 ADC modules
     * 1 PCIe controller
-Tested to boot and work with upstream Linux (4.13+) guest.
+Known limitations:
+  - WFI handling is missing (follows in later patch)
+  - No watchpoint/breakpoint support
+Signed-off-by: Alexander Graf <agraf@csgraf.de>
+Reviewed-by: Roman Bolshakov <r.bolshakov@yadro.com>
+Reviewed-by: Sergio Lopez <slp@redhat.com>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
+Message-id: 20210916155404.86958-5-agraf@csgraf.de
 [PMM: folded a couple of long lines]
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/Makefile.objs            |   1 +
+ meson.build                 |   1 +
- include/hw/arm/fsl-imx7.h       | 222 +++++++++++++++
+ include/sysemu/hvf_int.h    |  10 +-
- hw/arm/fsl-imx7.c               | 582 ++++++++++++++++++++++++++++++++++++++++
+ accel/hvf/hvf-accel-ops.c   |   9 +
- default-configs/arm-softmmu.mak |   1 +
+ target/arm/hvf/hvf.c        | 794 ++++++++++++++++++++++++++++++++++++
-files changed, 806 insertions(+)
+ target/i386/hvf/hvf.c       |   5 +
- create mode 100644 include/hw/arm/fsl-imx7.h
+ MAINTAINERS                 |   5 +
- create mode 100644 hw/arm/fsl-imx7.c
+ target/arm/hvf/trace-events |  10 +
 files changed, 833 insertions(+), 1 deletion(-)
  create mode 100644 target/arm/hvf/hvf.c
  create mode 100644 target/arm/hvf/trace-events
-diff --git a/hw/arm/Makefile.objs b/hw/arm/Makefile.objs
+diff --git a/meson.build b/meson.build
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/Makefile.objs
+--- a/meson.build
-+++ b/hw/arm/Makefile.objs
++++ b/meson.build
-@@ -XXX,XX +XXX,XX @@ obj-$(CONFIG_MPS2) += mps2.o
+@@ -XXX,XX +XXX,XX @@ if have_system or have_user
- obj-$(CONFIG_MPS2) += mps2-tz.o
+     'accel/tcg',
- obj-$(CONFIG_MSF2) += msf2-soc.o msf2-som.o
+     'hw/core',
- obj-$(CONFIG_IOTKIT) += iotkit.o
+     'target/arm',
-+obj-$(CONFIG_FSL_IMX7) += fsl-imx7.o
++    'target/arm/hvf',
-diff --git a/include/hw/arm/fsl-imx7.h b/include/hw/arm/fsl-imx7.h
+     'target/hppa',
      'target/i386',
      'target/i386/kvm',
 diff --git a/include/sysemu/hvf_int.h b/include/sysemu/hvf_int.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/sysemu/hvf_int.h
 +++ b/include/sysemu/hvf_int.h
@@ -XXX,XX +XXX,XX @@
  #ifndef HVF_INT_H
  #define HVF_INT_H
 +#ifdef __aarch64__
 +#include <Hypervisor/Hypervisor.h>
 +#else
  #include <Hypervisor/hv.h>
 +#endif
  /* hvf_slot flags */
  #define HVF_SLOT_LOG (1 << 0)
@@ -XXX,XX +XXX,XX @@ struct HVFState {
      int num_slots;
      hvf_vcpu_caps *hvf_caps;
 +    uint64_t vtimer_offset;
  };
  extern HVFState *hvf_state;
  struct hvf_vcpu_state {
 -    int fd;
 +    uint64_t fd;
 +    void *exit;
 +    bool vtimer_masked;
  };
  void assert_hvf_ok(hv_return_t ret);
@@ -XXX,XX +XXX,XX @@ int hvf_vcpu_exec(CPUState *);
  hvf_slot *hvf_find_overlap_slot(uint64_t, uint64_t);
  int hvf_put_registers(CPUState *);
  int hvf_get_registers(CPUState *);
 +void hvf_kick_vcpu_thread(CPUState *cpu);
  #endif
 diff --git a/accel/hvf/hvf-accel-ops.c b/accel/hvf/hvf-accel-ops.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/hvf/hvf-accel-ops.c
 +++ b/accel/hvf/hvf-accel-ops.c
@@ -XXX,XX +XXX,XX @@
  HVFState *hvf_state;
 +#ifdef __aarch64__
 +#define HV_VM_DEFAULT NULL
 +#endif
 +
  /* Memory slots */
  hvf_slot *hvf_find_overlap_slot(uint64_t start, uint64_t size)
@@ -XXX,XX +XXX,XX @@ static int hvf_init_vcpu(CPUState *cpu)
      pthread_sigmask(SIG_BLOCK, NULL, &set);
      sigdelset(&set, SIG_IPI);
 +#ifdef __aarch64__
 +    r = hv_vcpu_create(&cpu->hvf->fd, (hv_vcpu_exit_t **)&cpu->hvf->exit, NULL);
 +#else
      r = hv_vcpu_create((hv_vcpuid_t *)&cpu->hvf->fd, HV_VCPU_DEFAULT);
 +#endif
      cpu->vcpu_dirty = 1;
      assert_hvf_ok(r);
@@ -XXX,XX +XXX,XX @@ static void hvf_accel_ops_class_init(ObjectClass *oc, void *data)
      AccelOpsClass *ops = ACCEL_OPS_CLASS(oc);
      ops->create_vcpu_thread = hvf_start_vcpu_thread;
 +    ops->kick_vcpu_thread = hvf_kick_vcpu_thread;
      ops->synchronize_post_reset = hvf_cpu_synchronize_post_reset;
      ops->synchronize_post_init = hvf_cpu_synchronize_post_init;
 diff --git a/target/arm/hvf/hvf.c b/target/arm/hvf/hvf.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
-+++ b/include/hw/arm/fsl-imx7.h
++++ b/target/arm/hvf/hvf.c
 @@ -XXX,XX +XXX,XX @@
 +/*
-+ * Copyright (c) 2018, Impinj, Inc.
++ * QEMU Hypervisor.framework support for Apple Silicon
 +
 + * Copyright 2020 Alexander Graf <agraf@csgraf.de>
 + *
-+ * i.MX7 SoC definitions
++ * This work is licensed under the terms of the GNU GPL, version 2 or later.
 + * See the COPYING file in the top-level directory.
 + *
-+ * Author: Andrey Smirnov <andrew.smirnov@gmail.com>
-+ *
-+ * This program is free software; you can redistribute it and/or modify
-+ * it under the terms of the GNU General Public License as published by
-+ * the Free Software Foundation; either version 2 of the License, or
-+ * (at your option) any later version.
-+ *
-+ * This program is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+ * GNU General Public License for more details.
 + */
 +
-+#ifndef FSL_IMX7_H
++#include "qemu/osdep.h"
-+#define FSL_IMX7_H
++#include "qemu-common.h"
-+
++#include "qemu/error-report.h"
-+#include "hw/arm/arm.h"
++
-+#include "hw/cpu/a15mpcore.h"
++#include "sysemu/runstate.h"
-+#include "hw/intc/imx_gpcv2.h"
++#include "sysemu/hvf.h"
-+#include "hw/misc/imx7_ccm.h"
++#include "sysemu/hvf_int.h"
-+#include "hw/misc/imx7_snvs.h"
++#include "sysemu/hw_accel.h"
-+#include "hw/misc/imx7_gpr.h"
++
-+#include "hw/misc/imx6_src.h"
++#include <mach/mach_time.h>
-+#include "hw/misc/imx2_wdt.h"
++
-+#include "hw/gpio/imx_gpio.h"
++#include "exec/address-spaces.h"
-+#include "hw/char/imx_serial.h"
++#include "hw/irq.h"
-+#include "hw/timer/imx_gpt.h"
++#include "qemu/main-loop.h"
-+#include "hw/timer/imx_epit.h"
++#include "sysemu/cpus.h"
-+#include "hw/i2c/imx_i2c.h"
++#include "target/arm/cpu.h"
-+#include "hw/gpio/imx_gpio.h"
++#include "target/arm/internals.h"
-+#include "hw/sd/sdhci.h"
++#include "trace/trace-target_arm_hvf.h"
-+#include "hw/ssi/imx_spi.h"
++#include "migration/vmstate.h"
-+#include "hw/net/imx_fec.h"
++
-+#include "hw/pci-host/designware.h"
++#define HVF_SYSREG(crn, crm, op0, op1, op2) \
-+#include "hw/usb/chipidea.h"
++        ENCODE_AA64_CP_REG(CP_REG_ARM64_SYSREG_CP, crn, crm, op0, op1, op2)
-+#include "exec/memory.h"
++#define PL1_WRITE_MASK 0x4
-+#include "cpu.h"
++
-+
++#define SYSREG(op0, op1, crn, crm, op2) \
-+#define TYPE_FSL_IMX7 "fsl,imx7"
++    ((op0 << 20) | (op2 << 17) | (op1 << 14) | (crn << 10) | (crm << 1))
-+#define FSL_IMX7(obj) OBJECT_CHECK(FslIMX7State, (obj), TYPE_FSL_IMX7)
++#define SYSREG_MASK           SYSREG(0x3, 0x7, 0xf, 0xf, 0x7)
-+
++#define SYSREG_OSLAR_EL1      SYSREG(2, 0, 1, 0, 4)
-+enum FslIMX7Configuration {
++#define SYSREG_OSLSR_EL1      SYSREG(2, 0, 1, 1, 4)
-+    FSL_IMX7_NUM_CPUS         = 2,
++#define SYSREG_OSDLR_EL1      SYSREG(2, 0, 1, 3, 4)
-+    FSL_IMX7_NUM_UARTS        = 7,
++#define SYSREG_CNTPCT_EL0     SYSREG(3, 3, 14, 0, 1)
-+    FSL_IMX7_NUM_ETHS         = 2,
++
-+    FSL_IMX7_ETH_NUM_TX_RINGS = 3,
++#define WFX_IS_WFE (1 << 0)
-+    FSL_IMX7_NUM_USDHCS       = 3,
++
-+    FSL_IMX7_NUM_WDTS         = 4,
++#define TMR_CTL_ENABLE  (1 << 0)
-+    FSL_IMX7_NUM_GPTS         = 4,
++#define TMR_CTL_IMASK   (1 << 1)
-+    FSL_IMX7_NUM_IOMUXCS      = 2,
++#define TMR_CTL_ISTATUS (1 << 2)
-+    FSL_IMX7_NUM_GPIOS        = 7,
++
-+    FSL_IMX7_NUM_I2CS         = 4,
++typedef struct HVFVTimer {
-+    FSL_IMX7_NUM_ECSPIS       = 4,
++    /* Vtimer value during migration and paused state */
-+    FSL_IMX7_NUM_USBS         = 3,
++    uint64_t vtimer_val;
-+    FSL_IMX7_NUM_ADCS         = 2,
++} HVFVTimer;
 +
 +static HVFVTimer vtimer;
 +
 +struct hvf_reg_match {
 +    int reg;
 +    uint64_t offset;
 +};
 +
-+typedef struct FslIMX7State {
++static const struct hvf_reg_match hvf_reg_match[] = {
-+    /*< private >*/
++    { HV_REG_X0,   offsetof(CPUARMState, xregs[0]) },
-+    DeviceState    parent_obj;
++    { HV_REG_X1,   offsetof(CPUARMState, xregs[1]) },
-+
++    { HV_REG_X2,   offsetof(CPUARMState, xregs[2]) },
-+    /*< public >*/
++    { HV_REG_X3,   offsetof(CPUARMState, xregs[3]) },
-+    ARMCPU             cpu[FSL_IMX7_NUM_CPUS];
++    { HV_REG_X4,   offsetof(CPUARMState, xregs[4]) },
-+    A15MPPrivState     a7mpcore;
++    { HV_REG_X5,   offsetof(CPUARMState, xregs[5]) },
-+    IMXGPTState        gpt[FSL_IMX7_NUM_GPTS];
++    { HV_REG_X6,   offsetof(CPUARMState, xregs[6]) },
-+    IMXGPIOState       gpio[FSL_IMX7_NUM_GPIOS];
++    { HV_REG_X7,   offsetof(CPUARMState, xregs[7]) },
-+    IMX7CCMState       ccm;
++    { HV_REG_X8,   offsetof(CPUARMState, xregs[8]) },
-+    IMX7AnalogState    analog;
++    { HV_REG_X9,   offsetof(CPUARMState, xregs[9]) },
-+    IMX7SNVSState      snvs;
++    { HV_REG_X10,  offsetof(CPUARMState, xregs[10]) },
-+    IMXGPCv2State      gpcv2;
++    { HV_REG_X11,  offsetof(CPUARMState, xregs[11]) },
-+    IMXSPIState        spi[FSL_IMX7_NUM_ECSPIS];
++    { HV_REG_X12,  offsetof(CPUARMState, xregs[12]) },
-+    IMXI2CState        i2c[FSL_IMX7_NUM_I2CS];
++    { HV_REG_X13,  offsetof(CPUARMState, xregs[13]) },
-+    IMXSerialState     uart[FSL_IMX7_NUM_UARTS];
++    { HV_REG_X14,  offsetof(CPUARMState, xregs[14]) },
-+    IMXFECState        eth[FSL_IMX7_NUM_ETHS];
++    { HV_REG_X15,  offsetof(CPUARMState, xregs[15]) },
-+    SDHCIState         usdhc[FSL_IMX7_NUM_USDHCS];
++    { HV_REG_X16,  offsetof(CPUARMState, xregs[16]) },
-+    IMX2WdtState       wdt[FSL_IMX7_NUM_WDTS];
++    { HV_REG_X17,  offsetof(CPUARMState, xregs[17]) },
-+    IMX7GPRState       gpr;
++    { HV_REG_X18,  offsetof(CPUARMState, xregs[18]) },
-+    ChipideaState      usb[FSL_IMX7_NUM_USBS];
++    { HV_REG_X19,  offsetof(CPUARMState, xregs[19]) },
-+    DesignwarePCIEHost pcie;
++    { HV_REG_X20,  offsetof(CPUARMState, xregs[20]) },
-+} FslIMX7State;
++    { HV_REG_X21,  offsetof(CPUARMState, xregs[21]) },
-+
++    { HV_REG_X22,  offsetof(CPUARMState, xregs[22]) },
-+enum FslIMX7MemoryMap {
++    { HV_REG_X23,  offsetof(CPUARMState, xregs[23]) },
-+    FSL_IMX7_MMDC_ADDR            = 0x80000000,
++    { HV_REG_X24,  offsetof(CPUARMState, xregs[24]) },
-+    FSL_IMX7_MMDC_SIZE            = 2 * 1024 * 1024 * 1024UL,
++    { HV_REG_X25,  offsetof(CPUARMState, xregs[25]) },
-+
++    { HV_REG_X26,  offsetof(CPUARMState, xregs[26]) },
-+    FSL_IMX7_GPIO1_ADDR           = 0x30200000,
++    { HV_REG_X27,  offsetof(CPUARMState, xregs[27]) },
-+    FSL_IMX7_GPIO2_ADDR           = 0x30210000,
++    { HV_REG_X28,  offsetof(CPUARMState, xregs[28]) },
-+    FSL_IMX7_GPIO3_ADDR           = 0x30220000,
++    { HV_REG_X29,  offsetof(CPUARMState, xregs[29]) },
-+    FSL_IMX7_GPIO4_ADDR           = 0x30230000,
++    { HV_REG_X30,  offsetof(CPUARMState, xregs[30]) },
-+    FSL_IMX7_GPIO5_ADDR           = 0x30240000,
++    { HV_REG_PC,   offsetof(CPUARMState, pc) },
-+    FSL_IMX7_GPIO6_ADDR           = 0x30250000,
++};
-+    FSL_IMX7_GPIO7_ADDR           = 0x30260000,
++
-+
++static const struct hvf_reg_match hvf_fpreg_match[] = {
-+    FSL_IMX7_IOMUXC_LPSR_GPR_ADDR = 0x30270000,
++    { HV_SIMD_FP_REG_Q0,  offsetof(CPUARMState, vfp.zregs[0]) },
-+
++    { HV_SIMD_FP_REG_Q1,  offsetof(CPUARMState, vfp.zregs[1]) },
-+    FSL_IMX7_WDOG1_ADDR           = 0x30280000,
++    { HV_SIMD_FP_REG_Q2,  offsetof(CPUARMState, vfp.zregs[2]) },
-+    FSL_IMX7_WDOG2_ADDR           = 0x30290000,
++    { HV_SIMD_FP_REG_Q3,  offsetof(CPUARMState, vfp.zregs[3]) },
-+    FSL_IMX7_WDOG3_ADDR           = 0x302A0000,
++    { HV_SIMD_FP_REG_Q4,  offsetof(CPUARMState, vfp.zregs[4]) },
-+    FSL_IMX7_WDOG4_ADDR           = 0x302B0000,
++    { HV_SIMD_FP_REG_Q5,  offsetof(CPUARMState, vfp.zregs[5]) },
-+
++    { HV_SIMD_FP_REG_Q6,  offsetof(CPUARMState, vfp.zregs[6]) },
-+    FSL_IMX7_IOMUXC_LPSR_ADDR     = 0x302C0000,
++    { HV_SIMD_FP_REG_Q7,  offsetof(CPUARMState, vfp.zregs[7]) },
-+
++    { HV_SIMD_FP_REG_Q8,  offsetof(CPUARMState, vfp.zregs[8]) },
-+    FSL_IMX7_GPT1_ADDR            = 0x302D0000,
++    { HV_SIMD_FP_REG_Q9,  offsetof(CPUARMState, vfp.zregs[9]) },
-+    FSL_IMX7_GPT2_ADDR            = 0x302E0000,
++    { HV_SIMD_FP_REG_Q10, offsetof(CPUARMState, vfp.zregs[10]) },
-+    FSL_IMX7_GPT3_ADDR            = 0x302F0000,
++    { HV_SIMD_FP_REG_Q11, offsetof(CPUARMState, vfp.zregs[11]) },
-+    FSL_IMX7_GPT4_ADDR            = 0x30300000,
++    { HV_SIMD_FP_REG_Q12, offsetof(CPUARMState, vfp.zregs[12]) },
-+
++    { HV_SIMD_FP_REG_Q13, offsetof(CPUARMState, vfp.zregs[13]) },
-+    FSL_IMX7_IOMUXC_ADDR          = 0x30330000,
++    { HV_SIMD_FP_REG_Q14, offsetof(CPUARMState, vfp.zregs[14]) },
-+    FSL_IMX7_IOMUXC_GPR_ADDR      = 0x30340000,
++    { HV_SIMD_FP_REG_Q15, offsetof(CPUARMState, vfp.zregs[15]) },
-+    FSL_IMX7_IOMUXCn_SIZE         = 0x1000,
++    { HV_SIMD_FP_REG_Q16, offsetof(CPUARMState, vfp.zregs[16]) },
-+
++    { HV_SIMD_FP_REG_Q17, offsetof(CPUARMState, vfp.zregs[17]) },
-+    FSL_IMX7_ANALOG_ADDR          = 0x30360000,
++    { HV_SIMD_FP_REG_Q18, offsetof(CPUARMState, vfp.zregs[18]) },
-+    FSL_IMX7_SNVS_ADDR            = 0x30370000,
++    { HV_SIMD_FP_REG_Q19, offsetof(CPUARMState, vfp.zregs[19]) },
-+    FSL_IMX7_CCM_ADDR             = 0x30380000,
++    { HV_SIMD_FP_REG_Q20, offsetof(CPUARMState, vfp.zregs[20]) },
-+
++    { HV_SIMD_FP_REG_Q21, offsetof(CPUARMState, vfp.zregs[21]) },
-+    FSL_IMX7_SRC_ADDR             = 0x30390000,
++    { HV_SIMD_FP_REG_Q22, offsetof(CPUARMState, vfp.zregs[22]) },
-+    FSL_IMX7_SRC_SIZE             = 0x1000,
++    { HV_SIMD_FP_REG_Q23, offsetof(CPUARMState, vfp.zregs[23]) },
-+
++    { HV_SIMD_FP_REG_Q24, offsetof(CPUARMState, vfp.zregs[24]) },
-+    FSL_IMX7_ADC1_ADDR            = 0x30610000,
++    { HV_SIMD_FP_REG_Q25, offsetof(CPUARMState, vfp.zregs[25]) },
-+    FSL_IMX7_ADC2_ADDR            = 0x30620000,
++    { HV_SIMD_FP_REG_Q26, offsetof(CPUARMState, vfp.zregs[26]) },
-+    FSL_IMX7_ADCn_SIZE            = 0x1000,
++    { HV_SIMD_FP_REG_Q27, offsetof(CPUARMState, vfp.zregs[27]) },
-+
++    { HV_SIMD_FP_REG_Q28, offsetof(CPUARMState, vfp.zregs[28]) },
-+    FSL_IMX7_GPC_ADDR             = 0x303A0000,
++    { HV_SIMD_FP_REG_Q29, offsetof(CPUARMState, vfp.zregs[29]) },
-+
++    { HV_SIMD_FP_REG_Q30, offsetof(CPUARMState, vfp.zregs[30]) },
-+    FSL_IMX7_I2C1_ADDR            = 0x30A20000,
++    { HV_SIMD_FP_REG_Q31, offsetof(CPUARMState, vfp.zregs[31]) },
-+    FSL_IMX7_I2C2_ADDR            = 0x30A30000,
++};
-+    FSL_IMX7_I2C3_ADDR            = 0x30A40000,
++
-+    FSL_IMX7_I2C4_ADDR            = 0x30A50000,
++struct hvf_sreg_match {
-+
++    int reg;
-+    FSL_IMX7_ECSPI1_ADDR          = 0x30820000,
++    uint32_t key;
-+    FSL_IMX7_ECSPI2_ADDR          = 0x30830000,
++    uint32_t cp_idx;
-+    FSL_IMX7_ECSPI3_ADDR          = 0x30840000,
++};
-+    FSL_IMX7_ECSPI4_ADDR          = 0x30630000,
++
-+
++static struct hvf_sreg_match hvf_sreg_match[] = {
-+    FSL_IMX7_LCDIF_ADDR           = 0x30730000,
++    { HV_SYS_REG_DBGBVR0_EL1, HVF_SYSREG(0, 0, 14, 0, 4) },
-+    FSL_IMX7_LCDIF_SIZE           = 0x1000,
++    { HV_SYS_REG_DBGBCR0_EL1, HVF_SYSREG(0, 0, 14, 0, 5) },
-+
++    { HV_SYS_REG_DBGWVR0_EL1, HVF_SYSREG(0, 0, 14, 0, 6) },
-+    FSL_IMX7_UART1_ADDR           = 0x30860000,
++    { HV_SYS_REG_DBGWCR0_EL1, HVF_SYSREG(0, 0, 14, 0, 7) },
 +
 +    { HV_SYS_REG_DBGBVR1_EL1, HVF_SYSREG(0, 1, 14, 0, 4) },
 +    { HV_SYS_REG_DBGBCR1_EL1, HVF_SYSREG(0, 1, 14, 0, 5) },
 +    { HV_SYS_REG_DBGWVR1_EL1, HVF_SYSREG(0, 1, 14, 0, 6) },
 +    { HV_SYS_REG_DBGWCR1_EL1, HVF_SYSREG(0, 1, 14, 0, 7) },
 +
 +    { HV_SYS_REG_DBGBVR2_EL1, HVF_SYSREG(0, 2, 14, 0, 4) },
 +    { HV_SYS_REG_DBGBCR2_EL1, HVF_SYSREG(0, 2, 14, 0, 5) },
 +    { HV_SYS_REG_DBGWVR2_EL1, HVF_SYSREG(0, 2, 14, 0, 6) },
 +    { HV_SYS_REG_DBGWCR2_EL1, HVF_SYSREG(0, 2, 14, 0, 7) },
 +
 +    { HV_SYS_REG_DBGBVR3_EL1, HVF_SYSREG(0, 3, 14, 0, 4) },
 +    { HV_SYS_REG_DBGBCR3_EL1, HVF_SYSREG(0, 3, 14, 0, 5) },
 +    { HV_SYS_REG_DBGWVR3_EL1, HVF_SYSREG(0, 3, 14, 0, 6) },
 +    { HV_SYS_REG_DBGWCR3_EL1, HVF_SYSREG(0, 3, 14, 0, 7) },
 +
 +    { HV_SYS_REG_DBGBVR4_EL1, HVF_SYSREG(0, 4, 14, 0, 4) },
 +    { HV_SYS_REG_DBGBCR4_EL1, HVF_SYSREG(0, 4, 14, 0, 5) },
 +    { HV_SYS_REG_DBGWVR4_EL1, HVF_SYSREG(0, 4, 14, 0, 6) },
 +    { HV_SYS_REG_DBGWCR4_EL1, HVF_SYSREG(0, 4, 14, 0, 7) },
 +
 +    { HV_SYS_REG_DBGBVR5_EL1, HVF_SYSREG(0, 5, 14, 0, 4) },
 +    { HV_SYS_REG_DBGBCR5_EL1, HVF_SYSREG(0, 5, 14, 0, 5) },
 +    { HV_SYS_REG_DBGWVR5_EL1, HVF_SYSREG(0, 5, 14, 0, 6) },
 +    { HV_SYS_REG_DBGWCR5_EL1, HVF_SYSREG(0, 5, 14, 0, 7) },
 +
 +    { HV_SYS_REG_DBGBVR6_EL1, HVF_SYSREG(0, 6, 14, 0, 4) },
 +    { HV_SYS_REG_DBGBCR6_EL1, HVF_SYSREG(0, 6, 14, 0, 5) },
 +    { HV_SYS_REG_DBGWVR6_EL1, HVF_SYSREG(0, 6, 14, 0, 6) },
 +    { HV_SYS_REG_DBGWCR6_EL1, HVF_SYSREG(0, 6, 14, 0, 7) },
 +
 +    { HV_SYS_REG_DBGBVR7_EL1, HVF_SYSREG(0, 7, 14, 0, 4) },
 +    { HV_SYS_REG_DBGBCR7_EL1, HVF_SYSREG(0, 7, 14, 0, 5) },
 +    { HV_SYS_REG_DBGWVR7_EL1, HVF_SYSREG(0, 7, 14, 0, 6) },
 +    { HV_SYS_REG_DBGWCR7_EL1, HVF_SYSREG(0, 7, 14, 0, 7) },
 +
 +    { HV_SYS_REG_DBGBVR8_EL1, HVF_SYSREG(0, 8, 14, 0, 4) },
 +    { HV_SYS_REG_DBGBCR8_EL1, HVF_SYSREG(0, 8, 14, 0, 5) },
 +    { HV_SYS_REG_DBGWVR8_EL1, HVF_SYSREG(0, 8, 14, 0, 6) },
 +    { HV_SYS_REG_DBGWCR8_EL1, HVF_SYSREG(0, 8, 14, 0, 7) },
 +
 +    { HV_SYS_REG_DBGBVR9_EL1, HVF_SYSREG(0, 9, 14, 0, 4) },
 +    { HV_SYS_REG_DBGBCR9_EL1, HVF_SYSREG(0, 9, 14, 0, 5) },
 +    { HV_SYS_REG_DBGWVR9_EL1, HVF_SYSREG(0, 9, 14, 0, 6) },
 +    { HV_SYS_REG_DBGWCR9_EL1, HVF_SYSREG(0, 9, 14, 0, 7) },
 +
 +    { HV_SYS_REG_DBGBVR10_EL1, HVF_SYSREG(0, 10, 14, 0, 4) },
 +    { HV_SYS_REG_DBGBCR10_EL1, HVF_SYSREG(0, 10, 14, 0, 5) },
 +    { HV_SYS_REG_DBGWVR10_EL1, HVF_SYSREG(0, 10, 14, 0, 6) },
 +    { HV_SYS_REG_DBGWCR10_EL1, HVF_SYSREG(0, 10, 14, 0, 7) },
 +
 +    { HV_SYS_REG_DBGBVR11_EL1, HVF_SYSREG(0, 11, 14, 0, 4) },
 +    { HV_SYS_REG_DBGBCR11_EL1, HVF_SYSREG(0, 11, 14, 0, 5) },
 +    { HV_SYS_REG_DBGWVR11_EL1, HVF_SYSREG(0, 11, 14, 0, 6) },
 +    { HV_SYS_REG_DBGWCR11_EL1, HVF_SYSREG(0, 11, 14, 0, 7) },
 +
 +    { HV_SYS_REG_DBGBVR12_EL1, HVF_SYSREG(0, 12, 14, 0, 4) },
 +    { HV_SYS_REG_DBGBCR12_EL1, HVF_SYSREG(0, 12, 14, 0, 5) },
 +    { HV_SYS_REG_DBGWVR12_EL1, HVF_SYSREG(0, 12, 14, 0, 6) },
 +    { HV_SYS_REG_DBGWCR12_EL1, HVF_SYSREG(0, 12, 14, 0, 7) },
 +
 +    { HV_SYS_REG_DBGBVR13_EL1, HVF_SYSREG(0, 13, 14, 0, 4) },
 +    { HV_SYS_REG_DBGBCR13_EL1, HVF_SYSREG(0, 13, 14, 0, 5) },
 +    { HV_SYS_REG_DBGWVR13_EL1, HVF_SYSREG(0, 13, 14, 0, 6) },
 +    { HV_SYS_REG_DBGWCR13_EL1, HVF_SYSREG(0, 13, 14, 0, 7) },
 +
 +    { HV_SYS_REG_DBGBVR14_EL1, HVF_SYSREG(0, 14, 14, 0, 4) },
 +    { HV_SYS_REG_DBGBCR14_EL1, HVF_SYSREG(0, 14, 14, 0, 5) },
 +    { HV_SYS_REG_DBGWVR14_EL1, HVF_SYSREG(0, 14, 14, 0, 6) },
 +    { HV_SYS_REG_DBGWCR14_EL1, HVF_SYSREG(0, 14, 14, 0, 7) },
 +
 +    { HV_SYS_REG_DBGBVR15_EL1, HVF_SYSREG(0, 15, 14, 0, 4) },
 +    { HV_SYS_REG_DBGBCR15_EL1, HVF_SYSREG(0, 15, 14, 0, 5) },
 +    { HV_SYS_REG_DBGWVR15_EL1, HVF_SYSREG(0, 15, 14, 0, 6) },
 +    { HV_SYS_REG_DBGWCR15_EL1, HVF_SYSREG(0, 15, 14, 0, 7) },
 +
 +#ifdef SYNC_NO_RAW_REGS
 +    /*
-+     * Some versions of the reference manual claim that UART2 is @
++     * The registers below are manually synced on init because they are
-+     * 0x30870000, but experiments with HW + DT files in upstream
++     * marked as NO_RAW. We still list them to make number space sync easier.
 +     * Linux kernel show that not to be true and that block is
 +     * acutally located @ 0x30890000
 +     */
-+    FSL_IMX7_UART2_ADDR           = 0x30890000,
++    { HV_SYS_REG_MDCCINT_EL1, HVF_SYSREG(0, 2, 2, 0, 0) },
-+    FSL_IMX7_UART3_ADDR           = 0x30880000,
++    { HV_SYS_REG_MIDR_EL1, HVF_SYSREG(0, 0, 3, 0, 0) },
-+    FSL_IMX7_UART4_ADDR           = 0x30A60000,
++    { HV_SYS_REG_MPIDR_EL1, HVF_SYSREG(0, 0, 3, 0, 5) },
-+    FSL_IMX7_UART5_ADDR           = 0x30A70000,
++    { HV_SYS_REG_ID_AA64PFR0_EL1, HVF_SYSREG(0, 4, 3, 0, 0) },
-+    FSL_IMX7_UART6_ADDR           = 0x30A80000,
++#endif
-+    FSL_IMX7_UART7_ADDR           = 0x30A90000,
++    { HV_SYS_REG_ID_AA64PFR1_EL1, HVF_SYSREG(0, 4, 3, 0, 2) },
-+
++    { HV_SYS_REG_ID_AA64DFR0_EL1, HVF_SYSREG(0, 5, 3, 0, 0) },
-+    FSL_IMX7_ENET1_ADDR           = 0x30BE0000,
++    { HV_SYS_REG_ID_AA64DFR1_EL1, HVF_SYSREG(0, 5, 3, 0, 1) },
-+    FSL_IMX7_ENET2_ADDR           = 0x30BF0000,
++    { HV_SYS_REG_ID_AA64ISAR0_EL1, HVF_SYSREG(0, 6, 3, 0, 0) },
-+
++    { HV_SYS_REG_ID_AA64ISAR1_EL1, HVF_SYSREG(0, 6, 3, 0, 1) },
-+    FSL_IMX7_USB1_ADDR            = 0x30B10000,
++#ifdef SYNC_NO_MMFR0
-+    FSL_IMX7_USBMISC1_ADDR        = 0x30B10200,
++    /* We keep the hardware MMFR0 around. HW limits are there anyway */
-+    FSL_IMX7_USB2_ADDR            = 0x30B20000,
++    { HV_SYS_REG_ID_AA64MMFR0_EL1, HVF_SYSREG(0, 7, 3, 0, 0) },
-+    FSL_IMX7_USBMISC2_ADDR        = 0x30B20200,
++#endif
-+    FSL_IMX7_USB3_ADDR            = 0x30B30000,
++    { HV_SYS_REG_ID_AA64MMFR1_EL1, HVF_SYSREG(0, 7, 3, 0, 1) },
-+    FSL_IMX7_USBMISC3_ADDR        = 0x30B30200,
++    { HV_SYS_REG_ID_AA64MMFR2_EL1, HVF_SYSREG(0, 7, 3, 0, 2) },
-+    FSL_IMX7_USBMISCn_SIZE        = 0x200,
++
-+
++    { HV_SYS_REG_MDSCR_EL1, HVF_SYSREG(0, 2, 2, 0, 2) },
-+    FSL_IMX7_USDHC1_ADDR          = 0x30B40000,
++    { HV_SYS_REG_SCTLR_EL1, HVF_SYSREG(1, 0, 3, 0, 0) },
-+    FSL_IMX7_USDHC2_ADDR          = 0x30B50000,
++    { HV_SYS_REG_CPACR_EL1, HVF_SYSREG(1, 0, 3, 0, 2) },
-+    FSL_IMX7_USDHC3_ADDR          = 0x30B60000,
++    { HV_SYS_REG_TTBR0_EL1, HVF_SYSREG(2, 0, 3, 0, 0) },
-+
++    { HV_SYS_REG_TTBR1_EL1, HVF_SYSREG(2, 0, 3, 0, 1) },
-+    FSL_IMX7_SDMA_ADDR            = 0x30BD0000,
++    { HV_SYS_REG_TCR_EL1, HVF_SYSREG(2, 0, 3, 0, 2) },
-+    FSL_IMX7_SDMA_SIZE            = 0x1000,
++
-+
++    { HV_SYS_REG_APIAKEYLO_EL1, HVF_SYSREG(2, 1, 3, 0, 0) },
-+    FSL_IMX7_A7MPCORE_ADDR        = 0x31000000,
++    { HV_SYS_REG_APIAKEYHI_EL1, HVF_SYSREG(2, 1, 3, 0, 1) },
-+    FSL_IMX7_A7MPCORE_DAP_ADDR    = 0x30000000,
++    { HV_SYS_REG_APIBKEYLO_EL1, HVF_SYSREG(2, 1, 3, 0, 2) },
-+
++    { HV_SYS_REG_APIBKEYHI_EL1, HVF_SYSREG(2, 1, 3, 0, 3) },
-+    FSL_IMX7_PCIE_REG_ADDR        = 0x33800000,
++    { HV_SYS_REG_APDAKEYLO_EL1, HVF_SYSREG(2, 2, 3, 0, 0) },
-+    FSL_IMX7_PCIE_REG_SIZE        = 16 * 1024,
++    { HV_SYS_REG_APDAKEYHI_EL1, HVF_SYSREG(2, 2, 3, 0, 1) },
-+
++    { HV_SYS_REG_APDBKEYLO_EL1, HVF_SYSREG(2, 2, 3, 0, 2) },
-+    FSL_IMX7_GPR_ADDR             = 0x30340000,
++    { HV_SYS_REG_APDBKEYHI_EL1, HVF_SYSREG(2, 2, 3, 0, 3) },
 +    { HV_SYS_REG_APGAKEYLO_EL1, HVF_SYSREG(2, 3, 3, 0, 0) },
 +    { HV_SYS_REG_APGAKEYHI_EL1, HVF_SYSREG(2, 3, 3, 0, 1) },
 +
 +    { HV_SYS_REG_SPSR_EL1, HVF_SYSREG(4, 0, 3, 0, 0) },
 +    { HV_SYS_REG_ELR_EL1, HVF_SYSREG(4, 0, 3, 0, 1) },
 +    { HV_SYS_REG_SP_EL0, HVF_SYSREG(4, 1, 3, 0, 0) },
 +    { HV_SYS_REG_AFSR0_EL1, HVF_SYSREG(5, 1, 3, 0, 0) },
 +    { HV_SYS_REG_AFSR1_EL1, HVF_SYSREG(5, 1, 3, 0, 1) },
 +    { HV_SYS_REG_ESR_EL1, HVF_SYSREG(5, 2, 3, 0, 0) },
 +    { HV_SYS_REG_FAR_EL1, HVF_SYSREG(6, 0, 3, 0, 0) },
 +    { HV_SYS_REG_PAR_EL1, HVF_SYSREG(7, 4, 3, 0, 0) },
 +    { HV_SYS_REG_MAIR_EL1, HVF_SYSREG(10, 2, 3, 0, 0) },
 +    { HV_SYS_REG_AMAIR_EL1, HVF_SYSREG(10, 3, 3, 0, 0) },
 +    { HV_SYS_REG_VBAR_EL1, HVF_SYSREG(12, 0, 3, 0, 0) },
 +    { HV_SYS_REG_CONTEXTIDR_EL1, HVF_SYSREG(13, 0, 3, 0, 1) },
 +    { HV_SYS_REG_TPIDR_EL1, HVF_SYSREG(13, 0, 3, 0, 4) },
 +    { HV_SYS_REG_CNTKCTL_EL1, HVF_SYSREG(14, 1, 3, 0, 0) },
 +    { HV_SYS_REG_CSSELR_EL1, HVF_SYSREG(0, 0, 3, 2, 0) },
 +    { HV_SYS_REG_TPIDR_EL0, HVF_SYSREG(13, 0, 3, 3, 2) },
 +    { HV_SYS_REG_TPIDRRO_EL0, HVF_SYSREG(13, 0, 3, 3, 3) },
 +    { HV_SYS_REG_CNTV_CTL_EL0, HVF_SYSREG(14, 3, 3, 3, 1) },
 +    { HV_SYS_REG_CNTV_CVAL_EL0, HVF_SYSREG(14, 3, 3, 3, 2) },
 +    { HV_SYS_REG_SP_EL1, HVF_SYSREG(4, 1, 3, 4, 0) },
 +};
 +
-+enum FslIMX7IRQs {
++int hvf_get_registers(CPUState *cpu)
-+    FSL_IMX7_USDHC1_IRQ   = 22,
++{
-+    FSL_IMX7_USDHC2_IRQ   = 23,
++    ARMCPU *arm_cpu = ARM_CPU(cpu);
-+    FSL_IMX7_USDHC3_IRQ   = 24,
++    CPUARMState *env = &arm_cpu->env;
-+
++    hv_return_t ret;
-+    FSL_IMX7_UART1_IRQ    = 26,
++    uint64_t val;
-+    FSL_IMX7_UART2_IRQ    = 27,
++    hv_simd_fp_uchar16_t fpval;
-+    FSL_IMX7_UART3_IRQ    = 28,
++    int i;
-+    FSL_IMX7_UART4_IRQ    = 29,
++
-+    FSL_IMX7_UART5_IRQ    = 30,
++    for (i = 0; i < ARRAY_SIZE(hvf_reg_match); i++) {
-+    FSL_IMX7_UART6_IRQ    = 16,
++        ret = hv_vcpu_get_reg(cpu->hvf->fd, hvf_reg_match[i].reg, &val);
-+
++        *(uint64_t *)((void *)env + hvf_reg_match[i].offset) = val;
-+    FSL_IMX7_ECSPI1_IRQ   = 31,
++        assert_hvf_ok(ret);
-+    FSL_IMX7_ECSPI2_IRQ   = 32,
++    }
-+    FSL_IMX7_ECSPI3_IRQ   = 33,
++
-+    FSL_IMX7_ECSPI4_IRQ   = 34,
++    for (i = 0; i < ARRAY_SIZE(hvf_fpreg_match); i++) {
-+
++        ret = hv_vcpu_get_simd_fp_reg(cpu->hvf->fd, hvf_fpreg_match[i].reg,
-+    FSL_IMX7_I2C1_IRQ     = 35,
++                                      &fpval);
-+    FSL_IMX7_I2C2_IRQ     = 36,
++        memcpy((void *)env + hvf_fpreg_match[i].offset, &fpval, sizeof(fpval));
-+    FSL_IMX7_I2C3_IRQ     = 37,
++        assert_hvf_ok(ret);
-+    FSL_IMX7_I2C4_IRQ     = 38,
++    }
 +
-+    FSL_IMX7_USB1_IRQ     = 43,
++    val = 0;
-+    FSL_IMX7_USB2_IRQ     = 42,
++    ret = hv_vcpu_get_reg(cpu->hvf->fd, HV_REG_FPCR, &val);
-+    FSL_IMX7_USB3_IRQ     = 40,
++    assert_hvf_ok(ret);
-+
++    vfp_set_fpcr(env, val);
-+    FSL_IMX7_PCI_INTA_IRQ = 122,
++
-+    FSL_IMX7_PCI_INTB_IRQ = 123,
++    val = 0;
-+    FSL_IMX7_PCI_INTC_IRQ = 124,
++    ret = hv_vcpu_get_reg(cpu->hvf->fd, HV_REG_FPSR, &val);
-+    FSL_IMX7_PCI_INTD_IRQ = 125,
++    assert_hvf_ok(ret);
-+
++    vfp_set_fpsr(env, val);
-+    FSL_IMX7_UART7_IRQ    = 126,
++
-+
++    ret = hv_vcpu_get_reg(cpu->hvf->fd, HV_REG_CPSR, &val);
-+#define FSL_IMX7_ENET_IRQ(i, n)  ((n) + ((i) ? 100 : 118))
++    assert_hvf_ok(ret);
-+
++    pstate_write(env, val);
-+    FSL_IMX7_MAX_IRQ      = 128,
++
 +    for (i = 0; i < ARRAY_SIZE(hvf_sreg_match); i++) {
 +        if (hvf_sreg_match[i].cp_idx == -1) {
 +            continue;
 +        }
 +
 +        ret = hv_vcpu_get_sys_reg(cpu->hvf->fd, hvf_sreg_match[i].reg, &val);
 +        assert_hvf_ok(ret);
 +
 +        arm_cpu->cpreg_values[hvf_sreg_match[i].cp_idx] = val;
 +    }
 +    assert(write_list_to_cpustate(arm_cpu));
 +
 +    aarch64_restore_sp(env, arm_current_el(env));
 +
 +    return 0;
 +}
 +
 +int hvf_put_registers(CPUState *cpu)
 +{
 +    ARMCPU *arm_cpu = ARM_CPU(cpu);
 +    CPUARMState *env = &arm_cpu->env;
 +    hv_return_t ret;
 +    uint64_t val;
 +    hv_simd_fp_uchar16_t fpval;
 +    int i;
 +
 +    for (i = 0; i < ARRAY_SIZE(hvf_reg_match); i++) {
 +        val = *(uint64_t *)((void *)env + hvf_reg_match[i].offset);
 +        ret = hv_vcpu_set_reg(cpu->hvf->fd, hvf_reg_match[i].reg, val);
 +        assert_hvf_ok(ret);
 +    }
 +
 +    for (i = 0; i < ARRAY_SIZE(hvf_fpreg_match); i++) {
 +        memcpy(&fpval, (void *)env + hvf_fpreg_match[i].offset, sizeof(fpval));
 +        ret = hv_vcpu_set_simd_fp_reg(cpu->hvf->fd, hvf_fpreg_match[i].reg,
 +                                      fpval);
 +        assert_hvf_ok(ret);
 +    }
 +
 +    ret = hv_vcpu_set_reg(cpu->hvf->fd, HV_REG_FPCR, vfp_get_fpcr(env));
 +    assert_hvf_ok(ret);
 +
 +    ret = hv_vcpu_set_reg(cpu->hvf->fd, HV_REG_FPSR, vfp_get_fpsr(env));
 +    assert_hvf_ok(ret);
 +
 +    ret = hv_vcpu_set_reg(cpu->hvf->fd, HV_REG_CPSR, pstate_read(env));
 +    assert_hvf_ok(ret);
 +
 +    aarch64_save_sp(env, arm_current_el(env));
 +
 +    assert(write_cpustate_to_list(arm_cpu, false));
 +    for (i = 0; i < ARRAY_SIZE(hvf_sreg_match); i++) {
 +        if (hvf_sreg_match[i].cp_idx == -1) {
 +            continue;
 +        }
 +
 +        val = arm_cpu->cpreg_values[hvf_sreg_match[i].cp_idx];
 +        ret = hv_vcpu_set_sys_reg(cpu->hvf->fd, hvf_sreg_match[i].reg, val);
 +        assert_hvf_ok(ret);
 +    }
 +
 +    ret = hv_vcpu_set_vtimer_offset(cpu->hvf->fd, hvf_state->vtimer_offset);
 +    assert_hvf_ok(ret);
 +
 +    return 0;
 +}
 +
 +static void flush_cpu_state(CPUState *cpu)
 +{
 +    if (cpu->vcpu_dirty) {
 +        hvf_put_registers(cpu);
 +        cpu->vcpu_dirty = false;
 +    }
 +}
 +
 +static void hvf_set_reg(CPUState *cpu, int rt, uint64_t val)
 +{
 +    hv_return_t r;
 +
 +    flush_cpu_state(cpu);
 +
 +    if (rt < 31) {
 +        r = hv_vcpu_set_reg(cpu->hvf->fd, HV_REG_X0 + rt, val);
 +        assert_hvf_ok(r);
 +    }
 +}
 +
 +static uint64_t hvf_get_reg(CPUState *cpu, int rt)
 +{
 +    uint64_t val = 0;
 +    hv_return_t r;
 +
 +    flush_cpu_state(cpu);
 +
 +    if (rt < 31) {
 +        r = hv_vcpu_get_reg(cpu->hvf->fd, HV_REG_X0 + rt, &val);
 +        assert_hvf_ok(r);
 +    }
 +
 +    return val;
 +}
 +
 +void hvf_arch_vcpu_destroy(CPUState *cpu)
 +{
 +}
 +
 +int hvf_arch_init_vcpu(CPUState *cpu)
 +{
 +    ARMCPU *arm_cpu = ARM_CPU(cpu);
 +    CPUARMState *env = &arm_cpu->env;
 +    uint32_t sregs_match_len = ARRAY_SIZE(hvf_sreg_match);
 +    uint32_t sregs_cnt = 0;
 +    uint64_t pfr;
 +    hv_return_t ret;
 +    int i;
 +
 +    env->aarch64 = 1;
 +    asm volatile("mrs %0, cntfrq_el0" : "=r"(arm_cpu->gt_cntfrq_hz));
 +
 +    /* Allocate enough space for our sysreg sync */
 +    arm_cpu->cpreg_indexes = g_renew(uint64_t, arm_cpu->cpreg_indexes,
 +                                     sregs_match_len);
 +    arm_cpu->cpreg_values = g_renew(uint64_t, arm_cpu->cpreg_values,
 +                                    sregs_match_len);
 +    arm_cpu->cpreg_vmstate_indexes = g_renew(uint64_t,
 +                                             arm_cpu->cpreg_vmstate_indexes,
 +                                             sregs_match_len);
 +    arm_cpu->cpreg_vmstate_values = g_renew(uint64_t,
 +                                            arm_cpu->cpreg_vmstate_values,
 +                                            sregs_match_len);
 +
 +    memset(arm_cpu->cpreg_values, 0, sregs_match_len * sizeof(uint64_t));
 +
 +    /* Populate cp list for all known sysregs */
 +    for (i = 0; i < sregs_match_len; i++) {
 +        const ARMCPRegInfo *ri;
 +        uint32_t key = hvf_sreg_match[i].key;
 +
 +        ri = get_arm_cp_reginfo(arm_cpu->cp_regs, key);
 +        if (ri) {
 +            assert(!(ri->type & ARM_CP_NO_RAW));
 +            hvf_sreg_match[i].cp_idx = sregs_cnt;
 +            arm_cpu->cpreg_indexes[sregs_cnt++] = cpreg_to_kvm_id(key);
 +        } else {
 +            hvf_sreg_match[i].cp_idx = -1;
 +        }
 +    }
 +    arm_cpu->cpreg_array_len = sregs_cnt;
 +    arm_cpu->cpreg_vmstate_array_len = sregs_cnt;
 +
 +    assert(write_cpustate_to_list(arm_cpu, false));
 +
 +    /* Set CP_NO_RAW system registers on init */
 +    ret = hv_vcpu_set_sys_reg(cpu->hvf->fd, HV_SYS_REG_MIDR_EL1,
 +                              arm_cpu->midr);
 +    assert_hvf_ok(ret);
 +
 +    ret = hv_vcpu_set_sys_reg(cpu->hvf->fd, HV_SYS_REG_MPIDR_EL1,
 +                              arm_cpu->mp_affinity);
 +    assert_hvf_ok(ret);
 +
 +    ret = hv_vcpu_get_sys_reg(cpu->hvf->fd, HV_SYS_REG_ID_AA64PFR0_EL1, &pfr);
 +    assert_hvf_ok(ret);
 +    pfr |= env->gicv3state ? (1 << 24) : 0;
 +    ret = hv_vcpu_set_sys_reg(cpu->hvf->fd, HV_SYS_REG_ID_AA64PFR0_EL1, pfr);
 +    assert_hvf_ok(ret);
 +
 +    /* We're limited to underlying hardware caps, override internal versions */
 +    ret = hv_vcpu_get_sys_reg(cpu->hvf->fd, HV_SYS_REG_ID_AA64MMFR0_EL1,
 +                              &arm_cpu->isar.id_aa64mmfr0);
 +    assert_hvf_ok(ret);
 +
 +    return 0;
 +}
 +
 +void hvf_kick_vcpu_thread(CPUState *cpu)
 +{
 +    hv_vcpus_exit(&cpu->hvf->fd, 1);
 +}
 +
 +static void hvf_raise_exception(CPUState *cpu, uint32_t excp,
 +                                uint32_t syndrome)
 +{
 +    ARMCPU *arm_cpu = ARM_CPU(cpu);
 +    CPUARMState *env = &arm_cpu->env;
 +
 +    cpu->exception_index = excp;
 +    env->exception.target_el = 1;
 +    env->exception.syndrome = syndrome;
 +
 +    arm_cpu_do_interrupt(cpu);
 +}
 +
 +static int hvf_sysreg_read(CPUState *cpu, uint32_t reg, uint32_t rt)
 +{
 +    ARMCPU *arm_cpu = ARM_CPU(cpu);
 +    CPUARMState *env = &arm_cpu->env;
 +    uint64_t val = 0;
 +
 +    switch (reg) {
 +    case SYSREG_CNTPCT_EL0:
 +        val = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) /
 +              gt_cntfrq_period_ns(arm_cpu);
 +        break;
 +    case SYSREG_OSLSR_EL1:
 +        val = env->cp15.oslsr_el1;
 +        break;
 +    case SYSREG_OSDLR_EL1:
 +        /* Dummy register */
 +        break;
 +    default:
 +        cpu_synchronize_state(cpu);
 +        trace_hvf_unhandled_sysreg_read(env->pc, reg,
 +                                        (reg >> 20) & 0x3,
 +                                        (reg >> 14) & 0x7,
 +                                        (reg >> 10) & 0xf,
 +                                        (reg >> 1) & 0xf,
 +                                        (reg >> 17) & 0x7);
 +        hvf_raise_exception(cpu, EXCP_UDEF, syn_uncategorized());
 +        return 1;
 +    }
 +
 +    trace_hvf_sysreg_read(reg,
 +                          (reg >> 20) & 0x3,
 +                          (reg >> 14) & 0x7,
 +                          (reg >> 10) & 0xf,
 +                          (reg >> 1) & 0xf,
 +                          (reg >> 17) & 0x7,
 +                          val);
 +    hvf_set_reg(cpu, rt, val);
 +
 +    return 0;
 +}
 +
 +static int hvf_sysreg_write(CPUState *cpu, uint32_t reg, uint64_t val)
 +{
 +    ARMCPU *arm_cpu = ARM_CPU(cpu);
 +    CPUARMState *env = &arm_cpu->env;
 +
 +    trace_hvf_sysreg_write(reg,
 +                           (reg >> 20) & 0x3,
 +                           (reg >> 14) & 0x7,
 +                           (reg >> 10) & 0xf,
 +                           (reg >> 1) & 0xf,
 +                           (reg >> 17) & 0x7,
 +                           val);
 +
 +    switch (reg) {
 +    case SYSREG_OSLAR_EL1:
 +        env->cp15.oslsr_el1 = val & 1;
 +        break;
 +    case SYSREG_OSDLR_EL1:
 +        /* Dummy register */
 +        break;
 +    default:
 +        cpu_synchronize_state(cpu);
 +        trace_hvf_unhandled_sysreg_write(env->pc, reg,
 +                                         (reg >> 20) & 0x3,
 +                                         (reg >> 14) & 0x7,
 +                                         (reg >> 10) & 0xf,
 +                                         (reg >> 1) & 0xf,
 +                                         (reg >> 17) & 0x7);
 +        hvf_raise_exception(cpu, EXCP_UDEF, syn_uncategorized());
 +        return 1;
 +    }
 +
 +    return 0;
 +}
 +
 +static int hvf_inject_interrupts(CPUState *cpu)
 +{
 +    if (cpu->interrupt_request & CPU_INTERRUPT_FIQ) {
 +        trace_hvf_inject_fiq();
 +        hv_vcpu_set_pending_interrupt(cpu->hvf->fd, HV_INTERRUPT_TYPE_FIQ,
 +                                      true);
 +    }
 +
 +    if (cpu->interrupt_request & CPU_INTERRUPT_HARD) {
 +        trace_hvf_inject_irq();
 +        hv_vcpu_set_pending_interrupt(cpu->hvf->fd, HV_INTERRUPT_TYPE_IRQ,
 +                                      true);
 +    }
 +
 +    return 0;
 +}
 +
 +static uint64_t hvf_vtimer_val_raw(void)
 +{
 +    /*
 +     * mach_absolute_time() returns the vtimer value without the VM
 +     * offset that we define. Add our own offset on top.
 +     */
 +    return mach_absolute_time() - hvf_state->vtimer_offset;
 +}
 +
 +static void hvf_sync_vtimer(CPUState *cpu)
 +{
 +    ARMCPU *arm_cpu = ARM_CPU(cpu);
 +    hv_return_t r;
 +    uint64_t ctl;
 +    bool irq_state;
 +
 +    if (!cpu->hvf->vtimer_masked) {
 +        /* We will get notified on vtimer changes by hvf, nothing to do */
 +        return;
 +    }
 +
 +    r = hv_vcpu_get_sys_reg(cpu->hvf->fd, HV_SYS_REG_CNTV_CTL_EL0, &ctl);
 +    assert_hvf_ok(r);
 +
 +    irq_state = (ctl & (TMR_CTL_ENABLE | TMR_CTL_IMASK | TMR_CTL_ISTATUS)) ==
 +                (TMR_CTL_ENABLE | TMR_CTL_ISTATUS);
 +    qemu_set_irq(arm_cpu->gt_timer_outputs[GTIMER_VIRT], irq_state);
 +
 +    if (!irq_state) {
 +        /* Timer no longer asserting, we can unmask it */
 +        hv_vcpu_set_vtimer_mask(cpu->hvf->fd, false);
 +        cpu->hvf->vtimer_masked = false;
 +    }
 +}
 +
 +int hvf_vcpu_exec(CPUState *cpu)
 +{
 +    ARMCPU *arm_cpu = ARM_CPU(cpu);
 +    CPUARMState *env = &arm_cpu->env;
 +    hv_vcpu_exit_t *hvf_exit = cpu->hvf->exit;
 +    hv_return_t r;
 +    bool advance_pc = false;
 +
 +    if (hvf_inject_interrupts(cpu)) {
 +        return EXCP_INTERRUPT;
 +    }
 +
 +    if (cpu->halted) {
 +        return EXCP_HLT;
 +    }
 +
 +    flush_cpu_state(cpu);
 +
 +    qemu_mutex_unlock_iothread();
 +    assert_hvf_ok(hv_vcpu_run(cpu->hvf->fd));
 +
 +    /* handle VMEXIT */
 +    uint64_t exit_reason = hvf_exit->reason;
 +    uint64_t syndrome = hvf_exit->exception.syndrome;
 +    uint32_t ec = syn_get_ec(syndrome);
 +
 +    qemu_mutex_lock_iothread();
 +    switch (exit_reason) {
 +    case HV_EXIT_REASON_EXCEPTION:
 +        /* This is the main one, handle below. */
 +        break;
 +    case HV_EXIT_REASON_VTIMER_ACTIVATED:
 +        qemu_set_irq(arm_cpu->gt_timer_outputs[GTIMER_VIRT], 1);
 +        cpu->hvf->vtimer_masked = true;
 +        return 0;
 +    case HV_EXIT_REASON_CANCELED:
 +        /* we got kicked, no exit to process */
 +        return 0;
 +    default:
 +        assert(0);
 +    }
 +
 +    hvf_sync_vtimer(cpu);
 +
 +    switch (ec) {
 +    case EC_DATAABORT: {
 +        bool isv = syndrome & ARM_EL_ISV;
 +        bool iswrite = (syndrome >> 6) & 1;
 +        bool s1ptw = (syndrome >> 7) & 1;
 +        uint32_t sas = (syndrome >> 22) & 3;
 +        uint32_t len = 1 << sas;
 +        uint32_t srt = (syndrome >> 16) & 0x1f;
 +        uint64_t val = 0;
 +
 +        trace_hvf_data_abort(env->pc, hvf_exit->exception.virtual_address,
 +                             hvf_exit->exception.physical_address, isv,
 +                             iswrite, s1ptw, len, srt);
 +
 +        assert(isv);
 +
 +        if (iswrite) {
 +            val = hvf_get_reg(cpu, srt);
 +            address_space_write(&address_space_memory,
 +                                hvf_exit->exception.physical_address,
 +                                MEMTXATTRS_UNSPECIFIED, &val, len);
 +        } else {
 +            address_space_read(&address_space_memory,
 +                               hvf_exit->exception.physical_address,
 +                               MEMTXATTRS_UNSPECIFIED, &val, len);
 +            hvf_set_reg(cpu, srt, val);
 +        }
 +
 +        advance_pc = true;
 +        break;
 +    }
 +    case EC_SYSTEMREGISTERTRAP: {
 +        bool isread = (syndrome >> 0) & 1;
 +        uint32_t rt = (syndrome >> 5) & 0x1f;
 +        uint32_t reg = syndrome & SYSREG_MASK;
 +        uint64_t val;
 +        int ret = 0;
 +
 +        if (isread) {
 +            ret = hvf_sysreg_read(cpu, reg, rt);
 +        } else {
 +            val = hvf_get_reg(cpu, rt);
 +            ret = hvf_sysreg_write(cpu, reg, val);
 +        }
 +
 +        advance_pc = !ret;
 +        break;
 +    }
 +    case EC_WFX_TRAP:
 +        advance_pc = true;
 +        break;
 +    case EC_AA64_HVC:
 +        cpu_synchronize_state(cpu);
 +        trace_hvf_unknown_hvc(env->xregs[0]);
 +        /* SMCCC 1.3 section 5.2 says every unknown SMCCC call returns -1 */
 +        env->xregs[0] = -1;
 +        break;
 +    case EC_AA64_SMC:
 +        cpu_synchronize_state(cpu);
 +        trace_hvf_unknown_smc(env->xregs[0]);
 +        hvf_raise_exception(cpu, EXCP_UDEF, syn_uncategorized());
 +        break;
 +    default:
 +        cpu_synchronize_state(cpu);
 +        trace_hvf_exit(syndrome, ec, env->pc);
 +        error_report("0x%llx: unhandled exception ec=0x%x", env->pc, ec);
 +    }
 +
 +    if (advance_pc) {
 +        uint64_t pc;
 +
 +        flush_cpu_state(cpu);
 +
 +        r = hv_vcpu_get_reg(cpu->hvf->fd, HV_REG_PC, &pc);
 +        assert_hvf_ok(r);
 +        pc += 4;
 +        r = hv_vcpu_set_reg(cpu->hvf->fd, HV_REG_PC, pc);
 +        assert_hvf_ok(r);
 +    }
 +
 +    return 0;
 +}
 +
 +static const VMStateDescription vmstate_hvf_vtimer = {
 +    .name = "hvf-vtimer",
 +    .version_id = 1,
 +    .minimum_version_id = 1,
 +    .fields = (VMStateField[]) {
 +        VMSTATE_UINT64(vtimer_val, HVFVTimer),
 +        VMSTATE_END_OF_LIST()
 +    },
 +};
 +
-+#endif /* FSL_IMX7_H */
++static void hvf_vm_state_change(void *opaque, bool running, RunState state)
-diff --git a/hw/arm/fsl-imx7.c b/hw/arm/fsl-imx7.c
++{
 +    HVFVTimer *s = opaque;
 +
 +    if (running) {
 +        /* Update vtimer offset on all CPUs */
 +        hvf_state->vtimer_offset = mach_absolute_time() - s->vtimer_val;
 +        cpu_synchronize_all_states();
 +    } else {
 +        /* Remember vtimer value on every pause */
 +        s->vtimer_val = hvf_vtimer_val_raw();
 +    }
 +}
 +
 +int hvf_arch_init(void)
 +{
 +    hvf_state->vtimer_offset = mach_absolute_time();
 +    vmstate_register(NULL, 0, &vmstate_hvf_vtimer, &vtimer);
 +    qemu_add_vm_change_state_handler(hvf_vm_state_change, &vtimer);
 +    return 0;
 +}
 diff --git a/target/i386/hvf/hvf.c b/target/i386/hvf/hvf.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/i386/hvf/hvf.c
 +++ b/target/i386/hvf/hvf.c
@@ -XXX,XX +XXX,XX @@ static inline bool apic_bus_freq_is_known(CPUX86State *env)
      return env->apic_bus_freq != 0;
  }
 +void hvf_kick_vcpu_thread(CPUState *cpu)
 +{
 +    cpus_kick_thread(cpu);
 +}
 +
  int hvf_arch_init(void)
  {
      return 0;
 diff --git a/MAINTAINERS b/MAINTAINERS
 index XXXXXXX..XXXXXXX 100644
 --- a/MAINTAINERS
 +++ b/MAINTAINERS
@@ -XXX,XX +XXX,XX @@ F: accel/accel-*.c
  F: accel/Makefile.objs
  F: accel/stubs/Makefile.objs
 +Apple Silicon HVF CPUs
 +M: Alexander Graf <agraf@csgraf.de>
 +S: Maintained
 +F: target/arm/hvf/
 +
  X86 HVF CPUs
  M: Cameron Esfahani <dirty@apple.com>
  M: Roman Bolshakov <r.bolshakov@yadro.com>
 diff --git a/target/arm/hvf/trace-events b/target/arm/hvf/trace-events
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
-+++ b/hw/arm/fsl-imx7.c
++++ b/target/arm/hvf/trace-events
 @@ -XXX,XX +XXX,XX @@
-+/*
++hvf_unhandled_sysreg_read(uint64_t pc, uint32_t reg, uint32_t op0, uint32_t op1, uint32_t crn, uint32_t crm, uint32_t op2) "unhandled sysreg read at pc=0x%"PRIx64": 0x%08x (op0=%d op1=%d crn=%d crm=%d op2=%d)"
-+ * Copyright (c) 2018, Impinj, Inc.
++hvf_unhandled_sysreg_write(uint64_t pc, uint32_t reg, uint32_t op0, uint32_t op1, uint32_t crn, uint32_t crm, uint32_t op2) "unhandled sysreg write at pc=0x%"PRIx64": 0x%08x (op0=%d op1=%d crn=%d crm=%d op2=%d)"
-+ *
++hvf_inject_fiq(void) "injecting FIQ"
-+ * i.MX7 SoC definitions
++hvf_inject_irq(void) "injecting IRQ"
-+ *
++hvf_data_abort(uint64_t pc, uint64_t va, uint64_t pa, bool isv, bool iswrite, bool s1ptw, uint32_t len, uint32_t srt) "data abort: [pc=0x%"PRIx64" va=0x%016"PRIx64" pa=0x%016"PRIx64" isv=%d iswrite=%d s1ptw=%d len=%d srt=%d]"
-+ * Author: Andrey Smirnov <andrew.smirnov@gmail.com>
++hvf_sysreg_read(uint32_t reg, uint32_t op0, uint32_t op1, uint32_t crn, uint32_t crm, uint32_t op2, uint64_t val) "sysreg read 0x%08x (op0=%d op1=%d crn=%d crm=%d op2=%d) = 0x%016"PRIx64
-+ *
++hvf_sysreg_write(uint32_t reg, uint32_t op0, uint32_t op1, uint32_t crn, uint32_t crm, uint32_t op2, uint64_t val) "sysreg write 0x%08x (op0=%d op1=%d crn=%d crm=%d op2=%d, val=0x%016"PRIx64")"
-+ * Based on hw/arm/fsl-imx6.c
++hvf_unknown_hvc(uint64_t x0) "unknown HVC! 0x%016"PRIx64
-+ *
++hvf_unknown_smc(uint64_t x0) "unknown SMC! 0x%016"PRIx64
-+ * This program is free software; you can redistribute it and/or modify
++hvf_exit(uint64_t syndrome, uint32_t ec, uint64_t pc) "exit: 0x%"PRIx64" [ec=0x%x pc=0x%"PRIx64"]"
 + * it under the terms of the GNU General Public License as published by
 + * the Free Software Foundation; either version 2 of the License, or
 + * (at your option) any later version.
 + *
 + * This program is distributed in the hope that it will be useful,
 + * but WITHOUT ANY WARRANTY; without even the implied warranty of
 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 + * GNU General Public License for more details.
 + */
 +
 +#include "qemu/osdep.h"
 +#include "qapi/error.h"
 +#include "qemu-common.h"
 +#include "hw/arm/fsl-imx7.h"
 +#include "hw/misc/unimp.h"
 +#include "sysemu/sysemu.h"
 +#include "qemu/error-report.h"
 +
 +#define NAME_SIZE 20
 +
 +static void fsl_imx7_init(Object *obj)
 +{
 +    BusState *sysbus = sysbus_get_default();
 +    FslIMX7State *s = FSL_IMX7(obj);
 +    char name[NAME_SIZE];
 +    int i;
 +
 +    if (smp_cpus > FSL_IMX7_NUM_CPUS) {
 +        error_report("%s: Only %d CPUs are supported (%d requested)",
 +                     TYPE_FSL_IMX7, FSL_IMX7_NUM_CPUS, smp_cpus);
 +        exit(1);
 +    }
 +
 +    for (i = 0; i < smp_cpus; i++) {
 +        object_initialize(&s->cpu[i], sizeof(s->cpu[i]),
 +                          ARM_CPU_TYPE_NAME("cortex-a7"));
 +        snprintf(name, NAME_SIZE, "cpu%d", i);
 +        object_property_add_child(obj, name, OBJECT(&s->cpu[i]),
 +                                  &error_fatal);
 +    }
 +
 +    /*
 +     * A7MPCORE
 +     */
 +    object_initialize(&s->a7mpcore, sizeof(s->a7mpcore), TYPE_A15MPCORE_PRIV);
 +    qdev_set_parent_bus(DEVICE(&s->a7mpcore), sysbus);
 +    object_property_add_child(obj, "a7mpcore",
 +                              OBJECT(&s->a7mpcore), &error_fatal);
 +
 +    /*
 +     * GPIOs 1 to 7
 +     */
 +    for (i = 0; i < FSL_IMX7_NUM_GPIOS; i++) {
 +        object_initialize(&s->gpio[i], sizeof(s->gpio[i]),
 +                          TYPE_IMX_GPIO);
 +        qdev_set_parent_bus(DEVICE(&s->gpio[i]), sysbus);
 +        snprintf(name, NAME_SIZE, "gpio%d", i);
 +        object_property_add_child(obj, name,
 +                                  OBJECT(&s->gpio[i]), &error_fatal);
 +    }
 +
 +    /*
 +     * GPT1, 2, 3, 4
 +     */
 +    for (i = 0; i < FSL_IMX7_NUM_GPTS; i++) {
 +        object_initialize(&s->gpt[i], sizeof(s->gpt[i]), TYPE_IMX7_GPT);
 +        qdev_set_parent_bus(DEVICE(&s->gpt[i]), sysbus);
 +        snprintf(name, NAME_SIZE, "gpt%d", i);
 +        object_property_add_child(obj, name, OBJECT(&s->gpt[i]),
 +                                  &error_fatal);
 +    }
 +
 +    /*
 +     * CCM
 +     */
 +    object_initialize(&s->ccm, sizeof(s->ccm), TYPE_IMX7_CCM);
 +    qdev_set_parent_bus(DEVICE(&s->ccm), sysbus);
 +    object_property_add_child(obj, "ccm", OBJECT(&s->ccm), &error_fatal);
 +
 +    /*
 +     * Analog
 +     */
 +    object_initialize(&s->analog, sizeof(s->analog), TYPE_IMX7_ANALOG);
 +    qdev_set_parent_bus(DEVICE(&s->analog), sysbus);
 +    object_property_add_child(obj, "analog", OBJECT(&s->analog), &error_fatal);
 +
 +    /*
 +     * GPCv2
 +     */
 +    object_initialize(&s->gpcv2, sizeof(s->gpcv2), TYPE_IMX_GPCV2);
 +    qdev_set_parent_bus(DEVICE(&s->gpcv2), sysbus);
 +    object_property_add_child(obj, "gpcv2", OBJECT(&s->gpcv2), &error_fatal);
 +
 +    for (i = 0; i < FSL_IMX7_NUM_ECSPIS; i++) {
 +        object_initialize(&s->spi[i], sizeof(s->spi[i]), TYPE_IMX_SPI);
 +        qdev_set_parent_bus(DEVICE(&s->spi[i]), sysbus_get_default());
 +        snprintf(name, NAME_SIZE, "spi%d", i + 1);
 +        object_property_add_child(obj, name, OBJECT(&s->spi[i]), NULL);
 +    }
 +
 +
 +    for (i = 0; i < FSL_IMX7_NUM_I2CS; i++) {
 +        object_initialize(&s->i2c[i], sizeof(s->i2c[i]), TYPE_IMX_I2C);
 +        qdev_set_parent_bus(DEVICE(&s->i2c[i]), sysbus_get_default());
 +        snprintf(name, NAME_SIZE, "i2c%d", i + 1);
 +        object_property_add_child(obj, name, OBJECT(&s->i2c[i]), NULL);
 +    }
 +
 +    /*
 +     * UART
 +     */
 +    for (i = 0; i < FSL_IMX7_NUM_UARTS; i++) {
 +            object_initialize(&s->uart[i], sizeof(s->uart[i]), TYPE_IMX_SERIAL);
 +            qdev_set_parent_bus(DEVICE(&s->uart[i]), sysbus);
 +            snprintf(name, NAME_SIZE, "uart%d", i);
 +            object_property_add_child(obj, name, OBJECT(&s->uart[i]),
 +                                      &error_fatal);
 +    }
 +
 +    /*
 +     * Ethernet
 +     */
 +    for (i = 0; i < FSL_IMX7_NUM_ETHS; i++) {
 +            object_initialize(&s->eth[i], sizeof(s->eth[i]), TYPE_IMX_ENET);
 +            qdev_set_parent_bus(DEVICE(&s->eth[i]), sysbus);
 +            snprintf(name, NAME_SIZE, "eth%d", i);
 +            object_property_add_child(obj, name, OBJECT(&s->eth[i]),
 +                                      &error_fatal);
 +    }
 +
 +    /*
 +     * SDHCI
 +     */
 +    for (i = 0; i < FSL_IMX7_NUM_USDHCS; i++) {
 +            object_initialize(&s->usdhc[i], sizeof(s->usdhc[i]),
 +                              TYPE_IMX_USDHC);
 +            qdev_set_parent_bus(DEVICE(&s->usdhc[i]), sysbus);
 +            snprintf(name, NAME_SIZE, "usdhc%d", i);
 +            object_property_add_child(obj, name, OBJECT(&s->usdhc[i]),
 +                                      &error_fatal);
 +    }
 +
 +    /*
 +     * SNVS
 +     */
 +    object_initialize(&s->snvs, sizeof(s->snvs), TYPE_IMX7_SNVS);
 +    qdev_set_parent_bus(DEVICE(&s->snvs), sysbus);
 +    object_property_add_child(obj, "snvs", OBJECT(&s->snvs), &error_fatal);
 +
 +    /*
 +     * Watchdog
 +     */
 +    for (i = 0; i < FSL_IMX7_NUM_WDTS; i++) {
 +            object_initialize(&s->wdt[i], sizeof(s->wdt[i]), TYPE_IMX2_WDT);
 +            qdev_set_parent_bus(DEVICE(&s->wdt[i]), sysbus);
 +            snprintf(name, NAME_SIZE, "wdt%d", i);
 +            object_property_add_child(obj, name, OBJECT(&s->wdt[i]),
 +                                      &error_fatal);
 +    }
 +
 +    /*
 +     * GPR
 +     */
 +    object_initialize(&s->gpr, sizeof(s->gpr), TYPE_IMX7_GPR);
 +    qdev_set_parent_bus(DEVICE(&s->gpr), sysbus);
 +    object_property_add_child(obj, "gpr", OBJECT(&s->gpr), &error_fatal);
 +
 +    object_initialize(&s->pcie, sizeof(s->pcie), TYPE_DESIGNWARE_PCIE_HOST);
 +    qdev_set_parent_bus(DEVICE(&s->pcie), sysbus);
 +    object_property_add_child(obj, "pcie", OBJECT(&s->pcie), &error_fatal);
 +
 +    for (i = 0; i < FSL_IMX7_NUM_USBS; i++) {
 +        object_initialize(&s->usb[i],
 +                          sizeof(s->usb[i]), TYPE_CHIPIDEA);
 +        qdev_set_parent_bus(DEVICE(&s->usb[i]), sysbus);
 +        snprintf(name, NAME_SIZE, "usb%d", i);
 +        object_property_add_child(obj, name,
 +                                  OBJECT(&s->usb[i]), &error_fatal);
 +    }
 +}
 +
 +static void fsl_imx7_realize(DeviceState *dev, Error **errp)
 +{
 +    FslIMX7State *s = FSL_IMX7(dev);
 +    Object *o;
 +    int i;
 +    qemu_irq irq;
 +    char name[NAME_SIZE];
 +
 +    for (i = 0; i < smp_cpus; i++) {
 +        o = OBJECT(&s->cpu[i]);
 +
 +        object_property_set_int(o, QEMU_PSCI_CONDUIT_SMC,
 +                                "psci-conduit", &error_abort);
 +
 +        /* On uniprocessor, the CBAR is set to 0 */
 +        if (smp_cpus > 1) {
 +            object_property_set_int(o, FSL_IMX7_A7MPCORE_ADDR,
 +                                    "reset-cbar", &error_abort);
 +        }
 +
 +        if (i) {
 +            /* Secondary CPUs start in PSCI powered-down state */
 +            object_property_set_bool(o, true,
 +                                     "start-powered-off", &error_abort);
 +        }
 +
 +        object_property_set_bool(o, true, "realized", &error_abort);
 +    }
 +
 +    /*
 +     * A7MPCORE
 +     */
 +    object_property_set_int(OBJECT(&s->a7mpcore), smp_cpus, "num-cpu",
 +                            &error_abort);
 +    object_property_set_int(OBJECT(&s->a7mpcore),
 +                            FSL_IMX7_MAX_IRQ + GIC_INTERNAL,
 +                            "num-irq", &error_abort);
 +
 +    object_property_set_bool(OBJECT(&s->a7mpcore), true, "realized",
 +                             &error_abort);
 +    sysbus_mmio_map(SYS_BUS_DEVICE(&s->a7mpcore), 0, FSL_IMX7_A7MPCORE_ADDR);
 +
 +    for (i = 0; i < smp_cpus; i++) {
 +        SysBusDevice *sbd = SYS_BUS_DEVICE(&s->a7mpcore);
 +        DeviceState  *d   = DEVICE(qemu_get_cpu(i));
 +
 +        irq = qdev_get_gpio_in(d, ARM_CPU_IRQ);
 +        sysbus_connect_irq(sbd, i, irq);
 +        irq = qdev_get_gpio_in(d, ARM_CPU_FIQ);
 +        sysbus_connect_irq(sbd, i + smp_cpus, irq);
 +    }
 +
 +    /*
 +     * A7MPCORE DAP
 +     */
 +    create_unimplemented_device("a7mpcore-dap", FSL_IMX7_A7MPCORE_DAP_ADDR,
 +                                0x100000);
 +
 +    /*
 +     * GPT1, 2, 3, 4
 +     */
 +    for (i = 0; i < FSL_IMX7_NUM_GPTS; i++) {
 +        static const hwaddr FSL_IMX7_GPTn_ADDR[FSL_IMX7_NUM_GPTS] = {
 +            FSL_IMX7_GPT1_ADDR,
 +            FSL_IMX7_GPT2_ADDR,
 +            FSL_IMX7_GPT3_ADDR,
 +            FSL_IMX7_GPT4_ADDR,
 +        };
 +
 +        s->gpt[i].ccm = IMX_CCM(&s->ccm);
 +        object_property_set_bool(OBJECT(&s->gpt[i]), true, "realized",
 +                                 &error_abort);
 +        sysbus_mmio_map(SYS_BUS_DEVICE(&s->gpt[i]), 0, FSL_IMX7_GPTn_ADDR[i]);
 +    }
 +
 +    for (i = 0; i < FSL_IMX7_NUM_GPIOS; i++) {
 +        static const hwaddr FSL_IMX7_GPIOn_ADDR[FSL_IMX7_NUM_GPIOS] = {
 +            FSL_IMX7_GPIO1_ADDR,
 +            FSL_IMX7_GPIO2_ADDR,
 +            FSL_IMX7_GPIO3_ADDR,
 +            FSL_IMX7_GPIO4_ADDR,
 +            FSL_IMX7_GPIO5_ADDR,
 +            FSL_IMX7_GPIO6_ADDR,
 +            FSL_IMX7_GPIO7_ADDR,
 +        };
 +
 +        object_property_set_bool(OBJECT(&s->gpio[i]), true, "realized",
 +                                 &error_abort);
 +        sysbus_mmio_map(SYS_BUS_DEVICE(&s->gpio[i]), 0, FSL_IMX7_GPIOn_ADDR[i]);
 +    }
 +
 +    /*
 +     * IOMUXC and IOMUXC_LPSR
 +     */
 +    for (i = 0; i < FSL_IMX7_NUM_IOMUXCS; i++) {
 +        static const hwaddr FSL_IMX7_IOMUXCn_ADDR[FSL_IMX7_NUM_IOMUXCS] = {
 +            FSL_IMX7_IOMUXC_ADDR,
 +            FSL_IMX7_IOMUXC_LPSR_ADDR,
 +        };
 +
 +        snprintf(name, NAME_SIZE, "iomuxc%d", i);
 +        create_unimplemented_device(name, FSL_IMX7_IOMUXCn_ADDR[i],
 +                                    FSL_IMX7_IOMUXCn_SIZE);
 +    }
 +
 +    /*
 +     * CCM
 +     */
 +    object_property_set_bool(OBJECT(&s->ccm), true, "realized", &error_abort);
 +    sysbus_mmio_map(SYS_BUS_DEVICE(&s->ccm), 0, FSL_IMX7_CCM_ADDR);
 +
 +    /*
 +     * Analog
 +     */
 +    object_property_set_bool(OBJECT(&s->analog), true, "realized",
 +                             &error_abort);
 +    sysbus_mmio_map(SYS_BUS_DEVICE(&s->analog), 0, FSL_IMX7_ANALOG_ADDR);
 +
 +    /*
 +     * GPCv2
 +     */
 +    object_property_set_bool(OBJECT(&s->gpcv2), true,
 +                             "realized", &error_abort);
 +    sysbus_mmio_map(SYS_BUS_DEVICE(&s->gpcv2), 0, FSL_IMX7_GPC_ADDR);
 +
 +    /* Initialize all ECSPI */
 +    for (i = 0; i < FSL_IMX7_NUM_ECSPIS; i++) {
 +        static const hwaddr FSL_IMX7_SPIn_ADDR[FSL_IMX7_NUM_ECSPIS] = {
 +            FSL_IMX7_ECSPI1_ADDR,
 +            FSL_IMX7_ECSPI2_ADDR,
 +            FSL_IMX7_ECSPI3_ADDR,
 +            FSL_IMX7_ECSPI4_ADDR,
 +        };
 +
 +        static const hwaddr FSL_IMX7_SPIn_IRQ[FSL_IMX7_NUM_ECSPIS] = {
 +            FSL_IMX7_ECSPI1_IRQ,
 +            FSL_IMX7_ECSPI2_IRQ,
 +            FSL_IMX7_ECSPI3_IRQ,
 +            FSL_IMX7_ECSPI4_IRQ,
 +        };
 +
 +        /* Initialize the SPI */
 +        object_property_set_bool(OBJECT(&s->spi[i]), true, "realized",
 +                                 &error_abort);
 +        sysbus_mmio_map(SYS_BUS_DEVICE(&s->spi[i]), 0,
 +                        FSL_IMX7_SPIn_ADDR[i]);
 +        sysbus_connect_irq(SYS_BUS_DEVICE(&s->spi[i]), 0,
 +                           qdev_get_gpio_in(DEVICE(&s->a7mpcore),
 +                                            FSL_IMX7_SPIn_IRQ[i]));
 +    }
 +
 +    for (i = 0; i < FSL_IMX7_NUM_I2CS; i++) {
 +        static const hwaddr FSL_IMX7_I2Cn_ADDR[FSL_IMX7_NUM_I2CS] = {
 +            FSL_IMX7_I2C1_ADDR,
 +            FSL_IMX7_I2C2_ADDR,
 +            FSL_IMX7_I2C3_ADDR,
 +            FSL_IMX7_I2C4_ADDR,
 +        };
 +
 +        static const hwaddr FSL_IMX7_I2Cn_IRQ[FSL_IMX7_NUM_I2CS] = {
 +            FSL_IMX7_I2C1_IRQ,
 +            FSL_IMX7_I2C2_IRQ,
 +            FSL_IMX7_I2C3_IRQ,
 +            FSL_IMX7_I2C4_IRQ,
 +        };
 +
 +        object_property_set_bool(OBJECT(&s->i2c[i]), true, "realized",
 +                                 &error_abort);
 +        sysbus_mmio_map(SYS_BUS_DEVICE(&s->i2c[i]), 0, FSL_IMX7_I2Cn_ADDR[i]);
 +
 +        sysbus_connect_irq(SYS_BUS_DEVICE(&s->i2c[i]), 0,
 +                           qdev_get_gpio_in(DEVICE(&s->a7mpcore),
 +                                            FSL_IMX7_I2Cn_IRQ[i]));
 +    }
 +
 +    /*
 +     * UART
 +     */
 +    for (i = 0; i < FSL_IMX7_NUM_UARTS; i++) {
 +        static const hwaddr FSL_IMX7_UARTn_ADDR[FSL_IMX7_NUM_UARTS] = {
 +            FSL_IMX7_UART1_ADDR,
 +            FSL_IMX7_UART2_ADDR,
 +            FSL_IMX7_UART3_ADDR,
 +            FSL_IMX7_UART4_ADDR,
 +            FSL_IMX7_UART5_ADDR,
 +            FSL_IMX7_UART6_ADDR,
 +            FSL_IMX7_UART7_ADDR,
 +        };
 +
 +        static const int FSL_IMX7_UARTn_IRQ[FSL_IMX7_NUM_UARTS] = {
 +            FSL_IMX7_UART1_IRQ,
 +            FSL_IMX7_UART2_IRQ,
 +            FSL_IMX7_UART3_IRQ,
 +            FSL_IMX7_UART4_IRQ,
 +            FSL_IMX7_UART5_IRQ,
 +            FSL_IMX7_UART6_IRQ,
 +            FSL_IMX7_UART7_IRQ,
 +        };
 +
 +
 +        if (i < MAX_SERIAL_PORTS) {
 +            qdev_prop_set_chr(DEVICE(&s->uart[i]), "chardev", serial_hds[i]);
 +        }
 +
 +        object_property_set_bool(OBJECT(&s->uart[i]), true, "realized",
 +                                 &error_abort);
 +
 +        sysbus_mmio_map(SYS_BUS_DEVICE(&s->uart[i]), 0, FSL_IMX7_UARTn_ADDR[i]);
 +
 +        irq = qdev_get_gpio_in(DEVICE(&s->a7mpcore), FSL_IMX7_UARTn_IRQ[i]);
 +        sysbus_connect_irq(SYS_BUS_DEVICE(&s->uart[i]), 0, irq);
 +    }
 +
 +    /*
 +     * Ethernet
 +     */
 +    for (i = 0; i < FSL_IMX7_NUM_ETHS; i++) {
 +        static const hwaddr FSL_IMX7_ENETn_ADDR[FSL_IMX7_NUM_ETHS] = {
 +            FSL_IMX7_ENET1_ADDR,
 +            FSL_IMX7_ENET2_ADDR,
 +        };
 +
 +        object_property_set_uint(OBJECT(&s->eth[i]), FSL_IMX7_ETH_NUM_TX_RINGS,
 +                                 "tx-ring-num", &error_abort);
 +        qdev_set_nic_properties(DEVICE(&s->eth[i]), &nd_table[i]);
 +        object_property_set_bool(OBJECT(&s->eth[i]), true, "realized",
 +                                 &error_abort);
 +
 +        sysbus_mmio_map(SYS_BUS_DEVICE(&s->eth[i]), 0, FSL_IMX7_ENETn_ADDR[i]);
 +
 +        irq = qdev_get_gpio_in(DEVICE(&s->a7mpcore), FSL_IMX7_ENET_IRQ(i, 0));
 +        sysbus_connect_irq(SYS_BUS_DEVICE(&s->eth[i]), 0, irq);
 +        irq = qdev_get_gpio_in(DEVICE(&s->a7mpcore), FSL_IMX7_ENET_IRQ(i, 3));
 +        sysbus_connect_irq(SYS_BUS_DEVICE(&s->eth[i]), 1, irq);
 +    }
 +
 +    /*
 +     * USDHC
 +     */
 +    for (i = 0; i < FSL_IMX7_NUM_USDHCS; i++) {
 +        static const hwaddr FSL_IMX7_USDHCn_ADDR[FSL_IMX7_NUM_USDHCS] = {
 +            FSL_IMX7_USDHC1_ADDR,
 +            FSL_IMX7_USDHC2_ADDR,
 +            FSL_IMX7_USDHC3_ADDR,
 +        };
 +
 +        static const int FSL_IMX7_USDHCn_IRQ[FSL_IMX7_NUM_USDHCS] = {
 +            FSL_IMX7_USDHC1_IRQ,
 +            FSL_IMX7_USDHC2_IRQ,
 +            FSL_IMX7_USDHC3_IRQ,
 +        };
 +
 +        object_property_set_bool(OBJECT(&s->usdhc[i]), true, "realized",
 +                                 &error_abort);
 +
 +        sysbus_mmio_map(SYS_BUS_DEVICE(&s->usdhc[i]), 0,
 +                        FSL_IMX7_USDHCn_ADDR[i]);
 +
 +        irq = qdev_get_gpio_in(DEVICE(&s->a7mpcore), FSL_IMX7_USDHCn_IRQ[i]);
 +        sysbus_connect_irq(SYS_BUS_DEVICE(&s->usdhc[i]), 0, irq);
 +    }
 +
 +    /*
 +     * SNVS
 +     */
 +    object_property_set_bool(OBJECT(&s->snvs), true, "realized", &error_abort);
 +    sysbus_mmio_map(SYS_BUS_DEVICE(&s->snvs), 0, FSL_IMX7_SNVS_ADDR);
 +
 +    /*
 +     * SRC
 +     */
 +    create_unimplemented_device("sdma", FSL_IMX7_SRC_ADDR, FSL_IMX7_SRC_SIZE);
 +
 +    /*
 +     * Watchdog
 +     */
 +    for (i = 0; i < FSL_IMX7_NUM_WDTS; i++) {
 +        static const hwaddr FSL_IMX7_WDOGn_ADDR[FSL_IMX7_NUM_WDTS] = {
 +            FSL_IMX7_WDOG1_ADDR,
 +            FSL_IMX7_WDOG2_ADDR,
 +            FSL_IMX7_WDOG3_ADDR,
 +            FSL_IMX7_WDOG4_ADDR,
 +        };
 +
 +        object_property_set_bool(OBJECT(&s->wdt[i]), true, "realized",
 +                                 &error_abort);
 +
 +        sysbus_mmio_map(SYS_BUS_DEVICE(&s->wdt[i]), 0, FSL_IMX7_WDOGn_ADDR[i]);
 +    }
 +
 +    /*
 +     * SDMA
 +     */
 +    create_unimplemented_device("sdma", FSL_IMX7_SDMA_ADDR, FSL_IMX7_SDMA_SIZE);
 +
 +
 +    object_property_set_bool(OBJECT(&s->gpr), true, "realized",
 +                             &error_abort);
 +    sysbus_mmio_map(SYS_BUS_DEVICE(&s->gpr), 0, FSL_IMX7_GPR_ADDR);
 +
 +    object_property_set_bool(OBJECT(&s->pcie), true,
 +                             "realized", &error_abort);
 +    sysbus_mmio_map(SYS_BUS_DEVICE(&s->pcie), 0, FSL_IMX7_PCIE_REG_ADDR);
 +
 +    irq = qdev_get_gpio_in(DEVICE(&s->a7mpcore), FSL_IMX7_PCI_INTA_IRQ);
 +    sysbus_connect_irq(SYS_BUS_DEVICE(&s->pcie), 0, irq);
 +    irq = qdev_get_gpio_in(DEVICE(&s->a7mpcore), FSL_IMX7_PCI_INTB_IRQ);
 +    sysbus_connect_irq(SYS_BUS_DEVICE(&s->pcie), 1, irq);
 +    irq = qdev_get_gpio_in(DEVICE(&s->a7mpcore), FSL_IMX7_PCI_INTC_IRQ);
 +    sysbus_connect_irq(SYS_BUS_DEVICE(&s->pcie), 2, irq);
 +    irq = qdev_get_gpio_in(DEVICE(&s->a7mpcore), FSL_IMX7_PCI_INTD_IRQ);
 +    sysbus_connect_irq(SYS_BUS_DEVICE(&s->pcie), 3, irq);
 +
 +
 +    for (i = 0; i < FSL_IMX7_NUM_USBS; i++) {
 +        static const hwaddr FSL_IMX7_USBMISCn_ADDR[FSL_IMX7_NUM_USBS] = {
 +            FSL_IMX7_USBMISC1_ADDR,
 +            FSL_IMX7_USBMISC2_ADDR,
 +            FSL_IMX7_USBMISC3_ADDR,
 +        };
 +
 +        static const hwaddr FSL_IMX7_USBn_ADDR[FSL_IMX7_NUM_USBS] = {
 +            FSL_IMX7_USB1_ADDR,
 +            FSL_IMX7_USB2_ADDR,
 +            FSL_IMX7_USB3_ADDR,
 +        };
 +
 +        static const hwaddr FSL_IMX7_USBn_IRQ[FSL_IMX7_NUM_USBS] = {
 +            FSL_IMX7_USB1_IRQ,
 +            FSL_IMX7_USB2_IRQ,
 +            FSL_IMX7_USB3_IRQ,
 +        };
 +
 +        object_property_set_bool(OBJECT(&s->usb[i]), true, "realized",
 +                                 &error_abort);
 +        sysbus_mmio_map(SYS_BUS_DEVICE(&s->usb[i]), 0,
 +                        FSL_IMX7_USBn_ADDR[i]);
 +
 +        irq = qdev_get_gpio_in(DEVICE(&s->a7mpcore), FSL_IMX7_USBn_IRQ[i]);
 +        sysbus_connect_irq(SYS_BUS_DEVICE(&s->usb[i]), 0, irq);
 +
 +        snprintf(name, NAME_SIZE, "usbmisc%d", i);
 +        create_unimplemented_device(name, FSL_IMX7_USBMISCn_ADDR[i],
 +                                    FSL_IMX7_USBMISCn_SIZE);
 +    }
 +
 +    /*
 +     * ADCs
 +     */
 +    for (i = 0; i < FSL_IMX7_NUM_ADCS; i++) {
 +        static const hwaddr FSL_IMX7_ADCn_ADDR[FSL_IMX7_NUM_ADCS] = {
 +            FSL_IMX7_ADC1_ADDR,
 +            FSL_IMX7_ADC2_ADDR,
 +        };
 +
 +        snprintf(name, NAME_SIZE, "adc%d", i);
 +        create_unimplemented_device(name, FSL_IMX7_ADCn_ADDR[i],
 +                                    FSL_IMX7_ADCn_SIZE);
 +    }
 +
 +    /*
 +     * LCD
 +     */
 +    create_unimplemented_device("lcdif", FSL_IMX7_LCDIF_ADDR,
 +                                FSL_IMX7_LCDIF_SIZE);
 +}
 +
 +static void fsl_imx7_class_init(ObjectClass *oc, void *data)
 +{
 +    DeviceClass *dc = DEVICE_CLASS(oc);
 +
 +    dc->realize = fsl_imx7_realize;
 +
 +    /* Reason: Uses serial_hds and nd_table in realize() directly */
 +    dc->user_creatable = false;
 +    dc->desc = "i.MX7 SOC";
 +}
 +
 +static const TypeInfo fsl_imx7_type_info = {
 +    .name = TYPE_FSL_IMX7,
 +    .parent = TYPE_DEVICE,
 +    .instance_size = sizeof(FslIMX7State),
 +    .instance_init = fsl_imx7_init,
 +    .class_init = fsl_imx7_class_init,
 +};
 +
 +static void fsl_imx7_register_types(void)
 +{
 +    type_register_static(&fsl_imx7_type_info);
 +}
 +type_init(fsl_imx7_register_types)
 diff --git a/default-configs/arm-softmmu.mak b/default-configs/arm-softmmu.mak
 index XXXXXXX..XXXXXXX 100644
 --- a/default-configs/arm-softmmu.mak
 +++ b/default-configs/arm-softmmu.mak
@@ -XXX,XX +XXX,XX @@ CONFIG_ALLWINNER_A10=y
  CONFIG_FSL_IMX6=y
  CONFIG_FSL_IMX31=y
  CONFIG_FSL_IMX25=y
 +CONFIG_FSL_IMX7=y
  CONFIG_IMX_I2C=y
 --
-.16.2
+.20.1

-[Qemu-devel] [PULL 10/25] aarch64-linux-user: Add support for SVE signal frame records
+[PULL 11/27] arm/hvf: Add a WFI handler
-From: Richard Henderson <richard.henderson@linaro.org>
+From: Peter Collingbourne <pcc@google.com>
-Depending on the currently selected size of the SVE vector registers,
+Sleep on WFI until the VTIMER is due but allow ourselves to be woken
-we can either store the data within the "standard" allocation, or we
+up on IPI.
 may beedn to allocate additional space with an EXTRA record.
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+In this implementation IPI is blocked on the CPU thread at startup and
-Message-id: 20180303143823.27055-6-richard.henderson@linaro.org
+pselect() is used to atomically unblock the signal and begin sleeping.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+The signal is sent unconditionally so there's no need to worry about
 races between actually sleeping and the "we think we're sleeping"
 state. It may lead to an extra wakeup but that's better than missing
 it entirely.
 Signed-off-by: Peter Collingbourne <pcc@google.com>
 Signed-off-by: Alexander Graf <agraf@csgraf.de>
 Acked-by: Roman Bolshakov <r.bolshakov@yadro.com>
 Reviewed-by: Sergio Lopez <slp@redhat.com>
 Message-id: 20210916155404.86958-6-agraf@csgraf.de
 [agraf: Remove unused 'set' variable, always advance PC on WFX trap,
         support vm stop / continue operations and cntv offsets]
 Signed-off-by: Alexander Graf <agraf@csgraf.de>
 Acked-by: Roman Bolshakov <r.bolshakov@yadro.com>
 Reviewed-by: Sergio Lopez <slp@redhat.com>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- linux-user/signal.c | 210 +++++++++++++++++++++++++++++++++++++++++++++++-----
+ include/sysemu/hvf_int.h  |  1 +
-file changed, 192 insertions(+), 18 deletions(-)
+ accel/hvf/hvf-accel-ops.c |  5 +--
  target/arm/hvf/hvf.c      | 79 +++++++++++++++++++++++++++++++++++++++
 files changed, 82 insertions(+), 3 deletions(-)
-diff --git a/linux-user/signal.c b/linux-user/signal.c
+diff --git a/include/sysemu/hvf_int.h b/include/sysemu/hvf_int.h
 index XXXXXXX..XXXXXXX 100644
---- a/linux-user/signal.c
+--- a/include/sysemu/hvf_int.h
-+++ b/linux-user/signal.c
++++ b/include/sysemu/hvf_int.h
-@@ -XXX,XX +XXX,XX @@ struct target_extra_context {
+@@ -XXX,XX +XXX,XX @@ struct hvf_vcpu_state {
-     uint32_t reserved[3];
+     uint64_t fd;
      void *exit;
      bool vtimer_masked;
 +    sigset_t unblock_ipi_mask;
  };
-+#define TARGET_SVE_MAGIC    0x53564501
+ void assert_hvf_ok(hv_return_t ret);
 diff --git a/accel/hvf/hvf-accel-ops.c b/accel/hvf/hvf-accel-ops.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/hvf/hvf-accel-ops.c
 +++ b/accel/hvf/hvf-accel-ops.c
@@ -XXX,XX +XXX,XX @@ static int hvf_init_vcpu(CPUState *cpu)
      cpu->hvf = g_malloc0(sizeof(*cpu->hvf));
      /* init cpu signals */
 -    sigset_t set;
      struct sigaction sigact;
      memset(&sigact, 0, sizeof(sigact));
      sigact.sa_handler = dummy_signal;
      sigaction(SIG_IPI, &sigact, NULL);
 -    pthread_sigmask(SIG_BLOCK, NULL, &set);
 -    sigdelset(&set, SIG_IPI);
 +    pthread_sigmask(SIG_BLOCK, NULL, &cpu->hvf->unblock_ipi_mask);
 +    sigdelset(&cpu->hvf->unblock_ipi_mask, SIG_IPI);
  #ifdef __aarch64__
      r = hv_vcpu_create(&cpu->hvf->fd, (hv_vcpu_exit_t **)&cpu->hvf->exit, NULL);
 diff --git a/target/arm/hvf/hvf.c b/target/arm/hvf/hvf.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/hvf/hvf.c
 +++ b/target/arm/hvf/hvf.c
@@ -XXX,XX +XXX,XX @@
   * QEMU Hypervisor.framework support for Apple Silicon
   * Copyright 2020 Alexander Graf <agraf@csgraf.de>
 + * Copyright 2020 Google LLC
   *
   * This work is licensed under the terms of the GNU GPL, version 2 or later.
   * See the COPYING file in the top-level directory.
@@ -XXX,XX +XXX,XX @@ int hvf_arch_init_vcpu(CPUState *cpu)
  void hvf_kick_vcpu_thread(CPUState *cpu)
  {
 +    cpus_kick_thread(cpu);
      hv_vcpus_exit(&cpu->hvf->fd, 1);
  }
@@ -XXX,XX +XXX,XX @@ static uint64_t hvf_vtimer_val_raw(void)
      return mach_absolute_time() - hvf_state->vtimer_offset;
  }
 +static uint64_t hvf_vtimer_val(void)
 +{
 +    if (!runstate_is_running()) {
 +        /* VM is paused, the vtimer value is in vtimer.vtimer_val */
 +        return vtimer.vtimer_val;
 +    }
 +
-+struct target_sve_context {
++    return hvf_vtimer_val_raw();
 +    struct target_aarch64_ctx head;
 +    uint16_t vl;
 +    uint16_t reserved[3];
 +    /* The actual SVE data immediately follows.  It is layed out
 +     * according to TARGET_SVE_SIG_{Z,P}REG_OFFSET, based off of
 +     * the original struct pointer.
 +     */
 +};
 +
 +#define TARGET_SVE_VQ_BYTES  16
 +
 +#define TARGET_SVE_SIG_ZREG_SIZE(VQ)  ((VQ) * TARGET_SVE_VQ_BYTES)
 +#define TARGET_SVE_SIG_PREG_SIZE(VQ)  ((VQ) * (TARGET_SVE_VQ_BYTES / 8))
 +
 +#define TARGET_SVE_SIG_REGS_OFFSET \
 +    QEMU_ALIGN_UP(sizeof(struct target_sve_context), TARGET_SVE_VQ_BYTES)
 +#define TARGET_SVE_SIG_ZREG_OFFSET(VQ, N) \
 +    (TARGET_SVE_SIG_REGS_OFFSET + TARGET_SVE_SIG_ZREG_SIZE(VQ) * (N))
 +#define TARGET_SVE_SIG_PREG_OFFSET(VQ, N) \
 +    (TARGET_SVE_SIG_ZREG_OFFSET(VQ, 32) + TARGET_SVE_SIG_PREG_SIZE(VQ) * (N))
 +#define TARGET_SVE_SIG_FFR_OFFSET(VQ) \
 +    (TARGET_SVE_SIG_PREG_OFFSET(VQ, 16))
 +#define TARGET_SVE_SIG_CONTEXT_SIZE(VQ) \
 +    (TARGET_SVE_SIG_PREG_OFFSET(VQ, 17))
 +
  struct target_rt_sigframe {
      struct target_siginfo info;
      struct target_ucontext uc;
@@ -XXX,XX +XXX,XX @@ static void target_setup_end_record(struct target_aarch64_ctx *end)
      __put_user(0, &end->size);
  }
 +static void target_setup_sve_record(struct target_sve_context *sve,
 +                                    CPUARMState *env, int vq, int size)
 +{
 +    int i, j;
 +
 +    __put_user(TARGET_SVE_MAGIC, &sve->head.magic);
 +    __put_user(size, &sve->head.size);
 +    __put_user(vq * TARGET_SVE_VQ_BYTES, &sve->vl);
 +
 +    /* Note that SVE regs are stored as a byte stream, with each byte element
 +     * at a subsequent address.  This corresponds to a little-endian store
 +     * of our 64-bit hunks.
 +     */
 +    for (i = 0; i < 32; ++i) {
 +        uint64_t *z = (void *)sve + TARGET_SVE_SIG_ZREG_OFFSET(vq, i);
 +        for (j = 0; j < vq * 2; ++j) {
 +            __put_user_e(env->vfp.zregs[i].d[j], z + j, le);
 +        }
 +    }
 +    for (i = 0; i <= 16; ++i) {
 +        uint16_t *p = (void *)sve + TARGET_SVE_SIG_PREG_OFFSET(vq, i);
 +        for (j = 0; j < vq; ++j) {
 +            uint64_t r = env->vfp.pregs[i].p[j >> 2];
 +            __put_user_e(r >> ((j & 3) * 16), p + j, le);
 +        }
 +    }
 +}
 +
- static void target_restore_general_frame(CPUARMState *env,
++static void hvf_wait_for_ipi(CPUState *cpu, struct timespec *ts)
                                           struct target_rt_sigframe *sf)
  {
@@ -XXX,XX +XXX,XX @@ static void target_restore_fpsimd_record(CPUARMState *env,
      }
  }
 +static void target_restore_sve_record(CPUARMState *env,
 +                                      struct target_sve_context *sve, int vq)
 +{
-+    int i, j;
++    /*
-+
++     * Use pselect to sleep so that other threads can IPI us while we're
-+    /* Note that SVE regs are stored as a byte stream, with each byte element
++     * sleeping.
 +     * at a subsequent address.  This corresponds to a little-endian load
 +     * of our 64-bit hunks.
 +     */
-+    for (i = 0; i < 32; ++i) {
++    qatomic_mb_set(&cpu->thread_kicked, false);
-+        uint64_t *z = (void *)sve + TARGET_SVE_SIG_ZREG_OFFSET(vq, i);
++    qemu_mutex_unlock_iothread();
-+        for (j = 0; j < vq * 2; ++j) {
++    pselect(0, 0, 0, 0, ts, &cpu->hvf->unblock_ipi_mask);
-+            __get_user_e(env->vfp.zregs[i].d[j], z + j, le);
++    qemu_mutex_lock_iothread();
 +        }
 +    }
 +    for (i = 0; i <= 16; ++i) {
 +        uint16_t *p = (void *)sve + TARGET_SVE_SIG_PREG_OFFSET(vq, i);
 +        for (j = 0; j < vq; ++j) {
 +            uint16_t r;
 +            __get_user_e(r, p + j, le);
 +            if (j & 3) {
 +                env->vfp.pregs[i].p[j >> 2] |= (uint64_t)r << ((j & 3) * 16);
 +            } else {
 +                env->vfp.pregs[i].p[j >> 2] = r;
 +            }
 +        }
 +    }
 +}
 +
- static int target_restore_sigframe(CPUARMState *env,
++static void hvf_wfi(CPUState *cpu)
-                                    struct target_rt_sigframe *sf)
++{
- {
++    ARMCPU *arm_cpu = ARM_CPU(cpu);
-     struct target_aarch64_ctx *ctx, *extra = NULL;
++    struct timespec ts;
-     struct target_fpsimd_context *fpsimd = NULL;
++    hv_return_t r;
-+    struct target_sve_context *sve = NULL;
++    uint64_t ctl;
-     uint64_t extra_datap = 0;
++    uint64_t cval;
-     bool used_extra = false;
++    int64_t ticks_to_sleep;
-     bool err = false;
++    uint64_t seconds;
-+    int vq = 0, sve_size = 0;
++    uint64_t nanos;
++    uint32_t cntfrq;
      target_restore_general_frame(env, sf);
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
              fpsimd = (struct target_fpsimd_context *)ctx;
              break;
 +        case TARGET_SVE_MAGIC:
 +            if (arm_feature(env, ARM_FEATURE_SVE)) {
 +                vq = (env->vfp.zcr_el[1] & 0xf) + 1;
 +                sve_size = QEMU_ALIGN_UP(TARGET_SVE_SIG_CONTEXT_SIZE(vq), 16);
 +                if (!sve && size == sve_size) {
 +                    sve = (struct target_sve_context *)ctx;
 +                    break;
 +                }
 +            }
 +            err = true;
 +            goto exit;
 +
-         case TARGET_EXTRA_MAGIC:
++    if (cpu->interrupt_request & (CPU_INTERRUPT_HARD | CPU_INTERRUPT_FIQ)) {
-             if (extra || size != sizeof(struct target_extra_context)) {
++        /* Interrupt pending, no need to wait */
-                 err = true;
++        return;
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
          err = true;
      }
 +    /* SVE data, if present, overwrites FPSIMD data.  */
 +    if (sve) {
 +        target_restore_sve_record(env, sve, vq);
 +    }
 +
-  exit:
++    r = hv_vcpu_get_sys_reg(cpu->hvf->fd, HV_SYS_REG_CNTV_CTL_EL0, &ctl);
-     unlock_user(extra, extra_datap, 0);
++    assert_hvf_ok(r);
      return err;
  }
 -static abi_ulong get_sigframe(struct target_sigaction *ka, CPUARMState *env)
 +static abi_ulong get_sigframe(struct target_sigaction *ka,
 +                              CPUARMState *env, int size)
  {
      abi_ulong sp;
@@ -XXX,XX +XXX,XX @@ static abi_ulong get_sigframe(struct target_sigaction *ka, CPUARMState *env)
          sp = target_sigaltstack_used.ss_sp + target_sigaltstack_used.ss_size;
      }
 -    sp = (sp - sizeof(struct target_rt_sigframe)) & ~15;
 +    sp = (sp - size) & ~15;
      return sp;
  }
 +typedef struct {
 +    int total_size;
 +    int extra_base;
 +    int extra_size;
 +    int std_end_ofs;
 +    int extra_ofs;
 +    int extra_end_ofs;
 +} target_sigframe_layout;
 +
-+static int alloc_sigframe_space(int this_size, target_sigframe_layout *l)
++    if (!(ctl & 1) || (ctl & 2)) {
-+{
++        /* Timer disabled or masked, just wait for an IPI. */
-+    /* Make sure there will always be space for the end marker.  */
++        hvf_wait_for_ipi(cpu, NULL);
-+    const int std_size = sizeof(struct target_rt_sigframe)
++        return;
-+                         - sizeof(struct target_aarch64_ctx);
++    }
 +    int this_loc = l->total_size;
 +
-+    if (l->extra_base) {
++    r = hv_vcpu_get_sys_reg(cpu->hvf->fd, HV_SYS_REG_CNTV_CVAL_EL0, &cval);
-+        /* Once we have begun an extra space, all allocations go there.  */
++    assert_hvf_ok(r);
 +        l->extra_size += this_size;
 +    } else if (this_size + this_loc > std_size) {
 +        /* This allocation does not fit in the standard space.  */
 +        /* Allocate the extra record.  */
 +        l->extra_ofs = this_loc;
 +        l->total_size += sizeof(struct target_extra_context);
 +
-+        /* Allocate the standard end record.  */
++    ticks_to_sleep = cval - hvf_vtimer_val();
-+        l->std_end_ofs = l->total_size;
++    if (ticks_to_sleep < 0) {
-+        l->total_size += sizeof(struct target_aarch64_ctx);
++        return;
 +    }
 +
-+        /* Allocate the requested record.  */
++    cntfrq = gt_cntfrq_period_ns(arm_cpu);
-+        l->extra_base = this_loc = l->total_size;
++    seconds = muldiv64(ticks_to_sleep, cntfrq, NANOSECONDS_PER_SECOND);
-+        l->extra_size = this_size;
++    ticks_to_sleep -= muldiv64(seconds, NANOSECONDS_PER_SECOND, cntfrq);
 +    nanos = ticks_to_sleep * cntfrq;
 +
 +    /*
 +     * Don't sleep for less than the time a context switch would take,
 +     * so that we can satisfy fast timer requests on the same CPU.
 +     * Measurements on M1 show the sweet spot to be ~2ms.
 +     */
 +    if (!seconds && nanos < (2 * SCALE_MS)) {
 +        return;
 +    }
-+    l->total_size += this_size;
 +
-+    return this_loc;
++    ts = (struct timespec) { seconds, nanos };
 +    hvf_wait_for_ipi(cpu, &ts);
 +}
 +
- static void target_setup_frame(int usig, struct target_sigaction *ka,
+ static void hvf_sync_vtimer(CPUState *cpu)
                                 target_siginfo_t *info, target_sigset_t *set,
                                 CPUARMState *env)
  {
--    int size = offsetof(struct target_rt_sigframe, uc.tuc_mcontext.__reserved);
+     ARMCPU *arm_cpu = ARM_CPU(cpu);
--    int fpsimd_ofs, end1_ofs, fr_ofs, end2_ofs = 0;
+@@ -XXX,XX +XXX,XX @@ int hvf_vcpu_exec(CPUState *cpu)
 -    int extra_ofs = 0, extra_base = 0, extra_size = 0;
 +    target_sigframe_layout layout = {
 +        /* Begin with the size pointing to the reserved space.  */
 +        .total_size = offsetof(struct target_rt_sigframe,
 +                               uc.tuc_mcontext.__reserved),
 +    };
 +    int fpsimd_ofs, fr_ofs, sve_ofs = 0, vq = 0, sve_size = 0;
      struct target_rt_sigframe *frame;
      struct target_rt_frame_record *fr;
      abi_ulong frame_addr, return_addr;
 -    fpsimd_ofs = size;
 -    size += sizeof(struct target_fpsimd_context);
 -    end1_ofs = size;
 -    size += sizeof(struct target_aarch64_ctx);
 -    fr_ofs = size;
 -    size += sizeof(struct target_rt_frame_record);
 +    /* FPSIMD record is always in the standard space.  */
 +    fpsimd_ofs = alloc_sigframe_space(sizeof(struct target_fpsimd_context),
 +                                      &layout);
 -    frame_addr = get_sigframe(ka, env);
 +    /* SVE state needs saving only if it exists.  */
 +    if (arm_feature(env, ARM_FEATURE_SVE)) {
 +        vq = (env->vfp.zcr_el[1] & 0xf) + 1;
 +        sve_size = QEMU_ALIGN_UP(TARGET_SVE_SIG_CONTEXT_SIZE(vq), 16);
 +        sve_ofs = alloc_sigframe_space(sve_size, &layout);
 +    }
 +
 +    if (layout.extra_ofs) {
 +        /* Reserve space for the extra end marker.  The standard end marker
 +         * will have been allocated when we allocated the extra record.
 +         */
 +        layout.extra_end_ofs
 +            = alloc_sigframe_space(sizeof(struct target_aarch64_ctx), &layout);
 +    } else {
 +        /* Reserve space for the standard end marker.
 +         * Do not use alloc_sigframe_space because we cheat
 +         * std_size therein to reserve space for this.
 +         */
 +        layout.std_end_ofs = layout.total_size;
 +        layout.total_size += sizeof(struct target_aarch64_ctx);
 +    }
 +
 +    /* Reserve space for the return code.  On a real system this would
 +     * be within the VDSO.  So, despite the name this is not a "real"
 +     * record within the frame.
 +     */
 +    fr_ofs = layout.total_size;
 +    layout.total_size += sizeof(struct target_rt_frame_record);
 +
 +    frame_addr = get_sigframe(ka, env, layout.total_size);
      trace_user_setup_frame(env, frame_addr);
      if (!lock_user_struct(VERIFY_WRITE, frame, frame_addr, 0)) {
          goto give_sigsegv;
@@ -XXX,XX +XXX,XX @@ static void target_setup_frame(int usig, struct target_sigaction *ka,
      target_setup_general_frame(frame, env, set);
      target_setup_fpsimd_record((void *)frame + fpsimd_ofs, env);
 -    if (extra_ofs) {
 -        target_setup_extra_record((void *)frame + extra_ofs,
 -                                  frame_addr + extra_base, extra_size);
 +    target_setup_end_record((void *)frame + layout.std_end_ofs);
 +    if (layout.extra_ofs) {
 +        target_setup_extra_record((void *)frame + layout.extra_ofs,
 +                                  frame_addr + layout.extra_base,
 +                                  layout.extra_size);
 +        target_setup_end_record((void *)frame + layout.extra_end_ofs);
      }
--    target_setup_end_record((void *)frame + end1_ofs);
+     case EC_WFX_TRAP:
--    if (end2_ofs) {
+         advance_pc = true;
--        target_setup_end_record((void *)frame + end2_ofs);
++        if (!(syndrome & WFX_IS_WFE)) {
-+    if (sve_ofs) {
++            hvf_wfi(cpu);
-+        target_setup_sve_record((void *)frame + sve_ofs, env, vq, sve_size);
++        }
-     }
+         break;
+     case EC_AA64_HVC:
-     /* Set up the stack frame for unwinding.  */
+         cpu_synchronize_state(cpu);
 --
-.16.2
+.20.1

-[Qemu-devel] [PULL 14/25] target/arm: Query host CPU features on-demand at instance init
+[PULL 12/27] hvf: arm: Implement -cpu host
-Currently we query the host CPU features in the class init function
+Now that we have working system register sync, we push more target CPU
-for the TYPE_ARM_HOST_CPU class, so that we can later copy them
+properties into the virtual machine. That might be useful in some
-from the class object into the instance object in the object
+situations, but is not the typical case that users want.
-instance init function. This is awkward for implementing "-cpu max",
-which should work like "-cpu host" for KVM but like "cpu with all
+So let's add a -cpu host option that allows them to explicitly pass all
-implemented features" for TCG.
+CPU capabilities of their host CPU into the guest.
-Move the place where we store the information about the host CPU from
+Signed-off-by: Alexander Graf <agraf@csgraf.de>
-a class object to static variables in kvm.c, and then in the instance
+Acked-by: Roman Bolshakov <r.bolshakov@yadro.com>
-init function call a new kvm_arm_set_cpu_features_from_host()
+Reviewed-by: Sergio Lopez <slp@redhat.com>
-function which will query the host kernel if necessary and then
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-fill in the CPU instance fields.
+Message-id: 20210916155404.86958-7-agraf@csgraf.de
+[PMM: drop unnecessary #include line from .h file]
 This allows us to drop the special class struct and class init
 function for TYPE_ARM_HOST_CPU entirely.
 We can't delay the probe until realize, because the ARM
 instance_post_init hook needs to look at the feature bits we
 set, so we need to do it in the initfn. This is safe because
 the probing doesn't affect the actual VM state (it creates a
 separate scratch VM to do its testing), but the probe might fail.
 Because we can't report errors in retrieving the host features
 in the initfn, we check this belatedly in the realize function
 (the intervening code will be able to cope with the relevant
 fields in the CPU structure being zero).
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Message-id: 20180308130626.12393-2-peter.maydell@linaro.org
 ---
- target/arm/cpu.h     |  5 +++++
+ target/arm/cpu.h     |  2 +
- target/arm/kvm_arm.h | 35 ++++++++++++++++++++++++-----------
+ target/arm/hvf_arm.h | 18 +++++++++
- target/arm/cpu.c     | 13 +++++++++++++
+ target/arm/kvm_arm.h |  2 -
- target/arm/kvm.c     | 36 +++++++++++++++++++-----------------
+ target/arm/cpu.c     | 13 ++++--
- target/arm/kvm32.c   |  8 ++++----
+ target/arm/hvf/hvf.c | 95 ++++++++++++++++++++++++++++++++++++++++++++
- target/arm/kvm64.c   |  8 ++++----
+files changed, 124 insertions(+), 6 deletions(-)
-files changed, 69 insertions(+), 36 deletions(-)
+ create mode 100644 target/arm/hvf_arm.h
 diff --git a/target/arm/cpu.h b/target/arm/cpu.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.h
 +++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ struct ARMCPU {
+@@ -XXX,XX +XXX,XX @@ bool write_cpustate_to_list(ARMCPU *cpu, bool kvm_sync);
-     /* Uniprocessor system with MP extensions */
+ #define ARM_CPU_TYPE_NAME(name) (name ARM_CPU_TYPE_SUFFIX)
-     bool mp_is_up;
+ #define CPU_RESOLVING_TYPE TYPE_ARM_CPU
-+    /* True if we tried kvm_arm_host_cpu_features() during CPU instance_init
++#define TYPE_ARM_HOST_CPU "host-" TYPE_ARM_CPU
-+     * and the probe failed (so we need to report the error in realize)
++
-+     */
+ #define cpu_signal_handler cpu_arm_signal_handler
-+    bool host_cpu_probe_failed;
+ #define cpu_list arm_cpu_list
-+
-     /* Specify the number of cores in this CPU cluster. Used for the L2CTLR
+diff --git a/target/arm/hvf_arm.h b/target/arm/hvf_arm.h
-      * register.
+new file mode 100644
-      */
+index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/target/arm/hvf_arm.h
@@ -XXX,XX +XXX,XX @@
 +/*
 + * QEMU Hypervisor.framework (HVF) support -- ARM specifics
 + *
 + * Copyright (c) 2021 Alexander Graf
 + *
 + * This work is licensed under the terms of the GNU GPL, version 2 or later.
 + * See the COPYING file in the top-level directory.
 + *
 + */
 +
 +#ifndef QEMU_HVF_ARM_H
 +#define QEMU_HVF_ARM_H
 +
 +#include "cpu.h"
 +
 +void hvf_arm_set_cpu_features_from_host(struct ARMCPU *cpu);
 +
 +#endif
 diff --git a/target/arm/kvm_arm.h b/target/arm/kvm_arm.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/kvm_arm.h
 +++ b/target/arm/kvm_arm.h
 @@ -XXX,XX +XXX,XX @@ bool kvm_arm_create_scratch_host_vcpu(const uint32_t *cpus_to_try,
+  */
  void kvm_arm_destroy_scratch_host_vcpu(int *fdarray);
- #define TYPE_ARM_HOST_CPU "host-" TYPE_ARM_CPU
+-#define TYPE_ARM_HOST_CPU "host-" TYPE_ARM_CPU
 -#define ARM_HOST_CPU_CLASS(klass) \
 -    OBJECT_CLASS_CHECK(ARMHostCPUClass, (klass), TYPE_ARM_HOST_CPU)
 -#define ARM_HOST_CPU_GET_CLASS(obj) \
 -    OBJECT_GET_CLASS(ARMHostCPUClass, (obj), TYPE_ARM_HOST_CPU)
 -
--typedef struct ARMHostCPUClass {
--    /*< private >*/
--    ARMCPUClass parent_class;
--    /*< public >*/
-+/**
-+ * ARMHostCPUFeatures: information about the host CPU (identified
-+ * by asking the host kernel)
-+ */
-+typedef struct ARMHostCPUFeatures {
-     uint64_t features;
-     uint32_t target;
-     const char *dtb_compatible;
--} ARMHostCPUClass;
-+} ARMHostCPUFeatures;
  /**
-  * kvm_arm_get_host_cpu_features:
+  * ARMHostCPUFeatures: information about the host CPU (identified
-@@ -XXX,XX +XXX,XX @@ typedef struct ARMHostCPUClass {
+  * by asking the host kernel)
   * Probe the capabilities of the host kernel's preferred CPU and fill
   * in the ARMHostCPUClass struct accordingly.
   */
 -bool kvm_arm_get_host_cpu_features(ARMHostCPUClass *ahcc);
 +bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf);
 +/**
 + * kvm_arm_set_cpu_features_from_host:
 + * @cpu: ARMCPU to set the features for
 + *
 + * Set up the ARMCPU struct fields up to match the information probed
 + * from the host CPU.
 + */
 +void kvm_arm_set_cpu_features_from_host(ARMCPU *cpu);
  /**
   * kvm_arm_sync_mpstate_to_kvm
@@ -XXX,XX +XXX,XX @@ void kvm_arm_pmu_init(CPUState *cs);
  #else
 +static inline void kvm_arm_set_cpu_features_from_host(ARMCPU *cpu)
 +{
 +    /* This should never actually be called in the "not KVM" case,
 +     * but set up the fields to indicate an error anyway.
 +     */
 +    cpu->kvm_target = QEMU_KVM_ARM_TARGET_NONE;
 +    cpu->host_cpu_probe_failed = true;
 +}
 +
  static inline int kvm_arm_vgic_probe(void)
  {
      return 0;
 diff --git a/target/arm/cpu.c b/target/arm/cpu.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.c
 +++ b/target/arm/cpu.c
+@@ -XXX,XX +XXX,XX @@
+ #include "sysemu/tcg.h"
+ #include "sysemu/hw_accel.h"
+ #include "kvm_arm.h"
++#include "hvf_arm.h"
+ #include "disas/capstone.h"
+ #include "fpu/softfloat.h"
 @@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
-     int pagebits;
+      * this is the first point where we can report it.
-     Error *local_err = NULL;
+      */
+     if (cpu->host_cpu_probe_failed) {
-+    /* If we needed to query the host kernel for the CPU features
+-        if (!kvm_enabled()) {
-+     * then it's possible that might have failed in the initfn, but
+-            error_setg(errp, "The 'host' CPU type can only be used with KVM");
-+     * this is the first point where we can report it.
++        if (!kvm_enabled() && !hvf_enabled()) {
 +            error_setg(errp, "The 'host' CPU type can only be used with KVM or HVF");
          } else {
              error_setg(errp, "Failed to retrieve host CPU features");
          }
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_class_init(ObjectClass *oc, void *data)
  #endif /* CONFIG_TCG */
  }
 -#ifdef CONFIG_KVM
 +#if defined(CONFIG_KVM) || defined(CONFIG_HVF)
  static void arm_host_initfn(Object *obj)
  {
      ARMCPU *cpu = ARM_CPU(obj);
 +#ifdef CONFIG_KVM
      kvm_arm_set_cpu_features_from_host(cpu);
      if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64)) {
          aarch64_add_sve_properties(obj);
      }
 +#else
 +    hvf_arm_set_cpu_features_from_host(cpu);
 +#endif
      arm_cpu_post_init(obj);
  }
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_register_types(void)
  {
      type_register_static(&arm_cpu_type_info);
 -#ifdef CONFIG_KVM
 +#if defined(CONFIG_KVM) || defined(CONFIG_HVF)
      type_register_static(&host_arm_cpu_type_info);
  #endif
  }
 diff --git a/target/arm/hvf/hvf.c b/target/arm/hvf/hvf.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/hvf/hvf.c
 +++ b/target/arm/hvf/hvf.c
@@ -XXX,XX +XXX,XX @@
  #include "sysemu/hvf.h"
  #include "sysemu/hvf_int.h"
  #include "sysemu/hw_accel.h"
 +#include "hvf_arm.h"
  #include <mach/mach_time.h>
@@ -XXX,XX +XXX,XX @@ typedef struct HVFVTimer {
  static HVFVTimer vtimer;
 +typedef struct ARMHostCPUFeatures {
 +    ARMISARegisters isar;
 +    uint64_t features;
 +    uint64_t midr;
 +    uint32_t reset_sctlr;
 +    const char *dtb_compatible;
 +} ARMHostCPUFeatures;
 +
 +static ARMHostCPUFeatures arm_host_cpu_features;
 +
  struct hvf_reg_match {
      int reg;
      uint64_t offset;
@@ -XXX,XX +XXX,XX @@ static uint64_t hvf_get_reg(CPUState *cpu, int rt)
      return val;
  }
 +static bool hvf_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
 +{
 +    ARMISARegisters host_isar = {};
 +    const struct isar_regs {
 +        int reg;
 +        uint64_t *val;
 +    } regs[] = {
 +        { HV_SYS_REG_ID_AA64PFR0_EL1, &host_isar.id_aa64pfr0 },
 +        { HV_SYS_REG_ID_AA64PFR1_EL1, &host_isar.id_aa64pfr1 },
 +        { HV_SYS_REG_ID_AA64DFR0_EL1, &host_isar.id_aa64dfr0 },
 +        { HV_SYS_REG_ID_AA64DFR1_EL1, &host_isar.id_aa64dfr1 },
 +        { HV_SYS_REG_ID_AA64ISAR0_EL1, &host_isar.id_aa64isar0 },
 +        { HV_SYS_REG_ID_AA64ISAR1_EL1, &host_isar.id_aa64isar1 },
 +        { HV_SYS_REG_ID_AA64MMFR0_EL1, &host_isar.id_aa64mmfr0 },
 +        { HV_SYS_REG_ID_AA64MMFR1_EL1, &host_isar.id_aa64mmfr1 },
 +        { HV_SYS_REG_ID_AA64MMFR2_EL1, &host_isar.id_aa64mmfr2 },
 +    };
 +    hv_vcpu_t fd;
 +    hv_return_t r = HV_SUCCESS;
 +    hv_vcpu_exit_t *exit;
 +    int i;
 +
 +    ahcf->dtb_compatible = "arm,arm-v8";
 +    ahcf->features = (1ULL << ARM_FEATURE_V8) |
 +                     (1ULL << ARM_FEATURE_NEON) |
 +                     (1ULL << ARM_FEATURE_AARCH64) |
 +                     (1ULL << ARM_FEATURE_PMU) |
 +                     (1ULL << ARM_FEATURE_GENERIC_TIMER);
 +
 +    /* We set up a small vcpu to extract host registers */
 +
 +    if (hv_vcpu_create(&fd, &exit, NULL) != HV_SUCCESS) {
 +        return false;
 +    }
 +
 +    for (i = 0; i < ARRAY_SIZE(regs); i++) {
 +        r |= hv_vcpu_get_sys_reg(fd, regs[i].reg, regs[i].val);
 +    }
 +    r |= hv_vcpu_get_sys_reg(fd, HV_SYS_REG_MIDR_EL1, &ahcf->midr);
 +    r |= hv_vcpu_destroy(fd);
 +
 +    ahcf->isar = host_isar;
 +
 +    /*
 +     * A scratch vCPU returns SCTLR 0, so let's fill our default with the M1
 +     * boot SCTLR from https://github.com/AsahiLinux/m1n1/issues/97
 +     */
-+    if (cpu->host_cpu_probe_failed) {
++    ahcf->reset_sctlr = 0x30100180;
-+        if (!kvm_enabled()) {
++    /*
-+            error_setg(errp, "The 'host' CPU type can only be used with KVM");
++     * SPAN is disabled by default when SCTLR.SPAN=1. To improve compatibility,
-+        } else {
++     * let's disable it on boot and then allow guest software to turn it on by
-+            error_setg(errp, "Failed to retrieve host CPU features");
++     * setting it to 0.
-+        }
++     */
-+        return;
++    ahcf->reset_sctlr |= 0x00800000;
-+    }
++
-+
++    /* Make sure we don't advertise AArch32 support for EL0/EL1 */
-     cpu_exec_realizefn(cs, &local_err);
++    if ((host_isar.id_aa64pfr0 & 0xff) != 0x11) {
-     if (local_err != NULL) {
++        return false;
-         error_propagate(errp, local_err);
++    }
-diff --git a/target/arm/kvm.c b/target/arm/kvm.c
++
-index XXXXXXX..XXXXXXX 100644
++    return r == HV_SUCCESS;
---- a/target/arm/kvm.c
++}
-+++ b/target/arm/kvm.c
++
-@@ -XXX,XX +XXX,XX @@ const KVMCapabilityInfo kvm_arch_required_capabilities[] = {
++void hvf_arm_set_cpu_features_from_host(ARMCPU *cpu)
++{
  static bool cap_has_mp_state;
 +static ARMHostCPUFeatures arm_host_cpu_features;
 +
  int kvm_arm_vcpu_init(CPUState *cs)
  {
      ARMCPU *cpu = ARM_CPU(cs);
@@ -XXX,XX +XXX,XX @@ void kvm_arm_destroy_scratch_host_vcpu(int *fdarray)
      }
  }
 -static void kvm_arm_host_cpu_class_init(ObjectClass *oc, void *data)
 +void kvm_arm_set_cpu_features_from_host(ARMCPU *cpu)
  {
 -    ARMHostCPUClass *ahcc = ARM_HOST_CPU_CLASS(oc);
 +    CPUARMState *env = &cpu->env;
 -    /* All we really need to set up for the 'host' CPU
 -     * is the feature bits -- we rely on the fact that the
 -     * various ID register values in ARMCPU are only used for
 -     * TCG CPUs.
 -     */
 -    if (!kvm_arm_get_host_cpu_features(ahcc)) {
 -        fprintf(stderr, "Failed to retrieve host CPU features!\n");
 -        abort();
 +    if (!arm_host_cpu_features.dtb_compatible) {
-+        if (!kvm_enabled() ||
++        if (!hvf_enabled() ||
-+            !kvm_arm_get_host_cpu_features(&arm_host_cpu_features)) {
++            !hvf_arm_get_host_cpu_features(&arm_host_cpu_features)) {
-+            /* We can't report this error yet, so flag that we need to
++            /*
 +             * We can't report this error yet, so flag that we need to
 +             * in arm_cpu_realizefn().
 +             */
-+            cpu->kvm_target = QEMU_KVM_ARM_TARGET_NONE;
 +            cpu->host_cpu_probe_failed = true;
 +            return;
 +        }
-     }
++    }
 +
 +    cpu->kvm_target = arm_host_cpu_features.target;
 +    cpu->dtb_compatible = arm_host_cpu_features.dtb_compatible;
-+    env->features = arm_host_cpu_features.features;
++    cpu->isar = arm_host_cpu_features.isar;
- }
++    cpu->env.features = arm_host_cpu_features.features;
++    cpu->midr = arm_host_cpu_features.midr;
- static void kvm_arm_host_cpu_initfn(Object *obj)
++    cpu->reset_sctlr = arm_host_cpu_features.reset_sctlr;
 +}
 +
  void hvf_arch_vcpu_destroy(CPUState *cpu)
  {
--    ARMHostCPUClass *ahcc = ARM_HOST_CPU_GET_CLASS(obj);
-     ARMCPU *cpu = ARM_CPU(obj);
--    CPUARMState *env = &cpu->env;
--    cpu->kvm_target = ahcc->target;
--    cpu->dtb_compatible = ahcc->dtb_compatible;
--    env->features = ahcc->features;
-+    kvm_arm_set_cpu_features_from_host(cpu);
- }
- static const TypeInfo host_arm_cpu_type_info = {
-@@ -XXX,XX +XXX,XX @@ static const TypeInfo host_arm_cpu_type_info = {
-     .parent = TYPE_ARM_CPU,
- #endif
-     .instance_init = kvm_arm_host_cpu_initfn,
--    .class_init = kvm_arm_host_cpu_class_init,
--    .class_size = sizeof(ARMHostCPUClass),
- };
- int kvm_arch_init(MachineState *ms, KVMState *s)
-diff --git a/target/arm/kvm32.c b/target/arm/kvm32.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/kvm32.c
-+++ b/target/arm/kvm32.c
-@@ -XXX,XX +XXX,XX @@ static inline void set_feature(uint64_t *features, int feature)
-     *features |= 1ULL << feature;
- }
--bool kvm_arm_get_host_cpu_features(ARMHostCPUClass *ahcc)
-+bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
- {
-     /* Identify the feature bits corresponding to the host CPU, and
-      * fill out the ARMHostCPUClass fields accordingly. To do this
-@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUClass *ahcc)
-         return false;
-     }
--    ahcc->target = init.target;
-+    ahcf->target = init.target;
-     /* This is not strictly blessed by the device tree binding docs yet,
-      * but in practice the kernel does not care about this string so
-      * there is no point maintaining an KVM_ARM_TARGET_* -> string table.
-      */
--    ahcc->dtb_compatible = "arm,arm-v7";
-+    ahcf->dtb_compatible = "arm,arm-v7";
-     for (i = 0; i < ARRAY_SIZE(idregs); i++) {
-         ret = ioctl(fdarray[2], KVM_GET_ONE_REG, &idregs[i]);
-@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUClass *ahcc)
-         set_feature(&features, ARM_FEATURE_VFP4);
-     }
--    ahcc->features = features;
-+    ahcf->features = features;
-     return true;
- }
-diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/kvm64.c
-+++ b/target/arm/kvm64.c
-@@ -XXX,XX +XXX,XX @@ static inline void unset_feature(uint64_t *features, int feature)
-     *features &= ~(1ULL << feature);
- }
--bool kvm_arm_get_host_cpu_features(ARMHostCPUClass *ahcc)
-+bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
- {
-     /* Identify the feature bits corresponding to the host CPU, and
-      * fill out the ARMHostCPUClass fields accordingly. To do this
-@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUClass *ahcc)
-         return false;
-     }
--    ahcc->target = init.target;
--    ahcc->dtb_compatible = "arm,arm-v8";
-+    ahcf->target = init.target;
-+    ahcf->dtb_compatible = "arm,arm-v8";
-     kvm_arm_destroy_scratch_host_vcpu(fdarray);
-@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUClass *ahcc)
-     set_feature(&features, ARM_FEATURE_AARCH64);
-     set_feature(&features, ARM_FEATURE_PMU);
--    ahcc->features = features;
-+    ahcf->features = features;
-     return true;
  }
 --
-.16.2
+.20.1

-New patch
+[PULL 13/27] hvf: arm: Implement PSCI handling
+From: Alexander Graf <agraf@csgraf.de>
 We need to handle PSCI calls. Most of the TCG code works for us,
 but we can simplify it to only handle aa64 mode and we need to
 handle SUSPEND differently.
 This patch takes the TCG code as template and duplicates it in HVF.
 To tell the guest that we support PSCI 0.2 now, update the check in
 arm_cpu_initfn() as well.
 Signed-off-by: Alexander Graf <agraf@csgraf.de>
 Reviewed-by: Sergio Lopez <slp@redhat.com>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Message-id: 20210916155404.86958-8-agraf@csgraf.de
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
  target/arm/cpu.c            |   4 +-
  target/arm/hvf/hvf.c        | 141 ++++++++++++++++++++++++++++++++++--
  target/arm/hvf/trace-events |   1 +
 files changed, 139 insertions(+), 7 deletions(-)
 diff --git a/target/arm/cpu.c b/target/arm/cpu.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.c
 +++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_initfn(Object *obj)
      cpu->psci_version = 1; /* By default assume PSCI v0.1 */
      cpu->kvm_target = QEMU_KVM_ARM_TARGET_NONE;
 -    if (tcg_enabled()) {
 -        cpu->psci_version = 2; /* TCG implements PSCI 0.2 */
 +    if (tcg_enabled() || hvf_enabled()) {
 +        cpu->psci_version = 2; /* TCG and HVF implement PSCI 0.2 */
      }
  }
 diff --git a/target/arm/hvf/hvf.c b/target/arm/hvf/hvf.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/hvf/hvf.c
 +++ b/target/arm/hvf/hvf.c
@@ -XXX,XX +XXX,XX @@
  #include "hw/irq.h"
  #include "qemu/main-loop.h"
  #include "sysemu/cpus.h"
 +#include "arm-powerctl.h"
  #include "target/arm/cpu.h"
  #include "target/arm/internals.h"
  #include "trace/trace-target_arm_hvf.h"
@@ -XXX,XX +XXX,XX @@
  #define TMR_CTL_IMASK   (1 << 1)
  #define TMR_CTL_ISTATUS (1 << 2)
 +static void hvf_wfi(CPUState *cpu);
 +
  typedef struct HVFVTimer {
      /* Vtimer value during migration and paused state */
      uint64_t vtimer_val;
@@ -XXX,XX +XXX,XX @@ static void hvf_raise_exception(CPUState *cpu, uint32_t excp,
      arm_cpu_do_interrupt(cpu);
  }
 +static void hvf_psci_cpu_off(ARMCPU *arm_cpu)
 +{
 +    int32_t ret = arm_set_cpu_off(arm_cpu->mp_affinity);
 +    assert(ret == QEMU_ARM_POWERCTL_RET_SUCCESS);
 +}
 +
 +/*
 + * Handle a PSCI call.
 + *
 + * Returns 0 on success
 + *         -1 when the PSCI call is unknown,
 + */
 +static bool hvf_handle_psci_call(CPUState *cpu)
 +{
 +    ARMCPU *arm_cpu = ARM_CPU(cpu);
 +    CPUARMState *env = &arm_cpu->env;
 +    uint64_t param[4] = {
 +        env->xregs[0],
 +        env->xregs[1],
 +        env->xregs[2],
 +        env->xregs[3]
 +    };
 +    uint64_t context_id, mpidr;
 +    bool target_aarch64 = true;
 +    CPUState *target_cpu_state;
 +    ARMCPU *target_cpu;
 +    target_ulong entry;
 +    int target_el = 1;
 +    int32_t ret = 0;
 +
 +    trace_hvf_psci_call(param[0], param[1], param[2], param[3],
 +                        arm_cpu->mp_affinity);
 +
 +    switch (param[0]) {
 +    case QEMU_PSCI_0_2_FN_PSCI_VERSION:
 +        ret = QEMU_PSCI_0_2_RET_VERSION_0_2;
 +        break;
 +    case QEMU_PSCI_0_2_FN_MIGRATE_INFO_TYPE:
 +        ret = QEMU_PSCI_0_2_RET_TOS_MIGRATION_NOT_REQUIRED; /* No trusted OS */
 +        break;
 +    case QEMU_PSCI_0_2_FN_AFFINITY_INFO:
 +    case QEMU_PSCI_0_2_FN64_AFFINITY_INFO:
 +        mpidr = param[1];
 +
 +        switch (param[2]) {
 +        case 0:
 +            target_cpu_state = arm_get_cpu_by_id(mpidr);
 +            if (!target_cpu_state) {
 +                ret = QEMU_PSCI_RET_INVALID_PARAMS;
 +                break;
 +            }
 +            target_cpu = ARM_CPU(target_cpu_state);
 +
 +            ret = target_cpu->power_state;
 +            break;
 +        default:
 +            /* Everything above affinity level 0 is always on. */
 +            ret = 0;
 +        }
 +        break;
 +    case QEMU_PSCI_0_2_FN_SYSTEM_RESET:
 +        qemu_system_reset_request(SHUTDOWN_CAUSE_GUEST_RESET);
 +        /*
 +         * QEMU reset and shutdown are async requests, but PSCI
 +         * mandates that we never return from the reset/shutdown
 +         * call, so power the CPU off now so it doesn't execute
 +         * anything further.
 +         */
 +        hvf_psci_cpu_off(arm_cpu);
 +        break;
 +    case QEMU_PSCI_0_2_FN_SYSTEM_OFF:
 +        qemu_system_shutdown_request(SHUTDOWN_CAUSE_GUEST_SHUTDOWN);
 +        hvf_psci_cpu_off(arm_cpu);
 +        break;
 +    case QEMU_PSCI_0_1_FN_CPU_ON:
 +    case QEMU_PSCI_0_2_FN_CPU_ON:
 +    case QEMU_PSCI_0_2_FN64_CPU_ON:
 +        mpidr = param[1];
 +        entry = param[2];
 +        context_id = param[3];
 +        ret = arm_set_cpu_on(mpidr, entry, context_id,
 +                             target_el, target_aarch64);
 +        break;
 +    case QEMU_PSCI_0_1_FN_CPU_OFF:
 +    case QEMU_PSCI_0_2_FN_CPU_OFF:
 +        hvf_psci_cpu_off(arm_cpu);
 +        break;
 +    case QEMU_PSCI_0_1_FN_CPU_SUSPEND:
 +    case QEMU_PSCI_0_2_FN_CPU_SUSPEND:
 +    case QEMU_PSCI_0_2_FN64_CPU_SUSPEND:
 +        /* Affinity levels are not supported in QEMU */
 +        if (param[1] & 0xfffe0000) {
 +            ret = QEMU_PSCI_RET_INVALID_PARAMS;
 +            break;
 +        }
 +        /* Powerdown is not supported, we always go into WFI */
 +        env->xregs[0] = 0;
 +        hvf_wfi(cpu);
 +        break;
 +    case QEMU_PSCI_0_1_FN_MIGRATE:
 +    case QEMU_PSCI_0_2_FN_MIGRATE:
 +        ret = QEMU_PSCI_RET_NOT_SUPPORTED;
 +        break;
 +    default:
 +        return false;
 +    }
 +
 +    env->xregs[0] = ret;
 +    return true;
 +}
 +
  static int hvf_sysreg_read(CPUState *cpu, uint32_t reg, uint32_t rt)
  {
      ARMCPU *arm_cpu = ARM_CPU(cpu);
@@ -XXX,XX +XXX,XX @@ int hvf_vcpu_exec(CPUState *cpu)
          break;
      case EC_AA64_HVC:
          cpu_synchronize_state(cpu);
 -        trace_hvf_unknown_hvc(env->xregs[0]);
 -        /* SMCCC 1.3 section 5.2 says every unknown SMCCC call returns -1 */
 -        env->xregs[0] = -1;
 +        if (arm_cpu->psci_conduit == QEMU_PSCI_CONDUIT_HVC) {
 +            if (!hvf_handle_psci_call(cpu)) {
 +                trace_hvf_unknown_hvc(env->xregs[0]);
 +                /* SMCCC 1.3 section 5.2 says every unknown SMCCC call returns -1 */
 +                env->xregs[0] = -1;
 +            }
 +        } else {
 +            trace_hvf_unknown_hvc(env->xregs[0]);
 +            hvf_raise_exception(cpu, EXCP_UDEF, syn_uncategorized());
 +        }
          break;
      case EC_AA64_SMC:
          cpu_synchronize_state(cpu);
 -        trace_hvf_unknown_smc(env->xregs[0]);
 -        hvf_raise_exception(cpu, EXCP_UDEF, syn_uncategorized());
 +        if (arm_cpu->psci_conduit == QEMU_PSCI_CONDUIT_SMC) {
 +            advance_pc = true;
 +
 +            if (!hvf_handle_psci_call(cpu)) {
 +                trace_hvf_unknown_smc(env->xregs[0]);
 +                /* SMCCC 1.3 section 5.2 says every unknown SMCCC call returns -1 */
 +                env->xregs[0] = -1;
 +            }
 +        } else {
 +            trace_hvf_unknown_smc(env->xregs[0]);
 +            hvf_raise_exception(cpu, EXCP_UDEF, syn_uncategorized());
 +        }
          break;
      default:
          cpu_synchronize_state(cpu);
 diff --git a/target/arm/hvf/trace-events b/target/arm/hvf/trace-events
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/hvf/trace-events
 +++ b/target/arm/hvf/trace-events
@@ -XXX,XX +XXX,XX @@ hvf_sysreg_write(uint32_t reg, uint32_t op0, uint32_t op1, uint32_t crn, uint32_
  hvf_unknown_hvc(uint64_t x0) "unknown HVC! 0x%016"PRIx64
  hvf_unknown_smc(uint64_t x0) "unknown SMC! 0x%016"PRIx64
  hvf_exit(uint64_t syndrome, uint32_t ec, uint64_t pc) "exit: 0x%"PRIx64" [ec=0x%x pc=0x%"PRIx64"]"
 +hvf_psci_call(uint64_t x0, uint64_t x1, uint64_t x2, uint64_t x3, uint32_t cpuid) "PSCI Call x0=0x%016"PRIx64" x1=0x%016"PRIx64" x2=0x%016"PRIx64" x3=0x%016"PRIx64" cpu=0x%x"
 --
 .20.1

-[Qemu-devel] [PULL 11/25] hw/arm: Use more CONFIG switches for the object files
+[PULL 14/27] arm: Add Hypervisor.framework build target
-From: Thomas Huth <thuth@redhat.com>
+From: Alexander Graf <agraf@csgraf.de>
-A lot of ARM object files are linked into the executable unconditionally,
+Now that we have all logic in place that we need to handle Hypervisor.framework
-even though we have corresponding CONFIG switches like CONFIG_PXA2XX or
+on Apple Silicon systems, let's add CONFIG_HVF for aarch64 as well so that we
-CONFIG_OMAP. We should make sure to use these switches in the Makefile so
+can build it.
 that the users can disable certain unwanted boards and devices more easily.
 While we're at it, also add some new switches for the boards that do not
 have a CONFIG option yet.
-Signed-off-by: Thomas Huth <thuth@redhat.com>
+Signed-off-by: Alexander Graf <agraf@csgraf.de>
-Message-id: 1520266949-29817-1-git-send-email-thuth@redhat.com
+Reviewed-by: Roman Bolshakov <r.bolshakov@yadro.com>
 Tested-by: Roman Bolshakov <r.bolshakov@yadro.com> (x86 only)
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Sergio Lopez <slp@redhat.com>
 Message-id: 20210916155404.86958-9-agraf@csgraf.de
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/Makefile.objs            | 30 +++++++++++++++++++++---------
+ meson.build                | 7 +++++++
- default-configs/arm-softmmu.mak |  7 +++++++
+ target/arm/hvf/meson.build | 3 +++
-files changed, 28 insertions(+), 9 deletions(-)
+ target/arm/meson.build     | 2 ++
 files changed, 12 insertions(+)
  create mode 100644 target/arm/hvf/meson.build
-diff --git a/hw/arm/Makefile.objs b/hw/arm/Makefile.objs
+diff --git a/meson.build b/meson.build
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/Makefile.objs
+--- a/meson.build
-+++ b/hw/arm/Makefile.objs
++++ b/meson.build
@@ -XXX,XX +XXX,XX @@ else
  endif
  accelerator_targets = { 'CONFIG_KVM': kvm_targets }
 +
 +if cpu in ['aarch64']
 +  accelerator_targets += {
 +    'CONFIG_HVF': ['aarch64-softmmu']
 +  }
 +endif
 +
  if cpu in ['x86', 'x86_64', 'arm', 'aarch64']
    # i386 emulator provides xenpv machine type for multiple architectures
    accelerator_targets += {
 diff --git a/target/arm/hvf/meson.build b/target/arm/hvf/meson.build
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/target/arm/hvf/meson.build
 @@ -XXX,XX +XXX,XX @@
--obj-y += boot.o collie.o exynos4_boards.o gumstix.o highbank.o
++arm_softmmu_ss.add(when: [hvf, 'CONFIG_HVF'], if_true: files(
--obj-$(CONFIG_DIGIC) += digic_boards.o
++  'hvf.c',
--obj-y += integratorcp.o mainstone.o musicpal.o nseries.o
++))
--obj-y += omap_sx1.o palm.o realview.o spitz.o stellaris.o
+diff --git a/target/arm/meson.build b/target/arm/meson.build
 -obj-y += tosa.o versatilepb.o vexpress.o virt.o xilinx_zynq.o z2.o
 +obj-y += boot.o virt.o sysbus-fdt.o
  obj-$(CONFIG_ACPI) += virt-acpi-build.o
 -obj-y += netduino2.o
 -obj-y += sysbus-fdt.o
 +obj-$(CONFIG_DIGIC) += digic_boards.o
 +obj-$(CONFIG_EXYNOS4) += exynos4_boards.o
 +obj-$(CONFIG_HIGHBANK) += highbank.o
 +obj-$(CONFIG_INTEGRATOR) += integratorcp.o
 +obj-$(CONFIG_MAINSTONE) += mainstone.o
 +obj-$(CONFIG_MUSICPAL) += musicpal.o
 +obj-$(CONFIG_NETDUINO2) += netduino2.o
 +obj-$(CONFIG_NSERIES) += nseries.o
 +obj-$(CONFIG_OMAP) += omap_sx1.o palm.o
 +obj-$(CONFIG_PXA2XX) += gumstix.o spitz.o tosa.o z2.o
 +obj-$(CONFIG_REALVIEW) += realview.o
 +obj-$(CONFIG_STELLARIS) += stellaris.o
 +obj-$(CONFIG_STRONGARM) += collie.o
 +obj-$(CONFIG_VERSATILE) += vexpress.o versatilepb.o
 +obj-$(CONFIG_ZYNQ) += xilinx_zynq.o
 -obj-y += armv7m.o exynos4210.o pxa2xx.o pxa2xx_gpio.o pxa2xx_pic.o
 +obj-$(CONFIG_ARM_V7M) += armv7m.o
 +obj-$(CONFIG_EXYNOS4) += exynos4210.o
 +obj-$(CONFIG_PXA2XX) += pxa2xx.o pxa2xx_gpio.o pxa2xx_pic.o
  obj-$(CONFIG_DIGIC) += digic.o
 -obj-y += omap1.o omap2.o strongarm.o
 +obj-$(CONFIG_OMAP) += omap1.o omap2.o
 +obj-$(CONFIG_STRONGARM) += strongarm.o
  obj-$(CONFIG_ALLWINNER_A10) += allwinner-a10.o cubieboard.o
  obj-$(CONFIG_RASPI) += bcm2835_peripherals.o bcm2836.o raspi.o
  obj-$(CONFIG_STM32F205_SOC) += stm32f205_soc.o
 diff --git a/default-configs/arm-softmmu.mak b/default-configs/arm-softmmu.mak
 index XXXXXXX..XXXXXXX 100644
---- a/default-configs/arm-softmmu.mak
+--- a/target/arm/meson.build
-+++ b/default-configs/arm-softmmu.mak
++++ b/target/arm/meson.build
-@@ -XXX,XX +XXX,XX @@ CONFIG_A9MPCORE=y
+@@ -XXX,XX +XXX,XX @@ arm_softmmu_ss.add(files(
- CONFIG_A15MPCORE=y
+   'psci.c',
+ ))
- CONFIG_ARM_V7M=y
-+CONFIG_NETDUINO2=y
++subdir('hvf')
  CONFIG_ARM_GIC=y
  CONFIG_ARM_GIC_KVM=$(CONFIG_KVM)
@@ -XXX,XX +XXX,XX @@ CONFIG_TZ_PPC=y
  CONFIG_IOTKIT=y
  CONFIG_IOTKIT_SECCTL=y
 +CONFIG_VERSATILE=y
  CONFIG_VERSATILE_PCI=y
  CONFIG_VERSATILE_I2C=y
@@ -XXX,XX +XXX,XX @@ CONFIG_VFIO_XGMAC=y
  CONFIG_VFIO_AMD_XGBE=y
  CONFIG_SDHCI=y
 +CONFIG_INTEGRATOR=y
  CONFIG_INTEGRATOR_DEBUG=y
  CONFIG_ALLWINNER_A10_PIT=y
@@ -XXX,XX +XXX,XX @@ CONFIG_MSF2=y
  CONFIG_FW_CFG_DMA=y
  CONFIG_XILINX_AXI=y
  CONFIG_PCI_DESIGNWARE=y
 +
-+CONFIG_STRONGARM=y
+ target_arch += {'arm': arm_ss}
-+CONFIG_HIGHBANK=y
+ target_softmmu_arch += {'arm': arm_softmmu_ss}
 +CONFIG_MUSICPAL=y
 --
-.16.2
+.20.1

-[Qemu-devel] [PULL 08/25] aarch64-linux-user: Remove struct target_aux_context
+[PULL 15/27] hvf: arm: Add rudimentary PMC support
-From: Richard Henderson <richard.henderson@linaro.org>
+From: Alexander Graf <agraf@csgraf.de>
-This changes the qemu signal frame layout to be more like the kernel's,
+We can expose cycle counters on the PMU easily. To be as compatible as
-in that the various records are dynamically allocated rather than fixed
+possible, let's do so, but make sure we don't expose any other architectural
-in place by a structure.
+counters that we can not model yet.
-For now, all of the allocation is out of uc.tuc_mcontext.__reserved,
+This allows OSs to work that require PMU support.
-so the allocation is actually trivial.  That will change with SVE support.
+Signed-off-by: Alexander Graf <agraf@csgraf.de>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20210916155404.86958-10-agraf@csgraf.de
 Message-id: 20180303143823.27055-4-richard.henderson@linaro.org
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- linux-user/signal.c | 89 ++++++++++++++++++++++++++++++++++++-----------------
+ target/arm/hvf/hvf.c | 179 +++++++++++++++++++++++++++++++++++++++++++
-file changed, 61 insertions(+), 28 deletions(-)
+file changed, 179 insertions(+)
-diff --git a/linux-user/signal.c b/linux-user/signal.c
+diff --git a/target/arm/hvf/hvf.c b/target/arm/hvf/hvf.c
 index XXXXXXX..XXXXXXX 100644
---- a/linux-user/signal.c
+--- a/target/arm/hvf/hvf.c
-+++ b/linux-user/signal.c
++++ b/target/arm/hvf/hvf.c
-@@ -XXX,XX +XXX,XX @@ struct target_fpsimd_context {
+@@ -XXX,XX +XXX,XX @@
-     uint64_t vregs[32 * 2]; /* really uint128_t vregs[32] */
+ #define SYSREG_OSLSR_EL1      SYSREG(2, 0, 1, 1, 4)
- };
+ #define SYSREG_OSDLR_EL1      SYSREG(2, 0, 1, 3, 4)
+ #define SYSREG_CNTPCT_EL0     SYSREG(3, 3, 14, 0, 1)
--/*
++#define SYSREG_PMCR_EL0       SYSREG(3, 3, 9, 12, 0)
-- * Auxiliary context saved in the sigcontext.__reserved array. Not exported to
++#define SYSREG_PMUSERENR_EL0  SYSREG(3, 3, 9, 14, 0)
-- * user space as it will change with the addition of new context. User space
++#define SYSREG_PMCNTENSET_EL0 SYSREG(3, 3, 9, 12, 1)
-- * should check the magic/size information.
++#define SYSREG_PMCNTENCLR_EL0 SYSREG(3, 3, 9, 12, 2)
-- */
++#define SYSREG_PMINTENCLR_EL1 SYSREG(3, 0, 9, 14, 2)
--struct target_aux_context {
++#define SYSREG_PMOVSCLR_EL0   SYSREG(3, 3, 9, 12, 3)
--    struct target_fpsimd_context fpsimd;
++#define SYSREG_PMSWINC_EL0    SYSREG(3, 3, 9, 12, 4)
--    /* additional context to be added before "end" */
++#define SYSREG_PMSELR_EL0     SYSREG(3, 3, 9, 12, 5)
--    struct target_aarch64_ctx end;
++#define SYSREG_PMCEID0_EL0    SYSREG(3, 3, 9, 12, 6)
--};
++#define SYSREG_PMCEID1_EL0    SYSREG(3, 3, 9, 12, 7)
--
++#define SYSREG_PMCCNTR_EL0    SYSREG(3, 3, 9, 13, 0)
- struct target_rt_sigframe {
++#define SYSREG_PMCCFILTR_EL0  SYSREG(3, 3, 14, 15, 7)
-     struct target_siginfo info;
-     struct target_ucontext uc;
+ #define WFX_IS_WFE (1 << 0)
-+};
-+
+@@ -XXX,XX +XXX,XX @@ static int hvf_sysreg_read(CPUState *cpu, uint32_t reg, uint32_t rt)
-+struct target_rt_frame_record {
+         val = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) /
-     uint64_t fp;
+               gt_cntfrq_period_ns(arm_cpu);
-     uint64_t lr;
+         break;
-     uint32_t tramp[2];
++    case SYSREG_PMCR_EL0:
-@@ -XXX,XX +XXX,XX @@ static void target_restore_fpsimd_record(CPUARMState *env,
++        val = env->cp15.c9_pmcr;
- static int target_restore_sigframe(CPUARMState *env,
++        break;
-                                    struct target_rt_sigframe *sf)
++    case SYSREG_PMCCNTR_EL0:
- {
++        pmu_op_start(env);
--    struct target_aux_context *aux
++        val = env->cp15.c15_ccnt;
--        = (struct target_aux_context *)sf->uc.tuc_mcontext.__reserved;
++        pmu_op_finish(env);
--    uint32_t magic, size;
++        break;
-+    struct target_aarch64_ctx *ctx;
++    case SYSREG_PMCNTENCLR_EL0:
-+    struct target_fpsimd_context *fpsimd = NULL;
++        val = env->cp15.c9_pmcnten;
++        break;
-     target_restore_general_frame(env, sf);
++    case SYSREG_PMOVSCLR_EL0:
++        val = env->cp15.c9_pmovsr;
--    __get_user(magic, &aux->fpsimd.head.magic);
++        break;
--    __get_user(size, &aux->fpsimd.head.size);
++    case SYSREG_PMSELR_EL0:
--    if (magic == TARGET_FPSIMD_MAGIC
++        val = env->cp15.c9_pmselr;
--        && size == sizeof(struct target_fpsimd_context)) {
++        break;
--        target_restore_fpsimd_record(env, &aux->fpsimd);
++    case SYSREG_PMINTENCLR_EL1:
--    } else {
++        val = env->cp15.c9_pminten;
-+    ctx = (struct target_aarch64_ctx *)sf->uc.tuc_mcontext.__reserved;
++        break;
-+    while (ctx) {
++    case SYSREG_PMCCFILTR_EL0:
-+        uint32_t magic, size;
++        val = env->cp15.pmccfiltr_el0;
-+
++        break;
-+        __get_user(magic, &ctx->magic);
++    case SYSREG_PMCNTENSET_EL0:
-+        __get_user(size, &ctx->size);
++        val = env->cp15.c9_pmcnten;
-+        switch (magic) {
++        break;
-+        case 0:
++    case SYSREG_PMUSERENR_EL0:
-+            if (size != 0) {
++        val = env->cp15.c9_pmuserenr;
-+                return 1;
++        break;
-+            }
++    case SYSREG_PMCEID0_EL0:
-+            ctx = NULL;
++    case SYSREG_PMCEID1_EL0:
-+            continue;
++        /* We can't really count anything yet, declare all events invalid */
-+
++        val = 0;
-+        case TARGET_FPSIMD_MAGIC:
++        break;
-+            if (fpsimd || size != sizeof(struct target_fpsimd_context)) {
+     case SYSREG_OSLSR_EL1:
-+                return 1;
+         val = env->cp15.oslsr_el1;
-+            }
+         break;
-+            fpsimd = (struct target_fpsimd_context *)ctx;
+@@ -XXX,XX +XXX,XX @@ static int hvf_sysreg_read(CPUState *cpu, uint32_t reg, uint32_t rt)
 +            break;
 +
 +        default:
 +            /* Unknown record -- we certainly didn't generate it.
 +             * Did we in fact get out of sync?
 +             */
 +            return 1;
 +        }
 +        ctx = (void *)ctx + size;
 +    }
 +
 +    /* Require FPSIMD always.  */
 +    if (!fpsimd) {
          return 1;
      }
 +    target_restore_fpsimd_record(env, fpsimd);
 +
      return 0;
  }
-@@ -XXX,XX +XXX,XX @@ static void target_setup_frame(int usig, struct target_sigaction *ka,
++static void pmu_update_irq(CPUARMState *env)
-                                target_siginfo_t *info, target_sigset_t *set,
++{
-                                CPUARMState *env)
++    ARMCPU *cpu = env_archcpu(env);
 +    qemu_set_irq(cpu->pmu_interrupt, (env->cp15.c9_pmcr & PMCRE) &&
 +            (env->cp15.c9_pminten & env->cp15.c9_pmovsr));
 +}
 +
 +static bool pmu_event_supported(uint16_t number)
 +{
 +    return false;
 +}
 +
 +/* Returns true if the counter (pass 31 for PMCCNTR) should count events using
 + * the current EL, security state, and register configuration.
 + */
 +static bool pmu_counter_enabled(CPUARMState *env, uint8_t counter)
 +{
 +    uint64_t filter;
 +    bool enabled, filtered = true;
 +    int el = arm_current_el(env);
 +
 +    enabled = (env->cp15.c9_pmcr & PMCRE) &&
 +              (env->cp15.c9_pmcnten & (1 << counter));
 +
 +    if (counter == 31) {
 +        filter = env->cp15.pmccfiltr_el0;
 +    } else {
 +        filter = env->cp15.c14_pmevtyper[counter];
 +    }
 +
 +    if (el == 0) {
 +        filtered = filter & PMXEVTYPER_U;
 +    } else if (el == 1) {
 +        filtered = filter & PMXEVTYPER_P;
 +    }
 +
 +    if (counter != 31) {
 +        /*
 +         * If not checking PMCCNTR, ensure the counter is setup to an event we
 +         * support
 +         */
 +        uint16_t event = filter & PMXEVTYPER_EVTCOUNT;
 +        if (!pmu_event_supported(event)) {
 +            return false;
 +        }
 +    }
 +
 +    return enabled && !filtered;
 +}
 +
 +static void pmswinc_write(CPUARMState *env, uint64_t value)
 +{
 +    unsigned int i;
 +    for (i = 0; i < pmu_num_counters(env); i++) {
 +        /* Increment a counter's count iff: */
 +        if ((value & (1 << i)) && /* counter's bit is set */
 +                /* counter is enabled and not filtered */
 +                pmu_counter_enabled(env, i) &&
 +                /* counter is SW_INCR */
 +                (env->cp15.c14_pmevtyper[i] & PMXEVTYPER_EVTCOUNT) == 0x0) {
 +            /*
 +             * Detect if this write causes an overflow since we can't predict
 +             * PMSWINC overflows like we can for other events
 +             */
 +            uint32_t new_pmswinc = env->cp15.c14_pmevcntr[i] + 1;
 +
 +            if (env->cp15.c14_pmevcntr[i] & ~new_pmswinc & INT32_MIN) {
 +                env->cp15.c9_pmovsr |= (1 << i);
 +                pmu_update_irq(env);
 +            }
 +
 +            env->cp15.c14_pmevcntr[i] = new_pmswinc;
 +        }
 +    }
 +}
 +
  static int hvf_sysreg_write(CPUState *cpu, uint32_t reg, uint64_t val)
  {
-+    int size = offsetof(struct target_rt_sigframe, uc.tuc_mcontext.__reserved);
+     ARMCPU *arm_cpu = ARM_CPU(cpu);
-+    int fpsimd_ofs, end1_ofs, fr_ofs;
+@@ -XXX,XX +XXX,XX @@ static int hvf_sysreg_write(CPUState *cpu, uint32_t reg, uint64_t val)
-     struct target_rt_sigframe *frame;
+                            val);
--    struct target_aux_context *aux;
-+    struct target_rt_frame_record *fr;
+     switch (reg) {
-     abi_ulong frame_addr, return_addr;
++    case SYSREG_PMCCNTR_EL0:
++        pmu_op_start(env);
-+    fpsimd_ofs = size;
++        env->cp15.c15_ccnt = val;
-+    size += sizeof(struct target_fpsimd_context);
++        pmu_op_finish(env);
-+    end1_ofs = size;
++        break;
-+    size += sizeof(struct target_aarch64_ctx);
++    case SYSREG_PMCR_EL0:
-+    fr_ofs = size;
++        pmu_op_start(env);
-+    size += sizeof(struct target_rt_frame_record);
++
-+
++        if (val & PMCRC) {
-     frame_addr = get_sigframe(ka, env);
++            /* The counter has been reset */
-     trace_user_setup_frame(env, frame_addr);
++            env->cp15.c15_ccnt = 0;
-     if (!lock_user_struct(VERIFY_WRITE, frame, frame_addr, 0)) {
++        }
-         goto give_sigsegv;
++
-     }
++        if (val & PMCRP) {
--    aux = (struct target_aux_context *)frame->uc.tuc_mcontext.__reserved;
++            unsigned int i;
++            for (i = 0; i < pmu_num_counters(env); i++) {
-     target_setup_general_frame(frame, env, set);
++                env->cp15.c14_pmevcntr[i] = 0;
--    target_setup_fpsimd_record(&aux->fpsimd, env);
++            }
--    target_setup_end_record(&aux->end);
++        }
-+    target_setup_fpsimd_record((void *)frame + fpsimd_ofs, env);
++
-+    target_setup_end_record((void *)frame + end1_ofs);
++        env->cp15.c9_pmcr &= ~PMCR_WRITEABLE_MASK;
-+
++        env->cp15.c9_pmcr |= (val & PMCR_WRITEABLE_MASK);
-+    /* Set up the stack frame for unwinding.  */
++
-+    fr = (void *)frame + fr_ofs;
++        pmu_op_finish(env);
-+    __put_user(env->xregs[29], &fr->fp);
++        break;
-+    __put_user(env->xregs[30], &fr->lr);
++    case SYSREG_PMUSERENR_EL0:
++        env->cp15.c9_pmuserenr = val & 0xf;
-     if (ka->sa_flags & TARGET_SA_RESTORER) {
++        break;
-         return_addr = ka->sa_restorer;
++    case SYSREG_PMCNTENSET_EL0:
-@@ -XXX,XX +XXX,XX @@ static void target_setup_frame(int usig, struct target_sigaction *ka,
++        env->cp15.c9_pmcnten |= (val & pmu_counter_mask(env));
-          * Since these are instructions they need to be put as little-endian
++        break;
-          * regardless of target default or current CPU endianness.
++    case SYSREG_PMCNTENCLR_EL0:
-          */
++        env->cp15.c9_pmcnten &= ~(val & pmu_counter_mask(env));
--        __put_user_e(0xd2801168, &frame->tramp[0], le);
++        break;
--        __put_user_e(0xd4000001, &frame->tramp[1], le);
++    case SYSREG_PMINTENCLR_EL1:
--        return_addr = frame_addr + offsetof(struct target_rt_sigframe, tramp);
++        pmu_op_start(env);
-+        __put_user_e(0xd2801168, &fr->tramp[0], le);
++        env->cp15.c9_pminten |= val;
-+        __put_user_e(0xd4000001, &fr->tramp[1], le);
++        pmu_op_finish(env);
-+        return_addr = frame_addr + fr_ofs
++        break;
-+            + offsetof(struct target_rt_frame_record, tramp);
++    case SYSREG_PMOVSCLR_EL0:
-     }
++        pmu_op_start(env);
-     env->xregs[0] = usig;
++        env->cp15.c9_pmovsr &= ~val;
-     env->xregs[31] = frame_addr;
++        pmu_op_finish(env);
--    env->xregs[29] = env->xregs[31] + offsetof(struct target_rt_sigframe, fp);
++        break;
-+    env->xregs[29] = frame_addr + fr_ofs;
++    case SYSREG_PMSWINC_EL0:
-     env->pc = ka->_sa_handler;
++        pmu_op_start(env);
-     env->xregs[30] = return_addr;
++        pmswinc_write(env, val);
-     if (info) {
++        pmu_op_finish(env);
 +        break;
 +    case SYSREG_PMSELR_EL0:
 +        env->cp15.c9_pmselr = val & 0x1f;
 +        break;
 +    case SYSREG_PMCCFILTR_EL0:
 +        pmu_op_start(env);
 +        env->cp15.pmccfiltr_el0 = val & PMCCFILTR_EL0;
 +        pmu_op_finish(env);
 +        break;
      case SYSREG_OSLAR_EL1:
          env->cp15.oslsr_el1 = val & 1;
          break;
 --
-.16.2
+.20.1

-[Qemu-devel] [PULL 19/25] hw/arm/virt: Support -machine gic-version=max
+[PULL 16/27] target/arm: Avoid goto_tb if we're trying to exit to the main loop
-Add support for passing 'max' to -machine gic-version. By analogy
+Currently gen_jmp_tb() assumes that if it is called then the jump it
-with the -cpu max option, this picks the "best available" GIC version
+is handling is the only reason that we might be trying to end the TB,
-whether you're using KVM or TCG, so it behaves like 'host' when
+so it will use goto_tb if it can.  This is usually the case: mostly
-using KVM, and gives you GICv3 when using TCG.
+"we did something that means we must end the TB" happens on a
 non-branch instruction.  However, there are cases where we decide
 early in handling an instruction that we need to end the TB and
 return to the main loop, and then the insn is a complex one that
 involves gen_jmp_tb().  For instance, for M-profile FP instructions,
 in gen_preserve_fp_state() which is called from vfp_access_check() we
 want to force an exit to the main loop if lazy state preservation is
 active and we are in icount mode.
-Also like '-cpu host', using -machine gic-version=max' means there
+Make gen_jmp_tb() look at the current value of is_jmp, and only use
-is no guarantee of migration compatibility between QEMU versions;
+goto_tb if the previous is_jmp was DISAS_NEXT or DISAS_TOO_MANY.
 in future 'max' might mean '4'.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20180308130626.12393-7-peter.maydell@linaro.org
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Message-id: 20210913095440.13462-2-peter.maydell@linaro.org
 ---
- hw/arm/virt.c | 29 +++++++++++++++++++----------
+ target/arm/translate.c | 34 +++++++++++++++++++++++++++++++++-
-file changed, 19 insertions(+), 10 deletions(-)
+file changed, 33 insertions(+), 1 deletion(-)
-diff --git a/hw/arm/virt.c b/hw/arm/virt.c
+diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/virt.c
+--- a/target/arm/translate.c
-+++ b/hw/arm/virt.c
++++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ static void machvirt_init(MachineState *machine)
+@@ -XXX,XX +XXX,XX @@ static inline void gen_jmp_tb(DisasContext *s, uint32_t dest, int tbno)
-     /* We can probe only here because during property set
+         /* An indirect jump so that we still trigger the debug exception.  */
-      * KVM is not available yet
+         gen_set_pc_im(s, dest);
-      */
+         s->base.is_jmp = DISAS_JUMP;
--    if (!vms->gic_version) {
+-    } else {
-+    if (vms->gic_version <= 0) {
++        return;
-+        /* "host" or "max" */
++    }
-         if (!kvm_enabled()) {
++    switch (s->base.is_jmp) {
--            error_report("gic-version=host requires KVM");
++    case DISAS_NEXT:
--            exit(1);
++    case DISAS_TOO_MANY:
--        }
++    case DISAS_NORETURN:
--
++        /*
--        vms->gic_version = kvm_arm_vgic_probe();
++         * The normal case: just go to the destination TB.
--        if (!vms->gic_version) {
++         * NB: NORETURN happens if we generate code like
--            error_report("Unable to determine GIC version supported by host");
++         *    gen_brcondi(l);
--            exit(1);
++         *    gen_jmp();
-+            if (vms->gic_version == 0) {
++         *    gen_set_label(l);
-+                error_report("gic-version=host requires KVM");
++         *    gen_jmp();
-+                exit(1);
++         * on the second call to gen_jmp().
-+            } else {
++         */
-+                /* "max": currently means 3 for TCG */
+         gen_goto_tb(s, tbno, dest);
-+                vms->gic_version = 3;
++        break;
-+            }
++    case DISAS_UPDATE_NOCHAIN:
-+        } else {
++    case DISAS_UPDATE_EXIT:
-+            vms->gic_version = kvm_arm_vgic_probe();
++        /*
-+            if (!vms->gic_version) {
++         * We already decided we're leaving the TB for some other reason.
-+                error_report(
++         * Avoid using goto_tb so we really do exit back to the main loop
-+                    "Unable to determine GIC version supported by host");
++         * and don't chain to another TB.
-+                exit(1);
++         */
-+            }
++        gen_set_pc_im(s, dest);
-         }
++        gen_goto_ptr();
-     }
++        s->base.is_jmp = DISAS_NORETURN;
++        break;
-@@ -XXX,XX +XXX,XX @@ static void virt_set_gic_version(Object *obj, const char *value, Error **errp)
++    default:
-         vms->gic_version = 2;
++        /*
-     } else if (!strcmp(value, "host")) {
++         * We shouldn't be emitting code for a jump and also have
-         vms->gic_version = 0; /* Will probe later */
++         * is_jmp set to one of the special cases like DISAS_SWI.
-+    } else if (!strcmp(value, "max")) {
++         */
-+        vms->gic_version = -1; /* Will probe later */
++        g_assert_not_reached();
      } else {
          error_setg(errp, "Invalid gic-version value");
 -        error_append_hint(errp, "Valid values are 3, 2, host.\n");
 +        error_append_hint(errp, "Valid values are 3, 2, host, max.\n");
      }
  }
 --
-.16.2
+.20.1

-[Qemu-devel] [PULL 18/25] hw/arm/virt: Add "max" to the list of CPU types "virt" supports
+[PULL 17/27] target/arm: Enforce that FPDSCR.LTPSIZE is 4 on inbound migration
-Allow the virt board to support '-cpu max' in the same way
+Architecturally, for an M-profile CPU with the LOB feature the
-it already handles '-cpu host'.
+LTPSIZE field in FPDSCR is always constant 4.  QEMU's implementation
 enforces this everywhere, except that we don't check that it is true
 in incoming migration data.
 We're going to add come in gen_update_fp_context() which relies on
 the "always 4" property.  Since this is TCG-only, we don't actually
 need to be robust to bogus incoming migration data, and the effect of
 it being wrong would be wrong code generation rather than a QEMU
 crash; but if it did ever happen somehow it would be very difficult
 to track down the cause.  Add a check so that we fail the inbound
 migration if the FPDSCR.LTPSIZE value is incorrect.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20180308130626.12393-6-peter.maydell@linaro.org
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Message-id: 20210913095440.13462-3-peter.maydell@linaro.org
 Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 ---
- hw/arm/virt.c | 1 +
+ target/arm/machine.c | 13 +++++++++++++
-file changed, 1 insertion(+)
+file changed, 13 insertions(+)
-diff --git a/hw/arm/virt.c b/hw/arm/virt.c
+diff --git a/target/arm/machine.c b/target/arm/machine.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/virt.c
+--- a/target/arm/machine.c
-+++ b/hw/arm/virt.c
++++ b/target/arm/machine.c
-@@ -XXX,XX +XXX,XX @@ static const char *valid_cpus[] = {
+@@ -XXX,XX +XXX,XX @@ static int cpu_post_load(void *opaque, int version_id)
-     ARM_CPU_TYPE_NAME("cortex-a53"),
+     hw_breakpoint_update_all(cpu);
-     ARM_CPU_TYPE_NAME("cortex-a57"),
+     hw_watchpoint_update_all(cpu);
-     ARM_CPU_TYPE_NAME("host"),
-+    ARM_CPU_TYPE_NAME("max"),
++    /*
- };
++     * TCG gen_update_fp_context() relies on the invariant that
++     * FPDSCR.LTPSIZE is constant 4 for M-profile with the LOB extension;
- static bool cpu_type_valid(const char *cpu)
++     * forbid bogus incoming data with some other value.
 +     */
 +    if (arm_feature(env, ARM_FEATURE_M) && cpu_isar_feature(aa32_lob, cpu)) {
 +        if (extract32(env->v7m.fpdscr[M_REG_NS],
 +                      FPCR_LTPSIZE_SHIFT, FPCR_LTPSIZE_LENGTH) != 4 ||
 +            extract32(env->v7m.fpdscr[M_REG_S],
 +                      FPCR_LTPSIZE_SHIFT, FPCR_LTPSIZE_LENGTH) != 4) {
 +            return -1;
 +        }
 +    }
      if (!kvm_enabled()) {
          pmu_op_finish(&cpu->env);
      }
 --
-.16.2
+.20.1

-[Qemu-devel] [PULL 06/25] linux-user: Implement aarch64 PR_SVE_SET/GET_VL
+[PULL 18/27] target/arm: Add TB flag for "MVE insns not predicated"
-From: Richard Henderson <richard.henderson@linaro.org>
+Our current codegen for MVE always calls out to helper functions,
+because some byte lanes might be predicated.  The common case is that
-As an implementation choice, widening VL has zeroed the
+in fact there is no predication active and all lanes should be
-previously inaccessible portion of the sve registers.
+updated together, so we can produce better code by detecting that and
+using the TCG generic vector infrastructure.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Add a TB flag that is set when we can guarantee that there is no
-Acked-by: Alex Bennée <alex.bennee@linaro.org>
+active MVE predication, and a bool in the DisasContext.  Subsequent
-Message-id: 20180303143823.27055-2-richard.henderson@linaro.org
+patches will use this flag to generate improved code for some
 instructions.
 In most cases when the predication state changes we simply end the TB
 after that instruction.  For the code called from vfp_access_check()
 that handles lazy state preservation and creating a new FP context,
 we can usually avoid having to try to end the TB because luckily the
 new value of the flag following the register changes in those
 sequences doesn't depend on any runtime decisions.  We do have to end
 the TB if the guest has enabled lazy FP state preservation but not
 automatic state preservation, but this is an odd corner case that is
 not going to be common in real-world code.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20210913095440.13462-4-peter.maydell@linaro.org
 ---
- linux-user/aarch64/target_syscall.h |  3 +++
+ target/arm/cpu.h              |  4 +++-
- target/arm/cpu.h                    |  1 +
+ target/arm/translate.h        |  2 ++
- linux-user/syscall.c                | 27 ++++++++++++++++++++++++
+ target/arm/helper.c           | 33 +++++++++++++++++++++++++++++++++
- target/arm/cpu64.c                  | 41 +++++++++++++++++++++++++++++++++++++
+ target/arm/translate-m-nocp.c |  8 +++++++-
-files changed, 72 insertions(+)
+ target/arm/translate-mve.c    | 13 ++++++++++++-
+ target/arm/translate-vfp.c    | 33 +++++++++++++++++++++++++++------
-diff --git a/linux-user/aarch64/target_syscall.h b/linux-user/aarch64/target_syscall.h
+ target/arm/translate.c        |  8 ++++++++
-index XXXXXXX..XXXXXXX 100644
+files changed, 92 insertions(+), 9 deletions(-)
---- a/linux-user/aarch64/target_syscall.h
 +++ b/linux-user/aarch64/target_syscall.h
@@ -XXX,XX +XXX,XX @@ struct target_pt_regs {
  #define TARGET_MLOCKALL_MCL_CURRENT 1
  #define TARGET_MLOCKALL_MCL_FUTURE  2
 +#define TARGET_PR_SVE_SET_VL  50
 +#define TARGET_PR_SVE_GET_VL  51
 +
  #endif /* AARCH64_TARGET_SYSCALL_H */
 diff --git a/target/arm/cpu.h b/target/arm/cpu.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.h
 +++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ int arm_cpu_write_elf32_note(WriteCoreDumpFunction f, CPUState *cs,
+@@ -XXX,XX +XXX,XX @@ typedef ARMCPU ArchCPU;
- #ifdef TARGET_AARCH64
+  * | TBFLAG_AM32 |          +-----+----------+
- int aarch64_cpu_gdb_read_register(CPUState *cpu, uint8_t *buf, int reg);
+  * |             |                |TBFLAG_M32|
- int aarch64_cpu_gdb_write_register(CPUState *cpu, uint8_t *buf, int reg);
+  * +-------------+----------------+----------+
-+void aarch64_sve_narrow_vq(CPUARMState *env, unsigned vq);
+- *  31         23                5 4        0
 + *  31         23                6 5        0
   *
   * Unless otherwise noted, these bits are cached in env->hflags.
   */
@@ -XXX,XX +XXX,XX @@ FIELD(TBFLAG_M32, LSPACT, 2, 1)                 /* Not cached. */
  FIELD(TBFLAG_M32, NEW_FP_CTXT_NEEDED, 3, 1)     /* Not cached. */
  /* Set if FPCCR.S does not match current security state */
  FIELD(TBFLAG_M32, FPCCR_S_WRONG, 4, 1)          /* Not cached. */
 +/* Set if MVE insns are definitely not predicated by VPR or LTPSIZE */
 +FIELD(TBFLAG_M32, MVE_NO_PRED, 5, 1)            /* Not cached. */
  /*
   * Bit usage when in AArch64 state
 diff --git a/target/arm/translate.h b/target/arm/translate.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.h
 +++ b/target/arm/translate.h
@@ -XXX,XX +XXX,XX @@ typedef struct DisasContext {
      bool align_mem;
      /* True if PSTATE.IL is set */
      bool pstate_il;
 +    /* True if MVE insns are definitely not predicated by VPR or LTPSIZE */
 +    bool mve_no_pred;
      /*
       * >= 0, a copy of PSTATE.BTYPE, which will be 0 without v8.5-BTI.
       *  < 0, set by the current instruction.
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static inline void assert_hflags_rebuild_correctly(CPUARMState *env)
  #endif
+ }
- target_ulong do_arm_semihosting(CPUARMState *env);
-diff --git a/linux-user/syscall.c b/linux-user/syscall.c
++static bool mve_no_pred(CPUARMState *env)
-index XXXXXXX..XXXXXXX 100644
++{
---- a/linux-user/syscall.c
++    /*
-+++ b/linux-user/syscall.c
++     * Return true if there is definitely no predication of MVE
-@@ -XXX,XX +XXX,XX @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
++     * instructions by VPR or LTPSIZE. (Returning false even if there
-             break;
++     * isn't any predication is OK; generated code will just be
 +     * a little worse.)
 +     * If the CPU does not implement MVE then this TB flag is always 0.
 +     *
 +     * NOTE: if you change this logic, the "recalculate s->mve_no_pred"
 +     * logic in gen_update_fp_context() needs to be updated to match.
 +     *
 +     * We do not include the effect of the ECI bits here -- they are
 +     * tracked in other TB flags. This simplifies the logic for
 +     * "when did we emit code that changes the MVE_NO_PRED TB flag
 +     * and thus need to end the TB?".
 +     */
 +    if (cpu_isar_feature(aa32_mve, env_archcpu(env))) {
 +        return false;
 +    }
 +    if (env->v7m.vpr) {
 +        return false;
 +    }
 +    if (env->v7m.ltpsize < 4) {
 +        return false;
 +    }
 +    return true;
 +}
 +
  void cpu_get_tb_cpu_state(CPUARMState *env, target_ulong *pc,
                            target_ulong *cs_base, uint32_t *pflags)
  {
@@ -XXX,XX +XXX,XX @@ void cpu_get_tb_cpu_state(CPUARMState *env, target_ulong *pc,
              if (env->v7m.fpccr[is_secure] & R_V7M_FPCCR_LSPACT_MASK) {
                  DP_TBFLAG_M32(flags, LSPACT, 1);
              }
 +
 +            if (mve_no_pred(env)) {
 +                DP_TBFLAG_M32(flags, MVE_NO_PRED, 1);
 +            }
          } else {
              /*
               * Note that XSCALE_CPAR shares bits with VECSTRIDE.
 diff --git a/target/arm/translate-m-nocp.c b/target/arm/translate-m-nocp.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-m-nocp.c
 +++ b/target/arm/translate-m-nocp.c
@@ -XXX,XX +XXX,XX @@ static bool trans_VLLDM_VLSTM(DisasContext *s, arg_VLLDM_VLSTM *a)
      clear_eci_state(s);
 -    /* End the TB, because we have updated FP control bits */
 +    /*
 +     * End the TB, because we have updated FP control bits,
 +     * and possibly VPR or LTPSIZE.
 +     */
      s->base.is_jmp = DISAS_UPDATE_EXIT;
      return true;
  }
@@ -XXX,XX +XXX,XX @@ static bool gen_M_fp_sysreg_write(DisasContext *s, int regno,
          store_cpu_field(control, v7m.control[M_REG_S]);
          tcg_gen_andi_i32(tmp, tmp, ~FPCR_NZCV_MASK);
          gen_helper_vfp_set_fpscr(cpu_env, tmp);
 +        s->base.is_jmp = DISAS_UPDATE_NOCHAIN;
          tcg_temp_free_i32(tmp);
          tcg_temp_free_i32(sfpa);
          break;
@@ -XXX,XX +XXX,XX @@ static bool gen_M_fp_sysreg_write(DisasContext *s, int regno,
          }
- #endif
+         tmp = loadfn(s, opaque, true);
-+#ifdef TARGET_AARCH64
+         store_cpu_field(tmp, v7m.vpr);
-+        case TARGET_PR_SVE_SET_VL:
++        s->base.is_jmp = DISAS_UPDATE_NOCHAIN;
-+            /* We cannot support either PR_SVE_SET_VL_ONEXEC
+         break;
-+               or PR_SVE_VL_INHERIT.  Therefore, anything above
+     case ARM_VFP_P0:
-+               ARM_MAX_VQ results in EINVAL.  */
+     {
-+            ret = -TARGET_EINVAL;
+@@ -XXX,XX +XXX,XX @@ static bool gen_M_fp_sysreg_write(DisasContext *s, int regno,
-+            if (arm_feature(cpu_env, ARM_FEATURE_SVE)
+         tcg_gen_deposit_i32(vpr, vpr, tmp,
-+                && arg2 >= 0 && arg2 <= ARM_MAX_VQ * 16 && !(arg2 & 15)) {
+                             R_V7M_VPR_P0_SHIFT, R_V7M_VPR_P0_LENGTH);
-+                CPUARMState *env = cpu_env;
+         store_cpu_field(vpr, v7m.vpr);
-+                int old_vq = (env->vfp.zcr_el[1] & 0xf) + 1;
++        s->base.is_jmp = DISAS_UPDATE_NOCHAIN;
-+                int vq = MAX(arg2 / 16, 1);
+         tcg_temp_free_i32(tmp);
-+
+         break;
-+                if (vq < old_vq) {
+     }
-+                    aarch64_sve_narrow_vq(env, vq);
+diff --git a/target/arm/translate-mve.c b/target/arm/translate-mve.c
-+                }
+index XXXXXXX..XXXXXXX 100644
-+                env->vfp.zcr_el[1] = vq - 1;
+--- a/target/arm/translate-mve.c
-+                ret = vq * 16;
++++ b/target/arm/translate-mve.c
-+            }
+@@ -XXX,XX +XXX,XX @@ DO_LOGIC(VORR, gen_helper_mve_vorr)
-+            break;
+ DO_LOGIC(VORN, gen_helper_mve_vorn)
-+        case TARGET_PR_SVE_GET_VL:
+ DO_LOGIC(VEOR, gen_helper_mve_veor)
-+            ret = -TARGET_EINVAL;
-+            if (arm_feature(cpu_env, ARM_FEATURE_SVE)) {
+-DO_LOGIC(VPSEL, gen_helper_mve_vpsel)
-+                CPUARMState *env = cpu_env;
++static bool trans_VPSEL(DisasContext *s, arg_2op *a)
 +                ret = ((env->vfp.zcr_el[1] & 0xf) + 1) * 16;
 +            }
 +            break;
 +#endif /* AARCH64 */
          case PR_GET_SECCOMP:
          case PR_SET_SECCOMP:
              /* Disable seccomp to prevent the target disabling syscalls we
 diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu64.c
 +++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_cpu_register_types(void)
  }
  type_init(aarch64_cpu_register_types)
 +
 +/* The manual says that when SVE is enabled and VQ is widened the
 + * implementation is allowed to zero the previously inaccessible
 + * portion of the registers.  The corollary to that is that when
 + * SVE is enabled and VQ is narrowed we are also allowed to zero
 + * the now inaccessible portion of the registers.
 + *
 + * The intent of this is that no predicate bit beyond VQ is ever set.
 + * Which means that some operations on predicate registers themselves
 + * may operate on full uint64_t or even unrolled across the maximum
 + * uint64_t[4].  Performing 4 bits of host arithmetic unconditionally
 + * may well be cheaper than conditionals to restrict the operation
 + * to the relevant portion of a uint16_t[16].
 + *
 + * TODO: Need to call this for changes to the real system registers
 + * and EL state changes.
 + */
 +void aarch64_sve_narrow_vq(CPUARMState *env, unsigned vq)
 +{
-+    int i, j;
++    /* This insn updates predication bits */
-+    uint64_t pmask;
++    s->base.is_jmp = DISAS_UPDATE_NOCHAIN;
-+
++    return do_2op(s, a, gen_helper_mve_vpsel);
-+    assert(vq >= 1 && vq <= ARM_MAX_VQ);
++}
-+
-+    /* Zap the high bits of the zregs.  */
+ #define DO_2OP(INSN, FN) \
-+    for (i = 0; i < 32; i++) {
+     static bool trans_##INSN(DisasContext *s, arg_2op *a)       \
-+        memset(&env->vfp.zregs[i].d[2 * vq], 0, 16 * (ARM_MAX_VQ - vq));
+@@ -XXX,XX +XXX,XX @@ static bool trans_VPNOT(DisasContext *s, arg_VPNOT *a)
-+    }
+     }
-+
-+    /* Zap the high bits of the pregs and ffr.  */
+     gen_helper_mve_vpnot(cpu_env);
-+    pmask = 0;
++    /* This insn updates predication bits */
-+    if (vq & 3) {
++    s->base.is_jmp = DISAS_UPDATE_NOCHAIN;
-+        pmask = ~(-1ULL << (16 * (vq & 3)));
+     mve_update_eci(s);
-+    }
+     return true;
-+    for (j = vq / 4; j < ARM_MAX_VQ / 4; j++) {
+ }
-+        for (i = 0; i < 17; ++i) {
+@@ -XXX,XX +XXX,XX @@ static bool do_vcmp(DisasContext *s, arg_vcmp *a, MVEGenCmpFn *fn)
-+            env->vfp.pregs[i].p[j] &= pmask;
+         /* VPT */
          gen_vpst(s, a->mask);
      }
 +    /* This insn updates predication bits */
 +    s->base.is_jmp = DISAS_UPDATE_NOCHAIN;
      mve_update_eci(s);
      return true;
  }
@@ -XXX,XX +XXX,XX @@ static bool do_vcmp_scalar(DisasContext *s, arg_vcmp_scalar *a,
          /* VPT */
          gen_vpst(s, a->mask);
      }
 +    /* This insn updates predication bits */
 +    s->base.is_jmp = DISAS_UPDATE_NOCHAIN;
      mve_update_eci(s);
      return true;
  }
 diff --git a/target/arm/translate-vfp.c b/target/arm/translate-vfp.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-vfp.c
 +++ b/target/arm/translate-vfp.c
@@ -XXX,XX +XXX,XX @@ static inline long vfp_f16_offset(unsigned reg, bool top)
   * Generate code for M-profile lazy FP state preservation if needed;
   * this corresponds to the pseudocode PreserveFPState() function.
   */
 -static void gen_preserve_fp_state(DisasContext *s)
 +static void gen_preserve_fp_state(DisasContext *s, bool skip_context_update)
  {
      if (s->v7m_lspact) {
          /*
@@ -XXX,XX +XXX,XX @@ static void gen_preserve_fp_state(DisasContext *s)
           * any further FP insns in this TB.
           */
          s->v7m_lspact = false;
 +        /*
 +         * The helper might have zeroed VPR, so we do not know the
 +         * correct value for the MVE_NO_PRED TB flag any more.
 +         * If we're about to create a new fp context then that
 +         * will precisely determine the MVE_NO_PRED value (see
 +         * gen_update_fp_context()). Otherwise, we must:
 +         *  - set s->mve_no_pred to false, so this instruction
 +         *    is generated to use helper functions
 +         *  - end the TB now, without chaining to the next TB
 +         */
 +        if (skip_context_update || !s->v7m_new_fp_ctxt_needed) {
 +            s->mve_no_pred = false;
 +            s->base.is_jmp = DISAS_UPDATE_NOCHAIN;
 +        }
-+        pmask = 0;
+     }
-+    }
+ }
-+}
@@ -XXX,XX +XXX,XX @@ static void gen_update_fp_context(DisasContext *s)
              TCGv_i32 z32 = tcg_const_i32(0);
              store_cpu_field(z32, v7m.vpr);
          }
 -
          /*
 -         * We don't need to arrange to end the TB, because the only
 -         * parts of FPSCR which we cache in the TB flags are the VECLEN
 -         * and VECSTRIDE, and those don't exist for M-profile.
 +         * We just updated the FPSCR and VPR. Some of this state is cached
 +         * in the MVE_NO_PRED TB flag. We want to avoid having to end the
 +         * TB here, which means we need the new value of the MVE_NO_PRED
 +         * flag to be exactly known here and the same for all executions.
 +         * Luckily FPDSCR.LTPSIZE is always constant 4 and the VPR is
 +         * always set to 0, so the new MVE_NO_PRED flag is always 1
 +         * if and only if we have MVE.
 +         *
 +         * (The other FPSCR state cached in TB flags is VECLEN and VECSTRIDE,
 +         * but those do not exist for M-profile, so are not relevant here.)
           */
 +        s->mve_no_pred = dc_isar_feature(aa32_mve, s);
          if (s->v8m_secure) {
              bits |= R_V7M_CONTROL_SFPA_MASK;
@@ -XXX,XX +XXX,XX @@ bool vfp_access_check_m(DisasContext *s, bool skip_context_update)
      /* Handle M-profile lazy FP state mechanics */
      /* Trigger lazy-state preservation if necessary */
 -    gen_preserve_fp_state(s);
 +    gen_preserve_fp_state(s, skip_context_update);
      if (!skip_context_update) {
          /* Update ownership of FP context and create new FP context if needed */
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.c
 +++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static bool trans_DLS(DisasContext *s, arg_DLS *a)
          /* DLSTP: set FPSCR.LTPSIZE */
          tmp = tcg_const_i32(a->size);
          store_cpu_field(tmp, v7m.ltpsize);
 +        s->base.is_jmp = DISAS_UPDATE_NOCHAIN;
      }
      return true;
  }
@@ -XXX,XX +XXX,XX @@ static bool trans_WLS(DisasContext *s, arg_WLS *a)
          assert(ok);
          tmp = tcg_const_i32(a->size);
          store_cpu_field(tmp, v7m.ltpsize);
 +        /*
 +         * LTPSIZE updated, but MVE_NO_PRED will always be the same thing (0)
 +         * when we take this upcoming exit from this TB, so gen_jmp_tb() is OK.
 +         */
      }
      gen_jmp_tb(s, s->base.pc_next, 1);
@@ -XXX,XX +XXX,XX @@ static bool trans_VCTP(DisasContext *s, arg_VCTP *a)
      gen_helper_mve_vctp(cpu_env, masklen);
      tcg_temp_free_i32(masklen);
      tcg_temp_free_i32(rn_shifted);
 +    /* This insn updates predication bits */
 +    s->base.is_jmp = DISAS_UPDATE_NOCHAIN;
      mve_update_eci(s);
      return true;
  }
@@ -XXX,XX +XXX,XX @@ static void arm_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
          dc->v7m_new_fp_ctxt_needed =
              EX_TBFLAG_M32(tb_flags, NEW_FP_CTXT_NEEDED);
          dc->v7m_lspact = EX_TBFLAG_M32(tb_flags, LSPACT);
 +        dc->mve_no_pred = EX_TBFLAG_M32(tb_flags, MVE_NO_PRED);
      } else {
          dc->debug_target_el = EX_TBFLAG_ANY(tb_flags, DEBUG_TARGET_EL);
          dc->sctlr_b = EX_TBFLAG_A32(tb_flags, SCTLR__B);
 --
-.16.2
+.20.1

-[Qemu-devel] [PULL 15/25] target/arm: Move definition of 'host' cpu type into cpu.c
+[PULL 19/27] target/arm: Optimize MVE logic ops
-Move the definition of the 'host' cpu type into cpu.c, where all the
+When not predicating, implement the MVE bitwise logical insns
-other CPU types are defined.  We can do this now we've decoupled it
+directly using TCG vector operations.
 from the KVM-specific host feature probing.  This means we now create
 the type unconditionally (assuming we were built with KVM support at
 all), but if you try to use it without -enable-kvm this will end
 up in the "host cpu probe failed and KVM not enabled" path in
 arm_cpu_realizefn(), for an appropriate error message.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180308130626.12393-3-peter.maydell@linaro.org
+Message-id: 20210913095440.13462-5-peter.maydell@linaro.org
 ---
- target/arm/cpu.c | 24 ++++++++++++++++++++++++
+ target/arm/translate-mve.c | 51 +++++++++++++++++++++++++++-----------
- target/arm/kvm.c | 19 -------------------
+file changed, 36 insertions(+), 15 deletions(-)
 files changed, 24 insertions(+), 19 deletions(-)
-diff --git a/target/arm/cpu.c b/target/arm/cpu.c
+diff --git a/target/arm/translate-mve.c b/target/arm/translate-mve.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.c
+--- a/target/arm/translate-mve.c
-+++ b/target/arm/cpu.c
++++ b/target/arm/translate-mve.c
-@@ -XXX,XX +XXX,XX @@ static void arm_cpu_class_init(ObjectClass *oc, void *data)
+@@ -XXX,XX +XXX,XX @@ static TCGv_ptr mve_qreg_ptr(unsigned reg)
- #endif
+     return ret;
  }
-+#ifdef CONFIG_KVM
++static bool mve_no_predication(DisasContext *s)
 +static void arm_host_initfn(Object *obj)
 +{
-+    ARMCPU *cpu = ARM_CPU(obj);
++    /*
-+
++     * Return true if we are executing the entire MVE instruction
-+    kvm_arm_set_cpu_features_from_host(cpu);
++     * with no predication or partial-execution, and so we can safely
 +     * use an inline TCG vector implementation.
 +     */
 +    return s->eci == 0 && s->mve_no_pred;
 +}
 +
-+static const TypeInfo host_arm_cpu_type_info = {
+ static bool mve_check_qreg_bank(DisasContext *s, int qmask)
-+    .name = TYPE_ARM_HOST_CPU,
+ {
-+#ifdef TARGET_AARCH64
+     /*
-+    .parent = TYPE_AARCH64_CPU,
+@@ -XXX,XX +XXX,XX @@ static bool trans_VNEG_fp(DisasContext *s, arg_1op *a)
-+#else
+     return do_1op(s, a, fns[a->size]);
-+    .parent = TYPE_ARM_CPU,
+ }
-+#endif
-+    .instance_init = arm_host_initfn,
+-static bool do_2op(DisasContext *s, arg_2op *a, MVEGenTwoOpFn fn)
-+};
++static bool do_2op_vec(DisasContext *s, arg_2op *a, MVEGenTwoOpFn fn,
 +                       GVecGen3Fn *vecfn)
  {
      TCGv_ptr qd, qn, qm;
@@ -XXX,XX +XXX,XX @@ static bool do_2op(DisasContext *s, arg_2op *a, MVEGenTwoOpFn fn)
          return true;
      }
 -    qd = mve_qreg_ptr(a->qd);
 -    qn = mve_qreg_ptr(a->qn);
 -    qm = mve_qreg_ptr(a->qm);
 -    fn(cpu_env, qd, qn, qm);
 -    tcg_temp_free_ptr(qd);
 -    tcg_temp_free_ptr(qn);
 -    tcg_temp_free_ptr(qm);
 +    if (vecfn && mve_no_predication(s)) {
 +        vecfn(a->size, mve_qreg_offset(a->qd), mve_qreg_offset(a->qn),
 +              mve_qreg_offset(a->qm), 16, 16);
 +    } else {
 +        qd = mve_qreg_ptr(a->qd);
 +        qn = mve_qreg_ptr(a->qn);
 +        qm = mve_qreg_ptr(a->qm);
 +        fn(cpu_env, qd, qn, qm);
 +        tcg_temp_free_ptr(qd);
 +        tcg_temp_free_ptr(qn);
 +        tcg_temp_free_ptr(qm);
 +    }
      mve_update_eci(s);
      return true;
  }
 -#define DO_LOGIC(INSN, HELPER)                                  \
 +static bool do_2op(DisasContext *s, arg_2op *a, MVEGenTwoOpFn *fn)
 +{
 +    return do_2op_vec(s, a, fn, NULL);
 +}
 +
-+#endif
++#define DO_LOGIC(INSN, HELPER, VECFN)                           \
-+
+     static bool trans_##INSN(DisasContext *s, arg_2op *a)       \
- static void cpu_register(const ARMCPUInfo *info)
+     {                                                           \
 -        return do_2op(s, a, HELPER);                            \
 +        return do_2op_vec(s, a, HELPER, VECFN);                 \
      }
 -DO_LOGIC(VAND, gen_helper_mve_vand)
 -DO_LOGIC(VBIC, gen_helper_mve_vbic)
 -DO_LOGIC(VORR, gen_helper_mve_vorr)
 -DO_LOGIC(VORN, gen_helper_mve_vorn)
 -DO_LOGIC(VEOR, gen_helper_mve_veor)
 +DO_LOGIC(VAND, gen_helper_mve_vand, tcg_gen_gvec_and)
 +DO_LOGIC(VBIC, gen_helper_mve_vbic, tcg_gen_gvec_andc)
 +DO_LOGIC(VORR, gen_helper_mve_vorr, tcg_gen_gvec_or)
 +DO_LOGIC(VORN, gen_helper_mve_vorn, tcg_gen_gvec_orc)
 +DO_LOGIC(VEOR, gen_helper_mve_veor, tcg_gen_gvec_xor)
  static bool trans_VPSEL(DisasContext *s, arg_2op *a)
  {
-     TypeInfo type_info = {
-@@ -XXX,XX +XXX,XX @@ static void arm_cpu_register_types(void)
-         cpu_register(info);
-         info++;
-     }
-+
-+#ifdef CONFIG_KVM
-+    type_register_static(&host_arm_cpu_type_info);
-+#endif
- }
- type_init(arm_cpu_register_types)
-diff --git a/target/arm/kvm.c b/target/arm/kvm.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/kvm.c
-+++ b/target/arm/kvm.c
-@@ -XXX,XX +XXX,XX @@ void kvm_arm_set_cpu_features_from_host(ARMCPU *cpu)
-     env->features = arm_host_cpu_features.features;
- }
--static void kvm_arm_host_cpu_initfn(Object *obj)
--{
--    ARMCPU *cpu = ARM_CPU(obj);
--
--    kvm_arm_set_cpu_features_from_host(cpu);
--}
--
--static const TypeInfo host_arm_cpu_type_info = {
--    .name = TYPE_ARM_HOST_CPU,
--#ifdef TARGET_AARCH64
--    .parent = TYPE_AARCH64_CPU,
--#else
--    .parent = TYPE_ARM_CPU,
--#endif
--    .instance_init = kvm_arm_host_cpu_initfn,
--};
--
- int kvm_arch_init(MachineState *ms, KVMState *s)
- {
-     /* For ARM interrupt delivery is always asynchronous,
-@@ -XXX,XX +XXX,XX @@ int kvm_arch_init(MachineState *ms, KVMState *s)
-     cap_has_mp_state = kvm_check_extension(s, KVM_CAP_MP_STATE);
--    type_register_static(&host_arm_cpu_type_info);
--
-     return 0;
- }
 --
-.16.2
+.20.1

-[Qemu-devel] [PULL 22/25] sdcard: Display which protocol is used when tracing (SD or SPI)
+[PULL 20/27] target/arm: Optimize MVE arithmetic ops
-From: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Optimize MVE arithmetic ops when we have a TCG
 vector operation we can use.
-Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20180309153654.13518-4-f4bug@amsat.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20210913095440.13462-6-peter.maydell@linaro.org
 ---
- hw/sd/sd.c         | 14 ++++++++++----
+ target/arm/translate-mve.c | 20 +++++++++++---------
- hw/sd/trace-events |  8 ++++----
+file changed, 11 insertions(+), 9 deletions(-)
 files changed, 14 insertions(+), 8 deletions(-)
-diff --git a/hw/sd/sd.c b/hw/sd/sd.c
+diff --git a/target/arm/translate-mve.c b/target/arm/translate-mve.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/sd/sd.c
+--- a/target/arm/translate-mve.c
-+++ b/hw/sd/sd.c
++++ b/target/arm/translate-mve.c
-@@ -XXX,XX +XXX,XX @@ struct SDState {
+@@ -XXX,XX +XXX,XX @@ static bool trans_VPSEL(DisasContext *s, arg_2op *a)
-     qemu_irq readonly_cb;
+     return do_2op(s, a, gen_helper_mve_vpsel);
-     qemu_irq inserted_cb;
+ }
-     QEMUTimer *ocr_power_timer;
-+    const char *proto_name;
+-#define DO_2OP(INSN, FN) \
-     bool enable;
++#define DO_2OP_VEC(INSN, FN, VECFN)                             \
-     uint8_t dat_lines;
+     static bool trans_##INSN(DisasContext *s, arg_2op *a)       \
-     bool cmd_line;
+     {                                                           \
-@@ -XXX,XX +XXX,XX @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
+         static MVEGenTwoOpFn * const fns[] = {                  \
-      * However there is no ACMD55, so we want to trace this particular case.
+@@ -XXX,XX +XXX,XX @@ static bool trans_VPSEL(DisasContext *s, arg_2op *a)
-      */
+             gen_helper_mve_##FN##w,                             \
-     if (req.cmd != 55 || sd->expecting_acmd) {
+             NULL,                                               \
--        trace_sdcard_normal_command(sd_cmd_name(req.cmd), req.cmd,
+         };                                                      \
-+        trace_sdcard_normal_command(sd->proto_name,
+-        return do_2op(s, a, fns[a->size]);                      \
-+                                    sd_cmd_name(req.cmd), req.cmd,
++        return do_2op_vec(s, a, fns[a->size], VECFN);           \
                                      req.arg, sd_state_name(sd->state));
      }
-@@ -XXX,XX +XXX,XX @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
+-DO_2OP(VADD, vadd)
- static sd_rsp_type_t sd_app_command(SDState *sd,
+-DO_2OP(VSUB, vsub)
-                                     SDRequest req)
+-DO_2OP(VMUL, vmul)
- {
++#define DO_2OP(INSN, FN) DO_2OP_VEC(INSN, FN, NULL)
 -    trace_sdcard_app_command(sd_acmd_name(req.cmd),
 +    trace_sdcard_app_command(sd->proto_name, sd_acmd_name(req.cmd),
                               req.cmd, req.arg, sd_state_name(sd->state));
      sd->card_status |= APP_CMD;
      switch (req.cmd) {
@@ -XXX,XX +XXX,XX @@ void sd_write_data(SDState *sd, uint8_t value)
      if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
          return;
 -    trace_sdcard_write_data(sd_acmd_name(sd->current_cmd),
 +    trace_sdcard_write_data(sd->proto_name,
 +                            sd_acmd_name(sd->current_cmd),
                              sd->current_cmd, value);
      switch (sd->current_cmd) {
      case 24:    /* CMD24:  WRITE_SINGLE_BLOCK */
@@ -XXX,XX +XXX,XX @@ uint8_t sd_read_data(SDState *sd)
      io_len = (sd->ocr & (1 << 30)) ? 512 : sd->blk_len;
 -    trace_sdcard_read_data(sd_acmd_name(sd->current_cmd),
 +    trace_sdcard_read_data(sd->proto_name,
 +                           sd_acmd_name(sd->current_cmd),
                             sd->current_cmd, io_len);
      switch (sd->current_cmd) {
      case 6:    /* CMD6:   SWITCH_FUNCTION */
@@ -XXX,XX +XXX,XX @@ static void sd_realize(DeviceState *dev, Error **errp)
      SDState *sd = SD_CARD(dev);
      int ret;
 +    sd->proto_name = sd->spi ? "SPI" : "SD";
 +
-     if (sd->blk && blk_is_read_only(sd->blk)) {
++DO_2OP_VEC(VADD, vadd, tcg_gen_gvec_add)
-         error_setg(errp, "Cannot use read-only drive as SD card");
++DO_2OP_VEC(VSUB, vsub, tcg_gen_gvec_sub)
-         return;
++DO_2OP_VEC(VMUL, vmul, tcg_gen_gvec_mul)
-diff --git a/hw/sd/trace-events b/hw/sd/trace-events
+ DO_2OP(VMULH_S, vmulhs)
-index XXXXXXX..XXXXXXX 100644
+ DO_2OP(VMULH_U, vmulhu)
---- a/hw/sd/trace-events
+ DO_2OP(VRMULH_S, vrmulhs)
-+++ b/hw/sd/trace-events
+ DO_2OP(VRMULH_U, vrmulhu)
-@@ -XXX,XX +XXX,XX @@ sdhci_write_dataport(uint16_t data_count) "write buffer filled with %u bytes of
+-DO_2OP(VMAX_S, vmaxs)
- sdhci_capareg(const char *desc, uint16_t val) "%s: %u"
+-DO_2OP(VMAX_U, vmaxu)
+-DO_2OP(VMIN_S, vmins)
- # hw/sd/sd.c
+-DO_2OP(VMIN_U, vminu)
--sdcard_normal_command(const char *cmd_desc, uint8_t cmd, uint32_t arg, const char *state) "%20s/ CMD%02d arg 0x%08x (state %s)"
++DO_2OP_VEC(VMAX_S, vmaxs, tcg_gen_gvec_smax)
--sdcard_app_command(const char *acmd_desc, uint8_t acmd, uint32_t arg, const char *state) "%23s/ACMD%02d arg 0x%08x (state %s)"
++DO_2OP_VEC(VMAX_U, vmaxu, tcg_gen_gvec_umax)
-+sdcard_normal_command(const char *proto, const char *cmd_desc, uint8_t cmd, uint32_t arg, const char *state) "%s %20s/ CMD%02d arg 0x%08x (state %s)"
++DO_2OP_VEC(VMIN_S, vmins, tcg_gen_gvec_smin)
-+sdcard_app_command(const char *proto, const char *acmd_desc, uint8_t acmd, uint32_t arg, const char *state) "%s %23s/ACMD%02d arg 0x%08x (state %s)"
++DO_2OP_VEC(VMIN_U, vminu, tcg_gen_gvec_umin)
- sdcard_response(const char *rspdesc, int rsplen) "%s (sz:%d)"
+ DO_2OP(VABD_S, vabds)
- sdcard_powerup(void) ""
+ DO_2OP(VABD_U, vabdu)
- sdcard_inquiry_cmd41(void) ""
+ DO_2OP(VHADD_S, vhadds)
@@ -XXX,XX +XXX,XX @@ sdcard_lock(void) ""
  sdcard_unlock(void) ""
  sdcard_read_block(uint64_t addr, uint32_t len) "addr 0x%" PRIx64 " size 0x%x"
  sdcard_write_block(uint64_t addr, uint32_t len) "addr 0x%" PRIx64 " size 0x%x"
 -sdcard_write_data(const char *cmd_desc, uint8_t cmd, uint8_t value) "%20s/ CMD%02d value 0x%02x"
 -sdcard_read_data(const char *cmd_desc, uint8_t cmd, int length) "%20s/ CMD%02d len %d"
 +sdcard_write_data(const char *proto, const char *cmd_desc, uint8_t cmd, uint8_t value) "%s %20s/ CMD%02d value 0x%02x"
 +sdcard_read_data(const char *proto, const char *cmd_desc, uint8_t cmd, int length) "%s %20s/ CMD%02d len %d"
  sdcard_set_voltage(uint16_t millivolts) "%u mV"
  # hw/sd/milkymist-memcard.c
 --
-.16.2
+.20.1

-[Qemu-devel] [PULL 21/25] sdcard: Display command name when tracing CMD/ACMD
+[PULL 21/27] target/arm: Optimize MVE VNEG, VABS
-From: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Optimize the MVE VNEG and VABS insns by using TCG
 vector ops when possible.
-The SDBus will reuse these functions, so we put them in a new source file.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20210913095440.13462-7-peter.maydell@linaro.org
 ---
  target/arm/translate-mve.c | 32 ++++++++++++++++++++++----------
 file changed, 22 insertions(+), 10 deletions(-)
-Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+diff --git a/target/arm/translate-mve.c b/target/arm/translate-mve.c
 Message-id: 20180309153654.13518-3-f4bug@amsat.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 [PMM: slight wordsmithing of comments, added note that string
  returned does not need to be freed]
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
  hw/sd/Makefile.objs    |  2 +-
  hw/sd/sdmmc-internal.h | 24 +++++++++++++++++
  hw/sd/sd.c             | 13 +++++----
  hw/sd/sdmmc-internal.c | 72 ++++++++++++++++++++++++++++++++++++++++++++++++++
  hw/sd/trace-events     |  8 +++---
 files changed, 109 insertions(+), 10 deletions(-)
  create mode 100644 hw/sd/sdmmc-internal.c
 diff --git a/hw/sd/Makefile.objs b/hw/sd/Makefile.objs
 index XXXXXXX..XXXXXXX 100644
---- a/hw/sd/Makefile.objs
+--- a/target/arm/translate-mve.c
-+++ b/hw/sd/Makefile.objs
++++ b/target/arm/translate-mve.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ static bool trans_VDUP(DisasContext *s, arg_VDUP *a)
- common-obj-$(CONFIG_PL181) += pl181.o
+     return true;
- common-obj-$(CONFIG_SSI_SD) += ssi-sd.o
+ }
--common-obj-$(CONFIG_SD) += sd.o core.o
-+common-obj-$(CONFIG_SD) += sd.o core.o sdmmc-internal.o
+-static bool do_1op(DisasContext *s, arg_1op *a, MVEGenOneOpFn fn)
- common-obj-$(CONFIG_SDHCI) += sdhci.o
++static bool do_1op_vec(DisasContext *s, arg_1op *a, MVEGenOneOpFn fn,
++                       GVecGen2Fn vecfn)
- obj-$(CONFIG_MILKYMIST) += milkymist-memcard.o
+ {
-diff --git a/hw/sd/sdmmc-internal.h b/hw/sd/sdmmc-internal.h
+     TCGv_ptr qd, qm;
-index XXXXXXX..XXXXXXX 100644
---- a/hw/sd/sdmmc-internal.h
+@@ -XXX,XX +XXX,XX @@ static bool do_1op(DisasContext *s, arg_1op *a, MVEGenOneOpFn fn)
-+++ b/hw/sd/sdmmc-internal.h
+         return true;
@@ -XXX,XX +XXX,XX @@
  #define SDMMC_CMD_MAX 64
 +/**
 + * sd_cmd_name:
 + * @cmd: A SD "normal" command, up to SDMMC_CMD_MAX.
 + *
 + * Returns a human-readable name describing the command.
 + * The return value is always a static string which does not need
 + * to be freed after use.
 + *
 + * Returns: The command name of @cmd or "UNKNOWN_CMD".
 + */
 +const char *sd_cmd_name(uint8_t cmd);
 +
 +/**
 + * sd_acmd_name:
 + * @cmd: A SD "Application-Specific" command, up to SDMMC_CMD_MAX.
 + *
 + * Returns a human-readable name describing the application command.
 + * The return value is always a static string which does not need
 + * to be freed after use.
 + *
 + * Returns: The application command name of @cmd or "UNKNOWN_ACMD".
 + */
 +const char *sd_acmd_name(uint8_t cmd);
 +
  #endif
 diff --git a/hw/sd/sd.c b/hw/sd/sd.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/sd/sd.c
 +++ b/hw/sd/sd.c
@@ -XXX,XX +XXX,XX @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
       * However there is no ACMD55, so we want to trace this particular case.
       */
      if (req.cmd != 55 || sd->expecting_acmd) {
 -        trace_sdcard_normal_command(req.cmd, req.arg,
 -                                    sd_state_name(sd->state));
 +        trace_sdcard_normal_command(sd_cmd_name(req.cmd), req.cmd,
 +                                    req.arg, sd_state_name(sd->state));
      }
-     /* Not interpreting this as an app command */
+-    qd = mve_qreg_ptr(a->qd);
-@@ -XXX,XX +XXX,XX @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
+-    qm = mve_qreg_ptr(a->qm);
- static sd_rsp_type_t sd_app_command(SDState *sd,
+-    fn(cpu_env, qd, qm);
-                                     SDRequest req)
+-    tcg_temp_free_ptr(qd);
- {
+-    tcg_temp_free_ptr(qm);
--    trace_sdcard_app_command(req.cmd, req.arg);
++    if (vecfn && mve_no_predication(s)) {
-+    trace_sdcard_app_command(sd_acmd_name(req.cmd),
++        vecfn(a->size, mve_qreg_offset(a->qd), mve_qreg_offset(a->qm), 16, 16);
-+                             req.cmd, req.arg, sd_state_name(sd->state));
++    } else {
-     sd->card_status |= APP_CMD;
++        qd = mve_qreg_ptr(a->qd);
-     switch (req.cmd) {
++        qm = mve_qreg_ptr(a->qm);
-     case 6:    /* ACMD6:  SET_BUS_WIDTH */
++        fn(cpu_env, qd, qm);
-@@ -XXX,XX +XXX,XX @@ void sd_write_data(SDState *sd, uint8_t value)
++        tcg_temp_free_ptr(qd);
-     if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
++        tcg_temp_free_ptr(qm);
-         return;
++    }
+     mve_update_eci(s);
--    trace_sdcard_write_data(sd->current_cmd, value);
+     return true;
-+    trace_sdcard_write_data(sd_acmd_name(sd->current_cmd),
+ }
-+                            sd->current_cmd, value);
-     switch (sd->current_cmd) {
+-#define DO_1OP(INSN, FN)                                        \
-     case 24:    /* CMD24:  WRITE_SINGLE_BLOCK */
++static bool do_1op(DisasContext *s, arg_1op *a, MVEGenOneOpFn fn)
          sd->data[sd->data_offset ++] = value;
@@ -XXX,XX +XXX,XX @@ uint8_t sd_read_data(SDState *sd)
      io_len = (sd->ocr & (1 << 30)) ? 512 : sd->blk_len;
 -    trace_sdcard_read_data(sd->current_cmd, io_len);
 +    trace_sdcard_read_data(sd_acmd_name(sd->current_cmd),
 +                           sd->current_cmd, io_len);
      switch (sd->current_cmd) {
      case 6:    /* CMD6:   SWITCH_FUNCTION */
          ret = sd->data[sd->data_offset ++];
 diff --git a/hw/sd/sdmmc-internal.c b/hw/sd/sdmmc-internal.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/hw/sd/sdmmc-internal.c
@@ -XXX,XX +XXX,XX @@
 +/*
 + * SD/MMC cards common helpers
 + *
 + * Copyright (c) 2018  Philippe Mathieu-Daudé <f4bug@amsat.org>
 + *
 + * This work is licensed under the terms of the GNU GPL, version 2 or later.
 + * See the COPYING file in the top-level directory.
 + * SPDX-License-Identifier: GPL-2.0-or-later
 + */
 +
 +#include "qemu/osdep.h"
 +#include "sdmmc-internal.h"
 +
 +const char *sd_cmd_name(uint8_t cmd)
 +{
-+    static const char *cmd_abbrev[SDMMC_CMD_MAX] = {
++    return do_1op_vec(s, a, fn, NULL);
 +         [0]    = "GO_IDLE_STATE",
 +         [2]    = "ALL_SEND_CID",            [3]    = "SEND_RELATIVE_ADDR",
 +         [4]    = "SET_DSR",                 [5]    = "IO_SEND_OP_COND",
 +         [6]    = "SWITCH_FUNC",             [7]    = "SELECT/DESELECT_CARD",
 +         [8]    = "SEND_IF_COND",            [9]    = "SEND_CSD",
 +        [10]    = "SEND_CID",               [11]    = "VOLTAGE_SWITCH",
 +        [12]    = "STOP_TRANSMISSION",      [13]    = "SEND_STATUS",
 +                                            [15]    = "GO_INACTIVE_STATE",
 +        [16]    = "SET_BLOCKLEN",           [17]    = "READ_SINGLE_BLOCK",
 +        [18]    = "READ_MULTIPLE_BLOCK",    [19]    = "SEND_TUNING_BLOCK",
 +        [20]    = "SPEED_CLASS_CONTROL",    [21]    = "DPS_spec",
 +                                            [23]    = "SET_BLOCK_COUNT",
 +        [24]    = "WRITE_BLOCK",            [25]    = "WRITE_MULTIPLE_BLOCK",
 +        [26]    = "MANUF_RSVD",             [27]    = "PROGRAM_CSD",
 +        [28]    = "SET_WRITE_PROT",         [29]    = "CLR_WRITE_PROT",
 +        [30]    = "SEND_WRITE_PROT",
 +        [32]    = "ERASE_WR_BLK_START",     [33]    = "ERASE_WR_BLK_END",
 +        [34]    = "SW_FUNC_RSVD",           [35]    = "SW_FUNC_RSVD",
 +        [36]    = "SW_FUNC_RSVD",           [37]    = "SW_FUNC_RSVD",
 +        [38]    = "ERASE",
 +        [40]    = "DPS_spec",
 +        [42]    = "LOCK_UNLOCK",            [43]    = "Q_MANAGEMENT",
 +        [44]    = "Q_TASK_INFO_A",          [45]    = "Q_TASK_INFO_B",
 +        [46]    = "Q_RD_TASK",              [47]    = "Q_WR_TASK",
 +        [48]    = "READ_EXTR_SINGLE",       [49]    = "WRITE_EXTR_SINGLE",
 +        [50]    = "SW_FUNC_RSVD",
 +        [52]    = "IO_RW_DIRECT",           [53]    = "IO_RW_EXTENDED",
 +        [54]    = "SDIO_RSVD",              [55]    = "APP_CMD",
 +        [56]    = "GEN_CMD",                [57]    = "SW_FUNC_RSVD",
 +        [58]    = "READ_EXTR_MULTI",        [59]    = "WRITE_EXTR_MULTI",
 +        [60]    = "MANUF_RSVD",             [61]    = "MANUF_RSVD",
 +        [62]    = "MANUF_RSVD",             [63]    = "MANUF_RSVD",
 +    };
 +    return cmd_abbrev[cmd] ? cmd_abbrev[cmd] : "UNKNOWN_CMD";
 +}
 +
-+const char *sd_acmd_name(uint8_t cmd)
++#define DO_1OP_VEC(INSN, FN, VECFN)                             \
-+{
+     static bool trans_##INSN(DisasContext *s, arg_1op *a)       \
-+    static const char *acmd_abbrev[SDMMC_CMD_MAX] = {
+     {                                                           \
-+         [6] = "SET_BUS_WIDTH",
+         static MVEGenOneOpFn * const fns[] = {                  \
-+        [13] = "SD_STATUS",
+@@ -XXX,XX +XXX,XX @@ static bool do_1op(DisasContext *s, arg_1op *a, MVEGenOneOpFn fn)
-+        [14] = "DPS_spec",                  [15] = "DPS_spec",
+             gen_helper_mve_##FN##w,                             \
-+        [16] = "DPS_spec",
+             NULL,                                               \
-+        [18] = "SECU_spec",
+         };                                                      \
-+        [22] = "SEND_NUM_WR_BLOCKS",        [23] = "SET_WR_BLK_ERASE_COUNT",
+-        return do_1op(s, a, fns[a->size]);                      \
-+        [41] = "SD_SEND_OP_COND",
++        return do_1op_vec(s, a, fns[a->size], VECFN);           \
-+        [42] = "SET_CLR_CARD_DETECT",
+     }
-+        [51] = "SEND_SCR",
-+        [52] = "SECU_spec",                 [53] = "SECU_spec",
++#define DO_1OP(INSN, FN) DO_1OP_VEC(INSN, FN, NULL)
 +        [54] = "SECU_spec",
 +        [56] = "SECU_spec",                 [57] = "SECU_spec",
 +        [58] = "SECU_spec",                 [59] = "SECU_spec",
 +    };
 +
-+    return acmd_abbrev[cmd] ? acmd_abbrev[cmd] : "UNKNOWN_ACMD";
+ DO_1OP(VCLZ, vclz)
-+}
+ DO_1OP(VCLS, vcls)
-diff --git a/hw/sd/trace-events b/hw/sd/trace-events
+-DO_1OP(VABS, vabs)
-index XXXXXXX..XXXXXXX 100644
+-DO_1OP(VNEG, vneg)
---- a/hw/sd/trace-events
++DO_1OP_VEC(VABS, vabs, tcg_gen_gvec_abs)
-+++ b/hw/sd/trace-events
++DO_1OP_VEC(VNEG, vneg, tcg_gen_gvec_neg)
-@@ -XXX,XX +XXX,XX @@ sdhci_write_dataport(uint16_t data_count) "write buffer filled with %u bytes of
+ DO_1OP(VQABS, vqabs)
- sdhci_capareg(const char *desc, uint16_t val) "%s: %u"
+ DO_1OP(VQNEG, vqneg)
+ DO_1OP(VMAXA, vmaxa)
  # hw/sd/sd.c
 -sdcard_normal_command(uint8_t cmd, uint32_t arg, const char *state) "CMD%d arg 0x%08x (state %s)"
 -sdcard_app_command(uint8_t acmd, uint32_t arg) "ACMD%d arg 0x%08x"
 +sdcard_normal_command(const char *cmd_desc, uint8_t cmd, uint32_t arg, const char *state) "%20s/ CMD%02d arg 0x%08x (state %s)"
 +sdcard_app_command(const char *acmd_desc, uint8_t acmd, uint32_t arg, const char *state) "%23s/ACMD%02d arg 0x%08x (state %s)"
  sdcard_response(const char *rspdesc, int rsplen) "%s (sz:%d)"
  sdcard_powerup(void) ""
  sdcard_inquiry_cmd41(void) ""
@@ -XXX,XX +XXX,XX @@ sdcard_lock(void) ""
  sdcard_unlock(void) ""
  sdcard_read_block(uint64_t addr, uint32_t len) "addr 0x%" PRIx64 " size 0x%x"
  sdcard_write_block(uint64_t addr, uint32_t len) "addr 0x%" PRIx64 " size 0x%x"
 -sdcard_write_data(uint8_t cmd, uint8_t value) "CMD%02d value 0x%02x"
 -sdcard_read_data(uint8_t cmd, int length) "CMD%02d len %d"
 +sdcard_write_data(const char *cmd_desc, uint8_t cmd, uint8_t value) "%20s/ CMD%02d value 0x%02x"
 +sdcard_read_data(const char *cmd_desc, uint8_t cmd, int length) "%20s/ CMD%02d len %d"
  sdcard_set_voltage(uint16_t millivolts) "%u mV"
  # hw/sd/milkymist-memcard.c
 --
-.16.2
+.20.1

-[Qemu-devel] [PULL 12/25] arm: fix load ELF error leak
+[PULL 22/27] target/arm: Optimize MVE VDUP
-From: Marc-André Lureau <marcandre.lureau@redhat.com>
+Optimize the MVE VDUP insns by using TCG vector ops when possible.
-Spotted by ASAN:
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-QTEST_QEMU_BINARY=aarch64-softmmu/qemu-system-aarch64 tests/boot-serial-test
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20210913095440.13462-8-peter.maydell@linaro.org
 ---
  target/arm/translate-mve.c | 12 ++++++++----
 file changed, 8 insertions(+), 4 deletions(-)
-Direct leak of 48 byte(s) in 1 object(s) allocated from:
+diff --git a/target/arm/translate-mve.c b/target/arm/translate-mve.c
     #0 0x7ff8a9b0ca38 in __interceptor_calloc (/lib64/libasan.so.4+0xdea38)
     #1 0x7ff8a8ea7f75 in g_malloc0 ../glib/gmem.c:124
     #2 0x55fef3d99129 in error_setv /home/elmarco/src/qemu/util/error.c:59
     #3 0x55fef3d99738 in error_setg_internal /home/elmarco/src/qemu/util/error.c:95
     #4 0x55fef323acb2 in load_elf_hdr /home/elmarco/src/qemu/hw/core/loader.c:393
     #5 0x55fef2d15776 in arm_load_elf /home/elmarco/src/qemu/hw/arm/boot.c:830
     #6 0x55fef2d16d39 in arm_load_kernel_notify /home/elmarco/src/qemu/hw/arm/boot.c:1022
     #7 0x55fef3dc634d in notifier_list_notify /home/elmarco/src/qemu/util/notify.c:40
     #8 0x55fef2fc3182 in qemu_run_machine_init_done_notifiers /home/elmarco/src/qemu/vl.c:2716
     #9 0x55fef2fcbbd1 in main /home/elmarco/src/qemu/vl.c:4679
     #10 0x7ff89dfed009 in __libc_start_main (/lib64/libc.so.6+0x21009)
 Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
  hw/arm/boot.c | 1 +
 file changed, 1 insertion(+)
 diff --git a/hw/arm/boot.c b/hw/arm/boot.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/boot.c
+--- a/target/arm/translate-mve.c
-+++ b/hw/arm/boot.c
++++ b/target/arm/translate-mve.c
-@@ -XXX,XX +XXX,XX @@ static uint64_t arm_load_elf(struct arm_boot_info *info, uint64_t *pentry,
+@@ -XXX,XX +XXX,XX @@ static bool trans_VDUP(DisasContext *s, arg_VDUP *a)
+         return true;
      load_elf_hdr(info->kernel_filename, &elf_header, &elf_is64, &err);
      if (err) {
 +        error_free(err);
          return ret;
      }
+-    qd = mve_qreg_ptr(a->qd);
+     rt = load_reg(s, a->rt);
+-    tcg_gen_dup_i32(a->size, rt, rt);
+-    gen_helper_mve_vdup(cpu_env, qd, rt);
+-    tcg_temp_free_ptr(qd);
++    if (mve_no_predication(s)) {
++        tcg_gen_gvec_dup_i32(a->size, mve_qreg_offset(a->qd), 16, 16, rt);
++    } else {
++        qd = mve_qreg_ptr(a->qd);
++        tcg_gen_dup_i32(a->size, rt, rt);
++        gen_helper_mve_vdup(cpu_env, qd, rt);
++        tcg_temp_free_ptr(qd);
++    }
+     tcg_temp_free_i32(rt);
+     mve_update_eci(s);
+     return true;
 --
-.16.2
+.20.1

-[Qemu-devel] [PULL 02/25] hw/arm: Set the core count for Xilinx's ZynqMP
+[PULL 23/27] target/arm: Optimize MVE VMVN
-From: Alistair Francis <alistair.francis@xilinx.com>
+Optimize the MVE VMVN insn by using TCG vector ops when possible.
-Set the ARM CPU core count property for the A53's attached to the Xilnx
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-ZynqMP machine.
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20210913095440.13462-9-peter.maydell@linaro.org
 ---
  target/arm/translate-mve.c | 2 +-
 file changed, 1 insertion(+), 1 deletion(-)
-Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
+diff --git a/target/arm/translate-mve.c b/target/arm/translate-mve.c
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Message-id: fe0dd90b85ac73f9fc9548c253bededa70a07006.1520018138.git.alistair.francis@xilinx.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
  hw/arm/xlnx-zynqmp.c | 2 ++
 file changed, 2 insertions(+)
 diff --git a/hw/arm/xlnx-zynqmp.c b/hw/arm/xlnx-zynqmp.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/xlnx-zynqmp.c
+--- a/target/arm/translate-mve.c
-+++ b/hw/arm/xlnx-zynqmp.c
++++ b/target/arm/translate-mve.c
-@@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_realize(DeviceState *dev, Error **errp)
+@@ -XXX,XX +XXX,XX @@ static bool trans_VREV64(DisasContext *s, arg_1op *a)
-                                  s->virt, "has_el2", NULL);
-         object_property_set_int(OBJECT(&s->apu_cpu[i]), GIC_BASE_ADDR,
+ static bool trans_VMVN(DisasContext *s, arg_1op *a)
-                                 "reset-cbar", &error_abort);
+ {
-+        object_property_set_int(OBJECT(&s->apu_cpu[i]), num_apus,
+-    return do_1op(s, a, gen_helper_mve_vmvn);
-+                                "core-count", &error_abort);
++    return do_1op_vec(s, a, gen_helper_mve_vmvn, tcg_gen_gvec_not);
-         object_property_set_bool(OBJECT(&s->apu_cpu[i]), true, "realized",
+ }
-                                  &err);
-         if (err) {
+ static bool trans_VABS_fp(DisasContext *s, arg_1op *a)
 --
-.16.2
+.20.1

-[Qemu-devel] [PULL 05/25] Implement support for i.MX7 Sabre board
+[PULL 24/27] target/arm: Optimize MVE VSHL, VSHR immediate forms
-From: Andrey Smirnov <andrew.smirnov@gmail.com>
+Optimize the MVE VSHL and VSHR immediate forms by using TCG vector
 ops when possible.
-Implement code needed to set up emulation of MCIMX7SABRE board from
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-NXP. For more info about the HW see:
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20210913095440.13462-10-peter.maydell@linaro.org
 ---
  target/arm/translate-mve.c | 83 +++++++++++++++++++++++++++++---------
 file changed, 63 insertions(+), 20 deletions(-)
-https://www.nxp.com/support/developer-resources/hardware-development-tools/sabre-development-system/sabre-board-for-smart-devices-based-on-the-i.mx-7dual-applications-processors:MCIMX7SABRE
+diff --git a/target/arm/translate-mve.c b/target/arm/translate-mve.c
 Cc: Peter Maydell <peter.maydell@linaro.org>
 Cc: Jason Wang <jasowang@redhat.com>
 Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Cc: Marcel Apfelbaum <marcel.apfelbaum@zoho.com>
 Cc: Michael S. Tsirkin <mst@redhat.com>
 Cc: qemu-devel@nongnu.org
 Cc: qemu-arm@nongnu.org
 Cc: yurovsky@gmail.com
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
  hw/arm/Makefile.objs   |  2 +-
  hw/arm/mcimx7d-sabre.c | 90 ++++++++++++++++++++++++++++++++++++++++++++++++++
 files changed, 91 insertions(+), 1 deletion(-)
  create mode 100644 hw/arm/mcimx7d-sabre.c
 diff --git a/hw/arm/Makefile.objs b/hw/arm/Makefile.objs
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/Makefile.objs
+--- a/target/arm/translate-mve.c
-+++ b/hw/arm/Makefile.objs
++++ b/target/arm/translate-mve.c
-@@ -XXX,XX +XXX,XX @@ obj-$(CONFIG_MPS2) += mps2.o
+@@ -XXX,XX +XXX,XX @@ static bool trans_Vimm_1r(DisasContext *s, arg_1imm *a)
- obj-$(CONFIG_MPS2) += mps2-tz.o
+     return do_1imm(s, a, fn);
- obj-$(CONFIG_MSF2) += msf2-soc.o msf2-som.o
+ }
- obj-$(CONFIG_IOTKIT) += iotkit.o
--obj-$(CONFIG_FSL_IMX7) += fsl-imx7.o
+-static bool do_2shift(DisasContext *s, arg_2shift *a, MVEGenTwoOpShiftFn fn,
-+obj-$(CONFIG_FSL_IMX7) += fsl-imx7.o mcimx7d-sabre.o
+-                      bool negateshift)
-diff --git a/hw/arm/mcimx7d-sabre.c b/hw/arm/mcimx7d-sabre.c
++static bool do_2shift_vec(DisasContext *s, arg_2shift *a, MVEGenTwoOpShiftFn fn,
-new file mode 100644
++                          bool negateshift, GVecGen2iFn vecfn)
-index XXXXXXX..XXXXXXX
+ {
---- /dev/null
+     TCGv_ptr qd, qm;
-+++ b/hw/arm/mcimx7d-sabre.c
+     int shift = a->shift;
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ static bool do_2shift(DisasContext *s, arg_2shift *a, MVEGenTwoOpShiftFn fn,
-+/*
+         shift = -shift;
-+ * Copyright (c) 2018, Impinj, Inc.
+     }
-+ *
-+ * MCIMX7D_SABRE Board System emulation.
+-    qd = mve_qreg_ptr(a->qd);
-+ *
+-    qm = mve_qreg_ptr(a->qm);
-+ * Author: Andrey Smirnov <andrew.smirnov@gmail.com>
+-    fn(cpu_env, qd, qm, tcg_constant_i32(shift));
-+ *
+-    tcg_temp_free_ptr(qd);
-+ * This code is licensed under the GPL, version 2 or later.
+-    tcg_temp_free_ptr(qm);
-+ * See the file `COPYING' in the top level directory.
++    if (vecfn && mve_no_predication(s)) {
-+ *
++        vecfn(a->size, mve_qreg_offset(a->qd), mve_qreg_offset(a->qm),
-+ * It (partially) emulates a mcimx7d_sabre board, with a Freescale
++              shift, 16, 16);
-+ * i.MX7 SoC
++    } else {
-+ */
++        qd = mve_qreg_ptr(a->qd);
 +        qm = mve_qreg_ptr(a->qm);
 +        fn(cpu_env, qd, qm, tcg_constant_i32(shift));
 +        tcg_temp_free_ptr(qd);
 +        tcg_temp_free_ptr(qm);
 +    }
      mve_update_eci(s);
      return true;
  }
 -#define DO_2SHIFT(INSN, FN, NEGATESHIFT)                         \
 -    static bool trans_##INSN(DisasContext *s, arg_2shift *a)    \
 -    {                                                           \
 -        static MVEGenTwoOpShiftFn * const fns[] = {             \
 -            gen_helper_mve_##FN##b,                             \
 -            gen_helper_mve_##FN##h,                             \
 -            gen_helper_mve_##FN##w,                             \
 -            NULL,                                               \
 -        };                                                      \
 -        return do_2shift(s, a, fns[a->size], NEGATESHIFT);      \
 +static bool do_2shift(DisasContext *s, arg_2shift *a, MVEGenTwoOpShiftFn fn,
 +                      bool negateshift)
 +{
 +    return do_2shift_vec(s, a, fn, negateshift, NULL);
 +}
 +
-+#include "qemu/osdep.h"
++#define DO_2SHIFT_VEC(INSN, FN, NEGATESHIFT, VECFN)                     \
-+#include "qapi/error.h"
++    static bool trans_##INSN(DisasContext *s, arg_2shift *a)            \
-+#include "qemu-common.h"
++    {                                                                   \
-+#include "hw/arm/fsl-imx7.h"
++        static MVEGenTwoOpShiftFn * const fns[] = {                     \
-+#include "hw/boards.h"
++            gen_helper_mve_##FN##b,                                     \
-+#include "sysemu/sysemu.h"
++            gen_helper_mve_##FN##h,                                     \
-+#include "sysemu/device_tree.h"
++            gen_helper_mve_##FN##w,                                     \
-+#include "qemu/error-report.h"
++            NULL,                                                       \
-+#include "sysemu/qtest.h"
++        };                                                              \
-+#include "net/net.h"
++        return do_2shift_vec(s, a, fns[a->size], NEGATESHIFT, VECFN);   \
      }
 -DO_2SHIFT(VSHLI, vshli_u, false)
 +#define DO_2SHIFT(INSN, FN, NEGATESHIFT)        \
 +    DO_2SHIFT_VEC(INSN, FN, NEGATESHIFT, NULL)
 +
-+typedef struct {
++static void do_gvec_shri_s(unsigned vece, uint32_t dofs, uint32_t aofs,
-+    FslIMX7State soc;
++                           int64_t shift, uint32_t oprsz, uint32_t maxsz)
-+    MemoryRegion ram;
++{
-+} MCIMX7Sabre;
++    /*
 +     * We get here with a negated shift count, and we must handle
 +     * shifts by the element size, which tcg_gen_gvec_sari() does not do.
 +     */
 +    shift = -shift;
 +    if (shift == (8 << vece)) {
 +        shift--;
 +    }
 +    tcg_gen_gvec_sari(vece, dofs, aofs, shift, oprsz, maxsz);
 +}
 +
-+static void mcimx7d_sabre_init(MachineState *machine)
++static void do_gvec_shri_u(unsigned vece, uint32_t dofs, uint32_t aofs,
 +                           int64_t shift, uint32_t oprsz, uint32_t maxsz)
 +{
-+    static struct arm_boot_info boot_info;
++    /*
-+    MCIMX7Sabre *s = g_new0(MCIMX7Sabre, 1);
++     * We get here with a negated shift count, and we must handle
-+    Object *soc;
++     * shifts by the element size, which tcg_gen_gvec_shri() does not do.
-+    int i;
++     */
-+
++    shift = -shift;
-+    if (machine->ram_size > FSL_IMX7_MMDC_SIZE) {
++    if (shift == (8 << vece)) {
-+        error_report("RAM size " RAM_ADDR_FMT " above max supported (%08x)",
++        tcg_gen_gvec_dup_imm(vece, dofs, oprsz, maxsz, 0);
-+                     machine->ram_size, FSL_IMX7_MMDC_SIZE);
++    } else {
-+        exit(1);
++        tcg_gen_gvec_shri(vece, dofs, aofs, shift, oprsz, maxsz);
 +    }
 +
 +    boot_info = (struct arm_boot_info) {
 +        .loader_start = FSL_IMX7_MMDC_ADDR,
 +        .board_id = -1,
 +        .ram_size = machine->ram_size,
 +        .kernel_filename = machine->kernel_filename,
 +        .kernel_cmdline = machine->kernel_cmdline,
 +        .initrd_filename = machine->initrd_filename,
 +        .nb_cpus = smp_cpus,
 +    };
 +
 +    object_initialize(&s->soc, sizeof(s->soc), TYPE_FSL_IMX7);
 +    soc = OBJECT(&s->soc);
 +    object_property_add_child(OBJECT(machine), "soc", soc, &error_fatal);
 +    object_property_set_bool(soc, true, "realized", &error_fatal);
 +
 +    memory_region_allocate_system_memory(&s->ram, NULL, "mcimx7d-sabre.ram",
 +                                         machine->ram_size);
 +    memory_region_add_subregion(get_system_memory(),
 +                                FSL_IMX7_MMDC_ADDR, &s->ram);
 +
 +    for (i = 0; i < FSL_IMX7_NUM_USDHCS; i++) {
 +        BusState *bus;
 +        DeviceState *carddev;
 +        DriveInfo *di;
 +        BlockBackend *blk;
 +
 +        di = drive_get_next(IF_SD);
 +        blk = di ? blk_by_legacy_dinfo(di) : NULL;
 +        bus = qdev_get_child_bus(DEVICE(&s->soc.usdhc[i]), "sd-bus");
 +        carddev = qdev_create(bus, TYPE_SD_CARD);
 +        qdev_prop_set_drive(carddev, "drive", blk, &error_fatal);
 +        object_property_set_bool(OBJECT(carddev), true,
 +                                 "realized", &error_fatal);
 +    }
 +
 +    if (!qtest_enabled()) {
 +        arm_load_kernel(&s->soc.cpu[0], &boot_info);
 +    }
 +}
 +
-+static void mcimx7d_sabre_machine_init(MachineClass *mc)
++DO_2SHIFT_VEC(VSHLI, vshli_u, false, tcg_gen_gvec_shli)
-+{
+ DO_2SHIFT(VQSHLI_S, vqshli_s, false)
-+    mc->desc = "Freescale i.MX7 DUAL SABRE (Cortex A7)";
+ DO_2SHIFT(VQSHLI_U, vqshli_u, false)
-+    mc->init = mcimx7d_sabre_init;
+ DO_2SHIFT(VQSHLUI, vqshlui_s, false)
-+    mc->max_cpus = FSL_IMX7_NUM_CPUS;
+ /* These right shifts use a left-shift helper with negated shift count */
-+}
+-DO_2SHIFT(VSHRI_S, vshli_s, true)
-+DEFINE_MACHINE("mcimx7d-sabre", mcimx7d_sabre_machine_init)
+-DO_2SHIFT(VSHRI_U, vshli_u, true)
 +DO_2SHIFT_VEC(VSHRI_S, vshli_s, true, do_gvec_shri_s)
 +DO_2SHIFT_VEC(VSHRI_U, vshli_u, true, do_gvec_shri_u)
  DO_2SHIFT(VRSHRI_S, vrshli_s, true)
  DO_2SHIFT(VRSHRI_U, vrshli_u, true)
 --
-.16.2
+.20.1

-[Qemu-devel] [PULL 03/25] pci: Add support for Designware IP block
+[PULL 25/27] target/arm: Optimize MVE VSHLL and VMOVL
-From: Andrey Smirnov <andrew.smirnov@gmail.com>
+Optimize the MVE VSHLL insns by using TCG vector ops when possible.
 This includes the VMOVL insn, which we handle in mve.decode as "VSHLL
 with zero shift count".
-Add code needed to get a functional PCI subsytem when using in
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-conjunction with upstream Linux guest (4.13+). Tested to work against
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-"e1000e" (network adapter, using MSI interrupts) as well as
+Message-id: 20210913095440.13462-11-peter.maydell@linaro.org
-"usb-ehci" (USB controller, using legacy PCI interrupts).
+---
  target/arm/translate-mve.c | 67 +++++++++++++++++++++++++++++++++-----
 file changed, 59 insertions(+), 8 deletions(-)
-Based on "i.MX6 Applications Processor Reference Manual" (Document
+diff --git a/target/arm/translate-mve.c b/target/arm/translate-mve.c
 Number: IMX6DQRM Rev. 4) as well as corresponding dirver in Linux
 kernel (circa 4.13 - 4.16 found in drivers/pci/dwc/*)
 Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
  hw/pci-host/Makefile.objs        |   2 +
  include/hw/pci-host/designware.h | 102 ++++++
  include/hw/pci/pci_ids.h         |   2 +
  hw/pci-host/designware.c         | 754 +++++++++++++++++++++++++++++++++++++++
  default-configs/arm-softmmu.mak  |   1 +
 files changed, 861 insertions(+)
  create mode 100644 include/hw/pci-host/designware.h
  create mode 100644 hw/pci-host/designware.c
 diff --git a/hw/pci-host/Makefile.objs b/hw/pci-host/Makefile.objs
 index XXXXXXX..XXXXXXX 100644
---- a/hw/pci-host/Makefile.objs
+--- a/target/arm/translate-mve.c
-+++ b/hw/pci-host/Makefile.objs
++++ b/target/arm/translate-mve.c
-@@ -XXX,XX +XXX,XX @@ common-obj-$(CONFIG_PCI_PIIX) += piix.o
+@@ -XXX,XX +XXX,XX @@ DO_2SHIFT_SCALAR(VQSHL_U_scalar, vqshli_u)
- common-obj-$(CONFIG_PCI_Q35) += q35.o
+ DO_2SHIFT_SCALAR(VQRSHL_S_scalar, vqrshli_s)
- common-obj-$(CONFIG_PCI_GENERIC) += gpex.o
+ DO_2SHIFT_SCALAR(VQRSHL_U_scalar, vqrshli_u)
- common-obj-$(CONFIG_PCI_XILINX) += xilinx-pcie.o
-+
+-#define DO_VSHLL(INSN, FN)                                      \
-+common-obj-$(CONFIG_PCI_DESIGNWARE) += designware.o
+-    static bool trans_##INSN(DisasContext *s, arg_2shift *a)    \
-diff --git a/include/hw/pci-host/designware.h b/include/hw/pci-host/designware.h
+-    {                                                           \
-new file mode 100644
+-        static MVEGenTwoOpShiftFn * const fns[] = {             \
-index XXXXXXX..XXXXXXX
+-            gen_helper_mve_##FN##b,                             \
---- /dev/null
+-            gen_helper_mve_##FN##h,                             \
-+++ b/include/hw/pci-host/designware.h
+-        };                                                      \
-@@ -XXX,XX +XXX,XX @@
+-        return do_2shift(s, a, fns[a->size], false);            \
 +#define DO_VSHLL(INSN, FN)                                              \
 +    static bool trans_##INSN(DisasContext *s, arg_2shift *a)            \
 +    {                                                                   \
 +        static MVEGenTwoOpShiftFn * const fns[] = {                     \
 +            gen_helper_mve_##FN##b,                                     \
 +            gen_helper_mve_##FN##h,                                     \
 +        };                                                              \
 +        return do_2shift_vec(s, a, fns[a->size], false, do_gvec_##FN);  \
      }
 +/*
-+ * Copyright (c) 2017, Impinj, Inc.
++ * For the VSHLL vector helpers, the vece is the size of the input
-+ *
++ * (ie MO_8 or MO_16); the helpers want to work in the output size.
-+ * Designware PCIe IP block emulation
++ * The shift count can be 0..<input size>, inclusive. (0 is VMOVL.)
 + *
 + * This library is free software; you can redistribute it and/or
 + * modify it under the terms of the GNU Lesser General Public
 + * License as published by the Free Software Foundation; either
 + * version 2 of the License, or (at your option) any later version.
 + *
 + * This library is distributed in the hope that it will be useful,
 + * but WITHOUT ANY WARRANTY; without even the implied warranty of
 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 + * Lesser General Public License for more details.
 + *
 + * You should have received a copy of the GNU Lesser General Public
 + * License along with this library; if not, see
 + * <http://www.gnu.org/licenses/>.
 + */
-+
++static void do_gvec_vshllbs(unsigned vece, uint32_t dofs, uint32_t aofs,
-+#ifndef DESIGNWARE_H
++                            int64_t shift, uint32_t oprsz, uint32_t maxsz)
 +#define DESIGNWARE_H
 +
 +#include "hw/hw.h"
 +#include "hw/sysbus.h"
 +#include "hw/pci/pci.h"
 +#include "hw/pci/pci_bus.h"
 +#include "hw/pci/pcie_host.h"
 +#include "hw/pci/pci_bridge.h"
 +
 +#define TYPE_DESIGNWARE_PCIE_HOST "designware-pcie-host"
 +#define DESIGNWARE_PCIE_HOST(obj) \
 +     OBJECT_CHECK(DesignwarePCIEHost, (obj), TYPE_DESIGNWARE_PCIE_HOST)
 +
 +#define TYPE_DESIGNWARE_PCIE_ROOT "designware-pcie-root"
 +#define DESIGNWARE_PCIE_ROOT(obj) \
 +     OBJECT_CHECK(DesignwarePCIERoot, (obj), TYPE_DESIGNWARE_PCIE_ROOT)
 +
 +struct DesignwarePCIERoot;
 +typedef struct DesignwarePCIERoot DesignwarePCIERoot;
 +
 +typedef struct DesignwarePCIEViewport {
 +    DesignwarePCIERoot *root;
 +
 +    MemoryRegion cfg;
 +    MemoryRegion mem;
 +
 +    uint64_t base;
 +    uint64_t target;
 +    uint32_t limit;
 +    uint32_t cr[2];
 +
 +    bool inbound;
 +} DesignwarePCIEViewport;
 +
 +typedef struct DesignwarePCIEMSIBank {
 +    uint32_t enable;
 +    uint32_t mask;
 +    uint32_t status;
 +} DesignwarePCIEMSIBank;
 +
 +typedef struct DesignwarePCIEMSI {
 +    uint64_t     base;
 +    MemoryRegion iomem;
 +
 +#define DESIGNWARE_PCIE_NUM_MSI_BANKS        1
 +
 +    DesignwarePCIEMSIBank intr[DESIGNWARE_PCIE_NUM_MSI_BANKS];
 +} DesignwarePCIEMSI;
 +
 +struct DesignwarePCIERoot {
 +    PCIBridge parent_obj;
 +
 +    uint32_t atu_viewport;
 +
 +#define DESIGNWARE_PCIE_VIEWPORT_OUTBOUND    0
 +#define DESIGNWARE_PCIE_VIEWPORT_INBOUND     1
 +#define DESIGNWARE_PCIE_NUM_VIEWPORTS        4
 +
 +    DesignwarePCIEViewport viewports[2][DESIGNWARE_PCIE_NUM_VIEWPORTS];
 +    DesignwarePCIEMSI msi;
 +};
 +
 +typedef struct DesignwarePCIEHost {
 +    PCIHostState parent_obj;
 +
 +    DesignwarePCIERoot root;
 +
 +    struct {
 +        AddressSpace address_space;
 +        MemoryRegion address_space_root;
 +
 +        MemoryRegion memory;
 +        MemoryRegion io;
 +
 +        qemu_irq     irqs[4];
 +    } pci;
 +
 +    MemoryRegion mmio;
 +} DesignwarePCIEHost;
 +
 +#endif  /* DESIGNWARE_H */
 diff --git a/include/hw/pci/pci_ids.h b/include/hw/pci/pci_ids.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/hw/pci/pci_ids.h
 +++ b/include/hw/pci/pci_ids.h
@@ -XXX,XX +XXX,XX @@
  #define PCI_VENDOR_ID_VMWARE             0x15ad
  #define PCI_DEVICE_ID_VMWARE_PVRDMA      0x0820
 +#define PCI_VENDOR_ID_SYNOPSYS           0x16C3
 +
  #endif
 diff --git a/hw/pci-host/designware.c b/hw/pci-host/designware.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/hw/pci-host/designware.c
@@ -XXX,XX +XXX,XX @@
 +/*
 + * Copyright (c) 2018, Impinj, Inc.
 + *
 + * Designware PCIe IP block emulation
 + *
 + * This library is free software; you can redistribute it and/or
 + * modify it under the terms of the GNU Lesser General Public
 + * License as published by the Free Software Foundation; either
 + * version 2 of the License, or (at your option) any later version.
 + *
 + * This library is distributed in the hope that it will be useful,
 + * but WITHOUT ANY WARRANTY; without even the implied warranty of
 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 + * Lesser General Public License for more details.
 + *
 + * You should have received a copy of the GNU Lesser General Public
 + * License along with this library; if not, see
 + * <http://www.gnu.org/licenses/>.
 + */
 +
 +#include "qemu/osdep.h"
 +#include "qapi/error.h"
 +#include "hw/pci/msi.h"
 +#include "hw/pci/pci_bridge.h"
 +#include "hw/pci/pci_host.h"
 +#include "hw/pci/pcie_port.h"
 +#include "hw/pci-host/designware.h"
 +
 +#define DESIGNWARE_PCIE_PORT_LINK_CONTROL          0x710
 +#define DESIGNWARE_PCIE_PHY_DEBUG_R1               0x72C
 +#define DESIGNWARE_PCIE_PHY_DEBUG_R1_XMLH_LINK_UP  BIT(4)
 +#define DESIGNWARE_PCIE_LINK_WIDTH_SPEED_CONTROL   0x80C
 +#define DESIGNWARE_PCIE_PORT_LOGIC_SPEED_CHANGE    BIT(17)
 +#define DESIGNWARE_PCIE_MSI_ADDR_LO                0x820
 +#define DESIGNWARE_PCIE_MSI_ADDR_HI                0x824
 +#define DESIGNWARE_PCIE_MSI_INTR0_ENABLE           0x828
 +#define DESIGNWARE_PCIE_MSI_INTR0_MASK             0x82C
 +#define DESIGNWARE_PCIE_MSI_INTR0_STATUS           0x830
 +#define DESIGNWARE_PCIE_ATU_VIEWPORT               0x900
 +#define DESIGNWARE_PCIE_ATU_REGION_INBOUND         BIT(31)
 +#define DESIGNWARE_PCIE_ATU_CR1                    0x904
 +#define DESIGNWARE_PCIE_ATU_TYPE_MEM               (0x0 << 0)
 +#define DESIGNWARE_PCIE_ATU_CR2                    0x908
 +#define DESIGNWARE_PCIE_ATU_ENABLE                 BIT(31)
 +#define DESIGNWARE_PCIE_ATU_LOWER_BASE             0x90C
 +#define DESIGNWARE_PCIE_ATU_UPPER_BASE             0x910
 +#define DESIGNWARE_PCIE_ATU_LIMIT                  0x914
 +#define DESIGNWARE_PCIE_ATU_LOWER_TARGET           0x918
 +#define DESIGNWARE_PCIE_ATU_BUS(x)                 (((x) >> 24) & 0xff)
 +#define DESIGNWARE_PCIE_ATU_DEVFN(x)               (((x) >> 16) & 0xff)
 +#define DESIGNWARE_PCIE_ATU_UPPER_TARGET           0x91C
 +
 +static DesignwarePCIEHost *
 +designware_pcie_root_to_host(DesignwarePCIERoot *root)
 +{
-+    BusState *bus = qdev_get_parent_bus(DEVICE(root));
++    unsigned ovece = vece + 1;
-+    return DESIGNWARE_PCIE_HOST(bus->parent);
++    unsigned ibits = vece == MO_8 ? 8 : 16;
 +    tcg_gen_gvec_shli(ovece, dofs, aofs, ibits, oprsz, maxsz);
 +    tcg_gen_gvec_sari(ovece, dofs, dofs, ibits - shift, oprsz, maxsz);
 +}
 +
-+static void designware_pcie_root_msi_write(void *opaque, hwaddr addr,
++static void do_gvec_vshllbu(unsigned vece, uint32_t dofs, uint32_t aofs,
-+                                           uint64_t val, unsigned len)
++                            int64_t shift, uint32_t oprsz, uint32_t maxsz)
 +{
-+    DesignwarePCIERoot *root = DESIGNWARE_PCIE_ROOT(opaque);
++    unsigned ovece = vece + 1;
-+    DesignwarePCIEHost *host = designware_pcie_root_to_host(root);
++    tcg_gen_gvec_andi(ovece, dofs, aofs,
 +                      ovece == MO_16 ? 0xff : 0xffff, oprsz, maxsz);
 +    tcg_gen_gvec_shli(ovece, dofs, dofs, shift, oprsz, maxsz);
 +}
 +
-+    root->msi.intr[0].status |= BIT(val) & root->msi.intr[0].enable;
++static void do_gvec_vshllts(unsigned vece, uint32_t dofs, uint32_t aofs,
-+
++                            int64_t shift, uint32_t oprsz, uint32_t maxsz)
-+    if (root->msi.intr[0].status & ~root->msi.intr[0].mask) {
++{
-+        qemu_set_irq(host->pci.irqs[0], 1);
++    unsigned ovece = vece + 1;
 +    unsigned ibits = vece == MO_8 ? 8 : 16;
 +    if (shift == 0) {
 +        tcg_gen_gvec_sari(ovece, dofs, aofs, ibits, oprsz, maxsz);
 +    } else {
 +        tcg_gen_gvec_andi(ovece, dofs, aofs,
 +                          ovece == MO_16 ? 0xff00 : 0xffff0000, oprsz, maxsz);
 +        tcg_gen_gvec_sari(ovece, dofs, dofs, ibits - shift, oprsz, maxsz);
 +    }
 +}
 +
-+static const MemoryRegionOps designware_pci_host_msi_ops = {
++static void do_gvec_vshlltu(unsigned vece, uint32_t dofs, uint32_t aofs,
-+    .write = designware_pcie_root_msi_write,
++                            int64_t shift, uint32_t oprsz, uint32_t maxsz)
 +    .endianness = DEVICE_LITTLE_ENDIAN,
 +    .valid = {
 +        .min_access_size = 4,
 +        .max_access_size = 4,
 +    },
 +};
 +
 +static void designware_pcie_root_update_msi_mapping(DesignwarePCIERoot *root)
 +
 +{
-+    MemoryRegion *mem   = &root->msi.iomem;
++    unsigned ovece = vece + 1;
-+    const uint64_t base = root->msi.base;
++    unsigned ibits = vece == MO_8 ? 8 : 16;
-+    const bool enable   = root->msi.intr[0].enable;
++    if (shift == 0) {
-+
++        tcg_gen_gvec_shri(ovece, dofs, aofs, ibits, oprsz, maxsz);
 +    memory_region_set_address(mem, base);
 +    memory_region_set_enabled(mem, enable);
 +}
 +
 +static DesignwarePCIEViewport *
 +designware_pcie_root_get_current_viewport(DesignwarePCIERoot *root)
 +{
 +    const unsigned int idx = root->atu_viewport & 0xF;
 +    const unsigned int dir =
 +        !!(root->atu_viewport & DESIGNWARE_PCIE_ATU_REGION_INBOUND);
 +    return &root->viewports[dir][idx];
 +}
 +
 +static uint32_t
 +designware_pcie_root_config_read(PCIDevice *d, uint32_t address, int len)
 +{
 +    DesignwarePCIERoot *root = DESIGNWARE_PCIE_ROOT(d);
 +    DesignwarePCIEViewport *viewport =
 +        designware_pcie_root_get_current_viewport(root);
 +
 +    uint32_t val;
 +
 +    switch (address) {
 +    case DESIGNWARE_PCIE_PORT_LINK_CONTROL:
 +        /*
 +         * Linux guest uses this register only to configure number of
 +         * PCIE lane (which in our case is irrelevant) and doesn't
 +         * really care about the value it reads from this register
 +         */
 +        val = 0xDEADBEEF;
 +        break;
 +
 +    case DESIGNWARE_PCIE_LINK_WIDTH_SPEED_CONTROL:
 +        /*
 +         * To make sure that any code in guest waiting for speed
 +         * change does not time out we always report
 +         * PORT_LOGIC_SPEED_CHANGE as set
 +         */
 +        val = DESIGNWARE_PCIE_PORT_LOGIC_SPEED_CHANGE;
 +        break;
 +
 +    case DESIGNWARE_PCIE_MSI_ADDR_LO:
 +        val = root->msi.base;
 +        break;
 +
 +    case DESIGNWARE_PCIE_MSI_ADDR_HI:
 +        val = root->msi.base >> 32;
 +        break;
 +
 +    case DESIGNWARE_PCIE_MSI_INTR0_ENABLE:
 +        val = root->msi.intr[0].enable;
 +        break;
 +
 +    case DESIGNWARE_PCIE_MSI_INTR0_MASK:
 +        val = root->msi.intr[0].mask;
 +        break;
 +
 +    case DESIGNWARE_PCIE_MSI_INTR0_STATUS:
 +        val = root->msi.intr[0].status;
 +        break;
 +
 +    case DESIGNWARE_PCIE_PHY_DEBUG_R1:
 +        val = DESIGNWARE_PCIE_PHY_DEBUG_R1_XMLH_LINK_UP;
 +        break;
 +
 +    case DESIGNWARE_PCIE_ATU_VIEWPORT:
 +        val = root->atu_viewport;
 +        break;
 +
 +    case DESIGNWARE_PCIE_ATU_LOWER_BASE:
 +        val = viewport->base;
 +        break;
 +
 +    case DESIGNWARE_PCIE_ATU_UPPER_BASE:
 +        val = viewport->base >> 32;
 +        break;
 +
 +    case DESIGNWARE_PCIE_ATU_LOWER_TARGET:
 +        val = viewport->target;
 +        break;
 +
 +    case DESIGNWARE_PCIE_ATU_UPPER_TARGET:
 +        val = viewport->target >> 32;
 +        break;
 +
 +    case DESIGNWARE_PCIE_ATU_LIMIT:
 +        val = viewport->limit;
 +        break;
 +
 +    case DESIGNWARE_PCIE_ATU_CR1:
 +    case DESIGNWARE_PCIE_ATU_CR2:          /* FALLTHROUGH */
 +        val = viewport->cr[(address - DESIGNWARE_PCIE_ATU_CR1) /
 +                           sizeof(uint32_t)];
 +        break;
 +
 +    default:
 +        val = pci_default_read_config(d, address, len);
 +        break;
 +    }
 +
 +    return val;
 +}
 +
 +static uint64_t designware_pcie_root_data_access(void *opaque, hwaddr addr,
 +                                                 uint64_t *val, unsigned len)
 +{
 +    DesignwarePCIEViewport *viewport = opaque;
 +    DesignwarePCIERoot *root = viewport->root;
 +
 +    const uint8_t busnum = DESIGNWARE_PCIE_ATU_BUS(viewport->target);
 +    const uint8_t devfn  = DESIGNWARE_PCIE_ATU_DEVFN(viewport->target);
 +    PCIBus    *pcibus    = pci_get_bus(PCI_DEVICE(root));
 +    PCIDevice *pcidev    = pci_find_device(pcibus, busnum, devfn);
 +
 +    if (pcidev) {
 +        addr &= pci_config_size(pcidev) - 1;
 +
 +        if (val) {
 +            pci_host_config_write_common(pcidev, addr,
 +                                         pci_config_size(pcidev),
 +                                         *val, len);
 +        } else {
 +            return pci_host_config_read_common(pcidev, addr,
 +                                               pci_config_size(pcidev),
 +                                               len);
 +        }
 +    }
 +
 +    return UINT64_MAX;
 +}
 +
 +static uint64_t designware_pcie_root_data_read(void *opaque, hwaddr addr,
 +                                               unsigned len)
 +{
 +    return designware_pcie_root_data_access(opaque, addr, NULL, len);
 +}
 +
 +static void designware_pcie_root_data_write(void *opaque, hwaddr addr,
 +                                            uint64_t val, unsigned len)
 +{
 +    designware_pcie_root_data_access(opaque, addr, &val, len);
 +}
 +
 +static const MemoryRegionOps designware_pci_host_conf_ops = {
 +    .read = designware_pcie_root_data_read,
 +    .write = designware_pcie_root_data_write,
 +    .endianness = DEVICE_LITTLE_ENDIAN,
 +    .valid = {
 +        .min_access_size = 1,
 +        .max_access_size = 4,
 +    },
 +};
 +
 +static void designware_pcie_update_viewport(DesignwarePCIERoot *root,
 +                                            DesignwarePCIEViewport *viewport)
 +{
 +    const uint64_t target = viewport->target;
 +    const uint64_t base   = viewport->base;
 +    const uint64_t size   = (uint64_t)viewport->limit - base + 1;
 +    const bool enabled    = viewport->cr[1] & DESIGNWARE_PCIE_ATU_ENABLE;
 +
 +    MemoryRegion *current, *other;
 +
 +    if (viewport->cr[0] == DESIGNWARE_PCIE_ATU_TYPE_MEM) {
 +        current = &viewport->mem;
 +        other   = &viewport->cfg;
 +        memory_region_set_alias_offset(current, target);
 +    } else {
-+        current = &viewport->cfg;
++        tcg_gen_gvec_andi(ovece, dofs, aofs,
-+        other   = &viewport->mem;
++                          ovece == MO_16 ? 0xff00 : 0xffff0000, oprsz, maxsz);
-+    }
++        tcg_gen_gvec_shri(ovece, dofs, dofs, ibits - shift, oprsz, maxsz);
 +
 +    /*
 +     * An outbound viewport can be reconfigure from being MEM to CFG,
 +     * to account for that we disable the "other" memory region that
 +     * becomes unused due to that fact.
 +     */
 +    memory_region_set_enabled(other, false);
 +    if (enabled) {
 +        memory_region_set_size(current, size);
 +        memory_region_set_address(current, base);
 +    }
 +    memory_region_set_enabled(current, enabled);
 +}
 +
 +static void designware_pcie_root_config_write(PCIDevice *d, uint32_t address,
 +                                              uint32_t val, int len)
 +{
 +    DesignwarePCIERoot *root = DESIGNWARE_PCIE_ROOT(d);
 +    DesignwarePCIEHost *host = designware_pcie_root_to_host(root);
 +    DesignwarePCIEViewport *viewport =
 +        designware_pcie_root_get_current_viewport(root);
 +
 +    switch (address) {
 +    case DESIGNWARE_PCIE_PORT_LINK_CONTROL:
 +    case DESIGNWARE_PCIE_LINK_WIDTH_SPEED_CONTROL:
 +    case DESIGNWARE_PCIE_PHY_DEBUG_R1:
 +        /* No-op */
 +        break;
 +
 +    case DESIGNWARE_PCIE_MSI_ADDR_LO:
 +        root->msi.base &= 0xFFFFFFFF00000000ULL;
 +        root->msi.base |= val;
 +        break;
 +
 +    case DESIGNWARE_PCIE_MSI_ADDR_HI:
 +        root->msi.base &= 0x00000000FFFFFFFFULL;
 +        root->msi.base |= (uint64_t)val << 32;
 +        break;
 +
 +    case DESIGNWARE_PCIE_MSI_INTR0_ENABLE: {
 +        const bool update_msi_mapping = !root->msi.intr[0].enable ^ !!val;
 +
 +        root->msi.intr[0].enable = val;
 +
 +        if (update_msi_mapping) {
 +            designware_pcie_root_update_msi_mapping(root);
 +        }
 +        break;
 +    }
 +
 +    case DESIGNWARE_PCIE_MSI_INTR0_MASK:
 +        root->msi.intr[0].mask = val;
 +        break;
 +
 +    case DESIGNWARE_PCIE_MSI_INTR0_STATUS:
 +        root->msi.intr[0].status ^= val;
 +        if (!root->msi.intr[0].status) {
 +            qemu_set_irq(host->pci.irqs[0], 0);
 +        }
 +        break;
 +
 +    case DESIGNWARE_PCIE_ATU_VIEWPORT:
 +        root->atu_viewport = val;
 +        break;
 +
 +    case DESIGNWARE_PCIE_ATU_LOWER_BASE:
 +        viewport->base &= 0xFFFFFFFF00000000ULL;
 +        viewport->base |= val;
 +        break;
 +
 +    case DESIGNWARE_PCIE_ATU_UPPER_BASE:
 +        viewport->base &= 0x00000000FFFFFFFFULL;
 +        viewport->base |= (uint64_t)val << 32;
 +        break;
 +
 +    case DESIGNWARE_PCIE_ATU_LOWER_TARGET:
 +        viewport->target &= 0xFFFFFFFF00000000ULL;
 +        viewport->target |= val;
 +        break;
 +
 +    case DESIGNWARE_PCIE_ATU_UPPER_TARGET:
 +        viewport->target &= 0x00000000FFFFFFFFULL;
 +        viewport->target |= val;
 +        break;
 +
 +    case DESIGNWARE_PCIE_ATU_LIMIT:
 +        viewport->limit = val;
 +        break;
 +
 +    case DESIGNWARE_PCIE_ATU_CR1:
 +        viewport->cr[0] = val;
 +        break;
 +    case DESIGNWARE_PCIE_ATU_CR2:
 +        viewport->cr[1] = val;
 +        designware_pcie_update_viewport(root, viewport);
 +        break;
 +
 +    default:
 +        pci_bridge_write_config(d, address, val, len);
 +        break;
 +    }
 +}
 +
-+static char *designware_pcie_viewport_name(const char *direction,
+ DO_VSHLL(VSHLL_BS, vshllbs)
-+                                           unsigned int i,
+ DO_VSHLL(VSHLL_BU, vshllbu)
-+                                           const char *type)
+ DO_VSHLL(VSHLL_TS, vshllts)
 +{
 +    return g_strdup_printf("PCI %s Viewport %u [%s]",
 +                           direction, i, type);
 +}
 +
 +static void designware_pcie_root_realize(PCIDevice *dev, Error **errp)
 +{
 +    DesignwarePCIERoot *root = DESIGNWARE_PCIE_ROOT(dev);
 +    DesignwarePCIEHost *host = designware_pcie_root_to_host(root);
 +    MemoryRegion *address_space = &host->pci.memory;
 +    PCIBridge *br = PCI_BRIDGE(dev);
 +    DesignwarePCIEViewport *viewport;
 +    /*
 +     * Dummy values used for initial configuration of MemoryRegions
 +     * that belong to a given viewport
 +     */
 +    const hwaddr dummy_offset = 0;
 +    const uint64_t dummy_size = 4;
 +    size_t i;
 +
 +    br->bus_name  = "dw-pcie";
 +
 +    pci_set_word(dev->config + PCI_COMMAND,
 +                 PCI_COMMAND_MEMORY | PCI_COMMAND_MASTER);
 +
 +    pci_config_set_interrupt_pin(dev->config, 1);
 +    pci_bridge_initfn(dev, TYPE_PCIE_BUS);
 +
 +    pcie_port_init_reg(dev);
 +
 +    pcie_cap_init(dev, 0x70, PCI_EXP_TYPE_ROOT_PORT,
 +                  0, &error_fatal);
 +
 +    msi_nonbroken = true;
 +    msi_init(dev, 0x50, 32, true, true, &error_fatal);
 +
 +    for (i = 0; i < DESIGNWARE_PCIE_NUM_VIEWPORTS; i++) {
 +        MemoryRegion *source, *destination, *mem;
 +        const char *direction;
 +        char *name;
 +
 +        viewport = &root->viewports[DESIGNWARE_PCIE_VIEWPORT_INBOUND][i];
 +        viewport->inbound = true;
 +        viewport->base    = 0x0000000000000000ULL;
 +        viewport->target  = 0x0000000000000000ULL;
 +        viewport->limit   = UINT32_MAX;
 +        viewport->cr[0]   = DESIGNWARE_PCIE_ATU_TYPE_MEM;
 +
 +        source      = &host->pci.address_space_root;
 +        destination = get_system_memory();
 +        direction   = "Inbound";
 +
 +        /*
 +         * Configure MemoryRegion implementing PCI -> CPU memory
 +         * access
 +         */
 +        mem  = &viewport->mem;
 +        name = designware_pcie_viewport_name(direction, i, "MEM");
 +        memory_region_init_alias(mem, OBJECT(root), name, destination,
 +                                 dummy_offset, dummy_size);
 +        memory_region_add_subregion_overlap(source, dummy_offset, mem, -1);
 +        memory_region_set_enabled(mem, false);
 +        g_free(name);
 +
 +        viewport = &root->viewports[DESIGNWARE_PCIE_VIEWPORT_OUTBOUND][i];
 +        viewport->root    = root;
 +        viewport->inbound = false;
 +        viewport->base    = 0x0000000000000000ULL;
 +        viewport->target  = 0x0000000000000000ULL;
 +        viewport->limit   = UINT32_MAX;
 +        viewport->cr[0]   = DESIGNWARE_PCIE_ATU_TYPE_MEM;
 +
 +        destination = &host->pci.memory;
 +        direction   = "Outbound";
 +        source      = get_system_memory();
 +
 +        /*
 +         * Configure MemoryRegion implementing CPU -> PCI memory
 +         * access
 +         */
 +        mem  = &viewport->mem;
 +        name = designware_pcie_viewport_name(direction, i, "MEM");
 +        memory_region_init_alias(mem, OBJECT(root), name, destination,
 +                                 dummy_offset, dummy_size);
 +        memory_region_add_subregion(source, dummy_offset, mem);
 +        memory_region_set_enabled(mem, false);
 +        g_free(name);
 +
 +        /*
 +         * Configure MemoryRegion implementing access to configuration
 +         * space
 +         */
 +        mem  = &viewport->cfg;
 +        name = designware_pcie_viewport_name(direction, i, "CFG");
 +        memory_region_init_io(&viewport->cfg, OBJECT(root),
 +                              &designware_pci_host_conf_ops,
 +                              viewport, name, dummy_size);
 +        memory_region_add_subregion(source, dummy_offset, mem);
 +        memory_region_set_enabled(mem, false);
 +        g_free(name);
 +    }
 +
 +    /*
 +     * If no inbound iATU windows are configured, HW defaults to
 +     * letting inbound TLPs to pass in. We emulate that by exlicitly
 +     * configuring first inbound window to cover all of target's
 +     * address space.
 +     *
 +     * NOTE: This will not work correctly for the case when first
 +     * configured inbound window is window 0
 +     */
 +    viewport = &root->viewports[DESIGNWARE_PCIE_VIEWPORT_INBOUND][0];
 +    viewport->cr[1] = DESIGNWARE_PCIE_ATU_ENABLE;
 +    designware_pcie_update_viewport(root, viewport);
 +
 +    memory_region_init_io(&root->msi.iomem, OBJECT(root),
 +                          &designware_pci_host_msi_ops,
 +                          root, "pcie-msi", 0x4);
 +    /*
 +     * We initially place MSI interrupt I/O region a adress 0 and
 +     * disable it. It'll be later moved to correct offset and enabled
 +     * in designware_pcie_root_update_msi_mapping() as a part of
 +     * initialization done by guest OS
 +     */
 +    memory_region_add_subregion(address_space, dummy_offset, &root->msi.iomem);
 +    memory_region_set_enabled(&root->msi.iomem, false);
 +}
 +
 +static void designware_pcie_set_irq(void *opaque, int irq_num, int level)
 +{
 +    DesignwarePCIEHost *host = DESIGNWARE_PCIE_HOST(opaque);
 +
 +    qemu_set_irq(host->pci.irqs[irq_num], level);
 +}
 +
 +static const char *
 +designware_pcie_host_root_bus_path(PCIHostState *host_bridge, PCIBus *rootbus)
 +{
 +    return "0000:00";
 +}
 +
 +static const VMStateDescription vmstate_designware_pcie_msi_bank = {
 +    .name = "designware-pcie-msi-bank",
 +    .version_id = 1,
 +    .minimum_version_id = 1,
 +    .fields = (VMStateField[]) {
 +        VMSTATE_UINT32(enable, DesignwarePCIEMSIBank),
 +        VMSTATE_UINT32(mask, DesignwarePCIEMSIBank),
 +        VMSTATE_UINT32(status, DesignwarePCIEMSIBank),
 +        VMSTATE_END_OF_LIST()
 +    }
 +};
 +
 +static const VMStateDescription vmstate_designware_pcie_msi = {
 +    .name = "designware-pcie-msi",
 +    .version_id = 1,
 +    .minimum_version_id = 1,
 +    .fields = (VMStateField[]) {
 +        VMSTATE_UINT64(base, DesignwarePCIEMSI),
 +        VMSTATE_STRUCT_ARRAY(intr,
 +                             DesignwarePCIEMSI,
 +                             DESIGNWARE_PCIE_NUM_MSI_BANKS,
 +                             1,
 +                             vmstate_designware_pcie_msi_bank,
 +                             DesignwarePCIEMSIBank),
 +        VMSTATE_END_OF_LIST()
 +    }
 +};
 +
 +static const VMStateDescription vmstate_designware_pcie_viewport = {
 +    .name = "designware-pcie-viewport",
 +    .version_id = 1,
 +    .minimum_version_id = 1,
 +    .fields = (VMStateField[]) {
 +        VMSTATE_UINT64(base, DesignwarePCIEViewport),
 +        VMSTATE_UINT64(target, DesignwarePCIEViewport),
 +        VMSTATE_UINT32(limit, DesignwarePCIEViewport),
 +        VMSTATE_UINT32_ARRAY(cr, DesignwarePCIEViewport, 2),
 +        VMSTATE_END_OF_LIST()
 +    }
 +};
 +
 +static const VMStateDescription vmstate_designware_pcie_root = {
 +    .name = "designware-pcie-root",
 +    .version_id = 1,
 +    .minimum_version_id = 1,
 +    .fields = (VMStateField[]) {
 +        VMSTATE_PCI_DEVICE(parent_obj, PCIBridge),
 +        VMSTATE_UINT32(atu_viewport, DesignwarePCIERoot),
 +        VMSTATE_STRUCT_2DARRAY(viewports,
 +                               DesignwarePCIERoot,
 +                               2,
 +                               DESIGNWARE_PCIE_NUM_VIEWPORTS,
 +                               1,
 +                               vmstate_designware_pcie_viewport,
 +                               DesignwarePCIEViewport),
 +        VMSTATE_STRUCT(msi,
 +                       DesignwarePCIERoot,
 +                       1,
 +                       vmstate_designware_pcie_msi,
 +                       DesignwarePCIEMSI),
 +        VMSTATE_END_OF_LIST()
 +    }
 +};
 +
 +static void designware_pcie_root_class_init(ObjectClass *klass, void *data)
 +{
 +    PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
 +    DeviceClass *dc = DEVICE_CLASS(klass);
 +
 +    set_bit(DEVICE_CATEGORY_BRIDGE, dc->categories);
 +
 +    k->vendor_id = PCI_VENDOR_ID_SYNOPSYS;
 +    k->device_id = 0xABCD;
 +    k->revision = 0;
 +    k->class_id = PCI_CLASS_BRIDGE_PCI;
 +    k->is_bridge = true;
 +    k->exit = pci_bridge_exitfn;
 +    k->realize = designware_pcie_root_realize;
 +    k->config_read = designware_pcie_root_config_read;
 +    k->config_write = designware_pcie_root_config_write;
 +
 +    dc->reset = pci_bridge_reset;
 +    /*
 +     * PCI-facing part of the host bridge, not usable without the
 +     * host-facing part, which can't be device_add'ed, yet.
 +     */
 +    dc->user_creatable = false;
 +    dc->vmsd = &vmstate_designware_pcie_root;
 +}
 +
 +static uint64_t designware_pcie_host_mmio_read(void *opaque, hwaddr addr,
 +                                               unsigned int size)
 +{
 +    PCIHostState *pci = PCI_HOST_BRIDGE(opaque);
 +    PCIDevice *device = pci_find_device(pci->bus, 0, 0);
 +
 +    return pci_host_config_read_common(device,
 +                                       addr,
 +                                       pci_config_size(device),
 +                                       size);
 +}
 +
 +static void designware_pcie_host_mmio_write(void *opaque, hwaddr addr,
 +                                            uint64_t val, unsigned int size)
 +{
 +    PCIHostState *pci = PCI_HOST_BRIDGE(opaque);
 +    PCIDevice *device = pci_find_device(pci->bus, 0, 0);
 +
 +    return pci_host_config_write_common(device,
 +                                        addr,
 +                                        pci_config_size(device),
 +                                        val, size);
 +}
 +
 +static const MemoryRegionOps designware_pci_mmio_ops = {
 +    .read       = designware_pcie_host_mmio_read,
 +    .write      = designware_pcie_host_mmio_write,
 +    .endianness = DEVICE_LITTLE_ENDIAN,
 +    .impl = {
 +        /*
 +         * Our device would not work correctly if the guest was doing
 +         * unaligned access. This might not be a limitation on the real
 +         * device but in practice there is no reason for a guest to access
 +         * this device unaligned.
 +         */
 +        .min_access_size = 4,
 +        .max_access_size = 4,
 +        .unaligned = false,
 +    },
 +};
 +
 +static AddressSpace *designware_pcie_host_set_iommu(PCIBus *bus, void *opaque,
 +                                                    int devfn)
 +{
 +    DesignwarePCIEHost *s = DESIGNWARE_PCIE_HOST(opaque);
 +
 +    return &s->pci.address_space;
 +}
 +
 +static void designware_pcie_host_realize(DeviceState *dev, Error **errp)
 +{
 +    PCIHostState *pci = PCI_HOST_BRIDGE(dev);
 +    DesignwarePCIEHost *s = DESIGNWARE_PCIE_HOST(dev);
 +    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
 +    size_t i;
 +
 +    for (i = 0; i < ARRAY_SIZE(s->pci.irqs); i++) {
 +        sysbus_init_irq(sbd, &s->pci.irqs[i]);
 +    }
 +
 +    memory_region_init_io(&s->mmio,
 +                          OBJECT(s),
 +                          &designware_pci_mmio_ops,
 +                          s,
 +                          "pcie.reg", 4 * 1024);
 +    sysbus_init_mmio(sbd, &s->mmio);
 +
 +    memory_region_init(&s->pci.io, OBJECT(s), "pcie-pio", 16);
 +    memory_region_init(&s->pci.memory, OBJECT(s),
 +                       "pcie-bus-memory",
 +                       UINT64_MAX);
 +
 +    pci->bus = pci_register_root_bus(dev, "pcie",
 +                                     designware_pcie_set_irq,
 +                                     pci_swizzle_map_irq_fn,
 +                                     s,
 +                                     &s->pci.memory,
 +                                     &s->pci.io,
 +                                     0, 4,
 +                                     TYPE_PCIE_BUS);
 +
 +    memory_region_init(&s->pci.address_space_root,
 +                       OBJECT(s),
 +                       "pcie-bus-address-space-root",
 +                       UINT64_MAX);
 +    memory_region_add_subregion(&s->pci.address_space_root,
 +                                0x0, &s->pci.memory);
 +    address_space_init(&s->pci.address_space,
 +                       &s->pci.address_space_root,
 +                       "pcie-bus-address-space");
 +    pci_setup_iommu(pci->bus, designware_pcie_host_set_iommu, s);
 +
 +    qdev_set_parent_bus(DEVICE(&s->root), BUS(pci->bus));
 +    qdev_init_nofail(DEVICE(&s->root));
 +}
 +
 +static const VMStateDescription vmstate_designware_pcie_host = {
 +    .name = "designware-pcie-host",
 +    .version_id = 1,
 +    .minimum_version_id = 1,
 +    .fields = (VMStateField[]) {
 +        VMSTATE_STRUCT(root,
 +                       DesignwarePCIEHost,
 +                       1,
 +                       vmstate_designware_pcie_root,
 +                       DesignwarePCIERoot),
 +        VMSTATE_END_OF_LIST()
 +    }
 +};
 +
 +static void designware_pcie_host_class_init(ObjectClass *klass, void *data)
 +{
 +    DeviceClass *dc = DEVICE_CLASS(klass);
 +    PCIHostBridgeClass *hc = PCI_HOST_BRIDGE_CLASS(klass);
 +
 +    hc->root_bus_path = designware_pcie_host_root_bus_path;
 +    dc->realize = designware_pcie_host_realize;
 +    set_bit(DEVICE_CATEGORY_BRIDGE, dc->categories);
 +    dc->fw_name = "pci";
 +    dc->vmsd = &vmstate_designware_pcie_host;
 +}
 +
 +static void designware_pcie_host_init(Object *obj)
 +{
 +    DesignwarePCIEHost *s = DESIGNWARE_PCIE_HOST(obj);
 +    DesignwarePCIERoot *root = &s->root;
 +
 +    object_initialize(root, sizeof(*root), TYPE_DESIGNWARE_PCIE_ROOT);
 +    object_property_add_child(obj, "root", OBJECT(root), NULL);
 +    qdev_prop_set_int32(DEVICE(root), "addr", PCI_DEVFN(0, 0));
 +    qdev_prop_set_bit(DEVICE(root), "multifunction", false);
 +}
 +
 +static const TypeInfo designware_pcie_root_info = {
 +    .name = TYPE_DESIGNWARE_PCIE_ROOT,
 +    .parent = TYPE_PCI_BRIDGE,
 +    .instance_size = sizeof(DesignwarePCIERoot),
 +    .class_init = designware_pcie_root_class_init,
 +    .interfaces = (InterfaceInfo[]) {
 +        { INTERFACE_PCIE_DEVICE },
 +        { }
 +    },
 +};
 +
 +static const TypeInfo designware_pcie_host_info = {
 +    .name       = TYPE_DESIGNWARE_PCIE_HOST,
 +    .parent     = TYPE_PCI_HOST_BRIDGE,
 +    .instance_size = sizeof(DesignwarePCIEHost),
 +    .instance_init = designware_pcie_host_init,
 +    .class_init = designware_pcie_host_class_init,
 +};
 +
 +static void designware_pcie_register(void)
 +{
 +    type_register_static(&designware_pcie_root_info);
 +    type_register_static(&designware_pcie_host_info);
 +}
 +type_init(designware_pcie_register)
 diff --git a/default-configs/arm-softmmu.mak b/default-configs/arm-softmmu.mak
 index XXXXXXX..XXXXXXX 100644
 --- a/default-configs/arm-softmmu.mak
 +++ b/default-configs/arm-softmmu.mak
@@ -XXX,XX +XXX,XX @@ CONFIG_GPIO_KEY=y
  CONFIG_MSF2=y
  CONFIG_FW_CFG_DMA=y
  CONFIG_XILINX_AXI=y
 +CONFIG_PCI_DESIGNWARE=y
 --
-.16.2
+.20.1

-[Qemu-devel] [PULL 24/25] sdhci: Fix a typo in comment
+[PULL 26/27] target/arm: Optimize MVE VSLI and VSRI
-From: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Optimize the MVE shift-and-insert insns by using TCG
 vector ops when possible.
-Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20180309153654.13518-8-f4bug@amsat.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20210913095440.13462-12-peter.maydell@linaro.org
 ---
- hw/sd/sdhci.c | 4 ++--
+ target/arm/translate-mve.c | 4 ++--
 file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
+diff --git a/target/arm/translate-mve.c b/target/arm/translate-mve.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/sd/sdhci.c
+--- a/target/arm/translate-mve.c
-+++ b/hw/sd/sdhci.c
++++ b/target/arm/translate-mve.c
-@@ -XXX,XX +XXX,XX @@ static void sdhci_read_block_from_card(SDHCIState *s)
+@@ -XXX,XX +XXX,XX @@ DO_2SHIFT_VEC(VSHRI_U, vshli_u, true, do_gvec_shri_u)
-     for (index = 0; index < blk_size; index++) {
+ DO_2SHIFT(VRSHRI_S, vrshli_s, true)
-         data = sdbus_read_data(&s->sdbus);
+ DO_2SHIFT(VRSHRI_U, vrshli_u, true)
-         if (!FIELD_EX32(s->hostctl2, SDHC_HOSTCTL2, EXECUTE_TUNING)) {
--            /* Device is not in tunning */
+-DO_2SHIFT(VSRI, vsri, false)
-+            /* Device is not in tuning */
+-DO_2SHIFT(VSLI, vsli, false)
-             s->fifo_buffer[index] = data;
++DO_2SHIFT_VEC(VSRI, vsri, false, gen_gvec_sri)
-         }
++DO_2SHIFT_VEC(VSLI, vsli, false, gen_gvec_sli)
-     }
+ #define DO_2SHIFT_FP(INSN, FN)                                  \
-     if (FIELD_EX32(s->hostctl2, SDHC_HOSTCTL2, EXECUTE_TUNING)) {
+     static bool trans_##INSN(DisasContext *s, arg_2shift *a)    \
 -        /* Device is in tunning */
 +        /* Device is in tuning */
          s->hostctl2 &= ~R_SDHC_HOSTCTL2_EXECUTE_TUNING_MASK;
          s->hostctl2 |= R_SDHC_HOSTCTL2_SAMPLING_CLKSEL_MASK;
          s->prnsts &= ~(SDHC_DAT_LINE_ACTIVE | SDHC_DOING_READ |
 --
-.16.2
+.20.1

-[Qemu-devel] [PULL 09/25] aarch64-linux-user: Add support for EXTRA signal frame records
+[PULL 27/27] target/arm: Optimize MVE 1op-immediate insns
-From: Richard Henderson <richard.henderson@linaro.org>
+Optimize the MVE 1op-immediate insns (VORR, VBIC, VMOV) to
 use TCG vector ops when possible.
-The EXTRA record allows for additional space to be allocated
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-beyon what is currently reserved.  Add code to emit and read
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-this record type.
+Message-id: 20210913095440.13462-13-peter.maydell@linaro.org
 ---
  target/arm/translate-mve.c | 26 +++++++++++++++++++++-----
 file changed, 21 insertions(+), 5 deletions(-)
-Nothing uses extra space yet.
+diff --git a/target/arm/translate-mve.c b/target/arm/translate-mve.c
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20180303143823.27055-5-richard.henderson@linaro.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
  linux-user/signal.c | 74 +++++++++++++++++++++++++++++++++++++++++++++--------
 file changed, 63 insertions(+), 11 deletions(-)
 diff --git a/linux-user/signal.c b/linux-user/signal.c
 index XXXXXXX..XXXXXXX 100644
---- a/linux-user/signal.c
+--- a/target/arm/translate-mve.c
-+++ b/linux-user/signal.c
++++ b/target/arm/translate-mve.c
-@@ -XXX,XX +XXX,XX @@ struct target_fpsimd_context {
+@@ -XXX,XX +XXX,XX @@ static bool trans_VADDLV(DisasContext *s, arg_VADDLV *a)
-     uint64_t vregs[32 * 2]; /* really uint128_t vregs[32] */
+     return true;
  };
 +#define TARGET_EXTRA_MAGIC  0x45585401
 +
 +struct target_extra_context {
 +    struct target_aarch64_ctx head;
 +    uint64_t datap; /* 16-byte aligned pointer to extra space cast to __u64 */
 +    uint32_t size; /* size in bytes of the extra space */
 +    uint32_t reserved[3];
 +};
 +
  struct target_rt_sigframe {
      struct target_siginfo info;
      struct target_ucontext uc;
@@ -XXX,XX +XXX,XX @@ static void target_setup_fpsimd_record(struct target_fpsimd_context *fpsimd,
      }
  }
-+static void target_setup_extra_record(struct target_extra_context *extra,
+-static bool do_1imm(DisasContext *s, arg_1imm *a, MVEGenOneOpImmFn *fn)
-+                                      uint64_t datap, uint32_t extra_size)
++static bool do_1imm(DisasContext *s, arg_1imm *a, MVEGenOneOpImmFn *fn,
 +                    GVecGen2iFn *vecfn)
  {
      TCGv_ptr qd;
      uint64_t imm;
@@ -XXX,XX +XXX,XX @@ static bool do_1imm(DisasContext *s, arg_1imm *a, MVEGenOneOpImmFn *fn)
      imm = asimd_imm_const(a->imm, a->cmode, a->op);
 -    qd = mve_qreg_ptr(a->qd);
 -    fn(cpu_env, qd, tcg_constant_i64(imm));
 -    tcg_temp_free_ptr(qd);
 +    if (vecfn && mve_no_predication(s)) {
 +        vecfn(MO_64, mve_qreg_offset(a->qd), mve_qreg_offset(a->qd),
 +              imm, 16, 16);
 +    } else {
 +        qd = mve_qreg_ptr(a->qd);
 +        fn(cpu_env, qd, tcg_constant_i64(imm));
 +        tcg_temp_free_ptr(qd);
 +    }
      mve_update_eci(s);
      return true;
  }
 +static void gen_gvec_vmovi(unsigned vece, uint32_t dofs, uint32_t aofs,
 +                           int64_t c, uint32_t oprsz, uint32_t maxsz)
 +{
-+    __put_user(TARGET_EXTRA_MAGIC, &extra->head.magic);
++    tcg_gen_gvec_dup_imm(vece, dofs, oprsz, maxsz, c);
 +    __put_user(sizeof(struct target_extra_context), &extra->head.size);
 +    __put_user(datap, &extra->datap);
 +    __put_user(extra_size, &extra->size);
 +}
 +
- static void target_setup_end_record(struct target_aarch64_ctx *end)
+ static bool trans_Vimm_1r(DisasContext *s, arg_1imm *a)
  {
-     __put_user(0, &end->magic);
+     /* Handle decode of cmode/op here between VORR/VBIC/VMOV */
-@@ -XXX,XX +XXX,XX @@ static void target_restore_fpsimd_record(CPUARMState *env,
+     MVEGenOneOpImmFn *fn;
- static int target_restore_sigframe(CPUARMState *env,
++    GVecGen2iFn *vecfn;
-                                    struct target_rt_sigframe *sf)
- {
+     if ((a->cmode & 1) && a->cmode < 12) {
--    struct target_aarch64_ctx *ctx;
+         if (a->op) {
-+    struct target_aarch64_ctx *ctx, *extra = NULL;
+@@ -XXX,XX +XXX,XX @@ static bool trans_Vimm_1r(DisasContext *s, arg_1imm *a)
-     struct target_fpsimd_context *fpsimd = NULL;
+              * so the VBIC becomes a logical AND operation.
 +    uint64_t extra_datap = 0;
 +    bool used_extra = false;
 +    bool err = false;
      target_restore_general_frame(env, sf);
      ctx = (struct target_aarch64_ctx *)sf->uc.tuc_mcontext.__reserved;
      while (ctx) {
 -        uint32_t magic, size;
 +        uint32_t magic, size, extra_size;
          __get_user(magic, &ctx->magic);
          __get_user(size, &ctx->size);
          switch (magic) {
          case 0:
              if (size != 0) {
 -                return 1;
 +                err = true;
 +                goto exit;
 +            }
 +            if (used_extra) {
 +                ctx = NULL;
 +            } else {
 +                ctx = extra;
 +                used_extra = true;
              }
 -            ctx = NULL;
              continue;
          case TARGET_FPSIMD_MAGIC:
              if (fpsimd || size != sizeof(struct target_fpsimd_context)) {
 -                return 1;
 +                err = true;
 +                goto exit;
              }
              fpsimd = (struct target_fpsimd_context *)ctx;
              break;
 +        case TARGET_EXTRA_MAGIC:
 +            if (extra || size != sizeof(struct target_extra_context)) {
 +                err = true;
 +                goto exit;
 +            }
 +            __get_user(extra_datap,
 +                       &((struct target_extra_context *)ctx)->datap);
 +            __get_user(extra_size,
 +                       &((struct target_extra_context *)ctx)->size);
 +            extra = lock_user(VERIFY_READ, extra_datap, extra_size, 0);
 +            break;
 +
          default:
              /* Unknown record -- we certainly didn't generate it.
               * Did we in fact get out of sync?
               */
--            return 1;
+             fn = gen_helper_mve_vandi;
-+            err = true;
++            vecfn = tcg_gen_gvec_andi;
-+            goto exit;
+         } else {
              fn = gen_helper_mve_vorri;
 +            vecfn = tcg_gen_gvec_ori;
          }
-         ctx = (void *)ctx + size;
+     } else {
          /* There is one unallocated cmode/op combination in this space */
@@ -XXX,XX +XXX,XX @@ static bool trans_Vimm_1r(DisasContext *s, arg_1imm *a)
          }
          /* asimd_imm_const() sorts out VMVNI vs VMOVI for us */
          fn = gen_helper_mve_vmovi;
 +        vecfn = gen_gvec_vmovi;
      }
+-    return do_1imm(s, a, fn);
-     /* Require FPSIMD always.  */
++    return do_1imm(s, a, fn, vecfn);
 -    if (!fpsimd) {
 -        return 1;
 +    if (fpsimd) {
 +        target_restore_fpsimd_record(env, fpsimd);
 +    } else {
 +        err = true;
      }
 -    target_restore_fpsimd_record(env, fpsimd);
 -    return 0;
 + exit:
 +    unlock_user(extra, extra_datap, 0);
 +    return err;
  }
- static abi_ulong get_sigframe(struct target_sigaction *ka, CPUARMState *env)
+ static bool do_2shift_vec(DisasContext *s, arg_2shift *a, MVEGenTwoOpShiftFn fn,
@@ -XXX,XX +XXX,XX @@ static void target_setup_frame(int usig, struct target_sigaction *ka,
                                 CPUARMState *env)
  {
      int size = offsetof(struct target_rt_sigframe, uc.tuc_mcontext.__reserved);
 -    int fpsimd_ofs, end1_ofs, fr_ofs;
 +    int fpsimd_ofs, end1_ofs, fr_ofs, end2_ofs = 0;
 +    int extra_ofs = 0, extra_base = 0, extra_size = 0;
      struct target_rt_sigframe *frame;
      struct target_rt_frame_record *fr;
      abi_ulong frame_addr, return_addr;
@@ -XXX,XX +XXX,XX @@ static void target_setup_frame(int usig, struct target_sigaction *ka,
      target_setup_general_frame(frame, env, set);
      target_setup_fpsimd_record((void *)frame + fpsimd_ofs, env);
 +    if (extra_ofs) {
 +        target_setup_extra_record((void *)frame + extra_ofs,
 +                                  frame_addr + extra_base, extra_size);
 +    }
      target_setup_end_record((void *)frame + end1_ofs);
 +    if (end2_ofs) {
 +        target_setup_end_record((void *)frame + end2_ofs);
 +    }
      /* Set up the stack frame for unwinding.  */
      fr = (void *)frame + fr_ofs;
 --
-.16.2
+.20.1

Arm pullreq for the 2.12 codefreeze...

thanks
-- PMM

The following changes since commit b39b61e410022f96ceb53d4381d25cba5126ac44:

memory: fix flatview_access_valid RCU read lock/unlock imbalance (2018-03-09 15:55:20 +0000)

are available in the Git repository at:

git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20180309

for you to fetch changes up to 076a0fc32a73a9b960e0f73f04a531bc1bd94308:

MAINTAINERS: Add entries for SD (SDHCI, SDBus, SDCard) (2018-03-09 17:09:45 +0000)

----------------------------------------------------------------
target-arm queue:
 * i.MX: Add i.MX7 SOC implementation and i.MX7 Sabre board
 * Report the correct core count in A53 L2CTLR on the ZynqMP board
 * linux-user: preliminary SVE support work (signal handling)
 * hw/arm/boot: fix memory leak in case of error loading ELF file
 * hw/arm/boot: avoid reading off end of buffer if passed very
   small image file
 * hw/arm: Use more CONFIG switches for the object files
 * target/arm: Add "-cpu max" support
 * hw/arm/virt: Support -machine gic-version=max
 * hw/sd: improve debug tracing
 * hw/sd: sdcard: Add the Tuning Command (CMD 19)
 * MAINTAINERS: add Philippe as odd-fixes maintainer for SD

----------------------------------------------------------------
Alistair Francis (2):
      target/arm: Add a core count property
      hw/arm: Set the core count for Xilinx's ZynqMP

Andrey Smirnov (3):
      pci: Add support for Designware IP block
      i.MX: Add i.MX7 SOC implementation.
      Implement support for i.MX7 Sabre board

Marc-André Lureau (2):
      arm: fix load ELF error leak
      arm: avoid heap-buffer-overflow in load_aarch64_image

Peter Maydell (6):
      target/arm: Query host CPU features on-demand at instance init
      target/arm: Move definition of 'host' cpu type into cpu.c
      target/arm: Add "-cpu max" support
      target/arm: Make 'any' CPU just an alias for 'max'
      hw/arm/virt: Add "max" to the list of CPU types "virt" supports
      hw/arm/virt: Support -machine gic-version=max

Philippe Mathieu-Daudé (6):
      sdcard: Do not trace CMD55, except when we already expect an ACMD
      sdcard: Display command name when tracing CMD/ACMD
      sdcard: Display which protocol is used when tracing (SD or SPI)
      sdcard: Add the Tuning Command (CMD19)
      sdhci: Fix a typo in comment
      MAINTAINERS: Add entries for SD (SDHCI, SDBus, SDCard)

Richard Henderson (5):
      linux-user: Implement aarch64 PR_SVE_SET/GET_VL
      aarch64-linux-user: Split out helpers for guest signal handling
      aarch64-linux-user: Remove struct target_aux_context
      aarch64-linux-user: Add support for EXTRA signal frame records
      aarch64-linux-user: Add support for SVE signal frame records

Thomas Huth (1):
      hw/arm: Use more CONFIG switches for the object files

From: Alistair Francis <alistair.francis@xilinx.com>

The cortex A53 TRM specifies that bits 24 and 25 of the L2CTLR register
specify the number of cores in the processor, not the total number of
cores in the system. To report this correctly on machines with multiple
CPU clusters (ARM's big.LITTLE or Xilinx's ZynqMP) we need to allow
the machine to overwrite this value. To do this let's add an optional
property.

Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
Message-id: ef01d95c0759e88f47f22d11b14c91512a658b4f.1520018138.git.alistair.francis@xilinx.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h   | 5 +++++
 target/arm/cpu.c   | 6 ++++++
 target/arm/cpu64.c | 6 ++++--
 3 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ struct ARMCPU {
     /* Uniprocessor system with MP extensions */
     bool mp_is_up;
 
+    /* Specify the number of cores in this CPU cluster. Used for the L2CTLR
+     * register.
+     */
+    int32_t core_count;
+
     /* The instance init functions for implementation-specific subclasses
      * set these fields to specify the implementation-dependent values of
      * various constant registers and reset values of non-constant
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
         cs->num_ases = 1;
     }
     cpu_address_space_init(cs, ARMASIdx_NS, "cpu-memory", cs->memory);
+
+    /* No core_count specified, default to smp_cpus. */
+    if (cpu->core_count == -1) {
+        cpu->core_count = smp_cpus;
+    }
 #endif
 
     qemu_init_vcpu(cs);
@@ -XXX,XX +XXX,XX @@ static Property arm_cpu_properties[] = {
     DEFINE_PROP_UINT64("mp-affinity", ARMCPU,
                         mp_affinity, ARM64_AFFINITY_INVALID),
     DEFINE_PROP_INT32("node-id", ARMCPU, node_id, CPU_UNSET_NUMA_NODE_ID),
+    DEFINE_PROP_INT32("core-count", ARMCPU, core_count, -1),
     DEFINE_PROP_END_OF_LIST()
 };
 
diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu64.c
+++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@ static inline void unset_feature(CPUARMState *env, int feature)
 #ifndef CONFIG_USER_ONLY
 static uint64_t a57_a53_l2ctlr_read(CPUARMState *env, const ARMCPRegInfo *ri)
 {
-    /* Number of processors is in [25:24]; otherwise we RAZ */
-    return (smp_cpus - 1) << 24;
+    ARMCPU *cpu = arm_env_get_cpu(env);
+
+    /* Number of cores is in [25:24]; otherwise we RAZ */
+    return (cpu->core_count - 1) << 24;
 }
 #endif
 
-- 
2.16.2

From: Alistair Francis <alistair.francis@xilinx.com>

Set the ARM CPU core count property for the A53's attached to the Xilnx
ZynqMP machine.

Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: fe0dd90b85ac73f9fc9548c253bededa70a07006.1520018138.git.alistair.francis@xilinx.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/xlnx-zynqmp.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/hw/arm/xlnx-zynqmp.c b/hw/arm/xlnx-zynqmp.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/xlnx-zynqmp.c
+++ b/hw/arm/xlnx-zynqmp.c
@@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_realize(DeviceState *dev, Error **errp)
                                  s->virt, "has_el2", NULL);
         object_property_set_int(OBJECT(&s->apu_cpu[i]), GIC_BASE_ADDR,
                                 "reset-cbar", &error_abort);
+        object_property_set_int(OBJECT(&s->apu_cpu[i]), num_apus,
+                                "core-count", &error_abort);
         object_property_set_bool(OBJECT(&s->apu_cpu[i]), true, "realized",
                                  &err);
         if (err) {
-- 
2.16.2

From: Andrey Smirnov <andrew.smirnov@gmail.com>

Add code needed to get a functional PCI subsytem when using in
conjunction with upstream Linux guest (4.13+). Tested to work against
"e1000e" (network adapter, using MSI interrupts) as well as
"usb-ehci" (USB controller, using legacy PCI interrupts).

Based on "i.MX6 Applications Processor Reference Manual" (Document
Number: IMX6DQRM Rev. 4) as well as corresponding dirver in Linux
kernel (circa 4.13 - 4.16 found in drivers/pci/dwc/*)

Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/pci-host/Makefile.objs        |   2 +
 include/hw/pci-host/designware.h | 102 ++++++
 include/hw/pci/pci_ids.h         |   2 +
 hw/pci-host/designware.c         | 754 +++++++++++++++++++++++++++++++++++++++
 default-configs/arm-softmmu.mak  |   1 +
 5 files changed, 861 insertions(+)
 create mode 100644 include/hw/pci-host/designware.h
 create mode 100644 hw/pci-host/designware.c

diff --git a/hw/pci-host/Makefile.objs b/hw/pci-host/Makefile.objs
index XXXXXXX..XXXXXXX 100644
--- a/hw/pci-host/Makefile.objs
+++ b/hw/pci-host/Makefile.objs
@@ -XXX,XX +XXX,XX @@ common-obj-$(CONFIG_PCI_PIIX) += piix.o
 common-obj-$(CONFIG_PCI_Q35) += q35.o
 common-obj-$(CONFIG_PCI_GENERIC) += gpex.o
 common-obj-$(CONFIG_PCI_XILINX) += xilinx-pcie.o
+
+common-obj-$(CONFIG_PCI_DESIGNWARE) += designware.o
diff --git a/include/hw/pci-host/designware.h b/include/hw/pci-host/designware.h
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/include/hw/pci-host/designware.h
@@ -XXX,XX +XXX,XX @@
+/*
+ * Copyright (c) 2017, Impinj, Inc.
+ *
+ * Designware PCIe IP block emulation
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see
+ * <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef DESIGNWARE_H
+#define DESIGNWARE_H
+
+#include "hw/hw.h"
+#include "hw/sysbus.h"
+#include "hw/pci/pci.h"
+#include "hw/pci/pci_bus.h"
+#include "hw/pci/pcie_host.h"
+#include "hw/pci/pci_bridge.h"
+
+#define TYPE_DESIGNWARE_PCIE_HOST "designware-pcie-host"
+#define DESIGNWARE_PCIE_HOST(obj) \
+     OBJECT_CHECK(DesignwarePCIEHost, (obj), TYPE_DESIGNWARE_PCIE_HOST)
+
+#define TYPE_DESIGNWARE_PCIE_ROOT "designware-pcie-root"
+#define DESIGNWARE_PCIE_ROOT(obj) \
+     OBJECT_CHECK(DesignwarePCIERoot, (obj), TYPE_DESIGNWARE_PCIE_ROOT)
+
+struct DesignwarePCIERoot;
+typedef struct DesignwarePCIERoot DesignwarePCIERoot;
+
+typedef struct DesignwarePCIEViewport {
+    DesignwarePCIERoot *root;
+
+    MemoryRegion cfg;
+    MemoryRegion mem;
+
+    uint64_t base;
+    uint64_t target;
+    uint32_t limit;
+    uint32_t cr[2];
+
+    bool inbound;
+} DesignwarePCIEViewport;
+
+typedef struct DesignwarePCIEMSIBank {
+    uint32_t enable;
+    uint32_t mask;
+    uint32_t status;
+} DesignwarePCIEMSIBank;
+
+typedef struct DesignwarePCIEMSI {
+    uint64_t     base;
+    MemoryRegion iomem;
+
+#define DESIGNWARE_PCIE_NUM_MSI_BANKS        1
+
+    DesignwarePCIEMSIBank intr[DESIGNWARE_PCIE_NUM_MSI_BANKS];
+} DesignwarePCIEMSI;
+
+struct DesignwarePCIERoot {
+    PCIBridge parent_obj;
+
+    uint32_t atu_viewport;
+
+#define DESIGNWARE_PCIE_VIEWPORT_OUTBOUND    0
+#define DESIGNWARE_PCIE_VIEWPORT_INBOUND     1
+#define DESIGNWARE_PCIE_NUM_VIEWPORTS        4
+
+    DesignwarePCIEViewport viewports[2][DESIGNWARE_PCIE_NUM_VIEWPORTS];
+    DesignwarePCIEMSI msi;
+};
+
+typedef struct DesignwarePCIEHost {
+    PCIHostState parent_obj;
+
+    DesignwarePCIERoot root;
+
+    struct {
+        AddressSpace address_space;
+        MemoryRegion address_space_root;
+
+        MemoryRegion memory;
+        MemoryRegion io;
+
+        qemu_irq     irqs[4];
+    } pci;
+
+    MemoryRegion mmio;
+} DesignwarePCIEHost;
+
+#endif  /* DESIGNWARE_H */
diff --git a/include/hw/pci/pci_ids.h b/include/hw/pci/pci_ids.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/pci/pci_ids.h
+++ b/include/hw/pci/pci_ids.h
@@ -XXX,XX +XXX,XX @@
 #define PCI_VENDOR_ID_VMWARE             0x15ad
 #define PCI_DEVICE_ID_VMWARE_PVRDMA      0x0820
 
+#define PCI_VENDOR_ID_SYNOPSYS           0x16C3
+
 #endif
diff --git a/hw/pci-host/designware.c b/hw/pci-host/designware.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/hw/pci-host/designware.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * Copyright (c) 2018, Impinj, Inc.
+ *
+ * Designware PCIe IP block emulation
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see
+ * <http://www.gnu.org/licenses/>.
+ */
+
+#include "qemu/osdep.h"
+#include "qapi/error.h"
+#include "hw/pci/msi.h"
+#include "hw/pci/pci_bridge.h"
+#include "hw/pci/pci_host.h"
+#include "hw/pci/pcie_port.h"
+#include "hw/pci-host/designware.h"
+
+#define DESIGNWARE_PCIE_PORT_LINK_CONTROL          0x710
+#define DESIGNWARE_PCIE_PHY_DEBUG_R1               0x72C
+#define DESIGNWARE_PCIE_PHY_DEBUG_R1_XMLH_LINK_UP  BIT(4)
+#define DESIGNWARE_PCIE_LINK_WIDTH_SPEED_CONTROL   0x80C
+#define DESIGNWARE_PCIE_PORT_LOGIC_SPEED_CHANGE    BIT(17)
+#define DESIGNWARE_PCIE_MSI_ADDR_LO                0x820
+#define DESIGNWARE_PCIE_MSI_ADDR_HI                0x824
+#define DESIGNWARE_PCIE_MSI_INTR0_ENABLE           0x828
+#define DESIGNWARE_PCIE_MSI_INTR0_MASK             0x82C
+#define DESIGNWARE_PCIE_MSI_INTR0_STATUS           0x830
+#define DESIGNWARE_PCIE_ATU_VIEWPORT               0x900
+#define DESIGNWARE_PCIE_ATU_REGION_INBOUND         BIT(31)
+#define DESIGNWARE_PCIE_ATU_CR1                    0x904
+#define DESIGNWARE_PCIE_ATU_TYPE_MEM               (0x0 << 0)
+#define DESIGNWARE_PCIE_ATU_CR2                    0x908
+#define DESIGNWARE_PCIE_ATU_ENABLE                 BIT(31)
+#define DESIGNWARE_PCIE_ATU_LOWER_BASE             0x90C
+#define DESIGNWARE_PCIE_ATU_UPPER_BASE             0x910
+#define DESIGNWARE_PCIE_ATU_LIMIT                  0x914
+#define DESIGNWARE_PCIE_ATU_LOWER_TARGET           0x918
+#define DESIGNWARE_PCIE_ATU_BUS(x)                 (((x) >> 24) & 0xff)
+#define DESIGNWARE_PCIE_ATU_DEVFN(x)               (((x) >> 16) & 0xff)
+#define DESIGNWARE_PCIE_ATU_UPPER_TARGET           0x91C
+
+static DesignwarePCIEHost *
+designware_pcie_root_to_host(DesignwarePCIERoot *root)
+{
+    BusState *bus = qdev_get_parent_bus(DEVICE(root));
+    return DESIGNWARE_PCIE_HOST(bus->parent);
+}
+
+static void designware_pcie_root_msi_write(void *opaque, hwaddr addr,
+                                           uint64_t val, unsigned len)
+{
+    DesignwarePCIERoot *root = DESIGNWARE_PCIE_ROOT(opaque);
+    DesignwarePCIEHost *host = designware_pcie_root_to_host(root);
+
+    root->msi.intr[0].status |= BIT(val) & root->msi.intr[0].enable;
+
+    if (root->msi.intr[0].status & ~root->msi.intr[0].mask) {
+        qemu_set_irq(host->pci.irqs[0], 1);
+    }
+}
+
+static const MemoryRegionOps designware_pci_host_msi_ops = {
+    .write = designware_pcie_root_msi_write,
+    .endianness = DEVICE_LITTLE_ENDIAN,
+    .valid = {
+        .min_access_size = 4,
+        .max_access_size = 4,
+    },
+};
+
+static void designware_pcie_root_update_msi_mapping(DesignwarePCIERoot *root)
+
+{
+    MemoryRegion *mem   = &root->msi.iomem;
+    const uint64_t base = root->msi.base;
+    const bool enable   = root->msi.intr[0].enable;
+
+    memory_region_set_address(mem, base);
+    memory_region_set_enabled(mem, enable);
+}
+
+static DesignwarePCIEViewport *
+designware_pcie_root_get_current_viewport(DesignwarePCIERoot *root)
+{
+    const unsigned int idx = root->atu_viewport & 0xF;
+    const unsigned int dir =
+        !!(root->atu_viewport & DESIGNWARE_PCIE_ATU_REGION_INBOUND);
+    return &root->viewports[dir][idx];
+}
+
+static uint32_t
+designware_pcie_root_config_read(PCIDevice *d, uint32_t address, int len)
+{
+    DesignwarePCIERoot *root = DESIGNWARE_PCIE_ROOT(d);
+    DesignwarePCIEViewport *viewport =
+        designware_pcie_root_get_current_viewport(root);
+
+    uint32_t val;
+
+    switch (address) {
+    case DESIGNWARE_PCIE_PORT_LINK_CONTROL:
+        /*
+         * Linux guest uses this register only to configure number of
+         * PCIE lane (which in our case is irrelevant) and doesn't
+         * really care about the value it reads from this register
+         */
+        val = 0xDEADBEEF;
+        break;
+
+    case DESIGNWARE_PCIE_LINK_WIDTH_SPEED_CONTROL:
+        /*
+         * To make sure that any code in guest waiting for speed
+         * change does not time out we always report
+         * PORT_LOGIC_SPEED_CHANGE as set
+         */
+        val = DESIGNWARE_PCIE_PORT_LOGIC_SPEED_CHANGE;
+        break;
+
+    case DESIGNWARE_PCIE_MSI_ADDR_LO:
+        val = root->msi.base;
+        break;
+
+    case DESIGNWARE_PCIE_MSI_ADDR_HI:
+        val = root->msi.base >> 32;
+        break;
+
+    case DESIGNWARE_PCIE_MSI_INTR0_ENABLE:
+        val = root->msi.intr[0].enable;
+        break;
+
+    case DESIGNWARE_PCIE_MSI_INTR0_MASK:
+        val = root->msi.intr[0].mask;
+        break;
+
+    case DESIGNWARE_PCIE_MSI_INTR0_STATUS:
+        val = root->msi.intr[0].status;
+        break;
+
+    case DESIGNWARE_PCIE_PHY_DEBUG_R1:
+        val = DESIGNWARE_PCIE_PHY_DEBUG_R1_XMLH_LINK_UP;
+        break;
+
+    case DESIGNWARE_PCIE_ATU_VIEWPORT:
+        val = root->atu_viewport;
+        break;
+
+    case DESIGNWARE_PCIE_ATU_LOWER_BASE:
+        val = viewport->base;
+        break;
+
+    case DESIGNWARE_PCIE_ATU_UPPER_BASE:
+        val = viewport->base >> 32;
+        break;
+
+    case DESIGNWARE_PCIE_ATU_LOWER_TARGET:
+        val = viewport->target;
+        break;
+
+    case DESIGNWARE_PCIE_ATU_UPPER_TARGET:
+        val = viewport->target >> 32;
+        break;
+
+    case DESIGNWARE_PCIE_ATU_LIMIT:
+        val = viewport->limit;
+        break;
+
+    case DESIGNWARE_PCIE_ATU_CR1:
+    case DESIGNWARE_PCIE_ATU_CR2:          /* FALLTHROUGH */
+        val = viewport->cr[(address - DESIGNWARE_PCIE_ATU_CR1) /
+                           sizeof(uint32_t)];
+        break;
+
+    default:
+        val = pci_default_read_config(d, address, len);
+        break;
+    }
+
+    return val;
+}
+
+static uint64_t designware_pcie_root_data_access(void *opaque, hwaddr addr,
+                                                 uint64_t *val, unsigned len)
+{
+    DesignwarePCIEViewport *viewport = opaque;
+    DesignwarePCIERoot *root = viewport->root;
+
+    const uint8_t busnum = DESIGNWARE_PCIE_ATU_BUS(viewport->target);
+    const uint8_t devfn  = DESIGNWARE_PCIE_ATU_DEVFN(viewport->target);
+    PCIBus    *pcibus    = pci_get_bus(PCI_DEVICE(root));
+    PCIDevice *pcidev    = pci_find_device(pcibus, busnum, devfn);
+
+    if (pcidev) {
+        addr &= pci_config_size(pcidev) - 1;
+
+        if (val) {
+            pci_host_config_write_common(pcidev, addr,
+                                         pci_config_size(pcidev),
+                                         *val, len);
+        } else {
+            return pci_host_config_read_common(pcidev, addr,
+                                               pci_config_size(pcidev),
+                                               len);
+        }
+    }
+
+    return UINT64_MAX;
+}
+
+static uint64_t designware_pcie_root_data_read(void *opaque, hwaddr addr,
+                                               unsigned len)
+{
+    return designware_pcie_root_data_access(opaque, addr, NULL, len);
+}
+
+static void designware_pcie_root_data_write(void *opaque, hwaddr addr,
+                                            uint64_t val, unsigned len)
+{
+    designware_pcie_root_data_access(opaque, addr, &val, len);
+}
+
+static const MemoryRegionOps designware_pci_host_conf_ops = {
+    .read = designware_pcie_root_data_read,
+    .write = designware_pcie_root_data_write,
+    .endianness = DEVICE_LITTLE_ENDIAN,
+    .valid = {
+        .min_access_size = 1,
+        .max_access_size = 4,
+    },
+};
+
+static void designware_pcie_update_viewport(DesignwarePCIERoot *root,
+                                            DesignwarePCIEViewport *viewport)
+{
+    const uint64_t target = viewport->target;
+    const uint64_t base   = viewport->base;
+    const uint64_t size   = (uint64_t)viewport->limit - base + 1;
+    const bool enabled    = viewport->cr[1] & DESIGNWARE_PCIE_ATU_ENABLE;
+
+    MemoryRegion *current, *other;
+
+    if (viewport->cr[0] == DESIGNWARE_PCIE_ATU_TYPE_MEM) {
+        current = &viewport->mem;
+        other   = &viewport->cfg;
+        memory_region_set_alias_offset(current, target);
+    } else {
+        current = &viewport->cfg;
+        other   = &viewport->mem;
+    }
+
+    /*
+     * An outbound viewport can be reconfigure from being MEM to CFG,
+     * to account for that we disable the "other" memory region that
+     * becomes unused due to that fact.
+     */
+    memory_region_set_enabled(other, false);
+    if (enabled) {
+        memory_region_set_size(current, size);
+        memory_region_set_address(current, base);
+    }
+    memory_region_set_enabled(current, enabled);
+}
+
+static void designware_pcie_root_config_write(PCIDevice *d, uint32_t address,
+                                              uint32_t val, int len)
+{
+    DesignwarePCIERoot *root = DESIGNWARE_PCIE_ROOT(d);
+    DesignwarePCIEHost *host = designware_pcie_root_to_host(root);
+    DesignwarePCIEViewport *viewport =
+        designware_pcie_root_get_current_viewport(root);
+
+    switch (address) {
+    case DESIGNWARE_PCIE_PORT_LINK_CONTROL:
+    case DESIGNWARE_PCIE_LINK_WIDTH_SPEED_CONTROL:
+    case DESIGNWARE_PCIE_PHY_DEBUG_R1:
+        /* No-op */
+        break;
+
+    case DESIGNWARE_PCIE_MSI_ADDR_LO:
+        root->msi.base &= 0xFFFFFFFF00000000ULL;
+        root->msi.base |= val;
+        break;
+
+    case DESIGNWARE_PCIE_MSI_ADDR_HI:
+        root->msi.base &= 0x00000000FFFFFFFFULL;
+        root->msi.base |= (uint64_t)val << 32;
+        break;
+
+    case DESIGNWARE_PCIE_MSI_INTR0_ENABLE: {
+        const bool update_msi_mapping = !root->msi.intr[0].enable ^ !!val;
+
+        root->msi.intr[0].enable = val;
+
+        if (update_msi_mapping) {
+            designware_pcie_root_update_msi_mapping(root);
+        }
+        break;
+    }
+
+    case DESIGNWARE_PCIE_MSI_INTR0_MASK:
+        root->msi.intr[0].mask = val;
+        break;
+
+    case DESIGNWARE_PCIE_MSI_INTR0_STATUS:
+        root->msi.intr[0].status ^= val;
+        if (!root->msi.intr[0].status) {
+            qemu_set_irq(host->pci.irqs[0], 0);
+        }
+        break;
+
+    case DESIGNWARE_PCIE_ATU_VIEWPORT:
+        root->atu_viewport = val;
+        break;
+
+    case DESIGNWARE_PCIE_ATU_LOWER_BASE:
+        viewport->base &= 0xFFFFFFFF00000000ULL;
+        viewport->base |= val;
+        break;
+
+    case DESIGNWARE_PCIE_ATU_UPPER_BASE:
+        viewport->base &= 0x00000000FFFFFFFFULL;
+        viewport->base |= (uint64_t)val << 32;
+        break;
+
+    case DESIGNWARE_PCIE_ATU_LOWER_TARGET:
+        viewport->target &= 0xFFFFFFFF00000000ULL;
+        viewport->target |= val;
+        break;
+
+    case DESIGNWARE_PCIE_ATU_UPPER_TARGET:
+        viewport->target &= 0x00000000FFFFFFFFULL;
+        viewport->target |= val;
+        break;
+
+    case DESIGNWARE_PCIE_ATU_LIMIT:
+        viewport->limit = val;
+        break;
+
+    case DESIGNWARE_PCIE_ATU_CR1:
+        viewport->cr[0] = val;
+        break;
+    case DESIGNWARE_PCIE_ATU_CR2:
+        viewport->cr[1] = val;
+        designware_pcie_update_viewport(root, viewport);
+        break;
+
+    default:
+        pci_bridge_write_config(d, address, val, len);
+        break;
+    }
+}
+
+static char *designware_pcie_viewport_name(const char *direction,
+                                           unsigned int i,
+                                           const char *type)
+{
+    return g_strdup_printf("PCI %s Viewport %u [%s]",
+                           direction, i, type);
+}
+
+static void designware_pcie_root_realize(PCIDevice *dev, Error **errp)
+{
+    DesignwarePCIERoot *root = DESIGNWARE_PCIE_ROOT(dev);
+    DesignwarePCIEHost *host = designware_pcie_root_to_host(root);
+    MemoryRegion *address_space = &host->pci.memory;
+    PCIBridge *br = PCI_BRIDGE(dev);
+    DesignwarePCIEViewport *viewport;
+    /*
+     * Dummy values used for initial configuration of MemoryRegions
+     * that belong to a given viewport
+     */
+    const hwaddr dummy_offset = 0;
+    const uint64_t dummy_size = 4;
+    size_t i;
+
+    br->bus_name  = "dw-pcie";
+
+    pci_set_word(dev->config + PCI_COMMAND,
+                 PCI_COMMAND_MEMORY | PCI_COMMAND_MASTER);
+
+    pci_config_set_interrupt_pin(dev->config, 1);
+    pci_bridge_initfn(dev, TYPE_PCIE_BUS);
+
+    pcie_port_init_reg(dev);
+
+    pcie_cap_init(dev, 0x70, PCI_EXP_TYPE_ROOT_PORT,
+                  0, &error_fatal);
+
+    msi_nonbroken = true;
+    msi_init(dev, 0x50, 32, true, true, &error_fatal);
+
+    for (i = 0; i < DESIGNWARE_PCIE_NUM_VIEWPORTS; i++) {
+        MemoryRegion *source, *destination, *mem;
+        const char *direction;
+        char *name;
+
+        viewport = &root->viewports[DESIGNWARE_PCIE_VIEWPORT_INBOUND][i];
+        viewport->inbound = true;
+        viewport->base    = 0x0000000000000000ULL;
+        viewport->target  = 0x0000000000000000ULL;
+        viewport->limit   = UINT32_MAX;
+        viewport->cr[0]   = DESIGNWARE_PCIE_ATU_TYPE_MEM;
+
+        source      = &host->pci.address_space_root;
+        destination = get_system_memory();
+        direction   = "Inbound";
+
+        /*
+         * Configure MemoryRegion implementing PCI -> CPU memory
+         * access
+         */
+        mem  = &viewport->mem;
+        name = designware_pcie_viewport_name(direction, i, "MEM");
+        memory_region_init_alias(mem, OBJECT(root), name, destination,
+                                 dummy_offset, dummy_size);
+        memory_region_add_subregion_overlap(source, dummy_offset, mem, -1);
+        memory_region_set_enabled(mem, false);
+        g_free(name);
+
+        viewport = &root->viewports[DESIGNWARE_PCIE_VIEWPORT_OUTBOUND][i];
+        viewport->root    = root;
+        viewport->inbound = false;
+        viewport->base    = 0x0000000000000000ULL;
+        viewport->target  = 0x0000000000000000ULL;
+        viewport->limit   = UINT32_MAX;
+        viewport->cr[0]   = DESIGNWARE_PCIE_ATU_TYPE_MEM;
+
+        destination = &host->pci.memory;
+        direction   = "Outbound";
+        source      = get_system_memory();
+
+        /*
+         * Configure MemoryRegion implementing CPU -> PCI memory
+         * access
+         */
+        mem  = &viewport->mem;
+        name = designware_pcie_viewport_name(direction, i, "MEM");
+        memory_region_init_alias(mem, OBJECT(root), name, destination,
+                                 dummy_offset, dummy_size);
+        memory_region_add_subregion(source, dummy_offset, mem);
+        memory_region_set_enabled(mem, false);
+        g_free(name);
+
+        /*
+         * Configure MemoryRegion implementing access to configuration
+         * space
+         */
+        mem  = &viewport->cfg;
+        name = designware_pcie_viewport_name(direction, i, "CFG");
+        memory_region_init_io(&viewport->cfg, OBJECT(root),
+                              &designware_pci_host_conf_ops,
+                              viewport, name, dummy_size);
+        memory_region_add_subregion(source, dummy_offset, mem);
+        memory_region_set_enabled(mem, false);
+        g_free(name);
+    }
+
+    /*
+     * If no inbound iATU windows are configured, HW defaults to
+     * letting inbound TLPs to pass in. We emulate that by exlicitly
+     * configuring first inbound window to cover all of target's
+     * address space.
+     *
+     * NOTE: This will not work correctly for the case when first
+     * configured inbound window is window 0
+     */
+    viewport = &root->viewports[DESIGNWARE_PCIE_VIEWPORT_INBOUND][0];
+    viewport->cr[1] = DESIGNWARE_PCIE_ATU_ENABLE;
+    designware_pcie_update_viewport(root, viewport);
+
+    memory_region_init_io(&root->msi.iomem, OBJECT(root),
+                          &designware_pci_host_msi_ops,
+                          root, "pcie-msi", 0x4);
+    /*
+     * We initially place MSI interrupt I/O region a adress 0 and
+     * disable it. It'll be later moved to correct offset and enabled
+     * in designware_pcie_root_update_msi_mapping() as a part of
+     * initialization done by guest OS
+     */
+    memory_region_add_subregion(address_space, dummy_offset, &root->msi.iomem);
+    memory_region_set_enabled(&root->msi.iomem, false);
+}
+
+static void designware_pcie_set_irq(void *opaque, int irq_num, int level)
+{
+    DesignwarePCIEHost *host = DESIGNWARE_PCIE_HOST(opaque);
+
+    qemu_set_irq(host->pci.irqs[irq_num], level);
+}
+
+static const char *
+designware_pcie_host_root_bus_path(PCIHostState *host_bridge, PCIBus *rootbus)
+{
+    return "0000:00";
+}
+
+static const VMStateDescription vmstate_designware_pcie_msi_bank = {
+    .name = "designware-pcie-msi-bank",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .fields = (VMStateField[]) {
+        VMSTATE_UINT32(enable, DesignwarePCIEMSIBank),
+        VMSTATE_UINT32(mask, DesignwarePCIEMSIBank),
+        VMSTATE_UINT32(status, DesignwarePCIEMSIBank),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+static const VMStateDescription vmstate_designware_pcie_msi = {
+    .name = "designware-pcie-msi",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .fields = (VMStateField[]) {
+        VMSTATE_UINT64(base, DesignwarePCIEMSI),
+        VMSTATE_STRUCT_ARRAY(intr,
+                             DesignwarePCIEMSI,
+                             DESIGNWARE_PCIE_NUM_MSI_BANKS,
+                             1,
+                             vmstate_designware_pcie_msi_bank,
+                             DesignwarePCIEMSIBank),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+static const VMStateDescription vmstate_designware_pcie_viewport = {
+    .name = "designware-pcie-viewport",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .fields = (VMStateField[]) {
+        VMSTATE_UINT64(base, DesignwarePCIEViewport),
+        VMSTATE_UINT64(target, DesignwarePCIEViewport),
+        VMSTATE_UINT32(limit, DesignwarePCIEViewport),
+        VMSTATE_UINT32_ARRAY(cr, DesignwarePCIEViewport, 2),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+static const VMStateDescription vmstate_designware_pcie_root = {
+    .name = "designware-pcie-root",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .fields = (VMStateField[]) {
+        VMSTATE_PCI_DEVICE(parent_obj, PCIBridge),
+        VMSTATE_UINT32(atu_viewport, DesignwarePCIERoot),
+        VMSTATE_STRUCT_2DARRAY(viewports,
+                               DesignwarePCIERoot,
+                               2,
+                               DESIGNWARE_PCIE_NUM_VIEWPORTS,
+                               1,
+                               vmstate_designware_pcie_viewport,
+                               DesignwarePCIEViewport),
+        VMSTATE_STRUCT(msi,
+                       DesignwarePCIERoot,
+                       1,
+                       vmstate_designware_pcie_msi,
+                       DesignwarePCIEMSI),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+static void designware_pcie_root_class_init(ObjectClass *klass, void *data)
+{
+    PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
+    DeviceClass *dc = DEVICE_CLASS(klass);
+
+    set_bit(DEVICE_CATEGORY_BRIDGE, dc->categories);
+
+    k->vendor_id = PCI_VENDOR_ID_SYNOPSYS;
+    k->device_id = 0xABCD;
+    k->revision = 0;
+    k->class_id = PCI_CLASS_BRIDGE_PCI;
+    k->is_bridge = true;
+    k->exit = pci_bridge_exitfn;
+    k->realize = designware_pcie_root_realize;
+    k->config_read = designware_pcie_root_config_read;
+    k->config_write = designware_pcie_root_config_write;
+
+    dc->reset = pci_bridge_reset;
+    /*
+     * PCI-facing part of the host bridge, not usable without the
+     * host-facing part, which can't be device_add'ed, yet.
+     */
+    dc->user_creatable = false;
+    dc->vmsd = &vmstate_designware_pcie_root;
+}
+
+static uint64_t designware_pcie_host_mmio_read(void *opaque, hwaddr addr,
+                                               unsigned int size)
+{
+    PCIHostState *pci = PCI_HOST_BRIDGE(opaque);
+    PCIDevice *device = pci_find_device(pci->bus, 0, 0);
+
+    return pci_host_config_read_common(device,
+                                       addr,
+                                       pci_config_size(device),
+                                       size);
+}
+
+static void designware_pcie_host_mmio_write(void *opaque, hwaddr addr,
+                                            uint64_t val, unsigned int size)
+{
+    PCIHostState *pci = PCI_HOST_BRIDGE(opaque);
+    PCIDevice *device = pci_find_device(pci->bus, 0, 0);
+
+    return pci_host_config_write_common(device,
+                                        addr,
+                                        pci_config_size(device),
+                                        val, size);
+}
+
+static const MemoryRegionOps designware_pci_mmio_ops = {
+    .read       = designware_pcie_host_mmio_read,
+    .write      = designware_pcie_host_mmio_write,
+    .endianness = DEVICE_LITTLE_ENDIAN,
+    .impl = {
+        /*
+         * Our device would not work correctly if the guest was doing
+         * unaligned access. This might not be a limitation on the real
+         * device but in practice there is no reason for a guest to access
+         * this device unaligned.
+         */
+        .min_access_size = 4,
+        .max_access_size = 4,
+        .unaligned = false,
+    },
+};
+
+static AddressSpace *designware_pcie_host_set_iommu(PCIBus *bus, void *opaque,
+                                                    int devfn)
+{
+    DesignwarePCIEHost *s = DESIGNWARE_PCIE_HOST(opaque);
+
+    return &s->pci.address_space;
+}
+
+static void designware_pcie_host_realize(DeviceState *dev, Error **errp)
+{
+    PCIHostState *pci = PCI_HOST_BRIDGE(dev);
+    DesignwarePCIEHost *s = DESIGNWARE_PCIE_HOST(dev);
+    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
+    size_t i;
+
+    for (i = 0; i < ARRAY_SIZE(s->pci.irqs); i++) {
+        sysbus_init_irq(sbd, &s->pci.irqs[i]);
+    }
+
+    memory_region_init_io(&s->mmio,
+                          OBJECT(s),
+                          &designware_pci_mmio_ops,
+                          s,
+                          "pcie.reg", 4 * 1024);
+    sysbus_init_mmio(sbd, &s->mmio);
+
+    memory_region_init(&s->pci.io, OBJECT(s), "pcie-pio", 16);
+    memory_region_init(&s->pci.memory, OBJECT(s),
+                       "pcie-bus-memory",
+                       UINT64_MAX);
+
+    pci->bus = pci_register_root_bus(dev, "pcie",
+                                     designware_pcie_set_irq,
+                                     pci_swizzle_map_irq_fn,
+                                     s,
+                                     &s->pci.memory,
+                                     &s->pci.io,
+                                     0, 4,
+                                     TYPE_PCIE_BUS);
+
+    memory_region_init(&s->pci.address_space_root,
+                       OBJECT(s),
+                       "pcie-bus-address-space-root",
+                       UINT64_MAX);
+    memory_region_add_subregion(&s->pci.address_space_root,
+                                0x0, &s->pci.memory);
+    address_space_init(&s->pci.address_space,
+                       &s->pci.address_space_root,
+                       "pcie-bus-address-space");
+    pci_setup_iommu(pci->bus, designware_pcie_host_set_iommu, s);
+
+    qdev_set_parent_bus(DEVICE(&s->root), BUS(pci->bus));
+    qdev_init_nofail(DEVICE(&s->root));
+}
+
+static const VMStateDescription vmstate_designware_pcie_host = {
+    .name = "designware-pcie-host",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .fields = (VMStateField[]) {
+        VMSTATE_STRUCT(root,
+                       DesignwarePCIEHost,
+                       1,
+                       vmstate_designware_pcie_root,
+                       DesignwarePCIERoot),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+static void designware_pcie_host_class_init(ObjectClass *klass, void *data)
+{
+    DeviceClass *dc = DEVICE_CLASS(klass);
+    PCIHostBridgeClass *hc = PCI_HOST_BRIDGE_CLASS(klass);
+
+    hc->root_bus_path = designware_pcie_host_root_bus_path;
+    dc->realize = designware_pcie_host_realize;
+    set_bit(DEVICE_CATEGORY_BRIDGE, dc->categories);
+    dc->fw_name = "pci";
+    dc->vmsd = &vmstate_designware_pcie_host;
+}
+
+static void designware_pcie_host_init(Object *obj)
+{
+    DesignwarePCIEHost *s = DESIGNWARE_PCIE_HOST(obj);
+    DesignwarePCIERoot *root = &s->root;
+
+    object_initialize(root, sizeof(*root), TYPE_DESIGNWARE_PCIE_ROOT);
+    object_property_add_child(obj, "root", OBJECT(root), NULL);
+    qdev_prop_set_int32(DEVICE(root), "addr", PCI_DEVFN(0, 0));
+    qdev_prop_set_bit(DEVICE(root), "multifunction", false);
+}
+
+static const TypeInfo designware_pcie_root_info = {
+    .name = TYPE_DESIGNWARE_PCIE_ROOT,
+    .parent = TYPE_PCI_BRIDGE,
+    .instance_size = sizeof(DesignwarePCIERoot),
+    .class_init = designware_pcie_root_class_init,
+    .interfaces = (InterfaceInfo[]) {
+        { INTERFACE_PCIE_DEVICE },
+        { }
+    },
+};
+
+static const TypeInfo designware_pcie_host_info = {
+    .name       = TYPE_DESIGNWARE_PCIE_HOST,
+    .parent     = TYPE_PCI_HOST_BRIDGE,
+    .instance_size = sizeof(DesignwarePCIEHost),
+    .instance_init = designware_pcie_host_init,
+    .class_init = designware_pcie_host_class_init,
+};
+
+static void designware_pcie_register(void)
+{
+    type_register_static(&designware_pcie_root_info);
+    type_register_static(&designware_pcie_host_info);
+}
+type_init(designware_pcie_register)
diff --git a/default-configs/arm-softmmu.mak b/default-configs/arm-softmmu.mak
index XXXXXXX..XXXXXXX 100644
--- a/default-configs/arm-softmmu.mak
+++ b/default-configs/arm-softmmu.mak
@@ -XXX,XX +XXX,XX @@ CONFIG_GPIO_KEY=y
 CONFIG_MSF2=y
 CONFIG_FW_CFG_DMA=y
 CONFIG_XILINX_AXI=y
+CONFIG_PCI_DESIGNWARE=y
-- 
2.16.2

From: Andrey Smirnov <andrew.smirnov@gmail.com>

The following interfaces are partially or fully emulated:

* up to 2 Cortex A9 cores (SMP works with PSCI)
    * A7 MPCORE (identical to A15 MPCORE)
    * 4 GPTs modules
    * 7 GPIO controllers
    * 2 IOMUXC controllers
    * 1 CCM module
    * 1 SVNS module
    * 1 SRC module
    * 1 GPCv2 controller
    * 4 eCSPI controllers
    * 4 I2C controllers
    * 7 i.MX UART controllers
    * 2 FlexCAN controllers
    * 2 Ethernet controllers (FEC)
    * 3 SD controllers (USDHC)
    * 4 WDT modules
    * 1 SDMA module
    * 1 GPR module
    * 2 USBMISC modules
    * 2 ADC modules
    * 1 PCIe controller

Tested to boot and work with upstream Linux (4.13+) guest.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
[PMM: folded a couple of long lines]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/Makefile.objs            |   1 +
 include/hw/arm/fsl-imx7.h       | 222 +++++++++++++++
 hw/arm/fsl-imx7.c               | 582 ++++++++++++++++++++++++++++++++++++++++
 default-configs/arm-softmmu.mak |   1 +
 4 files changed, 806 insertions(+)
 create mode 100644 include/hw/arm/fsl-imx7.h
 create mode 100644 hw/arm/fsl-imx7.c

diff --git a/hw/arm/Makefile.objs b/hw/arm/Makefile.objs
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/Makefile.objs
+++ b/hw/arm/Makefile.objs
@@ -XXX,XX +XXX,XX @@ obj-$(CONFIG_MPS2) += mps2.o
 obj-$(CONFIG_MPS2) += mps2-tz.o
 obj-$(CONFIG_MSF2) += msf2-soc.o msf2-som.o
 obj-$(CONFIG_IOTKIT) += iotkit.o
+obj-$(CONFIG_FSL_IMX7) += fsl-imx7.o
diff --git a/include/hw/arm/fsl-imx7.h b/include/hw/arm/fsl-imx7.h
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/include/hw/arm/fsl-imx7.h
@@ -XXX,XX +XXX,XX @@
+/*
+ * Copyright (c) 2018, Impinj, Inc.
+ *
+ * i.MX7 SoC definitions
+ *
+ * Author: Andrey Smirnov <andrew.smirnov@gmail.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ */
+
+#ifndef FSL_IMX7_H
+#define FSL_IMX7_H
+
+#include "hw/arm/arm.h"
+#include "hw/cpu/a15mpcore.h"
+#include "hw/intc/imx_gpcv2.h"
+#include "hw/misc/imx7_ccm.h"
+#include "hw/misc/imx7_snvs.h"
+#include "hw/misc/imx7_gpr.h"
+#include "hw/misc/imx6_src.h"
+#include "hw/misc/imx2_wdt.h"
+#include "hw/gpio/imx_gpio.h"
+#include "hw/char/imx_serial.h"
+#include "hw/timer/imx_gpt.h"
+#include "hw/timer/imx_epit.h"
+#include "hw/i2c/imx_i2c.h"
+#include "hw/gpio/imx_gpio.h"
+#include "hw/sd/sdhci.h"
+#include "hw/ssi/imx_spi.h"
+#include "hw/net/imx_fec.h"
+#include "hw/pci-host/designware.h"
+#include "hw/usb/chipidea.h"
+#include "exec/memory.h"
+#include "cpu.h"
+
+#define TYPE_FSL_IMX7 "fsl,imx7"
+#define FSL_IMX7(obj) OBJECT_CHECK(FslIMX7State, (obj), TYPE_FSL_IMX7)
+
+enum FslIMX7Configuration {
+    FSL_IMX7_NUM_CPUS         = 2,
+    FSL_IMX7_NUM_UARTS        = 7,
+    FSL_IMX7_NUM_ETHS         = 2,
+    FSL_IMX7_ETH_NUM_TX_RINGS = 3,
+    FSL_IMX7_NUM_USDHCS       = 3,
+    FSL_IMX7_NUM_WDTS         = 4,
+    FSL_IMX7_NUM_GPTS         = 4,
+    FSL_IMX7_NUM_IOMUXCS      = 2,
+    FSL_IMX7_NUM_GPIOS        = 7,
+    FSL_IMX7_NUM_I2CS         = 4,
+    FSL_IMX7_NUM_ECSPIS       = 4,
+    FSL_IMX7_NUM_USBS         = 3,
+    FSL_IMX7_NUM_ADCS         = 2,
+};
+
+typedef struct FslIMX7State {
+    /*< private >*/
+    DeviceState    parent_obj;
+
+    /*< public >*/
+    ARMCPU             cpu[FSL_IMX7_NUM_CPUS];
+    A15MPPrivState     a7mpcore;
+    IMXGPTState        gpt[FSL_IMX7_NUM_GPTS];
+    IMXGPIOState       gpio[FSL_IMX7_NUM_GPIOS];
+    IMX7CCMState       ccm;
+    IMX7AnalogState    analog;
+    IMX7SNVSState      snvs;
+    IMXGPCv2State      gpcv2;
+    IMXSPIState        spi[FSL_IMX7_NUM_ECSPIS];
+    IMXI2CState        i2c[FSL_IMX7_NUM_I2CS];
+    IMXSerialState     uart[FSL_IMX7_NUM_UARTS];
+    IMXFECState        eth[FSL_IMX7_NUM_ETHS];
+    SDHCIState         usdhc[FSL_IMX7_NUM_USDHCS];
+    IMX2WdtState       wdt[FSL_IMX7_NUM_WDTS];
+    IMX7GPRState       gpr;
+    ChipideaState      usb[FSL_IMX7_NUM_USBS];
+    DesignwarePCIEHost pcie;
+} FslIMX7State;
+
+enum FslIMX7MemoryMap {
+    FSL_IMX7_MMDC_ADDR            = 0x80000000,
+    FSL_IMX7_MMDC_SIZE            = 2 * 1024 * 1024 * 1024UL,
+
+    FSL_IMX7_GPIO1_ADDR           = 0x30200000,
+    FSL_IMX7_GPIO2_ADDR           = 0x30210000,
+    FSL_IMX7_GPIO3_ADDR           = 0x30220000,
+    FSL_IMX7_GPIO4_ADDR           = 0x30230000,
+    FSL_IMX7_GPIO5_ADDR           = 0x30240000,
+    FSL_IMX7_GPIO6_ADDR           = 0x30250000,
+    FSL_IMX7_GPIO7_ADDR           = 0x30260000,
+
+    FSL_IMX7_IOMUXC_LPSR_GPR_ADDR = 0x30270000,
+
+    FSL_IMX7_WDOG1_ADDR           = 0x30280000,
+    FSL_IMX7_WDOG2_ADDR           = 0x30290000,
+    FSL_IMX7_WDOG3_ADDR           = 0x302A0000,
+    FSL_IMX7_WDOG4_ADDR           = 0x302B0000,
+
+    FSL_IMX7_IOMUXC_LPSR_ADDR     = 0x302C0000,
+
+    FSL_IMX7_GPT1_ADDR            = 0x302D0000,
+    FSL_IMX7_GPT2_ADDR            = 0x302E0000,
+    FSL_IMX7_GPT3_ADDR            = 0x302F0000,
+    FSL_IMX7_GPT4_ADDR            = 0x30300000,
+
+    FSL_IMX7_IOMUXC_ADDR          = 0x30330000,
+    FSL_IMX7_IOMUXC_GPR_ADDR      = 0x30340000,
+    FSL_IMX7_IOMUXCn_SIZE         = 0x1000,
+
+    FSL_IMX7_ANALOG_ADDR          = 0x30360000,
+    FSL_IMX7_SNVS_ADDR            = 0x30370000,
+    FSL_IMX7_CCM_ADDR             = 0x30380000,
+
+    FSL_IMX7_SRC_ADDR             = 0x30390000,
+    FSL_IMX7_SRC_SIZE             = 0x1000,
+
+    FSL_IMX7_ADC1_ADDR            = 0x30610000,
+    FSL_IMX7_ADC2_ADDR            = 0x30620000,
+    FSL_IMX7_ADCn_SIZE            = 0x1000,
+
+    FSL_IMX7_GPC_ADDR             = 0x303A0000,
+
+    FSL_IMX7_I2C1_ADDR            = 0x30A20000,
+    FSL_IMX7_I2C2_ADDR            = 0x30A30000,
+    FSL_IMX7_I2C3_ADDR            = 0x30A40000,
+    FSL_IMX7_I2C4_ADDR            = 0x30A50000,
+
+    FSL_IMX7_ECSPI1_ADDR          = 0x30820000,
+    FSL_IMX7_ECSPI2_ADDR          = 0x30830000,
+    FSL_IMX7_ECSPI3_ADDR          = 0x30840000,
+    FSL_IMX7_ECSPI4_ADDR          = 0x30630000,
+
+    FSL_IMX7_LCDIF_ADDR           = 0x30730000,
+    FSL_IMX7_LCDIF_SIZE           = 0x1000,
+
+    FSL_IMX7_UART1_ADDR           = 0x30860000,
+    /*
+     * Some versions of the reference manual claim that UART2 is @
+     * 0x30870000, but experiments with HW + DT files in upstream
+     * Linux kernel show that not to be true and that block is
+     * acutally located @ 0x30890000
+     */
+    FSL_IMX7_UART2_ADDR           = 0x30890000,
+    FSL_IMX7_UART3_ADDR           = 0x30880000,
+    FSL_IMX7_UART4_ADDR           = 0x30A60000,
+    FSL_IMX7_UART5_ADDR           = 0x30A70000,
+    FSL_IMX7_UART6_ADDR           = 0x30A80000,
+    FSL_IMX7_UART7_ADDR           = 0x30A90000,
+
+    FSL_IMX7_ENET1_ADDR           = 0x30BE0000,
+    FSL_IMX7_ENET2_ADDR           = 0x30BF0000,
+
+    FSL_IMX7_USB1_ADDR            = 0x30B10000,
+    FSL_IMX7_USBMISC1_ADDR        = 0x30B10200,
+    FSL_IMX7_USB2_ADDR            = 0x30B20000,
+    FSL_IMX7_USBMISC2_ADDR        = 0x30B20200,
+    FSL_IMX7_USB3_ADDR            = 0x30B30000,
+    FSL_IMX7_USBMISC3_ADDR        = 0x30B30200,
+    FSL_IMX7_USBMISCn_SIZE        = 0x200,
+
+    FSL_IMX7_USDHC1_ADDR          = 0x30B40000,
+    FSL_IMX7_USDHC2_ADDR          = 0x30B50000,
+    FSL_IMX7_USDHC3_ADDR          = 0x30B60000,
+
+    FSL_IMX7_SDMA_ADDR            = 0x30BD0000,
+    FSL_IMX7_SDMA_SIZE            = 0x1000,
+
+    FSL_IMX7_A7MPCORE_ADDR        = 0x31000000,
+    FSL_IMX7_A7MPCORE_DAP_ADDR    = 0x30000000,
+
+    FSL_IMX7_PCIE_REG_ADDR        = 0x33800000,
+    FSL_IMX7_PCIE_REG_SIZE        = 16 * 1024,
+
+    FSL_IMX7_GPR_ADDR             = 0x30340000,
+};
+
+enum FslIMX7IRQs {
+    FSL_IMX7_USDHC1_IRQ   = 22,
+    FSL_IMX7_USDHC2_IRQ   = 23,
+    FSL_IMX7_USDHC3_IRQ   = 24,
+
+    FSL_IMX7_UART1_IRQ    = 26,
+    FSL_IMX7_UART2_IRQ    = 27,
+    FSL_IMX7_UART3_IRQ    = 28,
+    FSL_IMX7_UART4_IRQ    = 29,
+    FSL_IMX7_UART5_IRQ    = 30,
+    FSL_IMX7_UART6_IRQ    = 16,
+
+    FSL_IMX7_ECSPI1_IRQ   = 31,
+    FSL_IMX7_ECSPI2_IRQ   = 32,
+    FSL_IMX7_ECSPI3_IRQ   = 33,
+    FSL_IMX7_ECSPI4_IRQ   = 34,
+
+    FSL_IMX7_I2C1_IRQ     = 35,
+    FSL_IMX7_I2C2_IRQ     = 36,
+    FSL_IMX7_I2C3_IRQ     = 37,
+    FSL_IMX7_I2C4_IRQ     = 38,
+
+    FSL_IMX7_USB1_IRQ     = 43,
+    FSL_IMX7_USB2_IRQ     = 42,
+    FSL_IMX7_USB3_IRQ     = 40,
+
+    FSL_IMX7_PCI_INTA_IRQ = 122,
+    FSL_IMX7_PCI_INTB_IRQ = 123,
+    FSL_IMX7_PCI_INTC_IRQ = 124,
+    FSL_IMX7_PCI_INTD_IRQ = 125,
+
+    FSL_IMX7_UART7_IRQ    = 126,
+
+#define FSL_IMX7_ENET_IRQ(i, n)  ((n) + ((i) ? 100 : 118))
+
+    FSL_IMX7_MAX_IRQ      = 128,
+};
+
+#endif /* FSL_IMX7_H */
diff --git a/hw/arm/fsl-imx7.c b/hw/arm/fsl-imx7.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/hw/arm/fsl-imx7.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * Copyright (c) 2018, Impinj, Inc.
+ *
+ * i.MX7 SoC definitions
+ *
+ * Author: Andrey Smirnov <andrew.smirnov@gmail.com>
+ *
+ * Based on hw/arm/fsl-imx6.c
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ */
+
+#include "qemu/osdep.h"
+#include "qapi/error.h"
+#include "qemu-common.h"
+#include "hw/arm/fsl-imx7.h"
+#include "hw/misc/unimp.h"
+#include "sysemu/sysemu.h"
+#include "qemu/error-report.h"
+
+#define NAME_SIZE 20
+
+static void fsl_imx7_init(Object *obj)
+{
+    BusState *sysbus = sysbus_get_default();
+    FslIMX7State *s = FSL_IMX7(obj);
+    char name[NAME_SIZE];
+    int i;
+
+    if (smp_cpus > FSL_IMX7_NUM_CPUS) {
+        error_report("%s: Only %d CPUs are supported (%d requested)",
+                     TYPE_FSL_IMX7, FSL_IMX7_NUM_CPUS, smp_cpus);
+        exit(1);
+    }
+
+    for (i = 0; i < smp_cpus; i++) {
+        object_initialize(&s->cpu[i], sizeof(s->cpu[i]),
+                          ARM_CPU_TYPE_NAME("cortex-a7"));
+        snprintf(name, NAME_SIZE, "cpu%d", i);
+        object_property_add_child(obj, name, OBJECT(&s->cpu[i]),
+                                  &error_fatal);
+    }
+
+    /*
+     * A7MPCORE
+     */
+    object_initialize(&s->a7mpcore, sizeof(s->a7mpcore), TYPE_A15MPCORE_PRIV);
+    qdev_set_parent_bus(DEVICE(&s->a7mpcore), sysbus);
+    object_property_add_child(obj, "a7mpcore",
+                              OBJECT(&s->a7mpcore), &error_fatal);
+
+    /*
+     * GPIOs 1 to 7
+     */
+    for (i = 0; i < FSL_IMX7_NUM_GPIOS; i++) {
+        object_initialize(&s->gpio[i], sizeof(s->gpio[i]),
+                          TYPE_IMX_GPIO);
+        qdev_set_parent_bus(DEVICE(&s->gpio[i]), sysbus);
+        snprintf(name, NAME_SIZE, "gpio%d", i);
+        object_property_add_child(obj, name,
+                                  OBJECT(&s->gpio[i]), &error_fatal);
+    }
+
+    /*
+     * GPT1, 2, 3, 4
+     */
+    for (i = 0; i < FSL_IMX7_NUM_GPTS; i++) {
+        object_initialize(&s->gpt[i], sizeof(s->gpt[i]), TYPE_IMX7_GPT);
+        qdev_set_parent_bus(DEVICE(&s->gpt[i]), sysbus);
+        snprintf(name, NAME_SIZE, "gpt%d", i);
+        object_property_add_child(obj, name, OBJECT(&s->gpt[i]),
+                                  &error_fatal);
+    }
+
+    /*
+     * CCM
+     */
+    object_initialize(&s->ccm, sizeof(s->ccm), TYPE_IMX7_CCM);
+    qdev_set_parent_bus(DEVICE(&s->ccm), sysbus);
+    object_property_add_child(obj, "ccm", OBJECT(&s->ccm), &error_fatal);
+
+    /*
+     * Analog
+     */
+    object_initialize(&s->analog, sizeof(s->analog), TYPE_IMX7_ANALOG);
+    qdev_set_parent_bus(DEVICE(&s->analog), sysbus);
+    object_property_add_child(obj, "analog", OBJECT(&s->analog), &error_fatal);
+
+    /*
+     * GPCv2
+     */
+    object_initialize(&s->gpcv2, sizeof(s->gpcv2), TYPE_IMX_GPCV2);
+    qdev_set_parent_bus(DEVICE(&s->gpcv2), sysbus);
+    object_property_add_child(obj, "gpcv2", OBJECT(&s->gpcv2), &error_fatal);
+
+    for (i = 0; i < FSL_IMX7_NUM_ECSPIS; i++) {
+        object_initialize(&s->spi[i], sizeof(s->spi[i]), TYPE_IMX_SPI);
+        qdev_set_parent_bus(DEVICE(&s->spi[i]), sysbus_get_default());
+        snprintf(name, NAME_SIZE, "spi%d", i + 1);
+        object_property_add_child(obj, name, OBJECT(&s->spi[i]), NULL);
+    }
+
+
+    for (i = 0; i < FSL_IMX7_NUM_I2CS; i++) {
+        object_initialize(&s->i2c[i], sizeof(s->i2c[i]), TYPE_IMX_I2C);
+        qdev_set_parent_bus(DEVICE(&s->i2c[i]), sysbus_get_default());
+        snprintf(name, NAME_SIZE, "i2c%d", i + 1);
+        object_property_add_child(obj, name, OBJECT(&s->i2c[i]), NULL);
+    }
+
+    /*
+     * UART
+     */
+    for (i = 0; i < FSL_IMX7_NUM_UARTS; i++) {
+            object_initialize(&s->uart[i], sizeof(s->uart[i]), TYPE_IMX_SERIAL);
+            qdev_set_parent_bus(DEVICE(&s->uart[i]), sysbus);
+            snprintf(name, NAME_SIZE, "uart%d", i);
+            object_property_add_child(obj, name, OBJECT(&s->uart[i]),
+                                      &error_fatal);
+    }
+
+    /*
+     * Ethernet
+     */
+    for (i = 0; i < FSL_IMX7_NUM_ETHS; i++) {
+            object_initialize(&s->eth[i], sizeof(s->eth[i]), TYPE_IMX_ENET);
+            qdev_set_parent_bus(DEVICE(&s->eth[i]), sysbus);
+            snprintf(name, NAME_SIZE, "eth%d", i);
+            object_property_add_child(obj, name, OBJECT(&s->eth[i]),
+                                      &error_fatal);
+    }
+
+    /*
+     * SDHCI
+     */
+    for (i = 0; i < FSL_IMX7_NUM_USDHCS; i++) {
+            object_initialize(&s->usdhc[i], sizeof(s->usdhc[i]),
+                              TYPE_IMX_USDHC);
+            qdev_set_parent_bus(DEVICE(&s->usdhc[i]), sysbus);
+            snprintf(name, NAME_SIZE, "usdhc%d", i);
+            object_property_add_child(obj, name, OBJECT(&s->usdhc[i]),
+                                      &error_fatal);
+    }
+
+    /*
+     * SNVS
+     */
+    object_initialize(&s->snvs, sizeof(s->snvs), TYPE_IMX7_SNVS);
+    qdev_set_parent_bus(DEVICE(&s->snvs), sysbus);
+    object_property_add_child(obj, "snvs", OBJECT(&s->snvs), &error_fatal);
+
+    /*
+     * Watchdog
+     */
+    for (i = 0; i < FSL_IMX7_NUM_WDTS; i++) {
+            object_initialize(&s->wdt[i], sizeof(s->wdt[i]), TYPE_IMX2_WDT);
+            qdev_set_parent_bus(DEVICE(&s->wdt[i]), sysbus);
+            snprintf(name, NAME_SIZE, "wdt%d", i);
+            object_property_add_child(obj, name, OBJECT(&s->wdt[i]),
+                                      &error_fatal);
+    }
+
+    /*
+     * GPR
+     */
+    object_initialize(&s->gpr, sizeof(s->gpr), TYPE_IMX7_GPR);
+    qdev_set_parent_bus(DEVICE(&s->gpr), sysbus);
+    object_property_add_child(obj, "gpr", OBJECT(&s->gpr), &error_fatal);
+
+    object_initialize(&s->pcie, sizeof(s->pcie), TYPE_DESIGNWARE_PCIE_HOST);
+    qdev_set_parent_bus(DEVICE(&s->pcie), sysbus);
+    object_property_add_child(obj, "pcie", OBJECT(&s->pcie), &error_fatal);
+
+    for (i = 0; i < FSL_IMX7_NUM_USBS; i++) {
+        object_initialize(&s->usb[i],
+                          sizeof(s->usb[i]), TYPE_CHIPIDEA);
+        qdev_set_parent_bus(DEVICE(&s->usb[i]), sysbus);
+        snprintf(name, NAME_SIZE, "usb%d", i);
+        object_property_add_child(obj, name,
+                                  OBJECT(&s->usb[i]), &error_fatal);
+    }
+}
+
+static void fsl_imx7_realize(DeviceState *dev, Error **errp)
+{
+    FslIMX7State *s = FSL_IMX7(dev);
+    Object *o;
+    int i;
+    qemu_irq irq;
+    char name[NAME_SIZE];
+
+    for (i = 0; i < smp_cpus; i++) {
+        o = OBJECT(&s->cpu[i]);
+
+        object_property_set_int(o, QEMU_PSCI_CONDUIT_SMC,
+                                "psci-conduit", &error_abort);
+
+        /* On uniprocessor, the CBAR is set to 0 */
+        if (smp_cpus > 1) {
+            object_property_set_int(o, FSL_IMX7_A7MPCORE_ADDR,
+                                    "reset-cbar", &error_abort);
+        }
+
+        if (i) {
+            /* Secondary CPUs start in PSCI powered-down state */
+            object_property_set_bool(o, true,
+                                     "start-powered-off", &error_abort);
+        }
+
+        object_property_set_bool(o, true, "realized", &error_abort);
+    }
+
+    /*
+     * A7MPCORE
+     */
+    object_property_set_int(OBJECT(&s->a7mpcore), smp_cpus, "num-cpu",
+                            &error_abort);
+    object_property_set_int(OBJECT(&s->a7mpcore),
+                            FSL_IMX7_MAX_IRQ + GIC_INTERNAL,
+                            "num-irq", &error_abort);
+
+    object_property_set_bool(OBJECT(&s->a7mpcore), true, "realized",
+                             &error_abort);
+    sysbus_mmio_map(SYS_BUS_DEVICE(&s->a7mpcore), 0, FSL_IMX7_A7MPCORE_ADDR);
+
+    for (i = 0; i < smp_cpus; i++) {
+        SysBusDevice *sbd = SYS_BUS_DEVICE(&s->a7mpcore);
+        DeviceState  *d   = DEVICE(qemu_get_cpu(i));
+
+        irq = qdev_get_gpio_in(d, ARM_CPU_IRQ);
+        sysbus_connect_irq(sbd, i, irq);
+        irq = qdev_get_gpio_in(d, ARM_CPU_FIQ);
+        sysbus_connect_irq(sbd, i + smp_cpus, irq);
+    }
+
+    /*
+     * A7MPCORE DAP
+     */
+    create_unimplemented_device("a7mpcore-dap", FSL_IMX7_A7MPCORE_DAP_ADDR,
+                                0x100000);
+
+    /*
+     * GPT1, 2, 3, 4
+     */
+    for (i = 0; i < FSL_IMX7_NUM_GPTS; i++) {
+        static const hwaddr FSL_IMX7_GPTn_ADDR[FSL_IMX7_NUM_GPTS] = {
+            FSL_IMX7_GPT1_ADDR,
+            FSL_IMX7_GPT2_ADDR,
+            FSL_IMX7_GPT3_ADDR,
+            FSL_IMX7_GPT4_ADDR,
+        };
+
+        s->gpt[i].ccm = IMX_CCM(&s->ccm);
+        object_property_set_bool(OBJECT(&s->gpt[i]), true, "realized",
+                                 &error_abort);
+        sysbus_mmio_map(SYS_BUS_DEVICE(&s->gpt[i]), 0, FSL_IMX7_GPTn_ADDR[i]);
+    }
+
+    for (i = 0; i < FSL_IMX7_NUM_GPIOS; i++) {
+        static const hwaddr FSL_IMX7_GPIOn_ADDR[FSL_IMX7_NUM_GPIOS] = {
+            FSL_IMX7_GPIO1_ADDR,
+            FSL_IMX7_GPIO2_ADDR,
+            FSL_IMX7_GPIO3_ADDR,
+            FSL_IMX7_GPIO4_ADDR,
+            FSL_IMX7_GPIO5_ADDR,
+            FSL_IMX7_GPIO6_ADDR,
+            FSL_IMX7_GPIO7_ADDR,
+        };
+
+        object_property_set_bool(OBJECT(&s->gpio[i]), true, "realized",
+                                 &error_abort);
+        sysbus_mmio_map(SYS_BUS_DEVICE(&s->gpio[i]), 0, FSL_IMX7_GPIOn_ADDR[i]);
+    }
+
+    /*
+     * IOMUXC and IOMUXC_LPSR
+     */
+    for (i = 0; i < FSL_IMX7_NUM_IOMUXCS; i++) {
+        static const hwaddr FSL_IMX7_IOMUXCn_ADDR[FSL_IMX7_NUM_IOMUXCS] = {
+            FSL_IMX7_IOMUXC_ADDR,
+            FSL_IMX7_IOMUXC_LPSR_ADDR,
+        };
+
+        snprintf(name, NAME_SIZE, "iomuxc%d", i);
+        create_unimplemented_device(name, FSL_IMX7_IOMUXCn_ADDR[i],
+                                    FSL_IMX7_IOMUXCn_SIZE);
+    }
+
+    /*
+     * CCM
+     */
+    object_property_set_bool(OBJECT(&s->ccm), true, "realized", &error_abort);
+    sysbus_mmio_map(SYS_BUS_DEVICE(&s->ccm), 0, FSL_IMX7_CCM_ADDR);
+
+    /*
+     * Analog
+     */
+    object_property_set_bool(OBJECT(&s->analog), true, "realized",
+                             &error_abort);
+    sysbus_mmio_map(SYS_BUS_DEVICE(&s->analog), 0, FSL_IMX7_ANALOG_ADDR);
+
+    /*
+     * GPCv2
+     */
+    object_property_set_bool(OBJECT(&s->gpcv2), true,
+                             "realized", &error_abort);
+    sysbus_mmio_map(SYS_BUS_DEVICE(&s->gpcv2), 0, FSL_IMX7_GPC_ADDR);
+
+    /* Initialize all ECSPI */
+    for (i = 0; i < FSL_IMX7_NUM_ECSPIS; i++) {
+        static const hwaddr FSL_IMX7_SPIn_ADDR[FSL_IMX7_NUM_ECSPIS] = {
+            FSL_IMX7_ECSPI1_ADDR,
+            FSL_IMX7_ECSPI2_ADDR,
+            FSL_IMX7_ECSPI3_ADDR,
+            FSL_IMX7_ECSPI4_ADDR,
+        };
+
+        static const hwaddr FSL_IMX7_SPIn_IRQ[FSL_IMX7_NUM_ECSPIS] = {
+            FSL_IMX7_ECSPI1_IRQ,
+            FSL_IMX7_ECSPI2_IRQ,
+            FSL_IMX7_ECSPI3_IRQ,
+            FSL_IMX7_ECSPI4_IRQ,
+        };
+
+        /* Initialize the SPI */
+        object_property_set_bool(OBJECT(&s->spi[i]), true, "realized",
+                                 &error_abort);
+        sysbus_mmio_map(SYS_BUS_DEVICE(&s->spi[i]), 0,
+                        FSL_IMX7_SPIn_ADDR[i]);
+        sysbus_connect_irq(SYS_BUS_DEVICE(&s->spi[i]), 0,
+                           qdev_get_gpio_in(DEVICE(&s->a7mpcore),
+                                            FSL_IMX7_SPIn_IRQ[i]));
+    }
+
+    for (i = 0; i < FSL_IMX7_NUM_I2CS; i++) {
+        static const hwaddr FSL_IMX7_I2Cn_ADDR[FSL_IMX7_NUM_I2CS] = {
+            FSL_IMX7_I2C1_ADDR,
+            FSL_IMX7_I2C2_ADDR,
+            FSL_IMX7_I2C3_ADDR,
+            FSL_IMX7_I2C4_ADDR,
+        };
+
+        static const hwaddr FSL_IMX7_I2Cn_IRQ[FSL_IMX7_NUM_I2CS] = {
+            FSL_IMX7_I2C1_IRQ,
+            FSL_IMX7_I2C2_IRQ,
+            FSL_IMX7_I2C3_IRQ,
+            FSL_IMX7_I2C4_IRQ,
+        };
+
+        object_property_set_bool(OBJECT(&s->i2c[i]), true, "realized",
+                                 &error_abort);
+        sysbus_mmio_map(SYS_BUS_DEVICE(&s->i2c[i]), 0, FSL_IMX7_I2Cn_ADDR[i]);
+
+        sysbus_connect_irq(SYS_BUS_DEVICE(&s->i2c[i]), 0,
+                           qdev_get_gpio_in(DEVICE(&s->a7mpcore),
+                                            FSL_IMX7_I2Cn_IRQ[i]));
+    }
+
+    /*
+     * UART
+     */
+    for (i = 0; i < FSL_IMX7_NUM_UARTS; i++) {
+        static const hwaddr FSL_IMX7_UARTn_ADDR[FSL_IMX7_NUM_UARTS] = {
+            FSL_IMX7_UART1_ADDR,
+            FSL_IMX7_UART2_ADDR,
+            FSL_IMX7_UART3_ADDR,
+            FSL_IMX7_UART4_ADDR,
+            FSL_IMX7_UART5_ADDR,
+            FSL_IMX7_UART6_ADDR,
+            FSL_IMX7_UART7_ADDR,
+        };
+
+        static const int FSL_IMX7_UARTn_IRQ[FSL_IMX7_NUM_UARTS] = {
+            FSL_IMX7_UART1_IRQ,
+            FSL_IMX7_UART2_IRQ,
+            FSL_IMX7_UART3_IRQ,
+            FSL_IMX7_UART4_IRQ,
+            FSL_IMX7_UART5_IRQ,
+            FSL_IMX7_UART6_IRQ,
+            FSL_IMX7_UART7_IRQ,
+        };
+
+
+        if (i < MAX_SERIAL_PORTS) {
+            qdev_prop_set_chr(DEVICE(&s->uart[i]), "chardev", serial_hds[i]);
+        }
+
+        object_property_set_bool(OBJECT(&s->uart[i]), true, "realized",
+                                 &error_abort);
+
+        sysbus_mmio_map(SYS_BUS_DEVICE(&s->uart[i]), 0, FSL_IMX7_UARTn_ADDR[i]);
+
+        irq = qdev_get_gpio_in(DEVICE(&s->a7mpcore), FSL_IMX7_UARTn_IRQ[i]);
+        sysbus_connect_irq(SYS_BUS_DEVICE(&s->uart[i]), 0, irq);
+    }
+
+    /*
+     * Ethernet
+     */
+    for (i = 0; i < FSL_IMX7_NUM_ETHS; i++) {
+        static const hwaddr FSL_IMX7_ENETn_ADDR[FSL_IMX7_NUM_ETHS] = {
+            FSL_IMX7_ENET1_ADDR,
+            FSL_IMX7_ENET2_ADDR,
+        };
+
+        object_property_set_uint(OBJECT(&s->eth[i]), FSL_IMX7_ETH_NUM_TX_RINGS,
+                                 "tx-ring-num", &error_abort);
+        qdev_set_nic_properties(DEVICE(&s->eth[i]), &nd_table[i]);
+        object_property_set_bool(OBJECT(&s->eth[i]), true, "realized",
+                                 &error_abort);
+
+        sysbus_mmio_map(SYS_BUS_DEVICE(&s->eth[i]), 0, FSL_IMX7_ENETn_ADDR[i]);
+
+        irq = qdev_get_gpio_in(DEVICE(&s->a7mpcore), FSL_IMX7_ENET_IRQ(i, 0));
+        sysbus_connect_irq(SYS_BUS_DEVICE(&s->eth[i]), 0, irq);
+        irq = qdev_get_gpio_in(DEVICE(&s->a7mpcore), FSL_IMX7_ENET_IRQ(i, 3));
+        sysbus_connect_irq(SYS_BUS_DEVICE(&s->eth[i]), 1, irq);
+    }
+
+    /*
+     * USDHC
+     */
+    for (i = 0; i < FSL_IMX7_NUM_USDHCS; i++) {
+        static const hwaddr FSL_IMX7_USDHCn_ADDR[FSL_IMX7_NUM_USDHCS] = {
+            FSL_IMX7_USDHC1_ADDR,
+            FSL_IMX7_USDHC2_ADDR,
+            FSL_IMX7_USDHC3_ADDR,
+        };
+
+        static const int FSL_IMX7_USDHCn_IRQ[FSL_IMX7_NUM_USDHCS] = {
+            FSL_IMX7_USDHC1_IRQ,
+            FSL_IMX7_USDHC2_IRQ,
+            FSL_IMX7_USDHC3_IRQ,
+        };
+
+        object_property_set_bool(OBJECT(&s->usdhc[i]), true, "realized",
+                                 &error_abort);
+
+        sysbus_mmio_map(SYS_BUS_DEVICE(&s->usdhc[i]), 0,
+                        FSL_IMX7_USDHCn_ADDR[i]);
+
+        irq = qdev_get_gpio_in(DEVICE(&s->a7mpcore), FSL_IMX7_USDHCn_IRQ[i]);
+        sysbus_connect_irq(SYS_BUS_DEVICE(&s->usdhc[i]), 0, irq);
+    }
+
+    /*
+     * SNVS
+     */
+    object_property_set_bool(OBJECT(&s->snvs), true, "realized", &error_abort);
+    sysbus_mmio_map(SYS_BUS_DEVICE(&s->snvs), 0, FSL_IMX7_SNVS_ADDR);
+
+    /*
+     * SRC
+     */
+    create_unimplemented_device("sdma", FSL_IMX7_SRC_ADDR, FSL_IMX7_SRC_SIZE);
+
+    /*
+     * Watchdog
+     */
+    for (i = 0; i < FSL_IMX7_NUM_WDTS; i++) {
+        static const hwaddr FSL_IMX7_WDOGn_ADDR[FSL_IMX7_NUM_WDTS] = {
+            FSL_IMX7_WDOG1_ADDR,
+            FSL_IMX7_WDOG2_ADDR,
+            FSL_IMX7_WDOG3_ADDR,
+            FSL_IMX7_WDOG4_ADDR,
+        };
+
+        object_property_set_bool(OBJECT(&s->wdt[i]), true, "realized",
+                                 &error_abort);
+
+        sysbus_mmio_map(SYS_BUS_DEVICE(&s->wdt[i]), 0, FSL_IMX7_WDOGn_ADDR[i]);
+    }
+
+    /*
+     * SDMA
+     */
+    create_unimplemented_device("sdma", FSL_IMX7_SDMA_ADDR, FSL_IMX7_SDMA_SIZE);
+
+
+    object_property_set_bool(OBJECT(&s->gpr), true, "realized",
+                             &error_abort);
+    sysbus_mmio_map(SYS_BUS_DEVICE(&s->gpr), 0, FSL_IMX7_GPR_ADDR);
+
+    object_property_set_bool(OBJECT(&s->pcie), true,
+                             "realized", &error_abort);
+    sysbus_mmio_map(SYS_BUS_DEVICE(&s->pcie), 0, FSL_IMX7_PCIE_REG_ADDR);
+
+    irq = qdev_get_gpio_in(DEVICE(&s->a7mpcore), FSL_IMX7_PCI_INTA_IRQ);
+    sysbus_connect_irq(SYS_BUS_DEVICE(&s->pcie), 0, irq);
+    irq = qdev_get_gpio_in(DEVICE(&s->a7mpcore), FSL_IMX7_PCI_INTB_IRQ);
+    sysbus_connect_irq(SYS_BUS_DEVICE(&s->pcie), 1, irq);
+    irq = qdev_get_gpio_in(DEVICE(&s->a7mpcore), FSL_IMX7_PCI_INTC_IRQ);
+    sysbus_connect_irq(SYS_BUS_DEVICE(&s->pcie), 2, irq);
+    irq = qdev_get_gpio_in(DEVICE(&s->a7mpcore), FSL_IMX7_PCI_INTD_IRQ);
+    sysbus_connect_irq(SYS_BUS_DEVICE(&s->pcie), 3, irq);
+
+
+    for (i = 0; i < FSL_IMX7_NUM_USBS; i++) {
+        static const hwaddr FSL_IMX7_USBMISCn_ADDR[FSL_IMX7_NUM_USBS] = {
+            FSL_IMX7_USBMISC1_ADDR,
+            FSL_IMX7_USBMISC2_ADDR,
+            FSL_IMX7_USBMISC3_ADDR,
+        };
+
+        static const hwaddr FSL_IMX7_USBn_ADDR[FSL_IMX7_NUM_USBS] = {
+            FSL_IMX7_USB1_ADDR,
+            FSL_IMX7_USB2_ADDR,
+            FSL_IMX7_USB3_ADDR,
+        };
+
+        static const hwaddr FSL_IMX7_USBn_IRQ[FSL_IMX7_NUM_USBS] = {
+            FSL_IMX7_USB1_IRQ,
+            FSL_IMX7_USB2_IRQ,
+            FSL_IMX7_USB3_IRQ,
+        };
+
+        object_property_set_bool(OBJECT(&s->usb[i]), true, "realized",
+                                 &error_abort);
+        sysbus_mmio_map(SYS_BUS_DEVICE(&s->usb[i]), 0,
+                        FSL_IMX7_USBn_ADDR[i]);
+
+        irq = qdev_get_gpio_in(DEVICE(&s->a7mpcore), FSL_IMX7_USBn_IRQ[i]);
+        sysbus_connect_irq(SYS_BUS_DEVICE(&s->usb[i]), 0, irq);
+
+        snprintf(name, NAME_SIZE, "usbmisc%d", i);
+        create_unimplemented_device(name, FSL_IMX7_USBMISCn_ADDR[i],
+                                    FSL_IMX7_USBMISCn_SIZE);
+    }
+
+    /*
+     * ADCs
+     */
+    for (i = 0; i < FSL_IMX7_NUM_ADCS; i++) {
+        static const hwaddr FSL_IMX7_ADCn_ADDR[FSL_IMX7_NUM_ADCS] = {
+            FSL_IMX7_ADC1_ADDR,
+            FSL_IMX7_ADC2_ADDR,
+        };
+
+        snprintf(name, NAME_SIZE, "adc%d", i);
+        create_unimplemented_device(name, FSL_IMX7_ADCn_ADDR[i],
+                                    FSL_IMX7_ADCn_SIZE);
+    }
+
+    /*
+     * LCD
+     */
+    create_unimplemented_device("lcdif", FSL_IMX7_LCDIF_ADDR,
+                                FSL_IMX7_LCDIF_SIZE);
+}
+
+static void fsl_imx7_class_init(ObjectClass *oc, void *data)
+{
+    DeviceClass *dc = DEVICE_CLASS(oc);
+
+    dc->realize = fsl_imx7_realize;
+
+    /* Reason: Uses serial_hds and nd_table in realize() directly */
+    dc->user_creatable = false;
+    dc->desc = "i.MX7 SOC";
+}
+
+static const TypeInfo fsl_imx7_type_info = {
+    .name = TYPE_FSL_IMX7,
+    .parent = TYPE_DEVICE,
+    .instance_size = sizeof(FslIMX7State),
+    .instance_init = fsl_imx7_init,
+    .class_init = fsl_imx7_class_init,
+};
+
+static void fsl_imx7_register_types(void)
+{
+    type_register_static(&fsl_imx7_type_info);
+}
+type_init(fsl_imx7_register_types)
diff --git a/default-configs/arm-softmmu.mak b/default-configs/arm-softmmu.mak
index XXXXXXX..XXXXXXX 100644
--- a/default-configs/arm-softmmu.mak
+++ b/default-configs/arm-softmmu.mak
@@ -XXX,XX +XXX,XX @@ CONFIG_ALLWINNER_A10=y
 CONFIG_FSL_IMX6=y
 CONFIG_FSL_IMX31=y
 CONFIG_FSL_IMX25=y
+CONFIG_FSL_IMX7=y
 
 CONFIG_IMX_I2C=y
 
-- 
2.16.2

From: Andrey Smirnov <andrew.smirnov@gmail.com>

Implement code needed to set up emulation of MCIMX7SABRE board from
NXP. For more info about the HW see:

https://www.nxp.com/support/developer-resources/hardware-development-tools/sabre-development-system/sabre-board-for-smart-devices-based-on-the-i.mx-7dual-applications-processors:MCIMX7SABRE

Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Jason Wang <jasowang@redhat.com>
Cc: Philippe Mathieu-Daudé <f4bug@amsat.org>
Cc: Marcel Apfelbaum <marcel.apfelbaum@zoho.com>
Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org
Cc: yurovsky@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/Makefile.objs   |  2 +-
 hw/arm/mcimx7d-sabre.c | 90 ++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 91 insertions(+), 1 deletion(-)
 create mode 100644 hw/arm/mcimx7d-sabre.c

From: Richard Henderson <richard.henderson@linaro.org>

As an implementation choice, widening VL has zeroed the
previously inaccessible portion of the sve registers.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Acked-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20180303143823.27055-2-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/aarch64/target_syscall.h |  3 +++
 target/arm/cpu.h                    |  1 +
 linux-user/syscall.c                | 27 ++++++++++++++++++++++++
 target/arm/cpu64.c                  | 41 +++++++++++++++++++++++++++++++++++++
 4 files changed, 72 insertions(+)

diff --git a/linux-user/aarch64/target_syscall.h b/linux-user/aarch64/target_syscall.h
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/aarch64/target_syscall.h
+++ b/linux-user/aarch64/target_syscall.h
@@ -XXX,XX +XXX,XX @@ struct target_pt_regs {
 #define TARGET_MLOCKALL_MCL_CURRENT 1
 #define TARGET_MLOCKALL_MCL_FUTURE  2
 
+#define TARGET_PR_SVE_SET_VL  50
+#define TARGET_PR_SVE_GET_VL  51
+
 #endif /* AARCH64_TARGET_SYSCALL_H */
diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ int arm_cpu_write_elf32_note(WriteCoreDumpFunction f, CPUState *cs,
 #ifdef TARGET_AARCH64
 int aarch64_cpu_gdb_read_register(CPUState *cpu, uint8_t *buf, int reg);
 int aarch64_cpu_gdb_write_register(CPUState *cpu, uint8_t *buf, int reg);
+void aarch64_sve_narrow_vq(CPUARMState *env, unsigned vq);
 #endif
 
 target_ulong do_arm_semihosting(CPUARMState *env);
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -XXX,XX +XXX,XX @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
             break;
         }
 #endif
+#ifdef TARGET_AARCH64
+        case TARGET_PR_SVE_SET_VL:
+            /* We cannot support either PR_SVE_SET_VL_ONEXEC
+               or PR_SVE_VL_INHERIT.  Therefore, anything above
+               ARM_MAX_VQ results in EINVAL.  */
+            ret = -TARGET_EINVAL;
+            if (arm_feature(cpu_env, ARM_FEATURE_SVE)
+                && arg2 >= 0 && arg2 <= ARM_MAX_VQ * 16 && !(arg2 & 15)) {
+                CPUARMState *env = cpu_env;
+                int old_vq = (env->vfp.zcr_el[1] & 0xf) + 1;
+                int vq = MAX(arg2 / 16, 1);
+
+                if (vq < old_vq) {
+                    aarch64_sve_narrow_vq(env, vq);
+                }
+                env->vfp.zcr_el[1] = vq - 1;
+                ret = vq * 16;
+            }
+            break;
+        case TARGET_PR_SVE_GET_VL:
+            ret = -TARGET_EINVAL;
+            if (arm_feature(cpu_env, ARM_FEATURE_SVE)) {
+                CPUARMState *env = cpu_env;
+                ret = ((env->vfp.zcr_el[1] & 0xf) + 1) * 16;
+            }
+            break;
+#endif /* AARCH64 */
         case PR_GET_SECCOMP:
         case PR_SET_SECCOMP:
             /* Disable seccomp to prevent the target disabling syscalls we
diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu64.c
+++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_cpu_register_types(void)
 }
 
 type_init(aarch64_cpu_register_types)
+
+/* The manual says that when SVE is enabled and VQ is widened the
+ * implementation is allowed to zero the previously inaccessible
+ * portion of the registers.  The corollary to that is that when
+ * SVE is enabled and VQ is narrowed we are also allowed to zero
+ * the now inaccessible portion of the registers.
+ *
+ * The intent of this is that no predicate bit beyond VQ is ever set.
+ * Which means that some operations on predicate registers themselves
+ * may operate on full uint64_t or even unrolled across the maximum
+ * uint64_t[4].  Performing 4 bits of host arithmetic unconditionally
+ * may well be cheaper than conditionals to restrict the operation
+ * to the relevant portion of a uint16_t[16].
+ *
+ * TODO: Need to call this for changes to the real system registers
+ * and EL state changes.
+ */
+void aarch64_sve_narrow_vq(CPUARMState *env, unsigned vq)
+{
+    int i, j;
+    uint64_t pmask;
+
+    assert(vq >= 1 && vq <= ARM_MAX_VQ);
+
+    /* Zap the high bits of the zregs.  */
+    for (i = 0; i < 32; i++) {
+        memset(&env->vfp.zregs[i].d[2 * vq], 0, 16 * (ARM_MAX_VQ - vq));
+    }
+
+    /* Zap the high bits of the pregs and ffr.  */
+    pmask = 0;
+    if (vq & 3) {
+        pmask = ~(-1ULL << (16 * (vq & 3)));
+    }
+    for (j = vq / 4; j < ARM_MAX_VQ / 4; j++) {
+        for (i = 0; i < 17; ++i) {
+            env->vfp.pregs[i].p[j] &= pmask;
+        }
+        pmask = 0;
+    }
+}
-- 
2.16.2

From: Richard Henderson <richard.henderson@linaro.org>

Split out helpers from target_setup_frame and target_restore_sigframe
for dealing with general registers, fpsimd registers, and the end record.

When we add support for sve registers, the relative positions of
these will change.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180303143823.27055-3-richard.henderson@linaro.org
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/signal.c | 120 ++++++++++++++++++++++++++++++----------------------
 1 file changed, 69 insertions(+), 51 deletions(-)

diff --git a/linux-user/signal.c b/linux-user/signal.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/signal.c
+++ b/linux-user/signal.c
@@ -XXX,XX +XXX,XX @@ struct target_rt_sigframe {
     uint32_t tramp[2];
 };
 
-static int target_setup_sigframe(struct target_rt_sigframe *sf,
-                                 CPUARMState *env, target_sigset_t *set)
+static void target_setup_general_frame(struct target_rt_sigframe *sf,
+                                       CPUARMState *env, target_sigset_t *set)
 {
     int i;
-    struct target_aux_context *aux =
-        (struct target_aux_context *)sf->uc.tuc_mcontext.__reserved;
 
-    /* set up the stack frame for unwinding */
-    __put_user(env->xregs[29], &sf->fp);
-    __put_user(env->xregs[30], &sf->lr);
+    __put_user(0, &sf->uc.tuc_flags);
+    __put_user(0, &sf->uc.tuc_link);
+
+    __put_user(target_sigaltstack_used.ss_sp, &sf->uc.tuc_stack.ss_sp);
+    __put_user(sas_ss_flags(env->xregs[31]), &sf->uc.tuc_stack.ss_flags);
+    __put_user(target_sigaltstack_used.ss_size, &sf->uc.tuc_stack.ss_size);
 
     for (i = 0; i < 31; i++) {
         __put_user(env->xregs[i], &sf->uc.tuc_mcontext.regs[i]);
@@ -XXX,XX +XXX,XX @@ static int target_setup_sigframe(struct target_rt_sigframe *sf,
     for (i = 0; i < TARGET_NSIG_WORDS; i++) {
         __put_user(set->sig[i], &sf->uc.tuc_sigmask.sig[i]);
     }
+}
+
+static void target_setup_fpsimd_record(struct target_fpsimd_context *fpsimd,
+                                       CPUARMState *env)
+{
+    int i;
+
+    __put_user(TARGET_FPSIMD_MAGIC, &fpsimd->head.magic);
+    __put_user(sizeof(struct target_fpsimd_context), &fpsimd->head.size);
+    __put_user(vfp_get_fpsr(env), &fpsimd->fpsr);
+    __put_user(vfp_get_fpcr(env), &fpsimd->fpcr);
 
     for (i = 0; i < 32; i++) {
         uint64_t *q = aa64_vfp_qreg(env, i);
 #ifdef TARGET_WORDS_BIGENDIAN
-        __put_user(q[0], &aux->fpsimd.vregs[i * 2 + 1]);
-        __put_user(q[1], &aux->fpsimd.vregs[i * 2]);
+        __put_user(q[0], &fpsimd->vregs[i * 2 + 1]);
+        __put_user(q[1], &fpsimd->vregs[i * 2]);
 #else
-        __put_user(q[0], &aux->fpsimd.vregs[i * 2]);
-        __put_user(q[1], &aux->fpsimd.vregs[i * 2 + 1]);
+        __put_user(q[0], &fpsimd->vregs[i * 2]);
+        __put_user(q[1], &fpsimd->vregs[i * 2 + 1]);
 #endif
     }
-    __put_user(vfp_get_fpsr(env), &aux->fpsimd.fpsr);
-    __put_user(vfp_get_fpcr(env), &aux->fpsimd.fpcr);
-    __put_user(TARGET_FPSIMD_MAGIC, &aux->fpsimd.head.magic);
-    __put_user(sizeof(struct target_fpsimd_context),
-            &aux->fpsimd.head.size);
-
-    /* set the "end" magic */
-    __put_user(0, &aux->end.magic);
-    __put_user(0, &aux->end.size);
-
-    return 0;
 }
 
-static int target_restore_sigframe(CPUARMState *env,
-                                   struct target_rt_sigframe *sf)
+static void target_setup_end_record(struct target_aarch64_ctx *end)
+{
+    __put_user(0, &end->magic);
+    __put_user(0, &end->size);
+}
+
+static void target_restore_general_frame(CPUARMState *env,
+                                         struct target_rt_sigframe *sf)
 {
     sigset_t set;
-    int i;
-    struct target_aux_context *aux =
-        (struct target_aux_context *)sf->uc.tuc_mcontext.__reserved;
-    uint32_t magic, size, fpsr, fpcr;
     uint64_t pstate;
+    int i;
 
     target_to_host_sigset(&set, &sf->uc.tuc_sigmask);
     set_sigmask(&set);
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
     __get_user(env->pc, &sf->uc.tuc_mcontext.pc);
     __get_user(pstate, &sf->uc.tuc_mcontext.pstate);
     pstate_write(env, pstate);
+}
 
-    __get_user(magic, &aux->fpsimd.head.magic);
-    __get_user(size, &aux->fpsimd.head.size);
+static void target_restore_fpsimd_record(CPUARMState *env,
+                                         struct target_fpsimd_context *fpsimd)
+{
+    uint32_t fpsr, fpcr;
+    int i;
 
-    if (magic != TARGET_FPSIMD_MAGIC
-        || size != sizeof(struct target_fpsimd_context)) {
-        return 1;
-    }
+    __get_user(fpsr, &fpsimd->fpsr);
+    vfp_set_fpsr(env, fpsr);
+    __get_user(fpcr, &fpsimd->fpcr);
+    vfp_set_fpcr(env, fpcr);
 
     for (i = 0; i < 32; i++) {
         uint64_t *q = aa64_vfp_qreg(env, i);
 #ifdef TARGET_WORDS_BIGENDIAN
-        __get_user(q[0], &aux->fpsimd.vregs[i * 2 + 1]);
-        __get_user(q[1], &aux->fpsimd.vregs[i * 2]);
+        __get_user(q[0], &fpsimd->vregs[i * 2 + 1]);
+        __get_user(q[1], &fpsimd->vregs[i * 2]);
 #else
-        __get_user(q[0], &aux->fpsimd.vregs[i * 2]);
-        __get_user(q[1], &aux->fpsimd.vregs[i * 2 + 1]);
+        __get_user(q[0], &fpsimd->vregs[i * 2]);
+        __get_user(q[1], &fpsimd->vregs[i * 2 + 1]);
 #endif
     }
-    __get_user(fpsr, &aux->fpsimd.fpsr);
-    vfp_set_fpsr(env, fpsr);
-    __get_user(fpcr, &aux->fpsimd.fpcr);
-    vfp_set_fpcr(env, fpcr);
+}
 
+static int target_restore_sigframe(CPUARMState *env,
+                                   struct target_rt_sigframe *sf)
+{
+    struct target_aux_context *aux
+        = (struct target_aux_context *)sf->uc.tuc_mcontext.__reserved;
+    uint32_t magic, size;
+
+    target_restore_general_frame(env, sf);
+
+    __get_user(magic, &aux->fpsimd.head.magic);
+    __get_user(size, &aux->fpsimd.head.size);
+    if (magic == TARGET_FPSIMD_MAGIC
+        && size == sizeof(struct target_fpsimd_context)) {
+        target_restore_fpsimd_record(env, &aux->fpsimd);
+    } else {
+        return 1;
+    }
     return 0;
 }
 
@@ -XXX,XX +XXX,XX @@ static void target_setup_frame(int usig, struct target_sigaction *ka,
                                CPUARMState *env)
 {
     struct target_rt_sigframe *frame;
+    struct target_aux_context *aux;
     abi_ulong frame_addr, return_addr;
 
     frame_addr = get_sigframe(ka, env);
@@ -XXX,XX +XXX,XX @@ static void target_setup_frame(int usig, struct target_sigaction *ka,
     if (!lock_user_struct(VERIFY_WRITE, frame, frame_addr, 0)) {
         goto give_sigsegv;
     }
+    aux = (struct target_aux_context *)frame->uc.tuc_mcontext.__reserved;
 
-    __put_user(0, &frame->uc.tuc_flags);
-    __put_user(0, &frame->uc.tuc_link);
+    target_setup_general_frame(frame, env, set);
+    target_setup_fpsimd_record(&aux->fpsimd, env);
+    target_setup_end_record(&aux->end);
 
-    __put_user(target_sigaltstack_used.ss_sp,
-                      &frame->uc.tuc_stack.ss_sp);
-    __put_user(sas_ss_flags(env->xregs[31]),
-                      &frame->uc.tuc_stack.ss_flags);
-    __put_user(target_sigaltstack_used.ss_size,
-                      &frame->uc.tuc_stack.ss_size);
-    target_setup_sigframe(frame, env, set);
     if (ka->sa_flags & TARGET_SA_RESTORER) {
         return_addr = ka->sa_restorer;
     } else {
-- 
2.16.2

From: Richard Henderson <richard.henderson@linaro.org>

This changes the qemu signal frame layout to be more like the kernel's,
in that the various records are dynamically allocated rather than fixed
in place by a structure.

For now, all of the allocation is out of uc.tuc_mcontext.__reserved,
so the allocation is actually trivial.  That will change with SVE support.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180303143823.27055-4-richard.henderson@linaro.org
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/signal.c | 89 ++++++++++++++++++++++++++++++++++++-----------------
 1 file changed, 61 insertions(+), 28 deletions(-)

diff --git a/linux-user/signal.c b/linux-user/signal.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/signal.c
+++ b/linux-user/signal.c
@@ -XXX,XX +XXX,XX @@ struct target_fpsimd_context {
     uint64_t vregs[32 * 2]; /* really uint128_t vregs[32] */
 };
 
-/*
- * Auxiliary context saved in the sigcontext.__reserved array. Not exported to
- * user space as it will change with the addition of new context. User space
- * should check the magic/size information.
- */
-struct target_aux_context {
-    struct target_fpsimd_context fpsimd;
-    /* additional context to be added before "end" */
-    struct target_aarch64_ctx end;
-};
-
 struct target_rt_sigframe {
     struct target_siginfo info;
     struct target_ucontext uc;
+};
+
+struct target_rt_frame_record {
     uint64_t fp;
     uint64_t lr;
     uint32_t tramp[2];
@@ -XXX,XX +XXX,XX @@ static void target_restore_fpsimd_record(CPUARMState *env,
 static int target_restore_sigframe(CPUARMState *env,
                                    struct target_rt_sigframe *sf)
 {
-    struct target_aux_context *aux
-        = (struct target_aux_context *)sf->uc.tuc_mcontext.__reserved;
-    uint32_t magic, size;
+    struct target_aarch64_ctx *ctx;
+    struct target_fpsimd_context *fpsimd = NULL;
 
     target_restore_general_frame(env, sf);
 
-    __get_user(magic, &aux->fpsimd.head.magic);
-    __get_user(size, &aux->fpsimd.head.size);
-    if (magic == TARGET_FPSIMD_MAGIC
-        && size == sizeof(struct target_fpsimd_context)) {
-        target_restore_fpsimd_record(env, &aux->fpsimd);
-    } else {
+    ctx = (struct target_aarch64_ctx *)sf->uc.tuc_mcontext.__reserved;
+    while (ctx) {
+        uint32_t magic, size;
+
+        __get_user(magic, &ctx->magic);
+        __get_user(size, &ctx->size);
+        switch (magic) {
+        case 0:
+            if (size != 0) {
+                return 1;
+            }
+            ctx = NULL;
+            continue;
+
+        case TARGET_FPSIMD_MAGIC:
+            if (fpsimd || size != sizeof(struct target_fpsimd_context)) {
+                return 1;
+            }
+            fpsimd = (struct target_fpsimd_context *)ctx;
+            break;
+
+        default:
+            /* Unknown record -- we certainly didn't generate it.
+             * Did we in fact get out of sync?
+             */
+            return 1;
+        }
+        ctx = (void *)ctx + size;
+    }
+
+    /* Require FPSIMD always.  */
+    if (!fpsimd) {
         return 1;
     }
+    target_restore_fpsimd_record(env, fpsimd);
+
     return 0;
 }
 
@@ -XXX,XX +XXX,XX @@ static void target_setup_frame(int usig, struct target_sigaction *ka,
                                target_siginfo_t *info, target_sigset_t *set,
                                CPUARMState *env)
 {
+    int size = offsetof(struct target_rt_sigframe, uc.tuc_mcontext.__reserved);
+    int fpsimd_ofs, end1_ofs, fr_ofs;
     struct target_rt_sigframe *frame;
-    struct target_aux_context *aux;
+    struct target_rt_frame_record *fr;
     abi_ulong frame_addr, return_addr;
 
+    fpsimd_ofs = size;
+    size += sizeof(struct target_fpsimd_context);
+    end1_ofs = size;
+    size += sizeof(struct target_aarch64_ctx);
+    fr_ofs = size;
+    size += sizeof(struct target_rt_frame_record);
+
     frame_addr = get_sigframe(ka, env);
     trace_user_setup_frame(env, frame_addr);
     if (!lock_user_struct(VERIFY_WRITE, frame, frame_addr, 0)) {
         goto give_sigsegv;
     }
-    aux = (struct target_aux_context *)frame->uc.tuc_mcontext.__reserved;
 
     target_setup_general_frame(frame, env, set);
-    target_setup_fpsimd_record(&aux->fpsimd, env);
-    target_setup_end_record(&aux->end);
+    target_setup_fpsimd_record((void *)frame + fpsimd_ofs, env);
+    target_setup_end_record((void *)frame + end1_ofs);
+
+    /* Set up the stack frame for unwinding.  */
+    fr = (void *)frame + fr_ofs;
+    __put_user(env->xregs[29], &fr->fp);
+    __put_user(env->xregs[30], &fr->lr);
 
     if (ka->sa_flags & TARGET_SA_RESTORER) {
         return_addr = ka->sa_restorer;
@@ -XXX,XX +XXX,XX @@ static void target_setup_frame(int usig, struct target_sigaction *ka,
          * Since these are instructions they need to be put as little-endian
          * regardless of target default or current CPU endianness.
          */
-        __put_user_e(0xd2801168, &frame->tramp[0], le);
-        __put_user_e(0xd4000001, &frame->tramp[1], le);
-        return_addr = frame_addr + offsetof(struct target_rt_sigframe, tramp);
+        __put_user_e(0xd2801168, &fr->tramp[0], le);
+        __put_user_e(0xd4000001, &fr->tramp[1], le);
+        return_addr = frame_addr + fr_ofs
+            + offsetof(struct target_rt_frame_record, tramp);
     }
     env->xregs[0] = usig;
     env->xregs[31] = frame_addr;
-    env->xregs[29] = env->xregs[31] + offsetof(struct target_rt_sigframe, fp);
+    env->xregs[29] = frame_addr + fr_ofs;
     env->pc = ka->_sa_handler;
     env->xregs[30] = return_addr;
     if (info) {
-- 
2.16.2

From: Richard Henderson <richard.henderson@linaro.org>

The EXTRA record allows for additional space to be allocated
beyon what is currently reserved.  Add code to emit and read
this record type.

Nothing uses extra space yet.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180303143823.27055-5-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/signal.c | 74 +++++++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 63 insertions(+), 11 deletions(-)

diff --git a/linux-user/signal.c b/linux-user/signal.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/signal.c
+++ b/linux-user/signal.c
@@ -XXX,XX +XXX,XX @@ struct target_fpsimd_context {
     uint64_t vregs[32 * 2]; /* really uint128_t vregs[32] */
 };
 
+#define TARGET_EXTRA_MAGIC  0x45585401
+
+struct target_extra_context {
+    struct target_aarch64_ctx head;
+    uint64_t datap; /* 16-byte aligned pointer to extra space cast to __u64 */
+    uint32_t size; /* size in bytes of the extra space */
+    uint32_t reserved[3];
+};
+
 struct target_rt_sigframe {
     struct target_siginfo info;
     struct target_ucontext uc;
@@ -XXX,XX +XXX,XX @@ static void target_setup_fpsimd_record(struct target_fpsimd_context *fpsimd,
     }
 }
 
+static void target_setup_extra_record(struct target_extra_context *extra,
+                                      uint64_t datap, uint32_t extra_size)
+{
+    __put_user(TARGET_EXTRA_MAGIC, &extra->head.magic);
+    __put_user(sizeof(struct target_extra_context), &extra->head.size);
+    __put_user(datap, &extra->datap);
+    __put_user(extra_size, &extra->size);
+}
+
 static void target_setup_end_record(struct target_aarch64_ctx *end)
 {
     __put_user(0, &end->magic);
@@ -XXX,XX +XXX,XX @@ static void target_restore_fpsimd_record(CPUARMState *env,
 static int target_restore_sigframe(CPUARMState *env,
                                    struct target_rt_sigframe *sf)
 {
-    struct target_aarch64_ctx *ctx;
+    struct target_aarch64_ctx *ctx, *extra = NULL;
     struct target_fpsimd_context *fpsimd = NULL;
+    uint64_t extra_datap = 0;
+    bool used_extra = false;
+    bool err = false;
 
     target_restore_general_frame(env, sf);
 
     ctx = (struct target_aarch64_ctx *)sf->uc.tuc_mcontext.__reserved;
     while (ctx) {
-        uint32_t magic, size;
+        uint32_t magic, size, extra_size;
 
         __get_user(magic, &ctx->magic);
         __get_user(size, &ctx->size);
         switch (magic) {
         case 0:
             if (size != 0) {
-                return 1;
+                err = true;
+                goto exit;
+            }
+            if (used_extra) {
+                ctx = NULL;
+            } else {
+                ctx = extra;
+                used_extra = true;
             }
-            ctx = NULL;
             continue;
 
         case TARGET_FPSIMD_MAGIC:
             if (fpsimd || size != sizeof(struct target_fpsimd_context)) {
-                return 1;
+                err = true;
+                goto exit;
             }
             fpsimd = (struct target_fpsimd_context *)ctx;
             break;
 
+        case TARGET_EXTRA_MAGIC:
+            if (extra || size != sizeof(struct target_extra_context)) {
+                err = true;
+                goto exit;
+            }
+            __get_user(extra_datap,
+                       &((struct target_extra_context *)ctx)->datap);
+            __get_user(extra_size,
+                       &((struct target_extra_context *)ctx)->size);
+            extra = lock_user(VERIFY_READ, extra_datap, extra_size, 0);
+            break;
+
         default:
             /* Unknown record -- we certainly didn't generate it.
              * Did we in fact get out of sync?
              */
-            return 1;
+            err = true;
+            goto exit;
         }
         ctx = (void *)ctx + size;
     }
 
     /* Require FPSIMD always.  */
-    if (!fpsimd) {
-        return 1;
+    if (fpsimd) {
+        target_restore_fpsimd_record(env, fpsimd);
+    } else {
+        err = true;
     }
-    target_restore_fpsimd_record(env, fpsimd);
 
-    return 0;
+ exit:
+    unlock_user(extra, extra_datap, 0);
+    return err;
 }
 
 static abi_ulong get_sigframe(struct target_sigaction *ka, CPUARMState *env)
@@ -XXX,XX +XXX,XX @@ static void target_setup_frame(int usig, struct target_sigaction *ka,
                                CPUARMState *env)
 {
     int size = offsetof(struct target_rt_sigframe, uc.tuc_mcontext.__reserved);
-    int fpsimd_ofs, end1_ofs, fr_ofs;
+    int fpsimd_ofs, end1_ofs, fr_ofs, end2_ofs = 0;
+    int extra_ofs = 0, extra_base = 0, extra_size = 0;
     struct target_rt_sigframe *frame;
     struct target_rt_frame_record *fr;
     abi_ulong frame_addr, return_addr;
@@ -XXX,XX +XXX,XX @@ static void target_setup_frame(int usig, struct target_sigaction *ka,
 
     target_setup_general_frame(frame, env, set);
     target_setup_fpsimd_record((void *)frame + fpsimd_ofs, env);
+    if (extra_ofs) {
+        target_setup_extra_record((void *)frame + extra_ofs,
+                                  frame_addr + extra_base, extra_size);
+    }
     target_setup_end_record((void *)frame + end1_ofs);
+    if (end2_ofs) {
+        target_setup_end_record((void *)frame + end2_ofs);
+    }
 
     /* Set up the stack frame for unwinding.  */
     fr = (void *)frame + fr_ofs;
-- 
2.16.2

From: Richard Henderson <richard.henderson@linaro.org>

Depending on the currently selected size of the SVE vector registers,
we can either store the data within the "standard" allocation, or we
may beedn to allocate additional space with an EXTRA record.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180303143823.27055-6-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/signal.c | 210 +++++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 192 insertions(+), 18 deletions(-)

diff --git a/linux-user/signal.c b/linux-user/signal.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/signal.c
+++ b/linux-user/signal.c
@@ -XXX,XX +XXX,XX @@ struct target_extra_context {
     uint32_t reserved[3];
 };
 
+#define TARGET_SVE_MAGIC    0x53564501
+
+struct target_sve_context {
+    struct target_aarch64_ctx head;
+    uint16_t vl;
+    uint16_t reserved[3];
+    /* The actual SVE data immediately follows.  It is layed out
+     * according to TARGET_SVE_SIG_{Z,P}REG_OFFSET, based off of
+     * the original struct pointer.
+     */
+};
+
+#define TARGET_SVE_VQ_BYTES  16
+
+#define TARGET_SVE_SIG_ZREG_SIZE(VQ)  ((VQ) * TARGET_SVE_VQ_BYTES)
+#define TARGET_SVE_SIG_PREG_SIZE(VQ)  ((VQ) * (TARGET_SVE_VQ_BYTES / 8))
+
+#define TARGET_SVE_SIG_REGS_OFFSET \
+    QEMU_ALIGN_UP(sizeof(struct target_sve_context), TARGET_SVE_VQ_BYTES)
+#define TARGET_SVE_SIG_ZREG_OFFSET(VQ, N) \
+    (TARGET_SVE_SIG_REGS_OFFSET + TARGET_SVE_SIG_ZREG_SIZE(VQ) * (N))
+#define TARGET_SVE_SIG_PREG_OFFSET(VQ, N) \
+    (TARGET_SVE_SIG_ZREG_OFFSET(VQ, 32) + TARGET_SVE_SIG_PREG_SIZE(VQ) * (N))
+#define TARGET_SVE_SIG_FFR_OFFSET(VQ) \
+    (TARGET_SVE_SIG_PREG_OFFSET(VQ, 16))
+#define TARGET_SVE_SIG_CONTEXT_SIZE(VQ) \
+    (TARGET_SVE_SIG_PREG_OFFSET(VQ, 17))
+
 struct target_rt_sigframe {
     struct target_siginfo info;
     struct target_ucontext uc;
@@ -XXX,XX +XXX,XX @@ static void target_setup_end_record(struct target_aarch64_ctx *end)
     __put_user(0, &end->size);
 }
 
+static void target_setup_sve_record(struct target_sve_context *sve,
+                                    CPUARMState *env, int vq, int size)
+{
+    int i, j;
+
+    __put_user(TARGET_SVE_MAGIC, &sve->head.magic);
+    __put_user(size, &sve->head.size);
+    __put_user(vq * TARGET_SVE_VQ_BYTES, &sve->vl);
+
+    /* Note that SVE regs are stored as a byte stream, with each byte element
+     * at a subsequent address.  This corresponds to a little-endian store
+     * of our 64-bit hunks.
+     */
+    for (i = 0; i < 32; ++i) {
+        uint64_t *z = (void *)sve + TARGET_SVE_SIG_ZREG_OFFSET(vq, i);
+        for (j = 0; j < vq * 2; ++j) {
+            __put_user_e(env->vfp.zregs[i].d[j], z + j, le);
+        }
+    }
+    for (i = 0; i <= 16; ++i) {
+        uint16_t *p = (void *)sve + TARGET_SVE_SIG_PREG_OFFSET(vq, i);
+        for (j = 0; j < vq; ++j) {
+            uint64_t r = env->vfp.pregs[i].p[j >> 2];
+            __put_user_e(r >> ((j & 3) * 16), p + j, le);
+        }
+    }
+}
+
 static void target_restore_general_frame(CPUARMState *env,
                                          struct target_rt_sigframe *sf)
 {
@@ -XXX,XX +XXX,XX @@ static void target_restore_fpsimd_record(CPUARMState *env,
     }
 }
 
+static void target_restore_sve_record(CPUARMState *env,
+                                      struct target_sve_context *sve, int vq)
+{
+    int i, j;
+
+    /* Note that SVE regs are stored as a byte stream, with each byte element
+     * at a subsequent address.  This corresponds to a little-endian load
+     * of our 64-bit hunks.
+     */
+    for (i = 0; i < 32; ++i) {
+        uint64_t *z = (void *)sve + TARGET_SVE_SIG_ZREG_OFFSET(vq, i);
+        for (j = 0; j < vq * 2; ++j) {
+            __get_user_e(env->vfp.zregs[i].d[j], z + j, le);
+        }
+    }
+    for (i = 0; i <= 16; ++i) {
+        uint16_t *p = (void *)sve + TARGET_SVE_SIG_PREG_OFFSET(vq, i);
+        for (j = 0; j < vq; ++j) {
+            uint16_t r;
+            __get_user_e(r, p + j, le);
+            if (j & 3) {
+                env->vfp.pregs[i].p[j >> 2] |= (uint64_t)r << ((j & 3) * 16);
+            } else {
+                env->vfp.pregs[i].p[j >> 2] = r;
+            }
+        }
+    }
+}
+
 static int target_restore_sigframe(CPUARMState *env,
                                    struct target_rt_sigframe *sf)
 {
     struct target_aarch64_ctx *ctx, *extra = NULL;
     struct target_fpsimd_context *fpsimd = NULL;
+    struct target_sve_context *sve = NULL;
     uint64_t extra_datap = 0;
     bool used_extra = false;
     bool err = false;
+    int vq = 0, sve_size = 0;
 
     target_restore_general_frame(env, sf);
 
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
             fpsimd = (struct target_fpsimd_context *)ctx;
             break;
 
+        case TARGET_SVE_MAGIC:
+            if (arm_feature(env, ARM_FEATURE_SVE)) {
+                vq = (env->vfp.zcr_el[1] & 0xf) + 1;
+                sve_size = QEMU_ALIGN_UP(TARGET_SVE_SIG_CONTEXT_SIZE(vq), 16);
+                if (!sve && size == sve_size) {
+                    sve = (struct target_sve_context *)ctx;
+                    break;
+                }
+            }
+            err = true;
+            goto exit;
+
         case TARGET_EXTRA_MAGIC:
             if (extra || size != sizeof(struct target_extra_context)) {
                 err = true;
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
         err = true;
     }
 
+    /* SVE data, if present, overwrites FPSIMD data.  */
+    if (sve) {
+        target_restore_sve_record(env, sve, vq);
+    }
+
  exit:
     unlock_user(extra, extra_datap, 0);
     return err;
 }
 
-static abi_ulong get_sigframe(struct target_sigaction *ka, CPUARMState *env)
+static abi_ulong get_sigframe(struct target_sigaction *ka,
+                              CPUARMState *env, int size)
 {
     abi_ulong sp;
 
@@ -XXX,XX +XXX,XX @@ static abi_ulong get_sigframe(struct target_sigaction *ka, CPUARMState *env)
         sp = target_sigaltstack_used.ss_sp + target_sigaltstack_used.ss_size;
     }
 
-    sp = (sp - sizeof(struct target_rt_sigframe)) & ~15;
+    sp = (sp - size) & ~15;
 
     return sp;
 }
 
+typedef struct {
+    int total_size;
+    int extra_base;
+    int extra_size;
+    int std_end_ofs;
+    int extra_ofs;
+    int extra_end_ofs;
+} target_sigframe_layout;
+
+static int alloc_sigframe_space(int this_size, target_sigframe_layout *l)
+{
+    /* Make sure there will always be space for the end marker.  */
+    const int std_size = sizeof(struct target_rt_sigframe)
+                         - sizeof(struct target_aarch64_ctx);
+    int this_loc = l->total_size;
+
+    if (l->extra_base) {
+        /* Once we have begun an extra space, all allocations go there.  */
+        l->extra_size += this_size;
+    } else if (this_size + this_loc > std_size) {
+        /* This allocation does not fit in the standard space.  */
+        /* Allocate the extra record.  */
+        l->extra_ofs = this_loc;
+        l->total_size += sizeof(struct target_extra_context);
+
+        /* Allocate the standard end record.  */
+        l->std_end_ofs = l->total_size;
+        l->total_size += sizeof(struct target_aarch64_ctx);
+
+        /* Allocate the requested record.  */
+        l->extra_base = this_loc = l->total_size;
+        l->extra_size = this_size;
+    }
+    l->total_size += this_size;
+
+    return this_loc;
+}
+
 static void target_setup_frame(int usig, struct target_sigaction *ka,
                                target_siginfo_t *info, target_sigset_t *set,
                                CPUARMState *env)
 {
-    int size = offsetof(struct target_rt_sigframe, uc.tuc_mcontext.__reserved);
-    int fpsimd_ofs, end1_ofs, fr_ofs, end2_ofs = 0;
-    int extra_ofs = 0, extra_base = 0, extra_size = 0;
+    target_sigframe_layout layout = {
+        /* Begin with the size pointing to the reserved space.  */
+        .total_size = offsetof(struct target_rt_sigframe,
+                               uc.tuc_mcontext.__reserved),
+    };
+    int fpsimd_ofs, fr_ofs, sve_ofs = 0, vq = 0, sve_size = 0;
     struct target_rt_sigframe *frame;
     struct target_rt_frame_record *fr;
     abi_ulong frame_addr, return_addr;
 
-    fpsimd_ofs = size;
-    size += sizeof(struct target_fpsimd_context);
-    end1_ofs = size;
-    size += sizeof(struct target_aarch64_ctx);
-    fr_ofs = size;
-    size += sizeof(struct target_rt_frame_record);
+    /* FPSIMD record is always in the standard space.  */
+    fpsimd_ofs = alloc_sigframe_space(sizeof(struct target_fpsimd_context),
+                                      &layout);
 
-    frame_addr = get_sigframe(ka, env);
+    /* SVE state needs saving only if it exists.  */
+    if (arm_feature(env, ARM_FEATURE_SVE)) {
+        vq = (env->vfp.zcr_el[1] & 0xf) + 1;
+        sve_size = QEMU_ALIGN_UP(TARGET_SVE_SIG_CONTEXT_SIZE(vq), 16);
+        sve_ofs = alloc_sigframe_space(sve_size, &layout);
+    }
+
+    if (layout.extra_ofs) {
+        /* Reserve space for the extra end marker.  The standard end marker
+         * will have been allocated when we allocated the extra record.
+         */
+        layout.extra_end_ofs
+            = alloc_sigframe_space(sizeof(struct target_aarch64_ctx), &layout);
+    } else {
+        /* Reserve space for the standard end marker.
+         * Do not use alloc_sigframe_space because we cheat
+         * std_size therein to reserve space for this.
+         */
+        layout.std_end_ofs = layout.total_size;
+        layout.total_size += sizeof(struct target_aarch64_ctx);
+    }
+
+    /* Reserve space for the return code.  On a real system this would
+     * be within the VDSO.  So, despite the name this is not a "real"
+     * record within the frame.
+     */
+    fr_ofs = layout.total_size;
+    layout.total_size += sizeof(struct target_rt_frame_record);
+
+    frame_addr = get_sigframe(ka, env, layout.total_size);
     trace_user_setup_frame(env, frame_addr);
     if (!lock_user_struct(VERIFY_WRITE, frame, frame_addr, 0)) {
         goto give_sigsegv;
@@ -XXX,XX +XXX,XX @@ static void target_setup_frame(int usig, struct target_sigaction *ka,
 
     target_setup_general_frame(frame, env, set);
     target_setup_fpsimd_record((void *)frame + fpsimd_ofs, env);
-    if (extra_ofs) {
-        target_setup_extra_record((void *)frame + extra_ofs,
-                                  frame_addr + extra_base, extra_size);
+    target_setup_end_record((void *)frame + layout.std_end_ofs);
+    if (layout.extra_ofs) {
+        target_setup_extra_record((void *)frame + layout.extra_ofs,
+                                  frame_addr + layout.extra_base,
+                                  layout.extra_size);
+        target_setup_end_record((void *)frame + layout.extra_end_ofs);
     }
-    target_setup_end_record((void *)frame + end1_ofs);
-    if (end2_ofs) {
-        target_setup_end_record((void *)frame + end2_ofs);
+    if (sve_ofs) {
+        target_setup_sve_record((void *)frame + sve_ofs, env, vq, sve_size);
     }
 
     /* Set up the stack frame for unwinding.  */
-- 
2.16.2

From: Thomas Huth <thuth@redhat.com>

A lot of ARM object files are linked into the executable unconditionally,
even though we have corresponding CONFIG switches like CONFIG_PXA2XX or
CONFIG_OMAP. We should make sure to use these switches in the Makefile so
that the users can disable certain unwanted boards and devices more easily.
While we're at it, also add some new switches for the boards that do not
have a CONFIG option yet.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-id: 1520266949-29817-1-git-send-email-thuth@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/Makefile.objs            | 30 +++++++++++++++++++++---------
 default-configs/arm-softmmu.mak |  7 +++++++
 2 files changed, 28 insertions(+), 9 deletions(-)

diff --git a/hw/arm/Makefile.objs b/hw/arm/Makefile.objs
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/Makefile.objs
+++ b/hw/arm/Makefile.objs
@@ -XXX,XX +XXX,XX @@
-obj-y += boot.o collie.o exynos4_boards.o gumstix.o highbank.o
-obj-$(CONFIG_DIGIC) += digic_boards.o
-obj-y += integratorcp.o mainstone.o musicpal.o nseries.o
-obj-y += omap_sx1.o palm.o realview.o spitz.o stellaris.o
-obj-y += tosa.o versatilepb.o vexpress.o virt.o xilinx_zynq.o z2.o
+obj-y += boot.o virt.o sysbus-fdt.o
 obj-$(CONFIG_ACPI) += virt-acpi-build.o
-obj-y += netduino2.o
-obj-y += sysbus-fdt.o
+obj-$(CONFIG_DIGIC) += digic_boards.o
+obj-$(CONFIG_EXYNOS4) += exynos4_boards.o
+obj-$(CONFIG_HIGHBANK) += highbank.o
+obj-$(CONFIG_INTEGRATOR) += integratorcp.o
+obj-$(CONFIG_MAINSTONE) += mainstone.o
+obj-$(CONFIG_MUSICPAL) += musicpal.o
+obj-$(CONFIG_NETDUINO2) += netduino2.o
+obj-$(CONFIG_NSERIES) += nseries.o
+obj-$(CONFIG_OMAP) += omap_sx1.o palm.o
+obj-$(CONFIG_PXA2XX) += gumstix.o spitz.o tosa.o z2.o
+obj-$(CONFIG_REALVIEW) += realview.o
+obj-$(CONFIG_STELLARIS) += stellaris.o
+obj-$(CONFIG_STRONGARM) += collie.o
+obj-$(CONFIG_VERSATILE) += vexpress.o versatilepb.o
+obj-$(CONFIG_ZYNQ) += xilinx_zynq.o
 
-obj-y += armv7m.o exynos4210.o pxa2xx.o pxa2xx_gpio.o pxa2xx_pic.o
+obj-$(CONFIG_ARM_V7M) += armv7m.o
+obj-$(CONFIG_EXYNOS4) += exynos4210.o
+obj-$(CONFIG_PXA2XX) += pxa2xx.o pxa2xx_gpio.o pxa2xx_pic.o
 obj-$(CONFIG_DIGIC) += digic.o
-obj-y += omap1.o omap2.o strongarm.o
+obj-$(CONFIG_OMAP) += omap1.o omap2.o
+obj-$(CONFIG_STRONGARM) += strongarm.o
 obj-$(CONFIG_ALLWINNER_A10) += allwinner-a10.o cubieboard.o
 obj-$(CONFIG_RASPI) += bcm2835_peripherals.o bcm2836.o raspi.o
 obj-$(CONFIG_STM32F205_SOC) += stm32f205_soc.o
diff --git a/default-configs/arm-softmmu.mak b/default-configs/arm-softmmu.mak
index XXXXXXX..XXXXXXX 100644
--- a/default-configs/arm-softmmu.mak
+++ b/default-configs/arm-softmmu.mak
@@ -XXX,XX +XXX,XX @@ CONFIG_A9MPCORE=y
 CONFIG_A15MPCORE=y
 
 CONFIG_ARM_V7M=y
+CONFIG_NETDUINO2=y
 
 CONFIG_ARM_GIC=y
 CONFIG_ARM_GIC_KVM=$(CONFIG_KVM)
@@ -XXX,XX +XXX,XX @@ CONFIG_TZ_PPC=y
 CONFIG_IOTKIT=y
 CONFIG_IOTKIT_SECCTL=y
 
+CONFIG_VERSATILE=y
 CONFIG_VERSATILE_PCI=y
 CONFIG_VERSATILE_I2C=y
 
@@ -XXX,XX +XXX,XX @@ CONFIG_VFIO_XGMAC=y
 CONFIG_VFIO_AMD_XGBE=y
 
 CONFIG_SDHCI=y
+CONFIG_INTEGRATOR=y
 CONFIG_INTEGRATOR_DEBUG=y
 
 CONFIG_ALLWINNER_A10_PIT=y
@@ -XXX,XX +XXX,XX @@ CONFIG_MSF2=y
 CONFIG_FW_CFG_DMA=y
 CONFIG_XILINX_AXI=y
 CONFIG_PCI_DESIGNWARE=y
+
+CONFIG_STRONGARM=y
+CONFIG_HIGHBANK=y
+CONFIG_MUSICPAL=y
-- 
2.16.2

From: Marc-André Lureau <marcandre.lureau@redhat.com>

Spotted by ASAN:
QTEST_QEMU_BINARY=aarch64-softmmu/qemu-system-aarch64 tests/boot-serial-test

Direct leak of 48 byte(s) in 1 object(s) allocated from:
    #0 0x7ff8a9b0ca38 in __interceptor_calloc (/lib64/libasan.so.4+0xdea38)
    #1 0x7ff8a8ea7f75 in g_malloc0 ../glib/gmem.c:124
    #2 0x55fef3d99129 in error_setv /home/elmarco/src/qemu/util/error.c:59
    #3 0x55fef3d99738 in error_setg_internal /home/elmarco/src/qemu/util/error.c:95
    #4 0x55fef323acb2 in load_elf_hdr /home/elmarco/src/qemu/hw/core/loader.c:393
    #5 0x55fef2d15776 in arm_load_elf /home/elmarco/src/qemu/hw/arm/boot.c:830
    #6 0x55fef2d16d39 in arm_load_kernel_notify /home/elmarco/src/qemu/hw/arm/boot.c:1022
    #7 0x55fef3dc634d in notifier_list_notify /home/elmarco/src/qemu/util/notify.c:40
    #8 0x55fef2fc3182 in qemu_run_machine_init_done_notifiers /home/elmarco/src/qemu/vl.c:2716
    #9 0x55fef2fcbbd1 in main /home/elmarco/src/qemu/vl.c:4679
    #10 0x7ff89dfed009 in __libc_start_main (/lib64/libc.so.6+0x21009)

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/boot.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/arm/boot.c b/hw/arm/boot.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/boot.c
+++ b/hw/arm/boot.c
@@ -XXX,XX +XXX,XX @@ static uint64_t arm_load_elf(struct arm_boot_info *info, uint64_t *pentry,
 
     load_elf_hdr(info->kernel_filename, &elf_header, &elf_is64, &err);
     if (err) {
+        error_free(err);
         return ret;
     }
 
-- 
2.16.2

From: Marc-André Lureau <marcandre.lureau@redhat.com>

Spotted by ASAN:

elmarco@boraha:~/src/qemu/build (master *%)$ QTEST_QEMU_BINARY=aarch64-softmmu/qemu-system-aarch64 tests/boot-serial-test
/aarch64/boot-serial/virt: ** (process:19740): DEBUG: 18:39:30.275: foo /tmp/qtest-boot-serial-cXaS94D
=================================================================
==19740==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000069648 at pc 0x7f1d2201cc54 bp 0x7fff331f6a40 sp 0x7fff331f61e8
READ of size 4 at 0x603000069648 thread T0
    #0 0x7f1d2201cc53  (/lib64/libasan.so.4+0xafc53)
    #1 0x55bc86685ee3 in load_aarch64_image /home/elmarco/src/qemu/hw/arm/boot.c:894
    #2 0x55bc86687217 in arm_load_kernel_notify /home/elmarco/src/qemu/hw/arm/boot.c:1047
    #3 0x55bc877363b5 in notifier_list_notify /home/elmarco/src/qemu/util/notify.c:40
    #4 0x55bc869331ea in qemu_run_machine_init_done_notifiers /home/elmarco/src/qemu/vl.c:2716
    #5 0x55bc8693bc39 in main /home/elmarco/src/qemu/vl.c:4679
    #6 0x7f1d1652c009 in __libc_start_main (/lib64/libc.so.6+0x21009)
    #7 0x55bc86255cc9 in _start (/home/elmarco/src/qemu/build/aarch64-softmmu/qemu-system-aarch64+0x1ae5cc9)

diff --git a/hw/arm/boot.c b/hw/arm/boot.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/boot.c
+++ b/hw/arm/boot.c
@@ -XXX,XX +XXX,XX @@ static uint64_t load_aarch64_image(const char *filename, hwaddr mem_base,
     }
 
     /* check the arm64 magic header value -- very old kernels may not have it */
-    if (memcmp(buffer + ARM64_MAGIC_OFFSET, "ARM\x64", 4) == 0) {
+    if (size > ARM64_MAGIC_OFFSET + 4 &&
+        memcmp(buffer + ARM64_MAGIC_OFFSET, "ARM\x64", 4) == 0) {
         uint64_t hdrvals[2];
 
         /* The arm64 Image header has text_offset and image_size fields at 8 and
-- 
2.16.2

Currently we query the host CPU features in the class init function
for the TYPE_ARM_HOST_CPU class, so that we can later copy them
from the class object into the instance object in the object
instance init function. This is awkward for implementing "-cpu max",
which should work like "-cpu host" for KVM but like "cpu with all
implemented features" for TCG.

Move the place where we store the information about the host CPU from
a class object to static variables in kvm.c, and then in the instance
init function call a new kvm_arm_set_cpu_features_from_host()
function which will query the host kernel if necessary and then
fill in the CPU instance fields.

This allows us to drop the special class struct and class init
function for TYPE_ARM_HOST_CPU entirely.

We can't delay the probe until realize, because the ARM
instance_post_init hook needs to look at the feature bits we
set, so we need to do it in the initfn. This is safe because
the probing doesn't affect the actual VM state (it creates a
separate scratch VM to do its testing), but the probe might fail.
Because we can't report errors in retrieving the host features
in the initfn, we check this belatedly in the realize function
(the intervening code will be able to cope with the relevant
fields in the CPU structure being zero).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20180308130626.12393-2-peter.maydell@linaro.org
---
 target/arm/cpu.h     |  5 +++++
 target/arm/kvm_arm.h | 35 ++++++++++++++++++++++++-----------
 target/arm/cpu.c     | 13 +++++++++++++
 target/arm/kvm.c     | 36 +++++++++++++++++++-----------------
 target/arm/kvm32.c   |  8 ++++----
 target/arm/kvm64.c   |  8 ++++----
 6 files changed, 69 insertions(+), 36 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ struct ARMCPU {
     /* Uniprocessor system with MP extensions */
     bool mp_is_up;
 
+    /* True if we tried kvm_arm_host_cpu_features() during CPU instance_init
+     * and the probe failed (so we need to report the error in realize)
+     */
+    bool host_cpu_probe_failed;
+
     /* Specify the number of cores in this CPU cluster. Used for the L2CTLR
      * register.
      */
diff --git a/target/arm/kvm_arm.h b/target/arm/kvm_arm.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm_arm.h
+++ b/target/arm/kvm_arm.h
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_create_scratch_host_vcpu(const uint32_t *cpus_to_try,
 void kvm_arm_destroy_scratch_host_vcpu(int *fdarray);
 
 #define TYPE_ARM_HOST_CPU "host-" TYPE_ARM_CPU
-#define ARM_HOST_CPU_CLASS(klass) \
-    OBJECT_CLASS_CHECK(ARMHostCPUClass, (klass), TYPE_ARM_HOST_CPU)
-#define ARM_HOST_CPU_GET_CLASS(obj) \
-    OBJECT_GET_CLASS(ARMHostCPUClass, (obj), TYPE_ARM_HOST_CPU)
-
-typedef struct ARMHostCPUClass {
-    /*< private >*/
-    ARMCPUClass parent_class;
-    /*< public >*/
 
+/**
+ * ARMHostCPUFeatures: information about the host CPU (identified
+ * by asking the host kernel)
+ */
+typedef struct ARMHostCPUFeatures {
     uint64_t features;
     uint32_t target;
     const char *dtb_compatible;
-} ARMHostCPUClass;
+} ARMHostCPUFeatures;
 
 /**
  * kvm_arm_get_host_cpu_features:
@@ -XXX,XX +XXX,XX @@ typedef struct ARMHostCPUClass {
  * Probe the capabilities of the host kernel's preferred CPU and fill
  * in the ARMHostCPUClass struct accordingly.
  */
-bool kvm_arm_get_host_cpu_features(ARMHostCPUClass *ahcc);
+bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf);
 
+/**
+ * kvm_arm_set_cpu_features_from_host:
+ * @cpu: ARMCPU to set the features for
+ *
+ * Set up the ARMCPU struct fields up to match the information probed
+ * from the host CPU.
+ */
+void kvm_arm_set_cpu_features_from_host(ARMCPU *cpu);
 
 /**
  * kvm_arm_sync_mpstate_to_kvm
@@ -XXX,XX +XXX,XX @@ void kvm_arm_pmu_init(CPUState *cs);
 
 #else
 
+static inline void kvm_arm_set_cpu_features_from_host(ARMCPU *cpu)
+{
+    /* This should never actually be called in the "not KVM" case,
+     * but set up the fields to indicate an error anyway.
+     */
+    cpu->kvm_target = QEMU_KVM_ARM_TARGET_NONE;
+    cpu->host_cpu_probe_failed = true;
+}
+
 static inline int kvm_arm_vgic_probe(void)
 {
     return 0;
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
     int pagebits;
     Error *local_err = NULL;
 
+    /* If we needed to query the host kernel for the CPU features
+     * then it's possible that might have failed in the initfn, but
+     * this is the first point where we can report it.
+     */
+    if (cpu->host_cpu_probe_failed) {
+        if (!kvm_enabled()) {
+            error_setg(errp, "The 'host' CPU type can only be used with KVM");
+        } else {
+            error_setg(errp, "Failed to retrieve host CPU features");
+        }
+        return;
+    }
+
     cpu_exec_realizefn(cs, &local_err);
     if (local_err != NULL) {
         error_propagate(errp, local_err);
diff --git a/target/arm/kvm.c b/target/arm/kvm.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm.c
+++ b/target/arm/kvm.c
@@ -XXX,XX +XXX,XX @@ const KVMCapabilityInfo kvm_arch_required_capabilities[] = {
 
 static bool cap_has_mp_state;
 
+static ARMHostCPUFeatures arm_host_cpu_features;
+
 int kvm_arm_vcpu_init(CPUState *cs)
 {
     ARMCPU *cpu = ARM_CPU(cs);
@@ -XXX,XX +XXX,XX @@ void kvm_arm_destroy_scratch_host_vcpu(int *fdarray)
     }
 }
 
-static void kvm_arm_host_cpu_class_init(ObjectClass *oc, void *data)
+void kvm_arm_set_cpu_features_from_host(ARMCPU *cpu)
 {
-    ARMHostCPUClass *ahcc = ARM_HOST_CPU_CLASS(oc);
+    CPUARMState *env = &cpu->env;
 
-    /* All we really need to set up for the 'host' CPU
-     * is the feature bits -- we rely on the fact that the
-     * various ID register values in ARMCPU are only used for
-     * TCG CPUs.
-     */
-    if (!kvm_arm_get_host_cpu_features(ahcc)) {
-        fprintf(stderr, "Failed to retrieve host CPU features!\n");
-        abort();
+    if (!arm_host_cpu_features.dtb_compatible) {
+        if (!kvm_enabled() ||
+            !kvm_arm_get_host_cpu_features(&arm_host_cpu_features)) {
+            /* We can't report this error yet, so flag that we need to
+             * in arm_cpu_realizefn().
+             */
+            cpu->kvm_target = QEMU_KVM_ARM_TARGET_NONE;
+            cpu->host_cpu_probe_failed = true;
+            return;
+        }
     }
+
+    cpu->kvm_target = arm_host_cpu_features.target;
+    cpu->dtb_compatible = arm_host_cpu_features.dtb_compatible;
+    env->features = arm_host_cpu_features.features;
 }
 
 static void kvm_arm_host_cpu_initfn(Object *obj)
 {
-    ARMHostCPUClass *ahcc = ARM_HOST_CPU_GET_CLASS(obj);
     ARMCPU *cpu = ARM_CPU(obj);
-    CPUARMState *env = &cpu->env;
 
-    cpu->kvm_target = ahcc->target;
-    cpu->dtb_compatible = ahcc->dtb_compatible;
-    env->features = ahcc->features;
+    kvm_arm_set_cpu_features_from_host(cpu);
 }
 
 static const TypeInfo host_arm_cpu_type_info = {
@@ -XXX,XX +XXX,XX @@ static const TypeInfo host_arm_cpu_type_info = {
     .parent = TYPE_ARM_CPU,
 #endif
     .instance_init = kvm_arm_host_cpu_initfn,
-    .class_init = kvm_arm_host_cpu_class_init,
-    .class_size = sizeof(ARMHostCPUClass),
 };
 
 int kvm_arch_init(MachineState *ms, KVMState *s)
diff --git a/target/arm/kvm32.c b/target/arm/kvm32.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm32.c
+++ b/target/arm/kvm32.c
@@ -XXX,XX +XXX,XX @@ static inline void set_feature(uint64_t *features, int feature)
     *features |= 1ULL << feature;
 }
 
-bool kvm_arm_get_host_cpu_features(ARMHostCPUClass *ahcc)
+bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
 {
     /* Identify the feature bits corresponding to the host CPU, and
      * fill out the ARMHostCPUClass fields accordingly. To do this
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUClass *ahcc)
         return false;
     }
 
-    ahcc->target = init.target;
+    ahcf->target = init.target;
 
     /* This is not strictly blessed by the device tree binding docs yet,
      * but in practice the kernel does not care about this string so
      * there is no point maintaining an KVM_ARM_TARGET_* -> string table.
      */
-    ahcc->dtb_compatible = "arm,arm-v7";
+    ahcf->dtb_compatible = "arm,arm-v7";
 
     for (i = 0; i < ARRAY_SIZE(idregs); i++) {
         ret = ioctl(fdarray[2], KVM_GET_ONE_REG, &idregs[i]);
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUClass *ahcc)
         set_feature(&features, ARM_FEATURE_VFP4);
     }
 
-    ahcc->features = features;
+    ahcf->features = features;
 
     return true;
 }
diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm64.c
+++ b/target/arm/kvm64.c
@@ -XXX,XX +XXX,XX @@ static inline void unset_feature(uint64_t *features, int feature)
     *features &= ~(1ULL << feature);
 }
 
-bool kvm_arm_get_host_cpu_features(ARMHostCPUClass *ahcc)
+bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
 {
     /* Identify the feature bits corresponding to the host CPU, and
      * fill out the ARMHostCPUClass fields accordingly. To do this
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUClass *ahcc)
         return false;
     }
 
-    ahcc->target = init.target;
-    ahcc->dtb_compatible = "arm,arm-v8";
+    ahcf->target = init.target;
+    ahcf->dtb_compatible = "arm,arm-v8";
 
     kvm_arm_destroy_scratch_host_vcpu(fdarray);
 
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUClass *ahcc)
     set_feature(&features, ARM_FEATURE_AARCH64);
     set_feature(&features, ARM_FEATURE_PMU);
 
-    ahcc->features = features;
+    ahcf->features = features;
 
     return true;
 }
-- 
2.16.2

Move the definition of the 'host' cpu type into cpu.c, where all the
other CPU types are defined.  We can do this now we've decoupled it
from the KVM-specific host feature probing.  This means we now create
the type unconditionally (assuming we were built with KVM support at
all), but if you try to use it without -enable-kvm this will end
up in the "host cpu probe failed and KVM not enabled" path in
arm_cpu_realizefn(), for an appropriate error message.

diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_class_init(ObjectClass *oc, void *data)
 #endif
 }
 
+#ifdef CONFIG_KVM
+static void arm_host_initfn(Object *obj)
+{
+    ARMCPU *cpu = ARM_CPU(obj);
+
+    kvm_arm_set_cpu_features_from_host(cpu);
+}
+
+static const TypeInfo host_arm_cpu_type_info = {
+    .name = TYPE_ARM_HOST_CPU,
+#ifdef TARGET_AARCH64
+    .parent = TYPE_AARCH64_CPU,
+#else
+    .parent = TYPE_ARM_CPU,
+#endif
+    .instance_init = arm_host_initfn,
+};
+
+#endif
+
 static void cpu_register(const ARMCPUInfo *info)
 {
     TypeInfo type_info = {
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_register_types(void)
         cpu_register(info);
         info++;
     }
+
+#ifdef CONFIG_KVM
+    type_register_static(&host_arm_cpu_type_info);
+#endif
 }
 
 type_init(arm_cpu_register_types)
diff --git a/target/arm/kvm.c b/target/arm/kvm.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm.c
+++ b/target/arm/kvm.c
@@ -XXX,XX +XXX,XX @@ void kvm_arm_set_cpu_features_from_host(ARMCPU *cpu)
     env->features = arm_host_cpu_features.features;
 }
 
-static void kvm_arm_host_cpu_initfn(Object *obj)
-{
-    ARMCPU *cpu = ARM_CPU(obj);
-
-    kvm_arm_set_cpu_features_from_host(cpu);
-}
-
-static const TypeInfo host_arm_cpu_type_info = {
-    .name = TYPE_ARM_HOST_CPU,
-#ifdef TARGET_AARCH64
-    .parent = TYPE_AARCH64_CPU,
-#else
-    .parent = TYPE_ARM_CPU,
-#endif
-    .instance_init = kvm_arm_host_cpu_initfn,
-};
-
 int kvm_arch_init(MachineState *ms, KVMState *s)
 {
     /* For ARM interrupt delivery is always asynchronous,
@@ -XXX,XX +XXX,XX @@ int kvm_arch_init(MachineState *ms, KVMState *s)
 
     cap_has_mp_state = kvm_check_extension(s, KVM_CAP_MP_STATE);
 
-    type_register_static(&host_arm_cpu_type_info);
-
     return 0;
 }
 
-- 
2.16.2

Add support for "-cpu max" for ARM guests. This CPU type behaves
like "-cpu host" when KVM is enabled, and like a system CPU with
the maximum possible feature set otherwise. (Note that this means
it won't be migratable across versions, as we will likely add
features to it in future.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20180308130626.12393-4-peter.maydell@linaro.org
---
 target/arm/cpu-qom.h |  2 ++
 target/arm/cpu.c     | 24 ++++++++++++++++++++++++
 target/arm/cpu64.c   | 21 +++++++++++++++++++++
 3 files changed, 47 insertions(+)

diff --git a/target/arm/cpu-qom.h b/target/arm/cpu-qom.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu-qom.h
+++ b/target/arm/cpu-qom.h
@@ -XXX,XX +XXX,XX @@ struct arm_boot_info;
 #define ARM_CPU_GET_CLASS(obj) \
     OBJECT_GET_CLASS(ARMCPUClass, (obj), TYPE_ARM_CPU)
 
+#define TYPE_ARM_MAX_CPU "max-" TYPE_ARM_CPU
+
 /**
  * ARMCPUClass:
  * @parent_realize: The parent class' realize handler.
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void pxa270c5_initfn(Object *obj)
     cpu->reset_sctlr = 0x00000078;
 }
 
+#ifndef TARGET_AARCH64
+/* -cpu max: if KVM is enabled, like -cpu host (best possible with this host);
+ * otherwise, a CPU with as many features enabled as our emulation supports.
+ * The version of '-cpu max' for qemu-system-aarch64 is defined in cpu64.c;
+ * this only needs to handle 32 bits.
+ */
+static void arm_max_initfn(Object *obj)
+{
+    ARMCPU *cpu = ARM_CPU(obj);
+
+    if (kvm_enabled()) {
+        kvm_arm_set_cpu_features_from_host(cpu);
+    } else {
+        cortex_a15_initfn(obj);
+        /* In future we might add feature bits here even if the
+         * real-world A15 doesn't implement them.
+         */
+    }
+}
+#endif
+
 #ifdef CONFIG_USER_ONLY
 static void arm_any_initfn(Object *obj)
 {
@@ -XXX,XX +XXX,XX @@ static const ARMCPUInfo arm_cpus[] = {
     { .name = "pxa270-b1",   .initfn = pxa270b1_initfn },
     { .name = "pxa270-c0",   .initfn = pxa270c0_initfn },
     { .name = "pxa270-c5",   .initfn = pxa270c5_initfn },
+#ifndef TARGET_AARCH64
+    { .name = "max",         .initfn = arm_max_initfn },
+#endif
 #ifdef CONFIG_USER_ONLY
     { .name = "any",         .initfn = arm_any_initfn },
 #endif
diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu64.c
+++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/arm/arm.h"
 #include "sysemu/sysemu.h"
 #include "sysemu/kvm.h"
+#include "kvm_arm.h"
 
 static inline void set_feature(CPUARMState *env, int feature)
 {
@@ -XXX,XX +XXX,XX @@ static void aarch64_a53_initfn(Object *obj)
     define_arm_cp_regs(cpu, cortex_a57_a53_cp_reginfo);
 }
 
+/* -cpu max: if KVM is enabled, like -cpu host (best possible with this host);
+ * otherwise, a CPU with as many features enabled as our emulation supports.
+ * The version of '-cpu max' for qemu-system-arm is defined in cpu.c;
+ * this only needs to handle 64 bits.
+ */
+static void aarch64_max_initfn(Object *obj)
+{
+    ARMCPU *cpu = ARM_CPU(obj);
+
+    if (kvm_enabled()) {
+        kvm_arm_set_cpu_features_from_host(cpu);
+    } else {
+        aarch64_a57_initfn(obj);
+        /* In future we might add feature bits here even if the
+         * real-world A57 doesn't implement them.
+         */
+    }
+}
+
 #ifdef CONFIG_USER_ONLY
 static void aarch64_any_initfn(Object *obj)
 {
@@ -XXX,XX +XXX,XX @@ typedef struct ARMCPUInfo {
 static const ARMCPUInfo aarch64_cpus[] = {
     { .name = "cortex-a57",         .initfn = aarch64_a57_initfn },
     { .name = "cortex-a53",         .initfn = aarch64_a53_initfn },
+    { .name = "max",                .initfn = aarch64_max_initfn },
 #ifdef CONFIG_USER_ONLY
     { .name = "any",         .initfn = aarch64_any_initfn },
 #endif
-- 
2.16.2

Now we have a working '-cpu max', the linux-user-only
'any' CPU is pretty much the same thing, so implement it
that way.

For the moment we don't add any of the extra feature bits
to the system-emulation "max", because we don't set the
ID register bits we would need to to advertise those
features as present.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20180308130626.12393-5-peter.maydell@linaro.org
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
 target/arm/cpu.c   | 52 +++++++++++++++++++++++++----------------------
 target/arm/cpu64.c | 59 ++++++++++++++++++++++++++----------------------------
 2 files changed, 56 insertions(+), 55 deletions(-)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static ObjectClass *arm_cpu_class_by_name(const char *cpu_model)
     ObjectClass *oc;
     char *typename;
     char **cpuname;
+    const char *cpunamestr;
 
     cpuname = g_strsplit(cpu_model, ",", 1);
-    typename = g_strdup_printf(ARM_CPU_TYPE_NAME("%s"), cpuname[0]);
+    cpunamestr = cpuname[0];
+#ifdef CONFIG_USER_ONLY
+    /* For backwards compatibility usermode emulation allows "-cpu any",
+     * which has the same semantics as "-cpu max".
+     */
+    if (!strcmp(cpunamestr, "any")) {
+        cpunamestr = "max";
+    }
+#endif
+    typename = g_strdup_printf(ARM_CPU_TYPE_NAME("%s"), cpunamestr);
     oc = object_class_by_name(typename);
     g_strfreev(cpuname);
     g_free(typename);
@@ -XXX,XX +XXX,XX @@ static void arm_max_initfn(Object *obj)
         kvm_arm_set_cpu_features_from_host(cpu);
     } else {
         cortex_a15_initfn(obj);
-        /* In future we might add feature bits here even if the
-         * real-world A15 doesn't implement them.
-         */
-    }
-}
-#endif
-
 #ifdef CONFIG_USER_ONLY
-static void arm_any_initfn(Object *obj)
-{
-    ARMCPU *cpu = ARM_CPU(obj);
-    set_feature(&cpu->env, ARM_FEATURE_V8);
-    set_feature(&cpu->env, ARM_FEATURE_VFP4);
-    set_feature(&cpu->env, ARM_FEATURE_NEON);
-    set_feature(&cpu->env, ARM_FEATURE_THUMB2EE);
-    set_feature(&cpu->env, ARM_FEATURE_V8_AES);
-    set_feature(&cpu->env, ARM_FEATURE_V8_SHA1);
-    set_feature(&cpu->env, ARM_FEATURE_V8_SHA256);
-    set_feature(&cpu->env, ARM_FEATURE_V8_PMULL);
-    set_feature(&cpu->env, ARM_FEATURE_CRC);
-    set_feature(&cpu->env, ARM_FEATURE_V8_RDM);
-    set_feature(&cpu->env, ARM_FEATURE_V8_FCMA);
-    cpu->midr = 0xffffffff;
+        /* We don't set these in system emulation mode for the moment,
+         * since we don't correctly set the ID registers to advertise them,
+         */
+        set_feature(&cpu->env, ARM_FEATURE_V8);
+        set_feature(&cpu->env, ARM_FEATURE_VFP4);
+        set_feature(&cpu->env, ARM_FEATURE_NEON);
+        set_feature(&cpu->env, ARM_FEATURE_THUMB2EE);
+        set_feature(&cpu->env, ARM_FEATURE_V8_AES);
+        set_feature(&cpu->env, ARM_FEATURE_V8_SHA1);
+        set_feature(&cpu->env, ARM_FEATURE_V8_SHA256);
+        set_feature(&cpu->env, ARM_FEATURE_V8_PMULL);
+        set_feature(&cpu->env, ARM_FEATURE_CRC);
+        set_feature(&cpu->env, ARM_FEATURE_V8_RDM);
+        set_feature(&cpu->env, ARM_FEATURE_V8_FCMA);
+#endif
+    }
 }
 #endif
 
@@ -XXX,XX +XXX,XX @@ static const ARMCPUInfo arm_cpus[] = {
     { .name = "max",         .initfn = arm_max_initfn },
 #endif
 #ifdef CONFIG_USER_ONLY
-    { .name = "any",         .initfn = arm_any_initfn },
+    { .name = "any",         .initfn = arm_max_initfn },
 #endif
 #endif
     { .name = NULL }
diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu64.c
+++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
         kvm_arm_set_cpu_features_from_host(cpu);
     } else {
         aarch64_a57_initfn(obj);
-        /* In future we might add feature bits here even if the
-         * real-world A57 doesn't implement them.
+#ifdef CONFIG_USER_ONLY
+        /* We don't set these in system emulation mode for the moment,
+         * since we don't correctly set the ID registers to advertise them,
+         * and in some cases they're only available in AArch64 and not AArch32,
+         * whereas the architecture requires them to be present in both if
+         * present in either.
          */
+        set_feature(&cpu->env, ARM_FEATURE_V8);
+        set_feature(&cpu->env, ARM_FEATURE_VFP4);
+        set_feature(&cpu->env, ARM_FEATURE_NEON);
+        set_feature(&cpu->env, ARM_FEATURE_AARCH64);
+        set_feature(&cpu->env, ARM_FEATURE_V8_AES);
+        set_feature(&cpu->env, ARM_FEATURE_V8_SHA1);
+        set_feature(&cpu->env, ARM_FEATURE_V8_SHA256);
+        set_feature(&cpu->env, ARM_FEATURE_V8_SHA512);
+        set_feature(&cpu->env, ARM_FEATURE_V8_SHA3);
+        set_feature(&cpu->env, ARM_FEATURE_V8_SM3);
+        set_feature(&cpu->env, ARM_FEATURE_V8_SM4);
+        set_feature(&cpu->env, ARM_FEATURE_V8_PMULL);
+        set_feature(&cpu->env, ARM_FEATURE_CRC);
+        set_feature(&cpu->env, ARM_FEATURE_V8_RDM);
+        set_feature(&cpu->env, ARM_FEATURE_V8_FP16);
+        set_feature(&cpu->env, ARM_FEATURE_V8_FCMA);
+        /* For usermode -cpu max we can use a larger and more efficient DCZ
+         * blocksize since we don't have to follow what the hardware does.
+         */
+        cpu->ctr = 0x80038003; /* 32 byte I and D cacheline size, VIPT icache */
+        cpu->dcz_blocksize = 7; /*  512 bytes */
+#endif
     }
 }
 
-#ifdef CONFIG_USER_ONLY
-static void aarch64_any_initfn(Object *obj)
-{
-    ARMCPU *cpu = ARM_CPU(obj);
-
-    set_feature(&cpu->env, ARM_FEATURE_V8);
-    set_feature(&cpu->env, ARM_FEATURE_VFP4);
-    set_feature(&cpu->env, ARM_FEATURE_NEON);
-    set_feature(&cpu->env, ARM_FEATURE_AARCH64);
-    set_feature(&cpu->env, ARM_FEATURE_V8_AES);
-    set_feature(&cpu->env, ARM_FEATURE_V8_SHA1);
-    set_feature(&cpu->env, ARM_FEATURE_V8_SHA256);
-    set_feature(&cpu->env, ARM_FEATURE_V8_SHA512);
-    set_feature(&cpu->env, ARM_FEATURE_V8_SHA3);
-    set_feature(&cpu->env, ARM_FEATURE_V8_SM3);
-    set_feature(&cpu->env, ARM_FEATURE_V8_SM4);
-    set_feature(&cpu->env, ARM_FEATURE_V8_PMULL);
-    set_feature(&cpu->env, ARM_FEATURE_CRC);
-    set_feature(&cpu->env, ARM_FEATURE_V8_RDM);
-    set_feature(&cpu->env, ARM_FEATURE_V8_FP16);
-    set_feature(&cpu->env, ARM_FEATURE_V8_FCMA);
-    cpu->ctr = 0x80038003; /* 32 byte I and D cacheline size, VIPT icache */
-    cpu->dcz_blocksize = 7; /*  512 bytes */
-}
-#endif
-
 typedef struct ARMCPUInfo {
     const char *name;
     void (*initfn)(Object *obj);
@@ -XXX,XX +XXX,XX @@ static const ARMCPUInfo aarch64_cpus[] = {
     { .name = "cortex-a57",         .initfn = aarch64_a57_initfn },
     { .name = "cortex-a53",         .initfn = aarch64_a53_initfn },
     { .name = "max",                .initfn = aarch64_max_initfn },
-#ifdef CONFIG_USER_ONLY
-    { .name = "any",         .initfn = aarch64_any_initfn },
-#endif
     { .name = NULL }
 };
 
-- 
2.16.2

Add support for passing 'max' to -machine gic-version. By analogy
with the -cpu max option, this picks the "best available" GIC version
whether you're using KVM or TCG, so it behaves like 'host' when
using KVM, and gives you GICv3 when using TCG.

Also like '-cpu host', using -machine gic-version=max' means there
is no guarantee of migration compatibility between QEMU versions;
in future 'max' might mean '4'.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20180308130626.12393-7-peter.maydell@linaro.org
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
---
 hw/arm/virt.c | 29 +++++++++++++++++++----------
 1 file changed, 19 insertions(+), 10 deletions(-)

diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@ static void machvirt_init(MachineState *machine)
     /* We can probe only here because during property set
      * KVM is not available yet
      */
-    if (!vms->gic_version) {
+    if (vms->gic_version <= 0) {
+        /* "host" or "max" */
         if (!kvm_enabled()) {
-            error_report("gic-version=host requires KVM");
-            exit(1);
-        }
-
-        vms->gic_version = kvm_arm_vgic_probe();
-        if (!vms->gic_version) {
-            error_report("Unable to determine GIC version supported by host");
-            exit(1);
+            if (vms->gic_version == 0) {
+                error_report("gic-version=host requires KVM");
+                exit(1);
+            } else {
+                /* "max": currently means 3 for TCG */
+                vms->gic_version = 3;
+            }
+        } else {
+            vms->gic_version = kvm_arm_vgic_probe();
+            if (!vms->gic_version) {
+                error_report(
+                    "Unable to determine GIC version supported by host");
+                exit(1);
+            }
         }
     }
 
@@ -XXX,XX +XXX,XX @@ static void virt_set_gic_version(Object *obj, const char *value, Error **errp)
         vms->gic_version = 2;
     } else if (!strcmp(value, "host")) {
         vms->gic_version = 0; /* Will probe later */
+    } else if (!strcmp(value, "max")) {
+        vms->gic_version = -1; /* Will probe later */
     } else {
         error_setg(errp, "Invalid gic-version value");
-        error_append_hint(errp, "Valid values are 3, 2, host.\n");
+        error_append_hint(errp, "Valid values are 3, 2, host, max.\n");
     }
 }
 
-- 
2.16.2

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Acked-by: Alistair Francis <alistair.francis@xilinx.com>
Message-id: 20180309153654.13518-2-f4bug@amsat.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/sd/sd.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -XXX,XX +XXX,XX @@ static void sd_lock_command(SDState *sd)
         sd->card_status &= ~CARD_IS_LOCKED;
 }
 
-static sd_rsp_type_t sd_normal_command(SDState *sd,
-                                       SDRequest req)
+static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
 {
     uint32_t rca = 0x0000;
     uint64_t addr = (sd->ocr & (1 << 30)) ? (uint64_t) req.arg << 9 : req.arg;
 
-    trace_sdcard_normal_command(req.cmd, req.arg, sd_state_name(sd->state));
+    /* CMD55 precedes an ACMD, so we are not interested in tracing it.
+     * However there is no ACMD55, so we want to trace this particular case.
+     */
+    if (req.cmd != 55 || sd->expecting_acmd) {
+        trace_sdcard_normal_command(req.cmd, req.arg,
+                                    sd_state_name(sd->state));
+    }
 
     /* Not interpreting this as an app command */
     sd->card_status &= ~APP_CMD;
-- 
2.16.2

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

The SDBus will reuse these functions, so we put them in a new source file.

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20180309153654.13518-3-f4bug@amsat.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
[PMM: slight wordsmithing of comments, added note that string
 returned does not need to be freed]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/sd/Makefile.objs    |  2 +-
 hw/sd/sdmmc-internal.h | 24 +++++++++++++++++
 hw/sd/sd.c             | 13 +++++----
 hw/sd/sdmmc-internal.c | 72 ++++++++++++++++++++++++++++++++++++++++++++++++++
 hw/sd/trace-events     |  8 +++---
 5 files changed, 109 insertions(+), 10 deletions(-)
 create mode 100644 hw/sd/sdmmc-internal.c

diff --git a/hw/sd/Makefile.objs b/hw/sd/Makefile.objs
index XXXXXXX..XXXXXXX 100644
--- a/hw/sd/Makefile.objs
+++ b/hw/sd/Makefile.objs
@@ -XXX,XX +XXX,XX @@
 common-obj-$(CONFIG_PL181) += pl181.o
 common-obj-$(CONFIG_SSI_SD) += ssi-sd.o
-common-obj-$(CONFIG_SD) += sd.o core.o
+common-obj-$(CONFIG_SD) += sd.o core.o sdmmc-internal.o
 common-obj-$(CONFIG_SDHCI) += sdhci.o
 
 obj-$(CONFIG_MILKYMIST) += milkymist-memcard.o
diff --git a/hw/sd/sdmmc-internal.h b/hw/sd/sdmmc-internal.h
index XXXXXXX..XXXXXXX 100644
--- a/hw/sd/sdmmc-internal.h
+++ b/hw/sd/sdmmc-internal.h
@@ -XXX,XX +XXX,XX @@
 
 #define SDMMC_CMD_MAX 64
 
+/**
+ * sd_cmd_name:
+ * @cmd: A SD "normal" command, up to SDMMC_CMD_MAX.
+ *
+ * Returns a human-readable name describing the command.
+ * The return value is always a static string which does not need
+ * to be freed after use.
+ *
+ * Returns: The command name of @cmd or "UNKNOWN_CMD".
+ */
+const char *sd_cmd_name(uint8_t cmd);
+
+/**
+ * sd_acmd_name:
+ * @cmd: A SD "Application-Specific" command, up to SDMMC_CMD_MAX.
+ *
+ * Returns a human-readable name describing the application command.
+ * The return value is always a static string which does not need
+ * to be freed after use.
+ *
+ * Returns: The application command name of @cmd or "UNKNOWN_ACMD".
+ */
+const char *sd_acmd_name(uint8_t cmd);
+
 #endif
diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -XXX,XX +XXX,XX @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
      * However there is no ACMD55, so we want to trace this particular case.
      */
     if (req.cmd != 55 || sd->expecting_acmd) {
-        trace_sdcard_normal_command(req.cmd, req.arg,
-                                    sd_state_name(sd->state));
+        trace_sdcard_normal_command(sd_cmd_name(req.cmd), req.cmd,
+                                    req.arg, sd_state_name(sd->state));
     }
 
     /* Not interpreting this as an app command */
@@ -XXX,XX +XXX,XX @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
 static sd_rsp_type_t sd_app_command(SDState *sd,
                                     SDRequest req)
 {
-    trace_sdcard_app_command(req.cmd, req.arg);
+    trace_sdcard_app_command(sd_acmd_name(req.cmd),
+                             req.cmd, req.arg, sd_state_name(sd->state));
     sd->card_status |= APP_CMD;
     switch (req.cmd) {
     case 6:	/* ACMD6:  SET_BUS_WIDTH */
@@ -XXX,XX +XXX,XX @@ void sd_write_data(SDState *sd, uint8_t value)
     if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
         return;
 
-    trace_sdcard_write_data(sd->current_cmd, value);
+    trace_sdcard_write_data(sd_acmd_name(sd->current_cmd),
+                            sd->current_cmd, value);
     switch (sd->current_cmd) {
     case 24:	/* CMD24:  WRITE_SINGLE_BLOCK */
         sd->data[sd->data_offset ++] = value;
@@ -XXX,XX +XXX,XX @@ uint8_t sd_read_data(SDState *sd)
 
     io_len = (sd->ocr & (1 << 30)) ? 512 : sd->blk_len;
 
-    trace_sdcard_read_data(sd->current_cmd, io_len);
+    trace_sdcard_read_data(sd_acmd_name(sd->current_cmd),
+                           sd->current_cmd, io_len);
     switch (sd->current_cmd) {
     case 6:	/* CMD6:   SWITCH_FUNCTION */
         ret = sd->data[sd->data_offset ++];
diff --git a/hw/sd/sdmmc-internal.c b/hw/sd/sdmmc-internal.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/hw/sd/sdmmc-internal.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * SD/MMC cards common helpers
+ *
+ * Copyright (c) 2018  Philippe Mathieu-Daudé <f4bug@amsat.org>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "qemu/osdep.h"
+#include "sdmmc-internal.h"
+
+const char *sd_cmd_name(uint8_t cmd)
+{
+    static const char *cmd_abbrev[SDMMC_CMD_MAX] = {
+         [0]    = "GO_IDLE_STATE",
+         [2]    = "ALL_SEND_CID",            [3]    = "SEND_RELATIVE_ADDR",
+         [4]    = "SET_DSR",                 [5]    = "IO_SEND_OP_COND",
+         [6]    = "SWITCH_FUNC",             [7]    = "SELECT/DESELECT_CARD",
+         [8]    = "SEND_IF_COND",            [9]    = "SEND_CSD",
+        [10]    = "SEND_CID",               [11]    = "VOLTAGE_SWITCH",
+        [12]    = "STOP_TRANSMISSION",      [13]    = "SEND_STATUS",
+                                            [15]    = "GO_INACTIVE_STATE",
+        [16]    = "SET_BLOCKLEN",           [17]    = "READ_SINGLE_BLOCK",
+        [18]    = "READ_MULTIPLE_BLOCK",    [19]    = "SEND_TUNING_BLOCK",
+        [20]    = "SPEED_CLASS_CONTROL",    [21]    = "DPS_spec",
+                                            [23]    = "SET_BLOCK_COUNT",
+        [24]    = "WRITE_BLOCK",            [25]    = "WRITE_MULTIPLE_BLOCK",
+        [26]    = "MANUF_RSVD",             [27]    = "PROGRAM_CSD",
+        [28]    = "SET_WRITE_PROT",         [29]    = "CLR_WRITE_PROT",
+        [30]    = "SEND_WRITE_PROT",
+        [32]    = "ERASE_WR_BLK_START",     [33]    = "ERASE_WR_BLK_END",
+        [34]    = "SW_FUNC_RSVD",           [35]    = "SW_FUNC_RSVD",
+        [36]    = "SW_FUNC_RSVD",           [37]    = "SW_FUNC_RSVD",
+        [38]    = "ERASE",
+        [40]    = "DPS_spec",
+        [42]    = "LOCK_UNLOCK",            [43]    = "Q_MANAGEMENT",
+        [44]    = "Q_TASK_INFO_A",          [45]    = "Q_TASK_INFO_B",
+        [46]    = "Q_RD_TASK",              [47]    = "Q_WR_TASK",
+        [48]    = "READ_EXTR_SINGLE",       [49]    = "WRITE_EXTR_SINGLE",
+        [50]    = "SW_FUNC_RSVD",
+        [52]    = "IO_RW_DIRECT",           [53]    = "IO_RW_EXTENDED",
+        [54]    = "SDIO_RSVD",              [55]    = "APP_CMD",
+        [56]    = "GEN_CMD",                [57]    = "SW_FUNC_RSVD",
+        [58]    = "READ_EXTR_MULTI",        [59]    = "WRITE_EXTR_MULTI",
+        [60]    = "MANUF_RSVD",             [61]    = "MANUF_RSVD",
+        [62]    = "MANUF_RSVD",             [63]    = "MANUF_RSVD",
+    };
+    return cmd_abbrev[cmd] ? cmd_abbrev[cmd] : "UNKNOWN_CMD";
+}
+
+const char *sd_acmd_name(uint8_t cmd)
+{
+    static const char *acmd_abbrev[SDMMC_CMD_MAX] = {
+         [6] = "SET_BUS_WIDTH",
+        [13] = "SD_STATUS",
+        [14] = "DPS_spec",                  [15] = "DPS_spec",
+        [16] = "DPS_spec",
+        [18] = "SECU_spec",
+        [22] = "SEND_NUM_WR_BLOCKS",        [23] = "SET_WR_BLK_ERASE_COUNT",
+        [41] = "SD_SEND_OP_COND",
+        [42] = "SET_CLR_CARD_DETECT",
+        [51] = "SEND_SCR",
+        [52] = "SECU_spec",                 [53] = "SECU_spec",
+        [54] = "SECU_spec",
+        [56] = "SECU_spec",                 [57] = "SECU_spec",
+        [58] = "SECU_spec",                 [59] = "SECU_spec",
+    };
+
+    return acmd_abbrev[cmd] ? acmd_abbrev[cmd] : "UNKNOWN_ACMD";
+}
diff --git a/hw/sd/trace-events b/hw/sd/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/hw/sd/trace-events
+++ b/hw/sd/trace-events
@@ -XXX,XX +XXX,XX @@ sdhci_write_dataport(uint16_t data_count) "write buffer filled with %u bytes of
 sdhci_capareg(const char *desc, uint16_t val) "%s: %u"
 
 # hw/sd/sd.c
-sdcard_normal_command(uint8_t cmd, uint32_t arg, const char *state) "CMD%d arg 0x%08x (state %s)"
-sdcard_app_command(uint8_t acmd, uint32_t arg) "ACMD%d arg 0x%08x"
+sdcard_normal_command(const char *cmd_desc, uint8_t cmd, uint32_t arg, const char *state) "%20s/ CMD%02d arg 0x%08x (state %s)"
+sdcard_app_command(const char *acmd_desc, uint8_t acmd, uint32_t arg, const char *state) "%23s/ACMD%02d arg 0x%08x (state %s)"
 sdcard_response(const char *rspdesc, int rsplen) "%s (sz:%d)"
 sdcard_powerup(void) ""
 sdcard_inquiry_cmd41(void) ""
@@ -XXX,XX +XXX,XX @@ sdcard_lock(void) ""
 sdcard_unlock(void) ""
 sdcard_read_block(uint64_t addr, uint32_t len) "addr 0x%" PRIx64 " size 0x%x"
 sdcard_write_block(uint64_t addr, uint32_t len) "addr 0x%" PRIx64 " size 0x%x"
-sdcard_write_data(uint8_t cmd, uint8_t value) "CMD%02d value 0x%02x"
-sdcard_read_data(uint8_t cmd, int length) "CMD%02d len %d"
+sdcard_write_data(const char *cmd_desc, uint8_t cmd, uint8_t value) "%20s/ CMD%02d value 0x%02x"
+sdcard_read_data(const char *cmd_desc, uint8_t cmd, int length) "%20s/ CMD%02d len %d"
 sdcard_set_voltage(uint16_t millivolts) "%u mV"
 
 # hw/sd/milkymist-memcard.c
-- 
2.16.2

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20180309153654.13518-4-f4bug@amsat.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/sd/sd.c         | 14 ++++++++++----
 hw/sd/trace-events |  8 ++++----
 2 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -XXX,XX +XXX,XX @@ struct SDState {
     qemu_irq readonly_cb;
     qemu_irq inserted_cb;
     QEMUTimer *ocr_power_timer;
+    const char *proto_name;
     bool enable;
     uint8_t dat_lines;
     bool cmd_line;
@@ -XXX,XX +XXX,XX @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
      * However there is no ACMD55, so we want to trace this particular case.
      */
     if (req.cmd != 55 || sd->expecting_acmd) {
-        trace_sdcard_normal_command(sd_cmd_name(req.cmd), req.cmd,
+        trace_sdcard_normal_command(sd->proto_name,
+                                    sd_cmd_name(req.cmd), req.cmd,
                                     req.arg, sd_state_name(sd->state));
     }
 
@@ -XXX,XX +XXX,XX @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
 static sd_rsp_type_t sd_app_command(SDState *sd,
                                     SDRequest req)
 {
-    trace_sdcard_app_command(sd_acmd_name(req.cmd),
+    trace_sdcard_app_command(sd->proto_name, sd_acmd_name(req.cmd),
                              req.cmd, req.arg, sd_state_name(sd->state));
     sd->card_status |= APP_CMD;
     switch (req.cmd) {
@@ -XXX,XX +XXX,XX @@ void sd_write_data(SDState *sd, uint8_t value)
     if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
         return;
 
-    trace_sdcard_write_data(sd_acmd_name(sd->current_cmd),
+    trace_sdcard_write_data(sd->proto_name,
+                            sd_acmd_name(sd->current_cmd),
                             sd->current_cmd, value);
     switch (sd->current_cmd) {
     case 24:	/* CMD24:  WRITE_SINGLE_BLOCK */
@@ -XXX,XX +XXX,XX @@ uint8_t sd_read_data(SDState *sd)
 
     io_len = (sd->ocr & (1 << 30)) ? 512 : sd->blk_len;
 
-    trace_sdcard_read_data(sd_acmd_name(sd->current_cmd),
+    trace_sdcard_read_data(sd->proto_name,
+                           sd_acmd_name(sd->current_cmd),
                            sd->current_cmd, io_len);
     switch (sd->current_cmd) {
     case 6:	/* CMD6:   SWITCH_FUNCTION */
@@ -XXX,XX +XXX,XX @@ static void sd_realize(DeviceState *dev, Error **errp)
     SDState *sd = SD_CARD(dev);
     int ret;
 
+    sd->proto_name = sd->spi ? "SPI" : "SD";
+
     if (sd->blk && blk_is_read_only(sd->blk)) {
         error_setg(errp, "Cannot use read-only drive as SD card");
         return;
diff --git a/hw/sd/trace-events b/hw/sd/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/hw/sd/trace-events
+++ b/hw/sd/trace-events
@@ -XXX,XX +XXX,XX @@ sdhci_write_dataport(uint16_t data_count) "write buffer filled with %u bytes of
 sdhci_capareg(const char *desc, uint16_t val) "%s: %u"
 
 # hw/sd/sd.c
-sdcard_normal_command(const char *cmd_desc, uint8_t cmd, uint32_t arg, const char *state) "%20s/ CMD%02d arg 0x%08x (state %s)"
-sdcard_app_command(const char *acmd_desc, uint8_t acmd, uint32_t arg, const char *state) "%23s/ACMD%02d arg 0x%08x (state %s)"
+sdcard_normal_command(const char *proto, const char *cmd_desc, uint8_t cmd, uint32_t arg, const char *state) "%s %20s/ CMD%02d arg 0x%08x (state %s)"
+sdcard_app_command(const char *proto, const char *acmd_desc, uint8_t acmd, uint32_t arg, const char *state) "%s %23s/ACMD%02d arg 0x%08x (state %s)"
 sdcard_response(const char *rspdesc, int rsplen) "%s (sz:%d)"
 sdcard_powerup(void) ""
 sdcard_inquiry_cmd41(void) ""
@@ -XXX,XX +XXX,XX @@ sdcard_lock(void) ""
 sdcard_unlock(void) ""
 sdcard_read_block(uint64_t addr, uint32_t len) "addr 0x%" PRIx64 " size 0x%x"
 sdcard_write_block(uint64_t addr, uint32_t len) "addr 0x%" PRIx64 " size 0x%x"
-sdcard_write_data(const char *cmd_desc, uint8_t cmd, uint8_t value) "%20s/ CMD%02d value 0x%02x"
-sdcard_read_data(const char *cmd_desc, uint8_t cmd, int length) "%20s/ CMD%02d len %d"
+sdcard_write_data(const char *proto, const char *cmd_desc, uint8_t cmd, uint8_t value) "%s %20s/ CMD%02d value 0x%02x"
+sdcard_read_data(const char *proto, const char *cmd_desc, uint8_t cmd, int length) "%s %20s/ CMD%02d len %d"
 sdcard_set_voltage(uint16_t millivolts) "%u mV"
 
 # hw/sd/milkymist-memcard.c
-- 
2.16.2

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

From the "Physical Layer Simplified Specification Version 3.01":

A known data block ("Tuning block") can be used to tune sampling
  point for tuning required hosts. [...]
  This procedure gives the system optimal timing for each specific
  host and card combination and compensates for static delays in
  the timing budget including process, voltage and different PCB
  loads and skews. [...]
  Data block, carried by DAT[3:0], contains a pattern for tuning
  sampling position to receive data on the CMD and DAT[3:0] line.

[based on a patch from Alistair Francis <alistair.francis@xilinx.com>
 from qemu/xilinx tag xilinx-v2015.2]
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
Message-id: 20180309153654.13518-5-f4bug@amsat.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/sd/sd.c | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -XXX,XX +XXX,XX @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
         }
         break;
 
+    case 19:    /* CMD19: SEND_TUNING_BLOCK (SD) */
+        if (sd->state == sd_transfer_state) {
+            sd->state = sd_sendingdata_state;
+            sd->data_offset = 0;
+            return sd_r1;
+        }
+        break;
+
     case 23:    /* CMD23: SET_BLOCK_COUNT */
         switch (sd->state) {
         case sd_transfer_state:
@@ -XXX,XX +XXX,XX @@ void sd_write_data(SDState *sd, uint8_t value)
     }
 }
 
+#define SD_TUNING_BLOCK_SIZE    64
+
+static const uint8_t sd_tuning_block_pattern[SD_TUNING_BLOCK_SIZE] = {
+    /* See: Physical Layer Simplified Specification Version 3.01, Table 4-2 */
+    0xff, 0x0f, 0xff, 0x00,         0x0f, 0xfc, 0xc3, 0xcc,
+    0xc3, 0x3c, 0xcc, 0xff,         0xfe, 0xff, 0xfe, 0xef,
+    0xff, 0xdf, 0xff, 0xdd,         0xff, 0xfb, 0xff, 0xfb,
+    0xbf, 0xff, 0x7f, 0xff,         0x77, 0xf7, 0xbd, 0xef,
+    0xff, 0xf0, 0xff, 0xf0,         0x0f, 0xfc, 0xcc, 0x3c,
+    0xcc, 0x33, 0xcc, 0xcf,         0xff, 0xef, 0xff, 0xee,
+    0xff, 0xfd, 0xff, 0xfd,         0xdf, 0xff, 0xbf, 0xff,
+    0xbb, 0xff, 0xf7, 0xff,         0xf7, 0x7f, 0x7b, 0xde,
+};
+
 uint8_t sd_read_data(SDState *sd)
 {
     /* TODO: Append CRCs */
@@ -XXX,XX +XXX,XX @@ uint8_t sd_read_data(SDState *sd)
         }
         break;
 
+    case 19:    /* CMD19:  SEND_TUNING_BLOCK (SD) */
+        if (sd->data_offset >= SD_TUNING_BLOCK_SIZE - 1) {
+            sd->state = sd_transfer_state;
+        }
+        ret = sd_tuning_block_pattern[sd->data_offset++];
+        break;
+
     case 22:	/* ACMD22: SEND_NUM_WR_BLOCKS */
         ret = sd->data[sd->data_offset ++];
 
-- 
2.16.2

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20180309153654.13518-8-f4bug@amsat.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/sd/sdhci.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -XXX,XX +XXX,XX @@ static void sdhci_read_block_from_card(SDHCIState *s)
     for (index = 0; index < blk_size; index++) {
         data = sdbus_read_data(&s->sdbus);
         if (!FIELD_EX32(s->hostctl2, SDHC_HOSTCTL2, EXECUTE_TUNING)) {
-            /* Device is not in tunning */
+            /* Device is not in tuning */
             s->fifo_buffer[index] = data;
         }
     }
 
     if (FIELD_EX32(s->hostctl2, SDHC_HOSTCTL2, EXECUTE_TUNING)) {
-        /* Device is in tunning */
+        /* Device is in tuning */
         s->hostctl2 &= ~R_SDHC_HOSTCTL2_EXECUTE_TUNING_MASK;
         s->hostctl2 |= R_SDHC_HOSTCTL2_SAMPLING_CLKSEL_MASK;
         s->prnsts &= ~(SDHC_DAT_LINE_ACTIVE | SDHC_DOING_READ |
-- 
2.16.2

arm queue: big stuff here is my MVE codegen optimisation,
and Alex's Apple Silicon hvf support.

-- PMM

The following changes since commit 7adb961995a3744f51396502b33ad04a56a317c3:

Merge remote-tracking branch 'remotes/dgilbert-gitlab/tags/pull-virtiofs-20210916' into staging (2021-09-19 18:53:29 +0100)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20210920

for you to fetch changes up to 1dc5a60bfe406bc1122d68cbdefda38d23134b27:

target/arm: Optimize MVE 1op-immediate insns (2021-09-20 14:18:01 +0100)

----------------------------------------------------------------
target-arm queue:
 * Optimize codegen for MVE when predication not active
 * hvf: Add Apple Silicon support
 * hw/intc: Set GIC maintenance interrupt level to only 0 or 1
 * Fix mishandling of MVE FPSCR.LTPSIZE reset for usermode emulator
 * elf2dmp: Fix coverity nits

----------------------------------------------------------------
Alexander Graf (7):
      arm: Move PMC register definitions to internals.h
      hvf: Add execute to dirty log permission bitmap
      hvf: Introduce hvf_arch_init() callback
      hvf: Add Apple Silicon support
      hvf: arm: Implement PSCI handling
      arm: Add Hypervisor.framework build target
      hvf: arm: Add rudimentary PMC support

Peter Collingbourne (1):
      arm/hvf: Add a WFI handler

Peter Maydell (18):
      elf2dmp: Check curl_easy_setopt() return value
      elf2dmp: Fail cleanly if PDB file specifies zero block_size
      target/arm: Don't skip M-profile reset entirely in user mode
      target/arm: Always clear exclusive monitor on reset
      target/arm: Consolidate ifdef blocks in reset
      hvf: arm: Implement -cpu host
      target/arm: Avoid goto_tb if we're trying to exit to the main loop
      target/arm: Enforce that FPDSCR.LTPSIZE is 4 on inbound migration
      target/arm: Add TB flag for "MVE insns not predicated"
      target/arm: Optimize MVE logic ops
      target/arm: Optimize MVE arithmetic ops
      target/arm: Optimize MVE VNEG, VABS
      target/arm: Optimize MVE VDUP
      target/arm: Optimize MVE VMVN
      target/arm: Optimize MVE VSHL, VSHR immediate forms
      target/arm: Optimize MVE VSHLL and VMOVL
      target/arm: Optimize MVE VSLI and VSRI
      target/arm: Optimize MVE 1op-immediate insns

Shashi Mallela (1):
      hw/intc: Set GIC maintenance interrupt level to only 0 or 1

Coverity points out that we aren't checking the return value
from curl_easy_setopt().

Fixes: Coverity CID 1458895
Inspired-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Viktor Prutyanov <viktor.prutyanov@phystech.edu>
Tested-by: Viktor Prutyanov <viktor.prutyanov@phystech.edu>
Message-id: 20210910170656.366592-2-philmd@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 contrib/elf2dmp/download.c | 22 ++++++++++------------
 1 file changed, 10 insertions(+), 12 deletions(-)

diff --git a/contrib/elf2dmp/download.c b/contrib/elf2dmp/download.c
index XXXXXXX..XXXXXXX 100644
--- a/contrib/elf2dmp/download.c
+++ b/contrib/elf2dmp/download.c
@@ -XXX,XX +XXX,XX @@ int download_url(const char *name, const char *url)
         goto out_curl;
     }
 
-    curl_easy_setopt(curl, CURLOPT_URL, url);
-    curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, NULL);
-    curl_easy_setopt(curl, CURLOPT_WRITEDATA, file);
-    curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1);
-    curl_easy_setopt(curl, CURLOPT_NOPROGRESS, 0);
-
-    if (curl_easy_perform(curl) != CURLE_OK) {
-        err = 1;
-        fclose(file);
+    if (curl_easy_setopt(curl, CURLOPT_URL, url) != CURLE_OK
+            || curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, NULL) != CURLE_OK
+            || curl_easy_setopt(curl, CURLOPT_WRITEDATA, file) != CURLE_OK
+            || curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1) != CURLE_OK
+            || curl_easy_setopt(curl, CURLOPT_NOPROGRESS, 0) != CURLE_OK
+            || curl_easy_perform(curl) != CURLE_OK) {
         unlink(name);
-        goto out_curl;
+        fclose(file);
+        err = 1;
+    } else {
+        err = fclose(file);
     }
 
-    err = fclose(file);
-
 out_curl:
     curl_easy_cleanup(curl);
 
-- 
2.20.1

Coverity points out that if the PDB file we're trying to read
has a header specifying a block_size of zero then we will
end up trying to divide by zero in pdb_ds_read_file().
Check for this and fail cleanly instead.

Fixes: Coverity CID 1458869
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Viktor Prutyanov <viktor.prutyanov@phystech.edu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Tested-by: Viktor Prutyanov <viktor.prutyanov@phystech.edu>
Message-id: 20210910170656.366592-3-philmd@redhat.com
Message-Id: <20210901143910.17112-3-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
---
 contrib/elf2dmp/pdb.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/contrib/elf2dmp/pdb.c b/contrib/elf2dmp/pdb.c
index XXXXXXX..XXXXXXX 100644
--- a/contrib/elf2dmp/pdb.c
+++ b/contrib/elf2dmp/pdb.c
@@ -XXX,XX +XXX,XX @@ out_symbols:
 
 static int pdb_reader_ds_init(struct pdb_reader *r, PDB_DS_HEADER *hdr)
 {
+    if (hdr->block_size == 0) {
+        return 1;
+    }
+
     memset(r->file_used, 0, sizeof(r->file_used));
     r->ds.header = hdr;
     r->ds.toc = pdb_ds_read(hdr, (uint32_t *)((uint8_t *)hdr +
-- 
2.20.1

Currently all of the M-profile specific code in arm_cpu_reset() is
inside a !defined(CONFIG_USER_ONLY) ifdef block.  This is
unintentional: it happened because originally the only
M-profile-specific handling was the setup of the initial SP and PC
from the vector table, which is system-emulation only.  But then we
added a lot of other M-profile setup to the same "if (ARM_FEATURE_M)"
code block without noticing that it was all inside a not-user-mode
ifdef.  This has generally been harmless, but with the addition of
v8.1M low-overhead-loop support we ran into a problem: the reset of
FPSCR.LTPSIZE to 4 was only being done for system emulation mode, so
if a user-mode guest tried to execute the LE instruction it would
incorrectly take a UsageFault.

Adjust the ifdefs so only the really system-emulation specific parts
are covered.  Because this means we now run some reset code that sets
up initial values in the FPCCR and similar FPU related registers,
explicitly set up the registers controlling FPU context handling in
user-emulation mode so that the FPU works by design and not by
chance.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/613
Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20210914120725.24992-2-peter.maydell@linaro.org
---
 target/arm/cpu.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_reset(DeviceState *dev)
         env->uncached_cpsr = ARM_CPU_MODE_SVC;
     }
     env->daif = PSTATE_D | PSTATE_A | PSTATE_I | PSTATE_F;
+#endif
 
     if (arm_feature(env, ARM_FEATURE_M)) {
+#ifndef CONFIG_USER_ONLY
         uint32_t initial_msp; /* Loaded from 0x0 */
         uint32_t initial_pc; /* Loaded from 0x4 */
         uint8_t *rom;
         uint32_t vecbase;
+#endif
 
         if (cpu_isar_feature(aa32_lob, cpu)) {
             /*
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_reset(DeviceState *dev)
             env->v7m.fpccr[M_REG_S] = R_V7M_FPCCR_ASPEN_MASK |
                 R_V7M_FPCCR_LSPEN_MASK | R_V7M_FPCCR_S_MASK;
         }
+
+#ifndef CONFIG_USER_ONLY
         /* Unlike A/R profile, M profile defines the reset LR value */
         env->regs[14] = 0xffffffff;
 
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_reset(DeviceState *dev)
         env->regs[13] = initial_msp & 0xFFFFFFFC;
         env->regs[15] = initial_pc & ~1;
         env->thumb = initial_pc & 1;
+#else
+        /*
+         * For user mode we run non-secure and with access to the FPU.
+         * The FPU context is active (ie does not need further setup)
+         * and is owned by non-secure.
+         */
+        env->v7m.secure = false;
+        env->v7m.nsacr = 0xcff;
+        env->v7m.cpacr[M_REG_NS] = 0xf0ffff;
+        env->v7m.fpccr[M_REG_S] &=
+            ~(R_V7M_FPCCR_LSPEN_MASK | R_V7M_FPCCR_S_MASK);
+        env->v7m.control[M_REG_S] |= R_V7M_CONTROL_FPCA_MASK;
+#endif
     }
 
+#ifndef CONFIG_USER_ONLY
     /* AArch32 has a hard highvec setting of 0xFFFF0000.  If we are currently
      * executing as AArch32 then check if highvecs are enabled and
      * adjust the PC accordingly.
-- 
2.20.1

There's no particular reason why the exclusive monitor should
be only cleared on reset in system emulation mode. It doesn't
hurt if it isn't cleared in user mode, but we might as well
reduce the amount of code we have that's inside an ifdef.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20210914120725.24992-3-peter.maydell@linaro.org
---
 target/arm/cpu.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_reset(DeviceState *dev)
         env->regs[15] = 0xFFFF0000;
     }
 
+    env->vfp.xregs[ARM_VFP_FPEXC] = 0;
+#endif
+
     /* M profile requires that reset clears the exclusive monitor;
      * A profile does not, but clearing it makes more sense than having it
      * set with an exclusive access on address zero.
      */
     arm_clear_exclusive(env);
 
-    env->vfp.xregs[ARM_VFP_FPEXC] = 0;
-#endif
-
     if (arm_feature(env, ARM_FEATURE_PMSA)) {
         if (cpu->pmsav7_dregion > 0) {
             if (arm_feature(env, ARM_FEATURE_V8)) {
-- 
2.20.1

Move an ifndef CONFIG_USER_ONLY code block up in arm_cpu_reset() so
it can be merged with another earlier one.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20210914120725.24992-4-peter.maydell@linaro.org
---
 target/arm/cpu.c | 22 ++++++++++------------
 1 file changed, 10 insertions(+), 12 deletions(-)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_reset(DeviceState *dev)
         env->uncached_cpsr = ARM_CPU_MODE_SVC;
     }
     env->daif = PSTATE_D | PSTATE_A | PSTATE_I | PSTATE_F;
+
+    /* AArch32 has a hard highvec setting of 0xFFFF0000.  If we are currently
+     * executing as AArch32 then check if highvecs are enabled and
+     * adjust the PC accordingly.
+     */
+    if (A32_BANKED_CURRENT_REG_GET(env, sctlr) & SCTLR_V) {
+        env->regs[15] = 0xFFFF0000;
+    }
+
+    env->vfp.xregs[ARM_VFP_FPEXC] = 0;
 #endif
 
     if (arm_feature(env, ARM_FEATURE_M)) {
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_reset(DeviceState *dev)
 #endif
     }
 
-#ifndef CONFIG_USER_ONLY
-    /* AArch32 has a hard highvec setting of 0xFFFF0000.  If we are currently
-     * executing as AArch32 then check if highvecs are enabled and
-     * adjust the PC accordingly.
-     */
-    if (A32_BANKED_CURRENT_REG_GET(env, sctlr) & SCTLR_V) {
-        env->regs[15] = 0xFFFF0000;
-    }
-
-    env->vfp.xregs[ARM_VFP_FPEXC] = 0;
-#endif
-
     /* M profile requires that reset clears the exclusive monitor;
      * A profile does not, but clearing it makes more sense than having it
      * set with an exclusive access on address zero.
-- 
2.20.1

From: Shashi Mallela <shashi.mallela@linaro.org>

During sbsa acs level 3 testing, it is seen that the GIC maintenance
interrupts are not triggered and the related test cases fail.  This
is because we were incorrectly passing the value of the MISR register
(from maintenance_interrupt_state()) to qemu_set_irq() as the level
argument, whereas the device on the other end of this irq line
expects a 0/1 value.

Fix the logic to pass a 0/1 level indication, rather than a
0/not-0 value.

Fixes: c5fc89b36c0 ("hw/intc/arm_gicv3: Implement gicv3_cpuif_virt_update()")
Signed-off-by: Shashi Mallela <shashi.mallela@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20210915205809.59068-1-shashi.mallela@linaro.org
[PMM: tweaked commit message; collapsed nested if()s into one]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/intc/arm_gicv3_cpuif.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/hw/intc/arm_gicv3_cpuif.c b/hw/intc/arm_gicv3_cpuif.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3_cpuif.c
+++ b/hw/intc/arm_gicv3_cpuif.c
@@ -XXX,XX +XXX,XX @@ static void gicv3_cpuif_virt_update(GICv3CPUState *cs)
         }
     }
 
-    if (cs->ich_hcr_el2 & ICH_HCR_EL2_EN) {
-        maintlevel = maintenance_interrupt_state(cs);
+    if ((cs->ich_hcr_el2 & ICH_HCR_EL2_EN) &&
+        maintenance_interrupt_state(cs) != 0) {
+        maintlevel = 1;
     }
 
     trace_gicv3_cpuif_virt_set_irqs(gicv3_redist_affid(cs), fiqlevel,
-- 
2.20.1

From: Alexander Graf <agraf@csgraf.de>

We will need PMC register definitions in accel specific code later.
Move all constant definitions to common arm headers so we can reuse
them.

Signed-off-by: Alexander Graf <agraf@csgraf.de>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20210916155404.86958-2-agraf@csgraf.de
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/internals.h | 44 ++++++++++++++++++++++++++++++++++++++++++
 target/arm/helper.c    | 44 ------------------------------------------
 2 files changed, 44 insertions(+), 44 deletions(-)

diff --git a/target/arm/internals.h b/target/arm/internals.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -XXX,XX +XXX,XX @@ enum MVEECIState {
     /* All other values reserved */
 };
 
+/* Definitions for the PMU registers */
+#define PMCRN_MASK  0xf800
+#define PMCRN_SHIFT 11
+#define PMCRLC  0x40
+#define PMCRDP  0x20
+#define PMCRX   0x10
+#define PMCRD   0x8
+#define PMCRC   0x4
+#define PMCRP   0x2
+#define PMCRE   0x1
+/*
+ * Mask of PMCR bits writeable by guest (not including WO bits like C, P,
+ * which can be written as 1 to trigger behaviour but which stay RAZ).
+ */
+#define PMCR_WRITEABLE_MASK (PMCRLC | PMCRDP | PMCRX | PMCRD | PMCRE)
+
+#define PMXEVTYPER_P          0x80000000
+#define PMXEVTYPER_U          0x40000000
+#define PMXEVTYPER_NSK        0x20000000
+#define PMXEVTYPER_NSU        0x10000000
+#define PMXEVTYPER_NSH        0x08000000
+#define PMXEVTYPER_M          0x04000000
+#define PMXEVTYPER_MT         0x02000000
+#define PMXEVTYPER_EVTCOUNT   0x0000ffff
+#define PMXEVTYPER_MASK       (PMXEVTYPER_P | PMXEVTYPER_U | PMXEVTYPER_NSK | \
+                               PMXEVTYPER_NSU | PMXEVTYPER_NSH | \
+                               PMXEVTYPER_M | PMXEVTYPER_MT | \
+                               PMXEVTYPER_EVTCOUNT)
+
+#define PMCCFILTR             0xf8000000
+#define PMCCFILTR_M           PMXEVTYPER_M
+#define PMCCFILTR_EL0         (PMCCFILTR | PMCCFILTR_M)
+
+static inline uint32_t pmu_num_counters(CPUARMState *env)
+{
+  return (env->cp15.c9_pmcr & PMCRN_MASK) >> PMCRN_SHIFT;
+}
+
+/* Bits allowed to be set/cleared for PMCNTEN* and PMINTEN* */
+static inline uint64_t pmu_counter_mask(CPUARMState *env)
+{
+  return (1 << 31) | ((1 << pmu_num_counters(env)) - 1);
+}
+
 #endif
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v6_cp_reginfo[] = {
     REGINFO_SENTINEL
 };
 
-/* Definitions for the PMU registers */
-#define PMCRN_MASK  0xf800
-#define PMCRN_SHIFT 11
-#define PMCRLC  0x40
-#define PMCRDP  0x20
-#define PMCRX   0x10
-#define PMCRD   0x8
-#define PMCRC   0x4
-#define PMCRP   0x2
-#define PMCRE   0x1
-/*
- * Mask of PMCR bits writeable by guest (not including WO bits like C, P,
- * which can be written as 1 to trigger behaviour but which stay RAZ).
- */
-#define PMCR_WRITEABLE_MASK (PMCRLC | PMCRDP | PMCRX | PMCRD | PMCRE)
-
-#define PMXEVTYPER_P          0x80000000
-#define PMXEVTYPER_U          0x40000000
-#define PMXEVTYPER_NSK        0x20000000
-#define PMXEVTYPER_NSU        0x10000000
-#define PMXEVTYPER_NSH        0x08000000
-#define PMXEVTYPER_M          0x04000000
-#define PMXEVTYPER_MT         0x02000000
-#define PMXEVTYPER_EVTCOUNT   0x0000ffff
-#define PMXEVTYPER_MASK       (PMXEVTYPER_P | PMXEVTYPER_U | PMXEVTYPER_NSK | \
-                               PMXEVTYPER_NSU | PMXEVTYPER_NSH | \
-                               PMXEVTYPER_M | PMXEVTYPER_MT | \
-                               PMXEVTYPER_EVTCOUNT)
-
-#define PMCCFILTR             0xf8000000
-#define PMCCFILTR_M           PMXEVTYPER_M
-#define PMCCFILTR_EL0         (PMCCFILTR | PMCCFILTR_M)
-
-static inline uint32_t pmu_num_counters(CPUARMState *env)
-{
-  return (env->cp15.c9_pmcr & PMCRN_MASK) >> PMCRN_SHIFT;
-}
-
-/* Bits allowed to be set/cleared for PMCNTEN* and PMINTEN* */
-static inline uint64_t pmu_counter_mask(CPUARMState *env)
-{
-  return (1 << 31) | ((1 << pmu_num_counters(env)) - 1);
-}
-
 typedef struct pm_event {
     uint16_t number; /* PMEVTYPER.evtCount is 16 bits wide */
     /* If the event is supported on this CPU (used to generate PMCEID[01]) */
-- 
2.20.1

From: Alexander Graf <agraf@csgraf.de>

Hvf's permission bitmap during and after dirty logging does not include
the HV_MEMORY_EXEC permission. At least on Apple Silicon, this leads to
instruction faults once dirty logging was enabled.

Add the bit to make it work properly.

Signed-off-by: Alexander Graf <agraf@csgraf.de>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20210916155404.86958-3-agraf@csgraf.de
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 accel/hvf/hvf-accel-ops.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/accel/hvf/hvf-accel-ops.c b/accel/hvf/hvf-accel-ops.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/hvf/hvf-accel-ops.c
+++ b/accel/hvf/hvf-accel-ops.c
@@ -XXX,XX +XXX,XX @@ static void hvf_set_dirty_tracking(MemoryRegionSection *section, bool on)
     if (on) {
         slot->flags |= HVF_SLOT_LOG;
         hv_vm_protect((uintptr_t)slot->start, (size_t)slot->size,
-                      HV_MEMORY_READ);
+                      HV_MEMORY_READ | HV_MEMORY_EXEC);
     /* stop tracking region*/
     } else {
         slot->flags &= ~HVF_SLOT_LOG;
         hv_vm_protect((uintptr_t)slot->start, (size_t)slot->size,
-                      HV_MEMORY_READ | HV_MEMORY_WRITE);
+                      HV_MEMORY_READ | HV_MEMORY_WRITE | HV_MEMORY_EXEC);
     }
 }
 
-- 
2.20.1

From: Alexander Graf <agraf@csgraf.de>

We will need to install a migration helper for the ARM hvf backend.
Let's introduce an arch callback for the overall hvf init chain to
do so.

Signed-off-by: Alexander Graf <agraf@csgraf.de>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20210916155404.86958-4-agraf@csgraf.de
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/sysemu/hvf_int.h  | 1 +
 accel/hvf/hvf-accel-ops.c | 3 ++-
 target/i386/hvf/hvf.c     | 5 +++++
 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/include/sysemu/hvf_int.h b/include/sysemu/hvf_int.h
index XXXXXXX..XXXXXXX 100644
--- a/include/sysemu/hvf_int.h
+++ b/include/sysemu/hvf_int.h
@@ -XXX,XX +XXX,XX @@ struct hvf_vcpu_state {
 };
 
 void assert_hvf_ok(hv_return_t ret);
+int hvf_arch_init(void);
 int hvf_arch_init_vcpu(CPUState *cpu);
 void hvf_arch_vcpu_destroy(CPUState *cpu);
 int hvf_vcpu_exec(CPUState *);
diff --git a/accel/hvf/hvf-accel-ops.c b/accel/hvf/hvf-accel-ops.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/hvf/hvf-accel-ops.c
+++ b/accel/hvf/hvf-accel-ops.c
@@ -XXX,XX +XXX,XX @@ static int hvf_accel_init(MachineState *ms)
 
     hvf_state = s;
     memory_listener_register(&hvf_memory_listener, &address_space_memory);
-    return 0;
+
+    return hvf_arch_init();
 }
 
 static void hvf_accel_class_init(ObjectClass *oc, void *data)
diff --git a/target/i386/hvf/hvf.c b/target/i386/hvf/hvf.c
index XXXXXXX..XXXXXXX 100644
--- a/target/i386/hvf/hvf.c
+++ b/target/i386/hvf/hvf.c
@@ -XXX,XX +XXX,XX @@ static inline bool apic_bus_freq_is_known(CPUX86State *env)
     return env->apic_bus_freq != 0;
 }
 
+int hvf_arch_init(void)
+{
+    return 0;
+}
+
 int hvf_arch_init_vcpu(CPUState *cpu)
 {
     X86CPU *x86cpu = X86_CPU(cpu);
-- 
2.20.1

From: Alexander Graf <agraf@csgraf.de>

With Apple Silicon available to the masses, it's a good time to add support
for driving its virtualization extensions from QEMU.

This patch adds all necessary architecture specific code to get basic VMs
working, including save/restore.

Known limitations:

- WFI handling is missing (follows in later patch)
  - No watchpoint/breakpoint support

Signed-off-by: Alexander Graf <agraf@csgraf.de>
Reviewed-by: Roman Bolshakov <r.bolshakov@yadro.com>
Reviewed-by: Sergio Lopez <slp@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20210916155404.86958-5-agraf@csgraf.de
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 meson.build                 |   1 +
 include/sysemu/hvf_int.h    |  10 +-
 accel/hvf/hvf-accel-ops.c   |   9 +
 target/arm/hvf/hvf.c        | 794 ++++++++++++++++++++++++++++++++++++
 target/i386/hvf/hvf.c       |   5 +
 MAINTAINERS                 |   5 +
 target/arm/hvf/trace-events |  10 +
 7 files changed, 833 insertions(+), 1 deletion(-)
 create mode 100644 target/arm/hvf/hvf.c
 create mode 100644 target/arm/hvf/trace-events

diff --git a/meson.build b/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/meson.build
+++ b/meson.build
@@ -XXX,XX +XXX,XX @@ if have_system or have_user
     'accel/tcg',
     'hw/core',
     'target/arm',
+    'target/arm/hvf',
     'target/hppa',
     'target/i386',
     'target/i386/kvm',
diff --git a/include/sysemu/hvf_int.h b/include/sysemu/hvf_int.h
index XXXXXXX..XXXXXXX 100644
--- a/include/sysemu/hvf_int.h
+++ b/include/sysemu/hvf_int.h
@@ -XXX,XX +XXX,XX @@
 #ifndef HVF_INT_H
 #define HVF_INT_H
 
+#ifdef __aarch64__
+#include <Hypervisor/Hypervisor.h>
+#else
 #include <Hypervisor/hv.h>
+#endif
 
 /* hvf_slot flags */
 #define HVF_SLOT_LOG (1 << 0)
@@ -XXX,XX +XXX,XX @@ struct HVFState {
     int num_slots;
 
     hvf_vcpu_caps *hvf_caps;
+    uint64_t vtimer_offset;
 };
 extern HVFState *hvf_state;
 
 struct hvf_vcpu_state {
-    int fd;
+    uint64_t fd;
+    void *exit;
+    bool vtimer_masked;
 };
 
 void assert_hvf_ok(hv_return_t ret);
@@ -XXX,XX +XXX,XX @@ int hvf_vcpu_exec(CPUState *);
 hvf_slot *hvf_find_overlap_slot(uint64_t, uint64_t);
 int hvf_put_registers(CPUState *);
 int hvf_get_registers(CPUState *);
+void hvf_kick_vcpu_thread(CPUState *cpu);
 
 #endif
diff --git a/accel/hvf/hvf-accel-ops.c b/accel/hvf/hvf-accel-ops.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/hvf/hvf-accel-ops.c
+++ b/accel/hvf/hvf-accel-ops.c
@@ -XXX,XX +XXX,XX @@
 
 HVFState *hvf_state;
 
+#ifdef __aarch64__
+#define HV_VM_DEFAULT NULL
+#endif
+
 /* Memory slots */
 
 hvf_slot *hvf_find_overlap_slot(uint64_t start, uint64_t size)
@@ -XXX,XX +XXX,XX @@ static int hvf_init_vcpu(CPUState *cpu)
     pthread_sigmask(SIG_BLOCK, NULL, &set);
     sigdelset(&set, SIG_IPI);
 
+#ifdef __aarch64__
+    r = hv_vcpu_create(&cpu->hvf->fd, (hv_vcpu_exit_t **)&cpu->hvf->exit, NULL);
+#else
     r = hv_vcpu_create((hv_vcpuid_t *)&cpu->hvf->fd, HV_VCPU_DEFAULT);
+#endif
     cpu->vcpu_dirty = 1;
     assert_hvf_ok(r);
 
@@ -XXX,XX +XXX,XX @@ static void hvf_accel_ops_class_init(ObjectClass *oc, void *data)
     AccelOpsClass *ops = ACCEL_OPS_CLASS(oc);
 
     ops->create_vcpu_thread = hvf_start_vcpu_thread;
+    ops->kick_vcpu_thread = hvf_kick_vcpu_thread;
 
     ops->synchronize_post_reset = hvf_cpu_synchronize_post_reset;
     ops->synchronize_post_init = hvf_cpu_synchronize_post_init;
diff --git a/target/arm/hvf/hvf.c b/target/arm/hvf/hvf.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/target/arm/hvf/hvf.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * QEMU Hypervisor.framework support for Apple Silicon
+
+ * Copyright 2020 Alexander Graf <agraf@csgraf.de>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ *
+ */
+
+#include "qemu/osdep.h"
+#include "qemu-common.h"
+#include "qemu/error-report.h"
+
+#include "sysemu/runstate.h"
+#include "sysemu/hvf.h"
+#include "sysemu/hvf_int.h"
+#include "sysemu/hw_accel.h"
+
+#include <mach/mach_time.h>
+
+#include "exec/address-spaces.h"
+#include "hw/irq.h"
+#include "qemu/main-loop.h"
+#include "sysemu/cpus.h"
+#include "target/arm/cpu.h"
+#include "target/arm/internals.h"
+#include "trace/trace-target_arm_hvf.h"
+#include "migration/vmstate.h"
+
+#define HVF_SYSREG(crn, crm, op0, op1, op2) \
+        ENCODE_AA64_CP_REG(CP_REG_ARM64_SYSREG_CP, crn, crm, op0, op1, op2)
+#define PL1_WRITE_MASK 0x4
+
+#define SYSREG(op0, op1, crn, crm, op2) \
+    ((op0 << 20) | (op2 << 17) | (op1 << 14) | (crn << 10) | (crm << 1))
+#define SYSREG_MASK           SYSREG(0x3, 0x7, 0xf, 0xf, 0x7)
+#define SYSREG_OSLAR_EL1      SYSREG(2, 0, 1, 0, 4)
+#define SYSREG_OSLSR_EL1      SYSREG(2, 0, 1, 1, 4)
+#define SYSREG_OSDLR_EL1      SYSREG(2, 0, 1, 3, 4)
+#define SYSREG_CNTPCT_EL0     SYSREG(3, 3, 14, 0, 1)
+
+#define WFX_IS_WFE (1 << 0)
+
+#define TMR_CTL_ENABLE  (1 << 0)
+#define TMR_CTL_IMASK   (1 << 1)
+#define TMR_CTL_ISTATUS (1 << 2)
+
+typedef struct HVFVTimer {
+    /* Vtimer value during migration and paused state */
+    uint64_t vtimer_val;
+} HVFVTimer;
+
+static HVFVTimer vtimer;
+
+struct hvf_reg_match {
+    int reg;
+    uint64_t offset;
+};
+
+static const struct hvf_reg_match hvf_reg_match[] = {
+    { HV_REG_X0,   offsetof(CPUARMState, xregs[0]) },
+    { HV_REG_X1,   offsetof(CPUARMState, xregs[1]) },
+    { HV_REG_X2,   offsetof(CPUARMState, xregs[2]) },
+    { HV_REG_X3,   offsetof(CPUARMState, xregs[3]) },
+    { HV_REG_X4,   offsetof(CPUARMState, xregs[4]) },
+    { HV_REG_X5,   offsetof(CPUARMState, xregs[5]) },
+    { HV_REG_X6,   offsetof(CPUARMState, xregs[6]) },
+    { HV_REG_X7,   offsetof(CPUARMState, xregs[7]) },
+    { HV_REG_X8,   offsetof(CPUARMState, xregs[8]) },
+    { HV_REG_X9,   offsetof(CPUARMState, xregs[9]) },
+    { HV_REG_X10,  offsetof(CPUARMState, xregs[10]) },
+    { HV_REG_X11,  offsetof(CPUARMState, xregs[11]) },
+    { HV_REG_X12,  offsetof(CPUARMState, xregs[12]) },
+    { HV_REG_X13,  offsetof(CPUARMState, xregs[13]) },
+    { HV_REG_X14,  offsetof(CPUARMState, xregs[14]) },
+    { HV_REG_X15,  offsetof(CPUARMState, xregs[15]) },
+    { HV_REG_X16,  offsetof(CPUARMState, xregs[16]) },
+    { HV_REG_X17,  offsetof(CPUARMState, xregs[17]) },
+    { HV_REG_X18,  offsetof(CPUARMState, xregs[18]) },
+    { HV_REG_X19,  offsetof(CPUARMState, xregs[19]) },
+    { HV_REG_X20,  offsetof(CPUARMState, xregs[20]) },
+    { HV_REG_X21,  offsetof(CPUARMState, xregs[21]) },
+    { HV_REG_X22,  offsetof(CPUARMState, xregs[22]) },
+    { HV_REG_X23,  offsetof(CPUARMState, xregs[23]) },
+    { HV_REG_X24,  offsetof(CPUARMState, xregs[24]) },
+    { HV_REG_X25,  offsetof(CPUARMState, xregs[25]) },
+    { HV_REG_X26,  offsetof(CPUARMState, xregs[26]) },
+    { HV_REG_X27,  offsetof(CPUARMState, xregs[27]) },
+    { HV_REG_X28,  offsetof(CPUARMState, xregs[28]) },
+    { HV_REG_X29,  offsetof(CPUARMState, xregs[29]) },
+    { HV_REG_X30,  offsetof(CPUARMState, xregs[30]) },
+    { HV_REG_PC,   offsetof(CPUARMState, pc) },
+};
+
+static const struct hvf_reg_match hvf_fpreg_match[] = {
+    { HV_SIMD_FP_REG_Q0,  offsetof(CPUARMState, vfp.zregs[0]) },
+    { HV_SIMD_FP_REG_Q1,  offsetof(CPUARMState, vfp.zregs[1]) },
+    { HV_SIMD_FP_REG_Q2,  offsetof(CPUARMState, vfp.zregs[2]) },
+    { HV_SIMD_FP_REG_Q3,  offsetof(CPUARMState, vfp.zregs[3]) },
+    { HV_SIMD_FP_REG_Q4,  offsetof(CPUARMState, vfp.zregs[4]) },
+    { HV_SIMD_FP_REG_Q5,  offsetof(CPUARMState, vfp.zregs[5]) },
+    { HV_SIMD_FP_REG_Q6,  offsetof(CPUARMState, vfp.zregs[6]) },
+    { HV_SIMD_FP_REG_Q7,  offsetof(CPUARMState, vfp.zregs[7]) },
+    { HV_SIMD_FP_REG_Q8,  offsetof(CPUARMState, vfp.zregs[8]) },
+    { HV_SIMD_FP_REG_Q9,  offsetof(CPUARMState, vfp.zregs[9]) },
+    { HV_SIMD_FP_REG_Q10, offsetof(CPUARMState, vfp.zregs[10]) },
+    { HV_SIMD_FP_REG_Q11, offsetof(CPUARMState, vfp.zregs[11]) },
+    { HV_SIMD_FP_REG_Q12, offsetof(CPUARMState, vfp.zregs[12]) },
+    { HV_SIMD_FP_REG_Q13, offsetof(CPUARMState, vfp.zregs[13]) },
+    { HV_SIMD_FP_REG_Q14, offsetof(CPUARMState, vfp.zregs[14]) },
+    { HV_SIMD_FP_REG_Q15, offsetof(CPUARMState, vfp.zregs[15]) },
+    { HV_SIMD_FP_REG_Q16, offsetof(CPUARMState, vfp.zregs[16]) },
+    { HV_SIMD_FP_REG_Q17, offsetof(CPUARMState, vfp.zregs[17]) },
+    { HV_SIMD_FP_REG_Q18, offsetof(CPUARMState, vfp.zregs[18]) },
+    { HV_SIMD_FP_REG_Q19, offsetof(CPUARMState, vfp.zregs[19]) },
+    { HV_SIMD_FP_REG_Q20, offsetof(CPUARMState, vfp.zregs[20]) },
+    { HV_SIMD_FP_REG_Q21, offsetof(CPUARMState, vfp.zregs[21]) },
+    { HV_SIMD_FP_REG_Q22, offsetof(CPUARMState, vfp.zregs[22]) },
+    { HV_SIMD_FP_REG_Q23, offsetof(CPUARMState, vfp.zregs[23]) },
+    { HV_SIMD_FP_REG_Q24, offsetof(CPUARMState, vfp.zregs[24]) },
+    { HV_SIMD_FP_REG_Q25, offsetof(CPUARMState, vfp.zregs[25]) },
+    { HV_SIMD_FP_REG_Q26, offsetof(CPUARMState, vfp.zregs[26]) },
+    { HV_SIMD_FP_REG_Q27, offsetof(CPUARMState, vfp.zregs[27]) },
+    { HV_SIMD_FP_REG_Q28, offsetof(CPUARMState, vfp.zregs[28]) },
+    { HV_SIMD_FP_REG_Q29, offsetof(CPUARMState, vfp.zregs[29]) },
+    { HV_SIMD_FP_REG_Q30, offsetof(CPUARMState, vfp.zregs[30]) },
+    { HV_SIMD_FP_REG_Q31, offsetof(CPUARMState, vfp.zregs[31]) },
+};
+
+struct hvf_sreg_match {
+    int reg;
+    uint32_t key;
+    uint32_t cp_idx;
+};
+
+static struct hvf_sreg_match hvf_sreg_match[] = {
+    { HV_SYS_REG_DBGBVR0_EL1, HVF_SYSREG(0, 0, 14, 0, 4) },
+    { HV_SYS_REG_DBGBCR0_EL1, HVF_SYSREG(0, 0, 14, 0, 5) },
+    { HV_SYS_REG_DBGWVR0_EL1, HVF_SYSREG(0, 0, 14, 0, 6) },
+    { HV_SYS_REG_DBGWCR0_EL1, HVF_SYSREG(0, 0, 14, 0, 7) },
+
+    { HV_SYS_REG_DBGBVR1_EL1, HVF_SYSREG(0, 1, 14, 0, 4) },
+    { HV_SYS_REG_DBGBCR1_EL1, HVF_SYSREG(0, 1, 14, 0, 5) },
+    { HV_SYS_REG_DBGWVR1_EL1, HVF_SYSREG(0, 1, 14, 0, 6) },
+    { HV_SYS_REG_DBGWCR1_EL1, HVF_SYSREG(0, 1, 14, 0, 7) },
+
+    { HV_SYS_REG_DBGBVR2_EL1, HVF_SYSREG(0, 2, 14, 0, 4) },
+    { HV_SYS_REG_DBGBCR2_EL1, HVF_SYSREG(0, 2, 14, 0, 5) },
+    { HV_SYS_REG_DBGWVR2_EL1, HVF_SYSREG(0, 2, 14, 0, 6) },
+    { HV_SYS_REG_DBGWCR2_EL1, HVF_SYSREG(0, 2, 14, 0, 7) },
+
+    { HV_SYS_REG_DBGBVR3_EL1, HVF_SYSREG(0, 3, 14, 0, 4) },
+    { HV_SYS_REG_DBGBCR3_EL1, HVF_SYSREG(0, 3, 14, 0, 5) },
+    { HV_SYS_REG_DBGWVR3_EL1, HVF_SYSREG(0, 3, 14, 0, 6) },
+    { HV_SYS_REG_DBGWCR3_EL1, HVF_SYSREG(0, 3, 14, 0, 7) },
+
+    { HV_SYS_REG_DBGBVR4_EL1, HVF_SYSREG(0, 4, 14, 0, 4) },
+    { HV_SYS_REG_DBGBCR4_EL1, HVF_SYSREG(0, 4, 14, 0, 5) },
+    { HV_SYS_REG_DBGWVR4_EL1, HVF_SYSREG(0, 4, 14, 0, 6) },
+    { HV_SYS_REG_DBGWCR4_EL1, HVF_SYSREG(0, 4, 14, 0, 7) },
+
+    { HV_SYS_REG_DBGBVR5_EL1, HVF_SYSREG(0, 5, 14, 0, 4) },
+    { HV_SYS_REG_DBGBCR5_EL1, HVF_SYSREG(0, 5, 14, 0, 5) },
+    { HV_SYS_REG_DBGWVR5_EL1, HVF_SYSREG(0, 5, 14, 0, 6) },
+    { HV_SYS_REG_DBGWCR5_EL1, HVF_SYSREG(0, 5, 14, 0, 7) },
+
+    { HV_SYS_REG_DBGBVR6_EL1, HVF_SYSREG(0, 6, 14, 0, 4) },
+    { HV_SYS_REG_DBGBCR6_EL1, HVF_SYSREG(0, 6, 14, 0, 5) },
+    { HV_SYS_REG_DBGWVR6_EL1, HVF_SYSREG(0, 6, 14, 0, 6) },
+    { HV_SYS_REG_DBGWCR6_EL1, HVF_SYSREG(0, 6, 14, 0, 7) },
+
+    { HV_SYS_REG_DBGBVR7_EL1, HVF_SYSREG(0, 7, 14, 0, 4) },
+    { HV_SYS_REG_DBGBCR7_EL1, HVF_SYSREG(0, 7, 14, 0, 5) },
+    { HV_SYS_REG_DBGWVR7_EL1, HVF_SYSREG(0, 7, 14, 0, 6) },
+    { HV_SYS_REG_DBGWCR7_EL1, HVF_SYSREG(0, 7, 14, 0, 7) },
+
+    { HV_SYS_REG_DBGBVR8_EL1, HVF_SYSREG(0, 8, 14, 0, 4) },
+    { HV_SYS_REG_DBGBCR8_EL1, HVF_SYSREG(0, 8, 14, 0, 5) },
+    { HV_SYS_REG_DBGWVR8_EL1, HVF_SYSREG(0, 8, 14, 0, 6) },
+    { HV_SYS_REG_DBGWCR8_EL1, HVF_SYSREG(0, 8, 14, 0, 7) },
+
+    { HV_SYS_REG_DBGBVR9_EL1, HVF_SYSREG(0, 9, 14, 0, 4) },
+    { HV_SYS_REG_DBGBCR9_EL1, HVF_SYSREG(0, 9, 14, 0, 5) },
+    { HV_SYS_REG_DBGWVR9_EL1, HVF_SYSREG(0, 9, 14, 0, 6) },
+    { HV_SYS_REG_DBGWCR9_EL1, HVF_SYSREG(0, 9, 14, 0, 7) },
+
+    { HV_SYS_REG_DBGBVR10_EL1, HVF_SYSREG(0, 10, 14, 0, 4) },
+    { HV_SYS_REG_DBGBCR10_EL1, HVF_SYSREG(0, 10, 14, 0, 5) },
+    { HV_SYS_REG_DBGWVR10_EL1, HVF_SYSREG(0, 10, 14, 0, 6) },
+    { HV_SYS_REG_DBGWCR10_EL1, HVF_SYSREG(0, 10, 14, 0, 7) },
+
+    { HV_SYS_REG_DBGBVR11_EL1, HVF_SYSREG(0, 11, 14, 0, 4) },
+    { HV_SYS_REG_DBGBCR11_EL1, HVF_SYSREG(0, 11, 14, 0, 5) },
+    { HV_SYS_REG_DBGWVR11_EL1, HVF_SYSREG(0, 11, 14, 0, 6) },
+    { HV_SYS_REG_DBGWCR11_EL1, HVF_SYSREG(0, 11, 14, 0, 7) },
+
+    { HV_SYS_REG_DBGBVR12_EL1, HVF_SYSREG(0, 12, 14, 0, 4) },
+    { HV_SYS_REG_DBGBCR12_EL1, HVF_SYSREG(0, 12, 14, 0, 5) },
+    { HV_SYS_REG_DBGWVR12_EL1, HVF_SYSREG(0, 12, 14, 0, 6) },
+    { HV_SYS_REG_DBGWCR12_EL1, HVF_SYSREG(0, 12, 14, 0, 7) },
+
+    { HV_SYS_REG_DBGBVR13_EL1, HVF_SYSREG(0, 13, 14, 0, 4) },
+    { HV_SYS_REG_DBGBCR13_EL1, HVF_SYSREG(0, 13, 14, 0, 5) },
+    { HV_SYS_REG_DBGWVR13_EL1, HVF_SYSREG(0, 13, 14, 0, 6) },
+    { HV_SYS_REG_DBGWCR13_EL1, HVF_SYSREG(0, 13, 14, 0, 7) },
+
+    { HV_SYS_REG_DBGBVR14_EL1, HVF_SYSREG(0, 14, 14, 0, 4) },
+    { HV_SYS_REG_DBGBCR14_EL1, HVF_SYSREG(0, 14, 14, 0, 5) },
+    { HV_SYS_REG_DBGWVR14_EL1, HVF_SYSREG(0, 14, 14, 0, 6) },
+    { HV_SYS_REG_DBGWCR14_EL1, HVF_SYSREG(0, 14, 14, 0, 7) },
+
+    { HV_SYS_REG_DBGBVR15_EL1, HVF_SYSREG(0, 15, 14, 0, 4) },
+    { HV_SYS_REG_DBGBCR15_EL1, HVF_SYSREG(0, 15, 14, 0, 5) },
+    { HV_SYS_REG_DBGWVR15_EL1, HVF_SYSREG(0, 15, 14, 0, 6) },
+    { HV_SYS_REG_DBGWCR15_EL1, HVF_SYSREG(0, 15, 14, 0, 7) },
+
+#ifdef SYNC_NO_RAW_REGS
+    /*
+     * The registers below are manually synced on init because they are
+     * marked as NO_RAW. We still list them to make number space sync easier.
+     */
+    { HV_SYS_REG_MDCCINT_EL1, HVF_SYSREG(0, 2, 2, 0, 0) },
+    { HV_SYS_REG_MIDR_EL1, HVF_SYSREG(0, 0, 3, 0, 0) },
+    { HV_SYS_REG_MPIDR_EL1, HVF_SYSREG(0, 0, 3, 0, 5) },
+    { HV_SYS_REG_ID_AA64PFR0_EL1, HVF_SYSREG(0, 4, 3, 0, 0) },
+#endif
+    { HV_SYS_REG_ID_AA64PFR1_EL1, HVF_SYSREG(0, 4, 3, 0, 2) },
+    { HV_SYS_REG_ID_AA64DFR0_EL1, HVF_SYSREG(0, 5, 3, 0, 0) },
+    { HV_SYS_REG_ID_AA64DFR1_EL1, HVF_SYSREG(0, 5, 3, 0, 1) },
+    { HV_SYS_REG_ID_AA64ISAR0_EL1, HVF_SYSREG(0, 6, 3, 0, 0) },
+    { HV_SYS_REG_ID_AA64ISAR1_EL1, HVF_SYSREG(0, 6, 3, 0, 1) },
+#ifdef SYNC_NO_MMFR0
+    /* We keep the hardware MMFR0 around. HW limits are there anyway */
+    { HV_SYS_REG_ID_AA64MMFR0_EL1, HVF_SYSREG(0, 7, 3, 0, 0) },
+#endif
+    { HV_SYS_REG_ID_AA64MMFR1_EL1, HVF_SYSREG(0, 7, 3, 0, 1) },
+    { HV_SYS_REG_ID_AA64MMFR2_EL1, HVF_SYSREG(0, 7, 3, 0, 2) },
+
+    { HV_SYS_REG_MDSCR_EL1, HVF_SYSREG(0, 2, 2, 0, 2) },
+    { HV_SYS_REG_SCTLR_EL1, HVF_SYSREG(1, 0, 3, 0, 0) },
+    { HV_SYS_REG_CPACR_EL1, HVF_SYSREG(1, 0, 3, 0, 2) },
+    { HV_SYS_REG_TTBR0_EL1, HVF_SYSREG(2, 0, 3, 0, 0) },
+    { HV_SYS_REG_TTBR1_EL1, HVF_SYSREG(2, 0, 3, 0, 1) },
+    { HV_SYS_REG_TCR_EL1, HVF_SYSREG(2, 0, 3, 0, 2) },
+
+    { HV_SYS_REG_APIAKEYLO_EL1, HVF_SYSREG(2, 1, 3, 0, 0) },
+    { HV_SYS_REG_APIAKEYHI_EL1, HVF_SYSREG(2, 1, 3, 0, 1) },
+    { HV_SYS_REG_APIBKEYLO_EL1, HVF_SYSREG(2, 1, 3, 0, 2) },
+    { HV_SYS_REG_APIBKEYHI_EL1, HVF_SYSREG(2, 1, 3, 0, 3) },
+    { HV_SYS_REG_APDAKEYLO_EL1, HVF_SYSREG(2, 2, 3, 0, 0) },
+    { HV_SYS_REG_APDAKEYHI_EL1, HVF_SYSREG(2, 2, 3, 0, 1) },
+    { HV_SYS_REG_APDBKEYLO_EL1, HVF_SYSREG(2, 2, 3, 0, 2) },
+    { HV_SYS_REG_APDBKEYHI_EL1, HVF_SYSREG(2, 2, 3, 0, 3) },
+    { HV_SYS_REG_APGAKEYLO_EL1, HVF_SYSREG(2, 3, 3, 0, 0) },
+    { HV_SYS_REG_APGAKEYHI_EL1, HVF_SYSREG(2, 3, 3, 0, 1) },
+
+    { HV_SYS_REG_SPSR_EL1, HVF_SYSREG(4, 0, 3, 0, 0) },
+    { HV_SYS_REG_ELR_EL1, HVF_SYSREG(4, 0, 3, 0, 1) },
+    { HV_SYS_REG_SP_EL0, HVF_SYSREG(4, 1, 3, 0, 0) },
+    { HV_SYS_REG_AFSR0_EL1, HVF_SYSREG(5, 1, 3, 0, 0) },
+    { HV_SYS_REG_AFSR1_EL1, HVF_SYSREG(5, 1, 3, 0, 1) },
+    { HV_SYS_REG_ESR_EL1, HVF_SYSREG(5, 2, 3, 0, 0) },
+    { HV_SYS_REG_FAR_EL1, HVF_SYSREG(6, 0, 3, 0, 0) },
+    { HV_SYS_REG_PAR_EL1, HVF_SYSREG(7, 4, 3, 0, 0) },
+    { HV_SYS_REG_MAIR_EL1, HVF_SYSREG(10, 2, 3, 0, 0) },
+    { HV_SYS_REG_AMAIR_EL1, HVF_SYSREG(10, 3, 3, 0, 0) },
+    { HV_SYS_REG_VBAR_EL1, HVF_SYSREG(12, 0, 3, 0, 0) },
+    { HV_SYS_REG_CONTEXTIDR_EL1, HVF_SYSREG(13, 0, 3, 0, 1) },
+    { HV_SYS_REG_TPIDR_EL1, HVF_SYSREG(13, 0, 3, 0, 4) },
+    { HV_SYS_REG_CNTKCTL_EL1, HVF_SYSREG(14, 1, 3, 0, 0) },
+    { HV_SYS_REG_CSSELR_EL1, HVF_SYSREG(0, 0, 3, 2, 0) },
+    { HV_SYS_REG_TPIDR_EL0, HVF_SYSREG(13, 0, 3, 3, 2) },
+    { HV_SYS_REG_TPIDRRO_EL0, HVF_SYSREG(13, 0, 3, 3, 3) },
+    { HV_SYS_REG_CNTV_CTL_EL0, HVF_SYSREG(14, 3, 3, 3, 1) },
+    { HV_SYS_REG_CNTV_CVAL_EL0, HVF_SYSREG(14, 3, 3, 3, 2) },
+    { HV_SYS_REG_SP_EL1, HVF_SYSREG(4, 1, 3, 4, 0) },
+};
+
+int hvf_get_registers(CPUState *cpu)
+{
+    ARMCPU *arm_cpu = ARM_CPU(cpu);
+    CPUARMState *env = &arm_cpu->env;
+    hv_return_t ret;
+    uint64_t val;
+    hv_simd_fp_uchar16_t fpval;
+    int i;
+
+    for (i = 0; i < ARRAY_SIZE(hvf_reg_match); i++) {
+        ret = hv_vcpu_get_reg(cpu->hvf->fd, hvf_reg_match[i].reg, &val);
+        *(uint64_t *)((void *)env + hvf_reg_match[i].offset) = val;
+        assert_hvf_ok(ret);
+    }
+
+    for (i = 0; i < ARRAY_SIZE(hvf_fpreg_match); i++) {
+        ret = hv_vcpu_get_simd_fp_reg(cpu->hvf->fd, hvf_fpreg_match[i].reg,
+                                      &fpval);
+        memcpy((void *)env + hvf_fpreg_match[i].offset, &fpval, sizeof(fpval));
+        assert_hvf_ok(ret);
+    }
+
+    val = 0;
+    ret = hv_vcpu_get_reg(cpu->hvf->fd, HV_REG_FPCR, &val);
+    assert_hvf_ok(ret);
+    vfp_set_fpcr(env, val);
+
+    val = 0;
+    ret = hv_vcpu_get_reg(cpu->hvf->fd, HV_REG_FPSR, &val);
+    assert_hvf_ok(ret);
+    vfp_set_fpsr(env, val);
+
+    ret = hv_vcpu_get_reg(cpu->hvf->fd, HV_REG_CPSR, &val);
+    assert_hvf_ok(ret);
+    pstate_write(env, val);
+
+    for (i = 0; i < ARRAY_SIZE(hvf_sreg_match); i++) {
+        if (hvf_sreg_match[i].cp_idx == -1) {
+            continue;
+        }
+
+        ret = hv_vcpu_get_sys_reg(cpu->hvf->fd, hvf_sreg_match[i].reg, &val);
+        assert_hvf_ok(ret);
+
+        arm_cpu->cpreg_values[hvf_sreg_match[i].cp_idx] = val;
+    }
+    assert(write_list_to_cpustate(arm_cpu));
+
+    aarch64_restore_sp(env, arm_current_el(env));
+
+    return 0;
+}
+
+int hvf_put_registers(CPUState *cpu)
+{
+    ARMCPU *arm_cpu = ARM_CPU(cpu);
+    CPUARMState *env = &arm_cpu->env;
+    hv_return_t ret;
+    uint64_t val;
+    hv_simd_fp_uchar16_t fpval;
+    int i;
+
+    for (i = 0; i < ARRAY_SIZE(hvf_reg_match); i++) {
+        val = *(uint64_t *)((void *)env + hvf_reg_match[i].offset);
+        ret = hv_vcpu_set_reg(cpu->hvf->fd, hvf_reg_match[i].reg, val);
+        assert_hvf_ok(ret);
+    }
+
+    for (i = 0; i < ARRAY_SIZE(hvf_fpreg_match); i++) {
+        memcpy(&fpval, (void *)env + hvf_fpreg_match[i].offset, sizeof(fpval));
+        ret = hv_vcpu_set_simd_fp_reg(cpu->hvf->fd, hvf_fpreg_match[i].reg,
+                                      fpval);
+        assert_hvf_ok(ret);
+    }
+
+    ret = hv_vcpu_set_reg(cpu->hvf->fd, HV_REG_FPCR, vfp_get_fpcr(env));
+    assert_hvf_ok(ret);
+
+    ret = hv_vcpu_set_reg(cpu->hvf->fd, HV_REG_FPSR, vfp_get_fpsr(env));
+    assert_hvf_ok(ret);
+
+    ret = hv_vcpu_set_reg(cpu->hvf->fd, HV_REG_CPSR, pstate_read(env));
+    assert_hvf_ok(ret);
+
+    aarch64_save_sp(env, arm_current_el(env));
+
+    assert(write_cpustate_to_list(arm_cpu, false));
+    for (i = 0; i < ARRAY_SIZE(hvf_sreg_match); i++) {
+        if (hvf_sreg_match[i].cp_idx == -1) {
+            continue;
+        }
+
+        val = arm_cpu->cpreg_values[hvf_sreg_match[i].cp_idx];
+        ret = hv_vcpu_set_sys_reg(cpu->hvf->fd, hvf_sreg_match[i].reg, val);
+        assert_hvf_ok(ret);
+    }
+
+    ret = hv_vcpu_set_vtimer_offset(cpu->hvf->fd, hvf_state->vtimer_offset);
+    assert_hvf_ok(ret);
+
+    return 0;
+}
+
+static void flush_cpu_state(CPUState *cpu)
+{
+    if (cpu->vcpu_dirty) {
+        hvf_put_registers(cpu);
+        cpu->vcpu_dirty = false;
+    }
+}
+
+static void hvf_set_reg(CPUState *cpu, int rt, uint64_t val)
+{
+    hv_return_t r;
+
+    flush_cpu_state(cpu);
+
+    if (rt < 31) {
+        r = hv_vcpu_set_reg(cpu->hvf->fd, HV_REG_X0 + rt, val);
+        assert_hvf_ok(r);
+    }
+}
+
+static uint64_t hvf_get_reg(CPUState *cpu, int rt)
+{
+    uint64_t val = 0;
+    hv_return_t r;
+
+    flush_cpu_state(cpu);
+
+    if (rt < 31) {
+        r = hv_vcpu_get_reg(cpu->hvf->fd, HV_REG_X0 + rt, &val);
+        assert_hvf_ok(r);
+    }
+
+    return val;
+}
+
+void hvf_arch_vcpu_destroy(CPUState *cpu)
+{
+}
+
+int hvf_arch_init_vcpu(CPUState *cpu)
+{
+    ARMCPU *arm_cpu = ARM_CPU(cpu);
+    CPUARMState *env = &arm_cpu->env;
+    uint32_t sregs_match_len = ARRAY_SIZE(hvf_sreg_match);
+    uint32_t sregs_cnt = 0;
+    uint64_t pfr;
+    hv_return_t ret;
+    int i;
+
+    env->aarch64 = 1;
+    asm volatile("mrs %0, cntfrq_el0" : "=r"(arm_cpu->gt_cntfrq_hz));
+
+    /* Allocate enough space for our sysreg sync */
+    arm_cpu->cpreg_indexes = g_renew(uint64_t, arm_cpu->cpreg_indexes,
+                                     sregs_match_len);
+    arm_cpu->cpreg_values = g_renew(uint64_t, arm_cpu->cpreg_values,
+                                    sregs_match_len);
+    arm_cpu->cpreg_vmstate_indexes = g_renew(uint64_t,
+                                             arm_cpu->cpreg_vmstate_indexes,
+                                             sregs_match_len);
+    arm_cpu->cpreg_vmstate_values = g_renew(uint64_t,
+                                            arm_cpu->cpreg_vmstate_values,
+                                            sregs_match_len);
+
+    memset(arm_cpu->cpreg_values, 0, sregs_match_len * sizeof(uint64_t));
+
+    /* Populate cp list for all known sysregs */
+    for (i = 0; i < sregs_match_len; i++) {
+        const ARMCPRegInfo *ri;
+        uint32_t key = hvf_sreg_match[i].key;
+
+        ri = get_arm_cp_reginfo(arm_cpu->cp_regs, key);
+        if (ri) {
+            assert(!(ri->type & ARM_CP_NO_RAW));
+            hvf_sreg_match[i].cp_idx = sregs_cnt;
+            arm_cpu->cpreg_indexes[sregs_cnt++] = cpreg_to_kvm_id(key);
+        } else {
+            hvf_sreg_match[i].cp_idx = -1;
+        }
+    }
+    arm_cpu->cpreg_array_len = sregs_cnt;
+    arm_cpu->cpreg_vmstate_array_len = sregs_cnt;
+
+    assert(write_cpustate_to_list(arm_cpu, false));
+
+    /* Set CP_NO_RAW system registers on init */
+    ret = hv_vcpu_set_sys_reg(cpu->hvf->fd, HV_SYS_REG_MIDR_EL1,
+                              arm_cpu->midr);
+    assert_hvf_ok(ret);
+
+    ret = hv_vcpu_set_sys_reg(cpu->hvf->fd, HV_SYS_REG_MPIDR_EL1,
+                              arm_cpu->mp_affinity);
+    assert_hvf_ok(ret);
+
+    ret = hv_vcpu_get_sys_reg(cpu->hvf->fd, HV_SYS_REG_ID_AA64PFR0_EL1, &pfr);
+    assert_hvf_ok(ret);
+    pfr |= env->gicv3state ? (1 << 24) : 0;
+    ret = hv_vcpu_set_sys_reg(cpu->hvf->fd, HV_SYS_REG_ID_AA64PFR0_EL1, pfr);
+    assert_hvf_ok(ret);
+
+    /* We're limited to underlying hardware caps, override internal versions */
+    ret = hv_vcpu_get_sys_reg(cpu->hvf->fd, HV_SYS_REG_ID_AA64MMFR0_EL1,
+                              &arm_cpu->isar.id_aa64mmfr0);
+    assert_hvf_ok(ret);
+
+    return 0;
+}
+
+void hvf_kick_vcpu_thread(CPUState *cpu)
+{
+    hv_vcpus_exit(&cpu->hvf->fd, 1);
+}
+
+static void hvf_raise_exception(CPUState *cpu, uint32_t excp,
+                                uint32_t syndrome)
+{
+    ARMCPU *arm_cpu = ARM_CPU(cpu);
+    CPUARMState *env = &arm_cpu->env;
+
+    cpu->exception_index = excp;
+    env->exception.target_el = 1;
+    env->exception.syndrome = syndrome;
+
+    arm_cpu_do_interrupt(cpu);
+}
+
+static int hvf_sysreg_read(CPUState *cpu, uint32_t reg, uint32_t rt)
+{
+    ARMCPU *arm_cpu = ARM_CPU(cpu);
+    CPUARMState *env = &arm_cpu->env;
+    uint64_t val = 0;
+
+    switch (reg) {
+    case SYSREG_CNTPCT_EL0:
+        val = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) /
+              gt_cntfrq_period_ns(arm_cpu);
+        break;
+    case SYSREG_OSLSR_EL1:
+        val = env->cp15.oslsr_el1;
+        break;
+    case SYSREG_OSDLR_EL1:
+        /* Dummy register */
+        break;
+    default:
+        cpu_synchronize_state(cpu);
+        trace_hvf_unhandled_sysreg_read(env->pc, reg,
+                                        (reg >> 20) & 0x3,
+                                        (reg >> 14) & 0x7,
+                                        (reg >> 10) & 0xf,
+                                        (reg >> 1) & 0xf,
+                                        (reg >> 17) & 0x7);
+        hvf_raise_exception(cpu, EXCP_UDEF, syn_uncategorized());
+        return 1;
+    }
+
+    trace_hvf_sysreg_read(reg,
+                          (reg >> 20) & 0x3,
+                          (reg >> 14) & 0x7,
+                          (reg >> 10) & 0xf,
+                          (reg >> 1) & 0xf,
+                          (reg >> 17) & 0x7,
+                          val);
+    hvf_set_reg(cpu, rt, val);
+
+    return 0;
+}
+
+static int hvf_sysreg_write(CPUState *cpu, uint32_t reg, uint64_t val)
+{
+    ARMCPU *arm_cpu = ARM_CPU(cpu);
+    CPUARMState *env = &arm_cpu->env;
+
+    trace_hvf_sysreg_write(reg,
+                           (reg >> 20) & 0x3,
+                           (reg >> 14) & 0x7,
+                           (reg >> 10) & 0xf,
+                           (reg >> 1) & 0xf,
+                           (reg >> 17) & 0x7,
+                           val);
+
+    switch (reg) {
+    case SYSREG_OSLAR_EL1:
+        env->cp15.oslsr_el1 = val & 1;
+        break;
+    case SYSREG_OSDLR_EL1:
+        /* Dummy register */
+        break;
+    default:
+        cpu_synchronize_state(cpu);
+        trace_hvf_unhandled_sysreg_write(env->pc, reg,
+                                         (reg >> 20) & 0x3,
+                                         (reg >> 14) & 0x7,
+                                         (reg >> 10) & 0xf,
+                                         (reg >> 1) & 0xf,
+                                         (reg >> 17) & 0x7);
+        hvf_raise_exception(cpu, EXCP_UDEF, syn_uncategorized());
+        return 1;
+    }
+
+    return 0;
+}
+
+static int hvf_inject_interrupts(CPUState *cpu)
+{
+    if (cpu->interrupt_request & CPU_INTERRUPT_FIQ) {
+        trace_hvf_inject_fiq();
+        hv_vcpu_set_pending_interrupt(cpu->hvf->fd, HV_INTERRUPT_TYPE_FIQ,
+                                      true);
+    }
+
+    if (cpu->interrupt_request & CPU_INTERRUPT_HARD) {
+        trace_hvf_inject_irq();
+        hv_vcpu_set_pending_interrupt(cpu->hvf->fd, HV_INTERRUPT_TYPE_IRQ,
+                                      true);
+    }
+
+    return 0;
+}
+
+static uint64_t hvf_vtimer_val_raw(void)
+{
+    /*
+     * mach_absolute_time() returns the vtimer value without the VM
+     * offset that we define. Add our own offset on top.
+     */
+    return mach_absolute_time() - hvf_state->vtimer_offset;
+}
+
+static void hvf_sync_vtimer(CPUState *cpu)
+{
+    ARMCPU *arm_cpu = ARM_CPU(cpu);
+    hv_return_t r;
+    uint64_t ctl;
+    bool irq_state;
+
+    if (!cpu->hvf->vtimer_masked) {
+        /* We will get notified on vtimer changes by hvf, nothing to do */
+        return;
+    }
+
+    r = hv_vcpu_get_sys_reg(cpu->hvf->fd, HV_SYS_REG_CNTV_CTL_EL0, &ctl);
+    assert_hvf_ok(r);
+
+    irq_state = (ctl & (TMR_CTL_ENABLE | TMR_CTL_IMASK | TMR_CTL_ISTATUS)) ==
+                (TMR_CTL_ENABLE | TMR_CTL_ISTATUS);
+    qemu_set_irq(arm_cpu->gt_timer_outputs[GTIMER_VIRT], irq_state);
+
+    if (!irq_state) {
+        /* Timer no longer asserting, we can unmask it */
+        hv_vcpu_set_vtimer_mask(cpu->hvf->fd, false);
+        cpu->hvf->vtimer_masked = false;
+    }
+}
+
+int hvf_vcpu_exec(CPUState *cpu)
+{
+    ARMCPU *arm_cpu = ARM_CPU(cpu);
+    CPUARMState *env = &arm_cpu->env;
+    hv_vcpu_exit_t *hvf_exit = cpu->hvf->exit;
+    hv_return_t r;
+    bool advance_pc = false;
+
+    if (hvf_inject_interrupts(cpu)) {
+        return EXCP_INTERRUPT;
+    }
+
+    if (cpu->halted) {
+        return EXCP_HLT;
+    }
+
+    flush_cpu_state(cpu);
+
+    qemu_mutex_unlock_iothread();
+    assert_hvf_ok(hv_vcpu_run(cpu->hvf->fd));
+
+    /* handle VMEXIT */
+    uint64_t exit_reason = hvf_exit->reason;
+    uint64_t syndrome = hvf_exit->exception.syndrome;
+    uint32_t ec = syn_get_ec(syndrome);
+
+    qemu_mutex_lock_iothread();
+    switch (exit_reason) {
+    case HV_EXIT_REASON_EXCEPTION:
+        /* This is the main one, handle below. */
+        break;
+    case HV_EXIT_REASON_VTIMER_ACTIVATED:
+        qemu_set_irq(arm_cpu->gt_timer_outputs[GTIMER_VIRT], 1);
+        cpu->hvf->vtimer_masked = true;
+        return 0;
+    case HV_EXIT_REASON_CANCELED:
+        /* we got kicked, no exit to process */
+        return 0;
+    default:
+        assert(0);
+    }
+
+    hvf_sync_vtimer(cpu);
+
+    switch (ec) {
+    case EC_DATAABORT: {
+        bool isv = syndrome & ARM_EL_ISV;
+        bool iswrite = (syndrome >> 6) & 1;
+        bool s1ptw = (syndrome >> 7) & 1;
+        uint32_t sas = (syndrome >> 22) & 3;
+        uint32_t len = 1 << sas;
+        uint32_t srt = (syndrome >> 16) & 0x1f;
+        uint64_t val = 0;
+
+        trace_hvf_data_abort(env->pc, hvf_exit->exception.virtual_address,
+                             hvf_exit->exception.physical_address, isv,
+                             iswrite, s1ptw, len, srt);
+
+        assert(isv);
+
+        if (iswrite) {
+            val = hvf_get_reg(cpu, srt);
+            address_space_write(&address_space_memory,
+                                hvf_exit->exception.physical_address,
+                                MEMTXATTRS_UNSPECIFIED, &val, len);
+        } else {
+            address_space_read(&address_space_memory,
+                               hvf_exit->exception.physical_address,
+                               MEMTXATTRS_UNSPECIFIED, &val, len);
+            hvf_set_reg(cpu, srt, val);
+        }
+
+        advance_pc = true;
+        break;
+    }
+    case EC_SYSTEMREGISTERTRAP: {
+        bool isread = (syndrome >> 0) & 1;
+        uint32_t rt = (syndrome >> 5) & 0x1f;
+        uint32_t reg = syndrome & SYSREG_MASK;
+        uint64_t val;
+        int ret = 0;
+
+        if (isread) {
+            ret = hvf_sysreg_read(cpu, reg, rt);
+        } else {
+            val = hvf_get_reg(cpu, rt);
+            ret = hvf_sysreg_write(cpu, reg, val);
+        }
+
+        advance_pc = !ret;
+        break;
+    }
+    case EC_WFX_TRAP:
+        advance_pc = true;
+        break;
+    case EC_AA64_HVC:
+        cpu_synchronize_state(cpu);
+        trace_hvf_unknown_hvc(env->xregs[0]);
+        /* SMCCC 1.3 section 5.2 says every unknown SMCCC call returns -1 */
+        env->xregs[0] = -1;
+        break;
+    case EC_AA64_SMC:
+        cpu_synchronize_state(cpu);
+        trace_hvf_unknown_smc(env->xregs[0]);
+        hvf_raise_exception(cpu, EXCP_UDEF, syn_uncategorized());
+        break;
+    default:
+        cpu_synchronize_state(cpu);
+        trace_hvf_exit(syndrome, ec, env->pc);
+        error_report("0x%llx: unhandled exception ec=0x%x", env->pc, ec);
+    }
+
+    if (advance_pc) {
+        uint64_t pc;
+
+        flush_cpu_state(cpu);
+
+        r = hv_vcpu_get_reg(cpu->hvf->fd, HV_REG_PC, &pc);
+        assert_hvf_ok(r);
+        pc += 4;
+        r = hv_vcpu_set_reg(cpu->hvf->fd, HV_REG_PC, pc);
+        assert_hvf_ok(r);
+    }
+
+    return 0;
+}
+
+static const VMStateDescription vmstate_hvf_vtimer = {
+    .name = "hvf-vtimer",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .fields = (VMStateField[]) {
+        VMSTATE_UINT64(vtimer_val, HVFVTimer),
+        VMSTATE_END_OF_LIST()
+    },
+};
+
+static void hvf_vm_state_change(void *opaque, bool running, RunState state)
+{
+    HVFVTimer *s = opaque;
+
+    if (running) {
+        /* Update vtimer offset on all CPUs */
+        hvf_state->vtimer_offset = mach_absolute_time() - s->vtimer_val;
+        cpu_synchronize_all_states();
+    } else {
+        /* Remember vtimer value on every pause */
+        s->vtimer_val = hvf_vtimer_val_raw();
+    }
+}
+
+int hvf_arch_init(void)
+{
+    hvf_state->vtimer_offset = mach_absolute_time();
+    vmstate_register(NULL, 0, &vmstate_hvf_vtimer, &vtimer);
+    qemu_add_vm_change_state_handler(hvf_vm_state_change, &vtimer);
+    return 0;
+}
diff --git a/target/i386/hvf/hvf.c b/target/i386/hvf/hvf.c
index XXXXXXX..XXXXXXX 100644
--- a/target/i386/hvf/hvf.c
+++ b/target/i386/hvf/hvf.c
@@ -XXX,XX +XXX,XX @@ static inline bool apic_bus_freq_is_known(CPUX86State *env)
     return env->apic_bus_freq != 0;
 }
 
+void hvf_kick_vcpu_thread(CPUState *cpu)
+{
+    cpus_kick_thread(cpu);
+}
+
 int hvf_arch_init(void)
 {
     return 0;
diff --git a/MAINTAINERS b/MAINTAINERS
index XXXXXXX..XXXXXXX 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -XXX,XX +XXX,XX @@ F: accel/accel-*.c
 F: accel/Makefile.objs
 F: accel/stubs/Makefile.objs
 
+Apple Silicon HVF CPUs
+M: Alexander Graf <agraf@csgraf.de>
+S: Maintained
+F: target/arm/hvf/
+
 X86 HVF CPUs
 M: Cameron Esfahani <dirty@apple.com>
 M: Roman Bolshakov <r.bolshakov@yadro.com>
diff --git a/target/arm/hvf/trace-events b/target/arm/hvf/trace-events
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/target/arm/hvf/trace-events
@@ -XXX,XX +XXX,XX @@
+hvf_unhandled_sysreg_read(uint64_t pc, uint32_t reg, uint32_t op0, uint32_t op1, uint32_t crn, uint32_t crm, uint32_t op2) "unhandled sysreg read at pc=0x%"PRIx64": 0x%08x (op0=%d op1=%d crn=%d crm=%d op2=%d)"
+hvf_unhandled_sysreg_write(uint64_t pc, uint32_t reg, uint32_t op0, uint32_t op1, uint32_t crn, uint32_t crm, uint32_t op2) "unhandled sysreg write at pc=0x%"PRIx64": 0x%08x (op0=%d op1=%d crn=%d crm=%d op2=%d)"
+hvf_inject_fiq(void) "injecting FIQ"
+hvf_inject_irq(void) "injecting IRQ"
+hvf_data_abort(uint64_t pc, uint64_t va, uint64_t pa, bool isv, bool iswrite, bool s1ptw, uint32_t len, uint32_t srt) "data abort: [pc=0x%"PRIx64" va=0x%016"PRIx64" pa=0x%016"PRIx64" isv=%d iswrite=%d s1ptw=%d len=%d srt=%d]"
+hvf_sysreg_read(uint32_t reg, uint32_t op0, uint32_t op1, uint32_t crn, uint32_t crm, uint32_t op2, uint64_t val) "sysreg read 0x%08x (op0=%d op1=%d crn=%d crm=%d op2=%d) = 0x%016"PRIx64
+hvf_sysreg_write(uint32_t reg, uint32_t op0, uint32_t op1, uint32_t crn, uint32_t crm, uint32_t op2, uint64_t val) "sysreg write 0x%08x (op0=%d op1=%d crn=%d crm=%d op2=%d, val=0x%016"PRIx64")"
+hvf_unknown_hvc(uint64_t x0) "unknown HVC! 0x%016"PRIx64
+hvf_unknown_smc(uint64_t x0) "unknown SMC! 0x%016"PRIx64
+hvf_exit(uint64_t syndrome, uint32_t ec, uint64_t pc) "exit: 0x%"PRIx64" [ec=0x%x pc=0x%"PRIx64"]"
-- 
2.20.1

From: Peter Collingbourne <pcc@google.com>

Sleep on WFI until the VTIMER is due but allow ourselves to be woken
up on IPI.

In this implementation IPI is blocked on the CPU thread at startup and
pselect() is used to atomically unblock the signal and begin sleeping.
The signal is sent unconditionally so there's no need to worry about
races between actually sleeping and the "we think we're sleeping"
state. It may lead to an extra wakeup but that's better than missing
it entirely.

Signed-off-by: Peter Collingbourne <pcc@google.com>
Signed-off-by: Alexander Graf <agraf@csgraf.de>
Acked-by: Roman Bolshakov <r.bolshakov@yadro.com>
Reviewed-by: Sergio Lopez <slp@redhat.com>
Message-id: 20210916155404.86958-6-agraf@csgraf.de
[agraf: Remove unused 'set' variable, always advance PC on WFX trap,
        support vm stop / continue operations and cntv offsets]
Signed-off-by: Alexander Graf <agraf@csgraf.de>
Acked-by: Roman Bolshakov <r.bolshakov@yadro.com>
Reviewed-by: Sergio Lopez <slp@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/sysemu/hvf_int.h  |  1 +
 accel/hvf/hvf-accel-ops.c |  5 +--
 target/arm/hvf/hvf.c      | 79 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 82 insertions(+), 3 deletions(-)

diff --git a/include/sysemu/hvf_int.h b/include/sysemu/hvf_int.h
index XXXXXXX..XXXXXXX 100644
--- a/include/sysemu/hvf_int.h
+++ b/include/sysemu/hvf_int.h
@@ -XXX,XX +XXX,XX @@ struct hvf_vcpu_state {
     uint64_t fd;
     void *exit;
     bool vtimer_masked;
+    sigset_t unblock_ipi_mask;
 };
 
 void assert_hvf_ok(hv_return_t ret);
diff --git a/accel/hvf/hvf-accel-ops.c b/accel/hvf/hvf-accel-ops.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/hvf/hvf-accel-ops.c
+++ b/accel/hvf/hvf-accel-ops.c
@@ -XXX,XX +XXX,XX @@ static int hvf_init_vcpu(CPUState *cpu)
     cpu->hvf = g_malloc0(sizeof(*cpu->hvf));
 
     /* init cpu signals */
-    sigset_t set;
     struct sigaction sigact;
 
     memset(&sigact, 0, sizeof(sigact));
     sigact.sa_handler = dummy_signal;
     sigaction(SIG_IPI, &sigact, NULL);
 
-    pthread_sigmask(SIG_BLOCK, NULL, &set);
-    sigdelset(&set, SIG_IPI);
+    pthread_sigmask(SIG_BLOCK, NULL, &cpu->hvf->unblock_ipi_mask);
+    sigdelset(&cpu->hvf->unblock_ipi_mask, SIG_IPI);
 
 #ifdef __aarch64__
     r = hv_vcpu_create(&cpu->hvf->fd, (hv_vcpu_exit_t **)&cpu->hvf->exit, NULL);
diff --git a/target/arm/hvf/hvf.c b/target/arm/hvf/hvf.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/hvf/hvf.c
+++ b/target/arm/hvf/hvf.c
@@ -XXX,XX +XXX,XX @@
  * QEMU Hypervisor.framework support for Apple Silicon
 
  * Copyright 2020 Alexander Graf <agraf@csgraf.de>
+ * Copyright 2020 Google LLC
  *
  * This work is licensed under the terms of the GNU GPL, version 2 or later.
  * See the COPYING file in the top-level directory.
@@ -XXX,XX +XXX,XX @@ int hvf_arch_init_vcpu(CPUState *cpu)
 
 void hvf_kick_vcpu_thread(CPUState *cpu)
 {
+    cpus_kick_thread(cpu);
     hv_vcpus_exit(&cpu->hvf->fd, 1);
 }
 
@@ -XXX,XX +XXX,XX @@ static uint64_t hvf_vtimer_val_raw(void)
     return mach_absolute_time() - hvf_state->vtimer_offset;
 }
 
+static uint64_t hvf_vtimer_val(void)
+{
+    if (!runstate_is_running()) {
+        /* VM is paused, the vtimer value is in vtimer.vtimer_val */
+        return vtimer.vtimer_val;
+    }
+
+    return hvf_vtimer_val_raw();
+}
+
+static void hvf_wait_for_ipi(CPUState *cpu, struct timespec *ts)
+{
+    /*
+     * Use pselect to sleep so that other threads can IPI us while we're
+     * sleeping.
+     */
+    qatomic_mb_set(&cpu->thread_kicked, false);
+    qemu_mutex_unlock_iothread();
+    pselect(0, 0, 0, 0, ts, &cpu->hvf->unblock_ipi_mask);
+    qemu_mutex_lock_iothread();
+}
+
+static void hvf_wfi(CPUState *cpu)
+{
+    ARMCPU *arm_cpu = ARM_CPU(cpu);
+    struct timespec ts;
+    hv_return_t r;
+    uint64_t ctl;
+    uint64_t cval;
+    int64_t ticks_to_sleep;
+    uint64_t seconds;
+    uint64_t nanos;
+    uint32_t cntfrq;
+
+    if (cpu->interrupt_request & (CPU_INTERRUPT_HARD | CPU_INTERRUPT_FIQ)) {
+        /* Interrupt pending, no need to wait */
+        return;
+    }
+
+    r = hv_vcpu_get_sys_reg(cpu->hvf->fd, HV_SYS_REG_CNTV_CTL_EL0, &ctl);
+    assert_hvf_ok(r);
+
+    if (!(ctl & 1) || (ctl & 2)) {
+        /* Timer disabled or masked, just wait for an IPI. */
+        hvf_wait_for_ipi(cpu, NULL);
+        return;
+    }
+
+    r = hv_vcpu_get_sys_reg(cpu->hvf->fd, HV_SYS_REG_CNTV_CVAL_EL0, &cval);
+    assert_hvf_ok(r);
+
+    ticks_to_sleep = cval - hvf_vtimer_val();
+    if (ticks_to_sleep < 0) {
+        return;
+    }
+
+    cntfrq = gt_cntfrq_period_ns(arm_cpu);
+    seconds = muldiv64(ticks_to_sleep, cntfrq, NANOSECONDS_PER_SECOND);
+    ticks_to_sleep -= muldiv64(seconds, NANOSECONDS_PER_SECOND, cntfrq);
+    nanos = ticks_to_sleep * cntfrq;
+
+    /*
+     * Don't sleep for less than the time a context switch would take,
+     * so that we can satisfy fast timer requests on the same CPU.
+     * Measurements on M1 show the sweet spot to be ~2ms.
+     */
+    if (!seconds && nanos < (2 * SCALE_MS)) {
+        return;
+    }
+
+    ts = (struct timespec) { seconds, nanos };
+    hvf_wait_for_ipi(cpu, &ts);
+}
+
 static void hvf_sync_vtimer(CPUState *cpu)
 {
     ARMCPU *arm_cpu = ARM_CPU(cpu);
@@ -XXX,XX +XXX,XX @@ int hvf_vcpu_exec(CPUState *cpu)
     }
     case EC_WFX_TRAP:
         advance_pc = true;
+        if (!(syndrome & WFX_IS_WFE)) {
+            hvf_wfi(cpu);
+        }
         break;
     case EC_AA64_HVC:
         cpu_synchronize_state(cpu);
-- 
2.20.1

Now that we have working system register sync, we push more target CPU
properties into the virtual machine. That might be useful in some
situations, but is not the typical case that users want.

So let's add a -cpu host option that allows them to explicitly pass all
CPU capabilities of their host CPU into the guest.

Signed-off-by: Alexander Graf <agraf@csgraf.de>
Acked-by: Roman Bolshakov <r.bolshakov@yadro.com>
Reviewed-by: Sergio Lopez <slp@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20210916155404.86958-7-agraf@csgraf.de
[PMM: drop unnecessary #include line from .h file]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h     |  2 +
 target/arm/hvf_arm.h | 18 +++++++++
 target/arm/kvm_arm.h |  2 -
 target/arm/cpu.c     | 13 ++++--
 target/arm/hvf/hvf.c | 95 ++++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 124 insertions(+), 6 deletions(-)
 create mode 100644 target/arm/hvf_arm.h

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ bool write_cpustate_to_list(ARMCPU *cpu, bool kvm_sync);
 #define ARM_CPU_TYPE_NAME(name) (name ARM_CPU_TYPE_SUFFIX)
 #define CPU_RESOLVING_TYPE TYPE_ARM_CPU
 
+#define TYPE_ARM_HOST_CPU "host-" TYPE_ARM_CPU
+
 #define cpu_signal_handler cpu_arm_signal_handler
 #define cpu_list arm_cpu_list
 
diff --git a/target/arm/hvf_arm.h b/target/arm/hvf_arm.h
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/target/arm/hvf_arm.h
@@ -XXX,XX +XXX,XX @@
+/*
+ * QEMU Hypervisor.framework (HVF) support -- ARM specifics
+ *
+ * Copyright (c) 2021 Alexander Graf
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ *
+ */
+
+#ifndef QEMU_HVF_ARM_H
+#define QEMU_HVF_ARM_H
+
+#include "cpu.h"
+
+void hvf_arm_set_cpu_features_from_host(struct ARMCPU *cpu);
+
+#endif
diff --git a/target/arm/kvm_arm.h b/target/arm/kvm_arm.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm_arm.h
+++ b/target/arm/kvm_arm.h
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_create_scratch_host_vcpu(const uint32_t *cpus_to_try,
  */
 void kvm_arm_destroy_scratch_host_vcpu(int *fdarray);
 
-#define TYPE_ARM_HOST_CPU "host-" TYPE_ARM_CPU
-
 /**
  * ARMHostCPUFeatures: information about the host CPU (identified
  * by asking the host kernel)
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@
 #include "sysemu/tcg.h"
 #include "sysemu/hw_accel.h"
 #include "kvm_arm.h"
+#include "hvf_arm.h"
 #include "disas/capstone.h"
 #include "fpu/softfloat.h"
 
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
      * this is the first point where we can report it.
      */
     if (cpu->host_cpu_probe_failed) {
-        if (!kvm_enabled()) {
-            error_setg(errp, "The 'host' CPU type can only be used with KVM");
+        if (!kvm_enabled() && !hvf_enabled()) {
+            error_setg(errp, "The 'host' CPU type can only be used with KVM or HVF");
         } else {
             error_setg(errp, "Failed to retrieve host CPU features");
         }
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_class_init(ObjectClass *oc, void *data)
 #endif /* CONFIG_TCG */
 }
 
-#ifdef CONFIG_KVM
+#if defined(CONFIG_KVM) || defined(CONFIG_HVF)
 static void arm_host_initfn(Object *obj)
 {
     ARMCPU *cpu = ARM_CPU(obj);
 
+#ifdef CONFIG_KVM
     kvm_arm_set_cpu_features_from_host(cpu);
     if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64)) {
         aarch64_add_sve_properties(obj);
     }
+#else
+    hvf_arm_set_cpu_features_from_host(cpu);
+#endif
     arm_cpu_post_init(obj);
 }
 
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_register_types(void)
 {
     type_register_static(&arm_cpu_type_info);
 
-#ifdef CONFIG_KVM
+#if defined(CONFIG_KVM) || defined(CONFIG_HVF)
     type_register_static(&host_arm_cpu_type_info);
 #endif
 }
diff --git a/target/arm/hvf/hvf.c b/target/arm/hvf/hvf.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/hvf/hvf.c
+++ b/target/arm/hvf/hvf.c
@@ -XXX,XX +XXX,XX @@
 #include "sysemu/hvf.h"
 #include "sysemu/hvf_int.h"
 #include "sysemu/hw_accel.h"
+#include "hvf_arm.h"
 
 #include <mach/mach_time.h>
 
@@ -XXX,XX +XXX,XX @@ typedef struct HVFVTimer {
 
 static HVFVTimer vtimer;
 
+typedef struct ARMHostCPUFeatures {
+    ARMISARegisters isar;
+    uint64_t features;
+    uint64_t midr;
+    uint32_t reset_sctlr;
+    const char *dtb_compatible;
+} ARMHostCPUFeatures;
+
+static ARMHostCPUFeatures arm_host_cpu_features;
+
 struct hvf_reg_match {
     int reg;
     uint64_t offset;
@@ -XXX,XX +XXX,XX @@ static uint64_t hvf_get_reg(CPUState *cpu, int rt)
     return val;
 }
 
+static bool hvf_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
+{
+    ARMISARegisters host_isar = {};
+    const struct isar_regs {
+        int reg;
+        uint64_t *val;
+    } regs[] = {
+        { HV_SYS_REG_ID_AA64PFR0_EL1, &host_isar.id_aa64pfr0 },
+        { HV_SYS_REG_ID_AA64PFR1_EL1, &host_isar.id_aa64pfr1 },
+        { HV_SYS_REG_ID_AA64DFR0_EL1, &host_isar.id_aa64dfr0 },
+        { HV_SYS_REG_ID_AA64DFR1_EL1, &host_isar.id_aa64dfr1 },
+        { HV_SYS_REG_ID_AA64ISAR0_EL1, &host_isar.id_aa64isar0 },
+        { HV_SYS_REG_ID_AA64ISAR1_EL1, &host_isar.id_aa64isar1 },
+        { HV_SYS_REG_ID_AA64MMFR0_EL1, &host_isar.id_aa64mmfr0 },
+        { HV_SYS_REG_ID_AA64MMFR1_EL1, &host_isar.id_aa64mmfr1 },
+        { HV_SYS_REG_ID_AA64MMFR2_EL1, &host_isar.id_aa64mmfr2 },
+    };
+    hv_vcpu_t fd;
+    hv_return_t r = HV_SUCCESS;
+    hv_vcpu_exit_t *exit;
+    int i;
+
+    ahcf->dtb_compatible = "arm,arm-v8";
+    ahcf->features = (1ULL << ARM_FEATURE_V8) |
+                     (1ULL << ARM_FEATURE_NEON) |
+                     (1ULL << ARM_FEATURE_AARCH64) |
+                     (1ULL << ARM_FEATURE_PMU) |
+                     (1ULL << ARM_FEATURE_GENERIC_TIMER);
+
+    /* We set up a small vcpu to extract host registers */
+
+    if (hv_vcpu_create(&fd, &exit, NULL) != HV_SUCCESS) {
+        return false;
+    }
+
+    for (i = 0; i < ARRAY_SIZE(regs); i++) {
+        r |= hv_vcpu_get_sys_reg(fd, regs[i].reg, regs[i].val);
+    }
+    r |= hv_vcpu_get_sys_reg(fd, HV_SYS_REG_MIDR_EL1, &ahcf->midr);
+    r |= hv_vcpu_destroy(fd);
+
+    ahcf->isar = host_isar;
+
+    /*
+     * A scratch vCPU returns SCTLR 0, so let's fill our default with the M1
+     * boot SCTLR from https://github.com/AsahiLinux/m1n1/issues/97
+     */
+    ahcf->reset_sctlr = 0x30100180;
+    /*
+     * SPAN is disabled by default when SCTLR.SPAN=1. To improve compatibility,
+     * let's disable it on boot and then allow guest software to turn it on by
+     * setting it to 0.
+     */
+    ahcf->reset_sctlr |= 0x00800000;
+
+    /* Make sure we don't advertise AArch32 support for EL0/EL1 */
+    if ((host_isar.id_aa64pfr0 & 0xff) != 0x11) {
+        return false;
+    }
+
+    return r == HV_SUCCESS;
+}
+
+void hvf_arm_set_cpu_features_from_host(ARMCPU *cpu)
+{
+    if (!arm_host_cpu_features.dtb_compatible) {
+        if (!hvf_enabled() ||
+            !hvf_arm_get_host_cpu_features(&arm_host_cpu_features)) {
+            /*
+             * We can't report this error yet, so flag that we need to
+             * in arm_cpu_realizefn().
+             */
+            cpu->host_cpu_probe_failed = true;
+            return;
+        }
+    }
+
+    cpu->dtb_compatible = arm_host_cpu_features.dtb_compatible;
+    cpu->isar = arm_host_cpu_features.isar;
+    cpu->env.features = arm_host_cpu_features.features;
+    cpu->midr = arm_host_cpu_features.midr;
+    cpu->reset_sctlr = arm_host_cpu_features.reset_sctlr;
+}
+
 void hvf_arch_vcpu_destroy(CPUState *cpu)
 {
 }
-- 
2.20.1

From: Alexander Graf <agraf@csgraf.de>

We need to handle PSCI calls. Most of the TCG code works for us,
but we can simplify it to only handle aa64 mode and we need to
handle SUSPEND differently.

This patch takes the TCG code as template and duplicates it in HVF.

To tell the guest that we support PSCI 0.2 now, update the check in
arm_cpu_initfn() as well.

Signed-off-by: Alexander Graf <agraf@csgraf.de>
Reviewed-by: Sergio Lopez <slp@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20210916155404.86958-8-agraf@csgraf.de
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.c            |   4 +-
 target/arm/hvf/hvf.c        | 141 ++++++++++++++++++++++++++++++++++--
 target/arm/hvf/trace-events |   1 +
 3 files changed, 139 insertions(+), 7 deletions(-)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_initfn(Object *obj)
     cpu->psci_version = 1; /* By default assume PSCI v0.1 */
     cpu->kvm_target = QEMU_KVM_ARM_TARGET_NONE;
 
-    if (tcg_enabled()) {
-        cpu->psci_version = 2; /* TCG implements PSCI 0.2 */
+    if (tcg_enabled() || hvf_enabled()) {
+        cpu->psci_version = 2; /* TCG and HVF implement PSCI 0.2 */
     }
 }
 
diff --git a/target/arm/hvf/hvf.c b/target/arm/hvf/hvf.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/hvf/hvf.c
+++ b/target/arm/hvf/hvf.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/irq.h"
 #include "qemu/main-loop.h"
 #include "sysemu/cpus.h"
+#include "arm-powerctl.h"
 #include "target/arm/cpu.h"
 #include "target/arm/internals.h"
 #include "trace/trace-target_arm_hvf.h"
@@ -XXX,XX +XXX,XX @@
 #define TMR_CTL_IMASK   (1 << 1)
 #define TMR_CTL_ISTATUS (1 << 2)
 
+static void hvf_wfi(CPUState *cpu);
+
 typedef struct HVFVTimer {
     /* Vtimer value during migration and paused state */
     uint64_t vtimer_val;
@@ -XXX,XX +XXX,XX @@ static void hvf_raise_exception(CPUState *cpu, uint32_t excp,
     arm_cpu_do_interrupt(cpu);
 }
 
+static void hvf_psci_cpu_off(ARMCPU *arm_cpu)
+{
+    int32_t ret = arm_set_cpu_off(arm_cpu->mp_affinity);
+    assert(ret == QEMU_ARM_POWERCTL_RET_SUCCESS);
+}
+
+/*
+ * Handle a PSCI call.
+ *
+ * Returns 0 on success
+ *         -1 when the PSCI call is unknown,
+ */
+static bool hvf_handle_psci_call(CPUState *cpu)
+{
+    ARMCPU *arm_cpu = ARM_CPU(cpu);
+    CPUARMState *env = &arm_cpu->env;
+    uint64_t param[4] = {
+        env->xregs[0],
+        env->xregs[1],
+        env->xregs[2],
+        env->xregs[3]
+    };
+    uint64_t context_id, mpidr;
+    bool target_aarch64 = true;
+    CPUState *target_cpu_state;
+    ARMCPU *target_cpu;
+    target_ulong entry;
+    int target_el = 1;
+    int32_t ret = 0;
+
+    trace_hvf_psci_call(param[0], param[1], param[2], param[3],
+                        arm_cpu->mp_affinity);
+
+    switch (param[0]) {
+    case QEMU_PSCI_0_2_FN_PSCI_VERSION:
+        ret = QEMU_PSCI_0_2_RET_VERSION_0_2;
+        break;
+    case QEMU_PSCI_0_2_FN_MIGRATE_INFO_TYPE:
+        ret = QEMU_PSCI_0_2_RET_TOS_MIGRATION_NOT_REQUIRED; /* No trusted OS */
+        break;
+    case QEMU_PSCI_0_2_FN_AFFINITY_INFO:
+    case QEMU_PSCI_0_2_FN64_AFFINITY_INFO:
+        mpidr = param[1];
+
+        switch (param[2]) {
+        case 0:
+            target_cpu_state = arm_get_cpu_by_id(mpidr);
+            if (!target_cpu_state) {
+                ret = QEMU_PSCI_RET_INVALID_PARAMS;
+                break;
+            }
+            target_cpu = ARM_CPU(target_cpu_state);
+
+            ret = target_cpu->power_state;
+            break;
+        default:
+            /* Everything above affinity level 0 is always on. */
+            ret = 0;
+        }
+        break;
+    case QEMU_PSCI_0_2_FN_SYSTEM_RESET:
+        qemu_system_reset_request(SHUTDOWN_CAUSE_GUEST_RESET);
+        /*
+         * QEMU reset and shutdown are async requests, but PSCI
+         * mandates that we never return from the reset/shutdown
+         * call, so power the CPU off now so it doesn't execute
+         * anything further.
+         */
+        hvf_psci_cpu_off(arm_cpu);
+        break;
+    case QEMU_PSCI_0_2_FN_SYSTEM_OFF:
+        qemu_system_shutdown_request(SHUTDOWN_CAUSE_GUEST_SHUTDOWN);
+        hvf_psci_cpu_off(arm_cpu);
+        break;
+    case QEMU_PSCI_0_1_FN_CPU_ON:
+    case QEMU_PSCI_0_2_FN_CPU_ON:
+    case QEMU_PSCI_0_2_FN64_CPU_ON:
+        mpidr = param[1];
+        entry = param[2];
+        context_id = param[3];
+        ret = arm_set_cpu_on(mpidr, entry, context_id,
+                             target_el, target_aarch64);
+        break;
+    case QEMU_PSCI_0_1_FN_CPU_OFF:
+    case QEMU_PSCI_0_2_FN_CPU_OFF:
+        hvf_psci_cpu_off(arm_cpu);
+        break;
+    case QEMU_PSCI_0_1_FN_CPU_SUSPEND:
+    case QEMU_PSCI_0_2_FN_CPU_SUSPEND:
+    case QEMU_PSCI_0_2_FN64_CPU_SUSPEND:
+        /* Affinity levels are not supported in QEMU */
+        if (param[1] & 0xfffe0000) {
+            ret = QEMU_PSCI_RET_INVALID_PARAMS;
+            break;
+        }
+        /* Powerdown is not supported, we always go into WFI */
+        env->xregs[0] = 0;
+        hvf_wfi(cpu);
+        break;
+    case QEMU_PSCI_0_1_FN_MIGRATE:
+    case QEMU_PSCI_0_2_FN_MIGRATE:
+        ret = QEMU_PSCI_RET_NOT_SUPPORTED;
+        break;
+    default:
+        return false;
+    }
+
+    env->xregs[0] = ret;
+    return true;
+}
+
 static int hvf_sysreg_read(CPUState *cpu, uint32_t reg, uint32_t rt)
 {
     ARMCPU *arm_cpu = ARM_CPU(cpu);
@@ -XXX,XX +XXX,XX @@ int hvf_vcpu_exec(CPUState *cpu)
         break;
     case EC_AA64_HVC:
         cpu_synchronize_state(cpu);
-        trace_hvf_unknown_hvc(env->xregs[0]);
-        /* SMCCC 1.3 section 5.2 says every unknown SMCCC call returns -1 */
-        env->xregs[0] = -1;
+        if (arm_cpu->psci_conduit == QEMU_PSCI_CONDUIT_HVC) {
+            if (!hvf_handle_psci_call(cpu)) {
+                trace_hvf_unknown_hvc(env->xregs[0]);
+                /* SMCCC 1.3 section 5.2 says every unknown SMCCC call returns -1 */
+                env->xregs[0] = -1;
+            }
+        } else {
+            trace_hvf_unknown_hvc(env->xregs[0]);
+            hvf_raise_exception(cpu, EXCP_UDEF, syn_uncategorized());
+        }
         break;
     case EC_AA64_SMC:
         cpu_synchronize_state(cpu);
-        trace_hvf_unknown_smc(env->xregs[0]);
-        hvf_raise_exception(cpu, EXCP_UDEF, syn_uncategorized());
+        if (arm_cpu->psci_conduit == QEMU_PSCI_CONDUIT_SMC) {
+            advance_pc = true;
+
+            if (!hvf_handle_psci_call(cpu)) {
+                trace_hvf_unknown_smc(env->xregs[0]);
+                /* SMCCC 1.3 section 5.2 says every unknown SMCCC call returns -1 */
+                env->xregs[0] = -1;
+            }
+        } else {
+            trace_hvf_unknown_smc(env->xregs[0]);
+            hvf_raise_exception(cpu, EXCP_UDEF, syn_uncategorized());
+        }
         break;
     default:
         cpu_synchronize_state(cpu);
diff --git a/target/arm/hvf/trace-events b/target/arm/hvf/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/hvf/trace-events
+++ b/target/arm/hvf/trace-events
@@ -XXX,XX +XXX,XX @@ hvf_sysreg_write(uint32_t reg, uint32_t op0, uint32_t op1, uint32_t crn, uint32_
 hvf_unknown_hvc(uint64_t x0) "unknown HVC! 0x%016"PRIx64
 hvf_unknown_smc(uint64_t x0) "unknown SMC! 0x%016"PRIx64
 hvf_exit(uint64_t syndrome, uint32_t ec, uint64_t pc) "exit: 0x%"PRIx64" [ec=0x%x pc=0x%"PRIx64"]"
+hvf_psci_call(uint64_t x0, uint64_t x1, uint64_t x2, uint64_t x3, uint32_t cpuid) "PSCI Call x0=0x%016"PRIx64" x1=0x%016"PRIx64" x2=0x%016"PRIx64" x3=0x%016"PRIx64" cpu=0x%x"
-- 
2.20.1

From: Alexander Graf <agraf@csgraf.de>

Now that we have all logic in place that we need to handle Hypervisor.framework
on Apple Silicon systems, let's add CONFIG_HVF for aarch64 as well so that we
can build it.

Signed-off-by: Alexander Graf <agraf@csgraf.de>
Reviewed-by: Roman Bolshakov <r.bolshakov@yadro.com>
Tested-by: Roman Bolshakov <r.bolshakov@yadro.com> (x86 only)
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Sergio Lopez <slp@redhat.com>
Message-id: 20210916155404.86958-9-agraf@csgraf.de
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 meson.build                | 7 +++++++
 target/arm/hvf/meson.build | 3 +++
 target/arm/meson.build     | 2 ++
 3 files changed, 12 insertions(+)
 create mode 100644 target/arm/hvf/meson.build

diff --git a/meson.build b/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/meson.build
+++ b/meson.build
@@ -XXX,XX +XXX,XX @@ else
 endif
 
 accelerator_targets = { 'CONFIG_KVM': kvm_targets }
+
+if cpu in ['aarch64']
+  accelerator_targets += {
+    'CONFIG_HVF': ['aarch64-softmmu']
+  }
+endif
+
 if cpu in ['x86', 'x86_64', 'arm', 'aarch64']
   # i386 emulator provides xenpv machine type for multiple architectures
   accelerator_targets += {
diff --git a/target/arm/hvf/meson.build b/target/arm/hvf/meson.build
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/target/arm/hvf/meson.build
@@ -XXX,XX +XXX,XX @@
+arm_softmmu_ss.add(when: [hvf, 'CONFIG_HVF'], if_true: files(
+  'hvf.c',
+))
diff --git a/target/arm/meson.build b/target/arm/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/meson.build
+++ b/target/arm/meson.build
@@ -XXX,XX +XXX,XX @@ arm_softmmu_ss.add(files(
   'psci.c',
 ))
 
+subdir('hvf')
+
 target_arch += {'arm': arm_ss}
 target_softmmu_arch += {'arm': arm_softmmu_ss}
-- 
2.20.1

From: Alexander Graf <agraf@csgraf.de>

We can expose cycle counters on the PMU easily. To be as compatible as
possible, let's do so, but make sure we don't expose any other architectural
counters that we can not model yet.

This allows OSs to work that require PMU support.

Signed-off-by: Alexander Graf <agraf@csgraf.de>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20210916155404.86958-10-agraf@csgraf.de
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/hvf/hvf.c | 179 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 179 insertions(+)

diff --git a/target/arm/hvf/hvf.c b/target/arm/hvf/hvf.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/hvf/hvf.c
+++ b/target/arm/hvf/hvf.c
@@ -XXX,XX +XXX,XX @@
 #define SYSREG_OSLSR_EL1      SYSREG(2, 0, 1, 1, 4)
 #define SYSREG_OSDLR_EL1      SYSREG(2, 0, 1, 3, 4)
 #define SYSREG_CNTPCT_EL0     SYSREG(3, 3, 14, 0, 1)
+#define SYSREG_PMCR_EL0       SYSREG(3, 3, 9, 12, 0)
+#define SYSREG_PMUSERENR_EL0  SYSREG(3, 3, 9, 14, 0)
+#define SYSREG_PMCNTENSET_EL0 SYSREG(3, 3, 9, 12, 1)
+#define SYSREG_PMCNTENCLR_EL0 SYSREG(3, 3, 9, 12, 2)
+#define SYSREG_PMINTENCLR_EL1 SYSREG(3, 0, 9, 14, 2)
+#define SYSREG_PMOVSCLR_EL0   SYSREG(3, 3, 9, 12, 3)
+#define SYSREG_PMSWINC_EL0    SYSREG(3, 3, 9, 12, 4)
+#define SYSREG_PMSELR_EL0     SYSREG(3, 3, 9, 12, 5)
+#define SYSREG_PMCEID0_EL0    SYSREG(3, 3, 9, 12, 6)
+#define SYSREG_PMCEID1_EL0    SYSREG(3, 3, 9, 12, 7)
+#define SYSREG_PMCCNTR_EL0    SYSREG(3, 3, 9, 13, 0)
+#define SYSREG_PMCCFILTR_EL0  SYSREG(3, 3, 14, 15, 7)
 
 #define WFX_IS_WFE (1 << 0)
 
@@ -XXX,XX +XXX,XX @@ static int hvf_sysreg_read(CPUState *cpu, uint32_t reg, uint32_t rt)
         val = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) /
               gt_cntfrq_period_ns(arm_cpu);
         break;
+    case SYSREG_PMCR_EL0:
+        val = env->cp15.c9_pmcr;
+        break;
+    case SYSREG_PMCCNTR_EL0:
+        pmu_op_start(env);
+        val = env->cp15.c15_ccnt;
+        pmu_op_finish(env);
+        break;
+    case SYSREG_PMCNTENCLR_EL0:
+        val = env->cp15.c9_pmcnten;
+        break;
+    case SYSREG_PMOVSCLR_EL0:
+        val = env->cp15.c9_pmovsr;
+        break;
+    case SYSREG_PMSELR_EL0:
+        val = env->cp15.c9_pmselr;
+        break;
+    case SYSREG_PMINTENCLR_EL1:
+        val = env->cp15.c9_pminten;
+        break;
+    case SYSREG_PMCCFILTR_EL0:
+        val = env->cp15.pmccfiltr_el0;
+        break;
+    case SYSREG_PMCNTENSET_EL0:
+        val = env->cp15.c9_pmcnten;
+        break;
+    case SYSREG_PMUSERENR_EL0:
+        val = env->cp15.c9_pmuserenr;
+        break;
+    case SYSREG_PMCEID0_EL0:
+    case SYSREG_PMCEID1_EL0:
+        /* We can't really count anything yet, declare all events invalid */
+        val = 0;
+        break;
     case SYSREG_OSLSR_EL1:
         val = env->cp15.oslsr_el1;
         break;
@@ -XXX,XX +XXX,XX @@ static int hvf_sysreg_read(CPUState *cpu, uint32_t reg, uint32_t rt)
     return 0;
 }
 
+static void pmu_update_irq(CPUARMState *env)
+{
+    ARMCPU *cpu = env_archcpu(env);
+    qemu_set_irq(cpu->pmu_interrupt, (env->cp15.c9_pmcr & PMCRE) &&
+            (env->cp15.c9_pminten & env->cp15.c9_pmovsr));
+}
+
+static bool pmu_event_supported(uint16_t number)
+{
+    return false;
+}
+
+/* Returns true if the counter (pass 31 for PMCCNTR) should count events using
+ * the current EL, security state, and register configuration.
+ */
+static bool pmu_counter_enabled(CPUARMState *env, uint8_t counter)
+{
+    uint64_t filter;
+    bool enabled, filtered = true;
+    int el = arm_current_el(env);
+
+    enabled = (env->cp15.c9_pmcr & PMCRE) &&
+              (env->cp15.c9_pmcnten & (1 << counter));
+
+    if (counter == 31) {
+        filter = env->cp15.pmccfiltr_el0;
+    } else {
+        filter = env->cp15.c14_pmevtyper[counter];
+    }
+
+    if (el == 0) {
+        filtered = filter & PMXEVTYPER_U;
+    } else if (el == 1) {
+        filtered = filter & PMXEVTYPER_P;
+    }
+
+    if (counter != 31) {
+        /*
+         * If not checking PMCCNTR, ensure the counter is setup to an event we
+         * support
+         */
+        uint16_t event = filter & PMXEVTYPER_EVTCOUNT;
+        if (!pmu_event_supported(event)) {
+            return false;
+        }
+    }
+
+    return enabled && !filtered;
+}
+
+static void pmswinc_write(CPUARMState *env, uint64_t value)
+{
+    unsigned int i;
+    for (i = 0; i < pmu_num_counters(env); i++) {
+        /* Increment a counter's count iff: */
+        if ((value & (1 << i)) && /* counter's bit is set */
+                /* counter is enabled and not filtered */
+                pmu_counter_enabled(env, i) &&
+                /* counter is SW_INCR */
+                (env->cp15.c14_pmevtyper[i] & PMXEVTYPER_EVTCOUNT) == 0x0) {
+            /*
+             * Detect if this write causes an overflow since we can't predict
+             * PMSWINC overflows like we can for other events
+             */
+            uint32_t new_pmswinc = env->cp15.c14_pmevcntr[i] + 1;
+
+            if (env->cp15.c14_pmevcntr[i] & ~new_pmswinc & INT32_MIN) {
+                env->cp15.c9_pmovsr |= (1 << i);
+                pmu_update_irq(env);
+            }
+
+            env->cp15.c14_pmevcntr[i] = new_pmswinc;
+        }
+    }
+}
+
 static int hvf_sysreg_write(CPUState *cpu, uint32_t reg, uint64_t val)
 {
     ARMCPU *arm_cpu = ARM_CPU(cpu);
@@ -XXX,XX +XXX,XX @@ static int hvf_sysreg_write(CPUState *cpu, uint32_t reg, uint64_t val)
                            val);
 
     switch (reg) {
+    case SYSREG_PMCCNTR_EL0:
+        pmu_op_start(env);
+        env->cp15.c15_ccnt = val;
+        pmu_op_finish(env);
+        break;
+    case SYSREG_PMCR_EL0:
+        pmu_op_start(env);
+
+        if (val & PMCRC) {
+            /* The counter has been reset */
+            env->cp15.c15_ccnt = 0;
+        }
+
+        if (val & PMCRP) {
+            unsigned int i;
+            for (i = 0; i < pmu_num_counters(env); i++) {
+                env->cp15.c14_pmevcntr[i] = 0;
+            }
+        }
+
+        env->cp15.c9_pmcr &= ~PMCR_WRITEABLE_MASK;
+        env->cp15.c9_pmcr |= (val & PMCR_WRITEABLE_MASK);
+
+        pmu_op_finish(env);
+        break;
+    case SYSREG_PMUSERENR_EL0:
+        env->cp15.c9_pmuserenr = val & 0xf;
+        break;
+    case SYSREG_PMCNTENSET_EL0:
+        env->cp15.c9_pmcnten |= (val & pmu_counter_mask(env));
+        break;
+    case SYSREG_PMCNTENCLR_EL0:
+        env->cp15.c9_pmcnten &= ~(val & pmu_counter_mask(env));
+        break;
+    case SYSREG_PMINTENCLR_EL1:
+        pmu_op_start(env);
+        env->cp15.c9_pminten |= val;
+        pmu_op_finish(env);
+        break;
+    case SYSREG_PMOVSCLR_EL0:
+        pmu_op_start(env);
+        env->cp15.c9_pmovsr &= ~val;
+        pmu_op_finish(env);
+        break;
+    case SYSREG_PMSWINC_EL0:
+        pmu_op_start(env);
+        pmswinc_write(env, val);
+        pmu_op_finish(env);
+        break;
+    case SYSREG_PMSELR_EL0:
+        env->cp15.c9_pmselr = val & 0x1f;
+        break;
+    case SYSREG_PMCCFILTR_EL0:
+        pmu_op_start(env);
+        env->cp15.pmccfiltr_el0 = val & PMCCFILTR_EL0;
+        pmu_op_finish(env);
+        break;
     case SYSREG_OSLAR_EL1:
         env->cp15.oslsr_el1 = val & 1;
         break;
-- 
2.20.1

Currently gen_jmp_tb() assumes that if it is called then the jump it
is handling is the only reason that we might be trying to end the TB,
so it will use goto_tb if it can.  This is usually the case: mostly
"we did something that means we must end the TB" happens on a
non-branch instruction.  However, there are cases where we decide
early in handling an instruction that we need to end the TB and
return to the main loop, and then the insn is a complex one that
involves gen_jmp_tb().  For instance, for M-profile FP instructions,
in gen_preserve_fp_state() which is called from vfp_access_check() we
want to force an exit to the main loop if lazy state preservation is
active and we are in icount mode.

Make gen_jmp_tb() look at the current value of is_jmp, and only use
goto_tb if the previous is_jmp was DISAS_NEXT or DISAS_TOO_MANY.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20210913095440.13462-2-peter.maydell@linaro.org
---
 target/arm/translate.c | 34 +++++++++++++++++++++++++++++++++-
 1 file changed, 33 insertions(+), 1 deletion(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static inline void gen_jmp_tb(DisasContext *s, uint32_t dest, int tbno)
         /* An indirect jump so that we still trigger the debug exception.  */
         gen_set_pc_im(s, dest);
         s->base.is_jmp = DISAS_JUMP;
-    } else {
+        return;
+    }
+    switch (s->base.is_jmp) {
+    case DISAS_NEXT:
+    case DISAS_TOO_MANY:
+    case DISAS_NORETURN:
+        /*
+         * The normal case: just go to the destination TB.
+         * NB: NORETURN happens if we generate code like
+         *    gen_brcondi(l);
+         *    gen_jmp();
+         *    gen_set_label(l);
+         *    gen_jmp();
+         * on the second call to gen_jmp().
+         */
         gen_goto_tb(s, tbno, dest);
+        break;
+    case DISAS_UPDATE_NOCHAIN:
+    case DISAS_UPDATE_EXIT:
+        /*
+         * We already decided we're leaving the TB for some other reason.
+         * Avoid using goto_tb so we really do exit back to the main loop
+         * and don't chain to another TB.
+         */
+        gen_set_pc_im(s, dest);
+        gen_goto_ptr();
+        s->base.is_jmp = DISAS_NORETURN;
+        break;
+    default:
+        /*
+         * We shouldn't be emitting code for a jump and also have
+         * is_jmp set to one of the special cases like DISAS_SWI.
+         */
+        g_assert_not_reached();
     }
 }
 
-- 
2.20.1

Architecturally, for an M-profile CPU with the LOB feature the
LTPSIZE field in FPDSCR is always constant 4.  QEMU's implementation
enforces this everywhere, except that we don't check that it is true
in incoming migration data.

We're going to add come in gen_update_fp_context() which relies on
the "always 4" property.  Since this is TCG-only, we don't actually
need to be robust to bogus incoming migration data, and the effect of
it being wrong would be wrong code generation rather than a QEMU
crash; but if it did ever happen somehow it would be very difficult
to track down the cause.  Add a check so that we fail the inbound
migration if the FPDSCR.LTPSIZE value is incorrect.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20210913095440.13462-3-peter.maydell@linaro.org
---
 target/arm/machine.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/target/arm/machine.c b/target/arm/machine.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/machine.c
+++ b/target/arm/machine.c
@@ -XXX,XX +XXX,XX @@ static int cpu_post_load(void *opaque, int version_id)
     hw_breakpoint_update_all(cpu);
     hw_watchpoint_update_all(cpu);
 
+    /*
+     * TCG gen_update_fp_context() relies on the invariant that
+     * FPDSCR.LTPSIZE is constant 4 for M-profile with the LOB extension;
+     * forbid bogus incoming data with some other value.
+     */
+    if (arm_feature(env, ARM_FEATURE_M) && cpu_isar_feature(aa32_lob, cpu)) {
+        if (extract32(env->v7m.fpdscr[M_REG_NS],
+                      FPCR_LTPSIZE_SHIFT, FPCR_LTPSIZE_LENGTH) != 4 ||
+            extract32(env->v7m.fpdscr[M_REG_S],
+                      FPCR_LTPSIZE_SHIFT, FPCR_LTPSIZE_LENGTH) != 4) {
+            return -1;
+        }
+    }
     if (!kvm_enabled()) {
         pmu_op_finish(&cpu->env);
     }
-- 
2.20.1

Our current codegen for MVE always calls out to helper functions,
because some byte lanes might be predicated.  The common case is that
in fact there is no predication active and all lanes should be
updated together, so we can produce better code by detecting that and
using the TCG generic vector infrastructure.

Add a TB flag that is set when we can guarantee that there is no
active MVE predication, and a bool in the DisasContext.  Subsequent
patches will use this flag to generate improved code for some
instructions.

In most cases when the predication state changes we simply end the TB
after that instruction.  For the code called from vfp_access_check()
that handles lazy state preservation and creating a new FP context,
we can usually avoid having to try to end the TB because luckily the
new value of the flag following the register changes in those
sequences doesn't depend on any runtime decisions.  We do have to end
the TB if the guest has enabled lazy FP state preservation but not
automatic state preservation, but this is an odd corner case that is
not going to be common in real-world code.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20210913095440.13462-4-peter.maydell@linaro.org
---
 target/arm/cpu.h              |  4 +++-
 target/arm/translate.h        |  2 ++
 target/arm/helper.c           | 33 +++++++++++++++++++++++++++++++++
 target/arm/translate-m-nocp.c |  8 +++++++-
 target/arm/translate-mve.c    | 13 ++++++++++++-
 target/arm/translate-vfp.c    | 33 +++++++++++++++++++++++++++------
 target/arm/translate.c        |  8 ++++++++
 7 files changed, 92 insertions(+), 9 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ typedef ARMCPU ArchCPU;
  * | TBFLAG_AM32 |          +-----+----------+
  * |             |                |TBFLAG_M32|
  * +-------------+----------------+----------+
- *  31         23                5 4        0
+ *  31         23                6 5        0
  *
  * Unless otherwise noted, these bits are cached in env->hflags.
  */
@@ -XXX,XX +XXX,XX @@ FIELD(TBFLAG_M32, LSPACT, 2, 1)                 /* Not cached. */
 FIELD(TBFLAG_M32, NEW_FP_CTXT_NEEDED, 3, 1)     /* Not cached. */
 /* Set if FPCCR.S does not match current security state */
 FIELD(TBFLAG_M32, FPCCR_S_WRONG, 4, 1)          /* Not cached. */
+/* Set if MVE insns are definitely not predicated by VPR or LTPSIZE */
+FIELD(TBFLAG_M32, MVE_NO_PRED, 5, 1)            /* Not cached. */
 
 /*
  * Bit usage when in AArch64 state
diff --git a/target/arm/translate.h b/target/arm/translate.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.h
+++ b/target/arm/translate.h
@@ -XXX,XX +XXX,XX @@ typedef struct DisasContext {
     bool align_mem;
     /* True if PSTATE.IL is set */
     bool pstate_il;
+    /* True if MVE insns are definitely not predicated by VPR or LTPSIZE */
+    bool mve_no_pred;
     /*
      * >= 0, a copy of PSTATE.BTYPE, which will be 0 without v8.5-BTI.
      *  < 0, set by the current instruction.
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static inline void assert_hflags_rebuild_correctly(CPUARMState *env)
 #endif
 }
 
+static bool mve_no_pred(CPUARMState *env)
+{
+    /*
+     * Return true if there is definitely no predication of MVE
+     * instructions by VPR or LTPSIZE. (Returning false even if there
+     * isn't any predication is OK; generated code will just be
+     * a little worse.)
+     * If the CPU does not implement MVE then this TB flag is always 0.
+     *
+     * NOTE: if you change this logic, the "recalculate s->mve_no_pred"
+     * logic in gen_update_fp_context() needs to be updated to match.
+     *
+     * We do not include the effect of the ECI bits here -- they are
+     * tracked in other TB flags. This simplifies the logic for
+     * "when did we emit code that changes the MVE_NO_PRED TB flag
+     * and thus need to end the TB?".
+     */
+    if (cpu_isar_feature(aa32_mve, env_archcpu(env))) {
+        return false;
+    }
+    if (env->v7m.vpr) {
+        return false;
+    }
+    if (env->v7m.ltpsize < 4) {
+        return false;
+    }
+    return true;
+}
+
 void cpu_get_tb_cpu_state(CPUARMState *env, target_ulong *pc,
                           target_ulong *cs_base, uint32_t *pflags)
 {
@@ -XXX,XX +XXX,XX @@ void cpu_get_tb_cpu_state(CPUARMState *env, target_ulong *pc,
             if (env->v7m.fpccr[is_secure] & R_V7M_FPCCR_LSPACT_MASK) {
                 DP_TBFLAG_M32(flags, LSPACT, 1);
             }
+
+            if (mve_no_pred(env)) {
+                DP_TBFLAG_M32(flags, MVE_NO_PRED, 1);
+            }
         } else {
             /*
              * Note that XSCALE_CPAR shares bits with VECSTRIDE.
diff --git a/target/arm/translate-m-nocp.c b/target/arm/translate-m-nocp.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-m-nocp.c
+++ b/target/arm/translate-m-nocp.c
@@ -XXX,XX +XXX,XX @@ static bool trans_VLLDM_VLSTM(DisasContext *s, arg_VLLDM_VLSTM *a)
 
     clear_eci_state(s);
 
-    /* End the TB, because we have updated FP control bits */
+    /*
+     * End the TB, because we have updated FP control bits,
+     * and possibly VPR or LTPSIZE.
+     */
     s->base.is_jmp = DISAS_UPDATE_EXIT;
     return true;
 }
@@ -XXX,XX +XXX,XX @@ static bool gen_M_fp_sysreg_write(DisasContext *s, int regno,
         store_cpu_field(control, v7m.control[M_REG_S]);
         tcg_gen_andi_i32(tmp, tmp, ~FPCR_NZCV_MASK);
         gen_helper_vfp_set_fpscr(cpu_env, tmp);
+        s->base.is_jmp = DISAS_UPDATE_NOCHAIN;
         tcg_temp_free_i32(tmp);
         tcg_temp_free_i32(sfpa);
         break;
@@ -XXX,XX +XXX,XX @@ static bool gen_M_fp_sysreg_write(DisasContext *s, int regno,
         }
         tmp = loadfn(s, opaque, true);
         store_cpu_field(tmp, v7m.vpr);
+        s->base.is_jmp = DISAS_UPDATE_NOCHAIN;
         break;
     case ARM_VFP_P0:
     {
@@ -XXX,XX +XXX,XX @@ static bool gen_M_fp_sysreg_write(DisasContext *s, int regno,
         tcg_gen_deposit_i32(vpr, vpr, tmp,
                             R_V7M_VPR_P0_SHIFT, R_V7M_VPR_P0_LENGTH);
         store_cpu_field(vpr, v7m.vpr);
+        s->base.is_jmp = DISAS_UPDATE_NOCHAIN;
         tcg_temp_free_i32(tmp);
         break;
     }
diff --git a/target/arm/translate-mve.c b/target/arm/translate-mve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-mve.c
+++ b/target/arm/translate-mve.c
@@ -XXX,XX +XXX,XX @@ DO_LOGIC(VORR, gen_helper_mve_vorr)
 DO_LOGIC(VORN, gen_helper_mve_vorn)
 DO_LOGIC(VEOR, gen_helper_mve_veor)
 
-DO_LOGIC(VPSEL, gen_helper_mve_vpsel)
+static bool trans_VPSEL(DisasContext *s, arg_2op *a)
+{
+    /* This insn updates predication bits */
+    s->base.is_jmp = DISAS_UPDATE_NOCHAIN;
+    return do_2op(s, a, gen_helper_mve_vpsel);
+}
 
 #define DO_2OP(INSN, FN) \
     static bool trans_##INSN(DisasContext *s, arg_2op *a)       \
@@ -XXX,XX +XXX,XX @@ static bool trans_VPNOT(DisasContext *s, arg_VPNOT *a)
     }
 
     gen_helper_mve_vpnot(cpu_env);
+    /* This insn updates predication bits */
+    s->base.is_jmp = DISAS_UPDATE_NOCHAIN;
     mve_update_eci(s);
     return true;
 }
@@ -XXX,XX +XXX,XX @@ static bool do_vcmp(DisasContext *s, arg_vcmp *a, MVEGenCmpFn *fn)
         /* VPT */
         gen_vpst(s, a->mask);
     }
+    /* This insn updates predication bits */
+    s->base.is_jmp = DISAS_UPDATE_NOCHAIN;
     mve_update_eci(s);
     return true;
 }
@@ -XXX,XX +XXX,XX @@ static bool do_vcmp_scalar(DisasContext *s, arg_vcmp_scalar *a,
         /* VPT */
         gen_vpst(s, a->mask);
     }
+    /* This insn updates predication bits */
+    s->base.is_jmp = DISAS_UPDATE_NOCHAIN;
     mve_update_eci(s);
     return true;
 }
diff --git a/target/arm/translate-vfp.c b/target/arm/translate-vfp.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-vfp.c
+++ b/target/arm/translate-vfp.c
@@ -XXX,XX +XXX,XX @@ static inline long vfp_f16_offset(unsigned reg, bool top)
  * Generate code for M-profile lazy FP state preservation if needed;
  * this corresponds to the pseudocode PreserveFPState() function.
  */
-static void gen_preserve_fp_state(DisasContext *s)
+static void gen_preserve_fp_state(DisasContext *s, bool skip_context_update)
 {
     if (s->v7m_lspact) {
         /*
@@ -XXX,XX +XXX,XX @@ static void gen_preserve_fp_state(DisasContext *s)
          * any further FP insns in this TB.
          */
         s->v7m_lspact = false;
+        /*
+         * The helper might have zeroed VPR, so we do not know the
+         * correct value for the MVE_NO_PRED TB flag any more.
+         * If we're about to create a new fp context then that
+         * will precisely determine the MVE_NO_PRED value (see
+         * gen_update_fp_context()). Otherwise, we must:
+         *  - set s->mve_no_pred to false, so this instruction
+         *    is generated to use helper functions
+         *  - end the TB now, without chaining to the next TB
+         */
+        if (skip_context_update || !s->v7m_new_fp_ctxt_needed) {
+            s->mve_no_pred = false;
+            s->base.is_jmp = DISAS_UPDATE_NOCHAIN;
+        }
     }
 }
 
@@ -XXX,XX +XXX,XX @@ static void gen_update_fp_context(DisasContext *s)
             TCGv_i32 z32 = tcg_const_i32(0);
             store_cpu_field(z32, v7m.vpr);
         }
-
         /*
-         * We don't need to arrange to end the TB, because the only
-         * parts of FPSCR which we cache in the TB flags are the VECLEN
-         * and VECSTRIDE, and those don't exist for M-profile.
+         * We just updated the FPSCR and VPR. Some of this state is cached
+         * in the MVE_NO_PRED TB flag. We want to avoid having to end the
+         * TB here, which means we need the new value of the MVE_NO_PRED
+         * flag to be exactly known here and the same for all executions.
+         * Luckily FPDSCR.LTPSIZE is always constant 4 and the VPR is
+         * always set to 0, so the new MVE_NO_PRED flag is always 1
+         * if and only if we have MVE.
+         *
+         * (The other FPSCR state cached in TB flags is VECLEN and VECSTRIDE,
+         * but those do not exist for M-profile, so are not relevant here.)
          */
+        s->mve_no_pred = dc_isar_feature(aa32_mve, s);
 
         if (s->v8m_secure) {
             bits |= R_V7M_CONTROL_SFPA_MASK;
@@ -XXX,XX +XXX,XX @@ bool vfp_access_check_m(DisasContext *s, bool skip_context_update)
     /* Handle M-profile lazy FP state mechanics */
 
     /* Trigger lazy-state preservation if necessary */
-    gen_preserve_fp_state(s);
+    gen_preserve_fp_state(s, skip_context_update);
 
     if (!skip_context_update) {
         /* Update ownership of FP context and create new FP context if needed */
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static bool trans_DLS(DisasContext *s, arg_DLS *a)
         /* DLSTP: set FPSCR.LTPSIZE */
         tmp = tcg_const_i32(a->size);
         store_cpu_field(tmp, v7m.ltpsize);
+        s->base.is_jmp = DISAS_UPDATE_NOCHAIN;
     }
     return true;
 }
@@ -XXX,XX +XXX,XX @@ static bool trans_WLS(DisasContext *s, arg_WLS *a)
         assert(ok);
         tmp = tcg_const_i32(a->size);
         store_cpu_field(tmp, v7m.ltpsize);
+        /*
+         * LTPSIZE updated, but MVE_NO_PRED will always be the same thing (0)
+         * when we take this upcoming exit from this TB, so gen_jmp_tb() is OK.
+         */
     }
     gen_jmp_tb(s, s->base.pc_next, 1);
 
@@ -XXX,XX +XXX,XX @@ static bool trans_VCTP(DisasContext *s, arg_VCTP *a)
     gen_helper_mve_vctp(cpu_env, masklen);
     tcg_temp_free_i32(masklen);
     tcg_temp_free_i32(rn_shifted);
+    /* This insn updates predication bits */
+    s->base.is_jmp = DISAS_UPDATE_NOCHAIN;
     mve_update_eci(s);
     return true;
 }
@@ -XXX,XX +XXX,XX @@ static void arm_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
         dc->v7m_new_fp_ctxt_needed =
             EX_TBFLAG_M32(tb_flags, NEW_FP_CTXT_NEEDED);
         dc->v7m_lspact = EX_TBFLAG_M32(tb_flags, LSPACT);
+        dc->mve_no_pred = EX_TBFLAG_M32(tb_flags, MVE_NO_PRED);
     } else {
         dc->debug_target_el = EX_TBFLAG_ANY(tb_flags, DEBUG_TARGET_EL);
         dc->sctlr_b = EX_TBFLAG_A32(tb_flags, SCTLR__B);
-- 
2.20.1

When not predicating, implement the MVE bitwise logical insns
directly using TCG vector operations.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20210913095440.13462-5-peter.maydell@linaro.org
---
 target/arm/translate-mve.c | 51 +++++++++++++++++++++++++++-----------
 1 file changed, 36 insertions(+), 15 deletions(-)

diff --git a/target/arm/translate-mve.c b/target/arm/translate-mve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-mve.c
+++ b/target/arm/translate-mve.c
@@ -XXX,XX +XXX,XX @@ static TCGv_ptr mve_qreg_ptr(unsigned reg)
     return ret;
 }
 
+static bool mve_no_predication(DisasContext *s)
+{
+    /*
+     * Return true if we are executing the entire MVE instruction
+     * with no predication or partial-execution, and so we can safely
+     * use an inline TCG vector implementation.
+     */
+    return s->eci == 0 && s->mve_no_pred;
+}
+
 static bool mve_check_qreg_bank(DisasContext *s, int qmask)
 {
     /*
@@ -XXX,XX +XXX,XX @@ static bool trans_VNEG_fp(DisasContext *s, arg_1op *a)
     return do_1op(s, a, fns[a->size]);
 }
 
-static bool do_2op(DisasContext *s, arg_2op *a, MVEGenTwoOpFn fn)
+static bool do_2op_vec(DisasContext *s, arg_2op *a, MVEGenTwoOpFn fn,
+                       GVecGen3Fn *vecfn)
 {
     TCGv_ptr qd, qn, qm;
 
@@ -XXX,XX +XXX,XX @@ static bool do_2op(DisasContext *s, arg_2op *a, MVEGenTwoOpFn fn)
         return true;
     }
 
-    qd = mve_qreg_ptr(a->qd);
-    qn = mve_qreg_ptr(a->qn);
-    qm = mve_qreg_ptr(a->qm);
-    fn(cpu_env, qd, qn, qm);
-    tcg_temp_free_ptr(qd);
-    tcg_temp_free_ptr(qn);
-    tcg_temp_free_ptr(qm);
+    if (vecfn && mve_no_predication(s)) {
+        vecfn(a->size, mve_qreg_offset(a->qd), mve_qreg_offset(a->qn),
+              mve_qreg_offset(a->qm), 16, 16);
+    } else {
+        qd = mve_qreg_ptr(a->qd);
+        qn = mve_qreg_ptr(a->qn);
+        qm = mve_qreg_ptr(a->qm);
+        fn(cpu_env, qd, qn, qm);
+        tcg_temp_free_ptr(qd);
+        tcg_temp_free_ptr(qn);
+        tcg_temp_free_ptr(qm);
+    }
     mve_update_eci(s);
     return true;
 }
 
-#define DO_LOGIC(INSN, HELPER)                                  \
+static bool do_2op(DisasContext *s, arg_2op *a, MVEGenTwoOpFn *fn)
+{
+    return do_2op_vec(s, a, fn, NULL);
+}
+
+#define DO_LOGIC(INSN, HELPER, VECFN)                           \
     static bool trans_##INSN(DisasContext *s, arg_2op *a)       \
     {                                                           \
-        return do_2op(s, a, HELPER);                            \
+        return do_2op_vec(s, a, HELPER, VECFN);                 \
     }
 
-DO_LOGIC(VAND, gen_helper_mve_vand)
-DO_LOGIC(VBIC, gen_helper_mve_vbic)
-DO_LOGIC(VORR, gen_helper_mve_vorr)
-DO_LOGIC(VORN, gen_helper_mve_vorn)
-DO_LOGIC(VEOR, gen_helper_mve_veor)
+DO_LOGIC(VAND, gen_helper_mve_vand, tcg_gen_gvec_and)
+DO_LOGIC(VBIC, gen_helper_mve_vbic, tcg_gen_gvec_andc)
+DO_LOGIC(VORR, gen_helper_mve_vorr, tcg_gen_gvec_or)
+DO_LOGIC(VORN, gen_helper_mve_vorn, tcg_gen_gvec_orc)
+DO_LOGIC(VEOR, gen_helper_mve_veor, tcg_gen_gvec_xor)
 
 static bool trans_VPSEL(DisasContext *s, arg_2op *a)
 {
-- 
2.20.1

Optimize MVE arithmetic ops when we have a TCG
vector operation we can use.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20210913095440.13462-6-peter.maydell@linaro.org
---
 target/arm/translate-mve.c | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

Optimize the MVE VNEG and VABS insns by using TCG
vector ops when possible.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20210913095440.13462-7-peter.maydell@linaro.org
---
 target/arm/translate-mve.c | 32 ++++++++++++++++++++++----------
 1 file changed, 22 insertions(+), 10 deletions(-)

Optimize the MVE VDUP insns by using TCG vector ops when possible.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20210913095440.13462-8-peter.maydell@linaro.org
---
 target/arm/translate-mve.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/target/arm/translate-mve.c b/target/arm/translate-mve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-mve.c
+++ b/target/arm/translate-mve.c
@@ -XXX,XX +XXX,XX @@ static bool trans_VDUP(DisasContext *s, arg_VDUP *a)
         return true;
     }
 
-    qd = mve_qreg_ptr(a->qd);
     rt = load_reg(s, a->rt);
-    tcg_gen_dup_i32(a->size, rt, rt);
-    gen_helper_mve_vdup(cpu_env, qd, rt);
-    tcg_temp_free_ptr(qd);
+    if (mve_no_predication(s)) {
+        tcg_gen_gvec_dup_i32(a->size, mve_qreg_offset(a->qd), 16, 16, rt);
+    } else {
+        qd = mve_qreg_ptr(a->qd);
+        tcg_gen_dup_i32(a->size, rt, rt);
+        gen_helper_mve_vdup(cpu_env, qd, rt);
+        tcg_temp_free_ptr(qd);
+    }
     tcg_temp_free_i32(rt);
     mve_update_eci(s);
     return true;
-- 
2.20.1

Optimize the MVE VSHL and VSHR immediate forms by using TCG vector
ops when possible.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20210913095440.13462-10-peter.maydell@linaro.org
---
 target/arm/translate-mve.c | 83 +++++++++++++++++++++++++++++---------
 1 file changed, 63 insertions(+), 20 deletions(-)

diff --git a/target/arm/translate-mve.c b/target/arm/translate-mve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-mve.c
+++ b/target/arm/translate-mve.c
@@ -XXX,XX +XXX,XX @@ static bool trans_Vimm_1r(DisasContext *s, arg_1imm *a)
     return do_1imm(s, a, fn);
 }
 
-static bool do_2shift(DisasContext *s, arg_2shift *a, MVEGenTwoOpShiftFn fn,
-                      bool negateshift)
+static bool do_2shift_vec(DisasContext *s, arg_2shift *a, MVEGenTwoOpShiftFn fn,
+                          bool negateshift, GVecGen2iFn vecfn)
 {
     TCGv_ptr qd, qm;
     int shift = a->shift;
@@ -XXX,XX +XXX,XX @@ static bool do_2shift(DisasContext *s, arg_2shift *a, MVEGenTwoOpShiftFn fn,
         shift = -shift;
     }
 
-    qd = mve_qreg_ptr(a->qd);
-    qm = mve_qreg_ptr(a->qm);
-    fn(cpu_env, qd, qm, tcg_constant_i32(shift));
-    tcg_temp_free_ptr(qd);
-    tcg_temp_free_ptr(qm);
+    if (vecfn && mve_no_predication(s)) {
+        vecfn(a->size, mve_qreg_offset(a->qd), mve_qreg_offset(a->qm),
+              shift, 16, 16);
+    } else {
+        qd = mve_qreg_ptr(a->qd);
+        qm = mve_qreg_ptr(a->qm);
+        fn(cpu_env, qd, qm, tcg_constant_i32(shift));
+        tcg_temp_free_ptr(qd);
+        tcg_temp_free_ptr(qm);
+    }
     mve_update_eci(s);
     return true;
 }
 
-#define DO_2SHIFT(INSN, FN, NEGATESHIFT)                         \
-    static bool trans_##INSN(DisasContext *s, arg_2shift *a)    \
-    {                                                           \
-        static MVEGenTwoOpShiftFn * const fns[] = {             \
-            gen_helper_mve_##FN##b,                             \
-            gen_helper_mve_##FN##h,                             \
-            gen_helper_mve_##FN##w,                             \
-            NULL,                                               \
-        };                                                      \
-        return do_2shift(s, a, fns[a->size], NEGATESHIFT);      \
+static bool do_2shift(DisasContext *s, arg_2shift *a, MVEGenTwoOpShiftFn fn,
+                      bool negateshift)
+{
+    return do_2shift_vec(s, a, fn, negateshift, NULL);
+}
+
+#define DO_2SHIFT_VEC(INSN, FN, NEGATESHIFT, VECFN)                     \
+    static bool trans_##INSN(DisasContext *s, arg_2shift *a)            \
+    {                                                                   \
+        static MVEGenTwoOpShiftFn * const fns[] = {                     \
+            gen_helper_mve_##FN##b,                                     \
+            gen_helper_mve_##FN##h,                                     \
+            gen_helper_mve_##FN##w,                                     \
+            NULL,                                                       \
+        };                                                              \
+        return do_2shift_vec(s, a, fns[a->size], NEGATESHIFT, VECFN);   \
     }
 
-DO_2SHIFT(VSHLI, vshli_u, false)
+#define DO_2SHIFT(INSN, FN, NEGATESHIFT)        \
+    DO_2SHIFT_VEC(INSN, FN, NEGATESHIFT, NULL)
+
+static void do_gvec_shri_s(unsigned vece, uint32_t dofs, uint32_t aofs,
+                           int64_t shift, uint32_t oprsz, uint32_t maxsz)
+{
+    /*
+     * We get here with a negated shift count, and we must handle
+     * shifts by the element size, which tcg_gen_gvec_sari() does not do.
+     */
+    shift = -shift;
+    if (shift == (8 << vece)) {
+        shift--;
+    }
+    tcg_gen_gvec_sari(vece, dofs, aofs, shift, oprsz, maxsz);
+}
+
+static void do_gvec_shri_u(unsigned vece, uint32_t dofs, uint32_t aofs,
+                           int64_t shift, uint32_t oprsz, uint32_t maxsz)
+{
+    /*
+     * We get here with a negated shift count, and we must handle
+     * shifts by the element size, which tcg_gen_gvec_shri() does not do.
+     */
+    shift = -shift;
+    if (shift == (8 << vece)) {
+        tcg_gen_gvec_dup_imm(vece, dofs, oprsz, maxsz, 0);
+    } else {
+        tcg_gen_gvec_shri(vece, dofs, aofs, shift, oprsz, maxsz);
+    }
+}
+
+DO_2SHIFT_VEC(VSHLI, vshli_u, false, tcg_gen_gvec_shli)
 DO_2SHIFT(VQSHLI_S, vqshli_s, false)
 DO_2SHIFT(VQSHLI_U, vqshli_u, false)
 DO_2SHIFT(VQSHLUI, vqshlui_s, false)
 /* These right shifts use a left-shift helper with negated shift count */
-DO_2SHIFT(VSHRI_S, vshli_s, true)
-DO_2SHIFT(VSHRI_U, vshli_u, true)
+DO_2SHIFT_VEC(VSHRI_S, vshli_s, true, do_gvec_shri_s)
+DO_2SHIFT_VEC(VSHRI_U, vshli_u, true, do_gvec_shri_u)
 DO_2SHIFT(VRSHRI_S, vrshli_s, true)
 DO_2SHIFT(VRSHRI_U, vrshli_u, true)
 
-- 
2.20.1

Optimize the MVE VSHLL insns by using TCG vector ops when possible.
This includes the VMOVL insn, which we handle in mve.decode as "VSHLL
with zero shift count".

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20210913095440.13462-11-peter.maydell@linaro.org
---
 target/arm/translate-mve.c | 67 +++++++++++++++++++++++++++++++++-----
 1 file changed, 59 insertions(+), 8 deletions(-)

diff --git a/target/arm/translate-mve.c b/target/arm/translate-mve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-mve.c
+++ b/target/arm/translate-mve.c
@@ -XXX,XX +XXX,XX @@ DO_2SHIFT_SCALAR(VQSHL_U_scalar, vqshli_u)
 DO_2SHIFT_SCALAR(VQRSHL_S_scalar, vqrshli_s)
 DO_2SHIFT_SCALAR(VQRSHL_U_scalar, vqrshli_u)
 
-#define DO_VSHLL(INSN, FN)                                      \
-    static bool trans_##INSN(DisasContext *s, arg_2shift *a)    \
-    {                                                           \
-        static MVEGenTwoOpShiftFn * const fns[] = {             \
-            gen_helper_mve_##FN##b,                             \
-            gen_helper_mve_##FN##h,                             \
-        };                                                      \
-        return do_2shift(s, a, fns[a->size], false);            \
+#define DO_VSHLL(INSN, FN)                                              \
+    static bool trans_##INSN(DisasContext *s, arg_2shift *a)            \
+    {                                                                   \
+        static MVEGenTwoOpShiftFn * const fns[] = {                     \
+            gen_helper_mve_##FN##b,                                     \
+            gen_helper_mve_##FN##h,                                     \
+        };                                                              \
+        return do_2shift_vec(s, a, fns[a->size], false, do_gvec_##FN);  \
     }
 
+/*
+ * For the VSHLL vector helpers, the vece is the size of the input
+ * (ie MO_8 or MO_16); the helpers want to work in the output size.
+ * The shift count can be 0..<input size>, inclusive. (0 is VMOVL.)
+ */
+static void do_gvec_vshllbs(unsigned vece, uint32_t dofs, uint32_t aofs,
+                            int64_t shift, uint32_t oprsz, uint32_t maxsz)
+{
+    unsigned ovece = vece + 1;
+    unsigned ibits = vece == MO_8 ? 8 : 16;
+    tcg_gen_gvec_shli(ovece, dofs, aofs, ibits, oprsz, maxsz);
+    tcg_gen_gvec_sari(ovece, dofs, dofs, ibits - shift, oprsz, maxsz);
+}
+
+static void do_gvec_vshllbu(unsigned vece, uint32_t dofs, uint32_t aofs,
+                            int64_t shift, uint32_t oprsz, uint32_t maxsz)
+{
+    unsigned ovece = vece + 1;
+    tcg_gen_gvec_andi(ovece, dofs, aofs,
+                      ovece == MO_16 ? 0xff : 0xffff, oprsz, maxsz);
+    tcg_gen_gvec_shli(ovece, dofs, dofs, shift, oprsz, maxsz);
+}
+
+static void do_gvec_vshllts(unsigned vece, uint32_t dofs, uint32_t aofs,
+                            int64_t shift, uint32_t oprsz, uint32_t maxsz)
+{
+    unsigned ovece = vece + 1;
+    unsigned ibits = vece == MO_8 ? 8 : 16;
+    if (shift == 0) {
+        tcg_gen_gvec_sari(ovece, dofs, aofs, ibits, oprsz, maxsz);
+    } else {
+        tcg_gen_gvec_andi(ovece, dofs, aofs,
+                          ovece == MO_16 ? 0xff00 : 0xffff0000, oprsz, maxsz);
+        tcg_gen_gvec_sari(ovece, dofs, dofs, ibits - shift, oprsz, maxsz);
+    }
+}
+
+static void do_gvec_vshlltu(unsigned vece, uint32_t dofs, uint32_t aofs,
+                            int64_t shift, uint32_t oprsz, uint32_t maxsz)
+{
+    unsigned ovece = vece + 1;
+    unsigned ibits = vece == MO_8 ? 8 : 16;
+    if (shift == 0) {
+        tcg_gen_gvec_shri(ovece, dofs, aofs, ibits, oprsz, maxsz);
+    } else {
+        tcg_gen_gvec_andi(ovece, dofs, aofs,
+                          ovece == MO_16 ? 0xff00 : 0xffff0000, oprsz, maxsz);
+        tcg_gen_gvec_shri(ovece, dofs, dofs, ibits - shift, oprsz, maxsz);
+    }
+}
+
 DO_VSHLL(VSHLL_BS, vshllbs)
 DO_VSHLL(VSHLL_BU, vshllbu)
 DO_VSHLL(VSHLL_TS, vshllts)
-- 
2.20.1

Optimize the MVE 1op-immediate insns (VORR, VBIC, VMOV) to
use TCG vector ops when possible.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20210913095440.13462-13-peter.maydell@linaro.org
---
 target/arm/translate-mve.c | 26 +++++++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)