Series comparison

-[Qemu-devel] [PULL 00/13] target-arm queue
+[PULL 0/8] target-arm queue
-Arm patch queue -- these are all bug fix patches but we might
+Handful of bugfixes for rc2. None of these are particularly critical
-as well put them in to rc0...
+or exciting.
-thanks
 -- PMM
-The following changes since commit 2c8cfc0b52b5a4d123c26c0b5fdf941be24805be:
+The following changes since commit 45a150aa2b3492acf6691c7bdbeb25a8545d8345:
-  Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging (2018-03-19 11:44:26 +0000)
+  Merge remote-tracking branch 'remotes/ericb/tags/pull-bitmaps-2020-08-03' into staging (2020-08-03 15:13:49 +0100)
 are available in the Git repository at:
-  git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20180319
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20200803
-for you to fetch changes up to ff72cb6b46b95bb530787add5277c211af3d31c6:
+for you to fetch changes up to 13557fd392890cbd985bceba7f717e01efd674b8:
-  hw/arm/raspi: Provide spin-loop code for AArch64 CPUs (2018-03-19 18:23:24 +0000)
+  hw/timer/imx_epit: Avoid assertion when CR.SWR is written (2020-08-03 17:56:11 +0100)
 ----------------------------------------------------------------
 target-arm queue:
- * fsl-imx6: Fix incorrect Ethernet interrupt defines
+ * hw/timer/imx_epit: Avoid assertion when CR.SWR is written
- * dump: Update correct kdump phys_base field for AArch64
+ * netduino2, netduinoplus2, microbit: set system_clock_scale so that
- * char: i.MX: Add support for "TX complete" interrupt
+   SysTick running on the CPU clock works
- * bcm2836/raspi: Fix various bugs resulting in panics trying
+ * target/arm: Avoid maybe-uninitialized warning with gcc 4.9
-   to boot a Debian Linux kernel on raspi3
+ * target/arm: Fix AddPAC error indication
  * Make AIRCR.SYSRESETREQ actually reset the system for the
    microbit, mps2-*, musca-*, netduino* boards
 ----------------------------------------------------------------
-Andrey Smirnov (2):
+Kaige Li (1):
-      char: i.MX: Simplify imx_update()
+      target/arm: Avoid maybe-uninitialized warning with gcc 4.9
       char: i.MX: Add support for "TX complete" interrupt
-Guenter Roeck (1):
+Peter Maydell (6):
-      fsl-imx6: Swap Ethernet interrupt defines
+      hw/arm/netduino2, netduinoplus2: Set system_clock_scale
       include/hw/irq.h: New function qemu_irq_is_connected()
       hw/intc/armv7m_nvic: Provide default "reset the system" behaviour for SYSRESETREQ
       msf2-soc, stellaris: Don't wire up SYSRESETREQ
       hw/arm/nrf51_soc: Set system_clock_scale
       hw/timer/imx_epit: Avoid assertion when CR.SWR is written
-Peter Maydell (9):
+Richard Henderson (1):
-      hw/arm/raspi: Don't do board-setup or secure-boot for raspi3
+      target/arm: Fix AddPAC error indication
       hw/arm/boot: assert that secure_boot and secure_board_setup are false for AArch64
       hw/arm/boot: If booting a kernel in EL2, set SCR_EL3.HCE
       hw/arm/bcm2386: Fix parent type of bcm2386
       hw/arm/bcm2836: Rename bcm2836 type/struct to bcm283x
       hw/arm/bcm2836: Create proper bcm2837 device
       hw/arm/bcm2836: Use correct affinity values for BCM2837
       hw/arm/bcm2836: Hardcode correct CPU type
       hw/arm/raspi: Provide spin-loop code for AArch64 CPUs
-Wei Huang (1):
+ include/hw/arm/armv7m.h           |  4 +++-
-      dump: Update correct kdump phys_base field for AArch64
+ include/hw/irq.h                  | 18 ++++++++++++++++++
  hw/arm/msf2-soc.c                 | 11 -----------
  hw/arm/netduino2.c                | 10 ++++++++++
  hw/arm/netduinoplus2.c            | 10 ++++++++++
  hw/arm/nrf51_soc.c                |  5 +++++
  hw/arm/stellaris.c                | 12 ------------
  hw/intc/armv7m_nvic.c             | 17 ++++++++++++++++-
  hw/timer/imx_epit.c               | 13 ++++++++++---
  target/arm/pauth_helper.c         |  6 +++++-
  target/arm/translate-a64.c        |  2 +-
  tests/tcg/aarch64/pauth-5.c       | 33 +++++++++++++++++++++++++++++++++
  tests/tcg/aarch64/Makefile.target |  2 +-
 files changed, 112 insertions(+), 31 deletions(-)
  create mode 100644 tests/tcg/aarch64/pauth-5.c
- include/hw/arm/bcm2836.h     | 31 +++++++++++++---
- include/hw/arm/fsl-imx6.h    |  4 +-
- include/hw/char/imx_serial.h |  3 ++
- dump.c                       | 14 +++++--
- hw/arm/bcm2836.c             | 87 +++++++++++++++++++++++++++++++-------------
- hw/arm/boot.c                | 12 ++++++
- hw/arm/raspi.c               | 77 +++++++++++++++++++++++++++++++--------
- hw/char/imx_serial.c         | 44 ++++++++++++++++------
- hw/net/imx_fec.c             | 28 +++++++++++++-
-files changed, 237 insertions(+), 63 deletions(-)

-[Qemu-devel] [PULL 12/13] hw/arm/bcm2836: Hardcode correct CPU type
+[PULL 1/8] hw/arm/netduino2, netduinoplus2: Set system_clock_scale
-Now we have separate types for BCM2386 and BCM2387, we might as well
+The netduino2 and netduinoplus2 boards forgot to set the system_clock_scale
-just hard-code the CPU type they use rather than having it passed
+global, which meant that if guest code used the systick timer in "use
-through as an object property. This then lets us put the initialization
+the processor clock" mode it would hang because time never advances.
 of the CPU object in init rather than realize.
-Note that this change means that it's no longer possible on
+Set the global to match the documented CPU clock speed of these boards.
-the command line to use -cpu to ask for a different kind of
+Judging by the data sheet this is slightly simplistic because the
-CPU than the SoC supports. This was never a supported thing to
+SoC allows configuration of the SYSCLK source and frequency via the
-do anyway; we were just not sanity-checking the command line.
+RCC (reset and clock control) module, but we don't model that.
-This does require us to only build the bcm2837 object on
+Fixes: https://bugs.launchpad.net/qemu/+bug/1876187
-TARGET_AARCH64 configs, since otherwise it won't instantiate
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-due to the missing cortex-a53 device and "make check" will fail.
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
 Message-id: 20200727162617.26227-1-peter.maydell@linaro.org
 ---
  hw/arm/netduino2.c     | 10 ++++++++++
  hw/arm/netduinoplus2.c | 10 ++++++++++
 files changed, 20 insertions(+)
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+diff --git a/hw/arm/netduino2.c b/hw/arm/netduino2.c
 Reviewed-by: Andrew Baumann <Andrew.Baumann@microsoft.com>
 Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Message-id: 20180313153458.26822-9-peter.maydell@linaro.org
 ---
  hw/arm/bcm2836.c | 24 +++++++++++++++---------
  hw/arm/raspi.c   |  2 --
 files changed, 15 insertions(+), 11 deletions(-)
 diff --git a/hw/arm/bcm2836.c b/hw/arm/bcm2836.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/bcm2836.c
+--- a/hw/arm/netduino2.c
-+++ b/hw/arm/bcm2836.c
++++ b/hw/arm/netduino2.c
 @@ -XXX,XX +XXX,XX @@
+ #include "hw/arm/stm32f205_soc.h"
- struct BCM283XInfo {
+ #include "hw/arm/boot.h"
-     const char *name;
-+    const char *cpu_type;
++/* Main SYSCLK frequency in Hz (120MHz) */
-     int clusterid;
++#define SYSCLK_FRQ 120000000ULL
- };
++
+ static void netduino2_init(MachineState *machine)
  static const BCM283XInfo bcm283x_socs[] = {
      {
          .name = TYPE_BCM2836,
 +        .cpu_type = ARM_CPU_TYPE_NAME("cortex-a15"),
          .clusterid = 0xf,
      },
 +#ifdef TARGET_AARCH64
      {
          .name = TYPE_BCM2837,
 +        .cpu_type = ARM_CPU_TYPE_NAME("cortex-a53"),
          .clusterid = 0x0,
      },
 +#endif
  };
  static void bcm2836_init(Object *obj)
  {
-     BCM283XState *s = BCM283X(obj);
+     DeviceState *dev;
-+    BCM283XClass *bc = BCM283X_GET_CLASS(obj);
-+    const BCM283XInfo *info = bc->info;
++    /*
-+    int n;
++     * TODO: ideally we would model the SoC RCC and let it handle
 +     * system_clock_scale, including its ability to define different
 +     * possible SYSCLK sources.
 +     */
 +    system_clock_scale = NANOSECONDS_PER_SECOND / SYSCLK_FRQ;
 +
-+    for (n = 0; n < BCM283X_NCPUS; n++) {
+     dev = qdev_new(TYPE_STM32F205_SOC);
-+        object_initialize(&s->cpus[n], sizeof(s->cpus[n]),
+     qdev_prop_set_string(dev, "cpu-type", ARM_CPU_TYPE_NAME("cortex-m3"));
-+                          info->cpu_type);
+     sysbus_realize_and_unref(SYS_BUS_DEVICE(dev), &error_fatal);
-+        object_property_add_child(obj, "cpu[*]", OBJECT(&s->cpus[n]),
+diff --git a/hw/arm/netduinoplus2.c b/hw/arm/netduinoplus2.c
 +                                  &error_abort);
 +    }
      object_initialize(&s->control, sizeof(s->control), TYPE_BCM2836_CONTROL);
      object_property_add_child(obj, "control", OBJECT(&s->control), NULL);
@@ -XXX,XX +XXX,XX @@ static void bcm2836_realize(DeviceState *dev, Error **errp)
      /* common peripherals from bcm2835 */
 -    obj = OBJECT(dev);
 -    for (n = 0; n < BCM283X_NCPUS; n++) {
 -        object_initialize(&s->cpus[n], sizeof(s->cpus[n]),
 -                          s->cpu_type);
 -        object_property_add_child(obj, "cpu[*]", OBJECT(&s->cpus[n]),
 -                                  &error_abort);
 -    }
 -
      obj = object_property_get_link(OBJECT(dev), "ram", &err);
      if (obj == NULL) {
          error_setg(errp, "%s: required ram link not found: %s",
@@ -XXX,XX +XXX,XX @@ static void bcm2836_realize(DeviceState *dev, Error **errp)
  }
  static Property bcm2836_props[] = {
 -    DEFINE_PROP_STRING("cpu-type", BCM283XState, cpu_type),
      DEFINE_PROP_UINT32("enabled-cpus", BCM283XState, enabled_cpus,
                         BCM283X_NCPUS),
      DEFINE_PROP_END_OF_LIST()
 diff --git a/hw/arm/raspi.c b/hw/arm/raspi.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/raspi.c
+--- a/hw/arm/netduinoplus2.c
-+++ b/hw/arm/raspi.c
++++ b/hw/arm/netduinoplus2.c
-@@ -XXX,XX +XXX,XX @@ static void raspi_init(MachineState *machine, int version)
+@@ -XXX,XX +XXX,XX @@
-     /* Setup the SOC */
+ #include "hw/arm/stm32f405_soc.h"
-     object_property_add_const_link(OBJECT(&s->soc), "ram", OBJECT(&s->ram),
+ #include "hw/arm/boot.h"
-                                    &error_abort);
--    object_property_set_str(OBJECT(&s->soc), machine->cpu_type, "cpu-type",
++/* Main SYSCLK frequency in Hz (168MHz) */
--                            &error_abort);
++#define SYSCLK_FRQ 168000000ULL
-     object_property_set_int(OBJECT(&s->soc), smp_cpus, "enabled-cpus",
++
-                             &error_abort);
+ static void netduinoplus2_init(MachineState *machine)
-     int board_rev = version == 3 ? 0xa02082 : 0xa21041;
+ {
      DeviceState *dev;
 +    /*
 +     * TODO: ideally we would model the SoC RCC and let it handle
 +     * system_clock_scale, including its ability to define different
 +     * possible SYSCLK sources.
 +     */
 +    system_clock_scale = NANOSECONDS_PER_SECOND / SYSCLK_FRQ;
 +
      dev = qdev_new(TYPE_STM32F405_SOC);
      qdev_prop_set_string(dev, "cpu-type", ARM_CPU_TYPE_NAME("cortex-m4"));
      sysbus_realize_and_unref(SYS_BUS_DEVICE(dev), &error_fatal);
 --
-.16.2
+.20.1

-[Qemu-devel] [PULL 13/13] hw/arm/raspi: Provide spin-loop code for AArch64 CPUs
+[PULL 2/8] include/hw/irq.h: New function qemu_irq_is_connected()
-The raspi3 has AArch64 CPUs, which means that our smpboot
+Mostly devices don't need to care whether one of their output
-code for keeping the secondary CPUs in a pen needs to have
+qemu_irq lines is connected, because functions like qemu_set_irq()
-a version for A64 as well as A32. Without this, the
+silently do nothing if there is nothing on the other end.  However
-secondary CPUs go into an infinite loop of taking undefined
+sometimes a device might want to implement default behaviour for the
-instruction exceptions.
+case where the machine hasn't wired the line up to anywhere.
 Provide a function qemu_irq_is_connected() that devices can use for
 this purpose.  (The test is trivial but encapsulating it in a
 function makes it easier to see where we're doing it in case we need
 to change the implementation later.)
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Message-id: 20180313153458.26822-10-peter.maydell@linaro.org
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
 Message-id: 20200728103744.6909-2-peter.maydell@linaro.org
 ---
- hw/arm/raspi.c | 41 ++++++++++++++++++++++++++++++++++++++++-
+ include/hw/irq.h | 18 ++++++++++++++++++
-file changed, 40 insertions(+), 1 deletion(-)
+file changed, 18 insertions(+)
-diff --git a/hw/arm/raspi.c b/hw/arm/raspi.c
+diff --git a/include/hw/irq.h b/include/hw/irq.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/raspi.c
+--- a/include/hw/irq.h
-+++ b/hw/arm/raspi.c
++++ b/include/hw/irq.h
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ qemu_irq qemu_irq_split(qemu_irq irq1, qemu_irq irq2);
- #define BOARDSETUP_ADDR (MVBAR_ADDR + 0x20) /* board setup code */
+    on an existing vector of qemu_irq.  */
- #define FIRMWARE_ADDR_2 0x8000 /* Pi 2 loads kernel.img here by default */
+ void qemu_irq_intercept_in(qemu_irq *gpio_in, qemu_irq_handler handler, int n);
- #define FIRMWARE_ADDR_3 0x80000 /* Pi 3 loads kernel.img here by default */
-+#define SPINTABLE_ADDR  0xd8 /* Pi 3 bootloader spintable */
++/**
++ * qemu_irq_is_connected: Return true if IRQ line is wired up
- /* Table of Linux board IDs for different Pi versions */
++ *
- static const int raspi_boardid[] = {[1] = 0xc42, [2] = 0xc43, [3] = 0xc44};
++ * If a qemu_irq has a device on the other (receiving) end of it,
-@@ -XXX,XX +XXX,XX @@ static void write_smpboot(ARMCPU *cpu, const struct arm_boot_info *info)
++ * return true; otherwise return false.
-                        info->smp_loader_start);
++ *
- }
++ * Usually device models don't need to care whether the machine model
++ * has wired up their outbound qemu_irq lines, because functions like
-+static void write_smpboot64(ARMCPU *cpu, const struct arm_boot_info *info)
++ * qemu_set_irq() silently do nothing if there is nothing on the other
 + * end of the line. However occasionally a device model will want to
 + * provide default behaviour if its output is left floating, and
 + * it can use this function to identify when that is the case.
 + */
 +static inline bool qemu_irq_is_connected(qemu_irq irq)
 +{
-+    /* Unlike the AArch32 version we don't need to call the board setup hook.
++    return irq != NULL;
 +     * The mechanism for doing the spin-table is also entirely different.
 +     * We must have four 64-bit fields at absolute addresses
 +     * 0xd8, 0xe0, 0xe8, 0xf0 in RAM, which are the flag variables for
 +     * our CPUs, and which we must ensure are zero initialized before
 +     * the primary CPU goes into the kernel. We put these variables inside
 +     * a rom blob, so that the reset for ROM contents zeroes them for us.
 +     */
 +    static const uint32_t smpboot[] = {
 +        0xd2801b05, /*        mov     x5, 0xd8 */
 +        0xd53800a6, /*        mrs     x6, mpidr_el1 */
 +        0x924004c6, /*        and     x6, x6, #0x3 */
 +        0xd503205f, /* spin:  wfe */
 +        0xf86678a4, /*        ldr     x4, [x5,x6,lsl #3] */
 +        0xb4ffffc4, /*        cbz     x4, spin */
 +        0xd2800000, /*        mov     x0, #0x0 */
 +        0xd2800001, /*        mov     x1, #0x0 */
 +        0xd2800002, /*        mov     x2, #0x0 */
 +        0xd2800003, /*        mov     x3, #0x0 */
 +        0xd61f0080, /*        br      x4 */
 +    };
 +
 +    static const uint64_t spintables[] = {
 +        0, 0, 0, 0
 +    };
 +
 +    rom_add_blob_fixed("raspi_smpboot", smpboot, sizeof(smpboot),
 +                       info->smp_loader_start);
 +    rom_add_blob_fixed("raspi_spintables", spintables, sizeof(spintables),
 +                       SPINTABLE_ADDR);
 +}
 +
- static void write_board_setup(ARMCPU *cpu, const struct arm_boot_info *info)
+ #endif
  {
      arm_write_secure_board_setup_dummy_smc(cpu, info, MVBAR_ADDR);
@@ -XXX,XX +XXX,XX @@ static void setup_boot(MachineState *machine, int version, size_t ram_size)
      /* Pi2 and Pi3 requires SMP setup */
      if (version >= 2) {
          binfo.smp_loader_start = SMPBOOT_ADDR;
 -        binfo.write_secondary_boot = write_smpboot;
 +        if (version == 2) {
 +            binfo.write_secondary_boot = write_smpboot;
 +        } else {
 +            binfo.write_secondary_boot = write_smpboot64;
 +        }
          binfo.secondary_cpu_reset_hook = reset_secondary;
      }
 --
-.16.2
+.20.1

-[Qemu-devel] [PULL 11/13] hw/arm/bcm2836: Use correct affinity values for BCM2837
+[PULL 3/8] hw/intc/armv7m_nvic: Provide default "reset the system" behaviour for SYSRESETREQ
-The BCM2837 sets the Aff1 field of the MPIDR affinity values for the
+The NVIC provides an outbound qemu_irq "SYSRESETREQ" which it signals
-CPUs to 0, whereas the BCM2836 uses 0xf. Set this correctly, as it
+when the guest sets the SYSRESETREQ bit in the AIRCR register.  This
-is required for Linux to boot.
+matches the hardware design (where the CPU has a signal of this name
 and it is up to the SoC to connect that up to an actual reset
 mechanism), but in QEMU it mostly results in duplicated code in SoC
 objects and bugs where SoC model implementors forget to wire up the
 SYSRESETREQ line.
 Provide a default behaviour for the case where SYSRESETREQ is not
 actually connected to anything: use qemu_system_reset_request() to
 perform a system reset.  This will allow us to remove the
 implementations of SYSRESETREQ handling from the boards where that's
 exactly what it does, and also fixes the bugs in the board models
 which forgot to wire up the signal:
  * microbit
  * mps2-an385
  * mps2-an505
  * mps2-an511
  * mps2-an521
  * musca-a
  * musca-b1
  * netduino
  * netduinoplus2
 We still allow the board to wire up the signal if it needs to, in case
 we need to model more complicated reset controller logic or to model
 buggy SoC hardware which forgot to wire up the line itself. But
 defaulting to "reset the system" is more often going to be correct
 than defaulting to "do nothing".
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Andrew Baumann <Andrew.Baumann@microsoft.com>
 Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Message-id: 20180313153458.26822-8-peter.maydell@linaro.org
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
 Message-id: 20200728103744.6909-3-peter.maydell@linaro.org
 ---
- hw/arm/bcm2836.c | 11 +++++++----
+ include/hw/arm/armv7m.h |  4 +++-
-file changed, 7 insertions(+), 4 deletions(-)
+ hw/intc/armv7m_nvic.c   | 17 ++++++++++++++++-
 files changed, 19 insertions(+), 2 deletions(-)
-diff --git a/hw/arm/bcm2836.c b/hw/arm/bcm2836.c
+diff --git a/include/hw/arm/armv7m.h b/include/hw/arm/armv7m.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/bcm2836.c
+--- a/include/hw/arm/armv7m.h
-+++ b/hw/arm/bcm2836.c
++++ b/include/hw/arm/armv7m.h
@@ -XXX,XX +XXX,XX @@ typedef struct {
  /* ARMv7M container object.
   * + Unnamed GPIO input lines: external IRQ lines for the NVIC
 - * + Named GPIO output SYSRESETREQ: signalled for guest AIRCR.SYSRESETREQ
 + * + Named GPIO output SYSRESETREQ: signalled for guest AIRCR.SYSRESETREQ.
 + *   If this GPIO is not wired up then the NVIC will default to performing
 + *   a qemu_system_reset_request(SHUTDOWN_CAUSE_GUEST_RESET).
   * + Property "cpu-type": CPU type to instantiate
   * + Property "num-irq": number of external IRQ lines
   * + Property "memory": MemoryRegion defining the physical address space
 diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/intc/armv7m_nvic.c
 +++ b/hw/intc/armv7m_nvic.c
 @@ -XXX,XX +XXX,XX @@
+ #include "hw/intc/armv7m_nvic.h"
- struct BCM283XInfo {
+ #include "hw/irq.h"
-     const char *name;
+ #include "hw/qdev-properties.h"
-+    int clusterid;
++#include "sysemu/runstate.h"
  #include "target/arm/cpu.h"
  #include "exec/exec-all.h"
  #include "exec/memop.h"
@@ -XXX,XX +XXX,XX @@ static const uint8_t nvic_id[] = {
 x00, 0xb0, 0x1b, 0x00, 0x0d, 0xe0, 0x05, 0xb1
  };
- static const BCM283XInfo bcm283x_socs[] = {
++static void signal_sysresetreq(NVICState *s)
-     {
++{
-         .name = TYPE_BCM2836,
++    if (qemu_irq_is_connected(s->sysresetreq)) {
-+        .clusterid = 0xf,
++        qemu_irq_pulse(s->sysresetreq);
-     },
++    } else {
-     {
++        /*
-         .name = TYPE_BCM2837,
++         * Default behaviour if the SoC doesn't need to wire up
-+        .clusterid = 0x0,
++         * SYSRESETREQ (eg to a system reset controller of some kind):
-     },
++         * perform a system reset via the usual QEMU API.
- };
++         */
++        qemu_system_reset_request(SHUTDOWN_CAUSE_GUEST_RESET);
-@@ -XXX,XX +XXX,XX @@ static void bcm2836_init(Object *obj)
++    }
- static void bcm2836_realize(DeviceState *dev, Error **errp)
++}
 +
  static int nvic_pending_prio(NVICState *s)
  {
-     BCM283XState *s = BCM283X(dev);
+     /* return the group priority of the current pending interrupt,
-+    BCM283XClass *bc = BCM283X_GET_CLASS(dev);
+@@ -XXX,XX +XXX,XX @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value,
-+    const BCM283XInfo *info = bc->info;
+             if (value & R_V7M_AIRCR_SYSRESETREQ_MASK) {
-     Object *obj;
+                 if (attrs.secure ||
-     Error *err = NULL;
+                     !(cpu->env.v7m.aircr & R_V7M_AIRCR_SYSRESETREQS_MASK)) {
-     int n;
+-                    qemu_irq_pulse(s->sysresetreq);
-@@ -XXX,XX +XXX,XX @@ static void bcm2836_realize(DeviceState *dev, Error **errp)
++                    signal_sysresetreq(s);
-         qdev_get_gpio_in_named(DEVICE(&s->control), "gpu-fiq", 0));
+                 }
+             }
-     for (n = 0; n < BCM283X_NCPUS; n++) {
+             if (value & R_V7M_AIRCR_VECTCLRACTIVE_MASK) {
 -        /* Mirror bcm2836, which has clusterid set to 0xf
 -         * TODO: this should be converted to a property of ARM_CPU
 -         */
 -        s->cpus[n].mp_affinity = 0xF00 | n;
 +        /* TODO: this should be converted to a property of ARM_CPU */
 +        s->cpus[n].mp_affinity = (info->clusterid << 8) | n;
          /* set periphbase/CBAR value for CPU-local registers */
          object_property_set_int(OBJECT(&s->cpus[n]),
 --
-.16.2
+.20.1

-[Qemu-devel] [PULL 09/13] hw/arm/bcm2836: Rename bcm2836 type/struct to bcm283x
+[PULL 4/8] msf2-soc, stellaris: Don't wire up SYSRESETREQ
-Our BCM2836 type is really a generic one that can be any of
+The MSF2 SoC model and the Stellaris board code both wire
-the bcm283x family. Rename it accordingly. We change only
+SYSRESETREQ up to a function that just invokes
-the names which are visible via the header file to the
+    qemu_system_reset_request(SHUTDOWN_CAUSE_GUEST_RESET);
-rest of the QEMU code, leaving private function names
+This is now the default action that the NVIC does if the line is
-in bcm2836.c as they are.
+not connected, so we can delete the handling code.
 This is a preliminary to making bcm283x be an abstract
 parent class to specific types for the bcm2836 and bcm2837.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Andrew Baumann <Andrew.Baumann@microsoft.com>
 Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Message-id: 20180313153458.26822-6-peter.maydell@linaro.org
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
 Message-id: 20200728103744.6909-4-peter.maydell@linaro.org
 ---
- include/hw/arm/bcm2836.h | 12 ++++++------
+ hw/arm/msf2-soc.c  | 11 -----------
- hw/arm/bcm2836.c         | 17 +++++++++--------
+ hw/arm/stellaris.c | 12 ------------
- hw/arm/raspi.c           | 16 ++++++++--------
+files changed, 23 deletions(-)
 files changed, 23 insertions(+), 22 deletions(-)
-diff --git a/include/hw/arm/bcm2836.h b/include/hw/arm/bcm2836.h
+diff --git a/hw/arm/msf2-soc.c b/hw/arm/msf2-soc.c
 index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/bcm2836.h
+--- a/hw/arm/msf2-soc.c
-+++ b/include/hw/arm/bcm2836.h
++++ b/hw/arm/msf2-soc.c
 @@ -XXX,XX +XXX,XX @@
- #include "hw/arm/bcm2835_peripherals.h"
+ #include "hw/irq.h"
- #include "hw/intc/bcm2836_control.h"
+ #include "hw/arm/msf2-soc.h"
+ #include "hw/misc/unimp.h"
--#define TYPE_BCM2836 "bcm2836"
+-#include "sysemu/runstate.h"
--#define BCM2836(obj) OBJECT_CHECK(BCM2836State, (obj), TYPE_BCM2836)
+ #include "sysemu/sysemu.h"
-+#define TYPE_BCM283X "bcm283x"
-+#define BCM283X(obj) OBJECT_CHECK(BCM283XState, (obj), TYPE_BCM283X)
+ #define MSF2_TIMER_BASE       0x40004000
+@@ -XXX,XX +XXX,XX @@ static const int spi_irq[MSF2_NUM_SPIS] = { 2, 3 };
--#define BCM2836_NCPUS 4
+ static const int uart_irq[MSF2_NUM_UARTS] = { 10, 11 };
-+#define BCM283X_NCPUS 4
+ static const int timer_irq[MSF2_NUM_TIMERS] = { 14, 15 };
--typedef struct BCM2836State {
+-static void do_sys_reset(void *opaque, int n, int level)
-+typedef struct BCM283XState {
+-{
-     /*< private >*/
+-    if (level) {
-     DeviceState parent_obj;
+-        qemu_system_reset_request(SHUTDOWN_CAUSE_GUEST_RESET);
-     /*< public >*/
+-    }
-@@ -XXX,XX +XXX,XX @@ typedef struct BCM2836State {
+-}
-     char *cpu_type;
+-
-     uint32_t enabled_cpus;
+ static void m2sxxx_soc_initfn(Object *obj)
+ {
--    ARMCPU cpus[BCM2836_NCPUS];
+     MSF2State *s = MSF2_SOC(obj);
-+    ARMCPU cpus[BCM283X_NCPUS];
+@@ -XXX,XX +XXX,XX @@ static void m2sxxx_soc_realize(DeviceState *dev_soc, Error **errp)
-     BCM2836ControlState control;
+         return;
-     BCM2835PeripheralState peripherals;
+     }
--} BCM2836State;
-+} BCM283XState;
+-    qdev_connect_gpio_out_named(DEVICE(&s->armv7m.nvic), "SYSRESETREQ", 0,
+-                                qemu_allocate_irq(&do_sys_reset, NULL, 0));
- #endif /* BCM2836_H */
+-
-diff --git a/hw/arm/bcm2836.c b/hw/arm/bcm2836.c
+     system_clock_scale = NANOSECONDS_PER_SECOND / s->m3clk;
      for (i = 0; i < MSF2_NUM_UARTS; i++) {
 diff --git a/hw/arm/stellaris.c b/hw/arm/stellaris.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/bcm2836.c
+--- a/hw/arm/stellaris.c
-+++ b/hw/arm/bcm2836.c
++++ b/hw/arm/stellaris.c
 @@ -XXX,XX +XXX,XX @@
+ #include "hw/boards.h"
- static void bcm2836_init(Object *obj)
+ #include "qemu/log.h"
- {
+ #include "exec/address-spaces.h"
--    BCM2836State *s = BCM2836(obj);
+-#include "sysemu/runstate.h"
-+    BCM283XState *s = BCM283X(obj);
+ #include "sysemu/sysemu.h"
+ #include "hw/arm/armv7m.h"
-     object_initialize(&s->control, sizeof(s->control), TYPE_BCM2836_CONTROL);
+ #include "hw/char/pl011.h"
-     object_property_add_child(obj, "control", OBJECT(&s->control), NULL);
+@@ -XXX,XX +XXX,XX @@ static void stellaris_adc_init(Object *obj)
-@@ -XXX,XX +XXX,XX @@ static void bcm2836_init(Object *obj)
+     qdev_init_gpio_in(dev, stellaris_adc_trigger, 1);
  static void bcm2836_realize(DeviceState *dev, Error **errp)
  {
 -    BCM2836State *s = BCM2836(dev);
 +    BCM283XState *s = BCM283X(dev);
      Object *obj;
      Error *err = NULL;
      int n;
@@ -XXX,XX +XXX,XX @@ static void bcm2836_realize(DeviceState *dev, Error **errp)
      /* common peripherals from bcm2835 */
      obj = OBJECT(dev);
 -    for (n = 0; n < BCM2836_NCPUS; n++) {
 +    for (n = 0; n < BCM283X_NCPUS; n++) {
          object_initialize(&s->cpus[n], sizeof(s->cpus[n]),
                            s->cpu_type);
          object_property_add_child(obj, "cpu[*]", OBJECT(&s->cpus[n]),
@@ -XXX,XX +XXX,XX @@ static void bcm2836_realize(DeviceState *dev, Error **errp)
      sysbus_connect_irq(SYS_BUS_DEVICE(&s->peripherals), 1,
          qdev_get_gpio_in_named(DEVICE(&s->control), "gpu-fiq", 0));
 -    for (n = 0; n < BCM2836_NCPUS; n++) {
 +    for (n = 0; n < BCM283X_NCPUS; n++) {
          /* Mirror bcm2836, which has clusterid set to 0xf
           * TODO: this should be converted to a property of ARM_CPU
           */
@@ -XXX,XX +XXX,XX @@ static void bcm2836_realize(DeviceState *dev, Error **errp)
  }
- static Property bcm2836_props[] = {
+-static
--    DEFINE_PROP_STRING("cpu-type", BCM2836State, cpu_type),
+-void do_sys_reset(void *opaque, int n, int level)
--    DEFINE_PROP_UINT32("enabled-cpus", BCM2836State, enabled_cpus, BCM2836_NCPUS),
+-{
-+    DEFINE_PROP_STRING("cpu-type", BCM283XState, cpu_type),
+-    if (level) {
-+    DEFINE_PROP_UINT32("enabled-cpus", BCM283XState, enabled_cpus,
+-        qemu_system_reset_request(SHUTDOWN_CAUSE_GUEST_RESET);
-+                       BCM283X_NCPUS),
+-    }
-     DEFINE_PROP_END_OF_LIST()
+-}
- };
+-
+ /* Board init.  */
-@@ -XXX,XX +XXX,XX @@ static void bcm2836_class_init(ObjectClass *oc, void *data)
+ static stellaris_board_info stellaris_boards[] = {
- }
+   { "LM3S811EVB",
+@@ -XXX,XX +XXX,XX @@ static void stellaris_init(MachineState *ms, stellaris_board_info *board)
- static const TypeInfo bcm2836_type_info = {
+     /* This will exit with an error if the user passed us a bad cpu_type */
--    .name = TYPE_BCM2836,
+     sysbus_realize_and_unref(SYS_BUS_DEVICE(nvic), &error_fatal);
-+    .name = TYPE_BCM283X,
-     .parent = TYPE_DEVICE,
+-    qdev_connect_gpio_out_named(nvic, "SYSRESETREQ", 0,
--    .instance_size = sizeof(BCM2836State),
+-                                qemu_allocate_irq(&do_sys_reset, NULL, 0));
-+    .instance_size = sizeof(BCM283XState),
+-
-     .instance_init = bcm2836_init,
+     if (board->dc1 & (1 << 16)) {
-     .class_init = bcm2836_class_init,
+         dev = sysbus_create_varargs(TYPE_STELLARIS_ADC, 0x40038000,
- };
+                                     qdev_get_gpio_in(nvic, 14),
 diff --git a/hw/arm/raspi.c b/hw/arm/raspi.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/raspi.c
 +++ b/hw/arm/raspi.c
@@ -XXX,XX +XXX,XX @@
  static const int raspi_boardid[] = {[1] = 0xc42, [2] = 0xc43, [3] = 0xc44};
  typedef struct RasPiState {
 -    BCM2836State soc;
 +    BCM283XState soc;
      MemoryRegion ram;
  } RasPiState;
@@ -XXX,XX +XXX,XX @@ static void raspi_init(MachineState *machine, int version)
      BusState *bus;
      DeviceState *carddev;
 -    object_initialize(&s->soc, sizeof(s->soc), TYPE_BCM2836);
 +    object_initialize(&s->soc, sizeof(s->soc), TYPE_BCM283X);
      object_property_add_child(OBJECT(machine), "soc", OBJECT(&s->soc),
                                &error_abort);
@@ -XXX,XX +XXX,XX @@ static void raspi2_machine_init(MachineClass *mc)
      mc->no_floppy = 1;
      mc->no_cdrom = 1;
      mc->default_cpu_type = ARM_CPU_TYPE_NAME("cortex-a15");
 -    mc->max_cpus = BCM2836_NCPUS;
 -    mc->min_cpus = BCM2836_NCPUS;
 -    mc->default_cpus = BCM2836_NCPUS;
 +    mc->max_cpus = BCM283X_NCPUS;
 +    mc->min_cpus = BCM283X_NCPUS;
 +    mc->default_cpus = BCM283X_NCPUS;
      mc->default_ram_size = 1024 * 1024 * 1024;
      mc->ignore_memory_transaction_failures = true;
  };
@@ -XXX,XX +XXX,XX @@ static void raspi3_machine_init(MachineClass *mc)
      mc->no_floppy = 1;
      mc->no_cdrom = 1;
      mc->default_cpu_type = ARM_CPU_TYPE_NAME("cortex-a53");
 -    mc->max_cpus = BCM2836_NCPUS;
 -    mc->min_cpus = BCM2836_NCPUS;
 -    mc->default_cpus = BCM2836_NCPUS;
 +    mc->max_cpus = BCM283X_NCPUS;
 +    mc->min_cpus = BCM283X_NCPUS;
 +    mc->default_cpus = BCM283X_NCPUS;
      mc->default_ram_size = 1024 * 1024 * 1024;
  }
  DEFINE_MACHINE("raspi3", raspi3_machine_init)
 --
-.16.2
+.20.1

-[Qemu-devel] [PULL 01/13] fsl-imx6: Swap Ethernet interrupt defines
+[PULL 5/8] target/arm: Fix AddPAC error indication
-From: Guenter Roeck <linux@roeck-us.net>
+From: Richard Henderson <richard.henderson@linaro.org>
-The sabrelite machine model used by qemu-system-arm is based on the
+The definition of top_bit used in this function is one higher
-Freescale/NXP i.MX6Q processor. This SoC has an on-board ethernet
+than that used in the Arm ARM psuedo-code, which put the error
-controller which is supported in QEMU using the imx_fec.c module
+indication at top_bit - 1 at the wrong place, which meant that
-(actually called imx.enet for this model.)
+it wasn't visible to Auth.
-The include/hw/arm/fsm-imx6.h file defines the interrupt vectors for the
+Fixing the definition of top_bit requires more changes, because
-imx.enet device like this:
+its most common use is for the count of bits in top_bit:bot_bit,
 which would then need to be computed as top_bit - bot_bit + 1.
- #define FSL_IMX6_ENET_MAC_1588_IRQ 118
+For now, prefer the minimal fix to the error indication alone.
  #define FSL_IMX6_ENET_MAC_IRQ 119
-According to https://www.nxp.com/docs/en/reference-manual/IMX6DQRM.pdf,
+Fixes: 63ff0ca94cb
-page 225, in Table 3-1. ARM Cortex A9 domain interrupt summary,
+Reported-by: Derrick McKee <derrick.mckee@gmail.com>
-interrupts are as follows.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20200728195706.11087-1-richard.henderson@linaro.org
 ENET MAC 0 IRQ
 ENET MAC 0 1588 Timer interrupt
 where
 - 32 == 118
 - 32 == 119
 In other words, the vector definitions in the fsl-imx6.h file are reversed.
 Fixing the interrupts alone causes problems with older Linux kernels:
 The Ethernet interface will fail to probe with Linux v4.9 and earlier.
 Linux v4.1 and earlier will crash due to a bug in Ethernet driver probe
 error handling. This is a Linux kernel problem, not a qemu problem:
 the Linux kernel only worked by accident since it requested both interrupts.
 For backward compatibility, generate the Ethernet interrupt on both interrupt
 lines. This was shown to work from all Linux kernel releases starting with
 v3.16.
 Link: https://bugs.launchpad.net/qemu/+bug/1753309
 Signed-off-by: Guenter Roeck <linux@roeck-us.net>
 Message-id: 1520723090-22130-1-git-send-email-linux@roeck-us.net
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+[PMM: added comment about the divergence from the pseudocode]
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- include/hw/arm/fsl-imx6.h |  4 ++--
+ target/arm/pauth_helper.c         |  6 +++++-
- hw/net/imx_fec.c          | 28 +++++++++++++++++++++++++++-
+ tests/tcg/aarch64/pauth-5.c       | 33 +++++++++++++++++++++++++++++++
-files changed, 29 insertions(+), 3 deletions(-)
+ tests/tcg/aarch64/Makefile.target |  2 +-
 files changed, 39 insertions(+), 2 deletions(-)
  create mode 100644 tests/tcg/aarch64/pauth-5.c
-diff --git a/include/hw/arm/fsl-imx6.h b/include/hw/arm/fsl-imx6.h
+diff --git a/target/arm/pauth_helper.c b/target/arm/pauth_helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/fsl-imx6.h
+--- a/target/arm/pauth_helper.c
-+++ b/include/hw/arm/fsl-imx6.h
++++ b/target/arm/pauth_helper.c
-@@ -XXX,XX +XXX,XX @@ typedef struct FslIMX6State {
+@@ -XXX,XX +XXX,XX @@ static uint64_t pauth_addpac(CPUARMState *env, uint64_t ptr, uint64_t modifier,
- #define FSL_IMX6_HDMI_MASTER_IRQ 115
+      */
- #define FSL_IMX6_HDMI_CEC_IRQ 116
+     test = sextract64(ptr, bot_bit, top_bit - bot_bit);
- #define FSL_IMX6_MLB150_LOW_IRQ 117
+     if (test != 0 && test != -1) {
--#define FSL_IMX6_ENET_MAC_1588_IRQ 118
+-        pac ^= MAKE_64BIT_MASK(top_bit - 1, 1);
--#define FSL_IMX6_ENET_MAC_IRQ 119
++        /*
-+#define FSL_IMX6_ENET_MAC_IRQ 118
++         * Note that our top_bit is one greater than the pseudocode's
-+#define FSL_IMX6_ENET_MAC_1588_IRQ 119
++         * version, hence "- 2" here.
- #define FSL_IMX6_PCIE1_IRQ 120
++         */
- #define FSL_IMX6_PCIE2_IRQ 121
++        pac ^= MAKE_64BIT_MASK(top_bit - 2, 1);
- #define FSL_IMX6_PCIE3_IRQ 122
+     }
-diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
      /*
 diff --git a/tests/tcg/aarch64/pauth-5.c b/tests/tcg/aarch64/pauth-5.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/tests/tcg/aarch64/pauth-5.c
@@ -XXX,XX +XXX,XX @@
 +#include <assert.h>
 +
 +static int x;
 +
 +int main()
 +{
 +    int *p0 = &x, *p1, *p2, *p3;
 +    unsigned long salt = 0;
 +
 +    /*
 +     * With TBI enabled and a 48-bit VA, there are 7 bits of auth, and so
 +     * a 1/128 chance of auth = pac(ptr,key,salt) producing zero.
 +     * Find a salt that creates auth != 0.
 +     */
 +    do {
 +        salt++;
 +        asm("pacda %0, %1" : "=r"(p1) : "r"(salt), "0"(p0));
 +    } while (p0 == p1);
 +
 +    /*
 +     * This pac must fail, because the input pointer bears an encryption,
 +     * and so is not properly extended within bits [55:47].  This will
 +     * toggle bit 54 in the output...
 +     */
 +    asm("pacda %0, %1" : "=r"(p2) : "r"(salt), "0"(p1));
 +
 +    /* ... so that the aut must fail, setting bit 53 in the output ... */
 +    asm("autda %0, %1" : "=r"(p3) : "r"(salt), "0"(p2));
 +
 +    /* ... which means this equality must not hold. */
 +    assert(p3 != p0);
 +    return 0;
 +}
 diff --git a/tests/tcg/aarch64/Makefile.target b/tests/tcg/aarch64/Makefile.target
 index XXXXXXX..XXXXXXX 100644
---- a/hw/net/imx_fec.c
+--- a/tests/tcg/aarch64/Makefile.target
-+++ b/hw/net/imx_fec.c
++++ b/tests/tcg/aarch64/Makefile.target
-@@ -XXX,XX +XXX,XX @@ static void imx_enet_write_bd(IMXENETBufDesc *bd, dma_addr_t addr)
+@@ -XXX,XX +XXX,XX @@ run-fcvt: fcvt
- static void imx_eth_update(IMXFECState *s)
+ # Pauth Tests
- {
+ ifneq ($(DOCKER_IMAGE)$(CROSS_CC_HAS_ARMV8_3),)
--    if (s->regs[ENET_EIR] & s->regs[ENET_EIMR] & ENET_INT_TS_TIMER) {
+-AARCH64_TESTS += pauth-1 pauth-2 pauth-4
-+    /*
++AARCH64_TESTS += pauth-1 pauth-2 pauth-4 pauth-5
-+     * Previous versions of qemu had the ENET_INT_MAC and ENET_INT_TS_TIMER
+ pauth-%: CFLAGS += -march=armv8.3-a
-+     * interrupts swapped. This worked with older versions of Linux (4.14
+ run-pauth-%: QEMU_OPTS += -cpu max
-+     * and older) since Linux associated both interrupt lines with Ethernet
+ run-plugin-pauth-%: QEMU_OPTS += -cpu max
 +     * MAC interrupts. Specifically,
 +     * - Linux 4.15 and later have separate interrupt handlers for the MAC and
 +     *   timer interrupts. Those versions of Linux fail with versions of QEMU
 +     *   with swapped interrupt assignments.
 +     * - In linux 4.14, both interrupt lines were registered with the Ethernet
 +     *   MAC interrupt handler. As a result, all versions of qemu happen to
 +     *   work, though that is accidental.
 +     * - In Linux 4.9 and older, the timer interrupt was registered directly
 +     *   with the Ethernet MAC interrupt handler. The MAC interrupt was
 +     *   redirected to a GPIO interrupt to work around erratum ERR006687.
 +     *   This was implemented using the SOC's IOMUX block. In qemu, this GPIO
 +     *   interrupt never fired since IOMUX is currently not supported in qemu.
 +     *   Linux instead received MAC interrupts on the timer interrupt.
 +     *   As a result, qemu versions with the swapped interrupt assignment work,
 +     *   albeit accidentally, but qemu versions with the correct interrupt
 +     *   assignment fail.
 +     *
 +     * To ensure that all versions of Linux work, generate ENET_INT_MAC
 +     * interrrupts on both interrupt lines. This should be changed if and when
 +     * qemu supports IOMUX.
 +     */
 +    if (s->regs[ENET_EIR] & s->regs[ENET_EIMR] &
 +        (ENET_INT_MAC | ENET_INT_TS_TIMER)) {
          qemu_set_irq(s->irq[1], 1);
      } else {
          qemu_set_irq(s->irq[1], 0);
 --
-.16.2
+.20.1

-[Qemu-devel] [PULL 02/13] dump: Update correct kdump phys_base field for AArch64
+Deleted patch
-From: Wei Huang <wei@redhat.com>
-For guest kernel that supports KASLR, the load address can change every
-time when guest VM runs. To find the physical base address correctly,
-current QEMU dump searches VMCOREINFO for the string "NUMBER(phys_base)=".
-However this string pattern is only available on x86_64. AArch64 uses a
-different field, called "NUMBER(PHYS_OFFSET)=". This patch makes sure
-QEMU dump uses the correct string on AArch64.
-Signed-off-by: Wei Huang <wei@redhat.com>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-id: 1520615003-20869-1-git-send-email-wei@redhat.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- dump.c | 14 +++++++++++---
-file changed, 11 insertions(+), 3 deletions(-)
-diff --git a/dump.c b/dump.c
-index XXXXXXX..XXXXXXX 100644
---- a/dump.c
-+++ b/dump.c
-@@ -XXX,XX +XXX,XX @@ static void vmcoreinfo_update_phys_base(DumpState *s)
-     lines = g_strsplit((char *)vmci, "\n", -1);
-     for (i = 0; lines[i]; i++) {
--        if (g_str_has_prefix(lines[i], "NUMBER(phys_base)=")) {
--            if (qemu_strtou64(lines[i] + 18, NULL, 16,
-+        const char *prefix = NULL;
-+
-+        if (s->dump_info.d_machine == EM_X86_64) {
-+            prefix = "NUMBER(phys_base)=";
-+        } else if (s->dump_info.d_machine == EM_AARCH64) {
-+            prefix = "NUMBER(PHYS_OFFSET)=";
-+        }
-+
-+        if (prefix && g_str_has_prefix(lines[i], prefix)) {
-+            if (qemu_strtou64(lines[i] + strlen(prefix), NULL, 16,
-                               &phys_base) < 0) {
--                warn_report("Failed to read NUMBER(phys_base)=");
-+                warn_report("Failed to read %s", prefix);
-             } else {
-                 s->dump_info.phys_base = phys_base;
-             }
---
-.16.2

-[Qemu-devel] [PULL 03/13] char: i.MX: Simplify imx_update()
+Deleted patch
-From: Andrey Smirnov <andrew.smirnov@gmail.com>
-Code of imx_update() is slightly confusing since the "flags" variable
-doesn't really corespond to anything in real hardware and server as a
-kitchensink accumulating events normally reported via USR1 and USR2
-registers.
-Change the code to explicitly evaluate state of interrupts reported
-via USR1 and USR2 against corresponding masking bits and use the to
-detemine if IRQ line should be asserted or not.
-NOTE: Check for UTS1_TXEMPTY being set has been dropped for two
-reasons:
-. Emulation code implements a single character FIFO, so this flag
-       will always be set since characters are trasmitted as a part of
-       the code emulating "push" into the FIFO
-. imx_update() is really just a function doing ORing and maksing
-       of reported events, so checking for UTS1_TXEMPTY should happen,
-       if it's ever really needed should probably happen outside of
-       it.
-Cc: qemu-devel@nongnu.org
-Cc: qemu-arm@nongnu.org
-Cc: Bill Paul <wpaul@windriver.com>
-Cc: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
-Message-id: 20180315191141.6789-1-andrew.smirnov@gmail.com
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/char/imx_serial.c | 24 ++++++++++++++++--------
-file changed, 16 insertions(+), 8 deletions(-)
-diff --git a/hw/char/imx_serial.c b/hw/char/imx_serial.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/char/imx_serial.c
-+++ b/hw/char/imx_serial.c
-@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_imx_serial = {
- static void imx_update(IMXSerialState *s)
- {
--    uint32_t flags;
-+    uint32_t usr1;
-+    uint32_t usr2;
-+    uint32_t mask;
--    flags = (s->usr1 & s->ucr1) & (USR1_TRDY|USR1_RRDY);
--    if (s->ucr1 & UCR1_TXMPTYEN) {
--        flags |= (s->uts1 & UTS1_TXEMPTY);
--    } else {
--        flags &= ~USR1_TRDY;
--    }
-+    /*
-+     * Lucky for us TRDY and RRDY has the same offset in both USR1 and
-+     * UCR1, so we can get away with something as simple as the
-+     * following:
-+     */
-+    usr1 = s->usr1 & s->ucr1 & (USR1_TRDY | USR1_RRDY);
-+    /*
-+     * Bits that we want in USR2 are not as conveniently laid out,
-+     * unfortunately.
-+     */
-+    mask = (s->ucr1 & UCR1_TXMPTYEN) ? USR2_TXFE : 0;
-+    usr2 = s->usr2 & mask;
--    qemu_set_irq(s->irq, !!flags);
-+    qemu_set_irq(s->irq, usr1 || usr2);
- }
- static void imx_serial_reset(IMXSerialState *s)
---
-.16.2

-[Qemu-devel] [PULL 04/13] char: i.MX: Add support for "TX complete" interrupt
+Deleted patch
-From: Andrey Smirnov <andrew.smirnov@gmail.com>
-Add support for "TX complete"/TXDC interrupt generate by real HW since
-it is needed to support guests other than Linux.
-Based on the patch by Bill Paul as found here:
-https://bugs.launchpad.net/qemu/+bug/1753314
-Cc: qemu-devel@nongnu.org
-Cc: qemu-arm@nongnu.org
-Cc: Bill Paul <wpaul@windriver.com>
-Cc: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Bill Paul <wpaul@windriver.com>
-Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
-Message-id: 20180315191141.6789-2-andrew.smirnov@gmail.com
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- include/hw/char/imx_serial.h |  3 +++
- hw/char/imx_serial.c         | 20 +++++++++++++++++---
-files changed, 20 insertions(+), 3 deletions(-)
-diff --git a/include/hw/char/imx_serial.h b/include/hw/char/imx_serial.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/hw/char/imx_serial.h
-+++ b/include/hw/char/imx_serial.h
-@@ -XXX,XX +XXX,XX @@
- #define UCR2_RXEN       (1<<1)    /* Receiver enable */
- #define UCR2_SRST       (1<<0)    /* Reset complete */
-+#define UCR4_TCEN       BIT(3)    /* TX complete interrupt enable */
-+
- #define UTS1_TXEMPTY    (1<<6)
- #define UTS1_RXEMPTY    (1<<5)
- #define UTS1_TXFULL     (1<<4)
-@@ -XXX,XX +XXX,XX @@ typedef struct IMXSerialState {
-     uint32_t ubmr;
-     uint32_t ubrc;
-     uint32_t ucr3;
-+    uint32_t ucr4;
-     qemu_irq irq;
-     CharBackend chr;
-diff --git a/hw/char/imx_serial.c b/hw/char/imx_serial.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/char/imx_serial.c
-+++ b/hw/char/imx_serial.c
-@@ -XXX,XX +XXX,XX @@
- static const VMStateDescription vmstate_imx_serial = {
-     .name = TYPE_IMX_SERIAL,
--    .version_id = 1,
--    .minimum_version_id = 1,
-+    .version_id = 2,
-+    .minimum_version_id = 2,
-     .fields = (VMStateField[]) {
-         VMSTATE_INT32(readbuff, IMXSerialState),
-         VMSTATE_UINT32(usr1, IMXSerialState),
-@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_imx_serial = {
-         VMSTATE_UINT32(ubmr, IMXSerialState),
-         VMSTATE_UINT32(ubrc, IMXSerialState),
-         VMSTATE_UINT32(ucr3, IMXSerialState),
-+        VMSTATE_UINT32(ucr4, IMXSerialState),
-         VMSTATE_END_OF_LIST()
-     },
- };
-@@ -XXX,XX +XXX,XX @@ static void imx_update(IMXSerialState *s)
-      * unfortunately.
-      */
-     mask = (s->ucr1 & UCR1_TXMPTYEN) ? USR2_TXFE : 0;
-+    /*
-+     * TCEN and TXDC are both bit 3
-+     */
-+    mask |= s->ucr4 & UCR4_TCEN;
-+
-     usr2 = s->usr2 & mask;
-     qemu_set_irq(s->irq, usr1 || usr2);
-@@ -XXX,XX +XXX,XX @@ static uint64_t imx_serial_read(void *opaque, hwaddr offset,
-         return s->ucr3;
-     case 0x23: /* UCR4 */
-+        return s->ucr4;
-+
-     case 0x29: /* BRM Incremental */
-         return 0x0; /* TODO */
-@@ -XXX,XX +XXX,XX @@ static void imx_serial_write(void *opaque, hwaddr offset,
-              * qemu_chr_fe_write and background I/O callbacks */
-             qemu_chr_fe_write_all(&s->chr, &ch, 1);
-             s->usr1 &= ~USR1_TRDY;
-+            s->usr2 &= ~USR2_TXDC;
-             imx_update(s);
-             s->usr1 |= USR1_TRDY;
-+            s->usr2 |= USR2_TXDC;
-             imx_update(s);
-         }
-         break;
-@@ -XXX,XX +XXX,XX @@ static void imx_serial_write(void *opaque, hwaddr offset,
-         s->ucr3 = value & 0xffff;
-         break;
--    case 0x2d: /* UTS1 */
-     case 0x23: /* UCR4 */
-+        s->ucr4 = value & 0xffff;
-+        imx_update(s);
-+        break;
-+
-+    case 0x2d: /* UTS1 */
-         qemu_log_mask(LOG_UNIMP, "[%s]%s: Unimplemented reg 0x%"
-                       HWADDR_PRIx "\n", TYPE_IMX_SERIAL, __func__, offset);
-         /* TODO */
---
-.16.2

-[Qemu-devel] [PULL 05/13] hw/arm/raspi: Don't do board-setup or secure-boot for raspi3
+Deleted patch
-For the rpi1 and 2 we want to boot the Linux kernel via some
-custom setup code that makes sure that the SMC instruction
-acts as a no-op, because it's used for cache maintenance.
-The rpi3 boots AArch64 kernels, which don't need SMC for
-cache maintenance and always expect to be booted non-secure.
-Don't fill in the aarch32-specific parts of the binfo struct.
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Andrew Baumann <Andrew.Baumann@microsoft.com>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Message-id: 20180313153458.26822-2-peter.maydell@linaro.org
----
- hw/arm/raspi.c | 17 +++++++++++++----
-file changed, 13 insertions(+), 4 deletions(-)
-diff --git a/hw/arm/raspi.c b/hw/arm/raspi.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/raspi.c
-+++ b/hw/arm/raspi.c
-@@ -XXX,XX +XXX,XX @@ static void setup_boot(MachineState *machine, int version, size_t ram_size)
-     binfo.board_id = raspi_boardid[version];
-     binfo.ram_size = ram_size;
-     binfo.nb_cpus = smp_cpus;
--    binfo.board_setup_addr = BOARDSETUP_ADDR;
--    binfo.write_board_setup = write_board_setup;
--    binfo.secure_board_setup = true;
--    binfo.secure_boot = true;
-+
-+    if (version <= 2) {
-+        /* The rpi1 and 2 require some custom setup code to run in Secure
-+         * mode before booting a kernel (to set up the SMC vectors so
-+         * that we get a no-op SMC; this is used by Linux to call the
-+         * firmware for some cache maintenance operations.
-+         * The rpi3 doesn't need this.
-+         */
-+        binfo.board_setup_addr = BOARDSETUP_ADDR;
-+        binfo.write_board_setup = write_board_setup;
-+        binfo.secure_board_setup = true;
-+        binfo.secure_boot = true;
-+    }
-     /* Pi2 and Pi3 requires SMP setup */
-     if (version >= 2) {
---
-.16.2

-[Qemu-devel] [PULL 06/13] hw/arm/boot: assert that secure_boot and secure_board_setup are false for AArch64
+Deleted patch
-Add some assertions that if we're about to boot an AArch64 kernel,
-the board code has not mistakenly set either secure_boot or
-secure_board_setup. It doesn't make sense to set secure_boot,
-because all AArch64 kernels must be booted in non-secure mode.
-It might in theory make sense to set secure_board_setup, but
-we don't currently support that, because only the AArch32
-bootloader[] code calls this hook; bootloader_aarch64[] does not.
-Since we don't have a current need for this functionality, just
-assert that we don't try to use it. If it's needed we'll add
-it later.
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Message-id: 20180313153458.26822-3-peter.maydell@linaro.org
----
- hw/arm/boot.c | 7 +++++++
-file changed, 7 insertions(+)
-diff --git a/hw/arm/boot.c b/hw/arm/boot.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/boot.c
-+++ b/hw/arm/boot.c
-@@ -XXX,XX +XXX,XX @@ static void do_cpu_reset(void *opaque)
-                     } else {
-                         env->pstate = PSTATE_MODE_EL1h;
-                     }
-+                    /* AArch64 kernels never boot in secure mode */
-+                    assert(!info->secure_boot);
-+                    /* This hook is only supported for AArch32 currently:
-+                     * bootloader_aarch64[] will not call the hook, and
-+                     * the code above has already dropped us into EL2 or EL1.
-+                     */
-+                    assert(!info->secure_board_setup);
-                 }
-                 /* Set to non-secure if not a secure boot */
---
-.16.2

-[Qemu-devel] [PULL 08/13] hw/arm/bcm2386: Fix parent type of bcm2386
+[PULL 6/8] target/arm: Avoid maybe-uninitialized warning with gcc 4.9
-The TypeInfo and state struct for bcm2386 disagree about what the
+From: Kaige Li <likaige@loongson.cn>
 parent class is -- the TypeInfo says it's TYPE_SYS_BUS_DEVICE,
 but the BCM2386State struct only defines the parent_obj field
 as DeviceState. This would have caused problems if anything
 actually tried to treat the object as a TYPE_SYS_BUS_DEVICE.
 Fix the TypeInfo to use TYPE_DEVICE as the parent, since we don't
 need any of the additional functionality TYPE_SYS_BUS_DEVICE
 provides.
+GCC version 4.9.4 isn't clever enough to figure out that all
+execution paths in disas_ldst() that use 'fn' will have initialized
+it first, and so it warns:
+/home/LiKaige/qemu/target/arm/translate-a64.c: In function ‘disas_ldst’:
+/home/LiKaige/qemu/target/arm/translate-a64.c:3392:5: error: ‘fn’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
+     fn(cpu_reg(s, rt), clean_addr, tcg_rs, get_mem_index(s),
+     ^
+/home/LiKaige/qemu/target/arm/translate-a64.c:3318:22: note: ‘fn’ was declared here
+     AtomicThreeOpFn *fn;
+                      ^
+Make it happy by initializing the variable to NULL.
+Signed-off-by: Kaige Li <likaige@loongson.cn>
+Message-id: 1596110248-7366-2-git-send-email-likaige@loongson.cn
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+[PMM: Clean up commit message and note which gcc version this was]
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Andrew Baumann <Andrew.Baumann@microsoft.com>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Message-id: 20180313153458.26822-5-peter.maydell@linaro.org
 ---
- hw/arm/bcm2836.c | 2 +-
+ target/arm/translate-a64.c | 2 +-
 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/hw/arm/bcm2836.c b/hw/arm/bcm2836.c
+diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/bcm2836.c
+--- a/target/arm/translate-a64.c
-+++ b/hw/arm/bcm2836.c
++++ b/target/arm/translate-a64.c
-@@ -XXX,XX +XXX,XX @@ static void bcm2836_class_init(ObjectClass *oc, void *data)
+@@ -XXX,XX +XXX,XX @@ static void disas_ldst_atomic(DisasContext *s, uint32_t insn,
+     bool r = extract32(insn, 22, 1);
- static const TypeInfo bcm2836_type_info = {
+     bool a = extract32(insn, 23, 1);
-     .name = TYPE_BCM2836,
+     TCGv_i64 tcg_rs, clean_addr;
--    .parent = TYPE_SYS_BUS_DEVICE,
+-    AtomicThreeOpFn *fn;
-+    .parent = TYPE_DEVICE,
++    AtomicThreeOpFn *fn = NULL;
-     .instance_size = sizeof(BCM2836State),
-     .instance_init = bcm2836_init,
+     if (is_vector || !dc_isar_feature(aa64_atomics, s)) {
-     .class_init = bcm2836_class_init,
+         unallocated_encoding(s);
 --
-.16.2
+.20.1

-[Qemu-devel] [PULL 07/13] hw/arm/boot: If booting a kernel in EL2, set SCR_EL3.HCE
+[PULL 7/8] hw/arm/nrf51_soc: Set system_clock_scale
-If we're directly booting a Linux kernel and the CPU supports both
+The nrf51 SoC model wasn't setting the system_clock_scale
-EL3 and EL2, we start the kernel in EL2, as it expects. We must also
+global.which meant that if guest code used the systick timer in "use
-set the SCR_EL3.HCE bit in this situation, so that the HVC
+the processor clock" mode it would hang because time never advances.
-instruction is enabled rather than UNDEFing. Otherwise at least some
-kernels will panic when trying to initialize KVM in the guest.
+Set the global to match the documented CPU clock speed for this SoC.
 This SoC in fact doesn't have a SysTick timer (which is the only thing
 currently that cares about the system_clock_scale), because it's
 a configurable option in the Cortex-M0. However our Cortex-M0 and
 thus our nrf51 and our micro:bit board do provide a SysTick, so
 we ought to provide a functional one rather than a broken one.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20180313153458.26822-4-peter.maydell@linaro.org
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Message-id: 20200727193458.31250-1-peter.maydell@linaro.org
 ---
- hw/arm/boot.c | 5 +++++
+ hw/arm/nrf51_soc.c | 5 +++++
 file changed, 5 insertions(+)
-diff --git a/hw/arm/boot.c b/hw/arm/boot.c
+diff --git a/hw/arm/nrf51_soc.c b/hw/arm/nrf51_soc.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/boot.c
+--- a/hw/arm/nrf51_soc.c
-+++ b/hw/arm/boot.c
++++ b/hw/arm/nrf51_soc.c
-@@ -XXX,XX +XXX,XX @@ static void do_cpu_reset(void *opaque)
+@@ -XXX,XX +XXX,XX @@
-                     assert(!info->secure_board_setup);
-                 }
+ #define BASE_TO_IRQ(base) ((base >> 12) & 0x1F)
-+                if (arm_feature(env, ARM_FEATURE_EL2)) {
++/* HCLK (the main CPU clock) on this SoC is always 16MHz */
-+                    /* If we have EL2 then Linux expects the HVC insn to work */
++#define HCLK_FRQ 16000000
 +                    env->cp15.scr_el3 |= SCR_HCE;
 +                }
 +
-                 /* Set to non-secure if not a secure boot */
+ static uint64_t clock_read(void *opaque, hwaddr addr, unsigned int size)
-                 if (!info->secure_boot &&
+ {
-                     (cs != first_cpu || !info->secure_board_setup)) {
+     qemu_log_mask(LOG_UNIMP, "%s: 0x%" HWADDR_PRIx " [%u]\n",
@@ -XXX,XX +XXX,XX @@ static void nrf51_soc_realize(DeviceState *dev_soc, Error **errp)
          return;
      }
 +    system_clock_scale = NANOSECONDS_PER_SECOND / HCLK_FRQ;
 +
      object_property_set_link(OBJECT(&s->cpu), "memory", OBJECT(&s->container),
                               &error_abort);
      if (!sysbus_realize(SYS_BUS_DEVICE(&s->cpu), errp)) {
 --
-.16.2
+.20.1

-[Qemu-devel] [PULL 10/13] hw/arm/bcm2836: Create proper bcm2837 device
+[PULL 8/8] hw/timer/imx_epit: Avoid assertion when CR.SWR is written
-The bcm2837 is pretty similar to the bcm2836, but it does have
+The imx_epit device has a software-controllable reset triggered by
-some differences. Notably, the MPIDR affinity aff1 values it
+setting the SWR bit in the CR register. An error in commit cc2722ec83ad9
-sets for the CPUs are 0x0, rather than the 0xf that the bcm2836
+means that we will end up assert()ing if the guest does this, because
-uses, and if this is wrong Linux will not boot.
+the code in imx_epit_write() starts ptimer transactions, and then
 imx_epit_reset() also starts ptimer transactions, triggering
 "ptimer_transaction_begin: Assertion `!s->in_transaction' failed".
-Rather than trying to have one device with properties that
+The cleanest way to avoid this double-transaction is to move the
-configure it differently for the two cases, create two
+start-transaction for the CR write handling down below the check of
-separate QOM devices for the two SoCs. We use the same approach
+the SWR bit.
 as hw/arm/aspeed_soc.c and share code and have a data table
 that might differ per-SoC. For the moment the two types don't
 actually have different behaviour.
+Fixes: https://bugs.launchpad.net/qemu/+bug/1880424
+Fixes: cc2722ec83ad944505fe
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Message-id: 20180313153458.26822-7-peter.maydell@linaro.org
+Message-id: 20200727154550.3409-1-peter.maydell@linaro.org
 ---
- include/hw/arm/bcm2836.h | 19 +++++++++++++++++++
+ hw/timer/imx_epit.c | 13 ++++++++++---
- hw/arm/bcm2836.c         | 37 ++++++++++++++++++++++++++++++++-----
+file changed, 10 insertions(+), 3 deletions(-)
  hw/arm/raspi.c           |  3 ++-
 files changed, 53 insertions(+), 6 deletions(-)
-diff --git a/include/hw/arm/bcm2836.h b/include/hw/arm/bcm2836.h
+diff --git a/hw/timer/imx_epit.c b/hw/timer/imx_epit.c
 index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/bcm2836.h
+--- a/hw/timer/imx_epit.c
-+++ b/include/hw/arm/bcm2836.h
++++ b/hw/timer/imx_epit.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ static void imx_epit_write(void *opaque, hwaddr offset, uint64_t value,
- #define BCM283X_NCPUS 4
+     switch (offset >> 2) {
+     case 0: /* CR */
-+/* These type names are for specific SoCs; other than instantiating
+-        ptimer_transaction_begin(s->timer_cmp);
-+ * them, code using these devices should always handle them via the
+-        ptimer_transaction_begin(s->timer_reload);
-+ * BCM283x base class, so they have no BCM2836(obj) etc macros.
-+ */
+         oldcr = s->cr;
-+#define TYPE_BCM2836 "bcm2836"
+         s->cr = value & 0x03ffffff;
-+#define TYPE_BCM2837 "bcm2837"
+         if (s->cr & CR_SWR) {
              /* handle the reset */
              imx_epit_reset(DEVICE(s));
 -        } else {
 +            /*
 +             * TODO: could we 'break' here? following operations appear
 +             * to duplicate the work imx_epit_reset() already did.
 +             */
 +        }
 +
- typedef struct BCM283XState {
++        ptimer_transaction_begin(s->timer_cmp);
-     /*< private >*/
++        ptimer_transaction_begin(s->timer_reload);
      DeviceState parent_obj;
@@ -XXX,XX +XXX,XX @@ typedef struct BCM283XState {
      BCM2835PeripheralState peripherals;
  } BCM283XState;
 +typedef struct BCM283XInfo BCM283XInfo;
 +
-+typedef struct BCM283XClass {
++        if (!(s->cr & CR_SWR)) {
-+    DeviceClass parent_class;
+             imx_epit_set_freq(s);
-+    const BCM283XInfo *info;
+         }
 +} BCM283XClass;
 +
 +#define BCM283X_CLASS(klass) \
 +    OBJECT_CLASS_CHECK(BCM283XClass, (klass), TYPE_BCM283X)
 +#define BCM283X_GET_CLASS(obj) \
 +    OBJECT_GET_CLASS(BCM283XClass, (obj), TYPE_BCM283X)
 +
  #endif /* BCM2836_H */
 diff --git a/hw/arm/bcm2836.c b/hw/arm/bcm2836.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/bcm2836.c
 +++ b/hw/arm/bcm2836.c
@@ -XXX,XX +XXX,XX @@
  /* "QA7" (Pi2) interrupt controller and mailboxes etc. */
  #define BCM2836_CONTROL_BASE    0x40000000
 +struct BCM283XInfo {
 +    const char *name;
 +};
 +
 +static const BCM283XInfo bcm283x_socs[] = {
 +    {
 +        .name = TYPE_BCM2836,
 +    },
 +    {
 +        .name = TYPE_BCM2837,
 +    },
 +};
 +
  static void bcm2836_init(Object *obj)
  {
      BCM283XState *s = BCM283X(obj);
@@ -XXX,XX +XXX,XX @@ static Property bcm2836_props[] = {
      DEFINE_PROP_END_OF_LIST()
  };
 -static void bcm2836_class_init(ObjectClass *oc, void *data)
 +static void bcm283x_class_init(ObjectClass *oc, void *data)
  {
      DeviceClass *dc = DEVICE_CLASS(oc);
 +    BCM283XClass *bc = BCM283X_CLASS(oc);
 -    dc->props = bcm2836_props;
 +    bc->info = data;
      dc->realize = bcm2836_realize;
 +    dc->props = bcm2836_props;
  }
 -static const TypeInfo bcm2836_type_info = {
 +static const TypeInfo bcm283x_type_info = {
      .name = TYPE_BCM283X,
      .parent = TYPE_DEVICE,
      .instance_size = sizeof(BCM283XState),
      .instance_init = bcm2836_init,
 -    .class_init = bcm2836_class_init,
 +    .class_size = sizeof(BCM283XClass),
 +    .abstract = true,
  };
  static void bcm2836_register_types(void)
  {
 -    type_register_static(&bcm2836_type_info);
 +    int i;
 +
 +    type_register_static(&bcm283x_type_info);
 +    for (i = 0; i < ARRAY_SIZE(bcm283x_socs); i++) {
 +        TypeInfo ti = {
 +            .name = bcm283x_socs[i].name,
 +            .parent = TYPE_BCM283X,
 +            .class_init = bcm283x_class_init,
 +            .class_data = (void *) &bcm283x_socs[i],
 +        };
 +        type_register(&ti);
 +    }
  }
  type_init(bcm2836_register_types)
 diff --git a/hw/arm/raspi.c b/hw/arm/raspi.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/raspi.c
 +++ b/hw/arm/raspi.c
@@ -XXX,XX +XXX,XX @@ static void raspi_init(MachineState *machine, int version)
      BusState *bus;
      DeviceState *carddev;
 -    object_initialize(&s->soc, sizeof(s->soc), TYPE_BCM283X);
 +    object_initialize(&s->soc, sizeof(s->soc),
 +                      version == 3 ? TYPE_BCM2837 : TYPE_BCM2836);
      object_property_add_child(OBJECT(machine), "soc", OBJECT(&s->soc),
                                &error_abort);
 --
-.16.2
+.20.1

Arm patch queue -- these are all bug fix patches but we might
as well put them in to rc0...

thanks
-- PMM

The following changes since commit 2c8cfc0b52b5a4d123c26c0b5fdf941be24805be:

Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging (2018-03-19 11:44:26 +0000)

are available in the Git repository at:

git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20180319

for you to fetch changes up to ff72cb6b46b95bb530787add5277c211af3d31c6:

hw/arm/raspi: Provide spin-loop code for AArch64 CPUs (2018-03-19 18:23:24 +0000)

----------------------------------------------------------------
target-arm queue:
 * fsl-imx6: Fix incorrect Ethernet interrupt defines
 * dump: Update correct kdump phys_base field for AArch64
 * char: i.MX: Add support for "TX complete" interrupt
 * bcm2836/raspi: Fix various bugs resulting in panics trying
   to boot a Debian Linux kernel on raspi3

----------------------------------------------------------------
Andrey Smirnov (2):
      char: i.MX: Simplify imx_update()
      char: i.MX: Add support for "TX complete" interrupt

Guenter Roeck (1):
      fsl-imx6: Swap Ethernet interrupt defines

Peter Maydell (9):
      hw/arm/raspi: Don't do board-setup or secure-boot for raspi3
      hw/arm/boot: assert that secure_boot and secure_board_setup are false for AArch64
      hw/arm/boot: If booting a kernel in EL2, set SCR_EL3.HCE
      hw/arm/bcm2386: Fix parent type of bcm2386
      hw/arm/bcm2836: Rename bcm2836 type/struct to bcm283x
      hw/arm/bcm2836: Create proper bcm2837 device
      hw/arm/bcm2836: Use correct affinity values for BCM2837
      hw/arm/bcm2836: Hardcode correct CPU type
      hw/arm/raspi: Provide spin-loop code for AArch64 CPUs

Wei Huang (1):
      dump: Update correct kdump phys_base field for AArch64

From: Guenter Roeck <linux@roeck-us.net>

The sabrelite machine model used by qemu-system-arm is based on the
Freescale/NXP i.MX6Q processor. This SoC has an on-board ethernet
controller which is supported in QEMU using the imx_fec.c module
(actually called imx.enet for this model.)

The include/hw/arm/fsm-imx6.h file defines the interrupt vectors for the
imx.enet device like this:

#define FSL_IMX6_ENET_MAC_1588_IRQ 118
 #define FSL_IMX6_ENET_MAC_IRQ 119

According to https://www.nxp.com/docs/en/reference-manual/IMX6DQRM.pdf,
page 225, in Table 3-1. ARM Cortex A9 domain interrupt summary,
interrupts are as follows.

150 ENET MAC 0 IRQ
151 ENET MAC 0 1588 Timer interrupt

where

150 - 32 == 118
151 - 32 == 119

In other words, the vector definitions in the fsl-imx6.h file are reversed.

Fixing the interrupts alone causes problems with older Linux kernels:
The Ethernet interface will fail to probe with Linux v4.9 and earlier.
Linux v4.1 and earlier will crash due to a bug in Ethernet driver probe
error handling. This is a Linux kernel problem, not a qemu problem:
the Linux kernel only worked by accident since it requested both interrupts.

For backward compatibility, generate the Ethernet interrupt on both interrupt
lines. This was shown to work from all Linux kernel releases starting with
v3.16.

Link: https://bugs.launchpad.net/qemu/+bug/1753309
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Message-id: 1520723090-22130-1-git-send-email-linux@roeck-us.net
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/arm/fsl-imx6.h |  4 ++--
 hw/net/imx_fec.c          | 28 +++++++++++++++++++++++++++-
 2 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/include/hw/arm/fsl-imx6.h b/include/hw/arm/fsl-imx6.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/fsl-imx6.h
+++ b/include/hw/arm/fsl-imx6.h
@@ -XXX,XX +XXX,XX @@ typedef struct FslIMX6State {
 #define FSL_IMX6_HDMI_MASTER_IRQ 115
 #define FSL_IMX6_HDMI_CEC_IRQ 116
 #define FSL_IMX6_MLB150_LOW_IRQ 117
-#define FSL_IMX6_ENET_MAC_1588_IRQ 118
-#define FSL_IMX6_ENET_MAC_IRQ 119
+#define FSL_IMX6_ENET_MAC_IRQ 118
+#define FSL_IMX6_ENET_MAC_1588_IRQ 119
 #define FSL_IMX6_PCIE1_IRQ 120
 #define FSL_IMX6_PCIE2_IRQ 121
 #define FSL_IMX6_PCIE3_IRQ 122
diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/net/imx_fec.c
+++ b/hw/net/imx_fec.c
@@ -XXX,XX +XXX,XX @@ static void imx_enet_write_bd(IMXENETBufDesc *bd, dma_addr_t addr)
 
 static void imx_eth_update(IMXFECState *s)
 {
-    if (s->regs[ENET_EIR] & s->regs[ENET_EIMR] & ENET_INT_TS_TIMER) {
+    /*
+     * Previous versions of qemu had the ENET_INT_MAC and ENET_INT_TS_TIMER
+     * interrupts swapped. This worked with older versions of Linux (4.14
+     * and older) since Linux associated both interrupt lines with Ethernet
+     * MAC interrupts. Specifically,
+     * - Linux 4.15 and later have separate interrupt handlers for the MAC and
+     *   timer interrupts. Those versions of Linux fail with versions of QEMU
+     *   with swapped interrupt assignments.
+     * - In linux 4.14, both interrupt lines were registered with the Ethernet
+     *   MAC interrupt handler. As a result, all versions of qemu happen to
+     *   work, though that is accidental.
+     * - In Linux 4.9 and older, the timer interrupt was registered directly
+     *   with the Ethernet MAC interrupt handler. The MAC interrupt was
+     *   redirected to a GPIO interrupt to work around erratum ERR006687.
+     *   This was implemented using the SOC's IOMUX block. In qemu, this GPIO
+     *   interrupt never fired since IOMUX is currently not supported in qemu.
+     *   Linux instead received MAC interrupts on the timer interrupt.
+     *   As a result, qemu versions with the swapped interrupt assignment work,
+     *   albeit accidentally, but qemu versions with the correct interrupt
+     *   assignment fail.
+     *
+     * To ensure that all versions of Linux work, generate ENET_INT_MAC
+     * interrrupts on both interrupt lines. This should be changed if and when
+     * qemu supports IOMUX.
+     */
+    if (s->regs[ENET_EIR] & s->regs[ENET_EIMR] &
+        (ENET_INT_MAC | ENET_INT_TS_TIMER)) {
         qemu_set_irq(s->irq[1], 1);
     } else {
         qemu_set_irq(s->irq[1], 0);
-- 
2.16.2

From: Wei Huang <wei@redhat.com>

For guest kernel that supports KASLR, the load address can change every
time when guest VM runs. To find the physical base address correctly,
current QEMU dump searches VMCOREINFO for the string "NUMBER(phys_base)=".
However this string pattern is only available on x86_64. AArch64 uses a
different field, called "NUMBER(PHYS_OFFSET)=". This patch makes sure
QEMU dump uses the correct string on AArch64.

Signed-off-by: Wei Huang <wei@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1520615003-20869-1-git-send-email-wei@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 dump.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/dump.c b/dump.c
index XXXXXXX..XXXXXXX 100644
--- a/dump.c
+++ b/dump.c
@@ -XXX,XX +XXX,XX @@ static void vmcoreinfo_update_phys_base(DumpState *s)
 
     lines = g_strsplit((char *)vmci, "\n", -1);
     for (i = 0; lines[i]; i++) {
-        if (g_str_has_prefix(lines[i], "NUMBER(phys_base)=")) {
-            if (qemu_strtou64(lines[i] + 18, NULL, 16,
+        const char *prefix = NULL;
+
+        if (s->dump_info.d_machine == EM_X86_64) {
+            prefix = "NUMBER(phys_base)=";
+        } else if (s->dump_info.d_machine == EM_AARCH64) {
+            prefix = "NUMBER(PHYS_OFFSET)=";
+        }
+
+        if (prefix && g_str_has_prefix(lines[i], prefix)) {
+            if (qemu_strtou64(lines[i] + strlen(prefix), NULL, 16,
                               &phys_base) < 0) {
-                warn_report("Failed to read NUMBER(phys_base)=");
+                warn_report("Failed to read %s", prefix);
             } else {
                 s->dump_info.phys_base = phys_base;
             }
-- 
2.16.2

From: Andrey Smirnov <andrew.smirnov@gmail.com>

Code of imx_update() is slightly confusing since the "flags" variable
doesn't really corespond to anything in real hardware and server as a
kitchensink accumulating events normally reported via USR1 and USR2
registers.

Change the code to explicitly evaluate state of interrupts reported
via USR1 and USR2 against corresponding masking bits and use the to
detemine if IRQ line should be asserted or not.

NOTE: Check for UTS1_TXEMPTY being set has been dropped for two
reasons:

1. Emulation code implements a single character FIFO, so this flag
       will always be set since characters are trasmitted as a part of
       the code emulating "push" into the FIFO

2. imx_update() is really just a function doing ORing and maksing
       of reported events, so checking for UTS1_TXEMPTY should happen,
       if it's ever really needed should probably happen outside of
       it.

Cc: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org
Cc: Bill Paul <wpaul@windriver.com>
Cc: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Message-id: 20180315191141.6789-1-andrew.smirnov@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/char/imx_serial.c | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/hw/char/imx_serial.c b/hw/char/imx_serial.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/char/imx_serial.c
+++ b/hw/char/imx_serial.c
@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_imx_serial = {
 
 static void imx_update(IMXSerialState *s)
 {
-    uint32_t flags;
+    uint32_t usr1;
+    uint32_t usr2;
+    uint32_t mask;
 
-    flags = (s->usr1 & s->ucr1) & (USR1_TRDY|USR1_RRDY);
-    if (s->ucr1 & UCR1_TXMPTYEN) {
-        flags |= (s->uts1 & UTS1_TXEMPTY);
-    } else {
-        flags &= ~USR1_TRDY;
-    }
+    /*
+     * Lucky for us TRDY and RRDY has the same offset in both USR1 and
+     * UCR1, so we can get away with something as simple as the
+     * following:
+     */
+    usr1 = s->usr1 & s->ucr1 & (USR1_TRDY | USR1_RRDY);
+    /*
+     * Bits that we want in USR2 are not as conveniently laid out,
+     * unfortunately.
+     */
+    mask = (s->ucr1 & UCR1_TXMPTYEN) ? USR2_TXFE : 0;
+    usr2 = s->usr2 & mask;
 
-    qemu_set_irq(s->irq, !!flags);
+    qemu_set_irq(s->irq, usr1 || usr2);
 }
 
 static void imx_serial_reset(IMXSerialState *s)
-- 
2.16.2

From: Andrey Smirnov <andrew.smirnov@gmail.com>

Add support for "TX complete"/TXDC interrupt generate by real HW since
it is needed to support guests other than Linux.

Based on the patch by Bill Paul as found here:
https://bugs.launchpad.net/qemu/+bug/1753314

Cc: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org
Cc: Bill Paul <wpaul@windriver.com>
Cc: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Bill Paul <wpaul@windriver.com>
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Message-id: 20180315191141.6789-2-andrew.smirnov@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/char/imx_serial.h |  3 +++
 hw/char/imx_serial.c         | 20 +++++++++++++++++---
 2 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/include/hw/char/imx_serial.h b/include/hw/char/imx_serial.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/char/imx_serial.h
+++ b/include/hw/char/imx_serial.h
@@ -XXX,XX +XXX,XX @@
 #define UCR2_RXEN       (1<<1)    /* Receiver enable */
 #define UCR2_SRST       (1<<0)    /* Reset complete */
 
+#define UCR4_TCEN       BIT(3)    /* TX complete interrupt enable */
+
 #define UTS1_TXEMPTY    (1<<6)
 #define UTS1_RXEMPTY    (1<<5)
 #define UTS1_TXFULL     (1<<4)
@@ -XXX,XX +XXX,XX @@ typedef struct IMXSerialState {
     uint32_t ubmr;
     uint32_t ubrc;
     uint32_t ucr3;
+    uint32_t ucr4;
 
     qemu_irq irq;
     CharBackend chr;
diff --git a/hw/char/imx_serial.c b/hw/char/imx_serial.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/char/imx_serial.c
+++ b/hw/char/imx_serial.c
@@ -XXX,XX +XXX,XX @@
 
 static const VMStateDescription vmstate_imx_serial = {
     .name = TYPE_IMX_SERIAL,
-    .version_id = 1,
-    .minimum_version_id = 1,
+    .version_id = 2,
+    .minimum_version_id = 2,
     .fields = (VMStateField[]) {
         VMSTATE_INT32(readbuff, IMXSerialState),
         VMSTATE_UINT32(usr1, IMXSerialState),
@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_imx_serial = {
         VMSTATE_UINT32(ubmr, IMXSerialState),
         VMSTATE_UINT32(ubrc, IMXSerialState),
         VMSTATE_UINT32(ucr3, IMXSerialState),
+        VMSTATE_UINT32(ucr4, IMXSerialState),
         VMSTATE_END_OF_LIST()
     },
 };
@@ -XXX,XX +XXX,XX @@ static void imx_update(IMXSerialState *s)
      * unfortunately.
      */
     mask = (s->ucr1 & UCR1_TXMPTYEN) ? USR2_TXFE : 0;
+    /*
+     * TCEN and TXDC are both bit 3
+     */
+    mask |= s->ucr4 & UCR4_TCEN;
+
     usr2 = s->usr2 & mask;
 
     qemu_set_irq(s->irq, usr1 || usr2);
@@ -XXX,XX +XXX,XX @@ static uint64_t imx_serial_read(void *opaque, hwaddr offset,
         return s->ucr3;
 
     case 0x23: /* UCR4 */
+        return s->ucr4;
+
     case 0x29: /* BRM Incremental */
         return 0x0; /* TODO */
 
@@ -XXX,XX +XXX,XX @@ static void imx_serial_write(void *opaque, hwaddr offset,
              * qemu_chr_fe_write and background I/O callbacks */
             qemu_chr_fe_write_all(&s->chr, &ch, 1);
             s->usr1 &= ~USR1_TRDY;
+            s->usr2 &= ~USR2_TXDC;
             imx_update(s);
             s->usr1 |= USR1_TRDY;
+            s->usr2 |= USR2_TXDC;
             imx_update(s);
         }
         break;
@@ -XXX,XX +XXX,XX @@ static void imx_serial_write(void *opaque, hwaddr offset,
         s->ucr3 = value & 0xffff;
         break;
 
-    case 0x2d: /* UTS1 */
     case 0x23: /* UCR4 */
+        s->ucr4 = value & 0xffff;
+        imx_update(s);
+        break;
+
+    case 0x2d: /* UTS1 */
         qemu_log_mask(LOG_UNIMP, "[%s]%s: Unimplemented reg 0x%"
                       HWADDR_PRIx "\n", TYPE_IMX_SERIAL, __func__, offset);
         /* TODO */
-- 
2.16.2

For the rpi1 and 2 we want to boot the Linux kernel via some
custom setup code that makes sure that the SMC instruction
acts as a no-op, because it's used for cache maintenance.
The rpi3 boots AArch64 kernels, which don't need SMC for
cache maintenance and always expect to be booted non-secure.
Don't fill in the aarch32-specific parts of the binfo struct.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Andrew Baumann <Andrew.Baumann@microsoft.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20180313153458.26822-2-peter.maydell@linaro.org
---
 hw/arm/raspi.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/hw/arm/raspi.c b/hw/arm/raspi.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/raspi.c
+++ b/hw/arm/raspi.c
@@ -XXX,XX +XXX,XX @@ static void setup_boot(MachineState *machine, int version, size_t ram_size)
     binfo.board_id = raspi_boardid[version];
     binfo.ram_size = ram_size;
     binfo.nb_cpus = smp_cpus;
-    binfo.board_setup_addr = BOARDSETUP_ADDR;
-    binfo.write_board_setup = write_board_setup;
-    binfo.secure_board_setup = true;
-    binfo.secure_boot = true;
+
+    if (version <= 2) {
+        /* The rpi1 and 2 require some custom setup code to run in Secure
+         * mode before booting a kernel (to set up the SMC vectors so
+         * that we get a no-op SMC; this is used by Linux to call the
+         * firmware for some cache maintenance operations.
+         * The rpi3 doesn't need this.
+         */
+        binfo.board_setup_addr = BOARDSETUP_ADDR;
+        binfo.write_board_setup = write_board_setup;
+        binfo.secure_board_setup = true;
+        binfo.secure_boot = true;
+    }
 
     /* Pi2 and Pi3 requires SMP setup */
     if (version >= 2) {
-- 
2.16.2

Add some assertions that if we're about to boot an AArch64 kernel,
the board code has not mistakenly set either secure_boot or
secure_board_setup. It doesn't make sense to set secure_boot,
because all AArch64 kernels must be booted in non-secure mode.

It might in theory make sense to set secure_board_setup, but
we don't currently support that, because only the AArch32
bootloader[] code calls this hook; bootloader_aarch64[] does not.
Since we don't have a current need for this functionality, just
assert that we don't try to use it. If it's needed we'll add
it later.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20180313153458.26822-3-peter.maydell@linaro.org
---
 hw/arm/boot.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/hw/arm/boot.c b/hw/arm/boot.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/boot.c
+++ b/hw/arm/boot.c
@@ -XXX,XX +XXX,XX @@ static void do_cpu_reset(void *opaque)
                     } else {
                         env->pstate = PSTATE_MODE_EL1h;
                     }
+                    /* AArch64 kernels never boot in secure mode */
+                    assert(!info->secure_boot);
+                    /* This hook is only supported for AArch32 currently:
+                     * bootloader_aarch64[] will not call the hook, and
+                     * the code above has already dropped us into EL2 or EL1.
+                     */
+                    assert(!info->secure_board_setup);
                 }
 
                 /* Set to non-secure if not a secure boot */
-- 
2.16.2

If we're directly booting a Linux kernel and the CPU supports both
EL3 and EL2, we start the kernel in EL2, as it expects. We must also
set the SCR_EL3.HCE bit in this situation, so that the HVC
instruction is enabled rather than UNDEFing. Otherwise at least some
kernels will panic when trying to initialize KVM in the guest.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20180313153458.26822-4-peter.maydell@linaro.org
---
 hw/arm/boot.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/hw/arm/boot.c b/hw/arm/boot.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/boot.c
+++ b/hw/arm/boot.c
@@ -XXX,XX +XXX,XX @@ static void do_cpu_reset(void *opaque)
                     assert(!info->secure_board_setup);
                 }
 
+                if (arm_feature(env, ARM_FEATURE_EL2)) {
+                    /* If we have EL2 then Linux expects the HVC insn to work */
+                    env->cp15.scr_el3 |= SCR_HCE;
+                }
+
                 /* Set to non-secure if not a secure boot */
                 if (!info->secure_boot &&
                     (cs != first_cpu || !info->secure_board_setup)) {
-- 
2.16.2

The TypeInfo and state struct for bcm2386 disagree about what the
parent class is -- the TypeInfo says it's TYPE_SYS_BUS_DEVICE,
but the BCM2386State struct only defines the parent_obj field
as DeviceState. This would have caused problems if anything
actually tried to treat the object as a TYPE_SYS_BUS_DEVICE.
Fix the TypeInfo to use TYPE_DEVICE as the parent, since we don't
need any of the additional functionality TYPE_SYS_BUS_DEVICE
provides.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Andrew Baumann <Andrew.Baumann@microsoft.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20180313153458.26822-5-peter.maydell@linaro.org
---
 hw/arm/bcm2836.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/arm/bcm2836.c b/hw/arm/bcm2836.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/bcm2836.c
+++ b/hw/arm/bcm2836.c
@@ -XXX,XX +XXX,XX @@ static void bcm2836_class_init(ObjectClass *oc, void *data)
 
 static const TypeInfo bcm2836_type_info = {
     .name = TYPE_BCM2836,
-    .parent = TYPE_SYS_BUS_DEVICE,
+    .parent = TYPE_DEVICE,
     .instance_size = sizeof(BCM2836State),
     .instance_init = bcm2836_init,
     .class_init = bcm2836_class_init,
-- 
2.16.2

Our BCM2836 type is really a generic one that can be any of
the bcm283x family. Rename it accordingly. We change only
the names which are visible via the header file to the
rest of the QEMU code, leaving private function names
in bcm2836.c as they are.

This is a preliminary to making bcm283x be an abstract
parent class to specific types for the bcm2836 and bcm2837.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Andrew Baumann <Andrew.Baumann@microsoft.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20180313153458.26822-6-peter.maydell@linaro.org
---
 include/hw/arm/bcm2836.h | 12 ++++++------
 hw/arm/bcm2836.c         | 17 +++++++++--------
 hw/arm/raspi.c           | 16 ++++++++--------
 3 files changed, 23 insertions(+), 22 deletions(-)

diff --git a/include/hw/arm/bcm2836.h b/include/hw/arm/bcm2836.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/bcm2836.h
+++ b/include/hw/arm/bcm2836.h
@@ -XXX,XX +XXX,XX @@
 #include "hw/arm/bcm2835_peripherals.h"
 #include "hw/intc/bcm2836_control.h"
 
-#define TYPE_BCM2836 "bcm2836"
-#define BCM2836(obj) OBJECT_CHECK(BCM2836State, (obj), TYPE_BCM2836)
+#define TYPE_BCM283X "bcm283x"
+#define BCM283X(obj) OBJECT_CHECK(BCM283XState, (obj), TYPE_BCM283X)
 
-#define BCM2836_NCPUS 4
+#define BCM283X_NCPUS 4
 
-typedef struct BCM2836State {
+typedef struct BCM283XState {
     /*< private >*/
     DeviceState parent_obj;
     /*< public >*/
@@ -XXX,XX +XXX,XX @@ typedef struct BCM2836State {
     char *cpu_type;
     uint32_t enabled_cpus;
 
-    ARMCPU cpus[BCM2836_NCPUS];
+    ARMCPU cpus[BCM283X_NCPUS];
     BCM2836ControlState control;
     BCM2835PeripheralState peripherals;
-} BCM2836State;
+} BCM283XState;
 
 #endif /* BCM2836_H */
diff --git a/hw/arm/bcm2836.c b/hw/arm/bcm2836.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/bcm2836.c
+++ b/hw/arm/bcm2836.c
@@ -XXX,XX +XXX,XX @@
 
 static void bcm2836_init(Object *obj)
 {
-    BCM2836State *s = BCM2836(obj);
+    BCM283XState *s = BCM283X(obj);
 
     object_initialize(&s->control, sizeof(s->control), TYPE_BCM2836_CONTROL);
     object_property_add_child(obj, "control", OBJECT(&s->control), NULL);
@@ -XXX,XX +XXX,XX @@ static void bcm2836_init(Object *obj)
 
 static void bcm2836_realize(DeviceState *dev, Error **errp)
 {
-    BCM2836State *s = BCM2836(dev);
+    BCM283XState *s = BCM283X(dev);
     Object *obj;
     Error *err = NULL;
     int n;
@@ -XXX,XX +XXX,XX @@ static void bcm2836_realize(DeviceState *dev, Error **errp)
     /* common peripherals from bcm2835 */
 
     obj = OBJECT(dev);
-    for (n = 0; n < BCM2836_NCPUS; n++) {
+    for (n = 0; n < BCM283X_NCPUS; n++) {
         object_initialize(&s->cpus[n], sizeof(s->cpus[n]),
                           s->cpu_type);
         object_property_add_child(obj, "cpu[*]", OBJECT(&s->cpus[n]),
@@ -XXX,XX +XXX,XX @@ static void bcm2836_realize(DeviceState *dev, Error **errp)
     sysbus_connect_irq(SYS_BUS_DEVICE(&s->peripherals), 1,
         qdev_get_gpio_in_named(DEVICE(&s->control), "gpu-fiq", 0));
 
-    for (n = 0; n < BCM2836_NCPUS; n++) {
+    for (n = 0; n < BCM283X_NCPUS; n++) {
         /* Mirror bcm2836, which has clusterid set to 0xf
          * TODO: this should be converted to a property of ARM_CPU
          */
@@ -XXX,XX +XXX,XX @@ static void bcm2836_realize(DeviceState *dev, Error **errp)
 }
 
 static Property bcm2836_props[] = {
-    DEFINE_PROP_STRING("cpu-type", BCM2836State, cpu_type),
-    DEFINE_PROP_UINT32("enabled-cpus", BCM2836State, enabled_cpus, BCM2836_NCPUS),
+    DEFINE_PROP_STRING("cpu-type", BCM283XState, cpu_type),
+    DEFINE_PROP_UINT32("enabled-cpus", BCM283XState, enabled_cpus,
+                       BCM283X_NCPUS),
     DEFINE_PROP_END_OF_LIST()
 };
 
@@ -XXX,XX +XXX,XX @@ static void bcm2836_class_init(ObjectClass *oc, void *data)
 }
 
 static const TypeInfo bcm2836_type_info = {
-    .name = TYPE_BCM2836,
+    .name = TYPE_BCM283X,
     .parent = TYPE_DEVICE,
-    .instance_size = sizeof(BCM2836State),
+    .instance_size = sizeof(BCM283XState),
     .instance_init = bcm2836_init,
     .class_init = bcm2836_class_init,
 };
diff --git a/hw/arm/raspi.c b/hw/arm/raspi.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/raspi.c
+++ b/hw/arm/raspi.c
@@ -XXX,XX +XXX,XX @@
 static const int raspi_boardid[] = {[1] = 0xc42, [2] = 0xc43, [3] = 0xc44};
 
 typedef struct RasPiState {
-    BCM2836State soc;
+    BCM283XState soc;
     MemoryRegion ram;
 } RasPiState;
 
@@ -XXX,XX +XXX,XX @@ static void raspi_init(MachineState *machine, int version)
     BusState *bus;
     DeviceState *carddev;
 
-    object_initialize(&s->soc, sizeof(s->soc), TYPE_BCM2836);
+    object_initialize(&s->soc, sizeof(s->soc), TYPE_BCM283X);
     object_property_add_child(OBJECT(machine), "soc", OBJECT(&s->soc),
                               &error_abort);
 
@@ -XXX,XX +XXX,XX @@ static void raspi2_machine_init(MachineClass *mc)
     mc->no_floppy = 1;
     mc->no_cdrom = 1;
     mc->default_cpu_type = ARM_CPU_TYPE_NAME("cortex-a15");
-    mc->max_cpus = BCM2836_NCPUS;
-    mc->min_cpus = BCM2836_NCPUS;
-    mc->default_cpus = BCM2836_NCPUS;
+    mc->max_cpus = BCM283X_NCPUS;
+    mc->min_cpus = BCM283X_NCPUS;
+    mc->default_cpus = BCM283X_NCPUS;
     mc->default_ram_size = 1024 * 1024 * 1024;
     mc->ignore_memory_transaction_failures = true;
 };
@@ -XXX,XX +XXX,XX @@ static void raspi3_machine_init(MachineClass *mc)
     mc->no_floppy = 1;
     mc->no_cdrom = 1;
     mc->default_cpu_type = ARM_CPU_TYPE_NAME("cortex-a53");
-    mc->max_cpus = BCM2836_NCPUS;
-    mc->min_cpus = BCM2836_NCPUS;
-    mc->default_cpus = BCM2836_NCPUS;
+    mc->max_cpus = BCM283X_NCPUS;
+    mc->min_cpus = BCM283X_NCPUS;
+    mc->default_cpus = BCM283X_NCPUS;
     mc->default_ram_size = 1024 * 1024 * 1024;
 }
 DEFINE_MACHINE("raspi3", raspi3_machine_init)
-- 
2.16.2

The bcm2837 is pretty similar to the bcm2836, but it does have
some differences. Notably, the MPIDR affinity aff1 values it
sets for the CPUs are 0x0, rather than the 0xf that the bcm2836
uses, and if this is wrong Linux will not boot.

Rather than trying to have one device with properties that
configure it differently for the two cases, create two
separate QOM devices for the two SoCs. We use the same approach
as hw/arm/aspeed_soc.c and share code and have a data table
that might differ per-SoC. For the moment the two types don't
actually have different behaviour.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20180313153458.26822-7-peter.maydell@linaro.org
---
 include/hw/arm/bcm2836.h | 19 +++++++++++++++++++
 hw/arm/bcm2836.c         | 37 ++++++++++++++++++++++++++++++++-----
 hw/arm/raspi.c           |  3 ++-
 3 files changed, 53 insertions(+), 6 deletions(-)

diff --git a/include/hw/arm/bcm2836.h b/include/hw/arm/bcm2836.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/bcm2836.h
+++ b/include/hw/arm/bcm2836.h
@@ -XXX,XX +XXX,XX @@
 
 #define BCM283X_NCPUS 4
 
+/* These type names are for specific SoCs; other than instantiating
+ * them, code using these devices should always handle them via the
+ * BCM283x base class, so they have no BCM2836(obj) etc macros.
+ */
+#define TYPE_BCM2836 "bcm2836"
+#define TYPE_BCM2837 "bcm2837"
+
 typedef struct BCM283XState {
     /*< private >*/
     DeviceState parent_obj;
@@ -XXX,XX +XXX,XX @@ typedef struct BCM283XState {
     BCM2835PeripheralState peripherals;
 } BCM283XState;
 
+typedef struct BCM283XInfo BCM283XInfo;
+
+typedef struct BCM283XClass {
+    DeviceClass parent_class;
+    const BCM283XInfo *info;
+} BCM283XClass;
+
+#define BCM283X_CLASS(klass) \
+    OBJECT_CLASS_CHECK(BCM283XClass, (klass), TYPE_BCM283X)
+#define BCM283X_GET_CLASS(obj) \
+    OBJECT_GET_CLASS(BCM283XClass, (obj), TYPE_BCM283X)
+
 #endif /* BCM2836_H */
diff --git a/hw/arm/bcm2836.c b/hw/arm/bcm2836.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/bcm2836.c
+++ b/hw/arm/bcm2836.c
@@ -XXX,XX +XXX,XX @@
 /* "QA7" (Pi2) interrupt controller and mailboxes etc. */
 #define BCM2836_CONTROL_BASE    0x40000000
 
+struct BCM283XInfo {
+    const char *name;
+};
+
+static const BCM283XInfo bcm283x_socs[] = {
+    {
+        .name = TYPE_BCM2836,
+    },
+    {
+        .name = TYPE_BCM2837,
+    },
+};
+
 static void bcm2836_init(Object *obj)
 {
     BCM283XState *s = BCM283X(obj);
@@ -XXX,XX +XXX,XX @@ static Property bcm2836_props[] = {
     DEFINE_PROP_END_OF_LIST()
 };
 
-static void bcm2836_class_init(ObjectClass *oc, void *data)
+static void bcm283x_class_init(ObjectClass *oc, void *data)
 {
     DeviceClass *dc = DEVICE_CLASS(oc);
+    BCM283XClass *bc = BCM283X_CLASS(oc);
 
-    dc->props = bcm2836_props;
+    bc->info = data;
     dc->realize = bcm2836_realize;
+    dc->props = bcm2836_props;
 }
 
-static const TypeInfo bcm2836_type_info = {
+static const TypeInfo bcm283x_type_info = {
     .name = TYPE_BCM283X,
     .parent = TYPE_DEVICE,
     .instance_size = sizeof(BCM283XState),
     .instance_init = bcm2836_init,
-    .class_init = bcm2836_class_init,
+    .class_size = sizeof(BCM283XClass),
+    .abstract = true,
 };
 
 static void bcm2836_register_types(void)
 {
-    type_register_static(&bcm2836_type_info);
+    int i;
+
+    type_register_static(&bcm283x_type_info);
+    for (i = 0; i < ARRAY_SIZE(bcm283x_socs); i++) {
+        TypeInfo ti = {
+            .name = bcm283x_socs[i].name,
+            .parent = TYPE_BCM283X,
+            .class_init = bcm283x_class_init,
+            .class_data = (void *) &bcm283x_socs[i],
+        };
+        type_register(&ti);
+    }
 }
 
 type_init(bcm2836_register_types)
diff --git a/hw/arm/raspi.c b/hw/arm/raspi.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/raspi.c
+++ b/hw/arm/raspi.c
@@ -XXX,XX +XXX,XX @@ static void raspi_init(MachineState *machine, int version)
     BusState *bus;
     DeviceState *carddev;
 
-    object_initialize(&s->soc, sizeof(s->soc), TYPE_BCM283X);
+    object_initialize(&s->soc, sizeof(s->soc),
+                      version == 3 ? TYPE_BCM2837 : TYPE_BCM2836);
     object_property_add_child(OBJECT(machine), "soc", OBJECT(&s->soc),
                               &error_abort);
 
-- 
2.16.2

The BCM2837 sets the Aff1 field of the MPIDR affinity values for the
CPUs to 0, whereas the BCM2836 uses 0xf. Set this correctly, as it
is required for Linux to boot.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Andrew Baumann <Andrew.Baumann@microsoft.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20180313153458.26822-8-peter.maydell@linaro.org
---
 hw/arm/bcm2836.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

Now we have separate types for BCM2386 and BCM2387, we might as well
just hard-code the CPU type they use rather than having it passed
through as an object property. This then lets us put the initialization
of the CPU object in init rather than realize.

Note that this change means that it's no longer possible on
the command line to use -cpu to ask for a different kind of
CPU than the SoC supports. This was never a supported thing to
do anyway; we were just not sanity-checking the command line.

This does require us to only build the bcm2837 object on
TARGET_AARCH64 configs, since otherwise it won't instantiate
due to the missing cortex-a53 device and "make check" will fail.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Andrew Baumann <Andrew.Baumann@microsoft.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20180313153458.26822-9-peter.maydell@linaro.org
---
 hw/arm/bcm2836.c | 24 +++++++++++++++---------
 hw/arm/raspi.c   |  2 --
 2 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/hw/arm/bcm2836.c b/hw/arm/bcm2836.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/bcm2836.c
+++ b/hw/arm/bcm2836.c
@@ -XXX,XX +XXX,XX @@
 
 struct BCM283XInfo {
     const char *name;
+    const char *cpu_type;
     int clusterid;
 };
 
 static const BCM283XInfo bcm283x_socs[] = {
     {
         .name = TYPE_BCM2836,
+        .cpu_type = ARM_CPU_TYPE_NAME("cortex-a15"),
         .clusterid = 0xf,
     },
+#ifdef TARGET_AARCH64
     {
         .name = TYPE_BCM2837,
+        .cpu_type = ARM_CPU_TYPE_NAME("cortex-a53"),
         .clusterid = 0x0,
     },
+#endif
 };
 
 static void bcm2836_init(Object *obj)
 {
     BCM283XState *s = BCM283X(obj);
+    BCM283XClass *bc = BCM283X_GET_CLASS(obj);
+    const BCM283XInfo *info = bc->info;
+    int n;
+
+    for (n = 0; n < BCM283X_NCPUS; n++) {
+        object_initialize(&s->cpus[n], sizeof(s->cpus[n]),
+                          info->cpu_type);
+        object_property_add_child(obj, "cpu[*]", OBJECT(&s->cpus[n]),
+                                  &error_abort);
+    }
 
     object_initialize(&s->control, sizeof(s->control), TYPE_BCM2836_CONTROL);
     object_property_add_child(obj, "control", OBJECT(&s->control), NULL);
@@ -XXX,XX +XXX,XX @@ static void bcm2836_realize(DeviceState *dev, Error **errp)
 
     /* common peripherals from bcm2835 */
 
-    obj = OBJECT(dev);
-    for (n = 0; n < BCM283X_NCPUS; n++) {
-        object_initialize(&s->cpus[n], sizeof(s->cpus[n]),
-                          s->cpu_type);
-        object_property_add_child(obj, "cpu[*]", OBJECT(&s->cpus[n]),
-                                  &error_abort);
-    }
-
     obj = object_property_get_link(OBJECT(dev), "ram", &err);
     if (obj == NULL) {
         error_setg(errp, "%s: required ram link not found: %s",
@@ -XXX,XX +XXX,XX @@ static void bcm2836_realize(DeviceState *dev, Error **errp)
 }
 
 static Property bcm2836_props[] = {
-    DEFINE_PROP_STRING("cpu-type", BCM283XState, cpu_type),
     DEFINE_PROP_UINT32("enabled-cpus", BCM283XState, enabled_cpus,
                        BCM283X_NCPUS),
     DEFINE_PROP_END_OF_LIST()
diff --git a/hw/arm/raspi.c b/hw/arm/raspi.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/raspi.c
+++ b/hw/arm/raspi.c
@@ -XXX,XX +XXX,XX @@ static void raspi_init(MachineState *machine, int version)
     /* Setup the SOC */
     object_property_add_const_link(OBJECT(&s->soc), "ram", OBJECT(&s->ram),
                                    &error_abort);
-    object_property_set_str(OBJECT(&s->soc), machine->cpu_type, "cpu-type",
-                            &error_abort);
     object_property_set_int(OBJECT(&s->soc), smp_cpus, "enabled-cpus",
                             &error_abort);
     int board_rev = version == 3 ? 0xa02082 : 0xa21041;
-- 
2.16.2

The raspi3 has AArch64 CPUs, which means that our smpboot
code for keeping the secondary CPUs in a pen needs to have
a version for A64 as well as A32. Without this, the
secondary CPUs go into an infinite loop of taking undefined
instruction exceptions.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20180313153458.26822-10-peter.maydell@linaro.org
---
 hw/arm/raspi.c | 41 ++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 40 insertions(+), 1 deletion(-)

diff --git a/hw/arm/raspi.c b/hw/arm/raspi.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/raspi.c
+++ b/hw/arm/raspi.c
@@ -XXX,XX +XXX,XX @@
 #define BOARDSETUP_ADDR (MVBAR_ADDR + 0x20) /* board setup code */
 #define FIRMWARE_ADDR_2 0x8000 /* Pi 2 loads kernel.img here by default */
 #define FIRMWARE_ADDR_3 0x80000 /* Pi 3 loads kernel.img here by default */
+#define SPINTABLE_ADDR  0xd8 /* Pi 3 bootloader spintable */
 
 /* Table of Linux board IDs for different Pi versions */
 static const int raspi_boardid[] = {[1] = 0xc42, [2] = 0xc43, [3] = 0xc44};
@@ -XXX,XX +XXX,XX @@ static void write_smpboot(ARMCPU *cpu, const struct arm_boot_info *info)
                        info->smp_loader_start);
 }
 
+static void write_smpboot64(ARMCPU *cpu, const struct arm_boot_info *info)
+{
+    /* Unlike the AArch32 version we don't need to call the board setup hook.
+     * The mechanism for doing the spin-table is also entirely different.
+     * We must have four 64-bit fields at absolute addresses
+     * 0xd8, 0xe0, 0xe8, 0xf0 in RAM, which are the flag variables for
+     * our CPUs, and which we must ensure are zero initialized before
+     * the primary CPU goes into the kernel. We put these variables inside
+     * a rom blob, so that the reset for ROM contents zeroes them for us.
+     */
+    static const uint32_t smpboot[] = {
+        0xd2801b05, /*        mov     x5, 0xd8 */
+        0xd53800a6, /*        mrs     x6, mpidr_el1 */
+        0x924004c6, /*        and     x6, x6, #0x3 */
+        0xd503205f, /* spin:  wfe */
+        0xf86678a4, /*        ldr     x4, [x5,x6,lsl #3] */
+        0xb4ffffc4, /*        cbz     x4, spin */
+        0xd2800000, /*        mov     x0, #0x0 */
+        0xd2800001, /*        mov     x1, #0x0 */
+        0xd2800002, /*        mov     x2, #0x0 */
+        0xd2800003, /*        mov     x3, #0x0 */
+        0xd61f0080, /*        br      x4 */
+    };
+
+    static const uint64_t spintables[] = {
+        0, 0, 0, 0
+    };
+
+    rom_add_blob_fixed("raspi_smpboot", smpboot, sizeof(smpboot),
+                       info->smp_loader_start);
+    rom_add_blob_fixed("raspi_spintables", spintables, sizeof(spintables),
+                       SPINTABLE_ADDR);
+}
+
 static void write_board_setup(ARMCPU *cpu, const struct arm_boot_info *info)
 {
     arm_write_secure_board_setup_dummy_smc(cpu, info, MVBAR_ADDR);
@@ -XXX,XX +XXX,XX @@ static void setup_boot(MachineState *machine, int version, size_t ram_size)
     /* Pi2 and Pi3 requires SMP setup */
     if (version >= 2) {
         binfo.smp_loader_start = SMPBOOT_ADDR;
-        binfo.write_secondary_boot = write_smpboot;
+        if (version == 2) {
+            binfo.write_secondary_boot = write_smpboot;
+        } else {
+            binfo.write_secondary_boot = write_smpboot64;
+        }
         binfo.secondary_cpu_reset_hook = reset_secondary;
     }
 
-- 
2.16.2

Handful of bugfixes for rc2. None of these are particularly critical
or exciting.

-- PMM

The following changes since commit 45a150aa2b3492acf6691c7bdbeb25a8545d8345:

Merge remote-tracking branch 'remotes/ericb/tags/pull-bitmaps-2020-08-03' into staging (2020-08-03 15:13:49 +0100)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20200803

for you to fetch changes up to 13557fd392890cbd985bceba7f717e01efd674b8:

hw/timer/imx_epit: Avoid assertion when CR.SWR is written (2020-08-03 17:56:11 +0100)

----------------------------------------------------------------
target-arm queue:
 * hw/timer/imx_epit: Avoid assertion when CR.SWR is written
 * netduino2, netduinoplus2, microbit: set system_clock_scale so that
   SysTick running on the CPU clock works
 * target/arm: Avoid maybe-uninitialized warning with gcc 4.9
 * target/arm: Fix AddPAC error indication
 * Make AIRCR.SYSRESETREQ actually reset the system for the
   microbit, mps2-*, musca-*, netduino* boards

----------------------------------------------------------------
Kaige Li (1):
      target/arm: Avoid maybe-uninitialized warning with gcc 4.9

Peter Maydell (6):
      hw/arm/netduino2, netduinoplus2: Set system_clock_scale
      include/hw/irq.h: New function qemu_irq_is_connected()
      hw/intc/armv7m_nvic: Provide default "reset the system" behaviour for SYSRESETREQ
      msf2-soc, stellaris: Don't wire up SYSRESETREQ
      hw/arm/nrf51_soc: Set system_clock_scale
      hw/timer/imx_epit: Avoid assertion when CR.SWR is written

Richard Henderson (1):
      target/arm: Fix AddPAC error indication

include/hw/arm/armv7m.h           |  4 +++-
 include/hw/irq.h                  | 18 ++++++++++++++++++
 hw/arm/msf2-soc.c                 | 11 -----------
 hw/arm/netduino2.c                | 10 ++++++++++
 hw/arm/netduinoplus2.c            | 10 ++++++++++
 hw/arm/nrf51_soc.c                |  5 +++++
 hw/arm/stellaris.c                | 12 ------------
 hw/intc/armv7m_nvic.c             | 17 ++++++++++++++++-
 hw/timer/imx_epit.c               | 13 ++++++++++---
 target/arm/pauth_helper.c         |  6 +++++-
 target/arm/translate-a64.c        |  2 +-
 tests/tcg/aarch64/pauth-5.c       | 33 +++++++++++++++++++++++++++++++++
 tests/tcg/aarch64/Makefile.target |  2 +-
 13 files changed, 112 insertions(+), 31 deletions(-)
 create mode 100644 tests/tcg/aarch64/pauth-5.c

The netduino2 and netduinoplus2 boards forgot to set the system_clock_scale
global, which meant that if guest code used the systick timer in "use
the processor clock" mode it would hang because time never advances.

Set the global to match the documented CPU clock speed of these boards.
Judging by the data sheet this is slightly simplistic because the
SoC allows configuration of the SYSCLK source and frequency via the
RCC (reset and clock control) module, but we don't model that.

Fixes: https://bugs.launchpad.net/qemu/+bug/1876187
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20200727162617.26227-1-peter.maydell@linaro.org
---
 hw/arm/netduino2.c     | 10 ++++++++++
 hw/arm/netduinoplus2.c | 10 ++++++++++
 2 files changed, 20 insertions(+)

diff --git a/hw/arm/netduino2.c b/hw/arm/netduino2.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/netduino2.c
+++ b/hw/arm/netduino2.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/arm/stm32f205_soc.h"
 #include "hw/arm/boot.h"
 
+/* Main SYSCLK frequency in Hz (120MHz) */
+#define SYSCLK_FRQ 120000000ULL
+
 static void netduino2_init(MachineState *machine)
 {
     DeviceState *dev;
 
+    /*
+     * TODO: ideally we would model the SoC RCC and let it handle
+     * system_clock_scale, including its ability to define different
+     * possible SYSCLK sources.
+     */
+    system_clock_scale = NANOSECONDS_PER_SECOND / SYSCLK_FRQ;
+
     dev = qdev_new(TYPE_STM32F205_SOC);
     qdev_prop_set_string(dev, "cpu-type", ARM_CPU_TYPE_NAME("cortex-m3"));
     sysbus_realize_and_unref(SYS_BUS_DEVICE(dev), &error_fatal);
diff --git a/hw/arm/netduinoplus2.c b/hw/arm/netduinoplus2.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/netduinoplus2.c
+++ b/hw/arm/netduinoplus2.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/arm/stm32f405_soc.h"
 #include "hw/arm/boot.h"
 
+/* Main SYSCLK frequency in Hz (168MHz) */
+#define SYSCLK_FRQ 168000000ULL
+
 static void netduinoplus2_init(MachineState *machine)
 {
     DeviceState *dev;
 
+    /*
+     * TODO: ideally we would model the SoC RCC and let it handle
+     * system_clock_scale, including its ability to define different
+     * possible SYSCLK sources.
+     */
+    system_clock_scale = NANOSECONDS_PER_SECOND / SYSCLK_FRQ;
+
     dev = qdev_new(TYPE_STM32F405_SOC);
     qdev_prop_set_string(dev, "cpu-type", ARM_CPU_TYPE_NAME("cortex-m4"));
     sysbus_realize_and_unref(SYS_BUS_DEVICE(dev), &error_fatal);
-- 
2.20.1

Mostly devices don't need to care whether one of their output
qemu_irq lines is connected, because functions like qemu_set_irq()
silently do nothing if there is nothing on the other end.  However
sometimes a device might want to implement default behaviour for the
case where the machine hasn't wired the line up to anywhere.

Provide a function qemu_irq_is_connected() that devices can use for
this purpose.  (The test is trivial but encapsulating it in a
function makes it easier to see where we're doing it in case we need
to change the implementation later.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20200728103744.6909-2-peter.maydell@linaro.org
---
 include/hw/irq.h | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/include/hw/irq.h b/include/hw/irq.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/irq.h
+++ b/include/hw/irq.h
@@ -XXX,XX +XXX,XX @@ qemu_irq qemu_irq_split(qemu_irq irq1, qemu_irq irq2);
    on an existing vector of qemu_irq.  */
 void qemu_irq_intercept_in(qemu_irq *gpio_in, qemu_irq_handler handler, int n);
 
+/**
+ * qemu_irq_is_connected: Return true if IRQ line is wired up
+ *
+ * If a qemu_irq has a device on the other (receiving) end of it,
+ * return true; otherwise return false.
+ *
+ * Usually device models don't need to care whether the machine model
+ * has wired up their outbound qemu_irq lines, because functions like
+ * qemu_set_irq() silently do nothing if there is nothing on the other
+ * end of the line. However occasionally a device model will want to
+ * provide default behaviour if its output is left floating, and
+ * it can use this function to identify when that is the case.
+ */
+static inline bool qemu_irq_is_connected(qemu_irq irq)
+{
+    return irq != NULL;
+}
+
 #endif
-- 
2.20.1

The NVIC provides an outbound qemu_irq "SYSRESETREQ" which it signals
when the guest sets the SYSRESETREQ bit in the AIRCR register.  This
matches the hardware design (where the CPU has a signal of this name
and it is up to the SoC to connect that up to an actual reset
mechanism), but in QEMU it mostly results in duplicated code in SoC
objects and bugs where SoC model implementors forget to wire up the
SYSRESETREQ line.

Provide a default behaviour for the case where SYSRESETREQ is not
actually connected to anything: use qemu_system_reset_request() to
perform a system reset.  This will allow us to remove the
implementations of SYSRESETREQ handling from the boards where that's
exactly what it does, and also fixes the bugs in the board models
which forgot to wire up the signal:

* microbit
 * mps2-an385
 * mps2-an505
 * mps2-an511
 * mps2-an521
 * musca-a
 * musca-b1
 * netduino
 * netduinoplus2

We still allow the board to wire up the signal if it needs to, in case
we need to model more complicated reset controller logic or to model
buggy SoC hardware which forgot to wire up the line itself. But
defaulting to "reset the system" is more often going to be correct
than defaulting to "do nothing".

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20200728103744.6909-3-peter.maydell@linaro.org
---
 include/hw/arm/armv7m.h |  4 +++-
 hw/intc/armv7m_nvic.c   | 17 ++++++++++++++++-
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/include/hw/arm/armv7m.h b/include/hw/arm/armv7m.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/armv7m.h
+++ b/include/hw/arm/armv7m.h
@@ -XXX,XX +XXX,XX @@ typedef struct {
 
 /* ARMv7M container object.
  * + Unnamed GPIO input lines: external IRQ lines for the NVIC
- * + Named GPIO output SYSRESETREQ: signalled for guest AIRCR.SYSRESETREQ
+ * + Named GPIO output SYSRESETREQ: signalled for guest AIRCR.SYSRESETREQ.
+ *   If this GPIO is not wired up then the NVIC will default to performing
+ *   a qemu_system_reset_request(SHUTDOWN_CAUSE_GUEST_RESET).
  * + Property "cpu-type": CPU type to instantiate
  * + Property "num-irq": number of external IRQ lines
  * + Property "memory": MemoryRegion defining the physical address space
diff --git a/hw/intc/armv7m_nvic.c b/hw/intc/armv7m_nvic.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/armv7m_nvic.c
+++ b/hw/intc/armv7m_nvic.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/intc/armv7m_nvic.h"
 #include "hw/irq.h"
 #include "hw/qdev-properties.h"
+#include "sysemu/runstate.h"
 #include "target/arm/cpu.h"
 #include "exec/exec-all.h"
 #include "exec/memop.h"
@@ -XXX,XX +XXX,XX @@ static const uint8_t nvic_id[] = {
     0x00, 0xb0, 0x1b, 0x00, 0x0d, 0xe0, 0x05, 0xb1
 };
 
+static void signal_sysresetreq(NVICState *s)
+{
+    if (qemu_irq_is_connected(s->sysresetreq)) {
+        qemu_irq_pulse(s->sysresetreq);
+    } else {
+        /*
+         * Default behaviour if the SoC doesn't need to wire up
+         * SYSRESETREQ (eg to a system reset controller of some kind):
+         * perform a system reset via the usual QEMU API.
+         */
+        qemu_system_reset_request(SHUTDOWN_CAUSE_GUEST_RESET);
+    }
+}
+
 static int nvic_pending_prio(NVICState *s)
 {
     /* return the group priority of the current pending interrupt,
@@ -XXX,XX +XXX,XX @@ static void nvic_writel(NVICState *s, uint32_t offset, uint32_t value,
             if (value & R_V7M_AIRCR_SYSRESETREQ_MASK) {
                 if (attrs.secure ||
                     !(cpu->env.v7m.aircr & R_V7M_AIRCR_SYSRESETREQS_MASK)) {
-                    qemu_irq_pulse(s->sysresetreq);
+                    signal_sysresetreq(s);
                 }
             }
             if (value & R_V7M_AIRCR_VECTCLRACTIVE_MASK) {
-- 
2.20.1

The MSF2 SoC model and the Stellaris board code both wire
SYSRESETREQ up to a function that just invokes
    qemu_system_reset_request(SHUTDOWN_CAUSE_GUEST_RESET);
This is now the default action that the NVIC does if the line is
not connected, so we can delete the handling code.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20200728103744.6909-4-peter.maydell@linaro.org
---
 hw/arm/msf2-soc.c  | 11 -----------
 hw/arm/stellaris.c | 12 ------------
 2 files changed, 23 deletions(-)

diff --git a/hw/arm/msf2-soc.c b/hw/arm/msf2-soc.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/msf2-soc.c
+++ b/hw/arm/msf2-soc.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/irq.h"
 #include "hw/arm/msf2-soc.h"
 #include "hw/misc/unimp.h"
-#include "sysemu/runstate.h"
 #include "sysemu/sysemu.h"
 
 #define MSF2_TIMER_BASE       0x40004000
@@ -XXX,XX +XXX,XX @@ static const int spi_irq[MSF2_NUM_SPIS] = { 2, 3 };
 static const int uart_irq[MSF2_NUM_UARTS] = { 10, 11 };
 static const int timer_irq[MSF2_NUM_TIMERS] = { 14, 15 };
 
-static void do_sys_reset(void *opaque, int n, int level)
-{
-    if (level) {
-        qemu_system_reset_request(SHUTDOWN_CAUSE_GUEST_RESET);
-    }
-}
-
 static void m2sxxx_soc_initfn(Object *obj)
 {
     MSF2State *s = MSF2_SOC(obj);
@@ -XXX,XX +XXX,XX @@ static void m2sxxx_soc_realize(DeviceState *dev_soc, Error **errp)
         return;
     }
 
-    qdev_connect_gpio_out_named(DEVICE(&s->armv7m.nvic), "SYSRESETREQ", 0,
-                                qemu_allocate_irq(&do_sys_reset, NULL, 0));
-
     system_clock_scale = NANOSECONDS_PER_SECOND / s->m3clk;
 
     for (i = 0; i < MSF2_NUM_UARTS; i++) {
diff --git a/hw/arm/stellaris.c b/hw/arm/stellaris.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/stellaris.c
+++ b/hw/arm/stellaris.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/boards.h"
 #include "qemu/log.h"
 #include "exec/address-spaces.h"
-#include "sysemu/runstate.h"
 #include "sysemu/sysemu.h"
 #include "hw/arm/armv7m.h"
 #include "hw/char/pl011.h"
@@ -XXX,XX +XXX,XX @@ static void stellaris_adc_init(Object *obj)
     qdev_init_gpio_in(dev, stellaris_adc_trigger, 1);
 }
 
-static
-void do_sys_reset(void *opaque, int n, int level)
-{
-    if (level) {
-        qemu_system_reset_request(SHUTDOWN_CAUSE_GUEST_RESET);
-    }
-}
-
 /* Board init.  */
 static stellaris_board_info stellaris_boards[] = {
   { "LM3S811EVB",
@@ -XXX,XX +XXX,XX @@ static void stellaris_init(MachineState *ms, stellaris_board_info *board)
     /* This will exit with an error if the user passed us a bad cpu_type */
     sysbus_realize_and_unref(SYS_BUS_DEVICE(nvic), &error_fatal);
 
-    qdev_connect_gpio_out_named(nvic, "SYSRESETREQ", 0,
-                                qemu_allocate_irq(&do_sys_reset, NULL, 0));
-
     if (board->dc1 & (1 << 16)) {
         dev = sysbus_create_varargs(TYPE_STELLARIS_ADC, 0x40038000,
                                     qdev_get_gpio_in(nvic, 14),
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

The definition of top_bit used in this function is one higher
than that used in the Arm ARM psuedo-code, which put the error
indication at top_bit - 1 at the wrong place, which meant that
it wasn't visible to Auth.

Fixing the definition of top_bit requires more changes, because
its most common use is for the count of bits in top_bit:bot_bit,
which would then need to be computed as top_bit - bot_bit + 1.

For now, prefer the minimal fix to the error indication alone.

Fixes: 63ff0ca94cb
Reported-by: Derrick McKee <derrick.mckee@gmail.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200728195706.11087-1-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
[PMM: added comment about the divergence from the pseudocode]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/pauth_helper.c         |  6 +++++-
 tests/tcg/aarch64/pauth-5.c       | 33 +++++++++++++++++++++++++++++++
 tests/tcg/aarch64/Makefile.target |  2 +-
 3 files changed, 39 insertions(+), 2 deletions(-)
 create mode 100644 tests/tcg/aarch64/pauth-5.c

diff --git a/target/arm/pauth_helper.c b/target/arm/pauth_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/pauth_helper.c
+++ b/target/arm/pauth_helper.c
@@ -XXX,XX +XXX,XX @@ static uint64_t pauth_addpac(CPUARMState *env, uint64_t ptr, uint64_t modifier,
      */
     test = sextract64(ptr, bot_bit, top_bit - bot_bit);
     if (test != 0 && test != -1) {
-        pac ^= MAKE_64BIT_MASK(top_bit - 1, 1);
+        /*
+         * Note that our top_bit is one greater than the pseudocode's
+         * version, hence "- 2" here.
+         */
+        pac ^= MAKE_64BIT_MASK(top_bit - 2, 1);
     }
 
     /*
diff --git a/tests/tcg/aarch64/pauth-5.c b/tests/tcg/aarch64/pauth-5.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/tests/tcg/aarch64/pauth-5.c
@@ -XXX,XX +XXX,XX @@
+#include <assert.h>
+
+static int x;
+
+int main()
+{
+    int *p0 = &x, *p1, *p2, *p3;
+    unsigned long salt = 0;
+
+    /*
+     * With TBI enabled and a 48-bit VA, there are 7 bits of auth, and so
+     * a 1/128 chance of auth = pac(ptr,key,salt) producing zero.
+     * Find a salt that creates auth != 0.
+     */
+    do {
+        salt++;
+        asm("pacda %0, %1" : "=r"(p1) : "r"(salt), "0"(p0));
+    } while (p0 == p1);
+
+    /*
+     * This pac must fail, because the input pointer bears an encryption,
+     * and so is not properly extended within bits [55:47].  This will
+     * toggle bit 54 in the output...
+     */
+    asm("pacda %0, %1" : "=r"(p2) : "r"(salt), "0"(p1));
+
+    /* ... so that the aut must fail, setting bit 53 in the output ... */
+    asm("autda %0, %1" : "=r"(p3) : "r"(salt), "0"(p2));
+
+    /* ... which means this equality must not hold. */
+    assert(p3 != p0);
+    return 0;
+}
diff --git a/tests/tcg/aarch64/Makefile.target b/tests/tcg/aarch64/Makefile.target
index XXXXXXX..XXXXXXX 100644
--- a/tests/tcg/aarch64/Makefile.target
+++ b/tests/tcg/aarch64/Makefile.target
@@ -XXX,XX +XXX,XX @@ run-fcvt: fcvt
 
 # Pauth Tests
 ifneq ($(DOCKER_IMAGE)$(CROSS_CC_HAS_ARMV8_3),)
-AARCH64_TESTS += pauth-1 pauth-2 pauth-4
+AARCH64_TESTS += pauth-1 pauth-2 pauth-4 pauth-5
 pauth-%: CFLAGS += -march=armv8.3-a
 run-pauth-%: QEMU_OPTS += -cpu max
 run-plugin-pauth-%: QEMU_OPTS += -cpu max
-- 
2.20.1

From: Kaige Li <likaige@loongson.cn>

GCC version 4.9.4 isn't clever enough to figure out that all
execution paths in disas_ldst() that use 'fn' will have initialized
it first, and so it warns:

/home/LiKaige/qemu/target/arm/translate-a64.c: In function ‘disas_ldst’:
/home/LiKaige/qemu/target/arm/translate-a64.c:3392:5: error: ‘fn’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
     fn(cpu_reg(s, rt), clean_addr, tcg_rs, get_mem_index(s),
     ^
/home/LiKaige/qemu/target/arm/translate-a64.c:3318:22: note: ‘fn’ was declared here
     AtomicThreeOpFn *fn;
                      ^

Make it happy by initializing the variable to NULL.

Signed-off-by: Kaige Li <likaige@loongson.cn>
Message-id: 1596110248-7366-2-git-send-email-likaige@loongson.cn
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
[PMM: Clean up commit message and note which gcc version this was]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void disas_ldst_atomic(DisasContext *s, uint32_t insn,
     bool r = extract32(insn, 22, 1);
     bool a = extract32(insn, 23, 1);
     TCGv_i64 tcg_rs, clean_addr;
-    AtomicThreeOpFn *fn;
+    AtomicThreeOpFn *fn = NULL;
 
     if (is_vector || !dc_isar_feature(aa64_atomics, s)) {
         unallocated_encoding(s);
-- 
2.20.1

The nrf51 SoC model wasn't setting the system_clock_scale
global.which meant that if guest code used the systick timer in "use
the processor clock" mode it would hang because time never advances.

Set the global to match the documented CPU clock speed for this SoC.

This SoC in fact doesn't have a SysTick timer (which is the only thing
currently that cares about the system_clock_scale), because it's
a configurable option in the Cortex-M0. However our Cortex-M0 and
thus our nrf51 and our micro:bit board do provide a SysTick, so
we ought to provide a functional one rather than a broken one.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20200727193458.31250-1-peter.maydell@linaro.org
---
 hw/arm/nrf51_soc.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/hw/arm/nrf51_soc.c b/hw/arm/nrf51_soc.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/nrf51_soc.c
+++ b/hw/arm/nrf51_soc.c
@@ -XXX,XX +XXX,XX @@
 
 #define BASE_TO_IRQ(base) ((base >> 12) & 0x1F)
 
+/* HCLK (the main CPU clock) on this SoC is always 16MHz */
+#define HCLK_FRQ 16000000
+
 static uint64_t clock_read(void *opaque, hwaddr addr, unsigned int size)
 {
     qemu_log_mask(LOG_UNIMP, "%s: 0x%" HWADDR_PRIx " [%u]\n",
@@ -XXX,XX +XXX,XX @@ static void nrf51_soc_realize(DeviceState *dev_soc, Error **errp)
         return;
     }
 
+    system_clock_scale = NANOSECONDS_PER_SECOND / HCLK_FRQ;
+
     object_property_set_link(OBJECT(&s->cpu), "memory", OBJECT(&s->container),
                              &error_abort);
     if (!sysbus_realize(SYS_BUS_DEVICE(&s->cpu), errp)) {
-- 
2.20.1

The imx_epit device has a software-controllable reset triggered by
setting the SWR bit in the CR register. An error in commit cc2722ec83ad9
means that we will end up assert()ing if the guest does this, because
the code in imx_epit_write() starts ptimer transactions, and then
imx_epit_reset() also starts ptimer transactions, triggering
"ptimer_transaction_begin: Assertion `!s->in_transaction' failed".

The cleanest way to avoid this double-transaction is to move the
start-transaction for the CR write handling down below the check of
the SWR bit.

Fixes: https://bugs.launchpad.net/qemu/+bug/1880424
Fixes: cc2722ec83ad944505fe
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20200727154550.3409-1-peter.maydell@linaro.org
---
 hw/timer/imx_epit.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/hw/timer/imx_epit.c b/hw/timer/imx_epit.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/timer/imx_epit.c
+++ b/hw/timer/imx_epit.c
@@ -XXX,XX +XXX,XX @@ static void imx_epit_write(void *opaque, hwaddr offset, uint64_t value,
 
     switch (offset >> 2) {
     case 0: /* CR */
-        ptimer_transaction_begin(s->timer_cmp);
-        ptimer_transaction_begin(s->timer_reload);
 
         oldcr = s->cr;
         s->cr = value & 0x03ffffff;
         if (s->cr & CR_SWR) {
             /* handle the reset */
             imx_epit_reset(DEVICE(s));
-        } else {
+            /*
+             * TODO: could we 'break' here? following operations appear
+             * to duplicate the work imx_epit_reset() already did.
+             */
+        }
+
+        ptimer_transaction_begin(s->timer_cmp);
+        ptimer_transaction_begin(s->timer_reload);
+
+        if (!(s->cr & CR_SWR)) {
             imx_epit_set_freq(s);
         }
 
-- 
2.20.1