Series comparison

-[Qemu-devel] [PULL 00/12] target-arm queue
+[PULL 00/33] target-arm queue
-Arm patch queue for 2.12 -- a miscellaneous collection
+Hi; here's the first target-arm pullreq for the 7.0 cycle.
 of bug fixes.
 thanks
 -- PMM
+The following changes since commit 76b56fdfc9fa43ec6e5986aee33f108c6c6a511e:
-The following changes since commit fb4fe32d5b6290deabe752b51cc1cc2a9e8573db:
+  Merge tag 'block-pull-request' of https://gitlab.com/stefanha/qemu into staging (2021-12-14 12:46:18 -0800)
   Merge remote-tracking branch 'remotes/xtensa/tags/20180409-xtensa' into staging (2018-04-10 10:22:45 +0100)
 are available in the Git repository at:
-  git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20180410
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20211215
-for you to fetch changes up to bd49e6027cbc207c87633c7add3ebd7d3474cd35:
+for you to fetch changes up to aed176558806674d030a8305d989d4e6a5073359:
-  fpu: Fix rounding mode for floatN_to_uintM_round_to_zero (2018-04-10 13:02:26 +0100)
+  tests/acpi: add expected blob for VIOT test on virt machine (2021-12-15 10:35:26 +0000)
 ----------------------------------------------------------------
 target-arm queue:
- * fpu: Fix rounding mode for floatN_to_uintM_round_to_zero
+ * ITS: error reporting cleanup
- * tcg: Fix guest state corruption when running 64-bit Arm
+ * aspeed: improve documentation
-   guests on a 32-bit host (especially when using icount)
+ * Fix STM32F2XX USART data register readout
- * linux-user/signal.c: Ensure AArch64 signal frame isn't too small
+ * allow emulated GICv3 to be disabled in non-TCG builds
- * cpus.c: ensure running CPU recalculates icount deadlines on timer expiry
+ * fix exception priority for singlestep, misaligned PC, bp, etc
- * target/arm: Report unsupported MPU region sizes more clearly
+ * Correct calculation of tlb range invalidate length
- * hw/arm/fsl-imx: Fix introspection problem with fsl-imx6 and fsl-imx7
+ * npcm7xx_emc: fix missing queue_flush
- * hw/arm/allwinner-a10: Do not use nd_table in instance_init function
+ * virt: Add VIOT ACPI table for virtio-iommu
- * hw/sd/bcm2835_sdhost: Don't raise spurious interrupts
+ * target/i386: Use assert() to sanity-check b1 in SSE decode
- * hw/sd/bcm2835_sdhost: Add tracepoints
+ * Don't include qemu-common unnecessarily
  * target-arm: Check undefined opcodes for SWP in A32 decoder
  * hw/arm/integratorcp: Don't do things that could be fatal in the instance_init
  * hw/arm: Allow manually specified /psci node
 ----------------------------------------------------------------
-Andrey Smirnov (1):
+Alex Bennée (1):
-      hw/arm: Allow manually specified /psci node
+      hw/intc: clean-up error reporting for failed ITS cmd
-Onur Sahin (1):
+Jean-Philippe Brucker (8):
-      target-arm: Check undefined opcodes for SWP in A32 decoder
+      hw/arm/virt-acpi-build: Add VIOT table for virtio-iommu
       hw/arm/virt: Remove device tree restriction for virtio-iommu
       hw/arm/virt: Reject instantiation of multiple IOMMUs
       hw/arm/virt: Use object_property_set instead of qdev_prop_set
       tests/acpi: allow updates of VIOT expected data files
       tests/acpi: add test case for VIOT
       tests/acpi: add expected blobs for VIOT test on q35 machine
       tests/acpi: add expected blob for VIOT test on virt machine
-Peter Maydell (5):
+Joel Stanley (4):
-      hw/sd/bcm2835_sdhost: Add tracepoints
+      docs: aspeed: Add new boards
-      hw/sd/bcm2835_sdhost: Don't raise spurious interrupts
+      docs: aspeed: Update OpenBMC image URL
-      target/arm: Report unsupported MPU region sizes more clearly
+      docs: aspeed: Give an example of booting a kernel
-      cpus.c: ensure running CPU recalculates icount deadlines on timer expiry
+      docs: aspeed: ADC is now modelled
       linux-user/signal.c: Ensure AArch64 signal frame isn't too small
-Richard Henderson (2):
+Olivier Hériveaux (1):
-      tcg: Introduce tcg_set_insn_start_param
+      Fix STM32F2XX USART data register readout
       fpu: Fix rounding mode for floatN_to_uintM_round_to_zero
-Thomas Huth (3):
+Patrick Venture (1):
-      hw/arm/integratorcp: Don't do things that could be fatal in the instance_init
+      hw/net: npcm7xx_emc fix missing queue_flush
       hw/arm/allwinner-a10: Do not use nd_table in instance_init function
       hw/arm/fsl-imx: Fix introspection problem with fsl-imx6 and fsl-imx7
- target/arm/translate.h |  2 +-
+Peter Maydell (6):
- tcg/tcg.h              | 10 ++++++++++
+      target/i386: Use assert() to sanity-check b1 in SSE decode
- cpus.c                 | 10 +++++++++-
+      include/hw/i386: Don't include qemu-common.h in .h files
- fpu/softfloat.c        |  4 ++--
+      target/hexagon/cpu.h: don't include qemu-common.h
- hw/arm/allwinner-a10.c | 12 +++++------
+      target/rx/cpu.h: Don't include qemu-common.h
- hw/arm/boot.c          | 10 ++++++++++
+      hw/arm: Don't include qemu-common.h unnecessarily
- hw/arm/fsl-imx6.c      | 14 ++++++-------
+      target/arm: Correct calculation of tlb range invalidate length
  hw/arm/fsl-imx7.c      | 13 ++++++------
  hw/arm/integratorcp.c  | 23 +++++++++++++--------
  hw/sd/bcm2835_sdhost.c | 54 ++++++++++++++++++++++++++++++++------------------
  linux-user/signal.c    |  6 ++++++
  target/arm/helper.c    |  6 +++---
  target/arm/translate.c |  9 +++++++--
  hw/sd/trace-events     |  6 ++++++
 files changed, 124 insertions(+), 55 deletions(-)
+Philippe Mathieu-Daudé (2):
+      hw/intc/arm_gicv3: Extract gicv3_set_gicv3state from arm_gicv3_cpuif.c
+      hw/intc/arm_gicv3: Introduce CONFIG_ARM_GIC_TCG Kconfig selector
+Richard Henderson (10):
+      target/arm: Hoist pc_next to a local variable in aarch64_tr_translate_insn
+      target/arm: Hoist pc_next to a local variable in arm_tr_translate_insn
+      target/arm: Hoist pc_next to a local variable in thumb_tr_translate_insn
+      target/arm: Split arm_pre_translate_insn
+      target/arm: Advance pc for arch single-step exception
+      target/arm: Split compute_fsr_fsc out of arm_deliver_fault
+      target/arm: Take an exception if PC is misaligned
+      target/arm: Assert thumb pc is aligned
+      target/arm: Suppress bp for exceptions with more priority
+      tests/tcg: Add arm and aarch64 pc alignment tests
+ docs/system/arm/aspeed.rst        |  26 ++++++++++++----
+ include/hw/i386/microvm.h         |   1 -
+ include/hw/i386/x86.h             |   1 -
+ target/arm/helper.h               |   1 +
+ target/arm/syndrome.h             |   5 +++
+ target/hexagon/cpu.h              |   1 -
+ target/rx/cpu.h                   |   1 -
+ hw/arm/boot.c                     |   1 -
+ hw/arm/digic_boards.c             |   1 -
+ hw/arm/highbank.c                 |   1 -
+ hw/arm/npcm7xx_boards.c           |   1 -
+ hw/arm/sbsa-ref.c                 |   1 -
+ hw/arm/stm32f405_soc.c            |   1 -
+ hw/arm/vexpress.c                 |   1 -
+ hw/arm/virt-acpi-build.c          |   7 +++++
+ hw/arm/virt.c                     |  21 ++++++-------
+ hw/char/stm32f2xx_usart.c         |   3 +-
+ hw/intc/arm_gicv3.c               |   2 +-
+ hw/intc/arm_gicv3_cpuif.c         |  10 +-----
+ hw/intc/arm_gicv3_cpuif_common.c  |  22 +++++++++++++
+ hw/intc/arm_gicv3_its.c           |  39 +++++++++++++++--------
+ hw/net/npcm7xx_emc.c              |  18 +++++------
+ hw/virtio/virtio-iommu-pci.c      |  12 ++------
+ linux-user/aarch64/cpu_loop.c     |  46 ++++++++++++++++------------
+ linux-user/hexagon/cpu_loop.c     |   1 +
+ target/arm/debug_helper.c         |  23 ++++++++++++++
+ target/arm/gdbstub.c              |   9 ++++--
+ target/arm/helper.c               |   6 ++--
+ target/arm/machine.c              |  10 ++++++
+ target/arm/tlb_helper.c           |  63 ++++++++++++++++++++++++++++----------
+ target/arm/translate-a64.c        |  23 ++++++++++++--
+ target/arm/translate.c            |  58 ++++++++++++++++++++++++++---------
+ target/i386/tcg/translate.c       |  12 ++------
+ tests/qtest/bios-tables-test.c    |  38 +++++++++++++++++++++++
+ tests/tcg/aarch64/pcalign-a64.c   |  37 ++++++++++++++++++++++
+ tests/tcg/arm/pcalign-a32.c       |  46 ++++++++++++++++++++++++++++
+ hw/arm/Kconfig                    |   1 +
+ hw/intc/Kconfig                   |   5 +++
+ hw/intc/meson.build               |  11 ++++---
+ tests/data/acpi/q35/DSDT.viot     | Bin 0 -> 9398 bytes
+ tests/data/acpi/q35/VIOT.viot     | Bin 0 -> 112 bytes
+ tests/data/acpi/virt/VIOT         | Bin 0 -> 88 bytes
+ tests/tcg/aarch64/Makefile.target |   4 +--
+ tests/tcg/arm/Makefile.target     |   4 +++
+files changed, 429 insertions(+), 145 deletions(-)
+ create mode 100644 hw/intc/arm_gicv3_cpuif_common.c
+ create mode 100644 tests/tcg/aarch64/pcalign-a64.c
+ create mode 100644 tests/tcg/arm/pcalign-a32.c
+ create mode 100644 tests/data/acpi/q35/DSDT.viot
+ create mode 100644 tests/data/acpi/q35/VIOT.viot
+ create mode 100644 tests/data/acpi/virt/VIOT

-New patch
+[PULL 01/33] hw/intc: clean-up error reporting for failed ITS cmd
+From: Alex Bennée <alex.bennee@linaro.org>
+While trying to debug a GIC ITS failure I saw some guest errors that
+had poor formatting as well as leaving me confused as to what failed.
+As most of the checks aren't possible without a valid dte split that
+check apart and then check the other conditions in steps. This avoids
+us relying on undefined data.
+I still get a failure with the current kvm-unit-tests but at least I
+know (partially) why now:
+  Exception return from AArch64 EL1 to AArch64 EL1 PC 0x40080588
+  PASS: gicv3: its-trigger: inv/invall: dev2/eventid=20 now triggers an LPI
+  ITS: MAPD devid=2 size = 0x8 itt=0x40430000 valid=0
+  INT dev_id=2 event_id=20
+  process_its_cmd: invalid command attributes: invalid dte: 0 for 2 (MEM_TX: 0)
+  PASS: gicv3: its-trigger: mapd valid=false: no LPI after device unmap
+  SUMMARY: 6 tests, 1 unexpected failures
+Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20211112170454.3158925-1-alex.bennee@linaro.org
+Cc: Shashi Mallela <shashi.mallela@linaro.org>
+Cc: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ hw/intc/arm_gicv3_its.c | 39 +++++++++++++++++++++++++++------------
+file changed, 27 insertions(+), 12 deletions(-)
+diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/intc/arm_gicv3_its.c
++++ b/hw/intc/arm_gicv3_its.c
+@@ -XXX,XX +XXX,XX @@ static bool process_its_cmd(GICv3ITSState *s, uint64_t value, uint32_t offset,
+         if (res != MEMTX_OK) {
+             return result;
+         }
++    } else {
++        qemu_log_mask(LOG_GUEST_ERROR,
++                      "%s: invalid command attributes: "
++                      "invalid dte: %"PRIx64" for %d (MEM_TX: %d)\n",
++                      __func__, dte, devid, res);
++        return result;
+     }
+-    if ((devid > s->dt.maxids.max_devids) || !dte_valid || !ite_valid ||
+-            !cte_valid || (eventid > max_eventid)) {
++
++    /*
++     * In this implementation, in case of guest errors we ignore the
++     * command and move onto the next command in the queue.
++     */
++    if (devid > s->dt.maxids.max_devids) {
+         qemu_log_mask(LOG_GUEST_ERROR,
+-                      "%s: invalid command attributes "
+-                      "devid %d or eventid %d or invalid dte %d or"
+-                      "invalid cte %d or invalid ite %d\n",
+-                      __func__, devid, eventid, dte_valid, cte_valid,
+-                      ite_valid);
+-        /*
+-         * in this implementation, in case of error
+-         * we ignore this command and move onto the next
+-         * command in the queue
+-         */
++                      "%s: invalid command attributes: devid %d>%d",
++                      __func__, devid, s->dt.maxids.max_devids);
++
++    } else if (!dte_valid || !ite_valid || !cte_valid) {
++        qemu_log_mask(LOG_GUEST_ERROR,
++                      "%s: invalid command attributes: "
++                      "dte: %s, ite: %s, cte: %s\n",
++                      __func__,
++                      dte_valid ? "valid" : "invalid",
++                      ite_valid ? "valid" : "invalid",
++                      cte_valid ? "valid" : "invalid");
++    } else if (eventid > max_eventid) {
++        qemu_log_mask(LOG_GUEST_ERROR,
++                      "%s: invalid command attributes: eventid %d > %d\n",
++                      __func__, eventid, max_eventid);
+     } else {
+         /*
+          * Current implementation only supports rdbase == procnum
+--
+.25.1

-New patch
+[PULL 02/33] docs: aspeed: Add new boards
+From: Joel Stanley <joel@jms.id.au>
+Add X11, FP5280G2, G220A, Rainier and Fuji. Mention that Swift will be
+removed in v7.0.
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+Reviewed-by: Cédric Le Goater <clg@kaod.org>
+Message-id: 20211117065752.330632-2-joel@jms.id.au
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ docs/system/arm/aspeed.rst | 7 ++++++-
+file changed, 6 insertions(+), 1 deletion(-)
+diff --git a/docs/system/arm/aspeed.rst b/docs/system/arm/aspeed.rst
+index XXXXXXX..XXXXXXX 100644
+--- a/docs/system/arm/aspeed.rst
++++ b/docs/system/arm/aspeed.rst
+@@ -XXX,XX +XXX,XX @@ AST2400 SoC based machines :
+ - ``palmetto-bmc``         OpenPOWER Palmetto POWER8 BMC
+ - ``quanta-q71l-bmc``      OpenBMC Quanta BMC
++- ``supermicrox11-bmc``    Supermicro X11 BMC
+ AST2500 SoC based machines :
+@@ -XXX,XX +XXX,XX @@ AST2500 SoC based machines :
+ - ``romulus-bmc``          OpenPOWER Romulus POWER9 BMC
+ - ``witherspoon-bmc``      OpenPOWER Witherspoon POWER9 BMC
+ - ``sonorapass-bmc``       OCP SonoraPass BMC
+-- ``swift-bmc``            OpenPOWER Swift BMC POWER9
++- ``swift-bmc``            OpenPOWER Swift BMC POWER9 (to be removed in v7.0)
++- ``fp5280g2-bmc``         Inspur FP5280G2 BMC
++- ``g220a-bmc``            Bytedance G220A BMC
+ AST2600 SoC based machines :
+ - ``ast2600-evb``          Aspeed AST2600 Evaluation board (Cortex-A7)
+ - ``tacoma-bmc``           OpenPOWER Witherspoon POWER9 AST2600 BMC
++- ``rainier-bmc``          IBM Rainier POWER10 BMC
++- ``fuji-bmc``             Facebook Fuji BMC
+ Supported devices
+ -----------------
+--
+.25.1

-New patch
+[PULL 03/33] docs: aspeed: Update OpenBMC image URL
+From: Joel Stanley <joel@jms.id.au>
+This is the latest URL for the OpenBMC CI. The old URL still works, but
+redirects.
+Reviewed-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+Message-id: 20211117065752.330632-3-joel@jms.id.au
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ docs/system/arm/aspeed.rst | 2 +-
+file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/docs/system/arm/aspeed.rst b/docs/system/arm/aspeed.rst
+index XXXXXXX..XXXXXXX 100644
+--- a/docs/system/arm/aspeed.rst
++++ b/docs/system/arm/aspeed.rst
+@@ -XXX,XX +XXX,XX @@ The Aspeed machines can be started using the ``-kernel`` option to
+ load a Linux kernel or from a firmware. Images can be downloaded from
+ the OpenBMC jenkins :
+-   https://jenkins.openbmc.org/job/ci-openbmc/lastSuccessfulBuild/distro=ubuntu,label=docker-builder
++   https://jenkins.openbmc.org/job/ci-openbmc/lastSuccessfulBuild/
+ or directly from the OpenBMC GitHub release repository :
+--
+.25.1

-New patch
+[PULL 04/33] docs: aspeed: Give an example of booting a kernel
+From: Joel Stanley <joel@jms.id.au>
+A common use case for the ASPEED machine is to boot a Linux kernel.
+Provide a full example command line.
+Reviewed-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+Message-id: 20211117065752.330632-4-joel@jms.id.au
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ docs/system/arm/aspeed.rst | 15 ++++++++++++---
+file changed, 12 insertions(+), 3 deletions(-)
+diff --git a/docs/system/arm/aspeed.rst b/docs/system/arm/aspeed.rst
+index XXXXXXX..XXXXXXX 100644
+--- a/docs/system/arm/aspeed.rst
++++ b/docs/system/arm/aspeed.rst
+@@ -XXX,XX +XXX,XX @@ Missing devices
+ Boot options
+ ------------
+-The Aspeed machines can be started using the ``-kernel`` option to
+-load a Linux kernel or from a firmware. Images can be downloaded from
+-the OpenBMC jenkins :
++The Aspeed machines can be started using the ``-kernel`` and ``-dtb`` options
++to load a Linux kernel or from a firmware. Images can be downloaded from the
++OpenBMC jenkins :
+    https://jenkins.openbmc.org/job/ci-openbmc/lastSuccessfulBuild/
+@@ -XXX,XX +XXX,XX @@ or directly from the OpenBMC GitHub release repository :
+    https://github.com/openbmc/openbmc/releases
++To boot a kernel directly from a Linux build tree:
++
++.. code-block:: bash
++
++  $ qemu-system-arm -M ast2600-evb -nographic \
++        -kernel arch/arm/boot/zImage \
++        -dtb arch/arm/boot/dts/aspeed-ast2600-evb.dtb \
++        -initrd rootfs.cpio
++
+ The image should be attached as an MTD drive. Run :
+ .. code-block:: bash
+--
+.25.1

-New patch
+[PULL 05/33] docs: aspeed: ADC is now modelled
+From: Joel Stanley <joel@jms.id.au>
+Move it to the supported list.
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+Message-id: 20211117065752.330632-5-joel@jms.id.au
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ docs/system/arm/aspeed.rst | 2 +-
+file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/docs/system/arm/aspeed.rst b/docs/system/arm/aspeed.rst
+index XXXXXXX..XXXXXXX 100644
+--- a/docs/system/arm/aspeed.rst
++++ b/docs/system/arm/aspeed.rst
+@@ -XXX,XX +XXX,XX @@ Supported devices
+  * Front LEDs (PCA9552 on I2C bus)
+  * LPC Peripheral Controller (a subset of subdevices are supported)
+  * Hash/Crypto Engine (HACE) - Hash support only. TODO: HMAC and RSA
++ * ADC
+ Missing devices
+ ---------------
+  * Coprocessor support
+- * ADC (out of tree implementation)
+  * PWM and Fan Controller
+  * Slave GPIO Controller
+  * Super I/O Controller
+--
+.25.1

-New patch
+[PULL 06/33] Fix STM32F2XX USART data register readout
+From: Olivier Hériveaux <olivier.heriveaux@ledger.fr>
+Fix issue where the data register may be overwritten by next character
+reception before being read and returned.
+Signed-off-by: Olivier Hériveaux <olivier.heriveaux@ledger.fr>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Message-id: 20211128120723.4053-1-olivier.heriveaux@ledger.fr
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ hw/char/stm32f2xx_usart.c | 3 ++-
+file changed, 2 insertions(+), 1 deletion(-)
+diff --git a/hw/char/stm32f2xx_usart.c b/hw/char/stm32f2xx_usart.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/char/stm32f2xx_usart.c
++++ b/hw/char/stm32f2xx_usart.c
+@@ -XXX,XX +XXX,XX @@ static uint64_t stm32f2xx_usart_read(void *opaque, hwaddr addr,
+         return retvalue;
+     case USART_DR:
+         DB_PRINT("Value: 0x%" PRIx32 ", %c\n", s->usart_dr, (char) s->usart_dr);
++        retvalue = s->usart_dr & 0x3FF;
+         s->usart_sr &= ~USART_SR_RXNE;
+         qemu_chr_fe_accept_input(&s->chr);
+         qemu_set_irq(s->irq, 0);
+-        return s->usart_dr & 0x3FF;
++        return retvalue;
+     case USART_BRR:
+         return s->usart_brr;
+     case USART_CR1:
+--
+.25.1

-New patch
+[PULL 07/33] hw/intc/arm_gicv3: Extract gicv3_set_gicv3state from arm_gicv3_cpuif.c
+From: Philippe Mathieu-Daudé <philmd@redhat.com>
+gicv3_set_gicv3state() is used by arm_gicv3_common.c in
+arm_gicv3_common_realize(). Since we want to restrict
+arm_gicv3_cpuif.c to TCG, extract gicv3_set_gicv3state()
+to a new file. Add this file to the meson 'specific'
+source set, since it needs access to "cpu.h".
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20211115223619.2599282-2-philmd@redhat.com
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ hw/intc/arm_gicv3_cpuif.c        | 10 +---------
+ hw/intc/arm_gicv3_cpuif_common.c | 22 ++++++++++++++++++++++
+ hw/intc/meson.build              |  1 +
+files changed, 24 insertions(+), 9 deletions(-)
+ create mode 100644 hw/intc/arm_gicv3_cpuif_common.c
+diff --git a/hw/intc/arm_gicv3_cpuif.c b/hw/intc/arm_gicv3_cpuif.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/intc/arm_gicv3_cpuif.c
++++ b/hw/intc/arm_gicv3_cpuif.c
+@@ -XXX,XX +XXX,XX @@
+ /*
+- * ARM Generic Interrupt Controller v3
++ * ARM Generic Interrupt Controller v3 (emulation)
+  *
+  * Copyright (c) 2016 Linaro Limited
+  * Written by Peter Maydell
+@@ -XXX,XX +XXX,XX @@
+ #include "hw/irq.h"
+ #include "cpu.h"
+-void gicv3_set_gicv3state(CPUState *cpu, GICv3CPUState *s)
+-{
+-    ARMCPU *arm_cpu = ARM_CPU(cpu);
+-    CPUARMState *env = &arm_cpu->env;
+-
+-    env->gicv3state = (void *)s;
+-};
+-
+ static GICv3CPUState *icc_cs_from_env(CPUARMState *env)
+ {
+     return env->gicv3state;
+diff --git a/hw/intc/arm_gicv3_cpuif_common.c b/hw/intc/arm_gicv3_cpuif_common.c
+new file mode 100644
+index XXXXXXX..XXXXXXX
+--- /dev/null
++++ b/hw/intc/arm_gicv3_cpuif_common.c
+@@ -XXX,XX +XXX,XX @@
++/* SPDX-License-Identifier: GPL-2.0-or-later */
++/*
++ * ARM Generic Interrupt Controller v3
++ *
++ * Copyright (c) 2016 Linaro Limited
++ * Written by Peter Maydell
++ *
++ * This code is licensed under the GPL, version 2 or (at your option)
++ * any later version.
++ */
++
++#include "qemu/osdep.h"
++#include "gicv3_internal.h"
++#include "cpu.h"
++
++void gicv3_set_gicv3state(CPUState *cpu, GICv3CPUState *s)
++{
++    ARMCPU *arm_cpu = ARM_CPU(cpu);
++    CPUARMState *env = &arm_cpu->env;
++
++    env->gicv3state = (void *)s;
++};
+diff --git a/hw/intc/meson.build b/hw/intc/meson.build
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/intc/meson.build
++++ b/hw/intc/meson.build
+@@ -XXX,XX +XXX,XX @@ softmmu_ss.add(when: 'CONFIG_XLNX_ZYNQMP_PMU', if_true: files('xlnx-pmu-iomod-in
+ specific_ss.add(when: 'CONFIG_ALLWINNER_A10_PIC', if_true: files('allwinner-a10-pic.c'))
+ specific_ss.add(when: 'CONFIG_APIC', if_true: files('apic.c', 'apic_common.c'))
++specific_ss.add(when: 'CONFIG_ARM_GIC', if_true: files('arm_gicv3_cpuif_common.c'))
+ specific_ss.add(when: 'CONFIG_ARM_GIC', if_true: files('arm_gicv3_cpuif.c'))
+ specific_ss.add(when: 'CONFIG_ARM_GIC_KVM', if_true: files('arm_gic_kvm.c'))
+ specific_ss.add(when: ['CONFIG_ARM_GIC_KVM', 'TARGET_AARCH64'], if_true: files('arm_gicv3_kvm.c', 'arm_gicv3_its_kvm.c'))
+--
+.25.1

-New patch
+[PULL 08/33] hw/intc/arm_gicv3: Introduce CONFIG_ARM_GIC_TCG Kconfig selector
+From: Philippe Mathieu-Daudé <philmd@redhat.com>
+The TYPE_ARM_GICV3 device is an emulated one.  When using
+KVM, it is recommended to use the TYPE_KVM_ARM_GICV3 device
+(which uses in-kernel support).
+When using --with-devices-FOO, it is possible to build a
+binary with a specific set of devices. When this binary is
+restricted to KVM accelerator, the TYPE_ARM_GICV3 device is
+irrelevant, and it is desirable to remove it from the binary.
+Therefore introduce the CONFIG_ARM_GIC_TCG Kconfig selector
+which select the files required to have the TYPE_ARM_GICV3
+device, but also allowing to de-select this device.
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20211115223619.2599282-3-philmd@redhat.com
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ hw/intc/arm_gicv3.c |  2 +-
+ hw/intc/Kconfig     |  5 +++++
+ hw/intc/meson.build | 10 ++++++----
+files changed, 12 insertions(+), 5 deletions(-)
+diff --git a/hw/intc/arm_gicv3.c b/hw/intc/arm_gicv3.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/intc/arm_gicv3.c
++++ b/hw/intc/arm_gicv3.c
+@@ -XXX,XX +XXX,XX @@
+ /*
+- * ARM Generic Interrupt Controller v3
++ * ARM Generic Interrupt Controller v3 (emulation)
+  *
+  * Copyright (c) 2015 Huawei.
+  * Copyright (c) 2016 Linaro Limited
+diff --git a/hw/intc/Kconfig b/hw/intc/Kconfig
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/intc/Kconfig
++++ b/hw/intc/Kconfig
+@@ -XXX,XX +XXX,XX @@ config APIC
+     select MSI_NONBROKEN
+     select I8259
++config ARM_GIC_TCG
++    bool
++    default y
++    depends on ARM_GIC && TCG
++
+ config ARM_GIC_KVM
+     bool
+     default y
+diff --git a/hw/intc/meson.build b/hw/intc/meson.build
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/intc/meson.build
++++ b/hw/intc/meson.build
+@@ -XXX,XX +XXX,XX @@ softmmu_ss.add(when: 'CONFIG_ARM_GIC', if_true: files(
+   'arm_gic.c',
+   'arm_gic_common.c',
+   'arm_gicv2m.c',
+-  'arm_gicv3.c',
+   'arm_gicv3_common.c',
+-  'arm_gicv3_dist.c',
+   'arm_gicv3_its_common.c',
+-  'arm_gicv3_redist.c',
++))
++softmmu_ss.add(when: 'CONFIG_ARM_GIC_TCG', if_true: files(
++  'arm_gicv3.c',
++  'arm_gicv3_dist.c',
+   'arm_gicv3_its.c',
++  'arm_gicv3_redist.c',
+ ))
+ softmmu_ss.add(when: 'CONFIG_ETRAXFS', if_true: files('etraxfs_pic.c'))
+ softmmu_ss.add(when: 'CONFIG_HEATHROW_PIC', if_true: files('heathrow_pic.c'))
+@@ -XXX,XX +XXX,XX @@ softmmu_ss.add(when: 'CONFIG_XLNX_ZYNQMP_PMU', if_true: files('xlnx-pmu-iomod-in
+ specific_ss.add(when: 'CONFIG_ALLWINNER_A10_PIC', if_true: files('allwinner-a10-pic.c'))
+ specific_ss.add(when: 'CONFIG_APIC', if_true: files('apic.c', 'apic_common.c'))
+ specific_ss.add(when: 'CONFIG_ARM_GIC', if_true: files('arm_gicv3_cpuif_common.c'))
+-specific_ss.add(when: 'CONFIG_ARM_GIC', if_true: files('arm_gicv3_cpuif.c'))
++specific_ss.add(when: 'CONFIG_ARM_GIC_TCG', if_true: files('arm_gicv3_cpuif.c'))
+ specific_ss.add(when: 'CONFIG_ARM_GIC_KVM', if_true: files('arm_gic_kvm.c'))
+ specific_ss.add(when: ['CONFIG_ARM_GIC_KVM', 'TARGET_AARCH64'], if_true: files('arm_gicv3_kvm.c', 'arm_gicv3_its_kvm.c'))
+ specific_ss.add(when: 'CONFIG_ARM_V7M', if_true: files('armv7m_nvic.c'))
+--
+.25.1

-New patch
+[PULL 09/33] target/arm: Hoist pc_next to a local variable in aarch64_tr_translate_insn
+From: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/translate-a64.c | 7 ++++---
+file changed, 4 insertions(+), 3 deletions(-)
+diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/translate-a64.c
++++ b/target/arm/translate-a64.c
+@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
+ {
+     DisasContext *s = container_of(dcbase, DisasContext, base);
+     CPUARMState *env = cpu->env_ptr;
++    uint64_t pc = s->base.pc_next;
+     uint32_t insn;
+     if (s->ss_active && !s->pstate_ss) {
+@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
+         return;
+     }
+-    s->pc_curr = s->base.pc_next;
+-    insn = arm_ldl_code(env, &s->base, s->base.pc_next, s->sctlr_b);
++    s->pc_curr = pc;
++    insn = arm_ldl_code(env, &s->base, pc, s->sctlr_b);
+     s->insn = insn;
+-    s->base.pc_next += 4;
++    s->base.pc_next = pc + 4;
+     s->fp_access_checked = false;
+     s->sve_access_checked = false;
+--
+.25.1

-[Qemu-devel] [PULL 09/12] cpus.c: ensure running CPU recalculates icount deadlines on timer expiry
+[PULL 10/33] target/arm: Hoist pc_next to a local variable in arm_tr_translate_insn
-When we run in TCG icount mode, we calculate the number of instructions
+From: Richard Henderson <richard.henderson@linaro.org>
 to execute using tcg_get_icount_limit(), which ensures that we stop
 execution at the next timer deadline. However there is a bug where
 currently we do not recalculate that limit if the guest reprograms
 a timer so that the next deadline moves closer, and so we will
 continue execution until the original limit and fire the timer
 later than we should.
-Fix this bug in qemu_timer_notify_cb(): if we are currently running
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-a VCPU in icount mode, we simply need to kick it out of the main
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-loop and back to tcg_cpu_exec(), where it will recalculate the
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-icount limit. If we are not currently running a VCPU, then we
+---
-retain the existing logic for waking up a halted CPU.
+ target/arm/translate.c | 9 +++++----
 file changed, 5 insertions(+), 4 deletions(-)
-Cc: qemu-stable@nongnu.org
+diff --git a/target/arm/translate.c b/target/arm/translate.c
 Fixes: https://bugs.launchpad.net/qemu/+bug/1754038
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Message-id: 20180406123838.21249-1-peter.maydell@linaro.org
 ---
  cpus.c | 10 +++++++++-
 file changed, 9 insertions(+), 1 deletion(-)
 diff --git a/cpus.c b/cpus.c
 index XXXXXXX..XXXXXXX 100644
---- a/cpus.c
+--- a/target/arm/translate.c
-+++ b/cpus.c
++++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ void qemu_timer_notify_cb(void *opaque, QEMUClockType type)
+@@ -XXX,XX +XXX,XX @@ static void arm_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
  {
      DisasContext *dc = container_of(dcbase, DisasContext, base);
      CPUARMState *env = cpu->env_ptr;
 +    uint32_t pc = dc->base.pc_next;
      unsigned int insn;
      if (arm_pre_translate_insn(dc)) {
 -        dc->base.pc_next += 4;
 +        dc->base.pc_next = pc + 4;
          return;
      }
--    if (!qemu_in_vcpu_thread() && first_cpu) {
+-    dc->pc_curr = dc->base.pc_next;
-+    if (qemu_in_vcpu_thread()) {
+-    insn = arm_ldl_code(env, &dc->base, dc->base.pc_next, dc->sctlr_b);
-+        /* A CPU is currently running; kick it back out to the
++    dc->pc_curr = pc;
-+         * tcg_cpu_exec() loop so it will recalculate its
++    insn = arm_ldl_code(env, &dc->base, pc, dc->sctlr_b);
-+         * icount deadline immediately.
+     dc->insn = insn;
-+         */
+-    dc->base.pc_next += 4;
-+        qemu_cpu_kick(current_cpu);
++    dc->base.pc_next = pc + 4;
-+    } else if (first_cpu) {
+     disas_arm_insn(dc, insn);
-         /* qemu_cpu_kick is not enough to kick a halted CPU out of
-          * qemu_tcg_wait_io_event.  async_run_on_cpu, instead,
+     arm_post_translate_insn(dc);
           * causes cpu_thread_is_idle to return false.  This way,
           * handle_icount_deadline can run.
 +         * If we have no CPUs at all for some reason, we don't
 +         * need to do anything.
           */
          async_run_on_cpu(first_cpu, do_nothing, RUN_ON_CPU_NULL);
      }
 --
-.16.2
+.25.1

-[Qemu-devel] [PULL 03/12] target-arm: Check undefined opcodes for SWP in A32 decoder
+[PULL 11/33] target/arm: Hoist pc_next to a local variable in thumb_tr_translate_insn
-From: Onur Sahin <onursahin08@gmail.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-Make sure we are not treating architecturally Undefined instructions
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 as a SWP, by verifying the opcodes as per section A8.8.229 of ARMv7-A
 specification. Bits [21:20] must be zero for this to be a SWP or SWPB.
 We also choose to UNDEF for the architecturally UNPREDICTABLE case of
 bits [11:8] not being zero.
 Signed-off-by: Onur Sahin <onursahin08@gmail.com>
 [PMM: tweaked commit message]
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/translate.c | 9 +++++++--
+ target/arm/translate.c | 16 ++++++++--------
-file changed, 7 insertions(+), 2 deletions(-)
+file changed, 8 insertions(+), 8 deletions(-)
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.c
 +++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
+@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
-                             }
+ {
-                         }
+     DisasContext *dc = container_of(dcbase, DisasContext, base);
-                         tcg_temp_free_i32(addr);
+     CPUARMState *env = cpu->env_ptr;
--                    } else {
++    uint32_t pc = dc->base.pc_next;
-+                    } else if ((insn & 0x00300f00) == 0) {
+     uint32_t insn;
-+                        /* 0bcccc_0001_0x00_xxxx_xxxx_0000_1001_xxxx
+     bool is_16bit;
-+                        *  - SWP, SWPB
-+                        */
+     if (arm_pre_translate_insn(dc)) {
-+
+-        dc->base.pc_next += 2;
-                         TCGv taddr;
++        dc->base.pc_next = pc + 2;
-                         TCGMemOp opc = s->be_data;
+         return;
+     }
--                        /* SWP instruction */
-                         rm = (insn) & 0xf;
+-    dc->pc_curr = dc->base.pc_next;
+-    insn = arm_lduw_code(env, &dc->base, dc->base.pc_next, dc->sctlr_b);
-                         if (insn & (1 << 22)) {
++    dc->pc_curr = pc;
-@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
++    insn = arm_lduw_code(env, &dc->base, pc, dc->sctlr_b);
-                                                 get_mem_index(s), opc);
+     is_16bit = thumb_insn_is_16bit(dc, dc->base.pc_next, insn);
-                         tcg_temp_free(taddr);
+-    dc->base.pc_next += 2;
-                         store_reg(s, rd, tmp);
++    pc += 2;
-+                    } else {
+     if (!is_16bit) {
-+                        goto illegal_op;
+-        uint32_t insn2 = arm_lduw_code(env, &dc->base, dc->base.pc_next,
-                     }
+-                                       dc->sctlr_b);
-                 }
+-
-             } else {
++        uint32_t insn2 = arm_lduw_code(env, &dc->base, pc, dc->sctlr_b);
          insn = insn << 16 | insn2;
 -        dc->base.pc_next += 2;
 +        pc += 2;
      }
 +    dc->base.pc_next = pc;
      dc->insn = insn;
      if (dc->pstate_il) {
 --
-.16.2
+.25.1

-[Qemu-devel] [PULL 12/12] fpu: Fix rounding mode for floatN_to_uintM_round_to_zero
+[PULL 12/33] target/arm: Split arm_pre_translate_insn
 From: Richard Henderson <richard.henderson@linaro.org>
-We incorrectly passed in the current rounding mode
+Create arm_check_ss_active and arm_check_kernelpage.
-instead of float_round_to_zero.
 Reverse the order of the tests.  While it doesn't matter in practice,
 because only user-only has a kernel page and user-only never sets
 ss_active, ss_active has priority over execution exceptions and it
 is best to keep them in the proper order.
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180410055912.934-1-richard.henderson@linaro.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- fpu/softfloat.c | 4 ++--
+ target/arm/translate.c | 10 +++++++---
-file changed, 2 insertions(+), 2 deletions(-)
+file changed, 7 insertions(+), 3 deletions(-)
-diff --git a/fpu/softfloat.c b/fpu/softfloat.c
+diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/fpu/softfloat.c
+--- a/target/arm/translate.c
-+++ b/fpu/softfloat.c
++++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ uint ## isz ## _t float ## fsz ## _to_uint ## isz ## _round_to_zero     \
+@@ -XXX,XX +XXX,XX @@ static void arm_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
-  (float ## fsz a, float_status *s)                                      \
+     dc->insn_start = tcg_last_op();
  {                                                                       \
      FloatParts p = float ## fsz ## _unpack_canonical(a, s);             \
 -    return round_to_uint_and_pack(p, s->float_rounding_mode,            \
 -                                 UINT ## isz ## _MAX, s);               \
 +    return round_to_uint_and_pack(p, float_round_to_zero,               \
 +                                  UINT ## isz ## _MAX, s);              \
  }
- FLOAT_TO_UINT(16, 16)
+-static bool arm_pre_translate_insn(DisasContext *dc)
 +static bool arm_check_kernelpage(DisasContext *dc)
  {
  #ifdef CONFIG_USER_ONLY
      /* Intercept jump to the magic kernel page.  */
@@ -XXX,XX +XXX,XX @@ static bool arm_pre_translate_insn(DisasContext *dc)
          return true;
      }
  #endif
 +    return false;
 +}
 +static bool arm_check_ss_active(DisasContext *dc)
 +{
      if (dc->ss_active && !dc->pstate_ss) {
          /* Singlestep state is Active-pending.
           * If we're in this state at the start of a TB then either
@@ -XXX,XX +XXX,XX @@ static void arm_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
      uint32_t pc = dc->base.pc_next;
      unsigned int insn;
 -    if (arm_pre_translate_insn(dc)) {
 +    if (arm_check_ss_active(dc) || arm_check_kernelpage(dc)) {
          dc->base.pc_next = pc + 4;
          return;
      }
@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
      uint32_t insn;
      bool is_16bit;
 -    if (arm_pre_translate_insn(dc)) {
 +    if (arm_check_ss_active(dc) || arm_check_kernelpage(dc)) {
          dc->base.pc_next = pc + 2;
          return;
      }
 --
-.16.2
+.25.1

-[Qemu-devel] [PULL 06/12] hw/arm/allwinner-a10: Do not use nd_table in instance_init function
+[PULL 13/33] target/arm: Advance pc for arch single-step exception
-From: Thomas Huth <thuth@redhat.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-The instance_init function of a device can be called at any time, even
+The size of the code covered by a TranslationBlock cannot be 0;
-if the device is not going to be used (i.e. not going to be realized).
+this is checked via assert in tb_gen_code.
 So a instance_init function must not do things that could cause QEMU
 to exit, like calling qemu_check_nic_model(&nd_table[0], ...) for example.
 But this is what the instance_init function of the allwinner-a10 device
 is currently doing - and this causes QEMU to quit unexpectedly when
 you run the 'device-list-properties' QMP command for example:
-$ echo "{'execute':'qmp_capabilities'}"\
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
        "{'execute':'device-list-properties',"\
        " 'arguments':{'typename':'allwinner-a10'}}" \
        | arm-softmmu/qemu-system-arm -M mps2-an505,accel=qtest -qmp stdio
 {"QMP": {"version": {"qemu": {"micro": 91, "minor": 11, "major": 2},
  "package": "build-all"}, "capabilities": []}}
 {"return": {}}
 Unsupported NIC model: lan9118
 ... and QEMU quits after printing the last line (which should not happen
 just because of running 'device-list-properties' here).
 And with the cubieboard, this even causes QEMU to abort():
 $ echo "{'execute':'qmp_capabilities'}"\
        "{'execute':'device-list-properties',"\
        " 'arguments':{'typename':'allwinner-a10'}}" \
        | arm-softmmu/qemu-system-arm -M cubieboard,accel=qtest -qmp stdio
 {"QMP": {"version": {"qemu": {"micro": 91, "minor": 11, "major": 2},
  "package": "build-all"}, "capabilities": []}}
 {"return": {}}
 Unexpected error in error_set_from_qdev_prop_error() at hw/core/qdev-properties.c:1095:
 Property 'allwinner-emac.netdev' can't take value 'hub0port0', it's in use
 Aborted (core dumped)
 To fix the problem we've got to move the offending code to the realize
 function instead.
 Signed-off-by: Thomas Huth <thuth@redhat.com>
 Message-id: 1522862420-7484-1-git-send-email-thuth@redhat.com
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/allwinner-a10.c | 12 ++++++------
+ target/arm/translate-a64.c | 1 +
-file changed, 6 insertions(+), 6 deletions(-)
+file changed, 1 insertion(+)
-diff --git a/hw/arm/allwinner-a10.c b/hw/arm/allwinner-a10.c
+diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/allwinner-a10.c
+--- a/target/arm/translate-a64.c
-+++ b/hw/arm/allwinner-a10.c
++++ b/target/arm/translate-a64.c
-@@ -XXX,XX +XXX,XX @@ static void aw_a10_init(Object *obj)
+@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
+         assert(s->base.num_insns == 1);
-     object_initialize(&s->emac, sizeof(s->emac), TYPE_AW_EMAC);
+         gen_swstep_exception(s, 0, 0);
-     qdev_set_parent_bus(DEVICE(&s->emac), sysbus_get_default());
+         s->base.is_jmp = DISAS_NORETURN;
--    /* FIXME use qdev NIC properties instead of nd_table[] */
++        s->base.pc_next = pc + 4;
--    if (nd_table[0].used) {
+         return;
--        qemu_check_nic_model(&nd_table[0], TYPE_AW_EMAC);
+     }
 -        qdev_set_nic_properties(DEVICE(&s->emac), &nd_table[0]);
 -    }
      object_initialize(&s->sata, sizeof(s->sata), TYPE_ALLWINNER_AHCI);
      qdev_set_parent_bus(DEVICE(&s->sata), sysbus_get_default());
@@ -XXX,XX +XXX,XX @@ static void aw_a10_realize(DeviceState *dev, Error **errp)
      sysbus_connect_irq(sysbusdev, 4, s->irq[67]);
      sysbus_connect_irq(sysbusdev, 5, s->irq[68]);
 +    /* FIXME use qdev NIC properties instead of nd_table[] */
 +    if (nd_table[0].used) {
 +        qemu_check_nic_model(&nd_table[0], TYPE_AW_EMAC);
 +        qdev_set_nic_properties(DEVICE(&s->emac), &nd_table[0]);
 +    }
      object_property_set_bool(OBJECT(&s->emac), true, "realized", &err);
      if (err != NULL) {
          error_propagate(errp, err);
@@ -XXX,XX +XXX,XX @@ static void aw_a10_class_init(ObjectClass *oc, void *data)
      DeviceClass *dc = DEVICE_CLASS(oc);
      dc->realize = aw_a10_realize;
 -    /* Reason: Uses serial_hds in realize and nd_table in instance_init */
 +    /* Reason: Uses serial_hds and nd_table in realize function */
      dc->user_creatable = false;
  }
 --
-.16.2
+.25.1

-[Qemu-devel] [PULL 11/12] tcg: Introduce tcg_set_insn_start_param
+[PULL 14/33] target/arm: Split compute_fsr_fsc out of arm_deliver_fault
 From: Richard Henderson <richard.henderson@linaro.org>
-The parameters for tcg_gen_insn_start are target_ulong, which may be split
+We will reuse this section of arm_deliver_fault for
-into two TCGArg parameters for storage in the opcode on 32-bit hosts.
+raising pc alignment faults.
-Fixes the ARM target and its direct use of tcg_set_insn_param, which would
-set the wrong argument in the 64-on-32 case.
-Cc: qemu-stable@nongnu.org
-Reported-by: alarson@ddci.com
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180410003558.2470-1-richard.henderson@linaro.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/translate.h |  2 +-
+ target/arm/tlb_helper.c | 45 +++++++++++++++++++++++++----------------
- tcg/tcg.h              | 10 ++++++++++
+file changed, 28 insertions(+), 17 deletions(-)
 files changed, 11 insertions(+), 1 deletion(-)
-diff --git a/target/arm/translate.h b/target/arm/translate.h
+diff --git a/target/arm/tlb_helper.c b/target/arm/tlb_helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate.h
+--- a/target/arm/tlb_helper.c
-+++ b/target/arm/translate.h
++++ b/target/arm/tlb_helper.c
-@@ -XXX,XX +XXX,XX @@ static inline void disas_set_insn_syndrome(DisasContext *s, uint32_t syn)
+@@ -XXX,XX +XXX,XX @@ static inline uint32_t merge_syn_data_abort(uint32_t template_syn,
+     return syn;
      /* We check and clear insn_start_idx to catch multiple updates.  */
      assert(s->insn_start != NULL);
 -    tcg_set_insn_param(s->insn_start, 2, syn);
 +    tcg_set_insn_start_param(s->insn_start, 2, syn);
      s->insn_start = NULL;
  }
-diff --git a/tcg/tcg.h b/tcg/tcg.h
+-static void QEMU_NORETURN arm_deliver_fault(ARMCPU *cpu, vaddr addr,
-index XXXXXXX..XXXXXXX 100644
+-                                            MMUAccessType access_type,
---- a/tcg/tcg.h
+-                                            int mmu_idx, ARMMMUFaultInfo *fi)
-+++ b/tcg/tcg.h
++static uint32_t compute_fsr_fsc(CPUARMState *env, ARMMMUFaultInfo *fi,
-@@ -XXX,XX +XXX,XX @@ static inline void tcg_set_insn_param(TCGOp *op, int arg, TCGArg v)
++                                int target_el, int mmu_idx, uint32_t *ret_fsc)
-     op->args[arg] = v;
+ {
- }
+-    CPUARMState *env = &cpu->env;
+-    int target_el;
-+static inline void tcg_set_insn_start_param(TCGOp *op, int arg, target_ulong v)
+-    bool same_el;
-+{
+-    uint32_t syn, exc, fsr, fsc;
-+#if TARGET_LONG_BITS <= TCG_TARGET_REG_BITS
+     ARMMMUIdx arm_mmu_idx = core_to_arm_mmu_idx(env, mmu_idx);
-+    tcg_set_insn_param(op, arg, v);
+-
-+#else
+-    target_el = exception_target_el(env);
-+    tcg_set_insn_param(op, arg * 2, v);
+-    if (fi->stage2) {
-+    tcg_set_insn_param(op, arg * 2 + 1, v >> 32);
+-        target_el = 2;
-+#endif
+-        env->cp15.hpfar_el2 = extract64(fi->s2addr, 12, 47) << 4;
 -        if (arm_is_secure_below_el3(env) && fi->s1ns) {
 -            env->cp15.hpfar_el2 |= HPFAR_NS;
 -        }
 -    }
 -    same_el = (arm_current_el(env) == target_el);
 +    uint32_t fsr, fsc;
      if (target_el == 2 || arm_el_is_aa64(env, target_el) ||
          arm_s1_regime_using_lpae_format(env, arm_mmu_idx)) {
@@ -XXX,XX +XXX,XX @@ static void QEMU_NORETURN arm_deliver_fault(ARMCPU *cpu, vaddr addr,
          fsc = 0x3f;
      }
 +    *ret_fsc = fsc;
 +    return fsr;
 +}
 +
- /* The last op that was emitted.  */
++static void QEMU_NORETURN arm_deliver_fault(ARMCPU *cpu, vaddr addr,
- static inline TCGOp *tcg_last_op(void)
++                                            MMUAccessType access_type,
- {
++                                            int mmu_idx, ARMMMUFaultInfo *fi)
 +{
 +    CPUARMState *env = &cpu->env;
 +    int target_el;
 +    bool same_el;
 +    uint32_t syn, exc, fsr, fsc;
 +
 +    target_el = exception_target_el(env);
 +    if (fi->stage2) {
 +        target_el = 2;
 +        env->cp15.hpfar_el2 = extract64(fi->s2addr, 12, 47) << 4;
 +        if (arm_is_secure_below_el3(env) && fi->s1ns) {
 +            env->cp15.hpfar_el2 |= HPFAR_NS;
 +        }
 +    }
 +    same_el = (arm_current_el(env) == target_el);
 +
 +    fsr = compute_fsr_fsc(env, fi, target_el, mmu_idx, &fsc);
 +
      if (access_type == MMU_INST_FETCH) {
          syn = syn_insn_abort(same_el, fi->ea, fi->s1ptw, fsc);
          exc = EXCP_PREFETCH_ABORT;
 --
-.16.2
+.25.1

-[Qemu-devel] [PULL 07/12] hw/arm/fsl-imx: Fix introspection problem with fsl-imx6 and fsl-imx7
+[PULL 15/33] target/arm: Take an exception if PC is misaligned
-From: Thomas Huth <thuth@redhat.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-QEMU currently exits unexpectedly when trying to introspect the fsl-imx6
+For A64, any input to an indirect branch can cause this.
-and fsl-imx7 devices on systems with many SMP CPUs:
+For A32, many indirect branch paths force the branch to be aligned,
-$ echo "{'execute':'qmp_capabilities'}"\
+but BXWritePC does not.  This includes the BX instruction but also
-       "{'execute':'device-list-properties',"\
+other interworking changes to PC.  Prior to v8, this case is UNDEFINED.
-       " 'arguments':{'typename':'fsl,imx6'}}" \
+With v8, this is CONSTRAINED UNPREDICTABLE and may either raise an
-       | arm-softmmu/qemu-system-arm -M virt,accel=qtest -qmp stdio -smp 8
+exception or force align the PC.
-{"QMP": {"version": {"qemu": {"micro": 91, "minor": 11, "major": 2},
- "package": "build-all"}, "capabilities": []}}
+We choose to raise an exception because we have the infrastructure,
-{"return": {}}
+it makes the generated code for gen_bx simpler, and it has the
-fsl,imx6: Only 4 CPUs are supported (8 requested)
+possibility of catching more guest bugs.
-And:
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 $ echo "{'execute':'qmp_capabilities'}"\
        "{'execute':'device-list-properties',"\
        " 'arguments':{'typename':'fsl,imx7'}}" \
        | arm-softmmu/qemu-system-arm -M raspi2,accel=qtest -qmp stdio
 {"QMP": {"version": {"qemu": {"micro": 91, "minor": 11, "major": 2},
  "package": "build-all"}, "capabilities": []}}
 {"return": {}}
 fsl,imx7: Only 2 CPUs are supported (4 requested)
 This happens because these devices are doing an exit() from their
 instance_init function - which should never be done since instance_init
 can be called at any time for device introspection! Fix it by moving
 the deadly check into the realize() function instead.
 Signed-off-by: Thomas Huth <thuth@redhat.com>
 Message-id: 1522908551-14885-1-git-send-email-thuth@redhat.com
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/fsl-imx6.c | 14 +++++++-------
+ target/arm/helper.h           |  1 +
- hw/arm/fsl-imx7.c | 13 +++++++------
+ target/arm/syndrome.h         |  5 ++++
-files changed, 14 insertions(+), 13 deletions(-)
+ linux-user/aarch64/cpu_loop.c | 46 ++++++++++++++++++++---------------
+ target/arm/tlb_helper.c       | 18 ++++++++++++++
-diff --git a/hw/arm/fsl-imx6.c b/hw/arm/fsl-imx6.c
+ target/arm/translate-a64.c    | 15 ++++++++++++
-index XXXXXXX..XXXXXXX 100644
+ target/arm/translate.c        | 22 ++++++++++++++++-
---- a/hw/arm/fsl-imx6.c
+files changed, 87 insertions(+), 20 deletions(-)
-+++ b/hw/arm/fsl-imx6.c
-@@ -XXX,XX +XXX,XX @@ static void fsl_imx6_init(Object *obj)
+diff --git a/target/arm/helper.h b/target/arm/helper.h
-     char name[NAME_SIZE];
+index XXXXXXX..XXXXXXX 100644
-     int i;
+--- a/target/arm/helper.h
++++ b/target/arm/helper.h
--    if (smp_cpus > FSL_IMX6_NUM_CPUS) {
+@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_3(sel_flags, TCG_CALL_NO_RWG_SE,
--        error_report("%s: Only %d CPUs are supported (%d requested)",
+ DEF_HELPER_2(exception_internal, void, env, i32)
--                     TYPE_FSL_IMX6, FSL_IMX6_NUM_CPUS, smp_cpus);
+ DEF_HELPER_4(exception_with_syndrome, void, env, i32, i32, i32)
--        exit(1);
+ DEF_HELPER_2(exception_bkpt_insn, void, env, i32)
--    }
++DEF_HELPER_2(exception_pc_alignment, noreturn, env, tl)
  DEF_HELPER_1(setend, void, env)
  DEF_HELPER_2(wfi, void, env, i32)
  DEF_HELPER_1(wfe, void, env)
 diff --git a/target/arm/syndrome.h b/target/arm/syndrome.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/syndrome.h
 +++ b/target/arm/syndrome.h
@@ -XXX,XX +XXX,XX @@ static inline uint32_t syn_illegalstate(void)
      return (EC_ILLEGALSTATE << ARM_EL_EC_SHIFT) | ARM_EL_IL;
  }
 +static inline uint32_t syn_pcalignment(void)
 +{
 +    return (EC_PCALIGNMENT << ARM_EL_EC_SHIFT) | ARM_EL_IL;
 +}
 +
  #endif /* TARGET_ARM_SYNDROME_H */
 diff --git a/linux-user/aarch64/cpu_loop.c b/linux-user/aarch64/cpu_loop.c
 index XXXXXXX..XXXXXXX 100644
 --- a/linux-user/aarch64/cpu_loop.c
 +++ b/linux-user/aarch64/cpu_loop.c
@@ -XXX,XX +XXX,XX @@ void cpu_loop(CPUARMState *env)
              break;
          case EXCP_PREFETCH_ABORT:
          case EXCP_DATA_ABORT:
 -            /* We should only arrive here with EC in {DATAABORT, INSNABORT}. */
              ec = syn_get_ec(env->exception.syndrome);
 -            assert(ec == EC_DATAABORT || ec == EC_INSNABORT);
 -
--    for (i = 0; i < smp_cpus; i++) {
+-            /* Both EC have the same format for FSC, or close enough. */
-+    for (i = 0; i < MIN(smp_cpus, FSL_IMX6_NUM_CPUS); i++) {
+-            fsc = extract32(env->exception.syndrome, 0, 6);
-         object_initialize(&s->cpu[i], sizeof(s->cpu[i]),
+-            switch (fsc) {
-                           "cortex-a9-" TYPE_ARM_CPU);
+-            case 0x04 ... 0x07: /* Translation fault, level {0-3} */
-         snprintf(name, NAME_SIZE, "cpu%d", i);
+-                si_signo = TARGET_SIGSEGV;
-@@ -XXX,XX +XXX,XX @@ static void fsl_imx6_realize(DeviceState *dev, Error **errp)
+-                si_code = TARGET_SEGV_MAPERR;
-     uint16_t i;
++            switch (ec) {
-     Error *err = NULL;
++            case EC_DATAABORT:
++            case EC_INSNABORT:
-+    if (smp_cpus > FSL_IMX6_NUM_CPUS) {
++                /* Both EC have the same format for FSC, or close enough. */
-+        error_setg(errp, "%s: Only %d CPUs are supported (%d requested)",
++                fsc = extract32(env->exception.syndrome, 0, 6);
-+                   TYPE_FSL_IMX6, FSL_IMX6_NUM_CPUS, smp_cpus);
++                switch (fsc) {
 +                case 0x04 ... 0x07: /* Translation fault, level {0-3} */
 +                    si_signo = TARGET_SIGSEGV;
 +                    si_code = TARGET_SEGV_MAPERR;
 +                    break;
 +                case 0x09 ... 0x0b: /* Access flag fault, level {1-3} */
 +                case 0x0d ... 0x0f: /* Permission fault, level {1-3} */
 +                    si_signo = TARGET_SIGSEGV;
 +                    si_code = TARGET_SEGV_ACCERR;
 +                    break;
 +                case 0x11: /* Synchronous Tag Check Fault */
 +                    si_signo = TARGET_SIGSEGV;
 +                    si_code = TARGET_SEGV_MTESERR;
 +                    break;
 +                case 0x21: /* Alignment fault */
 +                    si_signo = TARGET_SIGBUS;
 +                    si_code = TARGET_BUS_ADRALN;
 +                    break;
 +                default:
 +                    g_assert_not_reached();
 +                }
                  break;
 -            case 0x09 ... 0x0b: /* Access flag fault, level {1-3} */
 -            case 0x0d ... 0x0f: /* Permission fault, level {1-3} */
 -                si_signo = TARGET_SIGSEGV;
 -                si_code = TARGET_SEGV_ACCERR;
 -                break;
 -            case 0x11: /* Synchronous Tag Check Fault */
 -                si_signo = TARGET_SIGSEGV;
 -                si_code = TARGET_SEGV_MTESERR;
 -                break;
 -            case 0x21: /* Alignment fault */
 +            case EC_PCALIGNMENT:
                  si_signo = TARGET_SIGBUS;
                  si_code = TARGET_BUS_ADRALN;
                  break;
 diff --git a/target/arm/tlb_helper.c b/target/arm/tlb_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/tlb_helper.c
 +++ b/target/arm/tlb_helper.c
@@ -XXX,XX +XXX,XX @@
  #include "cpu.h"
  #include "internals.h"
  #include "exec/exec-all.h"
 +#include "exec/helper-proto.h"
  static inline uint32_t merge_syn_data_abort(uint32_t template_syn,
                                              unsigned int target_el,
@@ -XXX,XX +XXX,XX @@ void arm_cpu_do_unaligned_access(CPUState *cs, vaddr vaddr,
      arm_deliver_fault(cpu, vaddr, access_type, mmu_idx, &fi);
  }
 +void helper_exception_pc_alignment(CPUARMState *env, target_ulong pc)
 +{
 +    ARMMMUFaultInfo fi = { .type = ARMFault_Alignment };
 +    int target_el = exception_target_el(env);
 +    int mmu_idx = cpu_mmu_index(env, true);
 +    uint32_t fsc;
 +
 +    env->exception.vaddress = pc;
 +
 +    /*
 +     * Note that the fsc is not applicable to this exception,
 +     * since any syndrome is pcalignment not insn_abort.
 +     */
 +    env->exception.fsr = compute_fsr_fsc(env, &fi, target_el, mmu_idx, &fsc);
 +    raise_exception(env, EXCP_PREFETCH_ABORT, syn_pcalignment(), target_el);
 +}
 +
  #if !defined(CONFIG_USER_ONLY)
  /*
 diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-a64.c
 +++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
      uint64_t pc = s->base.pc_next;
      uint32_t insn;
 +    /* Singlestep exceptions have the highest priority. */
      if (s->ss_active && !s->pstate_ss) {
          /* Singlestep state is Active-pending.
           * If we're in this state at the start of a TB then either
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
          return;
      }
 +    if (pc & 3) {
 +        /*
 +         * PC alignment fault.  This has priority over the instruction abort
 +         * that we would receive from a translation fault via arm_ldl_code.
 +         * This should only be possible after an indirect branch, at the
 +         * start of the TB.
 +         */
 +        assert(s->base.num_insns == 1);
 +        gen_helper_exception_pc_alignment(cpu_env, tcg_constant_tl(pc));
 +        s->base.is_jmp = DISAS_NORETURN;
 +        s->base.pc_next = QEMU_ALIGN_UP(pc, 4);
 +        return;
 +    }
 +
-     for (i = 0; i < smp_cpus; i++) {
+     s->pc_curr = pc;
+     insn = arm_ldl_code(env, &s->base, pc, s->sctlr_b);
-         /* On uniprocessor, the CBAR is set to 0 */
+     s->insn = insn;
-diff --git a/hw/arm/fsl-imx7.c b/hw/arm/fsl-imx7.c
+diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/fsl-imx7.c
+--- a/target/arm/translate.c
-+++ b/hw/arm/fsl-imx7.c
++++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ static void fsl_imx7_init(Object *obj)
+@@ -XXX,XX +XXX,XX @@ static void arm_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
-     char name[NAME_SIZE];
+     uint32_t pc = dc->base.pc_next;
-     int i;
+     unsigned int insn;
--    if (smp_cpus > FSL_IMX7_NUM_CPUS) {
+-    if (arm_check_ss_active(dc) || arm_check_kernelpage(dc)) {
--        error_report("%s: Only %d CPUs are supported (%d requested)",
++    /* Singlestep exceptions have the highest priority. */
--                     TYPE_FSL_IMX7, FSL_IMX7_NUM_CPUS, smp_cpus);
++    if (arm_check_ss_active(dc)) {
--        exit(1);
++        dc->base.pc_next = pc + 4;
 -    }
 -    for (i = 0; i < smp_cpus; i++) {
 +    for (i = 0; i < MIN(smp_cpus, FSL_IMX7_NUM_CPUS); i++) {
          object_initialize(&s->cpu[i], sizeof(s->cpu[i]),
                            ARM_CPU_TYPE_NAME("cortex-a7"));
          snprintf(name, NAME_SIZE, "cpu%d", i);
@@ -XXX,XX +XXX,XX @@ static void fsl_imx7_realize(DeviceState *dev, Error **errp)
      qemu_irq irq;
      char name[NAME_SIZE];
 +    if (smp_cpus > FSL_IMX7_NUM_CPUS) {
 +        error_setg(errp, "%s: Only %d CPUs are supported (%d requested)",
 +                   TYPE_FSL_IMX7, FSL_IMX7_NUM_CPUS, smp_cpus);
 +        return;
 +    }
 +
-     for (i = 0; i < smp_cpus; i++) {
++    if (pc & 3) {
-         o = OBJECT(&s->cpu[i]);
++        /*
++         * PC alignment fault.  This has priority over the instruction abort
 +         * that we would receive from a translation fault via arm_ldl_code
 +         * (or the execution of the kernelpage entrypoint). This should only
 +         * be possible after an indirect branch, at the start of the TB.
 +         */
 +        assert(dc->base.num_insns == 1);
 +        gen_helper_exception_pc_alignment(cpu_env, tcg_constant_tl(pc));
 +        dc->base.is_jmp = DISAS_NORETURN;
 +        dc->base.pc_next = QEMU_ALIGN_UP(pc, 4);
 +        return;
 +    }
 +
 +    if (arm_check_kernelpage(dc)) {
          dc->base.pc_next = pc + 4;
          return;
      }
 --
-.16.2
+.25.1

-New patch
+[PULL 16/33] target/arm: Assert thumb pc is aligned
+From: Richard Henderson <richard.henderson@linaro.org>
+Misaligned thumb PC is architecturally impossible.
+Assert is better than proceeding, in case we've missed
+something somewhere.
+Expand a comment about aligning the pc in gdbstub.
+Fail an incoming migrate if a thumb pc is misaligned.
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/gdbstub.c   |  9 +++++++--
+ target/arm/machine.c   | 10 ++++++++++
+ target/arm/translate.c |  3 +++
+files changed, 20 insertions(+), 2 deletions(-)
+diff --git a/target/arm/gdbstub.c b/target/arm/gdbstub.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/gdbstub.c
++++ b/target/arm/gdbstub.c
+@@ -XXX,XX +XXX,XX @@ int arm_cpu_gdb_write_register(CPUState *cs, uint8_t *mem_buf, int n)
+     tmp = ldl_p(mem_buf);
+-    /* Mask out low bit of PC to workaround gdb bugs.  This will probably
+-       cause problems if we ever implement the Jazelle DBX extensions.  */
++    /*
++     * Mask out low bits of PC to workaround gdb bugs.
++     * This avoids an assert in thumb_tr_translate_insn, because it is
++     * architecturally impossible to misalign the pc.
++     * This will probably cause problems if we ever implement the
++     * Jazelle DBX extensions.
++     */
+     if (n == 15) {
+         tmp &= ~1;
+     }
+diff --git a/target/arm/machine.c b/target/arm/machine.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/machine.c
++++ b/target/arm/machine.c
+@@ -XXX,XX +XXX,XX @@ static int cpu_post_load(void *opaque, int version_id)
+             return -1;
+         }
+     }
++
++    /*
++     * Misaligned thumb pc is architecturally impossible.
++     * We have an assert in thumb_tr_translate_insn to verify this.
++     * Fail an incoming migrate to avoid this assert.
++     */
++    if (!is_a64(env) && env->thumb && (env->regs[15] & 1)) {
++        return -1;
++    }
++
+     if (!kvm_enabled()) {
+         pmu_op_finish(&cpu->env);
+     }
+diff --git a/target/arm/translate.c b/target/arm/translate.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/translate.c
++++ b/target/arm/translate.c
+@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
+     uint32_t insn;
+     bool is_16bit;
++    /* Misaligned thumb PC is architecturally impossible. */
++    assert((dc->base.pc_next & 1) == 0);
++
+     if (arm_check_ss_active(dc) || arm_check_kernelpage(dc)) {
+         dc->base.pc_next = pc + 2;
+         return;
+--
+.25.1

-New patch
+[PULL 17/33] target/arm: Suppress bp for exceptions with more priority
+From: Richard Henderson <richard.henderson@linaro.org>
+Both single-step and pc alignment faults have priority over
+breakpoint exceptions.
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/debug_helper.c | 23 +++++++++++++++++++++++
+file changed, 23 insertions(+)
+diff --git a/target/arm/debug_helper.c b/target/arm/debug_helper.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/debug_helper.c
++++ b/target/arm/debug_helper.c
+@@ -XXX,XX +XXX,XX @@ bool arm_debug_check_breakpoint(CPUState *cs)
+ {
+     ARMCPU *cpu = ARM_CPU(cs);
+     CPUARMState *env = &cpu->env;
++    target_ulong pc;
+     int n;
+     /*
+@@ -XXX,XX +XXX,XX @@ bool arm_debug_check_breakpoint(CPUState *cs)
+         return false;
+     }
++    /*
++     * Single-step exceptions have priority over breakpoint exceptions.
++     * If single-step state is active-pending, suppress the bp.
++     */
++    if (arm_singlestep_active(env) && !(env->pstate & PSTATE_SS)) {
++        return false;
++    }
++
++    /*
++     * PC alignment faults have priority over breakpoint exceptions.
++     */
++    pc = is_a64(env) ? env->pc : env->regs[15];
++    if ((is_a64(env) || !env->thumb) && (pc & 3) != 0) {
++        return false;
++    }
++
++    /*
++     * Instruction aborts have priority over breakpoint exceptions.
++     * TODO: We would need to look up the page for PC and verify that
++     * it is present and executable.
++     */
++
+     for (n = 0; n < ARRAY_SIZE(env->cpu_breakpoint); n++) {
+         if (bp_wp_matches(cpu, n, false)) {
+             return true;
+--
+.25.1

-New patch
+[PULL 18/33] tests/tcg: Add arm and aarch64 pc alignment tests
+From: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ tests/tcg/aarch64/pcalign-a64.c   | 37 +++++++++++++++++++++++++
+ tests/tcg/arm/pcalign-a32.c       | 46 +++++++++++++++++++++++++++++++
+ tests/tcg/aarch64/Makefile.target |  4 +--
+ tests/tcg/arm/Makefile.target     |  4 +++
+files changed, 89 insertions(+), 2 deletions(-)
+ create mode 100644 tests/tcg/aarch64/pcalign-a64.c
+ create mode 100644 tests/tcg/arm/pcalign-a32.c
+diff --git a/tests/tcg/aarch64/pcalign-a64.c b/tests/tcg/aarch64/pcalign-a64.c
+new file mode 100644
+index XXXXXXX..XXXXXXX
+--- /dev/null
++++ b/tests/tcg/aarch64/pcalign-a64.c
+@@ -XXX,XX +XXX,XX @@
++/* Test PC misalignment exception */
++
++#include <assert.h>
++#include <signal.h>
++#include <stdlib.h>
++#include <stdio.h>
++
++static void *expected;
++
++static void sigbus(int sig, siginfo_t *info, void *vuc)
++{
++    assert(info->si_code == BUS_ADRALN);
++    assert(info->si_addr == expected);
++    exit(EXIT_SUCCESS);
++}
++
++int main()
++{
++    void *tmp;
++
++    struct sigaction sa = {
++        .sa_sigaction = sigbus,
++        .sa_flags = SA_SIGINFO
++    };
++
++    if (sigaction(SIGBUS, &sa, NULL) < 0) {
++        perror("sigaction");
++        return EXIT_FAILURE;
++    }
++
++    asm volatile("adr %0, 1f + 1\n\t"
++                 "str %0, %1\n\t"
++                 "br  %0\n"
++                 "1:"
++                 : "=&r"(tmp), "=m"(expected));
++    abort();
++}
+diff --git a/tests/tcg/arm/pcalign-a32.c b/tests/tcg/arm/pcalign-a32.c
+new file mode 100644
+index XXXXXXX..XXXXXXX
+--- /dev/null
++++ b/tests/tcg/arm/pcalign-a32.c
+@@ -XXX,XX +XXX,XX @@
++/* Test PC misalignment exception */
++
++#ifdef __thumb__
++#error "This test must be compiled for ARM"
++#endif
++
++#include <assert.h>
++#include <signal.h>
++#include <stdlib.h>
++#include <stdio.h>
++
++static void *expected;
++
++static void sigbus(int sig, siginfo_t *info, void *vuc)
++{
++    assert(info->si_code == BUS_ADRALN);
++    assert(info->si_addr == expected);
++    exit(EXIT_SUCCESS);
++}
++
++int main()
++{
++    void *tmp;
++
++    struct sigaction sa = {
++        .sa_sigaction = sigbus,
++        .sa_flags = SA_SIGINFO
++    };
++
++    if (sigaction(SIGBUS, &sa, NULL) < 0) {
++        perror("sigaction");
++        return EXIT_FAILURE;
++    }
++
++    asm volatile("adr %0, 1f + 2\n\t"
++                 "str %0, %1\n\t"
++                 "bx  %0\n"
++                 "1:"
++                 : "=&r"(tmp), "=m"(expected));
++
++    /*
++     * From v8, it is CONSTRAINED UNPREDICTABLE whether BXWritePC aligns
++     * the address or not.  If so, we can legitimately fall through.
++     */
++    return EXIT_SUCCESS;
++}
+diff --git a/tests/tcg/aarch64/Makefile.target b/tests/tcg/aarch64/Makefile.target
+index XXXXXXX..XXXXXXX 100644
+--- a/tests/tcg/aarch64/Makefile.target
++++ b/tests/tcg/aarch64/Makefile.target
+@@ -XXX,XX +XXX,XX @@ VPATH         += $(ARM_SRC)
+ AARCH64_SRC=$(SRC_PATH)/tests/tcg/aarch64
+ VPATH         += $(AARCH64_SRC)
+-# Float-convert Tests
+-AARCH64_TESTS=fcvt
++# Base architecture tests
++AARCH64_TESTS=fcvt pcalign-a64
+ fcvt: LDFLAGS+=-lm
+diff --git a/tests/tcg/arm/Makefile.target b/tests/tcg/arm/Makefile.target
+index XXXXXXX..XXXXXXX 100644
+--- a/tests/tcg/arm/Makefile.target
++++ b/tests/tcg/arm/Makefile.target
+@@ -XXX,XX +XXX,XX @@ run-fcvt: fcvt
+     $(call run-test,fcvt,$(QEMU) $<,"$< on $(TARGET_NAME)")
+     $(call diff-out,fcvt,$(ARM_SRC)/fcvt.ref)
++# PC alignment test
++ARM_TESTS += pcalign-a32
++pcalign-a32: CFLAGS+=-marm
++
+ ifeq ($(CONFIG_ARM_COMPATIBLE_SEMIHOSTING),y)
+ # Semihosting smoke test for linux-user
+--
+.25.1

-New patch
+[PULL 19/33] target/i386: Use assert() to sanity-check b1 in SSE decode
+In the SSE decode function gen_sse(), we combine a byte
+'b' and a value 'b1' which can be [0..3], and switch on them:
+   b |= (b1 << 8);
+   switch (b) {
+   ...
+   default:
+   unknown_op:
+       gen_unknown_opcode(env, s);
+       return;
+   }
+In three cases inside this switch, we were then also checking for
+ "if (b1 >= 2) { goto unknown_op; }".
+However, this can never happen, because the 'case' values in each place
+are 0x0nn or 0x1nn and the switch will have directed the b1 == (2, 3)
+cases to the default already.
+This check was added in commit c045af25a52e9 in 2010; the added code
+was unnecessary then as well, and was apparently intended only to
+ensure that we never accidentally ended up indexing off the end
+of an sse_op_table with only 2 entries as a result of future bugs
+in the decode logic.
+Change the checks to assert() instead, and make sure they're always
+immediately before the array access they are protecting.
+Fixes: Coverity CID 1460207
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ target/i386/tcg/translate.c | 12 +++---------
+file changed, 3 insertions(+), 9 deletions(-)
+diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/i386/tcg/translate.c
++++ b/target/i386/tcg/translate.c
+@@ -XXX,XX +XXX,XX @@ static void gen_sse(CPUX86State *env, DisasContext *s, int b,
+         case 0x171: /* shift xmm, im */
+         case 0x172:
+         case 0x173:
+-            if (b1 >= 2) {
+-                goto unknown_op;
+-            }
+             val = x86_ldub_code(env, s);
+             if (is_xmm) {
+                 tcg_gen_movi_tl(s->T0, val);
+@@ -XXX,XX +XXX,XX @@ static void gen_sse(CPUX86State *env, DisasContext *s, int b,
+                                 offsetof(CPUX86State, mmx_t0.MMX_L(1)));
+                 op1_offset = offsetof(CPUX86State,mmx_t0);
+             }
++            assert(b1 < 2);
+             sse_fn_epp = sse_op_table2[((b - 1) & 3) * 8 +
+                                        (((modrm >> 3)) & 7)][b1];
+             if (!sse_fn_epp) {
+@@ -XXX,XX +XXX,XX @@ static void gen_sse(CPUX86State *env, DisasContext *s, int b,
+             rm = modrm & 7;
+             reg = ((modrm >> 3) & 7) | REX_R(s);
+             mod = (modrm >> 6) & 3;
+-            if (b1 >= 2) {
+-                goto unknown_op;
+-            }
++            assert(b1 < 2);
+             sse_fn_epp = sse_op_table6[b].op[b1];
+             if (!sse_fn_epp) {
+                 goto unknown_op;
+@@ -XXX,XX +XXX,XX @@ static void gen_sse(CPUX86State *env, DisasContext *s, int b,
+             rm = modrm & 7;
+             reg = ((modrm >> 3) & 7) | REX_R(s);
+             mod = (modrm >> 6) & 3;
+-            if (b1 >= 2) {
+-                goto unknown_op;
+-            }
++            assert(b1 < 2);
+             sse_fn_eppi = sse_op_table7[b].op[b1];
+             if (!sse_fn_eppi) {
+                 goto unknown_op;
+--
+.25.1

-New patch
+[PULL 20/33] include/hw/i386: Don't include qemu-common.h in .h files
+The qemu-common.h header is not supposed to be included from any
+other header files, only from .c files (as documented in a comment at
+the start of it).
+include/hw/i386/x86.h and include/hw/i386/microvm.h break this rule.
+In fact, the include is not required at all, so we can just drop it
+from both files.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Message-id: 20211129200510.1233037-2-peter.maydell@linaro.org
+---
+ include/hw/i386/microvm.h | 1 -
+ include/hw/i386/x86.h     | 1 -
+files changed, 2 deletions(-)
+diff --git a/include/hw/i386/microvm.h b/include/hw/i386/microvm.h
+index XXXXXXX..XXXXXXX 100644
+--- a/include/hw/i386/microvm.h
++++ b/include/hw/i386/microvm.h
+@@ -XXX,XX +XXX,XX @@
+ #ifndef HW_I386_MICROVM_H
+ #define HW_I386_MICROVM_H
+-#include "qemu-common.h"
+ #include "exec/hwaddr.h"
+ #include "qemu/notify.h"
+diff --git a/include/hw/i386/x86.h b/include/hw/i386/x86.h
+index XXXXXXX..XXXXXXX 100644
+--- a/include/hw/i386/x86.h
++++ b/include/hw/i386/x86.h
+@@ -XXX,XX +XXX,XX @@
+ #ifndef HW_I386_X86_H
+ #define HW_I386_X86_H
+-#include "qemu-common.h"
+ #include "exec/hwaddr.h"
+ #include "qemu/notify.h"
+--
+.25.1

-New patch
+[PULL 21/33] target/hexagon/cpu.h: don't include qemu-common.h
+The qemu-common.h header is not supposed to be included from any
+other header files, only from .c files (as documented in a comment at
+the start of it).
+Move the include to linux-user/hexagon/cpu_loop.c, which needs it for
+the declaration of cpu_exec_step_atomic().
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Taylor Simpson <tsimpson@quicinc.com>
+Message-id: 20211129200510.1233037-3-peter.maydell@linaro.org
+---
+ target/hexagon/cpu.h          | 1 -
+ linux-user/hexagon/cpu_loop.c | 1 +
+files changed, 1 insertion(+), 1 deletion(-)
+diff --git a/target/hexagon/cpu.h b/target/hexagon/cpu.h
+index XXXXXXX..XXXXXXX 100644
+--- a/target/hexagon/cpu.h
++++ b/target/hexagon/cpu.h
+@@ -XXX,XX +XXX,XX @@ typedef struct CPUHexagonState CPUHexagonState;
+ #include "fpu/softfloat-types.h"
+-#include "qemu-common.h"
+ #include "exec/cpu-defs.h"
+ #include "hex_regs.h"
+ #include "mmvec/mmvec.h"
+diff --git a/linux-user/hexagon/cpu_loop.c b/linux-user/hexagon/cpu_loop.c
+index XXXXXXX..XXXXXXX 100644
+--- a/linux-user/hexagon/cpu_loop.c
++++ b/linux-user/hexagon/cpu_loop.c
+@@ -XXX,XX +XXX,XX @@
+  */
+ #include "qemu/osdep.h"
++#include "qemu-common.h"
+ #include "qemu.h"
+ #include "user-internals.h"
+ #include "cpu_loop-common.h"
+--
+.25.1

-[Qemu-devel] [PULL 05/12] hw/sd/bcm2835_sdhost: Don't raise spurious interrupts
+[PULL 22/33] target/rx/cpu.h: Don't include qemu-common.h
-The Linux bcm2835_sdhost driver doesn't work on QEMU, because our
+The qemu-common.h header is not supposed to be included from any
-model raises spurious data interrupts.  Our function
+other header files, only from .c files (as documented in a comment at
-bcm2835_sdhost_fifo_run() will flag an interrupt any time it is
+the start of it).
 called with s->datacnt == 0, even if the host hasn't actually issued
 a data read or write command yet.  This means that the driver gets a
 spurious data interrupt as soon as it enables IRQs and then does
 something else that causes us to call the fifo_run routine, like
 writing to SDHCFG, and before it does the write to SDCMD to issue the
 read.  The driver's IRQ handler then spins forever complaining that
 there's no data and the SD controller isn't in a state where there's
 going to be any data:
-[   41.040738] sdhost-bcm2835 3f202000.mmc: fsm 1, hsts 00000000
+Nothing actually relies on target/rx/cpu.h including it, so we can
-[   41.042059] sdhost-bcm2835 3f202000.mmc: fsm 1, hsts 00000000
+just drop the include.
 (continues forever).
 Move the interrupt flag setting to more plausible places:
  * for BUSY, raise this as soon as a BUSYWAIT command has executed
  * for DATA, raise this when the FIFO has any space free (for a write)
    or any data in it (for a read)
  * for BLOCK, raise this when the data count is 0 and we've
    actually done some reading or writing
 This is pure guesswork since the documentation for this hardware is
 not public, but it is sufficient to get the Linux bcm2835_sdhost
 driver to work.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Tested-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Taylor Simpson <tsimpson@quicinc.com>
-Message-id: 20180319161556.16446-3-peter.maydell@linaro.org
+Reviewed-by: Yoshinori Sato <ysato@users.sourceforge.jp>
 Message-id: 20211129200510.1233037-4-peter.maydell@linaro.org
 ---
- hw/sd/bcm2835_sdhost.c | 46 ++++++++++++++++++++++++++--------------------
+ target/rx/cpu.h | 1 -
-file changed, 26 insertions(+), 20 deletions(-)
+file changed, 1 deletion(-)
-diff --git a/hw/sd/bcm2835_sdhost.c b/hw/sd/bcm2835_sdhost.c
+diff --git a/target/rx/cpu.h b/target/rx/cpu.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/sd/bcm2835_sdhost.c
+--- a/target/rx/cpu.h
-+++ b/hw/sd/bcm2835_sdhost.c
++++ b/target/rx/cpu.h
-@@ -XXX,XX +XXX,XX @@ static void bcm2835_sdhost_send_command(BCM2835SDHostState *s)
+@@ -XXX,XX +XXX,XX @@
-         }
+ #define RX_CPU_H
- #undef RWORD
-     }
+ #include "qemu/bitops.h"
-+    /* We never really delay commands, so if this was a 'busywait' command
+-#include "qemu-common.h"
-+     * then we've completed it now and can raise the interrupt.
+ #include "hw/registerfields.h"
-+     */
+ #include "cpu-qom.h"
-+    if ((s->cmd & SDCMD_BUSYWAIT) && (s->config & SDHCFG_BUSY_IRPT_EN)) {
 +        s->status |= SDHSTS_BUSY_IRPT;
 +    }
      return;
  error:
@@ -XXX,XX +XXX,XX @@ static void bcm2835_sdhost_fifo_run(BCM2835SDHostState *s)
                  n++;
                  if (n == 4) {
                      bcm2835_sdhost_fifo_push(s, value);
 +                    s->status |= SDHSTS_DATA_FLAG;
 +                    if (s->config & SDHCFG_DATA_IRPT_EN) {
 +                        s->status |= SDHSTS_SDIO_IRPT;
 +                    }
                      n = 0;
                      value = 0;
                  }
              }
              if (n != 0) {
                  bcm2835_sdhost_fifo_push(s, value);
 +                s->status |= SDHSTS_DATA_FLAG;
              }
          } else { /* write */
              n = 0;
              while (s->datacnt > 0 && (s->fifo_len > 0 || n > 0)) {
                  if (n == 0) {
                      value = bcm2835_sdhost_fifo_pop(s);
 +                    s->status |= SDHSTS_DATA_FLAG;
 +                    if (s->config & SDHCFG_DATA_IRPT_EN) {
 +                        s->status |= SDHSTS_SDIO_IRPT;
 +                    }
                      n = 4;
                  }
                  n--;
@@ -XXX,XX +XXX,XX @@ static void bcm2835_sdhost_fifo_run(BCM2835SDHostState *s)
                  value >>= 8;
              }
          }
 +        if (s->datacnt == 0) {
 +            s->edm &= ~SDEDM_FSM_MASK;
 +            s->edm |= SDEDM_FSM_DATAMODE;
 +            trace_bcm2835_sdhost_edm_change("datacnt 0", s->edm);
 +
 +            if ((s->cmd & SDCMD_WRITE_CMD) &&
 +                (s->config & SDHCFG_BLOCK_IRPT_EN)) {
 +                s->status |= SDHSTS_BLOCK_IRPT;
 +            }
 +        }
      }
 -    if (s->datacnt == 0) {
 -        s->status |= SDHSTS_DATA_FLAG;
 -        s->edm &= ~0xf;
 -        s->edm |= SDEDM_FSM_DATAMODE;
 -        trace_bcm2835_sdhost_edm_change("datacnt 0", s->edm);
 -
 -        if (s->config & SDHCFG_DATA_IRPT_EN) {
 -            s->status |= SDHSTS_SDIO_IRPT;
 -        }
 -
 -        if ((s->cmd & SDCMD_BUSYWAIT) && (s->config & SDHCFG_BUSY_IRPT_EN)) {
 -            s->status |= SDHSTS_BUSY_IRPT;
 -        }
 -
 -        if ((s->cmd & SDCMD_WRITE_CMD) && (s->config & SDHCFG_BLOCK_IRPT_EN)) {
 -            s->status |= SDHSTS_BLOCK_IRPT;
 -        }
 -
 -        bcm2835_sdhost_update_irq(s);
 -    }
 +    bcm2835_sdhost_update_irq(s);
      s->edm &= ~(0x1f << 4);
      s->edm |= ((s->fifo_len & 0x1f) << 4);
 --
-.16.2
+.25.1

-[Qemu-devel] [PULL 01/12] hw/arm: Allow manually specified /psci node
+[PULL 23/33] hw/arm: Don't include qemu-common.h unnecessarily
-From: Andrey Smirnov <andrew.smirnov@gmail.com>
+A lot of C files in hw/arm include qemu-common.h when they don't
 need anything from it. Drop the include lines.
-Change the code to avoid exiting QEMU if user provided DTB contains
+omap1.c, pxa2xx.c and strongarm.c retain the include because they
-manually specified /psci node and skip any /psci related fixups
+use it for the prototype of qemu_get_timedate().
 instead.
-Fixes: 4cbca7d9b4 ("hw/arm: Move virt's PSCI DT fixup code to
-arm/boot.c")
-Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
-Reported-by: Marc Zyngier <marc.zyngier@arm.com>
-Tested-by: Marc Zyngier <marc.zyngier@arm.com>
-Message-id: 20180402205654.14572-1-andrew.smirnov@gmail.com
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Taylor Simpson <tsimpson@quicinc.com>
+Reviewed-by: Yoshinori Sato <ysato@users.sourceforge.jp>
+Message-id: 20211129200510.1233037-5-peter.maydell@linaro.org
 ---
- hw/arm/boot.c | 10 ++++++++++
+ hw/arm/boot.c           | 1 -
-file changed, 10 insertions(+)
+ hw/arm/digic_boards.c   | 1 -
  hw/arm/highbank.c       | 1 -
  hw/arm/npcm7xx_boards.c | 1 -
  hw/arm/sbsa-ref.c       | 1 -
  hw/arm/stm32f405_soc.c  | 1 -
  hw/arm/vexpress.c       | 1 -
  hw/arm/virt.c           | 1 -
 files changed, 8 deletions(-)
 diff --git a/hw/arm/boot.c b/hw/arm/boot.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/boot.c
 +++ b/hw/arm/boot.c
-@@ -XXX,XX +XXX,XX @@ static void fdt_add_psci_node(void *fdt)
+@@ -XXX,XX +XXX,XX @@
-     ARMCPU *armcpu = ARM_CPU(qemu_get_cpu(0));
+  */
-     const char *psci_method;
-     int64_t psci_conduit;
+ #include "qemu/osdep.h"
-+    int rc;
+-#include "qemu-common.h"
+ #include "qemu/datadir.h"
-     psci_conduit = object_property_get_int(OBJECT(armcpu),
+ #include "qemu/error-report.h"
-                                            "psci-conduit",
+ #include "qapi/error.h"
-@@ -XXX,XX +XXX,XX @@ static void fdt_add_psci_node(void *fdt)
+diff --git a/hw/arm/digic_boards.c b/hw/arm/digic_boards.c
-         g_assert_not_reached();
+index XXXXXXX..XXXXXXX 100644
-     }
+--- a/hw/arm/digic_boards.c
++++ b/hw/arm/digic_boards.c
-+    /*
+@@ -XXX,XX +XXX,XX @@
-+     * If /psci node is present in provided DTB, assume that no fixup
-+     * is necessary and all PSCI configuration should be taken as-is
+ #include "qemu/osdep.h"
-+     */
+ #include "qapi/error.h"
-+    rc = fdt_path_offset(fdt, "/psci");
+-#include "qemu-common.h"
-+    if (rc >= 0) {
+ #include "qemu/datadir.h"
-+        return;
+ #include "hw/boards.h"
-+    }
+ #include "qemu/error-report.h"
-+
+diff --git a/hw/arm/highbank.c b/hw/arm/highbank.c
-     qemu_fdt_add_subnode(fdt, "/psci");
+index XXXXXXX..XXXXXXX 100644
-     if (armcpu->psci_version == 2) {
+--- a/hw/arm/highbank.c
-         const char comp[] = "arm,psci-0.2\0arm,psci";
++++ b/hw/arm/highbank.c
@@ -XXX,XX +XXX,XX @@
   */
  #include "qemu/osdep.h"
 -#include "qemu-common.h"
  #include "qemu/datadir.h"
  #include "qapi/error.h"
  #include "hw/sysbus.h"
 diff --git a/hw/arm/npcm7xx_boards.c b/hw/arm/npcm7xx_boards.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/npcm7xx_boards.c
 +++ b/hw/arm/npcm7xx_boards.c
@@ -XXX,XX +XXX,XX @@
  #include "hw/qdev-core.h"
  #include "hw/qdev-properties.h"
  #include "qapi/error.h"
 -#include "qemu-common.h"
  #include "qemu/datadir.h"
  #include "qemu/units.h"
  #include "sysemu/blockdev.h"
 diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/sbsa-ref.c
 +++ b/hw/arm/sbsa-ref.c
@@ -XXX,XX +XXX,XX @@
   */
  #include "qemu/osdep.h"
 -#include "qemu-common.h"
  #include "qemu/datadir.h"
  #include "qapi/error.h"
  #include "qemu/error-report.h"
 diff --git a/hw/arm/stm32f405_soc.c b/hw/arm/stm32f405_soc.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/stm32f405_soc.c
 +++ b/hw/arm/stm32f405_soc.c
@@ -XXX,XX +XXX,XX @@
  #include "qemu/osdep.h"
  #include "qapi/error.h"
 -#include "qemu-common.h"
  #include "exec/address-spaces.h"
  #include "sysemu/sysemu.h"
  #include "hw/arm/stm32f405_soc.h"
 diff --git a/hw/arm/vexpress.c b/hw/arm/vexpress.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/vexpress.c
 +++ b/hw/arm/vexpress.c
@@ -XXX,XX +XXX,XX @@
  #include "qemu/osdep.h"
  #include "qapi/error.h"
 -#include "qemu-common.h"
  #include "qemu/datadir.h"
  #include "cpu.h"
  #include "hw/sysbus.h"
 diff --git a/hw/arm/virt.c b/hw/arm/virt.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/virt.c
 +++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@
   */
  #include "qemu/osdep.h"
 -#include "qemu-common.h"
  #include "qemu/datadir.h"
  #include "qemu/units.h"
  #include "qemu/option.h"
 --
-.16.2
+.25.1

-[Qemu-devel] [PULL 08/12] target/arm: Report unsupported MPU region sizes more clearly
+[PULL 24/33] target/arm: Correct calculation of tlb range invalidate length
-Currently our PMSAv7 and ARMv7M MPU implementation cannot handle
+The calculation of the length of TLB range invalidate operations
-MPU region sizes smaller than our TARGET_PAGE_SIZE. However we
+in tlbi_aa64_range_get_length() is incorrect in two ways:
-report that in a slightly confusing way:
+ * the NUM field is 5 bits, but we read only 4 bits
  * we miscalculate the page_shift value, because of an
    off-by-one error:
     TG 0b00 is invalid
     TG 0b01 is 4K granule size == 4096 == 2^12
     TG 0b10 is 16K granule size == 16384 == 2^14
     TG 0b11 is 64K granule size == 65536 == 2^16
    so page_shift should be (TG - 1) * 2 + 12
- DRSR[3]: No support for MPU (sub)region alignment of 9 bits. Minimum is 10
+Thanks to the bug report submitter Cha HyunSoo for identifying
 both these errors.
-The problem is not the alignment of the region, but its size;
+Fixes: 84940ed82552d3c ("target/arm: Add support for FEAT_TLBIRANGE")
-tweak the error message to say so:
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/734
  DRSR[3]: No support for MPU (sub)region size of 512 bytes. Minimum is 1024.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Message-id: 20180405172554.27401-1-peter.maydell@linaro.org
+Message-id: 20211130173257.1274194-1-peter.maydell@linaro.org
 ---
  target/arm/helper.c | 6 +++---
 file changed, 3 insertions(+), 3 deletions(-)
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav7(CPUARMState *env, uint32_t address,
+@@ -XXX,XX +XXX,XX @@ static uint64_t tlbi_aa64_range_get_length(CPUARMState *env,
-             }
+     uint64_t exponent;
-             if (rsize < TARGET_PAGE_BITS) {
+     uint64_t length;
-                 qemu_log_mask(LOG_UNIMP,
--                              "DRSR[%d]: No support for MPU (sub)region "
+-    num = extract64(value, 39, 4);
--                              "alignment of %" PRIu32 " bits. Minimum is %d\n",
++    num = extract64(value, 39, 5);
--                              n, rsize, TARGET_PAGE_BITS);
+     scale = extract64(value, 44, 2);
-+                              "DRSR[%d]: No support for MPU (sub)region size of"
+     page_size_granule = extract64(value, 46, 2);
-+                              " %" PRIu32 " bytes. Minimum is %d.\n",
-+                              n, (1 << rsize), TARGET_PAGE_SIZE);
+-    page_shift = page_size_granule * 2 + 12;
-                 continue;
+-
-             }
+     if (page_size_granule == 0) {
-             if (srdis) {
+         qemu_log_mask(LOG_GUEST_ERROR, "Invalid page size granule %d\n",
                        page_size_granule);
          return 0;
      }
 +    page_shift = (page_size_granule - 1) * 2 + 12;
 +
      exponent = (5 * scale) + 1;
      length = (num + 1) << (exponent + page_shift);
 --
-.16.2
+.25.1

-New patch
+[PULL 25/33] hw/net: npcm7xx_emc fix missing queue_flush
+From: Patrick Venture <venture@google.com>
+The rx_active boolean change to true should always trigger a try_read
+call that flushes the queue.
+Signed-off-by: Patrick Venture <venture@google.com>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Message-id: 20211203221002.1719306-1-venture@google.com
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ hw/net/npcm7xx_emc.c | 18 ++++++++----------
+file changed, 8 insertions(+), 10 deletions(-)
+diff --git a/hw/net/npcm7xx_emc.c b/hw/net/npcm7xx_emc.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/net/npcm7xx_emc.c
++++ b/hw/net/npcm7xx_emc.c
+@@ -XXX,XX +XXX,XX @@ static void emc_halt_rx(NPCM7xxEMCState *emc, uint32_t mista_flag)
+     emc_set_mista(emc, mista_flag);
+ }
++static void emc_enable_rx_and_flush(NPCM7xxEMCState *emc)
++{
++    emc->rx_active = true;
++    qemu_flush_queued_packets(qemu_get_queue(emc->nic));
++}
++
+ static void emc_set_next_tx_descriptor(NPCM7xxEMCState *emc,
+                                        const NPCM7xxEMCTxDesc *tx_desc,
+                                        uint32_t desc_addr)
+@@ -XXX,XX +XXX,XX @@ static ssize_t emc_receive(NetClientState *nc, const uint8_t *buf, size_t len1)
+     return len;
+ }
+-static void emc_try_receive_next_packet(NPCM7xxEMCState *emc)
+-{
+-    if (emc_can_receive(qemu_get_queue(emc->nic))) {
+-        qemu_flush_queued_packets(qemu_get_queue(emc->nic));
+-    }
+-}
+-
+ static uint64_t npcm7xx_emc_read(void *opaque, hwaddr offset, unsigned size)
+ {
+     NPCM7xxEMCState *emc = opaque;
+@@ -XXX,XX +XXX,XX @@ static void npcm7xx_emc_write(void *opaque, hwaddr offset,
+             emc->regs[REG_MGSTA] |= REG_MGSTA_RXHA;
+         }
+         if (value & REG_MCMDR_RXON) {
+-            emc->rx_active = true;
++            emc_enable_rx_and_flush(emc);
+         } else {
+             emc_halt_rx(emc, 0);
+         }
+@@ -XXX,XX +XXX,XX @@ static void npcm7xx_emc_write(void *opaque, hwaddr offset,
+         break;
+     case REG_RSDR:
+         if (emc->regs[REG_MCMDR] & REG_MCMDR_RXON) {
+-            emc->rx_active = true;
+-            emc_try_receive_next_packet(emc);
++            emc_enable_rx_and_flush(emc);
+         }
+         break;
+     case REG_MIIDA:
+--
+.25.1

-[Qemu-devel] [PULL 02/12] hw/arm/integratorcp: Don't do things that could be fatal in the instance_init
+[PULL 26/33] hw/arm/virt-acpi-build: Add VIOT table for virtio-iommu
-From: Thomas Huth <thuth@redhat.com>
+From: Jean-Philippe Brucker <jean-philippe@linaro.org>
-An instance_init function must not fail - and might be called multiple times,
+When a virtio-iommu is instantiated, describe it using the ACPI VIOT
-e.g. during device introspection with the 'device-list-properties' QMP
+table.
 command. Since the integratorcm device ignores this rule, QEMU currently
 aborts in this case (though it really should not):
-echo "{'execute':'qmp_capabilities'}"\
+Acked-by: Igor Mammedov <imammedo@redhat.com>
-     "{'execute':'device-list-properties',"\
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
-     "'arguments':{'typename':'integrator_core'}}" \
+Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
-     | arm-softmmu/qemu-system-arm -M integratorcp,accel=qtest -qmp stdio
+Message-id: 20211210170415.583179-2-jean-philippe@linaro.org
 {"QMP": {"version": {"qemu": {"micro": 91, "minor": 11, "major": 2},
  "package": "build-all"}, "capabilities": []}}
 {"return": {}}
 RAMBlock "integrator.flash" already registered, abort!
 Aborted (core dumped)
 Move the problematic code to the realize() function instead to fix this
 problem.
 Reviewed-by: Philippe Mathieu-DaudÃ© <f4bug@amsat.org>
 Signed-off-by: Thomas Huth <thuth@redhat.com>
 Message-id: 1522906473-11252-1-git-send-email-thuth@redhat.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/integratorcp.c | 23 +++++++++++++++--------
+ hw/arm/virt-acpi-build.c | 7 +++++++
-file changed, 15 insertions(+), 8 deletions(-)
+ hw/arm/Kconfig           | 1 +
 files changed, 8 insertions(+)
-diff --git a/hw/arm/integratorcp.c b/hw/arm/integratorcp.c
+diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/integratorcp.c
+--- a/hw/arm/virt-acpi-build.c
-+++ b/hw/arm/integratorcp.c
++++ b/hw/arm/virt-acpi-build.c
-@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps integratorcm_ops = {
+@@ -XXX,XX +XXX,XX @@
- static void integratorcm_init(Object *obj)
+ #include "kvm_arm.h"
- {
+ #include "migration/vmstate.h"
-     IntegratorCMState *s = INTEGRATOR_CM(obj);
+ #include "hw/acpi/ghes.h"
--    SysBusDevice *dev = SYS_BUS_DEVICE(obj);
++#include "hw/acpi/viot.h"
-     s->cm_osc = 0x01000048;
+ #define ARM_SPI_BASE 32
-     /* ??? What should the high bits of this value be?  */
-@@ -XXX,XX +XXX,XX @@ static void integratorcm_init(Object *obj)
+@@ -XXX,XX +XXX,XX @@ void virt_acpi_build(VirtMachineState *vms, AcpiBuildTables *tables)
-     s->cm_init = 0x00000112;
+     }
-     s->cm_refcnt_offset = muldiv64(qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL), 24,
+ #endif
-);
--    memory_region_init_ram(&s->flash, obj, "integrator.flash", 0x100000,
++    if (vms->iommu == VIRT_IOMMU_VIRTIO) {
--                           &error_fatal);
++        acpi_add_table(table_offsets, tables_blob);
++        build_viot(ms, tables_blob, tables->linker, vms->virtio_iommu_bdf,
--    memory_region_init_io(&s->iomem, obj, &integratorcm_ops, s,
++                   vms->oem_id, vms->oem_table_id);
 -                          "integratorcm", 0x00800000);
 -    sysbus_init_mmio(dev, &s->iomem);
 -
 -    integratorcm_do_remap(s);
      /* ??? Save/restore.  */
  }
  static void integratorcm_realize(DeviceState *d, Error **errp)
  {
      IntegratorCMState *s = INTEGRATOR_CM(d);
 +    SysBusDevice *dev = SYS_BUS_DEVICE(d);
 +    Error *local_err = NULL;
 +
 +    memory_region_init_ram(&s->flash, OBJECT(d), "integrator.flash", 0x100000,
 +                           &local_err);
 +    if (local_err) {
 +        error_propagate(errp, local_err);
 +        return;
 +    }
 +
-+    memory_region_init_io(&s->iomem, OBJECT(d), &integratorcm_ops, s,
+     /* XSDT is pointed to by RSDP */
-+                          "integratorcm", 0x00800000);
+     xsdt = tables_blob->len;
-+    sysbus_init_mmio(dev, &s->iomem);
+     build_xsdt(tables_blob, tables->linker, table_offsets, vms->oem_id,
-+
+diff --git a/hw/arm/Kconfig b/hw/arm/Kconfig
-+    integratorcm_do_remap(s);
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/Kconfig
-     if (s->memsz >= 256) {
++++ b/hw/arm/Kconfig
-         integrator_spd[31] = 64;
+@@ -XXX,XX +XXX,XX @@ config ARM_VIRT
      select DIMM
      select ACPI_HW_REDUCED
      select ACPI_APEI
 +    select ACPI_VIOT
  config CHEETAH
      bool
 --
-.16.2
+.25.1

-[Qemu-devel] [PULL 04/12] hw/sd/bcm2835_sdhost: Add tracepoints
+[PULL 27/33] hw/arm/virt: Remove device tree restriction for virtio-iommu
-Add some tracepoints to the bcm2835_sdhost driver, to assist
+From: Jean-Philippe Brucker <jean-philippe@linaro.org>
 debugging.
+virtio-iommu is now supported with ACPI VIOT as well as device tree.
+Remove the restriction that prevents from instantiating a virtio-iommu
+device under ACPI.
+Acked-by: Igor Mammedov <imammedo@redhat.com>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
+Message-id: 20211210170415.583179-3-jean-philippe@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Tested-by: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: 20180319161556.16446-2-peter.maydell@linaro.org
 ---
- hw/sd/bcm2835_sdhost.c | 10 ++++++++++
+ hw/arm/virt.c                | 10 ++--------
- hw/sd/trace-events     |  6 ++++++
+ hw/virtio/virtio-iommu-pci.c | 12 ++----------
-files changed, 16 insertions(+)
+files changed, 4 insertions(+), 18 deletions(-)
-diff --git a/hw/sd/bcm2835_sdhost.c b/hw/sd/bcm2835_sdhost.c
+diff --git a/hw/arm/virt.c b/hw/arm/virt.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/sd/bcm2835_sdhost.c
+--- a/hw/arm/virt.c
-+++ b/hw/sd/bcm2835_sdhost.c
++++ b/hw/arm/virt.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ static HotplugHandler *virt_machine_get_hotplug_handler(MachineState *machine,
- #include "qemu/log.h"
+     MachineClass *mc = MACHINE_GET_CLASS(machine);
- #include "sysemu/blockdev.h"
- #include "hw/sd/bcm2835_sdhost.h"
+     if (device_is_dynamic_sysbus(mc, dev) ||
-+#include "trace.h"
+-       (object_dynamic_cast(OBJECT(dev), TYPE_PC_DIMM))) {
++        object_dynamic_cast(OBJECT(dev), TYPE_PC_DIMM) ||
- #define TYPE_BCM2835_SDHOST_BUS "bcm2835-sdhost-bus"
++        object_dynamic_cast(OBJECT(dev), TYPE_VIRTIO_IOMMU_PCI)) {
- #define BCM2835_SDHOST_BUS(obj) \
+         return HOTPLUG_HANDLER(machine);
-@@ -XXX,XX +XXX,XX @@ static void bcm2835_sdhost_update_irq(BCM2835SDHostState *s)
+     }
- {
+-    if (object_dynamic_cast(OBJECT(dev), TYPE_VIRTIO_IOMMU_PCI)) {
-     uint32_t irq = s->status &
+-        VirtMachineState *vms = VIRT_MACHINE(machine);
-         (SDHSTS_BUSY_IRPT | SDHSTS_BLOCK_IRPT | SDHSTS_SDIO_IRPT);
+-
-+    trace_bcm2835_sdhost_update_irq(irq);
+-        if (!vms->bootinfo.firmware_loaded || !virt_is_acpi_enabled(vms)) {
-     qemu_set_irq(s->irq, !!irq);
+-            return HOTPLUG_HANDLER(machine);
 -        }
 -    }
      return NULL;
  }
-@@ -XXX,XX +XXX,XX @@ static void bcm2835_sdhost_fifo_run(BCM2835SDHostState *s)
+diff --git a/hw/virtio/virtio-iommu-pci.c b/hw/virtio/virtio-iommu-pci.c
+index XXXXXXX..XXXXXXX 100644
-         s->edm &= ~0xf;
+--- a/hw/virtio/virtio-iommu-pci.c
-         s->edm |= SDEDM_FSM_DATAMODE;
++++ b/hw/virtio/virtio-iommu-pci.c
-+        trace_bcm2835_sdhost_edm_change("datacnt 0", s->edm);
+@@ -XXX,XX +XXX,XX @@ static void virtio_iommu_pci_realize(VirtIOPCIProxy *vpci_dev, Error **errp)
+     VirtIOIOMMU *s = VIRTIO_IOMMU(vdev);
-         if (s->config & SDHCFG_DATA_IRPT_EN) {
-             s->status |= SDHSTS_SDIO_IRPT;
+     if (!qdev_get_machine_hotplug_handler(DEVICE(vpci_dev))) {
-@@ -XXX,XX +XXX,XX @@ static void bcm2835_sdhost_fifo_run(BCM2835SDHostState *s)
+-        MachineClass *mc = MACHINE_GET_CLASS(qdev_get_machine());
+-
-     s->edm &= ~(0x1f << 4);
+-        error_setg(errp,
-     s->edm |= ((s->fifo_len & 0x1f) << 4);
+-                   "%s machine fails to create iommu-map device tree bindings",
-+    trace_bcm2835_sdhost_edm_change("fifo run", s->edm);
+-                   mc->name);
- }
+-        error_append_hint(errp,
+-                          "Check your machine implements a hotplug handler "
- static uint64_t bcm2835_sdhost_read(void *opaque, hwaddr offset,
+-                          "for the virtio-iommu-pci device\n");
-@@ -XXX,XX +XXX,XX @@ static uint64_t bcm2835_sdhost_read(void *opaque, hwaddr offset,
+-        error_append_hint(errp, "Check the guest is booted without FW or with "
-         break;
+-                          "-no-acpi\n");
 +        error_setg(errp, "Check your machine implements a hotplug handler "
 +                         "for the virtio-iommu-pci device");
          return;
      }
+     for (int i = 0; i < s->nb_reserved_regions; i++) {
 +    trace_bcm2835_sdhost_read(offset, res, size);
 +
      return res;
  }
@@ -XXX,XX +XXX,XX @@ static void bcm2835_sdhost_write(void *opaque, hwaddr offset,
  {
      BCM2835SDHostState *s = (BCM2835SDHostState *)opaque;
 +    trace_bcm2835_sdhost_write(offset, value, size);
 +
      switch (offset) {
      case SDCMD:
          s->cmd = value;
@@ -XXX,XX +XXX,XX @@ static void bcm2835_sdhost_write(void *opaque, hwaddr offset,
              value &= ~0xf;
          }
          s->edm = value;
 +        trace_bcm2835_sdhost_edm_change("guest register write", s->edm);
          break;
      case SDHCFG:
          s->config = value;
@@ -XXX,XX +XXX,XX @@ static void bcm2835_sdhost_reset(DeviceState *dev)
      s->cmd = 0;
      s->cmdarg = 0;
      s->edm = 0x0000c60f;
 +    trace_bcm2835_sdhost_edm_change("device reset", s->edm);
      s->config = 0;
      s->hbct = 0;
      s->hblc = 0;
 diff --git a/hw/sd/trace-events b/hw/sd/trace-events
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/sd/trace-events
 +++ b/hw/sd/trace-events
@@ -XXX,XX +XXX,XX @@
  # See docs/devel/tracing.txt for syntax documentation.
 +# hw/sd/bcm2835_sdhost.c
 +bcm2835_sdhost_read(uint64_t offset, uint64_t data, unsigned size) "offset 0x%" PRIx64 " data 0x%" PRIx64 " size %u"
 +bcm2835_sdhost_write(uint64_t offset, uint64_t data, unsigned size) "offset 0x%" PRIx64 " data 0x%" PRIx64 " size %u"
 +bcm2835_sdhost_edm_change(const char *why, uint32_t edm) "(%s) EDM now 0x%x"
 +bcm2835_sdhost_update_irq(uint32_t irq) "IRQ bits 0x%x\n"
 +
  # hw/sd/core.c
  sdbus_command(const char *bus_name, uint8_t cmd, uint32_t arg, uint8_t crc) "@%s CMD%02d arg 0x%08x crc 0x%02x"
  sdbus_read(const char *bus_name, uint8_t value) "@%s value 0x%02x"
 --
-.16.2
+.25.1

-New patch
+[PULL 28/33] hw/arm/virt: Reject instantiation of multiple IOMMUs
+From: Jean-Philippe Brucker <jean-philippe@linaro.org>
+We do not support instantiating multiple IOMMUs. Before adding a
+virtio-iommu, check that no other IOMMU is present. This will detect
+both "iommu=smmuv3" machine parameter and another virtio-iommu instance.
+Fixes: 70e89132c9 ("hw/arm/virt: Add the virtio-iommu device tree mappings")
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Reviewed-by: Igor Mammedov <imammedo@redhat.com>
+Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
+Message-id: 20211210170415.583179-4-jean-philippe@linaro.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ hw/arm/virt.c | 5 +++++
+file changed, 5 insertions(+)
+diff --git a/hw/arm/virt.c b/hw/arm/virt.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/virt.c
++++ b/hw/arm/virt.c
+@@ -XXX,XX +XXX,XX @@ static void virt_machine_device_pre_plug_cb(HotplugHandler *hotplug_dev,
+         hwaddr db_start = 0, db_end = 0;
+         char *resv_prop_str;
++        if (vms->iommu != VIRT_IOMMU_NONE) {
++            error_setg(errp, "virt machine does not support multiple IOMMUs");
++            return;
++        }
++
+         switch (vms->msi_controller) {
+         case VIRT_MSI_CTRL_NONE:
+             return;
+--
+.25.1

-New patch
+[PULL 29/33] hw/arm/virt: Use object_property_set instead of qdev_prop_set
+From: Jean-Philippe Brucker <jean-philippe@linaro.org>
+To propagate errors to the caller of the pre_plug callback, use the
+object_poperty_set*() functions directly instead of the qdev_prop_set*()
+helpers.
+Suggested-by: Igor Mammedov <imammedo@redhat.com>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Reviewed-by: Igor Mammedov <imammedo@redhat.com>
+Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
+Message-id: 20211210170415.583179-5-jean-philippe@linaro.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ hw/arm/virt.c | 5 +++--
+file changed, 3 insertions(+), 2 deletions(-)
+diff --git a/hw/arm/virt.c b/hw/arm/virt.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/virt.c
++++ b/hw/arm/virt.c
+@@ -XXX,XX +XXX,XX @@ static void virt_machine_device_pre_plug_cb(HotplugHandler *hotplug_dev,
+                                         db_start, db_end,
+                                         VIRTIO_IOMMU_RESV_MEM_T_MSI);
+-        qdev_prop_set_uint32(dev, "len-reserved-regions", 1);
+-        qdev_prop_set_string(dev, "reserved-regions[0]", resv_prop_str);
++        object_property_set_uint(OBJECT(dev), "len-reserved-regions", 1, errp);
++        object_property_set_str(OBJECT(dev), "reserved-regions[0]",
++                                resv_prop_str, errp);
+         g_free(resv_prop_str);
+     }
+ }
+--
+.25.1

-New patch
+[PULL 30/33] tests/acpi: allow updates of VIOT expected data files
+From: Jean-Philippe Brucker <jean-philippe@linaro.org>
+Create empty data files and allow updates for the upcoming VIOT tests.
+Acked-by: Igor Mammedov <imammedo@redhat.com>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
+Message-id: 20211210170415.583179-6-jean-philippe@linaro.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ tests/qtest/bios-tables-test-allowed-diff.h | 3 +++
+ tests/data/acpi/q35/DSDT.viot               | 0
+ tests/data/acpi/q35/VIOT.viot               | 0
+ tests/data/acpi/virt/VIOT                   | 0
+files changed, 3 insertions(+)
+ create mode 100644 tests/data/acpi/q35/DSDT.viot
+ create mode 100644 tests/data/acpi/q35/VIOT.viot
+ create mode 100644 tests/data/acpi/virt/VIOT
+diff --git a/tests/qtest/bios-tables-test-allowed-diff.h b/tests/qtest/bios-tables-test-allowed-diff.h
+index XXXXXXX..XXXXXXX 100644
+--- a/tests/qtest/bios-tables-test-allowed-diff.h
++++ b/tests/qtest/bios-tables-test-allowed-diff.h
+@@ -1 +1,4 @@
+ /* List of comma-separated changed AML files to ignore */
++"tests/data/acpi/virt/VIOT",
++"tests/data/acpi/q35/DSDT.viot",
++"tests/data/acpi/q35/VIOT.viot",
+diff --git a/tests/data/acpi/q35/DSDT.viot b/tests/data/acpi/q35/DSDT.viot
+new file mode 100644
+index XXXXXXX..XXXXXXX
+diff --git a/tests/data/acpi/q35/VIOT.viot b/tests/data/acpi/q35/VIOT.viot
+new file mode 100644
+index XXXXXXX..XXXXXXX
+diff --git a/tests/data/acpi/virt/VIOT b/tests/data/acpi/virt/VIOT
+new file mode 100644
+index XXXXXXX..XXXXXXX
+--
+.25.1

-New patch
+[PULL 31/33] tests/acpi: add test case for VIOT
+From: Jean-Philippe Brucker <jean-philippe@linaro.org>
+Add two test cases for VIOT, one on the q35 machine and the other on
+virt. To test complex topologies the q35 test has two PCIe buses that
+bypass the IOMMU (and are therefore not described by VIOT), and two
+buses that are translated by virtio-iommu.
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Reviewed-by: Igor Mammedov <imammedo@redhat.com>
+Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
+Message-id: 20211210170415.583179-7-jean-philippe@linaro.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ tests/qtest/bios-tables-test.c | 38 ++++++++++++++++++++++++++++++++++
+file changed, 38 insertions(+)
+diff --git a/tests/qtest/bios-tables-test.c b/tests/qtest/bios-tables-test.c
+index XXXXXXX..XXXXXXX 100644
+--- a/tests/qtest/bios-tables-test.c
++++ b/tests/qtest/bios-tables-test.c
+@@ -XXX,XX +XXX,XX @@ static void test_acpi_virt_tcg(void)
+     free_test_data(&data);
+ }
++static void test_acpi_q35_viot(void)
++{
++    test_data data = {
++        .machine = MACHINE_Q35,
++        .variant = ".viot",
++    };
++
++    /*
++     * To keep things interesting, two buses bypass the IOMMU.
++     * VIOT should only describes the other two buses.
++     */
++    test_acpi_one("-machine default_bus_bypass_iommu=on "
++                  "-device virtio-iommu-pci "
++                  "-device pxb-pcie,bus_nr=0x10,id=pcie.100,bus=pcie.0 "
++                  "-device pxb-pcie,bus_nr=0x20,id=pcie.200,bus=pcie.0,bypass_iommu=on "
++                  "-device pxb-pcie,bus_nr=0x30,id=pcie.300,bus=pcie.0",
++                  &data);
++    free_test_data(&data);
++}
++
++static void test_acpi_virt_viot(void)
++{
++    test_data data = {
++        .machine = "virt",
++        .uefi_fl1 = "pc-bios/edk2-aarch64-code.fd",
++        .uefi_fl2 = "pc-bios/edk2-arm-vars.fd",
++        .cd = "tests/data/uefi-boot-images/bios-tables-test.aarch64.iso.qcow2",
++        .ram_start = 0x40000000ULL,
++        .scan_len = 128ULL * 1024 * 1024,
++    };
++
++    test_acpi_one("-cpu cortex-a57 "
++                  "-device virtio-iommu-pci", &data);
++    free_test_data(&data);
++}
++
+ static void test_oem_fields(test_data *data)
+ {
+     int i;
+@@ -XXX,XX +XXX,XX @@ int main(int argc, char *argv[])
+             qtest_add_func("acpi/q35/kvm/xapic", test_acpi_q35_kvm_xapic);
+             qtest_add_func("acpi/q35/kvm/dmar", test_acpi_q35_kvm_dmar);
+         }
++        qtest_add_func("acpi/q35/viot", test_acpi_q35_viot);
+     } else if (strcmp(arch, "aarch64") == 0) {
+         if (has_tcg) {
+             qtest_add_func("acpi/virt", test_acpi_virt_tcg);
+@@ -XXX,XX +XXX,XX @@ int main(int argc, char *argv[])
+             qtest_add_func("acpi/virt/memhp", test_acpi_virt_tcg_memhp);
+             qtest_add_func("acpi/virt/pxb", test_acpi_virt_tcg_pxb);
+             qtest_add_func("acpi/virt/oem-fields", test_acpi_oem_fields_virt);
++            qtest_add_func("acpi/virt/viot", test_acpi_virt_viot);
+         }
+     }
+     ret = g_test_run();
+--
+.25.1

-New patch
+[PULL 32/33] tests/acpi: add expected blobs for VIOT test on q35 machine
+From: Jean-Philippe Brucker <jean-philippe@linaro.org>
 Add expected blobs of the VIOT and DSDT table for the VIOT test on the
 q35 machine.
 Since the test instantiates a virtio device and two PCIe expander
 bridges, DSDT.viot has more blocks than the base DSDT.
 The VIOT table generated for the q35 test is:
 [000h 0000   4]                    Signature : "VIOT"    [Virtual I/O Translation Table]
 [004h 0004   4]                 Table Length : 00000070
 [008h 0008   1]                     Revision : 00
 [009h 0009   1]                     Checksum : 3D
 [00Ah 0010   6]                       Oem ID : "BOCHS "
 [010h 0016   8]                 Oem Table ID : "BXPC    "
 [018h 0024   4]                 Oem Revision : 00000001
 [01Ch 0028   4]              Asl Compiler ID : "BXPC"
 [020h 0032   4]        Asl Compiler Revision : 00000001
 [024h 0036   2]                   Node count : 0003
 [026h 0038   2]                  Node offset : 0030
 [028h 0040   8]                     Reserved : 0000000000000000
 [030h 0048   1]                         Type : 03 [VirtIO-PCI IOMMU]
 [031h 0049   1]                     Reserved : 00
 [032h 0050   2]                       Length : 0010
 [034h 0052   2]                  PCI Segment : 0000
 [036h 0054   2]               PCI BDF number : 0010
 [038h 0056   8]                     Reserved : 0000000000000000
 [040h 0064   1]                         Type : 01 [PCI Range]
 [041h 0065   1]                     Reserved : 00
 [042h 0066   2]                       Length : 0018
 [044h 0068   4]               Endpoint start : 00003000
 [048h 0072   2]            PCI Segment start : 0000
 [04Ah 0074   2]              PCI Segment end : 0000
 [04Ch 0076   2]                PCI BDF start : 3000
 [04Eh 0078   2]                  PCI BDF end : 30FF
 [050h 0080   2]                  Output node : 0030
 [052h 0082   6]                     Reserved : 000000000000
 [058h 0088   1]                         Type : 01 [PCI Range]
 [059h 0089   1]                     Reserved : 00
 [05Ah 0090   2]                       Length : 0018
 [05Ch 0092   4]               Endpoint start : 00001000
 [060h 0096   2]            PCI Segment start : 0000
 [062h 0098   2]              PCI Segment end : 0000
 [064h 0100   2]                PCI BDF start : 1000
 [066h 0102   2]                  PCI BDF end : 10FF
 [068h 0104   2]                  Output node : 0030
 [06Ah 0106   6]                     Reserved : 000000000000
 And the DSDT diff is:
@@ -XXX,XX +XXX,XX @@
   *
   * Disassembling to symbolic ASL+ operators
   *
 - * Disassembly of tests/data/acpi/q35/DSDT, Fri Dec 10 15:03:08 2021
 + * Disassembly of /tmp/aml-H9Y5D1, Fri Dec 10 15:02:27 2021
   *
   * Original Table Header:
   *     Signature        "DSDT"
 - *     Length           0x00002061 (8289)
 + *     Length           0x000024B6 (9398)
   *     Revision         0x01 **** 32-bit table (V1), no 64-bit math support
 - *     Checksum         0xFA
 + *     Checksum         0xA7
   *     OEM ID           "BOCHS "
   *     OEM Table ID     "BXPC    "
   *     OEM Revision     0x00000001 (1)
@@ -XXX,XX +XXX,XX @@
          }
      }
 +    Scope (\_SB)
 +    {
 +        Device (PC30)
 +        {
 +            Name (_UID, 0x30)  // _UID: Unique ID
 +            Name (_BBN, 0x30)  // _BBN: BIOS Bus Number
 +            Name (_HID, EisaId ("PNP0A08") /* PCI Express Bus */)  // _HID: Hardware ID
 +            Name (_CID, EisaId ("PNP0A03") /* PCI Bus */)  // _CID: Compatible ID
 +            Method (_OSC, 4, NotSerialized)  // _OSC: Operating System Capabilities
 +            {
 +                CreateDWordField (Arg3, Zero, CDW1)
 +                If ((Arg0 == ToUUID ("33db4d5b-1ff7-401c-9657-7441c03dd766") /* PCI Host Bridge Device */))
 +                {
 +                    CreateDWordField (Arg3, 0x04, CDW2)
 +                    CreateDWordField (Arg3, 0x08, CDW3)
 +                    Local0 = CDW3 /* \_SB_.PC30._OSC.CDW3 */
 +                    Local0 &= 0x1F
 +                    If ((Arg1 != One))
 +                    {
 +                        CDW1 |= 0x08
 +                    }
 +
 +                    If ((CDW3 != Local0))
 +                    {
 +                        CDW1 |= 0x10
 +                    }
 +
 +                    CDW3 = Local0
 +                }
 +                Else
 +                {
 +                    CDW1 |= 0x04
 +                }
 +
 +                Return (Arg3)
 +            }
 +
 +            Method (_PRT, 0, NotSerialized)  // _PRT: PCI Routing Table
 +            {
 +                Local0 = Package (0x80){}
 +                Local1 = Zero
 +                While ((Local1 < 0x80))
 +                {
 +                    Local2 = (Local1 >> 0x02)
 +                    Local3 = ((Local1 + Local2) & 0x03)
 +                    If ((Local3 == Zero))
 +                    {
 +                        Local4 = Package (0x04)
 +                            {
 +                                Zero,
 +                                Zero,
 +                                LNKD,
 +                                Zero
 +                            }
 +                    }
 +
 +                    If ((Local3 == One))
 +                    {
 +                        Local4 = Package (0x04)
 +                            {
 +                                Zero,
 +                                Zero,
 +                                LNKA,
 +                                Zero
 +                            }
 +                    }
 +
 +                    If ((Local3 == 0x02))
 +                    {
 +                        Local4 = Package (0x04)
 +                            {
 +                                Zero,
 +                                Zero,
 +                                LNKB,
 +                                Zero
 +                            }
 +                    }
 +
 +                    If ((Local3 == 0x03))
 +                    {
 +                        Local4 = Package (0x04)
 +                            {
 +                                Zero,
 +                                Zero,
 +                                LNKC,
 +                                Zero
 +                            }
 +                    }
 +
 +                    Local4 [Zero] = ((Local2 << 0x10) | 0xFFFF)
 +                    Local4 [One] = (Local1 & 0x03)
 +                    Local0 [Local1] = Local4
 +                    Local1++
 +                }
 +
 +                Return (Local0)
 +            }
 +
 +            Name (_CRS, ResourceTemplate ()  // _CRS: Current Resource Settings
 +            {
 +                WordBusNumber (ResourceProducer, MinFixed, MaxFixed, PosDecode,
 +                    0x0000,             // Granularity
 +                    0x0030,             // Range Minimum
 +                    0x0030,             // Range Maximum
 +                    0x0000,             // Translation Offset
 +                    0x0001,             // Length
 +                    ,, )
 +            })
 +        }
 +    }
 +
 +    Scope (\_SB)
 +    {
 +        Device (PC20)
 +        {
 +            Name (_UID, 0x20)  // _UID: Unique ID
 +            Name (_BBN, 0x20)  // _BBN: BIOS Bus Number
 +            Name (_HID, EisaId ("PNP0A08") /* PCI Express Bus */)  // _HID: Hardware ID
 +            Name (_CID, EisaId ("PNP0A03") /* PCI Bus */)  // _CID: Compatible ID
 +            Method (_OSC, 4, NotSerialized)  // _OSC: Operating System Capabilities
 +            {
 +                CreateDWordField (Arg3, Zero, CDW1)
 +                If ((Arg0 == ToUUID ("33db4d5b-1ff7-401c-9657-7441c03dd766") /* PCI Host Bridge Device */))
 +                {
 +                    CreateDWordField (Arg3, 0x04, CDW2)
 +                    CreateDWordField (Arg3, 0x08, CDW3)
 +                    Local0 = CDW3 /* \_SB_.PC20._OSC.CDW3 */
 +                    Local0 &= 0x1F
 +                    If ((Arg1 != One))
 +                    {
 +                        CDW1 |= 0x08
 +                    }
 +
 +                    If ((CDW3 != Local0))
 +                    {
 +                        CDW1 |= 0x10
 +                    }
 +
 +                    CDW3 = Local0
 +                }
 +                Else
 +                {
 +                    CDW1 |= 0x04
 +                }
 +
 +                Return (Arg3)
 +            }
 +
 +            Method (_PRT, 0, NotSerialized)  // _PRT: PCI Routing Table
 +            {
 +                Local0 = Package (0x80){}
 +                Local1 = Zero
 +                While ((Local1 < 0x80))
 +                {
 +                    Local2 = (Local1 >> 0x02)
 +                    Local3 = ((Local1 + Local2) & 0x03)
 +                    If ((Local3 == Zero))
 +                    {
 +                        Local4 = Package (0x04)
 +                            {
 +                                Zero,
 +                                Zero,
 +                                LNKD,
 +                                Zero
 +                            }
 +                    }
 +
 +                    If ((Local3 == One))
 +                    {
 +                        Local4 = Package (0x04)
 +                            {
 +                                Zero,
 +                                Zero,
 +                                LNKA,
 +                                Zero
 +                            }
 +                    }
 +
 +                    If ((Local3 == 0x02))
 +                    {
 +                        Local4 = Package (0x04)
 +                            {
 +                                Zero,
 +                                Zero,
 +                                LNKB,
 +                                Zero
 +                            }
 +                    }
 +
 +                    If ((Local3 == 0x03))
 +                    {
 +                        Local4 = Package (0x04)
 +                            {
 +                                Zero,
 +                                Zero,
 +                                LNKC,
 +                                Zero
 +                            }
 +                    }
 +
 +                    Local4 [Zero] = ((Local2 << 0x10) | 0xFFFF)
 +                    Local4 [One] = (Local1 & 0x03)
 +                    Local0 [Local1] = Local4
 +                    Local1++
 +                }
 +
 +                Return (Local0)
 +            }
 +
 +            Name (_CRS, ResourceTemplate ()  // _CRS: Current Resource Settings
 +            {
 +                WordBusNumber (ResourceProducer, MinFixed, MaxFixed, PosDecode,
 +                    0x0000,             // Granularity
 +                    0x0020,             // Range Minimum
 +                    0x0020,             // Range Maximum
 +                    0x0000,             // Translation Offset
 +                    0x0001,             // Length
 +                    ,, )
 +            })
 +        }
 +    }
 +
 +    Scope (\_SB)
 +    {
 +        Device (PC10)
 +        {
 +            Name (_UID, 0x10)  // _UID: Unique ID
 +            Name (_BBN, 0x10)  // _BBN: BIOS Bus Number
 +            Name (_HID, EisaId ("PNP0A08") /* PCI Express Bus */)  // _HID: Hardware ID
 +            Name (_CID, EisaId ("PNP0A03") /* PCI Bus */)  // _CID: Compatible ID
 +            Method (_OSC, 4, NotSerialized)  // _OSC: Operating System Capabilities
 +            {
 +                CreateDWordField (Arg3, Zero, CDW1)
 +                If ((Arg0 == ToUUID ("33db4d5b-1ff7-401c-9657-7441c03dd766") /* PCI Host Bridge Device */))
 +                {
 +                    CreateDWordField (Arg3, 0x04, CDW2)
 +                    CreateDWordField (Arg3, 0x08, CDW3)
 +                    Local0 = CDW3 /* \_SB_.PC10._OSC.CDW3 */
 +                    Local0 &= 0x1F
 +                    If ((Arg1 != One))
 +                    {
 +                        CDW1 |= 0x08
 +                    }
 +
 +                    If ((CDW3 != Local0))
 +                    {
 +                        CDW1 |= 0x10
 +                    }
 +
 +                    CDW3 = Local0
 +                }
 +                Else
 +                {
 +                    CDW1 |= 0x04
 +                }
 +
 +                Return (Arg3)
 +            }
 +
 +            Method (_PRT, 0, NotSerialized)  // _PRT: PCI Routing Table
 +            {
 +                Local0 = Package (0x80){}
 +                Local1 = Zero
 +                While ((Local1 < 0x80))
 +                {
 +                    Local2 = (Local1 >> 0x02)
 +                    Local3 = ((Local1 + Local2) & 0x03)
 +                    If ((Local3 == Zero))
 +                    {
 +                        Local4 = Package (0x04)
 +                            {
 +                                Zero,
 +                                Zero,
 +                                LNKD,
 +                                Zero
 +                            }
 +                    }
 +
 +                    If ((Local3 == One))
 +                    {
 +                        Local4 = Package (0x04)
 +                            {
 +                                Zero,
 +                                Zero,
 +                                LNKA,
 +                                Zero
 +                            }
 +                    }
 +
 +                    If ((Local3 == 0x02))
 +                    {
 +                        Local4 = Package (0x04)
 +                            {
 +                                Zero,
 +                                Zero,
 +                                LNKB,
 +                                Zero
 +                            }
 +                    }
 +
 +                    If ((Local3 == 0x03))
 +                    {
 +                        Local4 = Package (0x04)
 +                            {
 +                                Zero,
 +                                Zero,
 +                                LNKC,
 +                                Zero
 +                            }
 +                    }
 +
 +                    Local4 [Zero] = ((Local2 << 0x10) | 0xFFFF)
 +                    Local4 [One] = (Local1 & 0x03)
 +                    Local0 [Local1] = Local4
 +                    Local1++
 +                }
 +
 +                Return (Local0)
 +            }
 +
 +            Name (_CRS, ResourceTemplate ()  // _CRS: Current Resource Settings
 +            {
 +                WordBusNumber (ResourceProducer, MinFixed, MaxFixed, PosDecode,
 +                    0x0000,             // Granularity
 +                    0x0010,             // Range Minimum
 +                    0x0010,             // Range Maximum
 +                    0x0000,             // Translation Offset
 +                    0x0001,             // Length
 +                    ,, )
 +            })
 +        }
 +    }
 +
      Scope (\_SB.PCI0)
      {
          Name (_CRS, ResourceTemplate ()  // _CRS: Current Resource Settings
@@ -XXX,XX +XXX,XX @@
              WordBusNumber (ResourceProducer, MinFixed, MaxFixed, PosDecode,
 x0000,             // Granularity
 x0000,             // Range Minimum
 -                0x00FF,             // Range Maximum
 +                0x000F,             // Range Maximum
 x0000,             // Translation Offset
 -                0x0100,             // Length
 +                0x0010,             // Length
                  ,, )
              IO (Decode16,
 x0CF8,             // Range Minimum
@@ -XXX,XX +XXX,XX @@
                  }
              }
 +            Device (S10)
 +            {
 +                Name (_ADR, 0x00020000)  // _ADR: Address
 +            }
 +
 +            Device (S18)
 +            {
 +                Name (_ADR, 0x00030000)  // _ADR: Address
 +            }
 +
 +            Device (S20)
 +            {
 +                Name (_ADR, 0x00040000)  // _ADR: Address
 +            }
 +
 +            Device (S28)
 +            {
 +                Name (_ADR, 0x00050000)  // _ADR: Address
 +            }
 +
              Method (PCNT, 0, NotSerialized)
              {
              }
 Reviewed-by: Eric Auger <eric.auger@redhat.com>
 Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
 Message-id: 20211210170415.583179-8-jean-philippe@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
  tests/qtest/bios-tables-test-allowed-diff.h |   2 --
  tests/data/acpi/q35/DSDT.viot               | Bin 0 -> 9398 bytes
  tests/data/acpi/q35/VIOT.viot               | Bin 0 -> 112 bytes
 files changed, 2 deletions(-)
 diff --git a/tests/qtest/bios-tables-test-allowed-diff.h b/tests/qtest/bios-tables-test-allowed-diff.h
 index XXXXXXX..XXXXXXX 100644
 --- a/tests/qtest/bios-tables-test-allowed-diff.h
 +++ b/tests/qtest/bios-tables-test-allowed-diff.h
@@ -XXX,XX +XXX,XX @@
  /* List of comma-separated changed AML files to ignore */
  "tests/data/acpi/virt/VIOT",
 -"tests/data/acpi/q35/DSDT.viot",
 -"tests/data/acpi/q35/VIOT.viot",
 diff --git a/tests/data/acpi/q35/DSDT.viot b/tests/data/acpi/q35/DSDT.viot
 index XXXXXXX..XXXXXXX 100644
 GIT binary patch
 literal 9398
 zcmeHNO>7&-8J*>iv|O&FB}G~Oi$yp||57BBoWHhc5OS9yDTx$CQgH$r;8Idr*-4Q_
 z5(9Az1F`}niVsB-)<KW7p`g9Br(A2Gm-gmc1N78GFS!;)e2V(MnH_0{q<{#yMgn&C
 zn|*J-d9yqFhO_H6z19~`FlPL*u<DkZ*}|)JH;X@mF-FI<cPg<fti9tEN*yB^i5czN
 zNq&q?!OZ;BE3B7{KWzJ-`Tn~f`9?Qj8~2^N8{Oc8J%57{==w%rS#;nOCp*nTr@iZ1
 zb+?i;JLQUJ=O0?8*>S~D)a>NF1~WVB6^~_B#yhJ`H+JU@=6aXs`?Yv)J2h=N?drcS
 zeLZ*n<<Bm^n}6`jfBx#u8&(W}1?)}iF9o#mZ~E2+zwdn7yK3AbIzKnxpZ>JRPm3~#
 z&ICS{+_OayRW-l=Mtk=~uaS3o8z<_udd|(wqg`&JnVPfCe>BUOO`Su3e>pff_^UW%
 z&JE^NO`)=Amg~iqRB1pPscP?(>#ZuY8GHCmlEvD$9g3%4Db~Dfz2SATnddvrR-Oe^
 z;s;dJec!hnzi)ri^I6YN9vtkm{^TdUF8h7gX8-<Qe4p)GQ=)AtYx2VcwdLVAEXEjG
 z^Mj|UHPqkj-LsWuzQem1>F3atdZn=zv3$#RmZzSHN+6-yyU#8cJb=YDilX&sl}vNm
 znkgAR^O<3kj4if>{ly5fwRfMWuC5=lrlvKPX~i#654Cp}R_d*JS$9laZ$ra6)<ns8
 zFZy28G%xP(nit&F>LDi%G<tIc=TY=gl$jSD&Uv!Yat~XR46h%rI$!}a%!|xG7u8Zn
 zeY8_|n=K>xz_v_W8VX$W-Fg-qFWcT}7MCyz{%%{ia7hZ>Law-k6NOr}VI&_48U=2l
 zwqDKFE8eTwwozDdms#e?x?5a|v>&JF;2_v0L~z5n%BYU^52<*cWuD4|GYUm@1+?))
 zte^45>Rz)t*<T5V#={r>@t@{%?^i#W{i=HAZ*Dc9y59Va-+#P!jrGs;u38a{fLr`N
 zvT@rUu>DljxJ?^&Z?-?vyJn3C>3D=qux{Y*bs5|5n)Qmi$TD^Zdn4GU$ocJS2Hh-<
 z`xPI^^+v0nUVdjMos8k`WGl7hA`{03ju%<lrgAHSpd^DRf-*}_#Ly0mB!LSfVgWcQ
 z&T$@~G9)JI=hz5m0vkrel+Xy{Oh7pkAu-V!j*W7rY(bO}Q$nMH2`FbGB&N)QaV4<4
 zo)~9JXiP9=;}NPl<C@MmXG&;XFlFNrsyfFsonxFSp<}vEgsRSQP3O3#b6nSnP}ON_
 zI!#Tdsp~|j>ckUB>FI=~GokB5sOq#dotCE4(sd$KbtW~PNlj-`*NIToiD#j5J#9^=
 zt?NXn>YUJYPG~wObe#xQos*i*NloXZt`niEb4t@WrRki~bs|)CI+{*L)9L6s5vn><
 zn$DD_Go|Z9sOn5>I@6lYw5}7Os&iV?Ij!lO)^#FOb!If38BJ$K*NIToIiu;E(R9w}
 zIuWWmPiZ<&X*y5oIuWWmF_XaEC!a&Jn$B5WCqh-{X-(&8P3LJ{Cqh-{8P3dyPr@^t
 zSqL9?X9Uwd3W@23*s~h*tj0X6GZCuHa~kuU#yqDp5vt7d8uPryJg+kms?5hU=3^T3
 zF`bD}WnSP+=`t5MQ$FJ_2&Q~+BP6E0f^%BVIW6a$o)e+SX~IDBih-7z6{O~7YTy`&
 zLjy&Cv?7QikV#>n0>>@MV8oK`Gmun34-FKdlm-J8SZSaNlnhir4-FI{S|bfqV8e)V
 zss<{chX#reE#g=hsKAC%sF6d-Km}BWs!kZFsFpKfpbC@>6rprQGEjt4Ck#|zITHq|
 zK*>M_l;<P^MJRQ`Kn0dFVW0|>3{*fllMEE0)CmI>Sk8ojDo`>|0p(0GP=xY&!axO<
 zGhv_#lnhirIg<<&q0|Wj6<E%MfhtfkPyyvkGEjt4Ck#|zITHq|K*>M_lrzad5lWpf
 zP=V!47^ngz0~JutBm+e#b;3XemNQ|X3X}{~Ksl2P6rt1!0~J`#gn=qhGEf2KOfpb}
 zQYQ>lU^x>8szAv=1(Y+%KoLrvFi?TzOc<yFB?A>u&LjgxD0RX>1(q{mpbC@>R6seC
 z3>2Z%2?G^a&V+#~P%=;f<xDbAgi<FARA4z12C6{GKn0XD$v_cGoiI>=<xCi;0wn_#
 zP|hR+MJRQ`Kn0dFVW0|>3{*fllMEE0)CmI>Sk8ojDo`>|0p(0GP=rz^3{+q_69%e4
 z$v_2^Gs!>^N}VuJf#pmXr~)Me6;RG314Srx!axxz28u{EP=u<1B2)}iVZuNaCK;&0
 zBm-5LFi?dF167!0pbC==RAItE6($T+VUmF=Ofpb~2?JG_Fi?d_2C6X0Kouqo6p_5T
 zFi=FeV!SiSKoR0H$dH(_Z(*Q_WZ%L-5y`$K14StNmJAdjmWs}HV4<vU_xO+1efmLq
 zZ;W>N_U)fP6Qy6Nw5mbt9Y(#emWSi66=>tq#xoh#Ue=0qyhxi8ZOUe5y0V7VfPUhp
 zwX=;ymc+i5%sg9Ja~lZ&8oAV@mHc>&CHP9v4R(jhtT?un;O4e9#pno)Xkh7OWgK&a
 zyj=3Iv0OuoK_;5rOr5f(Kb~ZXDBO+V`OWYo#_C08imwChQxnjdd?wZLDou8aj;$SD
 zGDYiA3<$Tu<JnHL(KPOChi#zrR32t83}naR$+ym4P_h?z_5#|cW-nw$XD_sOtE62l
 zrD3@*)NVyiklt0&yF9%+klsBey&I<Y2E<!f(E8TuJte)z(|ZHyy<^gQVfx}=`q&B5
 z7nSryp1wGczIaUfVwiq$Fn#<4=@*ssi#+|}K>EdF(l3VTOM~ghPLRH&q%ZOGrGfON
 zW73zx^yR_y<0nX8R??Sw`tm^f@-gYlNFSp|*<gA{q?Zp5Oe-+l#rmyYmKozi9y=P>
 zVReJU*h=ZuVXiS$ohTbw-O#v9>(yZbGE|)?8(H1ZIKvV!jWa0>vy!3eMA^vdhQ>`s
 zuMSg{q3T50$m)j1!HixV<}X9liL#N^4c*tL^y)CF8LCc{jjV3yKAqL8!%SzWI#H%q
 z=bSrQ&)%JCRttF5g4Zf`6l?y@>PzD7MA^D>wBlcH6r1ucwJ<p0O%rZ?JzIY3-QdmZ
 zzs|n>`a5r3e|z)wcUaqS>nqFQ-8x}eCF4u`OWUxqst-@1rSmUs%WmKP5e0dcb?e2N
 z;Z|x*!);VwF|Yuhqs^khqOM!@u*jY!WYldISF(V6`BoNd&6Qfk3>X#SuD^7J>p_D=
 zBPa51y^_n#=cpOt#Zf$ya$Ae9Mfz56n|<i!a=ELS@)%a{^NIH3SDuN<R~sah1km#P
 zU@?*f%<rG=4W1wgfi;C?_n|W@%lm$&8YfvNOJodIg&IcIpIJQRHr<+ej11GQ6)&eF
 z2Lam*jIH}#y0>KnY%4JQfOYS$*uU%f#@$U6`N8I3N-lV?5ErFCdv~xDmu2(wexld4
 z4v^;aVAT2k6GJ^m*FD(Wqc(Qg^)6a<?}h$zLoj}4;PP!+(O{@!a1y-hoAhF_7!z+6
 zslpAmNtYbjHrw-~#SPVk_FUf>-Obg6yV`8o$8_`PyJe_;bY5_EMBfBfWU!Q=*9HsG
 z%_Cda{@_Krr!oHVhv9+y+T5qR8zZ2aZ>5r!$*|f$^U%yBUYfR&B!+EYy_PwL!BeUi
 zJH^}r3r9Q+B)X@Z)fk=P13w&7x#wBtXTZ)g>WITPg5r&pQc!nmyrmk#S(>>b9xnNr
 zx_b#v9Xv-Y><Wb%?S^0Xe&<)bbKl_=Z|3C$tf|F<bYzE*mfHB;uC)`q-?buaBe?l?
 zcLTpK*k<49Z32`K?|nSBMFqxTK^_IE-li2fEGdK~(ZdoKBl6ab4a;Hler#`xvEXJG
 zb?<E%EZExfX>jcOVhS*0rS~RS1dA#xhkv@Nct@#q?LyeKS<$uFec!bw>{@uu$gZ6a
 zyVen1i{1BKd%~`D7|m$;U0a<I*3I7%^N%N%lGYdU_GS!gaR8T$NA@GzFi~z`l7hdl
 zarZy6590|88pi(1zq;V(>38zM0sT&<zX;R5$1w3;`_JMG`;&I&0Y23DMx1%@(w(R9
 z4M$j;D5J+Gy%fijRQsctzFKf&cv|BAz#YLq3CZJWDdtL4u1u1|mkdcUp7|sxJC+?Y
 z_@@s`v3j}Q7*z>6X~cwUxUL8G1KT)_XTp!KAbs;vCp{K3&~_X@+ew=-D}v`2MbFV0
 zQsVsL=rXi-pI*G|iiz;VTCutgUs)hDzV1+4?8KcoP3xROf<M%qC6lgVdpFt4<-|uM
 z=#rl_b1#YjSIl6Toj2z_hOZcKupkdE(LozC(fN=FY(x|sk)ym|;Rq2E1xJWD%Z!ol
 Gu>S+TT-130
 literal 0
 HcmV?d00001
 diff --git a/tests/data/acpi/q35/VIOT.viot b/tests/data/acpi/q35/VIOT.viot
 index XXXXXXX..XXXXXXX 100644
 GIT binary patch
 literal 112
 zcmWIZ^baXu00LVle`k+i1*eDrX9XZ&1PX!JAex!M0Hgv8m>C3sGzdcgBZCA3T-xBj
 Q0Zb)W9Hva*zW_`e0M!8s0RR91
 literal 0
 HcmV?d00001
 --
 .25.1

-[Qemu-devel] [PULL 10/12] linux-user/signal.c: Ensure AArch64 signal frame isn't too small
+[PULL 33/33] tests/acpi: add expected blob for VIOT test on virt machine
-The AArch64 signal frame design was extended for SVE in commit
+From: Jean-Philippe Brucker <jean-philippe@linaro.org>
 c5931de0ac77388096d79ceb, so that instead of having a fixed setup we
 now add various records to the frame, with some of them possibly
 overflowing into an extra space outside the original 4K reserved
 block in the target_sigcontext.  However, we failed to ensure that we
 always at least allocate the 4K reserved block.  This is ABI, and
 some userspace programs rely on it.  In particular the dash shell
 would segfault if the frame wasn't as big enough.
-(Compare the kernel's sigframe_size() function in
+The VIOT blob contains the following:
 arch/arm64/kernel/signal.c.)
-Reported-by: Richard Henwood <richard.henwood@arm.com>
+[000h 0000   4]                    Signature : "VIOT"    [Virtual I/O Translation Table]
-Reviewed-by: Laurent Vivier <laurent@vivier.eu>
+[004h 0004   4]                 Table Length : 00000058
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+[008h 0008   1]                     Revision : 00
-Message-id: 20180409140714.26841-1-peter.maydell@linaro.org
+[009h 0009   1]                     Checksum : 66
-Fixes: https://bugs.launchpad.net/bugs/1761535
+[00Ah 0010   6]                       Oem ID : "BOCHS "
-Fixes: 8c5931de0ac77388096d79ceb
+[010h 0016   8]                 Oem Table ID : "BXPC    "
 [018h 0024   4]                 Oem Revision : 00000001
 [01Ch 0028   4]              Asl Compiler ID : "BXPC"
 [020h 0032   4]        Asl Compiler Revision : 00000001
 [024h 0036   2]                   Node count : 0002
 [026h 0038   2]                  Node offset : 0030
 [028h 0040   8]                     Reserved : 0000000000000000
 [030h 0048   1]                         Type : 03 [VirtIO-PCI IOMMU]
 [031h 0049   1]                     Reserved : 00
 [032h 0050   2]                       Length : 0010
 [034h 0052   2]                  PCI Segment : 0000
 [036h 0054   2]               PCI BDF number : 0008
 [038h 0056   8]                     Reserved : 0000000000000000
 [040h 0064   1]                         Type : 01 [PCI Range]
 [041h 0065   1]                     Reserved : 00
 [042h 0066   2]                       Length : 0018
 [044h 0068   4]               Endpoint start : 00000000
 [048h 0072   2]            PCI Segment start : 0000
 [04Ah 0074   2]              PCI Segment end : 0000
 [04Ch 0076   2]                PCI BDF start : 0000
 [04Eh 0078   2]                  PCI BDF end : 00FF
 [050h 0080   2]                  Output node : 0030
 [052h 0082   6]                     Reserved : 000000000000
 Acked-by: Ani Sinha <ani@anisinha.ca>
 Reviewed-by: Eric Auger <eric.auger@redhat.com>
 Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
 Message-id: 20211210170415.583179-9-jean-philippe@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- linux-user/signal.c | 6 ++++++
+ tests/qtest/bios-tables-test-allowed-diff.h |   1 -
-file changed, 6 insertions(+)
+ tests/data/acpi/virt/VIOT                   | Bin 0 -> 88 bytes
 files changed, 1 deletion(-)
-diff --git a/linux-user/signal.c b/linux-user/signal.c
+diff --git a/tests/qtest/bios-tables-test-allowed-diff.h b/tests/qtest/bios-tables-test-allowed-diff.h
 index XXXXXXX..XXXXXXX 100644
---- a/linux-user/signal.c
+--- a/tests/qtest/bios-tables-test-allowed-diff.h
-+++ b/linux-user/signal.c
++++ b/tests/qtest/bios-tables-test-allowed-diff.h
-@@ -XXX,XX +XXX,XX @@ static void target_setup_frame(int usig, struct target_sigaction *ka,
+@@ -1,2 +1 @@
-     fr_ofs = layout.total_size;
+ /* List of comma-separated changed AML files to ignore */
-     layout.total_size += sizeof(struct target_rt_frame_record);
+-"tests/data/acpi/virt/VIOT",
+diff --git a/tests/data/acpi/virt/VIOT b/tests/data/acpi/virt/VIOT
-+    /* We must always provide at least the standard 4K reserved space,
+index XXXXXXX..XXXXXXX 100644
-+     * even if we don't use all of it (this is part of the ABI)
+GIT binary patch
-+     */
+literal 88
-+    layout.total_size = MAX(layout.total_size,
+zcmWIZ^bd((0D?3pe`k+i1*eDrX9XZ&1PX!JAexE60Hgv8m>C3sGzXN&z`)2L0cSHX
-+                            sizeof(struct target_rt_sigframe));
+I{D-Rq0Q5fy0RR91
-+
-     frame_addr = get_sigframe(ka, env, layout.total_size);
+literal 0
-     trace_user_setup_frame(env, frame_addr);
+HcmV?d00001
-     if (!lock_user_struct(VERIFY_WRITE, frame, frame_addr, 0)) {
 --
-.16.2
+.25.1

Arm patch queue for 2.12 -- a miscellaneous collection
of bug fixes.

thanks
-- PMM

The following changes since commit fb4fe32d5b6290deabe752b51cc1cc2a9e8573db:

Merge remote-tracking branch 'remotes/xtensa/tags/20180409-xtensa' into staging (2018-04-10 10:22:45 +0100)

are available in the Git repository at:

git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20180410

for you to fetch changes up to bd49e6027cbc207c87633c7add3ebd7d3474cd35:

fpu: Fix rounding mode for floatN_to_uintM_round_to_zero (2018-04-10 13:02:26 +0100)

----------------------------------------------------------------
target-arm queue:
 * fpu: Fix rounding mode for floatN_to_uintM_round_to_zero
 * tcg: Fix guest state corruption when running 64-bit Arm
   guests on a 32-bit host (especially when using icount)
 * linux-user/signal.c: Ensure AArch64 signal frame isn't too small
 * cpus.c: ensure running CPU recalculates icount deadlines on timer expiry
 * target/arm: Report unsupported MPU region sizes more clearly
 * hw/arm/fsl-imx: Fix introspection problem with fsl-imx6 and fsl-imx7
 * hw/arm/allwinner-a10: Do not use nd_table in instance_init function
 * hw/sd/bcm2835_sdhost: Don't raise spurious interrupts
 * hw/sd/bcm2835_sdhost: Add tracepoints
 * target-arm: Check undefined opcodes for SWP in A32 decoder
 * hw/arm/integratorcp: Don't do things that could be fatal in the instance_init
 * hw/arm: Allow manually specified /psci node

----------------------------------------------------------------
Andrey Smirnov (1):
      hw/arm: Allow manually specified /psci node

Onur Sahin (1):
      target-arm: Check undefined opcodes for SWP in A32 decoder

Peter Maydell (5):
      hw/sd/bcm2835_sdhost: Add tracepoints
      hw/sd/bcm2835_sdhost: Don't raise spurious interrupts
      target/arm: Report unsupported MPU region sizes more clearly
      cpus.c: ensure running CPU recalculates icount deadlines on timer expiry
      linux-user/signal.c: Ensure AArch64 signal frame isn't too small

Richard Henderson (2):
      tcg: Introduce tcg_set_insn_start_param
      fpu: Fix rounding mode for floatN_to_uintM_round_to_zero

Thomas Huth (3):
      hw/arm/integratorcp: Don't do things that could be fatal in the instance_init
      hw/arm/allwinner-a10: Do not use nd_table in instance_init function
      hw/arm/fsl-imx: Fix introspection problem with fsl-imx6 and fsl-imx7

From: Andrey Smirnov <andrew.smirnov@gmail.com>

Change the code to avoid exiting QEMU if user provided DTB contains
manually specified /psci node and skip any /psci related fixups
instead.

Fixes: 4cbca7d9b4 ("hw/arm: Move virt's PSCI DT fixup code to
arm/boot.c")

Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Reported-by: Marc Zyngier <marc.zyngier@arm.com>
Tested-by: Marc Zyngier <marc.zyngier@arm.com>
Message-id: 20180402205654.14572-1-andrew.smirnov@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/boot.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/hw/arm/boot.c b/hw/arm/boot.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/boot.c
+++ b/hw/arm/boot.c
@@ -XXX,XX +XXX,XX @@ static void fdt_add_psci_node(void *fdt)
     ARMCPU *armcpu = ARM_CPU(qemu_get_cpu(0));
     const char *psci_method;
     int64_t psci_conduit;
+    int rc;
 
     psci_conduit = object_property_get_int(OBJECT(armcpu),
                                            "psci-conduit",
@@ -XXX,XX +XXX,XX @@ static void fdt_add_psci_node(void *fdt)
         g_assert_not_reached();
     }
 
+    /*
+     * If /psci node is present in provided DTB, assume that no fixup
+     * is necessary and all PSCI configuration should be taken as-is
+     */
+    rc = fdt_path_offset(fdt, "/psci");
+    if (rc >= 0) {
+        return;
+    }
+
     qemu_fdt_add_subnode(fdt, "/psci");
     if (armcpu->psci_version == 2) {
         const char comp[] = "arm,psci-0.2\0arm,psci";
-- 
2.16.2

From: Thomas Huth <thuth@redhat.com>

An instance_init function must not fail - and might be called multiple times,
e.g. during device introspection with the 'device-list-properties' QMP
command. Since the integratorcm device ignores this rule, QEMU currently
aborts in this case (though it really should not):

echo "{'execute':'qmp_capabilities'}"\
     "{'execute':'device-list-properties',"\
     "'arguments':{'typename':'integrator_core'}}" \
     | arm-softmmu/qemu-system-arm -M integratorcp,accel=qtest -qmp stdio
{"QMP": {"version": {"qemu": {"micro": 91, "minor": 11, "major": 2},
 "package": "build-all"}, "capabilities": []}}
{"return": {}}
RAMBlock "integrator.flash" already registered, abort!
Aborted (core dumped)

Move the problematic code to the realize() function instead to fix this
problem.

Reviewed-by: Philippe Mathieu-DaudÃ© <f4bug@amsat.org>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-id: 1522906473-11252-1-git-send-email-thuth@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/integratorcp.c | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)

diff --git a/hw/arm/integratorcp.c b/hw/arm/integratorcp.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/integratorcp.c
+++ b/hw/arm/integratorcp.c
@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps integratorcm_ops = {
 static void integratorcm_init(Object *obj)
 {
     IntegratorCMState *s = INTEGRATOR_CM(obj);
-    SysBusDevice *dev = SYS_BUS_DEVICE(obj);
 
     s->cm_osc = 0x01000048;
     /* ??? What should the high bits of this value be?  */
@@ -XXX,XX +XXX,XX @@ static void integratorcm_init(Object *obj)
     s->cm_init = 0x00000112;
     s->cm_refcnt_offset = muldiv64(qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL), 24,
                                    1000);
-    memory_region_init_ram(&s->flash, obj, "integrator.flash", 0x100000,
-                           &error_fatal);
 
-    memory_region_init_io(&s->iomem, obj, &integratorcm_ops, s,
-                          "integratorcm", 0x00800000);
-    sysbus_init_mmio(dev, &s->iomem);
-
-    integratorcm_do_remap(s);
     /* ??? Save/restore.  */
 }
 
 static void integratorcm_realize(DeviceState *d, Error **errp)
 {
     IntegratorCMState *s = INTEGRATOR_CM(d);
+    SysBusDevice *dev = SYS_BUS_DEVICE(d);
+    Error *local_err = NULL;
+
+    memory_region_init_ram(&s->flash, OBJECT(d), "integrator.flash", 0x100000,
+                           &local_err);
+    if (local_err) {
+        error_propagate(errp, local_err);
+        return;
+    }
+
+    memory_region_init_io(&s->iomem, OBJECT(d), &integratorcm_ops, s,
+                          "integratorcm", 0x00800000);
+    sysbus_init_mmio(dev, &s->iomem);
+
+    integratorcm_do_remap(s);
 
     if (s->memsz >= 256) {
         integrator_spd[31] = 64;
-- 
2.16.2

From: Onur Sahin <onursahin08@gmail.com>

Make sure we are not treating architecturally Undefined instructions
as a SWP, by verifying the opcodes as per section A8.8.229 of ARMv7-A
specification. Bits [21:20] must be zero for this to be a SWP or SWPB.
We also choose to UNDEF for the architecturally UNPREDICTABLE case of
bits [11:8] not being zero.

Signed-off-by: Onur Sahin <onursahin08@gmail.com>
[PMM: tweaked commit message]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
                             }
                         }
                         tcg_temp_free_i32(addr);
-                    } else {
+                    } else if ((insn & 0x00300f00) == 0) {
+                        /* 0bcccc_0001_0x00_xxxx_xxxx_0000_1001_xxxx
+                        *  - SWP, SWPB
+                        */
+
                         TCGv taddr;
                         TCGMemOp opc = s->be_data;
 
-                        /* SWP instruction */
                         rm = (insn) & 0xf;
 
                         if (insn & (1 << 22)) {
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
                                                 get_mem_index(s), opc);
                         tcg_temp_free(taddr);
                         store_reg(s, rd, tmp);
+                    } else {
+                        goto illegal_op;
                     }
                 }
             } else {
-- 
2.16.2

Add some tracepoints to the bcm2835_sdhost driver, to assist
debugging.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20180319161556.16446-2-peter.maydell@linaro.org
---
 hw/sd/bcm2835_sdhost.c | 10 ++++++++++
 hw/sd/trace-events     |  6 ++++++
 2 files changed, 16 insertions(+)

diff --git a/hw/sd/bcm2835_sdhost.c b/hw/sd/bcm2835_sdhost.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/sd/bcm2835_sdhost.c
+++ b/hw/sd/bcm2835_sdhost.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/log.h"
 #include "sysemu/blockdev.h"
 #include "hw/sd/bcm2835_sdhost.h"
+#include "trace.h"
 
 #define TYPE_BCM2835_SDHOST_BUS "bcm2835-sdhost-bus"
 #define BCM2835_SDHOST_BUS(obj) \
@@ -XXX,XX +XXX,XX @@ static void bcm2835_sdhost_update_irq(BCM2835SDHostState *s)
 {
     uint32_t irq = s->status &
         (SDHSTS_BUSY_IRPT | SDHSTS_BLOCK_IRPT | SDHSTS_SDIO_IRPT);
+    trace_bcm2835_sdhost_update_irq(irq);
     qemu_set_irq(s->irq, !!irq);
 }
 
@@ -XXX,XX +XXX,XX @@ static void bcm2835_sdhost_fifo_run(BCM2835SDHostState *s)
 
         s->edm &= ~0xf;
         s->edm |= SDEDM_FSM_DATAMODE;
+        trace_bcm2835_sdhost_edm_change("datacnt 0", s->edm);
 
         if (s->config & SDHCFG_DATA_IRPT_EN) {
             s->status |= SDHSTS_SDIO_IRPT;
@@ -XXX,XX +XXX,XX @@ static void bcm2835_sdhost_fifo_run(BCM2835SDHostState *s)
 
     s->edm &= ~(0x1f << 4);
     s->edm |= ((s->fifo_len & 0x1f) << 4);
+    trace_bcm2835_sdhost_edm_change("fifo run", s->edm);
 }
 
 static uint64_t bcm2835_sdhost_read(void *opaque, hwaddr offset,
@@ -XXX,XX +XXX,XX @@ static uint64_t bcm2835_sdhost_read(void *opaque, hwaddr offset,
         break;
     }
 
+    trace_bcm2835_sdhost_read(offset, res, size);
+
     return res;
 }
 
@@ -XXX,XX +XXX,XX @@ static void bcm2835_sdhost_write(void *opaque, hwaddr offset,
 {
     BCM2835SDHostState *s = (BCM2835SDHostState *)opaque;
 
+    trace_bcm2835_sdhost_write(offset, value, size);
+
     switch (offset) {
     case SDCMD:
         s->cmd = value;
@@ -XXX,XX +XXX,XX @@ static void bcm2835_sdhost_write(void *opaque, hwaddr offset,
             value &= ~0xf;
         }
         s->edm = value;
+        trace_bcm2835_sdhost_edm_change("guest register write", s->edm);
         break;
     case SDHCFG:
         s->config = value;
@@ -XXX,XX +XXX,XX @@ static void bcm2835_sdhost_reset(DeviceState *dev)
     s->cmd = 0;
     s->cmdarg = 0;
     s->edm = 0x0000c60f;
+    trace_bcm2835_sdhost_edm_change("device reset", s->edm);
     s->config = 0;
     s->hbct = 0;
     s->hblc = 0;
diff --git a/hw/sd/trace-events b/hw/sd/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/hw/sd/trace-events
+++ b/hw/sd/trace-events
@@ -XXX,XX +XXX,XX @@
 # See docs/devel/tracing.txt for syntax documentation.
 
+# hw/sd/bcm2835_sdhost.c
+bcm2835_sdhost_read(uint64_t offset, uint64_t data, unsigned size) "offset 0x%" PRIx64 " data 0x%" PRIx64 " size %u"
+bcm2835_sdhost_write(uint64_t offset, uint64_t data, unsigned size) "offset 0x%" PRIx64 " data 0x%" PRIx64 " size %u"
+bcm2835_sdhost_edm_change(const char *why, uint32_t edm) "(%s) EDM now 0x%x"
+bcm2835_sdhost_update_irq(uint32_t irq) "IRQ bits 0x%x\n"
+
 # hw/sd/core.c
 sdbus_command(const char *bus_name, uint8_t cmd, uint32_t arg, uint8_t crc) "@%s CMD%02d arg 0x%08x crc 0x%02x"
 sdbus_read(const char *bus_name, uint8_t value) "@%s value 0x%02x"
-- 
2.16.2

The Linux bcm2835_sdhost driver doesn't work on QEMU, because our
model raises spurious data interrupts.  Our function
bcm2835_sdhost_fifo_run() will flag an interrupt any time it is
called with s->datacnt == 0, even if the host hasn't actually issued
a data read or write command yet.  This means that the driver gets a
spurious data interrupt as soon as it enables IRQs and then does
something else that causes us to call the fifo_run routine, like
writing to SDHCFG, and before it does the write to SDCMD to issue the
read.  The driver's IRQ handler then spins forever complaining that
there's no data and the SD controller isn't in a state where there's
going to be any data:

[   41.040738] sdhost-bcm2835 3f202000.mmc: fsm 1, hsts 00000000
[   41.042059] sdhost-bcm2835 3f202000.mmc: fsm 1, hsts 00000000
(continues forever).

Move the interrupt flag setting to more plausible places:
 * for BUSY, raise this as soon as a BUSYWAIT command has executed
 * for DATA, raise this when the FIFO has any space free (for a write)
   or any data in it (for a read)
 * for BLOCK, raise this when the data count is 0 and we've
   actually done some reading or writing

This is pure guesswork since the documentation for this hardware is
not public, but it is sufficient to get the Linux bcm2835_sdhost
driver to work.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20180319161556.16446-3-peter.maydell@linaro.org
---
 hw/sd/bcm2835_sdhost.c | 46 ++++++++++++++++++++++++++--------------------
 1 file changed, 26 insertions(+), 20 deletions(-)

diff --git a/hw/sd/bcm2835_sdhost.c b/hw/sd/bcm2835_sdhost.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/sd/bcm2835_sdhost.c
+++ b/hw/sd/bcm2835_sdhost.c
@@ -XXX,XX +XXX,XX @@ static void bcm2835_sdhost_send_command(BCM2835SDHostState *s)
         }
 #undef RWORD
     }
+    /* We never really delay commands, so if this was a 'busywait' command
+     * then we've completed it now and can raise the interrupt.
+     */
+    if ((s->cmd & SDCMD_BUSYWAIT) && (s->config & SDHCFG_BUSY_IRPT_EN)) {
+        s->status |= SDHSTS_BUSY_IRPT;
+    }
     return;
 
 error:
@@ -XXX,XX +XXX,XX @@ static void bcm2835_sdhost_fifo_run(BCM2835SDHostState *s)
                 n++;
                 if (n == 4) {
                     bcm2835_sdhost_fifo_push(s, value);
+                    s->status |= SDHSTS_DATA_FLAG;
+                    if (s->config & SDHCFG_DATA_IRPT_EN) {
+                        s->status |= SDHSTS_SDIO_IRPT;
+                    }
                     n = 0;
                     value = 0;
                 }
             }
             if (n != 0) {
                 bcm2835_sdhost_fifo_push(s, value);
+                s->status |= SDHSTS_DATA_FLAG;
             }
         } else { /* write */
             n = 0;
             while (s->datacnt > 0 && (s->fifo_len > 0 || n > 0)) {
                 if (n == 0) {
                     value = bcm2835_sdhost_fifo_pop(s);
+                    s->status |= SDHSTS_DATA_FLAG;
+                    if (s->config & SDHCFG_DATA_IRPT_EN) {
+                        s->status |= SDHSTS_SDIO_IRPT;
+                    }
                     n = 4;
                 }
                 n--;
@@ -XXX,XX +XXX,XX @@ static void bcm2835_sdhost_fifo_run(BCM2835SDHostState *s)
                 value >>= 8;
             }
         }
+        if (s->datacnt == 0) {
+            s->edm &= ~SDEDM_FSM_MASK;
+            s->edm |= SDEDM_FSM_DATAMODE;
+            trace_bcm2835_sdhost_edm_change("datacnt 0", s->edm);
+
+            if ((s->cmd & SDCMD_WRITE_CMD) &&
+                (s->config & SDHCFG_BLOCK_IRPT_EN)) {
+                s->status |= SDHSTS_BLOCK_IRPT;
+            }
+        }
     }
-    if (s->datacnt == 0) {
-        s->status |= SDHSTS_DATA_FLAG;
 
-        s->edm &= ~0xf;
-        s->edm |= SDEDM_FSM_DATAMODE;
-        trace_bcm2835_sdhost_edm_change("datacnt 0", s->edm);
-
-        if (s->config & SDHCFG_DATA_IRPT_EN) {
-            s->status |= SDHSTS_SDIO_IRPT;
-        }
-
-        if ((s->cmd & SDCMD_BUSYWAIT) && (s->config & SDHCFG_BUSY_IRPT_EN)) {
-            s->status |= SDHSTS_BUSY_IRPT;
-        }
-
-        if ((s->cmd & SDCMD_WRITE_CMD) && (s->config & SDHCFG_BLOCK_IRPT_EN)) {
-            s->status |= SDHSTS_BLOCK_IRPT;
-        }
-
-        bcm2835_sdhost_update_irq(s);
-    }
+    bcm2835_sdhost_update_irq(s);
 
     s->edm &= ~(0x1f << 4);
     s->edm |= ((s->fifo_len & 0x1f) << 4);
-- 
2.16.2

From: Thomas Huth <thuth@redhat.com>

The instance_init function of a device can be called at any time, even
if the device is not going to be used (i.e. not going to be realized).
So a instance_init function must not do things that could cause QEMU
to exit, like calling qemu_check_nic_model(&nd_table[0], ...) for example.
But this is what the instance_init function of the allwinner-a10 device
is currently doing - and this causes QEMU to quit unexpectedly when
you run the 'device-list-properties' QMP command for example:

$ echo "{'execute':'qmp_capabilities'}"\
       "{'execute':'device-list-properties',"\
       " 'arguments':{'typename':'allwinner-a10'}}" \
       | arm-softmmu/qemu-system-arm -M mps2-an505,accel=qtest -qmp stdio
{"QMP": {"version": {"qemu": {"micro": 91, "minor": 11, "major": 2},
 "package": "build-all"}, "capabilities": []}}
{"return": {}}
Unsupported NIC model: lan9118

... and QEMU quits after printing the last line (which should not happen
just because of running 'device-list-properties' here).

And with the cubieboard, this even causes QEMU to abort():

$ echo "{'execute':'qmp_capabilities'}"\
       "{'execute':'device-list-properties',"\
       " 'arguments':{'typename':'allwinner-a10'}}" \
       | arm-softmmu/qemu-system-arm -M cubieboard,accel=qtest -qmp stdio
{"QMP": {"version": {"qemu": {"micro": 91, "minor": 11, "major": 2},
 "package": "build-all"}, "capabilities": []}}
{"return": {}}
Unexpected error in error_set_from_qdev_prop_error() at hw/core/qdev-properties.c:1095:
Property 'allwinner-emac.netdev' can't take value 'hub0port0', it's in use
Aborted (core dumped)

To fix the problem we've got to move the offending code to the realize
function instead.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-id: 1522862420-7484-1-git-send-email-thuth@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/allwinner-a10.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/hw/arm/allwinner-a10.c b/hw/arm/allwinner-a10.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/allwinner-a10.c
+++ b/hw/arm/allwinner-a10.c
@@ -XXX,XX +XXX,XX @@ static void aw_a10_init(Object *obj)
 
     object_initialize(&s->emac, sizeof(s->emac), TYPE_AW_EMAC);
     qdev_set_parent_bus(DEVICE(&s->emac), sysbus_get_default());
-    /* FIXME use qdev NIC properties instead of nd_table[] */
-    if (nd_table[0].used) {
-        qemu_check_nic_model(&nd_table[0], TYPE_AW_EMAC);
-        qdev_set_nic_properties(DEVICE(&s->emac), &nd_table[0]);
-    }
 
     object_initialize(&s->sata, sizeof(s->sata), TYPE_ALLWINNER_AHCI);
     qdev_set_parent_bus(DEVICE(&s->sata), sysbus_get_default());
@@ -XXX,XX +XXX,XX @@ static void aw_a10_realize(DeviceState *dev, Error **errp)
     sysbus_connect_irq(sysbusdev, 4, s->irq[67]);
     sysbus_connect_irq(sysbusdev, 5, s->irq[68]);
 
+    /* FIXME use qdev NIC properties instead of nd_table[] */
+    if (nd_table[0].used) {
+        qemu_check_nic_model(&nd_table[0], TYPE_AW_EMAC);
+        qdev_set_nic_properties(DEVICE(&s->emac), &nd_table[0]);
+    }
     object_property_set_bool(OBJECT(&s->emac), true, "realized", &err);
     if (err != NULL) {
         error_propagate(errp, err);
@@ -XXX,XX +XXX,XX @@ static void aw_a10_class_init(ObjectClass *oc, void *data)
     DeviceClass *dc = DEVICE_CLASS(oc);
 
     dc->realize = aw_a10_realize;
-    /* Reason: Uses serial_hds in realize and nd_table in instance_init */
+    /* Reason: Uses serial_hds and nd_table in realize function */
     dc->user_creatable = false;
 }
 
-- 
2.16.2

From: Thomas Huth <thuth@redhat.com>

QEMU currently exits unexpectedly when trying to introspect the fsl-imx6
and fsl-imx7 devices on systems with many SMP CPUs:

$ echo "{'execute':'qmp_capabilities'}"\
       "{'execute':'device-list-properties',"\
       " 'arguments':{'typename':'fsl,imx6'}}" \
       | arm-softmmu/qemu-system-arm -M virt,accel=qtest -qmp stdio -smp 8
{"QMP": {"version": {"qemu": {"micro": 91, "minor": 11, "major": 2},
 "package": "build-all"}, "capabilities": []}}
{"return": {}}
fsl,imx6: Only 4 CPUs are supported (8 requested)

And:

$ echo "{'execute':'qmp_capabilities'}"\
       "{'execute':'device-list-properties',"\
       " 'arguments':{'typename':'fsl,imx7'}}" \
       | arm-softmmu/qemu-system-arm -M raspi2,accel=qtest -qmp stdio
{"QMP": {"version": {"qemu": {"micro": 91, "minor": 11, "major": 2},
 "package": "build-all"}, "capabilities": []}}
{"return": {}}
fsl,imx7: Only 2 CPUs are supported (4 requested)

This happens because these devices are doing an exit() from their
instance_init function - which should never be done since instance_init
can be called at any time for device introspection! Fix it by moving
the deadly check into the realize() function instead.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-id: 1522908551-14885-1-git-send-email-thuth@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/fsl-imx6.c | 14 +++++++-------
 hw/arm/fsl-imx7.c | 13 +++++++------
 2 files changed, 14 insertions(+), 13 deletions(-)

diff --git a/hw/arm/fsl-imx6.c b/hw/arm/fsl-imx6.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/fsl-imx6.c
+++ b/hw/arm/fsl-imx6.c
@@ -XXX,XX +XXX,XX @@ static void fsl_imx6_init(Object *obj)
     char name[NAME_SIZE];
     int i;
 
-    if (smp_cpus > FSL_IMX6_NUM_CPUS) {
-        error_report("%s: Only %d CPUs are supported (%d requested)",
-                     TYPE_FSL_IMX6, FSL_IMX6_NUM_CPUS, smp_cpus);
-        exit(1);
-    }
-
-    for (i = 0; i < smp_cpus; i++) {
+    for (i = 0; i < MIN(smp_cpus, FSL_IMX6_NUM_CPUS); i++) {
         object_initialize(&s->cpu[i], sizeof(s->cpu[i]),
                           "cortex-a9-" TYPE_ARM_CPU);
         snprintf(name, NAME_SIZE, "cpu%d", i);
@@ -XXX,XX +XXX,XX @@ static void fsl_imx6_realize(DeviceState *dev, Error **errp)
     uint16_t i;
     Error *err = NULL;
 
+    if (smp_cpus > FSL_IMX6_NUM_CPUS) {
+        error_setg(errp, "%s: Only %d CPUs are supported (%d requested)",
+                   TYPE_FSL_IMX6, FSL_IMX6_NUM_CPUS, smp_cpus);
+        return;
+    }
+
     for (i = 0; i < smp_cpus; i++) {
 
         /* On uniprocessor, the CBAR is set to 0 */
diff --git a/hw/arm/fsl-imx7.c b/hw/arm/fsl-imx7.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/fsl-imx7.c
+++ b/hw/arm/fsl-imx7.c
@@ -XXX,XX +XXX,XX @@ static void fsl_imx7_init(Object *obj)
     char name[NAME_SIZE];
     int i;
 
-    if (smp_cpus > FSL_IMX7_NUM_CPUS) {
-        error_report("%s: Only %d CPUs are supported (%d requested)",
-                     TYPE_FSL_IMX7, FSL_IMX7_NUM_CPUS, smp_cpus);
-        exit(1);
-    }
 
-    for (i = 0; i < smp_cpus; i++) {
+    for (i = 0; i < MIN(smp_cpus, FSL_IMX7_NUM_CPUS); i++) {
         object_initialize(&s->cpu[i], sizeof(s->cpu[i]),
                           ARM_CPU_TYPE_NAME("cortex-a7"));
         snprintf(name, NAME_SIZE, "cpu%d", i);
@@ -XXX,XX +XXX,XX @@ static void fsl_imx7_realize(DeviceState *dev, Error **errp)
     qemu_irq irq;
     char name[NAME_SIZE];
 
+    if (smp_cpus > FSL_IMX7_NUM_CPUS) {
+        error_setg(errp, "%s: Only %d CPUs are supported (%d requested)",
+                   TYPE_FSL_IMX7, FSL_IMX7_NUM_CPUS, smp_cpus);
+        return;
+    }
+
     for (i = 0; i < smp_cpus; i++) {
         o = OBJECT(&s->cpu[i]);
 
-- 
2.16.2

Currently our PMSAv7 and ARMv7M MPU implementation cannot handle
MPU region sizes smaller than our TARGET_PAGE_SIZE. However we
report that in a slightly confusing way:

DRSR[3]: No support for MPU (sub)region alignment of 9 bits. Minimum is 10

The problem is not the alignment of the region, but its size;
tweak the error message to say so:
 DRSR[3]: No support for MPU (sub)region size of 512 bytes. Minimum is 1024.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20180405172554.27401-1-peter.maydell@linaro.org
---
 target/arm/helper.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav7(CPUARMState *env, uint32_t address,
             }
             if (rsize < TARGET_PAGE_BITS) {
                 qemu_log_mask(LOG_UNIMP,
-                              "DRSR[%d]: No support for MPU (sub)region "
-                              "alignment of %" PRIu32 " bits. Minimum is %d\n",
-                              n, rsize, TARGET_PAGE_BITS);
+                              "DRSR[%d]: No support for MPU (sub)region size of"
+                              " %" PRIu32 " bytes. Minimum is %d.\n",
+                              n, (1 << rsize), TARGET_PAGE_SIZE);
                 continue;
             }
             if (srdis) {
-- 
2.16.2

When we run in TCG icount mode, we calculate the number of instructions
to execute using tcg_get_icount_limit(), which ensures that we stop
execution at the next timer deadline. However there is a bug where
currently we do not recalculate that limit if the guest reprograms
a timer so that the next deadline moves closer, and so we will
continue execution until the original limit and fire the timer
later than we should.

Fix this bug in qemu_timer_notify_cb(): if we are currently running
a VCPU in icount mode, we simply need to kick it out of the main
loop and back to tcg_cpu_exec(), where it will recalculate the
icount limit. If we are not currently running a VCPU, then we
retain the existing logic for waking up a halted CPU.

Cc: qemu-stable@nongnu.org
Fixes: https://bugs.launchpad.net/qemu/+bug/1754038
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20180406123838.21249-1-peter.maydell@linaro.org
---
 cpus.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/cpus.c b/cpus.c
index XXXXXXX..XXXXXXX 100644
--- a/cpus.c
+++ b/cpus.c
@@ -XXX,XX +XXX,XX @@ void qemu_timer_notify_cb(void *opaque, QEMUClockType type)
         return;
     }
 
-    if (!qemu_in_vcpu_thread() && first_cpu) {
+    if (qemu_in_vcpu_thread()) {
+        /* A CPU is currently running; kick it back out to the
+         * tcg_cpu_exec() loop so it will recalculate its
+         * icount deadline immediately.
+         */
+        qemu_cpu_kick(current_cpu);
+    } else if (first_cpu) {
         /* qemu_cpu_kick is not enough to kick a halted CPU out of
          * qemu_tcg_wait_io_event.  async_run_on_cpu, instead,
          * causes cpu_thread_is_idle to return false.  This way,
          * handle_icount_deadline can run.
+         * If we have no CPUs at all for some reason, we don't
+         * need to do anything.
          */
         async_run_on_cpu(first_cpu, do_nothing, RUN_ON_CPU_NULL);
     }
-- 
2.16.2

The AArch64 signal frame design was extended for SVE in commit
8c5931de0ac77388096d79ceb, so that instead of having a fixed setup we
now add various records to the frame, with some of them possibly
overflowing into an extra space outside the original 4K reserved
block in the target_sigcontext.  However, we failed to ensure that we
always at least allocate the 4K reserved block.  This is ABI, and
some userspace programs rely on it.  In particular the dash shell
would segfault if the frame wasn't as big enough.

(Compare the kernel's sigframe_size() function in
arch/arm64/kernel/signal.c.)

Reported-by: Richard Henwood <richard.henwood@arm.com>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180409140714.26841-1-peter.maydell@linaro.org
Fixes: https://bugs.launchpad.net/bugs/1761535
Fixes: 8c5931de0ac77388096d79ceb
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/signal.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/linux-user/signal.c b/linux-user/signal.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/signal.c
+++ b/linux-user/signal.c
@@ -XXX,XX +XXX,XX @@ static void target_setup_frame(int usig, struct target_sigaction *ka,
     fr_ofs = layout.total_size;
     layout.total_size += sizeof(struct target_rt_frame_record);
 
+    /* We must always provide at least the standard 4K reserved space,
+     * even if we don't use all of it (this is part of the ABI)
+     */
+    layout.total_size = MAX(layout.total_size,
+                            sizeof(struct target_rt_sigframe));
+
     frame_addr = get_sigframe(ka, env, layout.total_size);
     trace_user_setup_frame(env, frame_addr);
     if (!lock_user_struct(VERIFY_WRITE, frame, frame_addr, 0)) {
-- 
2.16.2

From: Richard Henderson <richard.henderson@linaro.org>

The parameters for tcg_gen_insn_start are target_ulong, which may be split
into two TCGArg parameters for storage in the opcode on 32-bit hosts.

Fixes the ARM target and its direct use of tcg_set_insn_param, which would
set the wrong argument in the 64-on-32 case.

Cc: qemu-stable@nongnu.org
Reported-by: alarson@ddci.com
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180410003558.2470-1-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate.h |  2 +-
 tcg/tcg.h              | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/target/arm/translate.h b/target/arm/translate.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.h
+++ b/target/arm/translate.h
@@ -XXX,XX +XXX,XX @@ static inline void disas_set_insn_syndrome(DisasContext *s, uint32_t syn)
 
     /* We check and clear insn_start_idx to catch multiple updates.  */
     assert(s->insn_start != NULL);
-    tcg_set_insn_param(s->insn_start, 2, syn);
+    tcg_set_insn_start_param(s->insn_start, 2, syn);
     s->insn_start = NULL;
 }
 
diff --git a/tcg/tcg.h b/tcg/tcg.h
index XXXXXXX..XXXXXXX 100644
--- a/tcg/tcg.h
+++ b/tcg/tcg.h
@@ -XXX,XX +XXX,XX @@ static inline void tcg_set_insn_param(TCGOp *op, int arg, TCGArg v)
     op->args[arg] = v;
 }
 
+static inline void tcg_set_insn_start_param(TCGOp *op, int arg, target_ulong v)
+{
+#if TARGET_LONG_BITS <= TCG_TARGET_REG_BITS
+    tcg_set_insn_param(op, arg, v);
+#else
+    tcg_set_insn_param(op, arg * 2, v);
+    tcg_set_insn_param(op, arg * 2 + 1, v >> 32);
+#endif
+}
+
 /* The last op that was emitted.  */
 static inline TCGOp *tcg_last_op(void)
 {
-- 
2.16.2

From: Richard Henderson <richard.henderson@linaro.org>

We incorrectly passed in the current rounding mode
instead of float_round_to_zero.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180410055912.934-1-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 fpu/softfloat.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fpu/softfloat.c b/fpu/softfloat.c
index XXXXXXX..XXXXXXX 100644
--- a/fpu/softfloat.c
+++ b/fpu/softfloat.c
@@ -XXX,XX +XXX,XX @@ uint ## isz ## _t float ## fsz ## _to_uint ## isz ## _round_to_zero     \
  (float ## fsz a, float_status *s)                                      \
 {                                                                       \
     FloatParts p = float ## fsz ## _unpack_canonical(a, s);             \
-    return round_to_uint_and_pack(p, s->float_rounding_mode,            \
-                                 UINT ## isz ## _MAX, s);               \
+    return round_to_uint_and_pack(p, float_round_to_zero,               \
+                                  UINT ## isz ## _MAX, s);              \
 }
 
 FLOAT_TO_UINT(16, 16)
-- 
2.16.2

Hi; here's the first target-arm pullreq for the 7.0 cycle.

thanks
-- PMM

The following changes since commit 76b56fdfc9fa43ec6e5986aee33f108c6c6a511e:

Merge tag 'block-pull-request' of https://gitlab.com/stefanha/qemu into staging (2021-12-14 12:46:18 -0800)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20211215

for you to fetch changes up to aed176558806674d030a8305d989d4e6a5073359:

tests/acpi: add expected blob for VIOT test on virt machine (2021-12-15 10:35:26 +0000)

----------------------------------------------------------------
target-arm queue:
 * ITS: error reporting cleanup
 * aspeed: improve documentation
 * Fix STM32F2XX USART data register readout
 * allow emulated GICv3 to be disabled in non-TCG builds
 * fix exception priority for singlestep, misaligned PC, bp, etc
 * Correct calculation of tlb range invalidate length
 * npcm7xx_emc: fix missing queue_flush
 * virt: Add VIOT ACPI table for virtio-iommu
 * target/i386: Use assert() to sanity-check b1 in SSE decode
 * Don't include qemu-common unnecessarily

----------------------------------------------------------------
Alex Bennée (1):
      hw/intc: clean-up error reporting for failed ITS cmd

Jean-Philippe Brucker (8):
      hw/arm/virt-acpi-build: Add VIOT table for virtio-iommu
      hw/arm/virt: Remove device tree restriction for virtio-iommu
      hw/arm/virt: Reject instantiation of multiple IOMMUs
      hw/arm/virt: Use object_property_set instead of qdev_prop_set
      tests/acpi: allow updates of VIOT expected data files
      tests/acpi: add test case for VIOT
      tests/acpi: add expected blobs for VIOT test on q35 machine
      tests/acpi: add expected blob for VIOT test on virt machine

Joel Stanley (4):
      docs: aspeed: Add new boards
      docs: aspeed: Update OpenBMC image URL
      docs: aspeed: Give an example of booting a kernel
      docs: aspeed: ADC is now modelled

Olivier Hériveaux (1):
      Fix STM32F2XX USART data register readout

Patrick Venture (1):
      hw/net: npcm7xx_emc fix missing queue_flush

Peter Maydell (6):
      target/i386: Use assert() to sanity-check b1 in SSE decode
      include/hw/i386: Don't include qemu-common.h in .h files
      target/hexagon/cpu.h: don't include qemu-common.h
      target/rx/cpu.h: Don't include qemu-common.h
      hw/arm: Don't include qemu-common.h unnecessarily
      target/arm: Correct calculation of tlb range invalidate length

Philippe Mathieu-Daudé (2):
      hw/intc/arm_gicv3: Extract gicv3_set_gicv3state from arm_gicv3_cpuif.c
      hw/intc/arm_gicv3: Introduce CONFIG_ARM_GIC_TCG Kconfig selector

Richard Henderson (10):
      target/arm: Hoist pc_next to a local variable in aarch64_tr_translate_insn
      target/arm: Hoist pc_next to a local variable in arm_tr_translate_insn
      target/arm: Hoist pc_next to a local variable in thumb_tr_translate_insn
      target/arm: Split arm_pre_translate_insn
      target/arm: Advance pc for arch single-step exception
      target/arm: Split compute_fsr_fsc out of arm_deliver_fault
      target/arm: Take an exception if PC is misaligned
      target/arm: Assert thumb pc is aligned
      target/arm: Suppress bp for exceptions with more priority
      tests/tcg: Add arm and aarch64 pc alignment tests

docs/system/arm/aspeed.rst        |  26 ++++++++++++----
 include/hw/i386/microvm.h         |   1 -
 include/hw/i386/x86.h             |   1 -
 target/arm/helper.h               |   1 +
 target/arm/syndrome.h             |   5 +++
 target/hexagon/cpu.h              |   1 -
 target/rx/cpu.h                   |   1 -
 hw/arm/boot.c                     |   1 -
 hw/arm/digic_boards.c             |   1 -
 hw/arm/highbank.c                 |   1 -
 hw/arm/npcm7xx_boards.c           |   1 -
 hw/arm/sbsa-ref.c                 |   1 -
 hw/arm/stm32f405_soc.c            |   1 -
 hw/arm/vexpress.c                 |   1 -
 hw/arm/virt-acpi-build.c          |   7 +++++
 hw/arm/virt.c                     |  21 ++++++-------
 hw/char/stm32f2xx_usart.c         |   3 +-
 hw/intc/arm_gicv3.c               |   2 +-
 hw/intc/arm_gicv3_cpuif.c         |  10 +-----
 hw/intc/arm_gicv3_cpuif_common.c  |  22 +++++++++++++
 hw/intc/arm_gicv3_its.c           |  39 +++++++++++++++--------
 hw/net/npcm7xx_emc.c              |  18 +++++------
 hw/virtio/virtio-iommu-pci.c      |  12 ++------
 linux-user/aarch64/cpu_loop.c     |  46 ++++++++++++++++------------
 linux-user/hexagon/cpu_loop.c     |   1 +
 target/arm/debug_helper.c         |  23 ++++++++++++++
 target/arm/gdbstub.c              |   9 ++++--
 target/arm/helper.c               |   6 ++--
 target/arm/machine.c              |  10 ++++++
 target/arm/tlb_helper.c           |  63 ++++++++++++++++++++++++++++----------
 target/arm/translate-a64.c        |  23 ++++++++++++--
 target/arm/translate.c            |  58 ++++++++++++++++++++++++++---------
 target/i386/tcg/translate.c       |  12 ++------
 tests/qtest/bios-tables-test.c    |  38 +++++++++++++++++++++++
 tests/tcg/aarch64/pcalign-a64.c   |  37 ++++++++++++++++++++++
 tests/tcg/arm/pcalign-a32.c       |  46 ++++++++++++++++++++++++++++
 hw/arm/Kconfig                    |   1 +
 hw/intc/Kconfig                   |   5 +++
 hw/intc/meson.build               |  11 ++++---
 tests/data/acpi/q35/DSDT.viot     | Bin 0 -> 9398 bytes
 tests/data/acpi/q35/VIOT.viot     | Bin 0 -> 112 bytes
 tests/data/acpi/virt/VIOT         | Bin 0 -> 88 bytes
 tests/tcg/aarch64/Makefile.target |   4 +--
 tests/tcg/arm/Makefile.target     |   4 +++
 44 files changed, 429 insertions(+), 145 deletions(-)
 create mode 100644 hw/intc/arm_gicv3_cpuif_common.c
 create mode 100644 tests/tcg/aarch64/pcalign-a64.c
 create mode 100644 tests/tcg/arm/pcalign-a32.c
 create mode 100644 tests/data/acpi/q35/DSDT.viot
 create mode 100644 tests/data/acpi/q35/VIOT.viot
 create mode 100644 tests/data/acpi/virt/VIOT

From: Alex Bennée <alex.bennee@linaro.org>

While trying to debug a GIC ITS failure I saw some guest errors that
had poor formatting as well as leaving me confused as to what failed.
As most of the checks aren't possible without a valid dte split that
check apart and then check the other conditions in steps. This avoids
us relying on undefined data.

I still get a failure with the current kvm-unit-tests but at least I
know (partially) why now:

Exception return from AArch64 EL1 to AArch64 EL1 PC 0x40080588
  PASS: gicv3: its-trigger: inv/invall: dev2/eventid=20 now triggers an LPI
  ITS: MAPD devid=2 size = 0x8 itt=0x40430000 valid=0
  INT dev_id=2 event_id=20
  process_its_cmd: invalid command attributes: invalid dte: 0 for 2 (MEM_TX: 0)
  PASS: gicv3: its-trigger: mapd valid=false: no LPI after device unmap
  SUMMARY: 6 tests, 1 unexpected failures

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20211112170454.3158925-1-alex.bennee@linaro.org
Cc: Shashi Mallela <shashi.mallela@linaro.org>
Cc: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/intc/arm_gicv3_its.c | 39 +++++++++++++++++++++++++++------------
 1 file changed, 27 insertions(+), 12 deletions(-)

diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3_its.c
+++ b/hw/intc/arm_gicv3_its.c
@@ -XXX,XX +XXX,XX @@ static bool process_its_cmd(GICv3ITSState *s, uint64_t value, uint32_t offset,
         if (res != MEMTX_OK) {
             return result;
         }
+    } else {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "%s: invalid command attributes: "
+                      "invalid dte: %"PRIx64" for %d (MEM_TX: %d)\n",
+                      __func__, dte, devid, res);
+        return result;
     }
 
-    if ((devid > s->dt.maxids.max_devids) || !dte_valid || !ite_valid ||
-            !cte_valid || (eventid > max_eventid)) {
+
+    /*
+     * In this implementation, in case of guest errors we ignore the
+     * command and move onto the next command in the queue.
+     */
+    if (devid > s->dt.maxids.max_devids) {
         qemu_log_mask(LOG_GUEST_ERROR,
-                      "%s: invalid command attributes "
-                      "devid %d or eventid %d or invalid dte %d or"
-                      "invalid cte %d or invalid ite %d\n",
-                      __func__, devid, eventid, dte_valid, cte_valid,
-                      ite_valid);
-        /*
-         * in this implementation, in case of error
-         * we ignore this command and move onto the next
-         * command in the queue
-         */
+                      "%s: invalid command attributes: devid %d>%d",
+                      __func__, devid, s->dt.maxids.max_devids);
+
+    } else if (!dte_valid || !ite_valid || !cte_valid) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "%s: invalid command attributes: "
+                      "dte: %s, ite: %s, cte: %s\n",
+                      __func__,
+                      dte_valid ? "valid" : "invalid",
+                      ite_valid ? "valid" : "invalid",
+                      cte_valid ? "valid" : "invalid");
+    } else if (eventid > max_eventid) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "%s: invalid command attributes: eventid %d > %d\n",
+                      __func__, eventid, max_eventid);
     } else {
         /*
          * Current implementation only supports rdbase == procnum
-- 
2.25.1

From: Joel Stanley <joel@jms.id.au>

Add X11, FP5280G2, G220A, Rainier and Fuji. Mention that Swift will be
removed in v7.0.

Signed-off-by: Joel Stanley <joel@jms.id.au>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Message-id: 20211117065752.330632-2-joel@jms.id.au
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 docs/system/arm/aspeed.rst | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/docs/system/arm/aspeed.rst b/docs/system/arm/aspeed.rst
index XXXXXXX..XXXXXXX 100644
--- a/docs/system/arm/aspeed.rst
+++ b/docs/system/arm/aspeed.rst
@@ -XXX,XX +XXX,XX @@ AST2400 SoC based machines :
 
 - ``palmetto-bmc``         OpenPOWER Palmetto POWER8 BMC
 - ``quanta-q71l-bmc``      OpenBMC Quanta BMC
+- ``supermicrox11-bmc``    Supermicro X11 BMC
 
 AST2500 SoC based machines :
 
@@ -XXX,XX +XXX,XX @@ AST2500 SoC based machines :
 - ``romulus-bmc``          OpenPOWER Romulus POWER9 BMC
 - ``witherspoon-bmc``      OpenPOWER Witherspoon POWER9 BMC
 - ``sonorapass-bmc``       OCP SonoraPass BMC
-- ``swift-bmc``            OpenPOWER Swift BMC POWER9
+- ``swift-bmc``            OpenPOWER Swift BMC POWER9 (to be removed in v7.0)
+- ``fp5280g2-bmc``         Inspur FP5280G2 BMC
+- ``g220a-bmc``            Bytedance G220A BMC
 
 AST2600 SoC based machines :
 
 - ``ast2600-evb``          Aspeed AST2600 Evaluation board (Cortex-A7)
 - ``tacoma-bmc``           OpenPOWER Witherspoon POWER9 AST2600 BMC
+- ``rainier-bmc``          IBM Rainier POWER10 BMC
+- ``fuji-bmc``             Facebook Fuji BMC
 
 Supported devices
 -----------------
-- 
2.25.1

From: Joel Stanley <joel@jms.id.au>

A common use case for the ASPEED machine is to boot a Linux kernel.
Provide a full example command line.

Reviewed-by: Cédric Le Goater <clg@kaod.org>
Signed-off-by: Joel Stanley <joel@jms.id.au>
Message-id: 20211117065752.330632-4-joel@jms.id.au
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 docs/system/arm/aspeed.rst | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/docs/system/arm/aspeed.rst b/docs/system/arm/aspeed.rst
index XXXXXXX..XXXXXXX 100644
--- a/docs/system/arm/aspeed.rst
+++ b/docs/system/arm/aspeed.rst
@@ -XXX,XX +XXX,XX @@ Missing devices
 Boot options
 ------------
 
-The Aspeed machines can be started using the ``-kernel`` option to
-load a Linux kernel or from a firmware. Images can be downloaded from
-the OpenBMC jenkins :
+The Aspeed machines can be started using the ``-kernel`` and ``-dtb`` options
+to load a Linux kernel or from a firmware. Images can be downloaded from the
+OpenBMC jenkins :
 
    https://jenkins.openbmc.org/job/ci-openbmc/lastSuccessfulBuild/
 
@@ -XXX,XX +XXX,XX @@ or directly from the OpenBMC GitHub release repository :
 
    https://github.com/openbmc/openbmc/releases
 
+To boot a kernel directly from a Linux build tree:
+
+.. code-block:: bash
+
+  $ qemu-system-arm -M ast2600-evb -nographic \
+        -kernel arch/arm/boot/zImage \
+        -dtb arch/arm/boot/dts/aspeed-ast2600-evb.dtb \
+        -initrd rootfs.cpio
+
 The image should be attached as an MTD drive. Run :
 
 .. code-block:: bash
-- 
2.25.1

From: Olivier Hériveaux <olivier.heriveaux@ledger.fr>

Fix issue where the data register may be overwritten by next character
reception before being read and returned.

Signed-off-by: Olivier Hériveaux <olivier.heriveaux@ledger.fr>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20211128120723.4053-1-olivier.heriveaux@ledger.fr
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/char/stm32f2xx_usart.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/char/stm32f2xx_usart.c b/hw/char/stm32f2xx_usart.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/char/stm32f2xx_usart.c
+++ b/hw/char/stm32f2xx_usart.c
@@ -XXX,XX +XXX,XX @@ static uint64_t stm32f2xx_usart_read(void *opaque, hwaddr addr,
         return retvalue;
     case USART_DR:
         DB_PRINT("Value: 0x%" PRIx32 ", %c\n", s->usart_dr, (char) s->usart_dr);
+        retvalue = s->usart_dr & 0x3FF;
         s->usart_sr &= ~USART_SR_RXNE;
         qemu_chr_fe_accept_input(&s->chr);
         qemu_set_irq(s->irq, 0);
-        return s->usart_dr & 0x3FF;
+        return retvalue;
     case USART_BRR:
         return s->usart_brr;
     case USART_CR1:
-- 
2.25.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

gicv3_set_gicv3state() is used by arm_gicv3_common.c in
arm_gicv3_common_realize(). Since we want to restrict
arm_gicv3_cpuif.c to TCG, extract gicv3_set_gicv3state()
to a new file. Add this file to the meson 'specific'
source set, since it needs access to "cpu.h".

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20211115223619.2599282-2-philmd@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/intc/arm_gicv3_cpuif.c        | 10 +---------
 hw/intc/arm_gicv3_cpuif_common.c | 22 ++++++++++++++++++++++
 hw/intc/meson.build              |  1 +
 3 files changed, 24 insertions(+), 9 deletions(-)
 create mode 100644 hw/intc/arm_gicv3_cpuif_common.c

diff --git a/hw/intc/arm_gicv3_cpuif.c b/hw/intc/arm_gicv3_cpuif.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3_cpuif.c
+++ b/hw/intc/arm_gicv3_cpuif.c
@@ -XXX,XX +XXX,XX @@
 /*
- * ARM Generic Interrupt Controller v3
+ * ARM Generic Interrupt Controller v3 (emulation)
  *
  * Copyright (c) 2016 Linaro Limited
  * Written by Peter Maydell
@@ -XXX,XX +XXX,XX @@
 #include "hw/irq.h"
 #include "cpu.h"
 
-void gicv3_set_gicv3state(CPUState *cpu, GICv3CPUState *s)
-{
-    ARMCPU *arm_cpu = ARM_CPU(cpu);
-    CPUARMState *env = &arm_cpu->env;
-
-    env->gicv3state = (void *)s;
-};
-
 static GICv3CPUState *icc_cs_from_env(CPUARMState *env)
 {
     return env->gicv3state;
diff --git a/hw/intc/arm_gicv3_cpuif_common.c b/hw/intc/arm_gicv3_cpuif_common.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/hw/intc/arm_gicv3_cpuif_common.c
@@ -XXX,XX +XXX,XX @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * ARM Generic Interrupt Controller v3
+ *
+ * Copyright (c) 2016 Linaro Limited
+ * Written by Peter Maydell
+ *
+ * This code is licensed under the GPL, version 2 or (at your option)
+ * any later version.
+ */
+
+#include "qemu/osdep.h"
+#include "gicv3_internal.h"
+#include "cpu.h"
+
+void gicv3_set_gicv3state(CPUState *cpu, GICv3CPUState *s)
+{
+    ARMCPU *arm_cpu = ARM_CPU(cpu);
+    CPUARMState *env = &arm_cpu->env;
+
+    env->gicv3state = (void *)s;
+};
diff --git a/hw/intc/meson.build b/hw/intc/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/meson.build
+++ b/hw/intc/meson.build
@@ -XXX,XX +XXX,XX @@ softmmu_ss.add(when: 'CONFIG_XLNX_ZYNQMP_PMU', if_true: files('xlnx-pmu-iomod-in
 
 specific_ss.add(when: 'CONFIG_ALLWINNER_A10_PIC', if_true: files('allwinner-a10-pic.c'))
 specific_ss.add(when: 'CONFIG_APIC', if_true: files('apic.c', 'apic_common.c'))
+specific_ss.add(when: 'CONFIG_ARM_GIC', if_true: files('arm_gicv3_cpuif_common.c'))
 specific_ss.add(when: 'CONFIG_ARM_GIC', if_true: files('arm_gicv3_cpuif.c'))
 specific_ss.add(when: 'CONFIG_ARM_GIC_KVM', if_true: files('arm_gic_kvm.c'))
 specific_ss.add(when: ['CONFIG_ARM_GIC_KVM', 'TARGET_AARCH64'], if_true: files('arm_gicv3_kvm.c', 'arm_gicv3_its_kvm.c'))
-- 
2.25.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

The TYPE_ARM_GICV3 device is an emulated one.  When using
KVM, it is recommended to use the TYPE_KVM_ARM_GICV3 device
(which uses in-kernel support).

When using --with-devices-FOO, it is possible to build a
binary with a specific set of devices. When this binary is
restricted to KVM accelerator, the TYPE_ARM_GICV3 device is
irrelevant, and it is desirable to remove it from the binary.

Therefore introduce the CONFIG_ARM_GIC_TCG Kconfig selector
which select the files required to have the TYPE_ARM_GICV3
device, but also allowing to de-select this device.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20211115223619.2599282-3-philmd@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/intc/arm_gicv3.c |  2 +-
 hw/intc/Kconfig     |  5 +++++
 hw/intc/meson.build | 10 ++++++----
 3 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/hw/intc/arm_gicv3.c b/hw/intc/arm_gicv3.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3.c
+++ b/hw/intc/arm_gicv3.c
@@ -XXX,XX +XXX,XX @@
 /*
- * ARM Generic Interrupt Controller v3
+ * ARM Generic Interrupt Controller v3 (emulation)
  *
  * Copyright (c) 2015 Huawei.
  * Copyright (c) 2016 Linaro Limited
diff --git a/hw/intc/Kconfig b/hw/intc/Kconfig
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/Kconfig
+++ b/hw/intc/Kconfig
@@ -XXX,XX +XXX,XX @@ config APIC
     select MSI_NONBROKEN
     select I8259
 
+config ARM_GIC_TCG
+    bool
+    default y
+    depends on ARM_GIC && TCG
+
 config ARM_GIC_KVM
     bool
     default y
diff --git a/hw/intc/meson.build b/hw/intc/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/meson.build
+++ b/hw/intc/meson.build
@@ -XXX,XX +XXX,XX @@ softmmu_ss.add(when: 'CONFIG_ARM_GIC', if_true: files(
   'arm_gic.c',
   'arm_gic_common.c',
   'arm_gicv2m.c',
-  'arm_gicv3.c',
   'arm_gicv3_common.c',
-  'arm_gicv3_dist.c',
   'arm_gicv3_its_common.c',
-  'arm_gicv3_redist.c',
+))
+softmmu_ss.add(when: 'CONFIG_ARM_GIC_TCG', if_true: files(
+  'arm_gicv3.c',
+  'arm_gicv3_dist.c',
   'arm_gicv3_its.c',
+  'arm_gicv3_redist.c',
 ))
 softmmu_ss.add(when: 'CONFIG_ETRAXFS', if_true: files('etraxfs_pic.c'))
 softmmu_ss.add(when: 'CONFIG_HEATHROW_PIC', if_true: files('heathrow_pic.c'))
@@ -XXX,XX +XXX,XX @@ softmmu_ss.add(when: 'CONFIG_XLNX_ZYNQMP_PMU', if_true: files('xlnx-pmu-iomod-in
 specific_ss.add(when: 'CONFIG_ALLWINNER_A10_PIC', if_true: files('allwinner-a10-pic.c'))
 specific_ss.add(when: 'CONFIG_APIC', if_true: files('apic.c', 'apic_common.c'))
 specific_ss.add(when: 'CONFIG_ARM_GIC', if_true: files('arm_gicv3_cpuif_common.c'))
-specific_ss.add(when: 'CONFIG_ARM_GIC', if_true: files('arm_gicv3_cpuif.c'))
+specific_ss.add(when: 'CONFIG_ARM_GIC_TCG', if_true: files('arm_gicv3_cpuif.c'))
 specific_ss.add(when: 'CONFIG_ARM_GIC_KVM', if_true: files('arm_gic_kvm.c'))
 specific_ss.add(when: ['CONFIG_ARM_GIC_KVM', 'TARGET_AARCH64'], if_true: files('arm_gicv3_kvm.c', 'arm_gicv3_its_kvm.c'))
 specific_ss.add(when: 'CONFIG_ARM_V7M', if_true: files('armv7m_nvic.c'))
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
 {
     DisasContext *s = container_of(dcbase, DisasContext, base);
     CPUARMState *env = cpu->env_ptr;
+    uint64_t pc = s->base.pc_next;
     uint32_t insn;
 
     if (s->ss_active && !s->pstate_ss) {
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
         return;
     }
 
-    s->pc_curr = s->base.pc_next;
-    insn = arm_ldl_code(env, &s->base, s->base.pc_next, s->sctlr_b);
+    s->pc_curr = pc;
+    insn = arm_ldl_code(env, &s->base, pc, s->sctlr_b);
     s->insn = insn;
-    s->base.pc_next += 4;
+    s->base.pc_next = pc + 4;
 
     s->fp_access_checked = false;
     s->sve_access_checked = false;
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void arm_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
 {
     DisasContext *dc = container_of(dcbase, DisasContext, base);
     CPUARMState *env = cpu->env_ptr;
+    uint32_t pc = dc->base.pc_next;
     unsigned int insn;
 
     if (arm_pre_translate_insn(dc)) {
-        dc->base.pc_next += 4;
+        dc->base.pc_next = pc + 4;
         return;
     }
 
-    dc->pc_curr = dc->base.pc_next;
-    insn = arm_ldl_code(env, &dc->base, dc->base.pc_next, dc->sctlr_b);
+    dc->pc_curr = pc;
+    insn = arm_ldl_code(env, &dc->base, pc, dc->sctlr_b);
     dc->insn = insn;
-    dc->base.pc_next += 4;
+    dc->base.pc_next = pc + 4;
     disas_arm_insn(dc, insn);
 
     arm_post_translate_insn(dc);
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
 {
     DisasContext *dc = container_of(dcbase, DisasContext, base);
     CPUARMState *env = cpu->env_ptr;
+    uint32_t pc = dc->base.pc_next;
     uint32_t insn;
     bool is_16bit;
 
     if (arm_pre_translate_insn(dc)) {
-        dc->base.pc_next += 2;
+        dc->base.pc_next = pc + 2;
         return;
     }
 
-    dc->pc_curr = dc->base.pc_next;
-    insn = arm_lduw_code(env, &dc->base, dc->base.pc_next, dc->sctlr_b);
+    dc->pc_curr = pc;
+    insn = arm_lduw_code(env, &dc->base, pc, dc->sctlr_b);
     is_16bit = thumb_insn_is_16bit(dc, dc->base.pc_next, insn);
-    dc->base.pc_next += 2;
+    pc += 2;
     if (!is_16bit) {
-        uint32_t insn2 = arm_lduw_code(env, &dc->base, dc->base.pc_next,
-                                       dc->sctlr_b);
-
+        uint32_t insn2 = arm_lduw_code(env, &dc->base, pc, dc->sctlr_b);
         insn = insn << 16 | insn2;
-        dc->base.pc_next += 2;
+        pc += 2;
     }
+    dc->base.pc_next = pc;
     dc->insn = insn;
 
     if (dc->pstate_il) {
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Create arm_check_ss_active and arm_check_kernelpage.

Reverse the order of the tests.  While it doesn't matter in practice,
because only user-only has a kernel page and user-only never sets
ss_active, ss_active has priority over execution exceptions and it
is best to keep them in the proper order.

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void arm_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
     dc->insn_start = tcg_last_op();
 }
 
-static bool arm_pre_translate_insn(DisasContext *dc)
+static bool arm_check_kernelpage(DisasContext *dc)
 {
 #ifdef CONFIG_USER_ONLY
     /* Intercept jump to the magic kernel page.  */
@@ -XXX,XX +XXX,XX @@ static bool arm_pre_translate_insn(DisasContext *dc)
         return true;
     }
 #endif
+    return false;
+}
 
+static bool arm_check_ss_active(DisasContext *dc)
+{
     if (dc->ss_active && !dc->pstate_ss) {
         /* Singlestep state is Active-pending.
          * If we're in this state at the start of a TB then either
@@ -XXX,XX +XXX,XX @@ static void arm_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
     uint32_t pc = dc->base.pc_next;
     unsigned int insn;
 
-    if (arm_pre_translate_insn(dc)) {
+    if (arm_check_ss_active(dc) || arm_check_kernelpage(dc)) {
         dc->base.pc_next = pc + 4;
         return;
     }
@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
     uint32_t insn;
     bool is_16bit;
 
-    if (arm_pre_translate_insn(dc)) {
+    if (arm_check_ss_active(dc) || arm_check_kernelpage(dc)) {
         dc->base.pc_next = pc + 2;
         return;
     }
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

We will reuse this section of arm_deliver_fault for
raising pc alignment faults.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/tlb_helper.c | 45 +++++++++++++++++++++++++----------------
 1 file changed, 28 insertions(+), 17 deletions(-)

diff --git a/target/arm/tlb_helper.c b/target/arm/tlb_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tlb_helper.c
+++ b/target/arm/tlb_helper.c
@@ -XXX,XX +XXX,XX @@ static inline uint32_t merge_syn_data_abort(uint32_t template_syn,
     return syn;
 }
 
-static void QEMU_NORETURN arm_deliver_fault(ARMCPU *cpu, vaddr addr,
-                                            MMUAccessType access_type,
-                                            int mmu_idx, ARMMMUFaultInfo *fi)
+static uint32_t compute_fsr_fsc(CPUARMState *env, ARMMMUFaultInfo *fi,
+                                int target_el, int mmu_idx, uint32_t *ret_fsc)
 {
-    CPUARMState *env = &cpu->env;
-    int target_el;
-    bool same_el;
-    uint32_t syn, exc, fsr, fsc;
     ARMMMUIdx arm_mmu_idx = core_to_arm_mmu_idx(env, mmu_idx);
-
-    target_el = exception_target_el(env);
-    if (fi->stage2) {
-        target_el = 2;
-        env->cp15.hpfar_el2 = extract64(fi->s2addr, 12, 47) << 4;
-        if (arm_is_secure_below_el3(env) && fi->s1ns) {
-            env->cp15.hpfar_el2 |= HPFAR_NS;
-        }
-    }
-    same_el = (arm_current_el(env) == target_el);
+    uint32_t fsr, fsc;
 
     if (target_el == 2 || arm_el_is_aa64(env, target_el) ||
         arm_s1_regime_using_lpae_format(env, arm_mmu_idx)) {
@@ -XXX,XX +XXX,XX @@ static void QEMU_NORETURN arm_deliver_fault(ARMCPU *cpu, vaddr addr,
         fsc = 0x3f;
     }
 
+    *ret_fsc = fsc;
+    return fsr;
+}
+
+static void QEMU_NORETURN arm_deliver_fault(ARMCPU *cpu, vaddr addr,
+                                            MMUAccessType access_type,
+                                            int mmu_idx, ARMMMUFaultInfo *fi)
+{
+    CPUARMState *env = &cpu->env;
+    int target_el;
+    bool same_el;
+    uint32_t syn, exc, fsr, fsc;
+
+    target_el = exception_target_el(env);
+    if (fi->stage2) {
+        target_el = 2;
+        env->cp15.hpfar_el2 = extract64(fi->s2addr, 12, 47) << 4;
+        if (arm_is_secure_below_el3(env) && fi->s1ns) {
+            env->cp15.hpfar_el2 |= HPFAR_NS;
+        }
+    }
+    same_el = (arm_current_el(env) == target_el);
+
+    fsr = compute_fsr_fsc(env, fi, target_el, mmu_idx, &fsc);
+
     if (access_type == MMU_INST_FETCH) {
         syn = syn_insn_abort(same_el, fi->ea, fi->s1ptw, fsc);
         exc = EXCP_PREFETCH_ABORT;
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

For A64, any input to an indirect branch can cause this.

For A32, many indirect branch paths force the branch to be aligned,
but BXWritePC does not.  This includes the BX instruction but also
other interworking changes to PC.  Prior to v8, this case is UNDEFINED.
With v8, this is CONSTRAINED UNPREDICTABLE and may either raise an
exception or force align the PC.

We choose to raise an exception because we have the infrastructure,
it makes the generated code for gen_bx simpler, and it has the
possibility of catching more guest bugs.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.h           |  1 +
 target/arm/syndrome.h         |  5 ++++
 linux-user/aarch64/cpu_loop.c | 46 ++++++++++++++++++++---------------
 target/arm/tlb_helper.c       | 18 ++++++++++++++
 target/arm/translate-a64.c    | 15 ++++++++++++
 target/arm/translate.c        | 22 ++++++++++++++++-
 6 files changed, 87 insertions(+), 20 deletions(-)

diff --git a/target/arm/helper.h b/target/arm/helper.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.h
+++ b/target/arm/helper.h
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_3(sel_flags, TCG_CALL_NO_RWG_SE,
 DEF_HELPER_2(exception_internal, void, env, i32)
 DEF_HELPER_4(exception_with_syndrome, void, env, i32, i32, i32)
 DEF_HELPER_2(exception_bkpt_insn, void, env, i32)
+DEF_HELPER_2(exception_pc_alignment, noreturn, env, tl)
 DEF_HELPER_1(setend, void, env)
 DEF_HELPER_2(wfi, void, env, i32)
 DEF_HELPER_1(wfe, void, env)
diff --git a/target/arm/syndrome.h b/target/arm/syndrome.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/syndrome.h
+++ b/target/arm/syndrome.h
@@ -XXX,XX +XXX,XX @@ static inline uint32_t syn_illegalstate(void)
     return (EC_ILLEGALSTATE << ARM_EL_EC_SHIFT) | ARM_EL_IL;
 }
 
+static inline uint32_t syn_pcalignment(void)
+{
+    return (EC_PCALIGNMENT << ARM_EL_EC_SHIFT) | ARM_EL_IL;
+}
+
 #endif /* TARGET_ARM_SYNDROME_H */
diff --git a/linux-user/aarch64/cpu_loop.c b/linux-user/aarch64/cpu_loop.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/aarch64/cpu_loop.c
+++ b/linux-user/aarch64/cpu_loop.c
@@ -XXX,XX +XXX,XX @@ void cpu_loop(CPUARMState *env)
             break;
         case EXCP_PREFETCH_ABORT:
         case EXCP_DATA_ABORT:
-            /* We should only arrive here with EC in {DATAABORT, INSNABORT}. */
             ec = syn_get_ec(env->exception.syndrome);
-            assert(ec == EC_DATAABORT || ec == EC_INSNABORT);
-
-            /* Both EC have the same format for FSC, or close enough. */
-            fsc = extract32(env->exception.syndrome, 0, 6);
-            switch (fsc) {
-            case 0x04 ... 0x07: /* Translation fault, level {0-3} */
-                si_signo = TARGET_SIGSEGV;
-                si_code = TARGET_SEGV_MAPERR;
+            switch (ec) {
+            case EC_DATAABORT:
+            case EC_INSNABORT:
+                /* Both EC have the same format for FSC, or close enough. */
+                fsc = extract32(env->exception.syndrome, 0, 6);
+                switch (fsc) {
+                case 0x04 ... 0x07: /* Translation fault, level {0-3} */
+                    si_signo = TARGET_SIGSEGV;
+                    si_code = TARGET_SEGV_MAPERR;
+                    break;
+                case 0x09 ... 0x0b: /* Access flag fault, level {1-3} */
+                case 0x0d ... 0x0f: /* Permission fault, level {1-3} */
+                    si_signo = TARGET_SIGSEGV;
+                    si_code = TARGET_SEGV_ACCERR;
+                    break;
+                case 0x11: /* Synchronous Tag Check Fault */
+                    si_signo = TARGET_SIGSEGV;
+                    si_code = TARGET_SEGV_MTESERR;
+                    break;
+                case 0x21: /* Alignment fault */
+                    si_signo = TARGET_SIGBUS;
+                    si_code = TARGET_BUS_ADRALN;
+                    break;
+                default:
+                    g_assert_not_reached();
+                }
                 break;
-            case 0x09 ... 0x0b: /* Access flag fault, level {1-3} */
-            case 0x0d ... 0x0f: /* Permission fault, level {1-3} */
-                si_signo = TARGET_SIGSEGV;
-                si_code = TARGET_SEGV_ACCERR;
-                break;
-            case 0x11: /* Synchronous Tag Check Fault */
-                si_signo = TARGET_SIGSEGV;
-                si_code = TARGET_SEGV_MTESERR;
-                break;
-            case 0x21: /* Alignment fault */
+            case EC_PCALIGNMENT:
                 si_signo = TARGET_SIGBUS;
                 si_code = TARGET_BUS_ADRALN;
                 break;
diff --git a/target/arm/tlb_helper.c b/target/arm/tlb_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tlb_helper.c
+++ b/target/arm/tlb_helper.c
@@ -XXX,XX +XXX,XX @@
 #include "cpu.h"
 #include "internals.h"
 #include "exec/exec-all.h"
+#include "exec/helper-proto.h"
 
 static inline uint32_t merge_syn_data_abort(uint32_t template_syn,
                                             unsigned int target_el,
@@ -XXX,XX +XXX,XX @@ void arm_cpu_do_unaligned_access(CPUState *cs, vaddr vaddr,
     arm_deliver_fault(cpu, vaddr, access_type, mmu_idx, &fi);
 }
 
+void helper_exception_pc_alignment(CPUARMState *env, target_ulong pc)
+{
+    ARMMMUFaultInfo fi = { .type = ARMFault_Alignment };
+    int target_el = exception_target_el(env);
+    int mmu_idx = cpu_mmu_index(env, true);
+    uint32_t fsc;
+
+    env->exception.vaddress = pc;
+
+    /*
+     * Note that the fsc is not applicable to this exception,
+     * since any syndrome is pcalignment not insn_abort.
+     */
+    env->exception.fsr = compute_fsr_fsc(env, &fi, target_el, mmu_idx, &fsc);
+    raise_exception(env, EXCP_PREFETCH_ABORT, syn_pcalignment(), target_el);
+}
+
 #if !defined(CONFIG_USER_ONLY)
 
 /*
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
     uint64_t pc = s->base.pc_next;
     uint32_t insn;
 
+    /* Singlestep exceptions have the highest priority. */
     if (s->ss_active && !s->pstate_ss) {
         /* Singlestep state is Active-pending.
          * If we're in this state at the start of a TB then either
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
         return;
     }
 
+    if (pc & 3) {
+        /*
+         * PC alignment fault.  This has priority over the instruction abort
+         * that we would receive from a translation fault via arm_ldl_code.
+         * This should only be possible after an indirect branch, at the
+         * start of the TB.
+         */
+        assert(s->base.num_insns == 1);
+        gen_helper_exception_pc_alignment(cpu_env, tcg_constant_tl(pc));
+        s->base.is_jmp = DISAS_NORETURN;
+        s->base.pc_next = QEMU_ALIGN_UP(pc, 4);
+        return;
+    }
+
     s->pc_curr = pc;
     insn = arm_ldl_code(env, &s->base, pc, s->sctlr_b);
     s->insn = insn;
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void arm_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
     uint32_t pc = dc->base.pc_next;
     unsigned int insn;
 
-    if (arm_check_ss_active(dc) || arm_check_kernelpage(dc)) {
+    /* Singlestep exceptions have the highest priority. */
+    if (arm_check_ss_active(dc)) {
+        dc->base.pc_next = pc + 4;
+        return;
+    }
+
+    if (pc & 3) {
+        /*
+         * PC alignment fault.  This has priority over the instruction abort
+         * that we would receive from a translation fault via arm_ldl_code
+         * (or the execution of the kernelpage entrypoint). This should only
+         * be possible after an indirect branch, at the start of the TB.
+         */
+        assert(dc->base.num_insns == 1);
+        gen_helper_exception_pc_alignment(cpu_env, tcg_constant_tl(pc));
+        dc->base.is_jmp = DISAS_NORETURN;
+        dc->base.pc_next = QEMU_ALIGN_UP(pc, 4);
+        return;
+    }
+
+    if (arm_check_kernelpage(dc)) {
         dc->base.pc_next = pc + 4;
         return;
     }
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Misaligned thumb PC is architecturally impossible.
Assert is better than proceeding, in case we've missed
something somewhere.

Expand a comment about aligning the pc in gdbstub.
Fail an incoming migrate if a thumb pc is misaligned.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/gdbstub.c   |  9 +++++++--
 target/arm/machine.c   | 10 ++++++++++
 target/arm/translate.c |  3 +++
 3 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/target/arm/gdbstub.c b/target/arm/gdbstub.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/gdbstub.c
+++ b/target/arm/gdbstub.c
@@ -XXX,XX +XXX,XX @@ int arm_cpu_gdb_write_register(CPUState *cs, uint8_t *mem_buf, int n)
 
     tmp = ldl_p(mem_buf);
 
-    /* Mask out low bit of PC to workaround gdb bugs.  This will probably
-       cause problems if we ever implement the Jazelle DBX extensions.  */
+    /*
+     * Mask out low bits of PC to workaround gdb bugs.
+     * This avoids an assert in thumb_tr_translate_insn, because it is
+     * architecturally impossible to misalign the pc.
+     * This will probably cause problems if we ever implement the
+     * Jazelle DBX extensions.
+     */
     if (n == 15) {
         tmp &= ~1;
     }
diff --git a/target/arm/machine.c b/target/arm/machine.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/machine.c
+++ b/target/arm/machine.c
@@ -XXX,XX +XXX,XX @@ static int cpu_post_load(void *opaque, int version_id)
             return -1;
         }
     }
+
+    /*
+     * Misaligned thumb pc is architecturally impossible.
+     * We have an assert in thumb_tr_translate_insn to verify this.
+     * Fail an incoming migrate to avoid this assert.
+     */
+    if (!is_a64(env) && env->thumb && (env->regs[15] & 1)) {
+        return -1;
+    }
+
     if (!kvm_enabled()) {
         pmu_op_finish(&cpu->env);
     }
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
     uint32_t insn;
     bool is_16bit;
 
+    /* Misaligned thumb PC is architecturally impossible. */
+    assert((dc->base.pc_next & 1) == 0);
+
     if (arm_check_ss_active(dc) || arm_check_kernelpage(dc)) {
         dc->base.pc_next = pc + 2;
         return;
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Both single-step and pc alignment faults have priority over
breakpoint exceptions.

diff --git a/target/arm/debug_helper.c b/target/arm/debug_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/debug_helper.c
+++ b/target/arm/debug_helper.c
@@ -XXX,XX +XXX,XX @@ bool arm_debug_check_breakpoint(CPUState *cs)
 {
     ARMCPU *cpu = ARM_CPU(cs);
     CPUARMState *env = &cpu->env;
+    target_ulong pc;
     int n;
 
     /*
@@ -XXX,XX +XXX,XX @@ bool arm_debug_check_breakpoint(CPUState *cs)
         return false;
     }
 
+    /*
+     * Single-step exceptions have priority over breakpoint exceptions.
+     * If single-step state is active-pending, suppress the bp.
+     */
+    if (arm_singlestep_active(env) && !(env->pstate & PSTATE_SS)) {
+        return false;
+    }
+
+    /*
+     * PC alignment faults have priority over breakpoint exceptions.
+     */
+    pc = is_a64(env) ? env->pc : env->regs[15];
+    if ((is_a64(env) || !env->thumb) && (pc & 3) != 0) {
+        return false;
+    }
+
+    /*
+     * Instruction aborts have priority over breakpoint exceptions.
+     * TODO: We would need to look up the page for PC and verify that
+     * it is present and executable.
+     */
+
     for (n = 0; n < ARRAY_SIZE(env->cpu_breakpoint); n++) {
         if (bp_wp_matches(cpu, n, false)) {
             return true;
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 tests/tcg/aarch64/pcalign-a64.c   | 37 +++++++++++++++++++++++++
 tests/tcg/arm/pcalign-a32.c       | 46 +++++++++++++++++++++++++++++++
 tests/tcg/aarch64/Makefile.target |  4 +--
 tests/tcg/arm/Makefile.target     |  4 +++
 4 files changed, 89 insertions(+), 2 deletions(-)
 create mode 100644 tests/tcg/aarch64/pcalign-a64.c
 create mode 100644 tests/tcg/arm/pcalign-a32.c

diff --git a/tests/tcg/aarch64/pcalign-a64.c b/tests/tcg/aarch64/pcalign-a64.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/tests/tcg/aarch64/pcalign-a64.c
@@ -XXX,XX +XXX,XX @@
+/* Test PC misalignment exception */
+
+#include <assert.h>
+#include <signal.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+static void *expected;
+
+static void sigbus(int sig, siginfo_t *info, void *vuc)
+{
+    assert(info->si_code == BUS_ADRALN);
+    assert(info->si_addr == expected);
+    exit(EXIT_SUCCESS);
+}
+
+int main()
+{
+    void *tmp;
+
+    struct sigaction sa = {
+        .sa_sigaction = sigbus,
+        .sa_flags = SA_SIGINFO
+    };
+
+    if (sigaction(SIGBUS, &sa, NULL) < 0) {
+        perror("sigaction");
+        return EXIT_FAILURE;
+    }
+
+    asm volatile("adr %0, 1f + 1\n\t"
+                 "str %0, %1\n\t"
+                 "br  %0\n"
+                 "1:"
+                 : "=&r"(tmp), "=m"(expected));
+    abort();
+}
diff --git a/tests/tcg/arm/pcalign-a32.c b/tests/tcg/arm/pcalign-a32.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/tests/tcg/arm/pcalign-a32.c
@@ -XXX,XX +XXX,XX @@
+/* Test PC misalignment exception */
+
+#ifdef __thumb__
+#error "This test must be compiled for ARM"
+#endif
+
+#include <assert.h>
+#include <signal.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+static void *expected;
+
+static void sigbus(int sig, siginfo_t *info, void *vuc)
+{
+    assert(info->si_code == BUS_ADRALN);
+    assert(info->si_addr == expected);
+    exit(EXIT_SUCCESS);
+}
+
+int main()
+{
+    void *tmp;
+
+    struct sigaction sa = {
+        .sa_sigaction = sigbus,
+        .sa_flags = SA_SIGINFO
+    };
+
+    if (sigaction(SIGBUS, &sa, NULL) < 0) {
+        perror("sigaction");
+        return EXIT_FAILURE;
+    }
+
+    asm volatile("adr %0, 1f + 2\n\t"
+                 "str %0, %1\n\t"
+                 "bx  %0\n"
+                 "1:"
+                 : "=&r"(tmp), "=m"(expected));
+
+    /*
+     * From v8, it is CONSTRAINED UNPREDICTABLE whether BXWritePC aligns
+     * the address or not.  If so, we can legitimately fall through.
+     */
+    return EXIT_SUCCESS;
+}
diff --git a/tests/tcg/aarch64/Makefile.target b/tests/tcg/aarch64/Makefile.target
index XXXXXXX..XXXXXXX 100644
--- a/tests/tcg/aarch64/Makefile.target
+++ b/tests/tcg/aarch64/Makefile.target
@@ -XXX,XX +XXX,XX @@ VPATH 		+= $(ARM_SRC)
 AARCH64_SRC=$(SRC_PATH)/tests/tcg/aarch64
 VPATH 		+= $(AARCH64_SRC)
 
-# Float-convert Tests
-AARCH64_TESTS=fcvt
+# Base architecture tests
+AARCH64_TESTS=fcvt pcalign-a64
 
 fcvt: LDFLAGS+=-lm
 
diff --git a/tests/tcg/arm/Makefile.target b/tests/tcg/arm/Makefile.target
index XXXXXXX..XXXXXXX 100644
--- a/tests/tcg/arm/Makefile.target
+++ b/tests/tcg/arm/Makefile.target
@@ -XXX,XX +XXX,XX @@ run-fcvt: fcvt
 	$(call run-test,fcvt,$(QEMU) $<,"$< on $(TARGET_NAME)")
 	$(call diff-out,fcvt,$(ARM_SRC)/fcvt.ref)
 
+# PC alignment test
+ARM_TESTS += pcalign-a32
+pcalign-a32: CFLAGS+=-marm
+
 ifeq ($(CONFIG_ARM_COMPATIBLE_SEMIHOSTING),y)
 
 # Semihosting smoke test for linux-user
-- 
2.25.1

In the SSE decode function gen_sse(), we combine a byte
'b' and a value 'b1' which can be [0..3], and switch on them:
   b |= (b1 << 8);
   switch (b) {
   ...
   default:
   unknown_op:
       gen_unknown_opcode(env, s);
       return;
   }

In three cases inside this switch, we were then also checking for
 "if (b1 >= 2) { goto unknown_op; }".
However, this can never happen, because the 'case' values in each place
are 0x0nn or 0x1nn and the switch will have directed the b1 == (2, 3)
cases to the default already.

This check was added in commit c045af25a52e9 in 2010; the added code
was unnecessary then as well, and was apparently intended only to
ensure that we never accidentally ended up indexing off the end
of an sse_op_table with only 2 entries as a result of future bugs
in the decode logic.

Change the checks to assert() instead, and make sure they're always
immediately before the array access they are protecting.

Fixes: Coverity CID 1460207
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/i386/tcg/translate.c | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)

diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/i386/tcg/translate.c
+++ b/target/i386/tcg/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_sse(CPUX86State *env, DisasContext *s, int b,
         case 0x171: /* shift xmm, im */
         case 0x172:
         case 0x173:
-            if (b1 >= 2) {
-                goto unknown_op;
-            }
             val = x86_ldub_code(env, s);
             if (is_xmm) {
                 tcg_gen_movi_tl(s->T0, val);
@@ -XXX,XX +XXX,XX @@ static void gen_sse(CPUX86State *env, DisasContext *s, int b,
                                 offsetof(CPUX86State, mmx_t0.MMX_L(1)));
                 op1_offset = offsetof(CPUX86State,mmx_t0);
             }
+            assert(b1 < 2);
             sse_fn_epp = sse_op_table2[((b - 1) & 3) * 8 +
                                        (((modrm >> 3)) & 7)][b1];
             if (!sse_fn_epp) {
@@ -XXX,XX +XXX,XX @@ static void gen_sse(CPUX86State *env, DisasContext *s, int b,
             rm = modrm & 7;
             reg = ((modrm >> 3) & 7) | REX_R(s);
             mod = (modrm >> 6) & 3;
-            if (b1 >= 2) {
-                goto unknown_op;
-            }
 
+            assert(b1 < 2);
             sse_fn_epp = sse_op_table6[b].op[b1];
             if (!sse_fn_epp) {
                 goto unknown_op;
@@ -XXX,XX +XXX,XX @@ static void gen_sse(CPUX86State *env, DisasContext *s, int b,
             rm = modrm & 7;
             reg = ((modrm >> 3) & 7) | REX_R(s);
             mod = (modrm >> 6) & 3;
-            if (b1 >= 2) {
-                goto unknown_op;
-            }
 
+            assert(b1 < 2);
             sse_fn_eppi = sse_op_table7[b].op[b1];
             if (!sse_fn_eppi) {
                 goto unknown_op;
-- 
2.25.1

The qemu-common.h header is not supposed to be included from any
other header files, only from .c files (as documented in a comment at
the start of it).

include/hw/i386/x86.h and include/hw/i386/microvm.h break this rule.
In fact, the include is not required at all, so we can just drop it
from both files.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20211129200510.1233037-2-peter.maydell@linaro.org
---
 include/hw/i386/microvm.h | 1 -
 include/hw/i386/x86.h     | 1 -
 2 files changed, 2 deletions(-)

diff --git a/include/hw/i386/microvm.h b/include/hw/i386/microvm.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/i386/microvm.h
+++ b/include/hw/i386/microvm.h
@@ -XXX,XX +XXX,XX @@
 #ifndef HW_I386_MICROVM_H
 #define HW_I386_MICROVM_H
 
-#include "qemu-common.h"
 #include "exec/hwaddr.h"
 #include "qemu/notify.h"
 
diff --git a/include/hw/i386/x86.h b/include/hw/i386/x86.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/i386/x86.h
+++ b/include/hw/i386/x86.h
@@ -XXX,XX +XXX,XX @@
 #ifndef HW_I386_X86_H
 #define HW_I386_X86_H
 
-#include "qemu-common.h"
 #include "exec/hwaddr.h"
 #include "qemu/notify.h"
 
-- 
2.25.1

The qemu-common.h header is not supposed to be included from any
other header files, only from .c files (as documented in a comment at
the start of it).

Move the include to linux-user/hexagon/cpu_loop.c, which needs it for
the declaration of cpu_exec_step_atomic().

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Taylor Simpson <tsimpson@quicinc.com>
Message-id: 20211129200510.1233037-3-peter.maydell@linaro.org
---
 target/hexagon/cpu.h          | 1 -
 linux-user/hexagon/cpu_loop.c | 1 +
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/hexagon/cpu.h b/target/hexagon/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/hexagon/cpu.h
+++ b/target/hexagon/cpu.h
@@ -XXX,XX +XXX,XX @@ typedef struct CPUHexagonState CPUHexagonState;
 
 #include "fpu/softfloat-types.h"
 
-#include "qemu-common.h"
 #include "exec/cpu-defs.h"
 #include "hex_regs.h"
 #include "mmvec/mmvec.h"
diff --git a/linux-user/hexagon/cpu_loop.c b/linux-user/hexagon/cpu_loop.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/hexagon/cpu_loop.c
+++ b/linux-user/hexagon/cpu_loop.c
@@ -XXX,XX +XXX,XX @@
  */
 
 #include "qemu/osdep.h"
+#include "qemu-common.h"
 #include "qemu.h"
 #include "user-internals.h"
 #include "cpu_loop-common.h"
-- 
2.25.1

A lot of C files in hw/arm include qemu-common.h when they don't
need anything from it. Drop the include lines.

omap1.c, pxa2xx.c and strongarm.c retain the include because they
use it for the prototype of qemu_get_timedate().

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Taylor Simpson <tsimpson@quicinc.com>
Reviewed-by: Yoshinori Sato <ysato@users.sourceforge.jp>
Message-id: 20211129200510.1233037-5-peter.maydell@linaro.org
---
 hw/arm/boot.c           | 1 -
 hw/arm/digic_boards.c   | 1 -
 hw/arm/highbank.c       | 1 -
 hw/arm/npcm7xx_boards.c | 1 -
 hw/arm/sbsa-ref.c       | 1 -
 hw/arm/stm32f405_soc.c  | 1 -
 hw/arm/vexpress.c       | 1 -
 hw/arm/virt.c           | 1 -
 8 files changed, 8 deletions(-)

diff --git a/hw/arm/boot.c b/hw/arm/boot.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/boot.c
+++ b/hw/arm/boot.c
@@ -XXX,XX +XXX,XX @@
  */
 
 #include "qemu/osdep.h"
-#include "qemu-common.h"
 #include "qemu/datadir.h"
 #include "qemu/error-report.h"
 #include "qapi/error.h"
diff --git a/hw/arm/digic_boards.c b/hw/arm/digic_boards.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/digic_boards.c
+++ b/hw/arm/digic_boards.c
@@ -XXX,XX +XXX,XX @@
 
 #include "qemu/osdep.h"
 #include "qapi/error.h"
-#include "qemu-common.h"
 #include "qemu/datadir.h"
 #include "hw/boards.h"
 #include "qemu/error-report.h"
diff --git a/hw/arm/highbank.c b/hw/arm/highbank.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/highbank.c
+++ b/hw/arm/highbank.c
@@ -XXX,XX +XXX,XX @@
  */
 
 #include "qemu/osdep.h"
-#include "qemu-common.h"
 #include "qemu/datadir.h"
 #include "qapi/error.h"
 #include "hw/sysbus.h"
diff --git a/hw/arm/npcm7xx_boards.c b/hw/arm/npcm7xx_boards.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/npcm7xx_boards.c
+++ b/hw/arm/npcm7xx_boards.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/qdev-core.h"
 #include "hw/qdev-properties.h"
 #include "qapi/error.h"
-#include "qemu-common.h"
 #include "qemu/datadir.h"
 #include "qemu/units.h"
 #include "sysemu/blockdev.h"
diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/sbsa-ref.c
+++ b/hw/arm/sbsa-ref.c
@@ -XXX,XX +XXX,XX @@
  */
 
 #include "qemu/osdep.h"
-#include "qemu-common.h"
 #include "qemu/datadir.h"
 #include "qapi/error.h"
 #include "qemu/error-report.h"
diff --git a/hw/arm/stm32f405_soc.c b/hw/arm/stm32f405_soc.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/stm32f405_soc.c
+++ b/hw/arm/stm32f405_soc.c
@@ -XXX,XX +XXX,XX @@
 
 #include "qemu/osdep.h"
 #include "qapi/error.h"
-#include "qemu-common.h"
 #include "exec/address-spaces.h"
 #include "sysemu/sysemu.h"
 #include "hw/arm/stm32f405_soc.h"
diff --git a/hw/arm/vexpress.c b/hw/arm/vexpress.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/vexpress.c
+++ b/hw/arm/vexpress.c
@@ -XXX,XX +XXX,XX @@
 
 #include "qemu/osdep.h"
 #include "qapi/error.h"
-#include "qemu-common.h"
 #include "qemu/datadir.h"
 #include "cpu.h"
 #include "hw/sysbus.h"
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@
  */
 
 #include "qemu/osdep.h"
-#include "qemu-common.h"
 #include "qemu/datadir.h"
 #include "qemu/units.h"
 #include "qemu/option.h"
-- 
2.25.1

The calculation of the length of TLB range invalidate operations
in tlbi_aa64_range_get_length() is incorrect in two ways:
 * the NUM field is 5 bits, but we read only 4 bits
 * we miscalculate the page_shift value, because of an
   off-by-one error:
    TG 0b00 is invalid
    TG 0b01 is 4K granule size == 4096 == 2^12
    TG 0b10 is 16K granule size == 16384 == 2^14
    TG 0b11 is 64K granule size == 65536 == 2^16
   so page_shift should be (TG - 1) * 2 + 12

Thanks to the bug report submitter Cha HyunSoo for identifying
both these errors.

Fixes: 84940ed82552d3c ("target/arm: Add support for FEAT_TLBIRANGE")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/734
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20211130173257.1274194-1-peter.maydell@linaro.org
---
 target/arm/helper.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static uint64_t tlbi_aa64_range_get_length(CPUARMState *env,
     uint64_t exponent;
     uint64_t length;
 
-    num = extract64(value, 39, 4);
+    num = extract64(value, 39, 5);
     scale = extract64(value, 44, 2);
     page_size_granule = extract64(value, 46, 2);
 
-    page_shift = page_size_granule * 2 + 12;
-
     if (page_size_granule == 0) {
         qemu_log_mask(LOG_GUEST_ERROR, "Invalid page size granule %d\n",
                       page_size_granule);
         return 0;
     }
 
+    page_shift = (page_size_granule - 1) * 2 + 12;
+
     exponent = (5 * scale) + 1;
     length = (num + 1) << (exponent + page_shift);
 
-- 
2.25.1

From: Patrick Venture <venture@google.com>

The rx_active boolean change to true should always trigger a try_read
call that flushes the queue.

Signed-off-by: Patrick Venture <venture@google.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20211203221002.1719306-1-venture@google.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/net/npcm7xx_emc.c | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/hw/net/npcm7xx_emc.c b/hw/net/npcm7xx_emc.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/net/npcm7xx_emc.c
+++ b/hw/net/npcm7xx_emc.c
@@ -XXX,XX +XXX,XX @@ static void emc_halt_rx(NPCM7xxEMCState *emc, uint32_t mista_flag)
     emc_set_mista(emc, mista_flag);
 }
 
+static void emc_enable_rx_and_flush(NPCM7xxEMCState *emc)
+{
+    emc->rx_active = true;
+    qemu_flush_queued_packets(qemu_get_queue(emc->nic));
+}
+
 static void emc_set_next_tx_descriptor(NPCM7xxEMCState *emc,
                                        const NPCM7xxEMCTxDesc *tx_desc,
                                        uint32_t desc_addr)
@@ -XXX,XX +XXX,XX @@ static ssize_t emc_receive(NetClientState *nc, const uint8_t *buf, size_t len1)
     return len;
 }
 
-static void emc_try_receive_next_packet(NPCM7xxEMCState *emc)
-{
-    if (emc_can_receive(qemu_get_queue(emc->nic))) {
-        qemu_flush_queued_packets(qemu_get_queue(emc->nic));
-    }
-}
-
 static uint64_t npcm7xx_emc_read(void *opaque, hwaddr offset, unsigned size)
 {
     NPCM7xxEMCState *emc = opaque;
@@ -XXX,XX +XXX,XX @@ static void npcm7xx_emc_write(void *opaque, hwaddr offset,
             emc->regs[REG_MGSTA] |= REG_MGSTA_RXHA;
         }
         if (value & REG_MCMDR_RXON) {
-            emc->rx_active = true;
+            emc_enable_rx_and_flush(emc);
         } else {
             emc_halt_rx(emc, 0);
         }
@@ -XXX,XX +XXX,XX @@ static void npcm7xx_emc_write(void *opaque, hwaddr offset,
         break;
     case REG_RSDR:
         if (emc->regs[REG_MCMDR] & REG_MCMDR_RXON) {
-            emc->rx_active = true;
-            emc_try_receive_next_packet(emc);
+            emc_enable_rx_and_flush(emc);
         }
         break;
     case REG_MIIDA:
-- 
2.25.1

From: Jean-Philippe Brucker <jean-philippe@linaro.org>

When a virtio-iommu is instantiated, describe it using the ACPI VIOT
table.

diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt-acpi-build.c
+++ b/hw/arm/virt-acpi-build.c
@@ -XXX,XX +XXX,XX @@
 #include "kvm_arm.h"
 #include "migration/vmstate.h"
 #include "hw/acpi/ghes.h"
+#include "hw/acpi/viot.h"
 
 #define ARM_SPI_BASE 32
 
@@ -XXX,XX +XXX,XX @@ void virt_acpi_build(VirtMachineState *vms, AcpiBuildTables *tables)
     }
 #endif
 
+    if (vms->iommu == VIRT_IOMMU_VIRTIO) {
+        acpi_add_table(table_offsets, tables_blob);
+        build_viot(ms, tables_blob, tables->linker, vms->virtio_iommu_bdf,
+                   vms->oem_id, vms->oem_table_id);
+    }
+
     /* XSDT is pointed to by RSDP */
     xsdt = tables_blob->len;
     build_xsdt(tables_blob, tables->linker, table_offsets, vms->oem_id,
diff --git a/hw/arm/Kconfig b/hw/arm/Kconfig
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/Kconfig
+++ b/hw/arm/Kconfig
@@ -XXX,XX +XXX,XX @@ config ARM_VIRT
     select DIMM
     select ACPI_HW_REDUCED
     select ACPI_APEI
+    select ACPI_VIOT
 
 config CHEETAH
     bool
-- 
2.25.1

From: Jean-Philippe Brucker <jean-philippe@linaro.org>

virtio-iommu is now supported with ACPI VIOT as well as device tree.
Remove the restriction that prevents from instantiating a virtio-iommu
device under ACPI.

diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@ static HotplugHandler *virt_machine_get_hotplug_handler(MachineState *machine,
     MachineClass *mc = MACHINE_GET_CLASS(machine);
 
     if (device_is_dynamic_sysbus(mc, dev) ||
-       (object_dynamic_cast(OBJECT(dev), TYPE_PC_DIMM))) {
+        object_dynamic_cast(OBJECT(dev), TYPE_PC_DIMM) ||
+        object_dynamic_cast(OBJECT(dev), TYPE_VIRTIO_IOMMU_PCI)) {
         return HOTPLUG_HANDLER(machine);
     }
-    if (object_dynamic_cast(OBJECT(dev), TYPE_VIRTIO_IOMMU_PCI)) {
-        VirtMachineState *vms = VIRT_MACHINE(machine);
-
-        if (!vms->bootinfo.firmware_loaded || !virt_is_acpi_enabled(vms)) {
-            return HOTPLUG_HANDLER(machine);
-        }
-    }
     return NULL;
 }
 
diff --git a/hw/virtio/virtio-iommu-pci.c b/hw/virtio/virtio-iommu-pci.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/virtio/virtio-iommu-pci.c
+++ b/hw/virtio/virtio-iommu-pci.c
@@ -XXX,XX +XXX,XX @@ static void virtio_iommu_pci_realize(VirtIOPCIProxy *vpci_dev, Error **errp)
     VirtIOIOMMU *s = VIRTIO_IOMMU(vdev);
 
     if (!qdev_get_machine_hotplug_handler(DEVICE(vpci_dev))) {
-        MachineClass *mc = MACHINE_GET_CLASS(qdev_get_machine());
-
-        error_setg(errp,
-                   "%s machine fails to create iommu-map device tree bindings",
-                   mc->name);
-        error_append_hint(errp,
-                          "Check your machine implements a hotplug handler "
-                          "for the virtio-iommu-pci device\n");
-        error_append_hint(errp, "Check the guest is booted without FW or with "
-                          "-no-acpi\n");
+        error_setg(errp, "Check your machine implements a hotplug handler "
+                         "for the virtio-iommu-pci device");
         return;
     }
     for (int i = 0; i < s->nb_reserved_regions; i++) {
-- 
2.25.1

From: Jean-Philippe Brucker <jean-philippe@linaro.org>

We do not support instantiating multiple IOMMUs. Before adding a
virtio-iommu, check that no other IOMMU is present. This will detect
both "iommu=smmuv3" machine parameter and another virtio-iommu instance.

Fixes: 70e89132c9 ("hw/arm/virt: Add the virtio-iommu device tree mappings")
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Message-id: 20211210170415.583179-4-jean-philippe@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/virt.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@ static void virt_machine_device_pre_plug_cb(HotplugHandler *hotplug_dev,
         hwaddr db_start = 0, db_end = 0;
         char *resv_prop_str;
 
+        if (vms->iommu != VIRT_IOMMU_NONE) {
+            error_setg(errp, "virt machine does not support multiple IOMMUs");
+            return;
+        }
+
         switch (vms->msi_controller) {
         case VIRT_MSI_CTRL_NONE:
             return;
-- 
2.25.1

From: Jean-Philippe Brucker <jean-philippe@linaro.org>

To propagate errors to the caller of the pre_plug callback, use the
object_poperty_set*() functions directly instead of the qdev_prop_set*()
helpers.

Suggested-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Message-id: 20211210170415.583179-5-jean-philippe@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/virt.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@ static void virt_machine_device_pre_plug_cb(HotplugHandler *hotplug_dev,
                                         db_start, db_end,
                                         VIRTIO_IOMMU_RESV_MEM_T_MSI);
 
-        qdev_prop_set_uint32(dev, "len-reserved-regions", 1);
-        qdev_prop_set_string(dev, "reserved-regions[0]", resv_prop_str);
+        object_property_set_uint(OBJECT(dev), "len-reserved-regions", 1, errp);
+        object_property_set_str(OBJECT(dev), "reserved-regions[0]",
+                                resv_prop_str, errp);
         g_free(resv_prop_str);
     }
 }
-- 
2.25.1

From: Jean-Philippe Brucker <jean-philippe@linaro.org>

Create empty data files and allow updates for the upcoming VIOT tests.

Acked-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Message-id: 20211210170415.583179-6-jean-philippe@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 tests/qtest/bios-tables-test-allowed-diff.h | 3 +++
 tests/data/acpi/q35/DSDT.viot               | 0
 tests/data/acpi/q35/VIOT.viot               | 0
 tests/data/acpi/virt/VIOT                   | 0
 4 files changed, 3 insertions(+)
 create mode 100644 tests/data/acpi/q35/DSDT.viot
 create mode 100644 tests/data/acpi/q35/VIOT.viot
 create mode 100644 tests/data/acpi/virt/VIOT

From: Jean-Philippe Brucker <jean-philippe@linaro.org>

Add two test cases for VIOT, one on the q35 machine and the other on
virt. To test complex topologies the q35 test has two PCIe buses that
bypass the IOMMU (and are therefore not described by VIOT), and two
buses that are translated by virtio-iommu.

Reviewed-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Message-id: 20211210170415.583179-7-jean-philippe@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 tests/qtest/bios-tables-test.c | 38 ++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/tests/qtest/bios-tables-test.c b/tests/qtest/bios-tables-test.c
index XXXXXXX..XXXXXXX 100644
--- a/tests/qtest/bios-tables-test.c
+++ b/tests/qtest/bios-tables-test.c
@@ -XXX,XX +XXX,XX @@ static void test_acpi_virt_tcg(void)
     free_test_data(&data);
 }
 
+static void test_acpi_q35_viot(void)
+{
+    test_data data = {
+        .machine = MACHINE_Q35,
+        .variant = ".viot",
+    };
+
+    /*
+     * To keep things interesting, two buses bypass the IOMMU.
+     * VIOT should only describes the other two buses.
+     */
+    test_acpi_one("-machine default_bus_bypass_iommu=on "
+                  "-device virtio-iommu-pci "
+                  "-device pxb-pcie,bus_nr=0x10,id=pcie.100,bus=pcie.0 "
+                  "-device pxb-pcie,bus_nr=0x20,id=pcie.200,bus=pcie.0,bypass_iommu=on "
+                  "-device pxb-pcie,bus_nr=0x30,id=pcie.300,bus=pcie.0",
+                  &data);
+    free_test_data(&data);
+}
+
+static void test_acpi_virt_viot(void)
+{
+    test_data data = {
+        .machine = "virt",
+        .uefi_fl1 = "pc-bios/edk2-aarch64-code.fd",
+        .uefi_fl2 = "pc-bios/edk2-arm-vars.fd",
+        .cd = "tests/data/uefi-boot-images/bios-tables-test.aarch64.iso.qcow2",
+        .ram_start = 0x40000000ULL,
+        .scan_len = 128ULL * 1024 * 1024,
+    };
+
+    test_acpi_one("-cpu cortex-a57 "
+                  "-device virtio-iommu-pci", &data);
+    free_test_data(&data);
+}
+
 static void test_oem_fields(test_data *data)
 {
     int i;
@@ -XXX,XX +XXX,XX @@ int main(int argc, char *argv[])
             qtest_add_func("acpi/q35/kvm/xapic", test_acpi_q35_kvm_xapic);
             qtest_add_func("acpi/q35/kvm/dmar", test_acpi_q35_kvm_dmar);
         }
+        qtest_add_func("acpi/q35/viot", test_acpi_q35_viot);
     } else if (strcmp(arch, "aarch64") == 0) {
         if (has_tcg) {
             qtest_add_func("acpi/virt", test_acpi_virt_tcg);
@@ -XXX,XX +XXX,XX @@ int main(int argc, char *argv[])
             qtest_add_func("acpi/virt/memhp", test_acpi_virt_tcg_memhp);
             qtest_add_func("acpi/virt/pxb", test_acpi_virt_tcg_pxb);
             qtest_add_func("acpi/virt/oem-fields", test_acpi_oem_fields_virt);
+            qtest_add_func("acpi/virt/viot", test_acpi_virt_viot);
         }
     }
     ret = g_test_run();
-- 
2.25.1

From: Jean-Philippe Brucker <jean-philippe@linaro.org>

Add expected blobs of the VIOT and DSDT table for the VIOT test on the
q35 machine.

Since the test instantiates a virtio device and two PCIe expander
bridges, DSDT.viot has more blocks than the base DSDT.

The VIOT table generated for the q35 test is:

[000h 0000   4]                    Signature : "VIOT"    [Virtual I/O Translation Table]
[004h 0004   4]                 Table Length : 00000070
[008h 0008   1]                     Revision : 00
[009h 0009   1]                     Checksum : 3D
[00Ah 0010   6]                       Oem ID : "BOCHS "
[010h 0016   8]                 Oem Table ID : "BXPC    "
[018h 0024   4]                 Oem Revision : 00000001
[01Ch 0028   4]              Asl Compiler ID : "BXPC"
[020h 0032   4]        Asl Compiler Revision : 00000001

[024h 0036   2]                   Node count : 0003
[026h 0038   2]                  Node offset : 0030
[028h 0040   8]                     Reserved : 0000000000000000

[030h 0048   1]                         Type : 03 [VirtIO-PCI IOMMU]
[031h 0049   1]                     Reserved : 00
[032h 0050   2]                       Length : 0010

[034h 0052   2]                  PCI Segment : 0000
[036h 0054   2]               PCI BDF number : 0010
[038h 0056   8]                     Reserved : 0000000000000000

[040h 0064   1]                         Type : 01 [PCI Range]
[041h 0065   1]                     Reserved : 00
[042h 0066   2]                       Length : 0018

[044h 0068   4]               Endpoint start : 00003000
[048h 0072   2]            PCI Segment start : 0000
[04Ah 0074   2]              PCI Segment end : 0000
[04Ch 0076   2]                PCI BDF start : 3000
[04Eh 0078   2]                  PCI BDF end : 30FF
[050h 0080   2]                  Output node : 0030
[052h 0082   6]                     Reserved : 000000000000

[058h 0088   1]                         Type : 01 [PCI Range]
[059h 0089   1]                     Reserved : 00
[05Ah 0090   2]                       Length : 0018

[05Ch 0092   4]               Endpoint start : 00001000
[060h 0096   2]            PCI Segment start : 0000
[062h 0098   2]              PCI Segment end : 0000
[064h 0100   2]                PCI BDF start : 1000
[066h 0102   2]                  PCI BDF end : 10FF
[068h 0104   2]                  Output node : 0030
[06Ah 0106   6]                     Reserved : 000000000000

And the DSDT diff is:

@@ -XXX,XX +XXX,XX @@
  *
  * Disassembling to symbolic ASL+ operators
  *
- * Disassembly of tests/data/acpi/q35/DSDT, Fri Dec 10 15:03:08 2021
+ * Disassembly of /tmp/aml-H9Y5D1, Fri Dec 10 15:02:27 2021
  *
  * Original Table Header:
  *     Signature        "DSDT"
- *     Length           0x00002061 (8289)
+ *     Length           0x000024B6 (9398)
  *     Revision         0x01 **** 32-bit table (V1), no 64-bit math support
- *     Checksum         0xFA
+ *     Checksum         0xA7
  *     OEM ID           "BOCHS "
  *     OEM Table ID     "BXPC    "
  *     OEM Revision     0x00000001 (1)
@@ -XXX,XX +XXX,XX @@
         }
     }

+    Scope (\_SB)
+    {
+        Device (PC30)
+        {
+            Name (_UID, 0x30)  // _UID: Unique ID
+            Name (_BBN, 0x30)  // _BBN: BIOS Bus Number
+            Name (_HID, EisaId ("PNP0A08") /* PCI Express Bus */)  // _HID: Hardware ID
+            Name (_CID, EisaId ("PNP0A03") /* PCI Bus */)  // _CID: Compatible ID
+            Method (_OSC, 4, NotSerialized)  // _OSC: Operating System Capabilities
+            {
+                CreateDWordField (Arg3, Zero, CDW1)
+                If ((Arg0 == ToUUID ("33db4d5b-1ff7-401c-9657-7441c03dd766") /* PCI Host Bridge Device */))
+                {
+                    CreateDWordField (Arg3, 0x04, CDW2)
+                    CreateDWordField (Arg3, 0x08, CDW3)
+                    Local0 = CDW3 /* \_SB_.PC30._OSC.CDW3 */
+                    Local0 &= 0x1F
+                    If ((Arg1 != One))
+                    {
+                        CDW1 |= 0x08
+                    }
+
+                    If ((CDW3 != Local0))
+                    {
+                        CDW1 |= 0x10
+                    }
+
+                    CDW3 = Local0
+                }
+                Else
+                {
+                    CDW1 |= 0x04
+                }
+
+                Return (Arg3)
+            }
+
+            Method (_PRT, 0, NotSerialized)  // _PRT: PCI Routing Table
+            {
+                Local0 = Package (0x80){}
+                Local1 = Zero
+                While ((Local1 < 0x80))
+                {
+                    Local2 = (Local1 >> 0x02)
+                    Local3 = ((Local1 + Local2) & 0x03)
+                    If ((Local3 == Zero))
+                    {
+                        Local4 = Package (0x04)
+                            {
+                                Zero,
+                                Zero,
+                                LNKD,
+                                Zero
+                            }
+                    }
+
+                    If ((Local3 == One))
+                    {
+                        Local4 = Package (0x04)
+                            {
+                                Zero,
+                                Zero,
+                                LNKA,
+                                Zero
+                            }
+                    }
+
+                    If ((Local3 == 0x02))
+                    {
+                        Local4 = Package (0x04)
+                            {
+                                Zero,
+                                Zero,
+                                LNKB,
+                                Zero
+                            }
+                    }
+
+                    If ((Local3 == 0x03))
+                    {
+                        Local4 = Package (0x04)
+                            {
+                                Zero,
+                                Zero,
+                                LNKC,
+                                Zero
+                            }
+                    }
+
+                    Local4 [Zero] = ((Local2 << 0x10) | 0xFFFF)
+                    Local4 [One] = (Local1 & 0x03)
+                    Local0 [Local1] = Local4
+                    Local1++
+                }
+
+                Return (Local0)
+            }
+
+            Name (_CRS, ResourceTemplate ()  // _CRS: Current Resource Settings
+            {
+                WordBusNumber (ResourceProducer, MinFixed, MaxFixed, PosDecode,
+                    0x0000,             // Granularity
+                    0x0030,             // Range Minimum
+                    0x0030,             // Range Maximum
+                    0x0000,             // Translation Offset
+                    0x0001,             // Length
+                    ,, )
+            })
+        }
+    }
+
+    Scope (\_SB)
+    {
+        Device (PC20)
+        {
+            Name (_UID, 0x20)  // _UID: Unique ID
+            Name (_BBN, 0x20)  // _BBN: BIOS Bus Number
+            Name (_HID, EisaId ("PNP0A08") /* PCI Express Bus */)  // _HID: Hardware ID
+            Name (_CID, EisaId ("PNP0A03") /* PCI Bus */)  // _CID: Compatible ID
+            Method (_OSC, 4, NotSerialized)  // _OSC: Operating System Capabilities
+            {
+                CreateDWordField (Arg3, Zero, CDW1)
+                If ((Arg0 == ToUUID ("33db4d5b-1ff7-401c-9657-7441c03dd766") /* PCI Host Bridge Device */))
+                {
+                    CreateDWordField (Arg3, 0x04, CDW2)
+                    CreateDWordField (Arg3, 0x08, CDW3)
+                    Local0 = CDW3 /* \_SB_.PC20._OSC.CDW3 */
+                    Local0 &= 0x1F
+                    If ((Arg1 != One))
+                    {
+                        CDW1 |= 0x08
+                    }
+
+                    If ((CDW3 != Local0))
+                    {
+                        CDW1 |= 0x10
+                    }
+
+                    CDW3 = Local0
+                }
+                Else
+                {
+                    CDW1 |= 0x04
+                }
+
+                Return (Arg3)
+            }
+
+            Method (_PRT, 0, NotSerialized)  // _PRT: PCI Routing Table
+            {
+                Local0 = Package (0x80){}
+                Local1 = Zero
+                While ((Local1 < 0x80))
+                {
+                    Local2 = (Local1 >> 0x02)
+                    Local3 = ((Local1 + Local2) & 0x03)
+                    If ((Local3 == Zero))
+                    {
+                        Local4 = Package (0x04)
+                            {
+                                Zero,
+                                Zero,
+                                LNKD,
+                                Zero
+                            }
+                    }
+
+                    If ((Local3 == One))
+                    {
+                        Local4 = Package (0x04)
+                            {
+                                Zero,
+                                Zero,
+                                LNKA,
+                                Zero
+                            }
+                    }
+
+                    If ((Local3 == 0x02))
+                    {
+                        Local4 = Package (0x04)
+                            {
+                                Zero,
+                                Zero,
+                                LNKB,
+                                Zero
+                            }
+                    }
+
+                    If ((Local3 == 0x03))
+                    {
+                        Local4 = Package (0x04)
+                            {
+                                Zero,
+                                Zero,
+                                LNKC,
+                                Zero
+                            }
+                    }
+
+                    Local4 [Zero] = ((Local2 << 0x10) | 0xFFFF)
+                    Local4 [One] = (Local1 & 0x03)
+                    Local0 [Local1] = Local4
+                    Local1++
+                }
+
+                Return (Local0)
+            }
+
+            Name (_CRS, ResourceTemplate ()  // _CRS: Current Resource Settings
+            {
+                WordBusNumber (ResourceProducer, MinFixed, MaxFixed, PosDecode,
+                    0x0000,             // Granularity
+                    0x0020,             // Range Minimum
+                    0x0020,             // Range Maximum
+                    0x0000,             // Translation Offset
+                    0x0001,             // Length
+                    ,, )
+            })
+        }
+    }
+
+    Scope (\_SB)
+    {
+        Device (PC10)
+        {
+            Name (_UID, 0x10)  // _UID: Unique ID
+            Name (_BBN, 0x10)  // _BBN: BIOS Bus Number
+            Name (_HID, EisaId ("PNP0A08") /* PCI Express Bus */)  // _HID: Hardware ID
+            Name (_CID, EisaId ("PNP0A03") /* PCI Bus */)  // _CID: Compatible ID
+            Method (_OSC, 4, NotSerialized)  // _OSC: Operating System Capabilities
+            {
+                CreateDWordField (Arg3, Zero, CDW1)
+                If ((Arg0 == ToUUID ("33db4d5b-1ff7-401c-9657-7441c03dd766") /* PCI Host Bridge Device */))
+                {
+                    CreateDWordField (Arg3, 0x04, CDW2)
+                    CreateDWordField (Arg3, 0x08, CDW3)
+                    Local0 = CDW3 /* \_SB_.PC10._OSC.CDW3 */
+                    Local0 &= 0x1F
+                    If ((Arg1 != One))
+                    {
+                        CDW1 |= 0x08
+                    }
+
+                    If ((CDW3 != Local0))
+                    {
+                        CDW1 |= 0x10
+                    }
+
+                    CDW3 = Local0
+                }
+                Else
+                {
+                    CDW1 |= 0x04
+                }
+
+                Return (Arg3)
+            }
+
+            Method (_PRT, 0, NotSerialized)  // _PRT: PCI Routing Table
+            {
+                Local0 = Package (0x80){}
+                Local1 = Zero
+                While ((Local1 < 0x80))
+                {
+                    Local2 = (Local1 >> 0x02)
+                    Local3 = ((Local1 + Local2) & 0x03)
+                    If ((Local3 == Zero))
+                    {
+                        Local4 = Package (0x04)
+                            {
+                                Zero,
+                                Zero,
+                                LNKD,
+                                Zero
+                            }
+                    }
+
+                    If ((Local3 == One))
+                    {
+                        Local4 = Package (0x04)
+                            {
+                                Zero,
+                                Zero,
+                                LNKA,
+                                Zero
+                            }
+                    }
+
+                    If ((Local3 == 0x02))
+                    {
+                        Local4 = Package (0x04)
+                            {
+                                Zero,
+                                Zero,
+                                LNKB,
+                                Zero
+                            }
+                    }
+
+                    If ((Local3 == 0x03))
+                    {
+                        Local4 = Package (0x04)
+                            {
+                                Zero,
+                                Zero,
+                                LNKC,
+                                Zero
+                            }
+                    }
+
+                    Local4 [Zero] = ((Local2 << 0x10) | 0xFFFF)
+                    Local4 [One] = (Local1 & 0x03)
+                    Local0 [Local1] = Local4
+                    Local1++
+                }
+
+                Return (Local0)
+            }
+
+            Name (_CRS, ResourceTemplate ()  // _CRS: Current Resource Settings
+            {
+                WordBusNumber (ResourceProducer, MinFixed, MaxFixed, PosDecode,
+                    0x0000,             // Granularity
+                    0x0010,             // Range Minimum
+                    0x0010,             // Range Maximum
+                    0x0000,             // Translation Offset
+                    0x0001,             // Length
+                    ,, )
+            })
+        }
+    }
+
     Scope (\_SB.PCI0)
     {
         Name (_CRS, ResourceTemplate ()  // _CRS: Current Resource Settings
@@ -XXX,XX +XXX,XX @@
             WordBusNumber (ResourceProducer, MinFixed, MaxFixed, PosDecode,
                 0x0000,             // Granularity
                 0x0000,             // Range Minimum
-                0x00FF,             // Range Maximum
+                0x000F,             // Range Maximum
                 0x0000,             // Translation Offset
-                0x0100,             // Length
+                0x0010,             // Length
                 ,, )
             IO (Decode16,
                 0x0CF8,             // Range Minimum
@@ -XXX,XX +XXX,XX @@
                 }
             }

+            Device (S10)
+            {
+                Name (_ADR, 0x00020000)  // _ADR: Address
+            }
+
+            Device (S18)
+            {
+                Name (_ADR, 0x00030000)  // _ADR: Address
+            }
+
+            Device (S20)
+            {
+                Name (_ADR, 0x00040000)  // _ADR: Address
+            }
+
+            Device (S28)
+            {
+                Name (_ADR, 0x00050000)  // _ADR: Address
+            }
+
             Method (PCNT, 0, NotSerialized)
             {
             }

Reviewed-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Message-id: 20211210170415.583179-8-jean-philippe@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 tests/qtest/bios-tables-test-allowed-diff.h |   2 --
 tests/data/acpi/q35/DSDT.viot               | Bin 0 -> 9398 bytes
 tests/data/acpi/q35/VIOT.viot               | Bin 0 -> 112 bytes
 3 files changed, 2 deletions(-)

diff --git a/tests/qtest/bios-tables-test-allowed-diff.h b/tests/qtest/bios-tables-test-allowed-diff.h
index XXXXXXX..XXXXXXX 100644
--- a/tests/qtest/bios-tables-test-allowed-diff.h
+++ b/tests/qtest/bios-tables-test-allowed-diff.h
@@ -XXX,XX +XXX,XX @@
 /* List of comma-separated changed AML files to ignore */
 "tests/data/acpi/virt/VIOT",
-"tests/data/acpi/q35/DSDT.viot",
-"tests/data/acpi/q35/VIOT.viot",
diff --git a/tests/data/acpi/q35/DSDT.viot b/tests/data/acpi/q35/DSDT.viot
index XXXXXXX..XXXXXXX 100644
GIT binary patch
literal 9398
zcmeHNO>7&-8J*>iv|O&FB}G~Oi$yp||57BBoWHhc5OS9yDTx$CQgH$r;8Idr*-4Q_
z5(9Az1F`}niVsB-)<KW7p`g9Br(A2Gm-gmc1N78GFS!;)e2V(MnH_0{q<{#yMgn&C
zn|*J-d9yqFhO_H6z19~`FlPL*u<DkZ*}|)JH;X@mF-FI<cPg<fti9tEN*yB^i5czN
zNq&q?!OZ;BE3B7{KWzJ-`Tn~f`9?Qj8~2^N8{Oc8J%57{==w%rS#;nOCp*nTr@iZ1
zb+?i;JLQUJ=O0?8*>S~D)a>NF1~WVB6^~_B#yhJ`H+JU@=6aXs`?Yv)J2h=N?drcS
zeLZ*n<<Bm^n}6`jfBx#u8&(W}1?)}iF9o#mZ~E2+zwdn7yK3AbIzKnxpZ>JRPm3~#
z&ICS{+_OayRW-l=Mtk=~uaS3o8z<_udd|(wqg`&JnVPfCe>BUOO`Su3e>pff_^UW%
z&JE^NO`)=Amg~iqRB1pPscP?(>#ZuY8GHCmlEvD$9g3%4Db~Dfz2SATnddvrR-Oe^
z;s;dJec!hnzi)ri^I6YN9vtkm{^TdUF8h7gX8-<Qe4p)GQ=)AtYx2VcwdLVAEXEjG
z^Mj|UHPqkj-LsWuzQem1>F3atdZn=zv3$#RmZzSHN+6-yyU#8cJb=YDilX&sl}vNm
znkgAR^O<3kj4if>{ly5fwRfMWuC5=lrlvKPX~i#654Cp}R_d*JS$9laZ$ra6)<ns8
zFZy28G%xP(nit&F>LDi%G<tIc=TY=gl$jSD&Uv!Yat~XR46h%rI$!}a%!|xG7u8Zn
zeY8_|n=K>xz_v_W8VX$W-Fg-qFWcT}7MCyz{%%{ia7hZ>Law-k6NOr}VI&_48U=2l
zwqDKFE8eTwwozDdms#e?x?5a|v>&JF;2_v0L~z5n%BYU^52<*cWuD4|GYUm@1+?))
zte^45>Rz)t*<T5V#={r>@t@{%?^i#W{i=HAZ*Dc9y59Va-+#P!jrGs;u38a{fLr`N
zvT@rUu>DljxJ?^&Z?-?vyJn3C>3D=qux{Y*bs5|5n)Qmi$TD^Zdn4GU$ocJS2Hh-<
z`xPI^^+v0nUVdjMos8k`WGl7hA`{03ju%<lrgAHSpd^DRf-*}_#Ly0mB!LSfVgWcQ
z&T$@~G9)JI=hz5m0vkrel+Xy{Oh7pkAu-V!j*W7rY(bO}Q$nMH2`FbGB&N)QaV4<4
zo)~9JXiP9=;}NPl<C@MmXG&;XFlFNrsyfFsonxFSp<}vEgsRSQP3O3#b6nSnP}ON_
zI!#Tdsp~|j>ckUB>FI=~GokB5sOq#dotCE4(sd$KbtW~PNlj-`*NIToiD#j5J#9^=
zt?NXn>YUJYPG~wObe#xQos*i*NloXZt`niEb4t@WrRki~bs|)CI+{*L)9L6s5vn><
zn$DD_Go|Z9sOn5>I@6lYw5}7Os&iV?Ij!lO)^#FOb!If38BJ$K*NIToIiu;E(R9w}
zIuWWmPiZ<&X*y5oIuWWmF_XaEC!a&Jn$B5WCqh-{X-(&8P3LJ{Cqh-{8P3dyPr@^t
zSqL9?X9Uwd3W@23*s~h*tj0X6GZCuHa~kuU#yqDp5vt7d8uPryJg+kms?5hU=3^T3
zF`bD}WnSP+=`t5MQ$FJ_2&Q~+BP6E0f^%BVIW6a$o)e+SX~IDBih-7z6{O~7YTy`&
zLjy&Cv?7QikV#>n0>>@MV8oK`Gmun34-FKdlm-J8SZSaNlnhir4-FI{S|bfqV8e)V
zss<{chX#reE#g=hsKAC%sF6d-Km}BWs!kZFsFpKfpbC@>6rprQGEjt4Ck#|zITHq|
zK*>M_l;<P^MJRQ`Kn0dFVW0|>3{*fllMEE0)CmI>Sk8ojDo`>|0p(0GP=xY&!axO<
zGhv_#lnhirIg<<&q0|Wj6<E%MfhtfkPyyvkGEjt4Ck#|zITHq|K*>M_lrzad5lWpf
zP=V!47^ngz0~JutBm+e#b;3XemNQ|X3X}{~Ksl2P6rt1!0~J`#gn=qhGEf2KOfpb}
zQYQ>lU^x>8szAv=1(Y+%KoLrvFi?TzOc<yFB?A>u&LjgxD0RX>1(q{mpbC@>R6seC
z3>2Z%2?G^a&V+#~P%=;f<xDbAgi<FARA4z12C6{GKn0XD$v_cGoiI>=<xCi;0wn_#
zP|hR+MJRQ`Kn0dFVW0|>3{*fllMEE0)CmI>Sk8ojDo`>|0p(0GP=rz^3{+q_69%e4
z$v_2^Gs!>^N}VuJf#pmXr~)Me6;RG314Srx!axxz28u{EP=u<1B2)}iVZuNaCK;&0
zBm-5LFi?dF167!0pbC==RAItE6($T+VUmF=Ofpb~2?JG_Fi?d_2C6X0Kouqo6p_5T
zFi=FeV!SiSKoR0H$dH(_Z(*Q_WZ%L-5y`$K14StNmJAdjmWs}HV4<vU_xO+1efmLq
zZ;W>N_U)fP6Qy6Nw5mbt9Y(#emWSi66=>tq#xoh#Ue=0qyhxi8ZOUe5y0V7VfPUhp
zwX=;ymc+i5%sg9Ja~lZ&8oAV@mHc>&CHP9v4R(jhtT?un;O4e9#pno)Xkh7OWgK&a
zyj=3Iv0OuoK_;5rOr5f(Kb~ZXDBO+V`OWYo#_C08imwChQxnjdd?wZLDou8aj;$SD
zGDYiA3<$Tu<JnHL(KPOChi#zrR32t83}naR$+ym4P_h?z_5#|cW-nw$XD_sOtE62l
zrD3@*)NVyiklt0&yF9%+klsBey&I<Y2E<!f(E8TuJte)z(|ZHyy<^gQVfx}=`q&B5
z7nSryp1wGczIaUfVwiq$Fn#<4=@*ssi#+|}K>EdF(l3VTOM~ghPLRH&q%ZOGrGfON
zW73zx^yR_y<0nX8R??Sw`tm^f@-gYlNFSp|*<gA{q?Zp5Oe-+l#rmyYmKozi9y=P>
zVReJU*h=ZuVXiS$ohTbw-O#v9>(yZbGE|)?8(H1ZIKvV!jWa0>vy!3eMA^vdhQ>`s
zuMSg{q3T50$m)j1!HixV<}X9liL#N^4c*tL^y)CF8LCc{jjV3yKAqL8!%SzWI#H%q
z=bSrQ&)%JCRttF5g4Zf`6l?y@>PzD7MA^D>wBlcH6r1ucwJ<p0O%rZ?JzIY3-QdmZ
zzs|n>`a5r3e|z)wcUaqS>nqFQ-8x}eCF4u`OWUxqst-@1rSmUs%WmKP5e0dcb?e2N
z;Z|x*!);VwF|Yuhqs^khqOM!@u*jY!WYldISF(V6`BoNd&6Qfk3>X#SuD^7J>p_D=
zBPa51y^_n#=cpOt#Zf$ya$Ae9Mfz56n|<i!a=ELS@)%a{^NIH3SDuN<R~sah1km#P
zU@?*f%<rG=4W1wgfi;C?_n|W@%lm$&8YfvNOJodIg&IcIpIJQRHr<+ej11GQ6)&eF
z2Lam*jIH}#y0>KnY%4JQfOYS$*uU%f#@$U6`N8I3N-lV?5ErFCdv~xDmu2(wexld4
z4v^;aVAT2k6GJ^m*FD(Wqc(Qg^)6a<?}h$zLoj}4;PP!+(O{@!a1y-hoAhF_7!z+6
zslpAmNtYbjHrw-~#SPVk_FUf>-Obg6yV`8o$8_`PyJe_;bY5_EMBfBfWU!Q=*9HsG
z%_Cda{@_Krr!oHVhv9+y+T5qR8zZ2aZ>5r!$*|f$^U%yBUYfR&B!+EYy_PwL!BeUi
zJH^}r3r9Q+B)X@Z)fk=P13w&7x#wBtXTZ)g>WITPg5r&pQc!nmyrmk#S(>>b9xnNr
zx_b#v9Xv-Y><Wb%?S^0Xe&<)bbKl_=Z|3C$tf|F<bYzE*mfHB;uC)`q-?buaBe?l?
zcLTpK*k<49Z32`K?|nSBMFqxTK^_IE-li2fEGdK~(ZdoKBl6ab4a;Hler#`xvEXJG
zb?<E%EZExfX>jcOVhS*0rS~RS1dA#xhkv@Nct@#q?LyeKS<$uFec!bw>{@uu$gZ6a
zyVen1i{1BKd%~`D7|m$;U0a<I*3I7%^N%N%lGYdU_GS!gaR8T$NA@GzFi~z`l7hdl
zarZy6590|88pi(1zq;V(>38zM0sT&<zX;R5$1w3;`_JMG`;&I&0Y23DMx1%@(w(R9
z4M$j;D5J+Gy%fijRQsctzFKf&cv|BAz#YLq3CZJWDdtL4u1u1|mkdcUp7|sxJC+?Y
z_@@s`v3j}Q7*z>6X~cwUxUL8G1KT)_XTp!KAbs;vCp{K3&~_X@+ew=-D}v`2MbFV0
zQsVsL=rXi-pI*G|iiz;VTCutgUs)hDzV1+4?8KcoP3xROf<M%qC6lgVdpFt4<-|uM
z=#rl_b1#YjSIl6Toj2z_hOZcKupkdE(LozC(fN=FY(x|sk)ym|;Rq2E1xJWD%Z!ol
Gu>S+TT-130

literal 0
HcmV?d00001

diff --git a/tests/data/acpi/q35/VIOT.viot b/tests/data/acpi/q35/VIOT.viot
index XXXXXXX..XXXXXXX 100644
GIT binary patch
literal 112
zcmWIZ^baXu00LVle`k+i1*eDrX9XZ&1PX!JAex!M0Hgv8m>C3sGzdcgBZCA3T-xBj
Q0Zb)W9Hva*zW_`e0M!8s0RR91

literal 0
HcmV?d00001

-- 
2.25.1

From: Jean-Philippe Brucker <jean-philippe@linaro.org>

The VIOT blob contains the following:

[000h 0000   4]                    Signature : "VIOT"    [Virtual I/O Translation Table]
[004h 0004   4]                 Table Length : 00000058
[008h 0008   1]                     Revision : 00
[009h 0009   1]                     Checksum : 66
[00Ah 0010   6]                       Oem ID : "BOCHS "
[010h 0016   8]                 Oem Table ID : "BXPC    "
[018h 0024   4]                 Oem Revision : 00000001
[01Ch 0028   4]              Asl Compiler ID : "BXPC"
[020h 0032   4]        Asl Compiler Revision : 00000001

[024h 0036   2]                   Node count : 0002
[026h 0038   2]                  Node offset : 0030
[028h 0040   8]                     Reserved : 0000000000000000

[030h 0048   1]                         Type : 03 [VirtIO-PCI IOMMU]
[031h 0049   1]                     Reserved : 00
[032h 0050   2]                       Length : 0010

[034h 0052   2]                  PCI Segment : 0000
[036h 0054   2]               PCI BDF number : 0008
[038h 0056   8]                     Reserved : 0000000000000000

[040h 0064   1]                         Type : 01 [PCI Range]
[041h 0065   1]                     Reserved : 00
[042h 0066   2]                       Length : 0018

[044h 0068   4]               Endpoint start : 00000000
[048h 0072   2]            PCI Segment start : 0000
[04Ah 0074   2]              PCI Segment end : 0000
[04Ch 0076   2]                PCI BDF start : 0000
[04Eh 0078   2]                  PCI BDF end : 00FF
[050h 0080   2]                  Output node : 0030
[052h 0082   6]                     Reserved : 000000000000

Acked-by: Ani Sinha <ani@anisinha.ca>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Message-id: 20211210170415.583179-9-jean-philippe@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 tests/qtest/bios-tables-test-allowed-diff.h |   1 -
 tests/data/acpi/virt/VIOT                   | Bin 0 -> 88 bytes
 2 files changed, 1 deletion(-)

literal 0
HcmV?d00001

-- 
2.25.1