Series comparison

-[Qemu-devel] [PULL 00/19] target-arm queue
+[PULL 0/3] target-arm queue
-First arm pullreq of the 2.13 cycle!
+Only thing for Arm for rc1 is RTH's fix for the KVM SVE probe code.
 -- PMM
-The following changes since commit 4743c23509a51bd4ee85cc272287a41917d1be35:
+The following changes since commit 4e06b3fc1b5e1ec03f22190eabe56891dc9c2236:
-  Update version for v2.12.0 release (2018-04-24 16:44:55 +0100)
+  Merge tag 'pull-hex-20220731' of https://github.com/quic/qemu into staging (2022-07-31 21:38:54 -0700)
 are available in the Git repository at:
-  git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20180426
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20220801
-for you to fetch changes up to fbf32752663878947de455ff57cb5b9318f14bec:
+for you to fetch changes up to 5265d24c981dfdda8d29b44f7e84a514da75eedc:
-  xilinx_spips: Correct SNOOP_NONE state when flushing the txfifo (2018-04-26 11:04:40 +0100)
+  target/arm: Move sve probe inside kvm >= 4.15 branch (2022-08-01 16:21:18 +0100)
 ----------------------------------------------------------------
 target-arm queue:
- * xilinx_spips: Correct SNOOP_NONE state when flushing the txfifo
+ * Fix KVM SVE ID register probe code
  * timer/aspeed: fix vmstate version id
  * hw/arm/aspeed_soc: don't use vmstate_register_ram_global for SRAM
  * hw/arm/aspeed: don't make 'boot_rom' region 'nomigrate'
  * hw/arm/highbank: don't make sysram 'nomigrate'
  * hw/arm/raspi: Don't bother setting default_cpu_type
  * PMU emulation: some minor bugfixes and preparation for
    support of other events than just the cycle counter
  * target/arm: Use v7m_stack_read() for reading the frame signature
  * target/arm: Remove stale TODO comment
  * arm: always start from first_cpu when registering loader cpu reset callback
  * device_tree: Increase FDT_MAX_SIZE to 1 MiB
 ----------------------------------------------------------------
-Aaron Lindsay (9):
+Richard Henderson (3):
-      target/arm: Check PMCNTEN for whether PMCCNTR is enabled
+      target/arm: Use kvm_arm_sve_supported in kvm_arm_get_host_cpu_features
-      target/arm: Treat PMCCNTR as alias of PMCCNTR_EL0
+      target/arm: Set KVM_ARM_VCPU_SVE while probing the host
-      target/arm: Mask PMU register writes based on PMCR_EL0.N
+      target/arm: Move sve probe inside kvm >= 4.15 branch
       target/arm: Fetch GICv3 state directly from CPUARMState
       target/arm: Support multiple EL change hooks
       target/arm: Add pre-EL change hooks
       target/arm: Allow EL change hooks to do IO
       target/arm: Fix bitmask for PMCCFILTR writes
       target/arm: Make PMOVSCLR and PMUSERENR 64 bits wide
-Cédric Le Goater (1):
+ target/arm/kvm64.c | 45 ++++++++++++++++++++++-----------------------
-      timer/aspeed: fix vmstate version id
+file changed, 22 insertions(+), 23 deletions(-)
 Geert Uytterhoeven (1):
       device_tree: Increase FDT_MAX_SIZE to 1 MiB
 Igor Mammedov (1):
       arm: always start from first_cpu when registering loader cpu reset callback
 Peter Maydell (6):
       target/arm: Remove stale TODO comment
       target/arm: Use v7m_stack_read() for reading the frame signature
       hw/arm/raspi: Don't bother setting default_cpu_type
       hw/arm/highbank: don't make sysram 'nomigrate'
       hw/arm/aspeed: don't make 'boot_rom' region 'nomigrate'
       hw/arm/aspeed_soc: don't use vmstate_register_ram_global for SRAM
 Sai Pavan Boddu (1):
       xilinx_spips: Correct SNOOP_NONE state when flushing the txfifo
  target/arm/cpu.h           | 48 +++++++++++++++++-------------
  target/arm/internals.h     | 14 +++++++--
  device_tree.c              |  2 +-
  hw/arm/aspeed.c            |  2 +-
  hw/arm/aspeed_soc.c        |  3 +-
  hw/arm/boot.c              |  2 +-
  hw/arm/highbank.c          |  2 +-
  hw/arm/raspi.c             |  2 --
  hw/intc/arm_gicv3_cpuif.c  | 10 ++-----
  hw/ssi/xilinx_spips.c      |  3 +-
  hw/timer/aspeed_timer.c    |  2 +-
  target/arm/cpu.c           | 37 +++++++++++++++++++----
  target/arm/helper.c        | 73 ++++++++++++++++++++++++++--------------------
  target/arm/op_helper.c     |  8 +++++
  target/arm/translate-a64.c |  6 ++++
  target/arm/translate.c     | 12 ++++++++
 files changed, 148 insertions(+), 78 deletions(-)

-[Qemu-devel] [PULL 18/19] timer/aspeed: fix vmstate version id
+[PULL 1/3] target/arm: Use kvm_arm_sve_supported in kvm_arm_get_host_cpu_features
-From: Cédric Le Goater <clg@kaod.org>
+From: Richard Henderson <richard.henderson@linaro.org>
-commit 1d3e65aa7ac5 ("hw/timer: Add value matching support to
+Indication for support for SVE will not depend on whether we
-aspeed_timer") increased the vmstate version of aspeed.timer because
+perform the query on the main kvm_state or the temp vcpu.
 the state had changed, but it also bumped the version of the
 VMSTATE_STRUCT_ARRAY under the aspeed.timerctrl which did not need to.
-Change back this version to fix migration.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220726045828.53697-2-richard.henderson@linaro.org
 Signed-off-by: Cédric Le Goater <clg@kaod.org>
 Message-id: 20180423101433.17759-1-clg@kaod.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/timer/aspeed_timer.c | 2 +-
+ target/arm/kvm64.c | 2 +-
 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/hw/timer/aspeed_timer.c b/hw/timer/aspeed_timer.c
+diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/timer/aspeed_timer.c
+--- a/target/arm/kvm64.c
-+++ b/hw/timer/aspeed_timer.c
++++ b/target/arm/kvm64.c
-@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_aspeed_timer_state = {
+@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
-         VMSTATE_UINT32(ctrl, AspeedTimerCtrlState),
+         }
          VMSTATE_UINT32(ctrl2, AspeedTimerCtrlState),
          VMSTATE_STRUCT_ARRAY(timers, AspeedTimerCtrlState,
 -                             ASPEED_TIMER_NR_TIMERS, 2, vmstate_aspeed_timer,
 +                             ASPEED_TIMER_NR_TIMERS, 1, vmstate_aspeed_timer,
                               AspeedTimer),
          VMSTATE_END_OF_LIST()
      }
+-    sve_supported = ioctl(fdarray[0], KVM_CHECK_EXTENSION, KVM_CAP_ARM_SVE) > 0;
++    sve_supported = kvm_arm_sve_supported();
+     /* Add feature bits that can't appear until after VCPU init. */
+     if (sve_supported) {
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 01/19] device_tree: Increase FDT_MAX_SIZE to 1 MiB
+[PULL 2/3] target/arm: Set KVM_ARM_VCPU_SVE while probing the host
-From: Geert Uytterhoeven <geert+renesas@glider.be>
+From: Richard Henderson <richard.henderson@linaro.org>
-It is not uncommon for a contemporary FDT to be larger than 64 KiB,
+Because we weren't setting this flag, our probe of ID_AA64ZFR0
-leading to failures loading the device tree from sysfs:
+was always returning zero.  This also obviates the adjustment
 of ID_AA64PFR0, which had sanitized the SVE field.
-    qemu-system-aarch64: qemu_fdt_setprop: Couldn't set ...: FDT_ERR_NOSPACE
+The effects of the bug are not visible, because the only thing that
 ID_AA64ZFR0 is used for within qemu at present is tcg translation.
 The other tests for SVE within KVM are via ID_AA64PFR0.SVE.
-Hence increase the limit to 1 MiB, like on PPC.
+Reported-by: Zenghui Yu <yuzenghui@huawei.com>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-For reference, the largest arm64 DTB created from the Linux sources is
+Message-id: 20220726045828.53697-3-richard.henderson@linaro.org
 ca. 75 KiB large (100 KiB when built with symbols/fixup support).
 Cc: qemu-stable@nongnu.org
 Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
 Message-id: 1523541337-23919-1-git-send-email-geert+renesas@glider.be
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- device_tree.c | 2 +-
+ target/arm/kvm64.c | 27 +++++++++++++--------------
-file changed, 1 insertion(+), 1 deletion(-)
+file changed, 13 insertions(+), 14 deletions(-)
-diff --git a/device_tree.c b/device_tree.c
+diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
 index XXXXXXX..XXXXXXX 100644
---- a/device_tree.c
+--- a/target/arm/kvm64.c
-+++ b/device_tree.c
++++ b/target/arm/kvm64.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
+     bool sve_supported;
- #include <libfdt.h>
+     bool pmu_supported = false;
+     uint64_t features = 0;
--#define FDT_MAX_SIZE  0x10000
+-    uint64_t t;
-+#define FDT_MAX_SIZE  0x100000
+     int err;
- void *create_device_tree(int *sizep)
+     /* Old kernels may not know about the PREFERRED_TARGET ioctl: however
- {
+@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
      struct kvm_vcpu_init init = { .target = -1, };
      /*
 -     * Ask for Pointer Authentication if supported. We can't play the
 -     * SVE trick of synthesising the ID reg as KVM won't tell us
 -     * whether we have the architected or IMPDEF version of PAuth, so
 -     * we have to use the actual ID regs.
 +     * Ask for SVE if supported, so that we can query ID_AA64ZFR0,
 +     * which is otherwise RAZ.
 +     */
 +    sve_supported = kvm_arm_sve_supported();
 +    if (sve_supported) {
 +        init.features[0] |= 1 << KVM_ARM_VCPU_SVE;
 +    }
 +
 +    /*
 +     * Ask for Pointer Authentication if supported, so that we get
 +     * the unsanitized field values for AA64ISAR1_EL1.
       */
      if (kvm_arm_pauth_supported()) {
          init.features[0] |= (1 << KVM_ARM_VCPU_PTRAUTH_ADDRESS |
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
          }
      }
 -    sve_supported = kvm_arm_sve_supported();
 -
 -    /* Add feature bits that can't appear until after VCPU init. */
      if (sve_supported) {
 -        t = ahcf->isar.id_aa64pfr0;
 -        t = FIELD_DP64(t, ID_AA64PFR0, SVE, 1);
 -        ahcf->isar.id_aa64pfr0 = t;
 -
          /*
           * There is a range of kernels between kernel commit 73433762fcae
           * and f81cb2c3ad41 which have a bug where the kernel doesn't expose
           * SYS_ID_AA64ZFR0_EL1 via the ONE_REG API unless the VM has enabled
 -         * SVE support, so we only read it here, rather than together with all
 -         * the other ID registers earlier.
 +         * SVE support, which resulted in an error rather than RAZ.
 +         * So only read the register if we set KVM_ARM_VCPU_SVE above.
           */
          err |= read_sys_reg64(fdarray[2], &ahcf->isar.id_aa64zfr0,
                                ARM64_SYS_REG(3, 0, 0, 4, 4));
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 02/19] arm: always start from first_cpu when registering loader cpu reset callback
+Deleted patch
-From: Igor Mammedov <imammedo@redhat.com>
-if arm_load_kernel() were passed non first_cpu, QEMU would end up
-with partially set do_cpu_reset() callback leaving some CPUs without it.
-Make sure that do_cpu_reset() is registered for all CPUs by enumerating
-CPUs from first_cpu.
-(In practice every board that we have was passing us the first CPU
-as the boot CPU, either directly or indirectly, so this wasn't
-causing incorrect behaviour.)
-Signed-off-by: Igor Mammedov <imammedo@redhat.com>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-[PMM: added a note that this isn't a behaviour change]
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/arm/boot.c | 2 +-
-file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/hw/arm/boot.c b/hw/arm/boot.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/boot.c
-+++ b/hw/arm/boot.c
-@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info)
-      * actually loading a kernel, the handler is also responsible for
-      * arranging that we start it correctly.
-      */
--    for (cs = CPU(cpu); cs; cs = CPU_NEXT(cs)) {
-+    for (cs = first_cpu; cs; cs = CPU_NEXT(cs)) {
-         qemu_register_reset(do_cpu_reset, ARM_CPU(cs));
-     }
- }
---
-.17.0

-[Qemu-devel] [PULL 03/19] target/arm: Remove stale TODO comment
+Deleted patch
-Remove a stale TODO comment -- we have now made the arm_ldl_ptw()
-and arm_ldq_ptw() functions propagate physical memory read errors
-out to their callers.
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Message-id: 20180419142151.9862-1-peter.maydell@linaro.org
----
- target/arm/helper.c | 8 +-------
-file changed, 1 insertion(+), 7 deletions(-)
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static hwaddr S1_ptw_translate(CPUARMState *env, ARMMMUIdx mmu_idx,
-     return addr;
- }
--/* All loads done in the course of a page table walk go through here.
-- * TODO: rather than ignoring errors from physical memory reads (which
-- * are external aborts in ARM terminology) we should propagate this
-- * error out so that we can turn it into a Data Abort if this walk
-- * was being done for a CPU load/store or an address translation instruction
-- * (but not if it was for a debug access).
-- */
-+/* All loads done in the course of a page table walk go through here. */
- static uint32_t arm_ldl_ptw(CPUState *cs, hwaddr addr, bool is_secure,
-                             ARMMMUIdx mmu_idx, ARMMMUFaultInfo *fi)
- {
---
-.17.0

-[Qemu-devel] [PULL 04/19] target/arm: Use v7m_stack_read() for reading the frame signature
+Deleted patch
-In commit 95695effe8caa552b8f2 we changed the v7M/v8M stack
-pop code to use a new v7m_stack_read() function that checks
-whether the read should fail due to an MPU or bus abort.
-We missed one call though, the one which reads the signature
-word for the callee-saved register part of the frame.
-Correct the omission.
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180419142106.9694-1-peter.maydell@linaro.org
----
- target/arm/helper.c | 9 +++++----
-file changed, 5 insertions(+), 4 deletions(-)
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static bool v7m_push_stack(ARMCPU *cpu)
- static void do_v7m_exception_exit(ARMCPU *cpu)
- {
-     CPUARMState *env = &cpu->env;
--    CPUState *cs = CPU(cpu);
-     uint32_t excret;
-     uint32_t xpsr;
-     bool ufault = false;
-@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
-             ((excret & R_V7M_EXCRET_ES_MASK) == 0 ||
-              (excret & R_V7M_EXCRET_DCRS_MASK) == 0)) {
-             uint32_t expected_sig = 0xfefa125b;
--            uint32_t actual_sig = ldl_phys(cs->as, frameptr);
-+            uint32_t actual_sig;
--            if (expected_sig != actual_sig) {
-+            pop_ok = v7m_stack_read(cpu, &actual_sig, frameptr, mmu_idx);
-+
-+            if (pop_ok && expected_sig != actual_sig) {
-                 /* Take a SecureFault on the current stack */
-                 env->v7m.sfsr |= R_V7M_SFSR_INVIS_MASK;
-                 armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
-@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
-                 return;
-             }
--            pop_ok =
-+            pop_ok = pop_ok &&
-                 v7m_stack_read(cpu, &env->regs[4], frameptr + 0x8, mmu_idx) &&
-                 v7m_stack_read(cpu, &env->regs[4], frameptr + 0x8, mmu_idx) &&
-                 v7m_stack_read(cpu, &env->regs[5], frameptr + 0xc, mmu_idx) &&
---
-.17.0

-[Qemu-devel] [PULL 05/19] target/arm: Check PMCNTEN for whether PMCCNTR is enabled
+Deleted patch
-From: Aaron Lindsay <alindsay@codeaurora.org>
-Signed-off-by: Aaron Lindsay <alindsay@codeaurora.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 1523997485-1905-2-git-send-email-alindsay@codeaurora.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/helper.c | 2 +-
-file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static inline bool arm_ccnt_enabled(CPUARMState *env)
- {
-     /* This does not support checking PMCCFILTR_EL0 register */
--    if (!(env->cp15.c9_pmcr & PMCRE)) {
-+    if (!(env->cp15.c9_pmcr & PMCRE) || !(env->cp15.c9_pmcnten & (1 << 31))) {
-         return false;
-     }
---
-.17.0

-[Qemu-devel] [PULL 06/19] target/arm: Treat PMCCNTR as alias of PMCCNTR_EL0
+Deleted patch
-From: Aaron Lindsay <alindsay@codeaurora.org>
-They share the same underlying state
-Signed-off-by: Aaron Lindsay <alindsay@codeaurora.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 1523997485-1905-3-git-send-email-alindsay@codeaurora.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/helper.c | 2 +-
-file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v7_cp_reginfo[] = {
-       .fieldoffset = offsetof(CPUARMState, cp15.c9_pmselr),
-       .writefn = pmselr_write, .raw_writefn = raw_write, },
-     { .name = "PMCCNTR", .cp = 15, .crn = 9, .crm = 13, .opc1 = 0, .opc2 = 0,
--      .access = PL0_RW, .resetvalue = 0, .type = ARM_CP_IO,
-+      .access = PL0_RW, .resetvalue = 0, .type = ARM_CP_ALIAS | ARM_CP_IO,
-       .readfn = pmccntr_read, .writefn = pmccntr_write32,
-       .accessfn = pmreg_access_ccntr },
-     { .name = "PMCCNTR_EL0", .state = ARM_CP_STATE_AA64,
---
-.17.0

-[Qemu-devel] [PULL 07/19] target/arm: Mask PMU register writes based on PMCR_EL0.N
+Deleted patch
-From: Aaron Lindsay <alindsay@codeaurora.org>
-This is in preparation for enabling counters other than PMCCNTR
-Signed-off-by: Aaron Lindsay <alindsay@codeaurora.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 1523997485-1905-5-git-send-email-alindsay@codeaurora.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/helper.c | 31 ++++++++++++++++++++++---------
-file changed, 22 insertions(+), 9 deletions(-)
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ typedef struct V8M_SAttributes {
- static void v8m_security_lookup(CPUARMState *env, uint32_t address,
-                                 MMUAccessType access_type, ARMMMUIdx mmu_idx,
-                                 V8M_SAttributes *sattrs);
--
--/* Definitions for the PMCCNTR and PMCR registers */
--#define PMCRD   0x8
--#define PMCRC   0x4
--#define PMCRE   0x1
- #endif
- static int vfp_gdb_get_reg(CPUARMState *env, uint8_t *buf, int reg)
-@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v6_cp_reginfo[] = {
-     REGINFO_SENTINEL
- };
-+/* Definitions for the PMU registers */
-+#define PMCRN_MASK  0xf800
-+#define PMCRN_SHIFT 11
-+#define PMCRD   0x8
-+#define PMCRC   0x4
-+#define PMCRE   0x1
-+
-+static inline uint32_t pmu_num_counters(CPUARMState *env)
-+{
-+  return (env->cp15.c9_pmcr & PMCRN_MASK) >> PMCRN_SHIFT;
-+}
-+
-+/* Bits allowed to be set/cleared for PMCNTEN* and PMINTEN* */
-+static inline uint64_t pmu_counter_mask(CPUARMState *env)
-+{
-+  return (1 << 31) | ((1 << pmu_num_counters(env)) - 1);
-+}
-+
- static CPAccessResult pmreg_access(CPUARMState *env, const ARMCPRegInfo *ri,
-                                    bool isread)
- {
-@@ -XXX,XX +XXX,XX @@ static void pmccfiltr_write(CPUARMState *env, const ARMCPRegInfo *ri,
- static void pmcntenset_write(CPUARMState *env, const ARMCPRegInfo *ri,
-                             uint64_t value)
- {
--    value &= (1 << 31);
-+    value &= pmu_counter_mask(env);
-     env->cp15.c9_pmcnten |= value;
- }
- static void pmcntenclr_write(CPUARMState *env, const ARMCPRegInfo *ri,
-                              uint64_t value)
- {
--    value &= (1 << 31);
-+    value &= pmu_counter_mask(env);
-     env->cp15.c9_pmcnten &= ~value;
- }
-@@ -XXX,XX +XXX,XX @@ static void pmintenset_write(CPUARMState *env, const ARMCPRegInfo *ri,
-                              uint64_t value)
- {
-     /* We have no event counters so only the C bit can be changed */
--    value &= (1 << 31);
-+    value &= pmu_counter_mask(env);
-     env->cp15.c9_pminten |= value;
- }
- static void pmintenclr_write(CPUARMState *env, const ARMCPRegInfo *ri,
-                              uint64_t value)
- {
--    value &= (1 << 31);
-+    value &= pmu_counter_mask(env);
-     env->cp15.c9_pminten &= ~value;
- }
---
-.17.0

-[Qemu-devel] [PULL 08/19] target/arm: Fetch GICv3 state directly from CPUARMState
+Deleted patch
-From: Aaron Lindsay <alindsay@codeaurora.org>
-This eliminates the need for fetching it from el_change_hook_opaque, and
-allows for supporting multiple el_change_hooks without having to hack
-something together to find the registered opaque belonging to GICv3.
-Signed-off-by: Aaron Lindsay <alindsay@codeaurora.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 1523997485-1905-6-git-send-email-alindsay@codeaurora.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/cpu.h          | 10 ----------
- hw/intc/arm_gicv3_cpuif.c | 10 ++--------
-files changed, 2 insertions(+), 18 deletions(-)
-diff --git a/target/arm/cpu.h b/target/arm/cpu.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
-+++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ static inline AddressSpace *arm_addressspace(CPUState *cs, MemTxAttrs attrs)
- void arm_register_el_change_hook(ARMCPU *cpu, ARMELChangeHook *hook,
-                                  void *opaque);
--/**
-- * arm_get_el_change_hook_opaque:
-- * Return the opaque data that will be used by the el_change_hook
-- * for this CPU.
-- */
--static inline void *arm_get_el_change_hook_opaque(ARMCPU *cpu)
--{
--    return cpu->el_change_hook_opaque;
--}
--
- /**
-  * aa32_vfp_dreg:
-  * Return a pointer to the Dn register within env in 32-bit mode.
-diff --git a/hw/intc/arm_gicv3_cpuif.c b/hw/intc/arm_gicv3_cpuif.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/arm_gicv3_cpuif.c
-+++ b/hw/intc/arm_gicv3_cpuif.c
-@@ -XXX,XX +XXX,XX @@ void gicv3_set_gicv3state(CPUState *cpu, GICv3CPUState *s)
- static GICv3CPUState *icc_cs_from_env(CPUARMState *env)
- {
--    /* Given the CPU, find the right GICv3CPUState struct.
--     * Since we registered the CPU interface with the EL change hook as
--     * the opaque pointer, we can just directly get from the CPU to it.
--     */
--    return arm_get_el_change_hook_opaque(arm_env_get_cpu(env));
-+    return env->gicv3state;
- }
- static bool gicv3_use_ns_bank(CPUARMState *env)
-@@ -XXX,XX +XXX,XX @@ void gicv3_init_cpuif(GICv3State *s)
-          * it might be with code translated by CPU 0 but run by CPU 1, in
-          * which case we'd get the wrong value.
-          * So instead we define the regs with no ri->opaque info, and
--         * get back to the GICv3CPUState from the ARMCPU by reading back
--         * the opaque pointer from the el_change_hook, which we're going
--         * to need to register anyway.
-+         * get back to the GICv3CPUState from the CPUARMState.
-          */
-         define_arm_cp_regs(cpu, gicv3_cpuif_reginfo);
-         if (arm_feature(&cpu->env, ARM_FEATURE_EL2)
---
-.17.0

-[Qemu-devel] [PULL 09/19] target/arm: Support multiple EL change hooks
+Deleted patch
-From: Aaron Lindsay <alindsay@codeaurora.org>
-Signed-off-by: Aaron Lindsay <alindsay@codeaurora.org>
-Message-id: 1523997485-1905-7-git-send-email-alindsay@codeaurora.org
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/cpu.h       | 20 ++++++++++----------
- target/arm/internals.h |  7 ++++---
- target/arm/cpu.c       | 21 ++++++++++++++++-----
-files changed, 30 insertions(+), 18 deletions(-)
-diff --git a/target/arm/cpu.h b/target/arm/cpu.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
-+++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ typedef struct CPUARMState {
- } CPUARMState;
- /**
-- * ARMELChangeHook:
-+ * ARMELChangeHookFn:
-  * type of a function which can be registered via arm_register_el_change_hook()
-  * to get callbacks when the CPU changes its exception level or mode.
-  */
--typedef void ARMELChangeHook(ARMCPU *cpu, void *opaque);
--
-+typedef void ARMELChangeHookFn(ARMCPU *cpu, void *opaque);
-+typedef struct ARMELChangeHook ARMELChangeHook;
-+struct ARMELChangeHook {
-+    ARMELChangeHookFn *hook;
-+    void *opaque;
-+    QLIST_ENTRY(ARMELChangeHook) node;
-+};
- /* These values map onto the return values for
-  * QEMU_PSCI_0_2_FN_AFFINITY_INFO */
-@@ -XXX,XX +XXX,XX @@ struct ARMCPU {
-      */
-     bool cfgend;
--    ARMELChangeHook *el_change_hook;
--    void *el_change_hook_opaque;
-+    QLIST_HEAD(, ARMELChangeHook) el_change_hooks;
-     int32_t node_id; /* NUMA node this CPU belongs to */
-@@ -XXX,XX +XXX,XX @@ static inline AddressSpace *arm_addressspace(CPUState *cs, MemTxAttrs attrs)
-  * CPU changes exception level or mode. The hook function will be
-  * passed a pointer to the ARMCPU and the opaque data pointer passed
-  * to this function when the hook was registered.
-- *
-- * Note that we currently only support registering a single hook function,
-- * and will assert if this function is called twice.
-- * This facility is intended for the use of the GICv3 emulation.
-  */
--void arm_register_el_change_hook(ARMCPU *cpu, ARMELChangeHook *hook,
-+void arm_register_el_change_hook(ARMCPU *cpu, ARMELChangeHookFn *hook,
-                                  void *opaque);
- /**
-diff --git a/target/arm/internals.h b/target/arm/internals.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/internals.h
-+++ b/target/arm/internals.h
-@@ -XXX,XX +XXX,XX @@ void arm_cpu_do_transaction_failed(CPUState *cs, hwaddr physaddr,
-                                    int mmu_idx, MemTxAttrs attrs,
-                                    MemTxResult response, uintptr_t retaddr);
--/* Call the EL change hook if one has been registered */
-+/* Call any registered EL change hooks */
- static inline void arm_call_el_change_hook(ARMCPU *cpu)
- {
--    if (cpu->el_change_hook) {
--        cpu->el_change_hook(cpu, cpu->el_change_hook_opaque);
-+    ARMELChangeHook *hook, *next;
-+    QLIST_FOREACH_SAFE(hook, &cpu->el_change_hooks, node, next) {
-+        hook->hook(cpu, hook->opaque);
-     }
- }
-diff --git a/target/arm/cpu.c b/target/arm/cpu.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.c
-+++ b/target/arm/cpu.c
-@@ -XXX,XX +XXX,XX @@ static bool arm_cpu_has_work(CPUState *cs)
-          | CPU_INTERRUPT_EXITTB);
- }
--void arm_register_el_change_hook(ARMCPU *cpu, ARMELChangeHook *hook,
-+void arm_register_el_change_hook(ARMCPU *cpu, ARMELChangeHookFn *hook,
-                                  void *opaque)
- {
--    /* We currently only support registering a single hook function */
--    assert(!cpu->el_change_hook);
--    cpu->el_change_hook = hook;
--    cpu->el_change_hook_opaque = opaque;
-+    ARMELChangeHook *entry = g_new0(ARMELChangeHook, 1);
-+
-+    entry->hook = hook;
-+    entry->opaque = opaque;
-+
-+    QLIST_INSERT_HEAD(&cpu->el_change_hooks, entry, node);
- }
- static void cp_reg_reset(gpointer key, gpointer value, gpointer opaque)
-@@ -XXX,XX +XXX,XX @@ static void arm_cpu_initfn(Object *obj)
-     cpu->cp_regs = g_hash_table_new_full(g_int_hash, g_int_equal,
-                                          g_free, g_free);
-+    QLIST_INIT(&cpu->el_change_hooks);
-+
- #ifndef CONFIG_USER_ONLY
-     /* Our inbound IRQ and FIQ lines */
-     if (kvm_enabled()) {
-@@ -XXX,XX +XXX,XX @@ static void arm_cpu_post_init(Object *obj)
- static void arm_cpu_finalizefn(Object *obj)
- {
-     ARMCPU *cpu = ARM_CPU(obj);
-+    ARMELChangeHook *hook, *next;
-+
-     g_hash_table_destroy(cpu->cp_regs);
-+
-+    QLIST_FOREACH_SAFE(hook, &cpu->el_change_hooks, node, next) {
-+        QLIST_REMOVE(hook, node);
-+        g_free(hook);
-+    }
- }
- static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
---
-.17.0

-[Qemu-devel] [PULL 10/19] target/arm: Add pre-EL change hooks
+[PULL 3/3] target/arm: Move sve probe inside kvm >= 4.15 branch
-From: Aaron Lindsay <alindsay@codeaurora.org>
+From: Richard Henderson <richard.henderson@linaro.org>
-Because the design of the PMU requires that the counter values be
+The test for the IF block indicates no ID registers are exposed, much
-converted between their delta and guest-visible forms for mode
+less host support for SVE.  Move the SVE probe into the ELSE block.
 filtering, an additional hook which occurs before the EL is changed is
 necessary.
-Signed-off-by: Aaron Lindsay <alindsay@codeaurora.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 1523997485-1905-8-git-send-email-alindsay@codeaurora.org
+Message-id: 20220726045828.53697-4-richard.henderson@linaro.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/cpu.h       | 22 +++++++++++++++++++---
+ target/arm/kvm64.c | 22 +++++++++++-----------
- target/arm/internals.h |  7 +++++++
+file changed, 11 insertions(+), 11 deletions(-)
  target/arm/cpu.c       | 16 ++++++++++++++++
  target/arm/helper.c    | 14 ++++++++------
  target/arm/op_helper.c |  8 ++++++++
 files changed, 58 insertions(+), 9 deletions(-)
-diff --git a/target/arm/cpu.h b/target/arm/cpu.h
+diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
+--- a/target/arm/kvm64.c
-+++ b/target/arm/cpu.h
++++ b/target/arm/kvm64.c
-@@ -XXX,XX +XXX,XX @@ struct ARMCPU {
+@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
-      */
+             err |= read_sys_reg64(fdarray[2], &ahcf->isar.reset_pmcr_el0,
-     bool cfgend;
+                                   ARM64_SYS_REG(3, 3, 9, 12, 0));
+         }
-+    QLIST_HEAD(, ARMELChangeHook) pre_el_change_hooks;
+-    }
-     QLIST_HEAD(, ARMELChangeHook) el_change_hooks;
+-    if (sve_supported) {
-     int32_t node_id; /* NUMA node this CPU belongs to */
+-        /*
-@@ -XXX,XX +XXX,XX @@ static inline AddressSpace *arm_addressspace(CPUState *cs, MemTxAttrs attrs)
+-         * There is a range of kernels between kernel commit 73433762fcae
- #endif
+-         * and f81cb2c3ad41 which have a bug where the kernel doesn't expose
+-         * SYS_ID_AA64ZFR0_EL1 via the ONE_REG API unless the VM has enabled
- /**
+-         * SVE support, which resulted in an error rather than RAZ.
-- * arm_register_el_change_hook:
+-         * So only read the register if we set KVM_ARM_VCPU_SVE above.
-- * Register a hook function which will be called back whenever this
+-         */
-+ * arm_register_pre_el_change_hook:
+-        err |= read_sys_reg64(fdarray[2], &ahcf->isar.id_aa64zfr0,
-+ * Register a hook function which will be called immediately before this
+-                              ARM64_SYS_REG(3, 0, 0, 4, 4));
-  * CPU changes exception level or mode. The hook function will be
++        if (sve_supported) {
-  * passed a pointer to the ARMCPU and the opaque data pointer passed
++            /*
-  * to this function when the hook was registered.
++             * There is a range of kernels between kernel commit 73433762fcae
-+ *
++             * and f81cb2c3ad41 which have a bug where the kernel doesn't
-+ * Note that if a pre-change hook is called, any registered post-change hooks
++             * expose SYS_ID_AA64ZFR0_EL1 via the ONE_REG API unless the VM has
-+ * are guaranteed to subsequently be called.
++             * enabled SVE support, which resulted in an error rather than RAZ.
-  */
++             * So only read the register if we set KVM_ARM_VCPU_SVE above.
--void arm_register_el_change_hook(ARMCPU *cpu, ARMELChangeHookFn *hook,
++             */
-+void arm_register_pre_el_change_hook(ARMCPU *cpu, ARMELChangeHookFn *hook,
++            err |= read_sys_reg64(fdarray[2], &ahcf->isar.id_aa64zfr0,
-                                  void *opaque);
++                                  ARM64_SYS_REG(3, 0, 0, 4, 4));
-+/**
++        }
 + * arm_register_el_change_hook:
 + * Register a hook function which will be called immediately after this
 + * CPU changes exception level or mode. The hook function will be
 + * passed a pointer to the ARMCPU and the opaque data pointer passed
 + * to this function when the hook was registered.
 + *
 + * Note that any registered hooks registered here are guaranteed to be called
 + * if pre-change hooks have been.
 + */
 +void arm_register_el_change_hook(ARMCPU *cpu, ARMELChangeHookFn *hook, void
 +        *opaque);
  /**
   * aa32_vfp_dreg:
 diff --git a/target/arm/internals.h b/target/arm/internals.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/internals.h
 +++ b/target/arm/internals.h
@@ -XXX,XX +XXX,XX @@ void arm_cpu_do_transaction_failed(CPUState *cs, hwaddr physaddr,
                                     MemTxResult response, uintptr_t retaddr);
  /* Call any registered EL change hooks */
 +static inline void arm_call_pre_el_change_hook(ARMCPU *cpu)
 +{
 +    ARMELChangeHook *hook, *next;
 +    QLIST_FOREACH_SAFE(hook, &cpu->pre_el_change_hooks, node, next) {
 +        hook->hook(cpu, hook->opaque);
 +    }
 +}
  static inline void arm_call_el_change_hook(ARMCPU *cpu)
  {
      ARMELChangeHook *hook, *next;
 diff --git a/target/arm/cpu.c b/target/arm/cpu.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.c
 +++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static bool arm_cpu_has_work(CPUState *cs)
           | CPU_INTERRUPT_EXITTB);
  }
 +void arm_register_pre_el_change_hook(ARMCPU *cpu, ARMELChangeHookFn *hook,
 +                                 void *opaque)
 +{
 +    ARMELChangeHook *entry = g_new0(ARMELChangeHook, 1);
 +
 +    entry->hook = hook;
 +    entry->opaque = opaque;
 +
 +    QLIST_INSERT_HEAD(&cpu->pre_el_change_hooks, entry, node);
 +}
 +
  void arm_register_el_change_hook(ARMCPU *cpu, ARMELChangeHookFn *hook,
                                   void *opaque)
  {
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_initfn(Object *obj)
      cpu->cp_regs = g_hash_table_new_full(g_int_hash, g_int_equal,
                                           g_free, g_free);
 +    QLIST_INIT(&cpu->pre_el_change_hooks);
      QLIST_INIT(&cpu->el_change_hooks);
  #ifndef CONFIG_USER_ONLY
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_finalizefn(Object *obj)
      g_hash_table_destroy(cpu->cp_regs);
 +    QLIST_FOREACH_SAFE(hook, &cpu->pre_el_change_hooks, node, next) {
 +        QLIST_REMOVE(hook, node);
 +        g_free(hook);
 +    }
      QLIST_FOREACH_SAFE(hook, &cpu->el_change_hooks, node, next) {
          QLIST_REMOVE(hook, node);
          g_free(hook);
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ void arm_cpu_do_interrupt(CPUState *cs)
          return;
      }
-+    /* Hooks may change global state so BQL should be held, also the
+     kvm_arm_destroy_scratch_host_vcpu(fdarray);
 +     * BQL needs to be held for any modification of
 +     * cs->interrupt_request.
 +     */
 +    g_assert(qemu_mutex_iothread_locked());
 +
 +    arm_call_pre_el_change_hook(cpu);
 +
      assert(!excp_is_internal(cs->exception_index));
      if (arm_el_is_aa64(env, new_el)) {
          arm_cpu_do_interrupt_aarch64(cs);
@@ -XXX,XX +XXX,XX @@ void arm_cpu_do_interrupt(CPUState *cs)
          arm_cpu_do_interrupt_aarch32(cs);
      }
 -    /* Hooks may change global state so BQL should be held, also the
 -     * BQL needs to be held for any modification of
 -     * cs->interrupt_request.
 -     */
 -    g_assert(qemu_mutex_iothread_locked());
 -
      arm_call_el_change_hook(cpu);
      if (!kvm_enabled()) {
 diff --git a/target/arm/op_helper.c b/target/arm/op_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/op_helper.c
 +++ b/target/arm/op_helper.c
@@ -XXX,XX +XXX,XX @@ void HELPER(cpsr_write)(CPUARMState *env, uint32_t val, uint32_t mask)
  /* Write the CPSR for a 32-bit exception return */
  void HELPER(cpsr_write_eret)(CPUARMState *env, uint32_t val)
  {
 +    qemu_mutex_lock_iothread();
 +    arm_call_pre_el_change_hook(arm_env_get_cpu(env));
 +    qemu_mutex_unlock_iothread();
 +
      cpsr_write(env, val, CPSR_ERET_MASK, CPSRWriteExceptionReturn);
      /* Generated code has already stored the new PC value, but
@@ -XXX,XX +XXX,XX @@ void HELPER(exception_return)(CPUARMState *env)
          goto illegal_return;
      }
 +    qemu_mutex_lock_iothread();
 +    arm_call_pre_el_change_hook(arm_env_get_cpu(env));
 +    qemu_mutex_unlock_iothread();
 +
      if (!return_to_aa64) {
          env->aarch64 = 0;
          /* We do a raw CPSR write because aarch64_sync_64_to_32()
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 11/19] target/arm: Allow EL change hooks to do IO
+Deleted patch
-From: Aaron Lindsay <alindsay@codeaurora.org>
-During code generation, surround CPSR writes and exception returns which
-call the EL change hooks with gen_io_start/end. The immediate need is
-for the PMU to access the clock and icount during EL change to support
-mode filtering.
-Signed-off-by: Aaron Lindsay <alindsay@codeaurora.org>
-Message-id: 1523997485-1905-9-git-send-email-alindsay@codeaurora.org
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/translate-a64.c |  6 ++++++
- target/arm/translate.c     | 12 ++++++++++++
-files changed, 18 insertions(+)
-diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-a64.c
-+++ b/target/arm/translate-a64.c
-@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
-             unallocated_encoding(s);
-             return;
-         }
-+        if (tb_cflags(s->base.tb) & CF_USE_ICOUNT) {
-+            gen_io_start();
-+        }
-         gen_helper_exception_return(cpu_env);
-+        if (tb_cflags(s->base.tb) & CF_USE_ICOUNT) {
-+            gen_io_end();
-+        }
-         /* Must exit loop to check un-masked IRQs */
-         s->base.is_jmp = DISAS_EXIT;
-         return;
-diff --git a/target/arm/translate.c b/target/arm/translate.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate.c
-+++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ static void gen_rfe(DisasContext *s, TCGv_i32 pc, TCGv_i32 cpsr)
-      * appropriately depending on the new Thumb bit, so it must
-      * be called after storing the new PC.
-      */
-+    if (tb_cflags(s->base.tb) & CF_USE_ICOUNT) {
-+        gen_io_start();
-+    }
-     gen_helper_cpsr_write_eret(cpu_env, cpsr);
-+    if (tb_cflags(s->base.tb) & CF_USE_ICOUNT) {
-+        gen_io_end();
-+    }
-     tcg_temp_free_i32(cpsr);
-     /* Must exit loop to check un-masked IRQs */
-     s->base.is_jmp = DISAS_EXIT;
-@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
-                 if (exc_return) {
-                     /* Restore CPSR from SPSR.  */
-                     tmp = load_cpu_field(spsr);
-+                    if (tb_cflags(s->base.tb) & CF_USE_ICOUNT) {
-+                        gen_io_start();
-+                    }
-                     gen_helper_cpsr_write_eret(cpu_env, tmp);
-+                    if (tb_cflags(s->base.tb) & CF_USE_ICOUNT) {
-+                        gen_io_end();
-+                    }
-                     tcg_temp_free_i32(tmp);
-                     /* Must exit loop to check un-masked IRQs */
-                     s->base.is_jmp = DISAS_EXIT;
---
-.17.0

-[Qemu-devel] [PULL 12/19] target/arm: Fix bitmask for PMCCFILTR writes
+Deleted patch
-From: Aaron Lindsay <alindsay@codeaurora.org>
-It was shifted to the left one bit too few.
-Signed-off-by: Aaron Lindsay <alindsay@codeaurora.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 1523997485-1905-10-git-send-email-alindsay@codeaurora.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/helper.c | 2 +-
-file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static void pmccfiltr_write(CPUARMState *env, const ARMCPRegInfo *ri,
-                             uint64_t value)
- {
-     pmccntr_sync(env);
--    env->cp15.pmccfiltr_el0 = value & 0x7E000000;
-+    env->cp15.pmccfiltr_el0 = value & 0xfc000000;
-     pmccntr_sync(env);
- }
---
-.17.0

-[Qemu-devel] [PULL 13/19] target/arm: Make PMOVSCLR and PMUSERENR 64 bits wide
+Deleted patch
-From: Aaron Lindsay <alindsay@codeaurora.org>
-This is a bug fix to ensure 64-bit reads of these registers don't read
-adjacent data.
-Signed-off-by: Aaron Lindsay <alindsay@codeaurora.org>
-Message-id: 1523997485-1905-13-git-send-email-alindsay@codeaurora.org
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/cpu.h    | 4 ++--
- target/arm/helper.c | 5 +++--
-files changed, 5 insertions(+), 4 deletions(-)
-diff --git a/target/arm/cpu.h b/target/arm/cpu.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
-+++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ typedef struct CPUARMState {
-         uint32_t c9_data;
-         uint64_t c9_pmcr; /* performance monitor control register */
-         uint64_t c9_pmcnten; /* perf monitor counter enables */
--        uint32_t c9_pmovsr; /* perf monitor overflow status */
--        uint32_t c9_pmuserenr; /* perf monitor user enable */
-+        uint64_t c9_pmovsr; /* perf monitor overflow status */
-+        uint64_t c9_pmuserenr; /* perf monitor user enable */
-         uint64_t c9_pmselr; /* perf monitor counter selection register */
-         uint64_t c9_pminten; /* perf monitor interrupt enables */
-         union { /* Memory attribute redirection */
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v7_cp_reginfo[] = {
-       .fieldoffset = offsetof(CPUARMState, cp15.c9_pmcnten),
-       .writefn = pmcntenclr_write },
-     { .name = "PMOVSR", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 3,
--      .access = PL0_RW, .fieldoffset = offsetof(CPUARMState, cp15.c9_pmovsr),
-+      .access = PL0_RW,
-+      .fieldoffset = offsetoflow32(CPUARMState, cp15.c9_pmovsr),
-       .accessfn = pmreg_access,
-       .writefn = pmovsr_write,
-       .raw_writefn = raw_write },
-@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v7_cp_reginfo[] = {
-       .accessfn = pmreg_access_xevcntr },
-     { .name = "PMUSERENR", .cp = 15, .crn = 9, .crm = 14, .opc1 = 0, .opc2 = 0,
-       .access = PL0_R | PL1_RW, .accessfn = access_tpm,
--      .fieldoffset = offsetof(CPUARMState, cp15.c9_pmuserenr),
-+      .fieldoffset = offsetoflow32(CPUARMState, cp15.c9_pmuserenr),
-       .resetvalue = 0,
-       .writefn = pmuserenr_write, .raw_writefn = raw_write },
-     { .name = "PMUSERENR_EL0", .state = ARM_CP_STATE_AA64,
---
-.17.0

-[Qemu-devel] [PULL 14/19] hw/arm/raspi: Don't bother setting default_cpu_type
+Deleted patch
-In commit 210f47840dd62, we changed the bcm2836 SoC object to
-always create a CPU of the correct type for that SoC model. This
-makes the default_cpu_type settings in the MachineClass structs
-for the raspi2 and raspi3 boards redundant. We didn't change
-those at the time because it would have meant a temporary
-regression in a corner case of error handling if the user
-requested a non-existing CPU type. The -cpu parse handling
-changes in 2278b93941d42c3 mean that it no longer implicitly
-depends on default_cpu_type for this to work, so we can now
-delete the redundant default_cpu_type fields.
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Message-id: 20180420155547.9497-1-peter.maydell@linaro.org
----
- hw/arm/raspi.c | 2 --
-file changed, 2 deletions(-)
-diff --git a/hw/arm/raspi.c b/hw/arm/raspi.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/raspi.c
-+++ b/hw/arm/raspi.c
-@@ -XXX,XX +XXX,XX @@ static void raspi2_machine_init(MachineClass *mc)
-     mc->no_parallel = 1;
-     mc->no_floppy = 1;
-     mc->no_cdrom = 1;
--    mc->default_cpu_type = ARM_CPU_TYPE_NAME("cortex-a7");
-     mc->max_cpus = BCM283X_NCPUS;
-     mc->min_cpus = BCM283X_NCPUS;
-     mc->default_cpus = BCM283X_NCPUS;
-@@ -XXX,XX +XXX,XX @@ static void raspi3_machine_init(MachineClass *mc)
-     mc->no_parallel = 1;
-     mc->no_floppy = 1;
-     mc->no_cdrom = 1;
--    mc->default_cpu_type = ARM_CPU_TYPE_NAME("cortex-a53");
-     mc->max_cpus = BCM283X_NCPUS;
-     mc->min_cpus = BCM283X_NCPUS;
-     mc->default_cpus = BCM283X_NCPUS;
---
-.17.0

-[Qemu-devel] [PULL 15/19] hw/arm/highbank: don't make sysram 'nomigrate'
+Deleted patch
-Currently we use memory_region_init_ram_nomigrate() to create
-the "highbank.sysram" memory region, and we don't manually
-register it with vmstate_register_ram(). This currently
-means that its contents are migrated but as a ram block
-whose name is the empty string; in future it may mean they
-are not migrated at all. Use memory_region_init_ram() instead.
-Note that this is a cross-version migration compatibility
-break for the "highbank" and "midway" machines.
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20180420124835.7268-2-peter.maydell@linaro.org
----
- hw/arm/highbank.c | 2 +-
-file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/hw/arm/highbank.c b/hw/arm/highbank.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/highbank.c
-+++ b/hw/arm/highbank.c
-@@ -XXX,XX +XXX,XX @@ static void calxeda_init(MachineState *machine, enum cxmachines machine_id)
-     memory_region_add_subregion(sysmem, 0, dram);
-     sysram = g_new(MemoryRegion, 1);
--    memory_region_init_ram_nomigrate(sysram, NULL, "highbank.sysram", 0x8000,
-+    memory_region_init_ram(sysram, NULL, "highbank.sysram", 0x8000,
-                            &error_fatal);
-     memory_region_add_subregion(sysmem, 0xfff88000, sysram);
-     if (bios_name != NULL) {
---
-.17.0

-[Qemu-devel] [PULL 16/19] hw/arm/aspeed: don't make 'boot_rom' region 'nomigrate'
+Deleted patch
-Currently we use memory_region_init_ram_nomigrate() to create
-the "aspeed.boot_rom" memory region, and we don't manually
-register it with vmstate_register_ram(). This currently
-means that its contents are migrated but as a ram block
-whose name is the empty string; in future it may mean they
-are not migrated at all. Use memory_region_init_ram() instead.
-Note that would be a cross-version migration compatibility break
-for the "palmetto-bmc", "ast2500-evb" and "romulus-bmc" machines,
-but migration is currently broken for them.
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Cédric Le Goater <clg@kaod.org>
-Tested-by: Cédric Le Goater <clg@kaod.org>
-Message-id: 20180420124835.7268-3-peter.maydell@linaro.org
----
- hw/arm/aspeed.c | 2 +-
-file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/hw/arm/aspeed.c b/hw/arm/aspeed.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/aspeed.c
-+++ b/hw/arm/aspeed.c
-@@ -XXX,XX +XXX,XX @@ static void aspeed_board_init(MachineState *machine,
-          * SoC and 128MB for the AST2500 SoC, which is twice as big as
-          * needed by the flash modules of the Aspeed machines.
-          */
--        memory_region_init_rom_nomigrate(boot_rom, OBJECT(bmc), "aspeed.boot_rom",
-+        memory_region_init_rom(boot_rom, OBJECT(bmc), "aspeed.boot_rom",
-                                fl->size, &error_abort);
-         memory_region_add_subregion(get_system_memory(), FIRMWARE_ADDR,
-                                     boot_rom);
---
-.17.0

-[Qemu-devel] [PULL 17/19] hw/arm/aspeed_soc: don't use vmstate_register_ram_global for SRAM
+Deleted patch
-Currently we use vmstate_register_ram_global() for the SRAM;
-this is not a good idea for devices, because it means that
-you can only ever create one instance of the device, as
-the second instance would get a RAM block name clash.
-Instead, use memory_region_init_ram(), which automatically
-registers the RAM block with a local-to-the-device name.
-Note that this would be a cross-version migration compatibility break
-for the "palmetto-bmc", "ast2500-evb" and "romulus-bmc" machines,
-but migration is currently broken for them.
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Cédric Le Goater <clg@kaod.org>
-Tested-by: Cédric Le Goater <clg@kaod.org>
-Message-id: 20180420124835.7268-4-peter.maydell@linaro.org
----
- hw/arm/aspeed_soc.c | 3 +--
-file changed, 1 insertion(+), 2 deletions(-)
-diff --git a/hw/arm/aspeed_soc.c b/hw/arm/aspeed_soc.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/aspeed_soc.c
-+++ b/hw/arm/aspeed_soc.c
-@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_realize(DeviceState *dev, Error **errp)
-     }
-     /* SRAM */
--    memory_region_init_ram_nomigrate(&s->sram, OBJECT(dev), "aspeed.sram",
-+    memory_region_init_ram(&s->sram, OBJECT(dev), "aspeed.sram",
-                            sc->info->sram_size, &err);
-     if (err) {
-         error_propagate(errp, err);
-         return;
-     }
--    vmstate_register_ram_global(&s->sram);
-     memory_region_add_subregion(get_system_memory(), ASPEED_SOC_SRAM_BASE,
-                                 &s->sram);
---
-.17.0

-[Qemu-devel] [PULL 19/19] xilinx_spips: Correct SNOOP_NONE state when flushing the txfifo
+Deleted patch
-From: Sai Pavan Boddu <sai.pavan.boddu@xilinx.com>
-SNOOP_NONE state handle is moved above in the if ladder, as it's same
-as SNOOP_STRIPPING during data cycles.
-Signed-off-by: Sai Pavan Boddu <saipava@xilinx.com>
-Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
-Message-id: 1524119244-1240-1-git-send-email-saipava@xilinx.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/ssi/xilinx_spips.c | 3 ++-
-file changed, 2 insertions(+), 1 deletion(-)
-diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/ssi/xilinx_spips.c
-+++ b/hw/ssi/xilinx_spips.c
-@@ -XXX,XX +XXX,XX @@ static void xilinx_spips_flush_txfifo(XilinxSPIPS *s)
-         if (fifo8_is_empty(&s->tx_fifo)) {
-             xilinx_spips_update_ixr(s);
-             return;
--        } else if (s->snoop_state == SNOOP_STRIPING) {
-+        } else if (s->snoop_state == SNOOP_STRIPING ||
-+                   s->snoop_state == SNOOP_NONE) {
-             for (i = 0; i < num_effective_busses(s); ++i) {
-                 tx_rx[i] = fifo8_pop(&s->tx_fifo);
-             }
---
-.17.0

First arm pullreq of the 2.13 cycle!

-- PMM

The following changes since commit 4743c23509a51bd4ee85cc272287a41917d1be35:

Update version for v2.12.0 release (2018-04-24 16:44:55 +0100)

are available in the Git repository at:

git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20180426

for you to fetch changes up to fbf32752663878947de455ff57cb5b9318f14bec:

xilinx_spips: Correct SNOOP_NONE state when flushing the txfifo (2018-04-26 11:04:40 +0100)

----------------------------------------------------------------
target-arm queue:
 * xilinx_spips: Correct SNOOP_NONE state when flushing the txfifo
 * timer/aspeed: fix vmstate version id
 * hw/arm/aspeed_soc: don't use vmstate_register_ram_global for SRAM
 * hw/arm/aspeed: don't make 'boot_rom' region 'nomigrate'
 * hw/arm/highbank: don't make sysram 'nomigrate'
 * hw/arm/raspi: Don't bother setting default_cpu_type
 * PMU emulation: some minor bugfixes and preparation for
   support of other events than just the cycle counter
 * target/arm: Use v7m_stack_read() for reading the frame signature
 * target/arm: Remove stale TODO comment
 * arm: always start from first_cpu when registering loader cpu reset callback
 * device_tree: Increase FDT_MAX_SIZE to 1 MiB

----------------------------------------------------------------
Aaron Lindsay (9):
      target/arm: Check PMCNTEN for whether PMCCNTR is enabled
      target/arm: Treat PMCCNTR as alias of PMCCNTR_EL0
      target/arm: Mask PMU register writes based on PMCR_EL0.N
      target/arm: Fetch GICv3 state directly from CPUARMState
      target/arm: Support multiple EL change hooks
      target/arm: Add pre-EL change hooks
      target/arm: Allow EL change hooks to do IO
      target/arm: Fix bitmask for PMCCFILTR writes
      target/arm: Make PMOVSCLR and PMUSERENR 64 bits wide

Cédric Le Goater (1):
      timer/aspeed: fix vmstate version id

Geert Uytterhoeven (1):
      device_tree: Increase FDT_MAX_SIZE to 1 MiB

Igor Mammedov (1):
      arm: always start from first_cpu when registering loader cpu reset callback

Peter Maydell (6):
      target/arm: Remove stale TODO comment
      target/arm: Use v7m_stack_read() for reading the frame signature
      hw/arm/raspi: Don't bother setting default_cpu_type
      hw/arm/highbank: don't make sysram 'nomigrate'
      hw/arm/aspeed: don't make 'boot_rom' region 'nomigrate'
      hw/arm/aspeed_soc: don't use vmstate_register_ram_global for SRAM

Sai Pavan Boddu (1):
      xilinx_spips: Correct SNOOP_NONE state when flushing the txfifo

From: Geert Uytterhoeven <geert+renesas@glider.be>

It is not uncommon for a contemporary FDT to be larger than 64 KiB,
leading to failures loading the device tree from sysfs:

qemu-system-aarch64: qemu_fdt_setprop: Couldn't set ...: FDT_ERR_NOSPACE

Hence increase the limit to 1 MiB, like on PPC.

For reference, the largest arm64 DTB created from the Linux sources is
ca. 75 KiB large (100 KiB when built with symbols/fixup support).

Cc: qemu-stable@nongnu.org
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Message-id: 1523541337-23919-1-git-send-email-geert+renesas@glider.be
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 device_tree.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/device_tree.c b/device_tree.c
index XXXXXXX..XXXXXXX 100644
--- a/device_tree.c
+++ b/device_tree.c
@@ -XXX,XX +XXX,XX @@
 
 #include <libfdt.h>
 
-#define FDT_MAX_SIZE  0x10000
+#define FDT_MAX_SIZE  0x100000
 
 void *create_device_tree(int *sizep)
 {
-- 
2.17.0

From: Igor Mammedov <imammedo@redhat.com>

if arm_load_kernel() were passed non first_cpu, QEMU would end up
with partially set do_cpu_reset() callback leaving some CPUs without it.

Make sure that do_cpu_reset() is registered for all CPUs by enumerating
CPUs from first_cpu.

(In practice every board that we have was passing us the first CPU
as the boot CPU, either directly or indirectly, so this wasn't
causing incorrect behaviour.)

Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
[PMM: added a note that this isn't a behaviour change]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/boot.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/arm/boot.c b/hw/arm/boot.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/boot.c
+++ b/hw/arm/boot.c
@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info)
      * actually loading a kernel, the handler is also responsible for
      * arranging that we start it correctly.
      */
-    for (cs = CPU(cpu); cs; cs = CPU_NEXT(cs)) {
+    for (cs = first_cpu; cs; cs = CPU_NEXT(cs)) {
         qemu_register_reset(do_cpu_reset, ARM_CPU(cs));
     }
 }
-- 
2.17.0

Remove a stale TODO comment -- we have now made the arm_ldl_ptw()
and arm_ldq_ptw() functions propagate physical memory read errors
out to their callers.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20180419142151.9862-1-peter.maydell@linaro.org
---
 target/arm/helper.c | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static hwaddr S1_ptw_translate(CPUARMState *env, ARMMMUIdx mmu_idx,
     return addr;
 }
 
-/* All loads done in the course of a page table walk go through here.
- * TODO: rather than ignoring errors from physical memory reads (which
- * are external aborts in ARM terminology) we should propagate this
- * error out so that we can turn it into a Data Abort if this walk
- * was being done for a CPU load/store or an address translation instruction
- * (but not if it was for a debug access).
- */
+/* All loads done in the course of a page table walk go through here. */
 static uint32_t arm_ldl_ptw(CPUState *cs, hwaddr addr, bool is_secure,
                             ARMMMUIdx mmu_idx, ARMMMUFaultInfo *fi)
 {
-- 
2.17.0

In commit 95695effe8caa552b8f2 we changed the v7M/v8M stack
pop code to use a new v7m_stack_read() function that checks
whether the read should fail due to an MPU or bus abort.
We missed one call though, the one which reads the signature
word for the callee-saved register part of the frame.

Correct the omission.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180419142106.9694-1-peter.maydell@linaro.org
---
 target/arm/helper.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static bool v7m_push_stack(ARMCPU *cpu)
 static void do_v7m_exception_exit(ARMCPU *cpu)
 {
     CPUARMState *env = &cpu->env;
-    CPUState *cs = CPU(cpu);
     uint32_t excret;
     uint32_t xpsr;
     bool ufault = false;
@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
             ((excret & R_V7M_EXCRET_ES_MASK) == 0 ||
              (excret & R_V7M_EXCRET_DCRS_MASK) == 0)) {
             uint32_t expected_sig = 0xfefa125b;
-            uint32_t actual_sig = ldl_phys(cs->as, frameptr);
+            uint32_t actual_sig;
 
-            if (expected_sig != actual_sig) {
+            pop_ok = v7m_stack_read(cpu, &actual_sig, frameptr, mmu_idx);
+
+            if (pop_ok && expected_sig != actual_sig) {
                 /* Take a SecureFault on the current stack */
                 env->v7m.sfsr |= R_V7M_SFSR_INVIS_MASK;
                 armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
                 return;
             }
 
-            pop_ok =
+            pop_ok = pop_ok &&
                 v7m_stack_read(cpu, &env->regs[4], frameptr + 0x8, mmu_idx) &&
                 v7m_stack_read(cpu, &env->regs[4], frameptr + 0x8, mmu_idx) &&
                 v7m_stack_read(cpu, &env->regs[5], frameptr + 0xc, mmu_idx) &&
-- 
2.17.0