Series comparison

-[Qemu-devel] [PULL 00/24] target-arm queue
+[PULL 00/23] target-arm queue
-target-arm queue: Eric's SMMUv3 patchset, and an array
+Two small bugfixes, plus most of RTH's refactoring of cpregs
-of minor bugfixes and improvements from various others.
+handling.
-thanks
 -- PMM
-The following changes since commit c8b7e627b4269a3bc3ae41d9f420547a47e6d9b9:
+The following changes since commit 1fba9dc71a170b3a05b9d3272dd8ecfe7f26e215:
-  Merge remote-tracking branch 'remotes/ericb/tags/pull-nbd-2018-05-04' into staging (2018-05-04 14:42:46 +0100)
+  Merge tag 'pull-request-2022-05-04' of https://gitlab.com/thuth/qemu into staging (2022-05-04 08:07:02 -0700)
 are available in the Git repository at:
-  git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20180504
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20220505
-for you to fetch changes up to 5680740c92993e9b3f3e011f2a2c394070e33f56:
+for you to fetch changes up to 99a50d1a67c602126fc2b3a4812d3000eba9bf34:
-  hw/arm/virt: Introduce the iommu option (2018-05-04 18:05:52 +0100)
+  target/arm: read access to performance counters from EL0 (2022-05-05 09:36:22 +0100)
 ----------------------------------------------------------------
 target-arm queue:
- * Emulate the SMMUv3 (IOMMU); one will be created in the 'virt' board
+ * Enable read access to performance counters from EL0
-   if the commandline includes "-machine iommu=smmuv3"
+ * Enable SCTLR_EL1.BT0 for aarch64-linux-user
- * target/arm: Implement v8M VLLDM and VLSTM
+ * Refactoring of cpreg handling
  * hw/arm: Don't fail qtest due to missing SD card in -nodefaults mode
  * Some fixes to silence Coverity false-positives
  * arm: boot: set boot_info starting from first_cpu
    (fixes a technical bug not visible in practice)
  * hw/net/smc91c111: Convert away from old_mmio
  * hw/usb/tusb6010: Convert away from old_mmio
  * hw/char/cmsdk-apb-uart.c: Accept more input after character read
  * target/arm: Make MPUIR write-ignored on OMAP, StrongARM
  * hw/arm/virt: Add linux,pci-domain property
 ----------------------------------------------------------------
-Eric Auger (11):
+Alex Zuepke (1):
-      hw/arm/smmu-common: smmu base device and datatypes
+      target/arm: read access to performance counters from EL0
       hw/arm/smmu-common: IOMMU memory region and address space setup
       hw/arm/smmu-common: VMSAv8-64 page table walk
       hw/arm/smmuv3: Wired IRQ and GERROR helpers
       hw/arm/smmuv3: Queue helpers
       hw/arm/smmuv3: Implement MMIO write operations
       hw/arm/smmuv3: Event queue recording helper
       hw/arm/smmuv3: Implement translate callback
       hw/arm/smmuv3: Abort on vfio or vhost case
       target/arm/kvm: Translate the MSI doorbell in kvm_arch_fixup_msi_route
       hw/arm/virt: Introduce the iommu option
-Igor Mammedov (1):
+Richard Henderson (22):
-      arm: boot: set boot_info starting from first_cpu
+      target/arm: Enable SCTLR_EL1.BT0 for aarch64-linux-user
       target/arm: Split out cpregs.h
       target/arm: Reorg CPAccessResult and access_check_cp_reg
       target/arm: Replace sentinels with ARRAY_SIZE in cpregs.h
       target/arm: Make some more cpreg data static const
       target/arm: Reorg ARMCPRegInfo type field bits
       target/arm: Avoid bare abort() or assert(0)
       target/arm: Change cpreg access permissions to enum
       target/arm: Name CPState type
       target/arm: Name CPSecureState type
       target/arm: Drop always-true test in define_arm_vh_e2h_redirects_aliases
       target/arm: Store cpregs key in the hash table directly
       target/arm: Merge allocation of the cpreg and its name
       target/arm: Hoist computation of key in add_cpreg_to_hashtable
       target/arm: Consolidate cpreg updates in add_cpreg_to_hashtable
       target/arm: Use bool for is64 and ns in add_cpreg_to_hashtable
       target/arm: Hoist isbanked computation in add_cpreg_to_hashtable
       target/arm: Perform override check early in add_cpreg_to_hashtable
       target/arm: Reformat comments in add_cpreg_to_hashtable
       target/arm: Remove HOST_BIG_ENDIAN ifdef in add_cpreg_to_hashtable
       target/arm: Add isar predicates for FEAT_Debugv8p2
       target/arm: Add isar_feature_{aa64,any}_ras
-Jan Kiszka (1):
+ target/arm/cpregs.h               | 453 ++++++++++++++++++++++++++++++++++++++
-      hw/arm/virt: Add linux,pci-domain property
+ target/arm/cpu.h                  | 393 +++------------------------------
+ hw/arm/pxa2xx.c                   |   2 +-
-Mathew Maidment (1):
+ hw/arm/pxa2xx_pic.c               |   2 +-
-      target/arm: Correct MPUIR privilege level in register_cp_regs_for_features() conditional case
+ hw/intc/arm_gicv3_cpuif.c         |   6 +-
+ hw/intc/arm_gicv3_kvm.c           |   3 +-
-Patrick Oppenlander (1):
+ target/arm/cpu.c                  |  25 +--
-      hw/char/cmsdk-apb-uart.c: Accept more input after character read
+ target/arm/cpu64.c                |   2 +-
+ target/arm/cpu_tcg.c              |   5 +-
-Peter Maydell (3):
+ target/arm/gdbstub.c              |   5 +-
-      hw/usb/tusb6010: Convert away from old_mmio
+ target/arm/helper.c               | 358 +++++++++++++-----------------
-      hw/net/smc91c111: Convert away from old_mmio
+ target/arm/hvf/hvf.c              |   2 +-
-      target/arm: Implement v8M VLLDM and VLSTM
+ target/arm/kvm-stub.c             |   4 +-
+ target/arm/kvm.c                  |   4 +-
-Prem Mallappa (3):
+ target/arm/machine.c              |   4 +-
-      hw/arm/smmuv3: Skeleton
+ target/arm/op_helper.c            |  57 ++---
-      hw/arm/virt: Add SMMUv3 to the virt board
+ target/arm/translate-a64.c        |  14 +-
-      hw/arm/virt-acpi-build: Add smmuv3 node in IORT table
+ target/arm/translate-neon.c       |   2 +-
+ target/arm/translate.c            |  13 +-
-Richard Henderson (2):
+ tests/tcg/aarch64/bti-3.c         |  42 ++++
-      target/arm: Tidy conditions in handle_vec_simd_shri
+ tests/tcg/aarch64/Makefile.target |   6 +-
-      target/arm: Tidy condition in disas_simd_two_reg_misc
+files changed, 738 insertions(+), 664 deletions(-)
+ create mode 100644 target/arm/cpregs.h
-Thomas Huth (1):
+ create mode 100644 tests/tcg/aarch64/bti-3.c
       hw/arm: Don't fail qtest due to missing SD card in -nodefaults mode
  hw/arm/Makefile.objs                |    1 +
  hw/arm/smmu-internal.h              |   99 +++
  hw/arm/smmuv3-internal.h            |  621 ++++++++++++++++++
  include/hw/acpi/acpi-defs.h         |   15 +
  include/hw/arm/smmu-common.h        |  145 +++++
  include/hw/arm/smmuv3.h             |   87 +++
  include/hw/arm/virt.h               |   10 +
  hw/arm/boot.c                       |    2 +-
  hw/arm/omap1.c                      |    8 +-
  hw/arm/omap2.c                      |    8 +-
  hw/arm/pxa2xx.c                     |   15 +-
  hw/arm/smmu-common.c                |  372 +++++++++++
  hw/arm/smmuv3.c                     | 1191 +++++++++++++++++++++++++++++++++++
  hw/arm/virt-acpi-build.c            |   55 +-
  hw/arm/virt.c                       |  101 ++-
  hw/char/cmsdk-apb-uart.c            |    1 +
  hw/net/smc91c111.c                  |   54 +-
  hw/usb/tusb6010.c                   |   40 +-
  target/arm/helper.c                 |    2 +-
  target/arm/kvm.c                    |   38 +-
  target/arm/translate-a64.c          |   12 +-
  target/arm/translate.c              |   17 +-
  default-configs/aarch64-softmmu.mak |    1 +
  hw/arm/trace-events                 |   37 ++
  target/arm/trace-events             |    3 +
 files changed, 2868 insertions(+), 67 deletions(-)
  create mode 100644 hw/arm/smmu-internal.h
  create mode 100644 hw/arm/smmuv3-internal.h
  create mode 100644 include/hw/arm/smmu-common.h
  create mode 100644 include/hw/arm/smmuv3.h
  create mode 100644 hw/arm/smmu-common.c
  create mode 100644 hw/arm/smmuv3.c

-[Qemu-devel] [PULL 13/24] hw/arm/smmu-common: VMSAv8-64 page table walk
+[PULL 01/23] target/arm: Enable SCTLR_EL1.BT0 for aarch64-linux-user
-From: Eric Auger <eric.auger@redhat.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-This patch implements the page table walk for VMSAv8-64.
+This controls whether the PACI{A,B}SP instructions trap with BTYPE=3
 (indirect branch from register other than x16/x17).  The linux kernel
 sets this in bti_enable().
-Signed-off-by: Eric Auger <eric.auger@redhat.com>
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/998
-Signed-off-by: Prem Mallappa <prem.mallappa@broadcom.com>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 1524665762-31355-4-git-send-email-eric.auger@redhat.com
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20220427042312.294300-1-richard.henderson@linaro.org
+[PMM: remove stray change to makefile comment]
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/smmu-internal.h       |  99 ++++++++++++++++
+ target/arm/cpu.c                  |  2 ++
- include/hw/arm/smmu-common.h |  14 +++
+ tests/tcg/aarch64/bti-3.c         | 42 +++++++++++++++++++++++++++++++
- hw/arm/smmu-common.c         | 222 +++++++++++++++++++++++++++++++++++
+ tests/tcg/aarch64/Makefile.target |  6 ++---
- hw/arm/trace-events          |   9 +-
+files changed, 47 insertions(+), 3 deletions(-)
-files changed, 343 insertions(+), 1 deletion(-)
+ create mode 100644 tests/tcg/aarch64/bti-3.c
  create mode 100644 hw/arm/smmu-internal.h
-diff --git a/hw/arm/smmu-internal.h b/hw/arm/smmu-internal.h
+diff --git a/target/arm/cpu.c b/target/arm/cpu.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.c
 +++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_reset(DeviceState *dev)
          /* Enable all PAC keys.  */
          env->cp15.sctlr_el[1] |= (SCTLR_EnIA | SCTLR_EnIB |
                                    SCTLR_EnDA | SCTLR_EnDB);
 +        /* Trap on btype=3 for PACIxSP. */
 +        env->cp15.sctlr_el[1] |= SCTLR_BT0;
          /* and to the FP/Neon instructions */
          env->cp15.cpacr_el1 = deposit64(env->cp15.cpacr_el1, 20, 2, 3);
          /* and to the SVE instructions */
 diff --git a/tests/tcg/aarch64/bti-3.c b/tests/tcg/aarch64/bti-3.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
-+++ b/hw/arm/smmu-internal.h
++++ b/tests/tcg/aarch64/bti-3.c
 @@ -XXX,XX +XXX,XX @@
 +/*
-+ * ARM SMMU support - Internal API
++ * BTI vs PACIASP
 + *
 + * Copyright (c) 2017 Red Hat, Inc.
 + * Copyright (C) 2014-2016 Broadcom Corporation
 + * Written by Prem Mallappa, Eric Auger
 + *
 + * This program is free software; you can redistribute it and/or modify
 + * it under the terms of the GNU General Public License version 2 as
 + * published by the Free Software Foundation.
 + *
 + * This program is distributed in the hope that it will be useful,
 + * but WITHOUT ANY WARRANTY; without even the implied warranty of
 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 + * General Public License for more details.
 + *
 + * You should have received a copy of the GNU General Public License along
 + * with this program; if not, see <http://www.gnu.org/licenses/>.
 + */
 +
-+#ifndef HW_ARM_SMMU_INTERNAL_H
++#include "bti-crt.inc.c"
 +#define HW_ARM_SMMU_INTERNAL_H
 +
-+#define TBI0(tbi) ((tbi) & 0x1)
++static void skip2_sigill(int sig, siginfo_t *info, ucontext_t *uc)
 +#define TBI1(tbi) ((tbi) & 0x2 >> 1)
 +
 +/* PTE Manipulation */
 +
 +#define ARM_LPAE_PTE_TYPE_SHIFT         0
 +#define ARM_LPAE_PTE_TYPE_MASK          0x3
 +
 +#define ARM_LPAE_PTE_TYPE_BLOCK         1
 +#define ARM_LPAE_PTE_TYPE_TABLE         3
 +
 +#define ARM_LPAE_L3_PTE_TYPE_RESERVED   1
 +#define ARM_LPAE_L3_PTE_TYPE_PAGE       3
 +
 +#define ARM_LPAE_PTE_VALID              (1 << 0)
 +
 +#define PTE_ADDRESS(pte, shift) \
 +    (extract64(pte, shift, 47 - shift + 1) << shift)
 +
 +#define is_invalid_pte(pte) (!(pte & ARM_LPAE_PTE_VALID))
 +
 +#define is_reserved_pte(pte, level)                                      \
 +    ((level == 3) &&                                                     \
 +     ((pte & ARM_LPAE_PTE_TYPE_MASK) == ARM_LPAE_L3_PTE_TYPE_RESERVED))
 +
 +#define is_block_pte(pte, level)                                         \
 +    ((level < 3) &&                                                      \
 +     ((pte & ARM_LPAE_PTE_TYPE_MASK) == ARM_LPAE_PTE_TYPE_BLOCK))
 +
 +#define is_table_pte(pte, level)                                        \
 +    ((level < 3) &&                                                     \
 +     ((pte & ARM_LPAE_PTE_TYPE_MASK) == ARM_LPAE_PTE_TYPE_TABLE))
 +
 +#define is_page_pte(pte, level)                                         \
 +    ((level == 3) &&                                                    \
 +     ((pte & ARM_LPAE_PTE_TYPE_MASK) == ARM_LPAE_L3_PTE_TYPE_PAGE))
 +
 +/* access permissions */
 +
 +#define PTE_AP(pte) \
 +    (extract64(pte, 6, 2))
 +
 +#define PTE_APTABLE(pte) \
 +    (extract64(pte, 61, 2))
 +
 +/*
 + * TODO: At the moment all transactions are considered as privileged (EL1)
 + * as IOMMU translation callback does not pass user/priv attributes.
 + */
 +#define is_permission_fault(ap, perm) \
 +    (((perm) & IOMMU_WO) && ((ap) & 0x2))
 +
 +#define PTE_AP_TO_PERM(ap) \
 +    (IOMMU_ACCESS_FLAG(true, !((ap) & 0x2)))
 +
 +/* Level Indexing */
 +
 +static inline int level_shift(int level, int granule_sz)
 +{
-+    return granule_sz + (3 - level) * (granule_sz - 3);
++    uc->uc_mcontext.pc += 8;
 +    uc->uc_mcontext.pstate = 1;
 +}
 +
-+static inline uint64_t level_page_mask(int level, int granule_sz)
++#define BTYPE_1() \
 +    asm("mov %0,#1; adr x16, 1f; br x16; 1: hint #25; mov %0,#0" \
 +        : "=r"(skipped) : : "x16", "x30")
 +
 +#define BTYPE_2() \
 +    asm("mov %0,#1; adr x16, 1f; blr x16; 1: hint #25; mov %0,#0" \
 +        : "=r"(skipped) : : "x16", "x30")
 +
 +#define BTYPE_3() \
 +    asm("mov %0,#1; adr x15, 1f; br x15; 1: hint #25; mov %0,#0" \
 +        : "=r"(skipped) : : "x15", "x30")
 +
 +#define TEST(WHICH, EXPECT) \
 +    do { WHICH(); fail += skipped ^ EXPECT; } while (0)
 +
 +int main()
 +{
-+    return ~(MAKE_64BIT_MASK(0, level_shift(level, granule_sz)));
++    int fail = 0;
 +    int skipped;
 +
 +    /* Signal-like with SA_SIGINFO.  */
 +    signal_info(SIGILL, skip2_sigill);
 +
 +    /* With SCTLR_EL1.BT0 set, PACIASP is not compatible with type=3. */
 +    TEST(BTYPE_1, 0);
 +    TEST(BTYPE_2, 0);
 +    TEST(BTYPE_3, 1);
 +
 +    return fail;
 +}
-+
+diff --git a/tests/tcg/aarch64/Makefile.target b/tests/tcg/aarch64/Makefile.target
 +static inline
 +uint64_t iova_level_offset(uint64_t iova, int inputsize,
 +                           int level, int gsz)
 +{
 +    return ((iova & MAKE_64BIT_MASK(0, inputsize)) >> level_shift(level, gsz)) &
 +            MAKE_64BIT_MASK(0, gsz - 3);
 +}
 +
 +#endif
 diff --git a/include/hw/arm/smmu-common.h b/include/hw/arm/smmu-common.h
 index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/smmu-common.h
+--- a/tests/tcg/aarch64/Makefile.target
-+++ b/include/hw/arm/smmu-common.h
++++ b/tests/tcg/aarch64/Makefile.target
-@@ -XXX,XX +XXX,XX @@ static inline uint16_t smmu_get_sid(SMMUDevice *sdev)
+@@ -XXX,XX +XXX,XX @@ endif
- {
+ # BTI Tests
-     return PCI_BUILD_BDF(pci_bus_num(sdev->bus), sdev->devfn);
+ # bti-1 tests the elf notes, so we require special compiler support.
- }
+ ifneq ($(CROSS_CC_HAS_ARMV8_BTI),)
-+
+-AARCH64_TESTS += bti-1
-+/**
+-bti-1: CFLAGS += -mbranch-protection=standard
-+ * smmu_ptw - Perform the page table walk for a given iova / access flags
+-bti-1: LDFLAGS += -nostdlib
-+ * pair, according to @cfg translation config
++AARCH64_TESTS += bti-1 bti-3
-+ */
++bti-1 bti-3: CFLAGS += -mbranch-protection=standard
-+int smmu_ptw(SMMUTransCfg *cfg, dma_addr_t iova, IOMMUAccessFlags perm,
++bti-1 bti-3: LDFLAGS += -nostdlib
-+             IOMMUTLBEntry *tlbe, SMMUPTWEventInfo *info);
+ endif
-+
+ # bti-2 tests PROT_BTI, so no special compiler support required.
-+/**
+ AARCH64_TESTS += bti-2
 + * select_tt - compute which translation table shall be used according to
 + * the input iova and translation config and return the TT specific info
 + */
 +SMMUTransTableInfo *select_tt(SMMUTransCfg *cfg, dma_addr_t iova);
 +
  #endif  /* HW_ARM_SMMU_COMMON */
 diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/smmu-common.c
 +++ b/hw/arm/smmu-common.c
@@ -XXX,XX +XXX,XX @@
  #include "qemu/error-report.h"
  #include "hw/arm/smmu-common.h"
 +#include "smmu-internal.h"
 +
 +/* VMSAv8-64 Translation */
 +
 +/**
 + * get_pte - Get the content of a page table entry located at
 + * @base_addr[@index]
 + */
 +static int get_pte(dma_addr_t baseaddr, uint32_t index, uint64_t *pte,
 +                   SMMUPTWEventInfo *info)
 +{
 +    int ret;
 +    dma_addr_t addr = baseaddr + index * sizeof(*pte);
 +
 +    /* TODO: guarantee 64-bit single-copy atomicity */
 +    ret = dma_memory_read(&address_space_memory, addr,
 +                          (uint8_t *)pte, sizeof(*pte));
 +
 +    if (ret != MEMTX_OK) {
 +        info->type = SMMU_PTW_ERR_WALK_EABT;
 +        info->addr = addr;
 +        return -EINVAL;
 +    }
 +    trace_smmu_get_pte(baseaddr, index, addr, *pte);
 +    return 0;
 +}
 +
 +/* VMSAv8-64 Translation Table Format Descriptor Decoding */
 +
 +/**
 + * get_page_pte_address - returns the L3 descriptor output address,
 + * ie. the page frame
 + * ARM ARM spec: Figure D4-17 VMSAv8-64 level 3 descriptor format
 + */
 +static inline hwaddr get_page_pte_address(uint64_t pte, int granule_sz)
 +{
 +    return PTE_ADDRESS(pte, granule_sz);
 +}
 +
 +/**
 + * get_table_pte_address - return table descriptor output address,
 + * ie. address of next level table
 + * ARM ARM Figure D4-16 VMSAv8-64 level0, level1, and level 2 descriptor formats
 + */
 +static inline hwaddr get_table_pte_address(uint64_t pte, int granule_sz)
 +{
 +    return PTE_ADDRESS(pte, granule_sz);
 +}
 +
 +/**
 + * get_block_pte_address - return block descriptor output address and block size
 + * ARM ARM Figure D4-16 VMSAv8-64 level0, level1, and level 2 descriptor formats
 + */
 +static inline hwaddr get_block_pte_address(uint64_t pte, int level,
 +                                           int granule_sz, uint64_t *bsz)
 +{
 +    int n = (granule_sz - 3) * (4 - level) + 3;
 +
 +    *bsz = 1 << n;
 +    return PTE_ADDRESS(pte, n);
 +}
 +
 +SMMUTransTableInfo *select_tt(SMMUTransCfg *cfg, dma_addr_t iova)
 +{
 +    bool tbi = extract64(iova, 55, 1) ? TBI1(cfg->tbi) : TBI0(cfg->tbi);
 +    uint8_t tbi_byte = tbi * 8;
 +
 +    if (cfg->tt[0].tsz &&
 +        !extract64(iova, 64 - cfg->tt[0].tsz, cfg->tt[0].tsz - tbi_byte)) {
 +        /* there is a ttbr0 region and we are in it (high bits all zero) */
 +        return &cfg->tt[0];
 +    } else if (cfg->tt[1].tsz &&
 +           !extract64(iova, 64 - cfg->tt[1].tsz, cfg->tt[1].tsz - tbi_byte)) {
 +        /* there is a ttbr1 region and we are in it (high bits all one) */
 +        return &cfg->tt[1];
 +    } else if (!cfg->tt[0].tsz) {
 +        /* ttbr0 region is "everything not in the ttbr1 region" */
 +        return &cfg->tt[0];
 +    } else if (!cfg->tt[1].tsz) {
 +        /* ttbr1 region is "everything not in the ttbr0 region" */
 +        return &cfg->tt[1];
 +    }
 +    /* in the gap between the two regions, this is a Translation fault */
 +    return NULL;
 +}
 +
 +/**
 + * smmu_ptw_64 - VMSAv8-64 Walk of the page tables for a given IOVA
 + * @cfg: translation config
 + * @iova: iova to translate
 + * @perm: access type
 + * @tlbe: IOMMUTLBEntry (out)
 + * @info: handle to an error info
 + *
 + * Return 0 on success, < 0 on error. In case of error, @info is filled
 + * and tlbe->perm is set to IOMMU_NONE.
 + * Upon success, @tlbe is filled with translated_addr and entry
 + * permission rights.
 + */
 +static int smmu_ptw_64(SMMUTransCfg *cfg,
 +                       dma_addr_t iova, IOMMUAccessFlags perm,
 +                       IOMMUTLBEntry *tlbe, SMMUPTWEventInfo *info)
 +{
 +    dma_addr_t baseaddr, indexmask;
 +    int stage = cfg->stage;
 +    SMMUTransTableInfo *tt = select_tt(cfg, iova);
 +    uint8_t level, granule_sz, inputsize, stride;
 +
 +    if (!tt || tt->disabled) {
 +        info->type = SMMU_PTW_ERR_TRANSLATION;
 +        goto error;
 +    }
 +
 +    granule_sz = tt->granule_sz;
 +    stride = granule_sz - 3;
 +    inputsize = 64 - tt->tsz;
 +    level = 4 - (inputsize - 4) / stride;
 +    indexmask = (1ULL << (inputsize - (stride * (4 - level)))) - 1;
 +    baseaddr = extract64(tt->ttb, 0, 48);
 +    baseaddr &= ~indexmask;
 +
 +    tlbe->iova = iova;
 +    tlbe->addr_mask = (1 << granule_sz) - 1;
 +
 +    while (level <= 3) {
 +        uint64_t subpage_size = 1ULL << level_shift(level, granule_sz);
 +        uint64_t mask = subpage_size - 1;
 +        uint32_t offset = iova_level_offset(iova, inputsize, level, granule_sz);
 +        uint64_t pte;
 +        dma_addr_t pte_addr = baseaddr + offset * sizeof(pte);
 +        uint8_t ap;
 +
 +        if (get_pte(baseaddr, offset, &pte, info)) {
 +                goto error;
 +        }
 +        trace_smmu_ptw_level(level, iova, subpage_size,
 +                             baseaddr, offset, pte);
 +
 +        if (is_invalid_pte(pte) || is_reserved_pte(pte, level)) {
 +            trace_smmu_ptw_invalid_pte(stage, level, baseaddr,
 +                                       pte_addr, offset, pte);
 +            info->type = SMMU_PTW_ERR_TRANSLATION;
 +            goto error;
 +        }
 +
 +        if (is_page_pte(pte, level)) {
 +            uint64_t gpa = get_page_pte_address(pte, granule_sz);
 +
 +            ap = PTE_AP(pte);
 +            if (is_permission_fault(ap, perm)) {
 +                info->type = SMMU_PTW_ERR_PERMISSION;
 +                goto error;
 +            }
 +
 +            tlbe->translated_addr = gpa + (iova & mask);
 +            tlbe->perm = PTE_AP_TO_PERM(ap);
 +            trace_smmu_ptw_page_pte(stage, level, iova,
 +                                    baseaddr, pte_addr, pte, gpa);
 +            return 0;
 +        }
 +        if (is_block_pte(pte, level)) {
 +            uint64_t block_size;
 +            hwaddr gpa = get_block_pte_address(pte, level, granule_sz,
 +                                               &block_size);
 +
 +            ap = PTE_AP(pte);
 +            if (is_permission_fault(ap, perm)) {
 +                info->type = SMMU_PTW_ERR_PERMISSION;
 +                goto error;
 +            }
 +
 +            trace_smmu_ptw_block_pte(stage, level, baseaddr,
 +                                     pte_addr, pte, iova, gpa,
 +                                     block_size >> 20);
 +
 +            tlbe->translated_addr = gpa + (iova & mask);
 +            tlbe->perm = PTE_AP_TO_PERM(ap);
 +            return 0;
 +        }
 +
 +        /* table pte */
 +        ap = PTE_APTABLE(pte);
 +
 +        if (is_permission_fault(ap, perm)) {
 +            info->type = SMMU_PTW_ERR_PERMISSION;
 +            goto error;
 +        }
 +        baseaddr = get_table_pte_address(pte, granule_sz);
 +        level++;
 +    }
 +
 +    info->type = SMMU_PTW_ERR_TRANSLATION;
 +
 +error:
 +    tlbe->perm = IOMMU_NONE;
 +    return -EINVAL;
 +}
 +
 +/**
 + * smmu_ptw - Walk the page tables for an IOVA, according to @cfg
 + *
 + * @cfg: translation configuration
 + * @iova: iova to translate
 + * @perm: tentative access type
 + * @tlbe: returned entry
 + * @info: ptw event handle
 + *
 + * return 0 on success
 + */
 +inline int smmu_ptw(SMMUTransCfg *cfg, dma_addr_t iova, IOMMUAccessFlags perm,
 +             IOMMUTLBEntry *tlbe, SMMUPTWEventInfo *info)
 +{
 +    if (!cfg->aa64) {
 +        /*
 +         * This code path is not entered as we check this while decoding
 +         * the configuration data in the derived SMMU model.
 +         */
 +        g_assert_not_reached();
 +    }
 +
 +    return smmu_ptw_64(cfg, iova, perm, tlbe, info);
 +}
  /**
   * The bus number is used for lookup when SID based invalidation occurs.
 diff --git a/hw/arm/trace-events b/hw/arm/trace-events
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/trace-events
 +++ b/hw/arm/trace-events
@@ -XXX,XX +XXX,XX @@
  virt_acpi_setup(void) "No fw cfg or ACPI disabled. Bailing out."
  # hw/arm/smmu-common.c
 -smmu_add_mr(const char *name) "%s"
 \ No newline at end of file
 +smmu_add_mr(const char *name) "%s"
 +smmu_page_walk(int stage, uint64_t baseaddr, int first_level, uint64_t start, uint64_t end) "stage=%d, baseaddr=0x%"PRIx64", first level=%d, start=0x%"PRIx64", end=0x%"PRIx64
 +smmu_lookup_table(int level, uint64_t baseaddr, int granule_sz, uint64_t start, uint64_t end, int flags, uint64_t subpage_size) "level=%d baseaddr=0x%"PRIx64" granule=%d, start=0x%"PRIx64" end=0x%"PRIx64" flags=%d subpage_size=0x%"PRIx64
 +smmu_ptw_level(int level, uint64_t iova, size_t subpage_size, uint64_t baseaddr, uint32_t offset, uint64_t pte) "level=%d iova=0x%"PRIx64" subpage_sz=0x%lx baseaddr=0x%"PRIx64" offset=%d => pte=0x%"PRIx64
 +smmu_ptw_invalid_pte(int stage, int level, uint64_t baseaddr, uint64_t pteaddr, uint32_t offset, uint64_t pte) "stage=%d level=%d base@=0x%"PRIx64" pte@=0x%"PRIx64" offset=%d pte=0x%"PRIx64
 +smmu_ptw_page_pte(int stage, int level,  uint64_t iova, uint64_t baseaddr, uint64_t pteaddr, uint64_t pte, uint64_t address) "stage=%d level=%d iova=0x%"PRIx64" base@=0x%"PRIx64" pte@=0x%"PRIx64" pte=0x%"PRIx64" page address = 0x%"PRIx64
 +smmu_ptw_block_pte(int stage, int level, uint64_t baseaddr, uint64_t pteaddr, uint64_t pte, uint64_t iova, uint64_t gpa, int bsize_mb) "stage=%d level=%d base@=0x%"PRIx64" pte@=0x%"PRIx64" pte=0x%"PRIx64" iova=0x%"PRIx64" block address = 0x%"PRIx64" block size = %d MiB"
 +smmu_get_pte(uint64_t baseaddr, int index, uint64_t pteaddr, uint64_t pte) "baseaddr=0x%"PRIx64" index=0x%x, pteaddr=0x%"PRIx64", pte=0x%"PRIx64
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 14/24] hw/arm/smmuv3: Skeleton
+[PULL 02/23] target/arm: Split out cpregs.h
-From: Prem Mallappa <prem.mallappa@broadcom.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-This patch implements a skeleton for the smmuv3 device.
+Move ARMCPRegInfo and all related declarations to a new
-Datatypes and register definitions are introduced. The MMIO
+internal header, out of the public cpu.h.
 region, the interrupts and the queue are initialized.
-Only the MMIO read operation is implemented here.
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Signed-off-by: Prem Mallappa <prem.mallappa@broadcom.com>
 Signed-off-by: Eric Auger <eric.auger@redhat.com>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 1524665762-31355-5-git-send-email-eric.auger@redhat.com
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20220501055028.646596-2-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/Makefile.objs     |   2 +-
+ target/arm/cpregs.h        | 413 +++++++++++++++++++++++++++++++++++++
- hw/arm/smmuv3-internal.h | 142 +++++++++++++++
+ target/arm/cpu.h           | 368 ---------------------------------
- include/hw/arm/smmuv3.h  |  87 ++++++++++
+ hw/arm/pxa2xx.c            |   1 +
- hw/arm/smmuv3.c          | 366 +++++++++++++++++++++++++++++++++++++++
+ hw/arm/pxa2xx_pic.c        |   1 +
- hw/arm/trace-events      |   3 +
+ hw/intc/arm_gicv3_cpuif.c  |   1 +
-files changed, 599 insertions(+), 1 deletion(-)
+ hw/intc/arm_gicv3_kvm.c    |   2 +
- create mode 100644 hw/arm/smmuv3-internal.h
+ target/arm/cpu.c           |   1 +
- create mode 100644 include/hw/arm/smmuv3.h
+ target/arm/cpu64.c         |   1 +
- create mode 100644 hw/arm/smmuv3.c
+ target/arm/cpu_tcg.c       |   1 +
  target/arm/gdbstub.c       |   3 +-
  target/arm/helper.c        |   1 +
  target/arm/op_helper.c     |   1 +
  target/arm/translate-a64.c |   4 +-
  target/arm/translate.c     |   3 +-
 files changed, 427 insertions(+), 374 deletions(-)
  create mode 100644 target/arm/cpregs.h
-diff --git a/hw/arm/Makefile.objs b/hw/arm/Makefile.objs
+diff --git a/target/arm/cpregs.h b/target/arm/cpregs.h
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/Makefile.objs
 +++ b/hw/arm/Makefile.objs
@@ -XXX,XX +XXX,XX @@ obj-$(CONFIG_MPS2) += mps2-tz.o
  obj-$(CONFIG_MSF2) += msf2-soc.o msf2-som.o
  obj-$(CONFIG_IOTKIT) += iotkit.o
  obj-$(CONFIG_FSL_IMX7) += fsl-imx7.o mcimx7d-sabre.o
 -obj-$(CONFIG_ARM_SMMUV3) += smmu-common.o
 +obj-$(CONFIG_ARM_SMMUV3) += smmu-common.o smmuv3.o
 diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
-+++ b/hw/arm/smmuv3-internal.h
++++ b/target/arm/cpregs.h
 @@ -XXX,XX +XXX,XX @@
 +/*
-+ * ARM SMMUv3 support - Internal API
++ * QEMU ARM CP Register access and descriptions
 + *
-+ * Copyright (C) 2014-2016 Broadcom Corporation
++ * Copyright (c) 2022 Linaro Ltd
 + * Copyright (c) 2017 Red Hat, Inc.
 + * Written by Prem Mallappa, Eric Auger
 + *
-+ * This program is free software; you can redistribute it and/or modify
++ * This program is free software; you can redistribute it and/or
-+ * it under the terms of the GNU General Public License version 2 as
++ * modify it under the terms of the GNU General Public License
-+ * published by the Free Software Foundation.
++ * as published by the Free Software Foundation; either version 2
 + * of the License, or (at your option) any later version.
 + *
 + * This program is distributed in the hope that it will be useful,
 + * but WITHOUT ANY WARRANTY; without even the implied warranty of
 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 + * GNU General Public License for more details.
 + *
-+ * You should have received a copy of the GNU General Public License along
++ * You should have received a copy of the GNU General Public License
-+ * with this program; if not, see <http://www.gnu.org/licenses/>.
++ * along with this program; if not, see
-+ */
++ * <http://www.gnu.org/licenses/gpl-2.0.html>
-+
++ */
-+#ifndef HW_ARM_SMMU_V3_INTERNAL_H
++
-+#define HW_ARM_SMMU_V3_INTERNAL_H
++#ifndef TARGET_ARM_CPREGS_H
-+
++#define TARGET_ARM_CPREGS_H
-+#include "hw/arm/smmu-common.h"
++
-+
++/*
-+/* MMIO Registers */
++ * ARMCPRegInfo type field bits. If the SPECIAL bit is set this is a
-+
++ * special-behaviour cp reg and bits [11..8] indicate what behaviour
-+REG32(IDR0,                0x0)
++ * it has. Otherwise it is a simple cp reg, where CONST indicates that
-+    FIELD(IDR0, S1P,         1 , 1)
++ * TCG can assume the value to be constant (ie load at translate time)
-+    FIELD(IDR0, TTF,         2 , 2)
++ * and 64BIT indicates a 64 bit wide coprocessor register. SUPPRESS_TB_END
-+    FIELD(IDR0, COHACC,      4 , 1)
++ * indicates that the TB should not be ended after a write to this register
-+    FIELD(IDR0, ASID16,      12, 1)
++ * (the default is that the TB ends after cp writes). OVERRIDE permits
-+    FIELD(IDR0, TTENDIAN,    21, 2)
++ * a register definition to override a previous definition for the
-+    FIELD(IDR0, STALL_MODEL, 24, 2)
++ * same (cp, is64, crn, crm, opc1, opc2) tuple: either the new or the
-+    FIELD(IDR0, TERM_MODEL,  26, 1)
++ * old must have the OVERRIDE bit set.
-+    FIELD(IDR0, STLEVEL,     27, 2)
++ * ALIAS indicates that this register is an alias view of some underlying
-+
++ * state which is also visible via another register, and that the other
-+REG32(IDR1,                0x4)
++ * register is handling migration and reset; registers marked ALIAS will not be
-+    FIELD(IDR1, SIDSIZE,      0 , 6)
++ * migrated but may have their state set by syncing of register state from KVM.
-+    FIELD(IDR1, EVENTQS,      16, 5)
++ * NO_RAW indicates that this register has no underlying state and does not
-+    FIELD(IDR1, CMDQS,        21, 5)
++ * support raw access for state saving/loading; it will not be used for either
-+
++ * migration or KVM state synchronization. (Typically this is for "registers"
-+#define SMMU_IDR1_SIDSIZE 16
++ * which are actually used as instructions for cache maintenance and so on.)
-+#define SMMU_CMDQS   19
++ * IO indicates that this register does I/O and therefore its accesses
-+#define SMMU_EVENTQS 19
++ * need to be marked with gen_io_start() and also end the TB. In particular,
-+
++ * registers which implement clocks or timers require this.
-+REG32(IDR2,                0x8)
++ * RAISES_EXC is for when the read or write hook might raise an exception;
-+REG32(IDR3,                0xc)
++ * the generated code will synchronize the CPU state before calling the hook
-+REG32(IDR4,                0x10)
++ * so that it is safe for the hook to call raise_exception().
-+REG32(IDR5,                0x14)
++ * NEWEL is for writes to registers that might change the exception
-+     FIELD(IDR5, OAS,         0, 3);
++ * level - typically on older ARM chips. For those cases we need to
-+     FIELD(IDR5, GRAN4K,      4, 1);
++ * re-read the new el when recomputing the translation flags.
-+     FIELD(IDR5, GRAN16K,     5, 1);
++ */
-+     FIELD(IDR5, GRAN64K,     6, 1);
++#define ARM_CP_SPECIAL           0x0001
-+
++#define ARM_CP_CONST             0x0002
-+#define SMMU_IDR5_OAS 4
++#define ARM_CP_64BIT             0x0004
-+
++#define ARM_CP_SUPPRESS_TB_END   0x0008
-+REG32(IIDR,                0x1c)
++#define ARM_CP_OVERRIDE          0x0010
-+REG32(CR0,                 0x20)
++#define ARM_CP_ALIAS             0x0020
-+    FIELD(CR0, SMMU_ENABLE,   0, 1)
++#define ARM_CP_IO                0x0040
-+    FIELD(CR0, EVENTQEN,      2, 1)
++#define ARM_CP_NO_RAW            0x0080
-+    FIELD(CR0, CMDQEN,        3, 1)
++#define ARM_CP_NOP               (ARM_CP_SPECIAL | 0x0100)
-+
++#define ARM_CP_WFI               (ARM_CP_SPECIAL | 0x0200)
-+REG32(CR0ACK,              0x24)
++#define ARM_CP_NZCV              (ARM_CP_SPECIAL | 0x0300)
-+REG32(CR1,                 0x28)
++#define ARM_CP_CURRENTEL         (ARM_CP_SPECIAL | 0x0400)
-+REG32(CR2,                 0x2c)
++#define ARM_CP_DC_ZVA            (ARM_CP_SPECIAL | 0x0500)
-+REG32(STATUSR,             0x40)
++#define ARM_CP_DC_GVA            (ARM_CP_SPECIAL | 0x0600)
-+REG32(IRQ_CTRL,            0x50)
++#define ARM_CP_DC_GZVA           (ARM_CP_SPECIAL | 0x0700)
-+    FIELD(IRQ_CTRL, GERROR_IRQEN,        0, 1)
++#define ARM_LAST_SPECIAL         ARM_CP_DC_GZVA
-+    FIELD(IRQ_CTRL, PRI_IRQEN,           1, 1)
++#define ARM_CP_FPU               0x1000
-+    FIELD(IRQ_CTRL, EVENTQ_IRQEN,        2, 1)
++#define ARM_CP_SVE               0x2000
-+
++#define ARM_CP_NO_GDB            0x4000
-+REG32(IRQ_CTRL_ACK,        0x54)
++#define ARM_CP_RAISES_EXC        0x8000
-+REG32(GERROR,              0x60)
++#define ARM_CP_NEWEL             0x10000
-+    FIELD(GERROR, CMDQ_ERR,           0, 1)
++/* Used only as a terminator for ARMCPRegInfo lists */
-+    FIELD(GERROR, EVENTQ_ABT_ERR,     2, 1)
++#define ARM_CP_SENTINEL          0xfffff
-+    FIELD(GERROR, PRIQ_ABT_ERR,       3, 1)
++/* Mask of only the flag bits in a type field */
-+    FIELD(GERROR, MSI_CMDQ_ABT_ERR,   4, 1)
++#define ARM_CP_FLAG_MASK         0x1f0ff
-+    FIELD(GERROR, MSI_EVENTQ_ABT_ERR, 5, 1)
++
-+    FIELD(GERROR, MSI_PRIQ_ABT_ERR,   6, 1)
++/*
-+    FIELD(GERROR, MSI_GERROR_ABT_ERR, 7, 1)
++ * Valid values for ARMCPRegInfo state field, indicating which of
-+    FIELD(GERROR, MSI_SFM_ERR,        8, 1)
++ * the AArch32 and AArch64 execution states this register is visible in.
-+
++ * If the reginfo doesn't explicitly specify then it is AArch32 only.
-+REG32(GERRORN,             0x64)
++ * If the reginfo is declared to be visible in both states then a second
-+
++ * reginfo is synthesised for the AArch32 view of the AArch64 register,
-+#define A_GERROR_IRQ_CFG0  0x68 /* 64b */
++ * such that the AArch32 view is the lower 32 bits of the AArch64 one.
-+REG32(GERROR_IRQ_CFG1, 0x70)
++ * Note that we rely on the values of these enums as we iterate through
-+REG32(GERROR_IRQ_CFG2, 0x74)
++ * the various states in some places.
-+
++ */
-+#define A_STRTAB_BASE      0x80 /* 64b */
++enum {
-+
++    ARM_CP_STATE_AA32 = 0,
-+#define SMMU_BASE_ADDR_MASK 0xffffffffffe0
++    ARM_CP_STATE_AA64 = 1,
-+
++    ARM_CP_STATE_BOTH = 2,
-+REG32(STRTAB_BASE_CFG,     0x88)
++};
-+    FIELD(STRTAB_BASE_CFG, FMT,      16, 2)
++
-+    FIELD(STRTAB_BASE_CFG, SPLIT,    6 , 5)
++/*
-+    FIELD(STRTAB_BASE_CFG, LOG2SIZE, 0 , 6)
++ * ARM CP register secure state flags.  These flags identify security state
-+
++ * attributes for a given CP register entry.
-+#define A_CMDQ_BASE        0x90 /* 64b */
++ * The existence of both or neither secure and non-secure flags indicates that
-+REG32(CMDQ_PROD,           0x98)
++ * the register has both a secure and non-secure hash entry.  A single one of
-+REG32(CMDQ_CONS,           0x9c)
++ * these flags causes the register to only be hashed for the specified
-+    FIELD(CMDQ_CONS, ERR, 24, 7)
++ * security state.
-+
++ * Although definitions may have any combination of the S/NS bits, each
-+#define A_EVENTQ_BASE      0xa0 /* 64b */
++ * registered entry will only have one to identify whether the entry is secure
-+REG32(EVENTQ_PROD,         0xa8)
++ * or non-secure.
-+REG32(EVENTQ_CONS,         0xac)
++ */
-+
++enum {
-+#define A_EVENTQ_IRQ_CFG0  0xb0 /* 64b */
++    ARM_CP_SECSTATE_S =   (1 << 0), /* bit[0]: Secure state register */
-+REG32(EVENTQ_IRQ_CFG1,     0xb8)
++    ARM_CP_SECSTATE_NS =  (1 << 1), /* bit[1]: Non-secure state register */
-+REG32(EVENTQ_IRQ_CFG2,     0xbc)
++};
 +
-+#define A_IDREGS           0xfd0
++/*
-+
++ * Return true if cptype is a valid type field. This is used to try to
-+static inline int smmu_enabled(SMMUv3State *s)
++ * catch errors where the sentinel has been accidentally left off the end
 + * of a list of registers.
 + */
 +static inline bool cptype_valid(int cptype)
 +{
-+    return FIELD_EX32(s->cr[0], CR0, SMMU_ENABLE);
++    return ((cptype & ~ARM_CP_FLAG_MASK) == 0)
 +        || ((cptype & ARM_CP_SPECIAL) &&
 +            ((cptype & ~ARM_CP_FLAG_MASK) <= ARM_LAST_SPECIAL));
 +}
 +
-+/* Command Queue Entry */
++/*
-+typedef struct Cmd {
++ * Access rights:
-+    uint32_t word[4];
++ * We define bits for Read and Write access for what rev C of the v7-AR ARM ARM
-+} Cmd;
++ * defines as PL0 (user), PL1 (fiq/irq/svc/abt/und/sys, ie privileged), and
-+
++ * PL2 (hyp). The other level which has Read and Write bits is Secure PL1
-+/* Event Queue Entry */
++ * (ie any of the privileged modes in Secure state, or Monitor mode).
-+typedef struct Evt  {
++ * If a register is accessible in one privilege level it's always accessible
-+    uint32_t word[8];
++ * in higher privilege levels too. Since "Secure PL1" also follows this rule
-+} Evt;
++ * (ie anything visible in PL2 is visible in S-PL1, some things are only
-+
++ * visible in S-PL1) but "Secure PL1" is a bit of a mouthful, we bend the
-+static inline uint32_t smmuv3_idreg(int regoffset)
++ * terminology a little and call this PL3.
 + * In AArch64 things are somewhat simpler as the PLx bits line up exactly
 + * with the ELx exception levels.
 + *
 + * If access permissions for a register are more complex than can be
 + * described with these bits, then use a laxer set of restrictions, and
 + * do the more restrictive/complex check inside a helper function.
 + */
 +#define PL3_R 0x80
 +#define PL3_W 0x40
 +#define PL2_R (0x20 | PL3_R)
 +#define PL2_W (0x10 | PL3_W)
 +#define PL1_R (0x08 | PL2_R)
 +#define PL1_W (0x04 | PL2_W)
 +#define PL0_R (0x02 | PL1_R)
 +#define PL0_W (0x01 | PL1_W)
 +
 +/*
 + * For user-mode some registers are accessible to EL0 via a kernel
 + * trap-and-emulate ABI. In this case we define the read permissions
 + * as actually being PL0_R. However some bits of any given register
 + * may still be masked.
 + */
 +#ifdef CONFIG_USER_ONLY
 +#define PL0U_R PL0_R
 +#else
 +#define PL0U_R PL1_R
 +#endif
 +
 +#define PL3_RW (PL3_R | PL3_W)
 +#define PL2_RW (PL2_R | PL2_W)
 +#define PL1_RW (PL1_R | PL1_W)
 +#define PL0_RW (PL0_R | PL0_W)
 +
 +typedef enum CPAccessResult {
 +    /* Access is permitted */
 +    CP_ACCESS_OK = 0,
 +    /*
 +     * Access fails due to a configurable trap or enable which would
 +     * result in a categorized exception syndrome giving information about
 +     * the failing instruction (ie syndrome category 0x3, 0x4, 0x5, 0x6,
 +     * 0xc or 0x18). The exception is taken to the usual target EL (EL1 or
 +     * PL1 if in EL0, otherwise to the current EL).
 +     */
 +    CP_ACCESS_TRAP = 1,
 +    /*
 +     * Access fails and results in an exception syndrome 0x0 ("uncategorized").
 +     * Note that this is not a catch-all case -- the set of cases which may
 +     * result in this failure is specifically defined by the architecture.
 +     */
 +    CP_ACCESS_TRAP_UNCATEGORIZED = 2,
 +    /* As CP_ACCESS_TRAP, but for traps directly to EL2 or EL3 */
 +    CP_ACCESS_TRAP_EL2 = 3,
 +    CP_ACCESS_TRAP_EL3 = 4,
 +    /* As CP_ACCESS_UNCATEGORIZED, but for traps directly to EL2 or EL3 */
 +    CP_ACCESS_TRAP_UNCATEGORIZED_EL2 = 5,
 +    CP_ACCESS_TRAP_UNCATEGORIZED_EL3 = 6,
 +} CPAccessResult;
 +
 +typedef struct ARMCPRegInfo ARMCPRegInfo;
 +
 +/*
 + * Access functions for coprocessor registers. These cannot fail and
 + * may not raise exceptions.
 + */
 +typedef uint64_t CPReadFn(CPUARMState *env, const ARMCPRegInfo *opaque);
 +typedef void CPWriteFn(CPUARMState *env, const ARMCPRegInfo *opaque,
 +                       uint64_t value);
 +/* Access permission check functions for coprocessor registers. */
 +typedef CPAccessResult CPAccessFn(CPUARMState *env,
 +                                  const ARMCPRegInfo *opaque,
 +                                  bool isread);
 +/* Hook function for register reset */
 +typedef void CPResetFn(CPUARMState *env, const ARMCPRegInfo *opaque);
 +
 +#define CP_ANY 0xff
 +
 +/* Definition of an ARM coprocessor register */
 +struct ARMCPRegInfo {
 +    /* Name of register (useful mainly for debugging, need not be unique) */
 +    const char *name;
 +    /*
 +     * Location of register: coprocessor number and (crn,crm,opc1,opc2)
 +     * tuple. Any of crm, opc1 and opc2 may be CP_ANY to indicate a
 +     * 'wildcard' field -- any value of that field in the MRC/MCR insn
 +     * will be decoded to this register. The register read and write
 +     * callbacks will be passed an ARMCPRegInfo with the crn/crm/opc1/opc2
 +     * used by the program, so it is possible to register a wildcard and
 +     * then behave differently on read/write if necessary.
 +     * For 64 bit registers, only crm and opc1 are relevant; crn and opc2
 +     * must both be zero.
 +     * For AArch64-visible registers, opc0 is also used.
 +     * Since there are no "coprocessors" in AArch64, cp is purely used as a
 +     * way to distinguish (for KVM's benefit) guest-visible system registers
 +     * from demuxed ones provided to preserve the "no side effects on
 +     * KVM register read/write from QEMU" semantics. cp==0x13 is guest
 +     * visible (to match KVM's encoding); cp==0 will be converted to
 +     * cp==0x13 when the ARMCPRegInfo is registered, for convenience.
 +     */
 +    uint8_t cp;
 +    uint8_t crn;
 +    uint8_t crm;
 +    uint8_t opc0;
 +    uint8_t opc1;
 +    uint8_t opc2;
 +    /* Execution state in which this register is visible: ARM_CP_STATE_* */
 +    int state;
 +    /* Register type: ARM_CP_* bits/values */
 +    int type;
 +    /* Access rights: PL*_[RW] */
 +    int access;
 +    /* Security state: ARM_CP_SECSTATE_* bits/values */
 +    int secure;
 +    /*
 +     * The opaque pointer passed to define_arm_cp_regs_with_opaque() when
 +     * this register was defined: can be used to hand data through to the
 +     * register read/write functions, since they are passed the ARMCPRegInfo*.
 +     */
 +    void *opaque;
 +    /*
 +     * Value of this register, if it is ARM_CP_CONST. Otherwise, if
 +     * fieldoffset is non-zero, the reset value of the register.
 +     */
 +    uint64_t resetvalue;
 +    /*
 +     * Offset of the field in CPUARMState for this register.
 +     * This is not needed if either:
 +     *  1. type is ARM_CP_CONST or one of the ARM_CP_SPECIALs
 +     *  2. both readfn and writefn are specified
 +     */
 +    ptrdiff_t fieldoffset; /* offsetof(CPUARMState, field) */
 +
 +    /*
 +     * Offsets of the secure and non-secure fields in CPUARMState for the
 +     * register if it is banked.  These fields are only used during the static
 +     * registration of a register.  During hashing the bank associated
 +     * with a given security state is copied to fieldoffset which is used from
 +     * there on out.
 +     *
 +     * It is expected that register definitions use either fieldoffset or
 +     * bank_fieldoffsets in the definition but not both.  It is also expected
 +     * that both bank offsets are set when defining a banked register.  This
 +     * use indicates that a register is banked.
 +     */
 +    ptrdiff_t bank_fieldoffsets[2];
 +
 +    /*
 +     * Function for making any access checks for this register in addition to
 +     * those specified by the 'access' permissions bits. If NULL, no extra
 +     * checks required. The access check is performed at runtime, not at
 +     * translate time.
 +     */
 +    CPAccessFn *accessfn;
 +    /*
 +     * Function for handling reads of this register. If NULL, then reads
 +     * will be done by loading from the offset into CPUARMState specified
 +     * by fieldoffset.
 +     */
 +    CPReadFn *readfn;
 +    /*
 +     * Function for handling writes of this register. If NULL, then writes
 +     * will be done by writing to the offset into CPUARMState specified
 +     * by fieldoffset.
 +     */
 +    CPWriteFn *writefn;
 +    /*
 +     * Function for doing a "raw" read; used when we need to copy
 +     * coprocessor state to the kernel for KVM or out for
 +     * migration. This only needs to be provided if there is also a
 +     * readfn and it has side effects (for instance clear-on-read bits).
 +     */
 +    CPReadFn *raw_readfn;
 +    /*
 +     * Function for doing a "raw" write; used when we need to copy KVM
 +     * kernel coprocessor state into userspace, or for inbound
 +     * migration. This only needs to be provided if there is also a
 +     * writefn and it masks out "unwritable" bits or has write-one-to-clear
 +     * or similar behaviour.
 +     */
 +    CPWriteFn *raw_writefn;
 +    /*
 +     * Function for resetting the register. If NULL, then reset will be done
 +     * by writing resetvalue to the field specified in fieldoffset. If
 +     * fieldoffset is 0 then no reset will be done.
 +     */
 +    CPResetFn *resetfn;
 +
 +    /*
 +     * "Original" writefn and readfn.
 +     * For ARMv8.1-VHE register aliases, we overwrite the read/write
 +     * accessor functions of various EL1/EL0 to perform the runtime
 +     * check for which sysreg should actually be modified, and then
 +     * forwards the operation.  Before overwriting the accessors,
 +     * the original function is copied here, so that accesses that
 +     * really do go to the EL1/EL0 version proceed normally.
 +     * (The corresponding EL2 register is linked via opaque.)
 +     */
 +    CPReadFn *orig_readfn;
 +    CPWriteFn *orig_writefn;
 +};
 +
 +/*
 + * Macros which are lvalues for the field in CPUARMState for the
 + * ARMCPRegInfo *ri.
 + */
 +#define CPREG_FIELD32(env, ri) \
 +    (*(uint32_t *)((char *)(env) + (ri)->fieldoffset))
 +#define CPREG_FIELD64(env, ri) \
 +    (*(uint64_t *)((char *)(env) + (ri)->fieldoffset))
 +
 +#define REGINFO_SENTINEL { .type = ARM_CP_SENTINEL }
 +
 +void define_arm_cp_regs_with_opaque(ARMCPU *cpu,
 +                                    const ARMCPRegInfo *regs, void *opaque);
 +void define_one_arm_cp_reg_with_opaque(ARMCPU *cpu,
 +                                       const ARMCPRegInfo *regs, void *opaque);
 +static inline void define_arm_cp_regs(ARMCPU *cpu, const ARMCPRegInfo *regs)
 +{
-+    /*
++    define_arm_cp_regs_with_opaque(cpu, regs, 0);
 +     * Return the value of the Primecell/Corelink ID registers at the
 +     * specified offset from the first ID register.
 +     * These value indicate an ARM implementation of MMU600 p1
 +     */
 +    static const uint8_t smmuv3_ids[] = {
 +        0x04, 0, 0, 0, 0x84, 0xB4, 0xF0, 0x10, 0x0D, 0xF0, 0x05, 0xB1
 +    };
 +    return smmuv3_ids[regoffset / 4];
 +}
-+
++static inline void define_one_arm_cp_reg(ARMCPU *cpu, const ARMCPRegInfo *regs)
 +#endif
 diff --git a/include/hw/arm/smmuv3.h b/include/hw/arm/smmuv3.h
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/include/hw/arm/smmuv3.h
@@ -XXX,XX +XXX,XX @@
 +/*
 + * Copyright (C) 2014-2016 Broadcom Corporation
 + * Copyright (c) 2017 Red Hat, Inc.
 + * Written by Prem Mallappa, Eric Auger
 + *
 + * This program is free software; you can redistribute it and/or modify
 + * it under the terms of the GNU General Public License version 2 as
 + * published by the Free Software Foundation.
 + *
 + * This program is distributed in the hope that it will be useful,
 + * but WITHOUT ANY WARRANTY; without even the implied warranty of
 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 + * GNU General Public License for more details.
 + *
 + * You should have received a copy of the GNU General Public License along
 + * with this program; if not, see <http://www.gnu.org/licenses/>.
 + */
 +
 +#ifndef HW_ARM_SMMUV3_H
 +#define HW_ARM_SMMUV3_H
 +
 +#include "hw/arm/smmu-common.h"
 +#include "hw/registerfields.h"
 +
 +#define TYPE_SMMUV3_IOMMU_MEMORY_REGION "smmuv3-iommu-memory-region"
 +
 +typedef struct SMMUQueue {
 +     uint64_t base; /* base register */
 +     uint32_t prod;
 +     uint32_t cons;
 +     uint8_t entry_size;
 +     uint8_t log2size;
 +} SMMUQueue;
 +
 +typedef struct SMMUv3State {
 +    SMMUState     smmu_state;
 +
 +    uint32_t features;
 +    uint8_t sid_size;
 +    uint8_t sid_split;
 +
 +    uint32_t idr[6];
 +    uint32_t iidr;
 +    uint32_t cr[3];
 +    uint32_t cr0ack;
 +    uint32_t statusr;
 +    uint32_t irq_ctrl;
 +    uint32_t gerror;
 +    uint32_t gerrorn;
 +    uint64_t gerror_irq_cfg0;
 +    uint32_t gerror_irq_cfg1;
 +    uint32_t gerror_irq_cfg2;
 +    uint64_t strtab_base;
 +    uint32_t strtab_base_cfg;
 +    uint64_t eventq_irq_cfg0;
 +    uint32_t eventq_irq_cfg1;
 +    uint32_t eventq_irq_cfg2;
 +
 +    SMMUQueue eventq, cmdq;
 +
 +    qemu_irq     irq[4];
 +} SMMUv3State;
 +
 +typedef enum {
 +    SMMU_IRQ_EVTQ,
 +    SMMU_IRQ_PRIQ,
 +    SMMU_IRQ_CMD_SYNC,
 +    SMMU_IRQ_GERROR,
 +} SMMUIrq;
 +
 +typedef struct {
 +    /*< private >*/
 +    SMMUBaseClass smmu_base_class;
 +    /*< public >*/
 +
 +    DeviceRealize parent_realize;
 +    DeviceReset   parent_reset;
 +} SMMUv3Class;
 +
 +#define TYPE_ARM_SMMUV3   "arm-smmuv3"
 +#define ARM_SMMUV3(obj) OBJECT_CHECK(SMMUv3State, (obj), TYPE_ARM_SMMUV3)
 +#define ARM_SMMUV3_CLASS(klass)                              \
 +    OBJECT_CLASS_CHECK(SMMUv3Class, (klass), TYPE_ARM_SMMUV3)
 +#define ARM_SMMUV3_GET_CLASS(obj) \
 +     OBJECT_GET_CLASS(SMMUv3Class, (obj), TYPE_ARM_SMMUV3)
 +
 +#endif
 diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@
 +/*
 + * Copyright (C) 2014-2016 Broadcom Corporation
 + * Copyright (c) 2017 Red Hat, Inc.
 + * Written by Prem Mallappa, Eric Auger
 + *
 + * This program is free software; you can redistribute it and/or modify
 + * it under the terms of the GNU General Public License version 2 as
 + * published by the Free Software Foundation.
 + *
 + * This program is distributed in the hope that it will be useful,
 + * but WITHOUT ANY WARRANTY; without even the implied warranty of
 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 + * GNU General Public License for more details.
 + *
 + * You should have received a copy of the GNU General Public License along
 + * with this program; if not, see <http://www.gnu.org/licenses/>.
 + */
 +
 +#include "qemu/osdep.h"
 +#include "hw/boards.h"
 +#include "sysemu/sysemu.h"
 +#include "hw/sysbus.h"
 +#include "hw/qdev-core.h"
 +#include "hw/pci/pci.h"
 +#include "exec/address-spaces.h"
 +#include "trace.h"
 +#include "qemu/log.h"
 +#include "qemu/error-report.h"
 +#include "qapi/error.h"
 +
 +#include "hw/arm/smmuv3.h"
 +#include "smmuv3-internal.h"
 +
 +static void smmuv3_init_regs(SMMUv3State *s)
 +{
-+    /**
++    define_one_arm_cp_reg_with_opaque(cpu, regs, 0);
 +     * IDR0: stage1 only, AArch64 only, coherent access, 16b ASID,
 +     *       multi-level stream table
 +     */
 +    s->idr[0] = FIELD_DP32(s->idr[0], IDR0, S1P, 1); /* stage 1 supported */
 +    s->idr[0] = FIELD_DP32(s->idr[0], IDR0, TTF, 2); /* AArch64 PTW only */
 +    s->idr[0] = FIELD_DP32(s->idr[0], IDR0, COHACC, 1); /* IO coherent */
 +    s->idr[0] = FIELD_DP32(s->idr[0], IDR0, ASID16, 1); /* 16-bit ASID */
 +    s->idr[0] = FIELD_DP32(s->idr[0], IDR0, TTENDIAN, 2); /* little endian */
 +    s->idr[0] = FIELD_DP32(s->idr[0], IDR0, STALL_MODEL, 1); /* No stall */
 +    /* terminated transaction will always be aborted/error returned */
 +    s->idr[0] = FIELD_DP32(s->idr[0], IDR0, TERM_MODEL, 1);
 +    /* 2-level stream table supported */
 +    s->idr[0] = FIELD_DP32(s->idr[0], IDR0, STLEVEL, 1);
 +
 +    s->idr[1] = FIELD_DP32(s->idr[1], IDR1, SIDSIZE, SMMU_IDR1_SIDSIZE);
 +    s->idr[1] = FIELD_DP32(s->idr[1], IDR1, EVENTQS, SMMU_EVENTQS);
 +    s->idr[1] = FIELD_DP32(s->idr[1], IDR1, CMDQS,   SMMU_CMDQS);
 +
 +   /* 4K and 64K granule support */
 +    s->idr[5] = FIELD_DP32(s->idr[5], IDR5, GRAN4K, 1);
 +    s->idr[5] = FIELD_DP32(s->idr[5], IDR5, GRAN64K, 1);
 +    s->idr[5] = FIELD_DP32(s->idr[5], IDR5, OAS, SMMU_IDR5_OAS); /* 44 bits */
 +
 +    s->cmdq.base = deposit64(s->cmdq.base, 0, 5, SMMU_CMDQS);
 +    s->cmdq.prod = 0;
 +    s->cmdq.cons = 0;
 +    s->cmdq.entry_size = sizeof(struct Cmd);
 +    s->eventq.base = deposit64(s->eventq.base, 0, 5, SMMU_EVENTQS);
 +    s->eventq.prod = 0;
 +    s->eventq.cons = 0;
 +    s->eventq.entry_size = sizeof(struct Evt);
 +
 +    s->features = 0;
 +    s->sid_split = 0;
 +}
-+
++const ARMCPRegInfo *get_arm_cp_reginfo(GHashTable *cpregs, uint32_t encoded_cp);
-+static MemTxResult smmu_write_mmio(void *opaque, hwaddr offset, uint64_t data,
++
-+                                   unsigned size, MemTxAttrs attrs)
++/*
 + * Definition of an ARM co-processor register as viewed from
 + * userspace. This is used for presenting sanitised versions of
 + * registers to userspace when emulating the Linux AArch64 CPU
 + * ID/feature ABI (advertised as HWCAP_CPUID).
 + */
 +typedef struct ARMCPRegUserSpaceInfo {
 +    /* Name of register */
 +    const char *name;
 +
 +    /* Is the name actually a glob pattern */
 +    bool is_glob;
 +
 +    /* Only some bits are exported to user space */
 +    uint64_t exported_bits;
 +
 +    /* Fixed bits are applied after the mask */
 +    uint64_t fixed_bits;
 +} ARMCPRegUserSpaceInfo;
 +
 +#define REGUSERINFO_SENTINEL { .name = NULL }
 +
 +void modify_arm_cp_regs(ARMCPRegInfo *regs, const ARMCPRegUserSpaceInfo *mods);
 +
 +/* CPWriteFn that can be used to implement writes-ignored behaviour */
 +void arm_cp_write_ignore(CPUARMState *env, const ARMCPRegInfo *ri,
 +                         uint64_t value);
 +/* CPReadFn that can be used for read-as-zero behaviour */
 +uint64_t arm_cp_read_zero(CPUARMState *env, const ARMCPRegInfo *ri);
 +
 +/*
 + * CPResetFn that does nothing, for use if no reset is required even
 + * if fieldoffset is non zero.
 + */
 +void arm_cp_reset_ignore(CPUARMState *env, const ARMCPRegInfo *opaque);
 +
 +/*
 + * Return true if this reginfo struct's field in the cpu state struct
 + * is 64 bits wide.
 + */
 +static inline bool cpreg_field_is_64bit(const ARMCPRegInfo *ri)
 +{
-+    /* not yet implemented */
++    return (ri->state == ARM_CP_STATE_AA64) || (ri->type & ARM_CP_64BIT);
 +    return MEMTX_ERROR;
 +}
 +
-+static MemTxResult smmu_readll(SMMUv3State *s, hwaddr offset,
++static inline bool cp_access_ok(int current_el,
-+                               uint64_t *data, MemTxAttrs attrs)
++                                const ARMCPRegInfo *ri, int isread)
 +{
-+    switch (offset) {
++    return (ri->access >> ((current_el * 2) + isread)) & 1;
 +    case A_GERROR_IRQ_CFG0:
 +        *data = s->gerror_irq_cfg0;
 +        return MEMTX_OK;
 +    case A_STRTAB_BASE:
 +        *data = s->strtab_base;
 +        return MEMTX_OK;
 +    case A_CMDQ_BASE:
 +        *data = s->cmdq.base;
 +        return MEMTX_OK;
 +    case A_EVENTQ_BASE:
 +        *data = s->eventq.base;
 +        return MEMTX_OK;
 +    default:
 +        *data = 0;
 +        qemu_log_mask(LOG_UNIMP,
 +                      "%s Unexpected 64-bit access to 0x%"PRIx64" (RAZ)\n",
 +                      __func__, offset);
 +        return MEMTX_OK;
 +    }
 +}
 +
-+static MemTxResult smmu_readl(SMMUv3State *s, hwaddr offset,
++/* Raw read of a coprocessor register (as needed for migration, etc) */
-+                              uint64_t *data, MemTxAttrs attrs)
++uint64_t read_raw_cp_reg(CPUARMState *env, const ARMCPRegInfo *ri);
-+{
++
-+    switch (offset) {
++#endif /* TARGET_ARM_CPREGS_H */
-+    case A_IDREGS ... A_IDREGS + 0x1f:
+diff --git a/target/arm/cpu.h b/target/arm/cpu.h
-+        *data = smmuv3_idreg(offset - A_IDREGS);
+index XXXXXXX..XXXXXXX 100644
-+        return MEMTX_OK;
+--- a/target/arm/cpu.h
-+    case A_IDR0 ... A_IDR5:
++++ b/target/arm/cpu.h
-+        *data = s->idr[(offset - A_IDR0) / 4];
+@@ -XXX,XX +XXX,XX @@ static inline uint64_t cpreg_to_kvm_id(uint32_t cpregid)
-+        return MEMTX_OK;
+     return kvmid;
-+    case A_IIDR:
+ }
-+        *data = s->iidr;
-+        return MEMTX_OK;
+-/* ARMCPRegInfo type field bits. If the SPECIAL bit is set this is a
-+    case A_CR0:
+- * special-behaviour cp reg and bits [11..8] indicate what behaviour
-+        *data = s->cr[0];
+- * it has. Otherwise it is a simple cp reg, where CONST indicates that
-+        return MEMTX_OK;
+- * TCG can assume the value to be constant (ie load at translate time)
-+    case A_CR0ACK:
+- * and 64BIT indicates a 64 bit wide coprocessor register. SUPPRESS_TB_END
-+        *data = s->cr0ack;
+- * indicates that the TB should not be ended after a write to this register
-+        return MEMTX_OK;
+- * (the default is that the TB ends after cp writes). OVERRIDE permits
-+    case A_CR1:
+- * a register definition to override a previous definition for the
-+        *data = s->cr[1];
+- * same (cp, is64, crn, crm, opc1, opc2) tuple: either the new or the
-+        return MEMTX_OK;
+- * old must have the OVERRIDE bit set.
-+    case A_CR2:
+- * ALIAS indicates that this register is an alias view of some underlying
-+        *data = s->cr[2];
+- * state which is also visible via another register, and that the other
-+        return MEMTX_OK;
+- * register is handling migration and reset; registers marked ALIAS will not be
-+    case A_STATUSR:
+- * migrated but may have their state set by syncing of register state from KVM.
-+        *data = s->statusr;
+- * NO_RAW indicates that this register has no underlying state and does not
-+        return MEMTX_OK;
+- * support raw access for state saving/loading; it will not be used for either
-+    case A_IRQ_CTRL:
+- * migration or KVM state synchronization. (Typically this is for "registers"
-+    case A_IRQ_CTRL_ACK:
+- * which are actually used as instructions for cache maintenance and so on.)
-+        *data = s->irq_ctrl;
+- * IO indicates that this register does I/O and therefore its accesses
-+        return MEMTX_OK;
+- * need to be marked with gen_io_start() and also end the TB. In particular,
-+    case A_GERROR:
+- * registers which implement clocks or timers require this.
-+        *data = s->gerror;
+- * RAISES_EXC is for when the read or write hook might raise an exception;
-+        return MEMTX_OK;
+- * the generated code will synchronize the CPU state before calling the hook
-+    case A_GERRORN:
+- * so that it is safe for the hook to call raise_exception().
-+        *data = s->gerrorn;
+- * NEWEL is for writes to registers that might change the exception
-+        return MEMTX_OK;
+- * level - typically on older ARM chips. For those cases we need to
-+    case A_GERROR_IRQ_CFG0: /* 64b */
+- * re-read the new el when recomputing the translation flags.
-+        *data = extract64(s->gerror_irq_cfg0, 0, 32);
+- */
-+        return MEMTX_OK;
+-#define ARM_CP_SPECIAL           0x0001
-+    case A_GERROR_IRQ_CFG0 + 4:
+-#define ARM_CP_CONST             0x0002
-+        *data = extract64(s->gerror_irq_cfg0, 32, 32);
+-#define ARM_CP_64BIT             0x0004
-+        return MEMTX_OK;
+-#define ARM_CP_SUPPRESS_TB_END   0x0008
-+    case A_GERROR_IRQ_CFG1:
+-#define ARM_CP_OVERRIDE          0x0010
-+        *data = s->gerror_irq_cfg1;
+-#define ARM_CP_ALIAS             0x0020
-+        return MEMTX_OK;
+-#define ARM_CP_IO                0x0040
-+    case A_GERROR_IRQ_CFG2:
+-#define ARM_CP_NO_RAW            0x0080
-+        *data = s->gerror_irq_cfg2;
+-#define ARM_CP_NOP               (ARM_CP_SPECIAL | 0x0100)
-+        return MEMTX_OK;
+-#define ARM_CP_WFI               (ARM_CP_SPECIAL | 0x0200)
-+    case A_STRTAB_BASE: /* 64b */
+-#define ARM_CP_NZCV              (ARM_CP_SPECIAL | 0x0300)
-+        *data = extract64(s->strtab_base, 0, 32);
+-#define ARM_CP_CURRENTEL         (ARM_CP_SPECIAL | 0x0400)
-+        return MEMTX_OK;
+-#define ARM_CP_DC_ZVA            (ARM_CP_SPECIAL | 0x0500)
-+    case A_STRTAB_BASE + 4: /* 64b */
+-#define ARM_CP_DC_GVA            (ARM_CP_SPECIAL | 0x0600)
-+        *data = extract64(s->strtab_base, 32, 32);
+-#define ARM_CP_DC_GZVA           (ARM_CP_SPECIAL | 0x0700)
-+        return MEMTX_OK;
+-#define ARM_LAST_SPECIAL         ARM_CP_DC_GZVA
-+    case A_STRTAB_BASE_CFG:
+-#define ARM_CP_FPU               0x1000
-+        *data = s->strtab_base_cfg;
+-#define ARM_CP_SVE               0x2000
-+        return MEMTX_OK;
+-#define ARM_CP_NO_GDB            0x4000
-+    case A_CMDQ_BASE: /* 64b */
+-#define ARM_CP_RAISES_EXC        0x8000
-+        *data = extract64(s->cmdq.base, 0, 32);
+-#define ARM_CP_NEWEL             0x10000
-+        return MEMTX_OK;
+-/* Used only as a terminator for ARMCPRegInfo lists */
-+    case A_CMDQ_BASE + 4:
+-#define ARM_CP_SENTINEL          0xfffff
-+        *data = extract64(s->cmdq.base, 32, 32);
+-/* Mask of only the flag bits in a type field */
-+        return MEMTX_OK;
+-#define ARM_CP_FLAG_MASK         0x1f0ff
-+    case A_CMDQ_PROD:
+-
-+        *data = s->cmdq.prod;
+-/* Valid values for ARMCPRegInfo state field, indicating which of
-+        return MEMTX_OK;
+- * the AArch32 and AArch64 execution states this register is visible in.
-+    case A_CMDQ_CONS:
+- * If the reginfo doesn't explicitly specify then it is AArch32 only.
-+        *data = s->cmdq.cons;
+- * If the reginfo is declared to be visible in both states then a second
-+        return MEMTX_OK;
+- * reginfo is synthesised for the AArch32 view of the AArch64 register,
-+    case A_EVENTQ_BASE: /* 64b */
+- * such that the AArch32 view is the lower 32 bits of the AArch64 one.
-+        *data = extract64(s->eventq.base, 0, 32);
+- * Note that we rely on the values of these enums as we iterate through
-+        return MEMTX_OK;
+- * the various states in some places.
-+    case A_EVENTQ_BASE + 4: /* 64b */
+- */
-+        *data = extract64(s->eventq.base, 32, 32);
+-enum {
-+        return MEMTX_OK;
+-    ARM_CP_STATE_AA32 = 0,
-+    case A_EVENTQ_PROD:
+-    ARM_CP_STATE_AA64 = 1,
-+        *data = s->eventq.prod;
+-    ARM_CP_STATE_BOTH = 2,
-+        return MEMTX_OK;
+-};
-+    case A_EVENTQ_CONS:
+-
-+        *data = s->eventq.cons;
+-/* ARM CP register secure state flags.  These flags identify security state
-+        return MEMTX_OK;
+- * attributes for a given CP register entry.
-+    default:
+- * The existence of both or neither secure and non-secure flags indicates that
-+        *data = 0;
+- * the register has both a secure and non-secure hash entry.  A single one of
-+        qemu_log_mask(LOG_UNIMP,
+- * these flags causes the register to only be hashed for the specified
-+                      "%s unhandled 32-bit access at 0x%"PRIx64" (RAZ)\n",
+- * security state.
-+                      __func__, offset);
+- * Although definitions may have any combination of the S/NS bits, each
-+        return MEMTX_OK;
+- * registered entry will only have one to identify whether the entry is secure
-+    }
+- * or non-secure.
-+}
+- */
-+
+-enum {
-+static MemTxResult smmu_read_mmio(void *opaque, hwaddr offset, uint64_t *data,
+-    ARM_CP_SECSTATE_S =   (1 << 0), /* bit[0]: Secure state register */
-+                                  unsigned size, MemTxAttrs attrs)
+-    ARM_CP_SECSTATE_NS =  (1 << 1), /* bit[1]: Non-secure state register */
-+{
+-};
-+    SMMUState *sys = opaque;
+-
-+    SMMUv3State *s = ARM_SMMUV3(sys);
+-/* Return true if cptype is a valid type field. This is used to try to
-+    MemTxResult r;
+- * catch errors where the sentinel has been accidentally left off the end
-+
+- * of a list of registers.
-+    /* CONSTRAINED UNPREDICTABLE choice to have page0/1 be exact aliases */
+- */
-+    offset &= ~0x10000;
+-static inline bool cptype_valid(int cptype)
-+
+-{
-+    switch (size) {
+-    return ((cptype & ~ARM_CP_FLAG_MASK) == 0)
-+    case 8:
+-        || ((cptype & ARM_CP_SPECIAL) &&
-+        r = smmu_readll(s, offset, data, attrs);
+-            ((cptype & ~ARM_CP_FLAG_MASK) <= ARM_LAST_SPECIAL));
-+        break;
+-}
-+    case 4:
+-
-+        r = smmu_readl(s, offset, data, attrs);
+-/* Access rights:
-+        break;
+- * We define bits for Read and Write access for what rev C of the v7-AR ARM ARM
-+    default:
+- * defines as PL0 (user), PL1 (fiq/irq/svc/abt/und/sys, ie privileged), and
-+        r = MEMTX_ERROR;
+- * PL2 (hyp). The other level which has Read and Write bits is Secure PL1
-+        break;
+- * (ie any of the privileged modes in Secure state, or Monitor mode).
-+    }
+- * If a register is accessible in one privilege level it's always accessible
-+
+- * in higher privilege levels too. Since "Secure PL1" also follows this rule
-+    trace_smmuv3_read_mmio(offset, *data, size, r);
+- * (ie anything visible in PL2 is visible in S-PL1, some things are only
-+    return r;
+- * visible in S-PL1) but "Secure PL1" is a bit of a mouthful, we bend the
-+}
+- * terminology a little and call this PL3.
-+
+- * In AArch64 things are somewhat simpler as the PLx bits line up exactly
-+static const MemoryRegionOps smmu_mem_ops = {
+- * with the ELx exception levels.
-+    .read_with_attrs = smmu_read_mmio,
+- *
-+    .write_with_attrs = smmu_write_mmio,
+- * If access permissions for a register are more complex than can be
-+    .endianness = DEVICE_LITTLE_ENDIAN,
+- * described with these bits, then use a laxer set of restrictions, and
-+    .valid = {
+- * do the more restrictive/complex check inside a helper function.
-+        .min_access_size = 4,
+- */
-+        .max_access_size = 8,
+-#define PL3_R 0x80
-+    },
+-#define PL3_W 0x40
-+    .impl = {
+-#define PL2_R (0x20 | PL3_R)
-+        .min_access_size = 4,
+-#define PL2_W (0x10 | PL3_W)
-+        .max_access_size = 8,
+-#define PL1_R (0x08 | PL2_R)
-+    },
+-#define PL1_W (0x04 | PL2_W)
-+};
+-#define PL0_R (0x02 | PL1_R)
-+
+-#define PL0_W (0x01 | PL1_W)
-+static void smmu_init_irq(SMMUv3State *s, SysBusDevice *dev)
+-
-+{
+-/*
-+    int i;
+- * For user-mode some registers are accessible to EL0 via a kernel
-+
+- * trap-and-emulate ABI. In this case we define the read permissions
-+    for (i = 0; i < ARRAY_SIZE(s->irq); i++) {
+- * as actually being PL0_R. However some bits of any given register
-+        sysbus_init_irq(dev, &s->irq[i]);
+- * may still be masked.
-+    }
+- */
-+}
+-#ifdef CONFIG_USER_ONLY
-+
+-#define PL0U_R PL0_R
-+static void smmu_reset(DeviceState *dev)
+-#else
-+{
+-#define PL0U_R PL1_R
-+    SMMUv3State *s = ARM_SMMUV3(dev);
+-#endif
-+    SMMUv3Class *c = ARM_SMMUV3_GET_CLASS(s);
+-
-+
+-#define PL3_RW (PL3_R | PL3_W)
-+    c->parent_reset(dev);
+-#define PL2_RW (PL2_R | PL2_W)
-+
+-#define PL1_RW (PL1_R | PL1_W)
-+    smmuv3_init_regs(s);
+-#define PL0_RW (PL0_R | PL0_W)
-+}
+-
-+
+ /* Return the highest implemented Exception Level */
-+static void smmu_realize(DeviceState *d, Error **errp)
+ static inline int arm_highest_el(CPUARMState *env)
-+{
+ {
-+    SMMUState *sys = ARM_SMMU(d);
+@@ -XXX,XX +XXX,XX @@ static inline int arm_current_el(CPUARMState *env)
-+    SMMUv3State *s = ARM_SMMUV3(sys);
+     }
-+    SMMUv3Class *c = ARM_SMMUV3_GET_CLASS(s);
+ }
-+    SysBusDevice *dev = SYS_BUS_DEVICE(d);
-+    Error *local_err = NULL;
+-typedef struct ARMCPRegInfo ARMCPRegInfo;
-+
+-
-+    c->parent_realize(d, &local_err);
+-typedef enum CPAccessResult {
-+    if (local_err) {
+-    /* Access is permitted */
-+        error_propagate(errp, local_err);
+-    CP_ACCESS_OK = 0,
-+        return;
+-    /* Access fails due to a configurable trap or enable which would
-+    }
+-     * result in a categorized exception syndrome giving information about
-+
+-     * the failing instruction (ie syndrome category 0x3, 0x4, 0x5, 0x6,
-+    memory_region_init_io(&sys->iomem, OBJECT(s),
+-     * 0xc or 0x18). The exception is taken to the usual target EL (EL1 or
-+                          &smmu_mem_ops, sys, TYPE_ARM_SMMUV3, 0x20000);
+-     * PL1 if in EL0, otherwise to the current EL).
-+
+-     */
-+    sys->mrtypename = TYPE_SMMUV3_IOMMU_MEMORY_REGION;
+-    CP_ACCESS_TRAP = 1,
-+
+-    /* Access fails and results in an exception syndrome 0x0 ("uncategorized").
-+    sysbus_init_mmio(dev, &sys->iomem);
+-     * Note that this is not a catch-all case -- the set of cases which may
-+
+-     * result in this failure is specifically defined by the architecture.
-+    smmu_init_irq(s, dev);
+-     */
-+}
+-    CP_ACCESS_TRAP_UNCATEGORIZED = 2,
-+
+-    /* As CP_ACCESS_TRAP, but for traps directly to EL2 or EL3 */
-+static const VMStateDescription vmstate_smmuv3_queue = {
+-    CP_ACCESS_TRAP_EL2 = 3,
-+    .name = "smmuv3_queue",
+-    CP_ACCESS_TRAP_EL3 = 4,
-+    .version_id = 1,
+-    /* As CP_ACCESS_UNCATEGORIZED, but for traps directly to EL2 or EL3 */
-+    .minimum_version_id = 1,
+-    CP_ACCESS_TRAP_UNCATEGORIZED_EL2 = 5,
-+    .fields = (VMStateField[]) {
+-    CP_ACCESS_TRAP_UNCATEGORIZED_EL3 = 6,
-+        VMSTATE_UINT64(base, SMMUQueue),
+-} CPAccessResult;
-+        VMSTATE_UINT32(prod, SMMUQueue),
+-
-+        VMSTATE_UINT32(cons, SMMUQueue),
+-/* Access functions for coprocessor registers. These cannot fail and
-+        VMSTATE_UINT8(log2size, SMMUQueue),
+- * may not raise exceptions.
-+    },
+- */
-+};
+-typedef uint64_t CPReadFn(CPUARMState *env, const ARMCPRegInfo *opaque);
-+
+-typedef void CPWriteFn(CPUARMState *env, const ARMCPRegInfo *opaque,
-+static const VMStateDescription vmstate_smmuv3 = {
+-                       uint64_t value);
-+    .name = "smmuv3",
+-/* Access permission check functions for coprocessor registers. */
-+    .version_id = 1,
+-typedef CPAccessResult CPAccessFn(CPUARMState *env,
-+    .minimum_version_id = 1,
+-                                  const ARMCPRegInfo *opaque,
-+    .fields = (VMStateField[]) {
+-                                  bool isread);
-+        VMSTATE_UINT32(features, SMMUv3State),
+-/* Hook function for register reset */
-+        VMSTATE_UINT8(sid_size, SMMUv3State),
+-typedef void CPResetFn(CPUARMState *env, const ARMCPRegInfo *opaque);
-+        VMSTATE_UINT8(sid_split, SMMUv3State),
+-
-+
+-#define CP_ANY 0xff
-+        VMSTATE_UINT32_ARRAY(cr, SMMUv3State, 3),
+-
-+        VMSTATE_UINT32(cr0ack, SMMUv3State),
+-/* Definition of an ARM coprocessor register */
-+        VMSTATE_UINT32(statusr, SMMUv3State),
+-struct ARMCPRegInfo {
-+        VMSTATE_UINT32(irq_ctrl, SMMUv3State),
+-    /* Name of register (useful mainly for debugging, need not be unique) */
-+        VMSTATE_UINT32(gerror, SMMUv3State),
+-    const char *name;
-+        VMSTATE_UINT32(gerrorn, SMMUv3State),
+-    /* Location of register: coprocessor number and (crn,crm,opc1,opc2)
-+        VMSTATE_UINT64(gerror_irq_cfg0, SMMUv3State),
+-     * tuple. Any of crm, opc1 and opc2 may be CP_ANY to indicate a
-+        VMSTATE_UINT32(gerror_irq_cfg1, SMMUv3State),
+-     * 'wildcard' field -- any value of that field in the MRC/MCR insn
-+        VMSTATE_UINT32(gerror_irq_cfg2, SMMUv3State),
+-     * will be decoded to this register. The register read and write
-+        VMSTATE_UINT64(strtab_base, SMMUv3State),
+-     * callbacks will be passed an ARMCPRegInfo with the crn/crm/opc1/opc2
-+        VMSTATE_UINT32(strtab_base_cfg, SMMUv3State),
+-     * used by the program, so it is possible to register a wildcard and
-+        VMSTATE_UINT64(eventq_irq_cfg0, SMMUv3State),
+-     * then behave differently on read/write if necessary.
-+        VMSTATE_UINT32(eventq_irq_cfg1, SMMUv3State),
+-     * For 64 bit registers, only crm and opc1 are relevant; crn and opc2
-+        VMSTATE_UINT32(eventq_irq_cfg2, SMMUv3State),
+-     * must both be zero.
-+
+-     * For AArch64-visible registers, opc0 is also used.
-+        VMSTATE_STRUCT(cmdq, SMMUv3State, 0, vmstate_smmuv3_queue, SMMUQueue),
+-     * Since there are no "coprocessors" in AArch64, cp is purely used as a
-+        VMSTATE_STRUCT(eventq, SMMUv3State, 0, vmstate_smmuv3_queue, SMMUQueue),
+-     * way to distinguish (for KVM's benefit) guest-visible system registers
-+
+-     * from demuxed ones provided to preserve the "no side effects on
-+        VMSTATE_END_OF_LIST(),
+-     * KVM register read/write from QEMU" semantics. cp==0x13 is guest
-+    },
+-     * visible (to match KVM's encoding); cp==0 will be converted to
-+};
+-     * cp==0x13 when the ARMCPRegInfo is registered, for convenience.
-+
+-     */
-+static void smmuv3_instance_init(Object *obj)
+-    uint8_t cp;
-+{
+-    uint8_t crn;
-+    /* Nothing much to do here as of now */
+-    uint8_t crm;
-+}
+-    uint8_t opc0;
-+
+-    uint8_t opc1;
-+static void smmuv3_class_init(ObjectClass *klass, void *data)
+-    uint8_t opc2;
-+{
+-    /* Execution state in which this register is visible: ARM_CP_STATE_* */
-+    DeviceClass *dc = DEVICE_CLASS(klass);
+-    int state;
-+    SMMUv3Class *c = ARM_SMMUV3_CLASS(klass);
+-    /* Register type: ARM_CP_* bits/values */
-+
+-    int type;
-+    dc->vmsd = &vmstate_smmuv3;
+-    /* Access rights: PL*_[RW] */
-+    device_class_set_parent_reset(dc, smmu_reset, &c->parent_reset);
+-    int access;
-+    c->parent_realize = dc->realize;
+-    /* Security state: ARM_CP_SECSTATE_* bits/values */
-+    dc->realize = smmu_realize;
+-    int secure;
-+}
+-    /* The opaque pointer passed to define_arm_cp_regs_with_opaque() when
-+
+-     * this register was defined: can be used to hand data through to the
-+static void smmuv3_iommu_memory_region_class_init(ObjectClass *klass,
+-     * register read/write functions, since they are passed the ARMCPRegInfo*.
-+                                                  void *data)
+-     */
-+{
+-    void *opaque;
-+}
+-    /* Value of this register, if it is ARM_CP_CONST. Otherwise, if
-+
+-     * fieldoffset is non-zero, the reset value of the register.
-+static const TypeInfo smmuv3_type_info = {
+-     */
-+    .name          = TYPE_ARM_SMMUV3,
+-    uint64_t resetvalue;
-+    .parent        = TYPE_ARM_SMMU,
+-    /* Offset of the field in CPUARMState for this register.
-+    .instance_size = sizeof(SMMUv3State),
+-     *
-+    .instance_init = smmuv3_instance_init,
+-     * This is not needed if either:
-+    .class_size    = sizeof(SMMUv3Class),
+-     *  1. type is ARM_CP_CONST or one of the ARM_CP_SPECIALs
-+    .class_init    = smmuv3_class_init,
+-     *  2. both readfn and writefn are specified
-+};
+-     */
-+
+-    ptrdiff_t fieldoffset; /* offsetof(CPUARMState, field) */
-+static const TypeInfo smmuv3_iommu_memory_region_info = {
+-
-+    .parent = TYPE_IOMMU_MEMORY_REGION,
+-    /* Offsets of the secure and non-secure fields in CPUARMState for the
-+    .name = TYPE_SMMUV3_IOMMU_MEMORY_REGION,
+-     * register if it is banked.  These fields are only used during the static
-+    .class_init = smmuv3_iommu_memory_region_class_init,
+-     * registration of a register.  During hashing the bank associated
-+};
+-     * with a given security state is copied to fieldoffset which is used from
-+
+-     * there on out.
-+static void smmuv3_register_types(void)
+-     *
-+{
+-     * It is expected that register definitions use either fieldoffset or
-+    type_register(&smmuv3_type_info);
+-     * bank_fieldoffsets in the definition but not both.  It is also expected
-+    type_register(&smmuv3_iommu_memory_region_info);
+-     * that both bank offsets are set when defining a banked register.  This
-+}
+-     * use indicates that a register is banked.
-+
+-     */
-+type_init(smmuv3_register_types)
+-    ptrdiff_t bank_fieldoffsets[2];
-+
+-
-diff --git a/hw/arm/trace-events b/hw/arm/trace-events
+-    /* Function for making any access checks for this register in addition to
-index XXXXXXX..XXXXXXX 100644
+-     * those specified by the 'access' permissions bits. If NULL, no extra
---- a/hw/arm/trace-events
+-     * checks required. The access check is performed at runtime, not at
-+++ b/hw/arm/trace-events
+-     * translate time.
-@@ -XXX,XX +XXX,XX @@ smmu_ptw_invalid_pte(int stage, int level, uint64_t baseaddr, uint64_t pteaddr,
+-     */
- smmu_ptw_page_pte(int stage, int level,  uint64_t iova, uint64_t baseaddr, uint64_t pteaddr, uint64_t pte, uint64_t address) "stage=%d level=%d iova=0x%"PRIx64" base@=0x%"PRIx64" pte@=0x%"PRIx64" pte=0x%"PRIx64" page address = 0x%"PRIx64
+-    CPAccessFn *accessfn;
- smmu_ptw_block_pte(int stage, int level, uint64_t baseaddr, uint64_t pteaddr, uint64_t pte, uint64_t iova, uint64_t gpa, int bsize_mb) "stage=%d level=%d base@=0x%"PRIx64" pte@=0x%"PRIx64" pte=0x%"PRIx64" iova=0x%"PRIx64" block address = 0x%"PRIx64" block size = %d MiB"
+-    /* Function for handling reads of this register. If NULL, then reads
- smmu_get_pte(uint64_t baseaddr, int index, uint64_t pteaddr, uint64_t pte) "baseaddr=0x%"PRIx64" index=0x%x, pteaddr=0x%"PRIx64", pte=0x%"PRIx64
+-     * will be done by loading from the offset into CPUARMState specified
-+
+-     * by fieldoffset.
-+#hw/arm/smmuv3.c
+-     */
-+smmuv3_read_mmio(uint64_t addr, uint64_t val, unsigned size, uint32_t r) "addr: 0x%"PRIx64" val:0x%"PRIx64" size: 0x%x(%d)"
+-    CPReadFn *readfn;
 -    /* Function for handling writes of this register. If NULL, then writes
 -     * will be done by writing to the offset into CPUARMState specified
 -     * by fieldoffset.
 -     */
 -    CPWriteFn *writefn;
 -    /* Function for doing a "raw" read; used when we need to copy
 -     * coprocessor state to the kernel for KVM or out for
 -     * migration. This only needs to be provided if there is also a
 -     * readfn and it has side effects (for instance clear-on-read bits).
 -     */
 -    CPReadFn *raw_readfn;
 -    /* Function for doing a "raw" write; used when we need to copy KVM
 -     * kernel coprocessor state into userspace, or for inbound
 -     * migration. This only needs to be provided if there is also a
 -     * writefn and it masks out "unwritable" bits or has write-one-to-clear
 -     * or similar behaviour.
 -     */
 -    CPWriteFn *raw_writefn;
 -    /* Function for resetting the register. If NULL, then reset will be done
 -     * by writing resetvalue to the field specified in fieldoffset. If
 -     * fieldoffset is 0 then no reset will be done.
 -     */
 -    CPResetFn *resetfn;
 -
 -    /*
 -     * "Original" writefn and readfn.
 -     * For ARMv8.1-VHE register aliases, we overwrite the read/write
 -     * accessor functions of various EL1/EL0 to perform the runtime
 -     * check for which sysreg should actually be modified, and then
 -     * forwards the operation.  Before overwriting the accessors,
 -     * the original function is copied here, so that accesses that
 -     * really do go to the EL1/EL0 version proceed normally.
 -     * (The corresponding EL2 register is linked via opaque.)
 -     */
 -    CPReadFn *orig_readfn;
 -    CPWriteFn *orig_writefn;
 -};
 -
 -/* Macros which are lvalues for the field in CPUARMState for the
 - * ARMCPRegInfo *ri.
 - */
 -#define CPREG_FIELD32(env, ri) \
 -    (*(uint32_t *)((char *)(env) + (ri)->fieldoffset))
 -#define CPREG_FIELD64(env, ri) \
 -    (*(uint64_t *)((char *)(env) + (ri)->fieldoffset))
 -
 -#define REGINFO_SENTINEL { .type = ARM_CP_SENTINEL }
 -
 -void define_arm_cp_regs_with_opaque(ARMCPU *cpu,
 -                                    const ARMCPRegInfo *regs, void *opaque);
 -void define_one_arm_cp_reg_with_opaque(ARMCPU *cpu,
 -                                       const ARMCPRegInfo *regs, void *opaque);
 -static inline void define_arm_cp_regs(ARMCPU *cpu, const ARMCPRegInfo *regs)
 -{
 -    define_arm_cp_regs_with_opaque(cpu, regs, 0);
 -}
 -static inline void define_one_arm_cp_reg(ARMCPU *cpu, const ARMCPRegInfo *regs)
 -{
 -    define_one_arm_cp_reg_with_opaque(cpu, regs, 0);
 -}
 -const ARMCPRegInfo *get_arm_cp_reginfo(GHashTable *cpregs, uint32_t encoded_cp);
 -
 -/*
 - * Definition of an ARM co-processor register as viewed from
 - * userspace. This is used for presenting sanitised versions of
 - * registers to userspace when emulating the Linux AArch64 CPU
 - * ID/feature ABI (advertised as HWCAP_CPUID).
 - */
 -typedef struct ARMCPRegUserSpaceInfo {
 -    /* Name of register */
 -    const char *name;
 -
 -    /* Is the name actually a glob pattern */
 -    bool is_glob;
 -
 -    /* Only some bits are exported to user space */
 -    uint64_t exported_bits;
 -
 -    /* Fixed bits are applied after the mask */
 -    uint64_t fixed_bits;
 -} ARMCPRegUserSpaceInfo;
 -
 -#define REGUSERINFO_SENTINEL { .name = NULL }
 -
 -void modify_arm_cp_regs(ARMCPRegInfo *regs, const ARMCPRegUserSpaceInfo *mods);
 -
 -/* CPWriteFn that can be used to implement writes-ignored behaviour */
 -void arm_cp_write_ignore(CPUARMState *env, const ARMCPRegInfo *ri,
 -                         uint64_t value);
 -/* CPReadFn that can be used for read-as-zero behaviour */
 -uint64_t arm_cp_read_zero(CPUARMState *env, const ARMCPRegInfo *ri);
 -
 -/* CPResetFn that does nothing, for use if no reset is required even
 - * if fieldoffset is non zero.
 - */
 -void arm_cp_reset_ignore(CPUARMState *env, const ARMCPRegInfo *opaque);
 -
 -/* Return true if this reginfo struct's field in the cpu state struct
 - * is 64 bits wide.
 - */
 -static inline bool cpreg_field_is_64bit(const ARMCPRegInfo *ri)
 -{
 -    return (ri->state == ARM_CP_STATE_AA64) || (ri->type & ARM_CP_64BIT);
 -}
 -
 -static inline bool cp_access_ok(int current_el,
 -                                const ARMCPRegInfo *ri, int isread)
 -{
 -    return (ri->access >> ((current_el * 2) + isread)) & 1;
 -}
 -
 -/* Raw read of a coprocessor register (as needed for migration, etc) */
 -uint64_t read_raw_cp_reg(CPUARMState *env, const ARMCPRegInfo *ri);
 -
  /**
   * write_list_to_cpustate
   * @cpu: ARMCPU
 diff --git a/hw/arm/pxa2xx.c b/hw/arm/pxa2xx.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/pxa2xx.c
 +++ b/hw/arm/pxa2xx.c
@@ -XXX,XX +XXX,XX @@
  #include "qemu/cutils.h"
  #include "qemu/log.h"
  #include "qom/object.h"
 +#include "target/arm/cpregs.h"
  static struct {
      hwaddr io_base;
 diff --git a/hw/arm/pxa2xx_pic.c b/hw/arm/pxa2xx_pic.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/pxa2xx_pic.c
 +++ b/hw/arm/pxa2xx_pic.c
@@ -XXX,XX +XXX,XX @@
  #include "hw/sysbus.h"
  #include "migration/vmstate.h"
  #include "qom/object.h"
 +#include "target/arm/cpregs.h"
  #define ICIP    0x00    /* Interrupt Controller IRQ Pending register */
  #define ICMR    0x04    /* Interrupt Controller Mask register */
 diff --git a/hw/intc/arm_gicv3_cpuif.c b/hw/intc/arm_gicv3_cpuif.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/intc/arm_gicv3_cpuif.c
 +++ b/hw/intc/arm_gicv3_cpuif.c
@@ -XXX,XX +XXX,XX @@
  #include "gicv3_internal.h"
  #include "hw/irq.h"
  #include "cpu.h"
 +#include "target/arm/cpregs.h"
  /*
   * Special case return value from hppvi_index(); must be larger than
 diff --git a/hw/intc/arm_gicv3_kvm.c b/hw/intc/arm_gicv3_kvm.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/intc/arm_gicv3_kvm.c
 +++ b/hw/intc/arm_gicv3_kvm.c
@@ -XXX,XX +XXX,XX @@
  #include "vgic_common.h"
  #include "migration/blocker.h"
  #include "qom/object.h"
 +#include "target/arm/cpregs.h"
 +
  #ifdef DEBUG_GICV3_KVM
  #define DPRINTF(fmt, ...) \
 diff --git a/target/arm/cpu.c b/target/arm/cpu.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.c
 +++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@
  #include "kvm_arm.h"
  #include "disas/capstone.h"
  #include "fpu/softfloat.h"
 +#include "cpregs.h"
  static void arm_cpu_set_pc(CPUState *cs, vaddr value)
  {
 diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu64.c
 +++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@
  #include "hvf_arm.h"
  #include "qapi/visitor.h"
  #include "hw/qdev-properties.h"
 +#include "cpregs.h"
  #ifndef CONFIG_USER_ONLY
 diff --git a/target/arm/cpu_tcg.c b/target/arm/cpu_tcg.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu_tcg.c
 +++ b/target/arm/cpu_tcg.c
@@ -XXX,XX +XXX,XX @@
  #if !defined(CONFIG_USER_ONLY)
  #include "hw/boards.h"
  #endif
 +#include "cpregs.h"
  /* CPU models. These are not needed for the AArch64 linux-user build. */
  #if !defined(CONFIG_USER_ONLY) || !defined(TARGET_AARCH64)
 diff --git a/target/arm/gdbstub.c b/target/arm/gdbstub.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/gdbstub.c
 +++ b/target/arm/gdbstub.c
@@ -XXX,XX +XXX,XX @@
   */
  #include "qemu/osdep.h"
  #include "cpu.h"
 -#include "internals.h"
  #include "exec/gdbstub.h"
 +#include "internals.h"
 +#include "cpregs.h"
  typedef struct RegisterSysregXmlParam {
      CPUState *cs;
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@
  #include "exec/cpu_ldst.h"
  #include "semihosting/common-semi.h"
  #endif
 +#include "cpregs.h"
  #define ARM_CPU_FREQ 1000000000 /* FIXME: 1 GHz, should be configurable */
  #define PMCR_NUM_COUNTERS 4 /* QEMU IMPDEF choice */
 diff --git a/target/arm/op_helper.c b/target/arm/op_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/op_helper.c
 +++ b/target/arm/op_helper.c
@@ -XXX,XX +XXX,XX @@
  #include "internals.h"
  #include "exec/exec-all.h"
  #include "exec/cpu_ldst.h"
 +#include "cpregs.h"
  #define SIGNBIT (uint32_t)0x80000000
  #define SIGNBIT64 ((uint64_t)1 << 63)
 diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-a64.c
 +++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@
  #include "translate.h"
  #include "internals.h"
  #include "qemu/host-utils.h"
 -
  #include "semihosting/semihost.h"
  #include "exec/gen-icount.h"
 -
  #include "exec/helper-proto.h"
  #include "exec/helper-gen.h"
  #include "exec/log.h"
 -
 +#include "cpregs.h"
  #include "translate-a64.h"
  #include "qemu/atomic128.h"
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.c
 +++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@
  #include "qemu/bitops.h"
  #include "arm_ldst.h"
  #include "semihosting/semihost.h"
 -
  #include "exec/helper-proto.h"
  #include "exec/helper-gen.h"
 -
  #include "exec/log.h"
 +#include "cpregs.h"
  #define ENABLE_ARCH_4T    arm_dc_feature(s, ARM_FEATURE_V4T)
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 17/24] hw/arm/smmuv3: Implement MMIO write operations
+[PULL 03/23] target/arm: Reorg CPAccessResult and access_check_cp_reg
-From: Eric Auger <eric.auger@redhat.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-Now we have relevant helpers for queue and irq
+Rearrange the values of the enumerators of CPAccessResult
-management, let's implement MMIO write operations.
+so that we may directly extract the target el. For the two
 special cases in access_check_cp_reg, use CPAccessResult.
-Signed-off-by: Eric Auger <eric.auger@redhat.com>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Signed-off-by: Prem Mallappa <prem.mallappa@broadcom.com>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 1524665762-31355-8-git-send-email-eric.auger@redhat.com
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20220501055028.646596-3-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/smmuv3-internal.h |   8 +-
+ target/arm/cpregs.h    | 26 ++++++++++++--------
- hw/arm/smmuv3.c          | 170 +++++++++++++++++++++++++++++++++++++--
+ target/arm/op_helper.c | 56 +++++++++++++++++++++---------------------
- hw/arm/trace-events      |   6 ++
+files changed, 44 insertions(+), 38 deletions(-)
 files changed, 174 insertions(+), 10 deletions(-)
-diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h
+diff --git a/target/arm/cpregs.h b/target/arm/cpregs.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmuv3-internal.h
+--- a/target/arm/cpregs.h
-+++ b/hw/arm/smmuv3-internal.h
++++ b/target/arm/cpregs.h
-@@ -XXX,XX +XXX,XX @@ REG32(CR0,                 0x20)
+@@ -XXX,XX +XXX,XX @@ static inline bool cptype_valid(int cptype)
-     FIELD(CR0, EVENTQEN,      2, 1)
+ typedef enum CPAccessResult {
-     FIELD(CR0, CMDQEN,        3, 1)
+     /* Access is permitted */
+     CP_ACCESS_OK = 0,
 +#define SMMU_CR0_RESERVED 0xFFFFFC20
 +
- REG32(CR0ACK,              0x24)
++    /*
- REG32(CR1,                 0x28)
++     * Combined with one of the following, the low 2 bits indicate the
- REG32(CR2,                 0x2c)
++     * target exception level.  If 0, the exception is taken to the usual
-@@ -XXX,XX +XXX,XX @@ static inline bool smmuv3_gerror_irq_enabled(SMMUv3State *s)
++     * target EL (EL1 or PL1 if in EL0, otherwise to the current EL).
-     return FIELD_EX32(s->irq_ctrl, IRQ_CTRL, GERROR_IRQEN);
++     */
- }
++    CP_ACCESS_EL_MASK = 3,
++
--/* public until callers get introduced */
+     /*
--void smmuv3_trigger_irq(SMMUv3State *s, SMMUIrq irq, uint32_t gerror_mask);
+      * Access fails due to a configurable trap or enable which would
--void smmuv3_write_gerrorn(SMMUv3State *s, uint32_t gerrorn);
+      * result in a categorized exception syndrome giving information about
--
+      * the failing instruction (ie syndrome category 0x3, 0x4, 0x5, 0x6,
- /* Queue Handling */
+-     * 0xc or 0x18). The exception is taken to the usual target EL (EL1 or
+-     * PL1 if in EL0, otherwise to the current EL).
- #define Q_BASE(q)          ((q)->base & SMMU_BASE_ADDR_MASK)
++     * 0xc or 0x18).
-@@ -XXX,XX +XXX,XX @@ enum { /* Command completion notification */
+      */
-             addr;                                             \
+-    CP_ACCESS_TRAP = 1,
-         })
++    CP_ACCESS_TRAP = (1 << 2),
++    CP_ACCESS_TRAP_EL2 = CP_ACCESS_TRAP | 2,
--int smmuv3_cmdq_consume(SMMUv3State *s);
++    CP_ACCESS_TRAP_EL3 = CP_ACCESS_TRAP | 3,
-+#define SMMU_FEATURE_2LVL_STE (1 << 0)
++
+     /*
- #endif
+      * Access fails and results in an exception syndrome 0x0 ("uncategorized").
-diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
+      * Note that this is not a catch-all case -- the set of cases which may
       * result in this failure is specifically defined by the architecture.
       */
 -    CP_ACCESS_TRAP_UNCATEGORIZED = 2,
 -    /* As CP_ACCESS_TRAP, but for traps directly to EL2 or EL3 */
 -    CP_ACCESS_TRAP_EL2 = 3,
 -    CP_ACCESS_TRAP_EL3 = 4,
 -    /* As CP_ACCESS_UNCATEGORIZED, but for traps directly to EL2 or EL3 */
 -    CP_ACCESS_TRAP_UNCATEGORIZED_EL2 = 5,
 -    CP_ACCESS_TRAP_UNCATEGORIZED_EL3 = 6,
 +    CP_ACCESS_TRAP_UNCATEGORIZED = (2 << 2),
 +    CP_ACCESS_TRAP_UNCATEGORIZED_EL2 = CP_ACCESS_TRAP_UNCATEGORIZED | 2,
 +    CP_ACCESS_TRAP_UNCATEGORIZED_EL3 = CP_ACCESS_TRAP_UNCATEGORIZED | 3,
  } CPAccessResult;
  typedef struct ARMCPRegInfo ARMCPRegInfo;
 diff --git a/target/arm/op_helper.c b/target/arm/op_helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmuv3.c
+--- a/target/arm/op_helper.c
-+++ b/hw/arm/smmuv3.c
++++ b/target/arm/op_helper.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ void HELPER(access_check_cp_reg)(CPUARMState *env, void *rip, uint32_t syndrome,
-  * @irq: irq type
+                                  uint32_t isread)
   * @gerror_mask: mask of gerrors to toggle (relevant if @irq is GERROR)
   */
 -void smmuv3_trigger_irq(SMMUv3State *s, SMMUIrq irq, uint32_t gerror_mask)
 +static void smmuv3_trigger_irq(SMMUv3State *s, SMMUIrq irq,
 +                               uint32_t gerror_mask)
  {
+     const ARMCPRegInfo *ri = rip;
-     bool pulse = false;
++    CPAccessResult res = CP_ACCESS_OK;
-@@ -XXX,XX +XXX,XX @@ void smmuv3_trigger_irq(SMMUv3State *s, SMMUIrq irq, uint32_t gerror_mask)
+     int target_el;
      if (arm_feature(env, ARM_FEATURE_XSCALE) && ri->cp < 14
          && extract32(env->cp15.c15_cpar, ri->cp, 1) == 0) {
 -        raise_exception(env, EXCP_UDEF, syndrome, exception_target_el(env));
 +        res = CP_ACCESS_TRAP;
 +        goto fail;
      }
- }
+     /*
--void smmuv3_write_gerrorn(SMMUv3State *s, uint32_t new_gerrorn)
+@@ -XXX,XX +XXX,XX @@ void HELPER(access_check_cp_reg)(CPUARMState *env, void *rip, uint32_t syndrome,
-+static void smmuv3_write_gerrorn(SMMUv3State *s, uint32_t new_gerrorn)
+         mask &= ~((1 << 4) | (1 << 14));
- {
-     uint32_t pending = s->gerror ^ s->gerrorn;
+         if (env->cp15.hstr_el2 & mask) {
-     uint32_t toggled = s->gerrorn ^ new_gerrorn;
+-            target_el = 2;
-@@ -XXX,XX +XXX,XX @@ static void smmuv3_init_regs(SMMUv3State *s)
+-            goto exept;
-     s->sid_split = 0;
++            res = CP_ACCESS_TRAP_EL2;
- }
++            goto fail;
+         }
--int smmuv3_cmdq_consume(SMMUv3State *s)
+     }
-+static int smmuv3_cmdq_consume(SMMUv3State *s)
- {
+-    if (!ri->accessfn) {
-     SMMUCmdError cmd_error = SMMU_CERROR_NONE;
++    if (ri->accessfn) {
-     SMMUQueue *q = &s->cmdq;
++        res = ri->accessfn(env, ri, isread);
@@ -XXX,XX +XXX,XX @@ int smmuv3_cmdq_consume(SMMUv3State *s)
      return 0;
  }
 +static MemTxResult smmu_writell(SMMUv3State *s, hwaddr offset,
 +                               uint64_t data, MemTxAttrs attrs)
 +{
 +    switch (offset) {
 +    case A_GERROR_IRQ_CFG0:
 +        s->gerror_irq_cfg0 = data;
 +        return MEMTX_OK;
 +    case A_STRTAB_BASE:
 +        s->strtab_base = data;
 +        return MEMTX_OK;
 +    case A_CMDQ_BASE:
 +        s->cmdq.base = data;
 +        s->cmdq.log2size = extract64(s->cmdq.base, 0, 5);
 +        if (s->cmdq.log2size > SMMU_CMDQS) {
 +            s->cmdq.log2size = SMMU_CMDQS;
 +        }
 +        return MEMTX_OK;
 +    case A_EVENTQ_BASE:
 +        s->eventq.base = data;
 +        s->eventq.log2size = extract64(s->eventq.base, 0, 5);
 +        if (s->eventq.log2size > SMMU_EVENTQS) {
 +            s->eventq.log2size = SMMU_EVENTQS;
 +        }
 +        return MEMTX_OK;
 +    case A_EVENTQ_IRQ_CFG0:
 +        s->eventq_irq_cfg0 = data;
 +        return MEMTX_OK;
 +    default:
 +        qemu_log_mask(LOG_UNIMP,
 +                      "%s Unexpected 64-bit access to 0x%"PRIx64" (WI)\n",
 +                      __func__, offset);
 +        return MEMTX_OK;
 +    }
-+}
++    if (likely(res == CP_ACCESS_OK)) {
-+
+         return;
-+static MemTxResult smmu_writel(SMMUv3State *s, hwaddr offset,
+     }
-+                               uint64_t data, MemTxAttrs attrs)
-+{
+-    switch (ri->accessfn(env, ri, isread)) {
-+    switch (offset) {
+-    case CP_ACCESS_OK:
-+    case A_CR0:
+-        return;
-+        s->cr[0] = data;
++ fail:
-+        s->cr0ack = data & ~SMMU_CR0_RESERVED;
++    switch (res & ~CP_ACCESS_EL_MASK) {
-+        /* in case the command queue has been enabled */
+     case CP_ACCESS_TRAP:
-+        smmuv3_cmdq_consume(s);
+-        target_el = exception_target_el(env);
-+        return MEMTX_OK;
+-        break;
-+    case A_CR1:
+-    case CP_ACCESS_TRAP_EL2:
-+        s->cr[1] = data;
+-        /* Requesting a trap to EL2 when we're in EL3 is
-+        return MEMTX_OK;
+-         * a bug in the access function.
-+    case A_CR2:
+-         */
-+        s->cr[2] = data;
+-        assert(arm_current_el(env) != 3);
-+        return MEMTX_OK;
+-        target_el = 2;
-+    case A_IRQ_CTRL:
+-        break;
-+        s->irq_ctrl = data;
+-    case CP_ACCESS_TRAP_EL3:
-+        return MEMTX_OK;
+-        target_el = 3;
-+    case A_GERRORN:
+         break;
-+        smmuv3_write_gerrorn(s, data);
+     case CP_ACCESS_TRAP_UNCATEGORIZED:
-+        /*
+-        target_el = exception_target_el(env);
-+         * By acknowledging the CMDQ_ERR, SW may notify cmds can
+-        syndrome = syn_uncategorized();
-+         * be processed again
+-        break;
-+         */
+-    case CP_ACCESS_TRAP_UNCATEGORIZED_EL2:
-+        smmuv3_cmdq_consume(s);
+-        target_el = 2;
-+        return MEMTX_OK;
+-        syndrome = syn_uncategorized();
-+    case A_GERROR_IRQ_CFG0: /* 64b */
+-        break;
-+        s->gerror_irq_cfg0 = deposit64(s->gerror_irq_cfg0, 0, 32, data);
+-    case CP_ACCESS_TRAP_UNCATEGORIZED_EL3:
-+        return MEMTX_OK;
+-        target_el = 3;
-+    case A_GERROR_IRQ_CFG0 + 4:
+         syndrome = syn_uncategorized();
-+        s->gerror_irq_cfg0 = deposit64(s->gerror_irq_cfg0, 32, 32, data);
+         break;
-+        return MEMTX_OK;
+     default:
-+    case A_GERROR_IRQ_CFG1:
+         g_assert_not_reached();
-+        s->gerror_irq_cfg1 = data;
+     }
-+        return MEMTX_OK;
-+    case A_GERROR_IRQ_CFG2:
+-exept:
-+        s->gerror_irq_cfg2 = data;
++    target_el = res & CP_ACCESS_EL_MASK;
-+        return MEMTX_OK;
++    switch (target_el) {
-+    case A_STRTAB_BASE: /* 64b */
++    case 0:
-+        s->strtab_base = deposit64(s->strtab_base, 0, 32, data);
++        target_el = exception_target_el(env);
 +        return MEMTX_OK;
 +    case A_STRTAB_BASE + 4:
 +        s->strtab_base = deposit64(s->strtab_base, 32, 32, data);
 +        return MEMTX_OK;
 +    case A_STRTAB_BASE_CFG:
 +        s->strtab_base_cfg = data;
 +        if (FIELD_EX32(data, STRTAB_BASE_CFG, FMT) == 1) {
 +            s->sid_split = FIELD_EX32(data, STRTAB_BASE_CFG, SPLIT);
 +            s->features |= SMMU_FEATURE_2LVL_STE;
 +        }
 +        return MEMTX_OK;
 +    case A_CMDQ_BASE: /* 64b */
 +        s->cmdq.base = deposit64(s->cmdq.base, 0, 32, data);
 +        s->cmdq.log2size = extract64(s->cmdq.base, 0, 5);
 +        if (s->cmdq.log2size > SMMU_CMDQS) {
 +            s->cmdq.log2size = SMMU_CMDQS;
 +        }
 +        return MEMTX_OK;
 +    case A_CMDQ_BASE + 4: /* 64b */
 +        s->cmdq.base = deposit64(s->cmdq.base, 32, 32, data);
 +        return MEMTX_OK;
 +    case A_CMDQ_PROD:
 +        s->cmdq.prod = data;
 +        smmuv3_cmdq_consume(s);
 +        return MEMTX_OK;
 +    case A_CMDQ_CONS:
 +        s->cmdq.cons = data;
 +        return MEMTX_OK;
 +    case A_EVENTQ_BASE: /* 64b */
 +        s->eventq.base = deposit64(s->eventq.base, 0, 32, data);
 +        s->eventq.log2size = extract64(s->eventq.base, 0, 5);
 +        if (s->eventq.log2size > SMMU_EVENTQS) {
 +            s->eventq.log2size = SMMU_EVENTQS;
 +        }
 +        return MEMTX_OK;
 +    case A_EVENTQ_BASE + 4:
 +        s->eventq.base = deposit64(s->eventq.base, 32, 32, data);
 +        return MEMTX_OK;
 +    case A_EVENTQ_PROD:
 +        s->eventq.prod = data;
 +        return MEMTX_OK;
 +    case A_EVENTQ_CONS:
 +        s->eventq.cons = data;
 +        return MEMTX_OK;
 +    case A_EVENTQ_IRQ_CFG0: /* 64b */
 +        s->eventq_irq_cfg0 = deposit64(s->eventq_irq_cfg0, 0, 32, data);
 +        return MEMTX_OK;
 +    case A_EVENTQ_IRQ_CFG0 + 4:
 +        s->eventq_irq_cfg0 = deposit64(s->eventq_irq_cfg0, 32, 32, data);
 +        return MEMTX_OK;
 +    case A_EVENTQ_IRQ_CFG1:
 +        s->eventq_irq_cfg1 = data;
 +        return MEMTX_OK;
 +    case A_EVENTQ_IRQ_CFG2:
 +        s->eventq_irq_cfg2 = data;
 +        return MEMTX_OK;
 +    default:
 +        qemu_log_mask(LOG_UNIMP,
 +                      "%s Unexpected 32-bit access to 0x%"PRIx64" (WI)\n",
 +                      __func__, offset);
 +        return MEMTX_OK;
 +    }
 +}
 +
  static MemTxResult smmu_write_mmio(void *opaque, hwaddr offset, uint64_t data,
                                     unsigned size, MemTxAttrs attrs)
  {
 -    /* not yet implemented */
 -    return MEMTX_ERROR;
 +    SMMUState *sys = opaque;
 +    SMMUv3State *s = ARM_SMMUV3(sys);
 +    MemTxResult r;
 +
 +    /* CONSTRAINED UNPREDICTABLE choice to have page0/1 be exact aliases */
 +    offset &= ~0x10000;
 +
 +    switch (size) {
 +    case 8:
 +        r = smmu_writell(s, offset, data, attrs);
 +        break;
-+    case 4:
++    case 2:
-+        r = smmu_writel(s, offset, data, attrs);
++        assert(arm_current_el(env) != 3);
 +        assert(arm_is_el2_enabled(env));
 +        break;
 +    case 3:
 +        assert(arm_feature(env, ARM_FEATURE_EL3));
 +        break;
 +    default:
-+        r = MEMTX_ERROR;
++        /* No "direct" traps to EL1 */
-+        break;
++        g_assert_not_reached();
 +    }
 +
-+    trace_smmuv3_write_mmio(offset, data, size, r);
+     raise_exception(env, EXCP_UDEF, syndrome, target_el);
 +    return r;
  }
- static MemTxResult smmu_readll(SMMUv3State *s, hwaddr offset,
-diff --git a/hw/arm/trace-events b/hw/arm/trace-events
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/trace-events
-+++ b/hw/arm/trace-events
-@@ -XXX,XX +XXX,XX @@ smmuv3_cmdq_consume(uint32_t prod, uint32_t cons, uint8_t prod_wrap, uint8_t con
- smmuv3_cmdq_opcode(const char *opcode) "<--- %s"
- smmuv3_cmdq_consume_out(uint32_t prod, uint32_t cons, uint8_t prod_wrap, uint8_t cons_wrap) "prod:%d, cons:%d, prod_wrap:%d, cons_wrap:%d "
- smmuv3_cmdq_consume_error(const char *cmd_name, uint8_t cmd_error) "Error on %s command execution: %d"
-+smmuv3_update(bool is_empty, uint32_t prod, uint32_t cons, uint8_t prod_wrap, uint8_t cons_wrap) "q empty:%d prod:%d cons:%d p.wrap:%d p.cons:%d"
-+smmuv3_update_check_cmd(int error) "cmdq not enabled or error :0x%x"
-+smmuv3_write_mmio(uint64_t addr, uint64_t val, unsigned size, uint32_t r) "addr: 0x%"PRIx64" val:0x%"PRIx64" size: 0x%x(%d)"
-+smmuv3_write_mmio_idr(uint64_t addr, uint64_t val) "write to RO/Unimpl reg 0x%lx val64:0x%lx"
-+smmuv3_write_mmio_evtq_cons_bef_clear(uint32_t prod, uint32_t cons, uint8_t prod_wrap, uint8_t cons_wrap) "Before clearing interrupt prod:0x%x cons:0x%x prod.w:%d cons.w:%d"
-+smmuv3_write_mmio_evtq_cons_after_clear(uint32_t prod, uint32_t cons, uint8_t prod_wrap, uint8_t cons_wrap) "after clearing interrupt prod:0x%x cons:0x%x prod.w:%d cons.w:%d"
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 09/24] hw/arm: Don't fail qtest due to missing SD card in -nodefaults mode
+[PULL 04/23] target/arm: Replace sentinels with ARRAY_SIZE in cpregs.h
-From: Thomas Huth <thuth@redhat.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-When running omap1/2 or pxa2xx based ARM machines with -nodefaults,
+Remove a possible source of error by removing REGINFO_SENTINEL
-they bail out immediately complaining about a "missing SecureDigital
+and using ARRAY_SIZE (convinently hidden inside a macro) to
-device". That's not how the "default" devices in vl.c are meant to
+find the end of the set of regs being registered or modified.
 work - it should be possible for a board to also start up without
 default devices. So let's turn the error message and exit() into
 a warning instead.
-Signed-off-by: Thomas Huth <thuth@redhat.com>
+The space saved by not having the extra array element reduces
-Message-id: 1525326811-3233-1-git-send-email-thuth@redhat.com
+the executable's .data.rel.ro section by about 9k.
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220501055028.646596-4-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/omap1.c  |  8 ++++----
+ target/arm/cpregs.h       |  53 +++++++++---------
- hw/arm/omap2.c  |  8 ++++----
+ hw/arm/pxa2xx.c           |   1 -
- hw/arm/pxa2xx.c | 15 +++++++--------
+ hw/arm/pxa2xx_pic.c       |   1 -
-files changed, 15 insertions(+), 16 deletions(-)
+ hw/intc/arm_gicv3_cpuif.c |   5 --
  hw/intc/arm_gicv3_kvm.c   |   1 -
  target/arm/cpu64.c        |   1 -
  target/arm/cpu_tcg.c      |   4 --
  target/arm/helper.c       | 111 ++++++++------------------------------
 files changed, 48 insertions(+), 129 deletions(-)
-diff --git a/hw/arm/omap1.c b/hw/arm/omap1.c
+diff --git a/target/arm/cpregs.h b/target/arm/cpregs.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/omap1.c
+--- a/target/arm/cpregs.h
-+++ b/hw/arm/omap1.c
++++ b/target/arm/cpregs.h
 @@ -XXX,XX +XXX,XX @@
- #include "hw/arm/soc_dma.h"
+ #define ARM_CP_NO_GDB            0x4000
- #include "sysemu/block-backend.h"
+ #define ARM_CP_RAISES_EXC        0x8000
- #include "sysemu/blockdev.h"
+ #define ARM_CP_NEWEL             0x10000
-+#include "sysemu/qtest.h"
+-/* Used only as a terminator for ARMCPRegInfo lists */
- #include "qemu/range.h"
+-#define ARM_CP_SENTINEL          0xfffff
- #include "hw/sysbus.h"
+ /* Mask of only the flag bits in a type field */
- #include "qemu/cutils.h"
+ #define ARM_CP_FLAG_MASK         0x1f0ff
-@@ -XXX,XX +XXX,XX @@ struct omap_mpu_state_s *omap310_mpu_init(MemoryRegion *system_memory,
-                                 omap_findclk(s, "dpll3"));
+@@ -XXX,XX +XXX,XX @@ enum {
+     ARM_CP_SECSTATE_NS =  (1 << 1), /* bit[1]: Non-secure state register */
-     dinfo = drive_get(IF_SD, 0, 0);
+ };
--    if (!dinfo) {
--        error_report("missing SecureDigital device");
+-/*
--        exit(1);
+- * Return true if cptype is a valid type field. This is used to try to
-+    if (!dinfo && !qtest_enabled()) {
+- * catch errors where the sentinel has been accidentally left off the end
-+        warn_report("missing SecureDigital device");
+- * of a list of registers.
-     }
+- */
-     s->mmc = omap_mmc_init(0xfffb7800, system_memory,
+-static inline bool cptype_valid(int cptype)
--                           blk_by_legacy_dinfo(dinfo),
+-{
-+                           dinfo ? blk_by_legacy_dinfo(dinfo) : NULL,
+-    return ((cptype & ~ARM_CP_FLAG_MASK) == 0)
-                            qdev_get_gpio_in(s->ih[1], OMAP_INT_OQN),
+-        || ((cptype & ARM_CP_SPECIAL) &&
-                            &s->drq[OMAP_DMA_MMC_TX],
+-            ((cptype & ~ARM_CP_FLAG_MASK) <= ARM_LAST_SPECIAL));
-                     omap_findclk(s, "mmc_ck"));
+-}
-diff --git a/hw/arm/omap2.c b/hw/arm/omap2.c
+-
-index XXXXXXX..XXXXXXX 100644
+ /*
---- a/hw/arm/omap2.c
+  * Access rights:
-+++ b/hw/arm/omap2.c
+  * We define bits for Read and Write access for what rev C of the v7-AR ARM ARM
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ struct ARMCPRegInfo {
- #include "cpu.h"
+ #define CPREG_FIELD64(env, ri) \
- #include "sysemu/block-backend.h"
+     (*(uint64_t *)((char *)(env) + (ri)->fieldoffset))
- #include "sysemu/blockdev.h"
-+#include "sysemu/qtest.h"
+-#define REGINFO_SENTINEL { .type = ARM_CP_SENTINEL }
- #include "hw/boards.h"
++void define_one_arm_cp_reg_with_opaque(ARMCPU *cpu, const ARMCPRegInfo *reg,
- #include "hw/hw.h"
++                                       void *opaque);
- #include "hw/arm/arm.h"
-@@ -XXX,XX +XXX,XX @@ struct omap_mpu_state_s *omap2420_mpu_init(MemoryRegion *sysmem,
+-void define_arm_cp_regs_with_opaque(ARMCPU *cpu,
-                              s->drq[OMAP24XX_DMA_GPMC]);
+-                                    const ARMCPRegInfo *regs, void *opaque);
+-void define_one_arm_cp_reg_with_opaque(ARMCPU *cpu,
-     dinfo = drive_get(IF_SD, 0, 0);
+-                                       const ARMCPRegInfo *regs, void *opaque);
--    if (!dinfo) {
+-static inline void define_arm_cp_regs(ARMCPU *cpu, const ARMCPRegInfo *regs)
--        error_report("missing SecureDigital device");
+-{
--        exit(1);
+-    define_arm_cp_regs_with_opaque(cpu, regs, 0);
-+    if (!dinfo && !qtest_enabled()) {
+-}
-+        warn_report("missing SecureDigital device");
+ static inline void define_one_arm_cp_reg(ARMCPU *cpu, const ARMCPRegInfo *regs)
-     }
+ {
-     s->mmc = omap2_mmc_init(omap_l4tao(s->l4, 9),
+-    define_one_arm_cp_reg_with_opaque(cpu, regs, 0);
--                    blk_by_legacy_dinfo(dinfo),
++    define_one_arm_cp_reg_with_opaque(cpu, regs, NULL);
-+                    dinfo ? blk_by_legacy_dinfo(dinfo) : NULL,
+ }
-                     qdev_get_gpio_in(s->ih[0], OMAP_INT_24XX_MMC_IRQ),
++
-                     &s->drq[OMAP24XX_DMA_MMC1_TX],
++void define_arm_cp_regs_with_opaque_len(ARMCPU *cpu, const ARMCPRegInfo *regs,
-                     omap_findclk(s, "mmc_fclk"), omap_findclk(s, "mmc_iclk"));
++                                        void *opaque, size_t len);
 +
 +#define define_arm_cp_regs_with_opaque(CPU, REGS, OPAQUE)               \
 +    do {                                                                \
 +        QEMU_BUILD_BUG_ON(ARRAY_SIZE(REGS) == 0);                       \
 +        define_arm_cp_regs_with_opaque_len(CPU, REGS, OPAQUE,           \
 +                                           ARRAY_SIZE(REGS));           \
 +    } while (0)
 +
 +#define define_arm_cp_regs(CPU, REGS) \
 +    define_arm_cp_regs_with_opaque(CPU, REGS, NULL)
 +
  const ARMCPRegInfo *get_arm_cp_reginfo(GHashTable *cpregs, uint32_t encoded_cp);
  /*
@@ -XXX,XX +XXX,XX @@ typedef struct ARMCPRegUserSpaceInfo {
      uint64_t fixed_bits;
  } ARMCPRegUserSpaceInfo;
 -#define REGUSERINFO_SENTINEL { .name = NULL }
 +void modify_arm_cp_regs_with_len(ARMCPRegInfo *regs, size_t regs_len,
 +                                 const ARMCPRegUserSpaceInfo *mods,
 +                                 size_t mods_len);
 -void modify_arm_cp_regs(ARMCPRegInfo *regs, const ARMCPRegUserSpaceInfo *mods);
 +#define modify_arm_cp_regs(REGS, MODS)                                  \
 +    do {                                                                \
 +        QEMU_BUILD_BUG_ON(ARRAY_SIZE(REGS) == 0);                       \
 +        QEMU_BUILD_BUG_ON(ARRAY_SIZE(MODS) == 0);                       \
 +        modify_arm_cp_regs_with_len(REGS, ARRAY_SIZE(REGS),             \
 +                                    MODS, ARRAY_SIZE(MODS));            \
 +    } while (0)
  /* CPWriteFn that can be used to implement writes-ignored behaviour */
  void arm_cp_write_ignore(CPUARMState *env, const ARMCPRegInfo *ri,
 diff --git a/hw/arm/pxa2xx.c b/hw/arm/pxa2xx.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/pxa2xx.c
 +++ b/hw/arm/pxa2xx.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo pxa_cp_reginfo[] = {
- #include "chardev/char-fe.h"
+     { .name = "PWRMODE", .cp = 14, .crn = 7, .crm = 0, .opc1 = 0, .opc2 = 0,
- #include "sysemu/block-backend.h"
+       .access = PL1_RW, .type = ARM_CP_IO,
- #include "sysemu/blockdev.h"
+       .readfn = arm_cp_read_zero, .writefn = pxa2xx_pwrmode_write },
-+#include "sysemu/qtest.h"
+-    REGINFO_SENTINEL
- #include "qemu/cutils.h"
+ };
- static struct {
+ static void pxa2xx_setup_cp14(PXA2xxState *s)
-@@ -XXX,XX +XXX,XX @@ PXA2xxState *pxa270_init(MemoryRegion *address_space,
+diff --git a/hw/arm/pxa2xx_pic.c b/hw/arm/pxa2xx_pic.c
-     s->gpio = pxa2xx_gpio_init(0x40e00000, s->cpu, s->pic, 121);
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/pxa2xx_pic.c
-     dinfo = drive_get(IF_SD, 0, 0);
++++ b/hw/arm/pxa2xx_pic.c
--    if (!dinfo) {
+@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo pxa_pic_cp_reginfo[] = {
--        error_report("missing SecureDigital device");
+     REGINFO_FOR_PIC_CP("ICLR2", 8),
--        exit(1);
+     REGINFO_FOR_PIC_CP("ICFP2", 9),
-+    if (!dinfo && !qtest_enabled()) {
+     REGINFO_FOR_PIC_CP("ICPR2", 0xa),
-+        warn_report("missing SecureDigital device");
+-    REGINFO_SENTINEL
  };
  static const MemoryRegionOps pxa2xx_pic_ops = {
 diff --git a/hw/intc/arm_gicv3_cpuif.c b/hw/intc/arm_gicv3_cpuif.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/intc/arm_gicv3_cpuif.c
 +++ b/hw/intc/arm_gicv3_cpuif.c
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo gicv3_cpuif_reginfo[] = {
        .readfn = icc_igrpen1_el3_read,
        .writefn = icc_igrpen1_el3_write,
      },
 -    REGINFO_SENTINEL
  };
  static uint64_t ich_ap_read(CPUARMState *env, const ARMCPRegInfo *ri)
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo gicv3_cpuif_hcr_reginfo[] = {
        .readfn = ich_vmcr_read,
        .writefn = ich_vmcr_write,
      },
 -    REGINFO_SENTINEL
  };
  static const ARMCPRegInfo gicv3_cpuif_ich_apxr1_reginfo[] = {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo gicv3_cpuif_ich_apxr1_reginfo[] = {
        .readfn = ich_ap_read,
        .writefn = ich_ap_write,
      },
 -    REGINFO_SENTINEL
  };
  static const ARMCPRegInfo gicv3_cpuif_ich_apxr23_reginfo[] = {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo gicv3_cpuif_ich_apxr23_reginfo[] = {
        .readfn = ich_ap_read,
        .writefn = ich_ap_write,
      },
 -    REGINFO_SENTINEL
  };
  static void gicv3_cpuif_el_change_hook(ARMCPU *cpu, void *opaque)
@@ -XXX,XX +XXX,XX @@ void gicv3_init_cpuif(GICv3State *s)
                        .readfn = ich_lr_read,
                        .writefn = ich_lr_write,
                      },
 -                    REGINFO_SENTINEL
                  };
                  define_arm_cp_regs(cpu, lr_regset);
              }
 diff --git a/hw/intc/arm_gicv3_kvm.c b/hw/intc/arm_gicv3_kvm.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/intc/arm_gicv3_kvm.c
 +++ b/hw/intc/arm_gicv3_kvm.c
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo gicv3_cpuif_reginfo[] = {
         */
        .resetfn = arm_gicv3_icc_reset,
      },
 -    REGINFO_SENTINEL
  };
  /**
 diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu64.c
 +++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo cortex_a72_a57_a53_cp_reginfo[] = {
      { .name = "L2MERRSR",
        .cp = 15, .opc1 = 3, .crm = 15,
        .access = PL1_RW, .type = ARM_CP_CONST | ARM_CP_64BIT, .resetvalue = 0 },
 -    REGINFO_SENTINEL
  };
  static void aarch64_a57_initfn(Object *obj)
 diff --git a/target/arm/cpu_tcg.c b/target/arm/cpu_tcg.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu_tcg.c
 +++ b/target/arm/cpu_tcg.c
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo cortexa8_cp_reginfo[] = {
        .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
      { .name = "L2AUXCR", .cp = 15, .crn = 9, .crm = 0, .opc1 = 1, .opc2 = 2,
        .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
 -    REGINFO_SENTINEL
  };
  static void cortex_a8_initfn(Object *obj)
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo cortexa9_cp_reginfo[] = {
        .access = PL1_RW, .resetvalue = 0, .type = ARM_CP_CONST },
      { .name = "TLB_ATTR", .cp = 15, .crn = 15, .crm = 7, .opc1 = 5, .opc2 = 2,
        .access = PL1_RW, .resetvalue = 0, .type = ARM_CP_CONST },
 -    REGINFO_SENTINEL
  };
  static void cortex_a9_initfn(Object *obj)
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo cortexa15_cp_reginfo[] = {
  #endif
      { .name = "L2ECTLR", .cp = 15, .crn = 9, .crm = 0, .opc1 = 1, .opc2 = 3,
        .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
 -    REGINFO_SENTINEL
  };
  static void cortex_a7_initfn(Object *obj)
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo cortexr5_cp_reginfo[] = {
        .access = PL1_RW, .type = ARM_CP_CONST },
      { .name = "DCACHE_INVAL", .cp = 15, .opc1 = 0, .crn = 15, .crm = 5,
        .opc2 = 0, .access = PL1_W, .type = ARM_CP_NOP },
 -    REGINFO_SENTINEL
  };
  static void cortex_r5_initfn(Object *obj)
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo cp_reginfo[] = {
        .secure = ARM_CP_SECSTATE_S,
        .fieldoffset = offsetof(CPUARMState, cp15.contextidr_s),
        .resetvalue = 0, .writefn = contextidr_write, .raw_writefn = raw_write, },
 -    REGINFO_SENTINEL
  };
  static const ARMCPRegInfo not_v8_cp_reginfo[] = {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo not_v8_cp_reginfo[] = {
      { .name = "CACHEMAINT", .cp = 15, .crn = 7, .crm = CP_ANY,
        .opc1 = 0, .opc2 = CP_ANY, .access = PL1_W,
        .type = ARM_CP_NOP | ARM_CP_OVERRIDE },
 -    REGINFO_SENTINEL
  };
  static const ARMCPRegInfo not_v6_cp_reginfo[] = {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo not_v6_cp_reginfo[] = {
       */
      { .name = "WFI_v5", .cp = 15, .crn = 7, .crm = 8, .opc1 = 0, .opc2 = 2,
        .access = PL1_W, .type = ARM_CP_WFI },
 -    REGINFO_SENTINEL
  };
  static const ARMCPRegInfo not_v7_cp_reginfo[] = {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo not_v7_cp_reginfo[] = {
        .opc1 = 0, .opc2 = 0, .access = PL1_RW, .type = ARM_CP_NOP },
      { .name = "NMRR", .cp = 15, .crn = 10, .crm = 2,
        .opc1 = 0, .opc2 = 1, .access = PL1_RW, .type = ARM_CP_NOP },
 -    REGINFO_SENTINEL
  };
  static void cpacr_write(CPUARMState *env, const ARMCPRegInfo *ri,
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v6_cp_reginfo[] = {
        .crn = 1, .crm = 0, .opc1 = 0, .opc2 = 2, .accessfn = cpacr_access,
        .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, cp15.cpacr_el1),
        .resetfn = cpacr_reset, .writefn = cpacr_write, .readfn = cpacr_read },
 -    REGINFO_SENTINEL
  };
  typedef struct pm_event {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v7_cp_reginfo[] = {
      { .name = "TLBIMVAA", .cp = 15, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 3,
        .type = ARM_CP_NO_RAW, .access = PL1_W, .accessfn = access_ttlb,
        .writefn = tlbimvaa_write },
 -    REGINFO_SENTINEL
  };
  static const ARMCPRegInfo v7mp_cp_reginfo[] = {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v7mp_cp_reginfo[] = {
      { .name = "TLBIMVAAIS", .cp = 15, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 3,
        .type = ARM_CP_NO_RAW, .access = PL1_W, .accessfn = access_ttlb,
        .writefn = tlbimvaa_is_write },
 -    REGINFO_SENTINEL
  };
  static const ARMCPRegInfo pmovsset_cp_reginfo[] = {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo pmovsset_cp_reginfo[] = {
        .fieldoffset = offsetof(CPUARMState, cp15.c9_pmovsr),
        .writefn = pmovsset_write,
        .raw_writefn = raw_write },
 -    REGINFO_SENTINEL
  };
  static void teecr_write(CPUARMState *env, const ARMCPRegInfo *ri,
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo t2ee_cp_reginfo[] = {
      { .name = "TEEHBR", .cp = 14, .crn = 1, .crm = 0, .opc1 = 6, .opc2 = 0,
        .access = PL0_RW, .fieldoffset = offsetof(CPUARMState, teehbr),
        .accessfn = teehbr_access, .resetvalue = 0 },
 -    REGINFO_SENTINEL
  };
  static const ARMCPRegInfo v6k_cp_reginfo[] = {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v6k_cp_reginfo[] = {
        .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.tpidrprw_s),
                               offsetoflow32(CPUARMState, cp15.tpidrprw_ns) },
        .resetvalue = 0 },
 -    REGINFO_SENTINEL
  };
  #ifndef CONFIG_USER_ONLY
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo generic_timer_cp_reginfo[] = {
        .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_SEC].cval),
        .writefn = gt_sec_cval_write, .raw_writefn = raw_write,
      },
 -    REGINFO_SENTINEL
  };
  static CPAccessResult e2h_access(CPUARMState *env, const ARMCPRegInfo *ri,
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo generic_timer_cp_reginfo[] = {
        .access = PL0_R, .type = ARM_CP_NO_RAW | ARM_CP_IO,
        .readfn = gt_virt_cnt_read,
      },
 -    REGINFO_SENTINEL
  };
  #endif
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo vapa_cp_reginfo[] = {
        .access = PL1_W, .accessfn = ats_access,
        .writefn = ats_write, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC },
  #endif
 -    REGINFO_SENTINEL
  };
  /* Return basic MPU access permission bits.  */
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo pmsav7_cp_reginfo[] = {
        .fieldoffset = offsetof(CPUARMState, pmsav7.rnr[M_REG_NS]),
        .writefn = pmsav7_rgnr_write,
        .resetfn = arm_cp_reset_ignore },
 -    REGINFO_SENTINEL
  };
  static const ARMCPRegInfo pmsav5_cp_reginfo[] = {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo pmsav5_cp_reginfo[] = {
      { .name = "946_PRBS7", .cp = 15, .crn = 6, .crm = 7, .opc1 = 0,
        .opc2 = CP_ANY, .access = PL1_RW, .resetvalue = 0,
        .fieldoffset = offsetof(CPUARMState, cp15.c6_region[7]) },
 -    REGINFO_SENTINEL
  };
  static void vmsa_ttbcr_raw_write(CPUARMState *env, const ARMCPRegInfo *ri,
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo vmsa_pmsa_cp_reginfo[] = {
        .access = PL1_RW, .accessfn = access_tvm_trvm,
        .fieldoffset = offsetof(CPUARMState, cp15.far_el[1]),
        .resetvalue = 0, },
 -    REGINFO_SENTINEL
  };
  static const ARMCPRegInfo vmsa_cp_reginfo[] = {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo vmsa_cp_reginfo[] = {
        /* No offsetoflow32 -- pass the entire TCR to writefn/raw_writefn. */
        .bank_fieldoffsets = { offsetof(CPUARMState, cp15.tcr_el[3]),
                               offsetof(CPUARMState, cp15.tcr_el[1])} },
 -    REGINFO_SENTINEL
  };
  /* Note that unlike TTBCR, writing to TTBCR2 does not require flushing
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo omap_cp_reginfo[] = {
      { .name = "C9", .cp = 15, .crn = 9,
        .crm = CP_ANY, .opc1 = CP_ANY, .opc2 = CP_ANY, .access = PL1_RW,
        .type = ARM_CP_CONST | ARM_CP_OVERRIDE, .resetvalue = 0 },
 -    REGINFO_SENTINEL
  };
  static void xscale_cpar_write(CPUARMState *env, const ARMCPRegInfo *ri,
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo xscale_cp_reginfo[] = {
      { .name = "XSCALE_UNLOCK_DCACHE",
        .cp = 15, .opc1 = 0, .crn = 9, .crm = 2, .opc2 = 1,
        .access = PL1_W, .type = ARM_CP_NOP },
 -    REGINFO_SENTINEL
  };
  static const ARMCPRegInfo dummy_c15_cp_reginfo[] = {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo dummy_c15_cp_reginfo[] = {
        .access = PL1_RW,
        .type = ARM_CP_CONST | ARM_CP_NO_RAW | ARM_CP_OVERRIDE,
        .resetvalue = 0 },
 -    REGINFO_SENTINEL
  };
  static const ARMCPRegInfo cache_dirty_status_cp_reginfo[] = {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo cache_dirty_status_cp_reginfo[] = {
      { .name = "CDSR", .cp = 15, .crn = 7, .crm = 10, .opc1 = 0, .opc2 = 6,
        .access = PL1_R, .type = ARM_CP_CONST | ARM_CP_NO_RAW,
        .resetvalue = 0 },
 -    REGINFO_SENTINEL
  };
  static const ARMCPRegInfo cache_block_ops_cp_reginfo[] = {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo cache_block_ops_cp_reginfo[] = {
        .access = PL0_W, .type = ARM_CP_NOP|ARM_CP_64BIT },
      { .name = "CIDCR", .cp = 15, .crm = 14, .opc1 = 0,
        .access = PL1_W, .type = ARM_CP_NOP|ARM_CP_64BIT },
 -    REGINFO_SENTINEL
  };
  static const ARMCPRegInfo cache_test_clean_cp_reginfo[] = {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo cache_test_clean_cp_reginfo[] = {
      { .name = "TCI_DCACHE", .cp = 15, .crn = 7, .crm = 14, .opc1 = 0, .opc2 = 3,
        .access = PL0_R, .type = ARM_CP_CONST | ARM_CP_NO_RAW,
        .resetvalue = (1 << 30) },
 -    REGINFO_SENTINEL
  };
  static const ARMCPRegInfo strongarm_cp_reginfo[] = {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo strongarm_cp_reginfo[] = {
        .crm = CP_ANY, .opc1 = CP_ANY, .opc2 = CP_ANY,
        .access = PL1_RW, .resetvalue = 0,
        .type = ARM_CP_CONST | ARM_CP_OVERRIDE | ARM_CP_NO_RAW },
 -    REGINFO_SENTINEL
  };
  static uint64_t midr_read(CPUARMState *env, const ARMCPRegInfo *ri)
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo lpae_cp_reginfo[] = {
        .bank_fieldoffsets = { offsetof(CPUARMState, cp15.ttbr1_s),
                               offsetof(CPUARMState, cp15.ttbr1_ns) },
        .writefn = vmsa_ttbr_write, },
 -    REGINFO_SENTINEL
  };
  static uint64_t aa64_fpcr_read(CPUARMState *env, const ARMCPRegInfo *ri)
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v8_cp_reginfo[] = {
        .access = PL1_RW, .accessfn = access_trap_aa32s_el1,
        .writefn = sdcr_write,
        .fieldoffset = offsetoflow32(CPUARMState, cp15.mdcr_el3) },
 -    REGINFO_SENTINEL
  };
  /* Used to describe the behaviour of EL2 regs when EL2 does not exist.  */
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el3_no_el2_cp_reginfo[] = {
        .type = ARM_CP_CONST,
        .cp = 15, .opc1 = 4, .crn = 6, .crm = 0, .opc2 = 2,
        .access = PL2_RW, .resetvalue = 0 },
 -    REGINFO_SENTINEL
  };
  /* Ditto, but for registers which exist in ARMv8 but not v7 */
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el3_no_el2_v8_cp_reginfo[] = {
        .cp = 15, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 4,
        .access = PL2_RW,
        .type = ARM_CP_CONST, .resetvalue = 0 },
 -    REGINFO_SENTINEL
  };
  static void do_hcr_write(CPUARMState *env, uint64_t value, uint64_t valid_mask)
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el2_cp_reginfo[] = {
        .cp = 15, .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 3,
        .access = PL2_RW,
        .fieldoffset = offsetof(CPUARMState, cp15.hstr_el2) },
 -    REGINFO_SENTINEL
  };
  static const ARMCPRegInfo el2_v8_cp_reginfo[] = {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el2_v8_cp_reginfo[] = {
        .access = PL2_RW,
        .fieldoffset = offsetofhigh32(CPUARMState, cp15.hcr_el2),
        .writefn = hcr_writehigh },
 -    REGINFO_SENTINEL
  };
  static CPAccessResult sel2_access(CPUARMState *env, const ARMCPRegInfo *ri,
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el2_sec_cp_reginfo[] = {
        .opc0 = 3, .opc1 = 4, .crn = 2, .crm = 6, .opc2 = 2,
        .access = PL2_RW, .accessfn = sel2_access,
        .fieldoffset = offsetof(CPUARMState, cp15.vstcr_el2) },
 -    REGINFO_SENTINEL
  };
  static CPAccessResult nsacr_access(CPUARMState *env, const ARMCPRegInfo *ri,
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el3_cp_reginfo[] = {
        .opc0 = 1, .opc1 = 6, .crn = 8, .crm = 7, .opc2 = 5,
        .access = PL3_W, .type = ARM_CP_NO_RAW,
        .writefn = tlbi_aa64_vae3_write },
 -    REGINFO_SENTINEL
  };
  #ifndef CONFIG_USER_ONLY
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo debug_cp_reginfo[] = {
        .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 0,
        .access = PL1_RW, .accessfn = access_tda,
        .type = ARM_CP_NOP },
 -    REGINFO_SENTINEL
  };
  static const ARMCPRegInfo debug_lpae_cp_reginfo[] = {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo debug_lpae_cp_reginfo[] = {
        .access = PL0_R, .type = ARM_CP_CONST|ARM_CP_64BIT, .resetvalue = 0 },
      { .name = "DBGDSAR", .cp = 14, .crm = 2, .opc1 = 0,
        .access = PL0_R, .type = ARM_CP_CONST|ARM_CP_64BIT, .resetvalue = 0 },
 -    REGINFO_SENTINEL
  };
  /* Return the exception level to which exceptions should be taken
@@ -XXX,XX +XXX,XX @@ static void define_debug_regs(ARMCPU *cpu)
                .fieldoffset = offsetof(CPUARMState, cp15.dbgbcr[i]),
                .writefn = dbgbcr_write, .raw_writefn = raw_write
              },
 -            REGINFO_SENTINEL
          };
          define_arm_cp_regs(cpu, dbgregs);
      }
-     s->mmc = pxa2xx_mmci_init(address_space, 0x41100000,
+@@ -XXX,XX +XXX,XX @@ static void define_debug_regs(ARMCPU *cpu)
--                    blk_by_legacy_dinfo(dinfo),
+               .fieldoffset = offsetof(CPUARMState, cp15.dbgwcr[i]),
-+                    dinfo ? blk_by_legacy_dinfo(dinfo) : NULL,
+               .writefn = dbgwcr_write, .raw_writefn = raw_write
-                     qdev_get_gpio_in(s->pic, PXA2XX_PIC_MMC),
+             },
-                     qdev_get_gpio_in(s->dma, PXA2XX_RX_RQ_MMCI),
+-            REGINFO_SENTINEL
-                     qdev_get_gpio_in(s->dma, PXA2XX_TX_RQ_MMCI));
+         };
-@@ -XXX,XX +XXX,XX @@ PXA2xxState *pxa255_init(MemoryRegion *address_space, unsigned int sdram_size)
+         define_arm_cp_regs(cpu, dbgregs);
      s->gpio = pxa2xx_gpio_init(0x40e00000, s->cpu, s->pic, 85);
      dinfo = drive_get(IF_SD, 0, 0);
 -    if (!dinfo) {
 -        error_report("missing SecureDigital device");
 -        exit(1);
 +    if (!dinfo && !qtest_enabled()) {
 +        warn_report("missing SecureDigital device");
      }
-     s->mmc = pxa2xx_mmci_init(address_space, 0x41100000,
+@@ -XXX,XX +XXX,XX @@ static void define_pmu_regs(ARMCPU *cpu)
--                    blk_by_legacy_dinfo(dinfo),
+               .type = ARM_CP_IO,
-+                    dinfo ? blk_by_legacy_dinfo(dinfo) : NULL,
+               .readfn = pmevtyper_readfn, .writefn = pmevtyper_writefn,
-                     qdev_get_gpio_in(s->pic, PXA2XX_PIC_MMC),
+               .raw_writefn = pmevtyper_rawwrite },
-                     qdev_get_gpio_in(s->dma, PXA2XX_RX_RQ_MMCI),
+-            REGINFO_SENTINEL
-                     qdev_get_gpio_in(s->dma, PXA2XX_TX_RQ_MMCI));
+         };
          define_arm_cp_regs(cpu, pmev_regs);
          g_free(pmevcntr_name);
@@ -XXX,XX +XXX,XX @@ static void define_pmu_regs(ARMCPU *cpu)
                .cp = 15, .opc1 = 0, .crn = 9, .crm = 14, .opc2 = 5,
                .access = PL0_R, .accessfn = pmreg_access, .type = ARM_CP_CONST,
                .resetvalue = extract64(cpu->pmceid1, 32, 32) },
 -            REGINFO_SENTINEL
          };
          define_arm_cp_regs(cpu, v81_pmu_regs);
      }
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo lor_reginfo[] = {
        .opc0 = 3, .opc1 = 0, .crn = 10, .crm = 4, .opc2 = 7,
        .access = PL1_R, .accessfn = access_lor_ns,
        .type = ARM_CP_CONST, .resetvalue = 0 },
 -    REGINFO_SENTINEL
  };
  #ifdef TARGET_AARCH64
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo pauth_reginfo[] = {
        .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 1, .opc2 = 3,
        .access = PL1_RW, .accessfn = access_pauth,
        .fieldoffset = offsetof(CPUARMState, keys.apib.hi) },
 -    REGINFO_SENTINEL
  };
  static const ARMCPRegInfo tlbirange_reginfo[] = {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo tlbirange_reginfo[] = {
        .opc0 = 1, .opc1 = 6, .crn = 8, .crm = 6, .opc2 = 5,
        .access = PL3_W, .type = ARM_CP_NO_RAW,
        .writefn = tlbi_aa64_rvae3_write },
 -    REGINFO_SENTINEL
  };
  static const ARMCPRegInfo tlbios_reginfo[] = {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo tlbios_reginfo[] = {
        .opc0 = 1, .opc1 = 6, .crn = 8, .crm = 1, .opc2 = 5,
        .access = PL3_W, .type = ARM_CP_NO_RAW,
        .writefn = tlbi_aa64_vae3is_write },
 -    REGINFO_SENTINEL
  };
  static uint64_t rndr_readfn(CPUARMState *env, const ARMCPRegInfo *ri)
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo rndr_reginfo[] = {
        .type = ARM_CP_NO_RAW | ARM_CP_SUPPRESS_TB_END | ARM_CP_IO,
        .opc0 = 3, .opc1 = 3, .crn = 2, .crm = 4, .opc2 = 1,
        .access = PL0_R, .readfn = rndr_readfn },
 -    REGINFO_SENTINEL
  };
  #ifndef CONFIG_USER_ONLY
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo dcpop_reg[] = {
        .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 12, .opc2 = 1,
        .access = PL0_W, .type = ARM_CP_NO_RAW | ARM_CP_SUPPRESS_TB_END,
        .accessfn = aa64_cacheop_poc_access, .writefn = dccvap_writefn },
 -    REGINFO_SENTINEL
  };
  static const ARMCPRegInfo dcpodp_reg[] = {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo dcpodp_reg[] = {
        .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 13, .opc2 = 1,
        .access = PL0_W, .type = ARM_CP_NO_RAW | ARM_CP_SUPPRESS_TB_END,
        .accessfn = aa64_cacheop_poc_access, .writefn = dccvap_writefn },
 -    REGINFO_SENTINEL
  };
  #endif /*CONFIG_USER_ONLY*/
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo mte_reginfo[] = {
      { .name = "DC_CIGDSW", .state = ARM_CP_STATE_AA64,
        .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 14, .opc2 = 6,
        .type = ARM_CP_NOP, .access = PL1_W, .accessfn = access_tsw },
 -    REGINFO_SENTINEL
  };
  static const ARMCPRegInfo mte_tco_ro_reginfo[] = {
      { .name = "TCO", .state = ARM_CP_STATE_AA64,
        .opc0 = 3, .opc1 = 3, .crn = 4, .crm = 2, .opc2 = 7,
        .type = ARM_CP_CONST, .access = PL0_RW, },
 -    REGINFO_SENTINEL
  };
  static const ARMCPRegInfo mte_el0_cacheop_reginfo[] = {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo mte_el0_cacheop_reginfo[] = {
        .accessfn = aa64_zva_access,
  #endif
      },
 -    REGINFO_SENTINEL
  };
  #endif
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo predinv_reginfo[] = {
      { .name = "CPPRCTX", .state = ARM_CP_STATE_AA32,
        .cp = 15, .opc1 = 0, .crn = 7, .crm = 3, .opc2 = 7,
        .type = ARM_CP_NOP, .access = PL0_W, .accessfn = access_predinv },
 -    REGINFO_SENTINEL
  };
  static uint64_t ccsidr2_read(CPUARMState *env, const ARMCPRegInfo *ri)
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo ccsidr2_reginfo[] = {
        .access = PL1_R,
        .accessfn = access_aa64_tid2,
        .readfn = ccsidr2_read, .type = ARM_CP_NO_RAW },
 -    REGINFO_SENTINEL
  };
  static CPAccessResult access_aa64_tid3(CPUARMState *env, const ARMCPRegInfo *ri,
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo jazelle_regs[] = {
        .cp = 14, .crn = 2, .crm = 0, .opc1 = 7, .opc2 = 0,
        .accessfn = access_joscr_jmcr,
        .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
 -    REGINFO_SENTINEL
  };
  static const ARMCPRegInfo vhe_reginfo[] = {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo vhe_reginfo[] = {
        .access = PL2_RW, .accessfn = e2h_access,
        .writefn = gt_virt_cval_write, .raw_writefn = raw_write },
  #endif
 -    REGINFO_SENTINEL
  };
  #ifndef CONFIG_USER_ONLY
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo ats1e1_reginfo[] = {
        .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 9, .opc2 = 1,
        .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
        .writefn = ats_write64 },
 -    REGINFO_SENTINEL
  };
  static const ARMCPRegInfo ats1cp_reginfo[] = {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo ats1cp_reginfo[] = {
        .cp = 15, .opc1 = 0, .crn = 7, .crm = 9, .opc2 = 1,
        .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
        .writefn = ats_write },
 -    REGINFO_SENTINEL
  };
  #endif
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo actlr2_hactlr2_reginfo[] = {
        .cp = 15, .opc1 = 4, .crn = 1, .crm = 0, .opc2 = 3,
        .access = PL2_RW, .type = ARM_CP_CONST,
        .resetvalue = 0 },
 -    REGINFO_SENTINEL
  };
  void register_cp_regs_for_features(ARMCPU *cpu)
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
                .access = PL1_R, .type = ARM_CP_CONST,
                .accessfn = access_aa32_tid3,
                .resetvalue = cpu->isar.id_isar6 },
 -            REGINFO_SENTINEL
          };
          define_arm_cp_regs(cpu, v6_idregs);
          define_arm_cp_regs(cpu, v6_cp_reginfo);
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
                .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 12, .opc2 = 7,
                .access = PL0_R, .accessfn = pmreg_access, .type = ARM_CP_CONST,
                .resetvalue = cpu->pmceid1 },
 -            REGINFO_SENTINEL
          };
  #ifdef CONFIG_USER_ONLY
          ARMCPRegUserSpaceInfo v8_user_idregs[] = {
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
                .exported_bits = 0x000000f0ffffffff },
              { .name = "ID_AA64ISAR*_EL1_RESERVED",
                .is_glob = true                     },
 -            REGUSERINFO_SENTINEL
          };
          modify_arm_cp_regs(v8_idregs, v8_user_idregs);
  #endif
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
                .access = PL2_RW,
                .resetvalue = vmpidr_def,
                .fieldoffset = offsetof(CPUARMState, cp15.vmpidr_el2) },
 -            REGINFO_SENTINEL
          };
          define_arm_cp_regs(cpu, vpidr_regs);
          define_arm_cp_regs(cpu, el2_cp_reginfo);
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
                    .access = PL2_RW, .accessfn = access_el3_aa32ns,
                    .type = ARM_CP_NO_RAW,
                    .writefn = arm_cp_write_ignore, .readfn = mpidr_read },
 -                REGINFO_SENTINEL
              };
              define_arm_cp_regs(cpu, vpidr_regs);
              define_arm_cp_regs(cpu, el3_no_el2_cp_reginfo);
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
                .raw_writefn = raw_write, .writefn = sctlr_write,
                .fieldoffset = offsetof(CPUARMState, cp15.sctlr_el[3]),
                .resetvalue = cpu->reset_sctlr },
 -            REGINFO_SENTINEL
          };
          define_arm_cp_regs(cpu, el3_regs);
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
              { .name = "DUMMY",
                .cp = 15, .crn = 0, .crm = 7, .opc1 = 0, .opc2 = CP_ANY,
                .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 0 },
 -            REGINFO_SENTINEL
          };
          ARMCPRegInfo id_v8_midr_cp_reginfo[] = {
              { .name = "MIDR_EL1", .state = ARM_CP_STATE_BOTH,
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
                .access = PL1_R,
                .accessfn = access_aa64_tid1,
                .type = ARM_CP_CONST, .resetvalue = cpu->revidr },
 -            REGINFO_SENTINEL
          };
          ARMCPRegInfo id_cp_reginfo[] = {
              /* These are common to v8 and pre-v8 */
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
                .access = PL1_R,
                .accessfn = access_aa32_tid1,
                .type = ARM_CP_CONST, .resetvalue = 0 },
 -            REGINFO_SENTINEL
          };
          /* TLBTR is specific to VMSA */
          ARMCPRegInfo id_tlbtr_reginfo = {
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
              { .name = "MIDR_EL1",
                .exported_bits = 0x00000000ffffffff },
              { .name = "REVIDR_EL1"                },
 -            REGUSERINFO_SENTINEL
          };
          modify_arm_cp_regs(id_v8_midr_cp_reginfo, id_v8_user_midr_cp_reginfo);
  #endif
          if (arm_feature(env, ARM_FEATURE_OMAPCP) ||
              arm_feature(env, ARM_FEATURE_STRONGARM)) {
 -            ARMCPRegInfo *r;
 +            size_t i;
              /* Register the blanket "writes ignored" value first to cover the
               * whole space. Then update the specific ID registers to allow write
               * access, so that they ignore writes rather than causing them to
               * UNDEF.
               */
              define_one_arm_cp_reg(cpu, &crn0_wi_reginfo);
 -            for (r = id_pre_v8_midr_cp_reginfo;
 -                 r->type != ARM_CP_SENTINEL; r++) {
 -                r->access = PL1_RW;
 +            for (i = 0; i < ARRAY_SIZE(id_pre_v8_midr_cp_reginfo); ++i) {
 +                id_pre_v8_midr_cp_reginfo[i].access = PL1_RW;
              }
 -            for (r = id_cp_reginfo; r->type != ARM_CP_SENTINEL; r++) {
 -                r->access = PL1_RW;
 +            for (i = 0; i < ARRAY_SIZE(id_cp_reginfo); ++i) {
 +                id_cp_reginfo[i].access = PL1_RW;
              }
              id_mpuir_reginfo.access = PL1_RW;
              id_tlbtr_reginfo.access = PL1_RW;
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
              { .name = "MPIDR_EL1", .state = ARM_CP_STATE_BOTH,
                .opc0 = 3, .crn = 0, .crm = 0, .opc1 = 0, .opc2 = 5,
                .access = PL1_R, .readfn = mpidr_read, .type = ARM_CP_NO_RAW },
 -            REGINFO_SENTINEL
          };
  #ifdef CONFIG_USER_ONLY
          ARMCPRegUserSpaceInfo mpidr_user_cp_reginfo[] = {
              { .name = "MPIDR_EL1",
                .fixed_bits = 0x0000000080000000 },
 -            REGUSERINFO_SENTINEL
          };
          modify_arm_cp_regs(mpidr_cp_reginfo, mpidr_user_cp_reginfo);
  #endif
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
                .opc0 = 3, .opc1 = 6, .crn = 1, .crm = 0, .opc2 = 1,
                .access = PL3_RW, .type = ARM_CP_CONST,
                .resetvalue = 0 },
 -            REGINFO_SENTINEL
          };
          define_arm_cp_regs(cpu, auxcr_reginfo);
          if (cpu_isar_feature(aa32_ac2, cpu)) {
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
                    .type = ARM_CP_CONST,
                    .opc0 = 3, .opc1 = 1, .crn = 15, .crm = 3, .opc2 = 0,
                    .access = PL1_R, .resetvalue = cpu->reset_cbar },
 -                REGINFO_SENTINEL
              };
              /* We don't implement a r/w 64 bit CBAR currently */
              assert(arm_feature(env, ARM_FEATURE_CBAR_RO));
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
                .bank_fieldoffsets = { offsetof(CPUARMState, cp15.vbar_s),
                                       offsetof(CPUARMState, cp15.vbar_ns) },
                .resetvalue = 0 },
 -            REGINFO_SENTINEL
          };
          define_arm_cp_regs(cpu, vbar_cp_reginfo);
      }
@@ -XXX,XX +XXX,XX @@ void define_one_arm_cp_reg_with_opaque(ARMCPU *cpu,
                     r->writefn);
          }
      }
 -    /* Bad type field probably means missing sentinel at end of reg list */
 -    assert(cptype_valid(r->type));
 +
      for (crm = crmmin; crm <= crmmax; crm++) {
          for (opc1 = opc1min; opc1 <= opc1max; opc1++) {
              for (opc2 = opc2min; opc2 <= opc2max; opc2++) {
@@ -XXX,XX +XXX,XX @@ void define_one_arm_cp_reg_with_opaque(ARMCPU *cpu,
      }
  }
 -void define_arm_cp_regs_with_opaque(ARMCPU *cpu,
 -                                    const ARMCPRegInfo *regs, void *opaque)
 +/* Define a whole list of registers */
 +void define_arm_cp_regs_with_opaque_len(ARMCPU *cpu, const ARMCPRegInfo *regs,
 +                                        void *opaque, size_t len)
  {
 -    /* Define a whole list of registers */
 -    const ARMCPRegInfo *r;
 -    for (r = regs; r->type != ARM_CP_SENTINEL; r++) {
 -        define_one_arm_cp_reg_with_opaque(cpu, r, opaque);
 +    size_t i;
 +    for (i = 0; i < len; ++i) {
 +        define_one_arm_cp_reg_with_opaque(cpu, regs + i, opaque);
      }
  }
@@ -XXX,XX +XXX,XX @@ void define_arm_cp_regs_with_opaque(ARMCPU *cpu,
   * user-space cannot alter any values and dynamic values pertaining to
   * execution state are hidden from user space view anyway.
   */
 -void modify_arm_cp_regs(ARMCPRegInfo *regs, const ARMCPRegUserSpaceInfo *mods)
 +void modify_arm_cp_regs_with_len(ARMCPRegInfo *regs, size_t regs_len,
 +                                 const ARMCPRegUserSpaceInfo *mods,
 +                                 size_t mods_len)
  {
 -    const ARMCPRegUserSpaceInfo *m;
 -    ARMCPRegInfo *r;
 -
 -    for (m = mods; m->name; m++) {
 +    for (size_t mi = 0; mi < mods_len; ++mi) {
 +        const ARMCPRegUserSpaceInfo *m = mods + mi;
          GPatternSpec *pat = NULL;
 +
          if (m->is_glob) {
              pat = g_pattern_spec_new(m->name);
          }
 -        for (r = regs; r->type != ARM_CP_SENTINEL; r++) {
 +        for (size_t ri = 0; ri < regs_len; ++ri) {
 +            ARMCPRegInfo *r = regs + ri;
 +
              if (pat && g_pattern_match_string(pat, r->name)) {
                  r->type = ARM_CP_CONST;
                  r->access = PL0U_R;
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 02/24] target/arm: Correct MPUIR privilege level in register_cp_regs_for_features() conditional case
+[PULL 05/23] target/arm: Make some more cpreg data static const
-From: Mathew Maidment <mathew1800@gmail.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-The duplication of id_tlbtr_reginfo was unintentionally added within
+These particular data structures are not modified at runtime.
 af8114c6b8ead02f08b58e3c36895c1ea047 which should have been
 id_mpuir_reginfo.
-The effect was that for OMAP and StrongARM CPUs we would
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 incorrectly UNDEF writes to MPUIR rather than NOPing them.
 Signed-off-by: Mathew Maidment <mathew1800@gmail.com>
 Message-id: 20180501184933.37609-2-mathew1800@gmail.com
 [PMM: tweak commit message]
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220501055028.646596-5-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/helper.c | 2 +-
+ target/arm/helper.c | 16 ++++++++--------
-file changed, 1 insertion(+), 1 deletion(-)
+file changed, 8 insertions(+), 8 deletions(-)
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
 @@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
-             for (r = id_cp_reginfo; r->type != ARM_CP_SENTINEL; r++) {
+               .resetvalue = cpu->pmceid1 },
-                 r->access = PL1_RW;
+         };
-             }
+ #ifdef CONFIG_USER_ONLY
--            id_tlbtr_reginfo.access = PL1_RW;
+-        ARMCPRegUserSpaceInfo v8_user_idregs[] = {
-+            id_mpuir_reginfo.access = PL1_RW;
++        static const ARMCPRegUserSpaceInfo v8_user_idregs[] = {
-             id_tlbtr_reginfo.access = PL1_RW;
+             { .name = "ID_AA64PFR0_EL1",
                .exported_bits = 0x000f000f00ff0000,
                .fixed_bits    = 0x0000000000000011 },
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
       */
      if (arm_feature(env, ARM_FEATURE_EL3)) {
          if (arm_feature(env, ARM_FEATURE_AARCH64)) {
 -            ARMCPRegInfo nsacr = {
 +            static const ARMCPRegInfo nsacr = {
                  .name = "NSACR", .type = ARM_CP_CONST,
                  .cp = 15, .opc1 = 0, .crn = 1, .crm = 1, .opc2 = 2,
                  .access = PL1_RW, .accessfn = nsacr_access,
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
              };
              define_one_arm_cp_reg(cpu, &nsacr);
          } else {
 -            ARMCPRegInfo nsacr = {
 +            static const ARMCPRegInfo nsacr = {
                  .name = "NSACR",
                  .cp = 15, .opc1 = 0, .crn = 1, .crm = 1, .opc2 = 2,
                  .access = PL3_RW | PL1_R,
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
          }
+     } else {
          if (arm_feature(env, ARM_FEATURE_V8)) {
+-            ARMCPRegInfo nsacr = {
++            static const ARMCPRegInfo nsacr = {
+                 .name = "NSACR", .type = ARM_CP_CONST,
+                 .cp = 15, .opc1 = 0, .crn = 1, .crm = 1, .opc2 = 2,
+                 .access = PL1_R,
+@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
+               .access = PL1_R, .type = ARM_CP_CONST,
+               .resetvalue = cpu->pmsav7_dregion << 8
+         };
+-        ARMCPRegInfo crn0_wi_reginfo = {
++        static const ARMCPRegInfo crn0_wi_reginfo = {
+             .name = "CRN0_WI", .cp = 15, .crn = 0, .crm = CP_ANY,
+             .opc1 = CP_ANY, .opc2 = CP_ANY, .access = PL1_W,
+             .type = ARM_CP_NOP | ARM_CP_OVERRIDE
+         };
+ #ifdef CONFIG_USER_ONLY
+-        ARMCPRegUserSpaceInfo id_v8_user_midr_cp_reginfo[] = {
++        static const ARMCPRegUserSpaceInfo id_v8_user_midr_cp_reginfo[] = {
+             { .name = "MIDR_EL1",
+               .exported_bits = 0x00000000ffffffff },
+             { .name = "REVIDR_EL1"                },
+@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
+               .access = PL1_R, .readfn = mpidr_read, .type = ARM_CP_NO_RAW },
+         };
+ #ifdef CONFIG_USER_ONLY
+-        ARMCPRegUserSpaceInfo mpidr_user_cp_reginfo[] = {
++        static const ARMCPRegUserSpaceInfo mpidr_user_cp_reginfo[] = {
+             { .name = "MPIDR_EL1",
+               .fixed_bits = 0x0000000080000000 },
+         };
+@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
+     }
+     if (arm_feature(env, ARM_FEATURE_VBAR)) {
+-        ARMCPRegInfo vbar_cp_reginfo[] = {
++        static const ARMCPRegInfo vbar_cp_reginfo[] = {
+             { .name = "VBAR", .state = ARM_CP_STATE_BOTH,
+               .opc0 = 3, .crn = 12, .crm = 0, .opc1 = 0, .opc2 = 0,
+               .access = PL1_RW, .writefn = vbar_write,
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 07/24] target/arm: Tidy conditions in handle_vec_simd_shri
+[PULL 06/23] target/arm: Reorg ARMCPRegInfo type field bits
 From: Richard Henderson <richard.henderson@linaro.org>
-The (size > 3 && !is_q) condition is identical to the preceeding test
+Instead of defining ARM_CP_FLAG_MASK to remove flags,
-of bit 3 in immh; eliminate it.  For the benefit of Coverity, assert
+define ARM_CP_SPECIAL_MASK to isolate special cases.
-that size is within the bounds we expect.
+Sort the specials to the low bits. Use an enum.
-Fixes: Coverity CID1385846
+Split the large comment block so as to document each
-Fixes: Coverity CID1385849
+value separately.
-Fixes: Coverity CID1385852
 Fixes: Coverity CID1385857
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20180501180455.11214-2-richard.henderson@linaro.org
+Message-id: 20220501055028.646596-6-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/translate-a64.c | 6 +-----
+ target/arm/cpregs.h        | 130 +++++++++++++++++++++++--------------
-file changed, 1 insertion(+), 5 deletions(-)
+ target/arm/cpu.c           |   4 +-
+ target/arm/helper.c        |   4 +-
  target/arm/translate-a64.c |   6 +-
  target/arm/translate.c     |   6 +-
 files changed, 92 insertions(+), 58 deletions(-)
 diff --git a/target/arm/cpregs.h b/target/arm/cpregs.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpregs.h
 +++ b/target/arm/cpregs.h
@@ -XXX,XX +XXX,XX @@
  #define TARGET_ARM_CPREGS_H
  /*
 - * ARMCPRegInfo type field bits. If the SPECIAL bit is set this is a
 - * special-behaviour cp reg and bits [11..8] indicate what behaviour
 - * it has. Otherwise it is a simple cp reg, where CONST indicates that
 - * TCG can assume the value to be constant (ie load at translate time)
 - * and 64BIT indicates a 64 bit wide coprocessor register. SUPPRESS_TB_END
 - * indicates that the TB should not be ended after a write to this register
 - * (the default is that the TB ends after cp writes). OVERRIDE permits
 - * a register definition to override a previous definition for the
 - * same (cp, is64, crn, crm, opc1, opc2) tuple: either the new or the
 - * old must have the OVERRIDE bit set.
 - * ALIAS indicates that this register is an alias view of some underlying
 - * state which is also visible via another register, and that the other
 - * register is handling migration and reset; registers marked ALIAS will not be
 - * migrated but may have their state set by syncing of register state from KVM.
 - * NO_RAW indicates that this register has no underlying state and does not
 - * support raw access for state saving/loading; it will not be used for either
 - * migration or KVM state synchronization. (Typically this is for "registers"
 - * which are actually used as instructions for cache maintenance and so on.)
 - * IO indicates that this register does I/O and therefore its accesses
 - * need to be marked with gen_io_start() and also end the TB. In particular,
 - * registers which implement clocks or timers require this.
 - * RAISES_EXC is for when the read or write hook might raise an exception;
 - * the generated code will synchronize the CPU state before calling the hook
 - * so that it is safe for the hook to call raise_exception().
 - * NEWEL is for writes to registers that might change the exception
 - * level - typically on older ARM chips. For those cases we need to
 - * re-read the new el when recomputing the translation flags.
 + * ARMCPRegInfo type field bits:
   */
 -#define ARM_CP_SPECIAL           0x0001
 -#define ARM_CP_CONST             0x0002
 -#define ARM_CP_64BIT             0x0004
 -#define ARM_CP_SUPPRESS_TB_END   0x0008
 -#define ARM_CP_OVERRIDE          0x0010
 -#define ARM_CP_ALIAS             0x0020
 -#define ARM_CP_IO                0x0040
 -#define ARM_CP_NO_RAW            0x0080
 -#define ARM_CP_NOP               (ARM_CP_SPECIAL | 0x0100)
 -#define ARM_CP_WFI               (ARM_CP_SPECIAL | 0x0200)
 -#define ARM_CP_NZCV              (ARM_CP_SPECIAL | 0x0300)
 -#define ARM_CP_CURRENTEL         (ARM_CP_SPECIAL | 0x0400)
 -#define ARM_CP_DC_ZVA            (ARM_CP_SPECIAL | 0x0500)
 -#define ARM_CP_DC_GVA            (ARM_CP_SPECIAL | 0x0600)
 -#define ARM_CP_DC_GZVA           (ARM_CP_SPECIAL | 0x0700)
 -#define ARM_LAST_SPECIAL         ARM_CP_DC_GZVA
 -#define ARM_CP_FPU               0x1000
 -#define ARM_CP_SVE               0x2000
 -#define ARM_CP_NO_GDB            0x4000
 -#define ARM_CP_RAISES_EXC        0x8000
 -#define ARM_CP_NEWEL             0x10000
 -/* Mask of only the flag bits in a type field */
 -#define ARM_CP_FLAG_MASK         0x1f0ff
 +enum {
 +    /*
 +     * Register must be handled specially during translation.
 +     * The method is one of the values below:
 +     */
 +    ARM_CP_SPECIAL_MASK          = 0x000f,
 +    /* Special: no change to PE state: writes ignored, reads ignored. */
 +    ARM_CP_NOP                   = 0x0001,
 +    /* Special: sysreg is WFI, for v5 and v6. */
 +    ARM_CP_WFI                   = 0x0002,
 +    /* Special: sysreg is NZCV. */
 +    ARM_CP_NZCV                  = 0x0003,
 +    /* Special: sysreg is CURRENTEL. */
 +    ARM_CP_CURRENTEL             = 0x0004,
 +    /* Special: sysreg is DC ZVA or similar. */
 +    ARM_CP_DC_ZVA                = 0x0005,
 +    ARM_CP_DC_GVA                = 0x0006,
 +    ARM_CP_DC_GZVA               = 0x0007,
 +
 +    /* Flag: reads produce resetvalue; writes ignored. */
 +    ARM_CP_CONST                 = 1 << 4,
 +    /* Flag: For ARM_CP_STATE_AA32, sysreg is 64-bit. */
 +    ARM_CP_64BIT                 = 1 << 5,
 +    /*
 +     * Flag: TB should not be ended after a write to this register
 +     * (the default is that the TB ends after cp writes).
 +     */
 +    ARM_CP_SUPPRESS_TB_END       = 1 << 6,
 +    /*
 +     * Flag: Permit a register definition to override a previous definition
 +     * for the same (cp, is64, crn, crm, opc1, opc2) tuple: either the new
 +     * or the old must have the ARM_CP_OVERRIDE bit set.
 +     */
 +    ARM_CP_OVERRIDE              = 1 << 7,
 +    /*
 +     * Flag: Register is an alias view of some underlying state which is also
 +     * visible via another register, and that the other register is handling
 +     * migration and reset; registers marked ARM_CP_ALIAS will not be migrated
 +     * but may have their state set by syncing of register state from KVM.
 +     */
 +    ARM_CP_ALIAS                 = 1 << 8,
 +    /*
 +     * Flag: Register does I/O and therefore its accesses need to be marked
 +     * with gen_io_start() and also end the TB. In particular, registers which
 +     * implement clocks or timers require this.
 +     */
 +    ARM_CP_IO                    = 1 << 9,
 +    /*
 +     * Flag: Register has no underlying state and does not support raw access
 +     * for state saving/loading; it will not be used for either migration or
 +     * KVM state synchronization. Typically this is for "registers" which are
 +     * actually used as instructions for cache maintenance and so on.
 +     */
 +    ARM_CP_NO_RAW                = 1 << 10,
 +    /*
 +     * Flag: The read or write hook might raise an exception; the generated
 +     * code will synchronize the CPU state before calling the hook so that it
 +     * is safe for the hook to call raise_exception().
 +     */
 +    ARM_CP_RAISES_EXC            = 1 << 11,
 +    /*
 +     * Flag: Writes to the sysreg might change the exception level - typically
 +     * on older ARM chips. For those cases we need to re-read the new el when
 +     * recomputing the translation flags.
 +     */
 +    ARM_CP_NEWEL                 = 1 << 12,
 +    /*
 +     * Flag: Access check for this sysreg is identical to accessing FPU state
 +     * from an instruction: use translation fp_access_check().
 +     */
 +    ARM_CP_FPU                   = 1 << 13,
 +    /*
 +     * Flag: Access check for this sysreg is identical to accessing SVE state
 +     * from an instruction: use translation sve_access_check().
 +     */
 +    ARM_CP_SVE                   = 1 << 14,
 +    /* Flag: Do not expose in gdb sysreg xml. */
 +    ARM_CP_NO_GDB                = 1 << 15,
 +};
  /*
   * Valid values for ARMCPRegInfo state field, indicating which of
 diff --git a/target/arm/cpu.c b/target/arm/cpu.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.c
 +++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void cp_reg_reset(gpointer key, gpointer value, gpointer opaque)
      ARMCPRegInfo *ri = value;
      ARMCPU *cpu = opaque;
 -    if (ri->type & (ARM_CP_SPECIAL | ARM_CP_ALIAS)) {
 +    if (ri->type & (ARM_CP_SPECIAL_MASK | ARM_CP_ALIAS)) {
          return;
      }
@@ -XXX,XX +XXX,XX @@ static void cp_reg_check_reset(gpointer key, gpointer value,  gpointer opaque)
      ARMCPU *cpu = opaque;
      uint64_t oldvalue, newvalue;
 -    if (ri->type & (ARM_CP_SPECIAL | ARM_CP_ALIAS | ARM_CP_NO_RAW)) {
 +    if (ri->type & (ARM_CP_SPECIAL_MASK | ARM_CP_ALIAS | ARM_CP_NO_RAW)) {
          return;
      }
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
       * multiple times. Special registers (ie NOP/WFI) are
       * never migratable and not even raw-accessible.
       */
 -    if ((r->type & ARM_CP_SPECIAL)) {
 +    if (r->type & ARM_CP_SPECIAL_MASK) {
          r2->type |= ARM_CP_NO_RAW;
      }
      if (((r->crm == CP_ANY) && crm != 0) ||
@@ -XXX,XX +XXX,XX @@ void define_one_arm_cp_reg_with_opaque(ARMCPU *cpu,
      /* Check that the register definition has enough info to handle
       * reads and writes if they are permitted.
       */
 -    if (!(r->type & (ARM_CP_SPECIAL|ARM_CP_CONST))) {
 +    if (!(r->type & (ARM_CP_SPECIAL_MASK | ARM_CP_CONST))) {
          if (r->access & PL3_R) {
              assert((r->fieldoffset ||
                     (r->bank_fieldoffsets[0] && r->bank_fieldoffsets[1])) ||
 diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-a64.c
 +++ b/target/arm/translate-a64.c
-@@ -XXX,XX +XXX,XX @@ static void handle_vec_simd_shri(DisasContext *s, bool is_q, bool is_u,
+@@ -XXX,XX +XXX,XX @@ static void handle_sys(DisasContext *s, uint32_t insn, bool isread,
-         unallocated_encoding(s);
+     }
-         return;
-     }
+     /* Handle special cases first */
--
+-    switch (ri->type & ~(ARM_CP_FLAG_MASK & ~ARM_CP_SPECIAL)) {
--    if (size > 3 && !is_q) {
++    switch (ri->type & ARM_CP_SPECIAL_MASK) {
--        unallocated_encoding(s);
++    case 0:
--        return;
++        break;
--    }
+     case ARM_CP_NOP:
-+    tcg_debug_assert(size <= 3);
+         return;
+     case ARM_CP_NZCV:
-     if (!fp_access_check(s)) {
+@@ -XXX,XX +XXX,XX @@ static void handle_sys(DisasContext *s, uint32_t insn, bool isread,
-         return;
+         }
          return;
      default:
 -        break;
 +        g_assert_not_reached();
      }
      if ((ri->type & ARM_CP_FPU) && !fp_access_check(s)) {
          return;
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.c
 +++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void do_coproc_insn(DisasContext *s, int cpnum, int is64,
          }
          /* Handle special cases first */
 -        switch (ri->type & ~(ARM_CP_FLAG_MASK & ~ARM_CP_SPECIAL)) {
 +        switch (ri->type & ARM_CP_SPECIAL_MASK) {
 +        case 0:
 +            break;
          case ARM_CP_NOP:
              return;
          case ARM_CP_WFI:
@@ -XXX,XX +XXX,XX @@ static void do_coproc_insn(DisasContext *s, int cpnum, int is64,
              s->base.is_jmp = DISAS_WFI;
              return;
          default:
 -            break;
 +            g_assert_not_reached();
          }
          if ((tb_cflags(s->base.tb) & CF_USE_ICOUNT) && (ri->type & ARM_CP_IO)) {
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 21/24] target/arm/kvm: Translate the MSI doorbell in kvm_arch_fixup_msi_route
+[PULL 07/23] target/arm: Avoid bare abort() or assert(0)
-From: Eric Auger <eric.auger@redhat.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-In case the MSI is translated by an IOMMU we need to fixup the
+Standardize on g_assert_not_reached() for "should not happen".
-MSI route with the translated address.
+Retain abort() when preceeded by fprintf or error_report.
-Signed-off-by: Eric Auger <eric.auger@redhat.com>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Signed-off-by: Bharat Bhushan <Bharat.Bhushan@nxp.com>
 Message-id: 1524665762-31355-12-git-send-email-eric.auger@redhat.com
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20220501055028.646596-7-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/kvm.c        | 38 +++++++++++++++++++++++++++++++++++++-
+ target/arm/helper.c         | 7 +++----
- target/arm/trace-events |  3 +++
+ target/arm/hvf/hvf.c        | 2 +-
-files changed, 40 insertions(+), 1 deletion(-)
+ target/arm/kvm-stub.c       | 4 ++--
  target/arm/kvm.c            | 4 ++--
  target/arm/machine.c        | 4 ++--
  target/arm/translate-a64.c  | 4 ++--
  target/arm/translate-neon.c | 2 +-
  target/arm/translate.c      | 4 ++--
 files changed, 15 insertions(+), 16 deletions(-)
+diff --git a/target/arm/helper.c b/target/arm/helper.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/helper.c
++++ b/target/arm/helper.c
+@@ -XXX,XX +XXX,XX @@ void define_one_arm_cp_reg_with_opaque(ARMCPU *cpu,
+             break;
+         default:
+             /* broken reginfo with out-of-range opc1 */
+-            assert(false);
+-            break;
++            g_assert_not_reached();
+         }
+         /* assert our permissions are not too lax (stricter is fine) */
+         assert((r->access & ~mask) == 0);
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v5(CPUARMState *env, uint32_t address,
+             break;
+         default:
+             /* Never happens, but compiler isn't smart enough to tell.  */
+-            abort();
++            g_assert_not_reached();
+         }
+     }
+     *prot = ap_to_rw_prot(env, mmu_idx, ap, domain_prot);
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v6(CPUARMState *env, uint32_t address,
+             break;
+         default:
+             /* Never happens, but compiler isn't smart enough to tell.  */
+-            abort();
++            g_assert_not_reached();
+         }
+     }
+     if (domain_prot == 3) {
+diff --git a/target/arm/hvf/hvf.c b/target/arm/hvf/hvf.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/hvf/hvf.c
++++ b/target/arm/hvf/hvf.c
+@@ -XXX,XX +XXX,XX @@ int hvf_vcpu_exec(CPUState *cpu)
+         /* we got kicked, no exit to process */
+         return 0;
+     default:
+-        assert(0);
++        g_assert_not_reached();
+     }
+     hvf_sync_vtimer(cpu);
+diff --git a/target/arm/kvm-stub.c b/target/arm/kvm-stub.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/kvm-stub.c
++++ b/target/arm/kvm-stub.c
+@@ -XXX,XX +XXX,XX @@
+ bool write_kvmstate_to_list(ARMCPU *cpu)
+ {
+-    abort();
++    g_assert_not_reached();
+ }
+ bool write_list_to_kvmstate(ARMCPU *cpu, int level)
+ {
+-    abort();
++    g_assert_not_reached();
+ }
 diff --git a/target/arm/kvm.c b/target/arm/kvm.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/kvm.c
 +++ b/target/arm/kvm.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ bool write_kvmstate_to_list(ARMCPU *cpu)
- #include "sysemu/kvm.h"
+             ret = kvm_vcpu_ioctl(cs, KVM_GET_ONE_REG, &r);
- #include "kvm_arm.h"
+             break;
- #include "cpu.h"
+         default:
-+#include "trace.h"
+-            abort();
- #include "internals.h"
++            g_assert_not_reached();
- #include "hw/arm/arm.h"
+         }
-+#include "hw/pci/pci.h"
+         if (ret) {
- #include "exec/memattrs.h"
+             ok = false;
- #include "exec/address-spaces.h"
+@@ -XXX,XX +XXX,XX @@ bool write_list_to_kvmstate(ARMCPU *cpu, int level)
- #include "hw/boards.h"
+             r.addr = (uintptr_t)(cpu->cpreg_values + i);
-@@ -XXX,XX +XXX,XX @@ int kvm_arm_vgic_probe(void)
+             break;
- int kvm_arch_fixup_msi_route(struct kvm_irq_routing_entry *route,
+         default:
-                              uint64_t address, uint32_t data, PCIDevice *dev)
+-            abort();
- {
++            g_assert_not_reached();
--    return 0;
+         }
-+    AddressSpace *as = pci_device_iommu_address_space(dev);
+         ret = kvm_vcpu_ioctl(cs, KVM_SET_ONE_REG, &r);
-+    hwaddr xlat, len, doorbell_gpa;
+         if (ret) {
-+    MemoryRegionSection mrs;
+diff --git a/target/arm/machine.c b/target/arm/machine.c
-+    MemoryRegion *mr;
+index XXXXXXX..XXXXXXX 100644
-+    int ret = 1;
+--- a/target/arm/machine.c
-+
++++ b/target/arm/machine.c
-+    if (as == &address_space_memory) {
+@@ -XXX,XX +XXX,XX @@ static int cpu_pre_save(void *opaque)
-+        return 0;
+     if (kvm_enabled()) {
-+    }
+         if (!write_kvmstate_to_list(cpu)) {
-+
+             /* This should never fail */
-+    /* MSI doorbell address is translated by an IOMMU */
+-            abort();
-+
++            g_assert_not_reached();
-+    rcu_read_lock();
+         }
-+    mr = address_space_translate(as, address, &xlat, &len, true);
-+    if (!mr) {
+         /*
-+        goto unlock;
+@@ -XXX,XX +XXX,XX @@ static int cpu_pre_save(void *opaque)
-+    }
+     } else {
-+    mrs = memory_region_find(mr, xlat, 1);
+         if (!write_cpustate_to_list(cpu, false)) {
-+    if (!mrs.mr) {
+             /* This should never fail. */
-+        goto unlock;
+-            abort();
-+    }
++            g_assert_not_reached();
-+
+         }
-+    doorbell_gpa = mrs.offset_within_address_space;
+     }
-+    memory_region_unref(mrs.mr);
-+
+diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
-+    route->u.msi.address_lo = doorbell_gpa;
+index XXXXXXX..XXXXXXX 100644
-+    route->u.msi.address_hi = doorbell_gpa >> 32;
+--- a/target/arm/translate-a64.c
-+
++++ b/target/arm/translate-a64.c
-+    trace_kvm_arm_fixup_msi_route(address, doorbell_gpa);
+@@ -XXX,XX +XXX,XX @@ static void handle_fp_1src_half(DisasContext *s, int opcode, int rd, int rn)
-+
+         gen_helper_advsimd_rinth(tcg_res, tcg_op, fpst);
-+    ret = 0;
+         break;
-+
+     default:
-+unlock:
+-        abort();
-+    rcu_read_unlock();
++        g_assert_not_reached();
-+    return ret;
+     }
      write_fp_sreg(s, rd, tcg_res);
@@ -XXX,XX +XXX,XX @@ static void handle_fp_fcvt(DisasContext *s, int opcode,
          break;
      }
      default:
 -        abort();
 +        g_assert_not_reached();
      }
  }
- int kvm_arch_add_msi_route_post(struct kvm_irq_routing_entry *route,
+diff --git a/target/arm/translate-neon.c b/target/arm/translate-neon.c
 diff --git a/target/arm/trace-events b/target/arm/trace-events
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/trace-events
+--- a/target/arm/translate-neon.c
-+++ b/target/arm/trace-events
++++ b/target/arm/translate-neon.c
-@@ -XXX,XX +XXX,XX @@ arm_gt_tval_write(int timer, uint64_t value) "gt_tval_write: timer %d value 0x%"
+@@ -XXX,XX +XXX,XX @@ static bool trans_VLDST_single(DisasContext *s, arg_VLDST_single *a)
- arm_gt_ctl_write(int timer, uint64_t value) "gt_ctl_write: timer %d value 0x%" PRIx64
+         }
- arm_gt_imask_toggle(int timer, int irqstate) "gt_ctl_write: timer %d IMASK toggle, new irqstate %d"
+         break;
- arm_gt_cntvoff_write(uint64_t value) "gt_cntvoff_write: value 0x%" PRIx64
+     default:
-+
+-        abort();
-+# target/arm/kvm.c
++        g_assert_not_reached();
-+kvm_arm_fixup_msi_route(uint64_t iova, uint64_t gpa) "MSI iova = 0x%"PRIx64" is translated into 0x%"PRIx64
+     }
      if ((vd + a->stride * (nregs - 1)) > 31) {
          /*
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.c
 +++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_srs(DisasContext *s,
          offset = 4;
          break;
      default:
 -        abort();
 +        g_assert_not_reached();
      }
      tcg_gen_addi_i32(addr, addr, offset);
      tmp = load_reg(s, 14);
@@ -XXX,XX +XXX,XX @@ static void gen_srs(DisasContext *s,
              offset = 0;
              break;
          default:
 -            abort();
 +            g_assert_not_reached();
          }
          tcg_gen_addi_i32(addr, addr, offset);
          gen_helper_set_r13_banked(cpu_env, tcg_constant_i32(mode), addr);
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 12/24] hw/arm/smmu-common: IOMMU memory region and address space setup
+[PULL 08/23] target/arm: Change cpreg access permissions to enum
-From: Eric Auger <eric.auger@redhat.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-We set up the infrastructure to enumerate all the PCI devices
+Create a typedef as well, and use it in ARMCPRegInfo.
-attached to the SMMU and create an associated IOMMU memory
+This won't be perfect for debugging, but it'll nicely
-region and address space.
+display the most common cases.
-Those info are stored in SMMUDevice objects. The devices are
-grouped according to the PCIBus they belong to. A hash table
-indexed by the PCIBus pointer is used. Also an array indexed by
-the bus number allows to find the list of SMMUDevices.
-Signed-off-by: Eric Auger <eric.auger@redhat.com>
-Signed-off-by: Prem Mallappa <prem.mallappa@broadcom.com>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 1524665762-31355-3-git-send-email-eric.auger@redhat.com
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20220501055028.646596-8-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- include/hw/arm/smmu-common.h |  8 +++++
+ target/arm/cpregs.h | 44 +++++++++++++++++++++++---------------------
- hw/arm/smmu-common.c         | 69 ++++++++++++++++++++++++++++++++++++
+ target/arm/helper.c |  2 +-
- hw/arm/trace-events          |  3 ++
+files changed, 24 insertions(+), 22 deletions(-)
 files changed, 80 insertions(+)
-diff --git a/include/hw/arm/smmu-common.h b/include/hw/arm/smmu-common.h
+diff --git a/target/arm/cpregs.h b/target/arm/cpregs.h
 index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/smmu-common.h
+--- a/target/arm/cpregs.h
-+++ b/include/hw/arm/smmu-common.h
++++ b/target/arm/cpregs.h
-@@ -XXX,XX +XXX,XX @@ typedef struct {
+@@ -XXX,XX +XXX,XX @@ enum {
- #define ARM_SMMU_GET_CLASS(obj)                              \
+  * described with these bits, then use a laxer set of restrictions, and
-     OBJECT_GET_CLASS(SMMUBaseClass, (obj), TYPE_ARM_SMMU)
+  * do the more restrictive/complex check inside a helper function.
+  */
-+/* Return the SMMUPciBus handle associated to a PCI bus number */
+-#define PL3_R 0x80
-+SMMUPciBus *smmu_find_smmu_pcibus(SMMUState *s, uint8_t bus_num);
+-#define PL3_W 0x40
-+
+-#define PL2_R (0x20 | PL3_R)
-+/* Return the stream ID of an SMMU device */
+-#define PL2_W (0x10 | PL3_W)
-+static inline uint16_t smmu_get_sid(SMMUDevice *sdev)
+-#define PL1_R (0x08 | PL2_R)
-+{
+-#define PL1_W (0x04 | PL2_W)
-+    return PCI_BUILD_BDF(pci_bus_num(sdev->bus), sdev->devfn);
+-#define PL0_R (0x02 | PL1_R)
-+}
+-#define PL0_W (0x01 | PL1_W)
- #endif  /* HW_ARM_SMMU_COMMON */
++typedef enum {
-diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
++    PL3_R = 0x80,
 +    PL3_W = 0x40,
 +    PL2_R = 0x20 | PL3_R,
 +    PL2_W = 0x10 | PL3_W,
 +    PL1_R = 0x08 | PL2_R,
 +    PL1_W = 0x04 | PL2_W,
 +    PL0_R = 0x02 | PL1_R,
 +    PL0_W = 0x01 | PL1_W,
 -/*
 - * For user-mode some registers are accessible to EL0 via a kernel
 - * trap-and-emulate ABI. In this case we define the read permissions
 - * as actually being PL0_R. However some bits of any given register
 - * may still be masked.
 - */
 +    /*
 +     * For user-mode some registers are accessible to EL0 via a kernel
 +     * trap-and-emulate ABI. In this case we define the read permissions
 +     * as actually being PL0_R. However some bits of any given register
 +     * may still be masked.
 +     */
  #ifdef CONFIG_USER_ONLY
 -#define PL0U_R PL0_R
 +    PL0U_R = PL0_R,
  #else
 -#define PL0U_R PL1_R
 +    PL0U_R = PL1_R,
  #endif
 -#define PL3_RW (PL3_R | PL3_W)
 -#define PL2_RW (PL2_R | PL2_W)
 -#define PL1_RW (PL1_R | PL1_W)
 -#define PL0_RW (PL0_R | PL0_W)
 +    PL3_RW = PL3_R | PL3_W,
 +    PL2_RW = PL2_R | PL2_W,
 +    PL1_RW = PL1_R | PL1_W,
 +    PL0_RW = PL0_R | PL0_W,
 +} CPAccessRights;
  typedef enum CPAccessResult {
      /* Access is permitted */
@@ -XXX,XX +XXX,XX @@ struct ARMCPRegInfo {
      /* Register type: ARM_CP_* bits/values */
      int type;
      /* Access rights: PL*_[RW] */
 -    int access;
 +    CPAccessRights access;
      /* Security state: ARM_CP_SECSTATE_* bits/values */
      int secure;
      /*
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmu-common.c
+--- a/target/arm/helper.c
-+++ b/hw/arm/smmu-common.c
++++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ void define_one_arm_cp_reg_with_opaque(ARMCPU *cpu,
- #include "qemu/error-report.h"
+      * to encompass the generic architectural permission check.
- #include "hw/arm/smmu-common.h"
+      */
+     if (r->state != ARM_CP_STATE_AA32) {
-+/**
+-        int mask = 0;
-+ * The bus number is used for lookup when SID based invalidation occurs.
++        CPAccessRights mask;
-+ * In that case we lazily populate the SMMUPciBus array from the bus hash
+         switch (r->opc1) {
-+ * table. At the time the SMMUPciBus is created (smmu_find_add_as), the bus
+         case 0:
-+ * numbers may not be always initialized yet.
+             /* min_EL EL1, but some accessible to EL0 via kernel ABI */
 + */
 +SMMUPciBus *smmu_find_smmu_pcibus(SMMUState *s, uint8_t bus_num)
 +{
 +    SMMUPciBus *smmu_pci_bus = s->smmu_pcibus_by_bus_num[bus_num];
 +
 +    if (!smmu_pci_bus) {
 +        GHashTableIter iter;
 +
 +        g_hash_table_iter_init(&iter, s->smmu_pcibus_by_busptr);
 +        while (g_hash_table_iter_next(&iter, NULL, (void **)&smmu_pci_bus)) {
 +            if (pci_bus_num(smmu_pci_bus->bus) == bus_num) {
 +                s->smmu_pcibus_by_bus_num[bus_num] = smmu_pci_bus;
 +                return smmu_pci_bus;
 +            }
 +        }
 +    }
 +    return smmu_pci_bus;
 +}
 +
 +static AddressSpace *smmu_find_add_as(PCIBus *bus, void *opaque, int devfn)
 +{
 +    SMMUState *s = opaque;
 +    SMMUPciBus *sbus = g_hash_table_lookup(s->smmu_pcibus_by_busptr, bus);
 +    SMMUDevice *sdev;
 +
 +    if (!sbus) {
 +        sbus = g_malloc0(sizeof(SMMUPciBus) +
 +                         sizeof(SMMUDevice *) * SMMU_PCI_DEVFN_MAX);
 +        sbus->bus = bus;
 +        g_hash_table_insert(s->smmu_pcibus_by_busptr, bus, sbus);
 +    }
 +
 +    sdev = sbus->pbdev[devfn];
 +    if (!sdev) {
 +        char *name = g_strdup_printf("%s-%d-%d",
 +                                     s->mrtypename,
 +                                     pci_bus_num(bus), devfn);
 +        sdev = sbus->pbdev[devfn] = g_new0(SMMUDevice, 1);
 +
 +        sdev->smmu = s;
 +        sdev->bus = bus;
 +        sdev->devfn = devfn;
 +
 +        memory_region_init_iommu(&sdev->iommu, sizeof(sdev->iommu),
 +                                 s->mrtypename,
 +                                 OBJECT(s), name, 1ULL << SMMU_MAX_VA_BITS);
 +        address_space_init(&sdev->as,
 +                           MEMORY_REGION(&sdev->iommu), name);
 +        trace_smmu_add_mr(name);
 +        g_free(name);
 +    }
 +
 +    return &sdev->as;
 +}
 +
  static void smmu_base_realize(DeviceState *dev, Error **errp)
  {
 +    SMMUState *s = ARM_SMMU(dev);
      SMMUBaseClass *sbc = ARM_SMMU_GET_CLASS(dev);
      Error *local_err = NULL;
@@ -XXX,XX +XXX,XX @@ static void smmu_base_realize(DeviceState *dev, Error **errp)
          error_propagate(errp, local_err);
          return;
      }
 +
 +    s->smmu_pcibus_by_busptr = g_hash_table_new(NULL, NULL);
 +
 +    if (s->primary_bus) {
 +        pci_setup_iommu(s->primary_bus, smmu_find_add_as, s);
 +    } else {
 +        error_setg(errp, "SMMU is not attached to any PCI bus!");
 +    }
  }
  static void smmu_base_reset(DeviceState *dev)
 diff --git a/hw/arm/trace-events b/hw/arm/trace-events
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/trace-events
 +++ b/hw/arm/trace-events
@@ -XXX,XX +XXX,XX @@
  # hw/arm/virt-acpi-build.c
  virt_acpi_setup(void) "No fw cfg or ACPI disabled. Bailing out."
 +
 +# hw/arm/smmu-common.c
 +smmu_add_mr(const char *name) "%s"
 \ No newline at end of file
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 11/24] hw/arm/smmu-common: smmu base device and datatypes
+[PULL 09/23] target/arm: Name CPState type
-From: Eric Auger <eric.auger@redhat.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-The patch introduces the smmu base device and class for the ARM
+Give this enum a name and use in ARMCPRegInfo,
-smmu. Devices for specific versions will be derived from this
+add_cpreg_to_hashtable and define_one_arm_cp_reg_with_opaque.
 base device.
-We also introduce some important datatypes.
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Signed-off-by: Eric Auger <eric.auger@redhat.com>
 Signed-off-by: Prem Mallappa <prem.mallappa@broadcom.com>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 1524665762-31355-2-git-send-email-eric.auger@redhat.com
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20220501055028.646596-9-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/Makefile.objs                |   1 +
+ target/arm/cpregs.h | 6 +++---
- include/hw/arm/smmu-common.h        | 123 ++++++++++++++++++++++++++++
+ target/arm/helper.c | 6 ++++--
- hw/arm/smmu-common.c                |  81 ++++++++++++++++++
+files changed, 7 insertions(+), 5 deletions(-)
  default-configs/aarch64-softmmu.mak |   1 +
 files changed, 206 insertions(+)
  create mode 100644 include/hw/arm/smmu-common.h
  create mode 100644 hw/arm/smmu-common.c
-diff --git a/hw/arm/Makefile.objs b/hw/arm/Makefile.objs
+diff --git a/target/arm/cpregs.h b/target/arm/cpregs.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/Makefile.objs
+--- a/target/arm/cpregs.h
-+++ b/hw/arm/Makefile.objs
++++ b/target/arm/cpregs.h
-@@ -XXX,XX +XXX,XX @@ obj-$(CONFIG_MPS2) += mps2-tz.o
+@@ -XXX,XX +XXX,XX @@ enum {
- obj-$(CONFIG_MSF2) += msf2-soc.o msf2-som.o
+  * Note that we rely on the values of these enums as we iterate through
- obj-$(CONFIG_IOTKIT) += iotkit.o
+  * the various states in some places.
- obj-$(CONFIG_FSL_IMX7) += fsl-imx7.o mcimx7d-sabre.o
+  */
-+obj-$(CONFIG_ARM_SMMUV3) += smmu-common.o
+-enum {
-diff --git a/include/hw/arm/smmu-common.h b/include/hw/arm/smmu-common.h
++typedef enum {
-new file mode 100644
+     ARM_CP_STATE_AA32 = 0,
-index XXXXXXX..XXXXXXX
+     ARM_CP_STATE_AA64 = 1,
---- /dev/null
+     ARM_CP_STATE_BOTH = 2,
-+++ b/include/hw/arm/smmu-common.h
+-};
-@@ -XXX,XX +XXX,XX @@
++} CPState;
-+/*
-+ * ARM SMMU Support
+ /*
-+ *
+  * ARM CP register secure state flags.  These flags identify security state
-+ * Copyright (C) 2015-2016 Broadcom Corporation
+@@ -XXX,XX +XXX,XX @@ struct ARMCPRegInfo {
-+ * Copyright (c) 2017 Red Hat, Inc.
+     uint8_t opc1;
-+ * Written by Prem Mallappa, Eric Auger
+     uint8_t opc2;
-+ *
+     /* Execution state in which this register is visible: ARM_CP_STATE_* */
-+ * This program is free software; you can redistribute it and/or modify
+-    int state;
-+ * it under the terms of the GNU General Public License version 2 as
++    CPState state;
-+ * published by the Free Software Foundation.
+     /* Register type: ARM_CP_* bits/values */
-+ *
+     int type;
-+ * This program is distributed in the hope that it will be useful,
+     /* Access rights: PL*_[RW] */
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+diff --git a/target/arm/helper.c b/target/arm/helper.c
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+index XXXXXXX..XXXXXXX 100644
-+ * GNU General Public License for more details.
+--- a/target/arm/helper.c
-+ *
++++ b/target/arm/helper.c
-+ */
+@@ -XXX,XX +XXX,XX @@ CpuDefinitionInfoList *qmp_query_cpu_definitions(Error **errp)
  }
  static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
 -                                   void *opaque, int state, int secstate,
 +                                   void *opaque, CPState state, int secstate,
                                     int crm, int opc1, int opc2,
                                     const char *name)
  {
@@ -XXX,XX +XXX,XX @@ void define_one_arm_cp_reg_with_opaque(ARMCPU *cpu,
       * bits; the ARM_CP_64BIT* flag applies only to the AArch32 view of
       * the register, if any.
       */
 -    int crm, opc1, opc2, state;
 +    int crm, opc1, opc2;
      int crmmin = (r->crm == CP_ANY) ? 0 : r->crm;
      int crmmax = (r->crm == CP_ANY) ? 15 : r->crm;
      int opc1min = (r->opc1 == CP_ANY) ? 0 : r->opc1;
      int opc1max = (r->opc1 == CP_ANY) ? 7 : r->opc1;
      int opc2min = (r->opc2 == CP_ANY) ? 0 : r->opc2;
      int opc2max = (r->opc2 == CP_ANY) ? 7 : r->opc2;
 +    CPState state;
 +
-+#ifndef HW_ARM_SMMU_COMMON_H
+     /* 64 bit registers have only CRm and Opc1 fields */
-+#define HW_ARM_SMMU_COMMON_H
+     assert(!((r->type & ARM_CP_64BIT) && (r->opc2 || r->crn)));
-+
+     /* op0 only exists in the AArch64 encodings */
 +#include "hw/sysbus.h"
 +#include "hw/pci/pci.h"
 +
 +#define SMMU_PCI_BUS_MAX      256
 +#define SMMU_PCI_DEVFN_MAX    256
 +
 +#define SMMU_MAX_VA_BITS      48
 +
 +/*
 + * Page table walk error types
 + */
 +typedef enum {
 +    SMMU_PTW_ERR_NONE,
 +    SMMU_PTW_ERR_WALK_EABT,   /* Translation walk external abort */
 +    SMMU_PTW_ERR_TRANSLATION, /* Translation fault */
 +    SMMU_PTW_ERR_ADDR_SIZE,   /* Address Size fault */
 +    SMMU_PTW_ERR_ACCESS,      /* Access fault */
 +    SMMU_PTW_ERR_PERMISSION,  /* Permission fault */
 +} SMMUPTWEventType;
 +
 +typedef struct SMMUPTWEventInfo {
 +    SMMUPTWEventType type;
 +    dma_addr_t addr; /* fetched address that induced an abort, if any */
 +} SMMUPTWEventInfo;
 +
 +typedef struct SMMUTransTableInfo {
 +    bool disabled;             /* is the translation table disabled? */
 +    uint64_t ttb;              /* TT base address */
 +    uint8_t tsz;               /* input range, ie. 2^(64 -tsz)*/
 +    uint8_t granule_sz;        /* granule page shift */
 +} SMMUTransTableInfo;
 +
 +/*
 + * Generic structure populated by derived SMMU devices
 + * after decoding the configuration information and used as
 + * input to the page table walk
 + */
 +typedef struct SMMUTransCfg {
 +    int stage;                 /* translation stage */
 +    bool aa64;                 /* arch64 or aarch32 translation table */
 +    bool disabled;             /* smmu is disabled */
 +    bool bypassed;             /* translation is bypassed */
 +    bool aborted;              /* translation is aborted */
 +    uint64_t ttb;              /* TT base address */
 +    uint8_t oas;               /* output address width */
 +    uint8_t tbi;               /* Top Byte Ignore */
 +    uint16_t asid;
 +    SMMUTransTableInfo tt[2];
 +} SMMUTransCfg;
 +
 +typedef struct SMMUDevice {
 +    void               *smmu;
 +    PCIBus             *bus;
 +    int                devfn;
 +    IOMMUMemoryRegion  iommu;
 +    AddressSpace       as;
 +} SMMUDevice;
 +
 +typedef struct SMMUNotifierNode {
 +    SMMUDevice *sdev;
 +    QLIST_ENTRY(SMMUNotifierNode) next;
 +} SMMUNotifierNode;
 +
 +typedef struct SMMUPciBus {
 +    PCIBus       *bus;
 +    SMMUDevice   *pbdev[0]; /* Parent array is sparse, so dynamically alloc */
 +} SMMUPciBus;
 +
 +typedef struct SMMUState {
 +    /* <private> */
 +    SysBusDevice  dev;
 +    const char *mrtypename;
 +    MemoryRegion iomem;
 +
 +    GHashTable *smmu_pcibus_by_busptr;
 +    GHashTable *configs; /* cache for configuration data */
 +    GHashTable *iotlb;
 +    SMMUPciBus *smmu_pcibus_by_bus_num[SMMU_PCI_BUS_MAX];
 +    PCIBus *pci_bus;
 +    QLIST_HEAD(, SMMUNotifierNode) notifiers_list;
 +    uint8_t bus_num;
 +    PCIBus *primary_bus;
 +} SMMUState;
 +
 +typedef struct {
 +    /* <private> */
 +    SysBusDeviceClass parent_class;
 +
 +    /*< public >*/
 +
 +    DeviceRealize parent_realize;
 +
 +} SMMUBaseClass;
 +
 +#define TYPE_ARM_SMMU "arm-smmu"
 +#define ARM_SMMU(obj) OBJECT_CHECK(SMMUState, (obj), TYPE_ARM_SMMU)
 +#define ARM_SMMU_CLASS(klass)                                    \
 +    OBJECT_CLASS_CHECK(SMMUBaseClass, (klass), TYPE_ARM_SMMU)
 +#define ARM_SMMU_GET_CLASS(obj)                              \
 +    OBJECT_GET_CLASS(SMMUBaseClass, (obj), TYPE_ARM_SMMU)
 +
 +#endif  /* HW_ARM_SMMU_COMMON */
 diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/hw/arm/smmu-common.c
@@ -XXX,XX +XXX,XX @@
 +/*
 + * Copyright (C) 2014-2016 Broadcom Corporation
 + * Copyright (c) 2017 Red Hat, Inc.
 + * Written by Prem Mallappa, Eric Auger
 + *
 + * This program is free software; you can redistribute it and/or modify
 + * it under the terms of the GNU General Public License version 2 as
 + * published by the Free Software Foundation.
 + *
 + * This program is distributed in the hope that it will be useful,
 + * but WITHOUT ANY WARRANTY; without even the implied warranty of
 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 + * GNU General Public License for more details.
 + *
 + * Author: Prem Mallappa <pmallapp@broadcom.com>
 + *
 + */
 +
 +#include "qemu/osdep.h"
 +#include "sysemu/sysemu.h"
 +#include "exec/address-spaces.h"
 +#include "trace.h"
 +#include "exec/target_page.h"
 +#include "qom/cpu.h"
 +#include "hw/qdev-properties.h"
 +#include "qapi/error.h"
 +
 +#include "qemu/error-report.h"
 +#include "hw/arm/smmu-common.h"
 +
 +static void smmu_base_realize(DeviceState *dev, Error **errp)
 +{
 +    SMMUBaseClass *sbc = ARM_SMMU_GET_CLASS(dev);
 +    Error *local_err = NULL;
 +
 +    sbc->parent_realize(dev, &local_err);
 +    if (local_err) {
 +        error_propagate(errp, local_err);
 +        return;
 +    }
 +}
 +
 +static void smmu_base_reset(DeviceState *dev)
 +{
 +    /* will be filled later on */
 +}
 +
 +static Property smmu_dev_properties[] = {
 +    DEFINE_PROP_UINT8("bus_num", SMMUState, bus_num, 0),
 +    DEFINE_PROP_LINK("primary-bus", SMMUState, primary_bus, "PCI", PCIBus *),
 +    DEFINE_PROP_END_OF_LIST(),
 +};
 +
 +static void smmu_base_class_init(ObjectClass *klass, void *data)
 +{
 +    DeviceClass *dc = DEVICE_CLASS(klass);
 +    SMMUBaseClass *sbc = ARM_SMMU_CLASS(klass);
 +
 +    dc->props = smmu_dev_properties;
 +    device_class_set_parent_realize(dc, smmu_base_realize,
 +                                    &sbc->parent_realize);
 +    dc->reset = smmu_base_reset;
 +}
 +
 +static const TypeInfo smmu_base_info = {
 +    .name          = TYPE_ARM_SMMU,
 +    .parent        = TYPE_SYS_BUS_DEVICE,
 +    .instance_size = sizeof(SMMUState),
 +    .class_data    = NULL,
 +    .class_size    = sizeof(SMMUBaseClass),
 +    .class_init    = smmu_base_class_init,
 +    .abstract      = true,
 +};
 +
 +static void smmu_base_register_types(void)
 +{
 +    type_register_static(&smmu_base_info);
 +}
 +
 +type_init(smmu_base_register_types)
 +
 diff --git a/default-configs/aarch64-softmmu.mak b/default-configs/aarch64-softmmu.mak
 index XXXXXXX..XXXXXXX 100644
 --- a/default-configs/aarch64-softmmu.mak
 +++ b/default-configs/aarch64-softmmu.mak
@@ -XXX,XX +XXX,XX @@ CONFIG_DDC=y
  CONFIG_DPCD=y
  CONFIG_XLNX_ZYNQMP=y
  CONFIG_XLNX_ZYNQMP_ARM=y
 +CONFIG_ARM_SMMUV3=y
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 19/24] hw/arm/smmuv3: Implement translate callback
+[PULL 10/23] target/arm: Name CPSecureState type
-From: Eric Auger <eric.auger@redhat.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-This patch implements the IOMMU Memory Region translate()
+Give this enum a name and use in ARMCPRegInfo and add_cpreg_to_hashtable.
-callback. Most of the code relates to the translation
+Add the enumerator ARM_CP_SECSTATE_BOTH to clarify how 0
-configuration decoding and check (STE, CD).
+is handled in define_one_arm_cp_reg_with_opaque.
-Signed-off-by: Eric Auger <eric.auger@redhat.com>
-Signed-off-by: Prem Mallappa <prem.mallappa@broadcom.com>
-Message-id: 1524665762-31355-10-git-send-email-eric.auger@redhat.com
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220501055028.646596-10-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/smmuv3-internal.h | 160 +++++++++++++++++
+ target/arm/cpregs.h | 7 ++++---
- hw/arm/smmuv3.c          | 358 +++++++++++++++++++++++++++++++++++++++
+ target/arm/helper.c | 7 +++++--
- hw/arm/trace-events      |   9 +
+files changed, 9 insertions(+), 5 deletions(-)
 files changed, 527 insertions(+)
-diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h
+diff --git a/target/arm/cpregs.h b/target/arm/cpregs.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmuv3-internal.h
+--- a/target/arm/cpregs.h
-+++ b/hw/arm/smmuv3-internal.h
++++ b/target/arm/cpregs.h
-@@ -XXX,XX +XXX,XX @@ typedef struct SMMUEventInfo {
+@@ -XXX,XX +XXX,XX @@ typedef enum {
+  * registered entry will only have one to identify whether the entry is secure
- void smmuv3_record_event(SMMUv3State *s, SMMUEventInfo *event);
+  * or non-secure.
+  */
-+/* Configuration Data */
+-enum {
-+
++typedef enum {
-+/* STE Level 1 Descriptor */
++    ARM_CP_SECSTATE_BOTH = 0,       /* define one cpreg for each secstate */
-+typedef struct STEDesc {
+     ARM_CP_SECSTATE_S =   (1 << 0), /* bit[0]: Secure state register */
-+    uint32_t word[2];
+     ARM_CP_SECSTATE_NS =  (1 << 1), /* bit[1]: Non-secure state register */
-+} STEDesc;
+-};
-+
++} CPSecureState;
-+/* CD Level 1 Descriptor */
-+typedef struct CDDesc {
+ /*
-+    uint32_t word[2];
+  * Access rights:
-+} CDDesc;
+@@ -XXX,XX +XXX,XX @@ struct ARMCPRegInfo {
-+
+     /* Access rights: PL*_[RW] */
-+/* Stream Table Entry(STE) */
+     CPAccessRights access;
-+typedef struct STE {
+     /* Security state: ARM_CP_SECSTATE_* bits/values */
-+    uint32_t word[16];
+-    int secure;
-+} STE;
++    CPSecureState secure;
-+
+     /*
-+/* Context Descriptor(CD) */
+      * The opaque pointer passed to define_arm_cp_regs_with_opaque() when
-+typedef struct CD {
+      * this register was defined: can be used to hand data through to the
-+    uint32_t word[16];
+diff --git a/target/arm/helper.c b/target/arm/helper.c
 +} CD;
 +
 +/* STE fields */
 +
 +#define STE_VALID(x)   extract32((x)->word[0], 0, 1)
 +
 +#define STE_CONFIG(x)  extract32((x)->word[0], 1, 3)
 +#define STE_CFG_S1_ENABLED(config) (config & 0x1)
 +#define STE_CFG_S2_ENABLED(config) (config & 0x2)
 +#define STE_CFG_ABORT(config)      (!(config & 0x4))
 +#define STE_CFG_BYPASS(config)     (config == 0x4)
 +
 +#define STE_S1FMT(x)       extract32((x)->word[0], 4 , 2)
 +#define STE_S1CDMAX(x)     extract32((x)->word[1], 27, 5)
 +#define STE_S1STALLD(x)    extract32((x)->word[2], 27, 1)
 +#define STE_EATS(x)        extract32((x)->word[2], 28, 2)
 +#define STE_STRW(x)        extract32((x)->word[2], 30, 2)
 +#define STE_S2VMID(x)      extract32((x)->word[4], 0 , 16)
 +#define STE_S2T0SZ(x)      extract32((x)->word[5], 0 , 6)
 +#define STE_S2SL0(x)       extract32((x)->word[5], 6 , 2)
 +#define STE_S2TG(x)        extract32((x)->word[5], 14, 2)
 +#define STE_S2PS(x)        extract32((x)->word[5], 16, 3)
 +#define STE_S2AA64(x)      extract32((x)->word[5], 19, 1)
 +#define STE_S2HD(x)        extract32((x)->word[5], 24, 1)
 +#define STE_S2HA(x)        extract32((x)->word[5], 25, 1)
 +#define STE_S2S(x)         extract32((x)->word[5], 26, 1)
 +#define STE_CTXPTR(x)                                           \
 +    ({                                                          \
 +        unsigned long addr;                                     \
 +        addr = (uint64_t)extract32((x)->word[1], 0, 16) << 32;  \
 +        addr |= (uint64_t)((x)->word[0] & 0xffffffc0);          \
 +        addr;                                                   \
 +    })
 +
 +#define STE_S2TTB(x)                                            \
 +    ({                                                          \
 +        unsigned long addr;                                     \
 +        addr = (uint64_t)extract32((x)->word[7], 0, 16) << 32;  \
 +        addr |= (uint64_t)((x)->word[6] & 0xfffffff0);          \
 +        addr;                                                   \
 +    })
 +
 +static inline int oas2bits(int oas_field)
 +{
 +    switch (oas_field) {
 +    case 0:
 +        return 32;
 +    case 1:
 +        return 36;
 +    case 2:
 +        return 40;
 +    case 3:
 +        return 42;
 +    case 4:
 +        return 44;
 +    case 5:
 +        return 48;
 +    }
 +    return -1;
 +}
 +
 +static inline int pa_range(STE *ste)
 +{
 +    int oas_field = MIN(STE_S2PS(ste), SMMU_IDR5_OAS);
 +
 +    if (!STE_S2AA64(ste)) {
 +        return 40;
 +    }
 +
 +    return oas2bits(oas_field);
 +}
 +
 +#define MAX_PA(ste) ((1 << pa_range(ste)) - 1)
 +
 +/* CD fields */
 +
 +#define CD_VALID(x)   extract32((x)->word[0], 30, 1)
 +#define CD_ASID(x)    extract32((x)->word[1], 16, 16)
 +#define CD_TTB(x, sel)                                      \
 +    ({                                                      \
 +        uint64_t hi, lo;                                    \
 +        hi = extract32((x)->word[(sel) * 2 + 3], 0, 19);    \
 +        hi <<= 32;                                          \
 +        lo = (x)->word[(sel) * 2 + 2] & ~0xfULL;            \
 +        hi | lo;                                            \
 +    })
 +
 +#define CD_TSZ(x, sel)   extract32((x)->word[0], (16 * (sel)) + 0, 6)
 +#define CD_TG(x, sel)    extract32((x)->word[0], (16 * (sel)) + 6, 2)
 +#define CD_EPD(x, sel)   extract32((x)->word[0], (16 * (sel)) + 14, 1)
 +#define CD_ENDI(x)       extract32((x)->word[0], 15, 1)
 +#define CD_IPS(x)        extract32((x)->word[1], 0 , 3)
 +#define CD_TBI(x)        extract32((x)->word[1], 6 , 2)
 +#define CD_HD(x)         extract32((x)->word[1], 10 , 1)
 +#define CD_HA(x)         extract32((x)->word[1], 11 , 1)
 +#define CD_S(x)          extract32((x)->word[1], 12, 1)
 +#define CD_R(x)          extract32((x)->word[1], 13, 1)
 +#define CD_A(x)          extract32((x)->word[1], 14, 1)
 +#define CD_AARCH64(x)    extract32((x)->word[1], 9 , 1)
 +
 +#define CDM_VALID(x)    ((x)->word[0] & 0x1)
 +
 +static inline int is_cd_valid(SMMUv3State *s, STE *ste, CD *cd)
 +{
 +    return CD_VALID(cd);
 +}
 +
 +/**
 + * tg2granule - Decodes the CD translation granule size field according
 + * to the ttbr in use
 + * @bits: TG0/1 fields
 + * @ttbr: ttbr index in use
 + */
 +static inline int tg2granule(int bits, int ttbr)
 +{
 +    switch (bits) {
 +    case 0:
 +        return ttbr ? 0  : 12;
 +    case 1:
 +        return ttbr ? 14 : 16;
 +    case 2:
 +        return ttbr ? 12 : 14;
 +    case 3:
 +        return ttbr ? 16 :  0;
 +    default:
 +        return 0;
 +    }
 +}
 +
 +static inline uint64_t l1std_l2ptr(STEDesc *desc)
 +{
 +    uint64_t hi, lo;
 +
 +    hi = desc->word[1];
 +    lo = desc->word[0] & ~0x1fULL;
 +    return hi << 32 | lo;
 +}
 +
 +#define L1STD_SPAN(stm) (extract32((stm)->word[0], 0, 4))
 +
  #endif
 diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmuv3.c
+--- a/target/arm/helper.c
-+++ b/hw/arm/smmuv3.c
++++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static void smmuv3_init_regs(SMMUv3State *s)
+@@ -XXX,XX +XXX,XX @@ CpuDefinitionInfoList *qmp_query_cpu_definitions(Error **errp)
      s->sid_split = 0;
  }
-+static int smmu_get_ste(SMMUv3State *s, dma_addr_t addr, STE *buf,
+ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
-+                        SMMUEventInfo *event)
+-                                   void *opaque, CPState state, int secstate,
-+{
++                                   void *opaque, CPState state,
-+    int ret;
++                                   CPSecureState secstate,
-+
+                                    int crm, int opc1, int opc2,
-+    trace_smmuv3_get_ste(addr);
+                                    const char *name)
 +    /* TODO: guarantee 64-bit single-copy atomicity */
 +    ret = dma_memory_read(&address_space_memory, addr,
 +                          (void *)buf, sizeof(*buf));
 +    if (ret != MEMTX_OK) {
 +        qemu_log_mask(LOG_GUEST_ERROR,
 +                      "Cannot fetch pte at address=0x%"PRIx64"\n", addr);
 +        event->type = SMMU_EVT_F_STE_FETCH;
 +        event->u.f_ste_fetch.addr = addr;
 +        return -EINVAL;
 +    }
 +    return 0;
 +
 +}
 +
 +/* @ssid > 0 not supported yet */
 +static int smmu_get_cd(SMMUv3State *s, STE *ste, uint32_t ssid,
 +                       CD *buf, SMMUEventInfo *event)
 +{
 +    dma_addr_t addr = STE_CTXPTR(ste);
 +    int ret;
 +
 +    trace_smmuv3_get_cd(addr);
 +    /* TODO: guarantee 64-bit single-copy atomicity */
 +    ret = dma_memory_read(&address_space_memory, addr,
 +                           (void *)buf, sizeof(*buf));
 +    if (ret != MEMTX_OK) {
 +        qemu_log_mask(LOG_GUEST_ERROR,
 +                      "Cannot fetch pte at address=0x%"PRIx64"\n", addr);
 +        event->type = SMMU_EVT_F_CD_FETCH;
 +        event->u.f_ste_fetch.addr = addr;
 +        return -EINVAL;
 +    }
 +    return 0;
 +}
 +
 +/* Returns <0 if the caller has no need to continue the translation */
 +static int decode_ste(SMMUv3State *s, SMMUTransCfg *cfg,
 +                      STE *ste, SMMUEventInfo *event)
 +{
 +    uint32_t config;
 +    int ret = -EINVAL;
 +
 +    if (!STE_VALID(ste)) {
 +        goto bad_ste;
 +    }
 +
 +    config = STE_CONFIG(ste);
 +
 +    if (STE_CFG_ABORT(config)) {
 +        cfg->aborted = true; /* abort but don't record any event */
 +        return ret;
 +    }
 +
 +    if (STE_CFG_BYPASS(config)) {
 +        cfg->bypassed = true;
 +        return ret;
 +    }
 +
 +    if (STE_CFG_S2_ENABLED(config)) {
 +        qemu_log_mask(LOG_UNIMP, "SMMUv3 does not support stage 2 yet\n");
 +        goto bad_ste;
 +    }
 +
 +    if (STE_S1CDMAX(ste) != 0) {
 +        qemu_log_mask(LOG_UNIMP,
 +                      "SMMUv3 does not support multiple context descriptors yet\n");
 +        goto bad_ste;
 +    }
 +
 +    if (STE_S1STALLD(ste)) {
 +        qemu_log_mask(LOG_UNIMP,
 +                      "SMMUv3 S1 stalling fault model not allowed yet\n");
 +        goto bad_ste;
 +    }
 +    return 0;
 +
 +bad_ste:
 +    event->type = SMMU_EVT_C_BAD_STE;
 +    return -EINVAL;
 +}
 +
 +/**
 + * smmu_find_ste - Return the stream table entry associated
 + * to the sid
 + *
 + * @s: smmuv3 handle
 + * @sid: stream ID
 + * @ste: returned stream table entry
 + * @event: handle to an event info
 + *
 + * Supports linear and 2-level stream table
 + * Return 0 on success, -EINVAL otherwise
 + */
 +static int smmu_find_ste(SMMUv3State *s, uint32_t sid, STE *ste,
 +                         SMMUEventInfo *event)
 +{
 +    dma_addr_t addr;
 +    int ret;
 +
 +    trace_smmuv3_find_ste(sid, s->features, s->sid_split);
 +    /* Check SID range */
 +    if (sid > (1 << SMMU_IDR1_SIDSIZE)) {
 +        event->type = SMMU_EVT_C_BAD_STREAMID;
 +        return -EINVAL;
 +    }
 +    if (s->features & SMMU_FEATURE_2LVL_STE) {
 +        int l1_ste_offset, l2_ste_offset, max_l2_ste, span;
 +        dma_addr_t strtab_base, l1ptr, l2ptr;
 +        STEDesc l1std;
 +
 +        strtab_base = s->strtab_base & SMMU_BASE_ADDR_MASK;
 +        l1_ste_offset = sid >> s->sid_split;
 +        l2_ste_offset = sid & ((1 << s->sid_split) - 1);
 +        l1ptr = (dma_addr_t)(strtab_base + l1_ste_offset * sizeof(l1std));
 +        /* TODO: guarantee 64-bit single-copy atomicity */
 +        ret = dma_memory_read(&address_space_memory, l1ptr,
 +                              (uint8_t *)&l1std, sizeof(l1std));
 +        if (ret != MEMTX_OK) {
 +            qemu_log_mask(LOG_GUEST_ERROR,
 +                          "Could not read L1PTR at 0X%"PRIx64"\n", l1ptr);
 +            event->type = SMMU_EVT_F_STE_FETCH;
 +            event->u.f_ste_fetch.addr = l1ptr;
 +            return -EINVAL;
 +        }
 +
 +        span = L1STD_SPAN(&l1std);
 +
 +        if (!span) {
 +            /* l2ptr is not valid */
 +            qemu_log_mask(LOG_GUEST_ERROR,
 +                          "invalid sid=%d (L1STD span=0)\n", sid);
 +            event->type = SMMU_EVT_C_BAD_STREAMID;
 +            return -EINVAL;
 +        }
 +        max_l2_ste = (1 << span) - 1;
 +        l2ptr = l1std_l2ptr(&l1std);
 +        trace_smmuv3_find_ste_2lvl(s->strtab_base, l1ptr, l1_ste_offset,
 +                                   l2ptr, l2_ste_offset, max_l2_ste);
 +        if (l2_ste_offset > max_l2_ste) {
 +            qemu_log_mask(LOG_GUEST_ERROR,
 +                          "l2_ste_offset=%d > max_l2_ste=%d\n",
 +                          l2_ste_offset, max_l2_ste);
 +            event->type = SMMU_EVT_C_BAD_STE;
 +            return -EINVAL;
 +        }
 +        addr = l2ptr + l2_ste_offset * sizeof(*ste);
 +    } else {
 +        addr = s->strtab_base + sid * sizeof(*ste);
 +    }
 +
 +    if (smmu_get_ste(s, addr, ste, event)) {
 +        return -EINVAL;
 +    }
 +
 +    return 0;
 +}
 +
 +static int decode_cd(SMMUTransCfg *cfg, CD *cd, SMMUEventInfo *event)
 +{
 +    int ret = -EINVAL;
 +    int i;
 +
 +    if (!CD_VALID(cd) || !CD_AARCH64(cd)) {
 +        goto bad_cd;
 +    }
 +    if (!CD_A(cd)) {
 +        goto bad_cd; /* SMMU_IDR0.TERM_MODEL == 1 */
 +    }
 +    if (CD_S(cd)) {
 +        goto bad_cd; /* !STE_SECURE && SMMU_IDR0.STALL_MODEL == 1 */
 +    }
 +    if (CD_HA(cd) || CD_HD(cd)) {
 +        goto bad_cd; /* HTTU = 0 */
 +    }
 +
 +    /* we support only those at the moment */
 +    cfg->aa64 = true;
 +    cfg->stage = 1;
 +
 +    cfg->oas = oas2bits(CD_IPS(cd));
 +    cfg->oas = MIN(oas2bits(SMMU_IDR5_OAS), cfg->oas);
 +    cfg->tbi = CD_TBI(cd);
 +    cfg->asid = CD_ASID(cd);
 +
 +    trace_smmuv3_decode_cd(cfg->oas);
 +
 +    /* decode data dependent on TT */
 +    for (i = 0; i <= 1; i++) {
 +        int tg, tsz;
 +        SMMUTransTableInfo *tt = &cfg->tt[i];
 +
 +        cfg->tt[i].disabled = CD_EPD(cd, i);
 +        if (cfg->tt[i].disabled) {
 +            continue;
 +        }
 +
 +        tsz = CD_TSZ(cd, i);
 +        if (tsz < 16 || tsz > 39) {
 +            goto bad_cd;
 +        }
 +
 +        tg = CD_TG(cd, i);
 +        tt->granule_sz = tg2granule(tg, i);
 +        if ((tt->granule_sz != 12 && tt->granule_sz != 16) || CD_ENDI(cd)) {
 +            goto bad_cd;
 +        }
 +
 +        tt->tsz = tsz;
 +        tt->ttb = CD_TTB(cd, i);
 +        if (tt->ttb & ~(MAKE_64BIT_MASK(0, cfg->oas))) {
 +            goto bad_cd;
 +        }
 +        trace_smmuv3_decode_cd_tt(i, tt->tsz, tt->ttb, tt->granule_sz);
 +    }
 +
 +    event->record_trans_faults = CD_R(cd);
 +
 +    return 0;
 +
 +bad_cd:
 +    event->type = SMMU_EVT_C_BAD_CD;
 +    return ret;
 +}
 +
 +/**
 + * smmuv3_decode_config - Prepare the translation configuration
 + * for the @mr iommu region
 + * @mr: iommu memory region the translation config must be prepared for
 + * @cfg: output translation configuration which is populated through
 + *       the different configuration decoding steps
 + * @event: must be zero'ed by the caller
 + *
 + * return < 0 if the translation needs to be aborted (@event is filled
 + * accordingly). Return 0 otherwise.
 + */
 +static int smmuv3_decode_config(IOMMUMemoryRegion *mr, SMMUTransCfg *cfg,
 +                                SMMUEventInfo *event)
 +{
 +    SMMUDevice *sdev = container_of(mr, SMMUDevice, iommu);
 +    uint32_t sid = smmu_get_sid(sdev);
 +    SMMUv3State *s = sdev->smmu;
 +    int ret = -EINVAL;
 +    STE ste;
 +    CD cd;
 +
 +    if (smmu_find_ste(s, sid, &ste, event)) {
 +        return ret;
 +    }
 +
 +    if (decode_ste(s, cfg, &ste, event)) {
 +        return ret;
 +    }
 +
 +    if (smmu_get_cd(s, &ste, 0 /* ssid */, &cd, event)) {
 +        return ret;
 +    }
 +
 +    return decode_cd(cfg, &cd, event);
 +}
 +
 +static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,
 +                                      IOMMUAccessFlags flag)
 +{
 +    SMMUDevice *sdev = container_of(mr, SMMUDevice, iommu);
 +    SMMUv3State *s = sdev->smmu;
 +    uint32_t sid = smmu_get_sid(sdev);
 +    SMMUEventInfo event = {.type = SMMU_EVT_OK, .sid = sid};
 +    SMMUPTWEventInfo ptw_info = {};
 +    SMMUTransCfg cfg = {};
 +    IOMMUTLBEntry entry = {
 +        .target_as = &address_space_memory,
 +        .iova = addr,
 +        .translated_addr = addr,
 +        .addr_mask = ~(hwaddr)0,
 +        .perm = IOMMU_NONE,
 +    };
 +    int ret = 0;
 +
 +    if (!smmu_enabled(s)) {
 +        goto out;
 +    }
 +
 +    ret = smmuv3_decode_config(mr, &cfg, &event);
 +    if (ret) {
 +        goto out;
 +    }
 +
 +    if (cfg.aborted) {
 +        goto out;
 +    }
 +
 +    ret = smmu_ptw(&cfg, addr, flag, &entry, &ptw_info);
 +    if (ret) {
 +        switch (ptw_info.type) {
 +        case SMMU_PTW_ERR_WALK_EABT:
 +            event.type = SMMU_EVT_F_WALK_EABT;
 +            event.u.f_walk_eabt.addr = addr;
 +            event.u.f_walk_eabt.rnw = flag & 0x1;
 +            event.u.f_walk_eabt.class = 0x1;
 +            event.u.f_walk_eabt.addr2 = ptw_info.addr;
 +            break;
 +        case SMMU_PTW_ERR_TRANSLATION:
 +            if (event.record_trans_faults) {
 +                event.type = SMMU_EVT_F_TRANSLATION;
 +                event.u.f_translation.addr = addr;
 +                event.u.f_translation.rnw = flag & 0x1;
 +            }
 +            break;
 +        case SMMU_PTW_ERR_ADDR_SIZE:
 +            if (event.record_trans_faults) {
 +                event.type = SMMU_EVT_F_ADDR_SIZE;
 +                event.u.f_addr_size.addr = addr;
 +                event.u.f_addr_size.rnw = flag & 0x1;
 +            }
 +            break;
 +        case SMMU_PTW_ERR_ACCESS:
 +            if (event.record_trans_faults) {
 +                event.type = SMMU_EVT_F_ACCESS;
 +                event.u.f_access.addr = addr;
 +                event.u.f_access.rnw = flag & 0x1;
 +            }
 +            break;
 +        case SMMU_PTW_ERR_PERMISSION:
 +            if (event.record_trans_faults) {
 +                event.type = SMMU_EVT_F_PERMISSION;
 +                event.u.f_permission.addr = addr;
 +                event.u.f_permission.rnw = flag & 0x1;
 +            }
 +            break;
 +        default:
 +            g_assert_not_reached();
 +        }
 +    }
 +out:
 +    if (ret) {
 +        qemu_log_mask(LOG_GUEST_ERROR,
 +                      "%s translation failed for iova=0x%"PRIx64"(%d)\n",
 +                      mr->parent_obj.name, addr, ret);
 +        entry.perm = IOMMU_NONE;
 +        smmuv3_record_event(s, &event);
 +    } else if (!cfg.aborted) {
 +        entry.perm = flag;
 +        trace_smmuv3_translate(mr->parent_obj.name, sid, addr,
 +                               entry.translated_addr, entry.perm);
 +    }
 +
 +    return entry;
 +}
 +
  static int smmuv3_cmdq_consume(SMMUv3State *s)
  {
-     SMMUCmdError cmd_error = SMMU_CERROR_NONE;
+@@ -XXX,XX +XXX,XX @@ void define_one_arm_cp_reg_with_opaque(ARMCPU *cpu,
-@@ -XXX,XX +XXX,XX @@ static void smmuv3_class_init(ObjectClass *klass, void *data)
+                                                    r->secure, crm, opc1, opc2,
- static void smmuv3_iommu_memory_region_class_init(ObjectClass *klass,
+                                                    r->name);
-                                                   void *data)
+                             break;
- {
+-                        default:
-+    IOMMUMemoryRegionClass *imrc = IOMMU_MEMORY_REGION_CLASS(klass);
++                        case ARM_CP_SECSTATE_BOTH:
-+
+                             name = g_strdup_printf("%s_S", r->name);
-+    imrc->translate = smmuv3_translate;
+                             add_cpreg_to_hashtable(cpu, r, opaque, state,
- }
+                                                    ARM_CP_SECSTATE_S,
+@@ -XXX,XX +XXX,XX @@ void define_one_arm_cp_reg_with_opaque(ARMCPU *cpu,
- static const TypeInfo smmuv3_type_info = {
+                                                    ARM_CP_SECSTATE_NS,
-diff --git a/hw/arm/trace-events b/hw/arm/trace-events
+                                                    crm, opc1, opc2, r->name);
-index XXXXXXX..XXXXXXX 100644
+                             break;
---- a/hw/arm/trace-events
++                        default:
-+++ b/hw/arm/trace-events
++                            g_assert_not_reached();
-@@ -XXX,XX +XXX,XX @@ smmuv3_write_mmio_idr(uint64_t addr, uint64_t val) "write to RO/Unimpl reg 0x%lx
+                         }
- smmuv3_write_mmio_evtq_cons_bef_clear(uint32_t prod, uint32_t cons, uint8_t prod_wrap, uint8_t cons_wrap) "Before clearing interrupt prod:0x%x cons:0x%x prod.w:%d cons.w:%d"
+                     } else {
- smmuv3_write_mmio_evtq_cons_after_clear(uint32_t prod, uint32_t cons, uint8_t prod_wrap, uint8_t cons_wrap) "after clearing interrupt prod:0x%x cons:0x%x prod.w:%d cons.w:%d"
+                         /* AArch64 registers get mapped to non-secure instance
  smmuv3_record_event(const char *type, uint32_t sid) "%s sid=%d"
 +smmuv3_find_ste(uint16_t sid, uint32_t features, uint16_t sid_split) "SID:0x%x features:0x%x, sid_split:0x%x"
 +smmuv3_find_ste_2lvl(uint64_t strtab_base, uint64_t l1ptr, int l1_ste_offset, uint64_t l2ptr, int l2_ste_offset, int max_l2_ste) "strtab_base:0x%lx l1ptr:0x%"PRIx64" l1_off:0x%x, l2ptr:0x%"PRIx64" l2_off:0x%x max_l2_ste:%d"
 +smmuv3_get_ste(uint64_t addr) "STE addr: 0x%"PRIx64
 +smmuv3_translate_bypass(const char *n, uint16_t sid, uint64_t addr, bool is_write) "%s sid=%d bypass iova:0x%"PRIx64" is_write=%d"
 +smmuv3_translate_in(uint16_t sid, int pci_bus_num, uint64_t strtab_base) "SID:0x%x bus:%d strtab_base:0x%"PRIx64
 +smmuv3_get_cd(uint64_t addr) "CD addr: 0x%"PRIx64
 +smmuv3_translate(const char *n, uint16_t sid, uint64_t iova, uint64_t translated, int perm) "%s sid=%d iova=0x%"PRIx64" translated=0x%"PRIx64" perm=0x%x"
 +smmuv3_decode_cd(uint32_t oas) "oas=%d"
 +smmuv3_decode_cd_tt(int i, uint32_t tsz, uint64_t ttb, uint32_t granule_sz) "TT[%d]:tsz:%d ttb:0x%"PRIx64" granule_sz:%d"
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 06/24] arm: boot: set boot_info starting from first_cpu
+[PULL 11/23] target/arm: Drop always-true test in define_arm_vh_e2h_redirects_aliases
-From: Igor Mammedov <imammedo@redhat.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-Even though nothing is currently broken (since all boards
+The new_key field is always non-zero -- drop the if.
 use first_cpu as boot cpu), make sure that boot_info is set
 on all CPUs.
 If some board would like support heterogenuos setup (i.e.
 init boot_info on subset of CPUs) in future, it should add
 a reasonable API to do it, instead of starting assigning
 boot_info from some CPU and till the end of present CPUs
 list.
-Ref:
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 "Message-ID: <CAFEAcA_NMWuA8WSs3cNeY6xX1kerO_uAcN_3=fK02BEhHJW86g@mail.gmail.com>"
 Signed-off-by: Igor Mammedov <imammedo@redhat.com>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 1525176522-200354-5-git-send-email-imammedo@redhat.com
+Message-id: 20220501055028.646596-11-richard.henderson@linaro.org
 [PMM: reinstated dropped PL3_RW mask]
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/boot.c | 2 +-
+ target/arm/helper.c | 23 +++++++++++------------
-file changed, 1 insertion(+), 1 deletion(-)
+file changed, 11 insertions(+), 12 deletions(-)
-diff --git a/hw/arm/boot.c b/hw/arm/boot.c
+diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/boot.c
+--- a/target/arm/helper.c
-+++ b/hw/arm/boot.c
++++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static void arm_load_kernel_notify(Notifier *notifier, void *data)
+@@ -XXX,XX +XXX,XX @@ static void define_arm_vh_e2h_redirects_aliases(ARMCPU *cpu)
-     }
-     info->is_linux = is_linux;
+     for (i = 0; i < ARRAY_SIZE(aliases); i++) {
+         const struct E2HAlias *a = &aliases[i];
--    for (cs = CPU(cpu); cs; cs = CPU_NEXT(cs)) {
+-        ARMCPRegInfo *src_reg, *dst_reg;
-+    for (cs = first_cpu; cs; cs = CPU_NEXT(cs)) {
++        ARMCPRegInfo *src_reg, *dst_reg, *new_reg;
-         ARM_CPU(cs)->env.boot_info = info;
++        uint32_t *new_key;
-     }
++        bool ok;
- }
          if (a->feature && !a->feature(&cpu->isar)) {
              continue;
@@ -XXX,XX +XXX,XX @@ static void define_arm_vh_e2h_redirects_aliases(ARMCPU *cpu)
          g_assert(src_reg->opaque == NULL);
          /* Create alias before redirection so we dup the right data. */
 -        if (a->new_key) {
 -            ARMCPRegInfo *new_reg = g_memdup(src_reg, sizeof(ARMCPRegInfo));
 -            uint32_t *new_key = g_memdup(&a->new_key, sizeof(uint32_t));
 -            bool ok;
 +        new_reg = g_memdup(src_reg, sizeof(ARMCPRegInfo));
 +        new_key = g_memdup(&a->new_key, sizeof(uint32_t));
 -            new_reg->name = a->new_name;
 -            new_reg->type |= ARM_CP_ALIAS;
 -            /* Remove PL1/PL0 access, leaving PL2/PL3 R/W in place.  */
 -            new_reg->access &= PL2_RW | PL3_RW;
 +        new_reg->name = a->new_name;
 +        new_reg->type |= ARM_CP_ALIAS;
 +        /* Remove PL1/PL0 access, leaving PL2/PL3 R/W in place.  */
 +        new_reg->access &= PL2_RW | PL3_RW;
 -            ok = g_hash_table_insert(cpu->cp_regs, new_key, new_reg);
 -            g_assert(ok);
 -        }
 +        ok = g_hash_table_insert(cpu->cp_regs, new_key, new_reg);
 +        g_assert(ok);
          src_reg->opaque = dst_reg;
          src_reg->orig_readfn = src_reg->readfn ?: raw_read;
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 16/24] hw/arm/smmuv3: Queue helpers
+[PULL 12/23] target/arm: Store cpregs key in the hash table directly
-From: Eric Auger <eric.auger@redhat.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-We introduce helpers to read/write into the command and event
+Cast the uint32_t key into a gpointer directly, which
-circular queues.
+allows us to avoid allocating storage for each key.
-smmuv3_write_eventq and smmuv3_cmq_consume will become static
+Use g_hash_table_lookup when we already have a gpointer
-in subsequent patches.
+(e.g. for callbacks like count_cpreg), or when using
 get_arm_cp_reginfo would require casting away const.
-Invalidation commands are not yet dealt with. We do not cache
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 data that need to be invalidated. This will change with vhost
 integration.
 Signed-off-by: Eric Auger <eric.auger@redhat.com>
 Signed-off-by: Prem Mallappa <prem.mallappa@broadcom.com>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 1524665762-31355-7-git-send-email-eric.auger@redhat.com
+Message-id: 20220501055028.646596-12-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/smmuv3-internal.h | 163 +++++++++++++++++++++++++++++++++++++++
+ target/arm/cpu.c     |  4 ++--
- hw/arm/smmuv3.c          | 136 ++++++++++++++++++++++++++++++++
+ target/arm/gdbstub.c |  2 +-
- hw/arm/trace-events      |   5 ++
+ target/arm/helper.c  | 41 ++++++++++++++++++-----------------------
-files changed, 304 insertions(+)
+files changed, 21 insertions(+), 26 deletions(-)
-diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h
+diff --git a/target/arm/cpu.c b/target/arm/cpu.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmuv3-internal.h
+--- a/target/arm/cpu.c
-+++ b/hw/arm/smmuv3-internal.h
++++ b/target/arm/cpu.c
-@@ -XXX,XX +XXX,XX @@ static inline bool smmuv3_gerror_irq_enabled(SMMUv3State *s)
+@@ -XXX,XX +XXX,XX @@ static void arm_cpu_initfn(Object *obj)
- void smmuv3_trigger_irq(SMMUv3State *s, SMMUIrq irq, uint32_t gerror_mask);
+     ARMCPU *cpu = ARM_CPU(obj);
- void smmuv3_write_gerrorn(SMMUv3State *s, uint32_t gerrorn);
+     cpu_set_cpustate_pointers(cpu);
-+/* Queue Handling */
+-    cpu->cp_regs = g_hash_table_new_full(g_int_hash, g_int_equal,
-+
+-                                         g_free, cpreg_hashtable_data_destroy);
-+#define Q_BASE(q)          ((q)->base & SMMU_BASE_ADDR_MASK)
++    cpu->cp_regs = g_hash_table_new_full(g_direct_hash, g_direct_equal,
-+#define WRAP_MASK(q)       (1 << (q)->log2size)
++                                         NULL, cpreg_hashtable_data_destroy);
-+#define INDEX_MASK(q)      (((1 << (q)->log2size)) - 1)
-+#define WRAP_INDEX_MASK(q) ((1 << ((q)->log2size + 1)) - 1)
+     QLIST_INIT(&cpu->pre_el_change_hooks);
-+
+     QLIST_INIT(&cpu->el_change_hooks);
-+#define Q_CONS(q) ((q)->cons & INDEX_MASK(q))
+diff --git a/target/arm/gdbstub.c b/target/arm/gdbstub.c
 +#define Q_PROD(q) ((q)->prod & INDEX_MASK(q))
 +
 +#define Q_CONS_ENTRY(q)  (Q_BASE(q) + (q)->entry_size * Q_CONS(q))
 +#define Q_PROD_ENTRY(q)  (Q_BASE(q) + (q)->entry_size * Q_PROD(q))
 +
 +#define Q_CONS_WRAP(q) (((q)->cons & WRAP_MASK(q)) >> (q)->log2size)
 +#define Q_PROD_WRAP(q) (((q)->prod & WRAP_MASK(q)) >> (q)->log2size)
 +
 +static inline bool smmuv3_q_full(SMMUQueue *q)
 +{
 +    return ((q->cons ^ q->prod) & WRAP_INDEX_MASK(q)) == WRAP_MASK(q);
 +}
 +
 +static inline bool smmuv3_q_empty(SMMUQueue *q)
 +{
 +    return (q->cons & WRAP_INDEX_MASK(q)) == (q->prod & WRAP_INDEX_MASK(q));
 +}
 +
 +static inline void queue_prod_incr(SMMUQueue *q)
 +{
 +    q->prod = (q->prod + 1) & WRAP_INDEX_MASK(q);
 +}
 +
 +static inline void queue_cons_incr(SMMUQueue *q)
 +{
 +    /*
 +     * We have to use deposit for the CONS registers to preserve
 +     * the ERR field in the high bits.
 +     */
 +    q->cons = deposit32(q->cons, 0, q->log2size + 1, q->cons + 1);
 +}
 +
 +static inline bool smmuv3_cmdq_enabled(SMMUv3State *s)
 +{
 +    return FIELD_EX32(s->cr[0], CR0, CMDQEN);
 +}
 +
 +static inline bool smmuv3_eventq_enabled(SMMUv3State *s)
 +{
 +    return FIELD_EX32(s->cr[0], CR0, EVENTQEN);
 +}
 +
 +static inline void smmu_write_cmdq_err(SMMUv3State *s, uint32_t err_type)
 +{
 +    s->cmdq.cons = FIELD_DP32(s->cmdq.cons, CMDQ_CONS, ERR, err_type);
 +}
 +
 +void smmuv3_write_eventq(SMMUv3State *s, Evt *evt);
 +
 +/* Commands */
 +
 +typedef enum SMMUCommandType {
 +    SMMU_CMD_NONE            = 0x00,
 +    SMMU_CMD_PREFETCH_CONFIG       ,
 +    SMMU_CMD_PREFETCH_ADDR,
 +    SMMU_CMD_CFGI_STE,
 +    SMMU_CMD_CFGI_STE_RANGE,
 +    SMMU_CMD_CFGI_CD,
 +    SMMU_CMD_CFGI_CD_ALL,
 +    SMMU_CMD_CFGI_ALL,
 +    SMMU_CMD_TLBI_NH_ALL     = 0x10,
 +    SMMU_CMD_TLBI_NH_ASID,
 +    SMMU_CMD_TLBI_NH_VA,
 +    SMMU_CMD_TLBI_NH_VAA,
 +    SMMU_CMD_TLBI_EL3_ALL    = 0x18,
 +    SMMU_CMD_TLBI_EL3_VA     = 0x1a,
 +    SMMU_CMD_TLBI_EL2_ALL    = 0x20,
 +    SMMU_CMD_TLBI_EL2_ASID,
 +    SMMU_CMD_TLBI_EL2_VA,
 +    SMMU_CMD_TLBI_EL2_VAA,
 +    SMMU_CMD_TLBI_S12_VMALL  = 0x28,
 +    SMMU_CMD_TLBI_S2_IPA     = 0x2a,
 +    SMMU_CMD_TLBI_NSNH_ALL   = 0x30,
 +    SMMU_CMD_ATC_INV         = 0x40,
 +    SMMU_CMD_PRI_RESP,
 +    SMMU_CMD_RESUME          = 0x44,
 +    SMMU_CMD_STALL_TERM,
 +    SMMU_CMD_SYNC,
 +} SMMUCommandType;
 +
 +static const char *cmd_stringify[] = {
 +    [SMMU_CMD_PREFETCH_CONFIG] = "SMMU_CMD_PREFETCH_CONFIG",
 +    [SMMU_CMD_PREFETCH_ADDR]   = "SMMU_CMD_PREFETCH_ADDR",
 +    [SMMU_CMD_CFGI_STE]        = "SMMU_CMD_CFGI_STE",
 +    [SMMU_CMD_CFGI_STE_RANGE]  = "SMMU_CMD_CFGI_STE_RANGE",
 +    [SMMU_CMD_CFGI_CD]         = "SMMU_CMD_CFGI_CD",
 +    [SMMU_CMD_CFGI_CD_ALL]     = "SMMU_CMD_CFGI_CD_ALL",
 +    [SMMU_CMD_CFGI_ALL]        = "SMMU_CMD_CFGI_ALL",
 +    [SMMU_CMD_TLBI_NH_ALL]     = "SMMU_CMD_TLBI_NH_ALL",
 +    [SMMU_CMD_TLBI_NH_ASID]    = "SMMU_CMD_TLBI_NH_ASID",
 +    [SMMU_CMD_TLBI_NH_VA]      = "SMMU_CMD_TLBI_NH_VA",
 +    [SMMU_CMD_TLBI_NH_VAA]     = "SMMU_CMD_TLBI_NH_VAA",
 +    [SMMU_CMD_TLBI_EL3_ALL]    = "SMMU_CMD_TLBI_EL3_ALL",
 +    [SMMU_CMD_TLBI_EL3_VA]     = "SMMU_CMD_TLBI_EL3_VA",
 +    [SMMU_CMD_TLBI_EL2_ALL]    = "SMMU_CMD_TLBI_EL2_ALL",
 +    [SMMU_CMD_TLBI_EL2_ASID]   = "SMMU_CMD_TLBI_EL2_ASID",
 +    [SMMU_CMD_TLBI_EL2_VA]     = "SMMU_CMD_TLBI_EL2_VA",
 +    [SMMU_CMD_TLBI_EL2_VAA]    = "SMMU_CMD_TLBI_EL2_VAA",
 +    [SMMU_CMD_TLBI_S12_VMALL]  = "SMMU_CMD_TLBI_S12_VMALL",
 +    [SMMU_CMD_TLBI_S2_IPA]     = "SMMU_CMD_TLBI_S2_IPA",
 +    [SMMU_CMD_TLBI_NSNH_ALL]   = "SMMU_CMD_TLBI_NSNH_ALL",
 +    [SMMU_CMD_ATC_INV]         = "SMMU_CMD_ATC_INV",
 +    [SMMU_CMD_PRI_RESP]        = "SMMU_CMD_PRI_RESP",
 +    [SMMU_CMD_RESUME]          = "SMMU_CMD_RESUME",
 +    [SMMU_CMD_STALL_TERM]      = "SMMU_CMD_STALL_TERM",
 +    [SMMU_CMD_SYNC]            = "SMMU_CMD_SYNC",
 +};
 +
 +static inline const char *smmu_cmd_string(SMMUCommandType type)
 +{
 +    if (type > SMMU_CMD_NONE && type < ARRAY_SIZE(cmd_stringify)) {
 +        return cmd_stringify[type] ? cmd_stringify[type] : "UNKNOWN";
 +    } else {
 +        return "INVALID";
 +    }
 +}
 +
 +/* CMDQ fields */
 +
 +typedef enum {
 +    SMMU_CERROR_NONE = 0,
 +    SMMU_CERROR_ILL,
 +    SMMU_CERROR_ABT,
 +    SMMU_CERROR_ATC_INV_SYNC,
 +} SMMUCmdError;
 +
 +enum { /* Command completion notification */
 +    CMD_SYNC_SIG_NONE,
 +    CMD_SYNC_SIG_IRQ,
 +    CMD_SYNC_SIG_SEV,
 +};
 +
 +#define CMD_TYPE(x)         extract32((x)->word[0], 0 , 8)
 +#define CMD_SSEC(x)         extract32((x)->word[0], 10, 1)
 +#define CMD_SSV(x)          extract32((x)->word[0], 11, 1)
 +#define CMD_RESUME_AC(x)    extract32((x)->word[0], 12, 1)
 +#define CMD_RESUME_AB(x)    extract32((x)->word[0], 13, 1)
 +#define CMD_SYNC_CS(x)      extract32((x)->word[0], 12, 2)
 +#define CMD_SSID(x)         extract32((x)->word[0], 12, 20)
 +#define CMD_SID(x)          ((x)->word[1])
 +#define CMD_VMID(x)         extract32((x)->word[1], 0 , 16)
 +#define CMD_ASID(x)         extract32((x)->word[1], 16, 16)
 +#define CMD_RESUME_STAG(x)  extract32((x)->word[2], 0 , 16)
 +#define CMD_RESP(x)         extract32((x)->word[2], 11, 2)
 +#define CMD_LEAF(x)         extract32((x)->word[2], 0 , 1)
 +#define CMD_STE_RANGE(x)    extract32((x)->word[2], 0 , 5)
 +#define CMD_ADDR(x) ({                                        \
 +            uint64_t high = (uint64_t)(x)->word[3];           \
 +            uint64_t low = extract32((x)->word[2], 12, 20);    \
 +            uint64_t addr = high << 32 | (low << 12);         \
 +            addr;                                             \
 +        })
 +
 +int smmuv3_cmdq_consume(SMMUv3State *s);
 +
  #endif
 diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmuv3.c
+--- a/target/arm/gdbstub.c
-+++ b/hw/arm/smmuv3.c
++++ b/target/arm/gdbstub.c
-@@ -XXX,XX +XXX,XX @@ void smmuv3_write_gerrorn(SMMUv3State *s, uint32_t new_gerrorn)
+@@ -XXX,XX +XXX,XX @@ static void arm_gen_one_xml_sysreg_tag(GString *s, DynamicGDBXMLInfo *dyn_xml,
-     trace_smmuv3_write_gerrorn(toggled & pending, s->gerrorn);
+ static void arm_register_sysreg_for_xml(gpointer key, gpointer value,
                                          gpointer p)
  {
 -    uint32_t ri_key = *(uint32_t *)key;
 +    uint32_t ri_key = (uintptr_t)key;
      ARMCPRegInfo *ri = value;
      RegisterSysregXmlParam *param = (RegisterSysregXmlParam *)p;
      GString *s = param->s;
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ bool write_list_to_cpustate(ARMCPU *cpu)
  static void add_cpreg_to_list(gpointer key, gpointer opaque)
  {
      ARMCPU *cpu = opaque;
 -    uint64_t regidx;
 -    const ARMCPRegInfo *ri;
 -
 -    regidx = *(uint32_t *)key;
 -    ri = get_arm_cp_reginfo(cpu->cp_regs, regidx);
 +    uint32_t regidx = (uintptr_t)key;
 +    const ARMCPRegInfo *ri = get_arm_cp_reginfo(cpu->cp_regs, regidx);
      if (!(ri->type & (ARM_CP_NO_RAW|ARM_CP_ALIAS))) {
          cpu->cpreg_indexes[cpu->cpreg_array_len] = cpreg_to_kvm_id(regidx);
@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_list(gpointer key, gpointer opaque)
  static void count_cpreg(gpointer key, gpointer opaque)
  {
      ARMCPU *cpu = opaque;
 -    uint64_t regidx;
      const ARMCPRegInfo *ri;
 -    regidx = *(uint32_t *)key;
 -    ri = get_arm_cp_reginfo(cpu->cp_regs, regidx);
 +    ri = g_hash_table_lookup(cpu->cp_regs, key);
      if (!(ri->type & (ARM_CP_NO_RAW|ARM_CP_ALIAS))) {
          cpu->cpreg_array_len++;
@@ -XXX,XX +XXX,XX @@ static void count_cpreg(gpointer key, gpointer opaque)
  static gint cpreg_key_compare(gconstpointer a, gconstpointer b)
  {
 -    uint64_t aidx = cpreg_to_kvm_id(*(uint32_t *)a);
 -    uint64_t bidx = cpreg_to_kvm_id(*(uint32_t *)b);
 +    uint64_t aidx = cpreg_to_kvm_id((uintptr_t)a);
 +    uint64_t bidx = cpreg_to_kvm_id((uintptr_t)b);
      if (aidx > bidx) {
          return 1;
@@ -XXX,XX +XXX,XX @@ static void define_arm_vh_e2h_redirects_aliases(ARMCPU *cpu)
      for (i = 0; i < ARRAY_SIZE(aliases); i++) {
          const struct E2HAlias *a = &aliases[i];
          ARMCPRegInfo *src_reg, *dst_reg, *new_reg;
 -        uint32_t *new_key;
          bool ok;
          if (a->feature && !a->feature(&cpu->isar)) {
              continue;
          }
 -        src_reg = g_hash_table_lookup(cpu->cp_regs, &a->src_key);
 -        dst_reg = g_hash_table_lookup(cpu->cp_regs, &a->dst_key);
 +        src_reg = g_hash_table_lookup(cpu->cp_regs,
 +                                      (gpointer)(uintptr_t)a->src_key);
 +        dst_reg = g_hash_table_lookup(cpu->cp_regs,
 +                                      (gpointer)(uintptr_t)a->dst_key);
          g_assert(src_reg != NULL);
          g_assert(dst_reg != NULL);
@@ -XXX,XX +XXX,XX @@ static void define_arm_vh_e2h_redirects_aliases(ARMCPU *cpu)
          /* Create alias before redirection so we dup the right data. */
          new_reg = g_memdup(src_reg, sizeof(ARMCPRegInfo));
 -        new_key = g_memdup(&a->new_key, sizeof(uint32_t));
          new_reg->name = a->new_name;
          new_reg->type |= ARM_CP_ALIAS;
          /* Remove PL1/PL0 access, leaving PL2/PL3 R/W in place.  */
          new_reg->access &= PL2_RW | PL3_RW;
 -        ok = g_hash_table_insert(cpu->cp_regs, new_key, new_reg);
 +        ok = g_hash_table_insert(cpu->cp_regs,
 +                                 (gpointer)(uintptr_t)a->new_key, new_reg);
          g_assert(ok);
          src_reg->opaque = dst_reg;
@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
      /* Private utility function for define_one_arm_cp_reg_with_opaque():
       * add a single reginfo struct to the hash table.
       */
 -    uint32_t *key = g_new(uint32_t, 1);
 +    uint32_t key;
      ARMCPRegInfo *r2 = g_memdup(r, sizeof(ARMCPRegInfo));
      int is64 = (r->type & ARM_CP_64BIT) ? 1 : 0;
      int ns = (secstate & ARM_CP_SECSTATE_NS) ? 1 : 0;
@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
          if (r->cp == 0 || r->state == ARM_CP_STATE_BOTH) {
              r2->cp = CP_REG_ARM64_SYSREG_CP;
          }
 -        *key = ENCODE_AA64_CP_REG(r2->cp, r2->crn, crm,
 -                                  r2->opc0, opc1, opc2);
 +        key = ENCODE_AA64_CP_REG(r2->cp, r2->crn, crm,
 +                                 r2->opc0, opc1, opc2);
      } else {
 -        *key = ENCODE_CP_REG(r2->cp, is64, ns, r2->crn, crm, opc1, opc2);
 +        key = ENCODE_CP_REG(r2->cp, is64, ns, r2->crn, crm, opc1, opc2);
      }
      if (opaque) {
          r2->opaque = opaque;
@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
       * requested.
       */
      if (!(r->type & ARM_CP_OVERRIDE)) {
 -        ARMCPRegInfo *oldreg;
 -        oldreg = g_hash_table_lookup(cpu->cp_regs, key);
 +        const ARMCPRegInfo *oldreg = get_arm_cp_reginfo(cpu->cp_regs, key);
          if (oldreg && !(oldreg->type & ARM_CP_OVERRIDE)) {
              fprintf(stderr, "Register redefined: cp=%d %d bit "
                      "crn=%d crm=%d opc1=%d opc2=%d, "
@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
              g_assert_not_reached();
          }
      }
 -    g_hash_table_insert(cpu->cp_regs, key, r2);
 +    g_hash_table_insert(cpu->cp_regs, (gpointer)(uintptr_t)key, r2);
  }
-+static inline MemTxResult queue_read(SMMUQueue *q, void *data)
-+{
+@@ -XXX,XX +XXX,XX @@ void modify_arm_cp_regs_with_len(ARMCPRegInfo *regs, size_t regs_len,
-+    dma_addr_t addr = Q_CONS_ENTRY(q);
-+
+ const ARMCPRegInfo *get_arm_cp_reginfo(GHashTable *cpregs, uint32_t encoded_cp)
 +    return dma_memory_read(&address_space_memory, addr, data, q->entry_size);
 +}
 +
 +static MemTxResult queue_write(SMMUQueue *q, void *data)
 +{
 +    dma_addr_t addr = Q_PROD_ENTRY(q);
 +    MemTxResult ret;
 +
 +    ret = dma_memory_write(&address_space_memory, addr, data, q->entry_size);
 +    if (ret != MEMTX_OK) {
 +        return ret;
 +    }
 +
 +    queue_prod_incr(q);
 +    return MEMTX_OK;
 +}
 +
 +void smmuv3_write_eventq(SMMUv3State *s, Evt *evt)
 +{
 +    SMMUQueue *q = &s->eventq;
 +
 +    if (!smmuv3_eventq_enabled(s)) {
 +        return;
 +    }
 +
 +    if (smmuv3_q_full(q)) {
 +        return;
 +    }
 +
 +    queue_write(q, evt);
 +
 +    if (smmuv3_q_empty(q)) {
 +        smmuv3_trigger_irq(s, SMMU_IRQ_EVTQ, 0);
 +    }
 +}
 +
  static void smmuv3_init_regs(SMMUv3State *s)
  {
-     /**
+-    return g_hash_table_lookup(cpregs, &encoded_cp);
-@@ -XXX,XX +XXX,XX @@ static void smmuv3_init_regs(SMMUv3State *s)
++    return g_hash_table_lookup(cpregs, (gpointer)(uintptr_t)encoded_cp);
      s->sid_split = 0;
  }
-+int smmuv3_cmdq_consume(SMMUv3State *s)
+ void arm_cp_write_ignore(CPUARMState *env, const ARMCPRegInfo *ri,
 +{
 +    SMMUCmdError cmd_error = SMMU_CERROR_NONE;
 +    SMMUQueue *q = &s->cmdq;
 +    SMMUCommandType type = 0;
 +
 +    if (!smmuv3_cmdq_enabled(s)) {
 +        return 0;
 +    }
 +    /*
 +     * some commands depend on register values, typically CR0. In case those
 +     * register values change while handling the command, spec says it
 +     * is UNPREDICTABLE whether the command is interpreted under the new
 +     * or old value.
 +     */
 +
 +    while (!smmuv3_q_empty(q)) {
 +        uint32_t pending = s->gerror ^ s->gerrorn;
 +        Cmd cmd;
 +
 +        trace_smmuv3_cmdq_consume(Q_PROD(q), Q_CONS(q),
 +                                  Q_PROD_WRAP(q), Q_CONS_WRAP(q));
 +
 +        if (FIELD_EX32(pending, GERROR, CMDQ_ERR)) {
 +            break;
 +        }
 +
 +        if (queue_read(q, &cmd) != MEMTX_OK) {
 +            cmd_error = SMMU_CERROR_ABT;
 +            break;
 +        }
 +
 +        type = CMD_TYPE(&cmd);
 +
 +        trace_smmuv3_cmdq_opcode(smmu_cmd_string(type));
 +
 +        switch (type) {
 +        case SMMU_CMD_SYNC:
 +            if (CMD_SYNC_CS(&cmd) & CMD_SYNC_SIG_IRQ) {
 +                smmuv3_trigger_irq(s, SMMU_IRQ_CMD_SYNC, 0);
 +            }
 +            break;
 +        case SMMU_CMD_PREFETCH_CONFIG:
 +        case SMMU_CMD_PREFETCH_ADDR:
 +        case SMMU_CMD_CFGI_STE:
 +        case SMMU_CMD_CFGI_STE_RANGE: /* same as SMMU_CMD_CFGI_ALL */
 +        case SMMU_CMD_CFGI_CD:
 +        case SMMU_CMD_CFGI_CD_ALL:
 +        case SMMU_CMD_TLBI_NH_ALL:
 +        case SMMU_CMD_TLBI_NH_ASID:
 +        case SMMU_CMD_TLBI_NH_VA:
 +        case SMMU_CMD_TLBI_NH_VAA:
 +        case SMMU_CMD_TLBI_EL3_ALL:
 +        case SMMU_CMD_TLBI_EL3_VA:
 +        case SMMU_CMD_TLBI_EL2_ALL:
 +        case SMMU_CMD_TLBI_EL2_ASID:
 +        case SMMU_CMD_TLBI_EL2_VA:
 +        case SMMU_CMD_TLBI_EL2_VAA:
 +        case SMMU_CMD_TLBI_S12_VMALL:
 +        case SMMU_CMD_TLBI_S2_IPA:
 +        case SMMU_CMD_TLBI_NSNH_ALL:
 +        case SMMU_CMD_ATC_INV:
 +        case SMMU_CMD_PRI_RESP:
 +        case SMMU_CMD_RESUME:
 +        case SMMU_CMD_STALL_TERM:
 +            trace_smmuv3_unhandled_cmd(type);
 +            break;
 +        default:
 +            cmd_error = SMMU_CERROR_ILL;
 +            qemu_log_mask(LOG_GUEST_ERROR,
 +                          "Illegal command type: %d\n", CMD_TYPE(&cmd));
 +            break;
 +        }
 +        if (cmd_error) {
 +            break;
 +        }
 +        /*
 +         * We only increment the cons index after the completion of
 +         * the command. We do that because the SYNC returns immediately
 +         * and does not check the completion of previous commands
 +         */
 +        queue_cons_incr(q);
 +    }
 +
 +    if (cmd_error) {
 +        trace_smmuv3_cmdq_consume_error(smmu_cmd_string(type), cmd_error);
 +        smmu_write_cmdq_err(s, cmd_error);
 +        smmuv3_trigger_irq(s, SMMU_IRQ_GERROR, R_GERROR_CMDQ_ERR_MASK);
 +    }
 +
 +    trace_smmuv3_cmdq_consume_out(Q_PROD(q), Q_CONS(q),
 +                                  Q_PROD_WRAP(q), Q_CONS_WRAP(q));
 +
 +    return 0;
 +}
 +
  static MemTxResult smmu_write_mmio(void *opaque, hwaddr offset, uint64_t data,
                                     unsigned size, MemTxAttrs attrs)
  {
 diff --git a/hw/arm/trace-events b/hw/arm/trace-events
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/trace-events
 +++ b/hw/arm/trace-events
@@ -XXX,XX +XXX,XX @@ smmuv3_read_mmio(uint64_t addr, uint64_t val, unsigned size, uint32_t r) "addr:
  smmuv3_trigger_irq(int irq) "irq=%d"
  smmuv3_write_gerror(uint32_t toggled, uint32_t gerror) "toggled=0x%x, new GERROR=0x%x"
  smmuv3_write_gerrorn(uint32_t acked, uint32_t gerrorn) "acked=0x%x, new GERRORN=0x%x"
 +smmuv3_unhandled_cmd(uint32_t type) "Unhandled command type=%d"
 +smmuv3_cmdq_consume(uint32_t prod, uint32_t cons, uint8_t prod_wrap, uint8_t cons_wrap) "prod=%d cons=%d prod.wrap=%d cons.wrap=%d"
 +smmuv3_cmdq_opcode(const char *opcode) "<--- %s"
 +smmuv3_cmdq_consume_out(uint32_t prod, uint32_t cons, uint8_t prod_wrap, uint8_t cons_wrap) "prod:%d, cons:%d, prod_wrap:%d, cons_wrap:%d "
 +smmuv3_cmdq_consume_error(const char *cmd_name, uint8_t cmd_error) "Error on %s command execution: %d"
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 05/24] hw/net/smc91c111: Convert away from old_mmio
+[PULL 13/23] target/arm: Merge allocation of the cpreg and its name
-Convert the smc91c111 device away from using the old_mmio field of
+From: Richard Henderson <richard.henderson@linaro.org>
 MemoryRegionOps. This device is used by several Arm board models.
+Simplify freeing cp_regs hash table entries by using a single
+allocation for the entire value.
+This fixes a theoretical bug if we were to ever free the entire
+hash table, because we've been installing string literal constants
+into the cpreg structure in define_arm_vh_e2h_redirects_aliases.
+However, at present we only free entries created for AArch32
+wildcard cpregs which get overwritten by more specific cpregs,
+so this bug is never exposed.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20220501055028.646596-13-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180427173611.10281-3-peter.maydell@linaro.org
 ---
- hw/net/smc91c111.c | 54 +++++++++++++++++++++-------------------------
+ target/arm/cpu.c    | 16 +---------------
-file changed, 25 insertions(+), 29 deletions(-)
+ target/arm/helper.c | 10 ++++++++--
 files changed, 9 insertions(+), 17 deletions(-)
-diff --git a/hw/net/smc91c111.c b/hw/net/smc91c111.c
+diff --git a/target/arm/cpu.c b/target/arm/cpu.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/net/smc91c111.c
+--- a/target/arm/cpu.c
-+++ b/hw/net/smc91c111.c
++++ b/target/arm/cpu.c
-@@ -XXX,XX +XXX,XX @@ static uint32_t smc91c111_readb(void *opaque, hwaddr offset)
+@@ -XXX,XX +XXX,XX @@ uint64_t arm_cpu_mp_affinity(int idx, uint8_t clustersz)
-     return 0;
+     return (Aff1 << ARM_AFF1_SHIFT) | Aff0;
  }
--static void smc91c111_writew(void *opaque, hwaddr offset,
+-static void cpreg_hashtable_data_destroy(gpointer data)
 -                             uint32_t value)
 +static uint64_t smc91c111_readfn(void *opaque, hwaddr addr, unsigned size)
  {
 -    smc91c111_writeb(opaque, offset, value & 0xff);
 -    smc91c111_writeb(opaque, offset + 1, value >> 8);
 +    int i;
 +    uint32_t val = 0;
 +
 +    for (i = 0; i < size; i++) {
 +        val |= smc91c111_readb(opaque, addr + i) << (i * 8);
 +    }
 +    return val;
  }
 -static void smc91c111_writel(void *opaque, hwaddr offset,
 -                             uint32_t value)
 +static void smc91c111_writefn(void *opaque, hwaddr addr,
 +                               uint64_t value, unsigned size)
  {
 +    int i = 0;
 +
      /* 32-bit writes to offset 0xc only actually write to the bank select
 -       register (offset 0xe)  */
 -    if (offset != 0xc)
 -        smc91c111_writew(opaque, offset, value & 0xffff);
 -    smc91c111_writew(opaque, offset + 2, value >> 16);
 -}
 +     * register (offset 0xe), so skip the first two bytes we would write.
 +     */
 +    if (addr == 0xc && size == 4) {
 +        i += 2;
 +    }
 -static uint32_t smc91c111_readw(void *opaque, hwaddr offset)
 -{
--    uint32_t val;
+-    /*
--    val = smc91c111_readb(opaque, offset);
+-     * Destroy function for cpu->cp_regs hashtable data entries.
--    val |= smc91c111_readb(opaque, offset + 1) << 8;
+-     * We must free the name string because it was g_strdup()ed in
--    return val;
+-     * add_cpreg_to_hashtable(). It's OK to cast away the 'const'
 -     * from r->name because we know we definitely allocated it.
 -     */
 -    ARMCPRegInfo *r = data;
 -
 -    g_free((void *)r->name);
 -    g_free(r);
 -}
 -
--static uint32_t smc91c111_readl(void *opaque, hwaddr offset)
+ static void arm_cpu_initfn(Object *obj)
--{
+ {
--    uint32_t val;
+     ARMCPU *cpu = ARM_CPU(obj);
--    val = smc91c111_readw(opaque, offset);
--    val |= smc91c111_readw(opaque, offset + 2) << 16;
+     cpu_set_cpustate_pointers(cpu);
--    return val;
+     cpu->cp_regs = g_hash_table_new_full(g_direct_hash, g_direct_equal,
-+    for (; i < size; i++) {
+-                                         NULL, cpreg_hashtable_data_destroy);
-+        smc91c111_writeb(opaque, addr + i,
++                                         NULL, g_free);
-+                         extract32(value, i * 8, 8));
-+    }
+     QLIST_INIT(&cpu->pre_el_change_hooks);
- }
+     QLIST_INIT(&cpu->el_change_hooks);
+diff --git a/target/arm/helper.c b/target/arm/helper.c
- static int smc91c111_can_receive_nc(NetClientState *nc)
+index XXXXXXX..XXXXXXX 100644
-@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps smc91c111_mem_ops = {
+--- a/target/arm/helper.c
-     /* The special case for 32 bit writes to 0xc means we can't just
++++ b/target/arm/helper.c
-      * set .impl.min/max_access_size to 1, unfortunately
+@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
       * add a single reginfo struct to the hash table.
       */
--    .old_mmio = {
+     uint32_t key;
--        .read = { smc91c111_readb, smc91c111_readw, smc91c111_readl, },
+-    ARMCPRegInfo *r2 = g_memdup(r, sizeof(ARMCPRegInfo));
--        .write = { smc91c111_writeb, smc91c111_writew, smc91c111_writel, },
++    ARMCPRegInfo *r2;
--    },
+     int is64 = (r->type & ARM_CP_64BIT) ? 1 : 0;
-+    .read = smc91c111_readfn,
+     int ns = (secstate & ARM_CP_SECSTATE_NS) ? 1 : 0;
-+    .write = smc91c111_writefn,
++    size_t name_len;
-+    .valid.min_access_size = 1,
++
-+    .valid.max_access_size = 4,
++    /* Combine cpreg and name into one allocation. */
-     .endianness = DEVICE_NATIVE_ENDIAN,
++    name_len = strlen(name) + 1;
- };
++    r2 = g_malloc(sizeof(*r2) + name_len);
++    *r2 = *r;
 +    r2->name = memcpy(r2 + 1, name, name_len);
 -    r2->name = g_strdup(name);
      /* Reset the secure state to the specific incoming state.  This is
       * necessary as the register may have been defined with both states.
       */
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 04/24] hw/usb/tusb6010: Convert away from old_mmio
+[PULL 14/23] target/arm: Hoist computation of key in add_cpreg_to_hashtable
-Convert the tusb6010 device away from using the old_mmio field
+From: Richard Henderson <richard.henderson@linaro.org>
 of MemoryRegionOps. This device is used only in the n800 and n810
 boards.
+Move the computation of key to the top of the function.
+Hoist the resolution of cp as well, as an input to the
+computation of key.
+This will be required by a subsequent patch.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20220501055028.646596-14-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180427173611.10281-2-peter.maydell@linaro.org
 ---
- hw/usb/tusb6010.c | 40 ++++++++++++++++++++++++++++++++++++----
+ target/arm/helper.c | 49 +++++++++++++++++++++++++--------------------
-file changed, 36 insertions(+), 4 deletions(-)
+file changed, 27 insertions(+), 22 deletions(-)
-diff --git a/hw/usb/tusb6010.c b/hw/usb/tusb6010.c
+diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/usb/tusb6010.c
+--- a/target/arm/helper.c
-+++ b/hw/usb/tusb6010.c
++++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static void tusb_async_writew(void *opaque, hwaddr addr,
+@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
-     }
+     ARMCPRegInfo *r2;
- }
+     int is64 = (r->type & ARM_CP_64BIT) ? 1 : 0;
+     int ns = (secstate & ARM_CP_SECSTATE_NS) ? 1 : 0;
-+static uint64_t tusb_async_readfn(void *opaque, hwaddr addr, unsigned size)
++    int cp = r->cp;
-+{
+     size_t name_len;
-+    switch (size) {
-+    case 1:
++    switch (state) {
-+        return tusb_async_readb(opaque, addr);
++    case ARM_CP_STATE_AA32:
-+    case 2:
++        /* We assume it is a cp15 register if the .cp field is left unset. */
-+        return tusb_async_readh(opaque, addr);
++        if (cp == 0 && r->state == ARM_CP_STATE_BOTH) {
-+    case 4:
++            cp = 15;
-+        return tusb_async_readw(opaque, addr);
++        }
-+    default:
++        key = ENCODE_CP_REG(cp, is64, ns, r->crn, crm, opc1, opc2);
 +        g_assert_not_reached();
 +    }
 +}
 +
 +static void tusb_async_writefn(void *opaque, hwaddr addr,
 +                               uint64_t value, unsigned size)
 +{
 +    switch (size) {
 +    case 1:
 +        tusb_async_writeb(opaque, addr, value);
 +        break;
-+    case 2:
++    case ARM_CP_STATE_AA64:
-+        tusb_async_writeh(opaque, addr, value);
++        /*
-+        break;
++         * To allow abbreviation of ARMCPRegInfo definitions, we treat
-+    case 4:
++         * cp == 0 as equivalent to the value for "standard guest-visible
-+        tusb_async_writew(opaque, addr, value);
++         * sysreg".  STATE_BOTH definitions are also always "standard sysreg"
 +         * in their AArch64 view (the .cp value may be non-zero for the
 +         * benefit of the AArch32 view).
 +         */
 +        if (cp == 0 || r->state == ARM_CP_STATE_BOTH) {
 +            cp = CP_REG_ARM64_SYSREG_CP;
 +        }
 +        key = ENCODE_AA64_CP_REG(cp, r->crn, crm, r->opc0, opc1, opc2);
 +        break;
 +    default:
 +        g_assert_not_reached();
 +    }
-+}
 +
- static const MemoryRegionOps tusb_async_ops = {
+     /* Combine cpreg and name into one allocation. */
--    .old_mmio = {
+     name_len = strlen(name) + 1;
--        .read = { tusb_async_readb, tusb_async_readh, tusb_async_readw, },
+     r2 = g_malloc(sizeof(*r2) + name_len);
--        .write =  { tusb_async_writeb, tusb_async_writeh, tusb_async_writew, },
+@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
--    },
+         }
-+    .read = tusb_async_readfn,
-+    .write = tusb_async_writefn,
+         if (r->state == ARM_CP_STATE_BOTH) {
-+    .valid.min_access_size = 1,
+-            /* We assume it is a cp15 register if the .cp field is left unset.
-+    .valid.max_access_size = 4,
+-             */
-     .endianness = DEVICE_NATIVE_ENDIAN,
+-            if (r2->cp == 0) {
- };
+-                r2->cp = 15;
+-            }
 -
  #if HOST_BIG_ENDIAN
              if (r2->fieldoffset) {
                  r2->fieldoffset += sizeof(uint32_t);
@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
  #endif
          }
      }
 -    if (state == ARM_CP_STATE_AA64) {
 -        /* To allow abbreviation of ARMCPRegInfo
 -         * definitions, we treat cp == 0 as equivalent to
 -         * the value for "standard guest-visible sysreg".
 -         * STATE_BOTH definitions are also always "standard
 -         * sysreg" in their AArch64 view (the .cp value may
 -         * be non-zero for the benefit of the AArch32 view).
 -         */
 -        if (r->cp == 0 || r->state == ARM_CP_STATE_BOTH) {
 -            r2->cp = CP_REG_ARM64_SYSREG_CP;
 -        }
 -        key = ENCODE_AA64_CP_REG(r2->cp, r2->crn, crm,
 -                                 r2->opc0, opc1, opc2);
 -    } else {
 -        key = ENCODE_CP_REG(r2->cp, is64, ns, r2->crn, crm, opc1, opc2);
 -    }
      if (opaque) {
          r2->opaque = opaque;
      }
@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
      /* Make sure reginfo passed to helpers for wildcarded regs
       * has the correct crm/opc1/opc2 for this reg, not CP_ANY:
       */
 +    r2->cp = cp;
      r2->crm = crm;
      r2->opc1 = opc1;
      r2->opc2 = opc2;
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 01/24] hw/arm/virt: Add linux, pci-domain property
+[PULL 15/23] target/arm: Consolidate cpreg updates in add_cpreg_to_hashtable
-From: Jan Kiszka <jan.kiszka@siemens.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-This allows to pin the host controller in the Linux PCI domain space.
+Put most of the value writeback to the same place,
-Linux requires that property to be available consistently or not at all,
+and improve the comment that goes with them.
 in which case the domain number becomes unstable on additions/removals.
 Adding it here won't make a difference in practice for most setups as we
 only expose one controller.
-However, enabling Jailhouse on top may introduce another controller, and
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 that one would like to have stable address as well. So the property is
 needed for the first controller as well.
 Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
 Message-id: 3301c5bc-7b47-1b0e-8ce4-30435057a276@web.de
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20220501055028.646596-15-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/virt.c | 1 +
+ target/arm/helper.c | 28 ++++++++++++----------------
-file changed, 1 insertion(+)
+file changed, 12 insertions(+), 16 deletions(-)
-diff --git a/hw/arm/virt.c b/hw/arm/virt.c
+diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/virt.c
+--- a/target/arm/helper.c
-+++ b/hw/arm/virt.c
++++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static void create_pcie(const VirtMachineState *vms, qemu_irq *pic)
+@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
-     qemu_fdt_setprop_string(vms->fdt, nodename, "device_type", "pci");
+     *r2 = *r;
-     qemu_fdt_setprop_cell(vms->fdt, nodename, "#address-cells", 3);
+     r2->name = memcpy(r2 + 1, name, name_len);
-     qemu_fdt_setprop_cell(vms->fdt, nodename, "#size-cells", 2);
-+    qemu_fdt_setprop_cell(vms->fdt, nodename, "linux,pci-domain", 0);
+-    /* Reset the secure state to the specific incoming state.  This is
-     qemu_fdt_setprop_cells(vms->fdt, nodename, "bus-range", 0,
+-     * necessary as the register may have been defined with both states.
-                            nr_pcie_buses - 1);
++    /*
-     qemu_fdt_setprop(vms->fdt, nodename, "dma-coherent", NULL, 0);
++     * Update fields to match the instantiation, overwiting wildcards
 +     * such as CP_ANY, ARM_CP_STATE_BOTH, or ARM_CP_SECSTATE_BOTH.
       */
 +    r2->cp = cp;
 +    r2->crm = crm;
 +    r2->opc1 = opc1;
 +    r2->opc2 = opc2;
 +    r2->state = state;
      r2->secure = secstate;
 +    if (opaque) {
 +        r2->opaque = opaque;
 +    }
      if (r->bank_fieldoffsets[0] && r->bank_fieldoffsets[1]) {
          /* Register is banked (using both entries in array).
@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
  #endif
          }
      }
 -    if (opaque) {
 -        r2->opaque = opaque;
 -    }
 -    /* reginfo passed to helpers is correct for the actual access,
 -     * and is never ARM_CP_STATE_BOTH:
 -     */
 -    r2->state = state;
 -    /* Make sure reginfo passed to helpers for wildcarded regs
 -     * has the correct crm/opc1/opc2 for this reg, not CP_ANY:
 -     */
 -    r2->cp = cp;
 -    r2->crm = crm;
 -    r2->opc1 = opc1;
 -    r2->opc2 = opc2;
 +
      /* By convention, for wildcarded registers only the first
       * entry is used for migration; the others are marked as
       * ALIAS so we don't try to transfer the register
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 08/24] target/arm: Tidy condition in disas_simd_two_reg_misc
+[PULL 16/23] target/arm: Use bool for is64 and ns in add_cpreg_to_hashtable
 From: Richard Henderson <richard.henderson@linaro.org>
-Path analysis shows that size == 3 && !is_q has been eliminated.
+Bool is a more appropriate type for these variables.
-Fixes: Coverity CID1385853
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20180501180455.11214-3-richard.henderson@linaro.org
+Message-id: 20220501055028.646596-16-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/translate-a64.c | 6 +++++-
+ target/arm/helper.c | 4 ++--
-file changed, 5 insertions(+), 1 deletion(-)
+file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
+diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-a64.c
+--- a/target/arm/helper.c
-+++ b/target/arm/translate-a64.c
++++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static void disas_simd_two_reg_misc(DisasContext *s, uint32_t insn)
+@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
-         /* All 64-bit element operations can be shared with scalar 2misc */
+      */
-         int pass;
+     uint32_t key;
+     ARMCPRegInfo *r2;
--        for (pass = 0; pass < (is_q ? 2 : 1); pass++) {
+-    int is64 = (r->type & ARM_CP_64BIT) ? 1 : 0;
-+        /* Coverity claims (size == 3 && !is_q) has been eliminated
+-    int ns = (secstate & ARM_CP_SECSTATE_NS) ? 1 : 0;
-+         * from all paths leading to here.
++    bool is64 = r->type & ARM_CP_64BIT;
-+         */
++    bool ns = secstate & ARM_CP_SECSTATE_NS;
-+        tcg_debug_assert(is_q);
+     int cp = r->cp;
-+        for (pass = 0; pass < 2; pass++) {
+     size_t name_len;
              TCGv_i64 tcg_op = tcg_temp_new_i64();
              TCGv_i64 tcg_res = tcg_temp_new_i64();
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 24/24] hw/arm/virt: Introduce the iommu option
+[PULL 17/23] target/arm: Hoist isbanked computation in add_cpreg_to_hashtable
-From: Eric Auger <eric.auger@redhat.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-ARM virt machine now exposes a new "iommu" option.
+Computing isbanked only once makes the code
-The SMMUv3 IOMMU is instantiated using -machine virt,iommu=smmuv3.
+a bit easier to read.
-Signed-off-by: Eric Auger <eric.auger@redhat.com>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Signed-off-by: Prem Mallappa <prem.mallappa@broadcom.com>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 1524665762-31355-15-git-send-email-eric.auger@redhat.com
+Message-id: 20220501055028.646596-17-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/virt.c | 36 ++++++++++++++++++++++++++++++++++++
+ target/arm/helper.c | 6 ++++--
-file changed, 36 insertions(+)
+file changed, 4 insertions(+), 2 deletions(-)
-diff --git a/hw/arm/virt.c b/hw/arm/virt.c
+diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/virt.c
+--- a/target/arm/helper.c
-+++ b/hw/arm/virt.c
++++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static void virt_set_gic_version(Object *obj, const char *value, Error **errp)
+@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
      bool is64 = r->type & ARM_CP_64BIT;
      bool ns = secstate & ARM_CP_SECSTATE_NS;
      int cp = r->cp;
 +    bool isbanked;
      size_t name_len;
      switch (state) {
@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
          r2->opaque = opaque;
      }
- }
+-    if (r->bank_fieldoffsets[0] && r->bank_fieldoffsets[1]) {
-+static char *virt_get_iommu(Object *obj, Error **errp)
++    isbanked = r->bank_fieldoffsets[0] && r->bank_fieldoffsets[1];
-+{
++    if (isbanked) {
-+    VirtMachineState *vms = VIRT_MACHINE(obj);
+         /* Register is banked (using both entries in array).
-+
+          * Overwriting fieldoffset as the array is only used to define
-+    switch (vms->iommu) {
+          * banked registers but later only fieldoffset is used.
-+    case VIRT_IOMMU_NONE:
+@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
 +        return g_strdup("none");
 +    case VIRT_IOMMU_SMMUV3:
 +        return g_strdup("smmuv3");
 +    default:
 +        g_assert_not_reached();
 +    }
 +}
 +
 +static void virt_set_iommu(Object *obj, const char *value, Error **errp)
 +{
 +    VirtMachineState *vms = VIRT_MACHINE(obj);
 +
 +    if (!strcmp(value, "smmuv3")) {
 +        vms->iommu = VIRT_IOMMU_SMMUV3;
 +    } else if (!strcmp(value, "none")) {
 +        vms->iommu = VIRT_IOMMU_NONE;
 +    } else {
 +        error_setg(errp, "Invalid iommu value");
 +        error_append_hint(errp, "Valid values are none, smmuv3.\n");
 +    }
 +}
 +
  static CpuInstanceProperties
  virt_cpu_index_to_props(MachineState *ms, unsigned cpu_index)
  {
@@ -XXX,XX +XXX,XX @@ static void virt_2_12_instance_init(Object *obj)
                                          NULL);
      }
-+    /* Default disallows iommu instantiation */
+     if (state == ARM_CP_STATE_AA32) {
-+    vms->iommu = VIRT_IOMMU_NONE;
+-        if (r->bank_fieldoffsets[0] && r->bank_fieldoffsets[1]) {
-+    object_property_add_str(obj, "iommu", virt_get_iommu, virt_set_iommu, NULL);
++        if (isbanked) {
-+    object_property_set_description(obj, "iommu",
+             /* If the register is banked then we don't need to migrate or
-+                                    "Set the IOMMU type. "
+              * reset the 32-bit instance in certain cases:
-+                                    "Valid values are none and smmuv3",
+              *
 +                                    NULL);
 +
      vms->memmap = a15memmap;
      vms->irqmap = a15irqmap;
  }
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 22/24] hw/arm/virt: Add SMMUv3 to the virt board
+[PULL 18/23] target/arm: Perform override check early in add_cpreg_to_hashtable
-From: Prem Mallappa <prem.mallappa@broadcom.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-Add code to instantiate an smmuv3 in virt machine. A new iommu
+Perform the override check early, so that it is still done
-integer member is introduced in VirtMachineState to store the type
+even when we decide to discard an unreachable cpreg.
 of the iommu in use.
-Signed-off-by: Prem Mallappa <prem.mallappa@broadcom.com>
+Use assert not printf+abort.
-Signed-off-by: Eric Auger <eric.auger@redhat.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 1524665762-31355-13-git-send-email-eric.auger@redhat.com
+Message-id: 20220501055028.646596-18-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- include/hw/arm/virt.h | 10 +++++++
+ target/arm/helper.c | 22 ++++++++--------------
- hw/arm/virt.c         | 64 ++++++++++++++++++++++++++++++++++++++++++-
+file changed, 8 insertions(+), 14 deletions(-)
 files changed, 73 insertions(+), 1 deletion(-)
-diff --git a/include/hw/arm/virt.h b/include/hw/arm/virt.h
+diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/virt.h
+--- a/target/arm/helper.c
-+++ b/include/hw/arm/virt.h
++++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
+         g_assert_not_reached();
- #define NUM_GICV2M_SPIS       64
+     }
- #define NUM_VIRTIO_TRANSPORTS 32
-+#define NUM_SMMU_IRQS          4
++    /* Overriding of an existing definition must be explicitly requested. */
++    if (!(r->type & ARM_CP_OVERRIDE)) {
- #define ARCH_GICV3_MAINT_IRQ  9
++        const ARMCPRegInfo *oldreg = get_arm_cp_reginfo(cpu->cp_regs, key);
++        if (oldreg) {
-@@ -XXX,XX +XXX,XX @@ enum {
++            assert(oldreg->type & ARM_CP_OVERRIDE);
-     VIRT_GIC_V2M,
++        }
      VIRT_GIC_ITS,
      VIRT_GIC_REDIST,
 +    VIRT_SMMU,
      VIRT_UART,
      VIRT_MMIO,
      VIRT_RTC,
@@ -XXX,XX +XXX,XX @@ enum {
      VIRT_SECURE_MEM,
  };
 +typedef enum VirtIOMMUType {
 +    VIRT_IOMMU_NONE,
 +    VIRT_IOMMU_SMMUV3,
 +    VIRT_IOMMU_VIRTIO,
 +} VirtIOMMUType;
 +
  typedef struct MemMapEntry {
      hwaddr base;
      hwaddr size;
@@ -XXX,XX +XXX,XX @@ typedef struct {
      bool its;
      bool virt;
      int32_t gic_version;
 +    VirtIOMMUType iommu;
      struct arm_boot_info bootinfo;
      const MemMapEntry *memmap;
      const int *irqmap;
@@ -XXX,XX +XXX,XX @@ typedef struct {
      uint32_t clock_phandle;
      uint32_t gic_phandle;
      uint32_t msi_phandle;
 +    uint32_t iommu_phandle;
      int psci_conduit;
  } VirtMachineState;
 diff --git a/hw/arm/virt.c b/hw/arm/virt.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/virt.c
 +++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@
  #include "hw/smbios/smbios.h"
  #include "qapi/visitor.h"
  #include "standard-headers/linux/input.h"
 +#include "hw/arm/smmuv3.h"
  #define DEFINE_VIRT_MACHINE_LATEST(major, minor, latest) \
      static void virt_##major##_##minor##_class_init(ObjectClass *oc, \
@@ -XXX,XX +XXX,XX @@ static const MemMapEntry a15memmap[] = {
      [VIRT_FW_CFG] =             { 0x09020000, 0x00000018 },
      [VIRT_GPIO] =               { 0x09030000, 0x00001000 },
      [VIRT_SECURE_UART] =        { 0x09040000, 0x00001000 },
 +    [VIRT_SMMU] =               { 0x09050000, 0x00020000 },
      [VIRT_MMIO] =               { 0x0a000000, 0x00000200 },
      /* ...repeating for a total of NUM_VIRTIO_TRANSPORTS, each of that size */
      [VIRT_PLATFORM_BUS] =       { 0x0c000000, 0x02000000 },
@@ -XXX,XX +XXX,XX @@ static const int a15irqmap[] = {
      [VIRT_SECURE_UART] = 8,
      [VIRT_MMIO] = 16, /* ...to 16 + NUM_VIRTIO_TRANSPORTS - 1 */
      [VIRT_GIC_V2M] = 48, /* ...to 48 + NUM_GICV2M_SPIS - 1 */
 +    [VIRT_SMMU] = 74,    /* ...to 74 + NUM_SMMU_IRQS - 1 */
      [VIRT_PLATFORM_BUS] = 112, /* ...to 112 + PLATFORM_BUS_NUM_IRQS -1 */
  };
@@ -XXX,XX +XXX,XX @@ static void create_pcie_irq_map(const VirtMachineState *vms,
 x7           /* PCI irq */);
  }
 -static void create_pcie(const VirtMachineState *vms, qemu_irq *pic)
 +static void create_smmu(const VirtMachineState *vms, qemu_irq *pic,
 +                        PCIBus *bus)
 +{
 +    char *node;
 +    const char compat[] = "arm,smmu-v3";
 +    int irq =  vms->irqmap[VIRT_SMMU];
 +    int i;
 +    hwaddr base = vms->memmap[VIRT_SMMU].base;
 +    hwaddr size = vms->memmap[VIRT_SMMU].size;
 +    const char irq_names[] = "eventq\0priq\0cmdq-sync\0gerror";
 +    DeviceState *dev;
 +
 +    if (vms->iommu != VIRT_IOMMU_SMMUV3 || !vms->iommu_phandle) {
 +        return;
 +    }
 +
-+    dev = qdev_create(NULL, "arm-smmuv3");
+     /* Combine cpreg and name into one allocation. */
-+
+     name_len = strlen(name) + 1;
-+    object_property_set_link(OBJECT(dev), OBJECT(bus), "primary-bus",
+     r2 = g_malloc(sizeof(*r2) + name_len);
-+                             &error_abort);
+@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
-+    qdev_init_nofail(dev);
+         assert(!raw_accessors_invalid(r2));
-+    sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, base);
+     }
-+    for (i = 0; i < NUM_SMMU_IRQS; i++) {
-+        sysbus_connect_irq(SYS_BUS_DEVICE(dev), i, pic[irq + i]);
+-    /* Overriding of an existing definition must be explicitly
-+    }
+-     * requested.
-+
+-     */
-+    node = g_strdup_printf("/smmuv3@%" PRIx64, base);
+-    if (!(r->type & ARM_CP_OVERRIDE)) {
-+    qemu_fdt_add_subnode(vms->fdt, node);
+-        const ARMCPRegInfo *oldreg = get_arm_cp_reginfo(cpu->cp_regs, key);
-+    qemu_fdt_setprop(vms->fdt, node, "compatible", compat, sizeof(compat));
+-        if (oldreg && !(oldreg->type & ARM_CP_OVERRIDE)) {
-+    qemu_fdt_setprop_sized_cells(vms->fdt, node, "reg", 2, base, 2, size);
+-            fprintf(stderr, "Register redefined: cp=%d %d bit "
-+
+-                    "crn=%d crm=%d opc1=%d opc2=%d, "
-+    qemu_fdt_setprop_cells(vms->fdt, node, "interrupts",
+-                    "was %s, now %s\n", r2->cp, 32 + 32 * is64,
-+            GIC_FDT_IRQ_TYPE_SPI, irq    , GIC_FDT_IRQ_FLAGS_EDGE_LO_HI,
+-                    r2->crn, r2->crm, r2->opc1, r2->opc2,
-+            GIC_FDT_IRQ_TYPE_SPI, irq + 1, GIC_FDT_IRQ_FLAGS_EDGE_LO_HI,
+-                    oldreg->name, r2->name);
-+            GIC_FDT_IRQ_TYPE_SPI, irq + 2, GIC_FDT_IRQ_FLAGS_EDGE_LO_HI,
+-            g_assert_not_reached();
-+            GIC_FDT_IRQ_TYPE_SPI, irq + 3, GIC_FDT_IRQ_FLAGS_EDGE_LO_HI);
+-        }
-+
+-    }
-+    qemu_fdt_setprop(vms->fdt, node, "interrupt-names", irq_names,
+     g_hash_table_insert(cpu->cp_regs, (gpointer)(uintptr_t)key, r2);
 +                     sizeof(irq_names));
 +
 +    qemu_fdt_setprop_cell(vms->fdt, node, "clocks", vms->clock_phandle);
 +    qemu_fdt_setprop_string(vms->fdt, node, "clock-names", "apb_pclk");
 +    qemu_fdt_setprop(vms->fdt, node, "dma-coherent", NULL, 0);
 +
 +    qemu_fdt_setprop_cell(vms->fdt, node, "#iommu-cells", 1);
 +
 +    qemu_fdt_setprop_cell(vms->fdt, node, "phandle", vms->iommu_phandle);
 +    g_free(node);
 +}
 +
 +static void create_pcie(VirtMachineState *vms, qemu_irq *pic)
  {
      hwaddr base_mmio = vms->memmap[VIRT_PCIE_MMIO].base;
      hwaddr size_mmio = vms->memmap[VIRT_PCIE_MMIO].size;
@@ -XXX,XX +XXX,XX @@ static void create_pcie(const VirtMachineState *vms, qemu_irq *pic)
      qemu_fdt_setprop_cell(vms->fdt, nodename, "#interrupt-cells", 1);
      create_pcie_irq_map(vms, vms->gic_phandle, irq, nodename);
 +    if (vms->iommu) {
 +        vms->iommu_phandle = qemu_fdt_alloc_phandle(vms->fdt);
 +
 +        create_smmu(vms, pic, pci->bus);
 +
 +        qemu_fdt_setprop_cells(vms->fdt, nodename, "iommu-map",
 +                               0x0, vms->iommu_phandle, 0x0, 0x10000);
 +    }
 +
      g_free(nodename);
  }
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 18/24] hw/arm/smmuv3: Event queue recording helper
+[PULL 19/23] target/arm: Reformat comments in add_cpreg_to_hashtable
-From: Eric Auger <eric.auger@redhat.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-Let's introduce a helper function aiming at recording an
+Put the block comments into the current coding style.
 event in the event queue.
-Signed-off-by: Eric Auger <eric.auger@redhat.com>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 1524665762-31355-9-git-send-email-eric.auger@redhat.com
+Message-id: 20220501055028.646596-19-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/smmuv3-internal.h | 148 ++++++++++++++++++++++++++++++++++++++-
+ target/arm/helper.c | 24 +++++++++++++++---------
- hw/arm/smmuv3.c          | 108 ++++++++++++++++++++++++++--
+file changed, 15 insertions(+), 9 deletions(-)
  hw/arm/trace-events      |   1 +
 files changed, 249 insertions(+), 8 deletions(-)
-diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h
+diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmuv3-internal.h
+--- a/target/arm/helper.c
-+++ b/hw/arm/smmuv3-internal.h
++++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static inline void smmu_write_cmdq_err(SMMUv3State *s, uint32_t err_type)
+@@ -XXX,XX +XXX,XX @@ CpuDefinitionInfoList *qmp_query_cpu_definitions(Error **errp)
-     s->cmdq.cons = FIELD_DP32(s->cmdq.cons, CMDQ_CONS, ERR, err_type);
+     return cpu_list;
  }
--void smmuv3_write_eventq(SMMUv3State *s, Evt *evt);
++/*
--
++ * Private utility function for define_one_arm_cp_reg_with_opaque():
- /* Commands */
++ * add a single reginfo struct to the hash table.
++ */
- typedef enum SMMUCommandType {
+ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
-@@ -XXX,XX +XXX,XX @@ enum { /* Command completion notification */
+                                    void *opaque, CPState state,
+                                    CPSecureState secstate,
- #define SMMU_FEATURE_2LVL_STE (1 << 0)
+                                    int crm, int opc1, int opc2,
+                                    const char *name)
 +/* Events */
 +
 +typedef enum SMMUEventType {
 +    SMMU_EVT_OK                 = 0x00,
 +    SMMU_EVT_F_UUT                    ,
 +    SMMU_EVT_C_BAD_STREAMID           ,
 +    SMMU_EVT_F_STE_FETCH              ,
 +    SMMU_EVT_C_BAD_STE                ,
 +    SMMU_EVT_F_BAD_ATS_TREQ           ,
 +    SMMU_EVT_F_STREAM_DISABLED        ,
 +    SMMU_EVT_F_TRANS_FORBIDDEN        ,
 +    SMMU_EVT_C_BAD_SUBSTREAMID        ,
 +    SMMU_EVT_F_CD_FETCH               ,
 +    SMMU_EVT_C_BAD_CD                 ,
 +    SMMU_EVT_F_WALK_EABT              ,
 +    SMMU_EVT_F_TRANSLATION      = 0x10,
 +    SMMU_EVT_F_ADDR_SIZE              ,
 +    SMMU_EVT_F_ACCESS                 ,
 +    SMMU_EVT_F_PERMISSION             ,
 +    SMMU_EVT_F_TLB_CONFLICT     = 0x20,
 +    SMMU_EVT_F_CFG_CONFLICT           ,
 +    SMMU_EVT_E_PAGE_REQ         = 0x24,
 +} SMMUEventType;
 +
 +static const char *event_stringify[] = {
 +    [SMMU_EVT_OK]                       = "SMMU_EVT_OK",
 +    [SMMU_EVT_F_UUT]                    = "SMMU_EVT_F_UUT",
 +    [SMMU_EVT_C_BAD_STREAMID]           = "SMMU_EVT_C_BAD_STREAMID",
 +    [SMMU_EVT_F_STE_FETCH]              = "SMMU_EVT_F_STE_FETCH",
 +    [SMMU_EVT_C_BAD_STE]                = "SMMU_EVT_C_BAD_STE",
 +    [SMMU_EVT_F_BAD_ATS_TREQ]           = "SMMU_EVT_F_BAD_ATS_TREQ",
 +    [SMMU_EVT_F_STREAM_DISABLED]        = "SMMU_EVT_F_STREAM_DISABLED",
 +    [SMMU_EVT_F_TRANS_FORBIDDEN]        = "SMMU_EVT_F_TRANS_FORBIDDEN",
 +    [SMMU_EVT_C_BAD_SUBSTREAMID]        = "SMMU_EVT_C_BAD_SUBSTREAMID",
 +    [SMMU_EVT_F_CD_FETCH]               = "SMMU_EVT_F_CD_FETCH",
 +    [SMMU_EVT_C_BAD_CD]                 = "SMMU_EVT_C_BAD_CD",
 +    [SMMU_EVT_F_WALK_EABT]              = "SMMU_EVT_F_WALK_EABT",
 +    [SMMU_EVT_F_TRANSLATION]            = "SMMU_EVT_F_TRANSLATION",
 +    [SMMU_EVT_F_ADDR_SIZE]              = "SMMU_EVT_F_ADDR_SIZE",
 +    [SMMU_EVT_F_ACCESS]                 = "SMMU_EVT_F_ACCESS",
 +    [SMMU_EVT_F_PERMISSION]             = "SMMU_EVT_F_PERMISSION",
 +    [SMMU_EVT_F_TLB_CONFLICT]           = "SMMU_EVT_F_TLB_CONFLICT",
 +    [SMMU_EVT_F_CFG_CONFLICT]           = "SMMU_EVT_F_CFG_CONFLICT",
 +    [SMMU_EVT_E_PAGE_REQ]               = "SMMU_EVT_E_PAGE_REQ",
 +};
 +
 +static inline const char *smmu_event_string(SMMUEventType type)
 +{
 +    if (type < ARRAY_SIZE(event_stringify)) {
 +        return event_stringify[type] ? event_stringify[type] : "UNKNOWN";
 +    } else {
 +        return "INVALID";
 +    }
 +}
 +
 +/*  Encode an event record */
 +typedef struct SMMUEventInfo {
 +    SMMUEventType type;
 +    uint32_t sid;
 +    bool recorded;
 +    bool record_trans_faults;
 +    union {
 +        struct {
 +            uint32_t ssid;
 +            bool ssv;
 +            dma_addr_t addr;
 +            bool rnw;
 +            bool pnu;
 +            bool ind;
 +       } f_uut;
 +       struct SSIDInfo {
 +            uint32_t ssid;
 +            bool ssv;
 +       } c_bad_streamid;
 +       struct SSIDAddrInfo {
 +            uint32_t ssid;
 +            bool ssv;
 +            dma_addr_t addr;
 +       } f_ste_fetch;
 +       struct SSIDInfo c_bad_ste;
 +       struct {
 +            dma_addr_t addr;
 +            bool rnw;
 +       } f_transl_forbidden;
 +       struct {
 +            uint32_t ssid;
 +       } c_bad_substream;
 +       struct SSIDAddrInfo f_cd_fetch;
 +       struct SSIDInfo c_bad_cd;
 +       struct FullInfo {
 +            bool stall;
 +            uint16_t stag;
 +            uint32_t ssid;
 +            bool ssv;
 +            bool s2;
 +            dma_addr_t addr;
 +            bool rnw;
 +            bool pnu;
 +            bool ind;
 +            uint8_t class;
 +            dma_addr_t addr2;
 +       } f_walk_eabt;
 +       struct FullInfo f_translation;
 +       struct FullInfo f_addr_size;
 +       struct FullInfo f_access;
 +       struct FullInfo f_permission;
 +       struct SSIDInfo f_cfg_conflict;
 +       /**
 +        * not supported yet:
 +        * F_BAD_ATS_TREQ
 +        * F_BAD_ATS_TREQ
 +        * F_TLB_CONFLICT
 +        * E_PAGE_REQUEST
 +        * IMPDEF_EVENTn
 +        */
 +    } u;
 +} SMMUEventInfo;
 +
 +/* EVTQ fields */
 +
 +#define EVT_Q_OVERFLOW        (1 << 31)
 +
 +#define EVT_SET_TYPE(x, v)              deposit32((x)->word[0], 0 , 8 , v)
 +#define EVT_SET_SSV(x, v)               deposit32((x)->word[0], 11, 1 , v)
 +#define EVT_SET_SSID(x, v)              deposit32((x)->word[0], 12, 20, v)
 +#define EVT_SET_SID(x, v)               ((x)->word[1] = v)
 +#define EVT_SET_STAG(x, v)              deposit32((x)->word[2], 0 , 16, v)
 +#define EVT_SET_STALL(x, v)             deposit32((x)->word[2], 31, 1 , v)
 +#define EVT_SET_PNU(x, v)               deposit32((x)->word[3], 1 , 1 , v)
 +#define EVT_SET_IND(x, v)               deposit32((x)->word[3], 2 , 1 , v)
 +#define EVT_SET_RNW(x, v)               deposit32((x)->word[3], 3 , 1 , v)
 +#define EVT_SET_S2(x, v)                deposit32((x)->word[3], 7 , 1 , v)
 +#define EVT_SET_CLASS(x, v)             deposit32((x)->word[3], 8 , 2 , v)
 +#define EVT_SET_ADDR(x, addr)                             \
 +    do {                                                  \
 +            (x)->word[5] = (uint32_t)(addr >> 32);        \
 +            (x)->word[4] = (uint32_t)(addr & 0xffffffff); \
 +    } while (0)
 +#define EVT_SET_ADDR2(x, addr)                            \
 +    do {                                                  \
 +            deposit32((x)->word[7], 3, 29, addr >> 16);   \
 +            deposit32((x)->word[7], 0, 16, addr & 0xffff);\
 +    } while (0)
 +
 +void smmuv3_record_event(SMMUv3State *s, SMMUEventInfo *event);
 +
  #endif
 diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/smmuv3.c
 +++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@ static MemTxResult queue_write(SMMUQueue *q, void *data)
      return MEMTX_OK;
  }
 -void smmuv3_write_eventq(SMMUv3State *s, Evt *evt)
 +static MemTxResult smmuv3_write_eventq(SMMUv3State *s, Evt *evt)
  {
-     SMMUQueue *q = &s->eventq;
+-    /* Private utility function for define_one_arm_cp_reg_with_opaque():
-+    MemTxResult r;
+-     * add a single reginfo struct to the hash table.
-+
+-     */
-+    if (!smmuv3_eventq_enabled(s)) {
+     uint32_t key;
-+        return MEMTX_ERROR;
+     ARMCPRegInfo *r2;
-+    }
+     bool is64 = r->type & ARM_CP_64BIT;
-+
+@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
-+    if (smmuv3_q_full(q)) {
-+        return MEMTX_ERROR;
+     isbanked = r->bank_fieldoffsets[0] && r->bank_fieldoffsets[1];
-+    }
+     if (isbanked) {
-+
+-        /* Register is banked (using both entries in array).
-+    r = queue_write(q, evt);
++        /*
-+    if (r != MEMTX_OK) {
++         * Register is banked (using both entries in array).
-+        return r;
+          * Overwriting fieldoffset as the array is only used to define
-+    }
+          * banked registers but later only fieldoffset is used.
-+
+          */
-+    if (smmuv3_q_empty(q)) {
+@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
-+        smmuv3_trigger_irq(s, SMMU_IRQ_EVTQ, 0);
-+    }
+     if (state == ARM_CP_STATE_AA32) {
-+    return MEMTX_OK;
+         if (isbanked) {
-+}
+-            /* If the register is banked then we don't need to migrate or
-+
++            /*
-+void smmuv3_record_event(SMMUv3State *s, SMMUEventInfo *info)
++             * If the register is banked then we don't need to migrate or
-+{
+              * reset the 32-bit instance in certain cases:
-+    Evt evt;
+              *
-+    MemTxResult r;
+              * 1) If the register has both 32-bit and 64-bit instances then we
+@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
-     if (!smmuv3_eventq_enabled(s)) {
+                 r2->type |= ARM_CP_ALIAS;
-         return;
+             }
          } else if ((secstate != r->secure) && !ns) {
 -            /* The register is not banked so we only want to allow migration of
 -             * the non-secure instance.
 +            /*
 +             * The register is not banked so we only want to allow migration
 +             * of the non-secure instance.
               */
              r2->type |= ARM_CP_ALIAS;
          }
@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
          }
      }
--    if (smmuv3_q_full(q)) {
+-    /* By convention, for wildcarded registers only the first
-+    EVT_SET_TYPE(&evt, info->type);
++    /*
-+    EVT_SET_SID(&evt, info->sid);
++     * By convention, for wildcarded registers only the first
-+
+      * entry is used for migration; the others are marked as
-+    switch (info->type) {
+      * ALIAS so we don't try to transfer the register
-+    case SMMU_EVT_OK:
+      * multiple times. Special registers (ie NOP/WFI) are
-         return;
+@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
-+    case SMMU_EVT_F_UUT:
+         r2->type |= ARM_CP_ALIAS | ARM_CP_NO_GDB;
 +        EVT_SET_SSID(&evt, info->u.f_uut.ssid);
 +        EVT_SET_SSV(&evt,  info->u.f_uut.ssv);
 +        EVT_SET_ADDR(&evt, info->u.f_uut.addr);
 +        EVT_SET_RNW(&evt,  info->u.f_uut.rnw);
 +        EVT_SET_PNU(&evt,  info->u.f_uut.pnu);
 +        EVT_SET_IND(&evt,  info->u.f_uut.ind);
 +        break;
 +    case SMMU_EVT_C_BAD_STREAMID:
 +        EVT_SET_SSID(&evt, info->u.c_bad_streamid.ssid);
 +        EVT_SET_SSV(&evt,  info->u.c_bad_streamid.ssv);
 +        break;
 +    case SMMU_EVT_F_STE_FETCH:
 +        EVT_SET_SSID(&evt, info->u.f_ste_fetch.ssid);
 +        EVT_SET_SSV(&evt,  info->u.f_ste_fetch.ssv);
 +        EVT_SET_ADDR(&evt, info->u.f_ste_fetch.addr);
 +        break;
 +    case SMMU_EVT_C_BAD_STE:
 +        EVT_SET_SSID(&evt, info->u.c_bad_ste.ssid);
 +        EVT_SET_SSV(&evt,  info->u.c_bad_ste.ssv);
 +        break;
 +    case SMMU_EVT_F_STREAM_DISABLED:
 +        break;
 +    case SMMU_EVT_F_TRANS_FORBIDDEN:
 +        EVT_SET_ADDR(&evt, info->u.f_transl_forbidden.addr);
 +        EVT_SET_RNW(&evt, info->u.f_transl_forbidden.rnw);
 +        break;
 +    case SMMU_EVT_C_BAD_SUBSTREAMID:
 +        EVT_SET_SSID(&evt, info->u.c_bad_substream.ssid);
 +        break;
 +    case SMMU_EVT_F_CD_FETCH:
 +        EVT_SET_SSID(&evt, info->u.f_cd_fetch.ssid);
 +        EVT_SET_SSV(&evt,  info->u.f_cd_fetch.ssv);
 +        EVT_SET_ADDR(&evt, info->u.f_cd_fetch.addr);
 +        break;
 +    case SMMU_EVT_C_BAD_CD:
 +        EVT_SET_SSID(&evt, info->u.c_bad_cd.ssid);
 +        EVT_SET_SSV(&evt,  info->u.c_bad_cd.ssv);
 +        break;
 +    case SMMU_EVT_F_WALK_EABT:
 +    case SMMU_EVT_F_TRANSLATION:
 +    case SMMU_EVT_F_ADDR_SIZE:
 +    case SMMU_EVT_F_ACCESS:
 +    case SMMU_EVT_F_PERMISSION:
 +        EVT_SET_STALL(&evt, info->u.f_walk_eabt.stall);
 +        EVT_SET_STAG(&evt, info->u.f_walk_eabt.stag);
 +        EVT_SET_SSID(&evt, info->u.f_walk_eabt.ssid);
 +        EVT_SET_SSV(&evt, info->u.f_walk_eabt.ssv);
 +        EVT_SET_S2(&evt, info->u.f_walk_eabt.s2);
 +        EVT_SET_ADDR(&evt, info->u.f_walk_eabt.addr);
 +        EVT_SET_RNW(&evt, info->u.f_walk_eabt.rnw);
 +        EVT_SET_PNU(&evt, info->u.f_walk_eabt.pnu);
 +        EVT_SET_IND(&evt, info->u.f_walk_eabt.ind);
 +        EVT_SET_CLASS(&evt, info->u.f_walk_eabt.class);
 +        EVT_SET_ADDR2(&evt, info->u.f_walk_eabt.addr2);
 +        break;
 +    case SMMU_EVT_F_CFG_CONFLICT:
 +        EVT_SET_SSID(&evt, info->u.f_cfg_conflict.ssid);
 +        EVT_SET_SSV(&evt,  info->u.f_cfg_conflict.ssv);
 +        break;
 +    /* rest is not implemented */
 +    case SMMU_EVT_F_BAD_ATS_TREQ:
 +    case SMMU_EVT_F_TLB_CONFLICT:
 +    case SMMU_EVT_E_PAGE_REQ:
 +    default:
 +        g_assert_not_reached();
      }
--    queue_write(q, evt);
+-    /* Check that raw accesses are either forbidden or handled. Note that
--
++    /*
--    if (smmuv3_q_empty(q)) {
++     * Check that raw accesses are either forbidden or handled. Note that
--        smmuv3_trigger_irq(s, SMMU_IRQ_EVTQ, 0);
+      * we can't assert this earlier because the setup of fieldoffset for
-+    trace_smmuv3_record_event(smmu_event_string(info->type), info->sid);
+      * banked registers has to be done first.
-+    r = smmuv3_write_eventq(s, &evt);
+      */
 +    if (r != MEMTX_OK) {
 +        smmuv3_trigger_irq(s, SMMU_IRQ_GERROR, R_GERROR_EVENTQ_ABT_ERR_MASK);
      }
 +    info->recorded = true;
  }
  static void smmuv3_init_regs(SMMUv3State *s)
 diff --git a/hw/arm/trace-events b/hw/arm/trace-events
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/trace-events
 +++ b/hw/arm/trace-events
@@ -XXX,XX +XXX,XX @@ smmuv3_write_mmio(uint64_t addr, uint64_t val, unsigned size, uint32_t r) "addr:
  smmuv3_write_mmio_idr(uint64_t addr, uint64_t val) "write to RO/Unimpl reg 0x%lx val64:0x%lx"
  smmuv3_write_mmio_evtq_cons_bef_clear(uint32_t prod, uint32_t cons, uint8_t prod_wrap, uint8_t cons_wrap) "Before clearing interrupt prod:0x%x cons:0x%x prod.w:%d cons.w:%d"
  smmuv3_write_mmio_evtq_cons_after_clear(uint32_t prod, uint32_t cons, uint8_t prod_wrap, uint8_t cons_wrap) "after clearing interrupt prod:0x%x cons:0x%x prod.w:%d cons.w:%d"
 +smmuv3_record_event(const char *type, uint32_t sid) "%s sid=%d"
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 23/24] hw/arm/virt-acpi-build: Add smmuv3 node in IORT table
+[PULL 20/23] target/arm: Remove HOST_BIG_ENDIAN ifdef in add_cpreg_to_hashtable
-From: Prem Mallappa <prem.mallappa@broadcom.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-This patch builds the smmuv3 node in the ACPI IORT table.
+Since e03b56863d2bc, our host endian indicator is unconditionally
 set, which means that we can use a normal C condition.
-The RID space of the root complex, which spans 0x0-0x10000
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-maps to streamid space 0x0-0x10000 in smmuv3, which in turn
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-maps to deviceid space 0x0-0x10000 in the ITS group.
+Message-id: 20220501055028.646596-20-richard.henderson@linaro.org
+[PMM: quote correct git hash in commit message]
 The guest must feature the IOMMU probe deferral series
 (https://lkml.org/lkml/2017/4/10/214) which fixes streamid
 multiple lookup. This bug is not related to the SMMU emulation.
 Signed-off-by: Prem Mallappa <prem.mallappa@broadcom.com>
 Signed-off-by: Eric Auger <eric.auger@redhat.com>
 Reviewed-by: Shannon Zhao <zhaoshenglong@huawei.com>
 Message-id: 1524665762-31355-14-git-send-email-eric.auger@redhat.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- include/hw/acpi/acpi-defs.h | 15 ++++++++++
+ target/arm/helper.c | 9 +++------
- hw/arm/virt-acpi-build.c    | 55 ++++++++++++++++++++++++++++++++-----
+file changed, 3 insertions(+), 6 deletions(-)
 files changed, 63 insertions(+), 7 deletions(-)
-diff --git a/include/hw/acpi/acpi-defs.h b/include/hw/acpi/acpi-defs.h
+diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/include/hw/acpi/acpi-defs.h
+--- a/target/arm/helper.c
-+++ b/include/hw/acpi/acpi-defs.h
++++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ struct AcpiIortItsGroup {
+@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
- } QEMU_PACKED;
+             r2->type |= ARM_CP_ALIAS;
- typedef struct AcpiIortItsGroup AcpiIortItsGroup;
+         }
-+struct AcpiIortSmmu3 {
+-        if (r->state == ARM_CP_STATE_BOTH) {
-+    ACPI_IORT_NODE_HEADER_DEF
+-#if HOST_BIG_ENDIAN
-+    uint64_t base_address;
+-            if (r2->fieldoffset) {
-+    uint32_t flags;
+-                r2->fieldoffset += sizeof(uint32_t);
-+    uint32_t reserved2;
+-            }
-+    uint64_t vatos_address;
+-#endif
-+    uint32_t model;
++        if (HOST_BIG_ENDIAN &&
-+    uint32_t event_gsiv;
++            r->state == ARM_CP_STATE_BOTH && r2->fieldoffset) {
-+    uint32_t pri_gsiv;
++            r2->fieldoffset += sizeof(uint32_t);
-+    uint32_t gerr_gsiv;
+         }
 +    uint32_t sync_gsiv;
 +    AcpiIortIdMapping id_mapping_array[0];
 +} QEMU_PACKED;
 +typedef struct AcpiIortSmmu3 AcpiIortSmmu3;
 +
  struct AcpiIortRC {
      ACPI_IORT_NODE_HEADER_DEF
      AcpiIortMemoryAccess memory_properties;
 diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/virt-acpi-build.c
 +++ b/hw/arm/virt-acpi-build.c
@@ -XXX,XX +XXX,XX @@ build_rsdp(GArray *rsdp_table, BIOSLinker *linker, unsigned xsdt_tbl_offset)
  }
  static void
 -build_iort(GArray *table_data, BIOSLinker *linker)
 +build_iort(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
  {
 -    int iort_start = table_data->len;
 +    int nb_nodes, iort_start = table_data->len;
      AcpiIortIdMapping *idmap;
      AcpiIortItsGroup *its;
      AcpiIortTable *iort;
 -    size_t node_size, iort_length;
 +    AcpiIortSmmu3 *smmu;
 +    size_t node_size, iort_length, smmu_offset = 0;
      AcpiIortRC *rc;
      iort = acpi_data_push(table_data, sizeof(*iort));
 +    if (vms->iommu == VIRT_IOMMU_SMMUV3) {
 +        nb_nodes = 3; /* RC, ITS, SMMUv3 */
 +    } else {
 +        nb_nodes = 2; /* RC, ITS */
 +    }
 +
      iort_length = sizeof(*iort);
 -    iort->node_count = cpu_to_le32(2); /* RC and ITS nodes */
 +    iort->node_count = cpu_to_le32(nb_nodes);
      iort->node_offset = cpu_to_le32(sizeof(*iort));
      /* ITS group node */
@@ -XXX,XX +XXX,XX @@ build_iort(GArray *table_data, BIOSLinker *linker)
      its->its_count = cpu_to_le32(1);
      its->identifiers[0] = 0; /* MADT translation_id */
 +    if (vms->iommu == VIRT_IOMMU_SMMUV3) {
 +        int irq =  vms->irqmap[VIRT_SMMU];
 +
 +        /* SMMUv3 node */
 +        smmu_offset = iort->node_offset + node_size;
 +        node_size = sizeof(*smmu) + sizeof(*idmap);
 +        iort_length += node_size;
 +        smmu = acpi_data_push(table_data, node_size);
 +
 +        smmu->type = ACPI_IORT_NODE_SMMU_V3;
 +        smmu->length = cpu_to_le16(node_size);
 +        smmu->mapping_count = cpu_to_le32(1);
 +        smmu->mapping_offset = cpu_to_le32(sizeof(*smmu));
 +        smmu->base_address = cpu_to_le64(vms->memmap[VIRT_SMMU].base);
 +        smmu->event_gsiv = cpu_to_le32(irq);
 +        smmu->pri_gsiv = cpu_to_le32(irq + 1);
 +        smmu->gerr_gsiv = cpu_to_le32(irq + 2);
 +        smmu->sync_gsiv = cpu_to_le32(irq + 3);
 +
 +        /* Identity RID mapping covering the whole input RID range */
 +        idmap = &smmu->id_mapping_array[0];
 +        idmap->input_base = 0;
 +        idmap->id_count = cpu_to_le32(0xFFFF);
 +        idmap->output_base = 0;
 +        /* output IORT node is the ITS group node (the first node) */
 +        idmap->output_reference = cpu_to_le32(iort->node_offset);
 +    }
 +
      /* Root Complex Node */
      node_size = sizeof(*rc) + sizeof(*idmap);
      iort_length += node_size;
@@ -XXX,XX +XXX,XX @@ build_iort(GArray *table_data, BIOSLinker *linker)
      idmap->input_base = 0;
      idmap->id_count = cpu_to_le32(0xFFFF);
      idmap->output_base = 0;
 -    /* output IORT node is the ITS group node (the first node) */
 -    idmap->output_reference = cpu_to_le32(iort->node_offset);
 +
 +    if (vms->iommu == VIRT_IOMMU_SMMUV3) {
 +        /* output IORT node is the smmuv3 node */
 +        idmap->output_reference = cpu_to_le32(smmu_offset);
 +    } else {
 +        /* output IORT node is the ITS group node (the first node) */
 +        idmap->output_reference = cpu_to_le32(iort->node_offset);
 +    }
      iort->length = cpu_to_le32(iort_length);
@@ -XXX,XX +XXX,XX @@ void virt_acpi_build(VirtMachineState *vms, AcpiBuildTables *tables)
      if (its_class_name() && !vmc->no_its) {
          acpi_add_table(table_offsets, tables_blob);
 -        build_iort(tables_blob, tables->linker);
 +        build_iort(tables_blob, tables->linker, vms);
      }
-     /* XSDT is pointed to by RSDP */
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 15/24] hw/arm/smmuv3: Wired IRQ and GERROR helpers
+[PULL 21/23] target/arm: Add isar predicates for FEAT_Debugv8p2
-From: Eric Auger <eric.auger@redhat.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-We introduce some helpers to handle wired IRQs and especially
-GERROR interrupt. SMMU writes GERROR register on GERROR event
-and SW acks GERROR interrupts by setting GERRORn.
-The Wired interrupts are edge sensitive hence the pulse usage.
-Signed-off-by: Eric Auger <eric.auger@redhat.com>
-Signed-off-by: Prem Mallappa <prem.mallappa@broadcom.com>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 1524665762-31355-6-git-send-email-eric.auger@redhat.com
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20220501055028.646596-24-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/smmuv3-internal.h | 14 +++++++++
+ target/arm/cpu.h | 15 +++++++++++++++
- hw/arm/smmuv3.c          | 64 ++++++++++++++++++++++++++++++++++++++++
+file changed, 15 insertions(+)
  hw/arm/trace-events      |  3 ++
 files changed, 81 insertions(+)
-diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h
+diff --git a/target/arm/cpu.h b/target/arm/cpu.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmuv3-internal.h
+--- a/target/arm/cpu.h
-+++ b/hw/arm/smmuv3-internal.h
++++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ static inline uint32_t smmuv3_idreg(int regoffset)
+@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa32_ssbs(const ARMISARegisters *id)
-     return smmuv3_ids[regoffset / 4];
+     return FIELD_EX32(id->id_pfr2, ID_PFR2, SSBS) != 0;
  }
-+static inline bool smmuv3_eventq_irq_enabled(SMMUv3State *s)
++static inline bool isar_feature_aa32_debugv8p2(const ARMISARegisters *id)
 +{
-+    return FIELD_EX32(s->irq_ctrl, IRQ_CTRL, EVENTQ_IRQEN);
++    return FIELD_EX32(id->id_dfr0, ID_DFR0, COPDBG) >= 8;
 +}
 +
-+static inline bool smmuv3_gerror_irq_enabled(SMMUv3State *s)
+ /*
   * 64-bit feature tests via id registers.
   */
@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa64_ssbs(const ARMISARegisters *id)
      return FIELD_EX64(id->id_aa64pfr1, ID_AA64PFR1, SSBS) != 0;
  }
 +static inline bool isar_feature_aa64_debugv8p2(const ARMISARegisters *id)
 +{
-+    return FIELD_EX32(s->irq_ctrl, IRQ_CTRL, GERROR_IRQEN);
++    return FIELD_EX64(id->id_aa64dfr0, ID_AA64DFR0, DEBUGVER) >= 8;
 +}
 +
-+/* public until callers get introduced */
+ static inline bool isar_feature_aa64_sve2(const ARMISARegisters *id)
-+void smmuv3_trigger_irq(SMMUv3State *s, SMMUIrq irq, uint32_t gerror_mask);
+ {
-+void smmuv3_write_gerrorn(SMMUv3State *s, uint32_t gerrorn);
+     return FIELD_EX64(id->id_aa64zfr0, ID_AA64ZFR0, SVEVER) != 0;
-+
+@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_any_tts2uxn(const ARMISARegisters *id)
- #endif
+     return isar_feature_aa64_tts2uxn(id) || isar_feature_aa32_tts2uxn(id);
-diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
+ }
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmuv3.c
++static inline bool isar_feature_any_debugv8p2(const ARMISARegisters *id)
 +++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@
  #include "hw/arm/smmuv3.h"
  #include "smmuv3-internal.h"
 +/**
 + * smmuv3_trigger_irq - pulse @irq if enabled and update
 + * GERROR register in case of GERROR interrupt
 + *
 + * @irq: irq type
 + * @gerror_mask: mask of gerrors to toggle (relevant if @irq is GERROR)
 + */
 +void smmuv3_trigger_irq(SMMUv3State *s, SMMUIrq irq, uint32_t gerror_mask)
 +{
-+
++    return isar_feature_aa64_debugv8p2(id) || isar_feature_aa32_debugv8p2(id);
 +    bool pulse = false;
 +
 +    switch (irq) {
 +    case SMMU_IRQ_EVTQ:
 +        pulse = smmuv3_eventq_irq_enabled(s);
 +        break;
 +    case SMMU_IRQ_PRIQ:
 +        qemu_log_mask(LOG_UNIMP, "PRI not yet supported\n");
 +        break;
 +    case SMMU_IRQ_CMD_SYNC:
 +        pulse = true;
 +        break;
 +    case SMMU_IRQ_GERROR:
 +    {
 +        uint32_t pending = s->gerror ^ s->gerrorn;
 +        uint32_t new_gerrors = ~pending & gerror_mask;
 +
 +        if (!new_gerrors) {
 +            /* only toggle non pending errors */
 +            return;
 +        }
 +        s->gerror ^= new_gerrors;
 +        trace_smmuv3_write_gerror(new_gerrors, s->gerror);
 +
 +        pulse = smmuv3_gerror_irq_enabled(s);
 +        break;
 +    }
 +    }
 +    if (pulse) {
 +            trace_smmuv3_trigger_irq(irq);
 +            qemu_irq_pulse(s->irq[irq]);
 +    }
 +}
 +
-+void smmuv3_write_gerrorn(SMMUv3State *s, uint32_t new_gerrorn)
+ /*
-+{
+  * Forward to the above feature tests given an ARMCPU pointer.
-+    uint32_t pending = s->gerror ^ s->gerrorn;
+  */
 +    uint32_t toggled = s->gerrorn ^ new_gerrorn;
 +
 +    if (toggled & ~pending) {
 +        qemu_log_mask(LOG_GUEST_ERROR,
 +                      "guest toggles non pending errors = 0x%x\n",
 +                      toggled & ~pending);
 +    }
 +
 +    /*
 +     * We do not raise any error in case guest toggles bits corresponding
 +     * to not active IRQs (CONSTRAINED UNPREDICTABLE)
 +     */
 +    s->gerrorn = new_gerrorn;
 +
 +    trace_smmuv3_write_gerrorn(toggled & pending, s->gerrorn);
 +}
 +
  static void smmuv3_init_regs(SMMUv3State *s)
  {
      /**
 diff --git a/hw/arm/trace-events b/hw/arm/trace-events
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/trace-events
 +++ b/hw/arm/trace-events
@@ -XXX,XX +XXX,XX @@ smmu_get_pte(uint64_t baseaddr, int index, uint64_t pteaddr, uint64_t pte) "base
  #hw/arm/smmuv3.c
  smmuv3_read_mmio(uint64_t addr, uint64_t val, unsigned size, uint32_t r) "addr: 0x%"PRIx64" val:0x%"PRIx64" size: 0x%x(%d)"
 +smmuv3_trigger_irq(int irq) "irq=%d"
 +smmuv3_write_gerror(uint32_t toggled, uint32_t gerror) "toggled=0x%x, new GERROR=0x%x"
 +smmuv3_write_gerrorn(uint32_t acked, uint32_t gerrorn) "acked=0x%x, new GERRORN=0x%x"
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 20/24] hw/arm/smmuv3: Abort on vfio or vhost case
+[PULL 22/23] target/arm: Add isar_feature_{aa64,any}_ras
-From: Eric Auger <eric.auger@redhat.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-At the moment, the SMMUv3 does not support notification on
+Add the aa64 predicate for detecting RAS support from id registers.
-TLB invalidation. So let's log an error as soon as such notifier
+We already have the aa32 version from the M-profile work.
-gets enabled.
+Add the 'any' predicate for testing both aa64 and aa32.
-Signed-off-by: Eric Auger <eric.auger@redhat.com>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 1524665762-31355-11-git-send-email-eric.auger@redhat.com
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20220501055028.646596-34-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/smmuv3.c | 11 +++++++++++
+ target/arm/cpu.h | 10 ++++++++++
-file changed, 11 insertions(+)
+file changed, 10 insertions(+)
-diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
+diff --git a/target/arm/cpu.h b/target/arm/cpu.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmuv3.c
+--- a/target/arm/cpu.h
-+++ b/hw/arm/smmuv3.c
++++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ static void smmuv3_class_init(ObjectClass *klass, void *data)
+@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa64_aa32_el1(const ARMISARegisters *id)
-     dc->realize = smmu_realize;
+     return FIELD_EX64(id->id_aa64pfr0, ID_AA64PFR0, EL1) >= 2;
  }
-+static void smmuv3_notify_flag_changed(IOMMUMemoryRegion *iommu,
++static inline bool isar_feature_aa64_ras(const ARMISARegisters *id)
 +                                       IOMMUNotifierFlag old,
 +                                       IOMMUNotifierFlag new)
 +{
-+    if (old == IOMMU_NOTIFIER_NONE) {
++    return FIELD_EX64(id->id_aa64pfr0, ID_AA64PFR0, RAS) != 0;
 +        warn_report("SMMUV3 does not support vhost/vfio integration yet: "
 +                    "devices of those types will not function properly");
 +    }
 +}
 +
- static void smmuv3_iommu_memory_region_class_init(ObjectClass *klass,
+ static inline bool isar_feature_aa64_sve(const ARMISARegisters *id)
                                                    void *data)
  {
-     IOMMUMemoryRegionClass *imrc = IOMMU_MEMORY_REGION_CLASS(klass);
+     return FIELD_EX64(id->id_aa64pfr0, ID_AA64PFR0, SVE) != 0;
+@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_any_debugv8p2(const ARMISARegisters *id)
-     imrc->translate = smmuv3_translate;
+     return isar_feature_aa64_debugv8p2(id) || isar_feature_aa32_debugv8p2(id);
 +    imrc->notify_flag_changed = smmuv3_notify_flag_changed;
  }
- static const TypeInfo smmuv3_type_info = {
++static inline bool isar_feature_any_ras(const ARMISARegisters *id)
 +{
 +    return isar_feature_aa64_ras(id) || isar_feature_aa32_ras(id);
 +}
 +
  /*
   * Forward to the above feature tests given an ARMCPU pointer.
   */
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 03/24] hw/char/cmsdk-apb-uart.c: Accept more input after character read
+[PULL 23/23] target/arm: read access to performance counters from EL0
-From: Patrick Oppenlander <patrick.oppenlander@gmail.com>
+From: Alex Zuepke <alex.zuepke@tum.de>
-The character frontend needs to be notified that the uart receive buffer
+The ARMv8 manual defines that PMUSERENR_EL0.ER enables read-access
-is empty and ready to handle another character.
+to both PMXEVCNTR_EL0 and PMEVCNTR<n>_EL0 registers, however,
 we only use it for PMXEVCNTR_EL0. Extend to PMEVCNTR<n>_EL0 as well.
-Previously, the uart only worked correctly when receiving one character
+Signed-off-by: Alex Zuepke <alex.zuepke@tum.de>
-at a time.
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220428132717.84190-1-alex.zuepke@tum.de
 Signed-off-by: Patrick Oppenlander <patrick.oppenlander@gmail.com>
 Message-id: CAEg67GkRTw=cXei3o9hvpxG_L4zSrNzR0bFyAgny+sSEUb_kPw@mail.gmail.com
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/char/cmsdk-apb-uart.c | 1 +
+ target/arm/helper.c | 4 ++--
-file changed, 1 insertion(+)
+file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/hw/char/cmsdk-apb-uart.c b/hw/char/cmsdk-apb-uart.c
+diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/char/cmsdk-apb-uart.c
+--- a/target/arm/helper.c
-+++ b/hw/char/cmsdk-apb-uart.c
++++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static uint64_t uart_read(void *opaque, hwaddr offset, unsigned size)
+@@ -XXX,XX +XXX,XX @@ static void define_pmu_regs(ARMCPU *cpu)
-         r = s->rxbuf;
+               .crm = 8 | (3 & (i >> 3)), .opc1 = 0, .opc2 = i & 7,
-         s->state &= ~R_STATE_RXFULL_MASK;
+               .access = PL0_RW, .type = ARM_CP_IO | ARM_CP_ALIAS,
-         cmsdk_apb_uart_update(s);
+               .readfn = pmevcntr_readfn, .writefn = pmevcntr_writefn,
-+        qemu_chr_fe_accept_input(&s->chr);
+-              .accessfn = pmreg_access },
-         break;
++              .accessfn = pmreg_access_xevcntr },
-     case A_STATE:
+             { .name = pmevcntr_el0_name, .state = ARM_CP_STATE_AA64,
-         r = s->state;
+               .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 8 | (3 & (i >> 3)),
 -              .opc2 = i & 7, .access = PL0_RW, .accessfn = pmreg_access,
 +              .opc2 = i & 7, .access = PL0_RW, .accessfn = pmreg_access_xevcntr,
                .type = ARM_CP_IO,
                .readfn = pmevcntr_readfn, .writefn = pmevcntr_writefn,
                .raw_readfn = pmevcntr_rawread,
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 10/24] target/arm: Implement v8M VLLDM and VLSTM
+Deleted patch
-For v8M the instructions VLLDM and VLSTM support lazy saving
-and restoring of the secure floating-point registers. Even
-if the floating point extension is not implemented, these
-instructions must act as NOPs in Secure state, so they can
-be used as part of the secure-to-nonsecure call sequence.
-Fixes: https://bugs.launchpad.net/qemu/+bug/1768295
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180503105730.5958-1-peter.maydell@linaro.org
----
- target/arm/translate.c | 17 ++++++++++++++++-
-file changed, 16 insertions(+), 1 deletion(-)
-diff --git a/target/arm/translate.c b/target/arm/translate.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate.c
-+++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
-         /* Coprocessor.  */
-         if (arm_dc_feature(s, ARM_FEATURE_M)) {
-             /* We don't currently implement M profile FP support,
--             * so this entire space should give a NOCP fault.
-+             * so this entire space should give a NOCP fault, with
-+             * the exception of the v8M VLLDM and VLSTM insns, which
-+             * must be NOPs in Secure state and UNDEF in Nonsecure state.
-              */
-+            if (arm_dc_feature(s, ARM_FEATURE_V8) &&
-+                (insn & 0xffa00f00) == 0xec200a00) {
-+                /* 0b1110_1100_0x1x_xxxx_xxxx_1010_xxxx_xxxx
-+                 *  - VLLDM, VLSTM
-+                 * We choose to UNDEF if the RAZ bits are non-zero.
-+                 */
-+                if (!s->v8m_secure || (insn & 0x0040f0ff)) {
-+                    goto illegal_op;
-+                }
-+                /* Just NOP since FP support is not implemented */
-+                break;
-+            }
-+            /* All other insns: NOCP */
-             gen_exception_insn(s, 4, EXCP_NOCP, syn_uncategorized(),
-                                default_exception_el(s));
-             break;
---
-.17.0

target-arm queue: Eric's SMMUv3 patchset, and an array
of minor bugfixes and improvements from various others.

thanks
-- PMM

The following changes since commit c8b7e627b4269a3bc3ae41d9f420547a47e6d9b9:

Merge remote-tracking branch 'remotes/ericb/tags/pull-nbd-2018-05-04' into staging (2018-05-04 14:42:46 +0100)

are available in the Git repository at:

git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20180504

for you to fetch changes up to 5680740c92993e9b3f3e011f2a2c394070e33f56:

hw/arm/virt: Introduce the iommu option (2018-05-04 18:05:52 +0100)

----------------------------------------------------------------
target-arm queue:
 * Emulate the SMMUv3 (IOMMU); one will be created in the 'virt' board
   if the commandline includes "-machine iommu=smmuv3"
 * target/arm: Implement v8M VLLDM and VLSTM
 * hw/arm: Don't fail qtest due to missing SD card in -nodefaults mode
 * Some fixes to silence Coverity false-positives
 * arm: boot: set boot_info starting from first_cpu
   (fixes a technical bug not visible in practice)
 * hw/net/smc91c111: Convert away from old_mmio
 * hw/usb/tusb6010: Convert away from old_mmio
 * hw/char/cmsdk-apb-uart.c: Accept more input after character read
 * target/arm: Make MPUIR write-ignored on OMAP, StrongARM
 * hw/arm/virt: Add linux,pci-domain property

----------------------------------------------------------------
Eric Auger (11):
      hw/arm/smmu-common: smmu base device and datatypes
      hw/arm/smmu-common: IOMMU memory region and address space setup
      hw/arm/smmu-common: VMSAv8-64 page table walk
      hw/arm/smmuv3: Wired IRQ and GERROR helpers
      hw/arm/smmuv3: Queue helpers
      hw/arm/smmuv3: Implement MMIO write operations
      hw/arm/smmuv3: Event queue recording helper
      hw/arm/smmuv3: Implement translate callback
      hw/arm/smmuv3: Abort on vfio or vhost case
      target/arm/kvm: Translate the MSI doorbell in kvm_arch_fixup_msi_route
      hw/arm/virt: Introduce the iommu option

Igor Mammedov (1):
      arm: boot: set boot_info starting from first_cpu

Jan Kiszka (1):
      hw/arm/virt: Add linux,pci-domain property

Mathew Maidment (1):
      target/arm: Correct MPUIR privilege level in register_cp_regs_for_features() conditional case

Patrick Oppenlander (1):
      hw/char/cmsdk-apb-uart.c: Accept more input after character read

Peter Maydell (3):
      hw/usb/tusb6010: Convert away from old_mmio
      hw/net/smc91c111: Convert away from old_mmio
      target/arm: Implement v8M VLLDM and VLSTM

Prem Mallappa (3):
      hw/arm/smmuv3: Skeleton
      hw/arm/virt: Add SMMUv3 to the virt board
      hw/arm/virt-acpi-build: Add smmuv3 node in IORT table

Richard Henderson (2):
      target/arm: Tidy conditions in handle_vec_simd_shri
      target/arm: Tidy condition in disas_simd_two_reg_misc

Thomas Huth (1):
      hw/arm: Don't fail qtest due to missing SD card in -nodefaults mode

From: Jan Kiszka <jan.kiszka@siemens.com>

This allows to pin the host controller in the Linux PCI domain space.
Linux requires that property to be available consistently or not at all,
in which case the domain number becomes unstable on additions/removals.
Adding it here won't make a difference in practice for most setups as we
only expose one controller.

However, enabling Jailhouse on top may introduce another controller, and
that one would like to have stable address as well. So the property is
needed for the first controller as well.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Message-id: 3301c5bc-7b47-1b0e-8ce4-30435057a276@web.de
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/virt.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@ static void create_pcie(const VirtMachineState *vms, qemu_irq *pic)
     qemu_fdt_setprop_string(vms->fdt, nodename, "device_type", "pci");
     qemu_fdt_setprop_cell(vms->fdt, nodename, "#address-cells", 3);
     qemu_fdt_setprop_cell(vms->fdt, nodename, "#size-cells", 2);
+    qemu_fdt_setprop_cell(vms->fdt, nodename, "linux,pci-domain", 0);
     qemu_fdt_setprop_cells(vms->fdt, nodename, "bus-range", 0,
                            nr_pcie_buses - 1);
     qemu_fdt_setprop(vms->fdt, nodename, "dma-coherent", NULL, 0);
-- 
2.17.0

From: Mathew Maidment <mathew1800@gmail.com>

The duplication of id_tlbtr_reginfo was unintentionally added within
3281af8114c6b8ead02f08b58e3c36895c1ea047 which should have been
id_mpuir_reginfo.

The effect was that for OMAP and StrongARM CPUs we would
incorrectly UNDEF writes to MPUIR rather than NOPing them.

Signed-off-by: Mathew Maidment <mathew1800@gmail.com>
Message-id: 20180501184933.37609-2-mathew1800@gmail.com
[PMM: tweak commit message]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
             for (r = id_cp_reginfo; r->type != ARM_CP_SENTINEL; r++) {
                 r->access = PL1_RW;
             }
-            id_tlbtr_reginfo.access = PL1_RW;
+            id_mpuir_reginfo.access = PL1_RW;
             id_tlbtr_reginfo.access = PL1_RW;
         }
         if (arm_feature(env, ARM_FEATURE_V8)) {
-- 
2.17.0

From: Patrick Oppenlander <patrick.oppenlander@gmail.com>

The character frontend needs to be notified that the uart receive buffer
is empty and ready to handle another character.

Previously, the uart only worked correctly when receiving one character
at a time.

Signed-off-by: Patrick Oppenlander <patrick.oppenlander@gmail.com>
Message-id: CAEg67GkRTw=cXei3o9hvpxG_L4zSrNzR0bFyAgny+sSEUb_kPw@mail.gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/char/cmsdk-apb-uart.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/char/cmsdk-apb-uart.c b/hw/char/cmsdk-apb-uart.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/char/cmsdk-apb-uart.c
+++ b/hw/char/cmsdk-apb-uart.c
@@ -XXX,XX +XXX,XX @@ static uint64_t uart_read(void *opaque, hwaddr offset, unsigned size)
         r = s->rxbuf;
         s->state &= ~R_STATE_RXFULL_MASK;
         cmsdk_apb_uart_update(s);
+        qemu_chr_fe_accept_input(&s->chr);
         break;
     case A_STATE:
         r = s->state;
-- 
2.17.0

Convert the tusb6010 device away from using the old_mmio field
of MemoryRegionOps. This device is used only in the n800 and n810
boards.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180427173611.10281-2-peter.maydell@linaro.org
---
 hw/usb/tusb6010.c | 40 ++++++++++++++++++++++++++++++++++++----
 1 file changed, 36 insertions(+), 4 deletions(-)

diff --git a/hw/usb/tusb6010.c b/hw/usb/tusb6010.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/usb/tusb6010.c
+++ b/hw/usb/tusb6010.c
@@ -XXX,XX +XXX,XX @@ static void tusb_async_writew(void *opaque, hwaddr addr,
     }
 }
 
+static uint64_t tusb_async_readfn(void *opaque, hwaddr addr, unsigned size)
+{
+    switch (size) {
+    case 1:
+        return tusb_async_readb(opaque, addr);
+    case 2:
+        return tusb_async_readh(opaque, addr);
+    case 4:
+        return tusb_async_readw(opaque, addr);
+    default:
+        g_assert_not_reached();
+    }
+}
+
+static void tusb_async_writefn(void *opaque, hwaddr addr,
+                               uint64_t value, unsigned size)
+{
+    switch (size) {
+    case 1:
+        tusb_async_writeb(opaque, addr, value);
+        break;
+    case 2:
+        tusb_async_writeh(opaque, addr, value);
+        break;
+    case 4:
+        tusb_async_writew(opaque, addr, value);
+        break;
+    default:
+        g_assert_not_reached();
+    }
+}
+
 static const MemoryRegionOps tusb_async_ops = {
-    .old_mmio = {
-        .read = { tusb_async_readb, tusb_async_readh, tusb_async_readw, },
-        .write =  { tusb_async_writeb, tusb_async_writeh, tusb_async_writew, },
-    },
+    .read = tusb_async_readfn,
+    .write = tusb_async_writefn,
+    .valid.min_access_size = 1,
+    .valid.max_access_size = 4,
     .endianness = DEVICE_NATIVE_ENDIAN,
 };
 
-- 
2.17.0

Convert the smc91c111 device away from using the old_mmio field of
MemoryRegionOps. This device is used by several Arm board models.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180427173611.10281-3-peter.maydell@linaro.org
---
 hw/net/smc91c111.c | 54 +++++++++++++++++++++-------------------------
 1 file changed, 25 insertions(+), 29 deletions(-)

diff --git a/hw/net/smc91c111.c b/hw/net/smc91c111.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/net/smc91c111.c
+++ b/hw/net/smc91c111.c
@@ -XXX,XX +XXX,XX @@ static uint32_t smc91c111_readb(void *opaque, hwaddr offset)
     return 0;
 }
 
-static void smc91c111_writew(void *opaque, hwaddr offset,
-                             uint32_t value)
+static uint64_t smc91c111_readfn(void *opaque, hwaddr addr, unsigned size)
 {
-    smc91c111_writeb(opaque, offset, value & 0xff);
-    smc91c111_writeb(opaque, offset + 1, value >> 8);
+    int i;
+    uint32_t val = 0;
+
+    for (i = 0; i < size; i++) {
+        val |= smc91c111_readb(opaque, addr + i) << (i * 8);
+    }
+    return val;
 }
 
-static void smc91c111_writel(void *opaque, hwaddr offset,
-                             uint32_t value)
+static void smc91c111_writefn(void *opaque, hwaddr addr,
+                               uint64_t value, unsigned size)
 {
+    int i = 0;
+
     /* 32-bit writes to offset 0xc only actually write to the bank select
-       register (offset 0xe)  */
-    if (offset != 0xc)
-        smc91c111_writew(opaque, offset, value & 0xffff);
-    smc91c111_writew(opaque, offset + 2, value >> 16);
-}
+     * register (offset 0xe), so skip the first two bytes we would write.
+     */
+    if (addr == 0xc && size == 4) {
+        i += 2;
+    }
 
-static uint32_t smc91c111_readw(void *opaque, hwaddr offset)
-{
-    uint32_t val;
-    val = smc91c111_readb(opaque, offset);
-    val |= smc91c111_readb(opaque, offset + 1) << 8;
-    return val;
-}
-
-static uint32_t smc91c111_readl(void *opaque, hwaddr offset)
-{
-    uint32_t val;
-    val = smc91c111_readw(opaque, offset);
-    val |= smc91c111_readw(opaque, offset + 2) << 16;
-    return val;
+    for (; i < size; i++) {
+        smc91c111_writeb(opaque, addr + i,
+                         extract32(value, i * 8, 8));
+    }
 }
 
 static int smc91c111_can_receive_nc(NetClientState *nc)
@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps smc91c111_mem_ops = {
     /* The special case for 32 bit writes to 0xc means we can't just
      * set .impl.min/max_access_size to 1, unfortunately
      */
-    .old_mmio = {
-        .read = { smc91c111_readb, smc91c111_readw, smc91c111_readl, },
-        .write = { smc91c111_writeb, smc91c111_writew, smc91c111_writel, },
-    },
+    .read = smc91c111_readfn,
+    .write = smc91c111_writefn,
+    .valid.min_access_size = 1,
+    .valid.max_access_size = 4,
     .endianness = DEVICE_NATIVE_ENDIAN,
 };
 
-- 
2.17.0

From: Igor Mammedov <imammedo@redhat.com>

Even though nothing is currently broken (since all boards
use first_cpu as boot cpu), make sure that boot_info is set
on all CPUs.
If some board would like support heterogenuos setup (i.e.
init boot_info on subset of CPUs) in future, it should add
a reasonable API to do it, instead of starting assigning
boot_info from some CPU and till the end of present CPUs
list.

Ref:
"Message-ID: <CAFEAcA_NMWuA8WSs3cNeY6xX1kerO_uAcN_3=fK02BEhHJW86g@mail.gmail.com>"

Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1525176522-200354-5-git-send-email-imammedo@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/boot.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/arm/boot.c b/hw/arm/boot.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/boot.c
+++ b/hw/arm/boot.c
@@ -XXX,XX +XXX,XX @@ static void arm_load_kernel_notify(Notifier *notifier, void *data)
     }
     info->is_linux = is_linux;
 
-    for (cs = CPU(cpu); cs; cs = CPU_NEXT(cs)) {
+    for (cs = first_cpu; cs; cs = CPU_NEXT(cs)) {
         ARM_CPU(cs)->env.boot_info = info;
     }
 }
-- 
2.17.0

From: Richard Henderson <richard.henderson@linaro.org>

The (size > 3 && !is_q) condition is identical to the preceeding test
of bit 3 in immh; eliminate it.  For the benefit of Coverity, assert
that size is within the bounds we expect.

Fixes: Coverity CID1385846
Fixes: Coverity CID1385849
Fixes: Coverity CID1385852
Fixes: Coverity CID1385857
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20180501180455.11214-2-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void handle_vec_simd_shri(DisasContext *s, bool is_q, bool is_u,
         unallocated_encoding(s);
         return;
     }
-
-    if (size > 3 && !is_q) {
-        unallocated_encoding(s);
-        return;
-    }
+    tcg_debug_assert(size <= 3);
 
     if (!fp_access_check(s)) {
         return;
-- 
2.17.0

From: Richard Henderson <richard.henderson@linaro.org>

Path analysis shows that size == 3 && !is_q has been eliminated.

Fixes: Coverity CID1385853
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20180501180455.11214-3-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void disas_simd_two_reg_misc(DisasContext *s, uint32_t insn)
         /* All 64-bit element operations can be shared with scalar 2misc */
         int pass;
 
-        for (pass = 0; pass < (is_q ? 2 : 1); pass++) {
+        /* Coverity claims (size == 3 && !is_q) has been eliminated
+         * from all paths leading to here.
+         */
+        tcg_debug_assert(is_q);
+        for (pass = 0; pass < 2; pass++) {
             TCGv_i64 tcg_op = tcg_temp_new_i64();
             TCGv_i64 tcg_res = tcg_temp_new_i64();
 
-- 
2.17.0

From: Thomas Huth <thuth@redhat.com>

When running omap1/2 or pxa2xx based ARM machines with -nodefaults,
they bail out immediately complaining about a "missing SecureDigital
device". That's not how the "default" devices in vl.c are meant to
work - it should be possible for a board to also start up without
default devices. So let's turn the error message and exit() into
a warning instead.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-id: 1525326811-3233-1-git-send-email-thuth@redhat.com
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/omap1.c  |  8 ++++----
 hw/arm/omap2.c  |  8 ++++----
 hw/arm/pxa2xx.c | 15 +++++++--------
 3 files changed, 15 insertions(+), 16 deletions(-)

diff --git a/hw/arm/omap1.c b/hw/arm/omap1.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/omap1.c
+++ b/hw/arm/omap1.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/arm/soc_dma.h"
 #include "sysemu/block-backend.h"
 #include "sysemu/blockdev.h"
+#include "sysemu/qtest.h"
 #include "qemu/range.h"
 #include "hw/sysbus.h"
 #include "qemu/cutils.h"
@@ -XXX,XX +XXX,XX @@ struct omap_mpu_state_s *omap310_mpu_init(MemoryRegion *system_memory,
                                 omap_findclk(s, "dpll3"));
 
     dinfo = drive_get(IF_SD, 0, 0);
-    if (!dinfo) {
-        error_report("missing SecureDigital device");
-        exit(1);
+    if (!dinfo && !qtest_enabled()) {
+        warn_report("missing SecureDigital device");
     }
     s->mmc = omap_mmc_init(0xfffb7800, system_memory,
-                           blk_by_legacy_dinfo(dinfo),
+                           dinfo ? blk_by_legacy_dinfo(dinfo) : NULL,
                            qdev_get_gpio_in(s->ih[1], OMAP_INT_OQN),
                            &s->drq[OMAP_DMA_MMC_TX],
                     omap_findclk(s, "mmc_ck"));
diff --git a/hw/arm/omap2.c b/hw/arm/omap2.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/omap2.c
+++ b/hw/arm/omap2.c
@@ -XXX,XX +XXX,XX @@
 #include "cpu.h"
 #include "sysemu/block-backend.h"
 #include "sysemu/blockdev.h"
+#include "sysemu/qtest.h"
 #include "hw/boards.h"
 #include "hw/hw.h"
 #include "hw/arm/arm.h"
@@ -XXX,XX +XXX,XX @@ struct omap_mpu_state_s *omap2420_mpu_init(MemoryRegion *sysmem,
                              s->drq[OMAP24XX_DMA_GPMC]);
 
     dinfo = drive_get(IF_SD, 0, 0);
-    if (!dinfo) {
-        error_report("missing SecureDigital device");
-        exit(1);
+    if (!dinfo && !qtest_enabled()) {
+        warn_report("missing SecureDigital device");
     }
     s->mmc = omap2_mmc_init(omap_l4tao(s->l4, 9),
-                    blk_by_legacy_dinfo(dinfo),
+                    dinfo ? blk_by_legacy_dinfo(dinfo) : NULL,
                     qdev_get_gpio_in(s->ih[0], OMAP_INT_24XX_MMC_IRQ),
                     &s->drq[OMAP24XX_DMA_MMC1_TX],
                     omap_findclk(s, "mmc_fclk"), omap_findclk(s, "mmc_iclk"));
diff --git a/hw/arm/pxa2xx.c b/hw/arm/pxa2xx.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/pxa2xx.c
+++ b/hw/arm/pxa2xx.c
@@ -XXX,XX +XXX,XX @@
 #include "chardev/char-fe.h"
 #include "sysemu/block-backend.h"
 #include "sysemu/blockdev.h"
+#include "sysemu/qtest.h"
 #include "qemu/cutils.h"
 
 static struct {
@@ -XXX,XX +XXX,XX @@ PXA2xxState *pxa270_init(MemoryRegion *address_space,
     s->gpio = pxa2xx_gpio_init(0x40e00000, s->cpu, s->pic, 121);
 
     dinfo = drive_get(IF_SD, 0, 0);
-    if (!dinfo) {
-        error_report("missing SecureDigital device");
-        exit(1);
+    if (!dinfo && !qtest_enabled()) {
+        warn_report("missing SecureDigital device");
     }
     s->mmc = pxa2xx_mmci_init(address_space, 0x41100000,
-                    blk_by_legacy_dinfo(dinfo),
+                    dinfo ? blk_by_legacy_dinfo(dinfo) : NULL,
                     qdev_get_gpio_in(s->pic, PXA2XX_PIC_MMC),
                     qdev_get_gpio_in(s->dma, PXA2XX_RX_RQ_MMCI),
                     qdev_get_gpio_in(s->dma, PXA2XX_TX_RQ_MMCI));
@@ -XXX,XX +XXX,XX @@ PXA2xxState *pxa255_init(MemoryRegion *address_space, unsigned int sdram_size)
     s->gpio = pxa2xx_gpio_init(0x40e00000, s->cpu, s->pic, 85);
 
     dinfo = drive_get(IF_SD, 0, 0);
-    if (!dinfo) {
-        error_report("missing SecureDigital device");
-        exit(1);
+    if (!dinfo && !qtest_enabled()) {
+        warn_report("missing SecureDigital device");
     }
     s->mmc = pxa2xx_mmci_init(address_space, 0x41100000,
-                    blk_by_legacy_dinfo(dinfo),
+                    dinfo ? blk_by_legacy_dinfo(dinfo) : NULL,
                     qdev_get_gpio_in(s->pic, PXA2XX_PIC_MMC),
                     qdev_get_gpio_in(s->dma, PXA2XX_RX_RQ_MMCI),
                     qdev_get_gpio_in(s->dma, PXA2XX_TX_RQ_MMCI));
-- 
2.17.0

For v8M the instructions VLLDM and VLSTM support lazy saving
and restoring of the secure floating-point registers. Even
if the floating point extension is not implemented, these
instructions must act as NOPs in Secure state, so they can
be used as part of the secure-to-nonsecure call sequence.

Fixes: https://bugs.launchpad.net/qemu/+bug/1768295
Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180503105730.5958-1-peter.maydell@linaro.org
---
 target/arm/translate.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
         /* Coprocessor.  */
         if (arm_dc_feature(s, ARM_FEATURE_M)) {
             /* We don't currently implement M profile FP support,
-             * so this entire space should give a NOCP fault.
+             * so this entire space should give a NOCP fault, with
+             * the exception of the v8M VLLDM and VLSTM insns, which
+             * must be NOPs in Secure state and UNDEF in Nonsecure state.
              */
+            if (arm_dc_feature(s, ARM_FEATURE_V8) &&
+                (insn & 0xffa00f00) == 0xec200a00) {
+                /* 0b1110_1100_0x1x_xxxx_xxxx_1010_xxxx_xxxx
+                 *  - VLLDM, VLSTM
+                 * We choose to UNDEF if the RAZ bits are non-zero.
+                 */
+                if (!s->v8m_secure || (insn & 0x0040f0ff)) {
+                    goto illegal_op;
+                }
+                /* Just NOP since FP support is not implemented */
+                break;
+            }
+            /* All other insns: NOCP */
             gen_exception_insn(s, 4, EXCP_NOCP, syn_uncategorized(),
                                default_exception_el(s));
             break;
-- 
2.17.0

From: Eric Auger <eric.auger@redhat.com>

The patch introduces the smmu base device and class for the ARM
smmu. Devices for specific versions will be derived from this
base device.

We also introduce some important datatypes.

Signed-off-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Prem Mallappa <prem.mallappa@broadcom.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1524665762-31355-2-git-send-email-eric.auger@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/Makefile.objs                |   1 +
 include/hw/arm/smmu-common.h        | 123 ++++++++++++++++++++++++++++
 hw/arm/smmu-common.c                |  81 ++++++++++++++++++
 default-configs/aarch64-softmmu.mak |   1 +
 4 files changed, 206 insertions(+)
 create mode 100644 include/hw/arm/smmu-common.h
 create mode 100644 hw/arm/smmu-common.c

From: Eric Auger <eric.auger@redhat.com>

We set up the infrastructure to enumerate all the PCI devices
attached to the SMMU and create an associated IOMMU memory
region and address space.

Those info are stored in SMMUDevice objects. The devices are
grouped according to the PCIBus they belong to. A hash table
indexed by the PCIBus pointer is used. Also an array indexed by
the bus number allows to find the list of SMMUDevices.

Signed-off-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Prem Mallappa <prem.mallappa@broadcom.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1524665762-31355-3-git-send-email-eric.auger@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/arm/smmu-common.h |  8 +++++
 hw/arm/smmu-common.c         | 69 ++++++++++++++++++++++++++++++++++++
 hw/arm/trace-events          |  3 ++
 3 files changed, 80 insertions(+)

diff --git a/include/hw/arm/smmu-common.h b/include/hw/arm/smmu-common.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/smmu-common.h
+++ b/include/hw/arm/smmu-common.h
@@ -XXX,XX +XXX,XX @@ typedef struct {
 #define ARM_SMMU_GET_CLASS(obj)                              \
     OBJECT_GET_CLASS(SMMUBaseClass, (obj), TYPE_ARM_SMMU)
 
+/* Return the SMMUPciBus handle associated to a PCI bus number */
+SMMUPciBus *smmu_find_smmu_pcibus(SMMUState *s, uint8_t bus_num);
+
+/* Return the stream ID of an SMMU device */
+static inline uint16_t smmu_get_sid(SMMUDevice *sdev)
+{
+    return PCI_BUILD_BDF(pci_bus_num(sdev->bus), sdev->devfn);
+}
 #endif  /* HW_ARM_SMMU_COMMON */
diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmu-common.c
+++ b/hw/arm/smmu-common.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/error-report.h"
 #include "hw/arm/smmu-common.h"
 
+/**
+ * The bus number is used for lookup when SID based invalidation occurs.
+ * In that case we lazily populate the SMMUPciBus array from the bus hash
+ * table. At the time the SMMUPciBus is created (smmu_find_add_as), the bus
+ * numbers may not be always initialized yet.
+ */
+SMMUPciBus *smmu_find_smmu_pcibus(SMMUState *s, uint8_t bus_num)
+{
+    SMMUPciBus *smmu_pci_bus = s->smmu_pcibus_by_bus_num[bus_num];
+
+    if (!smmu_pci_bus) {
+        GHashTableIter iter;
+
+        g_hash_table_iter_init(&iter, s->smmu_pcibus_by_busptr);
+        while (g_hash_table_iter_next(&iter, NULL, (void **)&smmu_pci_bus)) {
+            if (pci_bus_num(smmu_pci_bus->bus) == bus_num) {
+                s->smmu_pcibus_by_bus_num[bus_num] = smmu_pci_bus;
+                return smmu_pci_bus;
+            }
+        }
+    }
+    return smmu_pci_bus;
+}
+
+static AddressSpace *smmu_find_add_as(PCIBus *bus, void *opaque, int devfn)
+{
+    SMMUState *s = opaque;
+    SMMUPciBus *sbus = g_hash_table_lookup(s->smmu_pcibus_by_busptr, bus);
+    SMMUDevice *sdev;
+
+    if (!sbus) {
+        sbus = g_malloc0(sizeof(SMMUPciBus) +
+                         sizeof(SMMUDevice *) * SMMU_PCI_DEVFN_MAX);
+        sbus->bus = bus;
+        g_hash_table_insert(s->smmu_pcibus_by_busptr, bus, sbus);
+    }
+
+    sdev = sbus->pbdev[devfn];
+    if (!sdev) {
+        char *name = g_strdup_printf("%s-%d-%d",
+                                     s->mrtypename,
+                                     pci_bus_num(bus), devfn);
+        sdev = sbus->pbdev[devfn] = g_new0(SMMUDevice, 1);
+
+        sdev->smmu = s;
+        sdev->bus = bus;
+        sdev->devfn = devfn;
+
+        memory_region_init_iommu(&sdev->iommu, sizeof(sdev->iommu),
+                                 s->mrtypename,
+                                 OBJECT(s), name, 1ULL << SMMU_MAX_VA_BITS);
+        address_space_init(&sdev->as,
+                           MEMORY_REGION(&sdev->iommu), name);
+        trace_smmu_add_mr(name);
+        g_free(name);
+    }
+
+    return &sdev->as;
+}
+
 static void smmu_base_realize(DeviceState *dev, Error **errp)
 {
+    SMMUState *s = ARM_SMMU(dev);
     SMMUBaseClass *sbc = ARM_SMMU_GET_CLASS(dev);
     Error *local_err = NULL;
 
@@ -XXX,XX +XXX,XX @@ static void smmu_base_realize(DeviceState *dev, Error **errp)
         error_propagate(errp, local_err);
         return;
     }
+
+    s->smmu_pcibus_by_busptr = g_hash_table_new(NULL, NULL);
+
+    if (s->primary_bus) {
+        pci_setup_iommu(s->primary_bus, smmu_find_add_as, s);
+    } else {
+        error_setg(errp, "SMMU is not attached to any PCI bus!");
+    }
 }
 
 static void smmu_base_reset(DeviceState *dev)
diff --git a/hw/arm/trace-events b/hw/arm/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/trace-events
+++ b/hw/arm/trace-events
@@ -XXX,XX +XXX,XX @@
 
 # hw/arm/virt-acpi-build.c
 virt_acpi_setup(void) "No fw cfg or ACPI disabled. Bailing out."
+
+# hw/arm/smmu-common.c
+smmu_add_mr(const char *name) "%s"
\ No newline at end of file
-- 
2.17.0

From: Eric Auger <eric.auger@redhat.com>

This patch implements the page table walk for VMSAv8-64.

Signed-off-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Prem Mallappa <prem.mallappa@broadcom.com>
Message-id: 1524665762-31355-4-git-send-email-eric.auger@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/smmu-internal.h       |  99 ++++++++++++++++
 include/hw/arm/smmu-common.h |  14 +++
 hw/arm/smmu-common.c         | 222 +++++++++++++++++++++++++++++++++++
 hw/arm/trace-events          |   9 +-
 4 files changed, 343 insertions(+), 1 deletion(-)
 create mode 100644 hw/arm/smmu-internal.h

diff --git a/hw/arm/smmu-internal.h b/hw/arm/smmu-internal.h
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/hw/arm/smmu-internal.h
@@ -XXX,XX +XXX,XX @@
+/*
+ * ARM SMMU support - Internal API
+ *
+ * Copyright (c) 2017 Red Hat, Inc.
+ * Copyright (C) 2014-2016 Broadcom Corporation
+ * Written by Prem Mallappa, Eric Auger
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef HW_ARM_SMMU_INTERNAL_H
+#define HW_ARM_SMMU_INTERNAL_H
+
+#define TBI0(tbi) ((tbi) & 0x1)
+#define TBI1(tbi) ((tbi) & 0x2 >> 1)
+
+/* PTE Manipulation */
+
+#define ARM_LPAE_PTE_TYPE_SHIFT         0
+#define ARM_LPAE_PTE_TYPE_MASK          0x3
+
+#define ARM_LPAE_PTE_TYPE_BLOCK         1
+#define ARM_LPAE_PTE_TYPE_TABLE         3
+
+#define ARM_LPAE_L3_PTE_TYPE_RESERVED   1
+#define ARM_LPAE_L3_PTE_TYPE_PAGE       3
+
+#define ARM_LPAE_PTE_VALID              (1 << 0)
+
+#define PTE_ADDRESS(pte, shift) \
+    (extract64(pte, shift, 47 - shift + 1) << shift)
+
+#define is_invalid_pte(pte) (!(pte & ARM_LPAE_PTE_VALID))
+
+#define is_reserved_pte(pte, level)                                      \
+    ((level == 3) &&                                                     \
+     ((pte & ARM_LPAE_PTE_TYPE_MASK) == ARM_LPAE_L3_PTE_TYPE_RESERVED))
+
+#define is_block_pte(pte, level)                                         \
+    ((level < 3) &&                                                      \
+     ((pte & ARM_LPAE_PTE_TYPE_MASK) == ARM_LPAE_PTE_TYPE_BLOCK))
+
+#define is_table_pte(pte, level)                                        \
+    ((level < 3) &&                                                     \
+     ((pte & ARM_LPAE_PTE_TYPE_MASK) == ARM_LPAE_PTE_TYPE_TABLE))
+
+#define is_page_pte(pte, level)                                         \
+    ((level == 3) &&                                                    \
+     ((pte & ARM_LPAE_PTE_TYPE_MASK) == ARM_LPAE_L3_PTE_TYPE_PAGE))
+
+/* access permissions */
+
+#define PTE_AP(pte) \
+    (extract64(pte, 6, 2))
+
+#define PTE_APTABLE(pte) \
+    (extract64(pte, 61, 2))
+
+/*
+ * TODO: At the moment all transactions are considered as privileged (EL1)
+ * as IOMMU translation callback does not pass user/priv attributes.
+ */
+#define is_permission_fault(ap, perm) \
+    (((perm) & IOMMU_WO) && ((ap) & 0x2))
+
+#define PTE_AP_TO_PERM(ap) \
+    (IOMMU_ACCESS_FLAG(true, !((ap) & 0x2)))
+
+/* Level Indexing */
+
+static inline int level_shift(int level, int granule_sz)
+{
+    return granule_sz + (3 - level) * (granule_sz - 3);
+}
+
+static inline uint64_t level_page_mask(int level, int granule_sz)
+{
+    return ~(MAKE_64BIT_MASK(0, level_shift(level, granule_sz)));
+}
+
+static inline
+uint64_t iova_level_offset(uint64_t iova, int inputsize,
+                           int level, int gsz)
+{
+    return ((iova & MAKE_64BIT_MASK(0, inputsize)) >> level_shift(level, gsz)) &
+            MAKE_64BIT_MASK(0, gsz - 3);
+}
+
+#endif
diff --git a/include/hw/arm/smmu-common.h b/include/hw/arm/smmu-common.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/smmu-common.h
+++ b/include/hw/arm/smmu-common.h
@@ -XXX,XX +XXX,XX @@ static inline uint16_t smmu_get_sid(SMMUDevice *sdev)
 {
     return PCI_BUILD_BDF(pci_bus_num(sdev->bus), sdev->devfn);
 }
+
+/**
+ * smmu_ptw - Perform the page table walk for a given iova / access flags
+ * pair, according to @cfg translation config
+ */
+int smmu_ptw(SMMUTransCfg *cfg, dma_addr_t iova, IOMMUAccessFlags perm,
+             IOMMUTLBEntry *tlbe, SMMUPTWEventInfo *info);
+
+/**
+ * select_tt - compute which translation table shall be used according to
+ * the input iova and translation config and return the TT specific info
+ */
+SMMUTransTableInfo *select_tt(SMMUTransCfg *cfg, dma_addr_t iova);
+
 #endif  /* HW_ARM_SMMU_COMMON */
diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmu-common.c
+++ b/hw/arm/smmu-common.c
@@ -XXX,XX +XXX,XX @@
 
 #include "qemu/error-report.h"
 #include "hw/arm/smmu-common.h"
+#include "smmu-internal.h"
+
+/* VMSAv8-64 Translation */
+
+/**
+ * get_pte - Get the content of a page table entry located at
+ * @base_addr[@index]
+ */
+static int get_pte(dma_addr_t baseaddr, uint32_t index, uint64_t *pte,
+                   SMMUPTWEventInfo *info)
+{
+    int ret;
+    dma_addr_t addr = baseaddr + index * sizeof(*pte);
+
+    /* TODO: guarantee 64-bit single-copy atomicity */
+    ret = dma_memory_read(&address_space_memory, addr,
+                          (uint8_t *)pte, sizeof(*pte));
+
+    if (ret != MEMTX_OK) {
+        info->type = SMMU_PTW_ERR_WALK_EABT;
+        info->addr = addr;
+        return -EINVAL;
+    }
+    trace_smmu_get_pte(baseaddr, index, addr, *pte);
+    return 0;
+}
+
+/* VMSAv8-64 Translation Table Format Descriptor Decoding */
+
+/**
+ * get_page_pte_address - returns the L3 descriptor output address,
+ * ie. the page frame
+ * ARM ARM spec: Figure D4-17 VMSAv8-64 level 3 descriptor format
+ */
+static inline hwaddr get_page_pte_address(uint64_t pte, int granule_sz)
+{
+    return PTE_ADDRESS(pte, granule_sz);
+}
+
+/**
+ * get_table_pte_address - return table descriptor output address,
+ * ie. address of next level table
+ * ARM ARM Figure D4-16 VMSAv8-64 level0, level1, and level 2 descriptor formats
+ */
+static inline hwaddr get_table_pte_address(uint64_t pte, int granule_sz)
+{
+    return PTE_ADDRESS(pte, granule_sz);
+}
+
+/**
+ * get_block_pte_address - return block descriptor output address and block size
+ * ARM ARM Figure D4-16 VMSAv8-64 level0, level1, and level 2 descriptor formats
+ */
+static inline hwaddr get_block_pte_address(uint64_t pte, int level,
+                                           int granule_sz, uint64_t *bsz)
+{
+    int n = (granule_sz - 3) * (4 - level) + 3;
+
+    *bsz = 1 << n;
+    return PTE_ADDRESS(pte, n);
+}
+
+SMMUTransTableInfo *select_tt(SMMUTransCfg *cfg, dma_addr_t iova)
+{
+    bool tbi = extract64(iova, 55, 1) ? TBI1(cfg->tbi) : TBI0(cfg->tbi);
+    uint8_t tbi_byte = tbi * 8;
+
+    if (cfg->tt[0].tsz &&
+        !extract64(iova, 64 - cfg->tt[0].tsz, cfg->tt[0].tsz - tbi_byte)) {
+        /* there is a ttbr0 region and we are in it (high bits all zero) */
+        return &cfg->tt[0];
+    } else if (cfg->tt[1].tsz &&
+           !extract64(iova, 64 - cfg->tt[1].tsz, cfg->tt[1].tsz - tbi_byte)) {
+        /* there is a ttbr1 region and we are in it (high bits all one) */
+        return &cfg->tt[1];
+    } else if (!cfg->tt[0].tsz) {
+        /* ttbr0 region is "everything not in the ttbr1 region" */
+        return &cfg->tt[0];
+    } else if (!cfg->tt[1].tsz) {
+        /* ttbr1 region is "everything not in the ttbr0 region" */
+        return &cfg->tt[1];
+    }
+    /* in the gap between the two regions, this is a Translation fault */
+    return NULL;
+}
+
+/**
+ * smmu_ptw_64 - VMSAv8-64 Walk of the page tables for a given IOVA
+ * @cfg: translation config
+ * @iova: iova to translate
+ * @perm: access type
+ * @tlbe: IOMMUTLBEntry (out)
+ * @info: handle to an error info
+ *
+ * Return 0 on success, < 0 on error. In case of error, @info is filled
+ * and tlbe->perm is set to IOMMU_NONE.
+ * Upon success, @tlbe is filled with translated_addr and entry
+ * permission rights.
+ */
+static int smmu_ptw_64(SMMUTransCfg *cfg,
+                       dma_addr_t iova, IOMMUAccessFlags perm,
+                       IOMMUTLBEntry *tlbe, SMMUPTWEventInfo *info)
+{
+    dma_addr_t baseaddr, indexmask;
+    int stage = cfg->stage;
+    SMMUTransTableInfo *tt = select_tt(cfg, iova);
+    uint8_t level, granule_sz, inputsize, stride;
+
+    if (!tt || tt->disabled) {
+        info->type = SMMU_PTW_ERR_TRANSLATION;
+        goto error;
+    }
+
+    granule_sz = tt->granule_sz;
+    stride = granule_sz - 3;
+    inputsize = 64 - tt->tsz;
+    level = 4 - (inputsize - 4) / stride;
+    indexmask = (1ULL << (inputsize - (stride * (4 - level)))) - 1;
+    baseaddr = extract64(tt->ttb, 0, 48);
+    baseaddr &= ~indexmask;
+
+    tlbe->iova = iova;
+    tlbe->addr_mask = (1 << granule_sz) - 1;
+
+    while (level <= 3) {
+        uint64_t subpage_size = 1ULL << level_shift(level, granule_sz);
+        uint64_t mask = subpage_size - 1;
+        uint32_t offset = iova_level_offset(iova, inputsize, level, granule_sz);
+        uint64_t pte;
+        dma_addr_t pte_addr = baseaddr + offset * sizeof(pte);
+        uint8_t ap;
+
+        if (get_pte(baseaddr, offset, &pte, info)) {
+                goto error;
+        }
+        trace_smmu_ptw_level(level, iova, subpage_size,
+                             baseaddr, offset, pte);
+
+        if (is_invalid_pte(pte) || is_reserved_pte(pte, level)) {
+            trace_smmu_ptw_invalid_pte(stage, level, baseaddr,
+                                       pte_addr, offset, pte);
+            info->type = SMMU_PTW_ERR_TRANSLATION;
+            goto error;
+        }
+
+        if (is_page_pte(pte, level)) {
+            uint64_t gpa = get_page_pte_address(pte, granule_sz);
+
+            ap = PTE_AP(pte);
+            if (is_permission_fault(ap, perm)) {
+                info->type = SMMU_PTW_ERR_PERMISSION;
+                goto error;
+            }
+
+            tlbe->translated_addr = gpa + (iova & mask);
+            tlbe->perm = PTE_AP_TO_PERM(ap);
+            trace_smmu_ptw_page_pte(stage, level, iova,
+                                    baseaddr, pte_addr, pte, gpa);
+            return 0;
+        }
+        if (is_block_pte(pte, level)) {
+            uint64_t block_size;
+            hwaddr gpa = get_block_pte_address(pte, level, granule_sz,
+                                               &block_size);
+
+            ap = PTE_AP(pte);
+            if (is_permission_fault(ap, perm)) {
+                info->type = SMMU_PTW_ERR_PERMISSION;
+                goto error;
+            }
+
+            trace_smmu_ptw_block_pte(stage, level, baseaddr,
+                                     pte_addr, pte, iova, gpa,
+                                     block_size >> 20);
+
+            tlbe->translated_addr = gpa + (iova & mask);
+            tlbe->perm = PTE_AP_TO_PERM(ap);
+            return 0;
+        }
+
+        /* table pte */
+        ap = PTE_APTABLE(pte);
+
+        if (is_permission_fault(ap, perm)) {
+            info->type = SMMU_PTW_ERR_PERMISSION;
+            goto error;
+        }
+        baseaddr = get_table_pte_address(pte, granule_sz);
+        level++;
+    }
+
+    info->type = SMMU_PTW_ERR_TRANSLATION;
+
+error:
+    tlbe->perm = IOMMU_NONE;
+    return -EINVAL;
+}
+
+/**
+ * smmu_ptw - Walk the page tables for an IOVA, according to @cfg
+ *
+ * @cfg: translation configuration
+ * @iova: iova to translate
+ * @perm: tentative access type
+ * @tlbe: returned entry
+ * @info: ptw event handle
+ *
+ * return 0 on success
+ */
+inline int smmu_ptw(SMMUTransCfg *cfg, dma_addr_t iova, IOMMUAccessFlags perm,
+             IOMMUTLBEntry *tlbe, SMMUPTWEventInfo *info)
+{
+    if (!cfg->aa64) {
+        /*
+         * This code path is not entered as we check this while decoding
+         * the configuration data in the derived SMMU model.
+         */
+        g_assert_not_reached();
+    }
+
+    return smmu_ptw_64(cfg, iova, perm, tlbe, info);
+}
 
 /**
  * The bus number is used for lookup when SID based invalidation occurs.
diff --git a/hw/arm/trace-events b/hw/arm/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/trace-events
+++ b/hw/arm/trace-events
@@ -XXX,XX +XXX,XX @@
 virt_acpi_setup(void) "No fw cfg or ACPI disabled. Bailing out."
 
 # hw/arm/smmu-common.c
-smmu_add_mr(const char *name) "%s"
\ No newline at end of file
+smmu_add_mr(const char *name) "%s"
+smmu_page_walk(int stage, uint64_t baseaddr, int first_level, uint64_t start, uint64_t end) "stage=%d, baseaddr=0x%"PRIx64", first level=%d, start=0x%"PRIx64", end=0x%"PRIx64
+smmu_lookup_table(int level, uint64_t baseaddr, int granule_sz, uint64_t start, uint64_t end, int flags, uint64_t subpage_size) "level=%d baseaddr=0x%"PRIx64" granule=%d, start=0x%"PRIx64" end=0x%"PRIx64" flags=%d subpage_size=0x%"PRIx64
+smmu_ptw_level(int level, uint64_t iova, size_t subpage_size, uint64_t baseaddr, uint32_t offset, uint64_t pte) "level=%d iova=0x%"PRIx64" subpage_sz=0x%lx baseaddr=0x%"PRIx64" offset=%d => pte=0x%"PRIx64
+smmu_ptw_invalid_pte(int stage, int level, uint64_t baseaddr, uint64_t pteaddr, uint32_t offset, uint64_t pte) "stage=%d level=%d base@=0x%"PRIx64" pte@=0x%"PRIx64" offset=%d pte=0x%"PRIx64
+smmu_ptw_page_pte(int stage, int level,  uint64_t iova, uint64_t baseaddr, uint64_t pteaddr, uint64_t pte, uint64_t address) "stage=%d level=%d iova=0x%"PRIx64" base@=0x%"PRIx64" pte@=0x%"PRIx64" pte=0x%"PRIx64" page address = 0x%"PRIx64
+smmu_ptw_block_pte(int stage, int level, uint64_t baseaddr, uint64_t pteaddr, uint64_t pte, uint64_t iova, uint64_t gpa, int bsize_mb) "stage=%d level=%d base@=0x%"PRIx64" pte@=0x%"PRIx64" pte=0x%"PRIx64" iova=0x%"PRIx64" block address = 0x%"PRIx64" block size = %d MiB"
+smmu_get_pte(uint64_t baseaddr, int index, uint64_t pteaddr, uint64_t pte) "baseaddr=0x%"PRIx64" index=0x%x, pteaddr=0x%"PRIx64", pte=0x%"PRIx64
-- 
2.17.0

From: Prem Mallappa <prem.mallappa@broadcom.com>

This patch implements a skeleton for the smmuv3 device.
Datatypes and register definitions are introduced. The MMIO
region, the interrupts and the queue are initialized.

Only the MMIO read operation is implemented here.

Signed-off-by: Prem Mallappa <prem.mallappa@broadcom.com>
Signed-off-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1524665762-31355-5-git-send-email-eric.auger@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/Makefile.objs     |   2 +-
 hw/arm/smmuv3-internal.h | 142 +++++++++++++++
 include/hw/arm/smmuv3.h  |  87 ++++++++++
 hw/arm/smmuv3.c          | 366 +++++++++++++++++++++++++++++++++++++++
 hw/arm/trace-events      |   3 +
 5 files changed, 599 insertions(+), 1 deletion(-)
 create mode 100644 hw/arm/smmuv3-internal.h
 create mode 100644 include/hw/arm/smmuv3.h
 create mode 100644 hw/arm/smmuv3.c

diff --git a/hw/arm/Makefile.objs b/hw/arm/Makefile.objs
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/Makefile.objs
+++ b/hw/arm/Makefile.objs
@@ -XXX,XX +XXX,XX @@ obj-$(CONFIG_MPS2) += mps2-tz.o
 obj-$(CONFIG_MSF2) += msf2-soc.o msf2-som.o
 obj-$(CONFIG_IOTKIT) += iotkit.o
 obj-$(CONFIG_FSL_IMX7) += fsl-imx7.o mcimx7d-sabre.o
-obj-$(CONFIG_ARM_SMMUV3) += smmu-common.o
+obj-$(CONFIG_ARM_SMMUV3) += smmu-common.o smmuv3.o
diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/hw/arm/smmuv3-internal.h
@@ -XXX,XX +XXX,XX @@
+/*
+ * ARM SMMUv3 support - Internal API
+ *
+ * Copyright (C) 2014-2016 Broadcom Corporation
+ * Copyright (c) 2017 Red Hat, Inc.
+ * Written by Prem Mallappa, Eric Auger
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef HW_ARM_SMMU_V3_INTERNAL_H
+#define HW_ARM_SMMU_V3_INTERNAL_H
+
+#include "hw/arm/smmu-common.h"
+
+/* MMIO Registers */
+
+REG32(IDR0,                0x0)
+    FIELD(IDR0, S1P,         1 , 1)
+    FIELD(IDR0, TTF,         2 , 2)
+    FIELD(IDR0, COHACC,      4 , 1)
+    FIELD(IDR0, ASID16,      12, 1)
+    FIELD(IDR0, TTENDIAN,    21, 2)
+    FIELD(IDR0, STALL_MODEL, 24, 2)
+    FIELD(IDR0, TERM_MODEL,  26, 1)
+    FIELD(IDR0, STLEVEL,     27, 2)
+
+REG32(IDR1,                0x4)
+    FIELD(IDR1, SIDSIZE,      0 , 6)
+    FIELD(IDR1, EVENTQS,      16, 5)
+    FIELD(IDR1, CMDQS,        21, 5)
+
+#define SMMU_IDR1_SIDSIZE 16
+#define SMMU_CMDQS   19
+#define SMMU_EVENTQS 19
+
+REG32(IDR2,                0x8)
+REG32(IDR3,                0xc)
+REG32(IDR4,                0x10)
+REG32(IDR5,                0x14)
+     FIELD(IDR5, OAS,         0, 3);
+     FIELD(IDR5, GRAN4K,      4, 1);
+     FIELD(IDR5, GRAN16K,     5, 1);
+     FIELD(IDR5, GRAN64K,     6, 1);
+
+#define SMMU_IDR5_OAS 4
+
+REG32(IIDR,                0x1c)
+REG32(CR0,                 0x20)
+    FIELD(CR0, SMMU_ENABLE,   0, 1)
+    FIELD(CR0, EVENTQEN,      2, 1)
+    FIELD(CR0, CMDQEN,        3, 1)
+
+REG32(CR0ACK,              0x24)
+REG32(CR1,                 0x28)
+REG32(CR2,                 0x2c)
+REG32(STATUSR,             0x40)
+REG32(IRQ_CTRL,            0x50)
+    FIELD(IRQ_CTRL, GERROR_IRQEN,        0, 1)
+    FIELD(IRQ_CTRL, PRI_IRQEN,           1, 1)
+    FIELD(IRQ_CTRL, EVENTQ_IRQEN,        2, 1)
+
+REG32(IRQ_CTRL_ACK,        0x54)
+REG32(GERROR,              0x60)
+    FIELD(GERROR, CMDQ_ERR,           0, 1)
+    FIELD(GERROR, EVENTQ_ABT_ERR,     2, 1)
+    FIELD(GERROR, PRIQ_ABT_ERR,       3, 1)
+    FIELD(GERROR, MSI_CMDQ_ABT_ERR,   4, 1)
+    FIELD(GERROR, MSI_EVENTQ_ABT_ERR, 5, 1)
+    FIELD(GERROR, MSI_PRIQ_ABT_ERR,   6, 1)
+    FIELD(GERROR, MSI_GERROR_ABT_ERR, 7, 1)
+    FIELD(GERROR, MSI_SFM_ERR,        8, 1)
+
+REG32(GERRORN,             0x64)
+
+#define A_GERROR_IRQ_CFG0  0x68 /* 64b */
+REG32(GERROR_IRQ_CFG1, 0x70)
+REG32(GERROR_IRQ_CFG2, 0x74)
+
+#define A_STRTAB_BASE      0x80 /* 64b */
+
+#define SMMU_BASE_ADDR_MASK 0xffffffffffe0
+
+REG32(STRTAB_BASE_CFG,     0x88)
+    FIELD(STRTAB_BASE_CFG, FMT,      16, 2)
+    FIELD(STRTAB_BASE_CFG, SPLIT,    6 , 5)
+    FIELD(STRTAB_BASE_CFG, LOG2SIZE, 0 , 6)
+
+#define A_CMDQ_BASE        0x90 /* 64b */
+REG32(CMDQ_PROD,           0x98)
+REG32(CMDQ_CONS,           0x9c)
+    FIELD(CMDQ_CONS, ERR, 24, 7)
+
+#define A_EVENTQ_BASE      0xa0 /* 64b */
+REG32(EVENTQ_PROD,         0xa8)
+REG32(EVENTQ_CONS,         0xac)
+
+#define A_EVENTQ_IRQ_CFG0  0xb0 /* 64b */
+REG32(EVENTQ_IRQ_CFG1,     0xb8)
+REG32(EVENTQ_IRQ_CFG2,     0xbc)
+
+#define A_IDREGS           0xfd0
+
+static inline int smmu_enabled(SMMUv3State *s)
+{
+    return FIELD_EX32(s->cr[0], CR0, SMMU_ENABLE);
+}
+
+/* Command Queue Entry */
+typedef struct Cmd {
+    uint32_t word[4];
+} Cmd;
+
+/* Event Queue Entry */
+typedef struct Evt  {
+    uint32_t word[8];
+} Evt;
+
+static inline uint32_t smmuv3_idreg(int regoffset)
+{
+    /*
+     * Return the value of the Primecell/Corelink ID registers at the
+     * specified offset from the first ID register.
+     * These value indicate an ARM implementation of MMU600 p1
+     */
+    static const uint8_t smmuv3_ids[] = {
+        0x04, 0, 0, 0, 0x84, 0xB4, 0xF0, 0x10, 0x0D, 0xF0, 0x05, 0xB1
+    };
+    return smmuv3_ids[regoffset / 4];
+}
+
+#endif
diff --git a/include/hw/arm/smmuv3.h b/include/hw/arm/smmuv3.h
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/include/hw/arm/smmuv3.h
@@ -XXX,XX +XXX,XX @@
+/*
+ * Copyright (C) 2014-2016 Broadcom Corporation
+ * Copyright (c) 2017 Red Hat, Inc.
+ * Written by Prem Mallappa, Eric Auger
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef HW_ARM_SMMUV3_H
+#define HW_ARM_SMMUV3_H
+
+#include "hw/arm/smmu-common.h"
+#include "hw/registerfields.h"
+
+#define TYPE_SMMUV3_IOMMU_MEMORY_REGION "smmuv3-iommu-memory-region"
+
+typedef struct SMMUQueue {
+     uint64_t base; /* base register */
+     uint32_t prod;
+     uint32_t cons;
+     uint8_t entry_size;
+     uint8_t log2size;
+} SMMUQueue;
+
+typedef struct SMMUv3State {
+    SMMUState     smmu_state;
+
+    uint32_t features;
+    uint8_t sid_size;
+    uint8_t sid_split;
+
+    uint32_t idr[6];
+    uint32_t iidr;
+    uint32_t cr[3];
+    uint32_t cr0ack;
+    uint32_t statusr;
+    uint32_t irq_ctrl;
+    uint32_t gerror;
+    uint32_t gerrorn;
+    uint64_t gerror_irq_cfg0;
+    uint32_t gerror_irq_cfg1;
+    uint32_t gerror_irq_cfg2;
+    uint64_t strtab_base;
+    uint32_t strtab_base_cfg;
+    uint64_t eventq_irq_cfg0;
+    uint32_t eventq_irq_cfg1;
+    uint32_t eventq_irq_cfg2;
+
+    SMMUQueue eventq, cmdq;
+
+    qemu_irq     irq[4];
+} SMMUv3State;
+
+typedef enum {
+    SMMU_IRQ_EVTQ,
+    SMMU_IRQ_PRIQ,
+    SMMU_IRQ_CMD_SYNC,
+    SMMU_IRQ_GERROR,
+} SMMUIrq;
+
+typedef struct {
+    /*< private >*/
+    SMMUBaseClass smmu_base_class;
+    /*< public >*/
+
+    DeviceRealize parent_realize;
+    DeviceReset   parent_reset;
+} SMMUv3Class;
+
+#define TYPE_ARM_SMMUV3   "arm-smmuv3"
+#define ARM_SMMUV3(obj) OBJECT_CHECK(SMMUv3State, (obj), TYPE_ARM_SMMUV3)
+#define ARM_SMMUV3_CLASS(klass)                              \
+    OBJECT_CLASS_CHECK(SMMUv3Class, (klass), TYPE_ARM_SMMUV3)
+#define ARM_SMMUV3_GET_CLASS(obj) \
+     OBJECT_GET_CLASS(SMMUv3Class, (obj), TYPE_ARM_SMMUV3)
+
+#endif
diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * Copyright (C) 2014-2016 Broadcom Corporation
+ * Copyright (c) 2017 Red Hat, Inc.
+ * Written by Prem Mallappa, Eric Auger
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "qemu/osdep.h"
+#include "hw/boards.h"
+#include "sysemu/sysemu.h"
+#include "hw/sysbus.h"
+#include "hw/qdev-core.h"
+#include "hw/pci/pci.h"
+#include "exec/address-spaces.h"
+#include "trace.h"
+#include "qemu/log.h"
+#include "qemu/error-report.h"
+#include "qapi/error.h"
+
+#include "hw/arm/smmuv3.h"
+#include "smmuv3-internal.h"
+
+static void smmuv3_init_regs(SMMUv3State *s)
+{
+    /**
+     * IDR0: stage1 only, AArch64 only, coherent access, 16b ASID,
+     *       multi-level stream table
+     */
+    s->idr[0] = FIELD_DP32(s->idr[0], IDR0, S1P, 1); /* stage 1 supported */
+    s->idr[0] = FIELD_DP32(s->idr[0], IDR0, TTF, 2); /* AArch64 PTW only */
+    s->idr[0] = FIELD_DP32(s->idr[0], IDR0, COHACC, 1); /* IO coherent */
+    s->idr[0] = FIELD_DP32(s->idr[0], IDR0, ASID16, 1); /* 16-bit ASID */
+    s->idr[0] = FIELD_DP32(s->idr[0], IDR0, TTENDIAN, 2); /* little endian */
+    s->idr[0] = FIELD_DP32(s->idr[0], IDR0, STALL_MODEL, 1); /* No stall */
+    /* terminated transaction will always be aborted/error returned */
+    s->idr[0] = FIELD_DP32(s->idr[0], IDR0, TERM_MODEL, 1);
+    /* 2-level stream table supported */
+    s->idr[0] = FIELD_DP32(s->idr[0], IDR0, STLEVEL, 1);
+
+    s->idr[1] = FIELD_DP32(s->idr[1], IDR1, SIDSIZE, SMMU_IDR1_SIDSIZE);
+    s->idr[1] = FIELD_DP32(s->idr[1], IDR1, EVENTQS, SMMU_EVENTQS);
+    s->idr[1] = FIELD_DP32(s->idr[1], IDR1, CMDQS,   SMMU_CMDQS);
+
+   /* 4K and 64K granule support */
+    s->idr[5] = FIELD_DP32(s->idr[5], IDR5, GRAN4K, 1);
+    s->idr[5] = FIELD_DP32(s->idr[5], IDR5, GRAN64K, 1);
+    s->idr[5] = FIELD_DP32(s->idr[5], IDR5, OAS, SMMU_IDR5_OAS); /* 44 bits */
+
+    s->cmdq.base = deposit64(s->cmdq.base, 0, 5, SMMU_CMDQS);
+    s->cmdq.prod = 0;
+    s->cmdq.cons = 0;
+    s->cmdq.entry_size = sizeof(struct Cmd);
+    s->eventq.base = deposit64(s->eventq.base, 0, 5, SMMU_EVENTQS);
+    s->eventq.prod = 0;
+    s->eventq.cons = 0;
+    s->eventq.entry_size = sizeof(struct Evt);
+
+    s->features = 0;
+    s->sid_split = 0;
+}
+
+static MemTxResult smmu_write_mmio(void *opaque, hwaddr offset, uint64_t data,
+                                   unsigned size, MemTxAttrs attrs)
+{
+    /* not yet implemented */
+    return MEMTX_ERROR;
+}
+
+static MemTxResult smmu_readll(SMMUv3State *s, hwaddr offset,
+                               uint64_t *data, MemTxAttrs attrs)
+{
+    switch (offset) {
+    case A_GERROR_IRQ_CFG0:
+        *data = s->gerror_irq_cfg0;
+        return MEMTX_OK;
+    case A_STRTAB_BASE:
+        *data = s->strtab_base;
+        return MEMTX_OK;
+    case A_CMDQ_BASE:
+        *data = s->cmdq.base;
+        return MEMTX_OK;
+    case A_EVENTQ_BASE:
+        *data = s->eventq.base;
+        return MEMTX_OK;
+    default:
+        *data = 0;
+        qemu_log_mask(LOG_UNIMP,
+                      "%s Unexpected 64-bit access to 0x%"PRIx64" (RAZ)\n",
+                      __func__, offset);
+        return MEMTX_OK;
+    }
+}
+
+static MemTxResult smmu_readl(SMMUv3State *s, hwaddr offset,
+                              uint64_t *data, MemTxAttrs attrs)
+{
+    switch (offset) {
+    case A_IDREGS ... A_IDREGS + 0x1f:
+        *data = smmuv3_idreg(offset - A_IDREGS);
+        return MEMTX_OK;
+    case A_IDR0 ... A_IDR5:
+        *data = s->idr[(offset - A_IDR0) / 4];
+        return MEMTX_OK;
+    case A_IIDR:
+        *data = s->iidr;
+        return MEMTX_OK;
+    case A_CR0:
+        *data = s->cr[0];
+        return MEMTX_OK;
+    case A_CR0ACK:
+        *data = s->cr0ack;
+        return MEMTX_OK;
+    case A_CR1:
+        *data = s->cr[1];
+        return MEMTX_OK;
+    case A_CR2:
+        *data = s->cr[2];
+        return MEMTX_OK;
+    case A_STATUSR:
+        *data = s->statusr;
+        return MEMTX_OK;
+    case A_IRQ_CTRL:
+    case A_IRQ_CTRL_ACK:
+        *data = s->irq_ctrl;
+        return MEMTX_OK;
+    case A_GERROR:
+        *data = s->gerror;
+        return MEMTX_OK;
+    case A_GERRORN:
+        *data = s->gerrorn;
+        return MEMTX_OK;
+    case A_GERROR_IRQ_CFG0: /* 64b */
+        *data = extract64(s->gerror_irq_cfg0, 0, 32);
+        return MEMTX_OK;
+    case A_GERROR_IRQ_CFG0 + 4:
+        *data = extract64(s->gerror_irq_cfg0, 32, 32);
+        return MEMTX_OK;
+    case A_GERROR_IRQ_CFG1:
+        *data = s->gerror_irq_cfg1;
+        return MEMTX_OK;
+    case A_GERROR_IRQ_CFG2:
+        *data = s->gerror_irq_cfg2;
+        return MEMTX_OK;
+    case A_STRTAB_BASE: /* 64b */
+        *data = extract64(s->strtab_base, 0, 32);
+        return MEMTX_OK;
+    case A_STRTAB_BASE + 4: /* 64b */
+        *data = extract64(s->strtab_base, 32, 32);
+        return MEMTX_OK;
+    case A_STRTAB_BASE_CFG:
+        *data = s->strtab_base_cfg;
+        return MEMTX_OK;
+    case A_CMDQ_BASE: /* 64b */
+        *data = extract64(s->cmdq.base, 0, 32);
+        return MEMTX_OK;
+    case A_CMDQ_BASE + 4:
+        *data = extract64(s->cmdq.base, 32, 32);
+        return MEMTX_OK;
+    case A_CMDQ_PROD:
+        *data = s->cmdq.prod;
+        return MEMTX_OK;
+    case A_CMDQ_CONS:
+        *data = s->cmdq.cons;
+        return MEMTX_OK;
+    case A_EVENTQ_BASE: /* 64b */
+        *data = extract64(s->eventq.base, 0, 32);
+        return MEMTX_OK;
+    case A_EVENTQ_BASE + 4: /* 64b */
+        *data = extract64(s->eventq.base, 32, 32);
+        return MEMTX_OK;
+    case A_EVENTQ_PROD:
+        *data = s->eventq.prod;
+        return MEMTX_OK;
+    case A_EVENTQ_CONS:
+        *data = s->eventq.cons;
+        return MEMTX_OK;
+    default:
+        *data = 0;
+        qemu_log_mask(LOG_UNIMP,
+                      "%s unhandled 32-bit access at 0x%"PRIx64" (RAZ)\n",
+                      __func__, offset);
+        return MEMTX_OK;
+    }
+}
+
+static MemTxResult smmu_read_mmio(void *opaque, hwaddr offset, uint64_t *data,
+                                  unsigned size, MemTxAttrs attrs)
+{
+    SMMUState *sys = opaque;
+    SMMUv3State *s = ARM_SMMUV3(sys);
+    MemTxResult r;
+
+    /* CONSTRAINED UNPREDICTABLE choice to have page0/1 be exact aliases */
+    offset &= ~0x10000;
+
+    switch (size) {
+    case 8:
+        r = smmu_readll(s, offset, data, attrs);
+        break;
+    case 4:
+        r = smmu_readl(s, offset, data, attrs);
+        break;
+    default:
+        r = MEMTX_ERROR;
+        break;
+    }
+
+    trace_smmuv3_read_mmio(offset, *data, size, r);
+    return r;
+}
+
+static const MemoryRegionOps smmu_mem_ops = {
+    .read_with_attrs = smmu_read_mmio,
+    .write_with_attrs = smmu_write_mmio,
+    .endianness = DEVICE_LITTLE_ENDIAN,
+    .valid = {
+        .min_access_size = 4,
+        .max_access_size = 8,
+    },
+    .impl = {
+        .min_access_size = 4,
+        .max_access_size = 8,
+    },
+};
+
+static void smmu_init_irq(SMMUv3State *s, SysBusDevice *dev)
+{
+    int i;
+
+    for (i = 0; i < ARRAY_SIZE(s->irq); i++) {
+        sysbus_init_irq(dev, &s->irq[i]);
+    }
+}
+
+static void smmu_reset(DeviceState *dev)
+{
+    SMMUv3State *s = ARM_SMMUV3(dev);
+    SMMUv3Class *c = ARM_SMMUV3_GET_CLASS(s);
+
+    c->parent_reset(dev);
+
+    smmuv3_init_regs(s);
+}
+
+static void smmu_realize(DeviceState *d, Error **errp)
+{
+    SMMUState *sys = ARM_SMMU(d);
+    SMMUv3State *s = ARM_SMMUV3(sys);
+    SMMUv3Class *c = ARM_SMMUV3_GET_CLASS(s);
+    SysBusDevice *dev = SYS_BUS_DEVICE(d);
+    Error *local_err = NULL;
+
+    c->parent_realize(d, &local_err);
+    if (local_err) {
+        error_propagate(errp, local_err);
+        return;
+    }
+
+    memory_region_init_io(&sys->iomem, OBJECT(s),
+                          &smmu_mem_ops, sys, TYPE_ARM_SMMUV3, 0x20000);
+
+    sys->mrtypename = TYPE_SMMUV3_IOMMU_MEMORY_REGION;
+
+    sysbus_init_mmio(dev, &sys->iomem);
+
+    smmu_init_irq(s, dev);
+}
+
+static const VMStateDescription vmstate_smmuv3_queue = {
+    .name = "smmuv3_queue",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .fields = (VMStateField[]) {
+        VMSTATE_UINT64(base, SMMUQueue),
+        VMSTATE_UINT32(prod, SMMUQueue),
+        VMSTATE_UINT32(cons, SMMUQueue),
+        VMSTATE_UINT8(log2size, SMMUQueue),
+    },
+};
+
+static const VMStateDescription vmstate_smmuv3 = {
+    .name = "smmuv3",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .fields = (VMStateField[]) {
+        VMSTATE_UINT32(features, SMMUv3State),
+        VMSTATE_UINT8(sid_size, SMMUv3State),
+        VMSTATE_UINT8(sid_split, SMMUv3State),
+
+        VMSTATE_UINT32_ARRAY(cr, SMMUv3State, 3),
+        VMSTATE_UINT32(cr0ack, SMMUv3State),
+        VMSTATE_UINT32(statusr, SMMUv3State),
+        VMSTATE_UINT32(irq_ctrl, SMMUv3State),
+        VMSTATE_UINT32(gerror, SMMUv3State),
+        VMSTATE_UINT32(gerrorn, SMMUv3State),
+        VMSTATE_UINT64(gerror_irq_cfg0, SMMUv3State),
+        VMSTATE_UINT32(gerror_irq_cfg1, SMMUv3State),
+        VMSTATE_UINT32(gerror_irq_cfg2, SMMUv3State),
+        VMSTATE_UINT64(strtab_base, SMMUv3State),
+        VMSTATE_UINT32(strtab_base_cfg, SMMUv3State),
+        VMSTATE_UINT64(eventq_irq_cfg0, SMMUv3State),
+        VMSTATE_UINT32(eventq_irq_cfg1, SMMUv3State),
+        VMSTATE_UINT32(eventq_irq_cfg2, SMMUv3State),
+
+        VMSTATE_STRUCT(cmdq, SMMUv3State, 0, vmstate_smmuv3_queue, SMMUQueue),
+        VMSTATE_STRUCT(eventq, SMMUv3State, 0, vmstate_smmuv3_queue, SMMUQueue),
+
+        VMSTATE_END_OF_LIST(),
+    },
+};
+
+static void smmuv3_instance_init(Object *obj)
+{
+    /* Nothing much to do here as of now */
+}
+
+static void smmuv3_class_init(ObjectClass *klass, void *data)
+{
+    DeviceClass *dc = DEVICE_CLASS(klass);
+    SMMUv3Class *c = ARM_SMMUV3_CLASS(klass);
+
+    dc->vmsd = &vmstate_smmuv3;
+    device_class_set_parent_reset(dc, smmu_reset, &c->parent_reset);
+    c->parent_realize = dc->realize;
+    dc->realize = smmu_realize;
+}
+
+static void smmuv3_iommu_memory_region_class_init(ObjectClass *klass,
+                                                  void *data)
+{
+}
+
+static const TypeInfo smmuv3_type_info = {
+    .name          = TYPE_ARM_SMMUV3,
+    .parent        = TYPE_ARM_SMMU,
+    .instance_size = sizeof(SMMUv3State),
+    .instance_init = smmuv3_instance_init,
+    .class_size    = sizeof(SMMUv3Class),
+    .class_init    = smmuv3_class_init,
+};
+
+static const TypeInfo smmuv3_iommu_memory_region_info = {
+    .parent = TYPE_IOMMU_MEMORY_REGION,
+    .name = TYPE_SMMUV3_IOMMU_MEMORY_REGION,
+    .class_init = smmuv3_iommu_memory_region_class_init,
+};
+
+static void smmuv3_register_types(void)
+{
+    type_register(&smmuv3_type_info);
+    type_register(&smmuv3_iommu_memory_region_info);
+}
+
+type_init(smmuv3_register_types)
+
diff --git a/hw/arm/trace-events b/hw/arm/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/trace-events
+++ b/hw/arm/trace-events
@@ -XXX,XX +XXX,XX @@ smmu_ptw_invalid_pte(int stage, int level, uint64_t baseaddr, uint64_t pteaddr,
 smmu_ptw_page_pte(int stage, int level,  uint64_t iova, uint64_t baseaddr, uint64_t pteaddr, uint64_t pte, uint64_t address) "stage=%d level=%d iova=0x%"PRIx64" base@=0x%"PRIx64" pte@=0x%"PRIx64" pte=0x%"PRIx64" page address = 0x%"PRIx64
 smmu_ptw_block_pte(int stage, int level, uint64_t baseaddr, uint64_t pteaddr, uint64_t pte, uint64_t iova, uint64_t gpa, int bsize_mb) "stage=%d level=%d base@=0x%"PRIx64" pte@=0x%"PRIx64" pte=0x%"PRIx64" iova=0x%"PRIx64" block address = 0x%"PRIx64" block size = %d MiB"
 smmu_get_pte(uint64_t baseaddr, int index, uint64_t pteaddr, uint64_t pte) "baseaddr=0x%"PRIx64" index=0x%x, pteaddr=0x%"PRIx64", pte=0x%"PRIx64
+
+#hw/arm/smmuv3.c
+smmuv3_read_mmio(uint64_t addr, uint64_t val, unsigned size, uint32_t r) "addr: 0x%"PRIx64" val:0x%"PRIx64" size: 0x%x(%d)"
-- 
2.17.0

From: Eric Auger <eric.auger@redhat.com>

We introduce some helpers to handle wired IRQs and especially
GERROR interrupt. SMMU writes GERROR register on GERROR event
and SW acks GERROR interrupts by setting GERRORn.

The Wired interrupts are edge sensitive hence the pulse usage.

Signed-off-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Prem Mallappa <prem.mallappa@broadcom.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1524665762-31355-6-git-send-email-eric.auger@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/smmuv3-internal.h | 14 +++++++++
 hw/arm/smmuv3.c          | 64 ++++++++++++++++++++++++++++++++++++++++
 hw/arm/trace-events      |  3 ++
 3 files changed, 81 insertions(+)

diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3-internal.h
+++ b/hw/arm/smmuv3-internal.h
@@ -XXX,XX +XXX,XX @@ static inline uint32_t smmuv3_idreg(int regoffset)
     return smmuv3_ids[regoffset / 4];
 }
 
+static inline bool smmuv3_eventq_irq_enabled(SMMUv3State *s)
+{
+    return FIELD_EX32(s->irq_ctrl, IRQ_CTRL, EVENTQ_IRQEN);
+}
+
+static inline bool smmuv3_gerror_irq_enabled(SMMUv3State *s)
+{
+    return FIELD_EX32(s->irq_ctrl, IRQ_CTRL, GERROR_IRQEN);
+}
+
+/* public until callers get introduced */
+void smmuv3_trigger_irq(SMMUv3State *s, SMMUIrq irq, uint32_t gerror_mask);
+void smmuv3_write_gerrorn(SMMUv3State *s, uint32_t gerrorn);
+
 #endif
diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/arm/smmuv3.h"
 #include "smmuv3-internal.h"
 
+/**
+ * smmuv3_trigger_irq - pulse @irq if enabled and update
+ * GERROR register in case of GERROR interrupt
+ *
+ * @irq: irq type
+ * @gerror_mask: mask of gerrors to toggle (relevant if @irq is GERROR)
+ */
+void smmuv3_trigger_irq(SMMUv3State *s, SMMUIrq irq, uint32_t gerror_mask)
+{
+
+    bool pulse = false;
+
+    switch (irq) {
+    case SMMU_IRQ_EVTQ:
+        pulse = smmuv3_eventq_irq_enabled(s);
+        break;
+    case SMMU_IRQ_PRIQ:
+        qemu_log_mask(LOG_UNIMP, "PRI not yet supported\n");
+        break;
+    case SMMU_IRQ_CMD_SYNC:
+        pulse = true;
+        break;
+    case SMMU_IRQ_GERROR:
+    {
+        uint32_t pending = s->gerror ^ s->gerrorn;
+        uint32_t new_gerrors = ~pending & gerror_mask;
+
+        if (!new_gerrors) {
+            /* only toggle non pending errors */
+            return;
+        }
+        s->gerror ^= new_gerrors;
+        trace_smmuv3_write_gerror(new_gerrors, s->gerror);
+
+        pulse = smmuv3_gerror_irq_enabled(s);
+        break;
+    }
+    }
+    if (pulse) {
+            trace_smmuv3_trigger_irq(irq);
+            qemu_irq_pulse(s->irq[irq]);
+    }
+}
+
+void smmuv3_write_gerrorn(SMMUv3State *s, uint32_t new_gerrorn)
+{
+    uint32_t pending = s->gerror ^ s->gerrorn;
+    uint32_t toggled = s->gerrorn ^ new_gerrorn;
+
+    if (toggled & ~pending) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "guest toggles non pending errors = 0x%x\n",
+                      toggled & ~pending);
+    }
+
+    /*
+     * We do not raise any error in case guest toggles bits corresponding
+     * to not active IRQs (CONSTRAINED UNPREDICTABLE)
+     */
+    s->gerrorn = new_gerrorn;
+
+    trace_smmuv3_write_gerrorn(toggled & pending, s->gerrorn);
+}
+
 static void smmuv3_init_regs(SMMUv3State *s)
 {
     /**
diff --git a/hw/arm/trace-events b/hw/arm/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/trace-events
+++ b/hw/arm/trace-events
@@ -XXX,XX +XXX,XX @@ smmu_get_pte(uint64_t baseaddr, int index, uint64_t pteaddr, uint64_t pte) "base
 
 #hw/arm/smmuv3.c
 smmuv3_read_mmio(uint64_t addr, uint64_t val, unsigned size, uint32_t r) "addr: 0x%"PRIx64" val:0x%"PRIx64" size: 0x%x(%d)"
+smmuv3_trigger_irq(int irq) "irq=%d"
+smmuv3_write_gerror(uint32_t toggled, uint32_t gerror) "toggled=0x%x, new GERROR=0x%x"
+smmuv3_write_gerrorn(uint32_t acked, uint32_t gerrorn) "acked=0x%x, new GERRORN=0x%x"
-- 
2.17.0

From: Eric Auger <eric.auger@redhat.com>

We introduce helpers to read/write into the command and event
circular queues.

smmuv3_write_eventq and smmuv3_cmq_consume will become static
in subsequent patches.

Invalidation commands are not yet dealt with. We do not cache
data that need to be invalidated. This will change with vhost
integration.

Signed-off-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Prem Mallappa <prem.mallappa@broadcom.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1524665762-31355-7-git-send-email-eric.auger@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/smmuv3-internal.h | 163 +++++++++++++++++++++++++++++++++++++++
 hw/arm/smmuv3.c          | 136 ++++++++++++++++++++++++++++++++
 hw/arm/trace-events      |   5 ++
 3 files changed, 304 insertions(+)

diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3-internal.h
+++ b/hw/arm/smmuv3-internal.h
@@ -XXX,XX +XXX,XX @@ static inline bool smmuv3_gerror_irq_enabled(SMMUv3State *s)
 void smmuv3_trigger_irq(SMMUv3State *s, SMMUIrq irq, uint32_t gerror_mask);
 void smmuv3_write_gerrorn(SMMUv3State *s, uint32_t gerrorn);
 
+/* Queue Handling */
+
+#define Q_BASE(q)          ((q)->base & SMMU_BASE_ADDR_MASK)
+#define WRAP_MASK(q)       (1 << (q)->log2size)
+#define INDEX_MASK(q)      (((1 << (q)->log2size)) - 1)
+#define WRAP_INDEX_MASK(q) ((1 << ((q)->log2size + 1)) - 1)
+
+#define Q_CONS(q) ((q)->cons & INDEX_MASK(q))
+#define Q_PROD(q) ((q)->prod & INDEX_MASK(q))
+
+#define Q_CONS_ENTRY(q)  (Q_BASE(q) + (q)->entry_size * Q_CONS(q))
+#define Q_PROD_ENTRY(q)  (Q_BASE(q) + (q)->entry_size * Q_PROD(q))
+
+#define Q_CONS_WRAP(q) (((q)->cons & WRAP_MASK(q)) >> (q)->log2size)
+#define Q_PROD_WRAP(q) (((q)->prod & WRAP_MASK(q)) >> (q)->log2size)
+
+static inline bool smmuv3_q_full(SMMUQueue *q)
+{
+    return ((q->cons ^ q->prod) & WRAP_INDEX_MASK(q)) == WRAP_MASK(q);
+}
+
+static inline bool smmuv3_q_empty(SMMUQueue *q)
+{
+    return (q->cons & WRAP_INDEX_MASK(q)) == (q->prod & WRAP_INDEX_MASK(q));
+}
+
+static inline void queue_prod_incr(SMMUQueue *q)
+{
+    q->prod = (q->prod + 1) & WRAP_INDEX_MASK(q);
+}
+
+static inline void queue_cons_incr(SMMUQueue *q)
+{
+    /*
+     * We have to use deposit for the CONS registers to preserve
+     * the ERR field in the high bits.
+     */
+    q->cons = deposit32(q->cons, 0, q->log2size + 1, q->cons + 1);
+}
+
+static inline bool smmuv3_cmdq_enabled(SMMUv3State *s)
+{
+    return FIELD_EX32(s->cr[0], CR0, CMDQEN);
+}
+
+static inline bool smmuv3_eventq_enabled(SMMUv3State *s)
+{
+    return FIELD_EX32(s->cr[0], CR0, EVENTQEN);
+}
+
+static inline void smmu_write_cmdq_err(SMMUv3State *s, uint32_t err_type)
+{
+    s->cmdq.cons = FIELD_DP32(s->cmdq.cons, CMDQ_CONS, ERR, err_type);
+}
+
+void smmuv3_write_eventq(SMMUv3State *s, Evt *evt);
+
+/* Commands */
+
+typedef enum SMMUCommandType {
+    SMMU_CMD_NONE            = 0x00,
+    SMMU_CMD_PREFETCH_CONFIG       ,
+    SMMU_CMD_PREFETCH_ADDR,
+    SMMU_CMD_CFGI_STE,
+    SMMU_CMD_CFGI_STE_RANGE,
+    SMMU_CMD_CFGI_CD,
+    SMMU_CMD_CFGI_CD_ALL,
+    SMMU_CMD_CFGI_ALL,
+    SMMU_CMD_TLBI_NH_ALL     = 0x10,
+    SMMU_CMD_TLBI_NH_ASID,
+    SMMU_CMD_TLBI_NH_VA,
+    SMMU_CMD_TLBI_NH_VAA,
+    SMMU_CMD_TLBI_EL3_ALL    = 0x18,
+    SMMU_CMD_TLBI_EL3_VA     = 0x1a,
+    SMMU_CMD_TLBI_EL2_ALL    = 0x20,
+    SMMU_CMD_TLBI_EL2_ASID,
+    SMMU_CMD_TLBI_EL2_VA,
+    SMMU_CMD_TLBI_EL2_VAA,
+    SMMU_CMD_TLBI_S12_VMALL  = 0x28,
+    SMMU_CMD_TLBI_S2_IPA     = 0x2a,
+    SMMU_CMD_TLBI_NSNH_ALL   = 0x30,
+    SMMU_CMD_ATC_INV         = 0x40,
+    SMMU_CMD_PRI_RESP,
+    SMMU_CMD_RESUME          = 0x44,
+    SMMU_CMD_STALL_TERM,
+    SMMU_CMD_SYNC,
+} SMMUCommandType;
+
+static const char *cmd_stringify[] = {
+    [SMMU_CMD_PREFETCH_CONFIG] = "SMMU_CMD_PREFETCH_CONFIG",
+    [SMMU_CMD_PREFETCH_ADDR]   = "SMMU_CMD_PREFETCH_ADDR",
+    [SMMU_CMD_CFGI_STE]        = "SMMU_CMD_CFGI_STE",
+    [SMMU_CMD_CFGI_STE_RANGE]  = "SMMU_CMD_CFGI_STE_RANGE",
+    [SMMU_CMD_CFGI_CD]         = "SMMU_CMD_CFGI_CD",
+    [SMMU_CMD_CFGI_CD_ALL]     = "SMMU_CMD_CFGI_CD_ALL",
+    [SMMU_CMD_CFGI_ALL]        = "SMMU_CMD_CFGI_ALL",
+    [SMMU_CMD_TLBI_NH_ALL]     = "SMMU_CMD_TLBI_NH_ALL",
+    [SMMU_CMD_TLBI_NH_ASID]    = "SMMU_CMD_TLBI_NH_ASID",
+    [SMMU_CMD_TLBI_NH_VA]      = "SMMU_CMD_TLBI_NH_VA",
+    [SMMU_CMD_TLBI_NH_VAA]     = "SMMU_CMD_TLBI_NH_VAA",
+    [SMMU_CMD_TLBI_EL3_ALL]    = "SMMU_CMD_TLBI_EL3_ALL",
+    [SMMU_CMD_TLBI_EL3_VA]     = "SMMU_CMD_TLBI_EL3_VA",
+    [SMMU_CMD_TLBI_EL2_ALL]    = "SMMU_CMD_TLBI_EL2_ALL",
+    [SMMU_CMD_TLBI_EL2_ASID]   = "SMMU_CMD_TLBI_EL2_ASID",
+    [SMMU_CMD_TLBI_EL2_VA]     = "SMMU_CMD_TLBI_EL2_VA",
+    [SMMU_CMD_TLBI_EL2_VAA]    = "SMMU_CMD_TLBI_EL2_VAA",
+    [SMMU_CMD_TLBI_S12_VMALL]  = "SMMU_CMD_TLBI_S12_VMALL",
+    [SMMU_CMD_TLBI_S2_IPA]     = "SMMU_CMD_TLBI_S2_IPA",
+    [SMMU_CMD_TLBI_NSNH_ALL]   = "SMMU_CMD_TLBI_NSNH_ALL",
+    [SMMU_CMD_ATC_INV]         = "SMMU_CMD_ATC_INV",
+    [SMMU_CMD_PRI_RESP]        = "SMMU_CMD_PRI_RESP",
+    [SMMU_CMD_RESUME]          = "SMMU_CMD_RESUME",
+    [SMMU_CMD_STALL_TERM]      = "SMMU_CMD_STALL_TERM",
+    [SMMU_CMD_SYNC]            = "SMMU_CMD_SYNC",
+};
+
+static inline const char *smmu_cmd_string(SMMUCommandType type)
+{
+    if (type > SMMU_CMD_NONE && type < ARRAY_SIZE(cmd_stringify)) {
+        return cmd_stringify[type] ? cmd_stringify[type] : "UNKNOWN";
+    } else {
+        return "INVALID";
+    }
+}
+
+/* CMDQ fields */
+
+typedef enum {
+    SMMU_CERROR_NONE = 0,
+    SMMU_CERROR_ILL,
+    SMMU_CERROR_ABT,
+    SMMU_CERROR_ATC_INV_SYNC,
+} SMMUCmdError;
+
+enum { /* Command completion notification */
+    CMD_SYNC_SIG_NONE,
+    CMD_SYNC_SIG_IRQ,
+    CMD_SYNC_SIG_SEV,
+};
+
+#define CMD_TYPE(x)         extract32((x)->word[0], 0 , 8)
+#define CMD_SSEC(x)         extract32((x)->word[0], 10, 1)
+#define CMD_SSV(x)          extract32((x)->word[0], 11, 1)
+#define CMD_RESUME_AC(x)    extract32((x)->word[0], 12, 1)
+#define CMD_RESUME_AB(x)    extract32((x)->word[0], 13, 1)
+#define CMD_SYNC_CS(x)      extract32((x)->word[0], 12, 2)
+#define CMD_SSID(x)         extract32((x)->word[0], 12, 20)
+#define CMD_SID(x)          ((x)->word[1])
+#define CMD_VMID(x)         extract32((x)->word[1], 0 , 16)
+#define CMD_ASID(x)         extract32((x)->word[1], 16, 16)
+#define CMD_RESUME_STAG(x)  extract32((x)->word[2], 0 , 16)
+#define CMD_RESP(x)         extract32((x)->word[2], 11, 2)
+#define CMD_LEAF(x)         extract32((x)->word[2], 0 , 1)
+#define CMD_STE_RANGE(x)    extract32((x)->word[2], 0 , 5)
+#define CMD_ADDR(x) ({                                        \
+            uint64_t high = (uint64_t)(x)->word[3];           \
+            uint64_t low = extract32((x)->word[2], 12, 20);    \
+            uint64_t addr = high << 32 | (low << 12);         \
+            addr;                                             \
+        })
+
+int smmuv3_cmdq_consume(SMMUv3State *s);
+
 #endif
diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@ void smmuv3_write_gerrorn(SMMUv3State *s, uint32_t new_gerrorn)
     trace_smmuv3_write_gerrorn(toggled & pending, s->gerrorn);
 }
 
+static inline MemTxResult queue_read(SMMUQueue *q, void *data)
+{
+    dma_addr_t addr = Q_CONS_ENTRY(q);
+
+    return dma_memory_read(&address_space_memory, addr, data, q->entry_size);
+}
+
+static MemTxResult queue_write(SMMUQueue *q, void *data)
+{
+    dma_addr_t addr = Q_PROD_ENTRY(q);
+    MemTxResult ret;
+
+    ret = dma_memory_write(&address_space_memory, addr, data, q->entry_size);
+    if (ret != MEMTX_OK) {
+        return ret;
+    }
+
+    queue_prod_incr(q);
+    return MEMTX_OK;
+}
+
+void smmuv3_write_eventq(SMMUv3State *s, Evt *evt)
+{
+    SMMUQueue *q = &s->eventq;
+
+    if (!smmuv3_eventq_enabled(s)) {
+        return;
+    }
+
+    if (smmuv3_q_full(q)) {
+        return;
+    }
+
+    queue_write(q, evt);
+
+    if (smmuv3_q_empty(q)) {
+        smmuv3_trigger_irq(s, SMMU_IRQ_EVTQ, 0);
+    }
+}
+
 static void smmuv3_init_regs(SMMUv3State *s)
 {
     /**
@@ -XXX,XX +XXX,XX @@ static void smmuv3_init_regs(SMMUv3State *s)
     s->sid_split = 0;
 }
 
+int smmuv3_cmdq_consume(SMMUv3State *s)
+{
+    SMMUCmdError cmd_error = SMMU_CERROR_NONE;
+    SMMUQueue *q = &s->cmdq;
+    SMMUCommandType type = 0;
+
+    if (!smmuv3_cmdq_enabled(s)) {
+        return 0;
+    }
+    /*
+     * some commands depend on register values, typically CR0. In case those
+     * register values change while handling the command, spec says it
+     * is UNPREDICTABLE whether the command is interpreted under the new
+     * or old value.
+     */
+
+    while (!smmuv3_q_empty(q)) {
+        uint32_t pending = s->gerror ^ s->gerrorn;
+        Cmd cmd;
+
+        trace_smmuv3_cmdq_consume(Q_PROD(q), Q_CONS(q),
+                                  Q_PROD_WRAP(q), Q_CONS_WRAP(q));
+
+        if (FIELD_EX32(pending, GERROR, CMDQ_ERR)) {
+            break;
+        }
+
+        if (queue_read(q, &cmd) != MEMTX_OK) {
+            cmd_error = SMMU_CERROR_ABT;
+            break;
+        }
+
+        type = CMD_TYPE(&cmd);
+
+        trace_smmuv3_cmdq_opcode(smmu_cmd_string(type));
+
+        switch (type) {
+        case SMMU_CMD_SYNC:
+            if (CMD_SYNC_CS(&cmd) & CMD_SYNC_SIG_IRQ) {
+                smmuv3_trigger_irq(s, SMMU_IRQ_CMD_SYNC, 0);
+            }
+            break;
+        case SMMU_CMD_PREFETCH_CONFIG:
+        case SMMU_CMD_PREFETCH_ADDR:
+        case SMMU_CMD_CFGI_STE:
+        case SMMU_CMD_CFGI_STE_RANGE: /* same as SMMU_CMD_CFGI_ALL */
+        case SMMU_CMD_CFGI_CD:
+        case SMMU_CMD_CFGI_CD_ALL:
+        case SMMU_CMD_TLBI_NH_ALL:
+        case SMMU_CMD_TLBI_NH_ASID:
+        case SMMU_CMD_TLBI_NH_VA:
+        case SMMU_CMD_TLBI_NH_VAA:
+        case SMMU_CMD_TLBI_EL3_ALL:
+        case SMMU_CMD_TLBI_EL3_VA:
+        case SMMU_CMD_TLBI_EL2_ALL:
+        case SMMU_CMD_TLBI_EL2_ASID:
+        case SMMU_CMD_TLBI_EL2_VA:
+        case SMMU_CMD_TLBI_EL2_VAA:
+        case SMMU_CMD_TLBI_S12_VMALL:
+        case SMMU_CMD_TLBI_S2_IPA:
+        case SMMU_CMD_TLBI_NSNH_ALL:
+        case SMMU_CMD_ATC_INV:
+        case SMMU_CMD_PRI_RESP:
+        case SMMU_CMD_RESUME:
+        case SMMU_CMD_STALL_TERM:
+            trace_smmuv3_unhandled_cmd(type);
+            break;
+        default:
+            cmd_error = SMMU_CERROR_ILL;
+            qemu_log_mask(LOG_GUEST_ERROR,
+                          "Illegal command type: %d\n", CMD_TYPE(&cmd));
+            break;
+        }
+        if (cmd_error) {
+            break;
+        }
+        /*
+         * We only increment the cons index after the completion of
+         * the command. We do that because the SYNC returns immediately
+         * and does not check the completion of previous commands
+         */
+        queue_cons_incr(q);
+    }
+
+    if (cmd_error) {
+        trace_smmuv3_cmdq_consume_error(smmu_cmd_string(type), cmd_error);
+        smmu_write_cmdq_err(s, cmd_error);
+        smmuv3_trigger_irq(s, SMMU_IRQ_GERROR, R_GERROR_CMDQ_ERR_MASK);
+    }
+
+    trace_smmuv3_cmdq_consume_out(Q_PROD(q), Q_CONS(q),
+                                  Q_PROD_WRAP(q), Q_CONS_WRAP(q));
+
+    return 0;
+}
+
 static MemTxResult smmu_write_mmio(void *opaque, hwaddr offset, uint64_t data,
                                    unsigned size, MemTxAttrs attrs)
 {
diff --git a/hw/arm/trace-events b/hw/arm/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/trace-events
+++ b/hw/arm/trace-events
@@ -XXX,XX +XXX,XX @@ smmuv3_read_mmio(uint64_t addr, uint64_t val, unsigned size, uint32_t r) "addr:
 smmuv3_trigger_irq(int irq) "irq=%d"
 smmuv3_write_gerror(uint32_t toggled, uint32_t gerror) "toggled=0x%x, new GERROR=0x%x"
 smmuv3_write_gerrorn(uint32_t acked, uint32_t gerrorn) "acked=0x%x, new GERRORN=0x%x"
+smmuv3_unhandled_cmd(uint32_t type) "Unhandled command type=%d"
+smmuv3_cmdq_consume(uint32_t prod, uint32_t cons, uint8_t prod_wrap, uint8_t cons_wrap) "prod=%d cons=%d prod.wrap=%d cons.wrap=%d"
+smmuv3_cmdq_opcode(const char *opcode) "<--- %s"
+smmuv3_cmdq_consume_out(uint32_t prod, uint32_t cons, uint8_t prod_wrap, uint8_t cons_wrap) "prod:%d, cons:%d, prod_wrap:%d, cons_wrap:%d "
+smmuv3_cmdq_consume_error(const char *cmd_name, uint8_t cmd_error) "Error on %s command execution: %d"
-- 
2.17.0

From: Eric Auger <eric.auger@redhat.com>

Now we have relevant helpers for queue and irq
management, let's implement MMIO write operations.

Signed-off-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Prem Mallappa <prem.mallappa@broadcom.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1524665762-31355-8-git-send-email-eric.auger@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/smmuv3-internal.h |   8 +-
 hw/arm/smmuv3.c          | 170 +++++++++++++++++++++++++++++++++++++--
 hw/arm/trace-events      |   6 ++
 3 files changed, 174 insertions(+), 10 deletions(-)

diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3-internal.h
+++ b/hw/arm/smmuv3-internal.h
@@ -XXX,XX +XXX,XX @@ REG32(CR0,                 0x20)
     FIELD(CR0, EVENTQEN,      2, 1)
     FIELD(CR0, CMDQEN,        3, 1)
 
+#define SMMU_CR0_RESERVED 0xFFFFFC20
+
 REG32(CR0ACK,              0x24)
 REG32(CR1,                 0x28)
 REG32(CR2,                 0x2c)
@@ -XXX,XX +XXX,XX @@ static inline bool smmuv3_gerror_irq_enabled(SMMUv3State *s)
     return FIELD_EX32(s->irq_ctrl, IRQ_CTRL, GERROR_IRQEN);
 }
 
-/* public until callers get introduced */
-void smmuv3_trigger_irq(SMMUv3State *s, SMMUIrq irq, uint32_t gerror_mask);
-void smmuv3_write_gerrorn(SMMUv3State *s, uint32_t gerrorn);
-
 /* Queue Handling */
 
 #define Q_BASE(q)          ((q)->base & SMMU_BASE_ADDR_MASK)
@@ -XXX,XX +XXX,XX @@ enum { /* Command completion notification */
             addr;                                             \
         })
 
-int smmuv3_cmdq_consume(SMMUv3State *s);
+#define SMMU_FEATURE_2LVL_STE (1 << 0)
 
 #endif
diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@
  * @irq: irq type
  * @gerror_mask: mask of gerrors to toggle (relevant if @irq is GERROR)
  */
-void smmuv3_trigger_irq(SMMUv3State *s, SMMUIrq irq, uint32_t gerror_mask)
+static void smmuv3_trigger_irq(SMMUv3State *s, SMMUIrq irq,
+                               uint32_t gerror_mask)
 {
 
     bool pulse = false;
@@ -XXX,XX +XXX,XX @@ void smmuv3_trigger_irq(SMMUv3State *s, SMMUIrq irq, uint32_t gerror_mask)
     }
 }
 
-void smmuv3_write_gerrorn(SMMUv3State *s, uint32_t new_gerrorn)
+static void smmuv3_write_gerrorn(SMMUv3State *s, uint32_t new_gerrorn)
 {
     uint32_t pending = s->gerror ^ s->gerrorn;
     uint32_t toggled = s->gerrorn ^ new_gerrorn;
@@ -XXX,XX +XXX,XX @@ static void smmuv3_init_regs(SMMUv3State *s)
     s->sid_split = 0;
 }
 
-int smmuv3_cmdq_consume(SMMUv3State *s)
+static int smmuv3_cmdq_consume(SMMUv3State *s)
 {
     SMMUCmdError cmd_error = SMMU_CERROR_NONE;
     SMMUQueue *q = &s->cmdq;
@@ -XXX,XX +XXX,XX @@ int smmuv3_cmdq_consume(SMMUv3State *s)
     return 0;
 }
 
+static MemTxResult smmu_writell(SMMUv3State *s, hwaddr offset,
+                               uint64_t data, MemTxAttrs attrs)
+{
+    switch (offset) {
+    case A_GERROR_IRQ_CFG0:
+        s->gerror_irq_cfg0 = data;
+        return MEMTX_OK;
+    case A_STRTAB_BASE:
+        s->strtab_base = data;
+        return MEMTX_OK;
+    case A_CMDQ_BASE:
+        s->cmdq.base = data;
+        s->cmdq.log2size = extract64(s->cmdq.base, 0, 5);
+        if (s->cmdq.log2size > SMMU_CMDQS) {
+            s->cmdq.log2size = SMMU_CMDQS;
+        }
+        return MEMTX_OK;
+    case A_EVENTQ_BASE:
+        s->eventq.base = data;
+        s->eventq.log2size = extract64(s->eventq.base, 0, 5);
+        if (s->eventq.log2size > SMMU_EVENTQS) {
+            s->eventq.log2size = SMMU_EVENTQS;
+        }
+        return MEMTX_OK;
+    case A_EVENTQ_IRQ_CFG0:
+        s->eventq_irq_cfg0 = data;
+        return MEMTX_OK;
+    default:
+        qemu_log_mask(LOG_UNIMP,
+                      "%s Unexpected 64-bit access to 0x%"PRIx64" (WI)\n",
+                      __func__, offset);
+        return MEMTX_OK;
+    }
+}
+
+static MemTxResult smmu_writel(SMMUv3State *s, hwaddr offset,
+                               uint64_t data, MemTxAttrs attrs)
+{
+    switch (offset) {
+    case A_CR0:
+        s->cr[0] = data;
+        s->cr0ack = data & ~SMMU_CR0_RESERVED;
+        /* in case the command queue has been enabled */
+        smmuv3_cmdq_consume(s);
+        return MEMTX_OK;
+    case A_CR1:
+        s->cr[1] = data;
+        return MEMTX_OK;
+    case A_CR2:
+        s->cr[2] = data;
+        return MEMTX_OK;
+    case A_IRQ_CTRL:
+        s->irq_ctrl = data;
+        return MEMTX_OK;
+    case A_GERRORN:
+        smmuv3_write_gerrorn(s, data);
+        /*
+         * By acknowledging the CMDQ_ERR, SW may notify cmds can
+         * be processed again
+         */
+        smmuv3_cmdq_consume(s);
+        return MEMTX_OK;
+    case A_GERROR_IRQ_CFG0: /* 64b */
+        s->gerror_irq_cfg0 = deposit64(s->gerror_irq_cfg0, 0, 32, data);
+        return MEMTX_OK;
+    case A_GERROR_IRQ_CFG0 + 4:
+        s->gerror_irq_cfg0 = deposit64(s->gerror_irq_cfg0, 32, 32, data);
+        return MEMTX_OK;
+    case A_GERROR_IRQ_CFG1:
+        s->gerror_irq_cfg1 = data;
+        return MEMTX_OK;
+    case A_GERROR_IRQ_CFG2:
+        s->gerror_irq_cfg2 = data;
+        return MEMTX_OK;
+    case A_STRTAB_BASE: /* 64b */
+        s->strtab_base = deposit64(s->strtab_base, 0, 32, data);
+        return MEMTX_OK;
+    case A_STRTAB_BASE + 4:
+        s->strtab_base = deposit64(s->strtab_base, 32, 32, data);
+        return MEMTX_OK;
+    case A_STRTAB_BASE_CFG:
+        s->strtab_base_cfg = data;
+        if (FIELD_EX32(data, STRTAB_BASE_CFG, FMT) == 1) {
+            s->sid_split = FIELD_EX32(data, STRTAB_BASE_CFG, SPLIT);
+            s->features |= SMMU_FEATURE_2LVL_STE;
+        }
+        return MEMTX_OK;
+    case A_CMDQ_BASE: /* 64b */
+        s->cmdq.base = deposit64(s->cmdq.base, 0, 32, data);
+        s->cmdq.log2size = extract64(s->cmdq.base, 0, 5);
+        if (s->cmdq.log2size > SMMU_CMDQS) {
+            s->cmdq.log2size = SMMU_CMDQS;
+        }
+        return MEMTX_OK;
+    case A_CMDQ_BASE + 4: /* 64b */
+        s->cmdq.base = deposit64(s->cmdq.base, 32, 32, data);
+        return MEMTX_OK;
+    case A_CMDQ_PROD:
+        s->cmdq.prod = data;
+        smmuv3_cmdq_consume(s);
+        return MEMTX_OK;
+    case A_CMDQ_CONS:
+        s->cmdq.cons = data;
+        return MEMTX_OK;
+    case A_EVENTQ_BASE: /* 64b */
+        s->eventq.base = deposit64(s->eventq.base, 0, 32, data);
+        s->eventq.log2size = extract64(s->eventq.base, 0, 5);
+        if (s->eventq.log2size > SMMU_EVENTQS) {
+            s->eventq.log2size = SMMU_EVENTQS;
+        }
+        return MEMTX_OK;
+    case A_EVENTQ_BASE + 4:
+        s->eventq.base = deposit64(s->eventq.base, 32, 32, data);
+        return MEMTX_OK;
+    case A_EVENTQ_PROD:
+        s->eventq.prod = data;
+        return MEMTX_OK;
+    case A_EVENTQ_CONS:
+        s->eventq.cons = data;
+        return MEMTX_OK;
+    case A_EVENTQ_IRQ_CFG0: /* 64b */
+        s->eventq_irq_cfg0 = deposit64(s->eventq_irq_cfg0, 0, 32, data);
+        return MEMTX_OK;
+    case A_EVENTQ_IRQ_CFG0 + 4:
+        s->eventq_irq_cfg0 = deposit64(s->eventq_irq_cfg0, 32, 32, data);
+        return MEMTX_OK;
+    case A_EVENTQ_IRQ_CFG1:
+        s->eventq_irq_cfg1 = data;
+        return MEMTX_OK;
+    case A_EVENTQ_IRQ_CFG2:
+        s->eventq_irq_cfg2 = data;
+        return MEMTX_OK;
+    default:
+        qemu_log_mask(LOG_UNIMP,
+                      "%s Unexpected 32-bit access to 0x%"PRIx64" (WI)\n",
+                      __func__, offset);
+        return MEMTX_OK;
+    }
+}
+
 static MemTxResult smmu_write_mmio(void *opaque, hwaddr offset, uint64_t data,
                                    unsigned size, MemTxAttrs attrs)
 {
-    /* not yet implemented */
-    return MEMTX_ERROR;
+    SMMUState *sys = opaque;
+    SMMUv3State *s = ARM_SMMUV3(sys);
+    MemTxResult r;
+
+    /* CONSTRAINED UNPREDICTABLE choice to have page0/1 be exact aliases */
+    offset &= ~0x10000;
+
+    switch (size) {
+    case 8:
+        r = smmu_writell(s, offset, data, attrs);
+        break;
+    case 4:
+        r = smmu_writel(s, offset, data, attrs);
+        break;
+    default:
+        r = MEMTX_ERROR;
+        break;
+    }
+
+    trace_smmuv3_write_mmio(offset, data, size, r);
+    return r;
 }
 
 static MemTxResult smmu_readll(SMMUv3State *s, hwaddr offset,
diff --git a/hw/arm/trace-events b/hw/arm/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/trace-events
+++ b/hw/arm/trace-events
@@ -XXX,XX +XXX,XX @@ smmuv3_cmdq_consume(uint32_t prod, uint32_t cons, uint8_t prod_wrap, uint8_t con
 smmuv3_cmdq_opcode(const char *opcode) "<--- %s"
 smmuv3_cmdq_consume_out(uint32_t prod, uint32_t cons, uint8_t prod_wrap, uint8_t cons_wrap) "prod:%d, cons:%d, prod_wrap:%d, cons_wrap:%d "
 smmuv3_cmdq_consume_error(const char *cmd_name, uint8_t cmd_error) "Error on %s command execution: %d"
+smmuv3_update(bool is_empty, uint32_t prod, uint32_t cons, uint8_t prod_wrap, uint8_t cons_wrap) "q empty:%d prod:%d cons:%d p.wrap:%d p.cons:%d"
+smmuv3_update_check_cmd(int error) "cmdq not enabled or error :0x%x"
+smmuv3_write_mmio(uint64_t addr, uint64_t val, unsigned size, uint32_t r) "addr: 0x%"PRIx64" val:0x%"PRIx64" size: 0x%x(%d)"
+smmuv3_write_mmio_idr(uint64_t addr, uint64_t val) "write to RO/Unimpl reg 0x%lx val64:0x%lx"
+smmuv3_write_mmio_evtq_cons_bef_clear(uint32_t prod, uint32_t cons, uint8_t prod_wrap, uint8_t cons_wrap) "Before clearing interrupt prod:0x%x cons:0x%x prod.w:%d cons.w:%d"
+smmuv3_write_mmio_evtq_cons_after_clear(uint32_t prod, uint32_t cons, uint8_t prod_wrap, uint8_t cons_wrap) "after clearing interrupt prod:0x%x cons:0x%x prod.w:%d cons.w:%d"
-- 
2.17.0

From: Eric Auger <eric.auger@redhat.com>

Let's introduce a helper function aiming at recording an
event in the event queue.

Signed-off-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1524665762-31355-9-git-send-email-eric.auger@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/smmuv3-internal.h | 148 ++++++++++++++++++++++++++++++++++++++-
 hw/arm/smmuv3.c          | 108 ++++++++++++++++++++++++++--
 hw/arm/trace-events      |   1 +
 3 files changed, 249 insertions(+), 8 deletions(-)

diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3-internal.h
+++ b/hw/arm/smmuv3-internal.h
@@ -XXX,XX +XXX,XX @@ static inline void smmu_write_cmdq_err(SMMUv3State *s, uint32_t err_type)
     s->cmdq.cons = FIELD_DP32(s->cmdq.cons, CMDQ_CONS, ERR, err_type);
 }
 
-void smmuv3_write_eventq(SMMUv3State *s, Evt *evt);
-
 /* Commands */
 
 typedef enum SMMUCommandType {
@@ -XXX,XX +XXX,XX @@ enum { /* Command completion notification */
 
 #define SMMU_FEATURE_2LVL_STE (1 << 0)
 
+/* Events */
+
+typedef enum SMMUEventType {
+    SMMU_EVT_OK                 = 0x00,
+    SMMU_EVT_F_UUT                    ,
+    SMMU_EVT_C_BAD_STREAMID           ,
+    SMMU_EVT_F_STE_FETCH              ,
+    SMMU_EVT_C_BAD_STE                ,
+    SMMU_EVT_F_BAD_ATS_TREQ           ,
+    SMMU_EVT_F_STREAM_DISABLED        ,
+    SMMU_EVT_F_TRANS_FORBIDDEN        ,
+    SMMU_EVT_C_BAD_SUBSTREAMID        ,
+    SMMU_EVT_F_CD_FETCH               ,
+    SMMU_EVT_C_BAD_CD                 ,
+    SMMU_EVT_F_WALK_EABT              ,
+    SMMU_EVT_F_TRANSLATION      = 0x10,
+    SMMU_EVT_F_ADDR_SIZE              ,
+    SMMU_EVT_F_ACCESS                 ,
+    SMMU_EVT_F_PERMISSION             ,
+    SMMU_EVT_F_TLB_CONFLICT     = 0x20,
+    SMMU_EVT_F_CFG_CONFLICT           ,
+    SMMU_EVT_E_PAGE_REQ         = 0x24,
+} SMMUEventType;
+
+static const char *event_stringify[] = {
+    [SMMU_EVT_OK]                       = "SMMU_EVT_OK",
+    [SMMU_EVT_F_UUT]                    = "SMMU_EVT_F_UUT",
+    [SMMU_EVT_C_BAD_STREAMID]           = "SMMU_EVT_C_BAD_STREAMID",
+    [SMMU_EVT_F_STE_FETCH]              = "SMMU_EVT_F_STE_FETCH",
+    [SMMU_EVT_C_BAD_STE]                = "SMMU_EVT_C_BAD_STE",
+    [SMMU_EVT_F_BAD_ATS_TREQ]           = "SMMU_EVT_F_BAD_ATS_TREQ",
+    [SMMU_EVT_F_STREAM_DISABLED]        = "SMMU_EVT_F_STREAM_DISABLED",
+    [SMMU_EVT_F_TRANS_FORBIDDEN]        = "SMMU_EVT_F_TRANS_FORBIDDEN",
+    [SMMU_EVT_C_BAD_SUBSTREAMID]        = "SMMU_EVT_C_BAD_SUBSTREAMID",
+    [SMMU_EVT_F_CD_FETCH]               = "SMMU_EVT_F_CD_FETCH",
+    [SMMU_EVT_C_BAD_CD]                 = "SMMU_EVT_C_BAD_CD",
+    [SMMU_EVT_F_WALK_EABT]              = "SMMU_EVT_F_WALK_EABT",
+    [SMMU_EVT_F_TRANSLATION]            = "SMMU_EVT_F_TRANSLATION",
+    [SMMU_EVT_F_ADDR_SIZE]              = "SMMU_EVT_F_ADDR_SIZE",
+    [SMMU_EVT_F_ACCESS]                 = "SMMU_EVT_F_ACCESS",
+    [SMMU_EVT_F_PERMISSION]             = "SMMU_EVT_F_PERMISSION",
+    [SMMU_EVT_F_TLB_CONFLICT]           = "SMMU_EVT_F_TLB_CONFLICT",
+    [SMMU_EVT_F_CFG_CONFLICT]           = "SMMU_EVT_F_CFG_CONFLICT",
+    [SMMU_EVT_E_PAGE_REQ]               = "SMMU_EVT_E_PAGE_REQ",
+};
+
+static inline const char *smmu_event_string(SMMUEventType type)
+{
+    if (type < ARRAY_SIZE(event_stringify)) {
+        return event_stringify[type] ? event_stringify[type] : "UNKNOWN";
+    } else {
+        return "INVALID";
+    }
+}
+
+/*  Encode an event record */
+typedef struct SMMUEventInfo {
+    SMMUEventType type;
+    uint32_t sid;
+    bool recorded;
+    bool record_trans_faults;
+    union {
+        struct {
+            uint32_t ssid;
+            bool ssv;
+            dma_addr_t addr;
+            bool rnw;
+            bool pnu;
+            bool ind;
+       } f_uut;
+       struct SSIDInfo {
+            uint32_t ssid;
+            bool ssv;
+       } c_bad_streamid;
+       struct SSIDAddrInfo {
+            uint32_t ssid;
+            bool ssv;
+            dma_addr_t addr;
+       } f_ste_fetch;
+       struct SSIDInfo c_bad_ste;
+       struct {
+            dma_addr_t addr;
+            bool rnw;
+       } f_transl_forbidden;
+       struct {
+            uint32_t ssid;
+       } c_bad_substream;
+       struct SSIDAddrInfo f_cd_fetch;
+       struct SSIDInfo c_bad_cd;
+       struct FullInfo {
+            bool stall;
+            uint16_t stag;
+            uint32_t ssid;
+            bool ssv;
+            bool s2;
+            dma_addr_t addr;
+            bool rnw;
+            bool pnu;
+            bool ind;
+            uint8_t class;
+            dma_addr_t addr2;
+       } f_walk_eabt;
+       struct FullInfo f_translation;
+       struct FullInfo f_addr_size;
+       struct FullInfo f_access;
+       struct FullInfo f_permission;
+       struct SSIDInfo f_cfg_conflict;
+       /**
+        * not supported yet:
+        * F_BAD_ATS_TREQ
+        * F_BAD_ATS_TREQ
+        * F_TLB_CONFLICT
+        * E_PAGE_REQUEST
+        * IMPDEF_EVENTn
+        */
+    } u;
+} SMMUEventInfo;
+
+/* EVTQ fields */
+
+#define EVT_Q_OVERFLOW        (1 << 31)
+
+#define EVT_SET_TYPE(x, v)              deposit32((x)->word[0], 0 , 8 , v)
+#define EVT_SET_SSV(x, v)               deposit32((x)->word[0], 11, 1 , v)
+#define EVT_SET_SSID(x, v)              deposit32((x)->word[0], 12, 20, v)
+#define EVT_SET_SID(x, v)               ((x)->word[1] = v)
+#define EVT_SET_STAG(x, v)              deposit32((x)->word[2], 0 , 16, v)
+#define EVT_SET_STALL(x, v)             deposit32((x)->word[2], 31, 1 , v)
+#define EVT_SET_PNU(x, v)               deposit32((x)->word[3], 1 , 1 , v)
+#define EVT_SET_IND(x, v)               deposit32((x)->word[3], 2 , 1 , v)
+#define EVT_SET_RNW(x, v)               deposit32((x)->word[3], 3 , 1 , v)
+#define EVT_SET_S2(x, v)                deposit32((x)->word[3], 7 , 1 , v)
+#define EVT_SET_CLASS(x, v)             deposit32((x)->word[3], 8 , 2 , v)
+#define EVT_SET_ADDR(x, addr)                             \
+    do {                                                  \
+            (x)->word[5] = (uint32_t)(addr >> 32);        \
+            (x)->word[4] = (uint32_t)(addr & 0xffffffff); \
+    } while (0)
+#define EVT_SET_ADDR2(x, addr)                            \
+    do {                                                  \
+            deposit32((x)->word[7], 3, 29, addr >> 16);   \
+            deposit32((x)->word[7], 0, 16, addr & 0xffff);\
+    } while (0)
+
+void smmuv3_record_event(SMMUv3State *s, SMMUEventInfo *event);
+
 #endif
diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@ static MemTxResult queue_write(SMMUQueue *q, void *data)
     return MEMTX_OK;
 }
 
-void smmuv3_write_eventq(SMMUv3State *s, Evt *evt)
+static MemTxResult smmuv3_write_eventq(SMMUv3State *s, Evt *evt)
 {
     SMMUQueue *q = &s->eventq;
+    MemTxResult r;
+
+    if (!smmuv3_eventq_enabled(s)) {
+        return MEMTX_ERROR;
+    }
+
+    if (smmuv3_q_full(q)) {
+        return MEMTX_ERROR;
+    }
+
+    r = queue_write(q, evt);
+    if (r != MEMTX_OK) {
+        return r;
+    }
+
+    if (smmuv3_q_empty(q)) {
+        smmuv3_trigger_irq(s, SMMU_IRQ_EVTQ, 0);
+    }
+    return MEMTX_OK;
+}
+
+void smmuv3_record_event(SMMUv3State *s, SMMUEventInfo *info)
+{
+    Evt evt;
+    MemTxResult r;
 
     if (!smmuv3_eventq_enabled(s)) {
         return;
     }
 
-    if (smmuv3_q_full(q)) {
+    EVT_SET_TYPE(&evt, info->type);
+    EVT_SET_SID(&evt, info->sid);
+
+    switch (info->type) {
+    case SMMU_EVT_OK:
         return;
+    case SMMU_EVT_F_UUT:
+        EVT_SET_SSID(&evt, info->u.f_uut.ssid);
+        EVT_SET_SSV(&evt,  info->u.f_uut.ssv);
+        EVT_SET_ADDR(&evt, info->u.f_uut.addr);
+        EVT_SET_RNW(&evt,  info->u.f_uut.rnw);
+        EVT_SET_PNU(&evt,  info->u.f_uut.pnu);
+        EVT_SET_IND(&evt,  info->u.f_uut.ind);
+        break;
+    case SMMU_EVT_C_BAD_STREAMID:
+        EVT_SET_SSID(&evt, info->u.c_bad_streamid.ssid);
+        EVT_SET_SSV(&evt,  info->u.c_bad_streamid.ssv);
+        break;
+    case SMMU_EVT_F_STE_FETCH:
+        EVT_SET_SSID(&evt, info->u.f_ste_fetch.ssid);
+        EVT_SET_SSV(&evt,  info->u.f_ste_fetch.ssv);
+        EVT_SET_ADDR(&evt, info->u.f_ste_fetch.addr);
+        break;
+    case SMMU_EVT_C_BAD_STE:
+        EVT_SET_SSID(&evt, info->u.c_bad_ste.ssid);
+        EVT_SET_SSV(&evt,  info->u.c_bad_ste.ssv);
+        break;
+    case SMMU_EVT_F_STREAM_DISABLED:
+        break;
+    case SMMU_EVT_F_TRANS_FORBIDDEN:
+        EVT_SET_ADDR(&evt, info->u.f_transl_forbidden.addr);
+        EVT_SET_RNW(&evt, info->u.f_transl_forbidden.rnw);
+        break;
+    case SMMU_EVT_C_BAD_SUBSTREAMID:
+        EVT_SET_SSID(&evt, info->u.c_bad_substream.ssid);
+        break;
+    case SMMU_EVT_F_CD_FETCH:
+        EVT_SET_SSID(&evt, info->u.f_cd_fetch.ssid);
+        EVT_SET_SSV(&evt,  info->u.f_cd_fetch.ssv);
+        EVT_SET_ADDR(&evt, info->u.f_cd_fetch.addr);
+        break;
+    case SMMU_EVT_C_BAD_CD:
+        EVT_SET_SSID(&evt, info->u.c_bad_cd.ssid);
+        EVT_SET_SSV(&evt,  info->u.c_bad_cd.ssv);
+        break;
+    case SMMU_EVT_F_WALK_EABT:
+    case SMMU_EVT_F_TRANSLATION:
+    case SMMU_EVT_F_ADDR_SIZE:
+    case SMMU_EVT_F_ACCESS:
+    case SMMU_EVT_F_PERMISSION:
+        EVT_SET_STALL(&evt, info->u.f_walk_eabt.stall);
+        EVT_SET_STAG(&evt, info->u.f_walk_eabt.stag);
+        EVT_SET_SSID(&evt, info->u.f_walk_eabt.ssid);
+        EVT_SET_SSV(&evt, info->u.f_walk_eabt.ssv);
+        EVT_SET_S2(&evt, info->u.f_walk_eabt.s2);
+        EVT_SET_ADDR(&evt, info->u.f_walk_eabt.addr);
+        EVT_SET_RNW(&evt, info->u.f_walk_eabt.rnw);
+        EVT_SET_PNU(&evt, info->u.f_walk_eabt.pnu);
+        EVT_SET_IND(&evt, info->u.f_walk_eabt.ind);
+        EVT_SET_CLASS(&evt, info->u.f_walk_eabt.class);
+        EVT_SET_ADDR2(&evt, info->u.f_walk_eabt.addr2);
+        break;
+    case SMMU_EVT_F_CFG_CONFLICT:
+        EVT_SET_SSID(&evt, info->u.f_cfg_conflict.ssid);
+        EVT_SET_SSV(&evt,  info->u.f_cfg_conflict.ssv);
+        break;
+    /* rest is not implemented */
+    case SMMU_EVT_F_BAD_ATS_TREQ:
+    case SMMU_EVT_F_TLB_CONFLICT:
+    case SMMU_EVT_E_PAGE_REQ:
+    default:
+        g_assert_not_reached();
     }
 
-    queue_write(q, evt);
-
-    if (smmuv3_q_empty(q)) {
-        smmuv3_trigger_irq(s, SMMU_IRQ_EVTQ, 0);
+    trace_smmuv3_record_event(smmu_event_string(info->type), info->sid);
+    r = smmuv3_write_eventq(s, &evt);
+    if (r != MEMTX_OK) {
+        smmuv3_trigger_irq(s, SMMU_IRQ_GERROR, R_GERROR_EVENTQ_ABT_ERR_MASK);
     }
+    info->recorded = true;
 }
 
 static void smmuv3_init_regs(SMMUv3State *s)
diff --git a/hw/arm/trace-events b/hw/arm/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/trace-events
+++ b/hw/arm/trace-events
@@ -XXX,XX +XXX,XX @@ smmuv3_write_mmio(uint64_t addr, uint64_t val, unsigned size, uint32_t r) "addr:
 smmuv3_write_mmio_idr(uint64_t addr, uint64_t val) "write to RO/Unimpl reg 0x%lx val64:0x%lx"
 smmuv3_write_mmio_evtq_cons_bef_clear(uint32_t prod, uint32_t cons, uint8_t prod_wrap, uint8_t cons_wrap) "Before clearing interrupt prod:0x%x cons:0x%x prod.w:%d cons.w:%d"
 smmuv3_write_mmio_evtq_cons_after_clear(uint32_t prod, uint32_t cons, uint8_t prod_wrap, uint8_t cons_wrap) "after clearing interrupt prod:0x%x cons:0x%x prod.w:%d cons.w:%d"
+smmuv3_record_event(const char *type, uint32_t sid) "%s sid=%d"
-- 
2.17.0

From: Eric Auger <eric.auger@redhat.com>

This patch implements the IOMMU Memory Region translate()
callback. Most of the code relates to the translation
configuration decoding and check (STE, CD).

Signed-off-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Prem Mallappa <prem.mallappa@broadcom.com>
Message-id: 1524665762-31355-10-git-send-email-eric.auger@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/smmuv3-internal.h | 160 +++++++++++++++++
 hw/arm/smmuv3.c          | 358 +++++++++++++++++++++++++++++++++++++++
 hw/arm/trace-events      |   9 +
 3 files changed, 527 insertions(+)

diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3-internal.h
+++ b/hw/arm/smmuv3-internal.h
@@ -XXX,XX +XXX,XX @@ typedef struct SMMUEventInfo {
 
 void smmuv3_record_event(SMMUv3State *s, SMMUEventInfo *event);
 
+/* Configuration Data */
+
+/* STE Level 1 Descriptor */
+typedef struct STEDesc {
+    uint32_t word[2];
+} STEDesc;
+
+/* CD Level 1 Descriptor */
+typedef struct CDDesc {
+    uint32_t word[2];
+} CDDesc;
+
+/* Stream Table Entry(STE) */
+typedef struct STE {
+    uint32_t word[16];
+} STE;
+
+/* Context Descriptor(CD) */
+typedef struct CD {
+    uint32_t word[16];
+} CD;
+
+/* STE fields */
+
+#define STE_VALID(x)   extract32((x)->word[0], 0, 1)
+
+#define STE_CONFIG(x)  extract32((x)->word[0], 1, 3)
+#define STE_CFG_S1_ENABLED(config) (config & 0x1)
+#define STE_CFG_S2_ENABLED(config) (config & 0x2)
+#define STE_CFG_ABORT(config)      (!(config & 0x4))
+#define STE_CFG_BYPASS(config)     (config == 0x4)
+
+#define STE_S1FMT(x)       extract32((x)->word[0], 4 , 2)
+#define STE_S1CDMAX(x)     extract32((x)->word[1], 27, 5)
+#define STE_S1STALLD(x)    extract32((x)->word[2], 27, 1)
+#define STE_EATS(x)        extract32((x)->word[2], 28, 2)
+#define STE_STRW(x)        extract32((x)->word[2], 30, 2)
+#define STE_S2VMID(x)      extract32((x)->word[4], 0 , 16)
+#define STE_S2T0SZ(x)      extract32((x)->word[5], 0 , 6)
+#define STE_S2SL0(x)       extract32((x)->word[5], 6 , 2)
+#define STE_S2TG(x)        extract32((x)->word[5], 14, 2)
+#define STE_S2PS(x)        extract32((x)->word[5], 16, 3)
+#define STE_S2AA64(x)      extract32((x)->word[5], 19, 1)
+#define STE_S2HD(x)        extract32((x)->word[5], 24, 1)
+#define STE_S2HA(x)        extract32((x)->word[5], 25, 1)
+#define STE_S2S(x)         extract32((x)->word[5], 26, 1)
+#define STE_CTXPTR(x)                                           \
+    ({                                                          \
+        unsigned long addr;                                     \
+        addr = (uint64_t)extract32((x)->word[1], 0, 16) << 32;  \
+        addr |= (uint64_t)((x)->word[0] & 0xffffffc0);          \
+        addr;                                                   \
+    })
+
+#define STE_S2TTB(x)                                            \
+    ({                                                          \
+        unsigned long addr;                                     \
+        addr = (uint64_t)extract32((x)->word[7], 0, 16) << 32;  \
+        addr |= (uint64_t)((x)->word[6] & 0xfffffff0);          \
+        addr;                                                   \
+    })
+
+static inline int oas2bits(int oas_field)
+{
+    switch (oas_field) {
+    case 0:
+        return 32;
+    case 1:
+        return 36;
+    case 2:
+        return 40;
+    case 3:
+        return 42;
+    case 4:
+        return 44;
+    case 5:
+        return 48;
+    }
+    return -1;
+}
+
+static inline int pa_range(STE *ste)
+{
+    int oas_field = MIN(STE_S2PS(ste), SMMU_IDR5_OAS);
+
+    if (!STE_S2AA64(ste)) {
+        return 40;
+    }
+
+    return oas2bits(oas_field);
+}
+
+#define MAX_PA(ste) ((1 << pa_range(ste)) - 1)
+
+/* CD fields */
+
+#define CD_VALID(x)   extract32((x)->word[0], 30, 1)
+#define CD_ASID(x)    extract32((x)->word[1], 16, 16)
+#define CD_TTB(x, sel)                                      \
+    ({                                                      \
+        uint64_t hi, lo;                                    \
+        hi = extract32((x)->word[(sel) * 2 + 3], 0, 19);    \
+        hi <<= 32;                                          \
+        lo = (x)->word[(sel) * 2 + 2] & ~0xfULL;            \
+        hi | lo;                                            \
+    })
+
+#define CD_TSZ(x, sel)   extract32((x)->word[0], (16 * (sel)) + 0, 6)
+#define CD_TG(x, sel)    extract32((x)->word[0], (16 * (sel)) + 6, 2)
+#define CD_EPD(x, sel)   extract32((x)->word[0], (16 * (sel)) + 14, 1)
+#define CD_ENDI(x)       extract32((x)->word[0], 15, 1)
+#define CD_IPS(x)        extract32((x)->word[1], 0 , 3)
+#define CD_TBI(x)        extract32((x)->word[1], 6 , 2)
+#define CD_HD(x)         extract32((x)->word[1], 10 , 1)
+#define CD_HA(x)         extract32((x)->word[1], 11 , 1)
+#define CD_S(x)          extract32((x)->word[1], 12, 1)
+#define CD_R(x)          extract32((x)->word[1], 13, 1)
+#define CD_A(x)          extract32((x)->word[1], 14, 1)
+#define CD_AARCH64(x)    extract32((x)->word[1], 9 , 1)
+
+#define CDM_VALID(x)    ((x)->word[0] & 0x1)
+
+static inline int is_cd_valid(SMMUv3State *s, STE *ste, CD *cd)
+{
+    return CD_VALID(cd);
+}
+
+/**
+ * tg2granule - Decodes the CD translation granule size field according
+ * to the ttbr in use
+ * @bits: TG0/1 fields
+ * @ttbr: ttbr index in use
+ */
+static inline int tg2granule(int bits, int ttbr)
+{
+    switch (bits) {
+    case 0:
+        return ttbr ? 0  : 12;
+    case 1:
+        return ttbr ? 14 : 16;
+    case 2:
+        return ttbr ? 12 : 14;
+    case 3:
+        return ttbr ? 16 :  0;
+    default:
+        return 0;
+    }
+}
+
+static inline uint64_t l1std_l2ptr(STEDesc *desc)
+{
+    uint64_t hi, lo;
+
+    hi = desc->word[1];
+    lo = desc->word[0] & ~0x1fULL;
+    return hi << 32 | lo;
+}
+
+#define L1STD_SPAN(stm) (extract32((stm)->word[0], 0, 4))
+
 #endif
diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@ static void smmuv3_init_regs(SMMUv3State *s)
     s->sid_split = 0;
 }
 
+static int smmu_get_ste(SMMUv3State *s, dma_addr_t addr, STE *buf,
+                        SMMUEventInfo *event)
+{
+    int ret;
+
+    trace_smmuv3_get_ste(addr);
+    /* TODO: guarantee 64-bit single-copy atomicity */
+    ret = dma_memory_read(&address_space_memory, addr,
+                          (void *)buf, sizeof(*buf));
+    if (ret != MEMTX_OK) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "Cannot fetch pte at address=0x%"PRIx64"\n", addr);
+        event->type = SMMU_EVT_F_STE_FETCH;
+        event->u.f_ste_fetch.addr = addr;
+        return -EINVAL;
+    }
+    return 0;
+
+}
+
+/* @ssid > 0 not supported yet */
+static int smmu_get_cd(SMMUv3State *s, STE *ste, uint32_t ssid,
+                       CD *buf, SMMUEventInfo *event)
+{
+    dma_addr_t addr = STE_CTXPTR(ste);
+    int ret;
+
+    trace_smmuv3_get_cd(addr);
+    /* TODO: guarantee 64-bit single-copy atomicity */
+    ret = dma_memory_read(&address_space_memory, addr,
+                           (void *)buf, sizeof(*buf));
+    if (ret != MEMTX_OK) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "Cannot fetch pte at address=0x%"PRIx64"\n", addr);
+        event->type = SMMU_EVT_F_CD_FETCH;
+        event->u.f_ste_fetch.addr = addr;
+        return -EINVAL;
+    }
+    return 0;
+}
+
+/* Returns <0 if the caller has no need to continue the translation */
+static int decode_ste(SMMUv3State *s, SMMUTransCfg *cfg,
+                      STE *ste, SMMUEventInfo *event)
+{
+    uint32_t config;
+    int ret = -EINVAL;
+
+    if (!STE_VALID(ste)) {
+        goto bad_ste;
+    }
+
+    config = STE_CONFIG(ste);
+
+    if (STE_CFG_ABORT(config)) {
+        cfg->aborted = true; /* abort but don't record any event */
+        return ret;
+    }
+
+    if (STE_CFG_BYPASS(config)) {
+        cfg->bypassed = true;
+        return ret;
+    }
+
+    if (STE_CFG_S2_ENABLED(config)) {
+        qemu_log_mask(LOG_UNIMP, "SMMUv3 does not support stage 2 yet\n");
+        goto bad_ste;
+    }
+
+    if (STE_S1CDMAX(ste) != 0) {
+        qemu_log_mask(LOG_UNIMP,
+                      "SMMUv3 does not support multiple context descriptors yet\n");
+        goto bad_ste;
+    }
+
+    if (STE_S1STALLD(ste)) {
+        qemu_log_mask(LOG_UNIMP,
+                      "SMMUv3 S1 stalling fault model not allowed yet\n");
+        goto bad_ste;
+    }
+    return 0;
+
+bad_ste:
+    event->type = SMMU_EVT_C_BAD_STE;
+    return -EINVAL;
+}
+
+/**
+ * smmu_find_ste - Return the stream table entry associated
+ * to the sid
+ *
+ * @s: smmuv3 handle
+ * @sid: stream ID
+ * @ste: returned stream table entry
+ * @event: handle to an event info
+ *
+ * Supports linear and 2-level stream table
+ * Return 0 on success, -EINVAL otherwise
+ */
+static int smmu_find_ste(SMMUv3State *s, uint32_t sid, STE *ste,
+                         SMMUEventInfo *event)
+{
+    dma_addr_t addr;
+    int ret;
+
+    trace_smmuv3_find_ste(sid, s->features, s->sid_split);
+    /* Check SID range */
+    if (sid > (1 << SMMU_IDR1_SIDSIZE)) {
+        event->type = SMMU_EVT_C_BAD_STREAMID;
+        return -EINVAL;
+    }
+    if (s->features & SMMU_FEATURE_2LVL_STE) {
+        int l1_ste_offset, l2_ste_offset, max_l2_ste, span;
+        dma_addr_t strtab_base, l1ptr, l2ptr;
+        STEDesc l1std;
+
+        strtab_base = s->strtab_base & SMMU_BASE_ADDR_MASK;
+        l1_ste_offset = sid >> s->sid_split;
+        l2_ste_offset = sid & ((1 << s->sid_split) - 1);
+        l1ptr = (dma_addr_t)(strtab_base + l1_ste_offset * sizeof(l1std));
+        /* TODO: guarantee 64-bit single-copy atomicity */
+        ret = dma_memory_read(&address_space_memory, l1ptr,
+                              (uint8_t *)&l1std, sizeof(l1std));
+        if (ret != MEMTX_OK) {
+            qemu_log_mask(LOG_GUEST_ERROR,
+                          "Could not read L1PTR at 0X%"PRIx64"\n", l1ptr);
+            event->type = SMMU_EVT_F_STE_FETCH;
+            event->u.f_ste_fetch.addr = l1ptr;
+            return -EINVAL;
+        }
+
+        span = L1STD_SPAN(&l1std);
+
+        if (!span) {
+            /* l2ptr is not valid */
+            qemu_log_mask(LOG_GUEST_ERROR,
+                          "invalid sid=%d (L1STD span=0)\n", sid);
+            event->type = SMMU_EVT_C_BAD_STREAMID;
+            return -EINVAL;
+        }
+        max_l2_ste = (1 << span) - 1;
+        l2ptr = l1std_l2ptr(&l1std);
+        trace_smmuv3_find_ste_2lvl(s->strtab_base, l1ptr, l1_ste_offset,
+                                   l2ptr, l2_ste_offset, max_l2_ste);
+        if (l2_ste_offset > max_l2_ste) {
+            qemu_log_mask(LOG_GUEST_ERROR,
+                          "l2_ste_offset=%d > max_l2_ste=%d\n",
+                          l2_ste_offset, max_l2_ste);
+            event->type = SMMU_EVT_C_BAD_STE;
+            return -EINVAL;
+        }
+        addr = l2ptr + l2_ste_offset * sizeof(*ste);
+    } else {
+        addr = s->strtab_base + sid * sizeof(*ste);
+    }
+
+    if (smmu_get_ste(s, addr, ste, event)) {
+        return -EINVAL;
+    }
+
+    return 0;
+}
+
+static int decode_cd(SMMUTransCfg *cfg, CD *cd, SMMUEventInfo *event)
+{
+    int ret = -EINVAL;
+    int i;
+
+    if (!CD_VALID(cd) || !CD_AARCH64(cd)) {
+        goto bad_cd;
+    }
+    if (!CD_A(cd)) {
+        goto bad_cd; /* SMMU_IDR0.TERM_MODEL == 1 */
+    }
+    if (CD_S(cd)) {
+        goto bad_cd; /* !STE_SECURE && SMMU_IDR0.STALL_MODEL == 1 */
+    }
+    if (CD_HA(cd) || CD_HD(cd)) {
+        goto bad_cd; /* HTTU = 0 */
+    }
+
+    /* we support only those at the moment */
+    cfg->aa64 = true;
+    cfg->stage = 1;
+
+    cfg->oas = oas2bits(CD_IPS(cd));
+    cfg->oas = MIN(oas2bits(SMMU_IDR5_OAS), cfg->oas);
+    cfg->tbi = CD_TBI(cd);
+    cfg->asid = CD_ASID(cd);
+
+    trace_smmuv3_decode_cd(cfg->oas);
+
+    /* decode data dependent on TT */
+    for (i = 0; i <= 1; i++) {
+        int tg, tsz;
+        SMMUTransTableInfo *tt = &cfg->tt[i];
+
+        cfg->tt[i].disabled = CD_EPD(cd, i);
+        if (cfg->tt[i].disabled) {
+            continue;
+        }
+
+        tsz = CD_TSZ(cd, i);
+        if (tsz < 16 || tsz > 39) {
+            goto bad_cd;
+        }
+
+        tg = CD_TG(cd, i);
+        tt->granule_sz = tg2granule(tg, i);
+        if ((tt->granule_sz != 12 && tt->granule_sz != 16) || CD_ENDI(cd)) {
+            goto bad_cd;
+        }
+
+        tt->tsz = tsz;
+        tt->ttb = CD_TTB(cd, i);
+        if (tt->ttb & ~(MAKE_64BIT_MASK(0, cfg->oas))) {
+            goto bad_cd;
+        }
+        trace_smmuv3_decode_cd_tt(i, tt->tsz, tt->ttb, tt->granule_sz);
+    }
+
+    event->record_trans_faults = CD_R(cd);
+
+    return 0;
+
+bad_cd:
+    event->type = SMMU_EVT_C_BAD_CD;
+    return ret;
+}
+
+/**
+ * smmuv3_decode_config - Prepare the translation configuration
+ * for the @mr iommu region
+ * @mr: iommu memory region the translation config must be prepared for
+ * @cfg: output translation configuration which is populated through
+ *       the different configuration decoding steps
+ * @event: must be zero'ed by the caller
+ *
+ * return < 0 if the translation needs to be aborted (@event is filled
+ * accordingly). Return 0 otherwise.
+ */
+static int smmuv3_decode_config(IOMMUMemoryRegion *mr, SMMUTransCfg *cfg,
+                                SMMUEventInfo *event)
+{
+    SMMUDevice *sdev = container_of(mr, SMMUDevice, iommu);
+    uint32_t sid = smmu_get_sid(sdev);
+    SMMUv3State *s = sdev->smmu;
+    int ret = -EINVAL;
+    STE ste;
+    CD cd;
+
+    if (smmu_find_ste(s, sid, &ste, event)) {
+        return ret;
+    }
+
+    if (decode_ste(s, cfg, &ste, event)) {
+        return ret;
+    }
+
+    if (smmu_get_cd(s, &ste, 0 /* ssid */, &cd, event)) {
+        return ret;
+    }
+
+    return decode_cd(cfg, &cd, event);
+}
+
+static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,
+                                      IOMMUAccessFlags flag)
+{
+    SMMUDevice *sdev = container_of(mr, SMMUDevice, iommu);
+    SMMUv3State *s = sdev->smmu;
+    uint32_t sid = smmu_get_sid(sdev);
+    SMMUEventInfo event = {.type = SMMU_EVT_OK, .sid = sid};
+    SMMUPTWEventInfo ptw_info = {};
+    SMMUTransCfg cfg = {};
+    IOMMUTLBEntry entry = {
+        .target_as = &address_space_memory,
+        .iova = addr,
+        .translated_addr = addr,
+        .addr_mask = ~(hwaddr)0,
+        .perm = IOMMU_NONE,
+    };
+    int ret = 0;
+
+    if (!smmu_enabled(s)) {
+        goto out;
+    }
+
+    ret = smmuv3_decode_config(mr, &cfg, &event);
+    if (ret) {
+        goto out;
+    }
+
+    if (cfg.aborted) {
+        goto out;
+    }
+
+    ret = smmu_ptw(&cfg, addr, flag, &entry, &ptw_info);
+    if (ret) {
+        switch (ptw_info.type) {
+        case SMMU_PTW_ERR_WALK_EABT:
+            event.type = SMMU_EVT_F_WALK_EABT;
+            event.u.f_walk_eabt.addr = addr;
+            event.u.f_walk_eabt.rnw = flag & 0x1;
+            event.u.f_walk_eabt.class = 0x1;
+            event.u.f_walk_eabt.addr2 = ptw_info.addr;
+            break;
+        case SMMU_PTW_ERR_TRANSLATION:
+            if (event.record_trans_faults) {
+                event.type = SMMU_EVT_F_TRANSLATION;
+                event.u.f_translation.addr = addr;
+                event.u.f_translation.rnw = flag & 0x1;
+            }
+            break;
+        case SMMU_PTW_ERR_ADDR_SIZE:
+            if (event.record_trans_faults) {
+                event.type = SMMU_EVT_F_ADDR_SIZE;
+                event.u.f_addr_size.addr = addr;
+                event.u.f_addr_size.rnw = flag & 0x1;
+            }
+            break;
+        case SMMU_PTW_ERR_ACCESS:
+            if (event.record_trans_faults) {
+                event.type = SMMU_EVT_F_ACCESS;
+                event.u.f_access.addr = addr;
+                event.u.f_access.rnw = flag & 0x1;
+            }
+            break;
+        case SMMU_PTW_ERR_PERMISSION:
+            if (event.record_trans_faults) {
+                event.type = SMMU_EVT_F_PERMISSION;
+                event.u.f_permission.addr = addr;
+                event.u.f_permission.rnw = flag & 0x1;
+            }
+            break;
+        default:
+            g_assert_not_reached();
+        }
+    }
+out:
+    if (ret) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "%s translation failed for iova=0x%"PRIx64"(%d)\n",
+                      mr->parent_obj.name, addr, ret);
+        entry.perm = IOMMU_NONE;
+        smmuv3_record_event(s, &event);
+    } else if (!cfg.aborted) {
+        entry.perm = flag;
+        trace_smmuv3_translate(mr->parent_obj.name, sid, addr,
+                               entry.translated_addr, entry.perm);
+    }
+
+    return entry;
+}
+
 static int smmuv3_cmdq_consume(SMMUv3State *s)
 {
     SMMUCmdError cmd_error = SMMU_CERROR_NONE;
@@ -XXX,XX +XXX,XX @@ static void smmuv3_class_init(ObjectClass *klass, void *data)
 static void smmuv3_iommu_memory_region_class_init(ObjectClass *klass,
                                                   void *data)
 {
+    IOMMUMemoryRegionClass *imrc = IOMMU_MEMORY_REGION_CLASS(klass);
+
+    imrc->translate = smmuv3_translate;
 }
 
 static const TypeInfo smmuv3_type_info = {
diff --git a/hw/arm/trace-events b/hw/arm/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/trace-events
+++ b/hw/arm/trace-events
@@ -XXX,XX +XXX,XX @@ smmuv3_write_mmio_idr(uint64_t addr, uint64_t val) "write to RO/Unimpl reg 0x%lx
 smmuv3_write_mmio_evtq_cons_bef_clear(uint32_t prod, uint32_t cons, uint8_t prod_wrap, uint8_t cons_wrap) "Before clearing interrupt prod:0x%x cons:0x%x prod.w:%d cons.w:%d"
 smmuv3_write_mmio_evtq_cons_after_clear(uint32_t prod, uint32_t cons, uint8_t prod_wrap, uint8_t cons_wrap) "after clearing interrupt prod:0x%x cons:0x%x prod.w:%d cons.w:%d"
 smmuv3_record_event(const char *type, uint32_t sid) "%s sid=%d"
+smmuv3_find_ste(uint16_t sid, uint32_t features, uint16_t sid_split) "SID:0x%x features:0x%x, sid_split:0x%x"
+smmuv3_find_ste_2lvl(uint64_t strtab_base, uint64_t l1ptr, int l1_ste_offset, uint64_t l2ptr, int l2_ste_offset, int max_l2_ste) "strtab_base:0x%lx l1ptr:0x%"PRIx64" l1_off:0x%x, l2ptr:0x%"PRIx64" l2_off:0x%x max_l2_ste:%d"
+smmuv3_get_ste(uint64_t addr) "STE addr: 0x%"PRIx64
+smmuv3_translate_bypass(const char *n, uint16_t sid, uint64_t addr, bool is_write) "%s sid=%d bypass iova:0x%"PRIx64" is_write=%d"
+smmuv3_translate_in(uint16_t sid, int pci_bus_num, uint64_t strtab_base) "SID:0x%x bus:%d strtab_base:0x%"PRIx64
+smmuv3_get_cd(uint64_t addr) "CD addr: 0x%"PRIx64
+smmuv3_translate(const char *n, uint16_t sid, uint64_t iova, uint64_t translated, int perm) "%s sid=%d iova=0x%"PRIx64" translated=0x%"PRIx64" perm=0x%x"
+smmuv3_decode_cd(uint32_t oas) "oas=%d"
+smmuv3_decode_cd_tt(int i, uint32_t tsz, uint64_t ttb, uint32_t granule_sz) "TT[%d]:tsz:%d ttb:0x%"PRIx64" granule_sz:%d"
-- 
2.17.0

From: Eric Auger <eric.auger@redhat.com>

At the moment, the SMMUv3 does not support notification on
TLB invalidation. So let's log an error as soon as such notifier
gets enabled.

Signed-off-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1524665762-31355-11-git-send-email-eric.auger@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/smmuv3.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@ static void smmuv3_class_init(ObjectClass *klass, void *data)
     dc->realize = smmu_realize;
 }
 
+static void smmuv3_notify_flag_changed(IOMMUMemoryRegion *iommu,
+                                       IOMMUNotifierFlag old,
+                                       IOMMUNotifierFlag new)
+{
+    if (old == IOMMU_NOTIFIER_NONE) {
+        warn_report("SMMUV3 does not support vhost/vfio integration yet: "
+                    "devices of those types will not function properly");
+    }
+}
+
 static void smmuv3_iommu_memory_region_class_init(ObjectClass *klass,
                                                   void *data)
 {
     IOMMUMemoryRegionClass *imrc = IOMMU_MEMORY_REGION_CLASS(klass);
 
     imrc->translate = smmuv3_translate;
+    imrc->notify_flag_changed = smmuv3_notify_flag_changed;
 }
 
 static const TypeInfo smmuv3_type_info = {
-- 
2.17.0

From: Eric Auger <eric.auger@redhat.com>

In case the MSI is translated by an IOMMU we need to fixup the
MSI route with the translated address.

Signed-off-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Bharat Bhushan <Bharat.Bhushan@nxp.com>
Message-id: 1524665762-31355-12-git-send-email-eric.auger@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/kvm.c        | 38 +++++++++++++++++++++++++++++++++++++-
 target/arm/trace-events |  3 +++
 2 files changed, 40 insertions(+), 1 deletion(-)

diff --git a/target/arm/kvm.c b/target/arm/kvm.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm.c
+++ b/target/arm/kvm.c
@@ -XXX,XX +XXX,XX @@
 #include "sysemu/kvm.h"
 #include "kvm_arm.h"
 #include "cpu.h"
+#include "trace.h"
 #include "internals.h"
 #include "hw/arm/arm.h"
+#include "hw/pci/pci.h"
 #include "exec/memattrs.h"
 #include "exec/address-spaces.h"
 #include "hw/boards.h"
@@ -XXX,XX +XXX,XX @@ int kvm_arm_vgic_probe(void)
 int kvm_arch_fixup_msi_route(struct kvm_irq_routing_entry *route,
                              uint64_t address, uint32_t data, PCIDevice *dev)
 {
-    return 0;
+    AddressSpace *as = pci_device_iommu_address_space(dev);
+    hwaddr xlat, len, doorbell_gpa;
+    MemoryRegionSection mrs;
+    MemoryRegion *mr;
+    int ret = 1;
+
+    if (as == &address_space_memory) {
+        return 0;
+    }
+
+    /* MSI doorbell address is translated by an IOMMU */
+
+    rcu_read_lock();
+    mr = address_space_translate(as, address, &xlat, &len, true);
+    if (!mr) {
+        goto unlock;
+    }
+    mrs = memory_region_find(mr, xlat, 1);
+    if (!mrs.mr) {
+        goto unlock;
+    }
+
+    doorbell_gpa = mrs.offset_within_address_space;
+    memory_region_unref(mrs.mr);
+
+    route->u.msi.address_lo = doorbell_gpa;
+    route->u.msi.address_hi = doorbell_gpa >> 32;
+
+    trace_kvm_arm_fixup_msi_route(address, doorbell_gpa);
+
+    ret = 0;
+
+unlock:
+    rcu_read_unlock();
+    return ret;
 }
 
 int kvm_arch_add_msi_route_post(struct kvm_irq_routing_entry *route,
diff --git a/target/arm/trace-events b/target/arm/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/trace-events
+++ b/target/arm/trace-events
@@ -XXX,XX +XXX,XX @@ arm_gt_tval_write(int timer, uint64_t value) "gt_tval_write: timer %d value 0x%"
 arm_gt_ctl_write(int timer, uint64_t value) "gt_ctl_write: timer %d value 0x%" PRIx64
 arm_gt_imask_toggle(int timer, int irqstate) "gt_ctl_write: timer %d IMASK toggle, new irqstate %d"
 arm_gt_cntvoff_write(uint64_t value) "gt_cntvoff_write: value 0x%" PRIx64
+
+# target/arm/kvm.c
+kvm_arm_fixup_msi_route(uint64_t iova, uint64_t gpa) "MSI iova = 0x%"PRIx64" is translated into 0x%"PRIx64
-- 
2.17.0

From: Prem Mallappa <prem.mallappa@broadcom.com>

Add code to instantiate an smmuv3 in virt machine. A new iommu
integer member is introduced in VirtMachineState to store the type
of the iommu in use.

diff --git a/include/hw/arm/virt.h b/include/hw/arm/virt.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/virt.h
+++ b/include/hw/arm/virt.h
@@ -XXX,XX +XXX,XX @@
 
 #define NUM_GICV2M_SPIS       64
 #define NUM_VIRTIO_TRANSPORTS 32
+#define NUM_SMMU_IRQS          4
 
 #define ARCH_GICV3_MAINT_IRQ  9
 
@@ -XXX,XX +XXX,XX @@ enum {
     VIRT_GIC_V2M,
     VIRT_GIC_ITS,
     VIRT_GIC_REDIST,
+    VIRT_SMMU,
     VIRT_UART,
     VIRT_MMIO,
     VIRT_RTC,
@@ -XXX,XX +XXX,XX @@ enum {
     VIRT_SECURE_MEM,
 };
 
+typedef enum VirtIOMMUType {
+    VIRT_IOMMU_NONE,
+    VIRT_IOMMU_SMMUV3,
+    VIRT_IOMMU_VIRTIO,
+} VirtIOMMUType;
+
 typedef struct MemMapEntry {
     hwaddr base;
     hwaddr size;
@@ -XXX,XX +XXX,XX @@ typedef struct {
     bool its;
     bool virt;
     int32_t gic_version;
+    VirtIOMMUType iommu;
     struct arm_boot_info bootinfo;
     const MemMapEntry *memmap;
     const int *irqmap;
@@ -XXX,XX +XXX,XX @@ typedef struct {
     uint32_t clock_phandle;
     uint32_t gic_phandle;
     uint32_t msi_phandle;
+    uint32_t iommu_phandle;
     int psci_conduit;
 } VirtMachineState;
 
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/smbios/smbios.h"
 #include "qapi/visitor.h"
 #include "standard-headers/linux/input.h"
+#include "hw/arm/smmuv3.h"
 
 #define DEFINE_VIRT_MACHINE_LATEST(major, minor, latest) \
     static void virt_##major##_##minor##_class_init(ObjectClass *oc, \
@@ -XXX,XX +XXX,XX @@ static const MemMapEntry a15memmap[] = {
     [VIRT_FW_CFG] =             { 0x09020000, 0x00000018 },
     [VIRT_GPIO] =               { 0x09030000, 0x00001000 },
     [VIRT_SECURE_UART] =        { 0x09040000, 0x00001000 },
+    [VIRT_SMMU] =               { 0x09050000, 0x00020000 },
     [VIRT_MMIO] =               { 0x0a000000, 0x00000200 },
     /* ...repeating for a total of NUM_VIRTIO_TRANSPORTS, each of that size */
     [VIRT_PLATFORM_BUS] =       { 0x0c000000, 0x02000000 },
@@ -XXX,XX +XXX,XX @@ static const int a15irqmap[] = {
     [VIRT_SECURE_UART] = 8,
     [VIRT_MMIO] = 16, /* ...to 16 + NUM_VIRTIO_TRANSPORTS - 1 */
     [VIRT_GIC_V2M] = 48, /* ...to 48 + NUM_GICV2M_SPIS - 1 */
+    [VIRT_SMMU] = 74,    /* ...to 74 + NUM_SMMU_IRQS - 1 */
     [VIRT_PLATFORM_BUS] = 112, /* ...to 112 + PLATFORM_BUS_NUM_IRQS -1 */
 };
 
@@ -XXX,XX +XXX,XX @@ static void create_pcie_irq_map(const VirtMachineState *vms,
                            0x7           /* PCI irq */);
 }
 
-static void create_pcie(const VirtMachineState *vms, qemu_irq *pic)
+static void create_smmu(const VirtMachineState *vms, qemu_irq *pic,
+                        PCIBus *bus)
+{
+    char *node;
+    const char compat[] = "arm,smmu-v3";
+    int irq =  vms->irqmap[VIRT_SMMU];
+    int i;
+    hwaddr base = vms->memmap[VIRT_SMMU].base;
+    hwaddr size = vms->memmap[VIRT_SMMU].size;
+    const char irq_names[] = "eventq\0priq\0cmdq-sync\0gerror";
+    DeviceState *dev;
+
+    if (vms->iommu != VIRT_IOMMU_SMMUV3 || !vms->iommu_phandle) {
+        return;
+    }
+
+    dev = qdev_create(NULL, "arm-smmuv3");
+
+    object_property_set_link(OBJECT(dev), OBJECT(bus), "primary-bus",
+                             &error_abort);
+    qdev_init_nofail(dev);
+    sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, base);
+    for (i = 0; i < NUM_SMMU_IRQS; i++) {
+        sysbus_connect_irq(SYS_BUS_DEVICE(dev), i, pic[irq + i]);
+    }
+
+    node = g_strdup_printf("/smmuv3@%" PRIx64, base);
+    qemu_fdt_add_subnode(vms->fdt, node);
+    qemu_fdt_setprop(vms->fdt, node, "compatible", compat, sizeof(compat));
+    qemu_fdt_setprop_sized_cells(vms->fdt, node, "reg", 2, base, 2, size);
+
+    qemu_fdt_setprop_cells(vms->fdt, node, "interrupts",
+            GIC_FDT_IRQ_TYPE_SPI, irq    , GIC_FDT_IRQ_FLAGS_EDGE_LO_HI,
+            GIC_FDT_IRQ_TYPE_SPI, irq + 1, GIC_FDT_IRQ_FLAGS_EDGE_LO_HI,
+            GIC_FDT_IRQ_TYPE_SPI, irq + 2, GIC_FDT_IRQ_FLAGS_EDGE_LO_HI,
+            GIC_FDT_IRQ_TYPE_SPI, irq + 3, GIC_FDT_IRQ_FLAGS_EDGE_LO_HI);
+
+    qemu_fdt_setprop(vms->fdt, node, "interrupt-names", irq_names,
+                     sizeof(irq_names));
+
+    qemu_fdt_setprop_cell(vms->fdt, node, "clocks", vms->clock_phandle);
+    qemu_fdt_setprop_string(vms->fdt, node, "clock-names", "apb_pclk");
+    qemu_fdt_setprop(vms->fdt, node, "dma-coherent", NULL, 0);
+
+    qemu_fdt_setprop_cell(vms->fdt, node, "#iommu-cells", 1);
+
+    qemu_fdt_setprop_cell(vms->fdt, node, "phandle", vms->iommu_phandle);
+    g_free(node);
+}
+
+static void create_pcie(VirtMachineState *vms, qemu_irq *pic)
 {
     hwaddr base_mmio = vms->memmap[VIRT_PCIE_MMIO].base;
     hwaddr size_mmio = vms->memmap[VIRT_PCIE_MMIO].size;
@@ -XXX,XX +XXX,XX @@ static void create_pcie(const VirtMachineState *vms, qemu_irq *pic)
     qemu_fdt_setprop_cell(vms->fdt, nodename, "#interrupt-cells", 1);
     create_pcie_irq_map(vms, vms->gic_phandle, irq, nodename);
 
+    if (vms->iommu) {
+        vms->iommu_phandle = qemu_fdt_alloc_phandle(vms->fdt);
+
+        create_smmu(vms, pic, pci->bus);
+
+        qemu_fdt_setprop_cells(vms->fdt, nodename, "iommu-map",
+                               0x0, vms->iommu_phandle, 0x0, 0x10000);
+    }
+
     g_free(nodename);
 }
 
-- 
2.17.0

From: Prem Mallappa <prem.mallappa@broadcom.com>

This patch builds the smmuv3 node in the ACPI IORT table.

The RID space of the root complex, which spans 0x0-0x10000
maps to streamid space 0x0-0x10000 in smmuv3, which in turn
maps to deviceid space 0x0-0x10000 in the ITS group.

The guest must feature the IOMMU probe deferral series
(https://lkml.org/lkml/2017/4/10/214) which fixes streamid
multiple lookup. This bug is not related to the SMMU emulation.

Signed-off-by: Prem Mallappa <prem.mallappa@broadcom.com>
Signed-off-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Shannon Zhao <zhaoshenglong@huawei.com>
Message-id: 1524665762-31355-14-git-send-email-eric.auger@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/acpi/acpi-defs.h | 15 ++++++++++
 hw/arm/virt-acpi-build.c    | 55 ++++++++++++++++++++++++++++++++-----
 2 files changed, 63 insertions(+), 7 deletions(-)

diff --git a/include/hw/acpi/acpi-defs.h b/include/hw/acpi/acpi-defs.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/acpi/acpi-defs.h
+++ b/include/hw/acpi/acpi-defs.h
@@ -XXX,XX +XXX,XX @@ struct AcpiIortItsGroup {
 } QEMU_PACKED;
 typedef struct AcpiIortItsGroup AcpiIortItsGroup;
 
+struct AcpiIortSmmu3 {
+    ACPI_IORT_NODE_HEADER_DEF
+    uint64_t base_address;
+    uint32_t flags;
+    uint32_t reserved2;
+    uint64_t vatos_address;
+    uint32_t model;
+    uint32_t event_gsiv;
+    uint32_t pri_gsiv;
+    uint32_t gerr_gsiv;
+    uint32_t sync_gsiv;
+    AcpiIortIdMapping id_mapping_array[0];
+} QEMU_PACKED;
+typedef struct AcpiIortSmmu3 AcpiIortSmmu3;
+
 struct AcpiIortRC {
     ACPI_IORT_NODE_HEADER_DEF
     AcpiIortMemoryAccess memory_properties;
diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt-acpi-build.c
+++ b/hw/arm/virt-acpi-build.c
@@ -XXX,XX +XXX,XX @@ build_rsdp(GArray *rsdp_table, BIOSLinker *linker, unsigned xsdt_tbl_offset)
 }
 
 static void
-build_iort(GArray *table_data, BIOSLinker *linker)
+build_iort(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
 {
-    int iort_start = table_data->len;
+    int nb_nodes, iort_start = table_data->len;
     AcpiIortIdMapping *idmap;
     AcpiIortItsGroup *its;
     AcpiIortTable *iort;
-    size_t node_size, iort_length;
+    AcpiIortSmmu3 *smmu;
+    size_t node_size, iort_length, smmu_offset = 0;
     AcpiIortRC *rc;
 
     iort = acpi_data_push(table_data, sizeof(*iort));
 
+    if (vms->iommu == VIRT_IOMMU_SMMUV3) {
+        nb_nodes = 3; /* RC, ITS, SMMUv3 */
+    } else {
+        nb_nodes = 2; /* RC, ITS */
+    }
+
     iort_length = sizeof(*iort);
-    iort->node_count = cpu_to_le32(2); /* RC and ITS nodes */
+    iort->node_count = cpu_to_le32(nb_nodes);
     iort->node_offset = cpu_to_le32(sizeof(*iort));
 
     /* ITS group node */
@@ -XXX,XX +XXX,XX @@ build_iort(GArray *table_data, BIOSLinker *linker)
     its->its_count = cpu_to_le32(1);
     its->identifiers[0] = 0; /* MADT translation_id */
 
+    if (vms->iommu == VIRT_IOMMU_SMMUV3) {
+        int irq =  vms->irqmap[VIRT_SMMU];
+
+        /* SMMUv3 node */
+        smmu_offset = iort->node_offset + node_size;
+        node_size = sizeof(*smmu) + sizeof(*idmap);
+        iort_length += node_size;
+        smmu = acpi_data_push(table_data, node_size);
+
+        smmu->type = ACPI_IORT_NODE_SMMU_V3;
+        smmu->length = cpu_to_le16(node_size);
+        smmu->mapping_count = cpu_to_le32(1);
+        smmu->mapping_offset = cpu_to_le32(sizeof(*smmu));
+        smmu->base_address = cpu_to_le64(vms->memmap[VIRT_SMMU].base);
+        smmu->event_gsiv = cpu_to_le32(irq);
+        smmu->pri_gsiv = cpu_to_le32(irq + 1);
+        smmu->gerr_gsiv = cpu_to_le32(irq + 2);
+        smmu->sync_gsiv = cpu_to_le32(irq + 3);
+
+        /* Identity RID mapping covering the whole input RID range */
+        idmap = &smmu->id_mapping_array[0];
+        idmap->input_base = 0;
+        idmap->id_count = cpu_to_le32(0xFFFF);
+        idmap->output_base = 0;
+        /* output IORT node is the ITS group node (the first node) */
+        idmap->output_reference = cpu_to_le32(iort->node_offset);
+    }
+
     /* Root Complex Node */
     node_size = sizeof(*rc) + sizeof(*idmap);
     iort_length += node_size;
@@ -XXX,XX +XXX,XX @@ build_iort(GArray *table_data, BIOSLinker *linker)
     idmap->input_base = 0;
     idmap->id_count = cpu_to_le32(0xFFFF);
     idmap->output_base = 0;
-    /* output IORT node is the ITS group node (the first node) */
-    idmap->output_reference = cpu_to_le32(iort->node_offset);
+
+    if (vms->iommu == VIRT_IOMMU_SMMUV3) {
+        /* output IORT node is the smmuv3 node */
+        idmap->output_reference = cpu_to_le32(smmu_offset);
+    } else {
+        /* output IORT node is the ITS group node (the first node) */
+        idmap->output_reference = cpu_to_le32(iort->node_offset);
+    }
 
     iort->length = cpu_to_le32(iort_length);
 
@@ -XXX,XX +XXX,XX @@ void virt_acpi_build(VirtMachineState *vms, AcpiBuildTables *tables)
 
     if (its_class_name() && !vmc->no_its) {
         acpi_add_table(table_offsets, tables_blob);
-        build_iort(tables_blob, tables->linker);
+        build_iort(tables_blob, tables->linker, vms);
     }
 
     /* XSDT is pointed to by RSDP */
-- 
2.17.0

From: Eric Auger <eric.auger@redhat.com>

ARM virt machine now exposes a new "iommu" option.
The SMMUv3 IOMMU is instantiated using -machine virt,iommu=smmuv3.

diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@ static void virt_set_gic_version(Object *obj, const char *value, Error **errp)
     }
 }
 
+static char *virt_get_iommu(Object *obj, Error **errp)
+{
+    VirtMachineState *vms = VIRT_MACHINE(obj);
+
+    switch (vms->iommu) {
+    case VIRT_IOMMU_NONE:
+        return g_strdup("none");
+    case VIRT_IOMMU_SMMUV3:
+        return g_strdup("smmuv3");
+    default:
+        g_assert_not_reached();
+    }
+}
+
+static void virt_set_iommu(Object *obj, const char *value, Error **errp)
+{
+    VirtMachineState *vms = VIRT_MACHINE(obj);
+
+    if (!strcmp(value, "smmuv3")) {
+        vms->iommu = VIRT_IOMMU_SMMUV3;
+    } else if (!strcmp(value, "none")) {
+        vms->iommu = VIRT_IOMMU_NONE;
+    } else {
+        error_setg(errp, "Invalid iommu value");
+        error_append_hint(errp, "Valid values are none, smmuv3.\n");
+    }
+}
+
 static CpuInstanceProperties
 virt_cpu_index_to_props(MachineState *ms, unsigned cpu_index)
 {
@@ -XXX,XX +XXX,XX @@ static void virt_2_12_instance_init(Object *obj)
                                         NULL);
     }
 
+    /* Default disallows iommu instantiation */
+    vms->iommu = VIRT_IOMMU_NONE;
+    object_property_add_str(obj, "iommu", virt_get_iommu, virt_set_iommu, NULL);
+    object_property_set_description(obj, "iommu",
+                                    "Set the IOMMU type. "
+                                    "Valid values are none and smmuv3",
+                                    NULL);
+
     vms->memmap = a15memmap;
     vms->irqmap = a15irqmap;
 }
-- 
2.17.0

Two small bugfixes, plus most of RTH's refactoring of cpregs
handling.

-- PMM

The following changes since commit 1fba9dc71a170b3a05b9d3272dd8ecfe7f26e215:

Merge tag 'pull-request-2022-05-04' of https://gitlab.com/thuth/qemu into staging (2022-05-04 08:07:02 -0700)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20220505

for you to fetch changes up to 99a50d1a67c602126fc2b3a4812d3000eba9bf34:

target/arm: read access to performance counters from EL0 (2022-05-05 09:36:22 +0100)

----------------------------------------------------------------
target-arm queue:
 * Enable read access to performance counters from EL0
 * Enable SCTLR_EL1.BT0 for aarch64-linux-user
 * Refactoring of cpreg handling

----------------------------------------------------------------
Alex Zuepke (1):
      target/arm: read access to performance counters from EL0

Richard Henderson (22):
      target/arm: Enable SCTLR_EL1.BT0 for aarch64-linux-user
      target/arm: Split out cpregs.h
      target/arm: Reorg CPAccessResult and access_check_cp_reg
      target/arm: Replace sentinels with ARRAY_SIZE in cpregs.h
      target/arm: Make some more cpreg data static const
      target/arm: Reorg ARMCPRegInfo type field bits
      target/arm: Avoid bare abort() or assert(0)
      target/arm: Change cpreg access permissions to enum
      target/arm: Name CPState type
      target/arm: Name CPSecureState type
      target/arm: Drop always-true test in define_arm_vh_e2h_redirects_aliases
      target/arm: Store cpregs key in the hash table directly
      target/arm: Merge allocation of the cpreg and its name
      target/arm: Hoist computation of key in add_cpreg_to_hashtable
      target/arm: Consolidate cpreg updates in add_cpreg_to_hashtable
      target/arm: Use bool for is64 and ns in add_cpreg_to_hashtable
      target/arm: Hoist isbanked computation in add_cpreg_to_hashtable
      target/arm: Perform override check early in add_cpreg_to_hashtable
      target/arm: Reformat comments in add_cpreg_to_hashtable
      target/arm: Remove HOST_BIG_ENDIAN ifdef in add_cpreg_to_hashtable
      target/arm: Add isar predicates for FEAT_Debugv8p2
      target/arm: Add isar_feature_{aa64,any}_ras

From: Richard Henderson <richard.henderson@linaro.org>

This controls whether the PACI{A,B}SP instructions trap with BTYPE=3
(indirect branch from register other than x16/x17).  The linux kernel
sets this in bti_enable().

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/998
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20220427042312.294300-1-richard.henderson@linaro.org
[PMM: remove stray change to makefile comment]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.c                  |  2 ++
 tests/tcg/aarch64/bti-3.c         | 42 +++++++++++++++++++++++++++++++
 tests/tcg/aarch64/Makefile.target |  6 ++---
 3 files changed, 47 insertions(+), 3 deletions(-)
 create mode 100644 tests/tcg/aarch64/bti-3.c

diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_reset(DeviceState *dev)
         /* Enable all PAC keys.  */
         env->cp15.sctlr_el[1] |= (SCTLR_EnIA | SCTLR_EnIB |
                                   SCTLR_EnDA | SCTLR_EnDB);
+        /* Trap on btype=3 for PACIxSP. */
+        env->cp15.sctlr_el[1] |= SCTLR_BT0;
         /* and to the FP/Neon instructions */
         env->cp15.cpacr_el1 = deposit64(env->cp15.cpacr_el1, 20, 2, 3);
         /* and to the SVE instructions */
diff --git a/tests/tcg/aarch64/bti-3.c b/tests/tcg/aarch64/bti-3.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/tests/tcg/aarch64/bti-3.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * BTI vs PACIASP
+ */
+
+#include "bti-crt.inc.c"
+
+static void skip2_sigill(int sig, siginfo_t *info, ucontext_t *uc)
+{
+    uc->uc_mcontext.pc += 8;
+    uc->uc_mcontext.pstate = 1;
+}
+
+#define BTYPE_1() \
+    asm("mov %0,#1; adr x16, 1f; br x16; 1: hint #25; mov %0,#0" \
+        : "=r"(skipped) : : "x16", "x30")
+
+#define BTYPE_2() \
+    asm("mov %0,#1; adr x16, 1f; blr x16; 1: hint #25; mov %0,#0" \
+        : "=r"(skipped) : : "x16", "x30")
+
+#define BTYPE_3() \
+    asm("mov %0,#1; adr x15, 1f; br x15; 1: hint #25; mov %0,#0" \
+        : "=r"(skipped) : : "x15", "x30")
+
+#define TEST(WHICH, EXPECT) \
+    do { WHICH(); fail += skipped ^ EXPECT; } while (0)
+
+int main()
+{
+    int fail = 0;
+    int skipped;
+
+    /* Signal-like with SA_SIGINFO.  */
+    signal_info(SIGILL, skip2_sigill);
+
+    /* With SCTLR_EL1.BT0 set, PACIASP is not compatible with type=3. */
+    TEST(BTYPE_1, 0);
+    TEST(BTYPE_2, 0);
+    TEST(BTYPE_3, 1);
+
+    return fail;
+}
diff --git a/tests/tcg/aarch64/Makefile.target b/tests/tcg/aarch64/Makefile.target
index XXXXXXX..XXXXXXX 100644
--- a/tests/tcg/aarch64/Makefile.target
+++ b/tests/tcg/aarch64/Makefile.target
@@ -XXX,XX +XXX,XX @@ endif
 # BTI Tests
 # bti-1 tests the elf notes, so we require special compiler support.
 ifneq ($(CROSS_CC_HAS_ARMV8_BTI),)
-AARCH64_TESTS += bti-1
-bti-1: CFLAGS += -mbranch-protection=standard
-bti-1: LDFLAGS += -nostdlib
+AARCH64_TESTS += bti-1 bti-3
+bti-1 bti-3: CFLAGS += -mbranch-protection=standard
+bti-1 bti-3: LDFLAGS += -nostdlib
 endif
 # bti-2 tests PROT_BTI, so no special compiler support required.
 AARCH64_TESTS += bti-2
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Move ARMCPRegInfo and all related declarations to a new
internal header, out of the public cpu.h.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220501055028.646596-2-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpregs.h        | 413 +++++++++++++++++++++++++++++++++++++
 target/arm/cpu.h           | 368 ---------------------------------
 hw/arm/pxa2xx.c            |   1 +
 hw/arm/pxa2xx_pic.c        |   1 +
 hw/intc/arm_gicv3_cpuif.c  |   1 +
 hw/intc/arm_gicv3_kvm.c    |   2 +
 target/arm/cpu.c           |   1 +
 target/arm/cpu64.c         |   1 +
 target/arm/cpu_tcg.c       |   1 +
 target/arm/gdbstub.c       |   3 +-
 target/arm/helper.c        |   1 +
 target/arm/op_helper.c     |   1 +
 target/arm/translate-a64.c |   4 +-
 target/arm/translate.c     |   3 +-
 14 files changed, 427 insertions(+), 374 deletions(-)
 create mode 100644 target/arm/cpregs.h

diff --git a/target/arm/cpregs.h b/target/arm/cpregs.h
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/target/arm/cpregs.h
@@ -XXX,XX +XXX,XX @@
+/*
+ * QEMU ARM CP Register access and descriptions
+ *
+ * Copyright (c) 2022 Linaro Ltd
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see
+ * <http://www.gnu.org/licenses/gpl-2.0.html>
+ */
+
+#ifndef TARGET_ARM_CPREGS_H
+#define TARGET_ARM_CPREGS_H
+
+/*
+ * ARMCPRegInfo type field bits. If the SPECIAL bit is set this is a
+ * special-behaviour cp reg and bits [11..8] indicate what behaviour
+ * it has. Otherwise it is a simple cp reg, where CONST indicates that
+ * TCG can assume the value to be constant (ie load at translate time)
+ * and 64BIT indicates a 64 bit wide coprocessor register. SUPPRESS_TB_END
+ * indicates that the TB should not be ended after a write to this register
+ * (the default is that the TB ends after cp writes). OVERRIDE permits
+ * a register definition to override a previous definition for the
+ * same (cp, is64, crn, crm, opc1, opc2) tuple: either the new or the
+ * old must have the OVERRIDE bit set.
+ * ALIAS indicates that this register is an alias view of some underlying
+ * state which is also visible via another register, and that the other
+ * register is handling migration and reset; registers marked ALIAS will not be
+ * migrated but may have their state set by syncing of register state from KVM.
+ * NO_RAW indicates that this register has no underlying state and does not
+ * support raw access for state saving/loading; it will not be used for either
+ * migration or KVM state synchronization. (Typically this is for "registers"
+ * which are actually used as instructions for cache maintenance and so on.)
+ * IO indicates that this register does I/O and therefore its accesses
+ * need to be marked with gen_io_start() and also end the TB. In particular,
+ * registers which implement clocks or timers require this.
+ * RAISES_EXC is for when the read or write hook might raise an exception;
+ * the generated code will synchronize the CPU state before calling the hook
+ * so that it is safe for the hook to call raise_exception().
+ * NEWEL is for writes to registers that might change the exception
+ * level - typically on older ARM chips. For those cases we need to
+ * re-read the new el when recomputing the translation flags.
+ */
+#define ARM_CP_SPECIAL           0x0001
+#define ARM_CP_CONST             0x0002
+#define ARM_CP_64BIT             0x0004
+#define ARM_CP_SUPPRESS_TB_END   0x0008
+#define ARM_CP_OVERRIDE          0x0010
+#define ARM_CP_ALIAS             0x0020
+#define ARM_CP_IO                0x0040
+#define ARM_CP_NO_RAW            0x0080
+#define ARM_CP_NOP               (ARM_CP_SPECIAL | 0x0100)
+#define ARM_CP_WFI               (ARM_CP_SPECIAL | 0x0200)
+#define ARM_CP_NZCV              (ARM_CP_SPECIAL | 0x0300)
+#define ARM_CP_CURRENTEL         (ARM_CP_SPECIAL | 0x0400)
+#define ARM_CP_DC_ZVA            (ARM_CP_SPECIAL | 0x0500)
+#define ARM_CP_DC_GVA            (ARM_CP_SPECIAL | 0x0600)
+#define ARM_CP_DC_GZVA           (ARM_CP_SPECIAL | 0x0700)
+#define ARM_LAST_SPECIAL         ARM_CP_DC_GZVA
+#define ARM_CP_FPU               0x1000
+#define ARM_CP_SVE               0x2000
+#define ARM_CP_NO_GDB            0x4000
+#define ARM_CP_RAISES_EXC        0x8000
+#define ARM_CP_NEWEL             0x10000
+/* Used only as a terminator for ARMCPRegInfo lists */
+#define ARM_CP_SENTINEL          0xfffff
+/* Mask of only the flag bits in a type field */
+#define ARM_CP_FLAG_MASK         0x1f0ff
+
+/*
+ * Valid values for ARMCPRegInfo state field, indicating which of
+ * the AArch32 and AArch64 execution states this register is visible in.
+ * If the reginfo doesn't explicitly specify then it is AArch32 only.
+ * If the reginfo is declared to be visible in both states then a second
+ * reginfo is synthesised for the AArch32 view of the AArch64 register,
+ * such that the AArch32 view is the lower 32 bits of the AArch64 one.
+ * Note that we rely on the values of these enums as we iterate through
+ * the various states in some places.
+ */
+enum {
+    ARM_CP_STATE_AA32 = 0,
+    ARM_CP_STATE_AA64 = 1,
+    ARM_CP_STATE_BOTH = 2,
+};
+
+/*
+ * ARM CP register secure state flags.  These flags identify security state
+ * attributes for a given CP register entry.
+ * The existence of both or neither secure and non-secure flags indicates that
+ * the register has both a secure and non-secure hash entry.  A single one of
+ * these flags causes the register to only be hashed for the specified
+ * security state.
+ * Although definitions may have any combination of the S/NS bits, each
+ * registered entry will only have one to identify whether the entry is secure
+ * or non-secure.
+ */
+enum {
+    ARM_CP_SECSTATE_S =   (1 << 0), /* bit[0]: Secure state register */
+    ARM_CP_SECSTATE_NS =  (1 << 1), /* bit[1]: Non-secure state register */
+};
+
+/*
+ * Return true if cptype is a valid type field. This is used to try to
+ * catch errors where the sentinel has been accidentally left off the end
+ * of a list of registers.
+ */
+static inline bool cptype_valid(int cptype)
+{
+    return ((cptype & ~ARM_CP_FLAG_MASK) == 0)
+        || ((cptype & ARM_CP_SPECIAL) &&
+            ((cptype & ~ARM_CP_FLAG_MASK) <= ARM_LAST_SPECIAL));
+}
+
+/*
+ * Access rights:
+ * We define bits for Read and Write access for what rev C of the v7-AR ARM ARM
+ * defines as PL0 (user), PL1 (fiq/irq/svc/abt/und/sys, ie privileged), and
+ * PL2 (hyp). The other level which has Read and Write bits is Secure PL1
+ * (ie any of the privileged modes in Secure state, or Monitor mode).
+ * If a register is accessible in one privilege level it's always accessible
+ * in higher privilege levels too. Since "Secure PL1" also follows this rule
+ * (ie anything visible in PL2 is visible in S-PL1, some things are only
+ * visible in S-PL1) but "Secure PL1" is a bit of a mouthful, we bend the
+ * terminology a little and call this PL3.
+ * In AArch64 things are somewhat simpler as the PLx bits line up exactly
+ * with the ELx exception levels.
+ *
+ * If access permissions for a register are more complex than can be
+ * described with these bits, then use a laxer set of restrictions, and
+ * do the more restrictive/complex check inside a helper function.
+ */
+#define PL3_R 0x80
+#define PL3_W 0x40
+#define PL2_R (0x20 | PL3_R)
+#define PL2_W (0x10 | PL3_W)
+#define PL1_R (0x08 | PL2_R)
+#define PL1_W (0x04 | PL2_W)
+#define PL0_R (0x02 | PL1_R)
+#define PL0_W (0x01 | PL1_W)
+
+/*
+ * For user-mode some registers are accessible to EL0 via a kernel
+ * trap-and-emulate ABI. In this case we define the read permissions
+ * as actually being PL0_R. However some bits of any given register
+ * may still be masked.
+ */
+#ifdef CONFIG_USER_ONLY
+#define PL0U_R PL0_R
+#else
+#define PL0U_R PL1_R
+#endif
+
+#define PL3_RW (PL3_R | PL3_W)
+#define PL2_RW (PL2_R | PL2_W)
+#define PL1_RW (PL1_R | PL1_W)
+#define PL0_RW (PL0_R | PL0_W)
+
+typedef enum CPAccessResult {
+    /* Access is permitted */
+    CP_ACCESS_OK = 0,
+    /*
+     * Access fails due to a configurable trap or enable which would
+     * result in a categorized exception syndrome giving information about
+     * the failing instruction (ie syndrome category 0x3, 0x4, 0x5, 0x6,
+     * 0xc or 0x18). The exception is taken to the usual target EL (EL1 or
+     * PL1 if in EL0, otherwise to the current EL).
+     */
+    CP_ACCESS_TRAP = 1,
+    /*
+     * Access fails and results in an exception syndrome 0x0 ("uncategorized").
+     * Note that this is not a catch-all case -- the set of cases which may
+     * result in this failure is specifically defined by the architecture.
+     */
+    CP_ACCESS_TRAP_UNCATEGORIZED = 2,
+    /* As CP_ACCESS_TRAP, but for traps directly to EL2 or EL3 */
+    CP_ACCESS_TRAP_EL2 = 3,
+    CP_ACCESS_TRAP_EL3 = 4,
+    /* As CP_ACCESS_UNCATEGORIZED, but for traps directly to EL2 or EL3 */
+    CP_ACCESS_TRAP_UNCATEGORIZED_EL2 = 5,
+    CP_ACCESS_TRAP_UNCATEGORIZED_EL3 = 6,
+} CPAccessResult;
+
+typedef struct ARMCPRegInfo ARMCPRegInfo;
+
+/*
+ * Access functions for coprocessor registers. These cannot fail and
+ * may not raise exceptions.
+ */
+typedef uint64_t CPReadFn(CPUARMState *env, const ARMCPRegInfo *opaque);
+typedef void CPWriteFn(CPUARMState *env, const ARMCPRegInfo *opaque,
+                       uint64_t value);
+/* Access permission check functions for coprocessor registers. */
+typedef CPAccessResult CPAccessFn(CPUARMState *env,
+                                  const ARMCPRegInfo *opaque,
+                                  bool isread);
+/* Hook function for register reset */
+typedef void CPResetFn(CPUARMState *env, const ARMCPRegInfo *opaque);
+
+#define CP_ANY 0xff
+
+/* Definition of an ARM coprocessor register */
+struct ARMCPRegInfo {
+    /* Name of register (useful mainly for debugging, need not be unique) */
+    const char *name;
+    /*
+     * Location of register: coprocessor number and (crn,crm,opc1,opc2)
+     * tuple. Any of crm, opc1 and opc2 may be CP_ANY to indicate a
+     * 'wildcard' field -- any value of that field in the MRC/MCR insn
+     * will be decoded to this register. The register read and write
+     * callbacks will be passed an ARMCPRegInfo with the crn/crm/opc1/opc2
+     * used by the program, so it is possible to register a wildcard and
+     * then behave differently on read/write if necessary.
+     * For 64 bit registers, only crm and opc1 are relevant; crn and opc2
+     * must both be zero.
+     * For AArch64-visible registers, opc0 is also used.
+     * Since there are no "coprocessors" in AArch64, cp is purely used as a
+     * way to distinguish (for KVM's benefit) guest-visible system registers
+     * from demuxed ones provided to preserve the "no side effects on
+     * KVM register read/write from QEMU" semantics. cp==0x13 is guest
+     * visible (to match KVM's encoding); cp==0 will be converted to
+     * cp==0x13 when the ARMCPRegInfo is registered, for convenience.
+     */
+    uint8_t cp;
+    uint8_t crn;
+    uint8_t crm;
+    uint8_t opc0;
+    uint8_t opc1;
+    uint8_t opc2;
+    /* Execution state in which this register is visible: ARM_CP_STATE_* */
+    int state;
+    /* Register type: ARM_CP_* bits/values */
+    int type;
+    /* Access rights: PL*_[RW] */
+    int access;
+    /* Security state: ARM_CP_SECSTATE_* bits/values */
+    int secure;
+    /*
+     * The opaque pointer passed to define_arm_cp_regs_with_opaque() when
+     * this register was defined: can be used to hand data through to the
+     * register read/write functions, since they are passed the ARMCPRegInfo*.
+     */
+    void *opaque;
+    /*
+     * Value of this register, if it is ARM_CP_CONST. Otherwise, if
+     * fieldoffset is non-zero, the reset value of the register.
+     */
+    uint64_t resetvalue;
+    /*
+     * Offset of the field in CPUARMState for this register.
+     * This is not needed if either:
+     *  1. type is ARM_CP_CONST or one of the ARM_CP_SPECIALs
+     *  2. both readfn and writefn are specified
+     */
+    ptrdiff_t fieldoffset; /* offsetof(CPUARMState, field) */
+
+    /*
+     * Offsets of the secure and non-secure fields in CPUARMState for the
+     * register if it is banked.  These fields are only used during the static
+     * registration of a register.  During hashing the bank associated
+     * with a given security state is copied to fieldoffset which is used from
+     * there on out.
+     *
+     * It is expected that register definitions use either fieldoffset or
+     * bank_fieldoffsets in the definition but not both.  It is also expected
+     * that both bank offsets are set when defining a banked register.  This
+     * use indicates that a register is banked.
+     */
+    ptrdiff_t bank_fieldoffsets[2];
+
+    /*
+     * Function for making any access checks for this register in addition to
+     * those specified by the 'access' permissions bits. If NULL, no extra
+     * checks required. The access check is performed at runtime, not at
+     * translate time.
+     */
+    CPAccessFn *accessfn;
+    /*
+     * Function for handling reads of this register. If NULL, then reads
+     * will be done by loading from the offset into CPUARMState specified
+     * by fieldoffset.
+     */
+    CPReadFn *readfn;
+    /*
+     * Function for handling writes of this register. If NULL, then writes
+     * will be done by writing to the offset into CPUARMState specified
+     * by fieldoffset.
+     */
+    CPWriteFn *writefn;
+    /*
+     * Function for doing a "raw" read; used when we need to copy
+     * coprocessor state to the kernel for KVM or out for
+     * migration. This only needs to be provided if there is also a
+     * readfn and it has side effects (for instance clear-on-read bits).
+     */
+    CPReadFn *raw_readfn;
+    /*
+     * Function for doing a "raw" write; used when we need to copy KVM
+     * kernel coprocessor state into userspace, or for inbound
+     * migration. This only needs to be provided if there is also a
+     * writefn and it masks out "unwritable" bits or has write-one-to-clear
+     * or similar behaviour.
+     */
+    CPWriteFn *raw_writefn;
+    /*
+     * Function for resetting the register. If NULL, then reset will be done
+     * by writing resetvalue to the field specified in fieldoffset. If
+     * fieldoffset is 0 then no reset will be done.
+     */
+    CPResetFn *resetfn;
+
+    /*
+     * "Original" writefn and readfn.
+     * For ARMv8.1-VHE register aliases, we overwrite the read/write
+     * accessor functions of various EL1/EL0 to perform the runtime
+     * check for which sysreg should actually be modified, and then
+     * forwards the operation.  Before overwriting the accessors,
+     * the original function is copied here, so that accesses that
+     * really do go to the EL1/EL0 version proceed normally.
+     * (The corresponding EL2 register is linked via opaque.)
+     */
+    CPReadFn *orig_readfn;
+    CPWriteFn *orig_writefn;
+};
+
+/*
+ * Macros which are lvalues for the field in CPUARMState for the
+ * ARMCPRegInfo *ri.
+ */
+#define CPREG_FIELD32(env, ri) \
+    (*(uint32_t *)((char *)(env) + (ri)->fieldoffset))
+#define CPREG_FIELD64(env, ri) \
+    (*(uint64_t *)((char *)(env) + (ri)->fieldoffset))
+
+#define REGINFO_SENTINEL { .type = ARM_CP_SENTINEL }
+
+void define_arm_cp_regs_with_opaque(ARMCPU *cpu,
+                                    const ARMCPRegInfo *regs, void *opaque);
+void define_one_arm_cp_reg_with_opaque(ARMCPU *cpu,
+                                       const ARMCPRegInfo *regs, void *opaque);
+static inline void define_arm_cp_regs(ARMCPU *cpu, const ARMCPRegInfo *regs)
+{
+    define_arm_cp_regs_with_opaque(cpu, regs, 0);
+}
+static inline void define_one_arm_cp_reg(ARMCPU *cpu, const ARMCPRegInfo *regs)
+{
+    define_one_arm_cp_reg_with_opaque(cpu, regs, 0);
+}
+const ARMCPRegInfo *get_arm_cp_reginfo(GHashTable *cpregs, uint32_t encoded_cp);
+
+/*
+ * Definition of an ARM co-processor register as viewed from
+ * userspace. This is used for presenting sanitised versions of
+ * registers to userspace when emulating the Linux AArch64 CPU
+ * ID/feature ABI (advertised as HWCAP_CPUID).
+ */
+typedef struct ARMCPRegUserSpaceInfo {
+    /* Name of register */
+    const char *name;
+
+    /* Is the name actually a glob pattern */
+    bool is_glob;
+
+    /* Only some bits are exported to user space */
+    uint64_t exported_bits;
+
+    /* Fixed bits are applied after the mask */
+    uint64_t fixed_bits;
+} ARMCPRegUserSpaceInfo;
+
+#define REGUSERINFO_SENTINEL { .name = NULL }
+
+void modify_arm_cp_regs(ARMCPRegInfo *regs, const ARMCPRegUserSpaceInfo *mods);
+
+/* CPWriteFn that can be used to implement writes-ignored behaviour */
+void arm_cp_write_ignore(CPUARMState *env, const ARMCPRegInfo *ri,
+                         uint64_t value);
+/* CPReadFn that can be used for read-as-zero behaviour */
+uint64_t arm_cp_read_zero(CPUARMState *env, const ARMCPRegInfo *ri);
+
+/*
+ * CPResetFn that does nothing, for use if no reset is required even
+ * if fieldoffset is non zero.
+ */
+void arm_cp_reset_ignore(CPUARMState *env, const ARMCPRegInfo *opaque);
+
+/*
+ * Return true if this reginfo struct's field in the cpu state struct
+ * is 64 bits wide.
+ */
+static inline bool cpreg_field_is_64bit(const ARMCPRegInfo *ri)
+{
+    return (ri->state == ARM_CP_STATE_AA64) || (ri->type & ARM_CP_64BIT);
+}
+
+static inline bool cp_access_ok(int current_el,
+                                const ARMCPRegInfo *ri, int isread)
+{
+    return (ri->access >> ((current_el * 2) + isread)) & 1;
+}
+
+/* Raw read of a coprocessor register (as needed for migration, etc) */
+uint64_t read_raw_cp_reg(CPUARMState *env, const ARMCPRegInfo *ri);
+
+#endif /* TARGET_ARM_CPREGS_H */
diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ static inline uint64_t cpreg_to_kvm_id(uint32_t cpregid)
     return kvmid;
 }
 
-/* ARMCPRegInfo type field bits. If the SPECIAL bit is set this is a
- * special-behaviour cp reg and bits [11..8] indicate what behaviour
- * it has. Otherwise it is a simple cp reg, where CONST indicates that
- * TCG can assume the value to be constant (ie load at translate time)
- * and 64BIT indicates a 64 bit wide coprocessor register. SUPPRESS_TB_END
- * indicates that the TB should not be ended after a write to this register
- * (the default is that the TB ends after cp writes). OVERRIDE permits
- * a register definition to override a previous definition for the
- * same (cp, is64, crn, crm, opc1, opc2) tuple: either the new or the
- * old must have the OVERRIDE bit set.
- * ALIAS indicates that this register is an alias view of some underlying
- * state which is also visible via another register, and that the other
- * register is handling migration and reset; registers marked ALIAS will not be
- * migrated but may have their state set by syncing of register state from KVM.
- * NO_RAW indicates that this register has no underlying state and does not
- * support raw access for state saving/loading; it will not be used for either
- * migration or KVM state synchronization. (Typically this is for "registers"
- * which are actually used as instructions for cache maintenance and so on.)
- * IO indicates that this register does I/O and therefore its accesses
- * need to be marked with gen_io_start() and also end the TB. In particular,
- * registers which implement clocks or timers require this.
- * RAISES_EXC is for when the read or write hook might raise an exception;
- * the generated code will synchronize the CPU state before calling the hook
- * so that it is safe for the hook to call raise_exception().
- * NEWEL is for writes to registers that might change the exception
- * level - typically on older ARM chips. For those cases we need to
- * re-read the new el when recomputing the translation flags.
- */
-#define ARM_CP_SPECIAL           0x0001
-#define ARM_CP_CONST             0x0002
-#define ARM_CP_64BIT             0x0004
-#define ARM_CP_SUPPRESS_TB_END   0x0008
-#define ARM_CP_OVERRIDE          0x0010
-#define ARM_CP_ALIAS             0x0020
-#define ARM_CP_IO                0x0040
-#define ARM_CP_NO_RAW            0x0080
-#define ARM_CP_NOP               (ARM_CP_SPECIAL | 0x0100)
-#define ARM_CP_WFI               (ARM_CP_SPECIAL | 0x0200)
-#define ARM_CP_NZCV              (ARM_CP_SPECIAL | 0x0300)
-#define ARM_CP_CURRENTEL         (ARM_CP_SPECIAL | 0x0400)
-#define ARM_CP_DC_ZVA            (ARM_CP_SPECIAL | 0x0500)
-#define ARM_CP_DC_GVA            (ARM_CP_SPECIAL | 0x0600)
-#define ARM_CP_DC_GZVA           (ARM_CP_SPECIAL | 0x0700)
-#define ARM_LAST_SPECIAL         ARM_CP_DC_GZVA
-#define ARM_CP_FPU               0x1000
-#define ARM_CP_SVE               0x2000
-#define ARM_CP_NO_GDB            0x4000
-#define ARM_CP_RAISES_EXC        0x8000
-#define ARM_CP_NEWEL             0x10000
-/* Used only as a terminator for ARMCPRegInfo lists */
-#define ARM_CP_SENTINEL          0xfffff
-/* Mask of only the flag bits in a type field */
-#define ARM_CP_FLAG_MASK         0x1f0ff
-
-/* Valid values for ARMCPRegInfo state field, indicating which of
- * the AArch32 and AArch64 execution states this register is visible in.
- * If the reginfo doesn't explicitly specify then it is AArch32 only.
- * If the reginfo is declared to be visible in both states then a second
- * reginfo is synthesised for the AArch32 view of the AArch64 register,
- * such that the AArch32 view is the lower 32 bits of the AArch64 one.
- * Note that we rely on the values of these enums as we iterate through
- * the various states in some places.
- */
-enum {
-    ARM_CP_STATE_AA32 = 0,
-    ARM_CP_STATE_AA64 = 1,
-    ARM_CP_STATE_BOTH = 2,
-};
-
-/* ARM CP register secure state flags.  These flags identify security state
- * attributes for a given CP register entry.
- * The existence of both or neither secure and non-secure flags indicates that
- * the register has both a secure and non-secure hash entry.  A single one of
- * these flags causes the register to only be hashed for the specified
- * security state.
- * Although definitions may have any combination of the S/NS bits, each
- * registered entry will only have one to identify whether the entry is secure
- * or non-secure.
- */
-enum {
-    ARM_CP_SECSTATE_S =   (1 << 0), /* bit[0]: Secure state register */
-    ARM_CP_SECSTATE_NS =  (1 << 1), /* bit[1]: Non-secure state register */
-};
-
-/* Return true if cptype is a valid type field. This is used to try to
- * catch errors where the sentinel has been accidentally left off the end
- * of a list of registers.
- */
-static inline bool cptype_valid(int cptype)
-{
-    return ((cptype & ~ARM_CP_FLAG_MASK) == 0)
-        || ((cptype & ARM_CP_SPECIAL) &&
-            ((cptype & ~ARM_CP_FLAG_MASK) <= ARM_LAST_SPECIAL));
-}
-
-/* Access rights:
- * We define bits for Read and Write access for what rev C of the v7-AR ARM ARM
- * defines as PL0 (user), PL1 (fiq/irq/svc/abt/und/sys, ie privileged), and
- * PL2 (hyp). The other level which has Read and Write bits is Secure PL1
- * (ie any of the privileged modes in Secure state, or Monitor mode).
- * If a register is accessible in one privilege level it's always accessible
- * in higher privilege levels too. Since "Secure PL1" also follows this rule
- * (ie anything visible in PL2 is visible in S-PL1, some things are only
- * visible in S-PL1) but "Secure PL1" is a bit of a mouthful, we bend the
- * terminology a little and call this PL3.
- * In AArch64 things are somewhat simpler as the PLx bits line up exactly
- * with the ELx exception levels.
- *
- * If access permissions for a register are more complex than can be
- * described with these bits, then use a laxer set of restrictions, and
- * do the more restrictive/complex check inside a helper function.
- */
-#define PL3_R 0x80
-#define PL3_W 0x40
-#define PL2_R (0x20 | PL3_R)
-#define PL2_W (0x10 | PL3_W)
-#define PL1_R (0x08 | PL2_R)
-#define PL1_W (0x04 | PL2_W)
-#define PL0_R (0x02 | PL1_R)
-#define PL0_W (0x01 | PL1_W)
-
-/*
- * For user-mode some registers are accessible to EL0 via a kernel
- * trap-and-emulate ABI. In this case we define the read permissions
- * as actually being PL0_R. However some bits of any given register
- * may still be masked.
- */
-#ifdef CONFIG_USER_ONLY
-#define PL0U_R PL0_R
-#else
-#define PL0U_R PL1_R
-#endif
-
-#define PL3_RW (PL3_R | PL3_W)
-#define PL2_RW (PL2_R | PL2_W)
-#define PL1_RW (PL1_R | PL1_W)
-#define PL0_RW (PL0_R | PL0_W)
-
 /* Return the highest implemented Exception Level */
 static inline int arm_highest_el(CPUARMState *env)
 {
@@ -XXX,XX +XXX,XX @@ static inline int arm_current_el(CPUARMState *env)
     }
 }
 
-typedef struct ARMCPRegInfo ARMCPRegInfo;
-
-typedef enum CPAccessResult {
-    /* Access is permitted */
-    CP_ACCESS_OK = 0,
-    /* Access fails due to a configurable trap or enable which would
-     * result in a categorized exception syndrome giving information about
-     * the failing instruction (ie syndrome category 0x3, 0x4, 0x5, 0x6,
-     * 0xc or 0x18). The exception is taken to the usual target EL (EL1 or
-     * PL1 if in EL0, otherwise to the current EL).
-     */
-    CP_ACCESS_TRAP = 1,
-    /* Access fails and results in an exception syndrome 0x0 ("uncategorized").
-     * Note that this is not a catch-all case -- the set of cases which may
-     * result in this failure is specifically defined by the architecture.
-     */
-    CP_ACCESS_TRAP_UNCATEGORIZED = 2,
-    /* As CP_ACCESS_TRAP, but for traps directly to EL2 or EL3 */
-    CP_ACCESS_TRAP_EL2 = 3,
-    CP_ACCESS_TRAP_EL3 = 4,
-    /* As CP_ACCESS_UNCATEGORIZED, but for traps directly to EL2 or EL3 */
-    CP_ACCESS_TRAP_UNCATEGORIZED_EL2 = 5,
-    CP_ACCESS_TRAP_UNCATEGORIZED_EL3 = 6,
-} CPAccessResult;
-
-/* Access functions for coprocessor registers. These cannot fail and
- * may not raise exceptions.
- */
-typedef uint64_t CPReadFn(CPUARMState *env, const ARMCPRegInfo *opaque);
-typedef void CPWriteFn(CPUARMState *env, const ARMCPRegInfo *opaque,
-                       uint64_t value);
-/* Access permission check functions for coprocessor registers. */
-typedef CPAccessResult CPAccessFn(CPUARMState *env,
-                                  const ARMCPRegInfo *opaque,
-                                  bool isread);
-/* Hook function for register reset */
-typedef void CPResetFn(CPUARMState *env, const ARMCPRegInfo *opaque);
-
-#define CP_ANY 0xff
-
-/* Definition of an ARM coprocessor register */
-struct ARMCPRegInfo {
-    /* Name of register (useful mainly for debugging, need not be unique) */
-    const char *name;
-    /* Location of register: coprocessor number and (crn,crm,opc1,opc2)
-     * tuple. Any of crm, opc1 and opc2 may be CP_ANY to indicate a
-     * 'wildcard' field -- any value of that field in the MRC/MCR insn
-     * will be decoded to this register. The register read and write
-     * callbacks will be passed an ARMCPRegInfo with the crn/crm/opc1/opc2
-     * used by the program, so it is possible to register a wildcard and
-     * then behave differently on read/write if necessary.
-     * For 64 bit registers, only crm and opc1 are relevant; crn and opc2
-     * must both be zero.
-     * For AArch64-visible registers, opc0 is also used.
-     * Since there are no "coprocessors" in AArch64, cp is purely used as a
-     * way to distinguish (for KVM's benefit) guest-visible system registers
-     * from demuxed ones provided to preserve the "no side effects on
-     * KVM register read/write from QEMU" semantics. cp==0x13 is guest
-     * visible (to match KVM's encoding); cp==0 will be converted to
-     * cp==0x13 when the ARMCPRegInfo is registered, for convenience.
-     */
-    uint8_t cp;
-    uint8_t crn;
-    uint8_t crm;
-    uint8_t opc0;
-    uint8_t opc1;
-    uint8_t opc2;
-    /* Execution state in which this register is visible: ARM_CP_STATE_* */
-    int state;
-    /* Register type: ARM_CP_* bits/values */
-    int type;
-    /* Access rights: PL*_[RW] */
-    int access;
-    /* Security state: ARM_CP_SECSTATE_* bits/values */
-    int secure;
-    /* The opaque pointer passed to define_arm_cp_regs_with_opaque() when
-     * this register was defined: can be used to hand data through to the
-     * register read/write functions, since they are passed the ARMCPRegInfo*.
-     */
-    void *opaque;
-    /* Value of this register, if it is ARM_CP_CONST. Otherwise, if
-     * fieldoffset is non-zero, the reset value of the register.
-     */
-    uint64_t resetvalue;
-    /* Offset of the field in CPUARMState for this register.
-     *
-     * This is not needed if either:
-     *  1. type is ARM_CP_CONST or one of the ARM_CP_SPECIALs
-     *  2. both readfn and writefn are specified
-     */
-    ptrdiff_t fieldoffset; /* offsetof(CPUARMState, field) */
-
-    /* Offsets of the secure and non-secure fields in CPUARMState for the
-     * register if it is banked.  These fields are only used during the static
-     * registration of a register.  During hashing the bank associated
-     * with a given security state is copied to fieldoffset which is used from
-     * there on out.
-     *
-     * It is expected that register definitions use either fieldoffset or
-     * bank_fieldoffsets in the definition but not both.  It is also expected
-     * that both bank offsets are set when defining a banked register.  This
-     * use indicates that a register is banked.
-     */
-    ptrdiff_t bank_fieldoffsets[2];
-
-    /* Function for making any access checks for this register in addition to
-     * those specified by the 'access' permissions bits. If NULL, no extra
-     * checks required. The access check is performed at runtime, not at
-     * translate time.
-     */
-    CPAccessFn *accessfn;
-    /* Function for handling reads of this register. If NULL, then reads
-     * will be done by loading from the offset into CPUARMState specified
-     * by fieldoffset.
-     */
-    CPReadFn *readfn;
-    /* Function for handling writes of this register. If NULL, then writes
-     * will be done by writing to the offset into CPUARMState specified
-     * by fieldoffset.
-     */
-    CPWriteFn *writefn;
-    /* Function for doing a "raw" read; used when we need to copy
-     * coprocessor state to the kernel for KVM or out for
-     * migration. This only needs to be provided if there is also a
-     * readfn and it has side effects (for instance clear-on-read bits).
-     */
-    CPReadFn *raw_readfn;
-    /* Function for doing a "raw" write; used when we need to copy KVM
-     * kernel coprocessor state into userspace, or for inbound
-     * migration. This only needs to be provided if there is also a
-     * writefn and it masks out "unwritable" bits or has write-one-to-clear
-     * or similar behaviour.
-     */
-    CPWriteFn *raw_writefn;
-    /* Function for resetting the register. If NULL, then reset will be done
-     * by writing resetvalue to the field specified in fieldoffset. If
-     * fieldoffset is 0 then no reset will be done.
-     */
-    CPResetFn *resetfn;
-
-    /*
-     * "Original" writefn and readfn.
-     * For ARMv8.1-VHE register aliases, we overwrite the read/write
-     * accessor functions of various EL1/EL0 to perform the runtime
-     * check for which sysreg should actually be modified, and then
-     * forwards the operation.  Before overwriting the accessors,
-     * the original function is copied here, so that accesses that
-     * really do go to the EL1/EL0 version proceed normally.
-     * (The corresponding EL2 register is linked via opaque.)
-     */
-    CPReadFn *orig_readfn;
-    CPWriteFn *orig_writefn;
-};
-
-/* Macros which are lvalues for the field in CPUARMState for the
- * ARMCPRegInfo *ri.
- */
-#define CPREG_FIELD32(env, ri) \
-    (*(uint32_t *)((char *)(env) + (ri)->fieldoffset))
-#define CPREG_FIELD64(env, ri) \
-    (*(uint64_t *)((char *)(env) + (ri)->fieldoffset))
-
-#define REGINFO_SENTINEL { .type = ARM_CP_SENTINEL }
-
-void define_arm_cp_regs_with_opaque(ARMCPU *cpu,
-                                    const ARMCPRegInfo *regs, void *opaque);
-void define_one_arm_cp_reg_with_opaque(ARMCPU *cpu,
-                                       const ARMCPRegInfo *regs, void *opaque);
-static inline void define_arm_cp_regs(ARMCPU *cpu, const ARMCPRegInfo *regs)
-{
-    define_arm_cp_regs_with_opaque(cpu, regs, 0);
-}
-static inline void define_one_arm_cp_reg(ARMCPU *cpu, const ARMCPRegInfo *regs)
-{
-    define_one_arm_cp_reg_with_opaque(cpu, regs, 0);
-}
-const ARMCPRegInfo *get_arm_cp_reginfo(GHashTable *cpregs, uint32_t encoded_cp);
-
-/*
- * Definition of an ARM co-processor register as viewed from
- * userspace. This is used for presenting sanitised versions of
- * registers to userspace when emulating the Linux AArch64 CPU
- * ID/feature ABI (advertised as HWCAP_CPUID).
- */
-typedef struct ARMCPRegUserSpaceInfo {
-    /* Name of register */
-    const char *name;
-
-    /* Is the name actually a glob pattern */
-    bool is_glob;
-
-    /* Only some bits are exported to user space */
-    uint64_t exported_bits;
-
-    /* Fixed bits are applied after the mask */
-    uint64_t fixed_bits;
-} ARMCPRegUserSpaceInfo;
-
-#define REGUSERINFO_SENTINEL { .name = NULL }
-
-void modify_arm_cp_regs(ARMCPRegInfo *regs, const ARMCPRegUserSpaceInfo *mods);
-
-/* CPWriteFn that can be used to implement writes-ignored behaviour */
-void arm_cp_write_ignore(CPUARMState *env, const ARMCPRegInfo *ri,
-                         uint64_t value);
-/* CPReadFn that can be used for read-as-zero behaviour */
-uint64_t arm_cp_read_zero(CPUARMState *env, const ARMCPRegInfo *ri);
-
-/* CPResetFn that does nothing, for use if no reset is required even
- * if fieldoffset is non zero.
- */
-void arm_cp_reset_ignore(CPUARMState *env, const ARMCPRegInfo *opaque);
-
-/* Return true if this reginfo struct's field in the cpu state struct
- * is 64 bits wide.
- */
-static inline bool cpreg_field_is_64bit(const ARMCPRegInfo *ri)
-{
-    return (ri->state == ARM_CP_STATE_AA64) || (ri->type & ARM_CP_64BIT);
-}
-
-static inline bool cp_access_ok(int current_el,
-                                const ARMCPRegInfo *ri, int isread)
-{
-    return (ri->access >> ((current_el * 2) + isread)) & 1;
-}
-
-/* Raw read of a coprocessor register (as needed for migration, etc) */
-uint64_t read_raw_cp_reg(CPUARMState *env, const ARMCPRegInfo *ri);
-
 /**
  * write_list_to_cpustate
  * @cpu: ARMCPU
diff --git a/hw/arm/pxa2xx.c b/hw/arm/pxa2xx.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/pxa2xx.c
+++ b/hw/arm/pxa2xx.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/cutils.h"
 #include "qemu/log.h"
 #include "qom/object.h"
+#include "target/arm/cpregs.h"
 
 static struct {
     hwaddr io_base;
diff --git a/hw/arm/pxa2xx_pic.c b/hw/arm/pxa2xx_pic.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/pxa2xx_pic.c
+++ b/hw/arm/pxa2xx_pic.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/sysbus.h"
 #include "migration/vmstate.h"
 #include "qom/object.h"
+#include "target/arm/cpregs.h"
 
 #define ICIP	0x00	/* Interrupt Controller IRQ Pending register */
 #define ICMR	0x04	/* Interrupt Controller Mask register */
diff --git a/hw/intc/arm_gicv3_cpuif.c b/hw/intc/arm_gicv3_cpuif.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3_cpuif.c
+++ b/hw/intc/arm_gicv3_cpuif.c
@@ -XXX,XX +XXX,XX @@
 #include "gicv3_internal.h"
 #include "hw/irq.h"
 #include "cpu.h"
+#include "target/arm/cpregs.h"
 
 /*
  * Special case return value from hppvi_index(); must be larger than
diff --git a/hw/intc/arm_gicv3_kvm.c b/hw/intc/arm_gicv3_kvm.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3_kvm.c
+++ b/hw/intc/arm_gicv3_kvm.c
@@ -XXX,XX +XXX,XX @@
 #include "vgic_common.h"
 #include "migration/blocker.h"
 #include "qom/object.h"
+#include "target/arm/cpregs.h"
+
 
 #ifdef DEBUG_GICV3_KVM
 #define DPRINTF(fmt, ...) \
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@
 #include "kvm_arm.h"
 #include "disas/capstone.h"
 #include "fpu/softfloat.h"
+#include "cpregs.h"
 
 static void arm_cpu_set_pc(CPUState *cs, vaddr value)
 {
diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu64.c
+++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@
 #include "hvf_arm.h"
 #include "qapi/visitor.h"
 #include "hw/qdev-properties.h"
+#include "cpregs.h"
 
 
 #ifndef CONFIG_USER_ONLY
diff --git a/target/arm/cpu_tcg.c b/target/arm/cpu_tcg.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu_tcg.c
+++ b/target/arm/cpu_tcg.c
@@ -XXX,XX +XXX,XX @@
 #if !defined(CONFIG_USER_ONLY)
 #include "hw/boards.h"
 #endif
+#include "cpregs.h"
 
 /* CPU models. These are not needed for the AArch64 linux-user build. */
 #if !defined(CONFIG_USER_ONLY) || !defined(TARGET_AARCH64)
diff --git a/target/arm/gdbstub.c b/target/arm/gdbstub.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/gdbstub.c
+++ b/target/arm/gdbstub.c
@@ -XXX,XX +XXX,XX @@
  */
 #include "qemu/osdep.h"
 #include "cpu.h"
-#include "internals.h"
 #include "exec/gdbstub.h"
+#include "internals.h"
+#include "cpregs.h"
 
 typedef struct RegisterSysregXmlParam {
     CPUState *cs;
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@
 #include "exec/cpu_ldst.h"
 #include "semihosting/common-semi.h"
 #endif
+#include "cpregs.h"
 
 #define ARM_CPU_FREQ 1000000000 /* FIXME: 1 GHz, should be configurable */
 #define PMCR_NUM_COUNTERS 4 /* QEMU IMPDEF choice */
diff --git a/target/arm/op_helper.c b/target/arm/op_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/op_helper.c
+++ b/target/arm/op_helper.c
@@ -XXX,XX +XXX,XX @@
 #include "internals.h"
 #include "exec/exec-all.h"
 #include "exec/cpu_ldst.h"
+#include "cpregs.h"
 
 #define SIGNBIT (uint32_t)0x80000000
 #define SIGNBIT64 ((uint64_t)1 << 63)
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@
 #include "translate.h"
 #include "internals.h"
 #include "qemu/host-utils.h"
-
 #include "semihosting/semihost.h"
 #include "exec/gen-icount.h"
-
 #include "exec/helper-proto.h"
 #include "exec/helper-gen.h"
 #include "exec/log.h"
-
+#include "cpregs.h"
 #include "translate-a64.h"
 #include "qemu/atomic128.h"
 
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/bitops.h"
 #include "arm_ldst.h"
 #include "semihosting/semihost.h"
-
 #include "exec/helper-proto.h"
 #include "exec/helper-gen.h"
-
 #include "exec/log.h"
+#include "cpregs.h"
 
 
 #define ENABLE_ARCH_4T    arm_dc_feature(s, ARM_FEATURE_V4T)
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Rearrange the values of the enumerators of CPAccessResult
so that we may directly extract the target el. For the two
special cases in access_check_cp_reg, use CPAccessResult.

diff --git a/target/arm/cpregs.h b/target/arm/cpregs.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpregs.h
+++ b/target/arm/cpregs.h
@@ -XXX,XX +XXX,XX @@ static inline bool cptype_valid(int cptype)
 typedef enum CPAccessResult {
     /* Access is permitted */
     CP_ACCESS_OK = 0,
+
+    /*
+     * Combined with one of the following, the low 2 bits indicate the
+     * target exception level.  If 0, the exception is taken to the usual
+     * target EL (EL1 or PL1 if in EL0, otherwise to the current EL).
+     */
+    CP_ACCESS_EL_MASK = 3,
+
     /*
      * Access fails due to a configurable trap or enable which would
      * result in a categorized exception syndrome giving information about
      * the failing instruction (ie syndrome category 0x3, 0x4, 0x5, 0x6,
-     * 0xc or 0x18). The exception is taken to the usual target EL (EL1 or
-     * PL1 if in EL0, otherwise to the current EL).
+     * 0xc or 0x18).
      */
-    CP_ACCESS_TRAP = 1,
+    CP_ACCESS_TRAP = (1 << 2),
+    CP_ACCESS_TRAP_EL2 = CP_ACCESS_TRAP | 2,
+    CP_ACCESS_TRAP_EL3 = CP_ACCESS_TRAP | 3,
+
     /*
      * Access fails and results in an exception syndrome 0x0 ("uncategorized").
      * Note that this is not a catch-all case -- the set of cases which may
      * result in this failure is specifically defined by the architecture.
      */
-    CP_ACCESS_TRAP_UNCATEGORIZED = 2,
-    /* As CP_ACCESS_TRAP, but for traps directly to EL2 or EL3 */
-    CP_ACCESS_TRAP_EL2 = 3,
-    CP_ACCESS_TRAP_EL3 = 4,
-    /* As CP_ACCESS_UNCATEGORIZED, but for traps directly to EL2 or EL3 */
-    CP_ACCESS_TRAP_UNCATEGORIZED_EL2 = 5,
-    CP_ACCESS_TRAP_UNCATEGORIZED_EL3 = 6,
+    CP_ACCESS_TRAP_UNCATEGORIZED = (2 << 2),
+    CP_ACCESS_TRAP_UNCATEGORIZED_EL2 = CP_ACCESS_TRAP_UNCATEGORIZED | 2,
+    CP_ACCESS_TRAP_UNCATEGORIZED_EL3 = CP_ACCESS_TRAP_UNCATEGORIZED | 3,
 } CPAccessResult;
 
 typedef struct ARMCPRegInfo ARMCPRegInfo;
diff --git a/target/arm/op_helper.c b/target/arm/op_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/op_helper.c
+++ b/target/arm/op_helper.c
@@ -XXX,XX +XXX,XX @@ void HELPER(access_check_cp_reg)(CPUARMState *env, void *rip, uint32_t syndrome,
                                  uint32_t isread)
 {
     const ARMCPRegInfo *ri = rip;
+    CPAccessResult res = CP_ACCESS_OK;
     int target_el;
 
     if (arm_feature(env, ARM_FEATURE_XSCALE) && ri->cp < 14
         && extract32(env->cp15.c15_cpar, ri->cp, 1) == 0) {
-        raise_exception(env, EXCP_UDEF, syndrome, exception_target_el(env));
+        res = CP_ACCESS_TRAP;
+        goto fail;
     }
 
     /*
@@ -XXX,XX +XXX,XX @@ void HELPER(access_check_cp_reg)(CPUARMState *env, void *rip, uint32_t syndrome,
         mask &= ~((1 << 4) | (1 << 14));
 
         if (env->cp15.hstr_el2 & mask) {
-            target_el = 2;
-            goto exept;
+            res = CP_ACCESS_TRAP_EL2;
+            goto fail;
         }
     }
 
-    if (!ri->accessfn) {
+    if (ri->accessfn) {
+        res = ri->accessfn(env, ri, isread);
+    }
+    if (likely(res == CP_ACCESS_OK)) {
         return;
     }
 
-    switch (ri->accessfn(env, ri, isread)) {
-    case CP_ACCESS_OK:
-        return;
+ fail:
+    switch (res & ~CP_ACCESS_EL_MASK) {
     case CP_ACCESS_TRAP:
-        target_el = exception_target_el(env);
-        break;
-    case CP_ACCESS_TRAP_EL2:
-        /* Requesting a trap to EL2 when we're in EL3 is
-         * a bug in the access function.
-         */
-        assert(arm_current_el(env) != 3);
-        target_el = 2;
-        break;
-    case CP_ACCESS_TRAP_EL3:
-        target_el = 3;
         break;
     case CP_ACCESS_TRAP_UNCATEGORIZED:
-        target_el = exception_target_el(env);
-        syndrome = syn_uncategorized();
-        break;
-    case CP_ACCESS_TRAP_UNCATEGORIZED_EL2:
-        target_el = 2;
-        syndrome = syn_uncategorized();
-        break;
-    case CP_ACCESS_TRAP_UNCATEGORIZED_EL3:
-        target_el = 3;
         syndrome = syn_uncategorized();
         break;
     default:
         g_assert_not_reached();
     }
 
-exept:
+    target_el = res & CP_ACCESS_EL_MASK;
+    switch (target_el) {
+    case 0:
+        target_el = exception_target_el(env);
+        break;
+    case 2:
+        assert(arm_current_el(env) != 3);
+        assert(arm_is_el2_enabled(env));
+        break;
+    case 3:
+        assert(arm_feature(env, ARM_FEATURE_EL3));
+        break;
+    default:
+        /* No "direct" traps to EL1 */
+        g_assert_not_reached();
+    }
+
     raise_exception(env, EXCP_UDEF, syndrome, target_el);
 }
 
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Remove a possible source of error by removing REGINFO_SENTINEL
and using ARRAY_SIZE (convinently hidden inside a macro) to
find the end of the set of regs being registered or modified.

The space saved by not having the extra array element reduces
the executable's .data.rel.ro section by about 9k.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220501055028.646596-4-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpregs.h       |  53 +++++++++---------
 hw/arm/pxa2xx.c           |   1 -
 hw/arm/pxa2xx_pic.c       |   1 -
 hw/intc/arm_gicv3_cpuif.c |   5 --
 hw/intc/arm_gicv3_kvm.c   |   1 -
 target/arm/cpu64.c        |   1 -
 target/arm/cpu_tcg.c      |   4 --
 target/arm/helper.c       | 111 ++++++++------------------------------
 8 files changed, 48 insertions(+), 129 deletions(-)

diff --git a/target/arm/cpregs.h b/target/arm/cpregs.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpregs.h
+++ b/target/arm/cpregs.h
@@ -XXX,XX +XXX,XX @@
 #define ARM_CP_NO_GDB            0x4000
 #define ARM_CP_RAISES_EXC        0x8000
 #define ARM_CP_NEWEL             0x10000
-/* Used only as a terminator for ARMCPRegInfo lists */
-#define ARM_CP_SENTINEL          0xfffff
 /* Mask of only the flag bits in a type field */
 #define ARM_CP_FLAG_MASK         0x1f0ff
 
@@ -XXX,XX +XXX,XX @@ enum {
     ARM_CP_SECSTATE_NS =  (1 << 1), /* bit[1]: Non-secure state register */
 };
 
-/*
- * Return true if cptype is a valid type field. This is used to try to
- * catch errors where the sentinel has been accidentally left off the end
- * of a list of registers.
- */
-static inline bool cptype_valid(int cptype)
-{
-    return ((cptype & ~ARM_CP_FLAG_MASK) == 0)
-        || ((cptype & ARM_CP_SPECIAL) &&
-            ((cptype & ~ARM_CP_FLAG_MASK) <= ARM_LAST_SPECIAL));
-}
-
 /*
  * Access rights:
  * We define bits for Read and Write access for what rev C of the v7-AR ARM ARM
@@ -XXX,XX +XXX,XX @@ struct ARMCPRegInfo {
 #define CPREG_FIELD64(env, ri) \
     (*(uint64_t *)((char *)(env) + (ri)->fieldoffset))
 
-#define REGINFO_SENTINEL { .type = ARM_CP_SENTINEL }
+void define_one_arm_cp_reg_with_opaque(ARMCPU *cpu, const ARMCPRegInfo *reg,
+                                       void *opaque);
 
-void define_arm_cp_regs_with_opaque(ARMCPU *cpu,
-                                    const ARMCPRegInfo *regs, void *opaque);
-void define_one_arm_cp_reg_with_opaque(ARMCPU *cpu,
-                                       const ARMCPRegInfo *regs, void *opaque);
-static inline void define_arm_cp_regs(ARMCPU *cpu, const ARMCPRegInfo *regs)
-{
-    define_arm_cp_regs_with_opaque(cpu, regs, 0);
-}
 static inline void define_one_arm_cp_reg(ARMCPU *cpu, const ARMCPRegInfo *regs)
 {
-    define_one_arm_cp_reg_with_opaque(cpu, regs, 0);
+    define_one_arm_cp_reg_with_opaque(cpu, regs, NULL);
 }
+
+void define_arm_cp_regs_with_opaque_len(ARMCPU *cpu, const ARMCPRegInfo *regs,
+                                        void *opaque, size_t len);
+
+#define define_arm_cp_regs_with_opaque(CPU, REGS, OPAQUE)               \
+    do {                                                                \
+        QEMU_BUILD_BUG_ON(ARRAY_SIZE(REGS) == 0);                       \
+        define_arm_cp_regs_with_opaque_len(CPU, REGS, OPAQUE,           \
+                                           ARRAY_SIZE(REGS));           \
+    } while (0)
+
+#define define_arm_cp_regs(CPU, REGS) \
+    define_arm_cp_regs_with_opaque(CPU, REGS, NULL)
+
 const ARMCPRegInfo *get_arm_cp_reginfo(GHashTable *cpregs, uint32_t encoded_cp);
 
 /*
@@ -XXX,XX +XXX,XX @@ typedef struct ARMCPRegUserSpaceInfo {
     uint64_t fixed_bits;
 } ARMCPRegUserSpaceInfo;
 
-#define REGUSERINFO_SENTINEL { .name = NULL }
+void modify_arm_cp_regs_with_len(ARMCPRegInfo *regs, size_t regs_len,
+                                 const ARMCPRegUserSpaceInfo *mods,
+                                 size_t mods_len);
 
-void modify_arm_cp_regs(ARMCPRegInfo *regs, const ARMCPRegUserSpaceInfo *mods);
+#define modify_arm_cp_regs(REGS, MODS)                                  \
+    do {                                                                \
+        QEMU_BUILD_BUG_ON(ARRAY_SIZE(REGS) == 0);                       \
+        QEMU_BUILD_BUG_ON(ARRAY_SIZE(MODS) == 0);                       \
+        modify_arm_cp_regs_with_len(REGS, ARRAY_SIZE(REGS),             \
+                                    MODS, ARRAY_SIZE(MODS));            \
+    } while (0)
 
 /* CPWriteFn that can be used to implement writes-ignored behaviour */
 void arm_cp_write_ignore(CPUARMState *env, const ARMCPRegInfo *ri,
diff --git a/hw/arm/pxa2xx.c b/hw/arm/pxa2xx.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/pxa2xx.c
+++ b/hw/arm/pxa2xx.c
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo pxa_cp_reginfo[] = {
     { .name = "PWRMODE", .cp = 14, .crn = 7, .crm = 0, .opc1 = 0, .opc2 = 0,
       .access = PL1_RW, .type = ARM_CP_IO,
       .readfn = arm_cp_read_zero, .writefn = pxa2xx_pwrmode_write },
-    REGINFO_SENTINEL
 };
 
 static void pxa2xx_setup_cp14(PXA2xxState *s)
diff --git a/hw/arm/pxa2xx_pic.c b/hw/arm/pxa2xx_pic.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/pxa2xx_pic.c
+++ b/hw/arm/pxa2xx_pic.c
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo pxa_pic_cp_reginfo[] = {
     REGINFO_FOR_PIC_CP("ICLR2", 8),
     REGINFO_FOR_PIC_CP("ICFP2", 9),
     REGINFO_FOR_PIC_CP("ICPR2", 0xa),
-    REGINFO_SENTINEL
 };
 
 static const MemoryRegionOps pxa2xx_pic_ops = {
diff --git a/hw/intc/arm_gicv3_cpuif.c b/hw/intc/arm_gicv3_cpuif.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3_cpuif.c
+++ b/hw/intc/arm_gicv3_cpuif.c
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo gicv3_cpuif_reginfo[] = {
       .readfn = icc_igrpen1_el3_read,
       .writefn = icc_igrpen1_el3_write,
     },
-    REGINFO_SENTINEL
 };
 
 static uint64_t ich_ap_read(CPUARMState *env, const ARMCPRegInfo *ri)
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo gicv3_cpuif_hcr_reginfo[] = {
       .readfn = ich_vmcr_read,
       .writefn = ich_vmcr_write,
     },
-    REGINFO_SENTINEL
 };
 
 static const ARMCPRegInfo gicv3_cpuif_ich_apxr1_reginfo[] = {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo gicv3_cpuif_ich_apxr1_reginfo[] = {
       .readfn = ich_ap_read,
       .writefn = ich_ap_write,
     },
-    REGINFO_SENTINEL
 };
 
 static const ARMCPRegInfo gicv3_cpuif_ich_apxr23_reginfo[] = {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo gicv3_cpuif_ich_apxr23_reginfo[] = {
       .readfn = ich_ap_read,
       .writefn = ich_ap_write,
     },
-    REGINFO_SENTINEL
 };
 
 static void gicv3_cpuif_el_change_hook(ARMCPU *cpu, void *opaque)
@@ -XXX,XX +XXX,XX @@ void gicv3_init_cpuif(GICv3State *s)
                       .readfn = ich_lr_read,
                       .writefn = ich_lr_write,
                     },
-                    REGINFO_SENTINEL
                 };
                 define_arm_cp_regs(cpu, lr_regset);
             }
diff --git a/hw/intc/arm_gicv3_kvm.c b/hw/intc/arm_gicv3_kvm.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3_kvm.c
+++ b/hw/intc/arm_gicv3_kvm.c
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo gicv3_cpuif_reginfo[] = {
        */
       .resetfn = arm_gicv3_icc_reset,
     },
-    REGINFO_SENTINEL
 };
 
 /**
diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu64.c
+++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo cortex_a72_a57_a53_cp_reginfo[] = {
     { .name = "L2MERRSR",
       .cp = 15, .opc1 = 3, .crm = 15,
       .access = PL1_RW, .type = ARM_CP_CONST | ARM_CP_64BIT, .resetvalue = 0 },
-    REGINFO_SENTINEL
 };
 
 static void aarch64_a57_initfn(Object *obj)
diff --git a/target/arm/cpu_tcg.c b/target/arm/cpu_tcg.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu_tcg.c
+++ b/target/arm/cpu_tcg.c
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo cortexa8_cp_reginfo[] = {
       .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
     { .name = "L2AUXCR", .cp = 15, .crn = 9, .crm = 0, .opc1 = 1, .opc2 = 2,
       .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
-    REGINFO_SENTINEL
 };
 
 static void cortex_a8_initfn(Object *obj)
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo cortexa9_cp_reginfo[] = {
       .access = PL1_RW, .resetvalue = 0, .type = ARM_CP_CONST },
     { .name = "TLB_ATTR", .cp = 15, .crn = 15, .crm = 7, .opc1 = 5, .opc2 = 2,
       .access = PL1_RW, .resetvalue = 0, .type = ARM_CP_CONST },
-    REGINFO_SENTINEL
 };
 
 static void cortex_a9_initfn(Object *obj)
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo cortexa15_cp_reginfo[] = {
 #endif
     { .name = "L2ECTLR", .cp = 15, .crn = 9, .crm = 0, .opc1 = 1, .opc2 = 3,
       .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
-    REGINFO_SENTINEL
 };
 
 static void cortex_a7_initfn(Object *obj)
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo cortexr5_cp_reginfo[] = {
       .access = PL1_RW, .type = ARM_CP_CONST },
     { .name = "DCACHE_INVAL", .cp = 15, .opc1 = 0, .crn = 15, .crm = 5,
       .opc2 = 0, .access = PL1_W, .type = ARM_CP_NOP },
-    REGINFO_SENTINEL
 };
 
 static void cortex_r5_initfn(Object *obj)
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo cp_reginfo[] = {
       .secure = ARM_CP_SECSTATE_S,
       .fieldoffset = offsetof(CPUARMState, cp15.contextidr_s),
       .resetvalue = 0, .writefn = contextidr_write, .raw_writefn = raw_write, },
-    REGINFO_SENTINEL
 };
 
 static const ARMCPRegInfo not_v8_cp_reginfo[] = {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo not_v8_cp_reginfo[] = {
     { .name = "CACHEMAINT", .cp = 15, .crn = 7, .crm = CP_ANY,
       .opc1 = 0, .opc2 = CP_ANY, .access = PL1_W,
       .type = ARM_CP_NOP | ARM_CP_OVERRIDE },
-    REGINFO_SENTINEL
 };
 
 static const ARMCPRegInfo not_v6_cp_reginfo[] = {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo not_v6_cp_reginfo[] = {
      */
     { .name = "WFI_v5", .cp = 15, .crn = 7, .crm = 8, .opc1 = 0, .opc2 = 2,
       .access = PL1_W, .type = ARM_CP_WFI },
-    REGINFO_SENTINEL
 };
 
 static const ARMCPRegInfo not_v7_cp_reginfo[] = {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo not_v7_cp_reginfo[] = {
       .opc1 = 0, .opc2 = 0, .access = PL1_RW, .type = ARM_CP_NOP },
     { .name = "NMRR", .cp = 15, .crn = 10, .crm = 2,
       .opc1 = 0, .opc2 = 1, .access = PL1_RW, .type = ARM_CP_NOP },
-    REGINFO_SENTINEL
 };
 
 static void cpacr_write(CPUARMState *env, const ARMCPRegInfo *ri,
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v6_cp_reginfo[] = {
       .crn = 1, .crm = 0, .opc1 = 0, .opc2 = 2, .accessfn = cpacr_access,
       .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, cp15.cpacr_el1),
       .resetfn = cpacr_reset, .writefn = cpacr_write, .readfn = cpacr_read },
-    REGINFO_SENTINEL
 };
 
 typedef struct pm_event {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v7_cp_reginfo[] = {
     { .name = "TLBIMVAA", .cp = 15, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 3,
       .type = ARM_CP_NO_RAW, .access = PL1_W, .accessfn = access_ttlb,
       .writefn = tlbimvaa_write },
-    REGINFO_SENTINEL
 };
 
 static const ARMCPRegInfo v7mp_cp_reginfo[] = {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v7mp_cp_reginfo[] = {
     { .name = "TLBIMVAAIS", .cp = 15, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 3,
       .type = ARM_CP_NO_RAW, .access = PL1_W, .accessfn = access_ttlb,
       .writefn = tlbimvaa_is_write },
-    REGINFO_SENTINEL
 };
 
 static const ARMCPRegInfo pmovsset_cp_reginfo[] = {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo pmovsset_cp_reginfo[] = {
       .fieldoffset = offsetof(CPUARMState, cp15.c9_pmovsr),
       .writefn = pmovsset_write,
       .raw_writefn = raw_write },
-    REGINFO_SENTINEL
 };
 
 static void teecr_write(CPUARMState *env, const ARMCPRegInfo *ri,
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo t2ee_cp_reginfo[] = {
     { .name = "TEEHBR", .cp = 14, .crn = 1, .crm = 0, .opc1 = 6, .opc2 = 0,
       .access = PL0_RW, .fieldoffset = offsetof(CPUARMState, teehbr),
       .accessfn = teehbr_access, .resetvalue = 0 },
-    REGINFO_SENTINEL
 };
 
 static const ARMCPRegInfo v6k_cp_reginfo[] = {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v6k_cp_reginfo[] = {
       .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.tpidrprw_s),
                              offsetoflow32(CPUARMState, cp15.tpidrprw_ns) },
       .resetvalue = 0 },
-    REGINFO_SENTINEL
 };
 
 #ifndef CONFIG_USER_ONLY
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo generic_timer_cp_reginfo[] = {
       .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_SEC].cval),
       .writefn = gt_sec_cval_write, .raw_writefn = raw_write,
     },
-    REGINFO_SENTINEL
 };
 
 static CPAccessResult e2h_access(CPUARMState *env, const ARMCPRegInfo *ri,
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo generic_timer_cp_reginfo[] = {
       .access = PL0_R, .type = ARM_CP_NO_RAW | ARM_CP_IO,
       .readfn = gt_virt_cnt_read,
     },
-    REGINFO_SENTINEL
 };
 
 #endif
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo vapa_cp_reginfo[] = {
       .access = PL1_W, .accessfn = ats_access,
       .writefn = ats_write, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC },
 #endif
-    REGINFO_SENTINEL
 };
 
 /* Return basic MPU access permission bits.  */
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo pmsav7_cp_reginfo[] = {
       .fieldoffset = offsetof(CPUARMState, pmsav7.rnr[M_REG_NS]),
       .writefn = pmsav7_rgnr_write,
       .resetfn = arm_cp_reset_ignore },
-    REGINFO_SENTINEL
 };
 
 static const ARMCPRegInfo pmsav5_cp_reginfo[] = {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo pmsav5_cp_reginfo[] = {
     { .name = "946_PRBS7", .cp = 15, .crn = 6, .crm = 7, .opc1 = 0,
       .opc2 = CP_ANY, .access = PL1_RW, .resetvalue = 0,
       .fieldoffset = offsetof(CPUARMState, cp15.c6_region[7]) },
-    REGINFO_SENTINEL
 };
 
 static void vmsa_ttbcr_raw_write(CPUARMState *env, const ARMCPRegInfo *ri,
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo vmsa_pmsa_cp_reginfo[] = {
       .access = PL1_RW, .accessfn = access_tvm_trvm,
       .fieldoffset = offsetof(CPUARMState, cp15.far_el[1]),
       .resetvalue = 0, },
-    REGINFO_SENTINEL
 };
 
 static const ARMCPRegInfo vmsa_cp_reginfo[] = {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo vmsa_cp_reginfo[] = {
       /* No offsetoflow32 -- pass the entire TCR to writefn/raw_writefn. */
       .bank_fieldoffsets = { offsetof(CPUARMState, cp15.tcr_el[3]),
                              offsetof(CPUARMState, cp15.tcr_el[1])} },
-    REGINFO_SENTINEL
 };
 
 /* Note that unlike TTBCR, writing to TTBCR2 does not require flushing
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo omap_cp_reginfo[] = {
     { .name = "C9", .cp = 15, .crn = 9,
       .crm = CP_ANY, .opc1 = CP_ANY, .opc2 = CP_ANY, .access = PL1_RW,
       .type = ARM_CP_CONST | ARM_CP_OVERRIDE, .resetvalue = 0 },
-    REGINFO_SENTINEL
 };
 
 static void xscale_cpar_write(CPUARMState *env, const ARMCPRegInfo *ri,
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo xscale_cp_reginfo[] = {
     { .name = "XSCALE_UNLOCK_DCACHE",
       .cp = 15, .opc1 = 0, .crn = 9, .crm = 2, .opc2 = 1,
       .access = PL1_W, .type = ARM_CP_NOP },
-    REGINFO_SENTINEL
 };
 
 static const ARMCPRegInfo dummy_c15_cp_reginfo[] = {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo dummy_c15_cp_reginfo[] = {
       .access = PL1_RW,
       .type = ARM_CP_CONST | ARM_CP_NO_RAW | ARM_CP_OVERRIDE,
       .resetvalue = 0 },
-    REGINFO_SENTINEL
 };
 
 static const ARMCPRegInfo cache_dirty_status_cp_reginfo[] = {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo cache_dirty_status_cp_reginfo[] = {
     { .name = "CDSR", .cp = 15, .crn = 7, .crm = 10, .opc1 = 0, .opc2 = 6,
       .access = PL1_R, .type = ARM_CP_CONST | ARM_CP_NO_RAW,
       .resetvalue = 0 },
-    REGINFO_SENTINEL
 };
 
 static const ARMCPRegInfo cache_block_ops_cp_reginfo[] = {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo cache_block_ops_cp_reginfo[] = {
       .access = PL0_W, .type = ARM_CP_NOP|ARM_CP_64BIT },
     { .name = "CIDCR", .cp = 15, .crm = 14, .opc1 = 0,
       .access = PL1_W, .type = ARM_CP_NOP|ARM_CP_64BIT },
-    REGINFO_SENTINEL
 };
 
 static const ARMCPRegInfo cache_test_clean_cp_reginfo[] = {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo cache_test_clean_cp_reginfo[] = {
     { .name = "TCI_DCACHE", .cp = 15, .crn = 7, .crm = 14, .opc1 = 0, .opc2 = 3,
       .access = PL0_R, .type = ARM_CP_CONST | ARM_CP_NO_RAW,
       .resetvalue = (1 << 30) },
-    REGINFO_SENTINEL
 };
 
 static const ARMCPRegInfo strongarm_cp_reginfo[] = {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo strongarm_cp_reginfo[] = {
       .crm = CP_ANY, .opc1 = CP_ANY, .opc2 = CP_ANY,
       .access = PL1_RW, .resetvalue = 0,
       .type = ARM_CP_CONST | ARM_CP_OVERRIDE | ARM_CP_NO_RAW },
-    REGINFO_SENTINEL
 };
 
 static uint64_t midr_read(CPUARMState *env, const ARMCPRegInfo *ri)
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo lpae_cp_reginfo[] = {
       .bank_fieldoffsets = { offsetof(CPUARMState, cp15.ttbr1_s),
                              offsetof(CPUARMState, cp15.ttbr1_ns) },
       .writefn = vmsa_ttbr_write, },
-    REGINFO_SENTINEL
 };
 
 static uint64_t aa64_fpcr_read(CPUARMState *env, const ARMCPRegInfo *ri)
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v8_cp_reginfo[] = {
       .access = PL1_RW, .accessfn = access_trap_aa32s_el1,
       .writefn = sdcr_write,
       .fieldoffset = offsetoflow32(CPUARMState, cp15.mdcr_el3) },
-    REGINFO_SENTINEL
 };
 
 /* Used to describe the behaviour of EL2 regs when EL2 does not exist.  */
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el3_no_el2_cp_reginfo[] = {
       .type = ARM_CP_CONST,
       .cp = 15, .opc1 = 4, .crn = 6, .crm = 0, .opc2 = 2,
       .access = PL2_RW, .resetvalue = 0 },
-    REGINFO_SENTINEL
 };
 
 /* Ditto, but for registers which exist in ARMv8 but not v7 */
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el3_no_el2_v8_cp_reginfo[] = {
       .cp = 15, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 4,
       .access = PL2_RW,
       .type = ARM_CP_CONST, .resetvalue = 0 },
-    REGINFO_SENTINEL
 };
 
 static void do_hcr_write(CPUARMState *env, uint64_t value, uint64_t valid_mask)
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el2_cp_reginfo[] = {
       .cp = 15, .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 3,
       .access = PL2_RW,
       .fieldoffset = offsetof(CPUARMState, cp15.hstr_el2) },
-    REGINFO_SENTINEL
 };
 
 static const ARMCPRegInfo el2_v8_cp_reginfo[] = {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el2_v8_cp_reginfo[] = {
       .access = PL2_RW,
       .fieldoffset = offsetofhigh32(CPUARMState, cp15.hcr_el2),
       .writefn = hcr_writehigh },
-    REGINFO_SENTINEL
 };
 
 static CPAccessResult sel2_access(CPUARMState *env, const ARMCPRegInfo *ri,
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el2_sec_cp_reginfo[] = {
       .opc0 = 3, .opc1 = 4, .crn = 2, .crm = 6, .opc2 = 2,
       .access = PL2_RW, .accessfn = sel2_access,
       .fieldoffset = offsetof(CPUARMState, cp15.vstcr_el2) },
-    REGINFO_SENTINEL
 };
 
 static CPAccessResult nsacr_access(CPUARMState *env, const ARMCPRegInfo *ri,
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el3_cp_reginfo[] = {
       .opc0 = 1, .opc1 = 6, .crn = 8, .crm = 7, .opc2 = 5,
       .access = PL3_W, .type = ARM_CP_NO_RAW,
       .writefn = tlbi_aa64_vae3_write },
-    REGINFO_SENTINEL
 };
 
 #ifndef CONFIG_USER_ONLY
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo debug_cp_reginfo[] = {
       .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 0,
       .access = PL1_RW, .accessfn = access_tda,
       .type = ARM_CP_NOP },
-    REGINFO_SENTINEL
 };
 
 static const ARMCPRegInfo debug_lpae_cp_reginfo[] = {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo debug_lpae_cp_reginfo[] = {
       .access = PL0_R, .type = ARM_CP_CONST|ARM_CP_64BIT, .resetvalue = 0 },
     { .name = "DBGDSAR", .cp = 14, .crm = 2, .opc1 = 0,
       .access = PL0_R, .type = ARM_CP_CONST|ARM_CP_64BIT, .resetvalue = 0 },
-    REGINFO_SENTINEL
 };
 
 /* Return the exception level to which exceptions should be taken
@@ -XXX,XX +XXX,XX @@ static void define_debug_regs(ARMCPU *cpu)
               .fieldoffset = offsetof(CPUARMState, cp15.dbgbcr[i]),
               .writefn = dbgbcr_write, .raw_writefn = raw_write
             },
-            REGINFO_SENTINEL
         };
         define_arm_cp_regs(cpu, dbgregs);
     }
@@ -XXX,XX +XXX,XX @@ static void define_debug_regs(ARMCPU *cpu)
               .fieldoffset = offsetof(CPUARMState, cp15.dbgwcr[i]),
               .writefn = dbgwcr_write, .raw_writefn = raw_write
             },
-            REGINFO_SENTINEL
         };
         define_arm_cp_regs(cpu, dbgregs);
     }
@@ -XXX,XX +XXX,XX @@ static void define_pmu_regs(ARMCPU *cpu)
               .type = ARM_CP_IO,
               .readfn = pmevtyper_readfn, .writefn = pmevtyper_writefn,
               .raw_writefn = pmevtyper_rawwrite },
-            REGINFO_SENTINEL
         };
         define_arm_cp_regs(cpu, pmev_regs);
         g_free(pmevcntr_name);
@@ -XXX,XX +XXX,XX @@ static void define_pmu_regs(ARMCPU *cpu)
               .cp = 15, .opc1 = 0, .crn = 9, .crm = 14, .opc2 = 5,
               .access = PL0_R, .accessfn = pmreg_access, .type = ARM_CP_CONST,
               .resetvalue = extract64(cpu->pmceid1, 32, 32) },
-            REGINFO_SENTINEL
         };
         define_arm_cp_regs(cpu, v81_pmu_regs);
     }
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo lor_reginfo[] = {
       .opc0 = 3, .opc1 = 0, .crn = 10, .crm = 4, .opc2 = 7,
       .access = PL1_R, .accessfn = access_lor_ns,
       .type = ARM_CP_CONST, .resetvalue = 0 },
-    REGINFO_SENTINEL
 };
 
 #ifdef TARGET_AARCH64
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo pauth_reginfo[] = {
       .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 1, .opc2 = 3,
       .access = PL1_RW, .accessfn = access_pauth,
       .fieldoffset = offsetof(CPUARMState, keys.apib.hi) },
-    REGINFO_SENTINEL
 };
 
 static const ARMCPRegInfo tlbirange_reginfo[] = {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo tlbirange_reginfo[] = {
       .opc0 = 1, .opc1 = 6, .crn = 8, .crm = 6, .opc2 = 5,
       .access = PL3_W, .type = ARM_CP_NO_RAW,
       .writefn = tlbi_aa64_rvae3_write },
-    REGINFO_SENTINEL
 };
 
 static const ARMCPRegInfo tlbios_reginfo[] = {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo tlbios_reginfo[] = {
       .opc0 = 1, .opc1 = 6, .crn = 8, .crm = 1, .opc2 = 5,
       .access = PL3_W, .type = ARM_CP_NO_RAW,
       .writefn = tlbi_aa64_vae3is_write },
-    REGINFO_SENTINEL
 };
 
 static uint64_t rndr_readfn(CPUARMState *env, const ARMCPRegInfo *ri)
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo rndr_reginfo[] = {
       .type = ARM_CP_NO_RAW | ARM_CP_SUPPRESS_TB_END | ARM_CP_IO,
       .opc0 = 3, .opc1 = 3, .crn = 2, .crm = 4, .opc2 = 1,
       .access = PL0_R, .readfn = rndr_readfn },
-    REGINFO_SENTINEL
 };
 
 #ifndef CONFIG_USER_ONLY
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo dcpop_reg[] = {
       .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 12, .opc2 = 1,
       .access = PL0_W, .type = ARM_CP_NO_RAW | ARM_CP_SUPPRESS_TB_END,
       .accessfn = aa64_cacheop_poc_access, .writefn = dccvap_writefn },
-    REGINFO_SENTINEL
 };
 
 static const ARMCPRegInfo dcpodp_reg[] = {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo dcpodp_reg[] = {
       .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 13, .opc2 = 1,
       .access = PL0_W, .type = ARM_CP_NO_RAW | ARM_CP_SUPPRESS_TB_END,
       .accessfn = aa64_cacheop_poc_access, .writefn = dccvap_writefn },
-    REGINFO_SENTINEL
 };
 #endif /*CONFIG_USER_ONLY*/
 
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo mte_reginfo[] = {
     { .name = "DC_CIGDSW", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 14, .opc2 = 6,
       .type = ARM_CP_NOP, .access = PL1_W, .accessfn = access_tsw },
-    REGINFO_SENTINEL
 };
 
 static const ARMCPRegInfo mte_tco_ro_reginfo[] = {
     { .name = "TCO", .state = ARM_CP_STATE_AA64,
       .opc0 = 3, .opc1 = 3, .crn = 4, .crm = 2, .opc2 = 7,
       .type = ARM_CP_CONST, .access = PL0_RW, },
-    REGINFO_SENTINEL
 };
 
 static const ARMCPRegInfo mte_el0_cacheop_reginfo[] = {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo mte_el0_cacheop_reginfo[] = {
       .accessfn = aa64_zva_access,
 #endif
     },
-    REGINFO_SENTINEL
 };
 
 #endif
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo predinv_reginfo[] = {
     { .name = "CPPRCTX", .state = ARM_CP_STATE_AA32,
       .cp = 15, .opc1 = 0, .crn = 7, .crm = 3, .opc2 = 7,
       .type = ARM_CP_NOP, .access = PL0_W, .accessfn = access_predinv },
-    REGINFO_SENTINEL
 };
 
 static uint64_t ccsidr2_read(CPUARMState *env, const ARMCPRegInfo *ri)
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo ccsidr2_reginfo[] = {
       .access = PL1_R,
       .accessfn = access_aa64_tid2,
       .readfn = ccsidr2_read, .type = ARM_CP_NO_RAW },
-    REGINFO_SENTINEL
 };
 
 static CPAccessResult access_aa64_tid3(CPUARMState *env, const ARMCPRegInfo *ri,
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo jazelle_regs[] = {
       .cp = 14, .crn = 2, .crm = 0, .opc1 = 7, .opc2 = 0,
       .accessfn = access_joscr_jmcr,
       .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
-    REGINFO_SENTINEL
 };
 
 static const ARMCPRegInfo vhe_reginfo[] = {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo vhe_reginfo[] = {
       .access = PL2_RW, .accessfn = e2h_access,
       .writefn = gt_virt_cval_write, .raw_writefn = raw_write },
 #endif
-    REGINFO_SENTINEL
 };
 
 #ifndef CONFIG_USER_ONLY
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo ats1e1_reginfo[] = {
       .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 9, .opc2 = 1,
       .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
       .writefn = ats_write64 },
-    REGINFO_SENTINEL
 };
 
 static const ARMCPRegInfo ats1cp_reginfo[] = {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo ats1cp_reginfo[] = {
       .cp = 15, .opc1 = 0, .crn = 7, .crm = 9, .opc2 = 1,
       .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
       .writefn = ats_write },
-    REGINFO_SENTINEL
 };
 #endif
 
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo actlr2_hactlr2_reginfo[] = {
       .cp = 15, .opc1 = 4, .crn = 1, .crm = 0, .opc2 = 3,
       .access = PL2_RW, .type = ARM_CP_CONST,
       .resetvalue = 0 },
-    REGINFO_SENTINEL
 };
 
 void register_cp_regs_for_features(ARMCPU *cpu)
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
               .access = PL1_R, .type = ARM_CP_CONST,
               .accessfn = access_aa32_tid3,
               .resetvalue = cpu->isar.id_isar6 },
-            REGINFO_SENTINEL
         };
         define_arm_cp_regs(cpu, v6_idregs);
         define_arm_cp_regs(cpu, v6_cp_reginfo);
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
               .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 12, .opc2 = 7,
               .access = PL0_R, .accessfn = pmreg_access, .type = ARM_CP_CONST,
               .resetvalue = cpu->pmceid1 },
-            REGINFO_SENTINEL
         };
 #ifdef CONFIG_USER_ONLY
         ARMCPRegUserSpaceInfo v8_user_idregs[] = {
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
               .exported_bits = 0x000000f0ffffffff },
             { .name = "ID_AA64ISAR*_EL1_RESERVED",
               .is_glob = true                     },
-            REGUSERINFO_SENTINEL
         };
         modify_arm_cp_regs(v8_idregs, v8_user_idregs);
 #endif
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
               .access = PL2_RW,
               .resetvalue = vmpidr_def,
               .fieldoffset = offsetof(CPUARMState, cp15.vmpidr_el2) },
-            REGINFO_SENTINEL
         };
         define_arm_cp_regs(cpu, vpidr_regs);
         define_arm_cp_regs(cpu, el2_cp_reginfo);
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
                   .access = PL2_RW, .accessfn = access_el3_aa32ns,
                   .type = ARM_CP_NO_RAW,
                   .writefn = arm_cp_write_ignore, .readfn = mpidr_read },
-                REGINFO_SENTINEL
             };
             define_arm_cp_regs(cpu, vpidr_regs);
             define_arm_cp_regs(cpu, el3_no_el2_cp_reginfo);
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
               .raw_writefn = raw_write, .writefn = sctlr_write,
               .fieldoffset = offsetof(CPUARMState, cp15.sctlr_el[3]),
               .resetvalue = cpu->reset_sctlr },
-            REGINFO_SENTINEL
         };
 
         define_arm_cp_regs(cpu, el3_regs);
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
             { .name = "DUMMY",
               .cp = 15, .crn = 0, .crm = 7, .opc1 = 0, .opc2 = CP_ANY,
               .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 0 },
-            REGINFO_SENTINEL
         };
         ARMCPRegInfo id_v8_midr_cp_reginfo[] = {
             { .name = "MIDR_EL1", .state = ARM_CP_STATE_BOTH,
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
               .access = PL1_R,
               .accessfn = access_aa64_tid1,
               .type = ARM_CP_CONST, .resetvalue = cpu->revidr },
-            REGINFO_SENTINEL
         };
         ARMCPRegInfo id_cp_reginfo[] = {
             /* These are common to v8 and pre-v8 */
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
               .access = PL1_R,
               .accessfn = access_aa32_tid1,
               .type = ARM_CP_CONST, .resetvalue = 0 },
-            REGINFO_SENTINEL
         };
         /* TLBTR is specific to VMSA */
         ARMCPRegInfo id_tlbtr_reginfo = {
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
             { .name = "MIDR_EL1",
               .exported_bits = 0x00000000ffffffff },
             { .name = "REVIDR_EL1"                },
-            REGUSERINFO_SENTINEL
         };
         modify_arm_cp_regs(id_v8_midr_cp_reginfo, id_v8_user_midr_cp_reginfo);
 #endif
         if (arm_feature(env, ARM_FEATURE_OMAPCP) ||
             arm_feature(env, ARM_FEATURE_STRONGARM)) {
-            ARMCPRegInfo *r;
+            size_t i;
             /* Register the blanket "writes ignored" value first to cover the
              * whole space. Then update the specific ID registers to allow write
              * access, so that they ignore writes rather than causing them to
              * UNDEF.
              */
             define_one_arm_cp_reg(cpu, &crn0_wi_reginfo);
-            for (r = id_pre_v8_midr_cp_reginfo;
-                 r->type != ARM_CP_SENTINEL; r++) {
-                r->access = PL1_RW;
+            for (i = 0; i < ARRAY_SIZE(id_pre_v8_midr_cp_reginfo); ++i) {
+                id_pre_v8_midr_cp_reginfo[i].access = PL1_RW;
             }
-            for (r = id_cp_reginfo; r->type != ARM_CP_SENTINEL; r++) {
-                r->access = PL1_RW;
+            for (i = 0; i < ARRAY_SIZE(id_cp_reginfo); ++i) {
+                id_cp_reginfo[i].access = PL1_RW;
             }
             id_mpuir_reginfo.access = PL1_RW;
             id_tlbtr_reginfo.access = PL1_RW;
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
             { .name = "MPIDR_EL1", .state = ARM_CP_STATE_BOTH,
               .opc0 = 3, .crn = 0, .crm = 0, .opc1 = 0, .opc2 = 5,
               .access = PL1_R, .readfn = mpidr_read, .type = ARM_CP_NO_RAW },
-            REGINFO_SENTINEL
         };
 #ifdef CONFIG_USER_ONLY
         ARMCPRegUserSpaceInfo mpidr_user_cp_reginfo[] = {
             { .name = "MPIDR_EL1",
               .fixed_bits = 0x0000000080000000 },
-            REGUSERINFO_SENTINEL
         };
         modify_arm_cp_regs(mpidr_cp_reginfo, mpidr_user_cp_reginfo);
 #endif
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
               .opc0 = 3, .opc1 = 6, .crn = 1, .crm = 0, .opc2 = 1,
               .access = PL3_RW, .type = ARM_CP_CONST,
               .resetvalue = 0 },
-            REGINFO_SENTINEL
         };
         define_arm_cp_regs(cpu, auxcr_reginfo);
         if (cpu_isar_feature(aa32_ac2, cpu)) {
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
                   .type = ARM_CP_CONST,
                   .opc0 = 3, .opc1 = 1, .crn = 15, .crm = 3, .opc2 = 0,
                   .access = PL1_R, .resetvalue = cpu->reset_cbar },
-                REGINFO_SENTINEL
             };
             /* We don't implement a r/w 64 bit CBAR currently */
             assert(arm_feature(env, ARM_FEATURE_CBAR_RO));
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
               .bank_fieldoffsets = { offsetof(CPUARMState, cp15.vbar_s),
                                      offsetof(CPUARMState, cp15.vbar_ns) },
               .resetvalue = 0 },
-            REGINFO_SENTINEL
         };
         define_arm_cp_regs(cpu, vbar_cp_reginfo);
     }
@@ -XXX,XX +XXX,XX @@ void define_one_arm_cp_reg_with_opaque(ARMCPU *cpu,
                    r->writefn);
         }
     }
-    /* Bad type field probably means missing sentinel at end of reg list */
-    assert(cptype_valid(r->type));
+
     for (crm = crmmin; crm <= crmmax; crm++) {
         for (opc1 = opc1min; opc1 <= opc1max; opc1++) {
             for (opc2 = opc2min; opc2 <= opc2max; opc2++) {
@@ -XXX,XX +XXX,XX @@ void define_one_arm_cp_reg_with_opaque(ARMCPU *cpu,
     }
 }
 
-void define_arm_cp_regs_with_opaque(ARMCPU *cpu,
-                                    const ARMCPRegInfo *regs, void *opaque)
+/* Define a whole list of registers */
+void define_arm_cp_regs_with_opaque_len(ARMCPU *cpu, const ARMCPRegInfo *regs,
+                                        void *opaque, size_t len)
 {
-    /* Define a whole list of registers */
-    const ARMCPRegInfo *r;
-    for (r = regs; r->type != ARM_CP_SENTINEL; r++) {
-        define_one_arm_cp_reg_with_opaque(cpu, r, opaque);
+    size_t i;
+    for (i = 0; i < len; ++i) {
+        define_one_arm_cp_reg_with_opaque(cpu, regs + i, opaque);
     }
 }
 
@@ -XXX,XX +XXX,XX @@ void define_arm_cp_regs_with_opaque(ARMCPU *cpu,
  * user-space cannot alter any values and dynamic values pertaining to
  * execution state are hidden from user space view anyway.
  */
-void modify_arm_cp_regs(ARMCPRegInfo *regs, const ARMCPRegUserSpaceInfo *mods)
+void modify_arm_cp_regs_with_len(ARMCPRegInfo *regs, size_t regs_len,
+                                 const ARMCPRegUserSpaceInfo *mods,
+                                 size_t mods_len)
 {
-    const ARMCPRegUserSpaceInfo *m;
-    ARMCPRegInfo *r;
-
-    for (m = mods; m->name; m++) {
+    for (size_t mi = 0; mi < mods_len; ++mi) {
+        const ARMCPRegUserSpaceInfo *m = mods + mi;
         GPatternSpec *pat = NULL;
+
         if (m->is_glob) {
             pat = g_pattern_spec_new(m->name);
         }
-        for (r = regs; r->type != ARM_CP_SENTINEL; r++) {
+        for (size_t ri = 0; ri < regs_len; ++ri) {
+            ARMCPRegInfo *r = regs + ri;
+
             if (pat && g_pattern_match_string(pat, r->name)) {
                 r->type = ARM_CP_CONST;
                 r->access = PL0U_R;
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

These particular data structures are not modified at runtime.

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
               .resetvalue = cpu->pmceid1 },
         };
 #ifdef CONFIG_USER_ONLY
-        ARMCPRegUserSpaceInfo v8_user_idregs[] = {
+        static const ARMCPRegUserSpaceInfo v8_user_idregs[] = {
             { .name = "ID_AA64PFR0_EL1",
               .exported_bits = 0x000f000f00ff0000,
               .fixed_bits    = 0x0000000000000011 },
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
      */
     if (arm_feature(env, ARM_FEATURE_EL3)) {
         if (arm_feature(env, ARM_FEATURE_AARCH64)) {
-            ARMCPRegInfo nsacr = {
+            static const ARMCPRegInfo nsacr = {
                 .name = "NSACR", .type = ARM_CP_CONST,
                 .cp = 15, .opc1 = 0, .crn = 1, .crm = 1, .opc2 = 2,
                 .access = PL1_RW, .accessfn = nsacr_access,
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
             };
             define_one_arm_cp_reg(cpu, &nsacr);
         } else {
-            ARMCPRegInfo nsacr = {
+            static const ARMCPRegInfo nsacr = {
                 .name = "NSACR",
                 .cp = 15, .opc1 = 0, .crn = 1, .crm = 1, .opc2 = 2,
                 .access = PL3_RW | PL1_R,
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
         }
     } else {
         if (arm_feature(env, ARM_FEATURE_V8)) {
-            ARMCPRegInfo nsacr = {
+            static const ARMCPRegInfo nsacr = {
                 .name = "NSACR", .type = ARM_CP_CONST,
                 .cp = 15, .opc1 = 0, .crn = 1, .crm = 1, .opc2 = 2,
                 .access = PL1_R,
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
               .access = PL1_R, .type = ARM_CP_CONST,
               .resetvalue = cpu->pmsav7_dregion << 8
         };
-        ARMCPRegInfo crn0_wi_reginfo = {
+        static const ARMCPRegInfo crn0_wi_reginfo = {
             .name = "CRN0_WI", .cp = 15, .crn = 0, .crm = CP_ANY,
             .opc1 = CP_ANY, .opc2 = CP_ANY, .access = PL1_W,
             .type = ARM_CP_NOP | ARM_CP_OVERRIDE
         };
 #ifdef CONFIG_USER_ONLY
-        ARMCPRegUserSpaceInfo id_v8_user_midr_cp_reginfo[] = {
+        static const ARMCPRegUserSpaceInfo id_v8_user_midr_cp_reginfo[] = {
             { .name = "MIDR_EL1",
               .exported_bits = 0x00000000ffffffff },
             { .name = "REVIDR_EL1"                },
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
               .access = PL1_R, .readfn = mpidr_read, .type = ARM_CP_NO_RAW },
         };
 #ifdef CONFIG_USER_ONLY
-        ARMCPRegUserSpaceInfo mpidr_user_cp_reginfo[] = {
+        static const ARMCPRegUserSpaceInfo mpidr_user_cp_reginfo[] = {
             { .name = "MPIDR_EL1",
               .fixed_bits = 0x0000000080000000 },
         };
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
     }
 
     if (arm_feature(env, ARM_FEATURE_VBAR)) {
-        ARMCPRegInfo vbar_cp_reginfo[] = {
+        static const ARMCPRegInfo vbar_cp_reginfo[] = {
             { .name = "VBAR", .state = ARM_CP_STATE_BOTH,
               .opc0 = 3, .crn = 12, .crm = 0, .opc1 = 0, .opc2 = 0,
               .access = PL1_RW, .writefn = vbar_write,
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Instead of defining ARM_CP_FLAG_MASK to remove flags,
define ARM_CP_SPECIAL_MASK to isolate special cases.
Sort the specials to the low bits. Use an enum.

Split the large comment block so as to document each
value separately.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20220501055028.646596-6-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpregs.h        | 130 +++++++++++++++++++++++--------------
 target/arm/cpu.c           |   4 +-
 target/arm/helper.c        |   4 +-
 target/arm/translate-a64.c |   6 +-
 target/arm/translate.c     |   6 +-
 5 files changed, 92 insertions(+), 58 deletions(-)

diff --git a/target/arm/cpregs.h b/target/arm/cpregs.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpregs.h
+++ b/target/arm/cpregs.h
@@ -XXX,XX +XXX,XX @@
 #define TARGET_ARM_CPREGS_H
 
 /*
- * ARMCPRegInfo type field bits. If the SPECIAL bit is set this is a
- * special-behaviour cp reg and bits [11..8] indicate what behaviour
- * it has. Otherwise it is a simple cp reg, where CONST indicates that
- * TCG can assume the value to be constant (ie load at translate time)
- * and 64BIT indicates a 64 bit wide coprocessor register. SUPPRESS_TB_END
- * indicates that the TB should not be ended after a write to this register
- * (the default is that the TB ends after cp writes). OVERRIDE permits
- * a register definition to override a previous definition for the
- * same (cp, is64, crn, crm, opc1, opc2) tuple: either the new or the
- * old must have the OVERRIDE bit set.
- * ALIAS indicates that this register is an alias view of some underlying
- * state which is also visible via another register, and that the other
- * register is handling migration and reset; registers marked ALIAS will not be
- * migrated but may have their state set by syncing of register state from KVM.
- * NO_RAW indicates that this register has no underlying state and does not
- * support raw access for state saving/loading; it will not be used for either
- * migration or KVM state synchronization. (Typically this is for "registers"
- * which are actually used as instructions for cache maintenance and so on.)
- * IO indicates that this register does I/O and therefore its accesses
- * need to be marked with gen_io_start() and also end the TB. In particular,
- * registers which implement clocks or timers require this.
- * RAISES_EXC is for when the read or write hook might raise an exception;
- * the generated code will synchronize the CPU state before calling the hook
- * so that it is safe for the hook to call raise_exception().
- * NEWEL is for writes to registers that might change the exception
- * level - typically on older ARM chips. For those cases we need to
- * re-read the new el when recomputing the translation flags.
+ * ARMCPRegInfo type field bits:
  */
-#define ARM_CP_SPECIAL           0x0001
-#define ARM_CP_CONST             0x0002
-#define ARM_CP_64BIT             0x0004
-#define ARM_CP_SUPPRESS_TB_END   0x0008
-#define ARM_CP_OVERRIDE          0x0010
-#define ARM_CP_ALIAS             0x0020
-#define ARM_CP_IO                0x0040
-#define ARM_CP_NO_RAW            0x0080
-#define ARM_CP_NOP               (ARM_CP_SPECIAL | 0x0100)
-#define ARM_CP_WFI               (ARM_CP_SPECIAL | 0x0200)
-#define ARM_CP_NZCV              (ARM_CP_SPECIAL | 0x0300)
-#define ARM_CP_CURRENTEL         (ARM_CP_SPECIAL | 0x0400)
-#define ARM_CP_DC_ZVA            (ARM_CP_SPECIAL | 0x0500)
-#define ARM_CP_DC_GVA            (ARM_CP_SPECIAL | 0x0600)
-#define ARM_CP_DC_GZVA           (ARM_CP_SPECIAL | 0x0700)
-#define ARM_LAST_SPECIAL         ARM_CP_DC_GZVA
-#define ARM_CP_FPU               0x1000
-#define ARM_CP_SVE               0x2000
-#define ARM_CP_NO_GDB            0x4000
-#define ARM_CP_RAISES_EXC        0x8000
-#define ARM_CP_NEWEL             0x10000
-/* Mask of only the flag bits in a type field */
-#define ARM_CP_FLAG_MASK         0x1f0ff
+enum {
+    /*
+     * Register must be handled specially during translation.
+     * The method is one of the values below:
+     */
+    ARM_CP_SPECIAL_MASK          = 0x000f,
+    /* Special: no change to PE state: writes ignored, reads ignored. */
+    ARM_CP_NOP                   = 0x0001,
+    /* Special: sysreg is WFI, for v5 and v6. */
+    ARM_CP_WFI                   = 0x0002,
+    /* Special: sysreg is NZCV. */
+    ARM_CP_NZCV                  = 0x0003,
+    /* Special: sysreg is CURRENTEL. */
+    ARM_CP_CURRENTEL             = 0x0004,
+    /* Special: sysreg is DC ZVA or similar. */
+    ARM_CP_DC_ZVA                = 0x0005,
+    ARM_CP_DC_GVA                = 0x0006,
+    ARM_CP_DC_GZVA               = 0x0007,
+
+    /* Flag: reads produce resetvalue; writes ignored. */
+    ARM_CP_CONST                 = 1 << 4,
+    /* Flag: For ARM_CP_STATE_AA32, sysreg is 64-bit. */
+    ARM_CP_64BIT                 = 1 << 5,
+    /*
+     * Flag: TB should not be ended after a write to this register
+     * (the default is that the TB ends after cp writes).
+     */
+    ARM_CP_SUPPRESS_TB_END       = 1 << 6,
+    /*
+     * Flag: Permit a register definition to override a previous definition
+     * for the same (cp, is64, crn, crm, opc1, opc2) tuple: either the new
+     * or the old must have the ARM_CP_OVERRIDE bit set.
+     */
+    ARM_CP_OVERRIDE              = 1 << 7,
+    /*
+     * Flag: Register is an alias view of some underlying state which is also
+     * visible via another register, and that the other register is handling
+     * migration and reset; registers marked ARM_CP_ALIAS will not be migrated
+     * but may have their state set by syncing of register state from KVM.
+     */
+    ARM_CP_ALIAS                 = 1 << 8,
+    /*
+     * Flag: Register does I/O and therefore its accesses need to be marked
+     * with gen_io_start() and also end the TB. In particular, registers which
+     * implement clocks or timers require this.
+     */
+    ARM_CP_IO                    = 1 << 9,
+    /*
+     * Flag: Register has no underlying state and does not support raw access
+     * for state saving/loading; it will not be used for either migration or
+     * KVM state synchronization. Typically this is for "registers" which are
+     * actually used as instructions for cache maintenance and so on.
+     */
+    ARM_CP_NO_RAW                = 1 << 10,
+    /*
+     * Flag: The read or write hook might raise an exception; the generated
+     * code will synchronize the CPU state before calling the hook so that it
+     * is safe for the hook to call raise_exception().
+     */
+    ARM_CP_RAISES_EXC            = 1 << 11,
+    /*
+     * Flag: Writes to the sysreg might change the exception level - typically
+     * on older ARM chips. For those cases we need to re-read the new el when
+     * recomputing the translation flags.
+     */
+    ARM_CP_NEWEL                 = 1 << 12,
+    /*
+     * Flag: Access check for this sysreg is identical to accessing FPU state
+     * from an instruction: use translation fp_access_check().
+     */
+    ARM_CP_FPU                   = 1 << 13,
+    /*
+     * Flag: Access check for this sysreg is identical to accessing SVE state
+     * from an instruction: use translation sve_access_check().
+     */
+    ARM_CP_SVE                   = 1 << 14,
+    /* Flag: Do not expose in gdb sysreg xml. */
+    ARM_CP_NO_GDB                = 1 << 15,
+};
 
 /*
  * Valid values for ARMCPRegInfo state field, indicating which of
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void cp_reg_reset(gpointer key, gpointer value, gpointer opaque)
     ARMCPRegInfo *ri = value;
     ARMCPU *cpu = opaque;
 
-    if (ri->type & (ARM_CP_SPECIAL | ARM_CP_ALIAS)) {
+    if (ri->type & (ARM_CP_SPECIAL_MASK | ARM_CP_ALIAS)) {
         return;
     }
 
@@ -XXX,XX +XXX,XX @@ static void cp_reg_check_reset(gpointer key, gpointer value,  gpointer opaque)
     ARMCPU *cpu = opaque;
     uint64_t oldvalue, newvalue;
 
-    if (ri->type & (ARM_CP_SPECIAL | ARM_CP_ALIAS | ARM_CP_NO_RAW)) {
+    if (ri->type & (ARM_CP_SPECIAL_MASK | ARM_CP_ALIAS | ARM_CP_NO_RAW)) {
         return;
     }
 
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
      * multiple times. Special registers (ie NOP/WFI) are
      * never migratable and not even raw-accessible.
      */
-    if ((r->type & ARM_CP_SPECIAL)) {
+    if (r->type & ARM_CP_SPECIAL_MASK) {
         r2->type |= ARM_CP_NO_RAW;
     }
     if (((r->crm == CP_ANY) && crm != 0) ||
@@ -XXX,XX +XXX,XX @@ void define_one_arm_cp_reg_with_opaque(ARMCPU *cpu,
     /* Check that the register definition has enough info to handle
      * reads and writes if they are permitted.
      */
-    if (!(r->type & (ARM_CP_SPECIAL|ARM_CP_CONST))) {
+    if (!(r->type & (ARM_CP_SPECIAL_MASK | ARM_CP_CONST))) {
         if (r->access & PL3_R) {
             assert((r->fieldoffset ||
                    (r->bank_fieldoffsets[0] && r->bank_fieldoffsets[1])) ||
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void handle_sys(DisasContext *s, uint32_t insn, bool isread,
     }
 
     /* Handle special cases first */
-    switch (ri->type & ~(ARM_CP_FLAG_MASK & ~ARM_CP_SPECIAL)) {
+    switch (ri->type & ARM_CP_SPECIAL_MASK) {
+    case 0:
+        break;
     case ARM_CP_NOP:
         return;
     case ARM_CP_NZCV:
@@ -XXX,XX +XXX,XX @@ static void handle_sys(DisasContext *s, uint32_t insn, bool isread,
         }
         return;
     default:
-        break;
+        g_assert_not_reached();
     }
     if ((ri->type & ARM_CP_FPU) && !fp_access_check(s)) {
         return;
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void do_coproc_insn(DisasContext *s, int cpnum, int is64,
         }
 
         /* Handle special cases first */
-        switch (ri->type & ~(ARM_CP_FLAG_MASK & ~ARM_CP_SPECIAL)) {
+        switch (ri->type & ARM_CP_SPECIAL_MASK) {
+        case 0:
+            break;
         case ARM_CP_NOP:
             return;
         case ARM_CP_WFI:
@@ -XXX,XX +XXX,XX @@ static void do_coproc_insn(DisasContext *s, int cpnum, int is64,
             s->base.is_jmp = DISAS_WFI;
             return;
         default:
-            break;
+            g_assert_not_reached();
         }
 
         if ((tb_cflags(s->base.tb) & CF_USE_ICOUNT) && (ri->type & ARM_CP_IO)) {
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Standardize on g_assert_not_reached() for "should not happen".
Retain abort() when preceeded by fprintf or error_report.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20220501055028.646596-7-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c         | 7 +++----
 target/arm/hvf/hvf.c        | 2 +-
 target/arm/kvm-stub.c       | 4 ++--
 target/arm/kvm.c            | 4 ++--
 target/arm/machine.c        | 4 ++--
 target/arm/translate-a64.c  | 4 ++--
 target/arm/translate-neon.c | 2 +-
 target/arm/translate.c      | 4 ++--
 8 files changed, 15 insertions(+), 16 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ void define_one_arm_cp_reg_with_opaque(ARMCPU *cpu,
             break;
         default:
             /* broken reginfo with out-of-range opc1 */
-            assert(false);
-            break;
+            g_assert_not_reached();
         }
         /* assert our permissions are not too lax (stricter is fine) */
         assert((r->access & ~mask) == 0);
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v5(CPUARMState *env, uint32_t address,
             break;
         default:
             /* Never happens, but compiler isn't smart enough to tell.  */
-            abort();
+            g_assert_not_reached();
         }
     }
     *prot = ap_to_rw_prot(env, mmu_idx, ap, domain_prot);
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v6(CPUARMState *env, uint32_t address,
             break;
         default:
             /* Never happens, but compiler isn't smart enough to tell.  */
-            abort();
+            g_assert_not_reached();
         }
     }
     if (domain_prot == 3) {
diff --git a/target/arm/hvf/hvf.c b/target/arm/hvf/hvf.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/hvf/hvf.c
+++ b/target/arm/hvf/hvf.c
@@ -XXX,XX +XXX,XX @@ int hvf_vcpu_exec(CPUState *cpu)
         /* we got kicked, no exit to process */
         return 0;
     default:
-        assert(0);
+        g_assert_not_reached();
     }
 
     hvf_sync_vtimer(cpu);
diff --git a/target/arm/kvm-stub.c b/target/arm/kvm-stub.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm-stub.c
+++ b/target/arm/kvm-stub.c
@@ -XXX,XX +XXX,XX @@
 
 bool write_kvmstate_to_list(ARMCPU *cpu)
 {
-    abort();
+    g_assert_not_reached();
 }
 
 bool write_list_to_kvmstate(ARMCPU *cpu, int level)
 {
-    abort();
+    g_assert_not_reached();
 }
diff --git a/target/arm/kvm.c b/target/arm/kvm.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm.c
+++ b/target/arm/kvm.c
@@ -XXX,XX +XXX,XX @@ bool write_kvmstate_to_list(ARMCPU *cpu)
             ret = kvm_vcpu_ioctl(cs, KVM_GET_ONE_REG, &r);
             break;
         default:
-            abort();
+            g_assert_not_reached();
         }
         if (ret) {
             ok = false;
@@ -XXX,XX +XXX,XX @@ bool write_list_to_kvmstate(ARMCPU *cpu, int level)
             r.addr = (uintptr_t)(cpu->cpreg_values + i);
             break;
         default:
-            abort();
+            g_assert_not_reached();
         }
         ret = kvm_vcpu_ioctl(cs, KVM_SET_ONE_REG, &r);
         if (ret) {
diff --git a/target/arm/machine.c b/target/arm/machine.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/machine.c
+++ b/target/arm/machine.c
@@ -XXX,XX +XXX,XX @@ static int cpu_pre_save(void *opaque)
     if (kvm_enabled()) {
         if (!write_kvmstate_to_list(cpu)) {
             /* This should never fail */
-            abort();
+            g_assert_not_reached();
         }
 
         /*
@@ -XXX,XX +XXX,XX @@ static int cpu_pre_save(void *opaque)
     } else {
         if (!write_cpustate_to_list(cpu, false)) {
             /* This should never fail. */
-            abort();
+            g_assert_not_reached();
         }
     }
 
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void handle_fp_1src_half(DisasContext *s, int opcode, int rd, int rn)
         gen_helper_advsimd_rinth(tcg_res, tcg_op, fpst);
         break;
     default:
-        abort();
+        g_assert_not_reached();
     }
 
     write_fp_sreg(s, rd, tcg_res);
@@ -XXX,XX +XXX,XX @@ static void handle_fp_fcvt(DisasContext *s, int opcode,
         break;
     }
     default:
-        abort();
+        g_assert_not_reached();
     }
 }
 
diff --git a/target/arm/translate-neon.c b/target/arm/translate-neon.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-neon.c
+++ b/target/arm/translate-neon.c
@@ -XXX,XX +XXX,XX @@ static bool trans_VLDST_single(DisasContext *s, arg_VLDST_single *a)
         }
         break;
     default:
-        abort();
+        g_assert_not_reached();
     }
     if ((vd + a->stride * (nregs - 1)) > 31) {
         /*
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_srs(DisasContext *s,
         offset = 4;
         break;
     default:
-        abort();
+        g_assert_not_reached();
     }
     tcg_gen_addi_i32(addr, addr, offset);
     tmp = load_reg(s, 14);
@@ -XXX,XX +XXX,XX @@ static void gen_srs(DisasContext *s,
             offset = 0;
             break;
         default:
-            abort();
+            g_assert_not_reached();
         }
         tcg_gen_addi_i32(addr, addr, offset);
         gen_helper_set_r13_banked(cpu_env, tcg_constant_i32(mode), addr);
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Create a typedef as well, and use it in ARMCPRegInfo.
This won't be perfect for debugging, but it'll nicely
display the most common cases.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220501055028.646596-8-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpregs.h | 44 +++++++++++++++++++++++---------------------
 target/arm/helper.c |  2 +-
 2 files changed, 24 insertions(+), 22 deletions(-)

diff --git a/target/arm/cpregs.h b/target/arm/cpregs.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpregs.h
+++ b/target/arm/cpregs.h
@@ -XXX,XX +XXX,XX @@ enum {
  * described with these bits, then use a laxer set of restrictions, and
  * do the more restrictive/complex check inside a helper function.
  */
-#define PL3_R 0x80
-#define PL3_W 0x40
-#define PL2_R (0x20 | PL3_R)
-#define PL2_W (0x10 | PL3_W)
-#define PL1_R (0x08 | PL2_R)
-#define PL1_W (0x04 | PL2_W)
-#define PL0_R (0x02 | PL1_R)
-#define PL0_W (0x01 | PL1_W)
+typedef enum {
+    PL3_R = 0x80,
+    PL3_W = 0x40,
+    PL2_R = 0x20 | PL3_R,
+    PL2_W = 0x10 | PL3_W,
+    PL1_R = 0x08 | PL2_R,
+    PL1_W = 0x04 | PL2_W,
+    PL0_R = 0x02 | PL1_R,
+    PL0_W = 0x01 | PL1_W,
 
-/*
- * For user-mode some registers are accessible to EL0 via a kernel
- * trap-and-emulate ABI. In this case we define the read permissions
- * as actually being PL0_R. However some bits of any given register
- * may still be masked.
- */
+    /*
+     * For user-mode some registers are accessible to EL0 via a kernel
+     * trap-and-emulate ABI. In this case we define the read permissions
+     * as actually being PL0_R. However some bits of any given register
+     * may still be masked.
+     */
 #ifdef CONFIG_USER_ONLY
-#define PL0U_R PL0_R
+    PL0U_R = PL0_R,
 #else
-#define PL0U_R PL1_R
+    PL0U_R = PL1_R,
 #endif
 
-#define PL3_RW (PL3_R | PL3_W)
-#define PL2_RW (PL2_R | PL2_W)
-#define PL1_RW (PL1_R | PL1_W)
-#define PL0_RW (PL0_R | PL0_W)
+    PL3_RW = PL3_R | PL3_W,
+    PL2_RW = PL2_R | PL2_W,
+    PL1_RW = PL1_R | PL1_W,
+    PL0_RW = PL0_R | PL0_W,
+} CPAccessRights;
 
 typedef enum CPAccessResult {
     /* Access is permitted */
@@ -XXX,XX +XXX,XX @@ struct ARMCPRegInfo {
     /* Register type: ARM_CP_* bits/values */
     int type;
     /* Access rights: PL*_[RW] */
-    int access;
+    CPAccessRights access;
     /* Security state: ARM_CP_SECSTATE_* bits/values */
     int secure;
     /*
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ void define_one_arm_cp_reg_with_opaque(ARMCPU *cpu,
      * to encompass the generic architectural permission check.
      */
     if (r->state != ARM_CP_STATE_AA32) {
-        int mask = 0;
+        CPAccessRights mask;
         switch (r->opc1) {
         case 0:
             /* min_EL EL1, but some accessible to EL0 via kernel ABI */
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Give this enum a name and use in ARMCPRegInfo,
add_cpreg_to_hashtable and define_one_arm_cp_reg_with_opaque.

diff --git a/target/arm/cpregs.h b/target/arm/cpregs.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpregs.h
+++ b/target/arm/cpregs.h
@@ -XXX,XX +XXX,XX @@ enum {
  * Note that we rely on the values of these enums as we iterate through
  * the various states in some places.
  */
-enum {
+typedef enum {
     ARM_CP_STATE_AA32 = 0,
     ARM_CP_STATE_AA64 = 1,
     ARM_CP_STATE_BOTH = 2,
-};
+} CPState;
 
 /*
  * ARM CP register secure state flags.  These flags identify security state
@@ -XXX,XX +XXX,XX @@ struct ARMCPRegInfo {
     uint8_t opc1;
     uint8_t opc2;
     /* Execution state in which this register is visible: ARM_CP_STATE_* */
-    int state;
+    CPState state;
     /* Register type: ARM_CP_* bits/values */
     int type;
     /* Access rights: PL*_[RW] */
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ CpuDefinitionInfoList *qmp_query_cpu_definitions(Error **errp)
 }
 
 static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
-                                   void *opaque, int state, int secstate,
+                                   void *opaque, CPState state, int secstate,
                                    int crm, int opc1, int opc2,
                                    const char *name)
 {
@@ -XXX,XX +XXX,XX @@ void define_one_arm_cp_reg_with_opaque(ARMCPU *cpu,
      * bits; the ARM_CP_64BIT* flag applies only to the AArch32 view of
      * the register, if any.
      */
-    int crm, opc1, opc2, state;
+    int crm, opc1, opc2;
     int crmmin = (r->crm == CP_ANY) ? 0 : r->crm;
     int crmmax = (r->crm == CP_ANY) ? 15 : r->crm;
     int opc1min = (r->opc1 == CP_ANY) ? 0 : r->opc1;
     int opc1max = (r->opc1 == CP_ANY) ? 7 : r->opc1;
     int opc2min = (r->opc2 == CP_ANY) ? 0 : r->opc2;
     int opc2max = (r->opc2 == CP_ANY) ? 7 : r->opc2;
+    CPState state;
+
     /* 64 bit registers have only CRm and Opc1 fields */
     assert(!((r->type & ARM_CP_64BIT) && (r->opc2 || r->crn)));
     /* op0 only exists in the AArch64 encodings */
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Give this enum a name and use in ARMCPRegInfo and add_cpreg_to_hashtable.
Add the enumerator ARM_CP_SECSTATE_BOTH to clarify how 0
is handled in define_one_arm_cp_reg_with_opaque.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220501055028.646596-10-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpregs.h | 7 ++++---
 target/arm/helper.c | 7 +++++--
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/target/arm/cpregs.h b/target/arm/cpregs.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpregs.h
+++ b/target/arm/cpregs.h
@@ -XXX,XX +XXX,XX @@ typedef enum {
  * registered entry will only have one to identify whether the entry is secure
  * or non-secure.
  */
-enum {
+typedef enum {
+    ARM_CP_SECSTATE_BOTH = 0,       /* define one cpreg for each secstate */
     ARM_CP_SECSTATE_S =   (1 << 0), /* bit[0]: Secure state register */
     ARM_CP_SECSTATE_NS =  (1 << 1), /* bit[1]: Non-secure state register */
-};
+} CPSecureState;
 
 /*
  * Access rights:
@@ -XXX,XX +XXX,XX @@ struct ARMCPRegInfo {
     /* Access rights: PL*_[RW] */
     CPAccessRights access;
     /* Security state: ARM_CP_SECSTATE_* bits/values */
-    int secure;
+    CPSecureState secure;
     /*
      * The opaque pointer passed to define_arm_cp_regs_with_opaque() when
      * this register was defined: can be used to hand data through to the
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ CpuDefinitionInfoList *qmp_query_cpu_definitions(Error **errp)
 }
 
 static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
-                                   void *opaque, CPState state, int secstate,
+                                   void *opaque, CPState state,
+                                   CPSecureState secstate,
                                    int crm, int opc1, int opc2,
                                    const char *name)
 {
@@ -XXX,XX +XXX,XX @@ void define_one_arm_cp_reg_with_opaque(ARMCPU *cpu,
                                                    r->secure, crm, opc1, opc2,
                                                    r->name);
                             break;
-                        default:
+                        case ARM_CP_SECSTATE_BOTH:
                             name = g_strdup_printf("%s_S", r->name);
                             add_cpreg_to_hashtable(cpu, r, opaque, state,
                                                    ARM_CP_SECSTATE_S,
@@ -XXX,XX +XXX,XX @@ void define_one_arm_cp_reg_with_opaque(ARMCPU *cpu,
                                                    ARM_CP_SECSTATE_NS,
                                                    crm, opc1, opc2, r->name);
                             break;
+                        default:
+                            g_assert_not_reached();
                         }
                     } else {
                         /* AArch64 registers get mapped to non-secure instance
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

The new_key field is always non-zero -- drop the if.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20220501055028.646596-11-richard.henderson@linaro.org
[PMM: reinstated dropped PL3_RW mask]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 23 +++++++++++------------
 1 file changed, 11 insertions(+), 12 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void define_arm_vh_e2h_redirects_aliases(ARMCPU *cpu)
 
     for (i = 0; i < ARRAY_SIZE(aliases); i++) {
         const struct E2HAlias *a = &aliases[i];
-        ARMCPRegInfo *src_reg, *dst_reg;
+        ARMCPRegInfo *src_reg, *dst_reg, *new_reg;
+        uint32_t *new_key;
+        bool ok;
 
         if (a->feature && !a->feature(&cpu->isar)) {
             continue;
@@ -XXX,XX +XXX,XX @@ static void define_arm_vh_e2h_redirects_aliases(ARMCPU *cpu)
         g_assert(src_reg->opaque == NULL);
 
         /* Create alias before redirection so we dup the right data. */
-        if (a->new_key) {
-            ARMCPRegInfo *new_reg = g_memdup(src_reg, sizeof(ARMCPRegInfo));
-            uint32_t *new_key = g_memdup(&a->new_key, sizeof(uint32_t));
-            bool ok;
+        new_reg = g_memdup(src_reg, sizeof(ARMCPRegInfo));
+        new_key = g_memdup(&a->new_key, sizeof(uint32_t));
 
-            new_reg->name = a->new_name;
-            new_reg->type |= ARM_CP_ALIAS;
-            /* Remove PL1/PL0 access, leaving PL2/PL3 R/W in place.  */
-            new_reg->access &= PL2_RW | PL3_RW;
+        new_reg->name = a->new_name;
+        new_reg->type |= ARM_CP_ALIAS;
+        /* Remove PL1/PL0 access, leaving PL2/PL3 R/W in place.  */
+        new_reg->access &= PL2_RW | PL3_RW;
 
-            ok = g_hash_table_insert(cpu->cp_regs, new_key, new_reg);
-            g_assert(ok);
-        }
+        ok = g_hash_table_insert(cpu->cp_regs, new_key, new_reg);
+        g_assert(ok);
 
         src_reg->opaque = dst_reg;
         src_reg->orig_readfn = src_reg->readfn ?: raw_read;
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Cast the uint32_t key into a gpointer directly, which
allows us to avoid allocating storage for each key.

Use g_hash_table_lookup when we already have a gpointer
(e.g. for callbacks like count_cpreg), or when using
get_arm_cp_reginfo would require casting away const.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20220501055028.646596-12-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.c     |  4 ++--
 target/arm/gdbstub.c |  2 +-
 target/arm/helper.c  | 41 ++++++++++++++++++-----------------------
 3 files changed, 21 insertions(+), 26 deletions(-)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_initfn(Object *obj)
     ARMCPU *cpu = ARM_CPU(obj);
 
     cpu_set_cpustate_pointers(cpu);
-    cpu->cp_regs = g_hash_table_new_full(g_int_hash, g_int_equal,
-                                         g_free, cpreg_hashtable_data_destroy);
+    cpu->cp_regs = g_hash_table_new_full(g_direct_hash, g_direct_equal,
+                                         NULL, cpreg_hashtable_data_destroy);
 
     QLIST_INIT(&cpu->pre_el_change_hooks);
     QLIST_INIT(&cpu->el_change_hooks);
diff --git a/target/arm/gdbstub.c b/target/arm/gdbstub.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/gdbstub.c
+++ b/target/arm/gdbstub.c
@@ -XXX,XX +XXX,XX @@ static void arm_gen_one_xml_sysreg_tag(GString *s, DynamicGDBXMLInfo *dyn_xml,
 static void arm_register_sysreg_for_xml(gpointer key, gpointer value,
                                         gpointer p)
 {
-    uint32_t ri_key = *(uint32_t *)key;
+    uint32_t ri_key = (uintptr_t)key;
     ARMCPRegInfo *ri = value;
     RegisterSysregXmlParam *param = (RegisterSysregXmlParam *)p;
     GString *s = param->s;
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ bool write_list_to_cpustate(ARMCPU *cpu)
 static void add_cpreg_to_list(gpointer key, gpointer opaque)
 {
     ARMCPU *cpu = opaque;
-    uint64_t regidx;
-    const ARMCPRegInfo *ri;
-
-    regidx = *(uint32_t *)key;
-    ri = get_arm_cp_reginfo(cpu->cp_regs, regidx);
+    uint32_t regidx = (uintptr_t)key;
+    const ARMCPRegInfo *ri = get_arm_cp_reginfo(cpu->cp_regs, regidx);
 
     if (!(ri->type & (ARM_CP_NO_RAW|ARM_CP_ALIAS))) {
         cpu->cpreg_indexes[cpu->cpreg_array_len] = cpreg_to_kvm_id(regidx);
@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_list(gpointer key, gpointer opaque)
 static void count_cpreg(gpointer key, gpointer opaque)
 {
     ARMCPU *cpu = opaque;
-    uint64_t regidx;
     const ARMCPRegInfo *ri;
 
-    regidx = *(uint32_t *)key;
-    ri = get_arm_cp_reginfo(cpu->cp_regs, regidx);
+    ri = g_hash_table_lookup(cpu->cp_regs, key);
 
     if (!(ri->type & (ARM_CP_NO_RAW|ARM_CP_ALIAS))) {
         cpu->cpreg_array_len++;
@@ -XXX,XX +XXX,XX @@ static void count_cpreg(gpointer key, gpointer opaque)
 
 static gint cpreg_key_compare(gconstpointer a, gconstpointer b)
 {
-    uint64_t aidx = cpreg_to_kvm_id(*(uint32_t *)a);
-    uint64_t bidx = cpreg_to_kvm_id(*(uint32_t *)b);
+    uint64_t aidx = cpreg_to_kvm_id((uintptr_t)a);
+    uint64_t bidx = cpreg_to_kvm_id((uintptr_t)b);
 
     if (aidx > bidx) {
         return 1;
@@ -XXX,XX +XXX,XX @@ static void define_arm_vh_e2h_redirects_aliases(ARMCPU *cpu)
     for (i = 0; i < ARRAY_SIZE(aliases); i++) {
         const struct E2HAlias *a = &aliases[i];
         ARMCPRegInfo *src_reg, *dst_reg, *new_reg;
-        uint32_t *new_key;
         bool ok;
 
         if (a->feature && !a->feature(&cpu->isar)) {
             continue;
         }
 
-        src_reg = g_hash_table_lookup(cpu->cp_regs, &a->src_key);
-        dst_reg = g_hash_table_lookup(cpu->cp_regs, &a->dst_key);
+        src_reg = g_hash_table_lookup(cpu->cp_regs,
+                                      (gpointer)(uintptr_t)a->src_key);
+        dst_reg = g_hash_table_lookup(cpu->cp_regs,
+                                      (gpointer)(uintptr_t)a->dst_key);
         g_assert(src_reg != NULL);
         g_assert(dst_reg != NULL);
 
@@ -XXX,XX +XXX,XX @@ static void define_arm_vh_e2h_redirects_aliases(ARMCPU *cpu)
 
         /* Create alias before redirection so we dup the right data. */
         new_reg = g_memdup(src_reg, sizeof(ARMCPRegInfo));
-        new_key = g_memdup(&a->new_key, sizeof(uint32_t));
 
         new_reg->name = a->new_name;
         new_reg->type |= ARM_CP_ALIAS;
         /* Remove PL1/PL0 access, leaving PL2/PL3 R/W in place.  */
         new_reg->access &= PL2_RW | PL3_RW;
 
-        ok = g_hash_table_insert(cpu->cp_regs, new_key, new_reg);
+        ok = g_hash_table_insert(cpu->cp_regs,
+                                 (gpointer)(uintptr_t)a->new_key, new_reg);
         g_assert(ok);
 
         src_reg->opaque = dst_reg;
@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
     /* Private utility function for define_one_arm_cp_reg_with_opaque():
      * add a single reginfo struct to the hash table.
      */
-    uint32_t *key = g_new(uint32_t, 1);
+    uint32_t key;
     ARMCPRegInfo *r2 = g_memdup(r, sizeof(ARMCPRegInfo));
     int is64 = (r->type & ARM_CP_64BIT) ? 1 : 0;
     int ns = (secstate & ARM_CP_SECSTATE_NS) ? 1 : 0;
@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
         if (r->cp == 0 || r->state == ARM_CP_STATE_BOTH) {
             r2->cp = CP_REG_ARM64_SYSREG_CP;
         }
-        *key = ENCODE_AA64_CP_REG(r2->cp, r2->crn, crm,
-                                  r2->opc0, opc1, opc2);
+        key = ENCODE_AA64_CP_REG(r2->cp, r2->crn, crm,
+                                 r2->opc0, opc1, opc2);
     } else {
-        *key = ENCODE_CP_REG(r2->cp, is64, ns, r2->crn, crm, opc1, opc2);
+        key = ENCODE_CP_REG(r2->cp, is64, ns, r2->crn, crm, opc1, opc2);
     }
     if (opaque) {
         r2->opaque = opaque;
@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
      * requested.
      */
     if (!(r->type & ARM_CP_OVERRIDE)) {
-        ARMCPRegInfo *oldreg;
-        oldreg = g_hash_table_lookup(cpu->cp_regs, key);
+        const ARMCPRegInfo *oldreg = get_arm_cp_reginfo(cpu->cp_regs, key);
         if (oldreg && !(oldreg->type & ARM_CP_OVERRIDE)) {
             fprintf(stderr, "Register redefined: cp=%d %d bit "
                     "crn=%d crm=%d opc1=%d opc2=%d, "
@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
             g_assert_not_reached();
         }
     }
-    g_hash_table_insert(cpu->cp_regs, key, r2);
+    g_hash_table_insert(cpu->cp_regs, (gpointer)(uintptr_t)key, r2);
 }
 
 
@@ -XXX,XX +XXX,XX @@ void modify_arm_cp_regs_with_len(ARMCPRegInfo *regs, size_t regs_len,
 
 const ARMCPRegInfo *get_arm_cp_reginfo(GHashTable *cpregs, uint32_t encoded_cp)
 {
-    return g_hash_table_lookup(cpregs, &encoded_cp);
+    return g_hash_table_lookup(cpregs, (gpointer)(uintptr_t)encoded_cp);
 }
 
 void arm_cp_write_ignore(CPUARMState *env, const ARMCPRegInfo *ri,
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Simplify freeing cp_regs hash table entries by using a single
allocation for the entire value.

This fixes a theoretical bug if we were to ever free the entire
hash table, because we've been installing string literal constants
into the cpreg structure in define_arm_vh_e2h_redirects_aliases.
However, at present we only free entries created for AArch32
wildcard cpregs which get overwritten by more specific cpregs,
so this bug is never exposed.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20220501055028.646596-13-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.c    | 16 +---------------
 target/arm/helper.c | 10 ++++++++--
 2 files changed, 9 insertions(+), 17 deletions(-)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ uint64_t arm_cpu_mp_affinity(int idx, uint8_t clustersz)
     return (Aff1 << ARM_AFF1_SHIFT) | Aff0;
 }
 
-static void cpreg_hashtable_data_destroy(gpointer data)
-{
-    /*
-     * Destroy function for cpu->cp_regs hashtable data entries.
-     * We must free the name string because it was g_strdup()ed in
-     * add_cpreg_to_hashtable(). It's OK to cast away the 'const'
-     * from r->name because we know we definitely allocated it.
-     */
-    ARMCPRegInfo *r = data;
-
-    g_free((void *)r->name);
-    g_free(r);
-}
-
 static void arm_cpu_initfn(Object *obj)
 {
     ARMCPU *cpu = ARM_CPU(obj);
 
     cpu_set_cpustate_pointers(cpu);
     cpu->cp_regs = g_hash_table_new_full(g_direct_hash, g_direct_equal,
-                                         NULL, cpreg_hashtable_data_destroy);
+                                         NULL, g_free);
 
     QLIST_INIT(&cpu->pre_el_change_hooks);
     QLIST_INIT(&cpu->el_change_hooks);
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
      * add a single reginfo struct to the hash table.
      */
     uint32_t key;
-    ARMCPRegInfo *r2 = g_memdup(r, sizeof(ARMCPRegInfo));
+    ARMCPRegInfo *r2;
     int is64 = (r->type & ARM_CP_64BIT) ? 1 : 0;
     int ns = (secstate & ARM_CP_SECSTATE_NS) ? 1 : 0;
+    size_t name_len;
+
+    /* Combine cpreg and name into one allocation. */
+    name_len = strlen(name) + 1;
+    r2 = g_malloc(sizeof(*r2) + name_len);
+    *r2 = *r;
+    r2->name = memcpy(r2 + 1, name, name_len);
 
-    r2->name = g_strdup(name);
     /* Reset the secure state to the specific incoming state.  This is
      * necessary as the register may have been defined with both states.
      */
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Move the computation of key to the top of the function.
Hoist the resolution of cp as well, as an input to the
computation of key.

This will be required by a subsequent patch.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20220501055028.646596-14-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 49 +++++++++++++++++++++++++--------------------
 1 file changed, 27 insertions(+), 22 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
     ARMCPRegInfo *r2;
     int is64 = (r->type & ARM_CP_64BIT) ? 1 : 0;
     int ns = (secstate & ARM_CP_SECSTATE_NS) ? 1 : 0;
+    int cp = r->cp;
     size_t name_len;
 
+    switch (state) {
+    case ARM_CP_STATE_AA32:
+        /* We assume it is a cp15 register if the .cp field is left unset. */
+        if (cp == 0 && r->state == ARM_CP_STATE_BOTH) {
+            cp = 15;
+        }
+        key = ENCODE_CP_REG(cp, is64, ns, r->crn, crm, opc1, opc2);
+        break;
+    case ARM_CP_STATE_AA64:
+        /*
+         * To allow abbreviation of ARMCPRegInfo definitions, we treat
+         * cp == 0 as equivalent to the value for "standard guest-visible
+         * sysreg".  STATE_BOTH definitions are also always "standard sysreg"
+         * in their AArch64 view (the .cp value may be non-zero for the
+         * benefit of the AArch32 view).
+         */
+        if (cp == 0 || r->state == ARM_CP_STATE_BOTH) {
+            cp = CP_REG_ARM64_SYSREG_CP;
+        }
+        key = ENCODE_AA64_CP_REG(cp, r->crn, crm, r->opc0, opc1, opc2);
+        break;
+    default:
+        g_assert_not_reached();
+    }
+
     /* Combine cpreg and name into one allocation. */
     name_len = strlen(name) + 1;
     r2 = g_malloc(sizeof(*r2) + name_len);
@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
         }
 
         if (r->state == ARM_CP_STATE_BOTH) {
-            /* We assume it is a cp15 register if the .cp field is left unset.
-             */
-            if (r2->cp == 0) {
-                r2->cp = 15;
-            }
-
 #if HOST_BIG_ENDIAN
             if (r2->fieldoffset) {
                 r2->fieldoffset += sizeof(uint32_t);
@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
 #endif
         }
     }
-    if (state == ARM_CP_STATE_AA64) {
-        /* To allow abbreviation of ARMCPRegInfo
-         * definitions, we treat cp == 0 as equivalent to
-         * the value for "standard guest-visible sysreg".
-         * STATE_BOTH definitions are also always "standard
-         * sysreg" in their AArch64 view (the .cp value may
-         * be non-zero for the benefit of the AArch32 view).
-         */
-        if (r->cp == 0 || r->state == ARM_CP_STATE_BOTH) {
-            r2->cp = CP_REG_ARM64_SYSREG_CP;
-        }
-        key = ENCODE_AA64_CP_REG(r2->cp, r2->crn, crm,
-                                 r2->opc0, opc1, opc2);
-    } else {
-        key = ENCODE_CP_REG(r2->cp, is64, ns, r2->crn, crm, opc1, opc2);
-    }
     if (opaque) {
         r2->opaque = opaque;
     }
@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
     /* Make sure reginfo passed to helpers for wildcarded regs
      * has the correct crm/opc1/opc2 for this reg, not CP_ANY:
      */
+    r2->cp = cp;
     r2->crm = crm;
     r2->opc1 = opc1;
     r2->opc2 = opc2;
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Put most of the value writeback to the same place,
and improve the comment that goes with them.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20220501055028.646596-15-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 28 ++++++++++++----------------
 1 file changed, 12 insertions(+), 16 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
     *r2 = *r;
     r2->name = memcpy(r2 + 1, name, name_len);
 
-    /* Reset the secure state to the specific incoming state.  This is
-     * necessary as the register may have been defined with both states.
+    /*
+     * Update fields to match the instantiation, overwiting wildcards
+     * such as CP_ANY, ARM_CP_STATE_BOTH, or ARM_CP_SECSTATE_BOTH.
      */
+    r2->cp = cp;
+    r2->crm = crm;
+    r2->opc1 = opc1;
+    r2->opc2 = opc2;
+    r2->state = state;
     r2->secure = secstate;
+    if (opaque) {
+        r2->opaque = opaque;
+    }
 
     if (r->bank_fieldoffsets[0] && r->bank_fieldoffsets[1]) {
         /* Register is banked (using both entries in array).
@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
 #endif
         }
     }
-    if (opaque) {
-        r2->opaque = opaque;
-    }
-    /* reginfo passed to helpers is correct for the actual access,
-     * and is never ARM_CP_STATE_BOTH:
-     */
-    r2->state = state;
-    /* Make sure reginfo passed to helpers for wildcarded regs
-     * has the correct crm/opc1/opc2 for this reg, not CP_ANY:
-     */
-    r2->cp = cp;
-    r2->crm = crm;
-    r2->opc1 = opc1;
-    r2->opc2 = opc2;
+
     /* By convention, for wildcarded registers only the first
      * entry is used for migration; the others are marked as
      * ALIAS so we don't try to transfer the register
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Computing isbanked only once makes the code
a bit easier to read.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20220501055028.646596-17-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

From: Richard Henderson <richard.henderson@linaro.org>

Perform the override check early, so that it is still done
even when we decide to discard an unreachable cpreg.

Use assert not printf+abort.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20220501055028.646596-18-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 22 ++++++++--------------
 1 file changed, 8 insertions(+), 14 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
         g_assert_not_reached();
     }
 
+    /* Overriding of an existing definition must be explicitly requested. */
+    if (!(r->type & ARM_CP_OVERRIDE)) {
+        const ARMCPRegInfo *oldreg = get_arm_cp_reginfo(cpu->cp_regs, key);
+        if (oldreg) {
+            assert(oldreg->type & ARM_CP_OVERRIDE);
+        }
+    }
+
     /* Combine cpreg and name into one allocation. */
     name_len = strlen(name) + 1;
     r2 = g_malloc(sizeof(*r2) + name_len);
@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
         assert(!raw_accessors_invalid(r2));
     }
 
-    /* Overriding of an existing definition must be explicitly
-     * requested.
-     */
-    if (!(r->type & ARM_CP_OVERRIDE)) {
-        const ARMCPRegInfo *oldreg = get_arm_cp_reginfo(cpu->cp_regs, key);
-        if (oldreg && !(oldreg->type & ARM_CP_OVERRIDE)) {
-            fprintf(stderr, "Register redefined: cp=%d %d bit "
-                    "crn=%d crm=%d opc1=%d opc2=%d, "
-                    "was %s, now %s\n", r2->cp, 32 + 32 * is64,
-                    r2->crn, r2->crm, r2->opc1, r2->opc2,
-                    oldreg->name, r2->name);
-            g_assert_not_reached();
-        }
-    }
     g_hash_table_insert(cpu->cp_regs, (gpointer)(uintptr_t)key, r2);
 }
 
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Put the block comments into the current coding style.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20220501055028.646596-19-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ CpuDefinitionInfoList *qmp_query_cpu_definitions(Error **errp)
     return cpu_list;
 }
 
+/*
+ * Private utility function for define_one_arm_cp_reg_with_opaque():
+ * add a single reginfo struct to the hash table.
+ */
 static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
                                    void *opaque, CPState state,
                                    CPSecureState secstate,
                                    int crm, int opc1, int opc2,
                                    const char *name)
 {
-    /* Private utility function for define_one_arm_cp_reg_with_opaque():
-     * add a single reginfo struct to the hash table.
-     */
     uint32_t key;
     ARMCPRegInfo *r2;
     bool is64 = r->type & ARM_CP_64BIT;
@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
 
     isbanked = r->bank_fieldoffsets[0] && r->bank_fieldoffsets[1];
     if (isbanked) {
-        /* Register is banked (using both entries in array).
+        /*
+         * Register is banked (using both entries in array).
          * Overwriting fieldoffset as the array is only used to define
          * banked registers but later only fieldoffset is used.
          */
@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
 
     if (state == ARM_CP_STATE_AA32) {
         if (isbanked) {
-            /* If the register is banked then we don't need to migrate or
+            /*
+             * If the register is banked then we don't need to migrate or
              * reset the 32-bit instance in certain cases:
              *
              * 1) If the register has both 32-bit and 64-bit instances then we
@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
                 r2->type |= ARM_CP_ALIAS;
             }
         } else if ((secstate != r->secure) && !ns) {
-            /* The register is not banked so we only want to allow migration of
-             * the non-secure instance.
+            /*
+             * The register is not banked so we only want to allow migration
+             * of the non-secure instance.
              */
             r2->type |= ARM_CP_ALIAS;
         }
@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
         }
     }
 
-    /* By convention, for wildcarded registers only the first
+    /*
+     * By convention, for wildcarded registers only the first
      * entry is used for migration; the others are marked as
      * ALIAS so we don't try to transfer the register
      * multiple times. Special registers (ie NOP/WFI) are
@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
         r2->type |= ARM_CP_ALIAS | ARM_CP_NO_GDB;
     }
 
-    /* Check that raw accesses are either forbidden or handled. Note that
+    /*
+     * Check that raw accesses are either forbidden or handled. Note that
      * we can't assert this earlier because the setup of fieldoffset for
      * banked registers has to be done first.
      */
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Since e03b56863d2bc, our host endian indicator is unconditionally
set, which means that we can use a normal C condition.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20220501055028.646596-20-richard.henderson@linaro.org
[PMM: quote correct git hash in commit message]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
             r2->type |= ARM_CP_ALIAS;
         }
 
-        if (r->state == ARM_CP_STATE_BOTH) {
-#if HOST_BIG_ENDIAN
-            if (r2->fieldoffset) {
-                r2->fieldoffset += sizeof(uint32_t);
-            }
-#endif
+        if (HOST_BIG_ENDIAN &&
+            r->state == ARM_CP_STATE_BOTH && r2->fieldoffset) {
+            r2->fieldoffset += sizeof(uint32_t);
         }
     }
 
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220501055028.646596-24-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa32_ssbs(const ARMISARegisters *id)
     return FIELD_EX32(id->id_pfr2, ID_PFR2, SSBS) != 0;
 }
 
+static inline bool isar_feature_aa32_debugv8p2(const ARMISARegisters *id)
+{
+    return FIELD_EX32(id->id_dfr0, ID_DFR0, COPDBG) >= 8;
+}
+
 /*
  * 64-bit feature tests via id registers.
  */
@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa64_ssbs(const ARMISARegisters *id)
     return FIELD_EX64(id->id_aa64pfr1, ID_AA64PFR1, SSBS) != 0;
 }
 
+static inline bool isar_feature_aa64_debugv8p2(const ARMISARegisters *id)
+{
+    return FIELD_EX64(id->id_aa64dfr0, ID_AA64DFR0, DEBUGVER) >= 8;
+}
+
 static inline bool isar_feature_aa64_sve2(const ARMISARegisters *id)
 {
     return FIELD_EX64(id->id_aa64zfr0, ID_AA64ZFR0, SVEVER) != 0;
@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_any_tts2uxn(const ARMISARegisters *id)
     return isar_feature_aa64_tts2uxn(id) || isar_feature_aa32_tts2uxn(id);
 }
 
+static inline bool isar_feature_any_debugv8p2(const ARMISARegisters *id)
+{
+    return isar_feature_aa64_debugv8p2(id) || isar_feature_aa32_debugv8p2(id);
+}
+
 /*
  * Forward to the above feature tests given an ARMCPU pointer.
  */
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Add the aa64 predicate for detecting RAS support from id registers.
We already have the aa32 version from the M-profile work.
Add the 'any' predicate for testing both aa64 and aa32.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220501055028.646596-34-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa64_aa32_el1(const ARMISARegisters *id)
     return FIELD_EX64(id->id_aa64pfr0, ID_AA64PFR0, EL1) >= 2;
 }
 
+static inline bool isar_feature_aa64_ras(const ARMISARegisters *id)
+{
+    return FIELD_EX64(id->id_aa64pfr0, ID_AA64PFR0, RAS) != 0;
+}
+
 static inline bool isar_feature_aa64_sve(const ARMISARegisters *id)
 {
     return FIELD_EX64(id->id_aa64pfr0, ID_AA64PFR0, SVE) != 0;
@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_any_debugv8p2(const ARMISARegisters *id)
     return isar_feature_aa64_debugv8p2(id) || isar_feature_aa32_debugv8p2(id);
 }
 
+static inline bool isar_feature_any_ras(const ARMISARegisters *id)
+{
+    return isar_feature_aa64_ras(id) || isar_feature_aa32_ras(id);
+}
+
 /*
  * Forward to the above feature tests given an ARMCPU pointer.
  */
-- 
2.25.1

From: Alex Zuepke <alex.zuepke@tum.de>

The ARMv8 manual defines that PMUSERENR_EL0.ER enables read-access
to both PMXEVCNTR_EL0 and PMEVCNTR<n>_EL0 registers, however,
we only use it for PMXEVCNTR_EL0. Extend to PMEVCNTR<n>_EL0 as well.

Signed-off-by: Alex Zuepke <alex.zuepke@tum.de>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220428132717.84190-1-alex.zuepke@tum.de
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void define_pmu_regs(ARMCPU *cpu)
               .crm = 8 | (3 & (i >> 3)), .opc1 = 0, .opc2 = i & 7,
               .access = PL0_RW, .type = ARM_CP_IO | ARM_CP_ALIAS,
               .readfn = pmevcntr_readfn, .writefn = pmevcntr_writefn,
-              .accessfn = pmreg_access },
+              .accessfn = pmreg_access_xevcntr },
             { .name = pmevcntr_el0_name, .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 8 | (3 & (i >> 3)),
-              .opc2 = i & 7, .access = PL0_RW, .accessfn = pmreg_access,
+              .opc2 = i & 7, .access = PL0_RW, .accessfn = pmreg_access_xevcntr,
               .type = ARM_CP_IO,
               .readfn = pmevcntr_readfn, .writefn = pmevcntr_writefn,
               .raw_readfn = pmevcntr_rawread,
-- 
2.25.1