Series comparison

-[Qemu-devel] [PULL 00/24] target-arm queue
+[PULL 00/45] target-arm queue
-target-arm queue: Eric's SMMUv3 patchset, and an array
+I don't have anything else queued up at the moment, so this is just
-of minor bugfixes and improvements from various others.
+Richard's SME patches.
-thanks
 -- PMM
-The following changes since commit c8b7e627b4269a3bc3ae41d9f420547a47e6d9b9:
+The following changes since commit 63b38f6c85acd312c2cab68554abf33adf4ee2b3:
-  Merge remote-tracking branch 'remotes/ericb/tags/pull-nbd-2018-05-04' into staging (2018-05-04 14:42:46 +0100)
+  Merge tag 'pull-target-arm-20220707' of https://git.linaro.org/people/pmaydell/qemu-arm into staging (2022-07-08 06:17:11 +0530)
 are available in the Git repository at:
-  git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20180504
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20220711
-for you to fetch changes up to 5680740c92993e9b3f3e011f2a2c394070e33f56:
+for you to fetch changes up to f9982ceaf26df27d15547a3a7990a95019e9e3a8:
-  hw/arm/virt: Introduce the iommu option (2018-05-04 18:05:52 +0100)
+  linux-user/aarch64: Add SME related hwcap entries (2022-07-11 13:43:52 +0100)
 ----------------------------------------------------------------
-target-arm queue:
+target-arm:
- * Emulate the SMMUv3 (IOMMU); one will be created in the 'virt' board
+ * Implement SME emulation, for both system and linux-user
    if the commandline includes "-machine iommu=smmuv3"
  * target/arm: Implement v8M VLLDM and VLSTM
  * hw/arm: Don't fail qtest due to missing SD card in -nodefaults mode
  * Some fixes to silence Coverity false-positives
  * arm: boot: set boot_info starting from first_cpu
    (fixes a technical bug not visible in practice)
  * hw/net/smc91c111: Convert away from old_mmio
  * hw/usb/tusb6010: Convert away from old_mmio
  * hw/char/cmsdk-apb-uart.c: Accept more input after character read
  * target/arm: Make MPUIR write-ignored on OMAP, StrongARM
  * hw/arm/virt: Add linux,pci-domain property
 ----------------------------------------------------------------
-Eric Auger (11):
+Richard Henderson (45):
-      hw/arm/smmu-common: smmu base device and datatypes
+      target/arm: Handle SME in aarch64_cpu_dump_state
-      hw/arm/smmu-common: IOMMU memory region and address space setup
+      target/arm: Add infrastructure for disas_sme
-      hw/arm/smmu-common: VMSAv8-64 page table walk
+      target/arm: Trap non-streaming usage when Streaming SVE is active
-      hw/arm/smmuv3: Wired IRQ and GERROR helpers
+      target/arm: Mark ADR as non-streaming
-      hw/arm/smmuv3: Queue helpers
+      target/arm: Mark RDFFR, WRFFR, SETFFR as non-streaming
-      hw/arm/smmuv3: Implement MMIO write operations
+      target/arm: Mark BDEP, BEXT, BGRP, COMPACT, FEXPA, FTSSEL as non-streaming
-      hw/arm/smmuv3: Event queue recording helper
+      target/arm: Mark PMULL, FMMLA as non-streaming
-      hw/arm/smmuv3: Implement translate callback
+      target/arm: Mark FTSMUL, FTMAD, FADDA as non-streaming
-      hw/arm/smmuv3: Abort on vfio or vhost case
+      target/arm: Mark SMMLA, UMMLA, USMMLA as non-streaming
-      target/arm/kvm: Translate the MSI doorbell in kvm_arch_fixup_msi_route
+      target/arm: Mark string/histo/crypto as non-streaming
-      hw/arm/virt: Introduce the iommu option
+      target/arm: Mark gather/scatter load/store as non-streaming
       target/arm: Mark gather prefetch as non-streaming
       target/arm: Mark LDFF1 and LDNF1 as non-streaming
       target/arm: Mark LD1RO as non-streaming
       target/arm: Add SME enablement checks
       target/arm: Handle SME in sve_access_check
       target/arm: Implement SME RDSVL, ADDSVL, ADDSPL
       target/arm: Implement SME ZERO
       target/arm: Implement SME MOVA
       target/arm: Implement SME LD1, ST1
       target/arm: Export unpredicated ld/st from translate-sve.c
       target/arm: Implement SME LDR, STR
       target/arm: Implement SME ADDHA, ADDVA
       target/arm: Implement FMOPA, FMOPS (non-widening)
       target/arm: Implement BFMOPA, BFMOPS
       target/arm: Implement FMOPA, FMOPS (widening)
       target/arm: Implement SME integer outer product
       target/arm: Implement PSEL
       target/arm: Implement REVD
       target/arm: Implement SCLAMP, UCLAMP
       target/arm: Reset streaming sve state on exception boundaries
       target/arm: Enable SME for -cpu max
       linux-user/aarch64: Clear tpidr2_el0 if CLONE_SETTLS
       linux-user/aarch64: Reset PSTATE.SM on syscalls
       linux-user/aarch64: Add SM bit to SVE signal context
       linux-user/aarch64: Tidy target_restore_sigframe error return
       linux-user/aarch64: Do not allow duplicate or short sve records
       linux-user/aarch64: Verify extra record lock succeeded
       linux-user/aarch64: Move sve record checks into restore
       linux-user/aarch64: Implement SME signal handling
       linux-user: Rename sve prctls
       linux-user/aarch64: Implement PR_SME_GET_VL, PR_SME_SET_VL
       target/arm: Only set ZEN in reset if SVE present
       target/arm: Enable SME for user-only
       linux-user/aarch64: Add SME related hwcap entries
-Igor Mammedov (1):
+ docs/system/arm/emulation.rst     |    4 +
-      arm: boot: set boot_info starting from first_cpu
+ linux-user/aarch64/target_cpu.h   |    5 +-
+ linux-user/aarch64/target_prctl.h |   62 +-
-Jan Kiszka (1):
+ target/arm/cpu.h                  |    7 +
-      hw/arm/virt: Add linux,pci-domain property
+ target/arm/helper-sme.h           |  126 ++++
+ target/arm/helper-sve.h           |    4 +
-Mathew Maidment (1):
+ target/arm/helper.h               |   18 +
-      target/arm: Correct MPUIR privilege level in register_cp_regs_for_features() conditional case
+ target/arm/translate-a64.h        |   45 ++
+ target/arm/translate.h            |   16 +
-Patrick Oppenlander (1):
+ target/arm/sme-fa64.decode        |   60 ++
-      hw/char/cmsdk-apb-uart.c: Accept more input after character read
+ target/arm/sme.decode             |   88 +++
+ target/arm/sve.decode             |   41 +-
-Peter Maydell (3):
+ linux-user/aarch64/cpu_loop.c     |    9 +
-      hw/usb/tusb6010: Convert away from old_mmio
+ linux-user/aarch64/signal.c       |  243 ++++++--
-      hw/net/smc91c111: Convert away from old_mmio
+ linux-user/elfload.c              |   20 +
-      target/arm: Implement v8M VLLDM and VLSTM
+ linux-user/syscall.c              |   28 +-
+ target/arm/cpu.c                  |   35 +-
-Prem Mallappa (3):
+ target/arm/cpu64.c                |   11 +
-      hw/arm/smmuv3: Skeleton
+ target/arm/helper.c               |   56 +-
-      hw/arm/virt: Add SMMUv3 to the virt board
+ target/arm/sme_helper.c           | 1140 +++++++++++++++++++++++++++++++++++++
-      hw/arm/virt-acpi-build: Add smmuv3 node in IORT table
+ target/arm/sve_helper.c           |   28 +
+ target/arm/translate-a64.c        |  103 +++-
-Richard Henderson (2):
+ target/arm/translate-sme.c        |  373 ++++++++++++
-      target/arm: Tidy conditions in handle_vec_simd_shri
+ target/arm/translate-sve.c        |  393 ++++++++++---
-      target/arm: Tidy condition in disas_simd_two_reg_misc
+ target/arm/translate-vfp.c        |   12 +
+ target/arm/translate.c            |    2 +
-Thomas Huth (1):
+ target/arm/vec_helper.c           |   24 +
-      hw/arm: Don't fail qtest due to missing SD card in -nodefaults mode
+ target/arm/meson.build            |    3 +
+files changed, 2821 insertions(+), 135 deletions(-)
- hw/arm/Makefile.objs                |    1 +
+ create mode 100644 target/arm/sme-fa64.decode
- hw/arm/smmu-internal.h              |   99 +++
+ create mode 100644 target/arm/sme.decode
- hw/arm/smmuv3-internal.h            |  621 ++++++++++++++++++
+ create mode 100644 target/arm/translate-sme.c
  include/hw/acpi/acpi-defs.h         |   15 +
  include/hw/arm/smmu-common.h        |  145 +++++
  include/hw/arm/smmuv3.h             |   87 +++
  include/hw/arm/virt.h               |   10 +
  hw/arm/boot.c                       |    2 +-
  hw/arm/omap1.c                      |    8 +-
  hw/arm/omap2.c                      |    8 +-
  hw/arm/pxa2xx.c                     |   15 +-
  hw/arm/smmu-common.c                |  372 +++++++++++
  hw/arm/smmuv3.c                     | 1191 +++++++++++++++++++++++++++++++++++
  hw/arm/virt-acpi-build.c            |   55 +-
  hw/arm/virt.c                       |  101 ++-
  hw/char/cmsdk-apb-uart.c            |    1 +
  hw/net/smc91c111.c                  |   54 +-
  hw/usb/tusb6010.c                   |   40 +-
  target/arm/helper.c                 |    2 +-
  target/arm/kvm.c                    |   38 +-
  target/arm/translate-a64.c          |   12 +-
  target/arm/translate.c              |   17 +-
  default-configs/aarch64-softmmu.mak |    1 +
  hw/arm/trace-events                 |   37 ++
  target/arm/trace-events             |    3 +
 files changed, 2868 insertions(+), 67 deletions(-)
  create mode 100644 hw/arm/smmu-internal.h
  create mode 100644 hw/arm/smmuv3-internal.h
  create mode 100644 include/hw/arm/smmu-common.h
  create mode 100644 include/hw/arm/smmuv3.h
  create mode 100644 hw/arm/smmu-common.c
  create mode 100644 hw/arm/smmuv3.c

-New patch
+[PULL 01/45] target/arm: Handle SME in aarch64_cpu_dump_state
+From: Richard Henderson <richard.henderson@linaro.org>
+Dump SVCR, plus use the correct access check for Streaming Mode.
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220708151540.18136-2-richard.henderson@linaro.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/cpu.c | 17 ++++++++++++++++-
+file changed, 16 insertions(+), 1 deletion(-)
+diff --git a/target/arm/cpu.c b/target/arm/cpu.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/cpu.c
++++ b/target/arm/cpu.c
+@@ -XXX,XX +XXX,XX @@ static void aarch64_cpu_dump_state(CPUState *cs, FILE *f, int flags)
+     int i;
+     int el = arm_current_el(env);
+     const char *ns_status;
++    bool sve;
+     qemu_fprintf(f, " PC=%016" PRIx64 " ", env->pc);
+     for (i = 0; i < 32; i++) {
+@@ -XXX,XX +XXX,XX @@ static void aarch64_cpu_dump_state(CPUState *cs, FILE *f, int flags)
+                  el,
+                  psr & PSTATE_SP ? 'h' : 't');
++    if (cpu_isar_feature(aa64_sme, cpu)) {
++        qemu_fprintf(f, "  SVCR=%08" PRIx64 " %c%c",
++                     env->svcr,
++                     (FIELD_EX64(env->svcr, SVCR, ZA) ? 'Z' : '-'),
++                     (FIELD_EX64(env->svcr, SVCR, SM) ? 'S' : '-'));
++    }
+     if (cpu_isar_feature(aa64_bti, cpu)) {
+         qemu_fprintf(f, "  BTYPE=%d", (psr & PSTATE_BTYPE) >> 10);
+     }
+@@ -XXX,XX +XXX,XX @@ static void aarch64_cpu_dump_state(CPUState *cs, FILE *f, int flags)
+     qemu_fprintf(f, "     FPCR=%08x FPSR=%08x\n",
+                  vfp_get_fpcr(env), vfp_get_fpsr(env));
+-    if (cpu_isar_feature(aa64_sve, cpu) && sve_exception_el(env, el) == 0) {
++    if (cpu_isar_feature(aa64_sme, cpu) && FIELD_EX64(env->svcr, SVCR, SM)) {
++        sve = sme_exception_el(env, el) == 0;
++    } else if (cpu_isar_feature(aa64_sve, cpu)) {
++        sve = sve_exception_el(env, el) == 0;
++    } else {
++        sve = false;
++    }
++
++    if (sve) {
+         int j, zcr_len = sve_vqm1_for_el(env, el);
+         for (i = 0; i <= FFR_PRED_NUM; i++) {
+--
+.25.1

-[Qemu-devel] [PULL 11/24] hw/arm/smmu-common: smmu base device and datatypes
+[PULL 02/45] target/arm: Add infrastructure for disas_sme
-From: Eric Auger <eric.auger@redhat.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-The patch introduces the smmu base device and class for the ARM
+This includes the build rules for the decoder, and the
-smmu. Devices for specific versions will be derived from this
+new file for translation, but excludes any instructions.
 base device.
-We also introduce some important datatypes.
-Signed-off-by: Eric Auger <eric.auger@redhat.com>
-Signed-off-by: Prem Mallappa <prem.mallappa@broadcom.com>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 1524665762-31355-2-git-send-email-eric.auger@redhat.com
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20220708151540.18136-3-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/Makefile.objs                |   1 +
+ target/arm/translate-a64.h |  1 +
- include/hw/arm/smmu-common.h        | 123 ++++++++++++++++++++++++++++
+ target/arm/sme.decode      | 20 ++++++++++++++++++++
- hw/arm/smmu-common.c                |  81 ++++++++++++++++++
+ target/arm/translate-a64.c |  7 ++++++-
- default-configs/aarch64-softmmu.mak |   1 +
+ target/arm/translate-sme.c | 35 +++++++++++++++++++++++++++++++++++
-files changed, 206 insertions(+)
+ target/arm/meson.build     |  2 ++
- create mode 100644 include/hw/arm/smmu-common.h
+files changed, 64 insertions(+), 1 deletion(-)
- create mode 100644 hw/arm/smmu-common.c
+ create mode 100644 target/arm/sme.decode
  create mode 100644 target/arm/translate-sme.c
-diff --git a/hw/arm/Makefile.objs b/hw/arm/Makefile.objs
+diff --git a/target/arm/translate-a64.h b/target/arm/translate-a64.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/Makefile.objs
+--- a/target/arm/translate-a64.h
-+++ b/hw/arm/Makefile.objs
++++ b/target/arm/translate-a64.h
-@@ -XXX,XX +XXX,XX @@ obj-$(CONFIG_MPS2) += mps2-tz.o
+@@ -XXX,XX +XXX,XX @@ static inline int pred_gvec_reg_size(DisasContext *s)
- obj-$(CONFIG_MSF2) += msf2-soc.o msf2-som.o
+ }
- obj-$(CONFIG_IOTKIT) += iotkit.o
- obj-$(CONFIG_FSL_IMX7) += fsl-imx7.o mcimx7d-sabre.o
+ bool disas_sve(DisasContext *, uint32_t);
-+obj-$(CONFIG_ARM_SMMUV3) += smmu-common.o
++bool disas_sme(DisasContext *, uint32_t);
-diff --git a/include/hw/arm/smmu-common.h b/include/hw/arm/smmu-common.h
  void gen_gvec_rax1(unsigned vece, uint32_t rd_ofs, uint32_t rn_ofs,
                     uint32_t rm_ofs, uint32_t opr_sz, uint32_t max_sz);
 diff --git a/target/arm/sme.decode b/target/arm/sme.decode
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
-+++ b/include/hw/arm/smmu-common.h
++++ b/target/arm/sme.decode
 @@ -XXX,XX +XXX,XX @@
-+/*
++# AArch64 SME instruction descriptions
-+ * ARM SMMU Support
++#
-+ *
++#  Copyright (c) 2022 Linaro, Ltd
-+ * Copyright (C) 2015-2016 Broadcom Corporation
++#
-+ * Copyright (c) 2017 Red Hat, Inc.
++# This library is free software; you can redistribute it and/or
-+ * Written by Prem Mallappa, Eric Auger
++# modify it under the terms of the GNU Lesser General Public
-+ *
++# License as published by the Free Software Foundation; either
-+ * This program is free software; you can redistribute it and/or modify
++# version 2.1 of the License, or (at your option) any later version.
-+ * it under the terms of the GNU General Public License version 2 as
++#
-+ * published by the Free Software Foundation.
++# This library is distributed in the hope that it will be useful,
-+ *
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * This program is distributed in the hope that it will be useful,
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++# Lesser General Public License for more details.
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++#
-+ * GNU General Public License for more details.
++# You should have received a copy of the GNU Lesser General Public
-+ *
++# License along with this library; if not, see <http://www.gnu.org/licenses/>.
 + */
 +
-+#ifndef HW_ARM_SMMU_COMMON_H
++#
-+#define HW_ARM_SMMU_COMMON_H
++# This file is processed by scripts/decodetree.py
-+
++#
-+#include "hw/sysbus.h"
+diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
-+#include "hw/pci/pci.h"
+index XXXXXXX..XXXXXXX 100644
-+
+--- a/target/arm/translate-a64.c
-+#define SMMU_PCI_BUS_MAX      256
++++ b/target/arm/translate-a64.c
-+#define SMMU_PCI_DEVFN_MAX    256
+@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
-+
+     }
-+#define SMMU_MAX_VA_BITS      48
-+
+     switch (extract32(insn, 25, 4)) {
-+/*
+-    case 0x0: case 0x1: case 0x3: /* UNALLOCATED */
-+ * Page table walk error types
++    case 0x0:
-+ */
++        if (!extract32(insn, 31, 1) || !disas_sme(s, insn)) {
-+typedef enum {
++            unallocated_encoding(s);
-+    SMMU_PTW_ERR_NONE,
++        }
-+    SMMU_PTW_ERR_WALK_EABT,   /* Translation walk external abort */
++        break;
-+    SMMU_PTW_ERR_TRANSLATION, /* Translation fault */
++    case 0x1: case 0x3: /* UNALLOCATED */
-+    SMMU_PTW_ERR_ADDR_SIZE,   /* Address Size fault */
+         unallocated_encoding(s);
-+    SMMU_PTW_ERR_ACCESS,      /* Access fault */
+         break;
-+    SMMU_PTW_ERR_PERMISSION,  /* Permission fault */
+     case 0x2:
-+} SMMUPTWEventType;
+diff --git a/target/arm/translate-sme.c b/target/arm/translate-sme.c
 +
 +typedef struct SMMUPTWEventInfo {
 +    SMMUPTWEventType type;
 +    dma_addr_t addr; /* fetched address that induced an abort, if any */
 +} SMMUPTWEventInfo;
 +
 +typedef struct SMMUTransTableInfo {
 +    bool disabled;             /* is the translation table disabled? */
 +    uint64_t ttb;              /* TT base address */
 +    uint8_t tsz;               /* input range, ie. 2^(64 -tsz)*/
 +    uint8_t granule_sz;        /* granule page shift */
 +} SMMUTransTableInfo;
 +
 +/*
 + * Generic structure populated by derived SMMU devices
 + * after decoding the configuration information and used as
 + * input to the page table walk
 + */
 +typedef struct SMMUTransCfg {
 +    int stage;                 /* translation stage */
 +    bool aa64;                 /* arch64 or aarch32 translation table */
 +    bool disabled;             /* smmu is disabled */
 +    bool bypassed;             /* translation is bypassed */
 +    bool aborted;              /* translation is aborted */
 +    uint64_t ttb;              /* TT base address */
 +    uint8_t oas;               /* output address width */
 +    uint8_t tbi;               /* Top Byte Ignore */
 +    uint16_t asid;
 +    SMMUTransTableInfo tt[2];
 +} SMMUTransCfg;
 +
 +typedef struct SMMUDevice {
 +    void               *smmu;
 +    PCIBus             *bus;
 +    int                devfn;
 +    IOMMUMemoryRegion  iommu;
 +    AddressSpace       as;
 +} SMMUDevice;
 +
 +typedef struct SMMUNotifierNode {
 +    SMMUDevice *sdev;
 +    QLIST_ENTRY(SMMUNotifierNode) next;
 +} SMMUNotifierNode;
 +
 +typedef struct SMMUPciBus {
 +    PCIBus       *bus;
 +    SMMUDevice   *pbdev[0]; /* Parent array is sparse, so dynamically alloc */
 +} SMMUPciBus;
 +
 +typedef struct SMMUState {
 +    /* <private> */
 +    SysBusDevice  dev;
 +    const char *mrtypename;
 +    MemoryRegion iomem;
 +
 +    GHashTable *smmu_pcibus_by_busptr;
 +    GHashTable *configs; /* cache for configuration data */
 +    GHashTable *iotlb;
 +    SMMUPciBus *smmu_pcibus_by_bus_num[SMMU_PCI_BUS_MAX];
 +    PCIBus *pci_bus;
 +    QLIST_HEAD(, SMMUNotifierNode) notifiers_list;
 +    uint8_t bus_num;
 +    PCIBus *primary_bus;
 +} SMMUState;
 +
 +typedef struct {
 +    /* <private> */
 +    SysBusDeviceClass parent_class;
 +
 +    /*< public >*/
 +
 +    DeviceRealize parent_realize;
 +
 +} SMMUBaseClass;
 +
 +#define TYPE_ARM_SMMU "arm-smmu"
 +#define ARM_SMMU(obj) OBJECT_CHECK(SMMUState, (obj), TYPE_ARM_SMMU)
 +#define ARM_SMMU_CLASS(klass)                                    \
 +    OBJECT_CLASS_CHECK(SMMUBaseClass, (klass), TYPE_ARM_SMMU)
 +#define ARM_SMMU_GET_CLASS(obj)                              \
 +    OBJECT_GET_CLASS(SMMUBaseClass, (obj), TYPE_ARM_SMMU)
 +
 +#endif  /* HW_ARM_SMMU_COMMON */
 diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
-+++ b/hw/arm/smmu-common.c
++++ b/target/arm/translate-sme.c
 @@ -XXX,XX +XXX,XX @@
 +/*
-+ * Copyright (C) 2014-2016 Broadcom Corporation
++ * AArch64 SME translation
 + * Copyright (c) 2017 Red Hat, Inc.
 + * Written by Prem Mallappa, Eric Auger
 + *
-+ * This program is free software; you can redistribute it and/or modify
++ * Copyright (c) 2022 Linaro, Ltd
 + * it under the terms of the GNU General Public License version 2 as
 + * published by the Free Software Foundation.
 + *
-+ * This program is distributed in the hope that it will be useful,
++ * This library is free software; you can redistribute it and/or
 + * modify it under the terms of the GNU Lesser General Public
 + * License as published by the Free Software Foundation; either
 + * version 2.1 of the License, or (at your option) any later version.
 + *
 + * This library is distributed in the hope that it will be useful,
 + * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-+ * GNU General Public License for more details.
++ * Lesser General Public License for more details.
 + *
-+ * Author: Prem Mallappa <pmallapp@broadcom.com>
++ * You should have received a copy of the GNU Lesser General Public
-+ *
++ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
 + */
 +
 +#include "qemu/osdep.h"
-+#include "sysemu/sysemu.h"
++#include "cpu.h"
-+#include "exec/address-spaces.h"
++#include "tcg/tcg-op.h"
-+#include "trace.h"
++#include "tcg/tcg-op-gvec.h"
-+#include "exec/target_page.h"
++#include "tcg/tcg-gvec-desc.h"
-+#include "qom/cpu.h"
++#include "translate.h"
-+#include "hw/qdev-properties.h"
++#include "exec/helper-gen.h"
-+#include "qapi/error.h"
++#include "translate-a64.h"
 +#include "fpu/softfloat.h"
 +
-+#include "qemu/error-report.h"
-+#include "hw/arm/smmu-common.h"
 +
-+static void smmu_base_realize(DeviceState *dev, Error **errp)
++/*
-+{
++ * Include the generated decoder.
-+    SMMUBaseClass *sbc = ARM_SMMU_GET_CLASS(dev);
++ */
 +    Error *local_err = NULL;
 +
-+    sbc->parent_realize(dev, &local_err);
++#include "decode-sme.c.inc"
-+    if (local_err) {
+diff --git a/target/arm/meson.build b/target/arm/meson.build
 +        error_propagate(errp, local_err);
 +        return;
 +    }
 +}
 +
 +static void smmu_base_reset(DeviceState *dev)
 +{
 +    /* will be filled later on */
 +}
 +
 +static Property smmu_dev_properties[] = {
 +    DEFINE_PROP_UINT8("bus_num", SMMUState, bus_num, 0),
 +    DEFINE_PROP_LINK("primary-bus", SMMUState, primary_bus, "PCI", PCIBus *),
 +    DEFINE_PROP_END_OF_LIST(),
 +};
 +
 +static void smmu_base_class_init(ObjectClass *klass, void *data)
 +{
 +    DeviceClass *dc = DEVICE_CLASS(klass);
 +    SMMUBaseClass *sbc = ARM_SMMU_CLASS(klass);
 +
 +    dc->props = smmu_dev_properties;
 +    device_class_set_parent_realize(dc, smmu_base_realize,
 +                                    &sbc->parent_realize);
 +    dc->reset = smmu_base_reset;
 +}
 +
 +static const TypeInfo smmu_base_info = {
 +    .name          = TYPE_ARM_SMMU,
 +    .parent        = TYPE_SYS_BUS_DEVICE,
 +    .instance_size = sizeof(SMMUState),
 +    .class_data    = NULL,
 +    .class_size    = sizeof(SMMUBaseClass),
 +    .class_init    = smmu_base_class_init,
 +    .abstract      = true,
 +};
 +
 +static void smmu_base_register_types(void)
 +{
 +    type_register_static(&smmu_base_info);
 +}
 +
 +type_init(smmu_base_register_types)
 +
 diff --git a/default-configs/aarch64-softmmu.mak b/default-configs/aarch64-softmmu.mak
 index XXXXXXX..XXXXXXX 100644
---- a/default-configs/aarch64-softmmu.mak
+--- a/target/arm/meson.build
-+++ b/default-configs/aarch64-softmmu.mak
++++ b/target/arm/meson.build
-@@ -XXX,XX +XXX,XX @@ CONFIG_DDC=y
+@@ -XXX,XX +XXX,XX @@
- CONFIG_DPCD=y
+ gen = [
- CONFIG_XLNX_ZYNQMP=y
+   decodetree.process('sve.decode', extra_args: '--decode=disas_sve'),
- CONFIG_XLNX_ZYNQMP_ARM=y
++  decodetree.process('sme.decode', extra_args: '--decode=disas_sme'),
-+CONFIG_ARM_SMMUV3=y
+   decodetree.process('neon-shared.decode', extra_args: '--decode=disas_neon_shared'),
    decodetree.process('neon-dp.decode', extra_args: '--decode=disas_neon_dp'),
    decodetree.process('neon-ls.decode', extra_args: '--decode=disas_neon_ls'),
@@ -XXX,XX +XXX,XX @@ arm_ss.add(when: 'TARGET_AARCH64', if_true: files(
    'sme_helper.c',
    'translate-a64.c',
    'translate-sve.c',
 +  'translate-sme.c',
  ))
  arm_softmmu_ss = ss.source_set()
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 10/24] target/arm: Implement v8M VLLDM and VLSTM
+[PULL 03/45] target/arm: Trap non-streaming usage when Streaming SVE is active
-For v8M the instructions VLLDM and VLSTM support lazy saving
+From: Richard Henderson <richard.henderson@linaro.org>
-and restoring of the secure floating-point registers. Even
-if the floating point extension is not implemented, these
+This new behaviour is in the ARM pseudocode function
-instructions must act as NOPs in Secure state, so they can
+AArch64.CheckFPAdvSIMDEnabled, which applies to AArch32
-be used as part of the secure-to-nonsecure call sequence.
+via AArch32.CheckAdvSIMDOrFPEnabled when the EL to which
+the trap would be delivered is in AArch64 mode.
-Fixes: https://bugs.launchpad.net/qemu/+bug/1768295
-Cc: qemu-stable@nongnu.org
+Given that ARMv9 drops support for AArch32 outside EL0, the trap EL
 detection ought to be trivially true, but the pseudocode still contains
 a number of conditions, and QEMU has not yet committed to dropping A32
 support for EL[12] when v9 features are present.
 Since the computation of SME_TRAP_NONSTREAMING is necessarily different
 for the two modes, we might as well preserve bits within TBFLAG_ANY and
 allocate separate bits within TBFLAG_A32 and TBFLAG_A64 instead.
 Note that DDI0616A.a has typos for bits [22:21] of LD1RO in the table
 of instructions illegal in streaming mode.
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20220708151540.18136-4-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180503105730.5958-1-peter.maydell@linaro.org
 ---
- target/arm/translate.c | 17 ++++++++++++++++-
+ target/arm/cpu.h           |  7 +++
-file changed, 16 insertions(+), 1 deletion(-)
+ target/arm/translate.h     |  4 ++
+ target/arm/sme-fa64.decode | 90 ++++++++++++++++++++++++++++++++++++++
  target/arm/helper.c        | 41 +++++++++++++++++
  target/arm/translate-a64.c | 40 ++++++++++++++++-
  target/arm/translate-vfp.c | 12 +++++
  target/arm/translate.c     |  2 +
  target/arm/meson.build     |  1 +
 files changed, 195 insertions(+), 2 deletions(-)
  create mode 100644 target/arm/sme-fa64.decode
 diff --git a/target/arm/cpu.h b/target/arm/cpu.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.h
 +++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ FIELD(TBFLAG_A32, HSTR_ACTIVE, 9, 1)
   * the same thing as the current security state of the processor!
   */
  FIELD(TBFLAG_A32, NS, 10, 1)
 +/*
 + * Indicates that SME Streaming mode is active, and SMCR_ELx.FA64 is not.
 + * This requires an SME trap from AArch32 mode when using NEON.
 + */
 +FIELD(TBFLAG_A32, SME_TRAP_NONSTREAMING, 11, 1)
  /*
   * Bit usage when in AArch32 state, for M-profile only.
@@ -XXX,XX +XXX,XX @@ FIELD(TBFLAG_A64, SMEEXC_EL, 20, 2)
  FIELD(TBFLAG_A64, PSTATE_SM, 22, 1)
  FIELD(TBFLAG_A64, PSTATE_ZA, 23, 1)
  FIELD(TBFLAG_A64, SVL, 24, 4)
 +/* Indicates that SME Streaming mode is active, and SMCR_ELx.FA64 is not. */
 +FIELD(TBFLAG_A64, SME_TRAP_NONSTREAMING, 28, 1)
  /*
   * Helpers for using the above.
 diff --git a/target/arm/translate.h b/target/arm/translate.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.h
 +++ b/target/arm/translate.h
@@ -XXX,XX +XXX,XX @@ typedef struct DisasContext {
      bool pstate_sm;
      /* True if PSTATE.ZA is set. */
      bool pstate_za;
 +    /* True if non-streaming insns should raise an SME Streaming exception. */
 +    bool sme_trap_nonstreaming;
 +    /* True if the current instruction is non-streaming. */
 +    bool is_nonstreaming;
      /* True if MVE insns are definitely not predicated by VPR or LTPSIZE */
      bool mve_no_pred;
      /*
 diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/target/arm/sme-fa64.decode
@@ -XXX,XX +XXX,XX @@
 +# AArch64 SME allowed instruction decoding
 +#
 +#  Copyright (c) 2022 Linaro, Ltd
 +#
 +# This library is free software; you can redistribute it and/or
 +# modify it under the terms of the GNU Lesser General Public
 +# License as published by the Free Software Foundation; either
 +# version 2.1 of the License, or (at your option) any later version.
 +#
 +# This library is distributed in the hope that it will be useful,
 +# but WITHOUT ANY WARRANTY; without even the implied warranty of
 +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 +# Lesser General Public License for more details.
 +#
 +# You should have received a copy of the GNU Lesser General Public
 +# License along with this library; if not, see <http://www.gnu.org/licenses/>.
 +
 +#
 +# This file is processed by scripts/decodetree.py
 +#
 +
 +# These patterns are taken from Appendix E1.1 of DDI0616 A.a,
 +# Arm Architecture Reference Manual Supplement,
 +# The Scalable Matrix Extension (SME), for Armv9-A
 +
 +{
 +  [
 +    OK  0-00 1110 0000 0001 0010 11-- ---- ----   # SMOV W|Xd,Vn.B[0]
 +    OK  0-00 1110 0000 0010 0010 11-- ---- ----   # SMOV W|Xd,Vn.H[0]
 +    OK  0100 1110 0000 0100 0010 11-- ---- ----   # SMOV Xd,Vn.S[0]
 +    OK  0000 1110 0000 0001 0011 11-- ---- ----   # UMOV Wd,Vn.B[0]
 +    OK  0000 1110 0000 0010 0011 11-- ---- ----   # UMOV Wd,Vn.H[0]
 +    OK  0000 1110 0000 0100 0011 11-- ---- ----   # UMOV Wd,Vn.S[0]
 +    OK  0100 1110 0000 1000 0011 11-- ---- ----   # UMOV Xd,Vn.D[0]
 +  ]
 +  FAIL  0--0 111- ---- ---- ---- ---- ---- ----   # Advanced SIMD vector operations
 +}
 +
 +{
 +  [
 +    OK  0101 1110 --1- ---- 11-1 11-- ---- ----   # FMULX/FRECPS/FRSQRTS (scalar)
 +    OK  0101 1110 -10- ---- 00-1 11-- ---- ----   # FMULX/FRECPS/FRSQRTS (scalar, FP16)
 +    OK  01-1 1110 1-10 0001 11-1 10-- ---- ----   # FRECPE/FRSQRTE/FRECPX (scalar)
 +    OK  01-1 1110 1111 1001 11-1 10-- ---- ----   # FRECPE/FRSQRTE/FRECPX (scalar, FP16)
 +  ]
 +  FAIL  01-1 111- ---- ---- ---- ---- ---- ----   # Advanced SIMD single-element operations
 +}
 +
 +FAIL    0-00 110- ---- ---- ---- ---- ---- ----   # Advanced SIMD structure load/store
 +FAIL    1100 1110 ---- ---- ---- ---- ---- ----   # Advanced SIMD cryptography extensions
 +FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
 +
 +# These are the "avoidance of doubt" final table of Illegal Advanced SIMD instructions
 +# We don't actually need to include these, as the default is OK.
 +#       -001 111- ---- ---- ---- ---- ---- ----   # Scalar floating-point operations
 +#       --10 110- ---- ---- ---- ---- ---- ----   # Load/store pair of FP registers
 +#       --01 1100 ---- ---- ---- ---- ---- ----   # Load FP register (PC-relative literal)
 +#       --11 1100 --0- ---- ---- ---- ---- ----   # Load/store FP register (unscaled imm)
 +#       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
 +#       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
 +
 +FAIL    0000 0100 --1- ---- 1010 ---- ---- ----   # ADR
 +FAIL    0000 0100 --1- ---- 1011 -0-- ---- ----   # FTSSEL, FEXPA
 +FAIL    0000 0101 --10 0001 100- ---- ---- ----   # COMPACT
 +FAIL    0010 0101 --01 100- 1111 000- ---0 ----   # RDFFR, RDFFRS
 +FAIL    0010 0101 --10 1--- 1001 ---- ---- ----   # WRFFR, SETFFR
 +FAIL    0100 0101 --0- ---- 1011 ---- ---- ----   # BDEP, BEXT, BGRP
 +FAIL    0100 0101 000- ---- 0110 1--- ---- ----   # PMULLB, PMULLT (128b result)
 +FAIL    0110 0100 --1- ---- 1110 01-- ---- ----   # FMMLA, BFMMLA
 +FAIL    0110 0101 --0- ---- 0000 11-- ---- ----   # FTSMUL
 +FAIL    0110 0101 --01 0--- 100- ---- ---- ----   # FTMAD
 +FAIL    0110 0101 --01 1--- 001- ---- ---- ----   # FADDA
 +FAIL    0100 0101 --0- ---- 1001 10-- ---- ----   # SMMLA, UMMLA, USMMLA
 +FAIL    0100 0101 --1- ---- 1--- ---- ---- ----   # SVE2 string/histo/crypto instructions
 +FAIL    1000 010- -00- ---- 10-- ---- ---- ----   # SVE2 32-bit gather NT load (vector+scalar)
 +FAIL    1000 010- -00- ---- 111- ---- ---- ----   # SVE 32-bit gather prefetch (vector+imm)
 +FAIL    1000 0100 0-1- ---- 0--- ---- ---- ----   # SVE 32-bit gather prefetch (scalar+vector)
 +FAIL    1000 010- -01- ---- 1--- ---- ---- ----   # SVE 32-bit gather load (vector+imm)
 +FAIL    1000 0100 0-0- ---- 0--- ---- ---- ----   # SVE 32-bit gather load byte (scalar+vector)
 +FAIL    1000 0100 1--- ---- 0--- ---- ---- ----   # SVE 32-bit gather load half (scalar+vector)
 +FAIL    1000 0101 0--- ---- 0--- ---- ---- ----   # SVE 32-bit gather load word (scalar+vector)
 +FAIL    1010 010- ---- ---- 011- ---- ---- ----   # SVE contiguous FF load (scalar+scalar)
 +FAIL    1010 010- ---1 ---- 101- ---- ---- ----   # SVE contiguous NF load (scalar+imm)
 +FAIL    1010 010- -01- ---- 000- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+scalar)
 +FAIL    1010 010- -010 ---- 001- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+imm)
 +FAIL    1100 010- ---- ---- ---- ---- ---- ----   # SVE 64-bit gather load/prefetch
 +FAIL    1110 010- -00- ---- 001- ---- ---- ----   # SVE2 64-bit scatter NT store (vector+scalar)
 +FAIL    1110 010- -10- ---- 001- ---- ---- ----   # SVE2 32-bit scatter NT store (vector+scalar)
 +FAIL    1110 010- ---- ---- 1-0- ---- ---- ----   # SVE scatter store (scalar+32-bit vector)
 +FAIL    1110 010- ---- ---- 101- ---- ---- ----   # SVE scatter store (misc)
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ int sme_exception_el(CPUARMState *env, int el)
      return 0;
  }
 +/* This corresponds to the ARM pseudocode function IsFullA64Enabled(). */
 +static bool sme_fa64(CPUARMState *env, int el)
 +{
 +    if (!cpu_isar_feature(aa64_sme_fa64, env_archcpu(env))) {
 +        return false;
 +    }
 +
 +    if (el <= 1 && !el_is_in_host(env, el)) {
 +        if (!FIELD_EX64(env->vfp.smcr_el[1], SMCR, FA64)) {
 +            return false;
 +        }
 +    }
 +    if (el <= 2 && arm_is_el2_enabled(env)) {
 +        if (!FIELD_EX64(env->vfp.smcr_el[2], SMCR, FA64)) {
 +            return false;
 +        }
 +    }
 +    if (arm_feature(env, ARM_FEATURE_EL3)) {
 +        if (!FIELD_EX64(env->vfp.smcr_el[3], SMCR, FA64)) {
 +            return false;
 +        }
 +    }
 +
 +    return true;
 +}
 +
  /*
   * Given that SVE is enabled, return the vector length for EL.
   */
@@ -XXX,XX +XXX,XX @@ static CPUARMTBFlags rebuild_hflags_a32(CPUARMState *env, int fp_el,
          DP_TBFLAG_ANY(flags, PSTATE__IL, 1);
      }
 +    /*
 +     * The SME exception we are testing for is raised via
 +     * AArch64.CheckFPAdvSIMDEnabled(), as called from
 +     * AArch32.CheckAdvSIMDOrFPEnabled().
 +     */
 +    if (el == 0
 +        && FIELD_EX64(env->svcr, SVCR, SM)
 +        && (!arm_is_el2_enabled(env)
 +            || (arm_el_is_aa64(env, 2) && !(env->cp15.hcr_el2 & HCR_TGE)))
 +        && arm_el_is_aa64(env, 1)
 +        && !sme_fa64(env, el)) {
 +        DP_TBFLAG_A32(flags, SME_TRAP_NONSTREAMING, 1);
 +    }
 +
      return rebuild_hflags_common_32(env, fp_el, mmu_idx, flags);
  }
@@ -XXX,XX +XXX,XX @@ static CPUARMTBFlags rebuild_hflags_a64(CPUARMState *env, int el, int fp_el,
          }
          if (FIELD_EX64(env->svcr, SVCR, SM)) {
              DP_TBFLAG_A64(flags, PSTATE_SM, 1);
 +            DP_TBFLAG_A64(flags, SME_TRAP_NONSTREAMING, !sme_fa64(env, el));
          }
          DP_TBFLAG_A64(flags, PSTATE_ZA, FIELD_EX64(env->svcr, SVCR, ZA));
      }
 diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-a64.c
 +++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void do_vec_ld(DisasContext *s, int destidx, int element,
   * unallocated-encoding checks (otherwise the syndrome information
   * for the resulting exception will be incorrect).
   */
 -static bool fp_access_check(DisasContext *s)
 +static bool fp_access_check_only(DisasContext *s)
  {
      if (s->fp_excp_el) {
          assert(!s->fp_access_checked);
@@ -XXX,XX +XXX,XX @@ static bool fp_access_check(DisasContext *s)
      return true;
  }
 +static bool fp_access_check(DisasContext *s)
 +{
 +    if (!fp_access_check_only(s)) {
 +        return false;
 +    }
 +    if (s->sme_trap_nonstreaming && s->is_nonstreaming) {
 +        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
 +                           syn_smetrap(SME_ET_Streaming, false));
 +        return false;
 +    }
 +    return true;
 +}
 +
  /* Check that SVE access is enabled.  If it is, return true.
   * If not, emit code to generate an appropriate exception and return false.
   */
@@ -XXX,XX +XXX,XX @@ static void handle_sys(DisasContext *s, uint32_t insn, bool isread,
      default:
          g_assert_not_reached();
      }
 -    if ((ri->type & ARM_CP_FPU) && !fp_access_check(s)) {
 +    if ((ri->type & ARM_CP_FPU) && !fp_access_check_only(s)) {
          return;
      } else if ((ri->type & ARM_CP_SVE) && !sve_access_check(s)) {
          return;
@@ -XXX,XX +XXX,XX @@ static void disas_data_proc_simd_fp(DisasContext *s, uint32_t insn)
      }
  }
 +/*
 + * Include the generated SME FA64 decoder.
 + */
 +
 +#include "decode-sme-fa64.c.inc"
 +
 +static bool trans_OK(DisasContext *s, arg_OK *a)
 +{
 +    return true;
 +}
 +
 +static bool trans_FAIL(DisasContext *s, arg_OK *a)
 +{
 +    s->is_nonstreaming = true;
 +    return true;
 +}
 +
  /**
   * is_guarded_page:
   * @env: The cpu environment
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_init_disas_context(DisasContextBase *dcbase,
      dc->mte_active[1] = EX_TBFLAG_A64(tb_flags, MTE0_ACTIVE);
      dc->pstate_sm = EX_TBFLAG_A64(tb_flags, PSTATE_SM);
      dc->pstate_za = EX_TBFLAG_A64(tb_flags, PSTATE_ZA);
 +    dc->sme_trap_nonstreaming = EX_TBFLAG_A64(tb_flags, SME_TRAP_NONSTREAMING);
      dc->vec_len = 0;
      dc->vec_stride = 0;
      dc->cp_regs = arm_cpu->cp_regs;
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
          }
      }
 +    s->is_nonstreaming = false;
 +    if (s->sme_trap_nonstreaming) {
 +        disas_sme_fa64(s, insn);
 +    }
 +
      switch (extract32(insn, 25, 4)) {
      case 0x0:
          if (!extract32(insn, 31, 1) || !disas_sme(s, insn)) {
 diff --git a/target/arm/translate-vfp.c b/target/arm/translate-vfp.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-vfp.c
 +++ b/target/arm/translate-vfp.c
@@ -XXX,XX +XXX,XX @@ static bool vfp_access_check_a(DisasContext *s, bool ignore_vfp_enabled)
          return false;
      }
 +    /*
 +     * Note that rebuild_hflags_a32 has already accounted for being in EL0
 +     * and the higher EL in A64 mode, etc.  Unlike A64 mode, there do not
 +     * appear to be any insns which touch VFP which are allowed.
 +     */
 +    if (s->sme_trap_nonstreaming) {
 +        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
 +                           syn_smetrap(SME_ET_Streaming,
 +                                       s->base.pc_next - s->pc_curr == 2));
 +        return false;
 +    }
 +
      if (!s->vfp_enabled && !ignore_vfp_enabled) {
          assert(!arm_dc_feature(s, ARM_FEATURE_M));
          unallocated_encoding(s);
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.c
 +++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
+@@ -XXX,XX +XXX,XX @@ static void arm_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
-         /* Coprocessor.  */
+             dc->vec_len = EX_TBFLAG_A32(tb_flags, VECLEN);
-         if (arm_dc_feature(s, ARM_FEATURE_M)) {
+             dc->vec_stride = EX_TBFLAG_A32(tb_flags, VECSTRIDE);
-             /* We don't currently implement M profile FP support,
+         }
--             * so this entire space should give a NOCP fault.
++        dc->sme_trap_nonstreaming =
-+             * so this entire space should give a NOCP fault, with
++            EX_TBFLAG_A32(tb_flags, SME_TRAP_NONSTREAMING);
-+             * the exception of the v8M VLLDM and VLSTM insns, which
+     }
-+             * must be NOPs in Secure state and UNDEF in Nonsecure state.
+     dc->cp_regs = cpu->cp_regs;
-              */
+     dc->features = env->features;
-+            if (arm_dc_feature(s, ARM_FEATURE_V8) &&
+diff --git a/target/arm/meson.build b/target/arm/meson.build
-+                (insn & 0xffa00f00) == 0xec200a00) {
+index XXXXXXX..XXXXXXX 100644
-+                /* 0b1110_1100_0x1x_xxxx_xxxx_1010_xxxx_xxxx
+--- a/target/arm/meson.build
-+                 *  - VLLDM, VLSTM
++++ b/target/arm/meson.build
-+                 * We choose to UNDEF if the RAZ bits are non-zero.
+@@ -XXX,XX +XXX,XX @@
-+                 */
+ gen = [
-+                if (!s->v8m_secure || (insn & 0x0040f0ff)) {
+   decodetree.process('sve.decode', extra_args: '--decode=disas_sve'),
-+                    goto illegal_op;
+   decodetree.process('sme.decode', extra_args: '--decode=disas_sme'),
-+                }
++  decodetree.process('sme-fa64.decode', extra_args: '--static-decode=disas_sme_fa64'),
-+                /* Just NOP since FP support is not implemented */
+   decodetree.process('neon-shared.decode', extra_args: '--decode=disas_neon_shared'),
-+                break;
+   decodetree.process('neon-dp.decode', extra_args: '--decode=disas_neon_dp'),
-+            }
+   decodetree.process('neon-ls.decode', extra_args: '--decode=disas_neon_ls'),
 +            /* All other insns: NOCP */
              gen_exception_insn(s, 4, EXCP_NOCP, syn_uncategorized(),
                                 default_exception_el(s));
              break;
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 21/24] target/arm/kvm: Translate the MSI doorbell in kvm_arch_fixup_msi_route
+[PULL 04/45] target/arm: Mark ADR as non-streaming
-From: Eric Auger <eric.auger@redhat.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-In case the MSI is translated by an IOMMU we need to fixup the
+Mark ADR as a non-streaming instruction, which should trap
-MSI route with the translated address.
+if full a64 support is not enabled in streaming mode.
-Signed-off-by: Eric Auger <eric.auger@redhat.com>
+Removing entries from sme-fa64.decode is an easy way to see
-Signed-off-by: Bharat Bhushan <Bharat.Bhushan@nxp.com>
+what remains to be done.
-Message-id: 1524665762-31355-12-git-send-email-eric.auger@redhat.com
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220708151540.18136-5-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/kvm.c        | 38 +++++++++++++++++++++++++++++++++++++-
+ target/arm/translate.h     | 7 +++++++
- target/arm/trace-events |  3 +++
+ target/arm/sme-fa64.decode | 1 -
-files changed, 40 insertions(+), 1 deletion(-)
+ target/arm/translate-sve.c | 8 ++++----
 files changed, 11 insertions(+), 5 deletions(-)
-diff --git a/target/arm/kvm.c b/target/arm/kvm.c
+diff --git a/target/arm/translate.h b/target/arm/translate.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/kvm.c
+--- a/target/arm/translate.h
-+++ b/target/arm/kvm.c
++++ b/target/arm/translate.h
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ uint64_t asimd_imm_const(uint32_t imm, int cmode, int op);
- #include "sysemu/kvm.h"
+     static bool trans_##NAME(DisasContext *s, arg_##NAME *a) \
- #include "kvm_arm.h"
+     { return dc_isar_feature(FEAT, s) && FUNC(s, __VA_ARGS__); }
- #include "cpu.h"
-+#include "trace.h"
++#define TRANS_FEAT_NONSTREAMING(NAME, FEAT, FUNC, ...)            \
- #include "internals.h"
++    static bool trans_##NAME(DisasContext *s, arg_##NAME *a)      \
- #include "hw/arm/arm.h"
++    {                                                             \
-+#include "hw/pci/pci.h"
++        s->is_nonstreaming = true;                                \
- #include "exec/memattrs.h"
++        return dc_isar_feature(FEAT, s) && FUNC(s, __VA_ARGS__);  \
  #include "exec/address-spaces.h"
  #include "hw/boards.h"
@@ -XXX,XX +XXX,XX @@ int kvm_arm_vgic_probe(void)
  int kvm_arch_fixup_msi_route(struct kvm_irq_routing_entry *route,
                               uint64_t address, uint32_t data, PCIDevice *dev)
  {
 -    return 0;
 +    AddressSpace *as = pci_device_iommu_address_space(dev);
 +    hwaddr xlat, len, doorbell_gpa;
 +    MemoryRegionSection mrs;
 +    MemoryRegion *mr;
 +    int ret = 1;
 +
 +    if (as == &address_space_memory) {
 +        return 0;
 +    }
 +
-+    /* MSI doorbell address is translated by an IOMMU */
+ #endif /* TARGET_ARM_TRANSLATE_H */
-+
+diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
-+    rcu_read_lock();
+index XXXXXXX..XXXXXXX 100644
-+    mr = address_space_translate(as, address, &xlat, &len, true);
+--- a/target/arm/sme-fa64.decode
-+    if (!mr) {
++++ b/target/arm/sme-fa64.decode
-+        goto unlock;
+@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
-+    }
+ #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
-+    mrs = memory_region_find(mr, xlat, 1);
+ #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
-+    if (!mrs.mr) {
-+        goto unlock;
+-FAIL    0000 0100 --1- ---- 1010 ---- ---- ----   # ADR
-+    }
+ FAIL    0000 0100 --1- ---- 1011 -0-- ---- ----   # FTSSEL, FEXPA
-+
+ FAIL    0000 0101 --10 0001 100- ---- ---- ----   # COMPACT
-+    doorbell_gpa = mrs.offset_within_address_space;
+ FAIL    0010 0101 --01 100- 1111 000- ---0 ----   # RDFFR, RDFFRS
-+    memory_region_unref(mrs.mr);
+diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
-+
+index XXXXXXX..XXXXXXX 100644
-+    route->u.msi.address_lo = doorbell_gpa;
+--- a/target/arm/translate-sve.c
-+    route->u.msi.address_hi = doorbell_gpa >> 32;
++++ b/target/arm/translate-sve.c
-+
+@@ -XXX,XX +XXX,XX @@ static bool do_adr(DisasContext *s, arg_rrri *a, gen_helper_gvec_3 *fn)
-+    trace_kvm_arm_fixup_msi_route(address, doorbell_gpa);
+     return gen_gvec_ool_zzz(s, fn, a->rd, a->rn, a->rm, a->imm);
 +
 +    ret = 0;
 +
 +unlock:
 +    rcu_read_unlock();
 +    return ret;
  }
- int kvm_arch_add_msi_route_post(struct kvm_irq_routing_entry *route,
+-TRANS_FEAT(ADR_p32, aa64_sve, do_adr, a, gen_helper_sve_adr_p32)
-diff --git a/target/arm/trace-events b/target/arm/trace-events
+-TRANS_FEAT(ADR_p64, aa64_sve, do_adr, a, gen_helper_sve_adr_p64)
-index XXXXXXX..XXXXXXX 100644
+-TRANS_FEAT(ADR_s32, aa64_sve, do_adr, a, gen_helper_sve_adr_s32)
---- a/target/arm/trace-events
+-TRANS_FEAT(ADR_u32, aa64_sve, do_adr, a, gen_helper_sve_adr_u32)
-+++ b/target/arm/trace-events
++TRANS_FEAT_NONSTREAMING(ADR_p32, aa64_sve, do_adr, a, gen_helper_sve_adr_p32)
-@@ -XXX,XX +XXX,XX @@ arm_gt_tval_write(int timer, uint64_t value) "gt_tval_write: timer %d value 0x%"
++TRANS_FEAT_NONSTREAMING(ADR_p64, aa64_sve, do_adr, a, gen_helper_sve_adr_p64)
- arm_gt_ctl_write(int timer, uint64_t value) "gt_ctl_write: timer %d value 0x%" PRIx64
++TRANS_FEAT_NONSTREAMING(ADR_s32, aa64_sve, do_adr, a, gen_helper_sve_adr_s32)
- arm_gt_imask_toggle(int timer, int irqstate) "gt_ctl_write: timer %d IMASK toggle, new irqstate %d"
++TRANS_FEAT_NONSTREAMING(ADR_u32, aa64_sve, do_adr, a, gen_helper_sve_adr_u32)
- arm_gt_cntvoff_write(uint64_t value) "gt_cntvoff_write: value 0x%" PRIx64
-+
+ /*
-+# target/arm/kvm.c
+  *** SVE Integer Misc - Unpredicated Group
 +kvm_arm_fixup_msi_route(uint64_t iova, uint64_t gpa) "MSI iova = 0x%"PRIx64" is translated into 0x%"PRIx64
 --
-.17.0
+.25.1

-New patch
+[PULL 05/45] target/arm: Mark RDFFR, WRFFR, SETFFR as non-streaming
+From: Richard Henderson <richard.henderson@linaro.org>
+Mark these as a non-streaming instructions, which should trap
+if full a64 support is not enabled in streaming mode.
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220708151540.18136-6-richard.henderson@linaro.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/sme-fa64.decode | 2 --
+ target/arm/translate-sve.c | 9 ++++++---
+files changed, 6 insertions(+), 5 deletions(-)
+diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/sme-fa64.decode
++++ b/target/arm/sme-fa64.decode
+@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
+ FAIL    0000 0100 --1- ---- 1011 -0-- ---- ----   # FTSSEL, FEXPA
+ FAIL    0000 0101 --10 0001 100- ---- ---- ----   # COMPACT
+-FAIL    0010 0101 --01 100- 1111 000- ---0 ----   # RDFFR, RDFFRS
+-FAIL    0010 0101 --10 1--- 1001 ---- ---- ----   # WRFFR, SETFFR
+ FAIL    0100 0101 --0- ---- 1011 ---- ---- ----   # BDEP, BEXT, BGRP
+ FAIL    0100 0101 000- ---- 0110 1--- ---- ----   # PMULLB, PMULLT (128b result)
+ FAIL    0110 0100 --1- ---- 1110 01-- ---- ----   # FMMLA, BFMMLA
+diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/translate-sve.c
++++ b/target/arm/translate-sve.c
+@@ -XXX,XX +XXX,XX @@ static bool do_predset(DisasContext *s, int esz, int rd, int pat, bool setflag)
+ TRANS_FEAT(PTRUE, aa64_sve, do_predset, a->esz, a->rd, a->pat, a->s)
+ /* Note pat == 31 is #all, to set all elements.  */
+-TRANS_FEAT(SETFFR, aa64_sve, do_predset, 0, FFR_PRED_NUM, 31, false)
++TRANS_FEAT_NONSTREAMING(SETFFR, aa64_sve,
++                        do_predset, 0, FFR_PRED_NUM, 31, false)
+ /* Note pat == 32 is #unimp, to set no elements.  */
+ TRANS_FEAT(PFALSE, aa64_sve, do_predset, 0, a->rd, 32, false)
+@@ -XXX,XX +XXX,XX @@ static bool trans_RDFFR_p(DisasContext *s, arg_RDFFR_p *a)
+         .rd = a->rd, .pg = a->pg, .s = a->s,
+         .rn = FFR_PRED_NUM, .rm = FFR_PRED_NUM,
+     };
++
++    s->is_nonstreaming = true;
+     return trans_AND_pppp(s, &alt_a);
+ }
+-TRANS_FEAT(RDFFR, aa64_sve, do_mov_p, a->rd, FFR_PRED_NUM)
+-TRANS_FEAT(WRFFR, aa64_sve, do_mov_p, FFR_PRED_NUM, a->rn)
++TRANS_FEAT_NONSTREAMING(RDFFR, aa64_sve, do_mov_p, a->rd, FFR_PRED_NUM)
++TRANS_FEAT_NONSTREAMING(WRFFR, aa64_sve, do_mov_p, FFR_PRED_NUM, a->rn)
+ static bool do_pfirst_pnext(DisasContext *s, arg_rr_esz *a,
+                             void (*gen_fn)(TCGv_i32, TCGv_ptr,
+--
+.25.1

-New patch
+[PULL 06/45] target/arm: Mark BDEP, BEXT, BGRP, COMPACT, FEXPA, FTSSEL as non-streaming
+From: Richard Henderson <richard.henderson@linaro.org>
+Mark these as a non-streaming instructions, which should trap
+if full a64 support is not enabled in streaming mode.
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220708151540.18136-7-richard.henderson@linaro.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/sme-fa64.decode |  3 ---
+ target/arm/translate-sve.c | 22 ++++++++++++----------
+files changed, 12 insertions(+), 13 deletions(-)
+diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/sme-fa64.decode
++++ b/target/arm/sme-fa64.decode
+@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
+ #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
+ #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
+-FAIL    0000 0100 --1- ---- 1011 -0-- ---- ----   # FTSSEL, FEXPA
+-FAIL    0000 0101 --10 0001 100- ---- ---- ----   # COMPACT
+-FAIL    0100 0101 --0- ---- 1011 ---- ---- ----   # BDEP, BEXT, BGRP
+ FAIL    0100 0101 000- ---- 0110 1--- ---- ----   # PMULLB, PMULLT (128b result)
+ FAIL    0110 0100 --1- ---- 1110 01-- ---- ----   # FMMLA, BFMMLA
+ FAIL    0110 0101 --0- ---- 0000 11-- ---- ----   # FTSMUL
+diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/translate-sve.c
++++ b/target/arm/translate-sve.c
+@@ -XXX,XX +XXX,XX @@ static gen_helper_gvec_2 * const fexpa_fns[4] = {
+     NULL,                   gen_helper_sve_fexpa_h,
+     gen_helper_sve_fexpa_s, gen_helper_sve_fexpa_d,
+ };
+-TRANS_FEAT(FEXPA, aa64_sve, gen_gvec_ool_zz,
+-           fexpa_fns[a->esz], a->rd, a->rn, 0)
++TRANS_FEAT_NONSTREAMING(FEXPA, aa64_sve, gen_gvec_ool_zz,
++                        fexpa_fns[a->esz], a->rd, a->rn, 0)
+ static gen_helper_gvec_3 * const ftssel_fns[4] = {
+     NULL,                    gen_helper_sve_ftssel_h,
+     gen_helper_sve_ftssel_s, gen_helper_sve_ftssel_d,
+ };
+-TRANS_FEAT(FTSSEL, aa64_sve, gen_gvec_ool_arg_zzz, ftssel_fns[a->esz], a, 0)
++TRANS_FEAT_NONSTREAMING(FTSSEL, aa64_sve, gen_gvec_ool_arg_zzz,
++                        ftssel_fns[a->esz], a, 0)
+ /*
+  *** SVE Predicate Logical Operations Group
+@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(TRN2_q, aa64_sve_f64mm, gen_gvec_ool_arg_zzz,
+ static gen_helper_gvec_3 * const compact_fns[4] = {
+     NULL, NULL, gen_helper_sve_compact_s, gen_helper_sve_compact_d
+ };
+-TRANS_FEAT(COMPACT, aa64_sve, gen_gvec_ool_arg_zpz, compact_fns[a->esz], a, 0)
++TRANS_FEAT_NONSTREAMING(COMPACT, aa64_sve, gen_gvec_ool_arg_zpz,
++                        compact_fns[a->esz], a, 0)
+ /* Call the helper that computes the ARM LastActiveElement pseudocode
+  * function, scaled by the element size.  This includes the not found
+@@ -XXX,XX +XXX,XX @@ static gen_helper_gvec_3 * const bext_fns[4] = {
+     gen_helper_sve2_bext_b, gen_helper_sve2_bext_h,
+     gen_helper_sve2_bext_s, gen_helper_sve2_bext_d,
+ };
+-TRANS_FEAT(BEXT, aa64_sve2_bitperm, gen_gvec_ool_arg_zzz,
+-           bext_fns[a->esz], a, 0)
++TRANS_FEAT_NONSTREAMING(BEXT, aa64_sve2_bitperm, gen_gvec_ool_arg_zzz,
++                        bext_fns[a->esz], a, 0)
+ static gen_helper_gvec_3 * const bdep_fns[4] = {
+     gen_helper_sve2_bdep_b, gen_helper_sve2_bdep_h,
+     gen_helper_sve2_bdep_s, gen_helper_sve2_bdep_d,
+ };
+-TRANS_FEAT(BDEP, aa64_sve2_bitperm, gen_gvec_ool_arg_zzz,
+-           bdep_fns[a->esz], a, 0)
++TRANS_FEAT_NONSTREAMING(BDEP, aa64_sve2_bitperm, gen_gvec_ool_arg_zzz,
++                        bdep_fns[a->esz], a, 0)
+ static gen_helper_gvec_3 * const bgrp_fns[4] = {
+     gen_helper_sve2_bgrp_b, gen_helper_sve2_bgrp_h,
+     gen_helper_sve2_bgrp_s, gen_helper_sve2_bgrp_d,
+ };
+-TRANS_FEAT(BGRP, aa64_sve2_bitperm, gen_gvec_ool_arg_zzz,
+-           bgrp_fns[a->esz], a, 0)
++TRANS_FEAT_NONSTREAMING(BGRP, aa64_sve2_bitperm, gen_gvec_ool_arg_zzz,
++                        bgrp_fns[a->esz], a, 0)
+ static gen_helper_gvec_3 * const cadd_fns[4] = {
+     gen_helper_sve2_cadd_b, gen_helper_sve2_cadd_h,
+--
+.25.1

-New patch
+[PULL 07/45] target/arm: Mark PMULL, FMMLA as non-streaming
+From: Richard Henderson <richard.henderson@linaro.org>
+Mark these as a non-streaming instructions, which should trap
+if full a64 support is not enabled in streaming mode.
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220708151540.18136-8-richard.henderson@linaro.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/sme-fa64.decode |  2 --
+ target/arm/translate-sve.c | 24 +++++++++++++++---------
+files changed, 15 insertions(+), 11 deletions(-)
+diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/sme-fa64.decode
++++ b/target/arm/sme-fa64.decode
+@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
+ #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
+ #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
+-FAIL    0100 0101 000- ---- 0110 1--- ---- ----   # PMULLB, PMULLT (128b result)
+-FAIL    0110 0100 --1- ---- 1110 01-- ---- ----   # FMMLA, BFMMLA
+ FAIL    0110 0101 --0- ---- 0000 11-- ---- ----   # FTSMUL
+ FAIL    0110 0101 --01 0--- 100- ---- ---- ----   # FTMAD
+ FAIL    0110 0101 --01 1--- 001- ---- ---- ----   # FADDA
+diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/translate-sve.c
++++ b/target/arm/translate-sve.c
+@@ -XXX,XX +XXX,XX @@ static bool do_trans_pmull(DisasContext *s, arg_rrr_esz *a, bool sel)
+         gen_helper_gvec_pmull_q, gen_helper_sve2_pmull_h,
+         NULL,                    gen_helper_sve2_pmull_d,
+     };
+-    if (a->esz == 0
+-        ? !dc_isar_feature(aa64_sve2_pmull128, s)
+-        : !dc_isar_feature(aa64_sve, s)) {
++
++    if (a->esz == 0) {
++        if (!dc_isar_feature(aa64_sve2_pmull128, s)) {
++            return false;
++        }
++        s->is_nonstreaming = true;
++    } else if (!dc_isar_feature(aa64_sve, s)) {
+         return false;
+     }
+     return gen_gvec_ool_arg_zzz(s, fns[a->esz], a, sel);
+@@ -XXX,XX +XXX,XX @@ DO_ZPZZ_FP(FMINP, aa64_sve2, sve2_fminp_zpzz)
+  * SVE Integer Multiply-Add (unpredicated)
+  */
+-TRANS_FEAT(FMMLA_s, aa64_sve_f32mm, gen_gvec_fpst_zzzz, gen_helper_fmmla_s,
+-           a->rd, a->rn, a->rm, a->ra, 0, FPST_FPCR)
+-TRANS_FEAT(FMMLA_d, aa64_sve_f64mm, gen_gvec_fpst_zzzz, gen_helper_fmmla_d,
+-           a->rd, a->rn, a->rm, a->ra, 0, FPST_FPCR)
++TRANS_FEAT_NONSTREAMING(FMMLA_s, aa64_sve_f32mm, gen_gvec_fpst_zzzz,
++                        gen_helper_fmmla_s, a->rd, a->rn, a->rm, a->ra,
++                        0, FPST_FPCR)
++TRANS_FEAT_NONSTREAMING(FMMLA_d, aa64_sve_f64mm, gen_gvec_fpst_zzzz,
++                        gen_helper_fmmla_d, a->rd, a->rn, a->rm, a->ra,
++                        0, FPST_FPCR)
+ static gen_helper_gvec_4 * const sqdmlal_zzzw_fns[] = {
+     NULL,                           gen_helper_sve2_sqdmlal_zzzw_h,
+@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(BFDOT_zzzz, aa64_sve_bf16, gen_gvec_ool_arg_zzzz,
+ TRANS_FEAT(BFDOT_zzxz, aa64_sve_bf16, gen_gvec_ool_arg_zzxz,
+            gen_helper_gvec_bfdot_idx, a)
+-TRANS_FEAT(BFMMLA, aa64_sve_bf16, gen_gvec_ool_arg_zzzz,
+-           gen_helper_gvec_bfmmla, a, 0)
++TRANS_FEAT_NONSTREAMING(BFMMLA, aa64_sve_bf16, gen_gvec_ool_arg_zzzz,
++                        gen_helper_gvec_bfmmla, a, 0)
+ static bool do_BFMLAL_zzzw(DisasContext *s, arg_rrrr_esz *a, bool sel)
+ {
+--
+.25.1

-New patch
+[PULL 08/45] target/arm: Mark FTSMUL, FTMAD, FADDA as non-streaming
+From: Richard Henderson <richard.henderson@linaro.org>
+Mark these as a non-streaming instructions, which should trap
+if full a64 support is not enabled in streaming mode.
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220708151540.18136-9-richard.henderson@linaro.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/sme-fa64.decode |  3 ---
+ target/arm/translate-sve.c | 15 +++++++++++----
+files changed, 11 insertions(+), 7 deletions(-)
+diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/sme-fa64.decode
++++ b/target/arm/sme-fa64.decode
+@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
+ #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
+ #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
+-FAIL    0110 0101 --0- ---- 0000 11-- ---- ----   # FTSMUL
+-FAIL    0110 0101 --01 0--- 100- ---- ---- ----   # FTMAD
+-FAIL    0110 0101 --01 1--- 001- ---- ---- ----   # FADDA
+ FAIL    0100 0101 --0- ---- 1001 10-- ---- ----   # SMMLA, UMMLA, USMMLA
+ FAIL    0100 0101 --1- ---- 1--- ---- ---- ----   # SVE2 string/histo/crypto instructions
+ FAIL    1000 010- -00- ---- 10-- ---- ---- ----   # SVE2 32-bit gather NT load (vector+scalar)
+diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/translate-sve.c
++++ b/target/arm/translate-sve.c
+@@ -XXX,XX +XXX,XX @@ static gen_helper_gvec_3_ptr * const ftmad_fns[4] = {
+     NULL,                   gen_helper_sve_ftmad_h,
+     gen_helper_sve_ftmad_s, gen_helper_sve_ftmad_d,
+ };
+-TRANS_FEAT(FTMAD, aa64_sve, gen_gvec_fpst_zzz,
+-           ftmad_fns[a->esz], a->rd, a->rn, a->rm, a->imm,
+-           a->esz == MO_16 ? FPST_FPCR_F16 : FPST_FPCR)
++TRANS_FEAT_NONSTREAMING(FTMAD, aa64_sve, gen_gvec_fpst_zzz,
++                        ftmad_fns[a->esz], a->rd, a->rn, a->rm, a->imm,
++                        a->esz == MO_16 ? FPST_FPCR_F16 : FPST_FPCR)
+ /*
+  *** SVE Floating Point Accumulating Reduction Group
+@@ -XXX,XX +XXX,XX @@ static bool trans_FADDA(DisasContext *s, arg_rprr_esz *a)
+     if (a->esz == 0 || !dc_isar_feature(aa64_sve, s)) {
+         return false;
+     }
++    s->is_nonstreaming = true;
+     if (!sve_access_check(s)) {
+         return true;
+     }
+@@ -XXX,XX +XXX,XX @@ static bool trans_FADDA(DisasContext *s, arg_rprr_esz *a)
+ DO_FP3(FADD_zzz, fadd)
+ DO_FP3(FSUB_zzz, fsub)
+ DO_FP3(FMUL_zzz, fmul)
+-DO_FP3(FTSMUL, ftsmul)
+ DO_FP3(FRECPS, recps)
+ DO_FP3(FRSQRTS, rsqrts)
+ #undef DO_FP3
++static gen_helper_gvec_3_ptr * const ftsmul_fns[4] = {
++    NULL,                     gen_helper_gvec_ftsmul_h,
++    gen_helper_gvec_ftsmul_s, gen_helper_gvec_ftsmul_d
++};
++TRANS_FEAT_NONSTREAMING(FTSMUL, aa64_sve, gen_gvec_fpst_arg_zzz,
++                        ftsmul_fns[a->esz], a, 0)
++
+ /*
+  *** SVE Floating Point Arithmetic - Predicated Group
+  */
+--
+.25.1

-New patch
+[PULL 09/45] target/arm: Mark SMMLA, UMMLA, USMMLA as non-streaming
+From: Richard Henderson <richard.henderson@linaro.org>
+Mark these as a non-streaming instructions, which should trap
+if full a64 support is not enabled in streaming mode.
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220708151540.18136-10-richard.henderson@linaro.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/sme-fa64.decode |  1 -
+ target/arm/translate-sve.c | 12 ++++++------
+files changed, 6 insertions(+), 7 deletions(-)
+diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/sme-fa64.decode
++++ b/target/arm/sme-fa64.decode
+@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
+ #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
+ #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
+-FAIL    0100 0101 --0- ---- 1001 10-- ---- ----   # SMMLA, UMMLA, USMMLA
+ FAIL    0100 0101 --1- ---- 1--- ---- ---- ----   # SVE2 string/histo/crypto instructions
+ FAIL    1000 010- -00- ---- 10-- ---- ---- ----   # SVE2 32-bit gather NT load (vector+scalar)
+ FAIL    1000 010- -00- ---- 111- ---- ---- ----   # SVE 32-bit gather prefetch (vector+imm)
+diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/translate-sve.c
++++ b/target/arm/translate-sve.c
+@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(FMLALT_zzxw, aa64_sve2, do_FMLAL_zzxw, a, false, true)
+ TRANS_FEAT(FMLSLB_zzxw, aa64_sve2, do_FMLAL_zzxw, a, true, false)
+ TRANS_FEAT(FMLSLT_zzxw, aa64_sve2, do_FMLAL_zzxw, a, true, true)
+-TRANS_FEAT(SMMLA, aa64_sve_i8mm, gen_gvec_ool_arg_zzzz,
+-           gen_helper_gvec_smmla_b, a, 0)
+-TRANS_FEAT(USMMLA, aa64_sve_i8mm, gen_gvec_ool_arg_zzzz,
+-           gen_helper_gvec_usmmla_b, a, 0)
+-TRANS_FEAT(UMMLA, aa64_sve_i8mm, gen_gvec_ool_arg_zzzz,
+-           gen_helper_gvec_ummla_b, a, 0)
++TRANS_FEAT_NONSTREAMING(SMMLA, aa64_sve_i8mm, gen_gvec_ool_arg_zzzz,
++                        gen_helper_gvec_smmla_b, a, 0)
++TRANS_FEAT_NONSTREAMING(USMMLA, aa64_sve_i8mm, gen_gvec_ool_arg_zzzz,
++                        gen_helper_gvec_usmmla_b, a, 0)
++TRANS_FEAT_NONSTREAMING(UMMLA, aa64_sve_i8mm, gen_gvec_ool_arg_zzzz,
++                        gen_helper_gvec_ummla_b, a, 0)
+ TRANS_FEAT(BFDOT_zzzz, aa64_sve_bf16, gen_gvec_ool_arg_zzzz,
+            gen_helper_gvec_bfdot, a, 0)
+--
+.25.1

-New patch
+[PULL 10/45] target/arm: Mark string/histo/crypto as non-streaming
+From: Richard Henderson <richard.henderson@linaro.org>
+Mark these as non-streaming instructions, which should trap
+if full a64 support is not enabled in streaming mode.
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220708151540.18136-11-richard.henderson@linaro.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/sme-fa64.decode |  1 -
+ target/arm/translate-sve.c | 35 ++++++++++++++++++-----------------
+files changed, 18 insertions(+), 18 deletions(-)
+diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/sme-fa64.decode
++++ b/target/arm/sme-fa64.decode
+@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
+ #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
+ #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
+-FAIL    0100 0101 --1- ---- 1--- ---- ---- ----   # SVE2 string/histo/crypto instructions
+ FAIL    1000 010- -00- ---- 10-- ---- ---- ----   # SVE2 32-bit gather NT load (vector+scalar)
+ FAIL    1000 010- -00- ---- 111- ---- ---- ----   # SVE 32-bit gather prefetch (vector+imm)
+ FAIL    1000 0100 0-1- ---- 0--- ---- ---- ----   # SVE 32-bit gather prefetch (scalar+vector)
+diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/translate-sve.c
++++ b/target/arm/translate-sve.c
+@@ -XXX,XX +XXX,XX @@ DO_SVE2_ZZZ_NARROW(RSUBHNT, rsubhnt)
+ static gen_helper_gvec_flags_4 * const match_fns[4] = {
+     gen_helper_sve2_match_ppzz_b, gen_helper_sve2_match_ppzz_h, NULL, NULL
+ };
+-TRANS_FEAT(MATCH, aa64_sve2, do_ppzz_flags, a, match_fns[a->esz])
++TRANS_FEAT_NONSTREAMING(MATCH, aa64_sve2, do_ppzz_flags, a, match_fns[a->esz])
+ static gen_helper_gvec_flags_4 * const nmatch_fns[4] = {
+     gen_helper_sve2_nmatch_ppzz_b, gen_helper_sve2_nmatch_ppzz_h, NULL, NULL
+ };
+-TRANS_FEAT(NMATCH, aa64_sve2, do_ppzz_flags, a, nmatch_fns[a->esz])
++TRANS_FEAT_NONSTREAMING(NMATCH, aa64_sve2, do_ppzz_flags, a, nmatch_fns[a->esz])
+ static gen_helper_gvec_4 * const histcnt_fns[4] = {
+     NULL, NULL, gen_helper_sve2_histcnt_s, gen_helper_sve2_histcnt_d
+ };
+-TRANS_FEAT(HISTCNT, aa64_sve2, gen_gvec_ool_arg_zpzz,
+-           histcnt_fns[a->esz], a, 0)
++TRANS_FEAT_NONSTREAMING(HISTCNT, aa64_sve2, gen_gvec_ool_arg_zpzz,
++                        histcnt_fns[a->esz], a, 0)
+-TRANS_FEAT(HISTSEG, aa64_sve2, gen_gvec_ool_arg_zzz,
+-           a->esz == 0 ? gen_helper_sve2_histseg : NULL, a, 0)
++TRANS_FEAT_NONSTREAMING(HISTSEG, aa64_sve2, gen_gvec_ool_arg_zzz,
++                        a->esz == 0 ? gen_helper_sve2_histseg : NULL, a, 0)
+ DO_ZPZZ_FP(FADDP, aa64_sve2, sve2_faddp_zpzz)
+ DO_ZPZZ_FP(FMAXNMP, aa64_sve2, sve2_fmaxnmp_zpzz)
+@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(SQRDCMLAH_zzzz, aa64_sve2, gen_gvec_ool_zzzz,
+ TRANS_FEAT(USDOT_zzzz, aa64_sve_i8mm, gen_gvec_ool_arg_zzzz,
+            a->esz == 2 ? gen_helper_gvec_usdot_b : NULL, a, 0)
+-TRANS_FEAT(AESMC, aa64_sve2_aes, gen_gvec_ool_zz,
+-           gen_helper_crypto_aesmc, a->rd, a->rd, a->decrypt)
++TRANS_FEAT_NONSTREAMING(AESMC, aa64_sve2_aes, gen_gvec_ool_zz,
++                        gen_helper_crypto_aesmc, a->rd, a->rd, a->decrypt)
+-TRANS_FEAT(AESE, aa64_sve2_aes, gen_gvec_ool_arg_zzz,
+-           gen_helper_crypto_aese, a, false)
+-TRANS_FEAT(AESD, aa64_sve2_aes, gen_gvec_ool_arg_zzz,
+-           gen_helper_crypto_aese, a, true)
++TRANS_FEAT_NONSTREAMING(AESE, aa64_sve2_aes, gen_gvec_ool_arg_zzz,
++                        gen_helper_crypto_aese, a, false)
++TRANS_FEAT_NONSTREAMING(AESD, aa64_sve2_aes, gen_gvec_ool_arg_zzz,
++                        gen_helper_crypto_aese, a, true)
+-TRANS_FEAT(SM4E, aa64_sve2_sm4, gen_gvec_ool_arg_zzz,
+-           gen_helper_crypto_sm4e, a, 0)
+-TRANS_FEAT(SM4EKEY, aa64_sve2_sm4, gen_gvec_ool_arg_zzz,
+-           gen_helper_crypto_sm4ekey, a, 0)
++TRANS_FEAT_NONSTREAMING(SM4E, aa64_sve2_sm4, gen_gvec_ool_arg_zzz,
++                        gen_helper_crypto_sm4e, a, 0)
++TRANS_FEAT_NONSTREAMING(SM4EKEY, aa64_sve2_sm4, gen_gvec_ool_arg_zzz,
++                        gen_helper_crypto_sm4ekey, a, 0)
+-TRANS_FEAT(RAX1, aa64_sve2_sha3, gen_gvec_fn_arg_zzz, gen_gvec_rax1, a)
++TRANS_FEAT_NONSTREAMING(RAX1, aa64_sve2_sha3, gen_gvec_fn_arg_zzz,
++                        gen_gvec_rax1, a)
+ TRANS_FEAT(FCVTNT_sh, aa64_sve2, gen_gvec_fpst_arg_zpz,
+            gen_helper_sve2_fcvtnt_sh, a, 0, FPST_FPCR)
+--
+.25.1

-New patch
+[PULL 11/45] target/arm: Mark gather/scatter load/store as non-streaming
+From: Richard Henderson <richard.henderson@linaro.org>
+Mark these as a non-streaming instructions, which should trap
+if full a64 support is not enabled in streaming mode.
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220708151540.18136-12-richard.henderson@linaro.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/sme-fa64.decode | 9 ---------
+ target/arm/translate-sve.c | 6 ++++++
+files changed, 6 insertions(+), 9 deletions(-)
+diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/sme-fa64.decode
++++ b/target/arm/sme-fa64.decode
+@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
+ #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
+ #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
+-FAIL    1000 010- -00- ---- 10-- ---- ---- ----   # SVE2 32-bit gather NT load (vector+scalar)
+ FAIL    1000 010- -00- ---- 111- ---- ---- ----   # SVE 32-bit gather prefetch (vector+imm)
+ FAIL    1000 0100 0-1- ---- 0--- ---- ---- ----   # SVE 32-bit gather prefetch (scalar+vector)
+-FAIL    1000 010- -01- ---- 1--- ---- ---- ----   # SVE 32-bit gather load (vector+imm)
+-FAIL    1000 0100 0-0- ---- 0--- ---- ---- ----   # SVE 32-bit gather load byte (scalar+vector)
+-FAIL    1000 0100 1--- ---- 0--- ---- ---- ----   # SVE 32-bit gather load half (scalar+vector)
+-FAIL    1000 0101 0--- ---- 0--- ---- ---- ----   # SVE 32-bit gather load word (scalar+vector)
+ FAIL    1010 010- ---- ---- 011- ---- ---- ----   # SVE contiguous FF load (scalar+scalar)
+ FAIL    1010 010- ---1 ---- 101- ---- ---- ----   # SVE contiguous NF load (scalar+imm)
+ FAIL    1010 010- -01- ---- 000- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+scalar)
+ FAIL    1010 010- -010 ---- 001- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+imm)
+ FAIL    1100 010- ---- ---- ---- ---- ---- ----   # SVE 64-bit gather load/prefetch
+-FAIL    1110 010- -00- ---- 001- ---- ---- ----   # SVE2 64-bit scatter NT store (vector+scalar)
+-FAIL    1110 010- -10- ---- 001- ---- ---- ----   # SVE2 32-bit scatter NT store (vector+scalar)
+-FAIL    1110 010- ---- ---- 1-0- ---- ---- ----   # SVE scatter store (scalar+32-bit vector)
+-FAIL    1110 010- ---- ---- 101- ---- ---- ----   # SVE scatter store (misc)
+diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/translate-sve.c
++++ b/target/arm/translate-sve.c
+@@ -XXX,XX +XXX,XX @@ static bool trans_LD1_zprz(DisasContext *s, arg_LD1_zprz *a)
+     if (!dc_isar_feature(aa64_sve, s)) {
+         return false;
+     }
++    s->is_nonstreaming = true;
+     if (!sve_access_check(s)) {
+         return true;
+     }
+@@ -XXX,XX +XXX,XX @@ static bool trans_LD1_zpiz(DisasContext *s, arg_LD1_zpiz *a)
+     if (!dc_isar_feature(aa64_sve, s)) {
+         return false;
+     }
++    s->is_nonstreaming = true;
+     if (!sve_access_check(s)) {
+         return true;
+     }
+@@ -XXX,XX +XXX,XX @@ static bool trans_LDNT1_zprz(DisasContext *s, arg_LD1_zprz *a)
+     if (!dc_isar_feature(aa64_sve2, s)) {
+         return false;
+     }
++    s->is_nonstreaming = true;
+     if (!sve_access_check(s)) {
+         return true;
+     }
+@@ -XXX,XX +XXX,XX @@ static bool trans_ST1_zprz(DisasContext *s, arg_ST1_zprz *a)
+     if (!dc_isar_feature(aa64_sve, s)) {
+         return false;
+     }
++    s->is_nonstreaming = true;
+     if (!sve_access_check(s)) {
+         return true;
+     }
+@@ -XXX,XX +XXX,XX @@ static bool trans_ST1_zpiz(DisasContext *s, arg_ST1_zpiz *a)
+     if (!dc_isar_feature(aa64_sve, s)) {
+         return false;
+     }
++    s->is_nonstreaming = true;
+     if (!sve_access_check(s)) {
+         return true;
+     }
+@@ -XXX,XX +XXX,XX @@ static bool trans_STNT1_zprz(DisasContext *s, arg_ST1_zprz *a)
+     if (!dc_isar_feature(aa64_sve2, s)) {
+         return false;
+     }
++    s->is_nonstreaming = true;
+     if (!sve_access_check(s)) {
+         return true;
+     }
+--
+.25.1

-New patch
+[PULL 12/45] target/arm: Mark gather prefetch as non-streaming
+From: Richard Henderson <richard.henderson@linaro.org>
+Mark these as a non-streaming instructions, which should trap if full
+a64 support is not enabled in streaming mode.  In this case, introduce
+PRF_ns (prefetch non-streaming) to handle the checks.
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220708151540.18136-13-richard.henderson@linaro.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/sme-fa64.decode |  3 ---
+ target/arm/sve.decode      | 10 +++++-----
+ target/arm/translate-sve.c | 11 +++++++++++
+files changed, 16 insertions(+), 8 deletions(-)
+diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/sme-fa64.decode
++++ b/target/arm/sme-fa64.decode
+@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
+ #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
+ #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
+-FAIL    1000 010- -00- ---- 111- ---- ---- ----   # SVE 32-bit gather prefetch (vector+imm)
+-FAIL    1000 0100 0-1- ---- 0--- ---- ---- ----   # SVE 32-bit gather prefetch (scalar+vector)
+ FAIL    1010 010- ---- ---- 011- ---- ---- ----   # SVE contiguous FF load (scalar+scalar)
+ FAIL    1010 010- ---1 ---- 101- ---- ---- ----   # SVE contiguous NF load (scalar+imm)
+ FAIL    1010 010- -01- ---- 000- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+scalar)
+ FAIL    1010 010- -010 ---- 001- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+imm)
+-FAIL    1100 010- ---- ---- ---- ---- ---- ----   # SVE 64-bit gather load/prefetch
+diff --git a/target/arm/sve.decode b/target/arm/sve.decode
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/sve.decode
++++ b/target/arm/sve.decode
+@@ -XXX,XX +XXX,XX @@ LD1RO_zpri      1010010 .. 01 0.... 001 ... ..... ..... \
+                 @rpri_load_msz nreg=0
+ # SVE 32-bit gather prefetch (scalar plus 32-bit scaled offsets)
+-PRF             1000010 00 -1 ----- 0-- --- ----- 0 ----
++PRF_ns          1000010 00 -1 ----- 0-- --- ----- 0 ----
+ # SVE 32-bit gather prefetch (vector plus immediate)
+-PRF             1000010 -- 00 ----- 111 --- ----- 0 ----
++PRF_ns          1000010 -- 00 ----- 111 --- ----- 0 ----
+ # SVE contiguous prefetch (scalar plus immediate)
+ PRF             1000010 11 1- ----- 0-- --- ----- 0 ----
+@@ -XXX,XX +XXX,XX @@ LD1_zpiz        1100010 .. 01 ..... 1.. ... ..... ..... \
+                 @rpri_g_load esz=3
+ # SVE 64-bit gather prefetch (scalar plus 64-bit scaled offsets)
+-PRF             1100010 00 11 ----- 1-- --- ----- 0 ----
++PRF_ns          1100010 00 11 ----- 1-- --- ----- 0 ----
+ # SVE 64-bit gather prefetch (scalar plus unpacked 32-bit scaled offsets)
+-PRF             1100010 00 -1 ----- 0-- --- ----- 0 ----
++PRF_ns          1100010 00 -1 ----- 0-- --- ----- 0 ----
+ # SVE 64-bit gather prefetch (vector plus immediate)
+-PRF             1100010 -- 00 ----- 111 --- ----- 0 ----
++PRF_ns          1100010 -- 00 ----- 111 --- ----- 0 ----
+ ### SVE Memory Store Group
+diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/translate-sve.c
++++ b/target/arm/translate-sve.c
+@@ -XXX,XX +XXX,XX @@ static bool trans_PRF_rr(DisasContext *s, arg_PRF_rr *a)
+     return true;
+ }
++static bool trans_PRF_ns(DisasContext *s, arg_PRF_ns *a)
++{
++    if (!dc_isar_feature(aa64_sve, s)) {
++        return false;
++    }
++    /* Prefetch is a nop within QEMU.  */
++    s->is_nonstreaming = true;
++    (void)sve_access_check(s);
++    return true;
++}
++
+ /*
+  * Move Prefix
+  *
+--
+.25.1

-New patch
+[PULL 13/45] target/arm: Mark LDFF1 and LDNF1 as non-streaming
+From: Richard Henderson <richard.henderson@linaro.org>
+Mark these as a non-streaming instructions, which should trap
+if full a64 support is not enabled in streaming mode.
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220708151540.18136-14-richard.henderson@linaro.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/sme-fa64.decode | 2 --
+ target/arm/translate-sve.c | 2 ++
+files changed, 2 insertions(+), 2 deletions(-)
+diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/sme-fa64.decode
++++ b/target/arm/sme-fa64.decode
+@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
+ #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
+ #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
+-FAIL    1010 010- ---- ---- 011- ---- ---- ----   # SVE contiguous FF load (scalar+scalar)
+-FAIL    1010 010- ---1 ---- 101- ---- ---- ----   # SVE contiguous NF load (scalar+imm)
+ FAIL    1010 010- -01- ---- 000- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+scalar)
+ FAIL    1010 010- -010 ---- 001- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+imm)
+diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/translate-sve.c
++++ b/target/arm/translate-sve.c
+@@ -XXX,XX +XXX,XX @@ static bool trans_LDFF1_zprr(DisasContext *s, arg_rprr_load *a)
+     if (!dc_isar_feature(aa64_sve, s)) {
+         return false;
+     }
++    s->is_nonstreaming = true;
+     if (sve_access_check(s)) {
+         TCGv_i64 addr = new_tmp_a64(s);
+         tcg_gen_shli_i64(addr, cpu_reg(s, a->rm), dtype_msz(a->dtype));
+@@ -XXX,XX +XXX,XX @@ static bool trans_LDNF1_zpri(DisasContext *s, arg_rpri_load *a)
+     if (!dc_isar_feature(aa64_sve, s)) {
+         return false;
+     }
++    s->is_nonstreaming = true;
+     if (sve_access_check(s)) {
+         int vsz = vec_full_reg_size(s);
+         int elements = vsz >> dtype_esz[a->dtype];
+--
+.25.1

-New patch
+[PULL 14/45] target/arm: Mark LD1RO as non-streaming
+From: Richard Henderson <richard.henderson@linaro.org>
+Mark these as a non-streaming instructions, which should trap
+if full a64 support is not enabled in streaming mode.
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220708151540.18136-15-richard.henderson@linaro.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/sme-fa64.decode | 3 ---
+ target/arm/translate-sve.c | 2 ++
+files changed, 2 insertions(+), 3 deletions(-)
+diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/sme-fa64.decode
++++ b/target/arm/sme-fa64.decode
+@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
+ #       --11 1100 --0- ---- ---- ---- ---- ----   # Load/store FP register (unscaled imm)
+ #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
+ #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
+-
+-FAIL    1010 010- -01- ---- 000- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+scalar)
+-FAIL    1010 010- -010 ---- 001- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+imm)
+diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/translate-sve.c
++++ b/target/arm/translate-sve.c
+@@ -XXX,XX +XXX,XX @@ static bool trans_LD1RO_zprr(DisasContext *s, arg_rprr_load *a)
+     if (a->rm == 31) {
+         return false;
+     }
++    s->is_nonstreaming = true;
+     if (sve_access_check(s)) {
+         TCGv_i64 addr = new_tmp_a64(s);
+         tcg_gen_shli_i64(addr, cpu_reg(s, a->rm), dtype_msz(a->dtype));
+@@ -XXX,XX +XXX,XX @@ static bool trans_LD1RO_zpri(DisasContext *s, arg_rpri_load *a)
+     if (!dc_isar_feature(aa64_sve_f64mm, s)) {
+         return false;
+     }
++    s->is_nonstreaming = true;
+     if (sve_access_check(s)) {
+         TCGv_i64 addr = new_tmp_a64(s);
+         tcg_gen_addi_i64(addr, cpu_reg_sp(s, a->rn), a->imm * 32);
+--
+.25.1

-[Qemu-devel] [PULL 16/24] hw/arm/smmuv3: Queue helpers
+[PULL 15/45] target/arm: Add SME enablement checks
-From: Eric Auger <eric.auger@redhat.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-We introduce helpers to read/write into the command and event
+These functions will be used to verify that the cpu
-circular queues.
+is in the correct state for a given instruction.
-smmuv3_write_eventq and smmuv3_cmq_consume will become static
-in subsequent patches.
-Invalidation commands are not yet dealt with. We do not cache
-data that need to be invalidated. This will change with vhost
-integration.
-Signed-off-by: Eric Auger <eric.auger@redhat.com>
-Signed-off-by: Prem Mallappa <prem.mallappa@broadcom.com>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 1524665762-31355-7-git-send-email-eric.auger@redhat.com
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20220708151540.18136-16-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/smmuv3-internal.h | 163 +++++++++++++++++++++++++++++++++++++++
+ target/arm/translate-a64.h | 21 +++++++++++++++++++++
- hw/arm/smmuv3.c          | 136 ++++++++++++++++++++++++++++++++
+ target/arm/translate-a64.c | 34 ++++++++++++++++++++++++++++++++++
- hw/arm/trace-events      |   5 ++
+files changed, 55 insertions(+)
 files changed, 304 insertions(+)
-diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h
+diff --git a/target/arm/translate-a64.h b/target/arm/translate-a64.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmuv3-internal.h
+--- a/target/arm/translate-a64.h
-+++ b/hw/arm/smmuv3-internal.h
++++ b/target/arm/translate-a64.h
-@@ -XXX,XX +XXX,XX @@ static inline bool smmuv3_gerror_irq_enabled(SMMUv3State *s)
+@@ -XXX,XX +XXX,XX @@ void write_fp_dreg(DisasContext *s, int reg, TCGv_i64 v);
- void smmuv3_trigger_irq(SMMUv3State *s, SMMUIrq irq, uint32_t gerror_mask);
+ bool logic_imm_decode_wmask(uint64_t *result, unsigned int immn,
- void smmuv3_write_gerrorn(SMMUv3State *s, uint32_t gerrorn);
+                             unsigned int imms, unsigned int immr);
+ bool sve_access_check(DisasContext *s);
-+/* Queue Handling */
++bool sme_enabled_check(DisasContext *s);
 +bool sme_enabled_check_with_svcr(DisasContext *s, unsigned);
 +
-+#define Q_BASE(q)          ((q)->base & SMMU_BASE_ADDR_MASK)
++/* This function corresponds to CheckStreamingSVEEnabled. */
-+#define WRAP_MASK(q)       (1 << (q)->log2size)
++static inline bool sme_sm_enabled_check(DisasContext *s)
 +#define INDEX_MASK(q)      (((1 << (q)->log2size)) - 1)
 +#define WRAP_INDEX_MASK(q) ((1 << ((q)->log2size + 1)) - 1)
 +
 +#define Q_CONS(q) ((q)->cons & INDEX_MASK(q))
 +#define Q_PROD(q) ((q)->prod & INDEX_MASK(q))
 +
 +#define Q_CONS_ENTRY(q)  (Q_BASE(q) + (q)->entry_size * Q_CONS(q))
 +#define Q_PROD_ENTRY(q)  (Q_BASE(q) + (q)->entry_size * Q_PROD(q))
 +
 +#define Q_CONS_WRAP(q) (((q)->cons & WRAP_MASK(q)) >> (q)->log2size)
 +#define Q_PROD_WRAP(q) (((q)->prod & WRAP_MASK(q)) >> (q)->log2size)
 +
 +static inline bool smmuv3_q_full(SMMUQueue *q)
 +{
-+    return ((q->cons ^ q->prod) & WRAP_INDEX_MASK(q)) == WRAP_MASK(q);
++    return sme_enabled_check_with_svcr(s, R_SVCR_SM_MASK);
 +}
 +
-+static inline bool smmuv3_q_empty(SMMUQueue *q)
++/* This function corresponds to CheckSMEAndZAEnabled. */
 +static inline bool sme_za_enabled_check(DisasContext *s)
 +{
-+    return (q->cons & WRAP_INDEX_MASK(q)) == (q->prod & WRAP_INDEX_MASK(q));
++    return sme_enabled_check_with_svcr(s, R_SVCR_ZA_MASK);
 +}
 +
-+static inline void queue_prod_incr(SMMUQueue *q)
++/* Note that this function corresponds to CheckStreamingSVEAndZAEnabled. */
 +static inline bool sme_smza_enabled_check(DisasContext *s)
 +{
-+    q->prod = (q->prod + 1) & WRAP_INDEX_MASK(q);
++    return sme_enabled_check_with_svcr(s, R_SVCR_SM_MASK | R_SVCR_ZA_MASK);
 +}
 +
-+static inline void queue_cons_incr(SMMUQueue *q)
+ TCGv_i64 clean_data_tbi(DisasContext *s, TCGv_i64 addr);
  TCGv_i64 gen_mte_check1(DisasContext *s, TCGv_i64 addr, bool is_write,
                          bool tag_checked, int log2_size);
 diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-a64.c
 +++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static bool sme_access_check(DisasContext *s)
      return true;
  }
 +/* This function corresponds to CheckSMEEnabled. */
 +bool sme_enabled_check(DisasContext *s)
 +{
 +    /*
-+     * We have to use deposit for the CONS registers to preserve
++     * Note that unlike sve_excp_el, we have not constrained sme_excp_el
-+     * the ERR field in the high bits.
++     * to be zero when fp_excp_el has priority.  This is because we need
 +     * sme_excp_el by itself for cpregs access checks.
 +     */
-+    q->cons = deposit32(q->cons, 0, q->log2size + 1, q->cons + 1);
++    if (!s->fp_excp_el || s->sme_excp_el < s->fp_excp_el) {
 +        s->fp_access_checked = true;
 +        return sme_access_check(s);
 +    }
 +    return fp_access_check_only(s);
 +}
 +
-+static inline bool smmuv3_cmdq_enabled(SMMUv3State *s)
++/* Common subroutine for CheckSMEAnd*Enabled. */
 +bool sme_enabled_check_with_svcr(DisasContext *s, unsigned req)
 +{
-+    return FIELD_EX32(s->cr[0], CR0, CMDQEN);
++    if (!sme_enabled_check(s)) {
 +        return false;
 +    }
 +    if (FIELD_EX64(req, SVCR, SM) && !s->pstate_sm) {
 +        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
 +                           syn_smetrap(SME_ET_NotStreaming, false));
 +        return false;
 +    }
 +    if (FIELD_EX64(req, SVCR, ZA) && !s->pstate_za) {
 +        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
 +                           syn_smetrap(SME_ET_InactiveZA, false));
 +        return false;
 +    }
 +    return true;
 +}
 +
-+static inline bool smmuv3_eventq_enabled(SMMUv3State *s)
+ /*
-+{
+  * This utility function is for doing register extension with an
-+    return FIELD_EX32(s->cr[0], CR0, EVENTQEN);
+  * optional shift. You will likely want to pass a temporary for the
 +}
 +
 +static inline void smmu_write_cmdq_err(SMMUv3State *s, uint32_t err_type)
 +{
 +    s->cmdq.cons = FIELD_DP32(s->cmdq.cons, CMDQ_CONS, ERR, err_type);
 +}
 +
 +void smmuv3_write_eventq(SMMUv3State *s, Evt *evt);
 +
 +/* Commands */
 +
 +typedef enum SMMUCommandType {
 +    SMMU_CMD_NONE            = 0x00,
 +    SMMU_CMD_PREFETCH_CONFIG       ,
 +    SMMU_CMD_PREFETCH_ADDR,
 +    SMMU_CMD_CFGI_STE,
 +    SMMU_CMD_CFGI_STE_RANGE,
 +    SMMU_CMD_CFGI_CD,
 +    SMMU_CMD_CFGI_CD_ALL,
 +    SMMU_CMD_CFGI_ALL,
 +    SMMU_CMD_TLBI_NH_ALL     = 0x10,
 +    SMMU_CMD_TLBI_NH_ASID,
 +    SMMU_CMD_TLBI_NH_VA,
 +    SMMU_CMD_TLBI_NH_VAA,
 +    SMMU_CMD_TLBI_EL3_ALL    = 0x18,
 +    SMMU_CMD_TLBI_EL3_VA     = 0x1a,
 +    SMMU_CMD_TLBI_EL2_ALL    = 0x20,
 +    SMMU_CMD_TLBI_EL2_ASID,
 +    SMMU_CMD_TLBI_EL2_VA,
 +    SMMU_CMD_TLBI_EL2_VAA,
 +    SMMU_CMD_TLBI_S12_VMALL  = 0x28,
 +    SMMU_CMD_TLBI_S2_IPA     = 0x2a,
 +    SMMU_CMD_TLBI_NSNH_ALL   = 0x30,
 +    SMMU_CMD_ATC_INV         = 0x40,
 +    SMMU_CMD_PRI_RESP,
 +    SMMU_CMD_RESUME          = 0x44,
 +    SMMU_CMD_STALL_TERM,
 +    SMMU_CMD_SYNC,
 +} SMMUCommandType;
 +
 +static const char *cmd_stringify[] = {
 +    [SMMU_CMD_PREFETCH_CONFIG] = "SMMU_CMD_PREFETCH_CONFIG",
 +    [SMMU_CMD_PREFETCH_ADDR]   = "SMMU_CMD_PREFETCH_ADDR",
 +    [SMMU_CMD_CFGI_STE]        = "SMMU_CMD_CFGI_STE",
 +    [SMMU_CMD_CFGI_STE_RANGE]  = "SMMU_CMD_CFGI_STE_RANGE",
 +    [SMMU_CMD_CFGI_CD]         = "SMMU_CMD_CFGI_CD",
 +    [SMMU_CMD_CFGI_CD_ALL]     = "SMMU_CMD_CFGI_CD_ALL",
 +    [SMMU_CMD_CFGI_ALL]        = "SMMU_CMD_CFGI_ALL",
 +    [SMMU_CMD_TLBI_NH_ALL]     = "SMMU_CMD_TLBI_NH_ALL",
 +    [SMMU_CMD_TLBI_NH_ASID]    = "SMMU_CMD_TLBI_NH_ASID",
 +    [SMMU_CMD_TLBI_NH_VA]      = "SMMU_CMD_TLBI_NH_VA",
 +    [SMMU_CMD_TLBI_NH_VAA]     = "SMMU_CMD_TLBI_NH_VAA",
 +    [SMMU_CMD_TLBI_EL3_ALL]    = "SMMU_CMD_TLBI_EL3_ALL",
 +    [SMMU_CMD_TLBI_EL3_VA]     = "SMMU_CMD_TLBI_EL3_VA",
 +    [SMMU_CMD_TLBI_EL2_ALL]    = "SMMU_CMD_TLBI_EL2_ALL",
 +    [SMMU_CMD_TLBI_EL2_ASID]   = "SMMU_CMD_TLBI_EL2_ASID",
 +    [SMMU_CMD_TLBI_EL2_VA]     = "SMMU_CMD_TLBI_EL2_VA",
 +    [SMMU_CMD_TLBI_EL2_VAA]    = "SMMU_CMD_TLBI_EL2_VAA",
 +    [SMMU_CMD_TLBI_S12_VMALL]  = "SMMU_CMD_TLBI_S12_VMALL",
 +    [SMMU_CMD_TLBI_S2_IPA]     = "SMMU_CMD_TLBI_S2_IPA",
 +    [SMMU_CMD_TLBI_NSNH_ALL]   = "SMMU_CMD_TLBI_NSNH_ALL",
 +    [SMMU_CMD_ATC_INV]         = "SMMU_CMD_ATC_INV",
 +    [SMMU_CMD_PRI_RESP]        = "SMMU_CMD_PRI_RESP",
 +    [SMMU_CMD_RESUME]          = "SMMU_CMD_RESUME",
 +    [SMMU_CMD_STALL_TERM]      = "SMMU_CMD_STALL_TERM",
 +    [SMMU_CMD_SYNC]            = "SMMU_CMD_SYNC",
 +};
 +
 +static inline const char *smmu_cmd_string(SMMUCommandType type)
 +{
 +    if (type > SMMU_CMD_NONE && type < ARRAY_SIZE(cmd_stringify)) {
 +        return cmd_stringify[type] ? cmd_stringify[type] : "UNKNOWN";
 +    } else {
 +        return "INVALID";
 +    }
 +}
 +
 +/* CMDQ fields */
 +
 +typedef enum {
 +    SMMU_CERROR_NONE = 0,
 +    SMMU_CERROR_ILL,
 +    SMMU_CERROR_ABT,
 +    SMMU_CERROR_ATC_INV_SYNC,
 +} SMMUCmdError;
 +
 +enum { /* Command completion notification */
 +    CMD_SYNC_SIG_NONE,
 +    CMD_SYNC_SIG_IRQ,
 +    CMD_SYNC_SIG_SEV,
 +};
 +
 +#define CMD_TYPE(x)         extract32((x)->word[0], 0 , 8)
 +#define CMD_SSEC(x)         extract32((x)->word[0], 10, 1)
 +#define CMD_SSV(x)          extract32((x)->word[0], 11, 1)
 +#define CMD_RESUME_AC(x)    extract32((x)->word[0], 12, 1)
 +#define CMD_RESUME_AB(x)    extract32((x)->word[0], 13, 1)
 +#define CMD_SYNC_CS(x)      extract32((x)->word[0], 12, 2)
 +#define CMD_SSID(x)         extract32((x)->word[0], 12, 20)
 +#define CMD_SID(x)          ((x)->word[1])
 +#define CMD_VMID(x)         extract32((x)->word[1], 0 , 16)
 +#define CMD_ASID(x)         extract32((x)->word[1], 16, 16)
 +#define CMD_RESUME_STAG(x)  extract32((x)->word[2], 0 , 16)
 +#define CMD_RESP(x)         extract32((x)->word[2], 11, 2)
 +#define CMD_LEAF(x)         extract32((x)->word[2], 0 , 1)
 +#define CMD_STE_RANGE(x)    extract32((x)->word[2], 0 , 5)
 +#define CMD_ADDR(x) ({                                        \
 +            uint64_t high = (uint64_t)(x)->word[3];           \
 +            uint64_t low = extract32((x)->word[2], 12, 20);    \
 +            uint64_t addr = high << 32 | (low << 12);         \
 +            addr;                                             \
 +        })
 +
 +int smmuv3_cmdq_consume(SMMUv3State *s);
 +
  #endif
 diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/smmuv3.c
 +++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@ void smmuv3_write_gerrorn(SMMUv3State *s, uint32_t new_gerrorn)
      trace_smmuv3_write_gerrorn(toggled & pending, s->gerrorn);
  }
 +static inline MemTxResult queue_read(SMMUQueue *q, void *data)
 +{
 +    dma_addr_t addr = Q_CONS_ENTRY(q);
 +
 +    return dma_memory_read(&address_space_memory, addr, data, q->entry_size);
 +}
 +
 +static MemTxResult queue_write(SMMUQueue *q, void *data)
 +{
 +    dma_addr_t addr = Q_PROD_ENTRY(q);
 +    MemTxResult ret;
 +
 +    ret = dma_memory_write(&address_space_memory, addr, data, q->entry_size);
 +    if (ret != MEMTX_OK) {
 +        return ret;
 +    }
 +
 +    queue_prod_incr(q);
 +    return MEMTX_OK;
 +}
 +
 +void smmuv3_write_eventq(SMMUv3State *s, Evt *evt)
 +{
 +    SMMUQueue *q = &s->eventq;
 +
 +    if (!smmuv3_eventq_enabled(s)) {
 +        return;
 +    }
 +
 +    if (smmuv3_q_full(q)) {
 +        return;
 +    }
 +
 +    queue_write(q, evt);
 +
 +    if (smmuv3_q_empty(q)) {
 +        smmuv3_trigger_irq(s, SMMU_IRQ_EVTQ, 0);
 +    }
 +}
 +
  static void smmuv3_init_regs(SMMUv3State *s)
  {
      /**
@@ -XXX,XX +XXX,XX @@ static void smmuv3_init_regs(SMMUv3State *s)
      s->sid_split = 0;
  }
 +int smmuv3_cmdq_consume(SMMUv3State *s)
 +{
 +    SMMUCmdError cmd_error = SMMU_CERROR_NONE;
 +    SMMUQueue *q = &s->cmdq;
 +    SMMUCommandType type = 0;
 +
 +    if (!smmuv3_cmdq_enabled(s)) {
 +        return 0;
 +    }
 +    /*
 +     * some commands depend on register values, typically CR0. In case those
 +     * register values change while handling the command, spec says it
 +     * is UNPREDICTABLE whether the command is interpreted under the new
 +     * or old value.
 +     */
 +
 +    while (!smmuv3_q_empty(q)) {
 +        uint32_t pending = s->gerror ^ s->gerrorn;
 +        Cmd cmd;
 +
 +        trace_smmuv3_cmdq_consume(Q_PROD(q), Q_CONS(q),
 +                                  Q_PROD_WRAP(q), Q_CONS_WRAP(q));
 +
 +        if (FIELD_EX32(pending, GERROR, CMDQ_ERR)) {
 +            break;
 +        }
 +
 +        if (queue_read(q, &cmd) != MEMTX_OK) {
 +            cmd_error = SMMU_CERROR_ABT;
 +            break;
 +        }
 +
 +        type = CMD_TYPE(&cmd);
 +
 +        trace_smmuv3_cmdq_opcode(smmu_cmd_string(type));
 +
 +        switch (type) {
 +        case SMMU_CMD_SYNC:
 +            if (CMD_SYNC_CS(&cmd) & CMD_SYNC_SIG_IRQ) {
 +                smmuv3_trigger_irq(s, SMMU_IRQ_CMD_SYNC, 0);
 +            }
 +            break;
 +        case SMMU_CMD_PREFETCH_CONFIG:
 +        case SMMU_CMD_PREFETCH_ADDR:
 +        case SMMU_CMD_CFGI_STE:
 +        case SMMU_CMD_CFGI_STE_RANGE: /* same as SMMU_CMD_CFGI_ALL */
 +        case SMMU_CMD_CFGI_CD:
 +        case SMMU_CMD_CFGI_CD_ALL:
 +        case SMMU_CMD_TLBI_NH_ALL:
 +        case SMMU_CMD_TLBI_NH_ASID:
 +        case SMMU_CMD_TLBI_NH_VA:
 +        case SMMU_CMD_TLBI_NH_VAA:
 +        case SMMU_CMD_TLBI_EL3_ALL:
 +        case SMMU_CMD_TLBI_EL3_VA:
 +        case SMMU_CMD_TLBI_EL2_ALL:
 +        case SMMU_CMD_TLBI_EL2_ASID:
 +        case SMMU_CMD_TLBI_EL2_VA:
 +        case SMMU_CMD_TLBI_EL2_VAA:
 +        case SMMU_CMD_TLBI_S12_VMALL:
 +        case SMMU_CMD_TLBI_S2_IPA:
 +        case SMMU_CMD_TLBI_NSNH_ALL:
 +        case SMMU_CMD_ATC_INV:
 +        case SMMU_CMD_PRI_RESP:
 +        case SMMU_CMD_RESUME:
 +        case SMMU_CMD_STALL_TERM:
 +            trace_smmuv3_unhandled_cmd(type);
 +            break;
 +        default:
 +            cmd_error = SMMU_CERROR_ILL;
 +            qemu_log_mask(LOG_GUEST_ERROR,
 +                          "Illegal command type: %d\n", CMD_TYPE(&cmd));
 +            break;
 +        }
 +        if (cmd_error) {
 +            break;
 +        }
 +        /*
 +         * We only increment the cons index after the completion of
 +         * the command. We do that because the SYNC returns immediately
 +         * and does not check the completion of previous commands
 +         */
 +        queue_cons_incr(q);
 +    }
 +
 +    if (cmd_error) {
 +        trace_smmuv3_cmdq_consume_error(smmu_cmd_string(type), cmd_error);
 +        smmu_write_cmdq_err(s, cmd_error);
 +        smmuv3_trigger_irq(s, SMMU_IRQ_GERROR, R_GERROR_CMDQ_ERR_MASK);
 +    }
 +
 +    trace_smmuv3_cmdq_consume_out(Q_PROD(q), Q_CONS(q),
 +                                  Q_PROD_WRAP(q), Q_CONS_WRAP(q));
 +
 +    return 0;
 +}
 +
  static MemTxResult smmu_write_mmio(void *opaque, hwaddr offset, uint64_t data,
                                     unsigned size, MemTxAttrs attrs)
  {
 diff --git a/hw/arm/trace-events b/hw/arm/trace-events
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/trace-events
 +++ b/hw/arm/trace-events
@@ -XXX,XX +XXX,XX @@ smmuv3_read_mmio(uint64_t addr, uint64_t val, unsigned size, uint32_t r) "addr:
  smmuv3_trigger_irq(int irq) "irq=%d"
  smmuv3_write_gerror(uint32_t toggled, uint32_t gerror) "toggled=0x%x, new GERROR=0x%x"
  smmuv3_write_gerrorn(uint32_t acked, uint32_t gerrorn) "acked=0x%x, new GERRORN=0x%x"
 +smmuv3_unhandled_cmd(uint32_t type) "Unhandled command type=%d"
 +smmuv3_cmdq_consume(uint32_t prod, uint32_t cons, uint8_t prod_wrap, uint8_t cons_wrap) "prod=%d cons=%d prod.wrap=%d cons.wrap=%d"
 +smmuv3_cmdq_opcode(const char *opcode) "<--- %s"
 +smmuv3_cmdq_consume_out(uint32_t prod, uint32_t cons, uint8_t prod_wrap, uint8_t cons_wrap) "prod:%d, cons:%d, prod_wrap:%d, cons_wrap:%d "
 +smmuv3_cmdq_consume_error(const char *cmd_name, uint8_t cmd_error) "Error on %s command execution: %d"
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 08/24] target/arm: Tidy condition in disas_simd_two_reg_misc
+[PULL 16/45] target/arm: Handle SME in sve_access_check
 From: Richard Henderson <richard.henderson@linaro.org>
-Path analysis shows that size == 3 && !is_q has been eliminated.
+The pseudocode for CheckSVEEnabled gains a check for Streaming
 SVE mode, and for SME present but SVE absent.
-Fixes: Coverity CID1385853
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Message-id: 20220708151540.18136-17-richard.henderson@linaro.org
 Message-id: 20180501180455.11214-3-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/translate-a64.c | 6 +++++-
+ target/arm/translate-a64.c | 22 ++++++++++++++++------
-file changed, 5 insertions(+), 1 deletion(-)
+file changed, 16 insertions(+), 6 deletions(-)
 diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-a64.c
 +++ b/target/arm/translate-a64.c
-@@ -XXX,XX +XXX,XX @@ static void disas_simd_two_reg_misc(DisasContext *s, uint32_t insn)
+@@ -XXX,XX +XXX,XX @@ static bool fp_access_check(DisasContext *s)
-         /* All 64-bit element operations can be shared with scalar 2misc */
+     return true;
-         int pass;
+ }
--        for (pass = 0; pass < (is_q ? 2 : 1); pass++) {
+-/* Check that SVE access is enabled.  If it is, return true.
-+        /* Coverity claims (size == 3 && !is_q) has been eliminated
++/*
-+         * from all paths leading to here.
++ * Check that SVE access is enabled.  If it is, return true.
-+         */
+  * If not, emit code to generate an appropriate exception and return false.
-+        tcg_debug_assert(is_q);
++ * This function corresponds to CheckSVEEnabled().
-+        for (pass = 0; pass < 2; pass++) {
+  */
-             TCGv_i64 tcg_op = tcg_temp_new_i64();
+ bool sve_access_check(DisasContext *s)
-             TCGv_i64 tcg_res = tcg_temp_new_i64();
+ {
+-    if (s->sve_excp_el) {
 -        assert(!s->sve_access_checked);
 -        s->sve_access_checked = true;
 -
 +    if (s->pstate_sm || !dc_isar_feature(aa64_sve, s)) {
 +        assert(dc_isar_feature(aa64_sme, s));
 +        if (!sme_sm_enabled_check(s)) {
 +            goto fail_exit;
 +        }
 +    } else if (s->sve_excp_el) {
          gen_exception_insn_el(s, s->pc_curr, EXCP_UDEF,
                                syn_sve_access_trap(), s->sve_excp_el);
 -        return false;
 +        goto fail_exit;
      }
      s->sve_access_checked = true;
      return fp_access_check(s);
 +
 + fail_exit:
 +    /* Assert that we only raise one exception per instruction. */
 +    assert(!s->sve_access_checked);
 +    s->sve_access_checked = true;
 +    return false;
  }
  /*
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 15/24] hw/arm/smmuv3: Wired IRQ and GERROR helpers
+[PULL 17/45] target/arm: Implement SME RDSVL, ADDSVL, ADDSPL
-From: Eric Auger <eric.auger@redhat.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-We introduce some helpers to handle wired IRQs and especially
+These SME instructions are nominally within the SVE decode space,
-GERROR interrupt. SMMU writes GERROR register on GERROR event
+so we add them to sve.decode and translate-sve.c.
 and SW acks GERROR interrupts by setting GERRORn.
-The Wired interrupts are edge sensitive hence the pulse usage.
-Signed-off-by: Eric Auger <eric.auger@redhat.com>
-Signed-off-by: Prem Mallappa <prem.mallappa@broadcom.com>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 1524665762-31355-6-git-send-email-eric.auger@redhat.com
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20220708151540.18136-18-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/smmuv3-internal.h | 14 +++++++++
+ target/arm/translate-a64.h | 12 ++++++++++++
- hw/arm/smmuv3.c          | 64 ++++++++++++++++++++++++++++++++++++++++
+ target/arm/sve.decode      |  5 ++++-
- hw/arm/trace-events      |  3 ++
+ target/arm/translate-sve.c | 38 ++++++++++++++++++++++++++++++++++++++
-files changed, 81 insertions(+)
+files changed, 54 insertions(+), 1 deletion(-)
-diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h
+diff --git a/target/arm/translate-a64.h b/target/arm/translate-a64.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmuv3-internal.h
+--- a/target/arm/translate-a64.h
-+++ b/hw/arm/smmuv3-internal.h
++++ b/target/arm/translate-a64.h
-@@ -XXX,XX +XXX,XX @@ static inline uint32_t smmuv3_idreg(int regoffset)
+@@ -XXX,XX +XXX,XX @@ static inline int vec_full_reg_size(DisasContext *s)
-     return smmuv3_ids[regoffset / 4];
+     return s->vl;
  }
-+static inline bool smmuv3_eventq_irq_enabled(SMMUv3State *s)
++/* Return the byte size of the vector register, SVL / 8. */
 +static inline int streaming_vec_reg_size(DisasContext *s)
 +{
-+    return FIELD_EX32(s->irq_ctrl, IRQ_CTRL, EVENTQ_IRQEN);
++    return s->svl;
 +}
 +
-+static inline bool smmuv3_gerror_irq_enabled(SMMUv3State *s)
+ /*
   * Return the offset info CPUARMState of the predicate vector register Pn.
   * Note for this purpose, FFR is P16.
@@ -XXX,XX +XXX,XX @@ static inline int pred_full_reg_size(DisasContext *s)
      return s->vl >> 3;
  }
 +/* Return the byte size of the predicate register, SVL / 64.  */
 +static inline int streaming_pred_reg_size(DisasContext *s)
 +{
-+    return FIELD_EX32(s->irq_ctrl, IRQ_CTRL, GERROR_IRQEN);
++    return s->svl >> 3;
 +}
 +
-+/* public until callers get introduced */
+ /*
-+void smmuv3_trigger_irq(SMMUv3State *s, SMMUIrq irq, uint32_t gerror_mask);
+  * Round up the size of a register to a size allowed by
-+void smmuv3_write_gerrorn(SMMUv3State *s, uint32_t gerrorn);
+  * the tcg vector infrastructure.  Any operation which uses this
-+
+diff --git a/target/arm/sve.decode b/target/arm/sve.decode
  #endif
 diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmuv3.c
+--- a/target/arm/sve.decode
-+++ b/hw/arm/smmuv3.c
++++ b/target/arm/sve.decode
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ INDEX_ri        00000100 esz:2 1 imm:s5 010001 rn:5 rd:5
- #include "hw/arm/smmuv3.h"
+ # SVE index generation (register start, register increment)
- #include "smmuv3-internal.h"
+ INDEX_rr        00000100 .. 1 ..... 010011 ..... .....          @rd_rn_rm
-+/**
+-### SVE Stack Allocation Group
-+ * smmuv3_trigger_irq - pulse @irq if enabled and update
++### SVE / Streaming SVE Stack Allocation Group
-+ * GERROR register in case of GERROR interrupt
-+ *
+ # SVE stack frame adjustment
-+ * @irq: irq type
+ ADDVL           00000100 001 ..... 01010 ...... .....           @rd_rn_i6
-+ * @gerror_mask: mask of gerrors to toggle (relevant if @irq is GERROR)
++ADDSVL          00000100 001 ..... 01011 ...... .....           @rd_rn_i6
-+ */
+ ADDPL           00000100 011 ..... 01010 ...... .....           @rd_rn_i6
-+void smmuv3_trigger_irq(SMMUv3State *s, SMMUIrq irq, uint32_t gerror_mask)
++ADDSPL          00000100 011 ..... 01011 ...... .....           @rd_rn_i6
  # SVE stack frame size
  RDVL            00000100 101 11111 01010 imm:s6 rd:5
 +RDSVL           00000100 101 11111 01011 imm:s6 rd:5
  ### SVE Bitwise Shift - Unpredicated Group
 diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-sve.c
 +++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ static bool trans_ADDVL(DisasContext *s, arg_ADDVL *a)
      return true;
  }
 +static bool trans_ADDSVL(DisasContext *s, arg_ADDSVL *a)
 +{
-+
++    if (!dc_isar_feature(aa64_sme, s)) {
-+    bool pulse = false;
++        return false;
 +
 +    switch (irq) {
 +    case SMMU_IRQ_EVTQ:
 +        pulse = smmuv3_eventq_irq_enabled(s);
 +        break;
 +    case SMMU_IRQ_PRIQ:
 +        qemu_log_mask(LOG_UNIMP, "PRI not yet supported\n");
 +        break;
 +    case SMMU_IRQ_CMD_SYNC:
 +        pulse = true;
 +        break;
 +    case SMMU_IRQ_GERROR:
 +    {
 +        uint32_t pending = s->gerror ^ s->gerrorn;
 +        uint32_t new_gerrors = ~pending & gerror_mask;
 +
 +        if (!new_gerrors) {
 +            /* only toggle non pending errors */
 +            return;
 +        }
 +        s->gerror ^= new_gerrors;
 +        trace_smmuv3_write_gerror(new_gerrors, s->gerror);
 +
 +        pulse = smmuv3_gerror_irq_enabled(s);
 +        break;
 +    }
++    if (sme_enabled_check(s)) {
++        TCGv_i64 rd = cpu_reg_sp(s, a->rd);
++        TCGv_i64 rn = cpu_reg_sp(s, a->rn);
++        tcg_gen_addi_i64(rd, rn, a->imm * streaming_vec_reg_size(s));
 +    }
-+    if (pulse) {
++    return true;
 +            trace_smmuv3_trigger_irq(irq);
 +            qemu_irq_pulse(s->irq[irq]);
 +    }
 +}
 +
-+void smmuv3_write_gerrorn(SMMUv3State *s, uint32_t new_gerrorn)
+ static bool trans_ADDPL(DisasContext *s, arg_ADDPL *a)
  {
      if (!dc_isar_feature(aa64_sve, s)) {
@@ -XXX,XX +XXX,XX @@ static bool trans_ADDPL(DisasContext *s, arg_ADDPL *a)
      return true;
  }
 +static bool trans_ADDSPL(DisasContext *s, arg_ADDSPL *a)
 +{
-+    uint32_t pending = s->gerror ^ s->gerrorn;
++    if (!dc_isar_feature(aa64_sme, s)) {
-+    uint32_t toggled = s->gerrorn ^ new_gerrorn;
++        return false;
 +
 +    if (toggled & ~pending) {
 +        qemu_log_mask(LOG_GUEST_ERROR,
 +                      "guest toggles non pending errors = 0x%x\n",
 +                      toggled & ~pending);
 +    }
-+
++    if (sme_enabled_check(s)) {
-+    /*
++        TCGv_i64 rd = cpu_reg_sp(s, a->rd);
-+     * We do not raise any error in case guest toggles bits corresponding
++        TCGv_i64 rn = cpu_reg_sp(s, a->rn);
-+     * to not active IRQs (CONSTRAINED UNPREDICTABLE)
++        tcg_gen_addi_i64(rd, rn, a->imm * streaming_pred_reg_size(s));
-+     */
++    }
-+    s->gerrorn = new_gerrorn;
++    return true;
 +
 +    trace_smmuv3_write_gerrorn(toggled & pending, s->gerrorn);
 +}
 +
- static void smmuv3_init_regs(SMMUv3State *s)
+ static bool trans_RDVL(DisasContext *s, arg_RDVL *a)
  {
-     /**
+     if (!dc_isar_feature(aa64_sve, s)) {
-diff --git a/hw/arm/trace-events b/hw/arm/trace-events
+@@ -XXX,XX +XXX,XX @@ static bool trans_RDVL(DisasContext *s, arg_RDVL *a)
-index XXXXXXX..XXXXXXX 100644
+     return true;
---- a/hw/arm/trace-events
+ }
-+++ b/hw/arm/trace-events
-@@ -XXX,XX +XXX,XX @@ smmu_get_pte(uint64_t baseaddr, int index, uint64_t pteaddr, uint64_t pte) "base
++static bool trans_RDSVL(DisasContext *s, arg_RDSVL *a)
++{
- #hw/arm/smmuv3.c
++    if (!dc_isar_feature(aa64_sme, s)) {
- smmuv3_read_mmio(uint64_t addr, uint64_t val, unsigned size, uint32_t r) "addr: 0x%"PRIx64" val:0x%"PRIx64" size: 0x%x(%d)"
++        return false;
-+smmuv3_trigger_irq(int irq) "irq=%d"
++    }
-+smmuv3_write_gerror(uint32_t toggled, uint32_t gerror) "toggled=0x%x, new GERROR=0x%x"
++    if (sme_enabled_check(s)) {
-+smmuv3_write_gerrorn(uint32_t acked, uint32_t gerrorn) "acked=0x%x, new GERRORN=0x%x"
++        TCGv_i64 reg = cpu_reg(s, a->rd);
 +        tcg_gen_movi_i64(reg, a->imm * streaming_vec_reg_size(s));
 +    }
 +    return true;
 +}
 +
  /*
   *** SVE Compute Vector Address Group
   */
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 22/24] hw/arm/virt: Add SMMUv3 to the virt board
+[PULL 18/45] target/arm: Implement SME ZERO
-From: Prem Mallappa <prem.mallappa@broadcom.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-Add code to instantiate an smmuv3 in virt machine. A new iommu
-integer member is introduced in VirtMachineState to store the type
-of the iommu in use.
-Signed-off-by: Prem Mallappa <prem.mallappa@broadcom.com>
-Signed-off-by: Eric Auger <eric.auger@redhat.com>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 1524665762-31355-13-git-send-email-eric.auger@redhat.com
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20220708151540.18136-19-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- include/hw/arm/virt.h | 10 +++++++
+ target/arm/helper-sme.h    |  2 ++
- hw/arm/virt.c         | 64 ++++++++++++++++++++++++++++++++++++++++++-
+ target/arm/sme.decode      |  4 ++++
-files changed, 73 insertions(+), 1 deletion(-)
+ target/arm/sme_helper.c    | 25 +++++++++++++++++++++++++
  target/arm/translate-sme.c | 13 +++++++++++++
 files changed, 44 insertions(+)
-diff --git a/include/hw/arm/virt.h b/include/hw/arm/virt.h
+diff --git a/target/arm/helper-sme.h b/target/arm/helper-sme.h
 index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/virt.h
+--- a/target/arm/helper-sme.h
-+++ b/include/hw/arm/virt.h
++++ b/target/arm/helper-sme.h
 @@ -XXX,XX +XXX,XX @@
- #define NUM_GICV2M_SPIS       64
+ DEF_HELPER_FLAGS_2(set_pstate_sm, TCG_CALL_NO_RWG, void, env, i32)
- #define NUM_VIRTIO_TRANSPORTS 32
+ DEF_HELPER_FLAGS_2(set_pstate_za, TCG_CALL_NO_RWG, void, env, i32)
 +#define NUM_SMMU_IRQS          4
  #define ARCH_GICV3_MAINT_IRQ  9
@@ -XXX,XX +XXX,XX @@ enum {
      VIRT_GIC_V2M,
      VIRT_GIC_ITS,
      VIRT_GIC_REDIST,
 +    VIRT_SMMU,
      VIRT_UART,
      VIRT_MMIO,
      VIRT_RTC,
@@ -XXX,XX +XXX,XX @@ enum {
      VIRT_SECURE_MEM,
  };
 +typedef enum VirtIOMMUType {
 +    VIRT_IOMMU_NONE,
 +    VIRT_IOMMU_SMMUV3,
 +    VIRT_IOMMU_VIRTIO,
 +} VirtIOMMUType;
 +
- typedef struct MemMapEntry {
++DEF_HELPER_FLAGS_3(sme_zero, TCG_CALL_NO_RWG, void, env, i32, i32)
-     hwaddr base;
+diff --git a/target/arm/sme.decode b/target/arm/sme.decode
      hwaddr size;
@@ -XXX,XX +XXX,XX @@ typedef struct {
      bool its;
      bool virt;
      int32_t gic_version;
 +    VirtIOMMUType iommu;
      struct arm_boot_info bootinfo;
      const MemMapEntry *memmap;
      const int *irqmap;
@@ -XXX,XX +XXX,XX @@ typedef struct {
      uint32_t clock_phandle;
      uint32_t gic_phandle;
      uint32_t msi_phandle;
 +    uint32_t iommu_phandle;
      int psci_conduit;
  } VirtMachineState;
 diff --git a/hw/arm/virt.c b/hw/arm/virt.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/virt.c
+--- a/target/arm/sme.decode
-+++ b/hw/arm/virt.c
++++ b/target/arm/sme.decode
 @@ -XXX,XX +XXX,XX @@
- #include "hw/smbios/smbios.h"
+ #
- #include "qapi/visitor.h"
+ # This file is processed by scripts/decodetree.py
- #include "standard-headers/linux/input.h"
+ #
-+#include "hw/arm/smmuv3.h"
++
++### SME Misc
- #define DEFINE_VIRT_MACHINE_LATEST(major, minor, latest) \
++
-     static void virt_##major##_##minor##_class_init(ObjectClass *oc, \
++ZERO            11000000 00 001 00000000000 imm:8
-@@ -XXX,XX +XXX,XX @@ static const MemMapEntry a15memmap[] = {
+diff --git a/target/arm/sme_helper.c b/target/arm/sme_helper.c
-     [VIRT_FW_CFG] =             { 0x09020000, 0x00000018 },
+index XXXXXXX..XXXXXXX 100644
-     [VIRT_GPIO] =               { 0x09030000, 0x00001000 },
+--- a/target/arm/sme_helper.c
-     [VIRT_SECURE_UART] =        { 0x09040000, 0x00001000 },
++++ b/target/arm/sme_helper.c
-+    [VIRT_SMMU] =               { 0x09050000, 0x00020000 },
+@@ -XXX,XX +XXX,XX @@ void helper_set_pstate_za(CPUARMState *env, uint32_t i)
-     [VIRT_MMIO] =               { 0x0a000000, 0x00000200 },
+         memset(env->zarray, 0, sizeof(env->zarray));
-     /* ...repeating for a total of NUM_VIRTIO_TRANSPORTS, each of that size */
+     }
      [VIRT_PLATFORM_BUS] =       { 0x0c000000, 0x02000000 },
@@ -XXX,XX +XXX,XX @@ static const int a15irqmap[] = {
      [VIRT_SECURE_UART] = 8,
      [VIRT_MMIO] = 16, /* ...to 16 + NUM_VIRTIO_TRANSPORTS - 1 */
      [VIRT_GIC_V2M] = 48, /* ...to 48 + NUM_GICV2M_SPIS - 1 */
 +    [VIRT_SMMU] = 74,    /* ...to 74 + NUM_SMMU_IRQS - 1 */
      [VIRT_PLATFORM_BUS] = 112, /* ...to 112 + PLATFORM_BUS_NUM_IRQS -1 */
  };
@@ -XXX,XX +XXX,XX @@ static void create_pcie_irq_map(const VirtMachineState *vms,
 x7           /* PCI irq */);
  }
++
--static void create_pcie(const VirtMachineState *vms, qemu_irq *pic)
++void helper_sme_zero(CPUARMState *env, uint32_t imm, uint32_t svl)
 +static void create_smmu(const VirtMachineState *vms, qemu_irq *pic,
 +                        PCIBus *bus)
 +{
-+    char *node;
++    uint32_t i;
 +    const char compat[] = "arm,smmu-v3";
 +    int irq =  vms->irqmap[VIRT_SMMU];
 +    int i;
 +    hwaddr base = vms->memmap[VIRT_SMMU].base;
 +    hwaddr size = vms->memmap[VIRT_SMMU].size;
 +    const char irq_names[] = "eventq\0priq\0cmdq-sync\0gerror";
 +    DeviceState *dev;
 +
-+    if (vms->iommu != VIRT_IOMMU_SMMUV3 || !vms->iommu_phandle) {
++    /*
 +     * Special case clearing the entire ZA space.
 +     * This falls into the CONSTRAINED UNPREDICTABLE zeroing of any
 +     * parts of the ZA storage outside of SVL.
 +     */
 +    if (imm == 0xff) {
 +        memset(env->zarray, 0, sizeof(env->zarray));
 +        return;
 +    }
 +
-+    dev = qdev_create(NULL, "arm-smmuv3");
++    /*
 +     * Recall that ZAnH.D[m] is spread across ZA[n+8*m],
 +     * so each row is discontiguous within ZA[].
 +     */
 +    for (i = 0; i < svl; i++) {
 +        if (imm & (1 << (i % 8))) {
 +            memset(&env->zarray[i], 0, svl);
 +        }
 +    }
 +}
 diff --git a/target/arm/translate-sme.c b/target/arm/translate-sme.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-sme.c
 +++ b/target/arm/translate-sme.c
@@ -XXX,XX +XXX,XX @@
   */
  #include "decode-sme.c.inc"
 +
-+    object_property_set_link(OBJECT(dev), OBJECT(bus), "primary-bus",
++
-+                             &error_abort);
++static bool trans_ZERO(DisasContext *s, arg_ZERO *a)
-+    qdev_init_nofail(dev);
++{
-+    sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, base);
++    if (!dc_isar_feature(aa64_sme, s)) {
-+    for (i = 0; i < NUM_SMMU_IRQS; i++) {
++        return false;
 +        sysbus_connect_irq(SYS_BUS_DEVICE(dev), i, pic[irq + i]);
 +    }
-+
++    if (sme_za_enabled_check(s)) {
-+    node = g_strdup_printf("/smmuv3@%" PRIx64, base);
++        gen_helper_sme_zero(cpu_env, tcg_constant_i32(a->imm),
-+    qemu_fdt_add_subnode(vms->fdt, node);
++                            tcg_constant_i32(streaming_vec_reg_size(s)));
-+    qemu_fdt_setprop(vms->fdt, node, "compatible", compat, sizeof(compat));
++    }
-+    qemu_fdt_setprop_sized_cells(vms->fdt, node, "reg", 2, base, 2, size);
++    return true;
 +
 +    qemu_fdt_setprop_cells(vms->fdt, node, "interrupts",
 +            GIC_FDT_IRQ_TYPE_SPI, irq    , GIC_FDT_IRQ_FLAGS_EDGE_LO_HI,
 +            GIC_FDT_IRQ_TYPE_SPI, irq + 1, GIC_FDT_IRQ_FLAGS_EDGE_LO_HI,
 +            GIC_FDT_IRQ_TYPE_SPI, irq + 2, GIC_FDT_IRQ_FLAGS_EDGE_LO_HI,
 +            GIC_FDT_IRQ_TYPE_SPI, irq + 3, GIC_FDT_IRQ_FLAGS_EDGE_LO_HI);
 +
 +    qemu_fdt_setprop(vms->fdt, node, "interrupt-names", irq_names,
 +                     sizeof(irq_names));
 +
 +    qemu_fdt_setprop_cell(vms->fdt, node, "clocks", vms->clock_phandle);
 +    qemu_fdt_setprop_string(vms->fdt, node, "clock-names", "apb_pclk");
 +    qemu_fdt_setprop(vms->fdt, node, "dma-coherent", NULL, 0);
 +
 +    qemu_fdt_setprop_cell(vms->fdt, node, "#iommu-cells", 1);
 +
 +    qemu_fdt_setprop_cell(vms->fdt, node, "phandle", vms->iommu_phandle);
 +    g_free(node);
 +}
-+
-+static void create_pcie(VirtMachineState *vms, qemu_irq *pic)
- {
-     hwaddr base_mmio = vms->memmap[VIRT_PCIE_MMIO].base;
-     hwaddr size_mmio = vms->memmap[VIRT_PCIE_MMIO].size;
-@@ -XXX,XX +XXX,XX @@ static void create_pcie(const VirtMachineState *vms, qemu_irq *pic)
-     qemu_fdt_setprop_cell(vms->fdt, nodename, "#interrupt-cells", 1);
-     create_pcie_irq_map(vms, vms->gic_phandle, irq, nodename);
-+    if (vms->iommu) {
-+        vms->iommu_phandle = qemu_fdt_alloc_phandle(vms->fdt);
-+
-+        create_smmu(vms, pic, pci->bus);
-+
-+        qemu_fdt_setprop_cells(vms->fdt, nodename, "iommu-map",
-+                               0x0, vms->iommu_phandle, 0x0, 0x10000);
-+    }
-+
-     g_free(nodename);
- }
 --
-.17.0
+.25.1

-New patch
+[PULL 19/45] target/arm: Implement SME MOVA
+From: Richard Henderson <richard.henderson@linaro.org>
+We can reuse the SVE functions for implementing moves to/from
+horizontal tile slices, but we need new ones for moves to/from
+vertical tile slices.
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220708151540.18136-20-richard.henderson@linaro.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/helper-sme.h    |  12 +++
+ target/arm/helper-sve.h    |   2 +
+ target/arm/translate-a64.h |   8 ++
+ target/arm/translate.h     |   5 ++
+ target/arm/sme.decode      |  15 ++++
+ target/arm/sme_helper.c    | 151 ++++++++++++++++++++++++++++++++++++-
+ target/arm/sve_helper.c    |  12 +++
+ target/arm/translate-sme.c | 127 +++++++++++++++++++++++++++++++
+files changed, 331 insertions(+), 1 deletion(-)
+diff --git a/target/arm/helper-sme.h b/target/arm/helper-sme.h
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/helper-sme.h
++++ b/target/arm/helper-sme.h
+@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_2(set_pstate_sm, TCG_CALL_NO_RWG, void, env, i32)
+ DEF_HELPER_FLAGS_2(set_pstate_za, TCG_CALL_NO_RWG, void, env, i32)
+ DEF_HELPER_FLAGS_3(sme_zero, TCG_CALL_NO_RWG, void, env, i32, i32)
++
++/* Move to/from vertical array slices, i.e. columns, so 'c'.  */
++DEF_HELPER_FLAGS_4(sme_mova_cz_b, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
++DEF_HELPER_FLAGS_4(sme_mova_zc_b, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
++DEF_HELPER_FLAGS_4(sme_mova_cz_h, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
++DEF_HELPER_FLAGS_4(sme_mova_zc_h, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
++DEF_HELPER_FLAGS_4(sme_mova_cz_s, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
++DEF_HELPER_FLAGS_4(sme_mova_zc_s, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
++DEF_HELPER_FLAGS_4(sme_mova_cz_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
++DEF_HELPER_FLAGS_4(sme_mova_zc_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
++DEF_HELPER_FLAGS_4(sme_mova_cz_q, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
++DEF_HELPER_FLAGS_4(sme_mova_zc_q, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
+diff --git a/target/arm/helper-sve.h b/target/arm/helper-sve.h
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/helper-sve.h
++++ b/target/arm/helper-sve.h
+@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_5(sve_sel_zpzz_s, TCG_CALL_NO_RWG,
+                    void, ptr, ptr, ptr, ptr, i32)
+ DEF_HELPER_FLAGS_5(sve_sel_zpzz_d, TCG_CALL_NO_RWG,
+                    void, ptr, ptr, ptr, ptr, i32)
++DEF_HELPER_FLAGS_5(sve_sel_zpzz_q, TCG_CALL_NO_RWG,
++                   void, ptr, ptr, ptr, ptr, i32)
+ DEF_HELPER_FLAGS_5(sve2_addp_zpzz_b, TCG_CALL_NO_RWG,
+                    void, ptr, ptr, ptr, ptr, i32)
+diff --git a/target/arm/translate-a64.h b/target/arm/translate-a64.h
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/translate-a64.h
++++ b/target/arm/translate-a64.h
+@@ -XXX,XX +XXX,XX @@ static inline int pred_gvec_reg_size(DisasContext *s)
+     return size_for_gvec(pred_full_reg_size(s));
+ }
++/* Return a newly allocated pointer to the predicate register.  */
++static inline TCGv_ptr pred_full_reg_ptr(DisasContext *s, int regno)
++{
++    TCGv_ptr ret = tcg_temp_new_ptr();
++    tcg_gen_addi_ptr(ret, cpu_env, pred_full_reg_offset(s, regno));
++    return ret;
++}
++
+ bool disas_sve(DisasContext *, uint32_t);
+ bool disas_sme(DisasContext *, uint32_t);
+diff --git a/target/arm/translate.h b/target/arm/translate.h
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/translate.h
++++ b/target/arm/translate.h
+@@ -XXX,XX +XXX,XX @@ static inline int plus_2(DisasContext *s, int x)
+     return x + 2;
+ }
++static inline int plus_12(DisasContext *s, int x)
++{
++    return x + 12;
++}
++
+ static inline int times_2(DisasContext *s, int x)
+ {
+     return x * 2;
+diff --git a/target/arm/sme.decode b/target/arm/sme.decode
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/sme.decode
++++ b/target/arm/sme.decode
+@@ -XXX,XX +XXX,XX @@
+ ### SME Misc
+ ZERO            11000000 00 001 00000000000 imm:8
++
++### SME Move into/from Array
++
++%mova_rs        13:2 !function=plus_12
++&mova           esz rs pg zr za_imm v:bool to_vec:bool
++
++MOVA            11000000 esz:2 00000 0 v:1 .. pg:3 zr:5 0 za_imm:4  \
++                &mova to_vec=0 rs=%mova_rs
++MOVA            11000000 11    00000 1 v:1 .. pg:3 zr:5 0 za_imm:4  \
++                &mova to_vec=0 rs=%mova_rs esz=4
++
++MOVA            11000000 esz:2 00001 0 v:1 .. pg:3 0 za_imm:4 zr:5  \
++                &mova to_vec=1 rs=%mova_rs
++MOVA            11000000 11    00001 1 v:1 .. pg:3 0 za_imm:4 zr:5  \
++                &mova to_vec=1 rs=%mova_rs esz=4
+diff --git a/target/arm/sme_helper.c b/target/arm/sme_helper.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/sme_helper.c
++++ b/target/arm/sme_helper.c
+@@ -XXX,XX +XXX,XX @@
+ #include "qemu/osdep.h"
+ #include "cpu.h"
+-#include "internals.h"
++#include "tcg/tcg-gvec-desc.h"
+ #include "exec/helper-proto.h"
++#include "qemu/int128.h"
++#include "vec_internal.h"
+ /* ResetSVEState */
+ void arm_reset_sve_state(CPUARMState *env)
+@@ -XXX,XX +XXX,XX @@ void helper_sme_zero(CPUARMState *env, uint32_t imm, uint32_t svl)
+         }
+     }
+ }
++
++
++/*
++ * When considering the ZA storage as an array of elements of
++ * type T, the index within that array of the Nth element of
++ * a vertical slice of a tile can be calculated like this,
++ * regardless of the size of type T. This is because the tiles
++ * are interleaved, so if type T is size N bytes then row 1 of
++ * the tile is N rows away from row 0. The division by N to
++ * convert a byte offset into an array index and the multiplication
++ * by N to convert from vslice-index-within-the-tile to
++ * the index within the ZA storage cancel out.
++ */
++#define tile_vslice_index(i) ((i) * sizeof(ARMVectorReg))
++
++/*
++ * When doing byte arithmetic on the ZA storage, the element
++ * byteoff bytes away in a tile vertical slice is always this
++ * many bytes away in the ZA storage, regardless of the
++ * size of the tile element, assuming that byteoff is a multiple
++ * of the element size. Again this is because of the interleaving
++ * of the tiles. For instance if we have 1 byte per element then
++ * each row of the ZA storage has one byte of the vslice data,
++ * and (counting from 0) byte 8 goes in row 8 of the storage
++ * at offset (8 * row-size-in-bytes).
++ * If we have 8 bytes per element then each row of the ZA storage
++ * has 8 bytes of the data, but there are 8 interleaved tiles and
++ * so byte 8 of the data goes into row 1 of the tile,
++ * which is again row 8 of the storage, so the offset is still
++ * (8 * row-size-in-bytes). Similarly for other element sizes.
++ */
++#define tile_vslice_offset(byteoff) ((byteoff) * sizeof(ARMVectorReg))
++
++
++/*
++ * Move Zreg vector to ZArray column.
++ */
++#define DO_MOVA_C(NAME, TYPE, H)                                        \
++void HELPER(NAME)(void *za, void *vn, void *vg, uint32_t desc)          \
++{                                                                       \
++    int i, oprsz = simd_oprsz(desc);                                    \
++    for (i = 0; i < oprsz; ) {                                          \
++        uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));                 \
++        do {                                                            \
++            if (pg & 1) {                                               \
++                *(TYPE *)(za + tile_vslice_offset(i)) = *(TYPE *)(vn + H(i)); \
++            }                                                           \
++            i += sizeof(TYPE);                                          \
++            pg >>= sizeof(TYPE);                                        \
++        } while (i & 15);                                               \
++    }                                                                   \
++}
++
++DO_MOVA_C(sme_mova_cz_b, uint8_t, H1)
++DO_MOVA_C(sme_mova_cz_h, uint16_t, H1_2)
++DO_MOVA_C(sme_mova_cz_s, uint32_t, H1_4)
++
++void HELPER(sme_mova_cz_d)(void *za, void *vn, void *vg, uint32_t desc)
++{
++    int i, oprsz = simd_oprsz(desc) / 8;
++    uint8_t *pg = vg;
++    uint64_t *n = vn;
++    uint64_t *a = za;
++
++    for (i = 0; i < oprsz; i++) {
++        if (pg[H1(i)] & 1) {
++            a[tile_vslice_index(i)] = n[i];
++        }
++    }
++}
++
++void HELPER(sme_mova_cz_q)(void *za, void *vn, void *vg, uint32_t desc)
++{
++    int i, oprsz = simd_oprsz(desc) / 16;
++    uint16_t *pg = vg;
++    Int128 *n = vn;
++    Int128 *a = za;
++
++    /*
++     * Int128 is used here simply to copy 16 bytes, and to simplify
++     * the address arithmetic.
++     */
++    for (i = 0; i < oprsz; i++) {
++        if (pg[H2(i)] & 1) {
++            a[tile_vslice_index(i)] = n[i];
++        }
++    }
++}
++
++#undef DO_MOVA_C
++
++/*
++ * Move ZArray column to Zreg vector.
++ */
++#define DO_MOVA_Z(NAME, TYPE, H)                                        \
++void HELPER(NAME)(void *vd, void *za, void *vg, uint32_t desc)          \
++{                                                                       \
++    int i, oprsz = simd_oprsz(desc);                                    \
++    for (i = 0; i < oprsz; ) {                                          \
++        uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));                 \
++        do {                                                            \
++            if (pg & 1) {                                               \
++                *(TYPE *)(vd + H(i)) = *(TYPE *)(za + tile_vslice_offset(i)); \
++            }                                                           \
++            i += sizeof(TYPE);                                          \
++            pg >>= sizeof(TYPE);                                        \
++        } while (i & 15);                                               \
++    }                                                                   \
++}
++
++DO_MOVA_Z(sme_mova_zc_b, uint8_t, H1)
++DO_MOVA_Z(sme_mova_zc_h, uint16_t, H1_2)
++DO_MOVA_Z(sme_mova_zc_s, uint32_t, H1_4)
++
++void HELPER(sme_mova_zc_d)(void *vd, void *za, void *vg, uint32_t desc)
++{
++    int i, oprsz = simd_oprsz(desc) / 8;
++    uint8_t *pg = vg;
++    uint64_t *d = vd;
++    uint64_t *a = za;
++
++    for (i = 0; i < oprsz; i++) {
++        if (pg[H1(i)] & 1) {
++            d[i] = a[tile_vslice_index(i)];
++        }
++    }
++}
++
++void HELPER(sme_mova_zc_q)(void *vd, void *za, void *vg, uint32_t desc)
++{
++    int i, oprsz = simd_oprsz(desc) / 16;
++    uint16_t *pg = vg;
++    Int128 *d = vd;
++    Int128 *a = za;
++
++    /*
++     * Int128 is used here simply to copy 16 bytes, and to simplify
++     * the address arithmetic.
++     */
++    for (i = 0; i < oprsz; i++, za += sizeof(ARMVectorReg)) {
++        if (pg[H2(i)] & 1) {
++            d[i] = a[tile_vslice_index(i)];
++        }
++    }
++}
++
++#undef DO_MOVA_Z
+diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/sve_helper.c
++++ b/target/arm/sve_helper.c
+@@ -XXX,XX +XXX,XX @@ void HELPER(sve_sel_zpzz_d)(void *vd, void *vn, void *vm,
+     }
+ }
++void HELPER(sve_sel_zpzz_q)(void *vd, void *vn, void *vm,
++                            void *vg, uint32_t desc)
++{
++    intptr_t i, opr_sz = simd_oprsz(desc) / 16;
++    Int128 *d = vd, *n = vn, *m = vm;
++    uint16_t *pg = vg;
++
++    for (i = 0; i < opr_sz; i += 1) {
++        d[i] = (pg[H2(i)] & 1 ? n : m)[i];
++    }
++}
++
+ /* Two operand comparison controlled by a predicate.
+  * ??? It is very tempting to want to be able to expand this inline
+  * with x86 instructions, e.g.
+diff --git a/target/arm/translate-sme.c b/target/arm/translate-sme.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/translate-sme.c
++++ b/target/arm/translate-sme.c
+@@ -XXX,XX +XXX,XX @@
+ #include "decode-sme.c.inc"
++/*
++ * Resolve tile.size[index] to a host pointer, where tile and index
++ * are always decoded together, dependent on the element size.
++ */
++static TCGv_ptr get_tile_rowcol(DisasContext *s, int esz, int rs,
++                                int tile_index, bool vertical)
++{
++    int tile = tile_index >> (4 - esz);
++    int index = esz == MO_128 ? 0 : extract32(tile_index, 0, 4 - esz);
++    int pos, len, offset;
++    TCGv_i32 tmp;
++    TCGv_ptr addr;
++
++    /* Compute the final index, which is Rs+imm. */
++    tmp = tcg_temp_new_i32();
++    tcg_gen_trunc_tl_i32(tmp, cpu_reg(s, rs));
++    tcg_gen_addi_i32(tmp, tmp, index);
++
++    /* Prepare a power-of-two modulo via extraction of @len bits. */
++    len = ctz32(streaming_vec_reg_size(s)) - esz;
++
++    if (vertical) {
++        /*
++         * Compute the byte offset of the index within the tile:
++         *     (index % (svl / size)) * size
++         *   = (index % (svl >> esz)) << esz
++         * Perform the power-of-two modulo via extraction of the low @len bits.
++         * Perform the multiply by shifting left by @pos bits.
++         * Perform these operations simultaneously via deposit into zero.
++         */
++        pos = esz;
++        tcg_gen_deposit_z_i32(tmp, tmp, pos, len);
++
++        /*
++         * For big-endian, adjust the indexed column byte offset within
++         * the uint64_t host words that make up env->zarray[].
++         */
++        if (HOST_BIG_ENDIAN && esz < MO_64) {
++            tcg_gen_xori_i32(tmp, tmp, 8 - (1 << esz));
++        }
++    } else {
++        /*
++         * Compute the byte offset of the index within the tile:
++         *     (index % (svl / size)) * (size * sizeof(row))
++         *   = (index % (svl >> esz)) << (esz + log2(sizeof(row)))
++         */
++        pos = esz + ctz32(sizeof(ARMVectorReg));
++        tcg_gen_deposit_z_i32(tmp, tmp, pos, len);
++
++        /* Row slices are always aligned and need no endian adjustment. */
++    }
++
++    /* The tile byte offset within env->zarray is the row. */
++    offset = tile * sizeof(ARMVectorReg);
++
++    /* Include the byte offset of zarray to make this relative to env. */
++    offset += offsetof(CPUARMState, zarray);
++    tcg_gen_addi_i32(tmp, tmp, offset);
++
++    /* Add the byte offset to env to produce the final pointer. */
++    addr = tcg_temp_new_ptr();
++    tcg_gen_ext_i32_ptr(addr, tmp);
++    tcg_temp_free_i32(tmp);
++    tcg_gen_add_ptr(addr, addr, cpu_env);
++
++    return addr;
++}
++
+ static bool trans_ZERO(DisasContext *s, arg_ZERO *a)
+ {
+     if (!dc_isar_feature(aa64_sme, s)) {
+@@ -XXX,XX +XXX,XX @@ static bool trans_ZERO(DisasContext *s, arg_ZERO *a)
+     }
+     return true;
+ }
++
++static bool trans_MOVA(DisasContext *s, arg_MOVA *a)
++{
++    static gen_helper_gvec_4 * const h_fns[5] = {
++        gen_helper_sve_sel_zpzz_b, gen_helper_sve_sel_zpzz_h,
++        gen_helper_sve_sel_zpzz_s, gen_helper_sve_sel_zpzz_d,
++        gen_helper_sve_sel_zpzz_q
++    };
++    static gen_helper_gvec_3 * const cz_fns[5] = {
++        gen_helper_sme_mova_cz_b, gen_helper_sme_mova_cz_h,
++        gen_helper_sme_mova_cz_s, gen_helper_sme_mova_cz_d,
++        gen_helper_sme_mova_cz_q,
++    };
++    static gen_helper_gvec_3 * const zc_fns[5] = {
++        gen_helper_sme_mova_zc_b, gen_helper_sme_mova_zc_h,
++        gen_helper_sme_mova_zc_s, gen_helper_sme_mova_zc_d,
++        gen_helper_sme_mova_zc_q,
++    };
++
++    TCGv_ptr t_za, t_zr, t_pg;
++    TCGv_i32 t_desc;
++    int svl;
++
++    if (!dc_isar_feature(aa64_sme, s)) {
++        return false;
++    }
++    if (!sme_smza_enabled_check(s)) {
++        return true;
++    }
++
++    t_za = get_tile_rowcol(s, a->esz, a->rs, a->za_imm, a->v);
++    t_zr = vec_full_reg_ptr(s, a->zr);
++    t_pg = pred_full_reg_ptr(s, a->pg);
++
++    svl = streaming_vec_reg_size(s);
++    t_desc = tcg_constant_i32(simd_desc(svl, svl, 0));
++
++    if (a->v) {
++        /* Vertical slice -- use sme mova helpers. */
++        if (a->to_vec) {
++            zc_fns[a->esz](t_zr, t_za, t_pg, t_desc);
++        } else {
++            cz_fns[a->esz](t_za, t_zr, t_pg, t_desc);
++        }
++    } else {
++        /* Horizontal slice -- reuse sve sel helpers. */
++        if (a->to_vec) {
++            h_fns[a->esz](t_zr, t_za, t_zr, t_pg, t_desc);
++        } else {
++            h_fns[a->esz](t_za, t_zr, t_za, t_pg, t_desc);
++        }
++    }
++
++    tcg_temp_free_ptr(t_za);
++    tcg_temp_free_ptr(t_zr);
++    tcg_temp_free_ptr(t_pg);
++
++    return true;
++}
+--
+.25.1

-[Qemu-devel] [PULL 13/24] hw/arm/smmu-common: VMSAv8-64 page table walk
+[PULL 20/45] target/arm: Implement SME LD1, ST1
-From: Eric Auger <eric.auger@redhat.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-This patch implements the page table walk for VMSAv8-64.
+We cannot reuse the SVE functions for LD[1-4] and ST[1-4],
 because those functions accept only a Zreg register number.
 For SME, we want to pass a pointer into ZA storage.
-Signed-off-by: Eric Auger <eric.auger@redhat.com>
-Signed-off-by: Prem Mallappa <prem.mallappa@broadcom.com>
-Message-id: 1524665762-31355-4-git-send-email-eric.auger@redhat.com
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220708151540.18136-21-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/smmu-internal.h       |  99 ++++++++++++++++
+ target/arm/helper-sme.h    |  82 +++++
- include/hw/arm/smmu-common.h |  14 +++
+ target/arm/sme.decode      |   9 +
- hw/arm/smmu-common.c         | 222 +++++++++++++++++++++++++++++++++++
+ target/arm/sme_helper.c    | 595 +++++++++++++++++++++++++++++++++++++
- hw/arm/trace-events          |   9 +-
+ target/arm/translate-sme.c |  70 +++++
-files changed, 343 insertions(+), 1 deletion(-)
+files changed, 756 insertions(+)
  create mode 100644 hw/arm/smmu-internal.h
-diff --git a/hw/arm/smmu-internal.h b/hw/arm/smmu-internal.h
+diff --git a/target/arm/helper-sme.h b/target/arm/helper-sme.h
-new file mode 100644
+index XXXXXXX..XXXXXXX 100644
-index XXXXXXX..XXXXXXX
+--- a/target/arm/helper-sme.h
---- /dev/null
++++ b/target/arm/helper-sme.h
-+++ b/hw/arm/smmu-internal.h
+@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_4(sme_mova_cz_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
  DEF_HELPER_FLAGS_4(sme_mova_zc_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
  DEF_HELPER_FLAGS_4(sme_mova_cz_q, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
  DEF_HELPER_FLAGS_4(sme_mova_zc_q, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 +
 +DEF_HELPER_FLAGS_5(sme_ld1b_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1b_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1b_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1b_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +
 +DEF_HELPER_FLAGS_5(sme_ld1h_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1h_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1h_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1h_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1h_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1h_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1h_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1h_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +
 +DEF_HELPER_FLAGS_5(sme_ld1s_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1s_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1s_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1s_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1s_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1s_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1s_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1s_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +
 +DEF_HELPER_FLAGS_5(sme_ld1d_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1d_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1d_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1d_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1d_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1d_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1d_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1d_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +
 +DEF_HELPER_FLAGS_5(sme_ld1q_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1q_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1q_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1q_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1q_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1q_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1q_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_ld1q_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +
 +DEF_HELPER_FLAGS_5(sme_st1b_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1b_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1b_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1b_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +
 +DEF_HELPER_FLAGS_5(sme_st1h_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1h_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1h_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1h_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1h_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1h_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1h_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1h_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +
 +DEF_HELPER_FLAGS_5(sme_st1s_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1s_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1s_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1s_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1s_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1s_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1s_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1s_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +
 +DEF_HELPER_FLAGS_5(sme_st1d_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1d_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1d_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1d_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1d_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1d_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1d_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1d_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +
 +DEF_HELPER_FLAGS_5(sme_st1q_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1q_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1q_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1q_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1q_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1q_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1q_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 +DEF_HELPER_FLAGS_5(sme_st1q_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 diff --git a/target/arm/sme.decode b/target/arm/sme.decode
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/sme.decode
 +++ b/target/arm/sme.decode
@@ -XXX,XX +XXX,XX @@ MOVA            11000000 esz:2 00001 0 v:1 .. pg:3 0 za_imm:4 zr:5  \
                  &mova to_vec=1 rs=%mova_rs
  MOVA            11000000 11    00001 1 v:1 .. pg:3 0 za_imm:4 zr:5  \
                  &mova to_vec=1 rs=%mova_rs esz=4
 +
 +### SME Memory
 +
 +&ldst           esz rs pg rn rm za_imm v:bool st:bool
 +
 +LDST1           1110000 0 esz:2 st:1 rm:5 v:1 .. pg:3 rn:5 0 za_imm:4  \
 +                &ldst rs=%mova_rs
 +LDST1           1110000 111     st:1 rm:5 v:1 .. pg:3 rn:5 0 za_imm:4  \
 +                &ldst esz=4 rs=%mova_rs
 diff --git a/target/arm/sme_helper.c b/target/arm/sme_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/sme_helper.c
 +++ b/target/arm/sme_helper.c
 @@ -XXX,XX +XXX,XX @@
+ #include "qemu/osdep.h"
+ #include "cpu.h"
++#include "internals.h"
+ #include "tcg/tcg-gvec-desc.h"
+ #include "exec/helper-proto.h"
++#include "exec/cpu_ldst.h"
++#include "exec/exec-all.h"
+ #include "qemu/int128.h"
+ #include "vec_internal.h"
++#include "sve_ldst_internal.h"
+ /* ResetSVEState */
+ void arm_reset_sve_state(CPUARMState *env)
+@@ -XXX,XX +XXX,XX @@ void HELPER(sme_mova_zc_q)(void *vd, void *za, void *vg, uint32_t desc)
+ }
+ #undef DO_MOVA_Z
++
 +/*
-+ * ARM SMMU support - Internal API
++ * Clear elements in a tile slice comprising len bytes.
 + *
 + * Copyright (c) 2017 Red Hat, Inc.
 + * Copyright (C) 2014-2016 Broadcom Corporation
 + * Written by Prem Mallappa, Eric Auger
 + *
 + * This program is free software; you can redistribute it and/or modify
 + * it under the terms of the GNU General Public License version 2 as
 + * published by the Free Software Foundation.
 + *
 + * This program is distributed in the hope that it will be useful,
 + * but WITHOUT ANY WARRANTY; without even the implied warranty of
 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 + * General Public License for more details.
 + *
 + * You should have received a copy of the GNU General Public License along
 + * with this program; if not, see <http://www.gnu.org/licenses/>.
 + */
 +
-+#ifndef HW_ARM_SMMU_INTERNAL_H
++typedef void ClearFn(void *ptr, size_t off, size_t len);
-+#define HW_ARM_SMMU_INTERNAL_H
++
-+
++static void clear_horizontal(void *ptr, size_t off, size_t len)
-+#define TBI0(tbi) ((tbi) & 0x1)
++{
-+#define TBI1(tbi) ((tbi) & 0x2 >> 1)
++    memset(ptr + off, 0, len);
-+
++}
-+/* PTE Manipulation */
++
-+
++static void clear_vertical_b(void *vptr, size_t off, size_t len)
-+#define ARM_LPAE_PTE_TYPE_SHIFT         0
++{
-+#define ARM_LPAE_PTE_TYPE_MASK          0x3
++    for (size_t i = 0; i < len; ++i) {
-+
++        *(uint8_t *)(vptr + tile_vslice_offset(i + off)) = 0;
-+#define ARM_LPAE_PTE_TYPE_BLOCK         1
++    }
-+#define ARM_LPAE_PTE_TYPE_TABLE         3
++}
 +
-+#define ARM_LPAE_L3_PTE_TYPE_RESERVED   1
++static void clear_vertical_h(void *vptr, size_t off, size_t len)
-+#define ARM_LPAE_L3_PTE_TYPE_PAGE       3
++{
-+
++    for (size_t i = 0; i < len; i += 2) {
-+#define ARM_LPAE_PTE_VALID              (1 << 0)
++        *(uint16_t *)(vptr + tile_vslice_offset(i + off)) = 0;
-+
++    }
-+#define PTE_ADDRESS(pte, shift) \
++}
-+    (extract64(pte, shift, 47 - shift + 1) << shift)
++
-+
++static void clear_vertical_s(void *vptr, size_t off, size_t len)
-+#define is_invalid_pte(pte) (!(pte & ARM_LPAE_PTE_VALID))
++{
-+
++    for (size_t i = 0; i < len; i += 4) {
-+#define is_reserved_pte(pte, level)                                      \
++        *(uint32_t *)(vptr + tile_vslice_offset(i + off)) = 0;
-+    ((level == 3) &&                                                     \
++    }
-+     ((pte & ARM_LPAE_PTE_TYPE_MASK) == ARM_LPAE_L3_PTE_TYPE_RESERVED))
++}
 +
-+#define is_block_pte(pte, level)                                         \
++static void clear_vertical_d(void *vptr, size_t off, size_t len)
-+    ((level < 3) &&                                                      \
++{
-+     ((pte & ARM_LPAE_PTE_TYPE_MASK) == ARM_LPAE_PTE_TYPE_BLOCK))
++    for (size_t i = 0; i < len; i += 8) {
-+
++        *(uint64_t *)(vptr + tile_vslice_offset(i + off)) = 0;
-+#define is_table_pte(pte, level)                                        \
++    }
-+    ((level < 3) &&                                                     \
++}
-+     ((pte & ARM_LPAE_PTE_TYPE_MASK) == ARM_LPAE_PTE_TYPE_TABLE))
++
-+
++static void clear_vertical_q(void *vptr, size_t off, size_t len)
-+#define is_page_pte(pte, level)                                         \
++{
-+    ((level == 3) &&                                                    \
++    for (size_t i = 0; i < len; i += 16) {
-+     ((pte & ARM_LPAE_PTE_TYPE_MASK) == ARM_LPAE_L3_PTE_TYPE_PAGE))
++        memset(vptr + tile_vslice_offset(i + off), 0, 16);
-+
++    }
-+/* access permissions */
++}
 +
 +#define PTE_AP(pte) \
 +    (extract64(pte, 6, 2))
 +
 +#define PTE_APTABLE(pte) \
 +    (extract64(pte, 61, 2))
 +
 +/*
-+ * TODO: At the moment all transactions are considered as privileged (EL1)
++ * Copy elements from an array into a tile slice comprising len bytes.
 + * as IOMMU translation callback does not pass user/priv attributes.
 + */
-+#define is_permission_fault(ap, perm) \
++
-+    (((perm) & IOMMU_WO) && ((ap) & 0x2))
++typedef void CopyFn(void *dst, const void *src, size_t len);
 +
-+#define PTE_AP_TO_PERM(ap) \
++static void copy_horizontal(void *dst, const void *src, size_t len)
-+    (IOMMU_ACCESS_FLAG(true, !((ap) & 0x2)))
++{
-+
++    memcpy(dst, src, len);
-+/* Level Indexing */
++}
 +
-+static inline int level_shift(int level, int granule_sz)
++static void copy_vertical_b(void *vdst, const void *vsrc, size_t len)
 +{
-+    return granule_sz + (3 - level) * (granule_sz - 3);
++    const uint8_t *src = vsrc;
-+}
++    uint8_t *dst = vdst;
-+
++    size_t i;
-+static inline uint64_t level_page_mask(int level, int granule_sz)
++
-+{
++    for (i = 0; i < len; ++i) {
-+    return ~(MAKE_64BIT_MASK(0, level_shift(level, granule_sz)));
++        dst[tile_vslice_index(i)] = src[i];
-+}
++    }
-+
++}
-+static inline
++
-+uint64_t iova_level_offset(uint64_t iova, int inputsize,
++static void copy_vertical_h(void *vdst, const void *vsrc, size_t len)
-+                           int level, int gsz)
++{
-+{
++    const uint16_t *src = vsrc;
-+    return ((iova & MAKE_64BIT_MASK(0, inputsize)) >> level_shift(level, gsz)) &
++    uint16_t *dst = vdst;
-+            MAKE_64BIT_MASK(0, gsz - 3);
++    size_t i;
-+}
++
-+
++    for (i = 0; i < len / 2; ++i) {
 +        dst[tile_vslice_index(i)] = src[i];
 +    }
 +}
 +
 +static void copy_vertical_s(void *vdst, const void *vsrc, size_t len)
 +{
 +    const uint32_t *src = vsrc;
 +    uint32_t *dst = vdst;
 +    size_t i;
 +
 +    for (i = 0; i < len / 4; ++i) {
 +        dst[tile_vslice_index(i)] = src[i];
 +    }
 +}
 +
 +static void copy_vertical_d(void *vdst, const void *vsrc, size_t len)
 +{
 +    const uint64_t *src = vsrc;
 +    uint64_t *dst = vdst;
 +    size_t i;
 +
 +    for (i = 0; i < len / 8; ++i) {
 +        dst[tile_vslice_index(i)] = src[i];
 +    }
 +}
 +
 +static void copy_vertical_q(void *vdst, const void *vsrc, size_t len)
 +{
 +    for (size_t i = 0; i < len; i += 16) {
 +        memcpy(vdst + tile_vslice_offset(i), vsrc + i, 16);
 +    }
 +}
 +
 +/*
 + * Host and TLB primitives for vertical tile slice addressing.
 + */
 +
 +#define DO_LD(NAME, TYPE, HOST, TLB)                                        \
 +static inline void sme_##NAME##_v_host(void *za, intptr_t off, void *host)  \
 +{                                                                           \
 +    TYPE val = HOST(host);                                                  \
 +    *(TYPE *)(za + tile_vslice_offset(off)) = val;                          \
 +}                                                                           \
 +static inline void sme_##NAME##_v_tlb(CPUARMState *env, void *za,           \
 +                        intptr_t off, target_ulong addr, uintptr_t ra)      \
 +{                                                                           \
 +    TYPE val = TLB(env, useronly_clean_ptr(addr), ra);                      \
 +    *(TYPE *)(za + tile_vslice_offset(off)) = val;                          \
 +}
 +
 +#define DO_ST(NAME, TYPE, HOST, TLB)                                        \
 +static inline void sme_##NAME##_v_host(void *za, intptr_t off, void *host)  \
 +{                                                                           \
 +    TYPE val = *(TYPE *)(za + tile_vslice_offset(off));                     \
 +    HOST(host, val);                                                        \
 +}                                                                           \
 +static inline void sme_##NAME##_v_tlb(CPUARMState *env, void *za,           \
 +                        intptr_t off, target_ulong addr, uintptr_t ra)      \
 +{                                                                           \
 +    TYPE val = *(TYPE *)(za + tile_vslice_offset(off));                     \
 +    TLB(env, useronly_clean_ptr(addr), val, ra);                            \
 +}
 +
 +/*
 + * The ARMVectorReg elements are stored in host-endian 64-bit units.
 + * For 128-bit quantities, the sequence defined by the Elem[] pseudocode
 + * corresponds to storing the two 64-bit pieces in little-endian order.
 + */
 +#define DO_LDQ(HNAME, VNAME, BE, HOST, TLB)                                 \
 +static inline void HNAME##_host(void *za, intptr_t off, void *host)         \
 +{                                                                           \
 +    uint64_t val0 = HOST(host), val1 = HOST(host + 8);                      \
 +    uint64_t *ptr = za + off;                                               \
 +    ptr[0] = BE ? val1 : val0, ptr[1] = BE ? val0 : val1;                   \
 +}                                                                           \
 +static inline void VNAME##_v_host(void *za, intptr_t off, void *host)       \
 +{                                                                           \
 +    HNAME##_host(za, tile_vslice_offset(off), host);                        \
 +}                                                                           \
 +static inline void HNAME##_tlb(CPUARMState *env, void *za, intptr_t off,    \
 +                               target_ulong addr, uintptr_t ra)             \
 +{                                                                           \
 +    uint64_t val0 = TLB(env, useronly_clean_ptr(addr), ra);                 \
 +    uint64_t val1 = TLB(env, useronly_clean_ptr(addr + 8), ra);             \
 +    uint64_t *ptr = za + off;                                               \
 +    ptr[0] = BE ? val1 : val0, ptr[1] = BE ? val0 : val1;                   \
 +}                                                                           \
 +static inline void VNAME##_v_tlb(CPUARMState *env, void *za, intptr_t off,  \
 +                               target_ulong addr, uintptr_t ra)             \
 +{                                                                           \
 +    HNAME##_tlb(env, za, tile_vslice_offset(off), addr, ra);                \
 +}
 +
 +#define DO_STQ(HNAME, VNAME, BE, HOST, TLB)                                 \
 +static inline void HNAME##_host(void *za, intptr_t off, void *host)         \
 +{                                                                           \
 +    uint64_t *ptr = za + off;                                               \
 +    HOST(host, ptr[BE]);                                                    \
 +    HOST(host + 1, ptr[!BE]);                                               \
 +}                                                                           \
 +static inline void VNAME##_v_host(void *za, intptr_t off, void *host)       \
 +{                                                                           \
 +    HNAME##_host(za, tile_vslice_offset(off), host);                        \
 +}                                                                           \
 +static inline void HNAME##_tlb(CPUARMState *env, void *za, intptr_t off,    \
 +                               target_ulong addr, uintptr_t ra)             \
 +{                                                                           \
 +    uint64_t *ptr = za + off;                                               \
 +    TLB(env, useronly_clean_ptr(addr), ptr[BE], ra);                        \
 +    TLB(env, useronly_clean_ptr(addr + 8), ptr[!BE], ra);                   \
 +}                                                                           \
 +static inline void VNAME##_v_tlb(CPUARMState *env, void *za, intptr_t off,  \
 +                               target_ulong addr, uintptr_t ra)             \
 +{                                                                           \
 +    HNAME##_tlb(env, za, tile_vslice_offset(off), addr, ra);                \
 +}
 +
 +DO_LD(ld1b, uint8_t, ldub_p, cpu_ldub_data_ra)
 +DO_LD(ld1h_be, uint16_t, lduw_be_p, cpu_lduw_be_data_ra)
 +DO_LD(ld1h_le, uint16_t, lduw_le_p, cpu_lduw_le_data_ra)
 +DO_LD(ld1s_be, uint32_t, ldl_be_p, cpu_ldl_be_data_ra)
 +DO_LD(ld1s_le, uint32_t, ldl_le_p, cpu_ldl_le_data_ra)
 +DO_LD(ld1d_be, uint64_t, ldq_be_p, cpu_ldq_be_data_ra)
 +DO_LD(ld1d_le, uint64_t, ldq_le_p, cpu_ldq_le_data_ra)
 +
 +DO_LDQ(sve_ld1qq_be, sme_ld1q_be, 1, ldq_be_p, cpu_ldq_be_data_ra)
 +DO_LDQ(sve_ld1qq_le, sme_ld1q_le, 0, ldq_le_p, cpu_ldq_le_data_ra)
 +
 +DO_ST(st1b, uint8_t, stb_p, cpu_stb_data_ra)
 +DO_ST(st1h_be, uint16_t, stw_be_p, cpu_stw_be_data_ra)
 +DO_ST(st1h_le, uint16_t, stw_le_p, cpu_stw_le_data_ra)
 +DO_ST(st1s_be, uint32_t, stl_be_p, cpu_stl_be_data_ra)
 +DO_ST(st1s_le, uint32_t, stl_le_p, cpu_stl_le_data_ra)
 +DO_ST(st1d_be, uint64_t, stq_be_p, cpu_stq_be_data_ra)
 +DO_ST(st1d_le, uint64_t, stq_le_p, cpu_stq_le_data_ra)
 +
 +DO_STQ(sve_st1qq_be, sme_st1q_be, 1, stq_be_p, cpu_stq_be_data_ra)
 +DO_STQ(sve_st1qq_le, sme_st1q_le, 0, stq_le_p, cpu_stq_le_data_ra)
 +
 +#undef DO_LD
 +#undef DO_ST
 +#undef DO_LDQ
 +#undef DO_STQ
 +
 +/*
 + * Common helper for all contiguous predicated loads.
 + */
 +
 +static inline QEMU_ALWAYS_INLINE
 +void sme_ld1(CPUARMState *env, void *za, uint64_t *vg,
 +             const target_ulong addr, uint32_t desc, const uintptr_t ra,
 +             const int esz, uint32_t mtedesc, bool vertical,
 +             sve_ldst1_host_fn *host_fn,
 +             sve_ldst1_tlb_fn *tlb_fn,
 +             ClearFn *clr_fn,
 +             CopyFn *cpy_fn)
 +{
 +    const intptr_t reg_max = simd_oprsz(desc);
 +    const intptr_t esize = 1 << esz;
 +    intptr_t reg_off, reg_last;
 +    SVEContLdSt info;
 +    void *host;
 +    int flags;
 +
 +    /* Find the active elements.  */
 +    if (!sve_cont_ldst_elements(&info, addr, vg, reg_max, esz, esize)) {
 +        /* The entire predicate was false; no load occurs.  */
 +        clr_fn(za, 0, reg_max);
 +        return;
 +    }
 +
 +    /* Probe the page(s).  Exit with exception for any invalid page. */
 +    sve_cont_ldst_pages(&info, FAULT_ALL, env, addr, MMU_DATA_LOAD, ra);
 +
 +    /* Handle watchpoints for all active elements. */
 +    sve_cont_ldst_watchpoints(&info, env, vg, addr, esize, esize,
 +                              BP_MEM_READ, ra);
 +
 +    /*
 +     * Handle mte checks for all active elements.
 +     * Since TBI must be set for MTE, !mtedesc => !mte_active.
 +     */
 +    if (mtedesc) {
 +        sve_cont_ldst_mte_check(&info, env, vg, addr, esize, esize,
 +                                mtedesc, ra);
 +    }
 +
 +    flags = info.page[0].flags | info.page[1].flags;
 +    if (unlikely(flags != 0)) {
 +#ifdef CONFIG_USER_ONLY
 +        g_assert_not_reached();
 +#else
 +        /*
 +         * At least one page includes MMIO.
 +         * Any bus operation can fail with cpu_transaction_failed,
 +         * which for ARM will raise SyncExternal.  Perform the load
 +         * into scratch memory to preserve register state until the end.
 +         */
 +        ARMVectorReg scratch = { };
 +
 +        reg_off = info.reg_off_first[0];
 +        reg_last = info.reg_off_last[1];
 +        if (reg_last < 0) {
 +            reg_last = info.reg_off_split;
 +            if (reg_last < 0) {
 +                reg_last = info.reg_off_last[0];
 +            }
 +        }
 +
 +        do {
 +            uint64_t pg = vg[reg_off >> 6];
 +            do {
 +                if ((pg >> (reg_off & 63)) & 1) {
 +                    tlb_fn(env, &scratch, reg_off, addr + reg_off, ra);
 +                }
 +                reg_off += esize;
 +            } while (reg_off & 63);
 +        } while (reg_off <= reg_last);
 +
 +        cpy_fn(za, &scratch, reg_max);
 +        return;
 +#endif
-diff --git a/include/hw/arm/smmu-common.h b/include/hw/arm/smmu-common.h
++    }
 +
 +    /* The entire operation is in RAM, on valid pages. */
 +
 +    reg_off = info.reg_off_first[0];
 +    reg_last = info.reg_off_last[0];
 +    host = info.page[0].host;
 +
 +    if (!vertical) {
 +        memset(za, 0, reg_max);
 +    } else if (reg_off) {
 +        clr_fn(za, 0, reg_off);
 +    }
 +
 +    while (reg_off <= reg_last) {
 +        uint64_t pg = vg[reg_off >> 6];
 +        do {
 +            if ((pg >> (reg_off & 63)) & 1) {
 +                host_fn(za, reg_off, host + reg_off);
 +            } else if (vertical) {
 +                clr_fn(za, reg_off, esize);
 +            }
 +            reg_off += esize;
 +        } while (reg_off <= reg_last && (reg_off & 63));
 +    }
 +
 +    /*
 +     * Use the slow path to manage the cross-page misalignment.
 +     * But we know this is RAM and cannot trap.
 +     */
 +    reg_off = info.reg_off_split;
 +    if (unlikely(reg_off >= 0)) {
 +        tlb_fn(env, za, reg_off, addr + reg_off, ra);
 +    }
 +
 +    reg_off = info.reg_off_first[1];
 +    if (unlikely(reg_off >= 0)) {
 +        reg_last = info.reg_off_last[1];
 +        host = info.page[1].host;
 +
 +        do {
 +            uint64_t pg = vg[reg_off >> 6];
 +            do {
 +                if ((pg >> (reg_off & 63)) & 1) {
 +                    host_fn(za, reg_off, host + reg_off);
 +                } else if (vertical) {
 +                    clr_fn(za, reg_off, esize);
 +                }
 +                reg_off += esize;
 +            } while (reg_off & 63);
 +        } while (reg_off <= reg_last);
 +    }
 +}
 +
 +static inline QEMU_ALWAYS_INLINE
 +void sme_ld1_mte(CPUARMState *env, void *za, uint64_t *vg,
 +                 target_ulong addr, uint32_t desc, uintptr_t ra,
 +                 const int esz, bool vertical,
 +                 sve_ldst1_host_fn *host_fn,
 +                 sve_ldst1_tlb_fn *tlb_fn,
 +                 ClearFn *clr_fn,
 +                 CopyFn *cpy_fn)
 +{
 +    uint32_t mtedesc = desc >> (SIMD_DATA_SHIFT + SVE_MTEDESC_SHIFT);
 +    int bit55 = extract64(addr, 55, 1);
 +
 +    /* Remove mtedesc from the normal sve descriptor. */
 +    desc = extract32(desc, 0, SIMD_DATA_SHIFT + SVE_MTEDESC_SHIFT);
 +
 +    /* Perform gross MTE suppression early. */
 +    if (!tbi_check(desc, bit55) ||
 +        tcma_check(desc, bit55, allocation_tag_from_addr(addr))) {
 +        mtedesc = 0;
 +    }
 +
 +    sme_ld1(env, za, vg, addr, desc, ra, esz, mtedesc, vertical,
 +            host_fn, tlb_fn, clr_fn, cpy_fn);
 +}
 +
 +#define DO_LD(L, END, ESZ)                                                 \
 +void HELPER(sme_ld1##L##END##_h)(CPUARMState *env, void *za, void *vg,     \
 +                                 target_ulong addr, uint32_t desc)         \
 +{                                                                          \
 +    sme_ld1(env, za, vg, addr, desc, GETPC(), ESZ, 0, false,               \
 +            sve_ld1##L##L##END##_host, sve_ld1##L##L##END##_tlb,           \
 +            clear_horizontal, copy_horizontal);                            \
 +}                                                                          \
 +void HELPER(sme_ld1##L##END##_v)(CPUARMState *env, void *za, void *vg,     \
 +                                 target_ulong addr, uint32_t desc)         \
 +{                                                                          \
 +    sme_ld1(env, za, vg, addr, desc, GETPC(), ESZ, 0, true,                \
 +            sme_ld1##L##END##_v_host, sme_ld1##L##END##_v_tlb,             \
 +            clear_vertical_##L, copy_vertical_##L);                        \
 +}                                                                          \
 +void HELPER(sme_ld1##L##END##_h_mte)(CPUARMState *env, void *za, void *vg, \
 +                                     target_ulong addr, uint32_t desc)     \
 +{                                                                          \
 +    sme_ld1_mte(env, za, vg, addr, desc, GETPC(), ESZ, false,              \
 +                sve_ld1##L##L##END##_host, sve_ld1##L##L##END##_tlb,       \
 +                clear_horizontal, copy_horizontal);                        \
 +}                                                                          \
 +void HELPER(sme_ld1##L##END##_v_mte)(CPUARMState *env, void *za, void *vg, \
 +                                     target_ulong addr, uint32_t desc)     \
 +{                                                                          \
 +    sme_ld1_mte(env, za, vg, addr, desc, GETPC(), ESZ, true,               \
 +                sme_ld1##L##END##_v_host, sme_ld1##L##END##_v_tlb,         \
 +                clear_vertical_##L, copy_vertical_##L);                    \
 +}
 +
 +DO_LD(b, , MO_8)
 +DO_LD(h, _be, MO_16)
 +DO_LD(h, _le, MO_16)
 +DO_LD(s, _be, MO_32)
 +DO_LD(s, _le, MO_32)
 +DO_LD(d, _be, MO_64)
 +DO_LD(d, _le, MO_64)
 +DO_LD(q, _be, MO_128)
 +DO_LD(q, _le, MO_128)
 +
 +#undef DO_LD
 +
 +/*
 + * Common helper for all contiguous predicated stores.
 + */
 +
 +static inline QEMU_ALWAYS_INLINE
 +void sme_st1(CPUARMState *env, void *za, uint64_t *vg,
 +             const target_ulong addr, uint32_t desc, const uintptr_t ra,
 +             const int esz, uint32_t mtedesc, bool vertical,
 +             sve_ldst1_host_fn *host_fn,
 +             sve_ldst1_tlb_fn *tlb_fn)
 +{
 +    const intptr_t reg_max = simd_oprsz(desc);
 +    const intptr_t esize = 1 << esz;
 +    intptr_t reg_off, reg_last;
 +    SVEContLdSt info;
 +    void *host;
 +    int flags;
 +
 +    /* Find the active elements.  */
 +    if (!sve_cont_ldst_elements(&info, addr, vg, reg_max, esz, esize)) {
 +        /* The entire predicate was false; no store occurs.  */
 +        return;
 +    }
 +
 +    /* Probe the page(s).  Exit with exception for any invalid page. */
 +    sve_cont_ldst_pages(&info, FAULT_ALL, env, addr, MMU_DATA_STORE, ra);
 +
 +    /* Handle watchpoints for all active elements. */
 +    sve_cont_ldst_watchpoints(&info, env, vg, addr, esize, esize,
 +                              BP_MEM_WRITE, ra);
 +
 +    /*
 +     * Handle mte checks for all active elements.
 +     * Since TBI must be set for MTE, !mtedesc => !mte_active.
 +     */
 +    if (mtedesc) {
 +        sve_cont_ldst_mte_check(&info, env, vg, addr, esize, esize,
 +                                mtedesc, ra);
 +    }
 +
 +    flags = info.page[0].flags | info.page[1].flags;
 +    if (unlikely(flags != 0)) {
 +#ifdef CONFIG_USER_ONLY
 +        g_assert_not_reached();
 +#else
 +        /*
 +         * At least one page includes MMIO.
 +         * Any bus operation can fail with cpu_transaction_failed,
 +         * which for ARM will raise SyncExternal.  We cannot avoid
 +         * this fault and will leave with the store incomplete.
 +         */
 +        reg_off = info.reg_off_first[0];
 +        reg_last = info.reg_off_last[1];
 +        if (reg_last < 0) {
 +            reg_last = info.reg_off_split;
 +            if (reg_last < 0) {
 +                reg_last = info.reg_off_last[0];
 +            }
 +        }
 +
 +        do {
 +            uint64_t pg = vg[reg_off >> 6];
 +            do {
 +                if ((pg >> (reg_off & 63)) & 1) {
 +                    tlb_fn(env, za, reg_off, addr + reg_off, ra);
 +                }
 +                reg_off += esize;
 +            } while (reg_off & 63);
 +        } while (reg_off <= reg_last);
 +        return;
 +#endif
 +    }
 +
 +    reg_off = info.reg_off_first[0];
 +    reg_last = info.reg_off_last[0];
 +    host = info.page[0].host;
 +
 +    while (reg_off <= reg_last) {
 +        uint64_t pg = vg[reg_off >> 6];
 +        do {
 +            if ((pg >> (reg_off & 63)) & 1) {
 +                host_fn(za, reg_off, host + reg_off);
 +            }
 +            reg_off += 1 << esz;
 +        } while (reg_off <= reg_last && (reg_off & 63));
 +    }
 +
 +    /*
 +     * Use the slow path to manage the cross-page misalignment.
 +     * But we know this is RAM and cannot trap.
 +     */
 +    reg_off = info.reg_off_split;
 +    if (unlikely(reg_off >= 0)) {
 +        tlb_fn(env, za, reg_off, addr + reg_off, ra);
 +    }
 +
 +    reg_off = info.reg_off_first[1];
 +    if (unlikely(reg_off >= 0)) {
 +        reg_last = info.reg_off_last[1];
 +        host = info.page[1].host;
 +
 +        do {
 +            uint64_t pg = vg[reg_off >> 6];
 +            do {
 +                if ((pg >> (reg_off & 63)) & 1) {
 +                    host_fn(za, reg_off, host + reg_off);
 +                }
 +                reg_off += 1 << esz;
 +            } while (reg_off & 63);
 +        } while (reg_off <= reg_last);
 +    }
 +}
 +
 +static inline QEMU_ALWAYS_INLINE
 +void sme_st1_mte(CPUARMState *env, void *za, uint64_t *vg, target_ulong addr,
 +                 uint32_t desc, uintptr_t ra, int esz, bool vertical,
 +                 sve_ldst1_host_fn *host_fn,
 +                 sve_ldst1_tlb_fn *tlb_fn)
 +{
 +    uint32_t mtedesc = desc >> (SIMD_DATA_SHIFT + SVE_MTEDESC_SHIFT);
 +    int bit55 = extract64(addr, 55, 1);
 +
 +    /* Remove mtedesc from the normal sve descriptor. */
 +    desc = extract32(desc, 0, SIMD_DATA_SHIFT + SVE_MTEDESC_SHIFT);
 +
 +    /* Perform gross MTE suppression early. */
 +    if (!tbi_check(desc, bit55) ||
 +        tcma_check(desc, bit55, allocation_tag_from_addr(addr))) {
 +        mtedesc = 0;
 +    }
 +
 +    sme_st1(env, za, vg, addr, desc, ra, esz, mtedesc,
 +            vertical, host_fn, tlb_fn);
 +}
 +
 +#define DO_ST(L, END, ESZ)                                                 \
 +void HELPER(sme_st1##L##END##_h)(CPUARMState *env, void *za, void *vg,     \
 +                                 target_ulong addr, uint32_t desc)         \
 +{                                                                          \
 +    sme_st1(env, za, vg, addr, desc, GETPC(), ESZ, 0, false,               \
 +            sve_st1##L##L##END##_host, sve_st1##L##L##END##_tlb);          \
 +}                                                                          \
 +void HELPER(sme_st1##L##END##_v)(CPUARMState *env, void *za, void *vg,     \
 +                                 target_ulong addr, uint32_t desc)         \
 +{                                                                          \
 +    sme_st1(env, za, vg, addr, desc, GETPC(), ESZ, 0, true,                \
 +            sme_st1##L##END##_v_host, sme_st1##L##END##_v_tlb);            \
 +}                                                                          \
 +void HELPER(sme_st1##L##END##_h_mte)(CPUARMState *env, void *za, void *vg, \
 +                                     target_ulong addr, uint32_t desc)     \
 +{                                                                          \
 +    sme_st1_mte(env, za, vg, addr, desc, GETPC(), ESZ, false,              \
 +                sve_st1##L##L##END##_host, sve_st1##L##L##END##_tlb);      \
 +}                                                                          \
 +void HELPER(sme_st1##L##END##_v_mte)(CPUARMState *env, void *za, void *vg, \
 +                                     target_ulong addr, uint32_t desc)     \
 +{                                                                          \
 +    sme_st1_mte(env, za, vg, addr, desc, GETPC(), ESZ, true,               \
 +                sme_st1##L##END##_v_host, sme_st1##L##END##_v_tlb);        \
 +}
 +
 +DO_ST(b, , MO_8)
 +DO_ST(h, _be, MO_16)
 +DO_ST(h, _le, MO_16)
 +DO_ST(s, _be, MO_32)
 +DO_ST(s, _le, MO_32)
 +DO_ST(d, _be, MO_64)
 +DO_ST(d, _le, MO_64)
 +DO_ST(q, _be, MO_128)
 +DO_ST(q, _le, MO_128)
 +
 +#undef DO_ST
 diff --git a/target/arm/translate-sme.c b/target/arm/translate-sme.c
 index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/smmu-common.h
+--- a/target/arm/translate-sme.c
-+++ b/include/hw/arm/smmu-common.h
++++ b/target/arm/translate-sme.c
-@@ -XXX,XX +XXX,XX @@ static inline uint16_t smmu_get_sid(SMMUDevice *sdev)
+@@ -XXX,XX +XXX,XX @@ static bool trans_MOVA(DisasContext *s, arg_MOVA *a)
- {
-     return PCI_BUILD_BDF(pci_bus_num(sdev->bus), sdev->devfn);
+     return true;
  }
 +
-+/**
++static bool trans_LDST1(DisasContext *s, arg_LDST1 *a)
-+ * smmu_ptw - Perform the page table walk for a given iova / access flags
++{
-+ * pair, according to @cfg translation config
++    typedef void GenLdSt1(TCGv_env, TCGv_ptr, TCGv_ptr, TCGv, TCGv_i32);
-+ */
++
-+int smmu_ptw(SMMUTransCfg *cfg, dma_addr_t iova, IOMMUAccessFlags perm,
++    /*
-+             IOMMUTLBEntry *tlbe, SMMUPTWEventInfo *info);
++     * Indexed by [esz][be][v][mte][st], which is (except for load/store)
-+
++     * also the order in which the elements appear in the function names,
-+/**
++     * and so how we must concatenate the pieces.
-+ * select_tt - compute which translation table shall be used according to
++     */
-+ * the input iova and translation config and return the TT specific info
++
-+ */
++#define FN_LS(F)     { gen_helper_sme_ld1##F, gen_helper_sme_st1##F }
-+SMMUTransTableInfo *select_tt(SMMUTransCfg *cfg, dma_addr_t iova);
++#define FN_MTE(F)    { FN_LS(F), FN_LS(F##_mte) }
-+
++#define FN_HV(F)     { FN_MTE(F##_h), FN_MTE(F##_v) }
- #endif  /* HW_ARM_SMMU_COMMON */
++#define FN_END(L, B) { FN_HV(L), FN_HV(B) }
-diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
++
-index XXXXXXX..XXXXXXX 100644
++    static GenLdSt1 * const fns[5][2][2][2][2] = {
---- a/hw/arm/smmu-common.c
++        FN_END(b, b),
-+++ b/hw/arm/smmu-common.c
++        FN_END(h_le, h_be),
-@@ -XXX,XX +XXX,XX @@
++        FN_END(s_le, s_be),
++        FN_END(d_le, d_be),
- #include "qemu/error-report.h"
++        FN_END(q_le, q_be),
- #include "hw/arm/smmu-common.h"
++    };
-+#include "smmu-internal.h"
++
-+
++#undef FN_LS
-+/* VMSAv8-64 Translation */
++#undef FN_MTE
-+
++#undef FN_HV
-+/**
++#undef FN_END
-+ * get_pte - Get the content of a page table entry located at
++
-+ * @base_addr[@index]
++    TCGv_ptr t_za, t_pg;
-+ */
++    TCGv_i64 addr;
-+static int get_pte(dma_addr_t baseaddr, uint32_t index, uint64_t *pte,
++    int svl, desc = 0;
-+                   SMMUPTWEventInfo *info)
++    bool be = s->be_data == MO_BE;
-+{
++    bool mte = s->mte_active[0];
-+    int ret;
++
-+    dma_addr_t addr = baseaddr + index * sizeof(*pte);
++    if (!dc_isar_feature(aa64_sme, s)) {
-+
++        return false;
-+    /* TODO: guarantee 64-bit single-copy atomicity */
++    }
-+    ret = dma_memory_read(&address_space_memory, addr,
++    if (!sme_smza_enabled_check(s)) {
-+                          (uint8_t *)pte, sizeof(*pte));
++        return true;
-+
++    }
-+    if (ret != MEMTX_OK) {
++
-+        info->type = SMMU_PTW_ERR_WALK_EABT;
++    t_za = get_tile_rowcol(s, a->esz, a->rs, a->za_imm, a->v);
-+        info->addr = addr;
++    t_pg = pred_full_reg_ptr(s, a->pg);
-+        return -EINVAL;
++    addr = tcg_temp_new_i64();
-+    }
++
-+    trace_smmu_get_pte(baseaddr, index, addr, *pte);
++    tcg_gen_shli_i64(addr, cpu_reg(s, a->rm), a->esz);
-+    return 0;
++    tcg_gen_add_i64(addr, addr, cpu_reg_sp(s, a->rn));
-+}
++
-+
++    if (mte) {
-+/* VMSAv8-64 Translation Table Format Descriptor Decoding */
++        desc = FIELD_DP32(desc, MTEDESC, MIDX, get_mem_index(s));
-+
++        desc = FIELD_DP32(desc, MTEDESC, TBI, s->tbid);
-+/**
++        desc = FIELD_DP32(desc, MTEDESC, TCMA, s->tcma);
-+ * get_page_pte_address - returns the L3 descriptor output address,
++        desc = FIELD_DP32(desc, MTEDESC, WRITE, a->st);
-+ * ie. the page frame
++        desc = FIELD_DP32(desc, MTEDESC, SIZEM1, (1 << a->esz) - 1);
-+ * ARM ARM spec: Figure D4-17 VMSAv8-64 level 3 descriptor format
++        desc <<= SVE_MTEDESC_SHIFT;
-+ */
++    } else {
-+static inline hwaddr get_page_pte_address(uint64_t pte, int granule_sz)
++        addr = clean_data_tbi(s, addr);
-+{
++    }
-+    return PTE_ADDRESS(pte, granule_sz);
++    svl = streaming_vec_reg_size(s);
-+}
++    desc = simd_desc(svl, svl, desc);
 +
-+/**
++    fns[a->esz][be][a->v][mte][a->st](cpu_env, t_za, t_pg, addr,
-+ * get_table_pte_address - return table descriptor output address,
++                                      tcg_constant_i32(desc));
-+ * ie. address of next level table
++
-+ * ARM ARM Figure D4-16 VMSAv8-64 level0, level1, and level 2 descriptor formats
++    tcg_temp_free_ptr(t_za);
-+ */
++    tcg_temp_free_ptr(t_pg);
-+static inline hwaddr get_table_pte_address(uint64_t pte, int granule_sz)
++    tcg_temp_free_i64(addr);
-+{
++    return true;
-+    return PTE_ADDRESS(pte, granule_sz);
++}
 +}
 +
 +/**
 + * get_block_pte_address - return block descriptor output address and block size
 + * ARM ARM Figure D4-16 VMSAv8-64 level0, level1, and level 2 descriptor formats
 + */
 +static inline hwaddr get_block_pte_address(uint64_t pte, int level,
 +                                           int granule_sz, uint64_t *bsz)
 +{
 +    int n = (granule_sz - 3) * (4 - level) + 3;
 +
 +    *bsz = 1 << n;
 +    return PTE_ADDRESS(pte, n);
 +}
 +
 +SMMUTransTableInfo *select_tt(SMMUTransCfg *cfg, dma_addr_t iova)
 +{
 +    bool tbi = extract64(iova, 55, 1) ? TBI1(cfg->tbi) : TBI0(cfg->tbi);
 +    uint8_t tbi_byte = tbi * 8;
 +
 +    if (cfg->tt[0].tsz &&
 +        !extract64(iova, 64 - cfg->tt[0].tsz, cfg->tt[0].tsz - tbi_byte)) {
 +        /* there is a ttbr0 region and we are in it (high bits all zero) */
 +        return &cfg->tt[0];
 +    } else if (cfg->tt[1].tsz &&
 +           !extract64(iova, 64 - cfg->tt[1].tsz, cfg->tt[1].tsz - tbi_byte)) {
 +        /* there is a ttbr1 region and we are in it (high bits all one) */
 +        return &cfg->tt[1];
 +    } else if (!cfg->tt[0].tsz) {
 +        /* ttbr0 region is "everything not in the ttbr1 region" */
 +        return &cfg->tt[0];
 +    } else if (!cfg->tt[1].tsz) {
 +        /* ttbr1 region is "everything not in the ttbr0 region" */
 +        return &cfg->tt[1];
 +    }
 +    /* in the gap between the two regions, this is a Translation fault */
 +    return NULL;
 +}
 +
 +/**
 + * smmu_ptw_64 - VMSAv8-64 Walk of the page tables for a given IOVA
 + * @cfg: translation config
 + * @iova: iova to translate
 + * @perm: access type
 + * @tlbe: IOMMUTLBEntry (out)
 + * @info: handle to an error info
 + *
 + * Return 0 on success, < 0 on error. In case of error, @info is filled
 + * and tlbe->perm is set to IOMMU_NONE.
 + * Upon success, @tlbe is filled with translated_addr and entry
 + * permission rights.
 + */
 +static int smmu_ptw_64(SMMUTransCfg *cfg,
 +                       dma_addr_t iova, IOMMUAccessFlags perm,
 +                       IOMMUTLBEntry *tlbe, SMMUPTWEventInfo *info)
 +{
 +    dma_addr_t baseaddr, indexmask;
 +    int stage = cfg->stage;
 +    SMMUTransTableInfo *tt = select_tt(cfg, iova);
 +    uint8_t level, granule_sz, inputsize, stride;
 +
 +    if (!tt || tt->disabled) {
 +        info->type = SMMU_PTW_ERR_TRANSLATION;
 +        goto error;
 +    }
 +
 +    granule_sz = tt->granule_sz;
 +    stride = granule_sz - 3;
 +    inputsize = 64 - tt->tsz;
 +    level = 4 - (inputsize - 4) / stride;
 +    indexmask = (1ULL << (inputsize - (stride * (4 - level)))) - 1;
 +    baseaddr = extract64(tt->ttb, 0, 48);
 +    baseaddr &= ~indexmask;
 +
 +    tlbe->iova = iova;
 +    tlbe->addr_mask = (1 << granule_sz) - 1;
 +
 +    while (level <= 3) {
 +        uint64_t subpage_size = 1ULL << level_shift(level, granule_sz);
 +        uint64_t mask = subpage_size - 1;
 +        uint32_t offset = iova_level_offset(iova, inputsize, level, granule_sz);
 +        uint64_t pte;
 +        dma_addr_t pte_addr = baseaddr + offset * sizeof(pte);
 +        uint8_t ap;
 +
 +        if (get_pte(baseaddr, offset, &pte, info)) {
 +                goto error;
 +        }
 +        trace_smmu_ptw_level(level, iova, subpage_size,
 +                             baseaddr, offset, pte);
 +
 +        if (is_invalid_pte(pte) || is_reserved_pte(pte, level)) {
 +            trace_smmu_ptw_invalid_pte(stage, level, baseaddr,
 +                                       pte_addr, offset, pte);
 +            info->type = SMMU_PTW_ERR_TRANSLATION;
 +            goto error;
 +        }
 +
 +        if (is_page_pte(pte, level)) {
 +            uint64_t gpa = get_page_pte_address(pte, granule_sz);
 +
 +            ap = PTE_AP(pte);
 +            if (is_permission_fault(ap, perm)) {
 +                info->type = SMMU_PTW_ERR_PERMISSION;
 +                goto error;
 +            }
 +
 +            tlbe->translated_addr = gpa + (iova & mask);
 +            tlbe->perm = PTE_AP_TO_PERM(ap);
 +            trace_smmu_ptw_page_pte(stage, level, iova,
 +                                    baseaddr, pte_addr, pte, gpa);
 +            return 0;
 +        }
 +        if (is_block_pte(pte, level)) {
 +            uint64_t block_size;
 +            hwaddr gpa = get_block_pte_address(pte, level, granule_sz,
 +                                               &block_size);
 +
 +            ap = PTE_AP(pte);
 +            if (is_permission_fault(ap, perm)) {
 +                info->type = SMMU_PTW_ERR_PERMISSION;
 +                goto error;
 +            }
 +
 +            trace_smmu_ptw_block_pte(stage, level, baseaddr,
 +                                     pte_addr, pte, iova, gpa,
 +                                     block_size >> 20);
 +
 +            tlbe->translated_addr = gpa + (iova & mask);
 +            tlbe->perm = PTE_AP_TO_PERM(ap);
 +            return 0;
 +        }
 +
 +        /* table pte */
 +        ap = PTE_APTABLE(pte);
 +
 +        if (is_permission_fault(ap, perm)) {
 +            info->type = SMMU_PTW_ERR_PERMISSION;
 +            goto error;
 +        }
 +        baseaddr = get_table_pte_address(pte, granule_sz);
 +        level++;
 +    }
 +
 +    info->type = SMMU_PTW_ERR_TRANSLATION;
 +
 +error:
 +    tlbe->perm = IOMMU_NONE;
 +    return -EINVAL;
 +}
 +
 +/**
 + * smmu_ptw - Walk the page tables for an IOVA, according to @cfg
 + *
 + * @cfg: translation configuration
 + * @iova: iova to translate
 + * @perm: tentative access type
 + * @tlbe: returned entry
 + * @info: ptw event handle
 + *
 + * return 0 on success
 + */
 +inline int smmu_ptw(SMMUTransCfg *cfg, dma_addr_t iova, IOMMUAccessFlags perm,
 +             IOMMUTLBEntry *tlbe, SMMUPTWEventInfo *info)
 +{
 +    if (!cfg->aa64) {
 +        /*
 +         * This code path is not entered as we check this while decoding
 +         * the configuration data in the derived SMMU model.
 +         */
 +        g_assert_not_reached();
 +    }
 +
 +    return smmu_ptw_64(cfg, iova, perm, tlbe, info);
 +}
  /**
   * The bus number is used for lookup when SID based invalidation occurs.
 diff --git a/hw/arm/trace-events b/hw/arm/trace-events
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/trace-events
 +++ b/hw/arm/trace-events
@@ -XXX,XX +XXX,XX @@
  virt_acpi_setup(void) "No fw cfg or ACPI disabled. Bailing out."
  # hw/arm/smmu-common.c
 -smmu_add_mr(const char *name) "%s"
 \ No newline at end of file
 +smmu_add_mr(const char *name) "%s"
 +smmu_page_walk(int stage, uint64_t baseaddr, int first_level, uint64_t start, uint64_t end) "stage=%d, baseaddr=0x%"PRIx64", first level=%d, start=0x%"PRIx64", end=0x%"PRIx64
 +smmu_lookup_table(int level, uint64_t baseaddr, int granule_sz, uint64_t start, uint64_t end, int flags, uint64_t subpage_size) "level=%d baseaddr=0x%"PRIx64" granule=%d, start=0x%"PRIx64" end=0x%"PRIx64" flags=%d subpage_size=0x%"PRIx64
 +smmu_ptw_level(int level, uint64_t iova, size_t subpage_size, uint64_t baseaddr, uint32_t offset, uint64_t pte) "level=%d iova=0x%"PRIx64" subpage_sz=0x%lx baseaddr=0x%"PRIx64" offset=%d => pte=0x%"PRIx64
 +smmu_ptw_invalid_pte(int stage, int level, uint64_t baseaddr, uint64_t pteaddr, uint32_t offset, uint64_t pte) "stage=%d level=%d base@=0x%"PRIx64" pte@=0x%"PRIx64" offset=%d pte=0x%"PRIx64
 +smmu_ptw_page_pte(int stage, int level,  uint64_t iova, uint64_t baseaddr, uint64_t pteaddr, uint64_t pte, uint64_t address) "stage=%d level=%d iova=0x%"PRIx64" base@=0x%"PRIx64" pte@=0x%"PRIx64" pte=0x%"PRIx64" page address = 0x%"PRIx64
 +smmu_ptw_block_pte(int stage, int level, uint64_t baseaddr, uint64_t pteaddr, uint64_t pte, uint64_t iova, uint64_t gpa, int bsize_mb) "stage=%d level=%d base@=0x%"PRIx64" pte@=0x%"PRIx64" pte=0x%"PRIx64" iova=0x%"PRIx64" block address = 0x%"PRIx64" block size = %d MiB"
 +smmu_get_pte(uint64_t baseaddr, int index, uint64_t pteaddr, uint64_t pte) "baseaddr=0x%"PRIx64" index=0x%x, pteaddr=0x%"PRIx64", pte=0x%"PRIx64
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 24/24] hw/arm/virt: Introduce the iommu option
+[PULL 21/45] target/arm: Export unpredicated ld/st from translate-sve.c
-From: Eric Auger <eric.auger@redhat.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-ARM virt machine now exposes a new "iommu" option.
+Add a TCGv_ptr base argument, which will be cpu_env for SVE.
-The SMMUv3 IOMMU is instantiated using -machine virt,iommu=smmuv3.
+We will reuse this for SME save and restore array insns.
-Signed-off-by: Eric Auger <eric.auger@redhat.com>
-Signed-off-by: Prem Mallappa <prem.mallappa@broadcom.com>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 1524665762-31355-15-git-send-email-eric.auger@redhat.com
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20220708151540.18136-22-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/virt.c | 36 ++++++++++++++++++++++++++++++++++++
+ target/arm/translate-a64.h |  3 +++
-file changed, 36 insertions(+)
+ target/arm/translate-sve.c | 48 ++++++++++++++++++++++++++++----------
 files changed, 39 insertions(+), 12 deletions(-)
-diff --git a/hw/arm/virt.c b/hw/arm/virt.c
+diff --git a/target/arm/translate-a64.h b/target/arm/translate-a64.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/virt.c
+--- a/target/arm/translate-a64.h
-+++ b/hw/arm/virt.c
++++ b/target/arm/translate-a64.h
-@@ -XXX,XX +XXX,XX @@ static void virt_set_gic_version(Object *obj, const char *value, Error **errp)
+@@ -XXX,XX +XXX,XX @@ void gen_gvec_xar(unsigned vece, uint32_t rd_ofs, uint32_t rn_ofs,
                    uint32_t rm_ofs, int64_t shift,
                    uint32_t opr_sz, uint32_t max_sz);
 +void gen_sve_ldr(DisasContext *s, TCGv_ptr, int vofs, int len, int rn, int imm);
 +void gen_sve_str(DisasContext *s, TCGv_ptr, int vofs, int len, int rn, int imm);
 +
  #endif /* TARGET_ARM_TRANSLATE_A64_H */
 diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-sve.c
 +++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(UCVTF_dd, aa64_sve, gen_gvec_fpst_arg_zpz,
   * The load should begin at the address Rn + IMM.
   */
 -static void do_ldr(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
 +void gen_sve_ldr(DisasContext *s, TCGv_ptr base, int vofs,
 +                 int len, int rn, int imm)
  {
      int len_align = QEMU_ALIGN_DOWN(len, 8);
      int len_remain = len % 8;
@@ -XXX,XX +XXX,XX @@ static void do_ldr(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
          t0 = tcg_temp_new_i64();
          for (i = 0; i < len_align; i += 8) {
              tcg_gen_qemu_ld_i64(t0, clean_addr, midx, MO_LEUQ);
 -            tcg_gen_st_i64(t0, cpu_env, vofs + i);
 +            tcg_gen_st_i64(t0, base, vofs + i);
              tcg_gen_addi_i64(clean_addr, clean_addr, 8);
          }
          tcg_temp_free_i64(t0);
@@ -XXX,XX +XXX,XX @@ static void do_ldr(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
          clean_addr = new_tmp_a64_local(s);
          tcg_gen_mov_i64(clean_addr, t0);
 +        if (base != cpu_env) {
 +            TCGv_ptr b = tcg_temp_local_new_ptr();
 +            tcg_gen_mov_ptr(b, base);
 +            base = b;
 +        }
 +
          gen_set_label(loop);
          t0 = tcg_temp_new_i64();
@@ -XXX,XX +XXX,XX @@ static void do_ldr(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
          tcg_gen_addi_i64(clean_addr, clean_addr, 8);
          tp = tcg_temp_new_ptr();
 -        tcg_gen_add_ptr(tp, cpu_env, i);
 +        tcg_gen_add_ptr(tp, base, i);
          tcg_gen_addi_ptr(i, i, 8);
          tcg_gen_st_i64(t0, tp, vofs);
          tcg_temp_free_ptr(tp);
@@ -XXX,XX +XXX,XX @@ static void do_ldr(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
          tcg_gen_brcondi_ptr(TCG_COND_LTU, i, len_align, loop);
          tcg_temp_free_ptr(i);
 +
 +        if (base != cpu_env) {
 +            tcg_temp_free_ptr(base);
 +            assert(len_remain == 0);
 +        }
      }
      /*
@@ -XXX,XX +XXX,XX @@ static void do_ldr(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
          default:
              g_assert_not_reached();
          }
 -        tcg_gen_st_i64(t0, cpu_env, vofs + len_align);
 +        tcg_gen_st_i64(t0, base, vofs + len_align);
          tcg_temp_free_i64(t0);
      }
  }
-+static char *virt_get_iommu(Object *obj, Error **errp)
+ /* Similarly for stores.  */
-+{
+-static void do_str(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
-+    VirtMachineState *vms = VIRT_MACHINE(obj);
++void gen_sve_str(DisasContext *s, TCGv_ptr base, int vofs,
 +                 int len, int rn, int imm)
  {
      int len_align = QEMU_ALIGN_DOWN(len, 8);
      int len_remain = len % 8;
@@ -XXX,XX +XXX,XX @@ static void do_str(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
          t0 = tcg_temp_new_i64();
          for (i = 0; i < len_align; i += 8) {
 -            tcg_gen_ld_i64(t0, cpu_env, vofs + i);
 +            tcg_gen_ld_i64(t0, base, vofs + i);
              tcg_gen_qemu_st_i64(t0, clean_addr, midx, MO_LEUQ);
              tcg_gen_addi_i64(clean_addr, clean_addr, 8);
          }
@@ -XXX,XX +XXX,XX @@ static void do_str(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
          clean_addr = new_tmp_a64_local(s);
          tcg_gen_mov_i64(clean_addr, t0);
 +        if (base != cpu_env) {
 +            TCGv_ptr b = tcg_temp_local_new_ptr();
 +            tcg_gen_mov_ptr(b, base);
 +            base = b;
 +        }
 +
-+    switch (vms->iommu) {
+         gen_set_label(loop);
-+    case VIRT_IOMMU_NONE:
-+        return g_strdup("none");
+         t0 = tcg_temp_new_i64();
-+    case VIRT_IOMMU_SMMUV3:
+         tp = tcg_temp_new_ptr();
-+        return g_strdup("smmuv3");
+-        tcg_gen_add_ptr(tp, cpu_env, i);
-+    default:
++        tcg_gen_add_ptr(tp, base, i);
-+        g_assert_not_reached();
+         tcg_gen_ld_i64(t0, tp, vofs);
-+    }
+         tcg_gen_addi_ptr(i, i, 8);
-+}
+         tcg_temp_free_ptr(tp);
@@ -XXX,XX +XXX,XX @@ static void do_str(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
          tcg_gen_brcondi_ptr(TCG_COND_LTU, i, len_align, loop);
          tcg_temp_free_ptr(i);
 +
-+static void virt_set_iommu(Object *obj, const char *value, Error **errp)
++        if (base != cpu_env) {
-+{
++            tcg_temp_free_ptr(base);
-+    VirtMachineState *vms = VIRT_MACHINE(obj);
++            assert(len_remain == 0);
-+
++        }
 +    if (!strcmp(value, "smmuv3")) {
 +        vms->iommu = VIRT_IOMMU_SMMUV3;
 +    } else if (!strcmp(value, "none")) {
 +        vms->iommu = VIRT_IOMMU_NONE;
 +    } else {
 +        error_setg(errp, "Invalid iommu value");
 +        error_append_hint(errp, "Valid values are none, smmuv3.\n");
 +    }
 +}
 +
  static CpuInstanceProperties
  virt_cpu_index_to_props(MachineState *ms, unsigned cpu_index)
  {
@@ -XXX,XX +XXX,XX @@ static void virt_2_12_instance_init(Object *obj)
                                          NULL);
      }
-+    /* Default disallows iommu instantiation */
+     /* Predicate register stores can be any multiple of 2.  */
-+    vms->iommu = VIRT_IOMMU_NONE;
+     if (len_remain) {
-+    object_property_add_str(obj, "iommu", virt_get_iommu, virt_set_iommu, NULL);
+         t0 = tcg_temp_new_i64();
-+    object_property_set_description(obj, "iommu",
+-        tcg_gen_ld_i64(t0, cpu_env, vofs + len_align);
-+                                    "Set the IOMMU type. "
++        tcg_gen_ld_i64(t0, base, vofs + len_align);
-+                                    "Valid values are none and smmuv3",
-+                                    NULL);
+         switch (len_remain) {
-+
+         case 2:
-     vms->memmap = a15memmap;
+@@ -XXX,XX +XXX,XX @@ static bool trans_LDR_zri(DisasContext *s, arg_rri *a)
-     vms->irqmap = a15irqmap;
+     if (sve_access_check(s)) {
          int size = vec_full_reg_size(s);
          int off = vec_full_reg_offset(s, a->rd);
 -        do_ldr(s, off, size, a->rn, a->imm * size);
 +        gen_sve_ldr(s, cpu_env, off, size, a->rn, a->imm * size);
      }
      return true;
  }
@@ -XXX,XX +XXX,XX @@ static bool trans_LDR_pri(DisasContext *s, arg_rri *a)
      if (sve_access_check(s)) {
          int size = pred_full_reg_size(s);
          int off = pred_full_reg_offset(s, a->rd);
 -        do_ldr(s, off, size, a->rn, a->imm * size);
 +        gen_sve_ldr(s, cpu_env, off, size, a->rn, a->imm * size);
      }
      return true;
  }
@@ -XXX,XX +XXX,XX @@ static bool trans_STR_zri(DisasContext *s, arg_rri *a)
      if (sve_access_check(s)) {
          int size = vec_full_reg_size(s);
          int off = vec_full_reg_offset(s, a->rd);
 -        do_str(s, off, size, a->rn, a->imm * size);
 +        gen_sve_str(s, cpu_env, off, size, a->rn, a->imm * size);
      }
      return true;
  }
@@ -XXX,XX +XXX,XX @@ static bool trans_STR_pri(DisasContext *s, arg_rri *a)
      if (sve_access_check(s)) {
          int size = pred_full_reg_size(s);
          int off = pred_full_reg_offset(s, a->rd);
 -        do_str(s, off, size, a->rn, a->imm * size);
 +        gen_sve_str(s, cpu_env, off, size, a->rn, a->imm * size);
      }
      return true;
  }
 --
-.17.0
+.25.1

-New patch
+[PULL 22/45] target/arm: Implement SME LDR, STR
+From: Richard Henderson <richard.henderson@linaro.org>
+We can reuse the SVE functions for LDR and STR, passing in the
+base of the ZA vector and a zero offset.
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220708151540.18136-23-richard.henderson@linaro.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/sme.decode      |  7 +++++++
+ target/arm/translate-sme.c | 24 ++++++++++++++++++++++++
+files changed, 31 insertions(+)
+diff --git a/target/arm/sme.decode b/target/arm/sme.decode
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/sme.decode
++++ b/target/arm/sme.decode
+@@ -XXX,XX +XXX,XX @@ LDST1           1110000 0 esz:2 st:1 rm:5 v:1 .. pg:3 rn:5 0 za_imm:4  \
+                 &ldst rs=%mova_rs
+ LDST1           1110000 111     st:1 rm:5 v:1 .. pg:3 rn:5 0 za_imm:4  \
+                 &ldst esz=4 rs=%mova_rs
++
++&ldstr          rv rn imm
++@ldstr          ....... ... . ...... .. ... rn:5 . imm:4 \
++                &ldstr rv=%mova_rs
++
++LDR             1110000 100 0 000000 .. 000 ..... 0 ....        @ldstr
++STR             1110000 100 1 000000 .. 000 ..... 0 ....        @ldstr
+diff --git a/target/arm/translate-sme.c b/target/arm/translate-sme.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/translate-sme.c
++++ b/target/arm/translate-sme.c
+@@ -XXX,XX +XXX,XX @@ static bool trans_LDST1(DisasContext *s, arg_LDST1 *a)
+     tcg_temp_free_i64(addr);
+     return true;
+ }
++
++typedef void GenLdStR(DisasContext *, TCGv_ptr, int, int, int, int);
++
++static bool do_ldst_r(DisasContext *s, arg_ldstr *a, GenLdStR *fn)
++{
++    int svl = streaming_vec_reg_size(s);
++    int imm = a->imm;
++    TCGv_ptr base;
++
++    if (!sme_za_enabled_check(s)) {
++        return true;
++    }
++
++    /* ZA[n] equates to ZA0H.B[n]. */
++    base = get_tile_rowcol(s, MO_8, a->rv, imm, false);
++
++    fn(s, base, 0, svl, a->rn, imm * svl);
++
++    tcg_temp_free_ptr(base);
++    return true;
++}
++
++TRANS_FEAT(LDR, aa64_sme, do_ldst_r, a, gen_sve_ldr)
++TRANS_FEAT(STR, aa64_sme, do_ldst_r, a, gen_sve_str)
+--
+.25.1

-[Qemu-devel] [PULL 14/24] hw/arm/smmuv3: Skeleton
+[PULL 23/45] target/arm: Implement SME ADDHA, ADDVA
-From: Prem Mallappa <prem.mallappa@broadcom.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-This patch implements a skeleton for the smmuv3 device.
-Datatypes and register definitions are introduced. The MMIO
-region, the interrupts and the queue are initialized.
-Only the MMIO read operation is implemented here.
-Signed-off-by: Prem Mallappa <prem.mallappa@broadcom.com>
-Signed-off-by: Eric Auger <eric.auger@redhat.com>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 1524665762-31355-5-git-send-email-eric.auger@redhat.com
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20220708151540.18136-24-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/Makefile.objs     |   2 +-
+ target/arm/helper-sme.h    |  5 +++
- hw/arm/smmuv3-internal.h | 142 +++++++++++++++
+ target/arm/sme.decode      | 11 +++++
- include/hw/arm/smmuv3.h  |  87 ++++++++++
+ target/arm/sme_helper.c    | 90 ++++++++++++++++++++++++++++++++++++++
- hw/arm/smmuv3.c          | 366 +++++++++++++++++++++++++++++++++++++++
+ target/arm/translate-sme.c | 31 +++++++++++++
- hw/arm/trace-events      |   3 +
+files changed, 137 insertions(+)
 files changed, 599 insertions(+), 1 deletion(-)
  create mode 100644 hw/arm/smmuv3-internal.h
  create mode 100644 include/hw/arm/smmuv3.h
  create mode 100644 hw/arm/smmuv3.c
-diff --git a/hw/arm/Makefile.objs b/hw/arm/Makefile.objs
+diff --git a/target/arm/helper-sme.h b/target/arm/helper-sme.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/Makefile.objs
+--- a/target/arm/helper-sme.h
-+++ b/hw/arm/Makefile.objs
++++ b/target/arm/helper-sme.h
-@@ -XXX,XX +XXX,XX @@ obj-$(CONFIG_MPS2) += mps2-tz.o
+@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_5(sme_st1q_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i
- obj-$(CONFIG_MSF2) += msf2-soc.o msf2-som.o
+ DEF_HELPER_FLAGS_5(sme_st1q_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
- obj-$(CONFIG_IOTKIT) += iotkit.o
+ DEF_HELPER_FLAGS_5(sme_st1q_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
- obj-$(CONFIG_FSL_IMX7) += fsl-imx7.o mcimx7d-sabre.o
+ DEF_HELPER_FLAGS_5(sme_st1q_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
 -obj-$(CONFIG_ARM_SMMUV3) += smmu-common.o
 +obj-$(CONFIG_ARM_SMMUV3) += smmu-common.o smmuv3.o
 diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/hw/arm/smmuv3-internal.h
@@ -XXX,XX +XXX,XX @@
 +/*
 + * ARM SMMUv3 support - Internal API
 + *
 + * Copyright (C) 2014-2016 Broadcom Corporation
 + * Copyright (c) 2017 Red Hat, Inc.
 + * Written by Prem Mallappa, Eric Auger
 + *
 + * This program is free software; you can redistribute it and/or modify
 + * it under the terms of the GNU General Public License version 2 as
 + * published by the Free Software Foundation.
 + *
 + * This program is distributed in the hope that it will be useful,
 + * but WITHOUT ANY WARRANTY; without even the implied warranty of
 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 + * GNU General Public License for more details.
 + *
 + * You should have received a copy of the GNU General Public License along
 + * with this program; if not, see <http://www.gnu.org/licenses/>.
 + */
 +
-+#ifndef HW_ARM_SMMU_V3_INTERNAL_H
++DEF_HELPER_FLAGS_5(sme_addha_s, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
-+#define HW_ARM_SMMU_V3_INTERNAL_H
++DEF_HELPER_FLAGS_5(sme_addva_s, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
 +DEF_HELPER_FLAGS_5(sme_addha_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
 +DEF_HELPER_FLAGS_5(sme_addva_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
 diff --git a/target/arm/sme.decode b/target/arm/sme.decode
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/sme.decode
 +++ b/target/arm/sme.decode
@@ -XXX,XX +XXX,XX @@ LDST1           1110000 111     st:1 rm:5 v:1 .. pg:3 rn:5 0 za_imm:4  \
  LDR             1110000 100 0 000000 .. 000 ..... 0 ....        @ldstr
  STR             1110000 100 1 000000 .. 000 ..... 0 ....        @ldstr
 +
-+#include "hw/arm/smmu-common.h"
++### SME Add Vector to Array
 +
-+/* MMIO Registers */
++&adda           zad zn pm pn
 +@adda_32        ........ .. ..... . pm:3 pn:3 zn:5 ... zad:2    &adda
 +@adda_64        ........ .. ..... . pm:3 pn:3 zn:5 ..  zad:3    &adda
 +
-+REG32(IDR0,                0x0)
++ADDHA_s         11000000 10 01000 0 ... ... ..... 000 ..        @adda_32
-+    FIELD(IDR0, S1P,         1 , 1)
++ADDVA_s         11000000 10 01000 1 ... ... ..... 000 ..        @adda_32
-+    FIELD(IDR0, TTF,         2 , 2)
++ADDHA_d         11000000 11 01000 0 ... ... ..... 00 ...        @adda_64
-+    FIELD(IDR0, COHACC,      4 , 1)
++ADDVA_d         11000000 11 01000 1 ... ... ..... 00 ...        @adda_64
-+    FIELD(IDR0, ASID16,      12, 1)
+diff --git a/target/arm/sme_helper.c b/target/arm/sme_helper.c
-+    FIELD(IDR0, TTENDIAN,    21, 2)
+index XXXXXXX..XXXXXXX 100644
-+    FIELD(IDR0, STALL_MODEL, 24, 2)
+--- a/target/arm/sme_helper.c
-+    FIELD(IDR0, TERM_MODEL,  26, 1)
++++ b/target/arm/sme_helper.c
-+    FIELD(IDR0, STLEVEL,     27, 2)
+@@ -XXX,XX +XXX,XX @@ DO_ST(q, _be, MO_128)
  DO_ST(q, _le, MO_128)
  #undef DO_ST
 +
-+REG32(IDR1,                0x4)
++void HELPER(sme_addha_s)(void *vzda, void *vzn, void *vpn,
-+    FIELD(IDR1, SIDSIZE,      0 , 6)
++                         void *vpm, uint32_t desc)
-+    FIELD(IDR1, EVENTQS,      16, 5)
++{
-+    FIELD(IDR1, CMDQS,        21, 5)
++    intptr_t row, col, oprsz = simd_oprsz(desc) / 4;
 +    uint64_t *pn = vpn, *pm = vpm;
 +    uint32_t *zda = vzda, *zn = vzn;
 +
-+#define SMMU_IDR1_SIDSIZE 16
++    for (row = 0; row < oprsz; ) {
-+#define SMMU_CMDQS   19
++        uint64_t pa = pn[row >> 4];
-+#define SMMU_EVENTQS 19
++        do {
-+
++            if (pa & 1) {
-+REG32(IDR2,                0x8)
++                for (col = 0; col < oprsz; ) {
-+REG32(IDR3,                0xc)
++                    uint64_t pb = pm[col >> 4];
-+REG32(IDR4,                0x10)
++                    do {
-+REG32(IDR5,                0x14)
++                        if (pb & 1) {
-+     FIELD(IDR5, OAS,         0, 3);
++                            zda[tile_vslice_index(row) + H4(col)] += zn[H4(col)];
-+     FIELD(IDR5, GRAN4K,      4, 1);
++                        }
-+     FIELD(IDR5, GRAN16K,     5, 1);
++                        pb >>= 4;
-+     FIELD(IDR5, GRAN64K,     6, 1);
++                    } while (++col & 15);
-+
++                }
-+#define SMMU_IDR5_OAS 4
++            }
-+
++            pa >>= 4;
-+REG32(IIDR,                0x1c)
++        } while (++row & 15);
 +REG32(CR0,                 0x20)
 +    FIELD(CR0, SMMU_ENABLE,   0, 1)
 +    FIELD(CR0, EVENTQEN,      2, 1)
 +    FIELD(CR0, CMDQEN,        3, 1)
 +
 +REG32(CR0ACK,              0x24)
 +REG32(CR1,                 0x28)
 +REG32(CR2,                 0x2c)
 +REG32(STATUSR,             0x40)
 +REG32(IRQ_CTRL,            0x50)
 +    FIELD(IRQ_CTRL, GERROR_IRQEN,        0, 1)
 +    FIELD(IRQ_CTRL, PRI_IRQEN,           1, 1)
 +    FIELD(IRQ_CTRL, EVENTQ_IRQEN,        2, 1)
 +
 +REG32(IRQ_CTRL_ACK,        0x54)
 +REG32(GERROR,              0x60)
 +    FIELD(GERROR, CMDQ_ERR,           0, 1)
 +    FIELD(GERROR, EVENTQ_ABT_ERR,     2, 1)
 +    FIELD(GERROR, PRIQ_ABT_ERR,       3, 1)
 +    FIELD(GERROR, MSI_CMDQ_ABT_ERR,   4, 1)
 +    FIELD(GERROR, MSI_EVENTQ_ABT_ERR, 5, 1)
 +    FIELD(GERROR, MSI_PRIQ_ABT_ERR,   6, 1)
 +    FIELD(GERROR, MSI_GERROR_ABT_ERR, 7, 1)
 +    FIELD(GERROR, MSI_SFM_ERR,        8, 1)
 +
 +REG32(GERRORN,             0x64)
 +
 +#define A_GERROR_IRQ_CFG0  0x68 /* 64b */
 +REG32(GERROR_IRQ_CFG1, 0x70)
 +REG32(GERROR_IRQ_CFG2, 0x74)
 +
 +#define A_STRTAB_BASE      0x80 /* 64b */
 +
 +#define SMMU_BASE_ADDR_MASK 0xffffffffffe0
 +
 +REG32(STRTAB_BASE_CFG,     0x88)
 +    FIELD(STRTAB_BASE_CFG, FMT,      16, 2)
 +    FIELD(STRTAB_BASE_CFG, SPLIT,    6 , 5)
 +    FIELD(STRTAB_BASE_CFG, LOG2SIZE, 0 , 6)
 +
 +#define A_CMDQ_BASE        0x90 /* 64b */
 +REG32(CMDQ_PROD,           0x98)
 +REG32(CMDQ_CONS,           0x9c)
 +    FIELD(CMDQ_CONS, ERR, 24, 7)
 +
 +#define A_EVENTQ_BASE      0xa0 /* 64b */
 +REG32(EVENTQ_PROD,         0xa8)
 +REG32(EVENTQ_CONS,         0xac)
 +
 +#define A_EVENTQ_IRQ_CFG0  0xb0 /* 64b */
 +REG32(EVENTQ_IRQ_CFG1,     0xb8)
 +REG32(EVENTQ_IRQ_CFG2,     0xbc)
 +
 +#define A_IDREGS           0xfd0
 +
 +static inline int smmu_enabled(SMMUv3State *s)
 +{
 +    return FIELD_EX32(s->cr[0], CR0, SMMU_ENABLE);
 +}
 +
 +/* Command Queue Entry */
 +typedef struct Cmd {
 +    uint32_t word[4];
 +} Cmd;
 +
 +/* Event Queue Entry */
 +typedef struct Evt  {
 +    uint32_t word[8];
 +} Evt;
 +
 +static inline uint32_t smmuv3_idreg(int regoffset)
 +{
 +    /*
 +     * Return the value of the Primecell/Corelink ID registers at the
 +     * specified offset from the first ID register.
 +     * These value indicate an ARM implementation of MMU600 p1
 +     */
 +    static const uint8_t smmuv3_ids[] = {
 +        0x04, 0, 0, 0, 0x84, 0xB4, 0xF0, 0x10, 0x0D, 0xF0, 0x05, 0xB1
 +    };
 +    return smmuv3_ids[regoffset / 4];
 +}
 +
 +#endif
 diff --git a/include/hw/arm/smmuv3.h b/include/hw/arm/smmuv3.h
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/include/hw/arm/smmuv3.h
@@ -XXX,XX +XXX,XX @@
 +/*
 + * Copyright (C) 2014-2016 Broadcom Corporation
 + * Copyright (c) 2017 Red Hat, Inc.
 + * Written by Prem Mallappa, Eric Auger
 + *
 + * This program is free software; you can redistribute it and/or modify
 + * it under the terms of the GNU General Public License version 2 as
 + * published by the Free Software Foundation.
 + *
 + * This program is distributed in the hope that it will be useful,
 + * but WITHOUT ANY WARRANTY; without even the implied warranty of
 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 + * GNU General Public License for more details.
 + *
 + * You should have received a copy of the GNU General Public License along
 + * with this program; if not, see <http://www.gnu.org/licenses/>.
 + */
 +
 +#ifndef HW_ARM_SMMUV3_H
 +#define HW_ARM_SMMUV3_H
 +
 +#include "hw/arm/smmu-common.h"
 +#include "hw/registerfields.h"
 +
 +#define TYPE_SMMUV3_IOMMU_MEMORY_REGION "smmuv3-iommu-memory-region"
 +
 +typedef struct SMMUQueue {
 +     uint64_t base; /* base register */
 +     uint32_t prod;
 +     uint32_t cons;
 +     uint8_t entry_size;
 +     uint8_t log2size;
 +} SMMUQueue;
 +
 +typedef struct SMMUv3State {
 +    SMMUState     smmu_state;
 +
 +    uint32_t features;
 +    uint8_t sid_size;
 +    uint8_t sid_split;
 +
 +    uint32_t idr[6];
 +    uint32_t iidr;
 +    uint32_t cr[3];
 +    uint32_t cr0ack;
 +    uint32_t statusr;
 +    uint32_t irq_ctrl;
 +    uint32_t gerror;
 +    uint32_t gerrorn;
 +    uint64_t gerror_irq_cfg0;
 +    uint32_t gerror_irq_cfg1;
 +    uint32_t gerror_irq_cfg2;
 +    uint64_t strtab_base;
 +    uint32_t strtab_base_cfg;
 +    uint64_t eventq_irq_cfg0;
 +    uint32_t eventq_irq_cfg1;
 +    uint32_t eventq_irq_cfg2;
 +
 +    SMMUQueue eventq, cmdq;
 +
 +    qemu_irq     irq[4];
 +} SMMUv3State;
 +
 +typedef enum {
 +    SMMU_IRQ_EVTQ,
 +    SMMU_IRQ_PRIQ,
 +    SMMU_IRQ_CMD_SYNC,
 +    SMMU_IRQ_GERROR,
 +} SMMUIrq;
 +
 +typedef struct {
 +    /*< private >*/
 +    SMMUBaseClass smmu_base_class;
 +    /*< public >*/
 +
 +    DeviceRealize parent_realize;
 +    DeviceReset   parent_reset;
 +} SMMUv3Class;
 +
 +#define TYPE_ARM_SMMUV3   "arm-smmuv3"
 +#define ARM_SMMUV3(obj) OBJECT_CHECK(SMMUv3State, (obj), TYPE_ARM_SMMUV3)
 +#define ARM_SMMUV3_CLASS(klass)                              \
 +    OBJECT_CLASS_CHECK(SMMUv3Class, (klass), TYPE_ARM_SMMUV3)
 +#define ARM_SMMUV3_GET_CLASS(obj) \
 +     OBJECT_GET_CLASS(SMMUv3Class, (obj), TYPE_ARM_SMMUV3)
 +
 +#endif
 diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@
 +/*
 + * Copyright (C) 2014-2016 Broadcom Corporation
 + * Copyright (c) 2017 Red Hat, Inc.
 + * Written by Prem Mallappa, Eric Auger
 + *
 + * This program is free software; you can redistribute it and/or modify
 + * it under the terms of the GNU General Public License version 2 as
 + * published by the Free Software Foundation.
 + *
 + * This program is distributed in the hope that it will be useful,
 + * but WITHOUT ANY WARRANTY; without even the implied warranty of
 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 + * GNU General Public License for more details.
 + *
 + * You should have received a copy of the GNU General Public License along
 + * with this program; if not, see <http://www.gnu.org/licenses/>.
 + */
 +
 +#include "qemu/osdep.h"
 +#include "hw/boards.h"
 +#include "sysemu/sysemu.h"
 +#include "hw/sysbus.h"
 +#include "hw/qdev-core.h"
 +#include "hw/pci/pci.h"
 +#include "exec/address-spaces.h"
 +#include "trace.h"
 +#include "qemu/log.h"
 +#include "qemu/error-report.h"
 +#include "qapi/error.h"
 +
 +#include "hw/arm/smmuv3.h"
 +#include "smmuv3-internal.h"
 +
 +static void smmuv3_init_regs(SMMUv3State *s)
 +{
 +    /**
 +     * IDR0: stage1 only, AArch64 only, coherent access, 16b ASID,
 +     *       multi-level stream table
 +     */
 +    s->idr[0] = FIELD_DP32(s->idr[0], IDR0, S1P, 1); /* stage 1 supported */
 +    s->idr[0] = FIELD_DP32(s->idr[0], IDR0, TTF, 2); /* AArch64 PTW only */
 +    s->idr[0] = FIELD_DP32(s->idr[0], IDR0, COHACC, 1); /* IO coherent */
 +    s->idr[0] = FIELD_DP32(s->idr[0], IDR0, ASID16, 1); /* 16-bit ASID */
 +    s->idr[0] = FIELD_DP32(s->idr[0], IDR0, TTENDIAN, 2); /* little endian */
 +    s->idr[0] = FIELD_DP32(s->idr[0], IDR0, STALL_MODEL, 1); /* No stall */
 +    /* terminated transaction will always be aborted/error returned */
 +    s->idr[0] = FIELD_DP32(s->idr[0], IDR0, TERM_MODEL, 1);
 +    /* 2-level stream table supported */
 +    s->idr[0] = FIELD_DP32(s->idr[0], IDR0, STLEVEL, 1);
 +
 +    s->idr[1] = FIELD_DP32(s->idr[1], IDR1, SIDSIZE, SMMU_IDR1_SIDSIZE);
 +    s->idr[1] = FIELD_DP32(s->idr[1], IDR1, EVENTQS, SMMU_EVENTQS);
 +    s->idr[1] = FIELD_DP32(s->idr[1], IDR1, CMDQS,   SMMU_CMDQS);
 +
 +   /* 4K and 64K granule support */
 +    s->idr[5] = FIELD_DP32(s->idr[5], IDR5, GRAN4K, 1);
 +    s->idr[5] = FIELD_DP32(s->idr[5], IDR5, GRAN64K, 1);
 +    s->idr[5] = FIELD_DP32(s->idr[5], IDR5, OAS, SMMU_IDR5_OAS); /* 44 bits */
 +
 +    s->cmdq.base = deposit64(s->cmdq.base, 0, 5, SMMU_CMDQS);
 +    s->cmdq.prod = 0;
 +    s->cmdq.cons = 0;
 +    s->cmdq.entry_size = sizeof(struct Cmd);
 +    s->eventq.base = deposit64(s->eventq.base, 0, 5, SMMU_EVENTQS);
 +    s->eventq.prod = 0;
 +    s->eventq.cons = 0;
 +    s->eventq.entry_size = sizeof(struct Evt);
 +
 +    s->features = 0;
 +    s->sid_split = 0;
 +}
 +
 +static MemTxResult smmu_write_mmio(void *opaque, hwaddr offset, uint64_t data,
 +                                   unsigned size, MemTxAttrs attrs)
 +{
 +    /* not yet implemented */
 +    return MEMTX_ERROR;
 +}
 +
 +static MemTxResult smmu_readll(SMMUv3State *s, hwaddr offset,
 +                               uint64_t *data, MemTxAttrs attrs)
 +{
 +    switch (offset) {
 +    case A_GERROR_IRQ_CFG0:
 +        *data = s->gerror_irq_cfg0;
 +        return MEMTX_OK;
 +    case A_STRTAB_BASE:
 +        *data = s->strtab_base;
 +        return MEMTX_OK;
 +    case A_CMDQ_BASE:
 +        *data = s->cmdq.base;
 +        return MEMTX_OK;
 +    case A_EVENTQ_BASE:
 +        *data = s->eventq.base;
 +        return MEMTX_OK;
 +    default:
 +        *data = 0;
 +        qemu_log_mask(LOG_UNIMP,
 +                      "%s Unexpected 64-bit access to 0x%"PRIx64" (RAZ)\n",
 +                      __func__, offset);
 +        return MEMTX_OK;
 +    }
 +}
 +
-+static MemTxResult smmu_readl(SMMUv3State *s, hwaddr offset,
++void HELPER(sme_addha_d)(void *vzda, void *vzn, void *vpn,
-+                              uint64_t *data, MemTxAttrs attrs)
++                         void *vpm, uint32_t desc)
 +{
-+    switch (offset) {
++    intptr_t row, col, oprsz = simd_oprsz(desc) / 8;
-+    case A_IDREGS ... A_IDREGS + 0x1f:
++    uint8_t *pn = vpn, *pm = vpm;
-+        *data = smmuv3_idreg(offset - A_IDREGS);
++    uint64_t *zda = vzda, *zn = vzn;
-+        return MEMTX_OK;
++
-+    case A_IDR0 ... A_IDR5:
++    for (row = 0; row < oprsz; ++row) {
-+        *data = s->idr[(offset - A_IDR0) / 4];
++        if (pn[H1(row)] & 1) {
-+        return MEMTX_OK;
++            for (col = 0; col < oprsz; ++col) {
-+    case A_IIDR:
++                if (pm[H1(col)] & 1) {
-+        *data = s->iidr;
++                    zda[tile_vslice_index(row) + col] += zn[col];
-+        return MEMTX_OK;
++                }
-+    case A_CR0:
++            }
-+        *data = s->cr[0];
++        }
 +        return MEMTX_OK;
 +    case A_CR0ACK:
 +        *data = s->cr0ack;
 +        return MEMTX_OK;
 +    case A_CR1:
 +        *data = s->cr[1];
 +        return MEMTX_OK;
 +    case A_CR2:
 +        *data = s->cr[2];
 +        return MEMTX_OK;
 +    case A_STATUSR:
 +        *data = s->statusr;
 +        return MEMTX_OK;
 +    case A_IRQ_CTRL:
 +    case A_IRQ_CTRL_ACK:
 +        *data = s->irq_ctrl;
 +        return MEMTX_OK;
 +    case A_GERROR:
 +        *data = s->gerror;
 +        return MEMTX_OK;
 +    case A_GERRORN:
 +        *data = s->gerrorn;
 +        return MEMTX_OK;
 +    case A_GERROR_IRQ_CFG0: /* 64b */
 +        *data = extract64(s->gerror_irq_cfg0, 0, 32);
 +        return MEMTX_OK;
 +    case A_GERROR_IRQ_CFG0 + 4:
 +        *data = extract64(s->gerror_irq_cfg0, 32, 32);
 +        return MEMTX_OK;
 +    case A_GERROR_IRQ_CFG1:
 +        *data = s->gerror_irq_cfg1;
 +        return MEMTX_OK;
 +    case A_GERROR_IRQ_CFG2:
 +        *data = s->gerror_irq_cfg2;
 +        return MEMTX_OK;
 +    case A_STRTAB_BASE: /* 64b */
 +        *data = extract64(s->strtab_base, 0, 32);
 +        return MEMTX_OK;
 +    case A_STRTAB_BASE + 4: /* 64b */
 +        *data = extract64(s->strtab_base, 32, 32);
 +        return MEMTX_OK;
 +    case A_STRTAB_BASE_CFG:
 +        *data = s->strtab_base_cfg;
 +        return MEMTX_OK;
 +    case A_CMDQ_BASE: /* 64b */
 +        *data = extract64(s->cmdq.base, 0, 32);
 +        return MEMTX_OK;
 +    case A_CMDQ_BASE + 4:
 +        *data = extract64(s->cmdq.base, 32, 32);
 +        return MEMTX_OK;
 +    case A_CMDQ_PROD:
 +        *data = s->cmdq.prod;
 +        return MEMTX_OK;
 +    case A_CMDQ_CONS:
 +        *data = s->cmdq.cons;
 +        return MEMTX_OK;
 +    case A_EVENTQ_BASE: /* 64b */
 +        *data = extract64(s->eventq.base, 0, 32);
 +        return MEMTX_OK;
 +    case A_EVENTQ_BASE + 4: /* 64b */
 +        *data = extract64(s->eventq.base, 32, 32);
 +        return MEMTX_OK;
 +    case A_EVENTQ_PROD:
 +        *data = s->eventq.prod;
 +        return MEMTX_OK;
 +    case A_EVENTQ_CONS:
 +        *data = s->eventq.cons;
 +        return MEMTX_OK;
 +    default:
 +        *data = 0;
 +        qemu_log_mask(LOG_UNIMP,
 +                      "%s unhandled 32-bit access at 0x%"PRIx64" (RAZ)\n",
 +                      __func__, offset);
 +        return MEMTX_OK;
 +    }
 +}
 +
-+static MemTxResult smmu_read_mmio(void *opaque, hwaddr offset, uint64_t *data,
++void HELPER(sme_addva_s)(void *vzda, void *vzn, void *vpn,
-+                                  unsigned size, MemTxAttrs attrs)
++                         void *vpm, uint32_t desc)
 +{
-+    SMMUState *sys = opaque;
++    intptr_t row, col, oprsz = simd_oprsz(desc) / 4;
-+    SMMUv3State *s = ARM_SMMUV3(sys);
++    uint64_t *pn = vpn, *pm = vpm;
-+    MemTxResult r;
++    uint32_t *zda = vzda, *zn = vzn;
 +
-+    /* CONSTRAINED UNPREDICTABLE choice to have page0/1 be exact aliases */
++    for (row = 0; row < oprsz; ) {
-+    offset &= ~0x10000;
++        uint64_t pa = pn[row >> 4];
-+
++        do {
-+    switch (size) {
++            if (pa & 1) {
-+    case 8:
++                uint32_t zn_row = zn[H4(row)];
-+        r = smmu_readll(s, offset, data, attrs);
++                for (col = 0; col < oprsz; ) {
-+        break;
++                    uint64_t pb = pm[col >> 4];
-+    case 4:
++                    do {
-+        r = smmu_readl(s, offset, data, attrs);
++                        if (pb & 1) {
-+        break;
++                            zda[tile_vslice_index(row) + H4(col)] += zn_row;
-+    default:
++                        }
-+        r = MEMTX_ERROR;
++                        pb >>= 4;
-+        break;
++                    } while (++col & 15);
-+    }
++                }
-+
++            }
-+    trace_smmuv3_read_mmio(offset, *data, size, r);
++            pa >>= 4;
-+    return r;
++        } while (++row & 15);
 +}
 +
 +static const MemoryRegionOps smmu_mem_ops = {
 +    .read_with_attrs = smmu_read_mmio,
 +    .write_with_attrs = smmu_write_mmio,
 +    .endianness = DEVICE_LITTLE_ENDIAN,
 +    .valid = {
 +        .min_access_size = 4,
 +        .max_access_size = 8,
 +    },
 +    .impl = {
 +        .min_access_size = 4,
 +        .max_access_size = 8,
 +    },
 +};
 +
 +static void smmu_init_irq(SMMUv3State *s, SysBusDevice *dev)
 +{
 +    int i;
 +
 +    for (i = 0; i < ARRAY_SIZE(s->irq); i++) {
 +        sysbus_init_irq(dev, &s->irq[i]);
 +    }
 +}
 +
-+static void smmu_reset(DeviceState *dev)
++void HELPER(sme_addva_d)(void *vzda, void *vzn, void *vpn,
 +                         void *vpm, uint32_t desc)
 +{
-+    SMMUv3State *s = ARM_SMMUV3(dev);
++    intptr_t row, col, oprsz = simd_oprsz(desc) / 8;
-+    SMMUv3Class *c = ARM_SMMUV3_GET_CLASS(s);
++    uint8_t *pn = vpn, *pm = vpm;
 +    uint64_t *zda = vzda, *zn = vzn;
 +
-+    c->parent_reset(dev);
++    for (row = 0; row < oprsz; ++row) {
 +        if (pn[H1(row)] & 1) {
 +            uint64_t zn_row = zn[row];
 +            for (col = 0; col < oprsz; ++col) {
 +                if (pm[H1(col)] & 1) {
 +                    zda[tile_vslice_index(row) + col] += zn_row;
 +                }
 +            }
 +        }
 +    }
 +}
 diff --git a/target/arm/translate-sme.c b/target/arm/translate-sme.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-sme.c
 +++ b/target/arm/translate-sme.c
@@ -XXX,XX +XXX,XX @@ static bool do_ldst_r(DisasContext *s, arg_ldstr *a, GenLdStR *fn)
  TRANS_FEAT(LDR, aa64_sme, do_ldst_r, a, gen_sve_ldr)
  TRANS_FEAT(STR, aa64_sme, do_ldst_r, a, gen_sve_str)
 +
-+    smmuv3_init_regs(s);
++static bool do_adda(DisasContext *s, arg_adda *a, MemOp esz,
 +                    gen_helper_gvec_4 *fn)
 +{
 +    int svl = streaming_vec_reg_size(s);
 +    uint32_t desc = simd_desc(svl, svl, 0);
 +    TCGv_ptr za, zn, pn, pm;
 +
 +    if (!sme_smza_enabled_check(s)) {
 +        return true;
 +    }
 +
 +    /* Sum XZR+zad to find ZAd. */
 +    za = get_tile_rowcol(s, esz, 31, a->zad, false);
 +    zn = vec_full_reg_ptr(s, a->zn);
 +    pn = pred_full_reg_ptr(s, a->pn);
 +    pm = pred_full_reg_ptr(s, a->pm);
 +
 +    fn(za, zn, pn, pm, tcg_constant_i32(desc));
 +
 +    tcg_temp_free_ptr(za);
 +    tcg_temp_free_ptr(zn);
 +    tcg_temp_free_ptr(pn);
 +    tcg_temp_free_ptr(pm);
 +    return true;
 +}
 +
-+static void smmu_realize(DeviceState *d, Error **errp)
++TRANS_FEAT(ADDHA_s, aa64_sme, do_adda, a, MO_32, gen_helper_sme_addha_s)
-+{
++TRANS_FEAT(ADDVA_s, aa64_sme, do_adda, a, MO_32, gen_helper_sme_addva_s)
-+    SMMUState *sys = ARM_SMMU(d);
++TRANS_FEAT(ADDHA_d, aa64_sme_i16i64, do_adda, a, MO_64, gen_helper_sme_addha_d)
-+    SMMUv3State *s = ARM_SMMUV3(sys);
++TRANS_FEAT(ADDVA_d, aa64_sme_i16i64, do_adda, a, MO_64, gen_helper_sme_addva_d)
 +    SMMUv3Class *c = ARM_SMMUV3_GET_CLASS(s);
 +    SysBusDevice *dev = SYS_BUS_DEVICE(d);
 +    Error *local_err = NULL;
 +
 +    c->parent_realize(d, &local_err);
 +    if (local_err) {
 +        error_propagate(errp, local_err);
 +        return;
 +    }
 +
 +    memory_region_init_io(&sys->iomem, OBJECT(s),
 +                          &smmu_mem_ops, sys, TYPE_ARM_SMMUV3, 0x20000);
 +
 +    sys->mrtypename = TYPE_SMMUV3_IOMMU_MEMORY_REGION;
 +
 +    sysbus_init_mmio(dev, &sys->iomem);
 +
 +    smmu_init_irq(s, dev);
 +}
 +
 +static const VMStateDescription vmstate_smmuv3_queue = {
 +    .name = "smmuv3_queue",
 +    .version_id = 1,
 +    .minimum_version_id = 1,
 +    .fields = (VMStateField[]) {
 +        VMSTATE_UINT64(base, SMMUQueue),
 +        VMSTATE_UINT32(prod, SMMUQueue),
 +        VMSTATE_UINT32(cons, SMMUQueue),
 +        VMSTATE_UINT8(log2size, SMMUQueue),
 +    },
 +};
 +
 +static const VMStateDescription vmstate_smmuv3 = {
 +    .name = "smmuv3",
 +    .version_id = 1,
 +    .minimum_version_id = 1,
 +    .fields = (VMStateField[]) {
 +        VMSTATE_UINT32(features, SMMUv3State),
 +        VMSTATE_UINT8(sid_size, SMMUv3State),
 +        VMSTATE_UINT8(sid_split, SMMUv3State),
 +
 +        VMSTATE_UINT32_ARRAY(cr, SMMUv3State, 3),
 +        VMSTATE_UINT32(cr0ack, SMMUv3State),
 +        VMSTATE_UINT32(statusr, SMMUv3State),
 +        VMSTATE_UINT32(irq_ctrl, SMMUv3State),
 +        VMSTATE_UINT32(gerror, SMMUv3State),
 +        VMSTATE_UINT32(gerrorn, SMMUv3State),
 +        VMSTATE_UINT64(gerror_irq_cfg0, SMMUv3State),
 +        VMSTATE_UINT32(gerror_irq_cfg1, SMMUv3State),
 +        VMSTATE_UINT32(gerror_irq_cfg2, SMMUv3State),
 +        VMSTATE_UINT64(strtab_base, SMMUv3State),
 +        VMSTATE_UINT32(strtab_base_cfg, SMMUv3State),
 +        VMSTATE_UINT64(eventq_irq_cfg0, SMMUv3State),
 +        VMSTATE_UINT32(eventq_irq_cfg1, SMMUv3State),
 +        VMSTATE_UINT32(eventq_irq_cfg2, SMMUv3State),
 +
 +        VMSTATE_STRUCT(cmdq, SMMUv3State, 0, vmstate_smmuv3_queue, SMMUQueue),
 +        VMSTATE_STRUCT(eventq, SMMUv3State, 0, vmstate_smmuv3_queue, SMMUQueue),
 +
 +        VMSTATE_END_OF_LIST(),
 +    },
 +};
 +
 +static void smmuv3_instance_init(Object *obj)
 +{
 +    /* Nothing much to do here as of now */
 +}
 +
 +static void smmuv3_class_init(ObjectClass *klass, void *data)
 +{
 +    DeviceClass *dc = DEVICE_CLASS(klass);
 +    SMMUv3Class *c = ARM_SMMUV3_CLASS(klass);
 +
 +    dc->vmsd = &vmstate_smmuv3;
 +    device_class_set_parent_reset(dc, smmu_reset, &c->parent_reset);
 +    c->parent_realize = dc->realize;
 +    dc->realize = smmu_realize;
 +}
 +
 +static void smmuv3_iommu_memory_region_class_init(ObjectClass *klass,
 +                                                  void *data)
 +{
 +}
 +
 +static const TypeInfo smmuv3_type_info = {
 +    .name          = TYPE_ARM_SMMUV3,
 +    .parent        = TYPE_ARM_SMMU,
 +    .instance_size = sizeof(SMMUv3State),
 +    .instance_init = smmuv3_instance_init,
 +    .class_size    = sizeof(SMMUv3Class),
 +    .class_init    = smmuv3_class_init,
 +};
 +
 +static const TypeInfo smmuv3_iommu_memory_region_info = {
 +    .parent = TYPE_IOMMU_MEMORY_REGION,
 +    .name = TYPE_SMMUV3_IOMMU_MEMORY_REGION,
 +    .class_init = smmuv3_iommu_memory_region_class_init,
 +};
 +
 +static void smmuv3_register_types(void)
 +{
 +    type_register(&smmuv3_type_info);
 +    type_register(&smmuv3_iommu_memory_region_info);
 +}
 +
 +type_init(smmuv3_register_types)
 +
 diff --git a/hw/arm/trace-events b/hw/arm/trace-events
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/trace-events
 +++ b/hw/arm/trace-events
@@ -XXX,XX +XXX,XX @@ smmu_ptw_invalid_pte(int stage, int level, uint64_t baseaddr, uint64_t pteaddr,
  smmu_ptw_page_pte(int stage, int level,  uint64_t iova, uint64_t baseaddr, uint64_t pteaddr, uint64_t pte, uint64_t address) "stage=%d level=%d iova=0x%"PRIx64" base@=0x%"PRIx64" pte@=0x%"PRIx64" pte=0x%"PRIx64" page address = 0x%"PRIx64
  smmu_ptw_block_pte(int stage, int level, uint64_t baseaddr, uint64_t pteaddr, uint64_t pte, uint64_t iova, uint64_t gpa, int bsize_mb) "stage=%d level=%d base@=0x%"PRIx64" pte@=0x%"PRIx64" pte=0x%"PRIx64" iova=0x%"PRIx64" block address = 0x%"PRIx64" block size = %d MiB"
  smmu_get_pte(uint64_t baseaddr, int index, uint64_t pteaddr, uint64_t pte) "baseaddr=0x%"PRIx64" index=0x%x, pteaddr=0x%"PRIx64", pte=0x%"PRIx64
 +
 +#hw/arm/smmuv3.c
 +smmuv3_read_mmio(uint64_t addr, uint64_t val, unsigned size, uint32_t r) "addr: 0x%"PRIx64" val:0x%"PRIx64" size: 0x%x(%d)"
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 17/24] hw/arm/smmuv3: Implement MMIO write operations
+[PULL 24/45] target/arm: Implement FMOPA, FMOPS (non-widening)
-From: Eric Auger <eric.auger@redhat.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-Now we have relevant helpers for queue and irq
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-management, let's implement MMIO write operations.
+Message-id: 20220708151540.18136-25-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 ---
  target/arm/helper-sme.h    |  5 +++
  target/arm/sme.decode      |  9 +++++
  target/arm/sme_helper.c    | 69 ++++++++++++++++++++++++++++++++++++++
  target/arm/translate-sme.c | 32 ++++++++++++++++++
 files changed, 115 insertions(+)
-Signed-off-by: Eric Auger <eric.auger@redhat.com>
+diff --git a/target/arm/helper-sme.h b/target/arm/helper-sme.h
 Signed-off-by: Prem Mallappa <prem.mallappa@broadcom.com>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Message-id: 1524665762-31355-8-git-send-email-eric.auger@redhat.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
  hw/arm/smmuv3-internal.h |   8 +-
  hw/arm/smmuv3.c          | 170 +++++++++++++++++++++++++++++++++++++--
  hw/arm/trace-events      |   6 ++
 files changed, 174 insertions(+), 10 deletions(-)
 diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmuv3-internal.h
+--- a/target/arm/helper-sme.h
-+++ b/hw/arm/smmuv3-internal.h
++++ b/target/arm/helper-sme.h
-@@ -XXX,XX +XXX,XX @@ REG32(CR0,                 0x20)
+@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_5(sme_addha_s, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
-     FIELD(CR0, EVENTQEN,      2, 1)
+ DEF_HELPER_FLAGS_5(sme_addva_s, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
-     FIELD(CR0, CMDQEN,        3, 1)
+ DEF_HELPER_FLAGS_5(sme_addha_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
+ DEF_HELPER_FLAGS_5(sme_addva_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
 +#define SMMU_CR0_RESERVED 0xFFFFFC20
 +
- REG32(CR0ACK,              0x24)
++DEF_HELPER_FLAGS_7(sme_fmopa_s, TCG_CALL_NO_RWG,
- REG32(CR1,                 0x28)
++                   void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
- REG32(CR2,                 0x2c)
++DEF_HELPER_FLAGS_7(sme_fmopa_d, TCG_CALL_NO_RWG,
-@@ -XXX,XX +XXX,XX @@ static inline bool smmuv3_gerror_irq_enabled(SMMUv3State *s)
++                   void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
-     return FIELD_EX32(s->irq_ctrl, IRQ_CTRL, GERROR_IRQEN);
+diff --git a/target/arm/sme.decode b/target/arm/sme.decode
  }
 -/* public until callers get introduced */
 -void smmuv3_trigger_irq(SMMUv3State *s, SMMUIrq irq, uint32_t gerror_mask);
 -void smmuv3_write_gerrorn(SMMUv3State *s, uint32_t gerrorn);
 -
  /* Queue Handling */
  #define Q_BASE(q)          ((q)->base & SMMU_BASE_ADDR_MASK)
@@ -XXX,XX +XXX,XX @@ enum { /* Command completion notification */
              addr;                                             \
          })
 -int smmuv3_cmdq_consume(SMMUv3State *s);
 +#define SMMU_FEATURE_2LVL_STE (1 << 0)
  #endif
 diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmuv3.c
+--- a/target/arm/sme.decode
-+++ b/hw/arm/smmuv3.c
++++ b/target/arm/sme.decode
@@ -XXX,XX +XXX,XX @@ ADDHA_s         11000000 10 01000 0 ... ... ..... 000 ..        @adda_32
  ADDVA_s         11000000 10 01000 1 ... ... ..... 000 ..        @adda_32
  ADDHA_d         11000000 11 01000 0 ... ... ..... 00 ...        @adda_64
  ADDVA_d         11000000 11 01000 1 ... ... ..... 00 ...        @adda_64
 +
 +### SME Outer Product
 +
 +&op             zad zn zm pm pn sub:bool
 +@op_32          ........ ... zm:5 pm:3 pn:3 zn:5 sub:1 .. zad:2 &op
 +@op_64          ........ ... zm:5 pm:3 pn:3 zn:5 sub:1 .  zad:3 &op
 +
 +FMOPA_s         10000000 100 ..... ... ... ..... . 00 ..        @op_32
 +FMOPA_d         10000000 110 ..... ... ... ..... . 0 ...        @op_64
 diff --git a/target/arm/sme_helper.c b/target/arm/sme_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/sme_helper.c
 +++ b/target/arm/sme_helper.c
 @@ -XXX,XX +XXX,XX @@
-  * @irq: irq type
+ #include "exec/cpu_ldst.h"
-  * @gerror_mask: mask of gerrors to toggle (relevant if @irq is GERROR)
+ #include "exec/exec-all.h"
-  */
+ #include "qemu/int128.h"
--void smmuv3_trigger_irq(SMMUv3State *s, SMMUIrq irq, uint32_t gerror_mask)
++#include "fpu/softfloat.h"
-+static void smmuv3_trigger_irq(SMMUv3State *s, SMMUIrq irq,
+ #include "vec_internal.h"
-+                               uint32_t gerror_mask)
+ #include "sve_ldst_internal.h"
- {
+@@ -XXX,XX +XXX,XX @@ void HELPER(sme_addva_d)(void *vzda, void *vzn, void *vpn,
-     bool pulse = false;
+         }
@@ -XXX,XX +XXX,XX @@ void smmuv3_trigger_irq(SMMUv3State *s, SMMUIrq irq, uint32_t gerror_mask)
      }
  }
++
--void smmuv3_write_gerrorn(SMMUv3State *s, uint32_t new_gerrorn)
++void HELPER(sme_fmopa_s)(void *vza, void *vzn, void *vzm, void *vpn,
-+static void smmuv3_write_gerrorn(SMMUv3State *s, uint32_t new_gerrorn)
++                         void *vpm, void *vst, uint32_t desc)
  {
      uint32_t pending = s->gerror ^ s->gerrorn;
      uint32_t toggled = s->gerrorn ^ new_gerrorn;
@@ -XXX,XX +XXX,XX @@ static void smmuv3_init_regs(SMMUv3State *s)
      s->sid_split = 0;
  }
 -int smmuv3_cmdq_consume(SMMUv3State *s)
 +static int smmuv3_cmdq_consume(SMMUv3State *s)
  {
      SMMUCmdError cmd_error = SMMU_CERROR_NONE;
      SMMUQueue *q = &s->cmdq;
@@ -XXX,XX +XXX,XX @@ int smmuv3_cmdq_consume(SMMUv3State *s)
      return 0;
  }
 +static MemTxResult smmu_writell(SMMUv3State *s, hwaddr offset,
 +                               uint64_t data, MemTxAttrs attrs)
 +{
-+    switch (offset) {
++    intptr_t row, col, oprsz = simd_maxsz(desc);
-+    case A_GERROR_IRQ_CFG0:
++    uint32_t neg = simd_data(desc) << 31;
-+        s->gerror_irq_cfg0 = data;
++    uint16_t *pn = vpn, *pm = vpm;
-+        return MEMTX_OK;
++    float_status fpst;
-+    case A_STRTAB_BASE:
++
-+        s->strtab_base = data;
++    /*
-+        return MEMTX_OK;
++     * Make a copy of float_status because this operation does not
-+    case A_CMDQ_BASE:
++     * update the cumulative fp exception status.  It also produces
-+        s->cmdq.base = data;
++     * default nans.
-+        s->cmdq.log2size = extract64(s->cmdq.base, 0, 5);
++     */
-+        if (s->cmdq.log2size > SMMU_CMDQS) {
++    fpst = *(float_status *)vst;
-+            s->cmdq.log2size = SMMU_CMDQS;
++    set_default_nan_mode(true, &fpst);
-+        }
++
-+        return MEMTX_OK;
++    for (row = 0; row < oprsz; ) {
-+    case A_EVENTQ_BASE:
++        uint16_t pa = pn[H2(row >> 4)];
-+        s->eventq.base = data;
++        do {
-+        s->eventq.log2size = extract64(s->eventq.base, 0, 5);
++            if (pa & 1) {
-+        if (s->eventq.log2size > SMMU_EVENTQS) {
++                void *vza_row = vza + tile_vslice_offset(row);
-+            s->eventq.log2size = SMMU_EVENTQS;
++                uint32_t n = *(uint32_t *)(vzn + H1_4(row)) ^ neg;
-+        }
++
-+        return MEMTX_OK;
++                for (col = 0; col < oprsz; ) {
-+    case A_EVENTQ_IRQ_CFG0:
++                    uint16_t pb = pm[H2(col >> 4)];
-+        s->eventq_irq_cfg0 = data;
++                    do {
-+        return MEMTX_OK;
++                        if (pb & 1) {
-+    default:
++                            uint32_t *a = vza_row + H1_4(col);
-+        qemu_log_mask(LOG_UNIMP,
++                            uint32_t *m = vzm + H1_4(col);
-+                      "%s Unexpected 64-bit access to 0x%"PRIx64" (WI)\n",
++                            *a = float32_muladd(n, *m, *a, 0, vst);
-+                      __func__, offset);
++                        }
-+        return MEMTX_OK;
++                        col += 4;
 +                        pb >>= 4;
 +                    } while (col & 15);
 +                }
 +            }
 +            row += 4;
 +            pa >>= 4;
 +        } while (row & 15);
 +    }
 +}
 +
-+static MemTxResult smmu_writel(SMMUv3State *s, hwaddr offset,
++void HELPER(sme_fmopa_d)(void *vza, void *vzn, void *vzm, void *vpn,
-+                               uint64_t data, MemTxAttrs attrs)
++                         void *vpm, void *vst, uint32_t desc)
 +{
-+    switch (offset) {
++    intptr_t row, col, oprsz = simd_oprsz(desc) / 8;
-+    case A_CR0:
++    uint64_t neg = (uint64_t)simd_data(desc) << 63;
-+        s->cr[0] = data;
++    uint64_t *za = vza, *zn = vzn, *zm = vzm;
-+        s->cr0ack = data & ~SMMU_CR0_RESERVED;
++    uint8_t *pn = vpn, *pm = vpm;
-+        /* in case the command queue has been enabled */
++    float_status fpst = *(float_status *)vst;
-+        smmuv3_cmdq_consume(s);
++
-+        return MEMTX_OK;
++    set_default_nan_mode(true, &fpst);
-+    case A_CR1:
++
-+        s->cr[1] = data;
++    for (row = 0; row < oprsz; ++row) {
-+        return MEMTX_OK;
++        if (pn[H1(row)] & 1) {
-+    case A_CR2:
++            uint64_t *za_row = &za[tile_vslice_index(row)];
-+        s->cr[2] = data;
++            uint64_t n = zn[row] ^ neg;
-+        return MEMTX_OK;
++
-+    case A_IRQ_CTRL:
++            for (col = 0; col < oprsz; ++col) {
-+        s->irq_ctrl = data;
++                if (pm[H1(col)] & 1) {
-+        return MEMTX_OK;
++                    uint64_t *a = &za_row[col];
-+    case A_GERRORN:
++                    *a = float64_muladd(n, zm[col], *a, 0, &fpst);
-+        smmuv3_write_gerrorn(s, data);
++                }
-+        /*
++            }
 +         * By acknowledging the CMDQ_ERR, SW may notify cmds can
 +         * be processed again
 +         */
 +        smmuv3_cmdq_consume(s);
 +        return MEMTX_OK;
 +    case A_GERROR_IRQ_CFG0: /* 64b */
 +        s->gerror_irq_cfg0 = deposit64(s->gerror_irq_cfg0, 0, 32, data);
 +        return MEMTX_OK;
 +    case A_GERROR_IRQ_CFG0 + 4:
 +        s->gerror_irq_cfg0 = deposit64(s->gerror_irq_cfg0, 32, 32, data);
 +        return MEMTX_OK;
 +    case A_GERROR_IRQ_CFG1:
 +        s->gerror_irq_cfg1 = data;
 +        return MEMTX_OK;
 +    case A_GERROR_IRQ_CFG2:
 +        s->gerror_irq_cfg2 = data;
 +        return MEMTX_OK;
 +    case A_STRTAB_BASE: /* 64b */
 +        s->strtab_base = deposit64(s->strtab_base, 0, 32, data);
 +        return MEMTX_OK;
 +    case A_STRTAB_BASE + 4:
 +        s->strtab_base = deposit64(s->strtab_base, 32, 32, data);
 +        return MEMTX_OK;
 +    case A_STRTAB_BASE_CFG:
 +        s->strtab_base_cfg = data;
 +        if (FIELD_EX32(data, STRTAB_BASE_CFG, FMT) == 1) {
 +            s->sid_split = FIELD_EX32(data, STRTAB_BASE_CFG, SPLIT);
 +            s->features |= SMMU_FEATURE_2LVL_STE;
 +        }
-+        return MEMTX_OK;
-+    case A_CMDQ_BASE: /* 64b */
-+        s->cmdq.base = deposit64(s->cmdq.base, 0, 32, data);
-+        s->cmdq.log2size = extract64(s->cmdq.base, 0, 5);
-+        if (s->cmdq.log2size > SMMU_CMDQS) {
-+            s->cmdq.log2size = SMMU_CMDQS;
-+        }
-+        return MEMTX_OK;
-+    case A_CMDQ_BASE + 4: /* 64b */
-+        s->cmdq.base = deposit64(s->cmdq.base, 32, 32, data);
-+        return MEMTX_OK;
-+    case A_CMDQ_PROD:
-+        s->cmdq.prod = data;
-+        smmuv3_cmdq_consume(s);
-+        return MEMTX_OK;
-+    case A_CMDQ_CONS:
-+        s->cmdq.cons = data;
-+        return MEMTX_OK;
-+    case A_EVENTQ_BASE: /* 64b */
-+        s->eventq.base = deposit64(s->eventq.base, 0, 32, data);
-+        s->eventq.log2size = extract64(s->eventq.base, 0, 5);
-+        if (s->eventq.log2size > SMMU_EVENTQS) {
-+            s->eventq.log2size = SMMU_EVENTQS;
-+        }
-+        return MEMTX_OK;
-+    case A_EVENTQ_BASE + 4:
-+        s->eventq.base = deposit64(s->eventq.base, 32, 32, data);
-+        return MEMTX_OK;
-+    case A_EVENTQ_PROD:
-+        s->eventq.prod = data;
-+        return MEMTX_OK;
-+    case A_EVENTQ_CONS:
-+        s->eventq.cons = data;
-+        return MEMTX_OK;
-+    case A_EVENTQ_IRQ_CFG0: /* 64b */
-+        s->eventq_irq_cfg0 = deposit64(s->eventq_irq_cfg0, 0, 32, data);
-+        return MEMTX_OK;
-+    case A_EVENTQ_IRQ_CFG0 + 4:
-+        s->eventq_irq_cfg0 = deposit64(s->eventq_irq_cfg0, 32, 32, data);
-+        return MEMTX_OK;
-+    case A_EVENTQ_IRQ_CFG1:
-+        s->eventq_irq_cfg1 = data;
-+        return MEMTX_OK;
-+    case A_EVENTQ_IRQ_CFG2:
-+        s->eventq_irq_cfg2 = data;
-+        return MEMTX_OK;
-+    default:
-+        qemu_log_mask(LOG_UNIMP,
-+                      "%s Unexpected 32-bit access to 0x%"PRIx64" (WI)\n",
-+                      __func__, offset);
-+        return MEMTX_OK;
 +    }
 +}
+diff --git a/target/arm/translate-sme.c b/target/arm/translate-sme.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/translate-sme.c
++++ b/target/arm/translate-sme.c
+@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(ADDHA_s, aa64_sme, do_adda, a, MO_32, gen_helper_sme_addha_s)
+ TRANS_FEAT(ADDVA_s, aa64_sme, do_adda, a, MO_32, gen_helper_sme_addva_s)
+ TRANS_FEAT(ADDHA_d, aa64_sme_i16i64, do_adda, a, MO_64, gen_helper_sme_addha_d)
+ TRANS_FEAT(ADDVA_d, aa64_sme_i16i64, do_adda, a, MO_64, gen_helper_sme_addva_d)
 +
- static MemTxResult smmu_write_mmio(void *opaque, hwaddr offset, uint64_t data,
++static bool do_outprod_fpst(DisasContext *s, arg_op *a, MemOp esz,
-                                    unsigned size, MemTxAttrs attrs)
++                            gen_helper_gvec_5_ptr *fn)
- {
++{
--    /* not yet implemented */
++    int svl = streaming_vec_reg_size(s);
--    return MEMTX_ERROR;
++    uint32_t desc = simd_desc(svl, svl, a->sub);
-+    SMMUState *sys = opaque;
++    TCGv_ptr za, zn, zm, pn, pm, fpst;
 +    SMMUv3State *s = ARM_SMMUV3(sys);
 +    MemTxResult r;
 +
-+    /* CONSTRAINED UNPREDICTABLE choice to have page0/1 be exact aliases */
++    if (!sme_smza_enabled_check(s)) {
-+    offset &= ~0x10000;
++        return true;
 +
 +    switch (size) {
 +    case 8:
 +        r = smmu_writell(s, offset, data, attrs);
 +        break;
 +    case 4:
 +        r = smmu_writel(s, offset, data, attrs);
 +        break;
 +    default:
 +        r = MEMTX_ERROR;
 +        break;
 +    }
 +
-+    trace_smmuv3_write_mmio(offset, data, size, r);
++    /* Sum XZR+zad to find ZAd. */
-+    return r;
++    za = get_tile_rowcol(s, esz, 31, a->zad, false);
- }
++    zn = vec_full_reg_ptr(s, a->zn);
++    zm = vec_full_reg_ptr(s, a->zm);
- static MemTxResult smmu_readll(SMMUv3State *s, hwaddr offset,
++    pn = pred_full_reg_ptr(s, a->pn);
-diff --git a/hw/arm/trace-events b/hw/arm/trace-events
++    pm = pred_full_reg_ptr(s, a->pm);
-index XXXXXXX..XXXXXXX 100644
++    fpst = fpstatus_ptr(FPST_FPCR);
---- a/hw/arm/trace-events
++
-+++ b/hw/arm/trace-events
++    fn(za, zn, zm, pn, pm, fpst, tcg_constant_i32(desc));
-@@ -XXX,XX +XXX,XX @@ smmuv3_cmdq_consume(uint32_t prod, uint32_t cons, uint8_t prod_wrap, uint8_t con
++
- smmuv3_cmdq_opcode(const char *opcode) "<--- %s"
++    tcg_temp_free_ptr(za);
- smmuv3_cmdq_consume_out(uint32_t prod, uint32_t cons, uint8_t prod_wrap, uint8_t cons_wrap) "prod:%d, cons:%d, prod_wrap:%d, cons_wrap:%d "
++    tcg_temp_free_ptr(zn);
- smmuv3_cmdq_consume_error(const char *cmd_name, uint8_t cmd_error) "Error on %s command execution: %d"
++    tcg_temp_free_ptr(pn);
-+smmuv3_update(bool is_empty, uint32_t prod, uint32_t cons, uint8_t prod_wrap, uint8_t cons_wrap) "q empty:%d prod:%d cons:%d p.wrap:%d p.cons:%d"
++    tcg_temp_free_ptr(pm);
-+smmuv3_update_check_cmd(int error) "cmdq not enabled or error :0x%x"
++    tcg_temp_free_ptr(fpst);
-+smmuv3_write_mmio(uint64_t addr, uint64_t val, unsigned size, uint32_t r) "addr: 0x%"PRIx64" val:0x%"PRIx64" size: 0x%x(%d)"
++    return true;
-+smmuv3_write_mmio_idr(uint64_t addr, uint64_t val) "write to RO/Unimpl reg 0x%lx val64:0x%lx"
++}
-+smmuv3_write_mmio_evtq_cons_bef_clear(uint32_t prod, uint32_t cons, uint8_t prod_wrap, uint8_t cons_wrap) "Before clearing interrupt prod:0x%x cons:0x%x prod.w:%d cons.w:%d"
++
-+smmuv3_write_mmio_evtq_cons_after_clear(uint32_t prod, uint32_t cons, uint8_t prod_wrap, uint8_t cons_wrap) "after clearing interrupt prod:0x%x cons:0x%x prod.w:%d cons.w:%d"
++TRANS_FEAT(FMOPA_s, aa64_sme, do_outprod_fpst, a, MO_32, gen_helper_sme_fmopa_s)
 +TRANS_FEAT(FMOPA_d, aa64_sme_f64f64, do_outprod_fpst, a, MO_64, gen_helper_sme_fmopa_d)
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 12/24] hw/arm/smmu-common: IOMMU memory region and address space setup
+[PULL 25/45] target/arm: Implement BFMOPA, BFMOPS
-From: Eric Auger <eric.auger@redhat.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-We set up the infrastructure to enumerate all the PCI devices
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-attached to the SMMU and create an associated IOMMU memory
+Message-id: 20220708151540.18136-26-richard.henderson@linaro.org
-region and address space.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 ---
  target/arm/helper-sme.h    |  2 ++
  target/arm/sme.decode      |  2 ++
  target/arm/sme_helper.c    | 56 ++++++++++++++++++++++++++++++++++++++
  target/arm/translate-sme.c | 30 ++++++++++++++++++++
 files changed, 90 insertions(+)
-Those info are stored in SMMUDevice objects. The devices are
+diff --git a/target/arm/helper-sme.h b/target/arm/helper-sme.h
 grouped according to the PCIBus they belong to. A hash table
 indexed by the PCIBus pointer is used. Also an array indexed by
 the bus number allows to find the list of SMMUDevices.
 Signed-off-by: Eric Auger <eric.auger@redhat.com>
 Signed-off-by: Prem Mallappa <prem.mallappa@broadcom.com>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Message-id: 1524665762-31355-3-git-send-email-eric.auger@redhat.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
  include/hw/arm/smmu-common.h |  8 +++++
  hw/arm/smmu-common.c         | 69 ++++++++++++++++++++++++++++++++++++
  hw/arm/trace-events          |  3 ++
 files changed, 80 insertions(+)
 diff --git a/include/hw/arm/smmu-common.h b/include/hw/arm/smmu-common.h
 index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/smmu-common.h
+--- a/target/arm/helper-sme.h
-+++ b/include/hw/arm/smmu-common.h
++++ b/target/arm/helper-sme.h
-@@ -XXX,XX +XXX,XX @@ typedef struct {
+@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_7(sme_fmopa_s, TCG_CALL_NO_RWG,
- #define ARM_SMMU_GET_CLASS(obj)                              \
+                    void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
-     OBJECT_GET_CLASS(SMMUBaseClass, (obj), TYPE_ARM_SMMU)
+ DEF_HELPER_FLAGS_7(sme_fmopa_d, TCG_CALL_NO_RWG,
+                    void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
-+/* Return the SMMUPciBus handle associated to a PCI bus number */
++DEF_HELPER_FLAGS_6(sme_bfmopa, TCG_CALL_NO_RWG,
-+SMMUPciBus *smmu_find_smmu_pcibus(SMMUState *s, uint8_t bus_num);
++                   void, ptr, ptr, ptr, ptr, ptr, i32)
 diff --git a/target/arm/sme.decode b/target/arm/sme.decode
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/sme.decode
 +++ b/target/arm/sme.decode
@@ -XXX,XX +XXX,XX @@ ADDVA_d         11000000 11 01000 1 ... ... ..... 00 ...        @adda_64
  FMOPA_s         10000000 100 ..... ... ... ..... . 00 ..        @op_32
  FMOPA_d         10000000 110 ..... ... ... ..... . 0 ...        @op_64
 +
-+/* Return the stream ID of an SMMU device */
++BFMOPA          10000001 100 ..... ... ... ..... . 00 ..        @op_32
-+static inline uint16_t smmu_get_sid(SMMUDevice *sdev)
+diff --git a/target/arm/sme_helper.c b/target/arm/sme_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/sme_helper.c
 +++ b/target/arm/sme_helper.c
@@ -XXX,XX +XXX,XX @@ void HELPER(sme_fmopa_d)(void *vza, void *vzn, void *vzm, void *vpn,
          }
      }
  }
 +
 +/*
 + * Alter PAIR as needed for controlling predicates being false,
 + * and for NEG on an enabled row element.
 + */
 +static inline uint32_t f16mop_adj_pair(uint32_t pair, uint32_t pg, uint32_t neg)
 +{
-+    return PCI_BUILD_BDF(pci_bus_num(sdev->bus), sdev->devfn);
++    /*
-+}
++     * The pseudocode uses a conditional negate after the conditional zero.
- #endif  /* HW_ARM_SMMU_COMMON */
++     * It is simpler here to unconditionally negate before conditional zero.
-diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
++     */
-index XXXXXXX..XXXXXXX 100644
++    pair ^= neg;
---- a/hw/arm/smmu-common.c
++    if (!(pg & 1)) {
-+++ b/hw/arm/smmu-common.c
++        pair &= 0xffff0000u;
@@ -XXX,XX +XXX,XX @@
  #include "qemu/error-report.h"
  #include "hw/arm/smmu-common.h"
 +/**
 + * The bus number is used for lookup when SID based invalidation occurs.
 + * In that case we lazily populate the SMMUPciBus array from the bus hash
 + * table. At the time the SMMUPciBus is created (smmu_find_add_as), the bus
 + * numbers may not be always initialized yet.
 + */
 +SMMUPciBus *smmu_find_smmu_pcibus(SMMUState *s, uint8_t bus_num)
 +{
 +    SMMUPciBus *smmu_pci_bus = s->smmu_pcibus_by_bus_num[bus_num];
 +
 +    if (!smmu_pci_bus) {
 +        GHashTableIter iter;
 +
 +        g_hash_table_iter_init(&iter, s->smmu_pcibus_by_busptr);
 +        while (g_hash_table_iter_next(&iter, NULL, (void **)&smmu_pci_bus)) {
 +            if (pci_bus_num(smmu_pci_bus->bus) == bus_num) {
 +                s->smmu_pcibus_by_bus_num[bus_num] = smmu_pci_bus;
 +                return smmu_pci_bus;
 +            }
 +        }
 +    }
-+    return smmu_pci_bus;
++    if (!(pg & 4)) {
 +        pair &= 0x0000ffffu;
 +    }
 +    return pair;
 +}
 +
-+static AddressSpace *smmu_find_add_as(PCIBus *bus, void *opaque, int devfn)
++void HELPER(sme_bfmopa)(void *vza, void *vzn, void *vzm, void *vpn,
 +                        void *vpm, uint32_t desc)
 +{
-+    SMMUState *s = opaque;
++    intptr_t row, col, oprsz = simd_maxsz(desc);
-+    SMMUPciBus *sbus = g_hash_table_lookup(s->smmu_pcibus_by_busptr, bus);
++    uint32_t neg = simd_data(desc) * 0x80008000u;
-+    SMMUDevice *sdev;
++    uint16_t *pn = vpn, *pm = vpm;
 +
-+    if (!sbus) {
++    for (row = 0; row < oprsz; ) {
-+        sbus = g_malloc0(sizeof(SMMUPciBus) +
++        uint16_t prow = pn[H2(row >> 4)];
-+                         sizeof(SMMUDevice *) * SMMU_PCI_DEVFN_MAX);
++        do {
-+        sbus->bus = bus;
++            void *vza_row = vza + tile_vslice_offset(row);
-+        g_hash_table_insert(s->smmu_pcibus_by_busptr, bus, sbus);
++            uint32_t n = *(uint32_t *)(vzn + H1_4(row));
 +
 +            n = f16mop_adj_pair(n, prow, neg);
 +
 +            for (col = 0; col < oprsz; ) {
 +                uint16_t pcol = pm[H2(col >> 4)];
 +                do {
 +                    if (prow & pcol & 0b0101) {
 +                        uint32_t *a = vza_row + H1_4(col);
 +                        uint32_t m = *(uint32_t *)(vzm + H1_4(col));
 +
 +                        m = f16mop_adj_pair(m, pcol, 0);
 +                        *a = bfdotadd(*a, n, m);
 +
 +                        col += 4;
 +                        pcol >>= 4;
 +                    }
 +                } while (col & 15);
 +            }
 +            row += 4;
 +            prow >>= 4;
 +        } while (row & 15);
 +    }
 +}
 diff --git a/target/arm/translate-sme.c b/target/arm/translate-sme.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-sme.c
 +++ b/target/arm/translate-sme.c
@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(ADDVA_s, aa64_sme, do_adda, a, MO_32, gen_helper_sme_addva_s)
  TRANS_FEAT(ADDHA_d, aa64_sme_i16i64, do_adda, a, MO_64, gen_helper_sme_addha_d)
  TRANS_FEAT(ADDVA_d, aa64_sme_i16i64, do_adda, a, MO_64, gen_helper_sme_addva_d)
 +static bool do_outprod(DisasContext *s, arg_op *a, MemOp esz,
 +                       gen_helper_gvec_5 *fn)
 +{
 +    int svl = streaming_vec_reg_size(s);
 +    uint32_t desc = simd_desc(svl, svl, a->sub);
 +    TCGv_ptr za, zn, zm, pn, pm;
 +
 +    if (!sme_smza_enabled_check(s)) {
 +        return true;
 +    }
 +
-+    sdev = sbus->pbdev[devfn];
++    /* Sum XZR+zad to find ZAd. */
-+    if (!sdev) {
++    za = get_tile_rowcol(s, esz, 31, a->zad, false);
-+        char *name = g_strdup_printf("%s-%d-%d",
++    zn = vec_full_reg_ptr(s, a->zn);
-+                                     s->mrtypename,
++    zm = vec_full_reg_ptr(s, a->zm);
-+                                     pci_bus_num(bus), devfn);
++    pn = pred_full_reg_ptr(s, a->pn);
-+        sdev = sbus->pbdev[devfn] = g_new0(SMMUDevice, 1);
++    pm = pred_full_reg_ptr(s, a->pm);
 +
-+        sdev->smmu = s;
++    fn(za, zn, zm, pn, pm, tcg_constant_i32(desc));
 +        sdev->bus = bus;
 +        sdev->devfn = devfn;
 +
-+        memory_region_init_iommu(&sdev->iommu, sizeof(sdev->iommu),
++    tcg_temp_free_ptr(za);
-+                                 s->mrtypename,
++    tcg_temp_free_ptr(zn);
-+                                 OBJECT(s), name, 1ULL << SMMU_MAX_VA_BITS);
++    tcg_temp_free_ptr(pn);
-+        address_space_init(&sdev->as,
++    tcg_temp_free_ptr(pm);
-+                           MEMORY_REGION(&sdev->iommu), name);
++    return true;
 +        trace_smmu_add_mr(name);
 +        g_free(name);
 +    }
 +
 +    return &sdev->as;
 +}
 +
- static void smmu_base_realize(DeviceState *dev, Error **errp)
+ static bool do_outprod_fpst(DisasContext *s, arg_op *a, MemOp esz,
                              gen_helper_gvec_5_ptr *fn)
  {
-+    SMMUState *s = ARM_SMMU(dev);
+@@ -XXX,XX +XXX,XX @@ static bool do_outprod_fpst(DisasContext *s, arg_op *a, MemOp esz,
-     SMMUBaseClass *sbc = ARM_SMMU_GET_CLASS(dev);
-     Error *local_err = NULL;
+ TRANS_FEAT(FMOPA_s, aa64_sme, do_outprod_fpst, a, MO_32, gen_helper_sme_fmopa_s)
+ TRANS_FEAT(FMOPA_d, aa64_sme_f64f64, do_outprod_fpst, a, MO_64, gen_helper_sme_fmopa_d)
@@ -XXX,XX +XXX,XX @@ static void smmu_base_realize(DeviceState *dev, Error **errp)
          error_propagate(errp, local_err);
          return;
      }
 +
-+    s->smmu_pcibus_by_busptr = g_hash_table_new(NULL, NULL);
++/* TODO: FEAT_EBF16 */
-+
++TRANS_FEAT(BFMOPA, aa64_sme, do_outprod, a, MO_32, gen_helper_sme_bfmopa)
 +    if (s->primary_bus) {
 +        pci_setup_iommu(s->primary_bus, smmu_find_add_as, s);
 +    } else {
 +        error_setg(errp, "SMMU is not attached to any PCI bus!");
 +    }
  }
  static void smmu_base_reset(DeviceState *dev)
 diff --git a/hw/arm/trace-events b/hw/arm/trace-events
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/trace-events
 +++ b/hw/arm/trace-events
@@ -XXX,XX +XXX,XX @@
  # hw/arm/virt-acpi-build.c
  virt_acpi_setup(void) "No fw cfg or ACPI disabled. Bailing out."
 +
 +# hw/arm/smmu-common.c
 +smmu_add_mr(const char *name) "%s"
 \ No newline at end of file
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 05/24] hw/net/smc91c111: Convert away from old_mmio
+[PULL 26/45] target/arm: Implement FMOPA, FMOPS (widening)
-Convert the smc91c111 device away from using the old_mmio field of
+From: Richard Henderson <richard.henderson@linaro.org>
 MemoryRegionOps. This device is used by several Arm board models.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220708151540.18136-27-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Message-id: 20180427173611.10281-3-peter.maydell@linaro.org
 ---
- hw/net/smc91c111.c | 54 +++++++++++++++++++++-------------------------
+ target/arm/helper-sme.h    |  2 ++
-file changed, 25 insertions(+), 29 deletions(-)
+ target/arm/sme.decode      |  1 +
  target/arm/sme_helper.c    | 74 ++++++++++++++++++++++++++++++++++++++
  target/arm/translate-sme.c |  1 +
 files changed, 78 insertions(+)
-diff --git a/hw/net/smc91c111.c b/hw/net/smc91c111.c
+diff --git a/target/arm/helper-sme.h b/target/arm/helper-sme.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/net/smc91c111.c
+--- a/target/arm/helper-sme.h
-+++ b/hw/net/smc91c111.c
++++ b/target/arm/helper-sme.h
-@@ -XXX,XX +XXX,XX @@ static uint32_t smc91c111_readb(void *opaque, hwaddr offset)
+@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_5(sme_addva_s, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
-     return 0;
+ DEF_HELPER_FLAGS_5(sme_addha_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
  DEF_HELPER_FLAGS_5(sme_addva_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
 +DEF_HELPER_FLAGS_7(sme_fmopa_h, TCG_CALL_NO_RWG,
 +                   void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
  DEF_HELPER_FLAGS_7(sme_fmopa_s, TCG_CALL_NO_RWG,
                     void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
  DEF_HELPER_FLAGS_7(sme_fmopa_d, TCG_CALL_NO_RWG,
 diff --git a/target/arm/sme.decode b/target/arm/sme.decode
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/sme.decode
 +++ b/target/arm/sme.decode
@@ -XXX,XX +XXX,XX @@ FMOPA_s         10000000 100 ..... ... ... ..... . 00 ..        @op_32
  FMOPA_d         10000000 110 ..... ... ... ..... . 0 ...        @op_64
  BFMOPA          10000001 100 ..... ... ... ..... . 00 ..        @op_32
 +FMOPA_h         10000001 101 ..... ... ... ..... . 00 ..        @op_32
 diff --git a/target/arm/sme_helper.c b/target/arm/sme_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/sme_helper.c
 +++ b/target/arm/sme_helper.c
@@ -XXX,XX +XXX,XX @@ static inline uint32_t f16mop_adj_pair(uint32_t pair, uint32_t pg, uint32_t neg)
      return pair;
  }
--static void smc91c111_writew(void *opaque, hwaddr offset,
++static float32 f16_dotadd(float32 sum, uint32_t e1, uint32_t e2,
--                             uint32_t value)
++                          float_status *s_std, float_status *s_odd)
-+static uint64_t smc91c111_readfn(void *opaque, hwaddr addr, unsigned size)
++{
 +    float64 e1r = float16_to_float64(e1 & 0xffff, true, s_std);
 +    float64 e1c = float16_to_float64(e1 >> 16, true, s_std);
 +    float64 e2r = float16_to_float64(e2 & 0xffff, true, s_std);
 +    float64 e2c = float16_to_float64(e2 >> 16, true, s_std);
 +    float64 t64;
 +    float32 t32;
 +
 +    /*
 +     * The ARM pseudocode function FPDot performs both multiplies
 +     * and the add with a single rounding operation.  Emulate this
 +     * by performing the first multiply in round-to-odd, then doing
 +     * the second multiply as fused multiply-add, and rounding to
 +     * float32 all in one step.
 +     */
 +    t64 = float64_mul(e1r, e2r, s_odd);
 +    t64 = float64r32_muladd(e1c, e2c, t64, 0, s_std);
 +
 +    /* This conversion is exact, because we've already rounded. */
 +    t32 = float64_to_float32(t64, s_std);
 +
 +    /* The final accumulation step is not fused. */
 +    return float32_add(sum, t32, s_std);
 +}
 +
 +void HELPER(sme_fmopa_h)(void *vza, void *vzn, void *vzm, void *vpn,
 +                         void *vpm, void *vst, uint32_t desc)
 +{
 +    intptr_t row, col, oprsz = simd_maxsz(desc);
 +    uint32_t neg = simd_data(desc) * 0x80008000u;
 +    uint16_t *pn = vpn, *pm = vpm;
 +    float_status fpst_odd, fpst_std;
 +
 +    /*
 +     * Make a copy of float_status because this operation does not
 +     * update the cumulative fp exception status.  It also produces
 +     * default nans.  Make a second copy with round-to-odd -- see above.
 +     */
 +    fpst_std = *(float_status *)vst;
 +    set_default_nan_mode(true, &fpst_std);
 +    fpst_odd = fpst_std;
 +    set_float_rounding_mode(float_round_to_odd, &fpst_odd);
 +
 +    for (row = 0; row < oprsz; ) {
 +        uint16_t prow = pn[H2(row >> 4)];
 +        do {
 +            void *vza_row = vza + tile_vslice_offset(row);
 +            uint32_t n = *(uint32_t *)(vzn + H1_4(row));
 +
 +            n = f16mop_adj_pair(n, prow, neg);
 +
 +            for (col = 0; col < oprsz; ) {
 +                uint16_t pcol = pm[H2(col >> 4)];
 +                do {
 +                    if (prow & pcol & 0b0101) {
 +                        uint32_t *a = vza_row + H1_4(col);
 +                        uint32_t m = *(uint32_t *)(vzm + H1_4(col));
 +
 +                        m = f16mop_adj_pair(m, pcol, 0);
 +                        *a = f16_dotadd(*a, n, m, &fpst_std, &fpst_odd);
 +
 +                        col += 4;
 +                        pcol >>= 4;
 +                    }
 +                } while (col & 15);
 +            }
 +            row += 4;
 +            prow >>= 4;
 +        } while (row & 15);
 +    }
 +}
 +
  void HELPER(sme_bfmopa)(void *vza, void *vzn, void *vzm, void *vpn,
                          void *vpm, uint32_t desc)
  {
--    smc91c111_writeb(opaque, offset, value & 0xff);
+diff --git a/target/arm/translate-sme.c b/target/arm/translate-sme.c
--    smc91c111_writeb(opaque, offset + 1, value >> 8);
+index XXXXXXX..XXXXXXX 100644
-+    int i;
+--- a/target/arm/translate-sme.c
-+    uint32_t val = 0;
++++ b/target/arm/translate-sme.c
-+
+@@ -XXX,XX +XXX,XX @@ static bool do_outprod_fpst(DisasContext *s, arg_op *a, MemOp esz,
-+    for (i = 0; i < size; i++) {
+     return true;
 +        val |= smc91c111_readb(opaque, addr + i) << (i * 8);
 +    }
 +    return val;
  }
--static void smc91c111_writel(void *opaque, hwaddr offset,
++TRANS_FEAT(FMOPA_h, aa64_sme, do_outprod_fpst, a, MO_32, gen_helper_sme_fmopa_h)
--                             uint32_t value)
+ TRANS_FEAT(FMOPA_s, aa64_sme, do_outprod_fpst, a, MO_32, gen_helper_sme_fmopa_s)
-+static void smc91c111_writefn(void *opaque, hwaddr addr,
+ TRANS_FEAT(FMOPA_d, aa64_sme_f64f64, do_outprod_fpst, a, MO_64, gen_helper_sme_fmopa_d)
 +                               uint64_t value, unsigned size)
  {
 +    int i = 0;
 +
      /* 32-bit writes to offset 0xc only actually write to the bank select
 -       register (offset 0xe)  */
 -    if (offset != 0xc)
 -        smc91c111_writew(opaque, offset, value & 0xffff);
 -    smc91c111_writew(opaque, offset + 2, value >> 16);
 -}
 +     * register (offset 0xe), so skip the first two bytes we would write.
 +     */
 +    if (addr == 0xc && size == 4) {
 +        i += 2;
 +    }
 -static uint32_t smc91c111_readw(void *opaque, hwaddr offset)
 -{
 -    uint32_t val;
 -    val = smc91c111_readb(opaque, offset);
 -    val |= smc91c111_readb(opaque, offset + 1) << 8;
 -    return val;
 -}
 -
 -static uint32_t smc91c111_readl(void *opaque, hwaddr offset)
 -{
 -    uint32_t val;
 -    val = smc91c111_readw(opaque, offset);
 -    val |= smc91c111_readw(opaque, offset + 2) << 16;
 -    return val;
 +    for (; i < size; i++) {
 +        smc91c111_writeb(opaque, addr + i,
 +                         extract32(value, i * 8, 8));
 +    }
  }
  static int smc91c111_can_receive_nc(NetClientState *nc)
@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps smc91c111_mem_ops = {
      /* The special case for 32 bit writes to 0xc means we can't just
       * set .impl.min/max_access_size to 1, unfortunately
       */
 -    .old_mmio = {
 -        .read = { smc91c111_readb, smc91c111_readw, smc91c111_readl, },
 -        .write = { smc91c111_writeb, smc91c111_writew, smc91c111_writel, },
 -    },
 +    .read = smc91c111_readfn,
 +    .write = smc91c111_writefn,
 +    .valid.min_access_size = 1,
 +    .valid.max_access_size = 4,
      .endianness = DEVICE_NATIVE_ENDIAN,
  };
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 19/24] hw/arm/smmuv3: Implement translate callback
+[PULL 27/45] target/arm: Implement SME integer outer product
-From: Eric Auger <eric.auger@redhat.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-This patch implements the IOMMU Memory Region translate()
+This is SMOPA, SUMOPA, USMOPA_s, UMOPA, for both Int8 and Int16.
 callback. Most of the code relates to the translation
 configuration decoding and check (STE, CD).
-Signed-off-by: Eric Auger <eric.auger@redhat.com>
-Signed-off-by: Prem Mallappa <prem.mallappa@broadcom.com>
-Message-id: 1524665762-31355-10-git-send-email-eric.auger@redhat.com
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220708151540.18136-28-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/smmuv3-internal.h | 160 +++++++++++++++++
+ target/arm/helper-sme.h    | 16 ++++++++
- hw/arm/smmuv3.c          | 358 +++++++++++++++++++++++++++++++++++++++
+ target/arm/sme.decode      | 10 +++++
- hw/arm/trace-events      |   9 +
+ target/arm/sme_helper.c    | 82 ++++++++++++++++++++++++++++++++++++++
-files changed, 527 insertions(+)
+ target/arm/translate-sme.c | 10 +++++
 files changed, 118 insertions(+)
-diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h
+diff --git a/target/arm/helper-sme.h b/target/arm/helper-sme.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmuv3-internal.h
+--- a/target/arm/helper-sme.h
-+++ b/hw/arm/smmuv3-internal.h
++++ b/target/arm/helper-sme.h
-@@ -XXX,XX +XXX,XX @@ typedef struct SMMUEventInfo {
+@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_7(sme_fmopa_d, TCG_CALL_NO_RWG,
+                    void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
- void smmuv3_record_event(SMMUv3State *s, SMMUEventInfo *event);
+ DEF_HELPER_FLAGS_6(sme_bfmopa, TCG_CALL_NO_RWG,
+                    void, ptr, ptr, ptr, ptr, ptr, i32)
-+/* Configuration Data */
++DEF_HELPER_FLAGS_6(sme_smopa_s, TCG_CALL_NO_RWG,
 +                   void, ptr, ptr, ptr, ptr, ptr, i32)
 +DEF_HELPER_FLAGS_6(sme_umopa_s, TCG_CALL_NO_RWG,
 +                   void, ptr, ptr, ptr, ptr, ptr, i32)
 +DEF_HELPER_FLAGS_6(sme_sumopa_s, TCG_CALL_NO_RWG,
 +                   void, ptr, ptr, ptr, ptr, ptr, i32)
 +DEF_HELPER_FLAGS_6(sme_usmopa_s, TCG_CALL_NO_RWG,
 +                   void, ptr, ptr, ptr, ptr, ptr, i32)
 +DEF_HELPER_FLAGS_6(sme_smopa_d, TCG_CALL_NO_RWG,
 +                   void, ptr, ptr, ptr, ptr, ptr, i32)
 +DEF_HELPER_FLAGS_6(sme_umopa_d, TCG_CALL_NO_RWG,
 +                   void, ptr, ptr, ptr, ptr, ptr, i32)
 +DEF_HELPER_FLAGS_6(sme_sumopa_d, TCG_CALL_NO_RWG,
 +                   void, ptr, ptr, ptr, ptr, ptr, i32)
 +DEF_HELPER_FLAGS_6(sme_usmopa_d, TCG_CALL_NO_RWG,
 +                   void, ptr, ptr, ptr, ptr, ptr, i32)
 diff --git a/target/arm/sme.decode b/target/arm/sme.decode
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/sme.decode
 +++ b/target/arm/sme.decode
@@ -XXX,XX +XXX,XX @@ FMOPA_d         10000000 110 ..... ... ... ..... . 0 ...        @op_64
  BFMOPA          10000001 100 ..... ... ... ..... . 00 ..        @op_32
  FMOPA_h         10000001 101 ..... ... ... ..... . 00 ..        @op_32
 +
-+/* STE Level 1 Descriptor */
++SMOPA_s         1010000 0 10 0 ..... ... ... ..... . 00 ..      @op_32
-+typedef struct STEDesc {
++SUMOPA_s        1010000 0 10 1 ..... ... ... ..... . 00 ..      @op_32
-+    uint32_t word[2];
++USMOPA_s        1010000 1 10 0 ..... ... ... ..... . 00 ..      @op_32
-+} STEDesc;
++UMOPA_s         1010000 1 10 1 ..... ... ... ..... . 00 ..      @op_32
 +
-+/* CD Level 1 Descriptor */
++SMOPA_d         1010000 0 11 0 ..... ... ... ..... . 0 ...      @op_64
-+typedef struct CDDesc {
++SUMOPA_d        1010000 0 11 1 ..... ... ... ..... . 0 ...      @op_64
-+    uint32_t word[2];
++USMOPA_d        1010000 1 11 0 ..... ... ... ..... . 0 ...      @op_64
-+} CDDesc;
++UMOPA_d         1010000 1 11 1 ..... ... ... ..... . 0 ...      @op_64
 diff --git a/target/arm/sme_helper.c b/target/arm/sme_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/sme_helper.c
 +++ b/target/arm/sme_helper.c
@@ -XXX,XX +XXX,XX @@ void HELPER(sme_bfmopa)(void *vza, void *vzn, void *vzm, void *vpn,
          } while (row & 15);
      }
  }
 +
-+/* Stream Table Entry(STE) */
++typedef uint64_t IMOPFn(uint64_t, uint64_t, uint64_t, uint8_t, bool);
 +typedef struct STE {
 +    uint32_t word[16];
 +} STE;
 +
-+/* Context Descriptor(CD) */
++static inline void do_imopa(uint64_t *za, uint64_t *zn, uint64_t *zm,
-+typedef struct CD {
++                            uint8_t *pn, uint8_t *pm,
-+    uint32_t word[16];
++                            uint32_t desc, IMOPFn *fn)
-+} CD;
++{
 +    intptr_t row, col, oprsz = simd_oprsz(desc) / 8;
 +    bool neg = simd_data(desc);
 +
-+/* STE fields */
++    for (row = 0; row < oprsz; ++row) {
 +        uint8_t pa = pn[H1(row)];
 +        uint64_t *za_row = &za[tile_vslice_index(row)];
 +        uint64_t n = zn[row];
 +
-+#define STE_VALID(x)   extract32((x)->word[0], 0, 1)
++        for (col = 0; col < oprsz; ++col) {
 +            uint8_t pb = pm[H1(col)];
 +            uint64_t *a = &za_row[col];
 +
-+#define STE_CONFIG(x)  extract32((x)->word[0], 1, 3)
++            *a = fn(n, zm[col], *a, pa & pb, neg);
-+#define STE_CFG_S1_ENABLED(config) (config & 0x1)
++        }
 +#define STE_CFG_S2_ENABLED(config) (config & 0x2)
 +#define STE_CFG_ABORT(config)      (!(config & 0x4))
 +#define STE_CFG_BYPASS(config)     (config == 0x4)
 +
 +#define STE_S1FMT(x)       extract32((x)->word[0], 4 , 2)
 +#define STE_S1CDMAX(x)     extract32((x)->word[1], 27, 5)
 +#define STE_S1STALLD(x)    extract32((x)->word[2], 27, 1)
 +#define STE_EATS(x)        extract32((x)->word[2], 28, 2)
 +#define STE_STRW(x)        extract32((x)->word[2], 30, 2)
 +#define STE_S2VMID(x)      extract32((x)->word[4], 0 , 16)
 +#define STE_S2T0SZ(x)      extract32((x)->word[5], 0 , 6)
 +#define STE_S2SL0(x)       extract32((x)->word[5], 6 , 2)
 +#define STE_S2TG(x)        extract32((x)->word[5], 14, 2)
 +#define STE_S2PS(x)        extract32((x)->word[5], 16, 3)
 +#define STE_S2AA64(x)      extract32((x)->word[5], 19, 1)
 +#define STE_S2HD(x)        extract32((x)->word[5], 24, 1)
 +#define STE_S2HA(x)        extract32((x)->word[5], 25, 1)
 +#define STE_S2S(x)         extract32((x)->word[5], 26, 1)
 +#define STE_CTXPTR(x)                                           \
 +    ({                                                          \
 +        unsigned long addr;                                     \
 +        addr = (uint64_t)extract32((x)->word[1], 0, 16) << 32;  \
 +        addr |= (uint64_t)((x)->word[0] & 0xffffffc0);          \
 +        addr;                                                   \
 +    })
 +
 +#define STE_S2TTB(x)                                            \
 +    ({                                                          \
 +        unsigned long addr;                                     \
 +        addr = (uint64_t)extract32((x)->word[7], 0, 16) << 32;  \
 +        addr |= (uint64_t)((x)->word[6] & 0xfffffff0);          \
 +        addr;                                                   \
 +    })
 +
 +static inline int oas2bits(int oas_field)
 +{
 +    switch (oas_field) {
 +    case 0:
 +        return 32;
 +    case 1:
 +        return 36;
 +    case 2:
 +        return 40;
 +    case 3:
 +        return 42;
 +    case 4:
 +        return 44;
 +    case 5:
 +        return 48;
 +    }
 +    return -1;
 +}
 +
 +static inline int pa_range(STE *ste)
 +{
 +    int oas_field = MIN(STE_S2PS(ste), SMMU_IDR5_OAS);
 +
 +    if (!STE_S2AA64(ste)) {
 +        return 40;
 +    }
 +
 +    return oas2bits(oas_field);
 +}
 +
 +#define MAX_PA(ste) ((1 << pa_range(ste)) - 1)
 +
 +/* CD fields */
 +
 +#define CD_VALID(x)   extract32((x)->word[0], 30, 1)
 +#define CD_ASID(x)    extract32((x)->word[1], 16, 16)
 +#define CD_TTB(x, sel)                                      \
 +    ({                                                      \
 +        uint64_t hi, lo;                                    \
 +        hi = extract32((x)->word[(sel) * 2 + 3], 0, 19);    \
 +        hi <<= 32;                                          \
 +        lo = (x)->word[(sel) * 2 + 2] & ~0xfULL;            \
 +        hi | lo;                                            \
 +    })
 +
 +#define CD_TSZ(x, sel)   extract32((x)->word[0], (16 * (sel)) + 0, 6)
 +#define CD_TG(x, sel)    extract32((x)->word[0], (16 * (sel)) + 6, 2)
 +#define CD_EPD(x, sel)   extract32((x)->word[0], (16 * (sel)) + 14, 1)
 +#define CD_ENDI(x)       extract32((x)->word[0], 15, 1)
 +#define CD_IPS(x)        extract32((x)->word[1], 0 , 3)
 +#define CD_TBI(x)        extract32((x)->word[1], 6 , 2)
 +#define CD_HD(x)         extract32((x)->word[1], 10 , 1)
 +#define CD_HA(x)         extract32((x)->word[1], 11 , 1)
 +#define CD_S(x)          extract32((x)->word[1], 12, 1)
 +#define CD_R(x)          extract32((x)->word[1], 13, 1)
 +#define CD_A(x)          extract32((x)->word[1], 14, 1)
 +#define CD_AARCH64(x)    extract32((x)->word[1], 9 , 1)
 +
 +#define CDM_VALID(x)    ((x)->word[0] & 0x1)
 +
 +static inline int is_cd_valid(SMMUv3State *s, STE *ste, CD *cd)
 +{
 +    return CD_VALID(cd);
 +}
 +
 +/**
 + * tg2granule - Decodes the CD translation granule size field according
 + * to the ttbr in use
 + * @bits: TG0/1 fields
 + * @ttbr: ttbr index in use
 + */
 +static inline int tg2granule(int bits, int ttbr)
 +{
 +    switch (bits) {
 +    case 0:
 +        return ttbr ? 0  : 12;
 +    case 1:
 +        return ttbr ? 14 : 16;
 +    case 2:
 +        return ttbr ? 12 : 14;
 +    case 3:
 +        return ttbr ? 16 :  0;
 +    default:
 +        return 0;
 +    }
 +}
 +
-+static inline uint64_t l1std_l2ptr(STEDesc *desc)
++#define DEF_IMOP_32(NAME, NTYPE, MTYPE) \
-+{
++static uint64_t NAME(uint64_t n, uint64_t m, uint64_t a, uint8_t p, bool neg) \
-+    uint64_t hi, lo;
++{                                                                           \
-+
++    uint32_t sum0 = 0, sum1 = 0;                                            \
-+    hi = desc->word[1];
++    /* Apply P to N as a mask, making the inactive elements 0. */           \
-+    lo = desc->word[0] & ~0x1fULL;
++    n &= expand_pred_b(p);                                                  \
-+    return hi << 32 | lo;
++    sum0 += (NTYPE)(n >> 0) * (MTYPE)(m >> 0);                              \
 +    sum0 += (NTYPE)(n >> 8) * (MTYPE)(m >> 8);                              \
 +    sum0 += (NTYPE)(n >> 16) * (MTYPE)(m >> 16);                            \
 +    sum0 += (NTYPE)(n >> 24) * (MTYPE)(m >> 24);                            \
 +    sum1 += (NTYPE)(n >> 32) * (MTYPE)(m >> 32);                            \
 +    sum1 += (NTYPE)(n >> 40) * (MTYPE)(m >> 40);                            \
 +    sum1 += (NTYPE)(n >> 48) * (MTYPE)(m >> 48);                            \
 +    sum1 += (NTYPE)(n >> 56) * (MTYPE)(m >> 56);                            \
 +    if (neg) {                                                              \
 +        sum0 = (uint32_t)a - sum0, sum1 = (uint32_t)(a >> 32) - sum1;       \
 +    } else {                                                                \
 +        sum0 = (uint32_t)a + sum0, sum1 = (uint32_t)(a >> 32) + sum1;       \
 +    }                                                                       \
 +    return ((uint64_t)sum1 << 32) | sum0;                                   \
 +}
 +
-+#define L1STD_SPAN(stm) (extract32((stm)->word[0], 0, 4))
++#define DEF_IMOP_64(NAME, NTYPE, MTYPE) \
-+
++static uint64_t NAME(uint64_t n, uint64_t m, uint64_t a, uint8_t p, bool neg) \
- #endif
++{                                                                           \
-diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
++    uint64_t sum = 0;                                                       \
-index XXXXXXX..XXXXXXX 100644
++    /* Apply P to N as a mask, making the inactive elements 0. */           \
---- a/hw/arm/smmuv3.c
++    n &= expand_pred_h(p);                                                  \
-+++ b/hw/arm/smmuv3.c
++    sum += (NTYPE)(n >> 0) * (MTYPE)(m >> 0);                               \
-@@ -XXX,XX +XXX,XX @@ static void smmuv3_init_regs(SMMUv3State *s)
++    sum += (NTYPE)(n >> 16) * (MTYPE)(m >> 16);                             \
-     s->sid_split = 0;
++    sum += (NTYPE)(n >> 32) * (MTYPE)(m >> 32);                             \
- }
++    sum += (NTYPE)(n >> 48) * (MTYPE)(m >> 48);                             \
++    return neg ? a - sum : a + sum;                                         \
 +static int smmu_get_ste(SMMUv3State *s, dma_addr_t addr, STE *buf,
 +                        SMMUEventInfo *event)
 +{
 +    int ret;
 +
 +    trace_smmuv3_get_ste(addr);
 +    /* TODO: guarantee 64-bit single-copy atomicity */
 +    ret = dma_memory_read(&address_space_memory, addr,
 +                          (void *)buf, sizeof(*buf));
 +    if (ret != MEMTX_OK) {
 +        qemu_log_mask(LOG_GUEST_ERROR,
 +                      "Cannot fetch pte at address=0x%"PRIx64"\n", addr);
 +        event->type = SMMU_EVT_F_STE_FETCH;
 +        event->u.f_ste_fetch.addr = addr;
 +        return -EINVAL;
 +    }
 +    return 0;
 +
 +}
 +
-+/* @ssid > 0 not supported yet */
++DEF_IMOP_32(smopa_s, int8_t, int8_t)
-+static int smmu_get_cd(SMMUv3State *s, STE *ste, uint32_t ssid,
++DEF_IMOP_32(umopa_s, uint8_t, uint8_t)
-+                       CD *buf, SMMUEventInfo *event)
++DEF_IMOP_32(sumopa_s, int8_t, uint8_t)
-+{
++DEF_IMOP_32(usmopa_s, uint8_t, int8_t)
 +    dma_addr_t addr = STE_CTXPTR(ste);
 +    int ret;
 +
-+    trace_smmuv3_get_cd(addr);
++DEF_IMOP_64(smopa_d, int16_t, int16_t)
-+    /* TODO: guarantee 64-bit single-copy atomicity */
++DEF_IMOP_64(umopa_d, uint16_t, uint16_t)
-+    ret = dma_memory_read(&address_space_memory, addr,
++DEF_IMOP_64(sumopa_d, int16_t, uint16_t)
-+                           (void *)buf, sizeof(*buf));
++DEF_IMOP_64(usmopa_d, uint16_t, int16_t)
 +    if (ret != MEMTX_OK) {
 +        qemu_log_mask(LOG_GUEST_ERROR,
 +                      "Cannot fetch pte at address=0x%"PRIx64"\n", addr);
 +        event->type = SMMU_EVT_F_CD_FETCH;
 +        event->u.f_ste_fetch.addr = addr;
 +        return -EINVAL;
 +    }
 +    return 0;
 +}
 +
-+/* Returns <0 if the caller has no need to continue the translation */
++#define DEF_IMOPH(NAME) \
-+static int decode_ste(SMMUv3State *s, SMMUTransCfg *cfg,
++    void HELPER(sme_##NAME)(void *vza, void *vzn, void *vzm, void *vpn,      \
-+                      STE *ste, SMMUEventInfo *event)
++                            void *vpm, uint32_t desc)                        \
-+{
++    { do_imopa(vza, vzn, vzm, vpn, vpm, desc, NAME); }
 +    uint32_t config;
 +    int ret = -EINVAL;
 +
-+    if (!STE_VALID(ste)) {
++DEF_IMOPH(smopa_s)
-+        goto bad_ste;
++DEF_IMOPH(umopa_s)
-+    }
++DEF_IMOPH(sumopa_s)
 +DEF_IMOPH(usmopa_s)
 +DEF_IMOPH(smopa_d)
 +DEF_IMOPH(umopa_d)
 +DEF_IMOPH(sumopa_d)
 +DEF_IMOPH(usmopa_d)
 diff --git a/target/arm/translate-sme.c b/target/arm/translate-sme.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-sme.c
 +++ b/target/arm/translate-sme.c
@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(FMOPA_d, aa64_sme_f64f64, do_outprod_fpst, a, MO_64, gen_helper_sme_f
  /* TODO: FEAT_EBF16 */
  TRANS_FEAT(BFMOPA, aa64_sme, do_outprod, a, MO_32, gen_helper_sme_bfmopa)
 +
-+    config = STE_CONFIG(ste);
++TRANS_FEAT(SMOPA_s, aa64_sme, do_outprod, a, MO_32, gen_helper_sme_smopa_s)
 +TRANS_FEAT(UMOPA_s, aa64_sme, do_outprod, a, MO_32, gen_helper_sme_umopa_s)
 +TRANS_FEAT(SUMOPA_s, aa64_sme, do_outprod, a, MO_32, gen_helper_sme_sumopa_s)
 +TRANS_FEAT(USMOPA_s, aa64_sme, do_outprod, a, MO_32, gen_helper_sme_usmopa_s)
 +
-+    if (STE_CFG_ABORT(config)) {
++TRANS_FEAT(SMOPA_d, aa64_sme_i16i64, do_outprod, a, MO_64, gen_helper_sme_smopa_d)
-+        cfg->aborted = true; /* abort but don't record any event */
++TRANS_FEAT(UMOPA_d, aa64_sme_i16i64, do_outprod, a, MO_64, gen_helper_sme_umopa_d)
-+        return ret;
++TRANS_FEAT(SUMOPA_d, aa64_sme_i16i64, do_outprod, a, MO_64, gen_helper_sme_sumopa_d)
-+    }
++TRANS_FEAT(USMOPA_d, aa64_sme_i16i64, do_outprod, a, MO_64, gen_helper_sme_usmopa_d)
 +
 +    if (STE_CFG_BYPASS(config)) {
 +        cfg->bypassed = true;
 +        return ret;
 +    }
 +
 +    if (STE_CFG_S2_ENABLED(config)) {
 +        qemu_log_mask(LOG_UNIMP, "SMMUv3 does not support stage 2 yet\n");
 +        goto bad_ste;
 +    }
 +
 +    if (STE_S1CDMAX(ste) != 0) {
 +        qemu_log_mask(LOG_UNIMP,
 +                      "SMMUv3 does not support multiple context descriptors yet\n");
 +        goto bad_ste;
 +    }
 +
 +    if (STE_S1STALLD(ste)) {
 +        qemu_log_mask(LOG_UNIMP,
 +                      "SMMUv3 S1 stalling fault model not allowed yet\n");
 +        goto bad_ste;
 +    }
 +    return 0;
 +
 +bad_ste:
 +    event->type = SMMU_EVT_C_BAD_STE;
 +    return -EINVAL;
 +}
 +
 +/**
 + * smmu_find_ste - Return the stream table entry associated
 + * to the sid
 + *
 + * @s: smmuv3 handle
 + * @sid: stream ID
 + * @ste: returned stream table entry
 + * @event: handle to an event info
 + *
 + * Supports linear and 2-level stream table
 + * Return 0 on success, -EINVAL otherwise
 + */
 +static int smmu_find_ste(SMMUv3State *s, uint32_t sid, STE *ste,
 +                         SMMUEventInfo *event)
 +{
 +    dma_addr_t addr;
 +    int ret;
 +
 +    trace_smmuv3_find_ste(sid, s->features, s->sid_split);
 +    /* Check SID range */
 +    if (sid > (1 << SMMU_IDR1_SIDSIZE)) {
 +        event->type = SMMU_EVT_C_BAD_STREAMID;
 +        return -EINVAL;
 +    }
 +    if (s->features & SMMU_FEATURE_2LVL_STE) {
 +        int l1_ste_offset, l2_ste_offset, max_l2_ste, span;
 +        dma_addr_t strtab_base, l1ptr, l2ptr;
 +        STEDesc l1std;
 +
 +        strtab_base = s->strtab_base & SMMU_BASE_ADDR_MASK;
 +        l1_ste_offset = sid >> s->sid_split;
 +        l2_ste_offset = sid & ((1 << s->sid_split) - 1);
 +        l1ptr = (dma_addr_t)(strtab_base + l1_ste_offset * sizeof(l1std));
 +        /* TODO: guarantee 64-bit single-copy atomicity */
 +        ret = dma_memory_read(&address_space_memory, l1ptr,
 +                              (uint8_t *)&l1std, sizeof(l1std));
 +        if (ret != MEMTX_OK) {
 +            qemu_log_mask(LOG_GUEST_ERROR,
 +                          "Could not read L1PTR at 0X%"PRIx64"\n", l1ptr);
 +            event->type = SMMU_EVT_F_STE_FETCH;
 +            event->u.f_ste_fetch.addr = l1ptr;
 +            return -EINVAL;
 +        }
 +
 +        span = L1STD_SPAN(&l1std);
 +
 +        if (!span) {
 +            /* l2ptr is not valid */
 +            qemu_log_mask(LOG_GUEST_ERROR,
 +                          "invalid sid=%d (L1STD span=0)\n", sid);
 +            event->type = SMMU_EVT_C_BAD_STREAMID;
 +            return -EINVAL;
 +        }
 +        max_l2_ste = (1 << span) - 1;
 +        l2ptr = l1std_l2ptr(&l1std);
 +        trace_smmuv3_find_ste_2lvl(s->strtab_base, l1ptr, l1_ste_offset,
 +                                   l2ptr, l2_ste_offset, max_l2_ste);
 +        if (l2_ste_offset > max_l2_ste) {
 +            qemu_log_mask(LOG_GUEST_ERROR,
 +                          "l2_ste_offset=%d > max_l2_ste=%d\n",
 +                          l2_ste_offset, max_l2_ste);
 +            event->type = SMMU_EVT_C_BAD_STE;
 +            return -EINVAL;
 +        }
 +        addr = l2ptr + l2_ste_offset * sizeof(*ste);
 +    } else {
 +        addr = s->strtab_base + sid * sizeof(*ste);
 +    }
 +
 +    if (smmu_get_ste(s, addr, ste, event)) {
 +        return -EINVAL;
 +    }
 +
 +    return 0;
 +}
 +
 +static int decode_cd(SMMUTransCfg *cfg, CD *cd, SMMUEventInfo *event)
 +{
 +    int ret = -EINVAL;
 +    int i;
 +
 +    if (!CD_VALID(cd) || !CD_AARCH64(cd)) {
 +        goto bad_cd;
 +    }
 +    if (!CD_A(cd)) {
 +        goto bad_cd; /* SMMU_IDR0.TERM_MODEL == 1 */
 +    }
 +    if (CD_S(cd)) {
 +        goto bad_cd; /* !STE_SECURE && SMMU_IDR0.STALL_MODEL == 1 */
 +    }
 +    if (CD_HA(cd) || CD_HD(cd)) {
 +        goto bad_cd; /* HTTU = 0 */
 +    }
 +
 +    /* we support only those at the moment */
 +    cfg->aa64 = true;
 +    cfg->stage = 1;
 +
 +    cfg->oas = oas2bits(CD_IPS(cd));
 +    cfg->oas = MIN(oas2bits(SMMU_IDR5_OAS), cfg->oas);
 +    cfg->tbi = CD_TBI(cd);
 +    cfg->asid = CD_ASID(cd);
 +
 +    trace_smmuv3_decode_cd(cfg->oas);
 +
 +    /* decode data dependent on TT */
 +    for (i = 0; i <= 1; i++) {
 +        int tg, tsz;
 +        SMMUTransTableInfo *tt = &cfg->tt[i];
 +
 +        cfg->tt[i].disabled = CD_EPD(cd, i);
 +        if (cfg->tt[i].disabled) {
 +            continue;
 +        }
 +
 +        tsz = CD_TSZ(cd, i);
 +        if (tsz < 16 || tsz > 39) {
 +            goto bad_cd;
 +        }
 +
 +        tg = CD_TG(cd, i);
 +        tt->granule_sz = tg2granule(tg, i);
 +        if ((tt->granule_sz != 12 && tt->granule_sz != 16) || CD_ENDI(cd)) {
 +            goto bad_cd;
 +        }
 +
 +        tt->tsz = tsz;
 +        tt->ttb = CD_TTB(cd, i);
 +        if (tt->ttb & ~(MAKE_64BIT_MASK(0, cfg->oas))) {
 +            goto bad_cd;
 +        }
 +        trace_smmuv3_decode_cd_tt(i, tt->tsz, tt->ttb, tt->granule_sz);
 +    }
 +
 +    event->record_trans_faults = CD_R(cd);
 +
 +    return 0;
 +
 +bad_cd:
 +    event->type = SMMU_EVT_C_BAD_CD;
 +    return ret;
 +}
 +
 +/**
 + * smmuv3_decode_config - Prepare the translation configuration
 + * for the @mr iommu region
 + * @mr: iommu memory region the translation config must be prepared for
 + * @cfg: output translation configuration which is populated through
 + *       the different configuration decoding steps
 + * @event: must be zero'ed by the caller
 + *
 + * return < 0 if the translation needs to be aborted (@event is filled
 + * accordingly). Return 0 otherwise.
 + */
 +static int smmuv3_decode_config(IOMMUMemoryRegion *mr, SMMUTransCfg *cfg,
 +                                SMMUEventInfo *event)
 +{
 +    SMMUDevice *sdev = container_of(mr, SMMUDevice, iommu);
 +    uint32_t sid = smmu_get_sid(sdev);
 +    SMMUv3State *s = sdev->smmu;
 +    int ret = -EINVAL;
 +    STE ste;
 +    CD cd;
 +
 +    if (smmu_find_ste(s, sid, &ste, event)) {
 +        return ret;
 +    }
 +
 +    if (decode_ste(s, cfg, &ste, event)) {
 +        return ret;
 +    }
 +
 +    if (smmu_get_cd(s, &ste, 0 /* ssid */, &cd, event)) {
 +        return ret;
 +    }
 +
 +    return decode_cd(cfg, &cd, event);
 +}
 +
 +static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,
 +                                      IOMMUAccessFlags flag)
 +{
 +    SMMUDevice *sdev = container_of(mr, SMMUDevice, iommu);
 +    SMMUv3State *s = sdev->smmu;
 +    uint32_t sid = smmu_get_sid(sdev);
 +    SMMUEventInfo event = {.type = SMMU_EVT_OK, .sid = sid};
 +    SMMUPTWEventInfo ptw_info = {};
 +    SMMUTransCfg cfg = {};
 +    IOMMUTLBEntry entry = {
 +        .target_as = &address_space_memory,
 +        .iova = addr,
 +        .translated_addr = addr,
 +        .addr_mask = ~(hwaddr)0,
 +        .perm = IOMMU_NONE,
 +    };
 +    int ret = 0;
 +
 +    if (!smmu_enabled(s)) {
 +        goto out;
 +    }
 +
 +    ret = smmuv3_decode_config(mr, &cfg, &event);
 +    if (ret) {
 +        goto out;
 +    }
 +
 +    if (cfg.aborted) {
 +        goto out;
 +    }
 +
 +    ret = smmu_ptw(&cfg, addr, flag, &entry, &ptw_info);
 +    if (ret) {
 +        switch (ptw_info.type) {
 +        case SMMU_PTW_ERR_WALK_EABT:
 +            event.type = SMMU_EVT_F_WALK_EABT;
 +            event.u.f_walk_eabt.addr = addr;
 +            event.u.f_walk_eabt.rnw = flag & 0x1;
 +            event.u.f_walk_eabt.class = 0x1;
 +            event.u.f_walk_eabt.addr2 = ptw_info.addr;
 +            break;
 +        case SMMU_PTW_ERR_TRANSLATION:
 +            if (event.record_trans_faults) {
 +                event.type = SMMU_EVT_F_TRANSLATION;
 +                event.u.f_translation.addr = addr;
 +                event.u.f_translation.rnw = flag & 0x1;
 +            }
 +            break;
 +        case SMMU_PTW_ERR_ADDR_SIZE:
 +            if (event.record_trans_faults) {
 +                event.type = SMMU_EVT_F_ADDR_SIZE;
 +                event.u.f_addr_size.addr = addr;
 +                event.u.f_addr_size.rnw = flag & 0x1;
 +            }
 +            break;
 +        case SMMU_PTW_ERR_ACCESS:
 +            if (event.record_trans_faults) {
 +                event.type = SMMU_EVT_F_ACCESS;
 +                event.u.f_access.addr = addr;
 +                event.u.f_access.rnw = flag & 0x1;
 +            }
 +            break;
 +        case SMMU_PTW_ERR_PERMISSION:
 +            if (event.record_trans_faults) {
 +                event.type = SMMU_EVT_F_PERMISSION;
 +                event.u.f_permission.addr = addr;
 +                event.u.f_permission.rnw = flag & 0x1;
 +            }
 +            break;
 +        default:
 +            g_assert_not_reached();
 +        }
 +    }
 +out:
 +    if (ret) {
 +        qemu_log_mask(LOG_GUEST_ERROR,
 +                      "%s translation failed for iova=0x%"PRIx64"(%d)\n",
 +                      mr->parent_obj.name, addr, ret);
 +        entry.perm = IOMMU_NONE;
 +        smmuv3_record_event(s, &event);
 +    } else if (!cfg.aborted) {
 +        entry.perm = flag;
 +        trace_smmuv3_translate(mr->parent_obj.name, sid, addr,
 +                               entry.translated_addr, entry.perm);
 +    }
 +
 +    return entry;
 +}
 +
  static int smmuv3_cmdq_consume(SMMUv3State *s)
  {
      SMMUCmdError cmd_error = SMMU_CERROR_NONE;
@@ -XXX,XX +XXX,XX @@ static void smmuv3_class_init(ObjectClass *klass, void *data)
  static void smmuv3_iommu_memory_region_class_init(ObjectClass *klass,
                                                    void *data)
  {
 +    IOMMUMemoryRegionClass *imrc = IOMMU_MEMORY_REGION_CLASS(klass);
 +
 +    imrc->translate = smmuv3_translate;
  }
  static const TypeInfo smmuv3_type_info = {
 diff --git a/hw/arm/trace-events b/hw/arm/trace-events
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/trace-events
 +++ b/hw/arm/trace-events
@@ -XXX,XX +XXX,XX @@ smmuv3_write_mmio_idr(uint64_t addr, uint64_t val) "write to RO/Unimpl reg 0x%lx
  smmuv3_write_mmio_evtq_cons_bef_clear(uint32_t prod, uint32_t cons, uint8_t prod_wrap, uint8_t cons_wrap) "Before clearing interrupt prod:0x%x cons:0x%x prod.w:%d cons.w:%d"
  smmuv3_write_mmio_evtq_cons_after_clear(uint32_t prod, uint32_t cons, uint8_t prod_wrap, uint8_t cons_wrap) "after clearing interrupt prod:0x%x cons:0x%x prod.w:%d cons.w:%d"
  smmuv3_record_event(const char *type, uint32_t sid) "%s sid=%d"
 +smmuv3_find_ste(uint16_t sid, uint32_t features, uint16_t sid_split) "SID:0x%x features:0x%x, sid_split:0x%x"
 +smmuv3_find_ste_2lvl(uint64_t strtab_base, uint64_t l1ptr, int l1_ste_offset, uint64_t l2ptr, int l2_ste_offset, int max_l2_ste) "strtab_base:0x%lx l1ptr:0x%"PRIx64" l1_off:0x%x, l2ptr:0x%"PRIx64" l2_off:0x%x max_l2_ste:%d"
 +smmuv3_get_ste(uint64_t addr) "STE addr: 0x%"PRIx64
 +smmuv3_translate_bypass(const char *n, uint16_t sid, uint64_t addr, bool is_write) "%s sid=%d bypass iova:0x%"PRIx64" is_write=%d"
 +smmuv3_translate_in(uint16_t sid, int pci_bus_num, uint64_t strtab_base) "SID:0x%x bus:%d strtab_base:0x%"PRIx64
 +smmuv3_get_cd(uint64_t addr) "CD addr: 0x%"PRIx64
 +smmuv3_translate(const char *n, uint16_t sid, uint64_t iova, uint64_t translated, int perm) "%s sid=%d iova=0x%"PRIx64" translated=0x%"PRIx64" perm=0x%x"
 +smmuv3_decode_cd(uint32_t oas) "oas=%d"
 +smmuv3_decode_cd_tt(int i, uint32_t tsz, uint64_t ttb, uint32_t granule_sz) "TT[%d]:tsz:%d ttb:0x%"PRIx64" granule_sz:%d"
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 23/24] hw/arm/virt-acpi-build: Add smmuv3 node in IORT table
+[PULL 28/45] target/arm: Implement PSEL
-From: Prem Mallappa <prem.mallappa@broadcom.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-This patch builds the smmuv3 node in the ACPI IORT table.
+This is an SVE instruction that operates using the SVE vector
 length but that it is present only if SME is implemented.
-The RID space of the root complex, which spans 0x0-0x10000
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-maps to streamid space 0x0-0x10000 in smmuv3, which in turn
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-maps to deviceid space 0x0-0x10000 in the ITS group.
+Message-id: 20220708151540.18136-29-richard.henderson@linaro.org
 The guest must feature the IOMMU probe deferral series
 (https://lkml.org/lkml/2017/4/10/214) which fixes streamid
 multiple lookup. This bug is not related to the SMMU emulation.
 Signed-off-by: Prem Mallappa <prem.mallappa@broadcom.com>
 Signed-off-by: Eric Auger <eric.auger@redhat.com>
 Reviewed-by: Shannon Zhao <zhaoshenglong@huawei.com>
 Message-id: 1524665762-31355-14-git-send-email-eric.auger@redhat.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- include/hw/acpi/acpi-defs.h | 15 ++++++++++
+ target/arm/sve.decode      | 20 +++++++++++++
- hw/arm/virt-acpi-build.c    | 55 ++++++++++++++++++++++++++++++++-----
+ target/arm/translate-sve.c | 57 ++++++++++++++++++++++++++++++++++++++
-files changed, 63 insertions(+), 7 deletions(-)
+files changed, 77 insertions(+)
-diff --git a/include/hw/acpi/acpi-defs.h b/include/hw/acpi/acpi-defs.h
+diff --git a/target/arm/sve.decode b/target/arm/sve.decode
 index XXXXXXX..XXXXXXX 100644
---- a/include/hw/acpi/acpi-defs.h
+--- a/target/arm/sve.decode
-+++ b/include/hw/acpi/acpi-defs.h
++++ b/target/arm/sve.decode
-@@ -XXX,XX +XXX,XX @@ struct AcpiIortItsGroup {
+@@ -XXX,XX +XXX,XX @@ BFMLALT_zzxw    01100100 11 1 ..... 0100.1 ..... .....     @rrxr_3a esz=2
- } QEMU_PACKED;
- typedef struct AcpiIortItsGroup AcpiIortItsGroup;
+ ### SVE2 floating-point bfloat16 dot-product (indexed)
+ BFDOT_zzxz      01100100 01 1 ..... 010000 ..... .....     @rrxr_2 esz=2
 +struct AcpiIortSmmu3 {
 +    ACPI_IORT_NODE_HEADER_DEF
 +    uint64_t base_address;
 +    uint32_t flags;
 +    uint32_t reserved2;
 +    uint64_t vatos_address;
 +    uint32_t model;
 +    uint32_t event_gsiv;
 +    uint32_t pri_gsiv;
 +    uint32_t gerr_gsiv;
 +    uint32_t sync_gsiv;
 +    AcpiIortIdMapping id_mapping_array[0];
 +} QEMU_PACKED;
 +typedef struct AcpiIortSmmu3 AcpiIortSmmu3;
 +
- struct AcpiIortRC {
++### SVE broadcast predicate element
-     ACPI_IORT_NODE_HEADER_DEF
++
-     AcpiIortMemoryAccess memory_properties;
++&psel           esz pd pn pm rv imm
-diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c
++%psel_rv        16:2 !function=plus_12
 +%psel_imm_b     22:2 19:2
 +%psel_imm_h     22:2 20:1
 +%psel_imm_s     22:2
 +%psel_imm_d     23:1
 +@psel           ........ .. . ... .. .. pn:4 . pm:4 . pd:4  \
 +                &psel rv=%psel_rv
 +
 +PSEL            00100101 .. 1 ..1 .. 01 .... 0 .... 0 ....  \
 +                @psel esz=0 imm=%psel_imm_b
 +PSEL            00100101 .. 1 .10 .. 01 .... 0 .... 0 ....  \
 +                @psel esz=1 imm=%psel_imm_h
 +PSEL            00100101 .. 1 100 .. 01 .... 0 .... 0 ....  \
 +                @psel esz=2 imm=%psel_imm_s
 +PSEL            00100101 .1 1 000 .. 01 .... 0 .... 0 ....  \
 +                @psel esz=3 imm=%psel_imm_d
 diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/virt-acpi-build.c
+--- a/target/arm/translate-sve.c
-+++ b/hw/arm/virt-acpi-build.c
++++ b/target/arm/translate-sve.c
-@@ -XXX,XX +XXX,XX @@ build_rsdp(GArray *rsdp_table, BIOSLinker *linker, unsigned xsdt_tbl_offset)
+@@ -XXX,XX +XXX,XX @@ static bool do_BFMLAL_zzxw(DisasContext *s, arg_rrxr_esz *a, bool sel)
- }
+ TRANS_FEAT(BFMLALB_zzxw, aa64_sve_bf16, do_BFMLAL_zzxw, a, false)
- static void
+ TRANS_FEAT(BFMLALT_zzxw, aa64_sve_bf16, do_BFMLAL_zzxw, a, true)
--build_iort(GArray *table_data, BIOSLinker *linker)
++
-+build_iort(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
++static bool trans_PSEL(DisasContext *s, arg_psel *a)
- {
++{
--    int iort_start = table_data->len;
++    int vl = vec_full_reg_size(s);
-+    int nb_nodes, iort_start = table_data->len;
++    int pl = pred_gvec_reg_size(s);
-     AcpiIortIdMapping *idmap;
++    int elements = vl >> a->esz;
-     AcpiIortItsGroup *its;
++    TCGv_i64 tmp, didx, dbit;
-     AcpiIortTable *iort;
++    TCGv_ptr ptr;
--    size_t node_size, iort_length;
++
-+    AcpiIortSmmu3 *smmu;
++    if (!dc_isar_feature(aa64_sme, s)) {
-+    size_t node_size, iort_length, smmu_offset = 0;
++        return false;
-     AcpiIortRC *rc;
++    }
++    if (!sve_access_check(s)) {
-     iort = acpi_data_push(table_data, sizeof(*iort));
++        return true;
 +    if (vms->iommu == VIRT_IOMMU_SMMUV3) {
 +        nb_nodes = 3; /* RC, ITS, SMMUv3 */
 +    } else {
 +        nb_nodes = 2; /* RC, ITS */
 +    }
 +
-     iort_length = sizeof(*iort);
++    tmp = tcg_temp_new_i64();
--    iort->node_count = cpu_to_le32(2); /* RC and ITS nodes */
++    dbit = tcg_temp_new_i64();
-+    iort->node_count = cpu_to_le32(nb_nodes);
++    didx = tcg_temp_new_i64();
-     iort->node_offset = cpu_to_le32(sizeof(*iort));
++    ptr = tcg_temp_new_ptr();
      /* ITS group node */
@@ -XXX,XX +XXX,XX @@ build_iort(GArray *table_data, BIOSLinker *linker)
      its->its_count = cpu_to_le32(1);
      its->identifiers[0] = 0; /* MADT translation_id */
 +    if (vms->iommu == VIRT_IOMMU_SMMUV3) {
 +        int irq =  vms->irqmap[VIRT_SMMU];
 +
-+        /* SMMUv3 node */
++    /* Compute the predicate element. */
-+        smmu_offset = iort->node_offset + node_size;
++    tcg_gen_addi_i64(tmp, cpu_reg(s, a->rv), a->imm);
-+        node_size = sizeof(*smmu) + sizeof(*idmap);
++    if (is_power_of_2(elements)) {
-+        iort_length += node_size;
++        tcg_gen_andi_i64(tmp, tmp, elements - 1);
-+        smmu = acpi_data_push(table_data, node_size);
++    } else {
-+
++        tcg_gen_remu_i64(tmp, tmp, tcg_constant_i64(elements));
 +        smmu->type = ACPI_IORT_NODE_SMMU_V3;
 +        smmu->length = cpu_to_le16(node_size);
 +        smmu->mapping_count = cpu_to_le32(1);
 +        smmu->mapping_offset = cpu_to_le32(sizeof(*smmu));
 +        smmu->base_address = cpu_to_le64(vms->memmap[VIRT_SMMU].base);
 +        smmu->event_gsiv = cpu_to_le32(irq);
 +        smmu->pri_gsiv = cpu_to_le32(irq + 1);
 +        smmu->gerr_gsiv = cpu_to_le32(irq + 2);
 +        smmu->sync_gsiv = cpu_to_le32(irq + 3);
 +
 +        /* Identity RID mapping covering the whole input RID range */
 +        idmap = &smmu->id_mapping_array[0];
 +        idmap->input_base = 0;
 +        idmap->id_count = cpu_to_le32(0xFFFF);
 +        idmap->output_base = 0;
 +        /* output IORT node is the ITS group node (the first node) */
 +        idmap->output_reference = cpu_to_le32(iort->node_offset);
 +    }
 +
-     /* Root Complex Node */
++    /* Extract the predicate byte and bit indices. */
-     node_size = sizeof(*rc) + sizeof(*idmap);
++    tcg_gen_shli_i64(tmp, tmp, a->esz);
-     iort_length += node_size;
++    tcg_gen_andi_i64(dbit, tmp, 7);
-@@ -XXX,XX +XXX,XX @@ build_iort(GArray *table_data, BIOSLinker *linker)
++    tcg_gen_shri_i64(didx, tmp, 3);
-     idmap->input_base = 0;
++    if (HOST_BIG_ENDIAN) {
-     idmap->id_count = cpu_to_le32(0xFFFF);
++        tcg_gen_xori_i64(didx, didx, 7);
-     idmap->output_base = 0;
++    }
 -    /* output IORT node is the ITS group node (the first node) */
 -    idmap->output_reference = cpu_to_le32(iort->node_offset);
 +
-+    if (vms->iommu == VIRT_IOMMU_SMMUV3) {
++    /* Load the predicate word. */
-+        /* output IORT node is the smmuv3 node */
++    tcg_gen_trunc_i64_ptr(ptr, didx);
-+        idmap->output_reference = cpu_to_le32(smmu_offset);
++    tcg_gen_add_ptr(ptr, ptr, cpu_env);
-+    } else {
++    tcg_gen_ld8u_i64(tmp, ptr, pred_full_reg_offset(s, a->pm));
-+        /* output IORT node is the ITS group node (the first node) */
++
-+        idmap->output_reference = cpu_to_le32(iort->node_offset);
++    /* Extract the predicate bit and replicate to MO_64. */
-+    }
++    tcg_gen_shr_i64(tmp, tmp, dbit);
++    tcg_gen_andi_i64(tmp, tmp, 1);
-     iort->length = cpu_to_le32(iort_length);
++    tcg_gen_neg_i64(tmp, tmp);
++
-@@ -XXX,XX +XXX,XX @@ void virt_acpi_build(VirtMachineState *vms, AcpiBuildTables *tables)
++    /* Apply to either copy the source, or write zeros. */
++    tcg_gen_gvec_ands(MO_64, pred_full_reg_offset(s, a->pd),
-     if (its_class_name() && !vmc->no_its) {
++                      pred_full_reg_offset(s, a->pn), tmp, pl, pl);
-         acpi_add_table(table_offsets, tables_blob);
++
--        build_iort(tables_blob, tables->linker);
++    tcg_temp_free_i64(tmp);
-+        build_iort(tables_blob, tables->linker, vms);
++    tcg_temp_free_i64(dbit);
-     }
++    tcg_temp_free_i64(didx);
++    tcg_temp_free_ptr(ptr);
-     /* XSDT is pointed to by RSDP */
++    return true;
 +}
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 04/24] hw/usb/tusb6010: Convert away from old_mmio
+[PULL 29/45] target/arm: Implement REVD
-Convert the tusb6010 device away from using the old_mmio field
+From: Richard Henderson <richard.henderson@linaro.org>
 of MemoryRegionOps. This device is used only in the n800 and n810
 boards.
+This is an SVE instruction that operates using the SVE vector
+length but that it is present only if SME is implemented.
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220708151540.18136-30-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180427173611.10281-2-peter.maydell@linaro.org
 ---
- hw/usb/tusb6010.c | 40 ++++++++++++++++++++++++++++++++++++----
+ target/arm/helper-sve.h    |  2 ++
-file changed, 36 insertions(+), 4 deletions(-)
+ target/arm/sve.decode      |  1 +
  target/arm/sve_helper.c    | 16 ++++++++++++++++
  target/arm/translate-sve.c |  2 ++
 files changed, 21 insertions(+)
-diff --git a/hw/usb/tusb6010.c b/hw/usb/tusb6010.c
+diff --git a/target/arm/helper-sve.h b/target/arm/helper-sve.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/usb/tusb6010.c
+--- a/target/arm/helper-sve.h
-+++ b/hw/usb/tusb6010.c
++++ b/target/arm/helper-sve.h
-@@ -XXX,XX +XXX,XX @@ static void tusb_async_writew(void *opaque, hwaddr addr,
+@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_4(sve_revh_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
-     }
- }
+ DEF_HELPER_FLAGS_4(sve_revw_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
-+static uint64_t tusb_async_readfn(void *opaque, hwaddr addr, unsigned size)
++DEF_HELPER_FLAGS_4(sme_revd_q, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 +
  DEF_HELPER_FLAGS_4(sve_rbit_b, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
  DEF_HELPER_FLAGS_4(sve_rbit_h, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
  DEF_HELPER_FLAGS_4(sve_rbit_s, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 diff --git a/target/arm/sve.decode b/target/arm/sve.decode
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/sve.decode
 +++ b/target/arm/sve.decode
@@ -XXX,XX +XXX,XX @@ REVB            00000101 .. 1001 00 100 ... ..... .....         @rd_pg_rn
  REVH            00000101 .. 1001 01 100 ... ..... .....         @rd_pg_rn
  REVW            00000101 .. 1001 10 100 ... ..... .....         @rd_pg_rn
  RBIT            00000101 .. 1001 11 100 ... ..... .....         @rd_pg_rn
 +REVD            00000101 00 1011 10 100 ... ..... .....         @rd_pg_rn_e0
  # SVE vector splice (predicated, destructive)
  SPLICE          00000101 .. 101 100 100 ... ..... .....         @rdn_pg_rm
 diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/sve_helper.c
 +++ b/target/arm/sve_helper.c
@@ -XXX,XX +XXX,XX @@ DO_ZPZ_D(sve_revh_d, uint64_t, hswap64)
  DO_ZPZ_D(sve_revw_d, uint64_t, wswap64)
 +void HELPER(sme_revd_q)(void *vd, void *vn, void *vg, uint32_t desc)
 +{
-+    switch (size) {
++    intptr_t i, opr_sz = simd_oprsz(desc) / 8;
-+    case 1:
++    uint64_t *d = vd, *n = vn;
-+        return tusb_async_readb(opaque, addr);
++    uint8_t *pg = vg;
-+    case 2:
++
-+        return tusb_async_readh(opaque, addr);
++    for (i = 0; i < opr_sz; i += 2) {
-+    case 4:
++        if (pg[H1(i)] & 1) {
-+        return tusb_async_readw(opaque, addr);
++            uint64_t n0 = n[i + 0];
-+    default:
++            uint64_t n1 = n[i + 1];
-+        g_assert_not_reached();
++            d[i + 0] = n1;
 +            d[i + 1] = n0;
 +        }
 +    }
 +}
 +
-+static void tusb_async_writefn(void *opaque, hwaddr addr,
+ DO_ZPZ(sve_rbit_b, uint8_t, H1, revbit8)
-+                               uint64_t value, unsigned size)
+ DO_ZPZ(sve_rbit_h, uint16_t, H1_2, revbit16)
-+{
+ DO_ZPZ(sve_rbit_s, uint32_t, H1_4, revbit32)
-+    switch (size) {
+diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
-+    case 1:
+index XXXXXXX..XXXXXXX 100644
-+        tusb_async_writeb(opaque, addr, value);
+--- a/target/arm/translate-sve.c
-+        break;
++++ b/target/arm/translate-sve.c
-+    case 2:
+@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(REVH, aa64_sve, gen_gvec_ool_arg_zpz, revh_fns[a->esz], a, 0)
-+        tusb_async_writeh(opaque, addr, value);
+ TRANS_FEAT(REVW, aa64_sve, gen_gvec_ool_arg_zpz,
-+        break;
+            a->esz == 3 ? gen_helper_sve_revw_d : NULL, a, 0)
-+    case 4:
-+        tusb_async_writew(opaque, addr, value);
++TRANS_FEAT(REVD, aa64_sme, gen_gvec_ool_arg_zpz, gen_helper_sme_revd_q, a, 0)
 +        break;
 +    default:
 +        g_assert_not_reached();
 +    }
 +}
 +
- static const MemoryRegionOps tusb_async_ops = {
+ TRANS_FEAT(SPLICE, aa64_sve, gen_gvec_ool_arg_zpzz,
--    .old_mmio = {
+            gen_helper_sve_splice, a, a->esz)
 -        .read = { tusb_async_readb, tusb_async_readh, tusb_async_readw, },
 -        .write =  { tusb_async_writeb, tusb_async_writeh, tusb_async_writew, },
 -    },
 +    .read = tusb_async_readfn,
 +    .write = tusb_async_writefn,
 +    .valid.min_access_size = 1,
 +    .valid.max_access_size = 4,
      .endianness = DEVICE_NATIVE_ENDIAN,
  };
 --
-.17.0
+.25.1

-New patch
+[PULL 30/45] target/arm: Implement SCLAMP, UCLAMP
+From: Richard Henderson <richard.henderson@linaro.org>
+This is an SVE instruction that operates using the SVE vector
+length but that it is present only if SME is implemented.
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220708151540.18136-31-richard.henderson@linaro.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/helper.h        |  18 +++++++
+ target/arm/sve.decode      |   5 ++
+ target/arm/translate-sve.c | 102 +++++++++++++++++++++++++++++++++++++
+ target/arm/vec_helper.c    |  24 +++++++++
+files changed, 149 insertions(+)
+diff --git a/target/arm/helper.h b/target/arm/helper.h
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/helper.h
++++ b/target/arm/helper.h
+@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_6(gvec_bfmlal, TCG_CALL_NO_RWG,
+ DEF_HELPER_FLAGS_6(gvec_bfmlal_idx, TCG_CALL_NO_RWG,
+                    void, ptr, ptr, ptr, ptr, ptr, i32)
++DEF_HELPER_FLAGS_5(gvec_sclamp_b, TCG_CALL_NO_RWG,
++                   void, ptr, ptr, ptr, ptr, i32)
++DEF_HELPER_FLAGS_5(gvec_sclamp_h, TCG_CALL_NO_RWG,
++                   void, ptr, ptr, ptr, ptr, i32)
++DEF_HELPER_FLAGS_5(gvec_sclamp_s, TCG_CALL_NO_RWG,
++                   void, ptr, ptr, ptr, ptr, i32)
++DEF_HELPER_FLAGS_5(gvec_sclamp_d, TCG_CALL_NO_RWG,
++                   void, ptr, ptr, ptr, ptr, i32)
++
++DEF_HELPER_FLAGS_5(gvec_uclamp_b, TCG_CALL_NO_RWG,
++                   void, ptr, ptr, ptr, ptr, i32)
++DEF_HELPER_FLAGS_5(gvec_uclamp_h, TCG_CALL_NO_RWG,
++                   void, ptr, ptr, ptr, ptr, i32)
++DEF_HELPER_FLAGS_5(gvec_uclamp_s, TCG_CALL_NO_RWG,
++                   void, ptr, ptr, ptr, ptr, i32)
++DEF_HELPER_FLAGS_5(gvec_uclamp_d, TCG_CALL_NO_RWG,
++                   void, ptr, ptr, ptr, ptr, i32)
++
+ #ifdef TARGET_AARCH64
+ #include "helper-a64.h"
+ #include "helper-sve.h"
+diff --git a/target/arm/sve.decode b/target/arm/sve.decode
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/sve.decode
++++ b/target/arm/sve.decode
+@@ -XXX,XX +XXX,XX @@ PSEL            00100101 .. 1 100 .. 01 .... 0 .... 0 ....  \
+                 @psel esz=2 imm=%psel_imm_s
+ PSEL            00100101 .1 1 000 .. 01 .... 0 .... 0 ....  \
+                 @psel esz=3 imm=%psel_imm_d
++
++### SVE clamp
++
++SCLAMP          01000100 .. 0 ..... 110000 ..... .....          @rda_rn_rm
++UCLAMP          01000100 .. 0 ..... 110001 ..... .....          @rda_rn_rm
+diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/translate-sve.c
++++ b/target/arm/translate-sve.c
+@@ -XXX,XX +XXX,XX @@ static bool trans_PSEL(DisasContext *s, arg_psel *a)
+     tcg_temp_free_ptr(ptr);
+     return true;
+ }
++
++static void gen_sclamp_i32(TCGv_i32 d, TCGv_i32 n, TCGv_i32 m, TCGv_i32 a)
++{
++    tcg_gen_smax_i32(d, a, n);
++    tcg_gen_smin_i32(d, d, m);
++}
++
++static void gen_sclamp_i64(TCGv_i64 d, TCGv_i64 n, TCGv_i64 m, TCGv_i64 a)
++{
++    tcg_gen_smax_i64(d, a, n);
++    tcg_gen_smin_i64(d, d, m);
++}
++
++static void gen_sclamp_vec(unsigned vece, TCGv_vec d, TCGv_vec n,
++                           TCGv_vec m, TCGv_vec a)
++{
++    tcg_gen_smax_vec(vece, d, a, n);
++    tcg_gen_smin_vec(vece, d, d, m);
++}
++
++static void gen_sclamp(unsigned vece, uint32_t d, uint32_t n, uint32_t m,
++                       uint32_t a, uint32_t oprsz, uint32_t maxsz)
++{
++    static const TCGOpcode vecop[] = {
++        INDEX_op_smin_vec, INDEX_op_smax_vec, 0
++    };
++    static const GVecGen4 ops[4] = {
++        { .fniv = gen_sclamp_vec,
++          .fno  = gen_helper_gvec_sclamp_b,
++          .opt_opc = vecop,
++          .vece = MO_8 },
++        { .fniv = gen_sclamp_vec,
++          .fno  = gen_helper_gvec_sclamp_h,
++          .opt_opc = vecop,
++          .vece = MO_16 },
++        { .fni4 = gen_sclamp_i32,
++          .fniv = gen_sclamp_vec,
++          .fno  = gen_helper_gvec_sclamp_s,
++          .opt_opc = vecop,
++          .vece = MO_32 },
++        { .fni8 = gen_sclamp_i64,
++          .fniv = gen_sclamp_vec,
++          .fno  = gen_helper_gvec_sclamp_d,
++          .opt_opc = vecop,
++          .vece = MO_64,
++          .prefer_i64 = TCG_TARGET_REG_BITS == 64 }
++    };
++    tcg_gen_gvec_4(d, n, m, a, oprsz, maxsz, &ops[vece]);
++}
++
++TRANS_FEAT(SCLAMP, aa64_sme, gen_gvec_fn_arg_zzzz, gen_sclamp, a)
++
++static void gen_uclamp_i32(TCGv_i32 d, TCGv_i32 n, TCGv_i32 m, TCGv_i32 a)
++{
++    tcg_gen_umax_i32(d, a, n);
++    tcg_gen_umin_i32(d, d, m);
++}
++
++static void gen_uclamp_i64(TCGv_i64 d, TCGv_i64 n, TCGv_i64 m, TCGv_i64 a)
++{
++    tcg_gen_umax_i64(d, a, n);
++    tcg_gen_umin_i64(d, d, m);
++}
++
++static void gen_uclamp_vec(unsigned vece, TCGv_vec d, TCGv_vec n,
++                           TCGv_vec m, TCGv_vec a)
++{
++    tcg_gen_umax_vec(vece, d, a, n);
++    tcg_gen_umin_vec(vece, d, d, m);
++}
++
++static void gen_uclamp(unsigned vece, uint32_t d, uint32_t n, uint32_t m,
++                       uint32_t a, uint32_t oprsz, uint32_t maxsz)
++{
++    static const TCGOpcode vecop[] = {
++        INDEX_op_umin_vec, INDEX_op_umax_vec, 0
++    };
++    static const GVecGen4 ops[4] = {
++        { .fniv = gen_uclamp_vec,
++          .fno  = gen_helper_gvec_uclamp_b,
++          .opt_opc = vecop,
++          .vece = MO_8 },
++        { .fniv = gen_uclamp_vec,
++          .fno  = gen_helper_gvec_uclamp_h,
++          .opt_opc = vecop,
++          .vece = MO_16 },
++        { .fni4 = gen_uclamp_i32,
++          .fniv = gen_uclamp_vec,
++          .fno  = gen_helper_gvec_uclamp_s,
++          .opt_opc = vecop,
++          .vece = MO_32 },
++        { .fni8 = gen_uclamp_i64,
++          .fniv = gen_uclamp_vec,
++          .fno  = gen_helper_gvec_uclamp_d,
++          .opt_opc = vecop,
++          .vece = MO_64,
++          .prefer_i64 = TCG_TARGET_REG_BITS == 64 }
++    };
++    tcg_gen_gvec_4(d, n, m, a, oprsz, maxsz, &ops[vece]);
++}
++
++TRANS_FEAT(UCLAMP, aa64_sme, gen_gvec_fn_arg_zzzz, gen_uclamp, a)
+diff --git a/target/arm/vec_helper.c b/target/arm/vec_helper.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/vec_helper.c
++++ b/target/arm/vec_helper.c
+@@ -XXX,XX +XXX,XX @@ void HELPER(gvec_bfmlal_idx)(void *vd, void *vn, void *vm,
+     }
+     clear_tail(d, opr_sz, simd_maxsz(desc));
+ }
++
++#define DO_CLAMP(NAME, TYPE) \
++void HELPER(NAME)(void *d, void *n, void *m, void *a, uint32_t desc)    \
++{                                                                       \
++    intptr_t i, opr_sz = simd_oprsz(desc);                              \
++    for (i = 0; i < opr_sz; i += sizeof(TYPE)) {                        \
++        TYPE aa = *(TYPE *)(a + i);                                     \
++        TYPE nn = *(TYPE *)(n + i);                                     \
++        TYPE mm = *(TYPE *)(m + i);                                     \
++        TYPE dd = MIN(MAX(aa, nn), mm);                                 \
++        *(TYPE *)(d + i) = dd;                                          \
++    }                                                                   \
++    clear_tail(d, opr_sz, simd_maxsz(desc));                            \
++}
++
++DO_CLAMP(gvec_sclamp_b, int8_t)
++DO_CLAMP(gvec_sclamp_h, int16_t)
++DO_CLAMP(gvec_sclamp_s, int32_t)
++DO_CLAMP(gvec_sclamp_d, int64_t)
++
++DO_CLAMP(gvec_uclamp_b, uint8_t)
++DO_CLAMP(gvec_uclamp_h, uint16_t)
++DO_CLAMP(gvec_uclamp_s, uint32_t)
++DO_CLAMP(gvec_uclamp_d, uint64_t)
+--
+.25.1

-[Qemu-devel] [PULL 02/24] target/arm: Correct MPUIR privilege level in register_cp_regs_for_features() conditional case
+[PULL 31/45] target/arm: Reset streaming sve state on exception boundaries
-From: Mathew Maidment <mathew1800@gmail.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-The duplication of id_tlbtr_reginfo was unintentionally added within
+We can handle both exception entry and exception return by
-af8114c6b8ead02f08b58e3c36895c1ea047 which should have been
+hooking into aarch64_sve_change_el.
 id_mpuir_reginfo.
-The effect was that for OMAP and StrongARM CPUs we would
-incorrectly UNDEF writes to MPUIR rather than NOPing them.
-Signed-off-by: Mathew Maidment <mathew1800@gmail.com>
-Message-id: 20180501184933.37609-2-mathew1800@gmail.com
-[PMM: tweak commit message]
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220708151540.18136-32-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/helper.c | 2 +-
+ target/arm/helper.c | 15 +++++++++++++--
-file changed, 1 insertion(+), 1 deletion(-)
+file changed, 13 insertions(+), 2 deletions(-)
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
+@@ -XXX,XX +XXX,XX @@ void aarch64_sve_change_el(CPUARMState *env, int old_el,
-             for (r = id_cp_reginfo; r->type != ARM_CP_SENTINEL; r++) {
+         return;
-                 r->access = PL1_RW;
+     }
-             }
--            id_tlbtr_reginfo.access = PL1_RW;
++    old_a64 = old_el ? arm_el_is_aa64(env, old_el) : el0_a64;
-+            id_mpuir_reginfo.access = PL1_RW;
++    new_a64 = new_el ? arm_el_is_aa64(env, new_el) : el0_a64;
-             id_tlbtr_reginfo.access = PL1_RW;
++
-         }
++    /*
-         if (arm_feature(env, ARM_FEATURE_V8)) {
++     * Both AArch64.TakeException and AArch64.ExceptionReturn
 +     * invoke ResetSVEState when taking an exception from, or
 +     * returning to, AArch32 state when PSTATE.SM is enabled.
 +     */
 +    if (old_a64 != new_a64 && FIELD_EX64(env->svcr, SVCR, SM)) {
 +        arm_reset_sve_state(env);
 +        return;
 +    }
 +
      /*
       * DDI0584A.d sec 3.2: "If SVE instructions are disabled or trapped
       * at ELx, or not available because the EL is in AArch32 state, then
@@ -XXX,XX +XXX,XX @@ void aarch64_sve_change_el(CPUARMState *env, int old_el,
       * we already have the correct register contents when encountering the
       * vq0->vq0 transition between EL0->EL1.
       */
 -    old_a64 = old_el ? arm_el_is_aa64(env, old_el) : el0_a64;
      old_len = (old_a64 && !sve_exception_el(env, old_el)
                 ? sve_vqm1_for_el(env, old_el) : 0);
 -    new_a64 = new_el ? arm_el_is_aa64(env, new_el) : el0_a64;
      new_len = (new_a64 && !sve_exception_el(env, new_el)
                 ? sve_vqm1_for_el(env, new_el) : 0);
 --
-.17.0
+.25.1

-New patch
+[PULL 32/45] target/arm: Enable SME for -cpu max
+From: Richard Henderson <richard.henderson@linaro.org>
+Note that SME remains effectively disabled for user-only,
+because we do not yet set CPACR_EL1.SMEN.  This needs to
+wait until the kernel ABI is implemented.
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220708151540.18136-33-richard.henderson@linaro.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ docs/system/arm/emulation.rst |  4 ++++
+ target/arm/cpu64.c            | 11 +++++++++++
+files changed, 15 insertions(+)
+diff --git a/docs/system/arm/emulation.rst b/docs/system/arm/emulation.rst
+index XXXXXXX..XXXXXXX 100644
+--- a/docs/system/arm/emulation.rst
++++ b/docs/system/arm/emulation.rst
+@@ -XXX,XX +XXX,XX @@ the following architecture extensions:
+ - FEAT_SHA512 (Advanced SIMD SHA512 instructions)
+ - FEAT_SM3 (Advanced SIMD SM3 instructions)
+ - FEAT_SM4 (Advanced SIMD SM4 instructions)
++- FEAT_SME (Scalable Matrix Extension)
++- FEAT_SME_FA64 (Full A64 instruction set in Streaming SVE mode)
++- FEAT_SME_F64F64 (Double-precision floating-point outer product instructions)
++- FEAT_SME_I16I64 (16-bit to 64-bit integer widening outer product instructions)
+ - FEAT_SPECRES (Speculation restriction instructions)
+ - FEAT_SSBS (Speculative Store Bypass Safe)
+ - FEAT_TLBIOS (TLB invalidate instructions in Outer Shareable domain)
+diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/cpu64.c
++++ b/target/arm/cpu64.c
+@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
+      */
+     t = FIELD_DP64(t, ID_AA64PFR1, MTE, 3);       /* FEAT_MTE3 */
+     t = FIELD_DP64(t, ID_AA64PFR1, RAS_FRAC, 0);  /* FEAT_RASv1p1 + FEAT_DoubleFault */
++    t = FIELD_DP64(t, ID_AA64PFR1, SME, 1);       /* FEAT_SME */
+     t = FIELD_DP64(t, ID_AA64PFR1, CSV2_FRAC, 0); /* FEAT_CSV2_2 */
+     cpu->isar.id_aa64pfr1 = t;
+@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
+     t = FIELD_DP64(t, ID_AA64DFR0, PMUVER, 5);    /* FEAT_PMUv3p4 */
+     cpu->isar.id_aa64dfr0 = t;
++    t = cpu->isar.id_aa64smfr0;
++    t = FIELD_DP64(t, ID_AA64SMFR0, F32F32, 1);   /* FEAT_SME */
++    t = FIELD_DP64(t, ID_AA64SMFR0, B16F32, 1);   /* FEAT_SME */
++    t = FIELD_DP64(t, ID_AA64SMFR0, F16F32, 1);   /* FEAT_SME */
++    t = FIELD_DP64(t, ID_AA64SMFR0, I8I32, 0xf);  /* FEAT_SME */
++    t = FIELD_DP64(t, ID_AA64SMFR0, F64F64, 1);   /* FEAT_SME_F64F64 */
++    t = FIELD_DP64(t, ID_AA64SMFR0, I16I64, 0xf); /* FEAT_SME_I16I64 */
++    t = FIELD_DP64(t, ID_AA64SMFR0, FA64, 1);     /* FEAT_SME_FA64 */
++    cpu->isar.id_aa64smfr0 = t;
++
+     /* Replicate the same data to the 32-bit id registers.  */
+     aa32_max_features(cpu);
+--
+.25.1

-New patch
+[PULL 33/45] linux-user/aarch64: Clear tpidr2_el0 if CLONE_SETTLS
+From: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220708151540.18136-34-richard.henderson@linaro.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ linux-user/aarch64/target_cpu.h | 5 ++++-
+file changed, 4 insertions(+), 1 deletion(-)
+diff --git a/linux-user/aarch64/target_cpu.h b/linux-user/aarch64/target_cpu.h
+index XXXXXXX..XXXXXXX 100644
+--- a/linux-user/aarch64/target_cpu.h
++++ b/linux-user/aarch64/target_cpu.h
+@@ -XXX,XX +XXX,XX @@ static inline void cpu_clone_regs_parent(CPUARMState *env, unsigned flags)
+ static inline void cpu_set_tls(CPUARMState *env, target_ulong newtls)
+ {
+-    /* Note that AArch64 Linux keeps the TLS pointer in TPIDR; this is
++    /*
++     * Note that AArch64 Linux keeps the TLS pointer in TPIDR; this is
+      * different from AArch32 Linux, which uses TPIDRRO.
+      */
+     env->cp15.tpidr_el[0] = newtls;
++    /* TPIDR2_EL0 is cleared with CLONE_SETTLS. */
++    env->cp15.tpidr2_el0 = 0;
+ }
+ static inline abi_ulong get_sp_from_cpustate(CPUARMState *state)
+--
+.25.1

-New patch
+[PULL 34/45] linux-user/aarch64: Reset PSTATE.SM on syscalls
+From: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220708151540.18136-35-richard.henderson@linaro.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ linux-user/aarch64/cpu_loop.c | 9 +++++++++
+file changed, 9 insertions(+)
+diff --git a/linux-user/aarch64/cpu_loop.c b/linux-user/aarch64/cpu_loop.c
+index XXXXXXX..XXXXXXX 100644
+--- a/linux-user/aarch64/cpu_loop.c
++++ b/linux-user/aarch64/cpu_loop.c
+@@ -XXX,XX +XXX,XX @@ void cpu_loop(CPUARMState *env)
+         switch (trapnr) {
+         case EXCP_SWI:
++            /*
++             * On syscall, PSTATE.ZA is preserved, along with the ZA matrix.
++             * PSTATE.SM is cleared, per SMSTOP, which does ResetSVEState.
++             */
++            if (FIELD_EX64(env->svcr, SVCR, SM)) {
++                env->svcr = FIELD_DP64(env->svcr, SVCR, SM, 0);
++                arm_rebuild_hflags(env);
++                arm_reset_sve_state(env);
++            }
+             ret = do_syscall(env,
+                              env->xregs[8],
+                              env->xregs[0],
+--
+.25.1

-New patch
+[PULL 35/45] linux-user/aarch64: Add SM bit to SVE signal context
+From: Richard Henderson <richard.henderson@linaro.org>
+Make sure to zero the currently reserved fields.
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220708151540.18136-36-richard.henderson@linaro.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ linux-user/aarch64/signal.c | 9 ++++++++-
+file changed, 8 insertions(+), 1 deletion(-)
+diff --git a/linux-user/aarch64/signal.c b/linux-user/aarch64/signal.c
+index XXXXXXX..XXXXXXX 100644
+--- a/linux-user/aarch64/signal.c
++++ b/linux-user/aarch64/signal.c
+@@ -XXX,XX +XXX,XX @@ struct target_extra_context {
+ struct target_sve_context {
+     struct target_aarch64_ctx head;
+     uint16_t vl;
+-    uint16_t reserved[3];
++    uint16_t flags;
++    uint16_t reserved[2];
+     /* The actual SVE data immediately follows.  It is laid out
+      * according to TARGET_SVE_SIG_{Z,P}REG_OFFSET, based off of
+      * the original struct pointer.
+@@ -XXX,XX +XXX,XX @@ struct target_sve_context {
+ #define TARGET_SVE_SIG_CONTEXT_SIZE(VQ) \
+     (TARGET_SVE_SIG_PREG_OFFSET(VQ, 17))
++#define TARGET_SVE_SIG_FLAG_SM  1
++
+ struct target_rt_sigframe {
+     struct target_siginfo info;
+     struct target_ucontext uc;
+@@ -XXX,XX +XXX,XX @@ static void target_setup_sve_record(struct target_sve_context *sve,
+ {
+     int i, j;
++    memset(sve, 0, sizeof(*sve));
+     __put_user(TARGET_SVE_MAGIC, &sve->head.magic);
+     __put_user(size, &sve->head.size);
+     __put_user(vq * TARGET_SVE_VQ_BYTES, &sve->vl);
++    if (FIELD_EX64(env->svcr, SVCR, SM)) {
++        __put_user(TARGET_SVE_SIG_FLAG_SM, &sve->flags);
++    }
+     /* Note that SVE regs are stored as a byte stream, with each byte element
+      * at a subsequent address.  This corresponds to a little-endian store
+--
+.25.1

-[Qemu-devel] [PULL 07/24] target/arm: Tidy conditions in handle_vec_simd_shri
+[PULL 36/45] linux-user/aarch64: Tidy target_restore_sigframe error return
 From: Richard Henderson <richard.henderson@linaro.org>
-The (size > 3 && !is_q) condition is identical to the preceeding test
+Fold the return value setting into the goto, so each
-of bit 3 in immh; eliminate it.  For the benefit of Coverity, assert
+point of failure need not do both.
 that size is within the bounds we expect.
-Fixes: Coverity CID1385846
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Fixes: Coverity CID1385849
 Fixes: Coverity CID1385852
 Fixes: Coverity CID1385857
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Message-id: 20220708151540.18136-37-richard.henderson@linaro.org
 Message-id: 20180501180455.11214-2-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/translate-a64.c | 6 +-----
+ linux-user/aarch64/signal.c | 26 +++++++++++---------------
-file changed, 1 insertion(+), 5 deletions(-)
+file changed, 11 insertions(+), 15 deletions(-)
-diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
+diff --git a/linux-user/aarch64/signal.c b/linux-user/aarch64/signal.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-a64.c
+--- a/linux-user/aarch64/signal.c
-+++ b/target/arm/translate-a64.c
++++ b/linux-user/aarch64/signal.c
-@@ -XXX,XX +XXX,XX @@ static void handle_vec_simd_shri(DisasContext *s, bool is_q, bool is_u,
+@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
-         unallocated_encoding(s);
+     struct target_sve_context *sve = NULL;
-         return;
+     uint64_t extra_datap = 0;
      bool used_extra = false;
 -    bool err = false;
      int vq = 0, sve_size = 0;
      target_restore_general_frame(env, sf);
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
          switch (magic) {
          case 0:
              if (size != 0) {
 -                err = true;
 -                goto exit;
 +                goto err;
              }
              if (used_extra) {
                  ctx = NULL;
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
          case TARGET_FPSIMD_MAGIC:
              if (fpsimd || size != sizeof(struct target_fpsimd_context)) {
 -                err = true;
 -                goto exit;
 +                goto err;
              }
              fpsimd = (struct target_fpsimd_context *)ctx;
              break;
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
                      break;
                  }
              }
 -            err = true;
 -            goto exit;
 +            goto err;
          case TARGET_EXTRA_MAGIC:
              if (extra || size != sizeof(struct target_extra_context)) {
 -                err = true;
 -                goto exit;
 +                goto err;
              }
              __get_user(extra_datap,
                         &((struct target_extra_context *)ctx)->datap);
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
              /* Unknown record -- we certainly didn't generate it.
               * Did we in fact get out of sync?
               */
 -            err = true;
 -            goto exit;
 +            goto err;
          }
          ctx = (void *)ctx + size;
      }
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
      if (fpsimd) {
          target_restore_fpsimd_record(env, fpsimd);
      } else {
 -        err = true;
 +        goto err;
      }
      /* SVE data, if present, overwrites FPSIMD data.  */
      if (sve) {
          target_restore_sve_record(env, sve, vq);
      }
 -
--    if (size > 3 && !is_q) {
+- exit:
--        unallocated_encoding(s);
+     unlock_user(extra, extra_datap, 0);
--        return;
+-    return err;
--    }
++    return 0;
-+    tcg_debug_assert(size <= 3);
++
++ err:
-     if (!fp_access_check(s)) {
++    unlock_user(extra, extra_datap, 0);
-         return;
++    return 1;
  }
  static abi_ulong get_sigframe(struct target_sigaction *ka,
 --
-.17.0
+.25.1

-New patch
+[PULL 37/45] linux-user/aarch64: Do not allow duplicate or short sve records
+From: Richard Henderson <richard.henderson@linaro.org>
+In parse_user_sigframe, the kernel rejects duplicate sve records,
+or records that are smaller than the header.  We were silently
+allowing these cases to pass, dropping the record.
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220708151540.18136-38-richard.henderson@linaro.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ linux-user/aarch64/signal.c | 5 ++++-
+file changed, 4 insertions(+), 1 deletion(-)
+diff --git a/linux-user/aarch64/signal.c b/linux-user/aarch64/signal.c
+index XXXXXXX..XXXXXXX 100644
+--- a/linux-user/aarch64/signal.c
++++ b/linux-user/aarch64/signal.c
+@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
+             break;
+         case TARGET_SVE_MAGIC:
++            if (sve || size < sizeof(struct target_sve_context)) {
++                goto err;
++            }
+             if (cpu_isar_feature(aa64_sve, env_archcpu(env))) {
+                 vq = sve_vq(env);
+                 sve_size = QEMU_ALIGN_UP(TARGET_SVE_SIG_CONTEXT_SIZE(vq), 16);
+-                if (!sve && size == sve_size) {
++                if (size == sve_size) {
+                     sve = (struct target_sve_context *)ctx;
+                     break;
+                 }
+--
+.25.1

-New patch
+[PULL 38/45] linux-user/aarch64: Verify extra record lock succeeded
+From: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220708151540.18136-39-richard.henderson@linaro.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ linux-user/aarch64/signal.c | 3 +++
+file changed, 3 insertions(+)
+diff --git a/linux-user/aarch64/signal.c b/linux-user/aarch64/signal.c
+index XXXXXXX..XXXXXXX 100644
+--- a/linux-user/aarch64/signal.c
++++ b/linux-user/aarch64/signal.c
+@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
+             __get_user(extra_size,
+                        &((struct target_extra_context *)ctx)->size);
+             extra = lock_user(VERIFY_READ, extra_datap, extra_size, 0);
++            if (!extra) {
++                return 1;
++            }
+             break;
+         default:
+--
+.25.1

-[Qemu-devel] [PULL 18/24] hw/arm/smmuv3: Event queue recording helper
+[PULL 39/45] linux-user/aarch64: Move sve record checks into restore
-From: Eric Auger <eric.auger@redhat.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-Let's introduce a helper function aiming at recording an
+Move the checks out of the parsing loop and into the
-event in the event queue.
+restore function.  This more closely mirrors the code
 structure in the kernel, and is slightly clearer.
-Signed-off-by: Eric Auger <eric.auger@redhat.com>
+Reject rather than silently skip incorrect VL and SVE record sizes,
 bringing our checks in to line with those the kernel does.
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 1524665762-31355-9-git-send-email-eric.auger@redhat.com
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20220708151540.18136-40-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/smmuv3-internal.h | 148 ++++++++++++++++++++++++++++++++++++++-
+ linux-user/aarch64/signal.c | 51 +++++++++++++++++++++++++------------
- hw/arm/smmuv3.c          | 108 ++++++++++++++++++++++++++--
+file changed, 35 insertions(+), 16 deletions(-)
  hw/arm/trace-events      |   1 +
 files changed, 249 insertions(+), 8 deletions(-)
-diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h
+diff --git a/linux-user/aarch64/signal.c b/linux-user/aarch64/signal.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmuv3-internal.h
+--- a/linux-user/aarch64/signal.c
-+++ b/hw/arm/smmuv3-internal.h
++++ b/linux-user/aarch64/signal.c
-@@ -XXX,XX +XXX,XX @@ static inline void smmu_write_cmdq_err(SMMUv3State *s, uint32_t err_type)
+@@ -XXX,XX +XXX,XX @@ static void target_restore_fpsimd_record(CPUARMState *env,
-     s->cmdq.cons = FIELD_DP32(s->cmdq.cons, CMDQ_CONS, ERR, err_type);
+     }
  }
--void smmuv3_write_eventq(SMMUv3State *s, Evt *evt);
+-static void target_restore_sve_record(CPUARMState *env,
--
+-                                      struct target_sve_context *sve, int vq)
- /* Commands */
++static bool target_restore_sve_record(CPUARMState *env,
++                                      struct target_sve_context *sve,
- typedef enum SMMUCommandType {
++                                      int size)
@@ -XXX,XX +XXX,XX @@ enum { /* Command completion notification */
  #define SMMU_FEATURE_2LVL_STE (1 << 0)
 +/* Events */
 +
 +typedef enum SMMUEventType {
 +    SMMU_EVT_OK                 = 0x00,
 +    SMMU_EVT_F_UUT                    ,
 +    SMMU_EVT_C_BAD_STREAMID           ,
 +    SMMU_EVT_F_STE_FETCH              ,
 +    SMMU_EVT_C_BAD_STE                ,
 +    SMMU_EVT_F_BAD_ATS_TREQ           ,
 +    SMMU_EVT_F_STREAM_DISABLED        ,
 +    SMMU_EVT_F_TRANS_FORBIDDEN        ,
 +    SMMU_EVT_C_BAD_SUBSTREAMID        ,
 +    SMMU_EVT_F_CD_FETCH               ,
 +    SMMU_EVT_C_BAD_CD                 ,
 +    SMMU_EVT_F_WALK_EABT              ,
 +    SMMU_EVT_F_TRANSLATION      = 0x10,
 +    SMMU_EVT_F_ADDR_SIZE              ,
 +    SMMU_EVT_F_ACCESS                 ,
 +    SMMU_EVT_F_PERMISSION             ,
 +    SMMU_EVT_F_TLB_CONFLICT     = 0x20,
 +    SMMU_EVT_F_CFG_CONFLICT           ,
 +    SMMU_EVT_E_PAGE_REQ         = 0x24,
 +} SMMUEventType;
 +
 +static const char *event_stringify[] = {
 +    [SMMU_EVT_OK]                       = "SMMU_EVT_OK",
 +    [SMMU_EVT_F_UUT]                    = "SMMU_EVT_F_UUT",
 +    [SMMU_EVT_C_BAD_STREAMID]           = "SMMU_EVT_C_BAD_STREAMID",
 +    [SMMU_EVT_F_STE_FETCH]              = "SMMU_EVT_F_STE_FETCH",
 +    [SMMU_EVT_C_BAD_STE]                = "SMMU_EVT_C_BAD_STE",
 +    [SMMU_EVT_F_BAD_ATS_TREQ]           = "SMMU_EVT_F_BAD_ATS_TREQ",
 +    [SMMU_EVT_F_STREAM_DISABLED]        = "SMMU_EVT_F_STREAM_DISABLED",
 +    [SMMU_EVT_F_TRANS_FORBIDDEN]        = "SMMU_EVT_F_TRANS_FORBIDDEN",
 +    [SMMU_EVT_C_BAD_SUBSTREAMID]        = "SMMU_EVT_C_BAD_SUBSTREAMID",
 +    [SMMU_EVT_F_CD_FETCH]               = "SMMU_EVT_F_CD_FETCH",
 +    [SMMU_EVT_C_BAD_CD]                 = "SMMU_EVT_C_BAD_CD",
 +    [SMMU_EVT_F_WALK_EABT]              = "SMMU_EVT_F_WALK_EABT",
 +    [SMMU_EVT_F_TRANSLATION]            = "SMMU_EVT_F_TRANSLATION",
 +    [SMMU_EVT_F_ADDR_SIZE]              = "SMMU_EVT_F_ADDR_SIZE",
 +    [SMMU_EVT_F_ACCESS]                 = "SMMU_EVT_F_ACCESS",
 +    [SMMU_EVT_F_PERMISSION]             = "SMMU_EVT_F_PERMISSION",
 +    [SMMU_EVT_F_TLB_CONFLICT]           = "SMMU_EVT_F_TLB_CONFLICT",
 +    [SMMU_EVT_F_CFG_CONFLICT]           = "SMMU_EVT_F_CFG_CONFLICT",
 +    [SMMU_EVT_E_PAGE_REQ]               = "SMMU_EVT_E_PAGE_REQ",
 +};
 +
 +static inline const char *smmu_event_string(SMMUEventType type)
 +{
 +    if (type < ARRAY_SIZE(event_stringify)) {
 +        return event_stringify[type] ? event_stringify[type] : "UNKNOWN";
 +    } else {
 +        return "INVALID";
 +    }
 +}
 +
 +/*  Encode an event record */
 +typedef struct SMMUEventInfo {
 +    SMMUEventType type;
 +    uint32_t sid;
 +    bool recorded;
 +    bool record_trans_faults;
 +    union {
 +        struct {
 +            uint32_t ssid;
 +            bool ssv;
 +            dma_addr_t addr;
 +            bool rnw;
 +            bool pnu;
 +            bool ind;
 +       } f_uut;
 +       struct SSIDInfo {
 +            uint32_t ssid;
 +            bool ssv;
 +       } c_bad_streamid;
 +       struct SSIDAddrInfo {
 +            uint32_t ssid;
 +            bool ssv;
 +            dma_addr_t addr;
 +       } f_ste_fetch;
 +       struct SSIDInfo c_bad_ste;
 +       struct {
 +            dma_addr_t addr;
 +            bool rnw;
 +       } f_transl_forbidden;
 +       struct {
 +            uint32_t ssid;
 +       } c_bad_substream;
 +       struct SSIDAddrInfo f_cd_fetch;
 +       struct SSIDInfo c_bad_cd;
 +       struct FullInfo {
 +            bool stall;
 +            uint16_t stag;
 +            uint32_t ssid;
 +            bool ssv;
 +            bool s2;
 +            dma_addr_t addr;
 +            bool rnw;
 +            bool pnu;
 +            bool ind;
 +            uint8_t class;
 +            dma_addr_t addr2;
 +       } f_walk_eabt;
 +       struct FullInfo f_translation;
 +       struct FullInfo f_addr_size;
 +       struct FullInfo f_access;
 +       struct FullInfo f_permission;
 +       struct SSIDInfo f_cfg_conflict;
 +       /**
 +        * not supported yet:
 +        * F_BAD_ATS_TREQ
 +        * F_BAD_ATS_TREQ
 +        * F_TLB_CONFLICT
 +        * E_PAGE_REQUEST
 +        * IMPDEF_EVENTn
 +        */
 +    } u;
 +} SMMUEventInfo;
 +
 +/* EVTQ fields */
 +
 +#define EVT_Q_OVERFLOW        (1 << 31)
 +
 +#define EVT_SET_TYPE(x, v)              deposit32((x)->word[0], 0 , 8 , v)
 +#define EVT_SET_SSV(x, v)               deposit32((x)->word[0], 11, 1 , v)
 +#define EVT_SET_SSID(x, v)              deposit32((x)->word[0], 12, 20, v)
 +#define EVT_SET_SID(x, v)               ((x)->word[1] = v)
 +#define EVT_SET_STAG(x, v)              deposit32((x)->word[2], 0 , 16, v)
 +#define EVT_SET_STALL(x, v)             deposit32((x)->word[2], 31, 1 , v)
 +#define EVT_SET_PNU(x, v)               deposit32((x)->word[3], 1 , 1 , v)
 +#define EVT_SET_IND(x, v)               deposit32((x)->word[3], 2 , 1 , v)
 +#define EVT_SET_RNW(x, v)               deposit32((x)->word[3], 3 , 1 , v)
 +#define EVT_SET_S2(x, v)                deposit32((x)->word[3], 7 , 1 , v)
 +#define EVT_SET_CLASS(x, v)             deposit32((x)->word[3], 8 , 2 , v)
 +#define EVT_SET_ADDR(x, addr)                             \
 +    do {                                                  \
 +            (x)->word[5] = (uint32_t)(addr >> 32);        \
 +            (x)->word[4] = (uint32_t)(addr & 0xffffffff); \
 +    } while (0)
 +#define EVT_SET_ADDR2(x, addr)                            \
 +    do {                                                  \
 +            deposit32((x)->word[7], 3, 29, addr >> 16);   \
 +            deposit32((x)->word[7], 0, 16, addr & 0xffff);\
 +    } while (0)
 +
 +void smmuv3_record_event(SMMUv3State *s, SMMUEventInfo *event);
 +
  #endif
 diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/smmuv3.c
 +++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@ static MemTxResult queue_write(SMMUQueue *q, void *data)
      return MEMTX_OK;
  }
 -void smmuv3_write_eventq(SMMUv3State *s, Evt *evt)
 +static MemTxResult smmuv3_write_eventq(SMMUv3State *s, Evt *evt)
  {
-     SMMUQueue *q = &s->eventq;
+-    int i, j;
-+    MemTxResult r;
++    int i, j, vl, vq;
-+
-+    if (!smmuv3_eventq_enabled(s)) {
+-    /* Note that SVE regs are stored as a byte stream, with each byte element
-+        return MEMTX_ERROR;
++    if (!cpu_isar_feature(aa64_sve, env_archcpu(env))) {
 +        return false;
 +    }
 +
-+    if (smmuv3_q_full(q)) {
++    __get_user(vl, &sve->vl);
-+        return MEMTX_ERROR;
++    vq = sve_vq(env);
 +
 +    /* Reject mismatched VL. */
 +    if (vl != vq * TARGET_SVE_VQ_BYTES) {
 +        return false;
 +    }
 +
-+    r = queue_write(q, evt);
++    /* Accept empty record -- used to clear PSTATE.SM. */
-+    if (r != MEMTX_OK) {
++    if (size <= sizeof(*sve)) {
-+        return r;
++        return true;
 +    }
 +
-+    if (smmuv3_q_empty(q)) {
++    /* Reject non-empty but incomplete record. */
-+        smmuv3_trigger_irq(s, SMMU_IRQ_EVTQ, 0);
++    if (size < TARGET_SVE_SIG_CONTEXT_SIZE(vq)) {
 +        return false;
 +    }
-+    return MEMTX_OK;
-+}
 +
-+void smmuv3_record_event(SMMUv3State *s, SMMUEventInfo *info)
++    /*
-+{
++     * Note that SVE regs are stored as a byte stream, with each byte element
-+    Evt evt;
+      * at a subsequent address.  This corresponds to a little-endian load
-+    MemTxResult r;
+      * of our 64-bit hunks.
+      */
-     if (!smmuv3_eventq_enabled(s)) {
+@@ -XXX,XX +XXX,XX @@ static void target_restore_sve_record(CPUARMState *env,
-         return;
+             }
          }
      }
++    return true;
--    if (smmuv3_q_full(q)) {
+ }
-+    EVT_SET_TYPE(&evt, info->type);
-+    EVT_SET_SID(&evt, info->sid);
+ static int target_restore_sigframe(CPUARMState *env,
-+
+@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
-+    switch (info->type) {
+     struct target_sve_context *sve = NULL;
-+    case SMMU_EVT_OK:
+     uint64_t extra_datap = 0;
-         return;
+     bool used_extra = false;
-+    case SMMU_EVT_F_UUT:
+-    int vq = 0, sve_size = 0;
-+        EVT_SET_SSID(&evt, info->u.f_uut.ssid);
++    int sve_size = 0;
-+        EVT_SET_SSV(&evt,  info->u.f_uut.ssv);
-+        EVT_SET_ADDR(&evt, info->u.f_uut.addr);
+     target_restore_general_frame(env, sf);
-+        EVT_SET_RNW(&evt,  info->u.f_uut.rnw);
-+        EVT_SET_PNU(&evt,  info->u.f_uut.pnu);
+@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
-+        EVT_SET_IND(&evt,  info->u.f_uut.ind);
+             if (sve || size < sizeof(struct target_sve_context)) {
-+        break;
+                 goto err;
-+    case SMMU_EVT_C_BAD_STREAMID:
+             }
-+        EVT_SET_SSID(&evt, info->u.c_bad_streamid.ssid);
+-            if (cpu_isar_feature(aa64_sve, env_archcpu(env))) {
-+        EVT_SET_SSV(&evt,  info->u.c_bad_streamid.ssv);
+-                vq = sve_vq(env);
-+        break;
+-                sve_size = QEMU_ALIGN_UP(TARGET_SVE_SIG_CONTEXT_SIZE(vq), 16);
-+    case SMMU_EVT_F_STE_FETCH:
+-                if (size == sve_size) {
-+        EVT_SET_SSID(&evt, info->u.f_ste_fetch.ssid);
+-                    sve = (struct target_sve_context *)ctx;
-+        EVT_SET_SSV(&evt,  info->u.f_ste_fetch.ssv);
+-                    break;
-+        EVT_SET_ADDR(&evt, info->u.f_ste_fetch.addr);
+-                }
-+        break;
+-            }
-+    case SMMU_EVT_C_BAD_STE:
+-            goto err;
-+        EVT_SET_SSID(&evt, info->u.c_bad_ste.ssid);
++            sve = (struct target_sve_context *)ctx;
-+        EVT_SET_SSV(&evt,  info->u.c_bad_ste.ssv);
++            sve_size = size;
-+        break;
++            break;
-+    case SMMU_EVT_F_STREAM_DISABLED:
-+        break;
+         case TARGET_EXTRA_MAGIC:
-+    case SMMU_EVT_F_TRANS_FORBIDDEN:
+             if (extra || size != sizeof(struct target_extra_context)) {
-+        EVT_SET_ADDR(&evt, info->u.f_transl_forbidden.addr);
+@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
 +        EVT_SET_RNW(&evt, info->u.f_transl_forbidden.rnw);
 +        break;
 +    case SMMU_EVT_C_BAD_SUBSTREAMID:
 +        EVT_SET_SSID(&evt, info->u.c_bad_substream.ssid);
 +        break;
 +    case SMMU_EVT_F_CD_FETCH:
 +        EVT_SET_SSID(&evt, info->u.f_cd_fetch.ssid);
 +        EVT_SET_SSV(&evt,  info->u.f_cd_fetch.ssv);
 +        EVT_SET_ADDR(&evt, info->u.f_cd_fetch.addr);
 +        break;
 +    case SMMU_EVT_C_BAD_CD:
 +        EVT_SET_SSID(&evt, info->u.c_bad_cd.ssid);
 +        EVT_SET_SSV(&evt,  info->u.c_bad_cd.ssv);
 +        break;
 +    case SMMU_EVT_F_WALK_EABT:
 +    case SMMU_EVT_F_TRANSLATION:
 +    case SMMU_EVT_F_ADDR_SIZE:
 +    case SMMU_EVT_F_ACCESS:
 +    case SMMU_EVT_F_PERMISSION:
 +        EVT_SET_STALL(&evt, info->u.f_walk_eabt.stall);
 +        EVT_SET_STAG(&evt, info->u.f_walk_eabt.stag);
 +        EVT_SET_SSID(&evt, info->u.f_walk_eabt.ssid);
 +        EVT_SET_SSV(&evt, info->u.f_walk_eabt.ssv);
 +        EVT_SET_S2(&evt, info->u.f_walk_eabt.s2);
 +        EVT_SET_ADDR(&evt, info->u.f_walk_eabt.addr);
 +        EVT_SET_RNW(&evt, info->u.f_walk_eabt.rnw);
 +        EVT_SET_PNU(&evt, info->u.f_walk_eabt.pnu);
 +        EVT_SET_IND(&evt, info->u.f_walk_eabt.ind);
 +        EVT_SET_CLASS(&evt, info->u.f_walk_eabt.class);
 +        EVT_SET_ADDR2(&evt, info->u.f_walk_eabt.addr2);
 +        break;
 +    case SMMU_EVT_F_CFG_CONFLICT:
 +        EVT_SET_SSID(&evt, info->u.f_cfg_conflict.ssid);
 +        EVT_SET_SSV(&evt,  info->u.f_cfg_conflict.ssv);
 +        break;
 +    /* rest is not implemented */
 +    case SMMU_EVT_F_BAD_ATS_TREQ:
 +    case SMMU_EVT_F_TLB_CONFLICT:
 +    case SMMU_EVT_E_PAGE_REQ:
 +    default:
 +        g_assert_not_reached();
      }
--    queue_write(q, evt);
+     /* SVE data, if present, overwrites FPSIMD data.  */
--
+-    if (sve) {
--    if (smmuv3_q_empty(q)) {
+-        target_restore_sve_record(env, sve, vq);
--        smmuv3_trigger_irq(s, SMMU_IRQ_EVTQ, 0);
++    if (sve && !target_restore_sve_record(env, sve, sve_size)) {
-+    trace_smmuv3_record_event(smmu_event_string(info->type), info->sid);
++        goto err;
 +    r = smmuv3_write_eventq(s, &evt);
 +    if (r != MEMTX_OK) {
 +        smmuv3_trigger_irq(s, SMMU_IRQ_GERROR, R_GERROR_EVENTQ_ABT_ERR_MASK);
      }
-+    info->recorded = true;
+     unlock_user(extra, extra_datap, 0);
- }
+     return 0;
  static void smmuv3_init_regs(SMMUv3State *s)
 diff --git a/hw/arm/trace-events b/hw/arm/trace-events
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/trace-events
 +++ b/hw/arm/trace-events
@@ -XXX,XX +XXX,XX @@ smmuv3_write_mmio(uint64_t addr, uint64_t val, unsigned size, uint32_t r) "addr:
  smmuv3_write_mmio_idr(uint64_t addr, uint64_t val) "write to RO/Unimpl reg 0x%lx val64:0x%lx"
  smmuv3_write_mmio_evtq_cons_bef_clear(uint32_t prod, uint32_t cons, uint8_t prod_wrap, uint8_t cons_wrap) "Before clearing interrupt prod:0x%x cons:0x%x prod.w:%d cons.w:%d"
  smmuv3_write_mmio_evtq_cons_after_clear(uint32_t prod, uint32_t cons, uint8_t prod_wrap, uint8_t cons_wrap) "after clearing interrupt prod:0x%x cons:0x%x prod.w:%d cons.w:%d"
 +smmuv3_record_event(const char *type, uint32_t sid) "%s sid=%d"
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 20/24] hw/arm/smmuv3: Abort on vfio or vhost case
+[PULL 40/45] linux-user/aarch64: Implement SME signal handling
-From: Eric Auger <eric.auger@redhat.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-At the moment, the SMMUv3 does not support notification on
+Set the SM bit in the SVE record on signal delivery, create the ZA record.
-TLB invalidation. So let's log an error as soon as such notifier
+Restore SM and ZA state according to the records present on return.
 gets enabled.
-Signed-off-by: Eric Auger <eric.auger@redhat.com>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 1524665762-31355-11-git-send-email-eric.auger@redhat.com
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20220708151540.18136-41-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/smmuv3.c | 11 +++++++++++
+ linux-user/aarch64/signal.c | 167 +++++++++++++++++++++++++++++++++---
-file changed, 11 insertions(+)
+file changed, 154 insertions(+), 13 deletions(-)
-diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
+diff --git a/linux-user/aarch64/signal.c b/linux-user/aarch64/signal.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/smmuv3.c
+--- a/linux-user/aarch64/signal.c
-+++ b/hw/arm/smmuv3.c
++++ b/linux-user/aarch64/signal.c
-@@ -XXX,XX +XXX,XX @@ static void smmuv3_class_init(ObjectClass *klass, void *data)
+@@ -XXX,XX +XXX,XX @@ struct target_sve_context {
-     dc->realize = smmu_realize;
  #define TARGET_SVE_SIG_FLAG_SM  1
 +#define TARGET_ZA_MAGIC        0x54366345
 +
 +struct target_za_context {
 +    struct target_aarch64_ctx head;
 +    uint16_t vl;
 +    uint16_t reserved[3];
 +    /* The actual ZA data immediately follows. */
 +};
 +
 +#define TARGET_ZA_SIG_REGS_OFFSET \
 +    QEMU_ALIGN_UP(sizeof(struct target_za_context), TARGET_SVE_VQ_BYTES)
 +#define TARGET_ZA_SIG_ZAV_OFFSET(VQ, N) \
 +    (TARGET_ZA_SIG_REGS_OFFSET + (VQ) * TARGET_SVE_VQ_BYTES * (N))
 +#define TARGET_ZA_SIG_CONTEXT_SIZE(VQ) \
 +    TARGET_ZA_SIG_ZAV_OFFSET(VQ, VQ * TARGET_SVE_VQ_BYTES)
 +
  struct target_rt_sigframe {
      struct target_siginfo info;
      struct target_ucontext uc;
@@ -XXX,XX +XXX,XX @@ static void target_setup_end_record(struct target_aarch64_ctx *end)
  }
-+static void smmuv3_notify_flag_changed(IOMMUMemoryRegion *iommu,
+ static void target_setup_sve_record(struct target_sve_context *sve,
-+                                       IOMMUNotifierFlag old,
+-                                    CPUARMState *env, int vq, int size)
-+                                       IOMMUNotifierFlag new)
++                                    CPUARMState *env, int size)
  {
 -    int i, j;
 +    int i, j, vq = sve_vq(env);
      memset(sve, 0, sizeof(*sve));
      __put_user(TARGET_SVE_MAGIC, &sve->head.magic);
@@ -XXX,XX +XXX,XX @@ static void target_setup_sve_record(struct target_sve_context *sve,
      }
  }
 +static void target_setup_za_record(struct target_za_context *za,
 +                                   CPUARMState *env, int size)
 +{
-+    if (old == IOMMU_NOTIFIER_NONE) {
++    int vq = sme_vq(env);
-+        warn_report("SMMUV3 does not support vhost/vfio integration yet: "
++    int vl = vq * TARGET_SVE_VQ_BYTES;
-+                    "devices of those types will not function properly");
++    int i, j;
 +
 +    memset(za, 0, sizeof(*za));
 +    __put_user(TARGET_ZA_MAGIC, &za->head.magic);
 +    __put_user(size, &za->head.size);
 +    __put_user(vl, &za->vl);
 +
 +    if (size == TARGET_ZA_SIG_CONTEXT_SIZE(0)) {
 +        return;
 +    }
 +    assert(size == TARGET_ZA_SIG_CONTEXT_SIZE(vq));
 +
 +    /*
 +     * Note that ZA vectors are stored as a byte stream,
 +     * with each byte element at a subsequent address.
 +     */
 +    for (i = 0; i < vl; ++i) {
 +        uint64_t *z = (void *)za + TARGET_ZA_SIG_ZAV_OFFSET(vq, i);
 +        for (j = 0; j < vq * 2; ++j) {
 +            __put_user_e(env->zarray[i].d[j], z + j, le);
 +        }
 +    }
 +}
 +
- static void smmuv3_iommu_memory_region_class_init(ObjectClass *klass,
+ static void target_restore_general_frame(CPUARMState *env,
-                                                   void *data)
+                                          struct target_rt_sigframe *sf)
  {
-     IOMMUMemoryRegionClass *imrc = IOMMU_MEMORY_REGION_CLASS(klass);
+@@ -XXX,XX +XXX,XX @@ static void target_restore_fpsimd_record(CPUARMState *env,
-     imrc->translate = smmuv3_translate;
+ static bool target_restore_sve_record(CPUARMState *env,
-+    imrc->notify_flag_changed = smmuv3_notify_flag_changed;
+                                       struct target_sve_context *sve,
 -                                      int size)
 +                                      int size, int *svcr)
  {
 -    int i, j, vl, vq;
 +    int i, j, vl, vq, flags;
 +    bool sm;
 -    if (!cpu_isar_feature(aa64_sve, env_archcpu(env))) {
 +    __get_user(vl, &sve->vl);
 +    __get_user(flags, &sve->flags);
 +
 +    sm = flags & TARGET_SVE_SIG_FLAG_SM;
 +
 +    /* The cpu must support Streaming or Non-streaming SVE. */
 +    if (sm
 +        ? !cpu_isar_feature(aa64_sme, env_archcpu(env))
 +        : !cpu_isar_feature(aa64_sve, env_archcpu(env))) {
          return false;
      }
 -    __get_user(vl, &sve->vl);
 -    vq = sve_vq(env);
 +    /*
 +     * Note that we cannot use sve_vq() because that depends on the
 +     * current setting of PSTATE.SM, not the state to be restored.
 +     */
 +    vq = sve_vqm1_for_el_sm(env, 0, sm) + 1;
      /* Reject mismatched VL. */
      if (vl != vq * TARGET_SVE_VQ_BYTES) {
@@ -XXX,XX +XXX,XX @@ static bool target_restore_sve_record(CPUARMState *env,
          return false;
      }
 +    *svcr = FIELD_DP64(*svcr, SVCR, SM, sm);
 +
      /*
       * Note that SVE regs are stored as a byte stream, with each byte element
       * at a subsequent address.  This corresponds to a little-endian load
@@ -XXX,XX +XXX,XX @@ static bool target_restore_sve_record(CPUARMState *env,
      return true;
  }
- static const TypeInfo smmuv3_type_info = {
++static bool target_restore_za_record(CPUARMState *env,
 +                                     struct target_za_context *za,
 +                                     int size, int *svcr)
 +{
 +    int i, j, vl, vq;
 +
 +    if (!cpu_isar_feature(aa64_sme, env_archcpu(env))) {
 +        return false;
 +    }
 +
 +    __get_user(vl, &za->vl);
 +    vq = sme_vq(env);
 +
 +    /* Reject mismatched VL. */
 +    if (vl != vq * TARGET_SVE_VQ_BYTES) {
 +        return false;
 +    }
 +
 +    /* Accept empty record -- used to clear PSTATE.ZA. */
 +    if (size <= TARGET_ZA_SIG_CONTEXT_SIZE(0)) {
 +        return true;
 +    }
 +
 +    /* Reject non-empty but incomplete record. */
 +    if (size < TARGET_ZA_SIG_CONTEXT_SIZE(vq)) {
 +        return false;
 +    }
 +
 +    *svcr = FIELD_DP64(*svcr, SVCR, ZA, 1);
 +
 +    for (i = 0; i < vl; ++i) {
 +        uint64_t *z = (void *)za + TARGET_ZA_SIG_ZAV_OFFSET(vq, i);
 +        for (j = 0; j < vq * 2; ++j) {
 +            __get_user_e(env->zarray[i].d[j], z + j, le);
 +        }
 +    }
 +    return true;
 +}
 +
  static int target_restore_sigframe(CPUARMState *env,
                                     struct target_rt_sigframe *sf)
  {
      struct target_aarch64_ctx *ctx, *extra = NULL;
      struct target_fpsimd_context *fpsimd = NULL;
      struct target_sve_context *sve = NULL;
 +    struct target_za_context *za = NULL;
      uint64_t extra_datap = 0;
      bool used_extra = false;
      int sve_size = 0;
 +    int za_size = 0;
 +    int svcr = 0;
      target_restore_general_frame(env, sf);
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
              sve_size = size;
              break;
 +        case TARGET_ZA_MAGIC:
 +            if (za || size < sizeof(struct target_za_context)) {
 +                goto err;
 +            }
 +            za = (struct target_za_context *)ctx;
 +            za_size = size;
 +            break;
 +
          case TARGET_EXTRA_MAGIC:
              if (extra || size != sizeof(struct target_extra_context)) {
                  goto err;
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
      }
      /* SVE data, if present, overwrites FPSIMD data.  */
 -    if (sve && !target_restore_sve_record(env, sve, sve_size)) {
 +    if (sve && !target_restore_sve_record(env, sve, sve_size, &svcr)) {
          goto err;
      }
 +    if (za && !target_restore_za_record(env, za, za_size, &svcr)) {
 +        goto err;
 +    }
 +    if (env->svcr != svcr) {
 +        env->svcr = svcr;
 +        arm_rebuild_hflags(env);
 +    }
      unlock_user(extra, extra_datap, 0);
      return 0;
@@ -XXX,XX +XXX,XX @@ static void target_setup_frame(int usig, struct target_sigaction *ka,
          .total_size = offsetof(struct target_rt_sigframe,
                                 uc.tuc_mcontext.__reserved),
      };
 -    int fpsimd_ofs, fr_ofs, sve_ofs = 0, vq = 0, sve_size = 0;
 +    int fpsimd_ofs, fr_ofs, sve_ofs = 0, za_ofs = 0;
 +    int sve_size = 0, za_size = 0;
      struct target_rt_sigframe *frame;
      struct target_rt_frame_record *fr;
      abi_ulong frame_addr, return_addr;
@@ -XXX,XX +XXX,XX @@ static void target_setup_frame(int usig, struct target_sigaction *ka,
                                        &layout);
      /* SVE state needs saving only if it exists.  */
 -    if (cpu_isar_feature(aa64_sve, env_archcpu(env))) {
 -        vq = sve_vq(env);
 -        sve_size = QEMU_ALIGN_UP(TARGET_SVE_SIG_CONTEXT_SIZE(vq), 16);
 +    if (cpu_isar_feature(aa64_sve, env_archcpu(env)) ||
 +        cpu_isar_feature(aa64_sme, env_archcpu(env))) {
 +        sve_size = QEMU_ALIGN_UP(TARGET_SVE_SIG_CONTEXT_SIZE(sve_vq(env)), 16);
          sve_ofs = alloc_sigframe_space(sve_size, &layout);
      }
 +    if (cpu_isar_feature(aa64_sme, env_archcpu(env))) {
 +        /* ZA state needs saving only if it is enabled.  */
 +        if (FIELD_EX64(env->svcr, SVCR, ZA)) {
 +            za_size = TARGET_ZA_SIG_CONTEXT_SIZE(sme_vq(env));
 +        } else {
 +            za_size = TARGET_ZA_SIG_CONTEXT_SIZE(0);
 +        }
 +        za_ofs = alloc_sigframe_space(za_size, &layout);
 +    }
      if (layout.extra_ofs) {
          /* Reserve space for the extra end marker.  The standard end marker
@@ -XXX,XX +XXX,XX @@ static void target_setup_frame(int usig, struct target_sigaction *ka,
          target_setup_end_record((void *)frame + layout.extra_end_ofs);
      }
      if (sve_ofs) {
 -        target_setup_sve_record((void *)frame + sve_ofs, env, vq, sve_size);
 +        target_setup_sve_record((void *)frame + sve_ofs, env, sve_size);
 +    }
 +    if (za_ofs) {
 +        target_setup_za_record((void *)frame + za_ofs, env, za_size);
      }
      /* Set up the stack frame for unwinding.  */
@@ -XXX,XX +XXX,XX @@ static void target_setup_frame(int usig, struct target_sigaction *ka,
          env->btype = 2;
      }
 +    /*
 +     * Invoke the signal handler with both SM and ZA disabled.
 +     * When clearing SM, ResetSVEState, per SMSTOP.
 +     */
 +    if (FIELD_EX64(env->svcr, SVCR, SM)) {
 +        arm_reset_sve_state(env);
 +    }
 +    if (env->svcr) {
 +        env->svcr = 0;
 +        arm_rebuild_hflags(env);
 +    }
 +
      if (info) {
          tswap_siginfo(&frame->info, info);
          env->xregs[1] = frame_addr + offsetof(struct target_rt_sigframe, info);
 --
-.17.0
+.25.1

-New patch
+[PULL 41/45] linux-user: Rename sve prctls
+From: Richard Henderson <richard.henderson@linaro.org>
+Add "sve" to the sve prctl functions, to distinguish
+them from the coming "sme" prctls with similar names.
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220708151540.18136-42-richard.henderson@linaro.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ linux-user/aarch64/target_prctl.h |  8 ++++----
+ linux-user/syscall.c              | 12 ++++++------
+files changed, 10 insertions(+), 10 deletions(-)
+diff --git a/linux-user/aarch64/target_prctl.h b/linux-user/aarch64/target_prctl.h
+index XXXXXXX..XXXXXXX 100644
+--- a/linux-user/aarch64/target_prctl.h
++++ b/linux-user/aarch64/target_prctl.h
+@@ -XXX,XX +XXX,XX @@
+ #ifndef AARCH64_TARGET_PRCTL_H
+ #define AARCH64_TARGET_PRCTL_H
+-static abi_long do_prctl_get_vl(CPUArchState *env)
++static abi_long do_prctl_sve_get_vl(CPUArchState *env)
+ {
+     ARMCPU *cpu = env_archcpu(env);
+     if (cpu_isar_feature(aa64_sve, cpu)) {
+@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl_get_vl(CPUArchState *env)
+     }
+     return -TARGET_EINVAL;
+ }
+-#define do_prctl_get_vl do_prctl_get_vl
++#define do_prctl_sve_get_vl do_prctl_sve_get_vl
+-static abi_long do_prctl_set_vl(CPUArchState *env, abi_long arg2)
++static abi_long do_prctl_sve_set_vl(CPUArchState *env, abi_long arg2)
+ {
+     /*
+      * We cannot support either PR_SVE_SET_VL_ONEXEC or PR_SVE_VL_INHERIT.
+@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl_set_vl(CPUArchState *env, abi_long arg2)
+     }
+     return -TARGET_EINVAL;
+ }
+-#define do_prctl_set_vl do_prctl_set_vl
++#define do_prctl_sve_set_vl do_prctl_sve_set_vl
+ static abi_long do_prctl_reset_keys(CPUArchState *env, abi_long arg2)
+ {
+diff --git a/linux-user/syscall.c b/linux-user/syscall.c
+index XXXXXXX..XXXXXXX 100644
+--- a/linux-user/syscall.c
++++ b/linux-user/syscall.c
+@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl_inval1(CPUArchState *env, abi_long arg2)
+ #ifndef do_prctl_set_fp_mode
+ #define do_prctl_set_fp_mode do_prctl_inval1
+ #endif
+-#ifndef do_prctl_get_vl
+-#define do_prctl_get_vl do_prctl_inval0
++#ifndef do_prctl_sve_get_vl
++#define do_prctl_sve_get_vl do_prctl_inval0
+ #endif
+-#ifndef do_prctl_set_vl
+-#define do_prctl_set_vl do_prctl_inval1
++#ifndef do_prctl_sve_set_vl
++#define do_prctl_sve_set_vl do_prctl_inval1
+ #endif
+ #ifndef do_prctl_reset_keys
+ #define do_prctl_reset_keys do_prctl_inval1
+@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl(CPUArchState *env, abi_long option, abi_long arg2,
+     case PR_SET_FP_MODE:
+         return do_prctl_set_fp_mode(env, arg2);
+     case PR_SVE_GET_VL:
+-        return do_prctl_get_vl(env);
++        return do_prctl_sve_get_vl(env);
+     case PR_SVE_SET_VL:
+-        return do_prctl_set_vl(env, arg2);
++        return do_prctl_sve_set_vl(env, arg2);
+     case PR_PAC_RESET_KEYS:
+         if (arg3 || arg4 || arg5) {
+             return -TARGET_EINVAL;
+--
+.25.1

-[Qemu-devel] [PULL 09/24] hw/arm: Don't fail qtest due to missing SD card in -nodefaults mode
+[PULL 42/45] linux-user/aarch64: Implement PR_SME_GET_VL, PR_SME_SET_VL
-From: Thomas Huth <thuth@redhat.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-When running omap1/2 or pxa2xx based ARM machines with -nodefaults,
+These prctl set the Streaming SVE vector length, which may
-they bail out immediately complaining about a "missing SecureDigital
+be completely different from the Normal SVE vector length.
 device". That's not how the "default" devices in vl.c are meant to
 work - it should be possible for a board to also start up without
 default devices. So let's turn the error message and exit() into
 a warning instead.
-Signed-off-by: Thomas Huth <thuth@redhat.com>
-Message-id: 1525326811-3233-1-git-send-email-thuth@redhat.com
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220708151540.18136-43-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/omap1.c  |  8 ++++----
+ linux-user/aarch64/target_prctl.h | 54 +++++++++++++++++++++++++++++++
- hw/arm/omap2.c  |  8 ++++----
+ linux-user/syscall.c              | 16 +++++++++
- hw/arm/pxa2xx.c | 15 +++++++--------
+files changed, 70 insertions(+)
 files changed, 15 insertions(+), 16 deletions(-)
-diff --git a/hw/arm/omap1.c b/hw/arm/omap1.c
+diff --git a/linux-user/aarch64/target_prctl.h b/linux-user/aarch64/target_prctl.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/omap1.c
+--- a/linux-user/aarch64/target_prctl.h
-+++ b/hw/arm/omap1.c
++++ b/linux-user/aarch64/target_prctl.h
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl_sve_get_vl(CPUArchState *env)
- #include "hw/arm/soc_dma.h"
+ {
- #include "sysemu/block-backend.h"
+     ARMCPU *cpu = env_archcpu(env);
- #include "sysemu/blockdev.h"
+     if (cpu_isar_feature(aa64_sve, cpu)) {
-+#include "sysemu/qtest.h"
++        /* PSTATE.SM is always unset on syscall entry. */
- #include "qemu/range.h"
+         return sve_vq(env) * 16;
  #include "hw/sysbus.h"
  #include "qemu/cutils.h"
@@ -XXX,XX +XXX,XX @@ struct omap_mpu_state_s *omap310_mpu_init(MemoryRegion *system_memory,
                                  omap_findclk(s, "dpll3"));
      dinfo = drive_get(IF_SD, 0, 0);
 -    if (!dinfo) {
 -        error_report("missing SecureDigital device");
 -        exit(1);
 +    if (!dinfo && !qtest_enabled()) {
 +        warn_report("missing SecureDigital device");
      }
-     s->mmc = omap_mmc_init(0xfffb7800, system_memory,
+     return -TARGET_EINVAL;
--                           blk_by_legacy_dinfo(dinfo),
+@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl_sve_set_vl(CPUArchState *env, abi_long arg2)
-+                           dinfo ? blk_by_legacy_dinfo(dinfo) : NULL,
+         && arg2 >= 0 && arg2 <= 512 * 16 && !(arg2 & 15)) {
-                            qdev_get_gpio_in(s->ih[1], OMAP_INT_OQN),
+         uint32_t vq, old_vq;
-                            &s->drq[OMAP_DMA_MMC_TX],
-                     omap_findclk(s, "mmc_ck"));
++        /* PSTATE.SM is always unset on syscall entry. */
-diff --git a/hw/arm/omap2.c b/hw/arm/omap2.c
+         old_vq = sve_vq(env);
          /*
@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl_sve_set_vl(CPUArchState *env, abi_long arg2)
  }
  #define do_prctl_sve_set_vl do_prctl_sve_set_vl
 +static abi_long do_prctl_sme_get_vl(CPUArchState *env)
 +{
 +    ARMCPU *cpu = env_archcpu(env);
 +    if (cpu_isar_feature(aa64_sme, cpu)) {
 +        return sme_vq(env) * 16;
 +    }
 +    return -TARGET_EINVAL;
 +}
 +#define do_prctl_sme_get_vl do_prctl_sme_get_vl
 +
 +static abi_long do_prctl_sme_set_vl(CPUArchState *env, abi_long arg2)
 +{
 +    /*
 +     * We cannot support either PR_SME_SET_VL_ONEXEC or PR_SME_VL_INHERIT.
 +     * Note the kernel definition of sve_vl_valid allows for VQ=512,
 +     * i.e. VL=8192, even though the architectural maximum is VQ=16.
 +     */
 +    if (cpu_isar_feature(aa64_sme, env_archcpu(env))
 +        && arg2 >= 0 && arg2 <= 512 * 16 && !(arg2 & 15)) {
 +        int vq, old_vq;
 +
 +        old_vq = sme_vq(env);
 +
 +        /*
 +         * Bound the value of vq, so that we know that it fits into
 +         * the 4-bit field in SMCR_EL1.  Because PSTATE.SM is cleared
 +         * on syscall entry, we are not modifying the current SVE
 +         * vector length.
 +         */
 +        vq = MAX(arg2 / 16, 1);
 +        vq = MIN(vq, 16);
 +        env->vfp.smcr_el[1] =
 +            FIELD_DP64(env->vfp.smcr_el[1], SMCR, LEN, vq - 1);
 +
 +        /* Delay rebuilding hflags until we know if ZA must change. */
 +        vq = sve_vqm1_for_el_sm(env, 0, true) + 1;
 +
 +        if (vq != old_vq) {
 +            /*
 +             * PSTATE.ZA state is cleared on any change to SVL.
 +             * We need not call arm_rebuild_hflags because PSTATE.SM was
 +             * cleared on syscall entry, so this hasn't changed VL.
 +             */
 +            env->svcr = FIELD_DP64(env->svcr, SVCR, ZA, 0);
 +            arm_rebuild_hflags(env);
 +        }
 +        return vq * 16;
 +    }
 +    return -TARGET_EINVAL;
 +}
 +#define do_prctl_sme_set_vl do_prctl_sme_set_vl
 +
  static abi_long do_prctl_reset_keys(CPUArchState *env, abi_long arg2)
  {
      ARMCPU *cpu = env_archcpu(env);
 diff --git a/linux-user/syscall.c b/linux-user/syscall.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/omap2.c
+--- a/linux-user/syscall.c
-+++ b/hw/arm/omap2.c
++++ b/linux-user/syscall.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ abi_long do_arch_prctl(CPUX86State *env, int code, abi_ulong addr)
- #include "cpu.h"
+ #ifndef PR_SET_SYSCALL_USER_DISPATCH
- #include "sysemu/block-backend.h"
+ # define PR_SET_SYSCALL_USER_DISPATCH 59
- #include "sysemu/blockdev.h"
+ #endif
-+#include "sysemu/qtest.h"
++#ifndef PR_SME_SET_VL
- #include "hw/boards.h"
++# define PR_SME_SET_VL  63
- #include "hw/hw.h"
++# define PR_SME_GET_VL  64
- #include "hw/arm/arm.h"
++# define PR_SME_VL_LEN_MASK  0xffff
-@@ -XXX,XX +XXX,XX @@ struct omap_mpu_state_s *omap2420_mpu_init(MemoryRegion *sysmem,
++# define PR_SME_VL_INHERIT   (1 << 17)
-                              s->drq[OMAP24XX_DMA_GPMC]);
++#endif
-     dinfo = drive_get(IF_SD, 0, 0);
+ #include "target_prctl.h"
--    if (!dinfo) {
--        error_report("missing SecureDigital device");
+@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl_inval1(CPUArchState *env, abi_long arg2)
--        exit(1);
+ #ifndef do_prctl_set_unalign
-+    if (!dinfo && !qtest_enabled()) {
+ #define do_prctl_set_unalign do_prctl_inval1
-+        warn_report("missing SecureDigital device");
+ #endif
-     }
++#ifndef do_prctl_sme_get_vl
-     s->mmc = omap2_mmc_init(omap_l4tao(s->l4, 9),
++#define do_prctl_sme_get_vl do_prctl_inval0
--                    blk_by_legacy_dinfo(dinfo),
++#endif
-+                    dinfo ? blk_by_legacy_dinfo(dinfo) : NULL,
++#ifndef do_prctl_sme_set_vl
-                     qdev_get_gpio_in(s->ih[0], OMAP_INT_24XX_MMC_IRQ),
++#define do_prctl_sme_set_vl do_prctl_inval1
-                     &s->drq[OMAP24XX_DMA_MMC1_TX],
++#endif
-                     omap_findclk(s, "mmc_fclk"), omap_findclk(s, "mmc_iclk"));
-diff --git a/hw/arm/pxa2xx.c b/hw/arm/pxa2xx.c
+ static abi_long do_prctl(CPUArchState *env, abi_long option, abi_long arg2,
-index XXXXXXX..XXXXXXX 100644
+                          abi_long arg3, abi_long arg4, abi_long arg5)
---- a/hw/arm/pxa2xx.c
+@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl(CPUArchState *env, abi_long option, abi_long arg2,
-+++ b/hw/arm/pxa2xx.c
+         return do_prctl_sve_get_vl(env);
-@@ -XXX,XX +XXX,XX @@
+     case PR_SVE_SET_VL:
- #include "chardev/char-fe.h"
+         return do_prctl_sve_set_vl(env, arg2);
- #include "sysemu/block-backend.h"
++    case PR_SME_GET_VL:
- #include "sysemu/blockdev.h"
++        return do_prctl_sme_get_vl(env);
-+#include "sysemu/qtest.h"
++    case PR_SME_SET_VL:
- #include "qemu/cutils.h"
++        return do_prctl_sme_set_vl(env, arg2);
+     case PR_PAC_RESET_KEYS:
- static struct {
+         if (arg3 || arg4 || arg5) {
-@@ -XXX,XX +XXX,XX @@ PXA2xxState *pxa270_init(MemoryRegion *address_space,
+             return -TARGET_EINVAL;
      s->gpio = pxa2xx_gpio_init(0x40e00000, s->cpu, s->pic, 121);
      dinfo = drive_get(IF_SD, 0, 0);
 -    if (!dinfo) {
 -        error_report("missing SecureDigital device");
 -        exit(1);
 +    if (!dinfo && !qtest_enabled()) {
 +        warn_report("missing SecureDigital device");
      }
      s->mmc = pxa2xx_mmci_init(address_space, 0x41100000,
 -                    blk_by_legacy_dinfo(dinfo),
 +                    dinfo ? blk_by_legacy_dinfo(dinfo) : NULL,
                      qdev_get_gpio_in(s->pic, PXA2XX_PIC_MMC),
                      qdev_get_gpio_in(s->dma, PXA2XX_RX_RQ_MMCI),
                      qdev_get_gpio_in(s->dma, PXA2XX_TX_RQ_MMCI));
@@ -XXX,XX +XXX,XX @@ PXA2xxState *pxa255_init(MemoryRegion *address_space, unsigned int sdram_size)
      s->gpio = pxa2xx_gpio_init(0x40e00000, s->cpu, s->pic, 85);
      dinfo = drive_get(IF_SD, 0, 0);
 -    if (!dinfo) {
 -        error_report("missing SecureDigital device");
 -        exit(1);
 +    if (!dinfo && !qtest_enabled()) {
 +        warn_report("missing SecureDigital device");
      }
      s->mmc = pxa2xx_mmci_init(address_space, 0x41100000,
 -                    blk_by_legacy_dinfo(dinfo),
 +                    dinfo ? blk_by_legacy_dinfo(dinfo) : NULL,
                      qdev_get_gpio_in(s->pic, PXA2XX_PIC_MMC),
                      qdev_get_gpio_in(s->dma, PXA2XX_RX_RQ_MMCI),
                      qdev_get_gpio_in(s->dma, PXA2XX_TX_RQ_MMCI));
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 03/24] hw/char/cmsdk-apb-uart.c: Accept more input after character read
+[PULL 43/45] target/arm: Only set ZEN in reset if SVE present
-From: Patrick Oppenlander <patrick.oppenlander@gmail.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-The character frontend needs to be notified that the uart receive buffer
+There's no reason to set CPACR_EL1.ZEN if SVE disabled.
 is empty and ready to handle another character.
-Previously, the uart only worked correctly when receiving one character
-at a time.
-Signed-off-by: Patrick Oppenlander <patrick.oppenlander@gmail.com>
-Message-id: CAEg67GkRTw=cXei3o9hvpxG_L4zSrNzR0bFyAgny+sSEUb_kPw@mail.gmail.com
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220708151540.18136-44-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/char/cmsdk-apb-uart.c | 1 +
+ target/arm/cpu.c | 7 +++----
-file changed, 1 insertion(+)
+file changed, 3 insertions(+), 4 deletions(-)
-diff --git a/hw/char/cmsdk-apb-uart.c b/hw/char/cmsdk-apb-uart.c
+diff --git a/target/arm/cpu.c b/target/arm/cpu.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/char/cmsdk-apb-uart.c
+--- a/target/arm/cpu.c
-+++ b/hw/char/cmsdk-apb-uart.c
++++ b/target/arm/cpu.c
-@@ -XXX,XX +XXX,XX @@ static uint64_t uart_read(void *opaque, hwaddr offset, unsigned size)
+@@ -XXX,XX +XXX,XX @@ static void arm_cpu_reset(DeviceState *dev)
-         r = s->rxbuf;
+         /* and to the FP/Neon instructions */
-         s->state &= ~R_STATE_RXFULL_MASK;
+         env->cp15.cpacr_el1 = FIELD_DP64(env->cp15.cpacr_el1,
-         cmsdk_apb_uart_update(s);
+                                          CPACR_EL1, FPEN, 3);
-+        qemu_chr_fe_accept_input(&s->chr);
+-        /* and to the SVE instructions */
-         break;
+-        env->cp15.cpacr_el1 = FIELD_DP64(env->cp15.cpacr_el1,
-     case A_STATE:
+-                                         CPACR_EL1, ZEN, 3);
-         r = s->state;
+-        /* with reasonable vector length */
 +        /* and to the SVE instructions, with default vector length */
          if (cpu_isar_feature(aa64_sve, cpu)) {
 +            env->cp15.cpacr_el1 = FIELD_DP64(env->cp15.cpacr_el1,
 +                                             CPACR_EL1, ZEN, 3);
              env->vfp.zcr_el[1] = cpu->sve_default_vq - 1;
          }
          /*
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 01/24] hw/arm/virt: Add linux, pci-domain property
+[PULL 44/45] target/arm: Enable SME for user-only
-From: Jan Kiszka <jan.kiszka@siemens.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-This allows to pin the host controller in the Linux PCI domain space.
+Enable SME, TPIDR2_EL0, and FA64 if supported by the cpu.
 Linux requires that property to be available consistently or not at all,
 in which case the domain number becomes unstable on additions/removals.
 Adding it here won't make a difference in practice for most setups as we
 only expose one controller.
-However, enabling Jailhouse on top may introduce another controller, and
-that one would like to have stable address as well. So the property is
-needed for the first controller as well.
-Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
-Message-id: 3301c5bc-7b47-1b0e-8ce4-30435057a276@web.de
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220708151540.18136-45-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/virt.c | 1 +
+ target/arm/cpu.c | 11 +++++++++++
-file changed, 1 insertion(+)
+file changed, 11 insertions(+)
-diff --git a/hw/arm/virt.c b/hw/arm/virt.c
+diff --git a/target/arm/cpu.c b/target/arm/cpu.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/virt.c
+--- a/target/arm/cpu.c
-+++ b/hw/arm/virt.c
++++ b/target/arm/cpu.c
-@@ -XXX,XX +XXX,XX @@ static void create_pcie(const VirtMachineState *vms, qemu_irq *pic)
+@@ -XXX,XX +XXX,XX @@ static void arm_cpu_reset(DeviceState *dev)
-     qemu_fdt_setprop_string(vms->fdt, nodename, "device_type", "pci");
+                                              CPACR_EL1, ZEN, 3);
-     qemu_fdt_setprop_cell(vms->fdt, nodename, "#address-cells", 3);
+             env->vfp.zcr_el[1] = cpu->sve_default_vq - 1;
-     qemu_fdt_setprop_cell(vms->fdt, nodename, "#size-cells", 2);
+         }
-+    qemu_fdt_setprop_cell(vms->fdt, nodename, "linux,pci-domain", 0);
++        /* and for SME instructions, with default vector length, and TPIDR2 */
-     qemu_fdt_setprop_cells(vms->fdt, nodename, "bus-range", 0,
++        if (cpu_isar_feature(aa64_sme, cpu)) {
-                            nr_pcie_buses - 1);
++            env->cp15.sctlr_el[1] |= SCTLR_EnTP2;
-     qemu_fdt_setprop(vms->fdt, nodename, "dma-coherent", NULL, 0);
++            env->cp15.cpacr_el1 = FIELD_DP64(env->cp15.cpacr_el1,
 +                                             CPACR_EL1, SMEN, 3);
 +            env->vfp.smcr_el[1] = cpu->sme_default_vq - 1;
 +            if (cpu_isar_feature(aa64_sme_fa64, cpu)) {
 +                env->vfp.smcr_el[1] = FIELD_DP64(env->vfp.smcr_el[1],
 +                                                 SMCR, FA64, 1);
 +            }
 +        }
          /*
           * Enable 48-bit address space (TODO: take reserved_va into account).
           * Enable TBI0 but not TBI1.
 --
-.17.0
+.25.1

-[Qemu-devel] [PULL 06/24] arm: boot: set boot_info starting from first_cpu
+[PULL 45/45] linux-user/aarch64: Add SME related hwcap entries
-From: Igor Mammedov <imammedo@redhat.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-Even though nothing is currently broken (since all boards
-use first_cpu as boot cpu), make sure that boot_info is set
-on all CPUs.
-If some board would like support heterogenuos setup (i.e.
-init boot_info on subset of CPUs) in future, it should add
-a reasonable API to do it, instead of starting assigning
-boot_info from some CPU and till the end of present CPUs
-list.
-Ref:
-"Message-ID: <CAFEAcA_NMWuA8WSs3cNeY6xX1kerO_uAcN_3=fK02BEhHJW86g@mail.gmail.com>"
-Signed-off-by: Igor Mammedov <imammedo@redhat.com>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 1525176522-200354-5-git-send-email-imammedo@redhat.com
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20220708151540.18136-46-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/boot.c | 2 +-
+ linux-user/elfload.c | 20 ++++++++++++++++++++
-file changed, 1 insertion(+), 1 deletion(-)
+file changed, 20 insertions(+)
-diff --git a/hw/arm/boot.c b/hw/arm/boot.c
+diff --git a/linux-user/elfload.c b/linux-user/elfload.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/boot.c
+--- a/linux-user/elfload.c
-+++ b/hw/arm/boot.c
++++ b/linux-user/elfload.c
-@@ -XXX,XX +XXX,XX @@ static void arm_load_kernel_notify(Notifier *notifier, void *data)
+@@ -XXX,XX +XXX,XX @@ enum {
-     }
+     ARM_HWCAP2_A64_RNG          = 1 << 16,
-     info->is_linux = is_linux;
+     ARM_HWCAP2_A64_BTI          = 1 << 17,
+     ARM_HWCAP2_A64_MTE          = 1 << 18,
--    for (cs = CPU(cpu); cs; cs = CPU_NEXT(cs)) {
++    ARM_HWCAP2_A64_ECV          = 1 << 19,
-+    for (cs = first_cpu; cs; cs = CPU_NEXT(cs)) {
++    ARM_HWCAP2_A64_AFP          = 1 << 20,
-         ARM_CPU(cs)->env.boot_info = info;
++    ARM_HWCAP2_A64_RPRES        = 1 << 21,
-     }
++    ARM_HWCAP2_A64_MTE3         = 1 << 22,
 +    ARM_HWCAP2_A64_SME          = 1 << 23,
 +    ARM_HWCAP2_A64_SME_I16I64   = 1 << 24,
 +    ARM_HWCAP2_A64_SME_F64F64   = 1 << 25,
 +    ARM_HWCAP2_A64_SME_I8I32    = 1 << 26,
 +    ARM_HWCAP2_A64_SME_F16F32   = 1 << 27,
 +    ARM_HWCAP2_A64_SME_B16F32   = 1 << 28,
 +    ARM_HWCAP2_A64_SME_F32F32   = 1 << 29,
 +    ARM_HWCAP2_A64_SME_FA64     = 1 << 30,
  };
  #define ELF_HWCAP   get_elf_hwcap()
@@ -XXX,XX +XXX,XX @@ static uint32_t get_elf_hwcap2(void)
      GET_FEATURE_ID(aa64_rndr, ARM_HWCAP2_A64_RNG);
      GET_FEATURE_ID(aa64_bti, ARM_HWCAP2_A64_BTI);
      GET_FEATURE_ID(aa64_mte, ARM_HWCAP2_A64_MTE);
 +    GET_FEATURE_ID(aa64_sme, (ARM_HWCAP2_A64_SME |
 +                              ARM_HWCAP2_A64_SME_F32F32 |
 +                              ARM_HWCAP2_A64_SME_B16F32 |
 +                              ARM_HWCAP2_A64_SME_F16F32 |
 +                              ARM_HWCAP2_A64_SME_I8I32));
 +    GET_FEATURE_ID(aa64_sme_f64f64, ARM_HWCAP2_A64_SME_F64F64);
 +    GET_FEATURE_ID(aa64_sme_i16i64, ARM_HWCAP2_A64_SME_I16I64);
 +    GET_FEATURE_ID(aa64_sme_fa64, ARM_HWCAP2_A64_SME_FA64);
      return hwcaps;
  }
 --
-.17.0
+.25.1

target-arm queue: Eric's SMMUv3 patchset, and an array
of minor bugfixes and improvements from various others.

thanks
-- PMM

The following changes since commit c8b7e627b4269a3bc3ae41d9f420547a47e6d9b9:

Merge remote-tracking branch 'remotes/ericb/tags/pull-nbd-2018-05-04' into staging (2018-05-04 14:42:46 +0100)

are available in the Git repository at:

git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20180504

for you to fetch changes up to 5680740c92993e9b3f3e011f2a2c394070e33f56:

hw/arm/virt: Introduce the iommu option (2018-05-04 18:05:52 +0100)

----------------------------------------------------------------
target-arm queue:
 * Emulate the SMMUv3 (IOMMU); one will be created in the 'virt' board
   if the commandline includes "-machine iommu=smmuv3"
 * target/arm: Implement v8M VLLDM and VLSTM
 * hw/arm: Don't fail qtest due to missing SD card in -nodefaults mode
 * Some fixes to silence Coverity false-positives
 * arm: boot: set boot_info starting from first_cpu
   (fixes a technical bug not visible in practice)
 * hw/net/smc91c111: Convert away from old_mmio
 * hw/usb/tusb6010: Convert away from old_mmio
 * hw/char/cmsdk-apb-uart.c: Accept more input after character read
 * target/arm: Make MPUIR write-ignored on OMAP, StrongARM
 * hw/arm/virt: Add linux,pci-domain property

----------------------------------------------------------------
Eric Auger (11):
      hw/arm/smmu-common: smmu base device and datatypes
      hw/arm/smmu-common: IOMMU memory region and address space setup
      hw/arm/smmu-common: VMSAv8-64 page table walk
      hw/arm/smmuv3: Wired IRQ and GERROR helpers
      hw/arm/smmuv3: Queue helpers
      hw/arm/smmuv3: Implement MMIO write operations
      hw/arm/smmuv3: Event queue recording helper
      hw/arm/smmuv3: Implement translate callback
      hw/arm/smmuv3: Abort on vfio or vhost case
      target/arm/kvm: Translate the MSI doorbell in kvm_arch_fixup_msi_route
      hw/arm/virt: Introduce the iommu option

Igor Mammedov (1):
      arm: boot: set boot_info starting from first_cpu

Jan Kiszka (1):
      hw/arm/virt: Add linux,pci-domain property

Mathew Maidment (1):
      target/arm: Correct MPUIR privilege level in register_cp_regs_for_features() conditional case

Patrick Oppenlander (1):
      hw/char/cmsdk-apb-uart.c: Accept more input after character read

Peter Maydell (3):
      hw/usb/tusb6010: Convert away from old_mmio
      hw/net/smc91c111: Convert away from old_mmio
      target/arm: Implement v8M VLLDM and VLSTM

Prem Mallappa (3):
      hw/arm/smmuv3: Skeleton
      hw/arm/virt: Add SMMUv3 to the virt board
      hw/arm/virt-acpi-build: Add smmuv3 node in IORT table

Richard Henderson (2):
      target/arm: Tidy conditions in handle_vec_simd_shri
      target/arm: Tidy condition in disas_simd_two_reg_misc

Thomas Huth (1):
      hw/arm: Don't fail qtest due to missing SD card in -nodefaults mode

From: Jan Kiszka <jan.kiszka@siemens.com>

This allows to pin the host controller in the Linux PCI domain space.
Linux requires that property to be available consistently or not at all,
in which case the domain number becomes unstable on additions/removals.
Adding it here won't make a difference in practice for most setups as we
only expose one controller.

However, enabling Jailhouse on top may introduce another controller, and
that one would like to have stable address as well. So the property is
needed for the first controller as well.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Message-id: 3301c5bc-7b47-1b0e-8ce4-30435057a276@web.de
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/virt.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@ static void create_pcie(const VirtMachineState *vms, qemu_irq *pic)
     qemu_fdt_setprop_string(vms->fdt, nodename, "device_type", "pci");
     qemu_fdt_setprop_cell(vms->fdt, nodename, "#address-cells", 3);
     qemu_fdt_setprop_cell(vms->fdt, nodename, "#size-cells", 2);
+    qemu_fdt_setprop_cell(vms->fdt, nodename, "linux,pci-domain", 0);
     qemu_fdt_setprop_cells(vms->fdt, nodename, "bus-range", 0,
                            nr_pcie_buses - 1);
     qemu_fdt_setprop(vms->fdt, nodename, "dma-coherent", NULL, 0);
-- 
2.17.0

From: Mathew Maidment <mathew1800@gmail.com>

The duplication of id_tlbtr_reginfo was unintentionally added within
3281af8114c6b8ead02f08b58e3c36895c1ea047 which should have been
id_mpuir_reginfo.

The effect was that for OMAP and StrongARM CPUs we would
incorrectly UNDEF writes to MPUIR rather than NOPing them.

Signed-off-by: Mathew Maidment <mathew1800@gmail.com>
Message-id: 20180501184933.37609-2-mathew1800@gmail.com
[PMM: tweak commit message]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
             for (r = id_cp_reginfo; r->type != ARM_CP_SENTINEL; r++) {
                 r->access = PL1_RW;
             }
-            id_tlbtr_reginfo.access = PL1_RW;
+            id_mpuir_reginfo.access = PL1_RW;
             id_tlbtr_reginfo.access = PL1_RW;
         }
         if (arm_feature(env, ARM_FEATURE_V8)) {
-- 
2.17.0

From: Patrick Oppenlander <patrick.oppenlander@gmail.com>

The character frontend needs to be notified that the uart receive buffer
is empty and ready to handle another character.

Previously, the uart only worked correctly when receiving one character
at a time.

Signed-off-by: Patrick Oppenlander <patrick.oppenlander@gmail.com>
Message-id: CAEg67GkRTw=cXei3o9hvpxG_L4zSrNzR0bFyAgny+sSEUb_kPw@mail.gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/char/cmsdk-apb-uart.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/char/cmsdk-apb-uart.c b/hw/char/cmsdk-apb-uart.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/char/cmsdk-apb-uart.c
+++ b/hw/char/cmsdk-apb-uart.c
@@ -XXX,XX +XXX,XX @@ static uint64_t uart_read(void *opaque, hwaddr offset, unsigned size)
         r = s->rxbuf;
         s->state &= ~R_STATE_RXFULL_MASK;
         cmsdk_apb_uart_update(s);
+        qemu_chr_fe_accept_input(&s->chr);
         break;
     case A_STATE:
         r = s->state;
-- 
2.17.0

Convert the tusb6010 device away from using the old_mmio field
of MemoryRegionOps. This device is used only in the n800 and n810
boards.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180427173611.10281-2-peter.maydell@linaro.org
---
 hw/usb/tusb6010.c | 40 ++++++++++++++++++++++++++++++++++++----
 1 file changed, 36 insertions(+), 4 deletions(-)

diff --git a/hw/usb/tusb6010.c b/hw/usb/tusb6010.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/usb/tusb6010.c
+++ b/hw/usb/tusb6010.c
@@ -XXX,XX +XXX,XX @@ static void tusb_async_writew(void *opaque, hwaddr addr,
     }
 }
 
+static uint64_t tusb_async_readfn(void *opaque, hwaddr addr, unsigned size)
+{
+    switch (size) {
+    case 1:
+        return tusb_async_readb(opaque, addr);
+    case 2:
+        return tusb_async_readh(opaque, addr);
+    case 4:
+        return tusb_async_readw(opaque, addr);
+    default:
+        g_assert_not_reached();
+    }
+}
+
+static void tusb_async_writefn(void *opaque, hwaddr addr,
+                               uint64_t value, unsigned size)
+{
+    switch (size) {
+    case 1:
+        tusb_async_writeb(opaque, addr, value);
+        break;
+    case 2:
+        tusb_async_writeh(opaque, addr, value);
+        break;
+    case 4:
+        tusb_async_writew(opaque, addr, value);
+        break;
+    default:
+        g_assert_not_reached();
+    }
+}
+
 static const MemoryRegionOps tusb_async_ops = {
-    .old_mmio = {
-        .read = { tusb_async_readb, tusb_async_readh, tusb_async_readw, },
-        .write =  { tusb_async_writeb, tusb_async_writeh, tusb_async_writew, },
-    },
+    .read = tusb_async_readfn,
+    .write = tusb_async_writefn,
+    .valid.min_access_size = 1,
+    .valid.max_access_size = 4,
     .endianness = DEVICE_NATIVE_ENDIAN,
 };
 
-- 
2.17.0

Convert the smc91c111 device away from using the old_mmio field of
MemoryRegionOps. This device is used by several Arm board models.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180427173611.10281-3-peter.maydell@linaro.org
---
 hw/net/smc91c111.c | 54 +++++++++++++++++++++-------------------------
 1 file changed, 25 insertions(+), 29 deletions(-)

diff --git a/hw/net/smc91c111.c b/hw/net/smc91c111.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/net/smc91c111.c
+++ b/hw/net/smc91c111.c
@@ -XXX,XX +XXX,XX @@ static uint32_t smc91c111_readb(void *opaque, hwaddr offset)
     return 0;
 }
 
-static void smc91c111_writew(void *opaque, hwaddr offset,
-                             uint32_t value)
+static uint64_t smc91c111_readfn(void *opaque, hwaddr addr, unsigned size)
 {
-    smc91c111_writeb(opaque, offset, value & 0xff);
-    smc91c111_writeb(opaque, offset + 1, value >> 8);
+    int i;
+    uint32_t val = 0;
+
+    for (i = 0; i < size; i++) {
+        val |= smc91c111_readb(opaque, addr + i) << (i * 8);
+    }
+    return val;
 }
 
-static void smc91c111_writel(void *opaque, hwaddr offset,
-                             uint32_t value)
+static void smc91c111_writefn(void *opaque, hwaddr addr,
+                               uint64_t value, unsigned size)
 {
+    int i = 0;
+
     /* 32-bit writes to offset 0xc only actually write to the bank select
-       register (offset 0xe)  */
-    if (offset != 0xc)
-        smc91c111_writew(opaque, offset, value & 0xffff);
-    smc91c111_writew(opaque, offset + 2, value >> 16);
-}
+     * register (offset 0xe), so skip the first two bytes we would write.
+     */
+    if (addr == 0xc && size == 4) {
+        i += 2;
+    }
 
-static uint32_t smc91c111_readw(void *opaque, hwaddr offset)
-{
-    uint32_t val;
-    val = smc91c111_readb(opaque, offset);
-    val |= smc91c111_readb(opaque, offset + 1) << 8;
-    return val;
-}
-
-static uint32_t smc91c111_readl(void *opaque, hwaddr offset)
-{
-    uint32_t val;
-    val = smc91c111_readw(opaque, offset);
-    val |= smc91c111_readw(opaque, offset + 2) << 16;
-    return val;
+    for (; i < size; i++) {
+        smc91c111_writeb(opaque, addr + i,
+                         extract32(value, i * 8, 8));
+    }
 }
 
 static int smc91c111_can_receive_nc(NetClientState *nc)
@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps smc91c111_mem_ops = {
     /* The special case for 32 bit writes to 0xc means we can't just
      * set .impl.min/max_access_size to 1, unfortunately
      */
-    .old_mmio = {
-        .read = { smc91c111_readb, smc91c111_readw, smc91c111_readl, },
-        .write = { smc91c111_writeb, smc91c111_writew, smc91c111_writel, },
-    },
+    .read = smc91c111_readfn,
+    .write = smc91c111_writefn,
+    .valid.min_access_size = 1,
+    .valid.max_access_size = 4,
     .endianness = DEVICE_NATIVE_ENDIAN,
 };
 
-- 
2.17.0

From: Igor Mammedov <imammedo@redhat.com>

Even though nothing is currently broken (since all boards
use first_cpu as boot cpu), make sure that boot_info is set
on all CPUs.
If some board would like support heterogenuos setup (i.e.
init boot_info on subset of CPUs) in future, it should add
a reasonable API to do it, instead of starting assigning
boot_info from some CPU and till the end of present CPUs
list.

Ref:
"Message-ID: <CAFEAcA_NMWuA8WSs3cNeY6xX1kerO_uAcN_3=fK02BEhHJW86g@mail.gmail.com>"

Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1525176522-200354-5-git-send-email-imammedo@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/boot.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/arm/boot.c b/hw/arm/boot.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/boot.c
+++ b/hw/arm/boot.c
@@ -XXX,XX +XXX,XX @@ static void arm_load_kernel_notify(Notifier *notifier, void *data)
     }
     info->is_linux = is_linux;
 
-    for (cs = CPU(cpu); cs; cs = CPU_NEXT(cs)) {
+    for (cs = first_cpu; cs; cs = CPU_NEXT(cs)) {
         ARM_CPU(cs)->env.boot_info = info;
     }
 }
-- 
2.17.0

From: Richard Henderson <richard.henderson@linaro.org>

The (size > 3 && !is_q) condition is identical to the preceeding test
of bit 3 in immh; eliminate it.  For the benefit of Coverity, assert
that size is within the bounds we expect.

Fixes: Coverity CID1385846
Fixes: Coverity CID1385849
Fixes: Coverity CID1385852
Fixes: Coverity CID1385857
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20180501180455.11214-2-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void handle_vec_simd_shri(DisasContext *s, bool is_q, bool is_u,
         unallocated_encoding(s);
         return;
     }
-
-    if (size > 3 && !is_q) {
-        unallocated_encoding(s);
-        return;
-    }
+    tcg_debug_assert(size <= 3);
 
     if (!fp_access_check(s)) {
         return;
-- 
2.17.0

From: Richard Henderson <richard.henderson@linaro.org>

Path analysis shows that size == 3 && !is_q has been eliminated.

Fixes: Coverity CID1385853
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20180501180455.11214-3-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void disas_simd_two_reg_misc(DisasContext *s, uint32_t insn)
         /* All 64-bit element operations can be shared with scalar 2misc */
         int pass;
 
-        for (pass = 0; pass < (is_q ? 2 : 1); pass++) {
+        /* Coverity claims (size == 3 && !is_q) has been eliminated
+         * from all paths leading to here.
+         */
+        tcg_debug_assert(is_q);
+        for (pass = 0; pass < 2; pass++) {
             TCGv_i64 tcg_op = tcg_temp_new_i64();
             TCGv_i64 tcg_res = tcg_temp_new_i64();
 
-- 
2.17.0

From: Thomas Huth <thuth@redhat.com>

When running omap1/2 or pxa2xx based ARM machines with -nodefaults,
they bail out immediately complaining about a "missing SecureDigital
device". That's not how the "default" devices in vl.c are meant to
work - it should be possible for a board to also start up without
default devices. So let's turn the error message and exit() into
a warning instead.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-id: 1525326811-3233-1-git-send-email-thuth@redhat.com
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/omap1.c  |  8 ++++----
 hw/arm/omap2.c  |  8 ++++----
 hw/arm/pxa2xx.c | 15 +++++++--------
 3 files changed, 15 insertions(+), 16 deletions(-)

diff --git a/hw/arm/omap1.c b/hw/arm/omap1.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/omap1.c
+++ b/hw/arm/omap1.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/arm/soc_dma.h"
 #include "sysemu/block-backend.h"
 #include "sysemu/blockdev.h"
+#include "sysemu/qtest.h"
 #include "qemu/range.h"
 #include "hw/sysbus.h"
 #include "qemu/cutils.h"
@@ -XXX,XX +XXX,XX @@ struct omap_mpu_state_s *omap310_mpu_init(MemoryRegion *system_memory,
                                 omap_findclk(s, "dpll3"));
 
     dinfo = drive_get(IF_SD, 0, 0);
-    if (!dinfo) {
-        error_report("missing SecureDigital device");
-        exit(1);
+    if (!dinfo && !qtest_enabled()) {
+        warn_report("missing SecureDigital device");
     }
     s->mmc = omap_mmc_init(0xfffb7800, system_memory,
-                           blk_by_legacy_dinfo(dinfo),
+                           dinfo ? blk_by_legacy_dinfo(dinfo) : NULL,
                            qdev_get_gpio_in(s->ih[1], OMAP_INT_OQN),
                            &s->drq[OMAP_DMA_MMC_TX],
                     omap_findclk(s, "mmc_ck"));
diff --git a/hw/arm/omap2.c b/hw/arm/omap2.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/omap2.c
+++ b/hw/arm/omap2.c
@@ -XXX,XX +XXX,XX @@
 #include "cpu.h"
 #include "sysemu/block-backend.h"
 #include "sysemu/blockdev.h"
+#include "sysemu/qtest.h"
 #include "hw/boards.h"
 #include "hw/hw.h"
 #include "hw/arm/arm.h"
@@ -XXX,XX +XXX,XX @@ struct omap_mpu_state_s *omap2420_mpu_init(MemoryRegion *sysmem,
                              s->drq[OMAP24XX_DMA_GPMC]);
 
     dinfo = drive_get(IF_SD, 0, 0);
-    if (!dinfo) {
-        error_report("missing SecureDigital device");
-        exit(1);
+    if (!dinfo && !qtest_enabled()) {
+        warn_report("missing SecureDigital device");
     }
     s->mmc = omap2_mmc_init(omap_l4tao(s->l4, 9),
-                    blk_by_legacy_dinfo(dinfo),
+                    dinfo ? blk_by_legacy_dinfo(dinfo) : NULL,
                     qdev_get_gpio_in(s->ih[0], OMAP_INT_24XX_MMC_IRQ),
                     &s->drq[OMAP24XX_DMA_MMC1_TX],
                     omap_findclk(s, "mmc_fclk"), omap_findclk(s, "mmc_iclk"));
diff --git a/hw/arm/pxa2xx.c b/hw/arm/pxa2xx.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/pxa2xx.c
+++ b/hw/arm/pxa2xx.c
@@ -XXX,XX +XXX,XX @@
 #include "chardev/char-fe.h"
 #include "sysemu/block-backend.h"
 #include "sysemu/blockdev.h"
+#include "sysemu/qtest.h"
 #include "qemu/cutils.h"
 
 static struct {
@@ -XXX,XX +XXX,XX @@ PXA2xxState *pxa270_init(MemoryRegion *address_space,
     s->gpio = pxa2xx_gpio_init(0x40e00000, s->cpu, s->pic, 121);
 
     dinfo = drive_get(IF_SD, 0, 0);
-    if (!dinfo) {
-        error_report("missing SecureDigital device");
-        exit(1);
+    if (!dinfo && !qtest_enabled()) {
+        warn_report("missing SecureDigital device");
     }
     s->mmc = pxa2xx_mmci_init(address_space, 0x41100000,
-                    blk_by_legacy_dinfo(dinfo),
+                    dinfo ? blk_by_legacy_dinfo(dinfo) : NULL,
                     qdev_get_gpio_in(s->pic, PXA2XX_PIC_MMC),
                     qdev_get_gpio_in(s->dma, PXA2XX_RX_RQ_MMCI),
                     qdev_get_gpio_in(s->dma, PXA2XX_TX_RQ_MMCI));
@@ -XXX,XX +XXX,XX @@ PXA2xxState *pxa255_init(MemoryRegion *address_space, unsigned int sdram_size)
     s->gpio = pxa2xx_gpio_init(0x40e00000, s->cpu, s->pic, 85);
 
     dinfo = drive_get(IF_SD, 0, 0);
-    if (!dinfo) {
-        error_report("missing SecureDigital device");
-        exit(1);
+    if (!dinfo && !qtest_enabled()) {
+        warn_report("missing SecureDigital device");
     }
     s->mmc = pxa2xx_mmci_init(address_space, 0x41100000,
-                    blk_by_legacy_dinfo(dinfo),
+                    dinfo ? blk_by_legacy_dinfo(dinfo) : NULL,
                     qdev_get_gpio_in(s->pic, PXA2XX_PIC_MMC),
                     qdev_get_gpio_in(s->dma, PXA2XX_RX_RQ_MMCI),
                     qdev_get_gpio_in(s->dma, PXA2XX_TX_RQ_MMCI));
-- 
2.17.0

For v8M the instructions VLLDM and VLSTM support lazy saving
and restoring of the secure floating-point registers. Even
if the floating point extension is not implemented, these
instructions must act as NOPs in Secure state, so they can
be used as part of the secure-to-nonsecure call sequence.

Fixes: https://bugs.launchpad.net/qemu/+bug/1768295
Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180503105730.5958-1-peter.maydell@linaro.org
---
 target/arm/translate.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
         /* Coprocessor.  */
         if (arm_dc_feature(s, ARM_FEATURE_M)) {
             /* We don't currently implement M profile FP support,
-             * so this entire space should give a NOCP fault.
+             * so this entire space should give a NOCP fault, with
+             * the exception of the v8M VLLDM and VLSTM insns, which
+             * must be NOPs in Secure state and UNDEF in Nonsecure state.
              */
+            if (arm_dc_feature(s, ARM_FEATURE_V8) &&
+                (insn & 0xffa00f00) == 0xec200a00) {
+                /* 0b1110_1100_0x1x_xxxx_xxxx_1010_xxxx_xxxx
+                 *  - VLLDM, VLSTM
+                 * We choose to UNDEF if the RAZ bits are non-zero.
+                 */
+                if (!s->v8m_secure || (insn & 0x0040f0ff)) {
+                    goto illegal_op;
+                }
+                /* Just NOP since FP support is not implemented */
+                break;
+            }
+            /* All other insns: NOCP */
             gen_exception_insn(s, 4, EXCP_NOCP, syn_uncategorized(),
                                default_exception_el(s));
             break;
-- 
2.17.0

From: Eric Auger <eric.auger@redhat.com>

The patch introduces the smmu base device and class for the ARM
smmu. Devices for specific versions will be derived from this
base device.

We also introduce some important datatypes.

Signed-off-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Prem Mallappa <prem.mallappa@broadcom.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1524665762-31355-2-git-send-email-eric.auger@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/Makefile.objs                |   1 +
 include/hw/arm/smmu-common.h        | 123 ++++++++++++++++++++++++++++
 hw/arm/smmu-common.c                |  81 ++++++++++++++++++
 default-configs/aarch64-softmmu.mak |   1 +
 4 files changed, 206 insertions(+)
 create mode 100644 include/hw/arm/smmu-common.h
 create mode 100644 hw/arm/smmu-common.c

From: Eric Auger <eric.auger@redhat.com>

We set up the infrastructure to enumerate all the PCI devices
attached to the SMMU and create an associated IOMMU memory
region and address space.

Those info are stored in SMMUDevice objects. The devices are
grouped according to the PCIBus they belong to. A hash table
indexed by the PCIBus pointer is used. Also an array indexed by
the bus number allows to find the list of SMMUDevices.

Signed-off-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Prem Mallappa <prem.mallappa@broadcom.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1524665762-31355-3-git-send-email-eric.auger@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/arm/smmu-common.h |  8 +++++
 hw/arm/smmu-common.c         | 69 ++++++++++++++++++++++++++++++++++++
 hw/arm/trace-events          |  3 ++
 3 files changed, 80 insertions(+)

diff --git a/include/hw/arm/smmu-common.h b/include/hw/arm/smmu-common.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/smmu-common.h
+++ b/include/hw/arm/smmu-common.h
@@ -XXX,XX +XXX,XX @@ typedef struct {
 #define ARM_SMMU_GET_CLASS(obj)                              \
     OBJECT_GET_CLASS(SMMUBaseClass, (obj), TYPE_ARM_SMMU)
 
+/* Return the SMMUPciBus handle associated to a PCI bus number */
+SMMUPciBus *smmu_find_smmu_pcibus(SMMUState *s, uint8_t bus_num);
+
+/* Return the stream ID of an SMMU device */
+static inline uint16_t smmu_get_sid(SMMUDevice *sdev)
+{
+    return PCI_BUILD_BDF(pci_bus_num(sdev->bus), sdev->devfn);
+}
 #endif  /* HW_ARM_SMMU_COMMON */
diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmu-common.c
+++ b/hw/arm/smmu-common.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/error-report.h"
 #include "hw/arm/smmu-common.h"
 
+/**
+ * The bus number is used for lookup when SID based invalidation occurs.
+ * In that case we lazily populate the SMMUPciBus array from the bus hash
+ * table. At the time the SMMUPciBus is created (smmu_find_add_as), the bus
+ * numbers may not be always initialized yet.
+ */
+SMMUPciBus *smmu_find_smmu_pcibus(SMMUState *s, uint8_t bus_num)
+{
+    SMMUPciBus *smmu_pci_bus = s->smmu_pcibus_by_bus_num[bus_num];
+
+    if (!smmu_pci_bus) {
+        GHashTableIter iter;
+
+        g_hash_table_iter_init(&iter, s->smmu_pcibus_by_busptr);
+        while (g_hash_table_iter_next(&iter, NULL, (void **)&smmu_pci_bus)) {
+            if (pci_bus_num(smmu_pci_bus->bus) == bus_num) {
+                s->smmu_pcibus_by_bus_num[bus_num] = smmu_pci_bus;
+                return smmu_pci_bus;
+            }
+        }
+    }
+    return smmu_pci_bus;
+}
+
+static AddressSpace *smmu_find_add_as(PCIBus *bus, void *opaque, int devfn)
+{
+    SMMUState *s = opaque;
+    SMMUPciBus *sbus = g_hash_table_lookup(s->smmu_pcibus_by_busptr, bus);
+    SMMUDevice *sdev;
+
+    if (!sbus) {
+        sbus = g_malloc0(sizeof(SMMUPciBus) +
+                         sizeof(SMMUDevice *) * SMMU_PCI_DEVFN_MAX);
+        sbus->bus = bus;
+        g_hash_table_insert(s->smmu_pcibus_by_busptr, bus, sbus);
+    }
+
+    sdev = sbus->pbdev[devfn];
+    if (!sdev) {
+        char *name = g_strdup_printf("%s-%d-%d",
+                                     s->mrtypename,
+                                     pci_bus_num(bus), devfn);
+        sdev = sbus->pbdev[devfn] = g_new0(SMMUDevice, 1);
+
+        sdev->smmu = s;
+        sdev->bus = bus;
+        sdev->devfn = devfn;
+
+        memory_region_init_iommu(&sdev->iommu, sizeof(sdev->iommu),
+                                 s->mrtypename,
+                                 OBJECT(s), name, 1ULL << SMMU_MAX_VA_BITS);
+        address_space_init(&sdev->as,
+                           MEMORY_REGION(&sdev->iommu), name);
+        trace_smmu_add_mr(name);
+        g_free(name);
+    }
+
+    return &sdev->as;
+}
+
 static void smmu_base_realize(DeviceState *dev, Error **errp)
 {
+    SMMUState *s = ARM_SMMU(dev);
     SMMUBaseClass *sbc = ARM_SMMU_GET_CLASS(dev);
     Error *local_err = NULL;
 
@@ -XXX,XX +XXX,XX @@ static void smmu_base_realize(DeviceState *dev, Error **errp)
         error_propagate(errp, local_err);
         return;
     }
+
+    s->smmu_pcibus_by_busptr = g_hash_table_new(NULL, NULL);
+
+    if (s->primary_bus) {
+        pci_setup_iommu(s->primary_bus, smmu_find_add_as, s);
+    } else {
+        error_setg(errp, "SMMU is not attached to any PCI bus!");
+    }
 }
 
 static void smmu_base_reset(DeviceState *dev)
diff --git a/hw/arm/trace-events b/hw/arm/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/trace-events
+++ b/hw/arm/trace-events
@@ -XXX,XX +XXX,XX @@
 
 # hw/arm/virt-acpi-build.c
 virt_acpi_setup(void) "No fw cfg or ACPI disabled. Bailing out."
+
+# hw/arm/smmu-common.c
+smmu_add_mr(const char *name) "%s"
\ No newline at end of file
-- 
2.17.0

From: Eric Auger <eric.auger@redhat.com>

This patch implements the page table walk for VMSAv8-64.

Signed-off-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Prem Mallappa <prem.mallappa@broadcom.com>
Message-id: 1524665762-31355-4-git-send-email-eric.auger@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/smmu-internal.h       |  99 ++++++++++++++++
 include/hw/arm/smmu-common.h |  14 +++
 hw/arm/smmu-common.c         | 222 +++++++++++++++++++++++++++++++++++
 hw/arm/trace-events          |   9 +-
 4 files changed, 343 insertions(+), 1 deletion(-)
 create mode 100644 hw/arm/smmu-internal.h

diff --git a/hw/arm/smmu-internal.h b/hw/arm/smmu-internal.h
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/hw/arm/smmu-internal.h
@@ -XXX,XX +XXX,XX @@
+/*
+ * ARM SMMU support - Internal API
+ *
+ * Copyright (c) 2017 Red Hat, Inc.
+ * Copyright (C) 2014-2016 Broadcom Corporation
+ * Written by Prem Mallappa, Eric Auger
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef HW_ARM_SMMU_INTERNAL_H
+#define HW_ARM_SMMU_INTERNAL_H
+
+#define TBI0(tbi) ((tbi) & 0x1)
+#define TBI1(tbi) ((tbi) & 0x2 >> 1)
+
+/* PTE Manipulation */
+
+#define ARM_LPAE_PTE_TYPE_SHIFT         0
+#define ARM_LPAE_PTE_TYPE_MASK          0x3
+
+#define ARM_LPAE_PTE_TYPE_BLOCK         1
+#define ARM_LPAE_PTE_TYPE_TABLE         3
+
+#define ARM_LPAE_L3_PTE_TYPE_RESERVED   1
+#define ARM_LPAE_L3_PTE_TYPE_PAGE       3
+
+#define ARM_LPAE_PTE_VALID              (1 << 0)
+
+#define PTE_ADDRESS(pte, shift) \
+    (extract64(pte, shift, 47 - shift + 1) << shift)
+
+#define is_invalid_pte(pte) (!(pte & ARM_LPAE_PTE_VALID))
+
+#define is_reserved_pte(pte, level)                                      \
+    ((level == 3) &&                                                     \
+     ((pte & ARM_LPAE_PTE_TYPE_MASK) == ARM_LPAE_L3_PTE_TYPE_RESERVED))
+
+#define is_block_pte(pte, level)                                         \
+    ((level < 3) &&                                                      \
+     ((pte & ARM_LPAE_PTE_TYPE_MASK) == ARM_LPAE_PTE_TYPE_BLOCK))
+
+#define is_table_pte(pte, level)                                        \
+    ((level < 3) &&                                                     \
+     ((pte & ARM_LPAE_PTE_TYPE_MASK) == ARM_LPAE_PTE_TYPE_TABLE))
+
+#define is_page_pte(pte, level)                                         \
+    ((level == 3) &&                                                    \
+     ((pte & ARM_LPAE_PTE_TYPE_MASK) == ARM_LPAE_L3_PTE_TYPE_PAGE))
+
+/* access permissions */
+
+#define PTE_AP(pte) \
+    (extract64(pte, 6, 2))
+
+#define PTE_APTABLE(pte) \
+    (extract64(pte, 61, 2))
+
+/*
+ * TODO: At the moment all transactions are considered as privileged (EL1)
+ * as IOMMU translation callback does not pass user/priv attributes.
+ */
+#define is_permission_fault(ap, perm) \
+    (((perm) & IOMMU_WO) && ((ap) & 0x2))
+
+#define PTE_AP_TO_PERM(ap) \
+    (IOMMU_ACCESS_FLAG(true, !((ap) & 0x2)))
+
+/* Level Indexing */
+
+static inline int level_shift(int level, int granule_sz)
+{
+    return granule_sz + (3 - level) * (granule_sz - 3);
+}
+
+static inline uint64_t level_page_mask(int level, int granule_sz)
+{
+    return ~(MAKE_64BIT_MASK(0, level_shift(level, granule_sz)));
+}
+
+static inline
+uint64_t iova_level_offset(uint64_t iova, int inputsize,
+                           int level, int gsz)
+{
+    return ((iova & MAKE_64BIT_MASK(0, inputsize)) >> level_shift(level, gsz)) &
+            MAKE_64BIT_MASK(0, gsz - 3);
+}
+
+#endif
diff --git a/include/hw/arm/smmu-common.h b/include/hw/arm/smmu-common.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/smmu-common.h
+++ b/include/hw/arm/smmu-common.h
@@ -XXX,XX +XXX,XX @@ static inline uint16_t smmu_get_sid(SMMUDevice *sdev)
 {
     return PCI_BUILD_BDF(pci_bus_num(sdev->bus), sdev->devfn);
 }
+
+/**
+ * smmu_ptw - Perform the page table walk for a given iova / access flags
+ * pair, according to @cfg translation config
+ */
+int smmu_ptw(SMMUTransCfg *cfg, dma_addr_t iova, IOMMUAccessFlags perm,
+             IOMMUTLBEntry *tlbe, SMMUPTWEventInfo *info);
+
+/**
+ * select_tt - compute which translation table shall be used according to
+ * the input iova and translation config and return the TT specific info
+ */
+SMMUTransTableInfo *select_tt(SMMUTransCfg *cfg, dma_addr_t iova);
+
 #endif  /* HW_ARM_SMMU_COMMON */
diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmu-common.c
+++ b/hw/arm/smmu-common.c
@@ -XXX,XX +XXX,XX @@
 
 #include "qemu/error-report.h"
 #include "hw/arm/smmu-common.h"
+#include "smmu-internal.h"
+
+/* VMSAv8-64 Translation */
+
+/**
+ * get_pte - Get the content of a page table entry located at
+ * @base_addr[@index]
+ */
+static int get_pte(dma_addr_t baseaddr, uint32_t index, uint64_t *pte,
+                   SMMUPTWEventInfo *info)
+{
+    int ret;
+    dma_addr_t addr = baseaddr + index * sizeof(*pte);
+
+    /* TODO: guarantee 64-bit single-copy atomicity */
+    ret = dma_memory_read(&address_space_memory, addr,
+                          (uint8_t *)pte, sizeof(*pte));
+
+    if (ret != MEMTX_OK) {
+        info->type = SMMU_PTW_ERR_WALK_EABT;
+        info->addr = addr;
+        return -EINVAL;
+    }
+    trace_smmu_get_pte(baseaddr, index, addr, *pte);
+    return 0;
+}
+
+/* VMSAv8-64 Translation Table Format Descriptor Decoding */
+
+/**
+ * get_page_pte_address - returns the L3 descriptor output address,
+ * ie. the page frame
+ * ARM ARM spec: Figure D4-17 VMSAv8-64 level 3 descriptor format
+ */
+static inline hwaddr get_page_pte_address(uint64_t pte, int granule_sz)
+{
+    return PTE_ADDRESS(pte, granule_sz);
+}
+
+/**
+ * get_table_pte_address - return table descriptor output address,
+ * ie. address of next level table
+ * ARM ARM Figure D4-16 VMSAv8-64 level0, level1, and level 2 descriptor formats
+ */
+static inline hwaddr get_table_pte_address(uint64_t pte, int granule_sz)
+{
+    return PTE_ADDRESS(pte, granule_sz);
+}
+
+/**
+ * get_block_pte_address - return block descriptor output address and block size
+ * ARM ARM Figure D4-16 VMSAv8-64 level0, level1, and level 2 descriptor formats
+ */
+static inline hwaddr get_block_pte_address(uint64_t pte, int level,
+                                           int granule_sz, uint64_t *bsz)
+{
+    int n = (granule_sz - 3) * (4 - level) + 3;
+
+    *bsz = 1 << n;
+    return PTE_ADDRESS(pte, n);
+}
+
+SMMUTransTableInfo *select_tt(SMMUTransCfg *cfg, dma_addr_t iova)
+{
+    bool tbi = extract64(iova, 55, 1) ? TBI1(cfg->tbi) : TBI0(cfg->tbi);
+    uint8_t tbi_byte = tbi * 8;
+
+    if (cfg->tt[0].tsz &&
+        !extract64(iova, 64 - cfg->tt[0].tsz, cfg->tt[0].tsz - tbi_byte)) {
+        /* there is a ttbr0 region and we are in it (high bits all zero) */
+        return &cfg->tt[0];
+    } else if (cfg->tt[1].tsz &&
+           !extract64(iova, 64 - cfg->tt[1].tsz, cfg->tt[1].tsz - tbi_byte)) {
+        /* there is a ttbr1 region and we are in it (high bits all one) */
+        return &cfg->tt[1];
+    } else if (!cfg->tt[0].tsz) {
+        /* ttbr0 region is "everything not in the ttbr1 region" */
+        return &cfg->tt[0];
+    } else if (!cfg->tt[1].tsz) {
+        /* ttbr1 region is "everything not in the ttbr0 region" */
+        return &cfg->tt[1];
+    }
+    /* in the gap between the two regions, this is a Translation fault */
+    return NULL;
+}
+
+/**
+ * smmu_ptw_64 - VMSAv8-64 Walk of the page tables for a given IOVA
+ * @cfg: translation config
+ * @iova: iova to translate
+ * @perm: access type
+ * @tlbe: IOMMUTLBEntry (out)
+ * @info: handle to an error info
+ *
+ * Return 0 on success, < 0 on error. In case of error, @info is filled
+ * and tlbe->perm is set to IOMMU_NONE.
+ * Upon success, @tlbe is filled with translated_addr and entry
+ * permission rights.
+ */
+static int smmu_ptw_64(SMMUTransCfg *cfg,
+                       dma_addr_t iova, IOMMUAccessFlags perm,
+                       IOMMUTLBEntry *tlbe, SMMUPTWEventInfo *info)
+{
+    dma_addr_t baseaddr, indexmask;
+    int stage = cfg->stage;
+    SMMUTransTableInfo *tt = select_tt(cfg, iova);
+    uint8_t level, granule_sz, inputsize, stride;
+
+    if (!tt || tt->disabled) {
+        info->type = SMMU_PTW_ERR_TRANSLATION;
+        goto error;
+    }
+
+    granule_sz = tt->granule_sz;
+    stride = granule_sz - 3;
+    inputsize = 64 - tt->tsz;
+    level = 4 - (inputsize - 4) / stride;
+    indexmask = (1ULL << (inputsize - (stride * (4 - level)))) - 1;
+    baseaddr = extract64(tt->ttb, 0, 48);
+    baseaddr &= ~indexmask;
+
+    tlbe->iova = iova;
+    tlbe->addr_mask = (1 << granule_sz) - 1;
+
+    while (level <= 3) {
+        uint64_t subpage_size = 1ULL << level_shift(level, granule_sz);
+        uint64_t mask = subpage_size - 1;
+        uint32_t offset = iova_level_offset(iova, inputsize, level, granule_sz);
+        uint64_t pte;
+        dma_addr_t pte_addr = baseaddr + offset * sizeof(pte);
+        uint8_t ap;
+
+        if (get_pte(baseaddr, offset, &pte, info)) {
+                goto error;
+        }
+        trace_smmu_ptw_level(level, iova, subpage_size,
+                             baseaddr, offset, pte);
+
+        if (is_invalid_pte(pte) || is_reserved_pte(pte, level)) {
+            trace_smmu_ptw_invalid_pte(stage, level, baseaddr,
+                                       pte_addr, offset, pte);
+            info->type = SMMU_PTW_ERR_TRANSLATION;
+            goto error;
+        }
+
+        if (is_page_pte(pte, level)) {
+            uint64_t gpa = get_page_pte_address(pte, granule_sz);
+
+            ap = PTE_AP(pte);
+            if (is_permission_fault(ap, perm)) {
+                info->type = SMMU_PTW_ERR_PERMISSION;
+                goto error;
+            }
+
+            tlbe->translated_addr = gpa + (iova & mask);
+            tlbe->perm = PTE_AP_TO_PERM(ap);
+            trace_smmu_ptw_page_pte(stage, level, iova,
+                                    baseaddr, pte_addr, pte, gpa);
+            return 0;
+        }
+        if (is_block_pte(pte, level)) {
+            uint64_t block_size;
+            hwaddr gpa = get_block_pte_address(pte, level, granule_sz,
+                                               &block_size);
+
+            ap = PTE_AP(pte);
+            if (is_permission_fault(ap, perm)) {
+                info->type = SMMU_PTW_ERR_PERMISSION;
+                goto error;
+            }
+
+            trace_smmu_ptw_block_pte(stage, level, baseaddr,
+                                     pte_addr, pte, iova, gpa,
+                                     block_size >> 20);
+
+            tlbe->translated_addr = gpa + (iova & mask);
+            tlbe->perm = PTE_AP_TO_PERM(ap);
+            return 0;
+        }
+
+        /* table pte */
+        ap = PTE_APTABLE(pte);
+
+        if (is_permission_fault(ap, perm)) {
+            info->type = SMMU_PTW_ERR_PERMISSION;
+            goto error;
+        }
+        baseaddr = get_table_pte_address(pte, granule_sz);
+        level++;
+    }
+
+    info->type = SMMU_PTW_ERR_TRANSLATION;
+
+error:
+    tlbe->perm = IOMMU_NONE;
+    return -EINVAL;
+}
+
+/**
+ * smmu_ptw - Walk the page tables for an IOVA, according to @cfg
+ *
+ * @cfg: translation configuration
+ * @iova: iova to translate
+ * @perm: tentative access type
+ * @tlbe: returned entry
+ * @info: ptw event handle
+ *
+ * return 0 on success
+ */
+inline int smmu_ptw(SMMUTransCfg *cfg, dma_addr_t iova, IOMMUAccessFlags perm,
+             IOMMUTLBEntry *tlbe, SMMUPTWEventInfo *info)
+{
+    if (!cfg->aa64) {
+        /*
+         * This code path is not entered as we check this while decoding
+         * the configuration data in the derived SMMU model.
+         */
+        g_assert_not_reached();
+    }
+
+    return smmu_ptw_64(cfg, iova, perm, tlbe, info);
+}
 
 /**
  * The bus number is used for lookup when SID based invalidation occurs.
diff --git a/hw/arm/trace-events b/hw/arm/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/trace-events
+++ b/hw/arm/trace-events
@@ -XXX,XX +XXX,XX @@
 virt_acpi_setup(void) "No fw cfg or ACPI disabled. Bailing out."
 
 # hw/arm/smmu-common.c
-smmu_add_mr(const char *name) "%s"
\ No newline at end of file
+smmu_add_mr(const char *name) "%s"
+smmu_page_walk(int stage, uint64_t baseaddr, int first_level, uint64_t start, uint64_t end) "stage=%d, baseaddr=0x%"PRIx64", first level=%d, start=0x%"PRIx64", end=0x%"PRIx64
+smmu_lookup_table(int level, uint64_t baseaddr, int granule_sz, uint64_t start, uint64_t end, int flags, uint64_t subpage_size) "level=%d baseaddr=0x%"PRIx64" granule=%d, start=0x%"PRIx64" end=0x%"PRIx64" flags=%d subpage_size=0x%"PRIx64
+smmu_ptw_level(int level, uint64_t iova, size_t subpage_size, uint64_t baseaddr, uint32_t offset, uint64_t pte) "level=%d iova=0x%"PRIx64" subpage_sz=0x%lx baseaddr=0x%"PRIx64" offset=%d => pte=0x%"PRIx64
+smmu_ptw_invalid_pte(int stage, int level, uint64_t baseaddr, uint64_t pteaddr, uint32_t offset, uint64_t pte) "stage=%d level=%d base@=0x%"PRIx64" pte@=0x%"PRIx64" offset=%d pte=0x%"PRIx64
+smmu_ptw_page_pte(int stage, int level,  uint64_t iova, uint64_t baseaddr, uint64_t pteaddr, uint64_t pte, uint64_t address) "stage=%d level=%d iova=0x%"PRIx64" base@=0x%"PRIx64" pte@=0x%"PRIx64" pte=0x%"PRIx64" page address = 0x%"PRIx64
+smmu_ptw_block_pte(int stage, int level, uint64_t baseaddr, uint64_t pteaddr, uint64_t pte, uint64_t iova, uint64_t gpa, int bsize_mb) "stage=%d level=%d base@=0x%"PRIx64" pte@=0x%"PRIx64" pte=0x%"PRIx64" iova=0x%"PRIx64" block address = 0x%"PRIx64" block size = %d MiB"
+smmu_get_pte(uint64_t baseaddr, int index, uint64_t pteaddr, uint64_t pte) "baseaddr=0x%"PRIx64" index=0x%x, pteaddr=0x%"PRIx64", pte=0x%"PRIx64
-- 
2.17.0

From: Prem Mallappa <prem.mallappa@broadcom.com>

This patch implements a skeleton for the smmuv3 device.
Datatypes and register definitions are introduced. The MMIO
region, the interrupts and the queue are initialized.

Only the MMIO read operation is implemented here.

Signed-off-by: Prem Mallappa <prem.mallappa@broadcom.com>
Signed-off-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1524665762-31355-5-git-send-email-eric.auger@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/Makefile.objs     |   2 +-
 hw/arm/smmuv3-internal.h | 142 +++++++++++++++
 include/hw/arm/smmuv3.h  |  87 ++++++++++
 hw/arm/smmuv3.c          | 366 +++++++++++++++++++++++++++++++++++++++
 hw/arm/trace-events      |   3 +
 5 files changed, 599 insertions(+), 1 deletion(-)
 create mode 100644 hw/arm/smmuv3-internal.h
 create mode 100644 include/hw/arm/smmuv3.h
 create mode 100644 hw/arm/smmuv3.c

diff --git a/hw/arm/Makefile.objs b/hw/arm/Makefile.objs
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/Makefile.objs
+++ b/hw/arm/Makefile.objs
@@ -XXX,XX +XXX,XX @@ obj-$(CONFIG_MPS2) += mps2-tz.o
 obj-$(CONFIG_MSF2) += msf2-soc.o msf2-som.o
 obj-$(CONFIG_IOTKIT) += iotkit.o
 obj-$(CONFIG_FSL_IMX7) += fsl-imx7.o mcimx7d-sabre.o
-obj-$(CONFIG_ARM_SMMUV3) += smmu-common.o
+obj-$(CONFIG_ARM_SMMUV3) += smmu-common.o smmuv3.o
diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/hw/arm/smmuv3-internal.h
@@ -XXX,XX +XXX,XX @@
+/*
+ * ARM SMMUv3 support - Internal API
+ *
+ * Copyright (C) 2014-2016 Broadcom Corporation
+ * Copyright (c) 2017 Red Hat, Inc.
+ * Written by Prem Mallappa, Eric Auger
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef HW_ARM_SMMU_V3_INTERNAL_H
+#define HW_ARM_SMMU_V3_INTERNAL_H
+
+#include "hw/arm/smmu-common.h"
+
+/* MMIO Registers */
+
+REG32(IDR0,                0x0)
+    FIELD(IDR0, S1P,         1 , 1)
+    FIELD(IDR0, TTF,         2 , 2)
+    FIELD(IDR0, COHACC,      4 , 1)
+    FIELD(IDR0, ASID16,      12, 1)
+    FIELD(IDR0, TTENDIAN,    21, 2)
+    FIELD(IDR0, STALL_MODEL, 24, 2)
+    FIELD(IDR0, TERM_MODEL,  26, 1)
+    FIELD(IDR0, STLEVEL,     27, 2)
+
+REG32(IDR1,                0x4)
+    FIELD(IDR1, SIDSIZE,      0 , 6)
+    FIELD(IDR1, EVENTQS,      16, 5)
+    FIELD(IDR1, CMDQS,        21, 5)
+
+#define SMMU_IDR1_SIDSIZE 16
+#define SMMU_CMDQS   19
+#define SMMU_EVENTQS 19
+
+REG32(IDR2,                0x8)
+REG32(IDR3,                0xc)
+REG32(IDR4,                0x10)
+REG32(IDR5,                0x14)
+     FIELD(IDR5, OAS,         0, 3);
+     FIELD(IDR5, GRAN4K,      4, 1);
+     FIELD(IDR5, GRAN16K,     5, 1);
+     FIELD(IDR5, GRAN64K,     6, 1);
+
+#define SMMU_IDR5_OAS 4
+
+REG32(IIDR,                0x1c)
+REG32(CR0,                 0x20)
+    FIELD(CR0, SMMU_ENABLE,   0, 1)
+    FIELD(CR0, EVENTQEN,      2, 1)
+    FIELD(CR0, CMDQEN,        3, 1)
+
+REG32(CR0ACK,              0x24)
+REG32(CR1,                 0x28)
+REG32(CR2,                 0x2c)
+REG32(STATUSR,             0x40)
+REG32(IRQ_CTRL,            0x50)
+    FIELD(IRQ_CTRL, GERROR_IRQEN,        0, 1)
+    FIELD(IRQ_CTRL, PRI_IRQEN,           1, 1)
+    FIELD(IRQ_CTRL, EVENTQ_IRQEN,        2, 1)
+
+REG32(IRQ_CTRL_ACK,        0x54)
+REG32(GERROR,              0x60)
+    FIELD(GERROR, CMDQ_ERR,           0, 1)
+    FIELD(GERROR, EVENTQ_ABT_ERR,     2, 1)
+    FIELD(GERROR, PRIQ_ABT_ERR,       3, 1)
+    FIELD(GERROR, MSI_CMDQ_ABT_ERR,   4, 1)
+    FIELD(GERROR, MSI_EVENTQ_ABT_ERR, 5, 1)
+    FIELD(GERROR, MSI_PRIQ_ABT_ERR,   6, 1)
+    FIELD(GERROR, MSI_GERROR_ABT_ERR, 7, 1)
+    FIELD(GERROR, MSI_SFM_ERR,        8, 1)
+
+REG32(GERRORN,             0x64)
+
+#define A_GERROR_IRQ_CFG0  0x68 /* 64b */
+REG32(GERROR_IRQ_CFG1, 0x70)
+REG32(GERROR_IRQ_CFG2, 0x74)
+
+#define A_STRTAB_BASE      0x80 /* 64b */
+
+#define SMMU_BASE_ADDR_MASK 0xffffffffffe0
+
+REG32(STRTAB_BASE_CFG,     0x88)
+    FIELD(STRTAB_BASE_CFG, FMT,      16, 2)
+    FIELD(STRTAB_BASE_CFG, SPLIT,    6 , 5)
+    FIELD(STRTAB_BASE_CFG, LOG2SIZE, 0 , 6)
+
+#define A_CMDQ_BASE        0x90 /* 64b */
+REG32(CMDQ_PROD,           0x98)
+REG32(CMDQ_CONS,           0x9c)
+    FIELD(CMDQ_CONS, ERR, 24, 7)
+
+#define A_EVENTQ_BASE      0xa0 /* 64b */
+REG32(EVENTQ_PROD,         0xa8)
+REG32(EVENTQ_CONS,         0xac)
+
+#define A_EVENTQ_IRQ_CFG0  0xb0 /* 64b */
+REG32(EVENTQ_IRQ_CFG1,     0xb8)
+REG32(EVENTQ_IRQ_CFG2,     0xbc)
+
+#define A_IDREGS           0xfd0
+
+static inline int smmu_enabled(SMMUv3State *s)
+{
+    return FIELD_EX32(s->cr[0], CR0, SMMU_ENABLE);
+}
+
+/* Command Queue Entry */
+typedef struct Cmd {
+    uint32_t word[4];
+} Cmd;
+
+/* Event Queue Entry */
+typedef struct Evt  {
+    uint32_t word[8];
+} Evt;
+
+static inline uint32_t smmuv3_idreg(int regoffset)
+{
+    /*
+     * Return the value of the Primecell/Corelink ID registers at the
+     * specified offset from the first ID register.
+     * These value indicate an ARM implementation of MMU600 p1
+     */
+    static const uint8_t smmuv3_ids[] = {
+        0x04, 0, 0, 0, 0x84, 0xB4, 0xF0, 0x10, 0x0D, 0xF0, 0x05, 0xB1
+    };
+    return smmuv3_ids[regoffset / 4];
+}
+
+#endif
diff --git a/include/hw/arm/smmuv3.h b/include/hw/arm/smmuv3.h
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/include/hw/arm/smmuv3.h
@@ -XXX,XX +XXX,XX @@
+/*
+ * Copyright (C) 2014-2016 Broadcom Corporation
+ * Copyright (c) 2017 Red Hat, Inc.
+ * Written by Prem Mallappa, Eric Auger
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef HW_ARM_SMMUV3_H
+#define HW_ARM_SMMUV3_H
+
+#include "hw/arm/smmu-common.h"
+#include "hw/registerfields.h"
+
+#define TYPE_SMMUV3_IOMMU_MEMORY_REGION "smmuv3-iommu-memory-region"
+
+typedef struct SMMUQueue {
+     uint64_t base; /* base register */
+     uint32_t prod;
+     uint32_t cons;
+     uint8_t entry_size;
+     uint8_t log2size;
+} SMMUQueue;
+
+typedef struct SMMUv3State {
+    SMMUState     smmu_state;
+
+    uint32_t features;
+    uint8_t sid_size;
+    uint8_t sid_split;
+
+    uint32_t idr[6];
+    uint32_t iidr;
+    uint32_t cr[3];
+    uint32_t cr0ack;
+    uint32_t statusr;
+    uint32_t irq_ctrl;
+    uint32_t gerror;
+    uint32_t gerrorn;
+    uint64_t gerror_irq_cfg0;
+    uint32_t gerror_irq_cfg1;
+    uint32_t gerror_irq_cfg2;
+    uint64_t strtab_base;
+    uint32_t strtab_base_cfg;
+    uint64_t eventq_irq_cfg0;
+    uint32_t eventq_irq_cfg1;
+    uint32_t eventq_irq_cfg2;
+
+    SMMUQueue eventq, cmdq;
+
+    qemu_irq     irq[4];
+} SMMUv3State;
+
+typedef enum {
+    SMMU_IRQ_EVTQ,
+    SMMU_IRQ_PRIQ,
+    SMMU_IRQ_CMD_SYNC,
+    SMMU_IRQ_GERROR,
+} SMMUIrq;
+
+typedef struct {
+    /*< private >*/
+    SMMUBaseClass smmu_base_class;
+    /*< public >*/
+
+    DeviceRealize parent_realize;
+    DeviceReset   parent_reset;
+} SMMUv3Class;
+
+#define TYPE_ARM_SMMUV3   "arm-smmuv3"
+#define ARM_SMMUV3(obj) OBJECT_CHECK(SMMUv3State, (obj), TYPE_ARM_SMMUV3)
+#define ARM_SMMUV3_CLASS(klass)                              \
+    OBJECT_CLASS_CHECK(SMMUv3Class, (klass), TYPE_ARM_SMMUV3)
+#define ARM_SMMUV3_GET_CLASS(obj) \
+     OBJECT_GET_CLASS(SMMUv3Class, (obj), TYPE_ARM_SMMUV3)
+
+#endif
diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * Copyright (C) 2014-2016 Broadcom Corporation
+ * Copyright (c) 2017 Red Hat, Inc.
+ * Written by Prem Mallappa, Eric Auger
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "qemu/osdep.h"
+#include "hw/boards.h"
+#include "sysemu/sysemu.h"
+#include "hw/sysbus.h"
+#include "hw/qdev-core.h"
+#include "hw/pci/pci.h"
+#include "exec/address-spaces.h"
+#include "trace.h"
+#include "qemu/log.h"
+#include "qemu/error-report.h"
+#include "qapi/error.h"
+
+#include "hw/arm/smmuv3.h"
+#include "smmuv3-internal.h"
+
+static void smmuv3_init_regs(SMMUv3State *s)
+{
+    /**
+     * IDR0: stage1 only, AArch64 only, coherent access, 16b ASID,
+     *       multi-level stream table
+     */
+    s->idr[0] = FIELD_DP32(s->idr[0], IDR0, S1P, 1); /* stage 1 supported */
+    s->idr[0] = FIELD_DP32(s->idr[0], IDR0, TTF, 2); /* AArch64 PTW only */
+    s->idr[0] = FIELD_DP32(s->idr[0], IDR0, COHACC, 1); /* IO coherent */
+    s->idr[0] = FIELD_DP32(s->idr[0], IDR0, ASID16, 1); /* 16-bit ASID */
+    s->idr[0] = FIELD_DP32(s->idr[0], IDR0, TTENDIAN, 2); /* little endian */
+    s->idr[0] = FIELD_DP32(s->idr[0], IDR0, STALL_MODEL, 1); /* No stall */
+    /* terminated transaction will always be aborted/error returned */
+    s->idr[0] = FIELD_DP32(s->idr[0], IDR0, TERM_MODEL, 1);
+    /* 2-level stream table supported */
+    s->idr[0] = FIELD_DP32(s->idr[0], IDR0, STLEVEL, 1);
+
+    s->idr[1] = FIELD_DP32(s->idr[1], IDR1, SIDSIZE, SMMU_IDR1_SIDSIZE);
+    s->idr[1] = FIELD_DP32(s->idr[1], IDR1, EVENTQS, SMMU_EVENTQS);
+    s->idr[1] = FIELD_DP32(s->idr[1], IDR1, CMDQS,   SMMU_CMDQS);
+
+   /* 4K and 64K granule support */
+    s->idr[5] = FIELD_DP32(s->idr[5], IDR5, GRAN4K, 1);
+    s->idr[5] = FIELD_DP32(s->idr[5], IDR5, GRAN64K, 1);
+    s->idr[5] = FIELD_DP32(s->idr[5], IDR5, OAS, SMMU_IDR5_OAS); /* 44 bits */
+
+    s->cmdq.base = deposit64(s->cmdq.base, 0, 5, SMMU_CMDQS);
+    s->cmdq.prod = 0;
+    s->cmdq.cons = 0;
+    s->cmdq.entry_size = sizeof(struct Cmd);
+    s->eventq.base = deposit64(s->eventq.base, 0, 5, SMMU_EVENTQS);
+    s->eventq.prod = 0;
+    s->eventq.cons = 0;
+    s->eventq.entry_size = sizeof(struct Evt);
+
+    s->features = 0;
+    s->sid_split = 0;
+}
+
+static MemTxResult smmu_write_mmio(void *opaque, hwaddr offset, uint64_t data,
+                                   unsigned size, MemTxAttrs attrs)
+{
+    /* not yet implemented */
+    return MEMTX_ERROR;
+}
+
+static MemTxResult smmu_readll(SMMUv3State *s, hwaddr offset,
+                               uint64_t *data, MemTxAttrs attrs)
+{
+    switch (offset) {
+    case A_GERROR_IRQ_CFG0:
+        *data = s->gerror_irq_cfg0;
+        return MEMTX_OK;
+    case A_STRTAB_BASE:
+        *data = s->strtab_base;
+        return MEMTX_OK;
+    case A_CMDQ_BASE:
+        *data = s->cmdq.base;
+        return MEMTX_OK;
+    case A_EVENTQ_BASE:
+        *data = s->eventq.base;
+        return MEMTX_OK;
+    default:
+        *data = 0;
+        qemu_log_mask(LOG_UNIMP,
+                      "%s Unexpected 64-bit access to 0x%"PRIx64" (RAZ)\n",
+                      __func__, offset);
+        return MEMTX_OK;
+    }
+}
+
+static MemTxResult smmu_readl(SMMUv3State *s, hwaddr offset,
+                              uint64_t *data, MemTxAttrs attrs)
+{
+    switch (offset) {
+    case A_IDREGS ... A_IDREGS + 0x1f:
+        *data = smmuv3_idreg(offset - A_IDREGS);
+        return MEMTX_OK;
+    case A_IDR0 ... A_IDR5:
+        *data = s->idr[(offset - A_IDR0) / 4];
+        return MEMTX_OK;
+    case A_IIDR:
+        *data = s->iidr;
+        return MEMTX_OK;
+    case A_CR0:
+        *data = s->cr[0];
+        return MEMTX_OK;
+    case A_CR0ACK:
+        *data = s->cr0ack;
+        return MEMTX_OK;
+    case A_CR1:
+        *data = s->cr[1];
+        return MEMTX_OK;
+    case A_CR2:
+        *data = s->cr[2];
+        return MEMTX_OK;
+    case A_STATUSR:
+        *data = s->statusr;
+        return MEMTX_OK;
+    case A_IRQ_CTRL:
+    case A_IRQ_CTRL_ACK:
+        *data = s->irq_ctrl;
+        return MEMTX_OK;
+    case A_GERROR:
+        *data = s->gerror;
+        return MEMTX_OK;
+    case A_GERRORN:
+        *data = s->gerrorn;
+        return MEMTX_OK;
+    case A_GERROR_IRQ_CFG0: /* 64b */
+        *data = extract64(s->gerror_irq_cfg0, 0, 32);
+        return MEMTX_OK;
+    case A_GERROR_IRQ_CFG0 + 4:
+        *data = extract64(s->gerror_irq_cfg0, 32, 32);
+        return MEMTX_OK;
+    case A_GERROR_IRQ_CFG1:
+        *data = s->gerror_irq_cfg1;
+        return MEMTX_OK;
+    case A_GERROR_IRQ_CFG2:
+        *data = s->gerror_irq_cfg2;
+        return MEMTX_OK;
+    case A_STRTAB_BASE: /* 64b */
+        *data = extract64(s->strtab_base, 0, 32);
+        return MEMTX_OK;
+    case A_STRTAB_BASE + 4: /* 64b */
+        *data = extract64(s->strtab_base, 32, 32);
+        return MEMTX_OK;
+    case A_STRTAB_BASE_CFG:
+        *data = s->strtab_base_cfg;
+        return MEMTX_OK;
+    case A_CMDQ_BASE: /* 64b */
+        *data = extract64(s->cmdq.base, 0, 32);
+        return MEMTX_OK;
+    case A_CMDQ_BASE + 4:
+        *data = extract64(s->cmdq.base, 32, 32);
+        return MEMTX_OK;
+    case A_CMDQ_PROD:
+        *data = s->cmdq.prod;
+        return MEMTX_OK;
+    case A_CMDQ_CONS:
+        *data = s->cmdq.cons;
+        return MEMTX_OK;
+    case A_EVENTQ_BASE: /* 64b */
+        *data = extract64(s->eventq.base, 0, 32);
+        return MEMTX_OK;
+    case A_EVENTQ_BASE + 4: /* 64b */
+        *data = extract64(s->eventq.base, 32, 32);
+        return MEMTX_OK;
+    case A_EVENTQ_PROD:
+        *data = s->eventq.prod;
+        return MEMTX_OK;
+    case A_EVENTQ_CONS:
+        *data = s->eventq.cons;
+        return MEMTX_OK;
+    default:
+        *data = 0;
+        qemu_log_mask(LOG_UNIMP,
+                      "%s unhandled 32-bit access at 0x%"PRIx64" (RAZ)\n",
+                      __func__, offset);
+        return MEMTX_OK;
+    }
+}
+
+static MemTxResult smmu_read_mmio(void *opaque, hwaddr offset, uint64_t *data,
+                                  unsigned size, MemTxAttrs attrs)
+{
+    SMMUState *sys = opaque;
+    SMMUv3State *s = ARM_SMMUV3(sys);
+    MemTxResult r;
+
+    /* CONSTRAINED UNPREDICTABLE choice to have page0/1 be exact aliases */
+    offset &= ~0x10000;
+
+    switch (size) {
+    case 8:
+        r = smmu_readll(s, offset, data, attrs);
+        break;
+    case 4:
+        r = smmu_readl(s, offset, data, attrs);
+        break;
+    default:
+        r = MEMTX_ERROR;
+        break;
+    }
+
+    trace_smmuv3_read_mmio(offset, *data, size, r);
+    return r;
+}
+
+static const MemoryRegionOps smmu_mem_ops = {
+    .read_with_attrs = smmu_read_mmio,
+    .write_with_attrs = smmu_write_mmio,
+    .endianness = DEVICE_LITTLE_ENDIAN,
+    .valid = {
+        .min_access_size = 4,
+        .max_access_size = 8,
+    },
+    .impl = {
+        .min_access_size = 4,
+        .max_access_size = 8,
+    },
+};
+
+static void smmu_init_irq(SMMUv3State *s, SysBusDevice *dev)
+{
+    int i;
+
+    for (i = 0; i < ARRAY_SIZE(s->irq); i++) {
+        sysbus_init_irq(dev, &s->irq[i]);
+    }
+}
+
+static void smmu_reset(DeviceState *dev)
+{
+    SMMUv3State *s = ARM_SMMUV3(dev);
+    SMMUv3Class *c = ARM_SMMUV3_GET_CLASS(s);
+
+    c->parent_reset(dev);
+
+    smmuv3_init_regs(s);
+}
+
+static void smmu_realize(DeviceState *d, Error **errp)
+{
+    SMMUState *sys = ARM_SMMU(d);
+    SMMUv3State *s = ARM_SMMUV3(sys);
+    SMMUv3Class *c = ARM_SMMUV3_GET_CLASS(s);
+    SysBusDevice *dev = SYS_BUS_DEVICE(d);
+    Error *local_err = NULL;
+
+    c->parent_realize(d, &local_err);
+    if (local_err) {
+        error_propagate(errp, local_err);
+        return;
+    }
+
+    memory_region_init_io(&sys->iomem, OBJECT(s),
+                          &smmu_mem_ops, sys, TYPE_ARM_SMMUV3, 0x20000);
+
+    sys->mrtypename = TYPE_SMMUV3_IOMMU_MEMORY_REGION;
+
+    sysbus_init_mmio(dev, &sys->iomem);
+
+    smmu_init_irq(s, dev);
+}
+
+static const VMStateDescription vmstate_smmuv3_queue = {
+    .name = "smmuv3_queue",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .fields = (VMStateField[]) {
+        VMSTATE_UINT64(base, SMMUQueue),
+        VMSTATE_UINT32(prod, SMMUQueue),
+        VMSTATE_UINT32(cons, SMMUQueue),
+        VMSTATE_UINT8(log2size, SMMUQueue),
+    },
+};
+
+static const VMStateDescription vmstate_smmuv3 = {
+    .name = "smmuv3",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .fields = (VMStateField[]) {
+        VMSTATE_UINT32(features, SMMUv3State),
+        VMSTATE_UINT8(sid_size, SMMUv3State),
+        VMSTATE_UINT8(sid_split, SMMUv3State),
+
+        VMSTATE_UINT32_ARRAY(cr, SMMUv3State, 3),
+        VMSTATE_UINT32(cr0ack, SMMUv3State),
+        VMSTATE_UINT32(statusr, SMMUv3State),
+        VMSTATE_UINT32(irq_ctrl, SMMUv3State),
+        VMSTATE_UINT32(gerror, SMMUv3State),
+        VMSTATE_UINT32(gerrorn, SMMUv3State),
+        VMSTATE_UINT64(gerror_irq_cfg0, SMMUv3State),
+        VMSTATE_UINT32(gerror_irq_cfg1, SMMUv3State),
+        VMSTATE_UINT32(gerror_irq_cfg2, SMMUv3State),
+        VMSTATE_UINT64(strtab_base, SMMUv3State),
+        VMSTATE_UINT32(strtab_base_cfg, SMMUv3State),
+        VMSTATE_UINT64(eventq_irq_cfg0, SMMUv3State),
+        VMSTATE_UINT32(eventq_irq_cfg1, SMMUv3State),
+        VMSTATE_UINT32(eventq_irq_cfg2, SMMUv3State),
+
+        VMSTATE_STRUCT(cmdq, SMMUv3State, 0, vmstate_smmuv3_queue, SMMUQueue),
+        VMSTATE_STRUCT(eventq, SMMUv3State, 0, vmstate_smmuv3_queue, SMMUQueue),
+
+        VMSTATE_END_OF_LIST(),
+    },
+};
+
+static void smmuv3_instance_init(Object *obj)
+{
+    /* Nothing much to do here as of now */
+}
+
+static void smmuv3_class_init(ObjectClass *klass, void *data)
+{
+    DeviceClass *dc = DEVICE_CLASS(klass);
+    SMMUv3Class *c = ARM_SMMUV3_CLASS(klass);
+
+    dc->vmsd = &vmstate_smmuv3;
+    device_class_set_parent_reset(dc, smmu_reset, &c->parent_reset);
+    c->parent_realize = dc->realize;
+    dc->realize = smmu_realize;
+}
+
+static void smmuv3_iommu_memory_region_class_init(ObjectClass *klass,
+                                                  void *data)
+{
+}
+
+static const TypeInfo smmuv3_type_info = {
+    .name          = TYPE_ARM_SMMUV3,
+    .parent        = TYPE_ARM_SMMU,
+    .instance_size = sizeof(SMMUv3State),
+    .instance_init = smmuv3_instance_init,
+    .class_size    = sizeof(SMMUv3Class),
+    .class_init    = smmuv3_class_init,
+};
+
+static const TypeInfo smmuv3_iommu_memory_region_info = {
+    .parent = TYPE_IOMMU_MEMORY_REGION,
+    .name = TYPE_SMMUV3_IOMMU_MEMORY_REGION,
+    .class_init = smmuv3_iommu_memory_region_class_init,
+};
+
+static void smmuv3_register_types(void)
+{
+    type_register(&smmuv3_type_info);
+    type_register(&smmuv3_iommu_memory_region_info);
+}
+
+type_init(smmuv3_register_types)
+
diff --git a/hw/arm/trace-events b/hw/arm/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/trace-events
+++ b/hw/arm/trace-events
@@ -XXX,XX +XXX,XX @@ smmu_ptw_invalid_pte(int stage, int level, uint64_t baseaddr, uint64_t pteaddr,
 smmu_ptw_page_pte(int stage, int level,  uint64_t iova, uint64_t baseaddr, uint64_t pteaddr, uint64_t pte, uint64_t address) "stage=%d level=%d iova=0x%"PRIx64" base@=0x%"PRIx64" pte@=0x%"PRIx64" pte=0x%"PRIx64" page address = 0x%"PRIx64
 smmu_ptw_block_pte(int stage, int level, uint64_t baseaddr, uint64_t pteaddr, uint64_t pte, uint64_t iova, uint64_t gpa, int bsize_mb) "stage=%d level=%d base@=0x%"PRIx64" pte@=0x%"PRIx64" pte=0x%"PRIx64" iova=0x%"PRIx64" block address = 0x%"PRIx64" block size = %d MiB"
 smmu_get_pte(uint64_t baseaddr, int index, uint64_t pteaddr, uint64_t pte) "baseaddr=0x%"PRIx64" index=0x%x, pteaddr=0x%"PRIx64", pte=0x%"PRIx64
+
+#hw/arm/smmuv3.c
+smmuv3_read_mmio(uint64_t addr, uint64_t val, unsigned size, uint32_t r) "addr: 0x%"PRIx64" val:0x%"PRIx64" size: 0x%x(%d)"
-- 
2.17.0

From: Eric Auger <eric.auger@redhat.com>

We introduce some helpers to handle wired IRQs and especially
GERROR interrupt. SMMU writes GERROR register on GERROR event
and SW acks GERROR interrupts by setting GERRORn.

The Wired interrupts are edge sensitive hence the pulse usage.

Signed-off-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Prem Mallappa <prem.mallappa@broadcom.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1524665762-31355-6-git-send-email-eric.auger@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/smmuv3-internal.h | 14 +++++++++
 hw/arm/smmuv3.c          | 64 ++++++++++++++++++++++++++++++++++++++++
 hw/arm/trace-events      |  3 ++
 3 files changed, 81 insertions(+)

diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3-internal.h
+++ b/hw/arm/smmuv3-internal.h
@@ -XXX,XX +XXX,XX @@ static inline uint32_t smmuv3_idreg(int regoffset)
     return smmuv3_ids[regoffset / 4];
 }
 
+static inline bool smmuv3_eventq_irq_enabled(SMMUv3State *s)
+{
+    return FIELD_EX32(s->irq_ctrl, IRQ_CTRL, EVENTQ_IRQEN);
+}
+
+static inline bool smmuv3_gerror_irq_enabled(SMMUv3State *s)
+{
+    return FIELD_EX32(s->irq_ctrl, IRQ_CTRL, GERROR_IRQEN);
+}
+
+/* public until callers get introduced */
+void smmuv3_trigger_irq(SMMUv3State *s, SMMUIrq irq, uint32_t gerror_mask);
+void smmuv3_write_gerrorn(SMMUv3State *s, uint32_t gerrorn);
+
 #endif
diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/arm/smmuv3.h"
 #include "smmuv3-internal.h"
 
+/**
+ * smmuv3_trigger_irq - pulse @irq if enabled and update
+ * GERROR register in case of GERROR interrupt
+ *
+ * @irq: irq type
+ * @gerror_mask: mask of gerrors to toggle (relevant if @irq is GERROR)
+ */
+void smmuv3_trigger_irq(SMMUv3State *s, SMMUIrq irq, uint32_t gerror_mask)
+{
+
+    bool pulse = false;
+
+    switch (irq) {
+    case SMMU_IRQ_EVTQ:
+        pulse = smmuv3_eventq_irq_enabled(s);
+        break;
+    case SMMU_IRQ_PRIQ:
+        qemu_log_mask(LOG_UNIMP, "PRI not yet supported\n");
+        break;
+    case SMMU_IRQ_CMD_SYNC:
+        pulse = true;
+        break;
+    case SMMU_IRQ_GERROR:
+    {
+        uint32_t pending = s->gerror ^ s->gerrorn;
+        uint32_t new_gerrors = ~pending & gerror_mask;
+
+        if (!new_gerrors) {
+            /* only toggle non pending errors */
+            return;
+        }
+        s->gerror ^= new_gerrors;
+        trace_smmuv3_write_gerror(new_gerrors, s->gerror);
+
+        pulse = smmuv3_gerror_irq_enabled(s);
+        break;
+    }
+    }
+    if (pulse) {
+            trace_smmuv3_trigger_irq(irq);
+            qemu_irq_pulse(s->irq[irq]);
+    }
+}
+
+void smmuv3_write_gerrorn(SMMUv3State *s, uint32_t new_gerrorn)
+{
+    uint32_t pending = s->gerror ^ s->gerrorn;
+    uint32_t toggled = s->gerrorn ^ new_gerrorn;
+
+    if (toggled & ~pending) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "guest toggles non pending errors = 0x%x\n",
+                      toggled & ~pending);
+    }
+
+    /*
+     * We do not raise any error in case guest toggles bits corresponding
+     * to not active IRQs (CONSTRAINED UNPREDICTABLE)
+     */
+    s->gerrorn = new_gerrorn;
+
+    trace_smmuv3_write_gerrorn(toggled & pending, s->gerrorn);
+}
+
 static void smmuv3_init_regs(SMMUv3State *s)
 {
     /**
diff --git a/hw/arm/trace-events b/hw/arm/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/trace-events
+++ b/hw/arm/trace-events
@@ -XXX,XX +XXX,XX @@ smmu_get_pte(uint64_t baseaddr, int index, uint64_t pteaddr, uint64_t pte) "base
 
 #hw/arm/smmuv3.c
 smmuv3_read_mmio(uint64_t addr, uint64_t val, unsigned size, uint32_t r) "addr: 0x%"PRIx64" val:0x%"PRIx64" size: 0x%x(%d)"
+smmuv3_trigger_irq(int irq) "irq=%d"
+smmuv3_write_gerror(uint32_t toggled, uint32_t gerror) "toggled=0x%x, new GERROR=0x%x"
+smmuv3_write_gerrorn(uint32_t acked, uint32_t gerrorn) "acked=0x%x, new GERRORN=0x%x"
-- 
2.17.0

From: Eric Auger <eric.auger@redhat.com>

We introduce helpers to read/write into the command and event
circular queues.

smmuv3_write_eventq and smmuv3_cmq_consume will become static
in subsequent patches.

Invalidation commands are not yet dealt with. We do not cache
data that need to be invalidated. This will change with vhost
integration.

Signed-off-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Prem Mallappa <prem.mallappa@broadcom.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1524665762-31355-7-git-send-email-eric.auger@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/smmuv3-internal.h | 163 +++++++++++++++++++++++++++++++++++++++
 hw/arm/smmuv3.c          | 136 ++++++++++++++++++++++++++++++++
 hw/arm/trace-events      |   5 ++
 3 files changed, 304 insertions(+)

diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3-internal.h
+++ b/hw/arm/smmuv3-internal.h
@@ -XXX,XX +XXX,XX @@ static inline bool smmuv3_gerror_irq_enabled(SMMUv3State *s)
 void smmuv3_trigger_irq(SMMUv3State *s, SMMUIrq irq, uint32_t gerror_mask);
 void smmuv3_write_gerrorn(SMMUv3State *s, uint32_t gerrorn);
 
+/* Queue Handling */
+
+#define Q_BASE(q)          ((q)->base & SMMU_BASE_ADDR_MASK)
+#define WRAP_MASK(q)       (1 << (q)->log2size)
+#define INDEX_MASK(q)      (((1 << (q)->log2size)) - 1)
+#define WRAP_INDEX_MASK(q) ((1 << ((q)->log2size + 1)) - 1)
+
+#define Q_CONS(q) ((q)->cons & INDEX_MASK(q))
+#define Q_PROD(q) ((q)->prod & INDEX_MASK(q))
+
+#define Q_CONS_ENTRY(q)  (Q_BASE(q) + (q)->entry_size * Q_CONS(q))
+#define Q_PROD_ENTRY(q)  (Q_BASE(q) + (q)->entry_size * Q_PROD(q))
+
+#define Q_CONS_WRAP(q) (((q)->cons & WRAP_MASK(q)) >> (q)->log2size)
+#define Q_PROD_WRAP(q) (((q)->prod & WRAP_MASK(q)) >> (q)->log2size)
+
+static inline bool smmuv3_q_full(SMMUQueue *q)
+{
+    return ((q->cons ^ q->prod) & WRAP_INDEX_MASK(q)) == WRAP_MASK(q);
+}
+
+static inline bool smmuv3_q_empty(SMMUQueue *q)
+{
+    return (q->cons & WRAP_INDEX_MASK(q)) == (q->prod & WRAP_INDEX_MASK(q));
+}
+
+static inline void queue_prod_incr(SMMUQueue *q)
+{
+    q->prod = (q->prod + 1) & WRAP_INDEX_MASK(q);
+}
+
+static inline void queue_cons_incr(SMMUQueue *q)
+{
+    /*
+     * We have to use deposit for the CONS registers to preserve
+     * the ERR field in the high bits.
+     */
+    q->cons = deposit32(q->cons, 0, q->log2size + 1, q->cons + 1);
+}
+
+static inline bool smmuv3_cmdq_enabled(SMMUv3State *s)
+{
+    return FIELD_EX32(s->cr[0], CR0, CMDQEN);
+}
+
+static inline bool smmuv3_eventq_enabled(SMMUv3State *s)
+{
+    return FIELD_EX32(s->cr[0], CR0, EVENTQEN);
+}
+
+static inline void smmu_write_cmdq_err(SMMUv3State *s, uint32_t err_type)
+{
+    s->cmdq.cons = FIELD_DP32(s->cmdq.cons, CMDQ_CONS, ERR, err_type);
+}
+
+void smmuv3_write_eventq(SMMUv3State *s, Evt *evt);
+
+/* Commands */
+
+typedef enum SMMUCommandType {
+    SMMU_CMD_NONE            = 0x00,
+    SMMU_CMD_PREFETCH_CONFIG       ,
+    SMMU_CMD_PREFETCH_ADDR,
+    SMMU_CMD_CFGI_STE,
+    SMMU_CMD_CFGI_STE_RANGE,
+    SMMU_CMD_CFGI_CD,
+    SMMU_CMD_CFGI_CD_ALL,
+    SMMU_CMD_CFGI_ALL,
+    SMMU_CMD_TLBI_NH_ALL     = 0x10,
+    SMMU_CMD_TLBI_NH_ASID,
+    SMMU_CMD_TLBI_NH_VA,
+    SMMU_CMD_TLBI_NH_VAA,
+    SMMU_CMD_TLBI_EL3_ALL    = 0x18,
+    SMMU_CMD_TLBI_EL3_VA     = 0x1a,
+    SMMU_CMD_TLBI_EL2_ALL    = 0x20,
+    SMMU_CMD_TLBI_EL2_ASID,
+    SMMU_CMD_TLBI_EL2_VA,
+    SMMU_CMD_TLBI_EL2_VAA,
+    SMMU_CMD_TLBI_S12_VMALL  = 0x28,
+    SMMU_CMD_TLBI_S2_IPA     = 0x2a,
+    SMMU_CMD_TLBI_NSNH_ALL   = 0x30,
+    SMMU_CMD_ATC_INV         = 0x40,
+    SMMU_CMD_PRI_RESP,
+    SMMU_CMD_RESUME          = 0x44,
+    SMMU_CMD_STALL_TERM,
+    SMMU_CMD_SYNC,
+} SMMUCommandType;
+
+static const char *cmd_stringify[] = {
+    [SMMU_CMD_PREFETCH_CONFIG] = "SMMU_CMD_PREFETCH_CONFIG",
+    [SMMU_CMD_PREFETCH_ADDR]   = "SMMU_CMD_PREFETCH_ADDR",
+    [SMMU_CMD_CFGI_STE]        = "SMMU_CMD_CFGI_STE",
+    [SMMU_CMD_CFGI_STE_RANGE]  = "SMMU_CMD_CFGI_STE_RANGE",
+    [SMMU_CMD_CFGI_CD]         = "SMMU_CMD_CFGI_CD",
+    [SMMU_CMD_CFGI_CD_ALL]     = "SMMU_CMD_CFGI_CD_ALL",
+    [SMMU_CMD_CFGI_ALL]        = "SMMU_CMD_CFGI_ALL",
+    [SMMU_CMD_TLBI_NH_ALL]     = "SMMU_CMD_TLBI_NH_ALL",
+    [SMMU_CMD_TLBI_NH_ASID]    = "SMMU_CMD_TLBI_NH_ASID",
+    [SMMU_CMD_TLBI_NH_VA]      = "SMMU_CMD_TLBI_NH_VA",
+    [SMMU_CMD_TLBI_NH_VAA]     = "SMMU_CMD_TLBI_NH_VAA",
+    [SMMU_CMD_TLBI_EL3_ALL]    = "SMMU_CMD_TLBI_EL3_ALL",
+    [SMMU_CMD_TLBI_EL3_VA]     = "SMMU_CMD_TLBI_EL3_VA",
+    [SMMU_CMD_TLBI_EL2_ALL]    = "SMMU_CMD_TLBI_EL2_ALL",
+    [SMMU_CMD_TLBI_EL2_ASID]   = "SMMU_CMD_TLBI_EL2_ASID",
+    [SMMU_CMD_TLBI_EL2_VA]     = "SMMU_CMD_TLBI_EL2_VA",
+    [SMMU_CMD_TLBI_EL2_VAA]    = "SMMU_CMD_TLBI_EL2_VAA",
+    [SMMU_CMD_TLBI_S12_VMALL]  = "SMMU_CMD_TLBI_S12_VMALL",
+    [SMMU_CMD_TLBI_S2_IPA]     = "SMMU_CMD_TLBI_S2_IPA",
+    [SMMU_CMD_TLBI_NSNH_ALL]   = "SMMU_CMD_TLBI_NSNH_ALL",
+    [SMMU_CMD_ATC_INV]         = "SMMU_CMD_ATC_INV",
+    [SMMU_CMD_PRI_RESP]        = "SMMU_CMD_PRI_RESP",
+    [SMMU_CMD_RESUME]          = "SMMU_CMD_RESUME",
+    [SMMU_CMD_STALL_TERM]      = "SMMU_CMD_STALL_TERM",
+    [SMMU_CMD_SYNC]            = "SMMU_CMD_SYNC",
+};
+
+static inline const char *smmu_cmd_string(SMMUCommandType type)
+{
+    if (type > SMMU_CMD_NONE && type < ARRAY_SIZE(cmd_stringify)) {
+        return cmd_stringify[type] ? cmd_stringify[type] : "UNKNOWN";
+    } else {
+        return "INVALID";
+    }
+}
+
+/* CMDQ fields */
+
+typedef enum {
+    SMMU_CERROR_NONE = 0,
+    SMMU_CERROR_ILL,
+    SMMU_CERROR_ABT,
+    SMMU_CERROR_ATC_INV_SYNC,
+} SMMUCmdError;
+
+enum { /* Command completion notification */
+    CMD_SYNC_SIG_NONE,
+    CMD_SYNC_SIG_IRQ,
+    CMD_SYNC_SIG_SEV,
+};
+
+#define CMD_TYPE(x)         extract32((x)->word[0], 0 , 8)
+#define CMD_SSEC(x)         extract32((x)->word[0], 10, 1)
+#define CMD_SSV(x)          extract32((x)->word[0], 11, 1)
+#define CMD_RESUME_AC(x)    extract32((x)->word[0], 12, 1)
+#define CMD_RESUME_AB(x)    extract32((x)->word[0], 13, 1)
+#define CMD_SYNC_CS(x)      extract32((x)->word[0], 12, 2)
+#define CMD_SSID(x)         extract32((x)->word[0], 12, 20)
+#define CMD_SID(x)          ((x)->word[1])
+#define CMD_VMID(x)         extract32((x)->word[1], 0 , 16)
+#define CMD_ASID(x)         extract32((x)->word[1], 16, 16)
+#define CMD_RESUME_STAG(x)  extract32((x)->word[2], 0 , 16)
+#define CMD_RESP(x)         extract32((x)->word[2], 11, 2)
+#define CMD_LEAF(x)         extract32((x)->word[2], 0 , 1)
+#define CMD_STE_RANGE(x)    extract32((x)->word[2], 0 , 5)
+#define CMD_ADDR(x) ({                                        \
+            uint64_t high = (uint64_t)(x)->word[3];           \
+            uint64_t low = extract32((x)->word[2], 12, 20);    \
+            uint64_t addr = high << 32 | (low << 12);         \
+            addr;                                             \
+        })
+
+int smmuv3_cmdq_consume(SMMUv3State *s);
+
 #endif
diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@ void smmuv3_write_gerrorn(SMMUv3State *s, uint32_t new_gerrorn)
     trace_smmuv3_write_gerrorn(toggled & pending, s->gerrorn);
 }
 
+static inline MemTxResult queue_read(SMMUQueue *q, void *data)
+{
+    dma_addr_t addr = Q_CONS_ENTRY(q);
+
+    return dma_memory_read(&address_space_memory, addr, data, q->entry_size);
+}
+
+static MemTxResult queue_write(SMMUQueue *q, void *data)
+{
+    dma_addr_t addr = Q_PROD_ENTRY(q);
+    MemTxResult ret;
+
+    ret = dma_memory_write(&address_space_memory, addr, data, q->entry_size);
+    if (ret != MEMTX_OK) {
+        return ret;
+    }
+
+    queue_prod_incr(q);
+    return MEMTX_OK;
+}
+
+void smmuv3_write_eventq(SMMUv3State *s, Evt *evt)
+{
+    SMMUQueue *q = &s->eventq;
+
+    if (!smmuv3_eventq_enabled(s)) {
+        return;
+    }
+
+    if (smmuv3_q_full(q)) {
+        return;
+    }
+
+    queue_write(q, evt);
+
+    if (smmuv3_q_empty(q)) {
+        smmuv3_trigger_irq(s, SMMU_IRQ_EVTQ, 0);
+    }
+}
+
 static void smmuv3_init_regs(SMMUv3State *s)
 {
     /**
@@ -XXX,XX +XXX,XX @@ static void smmuv3_init_regs(SMMUv3State *s)
     s->sid_split = 0;
 }
 
+int smmuv3_cmdq_consume(SMMUv3State *s)
+{
+    SMMUCmdError cmd_error = SMMU_CERROR_NONE;
+    SMMUQueue *q = &s->cmdq;
+    SMMUCommandType type = 0;
+
+    if (!smmuv3_cmdq_enabled(s)) {
+        return 0;
+    }
+    /*
+     * some commands depend on register values, typically CR0. In case those
+     * register values change while handling the command, spec says it
+     * is UNPREDICTABLE whether the command is interpreted under the new
+     * or old value.
+     */
+
+    while (!smmuv3_q_empty(q)) {
+        uint32_t pending = s->gerror ^ s->gerrorn;
+        Cmd cmd;
+
+        trace_smmuv3_cmdq_consume(Q_PROD(q), Q_CONS(q),
+                                  Q_PROD_WRAP(q), Q_CONS_WRAP(q));
+
+        if (FIELD_EX32(pending, GERROR, CMDQ_ERR)) {
+            break;
+        }
+
+        if (queue_read(q, &cmd) != MEMTX_OK) {
+            cmd_error = SMMU_CERROR_ABT;
+            break;
+        }
+
+        type = CMD_TYPE(&cmd);
+
+        trace_smmuv3_cmdq_opcode(smmu_cmd_string(type));
+
+        switch (type) {
+        case SMMU_CMD_SYNC:
+            if (CMD_SYNC_CS(&cmd) & CMD_SYNC_SIG_IRQ) {
+                smmuv3_trigger_irq(s, SMMU_IRQ_CMD_SYNC, 0);
+            }
+            break;
+        case SMMU_CMD_PREFETCH_CONFIG:
+        case SMMU_CMD_PREFETCH_ADDR:
+        case SMMU_CMD_CFGI_STE:
+        case SMMU_CMD_CFGI_STE_RANGE: /* same as SMMU_CMD_CFGI_ALL */
+        case SMMU_CMD_CFGI_CD:
+        case SMMU_CMD_CFGI_CD_ALL:
+        case SMMU_CMD_TLBI_NH_ALL:
+        case SMMU_CMD_TLBI_NH_ASID:
+        case SMMU_CMD_TLBI_NH_VA:
+        case SMMU_CMD_TLBI_NH_VAA:
+        case SMMU_CMD_TLBI_EL3_ALL:
+        case SMMU_CMD_TLBI_EL3_VA:
+        case SMMU_CMD_TLBI_EL2_ALL:
+        case SMMU_CMD_TLBI_EL2_ASID:
+        case SMMU_CMD_TLBI_EL2_VA:
+        case SMMU_CMD_TLBI_EL2_VAA:
+        case SMMU_CMD_TLBI_S12_VMALL:
+        case SMMU_CMD_TLBI_S2_IPA:
+        case SMMU_CMD_TLBI_NSNH_ALL:
+        case SMMU_CMD_ATC_INV:
+        case SMMU_CMD_PRI_RESP:
+        case SMMU_CMD_RESUME:
+        case SMMU_CMD_STALL_TERM:
+            trace_smmuv3_unhandled_cmd(type);
+            break;
+        default:
+            cmd_error = SMMU_CERROR_ILL;
+            qemu_log_mask(LOG_GUEST_ERROR,
+                          "Illegal command type: %d\n", CMD_TYPE(&cmd));
+            break;
+        }
+        if (cmd_error) {
+            break;
+        }
+        /*
+         * We only increment the cons index after the completion of
+         * the command. We do that because the SYNC returns immediately
+         * and does not check the completion of previous commands
+         */
+        queue_cons_incr(q);
+    }
+
+    if (cmd_error) {
+        trace_smmuv3_cmdq_consume_error(smmu_cmd_string(type), cmd_error);
+        smmu_write_cmdq_err(s, cmd_error);
+        smmuv3_trigger_irq(s, SMMU_IRQ_GERROR, R_GERROR_CMDQ_ERR_MASK);
+    }
+
+    trace_smmuv3_cmdq_consume_out(Q_PROD(q), Q_CONS(q),
+                                  Q_PROD_WRAP(q), Q_CONS_WRAP(q));
+
+    return 0;
+}
+
 static MemTxResult smmu_write_mmio(void *opaque, hwaddr offset, uint64_t data,
                                    unsigned size, MemTxAttrs attrs)
 {
diff --git a/hw/arm/trace-events b/hw/arm/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/trace-events
+++ b/hw/arm/trace-events
@@ -XXX,XX +XXX,XX @@ smmuv3_read_mmio(uint64_t addr, uint64_t val, unsigned size, uint32_t r) "addr:
 smmuv3_trigger_irq(int irq) "irq=%d"
 smmuv3_write_gerror(uint32_t toggled, uint32_t gerror) "toggled=0x%x, new GERROR=0x%x"
 smmuv3_write_gerrorn(uint32_t acked, uint32_t gerrorn) "acked=0x%x, new GERRORN=0x%x"
+smmuv3_unhandled_cmd(uint32_t type) "Unhandled command type=%d"
+smmuv3_cmdq_consume(uint32_t prod, uint32_t cons, uint8_t prod_wrap, uint8_t cons_wrap) "prod=%d cons=%d prod.wrap=%d cons.wrap=%d"
+smmuv3_cmdq_opcode(const char *opcode) "<--- %s"
+smmuv3_cmdq_consume_out(uint32_t prod, uint32_t cons, uint8_t prod_wrap, uint8_t cons_wrap) "prod:%d, cons:%d, prod_wrap:%d, cons_wrap:%d "
+smmuv3_cmdq_consume_error(const char *cmd_name, uint8_t cmd_error) "Error on %s command execution: %d"
-- 
2.17.0

From: Eric Auger <eric.auger@redhat.com>

Now we have relevant helpers for queue and irq
management, let's implement MMIO write operations.

Signed-off-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Prem Mallappa <prem.mallappa@broadcom.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1524665762-31355-8-git-send-email-eric.auger@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/smmuv3-internal.h |   8 +-
 hw/arm/smmuv3.c          | 170 +++++++++++++++++++++++++++++++++++++--
 hw/arm/trace-events      |   6 ++
 3 files changed, 174 insertions(+), 10 deletions(-)

diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3-internal.h
+++ b/hw/arm/smmuv3-internal.h
@@ -XXX,XX +XXX,XX @@ REG32(CR0,                 0x20)
     FIELD(CR0, EVENTQEN,      2, 1)
     FIELD(CR0, CMDQEN,        3, 1)
 
+#define SMMU_CR0_RESERVED 0xFFFFFC20
+
 REG32(CR0ACK,              0x24)
 REG32(CR1,                 0x28)
 REG32(CR2,                 0x2c)
@@ -XXX,XX +XXX,XX @@ static inline bool smmuv3_gerror_irq_enabled(SMMUv3State *s)
     return FIELD_EX32(s->irq_ctrl, IRQ_CTRL, GERROR_IRQEN);
 }
 
-/* public until callers get introduced */
-void smmuv3_trigger_irq(SMMUv3State *s, SMMUIrq irq, uint32_t gerror_mask);
-void smmuv3_write_gerrorn(SMMUv3State *s, uint32_t gerrorn);
-
 /* Queue Handling */
 
 #define Q_BASE(q)          ((q)->base & SMMU_BASE_ADDR_MASK)
@@ -XXX,XX +XXX,XX @@ enum { /* Command completion notification */
             addr;                                             \
         })
 
-int smmuv3_cmdq_consume(SMMUv3State *s);
+#define SMMU_FEATURE_2LVL_STE (1 << 0)
 
 #endif
diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@
  * @irq: irq type
  * @gerror_mask: mask of gerrors to toggle (relevant if @irq is GERROR)
  */
-void smmuv3_trigger_irq(SMMUv3State *s, SMMUIrq irq, uint32_t gerror_mask)
+static void smmuv3_trigger_irq(SMMUv3State *s, SMMUIrq irq,
+                               uint32_t gerror_mask)
 {
 
     bool pulse = false;
@@ -XXX,XX +XXX,XX @@ void smmuv3_trigger_irq(SMMUv3State *s, SMMUIrq irq, uint32_t gerror_mask)
     }
 }
 
-void smmuv3_write_gerrorn(SMMUv3State *s, uint32_t new_gerrorn)
+static void smmuv3_write_gerrorn(SMMUv3State *s, uint32_t new_gerrorn)
 {
     uint32_t pending = s->gerror ^ s->gerrorn;
     uint32_t toggled = s->gerrorn ^ new_gerrorn;
@@ -XXX,XX +XXX,XX @@ static void smmuv3_init_regs(SMMUv3State *s)
     s->sid_split = 0;
 }
 
-int smmuv3_cmdq_consume(SMMUv3State *s)
+static int smmuv3_cmdq_consume(SMMUv3State *s)
 {
     SMMUCmdError cmd_error = SMMU_CERROR_NONE;
     SMMUQueue *q = &s->cmdq;
@@ -XXX,XX +XXX,XX @@ int smmuv3_cmdq_consume(SMMUv3State *s)
     return 0;
 }
 
+static MemTxResult smmu_writell(SMMUv3State *s, hwaddr offset,
+                               uint64_t data, MemTxAttrs attrs)
+{
+    switch (offset) {
+    case A_GERROR_IRQ_CFG0:
+        s->gerror_irq_cfg0 = data;
+        return MEMTX_OK;
+    case A_STRTAB_BASE:
+        s->strtab_base = data;
+        return MEMTX_OK;
+    case A_CMDQ_BASE:
+        s->cmdq.base = data;
+        s->cmdq.log2size = extract64(s->cmdq.base, 0, 5);
+        if (s->cmdq.log2size > SMMU_CMDQS) {
+            s->cmdq.log2size = SMMU_CMDQS;
+        }
+        return MEMTX_OK;
+    case A_EVENTQ_BASE:
+        s->eventq.base = data;
+        s->eventq.log2size = extract64(s->eventq.base, 0, 5);
+        if (s->eventq.log2size > SMMU_EVENTQS) {
+            s->eventq.log2size = SMMU_EVENTQS;
+        }
+        return MEMTX_OK;
+    case A_EVENTQ_IRQ_CFG0:
+        s->eventq_irq_cfg0 = data;
+        return MEMTX_OK;
+    default:
+        qemu_log_mask(LOG_UNIMP,
+                      "%s Unexpected 64-bit access to 0x%"PRIx64" (WI)\n",
+                      __func__, offset);
+        return MEMTX_OK;
+    }
+}
+
+static MemTxResult smmu_writel(SMMUv3State *s, hwaddr offset,
+                               uint64_t data, MemTxAttrs attrs)
+{
+    switch (offset) {
+    case A_CR0:
+        s->cr[0] = data;
+        s->cr0ack = data & ~SMMU_CR0_RESERVED;
+        /* in case the command queue has been enabled */
+        smmuv3_cmdq_consume(s);
+        return MEMTX_OK;
+    case A_CR1:
+        s->cr[1] = data;
+        return MEMTX_OK;
+    case A_CR2:
+        s->cr[2] = data;
+        return MEMTX_OK;
+    case A_IRQ_CTRL:
+        s->irq_ctrl = data;
+        return MEMTX_OK;
+    case A_GERRORN:
+        smmuv3_write_gerrorn(s, data);
+        /*
+         * By acknowledging the CMDQ_ERR, SW may notify cmds can
+         * be processed again
+         */
+        smmuv3_cmdq_consume(s);
+        return MEMTX_OK;
+    case A_GERROR_IRQ_CFG0: /* 64b */
+        s->gerror_irq_cfg0 = deposit64(s->gerror_irq_cfg0, 0, 32, data);
+        return MEMTX_OK;
+    case A_GERROR_IRQ_CFG0 + 4:
+        s->gerror_irq_cfg0 = deposit64(s->gerror_irq_cfg0, 32, 32, data);
+        return MEMTX_OK;
+    case A_GERROR_IRQ_CFG1:
+        s->gerror_irq_cfg1 = data;
+        return MEMTX_OK;
+    case A_GERROR_IRQ_CFG2:
+        s->gerror_irq_cfg2 = data;
+        return MEMTX_OK;
+    case A_STRTAB_BASE: /* 64b */
+        s->strtab_base = deposit64(s->strtab_base, 0, 32, data);
+        return MEMTX_OK;
+    case A_STRTAB_BASE + 4:
+        s->strtab_base = deposit64(s->strtab_base, 32, 32, data);
+        return MEMTX_OK;
+    case A_STRTAB_BASE_CFG:
+        s->strtab_base_cfg = data;
+        if (FIELD_EX32(data, STRTAB_BASE_CFG, FMT) == 1) {
+            s->sid_split = FIELD_EX32(data, STRTAB_BASE_CFG, SPLIT);
+            s->features |= SMMU_FEATURE_2LVL_STE;
+        }
+        return MEMTX_OK;
+    case A_CMDQ_BASE: /* 64b */
+        s->cmdq.base = deposit64(s->cmdq.base, 0, 32, data);
+        s->cmdq.log2size = extract64(s->cmdq.base, 0, 5);
+        if (s->cmdq.log2size > SMMU_CMDQS) {
+            s->cmdq.log2size = SMMU_CMDQS;
+        }
+        return MEMTX_OK;
+    case A_CMDQ_BASE + 4: /* 64b */
+        s->cmdq.base = deposit64(s->cmdq.base, 32, 32, data);
+        return MEMTX_OK;
+    case A_CMDQ_PROD:
+        s->cmdq.prod = data;
+        smmuv3_cmdq_consume(s);
+        return MEMTX_OK;
+    case A_CMDQ_CONS:
+        s->cmdq.cons = data;
+        return MEMTX_OK;
+    case A_EVENTQ_BASE: /* 64b */
+        s->eventq.base = deposit64(s->eventq.base, 0, 32, data);
+        s->eventq.log2size = extract64(s->eventq.base, 0, 5);
+        if (s->eventq.log2size > SMMU_EVENTQS) {
+            s->eventq.log2size = SMMU_EVENTQS;
+        }
+        return MEMTX_OK;
+    case A_EVENTQ_BASE + 4:
+        s->eventq.base = deposit64(s->eventq.base, 32, 32, data);
+        return MEMTX_OK;
+    case A_EVENTQ_PROD:
+        s->eventq.prod = data;
+        return MEMTX_OK;
+    case A_EVENTQ_CONS:
+        s->eventq.cons = data;
+        return MEMTX_OK;
+    case A_EVENTQ_IRQ_CFG0: /* 64b */
+        s->eventq_irq_cfg0 = deposit64(s->eventq_irq_cfg0, 0, 32, data);
+        return MEMTX_OK;
+    case A_EVENTQ_IRQ_CFG0 + 4:
+        s->eventq_irq_cfg0 = deposit64(s->eventq_irq_cfg0, 32, 32, data);
+        return MEMTX_OK;
+    case A_EVENTQ_IRQ_CFG1:
+        s->eventq_irq_cfg1 = data;
+        return MEMTX_OK;
+    case A_EVENTQ_IRQ_CFG2:
+        s->eventq_irq_cfg2 = data;
+        return MEMTX_OK;
+    default:
+        qemu_log_mask(LOG_UNIMP,
+                      "%s Unexpected 32-bit access to 0x%"PRIx64" (WI)\n",
+                      __func__, offset);
+        return MEMTX_OK;
+    }
+}
+
 static MemTxResult smmu_write_mmio(void *opaque, hwaddr offset, uint64_t data,
                                    unsigned size, MemTxAttrs attrs)
 {
-    /* not yet implemented */
-    return MEMTX_ERROR;
+    SMMUState *sys = opaque;
+    SMMUv3State *s = ARM_SMMUV3(sys);
+    MemTxResult r;
+
+    /* CONSTRAINED UNPREDICTABLE choice to have page0/1 be exact aliases */
+    offset &= ~0x10000;
+
+    switch (size) {
+    case 8:
+        r = smmu_writell(s, offset, data, attrs);
+        break;
+    case 4:
+        r = smmu_writel(s, offset, data, attrs);
+        break;
+    default:
+        r = MEMTX_ERROR;
+        break;
+    }
+
+    trace_smmuv3_write_mmio(offset, data, size, r);
+    return r;
 }
 
 static MemTxResult smmu_readll(SMMUv3State *s, hwaddr offset,
diff --git a/hw/arm/trace-events b/hw/arm/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/trace-events
+++ b/hw/arm/trace-events
@@ -XXX,XX +XXX,XX @@ smmuv3_cmdq_consume(uint32_t prod, uint32_t cons, uint8_t prod_wrap, uint8_t con
 smmuv3_cmdq_opcode(const char *opcode) "<--- %s"
 smmuv3_cmdq_consume_out(uint32_t prod, uint32_t cons, uint8_t prod_wrap, uint8_t cons_wrap) "prod:%d, cons:%d, prod_wrap:%d, cons_wrap:%d "
 smmuv3_cmdq_consume_error(const char *cmd_name, uint8_t cmd_error) "Error on %s command execution: %d"
+smmuv3_update(bool is_empty, uint32_t prod, uint32_t cons, uint8_t prod_wrap, uint8_t cons_wrap) "q empty:%d prod:%d cons:%d p.wrap:%d p.cons:%d"
+smmuv3_update_check_cmd(int error) "cmdq not enabled or error :0x%x"
+smmuv3_write_mmio(uint64_t addr, uint64_t val, unsigned size, uint32_t r) "addr: 0x%"PRIx64" val:0x%"PRIx64" size: 0x%x(%d)"
+smmuv3_write_mmio_idr(uint64_t addr, uint64_t val) "write to RO/Unimpl reg 0x%lx val64:0x%lx"
+smmuv3_write_mmio_evtq_cons_bef_clear(uint32_t prod, uint32_t cons, uint8_t prod_wrap, uint8_t cons_wrap) "Before clearing interrupt prod:0x%x cons:0x%x prod.w:%d cons.w:%d"
+smmuv3_write_mmio_evtq_cons_after_clear(uint32_t prod, uint32_t cons, uint8_t prod_wrap, uint8_t cons_wrap) "after clearing interrupt prod:0x%x cons:0x%x prod.w:%d cons.w:%d"
-- 
2.17.0

From: Eric Auger <eric.auger@redhat.com>

Let's introduce a helper function aiming at recording an
event in the event queue.

Signed-off-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1524665762-31355-9-git-send-email-eric.auger@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/smmuv3-internal.h | 148 ++++++++++++++++++++++++++++++++++++++-
 hw/arm/smmuv3.c          | 108 ++++++++++++++++++++++++++--
 hw/arm/trace-events      |   1 +
 3 files changed, 249 insertions(+), 8 deletions(-)

diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3-internal.h
+++ b/hw/arm/smmuv3-internal.h
@@ -XXX,XX +XXX,XX @@ static inline void smmu_write_cmdq_err(SMMUv3State *s, uint32_t err_type)
     s->cmdq.cons = FIELD_DP32(s->cmdq.cons, CMDQ_CONS, ERR, err_type);
 }
 
-void smmuv3_write_eventq(SMMUv3State *s, Evt *evt);
-
 /* Commands */
 
 typedef enum SMMUCommandType {
@@ -XXX,XX +XXX,XX @@ enum { /* Command completion notification */
 
 #define SMMU_FEATURE_2LVL_STE (1 << 0)
 
+/* Events */
+
+typedef enum SMMUEventType {
+    SMMU_EVT_OK                 = 0x00,
+    SMMU_EVT_F_UUT                    ,
+    SMMU_EVT_C_BAD_STREAMID           ,
+    SMMU_EVT_F_STE_FETCH              ,
+    SMMU_EVT_C_BAD_STE                ,
+    SMMU_EVT_F_BAD_ATS_TREQ           ,
+    SMMU_EVT_F_STREAM_DISABLED        ,
+    SMMU_EVT_F_TRANS_FORBIDDEN        ,
+    SMMU_EVT_C_BAD_SUBSTREAMID        ,
+    SMMU_EVT_F_CD_FETCH               ,
+    SMMU_EVT_C_BAD_CD                 ,
+    SMMU_EVT_F_WALK_EABT              ,
+    SMMU_EVT_F_TRANSLATION      = 0x10,
+    SMMU_EVT_F_ADDR_SIZE              ,
+    SMMU_EVT_F_ACCESS                 ,
+    SMMU_EVT_F_PERMISSION             ,
+    SMMU_EVT_F_TLB_CONFLICT     = 0x20,
+    SMMU_EVT_F_CFG_CONFLICT           ,
+    SMMU_EVT_E_PAGE_REQ         = 0x24,
+} SMMUEventType;
+
+static const char *event_stringify[] = {
+    [SMMU_EVT_OK]                       = "SMMU_EVT_OK",
+    [SMMU_EVT_F_UUT]                    = "SMMU_EVT_F_UUT",
+    [SMMU_EVT_C_BAD_STREAMID]           = "SMMU_EVT_C_BAD_STREAMID",
+    [SMMU_EVT_F_STE_FETCH]              = "SMMU_EVT_F_STE_FETCH",
+    [SMMU_EVT_C_BAD_STE]                = "SMMU_EVT_C_BAD_STE",
+    [SMMU_EVT_F_BAD_ATS_TREQ]           = "SMMU_EVT_F_BAD_ATS_TREQ",
+    [SMMU_EVT_F_STREAM_DISABLED]        = "SMMU_EVT_F_STREAM_DISABLED",
+    [SMMU_EVT_F_TRANS_FORBIDDEN]        = "SMMU_EVT_F_TRANS_FORBIDDEN",
+    [SMMU_EVT_C_BAD_SUBSTREAMID]        = "SMMU_EVT_C_BAD_SUBSTREAMID",
+    [SMMU_EVT_F_CD_FETCH]               = "SMMU_EVT_F_CD_FETCH",
+    [SMMU_EVT_C_BAD_CD]                 = "SMMU_EVT_C_BAD_CD",
+    [SMMU_EVT_F_WALK_EABT]              = "SMMU_EVT_F_WALK_EABT",
+    [SMMU_EVT_F_TRANSLATION]            = "SMMU_EVT_F_TRANSLATION",
+    [SMMU_EVT_F_ADDR_SIZE]              = "SMMU_EVT_F_ADDR_SIZE",
+    [SMMU_EVT_F_ACCESS]                 = "SMMU_EVT_F_ACCESS",
+    [SMMU_EVT_F_PERMISSION]             = "SMMU_EVT_F_PERMISSION",
+    [SMMU_EVT_F_TLB_CONFLICT]           = "SMMU_EVT_F_TLB_CONFLICT",
+    [SMMU_EVT_F_CFG_CONFLICT]           = "SMMU_EVT_F_CFG_CONFLICT",
+    [SMMU_EVT_E_PAGE_REQ]               = "SMMU_EVT_E_PAGE_REQ",
+};
+
+static inline const char *smmu_event_string(SMMUEventType type)
+{
+    if (type < ARRAY_SIZE(event_stringify)) {
+        return event_stringify[type] ? event_stringify[type] : "UNKNOWN";
+    } else {
+        return "INVALID";
+    }
+}
+
+/*  Encode an event record */
+typedef struct SMMUEventInfo {
+    SMMUEventType type;
+    uint32_t sid;
+    bool recorded;
+    bool record_trans_faults;
+    union {
+        struct {
+            uint32_t ssid;
+            bool ssv;
+            dma_addr_t addr;
+            bool rnw;
+            bool pnu;
+            bool ind;
+       } f_uut;
+       struct SSIDInfo {
+            uint32_t ssid;
+            bool ssv;
+       } c_bad_streamid;
+       struct SSIDAddrInfo {
+            uint32_t ssid;
+            bool ssv;
+            dma_addr_t addr;
+       } f_ste_fetch;
+       struct SSIDInfo c_bad_ste;
+       struct {
+            dma_addr_t addr;
+            bool rnw;
+       } f_transl_forbidden;
+       struct {
+            uint32_t ssid;
+       } c_bad_substream;
+       struct SSIDAddrInfo f_cd_fetch;
+       struct SSIDInfo c_bad_cd;
+       struct FullInfo {
+            bool stall;
+            uint16_t stag;
+            uint32_t ssid;
+            bool ssv;
+            bool s2;
+            dma_addr_t addr;
+            bool rnw;
+            bool pnu;
+            bool ind;
+            uint8_t class;
+            dma_addr_t addr2;
+       } f_walk_eabt;
+       struct FullInfo f_translation;
+       struct FullInfo f_addr_size;
+       struct FullInfo f_access;
+       struct FullInfo f_permission;
+       struct SSIDInfo f_cfg_conflict;
+       /**
+        * not supported yet:
+        * F_BAD_ATS_TREQ
+        * F_BAD_ATS_TREQ
+        * F_TLB_CONFLICT
+        * E_PAGE_REQUEST
+        * IMPDEF_EVENTn
+        */
+    } u;
+} SMMUEventInfo;
+
+/* EVTQ fields */
+
+#define EVT_Q_OVERFLOW        (1 << 31)
+
+#define EVT_SET_TYPE(x, v)              deposit32((x)->word[0], 0 , 8 , v)
+#define EVT_SET_SSV(x, v)               deposit32((x)->word[0], 11, 1 , v)
+#define EVT_SET_SSID(x, v)              deposit32((x)->word[0], 12, 20, v)
+#define EVT_SET_SID(x, v)               ((x)->word[1] = v)
+#define EVT_SET_STAG(x, v)              deposit32((x)->word[2], 0 , 16, v)
+#define EVT_SET_STALL(x, v)             deposit32((x)->word[2], 31, 1 , v)
+#define EVT_SET_PNU(x, v)               deposit32((x)->word[3], 1 , 1 , v)
+#define EVT_SET_IND(x, v)               deposit32((x)->word[3], 2 , 1 , v)
+#define EVT_SET_RNW(x, v)               deposit32((x)->word[3], 3 , 1 , v)
+#define EVT_SET_S2(x, v)                deposit32((x)->word[3], 7 , 1 , v)
+#define EVT_SET_CLASS(x, v)             deposit32((x)->word[3], 8 , 2 , v)
+#define EVT_SET_ADDR(x, addr)                             \
+    do {                                                  \
+            (x)->word[5] = (uint32_t)(addr >> 32);        \
+            (x)->word[4] = (uint32_t)(addr & 0xffffffff); \
+    } while (0)
+#define EVT_SET_ADDR2(x, addr)                            \
+    do {                                                  \
+            deposit32((x)->word[7], 3, 29, addr >> 16);   \
+            deposit32((x)->word[7], 0, 16, addr & 0xffff);\
+    } while (0)
+
+void smmuv3_record_event(SMMUv3State *s, SMMUEventInfo *event);
+
 #endif
diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@ static MemTxResult queue_write(SMMUQueue *q, void *data)
     return MEMTX_OK;
 }
 
-void smmuv3_write_eventq(SMMUv3State *s, Evt *evt)
+static MemTxResult smmuv3_write_eventq(SMMUv3State *s, Evt *evt)
 {
     SMMUQueue *q = &s->eventq;
+    MemTxResult r;
+
+    if (!smmuv3_eventq_enabled(s)) {
+        return MEMTX_ERROR;
+    }
+
+    if (smmuv3_q_full(q)) {
+        return MEMTX_ERROR;
+    }
+
+    r = queue_write(q, evt);
+    if (r != MEMTX_OK) {
+        return r;
+    }
+
+    if (smmuv3_q_empty(q)) {
+        smmuv3_trigger_irq(s, SMMU_IRQ_EVTQ, 0);
+    }
+    return MEMTX_OK;
+}
+
+void smmuv3_record_event(SMMUv3State *s, SMMUEventInfo *info)
+{
+    Evt evt;
+    MemTxResult r;
 
     if (!smmuv3_eventq_enabled(s)) {
         return;
     }
 
-    if (smmuv3_q_full(q)) {
+    EVT_SET_TYPE(&evt, info->type);
+    EVT_SET_SID(&evt, info->sid);
+
+    switch (info->type) {
+    case SMMU_EVT_OK:
         return;
+    case SMMU_EVT_F_UUT:
+        EVT_SET_SSID(&evt, info->u.f_uut.ssid);
+        EVT_SET_SSV(&evt,  info->u.f_uut.ssv);
+        EVT_SET_ADDR(&evt, info->u.f_uut.addr);
+        EVT_SET_RNW(&evt,  info->u.f_uut.rnw);
+        EVT_SET_PNU(&evt,  info->u.f_uut.pnu);
+        EVT_SET_IND(&evt,  info->u.f_uut.ind);
+        break;
+    case SMMU_EVT_C_BAD_STREAMID:
+        EVT_SET_SSID(&evt, info->u.c_bad_streamid.ssid);
+        EVT_SET_SSV(&evt,  info->u.c_bad_streamid.ssv);
+        break;
+    case SMMU_EVT_F_STE_FETCH:
+        EVT_SET_SSID(&evt, info->u.f_ste_fetch.ssid);
+        EVT_SET_SSV(&evt,  info->u.f_ste_fetch.ssv);
+        EVT_SET_ADDR(&evt, info->u.f_ste_fetch.addr);
+        break;
+    case SMMU_EVT_C_BAD_STE:
+        EVT_SET_SSID(&evt, info->u.c_bad_ste.ssid);
+        EVT_SET_SSV(&evt,  info->u.c_bad_ste.ssv);
+        break;
+    case SMMU_EVT_F_STREAM_DISABLED:
+        break;
+    case SMMU_EVT_F_TRANS_FORBIDDEN:
+        EVT_SET_ADDR(&evt, info->u.f_transl_forbidden.addr);
+        EVT_SET_RNW(&evt, info->u.f_transl_forbidden.rnw);
+        break;
+    case SMMU_EVT_C_BAD_SUBSTREAMID:
+        EVT_SET_SSID(&evt, info->u.c_bad_substream.ssid);
+        break;
+    case SMMU_EVT_F_CD_FETCH:
+        EVT_SET_SSID(&evt, info->u.f_cd_fetch.ssid);
+        EVT_SET_SSV(&evt,  info->u.f_cd_fetch.ssv);
+        EVT_SET_ADDR(&evt, info->u.f_cd_fetch.addr);
+        break;
+    case SMMU_EVT_C_BAD_CD:
+        EVT_SET_SSID(&evt, info->u.c_bad_cd.ssid);
+        EVT_SET_SSV(&evt,  info->u.c_bad_cd.ssv);
+        break;
+    case SMMU_EVT_F_WALK_EABT:
+    case SMMU_EVT_F_TRANSLATION:
+    case SMMU_EVT_F_ADDR_SIZE:
+    case SMMU_EVT_F_ACCESS:
+    case SMMU_EVT_F_PERMISSION:
+        EVT_SET_STALL(&evt, info->u.f_walk_eabt.stall);
+        EVT_SET_STAG(&evt, info->u.f_walk_eabt.stag);
+        EVT_SET_SSID(&evt, info->u.f_walk_eabt.ssid);
+        EVT_SET_SSV(&evt, info->u.f_walk_eabt.ssv);
+        EVT_SET_S2(&evt, info->u.f_walk_eabt.s2);
+        EVT_SET_ADDR(&evt, info->u.f_walk_eabt.addr);
+        EVT_SET_RNW(&evt, info->u.f_walk_eabt.rnw);
+        EVT_SET_PNU(&evt, info->u.f_walk_eabt.pnu);
+        EVT_SET_IND(&evt, info->u.f_walk_eabt.ind);
+        EVT_SET_CLASS(&evt, info->u.f_walk_eabt.class);
+        EVT_SET_ADDR2(&evt, info->u.f_walk_eabt.addr2);
+        break;
+    case SMMU_EVT_F_CFG_CONFLICT:
+        EVT_SET_SSID(&evt, info->u.f_cfg_conflict.ssid);
+        EVT_SET_SSV(&evt,  info->u.f_cfg_conflict.ssv);
+        break;
+    /* rest is not implemented */
+    case SMMU_EVT_F_BAD_ATS_TREQ:
+    case SMMU_EVT_F_TLB_CONFLICT:
+    case SMMU_EVT_E_PAGE_REQ:
+    default:
+        g_assert_not_reached();
     }
 
-    queue_write(q, evt);
-
-    if (smmuv3_q_empty(q)) {
-        smmuv3_trigger_irq(s, SMMU_IRQ_EVTQ, 0);
+    trace_smmuv3_record_event(smmu_event_string(info->type), info->sid);
+    r = smmuv3_write_eventq(s, &evt);
+    if (r != MEMTX_OK) {
+        smmuv3_trigger_irq(s, SMMU_IRQ_GERROR, R_GERROR_EVENTQ_ABT_ERR_MASK);
     }
+    info->recorded = true;
 }
 
 static void smmuv3_init_regs(SMMUv3State *s)
diff --git a/hw/arm/trace-events b/hw/arm/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/trace-events
+++ b/hw/arm/trace-events
@@ -XXX,XX +XXX,XX @@ smmuv3_write_mmio(uint64_t addr, uint64_t val, unsigned size, uint32_t r) "addr:
 smmuv3_write_mmio_idr(uint64_t addr, uint64_t val) "write to RO/Unimpl reg 0x%lx val64:0x%lx"
 smmuv3_write_mmio_evtq_cons_bef_clear(uint32_t prod, uint32_t cons, uint8_t prod_wrap, uint8_t cons_wrap) "Before clearing interrupt prod:0x%x cons:0x%x prod.w:%d cons.w:%d"
 smmuv3_write_mmio_evtq_cons_after_clear(uint32_t prod, uint32_t cons, uint8_t prod_wrap, uint8_t cons_wrap) "after clearing interrupt prod:0x%x cons:0x%x prod.w:%d cons.w:%d"
+smmuv3_record_event(const char *type, uint32_t sid) "%s sid=%d"
-- 
2.17.0

From: Eric Auger <eric.auger@redhat.com>

This patch implements the IOMMU Memory Region translate()
callback. Most of the code relates to the translation
configuration decoding and check (STE, CD).

Signed-off-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Prem Mallappa <prem.mallappa@broadcom.com>
Message-id: 1524665762-31355-10-git-send-email-eric.auger@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/smmuv3-internal.h | 160 +++++++++++++++++
 hw/arm/smmuv3.c          | 358 +++++++++++++++++++++++++++++++++++++++
 hw/arm/trace-events      |   9 +
 3 files changed, 527 insertions(+)

diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3-internal.h
+++ b/hw/arm/smmuv3-internal.h
@@ -XXX,XX +XXX,XX @@ typedef struct SMMUEventInfo {
 
 void smmuv3_record_event(SMMUv3State *s, SMMUEventInfo *event);
 
+/* Configuration Data */
+
+/* STE Level 1 Descriptor */
+typedef struct STEDesc {
+    uint32_t word[2];
+} STEDesc;
+
+/* CD Level 1 Descriptor */
+typedef struct CDDesc {
+    uint32_t word[2];
+} CDDesc;
+
+/* Stream Table Entry(STE) */
+typedef struct STE {
+    uint32_t word[16];
+} STE;
+
+/* Context Descriptor(CD) */
+typedef struct CD {
+    uint32_t word[16];
+} CD;
+
+/* STE fields */
+
+#define STE_VALID(x)   extract32((x)->word[0], 0, 1)
+
+#define STE_CONFIG(x)  extract32((x)->word[0], 1, 3)
+#define STE_CFG_S1_ENABLED(config) (config & 0x1)
+#define STE_CFG_S2_ENABLED(config) (config & 0x2)
+#define STE_CFG_ABORT(config)      (!(config & 0x4))
+#define STE_CFG_BYPASS(config)     (config == 0x4)
+
+#define STE_S1FMT(x)       extract32((x)->word[0], 4 , 2)
+#define STE_S1CDMAX(x)     extract32((x)->word[1], 27, 5)
+#define STE_S1STALLD(x)    extract32((x)->word[2], 27, 1)
+#define STE_EATS(x)        extract32((x)->word[2], 28, 2)
+#define STE_STRW(x)        extract32((x)->word[2], 30, 2)
+#define STE_S2VMID(x)      extract32((x)->word[4], 0 , 16)
+#define STE_S2T0SZ(x)      extract32((x)->word[5], 0 , 6)
+#define STE_S2SL0(x)       extract32((x)->word[5], 6 , 2)
+#define STE_S2TG(x)        extract32((x)->word[5], 14, 2)
+#define STE_S2PS(x)        extract32((x)->word[5], 16, 3)
+#define STE_S2AA64(x)      extract32((x)->word[5], 19, 1)
+#define STE_S2HD(x)        extract32((x)->word[5], 24, 1)
+#define STE_S2HA(x)        extract32((x)->word[5], 25, 1)
+#define STE_S2S(x)         extract32((x)->word[5], 26, 1)
+#define STE_CTXPTR(x)                                           \
+    ({                                                          \
+        unsigned long addr;                                     \
+        addr = (uint64_t)extract32((x)->word[1], 0, 16) << 32;  \
+        addr |= (uint64_t)((x)->word[0] & 0xffffffc0);          \
+        addr;                                                   \
+    })
+
+#define STE_S2TTB(x)                                            \
+    ({                                                          \
+        unsigned long addr;                                     \
+        addr = (uint64_t)extract32((x)->word[7], 0, 16) << 32;  \
+        addr |= (uint64_t)((x)->word[6] & 0xfffffff0);          \
+        addr;                                                   \
+    })
+
+static inline int oas2bits(int oas_field)
+{
+    switch (oas_field) {
+    case 0:
+        return 32;
+    case 1:
+        return 36;
+    case 2:
+        return 40;
+    case 3:
+        return 42;
+    case 4:
+        return 44;
+    case 5:
+        return 48;
+    }
+    return -1;
+}
+
+static inline int pa_range(STE *ste)
+{
+    int oas_field = MIN(STE_S2PS(ste), SMMU_IDR5_OAS);
+
+    if (!STE_S2AA64(ste)) {
+        return 40;
+    }
+
+    return oas2bits(oas_field);
+}
+
+#define MAX_PA(ste) ((1 << pa_range(ste)) - 1)
+
+/* CD fields */
+
+#define CD_VALID(x)   extract32((x)->word[0], 30, 1)
+#define CD_ASID(x)    extract32((x)->word[1], 16, 16)
+#define CD_TTB(x, sel)                                      \
+    ({                                                      \
+        uint64_t hi, lo;                                    \
+        hi = extract32((x)->word[(sel) * 2 + 3], 0, 19);    \
+        hi <<= 32;                                          \
+        lo = (x)->word[(sel) * 2 + 2] & ~0xfULL;            \
+        hi | lo;                                            \
+    })
+
+#define CD_TSZ(x, sel)   extract32((x)->word[0], (16 * (sel)) + 0, 6)
+#define CD_TG(x, sel)    extract32((x)->word[0], (16 * (sel)) + 6, 2)
+#define CD_EPD(x, sel)   extract32((x)->word[0], (16 * (sel)) + 14, 1)
+#define CD_ENDI(x)       extract32((x)->word[0], 15, 1)
+#define CD_IPS(x)        extract32((x)->word[1], 0 , 3)
+#define CD_TBI(x)        extract32((x)->word[1], 6 , 2)
+#define CD_HD(x)         extract32((x)->word[1], 10 , 1)
+#define CD_HA(x)         extract32((x)->word[1], 11 , 1)
+#define CD_S(x)          extract32((x)->word[1], 12, 1)
+#define CD_R(x)          extract32((x)->word[1], 13, 1)
+#define CD_A(x)          extract32((x)->word[1], 14, 1)
+#define CD_AARCH64(x)    extract32((x)->word[1], 9 , 1)
+
+#define CDM_VALID(x)    ((x)->word[0] & 0x1)
+
+static inline int is_cd_valid(SMMUv3State *s, STE *ste, CD *cd)
+{
+    return CD_VALID(cd);
+}
+
+/**
+ * tg2granule - Decodes the CD translation granule size field according
+ * to the ttbr in use
+ * @bits: TG0/1 fields
+ * @ttbr: ttbr index in use
+ */
+static inline int tg2granule(int bits, int ttbr)
+{
+    switch (bits) {
+    case 0:
+        return ttbr ? 0  : 12;
+    case 1:
+        return ttbr ? 14 : 16;
+    case 2:
+        return ttbr ? 12 : 14;
+    case 3:
+        return ttbr ? 16 :  0;
+    default:
+        return 0;
+    }
+}
+
+static inline uint64_t l1std_l2ptr(STEDesc *desc)
+{
+    uint64_t hi, lo;
+
+    hi = desc->word[1];
+    lo = desc->word[0] & ~0x1fULL;
+    return hi << 32 | lo;
+}
+
+#define L1STD_SPAN(stm) (extract32((stm)->word[0], 0, 4))
+
 #endif
diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@ static void smmuv3_init_regs(SMMUv3State *s)
     s->sid_split = 0;
 }
 
+static int smmu_get_ste(SMMUv3State *s, dma_addr_t addr, STE *buf,
+                        SMMUEventInfo *event)
+{
+    int ret;
+
+    trace_smmuv3_get_ste(addr);
+    /* TODO: guarantee 64-bit single-copy atomicity */
+    ret = dma_memory_read(&address_space_memory, addr,
+                          (void *)buf, sizeof(*buf));
+    if (ret != MEMTX_OK) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "Cannot fetch pte at address=0x%"PRIx64"\n", addr);
+        event->type = SMMU_EVT_F_STE_FETCH;
+        event->u.f_ste_fetch.addr = addr;
+        return -EINVAL;
+    }
+    return 0;
+
+}
+
+/* @ssid > 0 not supported yet */
+static int smmu_get_cd(SMMUv3State *s, STE *ste, uint32_t ssid,
+                       CD *buf, SMMUEventInfo *event)
+{
+    dma_addr_t addr = STE_CTXPTR(ste);
+    int ret;
+
+    trace_smmuv3_get_cd(addr);
+    /* TODO: guarantee 64-bit single-copy atomicity */
+    ret = dma_memory_read(&address_space_memory, addr,
+                           (void *)buf, sizeof(*buf));
+    if (ret != MEMTX_OK) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "Cannot fetch pte at address=0x%"PRIx64"\n", addr);
+        event->type = SMMU_EVT_F_CD_FETCH;
+        event->u.f_ste_fetch.addr = addr;
+        return -EINVAL;
+    }
+    return 0;
+}
+
+/* Returns <0 if the caller has no need to continue the translation */
+static int decode_ste(SMMUv3State *s, SMMUTransCfg *cfg,
+                      STE *ste, SMMUEventInfo *event)
+{
+    uint32_t config;
+    int ret = -EINVAL;
+
+    if (!STE_VALID(ste)) {
+        goto bad_ste;
+    }
+
+    config = STE_CONFIG(ste);
+
+    if (STE_CFG_ABORT(config)) {
+        cfg->aborted = true; /* abort but don't record any event */
+        return ret;
+    }
+
+    if (STE_CFG_BYPASS(config)) {
+        cfg->bypassed = true;
+        return ret;
+    }
+
+    if (STE_CFG_S2_ENABLED(config)) {
+        qemu_log_mask(LOG_UNIMP, "SMMUv3 does not support stage 2 yet\n");
+        goto bad_ste;
+    }
+
+    if (STE_S1CDMAX(ste) != 0) {
+        qemu_log_mask(LOG_UNIMP,
+                      "SMMUv3 does not support multiple context descriptors yet\n");
+        goto bad_ste;
+    }
+
+    if (STE_S1STALLD(ste)) {
+        qemu_log_mask(LOG_UNIMP,
+                      "SMMUv3 S1 stalling fault model not allowed yet\n");
+        goto bad_ste;
+    }
+    return 0;
+
+bad_ste:
+    event->type = SMMU_EVT_C_BAD_STE;
+    return -EINVAL;
+}
+
+/**
+ * smmu_find_ste - Return the stream table entry associated
+ * to the sid
+ *
+ * @s: smmuv3 handle
+ * @sid: stream ID
+ * @ste: returned stream table entry
+ * @event: handle to an event info
+ *
+ * Supports linear and 2-level stream table
+ * Return 0 on success, -EINVAL otherwise
+ */
+static int smmu_find_ste(SMMUv3State *s, uint32_t sid, STE *ste,
+                         SMMUEventInfo *event)
+{
+    dma_addr_t addr;
+    int ret;
+
+    trace_smmuv3_find_ste(sid, s->features, s->sid_split);
+    /* Check SID range */
+    if (sid > (1 << SMMU_IDR1_SIDSIZE)) {
+        event->type = SMMU_EVT_C_BAD_STREAMID;
+        return -EINVAL;
+    }
+    if (s->features & SMMU_FEATURE_2LVL_STE) {
+        int l1_ste_offset, l2_ste_offset, max_l2_ste, span;
+        dma_addr_t strtab_base, l1ptr, l2ptr;
+        STEDesc l1std;
+
+        strtab_base = s->strtab_base & SMMU_BASE_ADDR_MASK;
+        l1_ste_offset = sid >> s->sid_split;
+        l2_ste_offset = sid & ((1 << s->sid_split) - 1);
+        l1ptr = (dma_addr_t)(strtab_base + l1_ste_offset * sizeof(l1std));
+        /* TODO: guarantee 64-bit single-copy atomicity */
+        ret = dma_memory_read(&address_space_memory, l1ptr,
+                              (uint8_t *)&l1std, sizeof(l1std));
+        if (ret != MEMTX_OK) {
+            qemu_log_mask(LOG_GUEST_ERROR,
+                          "Could not read L1PTR at 0X%"PRIx64"\n", l1ptr);
+            event->type = SMMU_EVT_F_STE_FETCH;
+            event->u.f_ste_fetch.addr = l1ptr;
+            return -EINVAL;
+        }
+
+        span = L1STD_SPAN(&l1std);
+
+        if (!span) {
+            /* l2ptr is not valid */
+            qemu_log_mask(LOG_GUEST_ERROR,
+                          "invalid sid=%d (L1STD span=0)\n", sid);
+            event->type = SMMU_EVT_C_BAD_STREAMID;
+            return -EINVAL;
+        }
+        max_l2_ste = (1 << span) - 1;
+        l2ptr = l1std_l2ptr(&l1std);
+        trace_smmuv3_find_ste_2lvl(s->strtab_base, l1ptr, l1_ste_offset,
+                                   l2ptr, l2_ste_offset, max_l2_ste);
+        if (l2_ste_offset > max_l2_ste) {
+            qemu_log_mask(LOG_GUEST_ERROR,
+                          "l2_ste_offset=%d > max_l2_ste=%d\n",
+                          l2_ste_offset, max_l2_ste);
+            event->type = SMMU_EVT_C_BAD_STE;
+            return -EINVAL;
+        }
+        addr = l2ptr + l2_ste_offset * sizeof(*ste);
+    } else {
+        addr = s->strtab_base + sid * sizeof(*ste);
+    }
+
+    if (smmu_get_ste(s, addr, ste, event)) {
+        return -EINVAL;
+    }
+
+    return 0;
+}
+
+static int decode_cd(SMMUTransCfg *cfg, CD *cd, SMMUEventInfo *event)
+{
+    int ret = -EINVAL;
+    int i;
+
+    if (!CD_VALID(cd) || !CD_AARCH64(cd)) {
+        goto bad_cd;
+    }
+    if (!CD_A(cd)) {
+        goto bad_cd; /* SMMU_IDR0.TERM_MODEL == 1 */
+    }
+    if (CD_S(cd)) {
+        goto bad_cd; /* !STE_SECURE && SMMU_IDR0.STALL_MODEL == 1 */
+    }
+    if (CD_HA(cd) || CD_HD(cd)) {
+        goto bad_cd; /* HTTU = 0 */
+    }
+
+    /* we support only those at the moment */
+    cfg->aa64 = true;
+    cfg->stage = 1;
+
+    cfg->oas = oas2bits(CD_IPS(cd));
+    cfg->oas = MIN(oas2bits(SMMU_IDR5_OAS), cfg->oas);
+    cfg->tbi = CD_TBI(cd);
+    cfg->asid = CD_ASID(cd);
+
+    trace_smmuv3_decode_cd(cfg->oas);
+
+    /* decode data dependent on TT */
+    for (i = 0; i <= 1; i++) {
+        int tg, tsz;
+        SMMUTransTableInfo *tt = &cfg->tt[i];
+
+        cfg->tt[i].disabled = CD_EPD(cd, i);
+        if (cfg->tt[i].disabled) {
+            continue;
+        }
+
+        tsz = CD_TSZ(cd, i);
+        if (tsz < 16 || tsz > 39) {
+            goto bad_cd;
+        }
+
+        tg = CD_TG(cd, i);
+        tt->granule_sz = tg2granule(tg, i);
+        if ((tt->granule_sz != 12 && tt->granule_sz != 16) || CD_ENDI(cd)) {
+            goto bad_cd;
+        }
+
+        tt->tsz = tsz;
+        tt->ttb = CD_TTB(cd, i);
+        if (tt->ttb & ~(MAKE_64BIT_MASK(0, cfg->oas))) {
+            goto bad_cd;
+        }
+        trace_smmuv3_decode_cd_tt(i, tt->tsz, tt->ttb, tt->granule_sz);
+    }
+
+    event->record_trans_faults = CD_R(cd);
+
+    return 0;
+
+bad_cd:
+    event->type = SMMU_EVT_C_BAD_CD;
+    return ret;
+}
+
+/**
+ * smmuv3_decode_config - Prepare the translation configuration
+ * for the @mr iommu region
+ * @mr: iommu memory region the translation config must be prepared for
+ * @cfg: output translation configuration which is populated through
+ *       the different configuration decoding steps
+ * @event: must be zero'ed by the caller
+ *
+ * return < 0 if the translation needs to be aborted (@event is filled
+ * accordingly). Return 0 otherwise.
+ */
+static int smmuv3_decode_config(IOMMUMemoryRegion *mr, SMMUTransCfg *cfg,
+                                SMMUEventInfo *event)
+{
+    SMMUDevice *sdev = container_of(mr, SMMUDevice, iommu);
+    uint32_t sid = smmu_get_sid(sdev);
+    SMMUv3State *s = sdev->smmu;
+    int ret = -EINVAL;
+    STE ste;
+    CD cd;
+
+    if (smmu_find_ste(s, sid, &ste, event)) {
+        return ret;
+    }
+
+    if (decode_ste(s, cfg, &ste, event)) {
+        return ret;
+    }
+
+    if (smmu_get_cd(s, &ste, 0 /* ssid */, &cd, event)) {
+        return ret;
+    }
+
+    return decode_cd(cfg, &cd, event);
+}
+
+static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,
+                                      IOMMUAccessFlags flag)
+{
+    SMMUDevice *sdev = container_of(mr, SMMUDevice, iommu);
+    SMMUv3State *s = sdev->smmu;
+    uint32_t sid = smmu_get_sid(sdev);
+    SMMUEventInfo event = {.type = SMMU_EVT_OK, .sid = sid};
+    SMMUPTWEventInfo ptw_info = {};
+    SMMUTransCfg cfg = {};
+    IOMMUTLBEntry entry = {
+        .target_as = &address_space_memory,
+        .iova = addr,
+        .translated_addr = addr,
+        .addr_mask = ~(hwaddr)0,
+        .perm = IOMMU_NONE,
+    };
+    int ret = 0;
+
+    if (!smmu_enabled(s)) {
+        goto out;
+    }
+
+    ret = smmuv3_decode_config(mr, &cfg, &event);
+    if (ret) {
+        goto out;
+    }
+
+    if (cfg.aborted) {
+        goto out;
+    }
+
+    ret = smmu_ptw(&cfg, addr, flag, &entry, &ptw_info);
+    if (ret) {
+        switch (ptw_info.type) {
+        case SMMU_PTW_ERR_WALK_EABT:
+            event.type = SMMU_EVT_F_WALK_EABT;
+            event.u.f_walk_eabt.addr = addr;
+            event.u.f_walk_eabt.rnw = flag & 0x1;
+            event.u.f_walk_eabt.class = 0x1;
+            event.u.f_walk_eabt.addr2 = ptw_info.addr;
+            break;
+        case SMMU_PTW_ERR_TRANSLATION:
+            if (event.record_trans_faults) {
+                event.type = SMMU_EVT_F_TRANSLATION;
+                event.u.f_translation.addr = addr;
+                event.u.f_translation.rnw = flag & 0x1;
+            }
+            break;
+        case SMMU_PTW_ERR_ADDR_SIZE:
+            if (event.record_trans_faults) {
+                event.type = SMMU_EVT_F_ADDR_SIZE;
+                event.u.f_addr_size.addr = addr;
+                event.u.f_addr_size.rnw = flag & 0x1;
+            }
+            break;
+        case SMMU_PTW_ERR_ACCESS:
+            if (event.record_trans_faults) {
+                event.type = SMMU_EVT_F_ACCESS;
+                event.u.f_access.addr = addr;
+                event.u.f_access.rnw = flag & 0x1;
+            }
+            break;
+        case SMMU_PTW_ERR_PERMISSION:
+            if (event.record_trans_faults) {
+                event.type = SMMU_EVT_F_PERMISSION;
+                event.u.f_permission.addr = addr;
+                event.u.f_permission.rnw = flag & 0x1;
+            }
+            break;
+        default:
+            g_assert_not_reached();
+        }
+    }
+out:
+    if (ret) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "%s translation failed for iova=0x%"PRIx64"(%d)\n",
+                      mr->parent_obj.name, addr, ret);
+        entry.perm = IOMMU_NONE;
+        smmuv3_record_event(s, &event);
+    } else if (!cfg.aborted) {
+        entry.perm = flag;
+        trace_smmuv3_translate(mr->parent_obj.name, sid, addr,
+                               entry.translated_addr, entry.perm);
+    }
+
+    return entry;
+}
+
 static int smmuv3_cmdq_consume(SMMUv3State *s)
 {
     SMMUCmdError cmd_error = SMMU_CERROR_NONE;
@@ -XXX,XX +XXX,XX @@ static void smmuv3_class_init(ObjectClass *klass, void *data)
 static void smmuv3_iommu_memory_region_class_init(ObjectClass *klass,
                                                   void *data)
 {
+    IOMMUMemoryRegionClass *imrc = IOMMU_MEMORY_REGION_CLASS(klass);
+
+    imrc->translate = smmuv3_translate;
 }
 
 static const TypeInfo smmuv3_type_info = {
diff --git a/hw/arm/trace-events b/hw/arm/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/trace-events
+++ b/hw/arm/trace-events
@@ -XXX,XX +XXX,XX @@ smmuv3_write_mmio_idr(uint64_t addr, uint64_t val) "write to RO/Unimpl reg 0x%lx
 smmuv3_write_mmio_evtq_cons_bef_clear(uint32_t prod, uint32_t cons, uint8_t prod_wrap, uint8_t cons_wrap) "Before clearing interrupt prod:0x%x cons:0x%x prod.w:%d cons.w:%d"
 smmuv3_write_mmio_evtq_cons_after_clear(uint32_t prod, uint32_t cons, uint8_t prod_wrap, uint8_t cons_wrap) "after clearing interrupt prod:0x%x cons:0x%x prod.w:%d cons.w:%d"
 smmuv3_record_event(const char *type, uint32_t sid) "%s sid=%d"
+smmuv3_find_ste(uint16_t sid, uint32_t features, uint16_t sid_split) "SID:0x%x features:0x%x, sid_split:0x%x"
+smmuv3_find_ste_2lvl(uint64_t strtab_base, uint64_t l1ptr, int l1_ste_offset, uint64_t l2ptr, int l2_ste_offset, int max_l2_ste) "strtab_base:0x%lx l1ptr:0x%"PRIx64" l1_off:0x%x, l2ptr:0x%"PRIx64" l2_off:0x%x max_l2_ste:%d"
+smmuv3_get_ste(uint64_t addr) "STE addr: 0x%"PRIx64
+smmuv3_translate_bypass(const char *n, uint16_t sid, uint64_t addr, bool is_write) "%s sid=%d bypass iova:0x%"PRIx64" is_write=%d"
+smmuv3_translate_in(uint16_t sid, int pci_bus_num, uint64_t strtab_base) "SID:0x%x bus:%d strtab_base:0x%"PRIx64
+smmuv3_get_cd(uint64_t addr) "CD addr: 0x%"PRIx64
+smmuv3_translate(const char *n, uint16_t sid, uint64_t iova, uint64_t translated, int perm) "%s sid=%d iova=0x%"PRIx64" translated=0x%"PRIx64" perm=0x%x"
+smmuv3_decode_cd(uint32_t oas) "oas=%d"
+smmuv3_decode_cd_tt(int i, uint32_t tsz, uint64_t ttb, uint32_t granule_sz) "TT[%d]:tsz:%d ttb:0x%"PRIx64" granule_sz:%d"
-- 
2.17.0

From: Eric Auger <eric.auger@redhat.com>

At the moment, the SMMUv3 does not support notification on
TLB invalidation. So let's log an error as soon as such notifier
gets enabled.

Signed-off-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1524665762-31355-11-git-send-email-eric.auger@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/smmuv3.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@ static void smmuv3_class_init(ObjectClass *klass, void *data)
     dc->realize = smmu_realize;
 }
 
+static void smmuv3_notify_flag_changed(IOMMUMemoryRegion *iommu,
+                                       IOMMUNotifierFlag old,
+                                       IOMMUNotifierFlag new)
+{
+    if (old == IOMMU_NOTIFIER_NONE) {
+        warn_report("SMMUV3 does not support vhost/vfio integration yet: "
+                    "devices of those types will not function properly");
+    }
+}
+
 static void smmuv3_iommu_memory_region_class_init(ObjectClass *klass,
                                                   void *data)
 {
     IOMMUMemoryRegionClass *imrc = IOMMU_MEMORY_REGION_CLASS(klass);
 
     imrc->translate = smmuv3_translate;
+    imrc->notify_flag_changed = smmuv3_notify_flag_changed;
 }
 
 static const TypeInfo smmuv3_type_info = {
-- 
2.17.0

From: Eric Auger <eric.auger@redhat.com>

In case the MSI is translated by an IOMMU we need to fixup the
MSI route with the translated address.

Signed-off-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Bharat Bhushan <Bharat.Bhushan@nxp.com>
Message-id: 1524665762-31355-12-git-send-email-eric.auger@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/kvm.c        | 38 +++++++++++++++++++++++++++++++++++++-
 target/arm/trace-events |  3 +++
 2 files changed, 40 insertions(+), 1 deletion(-)

diff --git a/target/arm/kvm.c b/target/arm/kvm.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm.c
+++ b/target/arm/kvm.c
@@ -XXX,XX +XXX,XX @@
 #include "sysemu/kvm.h"
 #include "kvm_arm.h"
 #include "cpu.h"
+#include "trace.h"
 #include "internals.h"
 #include "hw/arm/arm.h"
+#include "hw/pci/pci.h"
 #include "exec/memattrs.h"
 #include "exec/address-spaces.h"
 #include "hw/boards.h"
@@ -XXX,XX +XXX,XX @@ int kvm_arm_vgic_probe(void)
 int kvm_arch_fixup_msi_route(struct kvm_irq_routing_entry *route,
                              uint64_t address, uint32_t data, PCIDevice *dev)
 {
-    return 0;
+    AddressSpace *as = pci_device_iommu_address_space(dev);
+    hwaddr xlat, len, doorbell_gpa;
+    MemoryRegionSection mrs;
+    MemoryRegion *mr;
+    int ret = 1;
+
+    if (as == &address_space_memory) {
+        return 0;
+    }
+
+    /* MSI doorbell address is translated by an IOMMU */
+
+    rcu_read_lock();
+    mr = address_space_translate(as, address, &xlat, &len, true);
+    if (!mr) {
+        goto unlock;
+    }
+    mrs = memory_region_find(mr, xlat, 1);
+    if (!mrs.mr) {
+        goto unlock;
+    }
+
+    doorbell_gpa = mrs.offset_within_address_space;
+    memory_region_unref(mrs.mr);
+
+    route->u.msi.address_lo = doorbell_gpa;
+    route->u.msi.address_hi = doorbell_gpa >> 32;
+
+    trace_kvm_arm_fixup_msi_route(address, doorbell_gpa);
+
+    ret = 0;
+
+unlock:
+    rcu_read_unlock();
+    return ret;
 }
 
 int kvm_arch_add_msi_route_post(struct kvm_irq_routing_entry *route,
diff --git a/target/arm/trace-events b/target/arm/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/trace-events
+++ b/target/arm/trace-events
@@ -XXX,XX +XXX,XX @@ arm_gt_tval_write(int timer, uint64_t value) "gt_tval_write: timer %d value 0x%"
 arm_gt_ctl_write(int timer, uint64_t value) "gt_ctl_write: timer %d value 0x%" PRIx64
 arm_gt_imask_toggle(int timer, int irqstate) "gt_ctl_write: timer %d IMASK toggle, new irqstate %d"
 arm_gt_cntvoff_write(uint64_t value) "gt_cntvoff_write: value 0x%" PRIx64
+
+# target/arm/kvm.c
+kvm_arm_fixup_msi_route(uint64_t iova, uint64_t gpa) "MSI iova = 0x%"PRIx64" is translated into 0x%"PRIx64
-- 
2.17.0

From: Prem Mallappa <prem.mallappa@broadcom.com>

Add code to instantiate an smmuv3 in virt machine. A new iommu
integer member is introduced in VirtMachineState to store the type
of the iommu in use.

diff --git a/include/hw/arm/virt.h b/include/hw/arm/virt.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/virt.h
+++ b/include/hw/arm/virt.h
@@ -XXX,XX +XXX,XX @@
 
 #define NUM_GICV2M_SPIS       64
 #define NUM_VIRTIO_TRANSPORTS 32
+#define NUM_SMMU_IRQS          4
 
 #define ARCH_GICV3_MAINT_IRQ  9
 
@@ -XXX,XX +XXX,XX @@ enum {
     VIRT_GIC_V2M,
     VIRT_GIC_ITS,
     VIRT_GIC_REDIST,
+    VIRT_SMMU,
     VIRT_UART,
     VIRT_MMIO,
     VIRT_RTC,
@@ -XXX,XX +XXX,XX @@ enum {
     VIRT_SECURE_MEM,
 };
 
+typedef enum VirtIOMMUType {
+    VIRT_IOMMU_NONE,
+    VIRT_IOMMU_SMMUV3,
+    VIRT_IOMMU_VIRTIO,
+} VirtIOMMUType;
+
 typedef struct MemMapEntry {
     hwaddr base;
     hwaddr size;
@@ -XXX,XX +XXX,XX @@ typedef struct {
     bool its;
     bool virt;
     int32_t gic_version;
+    VirtIOMMUType iommu;
     struct arm_boot_info bootinfo;
     const MemMapEntry *memmap;
     const int *irqmap;
@@ -XXX,XX +XXX,XX @@ typedef struct {
     uint32_t clock_phandle;
     uint32_t gic_phandle;
     uint32_t msi_phandle;
+    uint32_t iommu_phandle;
     int psci_conduit;
 } VirtMachineState;
 
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/smbios/smbios.h"
 #include "qapi/visitor.h"
 #include "standard-headers/linux/input.h"
+#include "hw/arm/smmuv3.h"
 
 #define DEFINE_VIRT_MACHINE_LATEST(major, minor, latest) \
     static void virt_##major##_##minor##_class_init(ObjectClass *oc, \
@@ -XXX,XX +XXX,XX @@ static const MemMapEntry a15memmap[] = {
     [VIRT_FW_CFG] =             { 0x09020000, 0x00000018 },
     [VIRT_GPIO] =               { 0x09030000, 0x00001000 },
     [VIRT_SECURE_UART] =        { 0x09040000, 0x00001000 },
+    [VIRT_SMMU] =               { 0x09050000, 0x00020000 },
     [VIRT_MMIO] =               { 0x0a000000, 0x00000200 },
     /* ...repeating for a total of NUM_VIRTIO_TRANSPORTS, each of that size */
     [VIRT_PLATFORM_BUS] =       { 0x0c000000, 0x02000000 },
@@ -XXX,XX +XXX,XX @@ static const int a15irqmap[] = {
     [VIRT_SECURE_UART] = 8,
     [VIRT_MMIO] = 16, /* ...to 16 + NUM_VIRTIO_TRANSPORTS - 1 */
     [VIRT_GIC_V2M] = 48, /* ...to 48 + NUM_GICV2M_SPIS - 1 */
+    [VIRT_SMMU] = 74,    /* ...to 74 + NUM_SMMU_IRQS - 1 */
     [VIRT_PLATFORM_BUS] = 112, /* ...to 112 + PLATFORM_BUS_NUM_IRQS -1 */
 };
 
@@ -XXX,XX +XXX,XX @@ static void create_pcie_irq_map(const VirtMachineState *vms,
                            0x7           /* PCI irq */);
 }
 
-static void create_pcie(const VirtMachineState *vms, qemu_irq *pic)
+static void create_smmu(const VirtMachineState *vms, qemu_irq *pic,
+                        PCIBus *bus)
+{
+    char *node;
+    const char compat[] = "arm,smmu-v3";
+    int irq =  vms->irqmap[VIRT_SMMU];
+    int i;
+    hwaddr base = vms->memmap[VIRT_SMMU].base;
+    hwaddr size = vms->memmap[VIRT_SMMU].size;
+    const char irq_names[] = "eventq\0priq\0cmdq-sync\0gerror";
+    DeviceState *dev;
+
+    if (vms->iommu != VIRT_IOMMU_SMMUV3 || !vms->iommu_phandle) {
+        return;
+    }
+
+    dev = qdev_create(NULL, "arm-smmuv3");
+
+    object_property_set_link(OBJECT(dev), OBJECT(bus), "primary-bus",
+                             &error_abort);
+    qdev_init_nofail(dev);
+    sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, base);
+    for (i = 0; i < NUM_SMMU_IRQS; i++) {
+        sysbus_connect_irq(SYS_BUS_DEVICE(dev), i, pic[irq + i]);
+    }
+
+    node = g_strdup_printf("/smmuv3@%" PRIx64, base);
+    qemu_fdt_add_subnode(vms->fdt, node);
+    qemu_fdt_setprop(vms->fdt, node, "compatible", compat, sizeof(compat));
+    qemu_fdt_setprop_sized_cells(vms->fdt, node, "reg", 2, base, 2, size);
+
+    qemu_fdt_setprop_cells(vms->fdt, node, "interrupts",
+            GIC_FDT_IRQ_TYPE_SPI, irq    , GIC_FDT_IRQ_FLAGS_EDGE_LO_HI,
+            GIC_FDT_IRQ_TYPE_SPI, irq + 1, GIC_FDT_IRQ_FLAGS_EDGE_LO_HI,
+            GIC_FDT_IRQ_TYPE_SPI, irq + 2, GIC_FDT_IRQ_FLAGS_EDGE_LO_HI,
+            GIC_FDT_IRQ_TYPE_SPI, irq + 3, GIC_FDT_IRQ_FLAGS_EDGE_LO_HI);
+
+    qemu_fdt_setprop(vms->fdt, node, "interrupt-names", irq_names,
+                     sizeof(irq_names));
+
+    qemu_fdt_setprop_cell(vms->fdt, node, "clocks", vms->clock_phandle);
+    qemu_fdt_setprop_string(vms->fdt, node, "clock-names", "apb_pclk");
+    qemu_fdt_setprop(vms->fdt, node, "dma-coherent", NULL, 0);
+
+    qemu_fdt_setprop_cell(vms->fdt, node, "#iommu-cells", 1);
+
+    qemu_fdt_setprop_cell(vms->fdt, node, "phandle", vms->iommu_phandle);
+    g_free(node);
+}
+
+static void create_pcie(VirtMachineState *vms, qemu_irq *pic)
 {
     hwaddr base_mmio = vms->memmap[VIRT_PCIE_MMIO].base;
     hwaddr size_mmio = vms->memmap[VIRT_PCIE_MMIO].size;
@@ -XXX,XX +XXX,XX @@ static void create_pcie(const VirtMachineState *vms, qemu_irq *pic)
     qemu_fdt_setprop_cell(vms->fdt, nodename, "#interrupt-cells", 1);
     create_pcie_irq_map(vms, vms->gic_phandle, irq, nodename);
 
+    if (vms->iommu) {
+        vms->iommu_phandle = qemu_fdt_alloc_phandle(vms->fdt);
+
+        create_smmu(vms, pic, pci->bus);
+
+        qemu_fdt_setprop_cells(vms->fdt, nodename, "iommu-map",
+                               0x0, vms->iommu_phandle, 0x0, 0x10000);
+    }
+
     g_free(nodename);
 }
 
-- 
2.17.0

From: Prem Mallappa <prem.mallappa@broadcom.com>

This patch builds the smmuv3 node in the ACPI IORT table.

The RID space of the root complex, which spans 0x0-0x10000
maps to streamid space 0x0-0x10000 in smmuv3, which in turn
maps to deviceid space 0x0-0x10000 in the ITS group.

The guest must feature the IOMMU probe deferral series
(https://lkml.org/lkml/2017/4/10/214) which fixes streamid
multiple lookup. This bug is not related to the SMMU emulation.

Signed-off-by: Prem Mallappa <prem.mallappa@broadcom.com>
Signed-off-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Shannon Zhao <zhaoshenglong@huawei.com>
Message-id: 1524665762-31355-14-git-send-email-eric.auger@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/acpi/acpi-defs.h | 15 ++++++++++
 hw/arm/virt-acpi-build.c    | 55 ++++++++++++++++++++++++++++++++-----
 2 files changed, 63 insertions(+), 7 deletions(-)

diff --git a/include/hw/acpi/acpi-defs.h b/include/hw/acpi/acpi-defs.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/acpi/acpi-defs.h
+++ b/include/hw/acpi/acpi-defs.h
@@ -XXX,XX +XXX,XX @@ struct AcpiIortItsGroup {
 } QEMU_PACKED;
 typedef struct AcpiIortItsGroup AcpiIortItsGroup;
 
+struct AcpiIortSmmu3 {
+    ACPI_IORT_NODE_HEADER_DEF
+    uint64_t base_address;
+    uint32_t flags;
+    uint32_t reserved2;
+    uint64_t vatos_address;
+    uint32_t model;
+    uint32_t event_gsiv;
+    uint32_t pri_gsiv;
+    uint32_t gerr_gsiv;
+    uint32_t sync_gsiv;
+    AcpiIortIdMapping id_mapping_array[0];
+} QEMU_PACKED;
+typedef struct AcpiIortSmmu3 AcpiIortSmmu3;
+
 struct AcpiIortRC {
     ACPI_IORT_NODE_HEADER_DEF
     AcpiIortMemoryAccess memory_properties;
diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt-acpi-build.c
+++ b/hw/arm/virt-acpi-build.c
@@ -XXX,XX +XXX,XX @@ build_rsdp(GArray *rsdp_table, BIOSLinker *linker, unsigned xsdt_tbl_offset)
 }
 
 static void
-build_iort(GArray *table_data, BIOSLinker *linker)
+build_iort(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
 {
-    int iort_start = table_data->len;
+    int nb_nodes, iort_start = table_data->len;
     AcpiIortIdMapping *idmap;
     AcpiIortItsGroup *its;
     AcpiIortTable *iort;
-    size_t node_size, iort_length;
+    AcpiIortSmmu3 *smmu;
+    size_t node_size, iort_length, smmu_offset = 0;
     AcpiIortRC *rc;
 
     iort = acpi_data_push(table_data, sizeof(*iort));
 
+    if (vms->iommu == VIRT_IOMMU_SMMUV3) {
+        nb_nodes = 3; /* RC, ITS, SMMUv3 */
+    } else {
+        nb_nodes = 2; /* RC, ITS */
+    }
+
     iort_length = sizeof(*iort);
-    iort->node_count = cpu_to_le32(2); /* RC and ITS nodes */
+    iort->node_count = cpu_to_le32(nb_nodes);
     iort->node_offset = cpu_to_le32(sizeof(*iort));
 
     /* ITS group node */
@@ -XXX,XX +XXX,XX @@ build_iort(GArray *table_data, BIOSLinker *linker)
     its->its_count = cpu_to_le32(1);
     its->identifiers[0] = 0; /* MADT translation_id */
 
+    if (vms->iommu == VIRT_IOMMU_SMMUV3) {
+        int irq =  vms->irqmap[VIRT_SMMU];
+
+        /* SMMUv3 node */
+        smmu_offset = iort->node_offset + node_size;
+        node_size = sizeof(*smmu) + sizeof(*idmap);
+        iort_length += node_size;
+        smmu = acpi_data_push(table_data, node_size);
+
+        smmu->type = ACPI_IORT_NODE_SMMU_V3;
+        smmu->length = cpu_to_le16(node_size);
+        smmu->mapping_count = cpu_to_le32(1);
+        smmu->mapping_offset = cpu_to_le32(sizeof(*smmu));
+        smmu->base_address = cpu_to_le64(vms->memmap[VIRT_SMMU].base);
+        smmu->event_gsiv = cpu_to_le32(irq);
+        smmu->pri_gsiv = cpu_to_le32(irq + 1);
+        smmu->gerr_gsiv = cpu_to_le32(irq + 2);
+        smmu->sync_gsiv = cpu_to_le32(irq + 3);
+
+        /* Identity RID mapping covering the whole input RID range */
+        idmap = &smmu->id_mapping_array[0];
+        idmap->input_base = 0;
+        idmap->id_count = cpu_to_le32(0xFFFF);
+        idmap->output_base = 0;
+        /* output IORT node is the ITS group node (the first node) */
+        idmap->output_reference = cpu_to_le32(iort->node_offset);
+    }
+
     /* Root Complex Node */
     node_size = sizeof(*rc) + sizeof(*idmap);
     iort_length += node_size;
@@ -XXX,XX +XXX,XX @@ build_iort(GArray *table_data, BIOSLinker *linker)
     idmap->input_base = 0;
     idmap->id_count = cpu_to_le32(0xFFFF);
     idmap->output_base = 0;
-    /* output IORT node is the ITS group node (the first node) */
-    idmap->output_reference = cpu_to_le32(iort->node_offset);
+
+    if (vms->iommu == VIRT_IOMMU_SMMUV3) {
+        /* output IORT node is the smmuv3 node */
+        idmap->output_reference = cpu_to_le32(smmu_offset);
+    } else {
+        /* output IORT node is the ITS group node (the first node) */
+        idmap->output_reference = cpu_to_le32(iort->node_offset);
+    }
 
     iort->length = cpu_to_le32(iort_length);
 
@@ -XXX,XX +XXX,XX @@ void virt_acpi_build(VirtMachineState *vms, AcpiBuildTables *tables)
 
     if (its_class_name() && !vmc->no_its) {
         acpi_add_table(table_offsets, tables_blob);
-        build_iort(tables_blob, tables->linker);
+        build_iort(tables_blob, tables->linker, vms);
     }
 
     /* XSDT is pointed to by RSDP */
-- 
2.17.0

From: Eric Auger <eric.auger@redhat.com>

ARM virt machine now exposes a new "iommu" option.
The SMMUv3 IOMMU is instantiated using -machine virt,iommu=smmuv3.

diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@ static void virt_set_gic_version(Object *obj, const char *value, Error **errp)
     }
 }
 
+static char *virt_get_iommu(Object *obj, Error **errp)
+{
+    VirtMachineState *vms = VIRT_MACHINE(obj);
+
+    switch (vms->iommu) {
+    case VIRT_IOMMU_NONE:
+        return g_strdup("none");
+    case VIRT_IOMMU_SMMUV3:
+        return g_strdup("smmuv3");
+    default:
+        g_assert_not_reached();
+    }
+}
+
+static void virt_set_iommu(Object *obj, const char *value, Error **errp)
+{
+    VirtMachineState *vms = VIRT_MACHINE(obj);
+
+    if (!strcmp(value, "smmuv3")) {
+        vms->iommu = VIRT_IOMMU_SMMUV3;
+    } else if (!strcmp(value, "none")) {
+        vms->iommu = VIRT_IOMMU_NONE;
+    } else {
+        error_setg(errp, "Invalid iommu value");
+        error_append_hint(errp, "Valid values are none, smmuv3.\n");
+    }
+}
+
 static CpuInstanceProperties
 virt_cpu_index_to_props(MachineState *ms, unsigned cpu_index)
 {
@@ -XXX,XX +XXX,XX @@ static void virt_2_12_instance_init(Object *obj)
                                         NULL);
     }
 
+    /* Default disallows iommu instantiation */
+    vms->iommu = VIRT_IOMMU_NONE;
+    object_property_add_str(obj, "iommu", virt_get_iommu, virt_set_iommu, NULL);
+    object_property_set_description(obj, "iommu",
+                                    "Set the IOMMU type. "
+                                    "Valid values are none and smmuv3",
+                                    NULL);
+
     vms->memmap = a15memmap;
     vms->irqmap = a15irqmap;
 }
-- 
2.17.0

I don't have anything else queued up at the moment, so this is just
Richard's SME patches.

-- PMM

The following changes since commit 63b38f6c85acd312c2cab68554abf33adf4ee2b3:

Merge tag 'pull-target-arm-20220707' of https://git.linaro.org/people/pmaydell/qemu-arm into staging (2022-07-08 06:17:11 +0530)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20220711

for you to fetch changes up to f9982ceaf26df27d15547a3a7990a95019e9e3a8:

linux-user/aarch64: Add SME related hwcap entries (2022-07-11 13:43:52 +0100)

----------------------------------------------------------------
target-arm:
 * Implement SME emulation, for both system and linux-user

----------------------------------------------------------------
Richard Henderson (45):
      target/arm: Handle SME in aarch64_cpu_dump_state
      target/arm: Add infrastructure for disas_sme
      target/arm: Trap non-streaming usage when Streaming SVE is active
      target/arm: Mark ADR as non-streaming
      target/arm: Mark RDFFR, WRFFR, SETFFR as non-streaming
      target/arm: Mark BDEP, BEXT, BGRP, COMPACT, FEXPA, FTSSEL as non-streaming
      target/arm: Mark PMULL, FMMLA as non-streaming
      target/arm: Mark FTSMUL, FTMAD, FADDA as non-streaming
      target/arm: Mark SMMLA, UMMLA, USMMLA as non-streaming
      target/arm: Mark string/histo/crypto as non-streaming
      target/arm: Mark gather/scatter load/store as non-streaming
      target/arm: Mark gather prefetch as non-streaming
      target/arm: Mark LDFF1 and LDNF1 as non-streaming
      target/arm: Mark LD1RO as non-streaming
      target/arm: Add SME enablement checks
      target/arm: Handle SME in sve_access_check
      target/arm: Implement SME RDSVL, ADDSVL, ADDSPL
      target/arm: Implement SME ZERO
      target/arm: Implement SME MOVA
      target/arm: Implement SME LD1, ST1
      target/arm: Export unpredicated ld/st from translate-sve.c
      target/arm: Implement SME LDR, STR
      target/arm: Implement SME ADDHA, ADDVA
      target/arm: Implement FMOPA, FMOPS (non-widening)
      target/arm: Implement BFMOPA, BFMOPS
      target/arm: Implement FMOPA, FMOPS (widening)
      target/arm: Implement SME integer outer product
      target/arm: Implement PSEL
      target/arm: Implement REVD
      target/arm: Implement SCLAMP, UCLAMP
      target/arm: Reset streaming sve state on exception boundaries
      target/arm: Enable SME for -cpu max
      linux-user/aarch64: Clear tpidr2_el0 if CLONE_SETTLS
      linux-user/aarch64: Reset PSTATE.SM on syscalls
      linux-user/aarch64: Add SM bit to SVE signal context
      linux-user/aarch64: Tidy target_restore_sigframe error return
      linux-user/aarch64: Do not allow duplicate or short sve records
      linux-user/aarch64: Verify extra record lock succeeded
      linux-user/aarch64: Move sve record checks into restore
      linux-user/aarch64: Implement SME signal handling
      linux-user: Rename sve prctls
      linux-user/aarch64: Implement PR_SME_GET_VL, PR_SME_SET_VL
      target/arm: Only set ZEN in reset if SVE present
      target/arm: Enable SME for user-only
      linux-user/aarch64: Add SME related hwcap entries

From: Richard Henderson <richard.henderson@linaro.org>

Dump SVCR, plus use the correct access check for Streaming Mode.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-2-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_cpu_dump_state(CPUState *cs, FILE *f, int flags)
     int i;
     int el = arm_current_el(env);
     const char *ns_status;
+    bool sve;
 
     qemu_fprintf(f, " PC=%016" PRIx64 " ", env->pc);
     for (i = 0; i < 32; i++) {
@@ -XXX,XX +XXX,XX @@ static void aarch64_cpu_dump_state(CPUState *cs, FILE *f, int flags)
                  el,
                  psr & PSTATE_SP ? 'h' : 't');
 
+    if (cpu_isar_feature(aa64_sme, cpu)) {
+        qemu_fprintf(f, "  SVCR=%08" PRIx64 " %c%c",
+                     env->svcr,
+                     (FIELD_EX64(env->svcr, SVCR, ZA) ? 'Z' : '-'),
+                     (FIELD_EX64(env->svcr, SVCR, SM) ? 'S' : '-'));
+    }
     if (cpu_isar_feature(aa64_bti, cpu)) {
         qemu_fprintf(f, "  BTYPE=%d", (psr & PSTATE_BTYPE) >> 10);
     }
@@ -XXX,XX +XXX,XX @@ static void aarch64_cpu_dump_state(CPUState *cs, FILE *f, int flags)
     qemu_fprintf(f, "     FPCR=%08x FPSR=%08x\n",
                  vfp_get_fpcr(env), vfp_get_fpsr(env));
 
-    if (cpu_isar_feature(aa64_sve, cpu) && sve_exception_el(env, el) == 0) {
+    if (cpu_isar_feature(aa64_sme, cpu) && FIELD_EX64(env->svcr, SVCR, SM)) {
+        sve = sme_exception_el(env, el) == 0;
+    } else if (cpu_isar_feature(aa64_sve, cpu)) {
+        sve = sve_exception_el(env, el) == 0;
+    } else {
+        sve = false;
+    }
+
+    if (sve) {
         int j, zcr_len = sve_vqm1_for_el(env, el);
 
         for (i = 0; i <= FFR_PRED_NUM; i++) {
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

This includes the build rules for the decoder, and the
new file for translation, but excludes any instructions.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-3-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.h |  1 +
 target/arm/sme.decode      | 20 ++++++++++++++++++++
 target/arm/translate-a64.c |  7 ++++++-
 target/arm/translate-sme.c | 35 +++++++++++++++++++++++++++++++++++
 target/arm/meson.build     |  2 ++
 5 files changed, 64 insertions(+), 1 deletion(-)
 create mode 100644 target/arm/sme.decode
 create mode 100644 target/arm/translate-sme.c

diff --git a/target/arm/translate-a64.h b/target/arm/translate-a64.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.h
+++ b/target/arm/translate-a64.h
@@ -XXX,XX +XXX,XX @@ static inline int pred_gvec_reg_size(DisasContext *s)
 }
 
 bool disas_sve(DisasContext *, uint32_t);
+bool disas_sme(DisasContext *, uint32_t);
 
 void gen_gvec_rax1(unsigned vece, uint32_t rd_ofs, uint32_t rn_ofs,
                    uint32_t rm_ofs, uint32_t opr_sz, uint32_t max_sz);
diff --git a/target/arm/sme.decode b/target/arm/sme.decode
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/target/arm/sme.decode
@@ -XXX,XX +XXX,XX @@
+# AArch64 SME instruction descriptions
+#
+#  Copyright (c) 2022 Linaro, Ltd
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, see <http://www.gnu.org/licenses/>.
+
+#
+# This file is processed by scripts/decodetree.py
+#
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
     }
 
     switch (extract32(insn, 25, 4)) {
-    case 0x0: case 0x1: case 0x3: /* UNALLOCATED */
+    case 0x0:
+        if (!extract32(insn, 31, 1) || !disas_sme(s, insn)) {
+            unallocated_encoding(s);
+        }
+        break;
+    case 0x1: case 0x3: /* UNALLOCATED */
         unallocated_encoding(s);
         break;
     case 0x2:
diff --git a/target/arm/translate-sme.c b/target/arm/translate-sme.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/target/arm/translate-sme.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * AArch64 SME translation
+ *
+ * Copyright (c) 2022 Linaro, Ltd
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "qemu/osdep.h"
+#include "cpu.h"
+#include "tcg/tcg-op.h"
+#include "tcg/tcg-op-gvec.h"
+#include "tcg/tcg-gvec-desc.h"
+#include "translate.h"
+#include "exec/helper-gen.h"
+#include "translate-a64.h"
+#include "fpu/softfloat.h"
+
+
+/*
+ * Include the generated decoder.
+ */
+
+#include "decode-sme.c.inc"
diff --git a/target/arm/meson.build b/target/arm/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/meson.build
+++ b/target/arm/meson.build
@@ -XXX,XX +XXX,XX @@
 gen = [
   decodetree.process('sve.decode', extra_args: '--decode=disas_sve'),
+  decodetree.process('sme.decode', extra_args: '--decode=disas_sme'),
   decodetree.process('neon-shared.decode', extra_args: '--decode=disas_neon_shared'),
   decodetree.process('neon-dp.decode', extra_args: '--decode=disas_neon_dp'),
   decodetree.process('neon-ls.decode', extra_args: '--decode=disas_neon_ls'),
@@ -XXX,XX +XXX,XX @@ arm_ss.add(when: 'TARGET_AARCH64', if_true: files(
   'sme_helper.c',
   'translate-a64.c',
   'translate-sve.c',
+  'translate-sme.c',
 ))
 
 arm_softmmu_ss = ss.source_set()
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

This new behaviour is in the ARM pseudocode function
AArch64.CheckFPAdvSIMDEnabled, which applies to AArch32
via AArch32.CheckAdvSIMDOrFPEnabled when the EL to which
the trap would be delivered is in AArch64 mode.

Given that ARMv9 drops support for AArch32 outside EL0, the trap EL
detection ought to be trivially true, but the pseudocode still contains
a number of conditions, and QEMU has not yet committed to dropping A32
support for EL[12] when v9 features are present.

Since the computation of SME_TRAP_NONSTREAMING is necessarily different
for the two modes, we might as well preserve bits within TBFLAG_ANY and
allocate separate bits within TBFLAG_A32 and TBFLAG_A64 instead.

Note that DDI0616A.a has typos for bits [22:21] of LD1RO in the table
of instructions illegal in streaming mode.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-4-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h           |  7 +++
 target/arm/translate.h     |  4 ++
 target/arm/sme-fa64.decode | 90 ++++++++++++++++++++++++++++++++++++++
 target/arm/helper.c        | 41 +++++++++++++++++
 target/arm/translate-a64.c | 40 ++++++++++++++++-
 target/arm/translate-vfp.c | 12 +++++
 target/arm/translate.c     |  2 +
 target/arm/meson.build     |  1 +
 8 files changed, 195 insertions(+), 2 deletions(-)
 create mode 100644 target/arm/sme-fa64.decode

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ FIELD(TBFLAG_A32, HSTR_ACTIVE, 9, 1)
  * the same thing as the current security state of the processor!
  */
 FIELD(TBFLAG_A32, NS, 10, 1)
+/*
+ * Indicates that SME Streaming mode is active, and SMCR_ELx.FA64 is not.
+ * This requires an SME trap from AArch32 mode when using NEON.
+ */
+FIELD(TBFLAG_A32, SME_TRAP_NONSTREAMING, 11, 1)
 
 /*
  * Bit usage when in AArch32 state, for M-profile only.
@@ -XXX,XX +XXX,XX @@ FIELD(TBFLAG_A64, SMEEXC_EL, 20, 2)
 FIELD(TBFLAG_A64, PSTATE_SM, 22, 1)
 FIELD(TBFLAG_A64, PSTATE_ZA, 23, 1)
 FIELD(TBFLAG_A64, SVL, 24, 4)
+/* Indicates that SME Streaming mode is active, and SMCR_ELx.FA64 is not. */
+FIELD(TBFLAG_A64, SME_TRAP_NONSTREAMING, 28, 1)
 
 /*
  * Helpers for using the above.
diff --git a/target/arm/translate.h b/target/arm/translate.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.h
+++ b/target/arm/translate.h
@@ -XXX,XX +XXX,XX @@ typedef struct DisasContext {
     bool pstate_sm;
     /* True if PSTATE.ZA is set. */
     bool pstate_za;
+    /* True if non-streaming insns should raise an SME Streaming exception. */
+    bool sme_trap_nonstreaming;
+    /* True if the current instruction is non-streaming. */
+    bool is_nonstreaming;
     /* True if MVE insns are definitely not predicated by VPR or LTPSIZE */
     bool mve_no_pred;
     /*
diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/target/arm/sme-fa64.decode
@@ -XXX,XX +XXX,XX @@
+# AArch64 SME allowed instruction decoding
+#
+#  Copyright (c) 2022 Linaro, Ltd
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, see <http://www.gnu.org/licenses/>.
+
+#
+# This file is processed by scripts/decodetree.py
+#
+
+# These patterns are taken from Appendix E1.1 of DDI0616 A.a,
+# Arm Architecture Reference Manual Supplement,
+# The Scalable Matrix Extension (SME), for Armv9-A
+
+{
+  [
+    OK  0-00 1110 0000 0001 0010 11-- ---- ----   # SMOV W|Xd,Vn.B[0]
+    OK  0-00 1110 0000 0010 0010 11-- ---- ----   # SMOV W|Xd,Vn.H[0]
+    OK  0100 1110 0000 0100 0010 11-- ---- ----   # SMOV Xd,Vn.S[0]
+    OK  0000 1110 0000 0001 0011 11-- ---- ----   # UMOV Wd,Vn.B[0]
+    OK  0000 1110 0000 0010 0011 11-- ---- ----   # UMOV Wd,Vn.H[0]
+    OK  0000 1110 0000 0100 0011 11-- ---- ----   # UMOV Wd,Vn.S[0]
+    OK  0100 1110 0000 1000 0011 11-- ---- ----   # UMOV Xd,Vn.D[0]
+  ]
+  FAIL  0--0 111- ---- ---- ---- ---- ---- ----   # Advanced SIMD vector operations
+}
+
+{
+  [
+    OK  0101 1110 --1- ---- 11-1 11-- ---- ----   # FMULX/FRECPS/FRSQRTS (scalar)
+    OK  0101 1110 -10- ---- 00-1 11-- ---- ----   # FMULX/FRECPS/FRSQRTS (scalar, FP16)
+    OK  01-1 1110 1-10 0001 11-1 10-- ---- ----   # FRECPE/FRSQRTE/FRECPX (scalar)
+    OK  01-1 1110 1111 1001 11-1 10-- ---- ----   # FRECPE/FRSQRTE/FRECPX (scalar, FP16)
+  ]
+  FAIL  01-1 111- ---- ---- ---- ---- ---- ----   # Advanced SIMD single-element operations
+}
+
+FAIL    0-00 110- ---- ---- ---- ---- ---- ----   # Advanced SIMD structure load/store
+FAIL    1100 1110 ---- ---- ---- ---- ---- ----   # Advanced SIMD cryptography extensions
+FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
+
+# These are the "avoidance of doubt" final table of Illegal Advanced SIMD instructions
+# We don't actually need to include these, as the default is OK.
+#       -001 111- ---- ---- ---- ---- ---- ----   # Scalar floating-point operations
+#       --10 110- ---- ---- ---- ---- ---- ----   # Load/store pair of FP registers
+#       --01 1100 ---- ---- ---- ---- ---- ----   # Load FP register (PC-relative literal)
+#       --11 1100 --0- ---- ---- ---- ---- ----   # Load/store FP register (unscaled imm)
+#       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
+#       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
+
+FAIL    0000 0100 --1- ---- 1010 ---- ---- ----   # ADR
+FAIL    0000 0100 --1- ---- 1011 -0-- ---- ----   # FTSSEL, FEXPA
+FAIL    0000 0101 --10 0001 100- ---- ---- ----   # COMPACT
+FAIL    0010 0101 --01 100- 1111 000- ---0 ----   # RDFFR, RDFFRS
+FAIL    0010 0101 --10 1--- 1001 ---- ---- ----   # WRFFR, SETFFR
+FAIL    0100 0101 --0- ---- 1011 ---- ---- ----   # BDEP, BEXT, BGRP
+FAIL    0100 0101 000- ---- 0110 1--- ---- ----   # PMULLB, PMULLT (128b result)
+FAIL    0110 0100 --1- ---- 1110 01-- ---- ----   # FMMLA, BFMMLA
+FAIL    0110 0101 --0- ---- 0000 11-- ---- ----   # FTSMUL
+FAIL    0110 0101 --01 0--- 100- ---- ---- ----   # FTMAD
+FAIL    0110 0101 --01 1--- 001- ---- ---- ----   # FADDA
+FAIL    0100 0101 --0- ---- 1001 10-- ---- ----   # SMMLA, UMMLA, USMMLA
+FAIL    0100 0101 --1- ---- 1--- ---- ---- ----   # SVE2 string/histo/crypto instructions
+FAIL    1000 010- -00- ---- 10-- ---- ---- ----   # SVE2 32-bit gather NT load (vector+scalar)
+FAIL    1000 010- -00- ---- 111- ---- ---- ----   # SVE 32-bit gather prefetch (vector+imm)
+FAIL    1000 0100 0-1- ---- 0--- ---- ---- ----   # SVE 32-bit gather prefetch (scalar+vector)
+FAIL    1000 010- -01- ---- 1--- ---- ---- ----   # SVE 32-bit gather load (vector+imm)
+FAIL    1000 0100 0-0- ---- 0--- ---- ---- ----   # SVE 32-bit gather load byte (scalar+vector)
+FAIL    1000 0100 1--- ---- 0--- ---- ---- ----   # SVE 32-bit gather load half (scalar+vector)
+FAIL    1000 0101 0--- ---- 0--- ---- ---- ----   # SVE 32-bit gather load word (scalar+vector)
+FAIL    1010 010- ---- ---- 011- ---- ---- ----   # SVE contiguous FF load (scalar+scalar)
+FAIL    1010 010- ---1 ---- 101- ---- ---- ----   # SVE contiguous NF load (scalar+imm)
+FAIL    1010 010- -01- ---- 000- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+scalar)
+FAIL    1010 010- -010 ---- 001- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+imm)
+FAIL    1100 010- ---- ---- ---- ---- ---- ----   # SVE 64-bit gather load/prefetch
+FAIL    1110 010- -00- ---- 001- ---- ---- ----   # SVE2 64-bit scatter NT store (vector+scalar)
+FAIL    1110 010- -10- ---- 001- ---- ---- ----   # SVE2 32-bit scatter NT store (vector+scalar)
+FAIL    1110 010- ---- ---- 1-0- ---- ---- ----   # SVE scatter store (scalar+32-bit vector)
+FAIL    1110 010- ---- ---- 101- ---- ---- ----   # SVE scatter store (misc)
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ int sme_exception_el(CPUARMState *env, int el)
     return 0;
 }
 
+/* This corresponds to the ARM pseudocode function IsFullA64Enabled(). */
+static bool sme_fa64(CPUARMState *env, int el)
+{
+    if (!cpu_isar_feature(aa64_sme_fa64, env_archcpu(env))) {
+        return false;
+    }
+
+    if (el <= 1 && !el_is_in_host(env, el)) {
+        if (!FIELD_EX64(env->vfp.smcr_el[1], SMCR, FA64)) {
+            return false;
+        }
+    }
+    if (el <= 2 && arm_is_el2_enabled(env)) {
+        if (!FIELD_EX64(env->vfp.smcr_el[2], SMCR, FA64)) {
+            return false;
+        }
+    }
+    if (arm_feature(env, ARM_FEATURE_EL3)) {
+        if (!FIELD_EX64(env->vfp.smcr_el[3], SMCR, FA64)) {
+            return false;
+        }
+    }
+
+    return true;
+}
+
 /*
  * Given that SVE is enabled, return the vector length for EL.
  */
@@ -XXX,XX +XXX,XX @@ static CPUARMTBFlags rebuild_hflags_a32(CPUARMState *env, int fp_el,
         DP_TBFLAG_ANY(flags, PSTATE__IL, 1);
     }
 
+    /*
+     * The SME exception we are testing for is raised via
+     * AArch64.CheckFPAdvSIMDEnabled(), as called from
+     * AArch32.CheckAdvSIMDOrFPEnabled().
+     */
+    if (el == 0
+        && FIELD_EX64(env->svcr, SVCR, SM)
+        && (!arm_is_el2_enabled(env)
+            || (arm_el_is_aa64(env, 2) && !(env->cp15.hcr_el2 & HCR_TGE)))
+        && arm_el_is_aa64(env, 1)
+        && !sme_fa64(env, el)) {
+        DP_TBFLAG_A32(flags, SME_TRAP_NONSTREAMING, 1);
+    }
+
     return rebuild_hflags_common_32(env, fp_el, mmu_idx, flags);
 }
 
@@ -XXX,XX +XXX,XX @@ static CPUARMTBFlags rebuild_hflags_a64(CPUARMState *env, int el, int fp_el,
         }
         if (FIELD_EX64(env->svcr, SVCR, SM)) {
             DP_TBFLAG_A64(flags, PSTATE_SM, 1);
+            DP_TBFLAG_A64(flags, SME_TRAP_NONSTREAMING, !sme_fa64(env, el));
         }
         DP_TBFLAG_A64(flags, PSTATE_ZA, FIELD_EX64(env->svcr, SVCR, ZA));
     }
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void do_vec_ld(DisasContext *s, int destidx, int element,
  * unallocated-encoding checks (otherwise the syndrome information
  * for the resulting exception will be incorrect).
  */
-static bool fp_access_check(DisasContext *s)
+static bool fp_access_check_only(DisasContext *s)
 {
     if (s->fp_excp_el) {
         assert(!s->fp_access_checked);
@@ -XXX,XX +XXX,XX @@ static bool fp_access_check(DisasContext *s)
     return true;
 }
 
+static bool fp_access_check(DisasContext *s)
+{
+    if (!fp_access_check_only(s)) {
+        return false;
+    }
+    if (s->sme_trap_nonstreaming && s->is_nonstreaming) {
+        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
+                           syn_smetrap(SME_ET_Streaming, false));
+        return false;
+    }
+    return true;
+}
+
 /* Check that SVE access is enabled.  If it is, return true.
  * If not, emit code to generate an appropriate exception and return false.
  */
@@ -XXX,XX +XXX,XX @@ static void handle_sys(DisasContext *s, uint32_t insn, bool isread,
     default:
         g_assert_not_reached();
     }
-    if ((ri->type & ARM_CP_FPU) && !fp_access_check(s)) {
+    if ((ri->type & ARM_CP_FPU) && !fp_access_check_only(s)) {
         return;
     } else if ((ri->type & ARM_CP_SVE) && !sve_access_check(s)) {
         return;
@@ -XXX,XX +XXX,XX @@ static void disas_data_proc_simd_fp(DisasContext *s, uint32_t insn)
     }
 }
 
+/*
+ * Include the generated SME FA64 decoder.
+ */
+
+#include "decode-sme-fa64.c.inc"
+
+static bool trans_OK(DisasContext *s, arg_OK *a)
+{
+    return true;
+}
+
+static bool trans_FAIL(DisasContext *s, arg_OK *a)
+{
+    s->is_nonstreaming = true;
+    return true;
+}
+
 /**
  * is_guarded_page:
  * @env: The cpu environment
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_init_disas_context(DisasContextBase *dcbase,
     dc->mte_active[1] = EX_TBFLAG_A64(tb_flags, MTE0_ACTIVE);
     dc->pstate_sm = EX_TBFLAG_A64(tb_flags, PSTATE_SM);
     dc->pstate_za = EX_TBFLAG_A64(tb_flags, PSTATE_ZA);
+    dc->sme_trap_nonstreaming = EX_TBFLAG_A64(tb_flags, SME_TRAP_NONSTREAMING);
     dc->vec_len = 0;
     dc->vec_stride = 0;
     dc->cp_regs = arm_cpu->cp_regs;
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
         }
     }
 
+    s->is_nonstreaming = false;
+    if (s->sme_trap_nonstreaming) {
+        disas_sme_fa64(s, insn);
+    }
+
     switch (extract32(insn, 25, 4)) {
     case 0x0:
         if (!extract32(insn, 31, 1) || !disas_sme(s, insn)) {
diff --git a/target/arm/translate-vfp.c b/target/arm/translate-vfp.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-vfp.c
+++ b/target/arm/translate-vfp.c
@@ -XXX,XX +XXX,XX @@ static bool vfp_access_check_a(DisasContext *s, bool ignore_vfp_enabled)
         return false;
     }
 
+    /*
+     * Note that rebuild_hflags_a32 has already accounted for being in EL0
+     * and the higher EL in A64 mode, etc.  Unlike A64 mode, there do not
+     * appear to be any insns which touch VFP which are allowed.
+     */
+    if (s->sme_trap_nonstreaming) {
+        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
+                           syn_smetrap(SME_ET_Streaming,
+                                       s->base.pc_next - s->pc_curr == 2));
+        return false;
+    }
+
     if (!s->vfp_enabled && !ignore_vfp_enabled) {
         assert(!arm_dc_feature(s, ARM_FEATURE_M));
         unallocated_encoding(s);
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void arm_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
             dc->vec_len = EX_TBFLAG_A32(tb_flags, VECLEN);
             dc->vec_stride = EX_TBFLAG_A32(tb_flags, VECSTRIDE);
         }
+        dc->sme_trap_nonstreaming =
+            EX_TBFLAG_A32(tb_flags, SME_TRAP_NONSTREAMING);
     }
     dc->cp_regs = cpu->cp_regs;
     dc->features = env->features;
diff --git a/target/arm/meson.build b/target/arm/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/meson.build
+++ b/target/arm/meson.build
@@ -XXX,XX +XXX,XX @@
 gen = [
   decodetree.process('sve.decode', extra_args: '--decode=disas_sve'),
   decodetree.process('sme.decode', extra_args: '--decode=disas_sme'),
+  decodetree.process('sme-fa64.decode', extra_args: '--static-decode=disas_sme_fa64'),
   decodetree.process('neon-shared.decode', extra_args: '--decode=disas_neon_shared'),
   decodetree.process('neon-dp.decode', extra_args: '--decode=disas_neon_dp'),
   decodetree.process('neon-ls.decode', extra_args: '--decode=disas_neon_ls'),
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Mark ADR as a non-streaming instruction, which should trap
if full a64 support is not enabled in streaming mode.

Removing entries from sme-fa64.decode is an easy way to see
what remains to be done.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-5-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate.h     | 7 +++++++
 target/arm/sme-fa64.decode | 1 -
 target/arm/translate-sve.c | 8 ++++----
 3 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/target/arm/translate.h b/target/arm/translate.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.h
+++ b/target/arm/translate.h
@@ -XXX,XX +XXX,XX @@ uint64_t asimd_imm_const(uint32_t imm, int cmode, int op);
     static bool trans_##NAME(DisasContext *s, arg_##NAME *a) \
     { return dc_isar_feature(FEAT, s) && FUNC(s, __VA_ARGS__); }
 
+#define TRANS_FEAT_NONSTREAMING(NAME, FEAT, FUNC, ...)            \
+    static bool trans_##NAME(DisasContext *s, arg_##NAME *a)      \
+    {                                                             \
+        s->is_nonstreaming = true;                                \
+        return dc_isar_feature(FEAT, s) && FUNC(s, __VA_ARGS__);  \
+    }
+
 #endif /* TARGET_ARM_TRANSLATE_H */
diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sme-fa64.decode
+++ b/target/arm/sme-fa64.decode
@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
 #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
 #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
 
-FAIL    0000 0100 --1- ---- 1010 ---- ---- ----   # ADR
 FAIL    0000 0100 --1- ---- 1011 -0-- ---- ----   # FTSSEL, FEXPA
 FAIL    0000 0101 --10 0001 100- ---- ---- ----   # COMPACT
 FAIL    0010 0101 --01 100- 1111 000- ---0 ----   # RDFFR, RDFFRS
diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ static bool do_adr(DisasContext *s, arg_rrri *a, gen_helper_gvec_3 *fn)
     return gen_gvec_ool_zzz(s, fn, a->rd, a->rn, a->rm, a->imm);
 }
 
-TRANS_FEAT(ADR_p32, aa64_sve, do_adr, a, gen_helper_sve_adr_p32)
-TRANS_FEAT(ADR_p64, aa64_sve, do_adr, a, gen_helper_sve_adr_p64)
-TRANS_FEAT(ADR_s32, aa64_sve, do_adr, a, gen_helper_sve_adr_s32)
-TRANS_FEAT(ADR_u32, aa64_sve, do_adr, a, gen_helper_sve_adr_u32)
+TRANS_FEAT_NONSTREAMING(ADR_p32, aa64_sve, do_adr, a, gen_helper_sve_adr_p32)
+TRANS_FEAT_NONSTREAMING(ADR_p64, aa64_sve, do_adr, a, gen_helper_sve_adr_p64)
+TRANS_FEAT_NONSTREAMING(ADR_s32, aa64_sve, do_adr, a, gen_helper_sve_adr_s32)
+TRANS_FEAT_NONSTREAMING(ADR_u32, aa64_sve, do_adr, a, gen_helper_sve_adr_u32)
 
 /*
  *** SVE Integer Misc - Unpredicated Group
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Mark these as a non-streaming instructions, which should trap
if full a64 support is not enabled in streaming mode.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-6-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sme-fa64.decode | 2 --
 target/arm/translate-sve.c | 9 ++++++---
 2 files changed, 6 insertions(+), 5 deletions(-)

From: Richard Henderson <richard.henderson@linaro.org>

Mark these as a non-streaming instructions, which should trap
if full a64 support is not enabled in streaming mode.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-7-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sme-fa64.decode |  3 ---
 target/arm/translate-sve.c | 22 ++++++++++++----------
 2 files changed, 12 insertions(+), 13 deletions(-)

diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sme-fa64.decode
+++ b/target/arm/sme-fa64.decode
@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
 #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
 #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
 
-FAIL    0000 0100 --1- ---- 1011 -0-- ---- ----   # FTSSEL, FEXPA
-FAIL    0000 0101 --10 0001 100- ---- ---- ----   # COMPACT
-FAIL    0100 0101 --0- ---- 1011 ---- ---- ----   # BDEP, BEXT, BGRP
 FAIL    0100 0101 000- ---- 0110 1--- ---- ----   # PMULLB, PMULLT (128b result)
 FAIL    0110 0100 --1- ---- 1110 01-- ---- ----   # FMMLA, BFMMLA
 FAIL    0110 0101 --0- ---- 0000 11-- ---- ----   # FTSMUL
diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ static gen_helper_gvec_2 * const fexpa_fns[4] = {
     NULL,                   gen_helper_sve_fexpa_h,
     gen_helper_sve_fexpa_s, gen_helper_sve_fexpa_d,
 };
-TRANS_FEAT(FEXPA, aa64_sve, gen_gvec_ool_zz,
-           fexpa_fns[a->esz], a->rd, a->rn, 0)
+TRANS_FEAT_NONSTREAMING(FEXPA, aa64_sve, gen_gvec_ool_zz,
+                        fexpa_fns[a->esz], a->rd, a->rn, 0)
 
 static gen_helper_gvec_3 * const ftssel_fns[4] = {
     NULL,                    gen_helper_sve_ftssel_h,
     gen_helper_sve_ftssel_s, gen_helper_sve_ftssel_d,
 };
-TRANS_FEAT(FTSSEL, aa64_sve, gen_gvec_ool_arg_zzz, ftssel_fns[a->esz], a, 0)
+TRANS_FEAT_NONSTREAMING(FTSSEL, aa64_sve, gen_gvec_ool_arg_zzz,
+                        ftssel_fns[a->esz], a, 0)
 
 /*
  *** SVE Predicate Logical Operations Group
@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(TRN2_q, aa64_sve_f64mm, gen_gvec_ool_arg_zzz,
 static gen_helper_gvec_3 * const compact_fns[4] = {
     NULL, NULL, gen_helper_sve_compact_s, gen_helper_sve_compact_d
 };
-TRANS_FEAT(COMPACT, aa64_sve, gen_gvec_ool_arg_zpz, compact_fns[a->esz], a, 0)
+TRANS_FEAT_NONSTREAMING(COMPACT, aa64_sve, gen_gvec_ool_arg_zpz,
+                        compact_fns[a->esz], a, 0)
 
 /* Call the helper that computes the ARM LastActiveElement pseudocode
  * function, scaled by the element size.  This includes the not found
@@ -XXX,XX +XXX,XX @@ static gen_helper_gvec_3 * const bext_fns[4] = {
     gen_helper_sve2_bext_b, gen_helper_sve2_bext_h,
     gen_helper_sve2_bext_s, gen_helper_sve2_bext_d,
 };
-TRANS_FEAT(BEXT, aa64_sve2_bitperm, gen_gvec_ool_arg_zzz,
-           bext_fns[a->esz], a, 0)
+TRANS_FEAT_NONSTREAMING(BEXT, aa64_sve2_bitperm, gen_gvec_ool_arg_zzz,
+                        bext_fns[a->esz], a, 0)
 
 static gen_helper_gvec_3 * const bdep_fns[4] = {
     gen_helper_sve2_bdep_b, gen_helper_sve2_bdep_h,
     gen_helper_sve2_bdep_s, gen_helper_sve2_bdep_d,
 };
-TRANS_FEAT(BDEP, aa64_sve2_bitperm, gen_gvec_ool_arg_zzz,
-           bdep_fns[a->esz], a, 0)
+TRANS_FEAT_NONSTREAMING(BDEP, aa64_sve2_bitperm, gen_gvec_ool_arg_zzz,
+                        bdep_fns[a->esz], a, 0)
 
 static gen_helper_gvec_3 * const bgrp_fns[4] = {
     gen_helper_sve2_bgrp_b, gen_helper_sve2_bgrp_h,
     gen_helper_sve2_bgrp_s, gen_helper_sve2_bgrp_d,
 };
-TRANS_FEAT(BGRP, aa64_sve2_bitperm, gen_gvec_ool_arg_zzz,
-           bgrp_fns[a->esz], a, 0)
+TRANS_FEAT_NONSTREAMING(BGRP, aa64_sve2_bitperm, gen_gvec_ool_arg_zzz,
+                        bgrp_fns[a->esz], a, 0)
 
 static gen_helper_gvec_3 * const cadd_fns[4] = {
     gen_helper_sve2_cadd_b, gen_helper_sve2_cadd_h,
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Mark these as a non-streaming instructions, which should trap
if full a64 support is not enabled in streaming mode.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-8-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sme-fa64.decode |  2 --
 target/arm/translate-sve.c | 24 +++++++++++++++---------
 2 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sme-fa64.decode
+++ b/target/arm/sme-fa64.decode
@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
 #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
 #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
 
-FAIL    0100 0101 000- ---- 0110 1--- ---- ----   # PMULLB, PMULLT (128b result)
-FAIL    0110 0100 --1- ---- 1110 01-- ---- ----   # FMMLA, BFMMLA
 FAIL    0110 0101 --0- ---- 0000 11-- ---- ----   # FTSMUL
 FAIL    0110 0101 --01 0--- 100- ---- ---- ----   # FTMAD
 FAIL    0110 0101 --01 1--- 001- ---- ---- ----   # FADDA
diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ static bool do_trans_pmull(DisasContext *s, arg_rrr_esz *a, bool sel)
         gen_helper_gvec_pmull_q, gen_helper_sve2_pmull_h,
         NULL,                    gen_helper_sve2_pmull_d,
     };
-    if (a->esz == 0
-        ? !dc_isar_feature(aa64_sve2_pmull128, s)
-        : !dc_isar_feature(aa64_sve, s)) {
+
+    if (a->esz == 0) {
+        if (!dc_isar_feature(aa64_sve2_pmull128, s)) {
+            return false;
+        }
+        s->is_nonstreaming = true;
+    } else if (!dc_isar_feature(aa64_sve, s)) {
         return false;
     }
     return gen_gvec_ool_arg_zzz(s, fns[a->esz], a, sel);
@@ -XXX,XX +XXX,XX @@ DO_ZPZZ_FP(FMINP, aa64_sve2, sve2_fminp_zpzz)
  * SVE Integer Multiply-Add (unpredicated)
  */
 
-TRANS_FEAT(FMMLA_s, aa64_sve_f32mm, gen_gvec_fpst_zzzz, gen_helper_fmmla_s,
-           a->rd, a->rn, a->rm, a->ra, 0, FPST_FPCR)
-TRANS_FEAT(FMMLA_d, aa64_sve_f64mm, gen_gvec_fpst_zzzz, gen_helper_fmmla_d,
-           a->rd, a->rn, a->rm, a->ra, 0, FPST_FPCR)
+TRANS_FEAT_NONSTREAMING(FMMLA_s, aa64_sve_f32mm, gen_gvec_fpst_zzzz,
+                        gen_helper_fmmla_s, a->rd, a->rn, a->rm, a->ra,
+                        0, FPST_FPCR)
+TRANS_FEAT_NONSTREAMING(FMMLA_d, aa64_sve_f64mm, gen_gvec_fpst_zzzz,
+                        gen_helper_fmmla_d, a->rd, a->rn, a->rm, a->ra,
+                        0, FPST_FPCR)
 
 static gen_helper_gvec_4 * const sqdmlal_zzzw_fns[] = {
     NULL,                           gen_helper_sve2_sqdmlal_zzzw_h,
@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(BFDOT_zzzz, aa64_sve_bf16, gen_gvec_ool_arg_zzzz,
 TRANS_FEAT(BFDOT_zzxz, aa64_sve_bf16, gen_gvec_ool_arg_zzxz,
            gen_helper_gvec_bfdot_idx, a)
 
-TRANS_FEAT(BFMMLA, aa64_sve_bf16, gen_gvec_ool_arg_zzzz,
-           gen_helper_gvec_bfmmla, a, 0)
+TRANS_FEAT_NONSTREAMING(BFMMLA, aa64_sve_bf16, gen_gvec_ool_arg_zzzz,
+                        gen_helper_gvec_bfmmla, a, 0)
 
 static bool do_BFMLAL_zzzw(DisasContext *s, arg_rrrr_esz *a, bool sel)
 {
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Mark these as a non-streaming instructions, which should trap
if full a64 support is not enabled in streaming mode.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-9-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sme-fa64.decode |  3 ---
 target/arm/translate-sve.c | 15 +++++++++++----
 2 files changed, 11 insertions(+), 7 deletions(-)

From: Richard Henderson <richard.henderson@linaro.org>

Mark these as a non-streaming instructions, which should trap
if full a64 support is not enabled in streaming mode.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-10-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sme-fa64.decode |  1 -
 target/arm/translate-sve.c | 12 ++++++------
 2 files changed, 6 insertions(+), 7 deletions(-)

From: Richard Henderson <richard.henderson@linaro.org>

Mark these as non-streaming instructions, which should trap
if full a64 support is not enabled in streaming mode.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-11-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sme-fa64.decode |  1 -
 target/arm/translate-sve.c | 35 ++++++++++++++++++-----------------
 2 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sme-fa64.decode
+++ b/target/arm/sme-fa64.decode
@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
 #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
 #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
 
-FAIL    0100 0101 --1- ---- 1--- ---- ---- ----   # SVE2 string/histo/crypto instructions
 FAIL    1000 010- -00- ---- 10-- ---- ---- ----   # SVE2 32-bit gather NT load (vector+scalar)
 FAIL    1000 010- -00- ---- 111- ---- ---- ----   # SVE 32-bit gather prefetch (vector+imm)
 FAIL    1000 0100 0-1- ---- 0--- ---- ---- ----   # SVE 32-bit gather prefetch (scalar+vector)
diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ DO_SVE2_ZZZ_NARROW(RSUBHNT, rsubhnt)
 static gen_helper_gvec_flags_4 * const match_fns[4] = {
     gen_helper_sve2_match_ppzz_b, gen_helper_sve2_match_ppzz_h, NULL, NULL
 };
-TRANS_FEAT(MATCH, aa64_sve2, do_ppzz_flags, a, match_fns[a->esz])
+TRANS_FEAT_NONSTREAMING(MATCH, aa64_sve2, do_ppzz_flags, a, match_fns[a->esz])
 
 static gen_helper_gvec_flags_4 * const nmatch_fns[4] = {
     gen_helper_sve2_nmatch_ppzz_b, gen_helper_sve2_nmatch_ppzz_h, NULL, NULL
 };
-TRANS_FEAT(NMATCH, aa64_sve2, do_ppzz_flags, a, nmatch_fns[a->esz])
+TRANS_FEAT_NONSTREAMING(NMATCH, aa64_sve2, do_ppzz_flags, a, nmatch_fns[a->esz])
 
 static gen_helper_gvec_4 * const histcnt_fns[4] = {
     NULL, NULL, gen_helper_sve2_histcnt_s, gen_helper_sve2_histcnt_d
 };
-TRANS_FEAT(HISTCNT, aa64_sve2, gen_gvec_ool_arg_zpzz,
-           histcnt_fns[a->esz], a, 0)
+TRANS_FEAT_NONSTREAMING(HISTCNT, aa64_sve2, gen_gvec_ool_arg_zpzz,
+                        histcnt_fns[a->esz], a, 0)
 
-TRANS_FEAT(HISTSEG, aa64_sve2, gen_gvec_ool_arg_zzz,
-           a->esz == 0 ? gen_helper_sve2_histseg : NULL, a, 0)
+TRANS_FEAT_NONSTREAMING(HISTSEG, aa64_sve2, gen_gvec_ool_arg_zzz,
+                        a->esz == 0 ? gen_helper_sve2_histseg : NULL, a, 0)
 
 DO_ZPZZ_FP(FADDP, aa64_sve2, sve2_faddp_zpzz)
 DO_ZPZZ_FP(FMAXNMP, aa64_sve2, sve2_fmaxnmp_zpzz)
@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(SQRDCMLAH_zzzz, aa64_sve2, gen_gvec_ool_zzzz,
 TRANS_FEAT(USDOT_zzzz, aa64_sve_i8mm, gen_gvec_ool_arg_zzzz,
            a->esz == 2 ? gen_helper_gvec_usdot_b : NULL, a, 0)
 
-TRANS_FEAT(AESMC, aa64_sve2_aes, gen_gvec_ool_zz,
-           gen_helper_crypto_aesmc, a->rd, a->rd, a->decrypt)
+TRANS_FEAT_NONSTREAMING(AESMC, aa64_sve2_aes, gen_gvec_ool_zz,
+                        gen_helper_crypto_aesmc, a->rd, a->rd, a->decrypt)
 
-TRANS_FEAT(AESE, aa64_sve2_aes, gen_gvec_ool_arg_zzz,
-           gen_helper_crypto_aese, a, false)
-TRANS_FEAT(AESD, aa64_sve2_aes, gen_gvec_ool_arg_zzz,
-           gen_helper_crypto_aese, a, true)
+TRANS_FEAT_NONSTREAMING(AESE, aa64_sve2_aes, gen_gvec_ool_arg_zzz,
+                        gen_helper_crypto_aese, a, false)
+TRANS_FEAT_NONSTREAMING(AESD, aa64_sve2_aes, gen_gvec_ool_arg_zzz,
+                        gen_helper_crypto_aese, a, true)
 
-TRANS_FEAT(SM4E, aa64_sve2_sm4, gen_gvec_ool_arg_zzz,
-           gen_helper_crypto_sm4e, a, 0)
-TRANS_FEAT(SM4EKEY, aa64_sve2_sm4, gen_gvec_ool_arg_zzz,
-           gen_helper_crypto_sm4ekey, a, 0)
+TRANS_FEAT_NONSTREAMING(SM4E, aa64_sve2_sm4, gen_gvec_ool_arg_zzz,
+                        gen_helper_crypto_sm4e, a, 0)
+TRANS_FEAT_NONSTREAMING(SM4EKEY, aa64_sve2_sm4, gen_gvec_ool_arg_zzz,
+                        gen_helper_crypto_sm4ekey, a, 0)
 
-TRANS_FEAT(RAX1, aa64_sve2_sha3, gen_gvec_fn_arg_zzz, gen_gvec_rax1, a)
+TRANS_FEAT_NONSTREAMING(RAX1, aa64_sve2_sha3, gen_gvec_fn_arg_zzz,
+                        gen_gvec_rax1, a)
 
 TRANS_FEAT(FCVTNT_sh, aa64_sve2, gen_gvec_fpst_arg_zpz,
            gen_helper_sve2_fcvtnt_sh, a, 0, FPST_FPCR)
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Mark these as a non-streaming instructions, which should trap
if full a64 support is not enabled in streaming mode.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-12-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sme-fa64.decode | 9 ---------
 target/arm/translate-sve.c | 6 ++++++
 2 files changed, 6 insertions(+), 9 deletions(-)

diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sme-fa64.decode
+++ b/target/arm/sme-fa64.decode
@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
 #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
 #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
 
-FAIL    1000 010- -00- ---- 10-- ---- ---- ----   # SVE2 32-bit gather NT load (vector+scalar)
 FAIL    1000 010- -00- ---- 111- ---- ---- ----   # SVE 32-bit gather prefetch (vector+imm)
 FAIL    1000 0100 0-1- ---- 0--- ---- ---- ----   # SVE 32-bit gather prefetch (scalar+vector)
-FAIL    1000 010- -01- ---- 1--- ---- ---- ----   # SVE 32-bit gather load (vector+imm)
-FAIL    1000 0100 0-0- ---- 0--- ---- ---- ----   # SVE 32-bit gather load byte (scalar+vector)
-FAIL    1000 0100 1--- ---- 0--- ---- ---- ----   # SVE 32-bit gather load half (scalar+vector)
-FAIL    1000 0101 0--- ---- 0--- ---- ---- ----   # SVE 32-bit gather load word (scalar+vector)
 FAIL    1010 010- ---- ---- 011- ---- ---- ----   # SVE contiguous FF load (scalar+scalar)
 FAIL    1010 010- ---1 ---- 101- ---- ---- ----   # SVE contiguous NF load (scalar+imm)
 FAIL    1010 010- -01- ---- 000- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+scalar)
 FAIL    1010 010- -010 ---- 001- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+imm)
 FAIL    1100 010- ---- ---- ---- ---- ---- ----   # SVE 64-bit gather load/prefetch
-FAIL    1110 010- -00- ---- 001- ---- ---- ----   # SVE2 64-bit scatter NT store (vector+scalar)
-FAIL    1110 010- -10- ---- 001- ---- ---- ----   # SVE2 32-bit scatter NT store (vector+scalar)
-FAIL    1110 010- ---- ---- 1-0- ---- ---- ----   # SVE scatter store (scalar+32-bit vector)
-FAIL    1110 010- ---- ---- 101- ---- ---- ----   # SVE scatter store (misc)
diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ static bool trans_LD1_zprz(DisasContext *s, arg_LD1_zprz *a)
     if (!dc_isar_feature(aa64_sve, s)) {
         return false;
     }
+    s->is_nonstreaming = true;
     if (!sve_access_check(s)) {
         return true;
     }
@@ -XXX,XX +XXX,XX @@ static bool trans_LD1_zpiz(DisasContext *s, arg_LD1_zpiz *a)
     if (!dc_isar_feature(aa64_sve, s)) {
         return false;
     }
+    s->is_nonstreaming = true;
     if (!sve_access_check(s)) {
         return true;
     }
@@ -XXX,XX +XXX,XX @@ static bool trans_LDNT1_zprz(DisasContext *s, arg_LD1_zprz *a)
     if (!dc_isar_feature(aa64_sve2, s)) {
         return false;
     }
+    s->is_nonstreaming = true;
     if (!sve_access_check(s)) {
         return true;
     }
@@ -XXX,XX +XXX,XX @@ static bool trans_ST1_zprz(DisasContext *s, arg_ST1_zprz *a)
     if (!dc_isar_feature(aa64_sve, s)) {
         return false;
     }
+    s->is_nonstreaming = true;
     if (!sve_access_check(s)) {
         return true;
     }
@@ -XXX,XX +XXX,XX @@ static bool trans_ST1_zpiz(DisasContext *s, arg_ST1_zpiz *a)
     if (!dc_isar_feature(aa64_sve, s)) {
         return false;
     }
+    s->is_nonstreaming = true;
     if (!sve_access_check(s)) {
         return true;
     }
@@ -XXX,XX +XXX,XX @@ static bool trans_STNT1_zprz(DisasContext *s, arg_ST1_zprz *a)
     if (!dc_isar_feature(aa64_sve2, s)) {
         return false;
     }
+    s->is_nonstreaming = true;
     if (!sve_access_check(s)) {
         return true;
     }
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Mark these as a non-streaming instructions, which should trap if full
a64 support is not enabled in streaming mode.  In this case, introduce
PRF_ns (prefetch non-streaming) to handle the checks.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-13-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sme-fa64.decode |  3 ---
 target/arm/sve.decode      | 10 +++++-----
 target/arm/translate-sve.c | 11 +++++++++++
 3 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sme-fa64.decode
+++ b/target/arm/sme-fa64.decode
@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
 #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
 #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
 
-FAIL    1000 010- -00- ---- 111- ---- ---- ----   # SVE 32-bit gather prefetch (vector+imm)
-FAIL    1000 0100 0-1- ---- 0--- ---- ---- ----   # SVE 32-bit gather prefetch (scalar+vector)
 FAIL    1010 010- ---- ---- 011- ---- ---- ----   # SVE contiguous FF load (scalar+scalar)
 FAIL    1010 010- ---1 ---- 101- ---- ---- ----   # SVE contiguous NF load (scalar+imm)
 FAIL    1010 010- -01- ---- 000- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+scalar)
 FAIL    1010 010- -010 ---- 001- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+imm)
-FAIL    1100 010- ---- ---- ---- ---- ---- ----   # SVE 64-bit gather load/prefetch
diff --git a/target/arm/sve.decode b/target/arm/sve.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sve.decode
+++ b/target/arm/sve.decode
@@ -XXX,XX +XXX,XX @@ LD1RO_zpri      1010010 .. 01 0.... 001 ... ..... ..... \
                 @rpri_load_msz nreg=0
 
 # SVE 32-bit gather prefetch (scalar plus 32-bit scaled offsets)
-PRF             1000010 00 -1 ----- 0-- --- ----- 0 ----
+PRF_ns          1000010 00 -1 ----- 0-- --- ----- 0 ----
 
 # SVE 32-bit gather prefetch (vector plus immediate)
-PRF             1000010 -- 00 ----- 111 --- ----- 0 ----
+PRF_ns          1000010 -- 00 ----- 111 --- ----- 0 ----
 
 # SVE contiguous prefetch (scalar plus immediate)
 PRF             1000010 11 1- ----- 0-- --- ----- 0 ----
@@ -XXX,XX +XXX,XX @@ LD1_zpiz        1100010 .. 01 ..... 1.. ... ..... ..... \
                 @rpri_g_load esz=3
 
 # SVE 64-bit gather prefetch (scalar plus 64-bit scaled offsets)
-PRF             1100010 00 11 ----- 1-- --- ----- 0 ----
+PRF_ns          1100010 00 11 ----- 1-- --- ----- 0 ----
 
 # SVE 64-bit gather prefetch (scalar plus unpacked 32-bit scaled offsets)
-PRF             1100010 00 -1 ----- 0-- --- ----- 0 ----
+PRF_ns          1100010 00 -1 ----- 0-- --- ----- 0 ----
 
 # SVE 64-bit gather prefetch (vector plus immediate)
-PRF             1100010 -- 00 ----- 111 --- ----- 0 ----
+PRF_ns          1100010 -- 00 ----- 111 --- ----- 0 ----
 
 ### SVE Memory Store Group
 
diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ static bool trans_PRF_rr(DisasContext *s, arg_PRF_rr *a)
     return true;
 }
 
+static bool trans_PRF_ns(DisasContext *s, arg_PRF_ns *a)
+{
+    if (!dc_isar_feature(aa64_sve, s)) {
+        return false;
+    }
+    /* Prefetch is a nop within QEMU.  */
+    s->is_nonstreaming = true;
+    (void)sve_access_check(s);
+    return true;
+}
+
 /*
  * Move Prefix
  *
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Mark these as a non-streaming instructions, which should trap
if full a64 support is not enabled in streaming mode.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-14-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sme-fa64.decode | 2 --
 target/arm/translate-sve.c | 2 ++
 2 files changed, 2 insertions(+), 2 deletions(-)

From: Richard Henderson <richard.henderson@linaro.org>

Mark these as a non-streaming instructions, which should trap
if full a64 support is not enabled in streaming mode.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-15-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sme-fa64.decode | 3 ---
 target/arm/translate-sve.c | 2 ++
 2 files changed, 2 insertions(+), 3 deletions(-)

From: Richard Henderson <richard.henderson@linaro.org>

These functions will be used to verify that the cpu
is in the correct state for a given instruction.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-16-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.h | 21 +++++++++++++++++++++
 target/arm/translate-a64.c | 34 ++++++++++++++++++++++++++++++++++
 2 files changed, 55 insertions(+)

diff --git a/target/arm/translate-a64.h b/target/arm/translate-a64.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.h
+++ b/target/arm/translate-a64.h
@@ -XXX,XX +XXX,XX @@ void write_fp_dreg(DisasContext *s, int reg, TCGv_i64 v);
 bool logic_imm_decode_wmask(uint64_t *result, unsigned int immn,
                             unsigned int imms, unsigned int immr);
 bool sve_access_check(DisasContext *s);
+bool sme_enabled_check(DisasContext *s);
+bool sme_enabled_check_with_svcr(DisasContext *s, unsigned);
+
+/* This function corresponds to CheckStreamingSVEEnabled. */
+static inline bool sme_sm_enabled_check(DisasContext *s)
+{
+    return sme_enabled_check_with_svcr(s, R_SVCR_SM_MASK);
+}
+
+/* This function corresponds to CheckSMEAndZAEnabled. */
+static inline bool sme_za_enabled_check(DisasContext *s)
+{
+    return sme_enabled_check_with_svcr(s, R_SVCR_ZA_MASK);
+}
+
+/* Note that this function corresponds to CheckStreamingSVEAndZAEnabled. */
+static inline bool sme_smza_enabled_check(DisasContext *s)
+{
+    return sme_enabled_check_with_svcr(s, R_SVCR_SM_MASK | R_SVCR_ZA_MASK);
+}
+
 TCGv_i64 clean_data_tbi(DisasContext *s, TCGv_i64 addr);
 TCGv_i64 gen_mte_check1(DisasContext *s, TCGv_i64 addr, bool is_write,
                         bool tag_checked, int log2_size);
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static bool sme_access_check(DisasContext *s)
     return true;
 }
 
+/* This function corresponds to CheckSMEEnabled. */
+bool sme_enabled_check(DisasContext *s)
+{
+    /*
+     * Note that unlike sve_excp_el, we have not constrained sme_excp_el
+     * to be zero when fp_excp_el has priority.  This is because we need
+     * sme_excp_el by itself for cpregs access checks.
+     */
+    if (!s->fp_excp_el || s->sme_excp_el < s->fp_excp_el) {
+        s->fp_access_checked = true;
+        return sme_access_check(s);
+    }
+    return fp_access_check_only(s);
+}
+
+/* Common subroutine for CheckSMEAnd*Enabled. */
+bool sme_enabled_check_with_svcr(DisasContext *s, unsigned req)
+{
+    if (!sme_enabled_check(s)) {
+        return false;
+    }
+    if (FIELD_EX64(req, SVCR, SM) && !s->pstate_sm) {
+        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
+                           syn_smetrap(SME_ET_NotStreaming, false));
+        return false;
+    }
+    if (FIELD_EX64(req, SVCR, ZA) && !s->pstate_za) {
+        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
+                           syn_smetrap(SME_ET_InactiveZA, false));
+        return false;
+    }
+    return true;
+}
+
 /*
  * This utility function is for doing register extension with an
  * optional shift. You will likely want to pass a temporary for the
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

The pseudocode for CheckSVEEnabled gains a check for Streaming
SVE mode, and for SME present but SVE absent.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-17-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.c | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static bool fp_access_check(DisasContext *s)
     return true;
 }
 
-/* Check that SVE access is enabled.  If it is, return true.
+/*
+ * Check that SVE access is enabled.  If it is, return true.
  * If not, emit code to generate an appropriate exception and return false.
+ * This function corresponds to CheckSVEEnabled().
  */
 bool sve_access_check(DisasContext *s)
 {
-    if (s->sve_excp_el) {
-        assert(!s->sve_access_checked);
-        s->sve_access_checked = true;
-
+    if (s->pstate_sm || !dc_isar_feature(aa64_sve, s)) {
+        assert(dc_isar_feature(aa64_sme, s));
+        if (!sme_sm_enabled_check(s)) {
+            goto fail_exit;
+        }
+    } else if (s->sve_excp_el) {
         gen_exception_insn_el(s, s->pc_curr, EXCP_UDEF,
                               syn_sve_access_trap(), s->sve_excp_el);
-        return false;
+        goto fail_exit;
     }
     s->sve_access_checked = true;
     return fp_access_check(s);
+
+ fail_exit:
+    /* Assert that we only raise one exception per instruction. */
+    assert(!s->sve_access_checked);
+    s->sve_access_checked = true;
+    return false;
 }
 
 /*
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

These SME instructions are nominally within the SVE decode space,
so we add them to sve.decode and translate-sve.c.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-18-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.h | 12 ++++++++++++
 target/arm/sve.decode      |  5 ++++-
 target/arm/translate-sve.c | 38 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 54 insertions(+), 1 deletion(-)

diff --git a/target/arm/translate-a64.h b/target/arm/translate-a64.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.h
+++ b/target/arm/translate-a64.h
@@ -XXX,XX +XXX,XX @@ static inline int vec_full_reg_size(DisasContext *s)
     return s->vl;
 }
 
+/* Return the byte size of the vector register, SVL / 8. */
+static inline int streaming_vec_reg_size(DisasContext *s)
+{
+    return s->svl;
+}
+
 /*
  * Return the offset info CPUARMState of the predicate vector register Pn.
  * Note for this purpose, FFR is P16.
@@ -XXX,XX +XXX,XX @@ static inline int pred_full_reg_size(DisasContext *s)
     return s->vl >> 3;
 }
 
+/* Return the byte size of the predicate register, SVL / 64.  */
+static inline int streaming_pred_reg_size(DisasContext *s)
+{
+    return s->svl >> 3;
+}
+
 /*
  * Round up the size of a register to a size allowed by
  * the tcg vector infrastructure.  Any operation which uses this
diff --git a/target/arm/sve.decode b/target/arm/sve.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sve.decode
+++ b/target/arm/sve.decode
@@ -XXX,XX +XXX,XX @@ INDEX_ri        00000100 esz:2 1 imm:s5 010001 rn:5 rd:5
 # SVE index generation (register start, register increment)
 INDEX_rr        00000100 .. 1 ..... 010011 ..... .....          @rd_rn_rm
 
-### SVE Stack Allocation Group
+### SVE / Streaming SVE Stack Allocation Group
 
 # SVE stack frame adjustment
 ADDVL           00000100 001 ..... 01010 ...... .....           @rd_rn_i6
+ADDSVL          00000100 001 ..... 01011 ...... .....           @rd_rn_i6
 ADDPL           00000100 011 ..... 01010 ...... .....           @rd_rn_i6
+ADDSPL          00000100 011 ..... 01011 ...... .....           @rd_rn_i6
 
 # SVE stack frame size
 RDVL            00000100 101 11111 01010 imm:s6 rd:5
+RDSVL           00000100 101 11111 01011 imm:s6 rd:5
 
 ### SVE Bitwise Shift - Unpredicated Group
 
diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ static bool trans_ADDVL(DisasContext *s, arg_ADDVL *a)
     return true;
 }
 
+static bool trans_ADDSVL(DisasContext *s, arg_ADDSVL *a)
+{
+    if (!dc_isar_feature(aa64_sme, s)) {
+        return false;
+    }
+    if (sme_enabled_check(s)) {
+        TCGv_i64 rd = cpu_reg_sp(s, a->rd);
+        TCGv_i64 rn = cpu_reg_sp(s, a->rn);
+        tcg_gen_addi_i64(rd, rn, a->imm * streaming_vec_reg_size(s));
+    }
+    return true;
+}
+
 static bool trans_ADDPL(DisasContext *s, arg_ADDPL *a)
 {
     if (!dc_isar_feature(aa64_sve, s)) {
@@ -XXX,XX +XXX,XX @@ static bool trans_ADDPL(DisasContext *s, arg_ADDPL *a)
     return true;
 }
 
+static bool trans_ADDSPL(DisasContext *s, arg_ADDSPL *a)
+{
+    if (!dc_isar_feature(aa64_sme, s)) {
+        return false;
+    }
+    if (sme_enabled_check(s)) {
+        TCGv_i64 rd = cpu_reg_sp(s, a->rd);
+        TCGv_i64 rn = cpu_reg_sp(s, a->rn);
+        tcg_gen_addi_i64(rd, rn, a->imm * streaming_pred_reg_size(s));
+    }
+    return true;
+}
+
 static bool trans_RDVL(DisasContext *s, arg_RDVL *a)
 {
     if (!dc_isar_feature(aa64_sve, s)) {
@@ -XXX,XX +XXX,XX @@ static bool trans_RDVL(DisasContext *s, arg_RDVL *a)
     return true;
 }
 
+static bool trans_RDSVL(DisasContext *s, arg_RDSVL *a)
+{
+    if (!dc_isar_feature(aa64_sme, s)) {
+        return false;
+    }
+    if (sme_enabled_check(s)) {
+        TCGv_i64 reg = cpu_reg(s, a->rd);
+        tcg_gen_movi_i64(reg, a->imm * streaming_vec_reg_size(s));
+    }
+    return true;
+}
+
 /*
  *** SVE Compute Vector Address Group
  */
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-19-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper-sme.h    |  2 ++
 target/arm/sme.decode      |  4 ++++
 target/arm/sme_helper.c    | 25 +++++++++++++++++++++++++
 target/arm/translate-sme.c | 13 +++++++++++++
 4 files changed, 44 insertions(+)

From: Richard Henderson <richard.henderson@linaro.org>

We can reuse the SVE functions for implementing moves to/from
horizontal tile slices, but we need new ones for moves to/from
vertical tile slices.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-20-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper-sme.h    |  12 +++
 target/arm/helper-sve.h    |   2 +
 target/arm/translate-a64.h |   8 ++
 target/arm/translate.h     |   5 ++
 target/arm/sme.decode      |  15 ++++
 target/arm/sme_helper.c    | 151 ++++++++++++++++++++++++++++++++++++-
 target/arm/sve_helper.c    |  12 +++
 target/arm/translate-sme.c | 127 +++++++++++++++++++++++++++++++
 8 files changed, 331 insertions(+), 1 deletion(-)

From: Richard Henderson <richard.henderson@linaro.org>

We cannot reuse the SVE functions for LD[1-4] and ST[1-4],
because those functions accept only a Zreg register number.
For SME, we want to pass a pointer into ZA storage.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-21-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper-sme.h    |  82 +++++
 target/arm/sme.decode      |   9 +
 target/arm/sme_helper.c    | 595 +++++++++++++++++++++++++++++++++++++
 target/arm/translate-sme.c |  70 +++++
 4 files changed, 756 insertions(+)

diff --git a/target/arm/helper-sme.h b/target/arm/helper-sme.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper-sme.h
+++ b/target/arm/helper-sme.h
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_4(sme_mova_cz_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 DEF_HELPER_FLAGS_4(sme_mova_zc_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 DEF_HELPER_FLAGS_4(sme_mova_cz_q, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 DEF_HELPER_FLAGS_4(sme_mova_zc_q, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
+
+DEF_HELPER_FLAGS_5(sme_ld1b_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1b_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1b_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1b_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_5(sme_ld1h_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1h_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1h_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1h_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1h_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1h_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1h_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1h_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_5(sme_ld1s_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1s_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1s_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1s_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1s_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1s_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1s_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1s_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_5(sme_ld1d_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1d_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1d_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1d_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1d_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1d_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1d_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1d_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_5(sme_ld1q_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1q_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1q_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1q_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1q_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1q_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1q_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1q_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_5(sme_st1b_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1b_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1b_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1b_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_5(sme_st1h_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1h_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1h_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1h_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1h_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1h_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1h_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1h_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_5(sme_st1s_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1s_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1s_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1s_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1s_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1s_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1s_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1s_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_5(sme_st1d_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1d_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1d_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1d_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1d_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1d_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1d_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1d_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_5(sme_st1q_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1q_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1q_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1q_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1q_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1q_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1q_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1q_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
diff --git a/target/arm/sme.decode b/target/arm/sme.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sme.decode
+++ b/target/arm/sme.decode
@@ -XXX,XX +XXX,XX @@ MOVA            11000000 esz:2 00001 0 v:1 .. pg:3 0 za_imm:4 zr:5  \
                 &mova to_vec=1 rs=%mova_rs
 MOVA            11000000 11    00001 1 v:1 .. pg:3 0 za_imm:4 zr:5  \
                 &mova to_vec=1 rs=%mova_rs esz=4
+
+### SME Memory
+
+&ldst           esz rs pg rn rm za_imm v:bool st:bool
+
+LDST1           1110000 0 esz:2 st:1 rm:5 v:1 .. pg:3 rn:5 0 za_imm:4  \
+                &ldst rs=%mova_rs
+LDST1           1110000 111     st:1 rm:5 v:1 .. pg:3 rn:5 0 za_imm:4  \
+                &ldst esz=4 rs=%mova_rs
diff --git a/target/arm/sme_helper.c b/target/arm/sme_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sme_helper.c
+++ b/target/arm/sme_helper.c
@@ -XXX,XX +XXX,XX @@
 
 #include "qemu/osdep.h"
 #include "cpu.h"
+#include "internals.h"
 #include "tcg/tcg-gvec-desc.h"
 #include "exec/helper-proto.h"
+#include "exec/cpu_ldst.h"
+#include "exec/exec-all.h"
 #include "qemu/int128.h"
 #include "vec_internal.h"
+#include "sve_ldst_internal.h"
 
 /* ResetSVEState */
 void arm_reset_sve_state(CPUARMState *env)
@@ -XXX,XX +XXX,XX @@ void HELPER(sme_mova_zc_q)(void *vd, void *za, void *vg, uint32_t desc)
 }
 
 #undef DO_MOVA_Z
+
+/*
+ * Clear elements in a tile slice comprising len bytes.
+ */
+
+typedef void ClearFn(void *ptr, size_t off, size_t len);
+
+static void clear_horizontal(void *ptr, size_t off, size_t len)
+{
+    memset(ptr + off, 0, len);
+}
+
+static void clear_vertical_b(void *vptr, size_t off, size_t len)
+{
+    for (size_t i = 0; i < len; ++i) {
+        *(uint8_t *)(vptr + tile_vslice_offset(i + off)) = 0;
+    }
+}
+
+static void clear_vertical_h(void *vptr, size_t off, size_t len)
+{
+    for (size_t i = 0; i < len; i += 2) {
+        *(uint16_t *)(vptr + tile_vslice_offset(i + off)) = 0;
+    }
+}
+
+static void clear_vertical_s(void *vptr, size_t off, size_t len)
+{
+    for (size_t i = 0; i < len; i += 4) {
+        *(uint32_t *)(vptr + tile_vslice_offset(i + off)) = 0;
+    }
+}
+
+static void clear_vertical_d(void *vptr, size_t off, size_t len)
+{
+    for (size_t i = 0; i < len; i += 8) {
+        *(uint64_t *)(vptr + tile_vslice_offset(i + off)) = 0;
+    }
+}
+
+static void clear_vertical_q(void *vptr, size_t off, size_t len)
+{
+    for (size_t i = 0; i < len; i += 16) {
+        memset(vptr + tile_vslice_offset(i + off), 0, 16);
+    }
+}
+
+/*
+ * Copy elements from an array into a tile slice comprising len bytes.
+ */
+
+typedef void CopyFn(void *dst, const void *src, size_t len);
+
+static void copy_horizontal(void *dst, const void *src, size_t len)
+{
+    memcpy(dst, src, len);
+}
+
+static void copy_vertical_b(void *vdst, const void *vsrc, size_t len)
+{
+    const uint8_t *src = vsrc;
+    uint8_t *dst = vdst;
+    size_t i;
+
+    for (i = 0; i < len; ++i) {
+        dst[tile_vslice_index(i)] = src[i];
+    }
+}
+
+static void copy_vertical_h(void *vdst, const void *vsrc, size_t len)
+{
+    const uint16_t *src = vsrc;
+    uint16_t *dst = vdst;
+    size_t i;
+
+    for (i = 0; i < len / 2; ++i) {
+        dst[tile_vslice_index(i)] = src[i];
+    }
+}
+
+static void copy_vertical_s(void *vdst, const void *vsrc, size_t len)
+{
+    const uint32_t *src = vsrc;
+    uint32_t *dst = vdst;
+    size_t i;
+
+    for (i = 0; i < len / 4; ++i) {
+        dst[tile_vslice_index(i)] = src[i];
+    }
+}
+
+static void copy_vertical_d(void *vdst, const void *vsrc, size_t len)
+{
+    const uint64_t *src = vsrc;
+    uint64_t *dst = vdst;
+    size_t i;
+
+    for (i = 0; i < len / 8; ++i) {
+        dst[tile_vslice_index(i)] = src[i];
+    }
+}
+
+static void copy_vertical_q(void *vdst, const void *vsrc, size_t len)
+{
+    for (size_t i = 0; i < len; i += 16) {
+        memcpy(vdst + tile_vslice_offset(i), vsrc + i, 16);
+    }
+}
+
+/*
+ * Host and TLB primitives for vertical tile slice addressing.
+ */
+
+#define DO_LD(NAME, TYPE, HOST, TLB)                                        \
+static inline void sme_##NAME##_v_host(void *za, intptr_t off, void *host)  \
+{                                                                           \
+    TYPE val = HOST(host);                                                  \
+    *(TYPE *)(za + tile_vslice_offset(off)) = val;                          \
+}                                                                           \
+static inline void sme_##NAME##_v_tlb(CPUARMState *env, void *za,           \
+                        intptr_t off, target_ulong addr, uintptr_t ra)      \
+{                                                                           \
+    TYPE val = TLB(env, useronly_clean_ptr(addr), ra);                      \
+    *(TYPE *)(za + tile_vslice_offset(off)) = val;                          \
+}
+
+#define DO_ST(NAME, TYPE, HOST, TLB)                                        \
+static inline void sme_##NAME##_v_host(void *za, intptr_t off, void *host)  \
+{                                                                           \
+    TYPE val = *(TYPE *)(za + tile_vslice_offset(off));                     \
+    HOST(host, val);                                                        \
+}                                                                           \
+static inline void sme_##NAME##_v_tlb(CPUARMState *env, void *za,           \
+                        intptr_t off, target_ulong addr, uintptr_t ra)      \
+{                                                                           \
+    TYPE val = *(TYPE *)(za + tile_vslice_offset(off));                     \
+    TLB(env, useronly_clean_ptr(addr), val, ra);                            \
+}
+
+/*
+ * The ARMVectorReg elements are stored in host-endian 64-bit units.
+ * For 128-bit quantities, the sequence defined by the Elem[] pseudocode
+ * corresponds to storing the two 64-bit pieces in little-endian order.
+ */
+#define DO_LDQ(HNAME, VNAME, BE, HOST, TLB)                                 \
+static inline void HNAME##_host(void *za, intptr_t off, void *host)         \
+{                                                                           \
+    uint64_t val0 = HOST(host), val1 = HOST(host + 8);                      \
+    uint64_t *ptr = za + off;                                               \
+    ptr[0] = BE ? val1 : val0, ptr[1] = BE ? val0 : val1;                   \
+}                                                                           \
+static inline void VNAME##_v_host(void *za, intptr_t off, void *host)       \
+{                                                                           \
+    HNAME##_host(za, tile_vslice_offset(off), host);                        \
+}                                                                           \
+static inline void HNAME##_tlb(CPUARMState *env, void *za, intptr_t off,    \
+                               target_ulong addr, uintptr_t ra)             \
+{                                                                           \
+    uint64_t val0 = TLB(env, useronly_clean_ptr(addr), ra);                 \
+    uint64_t val1 = TLB(env, useronly_clean_ptr(addr + 8), ra);             \
+    uint64_t *ptr = za + off;                                               \
+    ptr[0] = BE ? val1 : val0, ptr[1] = BE ? val0 : val1;                   \
+}                                                                           \
+static inline void VNAME##_v_tlb(CPUARMState *env, void *za, intptr_t off,  \
+                               target_ulong addr, uintptr_t ra)             \
+{                                                                           \
+    HNAME##_tlb(env, za, tile_vslice_offset(off), addr, ra);                \
+}
+
+#define DO_STQ(HNAME, VNAME, BE, HOST, TLB)                                 \
+static inline void HNAME##_host(void *za, intptr_t off, void *host)         \
+{                                                                           \
+    uint64_t *ptr = za + off;                                               \
+    HOST(host, ptr[BE]);                                                    \
+    HOST(host + 1, ptr[!BE]);                                               \
+}                                                                           \
+static inline void VNAME##_v_host(void *za, intptr_t off, void *host)       \
+{                                                                           \
+    HNAME##_host(za, tile_vslice_offset(off), host);                        \
+}                                                                           \
+static inline void HNAME##_tlb(CPUARMState *env, void *za, intptr_t off,    \
+                               target_ulong addr, uintptr_t ra)             \
+{                                                                           \
+    uint64_t *ptr = za + off;                                               \
+    TLB(env, useronly_clean_ptr(addr), ptr[BE], ra);                        \
+    TLB(env, useronly_clean_ptr(addr + 8), ptr[!BE], ra);                   \
+}                                                                           \
+static inline void VNAME##_v_tlb(CPUARMState *env, void *za, intptr_t off,  \
+                               target_ulong addr, uintptr_t ra)             \
+{                                                                           \
+    HNAME##_tlb(env, za, tile_vslice_offset(off), addr, ra);                \
+}
+
+DO_LD(ld1b, uint8_t, ldub_p, cpu_ldub_data_ra)
+DO_LD(ld1h_be, uint16_t, lduw_be_p, cpu_lduw_be_data_ra)
+DO_LD(ld1h_le, uint16_t, lduw_le_p, cpu_lduw_le_data_ra)
+DO_LD(ld1s_be, uint32_t, ldl_be_p, cpu_ldl_be_data_ra)
+DO_LD(ld1s_le, uint32_t, ldl_le_p, cpu_ldl_le_data_ra)
+DO_LD(ld1d_be, uint64_t, ldq_be_p, cpu_ldq_be_data_ra)
+DO_LD(ld1d_le, uint64_t, ldq_le_p, cpu_ldq_le_data_ra)
+
+DO_LDQ(sve_ld1qq_be, sme_ld1q_be, 1, ldq_be_p, cpu_ldq_be_data_ra)
+DO_LDQ(sve_ld1qq_le, sme_ld1q_le, 0, ldq_le_p, cpu_ldq_le_data_ra)
+
+DO_ST(st1b, uint8_t, stb_p, cpu_stb_data_ra)
+DO_ST(st1h_be, uint16_t, stw_be_p, cpu_stw_be_data_ra)
+DO_ST(st1h_le, uint16_t, stw_le_p, cpu_stw_le_data_ra)
+DO_ST(st1s_be, uint32_t, stl_be_p, cpu_stl_be_data_ra)
+DO_ST(st1s_le, uint32_t, stl_le_p, cpu_stl_le_data_ra)
+DO_ST(st1d_be, uint64_t, stq_be_p, cpu_stq_be_data_ra)
+DO_ST(st1d_le, uint64_t, stq_le_p, cpu_stq_le_data_ra)
+
+DO_STQ(sve_st1qq_be, sme_st1q_be, 1, stq_be_p, cpu_stq_be_data_ra)
+DO_STQ(sve_st1qq_le, sme_st1q_le, 0, stq_le_p, cpu_stq_le_data_ra)
+
+#undef DO_LD
+#undef DO_ST
+#undef DO_LDQ
+#undef DO_STQ
+
+/*
+ * Common helper for all contiguous predicated loads.
+ */
+
+static inline QEMU_ALWAYS_INLINE
+void sme_ld1(CPUARMState *env, void *za, uint64_t *vg,
+             const target_ulong addr, uint32_t desc, const uintptr_t ra,
+             const int esz, uint32_t mtedesc, bool vertical,
+             sve_ldst1_host_fn *host_fn,
+             sve_ldst1_tlb_fn *tlb_fn,
+             ClearFn *clr_fn,
+             CopyFn *cpy_fn)
+{
+    const intptr_t reg_max = simd_oprsz(desc);
+    const intptr_t esize = 1 << esz;
+    intptr_t reg_off, reg_last;
+    SVEContLdSt info;
+    void *host;
+    int flags;
+
+    /* Find the active elements.  */
+    if (!sve_cont_ldst_elements(&info, addr, vg, reg_max, esz, esize)) {
+        /* The entire predicate was false; no load occurs.  */
+        clr_fn(za, 0, reg_max);
+        return;
+    }
+
+    /* Probe the page(s).  Exit with exception for any invalid page. */
+    sve_cont_ldst_pages(&info, FAULT_ALL, env, addr, MMU_DATA_LOAD, ra);
+
+    /* Handle watchpoints for all active elements. */
+    sve_cont_ldst_watchpoints(&info, env, vg, addr, esize, esize,
+                              BP_MEM_READ, ra);
+
+    /*
+     * Handle mte checks for all active elements.
+     * Since TBI must be set for MTE, !mtedesc => !mte_active.
+     */
+    if (mtedesc) {
+        sve_cont_ldst_mte_check(&info, env, vg, addr, esize, esize,
+                                mtedesc, ra);
+    }
+
+    flags = info.page[0].flags | info.page[1].flags;
+    if (unlikely(flags != 0)) {
+#ifdef CONFIG_USER_ONLY
+        g_assert_not_reached();
+#else
+        /*
+         * At least one page includes MMIO.
+         * Any bus operation can fail with cpu_transaction_failed,
+         * which for ARM will raise SyncExternal.  Perform the load
+         * into scratch memory to preserve register state until the end.
+         */
+        ARMVectorReg scratch = { };
+
+        reg_off = info.reg_off_first[0];
+        reg_last = info.reg_off_last[1];
+        if (reg_last < 0) {
+            reg_last = info.reg_off_split;
+            if (reg_last < 0) {
+                reg_last = info.reg_off_last[0];
+            }
+        }
+
+        do {
+            uint64_t pg = vg[reg_off >> 6];
+            do {
+                if ((pg >> (reg_off & 63)) & 1) {
+                    tlb_fn(env, &scratch, reg_off, addr + reg_off, ra);
+                }
+                reg_off += esize;
+            } while (reg_off & 63);
+        } while (reg_off <= reg_last);
+
+        cpy_fn(za, &scratch, reg_max);
+        return;
+#endif
+    }
+
+    /* The entire operation is in RAM, on valid pages. */
+
+    reg_off = info.reg_off_first[0];
+    reg_last = info.reg_off_last[0];
+    host = info.page[0].host;
+
+    if (!vertical) {
+        memset(za, 0, reg_max);
+    } else if (reg_off) {
+        clr_fn(za, 0, reg_off);
+    }
+
+    while (reg_off <= reg_last) {
+        uint64_t pg = vg[reg_off >> 6];
+        do {
+            if ((pg >> (reg_off & 63)) & 1) {
+                host_fn(za, reg_off, host + reg_off);
+            } else if (vertical) {
+                clr_fn(za, reg_off, esize);
+            }
+            reg_off += esize;
+        } while (reg_off <= reg_last && (reg_off & 63));
+    }
+
+    /*
+     * Use the slow path to manage the cross-page misalignment.
+     * But we know this is RAM and cannot trap.
+     */
+    reg_off = info.reg_off_split;
+    if (unlikely(reg_off >= 0)) {
+        tlb_fn(env, za, reg_off, addr + reg_off, ra);
+    }
+
+    reg_off = info.reg_off_first[1];
+    if (unlikely(reg_off >= 0)) {
+        reg_last = info.reg_off_last[1];
+        host = info.page[1].host;
+
+        do {
+            uint64_t pg = vg[reg_off >> 6];
+            do {
+                if ((pg >> (reg_off & 63)) & 1) {
+                    host_fn(za, reg_off, host + reg_off);
+                } else if (vertical) {
+                    clr_fn(za, reg_off, esize);
+                }
+                reg_off += esize;
+            } while (reg_off & 63);
+        } while (reg_off <= reg_last);
+    }
+}
+
+static inline QEMU_ALWAYS_INLINE
+void sme_ld1_mte(CPUARMState *env, void *za, uint64_t *vg,
+                 target_ulong addr, uint32_t desc, uintptr_t ra,
+                 const int esz, bool vertical,
+                 sve_ldst1_host_fn *host_fn,
+                 sve_ldst1_tlb_fn *tlb_fn,
+                 ClearFn *clr_fn,
+                 CopyFn *cpy_fn)
+{
+    uint32_t mtedesc = desc >> (SIMD_DATA_SHIFT + SVE_MTEDESC_SHIFT);
+    int bit55 = extract64(addr, 55, 1);
+
+    /* Remove mtedesc from the normal sve descriptor. */
+    desc = extract32(desc, 0, SIMD_DATA_SHIFT + SVE_MTEDESC_SHIFT);
+
+    /* Perform gross MTE suppression early. */
+    if (!tbi_check(desc, bit55) ||
+        tcma_check(desc, bit55, allocation_tag_from_addr(addr))) {
+        mtedesc = 0;
+    }
+
+    sme_ld1(env, za, vg, addr, desc, ra, esz, mtedesc, vertical,
+            host_fn, tlb_fn, clr_fn, cpy_fn);
+}
+
+#define DO_LD(L, END, ESZ)                                                 \
+void HELPER(sme_ld1##L##END##_h)(CPUARMState *env, void *za, void *vg,     \
+                                 target_ulong addr, uint32_t desc)         \
+{                                                                          \
+    sme_ld1(env, za, vg, addr, desc, GETPC(), ESZ, 0, false,               \
+            sve_ld1##L##L##END##_host, sve_ld1##L##L##END##_tlb,           \
+            clear_horizontal, copy_horizontal);                            \
+}                                                                          \
+void HELPER(sme_ld1##L##END##_v)(CPUARMState *env, void *za, void *vg,     \
+                                 target_ulong addr, uint32_t desc)         \
+{                                                                          \
+    sme_ld1(env, za, vg, addr, desc, GETPC(), ESZ, 0, true,                \
+            sme_ld1##L##END##_v_host, sme_ld1##L##END##_v_tlb,             \
+            clear_vertical_##L, copy_vertical_##L);                        \
+}                                                                          \
+void HELPER(sme_ld1##L##END##_h_mte)(CPUARMState *env, void *za, void *vg, \
+                                     target_ulong addr, uint32_t desc)     \
+{                                                                          \
+    sme_ld1_mte(env, za, vg, addr, desc, GETPC(), ESZ, false,              \
+                sve_ld1##L##L##END##_host, sve_ld1##L##L##END##_tlb,       \
+                clear_horizontal, copy_horizontal);                        \
+}                                                                          \
+void HELPER(sme_ld1##L##END##_v_mte)(CPUARMState *env, void *za, void *vg, \
+                                     target_ulong addr, uint32_t desc)     \
+{                                                                          \
+    sme_ld1_mte(env, za, vg, addr, desc, GETPC(), ESZ, true,               \
+                sme_ld1##L##END##_v_host, sme_ld1##L##END##_v_tlb,         \
+                clear_vertical_##L, copy_vertical_##L);                    \
+}
+
+DO_LD(b, , MO_8)
+DO_LD(h, _be, MO_16)
+DO_LD(h, _le, MO_16)
+DO_LD(s, _be, MO_32)
+DO_LD(s, _le, MO_32)
+DO_LD(d, _be, MO_64)
+DO_LD(d, _le, MO_64)
+DO_LD(q, _be, MO_128)
+DO_LD(q, _le, MO_128)
+
+#undef DO_LD
+
+/*
+ * Common helper for all contiguous predicated stores.
+ */
+
+static inline QEMU_ALWAYS_INLINE
+void sme_st1(CPUARMState *env, void *za, uint64_t *vg,
+             const target_ulong addr, uint32_t desc, const uintptr_t ra,
+             const int esz, uint32_t mtedesc, bool vertical,
+             sve_ldst1_host_fn *host_fn,
+             sve_ldst1_tlb_fn *tlb_fn)
+{
+    const intptr_t reg_max = simd_oprsz(desc);
+    const intptr_t esize = 1 << esz;
+    intptr_t reg_off, reg_last;
+    SVEContLdSt info;
+    void *host;
+    int flags;
+
+    /* Find the active elements.  */
+    if (!sve_cont_ldst_elements(&info, addr, vg, reg_max, esz, esize)) {
+        /* The entire predicate was false; no store occurs.  */
+        return;
+    }
+
+    /* Probe the page(s).  Exit with exception for any invalid page. */
+    sve_cont_ldst_pages(&info, FAULT_ALL, env, addr, MMU_DATA_STORE, ra);
+
+    /* Handle watchpoints for all active elements. */
+    sve_cont_ldst_watchpoints(&info, env, vg, addr, esize, esize,
+                              BP_MEM_WRITE, ra);
+
+    /*
+     * Handle mte checks for all active elements.
+     * Since TBI must be set for MTE, !mtedesc => !mte_active.
+     */
+    if (mtedesc) {
+        sve_cont_ldst_mte_check(&info, env, vg, addr, esize, esize,
+                                mtedesc, ra);
+    }
+
+    flags = info.page[0].flags | info.page[1].flags;
+    if (unlikely(flags != 0)) {
+#ifdef CONFIG_USER_ONLY
+        g_assert_not_reached();
+#else
+        /*
+         * At least one page includes MMIO.
+         * Any bus operation can fail with cpu_transaction_failed,
+         * which for ARM will raise SyncExternal.  We cannot avoid
+         * this fault and will leave with the store incomplete.
+         */
+        reg_off = info.reg_off_first[0];
+        reg_last = info.reg_off_last[1];
+        if (reg_last < 0) {
+            reg_last = info.reg_off_split;
+            if (reg_last < 0) {
+                reg_last = info.reg_off_last[0];
+            }
+        }
+
+        do {
+            uint64_t pg = vg[reg_off >> 6];
+            do {
+                if ((pg >> (reg_off & 63)) & 1) {
+                    tlb_fn(env, za, reg_off, addr + reg_off, ra);
+                }
+                reg_off += esize;
+            } while (reg_off & 63);
+        } while (reg_off <= reg_last);
+        return;
+#endif
+    }
+
+    reg_off = info.reg_off_first[0];
+    reg_last = info.reg_off_last[0];
+    host = info.page[0].host;
+
+    while (reg_off <= reg_last) {
+        uint64_t pg = vg[reg_off >> 6];
+        do {
+            if ((pg >> (reg_off & 63)) & 1) {
+                host_fn(za, reg_off, host + reg_off);
+            }
+            reg_off += 1 << esz;
+        } while (reg_off <= reg_last && (reg_off & 63));
+    }
+
+    /*
+     * Use the slow path to manage the cross-page misalignment.
+     * But we know this is RAM and cannot trap.
+     */
+    reg_off = info.reg_off_split;
+    if (unlikely(reg_off >= 0)) {
+        tlb_fn(env, za, reg_off, addr + reg_off, ra);
+    }
+
+    reg_off = info.reg_off_first[1];
+    if (unlikely(reg_off >= 0)) {
+        reg_last = info.reg_off_last[1];
+        host = info.page[1].host;
+
+        do {
+            uint64_t pg = vg[reg_off >> 6];
+            do {
+                if ((pg >> (reg_off & 63)) & 1) {
+                    host_fn(za, reg_off, host + reg_off);
+                }
+                reg_off += 1 << esz;
+            } while (reg_off & 63);
+        } while (reg_off <= reg_last);
+    }
+}
+
+static inline QEMU_ALWAYS_INLINE
+void sme_st1_mte(CPUARMState *env, void *za, uint64_t *vg, target_ulong addr,
+                 uint32_t desc, uintptr_t ra, int esz, bool vertical,
+                 sve_ldst1_host_fn *host_fn,
+                 sve_ldst1_tlb_fn *tlb_fn)
+{
+    uint32_t mtedesc = desc >> (SIMD_DATA_SHIFT + SVE_MTEDESC_SHIFT);
+    int bit55 = extract64(addr, 55, 1);
+
+    /* Remove mtedesc from the normal sve descriptor. */
+    desc = extract32(desc, 0, SIMD_DATA_SHIFT + SVE_MTEDESC_SHIFT);
+
+    /* Perform gross MTE suppression early. */
+    if (!tbi_check(desc, bit55) ||
+        tcma_check(desc, bit55, allocation_tag_from_addr(addr))) {
+        mtedesc = 0;
+    }
+
+    sme_st1(env, za, vg, addr, desc, ra, esz, mtedesc,
+            vertical, host_fn, tlb_fn);
+}
+
+#define DO_ST(L, END, ESZ)                                                 \
+void HELPER(sme_st1##L##END##_h)(CPUARMState *env, void *za, void *vg,     \
+                                 target_ulong addr, uint32_t desc)         \
+{                                                                          \
+    sme_st1(env, za, vg, addr, desc, GETPC(), ESZ, 0, false,               \
+            sve_st1##L##L##END##_host, sve_st1##L##L##END##_tlb);          \
+}                                                                          \
+void HELPER(sme_st1##L##END##_v)(CPUARMState *env, void *za, void *vg,     \
+                                 target_ulong addr, uint32_t desc)         \
+{                                                                          \
+    sme_st1(env, za, vg, addr, desc, GETPC(), ESZ, 0, true,                \
+            sme_st1##L##END##_v_host, sme_st1##L##END##_v_tlb);            \
+}                                                                          \
+void HELPER(sme_st1##L##END##_h_mte)(CPUARMState *env, void *za, void *vg, \
+                                     target_ulong addr, uint32_t desc)     \
+{                                                                          \
+    sme_st1_mte(env, za, vg, addr, desc, GETPC(), ESZ, false,              \
+                sve_st1##L##L##END##_host, sve_st1##L##L##END##_tlb);      \
+}                                                                          \
+void HELPER(sme_st1##L##END##_v_mte)(CPUARMState *env, void *za, void *vg, \
+                                     target_ulong addr, uint32_t desc)     \
+{                                                                          \
+    sme_st1_mte(env, za, vg, addr, desc, GETPC(), ESZ, true,               \
+                sme_st1##L##END##_v_host, sme_st1##L##END##_v_tlb);        \
+}
+
+DO_ST(b, , MO_8)
+DO_ST(h, _be, MO_16)
+DO_ST(h, _le, MO_16)
+DO_ST(s, _be, MO_32)
+DO_ST(s, _le, MO_32)
+DO_ST(d, _be, MO_64)
+DO_ST(d, _le, MO_64)
+DO_ST(q, _be, MO_128)
+DO_ST(q, _le, MO_128)
+
+#undef DO_ST
diff --git a/target/arm/translate-sme.c b/target/arm/translate-sme.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-sme.c
+++ b/target/arm/translate-sme.c
@@ -XXX,XX +XXX,XX @@ static bool trans_MOVA(DisasContext *s, arg_MOVA *a)
 
     return true;
 }
+
+static bool trans_LDST1(DisasContext *s, arg_LDST1 *a)
+{
+    typedef void GenLdSt1(TCGv_env, TCGv_ptr, TCGv_ptr, TCGv, TCGv_i32);
+
+    /*
+     * Indexed by [esz][be][v][mte][st], which is (except for load/store)
+     * also the order in which the elements appear in the function names,
+     * and so how we must concatenate the pieces.
+     */
+
+#define FN_LS(F)     { gen_helper_sme_ld1##F, gen_helper_sme_st1##F }
+#define FN_MTE(F)    { FN_LS(F), FN_LS(F##_mte) }
+#define FN_HV(F)     { FN_MTE(F##_h), FN_MTE(F##_v) }
+#define FN_END(L, B) { FN_HV(L), FN_HV(B) }
+
+    static GenLdSt1 * const fns[5][2][2][2][2] = {
+        FN_END(b, b),
+        FN_END(h_le, h_be),
+        FN_END(s_le, s_be),
+        FN_END(d_le, d_be),
+        FN_END(q_le, q_be),
+    };
+
+#undef FN_LS
+#undef FN_MTE
+#undef FN_HV
+#undef FN_END
+
+    TCGv_ptr t_za, t_pg;
+    TCGv_i64 addr;
+    int svl, desc = 0;
+    bool be = s->be_data == MO_BE;
+    bool mte = s->mte_active[0];
+
+    if (!dc_isar_feature(aa64_sme, s)) {
+        return false;
+    }
+    if (!sme_smza_enabled_check(s)) {
+        return true;
+    }
+
+    t_za = get_tile_rowcol(s, a->esz, a->rs, a->za_imm, a->v);
+    t_pg = pred_full_reg_ptr(s, a->pg);
+    addr = tcg_temp_new_i64();
+
+    tcg_gen_shli_i64(addr, cpu_reg(s, a->rm), a->esz);
+    tcg_gen_add_i64(addr, addr, cpu_reg_sp(s, a->rn));
+
+    if (mte) {
+        desc = FIELD_DP32(desc, MTEDESC, MIDX, get_mem_index(s));
+        desc = FIELD_DP32(desc, MTEDESC, TBI, s->tbid);
+        desc = FIELD_DP32(desc, MTEDESC, TCMA, s->tcma);
+        desc = FIELD_DP32(desc, MTEDESC, WRITE, a->st);
+        desc = FIELD_DP32(desc, MTEDESC, SIZEM1, (1 << a->esz) - 1);
+        desc <<= SVE_MTEDESC_SHIFT;
+    } else {
+        addr = clean_data_tbi(s, addr);
+    }
+    svl = streaming_vec_reg_size(s);
+    desc = simd_desc(svl, svl, desc);
+
+    fns[a->esz][be][a->v][mte][a->st](cpu_env, t_za, t_pg, addr,
+                                      tcg_constant_i32(desc));
+
+    tcg_temp_free_ptr(t_za);
+    tcg_temp_free_ptr(t_pg);
+    tcg_temp_free_i64(addr);
+    return true;
+}
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Add a TCGv_ptr base argument, which will be cpu_env for SVE.
We will reuse this for SME save and restore array insns.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-22-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.h |  3 +++
 target/arm/translate-sve.c | 48 ++++++++++++++++++++++++++++----------
 2 files changed, 39 insertions(+), 12 deletions(-)

diff --git a/target/arm/translate-a64.h b/target/arm/translate-a64.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.h
+++ b/target/arm/translate-a64.h
@@ -XXX,XX +XXX,XX @@ void gen_gvec_xar(unsigned vece, uint32_t rd_ofs, uint32_t rn_ofs,
                   uint32_t rm_ofs, int64_t shift,
                   uint32_t opr_sz, uint32_t max_sz);
 
+void gen_sve_ldr(DisasContext *s, TCGv_ptr, int vofs, int len, int rn, int imm);
+void gen_sve_str(DisasContext *s, TCGv_ptr, int vofs, int len, int rn, int imm);
+
 #endif /* TARGET_ARM_TRANSLATE_A64_H */
diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(UCVTF_dd, aa64_sve, gen_gvec_fpst_arg_zpz,
  * The load should begin at the address Rn + IMM.
  */
 
-static void do_ldr(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
+void gen_sve_ldr(DisasContext *s, TCGv_ptr base, int vofs,
+                 int len, int rn, int imm)
 {
     int len_align = QEMU_ALIGN_DOWN(len, 8);
     int len_remain = len % 8;
@@ -XXX,XX +XXX,XX @@ static void do_ldr(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
         t0 = tcg_temp_new_i64();
         for (i = 0; i < len_align; i += 8) {
             tcg_gen_qemu_ld_i64(t0, clean_addr, midx, MO_LEUQ);
-            tcg_gen_st_i64(t0, cpu_env, vofs + i);
+            tcg_gen_st_i64(t0, base, vofs + i);
             tcg_gen_addi_i64(clean_addr, clean_addr, 8);
         }
         tcg_temp_free_i64(t0);
@@ -XXX,XX +XXX,XX @@ static void do_ldr(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
         clean_addr = new_tmp_a64_local(s);
         tcg_gen_mov_i64(clean_addr, t0);
 
+        if (base != cpu_env) {
+            TCGv_ptr b = tcg_temp_local_new_ptr();
+            tcg_gen_mov_ptr(b, base);
+            base = b;
+        }
+
         gen_set_label(loop);
 
         t0 = tcg_temp_new_i64();
@@ -XXX,XX +XXX,XX @@ static void do_ldr(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
         tcg_gen_addi_i64(clean_addr, clean_addr, 8);
 
         tp = tcg_temp_new_ptr();
-        tcg_gen_add_ptr(tp, cpu_env, i);
+        tcg_gen_add_ptr(tp, base, i);
         tcg_gen_addi_ptr(i, i, 8);
         tcg_gen_st_i64(t0, tp, vofs);
         tcg_temp_free_ptr(tp);
@@ -XXX,XX +XXX,XX @@ static void do_ldr(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
 
         tcg_gen_brcondi_ptr(TCG_COND_LTU, i, len_align, loop);
         tcg_temp_free_ptr(i);
+
+        if (base != cpu_env) {
+            tcg_temp_free_ptr(base);
+            assert(len_remain == 0);
+        }
     }
 
     /*
@@ -XXX,XX +XXX,XX @@ static void do_ldr(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
         default:
             g_assert_not_reached();
         }
-        tcg_gen_st_i64(t0, cpu_env, vofs + len_align);
+        tcg_gen_st_i64(t0, base, vofs + len_align);
         tcg_temp_free_i64(t0);
     }
 }
 
 /* Similarly for stores.  */
-static void do_str(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
+void gen_sve_str(DisasContext *s, TCGv_ptr base, int vofs,
+                 int len, int rn, int imm)
 {
     int len_align = QEMU_ALIGN_DOWN(len, 8);
     int len_remain = len % 8;
@@ -XXX,XX +XXX,XX @@ static void do_str(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
 
         t0 = tcg_temp_new_i64();
         for (i = 0; i < len_align; i += 8) {
-            tcg_gen_ld_i64(t0, cpu_env, vofs + i);
+            tcg_gen_ld_i64(t0, base, vofs + i);
             tcg_gen_qemu_st_i64(t0, clean_addr, midx, MO_LEUQ);
             tcg_gen_addi_i64(clean_addr, clean_addr, 8);
         }
@@ -XXX,XX +XXX,XX @@ static void do_str(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
         clean_addr = new_tmp_a64_local(s);
         tcg_gen_mov_i64(clean_addr, t0);
 
+        if (base != cpu_env) {
+            TCGv_ptr b = tcg_temp_local_new_ptr();
+            tcg_gen_mov_ptr(b, base);
+            base = b;
+        }
+
         gen_set_label(loop);
 
         t0 = tcg_temp_new_i64();
         tp = tcg_temp_new_ptr();
-        tcg_gen_add_ptr(tp, cpu_env, i);
+        tcg_gen_add_ptr(tp, base, i);
         tcg_gen_ld_i64(t0, tp, vofs);
         tcg_gen_addi_ptr(i, i, 8);
         tcg_temp_free_ptr(tp);
@@ -XXX,XX +XXX,XX @@ static void do_str(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
 
         tcg_gen_brcondi_ptr(TCG_COND_LTU, i, len_align, loop);
         tcg_temp_free_ptr(i);
+
+        if (base != cpu_env) {
+            tcg_temp_free_ptr(base);
+            assert(len_remain == 0);
+        }
     }
 
     /* Predicate register stores can be any multiple of 2.  */
     if (len_remain) {
         t0 = tcg_temp_new_i64();
-        tcg_gen_ld_i64(t0, cpu_env, vofs + len_align);
+        tcg_gen_ld_i64(t0, base, vofs + len_align);
 
         switch (len_remain) {
         case 2:
@@ -XXX,XX +XXX,XX @@ static bool trans_LDR_zri(DisasContext *s, arg_rri *a)
     if (sve_access_check(s)) {
         int size = vec_full_reg_size(s);
         int off = vec_full_reg_offset(s, a->rd);
-        do_ldr(s, off, size, a->rn, a->imm * size);
+        gen_sve_ldr(s, cpu_env, off, size, a->rn, a->imm * size);
     }
     return true;
 }
@@ -XXX,XX +XXX,XX @@ static bool trans_LDR_pri(DisasContext *s, arg_rri *a)
     if (sve_access_check(s)) {
         int size = pred_full_reg_size(s);
         int off = pred_full_reg_offset(s, a->rd);
-        do_ldr(s, off, size, a->rn, a->imm * size);
+        gen_sve_ldr(s, cpu_env, off, size, a->rn, a->imm * size);
     }
     return true;
 }
@@ -XXX,XX +XXX,XX @@ static bool trans_STR_zri(DisasContext *s, arg_rri *a)
     if (sve_access_check(s)) {
         int size = vec_full_reg_size(s);
         int off = vec_full_reg_offset(s, a->rd);
-        do_str(s, off, size, a->rn, a->imm * size);
+        gen_sve_str(s, cpu_env, off, size, a->rn, a->imm * size);
     }
     return true;
 }
@@ -XXX,XX +XXX,XX @@ static bool trans_STR_pri(DisasContext *s, arg_rri *a)
     if (sve_access_check(s)) {
         int size = pred_full_reg_size(s);
         int off = pred_full_reg_offset(s, a->rd);
-        do_str(s, off, size, a->rn, a->imm * size);
+        gen_sve_str(s, cpu_env, off, size, a->rn, a->imm * size);
     }
     return true;
 }
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

We can reuse the SVE functions for LDR and STR, passing in the
base of the ZA vector and a zero offset.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-23-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sme.decode      |  7 +++++++
 target/arm/translate-sme.c | 24 ++++++++++++++++++++++++
 2 files changed, 31 insertions(+)

diff --git a/target/arm/sme.decode b/target/arm/sme.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sme.decode
+++ b/target/arm/sme.decode
@@ -XXX,XX +XXX,XX @@ LDST1           1110000 0 esz:2 st:1 rm:5 v:1 .. pg:3 rn:5 0 za_imm:4  \
                 &ldst rs=%mova_rs
 LDST1           1110000 111     st:1 rm:5 v:1 .. pg:3 rn:5 0 za_imm:4  \
                 &ldst esz=4 rs=%mova_rs
+
+&ldstr          rv rn imm
+@ldstr          ....... ... . ...... .. ... rn:5 . imm:4 \
+                &ldstr rv=%mova_rs
+
+LDR             1110000 100 0 000000 .. 000 ..... 0 ....        @ldstr
+STR             1110000 100 1 000000 .. 000 ..... 0 ....        @ldstr
diff --git a/target/arm/translate-sme.c b/target/arm/translate-sme.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-sme.c
+++ b/target/arm/translate-sme.c
@@ -XXX,XX +XXX,XX @@ static bool trans_LDST1(DisasContext *s, arg_LDST1 *a)
     tcg_temp_free_i64(addr);
     return true;
 }
+
+typedef void GenLdStR(DisasContext *, TCGv_ptr, int, int, int, int);
+
+static bool do_ldst_r(DisasContext *s, arg_ldstr *a, GenLdStR *fn)
+{
+    int svl = streaming_vec_reg_size(s);
+    int imm = a->imm;
+    TCGv_ptr base;
+
+    if (!sme_za_enabled_check(s)) {
+        return true;
+    }
+
+    /* ZA[n] equates to ZA0H.B[n]. */
+    base = get_tile_rowcol(s, MO_8, a->rv, imm, false);
+
+    fn(s, base, 0, svl, a->rn, imm * svl);
+
+    tcg_temp_free_ptr(base);
+    return true;
+}
+
+TRANS_FEAT(LDR, aa64_sme, do_ldst_r, a, gen_sve_ldr)
+TRANS_FEAT(STR, aa64_sme, do_ldst_r, a, gen_sve_str)
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-24-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper-sme.h    |  5 +++
 target/arm/sme.decode      | 11 +++++
 target/arm/sme_helper.c    | 90 ++++++++++++++++++++++++++++++++++++++
 target/arm/translate-sme.c | 31 +++++++++++++
 4 files changed, 137 insertions(+)

From: Richard Henderson <richard.henderson@linaro.org>

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-25-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper-sme.h    |  5 +++
 target/arm/sme.decode      |  9 +++++
 target/arm/sme_helper.c    | 69 ++++++++++++++++++++++++++++++++++++++
 target/arm/translate-sme.c | 32 ++++++++++++++++++
 4 files changed, 115 insertions(+)

From: Richard Henderson <richard.henderson@linaro.org>

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-26-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper-sme.h    |  2 ++
 target/arm/sme.decode      |  2 ++
 target/arm/sme_helper.c    | 56 ++++++++++++++++++++++++++++++++++++++
 target/arm/translate-sme.c | 30 ++++++++++++++++++++
 4 files changed, 90 insertions(+)

From: Richard Henderson <richard.henderson@linaro.org>

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-27-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper-sme.h    |  2 ++
 target/arm/sme.decode      |  1 +
 target/arm/sme_helper.c    | 74 ++++++++++++++++++++++++++++++++++++++
 target/arm/translate-sme.c |  1 +
 4 files changed, 78 insertions(+)

From: Richard Henderson <richard.henderson@linaro.org>

This is SMOPA, SUMOPA, USMOPA_s, UMOPA, for both Int8 and Int16.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-28-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper-sme.h    | 16 ++++++++
 target/arm/sme.decode      | 10 +++++
 target/arm/sme_helper.c    | 82 ++++++++++++++++++++++++++++++++++++++
 target/arm/translate-sme.c | 10 +++++
 4 files changed, 118 insertions(+)

From: Richard Henderson <richard.henderson@linaro.org>

This is an SVE instruction that operates using the SVE vector
length but that it is present only if SME is implemented.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-29-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sve.decode      | 20 +++++++++++++
 target/arm/translate-sve.c | 57 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 77 insertions(+)

diff --git a/target/arm/sve.decode b/target/arm/sve.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sve.decode
+++ b/target/arm/sve.decode
@@ -XXX,XX +XXX,XX @@ BFMLALT_zzxw    01100100 11 1 ..... 0100.1 ..... .....     @rrxr_3a esz=2
 
 ### SVE2 floating-point bfloat16 dot-product (indexed)
 BFDOT_zzxz      01100100 01 1 ..... 010000 ..... .....     @rrxr_2 esz=2
+
+### SVE broadcast predicate element
+
+&psel           esz pd pn pm rv imm
+%psel_rv        16:2 !function=plus_12
+%psel_imm_b     22:2 19:2
+%psel_imm_h     22:2 20:1
+%psel_imm_s     22:2
+%psel_imm_d     23:1
+@psel           ........ .. . ... .. .. pn:4 . pm:4 . pd:4  \
+                &psel rv=%psel_rv
+
+PSEL            00100101 .. 1 ..1 .. 01 .... 0 .... 0 ....  \
+                @psel esz=0 imm=%psel_imm_b
+PSEL            00100101 .. 1 .10 .. 01 .... 0 .... 0 ....  \
+                @psel esz=1 imm=%psel_imm_h
+PSEL            00100101 .. 1 100 .. 01 .... 0 .... 0 ....  \
+                @psel esz=2 imm=%psel_imm_s
+PSEL            00100101 .1 1 000 .. 01 .... 0 .... 0 ....  \
+                @psel esz=3 imm=%psel_imm_d
diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ static bool do_BFMLAL_zzxw(DisasContext *s, arg_rrxr_esz *a, bool sel)
 
 TRANS_FEAT(BFMLALB_zzxw, aa64_sve_bf16, do_BFMLAL_zzxw, a, false)
 TRANS_FEAT(BFMLALT_zzxw, aa64_sve_bf16, do_BFMLAL_zzxw, a, true)
+
+static bool trans_PSEL(DisasContext *s, arg_psel *a)
+{
+    int vl = vec_full_reg_size(s);
+    int pl = pred_gvec_reg_size(s);
+    int elements = vl >> a->esz;
+    TCGv_i64 tmp, didx, dbit;
+    TCGv_ptr ptr;
+
+    if (!dc_isar_feature(aa64_sme, s)) {
+        return false;
+    }
+    if (!sve_access_check(s)) {
+        return true;
+    }
+
+    tmp = tcg_temp_new_i64();
+    dbit = tcg_temp_new_i64();
+    didx = tcg_temp_new_i64();
+    ptr = tcg_temp_new_ptr();
+
+    /* Compute the predicate element. */
+    tcg_gen_addi_i64(tmp, cpu_reg(s, a->rv), a->imm);
+    if (is_power_of_2(elements)) {
+        tcg_gen_andi_i64(tmp, tmp, elements - 1);
+    } else {
+        tcg_gen_remu_i64(tmp, tmp, tcg_constant_i64(elements));
+    }
+
+    /* Extract the predicate byte and bit indices. */
+    tcg_gen_shli_i64(tmp, tmp, a->esz);
+    tcg_gen_andi_i64(dbit, tmp, 7);
+    tcg_gen_shri_i64(didx, tmp, 3);
+    if (HOST_BIG_ENDIAN) {
+        tcg_gen_xori_i64(didx, didx, 7);
+    }
+
+    /* Load the predicate word. */
+    tcg_gen_trunc_i64_ptr(ptr, didx);
+    tcg_gen_add_ptr(ptr, ptr, cpu_env);
+    tcg_gen_ld8u_i64(tmp, ptr, pred_full_reg_offset(s, a->pm));
+
+    /* Extract the predicate bit and replicate to MO_64. */
+    tcg_gen_shr_i64(tmp, tmp, dbit);
+    tcg_gen_andi_i64(tmp, tmp, 1);
+    tcg_gen_neg_i64(tmp, tmp);
+
+    /* Apply to either copy the source, or write zeros. */
+    tcg_gen_gvec_ands(MO_64, pred_full_reg_offset(s, a->pd),
+                      pred_full_reg_offset(s, a->pn), tmp, pl, pl);
+
+    tcg_temp_free_i64(tmp);
+    tcg_temp_free_i64(dbit);
+    tcg_temp_free_i64(didx);
+    tcg_temp_free_ptr(ptr);
+    return true;
+}
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

This is an SVE instruction that operates using the SVE vector
length but that it is present only if SME is implemented.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-30-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper-sve.h    |  2 ++
 target/arm/sve.decode      |  1 +
 target/arm/sve_helper.c    | 16 ++++++++++++++++
 target/arm/translate-sve.c |  2 ++
 4 files changed, 21 insertions(+)

diff --git a/target/arm/helper-sve.h b/target/arm/helper-sve.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper-sve.h
+++ b/target/arm/helper-sve.h
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_4(sve_revh_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 
 DEF_HELPER_FLAGS_4(sve_revw_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 
+DEF_HELPER_FLAGS_4(sme_revd_q, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
+
 DEF_HELPER_FLAGS_4(sve_rbit_b, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 DEF_HELPER_FLAGS_4(sve_rbit_h, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 DEF_HELPER_FLAGS_4(sve_rbit_s, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
diff --git a/target/arm/sve.decode b/target/arm/sve.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sve.decode
+++ b/target/arm/sve.decode
@@ -XXX,XX +XXX,XX @@ REVB            00000101 .. 1001 00 100 ... ..... .....         @rd_pg_rn
 REVH            00000101 .. 1001 01 100 ... ..... .....         @rd_pg_rn
 REVW            00000101 .. 1001 10 100 ... ..... .....         @rd_pg_rn
 RBIT            00000101 .. 1001 11 100 ... ..... .....         @rd_pg_rn
+REVD            00000101 00 1011 10 100 ... ..... .....         @rd_pg_rn_e0
 
 # SVE vector splice (predicated, destructive)
 SPLICE          00000101 .. 101 100 100 ... ..... .....         @rdn_pg_rm
diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sve_helper.c
+++ b/target/arm/sve_helper.c
@@ -XXX,XX +XXX,XX @@ DO_ZPZ_D(sve_revh_d, uint64_t, hswap64)
 
 DO_ZPZ_D(sve_revw_d, uint64_t, wswap64)
 
+void HELPER(sme_revd_q)(void *vd, void *vn, void *vg, uint32_t desc)
+{
+    intptr_t i, opr_sz = simd_oprsz(desc) / 8;
+    uint64_t *d = vd, *n = vn;
+    uint8_t *pg = vg;
+
+    for (i = 0; i < opr_sz; i += 2) {
+        if (pg[H1(i)] & 1) {
+            uint64_t n0 = n[i + 0];
+            uint64_t n1 = n[i + 1];
+            d[i + 0] = n1;
+            d[i + 1] = n0;
+        }
+    }
+}
+
 DO_ZPZ(sve_rbit_b, uint8_t, H1, revbit8)
 DO_ZPZ(sve_rbit_h, uint16_t, H1_2, revbit16)
 DO_ZPZ(sve_rbit_s, uint32_t, H1_4, revbit32)
diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(REVH, aa64_sve, gen_gvec_ool_arg_zpz, revh_fns[a->esz], a, 0)
 TRANS_FEAT(REVW, aa64_sve, gen_gvec_ool_arg_zpz,
            a->esz == 3 ? gen_helper_sve_revw_d : NULL, a, 0)
 
+TRANS_FEAT(REVD, aa64_sme, gen_gvec_ool_arg_zpz, gen_helper_sme_revd_q, a, 0)
+
 TRANS_FEAT(SPLICE, aa64_sve, gen_gvec_ool_arg_zpzz,
            gen_helper_sve_splice, a, a->esz)
 
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

This is an SVE instruction that operates using the SVE vector
length but that it is present only if SME is implemented.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-31-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.h        |  18 +++++++
 target/arm/sve.decode      |   5 ++
 target/arm/translate-sve.c | 102 +++++++++++++++++++++++++++++++++++++
 target/arm/vec_helper.c    |  24 +++++++++
 4 files changed, 149 insertions(+)

diff --git a/target/arm/helper.h b/target/arm/helper.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.h
+++ b/target/arm/helper.h
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_6(gvec_bfmlal, TCG_CALL_NO_RWG,
 DEF_HELPER_FLAGS_6(gvec_bfmlal_idx, TCG_CALL_NO_RWG,
                    void, ptr, ptr, ptr, ptr, ptr, i32)
 
+DEF_HELPER_FLAGS_5(gvec_sclamp_b, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_5(gvec_sclamp_h, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_5(gvec_sclamp_s, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_5(gvec_sclamp_d, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, i32)
+
+DEF_HELPER_FLAGS_5(gvec_uclamp_b, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_5(gvec_uclamp_h, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_5(gvec_uclamp_s, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_5(gvec_uclamp_d, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, i32)
+
 #ifdef TARGET_AARCH64
 #include "helper-a64.h"
 #include "helper-sve.h"
diff --git a/target/arm/sve.decode b/target/arm/sve.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sve.decode
+++ b/target/arm/sve.decode
@@ -XXX,XX +XXX,XX @@ PSEL            00100101 .. 1 100 .. 01 .... 0 .... 0 ....  \
                 @psel esz=2 imm=%psel_imm_s
 PSEL            00100101 .1 1 000 .. 01 .... 0 .... 0 ....  \
                 @psel esz=3 imm=%psel_imm_d
+
+### SVE clamp
+
+SCLAMP          01000100 .. 0 ..... 110000 ..... .....          @rda_rn_rm
+UCLAMP          01000100 .. 0 ..... 110001 ..... .....          @rda_rn_rm
diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ static bool trans_PSEL(DisasContext *s, arg_psel *a)
     tcg_temp_free_ptr(ptr);
     return true;
 }
+
+static void gen_sclamp_i32(TCGv_i32 d, TCGv_i32 n, TCGv_i32 m, TCGv_i32 a)
+{
+    tcg_gen_smax_i32(d, a, n);
+    tcg_gen_smin_i32(d, d, m);
+}
+
+static void gen_sclamp_i64(TCGv_i64 d, TCGv_i64 n, TCGv_i64 m, TCGv_i64 a)
+{
+    tcg_gen_smax_i64(d, a, n);
+    tcg_gen_smin_i64(d, d, m);
+}
+
+static void gen_sclamp_vec(unsigned vece, TCGv_vec d, TCGv_vec n,
+                           TCGv_vec m, TCGv_vec a)
+{
+    tcg_gen_smax_vec(vece, d, a, n);
+    tcg_gen_smin_vec(vece, d, d, m);
+}
+
+static void gen_sclamp(unsigned vece, uint32_t d, uint32_t n, uint32_t m,
+                       uint32_t a, uint32_t oprsz, uint32_t maxsz)
+{
+    static const TCGOpcode vecop[] = {
+        INDEX_op_smin_vec, INDEX_op_smax_vec, 0
+    };
+    static const GVecGen4 ops[4] = {
+        { .fniv = gen_sclamp_vec,
+          .fno  = gen_helper_gvec_sclamp_b,
+          .opt_opc = vecop,
+          .vece = MO_8 },
+        { .fniv = gen_sclamp_vec,
+          .fno  = gen_helper_gvec_sclamp_h,
+          .opt_opc = vecop,
+          .vece = MO_16 },
+        { .fni4 = gen_sclamp_i32,
+          .fniv = gen_sclamp_vec,
+          .fno  = gen_helper_gvec_sclamp_s,
+          .opt_opc = vecop,
+          .vece = MO_32 },
+        { .fni8 = gen_sclamp_i64,
+          .fniv = gen_sclamp_vec,
+          .fno  = gen_helper_gvec_sclamp_d,
+          .opt_opc = vecop,
+          .vece = MO_64,
+          .prefer_i64 = TCG_TARGET_REG_BITS == 64 }
+    };
+    tcg_gen_gvec_4(d, n, m, a, oprsz, maxsz, &ops[vece]);
+}
+
+TRANS_FEAT(SCLAMP, aa64_sme, gen_gvec_fn_arg_zzzz, gen_sclamp, a)
+
+static void gen_uclamp_i32(TCGv_i32 d, TCGv_i32 n, TCGv_i32 m, TCGv_i32 a)
+{
+    tcg_gen_umax_i32(d, a, n);
+    tcg_gen_umin_i32(d, d, m);
+}
+
+static void gen_uclamp_i64(TCGv_i64 d, TCGv_i64 n, TCGv_i64 m, TCGv_i64 a)
+{
+    tcg_gen_umax_i64(d, a, n);
+    tcg_gen_umin_i64(d, d, m);
+}
+
+static void gen_uclamp_vec(unsigned vece, TCGv_vec d, TCGv_vec n,
+                           TCGv_vec m, TCGv_vec a)
+{
+    tcg_gen_umax_vec(vece, d, a, n);
+    tcg_gen_umin_vec(vece, d, d, m);
+}
+
+static void gen_uclamp(unsigned vece, uint32_t d, uint32_t n, uint32_t m,
+                       uint32_t a, uint32_t oprsz, uint32_t maxsz)
+{
+    static const TCGOpcode vecop[] = {
+        INDEX_op_umin_vec, INDEX_op_umax_vec, 0
+    };
+    static const GVecGen4 ops[4] = {
+        { .fniv = gen_uclamp_vec,
+          .fno  = gen_helper_gvec_uclamp_b,
+          .opt_opc = vecop,
+          .vece = MO_8 },
+        { .fniv = gen_uclamp_vec,
+          .fno  = gen_helper_gvec_uclamp_h,
+          .opt_opc = vecop,
+          .vece = MO_16 },
+        { .fni4 = gen_uclamp_i32,
+          .fniv = gen_uclamp_vec,
+          .fno  = gen_helper_gvec_uclamp_s,
+          .opt_opc = vecop,
+          .vece = MO_32 },
+        { .fni8 = gen_uclamp_i64,
+          .fniv = gen_uclamp_vec,
+          .fno  = gen_helper_gvec_uclamp_d,
+          .opt_opc = vecop,
+          .vece = MO_64,
+          .prefer_i64 = TCG_TARGET_REG_BITS == 64 }
+    };
+    tcg_gen_gvec_4(d, n, m, a, oprsz, maxsz, &ops[vece]);
+}
+
+TRANS_FEAT(UCLAMP, aa64_sme, gen_gvec_fn_arg_zzzz, gen_uclamp, a)
diff --git a/target/arm/vec_helper.c b/target/arm/vec_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/vec_helper.c
+++ b/target/arm/vec_helper.c
@@ -XXX,XX +XXX,XX @@ void HELPER(gvec_bfmlal_idx)(void *vd, void *vn, void *vm,
     }
     clear_tail(d, opr_sz, simd_maxsz(desc));
 }
+
+#define DO_CLAMP(NAME, TYPE) \
+void HELPER(NAME)(void *d, void *n, void *m, void *a, uint32_t desc)    \
+{                                                                       \
+    intptr_t i, opr_sz = simd_oprsz(desc);                              \
+    for (i = 0; i < opr_sz; i += sizeof(TYPE)) {                        \
+        TYPE aa = *(TYPE *)(a + i);                                     \
+        TYPE nn = *(TYPE *)(n + i);                                     \
+        TYPE mm = *(TYPE *)(m + i);                                     \
+        TYPE dd = MIN(MAX(aa, nn), mm);                                 \
+        *(TYPE *)(d + i) = dd;                                          \
+    }                                                                   \
+    clear_tail(d, opr_sz, simd_maxsz(desc));                            \
+}
+
+DO_CLAMP(gvec_sclamp_b, int8_t)
+DO_CLAMP(gvec_sclamp_h, int16_t)
+DO_CLAMP(gvec_sclamp_s, int32_t)
+DO_CLAMP(gvec_sclamp_d, int64_t)
+
+DO_CLAMP(gvec_uclamp_b, uint8_t)
+DO_CLAMP(gvec_uclamp_h, uint16_t)
+DO_CLAMP(gvec_uclamp_s, uint32_t)
+DO_CLAMP(gvec_uclamp_d, uint64_t)
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

We can handle both exception entry and exception return by
hooking into aarch64_sve_change_el.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-32-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ void aarch64_sve_change_el(CPUARMState *env, int old_el,
         return;
     }
 
+    old_a64 = old_el ? arm_el_is_aa64(env, old_el) : el0_a64;
+    new_a64 = new_el ? arm_el_is_aa64(env, new_el) : el0_a64;
+
+    /*
+     * Both AArch64.TakeException and AArch64.ExceptionReturn
+     * invoke ResetSVEState when taking an exception from, or
+     * returning to, AArch32 state when PSTATE.SM is enabled.
+     */
+    if (old_a64 != new_a64 && FIELD_EX64(env->svcr, SVCR, SM)) {
+        arm_reset_sve_state(env);
+        return;
+    }
+
     /*
      * DDI0584A.d sec 3.2: "If SVE instructions are disabled or trapped
      * at ELx, or not available because the EL is in AArch32 state, then
@@ -XXX,XX +XXX,XX @@ void aarch64_sve_change_el(CPUARMState *env, int old_el,
      * we already have the correct register contents when encountering the
      * vq0->vq0 transition between EL0->EL1.
      */
-    old_a64 = old_el ? arm_el_is_aa64(env, old_el) : el0_a64;
     old_len = (old_a64 && !sve_exception_el(env, old_el)
                ? sve_vqm1_for_el(env, old_el) : 0);
-    new_a64 = new_el ? arm_el_is_aa64(env, new_el) : el0_a64;
     new_len = (new_a64 && !sve_exception_el(env, new_el)
                ? sve_vqm1_for_el(env, new_el) : 0);
 
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Note that SME remains effectively disabled for user-only,
because we do not yet set CPACR_EL1.SMEN.  This needs to
wait until the kernel ABI is implemented.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-33-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 docs/system/arm/emulation.rst |  4 ++++
 target/arm/cpu64.c            | 11 +++++++++++
 2 files changed, 15 insertions(+)

diff --git a/docs/system/arm/emulation.rst b/docs/system/arm/emulation.rst
index XXXXXXX..XXXXXXX 100644
--- a/docs/system/arm/emulation.rst
+++ b/docs/system/arm/emulation.rst
@@ -XXX,XX +XXX,XX @@ the following architecture extensions:
 - FEAT_SHA512 (Advanced SIMD SHA512 instructions)
 - FEAT_SM3 (Advanced SIMD SM3 instructions)
 - FEAT_SM4 (Advanced SIMD SM4 instructions)
+- FEAT_SME (Scalable Matrix Extension)
+- FEAT_SME_FA64 (Full A64 instruction set in Streaming SVE mode)
+- FEAT_SME_F64F64 (Double-precision floating-point outer product instructions)
+- FEAT_SME_I16I64 (16-bit to 64-bit integer widening outer product instructions)
 - FEAT_SPECRES (Speculation restriction instructions)
 - FEAT_SSBS (Speculative Store Bypass Safe)
 - FEAT_TLBIOS (TLB invalidate instructions in Outer Shareable domain)
diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu64.c
+++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
      */
     t = FIELD_DP64(t, ID_AA64PFR1, MTE, 3);       /* FEAT_MTE3 */
     t = FIELD_DP64(t, ID_AA64PFR1, RAS_FRAC, 0);  /* FEAT_RASv1p1 + FEAT_DoubleFault */
+    t = FIELD_DP64(t, ID_AA64PFR1, SME, 1);       /* FEAT_SME */
     t = FIELD_DP64(t, ID_AA64PFR1, CSV2_FRAC, 0); /* FEAT_CSV2_2 */
     cpu->isar.id_aa64pfr1 = t;
 
@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
     t = FIELD_DP64(t, ID_AA64DFR0, PMUVER, 5);    /* FEAT_PMUv3p4 */
     cpu->isar.id_aa64dfr0 = t;
 
+    t = cpu->isar.id_aa64smfr0;
+    t = FIELD_DP64(t, ID_AA64SMFR0, F32F32, 1);   /* FEAT_SME */
+    t = FIELD_DP64(t, ID_AA64SMFR0, B16F32, 1);   /* FEAT_SME */
+    t = FIELD_DP64(t, ID_AA64SMFR0, F16F32, 1);   /* FEAT_SME */
+    t = FIELD_DP64(t, ID_AA64SMFR0, I8I32, 0xf);  /* FEAT_SME */
+    t = FIELD_DP64(t, ID_AA64SMFR0, F64F64, 1);   /* FEAT_SME_F64F64 */
+    t = FIELD_DP64(t, ID_AA64SMFR0, I16I64, 0xf); /* FEAT_SME_I16I64 */
+    t = FIELD_DP64(t, ID_AA64SMFR0, FA64, 1);     /* FEAT_SME_FA64 */
+    cpu->isar.id_aa64smfr0 = t;
+
     /* Replicate the same data to the 32-bit id registers.  */
     aa32_max_features(cpu);
 
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-34-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/aarch64/target_cpu.h | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/linux-user/aarch64/target_cpu.h b/linux-user/aarch64/target_cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/aarch64/target_cpu.h
+++ b/linux-user/aarch64/target_cpu.h
@@ -XXX,XX +XXX,XX @@ static inline void cpu_clone_regs_parent(CPUARMState *env, unsigned flags)
 
 static inline void cpu_set_tls(CPUARMState *env, target_ulong newtls)
 {
-    /* Note that AArch64 Linux keeps the TLS pointer in TPIDR; this is
+    /*
+     * Note that AArch64 Linux keeps the TLS pointer in TPIDR; this is
      * different from AArch32 Linux, which uses TPIDRRO.
      */
     env->cp15.tpidr_el[0] = newtls;
+    /* TPIDR2_EL0 is cleared with CLONE_SETTLS. */
+    env->cp15.tpidr2_el0 = 0;
 }
 
 static inline abi_ulong get_sp_from_cpustate(CPUARMState *state)
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-35-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/aarch64/cpu_loop.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/linux-user/aarch64/cpu_loop.c b/linux-user/aarch64/cpu_loop.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/aarch64/cpu_loop.c
+++ b/linux-user/aarch64/cpu_loop.c
@@ -XXX,XX +XXX,XX @@ void cpu_loop(CPUARMState *env)
 
         switch (trapnr) {
         case EXCP_SWI:
+            /*
+             * On syscall, PSTATE.ZA is preserved, along with the ZA matrix.
+             * PSTATE.SM is cleared, per SMSTOP, which does ResetSVEState.
+             */
+            if (FIELD_EX64(env->svcr, SVCR, SM)) {
+                env->svcr = FIELD_DP64(env->svcr, SVCR, SM, 0);
+                arm_rebuild_hflags(env);
+                arm_reset_sve_state(env);
+            }
             ret = do_syscall(env,
                              env->xregs[8],
                              env->xregs[0],
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Make sure to zero the currently reserved fields.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-36-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/aarch64/signal.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/linux-user/aarch64/signal.c b/linux-user/aarch64/signal.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/aarch64/signal.c
+++ b/linux-user/aarch64/signal.c
@@ -XXX,XX +XXX,XX @@ struct target_extra_context {
 struct target_sve_context {
     struct target_aarch64_ctx head;
     uint16_t vl;
-    uint16_t reserved[3];
+    uint16_t flags;
+    uint16_t reserved[2];
     /* The actual SVE data immediately follows.  It is laid out
      * according to TARGET_SVE_SIG_{Z,P}REG_OFFSET, based off of
      * the original struct pointer.
@@ -XXX,XX +XXX,XX @@ struct target_sve_context {
 #define TARGET_SVE_SIG_CONTEXT_SIZE(VQ) \
     (TARGET_SVE_SIG_PREG_OFFSET(VQ, 17))
 
+#define TARGET_SVE_SIG_FLAG_SM  1
+
 struct target_rt_sigframe {
     struct target_siginfo info;
     struct target_ucontext uc;
@@ -XXX,XX +XXX,XX @@ static void target_setup_sve_record(struct target_sve_context *sve,
 {
     int i, j;
 
+    memset(sve, 0, sizeof(*sve));
     __put_user(TARGET_SVE_MAGIC, &sve->head.magic);
     __put_user(size, &sve->head.size);
     __put_user(vq * TARGET_SVE_VQ_BYTES, &sve->vl);
+    if (FIELD_EX64(env->svcr, SVCR, SM)) {
+        __put_user(TARGET_SVE_SIG_FLAG_SM, &sve->flags);
+    }
 
     /* Note that SVE regs are stored as a byte stream, with each byte element
      * at a subsequent address.  This corresponds to a little-endian store
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Fold the return value setting into the goto, so each
point of failure need not do both.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-37-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/aarch64/signal.c | 26 +++++++++++---------------
 1 file changed, 11 insertions(+), 15 deletions(-)

diff --git a/linux-user/aarch64/signal.c b/linux-user/aarch64/signal.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/aarch64/signal.c
+++ b/linux-user/aarch64/signal.c
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
     struct target_sve_context *sve = NULL;
     uint64_t extra_datap = 0;
     bool used_extra = false;
-    bool err = false;
     int vq = 0, sve_size = 0;
 
     target_restore_general_frame(env, sf);
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
         switch (magic) {
         case 0:
             if (size != 0) {
-                err = true;
-                goto exit;
+                goto err;
             }
             if (used_extra) {
                 ctx = NULL;
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
 
         case TARGET_FPSIMD_MAGIC:
             if (fpsimd || size != sizeof(struct target_fpsimd_context)) {
-                err = true;
-                goto exit;
+                goto err;
             }
             fpsimd = (struct target_fpsimd_context *)ctx;
             break;
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
                     break;
                 }
             }
-            err = true;
-            goto exit;
+            goto err;
 
         case TARGET_EXTRA_MAGIC:
             if (extra || size != sizeof(struct target_extra_context)) {
-                err = true;
-                goto exit;
+                goto err;
             }
             __get_user(extra_datap,
                        &((struct target_extra_context *)ctx)->datap);
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
             /* Unknown record -- we certainly didn't generate it.
              * Did we in fact get out of sync?
              */
-            err = true;
-            goto exit;
+            goto err;
         }
         ctx = (void *)ctx + size;
     }
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
     if (fpsimd) {
         target_restore_fpsimd_record(env, fpsimd);
     } else {
-        err = true;
+        goto err;
     }
 
     /* SVE data, if present, overwrites FPSIMD data.  */
     if (sve) {
         target_restore_sve_record(env, sve, vq);
     }
-
- exit:
     unlock_user(extra, extra_datap, 0);
-    return err;
+    return 0;
+
+ err:
+    unlock_user(extra, extra_datap, 0);
+    return 1;
 }
 
 static abi_ulong get_sigframe(struct target_sigaction *ka,
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

In parse_user_sigframe, the kernel rejects duplicate sve records,
or records that are smaller than the header.  We were silently
allowing these cases to pass, dropping the record.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-38-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/aarch64/signal.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/linux-user/aarch64/signal.c b/linux-user/aarch64/signal.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/aarch64/signal.c
+++ b/linux-user/aarch64/signal.c
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
             break;
 
         case TARGET_SVE_MAGIC:
+            if (sve || size < sizeof(struct target_sve_context)) {
+                goto err;
+            }
             if (cpu_isar_feature(aa64_sve, env_archcpu(env))) {
                 vq = sve_vq(env);
                 sve_size = QEMU_ALIGN_UP(TARGET_SVE_SIG_CONTEXT_SIZE(vq), 16);
-                if (!sve && size == sve_size) {
+                if (size == sve_size) {
                     sve = (struct target_sve_context *)ctx;
                     break;
                 }
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Move the checks out of the parsing loop and into the
restore function.  This more closely mirrors the code
structure in the kernel, and is slightly clearer.

Reject rather than silently skip incorrect VL and SVE record sizes,
bringing our checks in to line with those the kernel does.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-40-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/aarch64/signal.c | 51 +++++++++++++++++++++++++------------
 1 file changed, 35 insertions(+), 16 deletions(-)

diff --git a/linux-user/aarch64/signal.c b/linux-user/aarch64/signal.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/aarch64/signal.c
+++ b/linux-user/aarch64/signal.c
@@ -XXX,XX +XXX,XX @@ static void target_restore_fpsimd_record(CPUARMState *env,
     }
 }
 
-static void target_restore_sve_record(CPUARMState *env,
-                                      struct target_sve_context *sve, int vq)
+static bool target_restore_sve_record(CPUARMState *env,
+                                      struct target_sve_context *sve,
+                                      int size)
 {
-    int i, j;
+    int i, j, vl, vq;
 
-    /* Note that SVE regs are stored as a byte stream, with each byte element
+    if (!cpu_isar_feature(aa64_sve, env_archcpu(env))) {
+        return false;
+    }
+
+    __get_user(vl, &sve->vl);
+    vq = sve_vq(env);
+
+    /* Reject mismatched VL. */
+    if (vl != vq * TARGET_SVE_VQ_BYTES) {
+        return false;
+    }
+
+    /* Accept empty record -- used to clear PSTATE.SM. */
+    if (size <= sizeof(*sve)) {
+        return true;
+    }
+
+    /* Reject non-empty but incomplete record. */
+    if (size < TARGET_SVE_SIG_CONTEXT_SIZE(vq)) {
+        return false;
+    }
+
+    /*
+     * Note that SVE regs are stored as a byte stream, with each byte element
      * at a subsequent address.  This corresponds to a little-endian load
      * of our 64-bit hunks.
      */
@@ -XXX,XX +XXX,XX @@ static void target_restore_sve_record(CPUARMState *env,
             }
         }
     }
+    return true;
 }
 
 static int target_restore_sigframe(CPUARMState *env,
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
     struct target_sve_context *sve = NULL;
     uint64_t extra_datap = 0;
     bool used_extra = false;
-    int vq = 0, sve_size = 0;
+    int sve_size = 0;
 
     target_restore_general_frame(env, sf);
 
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
             if (sve || size < sizeof(struct target_sve_context)) {
                 goto err;
             }
-            if (cpu_isar_feature(aa64_sve, env_archcpu(env))) {
-                vq = sve_vq(env);
-                sve_size = QEMU_ALIGN_UP(TARGET_SVE_SIG_CONTEXT_SIZE(vq), 16);
-                if (size == sve_size) {
-                    sve = (struct target_sve_context *)ctx;
-                    break;
-                }
-            }
-            goto err;
+            sve = (struct target_sve_context *)ctx;
+            sve_size = size;
+            break;
 
         case TARGET_EXTRA_MAGIC:
             if (extra || size != sizeof(struct target_extra_context)) {
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
     }
 
     /* SVE data, if present, overwrites FPSIMD data.  */
-    if (sve) {
-        target_restore_sve_record(env, sve, vq);
+    if (sve && !target_restore_sve_record(env, sve, sve_size)) {
+        goto err;
     }
     unlock_user(extra, extra_datap, 0);
     return 0;
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Set the SM bit in the SVE record on signal delivery, create the ZA record.
Restore SM and ZA state according to the records present on return.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-41-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/aarch64/signal.c | 167 +++++++++++++++++++++++++++++++++---
 1 file changed, 154 insertions(+), 13 deletions(-)

diff --git a/linux-user/aarch64/signal.c b/linux-user/aarch64/signal.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/aarch64/signal.c
+++ b/linux-user/aarch64/signal.c
@@ -XXX,XX +XXX,XX @@ struct target_sve_context {
 
 #define TARGET_SVE_SIG_FLAG_SM  1
 
+#define TARGET_ZA_MAGIC        0x54366345
+
+struct target_za_context {
+    struct target_aarch64_ctx head;
+    uint16_t vl;
+    uint16_t reserved[3];
+    /* The actual ZA data immediately follows. */
+};
+
+#define TARGET_ZA_SIG_REGS_OFFSET \
+    QEMU_ALIGN_UP(sizeof(struct target_za_context), TARGET_SVE_VQ_BYTES)
+#define TARGET_ZA_SIG_ZAV_OFFSET(VQ, N) \
+    (TARGET_ZA_SIG_REGS_OFFSET + (VQ) * TARGET_SVE_VQ_BYTES * (N))
+#define TARGET_ZA_SIG_CONTEXT_SIZE(VQ) \
+    TARGET_ZA_SIG_ZAV_OFFSET(VQ, VQ * TARGET_SVE_VQ_BYTES)
+
 struct target_rt_sigframe {
     struct target_siginfo info;
     struct target_ucontext uc;
@@ -XXX,XX +XXX,XX @@ static void target_setup_end_record(struct target_aarch64_ctx *end)
 }
 
 static void target_setup_sve_record(struct target_sve_context *sve,
-                                    CPUARMState *env, int vq, int size)
+                                    CPUARMState *env, int size)
 {
-    int i, j;
+    int i, j, vq = sve_vq(env);
 
     memset(sve, 0, sizeof(*sve));
     __put_user(TARGET_SVE_MAGIC, &sve->head.magic);
@@ -XXX,XX +XXX,XX @@ static void target_setup_sve_record(struct target_sve_context *sve,
     }
 }
 
+static void target_setup_za_record(struct target_za_context *za,
+                                   CPUARMState *env, int size)
+{
+    int vq = sme_vq(env);
+    int vl = vq * TARGET_SVE_VQ_BYTES;
+    int i, j;
+
+    memset(za, 0, sizeof(*za));
+    __put_user(TARGET_ZA_MAGIC, &za->head.magic);
+    __put_user(size, &za->head.size);
+    __put_user(vl, &za->vl);
+
+    if (size == TARGET_ZA_SIG_CONTEXT_SIZE(0)) {
+        return;
+    }
+    assert(size == TARGET_ZA_SIG_CONTEXT_SIZE(vq));
+
+    /*
+     * Note that ZA vectors are stored as a byte stream,
+     * with each byte element at a subsequent address.
+     */
+    for (i = 0; i < vl; ++i) {
+        uint64_t *z = (void *)za + TARGET_ZA_SIG_ZAV_OFFSET(vq, i);
+        for (j = 0; j < vq * 2; ++j) {
+            __put_user_e(env->zarray[i].d[j], z + j, le);
+        }
+    }
+}
+
 static void target_restore_general_frame(CPUARMState *env,
                                          struct target_rt_sigframe *sf)
 {
@@ -XXX,XX +XXX,XX @@ static void target_restore_fpsimd_record(CPUARMState *env,
 
 static bool target_restore_sve_record(CPUARMState *env,
                                       struct target_sve_context *sve,
-                                      int size)
+                                      int size, int *svcr)
 {
-    int i, j, vl, vq;
+    int i, j, vl, vq, flags;
+    bool sm;
 
-    if (!cpu_isar_feature(aa64_sve, env_archcpu(env))) {
+    __get_user(vl, &sve->vl);
+    __get_user(flags, &sve->flags);
+
+    sm = flags & TARGET_SVE_SIG_FLAG_SM;
+
+    /* The cpu must support Streaming or Non-streaming SVE. */
+    if (sm
+        ? !cpu_isar_feature(aa64_sme, env_archcpu(env))
+        : !cpu_isar_feature(aa64_sve, env_archcpu(env))) {
         return false;
     }
 
-    __get_user(vl, &sve->vl);
-    vq = sve_vq(env);
+    /*
+     * Note that we cannot use sve_vq() because that depends on the
+     * current setting of PSTATE.SM, not the state to be restored.
+     */
+    vq = sve_vqm1_for_el_sm(env, 0, sm) + 1;
 
     /* Reject mismatched VL. */
     if (vl != vq * TARGET_SVE_VQ_BYTES) {
@@ -XXX,XX +XXX,XX @@ static bool target_restore_sve_record(CPUARMState *env,
         return false;
     }
 
+    *svcr = FIELD_DP64(*svcr, SVCR, SM, sm);
+
     /*
      * Note that SVE regs are stored as a byte stream, with each byte element
      * at a subsequent address.  This corresponds to a little-endian load
@@ -XXX,XX +XXX,XX @@ static bool target_restore_sve_record(CPUARMState *env,
     return true;
 }
 
+static bool target_restore_za_record(CPUARMState *env,
+                                     struct target_za_context *za,
+                                     int size, int *svcr)
+{
+    int i, j, vl, vq;
+
+    if (!cpu_isar_feature(aa64_sme, env_archcpu(env))) {
+        return false;
+    }
+
+    __get_user(vl, &za->vl);
+    vq = sme_vq(env);
+
+    /* Reject mismatched VL. */
+    if (vl != vq * TARGET_SVE_VQ_BYTES) {
+        return false;
+    }
+
+    /* Accept empty record -- used to clear PSTATE.ZA. */
+    if (size <= TARGET_ZA_SIG_CONTEXT_SIZE(0)) {
+        return true;
+    }
+
+    /* Reject non-empty but incomplete record. */
+    if (size < TARGET_ZA_SIG_CONTEXT_SIZE(vq)) {
+        return false;
+    }
+
+    *svcr = FIELD_DP64(*svcr, SVCR, ZA, 1);
+
+    for (i = 0; i < vl; ++i) {
+        uint64_t *z = (void *)za + TARGET_ZA_SIG_ZAV_OFFSET(vq, i);
+        for (j = 0; j < vq * 2; ++j) {
+            __get_user_e(env->zarray[i].d[j], z + j, le);
+        }
+    }
+    return true;
+}
+
 static int target_restore_sigframe(CPUARMState *env,
                                    struct target_rt_sigframe *sf)
 {
     struct target_aarch64_ctx *ctx, *extra = NULL;
     struct target_fpsimd_context *fpsimd = NULL;
     struct target_sve_context *sve = NULL;
+    struct target_za_context *za = NULL;
     uint64_t extra_datap = 0;
     bool used_extra = false;
     int sve_size = 0;
+    int za_size = 0;
+    int svcr = 0;
 
     target_restore_general_frame(env, sf);
 
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
             sve_size = size;
             break;
 
+        case TARGET_ZA_MAGIC:
+            if (za || size < sizeof(struct target_za_context)) {
+                goto err;
+            }
+            za = (struct target_za_context *)ctx;
+            za_size = size;
+            break;
+
         case TARGET_EXTRA_MAGIC:
             if (extra || size != sizeof(struct target_extra_context)) {
                 goto err;
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
     }
 
     /* SVE data, if present, overwrites FPSIMD data.  */
-    if (sve && !target_restore_sve_record(env, sve, sve_size)) {
+    if (sve && !target_restore_sve_record(env, sve, sve_size, &svcr)) {
         goto err;
     }
+    if (za && !target_restore_za_record(env, za, za_size, &svcr)) {
+        goto err;
+    }
+    if (env->svcr != svcr) {
+        env->svcr = svcr;
+        arm_rebuild_hflags(env);
+    }
     unlock_user(extra, extra_datap, 0);
     return 0;
 
@@ -XXX,XX +XXX,XX @@ static void target_setup_frame(int usig, struct target_sigaction *ka,
         .total_size = offsetof(struct target_rt_sigframe,
                                uc.tuc_mcontext.__reserved),
     };
-    int fpsimd_ofs, fr_ofs, sve_ofs = 0, vq = 0, sve_size = 0;
+    int fpsimd_ofs, fr_ofs, sve_ofs = 0, za_ofs = 0;
+    int sve_size = 0, za_size = 0;
     struct target_rt_sigframe *frame;
     struct target_rt_frame_record *fr;
     abi_ulong frame_addr, return_addr;
@@ -XXX,XX +XXX,XX @@ static void target_setup_frame(int usig, struct target_sigaction *ka,
                                       &layout);
 
     /* SVE state needs saving only if it exists.  */
-    if (cpu_isar_feature(aa64_sve, env_archcpu(env))) {
-        vq = sve_vq(env);
-        sve_size = QEMU_ALIGN_UP(TARGET_SVE_SIG_CONTEXT_SIZE(vq), 16);
+    if (cpu_isar_feature(aa64_sve, env_archcpu(env)) ||
+        cpu_isar_feature(aa64_sme, env_archcpu(env))) {
+        sve_size = QEMU_ALIGN_UP(TARGET_SVE_SIG_CONTEXT_SIZE(sve_vq(env)), 16);
         sve_ofs = alloc_sigframe_space(sve_size, &layout);
     }
+    if (cpu_isar_feature(aa64_sme, env_archcpu(env))) {
+        /* ZA state needs saving only if it is enabled.  */
+        if (FIELD_EX64(env->svcr, SVCR, ZA)) {
+            za_size = TARGET_ZA_SIG_CONTEXT_SIZE(sme_vq(env));
+        } else {
+            za_size = TARGET_ZA_SIG_CONTEXT_SIZE(0);
+        }
+        za_ofs = alloc_sigframe_space(za_size, &layout);
+    }
 
     if (layout.extra_ofs) {
         /* Reserve space for the extra end marker.  The standard end marker
@@ -XXX,XX +XXX,XX @@ static void target_setup_frame(int usig, struct target_sigaction *ka,
         target_setup_end_record((void *)frame + layout.extra_end_ofs);
     }
     if (sve_ofs) {
-        target_setup_sve_record((void *)frame + sve_ofs, env, vq, sve_size);
+        target_setup_sve_record((void *)frame + sve_ofs, env, sve_size);
+    }
+    if (za_ofs) {
+        target_setup_za_record((void *)frame + za_ofs, env, za_size);
     }
 
     /* Set up the stack frame for unwinding.  */
@@ -XXX,XX +XXX,XX @@ static void target_setup_frame(int usig, struct target_sigaction *ka,
         env->btype = 2;
     }
 
+    /*
+     * Invoke the signal handler with both SM and ZA disabled.
+     * When clearing SM, ResetSVEState, per SMSTOP.
+     */
+    if (FIELD_EX64(env->svcr, SVCR, SM)) {
+        arm_reset_sve_state(env);
+    }
+    if (env->svcr) {
+        env->svcr = 0;
+        arm_rebuild_hflags(env);
+    }
+
     if (info) {
         tswap_siginfo(&frame->info, info);
         env->xregs[1] = frame_addr + offsetof(struct target_rt_sigframe, info);
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Add "sve" to the sve prctl functions, to distinguish
them from the coming "sme" prctls with similar names.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-42-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/aarch64/target_prctl.h |  8 ++++----
 linux-user/syscall.c              | 12 ++++++------
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/linux-user/aarch64/target_prctl.h b/linux-user/aarch64/target_prctl.h
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/aarch64/target_prctl.h
+++ b/linux-user/aarch64/target_prctl.h
@@ -XXX,XX +XXX,XX @@
 #ifndef AARCH64_TARGET_PRCTL_H
 #define AARCH64_TARGET_PRCTL_H
 
-static abi_long do_prctl_get_vl(CPUArchState *env)
+static abi_long do_prctl_sve_get_vl(CPUArchState *env)
 {
     ARMCPU *cpu = env_archcpu(env);
     if (cpu_isar_feature(aa64_sve, cpu)) {
@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl_get_vl(CPUArchState *env)
     }
     return -TARGET_EINVAL;
 }
-#define do_prctl_get_vl do_prctl_get_vl
+#define do_prctl_sve_get_vl do_prctl_sve_get_vl
 
-static abi_long do_prctl_set_vl(CPUArchState *env, abi_long arg2)
+static abi_long do_prctl_sve_set_vl(CPUArchState *env, abi_long arg2)
 {
     /*
      * We cannot support either PR_SVE_SET_VL_ONEXEC or PR_SVE_VL_INHERIT.
@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl_set_vl(CPUArchState *env, abi_long arg2)
     }
     return -TARGET_EINVAL;
 }
-#define do_prctl_set_vl do_prctl_set_vl
+#define do_prctl_sve_set_vl do_prctl_sve_set_vl
 
 static abi_long do_prctl_reset_keys(CPUArchState *env, abi_long arg2)
 {
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl_inval1(CPUArchState *env, abi_long arg2)
 #ifndef do_prctl_set_fp_mode
 #define do_prctl_set_fp_mode do_prctl_inval1
 #endif
-#ifndef do_prctl_get_vl
-#define do_prctl_get_vl do_prctl_inval0
+#ifndef do_prctl_sve_get_vl
+#define do_prctl_sve_get_vl do_prctl_inval0
 #endif
-#ifndef do_prctl_set_vl
-#define do_prctl_set_vl do_prctl_inval1
+#ifndef do_prctl_sve_set_vl
+#define do_prctl_sve_set_vl do_prctl_inval1
 #endif
 #ifndef do_prctl_reset_keys
 #define do_prctl_reset_keys do_prctl_inval1
@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl(CPUArchState *env, abi_long option, abi_long arg2,
     case PR_SET_FP_MODE:
         return do_prctl_set_fp_mode(env, arg2);
     case PR_SVE_GET_VL:
-        return do_prctl_get_vl(env);
+        return do_prctl_sve_get_vl(env);
     case PR_SVE_SET_VL:
-        return do_prctl_set_vl(env, arg2);
+        return do_prctl_sve_set_vl(env, arg2);
     case PR_PAC_RESET_KEYS:
         if (arg3 || arg4 || arg5) {
             return -TARGET_EINVAL;
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

These prctl set the Streaming SVE vector length, which may
be completely different from the Normal SVE vector length.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-43-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/aarch64/target_prctl.h | 54 +++++++++++++++++++++++++++++++
 linux-user/syscall.c              | 16 +++++++++
 2 files changed, 70 insertions(+)

diff --git a/linux-user/aarch64/target_prctl.h b/linux-user/aarch64/target_prctl.h
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/aarch64/target_prctl.h
+++ b/linux-user/aarch64/target_prctl.h
@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl_sve_get_vl(CPUArchState *env)
 {
     ARMCPU *cpu = env_archcpu(env);
     if (cpu_isar_feature(aa64_sve, cpu)) {
+        /* PSTATE.SM is always unset on syscall entry. */
         return sve_vq(env) * 16;
     }
     return -TARGET_EINVAL;
@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl_sve_set_vl(CPUArchState *env, abi_long arg2)
         && arg2 >= 0 && arg2 <= 512 * 16 && !(arg2 & 15)) {
         uint32_t vq, old_vq;
 
+        /* PSTATE.SM is always unset on syscall entry. */
         old_vq = sve_vq(env);
 
         /*
@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl_sve_set_vl(CPUArchState *env, abi_long arg2)
 }
 #define do_prctl_sve_set_vl do_prctl_sve_set_vl
 
+static abi_long do_prctl_sme_get_vl(CPUArchState *env)
+{
+    ARMCPU *cpu = env_archcpu(env);
+    if (cpu_isar_feature(aa64_sme, cpu)) {
+        return sme_vq(env) * 16;
+    }
+    return -TARGET_EINVAL;
+}
+#define do_prctl_sme_get_vl do_prctl_sme_get_vl
+
+static abi_long do_prctl_sme_set_vl(CPUArchState *env, abi_long arg2)
+{
+    /*
+     * We cannot support either PR_SME_SET_VL_ONEXEC or PR_SME_VL_INHERIT.
+     * Note the kernel definition of sve_vl_valid allows for VQ=512,
+     * i.e. VL=8192, even though the architectural maximum is VQ=16.
+     */
+    if (cpu_isar_feature(aa64_sme, env_archcpu(env))
+        && arg2 >= 0 && arg2 <= 512 * 16 && !(arg2 & 15)) {
+        int vq, old_vq;
+
+        old_vq = sme_vq(env);
+
+        /*
+         * Bound the value of vq, so that we know that it fits into
+         * the 4-bit field in SMCR_EL1.  Because PSTATE.SM is cleared
+         * on syscall entry, we are not modifying the current SVE
+         * vector length.
+         */
+        vq = MAX(arg2 / 16, 1);
+        vq = MIN(vq, 16);
+        env->vfp.smcr_el[1] =
+            FIELD_DP64(env->vfp.smcr_el[1], SMCR, LEN, vq - 1);
+
+        /* Delay rebuilding hflags until we know if ZA must change. */
+        vq = sve_vqm1_for_el_sm(env, 0, true) + 1;
+
+        if (vq != old_vq) {
+            /*
+             * PSTATE.ZA state is cleared on any change to SVL.
+             * We need not call arm_rebuild_hflags because PSTATE.SM was
+             * cleared on syscall entry, so this hasn't changed VL.
+             */
+            env->svcr = FIELD_DP64(env->svcr, SVCR, ZA, 0);
+            arm_rebuild_hflags(env);
+        }
+        return vq * 16;
+    }
+    return -TARGET_EINVAL;
+}
+#define do_prctl_sme_set_vl do_prctl_sme_set_vl
+
 static abi_long do_prctl_reset_keys(CPUArchState *env, abi_long arg2)
 {
     ARMCPU *cpu = env_archcpu(env);
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -XXX,XX +XXX,XX @@ abi_long do_arch_prctl(CPUX86State *env, int code, abi_ulong addr)
 #ifndef PR_SET_SYSCALL_USER_DISPATCH
 # define PR_SET_SYSCALL_USER_DISPATCH 59
 #endif
+#ifndef PR_SME_SET_VL
+# define PR_SME_SET_VL  63
+# define PR_SME_GET_VL  64
+# define PR_SME_VL_LEN_MASK  0xffff
+# define PR_SME_VL_INHERIT   (1 << 17)
+#endif
 
 #include "target_prctl.h"
 
@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl_inval1(CPUArchState *env, abi_long arg2)
 #ifndef do_prctl_set_unalign
 #define do_prctl_set_unalign do_prctl_inval1
 #endif
+#ifndef do_prctl_sme_get_vl
+#define do_prctl_sme_get_vl do_prctl_inval0
+#endif
+#ifndef do_prctl_sme_set_vl
+#define do_prctl_sme_set_vl do_prctl_inval1
+#endif
 
 static abi_long do_prctl(CPUArchState *env, abi_long option, abi_long arg2,
                          abi_long arg3, abi_long arg4, abi_long arg5)
@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl(CPUArchState *env, abi_long option, abi_long arg2,
         return do_prctl_sve_get_vl(env);
     case PR_SVE_SET_VL:
         return do_prctl_sve_set_vl(env, arg2);
+    case PR_SME_GET_VL:
+        return do_prctl_sme_get_vl(env);
+    case PR_SME_SET_VL:
+        return do_prctl_sme_set_vl(env, arg2);
     case PR_PAC_RESET_KEYS:
         if (arg3 || arg4 || arg5) {
             return -TARGET_EINVAL;
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

There's no reason to set CPACR_EL1.ZEN if SVE disabled.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-44-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_reset(DeviceState *dev)
         /* and to the FP/Neon instructions */
         env->cp15.cpacr_el1 = FIELD_DP64(env->cp15.cpacr_el1,
                                          CPACR_EL1, FPEN, 3);
-        /* and to the SVE instructions */
-        env->cp15.cpacr_el1 = FIELD_DP64(env->cp15.cpacr_el1,
-                                         CPACR_EL1, ZEN, 3);
-        /* with reasonable vector length */
+        /* and to the SVE instructions, with default vector length */
         if (cpu_isar_feature(aa64_sve, cpu)) {
+            env->cp15.cpacr_el1 = FIELD_DP64(env->cp15.cpacr_el1,
+                                             CPACR_EL1, ZEN, 3);
             env->vfp.zcr_el[1] = cpu->sve_default_vq - 1;
         }
         /*
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Enable SME, TPIDR2_EL0, and FA64 if supported by the cpu.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-45-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_reset(DeviceState *dev)
                                              CPACR_EL1, ZEN, 3);
             env->vfp.zcr_el[1] = cpu->sve_default_vq - 1;
         }
+        /* and for SME instructions, with default vector length, and TPIDR2 */
+        if (cpu_isar_feature(aa64_sme, cpu)) {
+            env->cp15.sctlr_el[1] |= SCTLR_EnTP2;
+            env->cp15.cpacr_el1 = FIELD_DP64(env->cp15.cpacr_el1,
+                                             CPACR_EL1, SMEN, 3);
+            env->vfp.smcr_el[1] = cpu->sme_default_vq - 1;
+            if (cpu_isar_feature(aa64_sme_fa64, cpu)) {
+                env->vfp.smcr_el[1] = FIELD_DP64(env->vfp.smcr_el[1],
+                                                 SMCR, FA64, 1);
+            }
+        }
         /*
          * Enable 48-bit address space (TODO: take reserved_va into account).
          * Enable TBI0 but not TBI1.
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-46-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/elfload.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/linux-user/elfload.c b/linux-user/elfload.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/elfload.c
+++ b/linux-user/elfload.c
@@ -XXX,XX +XXX,XX @@ enum {
     ARM_HWCAP2_A64_RNG          = 1 << 16,
     ARM_HWCAP2_A64_BTI          = 1 << 17,
     ARM_HWCAP2_A64_MTE          = 1 << 18,
+    ARM_HWCAP2_A64_ECV          = 1 << 19,
+    ARM_HWCAP2_A64_AFP          = 1 << 20,
+    ARM_HWCAP2_A64_RPRES        = 1 << 21,
+    ARM_HWCAP2_A64_MTE3         = 1 << 22,
+    ARM_HWCAP2_A64_SME          = 1 << 23,
+    ARM_HWCAP2_A64_SME_I16I64   = 1 << 24,
+    ARM_HWCAP2_A64_SME_F64F64   = 1 << 25,
+    ARM_HWCAP2_A64_SME_I8I32    = 1 << 26,
+    ARM_HWCAP2_A64_SME_F16F32   = 1 << 27,
+    ARM_HWCAP2_A64_SME_B16F32   = 1 << 28,
+    ARM_HWCAP2_A64_SME_F32F32   = 1 << 29,
+    ARM_HWCAP2_A64_SME_FA64     = 1 << 30,
 };
 
 #define ELF_HWCAP   get_elf_hwcap()
@@ -XXX,XX +XXX,XX @@ static uint32_t get_elf_hwcap2(void)
     GET_FEATURE_ID(aa64_rndr, ARM_HWCAP2_A64_RNG);
     GET_FEATURE_ID(aa64_bti, ARM_HWCAP2_A64_BTI);
     GET_FEATURE_ID(aa64_mte, ARM_HWCAP2_A64_MTE);
+    GET_FEATURE_ID(aa64_sme, (ARM_HWCAP2_A64_SME |
+                              ARM_HWCAP2_A64_SME_F32F32 |
+                              ARM_HWCAP2_A64_SME_B16F32 |
+                              ARM_HWCAP2_A64_SME_F16F32 |
+                              ARM_HWCAP2_A64_SME_I8I32));
+    GET_FEATURE_ID(aa64_sme_f64f64, ARM_HWCAP2_A64_SME_F64F64);
+    GET_FEATURE_ID(aa64_sme_i16i64, ARM_HWCAP2_A64_SME_I16I64);
+    GET_FEATURE_ID(aa64_sme_fa64, ARM_HWCAP2_A64_SME_FA64);
 
     return hwcaps;
 }
-- 
2.25.1