Series comparison

-[Qemu-devel] [PULL 00/25] target-arm queue
+[Qemu-devel] [PULL 00/21] target-arm queue
-target-arm queue. This has the "plumb txattrs through various
+target-arm queue: this time around is all small fixes
-bits of exec.c" patches, and a collection of bug fixes from
+and changes.
 various people.
 thanks
 -- PMM
+The following changes since commit fec105c2abda8567ec15230429c41429b5ee307c:
+  Merge remote-tracking branch 'remotes/kraxel/tags/audio-20190828-pull-request' into staging (2019-09-03 14:03:15 +0100)
 The following changes since commit a3ac12fba028df90f7b3dbec924995c126c41022:
   Merge remote-tracking branch 'remotes/ehabkost/tags/numa-next-pull-request' into staging (2018-05-31 11:12:36 +0100)
 are available in the Git repository at:
-  git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20180531
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20190903
-for you to fetch changes up to 49d1dca0520ea71bc21867fab6647f474fcf857b:
+for you to fetch changes up to 5e5584c89f36b302c666bc6db535fd3f7ff35ad2:
-  KVM: GIC: Fix memory leak due to calling kvm_init_irq_routing twice (2018-05-31 14:52:53 +0100)
+  target/arm: Don't abort on M-profile exception return in linux-user mode (2019-09-03 16:20:35 +0100)
 ----------------------------------------------------------------
 target-arm queue:
- * target/arm: Honour FPCR.FZ in FRECPX
+ * Revert and correctly fix refactoring of unallocated_encoding()
- * MAINTAINERS: Add entries for newer MPS2 boards and devices
+ * Take exceptions on ATS instructions when needed
- * hw/intc/arm_gicv3: Fix APxR<n> register dispatching
+ * aspeed/timer: Provide back-pressure information for short periods
- * arm_gicv3_kvm: fix bug in writing zero bits back to the in-kernel
+ * memory: Remove unused memory_region_iommu_replay_all()
-   GIC state
+ * hw/arm/smmuv3: Log a guest error when decoding an invalid STE
- * tcg: Fix helper function vs host abi for float16
+ * hw/arm/smmuv3: Remove spurious error messages on IOVA invalidations
- * arm: fix qemu crash on startup with -bios option
+ * target/arm: Fix SMMLS argument order
- * arm: fix malloc type mismatch
+ * hw/arm: Use ARM_CPU_TYPE_NAME() macro when appropriate
- * xlnx-zdma: Correct mem leaks and memset to zero on desc unaligned errors
+ * hw/arm: Correct reference counting for creation of various objects
- * Correct CPACR reset value for v7 cores
+ * includes: remove stale [smp|max]_cpus externs
- * memory.h: Improve IOMMU related documentation
+ * tcg/README: fix typo
- * exec: Plumb transaction attributes through various functions in
+ * atomic_template: fix indentation in GEN_ATOMIC_HELPER
-   preparation for allowing IOMMUs to see them
+ * include/exec/cpu-defs.h: fix typo
- * vmstate.h: Provide VMSTATE_BOOL_SUB_ARRAY
+ * target/arm: Free TCG temps in trans_VMOV_64_sp()
- * ARM: ACPI: Fix use-after-free due to memory realloc
+ * target/arm: Don't abort on M-profile exception return in linux-user mode
  * KVM: GIC: Fix memory leak due to calling kvm_init_irq_routing twice
 ----------------------------------------------------------------
-Francisco Iglesias (1):
+Alex Bennée (2):
-      xlnx-zdma: Correct mem leaks and memset to zero on desc unaligned errors
+      includes: remove stale [smp|max]_cpus externs
       include/exec/cpu-defs.h: fix typo
-Igor Mammedov (1):
+Andrew Jeffery (1):
-      arm: fix qemu crash on startup with -bios option
+      aspeed/timer: Provide back-pressure information for short periods
-Jan Kiszka (1):
+Emilio G. Cota (2):
-      hw/intc/arm_gicv3: Fix APxR<n> register dispatching
+      tcg/README: fix typo s/afterwise/afterwards/
       atomic_template: fix indentation in GEN_ATOMIC_HELPER
-Paolo Bonzini (1):
+Eric Auger (3):
-      arm: fix malloc type mismatch
+      memory: Remove unused memory_region_iommu_replay_all()
       hw/arm/smmuv3: Log a guest error when decoding an invalid STE
       hw/arm/smmuv3: Remove spurious error messages on IOVA invalidations
-Peter Maydell (17):
+Peter Maydell (4):
-      target/arm: Honour FPCR.FZ in FRECPX
+      target/arm: Allow ARMCPRegInfo read/write functions to throw exceptions
-      MAINTAINERS: Add entries for newer MPS2 boards and devices
+      target/arm: Take exceptions on ATS instructions when needed
-      Correct CPACR reset value for v7 cores
+      target/arm: Free TCG temps in trans_VMOV_64_sp()
-      memory.h: Improve IOMMU related documentation
+      target/arm: Don't abort on M-profile exception return in linux-user mode
       Make tb_invalidate_phys_addr() take a MemTxAttrs argument
       Make address_space_translate{, _cached}() take a MemTxAttrs argument
       Make address_space_map() take a MemTxAttrs argument
       Make address_space_access_valid() take a MemTxAttrs argument
       Make flatview_extend_translation() take a MemTxAttrs argument
       Make memory_region_access_valid() take a MemTxAttrs argument
       Make MemoryRegion valid.accepts callback take a MemTxAttrs argument
       Make flatview_access_valid() take a MemTxAttrs argument
       Make flatview_translate() take a MemTxAttrs argument
       Make address_space_get_iotlb_entry() take a MemTxAttrs argument
       Make flatview_do_translate() take a MemTxAttrs argument
       Make address_space_translate_iommu take a MemTxAttrs argument
       vmstate.h: Provide VMSTATE_BOOL_SUB_ARRAY
-Richard Henderson (1):
+Philippe Mathieu-Daudé (6):
-      tcg: Fix helper function vs host abi for float16
+      hw/arm: Use ARM_CPU_TYPE_NAME() macro when appropriate
       hw/arm: Use object_initialize_child for correct reference counting
       hw/arm: Use sysbus_init_child_obj for correct reference counting
       hw/arm/fsl-imx: Add the cpu as child of the SoC object
       hw/dma/xilinx_axi: Use object_initialize_child for correct ref. counting
       hw/net/xilinx_axi: Use object_initialize_child for correct ref. counting
-Shannon Zhao (3):
+Richard Henderson (3):
-      arm_gicv3_kvm: increase clroffset accordingly
+      Revert "target/arm: Use unallocated_encoding for aarch32"
-      ARM: ACPI: Fix use-after-free due to memory realloc
+      target/arm: Factor out unallocated_encoding for aarch32
-      KVM: GIC: Fix memory leak due to calling kvm_init_irq_routing twice
+      target/arm: Fix SMMLS argument order
- include/exec/exec-all.h        |   5 +-
+ accel/tcg/atomic_template.h    |   2 +-
- include/exec/helper-head.h     |   2 +-
+ hw/arm/smmuv3-internal.h       |   1 +
- include/exec/memory-internal.h |   3 +-
+ include/exec/cpu-defs.h        |   2 +-
- include/exec/memory.h          | 128 +++++++++++++++++++++++++++++++++++------
+ include/exec/memory.h          |  10 ----
- include/migration/vmstate.h    |   3 +
+ include/sysemu/sysemu.h        |   2 -
- include/sysemu/dma.h           |   6 +-
+ target/arm/cpu.h               |   6 ++-
- accel/tcg/translate-all.c      |   4 +-
+ target/arm/translate-a64.h     |   2 +
- exec.c                         |  95 ++++++++++++++++++------------
+ target/arm/translate.h         |   2 -
- hw/arm/boot.c                  |  18 +++---
+ hw/arm/allwinner-a10.c         |   3 +-
- hw/arm/virt-acpi-build.c       |  20 +++++--
+ hw/arm/cubieboard.c            |   3 +-
- hw/dma/xlnx-zdma.c             |  10 +++-
+ hw/arm/digic.c                 |   3 +-
- hw/hppa/dino.c                 |   3 +-
+ hw/arm/exynos4_boards.c        |   4 +-
- hw/intc/arm_gic_kvm.c          |   1 -
+ hw/arm/fsl-imx25.c             |   4 +-
- hw/intc/arm_gicv3_cpuif.c      |  12 ++--
+ hw/arm/fsl-imx31.c             |   4 +-
- hw/intc/arm_gicv3_kvm.c        |   2 +-
+ hw/arm/fsl-imx6.c              |   3 +-
- hw/nvram/fw_cfg.c              |  12 ++--
+ hw/arm/fsl-imx6ul.c            |   2 +-
- hw/s390x/s390-pci-inst.c       |   3 +-
+ hw/arm/mcimx7d-sabre.c         |   9 ++--
- hw/scsi/esp.c                  |   3 +-
+ hw/arm/mps2-tz.c               |  15 +++---
- hw/vfio/common.c               |   3 +-
+ hw/arm/musca.c                 |   9 ++--
- hw/virtio/vhost.c              |   3 +-
+ hw/arm/smmuv3.c                |  18 ++++---
- hw/xen/xen_pt_msi.c            |   3 +-
+ hw/arm/xlnx-zynqmp.c           |   8 +--
- memory.c                       |  12 ++--
+ hw/dma/xilinx_axidma.c         |  16 +++---
- memory_ldst.inc.c              |  18 +++---
+ hw/net/xilinx_axienet.c        |  17 +++----
- target/arm/gdbstub.c           |   3 +-
+ hw/timer/aspeed_timer.c        |  17 ++++++-
- target/arm/helper-a64.c        |  41 +++++++------
+ memory.c                       |   9 ----
- target/arm/helper.c            |  90 ++++++++++++++++-------------
+ target/arm/helper.c            | 107 +++++++++++++++++++++++++++++++++++------
- target/ppc/mmu-hash64.c        |   3 +-
+ target/arm/translate-a64.c     |  13 +++++
- target/riscv/helper.c          |   2 +-
+ target/arm/translate-vfp.inc.c |   2 +
- target/s390x/diag.c            |   6 +-
+ target/arm/translate.c         |  50 +++++++++++++++++--
- target/s390x/excp_helper.c     |   3 +-
+ tcg/README                     |   2 +-
- target/s390x/mmu_helper.c      |   3 +-
+files changed, 244 insertions(+), 101 deletions(-)
  target/s390x/sigp.c            |   3 +-
  target/xtensa/op_helper.c      |   3 +-
  MAINTAINERS                    |   9 ++-
 files changed, 353 insertions(+), 182 deletions(-)

-[Qemu-devel] [PULL 05/25] tcg: Fix helper function vs host abi for float16
+[Qemu-devel] [PULL 01/21] Revert "target/arm: Use unallocated_encoding for aarch32"
 From: Richard Henderson <richard.henderson@linaro.org>
-Depending on the host abi, float16, aka uint16_t, values are
+This reverts commit 3cb36637157088892e9e33ddb1034bffd1251d3b.
 passed and returned either zero-extended in the host register
 or with garbage at the top of the host register.
-The tcg code generator has so far been assuming garbage, as that
+Despite the fact that the text for the call to gen_exception_insn
-matches the x86 abi, but this is incorrect for other host abis.
+is identical for aarch64 and aarch32, the implementation inside
-Further, target/arm has so far been assuming zero-extended results,
+gen_exception_insn is totally different.
 so that it may store the 16-bit value into a 32-bit slot with the
 high 16-bits already clear.
-Rectify both problems by mapping "f16" in the helper definition
+This fixes exceptions raised from aarch64.
 to uint32_t instead of (a typedef for) uint16_t.  This forces
 the host compiler to assume garbage in the upper 16 bits on input
 and to zero-extend the result on output.
-Cc: qemu-stable@nongnu.org
+Reported-by: Laurent Desnogues <laurent.desnogues@gmail.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Laurent Desnogues <laurent.desnogues@gmail.com>
-Tested-by: Laurent Desnogues <laurent.desnogues@gmail.com>
+Message-id: 20190826151536.6771-2-richard.henderson@linaro.org
 Message-id: 20180522175629.24932-1-richard.henderson@linaro.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- include/exec/helper-head.h |  2 +-
+ target/arm/translate-a64.h     |  2 ++
- target/arm/helper-a64.c    | 35 +++++++++--------
+ target/arm/translate.h         |  2 --
- target/arm/helper.c        | 80 +++++++++++++++++++-------------------
+ target/arm/translate-a64.c     |  7 +++++++
-files changed, 59 insertions(+), 58 deletions(-)
+ target/arm/translate-vfp.inc.c |  3 ++-
  target/arm/translate.c         | 22 ++++++++++------------
 files changed, 21 insertions(+), 15 deletions(-)
-diff --git a/include/exec/helper-head.h b/include/exec/helper-head.h
+diff --git a/target/arm/translate-a64.h b/target/arm/translate-a64.h
 index XXXXXXX..XXXXXXX 100644
---- a/include/exec/helper-head.h
+--- a/target/arm/translate-a64.h
-+++ b/include/exec/helper-head.h
++++ b/target/arm/translate-a64.h
 @@ -XXX,XX +XXX,XX @@
- #define dh_ctype_int int
+ #ifndef TARGET_ARM_TRANSLATE_A64_H
- #define dh_ctype_i64 uint64_t
+ #define TARGET_ARM_TRANSLATE_A64_H
- #define dh_ctype_s64 int64_t
--#define dh_ctype_f16 float16
++void unallocated_encoding(DisasContext *s);
-+#define dh_ctype_f16 uint32_t
++
- #define dh_ctype_f32 float32
+ #define unsupported_encoding(s, insn)                                    \
- #define dh_ctype_f64 float64
+     do {                                                                 \
- #define dh_ctype_ptr void *
+         qemu_log_mask(LOG_UNIMP,                                         \
-diff --git a/target/arm/helper-a64.c b/target/arm/helper-a64.c
+diff --git a/target/arm/translate.h b/target/arm/translate.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper-a64.c
+--- a/target/arm/translate.h
-+++ b/target/arm/helper-a64.c
++++ b/target/arm/translate.h
-@@ -XXX,XX +XXX,XX @@ static inline uint32_t float_rel_to_flags(int res)
+@@ -XXX,XX +XXX,XX @@ typedef struct DisasCompare {
-     return flags;
+     bool value_global;
- }
+ } DisasCompare;
--uint64_t HELPER(vfp_cmph_a64)(float16 x, float16 y, void *fp_status)
+-void unallocated_encoding(DisasContext *s);
-+uint64_t HELPER(vfp_cmph_a64)(uint32_t x, uint32_t y, void *fp_status)
+-
- {
+ /* Share the TCG temporaries common between 32 and 64 bit modes.  */
-     return float_rel_to_flags(float16_compare_quiet(x, y, fp_status));
+ extern TCGv_i32 cpu_NF, cpu_ZF, cpu_CF, cpu_VF;
- }
+ extern TCGv_i64 cpu_exclusive_addr;
+diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 -uint64_t HELPER(vfp_cmpeh_a64)(float16 x, float16 y, void *fp_status)
 +uint64_t HELPER(vfp_cmpeh_a64)(uint32_t x, uint32_t y, void *fp_status)
  {
      return float_rel_to_flags(float16_compare(x, y, fp_status));
  }
@@ -XXX,XX +XXX,XX @@ uint64_t HELPER(neon_cgt_f64)(float64 a, float64 b, void *fpstp)
  #define float64_three make_float64(0x4008000000000000ULL)
  #define float64_one_point_five make_float64(0x3FF8000000000000ULL)
 -float16 HELPER(recpsf_f16)(float16 a, float16 b, void *fpstp)
 +uint32_t HELPER(recpsf_f16)(uint32_t a, uint32_t b, void *fpstp)
  {
      float_status *fpst = fpstp;
@@ -XXX,XX +XXX,XX @@ float64 HELPER(recpsf_f64)(float64 a, float64 b, void *fpstp)
      return float64_muladd(a, b, float64_two, 0, fpst);
  }
 -float16 HELPER(rsqrtsf_f16)(float16 a, float16 b, void *fpstp)
 +uint32_t HELPER(rsqrtsf_f16)(uint32_t a, uint32_t b, void *fpstp)
  {
      float_status *fpst = fpstp;
@@ -XXX,XX +XXX,XX @@ uint64_t HELPER(neon_addlp_u16)(uint64_t a)
  }
  /* Floating-point reciprocal exponent - see FPRecpX in ARM ARM */
 -float16 HELPER(frecpx_f16)(float16 a, void *fpstp)
 +uint32_t HELPER(frecpx_f16)(uint32_t a, void *fpstp)
  {
      float_status *fpst = fpstp;
      uint16_t val16, sbit;
@@ -XXX,XX +XXX,XX @@ void HELPER(casp_be_parallel)(CPUARMState *env, uint32_t rs, uint64_t addr,
  #define ADVSIMD_HELPER(name, suffix) HELPER(glue(glue(advsimd_, name), suffix))
  #define ADVSIMD_HALFOP(name) \
 -float16 ADVSIMD_HELPER(name, h)(float16 a, float16 b, void *fpstp) \
 +uint32_t ADVSIMD_HELPER(name, h)(uint32_t a, uint32_t b, void *fpstp) \
  { \
      float_status *fpst = fpstp; \
      return float16_ ## name(a, b, fpst);    \
@@ -XXX,XX +XXX,XX @@ ADVSIMD_HALFOP(mulx)
  ADVSIMD_TWOHALFOP(mulx)
  /* fused multiply-accumulate */
 -float16 HELPER(advsimd_muladdh)(float16 a, float16 b, float16 c, void *fpstp)
 +uint32_t HELPER(advsimd_muladdh)(uint32_t a, uint32_t b, uint32_t c,
 +                                 void *fpstp)
  {
      float_status *fpst = fpstp;
      return float16_muladd(a, b, c, 0, fpst);
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(advsimd_muladd2h)(uint32_t two_a, uint32_t two_b,
  #define ADVSIMD_CMPRES(test) (test) ? 0xffff : 0
 -uint32_t HELPER(advsimd_ceq_f16)(float16 a, float16 b, void *fpstp)
 +uint32_t HELPER(advsimd_ceq_f16)(uint32_t a, uint32_t b, void *fpstp)
  {
      float_status *fpst = fpstp;
      int compare = float16_compare_quiet(a, b, fpst);
      return ADVSIMD_CMPRES(compare == float_relation_equal);
  }
 -uint32_t HELPER(advsimd_cge_f16)(float16 a, float16 b, void *fpstp)
 +uint32_t HELPER(advsimd_cge_f16)(uint32_t a, uint32_t b, void *fpstp)
  {
      float_status *fpst = fpstp;
      int compare = float16_compare(a, b, fpst);
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(advsimd_cge_f16)(float16 a, float16 b, void *fpstp)
                            compare == float_relation_equal);
  }
 -uint32_t HELPER(advsimd_cgt_f16)(float16 a, float16 b, void *fpstp)
 +uint32_t HELPER(advsimd_cgt_f16)(uint32_t a, uint32_t b, void *fpstp)
  {
      float_status *fpst = fpstp;
      int compare = float16_compare(a, b, fpst);
      return ADVSIMD_CMPRES(compare == float_relation_greater);
  }
 -uint32_t HELPER(advsimd_acge_f16)(float16 a, float16 b, void *fpstp)
 +uint32_t HELPER(advsimd_acge_f16)(uint32_t a, uint32_t b, void *fpstp)
  {
      float_status *fpst = fpstp;
      float16 f0 = float16_abs(a);
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(advsimd_acge_f16)(float16 a, float16 b, void *fpstp)
                            compare == float_relation_equal);
  }
 -uint32_t HELPER(advsimd_acgt_f16)(float16 a, float16 b, void *fpstp)
 +uint32_t HELPER(advsimd_acgt_f16)(uint32_t a, uint32_t b, void *fpstp)
  {
      float_status *fpst = fpstp;
      float16 f0 = float16_abs(a);
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(advsimd_acgt_f16)(float16 a, float16 b, void *fpstp)
  }
  /* round to integral */
 -float16 HELPER(advsimd_rinth_exact)(float16 x, void *fp_status)
 +uint32_t HELPER(advsimd_rinth_exact)(uint32_t x, void *fp_status)
  {
      return float16_round_to_int(x, fp_status);
  }
 -float16 HELPER(advsimd_rinth)(float16 x, void *fp_status)
 +uint32_t HELPER(advsimd_rinth)(uint32_t x, void *fp_status)
  {
      int old_flags = get_float_exception_flags(fp_status), new_flags;
      float16 ret;
@@ -XXX,XX +XXX,XX @@ float16 HELPER(advsimd_rinth)(float16 x, void *fp_status)
   * setting the mode appropriately before calling the helper.
   */
 -uint32_t HELPER(advsimd_f16tosinth)(float16 a, void *fpstp)
 +uint32_t HELPER(advsimd_f16tosinth)(uint32_t a, void *fpstp)
  {
      float_status *fpst = fpstp;
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(advsimd_f16tosinth)(float16 a, void *fpstp)
      return float16_to_int16(a, fpst);
  }
 -uint32_t HELPER(advsimd_f16touinth)(float16 a, void *fpstp)
 +uint32_t HELPER(advsimd_f16touinth)(uint32_t a, void *fpstp)
  {
      float_status *fpst = fpstp;
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(advsimd_f16touinth)(float16 a, void *fpstp)
   * Square Root and Reciprocal square root
   */
 -float16 HELPER(sqrt_f16)(float16 a, void *fpstp)
 +uint32_t HELPER(sqrt_f16)(uint32_t a, void *fpstp)
  {
      float_status *s = fpstp;
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
+--- a/target/arm/translate-a64.c
-+++ b/target/arm/helper.c
++++ b/target/arm/translate-a64.c
-@@ -XXX,XX +XXX,XX @@ DO_VFP_cmp(d, float64)
+@@ -XXX,XX +XXX,XX @@ static inline void gen_goto_tb(DisasContext *s, int n, uint64_t dest)
  /* Integer to float and float to integer conversions */
 -#define CONV_ITOF(name, fsz, sign) \
 -    float##fsz HELPER(name)(uint32_t x, void *fpstp) \
 -{ \
 -    float_status *fpst = fpstp; \
 -    return sign##int32_to_##float##fsz((sign##int32_t)x, fpst); \
 +#define CONV_ITOF(name, ftype, fsz, sign)                           \
 +ftype HELPER(name)(uint32_t x, void *fpstp)                         \
 +{                                                                   \
 +    float_status *fpst = fpstp;                                     \
 +    return sign##int32_to_##float##fsz((sign##int32_t)x, fpst);     \
  }
 -#define CONV_FTOI(name, fsz, sign, round) \
 -uint32_t HELPER(name)(float##fsz x, void *fpstp) \
 -{ \
 -    float_status *fpst = fpstp; \
 -    if (float##fsz##_is_any_nan(x)) { \
 -        float_raise(float_flag_invalid, fpst); \
 -        return 0; \
 -    } \
 -    return float##fsz##_to_##sign##int32##round(x, fpst); \
 +#define CONV_FTOI(name, ftype, fsz, sign, round)                \
 +uint32_t HELPER(name)(ftype x, void *fpstp)                     \
 +{                                                               \
 +    float_status *fpst = fpstp;                                 \
 +    if (float##fsz##_is_any_nan(x)) {                           \
 +        float_raise(float_flag_invalid, fpst);                  \
 +        return 0;                                               \
 +    }                                                           \
 +    return float##fsz##_to_##sign##int32##round(x, fpst);       \
  }
 -#define FLOAT_CONVS(name, p, fsz, sign) \
 -CONV_ITOF(vfp_##name##to##p, fsz, sign) \
 -CONV_FTOI(vfp_to##name##p, fsz, sign, ) \
 -CONV_FTOI(vfp_to##name##z##p, fsz, sign, _round_to_zero)
 +#define FLOAT_CONVS(name, p, ftype, fsz, sign)            \
 +    CONV_ITOF(vfp_##name##to##p, ftype, fsz, sign)        \
 +    CONV_FTOI(vfp_to##name##p, ftype, fsz, sign, )        \
 +    CONV_FTOI(vfp_to##name##z##p, ftype, fsz, sign, _round_to_zero)
 -FLOAT_CONVS(si, h, 16, )
 -FLOAT_CONVS(si, s, 32, )
 -FLOAT_CONVS(si, d, 64, )
 -FLOAT_CONVS(ui, h, 16, u)
 -FLOAT_CONVS(ui, s, 32, u)
 -FLOAT_CONVS(ui, d, 64, u)
 +FLOAT_CONVS(si, h, uint32_t, 16, )
 +FLOAT_CONVS(si, s, float32, 32, )
 +FLOAT_CONVS(si, d, float64, 64, )
 +FLOAT_CONVS(ui, h, uint32_t, 16, u)
 +FLOAT_CONVS(ui, s, float32, 32, u)
 +FLOAT_CONVS(ui, d, float64, 64, u)
  #undef CONV_ITOF
  #undef CONV_FTOI
@@ -XXX,XX +XXX,XX @@ static float16 do_postscale_fp16(float64 f, int shift, float_status *fpst)
      return float64_to_float16(float64_scalbn(f, -shift, fpst), true, fpst);
  }
 -float16 HELPER(vfp_sltoh)(uint32_t x, uint32_t shift, void *fpst)
 +uint32_t HELPER(vfp_sltoh)(uint32_t x, uint32_t shift, void *fpst)
  {
      return do_postscale_fp16(int32_to_float64(x, fpst), shift, fpst);
  }
 -float16 HELPER(vfp_ultoh)(uint32_t x, uint32_t shift, void *fpst)
 +uint32_t HELPER(vfp_ultoh)(uint32_t x, uint32_t shift, void *fpst)
  {
      return do_postscale_fp16(uint32_to_float64(x, fpst), shift, fpst);
  }
 -float16 HELPER(vfp_sqtoh)(uint64_t x, uint32_t shift, void *fpst)
 +uint32_t HELPER(vfp_sqtoh)(uint64_t x, uint32_t shift, void *fpst)
  {
      return do_postscale_fp16(int64_to_float64(x, fpst), shift, fpst);
  }
 -float16 HELPER(vfp_uqtoh)(uint64_t x, uint32_t shift, void *fpst)
 +uint32_t HELPER(vfp_uqtoh)(uint64_t x, uint32_t shift, void *fpst)
  {
      return do_postscale_fp16(uint64_to_float64(x, fpst), shift, fpst);
  }
@@ -XXX,XX +XXX,XX @@ static float64 do_prescale_fp16(float16 f, int shift, float_status *fpst)
      }
  }
--uint32_t HELPER(vfp_toshh)(float16 x, uint32_t shift, void *fpst)
++void unallocated_encoding(DisasContext *s)
-+uint32_t HELPER(vfp_toshh)(uint32_t x, uint32_t shift, void *fpst)
++{
 +    /* Unallocated and reserved encodings are uncategorized */
 +    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
 +                       default_exception_el(s));
 +}
 +
  static void init_tmp_a64_array(DisasContext *s)
  {
-     return float64_to_int16(do_prescale_fp16(x, shift, fpst), fpst);
+ #ifdef CONFIG_DEBUG_TCG
 diff --git a/target/arm/translate-vfp.inc.c b/target/arm/translate-vfp.inc.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-vfp.inc.c
 +++ b/target/arm/translate-vfp.inc.c
@@ -XXX,XX +XXX,XX @@ static bool full_vfp_access_check(DisasContext *s, bool ignore_vfp_enabled)
      if (!s->vfp_enabled && !ignore_vfp_enabled) {
          assert(!arm_dc_feature(s, ARM_FEATURE_M));
 -        unallocated_encoding(s);
 +        gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
 +                           default_exception_el(s));
          return false;
      }
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.c
 +++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_exception_bkpt_insn(DisasContext *s, uint32_t syn)
      s->base.is_jmp = DISAS_NORETURN;
  }
--uint32_t HELPER(vfp_touhh)(float16 x, uint32_t shift, void *fpst)
+-void unallocated_encoding(DisasContext *s)
-+uint32_t HELPER(vfp_touhh)(uint32_t x, uint32_t shift, void *fpst)
+-{
 -    /* Unallocated and reserved encodings are uncategorized */
 -    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
 -                       default_exception_el(s));
 -}
 -
  /* Force a TB lookup after an instruction that changes the CPU state.  */
  static inline void gen_lookup_tb(DisasContext *s)
  {
-     return float64_to_uint16(do_prescale_fp16(x, shift, fpst), fpst);
+@@ -XXX,XX +XXX,XX @@ static inline void gen_hlt(DisasContext *s, int imm)
          return;
      }
 -    unallocated_encoding(s);
 +    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
 +                       default_exception_el(s));
  }
--uint32_t HELPER(vfp_toslh)(float16 x, uint32_t shift, void *fpst)
+ static inline void gen_add_data_offset(DisasContext *s, unsigned int insn,
-+uint32_t HELPER(vfp_toslh)(uint32_t x, uint32_t shift, void *fpst)
+@@ -XXX,XX +XXX,XX @@ static void gen_srs(DisasContext *s,
- {
+     }
-     return float64_to_int32(do_prescale_fp16(x, shift, fpst), fpst);
      if (undef) {
 -        unallocated_encoding(s);
 +        gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
 +                           default_exception_el(s));
          return;
      }
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
              break;
          default:
          illegal_op:
 -            unallocated_encoding(s);
 +            gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
 +                               default_exception_el(s));
              break;
          }
      }
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
      }
      return;
  illegal_op:
 -    unallocated_encoding(s);
 +    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
 +                       default_exception_el(s));
  }
--uint32_t HELPER(vfp_toulh)(float16 x, uint32_t shift, void *fpst)
+ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
-+uint32_t HELPER(vfp_toulh)(uint32_t x, uint32_t shift, void *fpst)
+@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
- {
+     return;
-     return float64_to_uint32(do_prescale_fp16(x, shift, fpst), fpst);
+ illegal_op:
  undef:
 -    unallocated_encoding(s);
 +    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
 +                       default_exception_el(s));
  }
--uint64_t HELPER(vfp_tosqh)(float16 x, uint32_t shift, void *fpst)
+ static bool insn_crosses_page(CPUARMState *env, DisasContext *s)
 +uint64_t HELPER(vfp_tosqh)(uint32_t x, uint32_t shift, void *fpst)
  {
      return float64_to_int64(do_prescale_fp16(x, shift, fpst), fpst);
  }
 -uint64_t HELPER(vfp_touqh)(float16 x, uint32_t shift, void *fpst)
 +uint64_t HELPER(vfp_touqh)(uint32_t x, uint32_t shift, void *fpst)
  {
      return float64_to_uint64(do_prescale_fp16(x, shift, fpst), fpst);
  }
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(set_neon_rmode)(uint32_t rmode, CPUARMState *env)
  }
  /* Half precision conversions.  */
 -float32 HELPER(vfp_fcvt_f16_to_f32)(float16 a, void *fpstp, uint32_t ahp_mode)
 +float32 HELPER(vfp_fcvt_f16_to_f32)(uint32_t a, void *fpstp, uint32_t ahp_mode)
  {
      /* Squash FZ16 to 0 for the duration of conversion.  In this case,
       * it would affect flushing input denormals.
@@ -XXX,XX +XXX,XX @@ float32 HELPER(vfp_fcvt_f16_to_f32)(float16 a, void *fpstp, uint32_t ahp_mode)
      return r;
  }
 -float16 HELPER(vfp_fcvt_f32_to_f16)(float32 a, void *fpstp, uint32_t ahp_mode)
 +uint32_t HELPER(vfp_fcvt_f32_to_f16)(float32 a, void *fpstp, uint32_t ahp_mode)
  {
      /* Squash FZ16 to 0 for the duration of conversion.  In this case,
       * it would affect flushing output denormals.
@@ -XXX,XX +XXX,XX @@ float16 HELPER(vfp_fcvt_f32_to_f16)(float32 a, void *fpstp, uint32_t ahp_mode)
      return r;
  }
 -float64 HELPER(vfp_fcvt_f16_to_f64)(float16 a, void *fpstp, uint32_t ahp_mode)
 +float64 HELPER(vfp_fcvt_f16_to_f64)(uint32_t a, void *fpstp, uint32_t ahp_mode)
  {
      /* Squash FZ16 to 0 for the duration of conversion.  In this case,
       * it would affect flushing input denormals.
@@ -XXX,XX +XXX,XX @@ float64 HELPER(vfp_fcvt_f16_to_f64)(float16 a, void *fpstp, uint32_t ahp_mode)
      return r;
  }
 -float16 HELPER(vfp_fcvt_f64_to_f16)(float64 a, void *fpstp, uint32_t ahp_mode)
 +uint32_t HELPER(vfp_fcvt_f64_to_f16)(float64 a, void *fpstp, uint32_t ahp_mode)
  {
      /* Squash FZ16 to 0 for the duration of conversion.  In this case,
       * it would affect flushing output denormals.
@@ -XXX,XX +XXX,XX @@ static bool round_to_inf(float_status *fpst, bool sign_bit)
      g_assert_not_reached();
  }
 -float16 HELPER(recpe_f16)(float16 input, void *fpstp)
 +uint32_t HELPER(recpe_f16)(uint32_t input, void *fpstp)
  {
      float_status *fpst = fpstp;
      float16 f16 = float16_squash_input_denormal(input, fpst);
@@ -XXX,XX +XXX,XX @@ static uint64_t recip_sqrt_estimate(int *exp , int exp_off, uint64_t frac)
      return extract64(estimate, 0, 8) << 44;
  }
 -float16 HELPER(rsqrte_f16)(float16 input, void *fpstp)
 +uint32_t HELPER(rsqrte_f16)(uint32_t input, void *fpstp)
  {
      float_status *s = fpstp;
      float16 f16 = float16_squash_input_denormal(input, s);
 --
-.17.1
+.20.1

-[Qemu-devel] [PULL 24/25] ARM: ACPI: Fix use-after-free due to memory realloc
+[Qemu-devel] [PULL 02/21] target/arm: Factor out unallocated_encoding for aarch32
-From: Shannon Zhao <zhaoshenglong@huawei.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-acpi_data_push uses g_array_set_size to resize the memory size. If there
+Make this a static function private to translate.c.
-is no enough contiguous memory, the address will be changed. So previous
+Thus we can use the same idiom between aarch64 and aarch32
-pointer could not be used any more. It must update the pointer and use
+without actually sharing function implementations.
 the new one.
-Also, previous codes wrongly use le32 conversion of iort->node_offset
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-for subsequent computations that will result incorrect value if host is
+Reviewed-by: Laurent Desnogues <laurent.desnogues@gmail.com>
-not litlle endian. So use the non-converted one instead.
+Message-id: 20190826151536.6771-3-richard.henderson@linaro.org
 Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com>
 Reviewed-by: Eric Auger <eric.auger@redhat.com>
 Message-id: 1527663951-14552-1-git-send-email-zhaoshenglong@huawei.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/virt-acpi-build.c | 20 +++++++++++++++-----
+ target/arm/translate-vfp.inc.c |  3 +--
-file changed, 15 insertions(+), 5 deletions(-)
+ target/arm/translate.c         | 22 ++++++++++++----------
 files changed, 13 insertions(+), 12 deletions(-)
-diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c
+diff --git a/target/arm/translate-vfp.inc.c b/target/arm/translate-vfp.inc.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/virt-acpi-build.c
+--- a/target/arm/translate-vfp.inc.c
-+++ b/hw/arm/virt-acpi-build.c
++++ b/target/arm/translate-vfp.inc.c
-@@ -XXX,XX +XXX,XX @@ build_iort(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
+@@ -XXX,XX +XXX,XX @@ static bool full_vfp_access_check(DisasContext *s, bool ignore_vfp_enabled)
-     AcpiIortItsGroup *its;
-     AcpiIortTable *iort;
+     if (!s->vfp_enabled && !ignore_vfp_enabled) {
-     AcpiIortSmmu3 *smmu;
+         assert(!arm_dc_feature(s, ARM_FEATURE_M));
--    size_t node_size, iort_length, smmu_offset = 0;
+-        gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
-+    size_t node_size, iort_node_offset, iort_length, smmu_offset = 0;
+-                           default_exception_el(s));
-     AcpiIortRC *rc;
++        unallocated_encoding(s);
+         return false;
      iort = acpi_data_push(table_data, sizeof(*iort));
@@ -XXX,XX +XXX,XX @@ build_iort(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
      iort_length = sizeof(*iort);
      iort->node_count = cpu_to_le32(nb_nodes);
 -    iort->node_offset = cpu_to_le32(sizeof(*iort));
 +    /*
 +     * Use a copy in case table_data->data moves during acpi_data_push
 +     * operations.
 +     */
 +    iort_node_offset = sizeof(*iort);
 +    iort->node_offset = cpu_to_le32(iort_node_offset);
      /* ITS group node */
      node_size =  sizeof(*its) + sizeof(uint32_t);
@@ -XXX,XX +XXX,XX @@ build_iort(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
          int irq =  vms->irqmap[VIRT_SMMU];
          /* SMMUv3 node */
 -        smmu_offset = iort->node_offset + node_size;
 +        smmu_offset = iort_node_offset + node_size;
          node_size = sizeof(*smmu) + sizeof(*idmap);
          iort_length += node_size;
          smmu = acpi_data_push(table_data, node_size);
@@ -XXX,XX +XXX,XX @@ build_iort(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
          idmap->id_count = cpu_to_le32(0xFFFF);
          idmap->output_base = 0;
          /* output IORT node is the ITS group node (the first node) */
 -        idmap->output_reference = cpu_to_le32(iort->node_offset);
 +        idmap->output_reference = cpu_to_le32(iort_node_offset);
      }
-     /* Root Complex Node */
+diff --git a/target/arm/translate.c b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ build_iort(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
+index XXXXXXX..XXXXXXX 100644
-         idmap->output_reference = cpu_to_le32(smmu_offset);
+--- a/target/arm/translate.c
-     } else {
++++ b/target/arm/translate.c
-         /* output IORT node is the ITS group node (the first node) */
+@@ -XXX,XX +XXX,XX @@ static void gen_exception_bkpt_insn(DisasContext *s, uint32_t syn)
--        idmap->output_reference = cpu_to_le32(iort->node_offset);
+     s->base.is_jmp = DISAS_NORETURN;
-+        idmap->output_reference = cpu_to_le32(iort_node_offset);
+ }
 +static void unallocated_encoding(DisasContext *s)
 +{
 +    /* Unallocated and reserved encodings are uncategorized */
 +    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
 +                       default_exception_el(s));
 +}
 +
  /* Force a TB lookup after an instruction that changes the CPU state.  */
  static inline void gen_lookup_tb(DisasContext *s)
  {
@@ -XXX,XX +XXX,XX @@ static inline void gen_hlt(DisasContext *s, int imm)
          return;
      }
-+    /*
+-    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
-+     * Update the pointer address in case table_data->data moves during above
+-                       default_exception_el(s));
-+     * acpi_data_push operations.
++    unallocated_encoding(s);
-+     */
+ }
-+    iort = (AcpiIortTable *)(table_data->data + iort_start);
-     iort->length = cpu_to_le32(iort_length);
+ static inline void gen_add_data_offset(DisasContext *s, unsigned int insn,
+@@ -XXX,XX +XXX,XX @@ static void gen_srs(DisasContext *s,
-     build_header(linker, table_data, (void *)(table_data->data + iort_start),
+     }
      if (undef) {
 -        gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
 -                           default_exception_el(s));
 +        unallocated_encoding(s);
          return;
      }
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
              break;
          default:
          illegal_op:
 -            gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
 -                               default_exception_el(s));
 +            unallocated_encoding(s);
              break;
          }
      }
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
      }
      return;
  illegal_op:
 -    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
 -                       default_exception_el(s));
 +    unallocated_encoding(s);
  }
  static void disas_thumb_insn(DisasContext *s, uint32_t insn)
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
      return;
  illegal_op:
  undef:
 -    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
 -                       default_exception_el(s));
 +    unallocated_encoding(s);
  }
  static bool insn_crosses_page(CPUARMState *env, DisasContext *s)
 --
-.17.1
+.20.1

-[Qemu-devel] [PULL 01/25] target/arm: Honour FPCR.FZ in FRECPX
+[Qemu-devel] [PULL 03/21] target/arm: Allow ARMCPRegInfo read/write functions to throw exceptions
-The FRECPX instructions should (like most other floating point operations)
+Currently the only part of an ARMCPRegInfo which is allowed to cause
-honour the FPCR.FZ bit which specifies whether input denormals should
+a CPU exception is the access function, which returns a value indicating
-be flushed to zero (or FZ16 for the half-precision version).
+that some flavour of UNDEF should be generated.
-We forgot to implement this, which doesn't affect the results (since
-the calculation doesn't actually care about the mantissa bits) but did
+For the ATS system instructions, we would like to conditionally
-mean we were failing to set the FPSR.IDC bit.
+generate exceptions as part of the writefn, because some faults
 during the page table walk (like external aborts) should cause
 an exception to be raised rather than returning a value.
 There are several ways we could do this:
  * plumb the GETPC() value from the top level set_cp_reg/get_cp_reg
    helper functions through into the readfn and writefn hooks
  * add extra readfn_with_ra/writefn_with_ra hooks that take the GETPC()
    value
  * require the ATS instructions to provide a dummy accessfn,
    which serves no purpose except to cause the code generation
    to emit TCG ops to sync the CPU state
  * add an ARM_CP_ flag to mark the ARMCPRegInfo as possibly
    throwing an exception in its read/write hooks, and make the
    codegen sync the CPU state before calling the hooks if the
    flag is set
 This patch opts for the last of these, as it is fairly simple
 to implement and doesn't require invasive changes like updating
 the readfn/writefn hook function prototype signature.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180521172712.19930-1-peter.maydell@linaro.org
+Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
 Message-id: 20190816125802.25877-2-peter.maydell@linaro.org
 ---
- target/arm/helper-a64.c | 6 ++++++
+ target/arm/cpu.h           | 6 +++++-
-file changed, 6 insertions(+)
+ target/arm/translate-a64.c | 6 ++++++
  target/arm/translate.c     | 7 +++++++
 files changed, 18 insertions(+), 1 deletion(-)
-diff --git a/target/arm/helper-a64.c b/target/arm/helper-a64.c
+diff --git a/target/arm/cpu.h b/target/arm/cpu.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper-a64.c
+--- a/target/arm/cpu.h
-+++ b/target/arm/helper-a64.c
++++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ float16 HELPER(frecpx_f16)(float16 a, void *fpstp)
+@@ -XXX,XX +XXX,XX @@ static inline uint64_t cpreg_to_kvm_id(uint32_t cpregid)
-         return nan;
+  * IO indicates that this register does I/O and therefore its accesses
   * need to be surrounded by gen_io_start()/gen_io_end(). In particular,
   * registers which implement clocks or timers require this.
 + * RAISES_EXC is for when the read or write hook might raise an exception;
 + * the generated code will synchronize the CPU state before calling the hook
 + * so that it is safe for the hook to call raise_exception().
   */
  #define ARM_CP_SPECIAL           0x0001
  #define ARM_CP_CONST             0x0002
@@ -XXX,XX +XXX,XX @@ static inline uint64_t cpreg_to_kvm_id(uint32_t cpregid)
  #define ARM_CP_FPU               0x1000
  #define ARM_CP_SVE               0x2000
  #define ARM_CP_NO_GDB            0x4000
 +#define ARM_CP_RAISES_EXC        0x8000
  /* Used only as a terminator for ARMCPRegInfo lists */
  #define ARM_CP_SENTINEL          0xffff
  /* Mask of only the flag bits in a type field */
 -#define ARM_CP_FLAG_MASK         0x70ff
 +#define ARM_CP_FLAG_MASK         0xf0ff
  /* Valid values for ARMCPRegInfo state field, indicating which of
   * the AArch32 and AArch64 execution states this register is visible in.
 diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-a64.c
 +++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void handle_sys(DisasContext *s, uint32_t insn, bool isread,
          tcg_temp_free_ptr(tmpptr);
          tcg_temp_free_i32(tcg_syn);
          tcg_temp_free_i32(tcg_isread);
 +    } else if (ri->type & ARM_CP_RAISES_EXC) {
 +        /*
 +         * The readfn or writefn might raise an exception;
 +         * synchronize the CPU state in case it does.
 +         */
 +        gen_a64_set_pc_im(s->pc_curr);
      }
-+    a = float16_squash_input_denormal(a, fpst);
+     /* Handle special cases first */
-+
+diff --git a/target/arm/translate.c b/target/arm/translate.c
-     val16 = float16_val(a);
+index XXXXXXX..XXXXXXX 100644
-     sbit = 0x8000 & val16;
+--- a/target/arm/translate.c
-     exp = extract32(val16, 10, 5);
++++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ float32 HELPER(frecpx_f32)(float32 a, void *fpstp)
+@@ -XXX,XX +XXX,XX @@ static int disas_coproc_insn(DisasContext *s, uint32_t insn)
-         return nan;
+             tcg_temp_free_ptr(tmpptr);
-     }
+             tcg_temp_free_i32(tcg_syn);
+             tcg_temp_free_i32(tcg_isread);
-+    a = float32_squash_input_denormal(a, fpst);
++        } else if (ri->type & ARM_CP_RAISES_EXC) {
-+
++            /*
-     val32 = float32_val(a);
++             * The readfn or writefn might raise an exception;
-     sbit = 0x80000000ULL & val32;
++             * synchronize the CPU state in case it does.
-     exp = extract32(val32, 23, 8);
++             */
-@@ -XXX,XX +XXX,XX @@ float64 HELPER(frecpx_f64)(float64 a, void *fpstp)
++            gen_set_condexec(s);
-         return nan;
++            gen_set_pc_im(s, s->pc_curr);
-     }
+         }
-+    a = float64_squash_input_denormal(a, fpst);
+         /* Handle special cases first */
 +
      val64 = float64_val(a);
      sbit = 0x8000000000000000ULL & val64;
      exp = extract64(float64_val(a), 52, 11);
 --
-.17.1
+.20.1

-[Qemu-devel] [PULL 02/25] MAINTAINERS: Add entries for newer MPS2 boards and devices
+Deleted patch
-Add entries to MAINTAINERS to cover the newer MPS2 boards and
-the new devices they use.
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20180518153157.14899-1-peter.maydell@linaro.org
----
- MAINTAINERS | 9 +++++++--
-file changed, 7 insertions(+), 2 deletions(-)
-diff --git a/MAINTAINERS b/MAINTAINERS
-index XXXXXXX..XXXXXXX 100644
---- a/MAINTAINERS
-+++ b/MAINTAINERS
-@@ -XXX,XX +XXX,XX @@ F: hw/timer/cmsdk-apb-timer.c
- F: include/hw/timer/cmsdk-apb-timer.h
- F: hw/char/cmsdk-apb-uart.c
- F: include/hw/char/cmsdk-apb-uart.h
-+F: hw/misc/tz-ppc.c
-+F: include/hw/misc/tz-ppc.h
- ARM cores
- M: Peter Maydell <peter.maydell@linaro.org>
-@@ -XXX,XX +XXX,XX @@ M: Peter Maydell <peter.maydell@linaro.org>
- L: qemu-arm@nongnu.org
- S: Maintained
- F: hw/arm/mps2.c
--F: hw/misc/mps2-scc.c
--F: include/hw/misc/mps2-scc.h
-+F: hw/arm/mps2-tz.c
-+F: hw/misc/mps2-*.c
-+F: include/hw/misc/mps2-*.h
-+F: hw/arm/iotkit.c
-+F: include/hw/arm/iotkit.h
- Musicpal
- M: Jan Kiszka <jan.kiszka@web.de>
---
-.17.1

-[Qemu-devel] [PULL 09/25] Correct CPACR reset value for v7 cores
+[Qemu-devel] [PULL 04/21] target/arm: Take exceptions on ATS instructions when needed
-In commit f0aff255700 we made cpacr_write() enforce that some CPACR
+The translation table walk for an ATS instruction can result in
-bits are RAZ/WI and some are RAO/WI for ARMv7 cores. Unfortunately
+various faults.  In general these are just reported back via the
-we forgot to also update the register's reset value. The effect
+PAR_EL1 fault status fields, but in some cases the architecture
-was that (a) a guest that read CPACR on reset would not see ones in
+requires that the fault is turned into an exception:
-the RAO bits, and (b) if you did a migration before the guest did
+ * synchronous stage 2 faults of any kind during AT S1E0* and
-a write to the CPACR then the migration would fail because the
+   AT S1E1* instructions executed from NS EL1 fault to EL2 or EL3
-destination would enforce the RAO bits and then complain that they
+ * synchronous external aborts are taken as Data Abort exceptions
 didn't match the zero value from the source.
-Implement reset for the CPACR using a custom reset function
+(This is documented in the v8A Arm ARM DDI0487A.e D5.2.11 and
-that just calls cpacr_write(), to avoid having to duplicate
+G5.13.4.)
 the logic for which bits are RAO.
-This bug would affect migration for TCG CPUs which are ARMv7
-with VFP but without one of Neon or VFPv3.
-Reported-by: Cédric Le Goater <clg@kaod.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Tested-by: Cédric Le Goater <clg@kaod.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180522173713.26282-1-peter.maydell@linaro.org
+Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
 Message-id: 20190816125802.25877-3-peter.maydell@linaro.org
 ---
- target/arm/helper.c | 10 +++++++++-
+ target/arm/helper.c | 107 +++++++++++++++++++++++++++++++++++++-------
-file changed, 9 insertions(+), 1 deletion(-)
+file changed, 92 insertions(+), 15 deletions(-)
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static void cpacr_write(CPUARMState *env, const ARMCPRegInfo *ri,
+@@ -XXX,XX +XXX,XX @@ static uint64_t do_ats_write(CPUARMState *env, uint64_t value,
-     env->cp15.cpacr_el1 = value;
+     ret = get_phys_addr(env, value, access_type, mmu_idx, &phys_addr, &attrs,
- }
+                         &prot, &page_size, &fi, &cacheattrs);
-+static void cpacr_reset(CPUARMState *env, const ARMCPRegInfo *ri)
++    if (ret) {
-+{
++        /*
-+    /* Call cpacr_write() so that we reset with the correct RAO bits set
++         * Some kinds of translation fault must cause exceptions rather
-+     * for our CPU features.
++         * than being reported in the PAR.
-+     */
++         */
-+    cpacr_write(env, ri, 0);
++        int current_el = arm_current_el(env);
-+}
++        int target_el;
 +        uint32_t syn, fsr, fsc;
 +        bool take_exc = false;
 +
- static CPAccessResult cpacr_access(CPUARMState *env, const ARMCPRegInfo *ri,
++        if (fi.s1ptw && current_el == 1 && !arm_is_secure(env)
-                                    bool isread)
++            && (mmu_idx == ARMMMUIdx_S1NSE1 || mmu_idx == ARMMMUIdx_S1NSE0)) {
- {
++            /*
-@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v6_cp_reginfo[] = {
++             * Synchronous stage 2 fault on an access made as part of the
-     { .name = "CPACR", .state = ARM_CP_STATE_BOTH, .opc0 = 3,
++             * translation table walk for AT S1E0* or AT S1E1* insn
-       .crn = 1, .crm = 0, .opc1 = 0, .opc2 = 2, .accessfn = cpacr_access,
++             * executed from NS EL1. If this is a synchronous external abort
-       .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, cp15.cpacr_el1),
++             * and SCR_EL3.EA == 1, then we take a synchronous external abort
--      .resetvalue = 0, .writefn = cpacr_write },
++             * to EL3. Otherwise the fault is taken as an exception to EL2,
-+      .resetfn = cpacr_reset, .writefn = cpacr_write },
++             * and HPFAR_EL2 holds the faulting IPA.
 +             */
 +            if (fi.type == ARMFault_SyncExternalOnWalk &&
 +                (env->cp15.scr_el3 & SCR_EA)) {
 +                target_el = 3;
 +            } else {
 +                env->cp15.hpfar_el2 = extract64(fi.s2addr, 12, 47) << 4;
 +                target_el = 2;
 +            }
 +            take_exc = true;
 +        } else if (fi.type == ARMFault_SyncExternalOnWalk) {
 +            /*
 +             * Synchronous external aborts during a translation table walk
 +             * are taken as Data Abort exceptions.
 +             */
 +            if (fi.stage2) {
 +                if (current_el == 3) {
 +                    target_el = 3;
 +                } else {
 +                    target_el = 2;
 +                }
 +            } else {
 +                target_el = exception_target_el(env);
 +            }
 +            take_exc = true;
 +        }
 +
 +        if (take_exc) {
 +            /* Construct FSR and FSC using same logic as arm_deliver_fault() */
 +            if (target_el == 2 || arm_el_is_aa64(env, target_el) ||
 +                arm_s1_regime_using_lpae_format(env, mmu_idx)) {
 +                fsr = arm_fi_to_lfsc(&fi);
 +                fsc = extract32(fsr, 0, 6);
 +            } else {
 +                fsr = arm_fi_to_sfsc(&fi);
 +                fsc = 0x3f;
 +            }
 +            /*
 +             * Report exception with ESR indicating a fault due to a
 +             * translation table walk for a cache maintenance instruction.
 +             */
 +            syn = syn_data_abort_no_iss(current_el == target_el,
 +                                        fi.ea, 1, fi.s1ptw, 1, fsc);
 +            env->exception.vaddress = value;
 +            env->exception.fsr = fsr;
 +            raise_exception(env, EXCP_DATA_ABORT, syn, target_el);
 +        }
 +    }
 +
      if (is_a64(env)) {
          format64 = true;
      } else if (arm_feature(env, ARM_FEATURE_LPAE)) {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo vapa_cp_reginfo[] = {
      /* This underdecoding is safe because the reginfo is NO_RAW. */
      { .name = "ATS", .cp = 15, .crn = 7, .crm = 8, .opc1 = 0, .opc2 = CP_ANY,
        .access = PL1_W, .accessfn = ats_access,
 -      .writefn = ats_write, .type = ARM_CP_NO_RAW },
 +      .writefn = ats_write, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC },
  #endif
      REGINFO_SENTINEL
  };
+@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v8_cp_reginfo[] = {
      /* 64 bit address translation operations */
      { .name = "AT_S1E1R", .state = ARM_CP_STATE_AA64,
        .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 0,
 -      .access = PL1_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
 +      .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
 +      .writefn = ats_write64 },
      { .name = "AT_S1E1W", .state = ARM_CP_STATE_AA64,
        .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 1,
 -      .access = PL1_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
 +      .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
 +      .writefn = ats_write64 },
      { .name = "AT_S1E0R", .state = ARM_CP_STATE_AA64,
        .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 2,
 -      .access = PL1_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
 +      .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
 +      .writefn = ats_write64 },
      { .name = "AT_S1E0W", .state = ARM_CP_STATE_AA64,
        .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 3,
 -      .access = PL1_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
 +      .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
 +      .writefn = ats_write64 },
      { .name = "AT_S12E1R", .state = ARM_CP_STATE_AA64,
        .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 4,
 -      .access = PL2_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
 +      .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
 +      .writefn = ats_write64 },
      { .name = "AT_S12E1W", .state = ARM_CP_STATE_AA64,
        .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 5,
 -      .access = PL2_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
 +      .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
 +      .writefn = ats_write64 },
      { .name = "AT_S12E0R", .state = ARM_CP_STATE_AA64,
        .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 6,
 -      .access = PL2_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
 +      .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
 +      .writefn = ats_write64 },
      { .name = "AT_S12E0W", .state = ARM_CP_STATE_AA64,
        .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 7,
 -      .access = PL2_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
 +      .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
 +      .writefn = ats_write64 },
      /* AT S1E2* are elsewhere as they UNDEF from EL3 if EL2 is not present */
      { .name = "AT_S1E3R", .state = ARM_CP_STATE_AA64,
        .opc0 = 1, .opc1 = 6, .crn = 7, .crm = 8, .opc2 = 0,
 -      .access = PL3_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
 +      .access = PL3_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
 +      .writefn = ats_write64 },
      { .name = "AT_S1E3W", .state = ARM_CP_STATE_AA64,
        .opc0 = 1, .opc1 = 6, .crn = 7, .crm = 8, .opc2 = 1,
 -      .access = PL3_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
 +      .access = PL3_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
 +      .writefn = ats_write64 },
      { .name = "PAR_EL1", .state = ARM_CP_STATE_AA64,
        .type = ARM_CP_ALIAS,
        .opc0 = 3, .opc1 = 0, .crn = 7, .crm = 4, .opc2 = 0,
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el2_cp_reginfo[] = {
      { .name = "AT_S1E2R", .state = ARM_CP_STATE_AA64,
        .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 0,
        .access = PL2_W, .accessfn = at_s1e2_access,
 -      .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
 +      .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC, .writefn = ats_write64 },
      { .name = "AT_S1E2W", .state = ARM_CP_STATE_AA64,
        .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 1,
        .access = PL2_W, .accessfn = at_s1e2_access,
 -      .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
 +      .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC, .writefn = ats_write64 },
      /* The AArch32 ATS1H* operations are CONSTRAINED UNPREDICTABLE
       * if EL2 is not implemented; we choose to UNDEF. Behaviour at EL3
       * with SCR.NS == 0 outside Monitor mode is UNPREDICTABLE; we choose
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el2_cp_reginfo[] = {
       */
      { .name = "ATS1HR", .cp = 15, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 0,
        .access = PL2_W,
 -      .writefn = ats1h_write, .type = ARM_CP_NO_RAW },
 +      .writefn = ats1h_write, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC },
      { .name = "ATS1HW", .cp = 15, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 1,
        .access = PL2_W,
 -      .writefn = ats1h_write, .type = ARM_CP_NO_RAW },
 +      .writefn = ats1h_write, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC },
      { .name = "CNTHCTL_EL2", .state = ARM_CP_STATE_BOTH,
        .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 1, .opc2 = 0,
        /* ARMv7 requires bit 0 and 1 to reset to 1. ARMv8 defines the
 --
-.17.1
+.20.1

-[Qemu-devel] [PULL 10/25] memory.h: Improve IOMMU related documentation
+[Qemu-devel] [PULL 05/21] aspeed/timer: Provide back-pressure information for short periods
-Add more detail to the documentation for memory_region_init_iommu()
+From: Andrew Jeffery <andrew@aj.id.au>
 and other IOMMU-related functions and data structures.
+First up: This is not the way the hardware behaves.
+However, it helps resolve real-world problems with short periods being
+used under Linux. Commit 4451d3f59f2a ("clocksource/drivers/fttmr010:
+Fix set_next_event handler") in Linux fixed the timer driver to
+correctly schedule the next event for the Aspeed controller, and in
+combination with 5daa8212c08e ("ARM: dts: aspeed: Describe random number
+device") Linux will now set a timer with a period as low as 1us.
+Configuring a qemu timer with such a short period results in spending
+time handling the interrupt in the model rather than executing guest
+code, leading to noticeable "sticky" behaviour in the guest.
+The behaviour of Linux is correct with respect to the hardware, so we
+need to improve our handling under emulation. The approach chosen is to
+provide back-pressure information by calculating an acceptable minimum
+number of ticks to be set on the model. Under Linux an additional read
+is added in the timer configuration path to detect back-pressure, which
+will never occur on hardware. However if back-pressure is observed, the
+driver alerts the clock event subsystem, which then performs its own
+next event dilation via a config option - d1748302f70b ("clockevents:
+Make minimum delay adjustments configurable")
+A minimum period of 5us was experimentally determined on a Lenovo
+T480s, which I've increased to 20us for "safety".
+Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
+Reviewed-by: Joel Stanley <joel@jms.id.au>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Tested-by: Joel Stanley <joel@jms.id.au>
+Signed-off-by: Cédric Le Goater <clg@kaod.org>
+Message-id: 20190704055150.4899-1-clg@kaod.org
+[clg: - changed the computation of min_ticks to be done each time the
+        timer value is reloaded. It removes the ordering issue of the
+        timer and scu reset handlers but is slightly slower ]
+      - introduced TIMER_MIN_NS
+      - introduced calculate_min_ticks() ]
+Signed-off-by: Cédric Le Goater <clg@kaod.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Eric Auger <eric.auger@redhat.com>
-Message-id: 20180521140402.23318-2-peter.maydell@linaro.org
 ---
- include/exec/memory.h | 105 ++++++++++++++++++++++++++++++++++++++----
+ hw/timer/aspeed_timer.c | 17 ++++++++++++++++-
-file changed, 95 insertions(+), 10 deletions(-)
+file changed, 16 insertions(+), 1 deletion(-)
-diff --git a/include/exec/memory.h b/include/exec/memory.h
+diff --git a/hw/timer/aspeed_timer.c b/hw/timer/aspeed_timer.c
 index XXXXXXX..XXXXXXX 100644
---- a/include/exec/memory.h
+--- a/hw/timer/aspeed_timer.c
-+++ b/include/exec/memory.h
++++ b/hw/timer/aspeed_timer.c
-@@ -XXX,XX +XXX,XX @@ enum IOMMUMemoryRegionAttr {
+@@ -XXX,XX +XXX,XX @@ enum timer_ctrl_op {
-     IOMMU_ATTR_SPAPR_TCE_FD
+     op_pulse_enable
  };
-+/**
++/*
-+ * IOMMUMemoryRegionClass:
++ * Minimum value of the reload register to filter out short period
-+ *
++ * timers which have a noticeable impact in emulation. 5us should be
-+ * All IOMMU implementations need to subclass TYPE_IOMMU_MEMORY_REGION
++ * enough, use 20us for "safety".
 + * and provide an implementation of at least the @translate method here
 + * to handle requests to the memory region. Other methods are optional.
 + *
 + * The IOMMU implementation must use the IOMMU notifier infrastructure
 + * to report whenever mappings are changed, by calling
 + * memory_region_notify_iommu() (or, if necessary, by calling
 + * memory_region_notify_one() for each registered notifier).
 + */
- typedef struct IOMMUMemoryRegionClass {
++#define TIMER_MIN_NS (20 * SCALE_US)
-     /* private */
++
-     struct DeviceClass parent_class;
+ /**
+  * Avoid mutual references between AspeedTimerCtrlState and AspeedTimer
-     /*
+  * structs, as it's a waste of memory. The ptimer BH callback needs to know
--     * Return a TLB entry that contains a given address. Flag should
+@@ -XXX,XX +XXX,XX @@ static inline uint32_t calculate_ticks(struct AspeedTimer *t, uint64_t now_ns)
--     * be the access permission of this translation operation. We can
+     return t->reload - MIN(t->reload, ticks);
--     * set flag to IOMMU_NONE to mean that we don't need any
+ }
--     * read/write permission checks, like, when for region replay.
-+     * Return a TLB entry that contains a given address.
++static uint32_t calculate_min_ticks(AspeedTimer *t, uint32_t value)
-+     *
++{
-+     * The IOMMUAccessFlags indicated via @flag are optional and may
++    uint32_t rate = calculate_rate(t);
-+     * be specified as IOMMU_NONE to indicate that the caller needs
++    uint32_t min_ticks = muldiv64(TIMER_MIN_NS, rate, NANOSECONDS_PER_SECOND);
-+     * the full translation information for both reads and writes. If
++
-+     * the access flags are specified then the IOMMU implementation
++    return  value < min_ticks ? min_ticks : value;
-+     * may use this as an optimization, to stop doing a page table
++}
-+     * walk as soon as it knows that the requested permissions are not
++
-+     * allowed. If IOMMU_NONE is passed then the IOMMU must do the
+ static inline uint64_t calculate_time(struct AspeedTimer *t, uint32_t ticks)
-+     * full page table walk and report the permissions in the returned
+ {
-+     * IOMMUTLBEntry. (Note that this implies that an IOMMU may not
+     uint64_t delta_ns;
-+     * return different mappings for reads and writes.)
+@@ -XXX,XX +XXX,XX @@ static void aspeed_timer_set_value(AspeedTimerCtrlState *s, int timer, int reg,
-+     *
+     switch (reg) {
-+     * The returned information remains valid while the caller is
+     case TIMER_REG_RELOAD:
-+     * holding the big QEMU lock or is inside an RCU critical section;
+         old_reload = t->reload;
-+     * if the caller wishes to cache the mapping beyond that it must
+-        t->reload = value;
-+     * register an IOMMU notifier so it can invalidate its cached
++        t->reload = calculate_min_ticks(t, value);
-+     * information when the IOMMU mapping changes.
-+     *
+         /* If the reload value was not previously set, or zero, and
-+     * @iommu: the IOMMUMemoryRegion
+          * the current value is valid, try to start the timer if it is
 +     * @hwaddr: address to be translated within the memory region
 +     * @flag: requested access permissions
       */
      IOMMUTLBEntry (*translate)(IOMMUMemoryRegion *iommu, hwaddr addr,
                                 IOMMUAccessFlags flag);
 -    /* Returns minimum supported page size */
 +    /* Returns minimum supported page size in bytes.
 +     * If this method is not provided then the minimum is assumed to
 +     * be TARGET_PAGE_SIZE.
 +     *
 +     * @iommu: the IOMMUMemoryRegion
 +     */
      uint64_t (*get_min_page_size)(IOMMUMemoryRegion *iommu);
 -    /* Called when IOMMU Notifier flag changed */
 +    /* Called when IOMMU Notifier flag changes (ie when the set of
 +     * events which IOMMU users are requesting notification for changes).
 +     * Optional method -- need not be provided if the IOMMU does not
 +     * need to know exactly which events must be notified.
 +     *
 +     * @iommu: the IOMMUMemoryRegion
 +     * @old_flags: events which previously needed to be notified
 +     * @new_flags: events which now need to be notified
 +     */
      void (*notify_flag_changed)(IOMMUMemoryRegion *iommu,
                                  IOMMUNotifierFlag old_flags,
                                  IOMMUNotifierFlag new_flags);
 -    /* Set this up to provide customized IOMMU replay function */
 +    /* Called to handle memory_region_iommu_replay().
 +     *
 +     * The default implementation of memory_region_iommu_replay() is to
 +     * call the IOMMU translate method for every page in the address space
 +     * with flag == IOMMU_NONE and then call the notifier if translate
 +     * returns a valid mapping. If this method is implemented then it
 +     * overrides the default behaviour, and must provide the full semantics
 +     * of memory_region_iommu_replay(), by calling @notifier for every
 +     * translation present in the IOMMU.
 +     *
 +     * Optional method -- an IOMMU only needs to provide this method
 +     * if the default is inefficient or produces undesirable side effects.
 +     *
 +     * Note: this is not related to record-and-replay functionality.
 +     */
      void (*replay)(IOMMUMemoryRegion *iommu, IOMMUNotifier *notifier);
 -    /* Get IOMMU misc attributes */
 -    int (*get_attr)(IOMMUMemoryRegion *iommu, enum IOMMUMemoryRegionAttr,
 +    /* Get IOMMU misc attributes. This is an optional method that
 +     * can be used to allow users of the IOMMU to get implementation-specific
 +     * information. The IOMMU implements this method to handle calls
 +     * by IOMMU users to memory_region_iommu_get_attr() by filling in
 +     * the arbitrary data pointer for any IOMMUMemoryRegionAttr values that
 +     * the IOMMU supports. If the method is unimplemented then
 +     * memory_region_iommu_get_attr() will always return -EINVAL.
 +     *
 +     * @iommu: the IOMMUMemoryRegion
 +     * @attr: attribute being queried
 +     * @data: memory to fill in with the attribute data
 +     *
 +     * Returns 0 on success, or a negative errno; in particular
 +     * returns -EINVAL for unrecognized or unimplemented attribute types.
 +     */
 +    int (*get_attr)(IOMMUMemoryRegion *iommu, enum IOMMUMemoryRegionAttr attr,
                      void *data);
  } IOMMUMemoryRegionClass;
@@ -XXX,XX +XXX,XX @@ static inline void memory_region_init_reservation(MemoryRegion *mr,
   * An IOMMU region translates addresses and forwards accesses to a target
   * memory region.
   *
 + * The IOMMU implementation must define a subclass of TYPE_IOMMU_MEMORY_REGION.
 + * @_iommu_mr should be a pointer to enough memory for an instance of
 + * that subclass, @instance_size is the size of that subclass, and
 + * @mrtypename is its name. This function will initialize @_iommu_mr as an
 + * instance of the subclass, and its methods will then be called to handle
 + * accesses to the memory region. See the documentation of
 + * #IOMMUMemoryRegionClass for further details.
 + *
   * @_iommu_mr: the #IOMMUMemoryRegion to be initialized
   * @instance_size: the IOMMUMemoryRegion subclass instance size
   * @mrtypename: the type name of the #IOMMUMemoryRegion
@@ -XXX,XX +XXX,XX @@ void memory_region_register_iommu_notifier(MemoryRegion *mr,
   * a notifier with the minimum page granularity returned by
   * mr->iommu_ops->get_page_size().
   *
 + * Note: this is not related to record-and-replay functionality.
 + *
   * @iommu_mr: the memory region to observe
   * @n: the notifier to which to replay iommu mappings
   */
@@ -XXX,XX +XXX,XX @@ void memory_region_iommu_replay(IOMMUMemoryRegion *iommu_mr, IOMMUNotifier *n);
   * memory_region_iommu_replay_all: replay existing IOMMU translations
   * to all the notifiers registered.
   *
 + * Note: this is not related to record-and-replay functionality.
 + *
   * @iommu_mr: the memory region to observe
   */
  void memory_region_iommu_replay_all(IOMMUMemoryRegion *iommu_mr);
@@ -XXX,XX +XXX,XX @@ void memory_region_unregister_iommu_notifier(MemoryRegion *mr,
   * memory_region_iommu_get_attr: return an IOMMU attr if get_attr() is
   * defined on the IOMMU.
   *
 - * Returns 0 if succeded, error code otherwise.
 + * Returns 0 on success, or a negative errno otherwise. In particular,
 + * -EINVAL indicates that the IOMMU does not support the requested
 + * attribute.
   *
   * @iommu_mr: the memory region
   * @attr: the requested attribute
 --
-.17.1
+.20.1

-[Qemu-devel] [PULL 17/25] Make MemoryRegion valid.accepts callback take a MemTxAttrs argument
+[Qemu-devel] [PULL 06/21] memory: Remove unused memory_region_iommu_replay_all()
-As part of plumbing MemTxAttrs down to the IOMMU translate method,
+From: Eric Auger <eric.auger@redhat.com>
 add MemTxAttrs as an argument to the MemoryRegion valid.accepts
 callback. We'll need this for subpage_accepts().
-We could take the approach we used with the read and write
+memory_region_iommu_replay_all is not used. Remove it.
 callbacks and add new a new _with_attrs version, but since there
 are so few implementations of the accepts hook we just change
 them all.
+Signed-off-by: Eric Auger <eric.auger@redhat.com>
+Reported-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Peter Xu <peterx@redhat.com>
+Message-id: 20190822172350.12008-2-eric.auger@redhat.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180521140402.23318-9-peter.maydell@linaro.org
 ---
- include/exec/memory.h |  3 ++-
+ include/exec/memory.h | 10 ----------
- exec.c                |  9 ++++++---
+ memory.c              |  9 ---------
- hw/hppa/dino.c        |  3 ++-
+files changed, 19 deletions(-)
  hw/nvram/fw_cfg.c     | 12 ++++++++----
  hw/scsi/esp.c         |  3 ++-
  hw/xen/xen_pt_msi.c   |  3 ++-
  memory.c              |  5 +++--
 files changed, 25 insertions(+), 13 deletions(-)
 diff --git a/include/exec/memory.h b/include/exec/memory.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/exec/memory.h
 +++ b/include/exec/memory.h
-@@ -XXX,XX +XXX,XX @@ struct MemoryRegionOps {
+@@ -XXX,XX +XXX,XX @@ void memory_region_register_iommu_notifier(MemoryRegion *mr,
-          * as a machine check exception).
+  */
-          */
+ void memory_region_iommu_replay(IOMMUMemoryRegion *iommu_mr, IOMMUNotifier *n);
-         bool (*accepts)(void *opaque, hwaddr addr,
--                        unsigned size, bool is_write);
+-/**
-+                        unsigned size, bool is_write,
+- * memory_region_iommu_replay_all: replay existing IOMMU translations
-+                        MemTxAttrs attrs);
+- * to all the notifiers registered.
-     } valid;
+- *
-     /* Internal implementation constraints: */
+- * Note: this is not related to record-and-replay functionality.
-     struct {
+- *
-diff --git a/exec.c b/exec.c
+- * @iommu_mr: the memory region to observe
-index XXXXXXX..XXXXXXX 100644
+- */
---- a/exec.c
+-void memory_region_iommu_replay_all(IOMMUMemoryRegion *iommu_mr);
-+++ b/exec.c
+-
-@@ -XXX,XX +XXX,XX @@ static void notdirty_mem_write(void *opaque, hwaddr ram_addr,
+ /**
- }
+  * memory_region_unregister_iommu_notifier: unregister a notifier for
+  * changes to IOMMU translation entries.
  static bool notdirty_mem_accepts(void *opaque, hwaddr addr,
 -                                 unsigned size, bool is_write)
 +                                 unsigned size, bool is_write,
 +                                 MemTxAttrs attrs)
  {
      return is_write;
  }
@@ -XXX,XX +XXX,XX @@ static MemTxResult subpage_write(void *opaque, hwaddr addr,
  }
  static bool subpage_accepts(void *opaque, hwaddr addr,
 -                            unsigned len, bool is_write)
 +                            unsigned len, bool is_write,
 +                            MemTxAttrs attrs)
  {
      subpage_t *subpage = opaque;
  #if defined(DEBUG_SUBPAGE)
@@ -XXX,XX +XXX,XX @@ static void readonly_mem_write(void *opaque, hwaddr addr,
  }
  static bool readonly_mem_accepts(void *opaque, hwaddr addr,
 -                                 unsigned size, bool is_write)
 +                                 unsigned size, bool is_write,
 +                                 MemTxAttrs attrs)
  {
      return is_write;
  }
 diff --git a/hw/hppa/dino.c b/hw/hppa/dino.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/hppa/dino.c
 +++ b/hw/hppa/dino.c
@@ -XXX,XX +XXX,XX @@ static void gsc_to_pci_forwarding(DinoState *s)
  }
  static bool dino_chip_mem_valid(void *opaque, hwaddr addr,
 -                                unsigned size, bool is_write)
 +                                unsigned size, bool is_write,
 +                                MemTxAttrs attrs)
  {
      switch (addr) {
      case DINO_IAR0:
 diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/nvram/fw_cfg.c
 +++ b/hw/nvram/fw_cfg.c
@@ -XXX,XX +XXX,XX @@ static void fw_cfg_dma_mem_write(void *opaque, hwaddr addr,
  }
  static bool fw_cfg_dma_mem_valid(void *opaque, hwaddr addr,
 -                                  unsigned size, bool is_write)
 +                                 unsigned size, bool is_write,
 +                                 MemTxAttrs attrs)
  {
      return !is_write || ((size == 4 && (addr == 0 || addr == 4)) ||
                           (size == 8 && addr == 0));
  }
  static bool fw_cfg_data_mem_valid(void *opaque, hwaddr addr,
 -                                  unsigned size, bool is_write)
 +                                  unsigned size, bool is_write,
 +                                  MemTxAttrs attrs)
  {
      return addr == 0;
  }
@@ -XXX,XX +XXX,XX @@ static void fw_cfg_ctl_mem_write(void *opaque, hwaddr addr,
  }
  static bool fw_cfg_ctl_mem_valid(void *opaque, hwaddr addr,
 -                                 unsigned size, bool is_write)
 +                                 unsigned size, bool is_write,
 +                                 MemTxAttrs attrs)
  {
      return is_write && size == 2;
  }
@@ -XXX,XX +XXX,XX @@ static void fw_cfg_comb_write(void *opaque, hwaddr addr,
  }
  static bool fw_cfg_comb_valid(void *opaque, hwaddr addr,
 -                                  unsigned size, bool is_write)
 +                              unsigned size, bool is_write,
 +                              MemTxAttrs attrs)
  {
      return (size == 1) || (is_write && size == 2);
  }
 diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/scsi/esp.c
 +++ b/hw/scsi/esp.c
@@ -XXX,XX +XXX,XX @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val)
  }
  static bool esp_mem_accepts(void *opaque, hwaddr addr,
 -                            unsigned size, bool is_write)
 +                            unsigned size, bool is_write,
 +                            MemTxAttrs attrs)
  {
      return (size == 1) || (is_write && size == 4);
  }
 diff --git a/hw/xen/xen_pt_msi.c b/hw/xen/xen_pt_msi.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/xen/xen_pt_msi.c
 +++ b/hw/xen/xen_pt_msi.c
@@ -XXX,XX +XXX,XX @@ static uint64_t pci_msix_read(void *opaque, hwaddr addr,
  }
  static bool pci_msix_accepts(void *opaque, hwaddr addr,
 -                             unsigned size, bool is_write)
 +                             unsigned size, bool is_write,
 +                             MemTxAttrs attrs)
  {
      return !(addr & (size - 1));
  }
 diff --git a/memory.c b/memory.c
 index XXXXXXX..XXXXXXX 100644
 --- a/memory.c
 +++ b/memory.c
-@@ -XXX,XX +XXX,XX @@ static void unassigned_mem_write(void *opaque, hwaddr addr,
+@@ -XXX,XX +XXX,XX @@ void memory_region_iommu_replay(IOMMUMemoryRegion *iommu_mr, IOMMUNotifier *n)
      }
  }
- static bool unassigned_mem_accepts(void *opaque, hwaddr addr,
+-void memory_region_iommu_replay_all(IOMMUMemoryRegion *iommu_mr)
--                                   unsigned size, bool is_write)
+-{
-+                                   unsigned size, bool is_write,
+-    IOMMUNotifier *notifier;
-+                                   MemTxAttrs attrs)
+-
 -    IOMMU_NOTIFIER_FOREACH(notifier, iommu_mr) {
 -        memory_region_iommu_replay(iommu_mr, notifier);
 -    }
 -}
 -
  void memory_region_unregister_iommu_notifier(MemoryRegion *mr,
                                               IOMMUNotifier *n)
  {
-     return false;
- }
-@@ -XXX,XX +XXX,XX @@ bool memory_region_access_valid(MemoryRegion *mr,
-     access_size = MAX(MIN(size, access_size_max), access_size_min);
-     for (i = 0; i < size; i += access_size) {
-         if (!mr->ops->valid.accepts(mr->opaque, addr + i, access_size,
--                                    is_write)) {
-+                                    is_write, attrs)) {
-             return false;
-         }
-     }
 --
-.17.1
+.20.1

-[Qemu-devel] [PULL 23/25] vmstate.h: Provide VMSTATE_BOOL_SUB_ARRAY
+[Qemu-devel] [PULL 07/21] hw/arm/smmuv3: Log a guest error when decoding an invalid STE
-Provide a VMSTATE_BOOL_SUB_ARRAY to go with VMSTATE_UINT8_SUB_ARRAY
+From: Eric Auger <eric.auger@redhat.com>
 and friends.
+Log a guest error when encountering an invalid STE.
+Signed-off-by: Eric Auger <eric.auger@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20190822172350.12008-5-eric.auger@redhat.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Message-id: 20180521140402.23318-23-peter.maydell@linaro.org
 ---
- include/migration/vmstate.h | 3 +++
+ hw/arm/smmuv3.c | 1 +
-file changed, 3 insertions(+)
+file changed, 1 insertion(+)
-diff --git a/include/migration/vmstate.h b/include/migration/vmstate.h
+diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
 index XXXXXXX..XXXXXXX 100644
---- a/include/migration/vmstate.h
+--- a/hw/arm/smmuv3.c
-+++ b/include/migration/vmstate.h
++++ b/hw/arm/smmuv3.c
-@@ -XXX,XX +XXX,XX @@ extern const VMStateInfo vmstate_info_qtailq;
+@@ -XXX,XX +XXX,XX @@ static int decode_ste(SMMUv3State *s, SMMUTransCfg *cfg,
- #define VMSTATE_BOOL_ARRAY(_f, _s, _n)                               \
+     uint32_t config;
-     VMSTATE_BOOL_ARRAY_V(_f, _s, _n, 0)
+     if (!STE_VALID(ste)) {
-+#define VMSTATE_BOOL_SUB_ARRAY(_f, _s, _start, _num)                \
++        qemu_log_mask(LOG_GUEST_ERROR, "invalid STE\n");
-+    VMSTATE_SUB_ARRAY(_f, _s, _start, _num, 0, vmstate_info_bool, bool)
+         goto bad_ste;
-+
+     }
  #define VMSTATE_UINT16_ARRAY_V(_f, _s, _n, _v)                         \
      VMSTATE_ARRAY(_f, _s, _n, _v, vmstate_info_uint16, uint16_t)
 --
-.17.1
+.20.1

-[Qemu-devel] [PULL 06/25] arm: fix qemu crash on startup with -bios option
+[Qemu-devel] [PULL 08/21] hw/arm/smmuv3: Remove spurious error messages on IOVA invalidations
-From: Igor Mammedov <imammedo@redhat.com>
+From: Eric Auger <eric.auger@redhat.com>
-When QEMU is started with following CLI
+An IOVA/ASID invalidation is notified to all IOMMU Memory Regions
- -machine virt,gic-version=3,accel=kvm -cpu host -bios AAVMF_CODE.fd
+through smmuv3_inv_notifiers_iova/smmuv3_notify_iova.
 it crashes with abort at
  accel/kvm/kvm-all.c:2164:
  KVM_SET_DEVICE_ATTR failed: Group 6 attr 0x000000000000c665: Invalid argument
-Which is caused by implicit dependency of kvm_arm_gicv3_reset() on
+When the notification occurs it is possible that some of the
-arm_gicv3_icc_reset() where the later is called by CPU reset
+PCIe devices associated to the notified regions do not have a
-reset callback.
+valid stream table entry. In that case we output a LOG_GUEST_ERROR
 message, for example:
-However commit:
+invalid sid=<SID> (L1STD span=0)
-b77f6c arm/boot: split load_dtb() from arm_load_kernel()
+"smmuv3_notify_iova error decoding the configuration for iommu mr=<MR>
 broke CPU reset callback registration in case
-  arm_load_kernel()
+This is unfortunate as the user gets the impression that there
-      ...
+are some translation decoding errors whereas there are not.
       if (!info->kernel_filename || info->firmware_loaded)
-branch is taken, i.e. it's sufficient to provide a firmware
+This patch adds a new field in SMMUEventInfo that tells whether
-or do not provide kernel on CLI to skip cpu reset callback
+the detection of an invalid STE must lead to an error report.
-registration, where before offending commit the callback
+invalid_ste_allowed is set before doing the invalidations and
-has been registered unconditionally.
+kept unset on actual translation.
-Fix it by registering the callback right at the beginning of
+The other configuration decoding error messages are kept since if the
-arm_load_kernel() unconditionally instead of doing it at the end.
+STE is valid then the rest of the config must be correct.
-NOTE:
+Signed-off-by: Eric Auger <eric.auger@redhat.com>
- we probably should eliminate that dependency anyways as well as
+Message-id: 20190822172350.12008-6-eric.auger@redhat.com
  separate arch CPU reset parts from arm_load_kernel() into CPU
  itself, but that refactoring that I probably would have to do
  anyways later for CPU hotplug to work.
 Reported-by: Auger Eric <eric.auger@redhat.com>
 Signed-off-by: Igor Mammedov <imammedo@redhat.com>
 Reviewed-by: Eric Auger <eric.auger@redhat.com>
 Tested-by: Eric Auger <eric.auger@redhat.com>
 Message-id: 1527070950-208350-1-git-send-email-imammedo@redhat.com
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/boot.c | 18 +++++++++---------
+ hw/arm/smmuv3-internal.h |  1 +
-file changed, 9 insertions(+), 9 deletions(-)
+ hw/arm/smmuv3.c          | 19 +++++++++++--------
 files changed, 12 insertions(+), 8 deletions(-)
-diff --git a/hw/arm/boot.c b/hw/arm/boot.c
+diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/boot.c
+--- a/hw/arm/smmuv3-internal.h
-+++ b/hw/arm/boot.c
++++ b/hw/arm/smmuv3-internal.h
-@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info)
+@@ -XXX,XX +XXX,XX @@ typedef struct SMMUEventInfo {
-     static const ARMInsnFixup *primary_loader;
+     uint32_t sid;
-     AddressSpace *as = arm_boot_address_space(cpu, info);
+     bool recorded;
+     bool record_trans_faults;
-+    /* CPU objects (unlike devices) are not automatically reset on system
++    bool inval_ste_allowed;
-+     * reset, so we must always register a handler to do so. If we're
+     union {
-+     * actually loading a kernel, the handler is also responsible for
+         struct {
-+     * arranging that we start it correctly.
+             uint32_t ssid;
-+     */
+diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
-+    for (cs = first_cpu; cs; cs = CPU_NEXT(cs)) {
+index XXXXXXX..XXXXXXX 100644
-+        qemu_register_reset(do_cpu_reset, ARM_CPU(cs));
+--- a/hw/arm/smmuv3.c
-+    }
++++ b/hw/arm/smmuv3.c
-+
+@@ -XXX,XX +XXX,XX @@ static int decode_ste(SMMUv3State *s, SMMUTransCfg *cfg,
-     /* The board code is not supposed to set secure_board_setup unless
+     uint32_t config;
-      * running its code in secure mode is actually possible, and KVM
-      * doesn't support secure.
+     if (!STE_VALID(ste)) {
-@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info)
+-        qemu_log_mask(LOG_GUEST_ERROR, "invalid STE\n");
-         ARM_CPU(cs)->env.boot_info = info;
++        if (!event->inval_ste_allowed) {
 +            qemu_log_mask(LOG_GUEST_ERROR, "invalid STE\n");
 +        }
          goto bad_ste;
      }
--    /* CPU objects (unlike devices) are not automatically reset on system
+@@ -XXX,XX +XXX,XX @@ static int smmu_find_ste(SMMUv3State *s, uint32_t sid, STE *ste,
--     * reset, so we must always register a handler to do so. If we're
--     * actually loading a kernel, the handler is also responsible for
+         if (!span) {
--     * arranging that we start it correctly.
+             /* l2ptr is not valid */
--     */
+-            qemu_log_mask(LOG_GUEST_ERROR,
--    for (cs = first_cpu; cs; cs = CPU_NEXT(cs)) {
+-                          "invalid sid=%d (L1STD span=0)\n", sid);
--        qemu_register_reset(do_cpu_reset, ARM_CPU(cs));
++            if (!event->inval_ste_allowed) {
--    }
++                qemu_log_mask(LOG_GUEST_ERROR,
--
++                              "invalid sid=%d (L1STD span=0)\n", sid);
-     if (!info->skip_dtb_autoload && have_dtb(info)) {
++            }
-         if (arm_load_dtb(info->dtb_start, info, info->dtb_limit, as) < 0) {
+             event->type = SMMU_EVT_C_BAD_STREAMID;
-             exit(1);
+             return -EINVAL;
          }
@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,
      SMMUDevice *sdev = container_of(mr, SMMUDevice, iommu);
      SMMUv3State *s = sdev->smmu;
      uint32_t sid = smmu_get_sid(sdev);
 -    SMMUEventInfo event = {.type = SMMU_EVT_NONE, .sid = sid};
 +    SMMUEventInfo event = {.type = SMMU_EVT_NONE,
 +                           .sid = sid,
 +                           .inval_ste_allowed = false};
      SMMUPTWEventInfo ptw_info = {};
      SMMUTranslationStatus status;
      SMMUState *bs = ARM_SMMU(s);
@@ -XXX,XX +XXX,XX @@ static void smmuv3_notify_iova(IOMMUMemoryRegion *mr,
                                 dma_addr_t iova)
  {
      SMMUDevice *sdev = container_of(mr, SMMUDevice, iommu);
 -    SMMUEventInfo event = {};
 +    SMMUEventInfo event = {.inval_ste_allowed = true};
      SMMUTransTableInfo *tt;
      SMMUTransCfg *cfg;
      IOMMUTLBEntry entry;
      cfg = smmuv3_get_config(sdev, &event);
      if (!cfg) {
 -        qemu_log_mask(LOG_GUEST_ERROR,
 -                      "%s error decoding the configuration for iommu mr=%s\n",
 -                      __func__, mr->parent_obj.name);
          return;
      }
 --
-.17.1
+.20.1

-[Qemu-devel] [PULL 04/25] arm_gicv3_kvm: increase clroffset accordingly
+[Qemu-devel] [PULL 09/21] target/arm: Fix SMMLS argument order
-From: Shannon Zhao <zhaoshenglong@huawei.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-It forgot to increase clroffset during the loop. So it only clear the
+The previous simplification got the order of operands to the
-first 4 bytes.
+subtraction wrong.  Since the 64-bit product is the subtrahend,
 we must use a 64-bit subtract to properly compute the borrow
 from the low-part of the product.
-Fixes: 367b9f527becdd20ddf116e17a3c0c2bbc486920
+Fixes: 5f8cd06ebcf5 ("target/arm: Simplify SMMLA, SMMLAR, SMMLS, SMMLSR")
-Cc: qemu-stable@nongnu.org
+Reported-by: Laurent Desnogues <laurent.desnogues@gmail.com>
-Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Tested-by: Laurent Desnogues <laurent.desnogues@gmail.com>
-Message-id: 1527047633-12368-1-git-send-email-zhaoshenglong@huawei.com
+Message-id: 20190829013258.16102-1-richard.henderson@linaro.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/intc/arm_gicv3_kvm.c | 1 +
+ target/arm/translate.c | 20 ++++++++++++++++++--
-file changed, 1 insertion(+)
+file changed, 18 insertions(+), 2 deletions(-)
-diff --git a/hw/intc/arm_gicv3_kvm.c b/hw/intc/arm_gicv3_kvm.c
+diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/arm_gicv3_kvm.c
+--- a/target/arm/translate.c
-+++ b/hw/intc/arm_gicv3_kvm.c
++++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ static void kvm_dist_putbmp(GICv3State *s, uint32_t offset,
+@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
-         if (clroffset != 0) {
+                         if (rd != 15) {
-             reg = 0;
+                             tmp3 = load_reg(s, rd);
-             kvm_gicd_access(s, clroffset, &reg, true);
+                             if (insn & (1 << 6)) {
-+            clroffset += 4;
+-                                tcg_gen_sub_i32(tmp, tmp, tmp3);
-         }
++                                /*
-         reg = *gic_bmp_ptr32(bmp, irq);
++                                 * For SMMLS, we need a 64-bit subtract.
-         kvm_gicd_access(s, offset, &reg, true);
++                                 * Borrow caused by a non-zero multiplicand
 +                                 * lowpart, and the correct result lowpart
 +                                 * for rounding.
 +                                 */
 +                                TCGv_i32 zero = tcg_const_i32(0);
 +                                tcg_gen_sub2_i32(tmp2, tmp, zero, tmp3,
 +                                                 tmp2, tmp);
 +                                tcg_temp_free_i32(zero);
                              } else {
                                  tcg_gen_add_i32(tmp, tmp, tmp3);
                              }
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                      if (insn & (1 << 20)) {
                          tcg_gen_add_i32(tmp, tmp, tmp3);
                      } else {
 -                        tcg_gen_sub_i32(tmp, tmp, tmp3);
 +                        /*
 +                         * For SMMLS, we need a 64-bit subtract.
 +                         * Borrow caused by a non-zero multiplicand lowpart,
 +                         * and the correct result lowpart for rounding.
 +                         */
 +                        TCGv_i32 zero = tcg_const_i32(0);
 +                        tcg_gen_sub2_i32(tmp2, tmp, zero, tmp3, tmp2, tmp);
 +                        tcg_temp_free_i32(zero);
                      }
                      tcg_temp_free_i32(tmp3);
                  }
 --
-.17.1
+.20.1

-[Qemu-devel] [PULL 19/25] Make flatview_translate() take a MemTxAttrs argument
+[Qemu-devel] [PULL 10/21] hw/arm: Use ARM_CPU_TYPE_NAME() macro when appropriate
-As part of plumbing MemTxAttrs down to the IOMMU translate method,
+From: Philippe Mathieu-Daudé <philmd@redhat.com>
 add MemTxAttrs as an argument to flatview_translate(); all its
 callers now have attrs available.
+Commit ba1ba5cca introduce the ARM_CPU_TYPE_NAME() macro.
+Unify the code base by use it in all places.
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20190823143249.8096-2-philmd@redhat.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180521140402.23318-11-peter.maydell@linaro.org
 ---
- include/exec/memory.h |  7 ++++---
+ hw/arm/allwinner-a10.c | 3 ++-
- exec.c                | 17 +++++++++--------
+ hw/arm/cubieboard.c    | 3 ++-
-files changed, 13 insertions(+), 11 deletions(-)
+ hw/arm/digic.c         | 3 ++-
  hw/arm/fsl-imx25.c     | 2 +-
  hw/arm/fsl-imx31.c     | 2 +-
  hw/arm/fsl-imx6.c      | 3 ++-
  hw/arm/fsl-imx6ul.c    | 2 +-
  hw/arm/xlnx-zynqmp.c   | 8 ++++----
 files changed, 15 insertions(+), 11 deletions(-)
-diff --git a/include/exec/memory.h b/include/exec/memory.h
+diff --git a/hw/arm/allwinner-a10.c b/hw/arm/allwinner-a10.c
 index XXXXXXX..XXXXXXX 100644
---- a/include/exec/memory.h
+--- a/hw/arm/allwinner-a10.c
-+++ b/include/exec/memory.h
++++ b/hw/arm/allwinner-a10.c
-@@ -XXX,XX +XXX,XX @@ IOMMUTLBEntry address_space_get_iotlb_entry(AddressSpace *as, hwaddr addr,
+@@ -XXX,XX +XXX,XX @@ static void aw_a10_init(Object *obj)
-  */
+     AwA10State *s = AW_A10(obj);
- MemoryRegion *flatview_translate(FlatView *fv,
-                                  hwaddr addr, hwaddr *xlat,
+     object_initialize_child(obj, "cpu", &s->cpu, sizeof(s->cpu),
--                                 hwaddr *len, bool is_write);
+-                            "cortex-a8-" TYPE_ARM_CPU, &error_abort, NULL);
-+                                 hwaddr *len, bool is_write,
++                            ARM_CPU_TYPE_NAME("cortex-a8"),
-+                                 MemTxAttrs attrs);
++                            &error_abort, NULL);
- static inline MemoryRegion *address_space_translate(AddressSpace *as,
+     sysbus_init_child_obj(obj, "intc", &s->intc, sizeof(s->intc),
-                                                     hwaddr addr, hwaddr *xlat,
+                           TYPE_AW_A10_PIC);
-@@ -XXX,XX +XXX,XX @@ static inline MemoryRegion *address_space_translate(AddressSpace *as,
+diff --git a/hw/arm/cubieboard.c b/hw/arm/cubieboard.c
-                                                     MemTxAttrs attrs)
+index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/cubieboard.c
 +++ b/hw/arm/cubieboard.c
@@ -XXX,XX +XXX,XX @@ static void cubieboard_init(MachineState *machine)
  static void cubieboard_machine_init(MachineClass *mc)
  {
-     return flatview_translate(address_space_to_flatview(as),
+-    mc->desc = "cubietech cubieboard";
--                              addr, xlat, len, is_write);
++    mc->desc = "cubietech cubieboard (Cortex-A9)";
-+                              addr, xlat, len, is_write, attrs);
++    mc->default_cpu_type = ARM_CPU_TYPE_NAME("cortex-a9");
- }
+     mc->init = cubieboard_init;
+     mc->block_default_type = IF_IDE;
- /* address_space_access_valid: check for validity of accessing an address
+     mc->units_per_default_bus = 1;
-@@ -XXX,XX +XXX,XX @@ MemTxResult address_space_read(AddressSpace *as, hwaddr addr,
+diff --git a/hw/arm/digic.c b/hw/arm/digic.c
              rcu_read_lock();
              fv = address_space_to_flatview(as);
              l = len;
 -            mr = flatview_translate(fv, addr, &addr1, &l, false);
 +            mr = flatview_translate(fv, addr, &addr1, &l, false, attrs);
              if (len == l && memory_access_is_direct(mr, false)) {
                  ptr = qemu_map_ram_ptr(mr->ram_block, addr1);
                  memcpy(buf, ptr, len);
 diff --git a/exec.c b/exec.c
 index XXXXXXX..XXXXXXX 100644
---- a/exec.c
+--- a/hw/arm/digic.c
-+++ b/exec.c
++++ b/hw/arm/digic.c
-@@ -XXX,XX +XXX,XX @@ iotlb_fail:
+@@ -XXX,XX +XXX,XX @@ static void digic_init(Object *obj)
+     int i;
- /* Called from RCU critical section */
- MemoryRegion *flatview_translate(FlatView *fv, hwaddr addr, hwaddr *xlat,
+     object_initialize_child(obj, "cpu", &s->cpu, sizeof(s->cpu),
--                                 hwaddr *plen, bool is_write)
+-                            "arm946-" TYPE_ARM_CPU, &error_abort, NULL);
-+                                 hwaddr *plen, bool is_write,
++                            ARM_CPU_TYPE_NAME("arm946"),
-+                                 MemTxAttrs attrs)
++                            &error_abort, NULL);
- {
-     MemoryRegion *mr;
+     for (i = 0; i < DIGIC4_NB_TIMERS; i++) {
-     MemoryRegionSection section;
+ #define DIGIC_TIMER_NAME_MLEN    11
-@@ -XXX,XX +XXX,XX @@ static MemTxResult flatview_write_continue(FlatView *fv, hwaddr addr,
+diff --git a/hw/arm/fsl-imx25.c b/hw/arm/fsl-imx25.c
-         }
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/fsl-imx25.c
-         l = len;
++++ b/hw/arm/fsl-imx25.c
--        mr = flatview_translate(fv, addr, &addr1, &l, true);
+@@ -XXX,XX +XXX,XX @@ static void fsl_imx25_init(Object *obj)
-+        mr = flatview_translate(fv, addr, &addr1, &l, true, attrs);
+     FslIMX25State *s = FSL_IMX25(obj);
      int i;
 -    object_initialize(&s->cpu, sizeof(s->cpu), "arm926-" TYPE_ARM_CPU);
 +    object_initialize(&s->cpu, sizeof(s->cpu), ARM_CPU_TYPE_NAME("arm926"));
      sysbus_init_child_obj(obj, "avic", &s->avic, sizeof(s->avic),
                            TYPE_IMX_AVIC);
 diff --git a/hw/arm/fsl-imx31.c b/hw/arm/fsl-imx31.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/fsl-imx31.c
 +++ b/hw/arm/fsl-imx31.c
@@ -XXX,XX +XXX,XX @@ static void fsl_imx31_init(Object *obj)
      FslIMX31State *s = FSL_IMX31(obj);
      int i;
 -    object_initialize(&s->cpu, sizeof(s->cpu), "arm1136-" TYPE_ARM_CPU);
 +    object_initialize(&s->cpu, sizeof(s->cpu), ARM_CPU_TYPE_NAME("arm1136"));
      sysbus_init_child_obj(obj, "avic", &s->avic, sizeof(s->avic),
                            TYPE_IMX_AVIC);
 diff --git a/hw/arm/fsl-imx6.c b/hw/arm/fsl-imx6.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/fsl-imx6.c
 +++ b/hw/arm/fsl-imx6.c
@@ -XXX,XX +XXX,XX @@ static void fsl_imx6_init(Object *obj)
      for (i = 0; i < MIN(ms->smp.cpus, FSL_IMX6_NUM_CPUS); i++) {
          snprintf(name, NAME_SIZE, "cpu%d", i);
          object_initialize_child(obj, name, &s->cpu[i], sizeof(s->cpu[i]),
 -                                "cortex-a9-" TYPE_ARM_CPU, &error_abort, NULL);
 +                                ARM_CPU_TYPE_NAME("cortex-a9"),
 +                                &error_abort, NULL);
      }
-     return result;
+     sysbus_init_child_obj(obj, "a9mpcore", &s->a9mpcore, sizeof(s->a9mpcore),
-@@ -XXX,XX +XXX,XX @@ static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs attrs,
+diff --git a/hw/arm/fsl-imx6ul.c b/hw/arm/fsl-imx6ul.c
-     MemTxResult result = MEMTX_OK;
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/fsl-imx6ul.c
-     l = len;
++++ b/hw/arm/fsl-imx6ul.c
--    mr = flatview_translate(fv, addr, &addr1, &l, true);
+@@ -XXX,XX +XXX,XX @@ static void fsl_imx6ul_init(Object *obj)
-+    mr = flatview_translate(fv, addr, &addr1, &l, true, attrs);
+     int i;
-     result = flatview_write_continue(fv, addr, attrs, buf, len,
-                                      addr1, l, mr);
+     object_initialize_child(obj, "cpu0", &s->cpu, sizeof(s->cpu),
+-                            "cortex-a7-" TYPE_ARM_CPU, &error_abort, NULL);
-@@ -XXX,XX +XXX,XX @@ MemTxResult flatview_read_continue(FlatView *fv, hwaddr addr,
++                            ARM_CPU_TYPE_NAME("cortex-a7"), &error_abort, NULL);
-         }
+     /*
-         l = len;
+      * A7MPCORE
--        mr = flatview_translate(fv, addr, &addr1, &l, false);
+diff --git a/hw/arm/xlnx-zynqmp.c b/hw/arm/xlnx-zynqmp.c
-+        mr = flatview_translate(fv, addr, &addr1, &l, false, attrs);
+index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/xlnx-zynqmp.c
 +++ b/hw/arm/xlnx-zynqmp.c
@@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_create_rpu(MachineState *ms, XlnxZynqMPState *s,
          object_initialize_child(OBJECT(&s->rpu_cluster), "rpu-cpu[*]",
                                  &s->rpu_cpu[i], sizeof(s->rpu_cpu[i]),
 -                                "cortex-r5f-" TYPE_ARM_CPU, &error_abort,
 -                                NULL);
 +                                ARM_CPU_TYPE_NAME("cortex-r5f"),
 +                                &error_abort, NULL);
          name = object_get_canonical_path_component(OBJECT(&s->rpu_cpu[i]));
          if (strcmp(name, boot_cpu)) {
@@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_init(Object *obj)
      for (i = 0; i < num_apus; i++) {
          object_initialize_child(OBJECT(&s->apu_cluster), "apu-cpu[*]",
                                  &s->apu_cpu[i], sizeof(s->apu_cpu[i]),
 -                                "cortex-a53-" TYPE_ARM_CPU, &error_abort,
 -                                NULL);
 +                                ARM_CPU_TYPE_NAME("cortex-a53"),
 +                                &error_abort, NULL);
      }
-     return result;
+     sysbus_init_child_obj(obj, "gic", &s->gic, sizeof(s->gic),
@@ -XXX,XX +XXX,XX @@ static MemTxResult flatview_read(FlatView *fv, hwaddr addr,
      MemoryRegion *mr;
      l = len;
 -    mr = flatview_translate(fv, addr, &addr1, &l, false);
 +    mr = flatview_translate(fv, addr, &addr1, &l, false, attrs);
      return flatview_read_continue(fv, addr, attrs, buf, len,
                                    addr1, l, mr);
  }
@@ -XXX,XX +XXX,XX @@ static bool flatview_access_valid(FlatView *fv, hwaddr addr, int len,
      while (len > 0) {
          l = len;
 -        mr = flatview_translate(fv, addr, &xlat, &l, is_write);
 +        mr = flatview_translate(fv, addr, &xlat, &l, is_write, attrs);
          if (!memory_access_is_direct(mr, is_write)) {
              l = memory_access_size(mr, l, addr);
              if (!memory_region_access_valid(mr, xlat, l, is_write, attrs)) {
@@ -XXX,XX +XXX,XX @@ flatview_extend_translation(FlatView *fv, hwaddr addr,
          len = target_len;
          this_mr = flatview_translate(fv, addr, &xlat,
 -                                                   &len, is_write);
 +                                     &len, is_write, attrs);
          if (this_mr != mr || xlat != base + done) {
              return done;
          }
@@ -XXX,XX +XXX,XX @@ void *address_space_map(AddressSpace *as,
      l = len;
      rcu_read_lock();
      fv = address_space_to_flatview(as);
 -    mr = flatview_translate(fv, addr, &xlat, &l, is_write);
 +    mr = flatview_translate(fv, addr, &xlat, &l, is_write, attrs);
      if (!memory_access_is_direct(mr, is_write)) {
          if (atomic_xchg(&bounce.in_use, true)) {
 --
-.17.1
+.20.1

-[Qemu-devel] [PULL 21/25] Make flatview_do_translate() take a MemTxAttrs argument
+[Qemu-devel] [PULL 11/21] hw/arm: Use object_initialize_child for correct reference counting
-As part of plumbing MemTxAttrs down to the IOMMU translate method,
+From: Philippe Mathieu-Daudé <philmd@redhat.com>
 add MemTxAttrs as an argument to flatview_do_translate().
+As explained in commit aff39be0ed97:
+  Both functions, object_initialize() and object_property_add_child()
+  increase the reference counter of the new object, so one of the
+  references has to be dropped afterwards to get the reference
+  counting right. Otherwise the child object will not be properly
+  cleaned up when the parent gets destroyed.
+  Thus let's use now object_initialize_child() instead to get the
+  reference counting here right.
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Thomas Huth <thuth@redhat.com>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20190823143249.8096-3-philmd@redhat.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180521140402.23318-13-peter.maydell@linaro.org
 ---
- exec.c | 9 ++++++---
+ hw/arm/mcimx7d-sabre.c |  9 ++++-----
-file changed, 6 insertions(+), 3 deletions(-)
+ hw/arm/mps2-tz.c       | 15 +++++++--------
  hw/arm/musca.c         |  9 +++++----
 files changed, 16 insertions(+), 17 deletions(-)
-diff --git a/exec.c b/exec.c
+diff --git a/hw/arm/mcimx7d-sabre.c b/hw/arm/mcimx7d-sabre.c
 index XXXXXXX..XXXXXXX 100644
---- a/exec.c
+--- a/hw/arm/mcimx7d-sabre.c
-+++ b/exec.c
++++ b/hw/arm/mcimx7d-sabre.c
-@@ -XXX,XX +XXX,XX @@ unassigned:
+@@ -XXX,XX +XXX,XX @@ static void mcimx7d_sabre_init(MachineState *machine)
   * @is_write: whether the translation operation is for write
   * @is_mmio: whether this can be MMIO, set true if it can
   * @target_as: the address space targeted by the IOMMU
 + * @attrs: memory transaction attributes
   *
   * This function is called from RCU critical section
   */
@@ -XXX,XX +XXX,XX @@ static MemoryRegionSection flatview_do_translate(FlatView *fv,
                                                   hwaddr *page_mask_out,
                                                   bool is_write,
                                                   bool is_mmio,
 -                                                 AddressSpace **target_as)
 +                                                 AddressSpace **target_as,
 +                                                 MemTxAttrs attrs)
  {
-     MemoryRegionSection *section;
+     static struct arm_boot_info boot_info;
-     IOMMUMemoryRegion *iommu_mr;
+     MCIMX7Sabre *s = g_new0(MCIMX7Sabre, 1);
-@@ -XXX,XX +XXX,XX @@ IOMMUTLBEntry address_space_get_iotlb_entry(AddressSpace *as, hwaddr addr,
+-    Object *soc;
-      * but page mask.
+     int i;
      if (machine->ram_size > FSL_IMX7_MMDC_SIZE) {
@@ -XXX,XX +XXX,XX @@ static void mcimx7d_sabre_init(MachineState *machine)
          .nb_cpus = machine->smp.cpus,
      };
 -    object_initialize(&s->soc, sizeof(s->soc), TYPE_FSL_IMX7);
 -    soc = OBJECT(&s->soc);
 -    object_property_add_child(OBJECT(machine), "soc", soc, &error_fatal);
 -    object_property_set_bool(soc, true, "realized", &error_fatal);
 +    object_initialize_child(OBJECT(machine), "soc",
 +                            &s->soc, sizeof(s->soc),
 +                            TYPE_FSL_IMX7, &error_fatal, NULL);
 +    object_property_set_bool(OBJECT(&s->soc), true, "realized", &error_fatal);
      memory_region_allocate_system_memory(&s->ram, NULL, "mcimx7d-sabre.ram",
                                           machine->ram_size);
 diff --git a/hw/arm/mps2-tz.c b/hw/arm/mps2-tz.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/mps2-tz.c
 +++ b/hw/arm/mps2-tz.c
@@ -XXX,XX +XXX,XX @@ static void mps2tz_common_init(MachineState *machine)
      /* The sec_resp_cfg output from the IoTKit must be split into multiple
       * lines, one for each of the PPCs we create here, plus one per MSC.
       */
-     section = flatview_do_translate(address_space_to_flatview(as), addr, &xlat,
+-    object_initialize(&mms->sec_resp_splitter, sizeof(mms->sec_resp_splitter),
--                                    NULL, &page_mask, is_write, false, &as);
+-                      TYPE_SPLIT_IRQ);
-+                                    NULL, &page_mask, is_write, false, &as,
+-    object_property_add_child(OBJECT(machine), "sec-resp-splitter",
-+                                    attrs);
+-                              OBJECT(&mms->sec_resp_splitter), &error_abort);
++    object_initialize_child(OBJECT(machine), "sec-resp-splitter",
-     /* Illegal translation */
++                            &mms->sec_resp_splitter,
-     if (section.mr == &io_mem_unassigned) {
++                            sizeof(mms->sec_resp_splitter),
-@@ -XXX,XX +XXX,XX @@ MemoryRegion *flatview_translate(FlatView *fv, hwaddr addr, hwaddr *xlat,
++                            TYPE_SPLIT_IRQ, &error_abort, NULL);
+     object_property_set_int(OBJECT(&mms->sec_resp_splitter),
-     /* This can be MMIO, so setup MMIO bit. */
+                             ARRAY_SIZE(mms->ppc) + ARRAY_SIZE(mms->msc),
-     section = flatview_do_translate(fv, addr, xlat, plen, NULL,
+                             "num-lines", &error_fatal);
--                                    is_write, true, &as);
+@@ -XXX,XX +XXX,XX @@ static void mps2tz_common_init(MachineState *machine)
-+                                    is_write, true, &as, attrs);
+      * Tx, Rx and "combined" IRQs are sent to the NVIC separately.
-     mr = section.mr;
+      * Create the OR gate for this.
+      */
-     if (xen_enabled() && memory_access_is_direct(mr, is_write)) {
+-    object_initialize(&mms->uart_irq_orgate, sizeof(mms->uart_irq_orgate),
 -                      TYPE_OR_IRQ);
 -    object_property_add_child(OBJECT(mms), "uart-irq-orgate",
 -                              OBJECT(&mms->uart_irq_orgate), &error_abort);
 +    object_initialize_child(OBJECT(mms), "uart-irq-orgate",
 +                            &mms->uart_irq_orgate, sizeof(mms->uart_irq_orgate),
 +                            TYPE_OR_IRQ, &error_abort, NULL);
      object_property_set_int(OBJECT(&mms->uart_irq_orgate), 10, "num-lines",
                              &error_fatal);
      object_property_set_bool(OBJECT(&mms->uart_irq_orgate), true,
 diff --git a/hw/arm/musca.c b/hw/arm/musca.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/musca.c
 +++ b/hw/arm/musca.c
@@ -XXX,XX +XXX,XX @@ static void musca_init(MachineState *machine)
       * The sec_resp_cfg output from the SSE-200 must be split into multiple
       * lines, one for each of the PPCs we create here.
       */
 -    object_initialize(&mms->sec_resp_splitter, sizeof(mms->sec_resp_splitter),
 -                      TYPE_SPLIT_IRQ);
 -    object_property_add_child(OBJECT(machine), "sec-resp-splitter",
 -                              OBJECT(&mms->sec_resp_splitter), &error_fatal);
 +    object_initialize_child(OBJECT(machine), "sec-resp-splitter",
 +                            &mms->sec_resp_splitter,
 +                            sizeof(mms->sec_resp_splitter),
 +                            TYPE_SPLIT_IRQ, &error_fatal, NULL);
 +
      object_property_set_int(OBJECT(&mms->sec_resp_splitter),
                              ARRAY_SIZE(mms->ppc), "num-lines", &error_fatal);
      object_property_set_bool(OBJECT(&mms->sec_resp_splitter), true,
 --
-.17.1
+.20.1

-[Qemu-devel] [PULL 22/25] Make address_space_translate_iommu take a MemTxAttrs argument
+[Qemu-devel] [PULL 12/21] hw/arm: Use sysbus_init_child_obj for correct reference counting
-As part of plumbing MemTxAttrs down to the IOMMU translate method,
+From: Philippe Mathieu-Daudé <philmd@redhat.com>
 add MemTxAttrs as an argument to address_space_translate_iommu().
+Both object_initialize() and qdev_set_parent_bus() increase the
+reference counter of the new object, so one of the references has
+to be dropped afterwards to get the reference counting right.
+In machine model code this refcount leak is not particularly
+problematic because (unlike devices) machines will never be
+created on demand via QMP, and they are never destroyed.
+But in any case let's use the new sysbus_init_child_obj() instead
+to get the reference counting here right.
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20190823143249.8096-4-philmd@redhat.com
+[PMM: rewrote commit message]
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180521140402.23318-14-peter.maydell@linaro.org
 ---
- exec.c | 8 +++++---
+ hw/arm/exynos4_boards.c | 4 ++--
-file changed, 5 insertions(+), 3 deletions(-)
+file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/exec.c b/exec.c
+diff --git a/hw/arm/exynos4_boards.c b/hw/arm/exynos4_boards.c
 index XXXXXXX..XXXXXXX 100644
---- a/exec.c
+--- a/hw/arm/exynos4_boards.c
-+++ b/exec.c
++++ b/hw/arm/exynos4_boards.c
-@@ -XXX,XX +XXX,XX @@ address_space_translate_internal(AddressSpaceDispatch *d, hwaddr addr, hwaddr *x
+@@ -XXX,XX +XXX,XX @@ exynos4_boards_init_common(MachineState *machine,
-  * @is_write: whether the translation operation is for write
+     exynos4_boards_init_ram(s, get_system_memory(),
-  * @is_mmio: whether this can be MMIO, set true if it can
+                             exynos4_board_ram_size[board_type]);
-  * @target_as: the address space targeted by the IOMMU
-+ * @attrs: transaction attributes
+-    object_initialize(&s->soc, sizeof(s->soc), TYPE_EXYNOS4210_SOC);
-  *
+-    qdev_set_parent_bus(DEVICE(&s->soc), sysbus_get_default());
-  * This function is called from RCU critical section.  It is the common
++    sysbus_init_child_obj(OBJECT(machine), "soc",
-  * part of flatview_do_translate and address_space_translate_cached.
++                          &s->soc, sizeof(s->soc), TYPE_EXYNOS4210_SOC);
-@@ -XXX,XX +XXX,XX @@ static MemoryRegionSection address_space_translate_iommu(IOMMUMemoryRegion *iomm
+     object_property_set_bool(OBJECT(&s->soc), true, "realized",
-                                                          hwaddr *page_mask_out,
+                              &error_fatal);
                                                           bool is_write,
                                                           bool is_mmio,
 -                                                         AddressSpace **target_as)
 +                                                         AddressSpace **target_as,
 +                                                         MemTxAttrs attrs)
  {
      MemoryRegionSection *section;
      hwaddr page_mask = (hwaddr)-1;
@@ -XXX,XX +XXX,XX @@ static MemoryRegionSection flatview_do_translate(FlatView *fv,
          return address_space_translate_iommu(iommu_mr, xlat,
                                               plen_out, page_mask_out,
                                               is_write, is_mmio,
 -                                             target_as);
 +                                             target_as, attrs);
      }
      if (page_mask_out) {
          /* Not behind an IOMMU, use default page size. */
@@ -XXX,XX +XXX,XX @@ static inline MemoryRegion *address_space_translate_cached(
      section = address_space_translate_iommu(iommu_mr, xlat, plen,
                                              NULL, is_write, true,
 -                                            &target_as);
 +                                            &target_as, attrs);
      return section.mr;
  }
 --
-.17.1
+.20.1

-[Qemu-devel] [PULL 20/25] Make address_space_get_iotlb_entry() take a MemTxAttrs argument
+[Qemu-devel] [PULL 13/21] hw/arm/fsl-imx: Add the cpu as child of the SoC object
-As part of plumbing MemTxAttrs down to the IOMMU translate method,
+From: Philippe Mathieu-Daudé <philmd@redhat.com>
 add MemTxAttrs as an argument to address_space_get_iotlb_entry().
+Child properties form the composition tree. All objects need to be
+a child of another object. Objects can only be a child of one object.
+Respect this with the i.MX SoC, to get a cleaner composition tree.
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20190823143249.8096-5-philmd@redhat.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180521140402.23318-12-peter.maydell@linaro.org
 ---
- include/exec/memory.h | 2 +-
+ hw/arm/fsl-imx25.c | 4 +++-
- exec.c                | 2 +-
+ hw/arm/fsl-imx31.c | 4 +++-
- hw/virtio/vhost.c     | 3 ++-
+files changed, 6 insertions(+), 2 deletions(-)
 files changed, 4 insertions(+), 3 deletions(-)
-diff --git a/include/exec/memory.h b/include/exec/memory.h
+diff --git a/hw/arm/fsl-imx25.c b/hw/arm/fsl-imx25.c
 index XXXXXXX..XXXXXXX 100644
---- a/include/exec/memory.h
+--- a/hw/arm/fsl-imx25.c
-+++ b/include/exec/memory.h
++++ b/hw/arm/fsl-imx25.c
-@@ -XXX,XX +XXX,XX @@ void address_space_cache_destroy(MemoryRegionCache *cache);
+@@ -XXX,XX +XXX,XX @@ static void fsl_imx25_init(Object *obj)
-  * entry. Should be called from an RCU critical section.
+     FslIMX25State *s = FSL_IMX25(obj);
-  */
+     int i;
- IOMMUTLBEntry address_space_get_iotlb_entry(AddressSpace *as, hwaddr addr,
--                                            bool is_write);
+-    object_initialize(&s->cpu, sizeof(s->cpu), ARM_CPU_TYPE_NAME("arm926"));
-+                                            bool is_write, MemTxAttrs attrs);
++    object_initialize_child(obj, "cpu", &s->cpu, sizeof(s->cpu),
++                            ARM_CPU_TYPE_NAME("arm926"),
- /* address_space_translate: translate an address range into an address space
++                            &error_abort, NULL);
-  * into a MemoryRegion and an address range into that section.  Should be
-diff --git a/exec.c b/exec.c
+     sysbus_init_child_obj(obj, "avic", &s->avic, sizeof(s->avic),
                            TYPE_IMX_AVIC);
 diff --git a/hw/arm/fsl-imx31.c b/hw/arm/fsl-imx31.c
 index XXXXXXX..XXXXXXX 100644
---- a/exec.c
+--- a/hw/arm/fsl-imx31.c
-+++ b/exec.c
++++ b/hw/arm/fsl-imx31.c
-@@ -XXX,XX +XXX,XX @@ static MemoryRegionSection flatview_do_translate(FlatView *fv,
+@@ -XXX,XX +XXX,XX @@ static void fsl_imx31_init(Object *obj)
+     FslIMX31State *s = FSL_IMX31(obj);
- /* Called from RCU critical section */
+     int i;
- IOMMUTLBEntry address_space_get_iotlb_entry(AddressSpace *as, hwaddr addr,
--                                            bool is_write)
+-    object_initialize(&s->cpu, sizeof(s->cpu), ARM_CPU_TYPE_NAME("arm1136"));
-+                                            bool is_write, MemTxAttrs attrs)
++    object_initialize_child(obj, "cpu", &s->cpu, sizeof(s->cpu),
- {
++                            ARM_CPU_TYPE_NAME("arm1136"),
-     MemoryRegionSection section;
++                            &error_abort, NULL);
-     hwaddr xlat, page_mask;
-diff --git a/hw/virtio/vhost.c b/hw/virtio/vhost.c
+     sysbus_init_child_obj(obj, "avic", &s->avic, sizeof(s->avic),
-index XXXXXXX..XXXXXXX 100644
+                           TYPE_IMX_AVIC);
 --- a/hw/virtio/vhost.c
 +++ b/hw/virtio/vhost.c
@@ -XXX,XX +XXX,XX @@ int vhost_device_iotlb_miss(struct vhost_dev *dev, uint64_t iova, int write)
      trace_vhost_iotlb_miss(dev, 1);
      iotlb = address_space_get_iotlb_entry(dev->vdev->dma_as,
 -                                          iova, write);
 +                                          iova, write,
 +                                          MEMTXATTRS_UNSPECIFIED);
      if (iotlb.target_as != NULL) {
          ret = vhost_memory_region_lookup(dev, iotlb.translated_addr,
                                           &uaddr, &len);
 --
-.17.1
+.20.1

-[Qemu-devel] [PULL 25/25] KVM: GIC: Fix memory leak due to calling kvm_init_irq_routing twice
+[Qemu-devel] [PULL 14/21] hw/dma/xilinx_axi: Use object_initialize_child for correct ref. counting
-From: Shannon Zhao <zhaoshenglong@huawei.com>
+From: Philippe Mathieu-Daudé <philmd@redhat.com>
-kvm_irqchip_create called by kvm_init will call kvm_init_irq_routing to
+As explained in commit aff39be0ed97:
 initialize global capability variables. If we call kvm_init_irq_routing in
 GIC realize function, previous allocated memory will leak.
-Fix this by deleting the unnecessary call.
+  Both functions, object_initialize() and object_property_add_child()
   increase the reference counter of the new object, so one of the
   references has to be dropped afterwards to get the reference
   counting right. Otherwise the child object will not be properly
   cleaned up when the parent gets destroyed.
   Thus let's use now object_initialize_child() instead to get the
   reference counting here right.
-Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
-Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 1527750994-14360-1-git-send-email-zhaoshenglong@huawei.com
+Reviewed-by: Thomas Huth <thuth@redhat.com>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20190823143249.8096-6-philmd@redhat.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/intc/arm_gic_kvm.c   | 1 -
+ hw/dma/xilinx_axidma.c | 16 ++++++++--------
- hw/intc/arm_gicv3_kvm.c | 1 -
+file changed, 8 insertions(+), 8 deletions(-)
 files changed, 2 deletions(-)
-diff --git a/hw/intc/arm_gic_kvm.c b/hw/intc/arm_gic_kvm.c
+diff --git a/hw/dma/xilinx_axidma.c b/hw/dma/xilinx_axidma.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/arm_gic_kvm.c
+--- a/hw/dma/xilinx_axidma.c
-+++ b/hw/intc/arm_gic_kvm.c
++++ b/hw/dma/xilinx_axidma.c
-@@ -XXX,XX +XXX,XX @@ static void kvm_arm_gic_realize(DeviceState *dev, Error **errp)
+@@ -XXX,XX +XXX,XX @@ static void xilinx_axidma_init(Object *obj)
+     XilinxAXIDMA *s = XILINX_AXI_DMA(obj);
-     if (kvm_has_gsi_routing()) {
+     SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
-         /* set up irq routing */
--        kvm_init_irq_routing(kvm_state);
+-    object_initialize(&s->rx_data_dev, sizeof(s->rx_data_dev),
-         for (i = 0; i < s->num_irq - GIC_INTERNAL; ++i) {
+-                      TYPE_XILINX_AXI_DMA_DATA_STREAM);
-             kvm_irqchip_add_irq_route(kvm_state, i, 0, i);
+-    object_initialize(&s->rx_control_dev, sizeof(s->rx_control_dev),
-         }
+-                      TYPE_XILINX_AXI_DMA_CONTROL_STREAM);
-diff --git a/hw/intc/arm_gicv3_kvm.c b/hw/intc/arm_gicv3_kvm.c
+-    object_property_add_child(OBJECT(s), "axistream-connected-target",
-index XXXXXXX..XXXXXXX 100644
+-                              (Object *)&s->rx_data_dev, &error_abort);
---- a/hw/intc/arm_gicv3_kvm.c
+-    object_property_add_child(OBJECT(s), "axistream-control-connected-target",
-+++ b/hw/intc/arm_gicv3_kvm.c
+-                              (Object *)&s->rx_control_dev, &error_abort);
-@@ -XXX,XX +XXX,XX @@ static void kvm_arm_gicv3_realize(DeviceState *dev, Error **errp)
++    object_initialize_child(OBJECT(s), "axistream-connected-target",
++                            &s->rx_data_dev, sizeof(s->rx_data_dev),
-     if (kvm_has_gsi_routing()) {
++                            TYPE_XILINX_AXI_DMA_DATA_STREAM, &error_abort,
-         /* set up irq routing */
++                            NULL);
--        kvm_init_irq_routing(kvm_state);
++    object_initialize_child(OBJECT(s), "axistream-control-connected-target",
-         for (i = 0; i < s->num_irq - GIC_INTERNAL; ++i) {
++                            &s->rx_control_dev, sizeof(s->rx_control_dev),
-             kvm_irqchip_add_irq_route(kvm_state, i, 0, i);
++                            TYPE_XILINX_AXI_DMA_CONTROL_STREAM, &error_abort,
-         }
++                            NULL);
      sysbus_init_irq(sbd, &s->streams[0].irq);
      sysbus_init_irq(sbd, &s->streams[1].irq);
 --
-.17.1
+.20.1

-[Qemu-devel] [PULL 16/25] Make memory_region_access_valid() take a MemTxAttrs argument
+[Qemu-devel] [PULL 15/21] hw/net/xilinx_axi: Use object_initialize_child for correct ref. counting
-As part of plumbing MemTxAttrs down to the IOMMU translate method,
+From: Philippe Mathieu-Daudé <philmd@redhat.com>
 add MemTxAttrs as an argument to memory_region_access_valid().
 Its callers either have an attrs value to hand, or don't care
 and can use MEMTXATTRS_UNSPECIFIED.
-The callsite in flatview_access_valid() is part of a recursive
+As explained in commit aff39be0ed97:
 loop flatview_access_valid() -> memory_region_access_valid() ->
  subpage_accepts() -> flatview_access_valid(); we make it pass
 MEMTXATTRS_UNSPECIFIED for now, until the next several commits
 have plumbed an attrs parameter through the rest of the loop
 and we can add an attrs parameter to flatview_access_valid().
+  Both functions, object_initialize() and object_property_add_child()
+  increase the reference counter of the new object, so one of the
+  references has to be dropped afterwards to get the reference
+  counting right. Otherwise the child object will not be properly
+  cleaned up when the parent gets destroyed.
+  Thus let's use now object_initialize_child() instead to get the
+  reference counting here right.
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Thomas Huth <thuth@redhat.com>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20190823143249.8096-7-philmd@redhat.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180521140402.23318-8-peter.maydell@linaro.org
 ---
- include/exec/memory-internal.h | 3 ++-
+ hw/net/xilinx_axienet.c | 17 ++++++++---------
- exec.c                         | 4 +++-
+file changed, 8 insertions(+), 9 deletions(-)
  hw/s390x/s390-pci-inst.c       | 3 ++-
  memory.c                       | 7 ++++---
 files changed, 11 insertions(+), 6 deletions(-)
-diff --git a/include/exec/memory-internal.h b/include/exec/memory-internal.h
+diff --git a/hw/net/xilinx_axienet.c b/hw/net/xilinx_axienet.c
 index XXXXXXX..XXXXXXX 100644
---- a/include/exec/memory-internal.h
+--- a/hw/net/xilinx_axienet.c
-+++ b/include/exec/memory-internal.h
++++ b/hw/net/xilinx_axienet.c
-@@ -XXX,XX +XXX,XX @@ void flatview_unref(FlatView *view);
+@@ -XXX,XX +XXX,XX @@ static void xilinx_enet_init(Object *obj)
- extern const MemoryRegionOps unassigned_mem_ops;
+     XilinxAXIEnet *s = XILINX_AXI_ENET(obj);
+     SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
- bool memory_region_access_valid(MemoryRegion *mr, hwaddr addr,
--                                unsigned size, bool is_write);
+-    object_initialize(&s->rx_data_dev, sizeof(s->rx_data_dev),
-+                                unsigned size, bool is_write,
+-                      TYPE_XILINX_AXI_ENET_DATA_STREAM);
-+                                MemTxAttrs attrs);
+-    object_initialize(&s->rx_control_dev, sizeof(s->rx_control_dev),
+-                      TYPE_XILINX_AXI_ENET_CONTROL_STREAM);
- void flatview_add_to_dispatch(FlatView *fv, MemoryRegionSection *section);
+-    object_property_add_child(OBJECT(s), "axistream-connected-target",
- AddressSpaceDispatch *address_space_dispatch_new(FlatView *fv);
+-                              (Object *)&s->rx_data_dev, &error_abort);
-diff --git a/exec.c b/exec.c
+-    object_property_add_child(OBJECT(s), "axistream-control-connected-target",
-index XXXXXXX..XXXXXXX 100644
+-                              (Object *)&s->rx_control_dev, &error_abort);
---- a/exec.c
+-
-+++ b/exec.c
++    object_initialize_child(OBJECT(s), "axistream-connected-target",
-@@ -XXX,XX +XXX,XX @@ static bool flatview_access_valid(FlatView *fv, hwaddr addr, int len,
++                            &s->rx_data_dev, sizeof(s->rx_data_dev),
-         mr = flatview_translate(fv, addr, &xlat, &l, is_write);
++                            TYPE_XILINX_AXI_ENET_DATA_STREAM, &error_abort,
-         if (!memory_access_is_direct(mr, is_write)) {
++                            NULL);
-             l = memory_access_size(mr, l, addr);
++    object_initialize_child(OBJECT(s), "axistream-control-connected-target",
--            if (!memory_region_access_valid(mr, xlat, l, is_write)) {
++                            &s->rx_control_dev, sizeof(s->rx_control_dev),
-+            /* When our callers all have attrs we'll pass them through here */
++                            TYPE_XILINX_AXI_ENET_CONTROL_STREAM, &error_abort,
-+            if (!memory_region_access_valid(mr, xlat, l, is_write,
++                            NULL);
-+                                            MEMTXATTRS_UNSPECIFIED)) {
+     sysbus_init_irq(sbd, &s->irq);
-                 return false;
-             }
+     memory_region_init_io(&s->iomem, OBJECT(s), &enet_ops, s, "enet", 0x40000);
          }
 diff --git a/hw/s390x/s390-pci-inst.c b/hw/s390x/s390-pci-inst.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/s390x/s390-pci-inst.c
 +++ b/hw/s390x/s390-pci-inst.c
@@ -XXX,XX +XXX,XX @@ int pcistb_service_call(S390CPU *cpu, uint8_t r1, uint8_t r3, uint64_t gaddr,
      mr = s390_get_subregion(mr, offset, len);
      offset -= mr->addr;
 -    if (!memory_region_access_valid(mr, offset, len, true)) {
 +    if (!memory_region_access_valid(mr, offset, len, true,
 +                                    MEMTXATTRS_UNSPECIFIED)) {
          s390_program_interrupt(env, PGM_OPERAND, 6, ra);
          return 0;
      }
 diff --git a/memory.c b/memory.c
 index XXXXXXX..XXXXXXX 100644
 --- a/memory.c
 +++ b/memory.c
@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps ram_device_mem_ops = {
  bool memory_region_access_valid(MemoryRegion *mr,
                                  hwaddr addr,
                                  unsigned size,
 -                                bool is_write)
 +                                bool is_write,
 +                                MemTxAttrs attrs)
  {
      int access_size_min, access_size_max;
      int access_size, i;
@@ -XXX,XX +XXX,XX @@ MemTxResult memory_region_dispatch_read(MemoryRegion *mr,
  {
      MemTxResult r;
 -    if (!memory_region_access_valid(mr, addr, size, false)) {
 +    if (!memory_region_access_valid(mr, addr, size, false, attrs)) {
          *pval = unassigned_mem_read(mr, addr, size);
          return MEMTX_DECODE_ERROR;
      }
@@ -XXX,XX +XXX,XX @@ MemTxResult memory_region_dispatch_write(MemoryRegion *mr,
                                           unsigned size,
                                           MemTxAttrs attrs)
  {
 -    if (!memory_region_access_valid(mr, addr, size, true)) {
 +    if (!memory_region_access_valid(mr, addr, size, true, attrs)) {
          unassigned_mem_write(mr, addr, data, size);
          return MEMTX_DECODE_ERROR;
      }
 --
-.17.1
+.20.1

-[Qemu-devel] [PULL 07/25] arm: fix malloc type mismatch
+[Qemu-devel] [PULL 16/21] includes: remove stale [smp|max]_cpus externs
-From: Paolo Bonzini <pbonzini@redhat.com>
+From: Alex Bennée <alex.bennee@linaro.org>
-cpregs_keys is an uint32_t* so the allocation should use uint32_t.
+Commit a5e0b3311 removed these in favour of querying machine
-g_new is even better because it is type-safe.
+properties. Remove the extern declarations as well.
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20190828165307.18321-6-alex.bennee@linaro.org
 Cc: Like Xu <like.xu@linux.intel.com>
 Message-Id: <20190711130546.18578-1-alex.bennee@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/gdbstub.c | 3 +--
+ include/sysemu/sysemu.h | 2 --
-file changed, 1 insertion(+), 2 deletions(-)
+file changed, 2 deletions(-)
-diff --git a/target/arm/gdbstub.c b/target/arm/gdbstub.c
+diff --git a/include/sysemu/sysemu.h b/include/sysemu/sysemu.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/gdbstub.c
+--- a/include/sysemu/sysemu.h
-+++ b/target/arm/gdbstub.c
++++ b/include/sysemu/sysemu.h
-@@ -XXX,XX +XXX,XX @@ int arm_gen_dynamic_xml(CPUState *cs)
+@@ -XXX,XX +XXX,XX @@ extern const char *keyboard_layout;
-     RegisterSysregXmlParam param = {cs, s};
+ extern int win2k_install_hack;
+ extern int alt_grab;
-     cpu->dyn_xml.num_cpregs = 0;
+ extern int ctrl_grab;
--    cpu->dyn_xml.cpregs_keys = g_malloc(sizeof(uint32_t *) *
+-extern int smp_cpus;
--                                        g_hash_table_size(cpu->cp_regs));
+-extern unsigned int max_cpus;
-+    cpu->dyn_xml.cpregs_keys = g_new(uint32_t, g_hash_table_size(cpu->cp_regs));
+ extern int cursor_hide;
-     g_string_printf(s, "<?xml version=\"1.0\"?>");
+ extern int graphic_rotate;
-     g_string_append_printf(s, "<!DOCTYPE target SYSTEM \"gdb-target.dtd\">");
+ extern int no_quit;
      g_string_append_printf(s, "<feature name=\"org.qemu.gdb.arm.sys.regs\">");
 --
-.17.1
+.20.1

-[Qemu-devel] [PULL 03/25] hw/intc/arm_gicv3: Fix APxR<n> register dispatching
+[Qemu-devel] [PULL 17/21] tcg/README: fix typo s/afterwise/afterwards/
-From: Jan Kiszka <jan.kiszka@siemens.com>
+From: "Emilio G. Cota" <cota@braap.org>
-There was a nasty flip in identifying which register group an access is
+Afterwise is "wise after the fact", as in "hindsight".
-targeting. The issue caused spuriously raised priorities of the guest
+Here we meant "afterwards" (as in "subsequently"). Fix it.
 when handing CPUs over in the Jailhouse hypervisor.
-Cc: qemu-stable@nongnu.org
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
+Signed-off-by: Emilio G. Cota <cota@braap.org>
-Message-id: 28b927d3-da58-bce4-cc13-bfec7f9b1cb9@siemens.com
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Message-id: 20190828165307.18321-7-alex.bennee@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/intc/arm_gicv3_cpuif.c | 12 ++++++------
+ tcg/README | 2 +-
-file changed, 6 insertions(+), 6 deletions(-)
+file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/hw/intc/arm_gicv3_cpuif.c b/hw/intc/arm_gicv3_cpuif.c
+diff --git a/tcg/README b/tcg/README
 index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/arm_gicv3_cpuif.c
+--- a/tcg/README
-+++ b/hw/intc/arm_gicv3_cpuif.c
++++ b/tcg/README
-@@ -XXX,XX +XXX,XX @@ static uint64_t icv_ap_read(CPUARMState *env, const ARMCPRegInfo *ri)
+@@ -XXX,XX +XXX,XX @@ This can be overridden using the following function modifiers:
- {
+   canonical locations before calling the helper.
-     GICv3CPUState *cs = icc_cs_from_env(env);
+ - TCG_CALL_NO_WRITE_GLOBALS means that the helper does not modify any globals.
-     int regno = ri->opc2 & 3;
+   They will only be saved to their canonical location before calling helpers,
--    int grp = ri->crm & 1 ? GICV3_G0 : GICV3_G1NS;
+-  but they won't be reloaded afterwise.
-+    int grp = (ri->crm & 1) ? GICV3_G1NS : GICV3_G0;
++  but they won't be reloaded afterwards.
-     uint64_t value = cs->ich_apr[grp][regno];
+ - TCG_CALL_NO_SIDE_EFFECTS means that the call to the function is removed if
+   the return value is not used.
      trace_gicv3_icv_ap_read(ri->crm & 1, regno, gicv3_redist_affid(cs), value);
@@ -XXX,XX +XXX,XX @@ static void icv_ap_write(CPUARMState *env, const ARMCPRegInfo *ri,
  {
      GICv3CPUState *cs = icc_cs_from_env(env);
      int regno = ri->opc2 & 3;
 -    int grp = ri->crm & 1 ? GICV3_G0 : GICV3_G1NS;
 +    int grp = (ri->crm & 1) ? GICV3_G1NS : GICV3_G0;
      trace_gicv3_icv_ap_write(ri->crm & 1, regno, gicv3_redist_affid(cs), value);
@@ -XXX,XX +XXX,XX @@ static uint64_t icc_ap_read(CPUARMState *env, const ARMCPRegInfo *ri)
      uint64_t value;
      int regno = ri->opc2 & 3;
 -    int grp = ri->crm & 1 ? GICV3_G0 : GICV3_G1;
 +    int grp = (ri->crm & 1) ? GICV3_G1 : GICV3_G0;
      if (icv_access(env, grp == GICV3_G0 ? HCR_FMO : HCR_IMO)) {
          return icv_ap_read(env, ri);
@@ -XXX,XX +XXX,XX @@ static void icc_ap_write(CPUARMState *env, const ARMCPRegInfo *ri,
      GICv3CPUState *cs = icc_cs_from_env(env);
      int regno = ri->opc2 & 3;
 -    int grp = ri->crm & 1 ? GICV3_G0 : GICV3_G1;
 +    int grp = (ri->crm & 1) ? GICV3_G1 : GICV3_G0;
      if (icv_access(env, grp == GICV3_G0 ? HCR_FMO : HCR_IMO)) {
          icv_ap_write(env, ri, value);
@@ -XXX,XX +XXX,XX @@ static uint64_t ich_ap_read(CPUARMState *env, const ARMCPRegInfo *ri)
  {
      GICv3CPUState *cs = icc_cs_from_env(env);
      int regno = ri->opc2 & 3;
 -    int grp = ri->crm & 1 ? GICV3_G0 : GICV3_G1NS;
 +    int grp = (ri->crm & 1) ? GICV3_G1NS : GICV3_G0;
      uint64_t value;
      value = cs->ich_apr[grp][regno];
@@ -XXX,XX +XXX,XX @@ static void ich_ap_write(CPUARMState *env, const ARMCPRegInfo *ri,
  {
      GICv3CPUState *cs = icc_cs_from_env(env);
      int regno = ri->opc2 & 3;
 -    int grp = ri->crm & 1 ? GICV3_G0 : GICV3_G1NS;
 +    int grp = (ri->crm & 1) ? GICV3_G1NS : GICV3_G0;
      trace_gicv3_ich_ap_write(ri->crm & 1, regno, gicv3_redist_affid(cs), value);
 --
-.17.1
+.20.1

-[Qemu-devel] [PULL 08/25] xlnx-zdma: Correct mem leaks and memset to zero on desc unaligned errors
+[Qemu-devel] [PULL 18/21] atomic_template: fix indentation in GEN_ATOMIC_HELPER
-From: Francisco Iglesias <frasse.iglesias@gmail.com>
+From: "Emilio G. Cota" <cota@braap.org>
-Coverity found that the string return by 'object_get_canonical_path' was not
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-being freed at two locations in the model (CID 1391294 and CID 1391293) and
+Signed-off-by: Emilio G. Cota <cota@braap.org>
-also that a memset was being called with a value greater than the max of a byte
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-on the second argument (CID 1391286). This patch corrects this by adding the
+Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
-freeing of the strings and also changing to memset to zero instead on
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-descriptor unaligned errors.
+Message-id: 20190828165307.18321-8-alex.bennee@linaro.org
 Signed-off-by: Francisco Iglesias <frasse.iglesias@gmail.com>
 Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
 Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Message-id: 20180528184859.3530-1-frasse.iglesias@gmail.com
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/dma/xlnx-zdma.c | 10 +++++++---
+ accel/tcg/atomic_template.h | 2 +-
-file changed, 7 insertions(+), 3 deletions(-)
+file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/hw/dma/xlnx-zdma.c b/hw/dma/xlnx-zdma.c
+diff --git a/accel/tcg/atomic_template.h b/accel/tcg/atomic_template.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/dma/xlnx-zdma.c
+--- a/accel/tcg/atomic_template.h
-+++ b/hw/dma/xlnx-zdma.c
++++ b/accel/tcg/atomic_template.h
-@@ -XXX,XX +XXX,XX @@ static bool zdma_load_descriptor(XlnxZDMA *s, uint64_t addr, void *buf)
+@@ -XXX,XX +XXX,XX @@ ABI_TYPE ATOMIC_NAME(xchg)(CPUArchState *env, target_ulong addr,
-         qemu_log_mask(LOG_GUEST_ERROR,
-                       "zdma: unaligned descriptor at %" PRIx64,
+ #define GEN_ATOMIC_HELPER(X)                                        \
-                       addr);
+ ABI_TYPE ATOMIC_NAME(X)(CPUArchState *env, target_ulong addr,       \
--        memset(buf, 0xdeadbeef, sizeof(XlnxZDMADescr));
+-                 ABI_TYPE val EXTRA_ARGS)                           \
-+        memset(buf, 0x0, sizeof(XlnxZDMADescr));
++                        ABI_TYPE val EXTRA_ARGS)                    \
-         s->error = true;
+ {                                                                   \
-         return false;
+     ATOMIC_MMU_DECLS;                                               \
-     }
+     DATA_TYPE *haddr = ATOMIC_MMU_LOOKUP;                           \
@@ -XXX,XX +XXX,XX @@ static uint64_t zdma_read(void *opaque, hwaddr addr, unsigned size)
      RegisterInfo *r = &s->regs_info[addr / 4];
      if (!r->data) {
 +        gchar *path = object_get_canonical_path(OBJECT(s));
          qemu_log("%s: Decode error: read from %" HWADDR_PRIx "\n",
 -                 object_get_canonical_path(OBJECT(s)),
 +                 path,
                   addr);
 +        g_free(path);
          ARRAY_FIELD_DP32(s->regs, ZDMA_CH_ISR, INV_APB, true);
          zdma_ch_imr_update_irq(s);
          return 0;
@@ -XXX,XX +XXX,XX @@ static void zdma_write(void *opaque, hwaddr addr, uint64_t value,
      RegisterInfo *r = &s->regs_info[addr / 4];
      if (!r->data) {
 +        gchar *path = object_get_canonical_path(OBJECT(s));
          qemu_log("%s: Decode error: write to %" HWADDR_PRIx "=%" PRIx64 "\n",
 -                 object_get_canonical_path(OBJECT(s)),
 +                 path,
                   addr, value);
 +        g_free(path);
          ARRAY_FIELD_DP32(s->regs, ZDMA_CH_ISR, INV_APB, true);
          zdma_ch_imr_update_irq(s);
          return;
 --
-.17.1
+.20.1

-[Qemu-devel] [PULL 11/25] Make tb_invalidate_phys_addr() take a MemTxAttrs argument
+[Qemu-devel] [PULL 19/21] include/exec/cpu-defs.h: fix typo
-As part of plumbing MemTxAttrs down to the IOMMU translate method,
+From: Alex Bennée <alex.bennee@linaro.org>
 add MemTxAttrs as an argument to tb_invalidate_phys_addr().
 Its callers either have an attrs value to hand, or don't care
 and can use MEMTXATTRS_UNSPECIFIED.
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Message-id: 20180521140402.23318-3-peter.maydell@linaro.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Message-id: 20190828165307.18321-10-alex.bennee@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- include/exec/exec-all.h   | 5 +++--
+ include/exec/cpu-defs.h | 2 +-
- accel/tcg/translate-all.c | 2 +-
+file changed, 1 insertion(+), 1 deletion(-)
  exec.c                    | 2 +-
  target/xtensa/op_helper.c | 3 ++-
 files changed, 7 insertions(+), 5 deletions(-)
-diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h
+diff --git a/include/exec/cpu-defs.h b/include/exec/cpu-defs.h
 index XXXXXXX..XXXXXXX 100644
---- a/include/exec/exec-all.h
+--- a/include/exec/cpu-defs.h
-+++ b/include/exec/exec-all.h
++++ b/include/exec/cpu-defs.h
-@@ -XXX,XX +XXX,XX @@ void tlb_set_page_with_attrs(CPUState *cpu, target_ulong vaddr,
+@@ -XXX,XX +XXX,XX @@ typedef struct CPUTLB { } CPUTLB;
- void tlb_set_page(CPUState *cpu, target_ulong vaddr,
+ #endif  /* !CONFIG_USER_ONLY && CONFIG_TCG */
-                   hwaddr paddr, int prot,
-                   int mmu_idx, target_ulong size);
+ /*
--void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr);
+- * This structure must be placed in ArchCPU immedately
-+void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr, MemTxAttrs attrs);
++ * This structure must be placed in ArchCPU immediately
- void probe_write(CPUArchState *env, target_ulong addr, int size, int mmu_idx,
+  * before CPUArchState, as a field named "neg".
-                  uintptr_t retaddr);
+  */
- #else
+ typedef struct CPUNegativeOffsetState {
@@ -XXX,XX +XXX,XX @@ static inline void tlb_flush_by_mmuidx_all_cpus_synced(CPUState *cpu,
                                                         uint16_t idxmap)
  {
  }
 -static inline void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr)
 +static inline void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr,
 +                                           MemTxAttrs attrs)
  {
  }
  #endif
 diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/translate-all.c
 +++ b/accel/tcg/translate-all.c
@@ -XXX,XX +XXX,XX @@ static TranslationBlock *tb_find_pc(uintptr_t tc_ptr)
  }
  #if !defined(CONFIG_USER_ONLY)
 -void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr)
 +void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr, MemTxAttrs attrs)
  {
      ram_addr_t ram_addr;
      MemoryRegion *mr;
 diff --git a/exec.c b/exec.c
 index XXXXXXX..XXXXXXX 100644
 --- a/exec.c
 +++ b/exec.c
@@ -XXX,XX +XXX,XX @@ static void breakpoint_invalidate(CPUState *cpu, target_ulong pc)
      if (phys != -1) {
          /* Locks grabbed by tb_invalidate_phys_addr */
          tb_invalidate_phys_addr(cpu->cpu_ases[asidx].as,
 -                                phys | (pc & ~TARGET_PAGE_MASK));
 +                                phys | (pc & ~TARGET_PAGE_MASK), attrs);
      }
  }
  #endif
 diff --git a/target/xtensa/op_helper.c b/target/xtensa/op_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/xtensa/op_helper.c
 +++ b/target/xtensa/op_helper.c
@@ -XXX,XX +XXX,XX @@ static void tb_invalidate_virtual_addr(CPUXtensaState *env, uint32_t vaddr)
      int ret = xtensa_get_physical_addr(env, false, vaddr, 2, 0,
              &paddr, &page_size, &access);
      if (ret == 0) {
 -        tb_invalidate_phys_addr(&address_space_memory, paddr);
 +        tb_invalidate_phys_addr(&address_space_memory, paddr,
 +                                MEMTXATTRS_UNSPECIFIED);
      }
  }
 --
-.17.1
+.20.1

-[Qemu-devel] [PULL 12/25] Make address_space_translate{, _cached}() take a MemTxAttrs argument
+Deleted patch
-As part of plumbing MemTxAttrs down to the IOMMU translate method,
-add MemTxAttrs as an argument to address_space_translate()
-and address_space_translate_cached(). Callers either have an
-attrs value to hand, or don't care and can use MEMTXATTRS_UNSPECIFIED.
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180521140402.23318-4-peter.maydell@linaro.org
----
- include/exec/memory.h     |  4 +++-
- accel/tcg/translate-all.c |  2 +-
- exec.c                    | 14 +++++++++-----
- hw/vfio/common.c          |  3 ++-
- memory_ldst.inc.c         | 18 +++++++++---------
- target/riscv/helper.c     |  2 +-
-files changed, 25 insertions(+), 18 deletions(-)
-diff --git a/include/exec/memory.h b/include/exec/memory.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/exec/memory.h
-+++ b/include/exec/memory.h
-@@ -XXX,XX +XXX,XX @@ IOMMUTLBEntry address_space_get_iotlb_entry(AddressSpace *as, hwaddr addr,
-  * #MemoryRegion.
-  * @len: pointer to length
-  * @is_write: indicates the transfer direction
-+ * @attrs: memory attributes
-  */
- MemoryRegion *flatview_translate(FlatView *fv,
-                                  hwaddr addr, hwaddr *xlat,
-@@ -XXX,XX +XXX,XX @@ MemoryRegion *flatview_translate(FlatView *fv,
- static inline MemoryRegion *address_space_translate(AddressSpace *as,
-                                                     hwaddr addr, hwaddr *xlat,
--                                                    hwaddr *len, bool is_write)
-+                                                    hwaddr *len, bool is_write,
-+                                                    MemTxAttrs attrs)
- {
-     return flatview_translate(address_space_to_flatview(as),
-                               addr, xlat, len, is_write);
-diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
-index XXXXXXX..XXXXXXX 100644
---- a/accel/tcg/translate-all.c
-+++ b/accel/tcg/translate-all.c
-@@ -XXX,XX +XXX,XX @@ void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr, MemTxAttrs attrs)
-     hwaddr l = 1;
-     rcu_read_lock();
--    mr = address_space_translate(as, addr, &addr, &l, false);
-+    mr = address_space_translate(as, addr, &addr, &l, false, attrs);
-     if (!(memory_region_is_ram(mr)
-           || memory_region_is_romd(mr))) {
-         rcu_read_unlock();
-diff --git a/exec.c b/exec.c
-index XXXXXXX..XXXXXXX 100644
---- a/exec.c
-+++ b/exec.c
-@@ -XXX,XX +XXX,XX @@ static inline void cpu_physical_memory_write_rom_internal(AddressSpace *as,
-     rcu_read_lock();
-     while (len > 0) {
-         l = len;
--        mr = address_space_translate(as, addr, &addr1, &l, true);
-+        mr = address_space_translate(as, addr, &addr1, &l, true,
-+                                     MEMTXATTRS_UNSPECIFIED);
-         if (!(memory_region_is_ram(mr) ||
-               memory_region_is_romd(mr))) {
-@@ -XXX,XX +XXX,XX @@ void address_space_cache_destroy(MemoryRegionCache *cache)
-  */
- static inline MemoryRegion *address_space_translate_cached(
-     MemoryRegionCache *cache, hwaddr addr, hwaddr *xlat,
--    hwaddr *plen, bool is_write)
-+    hwaddr *plen, bool is_write, MemTxAttrs attrs)
- {
-     MemoryRegionSection section;
-     MemoryRegion *mr;
-@@ -XXX,XX +XXX,XX @@ address_space_read_cached_slow(MemoryRegionCache *cache, hwaddr addr,
-     MemoryRegion *mr;
-     l = len;
--    mr = address_space_translate_cached(cache, addr, &addr1, &l, false);
-+    mr = address_space_translate_cached(cache, addr, &addr1, &l, false,
-+                                        MEMTXATTRS_UNSPECIFIED);
-     flatview_read_continue(cache->fv,
-                            addr, MEMTXATTRS_UNSPECIFIED, buf, len,
-                            addr1, l, mr);
-@@ -XXX,XX +XXX,XX @@ address_space_write_cached_slow(MemoryRegionCache *cache, hwaddr addr,
-     MemoryRegion *mr;
-     l = len;
--    mr = address_space_translate_cached(cache, addr, &addr1, &l, true);
-+    mr = address_space_translate_cached(cache, addr, &addr1, &l, true,
-+                                        MEMTXATTRS_UNSPECIFIED);
-     flatview_write_continue(cache->fv,
-                             addr, MEMTXATTRS_UNSPECIFIED, buf, len,
-                             addr1, l, mr);
-@@ -XXX,XX +XXX,XX @@ bool cpu_physical_memory_is_io(hwaddr phys_addr)
-     rcu_read_lock();
-     mr = address_space_translate(&address_space_memory,
--                                 phys_addr, &phys_addr, &l, false);
-+                                 phys_addr, &phys_addr, &l, false,
-+                                 MEMTXATTRS_UNSPECIFIED);
-     res = !(memory_region_is_ram(mr) || memory_region_is_romd(mr));
-     rcu_read_unlock();
-diff --git a/hw/vfio/common.c b/hw/vfio/common.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/vfio/common.c
-+++ b/hw/vfio/common.c
-@@ -XXX,XX +XXX,XX @@ static bool vfio_get_vaddr(IOMMUTLBEntry *iotlb, void **vaddr,
-      */
-     mr = address_space_translate(&address_space_memory,
-                                  iotlb->translated_addr,
--                                 &xlat, &len, writable);
-+                                 &xlat, &len, writable,
-+                                 MEMTXATTRS_UNSPECIFIED);
-     if (!memory_region_is_ram(mr)) {
-         error_report("iommu map to non memory area %"HWADDR_PRIx"",
-                      xlat);
-diff --git a/memory_ldst.inc.c b/memory_ldst.inc.c
-index XXXXXXX..XXXXXXX 100644
---- a/memory_ldst.inc.c
-+++ b/memory_ldst.inc.c
-@@ -XXX,XX +XXX,XX @@ static inline uint32_t glue(address_space_ldl_internal, SUFFIX)(ARG1_DECL,
-     bool release_lock = false;
-     RCU_READ_LOCK();
--    mr = TRANSLATE(addr, &addr1, &l, false);
-+    mr = TRANSLATE(addr, &addr1, &l, false, attrs);
-     if (l < 4 || !IS_DIRECT(mr, false)) {
-         release_lock |= prepare_mmio_access(mr);
-@@ -XXX,XX +XXX,XX @@ static inline uint64_t glue(address_space_ldq_internal, SUFFIX)(ARG1_DECL,
-     bool release_lock = false;
-     RCU_READ_LOCK();
--    mr = TRANSLATE(addr, &addr1, &l, false);
-+    mr = TRANSLATE(addr, &addr1, &l, false, attrs);
-     if (l < 8 || !IS_DIRECT(mr, false)) {
-         release_lock |= prepare_mmio_access(mr);
-@@ -XXX,XX +XXX,XX @@ uint32_t glue(address_space_ldub, SUFFIX)(ARG1_DECL,
-     bool release_lock = false;
-     RCU_READ_LOCK();
--    mr = TRANSLATE(addr, &addr1, &l, false);
-+    mr = TRANSLATE(addr, &addr1, &l, false, attrs);
-     if (!IS_DIRECT(mr, false)) {
-         release_lock |= prepare_mmio_access(mr);
-@@ -XXX,XX +XXX,XX @@ static inline uint32_t glue(address_space_lduw_internal, SUFFIX)(ARG1_DECL,
-     bool release_lock = false;
-     RCU_READ_LOCK();
--    mr = TRANSLATE(addr, &addr1, &l, false);
-+    mr = TRANSLATE(addr, &addr1, &l, false, attrs);
-     if (l < 2 || !IS_DIRECT(mr, false)) {
-         release_lock |= prepare_mmio_access(mr);
-@@ -XXX,XX +XXX,XX @@ void glue(address_space_stl_notdirty, SUFFIX)(ARG1_DECL,
-     bool release_lock = false;
-     RCU_READ_LOCK();
--    mr = TRANSLATE(addr, &addr1, &l, true);
-+    mr = TRANSLATE(addr, &addr1, &l, true, attrs);
-     if (l < 4 || !IS_DIRECT(mr, true)) {
-         release_lock |= prepare_mmio_access(mr);
-@@ -XXX,XX +XXX,XX @@ static inline void glue(address_space_stl_internal, SUFFIX)(ARG1_DECL,
-     bool release_lock = false;
-     RCU_READ_LOCK();
--    mr = TRANSLATE(addr, &addr1, &l, true);
-+    mr = TRANSLATE(addr, &addr1, &l, true, attrs);
-     if (l < 4 || !IS_DIRECT(mr, true)) {
-         release_lock |= prepare_mmio_access(mr);
-@@ -XXX,XX +XXX,XX @@ void glue(address_space_stb, SUFFIX)(ARG1_DECL,
-     bool release_lock = false;
-     RCU_READ_LOCK();
--    mr = TRANSLATE(addr, &addr1, &l, true);
-+    mr = TRANSLATE(addr, &addr1, &l, true, attrs);
-     if (!IS_DIRECT(mr, true)) {
-         release_lock |= prepare_mmio_access(mr);
-         r = memory_region_dispatch_write(mr, addr1, val, 1, attrs);
-@@ -XXX,XX +XXX,XX @@ static inline void glue(address_space_stw_internal, SUFFIX)(ARG1_DECL,
-     bool release_lock = false;
-     RCU_READ_LOCK();
--    mr = TRANSLATE(addr, &addr1, &l, true);
-+    mr = TRANSLATE(addr, &addr1, &l, true, attrs);
-     if (l < 2 || !IS_DIRECT(mr, true)) {
-         release_lock |= prepare_mmio_access(mr);
-@@ -XXX,XX +XXX,XX @@ static void glue(address_space_stq_internal, SUFFIX)(ARG1_DECL,
-     bool release_lock = false;
-     RCU_READ_LOCK();
--    mr = TRANSLATE(addr, &addr1, &l, true);
-+    mr = TRANSLATE(addr, &addr1, &l, true, attrs);
-     if (l < 8 || !IS_DIRECT(mr, true)) {
-         release_lock |= prepare_mmio_access(mr);
-diff --git a/target/riscv/helper.c b/target/riscv/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/riscv/helper.c
-+++ b/target/riscv/helper.c
-@@ -XXX,XX +XXX,XX @@ restart:
-                 MemoryRegion *mr;
-                 hwaddr l = sizeof(target_ulong), addr1;
-                 mr = address_space_translate(cs->as, pte_addr,
--                    &addr1, &l, false);
-+                    &addr1, &l, false, MEMTXATTRS_UNSPECIFIED);
-                 if (memory_access_is_direct(mr, true)) {
-                     target_ulong *pte_pa =
-                         qemu_map_ram_ptr(mr->ram_block, addr1);
---
-.17.1

-[Qemu-devel] [PULL 13/25] Make address_space_map() take a MemTxAttrs argument
+[Qemu-devel] [PULL 20/21] target/arm: Free TCG temps in trans_VMOV_64_sp()
-As part of plumbing MemTxAttrs down to the IOMMU translate method,
+The function neon_store_reg32() doesn't free the TCG temp that it
-add MemTxAttrs as an argument to address_space_map().
+is passed, so the caller must do that. We got this right in most
-Its callers either have an attrs value to hand, or don't care
+places but forgot to free the TCG temps in trans_VMOV_64_sp().
 and can use MEMTXATTRS_UNSPECIFIED.
+Cc: qemu-stable@nongnu.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180521140402.23318-5-peter.maydell@linaro.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Message-id: 20190827121931.26836-1-peter.maydell@linaro.org
 ---
- include/exec/memory.h   | 3 ++-
+ target/arm/translate-vfp.inc.c | 2 ++
- include/sysemu/dma.h    | 3 ++-
+file changed, 2 insertions(+)
  exec.c                  | 6 ++++--
  target/ppc/mmu-hash64.c | 3 ++-
 files changed, 10 insertions(+), 5 deletions(-)
-diff --git a/include/exec/memory.h b/include/exec/memory.h
+diff --git a/target/arm/translate-vfp.inc.c b/target/arm/translate-vfp.inc.c
 index XXXXXXX..XXXXXXX 100644
---- a/include/exec/memory.h
+--- a/target/arm/translate-vfp.inc.c
-+++ b/include/exec/memory.h
++++ b/target/arm/translate-vfp.inc.c
-@@ -XXX,XX +XXX,XX @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr, int len, bool is_
+@@ -XXX,XX +XXX,XX @@ static bool trans_VMOV_64_sp(DisasContext *s, arg_VMOV_64_sp *a)
-  * @addr: address within that address space
+         /* gpreg to fpreg */
-  * @plen: pointer to length of buffer; updated on return
+         tmp = load_reg(s, a->rt);
-  * @is_write: indicates the transfer direction
+         neon_store_reg32(tmp, a->vm);
-+ * @attrs: memory attributes
++        tcg_temp_free_i32(tmp);
-  */
+         tmp = load_reg(s, a->rt2);
- void *address_space_map(AddressSpace *as, hwaddr addr,
+         neon_store_reg32(tmp, a->vm + 1);
--                        hwaddr *plen, bool is_write);
++        tcg_temp_free_i32(tmp);
 +                        hwaddr *plen, bool is_write, MemTxAttrs attrs);
  /* address_space_unmap: Unmaps a memory region previously mapped by address_space_map()
   *
 diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/sysemu/dma.h
 +++ b/include/sysemu/dma.h
@@ -XXX,XX +XXX,XX @@ static inline void *dma_memory_map(AddressSpace *as,
      hwaddr xlen = *len;
      void *p;
 -    p = address_space_map(as, addr, &xlen, dir == DMA_DIRECTION_FROM_DEVICE);
 +    p = address_space_map(as, addr, &xlen, dir == DMA_DIRECTION_FROM_DEVICE,
 +                          MEMTXATTRS_UNSPECIFIED);
      *len = xlen;
      return p;
  }
 diff --git a/exec.c b/exec.c
 index XXXXXXX..XXXXXXX 100644
 --- a/exec.c
 +++ b/exec.c
@@ -XXX,XX +XXX,XX @@ flatview_extend_translation(FlatView *fv, hwaddr addr,
  void *address_space_map(AddressSpace *as,
                          hwaddr addr,
                          hwaddr *plen,
 -                        bool is_write)
 +                        bool is_write,
 +                        MemTxAttrs attrs)
  {
      hwaddr len = *plen;
      hwaddr l, xlat;
@@ -XXX,XX +XXX,XX @@ void *cpu_physical_memory_map(hwaddr addr,
                                hwaddr *plen,
                                int is_write)
  {
 -    return address_space_map(&address_space_memory, addr, plen, is_write);
 +    return address_space_map(&address_space_memory, addr, plen, is_write,
 +                             MEMTXATTRS_UNSPECIFIED);
  }
  void cpu_physical_memory_unmap(void *buffer, hwaddr len,
 diff --git a/target/ppc/mmu-hash64.c b/target/ppc/mmu-hash64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/ppc/mmu-hash64.c
 +++ b/target/ppc/mmu-hash64.c
@@ -XXX,XX +XXX,XX @@ const ppc_hash_pte64_t *ppc_hash64_map_hptes(PowerPCCPU *cpu,
          return NULL;
      }
--    hptes = address_space_map(CPU(cpu)->as, base + pte_offset, &plen, false);
+     return true;
 +    hptes = address_space_map(CPU(cpu)->as, base + pte_offset, &plen, false,
 +                              MEMTXATTRS_UNSPECIFIED);
      if (plen < (n * HASH_PTE_SIZE_64)) {
          hw_error("%s: Unable to map all requested HPTEs\n", __func__);
      }
 --
-.17.1
+.20.1

-[Qemu-devel] [PULL 14/25] Make address_space_access_valid() take a MemTxAttrs argument
+Deleted patch
-As part of plumbing MemTxAttrs down to the IOMMU translate method,
-add MemTxAttrs as an argument to address_space_access_valid().
-Its callers either have an attrs value to hand, or don't care
-and can use MEMTXATTRS_UNSPECIFIED.
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180521140402.23318-6-peter.maydell@linaro.org
----
- include/exec/memory.h      | 4 +++-
- include/sysemu/dma.h       | 3 ++-
- exec.c                     | 3 ++-
- target/s390x/diag.c        | 6 ++++--
- target/s390x/excp_helper.c | 3 ++-
- target/s390x/mmu_helper.c  | 3 ++-
- target/s390x/sigp.c        | 3 ++-
-files changed, 17 insertions(+), 8 deletions(-)
-diff --git a/include/exec/memory.h b/include/exec/memory.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/exec/memory.h
-+++ b/include/exec/memory.h
-@@ -XXX,XX +XXX,XX @@ static inline MemoryRegion *address_space_translate(AddressSpace *as,
-  * @addr: address within that address space
-  * @len: length of the area to be checked
-  * @is_write: indicates the transfer direction
-+ * @attrs: memory attributes
-  */
--bool address_space_access_valid(AddressSpace *as, hwaddr addr, int len, bool is_write);
-+bool address_space_access_valid(AddressSpace *as, hwaddr addr, int len,
-+                                bool is_write, MemTxAttrs attrs);
- /* address_space_map: map a physical memory region into a host virtual address
-  *
-diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/sysemu/dma.h
-+++ b/include/sysemu/dma.h
-@@ -XXX,XX +XXX,XX @@ static inline bool dma_memory_valid(AddressSpace *as,
-                                     DMADirection dir)
- {
-     return address_space_access_valid(as, addr, len,
--                                      dir == DMA_DIRECTION_FROM_DEVICE);
-+                                      dir == DMA_DIRECTION_FROM_DEVICE,
-+                                      MEMTXATTRS_UNSPECIFIED);
- }
- static inline int dma_memory_rw_relaxed(AddressSpace *as, dma_addr_t addr,
-diff --git a/exec.c b/exec.c
-index XXXXXXX..XXXXXXX 100644
---- a/exec.c
-+++ b/exec.c
-@@ -XXX,XX +XXX,XX @@ static bool flatview_access_valid(FlatView *fv, hwaddr addr, int len,
- }
- bool address_space_access_valid(AddressSpace *as, hwaddr addr,
--                                int len, bool is_write)
-+                                int len, bool is_write,
-+                                MemTxAttrs attrs)
- {
-     FlatView *fv;
-     bool result;
-diff --git a/target/s390x/diag.c b/target/s390x/diag.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/s390x/diag.c
-+++ b/target/s390x/diag.c
-@@ -XXX,XX +XXX,XX @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra)
-             return;
-         }
-         if (!address_space_access_valid(&address_space_memory, addr,
--                                        sizeof(IplParameterBlock), false)) {
-+                                        sizeof(IplParameterBlock), false,
-+                                        MEMTXATTRS_UNSPECIFIED)) {
-             s390_program_interrupt(env, PGM_ADDRESSING, ILEN_AUTO, ra);
-             return;
-         }
-@@ -XXX,XX +XXX,XX @@ out:
-             return;
-         }
-         if (!address_space_access_valid(&address_space_memory, addr,
--                                        sizeof(IplParameterBlock), true)) {
-+                                        sizeof(IplParameterBlock), true,
-+                                        MEMTXATTRS_UNSPECIFIED)) {
-             s390_program_interrupt(env, PGM_ADDRESSING, ILEN_AUTO, ra);
-             return;
-         }
-diff --git a/target/s390x/excp_helper.c b/target/s390x/excp_helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/s390x/excp_helper.c
-+++ b/target/s390x/excp_helper.c
-@@ -XXX,XX +XXX,XX @@ int s390_cpu_handle_mmu_fault(CPUState *cs, vaddr orig_vaddr, int size,
-     /* check out of RAM access */
-     if (!address_space_access_valid(&address_space_memory, raddr,
--                                    TARGET_PAGE_SIZE, rw)) {
-+                                    TARGET_PAGE_SIZE, rw,
-+                                    MEMTXATTRS_UNSPECIFIED)) {
-         DPRINTF("%s: raddr %" PRIx64 " > ram_size %" PRIx64 "\n", __func__,
-                 (uint64_t)raddr, (uint64_t)ram_size);
-         trigger_pgm_exception(env, PGM_ADDRESSING, ILEN_AUTO);
-diff --git a/target/s390x/mmu_helper.c b/target/s390x/mmu_helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/s390x/mmu_helper.c
-+++ b/target/s390x/mmu_helper.c
-@@ -XXX,XX +XXX,XX @@ static int translate_pages(S390CPU *cpu, vaddr addr, int nr_pages,
-             return ret;
-         }
-         if (!address_space_access_valid(&address_space_memory, pages[i],
--                                        TARGET_PAGE_SIZE, is_write)) {
-+                                        TARGET_PAGE_SIZE, is_write,
-+                                        MEMTXATTRS_UNSPECIFIED)) {
-             trigger_access_exception(env, PGM_ADDRESSING, ILEN_AUTO, 0);
-             return -EFAULT;
-         }
-diff --git a/target/s390x/sigp.c b/target/s390x/sigp.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/s390x/sigp.c
-+++ b/target/s390x/sigp.c
-@@ -XXX,XX +XXX,XX @@ static void sigp_set_prefix(CPUState *cs, run_on_cpu_data arg)
-     cpu_synchronize_state(cs);
-     if (!address_space_access_valid(&address_space_memory, addr,
--                                    sizeof(struct LowCore), false)) {
-+                                    sizeof(struct LowCore), false,
-+                                    MEMTXATTRS_UNSPECIFIED)) {
-         set_sigp_status(si, SIGP_STAT_INVALID_PARAMETER);
-         return;
-     }
---
-.17.1

-[Qemu-devel] [PULL 15/25] Make flatview_extend_translation() take a MemTxAttrs argument
+Deleted patch
-As part of plumbing MemTxAttrs down to the IOMMU translate method,
-add MemTxAttrs as an argument to flatview_extend_translation().
-Its callers either have an attrs value to hand, or don't care
-and can use MEMTXATTRS_UNSPECIFIED.
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20180521140402.23318-7-peter.maydell@linaro.org
----
- exec.c | 15 ++++++++++-----
-file changed, 10 insertions(+), 5 deletions(-)
-diff --git a/exec.c b/exec.c
-index XXXXXXX..XXXXXXX 100644
---- a/exec.c
-+++ b/exec.c
-@@ -XXX,XX +XXX,XX @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr,
- static hwaddr
- flatview_extend_translation(FlatView *fv, hwaddr addr,
--                                 hwaddr target_len,
--                                 MemoryRegion *mr, hwaddr base, hwaddr len,
--                                 bool is_write)
-+                            hwaddr target_len,
-+                            MemoryRegion *mr, hwaddr base, hwaddr len,
-+                            bool is_write, MemTxAttrs attrs)
- {
-     hwaddr done = 0;
-     hwaddr xlat;
-@@ -XXX,XX +XXX,XX @@ void *address_space_map(AddressSpace *as,
-     memory_region_ref(mr);
-     *plen = flatview_extend_translation(fv, addr, len, mr, xlat,
--                                             l, is_write);
-+                                        l, is_write, attrs);
-     ptr = qemu_ram_ptr_length(mr->ram_block, xlat, plen, true);
-     rcu_read_unlock();
-@@ -XXX,XX +XXX,XX @@ int64_t address_space_cache_init(MemoryRegionCache *cache,
-     mr = cache->mrs.mr;
-     memory_region_ref(mr);
-     if (memory_access_is_direct(mr, is_write)) {
-+        /* We don't care about the memory attributes here as we're only
-+         * doing this if we found actual RAM, which behaves the same
-+         * regardless of attributes; so UNSPECIFIED is fine.
-+         */
-         l = flatview_extend_translation(cache->fv, addr, len, mr,
--                                        cache->xlat, l, is_write);
-+                                        cache->xlat, l, is_write,
-+                                        MEMTXATTRS_UNSPECIFIED);
-         cache->ptr = qemu_ram_ptr_length(mr->ram_block, cache->xlat, &l, true);
-     } else {
-         cache->ptr = NULL;
---
-.17.1

-[Qemu-devel] [PULL 18/25] Make flatview_access_valid() take a MemTxAttrs argument
+[Qemu-devel] [PULL 21/21] target/arm: Don't abort on M-profile exception return in linux-user mode
-As part of plumbing MemTxAttrs down to the IOMMU translate method,
+An attempt to do an exception-return (branch to one of the magic
-add MemTxAttrs as an argument to flatview_access_valid().
+addresses) in linux-user mode for M-profile should behave like
-Its callers now all have an attrs value to hand, so we can
+a normal branch, because linux-user mode is always going to be
-correct our earlier temporary use of MEMTXATTRS_UNSPECIFIED.
+in 'handler' mode. This used to work, but we broke it when we added
 support for the M-profile security extension in commit d02a8698d7ae2bfed.
+In that commit we allowed even handler-mode calls to magic return
+values to be checked for and dealt with by causing an
+EXCP_EXCEPTION_EXIT exception to be taken, because this is
+needed for the FNC_RETURN return-from-non-secure-function-call
+handling. For system mode we added a check in do_v7m_exception_exit()
+to make any spurious calls from Handler mode behave correctly, but
+forgot that linux-user mode would also be affected.
+How an attempted return-from-non-secure-function-call in linux-user
+mode should be handled is not clear -- on real hardware it would
+result in return to secure code (not to the Linux kernel) which
+could then handle the error in any way it chose. For QEMU we take
+the simple approach of treating this erroneous return the same way
+it would be handled on a CPU without the security extensions --
+treat it as a normal branch.
+The upshot of all this is that for linux-user mode we should never
+do any of the bx_excret magic, so the code change is simple.
+This ought to be a weird corner case that only affects broken guest
+code (because Linux user processes should never be attempting to do
+exception returns or NS function returns), except that the code that
+assigns addresses in RAM for the process and stack in our linux-user
+code does not attempt to avoid this magic address range, so
+legitimate code attempting to return to a trampoline routine on the
+stack can fall into this case. This change fixes those programs,
+but we should also look at restricting the range of memory we
+use for M-profile linux-user guests to the area that would be
+real RAM in hardware.
+Cc: qemu-stable@nongnu.org
+Reported-by: Christophe Lyon <christophe.lyon@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Message-id: 20190822131534.16602-1-peter.maydell@linaro.org
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Fixes: https://bugs.launchpad.net/qemu/+bug/1840922
-Message-id: 20180521140402.23318-10-peter.maydell@linaro.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- exec.c | 12 +++++-------
+ target/arm/translate.c | 21 ++++++++++++++++++++-
-file changed, 5 insertions(+), 7 deletions(-)
+file changed, 20 insertions(+), 1 deletion(-)
-diff --git a/exec.c b/exec.c
+diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/exec.c
+--- a/target/arm/translate.c
-+++ b/exec.c
++++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ static MemTxResult flatview_read(FlatView *fv, hwaddr addr,
+@@ -XXX,XX +XXX,XX @@ static inline void gen_bx(DisasContext *s, TCGv_i32 var)
- static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs attrs,
+     store_cpu_field(var, thumb);
                                    const uint8_t *buf, int len);
  static bool flatview_access_valid(FlatView *fv, hwaddr addr, int len,
 -                                  bool is_write);
 +                                  bool is_write, MemTxAttrs attrs);
  static MemTxResult subpage_read(void *opaque, hwaddr addr, uint64_t *data,
                                  unsigned len, MemTxAttrs attrs)
@@ -XXX,XX +XXX,XX @@ static bool subpage_accepts(void *opaque, hwaddr addr,
  #endif
      return flatview_access_valid(subpage->fv, addr + subpage->base,
 -                                 len, is_write);
 +                                 len, is_write, attrs);
  }
- static const MemoryRegionOps subpage_ops = {
+-/* Set PC and Thumb state from var. var is marked as dead.
-@@ -XXX,XX +XXX,XX @@ static void cpu_notify_map_clients(void)
++/*
 + * Set PC and Thumb state from var. var is marked as dead.
   * For M-profile CPUs, include logic to detect exception-return
   * branches and handle them. This is needed for Thumb POP/LDM to PC, LDR to PC,
   * and BX reg, and no others, and happens only for code in Handler mode.
 + * The Security Extension also requires us to check for the FNC_RETURN
 + * which signals a function return from non-secure state; this can happen
 + * in both Handler and Thread mode.
 + * To avoid having to do multiple comparisons in inline generated code,
 + * we make the check we do here loose, so it will match for EXC_RETURN
 + * in Thread mode. For system emulation do_v7m_exception_exit() checks
 + * for these spurious cases and returns without doing anything (giving
 + * the same behaviour as for a branch to a non-magic address).
 + *
 + * In linux-user mode it is unclear what the right behaviour for an
 + * attempted FNC_RETURN should be, because in real hardware this will go
 + * directly to Secure code (ie not the Linux kernel) which will then treat
 + * the error in any way it chooses. For QEMU we opt to make the FNC_RETURN
 + * attempt behave the way it would on a CPU without the security extension,
 + * which is to say "like a normal branch". That means we can simply treat
 + * all branches as normal with no magic address behaviour.
   */
  static inline void gen_bx_excret(DisasContext *s, TCGv_i32 var)
  {
@@ -XXX,XX +XXX,XX @@ static inline void gen_bx_excret(DisasContext *s, TCGv_i32 var)
       * s->base.is_jmp that we need to do the rest of the work later.
       */
      gen_bx(s, var);
 +#ifndef CONFIG_USER_ONLY
      if (arm_dc_feature(s, ARM_FEATURE_M_SECURITY) ||
          (s->v7m_handler_mode && arm_dc_feature(s, ARM_FEATURE_M))) {
          s->base.is_jmp = DISAS_BX_EXCRET;
      }
 +#endif
  }
- static bool flatview_access_valid(FlatView *fv, hwaddr addr, int len,
+ static inline void gen_bx_excret_final_code(DisasContext *s)
 -                                  bool is_write)
 +                                  bool is_write, MemTxAttrs attrs)
  {
      MemoryRegion *mr;
      hwaddr l, xlat;
@@ -XXX,XX +XXX,XX @@ static bool flatview_access_valid(FlatView *fv, hwaddr addr, int len,
          mr = flatview_translate(fv, addr, &xlat, &l, is_write);
          if (!memory_access_is_direct(mr, is_write)) {
              l = memory_access_size(mr, l, addr);
 -            /* When our callers all have attrs we'll pass them through here */
 -            if (!memory_region_access_valid(mr, xlat, l, is_write,
 -                                            MEMTXATTRS_UNSPECIFIED)) {
 +            if (!memory_region_access_valid(mr, xlat, l, is_write, attrs)) {
                  return false;
              }
          }
@@ -XXX,XX +XXX,XX @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr,
      rcu_read_lock();
      fv = address_space_to_flatview(as);
 -    result = flatview_access_valid(fv, addr, len, is_write);
 +    result = flatview_access_valid(fv, addr, len, is_write, attrs);
      rcu_read_unlock();
      return result;
  }
 --
-.17.1
+.20.1

target-arm queue. This has the "plumb txattrs through various
bits of exec.c" patches, and a collection of bug fixes from
various people.

thanks
-- PMM

The following changes since commit a3ac12fba028df90f7b3dbec924995c126c41022:

Merge remote-tracking branch 'remotes/ehabkost/tags/numa-next-pull-request' into staging (2018-05-31 11:12:36 +0100)

are available in the Git repository at:

git://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20180531

for you to fetch changes up to 49d1dca0520ea71bc21867fab6647f474fcf857b:

KVM: GIC: Fix memory leak due to calling kvm_init_irq_routing twice (2018-05-31 14:52:53 +0100)

----------------------------------------------------------------
target-arm queue:
 * target/arm: Honour FPCR.FZ in FRECPX
 * MAINTAINERS: Add entries for newer MPS2 boards and devices
 * hw/intc/arm_gicv3: Fix APxR<n> register dispatching
 * arm_gicv3_kvm: fix bug in writing zero bits back to the in-kernel
   GIC state
 * tcg: Fix helper function vs host abi for float16
 * arm: fix qemu crash on startup with -bios option
 * arm: fix malloc type mismatch
 * xlnx-zdma: Correct mem leaks and memset to zero on desc unaligned errors
 * Correct CPACR reset value for v7 cores
 * memory.h: Improve IOMMU related documentation
 * exec: Plumb transaction attributes through various functions in
   preparation for allowing IOMMUs to see them
 * vmstate.h: Provide VMSTATE_BOOL_SUB_ARRAY
 * ARM: ACPI: Fix use-after-free due to memory realloc
 * KVM: GIC: Fix memory leak due to calling kvm_init_irq_routing twice

----------------------------------------------------------------
Francisco Iglesias (1):
      xlnx-zdma: Correct mem leaks and memset to zero on desc unaligned errors

Igor Mammedov (1):
      arm: fix qemu crash on startup with -bios option

Jan Kiszka (1):
      hw/intc/arm_gicv3: Fix APxR<n> register dispatching

Paolo Bonzini (1):
      arm: fix malloc type mismatch

Peter Maydell (17):
      target/arm: Honour FPCR.FZ in FRECPX
      MAINTAINERS: Add entries for newer MPS2 boards and devices
      Correct CPACR reset value for v7 cores
      memory.h: Improve IOMMU related documentation
      Make tb_invalidate_phys_addr() take a MemTxAttrs argument
      Make address_space_translate{, _cached}() take a MemTxAttrs argument
      Make address_space_map() take a MemTxAttrs argument
      Make address_space_access_valid() take a MemTxAttrs argument
      Make flatview_extend_translation() take a MemTxAttrs argument
      Make memory_region_access_valid() take a MemTxAttrs argument
      Make MemoryRegion valid.accepts callback take a MemTxAttrs argument
      Make flatview_access_valid() take a MemTxAttrs argument
      Make flatview_translate() take a MemTxAttrs argument
      Make address_space_get_iotlb_entry() take a MemTxAttrs argument
      Make flatview_do_translate() take a MemTxAttrs argument
      Make address_space_translate_iommu take a MemTxAttrs argument
      vmstate.h: Provide VMSTATE_BOOL_SUB_ARRAY

Richard Henderson (1):
      tcg: Fix helper function vs host abi for float16

Shannon Zhao (3):
      arm_gicv3_kvm: increase clroffset accordingly
      ARM: ACPI: Fix use-after-free due to memory realloc
      KVM: GIC: Fix memory leak due to calling kvm_init_irq_routing twice

The FRECPX instructions should (like most other floating point operations)
honour the FPCR.FZ bit which specifies whether input denormals should
be flushed to zero (or FZ16 for the half-precision version).
We forgot to implement this, which doesn't affect the results (since
the calculation doesn't actually care about the mantissa bits) but did
mean we were failing to set the FPSR.IDC bit.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180521172712.19930-1-peter.maydell@linaro.org
---
 target/arm/helper-a64.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/target/arm/helper-a64.c b/target/arm/helper-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper-a64.c
+++ b/target/arm/helper-a64.c
@@ -XXX,XX +XXX,XX @@ float16 HELPER(frecpx_f16)(float16 a, void *fpstp)
         return nan;
     }
 
+    a = float16_squash_input_denormal(a, fpst);
+
     val16 = float16_val(a);
     sbit = 0x8000 & val16;
     exp = extract32(val16, 10, 5);
@@ -XXX,XX +XXX,XX @@ float32 HELPER(frecpx_f32)(float32 a, void *fpstp)
         return nan;
     }
 
+    a = float32_squash_input_denormal(a, fpst);
+
     val32 = float32_val(a);
     sbit = 0x80000000ULL & val32;
     exp = extract32(val32, 23, 8);
@@ -XXX,XX +XXX,XX @@ float64 HELPER(frecpx_f64)(float64 a, void *fpstp)
         return nan;
     }
 
+    a = float64_squash_input_denormal(a, fpst);
+
     val64 = float64_val(a);
     sbit = 0x8000000000000000ULL & val64;
     exp = extract64(float64_val(a), 52, 11);
-- 
2.17.1

Add entries to MAINTAINERS to cover the newer MPS2 boards and
the new devices they use.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20180518153157.14899-1-peter.maydell@linaro.org
---
 MAINTAINERS | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/MAINTAINERS b/MAINTAINERS
index XXXXXXX..XXXXXXX 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -XXX,XX +XXX,XX @@ F: hw/timer/cmsdk-apb-timer.c
 F: include/hw/timer/cmsdk-apb-timer.h
 F: hw/char/cmsdk-apb-uart.c
 F: include/hw/char/cmsdk-apb-uart.h
+F: hw/misc/tz-ppc.c
+F: include/hw/misc/tz-ppc.h
 
 ARM cores
 M: Peter Maydell <peter.maydell@linaro.org>
@@ -XXX,XX +XXX,XX @@ M: Peter Maydell <peter.maydell@linaro.org>
 L: qemu-arm@nongnu.org
 S: Maintained
 F: hw/arm/mps2.c
-F: hw/misc/mps2-scc.c
-F: include/hw/misc/mps2-scc.h
+F: hw/arm/mps2-tz.c
+F: hw/misc/mps2-*.c
+F: include/hw/misc/mps2-*.h
+F: hw/arm/iotkit.c
+F: include/hw/arm/iotkit.h
 
 Musicpal
 M: Jan Kiszka <jan.kiszka@web.de>
-- 
2.17.1

From: Jan Kiszka <jan.kiszka@siemens.com>

There was a nasty flip in identifying which register group an access is
targeting. The issue caused spuriously raised priorities of the guest
when handing CPUs over in the Jailhouse hypervisor.

Cc: qemu-stable@nongnu.org
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Message-id: 28b927d3-da58-bce4-cc13-bfec7f9b1cb9@siemens.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/intc/arm_gicv3_cpuif.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/hw/intc/arm_gicv3_cpuif.c b/hw/intc/arm_gicv3_cpuif.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3_cpuif.c
+++ b/hw/intc/arm_gicv3_cpuif.c
@@ -XXX,XX +XXX,XX @@ static uint64_t icv_ap_read(CPUARMState *env, const ARMCPRegInfo *ri)
 {
     GICv3CPUState *cs = icc_cs_from_env(env);
     int regno = ri->opc2 & 3;
-    int grp = ri->crm & 1 ? GICV3_G0 : GICV3_G1NS;
+    int grp = (ri->crm & 1) ? GICV3_G1NS : GICV3_G0;
     uint64_t value = cs->ich_apr[grp][regno];
 
     trace_gicv3_icv_ap_read(ri->crm & 1, regno, gicv3_redist_affid(cs), value);
@@ -XXX,XX +XXX,XX @@ static void icv_ap_write(CPUARMState *env, const ARMCPRegInfo *ri,
 {
     GICv3CPUState *cs = icc_cs_from_env(env);
     int regno = ri->opc2 & 3;
-    int grp = ri->crm & 1 ? GICV3_G0 : GICV3_G1NS;
+    int grp = (ri->crm & 1) ? GICV3_G1NS : GICV3_G0;
 
     trace_gicv3_icv_ap_write(ri->crm & 1, regno, gicv3_redist_affid(cs), value);
 
@@ -XXX,XX +XXX,XX @@ static uint64_t icc_ap_read(CPUARMState *env, const ARMCPRegInfo *ri)
     uint64_t value;
 
     int regno = ri->opc2 & 3;
-    int grp = ri->crm & 1 ? GICV3_G0 : GICV3_G1;
+    int grp = (ri->crm & 1) ? GICV3_G1 : GICV3_G0;
 
     if (icv_access(env, grp == GICV3_G0 ? HCR_FMO : HCR_IMO)) {
         return icv_ap_read(env, ri);
@@ -XXX,XX +XXX,XX @@ static void icc_ap_write(CPUARMState *env, const ARMCPRegInfo *ri,
     GICv3CPUState *cs = icc_cs_from_env(env);
 
     int regno = ri->opc2 & 3;
-    int grp = ri->crm & 1 ? GICV3_G0 : GICV3_G1;
+    int grp = (ri->crm & 1) ? GICV3_G1 : GICV3_G0;
 
     if (icv_access(env, grp == GICV3_G0 ? HCR_FMO : HCR_IMO)) {
         icv_ap_write(env, ri, value);
@@ -XXX,XX +XXX,XX @@ static uint64_t ich_ap_read(CPUARMState *env, const ARMCPRegInfo *ri)
 {
     GICv3CPUState *cs = icc_cs_from_env(env);
     int regno = ri->opc2 & 3;
-    int grp = ri->crm & 1 ? GICV3_G0 : GICV3_G1NS;
+    int grp = (ri->crm & 1) ? GICV3_G1NS : GICV3_G0;
     uint64_t value;
 
     value = cs->ich_apr[grp][regno];
@@ -XXX,XX +XXX,XX @@ static void ich_ap_write(CPUARMState *env, const ARMCPRegInfo *ri,
 {
     GICv3CPUState *cs = icc_cs_from_env(env);
     int regno = ri->opc2 & 3;
-    int grp = ri->crm & 1 ? GICV3_G0 : GICV3_G1NS;
+    int grp = (ri->crm & 1) ? GICV3_G1NS : GICV3_G0;
 
     trace_gicv3_ich_ap_write(ri->crm & 1, regno, gicv3_redist_affid(cs), value);
 
-- 
2.17.1

From: Shannon Zhao <zhaoshenglong@huawei.com>

It forgot to increase clroffset during the loop. So it only clear the
first 4 bytes.

Fixes: 367b9f527becdd20ddf116e17a3c0c2bbc486920
Cc: qemu-stable@nongnu.org
Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Message-id: 1527047633-12368-1-git-send-email-zhaoshenglong@huawei.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/intc/arm_gicv3_kvm.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/intc/arm_gicv3_kvm.c b/hw/intc/arm_gicv3_kvm.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3_kvm.c
+++ b/hw/intc/arm_gicv3_kvm.c
@@ -XXX,XX +XXX,XX @@ static void kvm_dist_putbmp(GICv3State *s, uint32_t offset,
         if (clroffset != 0) {
             reg = 0;
             kvm_gicd_access(s, clroffset, &reg, true);
+            clroffset += 4;
         }
         reg = *gic_bmp_ptr32(bmp, irq);
         kvm_gicd_access(s, offset, &reg, true);
-- 
2.17.1

From: Richard Henderson <richard.henderson@linaro.org>

Depending on the host abi, float16, aka uint16_t, values are
passed and returned either zero-extended in the host register
or with garbage at the top of the host register.

The tcg code generator has so far been assuming garbage, as that
matches the x86 abi, but this is incorrect for other host abis.
Further, target/arm has so far been assuming zero-extended results,
so that it may store the 16-bit value into a 32-bit slot with the
high 16-bits already clear.

Rectify both problems by mapping "f16" in the helper definition
to uint32_t instead of (a typedef for) uint16_t.  This forces
the host compiler to assume garbage in the upper 16 bits on input
and to zero-extend the result on output.

Cc: qemu-stable@nongnu.org
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Laurent Desnogues <laurent.desnogues@gmail.com>
Message-id: 20180522175629.24932-1-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/exec/helper-head.h |  2 +-
 target/arm/helper-a64.c    | 35 +++++++++--------
 target/arm/helper.c        | 80 +++++++++++++++++++-------------------
 3 files changed, 59 insertions(+), 58 deletions(-)

diff --git a/include/exec/helper-head.h b/include/exec/helper-head.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/helper-head.h
+++ b/include/exec/helper-head.h
@@ -XXX,XX +XXX,XX @@
 #define dh_ctype_int int
 #define dh_ctype_i64 uint64_t
 #define dh_ctype_s64 int64_t
-#define dh_ctype_f16 float16
+#define dh_ctype_f16 uint32_t
 #define dh_ctype_f32 float32
 #define dh_ctype_f64 float64
 #define dh_ctype_ptr void *
diff --git a/target/arm/helper-a64.c b/target/arm/helper-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper-a64.c
+++ b/target/arm/helper-a64.c
@@ -XXX,XX +XXX,XX @@ static inline uint32_t float_rel_to_flags(int res)
     return flags;
 }
 
-uint64_t HELPER(vfp_cmph_a64)(float16 x, float16 y, void *fp_status)
+uint64_t HELPER(vfp_cmph_a64)(uint32_t x, uint32_t y, void *fp_status)
 {
     return float_rel_to_flags(float16_compare_quiet(x, y, fp_status));
 }
 
-uint64_t HELPER(vfp_cmpeh_a64)(float16 x, float16 y, void *fp_status)
+uint64_t HELPER(vfp_cmpeh_a64)(uint32_t x, uint32_t y, void *fp_status)
 {
     return float_rel_to_flags(float16_compare(x, y, fp_status));
 }
@@ -XXX,XX +XXX,XX @@ uint64_t HELPER(neon_cgt_f64)(float64 a, float64 b, void *fpstp)
 #define float64_three make_float64(0x4008000000000000ULL)
 #define float64_one_point_five make_float64(0x3FF8000000000000ULL)
 
-float16 HELPER(recpsf_f16)(float16 a, float16 b, void *fpstp)
+uint32_t HELPER(recpsf_f16)(uint32_t a, uint32_t b, void *fpstp)
 {
     float_status *fpst = fpstp;
 
@@ -XXX,XX +XXX,XX @@ float64 HELPER(recpsf_f64)(float64 a, float64 b, void *fpstp)
     return float64_muladd(a, b, float64_two, 0, fpst);
 }
 
-float16 HELPER(rsqrtsf_f16)(float16 a, float16 b, void *fpstp)
+uint32_t HELPER(rsqrtsf_f16)(uint32_t a, uint32_t b, void *fpstp)
 {
     float_status *fpst = fpstp;
 
@@ -XXX,XX +XXX,XX @@ uint64_t HELPER(neon_addlp_u16)(uint64_t a)
 }
 
 /* Floating-point reciprocal exponent - see FPRecpX in ARM ARM */
-float16 HELPER(frecpx_f16)(float16 a, void *fpstp)
+uint32_t HELPER(frecpx_f16)(uint32_t a, void *fpstp)
 {
     float_status *fpst = fpstp;
     uint16_t val16, sbit;
@@ -XXX,XX +XXX,XX @@ void HELPER(casp_be_parallel)(CPUARMState *env, uint32_t rs, uint64_t addr,
 #define ADVSIMD_HELPER(name, suffix) HELPER(glue(glue(advsimd_, name), suffix))
 
 #define ADVSIMD_HALFOP(name) \
-float16 ADVSIMD_HELPER(name, h)(float16 a, float16 b, void *fpstp) \
+uint32_t ADVSIMD_HELPER(name, h)(uint32_t a, uint32_t b, void *fpstp) \
 { \
     float_status *fpst = fpstp; \
     return float16_ ## name(a, b, fpst);    \
@@ -XXX,XX +XXX,XX @@ ADVSIMD_HALFOP(mulx)
 ADVSIMD_TWOHALFOP(mulx)
 
 /* fused multiply-accumulate */
-float16 HELPER(advsimd_muladdh)(float16 a, float16 b, float16 c, void *fpstp)
+uint32_t HELPER(advsimd_muladdh)(uint32_t a, uint32_t b, uint32_t c,
+                                 void *fpstp)
 {
     float_status *fpst = fpstp;
     return float16_muladd(a, b, c, 0, fpst);
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(advsimd_muladd2h)(uint32_t two_a, uint32_t two_b,
 
 #define ADVSIMD_CMPRES(test) (test) ? 0xffff : 0
 
-uint32_t HELPER(advsimd_ceq_f16)(float16 a, float16 b, void *fpstp)
+uint32_t HELPER(advsimd_ceq_f16)(uint32_t a, uint32_t b, void *fpstp)
 {
     float_status *fpst = fpstp;
     int compare = float16_compare_quiet(a, b, fpst);
     return ADVSIMD_CMPRES(compare == float_relation_equal);
 }
 
-uint32_t HELPER(advsimd_cge_f16)(float16 a, float16 b, void *fpstp)
+uint32_t HELPER(advsimd_cge_f16)(uint32_t a, uint32_t b, void *fpstp)
 {
     float_status *fpst = fpstp;
     int compare = float16_compare(a, b, fpst);
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(advsimd_cge_f16)(float16 a, float16 b, void *fpstp)
                           compare == float_relation_equal);
 }
 
-uint32_t HELPER(advsimd_cgt_f16)(float16 a, float16 b, void *fpstp)
+uint32_t HELPER(advsimd_cgt_f16)(uint32_t a, uint32_t b, void *fpstp)
 {
     float_status *fpst = fpstp;
     int compare = float16_compare(a, b, fpst);
     return ADVSIMD_CMPRES(compare == float_relation_greater);
 }
 
-uint32_t HELPER(advsimd_acge_f16)(float16 a, float16 b, void *fpstp)
+uint32_t HELPER(advsimd_acge_f16)(uint32_t a, uint32_t b, void *fpstp)
 {
     float_status *fpst = fpstp;
     float16 f0 = float16_abs(a);
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(advsimd_acge_f16)(float16 a, float16 b, void *fpstp)
                           compare == float_relation_equal);
 }
 
-uint32_t HELPER(advsimd_acgt_f16)(float16 a, float16 b, void *fpstp)
+uint32_t HELPER(advsimd_acgt_f16)(uint32_t a, uint32_t b, void *fpstp)
 {
     float_status *fpst = fpstp;
     float16 f0 = float16_abs(a);
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(advsimd_acgt_f16)(float16 a, float16 b, void *fpstp)
 }
 
 /* round to integral */
-float16 HELPER(advsimd_rinth_exact)(float16 x, void *fp_status)
+uint32_t HELPER(advsimd_rinth_exact)(uint32_t x, void *fp_status)
 {
     return float16_round_to_int(x, fp_status);
 }
 
-float16 HELPER(advsimd_rinth)(float16 x, void *fp_status)
+uint32_t HELPER(advsimd_rinth)(uint32_t x, void *fp_status)
 {
     int old_flags = get_float_exception_flags(fp_status), new_flags;
     float16 ret;
@@ -XXX,XX +XXX,XX @@ float16 HELPER(advsimd_rinth)(float16 x, void *fp_status)
  * setting the mode appropriately before calling the helper.
  */
 
-uint32_t HELPER(advsimd_f16tosinth)(float16 a, void *fpstp)
+uint32_t HELPER(advsimd_f16tosinth)(uint32_t a, void *fpstp)
 {
     float_status *fpst = fpstp;
 
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(advsimd_f16tosinth)(float16 a, void *fpstp)
     return float16_to_int16(a, fpst);
 }
 
-uint32_t HELPER(advsimd_f16touinth)(float16 a, void *fpstp)
+uint32_t HELPER(advsimd_f16touinth)(uint32_t a, void *fpstp)
 {
     float_status *fpst = fpstp;
 
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(advsimd_f16touinth)(float16 a, void *fpstp)
  * Square Root and Reciprocal square root
  */
 
-float16 HELPER(sqrt_f16)(float16 a, void *fpstp)
+uint32_t HELPER(sqrt_f16)(uint32_t a, void *fpstp)
 {
     float_status *s = fpstp;
 
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ DO_VFP_cmp(d, float64)
 
 /* Integer to float and float to integer conversions */
 
-#define CONV_ITOF(name, fsz, sign) \
-    float##fsz HELPER(name)(uint32_t x, void *fpstp) \
-{ \
-    float_status *fpst = fpstp; \
-    return sign##int32_to_##float##fsz((sign##int32_t)x, fpst); \
+#define CONV_ITOF(name, ftype, fsz, sign)                           \
+ftype HELPER(name)(uint32_t x, void *fpstp)                         \
+{                                                                   \
+    float_status *fpst = fpstp;                                     \
+    return sign##int32_to_##float##fsz((sign##int32_t)x, fpst);     \
 }
 
-#define CONV_FTOI(name, fsz, sign, round) \
-uint32_t HELPER(name)(float##fsz x, void *fpstp) \
-{ \
-    float_status *fpst = fpstp; \
-    if (float##fsz##_is_any_nan(x)) { \
-        float_raise(float_flag_invalid, fpst); \
-        return 0; \
-    } \
-    return float##fsz##_to_##sign##int32##round(x, fpst); \
+#define CONV_FTOI(name, ftype, fsz, sign, round)                \
+uint32_t HELPER(name)(ftype x, void *fpstp)                     \
+{                                                               \
+    float_status *fpst = fpstp;                                 \
+    if (float##fsz##_is_any_nan(x)) {                           \
+        float_raise(float_flag_invalid, fpst);                  \
+        return 0;                                               \
+    }                                                           \
+    return float##fsz##_to_##sign##int32##round(x, fpst);       \
 }
 
-#define FLOAT_CONVS(name, p, fsz, sign) \
-CONV_ITOF(vfp_##name##to##p, fsz, sign) \
-CONV_FTOI(vfp_to##name##p, fsz, sign, ) \
-CONV_FTOI(vfp_to##name##z##p, fsz, sign, _round_to_zero)
+#define FLOAT_CONVS(name, p, ftype, fsz, sign)            \
+    CONV_ITOF(vfp_##name##to##p, ftype, fsz, sign)        \
+    CONV_FTOI(vfp_to##name##p, ftype, fsz, sign, )        \
+    CONV_FTOI(vfp_to##name##z##p, ftype, fsz, sign, _round_to_zero)
 
-FLOAT_CONVS(si, h, 16, )
-FLOAT_CONVS(si, s, 32, )
-FLOAT_CONVS(si, d, 64, )
-FLOAT_CONVS(ui, h, 16, u)
-FLOAT_CONVS(ui, s, 32, u)
-FLOAT_CONVS(ui, d, 64, u)
+FLOAT_CONVS(si, h, uint32_t, 16, )
+FLOAT_CONVS(si, s, float32, 32, )
+FLOAT_CONVS(si, d, float64, 64, )
+FLOAT_CONVS(ui, h, uint32_t, 16, u)
+FLOAT_CONVS(ui, s, float32, 32, u)
+FLOAT_CONVS(ui, d, float64, 64, u)
 
 #undef CONV_ITOF
 #undef CONV_FTOI
@@ -XXX,XX +XXX,XX @@ static float16 do_postscale_fp16(float64 f, int shift, float_status *fpst)
     return float64_to_float16(float64_scalbn(f, -shift, fpst), true, fpst);
 }
 
-float16 HELPER(vfp_sltoh)(uint32_t x, uint32_t shift, void *fpst)
+uint32_t HELPER(vfp_sltoh)(uint32_t x, uint32_t shift, void *fpst)
 {
     return do_postscale_fp16(int32_to_float64(x, fpst), shift, fpst);
 }
 
-float16 HELPER(vfp_ultoh)(uint32_t x, uint32_t shift, void *fpst)
+uint32_t HELPER(vfp_ultoh)(uint32_t x, uint32_t shift, void *fpst)
 {
     return do_postscale_fp16(uint32_to_float64(x, fpst), shift, fpst);
 }
 
-float16 HELPER(vfp_sqtoh)(uint64_t x, uint32_t shift, void *fpst)
+uint32_t HELPER(vfp_sqtoh)(uint64_t x, uint32_t shift, void *fpst)
 {
     return do_postscale_fp16(int64_to_float64(x, fpst), shift, fpst);
 }
 
-float16 HELPER(vfp_uqtoh)(uint64_t x, uint32_t shift, void *fpst)
+uint32_t HELPER(vfp_uqtoh)(uint64_t x, uint32_t shift, void *fpst)
 {
     return do_postscale_fp16(uint64_to_float64(x, fpst), shift, fpst);
 }
@@ -XXX,XX +XXX,XX @@ static float64 do_prescale_fp16(float16 f, int shift, float_status *fpst)
     }
 }
 
-uint32_t HELPER(vfp_toshh)(float16 x, uint32_t shift, void *fpst)
+uint32_t HELPER(vfp_toshh)(uint32_t x, uint32_t shift, void *fpst)
 {
     return float64_to_int16(do_prescale_fp16(x, shift, fpst), fpst);
 }
 
-uint32_t HELPER(vfp_touhh)(float16 x, uint32_t shift, void *fpst)
+uint32_t HELPER(vfp_touhh)(uint32_t x, uint32_t shift, void *fpst)
 {
     return float64_to_uint16(do_prescale_fp16(x, shift, fpst), fpst);
 }
 
-uint32_t HELPER(vfp_toslh)(float16 x, uint32_t shift, void *fpst)
+uint32_t HELPER(vfp_toslh)(uint32_t x, uint32_t shift, void *fpst)
 {
     return float64_to_int32(do_prescale_fp16(x, shift, fpst), fpst);
 }
 
-uint32_t HELPER(vfp_toulh)(float16 x, uint32_t shift, void *fpst)
+uint32_t HELPER(vfp_toulh)(uint32_t x, uint32_t shift, void *fpst)
 {
     return float64_to_uint32(do_prescale_fp16(x, shift, fpst), fpst);
 }
 
-uint64_t HELPER(vfp_tosqh)(float16 x, uint32_t shift, void *fpst)
+uint64_t HELPER(vfp_tosqh)(uint32_t x, uint32_t shift, void *fpst)
 {
     return float64_to_int64(do_prescale_fp16(x, shift, fpst), fpst);
 }
 
-uint64_t HELPER(vfp_touqh)(float16 x, uint32_t shift, void *fpst)
+uint64_t HELPER(vfp_touqh)(uint32_t x, uint32_t shift, void *fpst)
 {
     return float64_to_uint64(do_prescale_fp16(x, shift, fpst), fpst);
 }
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(set_neon_rmode)(uint32_t rmode, CPUARMState *env)
 }
 
 /* Half precision conversions.  */
-float32 HELPER(vfp_fcvt_f16_to_f32)(float16 a, void *fpstp, uint32_t ahp_mode)
+float32 HELPER(vfp_fcvt_f16_to_f32)(uint32_t a, void *fpstp, uint32_t ahp_mode)
 {
     /* Squash FZ16 to 0 for the duration of conversion.  In this case,
      * it would affect flushing input denormals.
@@ -XXX,XX +XXX,XX @@ float32 HELPER(vfp_fcvt_f16_to_f32)(float16 a, void *fpstp, uint32_t ahp_mode)
     return r;
 }
 
-float16 HELPER(vfp_fcvt_f32_to_f16)(float32 a, void *fpstp, uint32_t ahp_mode)
+uint32_t HELPER(vfp_fcvt_f32_to_f16)(float32 a, void *fpstp, uint32_t ahp_mode)
 {
     /* Squash FZ16 to 0 for the duration of conversion.  In this case,
      * it would affect flushing output denormals.
@@ -XXX,XX +XXX,XX @@ float16 HELPER(vfp_fcvt_f32_to_f16)(float32 a, void *fpstp, uint32_t ahp_mode)
     return r;
 }
 
-float64 HELPER(vfp_fcvt_f16_to_f64)(float16 a, void *fpstp, uint32_t ahp_mode)
+float64 HELPER(vfp_fcvt_f16_to_f64)(uint32_t a, void *fpstp, uint32_t ahp_mode)
 {
     /* Squash FZ16 to 0 for the duration of conversion.  In this case,
      * it would affect flushing input denormals.
@@ -XXX,XX +XXX,XX @@ float64 HELPER(vfp_fcvt_f16_to_f64)(float16 a, void *fpstp, uint32_t ahp_mode)
     return r;
 }
 
-float16 HELPER(vfp_fcvt_f64_to_f16)(float64 a, void *fpstp, uint32_t ahp_mode)
+uint32_t HELPER(vfp_fcvt_f64_to_f16)(float64 a, void *fpstp, uint32_t ahp_mode)
 {
     /* Squash FZ16 to 0 for the duration of conversion.  In this case,
      * it would affect flushing output denormals.
@@ -XXX,XX +XXX,XX @@ static bool round_to_inf(float_status *fpst, bool sign_bit)
     g_assert_not_reached();
 }
 
-float16 HELPER(recpe_f16)(float16 input, void *fpstp)
+uint32_t HELPER(recpe_f16)(uint32_t input, void *fpstp)
 {
     float_status *fpst = fpstp;
     float16 f16 = float16_squash_input_denormal(input, fpst);
@@ -XXX,XX +XXX,XX @@ static uint64_t recip_sqrt_estimate(int *exp , int exp_off, uint64_t frac)
     return extract64(estimate, 0, 8) << 44;
 }
 
-float16 HELPER(rsqrte_f16)(float16 input, void *fpstp)
+uint32_t HELPER(rsqrte_f16)(uint32_t input, void *fpstp)
 {
     float_status *s = fpstp;
     float16 f16 = float16_squash_input_denormal(input, s);
-- 
2.17.1

From: Igor Mammedov <imammedo@redhat.com>

When QEMU is started with following CLI
 -machine virt,gic-version=3,accel=kvm -cpu host -bios AAVMF_CODE.fd
it crashes with abort at
 accel/kvm/kvm-all.c:2164:
 KVM_SET_DEVICE_ATTR failed: Group 6 attr 0x000000000000c665: Invalid argument

Which is caused by implicit dependency of kvm_arm_gicv3_reset() on
arm_gicv3_icc_reset() where the later is called by CPU reset
reset callback.

However commit:
 3b77f6c arm/boot: split load_dtb() from arm_load_kernel()
broke CPU reset callback registration in case

arm_load_kernel()
      ...
      if (!info->kernel_filename || info->firmware_loaded)

branch is taken, i.e. it's sufficient to provide a firmware
or do not provide kernel on CLI to skip cpu reset callback
registration, where before offending commit the callback
has been registered unconditionally.

Fix it by registering the callback right at the beginning of
arm_load_kernel() unconditionally instead of doing it at the end.

NOTE:
 we probably should eliminate that dependency anyways as well as
 separate arch CPU reset parts from arm_load_kernel() into CPU
 itself, but that refactoring that I probably would have to do
 anyways later for CPU hotplug to work.

Reported-by: Auger Eric <eric.auger@redhat.com>
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Tested-by: Eric Auger <eric.auger@redhat.com>
Message-id: 1527070950-208350-1-git-send-email-imammedo@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/boot.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/hw/arm/boot.c b/hw/arm/boot.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/boot.c
+++ b/hw/arm/boot.c
@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info)
     static const ARMInsnFixup *primary_loader;
     AddressSpace *as = arm_boot_address_space(cpu, info);
 
+    /* CPU objects (unlike devices) are not automatically reset on system
+     * reset, so we must always register a handler to do so. If we're
+     * actually loading a kernel, the handler is also responsible for
+     * arranging that we start it correctly.
+     */
+    for (cs = first_cpu; cs; cs = CPU_NEXT(cs)) {
+        qemu_register_reset(do_cpu_reset, ARM_CPU(cs));
+    }
+
     /* The board code is not supposed to set secure_board_setup unless
      * running its code in secure mode is actually possible, and KVM
      * doesn't support secure.
@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info)
         ARM_CPU(cs)->env.boot_info = info;
     }
 
-    /* CPU objects (unlike devices) are not automatically reset on system
-     * reset, so we must always register a handler to do so. If we're
-     * actually loading a kernel, the handler is also responsible for
-     * arranging that we start it correctly.
-     */
-    for (cs = first_cpu; cs; cs = CPU_NEXT(cs)) {
-        qemu_register_reset(do_cpu_reset, ARM_CPU(cs));
-    }
-
     if (!info->skip_dtb_autoload && have_dtb(info)) {
         if (arm_load_dtb(info->dtb_start, info, info->dtb_limit, as) < 0) {
             exit(1);
-- 
2.17.1

From: Paolo Bonzini <pbonzini@redhat.com>

cpregs_keys is an uint32_t* so the allocation should use uint32_t.
g_new is even better because it is type-safe.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/gdbstub.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/target/arm/gdbstub.c b/target/arm/gdbstub.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/gdbstub.c
+++ b/target/arm/gdbstub.c
@@ -XXX,XX +XXX,XX @@ int arm_gen_dynamic_xml(CPUState *cs)
     RegisterSysregXmlParam param = {cs, s};
 
     cpu->dyn_xml.num_cpregs = 0;
-    cpu->dyn_xml.cpregs_keys = g_malloc(sizeof(uint32_t *) *
-                                        g_hash_table_size(cpu->cp_regs));
+    cpu->dyn_xml.cpregs_keys = g_new(uint32_t, g_hash_table_size(cpu->cp_regs));
     g_string_printf(s, "<?xml version=\"1.0\"?>");
     g_string_append_printf(s, "<!DOCTYPE target SYSTEM \"gdb-target.dtd\">");
     g_string_append_printf(s, "<feature name=\"org.qemu.gdb.arm.sys.regs\">");
-- 
2.17.1

From: Francisco Iglesias <frasse.iglesias@gmail.com>

Coverity found that the string return by 'object_get_canonical_path' was not
being freed at two locations in the model (CID 1391294 and CID 1391293) and
also that a memset was being called with a value greater than the max of a byte
on the second argument (CID 1391286). This patch corrects this by adding the
freeing of the strings and also changing to memset to zero instead on
descriptor unaligned errors.

Signed-off-by: Francisco Iglesias <frasse.iglesias@gmail.com>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20180528184859.3530-1-frasse.iglesias@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/dma/xlnx-zdma.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/hw/dma/xlnx-zdma.c b/hw/dma/xlnx-zdma.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/dma/xlnx-zdma.c
+++ b/hw/dma/xlnx-zdma.c
@@ -XXX,XX +XXX,XX @@ static bool zdma_load_descriptor(XlnxZDMA *s, uint64_t addr, void *buf)
         qemu_log_mask(LOG_GUEST_ERROR,
                       "zdma: unaligned descriptor at %" PRIx64,
                       addr);
-        memset(buf, 0xdeadbeef, sizeof(XlnxZDMADescr));
+        memset(buf, 0x0, sizeof(XlnxZDMADescr));
         s->error = true;
         return false;
     }
@@ -XXX,XX +XXX,XX @@ static uint64_t zdma_read(void *opaque, hwaddr addr, unsigned size)
     RegisterInfo *r = &s->regs_info[addr / 4];
 
     if (!r->data) {
+        gchar *path = object_get_canonical_path(OBJECT(s));
         qemu_log("%s: Decode error: read from %" HWADDR_PRIx "\n",
-                 object_get_canonical_path(OBJECT(s)),
+                 path,
                  addr);
+        g_free(path);
         ARRAY_FIELD_DP32(s->regs, ZDMA_CH_ISR, INV_APB, true);
         zdma_ch_imr_update_irq(s);
         return 0;
@@ -XXX,XX +XXX,XX @@ static void zdma_write(void *opaque, hwaddr addr, uint64_t value,
     RegisterInfo *r = &s->regs_info[addr / 4];
 
     if (!r->data) {
+        gchar *path = object_get_canonical_path(OBJECT(s));
         qemu_log("%s: Decode error: write to %" HWADDR_PRIx "=%" PRIx64 "\n",
-                 object_get_canonical_path(OBJECT(s)),
+                 path,
                  addr, value);
+        g_free(path);
         ARRAY_FIELD_DP32(s->regs, ZDMA_CH_ISR, INV_APB, true);
         zdma_ch_imr_update_irq(s);
         return;
-- 
2.17.1

In commit f0aff255700 we made cpacr_write() enforce that some CPACR
bits are RAZ/WI and some are RAO/WI for ARMv7 cores. Unfortunately
we forgot to also update the register's reset value. The effect
was that (a) a guest that read CPACR on reset would not see ones in
the RAO bits, and (b) if you did a migration before the guest did
a write to the CPACR then the migration would fail because the
destination would enforce the RAO bits and then complain that they
didn't match the zero value from the source.

Implement reset for the CPACR using a custom reset function
that just calls cpacr_write(), to avoid having to duplicate
the logic for which bits are RAO.

This bug would affect migration for TCG CPUs which are ARMv7
with VFP but without one of Neon or VFPv3.

Reported-by: Cédric Le Goater <clg@kaod.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Cédric Le Goater <clg@kaod.org>
Message-id: 20180522173713.26282-1-peter.maydell@linaro.org
---
 target/arm/helper.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void cpacr_write(CPUARMState *env, const ARMCPRegInfo *ri,
     env->cp15.cpacr_el1 = value;
 }
 
+static void cpacr_reset(CPUARMState *env, const ARMCPRegInfo *ri)
+{
+    /* Call cpacr_write() so that we reset with the correct RAO bits set
+     * for our CPU features.
+     */
+    cpacr_write(env, ri, 0);
+}
+
 static CPAccessResult cpacr_access(CPUARMState *env, const ARMCPRegInfo *ri,
                                    bool isread)
 {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v6_cp_reginfo[] = {
     { .name = "CPACR", .state = ARM_CP_STATE_BOTH, .opc0 = 3,
       .crn = 1, .crm = 0, .opc1 = 0, .opc2 = 2, .accessfn = cpacr_access,
       .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, cp15.cpacr_el1),
-      .resetvalue = 0, .writefn = cpacr_write },
+      .resetfn = cpacr_reset, .writefn = cpacr_write },
     REGINFO_SENTINEL
 };
 
-- 
2.17.1

Add more detail to the documentation for memory_region_init_iommu()
and other IOMMU-related functions and data structures.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Message-id: 20180521140402.23318-2-peter.maydell@linaro.org
---
 include/exec/memory.h | 105 ++++++++++++++++++++++++++++++++++++++----
 1 file changed, 95 insertions(+), 10 deletions(-)

diff --git a/include/exec/memory.h b/include/exec/memory.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/memory.h
+++ b/include/exec/memory.h
@@ -XXX,XX +XXX,XX @@ enum IOMMUMemoryRegionAttr {
     IOMMU_ATTR_SPAPR_TCE_FD
 };
 
+/**
+ * IOMMUMemoryRegionClass:
+ *
+ * All IOMMU implementations need to subclass TYPE_IOMMU_MEMORY_REGION
+ * and provide an implementation of at least the @translate method here
+ * to handle requests to the memory region. Other methods are optional.
+ *
+ * The IOMMU implementation must use the IOMMU notifier infrastructure
+ * to report whenever mappings are changed, by calling
+ * memory_region_notify_iommu() (or, if necessary, by calling
+ * memory_region_notify_one() for each registered notifier).
+ */
 typedef struct IOMMUMemoryRegionClass {
     /* private */
     struct DeviceClass parent_class;
 
     /*
-     * Return a TLB entry that contains a given address. Flag should
-     * be the access permission of this translation operation. We can
-     * set flag to IOMMU_NONE to mean that we don't need any
-     * read/write permission checks, like, when for region replay.
+     * Return a TLB entry that contains a given address.
+     *
+     * The IOMMUAccessFlags indicated via @flag are optional and may
+     * be specified as IOMMU_NONE to indicate that the caller needs
+     * the full translation information for both reads and writes. If
+     * the access flags are specified then the IOMMU implementation
+     * may use this as an optimization, to stop doing a page table
+     * walk as soon as it knows that the requested permissions are not
+     * allowed. If IOMMU_NONE is passed then the IOMMU must do the
+     * full page table walk and report the permissions in the returned
+     * IOMMUTLBEntry. (Note that this implies that an IOMMU may not
+     * return different mappings for reads and writes.)
+     *
+     * The returned information remains valid while the caller is
+     * holding the big QEMU lock or is inside an RCU critical section;
+     * if the caller wishes to cache the mapping beyond that it must
+     * register an IOMMU notifier so it can invalidate its cached
+     * information when the IOMMU mapping changes.
+     *
+     * @iommu: the IOMMUMemoryRegion
+     * @hwaddr: address to be translated within the memory region
+     * @flag: requested access permissions
      */
     IOMMUTLBEntry (*translate)(IOMMUMemoryRegion *iommu, hwaddr addr,
                                IOMMUAccessFlags flag);
-    /* Returns minimum supported page size */
+    /* Returns minimum supported page size in bytes.
+     * If this method is not provided then the minimum is assumed to
+     * be TARGET_PAGE_SIZE.
+     *
+     * @iommu: the IOMMUMemoryRegion
+     */
     uint64_t (*get_min_page_size)(IOMMUMemoryRegion *iommu);
-    /* Called when IOMMU Notifier flag changed */
+    /* Called when IOMMU Notifier flag changes (ie when the set of
+     * events which IOMMU users are requesting notification for changes).
+     * Optional method -- need not be provided if the IOMMU does not
+     * need to know exactly which events must be notified.
+     *
+     * @iommu: the IOMMUMemoryRegion
+     * @old_flags: events which previously needed to be notified
+     * @new_flags: events which now need to be notified
+     */
     void (*notify_flag_changed)(IOMMUMemoryRegion *iommu,
                                 IOMMUNotifierFlag old_flags,
                                 IOMMUNotifierFlag new_flags);
-    /* Set this up to provide customized IOMMU replay function */
+    /* Called to handle memory_region_iommu_replay().
+     *
+     * The default implementation of memory_region_iommu_replay() is to
+     * call the IOMMU translate method for every page in the address space
+     * with flag == IOMMU_NONE and then call the notifier if translate
+     * returns a valid mapping. If this method is implemented then it
+     * overrides the default behaviour, and must provide the full semantics
+     * of memory_region_iommu_replay(), by calling @notifier for every
+     * translation present in the IOMMU.
+     *
+     * Optional method -- an IOMMU only needs to provide this method
+     * if the default is inefficient or produces undesirable side effects.
+     *
+     * Note: this is not related to record-and-replay functionality.
+     */
     void (*replay)(IOMMUMemoryRegion *iommu, IOMMUNotifier *notifier);
 
-    /* Get IOMMU misc attributes */
-    int (*get_attr)(IOMMUMemoryRegion *iommu, enum IOMMUMemoryRegionAttr,
+    /* Get IOMMU misc attributes. This is an optional method that
+     * can be used to allow users of the IOMMU to get implementation-specific
+     * information. The IOMMU implements this method to handle calls
+     * by IOMMU users to memory_region_iommu_get_attr() by filling in
+     * the arbitrary data pointer for any IOMMUMemoryRegionAttr values that
+     * the IOMMU supports. If the method is unimplemented then
+     * memory_region_iommu_get_attr() will always return -EINVAL.
+     *
+     * @iommu: the IOMMUMemoryRegion
+     * @attr: attribute being queried
+     * @data: memory to fill in with the attribute data
+     *
+     * Returns 0 on success, or a negative errno; in particular
+     * returns -EINVAL for unrecognized or unimplemented attribute types.
+     */
+    int (*get_attr)(IOMMUMemoryRegion *iommu, enum IOMMUMemoryRegionAttr attr,
                     void *data);
 } IOMMUMemoryRegionClass;
 
@@ -XXX,XX +XXX,XX @@ static inline void memory_region_init_reservation(MemoryRegion *mr,
  * An IOMMU region translates addresses and forwards accesses to a target
  * memory region.
  *
+ * The IOMMU implementation must define a subclass of TYPE_IOMMU_MEMORY_REGION.
+ * @_iommu_mr should be a pointer to enough memory for an instance of
+ * that subclass, @instance_size is the size of that subclass, and
+ * @mrtypename is its name. This function will initialize @_iommu_mr as an
+ * instance of the subclass, and its methods will then be called to handle
+ * accesses to the memory region. See the documentation of
+ * #IOMMUMemoryRegionClass for further details.
+ *
  * @_iommu_mr: the #IOMMUMemoryRegion to be initialized
  * @instance_size: the IOMMUMemoryRegion subclass instance size
  * @mrtypename: the type name of the #IOMMUMemoryRegion
@@ -XXX,XX +XXX,XX @@ void memory_region_register_iommu_notifier(MemoryRegion *mr,
  * a notifier with the minimum page granularity returned by
  * mr->iommu_ops->get_page_size().
  *
+ * Note: this is not related to record-and-replay functionality.
+ *
  * @iommu_mr: the memory region to observe
  * @n: the notifier to which to replay iommu mappings
  */
@@ -XXX,XX +XXX,XX @@ void memory_region_iommu_replay(IOMMUMemoryRegion *iommu_mr, IOMMUNotifier *n);
  * memory_region_iommu_replay_all: replay existing IOMMU translations
  * to all the notifiers registered.
  *
+ * Note: this is not related to record-and-replay functionality.
+ *
  * @iommu_mr: the memory region to observe
  */
 void memory_region_iommu_replay_all(IOMMUMemoryRegion *iommu_mr);
@@ -XXX,XX +XXX,XX @@ void memory_region_unregister_iommu_notifier(MemoryRegion *mr,
  * memory_region_iommu_get_attr: return an IOMMU attr if get_attr() is
  * defined on the IOMMU.
  *
- * Returns 0 if succeded, error code otherwise.
+ * Returns 0 on success, or a negative errno otherwise. In particular,
+ * -EINVAL indicates that the IOMMU does not support the requested
+ * attribute.
  *
  * @iommu_mr: the memory region
  * @attr: the requested attribute
-- 
2.17.1

As part of plumbing MemTxAttrs down to the IOMMU translate method,
add MemTxAttrs as an argument to tb_invalidate_phys_addr().
Its callers either have an attrs value to hand, or don't care
and can use MEMTXATTRS_UNSPECIFIED.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20180521140402.23318-3-peter.maydell@linaro.org
---
 include/exec/exec-all.h   | 5 +++--
 accel/tcg/translate-all.c | 2 +-
 exec.c                    | 2 +-
 target/xtensa/op_helper.c | 3 ++-
 4 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/exec-all.h
+++ b/include/exec/exec-all.h
@@ -XXX,XX +XXX,XX @@ void tlb_set_page_with_attrs(CPUState *cpu, target_ulong vaddr,
 void tlb_set_page(CPUState *cpu, target_ulong vaddr,
                   hwaddr paddr, int prot,
                   int mmu_idx, target_ulong size);
-void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr);
+void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr, MemTxAttrs attrs);
 void probe_write(CPUArchState *env, target_ulong addr, int size, int mmu_idx,
                  uintptr_t retaddr);
 #else
@@ -XXX,XX +XXX,XX @@ static inline void tlb_flush_by_mmuidx_all_cpus_synced(CPUState *cpu,
                                                        uint16_t idxmap)
 {
 }
-static inline void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr)
+static inline void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr,
+                                           MemTxAttrs attrs)
 {
 }
 #endif
diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/translate-all.c
+++ b/accel/tcg/translate-all.c
@@ -XXX,XX +XXX,XX @@ static TranslationBlock *tb_find_pc(uintptr_t tc_ptr)
 }
 
 #if !defined(CONFIG_USER_ONLY)
-void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr)
+void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr, MemTxAttrs attrs)
 {
     ram_addr_t ram_addr;
     MemoryRegion *mr;
diff --git a/exec.c b/exec.c
index XXXXXXX..XXXXXXX 100644
--- a/exec.c
+++ b/exec.c
@@ -XXX,XX +XXX,XX @@ static void breakpoint_invalidate(CPUState *cpu, target_ulong pc)
     if (phys != -1) {
         /* Locks grabbed by tb_invalidate_phys_addr */
         tb_invalidate_phys_addr(cpu->cpu_ases[asidx].as,
-                                phys | (pc & ~TARGET_PAGE_MASK));
+                                phys | (pc & ~TARGET_PAGE_MASK), attrs);
     }
 }
 #endif
diff --git a/target/xtensa/op_helper.c b/target/xtensa/op_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/xtensa/op_helper.c
+++ b/target/xtensa/op_helper.c
@@ -XXX,XX +XXX,XX @@ static void tb_invalidate_virtual_addr(CPUXtensaState *env, uint32_t vaddr)
     int ret = xtensa_get_physical_addr(env, false, vaddr, 2, 0,
             &paddr, &page_size, &access);
     if (ret == 0) {
-        tb_invalidate_phys_addr(&address_space_memory, paddr);
+        tb_invalidate_phys_addr(&address_space_memory, paddr,
+                                MEMTXATTRS_UNSPECIFIED);
     }
 }
 
-- 
2.17.1

As part of plumbing MemTxAttrs down to the IOMMU translate method,
add MemTxAttrs as an argument to address_space_translate()
and address_space_translate_cached(). Callers either have an
attrs value to hand, or don't care and can use MEMTXATTRS_UNSPECIFIED.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180521140402.23318-4-peter.maydell@linaro.org
---
 include/exec/memory.h     |  4 +++-
 accel/tcg/translate-all.c |  2 +-
 exec.c                    | 14 +++++++++-----
 hw/vfio/common.c          |  3 ++-
 memory_ldst.inc.c         | 18 +++++++++---------
 target/riscv/helper.c     |  2 +-
 6 files changed, 25 insertions(+), 18 deletions(-)

diff --git a/include/exec/memory.h b/include/exec/memory.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/memory.h
+++ b/include/exec/memory.h
@@ -XXX,XX +XXX,XX @@ IOMMUTLBEntry address_space_get_iotlb_entry(AddressSpace *as, hwaddr addr,
  * #MemoryRegion.
  * @len: pointer to length
  * @is_write: indicates the transfer direction
+ * @attrs: memory attributes
  */
 MemoryRegion *flatview_translate(FlatView *fv,
                                  hwaddr addr, hwaddr *xlat,
@@ -XXX,XX +XXX,XX @@ MemoryRegion *flatview_translate(FlatView *fv,
 
 static inline MemoryRegion *address_space_translate(AddressSpace *as,
                                                     hwaddr addr, hwaddr *xlat,
-                                                    hwaddr *len, bool is_write)
+                                                    hwaddr *len, bool is_write,
+                                                    MemTxAttrs attrs)
 {
     return flatview_translate(address_space_to_flatview(as),
                               addr, xlat, len, is_write);
diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/translate-all.c
+++ b/accel/tcg/translate-all.c
@@ -XXX,XX +XXX,XX @@ void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr, MemTxAttrs attrs)
     hwaddr l = 1;
 
     rcu_read_lock();
-    mr = address_space_translate(as, addr, &addr, &l, false);
+    mr = address_space_translate(as, addr, &addr, &l, false, attrs);
     if (!(memory_region_is_ram(mr)
           || memory_region_is_romd(mr))) {
         rcu_read_unlock();
diff --git a/exec.c b/exec.c
index XXXXXXX..XXXXXXX 100644
--- a/exec.c
+++ b/exec.c
@@ -XXX,XX +XXX,XX @@ static inline void cpu_physical_memory_write_rom_internal(AddressSpace *as,
     rcu_read_lock();
     while (len > 0) {
         l = len;
-        mr = address_space_translate(as, addr, &addr1, &l, true);
+        mr = address_space_translate(as, addr, &addr1, &l, true,
+                                     MEMTXATTRS_UNSPECIFIED);
 
         if (!(memory_region_is_ram(mr) ||
               memory_region_is_romd(mr))) {
@@ -XXX,XX +XXX,XX @@ void address_space_cache_destroy(MemoryRegionCache *cache)
  */
 static inline MemoryRegion *address_space_translate_cached(
     MemoryRegionCache *cache, hwaddr addr, hwaddr *xlat,
-    hwaddr *plen, bool is_write)
+    hwaddr *plen, bool is_write, MemTxAttrs attrs)
 {
     MemoryRegionSection section;
     MemoryRegion *mr;
@@ -XXX,XX +XXX,XX @@ address_space_read_cached_slow(MemoryRegionCache *cache, hwaddr addr,
     MemoryRegion *mr;
 
     l = len;
-    mr = address_space_translate_cached(cache, addr, &addr1, &l, false);
+    mr = address_space_translate_cached(cache, addr, &addr1, &l, false,
+                                        MEMTXATTRS_UNSPECIFIED);
     flatview_read_continue(cache->fv,
                            addr, MEMTXATTRS_UNSPECIFIED, buf, len,
                            addr1, l, mr);
@@ -XXX,XX +XXX,XX @@ address_space_write_cached_slow(MemoryRegionCache *cache, hwaddr addr,
     MemoryRegion *mr;
 
     l = len;
-    mr = address_space_translate_cached(cache, addr, &addr1, &l, true);
+    mr = address_space_translate_cached(cache, addr, &addr1, &l, true,
+                                        MEMTXATTRS_UNSPECIFIED);
     flatview_write_continue(cache->fv,
                             addr, MEMTXATTRS_UNSPECIFIED, buf, len,
                             addr1, l, mr);
@@ -XXX,XX +XXX,XX @@ bool cpu_physical_memory_is_io(hwaddr phys_addr)
 
     rcu_read_lock();
     mr = address_space_translate(&address_space_memory,
-                                 phys_addr, &phys_addr, &l, false);
+                                 phys_addr, &phys_addr, &l, false,
+                                 MEMTXATTRS_UNSPECIFIED);
 
     res = !(memory_region_is_ram(mr) || memory_region_is_romd(mr));
     rcu_read_unlock();
diff --git a/hw/vfio/common.c b/hw/vfio/common.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/vfio/common.c
+++ b/hw/vfio/common.c
@@ -XXX,XX +XXX,XX @@ static bool vfio_get_vaddr(IOMMUTLBEntry *iotlb, void **vaddr,
      */
     mr = address_space_translate(&address_space_memory,
                                  iotlb->translated_addr,
-                                 &xlat, &len, writable);
+                                 &xlat, &len, writable,
+                                 MEMTXATTRS_UNSPECIFIED);
     if (!memory_region_is_ram(mr)) {
         error_report("iommu map to non memory area %"HWADDR_PRIx"",
                      xlat);
diff --git a/memory_ldst.inc.c b/memory_ldst.inc.c
index XXXXXXX..XXXXXXX 100644
--- a/memory_ldst.inc.c
+++ b/memory_ldst.inc.c
@@ -XXX,XX +XXX,XX @@ static inline uint32_t glue(address_space_ldl_internal, SUFFIX)(ARG1_DECL,
     bool release_lock = false;
 
     RCU_READ_LOCK();
-    mr = TRANSLATE(addr, &addr1, &l, false);
+    mr = TRANSLATE(addr, &addr1, &l, false, attrs);
     if (l < 4 || !IS_DIRECT(mr, false)) {
         release_lock |= prepare_mmio_access(mr);
 
@@ -XXX,XX +XXX,XX @@ static inline uint64_t glue(address_space_ldq_internal, SUFFIX)(ARG1_DECL,
     bool release_lock = false;
 
     RCU_READ_LOCK();
-    mr = TRANSLATE(addr, &addr1, &l, false);
+    mr = TRANSLATE(addr, &addr1, &l, false, attrs);
     if (l < 8 || !IS_DIRECT(mr, false)) {
         release_lock |= prepare_mmio_access(mr);
 
@@ -XXX,XX +XXX,XX @@ uint32_t glue(address_space_ldub, SUFFIX)(ARG1_DECL,
     bool release_lock = false;
 
     RCU_READ_LOCK();
-    mr = TRANSLATE(addr, &addr1, &l, false);
+    mr = TRANSLATE(addr, &addr1, &l, false, attrs);
     if (!IS_DIRECT(mr, false)) {
         release_lock |= prepare_mmio_access(mr);
 
@@ -XXX,XX +XXX,XX @@ static inline uint32_t glue(address_space_lduw_internal, SUFFIX)(ARG1_DECL,
     bool release_lock = false;
 
     RCU_READ_LOCK();
-    mr = TRANSLATE(addr, &addr1, &l, false);
+    mr = TRANSLATE(addr, &addr1, &l, false, attrs);
     if (l < 2 || !IS_DIRECT(mr, false)) {
         release_lock |= prepare_mmio_access(mr);
 
@@ -XXX,XX +XXX,XX @@ void glue(address_space_stl_notdirty, SUFFIX)(ARG1_DECL,
     bool release_lock = false;
 
     RCU_READ_LOCK();
-    mr = TRANSLATE(addr, &addr1, &l, true);
+    mr = TRANSLATE(addr, &addr1, &l, true, attrs);
     if (l < 4 || !IS_DIRECT(mr, true)) {
         release_lock |= prepare_mmio_access(mr);
 
@@ -XXX,XX +XXX,XX @@ static inline void glue(address_space_stl_internal, SUFFIX)(ARG1_DECL,
     bool release_lock = false;
 
     RCU_READ_LOCK();
-    mr = TRANSLATE(addr, &addr1, &l, true);
+    mr = TRANSLATE(addr, &addr1, &l, true, attrs);
     if (l < 4 || !IS_DIRECT(mr, true)) {
         release_lock |= prepare_mmio_access(mr);
 
@@ -XXX,XX +XXX,XX @@ void glue(address_space_stb, SUFFIX)(ARG1_DECL,
     bool release_lock = false;
 
     RCU_READ_LOCK();
-    mr = TRANSLATE(addr, &addr1, &l, true);
+    mr = TRANSLATE(addr, &addr1, &l, true, attrs);
     if (!IS_DIRECT(mr, true)) {
         release_lock |= prepare_mmio_access(mr);
         r = memory_region_dispatch_write(mr, addr1, val, 1, attrs);
@@ -XXX,XX +XXX,XX @@ static inline void glue(address_space_stw_internal, SUFFIX)(ARG1_DECL,
     bool release_lock = false;
 
     RCU_READ_LOCK();
-    mr = TRANSLATE(addr, &addr1, &l, true);
+    mr = TRANSLATE(addr, &addr1, &l, true, attrs);
     if (l < 2 || !IS_DIRECT(mr, true)) {
         release_lock |= prepare_mmio_access(mr);
 
@@ -XXX,XX +XXX,XX @@ static void glue(address_space_stq_internal, SUFFIX)(ARG1_DECL,
     bool release_lock = false;
 
     RCU_READ_LOCK();
-    mr = TRANSLATE(addr, &addr1, &l, true);
+    mr = TRANSLATE(addr, &addr1, &l, true, attrs);
     if (l < 8 || !IS_DIRECT(mr, true)) {
         release_lock |= prepare_mmio_access(mr);
 
diff --git a/target/riscv/helper.c b/target/riscv/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/helper.c
+++ b/target/riscv/helper.c
@@ -XXX,XX +XXX,XX @@ restart:
                 MemoryRegion *mr;
                 hwaddr l = sizeof(target_ulong), addr1;
                 mr = address_space_translate(cs->as, pte_addr,
-                    &addr1, &l, false);
+                    &addr1, &l, false, MEMTXATTRS_UNSPECIFIED);
                 if (memory_access_is_direct(mr, true)) {
                     target_ulong *pte_pa =
                         qemu_map_ram_ptr(mr->ram_block, addr1);
-- 
2.17.1

As part of plumbing MemTxAttrs down to the IOMMU translate method,
add MemTxAttrs as an argument to address_space_map().
Its callers either have an attrs value to hand, or don't care
and can use MEMTXATTRS_UNSPECIFIED.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180521140402.23318-5-peter.maydell@linaro.org
---
 include/exec/memory.h   | 3 ++-
 include/sysemu/dma.h    | 3 ++-
 exec.c                  | 6 ++++--
 target/ppc/mmu-hash64.c | 3 ++-
 4 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/include/exec/memory.h b/include/exec/memory.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/memory.h
+++ b/include/exec/memory.h
@@ -XXX,XX +XXX,XX @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr, int len, bool is_
  * @addr: address within that address space
  * @plen: pointer to length of buffer; updated on return
  * @is_write: indicates the transfer direction
+ * @attrs: memory attributes
  */
 void *address_space_map(AddressSpace *as, hwaddr addr,
-                        hwaddr *plen, bool is_write);
+                        hwaddr *plen, bool is_write, MemTxAttrs attrs);
 
 /* address_space_unmap: Unmaps a memory region previously mapped by address_space_map()
  *
diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h
index XXXXXXX..XXXXXXX 100644
--- a/include/sysemu/dma.h
+++ b/include/sysemu/dma.h
@@ -XXX,XX +XXX,XX @@ static inline void *dma_memory_map(AddressSpace *as,
     hwaddr xlen = *len;
     void *p;
 
-    p = address_space_map(as, addr, &xlen, dir == DMA_DIRECTION_FROM_DEVICE);
+    p = address_space_map(as, addr, &xlen, dir == DMA_DIRECTION_FROM_DEVICE,
+                          MEMTXATTRS_UNSPECIFIED);
     *len = xlen;
     return p;
 }
diff --git a/exec.c b/exec.c
index XXXXXXX..XXXXXXX 100644
--- a/exec.c
+++ b/exec.c
@@ -XXX,XX +XXX,XX @@ flatview_extend_translation(FlatView *fv, hwaddr addr,
 void *address_space_map(AddressSpace *as,
                         hwaddr addr,
                         hwaddr *plen,
-                        bool is_write)
+                        bool is_write,
+                        MemTxAttrs attrs)
 {
     hwaddr len = *plen;
     hwaddr l, xlat;
@@ -XXX,XX +XXX,XX @@ void *cpu_physical_memory_map(hwaddr addr,
                               hwaddr *plen,
                               int is_write)
 {
-    return address_space_map(&address_space_memory, addr, plen, is_write);
+    return address_space_map(&address_space_memory, addr, plen, is_write,
+                             MEMTXATTRS_UNSPECIFIED);
 }
 
 void cpu_physical_memory_unmap(void *buffer, hwaddr len,
diff --git a/target/ppc/mmu-hash64.c b/target/ppc/mmu-hash64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/ppc/mmu-hash64.c
+++ b/target/ppc/mmu-hash64.c
@@ -XXX,XX +XXX,XX @@ const ppc_hash_pte64_t *ppc_hash64_map_hptes(PowerPCCPU *cpu,
         return NULL;
     }
 
-    hptes = address_space_map(CPU(cpu)->as, base + pte_offset, &plen, false);
+    hptes = address_space_map(CPU(cpu)->as, base + pte_offset, &plen, false,
+                              MEMTXATTRS_UNSPECIFIED);
     if (plen < (n * HASH_PTE_SIZE_64)) {
         hw_error("%s: Unable to map all requested HPTEs\n", __func__);
     }
-- 
2.17.1

As part of plumbing MemTxAttrs down to the IOMMU translate method,
add MemTxAttrs as an argument to address_space_access_valid().
Its callers either have an attrs value to hand, or don't care
and can use MEMTXATTRS_UNSPECIFIED.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180521140402.23318-6-peter.maydell@linaro.org
---
 include/exec/memory.h      | 4 +++-
 include/sysemu/dma.h       | 3 ++-
 exec.c                     | 3 ++-
 target/s390x/diag.c        | 6 ++++--
 target/s390x/excp_helper.c | 3 ++-
 target/s390x/mmu_helper.c  | 3 ++-
 target/s390x/sigp.c        | 3 ++-
 7 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/include/exec/memory.h b/include/exec/memory.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/memory.h
+++ b/include/exec/memory.h
@@ -XXX,XX +XXX,XX @@ static inline MemoryRegion *address_space_translate(AddressSpace *as,
  * @addr: address within that address space
  * @len: length of the area to be checked
  * @is_write: indicates the transfer direction
+ * @attrs: memory attributes
  */
-bool address_space_access_valid(AddressSpace *as, hwaddr addr, int len, bool is_write);
+bool address_space_access_valid(AddressSpace *as, hwaddr addr, int len,
+                                bool is_write, MemTxAttrs attrs);
 
 /* address_space_map: map a physical memory region into a host virtual address
  *
diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h
index XXXXXXX..XXXXXXX 100644
--- a/include/sysemu/dma.h
+++ b/include/sysemu/dma.h
@@ -XXX,XX +XXX,XX @@ static inline bool dma_memory_valid(AddressSpace *as,
                                     DMADirection dir)
 {
     return address_space_access_valid(as, addr, len,
-                                      dir == DMA_DIRECTION_FROM_DEVICE);
+                                      dir == DMA_DIRECTION_FROM_DEVICE,
+                                      MEMTXATTRS_UNSPECIFIED);
 }
 
 static inline int dma_memory_rw_relaxed(AddressSpace *as, dma_addr_t addr,
diff --git a/exec.c b/exec.c
index XXXXXXX..XXXXXXX 100644
--- a/exec.c
+++ b/exec.c
@@ -XXX,XX +XXX,XX @@ static bool flatview_access_valid(FlatView *fv, hwaddr addr, int len,
 }
 
 bool address_space_access_valid(AddressSpace *as, hwaddr addr,
-                                int len, bool is_write)
+                                int len, bool is_write,
+                                MemTxAttrs attrs)
 {
     FlatView *fv;
     bool result;
diff --git a/target/s390x/diag.c b/target/s390x/diag.c
index XXXXXXX..XXXXXXX 100644
--- a/target/s390x/diag.c
+++ b/target/s390x/diag.c
@@ -XXX,XX +XXX,XX @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra)
             return;
         }
         if (!address_space_access_valid(&address_space_memory, addr,
-                                        sizeof(IplParameterBlock), false)) {
+                                        sizeof(IplParameterBlock), false,
+                                        MEMTXATTRS_UNSPECIFIED)) {
             s390_program_interrupt(env, PGM_ADDRESSING, ILEN_AUTO, ra);
             return;
         }
@@ -XXX,XX +XXX,XX @@ out:
             return;
         }
         if (!address_space_access_valid(&address_space_memory, addr,
-                                        sizeof(IplParameterBlock), true)) {
+                                        sizeof(IplParameterBlock), true,
+                                        MEMTXATTRS_UNSPECIFIED)) {
             s390_program_interrupt(env, PGM_ADDRESSING, ILEN_AUTO, ra);
             return;
         }
diff --git a/target/s390x/excp_helper.c b/target/s390x/excp_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/s390x/excp_helper.c
+++ b/target/s390x/excp_helper.c
@@ -XXX,XX +XXX,XX @@ int s390_cpu_handle_mmu_fault(CPUState *cs, vaddr orig_vaddr, int size,
 
     /* check out of RAM access */
     if (!address_space_access_valid(&address_space_memory, raddr,
-                                    TARGET_PAGE_SIZE, rw)) {
+                                    TARGET_PAGE_SIZE, rw,
+                                    MEMTXATTRS_UNSPECIFIED)) {
         DPRINTF("%s: raddr %" PRIx64 " > ram_size %" PRIx64 "\n", __func__,
                 (uint64_t)raddr, (uint64_t)ram_size);
         trigger_pgm_exception(env, PGM_ADDRESSING, ILEN_AUTO);
diff --git a/target/s390x/mmu_helper.c b/target/s390x/mmu_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/s390x/mmu_helper.c
+++ b/target/s390x/mmu_helper.c
@@ -XXX,XX +XXX,XX @@ static int translate_pages(S390CPU *cpu, vaddr addr, int nr_pages,
             return ret;
         }
         if (!address_space_access_valid(&address_space_memory, pages[i],
-                                        TARGET_PAGE_SIZE, is_write)) {
+                                        TARGET_PAGE_SIZE, is_write,
+                                        MEMTXATTRS_UNSPECIFIED)) {
             trigger_access_exception(env, PGM_ADDRESSING, ILEN_AUTO, 0);
             return -EFAULT;
         }
diff --git a/target/s390x/sigp.c b/target/s390x/sigp.c
index XXXXXXX..XXXXXXX 100644
--- a/target/s390x/sigp.c
+++ b/target/s390x/sigp.c
@@ -XXX,XX +XXX,XX @@ static void sigp_set_prefix(CPUState *cs, run_on_cpu_data arg)
     cpu_synchronize_state(cs);
 
     if (!address_space_access_valid(&address_space_memory, addr,
-                                    sizeof(struct LowCore), false)) {
+                                    sizeof(struct LowCore), false,
+                                    MEMTXATTRS_UNSPECIFIED)) {
         set_sigp_status(si, SIGP_STAT_INVALID_PARAMETER);
         return;
     }
-- 
2.17.1

As part of plumbing MemTxAttrs down to the IOMMU translate method,
add MemTxAttrs as an argument to flatview_extend_translation().
Its callers either have an attrs value to hand, or don't care
and can use MEMTXATTRS_UNSPECIFIED.

diff --git a/exec.c b/exec.c
index XXXXXXX..XXXXXXX 100644
--- a/exec.c
+++ b/exec.c
@@ -XXX,XX +XXX,XX @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr,
 
 static hwaddr
 flatview_extend_translation(FlatView *fv, hwaddr addr,
-                                 hwaddr target_len,
-                                 MemoryRegion *mr, hwaddr base, hwaddr len,
-                                 bool is_write)
+                            hwaddr target_len,
+                            MemoryRegion *mr, hwaddr base, hwaddr len,
+                            bool is_write, MemTxAttrs attrs)
 {
     hwaddr done = 0;
     hwaddr xlat;
@@ -XXX,XX +XXX,XX @@ void *address_space_map(AddressSpace *as,
 
     memory_region_ref(mr);
     *plen = flatview_extend_translation(fv, addr, len, mr, xlat,
-                                             l, is_write);
+                                        l, is_write, attrs);
     ptr = qemu_ram_ptr_length(mr->ram_block, xlat, plen, true);
     rcu_read_unlock();
 
@@ -XXX,XX +XXX,XX @@ int64_t address_space_cache_init(MemoryRegionCache *cache,
     mr = cache->mrs.mr;
     memory_region_ref(mr);
     if (memory_access_is_direct(mr, is_write)) {
+        /* We don't care about the memory attributes here as we're only
+         * doing this if we found actual RAM, which behaves the same
+         * regardless of attributes; so UNSPECIFIED is fine.
+         */
         l = flatview_extend_translation(cache->fv, addr, len, mr,
-                                        cache->xlat, l, is_write);
+                                        cache->xlat, l, is_write,
+                                        MEMTXATTRS_UNSPECIFIED);
         cache->ptr = qemu_ram_ptr_length(mr->ram_block, cache->xlat, &l, true);
     } else {
         cache->ptr = NULL;
-- 
2.17.1

As part of plumbing MemTxAttrs down to the IOMMU translate method,
add MemTxAttrs as an argument to memory_region_access_valid().
Its callers either have an attrs value to hand, or don't care
and can use MEMTXATTRS_UNSPECIFIED.

The callsite in flatview_access_valid() is part of a recursive
loop flatview_access_valid() -> memory_region_access_valid() ->
 subpage_accepts() -> flatview_access_valid(); we make it pass
MEMTXATTRS_UNSPECIFIED for now, until the next several commits
have plumbed an attrs parameter through the rest of the loop
and we can add an attrs parameter to flatview_access_valid().

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180521140402.23318-8-peter.maydell@linaro.org
---
 include/exec/memory-internal.h | 3 ++-
 exec.c                         | 4 +++-
 hw/s390x/s390-pci-inst.c       | 3 ++-
 memory.c                       | 7 ++++---
 4 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/include/exec/memory-internal.h b/include/exec/memory-internal.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/memory-internal.h
+++ b/include/exec/memory-internal.h
@@ -XXX,XX +XXX,XX @@ void flatview_unref(FlatView *view);
 extern const MemoryRegionOps unassigned_mem_ops;
 
 bool memory_region_access_valid(MemoryRegion *mr, hwaddr addr,
-                                unsigned size, bool is_write);
+                                unsigned size, bool is_write,
+                                MemTxAttrs attrs);
 
 void flatview_add_to_dispatch(FlatView *fv, MemoryRegionSection *section);
 AddressSpaceDispatch *address_space_dispatch_new(FlatView *fv);
diff --git a/exec.c b/exec.c
index XXXXXXX..XXXXXXX 100644
--- a/exec.c
+++ b/exec.c
@@ -XXX,XX +XXX,XX @@ static bool flatview_access_valid(FlatView *fv, hwaddr addr, int len,
         mr = flatview_translate(fv, addr, &xlat, &l, is_write);
         if (!memory_access_is_direct(mr, is_write)) {
             l = memory_access_size(mr, l, addr);
-            if (!memory_region_access_valid(mr, xlat, l, is_write)) {
+            /* When our callers all have attrs we'll pass them through here */
+            if (!memory_region_access_valid(mr, xlat, l, is_write,
+                                            MEMTXATTRS_UNSPECIFIED)) {
                 return false;
             }
         }
diff --git a/hw/s390x/s390-pci-inst.c b/hw/s390x/s390-pci-inst.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/s390x/s390-pci-inst.c
+++ b/hw/s390x/s390-pci-inst.c
@@ -XXX,XX +XXX,XX @@ int pcistb_service_call(S390CPU *cpu, uint8_t r1, uint8_t r3, uint64_t gaddr,
     mr = s390_get_subregion(mr, offset, len);
     offset -= mr->addr;
 
-    if (!memory_region_access_valid(mr, offset, len, true)) {
+    if (!memory_region_access_valid(mr, offset, len, true,
+                                    MEMTXATTRS_UNSPECIFIED)) {
         s390_program_interrupt(env, PGM_OPERAND, 6, ra);
         return 0;
     }
diff --git a/memory.c b/memory.c
index XXXXXXX..XXXXXXX 100644
--- a/memory.c
+++ b/memory.c
@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps ram_device_mem_ops = {
 bool memory_region_access_valid(MemoryRegion *mr,
                                 hwaddr addr,
                                 unsigned size,
-                                bool is_write)
+                                bool is_write,
+                                MemTxAttrs attrs)
 {
     int access_size_min, access_size_max;
     int access_size, i;
@@ -XXX,XX +XXX,XX @@ MemTxResult memory_region_dispatch_read(MemoryRegion *mr,
 {
     MemTxResult r;
 
-    if (!memory_region_access_valid(mr, addr, size, false)) {
+    if (!memory_region_access_valid(mr, addr, size, false, attrs)) {
         *pval = unassigned_mem_read(mr, addr, size);
         return MEMTX_DECODE_ERROR;
     }
@@ -XXX,XX +XXX,XX @@ MemTxResult memory_region_dispatch_write(MemoryRegion *mr,
                                          unsigned size,
                                          MemTxAttrs attrs)
 {
-    if (!memory_region_access_valid(mr, addr, size, true)) {
+    if (!memory_region_access_valid(mr, addr, size, true, attrs)) {
         unassigned_mem_write(mr, addr, data, size);
         return MEMTX_DECODE_ERROR;
     }
-- 
2.17.1

As part of plumbing MemTxAttrs down to the IOMMU translate method,
add MemTxAttrs as an argument to the MemoryRegion valid.accepts
callback. We'll need this for subpage_accepts().

We could take the approach we used with the read and write
callbacks and add new a new _with_attrs version, but since there
are so few implementations of the accepts hook we just change
them all.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20180521140402.23318-9-peter.maydell@linaro.org
---
 include/exec/memory.h |  3 ++-
 exec.c                |  9 ++++++---
 hw/hppa/dino.c        |  3 ++-
 hw/nvram/fw_cfg.c     | 12 ++++++++----
 hw/scsi/esp.c         |  3 ++-
 hw/xen/xen_pt_msi.c   |  3 ++-
 memory.c              |  5 +++--
 7 files changed, 25 insertions(+), 13 deletions(-)

diff --git a/include/exec/memory.h b/include/exec/memory.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/memory.h
+++ b/include/exec/memory.h
@@ -XXX,XX +XXX,XX @@ struct MemoryRegionOps {
          * as a machine check exception).
          */
         bool (*accepts)(void *opaque, hwaddr addr,
-                        unsigned size, bool is_write);
+                        unsigned size, bool is_write,
+                        MemTxAttrs attrs);
     } valid;
     /* Internal implementation constraints: */
     struct {
diff --git a/exec.c b/exec.c
index XXXXXXX..XXXXXXX 100644
--- a/exec.c
+++ b/exec.c
@@ -XXX,XX +XXX,XX @@ static void notdirty_mem_write(void *opaque, hwaddr ram_addr,
 }
 
 static bool notdirty_mem_accepts(void *opaque, hwaddr addr,
-                                 unsigned size, bool is_write)
+                                 unsigned size, bool is_write,
+                                 MemTxAttrs attrs)
 {
     return is_write;
 }
@@ -XXX,XX +XXX,XX @@ static MemTxResult subpage_write(void *opaque, hwaddr addr,
 }
 
 static bool subpage_accepts(void *opaque, hwaddr addr,
-                            unsigned len, bool is_write)
+                            unsigned len, bool is_write,
+                            MemTxAttrs attrs)
 {
     subpage_t *subpage = opaque;
 #if defined(DEBUG_SUBPAGE)
@@ -XXX,XX +XXX,XX @@ static void readonly_mem_write(void *opaque, hwaddr addr,
 }
 
 static bool readonly_mem_accepts(void *opaque, hwaddr addr,
-                                 unsigned size, bool is_write)
+                                 unsigned size, bool is_write,
+                                 MemTxAttrs attrs)
 {
     return is_write;
 }
diff --git a/hw/hppa/dino.c b/hw/hppa/dino.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/hppa/dino.c
+++ b/hw/hppa/dino.c
@@ -XXX,XX +XXX,XX @@ static void gsc_to_pci_forwarding(DinoState *s)
 }
 
 static bool dino_chip_mem_valid(void *opaque, hwaddr addr,
-                                unsigned size, bool is_write)
+                                unsigned size, bool is_write,
+                                MemTxAttrs attrs)
 {
     switch (addr) {
     case DINO_IAR0:
diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/nvram/fw_cfg.c
+++ b/hw/nvram/fw_cfg.c
@@ -XXX,XX +XXX,XX @@ static void fw_cfg_dma_mem_write(void *opaque, hwaddr addr,
 }
 
 static bool fw_cfg_dma_mem_valid(void *opaque, hwaddr addr,
-                                  unsigned size, bool is_write)
+                                 unsigned size, bool is_write,
+                                 MemTxAttrs attrs)
 {
     return !is_write || ((size == 4 && (addr == 0 || addr == 4)) ||
                          (size == 8 && addr == 0));
 }
 
 static bool fw_cfg_data_mem_valid(void *opaque, hwaddr addr,
-                                  unsigned size, bool is_write)
+                                  unsigned size, bool is_write,
+                                  MemTxAttrs attrs)
 {
     return addr == 0;
 }
@@ -XXX,XX +XXX,XX @@ static void fw_cfg_ctl_mem_write(void *opaque, hwaddr addr,
 }
 
 static bool fw_cfg_ctl_mem_valid(void *opaque, hwaddr addr,
-                                 unsigned size, bool is_write)
+                                 unsigned size, bool is_write,
+                                 MemTxAttrs attrs)
 {
     return is_write && size == 2;
 }
@@ -XXX,XX +XXX,XX @@ static void fw_cfg_comb_write(void *opaque, hwaddr addr,
 }
 
 static bool fw_cfg_comb_valid(void *opaque, hwaddr addr,
-                                  unsigned size, bool is_write)
+                              unsigned size, bool is_write,
+                              MemTxAttrs attrs)
 {
     return (size == 1) || (is_write && size == 2);
 }
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -XXX,XX +XXX,XX @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val)
 }
 
 static bool esp_mem_accepts(void *opaque, hwaddr addr,
-                            unsigned size, bool is_write)
+                            unsigned size, bool is_write,
+                            MemTxAttrs attrs)
 {
     return (size == 1) || (is_write && size == 4);
 }
diff --git a/hw/xen/xen_pt_msi.c b/hw/xen/xen_pt_msi.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/xen/xen_pt_msi.c
+++ b/hw/xen/xen_pt_msi.c
@@ -XXX,XX +XXX,XX @@ static uint64_t pci_msix_read(void *opaque, hwaddr addr,
 }
 
 static bool pci_msix_accepts(void *opaque, hwaddr addr,
-                             unsigned size, bool is_write)
+                             unsigned size, bool is_write,
+                             MemTxAttrs attrs)
 {
     return !(addr & (size - 1));
 }
diff --git a/memory.c b/memory.c
index XXXXXXX..XXXXXXX 100644
--- a/memory.c
+++ b/memory.c
@@ -XXX,XX +XXX,XX @@ static void unassigned_mem_write(void *opaque, hwaddr addr,
 }
 
 static bool unassigned_mem_accepts(void *opaque, hwaddr addr,
-                                   unsigned size, bool is_write)
+                                   unsigned size, bool is_write,
+                                   MemTxAttrs attrs)
 {
     return false;
 }
@@ -XXX,XX +XXX,XX @@ bool memory_region_access_valid(MemoryRegion *mr,
     access_size = MAX(MIN(size, access_size_max), access_size_min);
     for (i = 0; i < size; i += access_size) {
         if (!mr->ops->valid.accepts(mr->opaque, addr + i, access_size,
-                                    is_write)) {
+                                    is_write, attrs)) {
             return false;
         }
     }
-- 
2.17.1

As part of plumbing MemTxAttrs down to the IOMMU translate method,
add MemTxAttrs as an argument to flatview_access_valid().
Its callers now all have an attrs value to hand, so we can
correct our earlier temporary use of MEMTXATTRS_UNSPECIFIED.

diff --git a/exec.c b/exec.c
index XXXXXXX..XXXXXXX 100644
--- a/exec.c
+++ b/exec.c
@@ -XXX,XX +XXX,XX @@ static MemTxResult flatview_read(FlatView *fv, hwaddr addr,
 static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs attrs,
                                   const uint8_t *buf, int len);
 static bool flatview_access_valid(FlatView *fv, hwaddr addr, int len,
-                                  bool is_write);
+                                  bool is_write, MemTxAttrs attrs);
 
 static MemTxResult subpage_read(void *opaque, hwaddr addr, uint64_t *data,
                                 unsigned len, MemTxAttrs attrs)
@@ -XXX,XX +XXX,XX @@ static bool subpage_accepts(void *opaque, hwaddr addr,
 #endif
 
     return flatview_access_valid(subpage->fv, addr + subpage->base,
-                                 len, is_write);
+                                 len, is_write, attrs);
 }
 
 static const MemoryRegionOps subpage_ops = {
@@ -XXX,XX +XXX,XX @@ static void cpu_notify_map_clients(void)
 }
 
 static bool flatview_access_valid(FlatView *fv, hwaddr addr, int len,
-                                  bool is_write)
+                                  bool is_write, MemTxAttrs attrs)
 {
     MemoryRegion *mr;
     hwaddr l, xlat;
@@ -XXX,XX +XXX,XX @@ static bool flatview_access_valid(FlatView *fv, hwaddr addr, int len,
         mr = flatview_translate(fv, addr, &xlat, &l, is_write);
         if (!memory_access_is_direct(mr, is_write)) {
             l = memory_access_size(mr, l, addr);
-            /* When our callers all have attrs we'll pass them through here */
-            if (!memory_region_access_valid(mr, xlat, l, is_write,
-                                            MEMTXATTRS_UNSPECIFIED)) {
+            if (!memory_region_access_valid(mr, xlat, l, is_write, attrs)) {
                 return false;
             }
         }
@@ -XXX,XX +XXX,XX @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr,
 
     rcu_read_lock();
     fv = address_space_to_flatview(as);
-    result = flatview_access_valid(fv, addr, len, is_write);
+    result = flatview_access_valid(fv, addr, len, is_write, attrs);
     rcu_read_unlock();
     return result;
 }
-- 
2.17.1

As part of plumbing MemTxAttrs down to the IOMMU translate method,
add MemTxAttrs as an argument to flatview_translate(); all its
callers now have attrs available.

As part of plumbing MemTxAttrs down to the IOMMU translate method,
add MemTxAttrs as an argument to address_space_get_iotlb_entry().

diff --git a/include/exec/memory.h b/include/exec/memory.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/memory.h
+++ b/include/exec/memory.h
@@ -XXX,XX +XXX,XX @@ void address_space_cache_destroy(MemoryRegionCache *cache);
  * entry. Should be called from an RCU critical section.
  */
 IOMMUTLBEntry address_space_get_iotlb_entry(AddressSpace *as, hwaddr addr,
-                                            bool is_write);
+                                            bool is_write, MemTxAttrs attrs);
 
 /* address_space_translate: translate an address range into an address space
  * into a MemoryRegion and an address range into that section.  Should be
diff --git a/exec.c b/exec.c
index XXXXXXX..XXXXXXX 100644
--- a/exec.c
+++ b/exec.c
@@ -XXX,XX +XXX,XX @@ static MemoryRegionSection flatview_do_translate(FlatView *fv,
 
 /* Called from RCU critical section */
 IOMMUTLBEntry address_space_get_iotlb_entry(AddressSpace *as, hwaddr addr,
-                                            bool is_write)
+                                            bool is_write, MemTxAttrs attrs)
 {
     MemoryRegionSection section;
     hwaddr xlat, page_mask;
diff --git a/hw/virtio/vhost.c b/hw/virtio/vhost.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/virtio/vhost.c
+++ b/hw/virtio/vhost.c
@@ -XXX,XX +XXX,XX @@ int vhost_device_iotlb_miss(struct vhost_dev *dev, uint64_t iova, int write)
     trace_vhost_iotlb_miss(dev, 1);
 
     iotlb = address_space_get_iotlb_entry(dev->vdev->dma_as,
-                                          iova, write);
+                                          iova, write,
+                                          MEMTXATTRS_UNSPECIFIED);
     if (iotlb.target_as != NULL) {
         ret = vhost_memory_region_lookup(dev, iotlb.translated_addr,
                                          &uaddr, &len);
-- 
2.17.1

As part of plumbing MemTxAttrs down to the IOMMU translate method,
add MemTxAttrs as an argument to flatview_do_translate().

diff --git a/exec.c b/exec.c
index XXXXXXX..XXXXXXX 100644
--- a/exec.c
+++ b/exec.c
@@ -XXX,XX +XXX,XX @@ unassigned:
  * @is_write: whether the translation operation is for write
  * @is_mmio: whether this can be MMIO, set true if it can
  * @target_as: the address space targeted by the IOMMU
+ * @attrs: memory transaction attributes
  *
  * This function is called from RCU critical section
  */
@@ -XXX,XX +XXX,XX @@ static MemoryRegionSection flatview_do_translate(FlatView *fv,
                                                  hwaddr *page_mask_out,
                                                  bool is_write,
                                                  bool is_mmio,
-                                                 AddressSpace **target_as)
+                                                 AddressSpace **target_as,
+                                                 MemTxAttrs attrs)
 {
     MemoryRegionSection *section;
     IOMMUMemoryRegion *iommu_mr;
@@ -XXX,XX +XXX,XX @@ IOMMUTLBEntry address_space_get_iotlb_entry(AddressSpace *as, hwaddr addr,
      * but page mask.
      */
     section = flatview_do_translate(address_space_to_flatview(as), addr, &xlat,
-                                    NULL, &page_mask, is_write, false, &as);
+                                    NULL, &page_mask, is_write, false, &as,
+                                    attrs);
 
     /* Illegal translation */
     if (section.mr == &io_mem_unassigned) {
@@ -XXX,XX +XXX,XX @@ MemoryRegion *flatview_translate(FlatView *fv, hwaddr addr, hwaddr *xlat,
 
     /* This can be MMIO, so setup MMIO bit. */
     section = flatview_do_translate(fv, addr, xlat, plen, NULL,
-                                    is_write, true, &as);
+                                    is_write, true, &as, attrs);
     mr = section.mr;
 
     if (xen_enabled() && memory_access_is_direct(mr, is_write)) {
-- 
2.17.1

As part of plumbing MemTxAttrs down to the IOMMU translate method,
add MemTxAttrs as an argument to address_space_translate_iommu().

diff --git a/exec.c b/exec.c
index XXXXXXX..XXXXXXX 100644
--- a/exec.c
+++ b/exec.c
@@ -XXX,XX +XXX,XX @@ address_space_translate_internal(AddressSpaceDispatch *d, hwaddr addr, hwaddr *x
  * @is_write: whether the translation operation is for write
  * @is_mmio: whether this can be MMIO, set true if it can
  * @target_as: the address space targeted by the IOMMU
+ * @attrs: transaction attributes
  *
  * This function is called from RCU critical section.  It is the common
  * part of flatview_do_translate and address_space_translate_cached.
@@ -XXX,XX +XXX,XX @@ static MemoryRegionSection address_space_translate_iommu(IOMMUMemoryRegion *iomm
                                                          hwaddr *page_mask_out,
                                                          bool is_write,
                                                          bool is_mmio,
-                                                         AddressSpace **target_as)
+                                                         AddressSpace **target_as,
+                                                         MemTxAttrs attrs)
 {
     MemoryRegionSection *section;
     hwaddr page_mask = (hwaddr)-1;
@@ -XXX,XX +XXX,XX @@ static MemoryRegionSection flatview_do_translate(FlatView *fv,
         return address_space_translate_iommu(iommu_mr, xlat,
                                              plen_out, page_mask_out,
                                              is_write, is_mmio,
-                                             target_as);
+                                             target_as, attrs);
     }
     if (page_mask_out) {
         /* Not behind an IOMMU, use default page size. */
@@ -XXX,XX +XXX,XX @@ static inline MemoryRegion *address_space_translate_cached(
 
     section = address_space_translate_iommu(iommu_mr, xlat, plen,
                                             NULL, is_write, true,
-                                            &target_as);
+                                            &target_as, attrs);
     return section.mr;
 }
 
-- 
2.17.1

From: Shannon Zhao <zhaoshenglong@huawei.com>

acpi_data_push uses g_array_set_size to resize the memory size. If there
is no enough contiguous memory, the address will be changed. So previous
pointer could not be used any more. It must update the pointer and use
the new one.

Also, previous codes wrongly use le32 conversion of iort->node_offset
for subsequent computations that will result incorrect value if host is
not litlle endian. So use the non-converted one instead.

Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Message-id: 1527663951-14552-1-git-send-email-zhaoshenglong@huawei.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/virt-acpi-build.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt-acpi-build.c
+++ b/hw/arm/virt-acpi-build.c
@@ -XXX,XX +XXX,XX @@ build_iort(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
     AcpiIortItsGroup *its;
     AcpiIortTable *iort;
     AcpiIortSmmu3 *smmu;
-    size_t node_size, iort_length, smmu_offset = 0;
+    size_t node_size, iort_node_offset, iort_length, smmu_offset = 0;
     AcpiIortRC *rc;
 
     iort = acpi_data_push(table_data, sizeof(*iort));
@@ -XXX,XX +XXX,XX @@ build_iort(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
 
     iort_length = sizeof(*iort);
     iort->node_count = cpu_to_le32(nb_nodes);
-    iort->node_offset = cpu_to_le32(sizeof(*iort));
+    /*
+     * Use a copy in case table_data->data moves during acpi_data_push
+     * operations.
+     */
+    iort_node_offset = sizeof(*iort);
+    iort->node_offset = cpu_to_le32(iort_node_offset);
 
     /* ITS group node */
     node_size =  sizeof(*its) + sizeof(uint32_t);
@@ -XXX,XX +XXX,XX @@ build_iort(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
         int irq =  vms->irqmap[VIRT_SMMU];
 
         /* SMMUv3 node */
-        smmu_offset = iort->node_offset + node_size;
+        smmu_offset = iort_node_offset + node_size;
         node_size = sizeof(*smmu) + sizeof(*idmap);
         iort_length += node_size;
         smmu = acpi_data_push(table_data, node_size);
@@ -XXX,XX +XXX,XX @@ build_iort(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
         idmap->id_count = cpu_to_le32(0xFFFF);
         idmap->output_base = 0;
         /* output IORT node is the ITS group node (the first node) */
-        idmap->output_reference = cpu_to_le32(iort->node_offset);
+        idmap->output_reference = cpu_to_le32(iort_node_offset);
     }
 
     /* Root Complex Node */
@@ -XXX,XX +XXX,XX @@ build_iort(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
         idmap->output_reference = cpu_to_le32(smmu_offset);
     } else {
         /* output IORT node is the ITS group node (the first node) */
-        idmap->output_reference = cpu_to_le32(iort->node_offset);
+        idmap->output_reference = cpu_to_le32(iort_node_offset);
     }
 
+    /*
+     * Update the pointer address in case table_data->data moves during above
+     * acpi_data_push operations.
+     */
+    iort = (AcpiIortTable *)(table_data->data + iort_start);
     iort->length = cpu_to_le32(iort_length);
 
     build_header(linker, table_data, (void *)(table_data->data + iort_start),
-- 
2.17.1

From: Shannon Zhao <zhaoshenglong@huawei.com>

kvm_irqchip_create called by kvm_init will call kvm_init_irq_routing to
initialize global capability variables. If we call kvm_init_irq_routing in
GIC realize function, previous allocated memory will leak.

Fix this by deleting the unnecessary call.

Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Message-id: 1527750994-14360-1-git-send-email-zhaoshenglong@huawei.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/intc/arm_gic_kvm.c   | 1 -
 hw/intc/arm_gicv3_kvm.c | 1 -
 2 files changed, 2 deletions(-)

diff --git a/hw/intc/arm_gic_kvm.c b/hw/intc/arm_gic_kvm.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gic_kvm.c
+++ b/hw/intc/arm_gic_kvm.c
@@ -XXX,XX +XXX,XX @@ static void kvm_arm_gic_realize(DeviceState *dev, Error **errp)
 
     if (kvm_has_gsi_routing()) {
         /* set up irq routing */
-        kvm_init_irq_routing(kvm_state);
         for (i = 0; i < s->num_irq - GIC_INTERNAL; ++i) {
             kvm_irqchip_add_irq_route(kvm_state, i, 0, i);
         }
diff --git a/hw/intc/arm_gicv3_kvm.c b/hw/intc/arm_gicv3_kvm.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3_kvm.c
+++ b/hw/intc/arm_gicv3_kvm.c
@@ -XXX,XX +XXX,XX @@ static void kvm_arm_gicv3_realize(DeviceState *dev, Error **errp)
 
     if (kvm_has_gsi_routing()) {
         /* set up irq routing */
-        kvm_init_irq_routing(kvm_state);
         for (i = 0; i < s->num_irq - GIC_INTERNAL; ++i) {
             kvm_irqchip_add_irq_route(kvm_state, i, 0, i);
         }
-- 
2.17.1

target-arm queue: this time around is all small fixes
and changes.

thanks
-- PMM

The following changes since commit fec105c2abda8567ec15230429c41429b5ee307c:

Merge remote-tracking branch 'remotes/kraxel/tags/audio-20190828-pull-request' into staging (2019-09-03 14:03:15 +0100)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20190903

for you to fetch changes up to 5e5584c89f36b302c666bc6db535fd3f7ff35ad2:

target/arm: Don't abort on M-profile exception return in linux-user mode (2019-09-03 16:20:35 +0100)

----------------------------------------------------------------
target-arm queue:
 * Revert and correctly fix refactoring of unallocated_encoding()
 * Take exceptions on ATS instructions when needed
 * aspeed/timer: Provide back-pressure information for short periods
 * memory: Remove unused memory_region_iommu_replay_all()
 * hw/arm/smmuv3: Log a guest error when decoding an invalid STE
 * hw/arm/smmuv3: Remove spurious error messages on IOVA invalidations
 * target/arm: Fix SMMLS argument order
 * hw/arm: Use ARM_CPU_TYPE_NAME() macro when appropriate
 * hw/arm: Correct reference counting for creation of various objects
 * includes: remove stale [smp|max]_cpus externs
 * tcg/README: fix typo
 * atomic_template: fix indentation in GEN_ATOMIC_HELPER
 * include/exec/cpu-defs.h: fix typo
 * target/arm: Free TCG temps in trans_VMOV_64_sp()
 * target/arm: Don't abort on M-profile exception return in linux-user mode

----------------------------------------------------------------
Alex Bennée (2):
      includes: remove stale [smp|max]_cpus externs
      include/exec/cpu-defs.h: fix typo

Andrew Jeffery (1):
      aspeed/timer: Provide back-pressure information for short periods

Emilio G. Cota (2):
      tcg/README: fix typo s/afterwise/afterwards/
      atomic_template: fix indentation in GEN_ATOMIC_HELPER

Eric Auger (3):
      memory: Remove unused memory_region_iommu_replay_all()
      hw/arm/smmuv3: Log a guest error when decoding an invalid STE
      hw/arm/smmuv3: Remove spurious error messages on IOVA invalidations

Peter Maydell (4):
      target/arm: Allow ARMCPRegInfo read/write functions to throw exceptions
      target/arm: Take exceptions on ATS instructions when needed
      target/arm: Free TCG temps in trans_VMOV_64_sp()
      target/arm: Don't abort on M-profile exception return in linux-user mode

Philippe Mathieu-Daudé (6):
      hw/arm: Use ARM_CPU_TYPE_NAME() macro when appropriate
      hw/arm: Use object_initialize_child for correct reference counting
      hw/arm: Use sysbus_init_child_obj for correct reference counting
      hw/arm/fsl-imx: Add the cpu as child of the SoC object
      hw/dma/xilinx_axi: Use object_initialize_child for correct ref. counting
      hw/net/xilinx_axi: Use object_initialize_child for correct ref. counting

Richard Henderson (3):
      Revert "target/arm: Use unallocated_encoding for aarch32"
      target/arm: Factor out unallocated_encoding for aarch32
      target/arm: Fix SMMLS argument order

From: Richard Henderson <richard.henderson@linaro.org>

This reverts commit 3cb36637157088892e9e33ddb1034bffd1251d3b.

Despite the fact that the text for the call to gen_exception_insn
is identical for aarch64 and aarch32, the implementation inside
gen_exception_insn is totally different.

This fixes exceptions raised from aarch64.

Reported-by: Laurent Desnogues <laurent.desnogues@gmail.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Laurent Desnogues <laurent.desnogues@gmail.com>
Message-id: 20190826151536.6771-2-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.h     |  2 ++
 target/arm/translate.h         |  2 --
 target/arm/translate-a64.c     |  7 +++++++
 target/arm/translate-vfp.inc.c |  3 ++-
 target/arm/translate.c         | 22 ++++++++++------------
 5 files changed, 21 insertions(+), 15 deletions(-)

diff --git a/target/arm/translate-a64.h b/target/arm/translate-a64.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.h
+++ b/target/arm/translate-a64.h
@@ -XXX,XX +XXX,XX @@
 #ifndef TARGET_ARM_TRANSLATE_A64_H
 #define TARGET_ARM_TRANSLATE_A64_H
 
+void unallocated_encoding(DisasContext *s);
+
 #define unsupported_encoding(s, insn)                                    \
     do {                                                                 \
         qemu_log_mask(LOG_UNIMP,                                         \
diff --git a/target/arm/translate.h b/target/arm/translate.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.h
+++ b/target/arm/translate.h
@@ -XXX,XX +XXX,XX @@ typedef struct DisasCompare {
     bool value_global;
 } DisasCompare;
 
-void unallocated_encoding(DisasContext *s);
-
 /* Share the TCG temporaries common between 32 and 64 bit modes.  */
 extern TCGv_i32 cpu_NF, cpu_ZF, cpu_CF, cpu_VF;
 extern TCGv_i64 cpu_exclusive_addr;
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static inline void gen_goto_tb(DisasContext *s, int n, uint64_t dest)
     }
 }
 
+void unallocated_encoding(DisasContext *s)
+{
+    /* Unallocated and reserved encodings are uncategorized */
+    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
+                       default_exception_el(s));
+}
+
 static void init_tmp_a64_array(DisasContext *s)
 {
 #ifdef CONFIG_DEBUG_TCG
diff --git a/target/arm/translate-vfp.inc.c b/target/arm/translate-vfp.inc.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-vfp.inc.c
+++ b/target/arm/translate-vfp.inc.c
@@ -XXX,XX +XXX,XX @@ static bool full_vfp_access_check(DisasContext *s, bool ignore_vfp_enabled)
 
     if (!s->vfp_enabled && !ignore_vfp_enabled) {
         assert(!arm_dc_feature(s, ARM_FEATURE_M));
-        unallocated_encoding(s);
+        gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
+                           default_exception_el(s));
         return false;
     }
 
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_exception_bkpt_insn(DisasContext *s, uint32_t syn)
     s->base.is_jmp = DISAS_NORETURN;
 }
 
-void unallocated_encoding(DisasContext *s)
-{
-    /* Unallocated and reserved encodings are uncategorized */
-    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
-                       default_exception_el(s));
-}
-
 /* Force a TB lookup after an instruction that changes the CPU state.  */
 static inline void gen_lookup_tb(DisasContext *s)
 {
@@ -XXX,XX +XXX,XX @@ static inline void gen_hlt(DisasContext *s, int imm)
         return;
     }
 
-    unallocated_encoding(s);
+    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
+                       default_exception_el(s));
 }
 
 static inline void gen_add_data_offset(DisasContext *s, unsigned int insn,
@@ -XXX,XX +XXX,XX @@ static void gen_srs(DisasContext *s,
     }
 
     if (undef) {
-        unallocated_encoding(s);
+        gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
+                           default_exception_el(s));
         return;
     }
 
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
             break;
         default:
         illegal_op:
-            unallocated_encoding(s);
+            gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
+                               default_exception_el(s));
             break;
         }
     }
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
     }
     return;
 illegal_op:
-    unallocated_encoding(s);
+    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
+                       default_exception_el(s));
 }
 
 static void disas_thumb_insn(DisasContext *s, uint32_t insn)
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
     return;
 illegal_op:
 undef:
-    unallocated_encoding(s);
+    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
+                       default_exception_el(s));
 }
 
 static bool insn_crosses_page(CPUARMState *env, DisasContext *s)
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

Make this a static function private to translate.c.
Thus we can use the same idiom between aarch64 and aarch32
without actually sharing function implementations.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Laurent Desnogues <laurent.desnogues@gmail.com>
Message-id: 20190826151536.6771-3-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-vfp.inc.c |  3 +--
 target/arm/translate.c         | 22 ++++++++++++----------
 2 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/target/arm/translate-vfp.inc.c b/target/arm/translate-vfp.inc.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-vfp.inc.c
+++ b/target/arm/translate-vfp.inc.c
@@ -XXX,XX +XXX,XX @@ static bool full_vfp_access_check(DisasContext *s, bool ignore_vfp_enabled)
 
     if (!s->vfp_enabled && !ignore_vfp_enabled) {
         assert(!arm_dc_feature(s, ARM_FEATURE_M));
-        gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
-                           default_exception_el(s));
+        unallocated_encoding(s);
         return false;
     }
 
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_exception_bkpt_insn(DisasContext *s, uint32_t syn)
     s->base.is_jmp = DISAS_NORETURN;
 }
 
+static void unallocated_encoding(DisasContext *s)
+{
+    /* Unallocated and reserved encodings are uncategorized */
+    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
+                       default_exception_el(s));
+}
+
 /* Force a TB lookup after an instruction that changes the CPU state.  */
 static inline void gen_lookup_tb(DisasContext *s)
 {
@@ -XXX,XX +XXX,XX @@ static inline void gen_hlt(DisasContext *s, int imm)
         return;
     }
 
-    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
-                       default_exception_el(s));
+    unallocated_encoding(s);
 }
 
 static inline void gen_add_data_offset(DisasContext *s, unsigned int insn,
@@ -XXX,XX +XXX,XX @@ static void gen_srs(DisasContext *s,
     }
 
     if (undef) {
-        gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
-                           default_exception_el(s));
+        unallocated_encoding(s);
         return;
     }
 
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
             break;
         default:
         illegal_op:
-            gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
-                               default_exception_el(s));
+            unallocated_encoding(s);
             break;
         }
     }
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
     }
     return;
 illegal_op:
-    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
-                       default_exception_el(s));
+    unallocated_encoding(s);
 }
 
 static void disas_thumb_insn(DisasContext *s, uint32_t insn)
@@ -XXX,XX +XXX,XX @@ static void disas_thumb_insn(DisasContext *s, uint32_t insn)
     return;
 illegal_op:
 undef:
-    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized(),
-                       default_exception_el(s));
+    unallocated_encoding(s);
 }
 
 static bool insn_crosses_page(CPUARMState *env, DisasContext *s)
-- 
2.20.1

Currently the only part of an ARMCPRegInfo which is allowed to cause
a CPU exception is the access function, which returns a value indicating
that some flavour of UNDEF should be generated.

For the ATS system instructions, we would like to conditionally
generate exceptions as part of the writefn, because some faults
during the page table walk (like external aborts) should cause
an exception to be raised rather than returning a value.

There are several ways we could do this:
 * plumb the GETPC() value from the top level set_cp_reg/get_cp_reg
   helper functions through into the readfn and writefn hooks
 * add extra readfn_with_ra/writefn_with_ra hooks that take the GETPC()
   value
 * require the ATS instructions to provide a dummy accessfn,
   which serves no purpose except to cause the code generation
   to emit TCG ops to sync the CPU state
 * add an ARM_CP_ flag to mark the ARMCPRegInfo as possibly
   throwing an exception in its read/write hooks, and make the
   codegen sync the CPU state before calling the hooks if the
   flag is set

This patch opts for the last of these, as it is fairly simple
to implement and doesn't require invasive changes like updating
the readfn/writefn hook function prototype signature.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Message-id: 20190816125802.25877-2-peter.maydell@linaro.org
---
 target/arm/cpu.h           | 6 +++++-
 target/arm/translate-a64.c | 6 ++++++
 target/arm/translate.c     | 7 +++++++
 3 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ static inline uint64_t cpreg_to_kvm_id(uint32_t cpregid)
  * IO indicates that this register does I/O and therefore its accesses
  * need to be surrounded by gen_io_start()/gen_io_end(). In particular,
  * registers which implement clocks or timers require this.
+ * RAISES_EXC is for when the read or write hook might raise an exception;
+ * the generated code will synchronize the CPU state before calling the hook
+ * so that it is safe for the hook to call raise_exception().
  */
 #define ARM_CP_SPECIAL           0x0001
 #define ARM_CP_CONST             0x0002
@@ -XXX,XX +XXX,XX @@ static inline uint64_t cpreg_to_kvm_id(uint32_t cpregid)
 #define ARM_CP_FPU               0x1000
 #define ARM_CP_SVE               0x2000
 #define ARM_CP_NO_GDB            0x4000
+#define ARM_CP_RAISES_EXC        0x8000
 /* Used only as a terminator for ARMCPRegInfo lists */
 #define ARM_CP_SENTINEL          0xffff
 /* Mask of only the flag bits in a type field */
-#define ARM_CP_FLAG_MASK         0x70ff
+#define ARM_CP_FLAG_MASK         0xf0ff
 
 /* Valid values for ARMCPRegInfo state field, indicating which of
  * the AArch32 and AArch64 execution states this register is visible in.
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void handle_sys(DisasContext *s, uint32_t insn, bool isread,
         tcg_temp_free_ptr(tmpptr);
         tcg_temp_free_i32(tcg_syn);
         tcg_temp_free_i32(tcg_isread);
+    } else if (ri->type & ARM_CP_RAISES_EXC) {
+        /*
+         * The readfn or writefn might raise an exception;
+         * synchronize the CPU state in case it does.
+         */
+        gen_a64_set_pc_im(s->pc_curr);
     }
 
     /* Handle special cases first */
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static int disas_coproc_insn(DisasContext *s, uint32_t insn)
             tcg_temp_free_ptr(tmpptr);
             tcg_temp_free_i32(tcg_syn);
             tcg_temp_free_i32(tcg_isread);
+        } else if (ri->type & ARM_CP_RAISES_EXC) {
+            /*
+             * The readfn or writefn might raise an exception;
+             * synchronize the CPU state in case it does.
+             */
+            gen_set_condexec(s);
+            gen_set_pc_im(s, s->pc_curr);
         }
 
         /* Handle special cases first */
-- 
2.20.1

The translation table walk for an ATS instruction can result in
various faults.  In general these are just reported back via the
PAR_EL1 fault status fields, but in some cases the architecture
requires that the fault is turned into an exception:
 * synchronous stage 2 faults of any kind during AT S1E0* and
   AT S1E1* instructions executed from NS EL1 fault to EL2 or EL3
 * synchronous external aborts are taken as Data Abort exceptions

(This is documented in the v8A Arm ARM DDI0487A.e D5.2.11 and
G5.13.4.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Message-id: 20190816125802.25877-3-peter.maydell@linaro.org
---
 target/arm/helper.c | 107 +++++++++++++++++++++++++++++++++++++-------
 1 file changed, 92 insertions(+), 15 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static uint64_t do_ats_write(CPUARMState *env, uint64_t value,
     ret = get_phys_addr(env, value, access_type, mmu_idx, &phys_addr, &attrs,
                         &prot, &page_size, &fi, &cacheattrs);
 
+    if (ret) {
+        /*
+         * Some kinds of translation fault must cause exceptions rather
+         * than being reported in the PAR.
+         */
+        int current_el = arm_current_el(env);
+        int target_el;
+        uint32_t syn, fsr, fsc;
+        bool take_exc = false;
+
+        if (fi.s1ptw && current_el == 1 && !arm_is_secure(env)
+            && (mmu_idx == ARMMMUIdx_S1NSE1 || mmu_idx == ARMMMUIdx_S1NSE0)) {
+            /*
+             * Synchronous stage 2 fault on an access made as part of the
+             * translation table walk for AT S1E0* or AT S1E1* insn
+             * executed from NS EL1. If this is a synchronous external abort
+             * and SCR_EL3.EA == 1, then we take a synchronous external abort
+             * to EL3. Otherwise the fault is taken as an exception to EL2,
+             * and HPFAR_EL2 holds the faulting IPA.
+             */
+            if (fi.type == ARMFault_SyncExternalOnWalk &&
+                (env->cp15.scr_el3 & SCR_EA)) {
+                target_el = 3;
+            } else {
+                env->cp15.hpfar_el2 = extract64(fi.s2addr, 12, 47) << 4;
+                target_el = 2;
+            }
+            take_exc = true;
+        } else if (fi.type == ARMFault_SyncExternalOnWalk) {
+            /*
+             * Synchronous external aborts during a translation table walk
+             * are taken as Data Abort exceptions.
+             */
+            if (fi.stage2) {
+                if (current_el == 3) {
+                    target_el = 3;
+                } else {
+                    target_el = 2;
+                }
+            } else {
+                target_el = exception_target_el(env);
+            }
+            take_exc = true;
+        }
+
+        if (take_exc) {
+            /* Construct FSR and FSC using same logic as arm_deliver_fault() */
+            if (target_el == 2 || arm_el_is_aa64(env, target_el) ||
+                arm_s1_regime_using_lpae_format(env, mmu_idx)) {
+                fsr = arm_fi_to_lfsc(&fi);
+                fsc = extract32(fsr, 0, 6);
+            } else {
+                fsr = arm_fi_to_sfsc(&fi);
+                fsc = 0x3f;
+            }
+            /*
+             * Report exception with ESR indicating a fault due to a
+             * translation table walk for a cache maintenance instruction.
+             */
+            syn = syn_data_abort_no_iss(current_el == target_el,
+                                        fi.ea, 1, fi.s1ptw, 1, fsc);
+            env->exception.vaddress = value;
+            env->exception.fsr = fsr;
+            raise_exception(env, EXCP_DATA_ABORT, syn, target_el);
+        }
+    }
+
     if (is_a64(env)) {
         format64 = true;
     } else if (arm_feature(env, ARM_FEATURE_LPAE)) {
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo vapa_cp_reginfo[] = {
     /* This underdecoding is safe because the reginfo is NO_RAW. */
     { .name = "ATS", .cp = 15, .crn = 7, .crm = 8, .opc1 = 0, .opc2 = CP_ANY,
       .access = PL1_W, .accessfn = ats_access,
-      .writefn = ats_write, .type = ARM_CP_NO_RAW },
+      .writefn = ats_write, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC },
 #endif
     REGINFO_SENTINEL
 };
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v8_cp_reginfo[] = {
     /* 64 bit address translation operations */
     { .name = "AT_S1E1R", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 0,
-      .access = PL1_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
+      .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
+      .writefn = ats_write64 },
     { .name = "AT_S1E1W", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 1,
-      .access = PL1_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
+      .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
+      .writefn = ats_write64 },
     { .name = "AT_S1E0R", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 2,
-      .access = PL1_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
+      .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
+      .writefn = ats_write64 },
     { .name = "AT_S1E0W", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 3,
-      .access = PL1_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
+      .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
+      .writefn = ats_write64 },
     { .name = "AT_S12E1R", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 4,
-      .access = PL2_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
+      .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
+      .writefn = ats_write64 },
     { .name = "AT_S12E1W", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 5,
-      .access = PL2_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
+      .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
+      .writefn = ats_write64 },
     { .name = "AT_S12E0R", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 6,
-      .access = PL2_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
+      .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
+      .writefn = ats_write64 },
     { .name = "AT_S12E0W", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 7,
-      .access = PL2_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
+      .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
+      .writefn = ats_write64 },
     /* AT S1E2* are elsewhere as they UNDEF from EL3 if EL2 is not present */
     { .name = "AT_S1E3R", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 6, .crn = 7, .crm = 8, .opc2 = 0,
-      .access = PL3_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
+      .access = PL3_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
+      .writefn = ats_write64 },
     { .name = "AT_S1E3W", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 6, .crn = 7, .crm = 8, .opc2 = 1,
-      .access = PL3_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
+      .access = PL3_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
+      .writefn = ats_write64 },
     { .name = "PAR_EL1", .state = ARM_CP_STATE_AA64,
       .type = ARM_CP_ALIAS,
       .opc0 = 3, .opc1 = 0, .crn = 7, .crm = 4, .opc2 = 0,
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el2_cp_reginfo[] = {
     { .name = "AT_S1E2R", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 0,
       .access = PL2_W, .accessfn = at_s1e2_access,
-      .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
+      .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC, .writefn = ats_write64 },
     { .name = "AT_S1E2W", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 1,
       .access = PL2_W, .accessfn = at_s1e2_access,
-      .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
+      .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC, .writefn = ats_write64 },
     /* The AArch32 ATS1H* operations are CONSTRAINED UNPREDICTABLE
      * if EL2 is not implemented; we choose to UNDEF. Behaviour at EL3
      * with SCR.NS == 0 outside Monitor mode is UNPREDICTABLE; we choose
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el2_cp_reginfo[] = {
      */
     { .name = "ATS1HR", .cp = 15, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 0,
       .access = PL2_W,
-      .writefn = ats1h_write, .type = ARM_CP_NO_RAW },
+      .writefn = ats1h_write, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC },
     { .name = "ATS1HW", .cp = 15, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 1,
       .access = PL2_W,
-      .writefn = ats1h_write, .type = ARM_CP_NO_RAW },
+      .writefn = ats1h_write, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC },
     { .name = "CNTHCTL_EL2", .state = ARM_CP_STATE_BOTH,
       .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 1, .opc2 = 0,
       /* ARMv7 requires bit 0 and 1 to reset to 1. ARMv8 defines the
-- 
2.20.1

From: Andrew Jeffery <andrew@aj.id.au>

First up: This is not the way the hardware behaves.

However, it helps resolve real-world problems with short periods being
used under Linux. Commit 4451d3f59f2a ("clocksource/drivers/fttmr010:
Fix set_next_event handler") in Linux fixed the timer driver to
correctly schedule the next event for the Aspeed controller, and in
combination with 5daa8212c08e ("ARM: dts: aspeed: Describe random number
device") Linux will now set a timer with a period as low as 1us.

Configuring a qemu timer with such a short period results in spending
time handling the interrupt in the model rather than executing guest
code, leading to noticeable "sticky" behaviour in the guest.

The behaviour of Linux is correct with respect to the hardware, so we
need to improve our handling under emulation. The approach chosen is to
provide back-pressure information by calculating an acceptable minimum
number of ticks to be set on the model. Under Linux an additional read
is added in the timer configuration path to detect back-pressure, which
will never occur on hardware. However if back-pressure is observed, the
driver alerts the clock event subsystem, which then performs its own
next event dilation via a config option - d1748302f70b ("clockevents:
Make minimum delay adjustments configurable")

A minimum period of 5us was experimentally determined on a Lenovo
T480s, which I've increased to 20us for "safety".

Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Reviewed-by: Joel Stanley <joel@jms.id.au>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Tested-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Message-id: 20190704055150.4899-1-clg@kaod.org
[clg: - changed the computation of min_ticks to be done each time the
        timer value is reloaded. It removes the ordering issue of the
        timer and scu reset handlers but is slightly slower ]
      - introduced TIMER_MIN_NS
      - introduced calculate_min_ticks() ]
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/timer/aspeed_timer.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/hw/timer/aspeed_timer.c b/hw/timer/aspeed_timer.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/timer/aspeed_timer.c
+++ b/hw/timer/aspeed_timer.c
@@ -XXX,XX +XXX,XX @@ enum timer_ctrl_op {
     op_pulse_enable
 };
 
+/*
+ * Minimum value of the reload register to filter out short period
+ * timers which have a noticeable impact in emulation. 5us should be
+ * enough, use 20us for "safety".
+ */
+#define TIMER_MIN_NS (20 * SCALE_US)
+
 /**
  * Avoid mutual references between AspeedTimerCtrlState and AspeedTimer
  * structs, as it's a waste of memory. The ptimer BH callback needs to know
@@ -XXX,XX +XXX,XX @@ static inline uint32_t calculate_ticks(struct AspeedTimer *t, uint64_t now_ns)
     return t->reload - MIN(t->reload, ticks);
 }
 
+static uint32_t calculate_min_ticks(AspeedTimer *t, uint32_t value)
+{
+    uint32_t rate = calculate_rate(t);
+    uint32_t min_ticks = muldiv64(TIMER_MIN_NS, rate, NANOSECONDS_PER_SECOND);
+
+    return  value < min_ticks ? min_ticks : value;
+}
+
 static inline uint64_t calculate_time(struct AspeedTimer *t, uint32_t ticks)
 {
     uint64_t delta_ns;
@@ -XXX,XX +XXX,XX @@ static void aspeed_timer_set_value(AspeedTimerCtrlState *s, int timer, int reg,
     switch (reg) {
     case TIMER_REG_RELOAD:
         old_reload = t->reload;
-        t->reload = value;
+        t->reload = calculate_min_ticks(t, value);
 
         /* If the reload value was not previously set, or zero, and
          * the current value is valid, try to start the timer if it is
-- 
2.20.1

From: Eric Auger <eric.auger@redhat.com>

memory_region_iommu_replay_all is not used. Remove it.

Signed-off-by: Eric Auger <eric.auger@redhat.com>
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Peter Xu <peterx@redhat.com>
Message-id: 20190822172350.12008-2-eric.auger@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/exec/memory.h | 10 ----------
 memory.c              |  9 ---------
 2 files changed, 19 deletions(-)

diff --git a/include/exec/memory.h b/include/exec/memory.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/memory.h
+++ b/include/exec/memory.h
@@ -XXX,XX +XXX,XX @@ void memory_region_register_iommu_notifier(MemoryRegion *mr,
  */
 void memory_region_iommu_replay(IOMMUMemoryRegion *iommu_mr, IOMMUNotifier *n);
 
-/**
- * memory_region_iommu_replay_all: replay existing IOMMU translations
- * to all the notifiers registered.
- *
- * Note: this is not related to record-and-replay functionality.
- *
- * @iommu_mr: the memory region to observe
- */
-void memory_region_iommu_replay_all(IOMMUMemoryRegion *iommu_mr);
-
 /**
  * memory_region_unregister_iommu_notifier: unregister a notifier for
  * changes to IOMMU translation entries.
diff --git a/memory.c b/memory.c
index XXXXXXX..XXXXXXX 100644
--- a/memory.c
+++ b/memory.c
@@ -XXX,XX +XXX,XX @@ void memory_region_iommu_replay(IOMMUMemoryRegion *iommu_mr, IOMMUNotifier *n)
     }
 }
 
-void memory_region_iommu_replay_all(IOMMUMemoryRegion *iommu_mr)
-{
-    IOMMUNotifier *notifier;
-
-    IOMMU_NOTIFIER_FOREACH(notifier, iommu_mr) {
-        memory_region_iommu_replay(iommu_mr, notifier);
-    }
-}
-
 void memory_region_unregister_iommu_notifier(MemoryRegion *mr,
                                              IOMMUNotifier *n)
 {
-- 
2.20.1

From: Eric Auger <eric.auger@redhat.com>

An IOVA/ASID invalidation is notified to all IOMMU Memory Regions
through smmuv3_inv_notifiers_iova/smmuv3_notify_iova.

When the notification occurs it is possible that some of the
PCIe devices associated to the notified regions do not have a
valid stream table entry. In that case we output a LOG_GUEST_ERROR
message, for example:

invalid sid=<SID> (L1STD span=0)
"smmuv3_notify_iova error decoding the configuration for iommu mr=<MR>

This is unfortunate as the user gets the impression that there
are some translation decoding errors whereas there are not.

This patch adds a new field in SMMUEventInfo that tells whether
the detection of an invalid STE must lead to an error report.
invalid_ste_allowed is set before doing the invalidations and
kept unset on actual translation.

The other configuration decoding error messages are kept since if the
STE is valid then the rest of the config must be correct.

Signed-off-by: Eric Auger <eric.auger@redhat.com>
Message-id: 20190822172350.12008-6-eric.auger@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/smmuv3-internal.h |  1 +
 hw/arm/smmuv3.c          | 19 +++++++++++--------
 2 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3-internal.h
+++ b/hw/arm/smmuv3-internal.h
@@ -XXX,XX +XXX,XX @@ typedef struct SMMUEventInfo {
     uint32_t sid;
     bool recorded;
     bool record_trans_faults;
+    bool inval_ste_allowed;
     union {
         struct {
             uint32_t ssid;
diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@ static int decode_ste(SMMUv3State *s, SMMUTransCfg *cfg,
     uint32_t config;
 
     if (!STE_VALID(ste)) {
-        qemu_log_mask(LOG_GUEST_ERROR, "invalid STE\n");
+        if (!event->inval_ste_allowed) {
+            qemu_log_mask(LOG_GUEST_ERROR, "invalid STE\n");
+        }
         goto bad_ste;
     }
 
@@ -XXX,XX +XXX,XX @@ static int smmu_find_ste(SMMUv3State *s, uint32_t sid, STE *ste,
 
         if (!span) {
             /* l2ptr is not valid */
-            qemu_log_mask(LOG_GUEST_ERROR,
-                          "invalid sid=%d (L1STD span=0)\n", sid);
+            if (!event->inval_ste_allowed) {
+                qemu_log_mask(LOG_GUEST_ERROR,
+                              "invalid sid=%d (L1STD span=0)\n", sid);
+            }
             event->type = SMMU_EVT_C_BAD_STREAMID;
             return -EINVAL;
         }
@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry smmuv3_translate(IOMMUMemoryRegion *mr, hwaddr addr,
     SMMUDevice *sdev = container_of(mr, SMMUDevice, iommu);
     SMMUv3State *s = sdev->smmu;
     uint32_t sid = smmu_get_sid(sdev);
-    SMMUEventInfo event = {.type = SMMU_EVT_NONE, .sid = sid};
+    SMMUEventInfo event = {.type = SMMU_EVT_NONE,
+                           .sid = sid,
+                           .inval_ste_allowed = false};
     SMMUPTWEventInfo ptw_info = {};
     SMMUTranslationStatus status;
     SMMUState *bs = ARM_SMMU(s);
@@ -XXX,XX +XXX,XX @@ static void smmuv3_notify_iova(IOMMUMemoryRegion *mr,
                                dma_addr_t iova)
 {
     SMMUDevice *sdev = container_of(mr, SMMUDevice, iommu);
-    SMMUEventInfo event = {};
+    SMMUEventInfo event = {.inval_ste_allowed = true};
     SMMUTransTableInfo *tt;
     SMMUTransCfg *cfg;
     IOMMUTLBEntry entry;
 
     cfg = smmuv3_get_config(sdev, &event);
     if (!cfg) {
-        qemu_log_mask(LOG_GUEST_ERROR,
-                      "%s error decoding the configuration for iommu mr=%s\n",
-                      __func__, mr->parent_obj.name);
         return;
     }
 
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

The previous simplification got the order of operands to the
subtraction wrong.  Since the 64-bit product is the subtrahend,
we must use a 64-bit subtract to properly compute the borrow
from the low-part of the product.

Fixes: 5f8cd06ebcf5 ("target/arm: Simplify SMMLA, SMMLAR, SMMLS, SMMLSR")
Reported-by: Laurent Desnogues <laurent.desnogues@gmail.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Tested-by: Laurent Desnogues <laurent.desnogues@gmail.com>
Message-id: 20190829013258.16102-1-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate.c | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
                         if (rd != 15) {
                             tmp3 = load_reg(s, rd);
                             if (insn & (1 << 6)) {
-                                tcg_gen_sub_i32(tmp, tmp, tmp3);
+                                /*
+                                 * For SMMLS, we need a 64-bit subtract.
+                                 * Borrow caused by a non-zero multiplicand
+                                 * lowpart, and the correct result lowpart
+                                 * for rounding.
+                                 */
+                                TCGv_i32 zero = tcg_const_i32(0);
+                                tcg_gen_sub2_i32(tmp2, tmp, zero, tmp3,
+                                                 tmp2, tmp);
+                                tcg_temp_free_i32(zero);
                             } else {
                                 tcg_gen_add_i32(tmp, tmp, tmp3);
                             }
@@ -XXX,XX +XXX,XX @@ static void disas_thumb2_insn(DisasContext *s, uint32_t insn)
                     if (insn & (1 << 20)) {
                         tcg_gen_add_i32(tmp, tmp, tmp3);
                     } else {
-                        tcg_gen_sub_i32(tmp, tmp, tmp3);
+                        /*
+                         * For SMMLS, we need a 64-bit subtract.
+                         * Borrow caused by a non-zero multiplicand lowpart,
+                         * and the correct result lowpart for rounding.
+                         */
+                        TCGv_i32 zero = tcg_const_i32(0);
+                        tcg_gen_sub2_i32(tmp2, tmp, zero, tmp3, tmp2, tmp);
+                        tcg_temp_free_i32(zero);
                     }
                     tcg_temp_free_i32(tmp3);
                 }
-- 
2.20.1