Series comparison

-[Qemu-devel] [PULL 0/6] target-arm queue
+[Qemu-devel] [PULL 00/10] target-arm queue
-Last lot of patches for arm before softfreeze tomorrow...
+target-arm queue for rc1 -- these are all bug fixes.
 thanks
 -- PMM
-The following changes since commit ef3a6af5e789ff078d1fef880f9dfb6adf18e8f1:
+The following changes since commit b9404bf592e7ba74180e1a54ed7a266ec6ee67f2:
-  Merge remote-tracking branch 'remotes/kraxel/tags/vga-20181029-pull-request' into staging (2018-10-29 12:59:15 +0000)
+  Merge remote-tracking branch 'remotes/dgilbert/tags/pull-hmp-20190715' into staging (2019-07-15 12:22:07 +0100)
 are available in the Git repository at:
-  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20181029
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20190715
-for you to fetch changes up to 20cf5663734310a282e27b7389bc9f53ffe227e6:
+for you to fetch changes up to 51c9122e92b776a3f16af0b9282f1dc5012e2a19:
-  tests/boot-serial-test: Add microbit board testcase (2018-10-29 15:19:48 +0000)
+  target/arm: NS BusFault on vector table fetch escalates to NS HardFault (2019-07-15 14:17:04 +0100)
 ----------------------------------------------------------------
 target-arm queue:
- * microbit: Add the UART to our nRF51 SoC model
+ * report ARMv8-A FP support for AArch32 -cpu max
- * Add a virtual Xilinx Versal board "xlnx-versal-virt"
+ * hw/ssi/xilinx_spips: Avoid AXI writes to the LQSPI linear memory
- * hw/arm/virt: Set VIRT_COMPAT_3_0 compat
+ * hw/ssi/xilinx_spips: Avoid out-of-bound access to lqspi_buf[]
  * hw/ssi/mss-spi: Avoid crash when reading empty RX FIFO
  * hw/display/xlnx_dp: Avoid crash when reading empty RX FIFO
  * hw/arm/virt: Fix non-secure flash mode
  * pl031: Correctly migrate state when using -rtc clock=host
  * fix regression that meant arm926 and arm1026 lost VFP
    double-precision support
  * v8M: NS BusFault on vector table fetch escalates to NS HardFault
 ----------------------------------------------------------------
-Edgar E. Iglesias (2):
+Alex Bennée (1):
-      hw/arm: versal: Add a model of Xilinx Versal SoC
+      target/arm: report ARMv8-A FP support for AArch32 -cpu max
       hw/arm: versal: Add a virtual Xilinx Versal board
-Eric Auger (1):
+David Engraf (1):
-      hw/arm/virt: Set VIRT_COMPAT_3_0 compat
+      hw/arm/virt: Fix non-secure flash mode
-Julia Suvorova (3):
+Peter Maydell (3):
-      hw/char: Implement nRF51 SoC UART
+      pl031: Correctly migrate state when using -rtc clock=host
-      hw/arm/nrf51_soc: Connect UART to nRF51 SoC
+      target/arm: Set VFP-related MVFR0 fields for arm926 and arm1026
-      tests/boot-serial-test: Add microbit board testcase
+      target/arm: NS BusFault on vector table fetch escalates to NS HardFault
- hw/arm/Makefile.objs                |   1 +
+Philippe Mathieu-Daudé (5):
- hw/char/Makefile.objs               |   1 +
+      hw/ssi/xilinx_spips: Convert lqspi_read() to read_with_attrs
- include/hw/arm/nrf51_soc.h          |   3 +
+      hw/ssi/xilinx_spips: Avoid AXI writes to the LQSPI linear memory
- include/hw/arm/xlnx-versal.h        | 122 +++++++++
+      hw/ssi/xilinx_spips: Avoid out-of-bound access to lqspi_buf[]
- include/hw/char/nrf51_uart.h        |  78 ++++++
+      hw/ssi/mss-spi: Avoid crash when reading empty RX FIFO
- hw/arm/microbit.c                   |   2 +
+      hw/display/xlnx_dp: Avoid crash when reading empty RX FIFO
  hw/arm/nrf51_soc.c                  |  20 ++
  hw/arm/virt.c                       |   4 +
  hw/arm/xlnx-versal-virt.c           | 493 ++++++++++++++++++++++++++++++++++++
  hw/arm/xlnx-versal.c                | 323 +++++++++++++++++++++++
  hw/char/nrf51_uart.c                | 330 ++++++++++++++++++++++++
  tests/boot-serial-test.c            |  19 ++
  default-configs/aarch64-softmmu.mak |   1 +
  hw/char/trace-events                |   4 +
 files changed, 1401 insertions(+)
  create mode 100644 include/hw/arm/xlnx-versal.h
  create mode 100644 include/hw/char/nrf51_uart.h
  create mode 100644 hw/arm/xlnx-versal-virt.c
  create mode 100644 hw/arm/xlnx-versal.c
  create mode 100644 hw/char/nrf51_uart.c
+ include/hw/timer/pl031.h |  2 ++
+ hw/arm/virt.c            |  2 +-
+ hw/core/machine.c        |  1 +
+ hw/display/xlnx_dp.c     | 15 +++++---
+ hw/ssi/mss-spi.c         |  8 ++++-
+ hw/ssi/xilinx_spips.c    | 43 +++++++++++++++-------
+ hw/timer/pl031.c         | 92 +++++++++++++++++++++++++++++++++++++++++++++---
+ target/arm/cpu.c         | 16 +++++++++
+ target/arm/m_helper.c    | 21 ++++++++---
+files changed, 174 insertions(+), 26 deletions(-)

-[Qemu-devel] [PULL 3/6] hw/arm: versal: Add a virtual Xilinx Versal board
+[Qemu-devel] [PULL 01/10] target/arm: report ARMv8-A FP support for AArch32 -cpu max
-From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>
+From: Alex Bennée <alex.bennee@linaro.org>
-Add a virtual Xilinx Versal board.
+When we converted to using feature bits in 602f6e42cfbf we missed out
 the fact (dp && arm_dc_feature(s, ARM_FEATURE_V8)) was supported for
 -cpu max configurations. This caused a regression in the GCC test
 suite. Fix this by setting the appropriate bits in mvfr1.FPHP to
 report ARMv8-A with FP support (but not ARMv8.2-FP16).
-This board is based on the Xilinx Versal SoC. The exact
+Fixes: https://bugs.launchpad.net/qemu/+bug/1836078
-details of what peripherals are attached to this board
+Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
-will remain in control of QEMU. QEMU will generate an
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-FDT on the fly for Linux and other software to auto-discover
+Message-id: 20190711103737.10017-1-alex.bennee@linaro.org
 peripherals.
 Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
 [PMM: removed stray blank line at EOF]
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/Makefile.objs      |   2 +-
+ target/arm/cpu.c | 4 ++++
- hw/arm/xlnx-versal-virt.c | 493 ++++++++++++++++++++++++++++++++++++++
+file changed, 4 insertions(+)
 files changed, 494 insertions(+), 1 deletion(-)
  create mode 100644 hw/arm/xlnx-versal-virt.c
-diff --git a/hw/arm/Makefile.objs b/hw/arm/Makefile.objs
+diff --git a/target/arm/cpu.c b/target/arm/cpu.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/Makefile.objs
+--- a/target/arm/cpu.c
-+++ b/hw/arm/Makefile.objs
++++ b/target/arm/cpu.c
-@@ -XXX,XX +XXX,XX @@ obj-$(CONFIG_ALLWINNER_A10) += allwinner-a10.o cubieboard.o
+@@ -XXX,XX +XXX,XX @@ static void arm_max_initfn(Object *obj)
- obj-$(CONFIG_RASPI) += bcm2835_peripherals.o bcm2836.o raspi.o
+             t = FIELD_DP32(t, ID_ISAR6, SPECRES, 1);
- obj-$(CONFIG_STM32F205_SOC) += stm32f205_soc.o
+             cpu->isar.id_isar6 = t;
- obj-$(CONFIG_XLNX_ZYNQMP_ARM) += xlnx-zynqmp.o xlnx-zcu102.o
--obj-$(CONFIG_XLNX_VERSAL) += xlnx-versal.o
++            t = cpu->isar.mvfr1;
-+obj-$(CONFIG_XLNX_VERSAL) += xlnx-versal.o xlnx-versal-virt.o
++            t = FIELD_DP32(t, MVFR1, FPHP, 2);     /* v8.0 FP support */
- obj-$(CONFIG_FSL_IMX25) += fsl-imx25.o imx25_pdk.o
++            cpu->isar.mvfr1 = t;
  obj-$(CONFIG_FSL_IMX31) += fsl-imx31.o kzm.o
  obj-$(CONFIG_FSL_IMX6) += fsl-imx6.o sabrelite.o
 diff --git a/hw/arm/xlnx-versal-virt.c b/hw/arm/xlnx-versal-virt.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/hw/arm/xlnx-versal-virt.c
@@ -XXX,XX +XXX,XX @@
 +/*
 + * Xilinx Versal Virtual board.
 + *
 + * Copyright (c) 2018 Xilinx Inc.
 + * Written by Edgar E. Iglesias
 + *
 + * This program is free software; you can redistribute it and/or modify
 + * it under the terms of the GNU General Public License version 2 or
 + * (at your option) any later version.
 + */
 +
-+#include "qemu/osdep.h"
+             t = cpu->isar.mvfr2;
-+#include "qemu/log.h"
+             t = FIELD_DP32(t, MVFR2, SIMDMISC, 3); /* SIMD MaxNum */
-+#include "qemu/error-report.h"
+             t = FIELD_DP32(t, MVFR2, FPMISC, 4);   /* FP MaxNum */
 +#include "qapi/error.h"
 +#include "sysemu/device_tree.h"
 +#include "exec/address-spaces.h"
 +#include "hw/boards.h"
 +#include "hw/sysbus.h"
 +#include "hw/arm/sysbus-fdt.h"
 +#include "hw/arm/fdt.h"
 +#include "cpu.h"
 +#include "hw/arm/xlnx-versal.h"
 +
 +#define TYPE_XLNX_VERSAL_VIRT_MACHINE MACHINE_TYPE_NAME("xlnx-versal-virt")
 +#define XLNX_VERSAL_VIRT_MACHINE(obj) \
 +    OBJECT_CHECK(VersalVirt, (obj), TYPE_XLNX_VERSAL_VIRT_MACHINE)
 +
 +typedef struct VersalVirt {
 +    MachineState parent_obj;
 +
 +    Versal soc;
 +    MemoryRegion mr_ddr;
 +
 +    void *fdt;
 +    int fdt_size;
 +    struct {
 +        uint32_t gic;
 +        uint32_t ethernet_phy[2];
 +        uint32_t clk_125Mhz;
 +        uint32_t clk_25Mhz;
 +    } phandle;
 +    struct arm_boot_info binfo;
 +
 +    struct {
 +        bool secure;
 +    } cfg;
 +} VersalVirt;
 +
 +static void fdt_create(VersalVirt *s)
 +{
 +    MachineClass *mc = MACHINE_GET_CLASS(s);
 +    int i;
 +
 +    s->fdt = create_device_tree(&s->fdt_size);
 +    if (!s->fdt) {
 +        error_report("create_device_tree() failed");
 +        exit(1);
 +    }
 +
 +    /* Allocate all phandles.  */
 +    s->phandle.gic = qemu_fdt_alloc_phandle(s->fdt);
 +    for (i = 0; i < ARRAY_SIZE(s->phandle.ethernet_phy); i++) {
 +        s->phandle.ethernet_phy[i] = qemu_fdt_alloc_phandle(s->fdt);
 +    }
 +    s->phandle.clk_25Mhz = qemu_fdt_alloc_phandle(s->fdt);
 +    s->phandle.clk_125Mhz = qemu_fdt_alloc_phandle(s->fdt);
 +
 +    /* Create /chosen node for load_dtb.  */
 +    qemu_fdt_add_subnode(s->fdt, "/chosen");
 +
 +    /* Header */
 +    qemu_fdt_setprop_cell(s->fdt, "/", "interrupt-parent", s->phandle.gic);
 +    qemu_fdt_setprop_cell(s->fdt, "/", "#size-cells", 0x2);
 +    qemu_fdt_setprop_cell(s->fdt, "/", "#address-cells", 0x2);
 +    qemu_fdt_setprop_string(s->fdt, "/", "model", mc->desc);
 +    qemu_fdt_setprop_string(s->fdt, "/", "compatible", "xlnx-versal-virt");
 +}
 +
 +static void fdt_add_clk_node(VersalVirt *s, const char *name,
 +                             unsigned int freq_hz, uint32_t phandle)
 +{
 +    qemu_fdt_add_subnode(s->fdt, name);
 +    qemu_fdt_setprop_cell(s->fdt, name, "phandle", phandle);
 +    qemu_fdt_setprop_cell(s->fdt, name, "clock-frequency", freq_hz);
 +    qemu_fdt_setprop_cell(s->fdt, name, "#clock-cells", 0x0);
 +    qemu_fdt_setprop_string(s->fdt, name, "compatible", "fixed-clock");
 +    qemu_fdt_setprop(s->fdt, name, "u-boot,dm-pre-reloc", NULL, 0);
 +}
 +
 +static void fdt_add_cpu_nodes(VersalVirt *s, uint32_t psci_conduit)
 +{
 +    int i;
 +
 +    qemu_fdt_add_subnode(s->fdt, "/cpus");
 +    qemu_fdt_setprop_cell(s->fdt, "/cpus", "#size-cells", 0x0);
 +    qemu_fdt_setprop_cell(s->fdt, "/cpus", "#address-cells", 1);
 +
 +    for (i = XLNX_VERSAL_NR_ACPUS - 1; i >= 0; i--) {
 +        char *name = g_strdup_printf("/cpus/cpu@%d", i);
 +        ARMCPU *armcpu = ARM_CPU(qemu_get_cpu(i));
 +
 +        qemu_fdt_add_subnode(s->fdt, name);
 +        qemu_fdt_setprop_cell(s->fdt, name, "reg", armcpu->mp_affinity);
 +        if (psci_conduit != QEMU_PSCI_CONDUIT_DISABLED) {
 +            qemu_fdt_setprop_string(s->fdt, name, "enable-method", "psci");
 +        }
 +        qemu_fdt_setprop_string(s->fdt, name, "device_type", "cpu");
 +        qemu_fdt_setprop_string(s->fdt, name, "compatible",
 +                                armcpu->dtb_compatible);
 +        g_free(name);
 +    }
 +}
 +
 +static void fdt_add_gic_nodes(VersalVirt *s)
 +{
 +    char *nodename;
 +
 +    nodename = g_strdup_printf("/gic@%x", MM_GIC_APU_DIST_MAIN);
 +    qemu_fdt_add_subnode(s->fdt, nodename);
 +    qemu_fdt_setprop_cell(s->fdt, nodename, "phandle", s->phandle.gic);
 +    qemu_fdt_setprop_cells(s->fdt, nodename, "interrupts",
 +                           GIC_FDT_IRQ_TYPE_PPI, VERSAL_GIC_MAINT_IRQ,
 +                           GIC_FDT_IRQ_FLAGS_LEVEL_HI);
 +    qemu_fdt_setprop(s->fdt, nodename, "interrupt-controller", NULL, 0);
 +    qemu_fdt_setprop_sized_cells(s->fdt, nodename, "reg",
 +                                 2, MM_GIC_APU_DIST_MAIN,
 +                                 2, MM_GIC_APU_DIST_MAIN_SIZE,
 +                                 2, MM_GIC_APU_REDIST_0,
 +                                 2, MM_GIC_APU_REDIST_0_SIZE);
 +    qemu_fdt_setprop_cell(s->fdt, nodename, "#interrupt-cells", 3);
 +    qemu_fdt_setprop_string(s->fdt, nodename, "compatible", "arm,gic-v3");
 +}
 +
 +static void fdt_add_timer_nodes(VersalVirt *s)
 +{
 +    const char compat[] = "arm,armv8-timer";
 +    uint32_t irqflags = GIC_FDT_IRQ_FLAGS_LEVEL_HI;
 +
 +    qemu_fdt_add_subnode(s->fdt, "/timer");
 +    qemu_fdt_setprop_cells(s->fdt, "/timer", "interrupts",
 +            GIC_FDT_IRQ_TYPE_PPI, VERSAL_TIMER_S_EL1_IRQ, irqflags,
 +            GIC_FDT_IRQ_TYPE_PPI, VERSAL_TIMER_NS_EL1_IRQ, irqflags,
 +            GIC_FDT_IRQ_TYPE_PPI, VERSAL_TIMER_VIRT_IRQ, irqflags,
 +            GIC_FDT_IRQ_TYPE_PPI, VERSAL_TIMER_NS_EL2_IRQ, irqflags);
 +    qemu_fdt_setprop(s->fdt, "/timer", "compatible",
 +                     compat, sizeof(compat));
 +}
 +
 +static void fdt_add_uart_nodes(VersalVirt *s)
 +{
 +    uint64_t addrs[] = { MM_UART1, MM_UART0 };
 +    unsigned int irqs[] = { VERSAL_UART1_IRQ_0, VERSAL_UART0_IRQ_0 };
 +    const char compat[] = "arm,pl011\0arm,sbsa-uart";
 +    const char clocknames[] = "uartclk\0apb_pclk";
 +    int i;
 +
 +    for (i = 0; i < ARRAY_SIZE(addrs); i++) {
 +        char *name = g_strdup_printf("/uart@%" PRIx64, addrs[i]);
 +        qemu_fdt_add_subnode(s->fdt, name);
 +        qemu_fdt_setprop_cell(s->fdt, name, "current-speed", 115200);
 +        qemu_fdt_setprop_cells(s->fdt, name, "clocks",
 +                               s->phandle.clk_125Mhz, s->phandle.clk_125Mhz);
 +        qemu_fdt_setprop(s->fdt, name, "clock-names",
 +                         clocknames, sizeof(clocknames));
 +
 +        qemu_fdt_setprop_cells(s->fdt, name, "interrupts",
 +                               GIC_FDT_IRQ_TYPE_SPI, irqs[i],
 +                               GIC_FDT_IRQ_FLAGS_LEVEL_HI);
 +        qemu_fdt_setprop_sized_cells(s->fdt, name, "reg",
 +                                     2, addrs[i], 2, 0x1000);
 +        qemu_fdt_setprop(s->fdt, name, "compatible",
 +                         compat, sizeof(compat));
 +        qemu_fdt_setprop(s->fdt, name, "u-boot,dm-pre-reloc", NULL, 0);
 +
 +        if (addrs[i] == MM_UART0) {
 +            /* Select UART0.  */
 +            qemu_fdt_setprop_string(s->fdt, "/chosen", "stdout-path", name);
 +        }
 +        g_free(name);
 +    }
 +}
 +
 +static void fdt_add_fixed_link_nodes(VersalVirt *s, char *gemname,
 +                                     uint32_t phandle)
 +{
 +    char *name = g_strdup_printf("%s/fixed-link", gemname);
 +
 +    qemu_fdt_add_subnode(s->fdt, name);
 +    qemu_fdt_setprop_cell(s->fdt, name, "phandle", phandle);
 +    qemu_fdt_setprop_cells(s->fdt, name, "full-duplex");
 +    qemu_fdt_setprop_cell(s->fdt, name, "speed", 1000);
 +    g_free(name);
 +}
 +
 +static void fdt_add_gem_nodes(VersalVirt *s)
 +{
 +    uint64_t addrs[] = { MM_GEM1, MM_GEM0 };
 +    unsigned int irqs[] = { VERSAL_GEM1_IRQ_0, VERSAL_GEM0_IRQ_0 };
 +    const char clocknames[] = "pclk\0hclk\0tx_clk\0rx_clk";
 +    const char compat_gem[] = "cdns,zynqmp-gem\0cdns,gem";
 +    int i;
 +
 +    for (i = 0; i < ARRAY_SIZE(addrs); i++) {
 +        char *name = g_strdup_printf("/ethernet@%" PRIx64, addrs[i]);
 +        qemu_fdt_add_subnode(s->fdt, name);
 +
 +        fdt_add_fixed_link_nodes(s, name, s->phandle.ethernet_phy[i]);
 +        qemu_fdt_setprop_string(s->fdt, name, "phy-mode", "rgmii-id");
 +        qemu_fdt_setprop_cell(s->fdt, name, "phy-handle",
 +                              s->phandle.ethernet_phy[i]);
 +        qemu_fdt_setprop_cells(s->fdt, name, "clocks",
 +                               s->phandle.clk_25Mhz, s->phandle.clk_25Mhz,
 +                               s->phandle.clk_25Mhz, s->phandle.clk_25Mhz);
 +        qemu_fdt_setprop(s->fdt, name, "clock-names",
 +                         clocknames, sizeof(clocknames));
 +        qemu_fdt_setprop_cells(s->fdt, name, "interrupts",
 +                               GIC_FDT_IRQ_TYPE_SPI, irqs[i],
 +                               GIC_FDT_IRQ_FLAGS_LEVEL_HI,
 +                               GIC_FDT_IRQ_TYPE_SPI, irqs[i],
 +                               GIC_FDT_IRQ_FLAGS_LEVEL_HI);
 +        qemu_fdt_setprop_sized_cells(s->fdt, name, "reg",
 +                                     2, addrs[i], 2, 0x1000);
 +        qemu_fdt_setprop(s->fdt, name, "compatible",
 +                         compat_gem, sizeof(compat_gem));
 +        qemu_fdt_setprop_cell(s->fdt, name, "#address-cells", 1);
 +        qemu_fdt_setprop_cell(s->fdt, name, "#size-cells", 0);
 +        g_free(name);
 +    }
 +}
 +
 +static void fdt_nop_memory_nodes(void *fdt, Error **errp)
 +{
 +    Error *err = NULL;
 +    char **node_path;
 +    int n = 0;
 +
 +    node_path = qemu_fdt_node_unit_path(fdt, "memory", &err);
 +    if (err) {
 +        error_propagate(errp, err);
 +        return;
 +    }
 +    while (node_path[n]) {
 +        if (g_str_has_prefix(node_path[n], "/memory")) {
 +            qemu_fdt_nop_node(fdt, node_path[n]);
 +        }
 +        n++;
 +    }
 +    g_strfreev(node_path);
 +}
 +
 +static void fdt_add_memory_nodes(VersalVirt *s, void *fdt, uint64_t ram_size)
 +{
 +    /* Describes the various split DDR access regions.  */
 +    static const struct {
 +        uint64_t base;
 +        uint64_t size;
 +    } addr_ranges[] = {
 +        { MM_TOP_DDR, MM_TOP_DDR_SIZE },
 +        { MM_TOP_DDR_2, MM_TOP_DDR_2_SIZE },
 +        { MM_TOP_DDR_3, MM_TOP_DDR_3_SIZE },
 +        { MM_TOP_DDR_4, MM_TOP_DDR_4_SIZE }
 +    };
 +    uint64_t mem_reg_prop[8] = {0};
 +    uint64_t size = ram_size;
 +    Error *err = NULL;
 +    char *name;
 +    int i;
 +
 +    fdt_nop_memory_nodes(fdt, &err);
 +    if (err) {
 +        error_report_err(err);
 +        return;
 +    }
 +
 +    name = g_strdup_printf("/memory@%x", MM_TOP_DDR);
 +    for (i = 0; i < ARRAY_SIZE(addr_ranges) && size; i++) {
 +        uint64_t mapsize;
 +
 +        mapsize = size < addr_ranges[i].size ? size : addr_ranges[i].size;
 +
 +        mem_reg_prop[i * 2] = addr_ranges[i].base;
 +        mem_reg_prop[i * 2 + 1] = mapsize;
 +        size -= mapsize;
 +    }
 +    qemu_fdt_add_subnode(fdt, name);
 +    qemu_fdt_setprop_string(fdt, name, "device_type", "memory");
 +
 +    switch (i) {
 +    case 1:
 +        qemu_fdt_setprop_sized_cells(fdt, name, "reg",
 +                                     2, mem_reg_prop[0],
 +                                     2, mem_reg_prop[1]);
 +        break;
 +    case 2:
 +        qemu_fdt_setprop_sized_cells(fdt, name, "reg",
 +                                     2, mem_reg_prop[0],
 +                                     2, mem_reg_prop[1],
 +                                     2, mem_reg_prop[2],
 +                                     2, mem_reg_prop[3]);
 +        break;
 +    case 3:
 +        qemu_fdt_setprop_sized_cells(fdt, name, "reg",
 +                                     2, mem_reg_prop[0],
 +                                     2, mem_reg_prop[1],
 +                                     2, mem_reg_prop[2],
 +                                     2, mem_reg_prop[3],
 +                                     2, mem_reg_prop[4],
 +                                     2, mem_reg_prop[5]);
 +        break;
 +    case 4:
 +        qemu_fdt_setprop_sized_cells(fdt, name, "reg",
 +                                     2, mem_reg_prop[0],
 +                                     2, mem_reg_prop[1],
 +                                     2, mem_reg_prop[2],
 +                                     2, mem_reg_prop[3],
 +                                     2, mem_reg_prop[4],
 +                                     2, mem_reg_prop[5],
 +                                     2, mem_reg_prop[6],
 +                                     2, mem_reg_prop[7]);
 +        break;
 +    default:
 +        g_assert_not_reached();
 +    }
 +    g_free(name);
 +}
 +
 +static void versal_virt_modify_dtb(const struct arm_boot_info *binfo,
 +                                    void *fdt)
 +{
 +    VersalVirt *s = container_of(binfo, VersalVirt, binfo);
 +
 +    fdt_add_memory_nodes(s, fdt, binfo->ram_size);
 +}
 +
 +static void *versal_virt_get_dtb(const struct arm_boot_info *binfo,
 +                                  int *fdt_size)
 +{
 +    const VersalVirt *board = container_of(binfo, VersalVirt, binfo);
 +
 +    *fdt_size = board->fdt_size;
 +    return board->fdt;
 +}
 +
 +#define NUM_VIRTIO_TRANSPORT 32
 +static void create_virtio_regions(VersalVirt *s)
 +{
 +    int virtio_mmio_size = 0x200;
 +    int i;
 +
 +    for (i = 0; i < NUM_VIRTIO_TRANSPORT; i++) {
 +        char *name = g_strdup_printf("virtio%d", i);;
 +        hwaddr base = MM_TOP_RSVD + i * virtio_mmio_size;
 +        int irq = VERSAL_RSVD_HIGH_IRQ_FIRST + i;
 +        MemoryRegion *mr;
 +        DeviceState *dev;
 +        qemu_irq pic_irq;
 +
 +        pic_irq = qdev_get_gpio_in(DEVICE(&s->soc.fpd.apu.gic), irq);
 +        dev = qdev_create(NULL, "virtio-mmio");
 +        object_property_add_child(OBJECT(&s->soc), name, OBJECT(dev),
 +                                  &error_fatal);
 +        qdev_init_nofail(dev);
 +        sysbus_connect_irq(SYS_BUS_DEVICE(dev), 0, pic_irq);
 +        mr = sysbus_mmio_get_region(SYS_BUS_DEVICE(dev), 0);
 +        memory_region_add_subregion(&s->soc.mr_ps, base, mr);
 +        sysbus_create_simple("virtio-mmio", base, pic_irq);
 +    }
 +
 +    for (i = 0; i < NUM_VIRTIO_TRANSPORT; i++) {
 +        hwaddr base = MM_TOP_RSVD + i * virtio_mmio_size;
 +        int irq = VERSAL_RSVD_HIGH_IRQ_FIRST + i;
 +        char *name = g_strdup_printf("/virtio_mmio@%" PRIx64, base);
 +
 +        qemu_fdt_add_subnode(s->fdt, name);
 +        qemu_fdt_setprop(s->fdt, name, "dma-coherent", NULL, 0);
 +        qemu_fdt_setprop_cells(s->fdt, name, "interrupts",
 +                               GIC_FDT_IRQ_TYPE_SPI, irq,
 +                               GIC_FDT_IRQ_FLAGS_EDGE_LO_HI);
 +        qemu_fdt_setprop_sized_cells(s->fdt, name, "reg",
 +                                     2, base, 2, virtio_mmio_size);
 +        qemu_fdt_setprop_string(s->fdt, name, "compatible", "virtio,mmio");
 +        g_free(name);
 +    }
 +}
 +
 +static void versal_virt_init(MachineState *machine)
 +{
 +    VersalVirt *s = XLNX_VERSAL_VIRT_MACHINE(machine);
 +    int psci_conduit = QEMU_PSCI_CONDUIT_DISABLED;
 +
 +    /*
 +     * If the user provides an Operating System to be loaded, we expect them
 +     * to use the -kernel command line option.
 +     *
 +     * Users can load firmware or boot-loaders with the -device loader options.
 +     *
 +     * When loading an OS, we generate a dtb and let arm_load_kernel() select
 +     * where it gets loaded. This dtb will be passed to the kernel in x0.
 +     *
 +     * If there's no -kernel option, we generate a DTB and place it at 0x1000
 +     * for the bootloaders or firmware to pick up.
 +     *
 +     * If users want to provide their own DTB, they can use the -dtb option.
 +     * These dtb's will have their memory nodes modified to match QEMU's
 +     * selected ram_size option before they get passed to the kernel or fw.
 +     *
 +     * When loading an OS, we turn on QEMU's PSCI implementation with SMC
 +     * as the PSCI conduit. When there's no -kernel, we assume the user
 +     * provides EL3 firmware to handle PSCI.
 +     */
 +    if (machine->kernel_filename) {
 +        psci_conduit = QEMU_PSCI_CONDUIT_SMC;
 +    }
 +
 +    memory_region_allocate_system_memory(&s->mr_ddr, NULL, "ddr",
 +                                         machine->ram_size);
 +
 +    sysbus_init_child_obj(OBJECT(machine), "xlnx-ve", &s->soc,
 +                          sizeof(s->soc), TYPE_XLNX_VERSAL);
 +    object_property_set_link(OBJECT(&s->soc), OBJECT(&s->mr_ddr),
 +                             "ddr", &error_abort);
 +    object_property_set_int(OBJECT(&s->soc), psci_conduit,
 +                            "psci-conduit", &error_abort);
 +    object_property_set_bool(OBJECT(&s->soc), true, "realized", &error_fatal);
 +
 +    fdt_create(s);
 +    create_virtio_regions(s);
 +    fdt_add_gem_nodes(s);
 +    fdt_add_uart_nodes(s);
 +    fdt_add_gic_nodes(s);
 +    fdt_add_timer_nodes(s);
 +    fdt_add_cpu_nodes(s, psci_conduit);
 +    fdt_add_clk_node(s, "/clk125", 125000000, s->phandle.clk_125Mhz);
 +    fdt_add_clk_node(s, "/clk25", 25000000, s->phandle.clk_25Mhz);
 +
 +    /* Make the APU cpu address space visible to virtio and other
 +     * modules unaware of muliple address-spaces.  */
 +    memory_region_add_subregion_overlap(get_system_memory(),
 +                                        0, &s->soc.fpd.apu.mr, 0);
 +
 +    s->binfo.ram_size = machine->ram_size;
 +    s->binfo.kernel_filename = machine->kernel_filename;
 +    s->binfo.kernel_cmdline = machine->kernel_cmdline;
 +    s->binfo.initrd_filename = machine->initrd_filename;
 +    s->binfo.loader_start = 0x0;
 +    s->binfo.get_dtb = versal_virt_get_dtb;
 +    s->binfo.modify_dtb = versal_virt_modify_dtb;
 +    if (machine->kernel_filename) {
 +        arm_load_kernel(s->soc.fpd.apu.cpu[0], &s->binfo);
 +    } else {
 +        AddressSpace *as = arm_boot_address_space(s->soc.fpd.apu.cpu[0],
 +                                                  &s->binfo);
 +        /* Some boot-loaders (e.g u-boot) don't like blobs at address 0 (NULL).
 +         * Offset things by 4K.  */
 +        s->binfo.loader_start = 0x1000;
 +        s->binfo.dtb_limit = 0x1000000;
 +        if (arm_load_dtb(s->binfo.loader_start,
 +                         &s->binfo, s->binfo.dtb_limit, as) < 0) {
 +            exit(EXIT_FAILURE);
 +        }
 +    }
 +}
 +
 +static void versal_virt_machine_instance_init(Object *obj)
 +{
 +}
 +
 +static void versal_virt_machine_class_init(ObjectClass *oc, void *data)
 +{
 +    MachineClass *mc = MACHINE_CLASS(oc);
 +
 +    mc->desc = "Xilinx Versal Virtual development board";
 +    mc->init = versal_virt_init;
 +    mc->max_cpus = XLNX_VERSAL_NR_ACPUS;
 +    mc->default_cpus = XLNX_VERSAL_NR_ACPUS;
 +    mc->no_cdrom = true;
 +}
 +
 +static const TypeInfo versal_virt_machine_init_typeinfo = {
 +    .name       = TYPE_XLNX_VERSAL_VIRT_MACHINE,
 +    .parent     = TYPE_MACHINE,
 +    .class_init = versal_virt_machine_class_init,
 +    .instance_init = versal_virt_machine_instance_init,
 +    .instance_size = sizeof(VersalVirt),
 +};
 +
 +static void versal_virt_machine_init_register_types(void)
 +{
 +    type_register_static(&versal_virt_machine_init_typeinfo);
 +}
 +
 +type_init(versal_virt_machine_init_register_types)
 --
-.19.1
+.20.1

-New patch
+[Qemu-devel] [PULL 02/10] hw/ssi/xilinx_spips: Convert lqspi_read() to read_with_attrs
+From: Philippe Mathieu-Daudé <philmd@redhat.com>
+In the next commit we will implement the write_with_attrs()
+handler. To avoid using different APIs, convert the read()
+handler first.
+Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
+Tested-by: Francisco Iglesias <frasse.iglesias@gmail.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ hw/ssi/xilinx_spips.c | 23 +++++++++++------------
+file changed, 11 insertions(+), 12 deletions(-)
+diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/ssi/xilinx_spips.c
++++ b/hw/ssi/xilinx_spips.c
+@@ -XXX,XX +XXX,XX @@ static void lqspi_load_cache(void *opaque, hwaddr addr)
+     }
+ }
+-static uint64_t
+-lqspi_read(void *opaque, hwaddr addr, unsigned int size)
++static MemTxResult lqspi_read(void *opaque, hwaddr addr, uint64_t *value,
++                              unsigned size, MemTxAttrs attrs)
+ {
+-    XilinxQSPIPS *q = opaque;
+-    uint32_t ret;
++    XilinxQSPIPS *q = XILINX_QSPIPS(opaque);
+     if (addr >= q->lqspi_cached_addr &&
+             addr <= q->lqspi_cached_addr + LQSPI_CACHE_SIZE - 4) {
+         uint8_t *retp = &q->lqspi_buf[addr - q->lqspi_cached_addr];
+-        ret = cpu_to_le32(*(uint32_t *)retp);
+-        DB_PRINT_L(1, "addr: %08x, data: %08x\n", (unsigned)addr,
+-                   (unsigned)ret);
+-        return ret;
+-    } else {
+-        lqspi_load_cache(opaque, addr);
+-        return lqspi_read(opaque, addr, size);
++        *value = cpu_to_le32(*(uint32_t *)retp);
++        DB_PRINT_L(1, "addr: %08" HWADDR_PRIx ", data: %08" PRIx64 "\n",
++                   addr, *value);
++        return MEMTX_OK;
+     }
++
++    lqspi_load_cache(opaque, addr);
++    return lqspi_read(opaque, addr, value, size, attrs);
+ }
+ static const MemoryRegionOps lqspi_ops = {
+-    .read = lqspi_read,
++    .read_with_attrs = lqspi_read,
+     .endianness = DEVICE_NATIVE_ENDIAN,
+     .valid = {
+         .min_access_size = 1,
+--
+.20.1

-[Qemu-devel] [PULL 2/6] hw/arm: versal: Add a model of Xilinx Versal SoC
+[Qemu-devel] [PULL 03/10] hw/ssi/xilinx_spips: Avoid AXI writes to the LQSPI linear memory
-From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>
+From: Philippe Mathieu-Daudé <philmd@redhat.com>
-Add a model of Xilinx Versal SoC.
+Lei Sun found while auditing the code that a CPU write would
 trigger a NULL pointer dereference.
-Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+>From UG1085 datasheet [*] AXI writes in this region are ignored
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+and generates an AXI Slave Error (SLVERR).
 Fix by implementing the write_with_attrs() handler.
 Return MEMTX_ERROR when the region is accessed (this error maps
 to an AXI slave error).
 [*] https://www.xilinx.com/support/documentation/user_guides/ug1085-zynq-ultrascale-trm.pdf
 Reported-by: Lei Sun <slei.casper@gmail.com>
 Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
 Tested-by: Francisco Iglesias <frasse.iglesias@gmail.com>
 Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/Makefile.objs                |   1 +
+ hw/ssi/xilinx_spips.c | 16 ++++++++++++++++
- include/hw/arm/xlnx-versal.h        | 122 +++++++++++
+file changed, 16 insertions(+)
  hw/arm/xlnx-versal.c                | 323 ++++++++++++++++++++++++++++
  default-configs/aarch64-softmmu.mak |   1 +
 files changed, 447 insertions(+)
  create mode 100644 include/hw/arm/xlnx-versal.h
  create mode 100644 hw/arm/xlnx-versal.c
-diff --git a/hw/arm/Makefile.objs b/hw/arm/Makefile.objs
+diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/Makefile.objs
+--- a/hw/ssi/xilinx_spips.c
-+++ b/hw/arm/Makefile.objs
++++ b/hw/ssi/xilinx_spips.c
-@@ -XXX,XX +XXX,XX @@ obj-$(CONFIG_ALLWINNER_A10) += allwinner-a10.o cubieboard.o
+@@ -XXX,XX +XXX,XX @@ static MemTxResult lqspi_read(void *opaque, hwaddr addr, uint64_t *value,
- obj-$(CONFIG_RASPI) += bcm2835_peripherals.o bcm2836.o raspi.o
+     return lqspi_read(opaque, addr, value, size, attrs);
- obj-$(CONFIG_STM32F205_SOC) += stm32f205_soc.o
+ }
- obj-$(CONFIG_XLNX_ZYNQMP_ARM) += xlnx-zynqmp.o xlnx-zcu102.o
-+obj-$(CONFIG_XLNX_VERSAL) += xlnx-versal.o
++static MemTxResult lqspi_write(void *opaque, hwaddr offset, uint64_t value,
- obj-$(CONFIG_FSL_IMX25) += fsl-imx25.o imx25_pdk.o
++                               unsigned size, MemTxAttrs attrs)
- obj-$(CONFIG_FSL_IMX31) += fsl-imx31.o kzm.o
++{
- obj-$(CONFIG_FSL_IMX6) += fsl-imx6.o sabrelite.o
++    /*
-diff --git a/include/hw/arm/xlnx-versal.h b/include/hw/arm/xlnx-versal.h
++     * From UG1085, Chapter 24 (Quad-SPI controllers):
-new file mode 100644
++     * - Writes are ignored
-index XXXXXXX..XXXXXXX
++     * - AXI writes generate an external AXI slave error (SLVERR)
---- /dev/null
++     */
-+++ b/include/hw/arm/xlnx-versal.h
++    qemu_log_mask(LOG_GUEST_ERROR, "%s Unexpected %u-bit access to 0x%" PRIx64
-@@ -XXX,XX +XXX,XX @@
++                                   " (value: 0x%" PRIx64 "\n",
-+/*
++                  __func__, size << 3, offset, value);
 + * Model of the Xilinx Versal
 + *
 + * Copyright (c) 2018 Xilinx Inc.
 + * Written by Edgar E. Iglesias
 + *
 + * This program is free software; you can redistribute it and/or modify
 + * it under the terms of the GNU General Public License version 2 or
 + * (at your option) any later version.
 + */
 +
-+#ifndef XLNX_VERSAL_H
++    return MEMTX_ERROR;
 +#define XLNX_VERSAL_H
 +
 +#include "hw/sysbus.h"
 +#include "hw/arm/arm.h"
 +#include "hw/intc/arm_gicv3.h"
 +
 +#define TYPE_XLNX_VERSAL "xlnx-versal"
 +#define XLNX_VERSAL(obj) OBJECT_CHECK(Versal, (obj), TYPE_XLNX_VERSAL)
 +
 +#define XLNX_VERSAL_NR_ACPUS   2
 +#define XLNX_VERSAL_NR_UARTS   2
 +#define XLNX_VERSAL_NR_GEMS    2
 +#define XLNX_VERSAL_NR_IRQS    256
 +
 +typedef struct Versal {
 +    /*< private >*/
 +    SysBusDevice parent_obj;
 +
 +    /*< public >*/
 +    struct {
 +        struct {
 +            MemoryRegion mr;
 +            ARMCPU *cpu[XLNX_VERSAL_NR_ACPUS];
 +            GICv3State gic;
 +        } apu;
 +    } fpd;
 +
 +    MemoryRegion mr_ps;
 +
 +    struct {
 +        /* 4 ranges to access DDR.  */
 +        MemoryRegion mr_ddr_ranges[4];
 +    } noc;
 +
 +    struct {
 +        MemoryRegion mr_ocm;
 +
 +        struct {
 +            SysBusDevice *uart[XLNX_VERSAL_NR_UARTS];
 +            SysBusDevice *gem[XLNX_VERSAL_NR_GEMS];
 +        } iou;
 +    } lpd;
 +
 +    struct {
 +        MemoryRegion *mr_ddr;
 +        uint32_t psci_conduit;
 +    } cfg;
 +} Versal;
 +
 +/* Memory-map and IRQ definitions. Copied a subset from
 + * auto-generated files.  */
 +
 +#define VERSAL_GIC_MAINT_IRQ        9
 +#define VERSAL_TIMER_VIRT_IRQ       11
 +#define VERSAL_TIMER_S_EL1_IRQ      13
 +#define VERSAL_TIMER_NS_EL1_IRQ     14
 +#define VERSAL_TIMER_NS_EL2_IRQ     10
 +
 +#define VERSAL_UART0_IRQ_0         18
 +#define VERSAL_UART1_IRQ_0         19
 +#define VERSAL_GEM0_IRQ_0          56
 +#define VERSAL_GEM0_WAKE_IRQ_0     57
 +#define VERSAL_GEM1_IRQ_0          58
 +#define VERSAL_GEM1_WAKE_IRQ_0     59
 +
 +/* Architecturally eserved IRQs suitable for virtualization.  */
 +#define VERSAL_RSVD_HIGH_IRQ_FIRST 160
 +#define VERSAL_RSVD_HIGH_IRQ_LAST  255
 +
 +#define MM_TOP_RSVD                 0xa0000000U
 +#define MM_TOP_RSVD_SIZE            0x4000000
 +#define MM_GIC_APU_DIST_MAIN        0xf9000000U
 +#define MM_GIC_APU_DIST_MAIN_SIZE   0x10000
 +#define MM_GIC_APU_REDIST_0         0xf9080000U
 +#define MM_GIC_APU_REDIST_0_SIZE    0x80000
 +
 +#define MM_UART0                    0xff000000U
 +#define MM_UART0_SIZE               0x10000
 +#define MM_UART1                    0xff010000U
 +#define MM_UART1_SIZE               0x10000
 +
 +#define MM_GEM0                     0xff0c0000U
 +#define MM_GEM0_SIZE                0x10000
 +#define MM_GEM1                     0xff0d0000U
 +#define MM_GEM1_SIZE                0x10000
 +
 +#define MM_OCM                      0xfffc0000U
 +#define MM_OCM_SIZE                 0x40000
 +
 +#define MM_TOP_DDR                  0x0
 +#define MM_TOP_DDR_SIZE             0x80000000U
 +#define MM_TOP_DDR_2                0x800000000ULL
 +#define MM_TOP_DDR_2_SIZE           0x800000000ULL
 +#define MM_TOP_DDR_3                0xc000000000ULL
 +#define MM_TOP_DDR_3_SIZE           0x4000000000ULL
 +#define MM_TOP_DDR_4                0x10000000000ULL
 +#define MM_TOP_DDR_4_SIZE           0xb780000000ULL
 +
 +#define MM_PSM_START                0xffc80000U
 +#define MM_PSM_END                  0xffcf0000U
 +
 +#define MM_CRL                      0xff5e0000U
 +#define MM_CRL_SIZE                 0x300000
 +#define MM_IOU_SCNTR                0xff130000U
 +#define MM_IOU_SCNTR_SIZE           0x10000
 +#define MM_IOU_SCNTRS               0xff140000U
 +#define MM_IOU_SCNTRS_SIZE          0x10000
 +#define MM_FPD_CRF                  0xfd1a0000U
 +#define MM_FPD_CRF_SIZE             0x140000
 +#endif
 diff --git a/hw/arm/xlnx-versal.c b/hw/arm/xlnx-versal.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/hw/arm/xlnx-versal.c
@@ -XXX,XX +XXX,XX @@
 +/*
 + * Xilinx Versal SoC model.
 + *
 + * Copyright (c) 2018 Xilinx Inc.
 + * Written by Edgar E. Iglesias
 + *
 + * This program is free software; you can redistribute it and/or modify
 + * it under the terms of the GNU General Public License version 2 or
 + * (at your option) any later version.
 + */
 +
 +#include "qemu/osdep.h"
 +#include "qapi/error.h"
 +#include "qemu-common.h"
 +#include "qemu/log.h"
 +#include "hw/sysbus.h"
 +#include "net/net.h"
 +#include "sysemu/sysemu.h"
 +#include "sysemu/kvm.h"
 +#include "hw/arm/arm.h"
 +#include "kvm_arm.h"
 +#include "hw/misc/unimp.h"
 +#include "hw/intc/arm_gicv3_common.h"
 +#include "hw/arm/xlnx-versal.h"
 +
 +#define XLNX_VERSAL_ACPU_TYPE ARM_CPU_TYPE_NAME("cortex-a72")
 +#define GEM_REVISION        0x40070106
 +
 +static void versal_create_apu_cpus(Versal *s)
 +{
 +    int i;
 +
 +    for (i = 0; i < ARRAY_SIZE(s->fpd.apu.cpu); i++) {
 +        Object *obj;
 +        char *name;
 +
 +        obj = object_new(XLNX_VERSAL_ACPU_TYPE);
 +        if (!obj) {
 +            /* Secondary CPUs start in PSCI powered-down state */
 +            error_report("Unable to create apu.cpu[%d] of type %s",
 +                         i, XLNX_VERSAL_ACPU_TYPE);
 +            exit(EXIT_FAILURE);
 +        }
 +
 +        name = g_strdup_printf("apu-cpu[%d]", i);
 +        object_property_add_child(OBJECT(s), name, obj, &error_fatal);
 +        g_free(name);
 +
 +        object_property_set_int(obj, s->cfg.psci_conduit,
 +                                "psci-conduit", &error_abort);
 +        if (i) {
 +            object_property_set_bool(obj, true,
 +                                     "start-powered-off", &error_abort);
 +        }
 +
 +        object_property_set_int(obj, ARRAY_SIZE(s->fpd.apu.cpu),
 +                                "core-count", &error_abort);
 +        object_property_set_link(obj, OBJECT(&s->fpd.apu.mr), "memory",
 +                                 &error_abort);
 +        object_property_set_bool(obj, true, "realized", &error_fatal);
 +        s->fpd.apu.cpu[i] = ARM_CPU(obj);
 +    }
 +}
 +
-+static void versal_create_apu_gic(Versal *s, qemu_irq *pic)
+ static const MemoryRegionOps lqspi_ops = {
-+{
+     .read_with_attrs = lqspi_read,
-+    static const uint64_t addrs[] = {
++    .write_with_attrs = lqspi_write,
-+        MM_GIC_APU_DIST_MAIN,
+     .endianness = DEVICE_NATIVE_ENDIAN,
-+        MM_GIC_APU_REDIST_0
+     .valid = {
-+    };
+         .min_access_size = 1,
 +    SysBusDevice *gicbusdev;
 +    DeviceState *gicdev;
 +    int nr_apu_cpus = ARRAY_SIZE(s->fpd.apu.cpu);
 +    int i;
 +
 +    sysbus_init_child_obj(OBJECT(s), "apu-gic",
 +                          &s->fpd.apu.gic, sizeof(s->fpd.apu.gic),
 +                          gicv3_class_name());
 +    gicbusdev = SYS_BUS_DEVICE(&s->fpd.apu.gic);
 +    gicdev = DEVICE(&s->fpd.apu.gic);
 +    qdev_prop_set_uint32(gicdev, "revision", 3);
 +    qdev_prop_set_uint32(gicdev, "num-cpu", 2);
 +    qdev_prop_set_uint32(gicdev, "num-irq", XLNX_VERSAL_NR_IRQS + 32);
 +    qdev_prop_set_uint32(gicdev, "len-redist-region-count", 1);
 +    qdev_prop_set_uint32(gicdev, "redist-region-count[0]", 2);
 +    qdev_prop_set_bit(gicdev, "has-security-extensions", true);
 +
 +    object_property_set_bool(OBJECT(&s->fpd.apu.gic), true, "realized",
 +                                    &error_fatal);
 +
 +    for (i = 0; i < ARRAY_SIZE(addrs); i++) {
 +        MemoryRegion *mr;
 +
 +        mr = sysbus_mmio_get_region(gicbusdev, i);
 +        memory_region_add_subregion(&s->fpd.apu.mr, addrs[i], mr);
 +    }
 +
 +    for (i = 0; i < nr_apu_cpus; i++) {
 +        DeviceState *cpudev = DEVICE(s->fpd.apu.cpu[i]);
 +        int ppibase = XLNX_VERSAL_NR_IRQS + i * GIC_INTERNAL + GIC_NR_SGIS;
 +        qemu_irq maint_irq;
 +        int ti;
 +        /* Mapping from the output timer irq lines from the CPU to the
 +         * GIC PPI inputs.
 +         */
 +        const int timer_irq[] = {
 +            [GTIMER_PHYS] = VERSAL_TIMER_NS_EL1_IRQ,
 +            [GTIMER_VIRT] = VERSAL_TIMER_VIRT_IRQ,
 +            [GTIMER_HYP]  = VERSAL_TIMER_NS_EL2_IRQ,
 +            [GTIMER_SEC]  = VERSAL_TIMER_S_EL1_IRQ,
 +        };
 +
 +        for (ti = 0; ti < ARRAY_SIZE(timer_irq); ti++) {
 +            qdev_connect_gpio_out(cpudev, ti,
 +                                  qdev_get_gpio_in(gicdev,
 +                                                   ppibase + timer_irq[ti]));
 +        }
 +        maint_irq = qdev_get_gpio_in(gicdev,
 +                                        ppibase + VERSAL_GIC_MAINT_IRQ);
 +        qdev_connect_gpio_out_named(cpudev, "gicv3-maintenance-interrupt",
 +                                    0, maint_irq);
 +        sysbus_connect_irq(gicbusdev, i, qdev_get_gpio_in(cpudev, ARM_CPU_IRQ));
 +        sysbus_connect_irq(gicbusdev, i + nr_apu_cpus,
 +                           qdev_get_gpio_in(cpudev, ARM_CPU_FIQ));
 +        sysbus_connect_irq(gicbusdev, i + 2 * nr_apu_cpus,
 +                           qdev_get_gpio_in(cpudev, ARM_CPU_VIRQ));
 +        sysbus_connect_irq(gicbusdev, i + 3 * nr_apu_cpus,
 +                           qdev_get_gpio_in(cpudev, ARM_CPU_VFIQ));
 +    }
 +
 +    for (i = 0; i < XLNX_VERSAL_NR_IRQS; i++) {
 +        pic[i] = qdev_get_gpio_in(gicdev, i);
 +    }
 +}
 +
 +static void versal_create_uarts(Versal *s, qemu_irq *pic)
 +{
 +    int i;
 +
 +    for (i = 0; i < ARRAY_SIZE(s->lpd.iou.uart); i++) {
 +        static const int irqs[] = { VERSAL_UART0_IRQ_0, VERSAL_UART1_IRQ_0};
 +        static const uint64_t addrs[] = { MM_UART0, MM_UART1 };
 +        char *name = g_strdup_printf("uart%d", i);
 +        DeviceState *dev;
 +        MemoryRegion *mr;
 +
 +        dev = qdev_create(NULL, "pl011");
 +        s->lpd.iou.uart[i] = SYS_BUS_DEVICE(dev);
 +        qdev_prop_set_chr(dev, "chardev", serial_hd(i));
 +        object_property_add_child(OBJECT(s), name, OBJECT(dev), &error_fatal);
 +        qdev_init_nofail(dev);
 +
 +        mr = sysbus_mmio_get_region(s->lpd.iou.uart[i], 0);
 +        memory_region_add_subregion(&s->mr_ps, addrs[i], mr);
 +
 +        sysbus_connect_irq(s->lpd.iou.uart[i], 0, pic[irqs[i]]);
 +        g_free(name);
 +    }
 +}
 +
 +static void versal_create_gems(Versal *s, qemu_irq *pic)
 +{
 +    int i;
 +
 +    for (i = 0; i < ARRAY_SIZE(s->lpd.iou.gem); i++) {
 +        static const int irqs[] = { VERSAL_GEM0_IRQ_0, VERSAL_GEM1_IRQ_0};
 +        static const uint64_t addrs[] = { MM_GEM0, MM_GEM1 };
 +        char *name = g_strdup_printf("gem%d", i);
 +        NICInfo *nd = &nd_table[i];
 +        DeviceState *dev;
 +        MemoryRegion *mr;
 +
 +        dev = qdev_create(NULL, "cadence_gem");
 +        s->lpd.iou.gem[i] = SYS_BUS_DEVICE(dev);
 +        object_property_add_child(OBJECT(s), name, OBJECT(dev), &error_fatal);
 +        if (nd->used) {
 +            qemu_check_nic_model(nd, "cadence_gem");
 +            qdev_set_nic_properties(dev, nd);
 +        }
 +        object_property_set_int(OBJECT(s->lpd.iou.gem[i]),
 +                                2, "num-priority-queues",
 +                                &error_abort);
 +        object_property_set_link(OBJECT(s->lpd.iou.gem[i]),
 +                                 OBJECT(&s->mr_ps), "dma",
 +                                 &error_abort);
 +        qdev_init_nofail(dev);
 +
 +        mr = sysbus_mmio_get_region(s->lpd.iou.gem[i], 0);
 +        memory_region_add_subregion(&s->mr_ps, addrs[i], mr);
 +
 +        sysbus_connect_irq(s->lpd.iou.gem[i], 0, pic[irqs[i]]);
 +        g_free(name);
 +    }
 +}
 +
 +/* This takes the board allocated linear DDR memory and creates aliases
 + * for each split DDR range/aperture on the Versal address map.
 + */
 +static void versal_map_ddr(Versal *s)
 +{
 +    uint64_t size = memory_region_size(s->cfg.mr_ddr);
 +    /* Describes the various split DDR access regions.  */
 +    static const struct {
 +        uint64_t base;
 +        uint64_t size;
 +    } addr_ranges[] = {
 +        { MM_TOP_DDR, MM_TOP_DDR_SIZE },
 +        { MM_TOP_DDR_2, MM_TOP_DDR_2_SIZE },
 +        { MM_TOP_DDR_3, MM_TOP_DDR_3_SIZE },
 +        { MM_TOP_DDR_4, MM_TOP_DDR_4_SIZE }
 +    };
 +    uint64_t offset = 0;
 +    int i;
 +
 +    assert(ARRAY_SIZE(addr_ranges) == ARRAY_SIZE(s->noc.mr_ddr_ranges));
 +    for (i = 0; i < ARRAY_SIZE(addr_ranges) && size; i++) {
 +        char *name;
 +        uint64_t mapsize;
 +
 +        mapsize = size < addr_ranges[i].size ? size : addr_ranges[i].size;
 +        name = g_strdup_printf("noc-ddr-range%d", i);
 +        /* Create the MR alias.  */
 +        memory_region_init_alias(&s->noc.mr_ddr_ranges[i], OBJECT(s),
 +                                 name, s->cfg.mr_ddr,
 +                                 offset, mapsize);
 +
 +        /* Map it onto the NoC MR.  */
 +        memory_region_add_subregion(&s->mr_ps, addr_ranges[i].base,
 +                                    &s->noc.mr_ddr_ranges[i]);
 +        offset += mapsize;
 +        size -= mapsize;
 +        g_free(name);
 +    }
 +}
 +
 +static void versal_unimp_area(Versal *s, const char *name,
 +                                MemoryRegion *mr,
 +                                hwaddr base, hwaddr size)
 +{
 +    DeviceState *dev = qdev_create(NULL, TYPE_UNIMPLEMENTED_DEVICE);
 +    MemoryRegion *mr_dev;
 +
 +    qdev_prop_set_string(dev, "name", name);
 +    qdev_prop_set_uint64(dev, "size", size);
 +    object_property_add_child(OBJECT(s), name, OBJECT(dev), &error_fatal);
 +    qdev_init_nofail(dev);
 +
 +    mr_dev = sysbus_mmio_get_region(SYS_BUS_DEVICE(dev), 0);
 +    memory_region_add_subregion(mr, base, mr_dev);
 +}
 +
 +static void versal_unimp(Versal *s)
 +{
 +    versal_unimp_area(s, "psm", &s->mr_ps,
 +                        MM_PSM_START, MM_PSM_END - MM_PSM_START);
 +    versal_unimp_area(s, "crl", &s->mr_ps,
 +                        MM_CRL, MM_CRL_SIZE);
 +    versal_unimp_area(s, "crf", &s->mr_ps,
 +                        MM_FPD_CRF, MM_FPD_CRF_SIZE);
 +    versal_unimp_area(s, "iou-scntr", &s->mr_ps,
 +                        MM_IOU_SCNTR, MM_IOU_SCNTR_SIZE);
 +    versal_unimp_area(s, "iou-scntr-seucre", &s->mr_ps,
 +                        MM_IOU_SCNTRS, MM_IOU_SCNTRS_SIZE);
 +}
 +
 +static void versal_realize(DeviceState *dev, Error **errp)
 +{
 +    Versal *s = XLNX_VERSAL(dev);
 +    qemu_irq pic[XLNX_VERSAL_NR_IRQS];
 +
 +    versal_create_apu_cpus(s);
 +    versal_create_apu_gic(s, pic);
 +    versal_create_uarts(s, pic);
 +    versal_create_gems(s, pic);
 +    versal_map_ddr(s);
 +    versal_unimp(s);
 +
 +    /* Create the On Chip Memory (OCM).  */
 +    memory_region_init_ram(&s->lpd.mr_ocm, OBJECT(s), "ocm",
 +                           MM_OCM_SIZE, &error_fatal);
 +
 +    memory_region_add_subregion_overlap(&s->mr_ps, MM_OCM, &s->lpd.mr_ocm, 0);
 +    memory_region_add_subregion_overlap(&s->fpd.apu.mr, 0, &s->mr_ps, 0);
 +}
 +
 +static void versal_init(Object *obj)
 +{
 +    Versal *s = XLNX_VERSAL(obj);
 +
 +    memory_region_init(&s->fpd.apu.mr, obj, "mr-apu", UINT64_MAX);
 +    memory_region_init(&s->mr_ps, obj, "mr-ps-switch", UINT64_MAX);
 +}
 +
 +static Property versal_properties[] = {
 +    DEFINE_PROP_LINK("ddr", Versal, cfg.mr_ddr, TYPE_MEMORY_REGION,
 +                     MemoryRegion *),
 +    DEFINE_PROP_UINT32("psci-conduit", Versal, cfg.psci_conduit, 0),
 +    DEFINE_PROP_END_OF_LIST()
 +};
 +
 +static void versal_class_init(ObjectClass *klass, void *data)
 +{
 +    DeviceClass *dc = DEVICE_CLASS(klass);
 +
 +    dc->realize = versal_realize;
 +    dc->props = versal_properties;
 +    /* No VMSD since we haven't got any top-level SoC state to save.  */
 +}
 +
 +static const TypeInfo versal_info = {
 +    .name = TYPE_XLNX_VERSAL,
 +    .parent = TYPE_SYS_BUS_DEVICE,
 +    .instance_size = sizeof(Versal),
 +    .instance_init = versal_init,
 +    .class_init = versal_class_init,
 +};
 +
 +static void versal_register_types(void)
 +{
 +    type_register_static(&versal_info);
 +}
 +
 +type_init(versal_register_types);
 diff --git a/default-configs/aarch64-softmmu.mak b/default-configs/aarch64-softmmu.mak
 index XXXXXXX..XXXXXXX 100644
 --- a/default-configs/aarch64-softmmu.mak
 +++ b/default-configs/aarch64-softmmu.mak
@@ -XXX,XX +XXX,XX @@ CONFIG_DDC=y
  CONFIG_DPCD=y
  CONFIG_XLNX_ZYNQMP=y
  CONFIG_XLNX_ZYNQMP_ARM=y
 +CONFIG_XLNX_VERSAL=y
  CONFIG_ARM_SMMUV3=y
 --
-.19.1
+.20.1

-New patch
+[Qemu-devel] [PULL 04/10] hw/ssi/xilinx_spips: Avoid out-of-bound access to lqspi_buf[]
+From: Philippe Mathieu-Daudé <philmd@redhat.com>
+Both lqspi_read() and lqspi_load_cache() expect a 32-bit
+aligned address.
+>From UG1085 datasheet [*] chapter on 'Quad-SPI Controller':
+  Transfer Size Limitations
+    Because of the 32-bit wide TX, RX, and generic FIFO, all
+    APB/AXI transfers must be an integer multiple of 4-bytes.
+    Shorter transfers are not possible.
+Set MemoryRegionOps.impl values to force 32-bit accesses,
+this way we are sure we do not access the lqspi_buf[] array
+out of bound.
+[*] https://www.xilinx.com/support/documentation/user_guides/ug1085-zynq-ultrascale-trm.pdf
+Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
+Tested-by: Francisco Iglesias <frasse.iglesias@gmail.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ hw/ssi/xilinx_spips.c | 4 ++++
+file changed, 4 insertions(+)
+diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/ssi/xilinx_spips.c
++++ b/hw/ssi/xilinx_spips.c
+@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps lqspi_ops = {
+     .read_with_attrs = lqspi_read,
+     .write_with_attrs = lqspi_write,
+     .endianness = DEVICE_NATIVE_ENDIAN,
++    .impl = {
++        .min_access_size = 4,
++        .max_access_size = 4,
++    },
+     .valid = {
+         .min_access_size = 1,
+         .max_access_size = 4
+--
+.20.1

-[Qemu-devel] [PULL 6/6] tests/boot-serial-test: Add microbit board testcase
+[Qemu-devel] [PULL 05/10] hw/ssi/mss-spi: Avoid crash when reading empty RX FIFO
-From: Julia Suvorova via Qemu-devel <qemu-devel@nongnu.org>
+From: Philippe Mathieu-Daudé <philmd@redhat.com>
-New mini-kernel test for nRF51 SoC UART.
+Reading the RX_DATA register when the RX_FIFO is empty triggers
 an abort. This can be easily reproduced:
-Signed-off-by: Julia Suvorova <jusual@mail.ru>
+  $ qemu-system-arm -M emcraft-sf2 -monitor stdio -S
-Acked-by: Thomas Huth <thuth@redhat.com>
+  QEMU 4.0.50 monitor - type 'help' for more information
-Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+  (qemu) x 0x40001010
   Aborted (core dumped)
   (gdb) bt
   #1  0x00007f035874f895 in abort () at /lib64/libc.so.6
   #2  0x00005628686591ff in fifo8_pop (fifo=0x56286a9a4c68) at util/fifo8.c:66
   #3  0x00005628683e0b8e in fifo32_pop (fifo=0x56286a9a4c68) at include/qemu/fifo32.h:137
   #4  0x00005628683e0efb in spi_read (opaque=0x56286a9a4850, addr=4, size=4) at hw/ssi/mss-spi.c:168
   #5  0x0000562867f96801 in memory_region_read_accessor (mr=0x56286a9a4b60, addr=16, value=0x7ffeecb0c5c8, size=4, shift=0, mask=4294967295, attrs=...) at memory.c:439
   #6  0x0000562867f96cdb in access_with_adjusted_size (addr=16, value=0x7ffeecb0c5c8, size=4, access_size_min=1, access_size_max=4, access_fn=0x562867f967c3 <memory_region_read_accessor>, mr=0x56286a9a4b60, attrs=...) at memory.c:569
   #7  0x0000562867f99940 in memory_region_dispatch_read1 (mr=0x56286a9a4b60, addr=16, pval=0x7ffeecb0c5c8, size=4, attrs=...) at memory.c:1420
   #8  0x0000562867f99a08 in memory_region_dispatch_read (mr=0x56286a9a4b60, addr=16, pval=0x7ffeecb0c5c8, size=4, attrs=...) at memory.c:1447
   #9  0x0000562867f38721 in flatview_read_continue (fv=0x56286aec6360, addr=1073745936, attrs=..., buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4, addr1=16, l=4, mr=0x56286a9a4b60) at exec.c:3385
   #10 0x0000562867f38874 in flatview_read (fv=0x56286aec6360, addr=1073745936, attrs=..., buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4) at exec.c:3423
   #11 0x0000562867f388ea in address_space_read_full (as=0x56286aa3e890, addr=1073745936, attrs=..., buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4) at exec.c:3436
   #12 0x0000562867f389c5 in address_space_rw (as=0x56286aa3e890, addr=1073745936, attrs=..., buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4, is_write=false) at exec.c:3466
   #13 0x0000562867f3bdd7 in cpu_memory_rw_debug (cpu=0x56286aa19d00, addr=1073745936, buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4, is_write=0) at exec.c:3976
   #14 0x000056286811ed51 in memory_dump (mon=0x56286a8c32d0, count=1, format=120, wsize=4, addr=1073745936, is_physical=0) at monitor/misc.c:730
   #15 0x000056286811eff1 in hmp_memory_dump (mon=0x56286a8c32d0, qdict=0x56286b15c400) at monitor/misc.c:785
   #16 0x00005628684740ee in handle_hmp_command (mon=0x56286a8c32d0, cmdline=0x56286a8caeb2 "0x40001010") at monitor/hmp.c:1082
 From the datasheet "Actel SmartFusion Microcontroller Subsystem
 User's Guide" Rev.1, Table 13-3 "SPI Register Summary", this
 register has a reset value of 0.
 Check the FIFO is not empty before accessing it, else log an
 error message.
 Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
 Message-id: 20190709113715.7761-3-philmd@redhat.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- tests/boot-serial-test.c | 19 +++++++++++++++++++
+ hw/ssi/mss-spi.c | 8 +++++++-
-file changed, 19 insertions(+)
+file changed, 7 insertions(+), 1 deletion(-)
-diff --git a/tests/boot-serial-test.c b/tests/boot-serial-test.c
+diff --git a/hw/ssi/mss-spi.c b/hw/ssi/mss-spi.c
 index XXXXXXX..XXXXXXX 100644
---- a/tests/boot-serial-test.c
+--- a/hw/ssi/mss-spi.c
-+++ b/tests/boot-serial-test.c
++++ b/hw/ssi/mss-spi.c
-@@ -XXX,XX +XXX,XX @@ static const uint8_t kernel_aarch64[] = {
+@@ -XXX,XX +XXX,XX @@ spi_read(void *opaque, hwaddr addr, unsigned int size)
-xfd, 0xff, 0xff, 0x17,                 /* b       -12 (loop) */
+     case R_SPI_RX:
- };
+         s->regs[R_SPI_STATUS] &= ~S_RXFIFOFUL;
+         s->regs[R_SPI_STATUS] &= ~S_RXCHOVRF;
-+static const uint8_t kernel_nrf51[] = {
+-        ret = fifo32_pop(&s->rx_fifo);
-+    0x00, 0x00, 0x00, 0x00,                 /* Stack top address */
++        if (fifo32_is_empty(&s->rx_fifo)) {
-+    0x09, 0x00, 0x00, 0x00,                 /* Reset handler address */
++            qemu_log_mask(LOG_GUEST_ERROR,
-+    0x04, 0x4a,                             /* ldr  r2, [pc, #16] Get ENABLE */
++                          "%s: Reading empty RX_FIFO\n",
-+    0x04, 0x21,                             /* movs r1, #4 */
++                          __func__);
-+    0x11, 0x60,                             /* str  r1, [r2] */
++        } else {
-+    0x04, 0x4a,                             /* ldr  r2, [pc, #16] Get STARTTX */
++            ret = fifo32_pop(&s->rx_fifo);
-+    0x01, 0x21,                             /* movs r1, #1 */
++        }
-+    0x11, 0x60,                             /* str  r1, [r2] */
+         if (fifo32_is_empty(&s->rx_fifo)) {
-+    0x03, 0x4a,                             /* ldr  r2, [pc, #12] Get TXD */
+             s->regs[R_SPI_STATUS] |= S_RXFIFOEMP;
-+    0x54, 0x21,                             /* movs r1, 'T' */
+         }
 +    0x11, 0x60,                             /* str  r1, [r2] */
 +    0xfe, 0xe7,                             /* b    . */
 +    0x00, 0x25, 0x00, 0x40,                 /* 0x40002500 = UART ENABLE */
 +    0x08, 0x20, 0x00, 0x40,                 /* 0x40002008 = UART STARTTX */
 +    0x1c, 0x25, 0x00, 0x40                  /* 0x4000251c = UART TXD */
 +};
 +
  typedef struct testdef {
      const char *arch;       /* Target architecture */
      const char *machine;    /* Name of the machine */
@@ -XXX,XX +XXX,XX @@ static testdef_t tests[] = {
      { "hppa", "hppa", "", "SeaBIOS wants SYSTEM HALT" },
      { "aarch64", "virt", "-cpu cortex-a57", "TT", sizeof(kernel_aarch64),
        kernel_aarch64 },
 +    { "arm", "microbit", "", "T", sizeof(kernel_nrf51), kernel_nrf51 },
      { NULL }
  };
 --
-.19.1
+.20.1

-[Qemu-devel] [PULL 5/6] hw/arm/nrf51_soc: Connect UART to nRF51 SoC
+[Qemu-devel] [PULL 06/10] hw/display/xlnx_dp: Avoid crash when reading empty RX FIFO
-From: Julia Suvorova via Qemu-devel <qemu-devel@nongnu.org>
+From: Philippe Mathieu-Daudé <philmd@redhat.com>
-Wire up nRF51 UART in the corresponding SoC.
+In the previous commit we fixed a crash when the guest read a
 register that pop from an empty FIFO.
 By auditing the repository, we found another similar use with
 an easy way to reproduce:
-Signed-off-by: Julia Suvorova <jusual@mail.ru>
+  $ qemu-system-aarch64 -M xlnx-zcu102 -monitor stdio -S
-Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+  QEMU 4.0.50 monitor - type 'help' for more information
   (qemu) xp/b 0xfd4a0134
   Aborted (core dumped)
   (gdb) bt
   #0  0x00007f6936dea57f in raise () at /lib64/libc.so.6
   #1  0x00007f6936dd4895 in abort () at /lib64/libc.so.6
   #2  0x0000561ad32975ec in xlnx_dp_aux_pop_rx_fifo (s=0x7f692babee70) at hw/display/xlnx_dp.c:431
   #3  0x0000561ad3297dc0 in xlnx_dp_read (opaque=0x7f692babee70, offset=77, size=4) at hw/display/xlnx_dp.c:667
   #4  0x0000561ad321b896 in memory_region_read_accessor (mr=0x7f692babf620, addr=308, value=0x7ffe05c1db88, size=4, shift=0, mask=4294967295, attrs=...) at memory.c:439
   #5  0x0000561ad321bd70 in access_with_adjusted_size (addr=308, value=0x7ffe05c1db88, size=1, access_size_min=4, access_size_max=4, access_fn=0x561ad321b858 <memory_region_read_accessor>, mr=0x7f692babf620, attrs=...) at memory.c:569
   #6  0x0000561ad321e9d5 in memory_region_dispatch_read1 (mr=0x7f692babf620, addr=308, pval=0x7ffe05c1db88, size=1, attrs=...) at memory.c:1420
   #7  0x0000561ad321ea9d in memory_region_dispatch_read (mr=0x7f692babf620, addr=308, pval=0x7ffe05c1db88, size=1, attrs=...) at memory.c:1447
   #8  0x0000561ad31bd742 in flatview_read_continue (fv=0x561ad69c04f0, addr=4249485620, attrs=..., buf=0x7ffe05c1dcf0 "\020\335\301\005\376\177", len=1, addr1=308, l=1, mr=0x7f692babf620) at exec.c:3385
   #9  0x0000561ad31bd895 in flatview_read (fv=0x561ad69c04f0, addr=4249485620, attrs=..., buf=0x7ffe05c1dcf0 "\020\335\301\005\376\177", len=1) at exec.c:3423
   #10 0x0000561ad31bd90b in address_space_read_full (as=0x561ad5bb3020, addr=4249485620, attrs=..., buf=0x7ffe05c1dcf0 "\020\335\301\005\376\177", len=1) at exec.c:3436
   #11 0x0000561ad33b1c42 in address_space_read (len=1, buf=0x7ffe05c1dcf0 "\020\335\301\005\376\177", attrs=..., addr=4249485620, as=0x561ad5bb3020) at include/exec/memory.h:2131
   #12 0x0000561ad33b1c42 in memory_dump (mon=0x561ad59c4530, count=1, format=120, wsize=1, addr=4249485620, is_physical=1) at monitor/misc.c:723
   #13 0x0000561ad33b1fc1 in hmp_physical_memory_dump (mon=0x561ad59c4530, qdict=0x561ad6c6fd00) at monitor/misc.c:795
   #14 0x0000561ad37b4a9f in handle_hmp_command (mon=0x561ad59c4530, cmdline=0x561ad59d0f22 "/b 0x00000000fd4a0134") at monitor/hmp.c:1082
 Fix by checking the FIFO is not empty before popping from it.
 The datasheet is not clear about the reset value of this register,
 we choose to return '0'.
 Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20190709113715.7761-4-philmd@redhat.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- include/hw/arm/nrf51_soc.h |  3 +++
+ hw/display/xlnx_dp.c | 15 +++++++++++----
- hw/arm/microbit.c          |  2 ++
+file changed, 11 insertions(+), 4 deletions(-)
  hw/arm/nrf51_soc.c         | 20 ++++++++++++++++++++
 files changed, 25 insertions(+)
-diff --git a/include/hw/arm/nrf51_soc.h b/include/hw/arm/nrf51_soc.h
+diff --git a/hw/display/xlnx_dp.c b/hw/display/xlnx_dp.c
 index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/nrf51_soc.h
+--- a/hw/display/xlnx_dp.c
-+++ b/include/hw/arm/nrf51_soc.h
++++ b/hw/display/xlnx_dp.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ static uint8_t xlnx_dp_aux_pop_rx_fifo(XlnxDPState *s)
+     uint8_t ret;
- #include "hw/sysbus.h"
- #include "hw/arm/armv7m.h"
+     if (fifo8_is_empty(&s->rx_fifo)) {
-+#include "hw/char/nrf51_uart.h"
+-        DPRINTF("rx_fifo underflow..\n");
+-        abort();
- #define TYPE_NRF51_SOC "nrf51-soc"
++        qemu_log_mask(LOG_GUEST_ERROR,
- #define NRF51_SOC(obj) \
++                      "%s: Reading empty RX_FIFO\n",
-@@ -XXX,XX +XXX,XX @@ typedef struct NRF51State {
++                      __func__);
-     /*< public >*/
++        /*
-     ARMv7MState cpu;
++         * The datasheet is not clear about the reset value, it seems
++         * to be unspecified. We choose to return '0'.
-+    NRF51UARTState uart;
++         */
-+
++        ret = 0;
-     MemoryRegion iomem;
++    } else {
-     MemoryRegion sram;
++        ret = fifo8_pop(&s->rx_fifo);
-     MemoryRegion flash;
++        DPRINTF("pop 0x%" PRIX8 " from rx_fifo.\n", ret);
 diff --git a/hw/arm/microbit.c b/hw/arm/microbit.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/microbit.c
 +++ b/hw/arm/microbit.c
@@ -XXX,XX +XXX,XX @@
  #include "qapi/error.h"
  #include "hw/boards.h"
  #include "hw/arm/arm.h"
 +#include "sysemu/sysemu.h"
  #include "exec/address-spaces.h"
  #include "hw/arm/nrf51_soc.h"
@@ -XXX,XX +XXX,XX @@ static void microbit_init(MachineState *machine)
      sysbus_init_child_obj(OBJECT(machine), "nrf51", soc, sizeof(s->nrf51),
                            TYPE_NRF51_SOC);
 +    qdev_prop_set_chr(DEVICE(&s->nrf51), "serial0", serial_hd(0));
      object_property_set_link(soc, OBJECT(system_memory), "memory",
                               &error_fatal);
      object_property_set_bool(soc, true, "realized", &error_fatal);
 diff --git a/hw/arm/nrf51_soc.c b/hw/arm/nrf51_soc.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/nrf51_soc.c
 +++ b/hw/arm/nrf51_soc.c
@@ -XXX,XX +XXX,XX @@
  #define NRF51822_FLASH_SIZE     (256 * 1024)
  #define NRF51822_SRAM_SIZE      (16 * 1024)
 +#define BASE_TO_IRQ(base) ((base >> 12) & 0x1F)
 +
  static void nrf51_soc_realize(DeviceState *dev_soc, Error **errp)
  {
      NRF51State *s = NRF51_SOC(dev_soc);
 +    MemoryRegion *mr;
      Error *err = NULL;
      if (!s->board_memory) {
@@ -XXX,XX +XXX,XX @@ static void nrf51_soc_realize(DeviceState *dev_soc, Error **errp)
      }
-     memory_region_add_subregion(&s->container, SRAM_BASE, &s->sram);
+-    ret = fifo8_pop(&s->rx_fifo);
+-    DPRINTF("pop 0x%" PRIX8 " from rx_fifo.\n", ret);
-+    /* UART */
+     return ret;
 +    object_property_set_bool(OBJECT(&s->uart), true, "realized", &err);
 +    if (err) {
 +        error_propagate(errp, err);
 +        return;
 +    }
 +    mr = sysbus_mmio_get_region(SYS_BUS_DEVICE(&s->uart), 0);
 +    memory_region_add_subregion_overlap(&s->container, UART_BASE, mr, 0);
 +    sysbus_connect_irq(SYS_BUS_DEVICE(&s->uart), 0,
 +                       qdev_get_gpio_in(DEVICE(&s->cpu),
 +                       BASE_TO_IRQ(UART_BASE)));
 +
      create_unimplemented_device("nrf51_soc.io", IOMEM_BASE, IOMEM_SIZE);
      create_unimplemented_device("nrf51_soc.ficr", FICR_BASE, FICR_SIZE);
      create_unimplemented_device("nrf51_soc.private",
@@ -XXX,XX +XXX,XX @@ static void nrf51_soc_init(Object *obj)
      qdev_prop_set_string(DEVICE(&s->cpu), "cpu-type",
                           ARM_CPU_TYPE_NAME("cortex-m0"));
      qdev_prop_set_uint32(DEVICE(&s->cpu), "num-irq", 32);
 +
 +    sysbus_init_child_obj(obj, "uart", &s->uart, sizeof(s->uart),
 +                           TYPE_NRF51_UART);
 +    object_property_add_alias(obj, "serial0", OBJECT(&s->uart), "chardev",
 +                              &error_abort);
  }
- static Property nrf51_soc_properties[] = {
 --
-.19.1
+.20.1

-[Qemu-devel] [PULL 1/6] hw/arm/virt: Set VIRT_COMPAT_3_0 compat
+[Qemu-devel] [PULL 07/10] hw/arm/virt: Fix non-secure flash mode
-From: Eric Auger <eric.auger@redhat.com>
+From: David Engraf <david.engraf@sysgo.com>
-We are missing the VIRT_COMPAT_3_0 definition and setting.
+Using the whole 128 MiB flash in non-secure mode is not working because
-Let's add them.
+virt_flash_fdt() expects the same address for secure_sysmem and sysmem.
 This is not correctly handled by caller because it forwards NULL for
 secure_sysmem in non-secure flash mode.
-Signed-off-by: Eric Auger <eric.auger@redhat.com>
+Fixed by using sysmem when secure_sysmem is NULL.
-Reviewed-by: Andrew Jones <drjones@redhat.com>
-Message-id: 20181024085602.16611-1-eric.auger@redhat.com
+Signed-off-by: David Engraf <david.engraf@sysgo.com>
 Message-id: 20190712075002.14326-1-david.engraf@sysgo.com
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/virt.c | 4 ++++
+ hw/arm/virt.c | 2 +-
-file changed, 4 insertions(+)
+file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/hw/arm/virt.c b/hw/arm/virt.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/virt.c
 +++ b/hw/arm/virt.c
-@@ -XXX,XX +XXX,XX @@ static void virt_machine_3_1_options(MachineClass *mc)
+@@ -XXX,XX +XXX,XX @@ static void machvirt_init(MachineState *machine)
- }
+                                     &machine->device_memory->mr);
- DEFINE_VIRT_MACHINE_AS_LATEST(3, 1)
+     }
-+#define VIRT_COMPAT_3_0 \
+-    virt_flash_fdt(vms, sysmem, secure_sysmem);
-+    HW_COMPAT_3_0
++    virt_flash_fdt(vms, sysmem, secure_sysmem ?: sysmem);
-+
- static void virt_3_0_instance_init(Object *obj)
+     create_gic(vms, pic);
  {
      virt_3_1_instance_init(obj);
@@ -XXX,XX +XXX,XX @@ static void virt_3_0_instance_init(Object *obj)
  static void virt_machine_3_0_options(MachineClass *mc)
  {
      virt_machine_3_1_options(mc);
 +    SET_MACHINE_COMPAT(mc, VIRT_COMPAT_3_0);
  }
  DEFINE_VIRT_MACHINE(3, 0)
 --
-.19.1
+.20.1

-[Qemu-devel] [PULL 4/6] hw/char: Implement nRF51 SoC UART
+[Qemu-devel] [PULL 08/10] pl031: Correctly migrate state when using -rtc clock=host
-From: Julia Suvorova via Qemu-devel <qemu-devel@nongnu.org>
+The PL031 RTC tracks the difference between the guest RTC
+and the host RTC using a tick_offset field. For migration,
-Not implemented: CTS/NCTS, PSEL*.
+however, we currently always migrate the offset between
+the guest and the vm_clock, even if the RTC clock is not
-Signed-off-by: Julia Suvorova <jusual@mail.ru>
+the same as the vm_clock; this was an attempt to retain
-Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+migration backwards compatibility.
 Unfortunately this results in the RTC behaving oddly across
 a VM state save and restore -- since the VM clock stands still
 across save-then-restore, regardless of how much real world
 time has elapsed, the guest RTC ends up out of sync with the
 host RTC in the restored VM.
 Fix this by migrating the raw tick_offset. To retain migration
 compatibility as far as possible, we have a new property
 migrate-tick-offset; by default this is 'true' and we will
 migrate the true tick offset in a new subsection; if the
 incoming data has no subsection we fall back to the old
 vm_clock-based offset information, so old->new migration
 compatibility is preserved. For complete new->old migration
 compatibility, the property is set to 'false' for 4.0 and
 earlier machine types (this will only affect 'virt-4.0'
 and below, as none of the other pl031-using machines are
 versioned).
 Reported-by: Russell King <rmk@armlinux.org.uk>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Message-id: 20190709143912.28905-1-peter.maydell@linaro.org
 ---
- hw/char/Makefile.objs        |   1 +
+ include/hw/timer/pl031.h |  2 +
- include/hw/char/nrf51_uart.h |  78 +++++++++
+ hw/core/machine.c        |  1 +
- hw/char/nrf51_uart.c         | 330 +++++++++++++++++++++++++++++++++++
+ hw/timer/pl031.c         | 92 ++++++++++++++++++++++++++++++++++++++--
- hw/char/trace-events         |   4 +
+files changed, 91 insertions(+), 4 deletions(-)
-files changed, 413 insertions(+)
- create mode 100644 include/hw/char/nrf51_uart.h
+diff --git a/include/hw/timer/pl031.h b/include/hw/timer/pl031.h
  create mode 100644 hw/char/nrf51_uart.c
 diff --git a/hw/char/Makefile.objs b/hw/char/Makefile.objs
 index XXXXXXX..XXXXXXX 100644
---- a/hw/char/Makefile.objs
+--- a/include/hw/timer/pl031.h
-+++ b/hw/char/Makefile.objs
++++ b/include/hw/timer/pl031.h
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ typedef struct PL031State {
- common-obj-$(CONFIG_IPACK) += ipoctal232.o
+      */
- common-obj-$(CONFIG_ESCC) += escc.o
+     uint32_t tick_offset_vmstate;
-+common-obj-$(CONFIG_NRF51_SOC) += nrf51_uart.o
+     uint32_t tick_offset;
- common-obj-$(CONFIG_PARALLEL) += parallel.o
++    bool tick_offset_migrated;
- common-obj-$(CONFIG_PARALLEL) += parallel-isa.o
++    bool migrate_tick_offset;
- common-obj-$(CONFIG_PL011) += pl011.o
-diff --git a/include/hw/char/nrf51_uart.h b/include/hw/char/nrf51_uart.h
+     uint32_t mr;
-new file mode 100644
+     uint32_t lr;
-index XXXXXXX..XXXXXXX
+diff --git a/hw/core/machine.c b/hw/core/machine.c
---- /dev/null
+index XXXXXXX..XXXXXXX 100644
-+++ b/include/hw/char/nrf51_uart.h
+--- a/hw/core/machine.c
-@@ -XXX,XX +XXX,XX @@
++++ b/hw/core/machine.c
-+/*
+@@ -XXX,XX +XXX,XX @@ GlobalProperty hw_compat_4_0[] = {
-+ * nRF51 SoC UART emulation
+     { "virtio-gpu-pci", "edid", "false" },
-+ *
+     { "virtio-device", "use-started", "false" },
-+ * Copyright (c) 2018 Julia Suvorova <jusual@mail.ru>
+     { "virtio-balloon-device", "qemu-4-0-config-size", "true" },
-+ *
++    { "pl031", "migrate-tick-offset", "false" },
-+ * This program is free software; you can redistribute it and/or modify
+ };
-+ * it under the terms of the GNU General Public License version 2 or
+ const size_t hw_compat_4_0_len = G_N_ELEMENTS(hw_compat_4_0);
-+ * (at your option) any later version.
-+ */
+diff --git a/hw/timer/pl031.c b/hw/timer/pl031.c
-+
+index XXXXXXX..XXXXXXX 100644
-+#ifndef NRF51_UART_H
+--- a/hw/timer/pl031.c
-+#define NRF51_UART_H
++++ b/hw/timer/pl031.c
-+
+@@ -XXX,XX +XXX,XX @@ static int pl031_pre_save(void *opaque)
-+#include "hw/sysbus.h"
+ {
-+#include "chardev/char-fe.h"
+     PL031State *s = opaque;
-+#include "hw/registerfields.h"
-+
+-    /* tick_offset is base_time - rtc_clock base time.  Instead, we want to
-+#define UART_FIFO_LENGTH 6
+-     * store the base time relative to the QEMU_CLOCK_VIRTUAL for backwards-compatibility.  */
-+#define UART_BASE 0x40002000
++    /*
-+#define UART_SIZE 0x1000
++     * The PL031 device model code uses the tick_offset field, which is
-+
++     * the offset between what the guest RTC should read and what the
-+#define TYPE_NRF51_UART "nrf51_soc.uart"
++     * QEMU rtc_clock reads:
-+#define NRF51_UART(obj) OBJECT_CHECK(NRF51UARTState, (obj), TYPE_NRF51_UART)
++     *  guest_rtc = rtc_clock + tick_offset
-+
++     * and so
-+REG32(UART_STARTRX, 0x000)
++     *  tick_offset = guest_rtc - rtc_clock
-+REG32(UART_STOPRX, 0x004)
++     *
-+REG32(UART_STARTTX, 0x008)
++     * We want to migrate this offset, which sounds straightforward.
-+REG32(UART_STOPTX, 0x00C)
++     * Unfortunately older versions of QEMU migrated a conversion of this
-+REG32(UART_SUSPEND, 0x01C)
++     * offset into an offset from the vm_clock. (This was in turn an
-+
++     * attempt to be compatible with even older QEMU versions, but it
-+REG32(UART_CTS, 0x100)
++     * has incorrect behaviour if the rtc_clock is not the same as the
-+REG32(UART_NCTS, 0x104)
++     * vm_clock.) So we put the actual tick_offset into a migration
-+REG32(UART_RXDRDY, 0x108)
++     * subsection, and the backwards-compatible time-relative-to-vm_clock
-+REG32(UART_TXDRDY, 0x11C)
++     * in the main migration state.
-+REG32(UART_ERROR, 0x124)
++     *
-+REG32(UART_RXTO, 0x144)
++     * Calculate base time relative to QEMU_CLOCK_VIRTUAL:
-+
++     */
-+REG32(UART_INTEN, 0x300)
+     int64_t delta = qemu_clock_get_ns(rtc_clock) - qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
-+    FIELD(UART_INTEN, CTS, 0, 1)
+     s->tick_offset_vmstate = s->tick_offset + delta / NANOSECONDS_PER_SECOND;
-+    FIELD(UART_INTEN, NCTS, 1, 1)
-+    FIELD(UART_INTEN, RXDRDY, 2, 1)
+     return 0;
-+    FIELD(UART_INTEN, TXDRDY, 7, 1)
+ }
-+    FIELD(UART_INTEN, ERROR, 9, 1)
-+    FIELD(UART_INTEN, RXTO, 17, 1)
++static int pl031_pre_load(void *opaque)
 +REG32(UART_INTENSET, 0x304)
 +REG32(UART_INTENCLR, 0x308)
 +REG32(UART_ERRORSRC, 0x480)
 +REG32(UART_ENABLE, 0x500)
 +REG32(UART_PSELRTS, 0x508)
 +REG32(UART_PSELTXD, 0x50C)
 +REG32(UART_PSELCTS, 0x510)
 +REG32(UART_PSELRXD, 0x514)
 +REG32(UART_RXD, 0x518)
 +REG32(UART_TXD, 0x51C)
 +REG32(UART_BAUDRATE, 0x524)
 +REG32(UART_CONFIG, 0x56C)
 +
 +typedef struct NRF51UARTState {
 +    SysBusDevice parent_obj;
 +
 +    MemoryRegion iomem;
 +    CharBackend chr;
 +    qemu_irq irq;
 +    guint watch_tag;
 +
 +    uint8_t rx_fifo[UART_FIFO_LENGTH];
 +    unsigned int rx_fifo_pos;
 +    unsigned int rx_fifo_len;
 +
 +    uint32_t reg[0x56C];
 +
 +    bool rx_started;
 +    bool tx_started;
 +    bool pending_tx_byte;
 +    bool enabled;
 +} NRF51UARTState;
 +
 +#endif
 diff --git a/hw/char/nrf51_uart.c b/hw/char/nrf51_uart.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/hw/char/nrf51_uart.c
@@ -XXX,XX +XXX,XX @@
 +/*
 + * nRF51 SoC UART emulation
 + *
 + * See nRF51 Series Reference Manual, "29 Universal Asynchronous
 + * Receiver/Transmitter" for hardware specifications:
 + * http://infocenter.nordicsemi.com/pdf/nRF51_RM_v3.0.pdf
 + *
 + * Copyright (c) 2018 Julia Suvorova <jusual@mail.ru>
 + *
 + * This program is free software; you can redistribute it and/or modify
 + * it under the terms of the GNU General Public License version 2 or
 + * (at your option) any later version.
 + */
 +
 +#include "qemu/osdep.h"
 +#include "qemu/log.h"
 +#include "hw/char/nrf51_uart.h"
 +#include "trace.h"
 +
 +static void nrf51_uart_update_irq(NRF51UARTState *s)
 +{
-+    bool irq = false;
++    PL031State *s = opaque;
 +
-+    irq |= (s->reg[R_UART_RXDRDY] &&
++    s->tick_offset_migrated = false;
 +            (s->reg[R_UART_INTEN] & R_UART_INTEN_RXDRDY_MASK));
 +    irq |= (s->reg[R_UART_TXDRDY] &&
 +            (s->reg[R_UART_INTEN] & R_UART_INTEN_TXDRDY_MASK));
 +    irq |= (s->reg[R_UART_ERROR]  &&
 +            (s->reg[R_UART_INTEN] & R_UART_INTEN_ERROR_MASK));
 +    irq |= (s->reg[R_UART_RXTO]   &&
 +            (s->reg[R_UART_INTEN] & R_UART_INTEN_RXTO_MASK));
 +
 +    qemu_set_irq(s->irq, irq);
 +}
 +
 +static uint64_t uart_read(void *opaque, hwaddr addr, unsigned int size)
 +{
 +    NRF51UARTState *s = NRF51_UART(opaque);
 +    uint64_t r;
 +
 +    if (!s->enabled) {
 +        return 0;
 +    }
 +
 +    switch (addr) {
 +    case A_UART_RXD:
 +        r = s->rx_fifo[s->rx_fifo_pos];
 +        if (s->rx_started && s->rx_fifo_len) {
 +            s->rx_fifo_pos = (s->rx_fifo_pos + 1) % UART_FIFO_LENGTH;
 +            s->rx_fifo_len--;
 +            if (s->rx_fifo_len) {
 +                s->reg[R_UART_RXDRDY] = 1;
 +                nrf51_uart_update_irq(s);
 +            }
 +            qemu_chr_fe_accept_input(&s->chr);
 +        }
 +        break;
 +    case A_UART_INTENSET:
 +    case A_UART_INTENCLR:
 +    case A_UART_INTEN:
 +        r = s->reg[R_UART_INTEN];
 +        break;
 +    default:
 +        r = s->reg[addr / 4];
 +        break;
 +    }
 +
 +    trace_nrf51_uart_read(addr, r, size);
 +
 +    return r;
 +}
 +
 +static gboolean uart_transmit(GIOChannel *chan, GIOCondition cond, void *opaque)
 +{
 +    NRF51UARTState *s = NRF51_UART(opaque);
 +    int r;
 +    uint8_t c = s->reg[R_UART_TXD];
 +
 +    s->watch_tag = 0;
 +
 +    r = qemu_chr_fe_write(&s->chr, &c, 1);
 +    if (r <= 0) {
 +        s->watch_tag = qemu_chr_fe_add_watch(&s->chr, G_IO_OUT | G_IO_HUP,
 +                                             uart_transmit, s);
 +        if (!s->watch_tag) {
 +            /* The hardware has no transmit error reporting,
 +             * so silently drop the byte
 +             */
 +            goto buffer_drained;
 +        }
 +        return FALSE;
 +    }
 +
 +buffer_drained:
 +    s->reg[R_UART_TXDRDY] = 1;
 +    s->pending_tx_byte = false;
 +    return FALSE;
 +}
 +
 +static void uart_cancel_transmit(NRF51UARTState *s)
 +{
 +    if (s->watch_tag) {
 +        g_source_remove(s->watch_tag);
 +        s->watch_tag = 0;
 +    }
 +}
 +
 +static void uart_write(void *opaque, hwaddr addr,
 +                       uint64_t value, unsigned int size)
 +{
 +    NRF51UARTState *s = NRF51_UART(opaque);
 +
 +    trace_nrf51_uart_write(addr, value, size);
 +
 +    if (!s->enabled && (addr != A_UART_ENABLE)) {
 +        return;
 +    }
 +
 +    switch (addr) {
 +    case A_UART_TXD:
 +        if (!s->pending_tx_byte && s->tx_started) {
 +            s->reg[R_UART_TXD] = value;
 +            s->pending_tx_byte = true;
 +            uart_transmit(NULL, G_IO_OUT, s);
 +        }
 +        break;
 +    case A_UART_INTEN:
 +        s->reg[R_UART_INTEN] = value;
 +        break;
 +    case A_UART_INTENSET:
 +        s->reg[R_UART_INTEN] |= value;
 +        break;
 +    case A_UART_INTENCLR:
 +        s->reg[R_UART_INTEN] &= ~value;
 +        break;
 +    case A_UART_TXDRDY ... A_UART_RXTO:
 +        s->reg[addr / 4] = value;
 +        break;
 +    case A_UART_ERRORSRC:
 +        s->reg[addr / 4] &= ~value;
 +        break;
 +    case A_UART_RXD:
 +        break;
 +    case A_UART_RXDRDY:
 +        if (value == 0) {
 +            s->reg[R_UART_RXDRDY] = 0;
 +        }
 +        break;
 +    case A_UART_STARTTX:
 +        if (value == 1) {
 +            s->tx_started = true;
 +        }
 +        break;
 +    case A_UART_STARTRX:
 +        if (value == 1) {
 +            s->rx_started = true;
 +        }
 +        break;
 +    case A_UART_ENABLE:
 +        if (value) {
 +            if (value == 4) {
 +                s->enabled = true;
 +            }
 +            break;
 +        }
 +        s->enabled = false;
 +        value = 1;
 +        /* fall through */
 +    case A_UART_SUSPEND:
 +    case A_UART_STOPTX:
 +        if (value == 1) {
 +            s->tx_started = false;
 +        }
 +        /* fall through */
 +    case A_UART_STOPRX:
 +        if (addr != A_UART_STOPTX && value == 1) {
 +            s->rx_started = false;
 +            s->reg[R_UART_RXTO] = 1;
 +        }
 +        break;
 +    default:
 +        s->reg[addr / 4] = value;
 +        break;
 +    }
 +    nrf51_uart_update_irq(s);
 +}
 +
 +static const MemoryRegionOps uart_ops = {
 +    .read =  uart_read,
 +    .write = uart_write,
 +    .endianness = DEVICE_LITTLE_ENDIAN,
 +};
 +
 +static void nrf51_uart_reset(DeviceState *dev)
 +{
 +    NRF51UARTState *s = NRF51_UART(dev);
 +
 +    s->pending_tx_byte = 0;
 +
 +    uart_cancel_transmit(s);
 +
 +    memset(s->reg, 0, sizeof(s->reg));
 +
 +    s->reg[R_UART_PSELRTS] = 0xFFFFFFFF;
 +    s->reg[R_UART_PSELTXD] = 0xFFFFFFFF;
 +    s->reg[R_UART_PSELCTS] = 0xFFFFFFFF;
 +    s->reg[R_UART_PSELRXD] = 0xFFFFFFFF;
 +    s->reg[R_UART_BAUDRATE] = 0x4000000;
 +
 +    s->rx_fifo_len = 0;
 +    s->rx_fifo_pos = 0;
 +    s->rx_started = false;
 +    s->tx_started = false;
 +    s->enabled = false;
 +}
 +
 +static void uart_receive(void *opaque, const uint8_t *buf, int size)
 +{
 +
 +    NRF51UARTState *s = NRF51_UART(opaque);
 +    int i;
 +
 +    if (size == 0 || s->rx_fifo_len >= UART_FIFO_LENGTH) {
 +        return;
 +    }
 +
 +    for (i = 0; i < size; i++) {
 +        uint32_t pos = (s->rx_fifo_pos + s->rx_fifo_len) % UART_FIFO_LENGTH;
 +        s->rx_fifo[pos] = buf[i];
 +        s->rx_fifo_len++;
 +    }
 +
 +    s->reg[R_UART_RXDRDY] = 1;
 +    nrf51_uart_update_irq(s);
 +}
 +
 +static int uart_can_receive(void *opaque)
 +{
 +    NRF51UARTState *s = NRF51_UART(opaque);
 +
 +    return s->rx_started ? (UART_FIFO_LENGTH - s->rx_fifo_len) : 0;
 +}
 +
 +static void uart_event(void *opaque, int event)
 +{
 +    NRF51UARTState *s = NRF51_UART(opaque);
 +
 +    if (event == CHR_EVENT_BREAK) {
 +        s->reg[R_UART_ERRORSRC] |= 3;
 +        s->reg[R_UART_ERROR] = 1;
 +        nrf51_uart_update_irq(s);
 +    }
 +}
 +
 +static void nrf51_uart_realize(DeviceState *dev, Error **errp)
 +{
 +    NRF51UARTState *s = NRF51_UART(dev);
 +
 +    qemu_chr_fe_set_handlers(&s->chr, uart_can_receive, uart_receive,
 +                             uart_event, NULL, s, NULL, true);
 +}
 +
 +static void nrf51_uart_init(Object *obj)
 +{
 +    NRF51UARTState *s = NRF51_UART(obj);
 +    SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
 +
 +    memory_region_init_io(&s->iomem, obj, &uart_ops, s,
 +                          "nrf51_soc.uart", UART_SIZE);
 +    sysbus_init_mmio(sbd, &s->iomem);
 +    sysbus_init_irq(sbd, &s->irq);
 +}
 +
 +static int nrf51_uart_post_load(void *opaque, int version_id)
 +{
 +    NRF51UARTState *s = NRF51_UART(opaque);
 +
 +    if (s->pending_tx_byte) {
 +        s->watch_tag = qemu_chr_fe_add_watch(&s->chr, G_IO_OUT | G_IO_HUP,
 +                                             uart_transmit, s);
 +    }
 +
 +    return 0;
 +}
 +
-+static const VMStateDescription nrf51_uart_vmstate = {
+ static int pl031_post_load(void *opaque, int version_id)
-+    .name = "nrf51_soc.uart",
+ {
-+    .post_load = nrf51_uart_post_load,
+     PL031State *s = opaque;
 -    int64_t delta = qemu_clock_get_ns(rtc_clock) - qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
 -    s->tick_offset = s->tick_offset_vmstate - delta / NANOSECONDS_PER_SECOND;
 +    /*
 +     * If we got the tick_offset subsection, then we can just use
 +     * the value in that. Otherwise the source is an older QEMU and
 +     * has given us the offset from the vm_clock; convert it back to
 +     * an offset from the rtc_clock. This will cause time to incorrectly
 +     * go backwards compared to the host RTC, but this is unavoidable.
 +     */
 +
 +    if (!s->tick_offset_migrated) {
 +        int64_t delta = qemu_clock_get_ns(rtc_clock) -
 +            qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
 +        s->tick_offset = s->tick_offset_vmstate -
 +            delta / NANOSECONDS_PER_SECOND;
 +    }
      pl031_set_alarm(s);
      return 0;
  }
 +static int pl031_tick_offset_post_load(void *opaque, int version_id)
 +{
 +    PL031State *s = opaque;
 +
 +    s->tick_offset_migrated = true;
 +    return 0;
 +}
 +
 +static bool pl031_tick_offset_needed(void *opaque)
 +{
 +    PL031State *s = opaque;
 +
 +    return s->migrate_tick_offset;
 +}
 +
 +static const VMStateDescription vmstate_pl031_tick_offset = {
 +    .name = "pl031/tick-offset",
 +    .version_id = 1,
 +    .minimum_version_id = 1,
 +    .needed = pl031_tick_offset_needed,
 +    .post_load = pl031_tick_offset_post_load,
 +    .fields = (VMStateField[]) {
-+        VMSTATE_UINT32_ARRAY(reg, NRF51UARTState, 0x56C),
++        VMSTATE_UINT32(tick_offset, PL031State),
 +        VMSTATE_UINT8_ARRAY(rx_fifo, NRF51UARTState, UART_FIFO_LENGTH),
 +        VMSTATE_UINT32(rx_fifo_pos, NRF51UARTState),
 +        VMSTATE_UINT32(rx_fifo_len, NRF51UARTState),
 +        VMSTATE_BOOL(rx_started, NRF51UARTState),
 +        VMSTATE_BOOL(tx_started, NRF51UARTState),
 +        VMSTATE_BOOL(pending_tx_byte, NRF51UARTState),
 +        VMSTATE_BOOL(enabled, NRF51UARTState),
 +        VMSTATE_END_OF_LIST()
 +    }
 +};
 +
-+static Property nrf51_uart_properties[] = {
+ static const VMStateDescription vmstate_pl031 = {
-+    DEFINE_PROP_CHR("chardev", NRF51UARTState, chr),
+     .name = "pl031",
-+    DEFINE_PROP_END_OF_LIST(),
+     .version_id = 1,
      .minimum_version_id = 1,
      .pre_save = pl031_pre_save,
 +    .pre_load = pl031_pre_load,
      .post_load = pl031_post_load,
      .fields = (VMStateField[]) {
          VMSTATE_UINT32(tick_offset_vmstate, PL031State),
@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_pl031 = {
          VMSTATE_UINT32(im, PL031State),
          VMSTATE_UINT32(is, PL031State),
          VMSTATE_END_OF_LIST()
 +    },
 +    .subsections = (const VMStateDescription*[]) {
 +        &vmstate_pl031_tick_offset,
 +        NULL
      }
  };
 +static Property pl031_properties[] = {
 +    /*
 +     * True to correctly migrate the tick offset of the RTC. False to
 +     * obtain backward migration compatibility with older QEMU versions,
 +     * at the expense of the guest RTC going backwards compared with the
 +     * host RTC when the VM is saved/restored if using -rtc host.
 +     * (Even if set to 'true' older QEMU can migrate forward to newer QEMU;
 +     * 'false' also permits newer QEMU to migrate to older QEMU.)
 +     */
 +    DEFINE_PROP_BOOL("migrate-tick-offset",
 +                     PL031State, migrate_tick_offset, true),
 +    DEFINE_PROP_END_OF_LIST()
 +};
 +
-+static void nrf51_uart_class_init(ObjectClass *klass, void *data)
+ static void pl031_class_init(ObjectClass *klass, void *data)
-+{
+ {
-+    DeviceClass *dc = DEVICE_CLASS(klass);
+     DeviceClass *dc = DEVICE_CLASS(klass);
-+
-+    dc->reset = nrf51_uart_reset;
+     dc->vmsd = &vmstate_pl031;
-+    dc->realize = nrf51_uart_realize;
++    dc->props = pl031_properties;
-+    dc->props = nrf51_uart_properties;
+ }
-+    dc->vmsd = &nrf51_uart_vmstate;
-+}
+ static const TypeInfo pl031_info = {
 +
 +static const TypeInfo nrf51_uart_info = {
 +    .name = TYPE_NRF51_UART,
 +    .parent = TYPE_SYS_BUS_DEVICE,
 +    .instance_size = sizeof(NRF51UARTState),
 +    .instance_init = nrf51_uart_init,
 +    .class_init = nrf51_uart_class_init
 +};
 +
 +static void nrf51_uart_register_types(void)
 +{
 +    type_register_static(&nrf51_uart_info);
 +}
 +
 +type_init(nrf51_uart_register_types)
 diff --git a/hw/char/trace-events b/hw/char/trace-events
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/char/trace-events
 +++ b/hw/char/trace-events
@@ -XXX,XX +XXX,XX @@ cmsdk_apb_uart_receive(uint8_t c) "CMSDK APB UART: got character 0x%x from backe
  cmsdk_apb_uart_tx_pending(void) "CMSDK APB UART: character send to backend pending"
  cmsdk_apb_uart_tx(uint8_t c) "CMSDK APB UART: character 0x%x sent to backend"
  cmsdk_apb_uart_set_params(int speed) "CMSDK APB UART: params set to %d 8N1"
 +
 +# hw/char/nrf51_uart.c
 +nrf51_uart_read(uint64_t addr, uint64_t r, unsigned int size) "addr 0x%" PRIx64 " value 0x%" PRIx64 " size %u"
 +nrf51_uart_write(uint64_t addr, uint64_t value, unsigned int size) "addr 0x%" PRIx64 " value 0x%" PRIx64 " size %u"
 --
-.19.1
+.20.1

-New patch
+[Qemu-devel] [PULL 09/10] target/arm: Set VFP-related MVFR0 fields for arm926 and arm1026
+The ARMv5 architecture didn't specify detailed per-feature ID
+registers. Now that we're using the MVFR0 register fields to
+gate the existence of VFP instructions, we need to set up
+the correct values in the cpu->isar structure so that we still
+provide an FPU to the guest.
+This fixes a regression in the arm926 and arm1026 CPUs, which
+are the only ones that both have VFP and are ARMv5 or earlier.
+This regression was introduced by the VFP refactoring, and more
+specifically by commits 1120827fa182f0e76 and 266bd25c485597c,
+which accidentally disabled VFP short-vector support and
+double-precision support on these CPUs.
+Fixes: 1120827fa182f0e
+Fixes: 266bd25c485597c
+Fixes: https://bugs.launchpad.net/qemu/+bug/1836192
+Reported-by: Christophe Lyon <christophe.lyon@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Tested-by: Christophe Lyon <christophe.lyon@linaro.org>
+Message-id: 20190711131241.22231-1-peter.maydell@linaro.org
+---
+ target/arm/cpu.c | 12 ++++++++++++
+file changed, 12 insertions(+)
+diff --git a/target/arm/cpu.c b/target/arm/cpu.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/cpu.c
++++ b/target/arm/cpu.c
+@@ -XXX,XX +XXX,XX @@ static void arm926_initfn(Object *obj)
+      * set the field to indicate Jazelle support within QEMU.
+      */
+     cpu->isar.id_isar1 = FIELD_DP32(cpu->isar.id_isar1, ID_ISAR1, JAZELLE, 1);
++    /*
++     * Similarly, we need to set MVFR0 fields to enable double precision
++     * and short vector support even though ARMv5 doesn't have this register.
++     */
++    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPSHVEC, 1);
++    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPDP, 1);
+ }
+ static void arm946_initfn(Object *obj)
+@@ -XXX,XX +XXX,XX @@ static void arm1026_initfn(Object *obj)
+      * set the field to indicate Jazelle support within QEMU.
+      */
+     cpu->isar.id_isar1 = FIELD_DP32(cpu->isar.id_isar1, ID_ISAR1, JAZELLE, 1);
++    /*
++     * Similarly, we need to set MVFR0 fields to enable double precision
++     * and short vector support even though ARMv5 doesn't have this register.
++     */
++    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPSHVEC, 1);
++    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPDP, 1);
+     {
+         /* The 1026 had an IFAR at c6,c0,0,1 rather than the ARMv6 c6,c0,0,2 */
+--
+.20.1

-New patch
+[Qemu-devel] [PULL 10/10] target/arm: NS BusFault on vector table fetch escalates to NS HardFault
+In the M-profile architecture, when we do a vector table fetch and it
+fails, we need to report a HardFault.  Whether this is a Secure HF or
+a NonSecure HF depends on several things.  If AIRCR.BFHFNMINS is 0
+then HF is always Secure, because there is no NonSecure HardFault.
+Otherwise, the answer depends on whether the 'underlying exception'
+(MemManage, BusFault, SecureFault) targets Secure or NonSecure.  (In
+the pseudocode, this is handled in the Vector() function: the final
+exc.isSecure is calculated by looking at the exc.isSecure from the
+exception returned from the memory access, not the isSecure input
+argument.)
+We weren't doing this correctly, because we were looking at
+the target security domain of the exception we were trying to
+load the vector table entry for. This produces errors of two kinds:
+ * a load from the NS vector table which hits the "NS access
+   to S memory" SecureFault should end up as a Secure HardFault,
+   but we were raising an NS HardFault
+ * a load from the S vector table which causes a BusFault
+   should raise an NS HardFault if BFHFNMINS == 1 (because
+   in that case all BusFaults are NonSecure), but we were raising
+   a Secure HardFault
+Correct the logic.
+We also fix a comment error where we claimed that we might
+be escalating MemManage to HardFault, and forgot about SecureFault.
+(Vector loads can never hit MPU access faults, because they're
+always aligned and always use the default address map.)
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20190705094823.28905-1-peter.maydell@linaro.org
+---
+ target/arm/m_helper.c | 21 +++++++++++++++++----
+file changed, 17 insertions(+), 4 deletions(-)
+diff --git a/target/arm/m_helper.c b/target/arm/m_helper.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/m_helper.c
++++ b/target/arm/m_helper.c
+@@ -XXX,XX +XXX,XX @@ static bool arm_v7m_load_vector(ARMCPU *cpu, int exc, bool targets_secure,
+         if (sattrs.ns) {
+             attrs.secure = false;
+         } else if (!targets_secure) {
+-            /* NS access to S memory */
++            /*
++             * NS access to S memory: the underlying exception which we escalate
++             * to HardFault is SecureFault, which always targets Secure.
++             */
++            exc_secure = true;
+             goto load_fail;
+         }
+     }
+@@ -XXX,XX +XXX,XX @@ static bool arm_v7m_load_vector(ARMCPU *cpu, int exc, bool targets_secure,
+     vector_entry = address_space_ldl(arm_addressspace(cs, attrs), addr,
+                                      attrs, &result);
+     if (result != MEMTX_OK) {
++        /*
++         * Underlying exception is BusFault: its target security state
++         * depends on BFHFNMINS.
++         */
++        exc_secure = !(cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK);
+         goto load_fail;
+     }
+     *pvec = vector_entry;
+@@ -XXX,XX +XXX,XX @@ load_fail:
+     /*
+      * All vector table fetch fails are reported as HardFault, with
+      * HFSR.VECTTBL and .FORCED set. (FORCED is set because
+-     * technically the underlying exception is a MemManage or BusFault
++     * technically the underlying exception is a SecureFault or BusFault
+      * that is escalated to HardFault.) This is a terminal exception,
+      * so we will either take the HardFault immediately or else enter
+      * lockup (the latter case is handled in armv7m_nvic_set_pending_derived()).
++     * The HardFault is Secure if BFHFNMINS is 0 (meaning that all HFs are
++     * secure); otherwise it targets the same security state as the
++     * underlying exception.
+      */
+-    exc_secure = targets_secure ||
+-        !(cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK);
++    if (!(cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK)) {
++        exc_secure = true;
++    }
+     env->v7m.hfsr |= R_V7M_HFSR_VECTTBL_MASK | R_V7M_HFSR_FORCED_MASK;
+     armv7m_nvic_set_pending_derived(env->nvic, ARMV7M_EXCP_HARD, exc_secure);
+     return false;
+--
+.20.1

Last lot of patches for arm before softfreeze tomorrow...

thanks
-- PMM

The following changes since commit ef3a6af5e789ff078d1fef880f9dfb6adf18e8f1:

Merge remote-tracking branch 'remotes/kraxel/tags/vga-20181029-pull-request' into staging (2018-10-29 12:59:15 +0000)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20181029

for you to fetch changes up to 20cf5663734310a282e27b7389bc9f53ffe227e6:

tests/boot-serial-test: Add microbit board testcase (2018-10-29 15:19:48 +0000)

----------------------------------------------------------------
target-arm queue:
 * microbit: Add the UART to our nRF51 SoC model
 * Add a virtual Xilinx Versal board "xlnx-versal-virt"
 * hw/arm/virt: Set VIRT_COMPAT_3_0 compat

----------------------------------------------------------------
Edgar E. Iglesias (2):
      hw/arm: versal: Add a model of Xilinx Versal SoC
      hw/arm: versal: Add a virtual Xilinx Versal board

Eric Auger (1):
      hw/arm/virt: Set VIRT_COMPAT_3_0 compat

Julia Suvorova (3):
      hw/char: Implement nRF51 SoC UART
      hw/arm/nrf51_soc: Connect UART to nRF51 SoC
      tests/boot-serial-test: Add microbit board testcase

hw/arm/Makefile.objs                |   1 +
 hw/char/Makefile.objs               |   1 +
 include/hw/arm/nrf51_soc.h          |   3 +
 include/hw/arm/xlnx-versal.h        | 122 +++++++++
 include/hw/char/nrf51_uart.h        |  78 ++++++
 hw/arm/microbit.c                   |   2 +
 hw/arm/nrf51_soc.c                  |  20 ++
 hw/arm/virt.c                       |   4 +
 hw/arm/xlnx-versal-virt.c           | 493 ++++++++++++++++++++++++++++++++++++
 hw/arm/xlnx-versal.c                | 323 +++++++++++++++++++++++
 hw/char/nrf51_uart.c                | 330 ++++++++++++++++++++++++
 tests/boot-serial-test.c            |  19 ++
 default-configs/aarch64-softmmu.mak |   1 +
 hw/char/trace-events                |   4 +
 14 files changed, 1401 insertions(+)
 create mode 100644 include/hw/arm/xlnx-versal.h
 create mode 100644 include/hw/char/nrf51_uart.h
 create mode 100644 hw/arm/xlnx-versal-virt.c
 create mode 100644 hw/arm/xlnx-versal.c
 create mode 100644 hw/char/nrf51_uart.c

From: Eric Auger <eric.auger@redhat.com>

We are missing the VIRT_COMPAT_3_0 definition and setting.
Let's add them.

Signed-off-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Andrew Jones <drjones@redhat.com>
Message-id: 20181024085602.16611-1-eric.auger@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/virt.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@ static void virt_machine_3_1_options(MachineClass *mc)
 }
 DEFINE_VIRT_MACHINE_AS_LATEST(3, 1)
 
+#define VIRT_COMPAT_3_0 \
+    HW_COMPAT_3_0
+
 static void virt_3_0_instance_init(Object *obj)
 {
     virt_3_1_instance_init(obj);
@@ -XXX,XX +XXX,XX @@ static void virt_3_0_instance_init(Object *obj)
 static void virt_machine_3_0_options(MachineClass *mc)
 {
     virt_machine_3_1_options(mc);
+    SET_MACHINE_COMPAT(mc, VIRT_COMPAT_3_0);
 }
 DEFINE_VIRT_MACHINE(3, 0)
 
-- 
2.19.1

From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>

Add a model of Xilinx Versal SoC.

Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/Makefile.objs                |   1 +
 include/hw/arm/xlnx-versal.h        | 122 +++++++++++
 hw/arm/xlnx-versal.c                | 323 ++++++++++++++++++++++++++++
 default-configs/aarch64-softmmu.mak |   1 +
 4 files changed, 447 insertions(+)
 create mode 100644 include/hw/arm/xlnx-versal.h
 create mode 100644 hw/arm/xlnx-versal.c

diff --git a/hw/arm/Makefile.objs b/hw/arm/Makefile.objs
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/Makefile.objs
+++ b/hw/arm/Makefile.objs
@@ -XXX,XX +XXX,XX @@ obj-$(CONFIG_ALLWINNER_A10) += allwinner-a10.o cubieboard.o
 obj-$(CONFIG_RASPI) += bcm2835_peripherals.o bcm2836.o raspi.o
 obj-$(CONFIG_STM32F205_SOC) += stm32f205_soc.o
 obj-$(CONFIG_XLNX_ZYNQMP_ARM) += xlnx-zynqmp.o xlnx-zcu102.o
+obj-$(CONFIG_XLNX_VERSAL) += xlnx-versal.o
 obj-$(CONFIG_FSL_IMX25) += fsl-imx25.o imx25_pdk.o
 obj-$(CONFIG_FSL_IMX31) += fsl-imx31.o kzm.o
 obj-$(CONFIG_FSL_IMX6) += fsl-imx6.o sabrelite.o
diff --git a/include/hw/arm/xlnx-versal.h b/include/hw/arm/xlnx-versal.h
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/include/hw/arm/xlnx-versal.h
@@ -XXX,XX +XXX,XX @@
+/*
+ * Model of the Xilinx Versal
+ *
+ * Copyright (c) 2018 Xilinx Inc.
+ * Written by Edgar E. Iglesias
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 or
+ * (at your option) any later version.
+ */
+
+#ifndef XLNX_VERSAL_H
+#define XLNX_VERSAL_H
+
+#include "hw/sysbus.h"
+#include "hw/arm/arm.h"
+#include "hw/intc/arm_gicv3.h"
+
+#define TYPE_XLNX_VERSAL "xlnx-versal"
+#define XLNX_VERSAL(obj) OBJECT_CHECK(Versal, (obj), TYPE_XLNX_VERSAL)
+
+#define XLNX_VERSAL_NR_ACPUS   2
+#define XLNX_VERSAL_NR_UARTS   2
+#define XLNX_VERSAL_NR_GEMS    2
+#define XLNX_VERSAL_NR_IRQS    256
+
+typedef struct Versal {
+    /*< private >*/
+    SysBusDevice parent_obj;
+
+    /*< public >*/
+    struct {
+        struct {
+            MemoryRegion mr;
+            ARMCPU *cpu[XLNX_VERSAL_NR_ACPUS];
+            GICv3State gic;
+        } apu;
+    } fpd;
+
+    MemoryRegion mr_ps;
+
+    struct {
+        /* 4 ranges to access DDR.  */
+        MemoryRegion mr_ddr_ranges[4];
+    } noc;
+
+    struct {
+        MemoryRegion mr_ocm;
+
+        struct {
+            SysBusDevice *uart[XLNX_VERSAL_NR_UARTS];
+            SysBusDevice *gem[XLNX_VERSAL_NR_GEMS];
+        } iou;
+    } lpd;
+
+    struct {
+        MemoryRegion *mr_ddr;
+        uint32_t psci_conduit;
+    } cfg;
+} Versal;
+
+/* Memory-map and IRQ definitions. Copied a subset from
+ * auto-generated files.  */
+
+#define VERSAL_GIC_MAINT_IRQ        9
+#define VERSAL_TIMER_VIRT_IRQ       11
+#define VERSAL_TIMER_S_EL1_IRQ      13
+#define VERSAL_TIMER_NS_EL1_IRQ     14
+#define VERSAL_TIMER_NS_EL2_IRQ     10
+
+#define VERSAL_UART0_IRQ_0         18
+#define VERSAL_UART1_IRQ_0         19
+#define VERSAL_GEM0_IRQ_0          56
+#define VERSAL_GEM0_WAKE_IRQ_0     57
+#define VERSAL_GEM1_IRQ_0          58
+#define VERSAL_GEM1_WAKE_IRQ_0     59
+
+/* Architecturally eserved IRQs suitable for virtualization.  */
+#define VERSAL_RSVD_HIGH_IRQ_FIRST 160
+#define VERSAL_RSVD_HIGH_IRQ_LAST  255
+
+#define MM_TOP_RSVD                 0xa0000000U
+#define MM_TOP_RSVD_SIZE            0x4000000
+#define MM_GIC_APU_DIST_MAIN        0xf9000000U
+#define MM_GIC_APU_DIST_MAIN_SIZE   0x10000
+#define MM_GIC_APU_REDIST_0         0xf9080000U
+#define MM_GIC_APU_REDIST_0_SIZE    0x80000
+
+#define MM_UART0                    0xff000000U
+#define MM_UART0_SIZE               0x10000
+#define MM_UART1                    0xff010000U
+#define MM_UART1_SIZE               0x10000
+
+#define MM_GEM0                     0xff0c0000U
+#define MM_GEM0_SIZE                0x10000
+#define MM_GEM1                     0xff0d0000U
+#define MM_GEM1_SIZE                0x10000
+
+#define MM_OCM                      0xfffc0000U
+#define MM_OCM_SIZE                 0x40000
+
+#define MM_TOP_DDR                  0x0
+#define MM_TOP_DDR_SIZE             0x80000000U
+#define MM_TOP_DDR_2                0x800000000ULL
+#define MM_TOP_DDR_2_SIZE           0x800000000ULL
+#define MM_TOP_DDR_3                0xc000000000ULL
+#define MM_TOP_DDR_3_SIZE           0x4000000000ULL
+#define MM_TOP_DDR_4                0x10000000000ULL
+#define MM_TOP_DDR_4_SIZE           0xb780000000ULL
+
+#define MM_PSM_START                0xffc80000U
+#define MM_PSM_END                  0xffcf0000U
+
+#define MM_CRL                      0xff5e0000U
+#define MM_CRL_SIZE                 0x300000
+#define MM_IOU_SCNTR                0xff130000U
+#define MM_IOU_SCNTR_SIZE           0x10000
+#define MM_IOU_SCNTRS               0xff140000U
+#define MM_IOU_SCNTRS_SIZE          0x10000
+#define MM_FPD_CRF                  0xfd1a0000U
+#define MM_FPD_CRF_SIZE             0x140000
+#endif
diff --git a/hw/arm/xlnx-versal.c b/hw/arm/xlnx-versal.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/hw/arm/xlnx-versal.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * Xilinx Versal SoC model.
+ *
+ * Copyright (c) 2018 Xilinx Inc.
+ * Written by Edgar E. Iglesias
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 or
+ * (at your option) any later version.
+ */
+
+#include "qemu/osdep.h"
+#include "qapi/error.h"
+#include "qemu-common.h"
+#include "qemu/log.h"
+#include "hw/sysbus.h"
+#include "net/net.h"
+#include "sysemu/sysemu.h"
+#include "sysemu/kvm.h"
+#include "hw/arm/arm.h"
+#include "kvm_arm.h"
+#include "hw/misc/unimp.h"
+#include "hw/intc/arm_gicv3_common.h"
+#include "hw/arm/xlnx-versal.h"
+
+#define XLNX_VERSAL_ACPU_TYPE ARM_CPU_TYPE_NAME("cortex-a72")
+#define GEM_REVISION        0x40070106
+
+static void versal_create_apu_cpus(Versal *s)
+{
+    int i;
+
+    for (i = 0; i < ARRAY_SIZE(s->fpd.apu.cpu); i++) {
+        Object *obj;
+        char *name;
+
+        obj = object_new(XLNX_VERSAL_ACPU_TYPE);
+        if (!obj) {
+            /* Secondary CPUs start in PSCI powered-down state */
+            error_report("Unable to create apu.cpu[%d] of type %s",
+                         i, XLNX_VERSAL_ACPU_TYPE);
+            exit(EXIT_FAILURE);
+        }
+
+        name = g_strdup_printf("apu-cpu[%d]", i);
+        object_property_add_child(OBJECT(s), name, obj, &error_fatal);
+        g_free(name);
+
+        object_property_set_int(obj, s->cfg.psci_conduit,
+                                "psci-conduit", &error_abort);
+        if (i) {
+            object_property_set_bool(obj, true,
+                                     "start-powered-off", &error_abort);
+        }
+
+        object_property_set_int(obj, ARRAY_SIZE(s->fpd.apu.cpu),
+                                "core-count", &error_abort);
+        object_property_set_link(obj, OBJECT(&s->fpd.apu.mr), "memory",
+                                 &error_abort);
+        object_property_set_bool(obj, true, "realized", &error_fatal);
+        s->fpd.apu.cpu[i] = ARM_CPU(obj);
+    }
+}
+
+static void versal_create_apu_gic(Versal *s, qemu_irq *pic)
+{
+    static const uint64_t addrs[] = {
+        MM_GIC_APU_DIST_MAIN,
+        MM_GIC_APU_REDIST_0
+    };
+    SysBusDevice *gicbusdev;
+    DeviceState *gicdev;
+    int nr_apu_cpus = ARRAY_SIZE(s->fpd.apu.cpu);
+    int i;
+
+    sysbus_init_child_obj(OBJECT(s), "apu-gic",
+                          &s->fpd.apu.gic, sizeof(s->fpd.apu.gic),
+                          gicv3_class_name());
+    gicbusdev = SYS_BUS_DEVICE(&s->fpd.apu.gic);
+    gicdev = DEVICE(&s->fpd.apu.gic);
+    qdev_prop_set_uint32(gicdev, "revision", 3);
+    qdev_prop_set_uint32(gicdev, "num-cpu", 2);
+    qdev_prop_set_uint32(gicdev, "num-irq", XLNX_VERSAL_NR_IRQS + 32);
+    qdev_prop_set_uint32(gicdev, "len-redist-region-count", 1);
+    qdev_prop_set_uint32(gicdev, "redist-region-count[0]", 2);
+    qdev_prop_set_bit(gicdev, "has-security-extensions", true);
+
+    object_property_set_bool(OBJECT(&s->fpd.apu.gic), true, "realized",
+                                    &error_fatal);
+
+    for (i = 0; i < ARRAY_SIZE(addrs); i++) {
+        MemoryRegion *mr;
+
+        mr = sysbus_mmio_get_region(gicbusdev, i);
+        memory_region_add_subregion(&s->fpd.apu.mr, addrs[i], mr);
+    }
+
+    for (i = 0; i < nr_apu_cpus; i++) {
+        DeviceState *cpudev = DEVICE(s->fpd.apu.cpu[i]);
+        int ppibase = XLNX_VERSAL_NR_IRQS + i * GIC_INTERNAL + GIC_NR_SGIS;
+        qemu_irq maint_irq;
+        int ti;
+        /* Mapping from the output timer irq lines from the CPU to the
+         * GIC PPI inputs.
+         */
+        const int timer_irq[] = {
+            [GTIMER_PHYS] = VERSAL_TIMER_NS_EL1_IRQ,
+            [GTIMER_VIRT] = VERSAL_TIMER_VIRT_IRQ,
+            [GTIMER_HYP]  = VERSAL_TIMER_NS_EL2_IRQ,
+            [GTIMER_SEC]  = VERSAL_TIMER_S_EL1_IRQ,
+        };
+
+        for (ti = 0; ti < ARRAY_SIZE(timer_irq); ti++) {
+            qdev_connect_gpio_out(cpudev, ti,
+                                  qdev_get_gpio_in(gicdev,
+                                                   ppibase + timer_irq[ti]));
+        }
+        maint_irq = qdev_get_gpio_in(gicdev,
+                                        ppibase + VERSAL_GIC_MAINT_IRQ);
+        qdev_connect_gpio_out_named(cpudev, "gicv3-maintenance-interrupt",
+                                    0, maint_irq);
+        sysbus_connect_irq(gicbusdev, i, qdev_get_gpio_in(cpudev, ARM_CPU_IRQ));
+        sysbus_connect_irq(gicbusdev, i + nr_apu_cpus,
+                           qdev_get_gpio_in(cpudev, ARM_CPU_FIQ));
+        sysbus_connect_irq(gicbusdev, i + 2 * nr_apu_cpus,
+                           qdev_get_gpio_in(cpudev, ARM_CPU_VIRQ));
+        sysbus_connect_irq(gicbusdev, i + 3 * nr_apu_cpus,
+                           qdev_get_gpio_in(cpudev, ARM_CPU_VFIQ));
+    }
+
+    for (i = 0; i < XLNX_VERSAL_NR_IRQS; i++) {
+        pic[i] = qdev_get_gpio_in(gicdev, i);
+    }
+}
+
+static void versal_create_uarts(Versal *s, qemu_irq *pic)
+{
+    int i;
+
+    for (i = 0; i < ARRAY_SIZE(s->lpd.iou.uart); i++) {
+        static const int irqs[] = { VERSAL_UART0_IRQ_0, VERSAL_UART1_IRQ_0};
+        static const uint64_t addrs[] = { MM_UART0, MM_UART1 };
+        char *name = g_strdup_printf("uart%d", i);
+        DeviceState *dev;
+        MemoryRegion *mr;
+
+        dev = qdev_create(NULL, "pl011");
+        s->lpd.iou.uart[i] = SYS_BUS_DEVICE(dev);
+        qdev_prop_set_chr(dev, "chardev", serial_hd(i));
+        object_property_add_child(OBJECT(s), name, OBJECT(dev), &error_fatal);
+        qdev_init_nofail(dev);
+
+        mr = sysbus_mmio_get_region(s->lpd.iou.uart[i], 0);
+        memory_region_add_subregion(&s->mr_ps, addrs[i], mr);
+
+        sysbus_connect_irq(s->lpd.iou.uart[i], 0, pic[irqs[i]]);
+        g_free(name);
+    }
+}
+
+static void versal_create_gems(Versal *s, qemu_irq *pic)
+{
+    int i;
+
+    for (i = 0; i < ARRAY_SIZE(s->lpd.iou.gem); i++) {
+        static const int irqs[] = { VERSAL_GEM0_IRQ_0, VERSAL_GEM1_IRQ_0};
+        static const uint64_t addrs[] = { MM_GEM0, MM_GEM1 };
+        char *name = g_strdup_printf("gem%d", i);
+        NICInfo *nd = &nd_table[i];
+        DeviceState *dev;
+        MemoryRegion *mr;
+
+        dev = qdev_create(NULL, "cadence_gem");
+        s->lpd.iou.gem[i] = SYS_BUS_DEVICE(dev);
+        object_property_add_child(OBJECT(s), name, OBJECT(dev), &error_fatal);
+        if (nd->used) {
+            qemu_check_nic_model(nd, "cadence_gem");
+            qdev_set_nic_properties(dev, nd);
+        }
+        object_property_set_int(OBJECT(s->lpd.iou.gem[i]),
+                                2, "num-priority-queues",
+                                &error_abort);
+        object_property_set_link(OBJECT(s->lpd.iou.gem[i]),
+                                 OBJECT(&s->mr_ps), "dma",
+                                 &error_abort);
+        qdev_init_nofail(dev);
+
+        mr = sysbus_mmio_get_region(s->lpd.iou.gem[i], 0);
+        memory_region_add_subregion(&s->mr_ps, addrs[i], mr);
+
+        sysbus_connect_irq(s->lpd.iou.gem[i], 0, pic[irqs[i]]);
+        g_free(name);
+    }
+}
+
+/* This takes the board allocated linear DDR memory and creates aliases
+ * for each split DDR range/aperture on the Versal address map.
+ */
+static void versal_map_ddr(Versal *s)
+{
+    uint64_t size = memory_region_size(s->cfg.mr_ddr);
+    /* Describes the various split DDR access regions.  */
+    static const struct {
+        uint64_t base;
+        uint64_t size;
+    } addr_ranges[] = {
+        { MM_TOP_DDR, MM_TOP_DDR_SIZE },
+        { MM_TOP_DDR_2, MM_TOP_DDR_2_SIZE },
+        { MM_TOP_DDR_3, MM_TOP_DDR_3_SIZE },
+        { MM_TOP_DDR_4, MM_TOP_DDR_4_SIZE }
+    };
+    uint64_t offset = 0;
+    int i;
+
+    assert(ARRAY_SIZE(addr_ranges) == ARRAY_SIZE(s->noc.mr_ddr_ranges));
+    for (i = 0; i < ARRAY_SIZE(addr_ranges) && size; i++) {
+        char *name;
+        uint64_t mapsize;
+
+        mapsize = size < addr_ranges[i].size ? size : addr_ranges[i].size;
+        name = g_strdup_printf("noc-ddr-range%d", i);
+        /* Create the MR alias.  */
+        memory_region_init_alias(&s->noc.mr_ddr_ranges[i], OBJECT(s),
+                                 name, s->cfg.mr_ddr,
+                                 offset, mapsize);
+
+        /* Map it onto the NoC MR.  */
+        memory_region_add_subregion(&s->mr_ps, addr_ranges[i].base,
+                                    &s->noc.mr_ddr_ranges[i]);
+        offset += mapsize;
+        size -= mapsize;
+        g_free(name);
+    }
+}
+
+static void versal_unimp_area(Versal *s, const char *name,
+                                MemoryRegion *mr,
+                                hwaddr base, hwaddr size)
+{
+    DeviceState *dev = qdev_create(NULL, TYPE_UNIMPLEMENTED_DEVICE);
+    MemoryRegion *mr_dev;
+
+    qdev_prop_set_string(dev, "name", name);
+    qdev_prop_set_uint64(dev, "size", size);
+    object_property_add_child(OBJECT(s), name, OBJECT(dev), &error_fatal);
+    qdev_init_nofail(dev);
+
+    mr_dev = sysbus_mmio_get_region(SYS_BUS_DEVICE(dev), 0);
+    memory_region_add_subregion(mr, base, mr_dev);
+}
+
+static void versal_unimp(Versal *s)
+{
+    versal_unimp_area(s, "psm", &s->mr_ps,
+                        MM_PSM_START, MM_PSM_END - MM_PSM_START);
+    versal_unimp_area(s, "crl", &s->mr_ps,
+                        MM_CRL, MM_CRL_SIZE);
+    versal_unimp_area(s, "crf", &s->mr_ps,
+                        MM_FPD_CRF, MM_FPD_CRF_SIZE);
+    versal_unimp_area(s, "iou-scntr", &s->mr_ps,
+                        MM_IOU_SCNTR, MM_IOU_SCNTR_SIZE);
+    versal_unimp_area(s, "iou-scntr-seucre", &s->mr_ps,
+                        MM_IOU_SCNTRS, MM_IOU_SCNTRS_SIZE);
+}
+
+static void versal_realize(DeviceState *dev, Error **errp)
+{
+    Versal *s = XLNX_VERSAL(dev);
+    qemu_irq pic[XLNX_VERSAL_NR_IRQS];
+
+    versal_create_apu_cpus(s);
+    versal_create_apu_gic(s, pic);
+    versal_create_uarts(s, pic);
+    versal_create_gems(s, pic);
+    versal_map_ddr(s);
+    versal_unimp(s);
+
+    /* Create the On Chip Memory (OCM).  */
+    memory_region_init_ram(&s->lpd.mr_ocm, OBJECT(s), "ocm",
+                           MM_OCM_SIZE, &error_fatal);
+
+    memory_region_add_subregion_overlap(&s->mr_ps, MM_OCM, &s->lpd.mr_ocm, 0);
+    memory_region_add_subregion_overlap(&s->fpd.apu.mr, 0, &s->mr_ps, 0);
+}
+
+static void versal_init(Object *obj)
+{
+    Versal *s = XLNX_VERSAL(obj);
+
+    memory_region_init(&s->fpd.apu.mr, obj, "mr-apu", UINT64_MAX);
+    memory_region_init(&s->mr_ps, obj, "mr-ps-switch", UINT64_MAX);
+}
+
+static Property versal_properties[] = {
+    DEFINE_PROP_LINK("ddr", Versal, cfg.mr_ddr, TYPE_MEMORY_REGION,
+                     MemoryRegion *),
+    DEFINE_PROP_UINT32("psci-conduit", Versal, cfg.psci_conduit, 0),
+    DEFINE_PROP_END_OF_LIST()
+};
+
+static void versal_class_init(ObjectClass *klass, void *data)
+{
+    DeviceClass *dc = DEVICE_CLASS(klass);
+
+    dc->realize = versal_realize;
+    dc->props = versal_properties;
+    /* No VMSD since we haven't got any top-level SoC state to save.  */
+}
+
+static const TypeInfo versal_info = {
+    .name = TYPE_XLNX_VERSAL,
+    .parent = TYPE_SYS_BUS_DEVICE,
+    .instance_size = sizeof(Versal),
+    .instance_init = versal_init,
+    .class_init = versal_class_init,
+};
+
+static void versal_register_types(void)
+{
+    type_register_static(&versal_info);
+}
+
+type_init(versal_register_types);
diff --git a/default-configs/aarch64-softmmu.mak b/default-configs/aarch64-softmmu.mak
index XXXXXXX..XXXXXXX 100644
--- a/default-configs/aarch64-softmmu.mak
+++ b/default-configs/aarch64-softmmu.mak
@@ -XXX,XX +XXX,XX @@ CONFIG_DDC=y
 CONFIG_DPCD=y
 CONFIG_XLNX_ZYNQMP=y
 CONFIG_XLNX_ZYNQMP_ARM=y
+CONFIG_XLNX_VERSAL=y
 CONFIG_ARM_SMMUV3=y
-- 
2.19.1

From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>

Add a virtual Xilinx Versal board.

This board is based on the Xilinx Versal SoC. The exact
details of what peripherals are attached to this board
will remain in control of QEMU. QEMU will generate an
FDT on the fly for Linux and other software to auto-discover
peripherals.

Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
[PMM: removed stray blank line at EOF]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/Makefile.objs      |   2 +-
 hw/arm/xlnx-versal-virt.c | 493 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 494 insertions(+), 1 deletion(-)
 create mode 100644 hw/arm/xlnx-versal-virt.c

diff --git a/hw/arm/Makefile.objs b/hw/arm/Makefile.objs
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/Makefile.objs
+++ b/hw/arm/Makefile.objs
@@ -XXX,XX +XXX,XX @@ obj-$(CONFIG_ALLWINNER_A10) += allwinner-a10.o cubieboard.o
 obj-$(CONFIG_RASPI) += bcm2835_peripherals.o bcm2836.o raspi.o
 obj-$(CONFIG_STM32F205_SOC) += stm32f205_soc.o
 obj-$(CONFIG_XLNX_ZYNQMP_ARM) += xlnx-zynqmp.o xlnx-zcu102.o
-obj-$(CONFIG_XLNX_VERSAL) += xlnx-versal.o
+obj-$(CONFIG_XLNX_VERSAL) += xlnx-versal.o xlnx-versal-virt.o
 obj-$(CONFIG_FSL_IMX25) += fsl-imx25.o imx25_pdk.o
 obj-$(CONFIG_FSL_IMX31) += fsl-imx31.o kzm.o
 obj-$(CONFIG_FSL_IMX6) += fsl-imx6.o sabrelite.o
diff --git a/hw/arm/xlnx-versal-virt.c b/hw/arm/xlnx-versal-virt.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/hw/arm/xlnx-versal-virt.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * Xilinx Versal Virtual board.
+ *
+ * Copyright (c) 2018 Xilinx Inc.
+ * Written by Edgar E. Iglesias
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 or
+ * (at your option) any later version.
+ */
+
+#include "qemu/osdep.h"
+#include "qemu/log.h"
+#include "qemu/error-report.h"
+#include "qapi/error.h"
+#include "sysemu/device_tree.h"
+#include "exec/address-spaces.h"
+#include "hw/boards.h"
+#include "hw/sysbus.h"
+#include "hw/arm/sysbus-fdt.h"
+#include "hw/arm/fdt.h"
+#include "cpu.h"
+#include "hw/arm/xlnx-versal.h"
+
+#define TYPE_XLNX_VERSAL_VIRT_MACHINE MACHINE_TYPE_NAME("xlnx-versal-virt")
+#define XLNX_VERSAL_VIRT_MACHINE(obj) \
+    OBJECT_CHECK(VersalVirt, (obj), TYPE_XLNX_VERSAL_VIRT_MACHINE)
+
+typedef struct VersalVirt {
+    MachineState parent_obj;
+
+    Versal soc;
+    MemoryRegion mr_ddr;
+
+    void *fdt;
+    int fdt_size;
+    struct {
+        uint32_t gic;
+        uint32_t ethernet_phy[2];
+        uint32_t clk_125Mhz;
+        uint32_t clk_25Mhz;
+    } phandle;
+    struct arm_boot_info binfo;
+
+    struct {
+        bool secure;
+    } cfg;
+} VersalVirt;
+
+static void fdt_create(VersalVirt *s)
+{
+    MachineClass *mc = MACHINE_GET_CLASS(s);
+    int i;
+
+    s->fdt = create_device_tree(&s->fdt_size);
+    if (!s->fdt) {
+        error_report("create_device_tree() failed");
+        exit(1);
+    }
+
+    /* Allocate all phandles.  */
+    s->phandle.gic = qemu_fdt_alloc_phandle(s->fdt);
+    for (i = 0; i < ARRAY_SIZE(s->phandle.ethernet_phy); i++) {
+        s->phandle.ethernet_phy[i] = qemu_fdt_alloc_phandle(s->fdt);
+    }
+    s->phandle.clk_25Mhz = qemu_fdt_alloc_phandle(s->fdt);
+    s->phandle.clk_125Mhz = qemu_fdt_alloc_phandle(s->fdt);
+
+    /* Create /chosen node for load_dtb.  */
+    qemu_fdt_add_subnode(s->fdt, "/chosen");
+
+    /* Header */
+    qemu_fdt_setprop_cell(s->fdt, "/", "interrupt-parent", s->phandle.gic);
+    qemu_fdt_setprop_cell(s->fdt, "/", "#size-cells", 0x2);
+    qemu_fdt_setprop_cell(s->fdt, "/", "#address-cells", 0x2);
+    qemu_fdt_setprop_string(s->fdt, "/", "model", mc->desc);
+    qemu_fdt_setprop_string(s->fdt, "/", "compatible", "xlnx-versal-virt");
+}
+
+static void fdt_add_clk_node(VersalVirt *s, const char *name,
+                             unsigned int freq_hz, uint32_t phandle)
+{
+    qemu_fdt_add_subnode(s->fdt, name);
+    qemu_fdt_setprop_cell(s->fdt, name, "phandle", phandle);
+    qemu_fdt_setprop_cell(s->fdt, name, "clock-frequency", freq_hz);
+    qemu_fdt_setprop_cell(s->fdt, name, "#clock-cells", 0x0);
+    qemu_fdt_setprop_string(s->fdt, name, "compatible", "fixed-clock");
+    qemu_fdt_setprop(s->fdt, name, "u-boot,dm-pre-reloc", NULL, 0);
+}
+
+static void fdt_add_cpu_nodes(VersalVirt *s, uint32_t psci_conduit)
+{
+    int i;
+
+    qemu_fdt_add_subnode(s->fdt, "/cpus");
+    qemu_fdt_setprop_cell(s->fdt, "/cpus", "#size-cells", 0x0);
+    qemu_fdt_setprop_cell(s->fdt, "/cpus", "#address-cells", 1);
+
+    for (i = XLNX_VERSAL_NR_ACPUS - 1; i >= 0; i--) {
+        char *name = g_strdup_printf("/cpus/cpu@%d", i);
+        ARMCPU *armcpu = ARM_CPU(qemu_get_cpu(i));
+
+        qemu_fdt_add_subnode(s->fdt, name);
+        qemu_fdt_setprop_cell(s->fdt, name, "reg", armcpu->mp_affinity);
+        if (psci_conduit != QEMU_PSCI_CONDUIT_DISABLED) {
+            qemu_fdt_setprop_string(s->fdt, name, "enable-method", "psci");
+        }
+        qemu_fdt_setprop_string(s->fdt, name, "device_type", "cpu");
+        qemu_fdt_setprop_string(s->fdt, name, "compatible",
+                                armcpu->dtb_compatible);
+        g_free(name);
+    }
+}
+
+static void fdt_add_gic_nodes(VersalVirt *s)
+{
+    char *nodename;
+
+    nodename = g_strdup_printf("/gic@%x", MM_GIC_APU_DIST_MAIN);
+    qemu_fdt_add_subnode(s->fdt, nodename);
+    qemu_fdt_setprop_cell(s->fdt, nodename, "phandle", s->phandle.gic);
+    qemu_fdt_setprop_cells(s->fdt, nodename, "interrupts",
+                           GIC_FDT_IRQ_TYPE_PPI, VERSAL_GIC_MAINT_IRQ,
+                           GIC_FDT_IRQ_FLAGS_LEVEL_HI);
+    qemu_fdt_setprop(s->fdt, nodename, "interrupt-controller", NULL, 0);
+    qemu_fdt_setprop_sized_cells(s->fdt, nodename, "reg",
+                                 2, MM_GIC_APU_DIST_MAIN,
+                                 2, MM_GIC_APU_DIST_MAIN_SIZE,
+                                 2, MM_GIC_APU_REDIST_0,
+                                 2, MM_GIC_APU_REDIST_0_SIZE);
+    qemu_fdt_setprop_cell(s->fdt, nodename, "#interrupt-cells", 3);
+    qemu_fdt_setprop_string(s->fdt, nodename, "compatible", "arm,gic-v3");
+}
+
+static void fdt_add_timer_nodes(VersalVirt *s)
+{
+    const char compat[] = "arm,armv8-timer";
+    uint32_t irqflags = GIC_FDT_IRQ_FLAGS_LEVEL_HI;
+
+    qemu_fdt_add_subnode(s->fdt, "/timer");
+    qemu_fdt_setprop_cells(s->fdt, "/timer", "interrupts",
+            GIC_FDT_IRQ_TYPE_PPI, VERSAL_TIMER_S_EL1_IRQ, irqflags,
+            GIC_FDT_IRQ_TYPE_PPI, VERSAL_TIMER_NS_EL1_IRQ, irqflags,
+            GIC_FDT_IRQ_TYPE_PPI, VERSAL_TIMER_VIRT_IRQ, irqflags,
+            GIC_FDT_IRQ_TYPE_PPI, VERSAL_TIMER_NS_EL2_IRQ, irqflags);
+    qemu_fdt_setprop(s->fdt, "/timer", "compatible",
+                     compat, sizeof(compat));
+}
+
+static void fdt_add_uart_nodes(VersalVirt *s)
+{
+    uint64_t addrs[] = { MM_UART1, MM_UART0 };
+    unsigned int irqs[] = { VERSAL_UART1_IRQ_0, VERSAL_UART0_IRQ_0 };
+    const char compat[] = "arm,pl011\0arm,sbsa-uart";
+    const char clocknames[] = "uartclk\0apb_pclk";
+    int i;
+
+    for (i = 0; i < ARRAY_SIZE(addrs); i++) {
+        char *name = g_strdup_printf("/uart@%" PRIx64, addrs[i]);
+        qemu_fdt_add_subnode(s->fdt, name);
+        qemu_fdt_setprop_cell(s->fdt, name, "current-speed", 115200);
+        qemu_fdt_setprop_cells(s->fdt, name, "clocks",
+                               s->phandle.clk_125Mhz, s->phandle.clk_125Mhz);
+        qemu_fdt_setprop(s->fdt, name, "clock-names",
+                         clocknames, sizeof(clocknames));
+
+        qemu_fdt_setprop_cells(s->fdt, name, "interrupts",
+                               GIC_FDT_IRQ_TYPE_SPI, irqs[i],
+                               GIC_FDT_IRQ_FLAGS_LEVEL_HI);
+        qemu_fdt_setprop_sized_cells(s->fdt, name, "reg",
+                                     2, addrs[i], 2, 0x1000);
+        qemu_fdt_setprop(s->fdt, name, "compatible",
+                         compat, sizeof(compat));
+        qemu_fdt_setprop(s->fdt, name, "u-boot,dm-pre-reloc", NULL, 0);
+
+        if (addrs[i] == MM_UART0) {
+            /* Select UART0.  */
+            qemu_fdt_setprop_string(s->fdt, "/chosen", "stdout-path", name);
+        }
+        g_free(name);
+    }
+}
+
+static void fdt_add_fixed_link_nodes(VersalVirt *s, char *gemname,
+                                     uint32_t phandle)
+{
+    char *name = g_strdup_printf("%s/fixed-link", gemname);
+
+    qemu_fdt_add_subnode(s->fdt, name);
+    qemu_fdt_setprop_cell(s->fdt, name, "phandle", phandle);
+    qemu_fdt_setprop_cells(s->fdt, name, "full-duplex");
+    qemu_fdt_setprop_cell(s->fdt, name, "speed", 1000);
+    g_free(name);
+}
+
+static void fdt_add_gem_nodes(VersalVirt *s)
+{
+    uint64_t addrs[] = { MM_GEM1, MM_GEM0 };
+    unsigned int irqs[] = { VERSAL_GEM1_IRQ_0, VERSAL_GEM0_IRQ_0 };
+    const char clocknames[] = "pclk\0hclk\0tx_clk\0rx_clk";
+    const char compat_gem[] = "cdns,zynqmp-gem\0cdns,gem";
+    int i;
+
+    for (i = 0; i < ARRAY_SIZE(addrs); i++) {
+        char *name = g_strdup_printf("/ethernet@%" PRIx64, addrs[i]);
+        qemu_fdt_add_subnode(s->fdt, name);
+
+        fdt_add_fixed_link_nodes(s, name, s->phandle.ethernet_phy[i]);
+        qemu_fdt_setprop_string(s->fdt, name, "phy-mode", "rgmii-id");
+        qemu_fdt_setprop_cell(s->fdt, name, "phy-handle",
+                              s->phandle.ethernet_phy[i]);
+        qemu_fdt_setprop_cells(s->fdt, name, "clocks",
+                               s->phandle.clk_25Mhz, s->phandle.clk_25Mhz,
+                               s->phandle.clk_25Mhz, s->phandle.clk_25Mhz);
+        qemu_fdt_setprop(s->fdt, name, "clock-names",
+                         clocknames, sizeof(clocknames));
+        qemu_fdt_setprop_cells(s->fdt, name, "interrupts",
+                               GIC_FDT_IRQ_TYPE_SPI, irqs[i],
+                               GIC_FDT_IRQ_FLAGS_LEVEL_HI,
+                               GIC_FDT_IRQ_TYPE_SPI, irqs[i],
+                               GIC_FDT_IRQ_FLAGS_LEVEL_HI);
+        qemu_fdt_setprop_sized_cells(s->fdt, name, "reg",
+                                     2, addrs[i], 2, 0x1000);
+        qemu_fdt_setprop(s->fdt, name, "compatible",
+                         compat_gem, sizeof(compat_gem));
+        qemu_fdt_setprop_cell(s->fdt, name, "#address-cells", 1);
+        qemu_fdt_setprop_cell(s->fdt, name, "#size-cells", 0);
+        g_free(name);
+    }
+}
+
+static void fdt_nop_memory_nodes(void *fdt, Error **errp)
+{
+    Error *err = NULL;
+    char **node_path;
+    int n = 0;
+
+    node_path = qemu_fdt_node_unit_path(fdt, "memory", &err);
+    if (err) {
+        error_propagate(errp, err);
+        return;
+    }
+    while (node_path[n]) {
+        if (g_str_has_prefix(node_path[n], "/memory")) {
+            qemu_fdt_nop_node(fdt, node_path[n]);
+        }
+        n++;
+    }
+    g_strfreev(node_path);
+}
+
+static void fdt_add_memory_nodes(VersalVirt *s, void *fdt, uint64_t ram_size)
+{
+    /* Describes the various split DDR access regions.  */
+    static const struct {
+        uint64_t base;
+        uint64_t size;
+    } addr_ranges[] = {
+        { MM_TOP_DDR, MM_TOP_DDR_SIZE },
+        { MM_TOP_DDR_2, MM_TOP_DDR_2_SIZE },
+        { MM_TOP_DDR_3, MM_TOP_DDR_3_SIZE },
+        { MM_TOP_DDR_4, MM_TOP_DDR_4_SIZE }
+    };
+    uint64_t mem_reg_prop[8] = {0};
+    uint64_t size = ram_size;
+    Error *err = NULL;
+    char *name;
+    int i;
+
+    fdt_nop_memory_nodes(fdt, &err);
+    if (err) {
+        error_report_err(err);
+        return;
+    }
+
+    name = g_strdup_printf("/memory@%x", MM_TOP_DDR);
+    for (i = 0; i < ARRAY_SIZE(addr_ranges) && size; i++) {
+        uint64_t mapsize;
+
+        mapsize = size < addr_ranges[i].size ? size : addr_ranges[i].size;
+
+        mem_reg_prop[i * 2] = addr_ranges[i].base;
+        mem_reg_prop[i * 2 + 1] = mapsize;
+        size -= mapsize;
+    }
+    qemu_fdt_add_subnode(fdt, name);
+    qemu_fdt_setprop_string(fdt, name, "device_type", "memory");
+
+    switch (i) {
+    case 1:
+        qemu_fdt_setprop_sized_cells(fdt, name, "reg",
+                                     2, mem_reg_prop[0],
+                                     2, mem_reg_prop[1]);
+        break;
+    case 2:
+        qemu_fdt_setprop_sized_cells(fdt, name, "reg",
+                                     2, mem_reg_prop[0],
+                                     2, mem_reg_prop[1],
+                                     2, mem_reg_prop[2],
+                                     2, mem_reg_prop[3]);
+        break;
+    case 3:
+        qemu_fdt_setprop_sized_cells(fdt, name, "reg",
+                                     2, mem_reg_prop[0],
+                                     2, mem_reg_prop[1],
+                                     2, mem_reg_prop[2],
+                                     2, mem_reg_prop[3],
+                                     2, mem_reg_prop[4],
+                                     2, mem_reg_prop[5]);
+        break;
+    case 4:
+        qemu_fdt_setprop_sized_cells(fdt, name, "reg",
+                                     2, mem_reg_prop[0],
+                                     2, mem_reg_prop[1],
+                                     2, mem_reg_prop[2],
+                                     2, mem_reg_prop[3],
+                                     2, mem_reg_prop[4],
+                                     2, mem_reg_prop[5],
+                                     2, mem_reg_prop[6],
+                                     2, mem_reg_prop[7]);
+        break;
+    default:
+        g_assert_not_reached();
+    }
+    g_free(name);
+}
+
+static void versal_virt_modify_dtb(const struct arm_boot_info *binfo,
+                                    void *fdt)
+{
+    VersalVirt *s = container_of(binfo, VersalVirt, binfo);
+
+    fdt_add_memory_nodes(s, fdt, binfo->ram_size);
+}
+
+static void *versal_virt_get_dtb(const struct arm_boot_info *binfo,
+                                  int *fdt_size)
+{
+    const VersalVirt *board = container_of(binfo, VersalVirt, binfo);
+
+    *fdt_size = board->fdt_size;
+    return board->fdt;
+}
+
+#define NUM_VIRTIO_TRANSPORT 32
+static void create_virtio_regions(VersalVirt *s)
+{
+    int virtio_mmio_size = 0x200;
+    int i;
+
+    for (i = 0; i < NUM_VIRTIO_TRANSPORT; i++) {
+        char *name = g_strdup_printf("virtio%d", i);;
+        hwaddr base = MM_TOP_RSVD + i * virtio_mmio_size;
+        int irq = VERSAL_RSVD_HIGH_IRQ_FIRST + i;
+        MemoryRegion *mr;
+        DeviceState *dev;
+        qemu_irq pic_irq;
+
+        pic_irq = qdev_get_gpio_in(DEVICE(&s->soc.fpd.apu.gic), irq);
+        dev = qdev_create(NULL, "virtio-mmio");
+        object_property_add_child(OBJECT(&s->soc), name, OBJECT(dev),
+                                  &error_fatal);
+        qdev_init_nofail(dev);
+        sysbus_connect_irq(SYS_BUS_DEVICE(dev), 0, pic_irq);
+        mr = sysbus_mmio_get_region(SYS_BUS_DEVICE(dev), 0);
+        memory_region_add_subregion(&s->soc.mr_ps, base, mr);
+        sysbus_create_simple("virtio-mmio", base, pic_irq);
+    }
+
+    for (i = 0; i < NUM_VIRTIO_TRANSPORT; i++) {
+        hwaddr base = MM_TOP_RSVD + i * virtio_mmio_size;
+        int irq = VERSAL_RSVD_HIGH_IRQ_FIRST + i;
+        char *name = g_strdup_printf("/virtio_mmio@%" PRIx64, base);
+
+        qemu_fdt_add_subnode(s->fdt, name);
+        qemu_fdt_setprop(s->fdt, name, "dma-coherent", NULL, 0);
+        qemu_fdt_setprop_cells(s->fdt, name, "interrupts",
+                               GIC_FDT_IRQ_TYPE_SPI, irq,
+                               GIC_FDT_IRQ_FLAGS_EDGE_LO_HI);
+        qemu_fdt_setprop_sized_cells(s->fdt, name, "reg",
+                                     2, base, 2, virtio_mmio_size);
+        qemu_fdt_setprop_string(s->fdt, name, "compatible", "virtio,mmio");
+        g_free(name);
+    }
+}
+
+static void versal_virt_init(MachineState *machine)
+{
+    VersalVirt *s = XLNX_VERSAL_VIRT_MACHINE(machine);
+    int psci_conduit = QEMU_PSCI_CONDUIT_DISABLED;
+
+    /*
+     * If the user provides an Operating System to be loaded, we expect them
+     * to use the -kernel command line option.
+     *
+     * Users can load firmware or boot-loaders with the -device loader options.
+     *
+     * When loading an OS, we generate a dtb and let arm_load_kernel() select
+     * where it gets loaded. This dtb will be passed to the kernel in x0.
+     *
+     * If there's no -kernel option, we generate a DTB and place it at 0x1000
+     * for the bootloaders or firmware to pick up.
+     *
+     * If users want to provide their own DTB, they can use the -dtb option.
+     * These dtb's will have their memory nodes modified to match QEMU's
+     * selected ram_size option before they get passed to the kernel or fw.
+     *
+     * When loading an OS, we turn on QEMU's PSCI implementation with SMC
+     * as the PSCI conduit. When there's no -kernel, we assume the user
+     * provides EL3 firmware to handle PSCI.
+     */
+    if (machine->kernel_filename) {
+        psci_conduit = QEMU_PSCI_CONDUIT_SMC;
+    }
+
+    memory_region_allocate_system_memory(&s->mr_ddr, NULL, "ddr",
+                                         machine->ram_size);
+
+    sysbus_init_child_obj(OBJECT(machine), "xlnx-ve", &s->soc,
+                          sizeof(s->soc), TYPE_XLNX_VERSAL);
+    object_property_set_link(OBJECT(&s->soc), OBJECT(&s->mr_ddr),
+                             "ddr", &error_abort);
+    object_property_set_int(OBJECT(&s->soc), psci_conduit,
+                            "psci-conduit", &error_abort);
+    object_property_set_bool(OBJECT(&s->soc), true, "realized", &error_fatal);
+
+    fdt_create(s);
+    create_virtio_regions(s);
+    fdt_add_gem_nodes(s);
+    fdt_add_uart_nodes(s);
+    fdt_add_gic_nodes(s);
+    fdt_add_timer_nodes(s);
+    fdt_add_cpu_nodes(s, psci_conduit);
+    fdt_add_clk_node(s, "/clk125", 125000000, s->phandle.clk_125Mhz);
+    fdt_add_clk_node(s, "/clk25", 25000000, s->phandle.clk_25Mhz);
+
+    /* Make the APU cpu address space visible to virtio and other
+     * modules unaware of muliple address-spaces.  */
+    memory_region_add_subregion_overlap(get_system_memory(),
+                                        0, &s->soc.fpd.apu.mr, 0);
+
+    s->binfo.ram_size = machine->ram_size;
+    s->binfo.kernel_filename = machine->kernel_filename;
+    s->binfo.kernel_cmdline = machine->kernel_cmdline;
+    s->binfo.initrd_filename = machine->initrd_filename;
+    s->binfo.loader_start = 0x0;
+    s->binfo.get_dtb = versal_virt_get_dtb;
+    s->binfo.modify_dtb = versal_virt_modify_dtb;
+    if (machine->kernel_filename) {
+        arm_load_kernel(s->soc.fpd.apu.cpu[0], &s->binfo);
+    } else {
+        AddressSpace *as = arm_boot_address_space(s->soc.fpd.apu.cpu[0],
+                                                  &s->binfo);
+        /* Some boot-loaders (e.g u-boot) don't like blobs at address 0 (NULL).
+         * Offset things by 4K.  */
+        s->binfo.loader_start = 0x1000;
+        s->binfo.dtb_limit = 0x1000000;
+        if (arm_load_dtb(s->binfo.loader_start,
+                         &s->binfo, s->binfo.dtb_limit, as) < 0) {
+            exit(EXIT_FAILURE);
+        }
+    }
+}
+
+static void versal_virt_machine_instance_init(Object *obj)
+{
+}
+
+static void versal_virt_machine_class_init(ObjectClass *oc, void *data)
+{
+    MachineClass *mc = MACHINE_CLASS(oc);
+
+    mc->desc = "Xilinx Versal Virtual development board";
+    mc->init = versal_virt_init;
+    mc->max_cpus = XLNX_VERSAL_NR_ACPUS;
+    mc->default_cpus = XLNX_VERSAL_NR_ACPUS;
+    mc->no_cdrom = true;
+}
+
+static const TypeInfo versal_virt_machine_init_typeinfo = {
+    .name       = TYPE_XLNX_VERSAL_VIRT_MACHINE,
+    .parent     = TYPE_MACHINE,
+    .class_init = versal_virt_machine_class_init,
+    .instance_init = versal_virt_machine_instance_init,
+    .instance_size = sizeof(VersalVirt),
+};
+
+static void versal_virt_machine_init_register_types(void)
+{
+    type_register_static(&versal_virt_machine_init_typeinfo);
+}
+
+type_init(versal_virt_machine_init_register_types)
-- 
2.19.1

From: Julia Suvorova via Qemu-devel <qemu-devel@nongnu.org>

Not implemented: CTS/NCTS, PSEL*.

Signed-off-by: Julia Suvorova <jusual@mail.ru>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/char/Makefile.objs        |   1 +
 include/hw/char/nrf51_uart.h |  78 +++++++++
 hw/char/nrf51_uart.c         | 330 +++++++++++++++++++++++++++++++++++
 hw/char/trace-events         |   4 +
 4 files changed, 413 insertions(+)
 create mode 100644 include/hw/char/nrf51_uart.h
 create mode 100644 hw/char/nrf51_uart.c

diff --git a/hw/char/Makefile.objs b/hw/char/Makefile.objs
index XXXXXXX..XXXXXXX 100644
--- a/hw/char/Makefile.objs
+++ b/hw/char/Makefile.objs
@@ -XXX,XX +XXX,XX @@
 common-obj-$(CONFIG_IPACK) += ipoctal232.o
 common-obj-$(CONFIG_ESCC) += escc.o
+common-obj-$(CONFIG_NRF51_SOC) += nrf51_uart.o
 common-obj-$(CONFIG_PARALLEL) += parallel.o
 common-obj-$(CONFIG_PARALLEL) += parallel-isa.o
 common-obj-$(CONFIG_PL011) += pl011.o
diff --git a/include/hw/char/nrf51_uart.h b/include/hw/char/nrf51_uart.h
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/include/hw/char/nrf51_uart.h
@@ -XXX,XX +XXX,XX @@
+/*
+ * nRF51 SoC UART emulation
+ *
+ * Copyright (c) 2018 Julia Suvorova <jusual@mail.ru>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 or
+ * (at your option) any later version.
+ */
+
+#ifndef NRF51_UART_H
+#define NRF51_UART_H
+
+#include "hw/sysbus.h"
+#include "chardev/char-fe.h"
+#include "hw/registerfields.h"
+
+#define UART_FIFO_LENGTH 6
+#define UART_BASE 0x40002000
+#define UART_SIZE 0x1000
+
+#define TYPE_NRF51_UART "nrf51_soc.uart"
+#define NRF51_UART(obj) OBJECT_CHECK(NRF51UARTState, (obj), TYPE_NRF51_UART)
+
+REG32(UART_STARTRX, 0x000)
+REG32(UART_STOPRX, 0x004)
+REG32(UART_STARTTX, 0x008)
+REG32(UART_STOPTX, 0x00C)
+REG32(UART_SUSPEND, 0x01C)
+
+REG32(UART_CTS, 0x100)
+REG32(UART_NCTS, 0x104)
+REG32(UART_RXDRDY, 0x108)
+REG32(UART_TXDRDY, 0x11C)
+REG32(UART_ERROR, 0x124)
+REG32(UART_RXTO, 0x144)
+
+REG32(UART_INTEN, 0x300)
+    FIELD(UART_INTEN, CTS, 0, 1)
+    FIELD(UART_INTEN, NCTS, 1, 1)
+    FIELD(UART_INTEN, RXDRDY, 2, 1)
+    FIELD(UART_INTEN, TXDRDY, 7, 1)
+    FIELD(UART_INTEN, ERROR, 9, 1)
+    FIELD(UART_INTEN, RXTO, 17, 1)
+REG32(UART_INTENSET, 0x304)
+REG32(UART_INTENCLR, 0x308)
+REG32(UART_ERRORSRC, 0x480)
+REG32(UART_ENABLE, 0x500)
+REG32(UART_PSELRTS, 0x508)
+REG32(UART_PSELTXD, 0x50C)
+REG32(UART_PSELCTS, 0x510)
+REG32(UART_PSELRXD, 0x514)
+REG32(UART_RXD, 0x518)
+REG32(UART_TXD, 0x51C)
+REG32(UART_BAUDRATE, 0x524)
+REG32(UART_CONFIG, 0x56C)
+
+typedef struct NRF51UARTState {
+    SysBusDevice parent_obj;
+
+    MemoryRegion iomem;
+    CharBackend chr;
+    qemu_irq irq;
+    guint watch_tag;
+
+    uint8_t rx_fifo[UART_FIFO_LENGTH];
+    unsigned int rx_fifo_pos;
+    unsigned int rx_fifo_len;
+
+    uint32_t reg[0x56C];
+
+    bool rx_started;
+    bool tx_started;
+    bool pending_tx_byte;
+    bool enabled;
+} NRF51UARTState;
+
+#endif
diff --git a/hw/char/nrf51_uart.c b/hw/char/nrf51_uart.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/hw/char/nrf51_uart.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * nRF51 SoC UART emulation
+ *
+ * See nRF51 Series Reference Manual, "29 Universal Asynchronous
+ * Receiver/Transmitter" for hardware specifications:
+ * http://infocenter.nordicsemi.com/pdf/nRF51_RM_v3.0.pdf
+ *
+ * Copyright (c) 2018 Julia Suvorova <jusual@mail.ru>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 or
+ * (at your option) any later version.
+ */
+
+#include "qemu/osdep.h"
+#include "qemu/log.h"
+#include "hw/char/nrf51_uart.h"
+#include "trace.h"
+
+static void nrf51_uart_update_irq(NRF51UARTState *s)
+{
+    bool irq = false;
+
+    irq |= (s->reg[R_UART_RXDRDY] &&
+            (s->reg[R_UART_INTEN] & R_UART_INTEN_RXDRDY_MASK));
+    irq |= (s->reg[R_UART_TXDRDY] &&
+            (s->reg[R_UART_INTEN] & R_UART_INTEN_TXDRDY_MASK));
+    irq |= (s->reg[R_UART_ERROR]  &&
+            (s->reg[R_UART_INTEN] & R_UART_INTEN_ERROR_MASK));
+    irq |= (s->reg[R_UART_RXTO]   &&
+            (s->reg[R_UART_INTEN] & R_UART_INTEN_RXTO_MASK));
+
+    qemu_set_irq(s->irq, irq);
+}
+
+static uint64_t uart_read(void *opaque, hwaddr addr, unsigned int size)
+{
+    NRF51UARTState *s = NRF51_UART(opaque);
+    uint64_t r;
+
+    if (!s->enabled) {
+        return 0;
+    }
+
+    switch (addr) {
+    case A_UART_RXD:
+        r = s->rx_fifo[s->rx_fifo_pos];
+        if (s->rx_started && s->rx_fifo_len) {
+            s->rx_fifo_pos = (s->rx_fifo_pos + 1) % UART_FIFO_LENGTH;
+            s->rx_fifo_len--;
+            if (s->rx_fifo_len) {
+                s->reg[R_UART_RXDRDY] = 1;
+                nrf51_uart_update_irq(s);
+            }
+            qemu_chr_fe_accept_input(&s->chr);
+        }
+        break;
+    case A_UART_INTENSET:
+    case A_UART_INTENCLR:
+    case A_UART_INTEN:
+        r = s->reg[R_UART_INTEN];
+        break;
+    default:
+        r = s->reg[addr / 4];
+        break;
+    }
+
+    trace_nrf51_uart_read(addr, r, size);
+
+    return r;
+}
+
+static gboolean uart_transmit(GIOChannel *chan, GIOCondition cond, void *opaque)
+{
+    NRF51UARTState *s = NRF51_UART(opaque);
+    int r;
+    uint8_t c = s->reg[R_UART_TXD];
+
+    s->watch_tag = 0;
+
+    r = qemu_chr_fe_write(&s->chr, &c, 1);
+    if (r <= 0) {
+        s->watch_tag = qemu_chr_fe_add_watch(&s->chr, G_IO_OUT | G_IO_HUP,
+                                             uart_transmit, s);
+        if (!s->watch_tag) {
+            /* The hardware has no transmit error reporting,
+             * so silently drop the byte
+             */
+            goto buffer_drained;
+        }
+        return FALSE;
+    }
+
+buffer_drained:
+    s->reg[R_UART_TXDRDY] = 1;
+    s->pending_tx_byte = false;
+    return FALSE;
+}
+
+static void uart_cancel_transmit(NRF51UARTState *s)
+{
+    if (s->watch_tag) {
+        g_source_remove(s->watch_tag);
+        s->watch_tag = 0;
+    }
+}
+
+static void uart_write(void *opaque, hwaddr addr,
+                       uint64_t value, unsigned int size)
+{
+    NRF51UARTState *s = NRF51_UART(opaque);
+
+    trace_nrf51_uart_write(addr, value, size);
+
+    if (!s->enabled && (addr != A_UART_ENABLE)) {
+        return;
+    }
+
+    switch (addr) {
+    case A_UART_TXD:
+        if (!s->pending_tx_byte && s->tx_started) {
+            s->reg[R_UART_TXD] = value;
+            s->pending_tx_byte = true;
+            uart_transmit(NULL, G_IO_OUT, s);
+        }
+        break;
+    case A_UART_INTEN:
+        s->reg[R_UART_INTEN] = value;
+        break;
+    case A_UART_INTENSET:
+        s->reg[R_UART_INTEN] |= value;
+        break;
+    case A_UART_INTENCLR:
+        s->reg[R_UART_INTEN] &= ~value;
+        break;
+    case A_UART_TXDRDY ... A_UART_RXTO:
+        s->reg[addr / 4] = value;
+        break;
+    case A_UART_ERRORSRC:
+        s->reg[addr / 4] &= ~value;
+        break;
+    case A_UART_RXD:
+        break;
+    case A_UART_RXDRDY:
+        if (value == 0) {
+            s->reg[R_UART_RXDRDY] = 0;
+        }
+        break;
+    case A_UART_STARTTX:
+        if (value == 1) {
+            s->tx_started = true;
+        }
+        break;
+    case A_UART_STARTRX:
+        if (value == 1) {
+            s->rx_started = true;
+        }
+        break;
+    case A_UART_ENABLE:
+        if (value) {
+            if (value == 4) {
+                s->enabled = true;
+            }
+            break;
+        }
+        s->enabled = false;
+        value = 1;
+        /* fall through */
+    case A_UART_SUSPEND:
+    case A_UART_STOPTX:
+        if (value == 1) {
+            s->tx_started = false;
+        }
+        /* fall through */
+    case A_UART_STOPRX:
+        if (addr != A_UART_STOPTX && value == 1) {
+            s->rx_started = false;
+            s->reg[R_UART_RXTO] = 1;
+        }
+        break;
+    default:
+        s->reg[addr / 4] = value;
+        break;
+    }
+    nrf51_uart_update_irq(s);
+}
+
+static const MemoryRegionOps uart_ops = {
+    .read =  uart_read,
+    .write = uart_write,
+    .endianness = DEVICE_LITTLE_ENDIAN,
+};
+
+static void nrf51_uart_reset(DeviceState *dev)
+{
+    NRF51UARTState *s = NRF51_UART(dev);
+
+    s->pending_tx_byte = 0;
+
+    uart_cancel_transmit(s);
+
+    memset(s->reg, 0, sizeof(s->reg));
+
+    s->reg[R_UART_PSELRTS] = 0xFFFFFFFF;
+    s->reg[R_UART_PSELTXD] = 0xFFFFFFFF;
+    s->reg[R_UART_PSELCTS] = 0xFFFFFFFF;
+    s->reg[R_UART_PSELRXD] = 0xFFFFFFFF;
+    s->reg[R_UART_BAUDRATE] = 0x4000000;
+
+    s->rx_fifo_len = 0;
+    s->rx_fifo_pos = 0;
+    s->rx_started = false;
+    s->tx_started = false;
+    s->enabled = false;
+}
+
+static void uart_receive(void *opaque, const uint8_t *buf, int size)
+{
+
+    NRF51UARTState *s = NRF51_UART(opaque);
+    int i;
+
+    if (size == 0 || s->rx_fifo_len >= UART_FIFO_LENGTH) {
+        return;
+    }
+
+    for (i = 0; i < size; i++) {
+        uint32_t pos = (s->rx_fifo_pos + s->rx_fifo_len) % UART_FIFO_LENGTH;
+        s->rx_fifo[pos] = buf[i];
+        s->rx_fifo_len++;
+    }
+
+    s->reg[R_UART_RXDRDY] = 1;
+    nrf51_uart_update_irq(s);
+}
+
+static int uart_can_receive(void *opaque)
+{
+    NRF51UARTState *s = NRF51_UART(opaque);
+
+    return s->rx_started ? (UART_FIFO_LENGTH - s->rx_fifo_len) : 0;
+}
+
+static void uart_event(void *opaque, int event)
+{
+    NRF51UARTState *s = NRF51_UART(opaque);
+
+    if (event == CHR_EVENT_BREAK) {
+        s->reg[R_UART_ERRORSRC] |= 3;
+        s->reg[R_UART_ERROR] = 1;
+        nrf51_uart_update_irq(s);
+    }
+}
+
+static void nrf51_uart_realize(DeviceState *dev, Error **errp)
+{
+    NRF51UARTState *s = NRF51_UART(dev);
+
+    qemu_chr_fe_set_handlers(&s->chr, uart_can_receive, uart_receive,
+                             uart_event, NULL, s, NULL, true);
+}
+
+static void nrf51_uart_init(Object *obj)
+{
+    NRF51UARTState *s = NRF51_UART(obj);
+    SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
+
+    memory_region_init_io(&s->iomem, obj, &uart_ops, s,
+                          "nrf51_soc.uart", UART_SIZE);
+    sysbus_init_mmio(sbd, &s->iomem);
+    sysbus_init_irq(sbd, &s->irq);
+}
+
+static int nrf51_uart_post_load(void *opaque, int version_id)
+{
+    NRF51UARTState *s = NRF51_UART(opaque);
+
+    if (s->pending_tx_byte) {
+        s->watch_tag = qemu_chr_fe_add_watch(&s->chr, G_IO_OUT | G_IO_HUP,
+                                             uart_transmit, s);
+    }
+
+    return 0;
+}
+
+static const VMStateDescription nrf51_uart_vmstate = {
+    .name = "nrf51_soc.uart",
+    .post_load = nrf51_uart_post_load,
+    .fields = (VMStateField[]) {
+        VMSTATE_UINT32_ARRAY(reg, NRF51UARTState, 0x56C),
+        VMSTATE_UINT8_ARRAY(rx_fifo, NRF51UARTState, UART_FIFO_LENGTH),
+        VMSTATE_UINT32(rx_fifo_pos, NRF51UARTState),
+        VMSTATE_UINT32(rx_fifo_len, NRF51UARTState),
+        VMSTATE_BOOL(rx_started, NRF51UARTState),
+        VMSTATE_BOOL(tx_started, NRF51UARTState),
+        VMSTATE_BOOL(pending_tx_byte, NRF51UARTState),
+        VMSTATE_BOOL(enabled, NRF51UARTState),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+static Property nrf51_uart_properties[] = {
+    DEFINE_PROP_CHR("chardev", NRF51UARTState, chr),
+    DEFINE_PROP_END_OF_LIST(),
+};
+
+static void nrf51_uart_class_init(ObjectClass *klass, void *data)
+{
+    DeviceClass *dc = DEVICE_CLASS(klass);
+
+    dc->reset = nrf51_uart_reset;
+    dc->realize = nrf51_uart_realize;
+    dc->props = nrf51_uart_properties;
+    dc->vmsd = &nrf51_uart_vmstate;
+}
+
+static const TypeInfo nrf51_uart_info = {
+    .name = TYPE_NRF51_UART,
+    .parent = TYPE_SYS_BUS_DEVICE,
+    .instance_size = sizeof(NRF51UARTState),
+    .instance_init = nrf51_uart_init,
+    .class_init = nrf51_uart_class_init
+};
+
+static void nrf51_uart_register_types(void)
+{
+    type_register_static(&nrf51_uart_info);
+}
+
+type_init(nrf51_uart_register_types)
diff --git a/hw/char/trace-events b/hw/char/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/hw/char/trace-events
+++ b/hw/char/trace-events
@@ -XXX,XX +XXX,XX @@ cmsdk_apb_uart_receive(uint8_t c) "CMSDK APB UART: got character 0x%x from backe
 cmsdk_apb_uart_tx_pending(void) "CMSDK APB UART: character send to backend pending"
 cmsdk_apb_uart_tx(uint8_t c) "CMSDK APB UART: character 0x%x sent to backend"
 cmsdk_apb_uart_set_params(int speed) "CMSDK APB UART: params set to %d 8N1"
+
+# hw/char/nrf51_uart.c
+nrf51_uart_read(uint64_t addr, uint64_t r, unsigned int size) "addr 0x%" PRIx64 " value 0x%" PRIx64 " size %u"
+nrf51_uart_write(uint64_t addr, uint64_t value, unsigned int size) "addr 0x%" PRIx64 " value 0x%" PRIx64 " size %u"
-- 
2.19.1

From: Julia Suvorova via Qemu-devel <qemu-devel@nongnu.org>

Wire up nRF51 UART in the corresponding SoC.

Signed-off-by: Julia Suvorova <jusual@mail.ru>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/arm/nrf51_soc.h |  3 +++
 hw/arm/microbit.c          |  2 ++
 hw/arm/nrf51_soc.c         | 20 ++++++++++++++++++++
 3 files changed, 25 insertions(+)

diff --git a/include/hw/arm/nrf51_soc.h b/include/hw/arm/nrf51_soc.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/nrf51_soc.h
+++ b/include/hw/arm/nrf51_soc.h
@@ -XXX,XX +XXX,XX @@
 
 #include "hw/sysbus.h"
 #include "hw/arm/armv7m.h"
+#include "hw/char/nrf51_uart.h"
 
 #define TYPE_NRF51_SOC "nrf51-soc"
 #define NRF51_SOC(obj) \
@@ -XXX,XX +XXX,XX @@ typedef struct NRF51State {
     /*< public >*/
     ARMv7MState cpu;
 
+    NRF51UARTState uart;
+
     MemoryRegion iomem;
     MemoryRegion sram;
     MemoryRegion flash;
diff --git a/hw/arm/microbit.c b/hw/arm/microbit.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/microbit.c
+++ b/hw/arm/microbit.c
@@ -XXX,XX +XXX,XX @@
 #include "qapi/error.h"
 #include "hw/boards.h"
 #include "hw/arm/arm.h"
+#include "sysemu/sysemu.h"
 #include "exec/address-spaces.h"
 
 #include "hw/arm/nrf51_soc.h"
@@ -XXX,XX +XXX,XX @@ static void microbit_init(MachineState *machine)
 
     sysbus_init_child_obj(OBJECT(machine), "nrf51", soc, sizeof(s->nrf51),
                           TYPE_NRF51_SOC);
+    qdev_prop_set_chr(DEVICE(&s->nrf51), "serial0", serial_hd(0));
     object_property_set_link(soc, OBJECT(system_memory), "memory",
                              &error_fatal);
     object_property_set_bool(soc, true, "realized", &error_fatal);
diff --git a/hw/arm/nrf51_soc.c b/hw/arm/nrf51_soc.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/nrf51_soc.c
+++ b/hw/arm/nrf51_soc.c
@@ -XXX,XX +XXX,XX @@
 #define NRF51822_FLASH_SIZE     (256 * 1024)
 #define NRF51822_SRAM_SIZE      (16 * 1024)
 
+#define BASE_TO_IRQ(base) ((base >> 12) & 0x1F)
+
 static void nrf51_soc_realize(DeviceState *dev_soc, Error **errp)
 {
     NRF51State *s = NRF51_SOC(dev_soc);
+    MemoryRegion *mr;
     Error *err = NULL;
 
     if (!s->board_memory) {
@@ -XXX,XX +XXX,XX @@ static void nrf51_soc_realize(DeviceState *dev_soc, Error **errp)
     }
     memory_region_add_subregion(&s->container, SRAM_BASE, &s->sram);
 
+    /* UART */
+    object_property_set_bool(OBJECT(&s->uart), true, "realized", &err);
+    if (err) {
+        error_propagate(errp, err);
+        return;
+    }
+    mr = sysbus_mmio_get_region(SYS_BUS_DEVICE(&s->uart), 0);
+    memory_region_add_subregion_overlap(&s->container, UART_BASE, mr, 0);
+    sysbus_connect_irq(SYS_BUS_DEVICE(&s->uart), 0,
+                       qdev_get_gpio_in(DEVICE(&s->cpu),
+                       BASE_TO_IRQ(UART_BASE)));
+
     create_unimplemented_device("nrf51_soc.io", IOMEM_BASE, IOMEM_SIZE);
     create_unimplemented_device("nrf51_soc.ficr", FICR_BASE, FICR_SIZE);
     create_unimplemented_device("nrf51_soc.private",
@@ -XXX,XX +XXX,XX @@ static void nrf51_soc_init(Object *obj)
     qdev_prop_set_string(DEVICE(&s->cpu), "cpu-type",
                          ARM_CPU_TYPE_NAME("cortex-m0"));
     qdev_prop_set_uint32(DEVICE(&s->cpu), "num-irq", 32);
+
+    sysbus_init_child_obj(obj, "uart", &s->uart, sizeof(s->uart),
+                           TYPE_NRF51_UART);
+    object_property_add_alias(obj, "serial0", OBJECT(&s->uart), "chardev",
+                              &error_abort);
 }
 
 static Property nrf51_soc_properties[] = {
-- 
2.19.1

From: Julia Suvorova via Qemu-devel <qemu-devel@nongnu.org>

New mini-kernel test for nRF51 SoC UART.

Signed-off-by: Julia Suvorova <jusual@mail.ru>
Acked-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 tests/boot-serial-test.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/tests/boot-serial-test.c b/tests/boot-serial-test.c
index XXXXXXX..XXXXXXX 100644
--- a/tests/boot-serial-test.c
+++ b/tests/boot-serial-test.c
@@ -XXX,XX +XXX,XX @@ static const uint8_t kernel_aarch64[] = {
     0xfd, 0xff, 0xff, 0x17,                 /* b       -12 (loop) */
 };
 
+static const uint8_t kernel_nrf51[] = {
+    0x00, 0x00, 0x00, 0x00,                 /* Stack top address */
+    0x09, 0x00, 0x00, 0x00,                 /* Reset handler address */
+    0x04, 0x4a,                             /* ldr  r2, [pc, #16] Get ENABLE */
+    0x04, 0x21,                             /* movs r1, #4 */
+    0x11, 0x60,                             /* str  r1, [r2] */
+    0x04, 0x4a,                             /* ldr  r2, [pc, #16] Get STARTTX */
+    0x01, 0x21,                             /* movs r1, #1 */
+    0x11, 0x60,                             /* str  r1, [r2] */
+    0x03, 0x4a,                             /* ldr  r2, [pc, #12] Get TXD */
+    0x54, 0x21,                             /* movs r1, 'T' */
+    0x11, 0x60,                             /* str  r1, [r2] */
+    0xfe, 0xe7,                             /* b    . */
+    0x00, 0x25, 0x00, 0x40,                 /* 0x40002500 = UART ENABLE */
+    0x08, 0x20, 0x00, 0x40,                 /* 0x40002008 = UART STARTTX */
+    0x1c, 0x25, 0x00, 0x40                  /* 0x4000251c = UART TXD */
+};
+
 typedef struct testdef {
     const char *arch;       /* Target architecture */
     const char *machine;    /* Name of the machine */
@@ -XXX,XX +XXX,XX @@ static testdef_t tests[] = {
     { "hppa", "hppa", "", "SeaBIOS wants SYSTEM HALT" },
     { "aarch64", "virt", "-cpu cortex-a57", "TT", sizeof(kernel_aarch64),
       kernel_aarch64 },
+    { "arm", "microbit", "", "T", sizeof(kernel_nrf51), kernel_nrf51 },
 
     { NULL }
 };
-- 
2.19.1

target-arm queue for rc1 -- these are all bug fixes.

thanks
-- PMM

The following changes since commit b9404bf592e7ba74180e1a54ed7a266ec6ee67f2:

Merge remote-tracking branch 'remotes/dgilbert/tags/pull-hmp-20190715' into staging (2019-07-15 12:22:07 +0100)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20190715

for you to fetch changes up to 51c9122e92b776a3f16af0b9282f1dc5012e2a19:

target/arm: NS BusFault on vector table fetch escalates to NS HardFault (2019-07-15 14:17:04 +0100)

----------------------------------------------------------------
target-arm queue:
 * report ARMv8-A FP support for AArch32 -cpu max
 * hw/ssi/xilinx_spips: Avoid AXI writes to the LQSPI linear memory
 * hw/ssi/xilinx_spips: Avoid out-of-bound access to lqspi_buf[]
 * hw/ssi/mss-spi: Avoid crash when reading empty RX FIFO
 * hw/display/xlnx_dp: Avoid crash when reading empty RX FIFO
 * hw/arm/virt: Fix non-secure flash mode
 * pl031: Correctly migrate state when using -rtc clock=host
 * fix regression that meant arm926 and arm1026 lost VFP
   double-precision support
 * v8M: NS BusFault on vector table fetch escalates to NS HardFault

----------------------------------------------------------------
Alex Bennée (1):
      target/arm: report ARMv8-A FP support for AArch32 -cpu max

David Engraf (1):
      hw/arm/virt: Fix non-secure flash mode

Peter Maydell (3):
      pl031: Correctly migrate state when using -rtc clock=host
      target/arm: Set VFP-related MVFR0 fields for arm926 and arm1026
      target/arm: NS BusFault on vector table fetch escalates to NS HardFault

Philippe Mathieu-Daudé (5):
      hw/ssi/xilinx_spips: Convert lqspi_read() to read_with_attrs
      hw/ssi/xilinx_spips: Avoid AXI writes to the LQSPI linear memory
      hw/ssi/xilinx_spips: Avoid out-of-bound access to lqspi_buf[]
      hw/ssi/mss-spi: Avoid crash when reading empty RX FIFO
      hw/display/xlnx_dp: Avoid crash when reading empty RX FIFO

From: Alex Bennée <alex.bennee@linaro.org>

When we converted to using feature bits in 602f6e42cfbf we missed out
the fact (dp && arm_dc_feature(s, ARM_FEATURE_V8)) was supported for
-cpu max configurations. This caused a regression in the GCC test
suite. Fix this by setting the appropriate bits in mvfr1.FPHP to
report ARMv8-A with FP support (but not ARMv8.2-FP16).

Fixes: https://bugs.launchpad.net/qemu/+bug/1836078
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20190711103737.10017-1-alex.bennee@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_max_initfn(Object *obj)
             t = FIELD_DP32(t, ID_ISAR6, SPECRES, 1);
             cpu->isar.id_isar6 = t;
 
+            t = cpu->isar.mvfr1;
+            t = FIELD_DP32(t, MVFR1, FPHP, 2);     /* v8.0 FP support */
+            cpu->isar.mvfr1 = t;
+
             t = cpu->isar.mvfr2;
             t = FIELD_DP32(t, MVFR2, SIMDMISC, 3); /* SIMD MaxNum */
             t = FIELD_DP32(t, MVFR2, FPMISC, 4);   /* FP MaxNum */
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

In the next commit we will implement the write_with_attrs()
handler. To avoid using different APIs, convert the read()
handler first.

Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
Tested-by: Francisco Iglesias <frasse.iglesias@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/ssi/xilinx_spips.c | 23 +++++++++++------------
 1 file changed, 11 insertions(+), 12 deletions(-)

diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/ssi/xilinx_spips.c
+++ b/hw/ssi/xilinx_spips.c
@@ -XXX,XX +XXX,XX @@ static void lqspi_load_cache(void *opaque, hwaddr addr)
     }
 }
 
-static uint64_t
-lqspi_read(void *opaque, hwaddr addr, unsigned int size)
+static MemTxResult lqspi_read(void *opaque, hwaddr addr, uint64_t *value,
+                              unsigned size, MemTxAttrs attrs)
 {
-    XilinxQSPIPS *q = opaque;
-    uint32_t ret;
+    XilinxQSPIPS *q = XILINX_QSPIPS(opaque);
 
     if (addr >= q->lqspi_cached_addr &&
             addr <= q->lqspi_cached_addr + LQSPI_CACHE_SIZE - 4) {
         uint8_t *retp = &q->lqspi_buf[addr - q->lqspi_cached_addr];
-        ret = cpu_to_le32(*(uint32_t *)retp);
-        DB_PRINT_L(1, "addr: %08x, data: %08x\n", (unsigned)addr,
-                   (unsigned)ret);
-        return ret;
-    } else {
-        lqspi_load_cache(opaque, addr);
-        return lqspi_read(opaque, addr, size);
+        *value = cpu_to_le32(*(uint32_t *)retp);
+        DB_PRINT_L(1, "addr: %08" HWADDR_PRIx ", data: %08" PRIx64 "\n",
+                   addr, *value);
+        return MEMTX_OK;
     }
+
+    lqspi_load_cache(opaque, addr);
+    return lqspi_read(opaque, addr, value, size, attrs);
 }
 
 static const MemoryRegionOps lqspi_ops = {
-    .read = lqspi_read,
+    .read_with_attrs = lqspi_read,
     .endianness = DEVICE_NATIVE_ENDIAN,
     .valid = {
         .min_access_size = 1,
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

Lei Sun found while auditing the code that a CPU write would
trigger a NULL pointer dereference.

>From UG1085 datasheet [*] AXI writes in this region are ignored
and generates an AXI Slave Error (SLVERR).

Fix by implementing the write_with_attrs() handler.
Return MEMTX_ERROR when the region is accessed (this error maps
to an AXI slave error).

[*] https://www.xilinx.com/support/documentation/user_guides/ug1085-zynq-ultrascale-trm.pdf

Reported-by: Lei Sun <slei.casper@gmail.com>
Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
Tested-by: Francisco Iglesias <frasse.iglesias@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/ssi/xilinx_spips.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/ssi/xilinx_spips.c
+++ b/hw/ssi/xilinx_spips.c
@@ -XXX,XX +XXX,XX @@ static MemTxResult lqspi_read(void *opaque, hwaddr addr, uint64_t *value,
     return lqspi_read(opaque, addr, value, size, attrs);
 }
 
+static MemTxResult lqspi_write(void *opaque, hwaddr offset, uint64_t value,
+                               unsigned size, MemTxAttrs attrs)
+{
+    /*
+     * From UG1085, Chapter 24 (Quad-SPI controllers):
+     * - Writes are ignored
+     * - AXI writes generate an external AXI slave error (SLVERR)
+     */
+    qemu_log_mask(LOG_GUEST_ERROR, "%s Unexpected %u-bit access to 0x%" PRIx64
+                                   " (value: 0x%" PRIx64 "\n",
+                  __func__, size << 3, offset, value);
+
+    return MEMTX_ERROR;
+}
+
 static const MemoryRegionOps lqspi_ops = {
     .read_with_attrs = lqspi_read,
+    .write_with_attrs = lqspi_write,
     .endianness = DEVICE_NATIVE_ENDIAN,
     .valid = {
         .min_access_size = 1,
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

Both lqspi_read() and lqspi_load_cache() expect a 32-bit
aligned address.

>From UG1085 datasheet [*] chapter on 'Quad-SPI Controller':

Transfer Size Limitations

Because of the 32-bit wide TX, RX, and generic FIFO, all
    APB/AXI transfers must be an integer multiple of 4-bytes.
    Shorter transfers are not possible.

Set MemoryRegionOps.impl values to force 32-bit accesses,
this way we are sure we do not access the lqspi_buf[] array
out of bound.

[*] https://www.xilinx.com/support/documentation/user_guides/ug1085-zynq-ultrascale-trm.pdf

diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/ssi/xilinx_spips.c
+++ b/hw/ssi/xilinx_spips.c
@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps lqspi_ops = {
     .read_with_attrs = lqspi_read,
     .write_with_attrs = lqspi_write,
     .endianness = DEVICE_NATIVE_ENDIAN,
+    .impl = {
+        .min_access_size = 4,
+        .max_access_size = 4,
+    },
     .valid = {
         .min_access_size = 1,
         .max_access_size = 4
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

Reading the RX_DATA register when the RX_FIFO is empty triggers
an abort. This can be easily reproduced:

$ qemu-system-arm -M emcraft-sf2 -monitor stdio -S
  QEMU 4.0.50 monitor - type 'help' for more information
  (qemu) x 0x40001010
  Aborted (core dumped)

(gdb) bt
  #1  0x00007f035874f895 in abort () at /lib64/libc.so.6
  #2  0x00005628686591ff in fifo8_pop (fifo=0x56286a9a4c68) at util/fifo8.c:66
  #3  0x00005628683e0b8e in fifo32_pop (fifo=0x56286a9a4c68) at include/qemu/fifo32.h:137
  #4  0x00005628683e0efb in spi_read (opaque=0x56286a9a4850, addr=4, size=4) at hw/ssi/mss-spi.c:168
  #5  0x0000562867f96801 in memory_region_read_accessor (mr=0x56286a9a4b60, addr=16, value=0x7ffeecb0c5c8, size=4, shift=0, mask=4294967295, attrs=...) at memory.c:439
  #6  0x0000562867f96cdb in access_with_adjusted_size (addr=16, value=0x7ffeecb0c5c8, size=4, access_size_min=1, access_size_max=4, access_fn=0x562867f967c3 <memory_region_read_accessor>, mr=0x56286a9a4b60, attrs=...) at memory.c:569
  #7  0x0000562867f99940 in memory_region_dispatch_read1 (mr=0x56286a9a4b60, addr=16, pval=0x7ffeecb0c5c8, size=4, attrs=...) at memory.c:1420
  #8  0x0000562867f99a08 in memory_region_dispatch_read (mr=0x56286a9a4b60, addr=16, pval=0x7ffeecb0c5c8, size=4, attrs=...) at memory.c:1447
  #9  0x0000562867f38721 in flatview_read_continue (fv=0x56286aec6360, addr=1073745936, attrs=..., buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4, addr1=16, l=4, mr=0x56286a9a4b60) at exec.c:3385
  #10 0x0000562867f38874 in flatview_read (fv=0x56286aec6360, addr=1073745936, attrs=..., buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4) at exec.c:3423
  #11 0x0000562867f388ea in address_space_read_full (as=0x56286aa3e890, addr=1073745936, attrs=..., buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4) at exec.c:3436
  #12 0x0000562867f389c5 in address_space_rw (as=0x56286aa3e890, addr=1073745936, attrs=..., buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4, is_write=false) at exec.c:3466
  #13 0x0000562867f3bdd7 in cpu_memory_rw_debug (cpu=0x56286aa19d00, addr=1073745936, buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4, is_write=0) at exec.c:3976
  #14 0x000056286811ed51 in memory_dump (mon=0x56286a8c32d0, count=1, format=120, wsize=4, addr=1073745936, is_physical=0) at monitor/misc.c:730
  #15 0x000056286811eff1 in hmp_memory_dump (mon=0x56286a8c32d0, qdict=0x56286b15c400) at monitor/misc.c:785
  #16 0x00005628684740ee in handle_hmp_command (mon=0x56286a8c32d0, cmdline=0x56286a8caeb2 "0x40001010") at monitor/hmp.c:1082

From the datasheet "Actel SmartFusion Microcontroller Subsystem
User's Guide" Rev.1, Table 13-3 "SPI Register Summary", this
register has a reset value of 0.

Check the FIFO is not empty before accessing it, else log an
error message.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20190709113715.7761-3-philmd@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/ssi/mss-spi.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/hw/ssi/mss-spi.c b/hw/ssi/mss-spi.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/ssi/mss-spi.c
+++ b/hw/ssi/mss-spi.c
@@ -XXX,XX +XXX,XX @@ spi_read(void *opaque, hwaddr addr, unsigned int size)
     case R_SPI_RX:
         s->regs[R_SPI_STATUS] &= ~S_RXFIFOFUL;
         s->regs[R_SPI_STATUS] &= ~S_RXCHOVRF;
-        ret = fifo32_pop(&s->rx_fifo);
+        if (fifo32_is_empty(&s->rx_fifo)) {
+            qemu_log_mask(LOG_GUEST_ERROR,
+                          "%s: Reading empty RX_FIFO\n",
+                          __func__);
+        } else {
+            ret = fifo32_pop(&s->rx_fifo);
+        }
         if (fifo32_is_empty(&s->rx_fifo)) {
             s->regs[R_SPI_STATUS] |= S_RXFIFOEMP;
         }
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

In the previous commit we fixed a crash when the guest read a
register that pop from an empty FIFO.
By auditing the repository, we found another similar use with
an easy way to reproduce:

$ qemu-system-aarch64 -M xlnx-zcu102 -monitor stdio -S
  QEMU 4.0.50 monitor - type 'help' for more information
  (qemu) xp/b 0xfd4a0134
  Aborted (core dumped)

(gdb) bt
  #0  0x00007f6936dea57f in raise () at /lib64/libc.so.6
  #1  0x00007f6936dd4895 in abort () at /lib64/libc.so.6
  #2  0x0000561ad32975ec in xlnx_dp_aux_pop_rx_fifo (s=0x7f692babee70) at hw/display/xlnx_dp.c:431
  #3  0x0000561ad3297dc0 in xlnx_dp_read (opaque=0x7f692babee70, offset=77, size=4) at hw/display/xlnx_dp.c:667
  #4  0x0000561ad321b896 in memory_region_read_accessor (mr=0x7f692babf620, addr=308, value=0x7ffe05c1db88, size=4, shift=0, mask=4294967295, attrs=...) at memory.c:439
  #5  0x0000561ad321bd70 in access_with_adjusted_size (addr=308, value=0x7ffe05c1db88, size=1, access_size_min=4, access_size_max=4, access_fn=0x561ad321b858 <memory_region_read_accessor>, mr=0x7f692babf620, attrs=...) at memory.c:569
  #6  0x0000561ad321e9d5 in memory_region_dispatch_read1 (mr=0x7f692babf620, addr=308, pval=0x7ffe05c1db88, size=1, attrs=...) at memory.c:1420
  #7  0x0000561ad321ea9d in memory_region_dispatch_read (mr=0x7f692babf620, addr=308, pval=0x7ffe05c1db88, size=1, attrs=...) at memory.c:1447
  #8  0x0000561ad31bd742 in flatview_read_continue (fv=0x561ad69c04f0, addr=4249485620, attrs=..., buf=0x7ffe05c1dcf0 "\020\335\301\005\376\177", len=1, addr1=308, l=1, mr=0x7f692babf620) at exec.c:3385
  #9  0x0000561ad31bd895 in flatview_read (fv=0x561ad69c04f0, addr=4249485620, attrs=..., buf=0x7ffe05c1dcf0 "\020\335\301\005\376\177", len=1) at exec.c:3423
  #10 0x0000561ad31bd90b in address_space_read_full (as=0x561ad5bb3020, addr=4249485620, attrs=..., buf=0x7ffe05c1dcf0 "\020\335\301\005\376\177", len=1) at exec.c:3436
  #11 0x0000561ad33b1c42 in address_space_read (len=1, buf=0x7ffe05c1dcf0 "\020\335\301\005\376\177", attrs=..., addr=4249485620, as=0x561ad5bb3020) at include/exec/memory.h:2131
  #12 0x0000561ad33b1c42 in memory_dump (mon=0x561ad59c4530, count=1, format=120, wsize=1, addr=4249485620, is_physical=1) at monitor/misc.c:723
  #13 0x0000561ad33b1fc1 in hmp_physical_memory_dump (mon=0x561ad59c4530, qdict=0x561ad6c6fd00) at monitor/misc.c:795
  #14 0x0000561ad37b4a9f in handle_hmp_command (mon=0x561ad59c4530, cmdline=0x561ad59d0f22 "/b 0x00000000fd4a0134") at monitor/hmp.c:1082

Fix by checking the FIFO is not empty before popping from it.

The datasheet is not clear about the reset value of this register,
we choose to return '0'.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20190709113715.7761-4-philmd@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/display/xlnx_dp.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/hw/display/xlnx_dp.c b/hw/display/xlnx_dp.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/display/xlnx_dp.c
+++ b/hw/display/xlnx_dp.c
@@ -XXX,XX +XXX,XX @@ static uint8_t xlnx_dp_aux_pop_rx_fifo(XlnxDPState *s)
     uint8_t ret;
 
     if (fifo8_is_empty(&s->rx_fifo)) {
-        DPRINTF("rx_fifo underflow..\n");
-        abort();
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "%s: Reading empty RX_FIFO\n",
+                      __func__);
+        /*
+         * The datasheet is not clear about the reset value, it seems
+         * to be unspecified. We choose to return '0'.
+         */
+        ret = 0;
+    } else {
+        ret = fifo8_pop(&s->rx_fifo);
+        DPRINTF("pop 0x%" PRIX8 " from rx_fifo.\n", ret);
     }
-    ret = fifo8_pop(&s->rx_fifo);
-    DPRINTF("pop 0x%" PRIX8 " from rx_fifo.\n", ret);
     return ret;
 }
 
-- 
2.20.1

From: David Engraf <david.engraf@sysgo.com>

Using the whole 128 MiB flash in non-secure mode is not working because
virt_flash_fdt() expects the same address for secure_sysmem and sysmem.
This is not correctly handled by caller because it forwards NULL for
secure_sysmem in non-secure flash mode.

Fixed by using sysmem when secure_sysmem is NULL.

Signed-off-by: David Engraf <david.engraf@sysgo.com>
Message-id: 20190712075002.14326-1-david.engraf@sysgo.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/virt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@ static void machvirt_init(MachineState *machine)
                                     &machine->device_memory->mr);
     }
 
-    virt_flash_fdt(vms, sysmem, secure_sysmem);
+    virt_flash_fdt(vms, sysmem, secure_sysmem ?: sysmem);
 
     create_gic(vms, pic);
 
-- 
2.20.1

The PL031 RTC tracks the difference between the guest RTC
and the host RTC using a tick_offset field. For migration,
however, we currently always migrate the offset between
the guest and the vm_clock, even if the RTC clock is not
the same as the vm_clock; this was an attempt to retain
migration backwards compatibility.

Unfortunately this results in the RTC behaving oddly across
a VM state save and restore -- since the VM clock stands still
across save-then-restore, regardless of how much real world
time has elapsed, the guest RTC ends up out of sync with the
host RTC in the restored VM.

Fix this by migrating the raw tick_offset. To retain migration
compatibility as far as possible, we have a new property
migrate-tick-offset; by default this is 'true' and we will
migrate the true tick offset in a new subsection; if the
incoming data has no subsection we fall back to the old
vm_clock-based offset information, so old->new migration
compatibility is preserved. For complete new->old migration
compatibility, the property is set to 'false' for 4.0 and
earlier machine types (this will only affect 'virt-4.0'
and below, as none of the other pl031-using machines are
versioned).

Reported-by: Russell King <rmk@armlinux.org.uk>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-id: 20190709143912.28905-1-peter.maydell@linaro.org
---
 include/hw/timer/pl031.h |  2 +
 hw/core/machine.c        |  1 +
 hw/timer/pl031.c         | 92 ++++++++++++++++++++++++++++++++++++++--
 3 files changed, 91 insertions(+), 4 deletions(-)

diff --git a/include/hw/timer/pl031.h b/include/hw/timer/pl031.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/timer/pl031.h
+++ b/include/hw/timer/pl031.h
@@ -XXX,XX +XXX,XX @@ typedef struct PL031State {
      */
     uint32_t tick_offset_vmstate;
     uint32_t tick_offset;
+    bool tick_offset_migrated;
+    bool migrate_tick_offset;
 
     uint32_t mr;
     uint32_t lr;
diff --git a/hw/core/machine.c b/hw/core/machine.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/core/machine.c
+++ b/hw/core/machine.c
@@ -XXX,XX +XXX,XX @@ GlobalProperty hw_compat_4_0[] = {
     { "virtio-gpu-pci", "edid", "false" },
     { "virtio-device", "use-started", "false" },
     { "virtio-balloon-device", "qemu-4-0-config-size", "true" },
+    { "pl031", "migrate-tick-offset", "false" },
 };
 const size_t hw_compat_4_0_len = G_N_ELEMENTS(hw_compat_4_0);
 
diff --git a/hw/timer/pl031.c b/hw/timer/pl031.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/timer/pl031.c
+++ b/hw/timer/pl031.c
@@ -XXX,XX +XXX,XX @@ static int pl031_pre_save(void *opaque)
 {
     PL031State *s = opaque;
 
-    /* tick_offset is base_time - rtc_clock base time.  Instead, we want to
-     * store the base time relative to the QEMU_CLOCK_VIRTUAL for backwards-compatibility.  */
+    /*
+     * The PL031 device model code uses the tick_offset field, which is
+     * the offset between what the guest RTC should read and what the
+     * QEMU rtc_clock reads:
+     *  guest_rtc = rtc_clock + tick_offset
+     * and so
+     *  tick_offset = guest_rtc - rtc_clock
+     *
+     * We want to migrate this offset, which sounds straightforward.
+     * Unfortunately older versions of QEMU migrated a conversion of this
+     * offset into an offset from the vm_clock. (This was in turn an
+     * attempt to be compatible with even older QEMU versions, but it
+     * has incorrect behaviour if the rtc_clock is not the same as the
+     * vm_clock.) So we put the actual tick_offset into a migration
+     * subsection, and the backwards-compatible time-relative-to-vm_clock
+     * in the main migration state.
+     *
+     * Calculate base time relative to QEMU_CLOCK_VIRTUAL:
+     */
     int64_t delta = qemu_clock_get_ns(rtc_clock) - qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
     s->tick_offset_vmstate = s->tick_offset + delta / NANOSECONDS_PER_SECOND;
 
     return 0;
 }
 
+static int pl031_pre_load(void *opaque)
+{
+    PL031State *s = opaque;
+
+    s->tick_offset_migrated = false;
+    return 0;
+}
+
 static int pl031_post_load(void *opaque, int version_id)
 {
     PL031State *s = opaque;
 
-    int64_t delta = qemu_clock_get_ns(rtc_clock) - qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
-    s->tick_offset = s->tick_offset_vmstate - delta / NANOSECONDS_PER_SECOND;
+    /*
+     * If we got the tick_offset subsection, then we can just use
+     * the value in that. Otherwise the source is an older QEMU and
+     * has given us the offset from the vm_clock; convert it back to
+     * an offset from the rtc_clock. This will cause time to incorrectly
+     * go backwards compared to the host RTC, but this is unavoidable.
+     */
+
+    if (!s->tick_offset_migrated) {
+        int64_t delta = qemu_clock_get_ns(rtc_clock) -
+            qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
+        s->tick_offset = s->tick_offset_vmstate -
+            delta / NANOSECONDS_PER_SECOND;
+    }
     pl031_set_alarm(s);
     return 0;
 }
 
+static int pl031_tick_offset_post_load(void *opaque, int version_id)
+{
+    PL031State *s = opaque;
+
+    s->tick_offset_migrated = true;
+    return 0;
+}
+
+static bool pl031_tick_offset_needed(void *opaque)
+{
+    PL031State *s = opaque;
+
+    return s->migrate_tick_offset;
+}
+
+static const VMStateDescription vmstate_pl031_tick_offset = {
+    .name = "pl031/tick-offset",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .needed = pl031_tick_offset_needed,
+    .post_load = pl031_tick_offset_post_load,
+    .fields = (VMStateField[]) {
+        VMSTATE_UINT32(tick_offset, PL031State),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
 static const VMStateDescription vmstate_pl031 = {
     .name = "pl031",
     .version_id = 1,
     .minimum_version_id = 1,
     .pre_save = pl031_pre_save,
+    .pre_load = pl031_pre_load,
     .post_load = pl031_post_load,
     .fields = (VMStateField[]) {
         VMSTATE_UINT32(tick_offset_vmstate, PL031State),
@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_pl031 = {
         VMSTATE_UINT32(im, PL031State),
         VMSTATE_UINT32(is, PL031State),
         VMSTATE_END_OF_LIST()
+    },
+    .subsections = (const VMStateDescription*[]) {
+        &vmstate_pl031_tick_offset,
+        NULL
     }
 };
 
+static Property pl031_properties[] = {
+    /*
+     * True to correctly migrate the tick offset of the RTC. False to
+     * obtain backward migration compatibility with older QEMU versions,
+     * at the expense of the guest RTC going backwards compared with the
+     * host RTC when the VM is saved/restored if using -rtc host.
+     * (Even if set to 'true' older QEMU can migrate forward to newer QEMU;
+     * 'false' also permits newer QEMU to migrate to older QEMU.)
+     */
+    DEFINE_PROP_BOOL("migrate-tick-offset",
+                     PL031State, migrate_tick_offset, true),
+    DEFINE_PROP_END_OF_LIST()
+};
+
 static void pl031_class_init(ObjectClass *klass, void *data)
 {
     DeviceClass *dc = DEVICE_CLASS(klass);
 
     dc->vmsd = &vmstate_pl031;
+    dc->props = pl031_properties;
 }
 
 static const TypeInfo pl031_info = {
-- 
2.20.1

The ARMv5 architecture didn't specify detailed per-feature ID
registers. Now that we're using the MVFR0 register fields to
gate the existence of VFP instructions, we need to set up
the correct values in the cpu->isar structure so that we still
provide an FPU to the guest.

This fixes a regression in the arm926 and arm1026 CPUs, which
are the only ones that both have VFP and are ARMv5 or earlier.
This regression was introduced by the VFP refactoring, and more
specifically by commits 1120827fa182f0e76 and 266bd25c485597c,
which accidentally disabled VFP short-vector support and
double-precision support on these CPUs.

Fixes: 1120827fa182f0e
Fixes: 266bd25c485597c
Fixes: https://bugs.launchpad.net/qemu/+bug/1836192
Reported-by: Christophe Lyon <christophe.lyon@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Tested-by: Christophe Lyon <christophe.lyon@linaro.org>
Message-id: 20190711131241.22231-1-peter.maydell@linaro.org
---
 target/arm/cpu.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm926_initfn(Object *obj)
      * set the field to indicate Jazelle support within QEMU.
      */
     cpu->isar.id_isar1 = FIELD_DP32(cpu->isar.id_isar1, ID_ISAR1, JAZELLE, 1);
+    /*
+     * Similarly, we need to set MVFR0 fields to enable double precision
+     * and short vector support even though ARMv5 doesn't have this register.
+     */
+    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPSHVEC, 1);
+    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPDP, 1);
 }
 
 static void arm946_initfn(Object *obj)
@@ -XXX,XX +XXX,XX @@ static void arm1026_initfn(Object *obj)
      * set the field to indicate Jazelle support within QEMU.
      */
     cpu->isar.id_isar1 = FIELD_DP32(cpu->isar.id_isar1, ID_ISAR1, JAZELLE, 1);
+    /*
+     * Similarly, we need to set MVFR0 fields to enable double precision
+     * and short vector support even though ARMv5 doesn't have this register.
+     */
+    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPSHVEC, 1);
+    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPDP, 1);
 
     {
         /* The 1026 had an IFAR at c6,c0,0,1 rather than the ARMv6 c6,c0,0,2 */
-- 
2.20.1

In the M-profile architecture, when we do a vector table fetch and it
fails, we need to report a HardFault.  Whether this is a Secure HF or
a NonSecure HF depends on several things.  If AIRCR.BFHFNMINS is 0
then HF is always Secure, because there is no NonSecure HardFault.
Otherwise, the answer depends on whether the 'underlying exception'
(MemManage, BusFault, SecureFault) targets Secure or NonSecure.  (In
the pseudocode, this is handled in the Vector() function: the final
exc.isSecure is calculated by looking at the exc.isSecure from the
exception returned from the memory access, not the isSecure input
argument.)

We weren't doing this correctly, because we were looking at
the target security domain of the exception we were trying to
load the vector table entry for. This produces errors of two kinds:
 * a load from the NS vector table which hits the "NS access
   to S memory" SecureFault should end up as a Secure HardFault,
   but we were raising an NS HardFault
 * a load from the S vector table which causes a BusFault
   should raise an NS HardFault if BFHFNMINS == 1 (because
   in that case all BusFaults are NonSecure), but we were raising
   a Secure HardFault

Correct the logic.

We also fix a comment error where we claimed that we might
be escalating MemManage to HardFault, and forgot about SecureFault.
(Vector loads can never hit MPU access faults, because they're
always aligned and always use the default address map.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20190705094823.28905-1-peter.maydell@linaro.org
---
 target/arm/m_helper.c | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/target/arm/m_helper.c b/target/arm/m_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/m_helper.c
+++ b/target/arm/m_helper.c
@@ -XXX,XX +XXX,XX @@ static bool arm_v7m_load_vector(ARMCPU *cpu, int exc, bool targets_secure,
         if (sattrs.ns) {
             attrs.secure = false;
         } else if (!targets_secure) {
-            /* NS access to S memory */
+            /*
+             * NS access to S memory: the underlying exception which we escalate
+             * to HardFault is SecureFault, which always targets Secure.
+             */
+            exc_secure = true;
             goto load_fail;
         }
     }
@@ -XXX,XX +XXX,XX @@ static bool arm_v7m_load_vector(ARMCPU *cpu, int exc, bool targets_secure,
     vector_entry = address_space_ldl(arm_addressspace(cs, attrs), addr,
                                      attrs, &result);
     if (result != MEMTX_OK) {
+        /*
+         * Underlying exception is BusFault: its target security state
+         * depends on BFHFNMINS.
+         */
+        exc_secure = !(cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK);
         goto load_fail;
     }
     *pvec = vector_entry;
@@ -XXX,XX +XXX,XX @@ load_fail:
     /*
      * All vector table fetch fails are reported as HardFault, with
      * HFSR.VECTTBL and .FORCED set. (FORCED is set because
-     * technically the underlying exception is a MemManage or BusFault
+     * technically the underlying exception is a SecureFault or BusFault
      * that is escalated to HardFault.) This is a terminal exception,
      * so we will either take the HardFault immediately or else enter
      * lockup (the latter case is handled in armv7m_nvic_set_pending_derived()).
+     * The HardFault is Secure if BFHFNMINS is 0 (meaning that all HFs are
+     * secure); otherwise it targets the same security state as the
+     * underlying exception.
      */
-    exc_secure = targets_secure ||
-        !(cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK);
+    if (!(cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK)) {
+        exc_secure = true;
+    }
     env->v7m.hfsr |= R_V7M_HFSR_VECTTBL_MASK | R_V7M_HFSR_FORCED_MASK;
     armv7m_nvic_set_pending_derived(env->nvic, ARMV7M_EXCP_HARD, exc_secure);
     return false;
-- 
2.20.1