Series comparison

-[Qemu-devel] [PULL 00/46] target-arm queue
+[Qemu-devel] [PULL 00/10] target-arm queue
-target-arm queue for softfreeze: this is quite big as I
+target-arm queue for rc1 -- these are all bug fixes.
 was on holiday last week, so this is all just sneaking in
 under the wire. I particularly wanted to get Philippe's
 patches in before freeze as that sort of code-movement
 patchset is painful to have to rebase.
 thanks
 -- PMM
-The following changes since commit ae9108f8f0746ce64d02afb1a216153a50926132:
+The following changes since commit b9404bf592e7ba74180e1a54ed7a266ec6ee67f2:
-  Merge remote-tracking branch 'remotes/vivier2/tags/linux-user-for-4.1-pull-request' into staging (2019-07-01 15:55:40 +0100)
+  Merge remote-tracking branch 'remotes/dgilbert/tags/pull-hmp-20190715' into staging (2019-07-15 12:22:07 +0100)
 are available in the Git repository at:
-  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20190701
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20190715
-for you to fetch changes up to 787a7e76c2e93a48c47b324fea592c9910a70483:
+for you to fetch changes up to 51c9122e92b776a3f16af0b9282f1dc5012e2a19:
-  target/arm: Declare some M-profile functions publicly (2019-07-01 17:29:01 +0100)
+  target/arm: NS BusFault on vector table fetch escalates to NS HardFault (2019-07-15 14:17:04 +0100)
 ----------------------------------------------------------------
 target-arm queue:
- * hw/arm/boot: fix direct kernel boot with initrd
+ * report ARMv8-A FP support for AArch32 -cpu max
- * hw/arm/msf2-som: Exit when the cpu is not the expected one
+ * hw/ssi/xilinx_spips: Avoid AXI writes to the LQSPI linear memory
- * i.mx7: fix bugs in PCI controller needed to boot recent kernels
+ * hw/ssi/xilinx_spips: Avoid out-of-bound access to lqspi_buf[]
- * aspeed: add RTC device
+ * hw/ssi/mss-spi: Avoid crash when reading empty RX FIFO
- * aspeed: fix some timer device bugs
+ * hw/display/xlnx_dp: Avoid crash when reading empty RX FIFO
- * aspeed: add swift-bmc board
+ * hw/arm/virt: Fix non-secure flash mode
- * aspeed: vic: Add support for legacy register interface
+ * pl031: Correctly migrate state when using -rtc clock=host
- * aspeed: add aspeed-xdma device
+ * fix regression that meant arm926 and arm1026 lost VFP
- * Add new sbsa-ref board for aarch64
+   double-precision support
- * target/arm: code refactoring in preparation for support of
+ * v8M: NS BusFault on vector table fetch escalates to NS HardFault
    compilation with TCG disabled
 ----------------------------------------------------------------
-Adriana Kobylak (1):
+Alex Bennée (1):
-      aspeed: Add support for the swift-bmc board
+      target/arm: report ARMv8-A FP support for AArch32 -cpu max
-Andrew Jeffery (3):
+David Engraf (1):
-      aspeed/timer: Status register contains reload for stopped timer
+      hw/arm/virt: Fix non-secure flash mode
       aspeed/timer: Fix match calculations
       aspeed: vic: Add support for legacy register interface
-Andrew Jones (1):
+Peter Maydell (3):
-      hw/arm/boot: fix direct kernel boot with initrd
+      pl031: Correctly migrate state when using -rtc clock=host
       target/arm: Set VFP-related MVFR0 fields for arm926 and arm1026
       target/arm: NS BusFault on vector table fetch escalates to NS HardFault
-Andrey Smirnov (5):
+Philippe Mathieu-Daudé (5):
-      i.mx7d: Add no-op/unimplemented APBH DMA module
+      hw/ssi/xilinx_spips: Convert lqspi_read() to read_with_attrs
-      i.mx7d: Add no-op/unimplemented PCIE PHY IP block
+      hw/ssi/xilinx_spips: Avoid AXI writes to the LQSPI linear memory
-      pci: designware: Update MSI mapping unconditionally
+      hw/ssi/xilinx_spips: Avoid out-of-bound access to lqspi_buf[]
-      pci: designware: Update MSI mapping when MSI address changes
+      hw/ssi/mss-spi: Avoid crash when reading empty RX FIFO
-      i.mx7d: pci: Update PCI IRQ mapping to match HW
+      hw/display/xlnx_dp: Avoid crash when reading empty RX FIFO
-Christian Svensson (1):
+ include/hw/timer/pl031.h |  2 ++
-      aspeed/timer: Ensure positive muldiv delta
+ hw/arm/virt.c            |  2 +-
  hw/core/machine.c        |  1 +
  hw/display/xlnx_dp.c     | 15 +++++---
  hw/ssi/mss-spi.c         |  8 ++++-
  hw/ssi/xilinx_spips.c    | 43 +++++++++++++++-------
  hw/timer/pl031.c         | 92 +++++++++++++++++++++++++++++++++++++++++++++---
  target/arm/cpu.c         | 16 +++++++++
  target/arm/m_helper.c    | 21 ++++++++---
 files changed, 174 insertions(+), 26 deletions(-)
-Cédric Le Goater (7):
-      aspeed: add a per SoC mapping for the interrupt space
-      aspeed: add a per SoC mapping for the memory space
-      aspeed: introduce a configurable number of CPU per machine
-      aspeed: add support for multiple NICs
-      aspeed: remove the "ram" link
-      aspeed: add a RAM memory region container
-      aspeed/smc: add a 'sdram_base' property
-Eddie James (1):
-      hw/misc/aspeed_xdma: New device
-Hongbo Zhang (2):
-      hw/arm: Add arm SBSA reference machine, skeleton part
-      hw/arm: Add arm SBSA reference machine, devices part
-Jan Kiszka (1):
-      hw/arm/virt: Add support for Cortex-A7
-Joel Stanley (4):
-      hw: timer: Add ASPEED RTC device
-      hw/arm/aspeed: Add RTC to SoC
-      aspeed/timer: Fix behaviour running Linux
-      aspeed: Link SCU to the watchdog
-Philippe Mathieu-Daudé (19):
-      hw/arm/msf2-som: Exit when the cpu is not the expected one
-      target/arm: Makefile cleanup (Aarch64)
-      target/arm: Makefile cleanup (ARM)
-      target/arm: Makefile cleanup (KVM)
-      target/arm: Makefile cleanup (softmmu)
-      target/arm: Add copyright boilerplate
-      target/arm/helper: Remove unused include
-      target/arm: Fix multiline comment syntax
-      target/arm: Fix coding style issues
-      target/arm: Move CPU state dumping routines to cpu.c
-      target/arm: Declare get_phys_addr() function publicly
-      target/arm: Move TLB related routines to tlb_helper.c
-      target/arm/vfp_helper: Move code around
-      target/arm/vfp_helper: Extract vfp_set_fpscr_to_host()
-      target/arm/vfp_helper: Extract vfp_set_fpscr_from_host()
-      target/arm/vfp_helper: Restrict the SoftFloat use to TCG
-      target/arm: Restrict PSCI to TCG
-      target/arm: Declare arm_log_exception() function publicly
-      target/arm: Declare some M-profile functions publicly
-Samuel Ortiz (1):
-      target/arm: Move the DC ZVA helper into op_helper
- hw/arm/Makefile.objs                |   1 +
- hw/misc/Makefile.objs               |   1 +
- hw/timer/Makefile.objs              |   2 +-
- target/arm/Makefile.objs            |  24 +-
- include/hw/arm/aspeed_soc.h         |  53 ++-
- include/hw/arm/fsl-imx7.h           |  14 +-
- include/hw/misc/aspeed_xdma.h       |  30 ++
- include/hw/ssi/aspeed_smc.h         |   3 +
- include/hw/timer/aspeed_rtc.h       |  31 ++
- include/hw/watchdog/wdt_aspeed.h    |   1 +
- target/arm/cpu.h                    |   2 -
- target/arm/internals.h              |  69 ++-
- target/arm/translate.h              |   5 -
- hw/arm/aspeed.c                     |  76 +++-
- hw/arm/aspeed_soc.c                 | 262 +++++++++---
- hw/arm/boot.c                       |   3 +-
- hw/arm/fsl-imx7.c                   |  11 +
- hw/arm/msf2-som.c                   |   1 +
- hw/arm/sbsa-ref.c                   | 806 ++++++++++++++++++++++++++++++++++++
- hw/arm/virt.c                       |   1 +
- hw/intc/aspeed_vic.c                | 105 +++--
- hw/misc/aspeed_xdma.c               | 165 ++++++++
- hw/pci-host/designware.c            |  18 +-
- hw/ssi/aspeed_smc.c                 |   1 +
- hw/timer/aspeed_rtc.c               | 180 ++++++++
- hw/timer/aspeed_timer.c             |  76 ++--
- hw/watchdog/wdt_aspeed.c            |  20 +
- target/arm/cpu.c                    | 232 ++++++++++-
- target/arm/helper.c                 | 498 +++++++++-------------
- target/arm/op_helper.c              | 262 ++++++------
- target/arm/tlb_helper.c             | 200 +++++++++
- target/arm/translate-a64.c          | 128 ------
- target/arm/translate.c              |  91 +---
- target/arm/vfp_helper.c             | 199 +++++----
- MAINTAINERS                         |   8 +
- default-configs/aarch64-softmmu.mak |   1 +
- hw/arm/Kconfig                      |  14 +
- hw/misc/trace-events                |   3 +
- hw/timer/trace-events               |   4 +
-files changed, 2675 insertions(+), 926 deletions(-)
- create mode 100644 include/hw/misc/aspeed_xdma.h
- create mode 100644 include/hw/timer/aspeed_rtc.h
- create mode 100644 hw/arm/sbsa-ref.c
- create mode 100644 hw/misc/aspeed_xdma.c
- create mode 100644 hw/timer/aspeed_rtc.c
- create mode 100644 target/arm/tlb_helper.c

-[Qemu-devel] [PULL 01/46] hw/arm/boot: fix direct kernel boot with initrd
+Deleted patch
-From: Andrew Jones <drjones@redhat.com>
-Fix the condition used to check whether the initrd fits
-into RAM; in some cases if an initrd was also passed on
-the command line we would get an error stating that it
-was too big to fit into RAM after the kernel. Despite the
-error the loader continued anyway, though, so also add an
-exit(1) when the initrd is actually too big.
-Fixes: 852dc64d665f ("hw/arm/boot: Diagnose layouts that put initrd or
-DTB off the end of RAM")
-Signed-off-by: Andrew Jones <drjones@redhat.com>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20190618125844.4863-1-drjones@redhat.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/arm/boot.c | 3 ++-
-file changed, 2 insertions(+), 1 deletion(-)
-diff --git a/hw/arm/boot.c b/hw/arm/boot.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/boot.c
-+++ b/hw/arm/boot.c
-@@ -XXX,XX +XXX,XX @@ static void arm_setup_direct_kernel_boot(ARMCPU *cpu,
-                              info->initrd_filename);
-                 exit(1);
-             }
--            if (info->initrd_start + initrd_size > info->ram_size) {
-+            if (info->initrd_start + initrd_size > ram_end) {
-                 error_report("could not load initrd '%s': "
-                              "too big to fit into RAM after the kernel",
-                              info->initrd_filename);
-+                exit(1);
-             }
-         } else {
-             initrd_size = 0;
---
-.20.1

-[Qemu-devel] [PULL 39/46] target/arm: Move TLB related routines to tlb_helper.c
+[Qemu-devel] [PULL 01/10] target/arm: report ARMv8-A FP support for AArch32 -cpu max
-From: Philippe Mathieu-Daudé <philmd@redhat.com>
+From: Alex Bennée <alex.bennee@linaro.org>
-These routines are TCG specific.
+When we converted to using feature bits in 602f6e42cfbf we missed out
-The arm_deliver_fault() function is only used within the new
+the fact (dp && arm_dc_feature(s, ARM_FEATURE_V8)) was supported for
-helper. Make it static.
+-cpu max configurations. This caused a regression in the GCC test
 suite. Fix this by setting the appropriate bits in mvfr1.FPHP to
 report ARMv8-A with FP support (but not ARMv8.2-FP16).
-Suggested-by: Alex Bennée <alex.bennee@linaro.org>
+Fixes: https://bugs.launchpad.net/qemu/+bug/1836078
-Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
-Message-id: 20190701132516.26392-13-philmd@redhat.com
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20190711103737.10017-1-alex.bennee@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/Makefile.objs |   1 +
+ target/arm/cpu.c | 4 ++++
- target/arm/internals.h   |   3 -
+file changed, 4 insertions(+)
  target/arm/cpu.c         |   6 +-
  target/arm/helper.c      |  53 -----------
  target/arm/op_helper.c   | 135 --------------------------
  target/arm/tlb_helper.c  | 200 +++++++++++++++++++++++++++++++++++++++
 files changed, 205 insertions(+), 193 deletions(-)
  create mode 100644 target/arm/tlb_helper.c
-diff --git a/target/arm/Makefile.objs b/target/arm/Makefile.objs
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/Makefile.objs
-+++ b/target/arm/Makefile.objs
-@@ -XXX,XX +XXX,XX @@ target/arm/translate-sve.o: target/arm/decode-sve.inc.c
- target/arm/translate.o: target/arm/decode-vfp.inc.c
- target/arm/translate.o: target/arm/decode-vfp-uncond.inc.c
-+obj-y += tlb_helper.o
- obj-y += translate.o op_helper.o
- obj-y += crypto_helper.o
- obj-y += iwmmxt_helper.o vec_helper.o neon_helper.o
-diff --git a/target/arm/internals.h b/target/arm/internals.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/internals.h
-+++ b/target/arm/internals.h
-@@ -XXX,XX +XXX,XX @@ bool arm_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
-                       MMUAccessType access_type, int mmu_idx,
-                       bool probe, uintptr_t retaddr);
--void arm_deliver_fault(ARMCPU *cpu, vaddr addr, MMUAccessType access_type,
--                       int mmu_idx, ARMMMUFaultInfo *fi) QEMU_NORETURN;
--
- /* Return true if the stage 1 translation regime is using LPAE format page
-  * tables */
- bool arm_s1_regime_using_lpae_format(CPUARMState *env, ARMMMUIdx mmu_idx);
 diff --git a/target/arm/cpu.c b/target/arm/cpu.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.c
 +++ b/target/arm/cpu.c
-@@ -XXX,XX +XXX,XX @@ static void arm_cpu_class_init(ObjectClass *oc, void *data)
+@@ -XXX,XX +XXX,XX @@ static void arm_max_initfn(Object *obj)
-     cc->gdb_write_register = arm_cpu_gdb_write_register;
+             t = FIELD_DP32(t, ID_ISAR6, SPECRES, 1);
- #ifndef CONFIG_USER_ONLY
+             cpu->isar.id_isar6 = t;
-     cc->do_interrupt = arm_cpu_do_interrupt;
--    cc->do_unaligned_access = arm_cpu_do_unaligned_access;
++            t = cpu->isar.mvfr1;
--    cc->do_transaction_failed = arm_cpu_do_transaction_failed;
++            t = FIELD_DP32(t, MVFR1, FPHP, 2);     /* v8.0 FP support */
-     cc->get_phys_page_attrs_debug = arm_cpu_get_phys_page_attrs_debug;
++            cpu->isar.mvfr1 = t;
      cc->asidx_from_attrs = arm_asidx_from_attrs;
      cc->vmsd = &vmstate_arm_cpu;
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_class_init(ObjectClass *oc, void *data)
  #ifdef CONFIG_TCG
      cc->tcg_initialize = arm_translate_init;
      cc->tlb_fill = arm_cpu_tlb_fill;
 +#if !defined(CONFIG_USER_ONLY)
 +    cc->do_unaligned_access = arm_cpu_do_unaligned_access;
 +    cc->do_transaction_failed = arm_cpu_do_transaction_failed;
 +#endif /* CONFIG_TCG && !CONFIG_USER_ONLY */
  #endif
  }
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(v7m_tt)(CPUARMState *env, uint32_t addr, uint32_t op)
  #endif
 -bool arm_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
 -                      MMUAccessType access_type, int mmu_idx,
 -                      bool probe, uintptr_t retaddr)
 -{
 -    ARMCPU *cpu = ARM_CPU(cs);
 -
 -#ifdef CONFIG_USER_ONLY
 -    cpu->env.exception.vaddress = address;
 -    if (access_type == MMU_INST_FETCH) {
 -        cs->exception_index = EXCP_PREFETCH_ABORT;
 -    } else {
 -        cs->exception_index = EXCP_DATA_ABORT;
 -    }
 -    cpu_loop_exit_restore(cs, retaddr);
 -#else
 -    hwaddr phys_addr;
 -    target_ulong page_size;
 -    int prot, ret;
 -    MemTxAttrs attrs = {};
 -    ARMMMUFaultInfo fi = {};
 -
 -    /*
 -     * Walk the page table and (if the mapping exists) add the page
 -     * to the TLB.  On success, return true.  Otherwise, if probing,
 -     * return false.  Otherwise populate fsr with ARM DFSR/IFSR fault
 -     * register format, and signal the fault.
 -     */
 -    ret = get_phys_addr(&cpu->env, address, access_type,
 -                        core_to_arm_mmu_idx(&cpu->env, mmu_idx),
 -                        &phys_addr, &attrs, &prot, &page_size, &fi, NULL);
 -    if (likely(!ret)) {
 -        /*
 -         * Map a single [sub]page. Regions smaller than our declared
 -         * target page size are handled specially, so for those we
 -         * pass in the exact addresses.
 -         */
 -        if (page_size >= TARGET_PAGE_SIZE) {
 -            phys_addr &= TARGET_PAGE_MASK;
 -            address &= TARGET_PAGE_MASK;
 -        }
 -        tlb_set_page_with_attrs(cs, address, phys_addr, attrs,
 -                                prot, mmu_idx, page_size);
 -        return true;
 -    } else if (probe) {
 -        return false;
 -    } else {
 -        /* now we have a real cpu fault */
 -        cpu_restore_state(cs, retaddr, true);
 -        arm_deliver_fault(cpu, address, access_type, mmu_idx, &fi);
 -    }
 -#endif
 -}
 -
  /* Note that signed overflow is undefined in C.  The following routines are
     careful to use unsigned types where modulo arithmetic is required.
     Failure to do so _will_ break on newer gcc.  */
 diff --git a/target/arm/op_helper.c b/target/arm/op_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/op_helper.c
 +++ b/target/arm/op_helper.c
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(neon_tbl)(uint32_t ireg, uint32_t def, void *vn,
      return val;
  }
 -#if !defined(CONFIG_USER_ONLY)
 -
 -static inline uint32_t merge_syn_data_abort(uint32_t template_syn,
 -                                            unsigned int target_el,
 -                                            bool same_el, bool ea,
 -                                            bool s1ptw, bool is_write,
 -                                            int fsc)
 -{
 -    uint32_t syn;
 -
 -    /*
 -     * ISV is only set for data aborts routed to EL2 and
 -     * never for stage-1 page table walks faulting on stage 2.
 -     *
 -     * Furthermore, ISV is only set for certain kinds of load/stores.
 -     * If the template syndrome does not have ISV set, we should leave
 -     * it cleared.
 -     *
 -     * See ARMv8 specs, D7-1974:
 -     * ISS encoding for an exception from a Data Abort, the
 -     * ISV field.
 -     */
 -    if (!(template_syn & ARM_EL_ISV) || target_el != 2 || s1ptw) {
 -        syn = syn_data_abort_no_iss(same_el,
 -                                    ea, 0, s1ptw, is_write, fsc);
 -    } else {
 -        /*
 -         * Fields: IL, ISV, SAS, SSE, SRT, SF and AR come from the template
 -         * syndrome created at translation time.
 -         * Now we create the runtime syndrome with the remaining fields.
 -         */
 -        syn = syn_data_abort_with_iss(same_el,
 -                                      0, 0, 0, 0, 0,
 -                                      ea, 0, s1ptw, is_write, fsc,
 -                                      false);
 -        /* Merge the runtime syndrome with the template syndrome.  */
 -        syn |= template_syn;
 -    }
 -    return syn;
 -}
 -
 -void arm_deliver_fault(ARMCPU *cpu, vaddr addr, MMUAccessType access_type,
 -                       int mmu_idx, ARMMMUFaultInfo *fi)
 -{
 -    CPUARMState *env = &cpu->env;
 -    int target_el;
 -    bool same_el;
 -    uint32_t syn, exc, fsr, fsc;
 -    ARMMMUIdx arm_mmu_idx = core_to_arm_mmu_idx(env, mmu_idx);
 -
 -    target_el = exception_target_el(env);
 -    if (fi->stage2) {
 -        target_el = 2;
 -        env->cp15.hpfar_el2 = extract64(fi->s2addr, 12, 47) << 4;
 -    }
 -    same_el = (arm_current_el(env) == target_el);
 -
 -    if (target_el == 2 || arm_el_is_aa64(env, target_el) ||
 -        arm_s1_regime_using_lpae_format(env, arm_mmu_idx)) {
 -        /*
 -         * LPAE format fault status register : bottom 6 bits are
 -         * status code in the same form as needed for syndrome
 -         */
 -        fsr = arm_fi_to_lfsc(fi);
 -        fsc = extract32(fsr, 0, 6);
 -    } else {
 -        fsr = arm_fi_to_sfsc(fi);
 -        /*
 -         * Short format FSR : this fault will never actually be reported
 -         * to an EL that uses a syndrome register. Use a (currently)
 -         * reserved FSR code in case the constructed syndrome does leak
 -         * into the guest somehow.
 -         */
 -        fsc = 0x3f;
 -    }
 -
 -    if (access_type == MMU_INST_FETCH) {
 -        syn = syn_insn_abort(same_el, fi->ea, fi->s1ptw, fsc);
 -        exc = EXCP_PREFETCH_ABORT;
 -    } else {
 -        syn = merge_syn_data_abort(env->exception.syndrome, target_el,
 -                                   same_el, fi->ea, fi->s1ptw,
 -                                   access_type == MMU_DATA_STORE,
 -                                   fsc);
 -        if (access_type == MMU_DATA_STORE
 -            && arm_feature(env, ARM_FEATURE_V6)) {
 -            fsr |= (1 << 11);
 -        }
 -        exc = EXCP_DATA_ABORT;
 -    }
 -
 -    env->exception.vaddress = addr;
 -    env->exception.fsr = fsr;
 -    raise_exception(env, exc, syn, target_el);
 -}
 -
 -/* Raise a data fault alignment exception for the specified virtual address */
 -void arm_cpu_do_unaligned_access(CPUState *cs, vaddr vaddr,
 -                                 MMUAccessType access_type,
 -                                 int mmu_idx, uintptr_t retaddr)
 -{
 -    ARMCPU *cpu = ARM_CPU(cs);
 -    ARMMMUFaultInfo fi = {};
 -
 -    /* now we have a real cpu fault */
 -    cpu_restore_state(cs, retaddr, true);
 -
 -    fi.type = ARMFault_Alignment;
 -    arm_deliver_fault(cpu, vaddr, access_type, mmu_idx, &fi);
 -}
 -
 -/*
 - * arm_cpu_do_transaction_failed: handle a memory system error response
 - * (eg "no device/memory present at address") by raising an external abort
 - * exception
 - */
 -void arm_cpu_do_transaction_failed(CPUState *cs, hwaddr physaddr,
 -                                   vaddr addr, unsigned size,
 -                                   MMUAccessType access_type,
 -                                   int mmu_idx, MemTxAttrs attrs,
 -                                   MemTxResult response, uintptr_t retaddr)
 -{
 -    ARMCPU *cpu = ARM_CPU(cs);
 -    ARMMMUFaultInfo fi = {};
 -
 -    /* now we have a real cpu fault */
 -    cpu_restore_state(cs, retaddr, true);
 -
 -    fi.ea = arm_extabort_type(response);
 -    fi.type = ARMFault_SyncExternal;
 -    arm_deliver_fault(cpu, addr, access_type, mmu_idx, &fi);
 -}
 -
 -#endif /* !defined(CONFIG_USER_ONLY) */
 -
  void HELPER(v8m_stackcheck)(CPUARMState *env, uint32_t newvalue)
  {
      /*
 diff --git a/target/arm/tlb_helper.c b/target/arm/tlb_helper.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/target/arm/tlb_helper.c
@@ -XXX,XX +XXX,XX @@
 +/*
 + * ARM TLB (Translation lookaside buffer) helpers.
 + *
 + * This code is licensed under the GNU GPL v2 or later.
 + *
 + * SPDX-License-Identifier: GPL-2.0-or-later
 + */
 +#include "qemu/osdep.h"
 +#include "cpu.h"
 +#include "internals.h"
 +#include "exec/exec-all.h"
 +
-+#if !defined(CONFIG_USER_ONLY)
+             t = cpu->isar.mvfr2;
-+
+             t = FIELD_DP32(t, MVFR2, SIMDMISC, 3); /* SIMD MaxNum */
-+static inline uint32_t merge_syn_data_abort(uint32_t template_syn,
+             t = FIELD_DP32(t, MVFR2, FPMISC, 4);   /* FP MaxNum */
 +                                            unsigned int target_el,
 +                                            bool same_el, bool ea,
 +                                            bool s1ptw, bool is_write,
 +                                            int fsc)
 +{
 +    uint32_t syn;
 +
 +    /*
 +     * ISV is only set for data aborts routed to EL2 and
 +     * never for stage-1 page table walks faulting on stage 2.
 +     *
 +     * Furthermore, ISV is only set for certain kinds of load/stores.
 +     * If the template syndrome does not have ISV set, we should leave
 +     * it cleared.
 +     *
 +     * See ARMv8 specs, D7-1974:
 +     * ISS encoding for an exception from a Data Abort, the
 +     * ISV field.
 +     */
 +    if (!(template_syn & ARM_EL_ISV) || target_el != 2 || s1ptw) {
 +        syn = syn_data_abort_no_iss(same_el,
 +                                    ea, 0, s1ptw, is_write, fsc);
 +    } else {
 +        /*
 +         * Fields: IL, ISV, SAS, SSE, SRT, SF and AR come from the template
 +         * syndrome created at translation time.
 +         * Now we create the runtime syndrome with the remaining fields.
 +         */
 +        syn = syn_data_abort_with_iss(same_el,
 +                                      0, 0, 0, 0, 0,
 +                                      ea, 0, s1ptw, is_write, fsc,
 +                                      false);
 +        /* Merge the runtime syndrome with the template syndrome.  */
 +        syn |= template_syn;
 +    }
 +    return syn;
 +}
 +
 +static void QEMU_NORETURN arm_deliver_fault(ARMCPU *cpu, vaddr addr,
 +                                            MMUAccessType access_type,
 +                                            int mmu_idx, ARMMMUFaultInfo *fi)
 +{
 +    CPUARMState *env = &cpu->env;
 +    int target_el;
 +    bool same_el;
 +    uint32_t syn, exc, fsr, fsc;
 +    ARMMMUIdx arm_mmu_idx = core_to_arm_mmu_idx(env, mmu_idx);
 +
 +    target_el = exception_target_el(env);
 +    if (fi->stage2) {
 +        target_el = 2;
 +        env->cp15.hpfar_el2 = extract64(fi->s2addr, 12, 47) << 4;
 +    }
 +    same_el = (arm_current_el(env) == target_el);
 +
 +    if (target_el == 2 || arm_el_is_aa64(env, target_el) ||
 +        arm_s1_regime_using_lpae_format(env, arm_mmu_idx)) {
 +        /*
 +         * LPAE format fault status register : bottom 6 bits are
 +         * status code in the same form as needed for syndrome
 +         */
 +        fsr = arm_fi_to_lfsc(fi);
 +        fsc = extract32(fsr, 0, 6);
 +    } else {
 +        fsr = arm_fi_to_sfsc(fi);
 +        /*
 +         * Short format FSR : this fault will never actually be reported
 +         * to an EL that uses a syndrome register. Use a (currently)
 +         * reserved FSR code in case the constructed syndrome does leak
 +         * into the guest somehow.
 +         */
 +        fsc = 0x3f;
 +    }
 +
 +    if (access_type == MMU_INST_FETCH) {
 +        syn = syn_insn_abort(same_el, fi->ea, fi->s1ptw, fsc);
 +        exc = EXCP_PREFETCH_ABORT;
 +    } else {
 +        syn = merge_syn_data_abort(env->exception.syndrome, target_el,
 +                                   same_el, fi->ea, fi->s1ptw,
 +                                   access_type == MMU_DATA_STORE,
 +                                   fsc);
 +        if (access_type == MMU_DATA_STORE
 +            && arm_feature(env, ARM_FEATURE_V6)) {
 +            fsr |= (1 << 11);
 +        }
 +        exc = EXCP_DATA_ABORT;
 +    }
 +
 +    env->exception.vaddress = addr;
 +    env->exception.fsr = fsr;
 +    raise_exception(env, exc, syn, target_el);
 +}
 +
 +/* Raise a data fault alignment exception for the specified virtual address */
 +void arm_cpu_do_unaligned_access(CPUState *cs, vaddr vaddr,
 +                                 MMUAccessType access_type,
 +                                 int mmu_idx, uintptr_t retaddr)
 +{
 +    ARMCPU *cpu = ARM_CPU(cs);
 +    ARMMMUFaultInfo fi = {};
 +
 +    /* now we have a real cpu fault */
 +    cpu_restore_state(cs, retaddr, true);
 +
 +    fi.type = ARMFault_Alignment;
 +    arm_deliver_fault(cpu, vaddr, access_type, mmu_idx, &fi);
 +}
 +
 +/*
 + * arm_cpu_do_transaction_failed: handle a memory system error response
 + * (eg "no device/memory present at address") by raising an external abort
 + * exception
 + */
 +void arm_cpu_do_transaction_failed(CPUState *cs, hwaddr physaddr,
 +                                   vaddr addr, unsigned size,
 +                                   MMUAccessType access_type,
 +                                   int mmu_idx, MemTxAttrs attrs,
 +                                   MemTxResult response, uintptr_t retaddr)
 +{
 +    ARMCPU *cpu = ARM_CPU(cs);
 +    ARMMMUFaultInfo fi = {};
 +
 +    /* now we have a real cpu fault */
 +    cpu_restore_state(cs, retaddr, true);
 +
 +    fi.ea = arm_extabort_type(response);
 +    fi.type = ARMFault_SyncExternal;
 +    arm_deliver_fault(cpu, addr, access_type, mmu_idx, &fi);
 +}
 +
 +#endif /* !defined(CONFIG_USER_ONLY) */
 +
 +bool arm_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
 +                      MMUAccessType access_type, int mmu_idx,
 +                      bool probe, uintptr_t retaddr)
 +{
 +    ARMCPU *cpu = ARM_CPU(cs);
 +
 +#ifdef CONFIG_USER_ONLY
 +    cpu->env.exception.vaddress = address;
 +    if (access_type == MMU_INST_FETCH) {
 +        cs->exception_index = EXCP_PREFETCH_ABORT;
 +    } else {
 +        cs->exception_index = EXCP_DATA_ABORT;
 +    }
 +    cpu_loop_exit_restore(cs, retaddr);
 +#else
 +    hwaddr phys_addr;
 +    target_ulong page_size;
 +    int prot, ret;
 +    MemTxAttrs attrs = {};
 +    ARMMMUFaultInfo fi = {};
 +
 +    /*
 +     * Walk the page table and (if the mapping exists) add the page
 +     * to the TLB.  On success, return true.  Otherwise, if probing,
 +     * return false.  Otherwise populate fsr with ARM DFSR/IFSR fault
 +     * register format, and signal the fault.
 +     */
 +    ret = get_phys_addr(&cpu->env, address, access_type,
 +                        core_to_arm_mmu_idx(&cpu->env, mmu_idx),
 +                        &phys_addr, &attrs, &prot, &page_size, &fi, NULL);
 +    if (likely(!ret)) {
 +        /*
 +         * Map a single [sub]page. Regions smaller than our declared
 +         * target page size are handled specially, so for those we
 +         * pass in the exact addresses.
 +         */
 +        if (page_size >= TARGET_PAGE_SIZE) {
 +            phys_addr &= TARGET_PAGE_MASK;
 +            address &= TARGET_PAGE_MASK;
 +        }
 +        tlb_set_page_with_attrs(cs, address, phys_addr, attrs,
 +                                prot, mmu_idx, page_size);
 +        return true;
 +    } else if (probe) {
 +        return false;
 +    } else {
 +        /* now we have a real cpu fault */
 +        cpu_restore_state(cs, retaddr, true);
 +        arm_deliver_fault(cpu, address, access_type, mmu_idx, &fi);
 +    }
 +#endif
 +}
 --
 .20.1

-[Qemu-devel] [PULL 46/46] target/arm: Declare some M-profile functions publicly
+[Qemu-devel] [PULL 02/10] hw/ssi/xilinx_spips: Convert lqspi_read() to read_with_attrs
 From: Philippe Mathieu-Daudé <philmd@redhat.com>
-In the next commit we will split the M-profile functions from this
+In the next commit we will implement the write_with_attrs()
-file. Some function will be called out of helper.c. Declare them in
+handler. To avoid using different APIs, convert the read()
-the "internals.h" header.
+handler first.
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
 Tested-by: Francisco Iglesias <frasse.iglesias@gmail.com>
 Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20190701132516.26392-22-philmd@redhat.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/internals.h | 42 ++++++++++++++++++++++++++++++++++++++++++
+ hw/ssi/xilinx_spips.c | 23 +++++++++++------------
- target/arm/helper.c    | 38 ++------------------------------------
+file changed, 11 insertions(+), 12 deletions(-)
 files changed, 44 insertions(+), 36 deletions(-)
-diff --git a/target/arm/internals.h b/target/arm/internals.h
+diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/internals.h
+--- a/hw/ssi/xilinx_spips.c
-+++ b/target/arm/internals.h
++++ b/hw/ssi/xilinx_spips.c
-@@ -XXX,XX +XXX,XX @@ static inline uint32_t v7m_sp_limit(CPUARMState *env)
+@@ -XXX,XX +XXX,XX @@ static void lqspi_load_cache(void *opaque, hwaddr addr)
      }
  }
-+/**
+-static uint64_t
-+ * v7m_cpacr_pass:
+-lqspi_read(void *opaque, hwaddr addr, unsigned int size)
-+ * Return true if the v7M CPACR permits access to the FPU for the specified
++static MemTxResult lqspi_read(void *opaque, hwaddr addr, uint64_t *value,
-+ * security state and privilege level.
++                              unsigned size, MemTxAttrs attrs)
-+ */
+ {
-+static inline bool v7m_cpacr_pass(CPUARMState *env,
+-    XilinxQSPIPS *q = opaque;
-+                                  bool is_secure, bool is_priv)
+-    uint32_t ret;
-+{
++    XilinxQSPIPS *q = XILINX_QSPIPS(opaque);
-+    switch (extract32(env->v7m.cpacr[is_secure], 20, 2)) {
-+    case 0:
+     if (addr >= q->lqspi_cached_addr &&
-+    case 2: /* UNPREDICTABLE: we treat like 0 */
+             addr <= q->lqspi_cached_addr + LQSPI_CACHE_SIZE - 4) {
-+        return false;
+         uint8_t *retp = &q->lqspi_buf[addr - q->lqspi_cached_addr];
-+    case 1:
+-        ret = cpu_to_le32(*(uint32_t *)retp);
-+        return is_priv;
+-        DB_PRINT_L(1, "addr: %08x, data: %08x\n", (unsigned)addr,
-+    case 3:
+-                   (unsigned)ret);
-+        return true;
+-        return ret;
-+    default:
+-    } else {
-+        g_assert_not_reached();
+-        lqspi_load_cache(opaque, addr);
-+    }
+-        return lqspi_read(opaque, addr, size);
-+}
++        *value = cpu_to_le32(*(uint32_t *)retp);
 +        DB_PRINT_L(1, "addr: %08" HWADDR_PRIx ", data: %08" PRIx64 "\n",
 +                   addr, *value);
 +        return MEMTX_OK;
      }
 +
- /**
++    lqspi_load_cache(opaque, addr);
-  * aarch32_mode_name(): Return name of the AArch32 CPU mode
++    return lqspi_read(opaque, addr, value, size, attrs);
   * @psr: Program Status Register indicating CPU mode
@@ -XXX,XX +XXX,XX @@ static inline int exception_target_el(CPUARMState *env)
  #ifndef CONFIG_USER_ONLY
 +/* Security attributes for an address, as returned by v8m_security_lookup. */
 +typedef struct V8M_SAttributes {
 +    bool subpage; /* true if these attrs don't cover the whole TARGET_PAGE */
 +    bool ns;
 +    bool nsc;
 +    uint8_t sregion;
 +    bool srvalid;
 +    uint8_t iregion;
 +    bool irvalid;
 +} V8M_SAttributes;
 +
 +void v8m_security_lookup(CPUARMState *env, uint32_t address,
 +                         MMUAccessType access_type, ARMMMUIdx mmu_idx,
 +                         V8M_SAttributes *sattrs);
 +
 +bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address,
 +                       MMUAccessType access_type, ARMMMUIdx mmu_idx,
 +                       hwaddr *phys_ptr, MemTxAttrs *txattrs,
 +                       int *prot, bool *is_subpage,
 +                       ARMMMUFaultInfo *fi, uint32_t *mregion);
 +
  /* Cacheability and shareability attributes for a memory access */
  typedef struct ARMCacheAttrs {
      unsigned int attrs:8; /* as in the MAIR register encoding */
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address,
                                 hwaddr *phys_ptr, MemTxAttrs *txattrs, int *prot,
                                 target_ulong *page_size_ptr,
                                 ARMMMUFaultInfo *fi, ARMCacheAttrs *cacheattrs);
 -
 -/* Security attributes for an address, as returned by v8m_security_lookup. */
 -typedef struct V8M_SAttributes {
 -    bool subpage; /* true if these attrs don't cover the whole TARGET_PAGE */
 -    bool ns;
 -    bool nsc;
 -    uint8_t sregion;
 -    bool srvalid;
 -    uint8_t iregion;
 -    bool irvalid;
 -} V8M_SAttributes;
 -
 -static void v8m_security_lookup(CPUARMState *env, uint32_t address,
 -                                MMUAccessType access_type, ARMMMUIdx mmu_idx,
 -                                V8M_SAttributes *sattrs);
  #endif
  static void switch_mode(CPUARMState *env, int mode);
@@ -XXX,XX +XXX,XX @@ void arm_log_exception(int idx)
      }
  }
--/*
+ static const MemoryRegionOps lqspi_ops = {
-- * Return true if the v7M CPACR permits access to the FPU for the specified
+-    .read = lqspi_read,
-- * security state and privilege level.
++    .read_with_attrs = lqspi_read,
-- */
+     .endianness = DEVICE_NATIVE_ENDIAN,
--static bool v7m_cpacr_pass(CPUARMState *env, bool is_secure, bool is_priv)
+     .valid = {
--{
+         .min_access_size = 1,
 -    switch (extract32(env->v7m.cpacr[is_secure], 20, 2)) {
 -    case 0:
 -    case 2: /* UNPREDICTABLE: we treat like 0 */
 -        return false;
 -    case 1:
 -        return is_priv;
 -    case 3:
 -        return true;
 -    default:
 -        g_assert_not_reached();
 -    }
 -}
 -
  /*
   * What kind of stack write are we doing? This affects how exceptions
   * generated during the stacking are treated.
@@ -XXX,XX +XXX,XX @@ static bool v8m_is_sau_exempt(CPUARMState *env,
          (address >= 0xe00ff000 && address <= 0xe00fffff);
  }
 -static void v8m_security_lookup(CPUARMState *env, uint32_t address,
 +void v8m_security_lookup(CPUARMState *env, uint32_t address,
                                  MMUAccessType access_type, ARMMMUIdx mmu_idx,
                                  V8M_SAttributes *sattrs)
  {
@@ -XXX,XX +XXX,XX @@ static void v8m_security_lookup(CPUARMState *env, uint32_t address,
      }
  }
 -static bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address,
 +bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address,
                                MMUAccessType access_type, ARMMMUIdx mmu_idx,
                                hwaddr *phys_ptr, MemTxAttrs *txattrs,
                                int *prot, bool *is_subpage,
 --
 .20.1

-[Qemu-devel] [PULL 42/46] target/arm/vfp_helper: Extract vfp_set_fpscr_from_host()
+[Qemu-devel] [PULL 03/10] hw/ssi/xilinx_spips: Avoid AXI writes to the LQSPI linear memory
 From: Philippe Mathieu-Daudé <philmd@redhat.com>
-The vfp_set_fpscr() helper contains code specific to the host
+Lei Sun found while auditing the code that a CPU write would
-floating point implementation (here the SoftFloat library).
+trigger a NULL pointer dereference.
 Extract this code to vfp_set_fpscr_from_host().
+>From UG1085 datasheet [*] AXI writes in this region are ignored
+and generates an AXI Slave Error (SLVERR).
+Fix by implementing the write_with_attrs() handler.
+Return MEMTX_ERROR when the region is accessed (this error maps
+to an AXI slave error).
+[*] https://www.xilinx.com/support/documentation/user_guides/ug1085-zynq-ultrascale-trm.pdf
+Reported-by: Lei Sun <slei.casper@gmail.com>
+Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
+Tested-by: Francisco Iglesias <frasse.iglesias@gmail.com>
 Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20190701132516.26392-17-philmd@redhat.com
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/vfp_helper.c | 19 +++++++++++++------
+ hw/ssi/xilinx_spips.c | 16 ++++++++++++++++
-file changed, 13 insertions(+), 6 deletions(-)
+file changed, 16 insertions(+)
-diff --git a/target/arm/vfp_helper.c b/target/arm/vfp_helper.c
+diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/vfp_helper.c
+--- a/hw/ssi/xilinx_spips.c
-+++ b/target/arm/vfp_helper.c
++++ b/hw/ssi/xilinx_spips.c
-@@ -XXX,XX +XXX,XX @@ static inline int vfp_exceptbits_to_host(int target_bits)
+@@ -XXX,XX +XXX,XX @@ static MemTxResult lqspi_read(void *opaque, hwaddr addr, uint64_t *value,
-     return host_bits;
+     return lqspi_read(opaque, addr, value, size, attrs);
  }
-+static uint32_t vfp_get_fpscr_from_host(CPUARMState *env)
++static MemTxResult lqspi_write(void *opaque, hwaddr offset, uint64_t value,
 +                               unsigned size, MemTxAttrs attrs)
 +{
-+    uint32_t i;
++    /*
 +     * From UG1085, Chapter 24 (Quad-SPI controllers):
 +     * - Writes are ignored
 +     * - AXI writes generate an external AXI slave error (SLVERR)
 +     */
 +    qemu_log_mask(LOG_GUEST_ERROR, "%s Unexpected %u-bit access to 0x%" PRIx64
 +                                   " (value: 0x%" PRIx64 "\n",
 +                  __func__, size << 3, offset, value);
 +
-+    i = get_float_exception_flags(&env->vfp.fp_status);
++    return MEMTX_ERROR;
 +    i |= get_float_exception_flags(&env->vfp.standard_fp_status);
 +    /* FZ16 does not generate an input denormal exception.  */
 +    i |= (get_float_exception_flags(&env->vfp.fp_status_f16)
 +          & ~float_flag_input_denormal);
 +    return vfp_exceptbits_from_host(i);
 +}
 +
- static void vfp_set_fpscr_to_host(CPUARMState *env, uint32_t val)
+ static const MemoryRegionOps lqspi_ops = {
- {
+     .read_with_attrs = lqspi_read,
-     int i;
++    .write_with_attrs = lqspi_write,
-@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(vfp_get_fpscr)(CPUARMState *env)
+     .endianness = DEVICE_NATIVE_ENDIAN,
-             | (env->vfp.vec_len << 16)
+     .valid = {
-             | (env->vfp.vec_stride << 20);
+         .min_access_size = 1,
 -    i = get_float_exception_flags(&env->vfp.fp_status);
 -    i |= get_float_exception_flags(&env->vfp.standard_fp_status);
 -    /* FZ16 does not generate an input denormal exception.  */
 -    i |= (get_float_exception_flags(&env->vfp.fp_status_f16)
 -          & ~float_flag_input_denormal);
 -    fpscr |= vfp_exceptbits_from_host(i);
 +    fpscr |= vfp_get_fpscr_from_host(env);
      i = env->vfp.qc[0] | env->vfp.qc[1] | env->vfp.qc[2] | env->vfp.qc[3];
      fpscr |= i ? FPCR_QC : 0;
 --
 .20.1

-[Qemu-devel] [PULL 45/46] target/arm: Declare arm_log_exception() function publicly
+[Qemu-devel] [PULL 04/10] hw/ssi/xilinx_spips: Avoid out-of-bound access to lqspi_buf[]
 From: Philippe Mathieu-Daudé <philmd@redhat.com>
-In few commits we will split the M-profile functions from this
+Both lqspi_read() and lqspi_load_cache() expect a 32-bit
-file, and this function will also be called in the new file.
+aligned address.
 Declare it in the "internals.h" header.
 Since it is in the middle of a block of M profile functions,
 move it previous to this block to ease the later refactor.
+>From UG1085 datasheet [*] chapter on 'Quad-SPI Controller':
+  Transfer Size Limitations
+    Because of the 32-bit wide TX, RX, and generic FIFO, all
+    APB/AXI transfers must be an integer multiple of 4-bytes.
+    Shorter transfers are not possible.
+Set MemoryRegionOps.impl values to force 32-bit accesses,
+this way we are sure we do not access the lqspi_buf[] array
+out of bound.
+[*] https://www.xilinx.com/support/documentation/user_guides/ug1085-zynq-ultrascale-trm.pdf
+Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
+Tested-by: Francisco Iglesias <frasse.iglesias@gmail.com>
 Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20190701132516.26392-21-philmd@redhat.com
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/internals.h |  2 ++
+ hw/ssi/xilinx_spips.c | 4 ++++
- target/arm/helper.c    | 76 +++++++++++++++++++++---------------------
+file changed, 4 insertions(+)
 files changed, 40 insertions(+), 38 deletions(-)
-diff --git a/target/arm/internals.h b/target/arm/internals.h
+diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/internals.h
+--- a/hw/ssi/xilinx_spips.c
-+++ b/target/arm/internals.h
++++ b/hw/ssi/xilinx_spips.c
-@@ -XXX,XX +XXX,XX @@ bool get_phys_addr(CPUARMState *env, target_ulong address,
+@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps lqspi_ops = {
-                    target_ulong *page_size,
+     .read_with_attrs = lqspi_read,
-                    ARMMMUFaultInfo *fi, ARMCacheAttrs *cacheattrs);
+     .write_with_attrs = lqspi_write,
+     .endianness = DEVICE_NATIVE_ENDIAN,
-+void arm_log_exception(int idx);
++    .impl = {
-+
++        .min_access_size = 4,
- #endif /* !CONFIG_USER_ONLY */
++        .max_access_size = 4,
++    },
- #endif
+     .valid = {
-diff --git a/target/arm/helper.c b/target/arm/helper.c
+         .min_access_size = 1,
-index XXXXXXX..XXXXXXX 100644
+         .max_access_size = 4
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ uint32_t arm_phys_excp_target_el(CPUState *cs, uint32_t excp_idx,
      return target_el;
  }
 +void arm_log_exception(int idx)
 +{
 +    if (qemu_loglevel_mask(CPU_LOG_INT)) {
 +        const char *exc = NULL;
 +        static const char * const excnames[] = {
 +            [EXCP_UDEF] = "Undefined Instruction",
 +            [EXCP_SWI] = "SVC",
 +            [EXCP_PREFETCH_ABORT] = "Prefetch Abort",
 +            [EXCP_DATA_ABORT] = "Data Abort",
 +            [EXCP_IRQ] = "IRQ",
 +            [EXCP_FIQ] = "FIQ",
 +            [EXCP_BKPT] = "Breakpoint",
 +            [EXCP_EXCEPTION_EXIT] = "QEMU v7M exception exit",
 +            [EXCP_KERNEL_TRAP] = "QEMU intercept of kernel commpage",
 +            [EXCP_HVC] = "Hypervisor Call",
 +            [EXCP_HYP_TRAP] = "Hypervisor Trap",
 +            [EXCP_SMC] = "Secure Monitor Call",
 +            [EXCP_VIRQ] = "Virtual IRQ",
 +            [EXCP_VFIQ] = "Virtual FIQ",
 +            [EXCP_SEMIHOST] = "Semihosting call",
 +            [EXCP_NOCP] = "v7M NOCP UsageFault",
 +            [EXCP_INVSTATE] = "v7M INVSTATE UsageFault",
 +            [EXCP_STKOF] = "v8M STKOF UsageFault",
 +            [EXCP_LAZYFP] = "v7M exception during lazy FP stacking",
 +            [EXCP_LSERR] = "v8M LSERR UsageFault",
 +            [EXCP_UNALIGNED] = "v7M UNALIGNED UsageFault",
 +        };
 +
 +        if (idx >= 0 && idx < ARRAY_SIZE(excnames)) {
 +            exc = excnames[idx];
 +        }
 +        if (!exc) {
 +            exc = "unknown";
 +        }
 +        qemu_log_mask(CPU_LOG_INT, "Taking exception %d [%s]\n", idx, exc);
 +    }
 +}
 +
  /*
   * Return true if the v7M CPACR permits access to the FPU for the specified
   * security state and privilege level.
@@ -XXX,XX +XXX,XX @@ static bool do_v7m_function_return(ARMCPU *cpu)
      return true;
  }
 -static void arm_log_exception(int idx)
 -{
 -    if (qemu_loglevel_mask(CPU_LOG_INT)) {
 -        const char *exc = NULL;
 -        static const char * const excnames[] = {
 -            [EXCP_UDEF] = "Undefined Instruction",
 -            [EXCP_SWI] = "SVC",
 -            [EXCP_PREFETCH_ABORT] = "Prefetch Abort",
 -            [EXCP_DATA_ABORT] = "Data Abort",
 -            [EXCP_IRQ] = "IRQ",
 -            [EXCP_FIQ] = "FIQ",
 -            [EXCP_BKPT] = "Breakpoint",
 -            [EXCP_EXCEPTION_EXIT] = "QEMU v7M exception exit",
 -            [EXCP_KERNEL_TRAP] = "QEMU intercept of kernel commpage",
 -            [EXCP_HVC] = "Hypervisor Call",
 -            [EXCP_HYP_TRAP] = "Hypervisor Trap",
 -            [EXCP_SMC] = "Secure Monitor Call",
 -            [EXCP_VIRQ] = "Virtual IRQ",
 -            [EXCP_VFIQ] = "Virtual FIQ",
 -            [EXCP_SEMIHOST] = "Semihosting call",
 -            [EXCP_NOCP] = "v7M NOCP UsageFault",
 -            [EXCP_INVSTATE] = "v7M INVSTATE UsageFault",
 -            [EXCP_STKOF] = "v8M STKOF UsageFault",
 -            [EXCP_LAZYFP] = "v7M exception during lazy FP stacking",
 -            [EXCP_LSERR] = "v8M LSERR UsageFault",
 -            [EXCP_UNALIGNED] = "v7M UNALIGNED UsageFault",
 -        };
 -
 -        if (idx >= 0 && idx < ARRAY_SIZE(excnames)) {
 -            exc = excnames[idx];
 -        }
 -        if (!exc) {
 -            exc = "unknown";
 -        }
 -        qemu_log_mask(CPU_LOG_INT, "Taking exception %d [%s]\n", idx, exc);
 -    }
 -}
 -
  static bool v7m_read_half_insn(ARMCPU *cpu, ARMMMUIdx mmu_idx,
                                 uint32_t addr, uint16_t *insn)
  {
 --
 .20.1

-[Qemu-devel] [PULL 02/46] hw/arm/msf2-som: Exit when the cpu is not the expected one
+[Qemu-devel] [PULL 05/10] hw/ssi/mss-spi: Avoid crash when reading empty RX FIFO
 From: Philippe Mathieu-Daudé <philmd@redhat.com>
-This machine correctly defines its default_cpu_type to cortex-m3
+Reading the RX_DATA register when the RX_FIFO is empty triggers
-and report an error if the user requested another cpu_type,
+an abort. This can be easily reproduced:
 however it does not exit, and this can confuse users trying
 to use another core:
-  $ qemu-system-arm -M emcraft-sf2 -cpu cortex-m4 -kernel test-m4.elf
+  $ qemu-system-arm -M emcraft-sf2 -monitor stdio -S
-  qemu-system-arm: This board can only be used with CPU cortex-m3-arm-cpu
+  QEMU 4.0.50 monitor - type 'help' for more information
-  [output related to M3 core ...]
+  (qemu) x 0x40001010
   Aborted (core dumped)
-The CPU is indeed a M3 core:
+  (gdb) bt
   #1  0x00007f035874f895 in abort () at /lib64/libc.so.6
   #2  0x00005628686591ff in fifo8_pop (fifo=0x56286a9a4c68) at util/fifo8.c:66
   #3  0x00005628683e0b8e in fifo32_pop (fifo=0x56286a9a4c68) at include/qemu/fifo32.h:137
   #4  0x00005628683e0efb in spi_read (opaque=0x56286a9a4850, addr=4, size=4) at hw/ssi/mss-spi.c:168
   #5  0x0000562867f96801 in memory_region_read_accessor (mr=0x56286a9a4b60, addr=16, value=0x7ffeecb0c5c8, size=4, shift=0, mask=4294967295, attrs=...) at memory.c:439
   #6  0x0000562867f96cdb in access_with_adjusted_size (addr=16, value=0x7ffeecb0c5c8, size=4, access_size_min=1, access_size_max=4, access_fn=0x562867f967c3 <memory_region_read_accessor>, mr=0x56286a9a4b60, attrs=...) at memory.c:569
   #7  0x0000562867f99940 in memory_region_dispatch_read1 (mr=0x56286a9a4b60, addr=16, pval=0x7ffeecb0c5c8, size=4, attrs=...) at memory.c:1420
   #8  0x0000562867f99a08 in memory_region_dispatch_read (mr=0x56286a9a4b60, addr=16, pval=0x7ffeecb0c5c8, size=4, attrs=...) at memory.c:1447
   #9  0x0000562867f38721 in flatview_read_continue (fv=0x56286aec6360, addr=1073745936, attrs=..., buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4, addr1=16, l=4, mr=0x56286a9a4b60) at exec.c:3385
   #10 0x0000562867f38874 in flatview_read (fv=0x56286aec6360, addr=1073745936, attrs=..., buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4) at exec.c:3423
   #11 0x0000562867f388ea in address_space_read_full (as=0x56286aa3e890, addr=1073745936, attrs=..., buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4) at exec.c:3436
   #12 0x0000562867f389c5 in address_space_rw (as=0x56286aa3e890, addr=1073745936, attrs=..., buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4, is_write=false) at exec.c:3466
   #13 0x0000562867f3bdd7 in cpu_memory_rw_debug (cpu=0x56286aa19d00, addr=1073745936, buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4, is_write=0) at exec.c:3976
   #14 0x000056286811ed51 in memory_dump (mon=0x56286a8c32d0, count=1, format=120, wsize=4, addr=1073745936, is_physical=0) at monitor/misc.c:730
   #15 0x000056286811eff1 in hmp_memory_dump (mon=0x56286a8c32d0, qdict=0x56286b15c400) at monitor/misc.c:785
   #16 0x00005628684740ee in handle_hmp_command (mon=0x56286a8c32d0, cmdline=0x56286a8caeb2 "0x40001010") at monitor/hmp.c:1082
-  (qemu) info qom-tree
+From the datasheet "Actel SmartFusion Microcontroller Subsystem
-  /machine (emcraft-sf2-machine)
+User's Guide" Rev.1, Table 13-3 "SPI Register Summary", this
-    /unattached (container)
+register has a reset value of 0.
       /device[0] (msf2-soc)
         /armv7m (armv7m)
           /cpu (cortex-m3-arm-cpu)
-Add the missing exit() call to return to the shell.
+Check the FIFO is not empty before accessing it, else log an
 error message.
 Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
-Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
+Message-id: 20190709113715.7761-3-philmd@redhat.com
 Message-id: 20190617160136.29930-1-philmd@redhat.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/msf2-som.c | 1 +
+ hw/ssi/mss-spi.c | 8 +++++++-
-file changed, 1 insertion(+)
+file changed, 7 insertions(+), 1 deletion(-)
-diff --git a/hw/arm/msf2-som.c b/hw/arm/msf2-som.c
+diff --git a/hw/ssi/mss-spi.c b/hw/ssi/mss-spi.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/msf2-som.c
+--- a/hw/ssi/mss-spi.c
-+++ b/hw/arm/msf2-som.c
++++ b/hw/ssi/mss-spi.c
-@@ -XXX,XX +XXX,XX @@ static void emcraft_sf2_s2s010_init(MachineState *machine)
+@@ -XXX,XX +XXX,XX @@ spi_read(void *opaque, hwaddr addr, unsigned int size)
-     if (strcmp(machine->cpu_type, mc->default_cpu_type) != 0) {
+     case R_SPI_RX:
-         error_report("This board can only be used with CPU %s",
+         s->regs[R_SPI_STATUS] &= ~S_RXFIFOFUL;
-                      mc->default_cpu_type);
+         s->regs[R_SPI_STATUS] &= ~S_RXCHOVRF;
-+        exit(1);
+-        ret = fifo32_pop(&s->rx_fifo);
-     }
++        if (fifo32_is_empty(&s->rx_fifo)) {
++            qemu_log_mask(LOG_GUEST_ERROR,
-     memory_region_init_ram(ddr, NULL, "ddr-ram", DDR_SIZE,
++                          "%s: Reading empty RX_FIFO\n",
 +                          __func__);
 +        } else {
 +            ret = fifo32_pop(&s->rx_fifo);
 +        }
          if (fifo32_is_empty(&s->rx_fifo)) {
              s->regs[R_SPI_STATUS] |= S_RXFIFOEMP;
          }
 --
 .20.1

-[Qemu-devel] [PULL 43/46] target/arm/vfp_helper: Restrict the SoftFloat use to TCG
+[Qemu-devel] [PULL 06/10] hw/display/xlnx_dp: Avoid crash when reading empty RX FIFO
 From: Philippe Mathieu-Daudé <philmd@redhat.com>
-This code is specific to the SoftFloat floating-point
+In the previous commit we fixed a crash when the guest read a
-implementation, which is only used by TCG.
+register that pop from an empty FIFO.
 By auditing the repository, we found another similar use with
 an easy way to reproduce:
   $ qemu-system-aarch64 -M xlnx-zcu102 -monitor stdio -S
   QEMU 4.0.50 monitor - type 'help' for more information
   (qemu) xp/b 0xfd4a0134
   Aborted (core dumped)
   (gdb) bt
   #0  0x00007f6936dea57f in raise () at /lib64/libc.so.6
   #1  0x00007f6936dd4895 in abort () at /lib64/libc.so.6
   #2  0x0000561ad32975ec in xlnx_dp_aux_pop_rx_fifo (s=0x7f692babee70) at hw/display/xlnx_dp.c:431
   #3  0x0000561ad3297dc0 in xlnx_dp_read (opaque=0x7f692babee70, offset=77, size=4) at hw/display/xlnx_dp.c:667
   #4  0x0000561ad321b896 in memory_region_read_accessor (mr=0x7f692babf620, addr=308, value=0x7ffe05c1db88, size=4, shift=0, mask=4294967295, attrs=...) at memory.c:439
   #5  0x0000561ad321bd70 in access_with_adjusted_size (addr=308, value=0x7ffe05c1db88, size=1, access_size_min=4, access_size_max=4, access_fn=0x561ad321b858 <memory_region_read_accessor>, mr=0x7f692babf620, attrs=...) at memory.c:569
   #6  0x0000561ad321e9d5 in memory_region_dispatch_read1 (mr=0x7f692babf620, addr=308, pval=0x7ffe05c1db88, size=1, attrs=...) at memory.c:1420
   #7  0x0000561ad321ea9d in memory_region_dispatch_read (mr=0x7f692babf620, addr=308, pval=0x7ffe05c1db88, size=1, attrs=...) at memory.c:1447
   #8  0x0000561ad31bd742 in flatview_read_continue (fv=0x561ad69c04f0, addr=4249485620, attrs=..., buf=0x7ffe05c1dcf0 "\020\335\301\005\376\177", len=1, addr1=308, l=1, mr=0x7f692babf620) at exec.c:3385
   #9  0x0000561ad31bd895 in flatview_read (fv=0x561ad69c04f0, addr=4249485620, attrs=..., buf=0x7ffe05c1dcf0 "\020\335\301\005\376\177", len=1) at exec.c:3423
   #10 0x0000561ad31bd90b in address_space_read_full (as=0x561ad5bb3020, addr=4249485620, attrs=..., buf=0x7ffe05c1dcf0 "\020\335\301\005\376\177", len=1) at exec.c:3436
   #11 0x0000561ad33b1c42 in address_space_read (len=1, buf=0x7ffe05c1dcf0 "\020\335\301\005\376\177", attrs=..., addr=4249485620, as=0x561ad5bb3020) at include/exec/memory.h:2131
   #12 0x0000561ad33b1c42 in memory_dump (mon=0x561ad59c4530, count=1, format=120, wsize=1, addr=4249485620, is_physical=1) at monitor/misc.c:723
   #13 0x0000561ad33b1fc1 in hmp_physical_memory_dump (mon=0x561ad59c4530, qdict=0x561ad6c6fd00) at monitor/misc.c:795
   #14 0x0000561ad37b4a9f in handle_hmp_command (mon=0x561ad59c4530, cmdline=0x561ad59d0f22 "/b 0x00000000fd4a0134") at monitor/hmp.c:1082
 Fix by checking the FIFO is not empty before popping from it.
 The datasheet is not clear about the reset value of this register,
 we choose to return '0'.
 Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20190701132516.26392-18-philmd@redhat.com
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20190709113715.7761-4-philmd@redhat.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/vfp_helper.c | 26 +++++++++++++++++++++++---
+ hw/display/xlnx_dp.c | 15 +++++++++++----
-file changed, 23 insertions(+), 3 deletions(-)
+file changed, 11 insertions(+), 4 deletions(-)
-diff --git a/target/arm/vfp_helper.c b/target/arm/vfp_helper.c
+diff --git a/hw/display/xlnx_dp.c b/hw/display/xlnx_dp.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/vfp_helper.c
+--- a/hw/display/xlnx_dp.c
-+++ b/target/arm/vfp_helper.c
++++ b/hw/display/xlnx_dp.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ static uint8_t xlnx_dp_aux_pop_rx_fifo(XlnxDPState *s)
-  */
+     uint8_t ret;
- #include "qemu/osdep.h"
+     if (fifo8_is_empty(&s->rx_fifo)) {
--#include "qemu/log.h"
+-        DPRINTF("rx_fifo underflow..\n");
- #include "cpu.h"
+-        abort();
- #include "exec/helper-proto.h"
++        qemu_log_mask(LOG_GUEST_ERROR,
--#include "fpu/softfloat.h"
++                      "%s: Reading empty RX_FIFO\n",
- #include "internals.h"
++                      __func__);
--
++        /*
-+#ifdef CONFIG_TCG
++         * The datasheet is not clear about the reset value, it seems
-+#include "qemu/log.h"
++         * to be unspecified. We choose to return '0'.
-+#include "fpu/softfloat.h"
++         */
-+#endif
++        ret = 0;
++    } else {
- /* VFP support.  We follow the convention used for VFP instructions:
++        ret = fifo8_pop(&s->rx_fifo);
-    Single precision routines have a "s" suffix, double precision a
++        DPRINTF("pop 0x%" PRIX8 " from rx_fifo.\n", ret);
-    "d" suffix.  */
+     }
+-    ret = fifo8_pop(&s->rx_fifo);
-+#ifdef CONFIG_TCG
+-    DPRINTF("pop 0x%" PRIX8 " from rx_fifo.\n", ret);
-+
+     return ret;
  /* Convert host exception flags to vfp form.  */
  static inline int vfp_exceptbits_from_host(int host_bits)
  {
@@ -XXX,XX +XXX,XX @@ static void vfp_set_fpscr_to_host(CPUARMState *env, uint32_t val)
      set_float_exception_flags(0, &env->vfp.standard_fp_status);
  }
-+#else
-+
-+static uint32_t vfp_get_fpscr_from_host(CPUARMState *env)
-+{
-+    return 0;
-+}
-+
-+static void vfp_set_fpscr_to_host(CPUARMState *env, uint32_t val)
-+{
-+}
-+
-+#endif
-+
- uint32_t HELPER(vfp_get_fpscr)(CPUARMState *env)
- {
-     uint32_t i, fpscr;
-@@ -XXX,XX +XXX,XX @@ void vfp_set_fpscr(CPUARMState *env, uint32_t val)
-     HELPER(vfp_set_fpscr)(env, val);
- }
-+#ifdef CONFIG_TCG
-+
- #define VFP_HELPER(name, p) HELPER(glue(glue(vfp_,name),p))
- #define VFP_BINOP(name) \
-@@ -XXX,XX +XXX,XX @@ float64 HELPER(frint64_d)(float64 f, void *fpst)
- {
-     return frint_d(f, fpst, 64);
- }
-+
-+#endif
 --
 .20.1

-[Qemu-devel] [PULL 03/46] hw/arm/virt: Add support for Cortex-A7
+[Qemu-devel] [PULL 07/10] hw/arm/virt: Fix non-secure flash mode
-From: Jan Kiszka <jan.kiszka@siemens.com>
+From: David Engraf <david.engraf@sysgo.com>
-Allow cortex-a7 to be used with the virt board; it supports
+Using the whole 128 MiB flash in non-secure mode is not working because
-the v7VE features and there is no reason to deny this type.
+virt_flash_fdt() expects the same address for secure_sysmem and sysmem.
 This is not correctly handled by caller because it forwards NULL for
 secure_sysmem in non-secure flash mode.
-Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
+Fixed by using sysmem when secure_sysmem is NULL.
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: fc5404f7-4d1d-c28f-6e48-d8799c82acc0@web.de
+Signed-off-by: David Engraf <david.engraf@sysgo.com>
 Message-id: 20190712075002.14326-1-david.engraf@sysgo.com
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/virt.c | 1 +
+ hw/arm/virt.c | 2 +-
-file changed, 1 insertion(+)
+file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/hw/arm/virt.c b/hw/arm/virt.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/virt.c
 +++ b/hw/arm/virt.c
-@@ -XXX,XX +XXX,XX @@ static const int a15irqmap[] = {
+@@ -XXX,XX +XXX,XX @@ static void machvirt_init(MachineState *machine)
- };
+                                     &machine->device_memory->mr);
+     }
- static const char *valid_cpus[] = {
-+    ARM_CPU_TYPE_NAME("cortex-a7"),
+-    virt_flash_fdt(vms, sysmem, secure_sysmem);
-     ARM_CPU_TYPE_NAME("cortex-a15"),
++    virt_flash_fdt(vms, sysmem, secure_sysmem ?: sysmem);
-     ARM_CPU_TYPE_NAME("cortex-a53"),
-     ARM_CPU_TYPE_NAME("cortex-a57"),
+     create_gic(vms, pic);
 --
 .20.1

-[Qemu-devel] [PULL 04/46] i.mx7d: Add no-op/unimplemented APBH DMA module
+Deleted patch
-From: Andrey Smirnov <andrew.smirnov@gmail.com>
-Instantiate no-op APBH DMA module. Needed to boot latest Linux kernel.
-Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
-Cc: Peter Maydell <peter.maydell@linaro.org>
-Cc: Michael S. Tsirkin <mst@redhat.com>
-Cc: qemu-devel@nongnu.org
-Cc: qemu-arm@nongnu.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
----
- include/hw/arm/fsl-imx7.h | 3 +++
- hw/arm/fsl-imx7.c         | 6 ++++++
-files changed, 9 insertions(+)
-diff --git a/include/hw/arm/fsl-imx7.h b/include/hw/arm/fsl-imx7.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/fsl-imx7.h
-+++ b/include/hw/arm/fsl-imx7.h
-@@ -XXX,XX +XXX,XX @@ enum FslIMX7MemoryMap {
-     FSL_IMX7_PCIE_REG_SIZE        = 16 * 1024,
-     FSL_IMX7_GPR_ADDR             = 0x30340000,
-+
-+    FSL_IMX7_DMA_APBH_ADDR        = 0x33000000,
-+    FSL_IMX7_DMA_APBH_SIZE        = 0x2000,
- };
- enum FslIMX7IRQs {
-diff --git a/hw/arm/fsl-imx7.c b/hw/arm/fsl-imx7.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/fsl-imx7.c
-+++ b/hw/arm/fsl-imx7.c
-@@ -XXX,XX +XXX,XX @@ static void fsl_imx7_realize(DeviceState *dev, Error **errp)
-      */
-     create_unimplemented_device("lcdif", FSL_IMX7_LCDIF_ADDR,
-                                 FSL_IMX7_LCDIF_SIZE);
-+
-+    /*
-+     * DMA APBH
-+     */
-+    create_unimplemented_device("dma-apbh", FSL_IMX7_DMA_APBH_ADDR,
-+                                FSL_IMX7_DMA_APBH_SIZE);
- }
- static void fsl_imx7_class_init(ObjectClass *oc, void *data)
---
-.20.1

-[Qemu-devel] [PULL 05/46] i.mx7d: Add no-op/unimplemented PCIE PHY IP block
+Deleted patch
-From: Andrey Smirnov <andrew.smirnov@gmail.com>
-Add no-op/unimplemented PCIE PHY IP block. Needed by new kernels to
-use PCIE.
-Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
-Cc: Peter Maydell <peter.maydell@linaro.org>
-Cc: Michael S. Tsirkin <mst@redhat.com>
-Cc: qemu-devel@nongnu.org
-Cc: qemu-arm@nongnu.org
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- include/hw/arm/fsl-imx7.h | 3 +++
- hw/arm/fsl-imx7.c         | 5 +++++
-files changed, 8 insertions(+)
-diff --git a/include/hw/arm/fsl-imx7.h b/include/hw/arm/fsl-imx7.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/fsl-imx7.h
-+++ b/include/hw/arm/fsl-imx7.h
-@@ -XXX,XX +XXX,XX @@ enum FslIMX7MemoryMap {
-     FSL_IMX7_ADC2_ADDR            = 0x30620000,
-     FSL_IMX7_ADCn_SIZE            = 0x1000,
-+    FSL_IMX7_PCIE_PHY_ADDR        = 0x306D0000,
-+    FSL_IMX7_PCIE_PHY_SIZE        = 0x10000,
-+
-     FSL_IMX7_GPC_ADDR             = 0x303A0000,
-     FSL_IMX7_I2C1_ADDR            = 0x30A20000,
-diff --git a/hw/arm/fsl-imx7.c b/hw/arm/fsl-imx7.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/fsl-imx7.c
-+++ b/hw/arm/fsl-imx7.c
-@@ -XXX,XX +XXX,XX @@ static void fsl_imx7_realize(DeviceState *dev, Error **errp)
-      */
-     create_unimplemented_device("dma-apbh", FSL_IMX7_DMA_APBH_ADDR,
-                                 FSL_IMX7_DMA_APBH_SIZE);
-+    /*
-+     * PCIe PHY
-+     */
-+    create_unimplemented_device("pcie-phy", FSL_IMX7_PCIE_PHY_ADDR,
-+                                FSL_IMX7_PCIE_PHY_SIZE);
- }
- static void fsl_imx7_class_init(ObjectClass *oc, void *data)
---
-.20.1

-[Qemu-devel] [PULL 06/46] pci: designware: Update MSI mapping unconditionally
+Deleted patch
-From: Andrey Smirnov <andrew.smirnov@gmail.com>
-Expression to calculate update_msi_mapping in code handling writes to
-DESIGNWARE_PCIE_MSI_INTR0_ENABLE is missing an ! operator and should
-be:
-    !!root->msi.intr[0].enable ^ !!val;
-so that MSI mapping is updated when enabled transitions from either
-"none" -> "any" or "any" -> "none". Since that register shouldn't be
-written to very often, change the code to update MSI mapping
-unconditionally instead of trying to fix the update_msi_mapping logic.
-Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
-Cc: Peter Maydell <peter.maydell@linaro.org>
-Cc: Michael S. Tsirkin <mst@redhat.com>
-Cc: qemu-devel@nongnu.org
-Cc: qemu-arm@nongnu.org
-Acked-by: Michael S. Tsirkin <mst@redhat.com>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/pci-host/designware.c | 10 ++--------
-file changed, 2 insertions(+), 8 deletions(-)
-diff --git a/hw/pci-host/designware.c b/hw/pci-host/designware.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/pci-host/designware.c
-+++ b/hw/pci-host/designware.c
-@@ -XXX,XX +XXX,XX @@ static void designware_pcie_root_config_write(PCIDevice *d, uint32_t address,
-         root->msi.base |= (uint64_t)val << 32;
-         break;
--    case DESIGNWARE_PCIE_MSI_INTR0_ENABLE: {
--        const bool update_msi_mapping = !root->msi.intr[0].enable ^ !!val;
--
-+    case DESIGNWARE_PCIE_MSI_INTR0_ENABLE:
-         root->msi.intr[0].enable = val;
--
--        if (update_msi_mapping) {
--            designware_pcie_root_update_msi_mapping(root);
--        }
-+        designware_pcie_root_update_msi_mapping(root);
-         break;
--    }
-     case DESIGNWARE_PCIE_MSI_INTR0_MASK:
-         root->msi.intr[0].mask = val;
---
-.20.1

-[Qemu-devel] [PULL 07/46] pci: designware: Update MSI mapping when MSI address changes
+Deleted patch
-From: Andrey Smirnov <andrew.smirnov@gmail.com>
-MSI mapping needs to be update when MSI address changes, so add the
-code to do so.
-Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
-Cc: Peter Maydell <peter.maydell@linaro.org>
-Cc: Michael S. Tsirkin <mst@redhat.com>
-Cc: qemu-devel@nongnu.org
-Cc: qemu-arm@nongnu.org
-Acked-by: Michael S. Tsirkin <mst@redhat.com>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/pci-host/designware.c | 2 ++
-file changed, 2 insertions(+)
-diff --git a/hw/pci-host/designware.c b/hw/pci-host/designware.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/pci-host/designware.c
-+++ b/hw/pci-host/designware.c
-@@ -XXX,XX +XXX,XX @@ static void designware_pcie_root_config_write(PCIDevice *d, uint32_t address,
-     case DESIGNWARE_PCIE_MSI_ADDR_LO:
-         root->msi.base &= 0xFFFFFFFF00000000ULL;
-         root->msi.base |= val;
-+        designware_pcie_root_update_msi_mapping(root);
-         break;
-     case DESIGNWARE_PCIE_MSI_ADDR_HI:
-         root->msi.base &= 0x00000000FFFFFFFFULL;
-         root->msi.base |= (uint64_t)val << 32;
-+        designware_pcie_root_update_msi_mapping(root);
-         break;
-     case DESIGNWARE_PCIE_MSI_INTR0_ENABLE:
---
-.20.1

-[Qemu-devel] [PULL 08/46] i.mx7d: pci: Update PCI IRQ mapping to match HW
+Deleted patch
-From: Andrey Smirnov <andrew.smirnov@gmail.com>
-Datasheet for i.MX7 is incorrect and i.MX7's PCI IRQ mapping matches
-that of i.MX6:
-    * INTD/MSI    122
-    * INTC        123
-    * INTB        124
-    * INTA        125
-Fix all of the relevant code to reflect that fact. Needed by latest
-Linux kernels.
-(Reference: Linux kernel commit 538d6e9d597584e80 from an
-NXP employee confirming that the datasheet is incorrect and
-with a report of a test against hardware.)
-Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
-Cc: Peter Maydell <peter.maydell@linaro.org>
-Cc: Michael S. Tsirkin <mst@redhat.com>
-Cc: qemu-devel@nongnu.org
-Cc: qemu-arm@nongnu.org
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-[PMM: added ref to kernel commit confirming the datasheet error]
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- include/hw/arm/fsl-imx7.h | 8 ++++----
- hw/pci-host/designware.c  | 6 ++++--
-files changed, 8 insertions(+), 6 deletions(-)
-diff --git a/include/hw/arm/fsl-imx7.h b/include/hw/arm/fsl-imx7.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/fsl-imx7.h
-+++ b/include/hw/arm/fsl-imx7.h
-@@ -XXX,XX +XXX,XX @@ enum FslIMX7IRQs {
-     FSL_IMX7_USB2_IRQ     = 42,
-     FSL_IMX7_USB3_IRQ     = 40,
--    FSL_IMX7_PCI_INTA_IRQ = 122,
--    FSL_IMX7_PCI_INTB_IRQ = 123,
--    FSL_IMX7_PCI_INTC_IRQ = 124,
--    FSL_IMX7_PCI_INTD_IRQ = 125,
-+    FSL_IMX7_PCI_INTA_IRQ = 125,
-+    FSL_IMX7_PCI_INTB_IRQ = 124,
-+    FSL_IMX7_PCI_INTC_IRQ = 123,
-+    FSL_IMX7_PCI_INTD_IRQ = 122,
-     FSL_IMX7_UART7_IRQ    = 126,
-diff --git a/hw/pci-host/designware.c b/hw/pci-host/designware.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/pci-host/designware.c
-+++ b/hw/pci-host/designware.c
-@@ -XXX,XX +XXX,XX @@
- #define DESIGNWARE_PCIE_ATU_DEVFN(x)               (((x) >> 16) & 0xff)
- #define DESIGNWARE_PCIE_ATU_UPPER_TARGET           0x91C
-+#define DESIGNWARE_PCIE_IRQ_MSI                    3
-+
- static DesignwarePCIEHost *
- designware_pcie_root_to_host(DesignwarePCIERoot *root)
- {
-@@ -XXX,XX +XXX,XX @@ static void designware_pcie_root_msi_write(void *opaque, hwaddr addr,
-     root->msi.intr[0].status |= BIT(val) & root->msi.intr[0].enable;
-     if (root->msi.intr[0].status & ~root->msi.intr[0].mask) {
--        qemu_set_irq(host->pci.irqs[0], 1);
-+        qemu_set_irq(host->pci.irqs[DESIGNWARE_PCIE_IRQ_MSI], 1);
-     }
- }
-@@ -XXX,XX +XXX,XX @@ static void designware_pcie_root_config_write(PCIDevice *d, uint32_t address,
-     case DESIGNWARE_PCIE_MSI_INTR0_STATUS:
-         root->msi.intr[0].status ^= val;
-         if (!root->msi.intr[0].status) {
--            qemu_set_irq(host->pci.irqs[0], 0);
-+            qemu_set_irq(host->pci.irqs[DESIGNWARE_PCIE_IRQ_MSI], 0);
-         }
-         break;
---
-.20.1

-[Qemu-devel] [PULL 09/46] aspeed: add a per SoC mapping for the interrupt space
+Deleted patch
-From: Cédric Le Goater <clg@kaod.org>
-This will simplify the definition of new SoCs, like the AST2600 which
-should use a different CPU and a different IRQ number layout.
-Signed-off-by: Cédric Le Goater <clg@kaod.org>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Reviewed-by: Joel Stanley <joel@jms.id.au>
-Message-id: 20190618165311.27066-2-clg@kaod.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- include/hw/arm/aspeed_soc.h | 36 +++++++++++++++++++++++
- hw/arm/aspeed_soc.c         | 57 +++++++++++++++++++++++++++++++------
-files changed, 85 insertions(+), 8 deletions(-)
-diff --git a/include/hw/arm/aspeed_soc.h b/include/hw/arm/aspeed_soc.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/aspeed_soc.h
-+++ b/include/hw/arm/aspeed_soc.h
-@@ -XXX,XX +XXX,XX @@ typedef struct AspeedSoCInfo {
-     const char *fmc_typename;
-     const char **spi_typename;
-     int wdts_num;
-+    const int *irqmap;
- } AspeedSoCInfo;
- typedef struct AspeedSoCClass {
-@@ -XXX,XX +XXX,XX @@ typedef struct AspeedSoCClass {
- #define ASPEED_SOC_GET_CLASS(obj)                               \
-     OBJECT_GET_CLASS(AspeedSoCClass, (obj), TYPE_ASPEED_SOC)
-+enum {
-+    ASPEED_IOMEM,
-+    ASPEED_UART1,
-+    ASPEED_UART2,
-+    ASPEED_UART3,
-+    ASPEED_UART4,
-+    ASPEED_UART5,
-+    ASPEED_VUART,
-+    ASPEED_FMC,
-+    ASPEED_SPI1,
-+    ASPEED_SPI2,
-+    ASPEED_VIC,
-+    ASPEED_SDMC,
-+    ASPEED_SCU,
-+    ASPEED_ADC,
-+    ASPEED_SRAM,
-+    ASPEED_GPIO,
-+    ASPEED_RTC,
-+    ASPEED_TIMER1,
-+    ASPEED_TIMER2,
-+    ASPEED_TIMER3,
-+    ASPEED_TIMER4,
-+    ASPEED_TIMER5,
-+    ASPEED_TIMER6,
-+    ASPEED_TIMER7,
-+    ASPEED_TIMER8,
-+    ASPEED_WDT,
-+    ASPEED_PWM,
-+    ASPEED_LPC,
-+    ASPEED_IBT,
-+    ASPEED_I2C,
-+    ASPEED_ETH1,
-+    ASPEED_ETH2,
-+};
-+
- #endif /* ASPEED_SOC_H */
-diff --git a/hw/arm/aspeed_soc.c b/hw/arm/aspeed_soc.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/aspeed_soc.c
-+++ b/hw/arm/aspeed_soc.c
-@@ -XXX,XX +XXX,XX @@
- #define ASPEED_SOC_ETH1_BASE        0x1E660000
- #define ASPEED_SOC_ETH2_BASE        0x1E680000
--static const int uart_irqs[] = { 9, 32, 33, 34, 10 };
--static const int timer_irqs[] = { 16, 17, 18, 35, 36, 37, 38, 39, };
-+static const int aspeed_soc_ast2400_irqmap[] = {
-+    [ASPEED_UART1]  = 9,
-+    [ASPEED_UART2]  = 32,
-+    [ASPEED_UART3]  = 33,
-+    [ASPEED_UART4]  = 34,
-+    [ASPEED_UART5]  = 10,
-+    [ASPEED_VUART]  = 8,
-+    [ASPEED_FMC]    = 19,
-+    [ASPEED_SDMC]   = 0,
-+    [ASPEED_SCU]    = 21,
-+    [ASPEED_ADC]    = 31,
-+    [ASPEED_GPIO]   = 20,
-+    [ASPEED_RTC]    = 22,
-+    [ASPEED_TIMER1] = 16,
-+    [ASPEED_TIMER2] = 17,
-+    [ASPEED_TIMER3] = 18,
-+    [ASPEED_TIMER4] = 35,
-+    [ASPEED_TIMER5] = 36,
-+    [ASPEED_TIMER6] = 37,
-+    [ASPEED_TIMER7] = 38,
-+    [ASPEED_TIMER8] = 39,
-+    [ASPEED_WDT]    = 27,
-+    [ASPEED_PWM]    = 28,
-+    [ASPEED_LPC]    = 8,
-+    [ASPEED_IBT]    = 8, /* LPC */
-+    [ASPEED_I2C]    = 12,
-+    [ASPEED_ETH1]   = 2,
-+    [ASPEED_ETH2]   = 3,
-+};
- #define AST2400_SDRAM_BASE       0x40000000
- #define AST2500_SDRAM_BASE       0x80000000
-+/* AST2500 uses the same IRQs as the AST2400 */
-+#define aspeed_soc_ast2500_irqmap aspeed_soc_ast2400_irqmap
-+
- static const hwaddr aspeed_soc_ast2400_spi_bases[] = { ASPEED_SOC_SPI_BASE };
- static const char *aspeed_soc_ast2400_typenames[] = { "aspeed.smc.spi" };
-@@ -XXX,XX +XXX,XX @@ static const AspeedSoCInfo aspeed_socs[] = {
-         .fmc_typename = "aspeed.smc.fmc",
-         .spi_typename = aspeed_soc_ast2400_typenames,
-         .wdts_num     = 2,
-+        .irqmap       = aspeed_soc_ast2400_irqmap,
-     }, {
-         .name         = "ast2400-a1",
-         .cpu_type     = ARM_CPU_TYPE_NAME("arm926"),
-@@ -XXX,XX +XXX,XX @@ static const AspeedSoCInfo aspeed_socs[] = {
-         .fmc_typename = "aspeed.smc.fmc",
-         .spi_typename = aspeed_soc_ast2400_typenames,
-         .wdts_num     = 2,
-+        .irqmap       = aspeed_soc_ast2400_irqmap,
-     }, {
-         .name         = "ast2400",
-         .cpu_type     = ARM_CPU_TYPE_NAME("arm926"),
-@@ -XXX,XX +XXX,XX @@ static const AspeedSoCInfo aspeed_socs[] = {
-         .fmc_typename = "aspeed.smc.fmc",
-         .spi_typename = aspeed_soc_ast2400_typenames,
-         .wdts_num     = 2,
-+        .irqmap       = aspeed_soc_ast2400_irqmap,
-     }, {
-         .name         = "ast2500-a1",
-         .cpu_type     = ARM_CPU_TYPE_NAME("arm1176"),
-@@ -XXX,XX +XXX,XX @@ static const AspeedSoCInfo aspeed_socs[] = {
-         .fmc_typename = "aspeed.smc.ast2500-fmc",
-         .spi_typename = aspeed_soc_ast2500_typenames,
-         .wdts_num     = 3,
-+        .irqmap       = aspeed_soc_ast2500_irqmap,
-     },
- };
-+static qemu_irq aspeed_soc_get_irq(AspeedSoCState *s, int ctrl)
-+{
-+    AspeedSoCClass *sc = ASPEED_SOC_GET_CLASS(s);
-+
-+    return qdev_get_gpio_in(DEVICE(&s->vic), sc->info->irqmap[ctrl]);
-+}
-+
- static void aspeed_soc_init(Object *obj)
- {
-     AspeedSoCState *s = ASPEED_SOC(obj);
-@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_realize(DeviceState *dev, Error **errp)
-         return;
-     }
-     sysbus_mmio_map(SYS_BUS_DEVICE(&s->timerctrl), 0, ASPEED_SOC_TIMER_BASE);
--    for (i = 0; i < ARRAY_SIZE(timer_irqs); i++) {
--        qemu_irq irq = qdev_get_gpio_in(DEVICE(&s->vic), timer_irqs[i]);
-+    for (i = 0; i < ASPEED_TIMER_NR_TIMERS; i++) {
-+        qemu_irq irq = aspeed_soc_get_irq(s, ASPEED_TIMER1 + i);
-         sysbus_connect_irq(SYS_BUS_DEVICE(&s->timerctrl), i, irq);
-     }
-     /* UART - attach an 8250 to the IO space as our UART5 */
-     if (serial_hd(0)) {
--        qemu_irq uart5 = qdev_get_gpio_in(DEVICE(&s->vic), uart_irqs[4]);
-+        qemu_irq uart5 = aspeed_soc_get_irq(s, ASPEED_UART5);
-         serial_mm_init(get_system_memory(),
-                        ASPEED_SOC_IOMEM_BASE + ASPEED_SOC_UART_5_BASE, 2,
-                        uart5, 38400, serial_hd(0), DEVICE_LITTLE_ENDIAN);
-@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_realize(DeviceState *dev, Error **errp)
-     }
-     sysbus_mmio_map(SYS_BUS_DEVICE(&s->i2c), 0, ASPEED_SOC_I2C_BASE);
-     sysbus_connect_irq(SYS_BUS_DEVICE(&s->i2c), 0,
--                       qdev_get_gpio_in(DEVICE(&s->vic), 12));
-+                       aspeed_soc_get_irq(s, ASPEED_I2C));
-     /* FMC, The number of CS is set at the board level */
-     object_property_set_bool(OBJECT(&s->fmc), true, "realized", &err);
-@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_realize(DeviceState *dev, Error **errp)
-     sysbus_mmio_map(SYS_BUS_DEVICE(&s->fmc), 1,
-                     s->fmc.ctrl->flash_window_base);
-     sysbus_connect_irq(SYS_BUS_DEVICE(&s->fmc), 0,
--                       qdev_get_gpio_in(DEVICE(&s->vic), 19));
-+                       aspeed_soc_get_irq(s, ASPEED_FMC));
-     /* SPI */
-     for (i = 0; i < sc->info->spis_num; i++) {
-@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_realize(DeviceState *dev, Error **errp)
-     }
-     sysbus_mmio_map(SYS_BUS_DEVICE(&s->ftgmac100), 0, ASPEED_SOC_ETH1_BASE);
-     sysbus_connect_irq(SYS_BUS_DEVICE(&s->ftgmac100), 0,
--                       qdev_get_gpio_in(DEVICE(&s->vic), 2));
-+                       aspeed_soc_get_irq(s, ASPEED_ETH1));
- }
- static void aspeed_soc_class_init(ObjectClass *oc, void *data)
---
-.20.1

-[Qemu-devel] [PULL 10/46] aspeed: add a per SoC mapping for the memory space
+Deleted patch
-From: Cédric Le Goater <clg@kaod.org>
-This will simplify the definition of new SoCs, like the AST2600 which
-should use a slightly different address space and have a different set
-of controllers.
-Signed-off-by: Cédric Le Goater <clg@kaod.org>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Reviewed-by: Joel Stanley <joel@jms.id.au>
-Message-id: 20190618165311.27066-3-clg@kaod.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- include/hw/arm/aspeed_soc.h |   4 +-
- hw/arm/aspeed.c             |   8 +--
- hw/arm/aspeed_soc.c         | 117 ++++++++++++++++++++++--------------
-files changed, 78 insertions(+), 51 deletions(-)
-diff --git a/include/hw/arm/aspeed_soc.h b/include/hw/arm/aspeed_soc.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/aspeed_soc.h
-+++ b/include/hw/arm/aspeed_soc.h
-@@ -XXX,XX +XXX,XX @@ typedef struct AspeedSoCInfo {
-     const char *name;
-     const char *cpu_type;
-     uint32_t silicon_rev;
--    hwaddr sdram_base;
-     uint64_t sram_size;
-     int spis_num;
--    const hwaddr *spi_bases;
-     const char *fmc_typename;
-     const char **spi_typename;
-     int wdts_num;
-     const int *irqmap;
-+    const hwaddr *memmap;
- } AspeedSoCInfo;
- typedef struct AspeedSoCClass {
-@@ -XXX,XX +XXX,XX @@ enum {
-     ASPEED_I2C,
-     ASPEED_ETH1,
-     ASPEED_ETH2,
-+    ASPEED_SDRAM,
- };
- #endif /* ASPEED_SOC_H */
-diff --git a/hw/arm/aspeed.c b/hw/arm/aspeed.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/aspeed.c
-+++ b/hw/arm/aspeed.c
-@@ -XXX,XX +XXX,XX @@ static void aspeed_board_init(MachineState *machine,
-                                         &error_abort);
-     memory_region_allocate_system_memory(&bmc->ram, NULL, "ram", ram_size);
--    memory_region_add_subregion(get_system_memory(), sc->info->sdram_base,
--                                &bmc->ram);
-+    memory_region_add_subregion(get_system_memory(),
-+                                sc->info->memmap[ASPEED_SDRAM], &bmc->ram);
-     object_property_add_const_link(OBJECT(&bmc->soc), "ram", OBJECT(&bmc->ram),
-                                    &error_abort);
-@@ -XXX,XX +XXX,XX @@ static void aspeed_board_init(MachineState *machine,
-     memory_region_init_io(&bmc->max_ram, NULL, &max_ram_ops, NULL,
-                           "max_ram", max_ram_size  - ram_size);
-     memory_region_add_subregion(get_system_memory(),
--                                sc->info->sdram_base + ram_size,
-+                                sc->info->memmap[ASPEED_SDRAM] + ram_size,
-                                 &bmc->max_ram);
-     aspeed_board_init_flashes(&bmc->soc.fmc, cfg->fmc_model, &error_abort);
-@@ -XXX,XX +XXX,XX @@ static void aspeed_board_init(MachineState *machine,
-     aspeed_board_binfo.initrd_filename = machine->initrd_filename;
-     aspeed_board_binfo.kernel_cmdline = machine->kernel_cmdline;
-     aspeed_board_binfo.ram_size = ram_size;
--    aspeed_board_binfo.loader_start = sc->info->sdram_base;
-+    aspeed_board_binfo.loader_start = sc->info->memmap[ASPEED_SDRAM];
-     if (cfg->i2c_init) {
-         cfg->i2c_init(bmc);
-diff --git a/hw/arm/aspeed_soc.c b/hw/arm/aspeed_soc.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/aspeed_soc.c
-+++ b/hw/arm/aspeed_soc.c
-@@ -XXX,XX +XXX,XX @@
- #include "hw/i2c/aspeed_i2c.h"
- #include "net/net.h"
--#define ASPEED_SOC_UART_5_BASE      0x00184000
- #define ASPEED_SOC_IOMEM_SIZE       0x00200000
--#define ASPEED_SOC_IOMEM_BASE       0x1E600000
--#define ASPEED_SOC_FMC_BASE         0x1E620000
--#define ASPEED_SOC_SPI_BASE         0x1E630000
--#define ASPEED_SOC_SPI2_BASE        0x1E631000
--#define ASPEED_SOC_VIC_BASE         0x1E6C0000
--#define ASPEED_SOC_SDMC_BASE        0x1E6E0000
--#define ASPEED_SOC_SCU_BASE         0x1E6E2000
--#define ASPEED_SOC_SRAM_BASE        0x1E720000
--#define ASPEED_SOC_TIMER_BASE       0x1E782000
--#define ASPEED_SOC_WDT_BASE         0x1E785000
--#define ASPEED_SOC_I2C_BASE         0x1E78A000
--#define ASPEED_SOC_ETH1_BASE        0x1E660000
--#define ASPEED_SOC_ETH2_BASE        0x1E680000
-+
-+static const hwaddr aspeed_soc_ast2400_memmap[] = {
-+    [ASPEED_IOMEM]  = 0x1E600000,
-+    [ASPEED_FMC]    = 0x1E620000,
-+    [ASPEED_SPI1]   = 0x1E630000,
-+    [ASPEED_VIC]    = 0x1E6C0000,
-+    [ASPEED_SDMC]   = 0x1E6E0000,
-+    [ASPEED_SCU]    = 0x1E6E2000,
-+    [ASPEED_ADC]    = 0x1E6E9000,
-+    [ASPEED_SRAM]   = 0x1E720000,
-+    [ASPEED_GPIO]   = 0x1E780000,
-+    [ASPEED_RTC]    = 0x1E781000,
-+    [ASPEED_TIMER1] = 0x1E782000,
-+    [ASPEED_WDT]    = 0x1E785000,
-+    [ASPEED_PWM]    = 0x1E786000,
-+    [ASPEED_LPC]    = 0x1E789000,
-+    [ASPEED_IBT]    = 0x1E789140,
-+    [ASPEED_I2C]    = 0x1E78A000,
-+    [ASPEED_ETH1]   = 0x1E660000,
-+    [ASPEED_ETH2]   = 0x1E680000,
-+    [ASPEED_UART1]  = 0x1E783000,
-+    [ASPEED_UART5]  = 0x1E784000,
-+    [ASPEED_VUART]  = 0x1E787000,
-+    [ASPEED_SDRAM]  = 0x40000000,
-+};
-+
-+static const hwaddr aspeed_soc_ast2500_memmap[] = {
-+    [ASPEED_IOMEM]  = 0x1E600000,
-+    [ASPEED_FMC]    = 0x1E620000,
-+    [ASPEED_SPI1]   = 0x1E630000,
-+    [ASPEED_SPI2]   = 0x1E631000,
-+    [ASPEED_VIC]    = 0x1E6C0000,
-+    [ASPEED_SDMC]   = 0x1E6E0000,
-+    [ASPEED_SCU]    = 0x1E6E2000,
-+    [ASPEED_ADC]    = 0x1E6E9000,
-+    [ASPEED_SRAM]   = 0x1E720000,
-+    [ASPEED_GPIO]   = 0x1E780000,
-+    [ASPEED_RTC]    = 0x1E781000,
-+    [ASPEED_TIMER1] = 0x1E782000,
-+    [ASPEED_WDT]    = 0x1E785000,
-+    [ASPEED_PWM]    = 0x1E786000,
-+    [ASPEED_LPC]    = 0x1E789000,
-+    [ASPEED_IBT]    = 0x1E789140,
-+    [ASPEED_I2C]    = 0x1E78A000,
-+    [ASPEED_ETH1]   = 0x1E660000,
-+    [ASPEED_ETH2]   = 0x1E680000,
-+    [ASPEED_UART1]  = 0x1E783000,
-+    [ASPEED_UART5]  = 0x1E784000,
-+    [ASPEED_VUART]  = 0x1E787000,
-+    [ASPEED_SDRAM]  = 0x80000000,
-+};
- static const int aspeed_soc_ast2400_irqmap[] = {
-     [ASPEED_UART1]  = 9,
-@@ -XXX,XX +XXX,XX @@ static const int aspeed_soc_ast2400_irqmap[] = {
-     [ASPEED_ETH2]   = 3,
- };
--#define AST2400_SDRAM_BASE       0x40000000
--#define AST2500_SDRAM_BASE       0x80000000
--
--/* AST2500 uses the same IRQs as the AST2400 */
- #define aspeed_soc_ast2500_irqmap aspeed_soc_ast2400_irqmap
--static const hwaddr aspeed_soc_ast2400_spi_bases[] = { ASPEED_SOC_SPI_BASE };
- static const char *aspeed_soc_ast2400_typenames[] = { "aspeed.smc.spi" };
--
--static const hwaddr aspeed_soc_ast2500_spi_bases[] = { ASPEED_SOC_SPI_BASE,
--                                                       ASPEED_SOC_SPI2_BASE};
- static const char *aspeed_soc_ast2500_typenames[] = {
-     "aspeed.smc.ast2500-spi1", "aspeed.smc.ast2500-spi2" };
-@@ -XXX,XX +XXX,XX @@ static const AspeedSoCInfo aspeed_socs[] = {
-         .name         = "ast2400-a0",
-         .cpu_type     = ARM_CPU_TYPE_NAME("arm926"),
-         .silicon_rev  = AST2400_A0_SILICON_REV,
--        .sdram_base   = AST2400_SDRAM_BASE,
-         .sram_size    = 0x8000,
-         .spis_num     = 1,
--        .spi_bases    = aspeed_soc_ast2400_spi_bases,
-         .fmc_typename = "aspeed.smc.fmc",
-         .spi_typename = aspeed_soc_ast2400_typenames,
-         .wdts_num     = 2,
-         .irqmap       = aspeed_soc_ast2400_irqmap,
-+        .memmap       = aspeed_soc_ast2400_memmap,
-     }, {
-         .name         = "ast2400-a1",
-         .cpu_type     = ARM_CPU_TYPE_NAME("arm926"),
-         .silicon_rev  = AST2400_A1_SILICON_REV,
--        .sdram_base   = AST2400_SDRAM_BASE,
-         .sram_size    = 0x8000,
-         .spis_num     = 1,
--        .spi_bases    = aspeed_soc_ast2400_spi_bases,
-         .fmc_typename = "aspeed.smc.fmc",
-         .spi_typename = aspeed_soc_ast2400_typenames,
-         .wdts_num     = 2,
-         .irqmap       = aspeed_soc_ast2400_irqmap,
-+        .memmap       = aspeed_soc_ast2400_memmap,
-     }, {
-         .name         = "ast2400",
-         .cpu_type     = ARM_CPU_TYPE_NAME("arm926"),
-         .silicon_rev  = AST2400_A0_SILICON_REV,
--        .sdram_base   = AST2400_SDRAM_BASE,
-         .sram_size    = 0x8000,
-         .spis_num     = 1,
--        .spi_bases    = aspeed_soc_ast2400_spi_bases,
-         .fmc_typename = "aspeed.smc.fmc",
-         .spi_typename = aspeed_soc_ast2400_typenames,
-         .wdts_num     = 2,
-         .irqmap       = aspeed_soc_ast2400_irqmap,
-+        .memmap       = aspeed_soc_ast2400_memmap,
-     }, {
-         .name         = "ast2500-a1",
-         .cpu_type     = ARM_CPU_TYPE_NAME("arm1176"),
-         .silicon_rev  = AST2500_A1_SILICON_REV,
--        .sdram_base   = AST2500_SDRAM_BASE,
-         .sram_size    = 0x9000,
-         .spis_num     = 2,
--        .spi_bases    = aspeed_soc_ast2500_spi_bases,
-         .fmc_typename = "aspeed.smc.ast2500-fmc",
-         .spi_typename = aspeed_soc_ast2500_typenames,
-         .wdts_num     = 3,
-         .irqmap       = aspeed_soc_ast2500_irqmap,
-+        .memmap       = aspeed_soc_ast2500_memmap,
-     },
- };
-@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_realize(DeviceState *dev, Error **errp)
-     Error *err = NULL, *local_err = NULL;
-     /* IO space */
--    create_unimplemented_device("aspeed_soc.io",
--                                ASPEED_SOC_IOMEM_BASE, ASPEED_SOC_IOMEM_SIZE);
-+    create_unimplemented_device("aspeed_soc.io", sc->info->memmap[ASPEED_IOMEM],
-+                                ASPEED_SOC_IOMEM_SIZE);
-     /* CPU */
-     object_property_set_bool(OBJECT(&s->cpu), true, "realized", &err);
-@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_realize(DeviceState *dev, Error **errp)
-         error_propagate(errp, err);
-         return;
-     }
--    memory_region_add_subregion(get_system_memory(), ASPEED_SOC_SRAM_BASE,
--                                &s->sram);
-+    memory_region_add_subregion(get_system_memory(),
-+                                sc->info->memmap[ASPEED_SRAM], &s->sram);
-     /* SCU */
-     object_property_set_bool(OBJECT(&s->scu), true, "realized", &err);
-@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_realize(DeviceState *dev, Error **errp)
-         error_propagate(errp, err);
-         return;
-     }
--    sysbus_mmio_map(SYS_BUS_DEVICE(&s->scu), 0, ASPEED_SOC_SCU_BASE);
-+    sysbus_mmio_map(SYS_BUS_DEVICE(&s->scu), 0, sc->info->memmap[ASPEED_SCU]);
-     /* VIC */
-     object_property_set_bool(OBJECT(&s->vic), true, "realized", &err);
-@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_realize(DeviceState *dev, Error **errp)
-         error_propagate(errp, err);
-         return;
-     }
--    sysbus_mmio_map(SYS_BUS_DEVICE(&s->vic), 0, ASPEED_SOC_VIC_BASE);
-+    sysbus_mmio_map(SYS_BUS_DEVICE(&s->vic), 0, sc->info->memmap[ASPEED_VIC]);
-     sysbus_connect_irq(SYS_BUS_DEVICE(&s->vic), 0,
-                        qdev_get_gpio_in(DEVICE(&s->cpu), ARM_CPU_IRQ));
-     sysbus_connect_irq(SYS_BUS_DEVICE(&s->vic), 1,
-@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_realize(DeviceState *dev, Error **errp)
-         error_propagate(errp, err);
-         return;
-     }
--    sysbus_mmio_map(SYS_BUS_DEVICE(&s->timerctrl), 0, ASPEED_SOC_TIMER_BASE);
-+    sysbus_mmio_map(SYS_BUS_DEVICE(&s->timerctrl), 0,
-+                    sc->info->memmap[ASPEED_TIMER1]);
-     for (i = 0; i < ASPEED_TIMER_NR_TIMERS; i++) {
-         qemu_irq irq = aspeed_soc_get_irq(s, ASPEED_TIMER1 + i);
-         sysbus_connect_irq(SYS_BUS_DEVICE(&s->timerctrl), i, irq);
-@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_realize(DeviceState *dev, Error **errp)
-     /* UART - attach an 8250 to the IO space as our UART5 */
-     if (serial_hd(0)) {
-         qemu_irq uart5 = aspeed_soc_get_irq(s, ASPEED_UART5);
--        serial_mm_init(get_system_memory(),
--                       ASPEED_SOC_IOMEM_BASE + ASPEED_SOC_UART_5_BASE, 2,
-+        serial_mm_init(get_system_memory(), sc->info->memmap[ASPEED_UART5], 2,
-                        uart5, 38400, serial_hd(0), DEVICE_LITTLE_ENDIAN);
-     }
-@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_realize(DeviceState *dev, Error **errp)
-         error_propagate(errp, err);
-         return;
-     }
--    sysbus_mmio_map(SYS_BUS_DEVICE(&s->i2c), 0, ASPEED_SOC_I2C_BASE);
-+    sysbus_mmio_map(SYS_BUS_DEVICE(&s->i2c), 0, sc->info->memmap[ASPEED_I2C]);
-     sysbus_connect_irq(SYS_BUS_DEVICE(&s->i2c), 0,
-                        aspeed_soc_get_irq(s, ASPEED_I2C));
-@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_realize(DeviceState *dev, Error **errp)
-         error_propagate(errp, err);
-         return;
-     }
--    sysbus_mmio_map(SYS_BUS_DEVICE(&s->fmc), 0, ASPEED_SOC_FMC_BASE);
-+    sysbus_mmio_map(SYS_BUS_DEVICE(&s->fmc), 0, sc->info->memmap[ASPEED_FMC]);
-     sysbus_mmio_map(SYS_BUS_DEVICE(&s->fmc), 1,
-                     s->fmc.ctrl->flash_window_base);
-     sysbus_connect_irq(SYS_BUS_DEVICE(&s->fmc), 0,
-@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_realize(DeviceState *dev, Error **errp)
-             error_propagate(errp, err);
-             return;
-         }
--        sysbus_mmio_map(SYS_BUS_DEVICE(&s->spi[i]), 0, sc->info->spi_bases[i]);
-+        sysbus_mmio_map(SYS_BUS_DEVICE(&s->spi[i]), 0,
-+                        sc->info->memmap[ASPEED_SPI1 + i]);
-         sysbus_mmio_map(SYS_BUS_DEVICE(&s->spi[i]), 1,
-                         s->spi[i].ctrl->flash_window_base);
-     }
-@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_realize(DeviceState *dev, Error **errp)
-         error_propagate(errp, err);
-         return;
-     }
--    sysbus_mmio_map(SYS_BUS_DEVICE(&s->sdmc), 0, ASPEED_SOC_SDMC_BASE);
-+    sysbus_mmio_map(SYS_BUS_DEVICE(&s->sdmc), 0, sc->info->memmap[ASPEED_SDMC]);
-     /* Watch dog */
-     for (i = 0; i < sc->info->wdts_num; i++) {
-@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_realize(DeviceState *dev, Error **errp)
-             return;
-         }
-         sysbus_mmio_map(SYS_BUS_DEVICE(&s->wdt[i]), 0,
--                        ASPEED_SOC_WDT_BASE + i * 0x20);
-+                        sc->info->memmap[ASPEED_WDT] + i * 0x20);
-     }
-     /* Net */
-@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_realize(DeviceState *dev, Error **errp)
-         error_propagate(errp, err);
-         return;
-     }
--    sysbus_mmio_map(SYS_BUS_DEVICE(&s->ftgmac100), 0, ASPEED_SOC_ETH1_BASE);
-+    sysbus_mmio_map(SYS_BUS_DEVICE(&s->ftgmac100), 0,
-+                    sc->info->memmap[ASPEED_ETH1]);
-     sysbus_connect_irq(SYS_BUS_DEVICE(&s->ftgmac100), 0,
-                        aspeed_soc_get_irq(s, ASPEED_ETH1));
- }
---
-.20.1

-[Qemu-devel] [PULL 11/46] hw: timer: Add ASPEED RTC device
+[Qemu-devel] [PULL 08/10] pl031: Correctly migrate state when using -rtc clock=host
-From: Joel Stanley <joel@jms.id.au>
+The PL031 RTC tracks the difference between the guest RTC
+and the host RTC using a tick_offset field. For migration,
-The RTC is modeled to provide time and date functionality. It is
+however, we currently always migrate the offset between
-initialised at zero to match the hardware.
+the guest and the vm_clock, even if the RTC clock is not
+the same as the vm_clock; this was an attempt to retain
-There is no modelling of the alarm functionality, which includes the IRQ
+migration backwards compatibility.
-line. As there is no guest code to exercise this function that is
-acceptable for now.
+Unfortunately this results in the RTC behaving oddly across
+a VM state save and restore -- since the VM clock stands still
-Signed-off-by: Joel Stanley <joel@jms.id.au>
+across save-then-restore, regardless of how much real world
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+time has elapsed, the guest RTC ends up out of sync with the
-Message-id: 20190618165311.27066-4-clg@kaod.org
+host RTC in the restored VM.
 Fix this by migrating the raw tick_offset. To retain migration
 compatibility as far as possible, we have a new property
 migrate-tick-offset; by default this is 'true' and we will
 migrate the true tick offset in a new subsection; if the
 incoming data has no subsection we fall back to the old
 vm_clock-based offset information, so old->new migration
 compatibility is preserved. For complete new->old migration
 compatibility, the property is set to 'false' for 4.0 and
 earlier machine types (this will only affect 'virt-4.0'
 and below, as none of the other pl031-using machines are
 versioned).
 Reported-by: Russell King <rmk@armlinux.org.uk>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Message-id: 20190709143912.28905-1-peter.maydell@linaro.org
 ---
- hw/timer/Makefile.objs        |   2 +-
+ include/hw/timer/pl031.h |  2 +
- include/hw/timer/aspeed_rtc.h |  31 ++++++
+ hw/core/machine.c        |  1 +
- hw/timer/aspeed_rtc.c         | 180 ++++++++++++++++++++++++++++++++++
+ hw/timer/pl031.c         | 92 ++++++++++++++++++++++++++++++++++++++--
- hw/timer/trace-events         |   4 +
+files changed, 91 insertions(+), 4 deletions(-)
-files changed, 216 insertions(+), 1 deletion(-)
- create mode 100644 include/hw/timer/aspeed_rtc.h
+diff --git a/include/hw/timer/pl031.h b/include/hw/timer/pl031.h
  create mode 100644 hw/timer/aspeed_rtc.c
 diff --git a/hw/timer/Makefile.objs b/hw/timer/Makefile.objs
 index XXXXXXX..XXXXXXX 100644
---- a/hw/timer/Makefile.objs
+--- a/include/hw/timer/pl031.h
-+++ b/hw/timer/Makefile.objs
++++ b/include/hw/timer/pl031.h
-@@ -XXX,XX +XXX,XX @@ obj-$(CONFIG_MC146818RTC) += mc146818rtc.o
+@@ -XXX,XX +XXX,XX @@ typedef struct PL031State {
- obj-$(CONFIG_ALLWINNER_A10_PIT) += allwinner-a10-pit.o
+      */
+     uint32_t tick_offset_vmstate;
- common-obj-$(CONFIG_STM32F2XX_TIMER) += stm32f2xx_timer.o
+     uint32_t tick_offset;
--common-obj-$(CONFIG_ASPEED_SOC) += aspeed_timer.o
++    bool tick_offset_migrated;
-+common-obj-$(CONFIG_ASPEED_SOC) += aspeed_timer.o aspeed_rtc.o
++    bool migrate_tick_offset;
- common-obj-$(CONFIG_SUN4V_RTC) += sun4v-rtc.o
+     uint32_t mr;
- common-obj-$(CONFIG_CMSDK_APB_TIMER) += cmsdk-apb-timer.o
+     uint32_t lr;
-diff --git a/include/hw/timer/aspeed_rtc.h b/include/hw/timer/aspeed_rtc.h
+diff --git a/hw/core/machine.c b/hw/core/machine.c
-new file mode 100644
+index XXXXXXX..XXXXXXX 100644
-index XXXXXXX..XXXXXXX
+--- a/hw/core/machine.c
---- /dev/null
++++ b/hw/core/machine.c
-+++ b/include/hw/timer/aspeed_rtc.h
+@@ -XXX,XX +XXX,XX @@ GlobalProperty hw_compat_4_0[] = {
-@@ -XXX,XX +XXX,XX @@
+     { "virtio-gpu-pci", "edid", "false" },
-+/*
+     { "virtio-device", "use-started", "false" },
-+ * ASPEED Real Time Clock
+     { "virtio-balloon-device", "qemu-4-0-config-size", "true" },
-+ * Joel Stanley <joel@jms.id.au>
++    { "pl031", "migrate-tick-offset", "false" },
-+ *
+ };
-+ * Copyright 2019 IBM Corp
+ const size_t hw_compat_4_0_len = G_N_ELEMENTS(hw_compat_4_0);
-+ * SPDX-License-Identifier: GPL-2.0-or-later
-+ */
+diff --git a/hw/timer/pl031.c b/hw/timer/pl031.c
-+#ifndef ASPEED_RTC_H
+index XXXXXXX..XXXXXXX 100644
-+#define ASPEED_RTC_H
+--- a/hw/timer/pl031.c
-+
++++ b/hw/timer/pl031.c
-+#include <stdint.h>
+@@ -XXX,XX +XXX,XX @@ static int pl031_pre_save(void *opaque)
-+
+ {
-+#include "hw/hw.h"
+     PL031State *s = opaque;
-+#include "hw/irq.h"
-+#include "hw/sysbus.h"
+-    /* tick_offset is base_time - rtc_clock base time.  Instead, we want to
-+
+-     * store the base time relative to the QEMU_CLOCK_VIRTUAL for backwards-compatibility.  */
-+typedef struct AspeedRtcState {
++    /*
-+    SysBusDevice parent_obj;
++     * The PL031 device model code uses the tick_offset field, which is
-+
++     * the offset between what the guest RTC should read and what the
-+    MemoryRegion iomem;
++     * QEMU rtc_clock reads:
-+    qemu_irq irq;
++     *  guest_rtc = rtc_clock + tick_offset
-+
++     * and so
-+    uint32_t reg[0x18];
++     *  tick_offset = guest_rtc - rtc_clock
-+    int offset;
++     *
-+
++     * We want to migrate this offset, which sounds straightforward.
-+} AspeedRtcState;
++     * Unfortunately older versions of QEMU migrated a conversion of this
-+
++     * offset into an offset from the vm_clock. (This was in turn an
-+#define TYPE_ASPEED_RTC "aspeed.rtc"
++     * attempt to be compatible with even older QEMU versions, but it
-+#define ASPEED_RTC(obj) OBJECT_CHECK(AspeedRtcState, (obj), TYPE_ASPEED_RTC)
++     * has incorrect behaviour if the rtc_clock is not the same as the
-+
++     * vm_clock.) So we put the actual tick_offset into a migration
-+#endif /* ASPEED_RTC_H */
++     * subsection, and the backwards-compatible time-relative-to-vm_clock
-diff --git a/hw/timer/aspeed_rtc.c b/hw/timer/aspeed_rtc.c
++     * in the main migration state.
-new file mode 100644
++     *
-index XXXXXXX..XXXXXXX
++     * Calculate base time relative to QEMU_CLOCK_VIRTUAL:
---- /dev/null
++     */
-+++ b/hw/timer/aspeed_rtc.c
+     int64_t delta = qemu_clock_get_ns(rtc_clock) - qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
-@@ -XXX,XX +XXX,XX @@
+     s->tick_offset_vmstate = s->tick_offset + delta / NANOSECONDS_PER_SECOND;
-+/*
-+ * ASPEED Real Time Clock
+     return 0;
-+ * Joel Stanley <joel@jms.id.au>
+ }
-+ *
-+ * Copyright 2019 IBM Corp
++static int pl031_pre_load(void *opaque)
 + * SPDX-License-Identifier: GPL-2.0-or-later
 + */
 +
 +#include "qemu/osdep.h"
 +#include "qemu-common.h"
 +#include "hw/timer/aspeed_rtc.h"
 +#include "qemu/log.h"
 +#include "qemu/timer.h"
 +
 +#include "trace.h"
 +
 +#define COUNTER1        (0x00 / 4)
 +#define COUNTER2        (0x04 / 4)
 +#define ALARM           (0x08 / 4)
 +#define CONTROL         (0x10 / 4)
 +#define ALARM_STATUS    (0x14 / 4)
 +
 +#define RTC_UNLOCKED    BIT(1)
 +#define RTC_ENABLED     BIT(0)
 +
 +static void aspeed_rtc_calc_offset(AspeedRtcState *rtc)
 +{
-+    struct tm tm;
++    PL031State *s = opaque;
-+    uint32_t year, cent;
++
-+    uint32_t reg1 = rtc->reg[COUNTER1];
++    s->tick_offset_migrated = false;
-+    uint32_t reg2 = rtc->reg[COUNTER2];
++    return 0;
 +
 +    tm.tm_mday = (reg1 >> 24) & 0x1f;
 +    tm.tm_hour = (reg1 >> 16) & 0x1f;
 +    tm.tm_min = (reg1 >> 8) & 0x3f;
 +    tm.tm_sec = (reg1 >> 0) & 0x3f;
 +
 +    cent = (reg2 >> 16) & 0x1f;
 +    year = (reg2 >> 8) & 0x7f;
 +    tm.tm_mon = ((reg2 >>  0) & 0x0f) - 1;
 +    tm.tm_year = year + (cent * 100) - 1900;
 +
 +    rtc->offset = qemu_timedate_diff(&tm);
 +}
 +
-+static uint32_t aspeed_rtc_get_counter(AspeedRtcState *rtc, int r)
+ static int pl031_post_load(void *opaque, int version_id)
  {
      PL031State *s = opaque;
 -    int64_t delta = qemu_clock_get_ns(rtc_clock) - qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
 -    s->tick_offset = s->tick_offset_vmstate - delta / NANOSECONDS_PER_SECOND;
 +    /*
 +     * If we got the tick_offset subsection, then we can just use
 +     * the value in that. Otherwise the source is an older QEMU and
 +     * has given us the offset from the vm_clock; convert it back to
 +     * an offset from the rtc_clock. This will cause time to incorrectly
 +     * go backwards compared to the host RTC, but this is unavoidable.
 +     */
 +
 +    if (!s->tick_offset_migrated) {
 +        int64_t delta = qemu_clock_get_ns(rtc_clock) -
 +            qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
 +        s->tick_offset = s->tick_offset_vmstate -
 +            delta / NANOSECONDS_PER_SECOND;
 +    }
      pl031_set_alarm(s);
      return 0;
  }
 +static int pl031_tick_offset_post_load(void *opaque, int version_id)
 +{
-+    uint32_t year, cent;
++    PL031State *s = opaque;
-+    struct tm now;
++
-+
++    s->tick_offset_migrated = true;
-+    qemu_get_timedate(&now, rtc->offset);
++    return 0;
 +
 +    switch (r) {
 +    case COUNTER1:
 +        return (now.tm_mday << 24) | (now.tm_hour << 16) |
 +            (now.tm_min << 8) | now.tm_sec;
 +    case COUNTER2:
 +        cent = (now.tm_year + 1900) / 100;
 +        year = now.tm_year % 100;
 +        return ((cent & 0x1f) << 16) | ((year & 0x7f) << 8) |
 +            ((now.tm_mon + 1) & 0xf);
 +    default:
 +        g_assert_not_reached();
 +    }
 +}
 +
-+static uint64_t aspeed_rtc_read(void *opaque, hwaddr addr,
++static bool pl031_tick_offset_needed(void *opaque)
 +                                unsigned size)
 +{
-+    AspeedRtcState *rtc = opaque;
++    PL031State *s = opaque;
-+    uint64_t val;
++
-+    uint32_t r = addr >> 2;
++    return s->migrate_tick_offset;
 +
 +    switch (r) {
 +    case COUNTER1:
 +    case COUNTER2:
 +        if (rtc->reg[CONTROL] & RTC_ENABLED) {
 +            rtc->reg[r] = aspeed_rtc_get_counter(rtc, r);
 +        }
 +        /* fall through */
 +    case CONTROL:
 +        val = rtc->reg[r];
 +        break;
 +    case ALARM:
 +    case ALARM_STATUS:
 +    default:
 +        qemu_log_mask(LOG_UNIMP, "%s: 0x%" HWADDR_PRIx "\n", __func__, addr);
 +        return 0;
 +    }
 +
 +    trace_aspeed_rtc_read(addr, val);
 +
 +    return val;
 +}
 +
-+static void aspeed_rtc_write(void *opaque, hwaddr addr,
++static const VMStateDescription vmstate_pl031_tick_offset = {
-+                             uint64_t val, unsigned size)
++    .name = "pl031/tick-offset",
 +{
 +    AspeedRtcState *rtc = opaque;
 +    uint32_t r = addr >> 2;
 +
 +    switch (r) {
 +    case COUNTER1:
 +    case COUNTER2:
 +        if (!(rtc->reg[CONTROL] & RTC_UNLOCKED)) {
 +            break;
 +        }
 +        /* fall through */
 +    case CONTROL:
 +        rtc->reg[r] = val;
 +        aspeed_rtc_calc_offset(rtc);
 +        break;
 +    case ALARM:
 +    case ALARM_STATUS:
 +    default:
 +        qemu_log_mask(LOG_UNIMP, "%s: 0x%" HWADDR_PRIx "\n", __func__, addr);
 +        break;
 +    }
 +    trace_aspeed_rtc_write(addr, val);
 +}
 +
 +static void aspeed_rtc_reset(DeviceState *d)
 +{
 +    AspeedRtcState *rtc = ASPEED_RTC(d);
 +
 +    rtc->offset = 0;
 +    memset(rtc->reg, 0, sizeof(rtc->reg));
 +}
 +
 +static const MemoryRegionOps aspeed_rtc_ops = {
 +    .read = aspeed_rtc_read,
 +    .write = aspeed_rtc_write,
 +    .endianness = DEVICE_NATIVE_ENDIAN,
 +};
 +
 +static const VMStateDescription vmstate_aspeed_rtc = {
 +    .name = TYPE_ASPEED_RTC,
 +    .version_id = 1,
++    .minimum_version_id = 1,
++    .needed = pl031_tick_offset_needed,
++    .post_load = pl031_tick_offset_post_load,
 +    .fields = (VMStateField[]) {
-+        VMSTATE_UINT32_ARRAY(reg, AspeedRtcState, 0x18),
++        VMSTATE_UINT32(tick_offset, PL031State),
 +        VMSTATE_INT32(offset, AspeedRtcState),
 +        VMSTATE_INT32(offset, AspeedRtcState),
 +        VMSTATE_END_OF_LIST()
 +    }
 +};
 +
-+static void aspeed_rtc_realize(DeviceState *dev, Error **errp)
+ static const VMStateDescription vmstate_pl031 = {
-+{
+     .name = "pl031",
-+    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
+     .version_id = 1,
-+    AspeedRtcState *s = ASPEED_RTC(dev);
+     .minimum_version_id = 1,
-+
+     .pre_save = pl031_pre_save,
-+    sysbus_init_irq(sbd, &s->irq);
++    .pre_load = pl031_pre_load,
-+
+     .post_load = pl031_post_load,
-+    memory_region_init_io(&s->iomem, OBJECT(s), &aspeed_rtc_ops, s,
+     .fields = (VMStateField[]) {
-+                          "aspeed-rtc", 0x18ULL);
+         VMSTATE_UINT32(tick_offset_vmstate, PL031State),
-+    sysbus_init_mmio(sbd, &s->iomem);
+@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_pl031 = {
-+}
+         VMSTATE_UINT32(im, PL031State),
-+
+         VMSTATE_UINT32(is, PL031State),
-+static void aspeed_rtc_class_init(ObjectClass *klass, void *data)
+         VMSTATE_END_OF_LIST()
-+{
++    },
-+    DeviceClass *dc = DEVICE_CLASS(klass);
++    .subsections = (const VMStateDescription*[]) {
-+
++        &vmstate_pl031_tick_offset,
-+    dc->realize = aspeed_rtc_realize;
++        NULL
-+    dc->vmsd = &vmstate_aspeed_rtc;
+     }
-+    dc->reset = aspeed_rtc_reset;
+ };
-+}
-+
++static Property pl031_properties[] = {
-+static const TypeInfo aspeed_rtc_info = {
++    /*
-+    .name          = TYPE_ASPEED_RTC,
++     * True to correctly migrate the tick offset of the RTC. False to
-+    .parent        = TYPE_SYS_BUS_DEVICE,
++     * obtain backward migration compatibility with older QEMU versions,
-+    .instance_size = sizeof(AspeedRtcState),
++     * at the expense of the guest RTC going backwards compared with the
-+    .class_init    = aspeed_rtc_class_init,
++     * host RTC when the VM is saved/restored if using -rtc host.
 +     * (Even if set to 'true' older QEMU can migrate forward to newer QEMU;
 +     * 'false' also permits newer QEMU to migrate to older QEMU.)
 +     */
 +    DEFINE_PROP_BOOL("migrate-tick-offset",
 +                     PL031State, migrate_tick_offset, true),
 +    DEFINE_PROP_END_OF_LIST()
 +};
 +
-+static void aspeed_rtc_register_types(void)
+ static void pl031_class_init(ObjectClass *klass, void *data)
-+{
+ {
-+    type_register_static(&aspeed_rtc_info);
+     DeviceClass *dc = DEVICE_CLASS(klass);
-+}
-+
+     dc->vmsd = &vmstate_pl031;
-+type_init(aspeed_rtc_register_types)
++    dc->props = pl031_properties;
-diff --git a/hw/timer/trace-events b/hw/timer/trace-events
+ }
-index XXXXXXX..XXXXXXX 100644
---- a/hw/timer/trace-events
+ static const TypeInfo pl031_info = {
 +++ b/hw/timer/trace-events
@@ -XXX,XX +XXX,XX @@ cmsdk_apb_dualtimer_read(uint64_t offset, uint64_t data, unsigned size) "CMSDK A
  cmsdk_apb_dualtimer_write(uint64_t offset, uint64_t data, unsigned size) "CMSDK APB dualtimer write: offset 0x%" PRIx64 " data 0x%" PRIx64 " size %u"
  cmsdk_apb_dualtimer_reset(void) "CMSDK APB dualtimer: reset"
 +# hw/timer/aspeed-rtc.c
 +aspeed_rtc_read(uint64_t addr, uint64_t value) "addr 0x%02" PRIx64 " value 0x%08" PRIx64
 +aspeed_rtc_write(uint64_t addr, uint64_t value) "addr 0x%02" PRIx64 " value 0x%08" PRIx64
 +
  # sun4v-rtc.c
  sun4v_rtc_read(uint64_t addr, uint64_t value) "read: addr 0x%" PRIx64 " value 0x%" PRIx64
  sun4v_rtc_write(uint64_t addr, uint64_t value) "write: addr 0x%" PRIx64 " value 0x%" PRIx64
 --
 .20.1

-[Qemu-devel] [PULL 12/46] hw/arm/aspeed: Add RTC to SoC
+Deleted patch
-From: Joel Stanley <joel@jms.id.au>
-All systems have an RTC.
-The IRQ is hooked up but the model does not use it at this stage. There
-is no guest code that uses it, so this limitation is acceptable.
-Signed-off-by: Joel Stanley <joel@jms.id.au>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20190618165311.27066-5-clg@kaod.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- include/hw/arm/aspeed_soc.h |  2 ++
- hw/arm/aspeed_soc.c         | 13 +++++++++++++
-files changed, 15 insertions(+)
-diff --git a/include/hw/arm/aspeed_soc.h b/include/hw/arm/aspeed_soc.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/aspeed_soc.h
-+++ b/include/hw/arm/aspeed_soc.h
-@@ -XXX,XX +XXX,XX @@
- #include "hw/misc/aspeed_scu.h"
- #include "hw/misc/aspeed_sdmc.h"
- #include "hw/timer/aspeed_timer.h"
-+#include "hw/timer/aspeed_rtc.h"
- #include "hw/i2c/aspeed_i2c.h"
- #include "hw/ssi/aspeed_smc.h"
- #include "hw/watchdog/wdt_aspeed.h"
-@@ -XXX,XX +XXX,XX @@ typedef struct AspeedSoCState {
-     ARMCPU cpu;
-     MemoryRegion sram;
-     AspeedVICState vic;
-+    AspeedRtcState rtc;
-     AspeedTimerCtrlState timerctrl;
-     AspeedI2CState i2c;
-     AspeedSCUState scu;
-diff --git a/hw/arm/aspeed_soc.c b/hw/arm/aspeed_soc.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/aspeed_soc.c
-+++ b/hw/arm/aspeed_soc.c
-@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_init(Object *obj)
-     sysbus_init_child_obj(obj, "vic", OBJECT(&s->vic), sizeof(s->vic),
-                           TYPE_ASPEED_VIC);
-+    sysbus_init_child_obj(obj, "rtc", OBJECT(&s->rtc), sizeof(s->rtc),
-+                          TYPE_ASPEED_RTC);
-+
-     sysbus_init_child_obj(obj, "timerctrl", OBJECT(&s->timerctrl),
-                           sizeof(s->timerctrl), TYPE_ASPEED_TIMER);
-     object_property_add_const_link(OBJECT(&s->timerctrl), "scu",
-@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_realize(DeviceState *dev, Error **errp)
-     sysbus_connect_irq(SYS_BUS_DEVICE(&s->vic), 1,
-                        qdev_get_gpio_in(DEVICE(&s->cpu), ARM_CPU_FIQ));
-+    /* RTC */
-+    object_property_set_bool(OBJECT(&s->rtc), true, "realized", &err);
-+    if (err) {
-+        error_propagate(errp, err);
-+        return;
-+    }
-+    sysbus_mmio_map(SYS_BUS_DEVICE(&s->rtc), 0, sc->info->memmap[ASPEED_RTC]);
-+    sysbus_connect_irq(SYS_BUS_DEVICE(&s->rtc), 0,
-+                       aspeed_soc_get_irq(s, ASPEED_RTC));
-+
-     /* Timer */
-     object_property_set_bool(OBJECT(&s->timerctrl), true, "realized", &err);
-     if (err) {
---
-.20.1

-[Qemu-devel] [PULL 13/46] aspeed: introduce a configurable number of CPU per machine
+Deleted patch
-From: Cédric Le Goater <clg@kaod.org>
-The current models of the Aspeed SoCs only have one CPU but future
-ones will support SMP. Introduce a new num_cpus field at the SoC class
-level to define the number of available CPUs per SoC and also
-introduce a 'num-cpus' property to activate the CPUs configured for
-the machine.
-The max_cpus limit of the machine should depend on the SoC definition
-but, unfortunately, these values are not available when the machine
-class is initialized. This is the reason why we add a check on
-num_cpus in the AspeedSoC realize handler.
-SMP support will be activated when models for such SoCs are implemented.
-Signed-off-by: Cédric Le Goater <clg@kaod.org>
-Reviewed-by: Joel Stanley <joel@jms.id.au>
-Message-id: 20190618165311.27066-6-clg@kaod.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- include/hw/arm/aspeed_soc.h |  5 ++++-
- hw/arm/aspeed.c             |  7 +++++--
- hw/arm/aspeed_soc.c         | 33 +++++++++++++++++++++++++++------
-files changed, 36 insertions(+), 9 deletions(-)
-diff --git a/include/hw/arm/aspeed_soc.h b/include/hw/arm/aspeed_soc.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/aspeed_soc.h
-+++ b/include/hw/arm/aspeed_soc.h
-@@ -XXX,XX +XXX,XX @@
- #define ASPEED_SPIS_NUM  2
- #define ASPEED_WDTS_NUM  3
-+#define ASPEED_CPUS_NUM  2
- typedef struct AspeedSoCState {
-     /*< private >*/
-     DeviceState parent;
-     /*< public >*/
--    ARMCPU cpu;
-+    ARMCPU cpu[ASPEED_CPUS_NUM];
-+    uint32_t num_cpus;
-     MemoryRegion sram;
-     AspeedVICState vic;
-     AspeedRtcState rtc;
-@@ -XXX,XX +XXX,XX @@ typedef struct AspeedSoCInfo {
-     int wdts_num;
-     const int *irqmap;
-     const hwaddr *memmap;
-+    uint32_t num_cpus;
- } AspeedSoCInfo;
- typedef struct AspeedSoCClass {
-diff --git a/hw/arm/aspeed.c b/hw/arm/aspeed.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/aspeed.c
-+++ b/hw/arm/aspeed.c
-@@ -XXX,XX +XXX,XX @@
- #include "hw/misc/tmp105.h"
- #include "qemu/log.h"
- #include "sysemu/block-backend.h"
-+#include "sysemu/sysemu.h"
- #include "hw/loader.h"
- #include "qemu/error-report.h"
- #include "qemu/units.h"
- static struct arm_boot_info aspeed_board_binfo = {
-     .board_id = -1, /* device-tree-only board */
--    .nb_cpus = 1,
- };
- struct AspeedBoardState {
-@@ -XXX,XX +XXX,XX @@ static void aspeed_board_init(MachineState *machine,
-                             &error_abort);
-     object_property_set_int(OBJECT(&bmc->soc), cfg->num_cs, "num-cs",
-                             &error_abort);
-+    object_property_set_int(OBJECT(&bmc->soc), smp_cpus, "num-cpus",
-+                            &error_abort);
-     if (machine->kernel_filename) {
-         /*
-          * When booting with a -kernel command line there is no u-boot
-@@ -XXX,XX +XXX,XX @@ static void aspeed_board_init(MachineState *machine,
-     aspeed_board_binfo.kernel_cmdline = machine->kernel_cmdline;
-     aspeed_board_binfo.ram_size = ram_size;
-     aspeed_board_binfo.loader_start = sc->info->memmap[ASPEED_SDRAM];
-+    aspeed_board_binfo.nb_cpus = bmc->soc.num_cpus;
-     if (cfg->i2c_init) {
-         cfg->i2c_init(bmc);
-@@ -XXX,XX +XXX,XX @@ static void aspeed_machine_class_init(ObjectClass *oc, void *data)
-     mc->desc = board->desc;
-     mc->init = aspeed_machine_init;
--    mc->max_cpus = 1;
-+    mc->max_cpus = ASPEED_CPUS_NUM;
-     mc->no_sdcard = 1;
-     mc->no_floppy = 1;
-     mc->no_cdrom = 1;
-diff --git a/hw/arm/aspeed_soc.c b/hw/arm/aspeed_soc.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/aspeed_soc.c
-+++ b/hw/arm/aspeed_soc.c
-@@ -XXX,XX +XXX,XX @@
- #include "hw/char/serial.h"
- #include "qemu/log.h"
- #include "qemu/module.h"
-+#include "qemu/error-report.h"
- #include "hw/i2c/aspeed_i2c.h"
- #include "net/net.h"
-@@ -XXX,XX +XXX,XX @@ static const AspeedSoCInfo aspeed_socs[] = {
-         .wdts_num     = 2,
-         .irqmap       = aspeed_soc_ast2400_irqmap,
-         .memmap       = aspeed_soc_ast2400_memmap,
-+        .num_cpus     = 1,
-     }, {
-         .name         = "ast2400-a1",
-         .cpu_type     = ARM_CPU_TYPE_NAME("arm926"),
-@@ -XXX,XX +XXX,XX @@ static const AspeedSoCInfo aspeed_socs[] = {
-         .wdts_num     = 2,
-         .irqmap       = aspeed_soc_ast2400_irqmap,
-         .memmap       = aspeed_soc_ast2400_memmap,
-+        .num_cpus     = 1,
-     }, {
-         .name         = "ast2400",
-         .cpu_type     = ARM_CPU_TYPE_NAME("arm926"),
-@@ -XXX,XX +XXX,XX @@ static const AspeedSoCInfo aspeed_socs[] = {
-         .wdts_num     = 2,
-         .irqmap       = aspeed_soc_ast2400_irqmap,
-         .memmap       = aspeed_soc_ast2400_memmap,
-+        .num_cpus     = 1,
-     }, {
-         .name         = "ast2500-a1",
-         .cpu_type     = ARM_CPU_TYPE_NAME("arm1176"),
-@@ -XXX,XX +XXX,XX @@ static const AspeedSoCInfo aspeed_socs[] = {
-         .wdts_num     = 3,
-         .irqmap       = aspeed_soc_ast2500_irqmap,
-         .memmap       = aspeed_soc_ast2500_memmap,
-+        .num_cpus     = 1,
-     },
- };
-@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_init(Object *obj)
-     AspeedSoCClass *sc = ASPEED_SOC_GET_CLASS(s);
-     int i;
--    object_initialize_child(obj, "cpu", OBJECT(&s->cpu), sizeof(s->cpu),
--                            sc->info->cpu_type, &error_abort, NULL);
-+    for (i = 0; i < sc->info->num_cpus; i++) {
-+        object_initialize_child(obj, "cpu[*]", OBJECT(&s->cpu[i]),
-+                                sizeof(s->cpu[i]), sc->info->cpu_type,
-+                                &error_abort, NULL);
-+    }
-     sysbus_init_child_obj(obj, "scu", OBJECT(&s->scu), sizeof(s->scu),
-                           TYPE_ASPEED_SCU);
-@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_realize(DeviceState *dev, Error **errp)
-     create_unimplemented_device("aspeed_soc.io", sc->info->memmap[ASPEED_IOMEM],
-                                 ASPEED_SOC_IOMEM_SIZE);
-+    if (s->num_cpus > sc->info->num_cpus) {
-+        warn_report("%s: invalid number of CPUs %d, using default %d",
-+                    sc->info->name, s->num_cpus, sc->info->num_cpus);
-+        s->num_cpus = sc->info->num_cpus;
-+    }
-+
-     /* CPU */
--    object_property_set_bool(OBJECT(&s->cpu), true, "realized", &err);
--    if (err) {
--        error_propagate(errp, err);
--        return;
-+    for (i = 0; i < s->num_cpus; i++) {
-+        object_property_set_bool(OBJECT(&s->cpu[i]), true, "realized", &err);
-+        if (err) {
-+            error_propagate(errp, err);
-+            return;
-+        }
-     }
-     /* SRAM */
-@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_realize(DeviceState *dev, Error **errp)
-     sysbus_connect_irq(SYS_BUS_DEVICE(&s->ftgmac100), 0,
-                        aspeed_soc_get_irq(s, ASPEED_ETH1));
- }
-+static Property aspeed_soc_properties[] = {
-+    DEFINE_PROP_UINT32("num-cpus", AspeedSoCState, num_cpus, 0),
-+    DEFINE_PROP_END_OF_LIST(),
-+};
- static void aspeed_soc_class_init(ObjectClass *oc, void *data)
- {
-@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_class_init(ObjectClass *oc, void *data)
-     dc->realize = aspeed_soc_realize;
-     /* Reason: Uses serial_hds and nd_table in realize() directly */
-     dc->user_creatable = false;
-+    dc->props = aspeed_soc_properties;
- }
- static const TypeInfo aspeed_soc_type_info = {
---
-.20.1

-[Qemu-devel] [PULL 14/46] aspeed: add support for multiple NICs
+Deleted patch
-From: Cédric Le Goater <clg@kaod.org>
-The Aspeed SoCs have two MACs. Extend the Aspeed model to support a
-second NIC.
-Signed-off-by: Cédric Le Goater <clg@kaod.org>
-Reviewed-by: Joel Stanley <joel@jms.id.au>
-Message-id: 20190618165311.27066-7-clg@kaod.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- include/hw/arm/aspeed_soc.h |  3 ++-
- hw/arm/aspeed_soc.c         | 33 +++++++++++++++++++--------------
-files changed, 21 insertions(+), 15 deletions(-)
-diff --git a/include/hw/arm/aspeed_soc.h b/include/hw/arm/aspeed_soc.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/aspeed_soc.h
-+++ b/include/hw/arm/aspeed_soc.h
-@@ -XXX,XX +XXX,XX @@
- #define ASPEED_SPIS_NUM  2
- #define ASPEED_WDTS_NUM  3
- #define ASPEED_CPUS_NUM  2
-+#define ASPEED_MACS_NUM  2
- typedef struct AspeedSoCState {
-     /*< private >*/
-@@ -XXX,XX +XXX,XX @@ typedef struct AspeedSoCState {
-     AspeedSMCState spi[ASPEED_SPIS_NUM];
-     AspeedSDMCState sdmc;
-     AspeedWDTState wdt[ASPEED_WDTS_NUM];
--    FTGMAC100State ftgmac100;
-+    FTGMAC100State ftgmac100[ASPEED_MACS_NUM];
- } AspeedSoCState;
- #define TYPE_ASPEED_SOC "aspeed-soc"
-diff --git a/hw/arm/aspeed_soc.c b/hw/arm/aspeed_soc.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/aspeed_soc.c
-+++ b/hw/arm/aspeed_soc.c
-@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_init(Object *obj)
-                                     sc->info->silicon_rev);
-     }
--    sysbus_init_child_obj(obj, "ftgmac100", OBJECT(&s->ftgmac100),
--                          sizeof(s->ftgmac100), TYPE_FTGMAC100);
-+    for (i = 0; i < ASPEED_MACS_NUM; i++) {
-+        sysbus_init_child_obj(obj, "ftgmac100[*]", OBJECT(&s->ftgmac100[i]),
-+                              sizeof(s->ftgmac100[i]), TYPE_FTGMAC100);
-+    }
- }
- static void aspeed_soc_realize(DeviceState *dev, Error **errp)
-@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_realize(DeviceState *dev, Error **errp)
-     }
-     /* Net */
--    qdev_set_nic_properties(DEVICE(&s->ftgmac100), &nd_table[0]);
--    object_property_set_bool(OBJECT(&s->ftgmac100), true, "aspeed", &err);
--    object_property_set_bool(OBJECT(&s->ftgmac100), true, "realized",
--                             &local_err);
--    error_propagate(&err, local_err);
--    if (err) {
--        error_propagate(errp, err);
--        return;
-+    for (i = 0; i < nb_nics; i++) {
-+        qdev_set_nic_properties(DEVICE(&s->ftgmac100[i]), &nd_table[i]);
-+        object_property_set_bool(OBJECT(&s->ftgmac100[i]), true, "aspeed",
-+                                 &err);
-+        object_property_set_bool(OBJECT(&s->ftgmac100[i]), true, "realized",
-+                                 &local_err);
-+        error_propagate(&err, local_err);
-+        if (err) {
-+            error_propagate(errp, err);
-+           return;
-+        }
-+        sysbus_mmio_map(SYS_BUS_DEVICE(&s->ftgmac100[i]), 0,
-+                        sc->info->memmap[ASPEED_ETH1 + i]);
-+        sysbus_connect_irq(SYS_BUS_DEVICE(&s->ftgmac100[i]), 0,
-+                           aspeed_soc_get_irq(s, ASPEED_ETH1 + i));
-     }
--    sysbus_mmio_map(SYS_BUS_DEVICE(&s->ftgmac100), 0,
--                    sc->info->memmap[ASPEED_ETH1]);
--    sysbus_connect_irq(SYS_BUS_DEVICE(&s->ftgmac100), 0,
--                       aspeed_soc_get_irq(s, ASPEED_ETH1));
- }
- static Property aspeed_soc_properties[] = {
-     DEFINE_PROP_UINT32("num-cpus", AspeedSoCState, num_cpus, 0),
---
-.20.1

-[Qemu-devel] [PULL 15/46] aspeed/timer: Fix behaviour running Linux
+Deleted patch
-From: Joel Stanley <joel@jms.id.au>
-The Linux kernel driver was updated in commit 4451d3f59f2a
-("clocksource/drivers/fttmr010: Fix set_next_event handler) to fix an
-issue observed on hardware:
- > RELOAD register is loaded into COUNT register when the aspeed timer
- > is enabled, which means the next event may be delayed because timer
- > interrupt won't be generated until <0xFFFFFFFF - current_count +
- > cycles>.
-When running under Qemu, the system appeared "laggy". The guest is now
-scheduling timer events too regularly, starving the host of CPU time.
-This patch modifies the timer model to attempt to schedule the timer
-expiry as the guest requests, but if we have missed the deadline we
-re interrupt and try again, which allows the guest to catch up.
-Provides expected behaviour with old and new guest code.
-Fixes: c04bd47db6b9 ("hw/timer: Add ASPEED timer device model")
-Signed-off-by: Joel Stanley <joel@jms.id.au>
-Signed-off-by: Cédric Le Goater <clg@kaod.org>
-Message-id: 20190618165311.27066-8-clg@kaod.org
-[clg: - merged a fix from Andrew Jeffery <andrew@aj.id.au>
-        "Fire interrupt on failure to meet deadline"
-        https://lists.ozlabs.org/pipermail/openbmc/2019-January/014641.html
-      - adapted commit log
-      - checkpatch fixes ]
-Signed-off-by: Cédric Le Goater <clg@kaod.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/timer/aspeed_timer.c | 57 ++++++++++++++++++++++-------------------
-file changed, 30 insertions(+), 27 deletions(-)
-diff --git a/hw/timer/aspeed_timer.c b/hw/timer/aspeed_timer.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/timer/aspeed_timer.c
-+++ b/hw/timer/aspeed_timer.c
-@@ -XXX,XX +XXX,XX @@ static inline uint64_t calculate_time(struct AspeedTimer *t, uint32_t ticks)
- static uint64_t calculate_next(struct AspeedTimer *t)
- {
--    uint64_t next = 0;
--    uint32_t rate = calculate_rate(t);
-+    uint64_t now = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
-+    uint64_t next;
--    while (!next) {
--        /* We don't know the relationship between the values in the match
--         * registers, so sort using MAX/MIN/zero. We sort in that order as the
--         * timer counts down to zero. */
--        uint64_t seq[] = {
--            calculate_time(t, MAX(t->match[0], t->match[1])),
--            calculate_time(t, MIN(t->match[0], t->match[1])),
--            calculate_time(t, 0),
--        };
--        uint64_t reload_ns;
--        uint64_t now = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
-+    /*
-+     * We don't know the relationship between the values in the match
-+     * registers, so sort using MAX/MIN/zero. We sort in that order as
-+     * the timer counts down to zero.
-+     */
--        if (now < seq[0]) {
--            next = seq[0];
--        } else if (now < seq[1]) {
--            next = seq[1];
--        } else if (now < seq[2]) {
--            next = seq[2];
--        } else if (t->reload) {
--            reload_ns = muldiv64(t->reload, NANOSECONDS_PER_SECOND, rate);
--            t->start = now - ((now - t->start) % reload_ns);
--        } else {
--            /* no reload value, return 0 */
--            break;
--        }
-+    next = calculate_time(t, MAX(t->match[0], t->match[1]));
-+    if (now < next) {
-+        return next;
-     }
--    return next;
-+    next = calculate_time(t, MIN(t->match[0], t->match[1]));
-+    if (now < next) {
-+        return next;
-+    }
-+
-+    next = calculate_time(t, 0);
-+    if (now < next) {
-+        return next;
-+    }
-+
-+    /* We've missed all deadlines, fire interrupt and try again */
-+    timer_del(&t->timer);
-+
-+    if (timer_overflow_interrupt(t)) {
-+        t->level = !t->level;
-+        qemu_set_irq(t->irq, t->level);
-+    }
-+
-+    t->start = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
-+    return calculate_time(t, MAX(MAX(t->match[0], t->match[1]), 0));
- }
- static void aspeed_timer_mod(AspeedTimer *t)
---
-.20.1

-[Qemu-devel] [PULL 16/46] aspeed/timer: Status register contains reload for stopped timer
+Deleted patch
-From: Andrew Jeffery <andrew@aj.id.au>
-From the datasheet:
-  This register stores the current status of counter #N. When timer
-  enable bit TMC30[N * b] is disabled, the reload register will be
-  loaded into this counter. When timer bit TMC30[N * b] is set, the
-  counter will start to decrement. CPU can update this register value
-  when enable bit is set.
-Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
-Signed-off-by: Cédric Le Goater <clg@kaod.org>
-Reviewed-by: Joel Stanley <joel@jms.id.au>
-Message-id: 20190618165311.27066-9-clg@kaod.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/timer/aspeed_timer.c | 6 +++++-
-file changed, 5 insertions(+), 1 deletion(-)
-diff --git a/hw/timer/aspeed_timer.c b/hw/timer/aspeed_timer.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/timer/aspeed_timer.c
-+++ b/hw/timer/aspeed_timer.c
-@@ -XXX,XX +XXX,XX @@ static uint64_t aspeed_timer_get_value(AspeedTimer *t, int reg)
-     switch (reg) {
-     case TIMER_REG_STATUS:
--        value = calculate_ticks(t, qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL));
-+        if (timer_enabled(t)) {
-+            value = calculate_ticks(t, qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL));
-+        } else {
-+            value = t->reload;
-+        }
-         break;
-     case TIMER_REG_RELOAD:
-         value = t->reload;
---
-.20.1

-[Qemu-devel] [PULL 17/46] aspeed/timer: Fix match calculations
+Deleted patch
-From: Andrew Jeffery <andrew@aj.id.au>
-If the match value exceeds reload then we don't want to include it in
-calculations for the next event.
-Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
-Signed-off-by: Cédric Le Goater <clg@kaod.org>
-Message-id: 20190618165311.27066-10-clg@kaod.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/timer/aspeed_timer.c | 13 ++++++++++---
-file changed, 10 insertions(+), 3 deletions(-)
-diff --git a/hw/timer/aspeed_timer.c b/hw/timer/aspeed_timer.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/timer/aspeed_timer.c
-+++ b/hw/timer/aspeed_timer.c
-@@ -XXX,XX +XXX,XX @@ static inline uint64_t calculate_time(struct AspeedTimer *t, uint32_t ticks)
-     return t->start + delta_ns;
- }
-+static inline uint32_t calculate_match(struct AspeedTimer *t, int i)
-+{
-+    return t->match[i] < t->reload ? t->match[i] : 0;
-+}
-+
- static uint64_t calculate_next(struct AspeedTimer *t)
- {
-     uint64_t now = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
-@@ -XXX,XX +XXX,XX @@ static uint64_t calculate_next(struct AspeedTimer *t)
-      * the timer counts down to zero.
-      */
--    next = calculate_time(t, MAX(t->match[0], t->match[1]));
-+    next = calculate_time(t, MAX(calculate_match(t, 0), calculate_match(t, 1)));
-     if (now < next) {
-         return next;
-     }
--    next = calculate_time(t, MIN(t->match[0], t->match[1]));
-+    next = calculate_time(t, MIN(calculate_match(t, 0), calculate_match(t, 1)));
-     if (now < next) {
-         return next;
-     }
-@@ -XXX,XX +XXX,XX @@ static uint64_t calculate_next(struct AspeedTimer *t)
-         qemu_set_irq(t->irq, t->level);
-     }
-+    next = MAX(MAX(calculate_match(t, 0), calculate_match(t, 1)), 0);
-     t->start = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
--    return calculate_time(t, MAX(MAX(t->match[0], t->match[1]), 0));
-+
-+    return calculate_time(t, next);
- }
- static void aspeed_timer_mod(AspeedTimer *t)
---
-.20.1

-[Qemu-devel] [PULL 18/46] aspeed/timer: Ensure positive muldiv delta
+Deleted patch
-From: Christian Svensson <bluecmd@google.com>
-If the host decrements the counter register that results in a negative
-delta. This is then passed to muldiv64 which only handles unsigned
-numbers resulting in bogus results.
-This fix ensures the delta being operated on is positive.
-Test case: kexec a kernel using aspeed_timer and it will freeze on the
-second bootup when the kernel initializes the timer. With this patch
-that no longer happens and the timer appears to run OK.
-Signed-off-by: Christian Svensson <bluecmd@google.com>
-Signed-off-by: Cédric Le Goater <clg@kaod.org>
-Reviewed-by: Joel Stanley <joel@jms.id.au>
-Reviewed-by: Andrew Jeffery <andrew@aj.id.au>
-Message-id: 20190618165311.27066-12-clg@kaod.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/timer/aspeed_timer.c | 6 +++++-
-file changed, 5 insertions(+), 1 deletion(-)
-diff --git a/hw/timer/aspeed_timer.c b/hw/timer/aspeed_timer.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/timer/aspeed_timer.c
-+++ b/hw/timer/aspeed_timer.c
-@@ -XXX,XX +XXX,XX @@ static void aspeed_timer_set_value(AspeedTimerCtrlState *s, int timer, int reg,
-             int64_t delta = (int64_t) value - (int64_t) calculate_ticks(t, now);
-             uint32_t rate = calculate_rate(t);
--            t->start += muldiv64(delta, NANOSECONDS_PER_SECOND, rate);
-+            if (delta >= 0) {
-+                t->start += muldiv64(delta, NANOSECONDS_PER_SECOND, rate);
-+            } else {
-+                t->start -= muldiv64(-delta, NANOSECONDS_PER_SECOND, rate);
-+            }
-             aspeed_timer_mod(t);
-         }
-         break;
---
-.20.1

-[Qemu-devel] [PULL 19/46] aspeed: remove the "ram" link
+Deleted patch
-From: Cédric Le Goater <clg@kaod.org>
-It has never been used as far as I can tell from the git history.
-Signed-off-by: Cédric Le Goater <clg@kaod.org>
-Reviewed-by: Joel Stanley <joel@jms.id.au>
-Message-id: 20190618165311.27066-13-clg@kaod.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/arm/aspeed.c | 2 --
-file changed, 2 deletions(-)
-diff --git a/hw/arm/aspeed.c b/hw/arm/aspeed.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/aspeed.c
-+++ b/hw/arm/aspeed.c
-@@ -XXX,XX +XXX,XX @@ static void aspeed_board_init(MachineState *machine,
-     memory_region_allocate_system_memory(&bmc->ram, NULL, "ram", ram_size);
-     memory_region_add_subregion(get_system_memory(),
-                                 sc->info->memmap[ASPEED_SDRAM], &bmc->ram);
--    object_property_add_const_link(OBJECT(&bmc->soc), "ram", OBJECT(&bmc->ram),
--                                   &error_abort);
-     max_ram_size = object_property_get_uint(OBJECT(&bmc->soc), "max-ram-size",
-                                             &error_abort);
---
-.20.1

-[Qemu-devel] [PULL 20/46] aspeed: add a RAM memory region container
+Deleted patch
-From: Cédric Le Goater <clg@kaod.org>
-The RAM memory region is defined after the SoC is realized when the
-SDMC controller has checked that the defined RAM size for the machine
-is correct. This is problematic for controller models requiring a link
-on the RAM region, for DMA support in the SMC controller for instance.
-Introduce a container memory region for the RAM that we can link into
-the controllers early, before the SoC is realized. It will be
-populated with the RAM region after the checks have be done.
-Signed-off-by: Cédric Le Goater <clg@kaod.org>
-Reviewed-by: Joel Stanley <joel@jms.id.au>
-Message-id: 20190618165311.27066-14-clg@kaod.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/arm/aspeed.c | 13 +++++++++----
-file changed, 9 insertions(+), 4 deletions(-)
-diff --git a/hw/arm/aspeed.c b/hw/arm/aspeed.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/aspeed.c
-+++ b/hw/arm/aspeed.c
-@@ -XXX,XX +XXX,XX @@ static struct arm_boot_info aspeed_board_binfo = {
- struct AspeedBoardState {
-     AspeedSoCState soc;
-+    MemoryRegion ram_container;
-     MemoryRegion ram;
-     MemoryRegion max_ram;
- };
-@@ -XXX,XX +XXX,XX @@ static void aspeed_board_init(MachineState *machine,
-     ram_addr_t max_ram_size;
-     bmc = g_new0(AspeedBoardState, 1);
-+
-+    memory_region_init(&bmc->ram_container, NULL, "aspeed-ram-container",
-+                       UINT32_MAX);
-+
-     object_initialize_child(OBJECT(machine), "soc", &bmc->soc,
-                             (sizeof(bmc->soc)), cfg->soc_name, &error_abort,
-                             NULL);
-@@ -XXX,XX +XXX,XX @@ static void aspeed_board_init(MachineState *machine,
-                                         &error_abort);
-     memory_region_allocate_system_memory(&bmc->ram, NULL, "ram", ram_size);
-+    memory_region_add_subregion(&bmc->ram_container, 0, &bmc->ram);
-     memory_region_add_subregion(get_system_memory(),
--                                sc->info->memmap[ASPEED_SDRAM], &bmc->ram);
-+                                sc->info->memmap[ASPEED_SDRAM],
-+                                &bmc->ram_container);
-     max_ram_size = object_property_get_uint(OBJECT(&bmc->soc), "max-ram-size",
-                                             &error_abort);
-     memory_region_init_io(&bmc->max_ram, NULL, &max_ram_ops, NULL,
-                           "max_ram", max_ram_size  - ram_size);
--    memory_region_add_subregion(get_system_memory(),
--                                sc->info->memmap[ASPEED_SDRAM] + ram_size,
--                                &bmc->max_ram);
-+    memory_region_add_subregion(&bmc->ram_container, ram_size, &bmc->max_ram);
-     aspeed_board_init_flashes(&bmc->soc.fmc, cfg->fmc_model, &error_abort);
-     aspeed_board_init_flashes(&bmc->soc.spi[0], cfg->spi_model, &error_abort);
---
-.20.1

-[Qemu-devel] [PULL 21/46] aspeed/smc: add a 'sdram_base' property
+Deleted patch
-From: Cédric Le Goater <clg@kaod.org>
-The DRAM address of a DMA transaction depends on the DRAM base address
-of the SoC. Inform the SMC controller model with this value.
-Signed-off-by: Cédric Le Goater <clg@kaod.org>
-Reviewed-by: Joel Stanley <joel@jms.id.au>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20190618165311.27066-15-clg@kaod.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- include/hw/ssi/aspeed_smc.h | 3 +++
- hw/arm/aspeed_soc.c         | 6 ++++++
- hw/ssi/aspeed_smc.c         | 1 +
-files changed, 10 insertions(+)
-diff --git a/include/hw/ssi/aspeed_smc.h b/include/hw/ssi/aspeed_smc.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/hw/ssi/aspeed_smc.h
-+++ b/include/hw/ssi/aspeed_smc.h
-@@ -XXX,XX +XXX,XX @@ typedef struct AspeedSMCState {
-     uint8_t r_timings;
-     uint8_t conf_enable_w0;
-+    /* for DMA support */
-+    uint64_t sdram_base;
-+
-     AspeedSMCFlash *flashes;
-     uint8_t snoop_index;
-diff --git a/hw/arm/aspeed_soc.c b/hw/arm/aspeed_soc.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/aspeed_soc.c
-+++ b/hw/arm/aspeed_soc.c
-@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_realize(DeviceState *dev, Error **errp)
-                        aspeed_soc_get_irq(s, ASPEED_I2C));
-     /* FMC, The number of CS is set at the board level */
-+    object_property_set_int(OBJECT(&s->fmc), sc->info->memmap[ASPEED_SDRAM],
-+                            "sdram-base", &err);
-+    if (err) {
-+        error_propagate(errp, err);
-+        return;
-+    }
-     object_property_set_bool(OBJECT(&s->fmc), true, "realized", &err);
-     if (err) {
-         error_propagate(errp, err);
-diff --git a/hw/ssi/aspeed_smc.c b/hw/ssi/aspeed_smc.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/ssi/aspeed_smc.c
-+++ b/hw/ssi/aspeed_smc.c
-@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_aspeed_smc = {
- static Property aspeed_smc_properties[] = {
-     DEFINE_PROP_UINT32("num-cs", AspeedSMCState, num_cs, 1),
-+    DEFINE_PROP_UINT64("sdram-base", AspeedSMCState, sdram_base, 0),
-     DEFINE_PROP_END_OF_LIST(),
- };
---
-.20.1

-[Qemu-devel] [PULL 22/46] aspeed: Add support for the swift-bmc board
+Deleted patch
-From: Adriana Kobylak <anoo@us.ibm.com>
-The Swift board is an OpenPOWER system hosting POWER processors.
-Add support for their BMC including the I2C devices as found on HW.
-Signed-off-by: Adriana Kobylak <anoo@us.ibm.com>
-Reviewed-by: Cédric Le Goater <clg@kaod.org>
-Reviewed-by: Joel Stanley <joel@jms.id.au>
-Message-id: 20190618165311.27066-20-clg@kaod.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/arm/aspeed.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++++
-file changed, 50 insertions(+)
-diff --git a/hw/arm/aspeed.c b/hw/arm/aspeed.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/aspeed.c
-+++ b/hw/arm/aspeed.c
-@@ -XXX,XX +XXX,XX @@ struct AspeedBoardState {
-         SCU_AST2500_HW_STRAP_ACPI_ENABLE |                              \
-         SCU_HW_STRAP_SPI_MODE(SCU_HW_STRAP_SPI_MASTER))
-+/* Swift hardware value: 0xF11AD206 */
-+#define SWIFT_BMC_HW_STRAP1 (                                           \
-+        AST2500_HW_STRAP1_DEFAULTS |                                    \
-+        SCU_AST2500_HW_STRAP_SPI_AUTOFETCH_ENABLE |                     \
-+        SCU_AST2500_HW_STRAP_GPIO_STRAP_ENABLE |                        \
-+        SCU_AST2500_HW_STRAP_UART_DEBUG |                               \
-+        SCU_AST2500_HW_STRAP_DDR4_ENABLE |                              \
-+        SCU_H_PLL_BYPASS_EN |                                           \
-+        SCU_AST2500_HW_STRAP_ACPI_ENABLE |                              \
-+        SCU_HW_STRAP_SPI_MODE(SCU_HW_STRAP_SPI_MASTER))
-+
- /* Witherspoon hardware value: 0xF10AD216 (but use romulus definition) */
- #define WITHERSPOON_BMC_HW_STRAP1 ROMULUS_BMC_HW_STRAP1
-@@ -XXX,XX +XXX,XX @@ static void romulus_bmc_i2c_init(AspeedBoardState *bmc)
-     i2c_create_slave(aspeed_i2c_get_bus(DEVICE(&soc->i2c), 11), "ds1338", 0x32);
- }
-+static void swift_bmc_i2c_init(AspeedBoardState *bmc)
-+{
-+    AspeedSoCState *soc = &bmc->soc;
-+
-+    i2c_create_slave(aspeed_i2c_get_bus(DEVICE(&soc->i2c), 3), "pca9552", 0x60);
-+
-+    /* The swift board expects a TMP275 but a TMP105 is compatible */
-+    i2c_create_slave(aspeed_i2c_get_bus(DEVICE(&soc->i2c), 7), "tmp105", 0x48);
-+    /* The swift board expects a pca9551 but a pca9552 is compatible */
-+    i2c_create_slave(aspeed_i2c_get_bus(DEVICE(&soc->i2c), 7), "pca9552", 0x60);
-+
-+    /* The swift board expects an Epson RX8900 RTC but a ds1338 is compatible */
-+    i2c_create_slave(aspeed_i2c_get_bus(DEVICE(&soc->i2c), 8), "ds1338", 0x32);
-+    i2c_create_slave(aspeed_i2c_get_bus(DEVICE(&soc->i2c), 8), "pca9552", 0x60);
-+
-+    i2c_create_slave(aspeed_i2c_get_bus(DEVICE(&soc->i2c), 9), "tmp423", 0x4c);
-+    /* The swift board expects a pca9539 but a pca9552 is compatible */
-+    i2c_create_slave(aspeed_i2c_get_bus(DEVICE(&soc->i2c), 9), "pca9552", 0x74);
-+
-+    i2c_create_slave(aspeed_i2c_get_bus(DEVICE(&soc->i2c), 10), "tmp423", 0x4c);
-+    /* The swift board expects a pca9539 but a pca9552 is compatible */
-+    i2c_create_slave(aspeed_i2c_get_bus(DEVICE(&soc->i2c), 10), "pca9552",
-+                     0x74);
-+
-+    /* The swift board expects a TMP275 but a TMP105 is compatible */
-+    i2c_create_slave(aspeed_i2c_get_bus(DEVICE(&soc->i2c), 12), "tmp105", 0x48);
-+    i2c_create_slave(aspeed_i2c_get_bus(DEVICE(&soc->i2c), 12), "tmp105", 0x4a);
-+}
-+
- static void witherspoon_bmc_i2c_init(AspeedBoardState *bmc)
- {
-     AspeedSoCState *soc = &bmc->soc;
-@@ -XXX,XX +XXX,XX @@ static const AspeedBoardConfig aspeed_boards[] = {
-         .num_cs    = 2,
-         .i2c_init  = romulus_bmc_i2c_init,
-         .ram       = 512 * MiB,
-+    }, {
-+        .name      = MACHINE_TYPE_NAME("swift-bmc"),
-+        .desc      = "OpenPOWER Swift BMC (ARM1176)",
-+        .soc_name  = "ast2500-a1",
-+        .hw_strap1 = SWIFT_BMC_HW_STRAP1,
-+        .fmc_model = "mx66l1g45g",
-+        .spi_model = "mx66l1g45g",
-+        .num_cs    = 2,
-+        .i2c_init  = swift_bmc_i2c_init,
-+        .ram       = 512 * MiB,
-     }, {
-         .name      = MACHINE_TYPE_NAME("witherspoon-bmc"),
-         .desc      = "OpenPOWER Witherspoon BMC (ARM1176)",
---
-.20.1

-[Qemu-devel] [PULL 23/46] hw/misc/aspeed_xdma: New device
+Deleted patch
-From: Eddie James <eajames@linux.ibm.com>
-The XDMA engine embedded in the Aspeed SOCs performs PCI DMA operations
-between the SOC (acting as a BMC) and a host processor in a server.
-The XDMA engine exists on the AST2400, AST2500, and AST2600 SOCs, so
-enable it for all of those. Add trace events on the important register
-writes in the XDMA engine.
-Signed-off-by: Eddie James <eajames@linux.ibm.com>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Signed-off-by: Cédric Le Goater <clg@kaod.org>
-Message-id: 20190618165311.27066-21-clg@kaod.org
-[clg: - changed title ]
-Signed-off-by: Cédric Le Goater <clg@kaod.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/misc/Makefile.objs         |   1 +
- include/hw/arm/aspeed_soc.h   |   3 +
- include/hw/misc/aspeed_xdma.h |  30 +++++++
- hw/arm/aspeed_soc.c           |  17 ++++
- hw/misc/aspeed_xdma.c         | 165 ++++++++++++++++++++++++++++++++++
- hw/misc/trace-events          |   3 +
-files changed, 219 insertions(+)
- create mode 100644 include/hw/misc/aspeed_xdma.h
- create mode 100644 hw/misc/aspeed_xdma.c
-diff --git a/hw/misc/Makefile.objs b/hw/misc/Makefile.objs
-index XXXXXXX..XXXXXXX 100644
---- a/hw/misc/Makefile.objs
-+++ b/hw/misc/Makefile.objs
-@@ -XXX,XX +XXX,XX @@ obj-$(CONFIG_ARMSSE_MHU) += armsse-mhu.o
- obj-$(CONFIG_PVPANIC) += pvpanic.o
- obj-$(CONFIG_AUX) += auxbus.o
-+obj-$(CONFIG_ASPEED_SOC) += aspeed_xdma.o
- obj-$(CONFIG_ASPEED_SOC) += aspeed_scu.o aspeed_sdmc.o
- obj-$(CONFIG_MSF2) += msf2-sysreg.o
- obj-$(CONFIG_NRF51_SOC) += nrf51_rng.o
-diff --git a/include/hw/arm/aspeed_soc.h b/include/hw/arm/aspeed_soc.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/aspeed_soc.h
-+++ b/include/hw/arm/aspeed_soc.h
-@@ -XXX,XX +XXX,XX @@
- #include "hw/intc/aspeed_vic.h"
- #include "hw/misc/aspeed_scu.h"
- #include "hw/misc/aspeed_sdmc.h"
-+#include "hw/misc/aspeed_xdma.h"
- #include "hw/timer/aspeed_timer.h"
- #include "hw/timer/aspeed_rtc.h"
- #include "hw/i2c/aspeed_i2c.h"
-@@ -XXX,XX +XXX,XX @@ typedef struct AspeedSoCState {
-     AspeedTimerCtrlState timerctrl;
-     AspeedI2CState i2c;
-     AspeedSCUState scu;
-+    AspeedXDMAState xdma;
-     AspeedSMCState fmc;
-     AspeedSMCState spi[ASPEED_SPIS_NUM];
-     AspeedSDMCState sdmc;
-@@ -XXX,XX +XXX,XX @@ enum {
-     ASPEED_ETH1,
-     ASPEED_ETH2,
-     ASPEED_SDRAM,
-+    ASPEED_XDMA,
- };
- #endif /* ASPEED_SOC_H */
-diff --git a/include/hw/misc/aspeed_xdma.h b/include/hw/misc/aspeed_xdma.h
-new file mode 100644
-index XXXXXXX..XXXXXXX
---- /dev/null
-+++ b/include/hw/misc/aspeed_xdma.h
-@@ -XXX,XX +XXX,XX @@
-+/*
-+ * ASPEED XDMA Controller
-+ * Eddie James <eajames@linux.ibm.com>
-+ *
-+ * Copyright (C) 2019 IBM Corp.
-+ * SPDX-License-Identifer: GPL-2.0-or-later
-+ */
-+
-+#ifndef ASPEED_XDMA_H
-+#define ASPEED_XDMA_H
-+
-+#include "hw/sysbus.h"
-+
-+#define TYPE_ASPEED_XDMA "aspeed.xdma"
-+#define ASPEED_XDMA(obj) OBJECT_CHECK(AspeedXDMAState, (obj), TYPE_ASPEED_XDMA)
-+
-+#define ASPEED_XDMA_NUM_REGS (ASPEED_XDMA_REG_SIZE / sizeof(uint32_t))
-+#define ASPEED_XDMA_REG_SIZE 0x7C
-+
-+typedef struct AspeedXDMAState {
-+    SysBusDevice parent;
-+
-+    MemoryRegion iomem;
-+    qemu_irq irq;
-+
-+    char bmc_cmdq_readp_set;
-+    uint32_t regs[ASPEED_XDMA_NUM_REGS];
-+} AspeedXDMAState;
-+
-+#endif /* ASPEED_XDMA_H */
-diff --git a/hw/arm/aspeed_soc.c b/hw/arm/aspeed_soc.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/aspeed_soc.c
-+++ b/hw/arm/aspeed_soc.c
-@@ -XXX,XX +XXX,XX @@ static const hwaddr aspeed_soc_ast2400_memmap[] = {
-     [ASPEED_VIC]    = 0x1E6C0000,
-     [ASPEED_SDMC]   = 0x1E6E0000,
-     [ASPEED_SCU]    = 0x1E6E2000,
-+    [ASPEED_XDMA]   = 0x1E6E7000,
-     [ASPEED_ADC]    = 0x1E6E9000,
-     [ASPEED_SRAM]   = 0x1E720000,
-     [ASPEED_GPIO]   = 0x1E780000,
-@@ -XXX,XX +XXX,XX @@ static const hwaddr aspeed_soc_ast2500_memmap[] = {
-     [ASPEED_VIC]    = 0x1E6C0000,
-     [ASPEED_SDMC]   = 0x1E6E0000,
-     [ASPEED_SCU]    = 0x1E6E2000,
-+    [ASPEED_XDMA]   = 0x1E6E7000,
-     [ASPEED_ADC]    = 0x1E6E9000,
-     [ASPEED_SRAM]   = 0x1E720000,
-     [ASPEED_GPIO]   = 0x1E780000,
-@@ -XXX,XX +XXX,XX @@ static const int aspeed_soc_ast2400_irqmap[] = {
-     [ASPEED_I2C]    = 12,
-     [ASPEED_ETH1]   = 2,
-     [ASPEED_ETH2]   = 3,
-+    [ASPEED_XDMA]   = 6,
- };
- #define aspeed_soc_ast2500_irqmap aspeed_soc_ast2400_irqmap
-@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_init(Object *obj)
-         sysbus_init_child_obj(obj, "ftgmac100[*]", OBJECT(&s->ftgmac100[i]),
-                               sizeof(s->ftgmac100[i]), TYPE_FTGMAC100);
-     }
-+
-+    sysbus_init_child_obj(obj, "xdma", OBJECT(&s->xdma), sizeof(s->xdma),
-+                          TYPE_ASPEED_XDMA);
- }
- static void aspeed_soc_realize(DeviceState *dev, Error **errp)
-@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_realize(DeviceState *dev, Error **errp)
-         sysbus_connect_irq(SYS_BUS_DEVICE(&s->ftgmac100[i]), 0,
-                            aspeed_soc_get_irq(s, ASPEED_ETH1 + i));
-     }
-+
-+    /* XDMA */
-+    object_property_set_bool(OBJECT(&s->xdma), true, "realized", &err);
-+    if (err) {
-+        error_propagate(errp, err);
-+        return;
-+    }
-+    sysbus_mmio_map(SYS_BUS_DEVICE(&s->xdma), 0,
-+                    sc->info->memmap[ASPEED_XDMA]);
-+    sysbus_connect_irq(SYS_BUS_DEVICE(&s->xdma), 0,
-+                       aspeed_soc_get_irq(s, ASPEED_XDMA));
- }
- static Property aspeed_soc_properties[] = {
-     DEFINE_PROP_UINT32("num-cpus", AspeedSoCState, num_cpus, 0),
-diff --git a/hw/misc/aspeed_xdma.c b/hw/misc/aspeed_xdma.c
-new file mode 100644
-index XXXXXXX..XXXXXXX
---- /dev/null
-+++ b/hw/misc/aspeed_xdma.c
-@@ -XXX,XX +XXX,XX @@
-+/*
-+ * ASPEED XDMA Controller
-+ * Eddie James <eajames@linux.ibm.com>
-+ *
-+ * Copyright (C) 2019 IBM Corp
-+ * SPDX-License-Identifer: GPL-2.0-or-later
-+ */
-+
-+#include "qemu/osdep.h"
-+#include "qemu/log.h"
-+#include "qemu/error-report.h"
-+#include "hw/misc/aspeed_xdma.h"
-+#include "qapi/error.h"
-+
-+#include "trace.h"
-+
-+#define XDMA_BMC_CMDQ_ADDR         0x10
-+#define XDMA_BMC_CMDQ_ENDP         0x14
-+#define XDMA_BMC_CMDQ_WRP          0x18
-+#define  XDMA_BMC_CMDQ_W_MASK      0x0003FFFF
-+#define XDMA_BMC_CMDQ_RDP          0x1C
-+#define  XDMA_BMC_CMDQ_RDP_MAGIC   0xEE882266
-+#define XDMA_IRQ_ENG_CTRL          0x20
-+#define  XDMA_IRQ_ENG_CTRL_US_COMP BIT(4)
-+#define  XDMA_IRQ_ENG_CTRL_DS_COMP BIT(5)
-+#define  XDMA_IRQ_ENG_CTRL_W_MASK  0xBFEFF07F
-+#define XDMA_IRQ_ENG_STAT          0x24
-+#define  XDMA_IRQ_ENG_STAT_US_COMP BIT(4)
-+#define  XDMA_IRQ_ENG_STAT_DS_COMP BIT(5)
-+#define  XDMA_IRQ_ENG_STAT_RESET   0xF8000000
-+#define XDMA_MEM_SIZE              0x1000
-+
-+#define TO_REG(addr) ((addr) / sizeof(uint32_t))
-+
-+static uint64_t aspeed_xdma_read(void *opaque, hwaddr addr, unsigned int size)
-+{
-+    uint32_t val = 0;
-+    AspeedXDMAState *xdma = opaque;
-+
-+    if (addr < ASPEED_XDMA_REG_SIZE) {
-+        val = xdma->regs[TO_REG(addr)];
-+    }
-+
-+    return (uint64_t)val;
-+}
-+
-+static void aspeed_xdma_write(void *opaque, hwaddr addr, uint64_t val,
-+                              unsigned int size)
-+{
-+    unsigned int idx;
-+    uint32_t val32 = (uint32_t)val;
-+    AspeedXDMAState *xdma = opaque;
-+
-+    if (addr >= ASPEED_XDMA_REG_SIZE) {
-+        return;
-+    }
-+
-+    switch (addr) {
-+    case XDMA_BMC_CMDQ_ENDP:
-+        xdma->regs[TO_REG(addr)] = val32 & XDMA_BMC_CMDQ_W_MASK;
-+        break;
-+    case XDMA_BMC_CMDQ_WRP:
-+        idx = TO_REG(addr);
-+        xdma->regs[idx] = val32 & XDMA_BMC_CMDQ_W_MASK;
-+        xdma->regs[TO_REG(XDMA_BMC_CMDQ_RDP)] = xdma->regs[idx];
-+
-+        trace_aspeed_xdma_write(addr, val);
-+
-+        if (xdma->bmc_cmdq_readp_set) {
-+            xdma->bmc_cmdq_readp_set = 0;
-+        } else {
-+            xdma->regs[TO_REG(XDMA_IRQ_ENG_STAT)] |=
-+                XDMA_IRQ_ENG_STAT_US_COMP | XDMA_IRQ_ENG_STAT_DS_COMP;
-+
-+            if (xdma->regs[TO_REG(XDMA_IRQ_ENG_CTRL)] &
-+                (XDMA_IRQ_ENG_CTRL_US_COMP | XDMA_IRQ_ENG_CTRL_DS_COMP))
-+                qemu_irq_raise(xdma->irq);
-+        }
-+        break;
-+    case XDMA_BMC_CMDQ_RDP:
-+        trace_aspeed_xdma_write(addr, val);
-+
-+        if (val32 == XDMA_BMC_CMDQ_RDP_MAGIC) {
-+            xdma->bmc_cmdq_readp_set = 1;
-+        }
-+        break;
-+    case XDMA_IRQ_ENG_CTRL:
-+        xdma->regs[TO_REG(addr)] = val32 & XDMA_IRQ_ENG_CTRL_W_MASK;
-+        break;
-+    case XDMA_IRQ_ENG_STAT:
-+        trace_aspeed_xdma_write(addr, val);
-+
-+        idx = TO_REG(addr);
-+        if (val32 & (XDMA_IRQ_ENG_STAT_US_COMP | XDMA_IRQ_ENG_STAT_DS_COMP)) {
-+            xdma->regs[idx] &=
-+                ~(XDMA_IRQ_ENG_STAT_US_COMP | XDMA_IRQ_ENG_STAT_DS_COMP);
-+            qemu_irq_lower(xdma->irq);
-+        }
-+        break;
-+    default:
-+        xdma->regs[TO_REG(addr)] = val32;
-+        break;
-+    }
-+}
-+
-+static const MemoryRegionOps aspeed_xdma_ops = {
-+    .read = aspeed_xdma_read,
-+    .write = aspeed_xdma_write,
-+    .endianness = DEVICE_NATIVE_ENDIAN,
-+    .valid.min_access_size = 4,
-+    .valid.max_access_size = 4,
-+};
-+
-+static void aspeed_xdma_realize(DeviceState *dev, Error **errp)
-+{
-+    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
-+    AspeedXDMAState *xdma = ASPEED_XDMA(dev);
-+
-+    sysbus_init_irq(sbd, &xdma->irq);
-+    memory_region_init_io(&xdma->iomem, OBJECT(xdma), &aspeed_xdma_ops, xdma,
-+                          TYPE_ASPEED_XDMA, XDMA_MEM_SIZE);
-+    sysbus_init_mmio(sbd, &xdma->iomem);
-+}
-+
-+static void aspeed_xdma_reset(DeviceState *dev)
-+{
-+    AspeedXDMAState *xdma = ASPEED_XDMA(dev);
-+
-+    xdma->bmc_cmdq_readp_set = 0;
-+    memset(xdma->regs, 0, ASPEED_XDMA_REG_SIZE);
-+    xdma->regs[TO_REG(XDMA_IRQ_ENG_STAT)] = XDMA_IRQ_ENG_STAT_RESET;
-+
-+    qemu_irq_lower(xdma->irq);
-+}
-+
-+static const VMStateDescription aspeed_xdma_vmstate = {
-+    .name = TYPE_ASPEED_XDMA,
-+    .version_id = 1,
-+    .fields = (VMStateField[]) {
-+        VMSTATE_UINT32_ARRAY(regs, AspeedXDMAState, ASPEED_XDMA_NUM_REGS),
-+        VMSTATE_END_OF_LIST(),
-+    },
-+};
-+
-+static void aspeed_xdma_class_init(ObjectClass *classp, void *data)
-+{
-+    DeviceClass *dc = DEVICE_CLASS(classp);
-+
-+    dc->realize = aspeed_xdma_realize;
-+    dc->reset = aspeed_xdma_reset;
-+    dc->vmsd = &aspeed_xdma_vmstate;
-+}
-+
-+static const TypeInfo aspeed_xdma_info = {
-+    .name          = TYPE_ASPEED_XDMA,
-+    .parent        = TYPE_SYS_BUS_DEVICE,
-+    .instance_size = sizeof(AspeedXDMAState),
-+    .class_init    = aspeed_xdma_class_init,
-+};
-+
-+static void aspeed_xdma_register_type(void)
-+{
-+    type_register_static(&aspeed_xdma_info);
-+}
-+type_init(aspeed_xdma_register_type);
-diff --git a/hw/misc/trace-events b/hw/misc/trace-events
-index XXXXXXX..XXXXXXX 100644
---- a/hw/misc/trace-events
-+++ b/hw/misc/trace-events
-@@ -XXX,XX +XXX,XX @@ armsse_cpuid_write(uint64_t offset, uint64_t data, unsigned size) "SSE-200 CPU_I
- # armsse-mhu.c
- armsse_mhu_read(uint64_t offset, uint64_t data, unsigned size) "SSE-200 MHU read: offset 0x%" PRIx64 " data 0x%" PRIx64 " size %u"
- armsse_mhu_write(uint64_t offset, uint64_t data, unsigned size) "SSE-200 MHU write: offset 0x%" PRIx64 " data 0x%" PRIx64 " size %u"
-+
-+# aspeed_xdma.c
-+aspeed_xdma_write(uint64_t offset, uint64_t data) "XDMA write: offset 0x%" PRIx64 " data 0x%" PRIx64
---
-.20.1

-[Qemu-devel] [PULL 24/46] aspeed: vic: Add support for legacy register interface
+Deleted patch
-From: Andrew Jeffery <andrew@aj.id.au>
-The legacy interface only supported up to 32 IRQs, which became
-restrictive around the AST2400 generation. QEMU support for the SoCs
-started with the AST2400 along with an effort to reimplement and
-upstream drivers for Linux, so up until this point the consumers of the
-QEMU ASPEED support only required the 64 IRQ register interface.
-In an effort to support older BMC firmware, add support for the 32 IRQ
-interface.
-Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
-Signed-off-by: Cédric Le Goater <clg@kaod.org>
-Reviewed-by: Joel Stanley <joel@jms.id.au>
-Message-id: 20190618165311.27066-22-clg@kaod.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/intc/aspeed_vic.c | 105 ++++++++++++++++++++++++++-----------------
-file changed, 63 insertions(+), 42 deletions(-)
-diff --git a/hw/intc/aspeed_vic.c b/hw/intc/aspeed_vic.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/intc/aspeed_vic.c
-+++ b/hw/intc/aspeed_vic.c
-@@ -XXX,XX +XXX,XX @@ static void aspeed_vic_set_irq(void *opaque, int irq, int level)
- static uint64_t aspeed_vic_read(void *opaque, hwaddr offset, unsigned size)
- {
--    uint64_t val;
--    const bool high = !!(offset & 0x4);
--    hwaddr n_offset = (offset & ~0x4);
-     AspeedVICState *s = (AspeedVICState *)opaque;
-+    hwaddr n_offset;
-+    uint64_t val;
-+    bool high;
-     if (offset < AVIC_NEW_BASE_OFFSET) {
--        qemu_log_mask(LOG_UNIMP, "%s: Ignoring read from legacy registers "
--                      "at 0x%" HWADDR_PRIx "[%u]\n", __func__, offset, size);
--        return 0;
-+        high = false;
-+        n_offset = offset;
-+    } else {
-+        high = !!(offset & 0x4);
-+        n_offset = (offset & ~0x4);
-     }
--    n_offset -= AVIC_NEW_BASE_OFFSET;
--
-     switch (n_offset) {
--    case 0x0: /* IRQ Status */
-+    case 0x80: /* IRQ Status */
-+    case 0x00:
-         val = s->raw & ~s->select & s->enable;
-         break;
--    case 0x08: /* FIQ Status */
-+    case 0x88: /* FIQ Status */
-+    case 0x04:
-         val = s->raw & s->select & s->enable;
-         break;
--    case 0x10: /* Raw Interrupt Status */
-+    case 0x90: /* Raw Interrupt Status */
-+    case 0x08:
-         val = s->raw;
-         break;
--    case 0x18: /* Interrupt Selection */
-+    case 0x98: /* Interrupt Selection */
-+    case 0x0c:
-         val = s->select;
-         break;
--    case 0x20: /* Interrupt Enable */
-+    case 0xa0: /* Interrupt Enable */
-+    case 0x10:
-         val = s->enable;
-         break;
--    case 0x30: /* Software Interrupt */
-+    case 0xb0: /* Software Interrupt */
-+    case 0x18:
-         val = s->trigger;
-         break;
--    case 0x40: /* Interrupt Sensitivity */
-+    case 0xc0: /* Interrupt Sensitivity */
-+    case 0x24:
-         val = s->sense;
-         break;
--    case 0x48: /* Interrupt Both Edge Trigger Control */
-+    case 0xc8: /* Interrupt Both Edge Trigger Control */
-+    case 0x28:
-         val = s->dual_edge;
-         break;
--    case 0x50: /* Interrupt Event */
-+    case 0xd0: /* Interrupt Event */
-+    case 0x2c:
-         val = s->event;
-         break;
--    case 0x60: /* Edge Triggered Interrupt Status */
-+    case 0xe0: /* Edge Triggered Interrupt Status */
-         val = s->raw & ~s->sense;
-         break;
-         /* Illegal */
--    case 0x28: /* Interrupt Enable Clear */
--    case 0x38: /* Software Interrupt Clear */
--    case 0x58: /* Edge Triggered Interrupt Clear */
-+    case 0xa8: /* Interrupt Enable Clear */
-+    case 0xb8: /* Software Interrupt Clear */
-+    case 0xd8: /* Edge Triggered Interrupt Clear */
-         qemu_log_mask(LOG_GUEST_ERROR,
-                       "%s: Read of write-only register with offset 0x%"
-                       HWADDR_PRIx "\n", __func__, offset);
-@@ -XXX,XX +XXX,XX @@ static uint64_t aspeed_vic_read(void *opaque, hwaddr offset, unsigned size)
-     }
-     if (high) {
-         val = extract64(val, 32, 19);
-+    } else {
-+        val = extract64(val, 0, 32);
-     }
-     trace_aspeed_vic_read(offset, size, val);
-     return val;
-@@ -XXX,XX +XXX,XX @@ static uint64_t aspeed_vic_read(void *opaque, hwaddr offset, unsigned size)
- static void aspeed_vic_write(void *opaque, hwaddr offset, uint64_t data,
-                              unsigned size)
- {
--    const bool high = !!(offset & 0x4);
--    hwaddr n_offset = (offset & ~0x4);
-     AspeedVICState *s = (AspeedVICState *)opaque;
-+    hwaddr n_offset;
-+    bool high;
-     if (offset < AVIC_NEW_BASE_OFFSET) {
--        qemu_log_mask(LOG_UNIMP,
--                      "%s: Ignoring write to legacy registers at 0x%"
--                      HWADDR_PRIx "[%u] <- 0x%" PRIx64 "\n", __func__, offset,
--                      size, data);
--        return;
-+        high = false;
-+        n_offset = offset;
-+    } else {
-+        high = !!(offset & 0x4);
-+        n_offset = (offset & ~0x4);
-     }
--    n_offset -= AVIC_NEW_BASE_OFFSET;
-     trace_aspeed_vic_write(offset, size, data);
-     /* Given we have members using separate enable/clear registers, deposit64()
-@@ -XXX,XX +XXX,XX @@ static void aspeed_vic_write(void *opaque, hwaddr offset, uint64_t data,
-     }
-     switch (n_offset) {
--    case 0x18: /* Interrupt Selection */
-+    case 0x98: /* Interrupt Selection */
-+    case 0x0c:
-         /* Register has deposit64() semantics - overwrite requested 32 bits */
-         if (high) {
-             s->select &= AVIC_L_MASK;
-@@ -XXX,XX +XXX,XX @@ static void aspeed_vic_write(void *opaque, hwaddr offset, uint64_t data,
-         }
-         s->select |= data;
-         break;
--    case 0x20: /* Interrupt Enable */
-+    case 0xa0: /* Interrupt Enable */
-+    case 0x10:
-         s->enable |= data;
-         break;
--    case 0x28: /* Interrupt Enable Clear */
-+    case 0xa8: /* Interrupt Enable Clear */
-+    case 0x14:
-         s->enable &= ~data;
-         break;
--    case 0x30: /* Software Interrupt */
-+    case 0xb0: /* Software Interrupt */
-+    case 0x18:
-         qemu_log_mask(LOG_UNIMP, "%s: Software interrupts unavailable. "
-                       "IRQs requested: 0x%016" PRIx64 "\n", __func__, data);
-         break;
--    case 0x38: /* Software Interrupt Clear */
-+    case 0xb8: /* Software Interrupt Clear */
-+    case 0x1c:
-         qemu_log_mask(LOG_UNIMP, "%s: Software interrupts unavailable. "
-                       "IRQs to be cleared: 0x%016" PRIx64 "\n", __func__, data);
-         break;
--    case 0x50: /* Interrupt Event */
-+    case 0xd0: /* Interrupt Event */
-         /* Register has deposit64() semantics - overwrite the top four valid
-          * IRQ bits, as only the top four IRQs (GPIOs) can change their event
-          * type */
-@@ -XXX,XX +XXX,XX @@ static void aspeed_vic_write(void *opaque, hwaddr offset, uint64_t data,
-                           "Ignoring invalid write to interrupt event register");
-         }
-         break;
--    case 0x58: /* Edge Triggered Interrupt Clear */
-+    case 0xd8: /* Edge Triggered Interrupt Clear */
-+    case 0x38:
-         s->raw &= ~(data & ~s->sense);
-         break;
--    case 0x00: /* IRQ Status */
--    case 0x08: /* FIQ Status */
--    case 0x10: /* Raw Interrupt Status */
--    case 0x40: /* Interrupt Sensitivity */
--    case 0x48: /* Interrupt Both Edge Trigger Control */
--    case 0x60: /* Edge Triggered Interrupt Status */
-+    case 0x80: /* IRQ Status */
-+    case 0x00:
-+    case 0x88: /* FIQ Status */
-+    case 0x04:
-+    case 0x90: /* Raw Interrupt Status */
-+    case 0x08:
-+    case 0xc0: /* Interrupt Sensitivity */
-+    case 0x24:
-+    case 0xc8: /* Interrupt Both Edge Trigger Control */
-+    case 0x28:
-+    case 0xe0: /* Edge Triggered Interrupt Status */
-         qemu_log_mask(LOG_GUEST_ERROR,
-                       "%s: Write of read-only register with offset 0x%"
-                       HWADDR_PRIx "\n", __func__, offset);
---
-.20.1

-[Qemu-devel] [PULL 25/46] aspeed: Link SCU to the watchdog
+Deleted patch
-From: Joel Stanley <joel@jms.id.au>
-The ast2500 uses the watchdog to reset the SDRAM controller. This
-operation is usually performed by u-boot's memory training procedure,
-and it is enabled by setting a bit in the SCU and then causing the
-watchdog to expire. Therefore, we need the watchdog to be able to
-access the SCU's register space.
-This causes the watchdog to not perform a system reset when the bit is
-set. In the future it could perform a reset of the SDMC model.
-Signed-off-by: Joel Stanley <joel@jms.id.au>
-Signed-off-by: Cédric Le Goater <clg@kaod.org>
-Reviewed-by: Cédric Le Goater <clg@kaod.org>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20190621065242.32535-1-joel@jms.id.au
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- include/hw/watchdog/wdt_aspeed.h |  1 +
- hw/arm/aspeed_soc.c              |  2 ++
- hw/watchdog/wdt_aspeed.c         | 20 ++++++++++++++++++++
-files changed, 23 insertions(+)
-diff --git a/include/hw/watchdog/wdt_aspeed.h b/include/hw/watchdog/wdt_aspeed.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/hw/watchdog/wdt_aspeed.h
-+++ b/include/hw/watchdog/wdt_aspeed.h
-@@ -XXX,XX +XXX,XX @@ typedef struct AspeedWDTState {
-     MemoryRegion iomem;
-     uint32_t regs[ASPEED_WDT_REGS_MAX];
-+    AspeedSCUState *scu;
-     uint32_t pclk_freq;
-     uint32_t silicon_rev;
-     uint32_t ext_pulse_width_mask;
-diff --git a/hw/arm/aspeed_soc.c b/hw/arm/aspeed_soc.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/aspeed_soc.c
-+++ b/hw/arm/aspeed_soc.c
-@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_init(Object *obj)
-                               sizeof(s->wdt[i]), TYPE_ASPEED_WDT);
-         qdev_prop_set_uint32(DEVICE(&s->wdt[i]), "silicon-rev",
-                                     sc->info->silicon_rev);
-+        object_property_add_const_link(OBJECT(&s->wdt[i]), "scu",
-+                                       OBJECT(&s->scu), &error_abort);
-     }
-     for (i = 0; i < ASPEED_MACS_NUM; i++) {
-diff --git a/hw/watchdog/wdt_aspeed.c b/hw/watchdog/wdt_aspeed.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/watchdog/wdt_aspeed.c
-+++ b/hw/watchdog/wdt_aspeed.c
-@@ -XXX,XX +XXX,XX @@
- #define WDT_RESTART_MAGIC               0x4755
-+#define SCU_RESET_CONTROL1              (0x04 / 4)
-+#define    SCU_RESET_SDRAM              BIT(0)
-+
- static bool aspeed_wdt_is_enabled(const AspeedWDTState *s)
- {
-     return s->regs[WDT_CTRL] & WDT_CTRL_ENABLE;
-@@ -XXX,XX +XXX,XX @@ static void aspeed_wdt_timer_expired(void *dev)
- {
-     AspeedWDTState *s = ASPEED_WDT(dev);
-+    /* Do not reset on SDRAM controller reset */
-+    if (s->scu->regs[SCU_RESET_CONTROL1] & SCU_RESET_SDRAM) {
-+        timer_del(s->timer);
-+        s->regs[WDT_CTRL] = 0;
-+        return;
-+    }
-+
-     qemu_log_mask(CPU_LOG_RESET, "Watchdog timer expired.\n");
-     watchdog_perform_action();
-     timer_del(s->timer);
-@@ -XXX,XX +XXX,XX @@ static void aspeed_wdt_realize(DeviceState *dev, Error **errp)
- {
-     SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
-     AspeedWDTState *s = ASPEED_WDT(dev);
-+    Error *err = NULL;
-+    Object *obj;
-+
-+    obj = object_property_get_link(OBJECT(dev), "scu", &err);
-+    if (!obj) {
-+        error_propagate(errp, err);
-+        error_prepend(errp, "required link 'scu' not found: ");
-+        return;
-+    }
-+    s->scu = ASPEED_SCU(obj);
-     if (!is_supported_silicon_rev(s->silicon_rev)) {
-         error_setg(errp, "Unknown silicon revision: 0x%" PRIx32,
---
-.20.1

-[Qemu-devel] [PULL 26/46] hw/arm: Add arm SBSA reference machine, skeleton part
+Deleted patch
-From: Hongbo Zhang <hongbo.zhang@linaro.org>
-For AArch64, the existing "virt" machine is primarily meant to
-run on KVM and execute virtualization workloads, but we need an
-environment as faithful as possible to physical hardware, for supporting
-firmware and OS development for physical Aarch64 machines.
-This patch introduces new machine type 'sbsa-ref' with main features:
- - Based on 'virt' machine type.
- - A new memory map.
- - CPU type cortex-a57.
- - EL2 and EL3 are enabled.
- - GIC version 3.
- - System bus AHCI controller.
- - System bus EHCI controller.
- - CDROM and hard disc on AHCI bus.
- - E1000E ethernet card on PCIE bus.
- - VGA display adaptor on PCIE bus.
- - No virtio devices.
- - No fw_cfg device.
- - No ACPI table supplied.
- - Only minimal device tree nodes.
-Arm Trusted Firmware and UEFI porting to this are done accordingly,
-and the firmware should supply ACPI tables to the guest OS.  The
-minimal device tree nodes supplied by QEMU for this platform are only
-to pass the dynamic info reflecting command line input to firmware,
-not for loading the guest OS.
-To make the review easier, this task is split into two patches, the
-fundamental skeleton part and the peripheral devices part; this patch is
-the first part.
-Signed-off-by: Hongbo Zhang <hongbo.zhang@linaro.org>
-Message-id: 1561890034-15921-2-git-send-email-hongbo.zhang@linaro.org
-[PMM: commit message tweaks; moved some bits between patch 1 and 2
- to ensure patch 1 builds cleanly; removed unneeded lines from
- Kconfig stanza; only provide board for qemu-system-aarch64, not
- qemu-system-arm; added MAINTAINERS entry]
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/arm/Makefile.objs                |   1 +
- hw/arm/sbsa-ref.c                   | 271 ++++++++++++++++++++++++++++
- MAINTAINERS                         |   8 +
- default-configs/aarch64-softmmu.mak |   1 +
- hw/arm/Kconfig                      |  14 ++
-files changed, 295 insertions(+)
- create mode 100644 hw/arm/sbsa-ref.c
-diff --git a/hw/arm/Makefile.objs b/hw/arm/Makefile.objs
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/Makefile.objs
-+++ b/hw/arm/Makefile.objs
-@@ -XXX,XX +XXX,XX @@ obj-$(CONFIG_SPITZ) += spitz.o
- obj-$(CONFIG_TOSA) += tosa.o
- obj-$(CONFIG_Z2) += z2.o
- obj-$(CONFIG_REALVIEW) += realview.o
-+obj-$(CONFIG_SBSA_REF) += sbsa-ref.o
- obj-$(CONFIG_STELLARIS) += stellaris.o
- obj-$(CONFIG_COLLIE) += collie.o
- obj-$(CONFIG_VERSATILE) += versatilepb.o
-diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c
-new file mode 100644
-index XXXXXXX..XXXXXXX
---- /dev/null
-+++ b/hw/arm/sbsa-ref.c
-@@ -XXX,XX +XXX,XX @@
-+/*
-+ * ARM SBSA Reference Platform emulation
-+ *
-+ * Copyright (c) 2018 Linaro Limited
-+ * Written by Hongbo Zhang <hongbo.zhang@linaro.org>
-+ *
-+ * This program is free software; you can redistribute it and/or modify it
-+ * under the terms and conditions of the GNU General Public License,
-+ * version 2 or later, as published by the Free Software Foundation.
-+ *
-+ * This program is distributed in the hope it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
-+ * more details.
-+ *
-+ * You should have received a copy of the GNU General Public License along with
-+ * this program.  If not, see <http://www.gnu.org/licenses/>.
-+ */
-+
-+#include "qemu/osdep.h"
-+#include "qapi/error.h"
-+#include "qemu/error-report.h"
-+#include "qemu/units.h"
-+#include "sysemu/numa.h"
-+#include "sysemu/sysemu.h"
-+#include "exec/address-spaces.h"
-+#include "exec/hwaddr.h"
-+#include "kvm_arm.h"
-+#include "hw/arm/boot.h"
-+#include "hw/boards.h"
-+#include "hw/intc/arm_gicv3_common.h"
-+
-+#define RAMLIMIT_GB 8192
-+#define RAMLIMIT_BYTES (RAMLIMIT_GB * GiB)
-+
-+enum {
-+    SBSA_FLASH,
-+    SBSA_MEM,
-+    SBSA_CPUPERIPHS,
-+    SBSA_GIC_DIST,
-+    SBSA_GIC_REDIST,
-+    SBSA_SMMU,
-+    SBSA_UART,
-+    SBSA_RTC,
-+    SBSA_PCIE,
-+    SBSA_PCIE_MMIO,
-+    SBSA_PCIE_MMIO_HIGH,
-+    SBSA_PCIE_PIO,
-+    SBSA_PCIE_ECAM,
-+    SBSA_GPIO,
-+    SBSA_SECURE_UART,
-+    SBSA_SECURE_UART_MM,
-+    SBSA_SECURE_MEM,
-+    SBSA_AHCI,
-+    SBSA_EHCI,
-+};
-+
-+typedef struct MemMapEntry {
-+    hwaddr base;
-+    hwaddr size;
-+} MemMapEntry;
-+
-+typedef struct {
-+    MachineState parent;
-+    struct arm_boot_info bootinfo;
-+    int smp_cpus;
-+    void *fdt;
-+    int fdt_size;
-+    int psci_conduit;
-+} SBSAMachineState;
-+
-+#define TYPE_SBSA_MACHINE   MACHINE_TYPE_NAME("sbsa-ref")
-+#define SBSA_MACHINE(obj) \
-+    OBJECT_CHECK(SBSAMachineState, (obj), TYPE_SBSA_MACHINE)
-+
-+static const MemMapEntry sbsa_ref_memmap[] = {
-+    /* 512M boot ROM */
-+    [SBSA_FLASH] =              {          0, 0x20000000 },
-+    /* 512M secure memory */
-+    [SBSA_SECURE_MEM] =         { 0x20000000, 0x20000000 },
-+    /* Space reserved for CPU peripheral devices */
-+    [SBSA_CPUPERIPHS] =         { 0x40000000, 0x00040000 },
-+    [SBSA_GIC_DIST] =           { 0x40060000, 0x00010000 },
-+    [SBSA_GIC_REDIST] =         { 0x40080000, 0x04000000 },
-+    [SBSA_UART] =               { 0x60000000, 0x00001000 },
-+    [SBSA_RTC] =                { 0x60010000, 0x00001000 },
-+    [SBSA_GPIO] =               { 0x60020000, 0x00001000 },
-+    [SBSA_SECURE_UART] =        { 0x60030000, 0x00001000 },
-+    [SBSA_SECURE_UART_MM] =     { 0x60040000, 0x00001000 },
-+    [SBSA_SMMU] =               { 0x60050000, 0x00020000 },
-+    /* Space here reserved for more SMMUs */
-+    [SBSA_AHCI] =               { 0x60100000, 0x00010000 },
-+    [SBSA_EHCI] =               { 0x60110000, 0x00010000 },
-+    /* Space here reserved for other devices */
-+    [SBSA_PCIE_PIO] =           { 0x7fff0000, 0x00010000 },
-+    /* 32-bit address PCIE MMIO space */
-+    [SBSA_PCIE_MMIO] =          { 0x80000000, 0x70000000 },
-+    /* 256M PCIE ECAM space */
-+    [SBSA_PCIE_ECAM] =          { 0xf0000000, 0x10000000 },
-+    /* ~1TB PCIE MMIO space (4GB to 1024GB boundary) */
-+    [SBSA_PCIE_MMIO_HIGH] =     { 0x100000000ULL, 0xFF00000000ULL },
-+    [SBSA_MEM] =                { 0x10000000000ULL, RAMLIMIT_BYTES },
-+};
-+
-+static void sbsa_ref_init(MachineState *machine)
-+{
-+    SBSAMachineState *sms = SBSA_MACHINE(machine);
-+    MachineClass *mc = MACHINE_GET_CLASS(machine);
-+    MemoryRegion *sysmem = get_system_memory();
-+    MemoryRegion *secure_sysmem = NULL;
-+    MemoryRegion *ram = g_new(MemoryRegion, 1);
-+    const CPUArchIdList *possible_cpus;
-+    int n, sbsa_max_cpus;
-+
-+    if (strcmp(machine->cpu_type, ARM_CPU_TYPE_NAME("cortex-a57"))) {
-+        error_report("sbsa-ref: CPU type other than the built-in "
-+                     "cortex-a57 not supported");
-+        exit(1);
-+    }
-+
-+    if (kvm_enabled()) {
-+        error_report("sbsa-ref: KVM is not supported for this machine");
-+        exit(1);
-+    }
-+
-+    /*
-+     * This machine has EL3 enabled, external firmware should supply PSCI
-+     * implementation, so the QEMU's internal PSCI is disabled.
-+     */
-+    sms->psci_conduit = QEMU_PSCI_CONDUIT_DISABLED;
-+
-+    sbsa_max_cpus = sbsa_ref_memmap[SBSA_GIC_REDIST].size / GICV3_REDIST_SIZE;
-+
-+    if (max_cpus > sbsa_max_cpus) {
-+        error_report("Number of SMP CPUs requested (%d) exceeds max CPUs "
-+                     "supported by machine 'sbsa-ref' (%d)",
-+                     max_cpus, sbsa_max_cpus);
-+        exit(1);
-+    }
-+
-+    sms->smp_cpus = smp_cpus;
-+
-+    if (machine->ram_size > sbsa_ref_memmap[SBSA_MEM].size) {
-+        error_report("sbsa-ref: cannot model more than %dGB RAM", RAMLIMIT_GB);
-+        exit(1);
-+    }
-+
-+    possible_cpus = mc->possible_cpu_arch_ids(machine);
-+    for (n = 0; n < possible_cpus->len; n++) {
-+        Object *cpuobj;
-+        CPUState *cs;
-+
-+        if (n >= smp_cpus) {
-+            break;
-+        }
-+
-+        cpuobj = object_new(possible_cpus->cpus[n].type);
-+        object_property_set_int(cpuobj, possible_cpus->cpus[n].arch_id,
-+                                "mp-affinity", NULL);
-+
-+        cs = CPU(cpuobj);
-+        cs->cpu_index = n;
-+
-+        numa_cpu_pre_plug(&possible_cpus->cpus[cs->cpu_index], DEVICE(cpuobj),
-+                          &error_fatal);
-+
-+        if (object_property_find(cpuobj, "reset-cbar", NULL)) {
-+            object_property_set_int(cpuobj,
-+                                    sbsa_ref_memmap[SBSA_CPUPERIPHS].base,
-+                                    "reset-cbar", &error_abort);
-+        }
-+
-+        object_property_set_link(cpuobj, OBJECT(sysmem), "memory",
-+                                 &error_abort);
-+
-+        object_property_set_link(cpuobj, OBJECT(secure_sysmem),
-+                                 "secure-memory", &error_abort);
-+
-+        object_property_set_bool(cpuobj, true, "realized", &error_fatal);
-+        object_unref(cpuobj);
-+    }
-+
-+    memory_region_allocate_system_memory(ram, NULL, "sbsa-ref.ram",
-+                                         machine->ram_size);
-+    memory_region_add_subregion(sysmem, sbsa_ref_memmap[SBSA_MEM].base, ram);
-+
-+    sms->bootinfo.ram_size = machine->ram_size;
-+    sms->bootinfo.kernel_filename = machine->kernel_filename;
-+    sms->bootinfo.nb_cpus = smp_cpus;
-+    sms->bootinfo.board_id = -1;
-+    sms->bootinfo.loader_start = sbsa_ref_memmap[SBSA_MEM].base;
-+    arm_load_kernel(ARM_CPU(first_cpu), &sms->bootinfo);
-+}
-+
-+static uint64_t sbsa_ref_cpu_mp_affinity(SBSAMachineState *sms, int idx)
-+{
-+    uint8_t clustersz = ARM_DEFAULT_CPUS_PER_CLUSTER;
-+    return arm_cpu_mp_affinity(idx, clustersz);
-+}
-+
-+static const CPUArchIdList *sbsa_ref_possible_cpu_arch_ids(MachineState *ms)
-+{
-+    SBSAMachineState *sms = SBSA_MACHINE(ms);
-+    int n;
-+
-+    if (ms->possible_cpus) {
-+        assert(ms->possible_cpus->len == max_cpus);
-+        return ms->possible_cpus;
-+    }
-+
-+    ms->possible_cpus = g_malloc0(sizeof(CPUArchIdList) +
-+                                  sizeof(CPUArchId) * max_cpus);
-+    ms->possible_cpus->len = max_cpus;
-+    for (n = 0; n < ms->possible_cpus->len; n++) {
-+        ms->possible_cpus->cpus[n].type = ms->cpu_type;
-+        ms->possible_cpus->cpus[n].arch_id =
-+            sbsa_ref_cpu_mp_affinity(sms, n);
-+        ms->possible_cpus->cpus[n].props.has_thread_id = true;
-+        ms->possible_cpus->cpus[n].props.thread_id = n;
-+    }
-+    return ms->possible_cpus;
-+}
-+
-+static CpuInstanceProperties
-+sbsa_ref_cpu_index_to_props(MachineState *ms, unsigned cpu_index)
-+{
-+    MachineClass *mc = MACHINE_GET_CLASS(ms);
-+    const CPUArchIdList *possible_cpus = mc->possible_cpu_arch_ids(ms);
-+
-+    assert(cpu_index < possible_cpus->len);
-+    return possible_cpus->cpus[cpu_index].props;
-+}
-+
-+static int64_t
-+sbsa_ref_get_default_cpu_node_id(const MachineState *ms, int idx)
-+{
-+    return idx % nb_numa_nodes;
-+}
-+
-+static void sbsa_ref_class_init(ObjectClass *oc, void *data)
-+{
-+    MachineClass *mc = MACHINE_CLASS(oc);
-+
-+    mc->init = sbsa_ref_init;
-+    mc->desc = "QEMU 'SBSA Reference' ARM Virtual Machine";
-+    mc->default_cpu_type = ARM_CPU_TYPE_NAME("cortex-a57");
-+    mc->max_cpus = 512;
-+    mc->pci_allow_0_address = true;
-+    mc->minimum_page_bits = 12;
-+    mc->block_default_type = IF_IDE;
-+    mc->no_cdrom = 1;
-+    mc->default_ram_size = 1 * GiB;
-+    mc->default_cpus = 4;
-+    mc->possible_cpu_arch_ids = sbsa_ref_possible_cpu_arch_ids;
-+    mc->cpu_index_to_instance_props = sbsa_ref_cpu_index_to_props;
-+    mc->get_default_cpu_node_id = sbsa_ref_get_default_cpu_node_id;
-+}
-+
-+static const TypeInfo sbsa_ref_info = {
-+    .name          = TYPE_SBSA_MACHINE,
-+    .parent        = TYPE_MACHINE,
-+    .class_init    = sbsa_ref_class_init,
-+    .instance_size = sizeof(SBSAMachineState),
-+};
-+
-+static void sbsa_ref_machine_init(void)
-+{
-+    type_register_static(&sbsa_ref_info);
-+}
-+
-+type_init(sbsa_ref_machine_init);
-diff --git a/MAINTAINERS b/MAINTAINERS
-index XXXXXXX..XXXXXXX 100644
---- a/MAINTAINERS
-+++ b/MAINTAINERS
-@@ -XXX,XX +XXX,XX @@ F: include/hw/arm/fsl-imx6.h
- F: include/hw/misc/imx6_*.h
- F: include/hw/ssi/imx_spi.h
-+SBSA-REF
-+M: Radoslaw Biernacki <radoslaw.biernacki@linaro.org>
-+M: Peter Maydell <peter.maydell@linaro.org>
-+R: Leif Lindholm <leif.lindholm@linaro.org>
-+L: qemu-arm@nongnu.org
-+S: Maintained
-+F: hw/arm/sbsa-ref.c
-+
- Sharp SL-5500 (Collie) PDA
- M: Peter Maydell <peter.maydell@linaro.org>
- L: qemu-arm@nongnu.org
-diff --git a/default-configs/aarch64-softmmu.mak b/default-configs/aarch64-softmmu.mak
-index XXXXXXX..XXXXXXX 100644
---- a/default-configs/aarch64-softmmu.mak
-+++ b/default-configs/aarch64-softmmu.mak
-@@ -XXX,XX +XXX,XX @@ include arm-softmmu.mak
- CONFIG_XLNX_ZYNQMP_ARM=y
- CONFIG_XLNX_VERSAL=y
-+CONFIG_SBSA_REF=y
-diff --git a/hw/arm/Kconfig b/hw/arm/Kconfig
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/Kconfig
-+++ b/hw/arm/Kconfig
-@@ -XXX,XX +XXX,XX @@ config REALVIEW
-     select DS1338 # I2C RTC+NVRAM
-     select USB_OHCI
-+config SBSA_REF
-+    bool
-+    imply PCI_DEVICES
-+    select AHCI
-+    select ARM_SMMUV3
-+    select GPIO_KEY
-+    select PCI_EXPRESS
-+    select PCI_EXPRESS_GENERIC_BRIDGE
-+    select PFLASH_CFI01
-+    select PL011 # UART
-+    select PL031 # RTC
-+    select PL061 # GPIO
-+    select USB_EHCI_SYSBUS
-+
- config SABRELITE
-     bool
-     select FSL_IMX6
---
-.20.1

-[Qemu-devel] [PULL 27/46] hw/arm: Add arm SBSA reference machine, devices part
+Deleted patch
-From: Hongbo Zhang <hongbo.zhang@linaro.org>
-Following the previous patch, this patch adds peripheral devices to the
-newly introduced SBSA-ref machine.
-Signed-off-by: Hongbo Zhang <hongbo.zhang@linaro.org>
-Message-id: 1561890034-15921-3-git-send-email-hongbo.zhang@linaro.org
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/arm/sbsa-ref.c | 535 ++++++++++++++++++++++++++++++++++++++++++++++
-file changed, 535 insertions(+)
-diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/sbsa-ref.c
-+++ b/hw/arm/sbsa-ref.c
-@@ -XXX,XX +XXX,XX @@
-  */
- #include "qemu/osdep.h"
-+#include "qemu-common.h"
- #include "qapi/error.h"
- #include "qemu/error-report.h"
- #include "qemu/units.h"
-+#include "sysemu/device_tree.h"
- #include "sysemu/numa.h"
- #include "sysemu/sysemu.h"
- #include "exec/address-spaces.h"
- #include "exec/hwaddr.h"
- #include "kvm_arm.h"
- #include "hw/arm/boot.h"
-+#include "hw/block/flash.h"
- #include "hw/boards.h"
-+#include "hw/ide/internal.h"
-+#include "hw/ide/ahci_internal.h"
- #include "hw/intc/arm_gicv3_common.h"
-+#include "hw/loader.h"
-+#include "hw/pci-host/gpex.h"
-+#include "hw/usb.h"
-+#include "net/net.h"
- #define RAMLIMIT_GB 8192
- #define RAMLIMIT_BYTES (RAMLIMIT_GB * GiB)
-+#define NUM_IRQS        256
-+#define NUM_SMMU_IRQS   4
-+#define NUM_SATA_PORTS  6
-+
-+#define VIRTUAL_PMU_IRQ        7
-+#define ARCH_GIC_MAINT_IRQ     9
-+#define ARCH_TIMER_VIRT_IRQ    11
-+#define ARCH_TIMER_S_EL1_IRQ   13
-+#define ARCH_TIMER_NS_EL1_IRQ  14
-+#define ARCH_TIMER_NS_EL2_IRQ  10
-+
- enum {
-     SBSA_FLASH,
-     SBSA_MEM,
-@@ -XXX,XX +XXX,XX @@ typedef struct {
-     void *fdt;
-     int fdt_size;
-     int psci_conduit;
-+    PFlashCFI01 *flash[2];
- } SBSAMachineState;
- #define TYPE_SBSA_MACHINE   MACHINE_TYPE_NAME("sbsa-ref")
-@@ -XXX,XX +XXX,XX @@ static const MemMapEntry sbsa_ref_memmap[] = {
-     [SBSA_MEM] =                { 0x10000000000ULL, RAMLIMIT_BYTES },
- };
-+static const int sbsa_ref_irqmap[] = {
-+    [SBSA_UART] = 1,
-+    [SBSA_RTC] = 2,
-+    [SBSA_PCIE] = 3, /* ... to 6 */
-+    [SBSA_GPIO] = 7,
-+    [SBSA_SECURE_UART] = 8,
-+    [SBSA_SECURE_UART_MM] = 9,
-+    [SBSA_AHCI] = 10,
-+    [SBSA_EHCI] = 11,
-+};
-+
-+/*
-+ * Firmware on this machine only uses ACPI table to load OS, these limited
-+ * device tree nodes are just to let firmware know the info which varies from
-+ * command line parameters, so it is not necessary to be fully compatible
-+ * with the kernel CPU and NUMA binding rules.
-+ */
-+static void create_fdt(SBSAMachineState *sms)
-+{
-+    void *fdt = create_device_tree(&sms->fdt_size);
-+    const MachineState *ms = MACHINE(sms);
-+    int cpu;
-+
-+    if (!fdt) {
-+        error_report("create_device_tree() failed");
-+        exit(1);
-+    }
-+
-+    sms->fdt = fdt;
-+
-+    qemu_fdt_setprop_string(fdt, "/", "compatible", "linux,sbsa-ref");
-+    qemu_fdt_setprop_cell(fdt, "/", "#address-cells", 0x2);
-+    qemu_fdt_setprop_cell(fdt, "/", "#size-cells", 0x2);
-+
-+    if (have_numa_distance) {
-+        int size = nb_numa_nodes * nb_numa_nodes * 3 * sizeof(uint32_t);
-+        uint32_t *matrix = g_malloc0(size);
-+        int idx, i, j;
-+
-+        for (i = 0; i < nb_numa_nodes; i++) {
-+            for (j = 0; j < nb_numa_nodes; j++) {
-+                idx = (i * nb_numa_nodes + j) * 3;
-+                matrix[idx + 0] = cpu_to_be32(i);
-+                matrix[idx + 1] = cpu_to_be32(j);
-+                matrix[idx + 2] = cpu_to_be32(numa_info[i].distance[j]);
-+            }
-+        }
-+
-+        qemu_fdt_add_subnode(fdt, "/distance-map");
-+        qemu_fdt_setprop(fdt, "/distance-map", "distance-matrix",
-+                         matrix, size);
-+        g_free(matrix);
-+    }
-+
-+    qemu_fdt_add_subnode(sms->fdt, "/cpus");
-+
-+    for (cpu = sms->smp_cpus - 1; cpu >= 0; cpu--) {
-+        char *nodename = g_strdup_printf("/cpus/cpu@%d", cpu);
-+        ARMCPU *armcpu = ARM_CPU(qemu_get_cpu(cpu));
-+        CPUState *cs = CPU(armcpu);
-+
-+        qemu_fdt_add_subnode(sms->fdt, nodename);
-+
-+        if (ms->possible_cpus->cpus[cs->cpu_index].props.has_node_id) {
-+            qemu_fdt_setprop_cell(sms->fdt, nodename, "numa-node-id",
-+                ms->possible_cpus->cpus[cs->cpu_index].props.node_id);
-+        }
-+
-+        g_free(nodename);
-+    }
-+}
-+
-+#define SBSA_FLASH_SECTOR_SIZE (256 * KiB)
-+
-+static PFlashCFI01 *sbsa_flash_create1(SBSAMachineState *sms,
-+                                        const char *name,
-+                                        const char *alias_prop_name)
-+{
-+    /*
-+     * Create a single flash device.  We use the same parameters as
-+     * the flash devices on the Versatile Express board.
-+     */
-+    DeviceState *dev = qdev_create(NULL, TYPE_PFLASH_CFI01);
-+
-+    qdev_prop_set_uint64(dev, "sector-length", SBSA_FLASH_SECTOR_SIZE);
-+    qdev_prop_set_uint8(dev, "width", 4);
-+    qdev_prop_set_uint8(dev, "device-width", 2);
-+    qdev_prop_set_bit(dev, "big-endian", false);
-+    qdev_prop_set_uint16(dev, "id0", 0x89);
-+    qdev_prop_set_uint16(dev, "id1", 0x18);
-+    qdev_prop_set_uint16(dev, "id2", 0x00);
-+    qdev_prop_set_uint16(dev, "id3", 0x00);
-+    qdev_prop_set_string(dev, "name", name);
-+    object_property_add_child(OBJECT(sms), name, OBJECT(dev),
-+                              &error_abort);
-+    object_property_add_alias(OBJECT(sms), alias_prop_name,
-+                              OBJECT(dev), "drive", &error_abort);
-+    return PFLASH_CFI01(dev);
-+}
-+
-+static void sbsa_flash_create(SBSAMachineState *sms)
-+{
-+    sms->flash[0] = sbsa_flash_create1(sms, "sbsa.flash0", "pflash0");
-+    sms->flash[1] = sbsa_flash_create1(sms, "sbsa.flash1", "pflash1");
-+}
-+
-+static void sbsa_flash_map1(PFlashCFI01 *flash,
-+                            hwaddr base, hwaddr size,
-+                            MemoryRegion *sysmem)
-+{
-+    DeviceState *dev = DEVICE(flash);
-+
-+    assert(size % SBSA_FLASH_SECTOR_SIZE == 0);
-+    assert(size / SBSA_FLASH_SECTOR_SIZE <= UINT32_MAX);
-+    qdev_prop_set_uint32(dev, "num-blocks", size / SBSA_FLASH_SECTOR_SIZE);
-+    qdev_init_nofail(dev);
-+
-+    memory_region_add_subregion(sysmem, base,
-+                                sysbus_mmio_get_region(SYS_BUS_DEVICE(dev),
-+                                                       0));
-+}
-+
-+static void sbsa_flash_map(SBSAMachineState *sms,
-+                           MemoryRegion *sysmem,
-+                           MemoryRegion *secure_sysmem)
-+{
-+    /*
-+     * Map two flash devices to fill the SBSA_FLASH space in the memmap.
-+     * sysmem is the system memory space. secure_sysmem is the secure view
-+     * of the system, and the first flash device should be made visible only
-+     * there. The second flash device is visible to both secure and nonsecure.
-+     * If sysmem == secure_sysmem this means there is no separate Secure
-+     * address space and both flash devices are generally visible.
-+     */
-+    hwaddr flashsize = sbsa_ref_memmap[SBSA_FLASH].size / 2;
-+    hwaddr flashbase = sbsa_ref_memmap[SBSA_FLASH].base;
-+
-+    sbsa_flash_map1(sms->flash[0], flashbase, flashsize,
-+                    secure_sysmem);
-+    sbsa_flash_map1(sms->flash[1], flashbase + flashsize, flashsize,
-+                    sysmem);
-+}
-+
-+static bool sbsa_firmware_init(SBSAMachineState *sms,
-+                               MemoryRegion *sysmem,
-+                               MemoryRegion *secure_sysmem)
-+{
-+    int i;
-+    BlockBackend *pflash_blk0;
-+
-+    /* Map legacy -drive if=pflash to machine properties */
-+    for (i = 0; i < ARRAY_SIZE(sms->flash); i++) {
-+        pflash_cfi01_legacy_drive(sms->flash[i],
-+                                  drive_get(IF_PFLASH, 0, i));
-+    }
-+
-+    sbsa_flash_map(sms, sysmem, secure_sysmem);
-+
-+    pflash_blk0 = pflash_cfi01_get_blk(sms->flash[0]);
-+
-+    if (bios_name) {
-+        char *fname;
-+        MemoryRegion *mr;
-+        int image_size;
-+
-+        if (pflash_blk0) {
-+            error_report("The contents of the first flash device may be "
-+                         "specified with -bios or with -drive if=pflash... "
-+                         "but you cannot use both options at once");
-+            exit(1);
-+        }
-+
-+        /* Fall back to -bios */
-+
-+        fname = qemu_find_file(QEMU_FILE_TYPE_BIOS, bios_name);
-+        if (!fname) {
-+            error_report("Could not find ROM image '%s'", bios_name);
-+            exit(1);
-+        }
-+        mr = sysbus_mmio_get_region(SYS_BUS_DEVICE(sms->flash[0]), 0);
-+        image_size = load_image_mr(fname, mr);
-+        g_free(fname);
-+        if (image_size < 0) {
-+            error_report("Could not load ROM image '%s'", bios_name);
-+            exit(1);
-+        }
-+    }
-+
-+    return pflash_blk0 || bios_name;
-+}
-+
-+static void create_secure_ram(SBSAMachineState *sms,
-+                              MemoryRegion *secure_sysmem)
-+{
-+    MemoryRegion *secram = g_new(MemoryRegion, 1);
-+    hwaddr base = sbsa_ref_memmap[SBSA_SECURE_MEM].base;
-+    hwaddr size = sbsa_ref_memmap[SBSA_SECURE_MEM].size;
-+
-+    memory_region_init_ram(secram, NULL, "sbsa-ref.secure-ram", size,
-+                           &error_fatal);
-+    memory_region_add_subregion(secure_sysmem, base, secram);
-+}
-+
-+static void create_gic(SBSAMachineState *sms, qemu_irq *pic)
-+{
-+    DeviceState *gicdev;
-+    SysBusDevice *gicbusdev;
-+    const char *gictype;
-+    uint32_t redist0_capacity, redist0_count;
-+    int i;
-+
-+    gictype = gicv3_class_name();
-+
-+    gicdev = qdev_create(NULL, gictype);
-+    qdev_prop_set_uint32(gicdev, "revision", 3);
-+    qdev_prop_set_uint32(gicdev, "num-cpu", smp_cpus);
-+    /*
-+     * Note that the num-irq property counts both internal and external
-+     * interrupts; there are always 32 of the former (mandated by GIC spec).
-+     */
-+    qdev_prop_set_uint32(gicdev, "num-irq", NUM_IRQS + 32);
-+    qdev_prop_set_bit(gicdev, "has-security-extensions", true);
-+
-+    redist0_capacity =
-+                sbsa_ref_memmap[SBSA_GIC_REDIST].size / GICV3_REDIST_SIZE;
-+    redist0_count = MIN(smp_cpus, redist0_capacity);
-+
-+    qdev_prop_set_uint32(gicdev, "len-redist-region-count", 1);
-+    qdev_prop_set_uint32(gicdev, "redist-region-count[0]", redist0_count);
-+
-+    qdev_init_nofail(gicdev);
-+    gicbusdev = SYS_BUS_DEVICE(gicdev);
-+    sysbus_mmio_map(gicbusdev, 0, sbsa_ref_memmap[SBSA_GIC_DIST].base);
-+    sysbus_mmio_map(gicbusdev, 1, sbsa_ref_memmap[SBSA_GIC_REDIST].base);
-+
-+    /*
-+     * Wire the outputs from each CPU's generic timer and the GICv3
-+     * maintenance interrupt signal to the appropriate GIC PPI inputs,
-+     * and the GIC's IRQ/FIQ/VIRQ/VFIQ interrupt outputs to the CPU's inputs.
-+     */
-+    for (i = 0; i < smp_cpus; i++) {
-+        DeviceState *cpudev = DEVICE(qemu_get_cpu(i));
-+        int ppibase = NUM_IRQS + i * GIC_INTERNAL + GIC_NR_SGIS;
-+        int irq;
-+        /*
-+         * Mapping from the output timer irq lines from the CPU to the
-+         * GIC PPI inputs used for this board.
-+         */
-+        const int timer_irq[] = {
-+            [GTIMER_PHYS] = ARCH_TIMER_NS_EL1_IRQ,
-+            [GTIMER_VIRT] = ARCH_TIMER_VIRT_IRQ,
-+            [GTIMER_HYP]  = ARCH_TIMER_NS_EL2_IRQ,
-+            [GTIMER_SEC]  = ARCH_TIMER_S_EL1_IRQ,
-+        };
-+
-+        for (irq = 0; irq < ARRAY_SIZE(timer_irq); irq++) {
-+            qdev_connect_gpio_out(cpudev, irq,
-+                                  qdev_get_gpio_in(gicdev,
-+                                                   ppibase + timer_irq[irq]));
-+        }
-+
-+        qdev_connect_gpio_out_named(cpudev, "gicv3-maintenance-interrupt", 0,
-+                                    qdev_get_gpio_in(gicdev, ppibase
-+                                                     + ARCH_GIC_MAINT_IRQ));
-+        qdev_connect_gpio_out_named(cpudev, "pmu-interrupt", 0,
-+                                    qdev_get_gpio_in(gicdev, ppibase
-+                                                     + VIRTUAL_PMU_IRQ));
-+
-+        sysbus_connect_irq(gicbusdev, i, qdev_get_gpio_in(cpudev, ARM_CPU_IRQ));
-+        sysbus_connect_irq(gicbusdev, i + smp_cpus,
-+                           qdev_get_gpio_in(cpudev, ARM_CPU_FIQ));
-+        sysbus_connect_irq(gicbusdev, i + 2 * smp_cpus,
-+                           qdev_get_gpio_in(cpudev, ARM_CPU_VIRQ));
-+        sysbus_connect_irq(gicbusdev, i + 3 * smp_cpus,
-+                           qdev_get_gpio_in(cpudev, ARM_CPU_VFIQ));
-+    }
-+
-+    for (i = 0; i < NUM_IRQS; i++) {
-+        pic[i] = qdev_get_gpio_in(gicdev, i);
-+    }
-+}
-+
-+static void create_uart(const SBSAMachineState *sms, qemu_irq *pic, int uart,
-+                        MemoryRegion *mem, Chardev *chr)
-+{
-+    hwaddr base = sbsa_ref_memmap[uart].base;
-+    int irq = sbsa_ref_irqmap[uart];
-+    DeviceState *dev = qdev_create(NULL, "pl011");
-+    SysBusDevice *s = SYS_BUS_DEVICE(dev);
-+
-+    qdev_prop_set_chr(dev, "chardev", chr);
-+    qdev_init_nofail(dev);
-+    memory_region_add_subregion(mem, base,
-+                                sysbus_mmio_get_region(s, 0));
-+    sysbus_connect_irq(s, 0, pic[irq]);
-+}
-+
-+static void create_rtc(const SBSAMachineState *sms, qemu_irq *pic)
-+{
-+    hwaddr base = sbsa_ref_memmap[SBSA_RTC].base;
-+    int irq = sbsa_ref_irqmap[SBSA_RTC];
-+
-+    sysbus_create_simple("pl031", base, pic[irq]);
-+}
-+
-+static DeviceState *gpio_key_dev;
-+static void sbsa_ref_powerdown_req(Notifier *n, void *opaque)
-+{
-+    /* use gpio Pin 3 for power button event */
-+    qemu_set_irq(qdev_get_gpio_in(gpio_key_dev, 0), 1);
-+}
-+
-+static Notifier sbsa_ref_powerdown_notifier = {
-+    .notify = sbsa_ref_powerdown_req
-+};
-+
-+static void create_gpio(const SBSAMachineState *sms, qemu_irq *pic)
-+{
-+    DeviceState *pl061_dev;
-+    hwaddr base = sbsa_ref_memmap[SBSA_GPIO].base;
-+    int irq = sbsa_ref_irqmap[SBSA_GPIO];
-+
-+    pl061_dev = sysbus_create_simple("pl061", base, pic[irq]);
-+
-+    gpio_key_dev = sysbus_create_simple("gpio-key", -1,
-+                                        qdev_get_gpio_in(pl061_dev, 3));
-+
-+    /* connect powerdown request */
-+    qemu_register_powerdown_notifier(&sbsa_ref_powerdown_notifier);
-+}
-+
-+static void create_ahci(const SBSAMachineState *sms, qemu_irq *pic)
-+{
-+    hwaddr base = sbsa_ref_memmap[SBSA_AHCI].base;
-+    int irq = sbsa_ref_irqmap[SBSA_AHCI];
-+    DeviceState *dev;
-+    DriveInfo *hd[NUM_SATA_PORTS];
-+    SysbusAHCIState *sysahci;
-+    AHCIState *ahci;
-+    int i;
-+
-+    dev = qdev_create(NULL, "sysbus-ahci");
-+    qdev_prop_set_uint32(dev, "num-ports", NUM_SATA_PORTS);
-+    qdev_init_nofail(dev);
-+    sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, base);
-+    sysbus_connect_irq(SYS_BUS_DEVICE(dev), 0, pic[irq]);
-+
-+    sysahci = SYSBUS_AHCI(dev);
-+    ahci = &sysahci->ahci;
-+    ide_drive_get(hd, ARRAY_SIZE(hd));
-+    for (i = 0; i < ahci->ports; i++) {
-+        if (hd[i] == NULL) {
-+            continue;
-+        }
-+        ide_create_drive(&ahci->dev[i].port, 0, hd[i]);
-+    }
-+}
-+
-+static void create_ehci(const SBSAMachineState *sms, qemu_irq *pic)
-+{
-+    hwaddr base = sbsa_ref_memmap[SBSA_EHCI].base;
-+    int irq = sbsa_ref_irqmap[SBSA_EHCI];
-+
-+    sysbus_create_simple("platform-ehci-usb", base, pic[irq]);
-+}
-+
-+static void create_smmu(const SBSAMachineState *sms, qemu_irq *pic,
-+                        PCIBus *bus)
-+{
-+    hwaddr base = sbsa_ref_memmap[SBSA_SMMU].base;
-+    int irq =  sbsa_ref_irqmap[SBSA_SMMU];
-+    DeviceState *dev;
-+    int i;
-+
-+    dev = qdev_create(NULL, "arm-smmuv3");
-+
-+    object_property_set_link(OBJECT(dev), OBJECT(bus), "primary-bus",
-+                             &error_abort);
-+    qdev_init_nofail(dev);
-+    sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, base);
-+    for (i = 0; i < NUM_SMMU_IRQS; i++) {
-+        sysbus_connect_irq(SYS_BUS_DEVICE(dev), i, pic[irq + i]);
-+    }
-+}
-+
-+static void create_pcie(SBSAMachineState *sms, qemu_irq *pic)
-+{
-+    hwaddr base_ecam = sbsa_ref_memmap[SBSA_PCIE_ECAM].base;
-+    hwaddr size_ecam = sbsa_ref_memmap[SBSA_PCIE_ECAM].size;
-+    hwaddr base_mmio = sbsa_ref_memmap[SBSA_PCIE_MMIO].base;
-+    hwaddr size_mmio = sbsa_ref_memmap[SBSA_PCIE_MMIO].size;
-+    hwaddr base_mmio_high = sbsa_ref_memmap[SBSA_PCIE_MMIO_HIGH].base;
-+    hwaddr size_mmio_high = sbsa_ref_memmap[SBSA_PCIE_MMIO_HIGH].size;
-+    hwaddr base_pio = sbsa_ref_memmap[SBSA_PCIE_PIO].base;
-+    int irq = sbsa_ref_irqmap[SBSA_PCIE];
-+    MemoryRegion *mmio_alias, *mmio_alias_high, *mmio_reg;
-+    MemoryRegion *ecam_alias, *ecam_reg;
-+    DeviceState *dev;
-+    PCIHostState *pci;
-+    int i;
-+
-+    dev = qdev_create(NULL, TYPE_GPEX_HOST);
-+    qdev_init_nofail(dev);
-+
-+    /* Map ECAM space */
-+    ecam_alias = g_new0(MemoryRegion, 1);
-+    ecam_reg = sysbus_mmio_get_region(SYS_BUS_DEVICE(dev), 0);
-+    memory_region_init_alias(ecam_alias, OBJECT(dev), "pcie-ecam",
-+                             ecam_reg, 0, size_ecam);
-+    memory_region_add_subregion(get_system_memory(), base_ecam, ecam_alias);
-+
-+    /* Map the MMIO space */
-+    mmio_alias = g_new0(MemoryRegion, 1);
-+    mmio_reg = sysbus_mmio_get_region(SYS_BUS_DEVICE(dev), 1);
-+    memory_region_init_alias(mmio_alias, OBJECT(dev), "pcie-mmio",
-+                             mmio_reg, base_mmio, size_mmio);
-+    memory_region_add_subregion(get_system_memory(), base_mmio, mmio_alias);
-+
-+    /* Map the MMIO_HIGH space */
-+    mmio_alias_high = g_new0(MemoryRegion, 1);
-+    memory_region_init_alias(mmio_alias_high, OBJECT(dev), "pcie-mmio-high",
-+                             mmio_reg, base_mmio_high, size_mmio_high);
-+    memory_region_add_subregion(get_system_memory(), base_mmio_high,
-+                                mmio_alias_high);
-+
-+    /* Map IO port space */
-+    sysbus_mmio_map(SYS_BUS_DEVICE(dev), 2, base_pio);
-+
-+    for (i = 0; i < GPEX_NUM_IRQS; i++) {
-+        sysbus_connect_irq(SYS_BUS_DEVICE(dev), i, pic[irq + i]);
-+        gpex_set_irq_num(GPEX_HOST(dev), i, irq + i);
-+    }
-+
-+    pci = PCI_HOST_BRIDGE(dev);
-+    if (pci->bus) {
-+        for (i = 0; i < nb_nics; i++) {
-+            NICInfo *nd = &nd_table[i];
-+
-+            if (!nd->model) {
-+                nd->model = g_strdup("e1000e");
-+            }
-+
-+            pci_nic_init_nofail(nd, pci->bus, nd->model, NULL);
-+        }
-+    }
-+
-+    pci_create_simple(pci->bus, -1, "VGA");
-+
-+    create_smmu(sms, pic, pci->bus);
-+}
-+
-+static void *sbsa_ref_dtb(const struct arm_boot_info *binfo, int *fdt_size)
-+{
-+    const SBSAMachineState *board = container_of(binfo, SBSAMachineState,
-+                                                 bootinfo);
-+
-+    *fdt_size = board->fdt_size;
-+    return board->fdt;
-+}
-+
- static void sbsa_ref_init(MachineState *machine)
- {
-     SBSAMachineState *sms = SBSA_MACHINE(machine);
-@@ -XXX,XX +XXX,XX @@ static void sbsa_ref_init(MachineState *machine)
-     MemoryRegion *sysmem = get_system_memory();
-     MemoryRegion *secure_sysmem = NULL;
-     MemoryRegion *ram = g_new(MemoryRegion, 1);
-+    bool firmware_loaded;
-     const CPUArchIdList *possible_cpus;
-     int n, sbsa_max_cpus;
-+    qemu_irq pic[NUM_IRQS];
-     if (strcmp(machine->cpu_type, ARM_CPU_TYPE_NAME("cortex-a57"))) {
-         error_report("sbsa-ref: CPU type other than the built-in "
-@@ -XXX,XX +XXX,XX @@ static void sbsa_ref_init(MachineState *machine)
-         exit(1);
-     }
-+    /*
-+     * The Secure view of the world is the same as the NonSecure,
-+     * but with a few extra devices. Create it as a container region
-+     * containing the system memory at low priority; any secure-only
-+     * devices go in at higher priority and take precedence.
-+     */
-+    secure_sysmem = g_new(MemoryRegion, 1);
-+    memory_region_init(secure_sysmem, OBJECT(machine), "secure-memory",
-+                       UINT64_MAX);
-+    memory_region_add_subregion_overlap(secure_sysmem, 0, sysmem, -1);
-+
-+    firmware_loaded = sbsa_firmware_init(sms, sysmem,
-+                                         secure_sysmem ?: sysmem);
-+
-+    if (machine->kernel_filename && firmware_loaded) {
-+        error_report("sbsa-ref: No fw_cfg device on this machine, "
-+                     "so -kernel option is not supported when firmware loaded, "
-+                     "please load OS from hard disk instead");
-+        exit(1);
-+    }
-+
-     /*
-      * This machine has EL3 enabled, external firmware should supply PSCI
-      * implementation, so the QEMU's internal PSCI is disabled.
-@@ -XXX,XX +XXX,XX @@ static void sbsa_ref_init(MachineState *machine)
-                                          machine->ram_size);
-     memory_region_add_subregion(sysmem, sbsa_ref_memmap[SBSA_MEM].base, ram);
-+    create_fdt(sms);
-+
-+    create_secure_ram(sms, secure_sysmem);
-+
-+    create_gic(sms, pic);
-+
-+    create_uart(sms, pic, SBSA_UART, sysmem, serial_hd(0));
-+    create_uart(sms, pic, SBSA_SECURE_UART, secure_sysmem, serial_hd(1));
-+    /* Second secure UART for RAS and MM from EL0 */
-+    create_uart(sms, pic, SBSA_SECURE_UART_MM, secure_sysmem, serial_hd(2));
-+
-+    create_rtc(sms, pic);
-+
-+    create_gpio(sms, pic);
-+
-+    create_ahci(sms, pic);
-+
-+    create_ehci(sms, pic);
-+
-+    create_pcie(sms, pic);
-+
-     sms->bootinfo.ram_size = machine->ram_size;
-     sms->bootinfo.kernel_filename = machine->kernel_filename;
-     sms->bootinfo.nb_cpus = smp_cpus;
-     sms->bootinfo.board_id = -1;
-     sms->bootinfo.loader_start = sbsa_ref_memmap[SBSA_MEM].base;
-+    sms->bootinfo.get_dtb = sbsa_ref_dtb;
-+    sms->bootinfo.firmware_loaded = firmware_loaded;
-     arm_load_kernel(ARM_CPU(first_cpu), &sms->bootinfo);
- }
-@@ -XXX,XX +XXX,XX @@ sbsa_ref_get_default_cpu_node_id(const MachineState *ms, int idx)
-     return idx % nb_numa_nodes;
- }
-+static void sbsa_ref_instance_init(Object *obj)
-+{
-+    SBSAMachineState *sms = SBSA_MACHINE(obj);
-+
-+    sbsa_flash_create(sms);
-+}
-+
- static void sbsa_ref_class_init(ObjectClass *oc, void *data)
- {
-     MachineClass *mc = MACHINE_CLASS(oc);
-@@ -XXX,XX +XXX,XX @@ static void sbsa_ref_class_init(ObjectClass *oc, void *data)
- static const TypeInfo sbsa_ref_info = {
-     .name          = TYPE_SBSA_MACHINE,
-     .parent        = TYPE_MACHINE,
-+    .instance_init = sbsa_ref_instance_init,
-     .class_init    = sbsa_ref_class_init,
-     .instance_size = sizeof(SBSAMachineState),
- };
---
-.20.1

-[Qemu-devel] [PULL 28/46] target/arm: Makefile cleanup (Aarch64)
+Deleted patch
-From: Philippe Mathieu-Daudé <philmd@redhat.com>
-Group Aarch64 rules together, TCG related ones at the bottom.
-This will help when restricting TCG-only objects.
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20190701132516.26392-2-philmd@redhat.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/Makefile.objs | 5 +++--
-file changed, 3 insertions(+), 2 deletions(-)
-diff --git a/target/arm/Makefile.objs b/target/arm/Makefile.objs
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/Makefile.objs
-+++ b/target/arm/Makefile.objs
-@@ -XXX,XX +XXX,XX @@ obj-$(call lnot,$(CONFIG_KVM)) += kvm-stub.o
- obj-y += translate.o op_helper.o helper.o cpu.o
- obj-y += neon_helper.o iwmmxt_helper.o vec_helper.o vfp_helper.o
- obj-y += gdbstub.o
--obj-$(TARGET_AARCH64) += cpu64.o translate-a64.o helper-a64.o gdbstub64.o
--obj-$(TARGET_AARCH64) += pauth_helper.o
-+obj-$(TARGET_AARCH64) += cpu64.o gdbstub64.o
- obj-y += crypto_helper.o
- obj-$(CONFIG_SOFTMMU) += arm-powerctl.o
-@@ -XXX,XX +XXX,XX @@ target/arm/translate-sve.o: target/arm/decode-sve.inc.c
- target/arm/translate.o: target/arm/decode-vfp.inc.c
- target/arm/translate.o: target/arm/decode-vfp-uncond.inc.c
-+obj-$(TARGET_AARCH64) += translate-a64.o helper-a64.o
- obj-$(TARGET_AARCH64) += translate-sve.o sve_helper.o
-+obj-$(TARGET_AARCH64) += pauth_helper.o
---
-.20.1

-[Qemu-devel] [PULL 29/46] target/arm: Makefile cleanup (ARM)
+Deleted patch
-From: Philippe Mathieu-Daudé <philmd@redhat.com>
-Group ARM objects together, TCG related ones at the bottom.
-This will help when restricting TCG-only objects.
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20190701132516.26392-3-philmd@redhat.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/Makefile.objs | 10 ++++++----
-file changed, 6 insertions(+), 4 deletions(-)
-diff --git a/target/arm/Makefile.objs b/target/arm/Makefile.objs
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/Makefile.objs
-+++ b/target/arm/Makefile.objs
-@@ -XXX,XX +XXX,XX @@ obj-$(CONFIG_KVM) += kvm.o
- obj-$(call land,$(CONFIG_KVM),$(call lnot,$(TARGET_AARCH64))) += kvm32.o
- obj-$(call land,$(CONFIG_KVM),$(TARGET_AARCH64)) += kvm64.o
- obj-$(call lnot,$(CONFIG_KVM)) += kvm-stub.o
--obj-y += translate.o op_helper.o helper.o cpu.o
--obj-y += neon_helper.o iwmmxt_helper.o vec_helper.o vfp_helper.o
--obj-y += gdbstub.o
-+obj-y += helper.o vfp_helper.o
-+obj-y += cpu.o gdbstub.o
- obj-$(TARGET_AARCH64) += cpu64.o gdbstub64.o
--obj-y += crypto_helper.o
- obj-$(CONFIG_SOFTMMU) += arm-powerctl.o
- DECODETREE = $(SRC_PATH)/scripts/decodetree.py
-@@ -XXX,XX +XXX,XX @@ target/arm/translate-sve.o: target/arm/decode-sve.inc.c
- target/arm/translate.o: target/arm/decode-vfp.inc.c
- target/arm/translate.o: target/arm/decode-vfp-uncond.inc.c
-+obj-y += translate.o op_helper.o
-+obj-y += crypto_helper.o
-+obj-y += iwmmxt_helper.o vec_helper.o neon_helper.o
-+
- obj-$(TARGET_AARCH64) += translate-a64.o helper-a64.o
- obj-$(TARGET_AARCH64) += translate-sve.o sve_helper.o
- obj-$(TARGET_AARCH64) += pauth_helper.o
---
-.20.1

-[Qemu-devel] [PULL 30/46] target/arm: Makefile cleanup (KVM)
+Deleted patch
-From: Philippe Mathieu-Daudé <philmd@redhat.com>
-Group KVM rules together.
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20190701132516.26392-4-philmd@redhat.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/Makefile.objs | 9 +++++----
-file changed, 5 insertions(+), 4 deletions(-)
-diff --git a/target/arm/Makefile.objs b/target/arm/Makefile.objs
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/Makefile.objs
-+++ b/target/arm/Makefile.objs
-@@ -XXX,XX +XXX,XX @@
- obj-y += arm-semi.o
- obj-$(CONFIG_SOFTMMU) += machine.o psci.o arch_dump.o monitor.o
--obj-$(CONFIG_KVM) += kvm.o
--obj-$(call land,$(CONFIG_KVM),$(call lnot,$(TARGET_AARCH64))) += kvm32.o
--obj-$(call land,$(CONFIG_KVM),$(TARGET_AARCH64)) += kvm64.o
--obj-$(call lnot,$(CONFIG_KVM)) += kvm-stub.o
- obj-y += helper.o vfp_helper.o
- obj-y += cpu.o gdbstub.o
- obj-$(TARGET_AARCH64) += cpu64.o gdbstub64.o
- obj-$(CONFIG_SOFTMMU) += arm-powerctl.o
-+obj-$(CONFIG_KVM) += kvm.o
-+obj-$(call land,$(CONFIG_KVM),$(call lnot,$(TARGET_AARCH64))) += kvm32.o
-+obj-$(call land,$(CONFIG_KVM),$(TARGET_AARCH64)) += kvm64.o
-+obj-$(call lnot,$(CONFIG_KVM)) += kvm-stub.o
-+
- DECODETREE = $(SRC_PATH)/scripts/decodetree.py
- target/arm/decode-sve.inc.c: $(SRC_PATH)/target/arm/sve.decode $(DECODETREE)
---
-.20.1

-[Qemu-devel] [PULL 31/46] target/arm: Makefile cleanup (softmmu)
+Deleted patch
-From: Philippe Mathieu-Daudé <philmd@redhat.com>
-Group SOFTMMU objects together.
-Since PSCI is TCG specific, keep it separate.
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20190701132516.26392-5-philmd@redhat.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/Makefile.objs | 5 ++++-
-file changed, 4 insertions(+), 1 deletion(-)
-diff --git a/target/arm/Makefile.objs b/target/arm/Makefile.objs
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/Makefile.objs
-+++ b/target/arm/Makefile.objs
-@@ -XXX,XX +XXX,XX @@
- obj-y += arm-semi.o
--obj-$(CONFIG_SOFTMMU) += machine.o psci.o arch_dump.o monitor.o
- obj-y += helper.o vfp_helper.o
- obj-y += cpu.o gdbstub.o
- obj-$(TARGET_AARCH64) += cpu64.o gdbstub64.o
-+
-+obj-$(CONFIG_SOFTMMU) += machine.o arch_dump.o monitor.o
- obj-$(CONFIG_SOFTMMU) += arm-powerctl.o
- obj-$(CONFIG_KVM) += kvm.o
-@@ -XXX,XX +XXX,XX @@ obj-y += translate.o op_helper.o
- obj-y += crypto_helper.o
- obj-y += iwmmxt_helper.o vec_helper.o neon_helper.o
-+obj-$(CONFIG_SOFTMMU) += psci.o
-+
- obj-$(TARGET_AARCH64) += translate-a64.o helper-a64.o
- obj-$(TARGET_AARCH64) += translate-sve.o sve_helper.o
- obj-$(TARGET_AARCH64) += pauth_helper.o
---
-.20.1

-[Qemu-devel] [PULL 32/46] target/arm: Add copyright boilerplate
+Deleted patch
-From: Philippe Mathieu-Daudé <philmd@redhat.com>
-Reviewed-by: Robert Bradford <robert.bradford@intel.com>
-Reviewed-by: Samuel Ortiz <sameo@linux.intel.com>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20190701132516.26392-6-philmd@redhat.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/helper.c | 7 +++++++
-file changed, 7 insertions(+)
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@
-+/*
-+ * ARM generic helpers.
-+ *
-+ * This code is licensed under the GNU GPL v2 or later.
-+ *
-+ * SPDX-License-Identifier: GPL-2.0-or-later
-+ */
- #include "qemu/osdep.h"
- #include "qemu/units.h"
- #include "target/arm/idau.h"
---
-.20.1

-[Qemu-devel] [PULL 33/46] target/arm/helper: Remove unused include
+Deleted patch
-From: Philippe Mathieu-Daudé <philmd@redhat.com>
-Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20190701132516.26392-7-philmd@redhat.com
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/helper.c | 2 --
-file changed, 2 deletions(-)
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@
- #include "exec/gdbstub.h"
- #include "exec/helper-proto.h"
- #include "qemu/host-utils.h"
--#include "sysemu/arch_init.h"
- #include "sysemu/sysemu.h"
- #include "qemu/bitops.h"
- #include "qemu/crc32c.h"
-@@ -XXX,XX +XXX,XX @@
- #include "hw/semihosting/semihost.h"
- #include "sysemu/cpus.h"
- #include "sysemu/kvm.h"
--#include "fpu/softfloat.h"
- #include "qemu/range.h"
- #include "qapi/qapi-commands-target.h"
- #include "qapi/error.h"
---
-.20.1

-[Qemu-devel] [PULL 37/46] target/arm: Move CPU state dumping routines to cpu.c
+[Qemu-devel] [PULL 09/10] target/arm: Set VFP-related MVFR0 fields for arm926 and arm1026
-From: Philippe Mathieu-Daudé <philmd@redhat.com>
+The ARMv5 architecture didn't specify detailed per-feature ID
 registers. Now that we're using the MVFR0 register fields to
 gate the existence of VFP instructions, we need to set up
 the correct values in the cpu->isar structure so that we still
 provide an FPU to the guest.
-Suggested-by: Samuel Ortiz <sameo@linux.intel.com>
+This fixes a regression in the arm926 and arm1026 CPUs, which
-Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+are the only ones that both have VFP and are ARMv5 or earlier.
-Message-id: 20190701132516.26392-11-philmd@redhat.com
+This regression was introduced by the VFP refactoring, and more
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+specifically by commits 1120827fa182f0e76 and 266bd25c485597c,
 which accidentally disabled VFP short-vector support and
 double-precision support on these CPUs.
 Fixes: 1120827fa182f0e
 Fixes: 266bd25c485597c
 Fixes: https://bugs.launchpad.net/qemu/+bug/1836192
 Reported-by: Christophe Lyon <christophe.lyon@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Tested-by: Christophe Lyon <christophe.lyon@linaro.org>
+Message-id: 20190711131241.22231-1-peter.maydell@linaro.org
 ---
- target/arm/cpu.h           |   2 -
+ target/arm/cpu.c | 12 ++++++++++++
- target/arm/translate.h     |   5 -
+file changed, 12 insertions(+)
  target/arm/cpu.c           | 226 +++++++++++++++++++++++++++++++++++++
  target/arm/translate-a64.c | 128 ---------------------
  target/arm/translate.c     |  88 ---------------
 files changed, 226 insertions(+), 223 deletions(-)
-diff --git a/target/arm/cpu.h b/target/arm/cpu.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
-+++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ void arm_cpu_do_interrupt(CPUState *cpu);
- void arm_v7m_cpu_do_interrupt(CPUState *cpu);
- bool arm_cpu_exec_interrupt(CPUState *cpu, int int_req);
--void arm_cpu_dump_state(CPUState *cs, FILE *f, int flags);
--
- hwaddr arm_cpu_get_phys_page_attrs_debug(CPUState *cpu, vaddr addr,
-                                          MemTxAttrs *attrs);
-diff --git a/target/arm/translate.h b/target/arm/translate.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate.h
-+++ b/target/arm/translate.h
-@@ -XXX,XX +XXX,XX @@ static inline void disas_set_insn_syndrome(DisasContext *s, uint32_t syn)
- #ifdef TARGET_AARCH64
- void a64_translate_init(void);
- void gen_a64_set_pc_im(uint64_t val);
--void aarch64_cpu_dump_state(CPUState *cs, FILE *f, int flags);
- extern const TranslatorOps aarch64_translator_ops;
- #else
- static inline void a64_translate_init(void)
-@@ -XXX,XX +XXX,XX @@ static inline void a64_translate_init(void)
- static inline void gen_a64_set_pc_im(uint64_t val)
- {
- }
--
--static inline void aarch64_cpu_dump_state(CPUState *cs, FILE *f, int flags)
--{
--}
- #endif
- void arm_test_cc(DisasCompare *cmp, int cc);
 diff --git a/target/arm/cpu.c b/target/arm/cpu.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.c
 +++ b/target/arm/cpu.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ static void arm926_initfn(Object *obj)
-  */
+      * set the field to indicate Jazelle support within QEMU.
+      */
- #include "qemu/osdep.h"
+     cpu->isar.id_isar1 = FIELD_DP32(cpu->isar.id_isar1, ID_ISAR1, JAZELLE, 1);
-+#include "qemu/qemu-print.h"
++    /*
- #include "qemu-common.h"
++     * Similarly, we need to set MVFR0 fields to enable double precision
- #include "target/arm/idau.h"
++     * and short vector support even though ARMv5 doesn't have this register.
- #include "qemu/module.h"
++     */
-@@ -XXX,XX +XXX,XX @@ static void arm_disas_set_info(CPUState *cpu, disassemble_info *info)
++    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPSHVEC, 1);
- #endif
++    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPDP, 1);
  }
-+#ifdef TARGET_AARCH64
+ static void arm946_initfn(Object *obj)
-+
+@@ -XXX,XX +XXX,XX @@ static void arm1026_initfn(Object *obj)
-+static void aarch64_cpu_dump_state(CPUState *cs, FILE *f, int flags)
+      * set the field to indicate Jazelle support within QEMU.
-+{
+      */
-+    ARMCPU *cpu = ARM_CPU(cs);
+     cpu->isar.id_isar1 = FIELD_DP32(cpu->isar.id_isar1, ID_ISAR1, JAZELLE, 1);
-+    CPUARMState *env = &cpu->env;
++    /*
-+    uint32_t psr = pstate_read(env);
++     * Similarly, we need to set MVFR0 fields to enable double precision
-+    int i;
++     * and short vector support even though ARMv5 doesn't have this register.
-+    int el = arm_current_el(env);
++     */
-+    const char *ns_status;
++    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPSHVEC, 1);
-+
++    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPDP, 1);
-+    qemu_fprintf(f, " PC=%016" PRIx64 " ", env->pc);
-+    for (i = 0; i < 32; i++) {
+     {
-+        if (i == 31) {
+         /* The 1026 had an IFAR at c6,c0,0,1 rather than the ARMv6 c6,c0,0,2 */
 +            qemu_fprintf(f, " SP=%016" PRIx64 "\n", env->xregs[i]);
 +        } else {
 +            qemu_fprintf(f, "X%02d=%016" PRIx64 "%s", i, env->xregs[i],
 +                         (i + 2) % 3 ? " " : "\n");
 +        }
 +    }
 +
 +    if (arm_feature(env, ARM_FEATURE_EL3) && el != 3) {
 +        ns_status = env->cp15.scr_el3 & SCR_NS ? "NS " : "S ";
 +    } else {
 +        ns_status = "";
 +    }
 +    qemu_fprintf(f, "PSTATE=%08x %c%c%c%c %sEL%d%c",
 +                 psr,
 +                 psr & PSTATE_N ? 'N' : '-',
 +                 psr & PSTATE_Z ? 'Z' : '-',
 +                 psr & PSTATE_C ? 'C' : '-',
 +                 psr & PSTATE_V ? 'V' : '-',
 +                 ns_status,
 +                 el,
 +                 psr & PSTATE_SP ? 'h' : 't');
 +
 +    if (cpu_isar_feature(aa64_bti, cpu)) {
 +        qemu_fprintf(f, "  BTYPE=%d", (psr & PSTATE_BTYPE) >> 10);
 +    }
 +    if (!(flags & CPU_DUMP_FPU)) {
 +        qemu_fprintf(f, "\n");
 +        return;
 +    }
 +    if (fp_exception_el(env, el) != 0) {
 +        qemu_fprintf(f, "    FPU disabled\n");
 +        return;
 +    }
 +    qemu_fprintf(f, "     FPCR=%08x FPSR=%08x\n",
 +                 vfp_get_fpcr(env), vfp_get_fpsr(env));
 +
 +    if (cpu_isar_feature(aa64_sve, cpu) && sve_exception_el(env, el) == 0) {
 +        int j, zcr_len = sve_zcr_len_for_el(env, el);
 +
 +        for (i = 0; i <= FFR_PRED_NUM; i++) {
 +            bool eol;
 +            if (i == FFR_PRED_NUM) {
 +                qemu_fprintf(f, "FFR=");
 +                /* It's last, so end the line.  */
 +                eol = true;
 +            } else {
 +                qemu_fprintf(f, "P%02d=", i);
 +                switch (zcr_len) {
 +                case 0:
 +                    eol = i % 8 == 7;
 +                    break;
 +                case 1:
 +                    eol = i % 6 == 5;
 +                    break;
 +                case 2:
 +                case 3:
 +                    eol = i % 3 == 2;
 +                    break;
 +                default:
 +                    /* More than one quadword per predicate.  */
 +                    eol = true;
 +                    break;
 +                }
 +            }
 +            for (j = zcr_len / 4; j >= 0; j--) {
 +                int digits;
 +                if (j * 4 + 4 <= zcr_len + 1) {
 +                    digits = 16;
 +                } else {
 +                    digits = (zcr_len % 4 + 1) * 4;
 +                }
 +                qemu_fprintf(f, "%0*" PRIx64 "%s", digits,
 +                             env->vfp.pregs[i].p[j],
 +                             j ? ":" : eol ? "\n" : " ");
 +            }
 +        }
 +
 +        for (i = 0; i < 32; i++) {
 +            if (zcr_len == 0) {
 +                qemu_fprintf(f, "Z%02d=%016" PRIx64 ":%016" PRIx64 "%s",
 +                             i, env->vfp.zregs[i].d[1],
 +                             env->vfp.zregs[i].d[0], i & 1 ? "\n" : " ");
 +            } else if (zcr_len == 1) {
 +                qemu_fprintf(f, "Z%02d=%016" PRIx64 ":%016" PRIx64
 +                             ":%016" PRIx64 ":%016" PRIx64 "\n",
 +                             i, env->vfp.zregs[i].d[3], env->vfp.zregs[i].d[2],
 +                             env->vfp.zregs[i].d[1], env->vfp.zregs[i].d[0]);
 +            } else {
 +                for (j = zcr_len; j >= 0; j--) {
 +                    bool odd = (zcr_len - j) % 2 != 0;
 +                    if (j == zcr_len) {
 +                        qemu_fprintf(f, "Z%02d[%x-%x]=", i, j, j - 1);
 +                    } else if (!odd) {
 +                        if (j > 0) {
 +                            qemu_fprintf(f, "   [%x-%x]=", j, j - 1);
 +                        } else {
 +                            qemu_fprintf(f, "     [%x]=", j);
 +                        }
 +                    }
 +                    qemu_fprintf(f, "%016" PRIx64 ":%016" PRIx64 "%s",
 +                                 env->vfp.zregs[i].d[j * 2 + 1],
 +                                 env->vfp.zregs[i].d[j * 2],
 +                                 odd || j == 0 ? "\n" : ":");
 +                }
 +            }
 +        }
 +    } else {
 +        for (i = 0; i < 32; i++) {
 +            uint64_t *q = aa64_vfp_qreg(env, i);
 +            qemu_fprintf(f, "Q%02d=%016" PRIx64 ":%016" PRIx64 "%s",
 +                         i, q[1], q[0], (i & 1 ? "\n" : " "));
 +        }
 +    }
 +}
 +
 +#else
 +
 +static inline void aarch64_cpu_dump_state(CPUState *cs, FILE *f, int flags)
 +{
 +    g_assert_not_reached();
 +}
 +
 +#endif
 +
 +static void arm_cpu_dump_state(CPUState *cs, FILE *f, int flags)
 +{
 +    ARMCPU *cpu = ARM_CPU(cs);
 +    CPUARMState *env = &cpu->env;
 +    int i;
 +
 +    if (is_a64(env)) {
 +        aarch64_cpu_dump_state(cs, f, flags);
 +        return;
 +    }
 +
 +    for (i = 0; i < 16; i++) {
 +        qemu_fprintf(f, "R%02d=%08x", i, env->regs[i]);
 +        if ((i % 4) == 3) {
 +            qemu_fprintf(f, "\n");
 +        } else {
 +            qemu_fprintf(f, " ");
 +        }
 +    }
 +
 +    if (arm_feature(env, ARM_FEATURE_M)) {
 +        uint32_t xpsr = xpsr_read(env);
 +        const char *mode;
 +        const char *ns_status = "";
 +
 +        if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
 +            ns_status = env->v7m.secure ? "S " : "NS ";
 +        }
 +
 +        if (xpsr & XPSR_EXCP) {
 +            mode = "handler";
 +        } else {
 +            if (env->v7m.control[env->v7m.secure] & R_V7M_CONTROL_NPRIV_MASK) {
 +                mode = "unpriv-thread";
 +            } else {
 +                mode = "priv-thread";
 +            }
 +        }
 +
 +        qemu_fprintf(f, "XPSR=%08x %c%c%c%c %c %s%s\n",
 +                     xpsr,
 +                     xpsr & XPSR_N ? 'N' : '-',
 +                     xpsr & XPSR_Z ? 'Z' : '-',
 +                     xpsr & XPSR_C ? 'C' : '-',
 +                     xpsr & XPSR_V ? 'V' : '-',
 +                     xpsr & XPSR_T ? 'T' : 'A',
 +                     ns_status,
 +                     mode);
 +    } else {
 +        uint32_t psr = cpsr_read(env);
 +        const char *ns_status = "";
 +
 +        if (arm_feature(env, ARM_FEATURE_EL3) &&
 +            (psr & CPSR_M) != ARM_CPU_MODE_MON) {
 +            ns_status = env->cp15.scr_el3 & SCR_NS ? "NS " : "S ";
 +        }
 +
 +        qemu_fprintf(f, "PSR=%08x %c%c%c%c %c %s%s%d\n",
 +                     psr,
 +                     psr & CPSR_N ? 'N' : '-',
 +                     psr & CPSR_Z ? 'Z' : '-',
 +                     psr & CPSR_C ? 'C' : '-',
 +                     psr & CPSR_V ? 'V' : '-',
 +                     psr & CPSR_T ? 'T' : 'A',
 +                     ns_status,
 +                     aarch32_mode_name(psr), (psr & 0x10) ? 32 : 26);
 +    }
 +
 +    if (flags & CPU_DUMP_FPU) {
 +        int numvfpregs = 0;
 +        if (arm_feature(env, ARM_FEATURE_VFP)) {
 +            numvfpregs += 16;
 +        }
 +        if (arm_feature(env, ARM_FEATURE_VFP3)) {
 +            numvfpregs += 16;
 +        }
 +        for (i = 0; i < numvfpregs; i++) {
 +            uint64_t v = *aa32_vfp_dreg(env, i);
 +            qemu_fprintf(f, "s%02d=%08x s%02d=%08x d%02d=%016" PRIx64 "\n",
 +                         i * 2, (uint32_t)v,
 +                         i * 2 + 1, (uint32_t)(v >> 32),
 +                         i, v);
 +        }
 +        qemu_fprintf(f, "FPSCR: %08x\n", vfp_get_fpscr(env));
 +    }
 +}
 +
  uint64_t arm_cpu_mp_affinity(int idx, uint8_t clustersz)
  {
      uint32_t Aff1 = idx / clustersz;
 diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-a64.c
 +++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@
  #include "translate.h"
  #include "internals.h"
  #include "qemu/host-utils.h"
 -#include "qemu/qemu-print.h"
  #include "hw/semihosting/semihost.h"
  #include "exec/gen-icount.h"
@@ -XXX,XX +XXX,XX @@ static void set_btype(DisasContext *s, int val)
      s->btype = -1;
  }
 -void aarch64_cpu_dump_state(CPUState *cs, FILE *f, int flags)
 -{
 -    ARMCPU *cpu = ARM_CPU(cs);
 -    CPUARMState *env = &cpu->env;
 -    uint32_t psr = pstate_read(env);
 -    int i;
 -    int el = arm_current_el(env);
 -    const char *ns_status;
 -
 -    qemu_fprintf(f, " PC=%016" PRIx64 " ", env->pc);
 -    for (i = 0; i < 32; i++) {
 -        if (i == 31) {
 -            qemu_fprintf(f, " SP=%016" PRIx64 "\n", env->xregs[i]);
 -        } else {
 -            qemu_fprintf(f, "X%02d=%016" PRIx64 "%s", i, env->xregs[i],
 -                         (i + 2) % 3 ? " " : "\n");
 -        }
 -    }
 -
 -    if (arm_feature(env, ARM_FEATURE_EL3) && el != 3) {
 -        ns_status = env->cp15.scr_el3 & SCR_NS ? "NS " : "S ";
 -    } else {
 -        ns_status = "";
 -    }
 -    qemu_fprintf(f, "PSTATE=%08x %c%c%c%c %sEL%d%c",
 -                 psr,
 -                 psr & PSTATE_N ? 'N' : '-',
 -                 psr & PSTATE_Z ? 'Z' : '-',
 -                 psr & PSTATE_C ? 'C' : '-',
 -                 psr & PSTATE_V ? 'V' : '-',
 -                 ns_status,
 -                 el,
 -                 psr & PSTATE_SP ? 'h' : 't');
 -
 -    if (cpu_isar_feature(aa64_bti, cpu)) {
 -        qemu_fprintf(f, "  BTYPE=%d", (psr & PSTATE_BTYPE) >> 10);
 -    }
 -    if (!(flags & CPU_DUMP_FPU)) {
 -        qemu_fprintf(f, "\n");
 -        return;
 -    }
 -    if (fp_exception_el(env, el) != 0) {
 -        qemu_fprintf(f, "    FPU disabled\n");
 -        return;
 -    }
 -    qemu_fprintf(f, "     FPCR=%08x FPSR=%08x\n",
 -                 vfp_get_fpcr(env), vfp_get_fpsr(env));
 -
 -    if (cpu_isar_feature(aa64_sve, cpu) && sve_exception_el(env, el) == 0) {
 -        int j, zcr_len = sve_zcr_len_for_el(env, el);
 -
 -        for (i = 0; i <= FFR_PRED_NUM; i++) {
 -            bool eol;
 -            if (i == FFR_PRED_NUM) {
 -                qemu_fprintf(f, "FFR=");
 -                /* It's last, so end the line.  */
 -                eol = true;
 -            } else {
 -                qemu_fprintf(f, "P%02d=", i);
 -                switch (zcr_len) {
 -                case 0:
 -                    eol = i % 8 == 7;
 -                    break;
 -                case 1:
 -                    eol = i % 6 == 5;
 -                    break;
 -                case 2:
 -                case 3:
 -                    eol = i % 3 == 2;
 -                    break;
 -                default:
 -                    /* More than one quadword per predicate.  */
 -                    eol = true;
 -                    break;
 -                }
 -            }
 -            for (j = zcr_len / 4; j >= 0; j--) {
 -                int digits;
 -                if (j * 4 + 4 <= zcr_len + 1) {
 -                    digits = 16;
 -                } else {
 -                    digits = (zcr_len % 4 + 1) * 4;
 -                }
 -                qemu_fprintf(f, "%0*" PRIx64 "%s", digits,
 -                             env->vfp.pregs[i].p[j],
 -                             j ? ":" : eol ? "\n" : " ");
 -            }
 -        }
 -
 -        for (i = 0; i < 32; i++) {
 -            if (zcr_len == 0) {
 -                qemu_fprintf(f, "Z%02d=%016" PRIx64 ":%016" PRIx64 "%s",
 -                             i, env->vfp.zregs[i].d[1],
 -                             env->vfp.zregs[i].d[0], i & 1 ? "\n" : " ");
 -            } else if (zcr_len == 1) {
 -                qemu_fprintf(f, "Z%02d=%016" PRIx64 ":%016" PRIx64
 -                             ":%016" PRIx64 ":%016" PRIx64 "\n",
 -                             i, env->vfp.zregs[i].d[3], env->vfp.zregs[i].d[2],
 -                             env->vfp.zregs[i].d[1], env->vfp.zregs[i].d[0]);
 -            } else {
 -                for (j = zcr_len; j >= 0; j--) {
 -                    bool odd = (zcr_len - j) % 2 != 0;
 -                    if (j == zcr_len) {
 -                        qemu_fprintf(f, "Z%02d[%x-%x]=", i, j, j - 1);
 -                    } else if (!odd) {
 -                        if (j > 0) {
 -                            qemu_fprintf(f, "   [%x-%x]=", j, j - 1);
 -                        } else {
 -                            qemu_fprintf(f, "     [%x]=", j);
 -                        }
 -                    }
 -                    qemu_fprintf(f, "%016" PRIx64 ":%016" PRIx64 "%s",
 -                                 env->vfp.zregs[i].d[j * 2 + 1],
 -                                 env->vfp.zregs[i].d[j * 2],
 -                                 odd || j == 0 ? "\n" : ":");
 -                }
 -            }
 -        }
 -    } else {
 -        for (i = 0; i < 32; i++) {
 -            uint64_t *q = aa64_vfp_qreg(env, i);
 -            qemu_fprintf(f, "Q%02d=%016" PRIx64 ":%016" PRIx64 "%s",
 -                         i, q[1], q[0], (i & 1 ? "\n" : " "));
 -        }
 -    }
 -}
 -
  void gen_a64_set_pc_im(uint64_t val)
  {
      tcg_gen_movi_i64(cpu_pc, val);
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.c
 +++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@
  #include "tcg-op-gvec.h"
  #include "qemu/log.h"
  #include "qemu/bitops.h"
 -#include "qemu/qemu-print.h"
  #include "arm_ldst.h"
  #include "hw/semihosting/semihost.h"
@@ -XXX,XX +XXX,XX @@ void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns)
      translator_loop(ops, &dc.base, cpu, tb, max_insns);
  }
 -void arm_cpu_dump_state(CPUState *cs, FILE *f, int flags)
 -{
 -    ARMCPU *cpu = ARM_CPU(cs);
 -    CPUARMState *env = &cpu->env;
 -    int i;
 -
 -    if (is_a64(env)) {
 -        aarch64_cpu_dump_state(cs, f, flags);
 -        return;
 -    }
 -
 -    for (i = 0; i < 16; i++) {
 -        qemu_fprintf(f, "R%02d=%08x", i, env->regs[i]);
 -        if ((i % 4) == 3) {
 -            qemu_fprintf(f, "\n");
 -        } else {
 -            qemu_fprintf(f, " ");
 -        }
 -    }
 -
 -    if (arm_feature(env, ARM_FEATURE_M)) {
 -        uint32_t xpsr = xpsr_read(env);
 -        const char *mode;
 -        const char *ns_status = "";
 -
 -        if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
 -            ns_status = env->v7m.secure ? "S " : "NS ";
 -        }
 -
 -        if (xpsr & XPSR_EXCP) {
 -            mode = "handler";
 -        } else {
 -            if (env->v7m.control[env->v7m.secure] & R_V7M_CONTROL_NPRIV_MASK) {
 -                mode = "unpriv-thread";
 -            } else {
 -                mode = "priv-thread";
 -            }
 -        }
 -
 -        qemu_fprintf(f, "XPSR=%08x %c%c%c%c %c %s%s\n",
 -                     xpsr,
 -                     xpsr & XPSR_N ? 'N' : '-',
 -                     xpsr & XPSR_Z ? 'Z' : '-',
 -                     xpsr & XPSR_C ? 'C' : '-',
 -                     xpsr & XPSR_V ? 'V' : '-',
 -                     xpsr & XPSR_T ? 'T' : 'A',
 -                     ns_status,
 -                     mode);
 -    } else {
 -        uint32_t psr = cpsr_read(env);
 -        const char *ns_status = "";
 -
 -        if (arm_feature(env, ARM_FEATURE_EL3) &&
 -            (psr & CPSR_M) != ARM_CPU_MODE_MON) {
 -            ns_status = env->cp15.scr_el3 & SCR_NS ? "NS " : "S ";
 -        }
 -
 -        qemu_fprintf(f, "PSR=%08x %c%c%c%c %c %s%s%d\n",
 -                     psr,
 -                     psr & CPSR_N ? 'N' : '-',
 -                     psr & CPSR_Z ? 'Z' : '-',
 -                     psr & CPSR_C ? 'C' : '-',
 -                     psr & CPSR_V ? 'V' : '-',
 -                     psr & CPSR_T ? 'T' : 'A',
 -                     ns_status,
 -                     aarch32_mode_name(psr), (psr & 0x10) ? 32 : 26);
 -    }
 -
 -    if (flags & CPU_DUMP_FPU) {
 -        int numvfpregs = 0;
 -        if (arm_feature(env, ARM_FEATURE_VFP)) {
 -            numvfpregs += 16;
 -        }
 -        if (arm_feature(env, ARM_FEATURE_VFP3)) {
 -            numvfpregs += 16;
 -        }
 -        for (i = 0; i < numvfpregs; i++) {
 -            uint64_t v = *aa32_vfp_dreg(env, i);
 -            qemu_fprintf(f, "s%02d=%08x s%02d=%08x d%02d=%016" PRIx64 "\n",
 -                         i * 2, (uint32_t)v,
 -                         i * 2 + 1, (uint32_t)(v >> 32),
 -                         i, v);
 -        }
 -        qemu_fprintf(f, "FPSCR: %08x\n", vfp_get_fpscr(env));
 -    }
 -}
 -
  void restore_state_to_opc(CPUARMState *env, TranslationBlock *tb,
                            target_ulong *data)
  {
 --
 .20.1

-[Qemu-devel] [PULL 34/46] target/arm: Fix multiline comment syntax
+[Qemu-devel] [PULL 10/10] target/arm: NS BusFault on vector table fetch escalates to NS HardFault
-From: Philippe Mathieu-Daudé <philmd@redhat.com>
+In the M-profile architecture, when we do a vector table fetch and it
 fails, we need to report a HardFault.  Whether this is a Secure HF or
 a NonSecure HF depends on several things.  If AIRCR.BFHFNMINS is 0
 then HF is always Secure, because there is no NonSecure HardFault.
 Otherwise, the answer depends on whether the 'underlying exception'
 (MemManage, BusFault, SecureFault) targets Secure or NonSecure.  (In
 the pseudocode, this is handled in the Vector() function: the final
 exc.isSecure is calculated by looking at the exc.isSecure from the
 exception returned from the memory access, not the isSecure input
 argument.)
-Since commit 8c06fbdf36b checkpatch.pl enforce a new multiline
+We weren't doing this correctly, because we were looking at
-comment syntax. Since we'll move this code around, fix its style
+the target security domain of the exception we were trying to
-first.
+load the vector table entry for. This produces errors of two kinds:
  * a load from the NS vector table which hits the "NS access
    to S memory" SecureFault should end up as a Secure HardFault,
    but we were raising an NS HardFault
  * a load from the S vector table which causes a BusFault
    should raise an NS HardFault if BFHFNMINS == 1 (because
    in that case all BusFaults are NonSecure), but we were raising
    a Secure HardFault
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Correct the logic.
-Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20190701132516.26392-8-philmd@redhat.com
+We also fix a comment error where we claimed that we might
 be escalating MemManage to HardFault, and forgot about SecureFault.
 (Vector loads can never hit MPU access faults, because they're
 always aligned and always use the default address map.)
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20190705094823.28905-1-peter.maydell@linaro.org
 ---
- target/arm/helper.c     | 237 ++++++++++++++++++++++++++--------------
+ target/arm/m_helper.c | 21 +++++++++++++++++----
- target/arm/op_helper.c  |  54 ++++++---
+file changed, 17 insertions(+), 4 deletions(-)
  target/arm/vfp_helper.c |   3 +-
 files changed, 196 insertions(+), 98 deletions(-)
-diff --git a/target/arm/helper.c b/target/arm/helper.c
+diff --git a/target/arm/m_helper.c b/target/arm/m_helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
+--- a/target/arm/m_helper.c
-+++ b/target/arm/helper.c
++++ b/target/arm/m_helper.c
@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_vlldm)(CPUARMState *env, uint32_t fptr)
  uint32_t HELPER(v7m_tt)(CPUARMState *env, uint32_t addr, uint32_t op)
  {
 -    /* The TT instructions can be used by unprivileged code, but in
 +    /*
 +     * The TT instructions can be used by unprivileged code, but in
       * user-only emulation we don't have the MPU.
       * Luckily since we know we are NonSecure unprivileged (and that in
       * turn means that the A flag wasn't specified), all the bits in the
@@ -XXX,XX +XXX,XX @@ static bool v7m_stack_write(ARMCPU *cpu, uint32_t addr, uint32_t value,
      return true;
  pend_fault:
 -    /* By pending the exception at this point we are making
 +    /*
 +     * By pending the exception at this point we are making
       * the IMPDEF choice "overridden exceptions pended" (see the
       * MergeExcInfo() pseudocode). The other choice would be to not
       * pend them now and then make a choice about which to throw away
@@ -XXX,XX +XXX,XX @@ static bool v7m_stack_read(ARMCPU *cpu, uint32_t *dest, uint32_t addr,
      return true;
  pend_fault:
 -    /* By pending the exception at this point we are making
 +    /*
 +     * By pending the exception at this point we are making
       * the IMPDEF choice "overridden exceptions pended" (see the
       * MergeExcInfo() pseudocode). The other choice would be to not
       * pend them now and then make a choice about which to throw away
@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_preserve_fp_state)(CPUARMState *env)
       */
  }
 -/* Write to v7M CONTROL.SPSEL bit for the specified security bank.
 +/*
 + * Write to v7M CONTROL.SPSEL bit for the specified security bank.
   * This may change the current stack pointer between Main and Process
   * stack pointers if it is done for the CONTROL register for the current
   * security state.
@@ -XXX,XX +XXX,XX @@ static void write_v7m_control_spsel_for_secstate(CPUARMState *env,
      }
  }
 -/* Write to v7M CONTROL.SPSEL bit. This may change the current
 +/*
 + * Write to v7M CONTROL.SPSEL bit. This may change the current
   * stack pointer between Main and Process stack pointers.
   */
  static void write_v7m_control_spsel(CPUARMState *env, bool new_spsel)
@@ -XXX,XX +XXX,XX @@ static void write_v7m_control_spsel(CPUARMState *env, bool new_spsel)
  void write_v7m_exception(CPUARMState *env, uint32_t new_exc)
  {
 -    /* Write a new value to v7m.exception, thus transitioning into or out
 +    /*
 +     * Write a new value to v7m.exception, thus transitioning into or out
       * of Handler mode; this may result in a change of active stack pointer.
       */
      bool new_is_psp, old_is_psp = v7m_using_psp(env);
@@ -XXX,XX +XXX,XX @@ static void switch_v7m_security_state(CPUARMState *env, bool new_secstate)
          return;
      }
 -    /* All the banked state is accessed by looking at env->v7m.secure
 +    /*
 +     * All the banked state is accessed by looking at env->v7m.secure
       * except for the stack pointer; rearrange the SP appropriately.
       */
      new_ss_msp = env->v7m.other_ss_msp;
@@ -XXX,XX +XXX,XX @@ static void switch_v7m_security_state(CPUARMState *env, bool new_secstate)
  void HELPER(v7m_bxns)(CPUARMState *env, uint32_t dest)
  {
 -    /* Handle v7M BXNS:
 +    /*
 +     * Handle v7M BXNS:
       *  - if the return value is a magic value, do exception return (like BX)
       *  - otherwise bit 0 of the return value is the target security state
       */
@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_bxns)(CPUARMState *env, uint32_t dest)
      }
      if (dest >= min_magic) {
 -        /* This is an exception return magic value; put it where
 +        /*
 +         * This is an exception return magic value; put it where
           * do_v7m_exception_exit() expects and raise EXCEPTION_EXIT.
           * Note that if we ever add gen_ss_advance() singlestep support to
           * M profile this should count as an "instruction execution complete"
@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_bxns)(CPUARMState *env, uint32_t dest)
  void HELPER(v7m_blxns)(CPUARMState *env, uint32_t dest)
  {
 -    /* Handle v7M BLXNS:
 +    /*
 +     * Handle v7M BLXNS:
       *  - bit 0 of the destination address is the target security state
       */
@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_blxns)(CPUARMState *env, uint32_t dest)
      assert(env->v7m.secure);
      if (dest & 1) {
 -        /* target is Secure, so this is just a normal BLX,
 +        /*
 +         * Target is Secure, so this is just a normal BLX,
           * except that the low bit doesn't indicate Thumb/not.
           */
          env->regs[14] = nextinst;
@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_blxns)(CPUARMState *env, uint32_t dest)
      env->regs[13] = sp;
      env->regs[14] = 0xfeffffff;
      if (arm_v7m_is_handler_mode(env)) {
 -        /* Write a dummy value to IPSR, to avoid leaking the current secure
 +        /*
 +         * Write a dummy value to IPSR, to avoid leaking the current secure
           * exception number to non-secure code. This is guaranteed not
           * to cause write_v7m_exception() to actually change stacks.
           */
@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_blxns)(CPUARMState *env, uint32_t dest)
  static uint32_t *get_v7m_sp_ptr(CPUARMState *env, bool secure, bool threadmode,
                                  bool spsel)
  {
 -    /* Return a pointer to the location where we currently store the
 +    /*
 +     * Return a pointer to the location where we currently store the
       * stack pointer for the requested security state and thread mode.
       * This pointer will become invalid if the CPU state is updated
       * such that the stack pointers are switched around (eg changing
 @@ -XXX,XX +XXX,XX @@ static bool arm_v7m_load_vector(ARMCPU *cpu, int exc, bool targets_secure,
+         if (sattrs.ns) {
-     mmu_idx = arm_v7m_mmu_idx_for_secstate_and_priv(env, targets_secure, true);
+             attrs.secure = false;
+         } else if (!targets_secure) {
--    /* We don't do a get_phys_addr() here because the rules for vector
+-            /* NS access to S memory */
 +    /*
 +     * We don't do a get_phys_addr() here because the rules for vector
       * loads are special: they always use the default memory map, and
       * the default memory map permits reads from all addresses.
       * Since there's no easy way to pass through to pmsav8_mpu_lookup()
@@ -XXX,XX +XXX,XX @@ static bool arm_v7m_load_vector(ARMCPU *cpu, int exc, bool targets_secure,
      return true;
  load_fail:
 -    /* All vector table fetch fails are reported as HardFault, with
 +    /*
 +     * All vector table fetch fails are reported as HardFault, with
       * HFSR.VECTTBL and .FORCED set. (FORCED is set because
       * technically the underlying exception is a MemManage or BusFault
       * that is escalated to HardFault.) This is a terminal exception,
@@ -XXX,XX +XXX,XX @@ static uint32_t v7m_integrity_sig(CPUARMState *env, uint32_t lr)
  static bool v7m_push_callee_stack(ARMCPU *cpu, uint32_t lr, bool dotailchain,
                                    bool ignore_faults)
  {
 -    /* For v8M, push the callee-saves register part of the stack frame.
 +    /*
 +     * For v8M, push the callee-saves register part of the stack frame.
       * Compare the v8M pseudocode PushCalleeStack().
       * In the tailchaining case this may not be the current stack.
       */
@@ -XXX,XX +XXX,XX @@ static bool v7m_push_callee_stack(ARMCPU *cpu, uint32_t lr, bool dotailchain,
          return true;
      }
 -    /* Write as much of the stack frame as we can. A write failure may
 +    /*
 +     * Write as much of the stack frame as we can. A write failure may
       * cause us to pend a derived exception.
       */
      sig = v7m_integrity_sig(env, lr);
@@ -XXX,XX +XXX,XX @@ static bool v7m_push_callee_stack(ARMCPU *cpu, uint32_t lr, bool dotailchain,
  static void v7m_exception_taken(ARMCPU *cpu, uint32_t lr, bool dotailchain,
                                  bool ignore_stackfaults)
  {
 -    /* Do the "take the exception" parts of exception entry,
 +    /*
 +     * Do the "take the exception" parts of exception entry,
       * but not the pushing of state to the stack. This is
       * similar to the pseudocode ExceptionTaken() function.
       */
@@ -XXX,XX +XXX,XX @@ static void v7m_exception_taken(ARMCPU *cpu, uint32_t lr, bool dotailchain,
      if (arm_feature(env, ARM_FEATURE_V8)) {
          if (arm_feature(env, ARM_FEATURE_M_SECURITY) &&
              (lr & R_V7M_EXCRET_S_MASK)) {
 -            /* The background code (the owner of the registers in the
 +            /*
-+             * The background code (the owner of the registers in the
++             * NS access to S memory: the underlying exception which we escalate
-              * exception frame) is Secure. This means it may either already
++             * to HardFault is SecureFault, which always targets Secure.
-              * have or now needs to push callee-saves registers.
++             */
-              */
++            exc_secure = true;
-             if (targets_secure) {
+             goto load_fail;
                  if (dotailchain && !(lr & R_V7M_EXCRET_ES_MASK)) {
 -                    /* We took an exception from Secure to NonSecure
 +                    /*
 +                     * We took an exception from Secure to NonSecure
                       * (which means the callee-saved registers got stacked)
                       * and are now tailchaining to a Secure exception.
                       * Clear DCRS so eventual return from this Secure
@@ -XXX,XX +XXX,XX @@ static void v7m_exception_taken(ARMCPU *cpu, uint32_t lr, bool dotailchain,
                      lr &= ~R_V7M_EXCRET_DCRS_MASK;
                  }
              } else {
 -                /* We're going to a non-secure exception; push the
 +                /*
 +                 * We're going to a non-secure exception; push the
                   * callee-saves registers to the stack now, if they're
                   * not already saved.
                   */
@@ -XXX,XX +XXX,XX @@ static void v7m_exception_taken(ARMCPU *cpu, uint32_t lr, bool dotailchain,
              lr |= R_V7M_EXCRET_SPSEL_MASK;
          }
 -        /* Clear registers if necessary to prevent non-secure exception
 +        /*
 +         * Clear registers if necessary to prevent non-secure exception
           * code being able to see register values from secure code.
           * Where register values become architecturally UNKNOWN we leave
           * them with their previous values.
           */
          if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
              if (!targets_secure) {
 -                /* Always clear the caller-saved registers (they have been
 +                /*
 +                 * Always clear the caller-saved registers (they have been
                   * pushed to the stack earlier in v7m_push_stack()).
                   * Clear callee-saved registers if the background code is
                   * Secure (in which case these regs were saved in
@@ -XXX,XX +XXX,XX @@ static void v7m_exception_taken(ARMCPU *cpu, uint32_t lr, bool dotailchain,
      }
      if (push_failed && !ignore_stackfaults) {
 -        /* Derived exception on callee-saves register stacking:
 +        /*
 +         * Derived exception on callee-saves register stacking:
           * we might now want to take a different exception which
           * targets a different security state, so try again from the top.
           */
@@ -XXX,XX +XXX,XX @@ static void v7m_exception_taken(ARMCPU *cpu, uint32_t lr, bool dotailchain,
          return;
      }
 -    /* Now we've done everything that might cause a derived exception
 +    /*
 +     * Now we've done everything that might cause a derived exception
       * we can go ahead and activate whichever exception we're going to
       * take (which might now be the derived exception).
       */
@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_vlldm)(CPUARMState *env, uint32_t fptr)
  static bool v7m_push_stack(ARMCPU *cpu)
  {
 -    /* Do the "set up stack frame" part of exception entry,
 +    /*
 +     * Do the "set up stack frame" part of exception entry,
       * similar to pseudocode PushStack().
       * Return true if we generate a derived exception (and so
       * should ignore further stack faults trying to process
@@ -XXX,XX +XXX,XX @@ static bool v7m_push_stack(ARMCPU *cpu)
          }
      }
+@@ -XXX,XX +XXX,XX @@ static bool arm_v7m_load_vector(ARMCPU *cpu, int exc, bool targets_secure,
--    /* Write as much of the stack frame as we can. If we fail a stack
+     vector_entry = address_space_ldl(arm_addressspace(cs, attrs), addr,
-+    /*
+                                      attrs, &result);
-+     * Write as much of the stack frame as we can. If we fail a stack
+     if (result != MEMTX_OK) {
-      * write this will result in a derived exception being pended
++        /*
-      * (which may be taken in preference to the one we started with
++         * Underlying exception is BusFault: its target security state
-      * if it has higher priority).
++         * depends on BFHFNMINS.
-@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
++         */
-     bool ftype;
++        exc_secure = !(cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK);
-     bool restore_s16_s31;
+         goto load_fail;
 -    /* If we're not in Handler mode then jumps to magic exception-exit
 +    /*
 +     * If we're not in Handler mode then jumps to magic exception-exit
       * addresses don't have magic behaviour. However for the v8M
       * security extensions the magic secure-function-return has to
       * work in thread mode too, so to avoid doing an extra check in
@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
          return;
      }
+     *pvec = vector_entry;
--    /* In the spec pseudocode ExceptionReturn() is called directly
+@@ -XXX,XX +XXX,XX @@ load_fail:
-+    /*
+     /*
-+     * In the spec pseudocode ExceptionReturn() is called directly
+      * All vector table fetch fails are reported as HardFault, with
-      * from BXWritePC() and gets the full target PC value including
+      * HFSR.VECTTBL and .FORCED set. (FORCED is set because
-      * bit zero. In QEMU's implementation we treat it as a normal
+-     * technically the underlying exception is a MemManage or BusFault
-      * jump-to-register (which is then caught later on), and so split
++     * technically the underlying exception is a SecureFault or BusFault
-@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
+      * that is escalated to HardFault.) This is a terminal exception,
-     }
+      * so we will either take the HardFault immediately or else enter
+      * lockup (the latter case is handled in armv7m_nvic_set_pending_derived()).
-     if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
++     * The HardFault is Secure if BFHFNMINS is 0 (meaning that all HFs are
--        /* EXC_RETURN.ES validation check (R_SMFL). We must do this before
++     * secure); otherwise it targets the same security state as the
-+        /*
++     * underlying exception.
 +         * EXC_RETURN.ES validation check (R_SMFL). We must do this before
           * we pick which FAULTMASK to clear.
           */
          if (!env->v7m.secure &&
@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
      }
      if (env->v7m.exception != ARMV7M_EXCP_NMI) {
 -        /* Auto-clear FAULTMASK on return from other than NMI.
 +        /*
 +         * Auto-clear FAULTMASK on return from other than NMI.
           * If the security extension is implemented then this only
           * happens if the raw execution priority is >= 0; the
           * value of the ES bit in the exception return value indicates
@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
          /* still an irq active now */
          break;
      case 1:
 -        /* we returned to base exception level, no nesting.
 +        /*
 +         * We returned to base exception level, no nesting.
           * (In the pseudocode this is written using "NestedActivation != 1"
           * where we have 'rettobase == false'.)
           */
@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
      if (arm_feature(env, ARM_FEATURE_V8)) {
          if (!arm_feature(env, ARM_FEATURE_M_SECURITY)) {
 -            /* UNPREDICTABLE if S == 1 or DCRS == 0 or ES == 1 (R_XLCP);
 +            /*
 +             * UNPREDICTABLE if S == 1 or DCRS == 0 or ES == 1 (R_XLCP);
               * we choose to take the UsageFault.
               */
              if ((excret & R_V7M_EXCRET_S_MASK) ||
@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
              break;
          case 13: /* Return to Thread using Process stack */
          case 9: /* Return to Thread using Main stack */
 -            /* We only need to check NONBASETHRDENA for v7M, because in
 +            /*
 +             * We only need to check NONBASETHRDENA for v7M, because in
               * v8M this bit does not exist (it is RES1).
               */
              if (!rettobase &&
@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
      }
      if (ufault) {
 -        /* Bad exception return: instead of popping the exception
 +        /*
 +         * Bad exception return: instead of popping the exception
           * stack, directly take a usage fault on the current stack.
           */
          env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_INVPC_MASK;
@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
      switch_v7m_security_state(env, return_to_secure);
      {
 -        /* The stack pointer we should be reading the exception frame from
 +        /*
 +         * The stack pointer we should be reading the exception frame from
           * depends on bits in the magic exception return type value (and
           * for v8M isn't necessarily the stack pointer we will eventually
           * end up resuming execution with). Get a pointer to the location
@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
              v7m_stack_read(cpu, &xpsr, frameptr + 0x1c, mmu_idx);
          if (!pop_ok) {
 -            /* v7m_stack_read() pended a fault, so take it (as a tail
 +            /*
 +             * v7m_stack_read() pended a fault, so take it (as a tail
               * chained exception on the same stack frame)
               */
              qemu_log_mask(CPU_LOG_INT, "...derived exception on unstacking\n");
@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
              return;
          }
 -        /* Returning from an exception with a PC with bit 0 set is defined
 +        /*
 +         * Returning from an exception with a PC with bit 0 set is defined
           * behaviour on v8M (bit 0 is ignored), but for v7M it was specified
           * to be UNPREDICTABLE. In practice actual v7M hardware seems to ignore
           * the lsbit, and there are several RTOSes out there which incorrectly
@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
          }
          if (arm_feature(env, ARM_FEATURE_V8)) {
 -            /* For v8M we have to check whether the xPSR exception field
 +            /*
 +             * For v8M we have to check whether the xPSR exception field
               * matches the EXCRET value for return to handler/thread
               * before we commit to changing the SP and xPSR.
               */
              bool will_be_handler = (xpsr & XPSR_EXCP) != 0;
              if (return_to_handler != will_be_handler) {
 -                /* Take an INVPC UsageFault on the current stack.
 +                /*
 +                 * Take an INVPC UsageFault on the current stack.
                   * By this point we will have switched to the security state
                   * for the background state, so this UsageFault will target
                   * that state.
@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
                  frameptr += 0x40;
              }
          }
 -        /* Undo stack alignment (the SPREALIGN bit indicates that the original
 +        /*
 +         * Undo stack alignment (the SPREALIGN bit indicates that the original
           * pre-exception SP was not 8-aligned and we added a padding word to
           * align it, so we undo this by ORing in the bit that increases it
           * from the current 8-aligned value to the 8-unaligned value. (Adding 4
@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
                                                 V7M_CONTROL, SFPA, sfpa);
      }
 -    /* The restored xPSR exception field will be zero if we're
 +    /*
 +     * The restored xPSR exception field will be zero if we're
       * resuming in Thread mode. If that doesn't match what the
       * exception return excret specified then this is a UsageFault.
       * v7M requires we make this check here; v8M did it earlier.
       */
-     if (return_to_handler != arm_v7m_is_handler_mode(env)) {
+-    exc_secure = targets_secure ||
--        /* Take an INVPC UsageFault by pushing the stack again;
+-        !(cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK);
-+        /*
++    if (!(cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK)) {
-+         * Take an INVPC UsageFault by pushing the stack again;
++        exc_secure = true;
-          * we know we're v7M so this is never a Secure UsageFault.
++    }
-          */
+     env->v7m.hfsr |= R_V7M_HFSR_VECTTBL_MASK | R_V7M_HFSR_FORCED_MASK;
-         bool ignore_stackfaults;
+     armv7m_nvic_set_pending_derived(env->nvic, ARMV7M_EXCP_HARD, exc_secure);
-@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
+     return false;
  static bool do_v7m_function_return(ARMCPU *cpu)
  {
 -    /* v8M security extensions magic function return.
 +    /*
 +     * v8M security extensions magic function return.
       * We may either:
       *  (1) throw an exception (longjump)
       *  (2) return true if we successfully handled the function return
@@ -XXX,XX +XXX,XX @@ static bool do_v7m_function_return(ARMCPU *cpu)
          frame_sp_p = get_v7m_sp_ptr(env, true, threadmode, spsel);
          frameptr = *frame_sp_p;
 -        /* These loads may throw an exception (for MPU faults). We want to
 +        /*
 +         * These loads may throw an exception (for MPU faults). We want to
           * do them as secure, so work out what MMU index that is.
           */
          mmu_idx = arm_v7m_mmu_idx_for_secstate(env, true);
@@ -XXX,XX +XXX,XX @@ static void arm_log_exception(int idx)
  static bool v7m_read_half_insn(ARMCPU *cpu, ARMMMUIdx mmu_idx,
                                 uint32_t addr, uint16_t *insn)
  {
 -    /* Load a 16-bit portion of a v7M instruction, returning true on success,
 +    /*
 +     * Load a 16-bit portion of a v7M instruction, returning true on success,
       * or false on failure (in which case we will have pended the appropriate
       * exception).
       * We need to do the instruction fetch's MPU and SAU checks
@@ -XXX,XX +XXX,XX @@ static bool v7m_read_half_insn(ARMCPU *cpu, ARMMMUIdx mmu_idx,
      v8m_security_lookup(env, addr, MMU_INST_FETCH, mmu_idx, &sattrs);
      if (!sattrs.nsc || sattrs.ns) {
 -        /* This must be the second half of the insn, and it straddles a
 +        /*
 +         * This must be the second half of the insn, and it straddles a
           * region boundary with the second half not being S&NSC.
           */
          env->v7m.sfsr |= R_V7M_SFSR_INVEP_MASK;
@@ -XXX,XX +XXX,XX @@ static bool v7m_read_half_insn(ARMCPU *cpu, ARMMMUIdx mmu_idx,
  static bool v7m_handle_execute_nsc(ARMCPU *cpu)
  {
 -    /* Check whether this attempt to execute code in a Secure & NS-Callable
 +    /*
 +     * Check whether this attempt to execute code in a Secure & NS-Callable
       * memory region is for an SG instruction; if so, then emulate the
       * effect of the SG instruction and return true. Otherwise pend
       * the correct kind of exception and return false.
@@ -XXX,XX +XXX,XX @@ static bool v7m_handle_execute_nsc(ARMCPU *cpu)
      ARMMMUIdx mmu_idx;
      uint16_t insn;
 -    /* We should never get here unless get_phys_addr_pmsav8() caused
 +    /*
 +     * We should never get here unless get_phys_addr_pmsav8() caused
       * an exception for NS executing in S&NSC memory.
       */
      assert(!env->v7m.secure);
@@ -XXX,XX +XXX,XX @@ static bool v7m_handle_execute_nsc(ARMCPU *cpu)
      }
      if (insn != 0xe97f) {
 -        /* Not an SG instruction first half (we choose the IMPDEF
 +        /*
 +         * Not an SG instruction first half (we choose the IMPDEF
           * early-SG-check option).
           */
          goto gen_invep;
@@ -XXX,XX +XXX,XX @@ static bool v7m_handle_execute_nsc(ARMCPU *cpu)
      }
      if (insn != 0xe97f) {
 -        /* Not an SG instruction second half (yes, both halves of the SG
 +        /*
 +         * Not an SG instruction second half (yes, both halves of the SG
           * insn have the same hex value)
           */
          goto gen_invep;
      }
 -    /* OK, we have confirmed that we really have an SG instruction.
 +    /*
 +     * OK, we have confirmed that we really have an SG instruction.
       * We know we're NS in S memory so don't need to repeat those checks.
       */
      qemu_log_mask(CPU_LOG_INT, "...really an SG instruction at 0x%08" PRIx32
@@ -XXX,XX +XXX,XX @@ void arm_v7m_cpu_do_interrupt(CPUState *cs)
      arm_log_exception(cs->exception_index);
 -    /* For exceptions we just mark as pending on the NVIC, and let that
 -       handle it.  */
 +    /*
 +     * For exceptions we just mark as pending on the NVIC, and let that
 +     * handle it.
 +     */
      switch (cs->exception_index) {
      case EXCP_UDEF:
          armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, env->v7m.secure);
@@ -XXX,XX +XXX,XX @@ void arm_v7m_cpu_do_interrupt(CPUState *cs)
          break;
      case EXCP_PREFETCH_ABORT:
      case EXCP_DATA_ABORT:
 -        /* Note that for M profile we don't have a guest facing FSR, but
 +        /*
 +         * Note that for M profile we don't have a guest facing FSR, but
           * the env->exception.fsr will be populated by the code that
           * raises the fault, in the A profile short-descriptor format.
           */
          switch (env->exception.fsr & 0xf) {
          case M_FAKE_FSR_NSC_EXEC:
 -            /* Exception generated when we try to execute code at an address
 +            /*
 +             * Exception generated when we try to execute code at an address
               * which is marked as Secure & Non-Secure Callable and the CPU
               * is in the Non-Secure state. The only instruction which can
               * be executed like this is SG (and that only if both halves of
@@ -XXX,XX +XXX,XX @@ void arm_v7m_cpu_do_interrupt(CPUState *cs)
              }
              break;
          case M_FAKE_FSR_SFAULT:
 -            /* Various flavours of SecureFault for attempts to execute or
 +            /*
 +             * Various flavours of SecureFault for attempts to execute or
               * access data in the wrong security state.
               */
              switch (cs->exception_index) {
@@ -XXX,XX +XXX,XX @@ void arm_v7m_cpu_do_interrupt(CPUState *cs)
              armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_BUS, false);
              break;
          default:
 -            /* All other FSR values are either MPU faults or "can't happen
 +            /*
 +             * All other FSR values are either MPU faults or "can't happen
               * for M profile" cases.
               */
              switch (cs->exception_index) {
@@ -XXX,XX +XXX,XX @@ void arm_v7m_cpu_do_interrupt(CPUState *cs)
      if (arm_feature(env, ARM_FEATURE_V8)) {
          lr = R_V7M_EXCRET_RES1_MASK |
              R_V7M_EXCRET_DCRS_MASK;
 -        /* The S bit indicates whether we should return to Secure
 +        /*
 +         * The S bit indicates whether we should return to Secure
           * or NonSecure (ie our current state).
           * The ES bit indicates whether we're taking this exception
           * to Secure or NonSecure (ie our target state). We set it
@@ -XXX,XX +XXX,XX @@ void arm_v7m_cpu_do_interrupt(CPUState *cs)
      v7m_exception_taken(cpu, lr, false, ignore_stackfaults);
  }
 -/* Function used to synchronize QEMU's AArch64 register set with AArch32
 +/*
 + * Function used to synchronize QEMU's AArch64 register set with AArch32
   * register set.  This is necessary when switching between AArch32 and AArch64
   * execution state.
   */
@@ -XXX,XX +XXX,XX @@ void aarch64_sync_32_to_64(CPUARMState *env)
          env->xregs[i] = env->regs[i];
      }
 -    /* Unless we are in FIQ mode, x8-x12 come from the user registers r8-r12.
 +    /*
 +     * Unless we are in FIQ mode, x8-x12 come from the user registers r8-r12.
       * Otherwise, they come from the banked user regs.
       */
      if (mode == ARM_CPU_MODE_FIQ) {
@@ -XXX,XX +XXX,XX @@ void aarch64_sync_32_to_64(CPUARMState *env)
          }
      }
 -    /* Registers x13-x23 are the various mode SP and FP registers. Registers
 +    /*
 +     * Registers x13-x23 are the various mode SP and FP registers. Registers
       * r13 and r14 are only copied if we are in that mode, otherwise we copy
       * from the mode banked register.
       */
@@ -XXX,XX +XXX,XX @@ void aarch64_sync_32_to_64(CPUARMState *env)
          env->xregs[23] = env->banked_r13[bank_number(ARM_CPU_MODE_UND)];
      }
 -    /* Registers x24-x30 are mapped to r8-r14 in FIQ mode.  If we are in FIQ
 +    /*
 +     * Registers x24-x30 are mapped to r8-r14 in FIQ mode.  If we are in FIQ
       * mode, then we can copy from r8-r14.  Otherwise, we copy from the
       * FIQ bank for r8-r14.
       */
@@ -XXX,XX +XXX,XX @@ void aarch64_sync_32_to_64(CPUARMState *env)
      env->pc = env->regs[15];
  }
 -/* Function used to synchronize QEMU's AArch32 register set with AArch64
 +/*
 + * Function used to synchronize QEMU's AArch32 register set with AArch64
   * register set.  This is necessary when switching between AArch32 and AArch64
   * execution state.
   */
@@ -XXX,XX +XXX,XX @@ void aarch64_sync_64_to_32(CPUARMState *env)
          env->regs[i] = env->xregs[i];
      }
 -    /* Unless we are in FIQ mode, r8-r12 come from the user registers x8-x12.
 +    /*
 +     * Unless we are in FIQ mode, r8-r12 come from the user registers x8-x12.
       * Otherwise, we copy x8-x12 into the banked user regs.
       */
      if (mode == ARM_CPU_MODE_FIQ) {
@@ -XXX,XX +XXX,XX @@ void aarch64_sync_64_to_32(CPUARMState *env)
          }
      }
 -    /* Registers r13 & r14 depend on the current mode.
 +    /*
 +     * Registers r13 & r14 depend on the current mode.
       * If we are in a given mode, we copy the corresponding x registers to r13
       * and r14.  Otherwise, we copy the x register to the banked r13 and r14
       * for the mode.
@@ -XXX,XX +XXX,XX @@ void aarch64_sync_64_to_32(CPUARMState *env)
      } else {
          env->banked_r13[bank_number(ARM_CPU_MODE_USR)] = env->xregs[13];
 -        /* HYP is an exception in that it does not have its own banked r14 but
 +        /*
 +         * HYP is an exception in that it does not have its own banked r14 but
           * shares the USR r14
           */
          if (mode == ARM_CPU_MODE_HYP) {
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(v7m_mrs)(CPUARMState *env, uint32_t reg)
          return value;
      }
      case 0x94: /* CONTROL_NS */
 -        /* We have to handle this here because unprivileged Secure code
 +        /*
 +         * We have to handle this here because unprivileged Secure code
           * can read the NS CONTROL register.
           */
          if (!env->v7m.secure) {
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(v7m_mrs)(CPUARMState *env, uint32_t reg)
              return env->v7m.faultmask[M_REG_NS];
          case 0x98: /* SP_NS */
          {
 -            /* This gives the non-secure SP selected based on whether we're
 +            /*
 +             * This gives the non-secure SP selected based on whether we're
               * currently in handler mode or not, using the NS CONTROL.SPSEL.
               */
              bool spsel = env->v7m.control[M_REG_NS] & R_V7M_CONTROL_SPSEL_MASK;
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(v7m_mrs)(CPUARMState *env, uint32_t reg)
  void HELPER(v7m_msr)(CPUARMState *env, uint32_t maskreg, uint32_t val)
  {
 -    /* We're passed bits [11..0] of the instruction; extract
 +    /*
 +     * We're passed bits [11..0] of the instruction; extract
       * SYSm and the mask bits.
       * Invalid combinations of SYSm and mask are UNPREDICTABLE;
       * we choose to treat them as if the mask bits were valid.
@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_msr)(CPUARMState *env, uint32_t maskreg, uint32_t val)
              return;
          case 0x98: /* SP_NS */
          {
 -            /* This gives the non-secure SP selected based on whether we're
 +            /*
 +             * This gives the non-secure SP selected based on whether we're
               * currently in handler mode or not, using the NS CONTROL.SPSEL.
               */
              bool spsel = env->v7m.control[M_REG_NS] & R_V7M_CONTROL_SPSEL_MASK;
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(v7m_tt)(CPUARMState *env, uint32_t addr, uint32_t op)
      bool targetsec = env->v7m.secure;
      bool is_subpage;
 -    /* Work out what the security state and privilege level we're
 +    /*
 +     * Work out what the security state and privilege level we're
       * interested in is...
       */
      if (alt) {
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(v7m_tt)(CPUARMState *env, uint32_t addr, uint32_t op)
      /* ...and then figure out which MMU index this is */
      mmu_idx = arm_v7m_mmu_idx_for_secstate_and_priv(env, targetsec, targetpriv);
 -    /* We know that the MPU and SAU don't care about the access type
 +    /*
 +     * We know that the MPU and SAU don't care about the access type
       * for our purposes beyond that we don't want to claim to be
       * an insn fetch, so we arbitrarily call this a read.
       */
 -    /* MPU region info only available for privileged or if
 +    /*
 +     * MPU region info only available for privileged or if
       * inspecting the other MPU state.
       */
      if (arm_current_el(env) != 0 || alt) {
@@ -XXX,XX +XXX,XX @@ bool arm_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
  void HELPER(dc_zva)(CPUARMState *env, uint64_t vaddr_in)
  {
 -    /* Implement DC ZVA, which zeroes a fixed-length block of memory.
 +    /*
 +     * Implement DC ZVA, which zeroes a fixed-length block of memory.
       * Note that we do not implement the (architecturally mandated)
       * alignment fault for attempts to use this on Device memory
       * (which matches the usual QEMU behaviour of not implementing either
@@ -XXX,XX +XXX,XX @@ void HELPER(dc_zva)(CPUARMState *env, uint64_t vaddr_in)
  #ifndef CONFIG_USER_ONLY
      {
 -        /* Slightly awkwardly, QEMU's TARGET_PAGE_SIZE may be less than
 +        /*
 +         * Slightly awkwardly, QEMU's TARGET_PAGE_SIZE may be less than
           * the block size so we might have to do more than one TLB lookup.
           * We know that in fact for any v8 CPU the page size is at least 4K
           * and the block size must be 2K or less, but TARGET_PAGE_SIZE is only
@@ -XXX,XX +XXX,XX @@ void HELPER(dc_zva)(CPUARMState *env, uint64_t vaddr_in)
                  }
              }
              if (i == maxidx) {
 -                /* If it's all in the TLB it's fair game for just writing to;
 +                /*
 +                 * If it's all in the TLB it's fair game for just writing to;
                   * we know we don't need to update dirty status, etc.
                   */
                  for (i = 0; i < maxidx - 1; i++) {
@@ -XXX,XX +XXX,XX @@ void HELPER(dc_zva)(CPUARMState *env, uint64_t vaddr_in)
                  memset(hostaddr[i], 0, blocklen - (i * TARGET_PAGE_SIZE));
                  return;
              }
 -            /* OK, try a store and see if we can populate the tlb. This
 +            /*
 +             * OK, try a store and see if we can populate the tlb. This
               * might cause an exception if the memory isn't writable,
               * in which case we will longjmp out of here. We must for
               * this purpose use the actual register value passed to us
@@ -XXX,XX +XXX,XX @@ void HELPER(dc_zva)(CPUARMState *env, uint64_t vaddr_in)
              }
          }
 -        /* Slow path (probably attempt to do this to an I/O device or
 +        /*
 +         * Slow path (probably attempt to do this to an I/O device or
           * similar, or clearing of a block of code we have translations
           * cached for). Just do a series of byte writes as the architecture
           * demands. It's not worth trying to use a cpu_physical_memory_map(),
 diff --git a/target/arm/op_helper.c b/target/arm/op_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/op_helper.c
 +++ b/target/arm/op_helper.c
@@ -XXX,XX +XXX,XX @@ static inline uint32_t merge_syn_data_abort(uint32_t template_syn,
  {
      uint32_t syn;
 -    /* ISV is only set for data aborts routed to EL2 and
 +    /*
 +     * ISV is only set for data aborts routed to EL2 and
       * never for stage-1 page table walks faulting on stage 2.
       *
       * Furthermore, ISV is only set for certain kinds of load/stores.
@@ -XXX,XX +XXX,XX @@ static inline uint32_t merge_syn_data_abort(uint32_t template_syn,
          syn = syn_data_abort_no_iss(same_el,
                                      ea, 0, s1ptw, is_write, fsc);
      } else {
 -        /* Fields: IL, ISV, SAS, SSE, SRT, SF and AR come from the template
 +        /*
 +         * Fields: IL, ISV, SAS, SSE, SRT, SF and AR come from the template
           * syndrome created at translation time.
           * Now we create the runtime syndrome with the remaining fields.
           */
@@ -XXX,XX +XXX,XX @@ void arm_deliver_fault(ARMCPU *cpu, vaddr addr, MMUAccessType access_type,
      if (target_el == 2 || arm_el_is_aa64(env, target_el) ||
          arm_s1_regime_using_lpae_format(env, arm_mmu_idx)) {
 -        /* LPAE format fault status register : bottom 6 bits are
 +        /*
 +         * LPAE format fault status register : bottom 6 bits are
           * status code in the same form as needed for syndrome
           */
          fsr = arm_fi_to_lfsc(fi);
          fsc = extract32(fsr, 0, 6);
      } else {
          fsr = arm_fi_to_sfsc(fi);
 -        /* Short format FSR : this fault will never actually be reported
 +        /*
 +         * Short format FSR : this fault will never actually be reported
           * to an EL that uses a syndrome register. Use a (currently)
           * reserved FSR code in case the constructed syndrome does leak
           * into the guest somehow.
@@ -XXX,XX +XXX,XX @@ void arm_cpu_do_unaligned_access(CPUState *cs, vaddr vaddr,
      arm_deliver_fault(cpu, vaddr, access_type, mmu_idx, &fi);
  }
 -/* arm_cpu_do_transaction_failed: handle a memory system error response
 +/*
 + * arm_cpu_do_transaction_failed: handle a memory system error response
   * (eg "no device/memory present at address") by raising an external abort
   * exception
   */
@@ -XXX,XX +XXX,XX @@ static bool linked_bp_matches(ARMCPU *cpu, int lbn)
      int bt;
      uint32_t contextidr;
 -    /* Links to unimplemented or non-context aware breakpoints are
 +    /*
 +     * Links to unimplemented or non-context aware breakpoints are
       * CONSTRAINED UNPREDICTABLE: either behave as if disabled, or
       * as if linked to an UNKNOWN context-aware breakpoint (in which
       * case DBGWCR<n>_EL1.LBN must indicate that breakpoint).
@@ -XXX,XX +XXX,XX @@ static bool linked_bp_matches(ARMCPU *cpu, int lbn)
      bt = extract64(bcr, 20, 4);
 -    /* We match the whole register even if this is AArch32 using the
 +    /*
 +     * We match the whole register even if this is AArch32 using the
       * short descriptor format (in which case it holds both PROCID and ASID),
       * since we don't implement the optional v7 context ID masking.
       */
@@ -XXX,XX +XXX,XX @@ static bool linked_bp_matches(ARMCPU *cpu, int lbn)
      case 9: /* linked VMID match (reserved if no EL2) */
      case 11: /* linked context ID and VMID match (reserved if no EL2) */
      default:
 -        /* Links to Unlinked context breakpoints must generate no
 +        /*
 +         * Links to Unlinked context breakpoints must generate no
           * events; we choose to do the same for reserved values too.
           */
          return false;
@@ -XXX,XX +XXX,XX @@ static bool bp_wp_matches(ARMCPU *cpu, int n, bool is_wp)
      CPUARMState *env = &cpu->env;
      uint64_t cr;
      int pac, hmc, ssc, wt, lbn;
 -    /* Note that for watchpoints the check is against the CPU security
 +    /*
 +     * Note that for watchpoints the check is against the CPU security
       * state, not the S/NS attribute on the offending data access.
       */
      bool is_secure = arm_is_secure(env);
@@ -XXX,XX +XXX,XX @@ static bool bp_wp_matches(ARMCPU *cpu, int n, bool is_wp)
          }
          cr = env->cp15.dbgwcr[n];
          if (wp->hitattrs.user) {
 -            /* The LDRT/STRT/LDT/STT "unprivileged access" instructions should
 +            /*
 +             * The LDRT/STRT/LDT/STT "unprivileged access" instructions should
               * match watchpoints as if they were accesses done at EL0, even if
               * the CPU is at EL1 or higher.
               */
@@ -XXX,XX +XXX,XX @@ static bool bp_wp_matches(ARMCPU *cpu, int n, bool is_wp)
          }
          cr = env->cp15.dbgbcr[n];
      }
 -    /* The WATCHPOINT_HIT flag guarantees us that the watchpoint is
 +    /*
 +     * The WATCHPOINT_HIT flag guarantees us that the watchpoint is
       * enabled and that the address and access type match; for breakpoints
       * we know the address matched; check the remaining fields, including
       * linked breakpoints. We rely on WCR and BCR having the same layout
@@ -XXX,XX +XXX,XX @@ static bool check_watchpoints(ARMCPU *cpu)
      CPUARMState *env = &cpu->env;
      int n;
 -    /* If watchpoints are disabled globally or we can't take debug
 +    /*
 +     * If watchpoints are disabled globally or we can't take debug
       * exceptions here then watchpoint firings are ignored.
       */
      if (extract32(env->cp15.mdscr_el1, 15, 1) == 0
@@ -XXX,XX +XXX,XX @@ static bool check_breakpoints(ARMCPU *cpu)
      CPUARMState *env = &cpu->env;
      int n;
 -    /* If breakpoints are disabled globally or we can't take debug
 +    /*
 +     * If breakpoints are disabled globally or we can't take debug
       * exceptions here then breakpoint firings are ignored.
       */
      if (extract32(env->cp15.mdscr_el1, 15, 1) == 0
@@ -XXX,XX +XXX,XX @@ void HELPER(check_breakpoints)(CPUARMState *env)
  bool arm_debug_check_watchpoint(CPUState *cs, CPUWatchpoint *wp)
  {
 -    /* Called by core code when a CPU watchpoint fires; need to check if this
 +    /*
 +     * Called by core code when a CPU watchpoint fires; need to check if this
       * is also an architectural watchpoint match.
       */
      ARMCPU *cpu = ARM_CPU(cs);
@@ -XXX,XX +XXX,XX @@ vaddr arm_adjust_watchpoint_address(CPUState *cs, vaddr addr, int len)
      ARMCPU *cpu = ARM_CPU(cs);
      CPUARMState *env = &cpu->env;
 -    /* In BE32 system mode, target memory is stored byteswapped (on a
 +    /*
 +     * In BE32 system mode, target memory is stored byteswapped (on a
       * little-endian host system), and by the time we reach here (via an
       * opcode helper) the addresses of subword accesses have been adjusted
       * to account for that, which means that watchpoints will not match.
@@ -XXX,XX +XXX,XX @@ vaddr arm_adjust_watchpoint_address(CPUState *cs, vaddr addr, int len)
  void arm_debug_excp_handler(CPUState *cs)
  {
 -    /* Called by core code when a watchpoint or breakpoint fires;
 +    /*
 +     * Called by core code when a watchpoint or breakpoint fires;
       * need to check which one and raise the appropriate exception.
       */
      ARMCPU *cpu = ARM_CPU(cs);
@@ -XXX,XX +XXX,XX @@ void arm_debug_excp_handler(CPUState *cs)
          uint64_t pc = is_a64(env) ? env->pc : env->regs[15];
          bool same_el = (arm_debug_target_el(env) == arm_current_el(env));
 -        /* (1) GDB breakpoints should be handled first.
 +        /*
 +         * (1) GDB breakpoints should be handled first.
           * (2) Do not raise a CPU exception if no CPU breakpoint has fired,
           * since singlestep is also done by generating a debug internal
           * exception.
@@ -XXX,XX +XXX,XX @@ void arm_debug_excp_handler(CPUState *cs)
          }
          env->exception.fsr = arm_debug_exception_fsr(env);
 -        /* FAR is UNKNOWN: clear vaddress to avoid potentially exposing
 +        /*
 +         * FAR is UNKNOWN: clear vaddress to avoid potentially exposing
           * values to the guest that it shouldn't be able to see at its
           * exception/security level.
           */
 diff --git a/target/arm/vfp_helper.c b/target/arm/vfp_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/vfp_helper.c
 +++ b/target/arm/vfp_helper.c
@@ -XXX,XX +XXX,XX @@ void HELPER(vfp_set_fpscr)(CPUARMState *env, uint32_t val)
          set_default_nan_mode(dnan_enabled, &env->vfp.fp_status_f16);
      }
 -    /* The exception flags are ORed together when we read fpscr so we
 +    /*
 +     * The exception flags are ORed together when we read fpscr so we
       * only need to preserve the current state in one of our
       * float_status values.
       */
 --
 .20.1

-[Qemu-devel] [PULL 35/46] target/arm: Fix coding style issues
+Deleted patch
-From: Philippe Mathieu-Daudé <philmd@redhat.com>
-Since we'll move this code around, fix its style first.
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20190701132516.26392-9-philmd@redhat.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/translate.c  | 11 ++++++-----
- target/arm/vfp_helper.c | 36 ++++++++++++++++++++++++------------
-files changed, 30 insertions(+), 17 deletions(-)
-diff --git a/target/arm/translate.c b/target/arm/translate.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate.c
-+++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
-                 loaded_base = 0;
-                 loaded_var = NULL;
-                 n = 0;
--                for(i=0;i<16;i++) {
-+                for (i = 0; i < 16; i++) {
-                     if (insn & (1 << i))
-                         n++;
-                 }
-@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
-                     }
-                 }
-                 j = 0;
--                for(i=0;i<16;i++) {
-+                for (i = 0; i < 16; i++) {
-                     if (insn & (1 << i)) {
-                         if (is_load) {
-                             /* load */
-@@ -XXX,XX +XXX,XX @@ void arm_cpu_dump_state(CPUState *cs, FILE *f, int flags)
-         return;
-     }
--    for(i=0;i<16;i++) {
-+    for (i = 0; i < 16; i++) {
-         qemu_fprintf(f, "R%02d=%08x", i, env->regs[i]);
--        if ((i % 4) == 3)
-+        if ((i % 4) == 3) {
-             qemu_fprintf(f, "\n");
--        else
-+        } else {
-             qemu_fprintf(f, " ");
-+        }
-     }
-     if (arm_feature(env, ARM_FEATURE_M)) {
-diff --git a/target/arm/vfp_helper.c b/target/arm/vfp_helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/vfp_helper.c
-+++ b/target/arm/vfp_helper.c
-@@ -XXX,XX +XXX,XX @@ static inline int vfp_exceptbits_from_host(int host_bits)
- {
-     int target_bits = 0;
--    if (host_bits & float_flag_invalid)
-+    if (host_bits & float_flag_invalid) {
-         target_bits |= 1;
--    if (host_bits & float_flag_divbyzero)
-+    }
-+    if (host_bits & float_flag_divbyzero) {
-         target_bits |= 2;
--    if (host_bits & float_flag_overflow)
-+    }
-+    if (host_bits & float_flag_overflow) {
-         target_bits |= 4;
--    if (host_bits & (float_flag_underflow | float_flag_output_denormal))
-+    }
-+    if (host_bits & (float_flag_underflow | float_flag_output_denormal)) {
-         target_bits |= 8;
--    if (host_bits & float_flag_inexact)
-+    }
-+    if (host_bits & float_flag_inexact) {
-         target_bits |= 0x10;
--    if (host_bits & float_flag_input_denormal)
-+    }
-+    if (host_bits & float_flag_input_denormal) {
-         target_bits |= 0x80;
-+    }
-     return target_bits;
- }
-@@ -XXX,XX +XXX,XX @@ static inline int vfp_exceptbits_to_host(int target_bits)
- {
-     int host_bits = 0;
--    if (target_bits & 1)
-+    if (target_bits & 1) {
-         host_bits |= float_flag_invalid;
--    if (target_bits & 2)
-+    }
-+    if (target_bits & 2) {
-         host_bits |= float_flag_divbyzero;
--    if (target_bits & 4)
-+    }
-+    if (target_bits & 4) {
-         host_bits |= float_flag_overflow;
--    if (target_bits & 8)
-+    }
-+    if (target_bits & 8) {
-         host_bits |= float_flag_underflow;
--    if (target_bits & 0x10)
-+    }
-+    if (target_bits & 0x10) {
-         host_bits |= float_flag_inexact;
--    if (target_bits & 0x80)
-+    }
-+    if (target_bits & 0x80) {
-         host_bits |= float_flag_input_denormal;
-+    }
-     return host_bits;
- }
---
-.20.1

-[Qemu-devel] [PULL 36/46] target/arm: Move the DC ZVA helper into op_helper
+Deleted patch
-From: Samuel Ortiz <sameo@linux.intel.com>
-Those helpers are a software implementation of the ARM v8 memory zeroing
-op code. They should be moved to the op helper file, which is going to
-eventually be built only when TCG is enabled.
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Reviewed-by: Robert Bradford <robert.bradford@intel.com>
-Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20190701132516.26392-10-philmd@redhat.com
-[PMD: Rebased]
-Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/helper.c    | 92 -----------------------------------------
- target/arm/op_helper.c | 93 ++++++++++++++++++++++++++++++++++++++++++
-files changed, 93 insertions(+), 92 deletions(-)
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ bool arm_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
- #endif
- }
--void HELPER(dc_zva)(CPUARMState *env, uint64_t vaddr_in)
--{
--    /*
--     * Implement DC ZVA, which zeroes a fixed-length block of memory.
--     * Note that we do not implement the (architecturally mandated)
--     * alignment fault for attempts to use this on Device memory
--     * (which matches the usual QEMU behaviour of not implementing either
--     * alignment faults or any memory attribute handling).
--     */
--
--    ARMCPU *cpu = env_archcpu(env);
--    uint64_t blocklen = 4 << cpu->dcz_blocksize;
--    uint64_t vaddr = vaddr_in & ~(blocklen - 1);
--
--#ifndef CONFIG_USER_ONLY
--    {
--        /*
--         * Slightly awkwardly, QEMU's TARGET_PAGE_SIZE may be less than
--         * the block size so we might have to do more than one TLB lookup.
--         * We know that in fact for any v8 CPU the page size is at least 4K
--         * and the block size must be 2K or less, but TARGET_PAGE_SIZE is only
--         * 1K as an artefact of legacy v5 subpage support being present in the
--         * same QEMU executable. So in practice the hostaddr[] array has
--         * two entries, given the current setting of TARGET_PAGE_BITS_MIN.
--         */
--        int maxidx = DIV_ROUND_UP(blocklen, TARGET_PAGE_SIZE);
--        void *hostaddr[DIV_ROUND_UP(2 * KiB, 1 << TARGET_PAGE_BITS_MIN)];
--        int try, i;
--        unsigned mmu_idx = cpu_mmu_index(env, false);
--        TCGMemOpIdx oi = make_memop_idx(MO_UB, mmu_idx);
--
--        assert(maxidx <= ARRAY_SIZE(hostaddr));
--
--        for (try = 0; try < 2; try++) {
--
--            for (i = 0; i < maxidx; i++) {
--                hostaddr[i] = tlb_vaddr_to_host(env,
--                                                vaddr + TARGET_PAGE_SIZE * i,
--                                                1, mmu_idx);
--                if (!hostaddr[i]) {
--                    break;
--                }
--            }
--            if (i == maxidx) {
--                /*
--                 * If it's all in the TLB it's fair game for just writing to;
--                 * we know we don't need to update dirty status, etc.
--                 */
--                for (i = 0; i < maxidx - 1; i++) {
--                    memset(hostaddr[i], 0, TARGET_PAGE_SIZE);
--                }
--                memset(hostaddr[i], 0, blocklen - (i * TARGET_PAGE_SIZE));
--                return;
--            }
--            /*
--             * OK, try a store and see if we can populate the tlb. This
--             * might cause an exception if the memory isn't writable,
--             * in which case we will longjmp out of here. We must for
--             * this purpose use the actual register value passed to us
--             * so that we get the fault address right.
--             */
--            helper_ret_stb_mmu(env, vaddr_in, 0, oi, GETPC());
--            /* Now we can populate the other TLB entries, if any */
--            for (i = 0; i < maxidx; i++) {
--                uint64_t va = vaddr + TARGET_PAGE_SIZE * i;
--                if (va != (vaddr_in & TARGET_PAGE_MASK)) {
--                    helper_ret_stb_mmu(env, va, 0, oi, GETPC());
--                }
--            }
--        }
--
--        /*
--         * Slow path (probably attempt to do this to an I/O device or
--         * similar, or clearing of a block of code we have translations
--         * cached for). Just do a series of byte writes as the architecture
--         * demands. It's not worth trying to use a cpu_physical_memory_map(),
--         * memset(), unmap() sequence here because:
--         *  + we'd need to account for the blocksize being larger than a page
--         *  + the direct-RAM access case is almost always going to be dealt
--         *    with in the fastpath code above, so there's no speed benefit
--         *  + we would have to deal with the map returning NULL because the
--         *    bounce buffer was in use
--         */
--        for (i = 0; i < blocklen; i++) {
--            helper_ret_stb_mmu(env, vaddr + i, 0, oi, GETPC());
--        }
--    }
--#else
--    memset(g2h(vaddr), 0, blocklen);
--#endif
--}
--
- /* Note that signed overflow is undefined in C.  The following routines are
-    careful to use unsigned types where modulo arithmetic is required.
-    Failure to do so _will_ break on newer gcc.  */
-diff --git a/target/arm/op_helper.c b/target/arm/op_helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/op_helper.c
-+++ b/target/arm/op_helper.c
-@@ -XXX,XX +XXX,XX @@
-  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
-  */
- #include "qemu/osdep.h"
-+#include "qemu/units.h"
- #include "qemu/log.h"
- #include "qemu/main-loop.h"
- #include "cpu.h"
-@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(ror_cc)(CPUARMState *env, uint32_t x, uint32_t i)
-         return ((uint32_t)x >> shift) | (x << (32 - shift));
-     }
- }
-+
-+void HELPER(dc_zva)(CPUARMState *env, uint64_t vaddr_in)
-+{
-+    /*
-+     * Implement DC ZVA, which zeroes a fixed-length block of memory.
-+     * Note that we do not implement the (architecturally mandated)
-+     * alignment fault for attempts to use this on Device memory
-+     * (which matches the usual QEMU behaviour of not implementing either
-+     * alignment faults or any memory attribute handling).
-+     */
-+
-+    ARMCPU *cpu = env_archcpu(env);
-+    uint64_t blocklen = 4 << cpu->dcz_blocksize;
-+    uint64_t vaddr = vaddr_in & ~(blocklen - 1);
-+
-+#ifndef CONFIG_USER_ONLY
-+    {
-+        /*
-+         * Slightly awkwardly, QEMU's TARGET_PAGE_SIZE may be less than
-+         * the block size so we might have to do more than one TLB lookup.
-+         * We know that in fact for any v8 CPU the page size is at least 4K
-+         * and the block size must be 2K or less, but TARGET_PAGE_SIZE is only
-+         * 1K as an artefact of legacy v5 subpage support being present in the
-+         * same QEMU executable. So in practice the hostaddr[] array has
-+         * two entries, given the current setting of TARGET_PAGE_BITS_MIN.
-+         */
-+        int maxidx = DIV_ROUND_UP(blocklen, TARGET_PAGE_SIZE);
-+        void *hostaddr[DIV_ROUND_UP(2 * KiB, 1 << TARGET_PAGE_BITS_MIN)];
-+        int try, i;
-+        unsigned mmu_idx = cpu_mmu_index(env, false);
-+        TCGMemOpIdx oi = make_memop_idx(MO_UB, mmu_idx);
-+
-+        assert(maxidx <= ARRAY_SIZE(hostaddr));
-+
-+        for (try = 0; try < 2; try++) {
-+
-+            for (i = 0; i < maxidx; i++) {
-+                hostaddr[i] = tlb_vaddr_to_host(env,
-+                                                vaddr + TARGET_PAGE_SIZE * i,
-+                                                1, mmu_idx);
-+                if (!hostaddr[i]) {
-+                    break;
-+                }
-+            }
-+            if (i == maxidx) {
-+                /*
-+                 * If it's all in the TLB it's fair game for just writing to;
-+                 * we know we don't need to update dirty status, etc.
-+                 */
-+                for (i = 0; i < maxidx - 1; i++) {
-+                    memset(hostaddr[i], 0, TARGET_PAGE_SIZE);
-+                }
-+                memset(hostaddr[i], 0, blocklen - (i * TARGET_PAGE_SIZE));
-+                return;
-+            }
-+            /*
-+             * OK, try a store and see if we can populate the tlb. This
-+             * might cause an exception if the memory isn't writable,
-+             * in which case we will longjmp out of here. We must for
-+             * this purpose use the actual register value passed to us
-+             * so that we get the fault address right.
-+             */
-+            helper_ret_stb_mmu(env, vaddr_in, 0, oi, GETPC());
-+            /* Now we can populate the other TLB entries, if any */
-+            for (i = 0; i < maxidx; i++) {
-+                uint64_t va = vaddr + TARGET_PAGE_SIZE * i;
-+                if (va != (vaddr_in & TARGET_PAGE_MASK)) {
-+                    helper_ret_stb_mmu(env, va, 0, oi, GETPC());
-+                }
-+            }
-+        }
-+
-+        /*
-+         * Slow path (probably attempt to do this to an I/O device or
-+         * similar, or clearing of a block of code we have translations
-+         * cached for). Just do a series of byte writes as the architecture
-+         * demands. It's not worth trying to use a cpu_physical_memory_map(),
-+         * memset(), unmap() sequence here because:
-+         *  + we'd need to account for the blocksize being larger than a page
-+         *  + the direct-RAM access case is almost always going to be dealt
-+         *    with in the fastpath code above, so there's no speed benefit
-+         *  + we would have to deal with the map returning NULL because the
-+         *    bounce buffer was in use
-+         */
-+        for (i = 0; i < blocklen; i++) {
-+            helper_ret_stb_mmu(env, vaddr + i, 0, oi, GETPC());
-+        }
-+    }
-+#else
-+    memset(g2h(vaddr), 0, blocklen);
-+#endif
-+}
---
-.20.1

-[Qemu-devel] [PULL 38/46] target/arm: Declare get_phys_addr() function publicly
+Deleted patch
-From: Philippe Mathieu-Daudé <philmd@redhat.com>
-In the next commit we will split the TLB related routines of
-this file, and this function will also be called in the new
-file. Declare it in the "internals.h" header.
-Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20190701132516.26392-12-philmd@redhat.com
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/internals.h | 16 ++++++++++++++++
- target/arm/helper.c    | 21 +++++----------------
-files changed, 21 insertions(+), 16 deletions(-)
-diff --git a/target/arm/internals.h b/target/arm/internals.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/internals.h
-+++ b/target/arm/internals.h
-@@ -XXX,XX +XXX,XX @@ static inline int exception_target_el(CPUARMState *env)
-     return target_el;
- }
-+#ifndef CONFIG_USER_ONLY
-+
-+/* Cacheability and shareability attributes for a memory access */
-+typedef struct ARMCacheAttrs {
-+    unsigned int attrs:8; /* as in the MAIR register encoding */
-+    unsigned int shareability:2; /* as in the SH field of the VMSAv8-64 PTEs */
-+} ARMCacheAttrs;
-+
-+bool get_phys_addr(CPUARMState *env, target_ulong address,
-+                   MMUAccessType access_type, ARMMMUIdx mmu_idx,
-+                   hwaddr *phys_ptr, MemTxAttrs *attrs, int *prot,
-+                   target_ulong *page_size,
-+                   ARMMMUFaultInfo *fi, ARMCacheAttrs *cacheattrs);
-+
-+#endif /* !CONFIG_USER_ONLY */
-+
- #endif
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@
- #define ARM_CPU_FREQ 1000000000 /* FIXME: 1 GHz, should be configurable */
- #ifndef CONFIG_USER_ONLY
--/* Cacheability and shareability attributes for a memory access */
--typedef struct ARMCacheAttrs {
--    unsigned int attrs:8; /* as in the MAIR register encoding */
--    unsigned int shareability:2; /* as in the SH field of the VMSAv8-64 PTEs */
--} ARMCacheAttrs;
--
--static bool get_phys_addr(CPUARMState *env, target_ulong address,
--                          MMUAccessType access_type, ARMMMUIdx mmu_idx,
--                          hwaddr *phys_ptr, MemTxAttrs *attrs, int *prot,
--                          target_ulong *page_size,
--                          ARMMMUFaultInfo *fi, ARMCacheAttrs *cacheattrs);
- static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address,
-                                MMUAccessType access_type, ARMMMUIdx mmu_idx,
-@@ -XXX,XX +XXX,XX @@ static ARMCacheAttrs combine_cacheattrs(ARMCacheAttrs s1, ARMCacheAttrs s2)
-  * @fi: set to fault info if the translation fails
-  * @cacheattrs: (if non-NULL) set to the cacheability/shareability attributes
-  */
--static bool get_phys_addr(CPUARMState *env, target_ulong address,
--                          MMUAccessType access_type, ARMMMUIdx mmu_idx,
--                          hwaddr *phys_ptr, MemTxAttrs *attrs, int *prot,
--                          target_ulong *page_size,
--                          ARMMMUFaultInfo *fi, ARMCacheAttrs *cacheattrs)
-+bool get_phys_addr(CPUARMState *env, target_ulong address,
-+                   MMUAccessType access_type, ARMMMUIdx mmu_idx,
-+                   hwaddr *phys_ptr, MemTxAttrs *attrs, int *prot,
-+                   target_ulong *page_size,
-+                   ARMMMUFaultInfo *fi, ARMCacheAttrs *cacheattrs)
- {
-     if (mmu_idx == ARMMMUIdx_S12NSE0 || mmu_idx == ARMMMUIdx_S12NSE1) {
-         /* Call ourselves recursively to do the stage 1 and then stage 2
---
-.20.1

-[Qemu-devel] [PULL 40/46] target/arm/vfp_helper: Move code around
+Deleted patch
-From: Philippe Mathieu-Daudé <philmd@redhat.com>
-To ease the review of the next commit,
-move the vfp_exceptbits_to_host() function directly after
-vfp_exceptbits_from_host().  Amusingly the diff shows we
-are moving vfp_get_fpscr().
-Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20190701132516.26392-15-philmd@redhat.com
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/vfp_helper.c | 52 ++++++++++++++++++++---------------------
-file changed, 26 insertions(+), 26 deletions(-)
-diff --git a/target/arm/vfp_helper.c b/target/arm/vfp_helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/vfp_helper.c
-+++ b/target/arm/vfp_helper.c
-@@ -XXX,XX +XXX,XX @@ static inline int vfp_exceptbits_from_host(int host_bits)
-     return target_bits;
- }
--uint32_t HELPER(vfp_get_fpscr)(CPUARMState *env)
--{
--    uint32_t i, fpscr;
--
--    fpscr = env->vfp.xregs[ARM_VFP_FPSCR]
--            | (env->vfp.vec_len << 16)
--            | (env->vfp.vec_stride << 20);
--
--    i = get_float_exception_flags(&env->vfp.fp_status);
--    i |= get_float_exception_flags(&env->vfp.standard_fp_status);
--    /* FZ16 does not generate an input denormal exception.  */
--    i |= (get_float_exception_flags(&env->vfp.fp_status_f16)
--          & ~float_flag_input_denormal);
--    fpscr |= vfp_exceptbits_from_host(i);
--
--    i = env->vfp.qc[0] | env->vfp.qc[1] | env->vfp.qc[2] | env->vfp.qc[3];
--    fpscr |= i ? FPCR_QC : 0;
--
--    return fpscr;
--}
--
--uint32_t vfp_get_fpscr(CPUARMState *env)
--{
--    return HELPER(vfp_get_fpscr)(env);
--}
--
- /* Convert vfp exception flags to target form.  */
- static inline int vfp_exceptbits_to_host(int target_bits)
- {
-@@ -XXX,XX +XXX,XX @@ static inline int vfp_exceptbits_to_host(int target_bits)
-     return host_bits;
- }
-+uint32_t HELPER(vfp_get_fpscr)(CPUARMState *env)
-+{
-+    uint32_t i, fpscr;
-+
-+    fpscr = env->vfp.xregs[ARM_VFP_FPSCR]
-+            | (env->vfp.vec_len << 16)
-+            | (env->vfp.vec_stride << 20);
-+
-+    i = get_float_exception_flags(&env->vfp.fp_status);
-+    i |= get_float_exception_flags(&env->vfp.standard_fp_status);
-+    /* FZ16 does not generate an input denormal exception.  */
-+    i |= (get_float_exception_flags(&env->vfp.fp_status_f16)
-+          & ~float_flag_input_denormal);
-+    fpscr |= vfp_exceptbits_from_host(i);
-+
-+    i = env->vfp.qc[0] | env->vfp.qc[1] | env->vfp.qc[2] | env->vfp.qc[3];
-+    fpscr |= i ? FPCR_QC : 0;
-+
-+    return fpscr;
-+}
-+
-+uint32_t vfp_get_fpscr(CPUARMState *env)
-+{
-+    return HELPER(vfp_get_fpscr)(env);
-+}
-+
- void HELPER(vfp_set_fpscr)(CPUARMState *env, uint32_t val)
- {
-     int i;
---
-.20.1

-[Qemu-devel] [PULL 41/46] target/arm/vfp_helper: Extract vfp_set_fpscr_to_host()
+Deleted patch
-From: Philippe Mathieu-Daudé <philmd@redhat.com>
-The vfp_set_fpscr() helper contains code specific to the host
-floating point implementation (here the SoftFloat library).
-Extract this code to vfp_set_fpscr_to_host().
-Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20190701132516.26392-16-philmd@redhat.com
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/vfp_helper.c | 127 +++++++++++++++++++++-------------------
-file changed, 66 insertions(+), 61 deletions(-)
-diff --git a/target/arm/vfp_helper.c b/target/arm/vfp_helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/vfp_helper.c
-+++ b/target/arm/vfp_helper.c
-@@ -XXX,XX +XXX,XX @@ static inline int vfp_exceptbits_to_host(int target_bits)
-     return host_bits;
- }
--uint32_t HELPER(vfp_get_fpscr)(CPUARMState *env)
--{
--    uint32_t i, fpscr;
--
--    fpscr = env->vfp.xregs[ARM_VFP_FPSCR]
--            | (env->vfp.vec_len << 16)
--            | (env->vfp.vec_stride << 20);
--
--    i = get_float_exception_flags(&env->vfp.fp_status);
--    i |= get_float_exception_flags(&env->vfp.standard_fp_status);
--    /* FZ16 does not generate an input denormal exception.  */
--    i |= (get_float_exception_flags(&env->vfp.fp_status_f16)
--          & ~float_flag_input_denormal);
--    fpscr |= vfp_exceptbits_from_host(i);
--
--    i = env->vfp.qc[0] | env->vfp.qc[1] | env->vfp.qc[2] | env->vfp.qc[3];
--    fpscr |= i ? FPCR_QC : 0;
--
--    return fpscr;
--}
--
--uint32_t vfp_get_fpscr(CPUARMState *env)
--{
--    return HELPER(vfp_get_fpscr)(env);
--}
--
--void HELPER(vfp_set_fpscr)(CPUARMState *env, uint32_t val)
-+static void vfp_set_fpscr_to_host(CPUARMState *env, uint32_t val)
- {
-     int i;
-     uint32_t changed = env->vfp.xregs[ARM_VFP_FPSCR];
--    /* When ARMv8.2-FP16 is not supported, FZ16 is RES0.  */
--    if (!cpu_isar_feature(aa64_fp16, env_archcpu(env))) {
--        val &= ~FPCR_FZ16;
--    }
--
--    if (arm_feature(env, ARM_FEATURE_M)) {
--        /*
--         * M profile FPSCR is RES0 for the QC, STRIDE, FZ16, LEN bits
--         * and also for the trapped-exception-handling bits IxE.
--         */
--        val &= 0xf7c0009f;
--    }
--
--    /*
--     * We don't implement trapped exception handling, so the
--     * trap enable bits, IDE|IXE|UFE|OFE|DZE|IOE are all RAZ/WI (not RES0!)
--     *
--     * If we exclude the exception flags, IOC|DZC|OFC|UFC|IXC|IDC
--     * (which are stored in fp_status), and the other RES0 bits
--     * in between, then we clear all of the low 16 bits.
--     */
--    env->vfp.xregs[ARM_VFP_FPSCR] = val & 0xf7c80000;
--    env->vfp.vec_len = (val >> 16) & 7;
--    env->vfp.vec_stride = (val >> 20) & 3;
--
--    /*
--     * The bit we set within fpscr_q is arbitrary; the register as a
--     * whole being zero/non-zero is what counts.
--     */
--    env->vfp.qc[0] = val & FPCR_QC;
--    env->vfp.qc[1] = 0;
--    env->vfp.qc[2] = 0;
--    env->vfp.qc[3] = 0;
--
-     changed ^= val;
-     if (changed & (3 << 22)) {
-         i = (val >> 22) & 3;
-@@ -XXX,XX +XXX,XX @@ void HELPER(vfp_set_fpscr)(CPUARMState *env, uint32_t val)
-     set_float_exception_flags(0, &env->vfp.standard_fp_status);
- }
-+uint32_t HELPER(vfp_get_fpscr)(CPUARMState *env)
-+{
-+    uint32_t i, fpscr;
-+
-+    fpscr = env->vfp.xregs[ARM_VFP_FPSCR]
-+            | (env->vfp.vec_len << 16)
-+            | (env->vfp.vec_stride << 20);
-+
-+    i = get_float_exception_flags(&env->vfp.fp_status);
-+    i |= get_float_exception_flags(&env->vfp.standard_fp_status);
-+    /* FZ16 does not generate an input denormal exception.  */
-+    i |= (get_float_exception_flags(&env->vfp.fp_status_f16)
-+          & ~float_flag_input_denormal);
-+    fpscr |= vfp_exceptbits_from_host(i);
-+
-+    i = env->vfp.qc[0] | env->vfp.qc[1] | env->vfp.qc[2] | env->vfp.qc[3];
-+    fpscr |= i ? FPCR_QC : 0;
-+
-+    return fpscr;
-+}
-+
-+uint32_t vfp_get_fpscr(CPUARMState *env)
-+{
-+    return HELPER(vfp_get_fpscr)(env);
-+}
-+
-+void HELPER(vfp_set_fpscr)(CPUARMState *env, uint32_t val)
-+{
-+    /* When ARMv8.2-FP16 is not supported, FZ16 is RES0.  */
-+    if (!cpu_isar_feature(aa64_fp16, env_archcpu(env))) {
-+        val &= ~FPCR_FZ16;
-+    }
-+
-+    if (arm_feature(env, ARM_FEATURE_M)) {
-+        /*
-+         * M profile FPSCR is RES0 for the QC, STRIDE, FZ16, LEN bits
-+         * and also for the trapped-exception-handling bits IxE.
-+         */
-+        val &= 0xf7c0009f;
-+    }
-+
-+    /*
-+     * We don't implement trapped exception handling, so the
-+     * trap enable bits, IDE|IXE|UFE|OFE|DZE|IOE are all RAZ/WI (not RES0!)
-+     *
-+     * If we exclude the exception flags, IOC|DZC|OFC|UFC|IXC|IDC
-+     * (which are stored in fp_status), and the other RES0 bits
-+     * in between, then we clear all of the low 16 bits.
-+     */
-+    env->vfp.xregs[ARM_VFP_FPSCR] = val & 0xf7c80000;
-+    env->vfp.vec_len = (val >> 16) & 7;
-+    env->vfp.vec_stride = (val >> 20) & 3;
-+
-+    /*
-+     * The bit we set within fpscr_q is arbitrary; the register as a
-+     * whole being zero/non-zero is what counts.
-+     */
-+    env->vfp.qc[0] = val & FPCR_QC;
-+    env->vfp.qc[1] = 0;
-+    env->vfp.qc[2] = 0;
-+    env->vfp.qc[3] = 0;
-+
-+    vfp_set_fpscr_to_host(env, val);
-+}
-+
- void vfp_set_fpscr(CPUARMState *env, uint32_t val)
- {
-     HELPER(vfp_set_fpscr)(env, val);
---
-.20.1

-[Qemu-devel] [PULL 44/46] target/arm: Restrict PSCI to TCG
+Deleted patch
-From: Philippe Mathieu-Daudé <philmd@redhat.com>
-Under KVM, the kernel gets the HVC call and handle the PSCI requests.
-Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20190701132516.26392-20-philmd@redhat.com
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/internals.h | 6 +++++-
-file changed, 5 insertions(+), 1 deletion(-)
-diff --git a/target/arm/internals.h b/target/arm/internals.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/internals.h
-+++ b/target/arm/internals.h
-@@ -XXX,XX +XXX,XX @@ vaddr arm_adjust_watchpoint_address(CPUState *cs, vaddr addr, int len);
- /* Callback function for when a watchpoint or breakpoint triggers. */
- void arm_debug_excp_handler(CPUState *cs);
--#ifdef CONFIG_USER_ONLY
-+#if defined(CONFIG_USER_ONLY) || !defined(CONFIG_TCG)
- static inline bool arm_is_psci_call(ARMCPU *cpu, int excp_type)
- {
-     return false;
- }
-+static inline void arm_handle_psci_call(ARMCPU *cpu)
-+{
-+    g_assert_not_reached();
-+}
- #else
- /* Return true if the r0/x0 value indicates that this SMC/HVC is a PSCI call. */
- bool arm_is_psci_call(ARMCPU *cpu, int excp_type);
---
-.20.1

target-arm queue for softfreeze: this is quite big as I
was on holiday last week, so this is all just sneaking in
under the wire. I particularly wanted to get Philippe's
patches in before freeze as that sort of code-movement
patchset is painful to have to rebase.

thanks
-- PMM

The following changes since commit ae9108f8f0746ce64d02afb1a216153a50926132:

Merge remote-tracking branch 'remotes/vivier2/tags/linux-user-for-4.1-pull-request' into staging (2019-07-01 15:55:40 +0100)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20190701

for you to fetch changes up to 787a7e76c2e93a48c47b324fea592c9910a70483:

target/arm: Declare some M-profile functions publicly (2019-07-01 17:29:01 +0100)

----------------------------------------------------------------
target-arm queue:
 * hw/arm/boot: fix direct kernel boot with initrd
 * hw/arm/msf2-som: Exit when the cpu is not the expected one
 * i.mx7: fix bugs in PCI controller needed to boot recent kernels
 * aspeed: add RTC device
 * aspeed: fix some timer device bugs
 * aspeed: add swift-bmc board
 * aspeed: vic: Add support for legacy register interface
 * aspeed: add aspeed-xdma device
 * Add new sbsa-ref board for aarch64
 * target/arm: code refactoring in preparation for support of
   compilation with TCG disabled

----------------------------------------------------------------
Adriana Kobylak (1):
      aspeed: Add support for the swift-bmc board

Andrew Jeffery (3):
      aspeed/timer: Status register contains reload for stopped timer
      aspeed/timer: Fix match calculations
      aspeed: vic: Add support for legacy register interface

Andrew Jones (1):
      hw/arm/boot: fix direct kernel boot with initrd

Andrey Smirnov (5):
      i.mx7d: Add no-op/unimplemented APBH DMA module
      i.mx7d: Add no-op/unimplemented PCIE PHY IP block
      pci: designware: Update MSI mapping unconditionally
      pci: designware: Update MSI mapping when MSI address changes
      i.mx7d: pci: Update PCI IRQ mapping to match HW

Christian Svensson (1):
      aspeed/timer: Ensure positive muldiv delta

Cédric Le Goater (7):
      aspeed: add a per SoC mapping for the interrupt space
      aspeed: add a per SoC mapping for the memory space
      aspeed: introduce a configurable number of CPU per machine
      aspeed: add support for multiple NICs
      aspeed: remove the "ram" link
      aspeed: add a RAM memory region container
      aspeed/smc: add a 'sdram_base' property

Eddie James (1):
      hw/misc/aspeed_xdma: New device

Hongbo Zhang (2):
      hw/arm: Add arm SBSA reference machine, skeleton part
      hw/arm: Add arm SBSA reference machine, devices part

Jan Kiszka (1):
      hw/arm/virt: Add support for Cortex-A7

Joel Stanley (4):
      hw: timer: Add ASPEED RTC device
      hw/arm/aspeed: Add RTC to SoC
      aspeed/timer: Fix behaviour running Linux
      aspeed: Link SCU to the watchdog

Philippe Mathieu-Daudé (19):
      hw/arm/msf2-som: Exit when the cpu is not the expected one
      target/arm: Makefile cleanup (Aarch64)
      target/arm: Makefile cleanup (ARM)
      target/arm: Makefile cleanup (KVM)
      target/arm: Makefile cleanup (softmmu)
      target/arm: Add copyright boilerplate
      target/arm/helper: Remove unused include
      target/arm: Fix multiline comment syntax
      target/arm: Fix coding style issues
      target/arm: Move CPU state dumping routines to cpu.c
      target/arm: Declare get_phys_addr() function publicly
      target/arm: Move TLB related routines to tlb_helper.c
      target/arm/vfp_helper: Move code around
      target/arm/vfp_helper: Extract vfp_set_fpscr_to_host()
      target/arm/vfp_helper: Extract vfp_set_fpscr_from_host()
      target/arm/vfp_helper: Restrict the SoftFloat use to TCG
      target/arm: Restrict PSCI to TCG
      target/arm: Declare arm_log_exception() function publicly
      target/arm: Declare some M-profile functions publicly

Samuel Ortiz (1):
      target/arm: Move the DC ZVA helper into op_helper

From: Andrew Jones <drjones@redhat.com>

Fix the condition used to check whether the initrd fits
into RAM; in some cases if an initrd was also passed on
the command line we would get an error stating that it
was too big to fit into RAM after the kernel. Despite the
error the loader continued anyway, though, so also add an
exit(1) when the initrd is actually too big.

Fixes: 852dc64d665f ("hw/arm/boot: Diagnose layouts that put initrd or
DTB off the end of RAM")
Signed-off-by: Andrew Jones <drjones@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190618125844.4863-1-drjones@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/boot.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/arm/boot.c b/hw/arm/boot.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/boot.c
+++ b/hw/arm/boot.c
@@ -XXX,XX +XXX,XX @@ static void arm_setup_direct_kernel_boot(ARMCPU *cpu,
                              info->initrd_filename);
                 exit(1);
             }
-            if (info->initrd_start + initrd_size > info->ram_size) {
+            if (info->initrd_start + initrd_size > ram_end) {
                 error_report("could not load initrd '%s': "
                              "too big to fit into RAM after the kernel",
                              info->initrd_filename);
+                exit(1);
             }
         } else {
             initrd_size = 0;
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

This machine correctly defines its default_cpu_type to cortex-m3
and report an error if the user requested another cpu_type,
however it does not exit, and this can confuse users trying
to use another core:

$ qemu-system-arm -M emcraft-sf2 -cpu cortex-m4 -kernel test-m4.elf
  qemu-system-arm: This board can only be used with CPU cortex-m3-arm-cpu
  [output related to M3 core ...]

The CPU is indeed a M3 core:

(qemu) info qom-tree
  /machine (emcraft-sf2-machine)
    /unattached (container)
      /device[0] (msf2-soc)
        /armv7m (armv7m)
          /cpu (cortex-m3-arm-cpu)

Add the missing exit() call to return to the shell.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
Message-id: 20190617160136.29930-1-philmd@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/msf2-som.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/arm/msf2-som.c b/hw/arm/msf2-som.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/msf2-som.c
+++ b/hw/arm/msf2-som.c
@@ -XXX,XX +XXX,XX @@ static void emcraft_sf2_s2s010_init(MachineState *machine)
     if (strcmp(machine->cpu_type, mc->default_cpu_type) != 0) {
         error_report("This board can only be used with CPU %s",
                      mc->default_cpu_type);
+        exit(1);
     }
 
     memory_region_init_ram(ddr, NULL, "ddr-ram", DDR_SIZE,
-- 
2.20.1

From: Andrey Smirnov <andrew.smirnov@gmail.com>

Instantiate no-op APBH DMA module. Needed to boot latest Linux kernel.

Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/arm/fsl-imx7.h | 3 +++
 hw/arm/fsl-imx7.c         | 6 ++++++
 2 files changed, 9 insertions(+)

diff --git a/include/hw/arm/fsl-imx7.h b/include/hw/arm/fsl-imx7.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/fsl-imx7.h
+++ b/include/hw/arm/fsl-imx7.h
@@ -XXX,XX +XXX,XX @@ enum FslIMX7MemoryMap {
     FSL_IMX7_PCIE_REG_SIZE        = 16 * 1024,
 
     FSL_IMX7_GPR_ADDR             = 0x30340000,
+
+    FSL_IMX7_DMA_APBH_ADDR        = 0x33000000,
+    FSL_IMX7_DMA_APBH_SIZE        = 0x2000,
 };
 
 enum FslIMX7IRQs {
diff --git a/hw/arm/fsl-imx7.c b/hw/arm/fsl-imx7.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/fsl-imx7.c
+++ b/hw/arm/fsl-imx7.c
@@ -XXX,XX +XXX,XX @@ static void fsl_imx7_realize(DeviceState *dev, Error **errp)
      */
     create_unimplemented_device("lcdif", FSL_IMX7_LCDIF_ADDR,
                                 FSL_IMX7_LCDIF_SIZE);
+
+    /*
+     * DMA APBH
+     */
+    create_unimplemented_device("dma-apbh", FSL_IMX7_DMA_APBH_ADDR,
+                                FSL_IMX7_DMA_APBH_SIZE);
 }
 
 static void fsl_imx7_class_init(ObjectClass *oc, void *data)
-- 
2.20.1

From: Andrey Smirnov <andrew.smirnov@gmail.com>

Add no-op/unimplemented PCIE PHY IP block. Needed by new kernels to
use PCIE.

Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/arm/fsl-imx7.h | 3 +++
 hw/arm/fsl-imx7.c         | 5 +++++
 2 files changed, 8 insertions(+)

diff --git a/include/hw/arm/fsl-imx7.h b/include/hw/arm/fsl-imx7.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/fsl-imx7.h
+++ b/include/hw/arm/fsl-imx7.h
@@ -XXX,XX +XXX,XX @@ enum FslIMX7MemoryMap {
     FSL_IMX7_ADC2_ADDR            = 0x30620000,
     FSL_IMX7_ADCn_SIZE            = 0x1000,
 
+    FSL_IMX7_PCIE_PHY_ADDR        = 0x306D0000,
+    FSL_IMX7_PCIE_PHY_SIZE        = 0x10000,
+
     FSL_IMX7_GPC_ADDR             = 0x303A0000,
 
     FSL_IMX7_I2C1_ADDR            = 0x30A20000,
diff --git a/hw/arm/fsl-imx7.c b/hw/arm/fsl-imx7.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/fsl-imx7.c
+++ b/hw/arm/fsl-imx7.c
@@ -XXX,XX +XXX,XX @@ static void fsl_imx7_realize(DeviceState *dev, Error **errp)
      */
     create_unimplemented_device("dma-apbh", FSL_IMX7_DMA_APBH_ADDR,
                                 FSL_IMX7_DMA_APBH_SIZE);
+    /*
+     * PCIe PHY
+     */
+    create_unimplemented_device("pcie-phy", FSL_IMX7_PCIE_PHY_ADDR,
+                                FSL_IMX7_PCIE_PHY_SIZE);
 }
 
 static void fsl_imx7_class_init(ObjectClass *oc, void *data)
-- 
2.20.1

From: Andrey Smirnov <andrew.smirnov@gmail.com>

Expression to calculate update_msi_mapping in code handling writes to
DESIGNWARE_PCIE_MSI_INTR0_ENABLE is missing an ! operator and should
be:

!!root->msi.intr[0].enable ^ !!val;

so that MSI mapping is updated when enabled transitions from either
"none" -> "any" or "any" -> "none". Since that register shouldn't be
written to very often, change the code to update MSI mapping
unconditionally instead of trying to fix the update_msi_mapping logic.

Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/pci-host/designware.c | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/hw/pci-host/designware.c b/hw/pci-host/designware.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/pci-host/designware.c
+++ b/hw/pci-host/designware.c
@@ -XXX,XX +XXX,XX @@ static void designware_pcie_root_config_write(PCIDevice *d, uint32_t address,
         root->msi.base |= (uint64_t)val << 32;
         break;
 
-    case DESIGNWARE_PCIE_MSI_INTR0_ENABLE: {
-        const bool update_msi_mapping = !root->msi.intr[0].enable ^ !!val;
-
+    case DESIGNWARE_PCIE_MSI_INTR0_ENABLE:
         root->msi.intr[0].enable = val;
-
-        if (update_msi_mapping) {
-            designware_pcie_root_update_msi_mapping(root);
-        }
+        designware_pcie_root_update_msi_mapping(root);
         break;
-    }
 
     case DESIGNWARE_PCIE_MSI_INTR0_MASK:
         root->msi.intr[0].mask = val;
-- 
2.20.1

From: Andrey Smirnov <andrew.smirnov@gmail.com>

MSI mapping needs to be update when MSI address changes, so add the
code to do so.

Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/pci-host/designware.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/hw/pci-host/designware.c b/hw/pci-host/designware.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/pci-host/designware.c
+++ b/hw/pci-host/designware.c
@@ -XXX,XX +XXX,XX @@ static void designware_pcie_root_config_write(PCIDevice *d, uint32_t address,
     case DESIGNWARE_PCIE_MSI_ADDR_LO:
         root->msi.base &= 0xFFFFFFFF00000000ULL;
         root->msi.base |= val;
+        designware_pcie_root_update_msi_mapping(root);
         break;
 
     case DESIGNWARE_PCIE_MSI_ADDR_HI:
         root->msi.base &= 0x00000000FFFFFFFFULL;
         root->msi.base |= (uint64_t)val << 32;
+        designware_pcie_root_update_msi_mapping(root);
         break;
 
     case DESIGNWARE_PCIE_MSI_INTR0_ENABLE:
-- 
2.20.1

From: Andrey Smirnov <andrew.smirnov@gmail.com>

Datasheet for i.MX7 is incorrect and i.MX7's PCI IRQ mapping matches
that of i.MX6:

* INTD/MSI    122
    * INTC        123
    * INTB        124
    * INTA        125

Fix all of the relevant code to reflect that fact. Needed by latest
Linux kernels.

(Reference: Linux kernel commit 538d6e9d597584e80 from an
NXP employee confirming that the datasheet is incorrect and
with a report of a test against hardware.)

Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: qemu-devel@nongnu.org
Cc: qemu-arm@nongnu.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
[PMM: added ref to kernel commit confirming the datasheet error]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/arm/fsl-imx7.h | 8 ++++----
 hw/pci-host/designware.c  | 6 ++++--
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/include/hw/arm/fsl-imx7.h b/include/hw/arm/fsl-imx7.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/fsl-imx7.h
+++ b/include/hw/arm/fsl-imx7.h
@@ -XXX,XX +XXX,XX @@ enum FslIMX7IRQs {
     FSL_IMX7_USB2_IRQ     = 42,
     FSL_IMX7_USB3_IRQ     = 40,
 
-    FSL_IMX7_PCI_INTA_IRQ = 122,
-    FSL_IMX7_PCI_INTB_IRQ = 123,
-    FSL_IMX7_PCI_INTC_IRQ = 124,
-    FSL_IMX7_PCI_INTD_IRQ = 125,
+    FSL_IMX7_PCI_INTA_IRQ = 125,
+    FSL_IMX7_PCI_INTB_IRQ = 124,
+    FSL_IMX7_PCI_INTC_IRQ = 123,
+    FSL_IMX7_PCI_INTD_IRQ = 122,
 
     FSL_IMX7_UART7_IRQ    = 126,
 
diff --git a/hw/pci-host/designware.c b/hw/pci-host/designware.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/pci-host/designware.c
+++ b/hw/pci-host/designware.c
@@ -XXX,XX +XXX,XX @@
 #define DESIGNWARE_PCIE_ATU_DEVFN(x)               (((x) >> 16) & 0xff)
 #define DESIGNWARE_PCIE_ATU_UPPER_TARGET           0x91C
 
+#define DESIGNWARE_PCIE_IRQ_MSI                    3
+
 static DesignwarePCIEHost *
 designware_pcie_root_to_host(DesignwarePCIERoot *root)
 {
@@ -XXX,XX +XXX,XX @@ static void designware_pcie_root_msi_write(void *opaque, hwaddr addr,
     root->msi.intr[0].status |= BIT(val) & root->msi.intr[0].enable;
 
     if (root->msi.intr[0].status & ~root->msi.intr[0].mask) {
-        qemu_set_irq(host->pci.irqs[0], 1);
+        qemu_set_irq(host->pci.irqs[DESIGNWARE_PCIE_IRQ_MSI], 1);
     }
 }
 
@@ -XXX,XX +XXX,XX @@ static void designware_pcie_root_config_write(PCIDevice *d, uint32_t address,
     case DESIGNWARE_PCIE_MSI_INTR0_STATUS:
         root->msi.intr[0].status ^= val;
         if (!root->msi.intr[0].status) {
-            qemu_set_irq(host->pci.irqs[0], 0);
+            qemu_set_irq(host->pci.irqs[DESIGNWARE_PCIE_IRQ_MSI], 0);
         }
         break;
 
-- 
2.20.1

From: Cédric Le Goater <clg@kaod.org>

This will simplify the definition of new SoCs, like the AST2600 which
should use a different CPU and a different IRQ number layout.

Signed-off-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Joel Stanley <joel@jms.id.au>
Message-id: 20190618165311.27066-2-clg@kaod.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/arm/aspeed_soc.h | 36 +++++++++++++++++++++++
 hw/arm/aspeed_soc.c         | 57 +++++++++++++++++++++++++++++++------
 2 files changed, 85 insertions(+), 8 deletions(-)

From: Cédric Le Goater <clg@kaod.org>

This will simplify the definition of new SoCs, like the AST2600 which
should use a slightly different address space and have a different set
of controllers.

Signed-off-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Joel Stanley <joel@jms.id.au>
Message-id: 20190618165311.27066-3-clg@kaod.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/arm/aspeed_soc.h |   4 +-
 hw/arm/aspeed.c             |   8 +--
 hw/arm/aspeed_soc.c         | 117 ++++++++++++++++++++++--------------
 3 files changed, 78 insertions(+), 51 deletions(-)

diff --git a/include/hw/arm/aspeed_soc.h b/include/hw/arm/aspeed_soc.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/aspeed_soc.h
+++ b/include/hw/arm/aspeed_soc.h
@@ -XXX,XX +XXX,XX @@ typedef struct AspeedSoCInfo {
     const char *name;
     const char *cpu_type;
     uint32_t silicon_rev;
-    hwaddr sdram_base;
     uint64_t sram_size;
     int spis_num;
-    const hwaddr *spi_bases;
     const char *fmc_typename;
     const char **spi_typename;
     int wdts_num;
     const int *irqmap;
+    const hwaddr *memmap;
 } AspeedSoCInfo;
 
 typedef struct AspeedSoCClass {
@@ -XXX,XX +XXX,XX @@ enum {
     ASPEED_I2C,
     ASPEED_ETH1,
     ASPEED_ETH2,
+    ASPEED_SDRAM,
 };
 
 #endif /* ASPEED_SOC_H */
diff --git a/hw/arm/aspeed.c b/hw/arm/aspeed.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/aspeed.c
+++ b/hw/arm/aspeed.c
@@ -XXX,XX +XXX,XX @@ static void aspeed_board_init(MachineState *machine,
                                         &error_abort);
 
     memory_region_allocate_system_memory(&bmc->ram, NULL, "ram", ram_size);
-    memory_region_add_subregion(get_system_memory(), sc->info->sdram_base,
-                                &bmc->ram);
+    memory_region_add_subregion(get_system_memory(),
+                                sc->info->memmap[ASPEED_SDRAM], &bmc->ram);
     object_property_add_const_link(OBJECT(&bmc->soc), "ram", OBJECT(&bmc->ram),
                                    &error_abort);
 
@@ -XXX,XX +XXX,XX @@ static void aspeed_board_init(MachineState *machine,
     memory_region_init_io(&bmc->max_ram, NULL, &max_ram_ops, NULL,
                           "max_ram", max_ram_size  - ram_size);
     memory_region_add_subregion(get_system_memory(),
-                                sc->info->sdram_base + ram_size,
+                                sc->info->memmap[ASPEED_SDRAM] + ram_size,
                                 &bmc->max_ram);
 
     aspeed_board_init_flashes(&bmc->soc.fmc, cfg->fmc_model, &error_abort);
@@ -XXX,XX +XXX,XX @@ static void aspeed_board_init(MachineState *machine,
     aspeed_board_binfo.initrd_filename = machine->initrd_filename;
     aspeed_board_binfo.kernel_cmdline = machine->kernel_cmdline;
     aspeed_board_binfo.ram_size = ram_size;
-    aspeed_board_binfo.loader_start = sc->info->sdram_base;
+    aspeed_board_binfo.loader_start = sc->info->memmap[ASPEED_SDRAM];
 
     if (cfg->i2c_init) {
         cfg->i2c_init(bmc);
diff --git a/hw/arm/aspeed_soc.c b/hw/arm/aspeed_soc.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/aspeed_soc.c
+++ b/hw/arm/aspeed_soc.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/i2c/aspeed_i2c.h"
 #include "net/net.h"
 
-#define ASPEED_SOC_UART_5_BASE      0x00184000
 #define ASPEED_SOC_IOMEM_SIZE       0x00200000
-#define ASPEED_SOC_IOMEM_BASE       0x1E600000
-#define ASPEED_SOC_FMC_BASE         0x1E620000
-#define ASPEED_SOC_SPI_BASE         0x1E630000
-#define ASPEED_SOC_SPI2_BASE        0x1E631000
-#define ASPEED_SOC_VIC_BASE         0x1E6C0000
-#define ASPEED_SOC_SDMC_BASE        0x1E6E0000
-#define ASPEED_SOC_SCU_BASE         0x1E6E2000
-#define ASPEED_SOC_SRAM_BASE        0x1E720000
-#define ASPEED_SOC_TIMER_BASE       0x1E782000
-#define ASPEED_SOC_WDT_BASE         0x1E785000
-#define ASPEED_SOC_I2C_BASE         0x1E78A000
-#define ASPEED_SOC_ETH1_BASE        0x1E660000
-#define ASPEED_SOC_ETH2_BASE        0x1E680000
+
+static const hwaddr aspeed_soc_ast2400_memmap[] = {
+    [ASPEED_IOMEM]  = 0x1E600000,
+    [ASPEED_FMC]    = 0x1E620000,
+    [ASPEED_SPI1]   = 0x1E630000,
+    [ASPEED_VIC]    = 0x1E6C0000,
+    [ASPEED_SDMC]   = 0x1E6E0000,
+    [ASPEED_SCU]    = 0x1E6E2000,
+    [ASPEED_ADC]    = 0x1E6E9000,
+    [ASPEED_SRAM]   = 0x1E720000,
+    [ASPEED_GPIO]   = 0x1E780000,
+    [ASPEED_RTC]    = 0x1E781000,
+    [ASPEED_TIMER1] = 0x1E782000,
+    [ASPEED_WDT]    = 0x1E785000,
+    [ASPEED_PWM]    = 0x1E786000,
+    [ASPEED_LPC]    = 0x1E789000,
+    [ASPEED_IBT]    = 0x1E789140,
+    [ASPEED_I2C]    = 0x1E78A000,
+    [ASPEED_ETH1]   = 0x1E660000,
+    [ASPEED_ETH2]   = 0x1E680000,
+    [ASPEED_UART1]  = 0x1E783000,
+    [ASPEED_UART5]  = 0x1E784000,
+    [ASPEED_VUART]  = 0x1E787000,
+    [ASPEED_SDRAM]  = 0x40000000,
+};
+
+static const hwaddr aspeed_soc_ast2500_memmap[] = {
+    [ASPEED_IOMEM]  = 0x1E600000,
+    [ASPEED_FMC]    = 0x1E620000,
+    [ASPEED_SPI1]   = 0x1E630000,
+    [ASPEED_SPI2]   = 0x1E631000,
+    [ASPEED_VIC]    = 0x1E6C0000,
+    [ASPEED_SDMC]   = 0x1E6E0000,
+    [ASPEED_SCU]    = 0x1E6E2000,
+    [ASPEED_ADC]    = 0x1E6E9000,
+    [ASPEED_SRAM]   = 0x1E720000,
+    [ASPEED_GPIO]   = 0x1E780000,
+    [ASPEED_RTC]    = 0x1E781000,
+    [ASPEED_TIMER1] = 0x1E782000,
+    [ASPEED_WDT]    = 0x1E785000,
+    [ASPEED_PWM]    = 0x1E786000,
+    [ASPEED_LPC]    = 0x1E789000,
+    [ASPEED_IBT]    = 0x1E789140,
+    [ASPEED_I2C]    = 0x1E78A000,
+    [ASPEED_ETH1]   = 0x1E660000,
+    [ASPEED_ETH2]   = 0x1E680000,
+    [ASPEED_UART1]  = 0x1E783000,
+    [ASPEED_UART5]  = 0x1E784000,
+    [ASPEED_VUART]  = 0x1E787000,
+    [ASPEED_SDRAM]  = 0x80000000,
+};
 
 static const int aspeed_soc_ast2400_irqmap[] = {
     [ASPEED_UART1]  = 9,
@@ -XXX,XX +XXX,XX @@ static const int aspeed_soc_ast2400_irqmap[] = {
     [ASPEED_ETH2]   = 3,
 };
 
-#define AST2400_SDRAM_BASE       0x40000000
-#define AST2500_SDRAM_BASE       0x80000000
-
-/* AST2500 uses the same IRQs as the AST2400 */
 #define aspeed_soc_ast2500_irqmap aspeed_soc_ast2400_irqmap
 
-static const hwaddr aspeed_soc_ast2400_spi_bases[] = { ASPEED_SOC_SPI_BASE };
 static const char *aspeed_soc_ast2400_typenames[] = { "aspeed.smc.spi" };
-
-static const hwaddr aspeed_soc_ast2500_spi_bases[] = { ASPEED_SOC_SPI_BASE,
-                                                       ASPEED_SOC_SPI2_BASE};
 static const char *aspeed_soc_ast2500_typenames[] = {
     "aspeed.smc.ast2500-spi1", "aspeed.smc.ast2500-spi2" };
 
@@ -XXX,XX +XXX,XX @@ static const AspeedSoCInfo aspeed_socs[] = {
         .name         = "ast2400-a0",
         .cpu_type     = ARM_CPU_TYPE_NAME("arm926"),
         .silicon_rev  = AST2400_A0_SILICON_REV,
-        .sdram_base   = AST2400_SDRAM_BASE,
         .sram_size    = 0x8000,
         .spis_num     = 1,
-        .spi_bases    = aspeed_soc_ast2400_spi_bases,
         .fmc_typename = "aspeed.smc.fmc",
         .spi_typename = aspeed_soc_ast2400_typenames,
         .wdts_num     = 2,
         .irqmap       = aspeed_soc_ast2400_irqmap,
+        .memmap       = aspeed_soc_ast2400_memmap,
     }, {
         .name         = "ast2400-a1",
         .cpu_type     = ARM_CPU_TYPE_NAME("arm926"),
         .silicon_rev  = AST2400_A1_SILICON_REV,
-        .sdram_base   = AST2400_SDRAM_BASE,
         .sram_size    = 0x8000,
         .spis_num     = 1,
-        .spi_bases    = aspeed_soc_ast2400_spi_bases,
         .fmc_typename = "aspeed.smc.fmc",
         .spi_typename = aspeed_soc_ast2400_typenames,
         .wdts_num     = 2,
         .irqmap       = aspeed_soc_ast2400_irqmap,
+        .memmap       = aspeed_soc_ast2400_memmap,
     }, {
         .name         = "ast2400",
         .cpu_type     = ARM_CPU_TYPE_NAME("arm926"),
         .silicon_rev  = AST2400_A0_SILICON_REV,
-        .sdram_base   = AST2400_SDRAM_BASE,
         .sram_size    = 0x8000,
         .spis_num     = 1,
-        .spi_bases    = aspeed_soc_ast2400_spi_bases,
         .fmc_typename = "aspeed.smc.fmc",
         .spi_typename = aspeed_soc_ast2400_typenames,
         .wdts_num     = 2,
         .irqmap       = aspeed_soc_ast2400_irqmap,
+        .memmap       = aspeed_soc_ast2400_memmap,
     }, {
         .name         = "ast2500-a1",
         .cpu_type     = ARM_CPU_TYPE_NAME("arm1176"),
         .silicon_rev  = AST2500_A1_SILICON_REV,
-        .sdram_base   = AST2500_SDRAM_BASE,
         .sram_size    = 0x9000,
         .spis_num     = 2,
-        .spi_bases    = aspeed_soc_ast2500_spi_bases,
         .fmc_typename = "aspeed.smc.ast2500-fmc",
         .spi_typename = aspeed_soc_ast2500_typenames,
         .wdts_num     = 3,
         .irqmap       = aspeed_soc_ast2500_irqmap,
+        .memmap       = aspeed_soc_ast2500_memmap,
     },
 };
 
@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_realize(DeviceState *dev, Error **errp)
     Error *err = NULL, *local_err = NULL;
 
     /* IO space */
-    create_unimplemented_device("aspeed_soc.io",
-                                ASPEED_SOC_IOMEM_BASE, ASPEED_SOC_IOMEM_SIZE);
+    create_unimplemented_device("aspeed_soc.io", sc->info->memmap[ASPEED_IOMEM],
+                                ASPEED_SOC_IOMEM_SIZE);
 
     /* CPU */
     object_property_set_bool(OBJECT(&s->cpu), true, "realized", &err);
@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_realize(DeviceState *dev, Error **errp)
         error_propagate(errp, err);
         return;
     }
-    memory_region_add_subregion(get_system_memory(), ASPEED_SOC_SRAM_BASE,
-                                &s->sram);
+    memory_region_add_subregion(get_system_memory(),
+                                sc->info->memmap[ASPEED_SRAM], &s->sram);
 
     /* SCU */
     object_property_set_bool(OBJECT(&s->scu), true, "realized", &err);
@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_realize(DeviceState *dev, Error **errp)
         error_propagate(errp, err);
         return;
     }
-    sysbus_mmio_map(SYS_BUS_DEVICE(&s->scu), 0, ASPEED_SOC_SCU_BASE);
+    sysbus_mmio_map(SYS_BUS_DEVICE(&s->scu), 0, sc->info->memmap[ASPEED_SCU]);
 
     /* VIC */
     object_property_set_bool(OBJECT(&s->vic), true, "realized", &err);
@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_realize(DeviceState *dev, Error **errp)
         error_propagate(errp, err);
         return;
     }
-    sysbus_mmio_map(SYS_BUS_DEVICE(&s->vic), 0, ASPEED_SOC_VIC_BASE);
+    sysbus_mmio_map(SYS_BUS_DEVICE(&s->vic), 0, sc->info->memmap[ASPEED_VIC]);
     sysbus_connect_irq(SYS_BUS_DEVICE(&s->vic), 0,
                        qdev_get_gpio_in(DEVICE(&s->cpu), ARM_CPU_IRQ));
     sysbus_connect_irq(SYS_BUS_DEVICE(&s->vic), 1,
@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_realize(DeviceState *dev, Error **errp)
         error_propagate(errp, err);
         return;
     }
-    sysbus_mmio_map(SYS_BUS_DEVICE(&s->timerctrl), 0, ASPEED_SOC_TIMER_BASE);
+    sysbus_mmio_map(SYS_BUS_DEVICE(&s->timerctrl), 0,
+                    sc->info->memmap[ASPEED_TIMER1]);
     for (i = 0; i < ASPEED_TIMER_NR_TIMERS; i++) {
         qemu_irq irq = aspeed_soc_get_irq(s, ASPEED_TIMER1 + i);
         sysbus_connect_irq(SYS_BUS_DEVICE(&s->timerctrl), i, irq);
@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_realize(DeviceState *dev, Error **errp)
     /* UART - attach an 8250 to the IO space as our UART5 */
     if (serial_hd(0)) {
         qemu_irq uart5 = aspeed_soc_get_irq(s, ASPEED_UART5);
-        serial_mm_init(get_system_memory(),
-                       ASPEED_SOC_IOMEM_BASE + ASPEED_SOC_UART_5_BASE, 2,
+        serial_mm_init(get_system_memory(), sc->info->memmap[ASPEED_UART5], 2,
                        uart5, 38400, serial_hd(0), DEVICE_LITTLE_ENDIAN);
     }
 
@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_realize(DeviceState *dev, Error **errp)
         error_propagate(errp, err);
         return;
     }
-    sysbus_mmio_map(SYS_BUS_DEVICE(&s->i2c), 0, ASPEED_SOC_I2C_BASE);
+    sysbus_mmio_map(SYS_BUS_DEVICE(&s->i2c), 0, sc->info->memmap[ASPEED_I2C]);
     sysbus_connect_irq(SYS_BUS_DEVICE(&s->i2c), 0,
                        aspeed_soc_get_irq(s, ASPEED_I2C));
 
@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_realize(DeviceState *dev, Error **errp)
         error_propagate(errp, err);
         return;
     }
-    sysbus_mmio_map(SYS_BUS_DEVICE(&s->fmc), 0, ASPEED_SOC_FMC_BASE);
+    sysbus_mmio_map(SYS_BUS_DEVICE(&s->fmc), 0, sc->info->memmap[ASPEED_FMC]);
     sysbus_mmio_map(SYS_BUS_DEVICE(&s->fmc), 1,
                     s->fmc.ctrl->flash_window_base);
     sysbus_connect_irq(SYS_BUS_DEVICE(&s->fmc), 0,
@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_realize(DeviceState *dev, Error **errp)
             error_propagate(errp, err);
             return;
         }
-        sysbus_mmio_map(SYS_BUS_DEVICE(&s->spi[i]), 0, sc->info->spi_bases[i]);
+        sysbus_mmio_map(SYS_BUS_DEVICE(&s->spi[i]), 0,
+                        sc->info->memmap[ASPEED_SPI1 + i]);
         sysbus_mmio_map(SYS_BUS_DEVICE(&s->spi[i]), 1,
                         s->spi[i].ctrl->flash_window_base);
     }
@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_realize(DeviceState *dev, Error **errp)
         error_propagate(errp, err);
         return;
     }
-    sysbus_mmio_map(SYS_BUS_DEVICE(&s->sdmc), 0, ASPEED_SOC_SDMC_BASE);
+    sysbus_mmio_map(SYS_BUS_DEVICE(&s->sdmc), 0, sc->info->memmap[ASPEED_SDMC]);
 
     /* Watch dog */
     for (i = 0; i < sc->info->wdts_num; i++) {
@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_realize(DeviceState *dev, Error **errp)
             return;
         }
         sysbus_mmio_map(SYS_BUS_DEVICE(&s->wdt[i]), 0,
-                        ASPEED_SOC_WDT_BASE + i * 0x20);
+                        sc->info->memmap[ASPEED_WDT] + i * 0x20);
     }
 
     /* Net */
@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_realize(DeviceState *dev, Error **errp)
         error_propagate(errp, err);
         return;
     }
-    sysbus_mmio_map(SYS_BUS_DEVICE(&s->ftgmac100), 0, ASPEED_SOC_ETH1_BASE);
+    sysbus_mmio_map(SYS_BUS_DEVICE(&s->ftgmac100), 0,
+                    sc->info->memmap[ASPEED_ETH1]);
     sysbus_connect_irq(SYS_BUS_DEVICE(&s->ftgmac100), 0,
                        aspeed_soc_get_irq(s, ASPEED_ETH1));
 }
-- 
2.20.1

From: Joel Stanley <joel@jms.id.au>

The RTC is modeled to provide time and date functionality. It is
initialised at zero to match the hardware.

There is no modelling of the alarm functionality, which includes the IRQ
line. As there is no guest code to exercise this function that is
acceptable for now.

Signed-off-by: Joel Stanley <joel@jms.id.au>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20190618165311.27066-4-clg@kaod.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/timer/Makefile.objs        |   2 +-
 include/hw/timer/aspeed_rtc.h |  31 ++++++
 hw/timer/aspeed_rtc.c         | 180 ++++++++++++++++++++++++++++++++++
 hw/timer/trace-events         |   4 +
 4 files changed, 216 insertions(+), 1 deletion(-)
 create mode 100644 include/hw/timer/aspeed_rtc.h
 create mode 100644 hw/timer/aspeed_rtc.c

diff --git a/hw/timer/Makefile.objs b/hw/timer/Makefile.objs
index XXXXXXX..XXXXXXX 100644
--- a/hw/timer/Makefile.objs
+++ b/hw/timer/Makefile.objs
@@ -XXX,XX +XXX,XX @@ obj-$(CONFIG_MC146818RTC) += mc146818rtc.o
 obj-$(CONFIG_ALLWINNER_A10_PIT) += allwinner-a10-pit.o
 
 common-obj-$(CONFIG_STM32F2XX_TIMER) += stm32f2xx_timer.o
-common-obj-$(CONFIG_ASPEED_SOC) += aspeed_timer.o
+common-obj-$(CONFIG_ASPEED_SOC) += aspeed_timer.o aspeed_rtc.o
 
 common-obj-$(CONFIG_SUN4V_RTC) += sun4v-rtc.o
 common-obj-$(CONFIG_CMSDK_APB_TIMER) += cmsdk-apb-timer.o
diff --git a/include/hw/timer/aspeed_rtc.h b/include/hw/timer/aspeed_rtc.h
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/include/hw/timer/aspeed_rtc.h
@@ -XXX,XX +XXX,XX @@
+/*
+ * ASPEED Real Time Clock
+ * Joel Stanley <joel@jms.id.au>
+ *
+ * Copyright 2019 IBM Corp
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+#ifndef ASPEED_RTC_H
+#define ASPEED_RTC_H
+
+#include <stdint.h>
+
+#include "hw/hw.h"
+#include "hw/irq.h"
+#include "hw/sysbus.h"
+
+typedef struct AspeedRtcState {
+    SysBusDevice parent_obj;
+
+    MemoryRegion iomem;
+    qemu_irq irq;
+
+    uint32_t reg[0x18];
+    int offset;
+
+} AspeedRtcState;
+
+#define TYPE_ASPEED_RTC "aspeed.rtc"
+#define ASPEED_RTC(obj) OBJECT_CHECK(AspeedRtcState, (obj), TYPE_ASPEED_RTC)
+
+#endif /* ASPEED_RTC_H */
diff --git a/hw/timer/aspeed_rtc.c b/hw/timer/aspeed_rtc.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/hw/timer/aspeed_rtc.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * ASPEED Real Time Clock
+ * Joel Stanley <joel@jms.id.au>
+ *
+ * Copyright 2019 IBM Corp
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "qemu/osdep.h"
+#include "qemu-common.h"
+#include "hw/timer/aspeed_rtc.h"
+#include "qemu/log.h"
+#include "qemu/timer.h"
+
+#include "trace.h"
+
+#define COUNTER1        (0x00 / 4)
+#define COUNTER2        (0x04 / 4)
+#define ALARM           (0x08 / 4)
+#define CONTROL         (0x10 / 4)
+#define ALARM_STATUS    (0x14 / 4)
+
+#define RTC_UNLOCKED    BIT(1)
+#define RTC_ENABLED     BIT(0)
+
+static void aspeed_rtc_calc_offset(AspeedRtcState *rtc)
+{
+    struct tm tm;
+    uint32_t year, cent;
+    uint32_t reg1 = rtc->reg[COUNTER1];
+    uint32_t reg2 = rtc->reg[COUNTER2];
+
+    tm.tm_mday = (reg1 >> 24) & 0x1f;
+    tm.tm_hour = (reg1 >> 16) & 0x1f;
+    tm.tm_min = (reg1 >> 8) & 0x3f;
+    tm.tm_sec = (reg1 >> 0) & 0x3f;
+
+    cent = (reg2 >> 16) & 0x1f;
+    year = (reg2 >> 8) & 0x7f;
+    tm.tm_mon = ((reg2 >>  0) & 0x0f) - 1;
+    tm.tm_year = year + (cent * 100) - 1900;
+
+    rtc->offset = qemu_timedate_diff(&tm);
+}
+
+static uint32_t aspeed_rtc_get_counter(AspeedRtcState *rtc, int r)
+{
+    uint32_t year, cent;
+    struct tm now;
+
+    qemu_get_timedate(&now, rtc->offset);
+
+    switch (r) {
+    case COUNTER1:
+        return (now.tm_mday << 24) | (now.tm_hour << 16) |
+            (now.tm_min << 8) | now.tm_sec;
+    case COUNTER2:
+        cent = (now.tm_year + 1900) / 100;
+        year = now.tm_year % 100;
+        return ((cent & 0x1f) << 16) | ((year & 0x7f) << 8) |
+            ((now.tm_mon + 1) & 0xf);
+    default:
+        g_assert_not_reached();
+    }
+}
+
+static uint64_t aspeed_rtc_read(void *opaque, hwaddr addr,
+                                unsigned size)
+{
+    AspeedRtcState *rtc = opaque;
+    uint64_t val;
+    uint32_t r = addr >> 2;
+
+    switch (r) {
+    case COUNTER1:
+    case COUNTER2:
+        if (rtc->reg[CONTROL] & RTC_ENABLED) {
+            rtc->reg[r] = aspeed_rtc_get_counter(rtc, r);
+        }
+        /* fall through */
+    case CONTROL:
+        val = rtc->reg[r];
+        break;
+    case ALARM:
+    case ALARM_STATUS:
+    default:
+        qemu_log_mask(LOG_UNIMP, "%s: 0x%" HWADDR_PRIx "\n", __func__, addr);
+        return 0;
+    }
+
+    trace_aspeed_rtc_read(addr, val);
+
+    return val;
+}
+
+static void aspeed_rtc_write(void *opaque, hwaddr addr,
+                             uint64_t val, unsigned size)
+{
+    AspeedRtcState *rtc = opaque;
+    uint32_t r = addr >> 2;
+
+    switch (r) {
+    case COUNTER1:
+    case COUNTER2:
+        if (!(rtc->reg[CONTROL] & RTC_UNLOCKED)) {
+            break;
+        }
+        /* fall through */
+    case CONTROL:
+        rtc->reg[r] = val;
+        aspeed_rtc_calc_offset(rtc);
+        break;
+    case ALARM:
+    case ALARM_STATUS:
+    default:
+        qemu_log_mask(LOG_UNIMP, "%s: 0x%" HWADDR_PRIx "\n", __func__, addr);
+        break;
+    }
+    trace_aspeed_rtc_write(addr, val);
+}
+
+static void aspeed_rtc_reset(DeviceState *d)
+{
+    AspeedRtcState *rtc = ASPEED_RTC(d);
+
+    rtc->offset = 0;
+    memset(rtc->reg, 0, sizeof(rtc->reg));
+}
+
+static const MemoryRegionOps aspeed_rtc_ops = {
+    .read = aspeed_rtc_read,
+    .write = aspeed_rtc_write,
+    .endianness = DEVICE_NATIVE_ENDIAN,
+};
+
+static const VMStateDescription vmstate_aspeed_rtc = {
+    .name = TYPE_ASPEED_RTC,
+    .version_id = 1,
+    .fields = (VMStateField[]) {
+        VMSTATE_UINT32_ARRAY(reg, AspeedRtcState, 0x18),
+        VMSTATE_INT32(offset, AspeedRtcState),
+        VMSTATE_INT32(offset, AspeedRtcState),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+static void aspeed_rtc_realize(DeviceState *dev, Error **errp)
+{
+    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
+    AspeedRtcState *s = ASPEED_RTC(dev);
+
+    sysbus_init_irq(sbd, &s->irq);
+
+    memory_region_init_io(&s->iomem, OBJECT(s), &aspeed_rtc_ops, s,
+                          "aspeed-rtc", 0x18ULL);
+    sysbus_init_mmio(sbd, &s->iomem);
+}
+
+static void aspeed_rtc_class_init(ObjectClass *klass, void *data)
+{
+    DeviceClass *dc = DEVICE_CLASS(klass);
+
+    dc->realize = aspeed_rtc_realize;
+    dc->vmsd = &vmstate_aspeed_rtc;
+    dc->reset = aspeed_rtc_reset;
+}
+
+static const TypeInfo aspeed_rtc_info = {
+    .name          = TYPE_ASPEED_RTC,
+    .parent        = TYPE_SYS_BUS_DEVICE,
+    .instance_size = sizeof(AspeedRtcState),
+    .class_init    = aspeed_rtc_class_init,
+};
+
+static void aspeed_rtc_register_types(void)
+{
+    type_register_static(&aspeed_rtc_info);
+}
+
+type_init(aspeed_rtc_register_types)
diff --git a/hw/timer/trace-events b/hw/timer/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/hw/timer/trace-events
+++ b/hw/timer/trace-events
@@ -XXX,XX +XXX,XX @@ cmsdk_apb_dualtimer_read(uint64_t offset, uint64_t data, unsigned size) "CMSDK A
 cmsdk_apb_dualtimer_write(uint64_t offset, uint64_t data, unsigned size) "CMSDK APB dualtimer write: offset 0x%" PRIx64 " data 0x%" PRIx64 " size %u"
 cmsdk_apb_dualtimer_reset(void) "CMSDK APB dualtimer: reset"
 
+# hw/timer/aspeed-rtc.c
+aspeed_rtc_read(uint64_t addr, uint64_t value) "addr 0x%02" PRIx64 " value 0x%08" PRIx64
+aspeed_rtc_write(uint64_t addr, uint64_t value) "addr 0x%02" PRIx64 " value 0x%08" PRIx64
+
 # sun4v-rtc.c
 sun4v_rtc_read(uint64_t addr, uint64_t value) "read: addr 0x%" PRIx64 " value 0x%" PRIx64
 sun4v_rtc_write(uint64_t addr, uint64_t value) "write: addr 0x%" PRIx64 " value 0x%" PRIx64
-- 
2.20.1

From: Joel Stanley <joel@jms.id.au>

All systems have an RTC.

The IRQ is hooked up but the model does not use it at this stage. There
is no guest code that uses it, so this limitation is acceptable.

Signed-off-by: Joel Stanley <joel@jms.id.au>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20190618165311.27066-5-clg@kaod.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/arm/aspeed_soc.h |  2 ++
 hw/arm/aspeed_soc.c         | 13 +++++++++++++
 2 files changed, 15 insertions(+)

diff --git a/include/hw/arm/aspeed_soc.h b/include/hw/arm/aspeed_soc.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/aspeed_soc.h
+++ b/include/hw/arm/aspeed_soc.h
@@ -XXX,XX +XXX,XX @@
 #include "hw/misc/aspeed_scu.h"
 #include "hw/misc/aspeed_sdmc.h"
 #include "hw/timer/aspeed_timer.h"
+#include "hw/timer/aspeed_rtc.h"
 #include "hw/i2c/aspeed_i2c.h"
 #include "hw/ssi/aspeed_smc.h"
 #include "hw/watchdog/wdt_aspeed.h"
@@ -XXX,XX +XXX,XX @@ typedef struct AspeedSoCState {
     ARMCPU cpu;
     MemoryRegion sram;
     AspeedVICState vic;
+    AspeedRtcState rtc;
     AspeedTimerCtrlState timerctrl;
     AspeedI2CState i2c;
     AspeedSCUState scu;
diff --git a/hw/arm/aspeed_soc.c b/hw/arm/aspeed_soc.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/aspeed_soc.c
+++ b/hw/arm/aspeed_soc.c
@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_init(Object *obj)
     sysbus_init_child_obj(obj, "vic", OBJECT(&s->vic), sizeof(s->vic),
                           TYPE_ASPEED_VIC);
 
+    sysbus_init_child_obj(obj, "rtc", OBJECT(&s->rtc), sizeof(s->rtc),
+                          TYPE_ASPEED_RTC);
+
     sysbus_init_child_obj(obj, "timerctrl", OBJECT(&s->timerctrl),
                           sizeof(s->timerctrl), TYPE_ASPEED_TIMER);
     object_property_add_const_link(OBJECT(&s->timerctrl), "scu",
@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_realize(DeviceState *dev, Error **errp)
     sysbus_connect_irq(SYS_BUS_DEVICE(&s->vic), 1,
                        qdev_get_gpio_in(DEVICE(&s->cpu), ARM_CPU_FIQ));
 
+    /* RTC */
+    object_property_set_bool(OBJECT(&s->rtc), true, "realized", &err);
+    if (err) {
+        error_propagate(errp, err);
+        return;
+    }
+    sysbus_mmio_map(SYS_BUS_DEVICE(&s->rtc), 0, sc->info->memmap[ASPEED_RTC]);
+    sysbus_connect_irq(SYS_BUS_DEVICE(&s->rtc), 0,
+                       aspeed_soc_get_irq(s, ASPEED_RTC));
+
     /* Timer */
     object_property_set_bool(OBJECT(&s->timerctrl), true, "realized", &err);
     if (err) {
-- 
2.20.1

From: Cédric Le Goater <clg@kaod.org>

The current models of the Aspeed SoCs only have one CPU but future
ones will support SMP. Introduce a new num_cpus field at the SoC class
level to define the number of available CPUs per SoC and also
introduce a 'num-cpus' property to activate the CPUs configured for
the machine.

The max_cpus limit of the machine should depend on the SoC definition
but, unfortunately, these values are not available when the machine
class is initialized. This is the reason why we add a check on
num_cpus in the AspeedSoC realize handler.

SMP support will be activated when models for such SoCs are implemented.

Signed-off-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Joel Stanley <joel@jms.id.au>
Message-id: 20190618165311.27066-6-clg@kaod.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/arm/aspeed_soc.h |  5 ++++-
 hw/arm/aspeed.c             |  7 +++++--
 hw/arm/aspeed_soc.c         | 33 +++++++++++++++++++++++++++------
 3 files changed, 36 insertions(+), 9 deletions(-)

diff --git a/include/hw/arm/aspeed_soc.h b/include/hw/arm/aspeed_soc.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/aspeed_soc.h
+++ b/include/hw/arm/aspeed_soc.h
@@ -XXX,XX +XXX,XX @@
 
 #define ASPEED_SPIS_NUM  2
 #define ASPEED_WDTS_NUM  3
+#define ASPEED_CPUS_NUM  2
 
 typedef struct AspeedSoCState {
     /*< private >*/
     DeviceState parent;
 
     /*< public >*/
-    ARMCPU cpu;
+    ARMCPU cpu[ASPEED_CPUS_NUM];
+    uint32_t num_cpus;
     MemoryRegion sram;
     AspeedVICState vic;
     AspeedRtcState rtc;
@@ -XXX,XX +XXX,XX @@ typedef struct AspeedSoCInfo {
     int wdts_num;
     const int *irqmap;
     const hwaddr *memmap;
+    uint32_t num_cpus;
 } AspeedSoCInfo;
 
 typedef struct AspeedSoCClass {
diff --git a/hw/arm/aspeed.c b/hw/arm/aspeed.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/aspeed.c
+++ b/hw/arm/aspeed.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/misc/tmp105.h"
 #include "qemu/log.h"
 #include "sysemu/block-backend.h"
+#include "sysemu/sysemu.h"
 #include "hw/loader.h"
 #include "qemu/error-report.h"
 #include "qemu/units.h"
 
 static struct arm_boot_info aspeed_board_binfo = {
     .board_id = -1, /* device-tree-only board */
-    .nb_cpus = 1,
 };
 
 struct AspeedBoardState {
@@ -XXX,XX +XXX,XX @@ static void aspeed_board_init(MachineState *machine,
                             &error_abort);
     object_property_set_int(OBJECT(&bmc->soc), cfg->num_cs, "num-cs",
                             &error_abort);
+    object_property_set_int(OBJECT(&bmc->soc), smp_cpus, "num-cpus",
+                            &error_abort);
     if (machine->kernel_filename) {
         /*
          * When booting with a -kernel command line there is no u-boot
@@ -XXX,XX +XXX,XX @@ static void aspeed_board_init(MachineState *machine,
     aspeed_board_binfo.kernel_cmdline = machine->kernel_cmdline;
     aspeed_board_binfo.ram_size = ram_size;
     aspeed_board_binfo.loader_start = sc->info->memmap[ASPEED_SDRAM];
+    aspeed_board_binfo.nb_cpus = bmc->soc.num_cpus;
 
     if (cfg->i2c_init) {
         cfg->i2c_init(bmc);
@@ -XXX,XX +XXX,XX @@ static void aspeed_machine_class_init(ObjectClass *oc, void *data)
 
     mc->desc = board->desc;
     mc->init = aspeed_machine_init;
-    mc->max_cpus = 1;
+    mc->max_cpus = ASPEED_CPUS_NUM;
     mc->no_sdcard = 1;
     mc->no_floppy = 1;
     mc->no_cdrom = 1;
diff --git a/hw/arm/aspeed_soc.c b/hw/arm/aspeed_soc.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/aspeed_soc.c
+++ b/hw/arm/aspeed_soc.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/char/serial.h"
 #include "qemu/log.h"
 #include "qemu/module.h"
+#include "qemu/error-report.h"
 #include "hw/i2c/aspeed_i2c.h"
 #include "net/net.h"
 
@@ -XXX,XX +XXX,XX @@ static const AspeedSoCInfo aspeed_socs[] = {
         .wdts_num     = 2,
         .irqmap       = aspeed_soc_ast2400_irqmap,
         .memmap       = aspeed_soc_ast2400_memmap,
+        .num_cpus     = 1,
     }, {
         .name         = "ast2400-a1",
         .cpu_type     = ARM_CPU_TYPE_NAME("arm926"),
@@ -XXX,XX +XXX,XX @@ static const AspeedSoCInfo aspeed_socs[] = {
         .wdts_num     = 2,
         .irqmap       = aspeed_soc_ast2400_irqmap,
         .memmap       = aspeed_soc_ast2400_memmap,
+        .num_cpus     = 1,
     }, {
         .name         = "ast2400",
         .cpu_type     = ARM_CPU_TYPE_NAME("arm926"),
@@ -XXX,XX +XXX,XX @@ static const AspeedSoCInfo aspeed_socs[] = {
         .wdts_num     = 2,
         .irqmap       = aspeed_soc_ast2400_irqmap,
         .memmap       = aspeed_soc_ast2400_memmap,
+        .num_cpus     = 1,
     }, {
         .name         = "ast2500-a1",
         .cpu_type     = ARM_CPU_TYPE_NAME("arm1176"),
@@ -XXX,XX +XXX,XX @@ static const AspeedSoCInfo aspeed_socs[] = {
         .wdts_num     = 3,
         .irqmap       = aspeed_soc_ast2500_irqmap,
         .memmap       = aspeed_soc_ast2500_memmap,
+        .num_cpus     = 1,
     },
 };
 
@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_init(Object *obj)
     AspeedSoCClass *sc = ASPEED_SOC_GET_CLASS(s);
     int i;
 
-    object_initialize_child(obj, "cpu", OBJECT(&s->cpu), sizeof(s->cpu),
-                            sc->info->cpu_type, &error_abort, NULL);
+    for (i = 0; i < sc->info->num_cpus; i++) {
+        object_initialize_child(obj, "cpu[*]", OBJECT(&s->cpu[i]),
+                                sizeof(s->cpu[i]), sc->info->cpu_type,
+                                &error_abort, NULL);
+    }
 
     sysbus_init_child_obj(obj, "scu", OBJECT(&s->scu), sizeof(s->scu),
                           TYPE_ASPEED_SCU);
@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_realize(DeviceState *dev, Error **errp)
     create_unimplemented_device("aspeed_soc.io", sc->info->memmap[ASPEED_IOMEM],
                                 ASPEED_SOC_IOMEM_SIZE);
 
+    if (s->num_cpus > sc->info->num_cpus) {
+        warn_report("%s: invalid number of CPUs %d, using default %d",
+                    sc->info->name, s->num_cpus, sc->info->num_cpus);
+        s->num_cpus = sc->info->num_cpus;
+    }
+
     /* CPU */
-    object_property_set_bool(OBJECT(&s->cpu), true, "realized", &err);
-    if (err) {
-        error_propagate(errp, err);
-        return;
+    for (i = 0; i < s->num_cpus; i++) {
+        object_property_set_bool(OBJECT(&s->cpu[i]), true, "realized", &err);
+        if (err) {
+            error_propagate(errp, err);
+            return;
+        }
     }
 
     /* SRAM */
@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_realize(DeviceState *dev, Error **errp)
     sysbus_connect_irq(SYS_BUS_DEVICE(&s->ftgmac100), 0,
                        aspeed_soc_get_irq(s, ASPEED_ETH1));
 }
+static Property aspeed_soc_properties[] = {
+    DEFINE_PROP_UINT32("num-cpus", AspeedSoCState, num_cpus, 0),
+    DEFINE_PROP_END_OF_LIST(),
+};
 
 static void aspeed_soc_class_init(ObjectClass *oc, void *data)
 {
@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_class_init(ObjectClass *oc, void *data)
     dc->realize = aspeed_soc_realize;
     /* Reason: Uses serial_hds and nd_table in realize() directly */
     dc->user_creatable = false;
+    dc->props = aspeed_soc_properties;
 }
 
 static const TypeInfo aspeed_soc_type_info = {
-- 
2.20.1

From: Cédric Le Goater <clg@kaod.org>

The Aspeed SoCs have two MACs. Extend the Aspeed model to support a
second NIC.

Signed-off-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Joel Stanley <joel@jms.id.au>
Message-id: 20190618165311.27066-7-clg@kaod.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/arm/aspeed_soc.h |  3 ++-
 hw/arm/aspeed_soc.c         | 33 +++++++++++++++++++--------------
 2 files changed, 21 insertions(+), 15 deletions(-)

diff --git a/include/hw/arm/aspeed_soc.h b/include/hw/arm/aspeed_soc.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/aspeed_soc.h
+++ b/include/hw/arm/aspeed_soc.h
@@ -XXX,XX +XXX,XX @@
 #define ASPEED_SPIS_NUM  2
 #define ASPEED_WDTS_NUM  3
 #define ASPEED_CPUS_NUM  2
+#define ASPEED_MACS_NUM  2
 
 typedef struct AspeedSoCState {
     /*< private >*/
@@ -XXX,XX +XXX,XX @@ typedef struct AspeedSoCState {
     AspeedSMCState spi[ASPEED_SPIS_NUM];
     AspeedSDMCState sdmc;
     AspeedWDTState wdt[ASPEED_WDTS_NUM];
-    FTGMAC100State ftgmac100;
+    FTGMAC100State ftgmac100[ASPEED_MACS_NUM];
 } AspeedSoCState;
 
 #define TYPE_ASPEED_SOC "aspeed-soc"
diff --git a/hw/arm/aspeed_soc.c b/hw/arm/aspeed_soc.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/aspeed_soc.c
+++ b/hw/arm/aspeed_soc.c
@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_init(Object *obj)
                                     sc->info->silicon_rev);
     }
 
-    sysbus_init_child_obj(obj, "ftgmac100", OBJECT(&s->ftgmac100),
-                          sizeof(s->ftgmac100), TYPE_FTGMAC100);
+    for (i = 0; i < ASPEED_MACS_NUM; i++) {
+        sysbus_init_child_obj(obj, "ftgmac100[*]", OBJECT(&s->ftgmac100[i]),
+                              sizeof(s->ftgmac100[i]), TYPE_FTGMAC100);
+    }
 }
 
 static void aspeed_soc_realize(DeviceState *dev, Error **errp)
@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_realize(DeviceState *dev, Error **errp)
     }
 
     /* Net */
-    qdev_set_nic_properties(DEVICE(&s->ftgmac100), &nd_table[0]);
-    object_property_set_bool(OBJECT(&s->ftgmac100), true, "aspeed", &err);
-    object_property_set_bool(OBJECT(&s->ftgmac100), true, "realized",
-                             &local_err);
-    error_propagate(&err, local_err);
-    if (err) {
-        error_propagate(errp, err);
-        return;
+    for (i = 0; i < nb_nics; i++) {
+        qdev_set_nic_properties(DEVICE(&s->ftgmac100[i]), &nd_table[i]);
+        object_property_set_bool(OBJECT(&s->ftgmac100[i]), true, "aspeed",
+                                 &err);
+        object_property_set_bool(OBJECT(&s->ftgmac100[i]), true, "realized",
+                                 &local_err);
+        error_propagate(&err, local_err);
+        if (err) {
+            error_propagate(errp, err);
+           return;
+        }
+        sysbus_mmio_map(SYS_BUS_DEVICE(&s->ftgmac100[i]), 0,
+                        sc->info->memmap[ASPEED_ETH1 + i]);
+        sysbus_connect_irq(SYS_BUS_DEVICE(&s->ftgmac100[i]), 0,
+                           aspeed_soc_get_irq(s, ASPEED_ETH1 + i));
     }
-    sysbus_mmio_map(SYS_BUS_DEVICE(&s->ftgmac100), 0,
-                    sc->info->memmap[ASPEED_ETH1]);
-    sysbus_connect_irq(SYS_BUS_DEVICE(&s->ftgmac100), 0,
-                       aspeed_soc_get_irq(s, ASPEED_ETH1));
 }
 static Property aspeed_soc_properties[] = {
     DEFINE_PROP_UINT32("num-cpus", AspeedSoCState, num_cpus, 0),
-- 
2.20.1

From: Joel Stanley <joel@jms.id.au>

The Linux kernel driver was updated in commit 4451d3f59f2a
("clocksource/drivers/fttmr010: Fix set_next_event handler) to fix an
issue observed on hardware:

> RELOAD register is loaded into COUNT register when the aspeed timer
 > is enabled, which means the next event may be delayed because timer
 > interrupt won't be generated until <0xFFFFFFFF - current_count +
 > cycles>.

When running under Qemu, the system appeared "laggy". The guest is now
scheduling timer events too regularly, starving the host of CPU time.

This patch modifies the timer model to attempt to schedule the timer
expiry as the guest requests, but if we have missed the deadline we
re interrupt and try again, which allows the guest to catch up.

Provides expected behaviour with old and new guest code.

Fixes: c04bd47db6b9 ("hw/timer: Add ASPEED timer device model")
Signed-off-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Message-id: 20190618165311.27066-8-clg@kaod.org
[clg: - merged a fix from Andrew Jeffery <andrew@aj.id.au>
        "Fire interrupt on failure to meet deadline"
        https://lists.ozlabs.org/pipermail/openbmc/2019-January/014641.html
      - adapted commit log
      - checkpatch fixes ]
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/timer/aspeed_timer.c | 57 ++++++++++++++++++++++-------------------
 1 file changed, 30 insertions(+), 27 deletions(-)

diff --git a/hw/timer/aspeed_timer.c b/hw/timer/aspeed_timer.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/timer/aspeed_timer.c
+++ b/hw/timer/aspeed_timer.c
@@ -XXX,XX +XXX,XX @@ static inline uint64_t calculate_time(struct AspeedTimer *t, uint32_t ticks)
 
 static uint64_t calculate_next(struct AspeedTimer *t)
 {
-    uint64_t next = 0;
-    uint32_t rate = calculate_rate(t);
+    uint64_t now = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
+    uint64_t next;
 
-    while (!next) {
-        /* We don't know the relationship between the values in the match
-         * registers, so sort using MAX/MIN/zero. We sort in that order as the
-         * timer counts down to zero. */
-        uint64_t seq[] = {
-            calculate_time(t, MAX(t->match[0], t->match[1])),
-            calculate_time(t, MIN(t->match[0], t->match[1])),
-            calculate_time(t, 0),
-        };
-        uint64_t reload_ns;
-        uint64_t now = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
+    /*
+     * We don't know the relationship between the values in the match
+     * registers, so sort using MAX/MIN/zero. We sort in that order as
+     * the timer counts down to zero.
+     */
 
-        if (now < seq[0]) {
-            next = seq[0];
-        } else if (now < seq[1]) {
-            next = seq[1];
-        } else if (now < seq[2]) {
-            next = seq[2];
-        } else if (t->reload) {
-            reload_ns = muldiv64(t->reload, NANOSECONDS_PER_SECOND, rate);
-            t->start = now - ((now - t->start) % reload_ns);
-        } else {
-            /* no reload value, return 0 */
-            break;
-        }
+    next = calculate_time(t, MAX(t->match[0], t->match[1]));
+    if (now < next) {
+        return next;
     }
 
-    return next;
+    next = calculate_time(t, MIN(t->match[0], t->match[1]));
+    if (now < next) {
+        return next;
+    }
+
+    next = calculate_time(t, 0);
+    if (now < next) {
+        return next;
+    }
+
+    /* We've missed all deadlines, fire interrupt and try again */
+    timer_del(&t->timer);
+
+    if (timer_overflow_interrupt(t)) {
+        t->level = !t->level;
+        qemu_set_irq(t->irq, t->level);
+    }
+
+    t->start = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
+    return calculate_time(t, MAX(MAX(t->match[0], t->match[1]), 0));
 }
 
 static void aspeed_timer_mod(AspeedTimer *t)
-- 
2.20.1

From: Andrew Jeffery <andrew@aj.id.au>

From the datasheet:

This register stores the current status of counter #N. When timer
  enable bit TMC30[N * b] is disabled, the reload register will be
  loaded into this counter. When timer bit TMC30[N * b] is set, the
  counter will start to decrement. CPU can update this register value
  when enable bit is set.

Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Joel Stanley <joel@jms.id.au>
Message-id: 20190618165311.27066-9-clg@kaod.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/timer/aspeed_timer.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/hw/timer/aspeed_timer.c b/hw/timer/aspeed_timer.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/timer/aspeed_timer.c
+++ b/hw/timer/aspeed_timer.c
@@ -XXX,XX +XXX,XX @@ static uint64_t aspeed_timer_get_value(AspeedTimer *t, int reg)
 
     switch (reg) {
     case TIMER_REG_STATUS:
-        value = calculate_ticks(t, qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL));
+        if (timer_enabled(t)) {
+            value = calculate_ticks(t, qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL));
+        } else {
+            value = t->reload;
+        }
         break;
     case TIMER_REG_RELOAD:
         value = t->reload;
-- 
2.20.1

From: Andrew Jeffery <andrew@aj.id.au>

If the match value exceeds reload then we don't want to include it in
calculations for the next event.

Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Message-id: 20190618165311.27066-10-clg@kaod.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/timer/aspeed_timer.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

From: Christian Svensson <bluecmd@google.com>

If the host decrements the counter register that results in a negative
delta. This is then passed to muldiv64 which only handles unsigned
numbers resulting in bogus results.

This fix ensures the delta being operated on is positive.

Test case: kexec a kernel using aspeed_timer and it will freeze on the
second bootup when the kernel initializes the timer. With this patch
that no longer happens and the timer appears to run OK.

Signed-off-by: Christian Svensson <bluecmd@google.com>
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Joel Stanley <joel@jms.id.au>
Reviewed-by: Andrew Jeffery <andrew@aj.id.au>
Message-id: 20190618165311.27066-12-clg@kaod.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/timer/aspeed_timer.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/hw/timer/aspeed_timer.c b/hw/timer/aspeed_timer.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/timer/aspeed_timer.c
+++ b/hw/timer/aspeed_timer.c
@@ -XXX,XX +XXX,XX @@ static void aspeed_timer_set_value(AspeedTimerCtrlState *s, int timer, int reg,
             int64_t delta = (int64_t) value - (int64_t) calculate_ticks(t, now);
             uint32_t rate = calculate_rate(t);
 
-            t->start += muldiv64(delta, NANOSECONDS_PER_SECOND, rate);
+            if (delta >= 0) {
+                t->start += muldiv64(delta, NANOSECONDS_PER_SECOND, rate);
+            } else {
+                t->start -= muldiv64(-delta, NANOSECONDS_PER_SECOND, rate);
+            }
             aspeed_timer_mod(t);
         }
         break;
-- 
2.20.1

From: Cédric Le Goater <clg@kaod.org>

It has never been used as far as I can tell from the git history.

Signed-off-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Joel Stanley <joel@jms.id.au>
Message-id: 20190618165311.27066-13-clg@kaod.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/aspeed.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/hw/arm/aspeed.c b/hw/arm/aspeed.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/aspeed.c
+++ b/hw/arm/aspeed.c
@@ -XXX,XX +XXX,XX @@ static void aspeed_board_init(MachineState *machine,
     memory_region_allocate_system_memory(&bmc->ram, NULL, "ram", ram_size);
     memory_region_add_subregion(get_system_memory(),
                                 sc->info->memmap[ASPEED_SDRAM], &bmc->ram);
-    object_property_add_const_link(OBJECT(&bmc->soc), "ram", OBJECT(&bmc->ram),
-                                   &error_abort);
 
     max_ram_size = object_property_get_uint(OBJECT(&bmc->soc), "max-ram-size",
                                             &error_abort);
-- 
2.20.1

From: Cédric Le Goater <clg@kaod.org>

The RAM memory region is defined after the SoC is realized when the
SDMC controller has checked that the defined RAM size for the machine
is correct. This is problematic for controller models requiring a link
on the RAM region, for DMA support in the SMC controller for instance.

Introduce a container memory region for the RAM that we can link into
the controllers early, before the SoC is realized. It will be
populated with the RAM region after the checks have be done.

Signed-off-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Joel Stanley <joel@jms.id.au>
Message-id: 20190618165311.27066-14-clg@kaod.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/aspeed.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/hw/arm/aspeed.c b/hw/arm/aspeed.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/aspeed.c
+++ b/hw/arm/aspeed.c
@@ -XXX,XX +XXX,XX @@ static struct arm_boot_info aspeed_board_binfo = {
 
 struct AspeedBoardState {
     AspeedSoCState soc;
+    MemoryRegion ram_container;
     MemoryRegion ram;
     MemoryRegion max_ram;
 };
@@ -XXX,XX +XXX,XX @@ static void aspeed_board_init(MachineState *machine,
     ram_addr_t max_ram_size;
 
     bmc = g_new0(AspeedBoardState, 1);
+
+    memory_region_init(&bmc->ram_container, NULL, "aspeed-ram-container",
+                       UINT32_MAX);
+
     object_initialize_child(OBJECT(machine), "soc", &bmc->soc,
                             (sizeof(bmc->soc)), cfg->soc_name, &error_abort,
                             NULL);
@@ -XXX,XX +XXX,XX @@ static void aspeed_board_init(MachineState *machine,
                                         &error_abort);
 
     memory_region_allocate_system_memory(&bmc->ram, NULL, "ram", ram_size);
+    memory_region_add_subregion(&bmc->ram_container, 0, &bmc->ram);
     memory_region_add_subregion(get_system_memory(),
-                                sc->info->memmap[ASPEED_SDRAM], &bmc->ram);
+                                sc->info->memmap[ASPEED_SDRAM],
+                                &bmc->ram_container);
 
     max_ram_size = object_property_get_uint(OBJECT(&bmc->soc), "max-ram-size",
                                             &error_abort);
     memory_region_init_io(&bmc->max_ram, NULL, &max_ram_ops, NULL,
                           "max_ram", max_ram_size  - ram_size);
-    memory_region_add_subregion(get_system_memory(),
-                                sc->info->memmap[ASPEED_SDRAM] + ram_size,
-                                &bmc->max_ram);
+    memory_region_add_subregion(&bmc->ram_container, ram_size, &bmc->max_ram);
 
     aspeed_board_init_flashes(&bmc->soc.fmc, cfg->fmc_model, &error_abort);
     aspeed_board_init_flashes(&bmc->soc.spi[0], cfg->spi_model, &error_abort);
-- 
2.20.1

From: Cédric Le Goater <clg@kaod.org>

The DRAM address of a DMA transaction depends on the DRAM base address
of the SoC. Inform the SMC controller model with this value.

Signed-off-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Joel Stanley <joel@jms.id.au>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190618165311.27066-15-clg@kaod.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/ssi/aspeed_smc.h | 3 +++
 hw/arm/aspeed_soc.c         | 6 ++++++
 hw/ssi/aspeed_smc.c         | 1 +
 3 files changed, 10 insertions(+)

diff --git a/include/hw/ssi/aspeed_smc.h b/include/hw/ssi/aspeed_smc.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/ssi/aspeed_smc.h
+++ b/include/hw/ssi/aspeed_smc.h
@@ -XXX,XX +XXX,XX @@ typedef struct AspeedSMCState {
     uint8_t r_timings;
     uint8_t conf_enable_w0;
 
+    /* for DMA support */
+    uint64_t sdram_base;
+
     AspeedSMCFlash *flashes;
 
     uint8_t snoop_index;
diff --git a/hw/arm/aspeed_soc.c b/hw/arm/aspeed_soc.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/aspeed_soc.c
+++ b/hw/arm/aspeed_soc.c
@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_realize(DeviceState *dev, Error **errp)
                        aspeed_soc_get_irq(s, ASPEED_I2C));
 
     /* FMC, The number of CS is set at the board level */
+    object_property_set_int(OBJECT(&s->fmc), sc->info->memmap[ASPEED_SDRAM],
+                            "sdram-base", &err);
+    if (err) {
+        error_propagate(errp, err);
+        return;
+    }
     object_property_set_bool(OBJECT(&s->fmc), true, "realized", &err);
     if (err) {
         error_propagate(errp, err);
diff --git a/hw/ssi/aspeed_smc.c b/hw/ssi/aspeed_smc.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/ssi/aspeed_smc.c
+++ b/hw/ssi/aspeed_smc.c
@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_aspeed_smc = {
 
 static Property aspeed_smc_properties[] = {
     DEFINE_PROP_UINT32("num-cs", AspeedSMCState, num_cs, 1),
+    DEFINE_PROP_UINT64("sdram-base", AspeedSMCState, sdram_base, 0),
     DEFINE_PROP_END_OF_LIST(),
 };
 
-- 
2.20.1

From: Adriana Kobylak <anoo@us.ibm.com>

The Swift board is an OpenPOWER system hosting POWER processors.
Add support for their BMC including the I2C devices as found on HW.

Signed-off-by: Adriana Kobylak <anoo@us.ibm.com>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Joel Stanley <joel@jms.id.au>
Message-id: 20190618165311.27066-20-clg@kaod.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/aspeed.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)

diff --git a/hw/arm/aspeed.c b/hw/arm/aspeed.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/aspeed.c
+++ b/hw/arm/aspeed.c
@@ -XXX,XX +XXX,XX @@ struct AspeedBoardState {
         SCU_AST2500_HW_STRAP_ACPI_ENABLE |                              \
         SCU_HW_STRAP_SPI_MODE(SCU_HW_STRAP_SPI_MASTER))
 
+/* Swift hardware value: 0xF11AD206 */
+#define SWIFT_BMC_HW_STRAP1 (                                           \
+        AST2500_HW_STRAP1_DEFAULTS |                                    \
+        SCU_AST2500_HW_STRAP_SPI_AUTOFETCH_ENABLE |                     \
+        SCU_AST2500_HW_STRAP_GPIO_STRAP_ENABLE |                        \
+        SCU_AST2500_HW_STRAP_UART_DEBUG |                               \
+        SCU_AST2500_HW_STRAP_DDR4_ENABLE |                              \
+        SCU_H_PLL_BYPASS_EN |                                           \
+        SCU_AST2500_HW_STRAP_ACPI_ENABLE |                              \
+        SCU_HW_STRAP_SPI_MODE(SCU_HW_STRAP_SPI_MASTER))
+
 /* Witherspoon hardware value: 0xF10AD216 (but use romulus definition) */
 #define WITHERSPOON_BMC_HW_STRAP1 ROMULUS_BMC_HW_STRAP1
 
@@ -XXX,XX +XXX,XX @@ static void romulus_bmc_i2c_init(AspeedBoardState *bmc)
     i2c_create_slave(aspeed_i2c_get_bus(DEVICE(&soc->i2c), 11), "ds1338", 0x32);
 }
 
+static void swift_bmc_i2c_init(AspeedBoardState *bmc)
+{
+    AspeedSoCState *soc = &bmc->soc;
+
+    i2c_create_slave(aspeed_i2c_get_bus(DEVICE(&soc->i2c), 3), "pca9552", 0x60);
+
+    /* The swift board expects a TMP275 but a TMP105 is compatible */
+    i2c_create_slave(aspeed_i2c_get_bus(DEVICE(&soc->i2c), 7), "tmp105", 0x48);
+    /* The swift board expects a pca9551 but a pca9552 is compatible */
+    i2c_create_slave(aspeed_i2c_get_bus(DEVICE(&soc->i2c), 7), "pca9552", 0x60);
+
+    /* The swift board expects an Epson RX8900 RTC but a ds1338 is compatible */
+    i2c_create_slave(aspeed_i2c_get_bus(DEVICE(&soc->i2c), 8), "ds1338", 0x32);
+    i2c_create_slave(aspeed_i2c_get_bus(DEVICE(&soc->i2c), 8), "pca9552", 0x60);
+
+    i2c_create_slave(aspeed_i2c_get_bus(DEVICE(&soc->i2c), 9), "tmp423", 0x4c);
+    /* The swift board expects a pca9539 but a pca9552 is compatible */
+    i2c_create_slave(aspeed_i2c_get_bus(DEVICE(&soc->i2c), 9), "pca9552", 0x74);
+
+    i2c_create_slave(aspeed_i2c_get_bus(DEVICE(&soc->i2c), 10), "tmp423", 0x4c);
+    /* The swift board expects a pca9539 but a pca9552 is compatible */
+    i2c_create_slave(aspeed_i2c_get_bus(DEVICE(&soc->i2c), 10), "pca9552",
+                     0x74);
+
+    /* The swift board expects a TMP275 but a TMP105 is compatible */
+    i2c_create_slave(aspeed_i2c_get_bus(DEVICE(&soc->i2c), 12), "tmp105", 0x48);
+    i2c_create_slave(aspeed_i2c_get_bus(DEVICE(&soc->i2c), 12), "tmp105", 0x4a);
+}
+
 static void witherspoon_bmc_i2c_init(AspeedBoardState *bmc)
 {
     AspeedSoCState *soc = &bmc->soc;
@@ -XXX,XX +XXX,XX @@ static const AspeedBoardConfig aspeed_boards[] = {
         .num_cs    = 2,
         .i2c_init  = romulus_bmc_i2c_init,
         .ram       = 512 * MiB,
+    }, {
+        .name      = MACHINE_TYPE_NAME("swift-bmc"),
+        .desc      = "OpenPOWER Swift BMC (ARM1176)",
+        .soc_name  = "ast2500-a1",
+        .hw_strap1 = SWIFT_BMC_HW_STRAP1,
+        .fmc_model = "mx66l1g45g",
+        .spi_model = "mx66l1g45g",
+        .num_cs    = 2,
+        .i2c_init  = swift_bmc_i2c_init,
+        .ram       = 512 * MiB,
     }, {
         .name      = MACHINE_TYPE_NAME("witherspoon-bmc"),
         .desc      = "OpenPOWER Witherspoon BMC (ARM1176)",
-- 
2.20.1

From: Eddie James <eajames@linux.ibm.com>

The XDMA engine embedded in the Aspeed SOCs performs PCI DMA operations
between the SOC (acting as a BMC) and a host processor in a server.

The XDMA engine exists on the AST2400, AST2500, and AST2600 SOCs, so
enable it for all of those. Add trace events on the important register
writes in the XDMA engine.

Signed-off-by: Eddie James <eajames@linux.ibm.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Message-id: 20190618165311.27066-21-clg@kaod.org
[clg: - changed title ]
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/misc/Makefile.objs         |   1 +
 include/hw/arm/aspeed_soc.h   |   3 +
 include/hw/misc/aspeed_xdma.h |  30 +++++++
 hw/arm/aspeed_soc.c           |  17 ++++
 hw/misc/aspeed_xdma.c         | 165 ++++++++++++++++++++++++++++++++++
 hw/misc/trace-events          |   3 +
 6 files changed, 219 insertions(+)
 create mode 100644 include/hw/misc/aspeed_xdma.h
 create mode 100644 hw/misc/aspeed_xdma.c

diff --git a/hw/misc/Makefile.objs b/hw/misc/Makefile.objs
index XXXXXXX..XXXXXXX 100644
--- a/hw/misc/Makefile.objs
+++ b/hw/misc/Makefile.objs
@@ -XXX,XX +XXX,XX @@ obj-$(CONFIG_ARMSSE_MHU) += armsse-mhu.o
 
 obj-$(CONFIG_PVPANIC) += pvpanic.o
 obj-$(CONFIG_AUX) += auxbus.o
+obj-$(CONFIG_ASPEED_SOC) += aspeed_xdma.o
 obj-$(CONFIG_ASPEED_SOC) += aspeed_scu.o aspeed_sdmc.o
 obj-$(CONFIG_MSF2) += msf2-sysreg.o
 obj-$(CONFIG_NRF51_SOC) += nrf51_rng.o
diff --git a/include/hw/arm/aspeed_soc.h b/include/hw/arm/aspeed_soc.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/aspeed_soc.h
+++ b/include/hw/arm/aspeed_soc.h
@@ -XXX,XX +XXX,XX @@
 #include "hw/intc/aspeed_vic.h"
 #include "hw/misc/aspeed_scu.h"
 #include "hw/misc/aspeed_sdmc.h"
+#include "hw/misc/aspeed_xdma.h"
 #include "hw/timer/aspeed_timer.h"
 #include "hw/timer/aspeed_rtc.h"
 #include "hw/i2c/aspeed_i2c.h"
@@ -XXX,XX +XXX,XX @@ typedef struct AspeedSoCState {
     AspeedTimerCtrlState timerctrl;
     AspeedI2CState i2c;
     AspeedSCUState scu;
+    AspeedXDMAState xdma;
     AspeedSMCState fmc;
     AspeedSMCState spi[ASPEED_SPIS_NUM];
     AspeedSDMCState sdmc;
@@ -XXX,XX +XXX,XX @@ enum {
     ASPEED_ETH1,
     ASPEED_ETH2,
     ASPEED_SDRAM,
+    ASPEED_XDMA,
 };
 
 #endif /* ASPEED_SOC_H */
diff --git a/include/hw/misc/aspeed_xdma.h b/include/hw/misc/aspeed_xdma.h
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/include/hw/misc/aspeed_xdma.h
@@ -XXX,XX +XXX,XX @@
+/*
+ * ASPEED XDMA Controller
+ * Eddie James <eajames@linux.ibm.com>
+ *
+ * Copyright (C) 2019 IBM Corp.
+ * SPDX-License-Identifer: GPL-2.0-or-later
+ */
+
+#ifndef ASPEED_XDMA_H
+#define ASPEED_XDMA_H
+
+#include "hw/sysbus.h"
+
+#define TYPE_ASPEED_XDMA "aspeed.xdma"
+#define ASPEED_XDMA(obj) OBJECT_CHECK(AspeedXDMAState, (obj), TYPE_ASPEED_XDMA)
+
+#define ASPEED_XDMA_NUM_REGS (ASPEED_XDMA_REG_SIZE / sizeof(uint32_t))
+#define ASPEED_XDMA_REG_SIZE 0x7C
+
+typedef struct AspeedXDMAState {
+    SysBusDevice parent;
+
+    MemoryRegion iomem;
+    qemu_irq irq;
+
+    char bmc_cmdq_readp_set;
+    uint32_t regs[ASPEED_XDMA_NUM_REGS];
+} AspeedXDMAState;
+
+#endif /* ASPEED_XDMA_H */
diff --git a/hw/arm/aspeed_soc.c b/hw/arm/aspeed_soc.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/aspeed_soc.c
+++ b/hw/arm/aspeed_soc.c
@@ -XXX,XX +XXX,XX @@ static const hwaddr aspeed_soc_ast2400_memmap[] = {
     [ASPEED_VIC]    = 0x1E6C0000,
     [ASPEED_SDMC]   = 0x1E6E0000,
     [ASPEED_SCU]    = 0x1E6E2000,
+    [ASPEED_XDMA]   = 0x1E6E7000,
     [ASPEED_ADC]    = 0x1E6E9000,
     [ASPEED_SRAM]   = 0x1E720000,
     [ASPEED_GPIO]   = 0x1E780000,
@@ -XXX,XX +XXX,XX @@ static const hwaddr aspeed_soc_ast2500_memmap[] = {
     [ASPEED_VIC]    = 0x1E6C0000,
     [ASPEED_SDMC]   = 0x1E6E0000,
     [ASPEED_SCU]    = 0x1E6E2000,
+    [ASPEED_XDMA]   = 0x1E6E7000,
     [ASPEED_ADC]    = 0x1E6E9000,
     [ASPEED_SRAM]   = 0x1E720000,
     [ASPEED_GPIO]   = 0x1E780000,
@@ -XXX,XX +XXX,XX @@ static const int aspeed_soc_ast2400_irqmap[] = {
     [ASPEED_I2C]    = 12,
     [ASPEED_ETH1]   = 2,
     [ASPEED_ETH2]   = 3,
+    [ASPEED_XDMA]   = 6,
 };
 
 #define aspeed_soc_ast2500_irqmap aspeed_soc_ast2400_irqmap
@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_init(Object *obj)
         sysbus_init_child_obj(obj, "ftgmac100[*]", OBJECT(&s->ftgmac100[i]),
                               sizeof(s->ftgmac100[i]), TYPE_FTGMAC100);
     }
+
+    sysbus_init_child_obj(obj, "xdma", OBJECT(&s->xdma), sizeof(s->xdma),
+                          TYPE_ASPEED_XDMA);
 }
 
 static void aspeed_soc_realize(DeviceState *dev, Error **errp)
@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_realize(DeviceState *dev, Error **errp)
         sysbus_connect_irq(SYS_BUS_DEVICE(&s->ftgmac100[i]), 0,
                            aspeed_soc_get_irq(s, ASPEED_ETH1 + i));
     }
+
+    /* XDMA */
+    object_property_set_bool(OBJECT(&s->xdma), true, "realized", &err);
+    if (err) {
+        error_propagate(errp, err);
+        return;
+    }
+    sysbus_mmio_map(SYS_BUS_DEVICE(&s->xdma), 0,
+                    sc->info->memmap[ASPEED_XDMA]);
+    sysbus_connect_irq(SYS_BUS_DEVICE(&s->xdma), 0,
+                       aspeed_soc_get_irq(s, ASPEED_XDMA));
 }
 static Property aspeed_soc_properties[] = {
     DEFINE_PROP_UINT32("num-cpus", AspeedSoCState, num_cpus, 0),
diff --git a/hw/misc/aspeed_xdma.c b/hw/misc/aspeed_xdma.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/hw/misc/aspeed_xdma.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * ASPEED XDMA Controller
+ * Eddie James <eajames@linux.ibm.com>
+ *
+ * Copyright (C) 2019 IBM Corp
+ * SPDX-License-Identifer: GPL-2.0-or-later
+ */
+
+#include "qemu/osdep.h"
+#include "qemu/log.h"
+#include "qemu/error-report.h"
+#include "hw/misc/aspeed_xdma.h"
+#include "qapi/error.h"
+
+#include "trace.h"
+
+#define XDMA_BMC_CMDQ_ADDR         0x10
+#define XDMA_BMC_CMDQ_ENDP         0x14
+#define XDMA_BMC_CMDQ_WRP          0x18
+#define  XDMA_BMC_CMDQ_W_MASK      0x0003FFFF
+#define XDMA_BMC_CMDQ_RDP          0x1C
+#define  XDMA_BMC_CMDQ_RDP_MAGIC   0xEE882266
+#define XDMA_IRQ_ENG_CTRL          0x20
+#define  XDMA_IRQ_ENG_CTRL_US_COMP BIT(4)
+#define  XDMA_IRQ_ENG_CTRL_DS_COMP BIT(5)
+#define  XDMA_IRQ_ENG_CTRL_W_MASK  0xBFEFF07F
+#define XDMA_IRQ_ENG_STAT          0x24
+#define  XDMA_IRQ_ENG_STAT_US_COMP BIT(4)
+#define  XDMA_IRQ_ENG_STAT_DS_COMP BIT(5)
+#define  XDMA_IRQ_ENG_STAT_RESET   0xF8000000
+#define XDMA_MEM_SIZE              0x1000
+
+#define TO_REG(addr) ((addr) / sizeof(uint32_t))
+
+static uint64_t aspeed_xdma_read(void *opaque, hwaddr addr, unsigned int size)
+{
+    uint32_t val = 0;
+    AspeedXDMAState *xdma = opaque;
+
+    if (addr < ASPEED_XDMA_REG_SIZE) {
+        val = xdma->regs[TO_REG(addr)];
+    }
+
+    return (uint64_t)val;
+}
+
+static void aspeed_xdma_write(void *opaque, hwaddr addr, uint64_t val,
+                              unsigned int size)
+{
+    unsigned int idx;
+    uint32_t val32 = (uint32_t)val;
+    AspeedXDMAState *xdma = opaque;
+
+    if (addr >= ASPEED_XDMA_REG_SIZE) {
+        return;
+    }
+
+    switch (addr) {
+    case XDMA_BMC_CMDQ_ENDP:
+        xdma->regs[TO_REG(addr)] = val32 & XDMA_BMC_CMDQ_W_MASK;
+        break;
+    case XDMA_BMC_CMDQ_WRP:
+        idx = TO_REG(addr);
+        xdma->regs[idx] = val32 & XDMA_BMC_CMDQ_W_MASK;
+        xdma->regs[TO_REG(XDMA_BMC_CMDQ_RDP)] = xdma->regs[idx];
+
+        trace_aspeed_xdma_write(addr, val);
+
+        if (xdma->bmc_cmdq_readp_set) {
+            xdma->bmc_cmdq_readp_set = 0;
+        } else {
+            xdma->regs[TO_REG(XDMA_IRQ_ENG_STAT)] |=
+                XDMA_IRQ_ENG_STAT_US_COMP | XDMA_IRQ_ENG_STAT_DS_COMP;
+
+            if (xdma->regs[TO_REG(XDMA_IRQ_ENG_CTRL)] &
+                (XDMA_IRQ_ENG_CTRL_US_COMP | XDMA_IRQ_ENG_CTRL_DS_COMP))
+                qemu_irq_raise(xdma->irq);
+        }
+        break;
+    case XDMA_BMC_CMDQ_RDP:
+        trace_aspeed_xdma_write(addr, val);
+
+        if (val32 == XDMA_BMC_CMDQ_RDP_MAGIC) {
+            xdma->bmc_cmdq_readp_set = 1;
+        }
+        break;
+    case XDMA_IRQ_ENG_CTRL:
+        xdma->regs[TO_REG(addr)] = val32 & XDMA_IRQ_ENG_CTRL_W_MASK;
+        break;
+    case XDMA_IRQ_ENG_STAT:
+        trace_aspeed_xdma_write(addr, val);
+
+        idx = TO_REG(addr);
+        if (val32 & (XDMA_IRQ_ENG_STAT_US_COMP | XDMA_IRQ_ENG_STAT_DS_COMP)) {
+            xdma->regs[idx] &=
+                ~(XDMA_IRQ_ENG_STAT_US_COMP | XDMA_IRQ_ENG_STAT_DS_COMP);
+            qemu_irq_lower(xdma->irq);
+        }
+        break;
+    default:
+        xdma->regs[TO_REG(addr)] = val32;
+        break;
+    }
+}
+
+static const MemoryRegionOps aspeed_xdma_ops = {
+    .read = aspeed_xdma_read,
+    .write = aspeed_xdma_write,
+    .endianness = DEVICE_NATIVE_ENDIAN,
+    .valid.min_access_size = 4,
+    .valid.max_access_size = 4,
+};
+
+static void aspeed_xdma_realize(DeviceState *dev, Error **errp)
+{
+    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
+    AspeedXDMAState *xdma = ASPEED_XDMA(dev);
+
+    sysbus_init_irq(sbd, &xdma->irq);
+    memory_region_init_io(&xdma->iomem, OBJECT(xdma), &aspeed_xdma_ops, xdma,
+                          TYPE_ASPEED_XDMA, XDMA_MEM_SIZE);
+    sysbus_init_mmio(sbd, &xdma->iomem);
+}
+
+static void aspeed_xdma_reset(DeviceState *dev)
+{
+    AspeedXDMAState *xdma = ASPEED_XDMA(dev);
+
+    xdma->bmc_cmdq_readp_set = 0;
+    memset(xdma->regs, 0, ASPEED_XDMA_REG_SIZE);
+    xdma->regs[TO_REG(XDMA_IRQ_ENG_STAT)] = XDMA_IRQ_ENG_STAT_RESET;
+
+    qemu_irq_lower(xdma->irq);
+}
+
+static const VMStateDescription aspeed_xdma_vmstate = {
+    .name = TYPE_ASPEED_XDMA,
+    .version_id = 1,
+    .fields = (VMStateField[]) {
+        VMSTATE_UINT32_ARRAY(regs, AspeedXDMAState, ASPEED_XDMA_NUM_REGS),
+        VMSTATE_END_OF_LIST(),
+    },
+};
+
+static void aspeed_xdma_class_init(ObjectClass *classp, void *data)
+{
+    DeviceClass *dc = DEVICE_CLASS(classp);
+
+    dc->realize = aspeed_xdma_realize;
+    dc->reset = aspeed_xdma_reset;
+    dc->vmsd = &aspeed_xdma_vmstate;
+}
+
+static const TypeInfo aspeed_xdma_info = {
+    .name          = TYPE_ASPEED_XDMA,
+    .parent        = TYPE_SYS_BUS_DEVICE,
+    .instance_size = sizeof(AspeedXDMAState),
+    .class_init    = aspeed_xdma_class_init,
+};
+
+static void aspeed_xdma_register_type(void)
+{
+    type_register_static(&aspeed_xdma_info);
+}
+type_init(aspeed_xdma_register_type);
diff --git a/hw/misc/trace-events b/hw/misc/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/hw/misc/trace-events
+++ b/hw/misc/trace-events
@@ -XXX,XX +XXX,XX @@ armsse_cpuid_write(uint64_t offset, uint64_t data, unsigned size) "SSE-200 CPU_I
 # armsse-mhu.c
 armsse_mhu_read(uint64_t offset, uint64_t data, unsigned size) "SSE-200 MHU read: offset 0x%" PRIx64 " data 0x%" PRIx64 " size %u"
 armsse_mhu_write(uint64_t offset, uint64_t data, unsigned size) "SSE-200 MHU write: offset 0x%" PRIx64 " data 0x%" PRIx64 " size %u"
+
+# aspeed_xdma.c
+aspeed_xdma_write(uint64_t offset, uint64_t data) "XDMA write: offset 0x%" PRIx64 " data 0x%" PRIx64
-- 
2.20.1

From: Andrew Jeffery <andrew@aj.id.au>

The legacy interface only supported up to 32 IRQs, which became
restrictive around the AST2400 generation. QEMU support for the SoCs
started with the AST2400 along with an effort to reimplement and
upstream drivers for Linux, so up until this point the consumers of the
QEMU ASPEED support only required the 64 IRQ register interface.

In an effort to support older BMC firmware, add support for the 32 IRQ
interface.

Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Joel Stanley <joel@jms.id.au>
Message-id: 20190618165311.27066-22-clg@kaod.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/intc/aspeed_vic.c | 105 ++++++++++++++++++++++++++-----------------
 1 file changed, 63 insertions(+), 42 deletions(-)

diff --git a/hw/intc/aspeed_vic.c b/hw/intc/aspeed_vic.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/aspeed_vic.c
+++ b/hw/intc/aspeed_vic.c
@@ -XXX,XX +XXX,XX @@ static void aspeed_vic_set_irq(void *opaque, int irq, int level)
 
 static uint64_t aspeed_vic_read(void *opaque, hwaddr offset, unsigned size)
 {
-    uint64_t val;
-    const bool high = !!(offset & 0x4);
-    hwaddr n_offset = (offset & ~0x4);
     AspeedVICState *s = (AspeedVICState *)opaque;
+    hwaddr n_offset;
+    uint64_t val;
+    bool high;
 
     if (offset < AVIC_NEW_BASE_OFFSET) {
-        qemu_log_mask(LOG_UNIMP, "%s: Ignoring read from legacy registers "
-                      "at 0x%" HWADDR_PRIx "[%u]\n", __func__, offset, size);
-        return 0;
+        high = false;
+        n_offset = offset;
+    } else {
+        high = !!(offset & 0x4);
+        n_offset = (offset & ~0x4);
     }
 
-    n_offset -= AVIC_NEW_BASE_OFFSET;
-
     switch (n_offset) {
-    case 0x0: /* IRQ Status */
+    case 0x80: /* IRQ Status */
+    case 0x00:
         val = s->raw & ~s->select & s->enable;
         break;
-    case 0x08: /* FIQ Status */
+    case 0x88: /* FIQ Status */
+    case 0x04:
         val = s->raw & s->select & s->enable;
         break;
-    case 0x10: /* Raw Interrupt Status */
+    case 0x90: /* Raw Interrupt Status */
+    case 0x08:
         val = s->raw;
         break;
-    case 0x18: /* Interrupt Selection */
+    case 0x98: /* Interrupt Selection */
+    case 0x0c:
         val = s->select;
         break;
-    case 0x20: /* Interrupt Enable */
+    case 0xa0: /* Interrupt Enable */
+    case 0x10:
         val = s->enable;
         break;
-    case 0x30: /* Software Interrupt */
+    case 0xb0: /* Software Interrupt */
+    case 0x18:
         val = s->trigger;
         break;
-    case 0x40: /* Interrupt Sensitivity */
+    case 0xc0: /* Interrupt Sensitivity */
+    case 0x24:
         val = s->sense;
         break;
-    case 0x48: /* Interrupt Both Edge Trigger Control */
+    case 0xc8: /* Interrupt Both Edge Trigger Control */
+    case 0x28:
         val = s->dual_edge;
         break;
-    case 0x50: /* Interrupt Event */
+    case 0xd0: /* Interrupt Event */
+    case 0x2c:
         val = s->event;
         break;
-    case 0x60: /* Edge Triggered Interrupt Status */
+    case 0xe0: /* Edge Triggered Interrupt Status */
         val = s->raw & ~s->sense;
         break;
         /* Illegal */
-    case 0x28: /* Interrupt Enable Clear */
-    case 0x38: /* Software Interrupt Clear */
-    case 0x58: /* Edge Triggered Interrupt Clear */
+    case 0xa8: /* Interrupt Enable Clear */
+    case 0xb8: /* Software Interrupt Clear */
+    case 0xd8: /* Edge Triggered Interrupt Clear */
         qemu_log_mask(LOG_GUEST_ERROR,
                       "%s: Read of write-only register with offset 0x%"
                       HWADDR_PRIx "\n", __func__, offset);
@@ -XXX,XX +XXX,XX @@ static uint64_t aspeed_vic_read(void *opaque, hwaddr offset, unsigned size)
     }
     if (high) {
         val = extract64(val, 32, 19);
+    } else {
+        val = extract64(val, 0, 32);
     }
     trace_aspeed_vic_read(offset, size, val);
     return val;
@@ -XXX,XX +XXX,XX @@ static uint64_t aspeed_vic_read(void *opaque, hwaddr offset, unsigned size)
 static void aspeed_vic_write(void *opaque, hwaddr offset, uint64_t data,
                              unsigned size)
 {
-    const bool high = !!(offset & 0x4);
-    hwaddr n_offset = (offset & ~0x4);
     AspeedVICState *s = (AspeedVICState *)opaque;
+    hwaddr n_offset;
+    bool high;
 
     if (offset < AVIC_NEW_BASE_OFFSET) {
-        qemu_log_mask(LOG_UNIMP,
-                      "%s: Ignoring write to legacy registers at 0x%"
-                      HWADDR_PRIx "[%u] <- 0x%" PRIx64 "\n", __func__, offset,
-                      size, data);
-        return;
+        high = false;
+        n_offset = offset;
+    } else {
+        high = !!(offset & 0x4);
+        n_offset = (offset & ~0x4);
     }
 
-    n_offset -= AVIC_NEW_BASE_OFFSET;
     trace_aspeed_vic_write(offset, size, data);
 
     /* Given we have members using separate enable/clear registers, deposit64()
@@ -XXX,XX +XXX,XX @@ static void aspeed_vic_write(void *opaque, hwaddr offset, uint64_t data,
     }
 
     switch (n_offset) {
-    case 0x18: /* Interrupt Selection */
+    case 0x98: /* Interrupt Selection */
+    case 0x0c:
         /* Register has deposit64() semantics - overwrite requested 32 bits */
         if (high) {
             s->select &= AVIC_L_MASK;
@@ -XXX,XX +XXX,XX @@ static void aspeed_vic_write(void *opaque, hwaddr offset, uint64_t data,
         }
         s->select |= data;
         break;
-    case 0x20: /* Interrupt Enable */
+    case 0xa0: /* Interrupt Enable */
+    case 0x10:
         s->enable |= data;
         break;
-    case 0x28: /* Interrupt Enable Clear */
+    case 0xa8: /* Interrupt Enable Clear */
+    case 0x14:
         s->enable &= ~data;
         break;
-    case 0x30: /* Software Interrupt */
+    case 0xb0: /* Software Interrupt */
+    case 0x18:
         qemu_log_mask(LOG_UNIMP, "%s: Software interrupts unavailable. "
                       "IRQs requested: 0x%016" PRIx64 "\n", __func__, data);
         break;
-    case 0x38: /* Software Interrupt Clear */
+    case 0xb8: /* Software Interrupt Clear */
+    case 0x1c:
         qemu_log_mask(LOG_UNIMP, "%s: Software interrupts unavailable. "
                       "IRQs to be cleared: 0x%016" PRIx64 "\n", __func__, data);
         break;
-    case 0x50: /* Interrupt Event */
+    case 0xd0: /* Interrupt Event */
         /* Register has deposit64() semantics - overwrite the top four valid
          * IRQ bits, as only the top four IRQs (GPIOs) can change their event
          * type */
@@ -XXX,XX +XXX,XX @@ static void aspeed_vic_write(void *opaque, hwaddr offset, uint64_t data,
                           "Ignoring invalid write to interrupt event register");
         }
         break;
-    case 0x58: /* Edge Triggered Interrupt Clear */
+    case 0xd8: /* Edge Triggered Interrupt Clear */
+    case 0x38:
         s->raw &= ~(data & ~s->sense);
         break;
-    case 0x00: /* IRQ Status */
-    case 0x08: /* FIQ Status */
-    case 0x10: /* Raw Interrupt Status */
-    case 0x40: /* Interrupt Sensitivity */
-    case 0x48: /* Interrupt Both Edge Trigger Control */
-    case 0x60: /* Edge Triggered Interrupt Status */
+    case 0x80: /* IRQ Status */
+    case 0x00:
+    case 0x88: /* FIQ Status */
+    case 0x04:
+    case 0x90: /* Raw Interrupt Status */
+    case 0x08:
+    case 0xc0: /* Interrupt Sensitivity */
+    case 0x24:
+    case 0xc8: /* Interrupt Both Edge Trigger Control */
+    case 0x28:
+    case 0xe0: /* Edge Triggered Interrupt Status */
         qemu_log_mask(LOG_GUEST_ERROR,
                       "%s: Write of read-only register with offset 0x%"
                       HWADDR_PRIx "\n", __func__, offset);
-- 
2.20.1

From: Joel Stanley <joel@jms.id.au>

The ast2500 uses the watchdog to reset the SDRAM controller. This
operation is usually performed by u-boot's memory training procedure,
and it is enabled by setting a bit in the SCU and then causing the
watchdog to expire. Therefore, we need the watchdog to be able to
access the SCU's register space.

This causes the watchdog to not perform a system reset when the bit is
set. In the future it could perform a reset of the SDMC model.

Signed-off-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190621065242.32535-1-joel@jms.id.au
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/watchdog/wdt_aspeed.h |  1 +
 hw/arm/aspeed_soc.c              |  2 ++
 hw/watchdog/wdt_aspeed.c         | 20 ++++++++++++++++++++
 3 files changed, 23 insertions(+)

diff --git a/include/hw/watchdog/wdt_aspeed.h b/include/hw/watchdog/wdt_aspeed.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/watchdog/wdt_aspeed.h
+++ b/include/hw/watchdog/wdt_aspeed.h
@@ -XXX,XX +XXX,XX @@ typedef struct AspeedWDTState {
     MemoryRegion iomem;
     uint32_t regs[ASPEED_WDT_REGS_MAX];
 
+    AspeedSCUState *scu;
     uint32_t pclk_freq;
     uint32_t silicon_rev;
     uint32_t ext_pulse_width_mask;
diff --git a/hw/arm/aspeed_soc.c b/hw/arm/aspeed_soc.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/aspeed_soc.c
+++ b/hw/arm/aspeed_soc.c
@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_init(Object *obj)
                               sizeof(s->wdt[i]), TYPE_ASPEED_WDT);
         qdev_prop_set_uint32(DEVICE(&s->wdt[i]), "silicon-rev",
                                     sc->info->silicon_rev);
+        object_property_add_const_link(OBJECT(&s->wdt[i]), "scu",
+                                       OBJECT(&s->scu), &error_abort);
     }
 
     for (i = 0; i < ASPEED_MACS_NUM; i++) {
diff --git a/hw/watchdog/wdt_aspeed.c b/hw/watchdog/wdt_aspeed.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/watchdog/wdt_aspeed.c
+++ b/hw/watchdog/wdt_aspeed.c
@@ -XXX,XX +XXX,XX @@
 
 #define WDT_RESTART_MAGIC               0x4755
 
+#define SCU_RESET_CONTROL1              (0x04 / 4)
+#define    SCU_RESET_SDRAM              BIT(0)
+
 static bool aspeed_wdt_is_enabled(const AspeedWDTState *s)
 {
     return s->regs[WDT_CTRL] & WDT_CTRL_ENABLE;
@@ -XXX,XX +XXX,XX @@ static void aspeed_wdt_timer_expired(void *dev)
 {
     AspeedWDTState *s = ASPEED_WDT(dev);
 
+    /* Do not reset on SDRAM controller reset */
+    if (s->scu->regs[SCU_RESET_CONTROL1] & SCU_RESET_SDRAM) {
+        timer_del(s->timer);
+        s->regs[WDT_CTRL] = 0;
+        return;
+    }
+
     qemu_log_mask(CPU_LOG_RESET, "Watchdog timer expired.\n");
     watchdog_perform_action();
     timer_del(s->timer);
@@ -XXX,XX +XXX,XX @@ static void aspeed_wdt_realize(DeviceState *dev, Error **errp)
 {
     SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
     AspeedWDTState *s = ASPEED_WDT(dev);
+    Error *err = NULL;
+    Object *obj;
+
+    obj = object_property_get_link(OBJECT(dev), "scu", &err);
+    if (!obj) {
+        error_propagate(errp, err);
+        error_prepend(errp, "required link 'scu' not found: ");
+        return;
+    }
+    s->scu = ASPEED_SCU(obj);
 
     if (!is_supported_silicon_rev(s->silicon_rev)) {
         error_setg(errp, "Unknown silicon revision: 0x%" PRIx32,
-- 
2.20.1

From: Hongbo Zhang <hongbo.zhang@linaro.org>

For AArch64, the existing "virt" machine is primarily meant to
run on KVM and execute virtualization workloads, but we need an
environment as faithful as possible to physical hardware, for supporting
firmware and OS development for physical Aarch64 machines.

This patch introduces new machine type 'sbsa-ref' with main features:
 - Based on 'virt' machine type.
 - A new memory map.
 - CPU type cortex-a57.
 - EL2 and EL3 are enabled.
 - GIC version 3.
 - System bus AHCI controller.
 - System bus EHCI controller.
 - CDROM and hard disc on AHCI bus.
 - E1000E ethernet card on PCIE bus.
 - VGA display adaptor on PCIE bus.
 - No virtio devices.
 - No fw_cfg device.
 - No ACPI table supplied.
 - Only minimal device tree nodes.

Arm Trusted Firmware and UEFI porting to this are done accordingly,
and the firmware should supply ACPI tables to the guest OS.  The
minimal device tree nodes supplied by QEMU for this platform are only
to pass the dynamic info reflecting command line input to firmware,
not for loading the guest OS.

To make the review easier, this task is split into two patches, the
fundamental skeleton part and the peripheral devices part; this patch is
the first part.

Signed-off-by: Hongbo Zhang <hongbo.zhang@linaro.org>
Message-id: 1561890034-15921-2-git-send-email-hongbo.zhang@linaro.org
[PMM: commit message tweaks; moved some bits between patch 1 and 2
 to ensure patch 1 builds cleanly; removed unneeded lines from
 Kconfig stanza; only provide board for qemu-system-aarch64, not
 qemu-system-arm; added MAINTAINERS entry]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/Makefile.objs                |   1 +
 hw/arm/sbsa-ref.c                   | 271 ++++++++++++++++++++++++++++
 MAINTAINERS                         |   8 +
 default-configs/aarch64-softmmu.mak |   1 +
 hw/arm/Kconfig                      |  14 ++
 5 files changed, 295 insertions(+)
 create mode 100644 hw/arm/sbsa-ref.c

diff --git a/hw/arm/Makefile.objs b/hw/arm/Makefile.objs
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/Makefile.objs
+++ b/hw/arm/Makefile.objs
@@ -XXX,XX +XXX,XX @@ obj-$(CONFIG_SPITZ) += spitz.o
 obj-$(CONFIG_TOSA) += tosa.o
 obj-$(CONFIG_Z2) += z2.o
 obj-$(CONFIG_REALVIEW) += realview.o
+obj-$(CONFIG_SBSA_REF) += sbsa-ref.o
 obj-$(CONFIG_STELLARIS) += stellaris.o
 obj-$(CONFIG_COLLIE) += collie.o
 obj-$(CONFIG_VERSATILE) += versatilepb.o
diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/hw/arm/sbsa-ref.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * ARM SBSA Reference Platform emulation
+ *
+ * Copyright (c) 2018 Linaro Limited
+ * Written by Hongbo Zhang <hongbo.zhang@linaro.org>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2 or later, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "qemu/osdep.h"
+#include "qapi/error.h"
+#include "qemu/error-report.h"
+#include "qemu/units.h"
+#include "sysemu/numa.h"
+#include "sysemu/sysemu.h"
+#include "exec/address-spaces.h"
+#include "exec/hwaddr.h"
+#include "kvm_arm.h"
+#include "hw/arm/boot.h"
+#include "hw/boards.h"
+#include "hw/intc/arm_gicv3_common.h"
+
+#define RAMLIMIT_GB 8192
+#define RAMLIMIT_BYTES (RAMLIMIT_GB * GiB)
+
+enum {
+    SBSA_FLASH,
+    SBSA_MEM,
+    SBSA_CPUPERIPHS,
+    SBSA_GIC_DIST,
+    SBSA_GIC_REDIST,
+    SBSA_SMMU,
+    SBSA_UART,
+    SBSA_RTC,
+    SBSA_PCIE,
+    SBSA_PCIE_MMIO,
+    SBSA_PCIE_MMIO_HIGH,
+    SBSA_PCIE_PIO,
+    SBSA_PCIE_ECAM,
+    SBSA_GPIO,
+    SBSA_SECURE_UART,
+    SBSA_SECURE_UART_MM,
+    SBSA_SECURE_MEM,
+    SBSA_AHCI,
+    SBSA_EHCI,
+};
+
+typedef struct MemMapEntry {
+    hwaddr base;
+    hwaddr size;
+} MemMapEntry;
+
+typedef struct {
+    MachineState parent;
+    struct arm_boot_info bootinfo;
+    int smp_cpus;
+    void *fdt;
+    int fdt_size;
+    int psci_conduit;
+} SBSAMachineState;
+
+#define TYPE_SBSA_MACHINE   MACHINE_TYPE_NAME("sbsa-ref")
+#define SBSA_MACHINE(obj) \
+    OBJECT_CHECK(SBSAMachineState, (obj), TYPE_SBSA_MACHINE)
+
+static const MemMapEntry sbsa_ref_memmap[] = {
+    /* 512M boot ROM */
+    [SBSA_FLASH] =              {          0, 0x20000000 },
+    /* 512M secure memory */
+    [SBSA_SECURE_MEM] =         { 0x20000000, 0x20000000 },
+    /* Space reserved for CPU peripheral devices */
+    [SBSA_CPUPERIPHS] =         { 0x40000000, 0x00040000 },
+    [SBSA_GIC_DIST] =           { 0x40060000, 0x00010000 },
+    [SBSA_GIC_REDIST] =         { 0x40080000, 0x04000000 },
+    [SBSA_UART] =               { 0x60000000, 0x00001000 },
+    [SBSA_RTC] =                { 0x60010000, 0x00001000 },
+    [SBSA_GPIO] =               { 0x60020000, 0x00001000 },
+    [SBSA_SECURE_UART] =        { 0x60030000, 0x00001000 },
+    [SBSA_SECURE_UART_MM] =     { 0x60040000, 0x00001000 },
+    [SBSA_SMMU] =               { 0x60050000, 0x00020000 },
+    /* Space here reserved for more SMMUs */
+    [SBSA_AHCI] =               { 0x60100000, 0x00010000 },
+    [SBSA_EHCI] =               { 0x60110000, 0x00010000 },
+    /* Space here reserved for other devices */
+    [SBSA_PCIE_PIO] =           { 0x7fff0000, 0x00010000 },
+    /* 32-bit address PCIE MMIO space */
+    [SBSA_PCIE_MMIO] =          { 0x80000000, 0x70000000 },
+    /* 256M PCIE ECAM space */
+    [SBSA_PCIE_ECAM] =          { 0xf0000000, 0x10000000 },
+    /* ~1TB PCIE MMIO space (4GB to 1024GB boundary) */
+    [SBSA_PCIE_MMIO_HIGH] =     { 0x100000000ULL, 0xFF00000000ULL },
+    [SBSA_MEM] =                { 0x10000000000ULL, RAMLIMIT_BYTES },
+};
+
+static void sbsa_ref_init(MachineState *machine)
+{
+    SBSAMachineState *sms = SBSA_MACHINE(machine);
+    MachineClass *mc = MACHINE_GET_CLASS(machine);
+    MemoryRegion *sysmem = get_system_memory();
+    MemoryRegion *secure_sysmem = NULL;
+    MemoryRegion *ram = g_new(MemoryRegion, 1);
+    const CPUArchIdList *possible_cpus;
+    int n, sbsa_max_cpus;
+
+    if (strcmp(machine->cpu_type, ARM_CPU_TYPE_NAME("cortex-a57"))) {
+        error_report("sbsa-ref: CPU type other than the built-in "
+                     "cortex-a57 not supported");
+        exit(1);
+    }
+
+    if (kvm_enabled()) {
+        error_report("sbsa-ref: KVM is not supported for this machine");
+        exit(1);
+    }
+
+    /*
+     * This machine has EL3 enabled, external firmware should supply PSCI
+     * implementation, so the QEMU's internal PSCI is disabled.
+     */
+    sms->psci_conduit = QEMU_PSCI_CONDUIT_DISABLED;
+
+    sbsa_max_cpus = sbsa_ref_memmap[SBSA_GIC_REDIST].size / GICV3_REDIST_SIZE;
+
+    if (max_cpus > sbsa_max_cpus) {
+        error_report("Number of SMP CPUs requested (%d) exceeds max CPUs "
+                     "supported by machine 'sbsa-ref' (%d)",
+                     max_cpus, sbsa_max_cpus);
+        exit(1);
+    }
+
+    sms->smp_cpus = smp_cpus;
+
+    if (machine->ram_size > sbsa_ref_memmap[SBSA_MEM].size) {
+        error_report("sbsa-ref: cannot model more than %dGB RAM", RAMLIMIT_GB);
+        exit(1);
+    }
+
+    possible_cpus = mc->possible_cpu_arch_ids(machine);
+    for (n = 0; n < possible_cpus->len; n++) {
+        Object *cpuobj;
+        CPUState *cs;
+
+        if (n >= smp_cpus) {
+            break;
+        }
+
+        cpuobj = object_new(possible_cpus->cpus[n].type);
+        object_property_set_int(cpuobj, possible_cpus->cpus[n].arch_id,
+                                "mp-affinity", NULL);
+
+        cs = CPU(cpuobj);
+        cs->cpu_index = n;
+
+        numa_cpu_pre_plug(&possible_cpus->cpus[cs->cpu_index], DEVICE(cpuobj),
+                          &error_fatal);
+
+        if (object_property_find(cpuobj, "reset-cbar", NULL)) {
+            object_property_set_int(cpuobj,
+                                    sbsa_ref_memmap[SBSA_CPUPERIPHS].base,
+                                    "reset-cbar", &error_abort);
+        }
+
+        object_property_set_link(cpuobj, OBJECT(sysmem), "memory",
+                                 &error_abort);
+
+        object_property_set_link(cpuobj, OBJECT(secure_sysmem),
+                                 "secure-memory", &error_abort);
+
+        object_property_set_bool(cpuobj, true, "realized", &error_fatal);
+        object_unref(cpuobj);
+    }
+
+    memory_region_allocate_system_memory(ram, NULL, "sbsa-ref.ram",
+                                         machine->ram_size);
+    memory_region_add_subregion(sysmem, sbsa_ref_memmap[SBSA_MEM].base, ram);
+
+    sms->bootinfo.ram_size = machine->ram_size;
+    sms->bootinfo.kernel_filename = machine->kernel_filename;
+    sms->bootinfo.nb_cpus = smp_cpus;
+    sms->bootinfo.board_id = -1;
+    sms->bootinfo.loader_start = sbsa_ref_memmap[SBSA_MEM].base;
+    arm_load_kernel(ARM_CPU(first_cpu), &sms->bootinfo);
+}
+
+static uint64_t sbsa_ref_cpu_mp_affinity(SBSAMachineState *sms, int idx)
+{
+    uint8_t clustersz = ARM_DEFAULT_CPUS_PER_CLUSTER;
+    return arm_cpu_mp_affinity(idx, clustersz);
+}
+
+static const CPUArchIdList *sbsa_ref_possible_cpu_arch_ids(MachineState *ms)
+{
+    SBSAMachineState *sms = SBSA_MACHINE(ms);
+    int n;
+
+    if (ms->possible_cpus) {
+        assert(ms->possible_cpus->len == max_cpus);
+        return ms->possible_cpus;
+    }
+
+    ms->possible_cpus = g_malloc0(sizeof(CPUArchIdList) +
+                                  sizeof(CPUArchId) * max_cpus);
+    ms->possible_cpus->len = max_cpus;
+    for (n = 0; n < ms->possible_cpus->len; n++) {
+        ms->possible_cpus->cpus[n].type = ms->cpu_type;
+        ms->possible_cpus->cpus[n].arch_id =
+            sbsa_ref_cpu_mp_affinity(sms, n);
+        ms->possible_cpus->cpus[n].props.has_thread_id = true;
+        ms->possible_cpus->cpus[n].props.thread_id = n;
+    }
+    return ms->possible_cpus;
+}
+
+static CpuInstanceProperties
+sbsa_ref_cpu_index_to_props(MachineState *ms, unsigned cpu_index)
+{
+    MachineClass *mc = MACHINE_GET_CLASS(ms);
+    const CPUArchIdList *possible_cpus = mc->possible_cpu_arch_ids(ms);
+
+    assert(cpu_index < possible_cpus->len);
+    return possible_cpus->cpus[cpu_index].props;
+}
+
+static int64_t
+sbsa_ref_get_default_cpu_node_id(const MachineState *ms, int idx)
+{
+    return idx % nb_numa_nodes;
+}
+
+static void sbsa_ref_class_init(ObjectClass *oc, void *data)
+{
+    MachineClass *mc = MACHINE_CLASS(oc);
+
+    mc->init = sbsa_ref_init;
+    mc->desc = "QEMU 'SBSA Reference' ARM Virtual Machine";
+    mc->default_cpu_type = ARM_CPU_TYPE_NAME("cortex-a57");
+    mc->max_cpus = 512;
+    mc->pci_allow_0_address = true;
+    mc->minimum_page_bits = 12;
+    mc->block_default_type = IF_IDE;
+    mc->no_cdrom = 1;
+    mc->default_ram_size = 1 * GiB;
+    mc->default_cpus = 4;
+    mc->possible_cpu_arch_ids = sbsa_ref_possible_cpu_arch_ids;
+    mc->cpu_index_to_instance_props = sbsa_ref_cpu_index_to_props;
+    mc->get_default_cpu_node_id = sbsa_ref_get_default_cpu_node_id;
+}
+
+static const TypeInfo sbsa_ref_info = {
+    .name          = TYPE_SBSA_MACHINE,
+    .parent        = TYPE_MACHINE,
+    .class_init    = sbsa_ref_class_init,
+    .instance_size = sizeof(SBSAMachineState),
+};
+
+static void sbsa_ref_machine_init(void)
+{
+    type_register_static(&sbsa_ref_info);
+}
+
+type_init(sbsa_ref_machine_init);
diff --git a/MAINTAINERS b/MAINTAINERS
index XXXXXXX..XXXXXXX 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -XXX,XX +XXX,XX @@ F: include/hw/arm/fsl-imx6.h
 F: include/hw/misc/imx6_*.h
 F: include/hw/ssi/imx_spi.h
 
+SBSA-REF
+M: Radoslaw Biernacki <radoslaw.biernacki@linaro.org>
+M: Peter Maydell <peter.maydell@linaro.org>
+R: Leif Lindholm <leif.lindholm@linaro.org>
+L: qemu-arm@nongnu.org
+S: Maintained
+F: hw/arm/sbsa-ref.c
+
 Sharp SL-5500 (Collie) PDA
 M: Peter Maydell <peter.maydell@linaro.org>
 L: qemu-arm@nongnu.org
diff --git a/default-configs/aarch64-softmmu.mak b/default-configs/aarch64-softmmu.mak
index XXXXXXX..XXXXXXX 100644
--- a/default-configs/aarch64-softmmu.mak
+++ b/default-configs/aarch64-softmmu.mak
@@ -XXX,XX +XXX,XX @@ include arm-softmmu.mak
 
 CONFIG_XLNX_ZYNQMP_ARM=y
 CONFIG_XLNX_VERSAL=y
+CONFIG_SBSA_REF=y
diff --git a/hw/arm/Kconfig b/hw/arm/Kconfig
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/Kconfig
+++ b/hw/arm/Kconfig
@@ -XXX,XX +XXX,XX @@ config REALVIEW
     select DS1338 # I2C RTC+NVRAM
     select USB_OHCI
 
+config SBSA_REF
+    bool
+    imply PCI_DEVICES
+    select AHCI
+    select ARM_SMMUV3
+    select GPIO_KEY
+    select PCI_EXPRESS
+    select PCI_EXPRESS_GENERIC_BRIDGE
+    select PFLASH_CFI01
+    select PL011 # UART
+    select PL031 # RTC
+    select PL061 # GPIO
+    select USB_EHCI_SYSBUS
+
 config SABRELITE
     bool
     select FSL_IMX6
-- 
2.20.1

From: Hongbo Zhang <hongbo.zhang@linaro.org>

Following the previous patch, this patch adds peripheral devices to the
newly introduced SBSA-ref machine.

Signed-off-by: Hongbo Zhang <hongbo.zhang@linaro.org>
Message-id: 1561890034-15921-3-git-send-email-hongbo.zhang@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/sbsa-ref.c | 535 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 535 insertions(+)

diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/sbsa-ref.c
+++ b/hw/arm/sbsa-ref.c
@@ -XXX,XX +XXX,XX @@
  */
 
 #include "qemu/osdep.h"
+#include "qemu-common.h"
 #include "qapi/error.h"
 #include "qemu/error-report.h"
 #include "qemu/units.h"
+#include "sysemu/device_tree.h"
 #include "sysemu/numa.h"
 #include "sysemu/sysemu.h"
 #include "exec/address-spaces.h"
 #include "exec/hwaddr.h"
 #include "kvm_arm.h"
 #include "hw/arm/boot.h"
+#include "hw/block/flash.h"
 #include "hw/boards.h"
+#include "hw/ide/internal.h"
+#include "hw/ide/ahci_internal.h"
 #include "hw/intc/arm_gicv3_common.h"
+#include "hw/loader.h"
+#include "hw/pci-host/gpex.h"
+#include "hw/usb.h"
+#include "net/net.h"
 
 #define RAMLIMIT_GB 8192
 #define RAMLIMIT_BYTES (RAMLIMIT_GB * GiB)
 
+#define NUM_IRQS        256
+#define NUM_SMMU_IRQS   4
+#define NUM_SATA_PORTS  6
+
+#define VIRTUAL_PMU_IRQ        7
+#define ARCH_GIC_MAINT_IRQ     9
+#define ARCH_TIMER_VIRT_IRQ    11
+#define ARCH_TIMER_S_EL1_IRQ   13
+#define ARCH_TIMER_NS_EL1_IRQ  14
+#define ARCH_TIMER_NS_EL2_IRQ  10
+
 enum {
     SBSA_FLASH,
     SBSA_MEM,
@@ -XXX,XX +XXX,XX @@ typedef struct {
     void *fdt;
     int fdt_size;
     int psci_conduit;
+    PFlashCFI01 *flash[2];
 } SBSAMachineState;
 
 #define TYPE_SBSA_MACHINE   MACHINE_TYPE_NAME("sbsa-ref")
@@ -XXX,XX +XXX,XX @@ static const MemMapEntry sbsa_ref_memmap[] = {
     [SBSA_MEM] =                { 0x10000000000ULL, RAMLIMIT_BYTES },
 };
 
+static const int sbsa_ref_irqmap[] = {
+    [SBSA_UART] = 1,
+    [SBSA_RTC] = 2,
+    [SBSA_PCIE] = 3, /* ... to 6 */
+    [SBSA_GPIO] = 7,
+    [SBSA_SECURE_UART] = 8,
+    [SBSA_SECURE_UART_MM] = 9,
+    [SBSA_AHCI] = 10,
+    [SBSA_EHCI] = 11,
+};
+
+/*
+ * Firmware on this machine only uses ACPI table to load OS, these limited
+ * device tree nodes are just to let firmware know the info which varies from
+ * command line parameters, so it is not necessary to be fully compatible
+ * with the kernel CPU and NUMA binding rules.
+ */
+static void create_fdt(SBSAMachineState *sms)
+{
+    void *fdt = create_device_tree(&sms->fdt_size);
+    const MachineState *ms = MACHINE(sms);
+    int cpu;
+
+    if (!fdt) {
+        error_report("create_device_tree() failed");
+        exit(1);
+    }
+
+    sms->fdt = fdt;
+
+    qemu_fdt_setprop_string(fdt, "/", "compatible", "linux,sbsa-ref");
+    qemu_fdt_setprop_cell(fdt, "/", "#address-cells", 0x2);
+    qemu_fdt_setprop_cell(fdt, "/", "#size-cells", 0x2);
+
+    if (have_numa_distance) {
+        int size = nb_numa_nodes * nb_numa_nodes * 3 * sizeof(uint32_t);
+        uint32_t *matrix = g_malloc0(size);
+        int idx, i, j;
+
+        for (i = 0; i < nb_numa_nodes; i++) {
+            for (j = 0; j < nb_numa_nodes; j++) {
+                idx = (i * nb_numa_nodes + j) * 3;
+                matrix[idx + 0] = cpu_to_be32(i);
+                matrix[idx + 1] = cpu_to_be32(j);
+                matrix[idx + 2] = cpu_to_be32(numa_info[i].distance[j]);
+            }
+        }
+
+        qemu_fdt_add_subnode(fdt, "/distance-map");
+        qemu_fdt_setprop(fdt, "/distance-map", "distance-matrix",
+                         matrix, size);
+        g_free(matrix);
+    }
+
+    qemu_fdt_add_subnode(sms->fdt, "/cpus");
+
+    for (cpu = sms->smp_cpus - 1; cpu >= 0; cpu--) {
+        char *nodename = g_strdup_printf("/cpus/cpu@%d", cpu);
+        ARMCPU *armcpu = ARM_CPU(qemu_get_cpu(cpu));
+        CPUState *cs = CPU(armcpu);
+
+        qemu_fdt_add_subnode(sms->fdt, nodename);
+
+        if (ms->possible_cpus->cpus[cs->cpu_index].props.has_node_id) {
+            qemu_fdt_setprop_cell(sms->fdt, nodename, "numa-node-id",
+                ms->possible_cpus->cpus[cs->cpu_index].props.node_id);
+        }
+
+        g_free(nodename);
+    }
+}
+
+#define SBSA_FLASH_SECTOR_SIZE (256 * KiB)
+
+static PFlashCFI01 *sbsa_flash_create1(SBSAMachineState *sms,
+                                        const char *name,
+                                        const char *alias_prop_name)
+{
+    /*
+     * Create a single flash device.  We use the same parameters as
+     * the flash devices on the Versatile Express board.
+     */
+    DeviceState *dev = qdev_create(NULL, TYPE_PFLASH_CFI01);
+
+    qdev_prop_set_uint64(dev, "sector-length", SBSA_FLASH_SECTOR_SIZE);
+    qdev_prop_set_uint8(dev, "width", 4);
+    qdev_prop_set_uint8(dev, "device-width", 2);
+    qdev_prop_set_bit(dev, "big-endian", false);
+    qdev_prop_set_uint16(dev, "id0", 0x89);
+    qdev_prop_set_uint16(dev, "id1", 0x18);
+    qdev_prop_set_uint16(dev, "id2", 0x00);
+    qdev_prop_set_uint16(dev, "id3", 0x00);
+    qdev_prop_set_string(dev, "name", name);
+    object_property_add_child(OBJECT(sms), name, OBJECT(dev),
+                              &error_abort);
+    object_property_add_alias(OBJECT(sms), alias_prop_name,
+                              OBJECT(dev), "drive", &error_abort);
+    return PFLASH_CFI01(dev);
+}
+
+static void sbsa_flash_create(SBSAMachineState *sms)
+{
+    sms->flash[0] = sbsa_flash_create1(sms, "sbsa.flash0", "pflash0");
+    sms->flash[1] = sbsa_flash_create1(sms, "sbsa.flash1", "pflash1");
+}
+
+static void sbsa_flash_map1(PFlashCFI01 *flash,
+                            hwaddr base, hwaddr size,
+                            MemoryRegion *sysmem)
+{
+    DeviceState *dev = DEVICE(flash);
+
+    assert(size % SBSA_FLASH_SECTOR_SIZE == 0);
+    assert(size / SBSA_FLASH_SECTOR_SIZE <= UINT32_MAX);
+    qdev_prop_set_uint32(dev, "num-blocks", size / SBSA_FLASH_SECTOR_SIZE);
+    qdev_init_nofail(dev);
+
+    memory_region_add_subregion(sysmem, base,
+                                sysbus_mmio_get_region(SYS_BUS_DEVICE(dev),
+                                                       0));
+}
+
+static void sbsa_flash_map(SBSAMachineState *sms,
+                           MemoryRegion *sysmem,
+                           MemoryRegion *secure_sysmem)
+{
+    /*
+     * Map two flash devices to fill the SBSA_FLASH space in the memmap.
+     * sysmem is the system memory space. secure_sysmem is the secure view
+     * of the system, and the first flash device should be made visible only
+     * there. The second flash device is visible to both secure and nonsecure.
+     * If sysmem == secure_sysmem this means there is no separate Secure
+     * address space and both flash devices are generally visible.
+     */
+    hwaddr flashsize = sbsa_ref_memmap[SBSA_FLASH].size / 2;
+    hwaddr flashbase = sbsa_ref_memmap[SBSA_FLASH].base;
+
+    sbsa_flash_map1(sms->flash[0], flashbase, flashsize,
+                    secure_sysmem);
+    sbsa_flash_map1(sms->flash[1], flashbase + flashsize, flashsize,
+                    sysmem);
+}
+
+static bool sbsa_firmware_init(SBSAMachineState *sms,
+                               MemoryRegion *sysmem,
+                               MemoryRegion *secure_sysmem)
+{
+    int i;
+    BlockBackend *pflash_blk0;
+
+    /* Map legacy -drive if=pflash to machine properties */
+    for (i = 0; i < ARRAY_SIZE(sms->flash); i++) {
+        pflash_cfi01_legacy_drive(sms->flash[i],
+                                  drive_get(IF_PFLASH, 0, i));
+    }
+
+    sbsa_flash_map(sms, sysmem, secure_sysmem);
+
+    pflash_blk0 = pflash_cfi01_get_blk(sms->flash[0]);
+
+    if (bios_name) {
+        char *fname;
+        MemoryRegion *mr;
+        int image_size;
+
+        if (pflash_blk0) {
+            error_report("The contents of the first flash device may be "
+                         "specified with -bios or with -drive if=pflash... "
+                         "but you cannot use both options at once");
+            exit(1);
+        }
+
+        /* Fall back to -bios */
+
+        fname = qemu_find_file(QEMU_FILE_TYPE_BIOS, bios_name);
+        if (!fname) {
+            error_report("Could not find ROM image '%s'", bios_name);
+            exit(1);
+        }
+        mr = sysbus_mmio_get_region(SYS_BUS_DEVICE(sms->flash[0]), 0);
+        image_size = load_image_mr(fname, mr);
+        g_free(fname);
+        if (image_size < 0) {
+            error_report("Could not load ROM image '%s'", bios_name);
+            exit(1);
+        }
+    }
+
+    return pflash_blk0 || bios_name;
+}
+
+static void create_secure_ram(SBSAMachineState *sms,
+                              MemoryRegion *secure_sysmem)
+{
+    MemoryRegion *secram = g_new(MemoryRegion, 1);
+    hwaddr base = sbsa_ref_memmap[SBSA_SECURE_MEM].base;
+    hwaddr size = sbsa_ref_memmap[SBSA_SECURE_MEM].size;
+
+    memory_region_init_ram(secram, NULL, "sbsa-ref.secure-ram", size,
+                           &error_fatal);
+    memory_region_add_subregion(secure_sysmem, base, secram);
+}
+
+static void create_gic(SBSAMachineState *sms, qemu_irq *pic)
+{
+    DeviceState *gicdev;
+    SysBusDevice *gicbusdev;
+    const char *gictype;
+    uint32_t redist0_capacity, redist0_count;
+    int i;
+
+    gictype = gicv3_class_name();
+
+    gicdev = qdev_create(NULL, gictype);
+    qdev_prop_set_uint32(gicdev, "revision", 3);
+    qdev_prop_set_uint32(gicdev, "num-cpu", smp_cpus);
+    /*
+     * Note that the num-irq property counts both internal and external
+     * interrupts; there are always 32 of the former (mandated by GIC spec).
+     */
+    qdev_prop_set_uint32(gicdev, "num-irq", NUM_IRQS + 32);
+    qdev_prop_set_bit(gicdev, "has-security-extensions", true);
+
+    redist0_capacity =
+                sbsa_ref_memmap[SBSA_GIC_REDIST].size / GICV3_REDIST_SIZE;
+    redist0_count = MIN(smp_cpus, redist0_capacity);
+
+    qdev_prop_set_uint32(gicdev, "len-redist-region-count", 1);
+    qdev_prop_set_uint32(gicdev, "redist-region-count[0]", redist0_count);
+
+    qdev_init_nofail(gicdev);
+    gicbusdev = SYS_BUS_DEVICE(gicdev);
+    sysbus_mmio_map(gicbusdev, 0, sbsa_ref_memmap[SBSA_GIC_DIST].base);
+    sysbus_mmio_map(gicbusdev, 1, sbsa_ref_memmap[SBSA_GIC_REDIST].base);
+
+    /*
+     * Wire the outputs from each CPU's generic timer and the GICv3
+     * maintenance interrupt signal to the appropriate GIC PPI inputs,
+     * and the GIC's IRQ/FIQ/VIRQ/VFIQ interrupt outputs to the CPU's inputs.
+     */
+    for (i = 0; i < smp_cpus; i++) {
+        DeviceState *cpudev = DEVICE(qemu_get_cpu(i));
+        int ppibase = NUM_IRQS + i * GIC_INTERNAL + GIC_NR_SGIS;
+        int irq;
+        /*
+         * Mapping from the output timer irq lines from the CPU to the
+         * GIC PPI inputs used for this board.
+         */
+        const int timer_irq[] = {
+            [GTIMER_PHYS] = ARCH_TIMER_NS_EL1_IRQ,
+            [GTIMER_VIRT] = ARCH_TIMER_VIRT_IRQ,
+            [GTIMER_HYP]  = ARCH_TIMER_NS_EL2_IRQ,
+            [GTIMER_SEC]  = ARCH_TIMER_S_EL1_IRQ,
+        };
+
+        for (irq = 0; irq < ARRAY_SIZE(timer_irq); irq++) {
+            qdev_connect_gpio_out(cpudev, irq,
+                                  qdev_get_gpio_in(gicdev,
+                                                   ppibase + timer_irq[irq]));
+        }
+
+        qdev_connect_gpio_out_named(cpudev, "gicv3-maintenance-interrupt", 0,
+                                    qdev_get_gpio_in(gicdev, ppibase
+                                                     + ARCH_GIC_MAINT_IRQ));
+        qdev_connect_gpio_out_named(cpudev, "pmu-interrupt", 0,
+                                    qdev_get_gpio_in(gicdev, ppibase
+                                                     + VIRTUAL_PMU_IRQ));
+
+        sysbus_connect_irq(gicbusdev, i, qdev_get_gpio_in(cpudev, ARM_CPU_IRQ));
+        sysbus_connect_irq(gicbusdev, i + smp_cpus,
+                           qdev_get_gpio_in(cpudev, ARM_CPU_FIQ));
+        sysbus_connect_irq(gicbusdev, i + 2 * smp_cpus,
+                           qdev_get_gpio_in(cpudev, ARM_CPU_VIRQ));
+        sysbus_connect_irq(gicbusdev, i + 3 * smp_cpus,
+                           qdev_get_gpio_in(cpudev, ARM_CPU_VFIQ));
+    }
+
+    for (i = 0; i < NUM_IRQS; i++) {
+        pic[i] = qdev_get_gpio_in(gicdev, i);
+    }
+}
+
+static void create_uart(const SBSAMachineState *sms, qemu_irq *pic, int uart,
+                        MemoryRegion *mem, Chardev *chr)
+{
+    hwaddr base = sbsa_ref_memmap[uart].base;
+    int irq = sbsa_ref_irqmap[uart];
+    DeviceState *dev = qdev_create(NULL, "pl011");
+    SysBusDevice *s = SYS_BUS_DEVICE(dev);
+
+    qdev_prop_set_chr(dev, "chardev", chr);
+    qdev_init_nofail(dev);
+    memory_region_add_subregion(mem, base,
+                                sysbus_mmio_get_region(s, 0));
+    sysbus_connect_irq(s, 0, pic[irq]);
+}
+
+static void create_rtc(const SBSAMachineState *sms, qemu_irq *pic)
+{
+    hwaddr base = sbsa_ref_memmap[SBSA_RTC].base;
+    int irq = sbsa_ref_irqmap[SBSA_RTC];
+
+    sysbus_create_simple("pl031", base, pic[irq]);
+}
+
+static DeviceState *gpio_key_dev;
+static void sbsa_ref_powerdown_req(Notifier *n, void *opaque)
+{
+    /* use gpio Pin 3 for power button event */
+    qemu_set_irq(qdev_get_gpio_in(gpio_key_dev, 0), 1);
+}
+
+static Notifier sbsa_ref_powerdown_notifier = {
+    .notify = sbsa_ref_powerdown_req
+};
+
+static void create_gpio(const SBSAMachineState *sms, qemu_irq *pic)
+{
+    DeviceState *pl061_dev;
+    hwaddr base = sbsa_ref_memmap[SBSA_GPIO].base;
+    int irq = sbsa_ref_irqmap[SBSA_GPIO];
+
+    pl061_dev = sysbus_create_simple("pl061", base, pic[irq]);
+
+    gpio_key_dev = sysbus_create_simple("gpio-key", -1,
+                                        qdev_get_gpio_in(pl061_dev, 3));
+
+    /* connect powerdown request */
+    qemu_register_powerdown_notifier(&sbsa_ref_powerdown_notifier);
+}
+
+static void create_ahci(const SBSAMachineState *sms, qemu_irq *pic)
+{
+    hwaddr base = sbsa_ref_memmap[SBSA_AHCI].base;
+    int irq = sbsa_ref_irqmap[SBSA_AHCI];
+    DeviceState *dev;
+    DriveInfo *hd[NUM_SATA_PORTS];
+    SysbusAHCIState *sysahci;
+    AHCIState *ahci;
+    int i;
+
+    dev = qdev_create(NULL, "sysbus-ahci");
+    qdev_prop_set_uint32(dev, "num-ports", NUM_SATA_PORTS);
+    qdev_init_nofail(dev);
+    sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, base);
+    sysbus_connect_irq(SYS_BUS_DEVICE(dev), 0, pic[irq]);
+
+    sysahci = SYSBUS_AHCI(dev);
+    ahci = &sysahci->ahci;
+    ide_drive_get(hd, ARRAY_SIZE(hd));
+    for (i = 0; i < ahci->ports; i++) {
+        if (hd[i] == NULL) {
+            continue;
+        }
+        ide_create_drive(&ahci->dev[i].port, 0, hd[i]);
+    }
+}
+
+static void create_ehci(const SBSAMachineState *sms, qemu_irq *pic)
+{
+    hwaddr base = sbsa_ref_memmap[SBSA_EHCI].base;
+    int irq = sbsa_ref_irqmap[SBSA_EHCI];
+
+    sysbus_create_simple("platform-ehci-usb", base, pic[irq]);
+}
+
+static void create_smmu(const SBSAMachineState *sms, qemu_irq *pic,
+                        PCIBus *bus)
+{
+    hwaddr base = sbsa_ref_memmap[SBSA_SMMU].base;
+    int irq =  sbsa_ref_irqmap[SBSA_SMMU];
+    DeviceState *dev;
+    int i;
+
+    dev = qdev_create(NULL, "arm-smmuv3");
+
+    object_property_set_link(OBJECT(dev), OBJECT(bus), "primary-bus",
+                             &error_abort);
+    qdev_init_nofail(dev);
+    sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, base);
+    for (i = 0; i < NUM_SMMU_IRQS; i++) {
+        sysbus_connect_irq(SYS_BUS_DEVICE(dev), i, pic[irq + i]);
+    }
+}
+
+static void create_pcie(SBSAMachineState *sms, qemu_irq *pic)
+{
+    hwaddr base_ecam = sbsa_ref_memmap[SBSA_PCIE_ECAM].base;
+    hwaddr size_ecam = sbsa_ref_memmap[SBSA_PCIE_ECAM].size;
+    hwaddr base_mmio = sbsa_ref_memmap[SBSA_PCIE_MMIO].base;
+    hwaddr size_mmio = sbsa_ref_memmap[SBSA_PCIE_MMIO].size;
+    hwaddr base_mmio_high = sbsa_ref_memmap[SBSA_PCIE_MMIO_HIGH].base;
+    hwaddr size_mmio_high = sbsa_ref_memmap[SBSA_PCIE_MMIO_HIGH].size;
+    hwaddr base_pio = sbsa_ref_memmap[SBSA_PCIE_PIO].base;
+    int irq = sbsa_ref_irqmap[SBSA_PCIE];
+    MemoryRegion *mmio_alias, *mmio_alias_high, *mmio_reg;
+    MemoryRegion *ecam_alias, *ecam_reg;
+    DeviceState *dev;
+    PCIHostState *pci;
+    int i;
+
+    dev = qdev_create(NULL, TYPE_GPEX_HOST);
+    qdev_init_nofail(dev);
+
+    /* Map ECAM space */
+    ecam_alias = g_new0(MemoryRegion, 1);
+    ecam_reg = sysbus_mmio_get_region(SYS_BUS_DEVICE(dev), 0);
+    memory_region_init_alias(ecam_alias, OBJECT(dev), "pcie-ecam",
+                             ecam_reg, 0, size_ecam);
+    memory_region_add_subregion(get_system_memory(), base_ecam, ecam_alias);
+
+    /* Map the MMIO space */
+    mmio_alias = g_new0(MemoryRegion, 1);
+    mmio_reg = sysbus_mmio_get_region(SYS_BUS_DEVICE(dev), 1);
+    memory_region_init_alias(mmio_alias, OBJECT(dev), "pcie-mmio",
+                             mmio_reg, base_mmio, size_mmio);
+    memory_region_add_subregion(get_system_memory(), base_mmio, mmio_alias);
+
+    /* Map the MMIO_HIGH space */
+    mmio_alias_high = g_new0(MemoryRegion, 1);
+    memory_region_init_alias(mmio_alias_high, OBJECT(dev), "pcie-mmio-high",
+                             mmio_reg, base_mmio_high, size_mmio_high);
+    memory_region_add_subregion(get_system_memory(), base_mmio_high,
+                                mmio_alias_high);
+
+    /* Map IO port space */
+    sysbus_mmio_map(SYS_BUS_DEVICE(dev), 2, base_pio);
+
+    for (i = 0; i < GPEX_NUM_IRQS; i++) {
+        sysbus_connect_irq(SYS_BUS_DEVICE(dev), i, pic[irq + i]);
+        gpex_set_irq_num(GPEX_HOST(dev), i, irq + i);
+    }
+
+    pci = PCI_HOST_BRIDGE(dev);
+    if (pci->bus) {
+        for (i = 0; i < nb_nics; i++) {
+            NICInfo *nd = &nd_table[i];
+
+            if (!nd->model) {
+                nd->model = g_strdup("e1000e");
+            }
+
+            pci_nic_init_nofail(nd, pci->bus, nd->model, NULL);
+        }
+    }
+
+    pci_create_simple(pci->bus, -1, "VGA");
+
+    create_smmu(sms, pic, pci->bus);
+}
+
+static void *sbsa_ref_dtb(const struct arm_boot_info *binfo, int *fdt_size)
+{
+    const SBSAMachineState *board = container_of(binfo, SBSAMachineState,
+                                                 bootinfo);
+
+    *fdt_size = board->fdt_size;
+    return board->fdt;
+}
+
 static void sbsa_ref_init(MachineState *machine)
 {
     SBSAMachineState *sms = SBSA_MACHINE(machine);
@@ -XXX,XX +XXX,XX @@ static void sbsa_ref_init(MachineState *machine)
     MemoryRegion *sysmem = get_system_memory();
     MemoryRegion *secure_sysmem = NULL;
     MemoryRegion *ram = g_new(MemoryRegion, 1);
+    bool firmware_loaded;
     const CPUArchIdList *possible_cpus;
     int n, sbsa_max_cpus;
+    qemu_irq pic[NUM_IRQS];
 
     if (strcmp(machine->cpu_type, ARM_CPU_TYPE_NAME("cortex-a57"))) {
         error_report("sbsa-ref: CPU type other than the built-in "
@@ -XXX,XX +XXX,XX @@ static void sbsa_ref_init(MachineState *machine)
         exit(1);
     }
 
+    /*
+     * The Secure view of the world is the same as the NonSecure,
+     * but with a few extra devices. Create it as a container region
+     * containing the system memory at low priority; any secure-only
+     * devices go in at higher priority and take precedence.
+     */
+    secure_sysmem = g_new(MemoryRegion, 1);
+    memory_region_init(secure_sysmem, OBJECT(machine), "secure-memory",
+                       UINT64_MAX);
+    memory_region_add_subregion_overlap(secure_sysmem, 0, sysmem, -1);
+
+    firmware_loaded = sbsa_firmware_init(sms, sysmem,
+                                         secure_sysmem ?: sysmem);
+
+    if (machine->kernel_filename && firmware_loaded) {
+        error_report("sbsa-ref: No fw_cfg device on this machine, "
+                     "so -kernel option is not supported when firmware loaded, "
+                     "please load OS from hard disk instead");
+        exit(1);
+    }
+
     /*
      * This machine has EL3 enabled, external firmware should supply PSCI
      * implementation, so the QEMU's internal PSCI is disabled.
@@ -XXX,XX +XXX,XX @@ static void sbsa_ref_init(MachineState *machine)
                                          machine->ram_size);
     memory_region_add_subregion(sysmem, sbsa_ref_memmap[SBSA_MEM].base, ram);
 
+    create_fdt(sms);
+
+    create_secure_ram(sms, secure_sysmem);
+
+    create_gic(sms, pic);
+
+    create_uart(sms, pic, SBSA_UART, sysmem, serial_hd(0));
+    create_uart(sms, pic, SBSA_SECURE_UART, secure_sysmem, serial_hd(1));
+    /* Second secure UART for RAS and MM from EL0 */
+    create_uart(sms, pic, SBSA_SECURE_UART_MM, secure_sysmem, serial_hd(2));
+
+    create_rtc(sms, pic);
+
+    create_gpio(sms, pic);
+
+    create_ahci(sms, pic);
+
+    create_ehci(sms, pic);
+
+    create_pcie(sms, pic);
+
     sms->bootinfo.ram_size = machine->ram_size;
     sms->bootinfo.kernel_filename = machine->kernel_filename;
     sms->bootinfo.nb_cpus = smp_cpus;
     sms->bootinfo.board_id = -1;
     sms->bootinfo.loader_start = sbsa_ref_memmap[SBSA_MEM].base;
+    sms->bootinfo.get_dtb = sbsa_ref_dtb;
+    sms->bootinfo.firmware_loaded = firmware_loaded;
     arm_load_kernel(ARM_CPU(first_cpu), &sms->bootinfo);
 }
 
@@ -XXX,XX +XXX,XX @@ sbsa_ref_get_default_cpu_node_id(const MachineState *ms, int idx)
     return idx % nb_numa_nodes;
 }
 
+static void sbsa_ref_instance_init(Object *obj)
+{
+    SBSAMachineState *sms = SBSA_MACHINE(obj);
+
+    sbsa_flash_create(sms);
+}
+
 static void sbsa_ref_class_init(ObjectClass *oc, void *data)
 {
     MachineClass *mc = MACHINE_CLASS(oc);
@@ -XXX,XX +XXX,XX @@ static void sbsa_ref_class_init(ObjectClass *oc, void *data)
 static const TypeInfo sbsa_ref_info = {
     .name          = TYPE_SBSA_MACHINE,
     .parent        = TYPE_MACHINE,
+    .instance_init = sbsa_ref_instance_init,
     .class_init    = sbsa_ref_class_init,
     .instance_size = sizeof(SBSAMachineState),
 };
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

Group Aarch64 rules together, TCG related ones at the bottom.
This will help when restricting TCG-only objects.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190701132516.26392-2-philmd@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/Makefile.objs | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/target/arm/Makefile.objs b/target/arm/Makefile.objs
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/Makefile.objs
+++ b/target/arm/Makefile.objs
@@ -XXX,XX +XXX,XX @@ obj-$(call lnot,$(CONFIG_KVM)) += kvm-stub.o
 obj-y += translate.o op_helper.o helper.o cpu.o
 obj-y += neon_helper.o iwmmxt_helper.o vec_helper.o vfp_helper.o
 obj-y += gdbstub.o
-obj-$(TARGET_AARCH64) += cpu64.o translate-a64.o helper-a64.o gdbstub64.o
-obj-$(TARGET_AARCH64) += pauth_helper.o
+obj-$(TARGET_AARCH64) += cpu64.o gdbstub64.o
 obj-y += crypto_helper.o
 obj-$(CONFIG_SOFTMMU) += arm-powerctl.o
 
@@ -XXX,XX +XXX,XX @@ target/arm/translate-sve.o: target/arm/decode-sve.inc.c
 target/arm/translate.o: target/arm/decode-vfp.inc.c
 target/arm/translate.o: target/arm/decode-vfp-uncond.inc.c
 
+obj-$(TARGET_AARCH64) += translate-a64.o helper-a64.o
 obj-$(TARGET_AARCH64) += translate-sve.o sve_helper.o
+obj-$(TARGET_AARCH64) += pauth_helper.o
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

Group ARM objects together, TCG related ones at the bottom.
This will help when restricting TCG-only objects.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190701132516.26392-3-philmd@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/Makefile.objs | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/target/arm/Makefile.objs b/target/arm/Makefile.objs
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/Makefile.objs
+++ b/target/arm/Makefile.objs
@@ -XXX,XX +XXX,XX @@ obj-$(CONFIG_KVM) += kvm.o
 obj-$(call land,$(CONFIG_KVM),$(call lnot,$(TARGET_AARCH64))) += kvm32.o
 obj-$(call land,$(CONFIG_KVM),$(TARGET_AARCH64)) += kvm64.o
 obj-$(call lnot,$(CONFIG_KVM)) += kvm-stub.o
-obj-y += translate.o op_helper.o helper.o cpu.o
-obj-y += neon_helper.o iwmmxt_helper.o vec_helper.o vfp_helper.o
-obj-y += gdbstub.o
+obj-y += helper.o vfp_helper.o
+obj-y += cpu.o gdbstub.o
 obj-$(TARGET_AARCH64) += cpu64.o gdbstub64.o
-obj-y += crypto_helper.o
 obj-$(CONFIG_SOFTMMU) += arm-powerctl.o
 
 DECODETREE = $(SRC_PATH)/scripts/decodetree.py
@@ -XXX,XX +XXX,XX @@ target/arm/translate-sve.o: target/arm/decode-sve.inc.c
 target/arm/translate.o: target/arm/decode-vfp.inc.c
 target/arm/translate.o: target/arm/decode-vfp-uncond.inc.c
 
+obj-y += translate.o op_helper.o
+obj-y += crypto_helper.o
+obj-y += iwmmxt_helper.o vec_helper.o neon_helper.o
+
 obj-$(TARGET_AARCH64) += translate-a64.o helper-a64.o
 obj-$(TARGET_AARCH64) += translate-sve.o sve_helper.o
 obj-$(TARGET_AARCH64) += pauth_helper.o
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

Group KVM rules together.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190701132516.26392-4-philmd@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/Makefile.objs | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/target/arm/Makefile.objs b/target/arm/Makefile.objs
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/Makefile.objs
+++ b/target/arm/Makefile.objs
@@ -XXX,XX +XXX,XX @@
 obj-y += arm-semi.o
 obj-$(CONFIG_SOFTMMU) += machine.o psci.o arch_dump.o monitor.o
-obj-$(CONFIG_KVM) += kvm.o
-obj-$(call land,$(CONFIG_KVM),$(call lnot,$(TARGET_AARCH64))) += kvm32.o
-obj-$(call land,$(CONFIG_KVM),$(TARGET_AARCH64)) += kvm64.o
-obj-$(call lnot,$(CONFIG_KVM)) += kvm-stub.o
 obj-y += helper.o vfp_helper.o
 obj-y += cpu.o gdbstub.o
 obj-$(TARGET_AARCH64) += cpu64.o gdbstub64.o
 obj-$(CONFIG_SOFTMMU) += arm-powerctl.o
 
+obj-$(CONFIG_KVM) += kvm.o
+obj-$(call land,$(CONFIG_KVM),$(call lnot,$(TARGET_AARCH64))) += kvm32.o
+obj-$(call land,$(CONFIG_KVM),$(TARGET_AARCH64)) += kvm64.o
+obj-$(call lnot,$(CONFIG_KVM)) += kvm-stub.o
+
 DECODETREE = $(SRC_PATH)/scripts/decodetree.py
 
 target/arm/decode-sve.inc.c: $(SRC_PATH)/target/arm/sve.decode $(DECODETREE)
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

Group SOFTMMU objects together.
Since PSCI is TCG specific, keep it separate.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190701132516.26392-5-philmd@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/Makefile.objs | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/target/arm/Makefile.objs b/target/arm/Makefile.objs
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/Makefile.objs
+++ b/target/arm/Makefile.objs
@@ -XXX,XX +XXX,XX @@
 obj-y += arm-semi.o
-obj-$(CONFIG_SOFTMMU) += machine.o psci.o arch_dump.o monitor.o
 obj-y += helper.o vfp_helper.o
 obj-y += cpu.o gdbstub.o
 obj-$(TARGET_AARCH64) += cpu64.o gdbstub64.o
+
+obj-$(CONFIG_SOFTMMU) += machine.o arch_dump.o monitor.o
 obj-$(CONFIG_SOFTMMU) += arm-powerctl.o
 
 obj-$(CONFIG_KVM) += kvm.o
@@ -XXX,XX +XXX,XX @@ obj-y += translate.o op_helper.o
 obj-y += crypto_helper.o
 obj-y += iwmmxt_helper.o vec_helper.o neon_helper.o
 
+obj-$(CONFIG_SOFTMMU) += psci.o
+
 obj-$(TARGET_AARCH64) += translate-a64.o helper-a64.o
 obj-$(TARGET_AARCH64) += translate-sve.o sve_helper.o
 obj-$(TARGET_AARCH64) += pauth_helper.o
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

Since commit 8c06fbdf36b checkpatch.pl enforce a new multiline
comment syntax. Since we'll move this code around, fix its style
first.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190701132516.26392-8-philmd@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c     | 237 ++++++++++++++++++++++++++--------------
 target/arm/op_helper.c  |  54 ++++++---
 target/arm/vfp_helper.c |   3 +-
 3 files changed, 196 insertions(+), 98 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_vlldm)(CPUARMState *env, uint32_t fptr)
 
 uint32_t HELPER(v7m_tt)(CPUARMState *env, uint32_t addr, uint32_t op)
 {
-    /* The TT instructions can be used by unprivileged code, but in
+    /*
+     * The TT instructions can be used by unprivileged code, but in
      * user-only emulation we don't have the MPU.
      * Luckily since we know we are NonSecure unprivileged (and that in
      * turn means that the A flag wasn't specified), all the bits in the
@@ -XXX,XX +XXX,XX @@ static bool v7m_stack_write(ARMCPU *cpu, uint32_t addr, uint32_t value,
     return true;
 
 pend_fault:
-    /* By pending the exception at this point we are making
+    /*
+     * By pending the exception at this point we are making
      * the IMPDEF choice "overridden exceptions pended" (see the
      * MergeExcInfo() pseudocode). The other choice would be to not
      * pend them now and then make a choice about which to throw away
@@ -XXX,XX +XXX,XX @@ static bool v7m_stack_read(ARMCPU *cpu, uint32_t *dest, uint32_t addr,
     return true;
 
 pend_fault:
-    /* By pending the exception at this point we are making
+    /*
+     * By pending the exception at this point we are making
      * the IMPDEF choice "overridden exceptions pended" (see the
      * MergeExcInfo() pseudocode). The other choice would be to not
      * pend them now and then make a choice about which to throw away
@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_preserve_fp_state)(CPUARMState *env)
      */
 }
 
-/* Write to v7M CONTROL.SPSEL bit for the specified security bank.
+/*
+ * Write to v7M CONTROL.SPSEL bit for the specified security bank.
  * This may change the current stack pointer between Main and Process
  * stack pointers if it is done for the CONTROL register for the current
  * security state.
@@ -XXX,XX +XXX,XX @@ static void write_v7m_control_spsel_for_secstate(CPUARMState *env,
     }
 }
 
-/* Write to v7M CONTROL.SPSEL bit. This may change the current
+/*
+ * Write to v7M CONTROL.SPSEL bit. This may change the current
  * stack pointer between Main and Process stack pointers.
  */
 static void write_v7m_control_spsel(CPUARMState *env, bool new_spsel)
@@ -XXX,XX +XXX,XX @@ static void write_v7m_control_spsel(CPUARMState *env, bool new_spsel)
 
 void write_v7m_exception(CPUARMState *env, uint32_t new_exc)
 {
-    /* Write a new value to v7m.exception, thus transitioning into or out
+    /*
+     * Write a new value to v7m.exception, thus transitioning into or out
      * of Handler mode; this may result in a change of active stack pointer.
      */
     bool new_is_psp, old_is_psp = v7m_using_psp(env);
@@ -XXX,XX +XXX,XX @@ static void switch_v7m_security_state(CPUARMState *env, bool new_secstate)
         return;
     }
 
-    /* All the banked state is accessed by looking at env->v7m.secure
+    /*
+     * All the banked state is accessed by looking at env->v7m.secure
      * except for the stack pointer; rearrange the SP appropriately.
      */
     new_ss_msp = env->v7m.other_ss_msp;
@@ -XXX,XX +XXX,XX @@ static void switch_v7m_security_state(CPUARMState *env, bool new_secstate)
 
 void HELPER(v7m_bxns)(CPUARMState *env, uint32_t dest)
 {
-    /* Handle v7M BXNS:
+    /*
+     * Handle v7M BXNS:
      *  - if the return value is a magic value, do exception return (like BX)
      *  - otherwise bit 0 of the return value is the target security state
      */
@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_bxns)(CPUARMState *env, uint32_t dest)
     }
 
     if (dest >= min_magic) {
-        /* This is an exception return magic value; put it where
+        /*
+         * This is an exception return magic value; put it where
          * do_v7m_exception_exit() expects and raise EXCEPTION_EXIT.
          * Note that if we ever add gen_ss_advance() singlestep support to
          * M profile this should count as an "instruction execution complete"
@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_bxns)(CPUARMState *env, uint32_t dest)
 
 void HELPER(v7m_blxns)(CPUARMState *env, uint32_t dest)
 {
-    /* Handle v7M BLXNS:
+    /*
+     * Handle v7M BLXNS:
      *  - bit 0 of the destination address is the target security state
      */
 
@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_blxns)(CPUARMState *env, uint32_t dest)
     assert(env->v7m.secure);
 
     if (dest & 1) {
-        /* target is Secure, so this is just a normal BLX,
+        /*
+         * Target is Secure, so this is just a normal BLX,
          * except that the low bit doesn't indicate Thumb/not.
          */
         env->regs[14] = nextinst;
@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_blxns)(CPUARMState *env, uint32_t dest)
     env->regs[13] = sp;
     env->regs[14] = 0xfeffffff;
     if (arm_v7m_is_handler_mode(env)) {
-        /* Write a dummy value to IPSR, to avoid leaking the current secure
+        /*
+         * Write a dummy value to IPSR, to avoid leaking the current secure
          * exception number to non-secure code. This is guaranteed not
          * to cause write_v7m_exception() to actually change stacks.
          */
@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_blxns)(CPUARMState *env, uint32_t dest)
 static uint32_t *get_v7m_sp_ptr(CPUARMState *env, bool secure, bool threadmode,
                                 bool spsel)
 {
-    /* Return a pointer to the location where we currently store the
+    /*
+     * Return a pointer to the location where we currently store the
      * stack pointer for the requested security state and thread mode.
      * This pointer will become invalid if the CPU state is updated
      * such that the stack pointers are switched around (eg changing
@@ -XXX,XX +XXX,XX @@ static bool arm_v7m_load_vector(ARMCPU *cpu, int exc, bool targets_secure,
 
     mmu_idx = arm_v7m_mmu_idx_for_secstate_and_priv(env, targets_secure, true);
 
-    /* We don't do a get_phys_addr() here because the rules for vector
+    /*
+     * We don't do a get_phys_addr() here because the rules for vector
      * loads are special: they always use the default memory map, and
      * the default memory map permits reads from all addresses.
      * Since there's no easy way to pass through to pmsav8_mpu_lookup()
@@ -XXX,XX +XXX,XX @@ static bool arm_v7m_load_vector(ARMCPU *cpu, int exc, bool targets_secure,
     return true;
 
 load_fail:
-    /* All vector table fetch fails are reported as HardFault, with
+    /*
+     * All vector table fetch fails are reported as HardFault, with
      * HFSR.VECTTBL and .FORCED set. (FORCED is set because
      * technically the underlying exception is a MemManage or BusFault
      * that is escalated to HardFault.) This is a terminal exception,
@@ -XXX,XX +XXX,XX @@ static uint32_t v7m_integrity_sig(CPUARMState *env, uint32_t lr)
 static bool v7m_push_callee_stack(ARMCPU *cpu, uint32_t lr, bool dotailchain,
                                   bool ignore_faults)
 {
-    /* For v8M, push the callee-saves register part of the stack frame.
+    /*
+     * For v8M, push the callee-saves register part of the stack frame.
      * Compare the v8M pseudocode PushCalleeStack().
      * In the tailchaining case this may not be the current stack.
      */
@@ -XXX,XX +XXX,XX @@ static bool v7m_push_callee_stack(ARMCPU *cpu, uint32_t lr, bool dotailchain,
         return true;
     }
 
-    /* Write as much of the stack frame as we can. A write failure may
+    /*
+     * Write as much of the stack frame as we can. A write failure may
      * cause us to pend a derived exception.
      */
     sig = v7m_integrity_sig(env, lr);
@@ -XXX,XX +XXX,XX @@ static bool v7m_push_callee_stack(ARMCPU *cpu, uint32_t lr, bool dotailchain,
 static void v7m_exception_taken(ARMCPU *cpu, uint32_t lr, bool dotailchain,
                                 bool ignore_stackfaults)
 {
-    /* Do the "take the exception" parts of exception entry,
+    /*
+     * Do the "take the exception" parts of exception entry,
      * but not the pushing of state to the stack. This is
      * similar to the pseudocode ExceptionTaken() function.
      */
@@ -XXX,XX +XXX,XX @@ static void v7m_exception_taken(ARMCPU *cpu, uint32_t lr, bool dotailchain,
     if (arm_feature(env, ARM_FEATURE_V8)) {
         if (arm_feature(env, ARM_FEATURE_M_SECURITY) &&
             (lr & R_V7M_EXCRET_S_MASK)) {
-            /* The background code (the owner of the registers in the
+            /*
+             * The background code (the owner of the registers in the
              * exception frame) is Secure. This means it may either already
              * have or now needs to push callee-saves registers.
              */
             if (targets_secure) {
                 if (dotailchain && !(lr & R_V7M_EXCRET_ES_MASK)) {
-                    /* We took an exception from Secure to NonSecure
+                    /*
+                     * We took an exception from Secure to NonSecure
                      * (which means the callee-saved registers got stacked)
                      * and are now tailchaining to a Secure exception.
                      * Clear DCRS so eventual return from this Secure
@@ -XXX,XX +XXX,XX @@ static void v7m_exception_taken(ARMCPU *cpu, uint32_t lr, bool dotailchain,
                     lr &= ~R_V7M_EXCRET_DCRS_MASK;
                 }
             } else {
-                /* We're going to a non-secure exception; push the
+                /*
+                 * We're going to a non-secure exception; push the
                  * callee-saves registers to the stack now, if they're
                  * not already saved.
                  */
@@ -XXX,XX +XXX,XX @@ static void v7m_exception_taken(ARMCPU *cpu, uint32_t lr, bool dotailchain,
             lr |= R_V7M_EXCRET_SPSEL_MASK;
         }
 
-        /* Clear registers if necessary to prevent non-secure exception
+        /*
+         * Clear registers if necessary to prevent non-secure exception
          * code being able to see register values from secure code.
          * Where register values become architecturally UNKNOWN we leave
          * them with their previous values.
          */
         if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
             if (!targets_secure) {
-                /* Always clear the caller-saved registers (they have been
+                /*
+                 * Always clear the caller-saved registers (they have been
                  * pushed to the stack earlier in v7m_push_stack()).
                  * Clear callee-saved registers if the background code is
                  * Secure (in which case these regs were saved in
@@ -XXX,XX +XXX,XX @@ static void v7m_exception_taken(ARMCPU *cpu, uint32_t lr, bool dotailchain,
     }
 
     if (push_failed && !ignore_stackfaults) {
-        /* Derived exception on callee-saves register stacking:
+        /*
+         * Derived exception on callee-saves register stacking:
          * we might now want to take a different exception which
          * targets a different security state, so try again from the top.
          */
@@ -XXX,XX +XXX,XX @@ static void v7m_exception_taken(ARMCPU *cpu, uint32_t lr, bool dotailchain,
         return;
     }
 
-    /* Now we've done everything that might cause a derived exception
+    /*
+     * Now we've done everything that might cause a derived exception
      * we can go ahead and activate whichever exception we're going to
      * take (which might now be the derived exception).
      */
@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_vlldm)(CPUARMState *env, uint32_t fptr)
 
 static bool v7m_push_stack(ARMCPU *cpu)
 {
-    /* Do the "set up stack frame" part of exception entry,
+    /*
+     * Do the "set up stack frame" part of exception entry,
      * similar to pseudocode PushStack().
      * Return true if we generate a derived exception (and so
      * should ignore further stack faults trying to process
@@ -XXX,XX +XXX,XX @@ static bool v7m_push_stack(ARMCPU *cpu)
         }
     }
 
-    /* Write as much of the stack frame as we can. If we fail a stack
+    /*
+     * Write as much of the stack frame as we can. If we fail a stack
      * write this will result in a derived exception being pended
      * (which may be taken in preference to the one we started with
      * if it has higher priority).
@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
     bool ftype;
     bool restore_s16_s31;
 
-    /* If we're not in Handler mode then jumps to magic exception-exit
+    /*
+     * If we're not in Handler mode then jumps to magic exception-exit
      * addresses don't have magic behaviour. However for the v8M
      * security extensions the magic secure-function-return has to
      * work in thread mode too, so to avoid doing an extra check in
@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
         return;
     }
 
-    /* In the spec pseudocode ExceptionReturn() is called directly
+    /*
+     * In the spec pseudocode ExceptionReturn() is called directly
      * from BXWritePC() and gets the full target PC value including
      * bit zero. In QEMU's implementation we treat it as a normal
      * jump-to-register (which is then caught later on), and so split
@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
     }
 
     if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
-        /* EXC_RETURN.ES validation check (R_SMFL). We must do this before
+        /*
+         * EXC_RETURN.ES validation check (R_SMFL). We must do this before
          * we pick which FAULTMASK to clear.
          */
         if (!env->v7m.secure &&
@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
     }
 
     if (env->v7m.exception != ARMV7M_EXCP_NMI) {
-        /* Auto-clear FAULTMASK on return from other than NMI.
+        /*
+         * Auto-clear FAULTMASK on return from other than NMI.
          * If the security extension is implemented then this only
          * happens if the raw execution priority is >= 0; the
          * value of the ES bit in the exception return value indicates
@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
         /* still an irq active now */
         break;
     case 1:
-        /* we returned to base exception level, no nesting.
+        /*
+         * We returned to base exception level, no nesting.
          * (In the pseudocode this is written using "NestedActivation != 1"
          * where we have 'rettobase == false'.)
          */
@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
 
     if (arm_feature(env, ARM_FEATURE_V8)) {
         if (!arm_feature(env, ARM_FEATURE_M_SECURITY)) {
-            /* UNPREDICTABLE if S == 1 or DCRS == 0 or ES == 1 (R_XLCP);
+            /*
+             * UNPREDICTABLE if S == 1 or DCRS == 0 or ES == 1 (R_XLCP);
              * we choose to take the UsageFault.
              */
             if ((excret & R_V7M_EXCRET_S_MASK) ||
@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
             break;
         case 13: /* Return to Thread using Process stack */
         case 9: /* Return to Thread using Main stack */
-            /* We only need to check NONBASETHRDENA for v7M, because in
+            /*
+             * We only need to check NONBASETHRDENA for v7M, because in
              * v8M this bit does not exist (it is RES1).
              */
             if (!rettobase &&
@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
     }
 
     if (ufault) {
-        /* Bad exception return: instead of popping the exception
+        /*
+         * Bad exception return: instead of popping the exception
          * stack, directly take a usage fault on the current stack.
          */
         env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_INVPC_MASK;
@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
     switch_v7m_security_state(env, return_to_secure);
 
     {
-        /* The stack pointer we should be reading the exception frame from
+        /*
+         * The stack pointer we should be reading the exception frame from
          * depends on bits in the magic exception return type value (and
          * for v8M isn't necessarily the stack pointer we will eventually
          * end up resuming execution with). Get a pointer to the location
@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
             v7m_stack_read(cpu, &xpsr, frameptr + 0x1c, mmu_idx);
 
         if (!pop_ok) {
-            /* v7m_stack_read() pended a fault, so take it (as a tail
+            /*
+             * v7m_stack_read() pended a fault, so take it (as a tail
              * chained exception on the same stack frame)
              */
             qemu_log_mask(CPU_LOG_INT, "...derived exception on unstacking\n");
@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
             return;
         }
 
-        /* Returning from an exception with a PC with bit 0 set is defined
+        /*
+         * Returning from an exception with a PC with bit 0 set is defined
          * behaviour on v8M (bit 0 is ignored), but for v7M it was specified
          * to be UNPREDICTABLE. In practice actual v7M hardware seems to ignore
          * the lsbit, and there are several RTOSes out there which incorrectly
@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
         }
 
         if (arm_feature(env, ARM_FEATURE_V8)) {
-            /* For v8M we have to check whether the xPSR exception field
+            /*
+             * For v8M we have to check whether the xPSR exception field
              * matches the EXCRET value for return to handler/thread
              * before we commit to changing the SP and xPSR.
              */
             bool will_be_handler = (xpsr & XPSR_EXCP) != 0;
             if (return_to_handler != will_be_handler) {
-                /* Take an INVPC UsageFault on the current stack.
+                /*
+                 * Take an INVPC UsageFault on the current stack.
                  * By this point we will have switched to the security state
                  * for the background state, so this UsageFault will target
                  * that state.
@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
                 frameptr += 0x40;
             }
         }
-        /* Undo stack alignment (the SPREALIGN bit indicates that the original
+        /*
+         * Undo stack alignment (the SPREALIGN bit indicates that the original
          * pre-exception SP was not 8-aligned and we added a padding word to
          * align it, so we undo this by ORing in the bit that increases it
          * from the current 8-aligned value to the 8-unaligned value. (Adding 4
@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
                                                V7M_CONTROL, SFPA, sfpa);
     }
 
-    /* The restored xPSR exception field will be zero if we're
+    /*
+     * The restored xPSR exception field will be zero if we're
      * resuming in Thread mode. If that doesn't match what the
      * exception return excret specified then this is a UsageFault.
      * v7M requires we make this check here; v8M did it earlier.
      */
     if (return_to_handler != arm_v7m_is_handler_mode(env)) {
-        /* Take an INVPC UsageFault by pushing the stack again;
+        /*
+         * Take an INVPC UsageFault by pushing the stack again;
          * we know we're v7M so this is never a Secure UsageFault.
          */
         bool ignore_stackfaults;
@@ -XXX,XX +XXX,XX @@ static void do_v7m_exception_exit(ARMCPU *cpu)
 
 static bool do_v7m_function_return(ARMCPU *cpu)
 {
-    /* v8M security extensions magic function return.
+    /*
+     * v8M security extensions magic function return.
      * We may either:
      *  (1) throw an exception (longjump)
      *  (2) return true if we successfully handled the function return
@@ -XXX,XX +XXX,XX @@ static bool do_v7m_function_return(ARMCPU *cpu)
         frame_sp_p = get_v7m_sp_ptr(env, true, threadmode, spsel);
         frameptr = *frame_sp_p;
 
-        /* These loads may throw an exception (for MPU faults). We want to
+        /*
+         * These loads may throw an exception (for MPU faults). We want to
          * do them as secure, so work out what MMU index that is.
          */
         mmu_idx = arm_v7m_mmu_idx_for_secstate(env, true);
@@ -XXX,XX +XXX,XX @@ static void arm_log_exception(int idx)
 static bool v7m_read_half_insn(ARMCPU *cpu, ARMMMUIdx mmu_idx,
                                uint32_t addr, uint16_t *insn)
 {
-    /* Load a 16-bit portion of a v7M instruction, returning true on success,
+    /*
+     * Load a 16-bit portion of a v7M instruction, returning true on success,
      * or false on failure (in which case we will have pended the appropriate
      * exception).
      * We need to do the instruction fetch's MPU and SAU checks
@@ -XXX,XX +XXX,XX @@ static bool v7m_read_half_insn(ARMCPU *cpu, ARMMMUIdx mmu_idx,
 
     v8m_security_lookup(env, addr, MMU_INST_FETCH, mmu_idx, &sattrs);
     if (!sattrs.nsc || sattrs.ns) {
-        /* This must be the second half of the insn, and it straddles a
+        /*
+         * This must be the second half of the insn, and it straddles a
          * region boundary with the second half not being S&NSC.
          */
         env->v7m.sfsr |= R_V7M_SFSR_INVEP_MASK;
@@ -XXX,XX +XXX,XX @@ static bool v7m_read_half_insn(ARMCPU *cpu, ARMMMUIdx mmu_idx,
 
 static bool v7m_handle_execute_nsc(ARMCPU *cpu)
 {
-    /* Check whether this attempt to execute code in a Secure & NS-Callable
+    /*
+     * Check whether this attempt to execute code in a Secure & NS-Callable
      * memory region is for an SG instruction; if so, then emulate the
      * effect of the SG instruction and return true. Otherwise pend
      * the correct kind of exception and return false.
@@ -XXX,XX +XXX,XX @@ static bool v7m_handle_execute_nsc(ARMCPU *cpu)
     ARMMMUIdx mmu_idx;
     uint16_t insn;
 
-    /* We should never get here unless get_phys_addr_pmsav8() caused
+    /*
+     * We should never get here unless get_phys_addr_pmsav8() caused
      * an exception for NS executing in S&NSC memory.
      */
     assert(!env->v7m.secure);
@@ -XXX,XX +XXX,XX @@ static bool v7m_handle_execute_nsc(ARMCPU *cpu)
     }
 
     if (insn != 0xe97f) {
-        /* Not an SG instruction first half (we choose the IMPDEF
+        /*
+         * Not an SG instruction first half (we choose the IMPDEF
          * early-SG-check option).
          */
         goto gen_invep;
@@ -XXX,XX +XXX,XX @@ static bool v7m_handle_execute_nsc(ARMCPU *cpu)
     }
 
     if (insn != 0xe97f) {
-        /* Not an SG instruction second half (yes, both halves of the SG
+        /*
+         * Not an SG instruction second half (yes, both halves of the SG
          * insn have the same hex value)
          */
         goto gen_invep;
     }
 
-    /* OK, we have confirmed that we really have an SG instruction.
+    /*
+     * OK, we have confirmed that we really have an SG instruction.
      * We know we're NS in S memory so don't need to repeat those checks.
      */
     qemu_log_mask(CPU_LOG_INT, "...really an SG instruction at 0x%08" PRIx32
@@ -XXX,XX +XXX,XX @@ void arm_v7m_cpu_do_interrupt(CPUState *cs)
 
     arm_log_exception(cs->exception_index);
 
-    /* For exceptions we just mark as pending on the NVIC, and let that
-       handle it.  */
+    /*
+     * For exceptions we just mark as pending on the NVIC, and let that
+     * handle it.
+     */
     switch (cs->exception_index) {
     case EXCP_UDEF:
         armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, env->v7m.secure);
@@ -XXX,XX +XXX,XX @@ void arm_v7m_cpu_do_interrupt(CPUState *cs)
         break;
     case EXCP_PREFETCH_ABORT:
     case EXCP_DATA_ABORT:
-        /* Note that for M profile we don't have a guest facing FSR, but
+        /*
+         * Note that for M profile we don't have a guest facing FSR, but
          * the env->exception.fsr will be populated by the code that
          * raises the fault, in the A profile short-descriptor format.
          */
         switch (env->exception.fsr & 0xf) {
         case M_FAKE_FSR_NSC_EXEC:
-            /* Exception generated when we try to execute code at an address
+            /*
+             * Exception generated when we try to execute code at an address
              * which is marked as Secure & Non-Secure Callable and the CPU
              * is in the Non-Secure state. The only instruction which can
              * be executed like this is SG (and that only if both halves of
@@ -XXX,XX +XXX,XX @@ void arm_v7m_cpu_do_interrupt(CPUState *cs)
             }
             break;
         case M_FAKE_FSR_SFAULT:
-            /* Various flavours of SecureFault for attempts to execute or
+            /*
+             * Various flavours of SecureFault for attempts to execute or
              * access data in the wrong security state.
              */
             switch (cs->exception_index) {
@@ -XXX,XX +XXX,XX @@ void arm_v7m_cpu_do_interrupt(CPUState *cs)
             armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_BUS, false);
             break;
         default:
-            /* All other FSR values are either MPU faults or "can't happen
+            /*
+             * All other FSR values are either MPU faults or "can't happen
              * for M profile" cases.
              */
             switch (cs->exception_index) {
@@ -XXX,XX +XXX,XX @@ void arm_v7m_cpu_do_interrupt(CPUState *cs)
     if (arm_feature(env, ARM_FEATURE_V8)) {
         lr = R_V7M_EXCRET_RES1_MASK |
             R_V7M_EXCRET_DCRS_MASK;
-        /* The S bit indicates whether we should return to Secure
+        /*
+         * The S bit indicates whether we should return to Secure
          * or NonSecure (ie our current state).
          * The ES bit indicates whether we're taking this exception
          * to Secure or NonSecure (ie our target state). We set it
@@ -XXX,XX +XXX,XX @@ void arm_v7m_cpu_do_interrupt(CPUState *cs)
     v7m_exception_taken(cpu, lr, false, ignore_stackfaults);
 }
 
-/* Function used to synchronize QEMU's AArch64 register set with AArch32
+/*
+ * Function used to synchronize QEMU's AArch64 register set with AArch32
  * register set.  This is necessary when switching between AArch32 and AArch64
  * execution state.
  */
@@ -XXX,XX +XXX,XX @@ void aarch64_sync_32_to_64(CPUARMState *env)
         env->xregs[i] = env->regs[i];
     }
 
-    /* Unless we are in FIQ mode, x8-x12 come from the user registers r8-r12.
+    /*
+     * Unless we are in FIQ mode, x8-x12 come from the user registers r8-r12.
      * Otherwise, they come from the banked user regs.
      */
     if (mode == ARM_CPU_MODE_FIQ) {
@@ -XXX,XX +XXX,XX @@ void aarch64_sync_32_to_64(CPUARMState *env)
         }
     }
 
-    /* Registers x13-x23 are the various mode SP and FP registers. Registers
+    /*
+     * Registers x13-x23 are the various mode SP and FP registers. Registers
      * r13 and r14 are only copied if we are in that mode, otherwise we copy
      * from the mode banked register.
      */
@@ -XXX,XX +XXX,XX @@ void aarch64_sync_32_to_64(CPUARMState *env)
         env->xregs[23] = env->banked_r13[bank_number(ARM_CPU_MODE_UND)];
     }
 
-    /* Registers x24-x30 are mapped to r8-r14 in FIQ mode.  If we are in FIQ
+    /*
+     * Registers x24-x30 are mapped to r8-r14 in FIQ mode.  If we are in FIQ
      * mode, then we can copy from r8-r14.  Otherwise, we copy from the
      * FIQ bank for r8-r14.
      */
@@ -XXX,XX +XXX,XX @@ void aarch64_sync_32_to_64(CPUARMState *env)
     env->pc = env->regs[15];
 }
 
-/* Function used to synchronize QEMU's AArch32 register set with AArch64
+/*
+ * Function used to synchronize QEMU's AArch32 register set with AArch64
  * register set.  This is necessary when switching between AArch32 and AArch64
  * execution state.
  */
@@ -XXX,XX +XXX,XX @@ void aarch64_sync_64_to_32(CPUARMState *env)
         env->regs[i] = env->xregs[i];
     }
 
-    /* Unless we are in FIQ mode, r8-r12 come from the user registers x8-x12.
+    /*
+     * Unless we are in FIQ mode, r8-r12 come from the user registers x8-x12.
      * Otherwise, we copy x8-x12 into the banked user regs.
      */
     if (mode == ARM_CPU_MODE_FIQ) {
@@ -XXX,XX +XXX,XX @@ void aarch64_sync_64_to_32(CPUARMState *env)
         }
     }
 
-    /* Registers r13 & r14 depend on the current mode.
+    /*
+     * Registers r13 & r14 depend on the current mode.
      * If we are in a given mode, we copy the corresponding x registers to r13
      * and r14.  Otherwise, we copy the x register to the banked r13 and r14
      * for the mode.
@@ -XXX,XX +XXX,XX @@ void aarch64_sync_64_to_32(CPUARMState *env)
     } else {
         env->banked_r13[bank_number(ARM_CPU_MODE_USR)] = env->xregs[13];
 
-        /* HYP is an exception in that it does not have its own banked r14 but
+        /*
+         * HYP is an exception in that it does not have its own banked r14 but
          * shares the USR r14
          */
         if (mode == ARM_CPU_MODE_HYP) {
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(v7m_mrs)(CPUARMState *env, uint32_t reg)
         return value;
     }
     case 0x94: /* CONTROL_NS */
-        /* We have to handle this here because unprivileged Secure code
+        /*
+         * We have to handle this here because unprivileged Secure code
          * can read the NS CONTROL register.
          */
         if (!env->v7m.secure) {
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(v7m_mrs)(CPUARMState *env, uint32_t reg)
             return env->v7m.faultmask[M_REG_NS];
         case 0x98: /* SP_NS */
         {
-            /* This gives the non-secure SP selected based on whether we're
+            /*
+             * This gives the non-secure SP selected based on whether we're
              * currently in handler mode or not, using the NS CONTROL.SPSEL.
              */
             bool spsel = env->v7m.control[M_REG_NS] & R_V7M_CONTROL_SPSEL_MASK;
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(v7m_mrs)(CPUARMState *env, uint32_t reg)
 
 void HELPER(v7m_msr)(CPUARMState *env, uint32_t maskreg, uint32_t val)
 {
-    /* We're passed bits [11..0] of the instruction; extract
+    /*
+     * We're passed bits [11..0] of the instruction; extract
      * SYSm and the mask bits.
      * Invalid combinations of SYSm and mask are UNPREDICTABLE;
      * we choose to treat them as if the mask bits were valid.
@@ -XXX,XX +XXX,XX @@ void HELPER(v7m_msr)(CPUARMState *env, uint32_t maskreg, uint32_t val)
             return;
         case 0x98: /* SP_NS */
         {
-            /* This gives the non-secure SP selected based on whether we're
+            /*
+             * This gives the non-secure SP selected based on whether we're
              * currently in handler mode or not, using the NS CONTROL.SPSEL.
              */
             bool spsel = env->v7m.control[M_REG_NS] & R_V7M_CONTROL_SPSEL_MASK;
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(v7m_tt)(CPUARMState *env, uint32_t addr, uint32_t op)
     bool targetsec = env->v7m.secure;
     bool is_subpage;
 
-    /* Work out what the security state and privilege level we're
+    /*
+     * Work out what the security state and privilege level we're
      * interested in is...
      */
     if (alt) {
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(v7m_tt)(CPUARMState *env, uint32_t addr, uint32_t op)
     /* ...and then figure out which MMU index this is */
     mmu_idx = arm_v7m_mmu_idx_for_secstate_and_priv(env, targetsec, targetpriv);
 
-    /* We know that the MPU and SAU don't care about the access type
+    /*
+     * We know that the MPU and SAU don't care about the access type
      * for our purposes beyond that we don't want to claim to be
      * an insn fetch, so we arbitrarily call this a read.
      */
 
-    /* MPU region info only available for privileged or if
+    /*
+     * MPU region info only available for privileged or if
      * inspecting the other MPU state.
      */
     if (arm_current_el(env) != 0 || alt) {
@@ -XXX,XX +XXX,XX @@ bool arm_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
 
 void HELPER(dc_zva)(CPUARMState *env, uint64_t vaddr_in)
 {
-    /* Implement DC ZVA, which zeroes a fixed-length block of memory.
+    /*
+     * Implement DC ZVA, which zeroes a fixed-length block of memory.
      * Note that we do not implement the (architecturally mandated)
      * alignment fault for attempts to use this on Device memory
      * (which matches the usual QEMU behaviour of not implementing either
@@ -XXX,XX +XXX,XX @@ void HELPER(dc_zva)(CPUARMState *env, uint64_t vaddr_in)
 
 #ifndef CONFIG_USER_ONLY
     {
-        /* Slightly awkwardly, QEMU's TARGET_PAGE_SIZE may be less than
+        /*
+         * Slightly awkwardly, QEMU's TARGET_PAGE_SIZE may be less than
          * the block size so we might have to do more than one TLB lookup.
          * We know that in fact for any v8 CPU the page size is at least 4K
          * and the block size must be 2K or less, but TARGET_PAGE_SIZE is only
@@ -XXX,XX +XXX,XX @@ void HELPER(dc_zva)(CPUARMState *env, uint64_t vaddr_in)
                 }
             }
             if (i == maxidx) {
-                /* If it's all in the TLB it's fair game for just writing to;
+                /*
+                 * If it's all in the TLB it's fair game for just writing to;
                  * we know we don't need to update dirty status, etc.
                  */
                 for (i = 0; i < maxidx - 1; i++) {
@@ -XXX,XX +XXX,XX @@ void HELPER(dc_zva)(CPUARMState *env, uint64_t vaddr_in)
                 memset(hostaddr[i], 0, blocklen - (i * TARGET_PAGE_SIZE));
                 return;
             }
-            /* OK, try a store and see if we can populate the tlb. This
+            /*
+             * OK, try a store and see if we can populate the tlb. This
              * might cause an exception if the memory isn't writable,
              * in which case we will longjmp out of here. We must for
              * this purpose use the actual register value passed to us
@@ -XXX,XX +XXX,XX @@ void HELPER(dc_zva)(CPUARMState *env, uint64_t vaddr_in)
             }
         }
 
-        /* Slow path (probably attempt to do this to an I/O device or
+        /*
+         * Slow path (probably attempt to do this to an I/O device or
          * similar, or clearing of a block of code we have translations
          * cached for). Just do a series of byte writes as the architecture
          * demands. It's not worth trying to use a cpu_physical_memory_map(),
diff --git a/target/arm/op_helper.c b/target/arm/op_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/op_helper.c
+++ b/target/arm/op_helper.c
@@ -XXX,XX +XXX,XX @@ static inline uint32_t merge_syn_data_abort(uint32_t template_syn,
 {
     uint32_t syn;
 
-    /* ISV is only set for data aborts routed to EL2 and
+    /*
+     * ISV is only set for data aborts routed to EL2 and
      * never for stage-1 page table walks faulting on stage 2.
      *
      * Furthermore, ISV is only set for certain kinds of load/stores.
@@ -XXX,XX +XXX,XX @@ static inline uint32_t merge_syn_data_abort(uint32_t template_syn,
         syn = syn_data_abort_no_iss(same_el,
                                     ea, 0, s1ptw, is_write, fsc);
     } else {
-        /* Fields: IL, ISV, SAS, SSE, SRT, SF and AR come from the template
+        /*
+         * Fields: IL, ISV, SAS, SSE, SRT, SF and AR come from the template
          * syndrome created at translation time.
          * Now we create the runtime syndrome with the remaining fields.
          */
@@ -XXX,XX +XXX,XX @@ void arm_deliver_fault(ARMCPU *cpu, vaddr addr, MMUAccessType access_type,
 
     if (target_el == 2 || arm_el_is_aa64(env, target_el) ||
         arm_s1_regime_using_lpae_format(env, arm_mmu_idx)) {
-        /* LPAE format fault status register : bottom 6 bits are
+        /*
+         * LPAE format fault status register : bottom 6 bits are
          * status code in the same form as needed for syndrome
          */
         fsr = arm_fi_to_lfsc(fi);
         fsc = extract32(fsr, 0, 6);
     } else {
         fsr = arm_fi_to_sfsc(fi);
-        /* Short format FSR : this fault will never actually be reported
+        /*
+         * Short format FSR : this fault will never actually be reported
          * to an EL that uses a syndrome register. Use a (currently)
          * reserved FSR code in case the constructed syndrome does leak
          * into the guest somehow.
@@ -XXX,XX +XXX,XX @@ void arm_cpu_do_unaligned_access(CPUState *cs, vaddr vaddr,
     arm_deliver_fault(cpu, vaddr, access_type, mmu_idx, &fi);
 }
 
-/* arm_cpu_do_transaction_failed: handle a memory system error response
+/*
+ * arm_cpu_do_transaction_failed: handle a memory system error response
  * (eg "no device/memory present at address") by raising an external abort
  * exception
  */
@@ -XXX,XX +XXX,XX @@ static bool linked_bp_matches(ARMCPU *cpu, int lbn)
     int bt;
     uint32_t contextidr;
 
-    /* Links to unimplemented or non-context aware breakpoints are
+    /*
+     * Links to unimplemented or non-context aware breakpoints are
      * CONSTRAINED UNPREDICTABLE: either behave as if disabled, or
      * as if linked to an UNKNOWN context-aware breakpoint (in which
      * case DBGWCR<n>_EL1.LBN must indicate that breakpoint).
@@ -XXX,XX +XXX,XX @@ static bool linked_bp_matches(ARMCPU *cpu, int lbn)
 
     bt = extract64(bcr, 20, 4);
 
-    /* We match the whole register even if this is AArch32 using the
+    /*
+     * We match the whole register even if this is AArch32 using the
      * short descriptor format (in which case it holds both PROCID and ASID),
      * since we don't implement the optional v7 context ID masking.
      */
@@ -XXX,XX +XXX,XX @@ static bool linked_bp_matches(ARMCPU *cpu, int lbn)
     case 9: /* linked VMID match (reserved if no EL2) */
     case 11: /* linked context ID and VMID match (reserved if no EL2) */
     default:
-        /* Links to Unlinked context breakpoints must generate no
+        /*
+         * Links to Unlinked context breakpoints must generate no
          * events; we choose to do the same for reserved values too.
          */
         return false;
@@ -XXX,XX +XXX,XX @@ static bool bp_wp_matches(ARMCPU *cpu, int n, bool is_wp)
     CPUARMState *env = &cpu->env;
     uint64_t cr;
     int pac, hmc, ssc, wt, lbn;
-    /* Note that for watchpoints the check is against the CPU security
+    /*
+     * Note that for watchpoints the check is against the CPU security
      * state, not the S/NS attribute on the offending data access.
      */
     bool is_secure = arm_is_secure(env);
@@ -XXX,XX +XXX,XX @@ static bool bp_wp_matches(ARMCPU *cpu, int n, bool is_wp)
         }
         cr = env->cp15.dbgwcr[n];
         if (wp->hitattrs.user) {
-            /* The LDRT/STRT/LDT/STT "unprivileged access" instructions should
+            /*
+             * The LDRT/STRT/LDT/STT "unprivileged access" instructions should
              * match watchpoints as if they were accesses done at EL0, even if
              * the CPU is at EL1 or higher.
              */
@@ -XXX,XX +XXX,XX @@ static bool bp_wp_matches(ARMCPU *cpu, int n, bool is_wp)
         }
         cr = env->cp15.dbgbcr[n];
     }
-    /* The WATCHPOINT_HIT flag guarantees us that the watchpoint is
+    /*
+     * The WATCHPOINT_HIT flag guarantees us that the watchpoint is
      * enabled and that the address and access type match; for breakpoints
      * we know the address matched; check the remaining fields, including
      * linked breakpoints. We rely on WCR and BCR having the same layout
@@ -XXX,XX +XXX,XX @@ static bool check_watchpoints(ARMCPU *cpu)
     CPUARMState *env = &cpu->env;
     int n;
 
-    /* If watchpoints are disabled globally or we can't take debug
+    /*
+     * If watchpoints are disabled globally or we can't take debug
      * exceptions here then watchpoint firings are ignored.
      */
     if (extract32(env->cp15.mdscr_el1, 15, 1) == 0
@@ -XXX,XX +XXX,XX @@ static bool check_breakpoints(ARMCPU *cpu)
     CPUARMState *env = &cpu->env;
     int n;
 
-    /* If breakpoints are disabled globally or we can't take debug
+    /*
+     * If breakpoints are disabled globally or we can't take debug
      * exceptions here then breakpoint firings are ignored.
      */
     if (extract32(env->cp15.mdscr_el1, 15, 1) == 0
@@ -XXX,XX +XXX,XX @@ void HELPER(check_breakpoints)(CPUARMState *env)
 
 bool arm_debug_check_watchpoint(CPUState *cs, CPUWatchpoint *wp)
 {
-    /* Called by core code when a CPU watchpoint fires; need to check if this
+    /*
+     * Called by core code when a CPU watchpoint fires; need to check if this
      * is also an architectural watchpoint match.
      */
     ARMCPU *cpu = ARM_CPU(cs);
@@ -XXX,XX +XXX,XX @@ vaddr arm_adjust_watchpoint_address(CPUState *cs, vaddr addr, int len)
     ARMCPU *cpu = ARM_CPU(cs);
     CPUARMState *env = &cpu->env;
 
-    /* In BE32 system mode, target memory is stored byteswapped (on a
+    /*
+     * In BE32 system mode, target memory is stored byteswapped (on a
      * little-endian host system), and by the time we reach here (via an
      * opcode helper) the addresses of subword accesses have been adjusted
      * to account for that, which means that watchpoints will not match.
@@ -XXX,XX +XXX,XX @@ vaddr arm_adjust_watchpoint_address(CPUState *cs, vaddr addr, int len)
 
 void arm_debug_excp_handler(CPUState *cs)
 {
-    /* Called by core code when a watchpoint or breakpoint fires;
+    /*
+     * Called by core code when a watchpoint or breakpoint fires;
      * need to check which one and raise the appropriate exception.
      */
     ARMCPU *cpu = ARM_CPU(cs);
@@ -XXX,XX +XXX,XX @@ void arm_debug_excp_handler(CPUState *cs)
         uint64_t pc = is_a64(env) ? env->pc : env->regs[15];
         bool same_el = (arm_debug_target_el(env) == arm_current_el(env));
 
-        /* (1) GDB breakpoints should be handled first.
+        /*
+         * (1) GDB breakpoints should be handled first.
          * (2) Do not raise a CPU exception if no CPU breakpoint has fired,
          * since singlestep is also done by generating a debug internal
          * exception.
@@ -XXX,XX +XXX,XX @@ void arm_debug_excp_handler(CPUState *cs)
         }
 
         env->exception.fsr = arm_debug_exception_fsr(env);
-        /* FAR is UNKNOWN: clear vaddress to avoid potentially exposing
+        /*
+         * FAR is UNKNOWN: clear vaddress to avoid potentially exposing
          * values to the guest that it shouldn't be able to see at its
          * exception/security level.
          */
diff --git a/target/arm/vfp_helper.c b/target/arm/vfp_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/vfp_helper.c
+++ b/target/arm/vfp_helper.c
@@ -XXX,XX +XXX,XX @@ void HELPER(vfp_set_fpscr)(CPUARMState *env, uint32_t val)
         set_default_nan_mode(dnan_enabled, &env->vfp.fp_status_f16);
     }
 
-    /* The exception flags are ORed together when we read fpscr so we
+    /*
+     * The exception flags are ORed together when we read fpscr so we
      * only need to preserve the current state in one of our
      * float_status values.
      */
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

Since we'll move this code around, fix its style first.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190701132516.26392-9-philmd@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate.c  | 11 ++++++-----
 target/arm/vfp_helper.c | 36 ++++++++++++++++++++++++------------
 2 files changed, 30 insertions(+), 17 deletions(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
                 loaded_base = 0;
                 loaded_var = NULL;
                 n = 0;
-                for(i=0;i<16;i++) {
+                for (i = 0; i < 16; i++) {
                     if (insn & (1 << i))
                         n++;
                 }
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
                     }
                 }
                 j = 0;
-                for(i=0;i<16;i++) {
+                for (i = 0; i < 16; i++) {
                     if (insn & (1 << i)) {
                         if (is_load) {
                             /* load */
@@ -XXX,XX +XXX,XX @@ void arm_cpu_dump_state(CPUState *cs, FILE *f, int flags)
         return;
     }
 
-    for(i=0;i<16;i++) {
+    for (i = 0; i < 16; i++) {
         qemu_fprintf(f, "R%02d=%08x", i, env->regs[i]);
-        if ((i % 4) == 3)
+        if ((i % 4) == 3) {
             qemu_fprintf(f, "\n");
-        else
+        } else {
             qemu_fprintf(f, " ");
+        }
     }
 
     if (arm_feature(env, ARM_FEATURE_M)) {
diff --git a/target/arm/vfp_helper.c b/target/arm/vfp_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/vfp_helper.c
+++ b/target/arm/vfp_helper.c
@@ -XXX,XX +XXX,XX @@ static inline int vfp_exceptbits_from_host(int host_bits)
 {
     int target_bits = 0;
 
-    if (host_bits & float_flag_invalid)
+    if (host_bits & float_flag_invalid) {
         target_bits |= 1;
-    if (host_bits & float_flag_divbyzero)
+    }
+    if (host_bits & float_flag_divbyzero) {
         target_bits |= 2;
-    if (host_bits & float_flag_overflow)
+    }
+    if (host_bits & float_flag_overflow) {
         target_bits |= 4;
-    if (host_bits & (float_flag_underflow | float_flag_output_denormal))
+    }
+    if (host_bits & (float_flag_underflow | float_flag_output_denormal)) {
         target_bits |= 8;
-    if (host_bits & float_flag_inexact)
+    }
+    if (host_bits & float_flag_inexact) {
         target_bits |= 0x10;
-    if (host_bits & float_flag_input_denormal)
+    }
+    if (host_bits & float_flag_input_denormal) {
         target_bits |= 0x80;
+    }
     return target_bits;
 }
 
@@ -XXX,XX +XXX,XX @@ static inline int vfp_exceptbits_to_host(int target_bits)
 {
     int host_bits = 0;
 
-    if (target_bits & 1)
+    if (target_bits & 1) {
         host_bits |= float_flag_invalid;
-    if (target_bits & 2)
+    }
+    if (target_bits & 2) {
         host_bits |= float_flag_divbyzero;
-    if (target_bits & 4)
+    }
+    if (target_bits & 4) {
         host_bits |= float_flag_overflow;
-    if (target_bits & 8)
+    }
+    if (target_bits & 8) {
         host_bits |= float_flag_underflow;
-    if (target_bits & 0x10)
+    }
+    if (target_bits & 0x10) {
         host_bits |= float_flag_inexact;
-    if (target_bits & 0x80)
+    }
+    if (target_bits & 0x80) {
         host_bits |= float_flag_input_denormal;
+    }
     return host_bits;
 }
 
-- 
2.20.1

From: Samuel Ortiz <sameo@linux.intel.com>

Those helpers are a software implementation of the ARM v8 memory zeroing
op code. They should be moved to the op helper file, which is going to
eventually be built only when TCG is enabled.

Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Robert Bradford <robert.bradford@intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190701132516.26392-10-philmd@redhat.com
[PMD: Rebased]
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c    | 92 -----------------------------------------
 target/arm/op_helper.c | 93 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 93 insertions(+), 92 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ bool arm_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
 #endif
 }
 
-void HELPER(dc_zva)(CPUARMState *env, uint64_t vaddr_in)
-{
-    /*
-     * Implement DC ZVA, which zeroes a fixed-length block of memory.
-     * Note that we do not implement the (architecturally mandated)
-     * alignment fault for attempts to use this on Device memory
-     * (which matches the usual QEMU behaviour of not implementing either
-     * alignment faults or any memory attribute handling).
-     */
-
-    ARMCPU *cpu = env_archcpu(env);
-    uint64_t blocklen = 4 << cpu->dcz_blocksize;
-    uint64_t vaddr = vaddr_in & ~(blocklen - 1);
-
-#ifndef CONFIG_USER_ONLY
-    {
-        /*
-         * Slightly awkwardly, QEMU's TARGET_PAGE_SIZE may be less than
-         * the block size so we might have to do more than one TLB lookup.
-         * We know that in fact for any v8 CPU the page size is at least 4K
-         * and the block size must be 2K or less, but TARGET_PAGE_SIZE is only
-         * 1K as an artefact of legacy v5 subpage support being present in the
-         * same QEMU executable. So in practice the hostaddr[] array has
-         * two entries, given the current setting of TARGET_PAGE_BITS_MIN.
-         */
-        int maxidx = DIV_ROUND_UP(blocklen, TARGET_PAGE_SIZE);
-        void *hostaddr[DIV_ROUND_UP(2 * KiB, 1 << TARGET_PAGE_BITS_MIN)];
-        int try, i;
-        unsigned mmu_idx = cpu_mmu_index(env, false);
-        TCGMemOpIdx oi = make_memop_idx(MO_UB, mmu_idx);
-
-        assert(maxidx <= ARRAY_SIZE(hostaddr));
-
-        for (try = 0; try < 2; try++) {
-
-            for (i = 0; i < maxidx; i++) {
-                hostaddr[i] = tlb_vaddr_to_host(env,
-                                                vaddr + TARGET_PAGE_SIZE * i,
-                                                1, mmu_idx);
-                if (!hostaddr[i]) {
-                    break;
-                }
-            }
-            if (i == maxidx) {
-                /*
-                 * If it's all in the TLB it's fair game for just writing to;
-                 * we know we don't need to update dirty status, etc.
-                 */
-                for (i = 0; i < maxidx - 1; i++) {
-                    memset(hostaddr[i], 0, TARGET_PAGE_SIZE);
-                }
-                memset(hostaddr[i], 0, blocklen - (i * TARGET_PAGE_SIZE));
-                return;
-            }
-            /*
-             * OK, try a store and see if we can populate the tlb. This
-             * might cause an exception if the memory isn't writable,
-             * in which case we will longjmp out of here. We must for
-             * this purpose use the actual register value passed to us
-             * so that we get the fault address right.
-             */
-            helper_ret_stb_mmu(env, vaddr_in, 0, oi, GETPC());
-            /* Now we can populate the other TLB entries, if any */
-            for (i = 0; i < maxidx; i++) {
-                uint64_t va = vaddr + TARGET_PAGE_SIZE * i;
-                if (va != (vaddr_in & TARGET_PAGE_MASK)) {
-                    helper_ret_stb_mmu(env, va, 0, oi, GETPC());
-                }
-            }
-        }
-
-        /*
-         * Slow path (probably attempt to do this to an I/O device or
-         * similar, or clearing of a block of code we have translations
-         * cached for). Just do a series of byte writes as the architecture
-         * demands. It's not worth trying to use a cpu_physical_memory_map(),
-         * memset(), unmap() sequence here because:
-         *  + we'd need to account for the blocksize being larger than a page
-         *  + the direct-RAM access case is almost always going to be dealt
-         *    with in the fastpath code above, so there's no speed benefit
-         *  + we would have to deal with the map returning NULL because the
-         *    bounce buffer was in use
-         */
-        for (i = 0; i < blocklen; i++) {
-            helper_ret_stb_mmu(env, vaddr + i, 0, oi, GETPC());
-        }
-    }
-#else
-    memset(g2h(vaddr), 0, blocklen);
-#endif
-}
-
 /* Note that signed overflow is undefined in C.  The following routines are
    careful to use unsigned types where modulo arithmetic is required.
    Failure to do so _will_ break on newer gcc.  */
diff --git a/target/arm/op_helper.c b/target/arm/op_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/op_helper.c
+++ b/target/arm/op_helper.c
@@ -XXX,XX +XXX,XX @@
  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
  */
 #include "qemu/osdep.h"
+#include "qemu/units.h"
 #include "qemu/log.h"
 #include "qemu/main-loop.h"
 #include "cpu.h"
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(ror_cc)(CPUARMState *env, uint32_t x, uint32_t i)
         return ((uint32_t)x >> shift) | (x << (32 - shift));
     }
 }
+
+void HELPER(dc_zva)(CPUARMState *env, uint64_t vaddr_in)
+{
+    /*
+     * Implement DC ZVA, which zeroes a fixed-length block of memory.
+     * Note that we do not implement the (architecturally mandated)
+     * alignment fault for attempts to use this on Device memory
+     * (which matches the usual QEMU behaviour of not implementing either
+     * alignment faults or any memory attribute handling).
+     */
+
+    ARMCPU *cpu = env_archcpu(env);
+    uint64_t blocklen = 4 << cpu->dcz_blocksize;
+    uint64_t vaddr = vaddr_in & ~(blocklen - 1);
+
+#ifndef CONFIG_USER_ONLY
+    {
+        /*
+         * Slightly awkwardly, QEMU's TARGET_PAGE_SIZE may be less than
+         * the block size so we might have to do more than one TLB lookup.
+         * We know that in fact for any v8 CPU the page size is at least 4K
+         * and the block size must be 2K or less, but TARGET_PAGE_SIZE is only
+         * 1K as an artefact of legacy v5 subpage support being present in the
+         * same QEMU executable. So in practice the hostaddr[] array has
+         * two entries, given the current setting of TARGET_PAGE_BITS_MIN.
+         */
+        int maxidx = DIV_ROUND_UP(blocklen, TARGET_PAGE_SIZE);
+        void *hostaddr[DIV_ROUND_UP(2 * KiB, 1 << TARGET_PAGE_BITS_MIN)];
+        int try, i;
+        unsigned mmu_idx = cpu_mmu_index(env, false);
+        TCGMemOpIdx oi = make_memop_idx(MO_UB, mmu_idx);
+
+        assert(maxidx <= ARRAY_SIZE(hostaddr));
+
+        for (try = 0; try < 2; try++) {
+
+            for (i = 0; i < maxidx; i++) {
+                hostaddr[i] = tlb_vaddr_to_host(env,
+                                                vaddr + TARGET_PAGE_SIZE * i,
+                                                1, mmu_idx);
+                if (!hostaddr[i]) {
+                    break;
+                }
+            }
+            if (i == maxidx) {
+                /*
+                 * If it's all in the TLB it's fair game for just writing to;
+                 * we know we don't need to update dirty status, etc.
+                 */
+                for (i = 0; i < maxidx - 1; i++) {
+                    memset(hostaddr[i], 0, TARGET_PAGE_SIZE);
+                }
+                memset(hostaddr[i], 0, blocklen - (i * TARGET_PAGE_SIZE));
+                return;
+            }
+            /*
+             * OK, try a store and see if we can populate the tlb. This
+             * might cause an exception if the memory isn't writable,
+             * in which case we will longjmp out of here. We must for
+             * this purpose use the actual register value passed to us
+             * so that we get the fault address right.
+             */
+            helper_ret_stb_mmu(env, vaddr_in, 0, oi, GETPC());
+            /* Now we can populate the other TLB entries, if any */
+            for (i = 0; i < maxidx; i++) {
+                uint64_t va = vaddr + TARGET_PAGE_SIZE * i;
+                if (va != (vaddr_in & TARGET_PAGE_MASK)) {
+                    helper_ret_stb_mmu(env, va, 0, oi, GETPC());
+                }
+            }
+        }
+
+        /*
+         * Slow path (probably attempt to do this to an I/O device or
+         * similar, or clearing of a block of code we have translations
+         * cached for). Just do a series of byte writes as the architecture
+         * demands. It's not worth trying to use a cpu_physical_memory_map(),
+         * memset(), unmap() sequence here because:
+         *  + we'd need to account for the blocksize being larger than a page
+         *  + the direct-RAM access case is almost always going to be dealt
+         *    with in the fastpath code above, so there's no speed benefit
+         *  + we would have to deal with the map returning NULL because the
+         *    bounce buffer was in use
+         */
+        for (i = 0; i < blocklen; i++) {
+            helper_ret_stb_mmu(env, vaddr + i, 0, oi, GETPC());
+        }
+    }
+#else
+    memset(g2h(vaddr), 0, blocklen);
+#endif
+}
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

Suggested-by: Samuel Ortiz <sameo@linux.intel.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190701132516.26392-11-philmd@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h           |   2 -
 target/arm/translate.h     |   5 -
 target/arm/cpu.c           | 226 +++++++++++++++++++++++++++++++++++++
 target/arm/translate-a64.c | 128 ---------------------
 target/arm/translate.c     |  88 ---------------
 5 files changed, 226 insertions(+), 223 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ void arm_cpu_do_interrupt(CPUState *cpu);
 void arm_v7m_cpu_do_interrupt(CPUState *cpu);
 bool arm_cpu_exec_interrupt(CPUState *cpu, int int_req);
 
-void arm_cpu_dump_state(CPUState *cs, FILE *f, int flags);
-
 hwaddr arm_cpu_get_phys_page_attrs_debug(CPUState *cpu, vaddr addr,
                                          MemTxAttrs *attrs);
 
diff --git a/target/arm/translate.h b/target/arm/translate.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.h
+++ b/target/arm/translate.h
@@ -XXX,XX +XXX,XX @@ static inline void disas_set_insn_syndrome(DisasContext *s, uint32_t syn)
 #ifdef TARGET_AARCH64
 void a64_translate_init(void);
 void gen_a64_set_pc_im(uint64_t val);
-void aarch64_cpu_dump_state(CPUState *cs, FILE *f, int flags);
 extern const TranslatorOps aarch64_translator_ops;
 #else
 static inline void a64_translate_init(void)
@@ -XXX,XX +XXX,XX @@ static inline void a64_translate_init(void)
 static inline void gen_a64_set_pc_im(uint64_t val)
 {
 }
-
-static inline void aarch64_cpu_dump_state(CPUState *cs, FILE *f, int flags)
-{
-}
 #endif
 
 void arm_test_cc(DisasCompare *cmp, int cc);
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@
  */
 
 #include "qemu/osdep.h"
+#include "qemu/qemu-print.h"
 #include "qemu-common.h"
 #include "target/arm/idau.h"
 #include "qemu/module.h"
@@ -XXX,XX +XXX,XX @@ static void arm_disas_set_info(CPUState *cpu, disassemble_info *info)
 #endif
 }
 
+#ifdef TARGET_AARCH64
+
+static void aarch64_cpu_dump_state(CPUState *cs, FILE *f, int flags)
+{
+    ARMCPU *cpu = ARM_CPU(cs);
+    CPUARMState *env = &cpu->env;
+    uint32_t psr = pstate_read(env);
+    int i;
+    int el = arm_current_el(env);
+    const char *ns_status;
+
+    qemu_fprintf(f, " PC=%016" PRIx64 " ", env->pc);
+    for (i = 0; i < 32; i++) {
+        if (i == 31) {
+            qemu_fprintf(f, " SP=%016" PRIx64 "\n", env->xregs[i]);
+        } else {
+            qemu_fprintf(f, "X%02d=%016" PRIx64 "%s", i, env->xregs[i],
+                         (i + 2) % 3 ? " " : "\n");
+        }
+    }
+
+    if (arm_feature(env, ARM_FEATURE_EL3) && el != 3) {
+        ns_status = env->cp15.scr_el3 & SCR_NS ? "NS " : "S ";
+    } else {
+        ns_status = "";
+    }
+    qemu_fprintf(f, "PSTATE=%08x %c%c%c%c %sEL%d%c",
+                 psr,
+                 psr & PSTATE_N ? 'N' : '-',
+                 psr & PSTATE_Z ? 'Z' : '-',
+                 psr & PSTATE_C ? 'C' : '-',
+                 psr & PSTATE_V ? 'V' : '-',
+                 ns_status,
+                 el,
+                 psr & PSTATE_SP ? 'h' : 't');
+
+    if (cpu_isar_feature(aa64_bti, cpu)) {
+        qemu_fprintf(f, "  BTYPE=%d", (psr & PSTATE_BTYPE) >> 10);
+    }
+    if (!(flags & CPU_DUMP_FPU)) {
+        qemu_fprintf(f, "\n");
+        return;
+    }
+    if (fp_exception_el(env, el) != 0) {
+        qemu_fprintf(f, "    FPU disabled\n");
+        return;
+    }
+    qemu_fprintf(f, "     FPCR=%08x FPSR=%08x\n",
+                 vfp_get_fpcr(env), vfp_get_fpsr(env));
+
+    if (cpu_isar_feature(aa64_sve, cpu) && sve_exception_el(env, el) == 0) {
+        int j, zcr_len = sve_zcr_len_for_el(env, el);
+
+        for (i = 0; i <= FFR_PRED_NUM; i++) {
+            bool eol;
+            if (i == FFR_PRED_NUM) {
+                qemu_fprintf(f, "FFR=");
+                /* It's last, so end the line.  */
+                eol = true;
+            } else {
+                qemu_fprintf(f, "P%02d=", i);
+                switch (zcr_len) {
+                case 0:
+                    eol = i % 8 == 7;
+                    break;
+                case 1:
+                    eol = i % 6 == 5;
+                    break;
+                case 2:
+                case 3:
+                    eol = i % 3 == 2;
+                    break;
+                default:
+                    /* More than one quadword per predicate.  */
+                    eol = true;
+                    break;
+                }
+            }
+            for (j = zcr_len / 4; j >= 0; j--) {
+                int digits;
+                if (j * 4 + 4 <= zcr_len + 1) {
+                    digits = 16;
+                } else {
+                    digits = (zcr_len % 4 + 1) * 4;
+                }
+                qemu_fprintf(f, "%0*" PRIx64 "%s", digits,
+                             env->vfp.pregs[i].p[j],
+                             j ? ":" : eol ? "\n" : " ");
+            }
+        }
+
+        for (i = 0; i < 32; i++) {
+            if (zcr_len == 0) {
+                qemu_fprintf(f, "Z%02d=%016" PRIx64 ":%016" PRIx64 "%s",
+                             i, env->vfp.zregs[i].d[1],
+                             env->vfp.zregs[i].d[0], i & 1 ? "\n" : " ");
+            } else if (zcr_len == 1) {
+                qemu_fprintf(f, "Z%02d=%016" PRIx64 ":%016" PRIx64
+                             ":%016" PRIx64 ":%016" PRIx64 "\n",
+                             i, env->vfp.zregs[i].d[3], env->vfp.zregs[i].d[2],
+                             env->vfp.zregs[i].d[1], env->vfp.zregs[i].d[0]);
+            } else {
+                for (j = zcr_len; j >= 0; j--) {
+                    bool odd = (zcr_len - j) % 2 != 0;
+                    if (j == zcr_len) {
+                        qemu_fprintf(f, "Z%02d[%x-%x]=", i, j, j - 1);
+                    } else if (!odd) {
+                        if (j > 0) {
+                            qemu_fprintf(f, "   [%x-%x]=", j, j - 1);
+                        } else {
+                            qemu_fprintf(f, "     [%x]=", j);
+                        }
+                    }
+                    qemu_fprintf(f, "%016" PRIx64 ":%016" PRIx64 "%s",
+                                 env->vfp.zregs[i].d[j * 2 + 1],
+                                 env->vfp.zregs[i].d[j * 2],
+                                 odd || j == 0 ? "\n" : ":");
+                }
+            }
+        }
+    } else {
+        for (i = 0; i < 32; i++) {
+            uint64_t *q = aa64_vfp_qreg(env, i);
+            qemu_fprintf(f, "Q%02d=%016" PRIx64 ":%016" PRIx64 "%s",
+                         i, q[1], q[0], (i & 1 ? "\n" : " "));
+        }
+    }
+}
+
+#else
+
+static inline void aarch64_cpu_dump_state(CPUState *cs, FILE *f, int flags)
+{
+    g_assert_not_reached();
+}
+
+#endif
+
+static void arm_cpu_dump_state(CPUState *cs, FILE *f, int flags)
+{
+    ARMCPU *cpu = ARM_CPU(cs);
+    CPUARMState *env = &cpu->env;
+    int i;
+
+    if (is_a64(env)) {
+        aarch64_cpu_dump_state(cs, f, flags);
+        return;
+    }
+
+    for (i = 0; i < 16; i++) {
+        qemu_fprintf(f, "R%02d=%08x", i, env->regs[i]);
+        if ((i % 4) == 3) {
+            qemu_fprintf(f, "\n");
+        } else {
+            qemu_fprintf(f, " ");
+        }
+    }
+
+    if (arm_feature(env, ARM_FEATURE_M)) {
+        uint32_t xpsr = xpsr_read(env);
+        const char *mode;
+        const char *ns_status = "";
+
+        if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
+            ns_status = env->v7m.secure ? "S " : "NS ";
+        }
+
+        if (xpsr & XPSR_EXCP) {
+            mode = "handler";
+        } else {
+            if (env->v7m.control[env->v7m.secure] & R_V7M_CONTROL_NPRIV_MASK) {
+                mode = "unpriv-thread";
+            } else {
+                mode = "priv-thread";
+            }
+        }
+
+        qemu_fprintf(f, "XPSR=%08x %c%c%c%c %c %s%s\n",
+                     xpsr,
+                     xpsr & XPSR_N ? 'N' : '-',
+                     xpsr & XPSR_Z ? 'Z' : '-',
+                     xpsr & XPSR_C ? 'C' : '-',
+                     xpsr & XPSR_V ? 'V' : '-',
+                     xpsr & XPSR_T ? 'T' : 'A',
+                     ns_status,
+                     mode);
+    } else {
+        uint32_t psr = cpsr_read(env);
+        const char *ns_status = "";
+
+        if (arm_feature(env, ARM_FEATURE_EL3) &&
+            (psr & CPSR_M) != ARM_CPU_MODE_MON) {
+            ns_status = env->cp15.scr_el3 & SCR_NS ? "NS " : "S ";
+        }
+
+        qemu_fprintf(f, "PSR=%08x %c%c%c%c %c %s%s%d\n",
+                     psr,
+                     psr & CPSR_N ? 'N' : '-',
+                     psr & CPSR_Z ? 'Z' : '-',
+                     psr & CPSR_C ? 'C' : '-',
+                     psr & CPSR_V ? 'V' : '-',
+                     psr & CPSR_T ? 'T' : 'A',
+                     ns_status,
+                     aarch32_mode_name(psr), (psr & 0x10) ? 32 : 26);
+    }
+
+    if (flags & CPU_DUMP_FPU) {
+        int numvfpregs = 0;
+        if (arm_feature(env, ARM_FEATURE_VFP)) {
+            numvfpregs += 16;
+        }
+        if (arm_feature(env, ARM_FEATURE_VFP3)) {
+            numvfpregs += 16;
+        }
+        for (i = 0; i < numvfpregs; i++) {
+            uint64_t v = *aa32_vfp_dreg(env, i);
+            qemu_fprintf(f, "s%02d=%08x s%02d=%08x d%02d=%016" PRIx64 "\n",
+                         i * 2, (uint32_t)v,
+                         i * 2 + 1, (uint32_t)(v >> 32),
+                         i, v);
+        }
+        qemu_fprintf(f, "FPSCR: %08x\n", vfp_get_fpscr(env));
+    }
+}
+
 uint64_t arm_cpu_mp_affinity(int idx, uint8_t clustersz)
 {
     uint32_t Aff1 = idx / clustersz;
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@
 #include "translate.h"
 #include "internals.h"
 #include "qemu/host-utils.h"
-#include "qemu/qemu-print.h"
 
 #include "hw/semihosting/semihost.h"
 #include "exec/gen-icount.h"
@@ -XXX,XX +XXX,XX @@ static void set_btype(DisasContext *s, int val)
     s->btype = -1;
 }
 
-void aarch64_cpu_dump_state(CPUState *cs, FILE *f, int flags)
-{
-    ARMCPU *cpu = ARM_CPU(cs);
-    CPUARMState *env = &cpu->env;
-    uint32_t psr = pstate_read(env);
-    int i;
-    int el = arm_current_el(env);
-    const char *ns_status;
-
-    qemu_fprintf(f, " PC=%016" PRIx64 " ", env->pc);
-    for (i = 0; i < 32; i++) {
-        if (i == 31) {
-            qemu_fprintf(f, " SP=%016" PRIx64 "\n", env->xregs[i]);
-        } else {
-            qemu_fprintf(f, "X%02d=%016" PRIx64 "%s", i, env->xregs[i],
-                         (i + 2) % 3 ? " " : "\n");
-        }
-    }
-
-    if (arm_feature(env, ARM_FEATURE_EL3) && el != 3) {
-        ns_status = env->cp15.scr_el3 & SCR_NS ? "NS " : "S ";
-    } else {
-        ns_status = "";
-    }
-    qemu_fprintf(f, "PSTATE=%08x %c%c%c%c %sEL%d%c",
-                 psr,
-                 psr & PSTATE_N ? 'N' : '-',
-                 psr & PSTATE_Z ? 'Z' : '-',
-                 psr & PSTATE_C ? 'C' : '-',
-                 psr & PSTATE_V ? 'V' : '-',
-                 ns_status,
-                 el,
-                 psr & PSTATE_SP ? 'h' : 't');
-
-    if (cpu_isar_feature(aa64_bti, cpu)) {
-        qemu_fprintf(f, "  BTYPE=%d", (psr & PSTATE_BTYPE) >> 10);
-    }
-    if (!(flags & CPU_DUMP_FPU)) {
-        qemu_fprintf(f, "\n");
-        return;
-    }
-    if (fp_exception_el(env, el) != 0) {
-        qemu_fprintf(f, "    FPU disabled\n");
-        return;
-    }
-    qemu_fprintf(f, "     FPCR=%08x FPSR=%08x\n",
-                 vfp_get_fpcr(env), vfp_get_fpsr(env));
-
-    if (cpu_isar_feature(aa64_sve, cpu) && sve_exception_el(env, el) == 0) {
-        int j, zcr_len = sve_zcr_len_for_el(env, el);
-
-        for (i = 0; i <= FFR_PRED_NUM; i++) {
-            bool eol;
-            if (i == FFR_PRED_NUM) {
-                qemu_fprintf(f, "FFR=");
-                /* It's last, so end the line.  */
-                eol = true;
-            } else {
-                qemu_fprintf(f, "P%02d=", i);
-                switch (zcr_len) {
-                case 0:
-                    eol = i % 8 == 7;
-                    break;
-                case 1:
-                    eol = i % 6 == 5;
-                    break;
-                case 2:
-                case 3:
-                    eol = i % 3 == 2;
-                    break;
-                default:
-                    /* More than one quadword per predicate.  */
-                    eol = true;
-                    break;
-                }
-            }
-            for (j = zcr_len / 4; j >= 0; j--) {
-                int digits;
-                if (j * 4 + 4 <= zcr_len + 1) {
-                    digits = 16;
-                } else {
-                    digits = (zcr_len % 4 + 1) * 4;
-                }
-                qemu_fprintf(f, "%0*" PRIx64 "%s", digits,
-                             env->vfp.pregs[i].p[j],
-                             j ? ":" : eol ? "\n" : " ");
-            }
-        }
-
-        for (i = 0; i < 32; i++) {
-            if (zcr_len == 0) {
-                qemu_fprintf(f, "Z%02d=%016" PRIx64 ":%016" PRIx64 "%s",
-                             i, env->vfp.zregs[i].d[1],
-                             env->vfp.zregs[i].d[0], i & 1 ? "\n" : " ");
-            } else if (zcr_len == 1) {
-                qemu_fprintf(f, "Z%02d=%016" PRIx64 ":%016" PRIx64
-                             ":%016" PRIx64 ":%016" PRIx64 "\n",
-                             i, env->vfp.zregs[i].d[3], env->vfp.zregs[i].d[2],
-                             env->vfp.zregs[i].d[1], env->vfp.zregs[i].d[0]);
-            } else {
-                for (j = zcr_len; j >= 0; j--) {
-                    bool odd = (zcr_len - j) % 2 != 0;
-                    if (j == zcr_len) {
-                        qemu_fprintf(f, "Z%02d[%x-%x]=", i, j, j - 1);
-                    } else if (!odd) {
-                        if (j > 0) {
-                            qemu_fprintf(f, "   [%x-%x]=", j, j - 1);
-                        } else {
-                            qemu_fprintf(f, "     [%x]=", j);
-                        }
-                    }
-                    qemu_fprintf(f, "%016" PRIx64 ":%016" PRIx64 "%s",
-                                 env->vfp.zregs[i].d[j * 2 + 1],
-                                 env->vfp.zregs[i].d[j * 2],
-                                 odd || j == 0 ? "\n" : ":");
-                }
-            }
-        }
-    } else {
-        for (i = 0; i < 32; i++) {
-            uint64_t *q = aa64_vfp_qreg(env, i);
-            qemu_fprintf(f, "Q%02d=%016" PRIx64 ":%016" PRIx64 "%s",
-                         i, q[1], q[0], (i & 1 ? "\n" : " "));
-        }
-    }
-}
-
 void gen_a64_set_pc_im(uint64_t val)
 {
     tcg_gen_movi_i64(cpu_pc, val);
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@
 #include "tcg-op-gvec.h"
 #include "qemu/log.h"
 #include "qemu/bitops.h"
-#include "qemu/qemu-print.h"
 #include "arm_ldst.h"
 #include "hw/semihosting/semihost.h"
 
@@ -XXX,XX +XXX,XX @@ void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns)
     translator_loop(ops, &dc.base, cpu, tb, max_insns);
 }
 
-void arm_cpu_dump_state(CPUState *cs, FILE *f, int flags)
-{
-    ARMCPU *cpu = ARM_CPU(cs);
-    CPUARMState *env = &cpu->env;
-    int i;
-
-    if (is_a64(env)) {
-        aarch64_cpu_dump_state(cs, f, flags);
-        return;
-    }
-
-    for (i = 0; i < 16; i++) {
-        qemu_fprintf(f, "R%02d=%08x", i, env->regs[i]);
-        if ((i % 4) == 3) {
-            qemu_fprintf(f, "\n");
-        } else {
-            qemu_fprintf(f, " ");
-        }
-    }
-
-    if (arm_feature(env, ARM_FEATURE_M)) {
-        uint32_t xpsr = xpsr_read(env);
-        const char *mode;
-        const char *ns_status = "";
-
-        if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
-            ns_status = env->v7m.secure ? "S " : "NS ";
-        }
-
-        if (xpsr & XPSR_EXCP) {
-            mode = "handler";
-        } else {
-            if (env->v7m.control[env->v7m.secure] & R_V7M_CONTROL_NPRIV_MASK) {
-                mode = "unpriv-thread";
-            } else {
-                mode = "priv-thread";
-            }
-        }
-
-        qemu_fprintf(f, "XPSR=%08x %c%c%c%c %c %s%s\n",
-                     xpsr,
-                     xpsr & XPSR_N ? 'N' : '-',
-                     xpsr & XPSR_Z ? 'Z' : '-',
-                     xpsr & XPSR_C ? 'C' : '-',
-                     xpsr & XPSR_V ? 'V' : '-',
-                     xpsr & XPSR_T ? 'T' : 'A',
-                     ns_status,
-                     mode);
-    } else {
-        uint32_t psr = cpsr_read(env);
-        const char *ns_status = "";
-
-        if (arm_feature(env, ARM_FEATURE_EL3) &&
-            (psr & CPSR_M) != ARM_CPU_MODE_MON) {
-            ns_status = env->cp15.scr_el3 & SCR_NS ? "NS " : "S ";
-        }
-
-        qemu_fprintf(f, "PSR=%08x %c%c%c%c %c %s%s%d\n",
-                     psr,
-                     psr & CPSR_N ? 'N' : '-',
-                     psr & CPSR_Z ? 'Z' : '-',
-                     psr & CPSR_C ? 'C' : '-',
-                     psr & CPSR_V ? 'V' : '-',
-                     psr & CPSR_T ? 'T' : 'A',
-                     ns_status,
-                     aarch32_mode_name(psr), (psr & 0x10) ? 32 : 26);
-    }
-
-    if (flags & CPU_DUMP_FPU) {
-        int numvfpregs = 0;
-        if (arm_feature(env, ARM_FEATURE_VFP)) {
-            numvfpregs += 16;
-        }
-        if (arm_feature(env, ARM_FEATURE_VFP3)) {
-            numvfpregs += 16;
-        }
-        for (i = 0; i < numvfpregs; i++) {
-            uint64_t v = *aa32_vfp_dreg(env, i);
-            qemu_fprintf(f, "s%02d=%08x s%02d=%08x d%02d=%016" PRIx64 "\n",
-                         i * 2, (uint32_t)v,
-                         i * 2 + 1, (uint32_t)(v >> 32),
-                         i, v);
-        }
-        qemu_fprintf(f, "FPSCR: %08x\n", vfp_get_fpscr(env));
-    }
-}
-
 void restore_state_to_opc(CPUARMState *env, TranslationBlock *tb,
                           target_ulong *data)
 {
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

In the next commit we will split the TLB related routines of
this file, and this function will also be called in the new
file. Declare it in the "internals.h" header.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190701132516.26392-12-philmd@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/internals.h | 16 ++++++++++++++++
 target/arm/helper.c    | 21 +++++----------------
 2 files changed, 21 insertions(+), 16 deletions(-)

diff --git a/target/arm/internals.h b/target/arm/internals.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -XXX,XX +XXX,XX @@ static inline int exception_target_el(CPUARMState *env)
     return target_el;
 }
 
+#ifndef CONFIG_USER_ONLY
+
+/* Cacheability and shareability attributes for a memory access */
+typedef struct ARMCacheAttrs {
+    unsigned int attrs:8; /* as in the MAIR register encoding */
+    unsigned int shareability:2; /* as in the SH field of the VMSAv8-64 PTEs */
+} ARMCacheAttrs;
+
+bool get_phys_addr(CPUARMState *env, target_ulong address,
+                   MMUAccessType access_type, ARMMMUIdx mmu_idx,
+                   hwaddr *phys_ptr, MemTxAttrs *attrs, int *prot,
+                   target_ulong *page_size,
+                   ARMMMUFaultInfo *fi, ARMCacheAttrs *cacheattrs);
+
+#endif /* !CONFIG_USER_ONLY */
+
 #endif
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@
 #define ARM_CPU_FREQ 1000000000 /* FIXME: 1 GHz, should be configurable */
 
 #ifndef CONFIG_USER_ONLY
-/* Cacheability and shareability attributes for a memory access */
-typedef struct ARMCacheAttrs {
-    unsigned int attrs:8; /* as in the MAIR register encoding */
-    unsigned int shareability:2; /* as in the SH field of the VMSAv8-64 PTEs */
-} ARMCacheAttrs;
-
-static bool get_phys_addr(CPUARMState *env, target_ulong address,
-                          MMUAccessType access_type, ARMMMUIdx mmu_idx,
-                          hwaddr *phys_ptr, MemTxAttrs *attrs, int *prot,
-                          target_ulong *page_size,
-                          ARMMMUFaultInfo *fi, ARMCacheAttrs *cacheattrs);
 
 static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address,
                                MMUAccessType access_type, ARMMMUIdx mmu_idx,
@@ -XXX,XX +XXX,XX @@ static ARMCacheAttrs combine_cacheattrs(ARMCacheAttrs s1, ARMCacheAttrs s2)
  * @fi: set to fault info if the translation fails
  * @cacheattrs: (if non-NULL) set to the cacheability/shareability attributes
  */
-static bool get_phys_addr(CPUARMState *env, target_ulong address,
-                          MMUAccessType access_type, ARMMMUIdx mmu_idx,
-                          hwaddr *phys_ptr, MemTxAttrs *attrs, int *prot,
-                          target_ulong *page_size,
-                          ARMMMUFaultInfo *fi, ARMCacheAttrs *cacheattrs)
+bool get_phys_addr(CPUARMState *env, target_ulong address,
+                   MMUAccessType access_type, ARMMMUIdx mmu_idx,
+                   hwaddr *phys_ptr, MemTxAttrs *attrs, int *prot,
+                   target_ulong *page_size,
+                   ARMMMUFaultInfo *fi, ARMCacheAttrs *cacheattrs)
 {
     if (mmu_idx == ARMMMUIdx_S12NSE0 || mmu_idx == ARMMMUIdx_S12NSE1) {
         /* Call ourselves recursively to do the stage 1 and then stage 2
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

These routines are TCG specific.
The arm_deliver_fault() function is only used within the new
helper. Make it static.

Suggested-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190701132516.26392-13-philmd@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/Makefile.objs |   1 +
 target/arm/internals.h   |   3 -
 target/arm/cpu.c         |   6 +-
 target/arm/helper.c      |  53 -----------
 target/arm/op_helper.c   | 135 --------------------------
 target/arm/tlb_helper.c  | 200 +++++++++++++++++++++++++++++++++++++++
 6 files changed, 205 insertions(+), 193 deletions(-)
 create mode 100644 target/arm/tlb_helper.c

diff --git a/target/arm/Makefile.objs b/target/arm/Makefile.objs
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/Makefile.objs
+++ b/target/arm/Makefile.objs
@@ -XXX,XX +XXX,XX @@ target/arm/translate-sve.o: target/arm/decode-sve.inc.c
 target/arm/translate.o: target/arm/decode-vfp.inc.c
 target/arm/translate.o: target/arm/decode-vfp-uncond.inc.c
 
+obj-y += tlb_helper.o
 obj-y += translate.o op_helper.o
 obj-y += crypto_helper.o
 obj-y += iwmmxt_helper.o vec_helper.o neon_helper.o
diff --git a/target/arm/internals.h b/target/arm/internals.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -XXX,XX +XXX,XX @@ bool arm_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
                       MMUAccessType access_type, int mmu_idx,
                       bool probe, uintptr_t retaddr);
 
-void arm_deliver_fault(ARMCPU *cpu, vaddr addr, MMUAccessType access_type,
-                       int mmu_idx, ARMMMUFaultInfo *fi) QEMU_NORETURN;
-
 /* Return true if the stage 1 translation regime is using LPAE format page
  * tables */
 bool arm_s1_regime_using_lpae_format(CPUARMState *env, ARMMMUIdx mmu_idx);
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_class_init(ObjectClass *oc, void *data)
     cc->gdb_write_register = arm_cpu_gdb_write_register;
 #ifndef CONFIG_USER_ONLY
     cc->do_interrupt = arm_cpu_do_interrupt;
-    cc->do_unaligned_access = arm_cpu_do_unaligned_access;
-    cc->do_transaction_failed = arm_cpu_do_transaction_failed;
     cc->get_phys_page_attrs_debug = arm_cpu_get_phys_page_attrs_debug;
     cc->asidx_from_attrs = arm_asidx_from_attrs;
     cc->vmsd = &vmstate_arm_cpu;
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_class_init(ObjectClass *oc, void *data)
 #ifdef CONFIG_TCG
     cc->tcg_initialize = arm_translate_init;
     cc->tlb_fill = arm_cpu_tlb_fill;
+#if !defined(CONFIG_USER_ONLY)
+    cc->do_unaligned_access = arm_cpu_do_unaligned_access;
+    cc->do_transaction_failed = arm_cpu_do_transaction_failed;
+#endif /* CONFIG_TCG && !CONFIG_USER_ONLY */
 #endif
 }
 
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(v7m_tt)(CPUARMState *env, uint32_t addr, uint32_t op)
 
 #endif
 
-bool arm_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
-                      MMUAccessType access_type, int mmu_idx,
-                      bool probe, uintptr_t retaddr)
-{
-    ARMCPU *cpu = ARM_CPU(cs);
-
-#ifdef CONFIG_USER_ONLY
-    cpu->env.exception.vaddress = address;
-    if (access_type == MMU_INST_FETCH) {
-        cs->exception_index = EXCP_PREFETCH_ABORT;
-    } else {
-        cs->exception_index = EXCP_DATA_ABORT;
-    }
-    cpu_loop_exit_restore(cs, retaddr);
-#else
-    hwaddr phys_addr;
-    target_ulong page_size;
-    int prot, ret;
-    MemTxAttrs attrs = {};
-    ARMMMUFaultInfo fi = {};
-
-    /*
-     * Walk the page table and (if the mapping exists) add the page
-     * to the TLB.  On success, return true.  Otherwise, if probing,
-     * return false.  Otherwise populate fsr with ARM DFSR/IFSR fault
-     * register format, and signal the fault.
-     */
-    ret = get_phys_addr(&cpu->env, address, access_type,
-                        core_to_arm_mmu_idx(&cpu->env, mmu_idx),
-                        &phys_addr, &attrs, &prot, &page_size, &fi, NULL);
-    if (likely(!ret)) {
-        /*
-         * Map a single [sub]page. Regions smaller than our declared
-         * target page size are handled specially, so for those we
-         * pass in the exact addresses.
-         */
-        if (page_size >= TARGET_PAGE_SIZE) {
-            phys_addr &= TARGET_PAGE_MASK;
-            address &= TARGET_PAGE_MASK;
-        }
-        tlb_set_page_with_attrs(cs, address, phys_addr, attrs,
-                                prot, mmu_idx, page_size);
-        return true;
-    } else if (probe) {
-        return false;
-    } else {
-        /* now we have a real cpu fault */
-        cpu_restore_state(cs, retaddr, true);
-        arm_deliver_fault(cpu, address, access_type, mmu_idx, &fi);
-    }
-#endif
-}
-
 /* Note that signed overflow is undefined in C.  The following routines are
    careful to use unsigned types where modulo arithmetic is required.
    Failure to do so _will_ break on newer gcc.  */
diff --git a/target/arm/op_helper.c b/target/arm/op_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/op_helper.c
+++ b/target/arm/op_helper.c
@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(neon_tbl)(uint32_t ireg, uint32_t def, void *vn,
     return val;
 }
 
-#if !defined(CONFIG_USER_ONLY)
-
-static inline uint32_t merge_syn_data_abort(uint32_t template_syn,
-                                            unsigned int target_el,
-                                            bool same_el, bool ea,
-                                            bool s1ptw, bool is_write,
-                                            int fsc)
-{
-    uint32_t syn;
-
-    /*
-     * ISV is only set for data aborts routed to EL2 and
-     * never for stage-1 page table walks faulting on stage 2.
-     *
-     * Furthermore, ISV is only set for certain kinds of load/stores.
-     * If the template syndrome does not have ISV set, we should leave
-     * it cleared.
-     *
-     * See ARMv8 specs, D7-1974:
-     * ISS encoding for an exception from a Data Abort, the
-     * ISV field.
-     */
-    if (!(template_syn & ARM_EL_ISV) || target_el != 2 || s1ptw) {
-        syn = syn_data_abort_no_iss(same_el,
-                                    ea, 0, s1ptw, is_write, fsc);
-    } else {
-        /*
-         * Fields: IL, ISV, SAS, SSE, SRT, SF and AR come from the template
-         * syndrome created at translation time.
-         * Now we create the runtime syndrome with the remaining fields.
-         */
-        syn = syn_data_abort_with_iss(same_el,
-                                      0, 0, 0, 0, 0,
-                                      ea, 0, s1ptw, is_write, fsc,
-                                      false);
-        /* Merge the runtime syndrome with the template syndrome.  */
-        syn |= template_syn;
-    }
-    return syn;
-}
-
-void arm_deliver_fault(ARMCPU *cpu, vaddr addr, MMUAccessType access_type,
-                       int mmu_idx, ARMMMUFaultInfo *fi)
-{
-    CPUARMState *env = &cpu->env;
-    int target_el;
-    bool same_el;
-    uint32_t syn, exc, fsr, fsc;
-    ARMMMUIdx arm_mmu_idx = core_to_arm_mmu_idx(env, mmu_idx);
-
-    target_el = exception_target_el(env);
-    if (fi->stage2) {
-        target_el = 2;
-        env->cp15.hpfar_el2 = extract64(fi->s2addr, 12, 47) << 4;
-    }
-    same_el = (arm_current_el(env) == target_el);
-
-    if (target_el == 2 || arm_el_is_aa64(env, target_el) ||
-        arm_s1_regime_using_lpae_format(env, arm_mmu_idx)) {
-        /*
-         * LPAE format fault status register : bottom 6 bits are
-         * status code in the same form as needed for syndrome
-         */
-        fsr = arm_fi_to_lfsc(fi);
-        fsc = extract32(fsr, 0, 6);
-    } else {
-        fsr = arm_fi_to_sfsc(fi);
-        /*
-         * Short format FSR : this fault will never actually be reported
-         * to an EL that uses a syndrome register. Use a (currently)
-         * reserved FSR code in case the constructed syndrome does leak
-         * into the guest somehow.
-         */
-        fsc = 0x3f;
-    }
-
-    if (access_type == MMU_INST_FETCH) {
-        syn = syn_insn_abort(same_el, fi->ea, fi->s1ptw, fsc);
-        exc = EXCP_PREFETCH_ABORT;
-    } else {
-        syn = merge_syn_data_abort(env->exception.syndrome, target_el,
-                                   same_el, fi->ea, fi->s1ptw,
-                                   access_type == MMU_DATA_STORE,
-                                   fsc);
-        if (access_type == MMU_DATA_STORE
-            && arm_feature(env, ARM_FEATURE_V6)) {
-            fsr |= (1 << 11);
-        }
-        exc = EXCP_DATA_ABORT;
-    }
-
-    env->exception.vaddress = addr;
-    env->exception.fsr = fsr;
-    raise_exception(env, exc, syn, target_el);
-}
-
-/* Raise a data fault alignment exception for the specified virtual address */
-void arm_cpu_do_unaligned_access(CPUState *cs, vaddr vaddr,
-                                 MMUAccessType access_type,
-                                 int mmu_idx, uintptr_t retaddr)
-{
-    ARMCPU *cpu = ARM_CPU(cs);
-    ARMMMUFaultInfo fi = {};
-
-    /* now we have a real cpu fault */
-    cpu_restore_state(cs, retaddr, true);
-
-    fi.type = ARMFault_Alignment;
-    arm_deliver_fault(cpu, vaddr, access_type, mmu_idx, &fi);
-}
-
-/*
- * arm_cpu_do_transaction_failed: handle a memory system error response
- * (eg "no device/memory present at address") by raising an external abort
- * exception
- */
-void arm_cpu_do_transaction_failed(CPUState *cs, hwaddr physaddr,
-                                   vaddr addr, unsigned size,
-                                   MMUAccessType access_type,
-                                   int mmu_idx, MemTxAttrs attrs,
-                                   MemTxResult response, uintptr_t retaddr)
-{
-    ARMCPU *cpu = ARM_CPU(cs);
-    ARMMMUFaultInfo fi = {};
-
-    /* now we have a real cpu fault */
-    cpu_restore_state(cs, retaddr, true);
-
-    fi.ea = arm_extabort_type(response);
-    fi.type = ARMFault_SyncExternal;
-    arm_deliver_fault(cpu, addr, access_type, mmu_idx, &fi);
-}
-
-#endif /* !defined(CONFIG_USER_ONLY) */
-
 void HELPER(v8m_stackcheck)(CPUARMState *env, uint32_t newvalue)
 {
     /*
diff --git a/target/arm/tlb_helper.c b/target/arm/tlb_helper.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/target/arm/tlb_helper.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * ARM TLB (Translation lookaside buffer) helpers.
+ *
+ * This code is licensed under the GNU GPL v2 or later.
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+#include "qemu/osdep.h"
+#include "cpu.h"
+#include "internals.h"
+#include "exec/exec-all.h"
+
+#if !defined(CONFIG_USER_ONLY)
+
+static inline uint32_t merge_syn_data_abort(uint32_t template_syn,
+                                            unsigned int target_el,
+                                            bool same_el, bool ea,
+                                            bool s1ptw, bool is_write,
+                                            int fsc)
+{
+    uint32_t syn;
+
+    /*
+     * ISV is only set for data aborts routed to EL2 and
+     * never for stage-1 page table walks faulting on stage 2.
+     *
+     * Furthermore, ISV is only set for certain kinds of load/stores.
+     * If the template syndrome does not have ISV set, we should leave
+     * it cleared.
+     *
+     * See ARMv8 specs, D7-1974:
+     * ISS encoding for an exception from a Data Abort, the
+     * ISV field.
+     */
+    if (!(template_syn & ARM_EL_ISV) || target_el != 2 || s1ptw) {
+        syn = syn_data_abort_no_iss(same_el,
+                                    ea, 0, s1ptw, is_write, fsc);
+    } else {
+        /*
+         * Fields: IL, ISV, SAS, SSE, SRT, SF and AR come from the template
+         * syndrome created at translation time.
+         * Now we create the runtime syndrome with the remaining fields.
+         */
+        syn = syn_data_abort_with_iss(same_el,
+                                      0, 0, 0, 0, 0,
+                                      ea, 0, s1ptw, is_write, fsc,
+                                      false);
+        /* Merge the runtime syndrome with the template syndrome.  */
+        syn |= template_syn;
+    }
+    return syn;
+}
+
+static void QEMU_NORETURN arm_deliver_fault(ARMCPU *cpu, vaddr addr,
+                                            MMUAccessType access_type,
+                                            int mmu_idx, ARMMMUFaultInfo *fi)
+{
+    CPUARMState *env = &cpu->env;
+    int target_el;
+    bool same_el;
+    uint32_t syn, exc, fsr, fsc;
+    ARMMMUIdx arm_mmu_idx = core_to_arm_mmu_idx(env, mmu_idx);
+
+    target_el = exception_target_el(env);
+    if (fi->stage2) {
+        target_el = 2;
+        env->cp15.hpfar_el2 = extract64(fi->s2addr, 12, 47) << 4;
+    }
+    same_el = (arm_current_el(env) == target_el);
+
+    if (target_el == 2 || arm_el_is_aa64(env, target_el) ||
+        arm_s1_regime_using_lpae_format(env, arm_mmu_idx)) {
+        /*
+         * LPAE format fault status register : bottom 6 bits are
+         * status code in the same form as needed for syndrome
+         */
+        fsr = arm_fi_to_lfsc(fi);
+        fsc = extract32(fsr, 0, 6);
+    } else {
+        fsr = arm_fi_to_sfsc(fi);
+        /*
+         * Short format FSR : this fault will never actually be reported
+         * to an EL that uses a syndrome register. Use a (currently)
+         * reserved FSR code in case the constructed syndrome does leak
+         * into the guest somehow.
+         */
+        fsc = 0x3f;
+    }
+
+    if (access_type == MMU_INST_FETCH) {
+        syn = syn_insn_abort(same_el, fi->ea, fi->s1ptw, fsc);
+        exc = EXCP_PREFETCH_ABORT;
+    } else {
+        syn = merge_syn_data_abort(env->exception.syndrome, target_el,
+                                   same_el, fi->ea, fi->s1ptw,
+                                   access_type == MMU_DATA_STORE,
+                                   fsc);
+        if (access_type == MMU_DATA_STORE
+            && arm_feature(env, ARM_FEATURE_V6)) {
+            fsr |= (1 << 11);
+        }
+        exc = EXCP_DATA_ABORT;
+    }
+
+    env->exception.vaddress = addr;
+    env->exception.fsr = fsr;
+    raise_exception(env, exc, syn, target_el);
+}
+
+/* Raise a data fault alignment exception for the specified virtual address */
+void arm_cpu_do_unaligned_access(CPUState *cs, vaddr vaddr,
+                                 MMUAccessType access_type,
+                                 int mmu_idx, uintptr_t retaddr)
+{
+    ARMCPU *cpu = ARM_CPU(cs);
+    ARMMMUFaultInfo fi = {};
+
+    /* now we have a real cpu fault */
+    cpu_restore_state(cs, retaddr, true);
+
+    fi.type = ARMFault_Alignment;
+    arm_deliver_fault(cpu, vaddr, access_type, mmu_idx, &fi);
+}
+
+/*
+ * arm_cpu_do_transaction_failed: handle a memory system error response
+ * (eg "no device/memory present at address") by raising an external abort
+ * exception
+ */
+void arm_cpu_do_transaction_failed(CPUState *cs, hwaddr physaddr,
+                                   vaddr addr, unsigned size,
+                                   MMUAccessType access_type,
+                                   int mmu_idx, MemTxAttrs attrs,
+                                   MemTxResult response, uintptr_t retaddr)
+{
+    ARMCPU *cpu = ARM_CPU(cs);
+    ARMMMUFaultInfo fi = {};
+
+    /* now we have a real cpu fault */
+    cpu_restore_state(cs, retaddr, true);
+
+    fi.ea = arm_extabort_type(response);
+    fi.type = ARMFault_SyncExternal;
+    arm_deliver_fault(cpu, addr, access_type, mmu_idx, &fi);
+}
+
+#endif /* !defined(CONFIG_USER_ONLY) */
+
+bool arm_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
+                      MMUAccessType access_type, int mmu_idx,
+                      bool probe, uintptr_t retaddr)
+{
+    ARMCPU *cpu = ARM_CPU(cs);
+
+#ifdef CONFIG_USER_ONLY
+    cpu->env.exception.vaddress = address;
+    if (access_type == MMU_INST_FETCH) {
+        cs->exception_index = EXCP_PREFETCH_ABORT;
+    } else {
+        cs->exception_index = EXCP_DATA_ABORT;
+    }
+    cpu_loop_exit_restore(cs, retaddr);
+#else
+    hwaddr phys_addr;
+    target_ulong page_size;
+    int prot, ret;
+    MemTxAttrs attrs = {};
+    ARMMMUFaultInfo fi = {};
+
+    /*
+     * Walk the page table and (if the mapping exists) add the page
+     * to the TLB.  On success, return true.  Otherwise, if probing,
+     * return false.  Otherwise populate fsr with ARM DFSR/IFSR fault
+     * register format, and signal the fault.
+     */
+    ret = get_phys_addr(&cpu->env, address, access_type,
+                        core_to_arm_mmu_idx(&cpu->env, mmu_idx),
+                        &phys_addr, &attrs, &prot, &page_size, &fi, NULL);
+    if (likely(!ret)) {
+        /*
+         * Map a single [sub]page. Regions smaller than our declared
+         * target page size are handled specially, so for those we
+         * pass in the exact addresses.
+         */
+        if (page_size >= TARGET_PAGE_SIZE) {
+            phys_addr &= TARGET_PAGE_MASK;
+            address &= TARGET_PAGE_MASK;
+        }
+        tlb_set_page_with_attrs(cs, address, phys_addr, attrs,
+                                prot, mmu_idx, page_size);
+        return true;
+    } else if (probe) {
+        return false;
+    } else {
+        /* now we have a real cpu fault */
+        cpu_restore_state(cs, retaddr, true);
+        arm_deliver_fault(cpu, address, access_type, mmu_idx, &fi);
+    }
+#endif
+}
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

To ease the review of the next commit,
move the vfp_exceptbits_to_host() function directly after
vfp_exceptbits_from_host().  Amusingly the diff shows we
are moving vfp_get_fpscr().

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190701132516.26392-15-philmd@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/vfp_helper.c | 52 ++++++++++++++++++++---------------------
 1 file changed, 26 insertions(+), 26 deletions(-)

From: Philippe Mathieu-Daudé <philmd@redhat.com>

The vfp_set_fpscr() helper contains code specific to the host
floating point implementation (here the SoftFloat library).
Extract this code to vfp_set_fpscr_to_host().

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190701132516.26392-16-philmd@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/vfp_helper.c | 127 +++++++++++++++++++++-------------------
 1 file changed, 66 insertions(+), 61 deletions(-)

diff --git a/target/arm/vfp_helper.c b/target/arm/vfp_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/vfp_helper.c
+++ b/target/arm/vfp_helper.c
@@ -XXX,XX +XXX,XX @@ static inline int vfp_exceptbits_to_host(int target_bits)
     return host_bits;
 }
 
-uint32_t HELPER(vfp_get_fpscr)(CPUARMState *env)
-{
-    uint32_t i, fpscr;
-
-    fpscr = env->vfp.xregs[ARM_VFP_FPSCR]
-            | (env->vfp.vec_len << 16)
-            | (env->vfp.vec_stride << 20);
-
-    i = get_float_exception_flags(&env->vfp.fp_status);
-    i |= get_float_exception_flags(&env->vfp.standard_fp_status);
-    /* FZ16 does not generate an input denormal exception.  */
-    i |= (get_float_exception_flags(&env->vfp.fp_status_f16)
-          & ~float_flag_input_denormal);
-    fpscr |= vfp_exceptbits_from_host(i);
-
-    i = env->vfp.qc[0] | env->vfp.qc[1] | env->vfp.qc[2] | env->vfp.qc[3];
-    fpscr |= i ? FPCR_QC : 0;
-
-    return fpscr;
-}
-
-uint32_t vfp_get_fpscr(CPUARMState *env)
-{
-    return HELPER(vfp_get_fpscr)(env);
-}
-
-void HELPER(vfp_set_fpscr)(CPUARMState *env, uint32_t val)
+static void vfp_set_fpscr_to_host(CPUARMState *env, uint32_t val)
 {
     int i;
     uint32_t changed = env->vfp.xregs[ARM_VFP_FPSCR];
 
-    /* When ARMv8.2-FP16 is not supported, FZ16 is RES0.  */
-    if (!cpu_isar_feature(aa64_fp16, env_archcpu(env))) {
-        val &= ~FPCR_FZ16;
-    }
-
-    if (arm_feature(env, ARM_FEATURE_M)) {
-        /*
-         * M profile FPSCR is RES0 for the QC, STRIDE, FZ16, LEN bits
-         * and also for the trapped-exception-handling bits IxE.
-         */
-        val &= 0xf7c0009f;
-    }
-
-    /*
-     * We don't implement trapped exception handling, so the
-     * trap enable bits, IDE|IXE|UFE|OFE|DZE|IOE are all RAZ/WI (not RES0!)
-     *
-     * If we exclude the exception flags, IOC|DZC|OFC|UFC|IXC|IDC
-     * (which are stored in fp_status), and the other RES0 bits
-     * in between, then we clear all of the low 16 bits.
-     */
-    env->vfp.xregs[ARM_VFP_FPSCR] = val & 0xf7c80000;
-    env->vfp.vec_len = (val >> 16) & 7;
-    env->vfp.vec_stride = (val >> 20) & 3;
-
-    /*
-     * The bit we set within fpscr_q is arbitrary; the register as a
-     * whole being zero/non-zero is what counts.
-     */
-    env->vfp.qc[0] = val & FPCR_QC;
-    env->vfp.qc[1] = 0;
-    env->vfp.qc[2] = 0;
-    env->vfp.qc[3] = 0;
-
     changed ^= val;
     if (changed & (3 << 22)) {
         i = (val >> 22) & 3;
@@ -XXX,XX +XXX,XX @@ void HELPER(vfp_set_fpscr)(CPUARMState *env, uint32_t val)
     set_float_exception_flags(0, &env->vfp.standard_fp_status);
 }
 
+uint32_t HELPER(vfp_get_fpscr)(CPUARMState *env)
+{
+    uint32_t i, fpscr;
+
+    fpscr = env->vfp.xregs[ARM_VFP_FPSCR]
+            | (env->vfp.vec_len << 16)
+            | (env->vfp.vec_stride << 20);
+
+    i = get_float_exception_flags(&env->vfp.fp_status);
+    i |= get_float_exception_flags(&env->vfp.standard_fp_status);
+    /* FZ16 does not generate an input denormal exception.  */
+    i |= (get_float_exception_flags(&env->vfp.fp_status_f16)
+          & ~float_flag_input_denormal);
+    fpscr |= vfp_exceptbits_from_host(i);
+
+    i = env->vfp.qc[0] | env->vfp.qc[1] | env->vfp.qc[2] | env->vfp.qc[3];
+    fpscr |= i ? FPCR_QC : 0;
+
+    return fpscr;
+}
+
+uint32_t vfp_get_fpscr(CPUARMState *env)
+{
+    return HELPER(vfp_get_fpscr)(env);
+}
+
+void HELPER(vfp_set_fpscr)(CPUARMState *env, uint32_t val)
+{
+    /* When ARMv8.2-FP16 is not supported, FZ16 is RES0.  */
+    if (!cpu_isar_feature(aa64_fp16, env_archcpu(env))) {
+        val &= ~FPCR_FZ16;
+    }
+
+    if (arm_feature(env, ARM_FEATURE_M)) {
+        /*
+         * M profile FPSCR is RES0 for the QC, STRIDE, FZ16, LEN bits
+         * and also for the trapped-exception-handling bits IxE.
+         */
+        val &= 0xf7c0009f;
+    }
+
+    /*
+     * We don't implement trapped exception handling, so the
+     * trap enable bits, IDE|IXE|UFE|OFE|DZE|IOE are all RAZ/WI (not RES0!)
+     *
+     * If we exclude the exception flags, IOC|DZC|OFC|UFC|IXC|IDC
+     * (which are stored in fp_status), and the other RES0 bits
+     * in between, then we clear all of the low 16 bits.
+     */
+    env->vfp.xregs[ARM_VFP_FPSCR] = val & 0xf7c80000;
+    env->vfp.vec_len = (val >> 16) & 7;
+    env->vfp.vec_stride = (val >> 20) & 3;
+
+    /*
+     * The bit we set within fpscr_q is arbitrary; the register as a
+     * whole being zero/non-zero is what counts.
+     */
+    env->vfp.qc[0] = val & FPCR_QC;
+    env->vfp.qc[1] = 0;
+    env->vfp.qc[2] = 0;
+    env->vfp.qc[3] = 0;
+
+    vfp_set_fpscr_to_host(env, val);
+}
+
 void vfp_set_fpscr(CPUARMState *env, uint32_t val)
 {
     HELPER(vfp_set_fpscr)(env, val);
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

The vfp_set_fpscr() helper contains code specific to the host
floating point implementation (here the SoftFloat library).
Extract this code to vfp_set_fpscr_from_host().

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190701132516.26392-17-philmd@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/vfp_helper.c | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

From: Philippe Mathieu-Daudé <philmd@redhat.com>

This code is specific to the SoftFloat floating-point
implementation, which is only used by TCG.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190701132516.26392-18-philmd@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/vfp_helper.c | 26 +++++++++++++++++++++++---
 1 file changed, 23 insertions(+), 3 deletions(-)

diff --git a/target/arm/vfp_helper.c b/target/arm/vfp_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/vfp_helper.c
+++ b/target/arm/vfp_helper.c
@@ -XXX,XX +XXX,XX @@
  */
 
 #include "qemu/osdep.h"
-#include "qemu/log.h"
 #include "cpu.h"
 #include "exec/helper-proto.h"
-#include "fpu/softfloat.h"
 #include "internals.h"
-
+#ifdef CONFIG_TCG
+#include "qemu/log.h"
+#include "fpu/softfloat.h"
+#endif
 
 /* VFP support.  We follow the convention used for VFP instructions:
    Single precision routines have a "s" suffix, double precision a
    "d" suffix.  */
 
+#ifdef CONFIG_TCG
+
 /* Convert host exception flags to vfp form.  */
 static inline int vfp_exceptbits_from_host(int host_bits)
 {
@@ -XXX,XX +XXX,XX @@ static void vfp_set_fpscr_to_host(CPUARMState *env, uint32_t val)
     set_float_exception_flags(0, &env->vfp.standard_fp_status);
 }
 
+#else
+
+static uint32_t vfp_get_fpscr_from_host(CPUARMState *env)
+{
+    return 0;
+}
+
+static void vfp_set_fpscr_to_host(CPUARMState *env, uint32_t val)
+{
+}
+
+#endif
+
 uint32_t HELPER(vfp_get_fpscr)(CPUARMState *env)
 {
     uint32_t i, fpscr;
@@ -XXX,XX +XXX,XX @@ void vfp_set_fpscr(CPUARMState *env, uint32_t val)
     HELPER(vfp_set_fpscr)(env, val);
 }
 
+#ifdef CONFIG_TCG
+
 #define VFP_HELPER(name, p) HELPER(glue(glue(vfp_,name),p))
 
 #define VFP_BINOP(name) \
@@ -XXX,XX +XXX,XX @@ float64 HELPER(frint64_d)(float64 f, void *fpst)
 {
     return frint_d(f, fpst, 64);
 }
+
+#endif
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

Under KVM, the kernel gets the HVC call and handle the PSCI requests.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190701132516.26392-20-philmd@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/internals.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/target/arm/internals.h b/target/arm/internals.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -XXX,XX +XXX,XX @@ vaddr arm_adjust_watchpoint_address(CPUState *cs, vaddr addr, int len);
 /* Callback function for when a watchpoint or breakpoint triggers. */
 void arm_debug_excp_handler(CPUState *cs);
 
-#ifdef CONFIG_USER_ONLY
+#if defined(CONFIG_USER_ONLY) || !defined(CONFIG_TCG)
 static inline bool arm_is_psci_call(ARMCPU *cpu, int excp_type)
 {
     return false;
 }
+static inline void arm_handle_psci_call(ARMCPU *cpu)
+{
+    g_assert_not_reached();
+}
 #else
 /* Return true if the r0/x0 value indicates that this SMC/HVC is a PSCI call. */
 bool arm_is_psci_call(ARMCPU *cpu, int excp_type);
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

In few commits we will split the M-profile functions from this
file, and this function will also be called in the new file.
Declare it in the "internals.h" header.
Since it is in the middle of a block of M profile functions,
move it previous to this block to ease the later refactor.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190701132516.26392-21-philmd@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/internals.h |  2 ++
 target/arm/helper.c    | 76 +++++++++++++++++++++---------------------
 2 files changed, 40 insertions(+), 38 deletions(-)

diff --git a/target/arm/internals.h b/target/arm/internals.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr(CPUARMState *env, target_ulong address,
                    target_ulong *page_size,
                    ARMMMUFaultInfo *fi, ARMCacheAttrs *cacheattrs);
 
+void arm_log_exception(int idx);
+
 #endif /* !CONFIG_USER_ONLY */
 
 #endif
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ uint32_t arm_phys_excp_target_el(CPUState *cs, uint32_t excp_idx,
     return target_el;
 }
 
+void arm_log_exception(int idx)
+{
+    if (qemu_loglevel_mask(CPU_LOG_INT)) {
+        const char *exc = NULL;
+        static const char * const excnames[] = {
+            [EXCP_UDEF] = "Undefined Instruction",
+            [EXCP_SWI] = "SVC",
+            [EXCP_PREFETCH_ABORT] = "Prefetch Abort",
+            [EXCP_DATA_ABORT] = "Data Abort",
+            [EXCP_IRQ] = "IRQ",
+            [EXCP_FIQ] = "FIQ",
+            [EXCP_BKPT] = "Breakpoint",
+            [EXCP_EXCEPTION_EXIT] = "QEMU v7M exception exit",
+            [EXCP_KERNEL_TRAP] = "QEMU intercept of kernel commpage",
+            [EXCP_HVC] = "Hypervisor Call",
+            [EXCP_HYP_TRAP] = "Hypervisor Trap",
+            [EXCP_SMC] = "Secure Monitor Call",
+            [EXCP_VIRQ] = "Virtual IRQ",
+            [EXCP_VFIQ] = "Virtual FIQ",
+            [EXCP_SEMIHOST] = "Semihosting call",
+            [EXCP_NOCP] = "v7M NOCP UsageFault",
+            [EXCP_INVSTATE] = "v7M INVSTATE UsageFault",
+            [EXCP_STKOF] = "v8M STKOF UsageFault",
+            [EXCP_LAZYFP] = "v7M exception during lazy FP stacking",
+            [EXCP_LSERR] = "v8M LSERR UsageFault",
+            [EXCP_UNALIGNED] = "v7M UNALIGNED UsageFault",
+        };
+
+        if (idx >= 0 && idx < ARRAY_SIZE(excnames)) {
+            exc = excnames[idx];
+        }
+        if (!exc) {
+            exc = "unknown";
+        }
+        qemu_log_mask(CPU_LOG_INT, "Taking exception %d [%s]\n", idx, exc);
+    }
+}
+
 /*
  * Return true if the v7M CPACR permits access to the FPU for the specified
  * security state and privilege level.
@@ -XXX,XX +XXX,XX @@ static bool do_v7m_function_return(ARMCPU *cpu)
     return true;
 }
 
-static void arm_log_exception(int idx)
-{
-    if (qemu_loglevel_mask(CPU_LOG_INT)) {
-        const char *exc = NULL;
-        static const char * const excnames[] = {
-            [EXCP_UDEF] = "Undefined Instruction",
-            [EXCP_SWI] = "SVC",
-            [EXCP_PREFETCH_ABORT] = "Prefetch Abort",
-            [EXCP_DATA_ABORT] = "Data Abort",
-            [EXCP_IRQ] = "IRQ",
-            [EXCP_FIQ] = "FIQ",
-            [EXCP_BKPT] = "Breakpoint",
-            [EXCP_EXCEPTION_EXIT] = "QEMU v7M exception exit",
-            [EXCP_KERNEL_TRAP] = "QEMU intercept of kernel commpage",
-            [EXCP_HVC] = "Hypervisor Call",
-            [EXCP_HYP_TRAP] = "Hypervisor Trap",
-            [EXCP_SMC] = "Secure Monitor Call",
-            [EXCP_VIRQ] = "Virtual IRQ",
-            [EXCP_VFIQ] = "Virtual FIQ",
-            [EXCP_SEMIHOST] = "Semihosting call",
-            [EXCP_NOCP] = "v7M NOCP UsageFault",
-            [EXCP_INVSTATE] = "v7M INVSTATE UsageFault",
-            [EXCP_STKOF] = "v8M STKOF UsageFault",
-            [EXCP_LAZYFP] = "v7M exception during lazy FP stacking",
-            [EXCP_LSERR] = "v8M LSERR UsageFault",
-            [EXCP_UNALIGNED] = "v7M UNALIGNED UsageFault",
-        };
-
-        if (idx >= 0 && idx < ARRAY_SIZE(excnames)) {
-            exc = excnames[idx];
-        }
-        if (!exc) {
-            exc = "unknown";
-        }
-        qemu_log_mask(CPU_LOG_INT, "Taking exception %d [%s]\n", idx, exc);
-    }
-}
-
 static bool v7m_read_half_insn(ARMCPU *cpu, ARMMMUIdx mmu_idx,
                                uint32_t addr, uint16_t *insn)
 {
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

In the next commit we will split the M-profile functions from this
file. Some function will be called out of helper.c. Declare them in
the "internals.h" header.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190701132516.26392-22-philmd@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/internals.h | 42 ++++++++++++++++++++++++++++++++++++++++++
 target/arm/helper.c    | 38 ++------------------------------------
 2 files changed, 44 insertions(+), 36 deletions(-)

diff --git a/target/arm/internals.h b/target/arm/internals.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -XXX,XX +XXX,XX @@ static inline uint32_t v7m_sp_limit(CPUARMState *env)
     }
 }
 
+/**
+ * v7m_cpacr_pass:
+ * Return true if the v7M CPACR permits access to the FPU for the specified
+ * security state and privilege level.
+ */
+static inline bool v7m_cpacr_pass(CPUARMState *env,
+                                  bool is_secure, bool is_priv)
+{
+    switch (extract32(env->v7m.cpacr[is_secure], 20, 2)) {
+    case 0:
+    case 2: /* UNPREDICTABLE: we treat like 0 */
+        return false;
+    case 1:
+        return is_priv;
+    case 3:
+        return true;
+    default:
+        g_assert_not_reached();
+    }
+}
+
 /**
  * aarch32_mode_name(): Return name of the AArch32 CPU mode
  * @psr: Program Status Register indicating CPU mode
@@ -XXX,XX +XXX,XX @@ static inline int exception_target_el(CPUARMState *env)
 
 #ifndef CONFIG_USER_ONLY
 
+/* Security attributes for an address, as returned by v8m_security_lookup. */
+typedef struct V8M_SAttributes {
+    bool subpage; /* true if these attrs don't cover the whole TARGET_PAGE */
+    bool ns;
+    bool nsc;
+    uint8_t sregion;
+    bool srvalid;
+    uint8_t iregion;
+    bool irvalid;
+} V8M_SAttributes;
+
+void v8m_security_lookup(CPUARMState *env, uint32_t address,
+                         MMUAccessType access_type, ARMMMUIdx mmu_idx,
+                         V8M_SAttributes *sattrs);
+
+bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address,
+                       MMUAccessType access_type, ARMMMUIdx mmu_idx,
+                       hwaddr *phys_ptr, MemTxAttrs *txattrs,
+                       int *prot, bool *is_subpage,
+                       ARMMMUFaultInfo *fi, uint32_t *mregion);
+
 /* Cacheability and shareability attributes for a memory access */
 typedef struct ARMCacheAttrs {
     unsigned int attrs:8; /* as in the MAIR register encoding */
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, target_ulong address,
                                hwaddr *phys_ptr, MemTxAttrs *txattrs, int *prot,
                                target_ulong *page_size_ptr,
                                ARMMMUFaultInfo *fi, ARMCacheAttrs *cacheattrs);
-
-/* Security attributes for an address, as returned by v8m_security_lookup. */
-typedef struct V8M_SAttributes {
-    bool subpage; /* true if these attrs don't cover the whole TARGET_PAGE */
-    bool ns;
-    bool nsc;
-    uint8_t sregion;
-    bool srvalid;
-    uint8_t iregion;
-    bool irvalid;
-} V8M_SAttributes;
-
-static void v8m_security_lookup(CPUARMState *env, uint32_t address,
-                                MMUAccessType access_type, ARMMMUIdx mmu_idx,
-                                V8M_SAttributes *sattrs);
 #endif
 
 static void switch_mode(CPUARMState *env, int mode);
@@ -XXX,XX +XXX,XX @@ void arm_log_exception(int idx)
     }
 }
 
-/*
- * Return true if the v7M CPACR permits access to the FPU for the specified
- * security state and privilege level.
- */
-static bool v7m_cpacr_pass(CPUARMState *env, bool is_secure, bool is_priv)
-{
-    switch (extract32(env->v7m.cpacr[is_secure], 20, 2)) {
-    case 0:
-    case 2: /* UNPREDICTABLE: we treat like 0 */
-        return false;
-    case 1:
-        return is_priv;
-    case 3:
-        return true;
-    default:
-        g_assert_not_reached();
-    }
-}
-
 /*
  * What kind of stack write are we doing? This affects how exceptions
  * generated during the stacking are treated.
@@ -XXX,XX +XXX,XX @@ static bool v8m_is_sau_exempt(CPUARMState *env,
         (address >= 0xe00ff000 && address <= 0xe00fffff);
 }
 
-static void v8m_security_lookup(CPUARMState *env, uint32_t address,
+void v8m_security_lookup(CPUARMState *env, uint32_t address,
                                 MMUAccessType access_type, ARMMMUIdx mmu_idx,
                                 V8M_SAttributes *sattrs)
 {
@@ -XXX,XX +XXX,XX @@ static void v8m_security_lookup(CPUARMState *env, uint32_t address,
     }
 }
 
-static bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address,
+bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address,
                               MMUAccessType access_type, ARMMMUIdx mmu_idx,
                               hwaddr *phys_ptr, MemTxAttrs *txattrs,
                               int *prot, bool *is_subpage,
-- 
2.20.1

target-arm queue for rc1 -- these are all bug fixes.

thanks
-- PMM

The following changes since commit b9404bf592e7ba74180e1a54ed7a266ec6ee67f2:

Merge remote-tracking branch 'remotes/dgilbert/tags/pull-hmp-20190715' into staging (2019-07-15 12:22:07 +0100)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20190715

for you to fetch changes up to 51c9122e92b776a3f16af0b9282f1dc5012e2a19:

target/arm: NS BusFault on vector table fetch escalates to NS HardFault (2019-07-15 14:17:04 +0100)

----------------------------------------------------------------
target-arm queue:
 * report ARMv8-A FP support for AArch32 -cpu max
 * hw/ssi/xilinx_spips: Avoid AXI writes to the LQSPI linear memory
 * hw/ssi/xilinx_spips: Avoid out-of-bound access to lqspi_buf[]
 * hw/ssi/mss-spi: Avoid crash when reading empty RX FIFO
 * hw/display/xlnx_dp: Avoid crash when reading empty RX FIFO
 * hw/arm/virt: Fix non-secure flash mode
 * pl031: Correctly migrate state when using -rtc clock=host
 * fix regression that meant arm926 and arm1026 lost VFP
   double-precision support
 * v8M: NS BusFault on vector table fetch escalates to NS HardFault

----------------------------------------------------------------
Alex Bennée (1):
      target/arm: report ARMv8-A FP support for AArch32 -cpu max

David Engraf (1):
      hw/arm/virt: Fix non-secure flash mode

Peter Maydell (3):
      pl031: Correctly migrate state when using -rtc clock=host
      target/arm: Set VFP-related MVFR0 fields for arm926 and arm1026
      target/arm: NS BusFault on vector table fetch escalates to NS HardFault

Philippe Mathieu-Daudé (5):
      hw/ssi/xilinx_spips: Convert lqspi_read() to read_with_attrs
      hw/ssi/xilinx_spips: Avoid AXI writes to the LQSPI linear memory
      hw/ssi/xilinx_spips: Avoid out-of-bound access to lqspi_buf[]
      hw/ssi/mss-spi: Avoid crash when reading empty RX FIFO
      hw/display/xlnx_dp: Avoid crash when reading empty RX FIFO

From: Alex Bennée <alex.bennee@linaro.org>

When we converted to using feature bits in 602f6e42cfbf we missed out
the fact (dp && arm_dc_feature(s, ARM_FEATURE_V8)) was supported for
-cpu max configurations. This caused a regression in the GCC test
suite. Fix this by setting the appropriate bits in mvfr1.FPHP to
report ARMv8-A with FP support (but not ARMv8.2-FP16).

Fixes: https://bugs.launchpad.net/qemu/+bug/1836078
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20190711103737.10017-1-alex.bennee@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_max_initfn(Object *obj)
             t = FIELD_DP32(t, ID_ISAR6, SPECRES, 1);
             cpu->isar.id_isar6 = t;
 
+            t = cpu->isar.mvfr1;
+            t = FIELD_DP32(t, MVFR1, FPHP, 2);     /* v8.0 FP support */
+            cpu->isar.mvfr1 = t;
+
             t = cpu->isar.mvfr2;
             t = FIELD_DP32(t, MVFR2, SIMDMISC, 3); /* SIMD MaxNum */
             t = FIELD_DP32(t, MVFR2, FPMISC, 4);   /* FP MaxNum */
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

In the next commit we will implement the write_with_attrs()
handler. To avoid using different APIs, convert the read()
handler first.

Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
Tested-by: Francisco Iglesias <frasse.iglesias@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/ssi/xilinx_spips.c | 23 +++++++++++------------
 1 file changed, 11 insertions(+), 12 deletions(-)

diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/ssi/xilinx_spips.c
+++ b/hw/ssi/xilinx_spips.c
@@ -XXX,XX +XXX,XX @@ static void lqspi_load_cache(void *opaque, hwaddr addr)
     }
 }
 
-static uint64_t
-lqspi_read(void *opaque, hwaddr addr, unsigned int size)
+static MemTxResult lqspi_read(void *opaque, hwaddr addr, uint64_t *value,
+                              unsigned size, MemTxAttrs attrs)
 {
-    XilinxQSPIPS *q = opaque;
-    uint32_t ret;
+    XilinxQSPIPS *q = XILINX_QSPIPS(opaque);
 
     if (addr >= q->lqspi_cached_addr &&
             addr <= q->lqspi_cached_addr + LQSPI_CACHE_SIZE - 4) {
         uint8_t *retp = &q->lqspi_buf[addr - q->lqspi_cached_addr];
-        ret = cpu_to_le32(*(uint32_t *)retp);
-        DB_PRINT_L(1, "addr: %08x, data: %08x\n", (unsigned)addr,
-                   (unsigned)ret);
-        return ret;
-    } else {
-        lqspi_load_cache(opaque, addr);
-        return lqspi_read(opaque, addr, size);
+        *value = cpu_to_le32(*(uint32_t *)retp);
+        DB_PRINT_L(1, "addr: %08" HWADDR_PRIx ", data: %08" PRIx64 "\n",
+                   addr, *value);
+        return MEMTX_OK;
     }
+
+    lqspi_load_cache(opaque, addr);
+    return lqspi_read(opaque, addr, value, size, attrs);
 }
 
 static const MemoryRegionOps lqspi_ops = {
-    .read = lqspi_read,
+    .read_with_attrs = lqspi_read,
     .endianness = DEVICE_NATIVE_ENDIAN,
     .valid = {
         .min_access_size = 1,
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

Lei Sun found while auditing the code that a CPU write would
trigger a NULL pointer dereference.

>From UG1085 datasheet [*] AXI writes in this region are ignored
and generates an AXI Slave Error (SLVERR).

Fix by implementing the write_with_attrs() handler.
Return MEMTX_ERROR when the region is accessed (this error maps
to an AXI slave error).

[*] https://www.xilinx.com/support/documentation/user_guides/ug1085-zynq-ultrascale-trm.pdf

Reported-by: Lei Sun <slei.casper@gmail.com>
Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
Tested-by: Francisco Iglesias <frasse.iglesias@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/ssi/xilinx_spips.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/ssi/xilinx_spips.c
+++ b/hw/ssi/xilinx_spips.c
@@ -XXX,XX +XXX,XX @@ static MemTxResult lqspi_read(void *opaque, hwaddr addr, uint64_t *value,
     return lqspi_read(opaque, addr, value, size, attrs);
 }
 
+static MemTxResult lqspi_write(void *opaque, hwaddr offset, uint64_t value,
+                               unsigned size, MemTxAttrs attrs)
+{
+    /*
+     * From UG1085, Chapter 24 (Quad-SPI controllers):
+     * - Writes are ignored
+     * - AXI writes generate an external AXI slave error (SLVERR)
+     */
+    qemu_log_mask(LOG_GUEST_ERROR, "%s Unexpected %u-bit access to 0x%" PRIx64
+                                   " (value: 0x%" PRIx64 "\n",
+                  __func__, size << 3, offset, value);
+
+    return MEMTX_ERROR;
+}
+
 static const MemoryRegionOps lqspi_ops = {
     .read_with_attrs = lqspi_read,
+    .write_with_attrs = lqspi_write,
     .endianness = DEVICE_NATIVE_ENDIAN,
     .valid = {
         .min_access_size = 1,
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

Both lqspi_read() and lqspi_load_cache() expect a 32-bit
aligned address.

>From UG1085 datasheet [*] chapter on 'Quad-SPI Controller':

Transfer Size Limitations

Because of the 32-bit wide TX, RX, and generic FIFO, all
    APB/AXI transfers must be an integer multiple of 4-bytes.
    Shorter transfers are not possible.

Set MemoryRegionOps.impl values to force 32-bit accesses,
this way we are sure we do not access the lqspi_buf[] array
out of bound.

[*] https://www.xilinx.com/support/documentation/user_guides/ug1085-zynq-ultrascale-trm.pdf

diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/ssi/xilinx_spips.c
+++ b/hw/ssi/xilinx_spips.c
@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps lqspi_ops = {
     .read_with_attrs = lqspi_read,
     .write_with_attrs = lqspi_write,
     .endianness = DEVICE_NATIVE_ENDIAN,
+    .impl = {
+        .min_access_size = 4,
+        .max_access_size = 4,
+    },
     .valid = {
         .min_access_size = 1,
         .max_access_size = 4
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

Reading the RX_DATA register when the RX_FIFO is empty triggers
an abort. This can be easily reproduced:

$ qemu-system-arm -M emcraft-sf2 -monitor stdio -S
  QEMU 4.0.50 monitor - type 'help' for more information
  (qemu) x 0x40001010
  Aborted (core dumped)

(gdb) bt
  #1  0x00007f035874f895 in abort () at /lib64/libc.so.6
  #2  0x00005628686591ff in fifo8_pop (fifo=0x56286a9a4c68) at util/fifo8.c:66
  #3  0x00005628683e0b8e in fifo32_pop (fifo=0x56286a9a4c68) at include/qemu/fifo32.h:137
  #4  0x00005628683e0efb in spi_read (opaque=0x56286a9a4850, addr=4, size=4) at hw/ssi/mss-spi.c:168
  #5  0x0000562867f96801 in memory_region_read_accessor (mr=0x56286a9a4b60, addr=16, value=0x7ffeecb0c5c8, size=4, shift=0, mask=4294967295, attrs=...) at memory.c:439
  #6  0x0000562867f96cdb in access_with_adjusted_size (addr=16, value=0x7ffeecb0c5c8, size=4, access_size_min=1, access_size_max=4, access_fn=0x562867f967c3 <memory_region_read_accessor>, mr=0x56286a9a4b60, attrs=...) at memory.c:569
  #7  0x0000562867f99940 in memory_region_dispatch_read1 (mr=0x56286a9a4b60, addr=16, pval=0x7ffeecb0c5c8, size=4, attrs=...) at memory.c:1420
  #8  0x0000562867f99a08 in memory_region_dispatch_read (mr=0x56286a9a4b60, addr=16, pval=0x7ffeecb0c5c8, size=4, attrs=...) at memory.c:1447
  #9  0x0000562867f38721 in flatview_read_continue (fv=0x56286aec6360, addr=1073745936, attrs=..., buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4, addr1=16, l=4, mr=0x56286a9a4b60) at exec.c:3385
  #10 0x0000562867f38874 in flatview_read (fv=0x56286aec6360, addr=1073745936, attrs=..., buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4) at exec.c:3423
  #11 0x0000562867f388ea in address_space_read_full (as=0x56286aa3e890, addr=1073745936, attrs=..., buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4) at exec.c:3436
  #12 0x0000562867f389c5 in address_space_rw (as=0x56286aa3e890, addr=1073745936, attrs=..., buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4, is_write=false) at exec.c:3466
  #13 0x0000562867f3bdd7 in cpu_memory_rw_debug (cpu=0x56286aa19d00, addr=1073745936, buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4, is_write=0) at exec.c:3976
  #14 0x000056286811ed51 in memory_dump (mon=0x56286a8c32d0, count=1, format=120, wsize=4, addr=1073745936, is_physical=0) at monitor/misc.c:730
  #15 0x000056286811eff1 in hmp_memory_dump (mon=0x56286a8c32d0, qdict=0x56286b15c400) at monitor/misc.c:785
  #16 0x00005628684740ee in handle_hmp_command (mon=0x56286a8c32d0, cmdline=0x56286a8caeb2 "0x40001010") at monitor/hmp.c:1082

From the datasheet "Actel SmartFusion Microcontroller Subsystem
User's Guide" Rev.1, Table 13-3 "SPI Register Summary", this
register has a reset value of 0.

Check the FIFO is not empty before accessing it, else log an
error message.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20190709113715.7761-3-philmd@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/ssi/mss-spi.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/hw/ssi/mss-spi.c b/hw/ssi/mss-spi.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/ssi/mss-spi.c
+++ b/hw/ssi/mss-spi.c
@@ -XXX,XX +XXX,XX @@ spi_read(void *opaque, hwaddr addr, unsigned int size)
     case R_SPI_RX:
         s->regs[R_SPI_STATUS] &= ~S_RXFIFOFUL;
         s->regs[R_SPI_STATUS] &= ~S_RXCHOVRF;
-        ret = fifo32_pop(&s->rx_fifo);
+        if (fifo32_is_empty(&s->rx_fifo)) {
+            qemu_log_mask(LOG_GUEST_ERROR,
+                          "%s: Reading empty RX_FIFO\n",
+                          __func__);
+        } else {
+            ret = fifo32_pop(&s->rx_fifo);
+        }
         if (fifo32_is_empty(&s->rx_fifo)) {
             s->regs[R_SPI_STATUS] |= S_RXFIFOEMP;
         }
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

In the previous commit we fixed a crash when the guest read a
register that pop from an empty FIFO.
By auditing the repository, we found another similar use with
an easy way to reproduce:

$ qemu-system-aarch64 -M xlnx-zcu102 -monitor stdio -S
  QEMU 4.0.50 monitor - type 'help' for more information
  (qemu) xp/b 0xfd4a0134
  Aborted (core dumped)

(gdb) bt
  #0  0x00007f6936dea57f in raise () at /lib64/libc.so.6
  #1  0x00007f6936dd4895 in abort () at /lib64/libc.so.6
  #2  0x0000561ad32975ec in xlnx_dp_aux_pop_rx_fifo (s=0x7f692babee70) at hw/display/xlnx_dp.c:431
  #3  0x0000561ad3297dc0 in xlnx_dp_read (opaque=0x7f692babee70, offset=77, size=4) at hw/display/xlnx_dp.c:667
  #4  0x0000561ad321b896 in memory_region_read_accessor (mr=0x7f692babf620, addr=308, value=0x7ffe05c1db88, size=4, shift=0, mask=4294967295, attrs=...) at memory.c:439
  #5  0x0000561ad321bd70 in access_with_adjusted_size (addr=308, value=0x7ffe05c1db88, size=1, access_size_min=4, access_size_max=4, access_fn=0x561ad321b858 <memory_region_read_accessor>, mr=0x7f692babf620, attrs=...) at memory.c:569
  #6  0x0000561ad321e9d5 in memory_region_dispatch_read1 (mr=0x7f692babf620, addr=308, pval=0x7ffe05c1db88, size=1, attrs=...) at memory.c:1420
  #7  0x0000561ad321ea9d in memory_region_dispatch_read (mr=0x7f692babf620, addr=308, pval=0x7ffe05c1db88, size=1, attrs=...) at memory.c:1447
  #8  0x0000561ad31bd742 in flatview_read_continue (fv=0x561ad69c04f0, addr=4249485620, attrs=..., buf=0x7ffe05c1dcf0 "\020\335\301\005\376\177", len=1, addr1=308, l=1, mr=0x7f692babf620) at exec.c:3385
  #9  0x0000561ad31bd895 in flatview_read (fv=0x561ad69c04f0, addr=4249485620, attrs=..., buf=0x7ffe05c1dcf0 "\020\335\301\005\376\177", len=1) at exec.c:3423
  #10 0x0000561ad31bd90b in address_space_read_full (as=0x561ad5bb3020, addr=4249485620, attrs=..., buf=0x7ffe05c1dcf0 "\020\335\301\005\376\177", len=1) at exec.c:3436
  #11 0x0000561ad33b1c42 in address_space_read (len=1, buf=0x7ffe05c1dcf0 "\020\335\301\005\376\177", attrs=..., addr=4249485620, as=0x561ad5bb3020) at include/exec/memory.h:2131
  #12 0x0000561ad33b1c42 in memory_dump (mon=0x561ad59c4530, count=1, format=120, wsize=1, addr=4249485620, is_physical=1) at monitor/misc.c:723
  #13 0x0000561ad33b1fc1 in hmp_physical_memory_dump (mon=0x561ad59c4530, qdict=0x561ad6c6fd00) at monitor/misc.c:795
  #14 0x0000561ad37b4a9f in handle_hmp_command (mon=0x561ad59c4530, cmdline=0x561ad59d0f22 "/b 0x00000000fd4a0134") at monitor/hmp.c:1082

Fix by checking the FIFO is not empty before popping from it.

The datasheet is not clear about the reset value of this register,
we choose to return '0'.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20190709113715.7761-4-philmd@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/display/xlnx_dp.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/hw/display/xlnx_dp.c b/hw/display/xlnx_dp.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/display/xlnx_dp.c
+++ b/hw/display/xlnx_dp.c
@@ -XXX,XX +XXX,XX @@ static uint8_t xlnx_dp_aux_pop_rx_fifo(XlnxDPState *s)
     uint8_t ret;
 
     if (fifo8_is_empty(&s->rx_fifo)) {
-        DPRINTF("rx_fifo underflow..\n");
-        abort();
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "%s: Reading empty RX_FIFO\n",
+                      __func__);
+        /*
+         * The datasheet is not clear about the reset value, it seems
+         * to be unspecified. We choose to return '0'.
+         */
+        ret = 0;
+    } else {
+        ret = fifo8_pop(&s->rx_fifo);
+        DPRINTF("pop 0x%" PRIX8 " from rx_fifo.\n", ret);
     }
-    ret = fifo8_pop(&s->rx_fifo);
-    DPRINTF("pop 0x%" PRIX8 " from rx_fifo.\n", ret);
     return ret;
 }
 
-- 
2.20.1

From: David Engraf <david.engraf@sysgo.com>

Using the whole 128 MiB flash in non-secure mode is not working because
virt_flash_fdt() expects the same address for secure_sysmem and sysmem.
This is not correctly handled by caller because it forwards NULL for
secure_sysmem in non-secure flash mode.

Fixed by using sysmem when secure_sysmem is NULL.

Signed-off-by: David Engraf <david.engraf@sysgo.com>
Message-id: 20190712075002.14326-1-david.engraf@sysgo.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/virt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@ static void machvirt_init(MachineState *machine)
                                     &machine->device_memory->mr);
     }
 
-    virt_flash_fdt(vms, sysmem, secure_sysmem);
+    virt_flash_fdt(vms, sysmem, secure_sysmem ?: sysmem);
 
     create_gic(vms, pic);
 
-- 
2.20.1

The PL031 RTC tracks the difference between the guest RTC
and the host RTC using a tick_offset field. For migration,
however, we currently always migrate the offset between
the guest and the vm_clock, even if the RTC clock is not
the same as the vm_clock; this was an attempt to retain
migration backwards compatibility.

Unfortunately this results in the RTC behaving oddly across
a VM state save and restore -- since the VM clock stands still
across save-then-restore, regardless of how much real world
time has elapsed, the guest RTC ends up out of sync with the
host RTC in the restored VM.

Fix this by migrating the raw tick_offset. To retain migration
compatibility as far as possible, we have a new property
migrate-tick-offset; by default this is 'true' and we will
migrate the true tick offset in a new subsection; if the
incoming data has no subsection we fall back to the old
vm_clock-based offset information, so old->new migration
compatibility is preserved. For complete new->old migration
compatibility, the property is set to 'false' for 4.0 and
earlier machine types (this will only affect 'virt-4.0'
and below, as none of the other pl031-using machines are
versioned).

Reported-by: Russell King <rmk@armlinux.org.uk>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-id: 20190709143912.28905-1-peter.maydell@linaro.org
---
 include/hw/timer/pl031.h |  2 +
 hw/core/machine.c        |  1 +
 hw/timer/pl031.c         | 92 ++++++++++++++++++++++++++++++++++++++--
 3 files changed, 91 insertions(+), 4 deletions(-)

diff --git a/include/hw/timer/pl031.h b/include/hw/timer/pl031.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/timer/pl031.h
+++ b/include/hw/timer/pl031.h
@@ -XXX,XX +XXX,XX @@ typedef struct PL031State {
      */
     uint32_t tick_offset_vmstate;
     uint32_t tick_offset;
+    bool tick_offset_migrated;
+    bool migrate_tick_offset;
 
     uint32_t mr;
     uint32_t lr;
diff --git a/hw/core/machine.c b/hw/core/machine.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/core/machine.c
+++ b/hw/core/machine.c
@@ -XXX,XX +XXX,XX @@ GlobalProperty hw_compat_4_0[] = {
     { "virtio-gpu-pci", "edid", "false" },
     { "virtio-device", "use-started", "false" },
     { "virtio-balloon-device", "qemu-4-0-config-size", "true" },
+    { "pl031", "migrate-tick-offset", "false" },
 };
 const size_t hw_compat_4_0_len = G_N_ELEMENTS(hw_compat_4_0);
 
diff --git a/hw/timer/pl031.c b/hw/timer/pl031.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/timer/pl031.c
+++ b/hw/timer/pl031.c
@@ -XXX,XX +XXX,XX @@ static int pl031_pre_save(void *opaque)
 {
     PL031State *s = opaque;
 
-    /* tick_offset is base_time - rtc_clock base time.  Instead, we want to
-     * store the base time relative to the QEMU_CLOCK_VIRTUAL for backwards-compatibility.  */
+    /*
+     * The PL031 device model code uses the tick_offset field, which is
+     * the offset between what the guest RTC should read and what the
+     * QEMU rtc_clock reads:
+     *  guest_rtc = rtc_clock + tick_offset
+     * and so
+     *  tick_offset = guest_rtc - rtc_clock
+     *
+     * We want to migrate this offset, which sounds straightforward.
+     * Unfortunately older versions of QEMU migrated a conversion of this
+     * offset into an offset from the vm_clock. (This was in turn an
+     * attempt to be compatible with even older QEMU versions, but it
+     * has incorrect behaviour if the rtc_clock is not the same as the
+     * vm_clock.) So we put the actual tick_offset into a migration
+     * subsection, and the backwards-compatible time-relative-to-vm_clock
+     * in the main migration state.
+     *
+     * Calculate base time relative to QEMU_CLOCK_VIRTUAL:
+     */
     int64_t delta = qemu_clock_get_ns(rtc_clock) - qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
     s->tick_offset_vmstate = s->tick_offset + delta / NANOSECONDS_PER_SECOND;
 
     return 0;
 }
 
+static int pl031_pre_load(void *opaque)
+{
+    PL031State *s = opaque;
+
+    s->tick_offset_migrated = false;
+    return 0;
+}
+
 static int pl031_post_load(void *opaque, int version_id)
 {
     PL031State *s = opaque;
 
-    int64_t delta = qemu_clock_get_ns(rtc_clock) - qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
-    s->tick_offset = s->tick_offset_vmstate - delta / NANOSECONDS_PER_SECOND;
+    /*
+     * If we got the tick_offset subsection, then we can just use
+     * the value in that. Otherwise the source is an older QEMU and
+     * has given us the offset from the vm_clock; convert it back to
+     * an offset from the rtc_clock. This will cause time to incorrectly
+     * go backwards compared to the host RTC, but this is unavoidable.
+     */
+
+    if (!s->tick_offset_migrated) {
+        int64_t delta = qemu_clock_get_ns(rtc_clock) -
+            qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
+        s->tick_offset = s->tick_offset_vmstate -
+            delta / NANOSECONDS_PER_SECOND;
+    }
     pl031_set_alarm(s);
     return 0;
 }
 
+static int pl031_tick_offset_post_load(void *opaque, int version_id)
+{
+    PL031State *s = opaque;
+
+    s->tick_offset_migrated = true;
+    return 0;
+}
+
+static bool pl031_tick_offset_needed(void *opaque)
+{
+    PL031State *s = opaque;
+
+    return s->migrate_tick_offset;
+}
+
+static const VMStateDescription vmstate_pl031_tick_offset = {
+    .name = "pl031/tick-offset",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .needed = pl031_tick_offset_needed,
+    .post_load = pl031_tick_offset_post_load,
+    .fields = (VMStateField[]) {
+        VMSTATE_UINT32(tick_offset, PL031State),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
 static const VMStateDescription vmstate_pl031 = {
     .name = "pl031",
     .version_id = 1,
     .minimum_version_id = 1,
     .pre_save = pl031_pre_save,
+    .pre_load = pl031_pre_load,
     .post_load = pl031_post_load,
     .fields = (VMStateField[]) {
         VMSTATE_UINT32(tick_offset_vmstate, PL031State),
@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_pl031 = {
         VMSTATE_UINT32(im, PL031State),
         VMSTATE_UINT32(is, PL031State),
         VMSTATE_END_OF_LIST()
+    },
+    .subsections = (const VMStateDescription*[]) {
+        &vmstate_pl031_tick_offset,
+        NULL
     }
 };
 
+static Property pl031_properties[] = {
+    /*
+     * True to correctly migrate the tick offset of the RTC. False to
+     * obtain backward migration compatibility with older QEMU versions,
+     * at the expense of the guest RTC going backwards compared with the
+     * host RTC when the VM is saved/restored if using -rtc host.
+     * (Even if set to 'true' older QEMU can migrate forward to newer QEMU;
+     * 'false' also permits newer QEMU to migrate to older QEMU.)
+     */
+    DEFINE_PROP_BOOL("migrate-tick-offset",
+                     PL031State, migrate_tick_offset, true),
+    DEFINE_PROP_END_OF_LIST()
+};
+
 static void pl031_class_init(ObjectClass *klass, void *data)
 {
     DeviceClass *dc = DEVICE_CLASS(klass);
 
     dc->vmsd = &vmstate_pl031;
+    dc->props = pl031_properties;
 }
 
 static const TypeInfo pl031_info = {
-- 
2.20.1

The ARMv5 architecture didn't specify detailed per-feature ID
registers. Now that we're using the MVFR0 register fields to
gate the existence of VFP instructions, we need to set up
the correct values in the cpu->isar structure so that we still
provide an FPU to the guest.

This fixes a regression in the arm926 and arm1026 CPUs, which
are the only ones that both have VFP and are ARMv5 or earlier.
This regression was introduced by the VFP refactoring, and more
specifically by commits 1120827fa182f0e76 and 266bd25c485597c,
which accidentally disabled VFP short-vector support and
double-precision support on these CPUs.

Fixes: 1120827fa182f0e
Fixes: 266bd25c485597c
Fixes: https://bugs.launchpad.net/qemu/+bug/1836192
Reported-by: Christophe Lyon <christophe.lyon@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Tested-by: Christophe Lyon <christophe.lyon@linaro.org>
Message-id: 20190711131241.22231-1-peter.maydell@linaro.org
---
 target/arm/cpu.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm926_initfn(Object *obj)
      * set the field to indicate Jazelle support within QEMU.
      */
     cpu->isar.id_isar1 = FIELD_DP32(cpu->isar.id_isar1, ID_ISAR1, JAZELLE, 1);
+    /*
+     * Similarly, we need to set MVFR0 fields to enable double precision
+     * and short vector support even though ARMv5 doesn't have this register.
+     */
+    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPSHVEC, 1);
+    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPDP, 1);
 }
 
 static void arm946_initfn(Object *obj)
@@ -XXX,XX +XXX,XX @@ static void arm1026_initfn(Object *obj)
      * set the field to indicate Jazelle support within QEMU.
      */
     cpu->isar.id_isar1 = FIELD_DP32(cpu->isar.id_isar1, ID_ISAR1, JAZELLE, 1);
+    /*
+     * Similarly, we need to set MVFR0 fields to enable double precision
+     * and short vector support even though ARMv5 doesn't have this register.
+     */
+    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPSHVEC, 1);
+    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPDP, 1);
 
     {
         /* The 1026 had an IFAR at c6,c0,0,1 rather than the ARMv6 c6,c0,0,2 */
-- 
2.20.1

In the M-profile architecture, when we do a vector table fetch and it
fails, we need to report a HardFault.  Whether this is a Secure HF or
a NonSecure HF depends on several things.  If AIRCR.BFHFNMINS is 0
then HF is always Secure, because there is no NonSecure HardFault.
Otherwise, the answer depends on whether the 'underlying exception'
(MemManage, BusFault, SecureFault) targets Secure or NonSecure.  (In
the pseudocode, this is handled in the Vector() function: the final
exc.isSecure is calculated by looking at the exc.isSecure from the
exception returned from the memory access, not the isSecure input
argument.)

We weren't doing this correctly, because we were looking at
the target security domain of the exception we were trying to
load the vector table entry for. This produces errors of two kinds:
 * a load from the NS vector table which hits the "NS access
   to S memory" SecureFault should end up as a Secure HardFault,
   but we were raising an NS HardFault
 * a load from the S vector table which causes a BusFault
   should raise an NS HardFault if BFHFNMINS == 1 (because
   in that case all BusFaults are NonSecure), but we were raising
   a Secure HardFault

Correct the logic.

We also fix a comment error where we claimed that we might
be escalating MemManage to HardFault, and forgot about SecureFault.
(Vector loads can never hit MPU access faults, because they're
always aligned and always use the default address map.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20190705094823.28905-1-peter.maydell@linaro.org
---
 target/arm/m_helper.c | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/target/arm/m_helper.c b/target/arm/m_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/m_helper.c
+++ b/target/arm/m_helper.c
@@ -XXX,XX +XXX,XX @@ static bool arm_v7m_load_vector(ARMCPU *cpu, int exc, bool targets_secure,
         if (sattrs.ns) {
             attrs.secure = false;
         } else if (!targets_secure) {
-            /* NS access to S memory */
+            /*
+             * NS access to S memory: the underlying exception which we escalate
+             * to HardFault is SecureFault, which always targets Secure.
+             */
+            exc_secure = true;
             goto load_fail;
         }
     }
@@ -XXX,XX +XXX,XX @@ static bool arm_v7m_load_vector(ARMCPU *cpu, int exc, bool targets_secure,
     vector_entry = address_space_ldl(arm_addressspace(cs, attrs), addr,
                                      attrs, &result);
     if (result != MEMTX_OK) {
+        /*
+         * Underlying exception is BusFault: its target security state
+         * depends on BFHFNMINS.
+         */
+        exc_secure = !(cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK);
         goto load_fail;
     }
     *pvec = vector_entry;
@@ -XXX,XX +XXX,XX @@ load_fail:
     /*
      * All vector table fetch fails are reported as HardFault, with
      * HFSR.VECTTBL and .FORCED set. (FORCED is set because
-     * technically the underlying exception is a MemManage or BusFault
+     * technically the underlying exception is a SecureFault or BusFault
      * that is escalated to HardFault.) This is a terminal exception,
      * so we will either take the HardFault immediately or else enter
      * lockup (the latter case is handled in armv7m_nvic_set_pending_derived()).
+     * The HardFault is Secure if BFHFNMINS is 0 (meaning that all HFs are
+     * secure); otherwise it targets the same security state as the
+     * underlying exception.
      */
-    exc_secure = targets_secure ||
-        !(cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK);
+    if (!(cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK)) {
+        exc_secure = true;
+    }
     env->v7m.hfsr |= R_V7M_HFSR_VECTTBL_MASK | R_V7M_HFSR_FORCED_MASK;
     armv7m_nvic_set_pending_derived(env->nvic, ARMV7M_EXCP_HARD, exc_secure);
     return false;
-- 
2.20.1