Series comparison

-[Qemu-devel] [PULL 00/10] target-arm queue
+[PULL 00/15] target-arm queue
-target-arm queue for rc1 -- these are all bug fixes.
+Latest arm queue, a mixed bag of features and bug fixes.
 thanks
 -- PMM
-The following changes since commit b9404bf592e7ba74180e1a54ed7a266ec6ee67f2:
+The following changes since commit cbf01142b2aef0c0b4e995cecd7e79d342bbc47e:
-  Merge remote-tracking branch 'remotes/dgilbert/tags/pull-hmp-20190715' into staging (2019-07-15 12:22:07 +0100)
+  Merge remote-tracking branch 'remotes/rth/tags/pull-tcg-20200115' into staging (2020-01-17 12:13:17 +0000)
 are available in the Git repository at:
-  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20190715
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20200117-1
-for you to fetch changes up to 51c9122e92b776a3f16af0b9282f1dc5012e2a19:
+for you to fetch changes up to 1a1fbc6cbb34c26d43d8360c66c1d21681af14a9:
-  target/arm: NS BusFault on vector table fetch escalates to NS HardFault (2019-07-15 14:17:04 +0100)
+  target/arm: Set ISSIs16Bit in make_issinfo (2020-01-17 14:27:16 +0000)
 ----------------------------------------------------------------
-target-arm queue:
+Add model of the Netduino Plus 2 board
- * report ARMv8-A FP support for AArch32 -cpu max
+Some allwinner-a10 code cleanup
- * hw/ssi/xilinx_spips: Avoid AXI writes to the LQSPI linear memory
+New test cases for cubieboard
- * hw/ssi/xilinx_spips: Avoid out-of-bound access to lqspi_buf[]
+target/arm/arm-semi: fix SYS_OPEN to return nonzero filehandle
- * hw/ssi/mss-spi: Avoid crash when reading empty RX FIFO
+i.MX: add an emulation for RNGC device
- * hw/display/xlnx_dp: Avoid crash when reading empty RX FIFO
+target/arm: adjust program counter for wfi exception in AArch32
- * hw/arm/virt: Fix non-secure flash mode
+arm/gicv3: update virtual irq state after IAR register read
- * pl031: Correctly migrate state when using -rtc clock=host
+Set IL bit correctly for syndrome information for data aborts
  * fix regression that meant arm926 and arm1026 lost VFP
    double-precision support
  * v8M: NS BusFault on vector table fetch escalates to NS HardFault
 ----------------------------------------------------------------
-Alex Bennée (1):
+Alistair Francis (4):
-      target/arm: report ARMv8-A FP support for AArch32 -cpu max
+      hw/misc: Add the STM32F4xx Sysconfig device
       hw/misc: Add the STM32F4xx EXTI device
       hw/arm: Add the STM32F4xx SoC
       hw/arm: Add the Netduino Plus 2
-David Engraf (1):
+Jeff Kubascik (3):
-      hw/arm/virt: Fix non-secure flash mode
+      target/arm: adjust program counter for wfi exception in AArch32
       arm/gicv3: update virtual irq state after IAR register read
       target/arm: Return correct IL bit in merge_syn_data_abort
-Peter Maydell (3):
+Martin Kaiser (1):
-      pl031: Correctly migrate state when using -rtc clock=host
+      i.MX: add an emulation for RNGC
-      target/arm: Set VFP-related MVFR0 fields for arm926 and arm1026
-      target/arm: NS BusFault on vector table fetch escalates to NS HardFault
+Masahiro Yamada (1):
       target/arm/arm-semi: fix SYS_OPEN to return nonzero filehandle
 Philippe Mathieu-Daudé (5):
-      hw/ssi/xilinx_spips: Convert lqspi_read() to read_with_attrs
+      tests/boot_linux_console: Add initrd test for the CubieBoard
-      hw/ssi/xilinx_spips: Avoid AXI writes to the LQSPI linear memory
+      tests/boot_linux_console: Add a SD card test for the CubieBoard
-      hw/ssi/xilinx_spips: Avoid out-of-bound access to lqspi_buf[]
+      hw/arm/allwinner-a10: Move SoC definitions out of header
-      hw/ssi/mss-spi: Avoid crash when reading empty RX FIFO
+      hw/arm/allwinner-a10: Simplify by passing IRQs with qdev_pass_gpios()
-      hw/display/xlnx_dp: Avoid crash when reading empty RX FIFO
+      hw/arm/allwinner-a10: Remove local qemu_irq variables
- include/hw/timer/pl031.h |  2 ++
+Richard Henderson (1):
- hw/arm/virt.c            |  2 +-
+      target/arm: Set ISSIs16Bit in make_issinfo
  hw/core/machine.c        |  1 +
  hw/display/xlnx_dp.c     | 15 +++++---
  hw/ssi/mss-spi.c         |  8 ++++-
  hw/ssi/xilinx_spips.c    | 43 +++++++++++++++-------
  hw/timer/pl031.c         | 92 +++++++++++++++++++++++++++++++++++++++++++++---
  target/arm/cpu.c         | 16 +++++++++
  target/arm/m_helper.c    | 21 ++++++++---
 files changed, 174 insertions(+), 26 deletions(-)
+ hw/arm/Makefile.objs                   |   2 +
+ hw/misc/Makefile.objs                  |   3 +
+ include/hw/arm/allwinner-a10.h         |   7 -
+ include/hw/arm/fsl-imx25.h             |   5 +
+ include/hw/arm/stm32f405_soc.h         |  73 ++++++++
+ include/hw/misc/imx_rngc.h             |  35 ++++
+ include/hw/misc/stm32f4xx_exti.h       |  60 +++++++
+ include/hw/misc/stm32f4xx_syscfg.h     |  61 +++++++
+ hw/arm/allwinner-a10.c                 |  39 +++--
+ hw/arm/fsl-imx25.c                     |  11 ++
+ hw/arm/netduinoplus2.c                 |  52 ++++++
+ hw/arm/stm32f405_soc.c                 | 302 +++++++++++++++++++++++++++++++++
+ hw/intc/arm_gicv3_cpuif.c              |   3 +
+ hw/misc/imx_rngc.c                     | 278 ++++++++++++++++++++++++++++++
+ hw/misc/stm32f4xx_exti.c               | 188 ++++++++++++++++++++
+ hw/misc/stm32f4xx_syscfg.c             | 171 +++++++++++++++++++
+ target/arm/arm-semi.c                  |   5 +-
+ target/arm/op_helper.c                 |   7 +-
+ target/arm/tlb_helper.c                |   2 +-
+ target/arm/translate.c                 |   3 +
+ MAINTAINERS                            |  14 ++
+ default-configs/arm-softmmu.mak        |   1 +
+ hw/arm/Kconfig                         |  10 ++
+ hw/misc/Kconfig                        |   6 +
+ hw/misc/trace-events                   |  11 ++
+ tests/acceptance/boot_linux_console.py |  85 ++++++++++
+files changed, 1405 insertions(+), 29 deletions(-)
+ create mode 100644 include/hw/arm/stm32f405_soc.h
+ create mode 100644 include/hw/misc/imx_rngc.h
+ create mode 100644 include/hw/misc/stm32f4xx_exti.h
+ create mode 100644 include/hw/misc/stm32f4xx_syscfg.h
+ create mode 100644 hw/arm/netduinoplus2.c
+ create mode 100644 hw/arm/stm32f405_soc.c
+ create mode 100644 hw/misc/imx_rngc.c
+ create mode 100644 hw/misc/stm32f4xx_exti.c
+ create mode 100644 hw/misc/stm32f4xx_syscfg.c

-New patch
+[PULL 01/15] hw/misc: Add the STM32F4xx Sysconfig device
+From: Alistair Francis <alistair@alistair23.me>
+Signed-off-by: Alistair Francis <alistair@alistair23.me>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 49b01423a09cef2ca832ff73a84a996568f1a8fc.1576658572.git.alistair@alistair23.me
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ hw/misc/Makefile.objs              |   1 +
+ include/hw/misc/stm32f4xx_syscfg.h |  61 ++++++++++
+ hw/misc/stm32f4xx_syscfg.c         | 171 +++++++++++++++++++++++++++++
+ default-configs/arm-softmmu.mak    |   1 +
+ hw/arm/Kconfig                     |   9 ++
+ hw/misc/Kconfig                    |   3 +
+ hw/misc/trace-events               |   6 +
+files changed, 252 insertions(+)
+ create mode 100644 include/hw/misc/stm32f4xx_syscfg.h
+ create mode 100644 hw/misc/stm32f4xx_syscfg.c
+diff --git a/hw/misc/Makefile.objs b/hw/misc/Makefile.objs
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/misc/Makefile.objs
++++ b/hw/misc/Makefile.objs
+@@ -XXX,XX +XXX,XX @@ common-obj-$(CONFIG_SLAVIO) += slavio_misc.o
+ common-obj-$(CONFIG_ZYNQ) += zynq_slcr.o
+ common-obj-$(CONFIG_ZYNQ) += zynq-xadc.o
+ common-obj-$(CONFIG_STM32F2XX_SYSCFG) += stm32f2xx_syscfg.o
++common-obj-$(CONFIG_STM32F4XX_SYSCFG) += stm32f4xx_syscfg.o
+ obj-$(CONFIG_MIPS_CPS) += mips_cmgcr.o
+ obj-$(CONFIG_MIPS_CPS) += mips_cpc.o
+ obj-$(CONFIG_MIPS_ITU) += mips_itu.o
+diff --git a/include/hw/misc/stm32f4xx_syscfg.h b/include/hw/misc/stm32f4xx_syscfg.h
+new file mode 100644
+index XXXXXXX..XXXXXXX
+--- /dev/null
++++ b/include/hw/misc/stm32f4xx_syscfg.h
+@@ -XXX,XX +XXX,XX @@
++/*
++ * STM32F4xx SYSCFG
++ *
++ * Copyright (c) 2014 Alistair Francis <alistair@alistair23.me>
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining a copy
++ * of this software and associated documentation files (the "Software"), to deal
++ * in the Software without restriction, including without limitation the rights
++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
++ * copies of the Software, and to permit persons to whom the Software is
++ * furnished to do so, subject to the following conditions:
++ *
++ * The above copyright notice and this permission notice shall be included in
++ * all copies or substantial portions of the Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
++ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
++ * THE SOFTWARE.
++ */
++
++#ifndef HW_STM_SYSCFG_H
++#define HW_STM_SYSCFG_H
++
++#include "hw/sysbus.h"
++#include "hw/hw.h"
++
++#define SYSCFG_MEMRMP  0x00
++#define SYSCFG_PMC     0x04
++#define SYSCFG_EXTICR1 0x08
++#define SYSCFG_EXTICR2 0x0C
++#define SYSCFG_EXTICR3 0x10
++#define SYSCFG_EXTICR4 0x14
++#define SYSCFG_CMPCR   0x20
++
++#define TYPE_STM32F4XX_SYSCFG "stm32f4xx-syscfg"
++#define STM32F4XX_SYSCFG(obj) \
++    OBJECT_CHECK(STM32F4xxSyscfgState, (obj), TYPE_STM32F4XX_SYSCFG)
++
++#define SYSCFG_NUM_EXTICR 4
++
++typedef struct {
++    /* <private> */
++    SysBusDevice parent_obj;
++
++    /* <public> */
++    MemoryRegion mmio;
++
++    uint32_t syscfg_memrmp;
++    uint32_t syscfg_pmc;
++    uint32_t syscfg_exticr[SYSCFG_NUM_EXTICR];
++    uint32_t syscfg_cmpcr;
++
++    qemu_irq irq;
++    qemu_irq gpio_out[16];
++} STM32F4xxSyscfgState;
++
++#endif
+diff --git a/hw/misc/stm32f4xx_syscfg.c b/hw/misc/stm32f4xx_syscfg.c
+new file mode 100644
+index XXXXXXX..XXXXXXX
+--- /dev/null
++++ b/hw/misc/stm32f4xx_syscfg.c
+@@ -XXX,XX +XXX,XX @@
++/*
++ * STM32F4xx SYSCFG
++ *
++ * Copyright (c) 2014 Alistair Francis <alistair@alistair23.me>
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining a copy
++ * of this software and associated documentation files (the "Software"), to deal
++ * in the Software without restriction, including without limitation the rights
++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
++ * copies of the Software, and to permit persons to whom the Software is
++ * furnished to do so, subject to the following conditions:
++ *
++ * The above copyright notice and this permission notice shall be included in
++ * all copies or substantial portions of the Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
++ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
++ * THE SOFTWARE.
++ */
++
++#include "qemu/osdep.h"
++#include "qemu/log.h"
++#include "trace.h"
++#include "hw/irq.h"
++#include "migration/vmstate.h"
++#include "hw/misc/stm32f4xx_syscfg.h"
++
++static void stm32f4xx_syscfg_reset(DeviceState *dev)
++{
++    STM32F4xxSyscfgState *s = STM32F4XX_SYSCFG(dev);
++
++    s->syscfg_memrmp = 0x00000000;
++    s->syscfg_pmc = 0x00000000;
++    s->syscfg_exticr[0] = 0x00000000;
++    s->syscfg_exticr[1] = 0x00000000;
++    s->syscfg_exticr[2] = 0x00000000;
++    s->syscfg_exticr[3] = 0x00000000;
++    s->syscfg_cmpcr = 0x00000000;
++}
++
++static void stm32f4xx_syscfg_set_irq(void *opaque, int irq, int level)
++{
++    STM32F4xxSyscfgState *s = opaque;
++    int icrreg = irq / 4;
++    int startbit = (irq & 3) * 4;
++    uint8_t config = config = irq / 16;
++
++    trace_stm32f4xx_syscfg_set_irq(irq / 16, irq % 16, level);
++
++    g_assert(icrreg < SYSCFG_NUM_EXTICR);
++
++    if (extract32(s->syscfg_exticr[icrreg], startbit, 4) == config) {
++        qemu_set_irq(s->gpio_out[irq], level);
++        trace_stm32f4xx_pulse_exti(irq);
++   }
++}
++
++static uint64_t stm32f4xx_syscfg_read(void *opaque, hwaddr addr,
++                                     unsigned int size)
++{
++    STM32F4xxSyscfgState *s = opaque;
++
++    trace_stm32f4xx_syscfg_read(addr);
++
++    switch (addr) {
++    case SYSCFG_MEMRMP:
++        return s->syscfg_memrmp;
++    case SYSCFG_PMC:
++        return s->syscfg_pmc;
++    case SYSCFG_EXTICR1...SYSCFG_EXTICR4:
++        return s->syscfg_exticr[addr / 4 - SYSCFG_EXTICR1 / 4];
++    case SYSCFG_CMPCR:
++        return s->syscfg_cmpcr;
++    default:
++        qemu_log_mask(LOG_GUEST_ERROR,
++                      "%s: Bad offset 0x%"HWADDR_PRIx"\n", __func__, addr);
++        return 0;
++    }
++}
++
++static void stm32f4xx_syscfg_write(void *opaque, hwaddr addr,
++                       uint64_t val64, unsigned int size)
++{
++    STM32F4xxSyscfgState *s = opaque;
++    uint32_t value = val64;
++
++    trace_stm32f4xx_syscfg_write(value, addr);
++
++    switch (addr) {
++    case SYSCFG_MEMRMP:
++        qemu_log_mask(LOG_UNIMP,
++                      "%s: Changing the memory mapping isn't supported " \
++                      "in QEMU\n", __func__);
++        return;
++    case SYSCFG_PMC:
++        qemu_log_mask(LOG_UNIMP,
++                      "%s: Changing the memory mapping isn't supported " \
++                      "in QEMU\n", __func__);
++        return;
++    case SYSCFG_EXTICR1...SYSCFG_EXTICR4:
++        s->syscfg_exticr[addr / 4 - SYSCFG_EXTICR1 / 4] = (value & 0xFFFF);
++        return;
++    case SYSCFG_CMPCR:
++        s->syscfg_cmpcr = value;
++        return;
++    default:
++        qemu_log_mask(LOG_GUEST_ERROR,
++                      "%s: Bad offset 0x%"HWADDR_PRIx"\n", __func__, addr);
++    }
++}
++
++static const MemoryRegionOps stm32f4xx_syscfg_ops = {
++    .read = stm32f4xx_syscfg_read,
++    .write = stm32f4xx_syscfg_write,
++    .endianness = DEVICE_NATIVE_ENDIAN,
++};
++
++static void stm32f4xx_syscfg_init(Object *obj)
++{
++    STM32F4xxSyscfgState *s = STM32F4XX_SYSCFG(obj);
++
++    sysbus_init_irq(SYS_BUS_DEVICE(obj), &s->irq);
++
++    memory_region_init_io(&s->mmio, obj, &stm32f4xx_syscfg_ops, s,
++                          TYPE_STM32F4XX_SYSCFG, 0x400);
++    sysbus_init_mmio(SYS_BUS_DEVICE(obj), &s->mmio);
++
++    qdev_init_gpio_in(DEVICE(obj), stm32f4xx_syscfg_set_irq, 16 * 9);
++    qdev_init_gpio_out(DEVICE(obj), s->gpio_out, 16);
++}
++
++static const VMStateDescription vmstate_stm32f4xx_syscfg = {
++    .name = TYPE_STM32F4XX_SYSCFG,
++    .version_id = 1,
++    .minimum_version_id = 1,
++    .fields = (VMStateField[]) {
++        VMSTATE_UINT32(syscfg_memrmp, STM32F4xxSyscfgState),
++        VMSTATE_UINT32(syscfg_pmc, STM32F4xxSyscfgState),
++        VMSTATE_UINT32_ARRAY(syscfg_exticr, STM32F4xxSyscfgState,
++                             SYSCFG_NUM_EXTICR),
++        VMSTATE_UINT32(syscfg_cmpcr, STM32F4xxSyscfgState),
++        VMSTATE_END_OF_LIST()
++    }
++};
++
++static void stm32f4xx_syscfg_class_init(ObjectClass *klass, void *data)
++{
++    DeviceClass *dc = DEVICE_CLASS(klass);
++
++    dc->reset = stm32f4xx_syscfg_reset;
++    dc->vmsd = &vmstate_stm32f4xx_syscfg;
++}
++
++static const TypeInfo stm32f4xx_syscfg_info = {
++    .name          = TYPE_STM32F4XX_SYSCFG,
++    .parent        = TYPE_SYS_BUS_DEVICE,
++    .instance_size = sizeof(STM32F4xxSyscfgState),
++    .instance_init = stm32f4xx_syscfg_init,
++    .class_init    = stm32f4xx_syscfg_class_init,
++};
++
++static void stm32f4xx_syscfg_register_types(void)
++{
++    type_register_static(&stm32f4xx_syscfg_info);
++}
++
++type_init(stm32f4xx_syscfg_register_types)
+diff --git a/default-configs/arm-softmmu.mak b/default-configs/arm-softmmu.mak
+index XXXXXXX..XXXXXXX 100644
+--- a/default-configs/arm-softmmu.mak
++++ b/default-configs/arm-softmmu.mak
+@@ -XXX,XX +XXX,XX @@ CONFIG_Z2=y
+ CONFIG_COLLIE=y
+ CONFIG_ASPEED_SOC=y
+ CONFIG_NETDUINO2=y
++CONFIG_NETDUINOPLUS2=y
+ CONFIG_MPS2=y
+ CONFIG_RASPI=y
+ CONFIG_DIGIC=y
+diff --git a/hw/arm/Kconfig b/hw/arm/Kconfig
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/Kconfig
++++ b/hw/arm/Kconfig
+@@ -XXX,XX +XXX,XX @@ config NETDUINO2
+     bool
+     select STM32F205_SOC
++config NETDUINOPLUS2
++    bool
++    select STM32F405_SOC
++
+ config NSERIES
+     bool
+     select OMAP
+@@ -XXX,XX +XXX,XX @@ config STM32F205_SOC
+     select STM32F2XX_ADC
+     select STM32F2XX_SPI
++config STM32F405_SOC
++    bool
++    select ARM_V7M
++    select STM32F4XX_SYSCFG
++
+ config XLNX_ZYNQMP_ARM
+     bool
+     select AHCI
+diff --git a/hw/misc/Kconfig b/hw/misc/Kconfig
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/misc/Kconfig
++++ b/hw/misc/Kconfig
+@@ -XXX,XX +XXX,XX @@ config IMX
+ config STM32F2XX_SYSCFG
+     bool
++config STM32F4XX_SYSCFG
++    bool
++
+ config MIPS_ITU
+     bool
+diff --git a/hw/misc/trace-events b/hw/misc/trace-events
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/misc/trace-events
++++ b/hw/misc/trace-events
+@@ -XXX,XX +XXX,XX @@ mos6522_set_sr_int(void) "set sr_int"
+ mos6522_write(uint64_t addr, uint64_t val) "reg=0x%"PRIx64 " val=0x%"PRIx64
+ mos6522_read(uint64_t addr, unsigned val) "reg=0x%"PRIx64 " val=0x%x"
++# stm32f4xx_syscfg
++stm32f4xx_syscfg_set_irq(int gpio, int line, int level) "Interupt: GPIO: %d, Line: %d; Level: %d"
++stm32f4xx_pulse_exti(int irq) "Pulse EXTI: %d"
++stm32f4xx_syscfg_read(uint64_t addr) "reg read: addr: 0x%" PRIx64 " "
++stm32f4xx_syscfg_write(uint64_t addr, uint64_t data) "reg write: addr: 0x%" PRIx64 " val: 0x%" PRIx64 ""
++
+ # tz-mpc.c
+ tz_mpc_reg_read(uint32_t offset, uint64_t data, unsigned size) "TZ MPC regs read: offset 0x%x data 0x%" PRIx64 " size %u"
+ tz_mpc_reg_write(uint32_t offset, uint64_t data, unsigned size) "TZ MPC regs write: offset 0x%x data 0x%" PRIx64 " size %u"
+--
+.20.1

-[Qemu-devel] [PULL 08/10] pl031: Correctly migrate state when using -rtc clock=host
+[PULL 02/15] hw/misc: Add the STM32F4xx EXTI device
-The PL031 RTC tracks the difference between the guest RTC
+From: Alistair Francis <alistair@alistair23.me>
 and the host RTC using a tick_offset field. For migration,
 however, we currently always migrate the offset between
 the guest and the vm_clock, even if the RTC clock is not
 the same as the vm_clock; this was an attempt to retain
 migration backwards compatibility.
-Unfortunately this results in the RTC behaving oddly across
+Signed-off-by: Alistair Francis <alistair@alistair23.me>
-a VM state save and restore -- since the VM clock stands still
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-across save-then-restore, regardless of how much real world
+Message-id: ef941d59fd8658589d34ed432e1d6dfdcf7fb1d0.1576658572.git.alistair@alistair23.me
-time has elapsed, the guest RTC ends up out of sync with the
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-host RTC in the restored VM.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
  hw/misc/Makefile.objs            |   1 +
  include/hw/misc/stm32f4xx_exti.h |  60 ++++++++++
  hw/misc/stm32f4xx_exti.c         | 188 +++++++++++++++++++++++++++++++
  hw/arm/Kconfig                   |   1 +
  hw/misc/Kconfig                  |   3 +
  hw/misc/trace-events             |   5 +
 files changed, 258 insertions(+)
  create mode 100644 include/hw/misc/stm32f4xx_exti.h
  create mode 100644 hw/misc/stm32f4xx_exti.c
-Fix this by migrating the raw tick_offset. To retain migration
+diff --git a/hw/misc/Makefile.objs b/hw/misc/Makefile.objs
 compatibility as far as possible, we have a new property
 migrate-tick-offset; by default this is 'true' and we will
 migrate the true tick offset in a new subsection; if the
 incoming data has no subsection we fall back to the old
 vm_clock-based offset information, so old->new migration
 compatibility is preserved. For complete new->old migration
 compatibility, the property is set to 'false' for 4.0 and
 earlier machine types (this will only affect 'virt-4.0'
 and below, as none of the other pl031-using machines are
 versioned).
 Reported-by: Russell King <rmk@armlinux.org.uk>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
 Message-id: 20190709143912.28905-1-peter.maydell@linaro.org
 ---
  include/hw/timer/pl031.h |  2 +
  hw/core/machine.c        |  1 +
  hw/timer/pl031.c         | 92 ++++++++++++++++++++++++++++++++++++++--
 files changed, 91 insertions(+), 4 deletions(-)
 diff --git a/include/hw/timer/pl031.h b/include/hw/timer/pl031.h
 index XXXXXXX..XXXXXXX 100644
---- a/include/hw/timer/pl031.h
+--- a/hw/misc/Makefile.objs
-+++ b/include/hw/timer/pl031.h
++++ b/hw/misc/Makefile.objs
-@@ -XXX,XX +XXX,XX @@ typedef struct PL031State {
+@@ -XXX,XX +XXX,XX @@ common-obj-$(CONFIG_ZYNQ) += zynq_slcr.o
-      */
+ common-obj-$(CONFIG_ZYNQ) += zynq-xadc.o
-     uint32_t tick_offset_vmstate;
+ common-obj-$(CONFIG_STM32F2XX_SYSCFG) += stm32f2xx_syscfg.o
-     uint32_t tick_offset;
+ common-obj-$(CONFIG_STM32F4XX_SYSCFG) += stm32f4xx_syscfg.o
-+    bool tick_offset_migrated;
++common-obj-$(CONFIG_STM32F4XX_EXTI) += stm32f4xx_exti.o
-+    bool migrate_tick_offset;
+ obj-$(CONFIG_MIPS_CPS) += mips_cmgcr.o
+ obj-$(CONFIG_MIPS_CPS) += mips_cpc.o
-     uint32_t mr;
+ obj-$(CONFIG_MIPS_ITU) += mips_itu.o
-     uint32_t lr;
+diff --git a/include/hw/misc/stm32f4xx_exti.h b/include/hw/misc/stm32f4xx_exti.h
-diff --git a/hw/core/machine.c b/hw/core/machine.c
+new file mode 100644
-index XXXXXXX..XXXXXXX 100644
+index XXXXXXX..XXXXXXX
---- a/hw/core/machine.c
+--- /dev/null
-+++ b/hw/core/machine.c
++++ b/include/hw/misc/stm32f4xx_exti.h
-@@ -XXX,XX +XXX,XX @@ GlobalProperty hw_compat_4_0[] = {
+@@ -XXX,XX +XXX,XX @@
-     { "virtio-gpu-pci", "edid", "false" },
++/*
-     { "virtio-device", "use-started", "false" },
++ * STM32F4XX EXTI
-     { "virtio-balloon-device", "qemu-4-0-config-size", "true" },
++ *
-+    { "pl031", "migrate-tick-offset", "false" },
++ * Copyright (c) 2014 Alistair Francis <alistair@alistair23.me>
- };
++ *
- const size_t hw_compat_4_0_len = G_N_ELEMENTS(hw_compat_4_0);
++ * Permission is hereby granted, free of charge, to any person obtaining a copy
++ * of this software and associated documentation files (the "Software"), to deal
-diff --git a/hw/timer/pl031.c b/hw/timer/pl031.c
++ * in the Software without restriction, including without limitation the rights
-index XXXXXXX..XXXXXXX 100644
++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
---- a/hw/timer/pl031.c
++ * copies of the Software, and to permit persons to whom the Software is
-+++ b/hw/timer/pl031.c
++ * furnished to do so, subject to the following conditions:
-@@ -XXX,XX +XXX,XX @@ static int pl031_pre_save(void *opaque)
++ *
- {
++ * The above copyright notice and this permission notice shall be included in
-     PL031State *s = opaque;
++ * all copies or substantial portions of the Software.
++ *
--    /* tick_offset is base_time - rtc_clock base time.  Instead, we want to
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
--     * store the base time relative to the QEMU_CLOCK_VIRTUAL for backwards-compatibility.  */
++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-+    /*
++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-+     * The PL031 device model code uses the tick_offset field, which is
++ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-+     * the offset between what the guest RTC should read and what the
++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-+     * QEMU rtc_clock reads:
++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-+     *  guest_rtc = rtc_clock + tick_offset
++ * THE SOFTWARE.
-+     * and so
++ */
-+     *  tick_offset = guest_rtc - rtc_clock
++
-+     *
++#ifndef HW_STM_EXTI_H
-+     * We want to migrate this offset, which sounds straightforward.
++#define HW_STM_EXTI_H
-+     * Unfortunately older versions of QEMU migrated a conversion of this
++
-+     * offset into an offset from the vm_clock. (This was in turn an
++#include "hw/sysbus.h"
-+     * attempt to be compatible with even older QEMU versions, but it
++#include "hw/hw.h"
-+     * has incorrect behaviour if the rtc_clock is not the same as the
++
-+     * vm_clock.) So we put the actual tick_offset into a migration
++#define EXTI_IMR   0x00
-+     * subsection, and the backwards-compatible time-relative-to-vm_clock
++#define EXTI_EMR   0x04
-+     * in the main migration state.
++#define EXTI_RTSR  0x08
-+     *
++#define EXTI_FTSR  0x0C
-+     * Calculate base time relative to QEMU_CLOCK_VIRTUAL:
++#define EXTI_SWIER 0x10
-+     */
++#define EXTI_PR    0x14
-     int64_t delta = qemu_clock_get_ns(rtc_clock) - qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
++
-     s->tick_offset_vmstate = s->tick_offset + delta / NANOSECONDS_PER_SECOND;
++#define TYPE_STM32F4XX_EXTI "stm32f4xx-exti"
++#define STM32F4XX_EXTI(obj) \
-     return 0;
++    OBJECT_CHECK(STM32F4xxExtiState, (obj), TYPE_STM32F4XX_EXTI)
- }
++
++#define NUM_GPIO_EVENT_IN_LINES 16
-+static int pl031_pre_load(void *opaque)
++#define NUM_INTERRUPT_OUT_LINES 16
-+{
++
-+    PL031State *s = opaque;
++typedef struct {
-+
++    SysBusDevice parent_obj;
-+    s->tick_offset_migrated = false;
++
 +    MemoryRegion mmio;
 +
 +    uint32_t exti_imr;
 +    uint32_t exti_emr;
 +    uint32_t exti_rtsr;
 +    uint32_t exti_ftsr;
 +    uint32_t exti_swier;
 +    uint32_t exti_pr;
 +
 +    qemu_irq irq[NUM_INTERRUPT_OUT_LINES];
 +} STM32F4xxExtiState;
 +
 +#endif
 diff --git a/hw/misc/stm32f4xx_exti.c b/hw/misc/stm32f4xx_exti.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/hw/misc/stm32f4xx_exti.c
@@ -XXX,XX +XXX,XX @@
 +/*
 + * STM32F4XX EXTI
 + *
 + * Copyright (c) 2014 Alistair Francis <alistair@alistair23.me>
 + *
 + * Permission is hereby granted, free of charge, to any person obtaining a copy
 + * of this software and associated documentation files (the "Software"), to deal
 + * in the Software without restriction, including without limitation the rights
 + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 + * copies of the Software, and to permit persons to whom the Software is
 + * furnished to do so, subject to the following conditions:
 + *
 + * The above copyright notice and this permission notice shall be included in
 + * all copies or substantial portions of the Software.
 + *
 + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
 + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 + * THE SOFTWARE.
 + */
 +
 +#include "qemu/osdep.h"
 +#include "qemu/log.h"
 +#include "trace.h"
 +#include "hw/irq.h"
 +#include "migration/vmstate.h"
 +#include "hw/misc/stm32f4xx_exti.h"
 +
 +static void stm32f4xx_exti_reset(DeviceState *dev)
 +{
 +    STM32F4xxExtiState *s = STM32F4XX_EXTI(dev);
 +
 +    s->exti_imr = 0x00000000;
 +    s->exti_emr = 0x00000000;
 +    s->exti_rtsr = 0x00000000;
 +    s->exti_ftsr = 0x00000000;
 +    s->exti_swier = 0x00000000;
 +    s->exti_pr = 0x00000000;
 +}
 +
 +static void stm32f4xx_exti_set_irq(void *opaque, int irq, int level)
 +{
 +    STM32F4xxExtiState *s = opaque;
 +
 +    trace_stm32f4xx_exti_set_irq(irq, level);
 +
 +    if (((1 << irq) & s->exti_rtsr) && level) {
 +        /* Rising Edge */
 +        s->exti_pr |= 1 << irq;
 +    }
 +
 +    if (((1 << irq) & s->exti_ftsr) && !level) {
 +        /* Falling Edge */
 +        s->exti_pr |= 1 << irq;
 +    }
 +
 +    if (!((1 << irq) & s->exti_imr)) {
 +        /* Interrupt is masked */
 +        return;
 +    }
 +    qemu_irq_pulse(s->irq[irq]);
 +}
 +
 +static uint64_t stm32f4xx_exti_read(void *opaque, hwaddr addr,
 +                                     unsigned int size)
 +{
 +    STM32F4xxExtiState *s = opaque;
 +
 +    trace_stm32f4xx_exti_read(addr);
 +
 +    switch (addr) {
 +    case EXTI_IMR:
 +        return s->exti_imr;
 +    case EXTI_EMR:
 +        return s->exti_emr;
 +    case EXTI_RTSR:
 +        return s->exti_rtsr;
 +    case EXTI_FTSR:
 +        return s->exti_ftsr;
 +    case EXTI_SWIER:
 +        return s->exti_swier;
 +    case EXTI_PR:
 +        return s->exti_pr;
 +    default:
 +        qemu_log_mask(LOG_GUEST_ERROR,
 +                      "STM32F4XX_exti_read: Bad offset %x\n", (int)addr);
 +        return 0;
 +    }
 +    return 0;
 +}
 +
- static int pl031_post_load(void *opaque, int version_id)
++static void stm32f4xx_exti_write(void *opaque, hwaddr addr,
- {
++                       uint64_t val64, unsigned int size)
-     PL031State *s = opaque;
++{
++    STM32F4xxExtiState *s = opaque;
--    int64_t delta = qemu_clock_get_ns(rtc_clock) - qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
++    uint32_t value = (uint32_t) val64;
--    s->tick_offset = s->tick_offset_vmstate - delta / NANOSECONDS_PER_SECOND;
++
-+    /*
++    trace_stm32f4xx_exti_write(addr, value);
-+     * If we got the tick_offset subsection, then we can just use
++
-+     * the value in that. Otherwise the source is an older QEMU and
++    switch (addr) {
-+     * has given us the offset from the vm_clock; convert it back to
++    case EXTI_IMR:
-+     * an offset from the rtc_clock. This will cause time to incorrectly
++        s->exti_imr = value;
-+     * go backwards compared to the host RTC, but this is unavoidable.
++        return;
-+     */
++    case EXTI_EMR:
-+
++        s->exti_emr = value;
-+    if (!s->tick_offset_migrated) {
++        return;
-+        int64_t delta = qemu_clock_get_ns(rtc_clock) -
++    case EXTI_RTSR:
-+            qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
++        s->exti_rtsr = value;
-+        s->tick_offset = s->tick_offset_vmstate -
++        return;
-+            delta / NANOSECONDS_PER_SECOND;
++    case EXTI_FTSR:
-+    }
++        s->exti_ftsr = value;
-     pl031_set_alarm(s);
++        return;
-     return 0;
++    case EXTI_SWIER:
- }
++        s->exti_swier = value;
++        return;
-+static int pl031_tick_offset_post_load(void *opaque, int version_id)
++    case EXTI_PR:
-+{
++        /* This bit is cleared by writing a 1 to it */
-+    PL031State *s = opaque;
++        s->exti_pr &= ~value;
-+
++        return;
-+    s->tick_offset_migrated = true;
++    default:
-+    return 0;
++        qemu_log_mask(LOG_GUEST_ERROR,
-+}
++                      "STM32F4XX_exti_write: Bad offset %x\n", (int)addr);
-+
++    }
-+static bool pl031_tick_offset_needed(void *opaque)
++}
-+{
++
-+    PL031State *s = opaque;
++static const MemoryRegionOps stm32f4xx_exti_ops = {
-+
++    .read = stm32f4xx_exti_read,
-+    return s->migrate_tick_offset;
++    .write = stm32f4xx_exti_write,
-+}
++    .endianness = DEVICE_NATIVE_ENDIAN,
-+
++};
-+static const VMStateDescription vmstate_pl031_tick_offset = {
++
-+    .name = "pl031/tick-offset",
++static void stm32f4xx_exti_init(Object *obj)
 +{
 +    STM32F4xxExtiState *s = STM32F4XX_EXTI(obj);
 +    int i;
 +
 +    for (i = 0; i < NUM_INTERRUPT_OUT_LINES; i++) {
 +        sysbus_init_irq(SYS_BUS_DEVICE(obj), &s->irq[i]);
 +    }
 +
 +    memory_region_init_io(&s->mmio, obj, &stm32f4xx_exti_ops, s,
 +                          TYPE_STM32F4XX_EXTI, 0x400);
 +    sysbus_init_mmio(SYS_BUS_DEVICE(obj), &s->mmio);
 +
 +    qdev_init_gpio_in(DEVICE(obj), stm32f4xx_exti_set_irq,
 +                      NUM_GPIO_EVENT_IN_LINES);
 +}
 +
 +static const VMStateDescription vmstate_stm32f4xx_exti = {
 +    .name = TYPE_STM32F4XX_EXTI,
 +    .version_id = 1,
 +    .minimum_version_id = 1,
-+    .needed = pl031_tick_offset_needed,
-+    .post_load = pl031_tick_offset_post_load,
 +    .fields = (VMStateField[]) {
-+        VMSTATE_UINT32(tick_offset, PL031State),
++        VMSTATE_UINT32(exti_imr, STM32F4xxExtiState),
 +        VMSTATE_UINT32(exti_emr, STM32F4xxExtiState),
 +        VMSTATE_UINT32(exti_rtsr, STM32F4xxExtiState),
 +        VMSTATE_UINT32(exti_ftsr, STM32F4xxExtiState),
 +        VMSTATE_UINT32(exti_swier, STM32F4xxExtiState),
 +        VMSTATE_UINT32(exti_pr, STM32F4xxExtiState),
 +        VMSTATE_END_OF_LIST()
 +    }
 +};
 +
- static const VMStateDescription vmstate_pl031 = {
++static void stm32f4xx_exti_class_init(ObjectClass *klass, void *data)
-     .name = "pl031",
++{
-     .version_id = 1,
++    DeviceClass *dc = DEVICE_CLASS(klass);
-     .minimum_version_id = 1,
++
-     .pre_save = pl031_pre_save,
++    dc->reset = stm32f4xx_exti_reset;
-+    .pre_load = pl031_pre_load,
++    dc->vmsd = &vmstate_stm32f4xx_exti;
-     .post_load = pl031_post_load,
++}
-     .fields = (VMStateField[]) {
++
-         VMSTATE_UINT32(tick_offset_vmstate, PL031State),
++static const TypeInfo stm32f4xx_exti_info = {
-@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_pl031 = {
++    .name          = TYPE_STM32F4XX_EXTI,
-         VMSTATE_UINT32(im, PL031State),
++    .parent        = TYPE_SYS_BUS_DEVICE,
-         VMSTATE_UINT32(is, PL031State),
++    .instance_size = sizeof(STM32F4xxExtiState),
-         VMSTATE_END_OF_LIST()
++    .instance_init = stm32f4xx_exti_init,
-+    },
++    .class_init    = stm32f4xx_exti_class_init,
 +    .subsections = (const VMStateDescription*[]) {
 +        &vmstate_pl031_tick_offset,
 +        NULL
      }
  };
 +static Property pl031_properties[] = {
 +    /*
 +     * True to correctly migrate the tick offset of the RTC. False to
 +     * obtain backward migration compatibility with older QEMU versions,
 +     * at the expense of the guest RTC going backwards compared with the
 +     * host RTC when the VM is saved/restored if using -rtc host.
 +     * (Even if set to 'true' older QEMU can migrate forward to newer QEMU;
 +     * 'false' also permits newer QEMU to migrate to older QEMU.)
 +     */
 +    DEFINE_PROP_BOOL("migrate-tick-offset",
 +                     PL031State, migrate_tick_offset, true),
 +    DEFINE_PROP_END_OF_LIST()
 +};
 +
- static void pl031_class_init(ObjectClass *klass, void *data)
++static void stm32f4xx_exti_register_types(void)
- {
++{
-     DeviceClass *dc = DEVICE_CLASS(klass);
++    type_register_static(&stm32f4xx_exti_info);
++}
-     dc->vmsd = &vmstate_pl031;
++
-+    dc->props = pl031_properties;
++type_init(stm32f4xx_exti_register_types)
- }
+diff --git a/hw/arm/Kconfig b/hw/arm/Kconfig
+index XXXXXXX..XXXXXXX 100644
- static const TypeInfo pl031_info = {
+--- a/hw/arm/Kconfig
 +++ b/hw/arm/Kconfig
@@ -XXX,XX +XXX,XX @@ config STM32F405_SOC
      bool
      select ARM_V7M
      select STM32F4XX_SYSCFG
 +    select STM32F4XX_EXTI
  config XLNX_ZYNQMP_ARM
      bool
 diff --git a/hw/misc/Kconfig b/hw/misc/Kconfig
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/misc/Kconfig
 +++ b/hw/misc/Kconfig
@@ -XXX,XX +XXX,XX @@ config STM32F2XX_SYSCFG
  config STM32F4XX_SYSCFG
      bool
 +config STM32F4XX_EXTI
 +    bool
 +
  config MIPS_ITU
      bool
 diff --git a/hw/misc/trace-events b/hw/misc/trace-events
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/misc/trace-events
 +++ b/hw/misc/trace-events
@@ -XXX,XX +XXX,XX @@ stm32f4xx_pulse_exti(int irq) "Pulse EXTI: %d"
  stm32f4xx_syscfg_read(uint64_t addr) "reg read: addr: 0x%" PRIx64 " "
  stm32f4xx_syscfg_write(uint64_t addr, uint64_t data) "reg write: addr: 0x%" PRIx64 " val: 0x%" PRIx64 ""
 +# stm32f4xx_exti
 +stm32f4xx_exti_set_irq(int irq, int leve) "Set EXTI: %d to %d"
 +stm32f4xx_exti_read(uint64_t addr) "reg read: addr: 0x%" PRIx64 " "
 +stm32f4xx_exti_write(uint64_t addr, uint64_t data) "reg write: addr: 0x%" PRIx64 " val: 0x%" PRIx64 ""
 +
  # tz-mpc.c
  tz_mpc_reg_read(uint32_t offset, uint64_t data, unsigned size) "TZ MPC regs read: offset 0x%x data 0x%" PRIx64 " size %u"
  tz_mpc_reg_write(uint32_t offset, uint64_t data, unsigned size) "TZ MPC regs write: offset 0x%x data 0x%" PRIx64 " size %u"
 --
 .20.1

-[Qemu-devel] [PULL 10/10] target/arm: NS BusFault on vector table fetch escalates to NS HardFault
+[PULL 03/15] hw/arm: Add the STM32F4xx SoC
-In the M-profile architecture, when we do a vector table fetch and it
+From: Alistair Francis <alistair@alistair23.me>
 fails, we need to report a HardFault.  Whether this is a Secure HF or
 a NonSecure HF depends on several things.  If AIRCR.BFHFNMINS is 0
 then HF is always Secure, because there is no NonSecure HardFault.
 Otherwise, the answer depends on whether the 'underlying exception'
 (MemManage, BusFault, SecureFault) targets Secure or NonSecure.  (In
 the pseudocode, this is handled in the Vector() function: the final
 exc.isSecure is calculated by looking at the exc.isSecure from the
 exception returned from the memory access, not the isSecure input
 argument.)
-We weren't doing this correctly, because we were looking at
+Signed-off-by: Alistair Francis <alistair@alistair23.me>
-the target security domain of the exception we were trying to
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-load the vector table entry for. This produces errors of two kinds:
+Message-id: 1d145c4c13e5fa140caf131232a6f524c88fcd72.1576658572.git.alistair@alistair23.me
- * a load from the NS vector table which hits the "NS access
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-   to S memory" SecureFault should end up as a Secure HardFault,
+---
-   but we were raising an NS HardFault
+ hw/arm/Makefile.objs           |   1 +
- * a load from the S vector table which causes a BusFault
+ include/hw/arm/stm32f405_soc.h |  73 ++++++++
-   should raise an NS HardFault if BFHFNMINS == 1 (because
+ hw/arm/stm32f405_soc.c         | 302 +++++++++++++++++++++++++++++++++
-   in that case all BusFaults are NonSecure), but we were raising
+ MAINTAINERS                    |   8 +
-   a Secure HardFault
+files changed, 384 insertions(+)
  create mode 100644 include/hw/arm/stm32f405_soc.h
  create mode 100644 hw/arm/stm32f405_soc.c
-Correct the logic.
+diff --git a/hw/arm/Makefile.objs b/hw/arm/Makefile.objs
 We also fix a comment error where we claimed that we might
 be escalating MemManage to HardFault, and forgot about SecureFault.
 (Vector loads can never hit MPU access faults, because they're
 always aligned and always use the default address map.)
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Message-id: 20190705094823.28905-1-peter.maydell@linaro.org
 ---
  target/arm/m_helper.c | 21 +++++++++++++++++----
 file changed, 17 insertions(+), 4 deletions(-)
 diff --git a/target/arm/m_helper.c b/target/arm/m_helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/m_helper.c
+--- a/hw/arm/Makefile.objs
-+++ b/target/arm/m_helper.c
++++ b/hw/arm/Makefile.objs
-@@ -XXX,XX +XXX,XX @@ static bool arm_v7m_load_vector(ARMCPU *cpu, int exc, bool targets_secure,
+@@ -XXX,XX +XXX,XX @@ obj-$(CONFIG_STRONGARM) += strongarm.o
-         if (sattrs.ns) {
+ obj-$(CONFIG_ALLWINNER_A10) += allwinner-a10.o cubieboard.o
-             attrs.secure = false;
+ obj-$(CONFIG_RASPI) += bcm2835_peripherals.o bcm2836.o raspi.o
-         } else if (!targets_secure) {
+ obj-$(CONFIG_STM32F205_SOC) += stm32f205_soc.o
--            /* NS access to S memory */
++obj-$(CONFIG_STM32F405_SOC) += stm32f405_soc.o
-+            /*
+ obj-$(CONFIG_XLNX_ZYNQMP_ARM) += xlnx-zynqmp.o xlnx-zcu102.o
-+             * NS access to S memory: the underlying exception which we escalate
+ obj-$(CONFIG_XLNX_VERSAL) += xlnx-versal.o xlnx-versal-virt.o
-+             * to HardFault is SecureFault, which always targets Secure.
+ obj-$(CONFIG_FSL_IMX25) += fsl-imx25.o imx25_pdk.o
-+             */
+diff --git a/include/hw/arm/stm32f405_soc.h b/include/hw/arm/stm32f405_soc.h
-+            exc_secure = true;
+new file mode 100644
-             goto load_fail;
+index XXXXXXX..XXXXXXX
-         }
+--- /dev/null
-     }
++++ b/include/hw/arm/stm32f405_soc.h
-@@ -XXX,XX +XXX,XX @@ static bool arm_v7m_load_vector(ARMCPU *cpu, int exc, bool targets_secure,
+@@ -XXX,XX +XXX,XX @@
-     vector_entry = address_space_ldl(arm_addressspace(cs, attrs), addr,
++/*
-                                      attrs, &result);
++ * STM32F405 SoC
-     if (result != MEMTX_OK) {
++ *
-+        /*
++ * Copyright (c) 2014 Alistair Francis <alistair@alistair23.me>
-+         * Underlying exception is BusFault: its target security state
++ *
-+         * depends on BFHFNMINS.
++ * Permission is hereby granted, free of charge, to any person obtaining a copy
-+         */
++ * of this software and associated documentation files (the "Software"), to deal
-+        exc_secure = !(cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK);
++ * in the Software without restriction, including without limitation the rights
-         goto load_fail;
++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-     }
++ * copies of the Software, and to permit persons to whom the Software is
-     *pvec = vector_entry;
++ * furnished to do so, subject to the following conditions:
-@@ -XXX,XX +XXX,XX @@ load_fail:
++ *
-     /*
++ * The above copyright notice and this permission notice shall be included in
-      * All vector table fetch fails are reported as HardFault, with
++ * all copies or substantial portions of the Software.
-      * HFSR.VECTTBL and .FORCED set. (FORCED is set because
++ *
--     * technically the underlying exception is a MemManage or BusFault
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-+     * technically the underlying exception is a SecureFault or BusFault
++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-      * that is escalated to HardFault.) This is a terminal exception,
++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-      * so we will either take the HardFault immediately or else enter
++ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-      * lockup (the latter case is handled in armv7m_nvic_set_pending_derived()).
++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-+     * The HardFault is Secure if BFHFNMINS is 0 (meaning that all HFs are
++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-+     * secure); otherwise it targets the same security state as the
++ * THE SOFTWARE.
-+     * underlying exception.
++ */
-      */
++
--    exc_secure = targets_secure ||
++#ifndef HW_ARM_STM32F405_SOC_H
--        !(cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK);
++#define HW_ARM_STM32F405_SOC_H
-+    if (!(cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK)) {
++
-+        exc_secure = true;
++#include "hw/misc/stm32f4xx_syscfg.h"
-+    }
++#include "hw/timer/stm32f2xx_timer.h"
-     env->v7m.hfsr |= R_V7M_HFSR_VECTTBL_MASK | R_V7M_HFSR_FORCED_MASK;
++#include "hw/char/stm32f2xx_usart.h"
-     armv7m_nvic_set_pending_derived(env->nvic, ARMV7M_EXCP_HARD, exc_secure);
++#include "hw/adc/stm32f2xx_adc.h"
-     return false;
++#include "hw/misc/stm32f4xx_exti.h"
 +#include "hw/or-irq.h"
 +#include "hw/ssi/stm32f2xx_spi.h"
 +#include "hw/arm/armv7m.h"
 +
 +#define TYPE_STM32F405_SOC "stm32f405-soc"
 +#define STM32F405_SOC(obj) \
 +    OBJECT_CHECK(STM32F405State, (obj), TYPE_STM32F405_SOC)
 +
 +#define STM_NUM_USARTS 7
 +#define STM_NUM_TIMERS 4
 +#define STM_NUM_ADCS 6
 +#define STM_NUM_SPIS 6
 +
 +#define FLASH_BASE_ADDRESS 0x08000000
 +#define FLASH_SIZE (1024 * 1024)
 +#define SRAM_BASE_ADDRESS 0x20000000
 +#define SRAM_SIZE (192 * 1024)
 +
 +typedef struct STM32F405State {
 +    /*< private >*/
 +    SysBusDevice parent_obj;
 +    /*< public >*/
 +
 +    char *cpu_type;
 +
 +    ARMv7MState armv7m;
 +
 +    STM32F4xxSyscfgState syscfg;
 +    STM32F4xxExtiState exti;
 +    STM32F2XXUsartState usart[STM_NUM_USARTS];
 +    STM32F2XXTimerState timer[STM_NUM_TIMERS];
 +    qemu_or_irq adc_irqs;
 +    STM32F2XXADCState adc[STM_NUM_ADCS];
 +    STM32F2XXSPIState spi[STM_NUM_SPIS];
 +
 +    MemoryRegion sram;
 +    MemoryRegion flash;
 +    MemoryRegion flash_alias;
 +} STM32F405State;
 +
 +#endif
 diff --git a/hw/arm/stm32f405_soc.c b/hw/arm/stm32f405_soc.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/hw/arm/stm32f405_soc.c
@@ -XXX,XX +XXX,XX @@
 +/*
 + * STM32F405 SoC
 + *
 + * Copyright (c) 2014 Alistair Francis <alistair@alistair23.me>
 + *
 + * Permission is hereby granted, free of charge, to any person obtaining a copy
 + * of this software and associated documentation files (the "Software"), to deal
 + * in the Software without restriction, including without limitation the rights
 + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 + * copies of the Software, and to permit persons to whom the Software is
 + * furnished to do so, subject to the following conditions:
 + *
 + * The above copyright notice and this permission notice shall be included in
 + * all copies or substantial portions of the Software.
 + *
 + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
 + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 + * THE SOFTWARE.
 + */
 +
 +#include "qemu/osdep.h"
 +#include "qapi/error.h"
 +#include "qemu-common.h"
 +#include "exec/address-spaces.h"
 +#include "sysemu/sysemu.h"
 +#include "hw/arm/stm32f405_soc.h"
 +#include "hw/misc/unimp.h"
 +
 +#define SYSCFG_ADD                     0x40013800
 +static const uint32_t usart_addr[] = { 0x40011000, 0x40004400, 0x40004800,
 +                                       0x40004C00, 0x40005000, 0x40011400,
 +                                       0x40007800, 0x40007C00 };
 +/* At the moment only Timer 2 to 5 are modelled */
 +static const uint32_t timer_addr[] = { 0x40000000, 0x40000400,
 +                                       0x40000800, 0x40000C00 };
 +#define ADC_ADDR                       0x40012000
 +static const uint32_t spi_addr[] =   { 0x40013000, 0x40003800, 0x40003C00,
 +                                       0x40013400, 0x40015000, 0x40015400 };
 +#define EXTI_ADDR                      0x40013C00
 +
 +#define SYSCFG_IRQ               71
 +static const int usart_irq[] = { 37, 38, 39, 52, 53, 71, 82, 83 };
 +static const int timer_irq[] = { 28, 29, 30, 50 };
 +#define ADC_IRQ 18
 +static const int spi_irq[] =   { 35, 36, 51, 0, 0, 0 };
 +static const int exti_irq[] =  { 6, 7, 8, 9, 10, 23, 23, 23, 23, 23, 40,
 +                                 40, 40, 40, 40, 40} ;
 +
 +
 +static void stm32f405_soc_initfn(Object *obj)
 +{
 +    STM32F405State *s = STM32F405_SOC(obj);
 +    int i;
 +
 +    sysbus_init_child_obj(obj, "armv7m", &s->armv7m, sizeof(s->armv7m),
 +                          TYPE_ARMV7M);
 +
 +    sysbus_init_child_obj(obj, "syscfg", &s->syscfg, sizeof(s->syscfg),
 +                          TYPE_STM32F4XX_SYSCFG);
 +
 +    for (i = 0; i < STM_NUM_USARTS; i++) {
 +        sysbus_init_child_obj(obj, "usart[*]", &s->usart[i],
 +                              sizeof(s->usart[i]), TYPE_STM32F2XX_USART);
 +    }
 +
 +    for (i = 0; i < STM_NUM_TIMERS; i++) {
 +        sysbus_init_child_obj(obj, "timer[*]", &s->timer[i],
 +                              sizeof(s->timer[i]), TYPE_STM32F2XX_TIMER);
 +    }
 +
 +    for (i = 0; i < STM_NUM_ADCS; i++) {
 +        sysbus_init_child_obj(obj, "adc[*]", &s->adc[i], sizeof(s->adc[i]),
 +                              TYPE_STM32F2XX_ADC);
 +    }
 +
 +    for (i = 0; i < STM_NUM_SPIS; i++) {
 +        sysbus_init_child_obj(obj, "spi[*]", &s->spi[i], sizeof(s->spi[i]),
 +                              TYPE_STM32F2XX_SPI);
 +    }
 +
 +    sysbus_init_child_obj(obj, "exti", &s->exti, sizeof(s->exti),
 +                          TYPE_STM32F4XX_EXTI);
 +}
 +
 +static void stm32f405_soc_realize(DeviceState *dev_soc, Error **errp)
 +{
 +    STM32F405State *s = STM32F405_SOC(dev_soc);
 +    MemoryRegion *system_memory = get_system_memory();
 +    DeviceState *dev, *armv7m;
 +    SysBusDevice *busdev;
 +    Error *err = NULL;
 +    int i;
 +
 +    memory_region_init_ram(&s->flash, NULL, "STM32F405.flash", FLASH_SIZE,
 +                           &err);
 +    if (err != NULL) {
 +        error_propagate(errp, err);
 +        return;
 +    }
 +    memory_region_init_alias(&s->flash_alias, NULL, "STM32F405.flash.alias",
 +                             &s->flash, 0, FLASH_SIZE);
 +
 +    memory_region_set_readonly(&s->flash, true);
 +    memory_region_set_readonly(&s->flash_alias, true);
 +
 +    memory_region_add_subregion(system_memory, FLASH_BASE_ADDRESS, &s->flash);
 +    memory_region_add_subregion(system_memory, 0, &s->flash_alias);
 +
 +    memory_region_init_ram(&s->sram, NULL, "STM32F405.sram", SRAM_SIZE,
 +                           &err);
 +    if (err != NULL) {
 +        error_propagate(errp, err);
 +        return;
 +    }
 +    memory_region_add_subregion(system_memory, SRAM_BASE_ADDRESS, &s->sram);
 +
 +    armv7m = DEVICE(&s->armv7m);
 +    qdev_prop_set_uint32(armv7m, "num-irq", 96);
 +    qdev_prop_set_string(armv7m, "cpu-type", s->cpu_type);
 +    qdev_prop_set_bit(armv7m, "enable-bitband", true);
 +    object_property_set_link(OBJECT(&s->armv7m), OBJECT(system_memory),
 +                                     "memory", &error_abort);
 +    object_property_set_bool(OBJECT(&s->armv7m), true, "realized", &err);
 +    if (err != NULL) {
 +        error_propagate(errp, err);
 +        return;
 +    }
 +
 +    /* System configuration controller */
 +    dev = DEVICE(&s->syscfg);
 +    object_property_set_bool(OBJECT(&s->syscfg), true, "realized", &err);
 +    if (err != NULL) {
 +        error_propagate(errp, err);
 +        return;
 +    }
 +    busdev = SYS_BUS_DEVICE(dev);
 +    sysbus_mmio_map(busdev, 0, SYSCFG_ADD);
 +    sysbus_connect_irq(busdev, 0, qdev_get_gpio_in(armv7m, SYSCFG_IRQ));
 +
 +    /* Attach UART (uses USART registers) and USART controllers */
 +    for (i = 0; i < STM_NUM_USARTS; i++) {
 +        dev = DEVICE(&(s->usart[i]));
 +        qdev_prop_set_chr(dev, "chardev", serial_hd(i));
 +        object_property_set_bool(OBJECT(&s->usart[i]), true, "realized", &err);
 +        if (err != NULL) {
 +            error_propagate(errp, err);
 +            return;
 +        }
 +        busdev = SYS_BUS_DEVICE(dev);
 +        sysbus_mmio_map(busdev, 0, usart_addr[i]);
 +        sysbus_connect_irq(busdev, 0, qdev_get_gpio_in(armv7m, usart_irq[i]));
 +    }
 +
 +    /* Timer 2 to 5 */
 +    for (i = 0; i < STM_NUM_TIMERS; i++) {
 +        dev = DEVICE(&(s->timer[i]));
 +        qdev_prop_set_uint64(dev, "clock-frequency", 1000000000);
 +        object_property_set_bool(OBJECT(&s->timer[i]), true, "realized", &err);
 +        if (err != NULL) {
 +            error_propagate(errp, err);
 +            return;
 +        }
 +        busdev = SYS_BUS_DEVICE(dev);
 +        sysbus_mmio_map(busdev, 0, timer_addr[i]);
 +        sysbus_connect_irq(busdev, 0, qdev_get_gpio_in(armv7m, timer_irq[i]));
 +    }
 +
 +    /* ADC device, the IRQs are ORed together */
 +    object_initialize_child(OBJECT(s), "adc-orirq", &s->adc_irqs,
 +                            sizeof(s->adc_irqs), TYPE_OR_IRQ,
 +                            &err, NULL);
 +    if (err != NULL) {
 +        error_propagate(errp, err);
 +        return;
 +    }
 +    object_property_set_int(OBJECT(&s->adc_irqs), STM_NUM_ADCS,
 +                            "num-lines", &err);
 +    object_property_set_bool(OBJECT(&s->adc_irqs), true, "realized", &err);
 +    if (err != NULL) {
 +        error_propagate(errp, err);
 +        return;
 +    }
 +    qdev_connect_gpio_out(DEVICE(&s->adc_irqs), 0,
 +                          qdev_get_gpio_in(armv7m, ADC_IRQ));
 +
 +    dev = DEVICE(&(s->adc[i]));
 +    object_property_set_bool(OBJECT(&s->adc[i]), true, "realized", &err);
 +    if (err != NULL) {
 +        error_propagate(errp, err);
 +        return;
 +    }
 +    busdev = SYS_BUS_DEVICE(dev);
 +    sysbus_mmio_map(busdev, 0, ADC_ADDR);
 +    sysbus_connect_irq(busdev, 0,
 +                       qdev_get_gpio_in(DEVICE(&s->adc_irqs), i));
 +
 +    /* SPI devices */
 +    for (i = 0; i < STM_NUM_SPIS; i++) {
 +        dev = DEVICE(&(s->spi[i]));
 +        object_property_set_bool(OBJECT(&s->spi[i]), true, "realized", &err);
 +        if (err != NULL) {
 +            error_propagate(errp, err);
 +            return;
 +        }
 +        busdev = SYS_BUS_DEVICE(dev);
 +        sysbus_mmio_map(busdev, 0, spi_addr[i]);
 +        sysbus_connect_irq(busdev, 0, qdev_get_gpio_in(armv7m, spi_irq[i]));
 +    }
 +
 +    /* EXTI device */
 +    dev = DEVICE(&s->exti);
 +    object_property_set_bool(OBJECT(&s->exti), true, "realized", &err);
 +    if (err != NULL) {
 +        error_propagate(errp, err);
 +        return;
 +    }
 +    busdev = SYS_BUS_DEVICE(dev);
 +    sysbus_mmio_map(busdev, 0, EXTI_ADDR);
 +    for (i = 0; i < 16; i++) {
 +        sysbus_connect_irq(busdev, i, qdev_get_gpio_in(armv7m, exti_irq[i]));
 +    }
 +    for (i = 0; i < 16; i++) {
 +        qdev_connect_gpio_out(DEVICE(&s->syscfg), i, qdev_get_gpio_in(dev, i));
 +    }
 +
 +    create_unimplemented_device("timer[7]",    0x40001400, 0x400);
 +    create_unimplemented_device("timer[12]",   0x40001800, 0x400);
 +    create_unimplemented_device("timer[6]",    0x40001000, 0x400);
 +    create_unimplemented_device("timer[13]",   0x40001C00, 0x400);
 +    create_unimplemented_device("timer[14]",   0x40002000, 0x400);
 +    create_unimplemented_device("RTC and BKP", 0x40002800, 0x400);
 +    create_unimplemented_device("WWDG",        0x40002C00, 0x400);
 +    create_unimplemented_device("IWDG",        0x40003000, 0x400);
 +    create_unimplemented_device("I2S2ext",     0x40003000, 0x400);
 +    create_unimplemented_device("I2S3ext",     0x40004000, 0x400);
 +    create_unimplemented_device("I2C1",        0x40005400, 0x400);
 +    create_unimplemented_device("I2C2",        0x40005800, 0x400);
 +    create_unimplemented_device("I2C3",        0x40005C00, 0x400);
 +    create_unimplemented_device("CAN1",        0x40006400, 0x400);
 +    create_unimplemented_device("CAN2",        0x40006800, 0x400);
 +    create_unimplemented_device("PWR",         0x40007000, 0x400);
 +    create_unimplemented_device("DAC",         0x40007400, 0x400);
 +    create_unimplemented_device("timer[1]",    0x40010000, 0x400);
 +    create_unimplemented_device("timer[8]",    0x40010400, 0x400);
 +    create_unimplemented_device("SDIO",        0x40012C00, 0x400);
 +    create_unimplemented_device("timer[9]",    0x40014000, 0x400);
 +    create_unimplemented_device("timer[10]",   0x40014400, 0x400);
 +    create_unimplemented_device("timer[11]",   0x40014800, 0x400);
 +    create_unimplemented_device("GPIOA",       0x40020000, 0x400);
 +    create_unimplemented_device("GPIOB",       0x40020400, 0x400);
 +    create_unimplemented_device("GPIOC",       0x40020800, 0x400);
 +    create_unimplemented_device("GPIOD",       0x40020C00, 0x400);
 +    create_unimplemented_device("GPIOE",       0x40021000, 0x400);
 +    create_unimplemented_device("GPIOF",       0x40021400, 0x400);
 +    create_unimplemented_device("GPIOG",       0x40021800, 0x400);
 +    create_unimplemented_device("GPIOH",       0x40021C00, 0x400);
 +    create_unimplemented_device("GPIOI",       0x40022000, 0x400);
 +    create_unimplemented_device("CRC",         0x40023000, 0x400);
 +    create_unimplemented_device("RCC",         0x40023800, 0x400);
 +    create_unimplemented_device("Flash Int",   0x40023C00, 0x400);
 +    create_unimplemented_device("BKPSRAM",     0x40024000, 0x400);
 +    create_unimplemented_device("DMA1",        0x40026000, 0x400);
 +    create_unimplemented_device("DMA2",        0x40026400, 0x400);
 +    create_unimplemented_device("Ethernet",    0x40028000, 0x1400);
 +    create_unimplemented_device("USB OTG HS",  0x40040000, 0x30000);
 +    create_unimplemented_device("USB OTG FS",  0x50000000, 0x31000);
 +    create_unimplemented_device("DCMI",        0x50050000, 0x400);
 +    create_unimplemented_device("RNG",         0x50060800, 0x400);
 +}
 +
 +static Property stm32f405_soc_properties[] = {
 +    DEFINE_PROP_STRING("cpu-type", STM32F405State, cpu_type),
 +    DEFINE_PROP_END_OF_LIST(),
 +};
 +
 +static void stm32f405_soc_class_init(ObjectClass *klass, void *data)
 +{
 +    DeviceClass *dc = DEVICE_CLASS(klass);
 +
 +    dc->realize = stm32f405_soc_realize;
 +    dc->props = stm32f405_soc_properties;
 +    /* No vmstate or reset required: device has no internal state */
 +}
 +
 +static const TypeInfo stm32f405_soc_info = {
 +    .name          = TYPE_STM32F405_SOC,
 +    .parent        = TYPE_SYS_BUS_DEVICE,
 +    .instance_size = sizeof(STM32F405State),
 +    .instance_init = stm32f405_soc_initfn,
 +    .class_init    = stm32f405_soc_class_init,
 +};
 +
 +static void stm32f405_soc_types(void)
 +{
 +    type_register_static(&stm32f405_soc_info);
 +}
 +
 +type_init(stm32f405_soc_types)
 diff --git a/MAINTAINERS b/MAINTAINERS
 index XXXXXXX..XXXXXXX 100644
 --- a/MAINTAINERS
 +++ b/MAINTAINERS
@@ -XXX,XX +XXX,XX @@ F: hw/adc/*
  F: hw/ssi/stm32f2xx_spi.c
  F: include/hw/*/stm32*.h
 +STM32F405
 +M: Alistair Francis <alistair@alistair23.me>
 +M: Peter Maydell <peter.maydell@linaro.org>
 +S: Maintained
 +F: hw/arm/stm32f405_soc.c
 +F: hw/misc/stm32f4xx_syscfg.c
 +F: hw/misc/stm32f4xx_exti.c
 +
  Netduino 2
  M: Alistair Francis <alistair@alistair23.me>
  M: Peter Maydell <peter.maydell@linaro.org>
 --
 .20.1

-[Qemu-devel] [PULL 03/10] hw/ssi/xilinx_spips: Avoid AXI writes to the LQSPI linear memory
+[PULL 04/15] hw/arm: Add the Netduino Plus 2
-From: Philippe Mathieu-Daudé <philmd@redhat.com>
+From: Alistair Francis <alistair@alistair23.me>
-Lei Sun found while auditing the code that a CPU write would
+Signed-off-by: Alistair Francis <alistair@alistair23.me>
-trigger a NULL pointer dereference.
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: dad8d8d47f7625913e35e27a1c00f603a6b08f9a.1576658572.git.alistair@alistair23.me
 >From UG1085 datasheet [*] AXI writes in this region are ignored
 and generates an AXI Slave Error (SLVERR).
 Fix by implementing the write_with_attrs() handler.
 Return MEMTX_ERROR when the region is accessed (this error maps
 to an AXI slave error).
 [*] https://www.xilinx.com/support/documentation/user_guides/ug1085-zynq-ultrascale-trm.pdf
 Reported-by: Lei Sun <slei.casper@gmail.com>
 Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
 Tested-by: Francisco Iglesias <frasse.iglesias@gmail.com>
 Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/ssi/xilinx_spips.c | 16 ++++++++++++++++
+ hw/arm/Makefile.objs   |  1 +
-file changed, 16 insertions(+)
+ hw/arm/netduinoplus2.c | 52 ++++++++++++++++++++++++++++++++++++++++++
  MAINTAINERS            |  6 +++++
 files changed, 59 insertions(+)
  create mode 100644 hw/arm/netduinoplus2.c
-diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
+diff --git a/hw/arm/Makefile.objs b/hw/arm/Makefile.objs
 index XXXXXXX..XXXXXXX 100644
---- a/hw/ssi/xilinx_spips.c
+--- a/hw/arm/Makefile.objs
-+++ b/hw/ssi/xilinx_spips.c
++++ b/hw/arm/Makefile.objs
-@@ -XXX,XX +XXX,XX @@ static MemTxResult lqspi_read(void *opaque, hwaddr addr, uint64_t *value,
+@@ -XXX,XX +XXX,XX @@ obj-$(CONFIG_MAINSTONE) += mainstone.o
-     return lqspi_read(opaque, addr, value, size, attrs);
+ obj-$(CONFIG_MICROBIT) += microbit.o
- }
+ obj-$(CONFIG_MUSICPAL) += musicpal.o
+ obj-$(CONFIG_NETDUINO2) += netduino2.o
-+static MemTxResult lqspi_write(void *opaque, hwaddr offset, uint64_t value,
++obj-$(CONFIG_NETDUINOPLUS2) += netduinoplus2.o
-+                               unsigned size, MemTxAttrs attrs)
+ obj-$(CONFIG_NSERIES) += nseries.o
  obj-$(CONFIG_SX1) += omap_sx1.o
  obj-$(CONFIG_CHEETAH) += palm.o
 diff --git a/hw/arm/netduinoplus2.c b/hw/arm/netduinoplus2.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/hw/arm/netduinoplus2.c
@@ -XXX,XX +XXX,XX @@
 +/*
 + * Netduino Plus 2 Machine Model
 + *
 + * Copyright (c) 2014 Alistair Francis <alistair@alistair23.me>
 + *
 + * Permission is hereby granted, free of charge, to any person obtaining a copy
 + * of this software and associated documentation files (the "Software"), to deal
 + * in the Software without restriction, including without limitation the rights
 + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 + * copies of the Software, and to permit persons to whom the Software is
 + * furnished to do so, subject to the following conditions:
 + *
 + * The above copyright notice and this permission notice shall be included in
 + * all copies or substantial portions of the Software.
 + *
 + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
 + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 + * THE SOFTWARE.
 + */
 +
 +#include "qemu/osdep.h"
 +#include "qapi/error.h"
 +#include "hw/boards.h"
 +#include "hw/qdev-properties.h"
 +#include "qemu/error-report.h"
 +#include "hw/arm/stm32f405_soc.h"
 +#include "hw/arm/boot.h"
 +
 +static void netduinoplus2_init(MachineState *machine)
 +{
-+    /*
++    DeviceState *dev;
 +     * From UG1085, Chapter 24 (Quad-SPI controllers):
 +     * - Writes are ignored
 +     * - AXI writes generate an external AXI slave error (SLVERR)
 +     */
 +    qemu_log_mask(LOG_GUEST_ERROR, "%s Unexpected %u-bit access to 0x%" PRIx64
 +                                   " (value: 0x%" PRIx64 "\n",
 +                  __func__, size << 3, offset, value);
 +
-+    return MEMTX_ERROR;
++    dev = qdev_create(NULL, TYPE_STM32F405_SOC);
 +    qdev_prop_set_string(dev, "cpu-type", ARM_CPU_TYPE_NAME("cortex-m4"));
 +    object_property_set_bool(OBJECT(dev), true, "realized", &error_fatal);
 +
 +    armv7m_load_kernel(ARM_CPU(first_cpu),
 +                       machine->kernel_filename,
 +                       FLASH_SIZE);
 +}
 +
- static const MemoryRegionOps lqspi_ops = {
++static void netduinoplus2_machine_init(MachineClass *mc)
-     .read_with_attrs = lqspi_read,
++{
-+    .write_with_attrs = lqspi_write,
++    mc->desc = "Netduino Plus 2 Machine";
-     .endianness = DEVICE_NATIVE_ENDIAN,
++    mc->init = netduinoplus2_init;
-     .valid = {
++}
-         .min_access_size = 1,
++
 +DEFINE_MACHINE("netduinoplus2", netduinoplus2_machine_init)
 diff --git a/MAINTAINERS b/MAINTAINERS
 index XXXXXXX..XXXXXXX 100644
 --- a/MAINTAINERS
 +++ b/MAINTAINERS
@@ -XXX,XX +XXX,XX @@ M: Peter Maydell <peter.maydell@linaro.org>
  S: Maintained
  F: hw/arm/netduino2.c
 +Netduino Plus 2
 +M: Alistair Francis <alistair@alistair23.me>
 +M: Peter Maydell <peter.maydell@linaro.org>
 +S: Maintained
 +F: hw/arm/netduinoplus2.c
 +
  SmartFusion2
  M: Subbaraya Sundeep <sundeep.lkml@gmail.com>
  M: Peter Maydell <peter.maydell@linaro.org>
 --
 .20.1

-New patch
+[PULL 05/15] tests/boot_linux_console: Add initrd test for the CubieBoard
+From: Philippe Mathieu-Daudé <f4bug@amsat.org>
+This test boots a Linux kernel on a CubieBoard and verify
+the serial output is working.
+The kernel image and DeviceTree blob are built by the Armbian
+project (based on Debian):
+https://docs.armbian.com/Developer-Guide_Build-Preparation/
+The cpio image used comes from the linux-build-test project:
+https://github.com/groeck/linux-build-test
+If ARM is a target being built, "make check-acceptance" will
+automatically include this test by the use of the "arch:arm" tags.
+Alternatively, this test can be run using:
+  $ avocado --show=console run -t machine:cubieboard tests/acceptance/boot_linux_console.py
+  console: Uncompressing Linux... done, booting the kernel.
+  console: Booting Linux on physical CPU 0x0
+  console: Linux version 4.20.7-sunxi (root@armbian.com) (gcc version 7.2.1 20171011 (Linaro GCC 7.2-2017.11)) #5.75 SMP Fri Feb 8 09:02:10 CET 2019
+  console: CPU: ARMv7 Processor [410fc080] revision 0 (ARMv7), cr=50c5387d
+  console: CPU: PIPT / VIPT nonaliasing data cache, VIPT nonaliasing instruction cache
+  console: OF: fdt: Machine model: Cubietech Cubieboard
+  [...]
+  console: Boot successful.
+  console: cat /proc/cpuinfo
+  console: / # cat /proc/cpuinfo
+  console: processor      : 0
+  console: model name     : ARMv7 Processor rev 0 (v7l)
+  console: BogoMIPS       : 832.51
+  [...]
+  console: Hardware       : Allwinner sun4i/sun5i Families
+  console: Revision       : 0000
+  console: Serial         : 0000000000000000
+  console: cat /proc/iomem
+  console: / # cat /proc/iomem
+  console: 01c00000-01c0002f : system-control@1c00000
+  console: 01c02000-01c02fff : dma-controller@1c02000
+  console: 01c05000-01c05fff : spi@1c05000
+  console: 01c0b080-01c0b093 : mdio@1c0b080
+  console: 01c0c000-01c0cfff : lcd-controller@1c0c000
+  console: 01c0d000-01c0dfff : lcd-controller@1c0d000
+  console: 01c0f000-01c0ffff : mmc@1c0f000
+  [...]
+  PASS (54.35 s)
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
+Tested-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
+Message-id: 20191230110953.25496-2-f4bug@amsat.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ tests/acceptance/boot_linux_console.py | 41 ++++++++++++++++++++++++++
+file changed, 41 insertions(+)
+diff --git a/tests/acceptance/boot_linux_console.py b/tests/acceptance/boot_linux_console.py
+index XXXXXXX..XXXXXXX 100644
+--- a/tests/acceptance/boot_linux_console.py
++++ b/tests/acceptance/boot_linux_console.py
+@@ -XXX,XX +XXX,XX @@ class BootLinuxConsole(Test):
+         self.wait_for_console_pattern('Boot successful.')
+         # TODO user command, for now the uart is stuck
++    def test_arm_cubieboard_initrd(self):
++        """
++        :avocado: tags=arch:arm
++        :avocado: tags=machine:cubieboard
++        """
++        deb_url = ('https://apt.armbian.com/pool/main/l/'
++                   'linux-4.20.7-sunxi/linux-image-dev-sunxi_5.75_armhf.deb')
++        deb_hash = '1334c29c44d984ffa05ed10de8c3361f33d78315'
++        deb_path = self.fetch_asset(deb_url, asset_hash=deb_hash)
++        kernel_path = self.extract_from_deb(deb_path,
++                                            '/boot/vmlinuz-4.20.7-sunxi')
++        dtb_path = '/usr/lib/linux-image-dev-sunxi/sun4i-a10-cubieboard.dtb'
++        dtb_path = self.extract_from_deb(deb_path, dtb_path)
++        initrd_url = ('https://github.com/groeck/linux-build-test/raw/'
++                      '2eb0a73b5d5a28df3170c546ddaaa9757e1e0848/rootfs/'
++                      'arm/rootfs-armv5.cpio.gz')
++        initrd_hash = '2b50f1873e113523967806f4da2afe385462ff9b'
++        initrd_path_gz = self.fetch_asset(initrd_url, asset_hash=initrd_hash)
++        initrd_path = os.path.join(self.workdir, 'rootfs.cpio')
++        archive.gzip_uncompress(initrd_path_gz, initrd_path)
++
++        self.vm.set_console()
++        kernel_command_line = (self.KERNEL_COMMON_COMMAND_LINE +
++                               'console=ttyS0,115200 '
++                               'usbcore.nousb '
++                               'panic=-1 noreboot')
++        self.vm.add_args('-kernel', kernel_path,
++                         '-dtb', dtb_path,
++                         '-initrd', initrd_path,
++                         '-append', kernel_command_line,
++                         '-no-reboot')
++        self.vm.launch()
++        self.wait_for_console_pattern('Boot successful.')
++
++        exec_command_and_wait_for_pattern(self, 'cat /proc/cpuinfo',
++                                                'Allwinner sun4i/sun5i')
++        exec_command_and_wait_for_pattern(self, 'cat /proc/iomem',
++                                                'system-control@1c00000')
++        exec_command_and_wait_for_pattern(self, 'reboot',
++                                                'reboot: Restarting system')
++
+     def test_s390x_s390_ccw_virtio(self):
+         """
+         :avocado: tags=arch:s390x
+--
+.20.1

-New patch
+[PULL 06/15] tests/boot_linux_console: Add a SD card test for the CubieBoard
+From: Philippe Mathieu-Daudé <f4bug@amsat.org>
+The kernel image and DeviceTree blob are built by the Armbian
+project (based on Debian):
+https://docs.armbian.com/Developer-Guide_Build-Preparation/
+The cpio image used comes from the linux-build-test project:
+https://github.com/groeck/linux-build-test
+If ARM is a target being built, "make check-acceptance" will
+automatically include this test by the use of the "arch:arm" tags.
+Alternatively, this test can be run using:
+  $ avocado --show=console run -t machine:cubieboard tests/acceptance/boot_linux_console.py
+  console: Uncompressing Linux... done, booting the kernel.
+  console: Booting Linux on physical CPU 0x0
+  console: Linux version 4.20.7-sunxi (root@armbian.com) (gcc version 7.2.1 20171011 (Linaro GCC 7.2-2017.11)) #5.75 SMP Fri Feb 8 09:02:10 CET 2019
+  [...]
+  console: ahci-sunxi 1c18000.sata: Linked as a consumer to regulator.4
+  console: ahci-sunxi 1c18000.sata: controller can't do 64bit DMA, forcing 32bit
+  console: ahci-sunxi 1c18000.sata: AHCI 0001.0000 32 slots 1 ports 1.5 Gbps 0x1 impl platform mode
+  console: ahci-sunxi 1c18000.sata: flags: ncq only
+  console: scsi host0: ahci-sunxi
+  console: ata1: SATA max UDMA/133 mmio [mem 0x01c18000-0x01c18fff] port 0x100 irq 27
+  console: of_cfs_init
+  console: of_cfs_init: OK
+  console: vcc3v0: disabling
+  console: vcc5v0: disabling
+  console: usb1-vbus: disabling
+  console: usb2-vbus: disabling
+  console: ata1: SATA link up 1.5 Gbps (SStatus 113 SControl 300)
+  console: ata1.00: ATA-7: QEMU HARDDISK, 2.5+, max UDMA/100
+  console: ata1.00: 40960 sectors, multi 16: LBA48 NCQ (depth 32)
+  console: ata1.00: applying bridge limits
+  console: ata1.00: configured for UDMA/100
+  console: scsi 0:0:0:0: Direct-Access     ATA      QEMU HARDDISK    2.5+ PQ: 0 ANSI: 5
+  console: sd 0:0:0:0: Attached scsi generic sg0 type 0
+  console: sd 0:0:0:0: [sda] 40960 512-byte logical blocks: (21.0 MB/20.0 MiB)
+  console: sd 0:0:0:0: [sda] Write Protect is off
+  console: sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
+  console: sd 0:0:0:0: [sda] Attached SCSI disk
+  console: EXT4-fs (sda): mounting ext2 file system using the ext4 subsystem
+  console: EXT4-fs (sda): mounted filesystem without journal. Opts: (null)
+  console: VFS: Mounted root (ext2 filesystem) readonly on device 8:0.
+  [...]
+  console: cat /proc/partitions
+  console: / # cat /proc/partitions
+  console: major minor  #blocks  name
+  console: 1        0       4096 ram0
+  console: 1        1       4096 ram1
+  console: 1        2       4096 ram2
+  console: 1        3       4096 ram3
+  console: 8        0      20480 sda
+  console: reboot
+  console: / # reboot
+  [...]
+  console: sd 0:0:0:0: [sda] Synchronizing SCSI cache
+  console: reboot: Restarting system
+  PASS (48.39 s)
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Message-id: 20191230110953.25496-3-f4bug@amsat.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ tests/acceptance/boot_linux_console.py | 44 ++++++++++++++++++++++++++
+file changed, 44 insertions(+)
+diff --git a/tests/acceptance/boot_linux_console.py b/tests/acceptance/boot_linux_console.py
+index XXXXXXX..XXXXXXX 100644
+--- a/tests/acceptance/boot_linux_console.py
++++ b/tests/acceptance/boot_linux_console.py
+@@ -XXX,XX +XXX,XX @@ class BootLinuxConsole(Test):
+         exec_command_and_wait_for_pattern(self, 'reboot',
+                                                 'reboot: Restarting system')
++    def test_arm_cubieboard_sata(self):
++        """
++        :avocado: tags=arch:arm
++        :avocado: tags=machine:cubieboard
++        """
++        deb_url = ('https://apt.armbian.com/pool/main/l/'
++                   'linux-4.20.7-sunxi/linux-image-dev-sunxi_5.75_armhf.deb')
++        deb_hash = '1334c29c44d984ffa05ed10de8c3361f33d78315'
++        deb_path = self.fetch_asset(deb_url, asset_hash=deb_hash)
++        kernel_path = self.extract_from_deb(deb_path,
++                                            '/boot/vmlinuz-4.20.7-sunxi')
++        dtb_path = '/usr/lib/linux-image-dev-sunxi/sun4i-a10-cubieboard.dtb'
++        dtb_path = self.extract_from_deb(deb_path, dtb_path)
++        rootfs_url = ('https://github.com/groeck/linux-build-test/raw/'
++                      '2eb0a73b5d5a28df3170c546ddaaa9757e1e0848/rootfs/'
++                      'arm/rootfs-armv5.ext2.gz')
++        rootfs_hash = '093e89d2b4d982234bf528bc9fb2f2f17a9d1f93'
++        rootfs_path_gz = self.fetch_asset(rootfs_url, asset_hash=rootfs_hash)
++        rootfs_path = os.path.join(self.workdir, 'rootfs.cpio')
++        archive.gzip_uncompress(rootfs_path_gz, rootfs_path)
++
++        self.vm.set_console()
++        kernel_command_line = (self.KERNEL_COMMON_COMMAND_LINE +
++                               'console=ttyS0,115200 '
++                               'usbcore.nousb '
++                               'root=/dev/sda ro '
++                               'panic=-1 noreboot')
++        self.vm.add_args('-kernel', kernel_path,
++                         '-dtb', dtb_path,
++                         '-drive', 'if=none,format=raw,id=disk0,file='
++                                   + rootfs_path,
++                         '-device', 'ide-hd,bus=ide.0,drive=disk0',
++                         '-append', kernel_command_line,
++                         '-no-reboot')
++        self.vm.launch()
++        self.wait_for_console_pattern('Boot successful.')
++
++        exec_command_and_wait_for_pattern(self, 'cat /proc/cpuinfo',
++                                                'Allwinner sun4i/sun5i')
++        exec_command_and_wait_for_pattern(self, 'cat /proc/partitions',
++                                                'sda')
++        exec_command_and_wait_for_pattern(self, 'reboot',
++                                                'reboot: Restarting system')
++
+     def test_s390x_s390_ccw_virtio(self):
+         """
+         :avocado: tags=arch:s390x
+--
+.20.1

-New patch
+[PULL 07/15] hw/arm/allwinner-a10: Move SoC definitions out of header
+From: Philippe Mathieu-Daudé <f4bug@amsat.org>
+These definitions are specific to the A10 SoC and don't need
+to be exported to the different Allwinner peripherals.
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Message-id: 20191230110953.25496-4-f4bug@amsat.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ include/hw/arm/allwinner-a10.h | 6 ------
+ hw/arm/allwinner-a10.c         | 6 ++++++
+files changed, 6 insertions(+), 6 deletions(-)
+diff --git a/include/hw/arm/allwinner-a10.h b/include/hw/arm/allwinner-a10.h
+index XXXXXXX..XXXXXXX 100644
+--- a/include/hw/arm/allwinner-a10.h
++++ b/include/hw/arm/allwinner-a10.h
+@@ -XXX,XX +XXX,XX @@
+ #include "target/arm/cpu.h"
+-#define AW_A10_PIC_REG_BASE     0x01c20400
+-#define AW_A10_PIT_REG_BASE     0x01c20c00
+-#define AW_A10_UART0_REG_BASE   0x01c28000
+-#define AW_A10_EMAC_BASE        0x01c0b000
+-#define AW_A10_SATA_BASE        0x01c18000
+-
+ #define AW_A10_SDRAM_BASE       0x40000000
+ #define TYPE_AW_A10 "allwinner-a10"
+diff --git a/hw/arm/allwinner-a10.c b/hw/arm/allwinner-a10.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/allwinner-a10.c
++++ b/hw/arm/allwinner-a10.c
+@@ -XXX,XX +XXX,XX @@
+ #include "hw/misc/unimp.h"
+ #include "sysemu/sysemu.h"
++#define AW_A10_PIC_REG_BASE     0x01c20400
++#define AW_A10_PIT_REG_BASE     0x01c20c00
++#define AW_A10_UART0_REG_BASE   0x01c28000
++#define AW_A10_EMAC_BASE        0x01c0b000
++#define AW_A10_SATA_BASE        0x01c18000
++
+ static void aw_a10_init(Object *obj)
+ {
+     AwA10State *s = AW_A10(obj);
+--
+.20.1

-[Qemu-devel] [PULL 09/10] target/arm: Set VFP-related MVFR0 fields for arm926 and arm1026
+[PULL 08/15] hw/arm/allwinner-a10: Simplify by passing IRQs with qdev_pass_gpios()
-The ARMv5 architecture didn't specify detailed per-feature ID
+From: Philippe Mathieu-Daudé <f4bug@amsat.org>
 registers. Now that we're using the MVFR0 register fields to
 gate the existence of VFP instructions, we need to set up
 the correct values in the cpu->isar structure so that we still
 provide an FPU to the guest.
-This fixes a regression in the arm926 and arm1026 CPUs, which
+By calling qdev_pass_gpios() we don't need to hold a copy of the
-are the only ones that both have VFP and are ARMv5 or earlier.
+IRQs from the INTC into the SoC state.
-This regression was introduced by the VFP refactoring, and more
+Instead of filling an array of qemu_irq and passing it around, we
-specifically by commits 1120827fa182f0e76 and 266bd25c485597c,
+can now directly call qdev_get_gpio_in() on the SoC.
 which accidentally disabled VFP short-vector support and
 double-precision support on these CPUs.
-Fixes: 1120827fa182f0e
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Fixes: 266bd25c485597c
+Message-id: 20191230110953.25496-5-f4bug@amsat.org
 Fixes: https://bugs.launchpad.net/qemu/+bug/1836192
 Reported-by: Christophe Lyon <christophe.lyon@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Tested-by: Christophe Lyon <christophe.lyon@linaro.org>
 Message-id: 20190711131241.22231-1-peter.maydell@linaro.org
 ---
- target/arm/cpu.c | 12 ++++++++++++
+ include/hw/arm/allwinner-a10.h |  1 -
-file changed, 12 insertions(+)
+ hw/arm/allwinner-a10.c         | 24 +++++++++++-------------
 files changed, 11 insertions(+), 14 deletions(-)
-diff --git a/target/arm/cpu.c b/target/arm/cpu.c
+diff --git a/include/hw/arm/allwinner-a10.h b/include/hw/arm/allwinner-a10.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.c
+--- a/include/hw/arm/allwinner-a10.h
-+++ b/target/arm/cpu.c
++++ b/include/hw/arm/allwinner-a10.h
-@@ -XXX,XX +XXX,XX @@ static void arm926_initfn(Object *obj)
+@@ -XXX,XX +XXX,XX @@ typedef struct AwA10State {
-      * set the field to indicate Jazelle support within QEMU.
+     /*< public >*/
-      */
-     cpu->isar.id_isar1 = FIELD_DP32(cpu->isar.id_isar1, ID_ISAR1, JAZELLE, 1);
+     ARMCPU cpu;
-+    /*
+-    qemu_irq irq[AW_A10_PIC_INT_NR];
-+     * Similarly, we need to set MVFR0 fields to enable double precision
+     AwA10PITState timer;
-+     * and short vector support even though ARMv5 doesn't have this register.
+     AwA10PICState intc;
-+     */
+     AwEmacState emac;
-+    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPSHVEC, 1);
+diff --git a/hw/arm/allwinner-a10.c b/hw/arm/allwinner-a10.c
-+    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPDP, 1);
+index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/allwinner-a10.c
 +++ b/hw/arm/allwinner-a10.c
@@ -XXX,XX +XXX,XX @@ static void aw_a10_realize(DeviceState *dev, Error **errp)
  {
      AwA10State *s = AW_A10(dev);
      SysBusDevice *sysbusdev;
 -    uint8_t i;
      qemu_irq fiq, irq;
      Error *err = NULL;
@@ -XXX,XX +XXX,XX @@ static void aw_a10_realize(DeviceState *dev, Error **errp)
      sysbus_mmio_map(sysbusdev, 0, AW_A10_PIC_REG_BASE);
      sysbus_connect_irq(sysbusdev, 0, irq);
      sysbus_connect_irq(sysbusdev, 1, fiq);
 -    for (i = 0; i < AW_A10_PIC_INT_NR; i++) {
 -        s->irq[i] = qdev_get_gpio_in(DEVICE(&s->intc), i);
 -    }
 +    qdev_pass_gpios(DEVICE(&s->intc), dev, NULL);
      object_property_set_bool(OBJECT(&s->timer), true, "realized", &err);
      if (err != NULL) {
@@ -XXX,XX +XXX,XX @@ static void aw_a10_realize(DeviceState *dev, Error **errp)
      }
      sysbusdev = SYS_BUS_DEVICE(&s->timer);
      sysbus_mmio_map(sysbusdev, 0, AW_A10_PIT_REG_BASE);
 -    sysbus_connect_irq(sysbusdev, 0, s->irq[22]);
 -    sysbus_connect_irq(sysbusdev, 1, s->irq[23]);
 -    sysbus_connect_irq(sysbusdev, 2, s->irq[24]);
 -    sysbus_connect_irq(sysbusdev, 3, s->irq[25]);
 -    sysbus_connect_irq(sysbusdev, 4, s->irq[67]);
 -    sysbus_connect_irq(sysbusdev, 5, s->irq[68]);
 +    sysbus_connect_irq(sysbusdev, 0, qdev_get_gpio_in(dev, 22));
 +    sysbus_connect_irq(sysbusdev, 1, qdev_get_gpio_in(dev, 23));
 +    sysbus_connect_irq(sysbusdev, 2, qdev_get_gpio_in(dev, 24));
 +    sysbus_connect_irq(sysbusdev, 3, qdev_get_gpio_in(dev, 25));
 +    sysbus_connect_irq(sysbusdev, 4, qdev_get_gpio_in(dev, 67));
 +    sysbus_connect_irq(sysbusdev, 5, qdev_get_gpio_in(dev, 68));
      memory_region_init_ram(&s->sram_a, OBJECT(dev), "sram A", 48 * KiB,
                             &error_fatal);
@@ -XXX,XX +XXX,XX @@ static void aw_a10_realize(DeviceState *dev, Error **errp)
      }
      sysbusdev = SYS_BUS_DEVICE(&s->emac);
      sysbus_mmio_map(sysbusdev, 0, AW_A10_EMAC_BASE);
 -    sysbus_connect_irq(sysbusdev, 0, s->irq[55]);
 +    sysbus_connect_irq(sysbusdev, 0, qdev_get_gpio_in(dev, 55));
      object_property_set_bool(OBJECT(&s->sata), true, "realized", &err);
      if (err) {
@@ -XXX,XX +XXX,XX @@ static void aw_a10_realize(DeviceState *dev, Error **errp)
          return;
      }
      sysbus_mmio_map(SYS_BUS_DEVICE(&s->sata), 0, AW_A10_SATA_BASE);
 -    sysbus_connect_irq(SYS_BUS_DEVICE(&s->sata), 0, s->irq[56]);
 +    sysbus_connect_irq(SYS_BUS_DEVICE(&s->sata), 0, qdev_get_gpio_in(dev, 56));
      /* FIXME use a qdev chardev prop instead of serial_hd() */
 -    serial_mm_init(get_system_memory(), AW_A10_UART0_REG_BASE, 2, s->irq[1],
 +    serial_mm_init(get_system_memory(), AW_A10_UART0_REG_BASE, 2,
 +                   qdev_get_gpio_in(dev, 1),
 , serial_hd(0), DEVICE_NATIVE_ENDIAN);
  }
- static void arm946_initfn(Object *obj)
-@@ -XXX,XX +XXX,XX @@ static void arm1026_initfn(Object *obj)
-      * set the field to indicate Jazelle support within QEMU.
-      */
-     cpu->isar.id_isar1 = FIELD_DP32(cpu->isar.id_isar1, ID_ISAR1, JAZELLE, 1);
-+    /*
-+     * Similarly, we need to set MVFR0 fields to enable double precision
-+     * and short vector support even though ARMv5 doesn't have this register.
-+     */
-+    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPSHVEC, 1);
-+    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPDP, 1);
-     {
-         /* The 1026 had an IFAR at c6,c0,0,1 rather than the ARMv6 c6,c0,0,2 */
 --
 .20.1

-New patch
+[PULL 09/15] hw/arm/allwinner-a10: Remove local qemu_irq variables
+From: Philippe Mathieu-Daudé <f4bug@amsat.org>
+We won't reuse the CPU IRQ/FIQ variables. Simplify by calling
+qdev_get_gpio_in() in place.
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Message-id: 20191230110953.25496-6-f4bug@amsat.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ hw/arm/allwinner-a10.c | 9 ++++-----
+file changed, 4 insertions(+), 5 deletions(-)
+diff --git a/hw/arm/allwinner-a10.c b/hw/arm/allwinner-a10.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/allwinner-a10.c
++++ b/hw/arm/allwinner-a10.c
+@@ -XXX,XX +XXX,XX @@ static void aw_a10_realize(DeviceState *dev, Error **errp)
+ {
+     AwA10State *s = AW_A10(dev);
+     SysBusDevice *sysbusdev;
+-    qemu_irq fiq, irq;
+     Error *err = NULL;
+     object_property_set_bool(OBJECT(&s->cpu), true, "realized", &err);
+@@ -XXX,XX +XXX,XX @@ static void aw_a10_realize(DeviceState *dev, Error **errp)
+         error_propagate(errp, err);
+         return;
+     }
+-    irq = qdev_get_gpio_in(DEVICE(&s->cpu), ARM_CPU_IRQ);
+-    fiq = qdev_get_gpio_in(DEVICE(&s->cpu), ARM_CPU_FIQ);
+     object_property_set_bool(OBJECT(&s->intc), true, "realized", &err);
+     if (err != NULL) {
+@@ -XXX,XX +XXX,XX @@ static void aw_a10_realize(DeviceState *dev, Error **errp)
+     }
+     sysbusdev = SYS_BUS_DEVICE(&s->intc);
+     sysbus_mmio_map(sysbusdev, 0, AW_A10_PIC_REG_BASE);
+-    sysbus_connect_irq(sysbusdev, 0, irq);
+-    sysbus_connect_irq(sysbusdev, 1, fiq);
++    sysbus_connect_irq(sysbusdev, 0,
++                       qdev_get_gpio_in(DEVICE(&s->cpu), ARM_CPU_IRQ));
++    sysbus_connect_irq(sysbusdev, 1,
++                       qdev_get_gpio_in(DEVICE(&s->cpu), ARM_CPU_FIQ));
+     qdev_pass_gpios(DEVICE(&s->intc), dev, NULL);
+     object_property_set_bool(OBJECT(&s->timer), true, "realized", &err);
+--
+.20.1

-[Qemu-devel] [PULL 06/10] hw/display/xlnx_dp: Avoid crash when reading empty RX FIFO
+[PULL 10/15] target/arm/arm-semi: fix SYS_OPEN to return nonzero filehandle
-From: Philippe Mathieu-Daudé <philmd@redhat.com>
+From: Masahiro Yamada <masahiroy@kernel.org>
-In the previous commit we fixed a crash when the guest read a
+According to the specification "Semihosting for AArch32 and Aarch64",
-register that pop from an empty FIFO.
+the SYS_OPEN operation should return:
 By auditing the repository, we found another similar use with
 an easy way to reproduce:
-  $ qemu-system-aarch64 -M xlnx-zcu102 -monitor stdio -S
+ - A nonzero handle if the call is successful
-  QEMU 4.0.50 monitor - type 'help' for more information
+ - -1 if the call is not successful
   (qemu) xp/b 0xfd4a0134
   Aborted (core dumped)
-  (gdb) bt
+So, it should never return 0.
   #0  0x00007f6936dea57f in raise () at /lib64/libc.so.6
   #1  0x00007f6936dd4895 in abort () at /lib64/libc.so.6
   #2  0x0000561ad32975ec in xlnx_dp_aux_pop_rx_fifo (s=0x7f692babee70) at hw/display/xlnx_dp.c:431
   #3  0x0000561ad3297dc0 in xlnx_dp_read (opaque=0x7f692babee70, offset=77, size=4) at hw/display/xlnx_dp.c:667
   #4  0x0000561ad321b896 in memory_region_read_accessor (mr=0x7f692babf620, addr=308, value=0x7ffe05c1db88, size=4, shift=0, mask=4294967295, attrs=...) at memory.c:439
   #5  0x0000561ad321bd70 in access_with_adjusted_size (addr=308, value=0x7ffe05c1db88, size=1, access_size_min=4, access_size_max=4, access_fn=0x561ad321b858 <memory_region_read_accessor>, mr=0x7f692babf620, attrs=...) at memory.c:569
   #6  0x0000561ad321e9d5 in memory_region_dispatch_read1 (mr=0x7f692babf620, addr=308, pval=0x7ffe05c1db88, size=1, attrs=...) at memory.c:1420
   #7  0x0000561ad321ea9d in memory_region_dispatch_read (mr=0x7f692babf620, addr=308, pval=0x7ffe05c1db88, size=1, attrs=...) at memory.c:1447
   #8  0x0000561ad31bd742 in flatview_read_continue (fv=0x561ad69c04f0, addr=4249485620, attrs=..., buf=0x7ffe05c1dcf0 "\020\335\301\005\376\177", len=1, addr1=308, l=1, mr=0x7f692babf620) at exec.c:3385
   #9  0x0000561ad31bd895 in flatview_read (fv=0x561ad69c04f0, addr=4249485620, attrs=..., buf=0x7ffe05c1dcf0 "\020\335\301\005\376\177", len=1) at exec.c:3423
   #10 0x0000561ad31bd90b in address_space_read_full (as=0x561ad5bb3020, addr=4249485620, attrs=..., buf=0x7ffe05c1dcf0 "\020\335\301\005\376\177", len=1) at exec.c:3436
   #11 0x0000561ad33b1c42 in address_space_read (len=1, buf=0x7ffe05c1dcf0 "\020\335\301\005\376\177", attrs=..., addr=4249485620, as=0x561ad5bb3020) at include/exec/memory.h:2131
   #12 0x0000561ad33b1c42 in memory_dump (mon=0x561ad59c4530, count=1, format=120, wsize=1, addr=4249485620, is_physical=1) at monitor/misc.c:723
   #13 0x0000561ad33b1fc1 in hmp_physical_memory_dump (mon=0x561ad59c4530, qdict=0x561ad6c6fd00) at monitor/misc.c:795
   #14 0x0000561ad37b4a9f in handle_hmp_command (mon=0x561ad59c4530, cmdline=0x561ad59d0f22 "/b 0x00000000fd4a0134") at monitor/hmp.c:1082
-Fix by checking the FIFO is not empty before popping from it.
+Prior to commit 35e9a0a8ce4b ("target/arm/arm-semi: Make semihosting
 code hand out its own file descriptors"), the guest fd matched to the
 host fd. It returned a nonzero handle on success since the fd 0 is
 already used for stdin.
-The datasheet is not clear about the reset value of this register,
+Now that the guest fd is the index of guestfd_array, it starts from 0.
 we choose to return '0'.
-Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+I noticed this issue particularly because Trusted Firmware-A built with
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+PLAT=qemu is no longer working. Its io_semihosting driver only handles
-Message-id: 20190709113715.7761-4-philmd@redhat.com
+a positive return value as a valid filehandle.
 Basically, there are two ways to fix this:
   - Use (guestfd - 1) as the index of guestfs_arrary. We need to insert
     increment/decrement to convert the guestfd and the array index back
     and forth.
   - Keep using guestfd as the index of guestfs_array. The first entry
     of guestfs_array is left unused.
 I thought the latter is simpler. We end up with wasting a small piece
 of memory for the unused first entry of guestfd_array, but this is
 probably not a big deal.
 Fixes: 35e9a0a8ce4b ("target/arm/arm-semi: Make semihosting code hand out its own file descriptors")
 Cc: qemu-stable@nongnu.org
 Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20200109041228.10131-1-masahiroy@kernel.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/display/xlnx_dp.c | 15 +++++++++++----
+ target/arm/arm-semi.c | 5 +++--
-file changed, 11 insertions(+), 4 deletions(-)
+file changed, 3 insertions(+), 2 deletions(-)
-diff --git a/hw/display/xlnx_dp.c b/hw/display/xlnx_dp.c
+diff --git a/target/arm/arm-semi.c b/target/arm/arm-semi.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/display/xlnx_dp.c
+--- a/target/arm/arm-semi.c
-+++ b/hw/display/xlnx_dp.c
++++ b/target/arm/arm-semi.c
-@@ -XXX,XX +XXX,XX @@ static uint8_t xlnx_dp_aux_pop_rx_fifo(XlnxDPState *s)
+@@ -XXX,XX +XXX,XX @@ static int alloc_guestfd(void)
-     uint8_t ret;
+         guestfd_array = g_array_new(FALSE, TRUE, sizeof(GuestFD));
      if (fifo8_is_empty(&s->rx_fifo)) {
 -        DPRINTF("rx_fifo underflow..\n");
 -        abort();
 +        qemu_log_mask(LOG_GUEST_ERROR,
 +                      "%s: Reading empty RX_FIFO\n",
 +                      __func__);
 +        /*
 +         * The datasheet is not clear about the reset value, it seems
 +         * to be unspecified. We choose to return '0'.
 +         */
 +        ret = 0;
 +    } else {
 +        ret = fifo8_pop(&s->rx_fifo);
 +        DPRINTF("pop 0x%" PRIX8 " from rx_fifo.\n", ret);
      }
--    ret = fifo8_pop(&s->rx_fifo);
--    DPRINTF("pop 0x%" PRIX8 " from rx_fifo.\n", ret);
+-    for (i = 0; i < guestfd_array->len; i++) {
-     return ret;
++    /* SYS_OPEN should return nonzero handle on success. Start guestfd from 1 */
- }
++    for (i = 1; i < guestfd_array->len; i++) {
          GuestFD *gf = &g_array_index(guestfd_array, GuestFD, i);
          if (gf->type == GuestFDUnused) {
@@ -XXX,XX +XXX,XX @@ static GuestFD *do_get_guestfd(int guestfd)
          return NULL;
      }
 -    if (guestfd < 0 || guestfd >= guestfd_array->len) {
 +    if (guestfd <= 0 || guestfd >= guestfd_array->len) {
          return NULL;
      }
 --
 .20.1

-[Qemu-devel] [PULL 05/10] hw/ssi/mss-spi: Avoid crash when reading empty RX FIFO
+[PULL 11/15] i.MX: add an emulation for RNGC
-From: Philippe Mathieu-Daudé <philmd@redhat.com>
+From: Martin Kaiser <martin@kaiser.cx>
-Reading the RX_DATA register when the RX_FIFO is empty triggers
+Add an emulation for the RNGC random number generator and the compatible
-an abort. This can be easily reproduced:
+RNGB variant. These peripherals are included (at least) in imx25 and
+imx35 chipsets.
-  $ qemu-system-arm -M emcraft-sf2 -monitor stdio -S
-  QEMU 4.0.50 monitor - type 'help' for more information
+The emulation supports the initial self test, reseeding the prng and
-  (qemu) x 0x40001010
+reading random numbers.
-  Aborted (core dumped)
+Signed-off-by: Martin Kaiser <martin@kaiser.cx>
-  (gdb) bt
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
   #1  0x00007f035874f895 in abort () at /lib64/libc.so.6
   #2  0x00005628686591ff in fifo8_pop (fifo=0x56286a9a4c68) at util/fifo8.c:66
   #3  0x00005628683e0b8e in fifo32_pop (fifo=0x56286a9a4c68) at include/qemu/fifo32.h:137
   #4  0x00005628683e0efb in spi_read (opaque=0x56286a9a4850, addr=4, size=4) at hw/ssi/mss-spi.c:168
   #5  0x0000562867f96801 in memory_region_read_accessor (mr=0x56286a9a4b60, addr=16, value=0x7ffeecb0c5c8, size=4, shift=0, mask=4294967295, attrs=...) at memory.c:439
   #6  0x0000562867f96cdb in access_with_adjusted_size (addr=16, value=0x7ffeecb0c5c8, size=4, access_size_min=1, access_size_max=4, access_fn=0x562867f967c3 <memory_region_read_accessor>, mr=0x56286a9a4b60, attrs=...) at memory.c:569
   #7  0x0000562867f99940 in memory_region_dispatch_read1 (mr=0x56286a9a4b60, addr=16, pval=0x7ffeecb0c5c8, size=4, attrs=...) at memory.c:1420
   #8  0x0000562867f99a08 in memory_region_dispatch_read (mr=0x56286a9a4b60, addr=16, pval=0x7ffeecb0c5c8, size=4, attrs=...) at memory.c:1447
   #9  0x0000562867f38721 in flatview_read_continue (fv=0x56286aec6360, addr=1073745936, attrs=..., buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4, addr1=16, l=4, mr=0x56286a9a4b60) at exec.c:3385
   #10 0x0000562867f38874 in flatview_read (fv=0x56286aec6360, addr=1073745936, attrs=..., buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4) at exec.c:3423
   #11 0x0000562867f388ea in address_space_read_full (as=0x56286aa3e890, addr=1073745936, attrs=..., buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4) at exec.c:3436
   #12 0x0000562867f389c5 in address_space_rw (as=0x56286aa3e890, addr=1073745936, attrs=..., buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4, is_write=false) at exec.c:3466
   #13 0x0000562867f3bdd7 in cpu_memory_rw_debug (cpu=0x56286aa19d00, addr=1073745936, buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4, is_write=0) at exec.c:3976
   #14 0x000056286811ed51 in memory_dump (mon=0x56286a8c32d0, count=1, format=120, wsize=4, addr=1073745936, is_physical=0) at monitor/misc.c:730
   #15 0x000056286811eff1 in hmp_memory_dump (mon=0x56286a8c32d0, qdict=0x56286b15c400) at monitor/misc.c:785
   #16 0x00005628684740ee in handle_hmp_command (mon=0x56286a8c32d0, cmdline=0x56286a8caeb2 "0x40001010") at monitor/hmp.c:1082
 From the datasheet "Actel SmartFusion Microcontroller Subsystem
 User's Guide" Rev.1, Table 13-3 "SPI Register Summary", this
 register has a reset value of 0.
 Check the FIFO is not empty before accessing it, else log an
 error message.
 Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
 Message-id: 20190709113715.7761-3-philmd@redhat.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/ssi/mss-spi.c | 8 +++++++-
+ hw/misc/Makefile.objs      |   1 +
-file changed, 7 insertions(+), 1 deletion(-)
+ include/hw/arm/fsl-imx25.h |   5 +
+ include/hw/misc/imx_rngc.h |  35 +++++
-diff --git a/hw/ssi/mss-spi.c b/hw/ssi/mss-spi.c
+ hw/arm/fsl-imx25.c         |  11 ++
  hw/misc/imx_rngc.c         | 278 +++++++++++++++++++++++++++++++++++++
 files changed, 330 insertions(+)
  create mode 100644 include/hw/misc/imx_rngc.h
  create mode 100644 hw/misc/imx_rngc.c
 diff --git a/hw/misc/Makefile.objs b/hw/misc/Makefile.objs
 index XXXXXXX..XXXXXXX 100644
---- a/hw/ssi/mss-spi.c
+--- a/hw/misc/Makefile.objs
-+++ b/hw/ssi/mss-spi.c
++++ b/hw/misc/Makefile.objs
-@@ -XXX,XX +XXX,XX @@ spi_read(void *opaque, hwaddr addr, unsigned int size)
+@@ -XXX,XX +XXX,XX @@ common-obj-$(CONFIG_IMX) += imx7_ccm.o
-     case R_SPI_RX:
+ common-obj-$(CONFIG_IMX) += imx2_wdt.o
-         s->regs[R_SPI_STATUS] &= ~S_RXFIFOFUL;
+ common-obj-$(CONFIG_IMX) += imx7_snvs.o
-         s->regs[R_SPI_STATUS] &= ~S_RXCHOVRF;
+ common-obj-$(CONFIG_IMX) += imx7_gpr.o
--        ret = fifo32_pop(&s->rx_fifo);
++common-obj-$(CONFIG_IMX) += imx_rngc.o
-+        if (fifo32_is_empty(&s->rx_fifo)) {
+ common-obj-$(CONFIG_MILKYMIST) += milkymist-hpdmc.o
-+            qemu_log_mask(LOG_GUEST_ERROR,
+ common-obj-$(CONFIG_MILKYMIST) += milkymist-pfpu.o
-+                          "%s: Reading empty RX_FIFO\n",
+ common-obj-$(CONFIG_MAINSTONE) += mst_fpga.o
-+                          __func__);
+diff --git a/include/hw/arm/fsl-imx25.h b/include/hw/arm/fsl-imx25.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/hw/arm/fsl-imx25.h
 +++ b/include/hw/arm/fsl-imx25.h
@@ -XXX,XX +XXX,XX @@
  #include "hw/timer/imx_gpt.h"
  #include "hw/timer/imx_epit.h"
  #include "hw/net/imx_fec.h"
 +#include "hw/misc/imx_rngc.h"
  #include "hw/i2c/imx_i2c.h"
  #include "hw/gpio/imx_gpio.h"
  #include "exec/memory.h"
@@ -XXX,XX +XXX,XX @@ typedef struct FslIMX25State {
      IMXGPTState    gpt[FSL_IMX25_NUM_GPTS];
      IMXEPITState   epit[FSL_IMX25_NUM_EPITS];
      IMXFECState    fec;
 +    IMXRNGCState   rngc;
      IMXI2CState    i2c[FSL_IMX25_NUM_I2CS];
      IMXGPIOState   gpio[FSL_IMX25_NUM_GPIOS];
      MemoryRegion   rom[2];
@@ -XXX,XX +XXX,XX @@ typedef struct FslIMX25State {
  #define FSL_IMX25_GPIO4_SIZE    0x4000
  #define FSL_IMX25_GPIO3_ADDR    0x53FA4000
  #define FSL_IMX25_GPIO3_SIZE    0x4000
 +#define FSL_IMX25_RNGC_ADDR     0x53FB0000
 +#define FSL_IMX25_RNGC_SIZE     0x4000
  #define FSL_IMX25_GPIO1_ADDR    0x53FCC000
  #define FSL_IMX25_GPIO1_SIZE    0x4000
  #define FSL_IMX25_GPIO2_ADDR    0x53FD0000
@@ -XXX,XX +XXX,XX @@ typedef struct FslIMX25State {
  #define FSL_IMX25_EPIT1_IRQ     28
  #define FSL_IMX25_EPIT2_IRQ     27
  #define FSL_IMX25_FEC_IRQ       57
 +#define FSL_IMX25_RNGC_IRQ      22
  #define FSL_IMX25_I2C1_IRQ      3
  #define FSL_IMX25_I2C2_IRQ      4
  #define FSL_IMX25_I2C3_IRQ      10
 diff --git a/include/hw/misc/imx_rngc.h b/include/hw/misc/imx_rngc.h
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/include/hw/misc/imx_rngc.h
@@ -XXX,XX +XXX,XX @@
 +/*
 + * Freescale i.MX RNGC emulation
 + *
 + * Copyright (C) 2020 Martin Kaiser <martin@kaiser.cx>
 + *
 + * This work is licensed under the terms of the GNU GPL, version 2 or later.
 + * See the COPYING file in the top-level directory.
 + */
 +
 +#ifndef IMX_RNGC_H
 +#define IMX_RNGC_H
 +
 +#include "hw/sysbus.h"
 +
 +#define TYPE_IMX_RNGC "imx.rngc"
 +#define IMX_RNGC(obj) OBJECT_CHECK(IMXRNGCState, (obj), TYPE_IMX_RNGC)
 +
 +typedef struct IMXRNGCState {
 +    /*< private >*/
 +    SysBusDevice parent_obj;
 +
 +    /*< public >*/
 +    MemoryRegion  iomem;
 +
 +    uint8_t op_self_test;
 +    uint8_t op_seed;
 +    uint8_t mask;
 +    bool    auto_seed;
 +
 +    QEMUBH *self_test_bh;
 +    QEMUBH *seed_bh;
 +    qemu_irq irq;
 +} IMXRNGCState;
 +
 +#endif /* IMX_RNGC_H */
 diff --git a/hw/arm/fsl-imx25.c b/hw/arm/fsl-imx25.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/fsl-imx25.c
 +++ b/hw/arm/fsl-imx25.c
@@ -XXX,XX +XXX,XX @@ static void fsl_imx25_init(Object *obj)
      sysbus_init_child_obj(obj, "fec", &s->fec, sizeof(s->fec), TYPE_IMX_FEC);
 +    sysbus_init_child_obj(obj, "rngc", &s->rngc, sizeof(s->rngc),
 +                          TYPE_IMX_RNGC);
 +
      for (i = 0; i < FSL_IMX25_NUM_I2CS; i++) {
          sysbus_init_child_obj(obj, "i2c[*]", &s->i2c[i], sizeof(s->i2c[i]),
                                TYPE_IMX_I2C);
@@ -XXX,XX +XXX,XX @@ static void fsl_imx25_realize(DeviceState *dev, Error **errp)
      sysbus_connect_irq(SYS_BUS_DEVICE(&s->fec), 0,
                         qdev_get_gpio_in(DEVICE(&s->avic), FSL_IMX25_FEC_IRQ));
 +    object_property_set_bool(OBJECT(&s->rngc), true, "realized", &err);
 +    if (err) {
 +        error_propagate(errp, err);
 +        return;
 +    }
 +    sysbus_mmio_map(SYS_BUS_DEVICE(&s->rngc), 0, FSL_IMX25_RNGC_ADDR);
 +    sysbus_connect_irq(SYS_BUS_DEVICE(&s->rngc), 0,
 +                       qdev_get_gpio_in(DEVICE(&s->avic), FSL_IMX25_RNGC_IRQ));
      /* Initialize all I2C */
      for (i = 0; i < FSL_IMX25_NUM_I2CS; i++) {
 diff --git a/hw/misc/imx_rngc.c b/hw/misc/imx_rngc.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/hw/misc/imx_rngc.c
@@ -XXX,XX +XXX,XX @@
 +/*
 + * Freescale i.MX RNGC emulation
 + *
 + * Copyright (C) 2020 Martin Kaiser <martin@kaiser.cx>
 + *
 + * This work is licensed under the terms of the GNU GPL, version 2 or later.
 + * See the COPYING file in the top-level directory.
 + *
 + * This driver provides the minimum functionality to initialize and seed
 + * an rngc and to read random numbers. The rngb that is found in imx25
 + * chipsets is also supported.
 + */
 +
 +#include "qemu/osdep.h"
 +#include "qemu/main-loop.h"
 +#include "qemu/module.h"
 +#include "qemu/log.h"
 +#include "qemu/guest-random.h"
 +#include "hw/irq.h"
 +#include "hw/misc/imx_rngc.h"
 +#include "migration/vmstate.h"
 +
 +#define RNGC_NAME "i.MX RNGC"
 +
 +#define RNGC_VER_ID  0x00
 +#define RNGC_COMMAND 0x04
 +#define RNGC_CONTROL 0x08
 +#define RNGC_STATUS  0x0C
 +#define RNGC_FIFO    0x14
 +
 +/* These version info are reported by the rngb in an imx258 chip. */
 +#define RNG_TYPE_RNGB 0x1
 +#define V_MAJ 0x2
 +#define V_MIN 0x40
 +
 +#define RNGC_CMD_BIT_SW_RST    0x40
 +#define RNGC_CMD_BIT_CLR_ERR   0x20
 +#define RNGC_CMD_BIT_CLR_INT   0x10
 +#define RNGC_CMD_BIT_SEED      0x02
 +#define RNGC_CMD_BIT_SELF_TEST 0x01
 +
 +#define RNGC_CTRL_BIT_MASK_ERR  0x40
 +#define RNGC_CTRL_BIT_MASK_DONE 0x20
 +#define RNGC_CTRL_BIT_AUTO_SEED 0x10
 +
 +/* the current status for self-test and seed operations */
 +#define OP_IDLE 0
 +#define OP_RUN  1
 +#define OP_DONE 2
 +
 +static uint64_t imx_rngc_read(void *opaque, hwaddr offset, unsigned size)
 +{
 +    IMXRNGCState *s = IMX_RNGC(opaque);
 +    uint64_t val = 0;
 +
 +    switch (offset) {
 +    case RNGC_VER_ID:
 +        val |= RNG_TYPE_RNGB << 28 | V_MAJ << 8 | V_MIN;
 +        break;
 +
 +    case RNGC_COMMAND:
 +        if (s->op_seed == OP_RUN) {
 +            val |= RNGC_CMD_BIT_SEED;
 +        }
 +        if (s->op_self_test == OP_RUN) {
 +            val |= RNGC_CMD_BIT_SELF_TEST;
 +        }
 +        break;
 +
 +    case RNGC_CONTROL:
 +        /*
 +         * The CTL_ACC and VERIF_MODE bits are not supported yet.
 +         * They read as 0.
 +         */
 +        val |= s->mask;
 +        if (s->auto_seed) {
 +            val |= RNGC_CTRL_BIT_AUTO_SEED;
 +        }
 +        /*
 +         * We don't have an internal fifo like the real hardware.
 +         * There's no need for strategy to handle fifo underflows.
 +         * We return the FIFO_UFLOW_RESPONSE bits as 0.
 +         */
 +        break;
 +
 +    case RNGC_STATUS:
 +        /*
 +         * We never report any statistics test or self-test errors or any
 +         * other errors. STAT_TEST_PF, ST_PF and ERROR are always 0.
 +         */
 +
 +        /*
 +         * We don't have an internal fifo, see above. Therefore, we
 +         * report back the default fifo size (5 32-bit words) and
 +         * indicate that our fifo is always full.
 +         */
 +        val |= 5 << 12 | 5 << 8;
 +
 +        /* We always have a new seed available. */
 +        val |= 1 << 6;
 +
 +        if (s->op_seed == OP_DONE) {
 +            val |= 1 << 5;
 +        }
 +        if (s->op_self_test == OP_DONE) {
 +            val |= 1 << 4;
 +        }
 +        if (s->op_seed == OP_RUN || s->op_self_test == OP_RUN) {
 +            /*
 +             * We're busy if self-test is running or if we're
 +             * seeding the prng.
 +             */
 +            val |= 1 << 1;
 +        } else {
-+            ret = fifo32_pop(&s->rx_fifo);
++            /*
-+        }
++             * We're ready to provide secure random numbers whenever
-         if (fifo32_is_empty(&s->rx_fifo)) {
++             * we're not busy.
-             s->regs[R_SPI_STATUS] |= S_RXFIFOEMP;
++             */
-         }
++            val |= 1;
 +        }
 +        break;
 +
 +    case RNGC_FIFO:
 +        qemu_guest_getrandom_nofail(&val, sizeof(val));
 +        break;
 +    }
 +
 +    return val;
 +}
 +
 +static void imx_rngc_do_reset(IMXRNGCState *s)
 +{
 +    s->op_self_test = OP_IDLE;
 +    s->op_seed = OP_IDLE;
 +    s->mask = 0;
 +    s->auto_seed = false;
 +}
 +
 +static void imx_rngc_write(void *opaque, hwaddr offset, uint64_t value,
 +                           unsigned size)
 +{
 +    IMXRNGCState *s = IMX_RNGC(opaque);
 +
 +    switch (offset) {
 +    case RNGC_COMMAND:
 +        if (value & RNGC_CMD_BIT_SW_RST) {
 +            imx_rngc_do_reset(s);
 +        }
 +
 +        /*
 +         * For now, both CLR_ERR and CLR_INT clear the interrupt. We
 +         * don't report any errors yet.
 +         */
 +        if (value & (RNGC_CMD_BIT_CLR_ERR | RNGC_CMD_BIT_CLR_INT)) {
 +            qemu_irq_lower(s->irq);
 +        }
 +
 +        if (value & RNGC_CMD_BIT_SEED) {
 +            s->op_seed = OP_RUN;
 +            qemu_bh_schedule(s->seed_bh);
 +        }
 +
 +        if (value & RNGC_CMD_BIT_SELF_TEST) {
 +            s->op_self_test = OP_RUN;
 +            qemu_bh_schedule(s->self_test_bh);
 +        }
 +        break;
 +
 +    case RNGC_CONTROL:
 +        /*
 +         * The CTL_ACC and VERIF_MODE bits are not supported yet.
 +         * We ignore them if they're set by the caller.
 +         */
 +
 +        if (value & RNGC_CTRL_BIT_MASK_ERR) {
 +            s->mask |= RNGC_CTRL_BIT_MASK_ERR;
 +        } else {
 +            s->mask &= ~RNGC_CTRL_BIT_MASK_ERR;
 +        }
 +
 +        if (value & RNGC_CTRL_BIT_MASK_DONE) {
 +            s->mask |= RNGC_CTRL_BIT_MASK_DONE;
 +        } else {
 +            s->mask &= ~RNGC_CTRL_BIT_MASK_DONE;
 +        }
 +
 +        if (value & RNGC_CTRL_BIT_AUTO_SEED) {
 +            s->auto_seed = true;
 +        } else {
 +            s->auto_seed = false;
 +        }
 +        break;
 +    }
 +}
 +
 +static const MemoryRegionOps imx_rngc_ops = {
 +    .read  = imx_rngc_read,
 +    .write = imx_rngc_write,
 +    .endianness = DEVICE_NATIVE_ENDIAN,
 +};
 +
 +static void imx_rngc_self_test(void *opaque)
 +{
 +    IMXRNGCState *s = IMX_RNGC(opaque);
 +
 +    s->op_self_test = OP_DONE;
 +    if (!(s->mask & RNGC_CTRL_BIT_MASK_DONE)) {
 +        qemu_irq_raise(s->irq);
 +    }
 +}
 +
 +static void imx_rngc_seed(void *opaque)
 +{
 +    IMXRNGCState *s = IMX_RNGC(opaque);
 +
 +    s->op_seed = OP_DONE;
 +    if (!(s->mask & RNGC_CTRL_BIT_MASK_DONE)) {
 +        qemu_irq_raise(s->irq);
 +    }
 +}
 +
 +static void imx_rngc_realize(DeviceState *dev, Error **errp)
 +{
 +    IMXRNGCState *s = IMX_RNGC(dev);
 +    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
 +
 +    memory_region_init_io(&s->iomem, OBJECT(s), &imx_rngc_ops, s,
 +                          TYPE_IMX_RNGC, 0x1000);
 +    sysbus_init_mmio(sbd, &s->iomem);
 +
 +    sysbus_init_irq(sbd, &s->irq);
 +    s->self_test_bh = qemu_bh_new(imx_rngc_self_test, s);
 +    s->seed_bh = qemu_bh_new(imx_rngc_seed, s);
 +}
 +
 +static void imx_rngc_reset(DeviceState *dev)
 +{
 +    IMXRNGCState *s = IMX_RNGC(dev);
 +
 +    imx_rngc_do_reset(s);
 +}
 +
 +static const VMStateDescription vmstate_imx_rngc = {
 +    .name = RNGC_NAME,
 +    .version_id = 1,
 +    .minimum_version_id = 1,
 +    .fields = (VMStateField[]) {
 +        VMSTATE_UINT8(op_self_test, IMXRNGCState),
 +        VMSTATE_UINT8(op_seed, IMXRNGCState),
 +        VMSTATE_UINT8(mask, IMXRNGCState),
 +        VMSTATE_BOOL(auto_seed, IMXRNGCState),
 +        VMSTATE_END_OF_LIST()
 +    }
 +};
 +
 +static void imx_rngc_class_init(ObjectClass *klass, void *data)
 +{
 +    DeviceClass *dc = DEVICE_CLASS(klass);
 +
 +    dc->realize = imx_rngc_realize;
 +    dc->reset = imx_rngc_reset;
 +    dc->desc = RNGC_NAME,
 +    dc->vmsd = &vmstate_imx_rngc;
 +}
 +
 +static const TypeInfo imx_rngc_info = {
 +    .name          = TYPE_IMX_RNGC,
 +    .parent        = TYPE_SYS_BUS_DEVICE,
 +    .instance_size = sizeof(IMXRNGCState),
 +    .class_init    = imx_rngc_class_init,
 +};
 +
 +static void imx_rngc_register_types(void)
 +{
 +    type_register_static(&imx_rngc_info);
 +}
 +
 +type_init(imx_rngc_register_types)
 --
 .20.1

-[Qemu-devel] [PULL 04/10] hw/ssi/xilinx_spips: Avoid out-of-bound access to lqspi_buf[]
+[PULL 12/15] target/arm: adjust program counter for wfi exception in AArch32
-From: Philippe Mathieu-Daudé <philmd@redhat.com>
+From: Jeff Kubascik <jeff.kubascik@dornerworks.com>
-Both lqspi_read() and lqspi_load_cache() expect a 32-bit
+The wfi instruction can be configured to be trapped by a higher exception
-aligned address.
+level, such as the EL2 hypervisor. When the instruction is trapped, the
 program counter should contain the address of the wfi instruction that
 caused the exception. The program counter is adjusted for this in the wfi op
 helper function.
->From UG1085 datasheet [*] chapter on 'Quad-SPI Controller':
+However, this correction is done to env->pc, which only applies to AArch64
 mode. For AArch32, the program counter is stored in env->regs[15]. This
 adds an if-else statement to modify the correct program counter location
 based on the the current CPU mode.
-  Transfer Size Limitations
+Signed-off-by: Jeff Kubascik <jeff.kubascik@dornerworks.com>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
     Because of the 32-bit wide TX, RX, and generic FIFO, all
     APB/AXI transfers must be an integer multiple of 4-bytes.
     Shorter transfers are not possible.
 Set MemoryRegionOps.impl values to force 32-bit accesses,
 this way we are sure we do not access the lqspi_buf[] array
 out of bound.
 [*] https://www.xilinx.com/support/documentation/user_guides/ug1085-zynq-ultrascale-trm.pdf
 Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
 Tested-by: Francisco Iglesias <frasse.iglesias@gmail.com>
 Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/ssi/xilinx_spips.c | 4 ++++
+ target/arm/op_helper.c | 7 ++++++-
-file changed, 4 insertions(+)
+file changed, 6 insertions(+), 1 deletion(-)
-diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
+diff --git a/target/arm/op_helper.c b/target/arm/op_helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/ssi/xilinx_spips.c
+--- a/target/arm/op_helper.c
-+++ b/hw/ssi/xilinx_spips.c
++++ b/target/arm/op_helper.c
-@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps lqspi_ops = {
+@@ -XXX,XX +XXX,XX @@ void HELPER(wfi)(CPUARMState *env, uint32_t insn_len)
-     .read_with_attrs = lqspi_read,
+     }
-     .write_with_attrs = lqspi_write,
-     .endianness = DEVICE_NATIVE_ENDIAN,
+     if (target_el) {
-+    .impl = {
+-        env->pc -= insn_len;
-+        .min_access_size = 4,
++        if (env->aarch64) {
-+        .max_access_size = 4,
++            env->pc -= insn_len;
-+    },
++        } else {
-     .valid = {
++            env->regs[15] -= insn_len;
-         .min_access_size = 1,
++        }
-         .max_access_size = 4
++
          raise_exception(env, EXCP_UDEF, syn_wfx(1, 0xe, 0, insn_len == 2),
                          target_el);
      }
 --
 .20.1

-[Qemu-devel] [PULL 02/10] hw/ssi/xilinx_spips: Convert lqspi_read() to read_with_attrs
+[PULL 13/15] arm/gicv3: update virtual irq state after IAR register read
-From: Philippe Mathieu-Daudé <philmd@redhat.com>
+From: Jeff Kubascik <jeff.kubascik@dornerworks.com>
-In the next commit we will implement the write_with_attrs()
+The IAR0/IAR1 register is used to acknowledge an interrupt - a read of the
-handler. To avoid using different APIs, convert the read()
+register activates the highest priority pending interrupt and provides its
-handler first.
+interrupt ID. Activating an interrupt can change the CPU's virtual interrupt
 state - this change makes sure the virtual irq state is updated.
-Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
+Signed-off-by: Jeff Kubascik <jeff.kubascik@dornerworks.com>
-Tested-by: Francisco Iglesias <frasse.iglesias@gmail.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20200113154607.97032-1-jeff.kubascik@dornerworks.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/ssi/xilinx_spips.c | 23 +++++++++++------------
+ hw/intc/arm_gicv3_cpuif.c | 3 +++
-file changed, 11 insertions(+), 12 deletions(-)
+file changed, 3 insertions(+)
-diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
+diff --git a/hw/intc/arm_gicv3_cpuif.c b/hw/intc/arm_gicv3_cpuif.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/ssi/xilinx_spips.c
+--- a/hw/intc/arm_gicv3_cpuif.c
-+++ b/hw/ssi/xilinx_spips.c
++++ b/hw/intc/arm_gicv3_cpuif.c
-@@ -XXX,XX +XXX,XX @@ static void lqspi_load_cache(void *opaque, hwaddr addr)
+@@ -XXX,XX +XXX,XX @@ static uint64_t icv_iar_read(CPUARMState *env, const ARMCPRegInfo *ri)
-     }
      trace_gicv3_icv_iar_read(ri->crm == 8 ? 0 : 1,
                               gicv3_redist_affid(cs), intid);
 +
 +    gicv3_cpuif_virt_update(cs);
 +
      return intid;
  }
--static uint64_t
--lqspi_read(void *opaque, hwaddr addr, unsigned int size)
-+static MemTxResult lqspi_read(void *opaque, hwaddr addr, uint64_t *value,
-+                              unsigned size, MemTxAttrs attrs)
- {
--    XilinxQSPIPS *q = opaque;
--    uint32_t ret;
-+    XilinxQSPIPS *q = XILINX_QSPIPS(opaque);
-     if (addr >= q->lqspi_cached_addr &&
-             addr <= q->lqspi_cached_addr + LQSPI_CACHE_SIZE - 4) {
-         uint8_t *retp = &q->lqspi_buf[addr - q->lqspi_cached_addr];
--        ret = cpu_to_le32(*(uint32_t *)retp);
--        DB_PRINT_L(1, "addr: %08x, data: %08x\n", (unsigned)addr,
--                   (unsigned)ret);
--        return ret;
--    } else {
--        lqspi_load_cache(opaque, addr);
--        return lqspi_read(opaque, addr, size);
-+        *value = cpu_to_le32(*(uint32_t *)retp);
-+        DB_PRINT_L(1, "addr: %08" HWADDR_PRIx ", data: %08" PRIx64 "\n",
-+                   addr, *value);
-+        return MEMTX_OK;
-     }
-+
-+    lqspi_load_cache(opaque, addr);
-+    return lqspi_read(opaque, addr, value, size, attrs);
- }
- static const MemoryRegionOps lqspi_ops = {
--    .read = lqspi_read,
-+    .read_with_attrs = lqspi_read,
-     .endianness = DEVICE_NATIVE_ENDIAN,
-     .valid = {
-         .min_access_size = 1,
 --
 .20.1

-[Qemu-devel] [PULL 07/10] hw/arm/virt: Fix non-secure flash mode
+[PULL 14/15] target/arm: Return correct IL bit in merge_syn_data_abort
-From: David Engraf <david.engraf@sysgo.com>
+From: Jeff Kubascik <jeff.kubascik@dornerworks.com>
-Using the whole 128 MiB flash in non-secure mode is not working because
+The IL bit is set for 32-bit instructions, thus passing false
-virt_flash_fdt() expects the same address for secure_sysmem and sysmem.
+with the is_16bit parameter to syn_data_abort_with_iss() makes
-This is not correctly handled by caller because it forwards NULL for
+a syn mask that always has the IL bit set.
 secure_sysmem in non-secure flash mode.
-Fixed by using sysmem when secure_sysmem is NULL.
+Pass is_16bit as true to make the initial syn mask have IL=0,
 so that the final IL value comes from or'ing template_syn.
-Signed-off-by: David Engraf <david.engraf@sysgo.com>
+Cc: qemu-stable@nongnu.org
-Message-id: 20190712075002.14326-1-david.engraf@sysgo.com
+Fixes: aaa1f954d4ca ("target-arm: A64: Create Instruction Syndromes for Data Aborts")
 Signed-off-by: Jeff Kubascik <jeff.kubascik@dornerworks.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20200117004618.2742-2-richard.henderson@linaro.org
 [rth: Extracted this as a self-contained bug fix from a larger patch]
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/virt.c | 2 +-
+ target/arm/tlb_helper.c | 2 +-
 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/hw/arm/virt.c b/hw/arm/virt.c
+diff --git a/target/arm/tlb_helper.c b/target/arm/tlb_helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/virt.c
+--- a/target/arm/tlb_helper.c
-+++ b/hw/arm/virt.c
++++ b/target/arm/tlb_helper.c
-@@ -XXX,XX +XXX,XX @@ static void machvirt_init(MachineState *machine)
+@@ -XXX,XX +XXX,XX @@ static inline uint32_t merge_syn_data_abort(uint32_t template_syn,
-                                     &machine->device_memory->mr);
+         syn = syn_data_abort_with_iss(same_el,
 , 0, 0, 0, 0,
                                        ea, 0, s1ptw, is_write, fsc,
 -                                      false);
 +                                      true);
          /* Merge the runtime syndrome with the template syndrome.  */
          syn |= template_syn;
      }
--    virt_flash_fdt(vms, sysmem, secure_sysmem);
-+    virt_flash_fdt(vms, sysmem, secure_sysmem ?: sysmem);
-     create_gic(vms, pic);
 --
 .20.1

-[Qemu-devel] [PULL 01/10] target/arm: report ARMv8-A FP support for AArch32 -cpu max
+[PULL 15/15] target/arm: Set ISSIs16Bit in make_issinfo
-From: Alex Bennée <alex.bennee@linaro.org>
+From: Richard Henderson <richard.henderson@linaro.org>
-When we converted to using feature bits in 602f6e42cfbf we missed out
+During the conversion to decodetree, the setting of
-the fact (dp && arm_dc_feature(s, ARM_FEATURE_V8)) was supported for
+ISSIs16Bit got lost.  This causes the guest os to
--cpu max configurations. This caused a regression in the GCC test
+incorrectly adjust trapping memory operations.
 suite. Fix this by setting the appropriate bits in mvfr1.FPHP to
 report ARMv8-A with FP support (but not ARMv8.2-FP16).
-Fixes: https://bugs.launchpad.net/qemu/+bug/1836078
+Cc: qemu-stable@nongnu.org
-Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
+Fixes: 46beb58efbb8a2a32 ("target/arm: Convert T16, load (literal)")
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reported-by: Jeff Kubascik <jeff.kubascik@dornerworks.com>
-Message-id: 20190711103737.10017-1-alex.bennee@linaro.org
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20200117004618.2742-3-richard.henderson@linaro.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/cpu.c | 4 ++++
+ target/arm/translate.c | 3 +++
-file changed, 4 insertions(+)
+file changed, 3 insertions(+)
-diff --git a/target/arm/cpu.c b/target/arm/cpu.c
+diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.c
+--- a/target/arm/translate.c
-+++ b/target/arm/cpu.c
++++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ static void arm_max_initfn(Object *obj)
+@@ -XXX,XX +XXX,XX @@ static ISSInfo make_issinfo(DisasContext *s, int rd, bool p, bool w)
-             t = FIELD_DP32(t, ID_ISAR6, SPECRES, 1);
+     /* ISS not valid if writeback */
-             cpu->isar.id_isar6 = t;
+     if (p && !w) {
+         ret = rd;
-+            t = cpu->isar.mvfr1;
++        if (s->base.pc_next - s->pc_curr == 2) {
-+            t = FIELD_DP32(t, MVFR1, FPHP, 2);     /* v8.0 FP support */
++            ret |= ISSIs16Bit;
-+            cpu->isar.mvfr1 = t;
++        }
-+
+     } else {
-             t = cpu->isar.mvfr2;
+         ret = ISSInvalid;
-             t = FIELD_DP32(t, MVFR2, SIMDMISC, 3); /* SIMD MaxNum */
+     }
              t = FIELD_DP32(t, MVFR2, FPMISC, 4);   /* FP MaxNum */
 --
 .20.1

target-arm queue for rc1 -- these are all bug fixes.

thanks
-- PMM

The following changes since commit b9404bf592e7ba74180e1a54ed7a266ec6ee67f2:

Merge remote-tracking branch 'remotes/dgilbert/tags/pull-hmp-20190715' into staging (2019-07-15 12:22:07 +0100)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20190715

for you to fetch changes up to 51c9122e92b776a3f16af0b9282f1dc5012e2a19:

target/arm: NS BusFault on vector table fetch escalates to NS HardFault (2019-07-15 14:17:04 +0100)

----------------------------------------------------------------
target-arm queue:
 * report ARMv8-A FP support for AArch32 -cpu max
 * hw/ssi/xilinx_spips: Avoid AXI writes to the LQSPI linear memory
 * hw/ssi/xilinx_spips: Avoid out-of-bound access to lqspi_buf[]
 * hw/ssi/mss-spi: Avoid crash when reading empty RX FIFO
 * hw/display/xlnx_dp: Avoid crash when reading empty RX FIFO
 * hw/arm/virt: Fix non-secure flash mode
 * pl031: Correctly migrate state when using -rtc clock=host
 * fix regression that meant arm926 and arm1026 lost VFP
   double-precision support
 * v8M: NS BusFault on vector table fetch escalates to NS HardFault

----------------------------------------------------------------
Alex Bennée (1):
      target/arm: report ARMv8-A FP support for AArch32 -cpu max

David Engraf (1):
      hw/arm/virt: Fix non-secure flash mode

Peter Maydell (3):
      pl031: Correctly migrate state when using -rtc clock=host
      target/arm: Set VFP-related MVFR0 fields for arm926 and arm1026
      target/arm: NS BusFault on vector table fetch escalates to NS HardFault

Philippe Mathieu-Daudé (5):
      hw/ssi/xilinx_spips: Convert lqspi_read() to read_with_attrs
      hw/ssi/xilinx_spips: Avoid AXI writes to the LQSPI linear memory
      hw/ssi/xilinx_spips: Avoid out-of-bound access to lqspi_buf[]
      hw/ssi/mss-spi: Avoid crash when reading empty RX FIFO
      hw/display/xlnx_dp: Avoid crash when reading empty RX FIFO

From: Alex Bennée <alex.bennee@linaro.org>

When we converted to using feature bits in 602f6e42cfbf we missed out
the fact (dp && arm_dc_feature(s, ARM_FEATURE_V8)) was supported for
-cpu max configurations. This caused a regression in the GCC test
suite. Fix this by setting the appropriate bits in mvfr1.FPHP to
report ARMv8-A with FP support (but not ARMv8.2-FP16).

Fixes: https://bugs.launchpad.net/qemu/+bug/1836078
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20190711103737.10017-1-alex.bennee@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_max_initfn(Object *obj)
             t = FIELD_DP32(t, ID_ISAR6, SPECRES, 1);
             cpu->isar.id_isar6 = t;
 
+            t = cpu->isar.mvfr1;
+            t = FIELD_DP32(t, MVFR1, FPHP, 2);     /* v8.0 FP support */
+            cpu->isar.mvfr1 = t;
+
             t = cpu->isar.mvfr2;
             t = FIELD_DP32(t, MVFR2, SIMDMISC, 3); /* SIMD MaxNum */
             t = FIELD_DP32(t, MVFR2, FPMISC, 4);   /* FP MaxNum */
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

In the next commit we will implement the write_with_attrs()
handler. To avoid using different APIs, convert the read()
handler first.

Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
Tested-by: Francisco Iglesias <frasse.iglesias@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/ssi/xilinx_spips.c | 23 +++++++++++------------
 1 file changed, 11 insertions(+), 12 deletions(-)

diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/ssi/xilinx_spips.c
+++ b/hw/ssi/xilinx_spips.c
@@ -XXX,XX +XXX,XX @@ static void lqspi_load_cache(void *opaque, hwaddr addr)
     }
 }
 
-static uint64_t
-lqspi_read(void *opaque, hwaddr addr, unsigned int size)
+static MemTxResult lqspi_read(void *opaque, hwaddr addr, uint64_t *value,
+                              unsigned size, MemTxAttrs attrs)
 {
-    XilinxQSPIPS *q = opaque;
-    uint32_t ret;
+    XilinxQSPIPS *q = XILINX_QSPIPS(opaque);
 
     if (addr >= q->lqspi_cached_addr &&
             addr <= q->lqspi_cached_addr + LQSPI_CACHE_SIZE - 4) {
         uint8_t *retp = &q->lqspi_buf[addr - q->lqspi_cached_addr];
-        ret = cpu_to_le32(*(uint32_t *)retp);
-        DB_PRINT_L(1, "addr: %08x, data: %08x\n", (unsigned)addr,
-                   (unsigned)ret);
-        return ret;
-    } else {
-        lqspi_load_cache(opaque, addr);
-        return lqspi_read(opaque, addr, size);
+        *value = cpu_to_le32(*(uint32_t *)retp);
+        DB_PRINT_L(1, "addr: %08" HWADDR_PRIx ", data: %08" PRIx64 "\n",
+                   addr, *value);
+        return MEMTX_OK;
     }
+
+    lqspi_load_cache(opaque, addr);
+    return lqspi_read(opaque, addr, value, size, attrs);
 }
 
 static const MemoryRegionOps lqspi_ops = {
-    .read = lqspi_read,
+    .read_with_attrs = lqspi_read,
     .endianness = DEVICE_NATIVE_ENDIAN,
     .valid = {
         .min_access_size = 1,
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

Lei Sun found while auditing the code that a CPU write would
trigger a NULL pointer dereference.

>From UG1085 datasheet [*] AXI writes in this region are ignored
and generates an AXI Slave Error (SLVERR).

Fix by implementing the write_with_attrs() handler.
Return MEMTX_ERROR when the region is accessed (this error maps
to an AXI slave error).

[*] https://www.xilinx.com/support/documentation/user_guides/ug1085-zynq-ultrascale-trm.pdf

Reported-by: Lei Sun <slei.casper@gmail.com>
Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
Tested-by: Francisco Iglesias <frasse.iglesias@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/ssi/xilinx_spips.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/ssi/xilinx_spips.c
+++ b/hw/ssi/xilinx_spips.c
@@ -XXX,XX +XXX,XX @@ static MemTxResult lqspi_read(void *opaque, hwaddr addr, uint64_t *value,
     return lqspi_read(opaque, addr, value, size, attrs);
 }
 
+static MemTxResult lqspi_write(void *opaque, hwaddr offset, uint64_t value,
+                               unsigned size, MemTxAttrs attrs)
+{
+    /*
+     * From UG1085, Chapter 24 (Quad-SPI controllers):
+     * - Writes are ignored
+     * - AXI writes generate an external AXI slave error (SLVERR)
+     */
+    qemu_log_mask(LOG_GUEST_ERROR, "%s Unexpected %u-bit access to 0x%" PRIx64
+                                   " (value: 0x%" PRIx64 "\n",
+                  __func__, size << 3, offset, value);
+
+    return MEMTX_ERROR;
+}
+
 static const MemoryRegionOps lqspi_ops = {
     .read_with_attrs = lqspi_read,
+    .write_with_attrs = lqspi_write,
     .endianness = DEVICE_NATIVE_ENDIAN,
     .valid = {
         .min_access_size = 1,
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

Both lqspi_read() and lqspi_load_cache() expect a 32-bit
aligned address.

>From UG1085 datasheet [*] chapter on 'Quad-SPI Controller':

Transfer Size Limitations

Because of the 32-bit wide TX, RX, and generic FIFO, all
    APB/AXI transfers must be an integer multiple of 4-bytes.
    Shorter transfers are not possible.

Set MemoryRegionOps.impl values to force 32-bit accesses,
this way we are sure we do not access the lqspi_buf[] array
out of bound.

[*] https://www.xilinx.com/support/documentation/user_guides/ug1085-zynq-ultrascale-trm.pdf

diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/ssi/xilinx_spips.c
+++ b/hw/ssi/xilinx_spips.c
@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps lqspi_ops = {
     .read_with_attrs = lqspi_read,
     .write_with_attrs = lqspi_write,
     .endianness = DEVICE_NATIVE_ENDIAN,
+    .impl = {
+        .min_access_size = 4,
+        .max_access_size = 4,
+    },
     .valid = {
         .min_access_size = 1,
         .max_access_size = 4
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

Reading the RX_DATA register when the RX_FIFO is empty triggers
an abort. This can be easily reproduced:

$ qemu-system-arm -M emcraft-sf2 -monitor stdio -S
  QEMU 4.0.50 monitor - type 'help' for more information
  (qemu) x 0x40001010
  Aborted (core dumped)

(gdb) bt
  #1  0x00007f035874f895 in abort () at /lib64/libc.so.6
  #2  0x00005628686591ff in fifo8_pop (fifo=0x56286a9a4c68) at util/fifo8.c:66
  #3  0x00005628683e0b8e in fifo32_pop (fifo=0x56286a9a4c68) at include/qemu/fifo32.h:137
  #4  0x00005628683e0efb in spi_read (opaque=0x56286a9a4850, addr=4, size=4) at hw/ssi/mss-spi.c:168
  #5  0x0000562867f96801 in memory_region_read_accessor (mr=0x56286a9a4b60, addr=16, value=0x7ffeecb0c5c8, size=4, shift=0, mask=4294967295, attrs=...) at memory.c:439
  #6  0x0000562867f96cdb in access_with_adjusted_size (addr=16, value=0x7ffeecb0c5c8, size=4, access_size_min=1, access_size_max=4, access_fn=0x562867f967c3 <memory_region_read_accessor>, mr=0x56286a9a4b60, attrs=...) at memory.c:569
  #7  0x0000562867f99940 in memory_region_dispatch_read1 (mr=0x56286a9a4b60, addr=16, pval=0x7ffeecb0c5c8, size=4, attrs=...) at memory.c:1420
  #8  0x0000562867f99a08 in memory_region_dispatch_read (mr=0x56286a9a4b60, addr=16, pval=0x7ffeecb0c5c8, size=4, attrs=...) at memory.c:1447
  #9  0x0000562867f38721 in flatview_read_continue (fv=0x56286aec6360, addr=1073745936, attrs=..., buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4, addr1=16, l=4, mr=0x56286a9a4b60) at exec.c:3385
  #10 0x0000562867f38874 in flatview_read (fv=0x56286aec6360, addr=1073745936, attrs=..., buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4) at exec.c:3423
  #11 0x0000562867f388ea in address_space_read_full (as=0x56286aa3e890, addr=1073745936, attrs=..., buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4) at exec.c:3436
  #12 0x0000562867f389c5 in address_space_rw (as=0x56286aa3e890, addr=1073745936, attrs=..., buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4, is_write=false) at exec.c:3466
  #13 0x0000562867f3bdd7 in cpu_memory_rw_debug (cpu=0x56286aa19d00, addr=1073745936, buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4, is_write=0) at exec.c:3976
  #14 0x000056286811ed51 in memory_dump (mon=0x56286a8c32d0, count=1, format=120, wsize=4, addr=1073745936, is_physical=0) at monitor/misc.c:730
  #15 0x000056286811eff1 in hmp_memory_dump (mon=0x56286a8c32d0, qdict=0x56286b15c400) at monitor/misc.c:785
  #16 0x00005628684740ee in handle_hmp_command (mon=0x56286a8c32d0, cmdline=0x56286a8caeb2 "0x40001010") at monitor/hmp.c:1082

From the datasheet "Actel SmartFusion Microcontroller Subsystem
User's Guide" Rev.1, Table 13-3 "SPI Register Summary", this
register has a reset value of 0.

Check the FIFO is not empty before accessing it, else log an
error message.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20190709113715.7761-3-philmd@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/ssi/mss-spi.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/hw/ssi/mss-spi.c b/hw/ssi/mss-spi.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/ssi/mss-spi.c
+++ b/hw/ssi/mss-spi.c
@@ -XXX,XX +XXX,XX @@ spi_read(void *opaque, hwaddr addr, unsigned int size)
     case R_SPI_RX:
         s->regs[R_SPI_STATUS] &= ~S_RXFIFOFUL;
         s->regs[R_SPI_STATUS] &= ~S_RXCHOVRF;
-        ret = fifo32_pop(&s->rx_fifo);
+        if (fifo32_is_empty(&s->rx_fifo)) {
+            qemu_log_mask(LOG_GUEST_ERROR,
+                          "%s: Reading empty RX_FIFO\n",
+                          __func__);
+        } else {
+            ret = fifo32_pop(&s->rx_fifo);
+        }
         if (fifo32_is_empty(&s->rx_fifo)) {
             s->regs[R_SPI_STATUS] |= S_RXFIFOEMP;
         }
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

In the previous commit we fixed a crash when the guest read a
register that pop from an empty FIFO.
By auditing the repository, we found another similar use with
an easy way to reproduce:

$ qemu-system-aarch64 -M xlnx-zcu102 -monitor stdio -S
  QEMU 4.0.50 monitor - type 'help' for more information
  (qemu) xp/b 0xfd4a0134
  Aborted (core dumped)

(gdb) bt
  #0  0x00007f6936dea57f in raise () at /lib64/libc.so.6
  #1  0x00007f6936dd4895 in abort () at /lib64/libc.so.6
  #2  0x0000561ad32975ec in xlnx_dp_aux_pop_rx_fifo (s=0x7f692babee70) at hw/display/xlnx_dp.c:431
  #3  0x0000561ad3297dc0 in xlnx_dp_read (opaque=0x7f692babee70, offset=77, size=4) at hw/display/xlnx_dp.c:667
  #4  0x0000561ad321b896 in memory_region_read_accessor (mr=0x7f692babf620, addr=308, value=0x7ffe05c1db88, size=4, shift=0, mask=4294967295, attrs=...) at memory.c:439
  #5  0x0000561ad321bd70 in access_with_adjusted_size (addr=308, value=0x7ffe05c1db88, size=1, access_size_min=4, access_size_max=4, access_fn=0x561ad321b858 <memory_region_read_accessor>, mr=0x7f692babf620, attrs=...) at memory.c:569
  #6  0x0000561ad321e9d5 in memory_region_dispatch_read1 (mr=0x7f692babf620, addr=308, pval=0x7ffe05c1db88, size=1, attrs=...) at memory.c:1420
  #7  0x0000561ad321ea9d in memory_region_dispatch_read (mr=0x7f692babf620, addr=308, pval=0x7ffe05c1db88, size=1, attrs=...) at memory.c:1447
  #8  0x0000561ad31bd742 in flatview_read_continue (fv=0x561ad69c04f0, addr=4249485620, attrs=..., buf=0x7ffe05c1dcf0 "\020\335\301\005\376\177", len=1, addr1=308, l=1, mr=0x7f692babf620) at exec.c:3385
  #9  0x0000561ad31bd895 in flatview_read (fv=0x561ad69c04f0, addr=4249485620, attrs=..., buf=0x7ffe05c1dcf0 "\020\335\301\005\376\177", len=1) at exec.c:3423
  #10 0x0000561ad31bd90b in address_space_read_full (as=0x561ad5bb3020, addr=4249485620, attrs=..., buf=0x7ffe05c1dcf0 "\020\335\301\005\376\177", len=1) at exec.c:3436
  #11 0x0000561ad33b1c42 in address_space_read (len=1, buf=0x7ffe05c1dcf0 "\020\335\301\005\376\177", attrs=..., addr=4249485620, as=0x561ad5bb3020) at include/exec/memory.h:2131
  #12 0x0000561ad33b1c42 in memory_dump (mon=0x561ad59c4530, count=1, format=120, wsize=1, addr=4249485620, is_physical=1) at monitor/misc.c:723
  #13 0x0000561ad33b1fc1 in hmp_physical_memory_dump (mon=0x561ad59c4530, qdict=0x561ad6c6fd00) at monitor/misc.c:795
  #14 0x0000561ad37b4a9f in handle_hmp_command (mon=0x561ad59c4530, cmdline=0x561ad59d0f22 "/b 0x00000000fd4a0134") at monitor/hmp.c:1082

Fix by checking the FIFO is not empty before popping from it.

The datasheet is not clear about the reset value of this register,
we choose to return '0'.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20190709113715.7761-4-philmd@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/display/xlnx_dp.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/hw/display/xlnx_dp.c b/hw/display/xlnx_dp.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/display/xlnx_dp.c
+++ b/hw/display/xlnx_dp.c
@@ -XXX,XX +XXX,XX @@ static uint8_t xlnx_dp_aux_pop_rx_fifo(XlnxDPState *s)
     uint8_t ret;
 
     if (fifo8_is_empty(&s->rx_fifo)) {
-        DPRINTF("rx_fifo underflow..\n");
-        abort();
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "%s: Reading empty RX_FIFO\n",
+                      __func__);
+        /*
+         * The datasheet is not clear about the reset value, it seems
+         * to be unspecified. We choose to return '0'.
+         */
+        ret = 0;
+    } else {
+        ret = fifo8_pop(&s->rx_fifo);
+        DPRINTF("pop 0x%" PRIX8 " from rx_fifo.\n", ret);
     }
-    ret = fifo8_pop(&s->rx_fifo);
-    DPRINTF("pop 0x%" PRIX8 " from rx_fifo.\n", ret);
     return ret;
 }
 
-- 
2.20.1

From: David Engraf <david.engraf@sysgo.com>

Using the whole 128 MiB flash in non-secure mode is not working because
virt_flash_fdt() expects the same address for secure_sysmem and sysmem.
This is not correctly handled by caller because it forwards NULL for
secure_sysmem in non-secure flash mode.

Fixed by using sysmem when secure_sysmem is NULL.

Signed-off-by: David Engraf <david.engraf@sysgo.com>
Message-id: 20190712075002.14326-1-david.engraf@sysgo.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/virt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@ static void machvirt_init(MachineState *machine)
                                     &machine->device_memory->mr);
     }
 
-    virt_flash_fdt(vms, sysmem, secure_sysmem);
+    virt_flash_fdt(vms, sysmem, secure_sysmem ?: sysmem);
 
     create_gic(vms, pic);
 
-- 
2.20.1

The PL031 RTC tracks the difference between the guest RTC
and the host RTC using a tick_offset field. For migration,
however, we currently always migrate the offset between
the guest and the vm_clock, even if the RTC clock is not
the same as the vm_clock; this was an attempt to retain
migration backwards compatibility.

Unfortunately this results in the RTC behaving oddly across
a VM state save and restore -- since the VM clock stands still
across save-then-restore, regardless of how much real world
time has elapsed, the guest RTC ends up out of sync with the
host RTC in the restored VM.

Fix this by migrating the raw tick_offset. To retain migration
compatibility as far as possible, we have a new property
migrate-tick-offset; by default this is 'true' and we will
migrate the true tick offset in a new subsection; if the
incoming data has no subsection we fall back to the old
vm_clock-based offset information, so old->new migration
compatibility is preserved. For complete new->old migration
compatibility, the property is set to 'false' for 4.0 and
earlier machine types (this will only affect 'virt-4.0'
and below, as none of the other pl031-using machines are
versioned).

Reported-by: Russell King <rmk@armlinux.org.uk>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-id: 20190709143912.28905-1-peter.maydell@linaro.org
---
 include/hw/timer/pl031.h |  2 +
 hw/core/machine.c        |  1 +
 hw/timer/pl031.c         | 92 ++++++++++++++++++++++++++++++++++++++--
 3 files changed, 91 insertions(+), 4 deletions(-)

diff --git a/include/hw/timer/pl031.h b/include/hw/timer/pl031.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/timer/pl031.h
+++ b/include/hw/timer/pl031.h
@@ -XXX,XX +XXX,XX @@ typedef struct PL031State {
      */
     uint32_t tick_offset_vmstate;
     uint32_t tick_offset;
+    bool tick_offset_migrated;
+    bool migrate_tick_offset;
 
     uint32_t mr;
     uint32_t lr;
diff --git a/hw/core/machine.c b/hw/core/machine.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/core/machine.c
+++ b/hw/core/machine.c
@@ -XXX,XX +XXX,XX @@ GlobalProperty hw_compat_4_0[] = {
     { "virtio-gpu-pci", "edid", "false" },
     { "virtio-device", "use-started", "false" },
     { "virtio-balloon-device", "qemu-4-0-config-size", "true" },
+    { "pl031", "migrate-tick-offset", "false" },
 };
 const size_t hw_compat_4_0_len = G_N_ELEMENTS(hw_compat_4_0);
 
diff --git a/hw/timer/pl031.c b/hw/timer/pl031.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/timer/pl031.c
+++ b/hw/timer/pl031.c
@@ -XXX,XX +XXX,XX @@ static int pl031_pre_save(void *opaque)
 {
     PL031State *s = opaque;
 
-    /* tick_offset is base_time - rtc_clock base time.  Instead, we want to
-     * store the base time relative to the QEMU_CLOCK_VIRTUAL for backwards-compatibility.  */
+    /*
+     * The PL031 device model code uses the tick_offset field, which is
+     * the offset between what the guest RTC should read and what the
+     * QEMU rtc_clock reads:
+     *  guest_rtc = rtc_clock + tick_offset
+     * and so
+     *  tick_offset = guest_rtc - rtc_clock
+     *
+     * We want to migrate this offset, which sounds straightforward.
+     * Unfortunately older versions of QEMU migrated a conversion of this
+     * offset into an offset from the vm_clock. (This was in turn an
+     * attempt to be compatible with even older QEMU versions, but it
+     * has incorrect behaviour if the rtc_clock is not the same as the
+     * vm_clock.) So we put the actual tick_offset into a migration
+     * subsection, and the backwards-compatible time-relative-to-vm_clock
+     * in the main migration state.
+     *
+     * Calculate base time relative to QEMU_CLOCK_VIRTUAL:
+     */
     int64_t delta = qemu_clock_get_ns(rtc_clock) - qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
     s->tick_offset_vmstate = s->tick_offset + delta / NANOSECONDS_PER_SECOND;
 
     return 0;
 }
 
+static int pl031_pre_load(void *opaque)
+{
+    PL031State *s = opaque;
+
+    s->tick_offset_migrated = false;
+    return 0;
+}
+
 static int pl031_post_load(void *opaque, int version_id)
 {
     PL031State *s = opaque;
 
-    int64_t delta = qemu_clock_get_ns(rtc_clock) - qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
-    s->tick_offset = s->tick_offset_vmstate - delta / NANOSECONDS_PER_SECOND;
+    /*
+     * If we got the tick_offset subsection, then we can just use
+     * the value in that. Otherwise the source is an older QEMU and
+     * has given us the offset from the vm_clock; convert it back to
+     * an offset from the rtc_clock. This will cause time to incorrectly
+     * go backwards compared to the host RTC, but this is unavoidable.
+     */
+
+    if (!s->tick_offset_migrated) {
+        int64_t delta = qemu_clock_get_ns(rtc_clock) -
+            qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
+        s->tick_offset = s->tick_offset_vmstate -
+            delta / NANOSECONDS_PER_SECOND;
+    }
     pl031_set_alarm(s);
     return 0;
 }
 
+static int pl031_tick_offset_post_load(void *opaque, int version_id)
+{
+    PL031State *s = opaque;
+
+    s->tick_offset_migrated = true;
+    return 0;
+}
+
+static bool pl031_tick_offset_needed(void *opaque)
+{
+    PL031State *s = opaque;
+
+    return s->migrate_tick_offset;
+}
+
+static const VMStateDescription vmstate_pl031_tick_offset = {
+    .name = "pl031/tick-offset",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .needed = pl031_tick_offset_needed,
+    .post_load = pl031_tick_offset_post_load,
+    .fields = (VMStateField[]) {
+        VMSTATE_UINT32(tick_offset, PL031State),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
 static const VMStateDescription vmstate_pl031 = {
     .name = "pl031",
     .version_id = 1,
     .minimum_version_id = 1,
     .pre_save = pl031_pre_save,
+    .pre_load = pl031_pre_load,
     .post_load = pl031_post_load,
     .fields = (VMStateField[]) {
         VMSTATE_UINT32(tick_offset_vmstate, PL031State),
@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_pl031 = {
         VMSTATE_UINT32(im, PL031State),
         VMSTATE_UINT32(is, PL031State),
         VMSTATE_END_OF_LIST()
+    },
+    .subsections = (const VMStateDescription*[]) {
+        &vmstate_pl031_tick_offset,
+        NULL
     }
 };
 
+static Property pl031_properties[] = {
+    /*
+     * True to correctly migrate the tick offset of the RTC. False to
+     * obtain backward migration compatibility with older QEMU versions,
+     * at the expense of the guest RTC going backwards compared with the
+     * host RTC when the VM is saved/restored if using -rtc host.
+     * (Even if set to 'true' older QEMU can migrate forward to newer QEMU;
+     * 'false' also permits newer QEMU to migrate to older QEMU.)
+     */
+    DEFINE_PROP_BOOL("migrate-tick-offset",
+                     PL031State, migrate_tick_offset, true),
+    DEFINE_PROP_END_OF_LIST()
+};
+
 static void pl031_class_init(ObjectClass *klass, void *data)
 {
     DeviceClass *dc = DEVICE_CLASS(klass);
 
     dc->vmsd = &vmstate_pl031;
+    dc->props = pl031_properties;
 }
 
 static const TypeInfo pl031_info = {
-- 
2.20.1

The ARMv5 architecture didn't specify detailed per-feature ID
registers. Now that we're using the MVFR0 register fields to
gate the existence of VFP instructions, we need to set up
the correct values in the cpu->isar structure so that we still
provide an FPU to the guest.

This fixes a regression in the arm926 and arm1026 CPUs, which
are the only ones that both have VFP and are ARMv5 or earlier.
This regression was introduced by the VFP refactoring, and more
specifically by commits 1120827fa182f0e76 and 266bd25c485597c,
which accidentally disabled VFP short-vector support and
double-precision support on these CPUs.

Fixes: 1120827fa182f0e
Fixes: 266bd25c485597c
Fixes: https://bugs.launchpad.net/qemu/+bug/1836192
Reported-by: Christophe Lyon <christophe.lyon@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Tested-by: Christophe Lyon <christophe.lyon@linaro.org>
Message-id: 20190711131241.22231-1-peter.maydell@linaro.org
---
 target/arm/cpu.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm926_initfn(Object *obj)
      * set the field to indicate Jazelle support within QEMU.
      */
     cpu->isar.id_isar1 = FIELD_DP32(cpu->isar.id_isar1, ID_ISAR1, JAZELLE, 1);
+    /*
+     * Similarly, we need to set MVFR0 fields to enable double precision
+     * and short vector support even though ARMv5 doesn't have this register.
+     */
+    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPSHVEC, 1);
+    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPDP, 1);
 }
 
 static void arm946_initfn(Object *obj)
@@ -XXX,XX +XXX,XX @@ static void arm1026_initfn(Object *obj)
      * set the field to indicate Jazelle support within QEMU.
      */
     cpu->isar.id_isar1 = FIELD_DP32(cpu->isar.id_isar1, ID_ISAR1, JAZELLE, 1);
+    /*
+     * Similarly, we need to set MVFR0 fields to enable double precision
+     * and short vector support even though ARMv5 doesn't have this register.
+     */
+    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPSHVEC, 1);
+    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPDP, 1);
 
     {
         /* The 1026 had an IFAR at c6,c0,0,1 rather than the ARMv6 c6,c0,0,2 */
-- 
2.20.1

In the M-profile architecture, when we do a vector table fetch and it
fails, we need to report a HardFault.  Whether this is a Secure HF or
a NonSecure HF depends on several things.  If AIRCR.BFHFNMINS is 0
then HF is always Secure, because there is no NonSecure HardFault.
Otherwise, the answer depends on whether the 'underlying exception'
(MemManage, BusFault, SecureFault) targets Secure or NonSecure.  (In
the pseudocode, this is handled in the Vector() function: the final
exc.isSecure is calculated by looking at the exc.isSecure from the
exception returned from the memory access, not the isSecure input
argument.)

We weren't doing this correctly, because we were looking at
the target security domain of the exception we were trying to
load the vector table entry for. This produces errors of two kinds:
 * a load from the NS vector table which hits the "NS access
   to S memory" SecureFault should end up as a Secure HardFault,
   but we were raising an NS HardFault
 * a load from the S vector table which causes a BusFault
   should raise an NS HardFault if BFHFNMINS == 1 (because
   in that case all BusFaults are NonSecure), but we were raising
   a Secure HardFault

Correct the logic.

We also fix a comment error where we claimed that we might
be escalating MemManage to HardFault, and forgot about SecureFault.
(Vector loads can never hit MPU access faults, because they're
always aligned and always use the default address map.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20190705094823.28905-1-peter.maydell@linaro.org
---
 target/arm/m_helper.c | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/target/arm/m_helper.c b/target/arm/m_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/m_helper.c
+++ b/target/arm/m_helper.c
@@ -XXX,XX +XXX,XX @@ static bool arm_v7m_load_vector(ARMCPU *cpu, int exc, bool targets_secure,
         if (sattrs.ns) {
             attrs.secure = false;
         } else if (!targets_secure) {
-            /* NS access to S memory */
+            /*
+             * NS access to S memory: the underlying exception which we escalate
+             * to HardFault is SecureFault, which always targets Secure.
+             */
+            exc_secure = true;
             goto load_fail;
         }
     }
@@ -XXX,XX +XXX,XX @@ static bool arm_v7m_load_vector(ARMCPU *cpu, int exc, bool targets_secure,
     vector_entry = address_space_ldl(arm_addressspace(cs, attrs), addr,
                                      attrs, &result);
     if (result != MEMTX_OK) {
+        /*
+         * Underlying exception is BusFault: its target security state
+         * depends on BFHFNMINS.
+         */
+        exc_secure = !(cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK);
         goto load_fail;
     }
     *pvec = vector_entry;
@@ -XXX,XX +XXX,XX @@ load_fail:
     /*
      * All vector table fetch fails are reported as HardFault, with
      * HFSR.VECTTBL and .FORCED set. (FORCED is set because
-     * technically the underlying exception is a MemManage or BusFault
+     * technically the underlying exception is a SecureFault or BusFault
      * that is escalated to HardFault.) This is a terminal exception,
      * so we will either take the HardFault immediately or else enter
      * lockup (the latter case is handled in armv7m_nvic_set_pending_derived()).
+     * The HardFault is Secure if BFHFNMINS is 0 (meaning that all HFs are
+     * secure); otherwise it targets the same security state as the
+     * underlying exception.
      */
-    exc_secure = targets_secure ||
-        !(cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK);
+    if (!(cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK)) {
+        exc_secure = true;
+    }
     env->v7m.hfsr |= R_V7M_HFSR_VECTTBL_MASK | R_V7M_HFSR_FORCED_MASK;
     armv7m_nvic_set_pending_derived(env->nvic, ARMV7M_EXCP_HARD, exc_secure);
     return false;
-- 
2.20.1

Latest arm queue, a mixed bag of features and bug fixes.

thanks
-- PMM

The following changes since commit cbf01142b2aef0c0b4e995cecd7e79d342bbc47e:

Merge remote-tracking branch 'remotes/rth/tags/pull-tcg-20200115' into staging (2020-01-17 12:13:17 +0000)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20200117-1

for you to fetch changes up to 1a1fbc6cbb34c26d43d8360c66c1d21681af14a9:

target/arm: Set ISSIs16Bit in make_issinfo (2020-01-17 14:27:16 +0000)

----------------------------------------------------------------
Add model of the Netduino Plus 2 board
Some allwinner-a10 code cleanup
New test cases for cubieboard
target/arm/arm-semi: fix SYS_OPEN to return nonzero filehandle
i.MX: add an emulation for RNGC device
target/arm: adjust program counter for wfi exception in AArch32
arm/gicv3: update virtual irq state after IAR register read
Set IL bit correctly for syndrome information for data aborts

----------------------------------------------------------------
Alistair Francis (4):
      hw/misc: Add the STM32F4xx Sysconfig device
      hw/misc: Add the STM32F4xx EXTI device
      hw/arm: Add the STM32F4xx SoC
      hw/arm: Add the Netduino Plus 2

Jeff Kubascik (3):
      target/arm: adjust program counter for wfi exception in AArch32
      arm/gicv3: update virtual irq state after IAR register read
      target/arm: Return correct IL bit in merge_syn_data_abort

Martin Kaiser (1):
      i.MX: add an emulation for RNGC

Masahiro Yamada (1):
      target/arm/arm-semi: fix SYS_OPEN to return nonzero filehandle

Philippe Mathieu-Daudé (5):
      tests/boot_linux_console: Add initrd test for the CubieBoard
      tests/boot_linux_console: Add a SD card test for the CubieBoard
      hw/arm/allwinner-a10: Move SoC definitions out of header
      hw/arm/allwinner-a10: Simplify by passing IRQs with qdev_pass_gpios()
      hw/arm/allwinner-a10: Remove local qemu_irq variables

Richard Henderson (1):
      target/arm: Set ISSIs16Bit in make_issinfo

hw/arm/Makefile.objs                   |   2 +
 hw/misc/Makefile.objs                  |   3 +
 include/hw/arm/allwinner-a10.h         |   7 -
 include/hw/arm/fsl-imx25.h             |   5 +
 include/hw/arm/stm32f405_soc.h         |  73 ++++++++
 include/hw/misc/imx_rngc.h             |  35 ++++
 include/hw/misc/stm32f4xx_exti.h       |  60 +++++++
 include/hw/misc/stm32f4xx_syscfg.h     |  61 +++++++
 hw/arm/allwinner-a10.c                 |  39 +++--
 hw/arm/fsl-imx25.c                     |  11 ++
 hw/arm/netduinoplus2.c                 |  52 ++++++
 hw/arm/stm32f405_soc.c                 | 302 +++++++++++++++++++++++++++++++++
 hw/intc/arm_gicv3_cpuif.c              |   3 +
 hw/misc/imx_rngc.c                     | 278 ++++++++++++++++++++++++++++++
 hw/misc/stm32f4xx_exti.c               | 188 ++++++++++++++++++++
 hw/misc/stm32f4xx_syscfg.c             | 171 +++++++++++++++++++
 target/arm/arm-semi.c                  |   5 +-
 target/arm/op_helper.c                 |   7 +-
 target/arm/tlb_helper.c                |   2 +-
 target/arm/translate.c                 |   3 +
 MAINTAINERS                            |  14 ++
 default-configs/arm-softmmu.mak        |   1 +
 hw/arm/Kconfig                         |  10 ++
 hw/misc/Kconfig                        |   6 +
 hw/misc/trace-events                   |  11 ++
 tests/acceptance/boot_linux_console.py |  85 ++++++++++
 26 files changed, 1405 insertions(+), 29 deletions(-)
 create mode 100644 include/hw/arm/stm32f405_soc.h
 create mode 100644 include/hw/misc/imx_rngc.h
 create mode 100644 include/hw/misc/stm32f4xx_exti.h
 create mode 100644 include/hw/misc/stm32f4xx_syscfg.h
 create mode 100644 hw/arm/netduinoplus2.c
 create mode 100644 hw/arm/stm32f405_soc.c
 create mode 100644 hw/misc/imx_rngc.c
 create mode 100644 hw/misc/stm32f4xx_exti.c
 create mode 100644 hw/misc/stm32f4xx_syscfg.c

From: Alistair Francis <alistair@alistair23.me>

Signed-off-by: Alistair Francis <alistair@alistair23.me>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 49b01423a09cef2ca832ff73a84a996568f1a8fc.1576658572.git.alistair@alistair23.me
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/misc/Makefile.objs              |   1 +
 include/hw/misc/stm32f4xx_syscfg.h |  61 ++++++++++
 hw/misc/stm32f4xx_syscfg.c         | 171 +++++++++++++++++++++++++++++
 default-configs/arm-softmmu.mak    |   1 +
 hw/arm/Kconfig                     |   9 ++
 hw/misc/Kconfig                    |   3 +
 hw/misc/trace-events               |   6 +
 7 files changed, 252 insertions(+)
 create mode 100644 include/hw/misc/stm32f4xx_syscfg.h
 create mode 100644 hw/misc/stm32f4xx_syscfg.c

diff --git a/hw/misc/Makefile.objs b/hw/misc/Makefile.objs
index XXXXXXX..XXXXXXX 100644
--- a/hw/misc/Makefile.objs
+++ b/hw/misc/Makefile.objs
@@ -XXX,XX +XXX,XX @@ common-obj-$(CONFIG_SLAVIO) += slavio_misc.o
 common-obj-$(CONFIG_ZYNQ) += zynq_slcr.o
 common-obj-$(CONFIG_ZYNQ) += zynq-xadc.o
 common-obj-$(CONFIG_STM32F2XX_SYSCFG) += stm32f2xx_syscfg.o
+common-obj-$(CONFIG_STM32F4XX_SYSCFG) += stm32f4xx_syscfg.o
 obj-$(CONFIG_MIPS_CPS) += mips_cmgcr.o
 obj-$(CONFIG_MIPS_CPS) += mips_cpc.o
 obj-$(CONFIG_MIPS_ITU) += mips_itu.o
diff --git a/include/hw/misc/stm32f4xx_syscfg.h b/include/hw/misc/stm32f4xx_syscfg.h
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/include/hw/misc/stm32f4xx_syscfg.h
@@ -XXX,XX +XXX,XX @@
+/*
+ * STM32F4xx SYSCFG
+ *
+ * Copyright (c) 2014 Alistair Francis <alistair@alistair23.me>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#ifndef HW_STM_SYSCFG_H
+#define HW_STM_SYSCFG_H
+
+#include "hw/sysbus.h"
+#include "hw/hw.h"
+
+#define SYSCFG_MEMRMP  0x00
+#define SYSCFG_PMC     0x04
+#define SYSCFG_EXTICR1 0x08
+#define SYSCFG_EXTICR2 0x0C
+#define SYSCFG_EXTICR3 0x10
+#define SYSCFG_EXTICR4 0x14
+#define SYSCFG_CMPCR   0x20
+
+#define TYPE_STM32F4XX_SYSCFG "stm32f4xx-syscfg"
+#define STM32F4XX_SYSCFG(obj) \
+    OBJECT_CHECK(STM32F4xxSyscfgState, (obj), TYPE_STM32F4XX_SYSCFG)
+
+#define SYSCFG_NUM_EXTICR 4
+
+typedef struct {
+    /* <private> */
+    SysBusDevice parent_obj;
+
+    /* <public> */
+    MemoryRegion mmio;
+
+    uint32_t syscfg_memrmp;
+    uint32_t syscfg_pmc;
+    uint32_t syscfg_exticr[SYSCFG_NUM_EXTICR];
+    uint32_t syscfg_cmpcr;
+
+    qemu_irq irq;
+    qemu_irq gpio_out[16];
+} STM32F4xxSyscfgState;
+
+#endif
diff --git a/hw/misc/stm32f4xx_syscfg.c b/hw/misc/stm32f4xx_syscfg.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/hw/misc/stm32f4xx_syscfg.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * STM32F4xx SYSCFG
+ *
+ * Copyright (c) 2014 Alistair Francis <alistair@alistair23.me>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include "qemu/osdep.h"
+#include "qemu/log.h"
+#include "trace.h"
+#include "hw/irq.h"
+#include "migration/vmstate.h"
+#include "hw/misc/stm32f4xx_syscfg.h"
+
+static void stm32f4xx_syscfg_reset(DeviceState *dev)
+{
+    STM32F4xxSyscfgState *s = STM32F4XX_SYSCFG(dev);
+
+    s->syscfg_memrmp = 0x00000000;
+    s->syscfg_pmc = 0x00000000;
+    s->syscfg_exticr[0] = 0x00000000;
+    s->syscfg_exticr[1] = 0x00000000;
+    s->syscfg_exticr[2] = 0x00000000;
+    s->syscfg_exticr[3] = 0x00000000;
+    s->syscfg_cmpcr = 0x00000000;
+}
+
+static void stm32f4xx_syscfg_set_irq(void *opaque, int irq, int level)
+{
+    STM32F4xxSyscfgState *s = opaque;
+    int icrreg = irq / 4;
+    int startbit = (irq & 3) * 4;
+    uint8_t config = config = irq / 16;
+
+    trace_stm32f4xx_syscfg_set_irq(irq / 16, irq % 16, level);
+
+    g_assert(icrreg < SYSCFG_NUM_EXTICR);
+
+    if (extract32(s->syscfg_exticr[icrreg], startbit, 4) == config) {
+        qemu_set_irq(s->gpio_out[irq], level);
+        trace_stm32f4xx_pulse_exti(irq);
+   }
+}
+
+static uint64_t stm32f4xx_syscfg_read(void *opaque, hwaddr addr,
+                                     unsigned int size)
+{
+    STM32F4xxSyscfgState *s = opaque;
+
+    trace_stm32f4xx_syscfg_read(addr);
+
+    switch (addr) {
+    case SYSCFG_MEMRMP:
+        return s->syscfg_memrmp;
+    case SYSCFG_PMC:
+        return s->syscfg_pmc;
+    case SYSCFG_EXTICR1...SYSCFG_EXTICR4:
+        return s->syscfg_exticr[addr / 4 - SYSCFG_EXTICR1 / 4];
+    case SYSCFG_CMPCR:
+        return s->syscfg_cmpcr;
+    default:
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "%s: Bad offset 0x%"HWADDR_PRIx"\n", __func__, addr);
+        return 0;
+    }
+}
+
+static void stm32f4xx_syscfg_write(void *opaque, hwaddr addr,
+                       uint64_t val64, unsigned int size)
+{
+    STM32F4xxSyscfgState *s = opaque;
+    uint32_t value = val64;
+
+    trace_stm32f4xx_syscfg_write(value, addr);
+
+    switch (addr) {
+    case SYSCFG_MEMRMP:
+        qemu_log_mask(LOG_UNIMP,
+                      "%s: Changing the memory mapping isn't supported " \
+                      "in QEMU\n", __func__);
+        return;
+    case SYSCFG_PMC:
+        qemu_log_mask(LOG_UNIMP,
+                      "%s: Changing the memory mapping isn't supported " \
+                      "in QEMU\n", __func__);
+        return;
+    case SYSCFG_EXTICR1...SYSCFG_EXTICR4:
+        s->syscfg_exticr[addr / 4 - SYSCFG_EXTICR1 / 4] = (value & 0xFFFF);
+        return;
+    case SYSCFG_CMPCR:
+        s->syscfg_cmpcr = value;
+        return;
+    default:
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "%s: Bad offset 0x%"HWADDR_PRIx"\n", __func__, addr);
+    }
+}
+
+static const MemoryRegionOps stm32f4xx_syscfg_ops = {
+    .read = stm32f4xx_syscfg_read,
+    .write = stm32f4xx_syscfg_write,
+    .endianness = DEVICE_NATIVE_ENDIAN,
+};
+
+static void stm32f4xx_syscfg_init(Object *obj)
+{
+    STM32F4xxSyscfgState *s = STM32F4XX_SYSCFG(obj);
+
+    sysbus_init_irq(SYS_BUS_DEVICE(obj), &s->irq);
+
+    memory_region_init_io(&s->mmio, obj, &stm32f4xx_syscfg_ops, s,
+                          TYPE_STM32F4XX_SYSCFG, 0x400);
+    sysbus_init_mmio(SYS_BUS_DEVICE(obj), &s->mmio);
+
+    qdev_init_gpio_in(DEVICE(obj), stm32f4xx_syscfg_set_irq, 16 * 9);
+    qdev_init_gpio_out(DEVICE(obj), s->gpio_out, 16);
+}
+
+static const VMStateDescription vmstate_stm32f4xx_syscfg = {
+    .name = TYPE_STM32F4XX_SYSCFG,
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .fields = (VMStateField[]) {
+        VMSTATE_UINT32(syscfg_memrmp, STM32F4xxSyscfgState),
+        VMSTATE_UINT32(syscfg_pmc, STM32F4xxSyscfgState),
+        VMSTATE_UINT32_ARRAY(syscfg_exticr, STM32F4xxSyscfgState,
+                             SYSCFG_NUM_EXTICR),
+        VMSTATE_UINT32(syscfg_cmpcr, STM32F4xxSyscfgState),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+static void stm32f4xx_syscfg_class_init(ObjectClass *klass, void *data)
+{
+    DeviceClass *dc = DEVICE_CLASS(klass);
+
+    dc->reset = stm32f4xx_syscfg_reset;
+    dc->vmsd = &vmstate_stm32f4xx_syscfg;
+}
+
+static const TypeInfo stm32f4xx_syscfg_info = {
+    .name          = TYPE_STM32F4XX_SYSCFG,
+    .parent        = TYPE_SYS_BUS_DEVICE,
+    .instance_size = sizeof(STM32F4xxSyscfgState),
+    .instance_init = stm32f4xx_syscfg_init,
+    .class_init    = stm32f4xx_syscfg_class_init,
+};
+
+static void stm32f4xx_syscfg_register_types(void)
+{
+    type_register_static(&stm32f4xx_syscfg_info);
+}
+
+type_init(stm32f4xx_syscfg_register_types)
diff --git a/default-configs/arm-softmmu.mak b/default-configs/arm-softmmu.mak
index XXXXXXX..XXXXXXX 100644
--- a/default-configs/arm-softmmu.mak
+++ b/default-configs/arm-softmmu.mak
@@ -XXX,XX +XXX,XX @@ CONFIG_Z2=y
 CONFIG_COLLIE=y
 CONFIG_ASPEED_SOC=y
 CONFIG_NETDUINO2=y
+CONFIG_NETDUINOPLUS2=y
 CONFIG_MPS2=y
 CONFIG_RASPI=y
 CONFIG_DIGIC=y
diff --git a/hw/arm/Kconfig b/hw/arm/Kconfig
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/Kconfig
+++ b/hw/arm/Kconfig
@@ -XXX,XX +XXX,XX @@ config NETDUINO2
     bool
     select STM32F205_SOC
 
+config NETDUINOPLUS2
+    bool
+    select STM32F405_SOC
+
 config NSERIES
     bool
     select OMAP
@@ -XXX,XX +XXX,XX @@ config STM32F205_SOC
     select STM32F2XX_ADC
     select STM32F2XX_SPI
 
+config STM32F405_SOC
+    bool
+    select ARM_V7M
+    select STM32F4XX_SYSCFG
+
 config XLNX_ZYNQMP_ARM
     bool
     select AHCI
diff --git a/hw/misc/Kconfig b/hw/misc/Kconfig
index XXXXXXX..XXXXXXX 100644
--- a/hw/misc/Kconfig
+++ b/hw/misc/Kconfig
@@ -XXX,XX +XXX,XX @@ config IMX
 config STM32F2XX_SYSCFG
     bool
 
+config STM32F4XX_SYSCFG
+    bool
+
 config MIPS_ITU
     bool
 
diff --git a/hw/misc/trace-events b/hw/misc/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/hw/misc/trace-events
+++ b/hw/misc/trace-events
@@ -XXX,XX +XXX,XX @@ mos6522_set_sr_int(void) "set sr_int"
 mos6522_write(uint64_t addr, uint64_t val) "reg=0x%"PRIx64 " val=0x%"PRIx64
 mos6522_read(uint64_t addr, unsigned val) "reg=0x%"PRIx64 " val=0x%x"
 
+# stm32f4xx_syscfg
+stm32f4xx_syscfg_set_irq(int gpio, int line, int level) "Interupt: GPIO: %d, Line: %d; Level: %d"
+stm32f4xx_pulse_exti(int irq) "Pulse EXTI: %d"
+stm32f4xx_syscfg_read(uint64_t addr) "reg read: addr: 0x%" PRIx64 " "
+stm32f4xx_syscfg_write(uint64_t addr, uint64_t data) "reg write: addr: 0x%" PRIx64 " val: 0x%" PRIx64 ""
+
 # tz-mpc.c
 tz_mpc_reg_read(uint32_t offset, uint64_t data, unsigned size) "TZ MPC regs read: offset 0x%x data 0x%" PRIx64 " size %u"
 tz_mpc_reg_write(uint32_t offset, uint64_t data, unsigned size) "TZ MPC regs write: offset 0x%x data 0x%" PRIx64 " size %u"
-- 
2.20.1

From: Alistair Francis <alistair@alistair23.me>

Signed-off-by: Alistair Francis <alistair@alistair23.me>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: ef941d59fd8658589d34ed432e1d6dfdcf7fb1d0.1576658572.git.alistair@alistair23.me
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/misc/Makefile.objs            |   1 +
 include/hw/misc/stm32f4xx_exti.h |  60 ++++++++++
 hw/misc/stm32f4xx_exti.c         | 188 +++++++++++++++++++++++++++++++
 hw/arm/Kconfig                   |   1 +
 hw/misc/Kconfig                  |   3 +
 hw/misc/trace-events             |   5 +
 6 files changed, 258 insertions(+)
 create mode 100644 include/hw/misc/stm32f4xx_exti.h
 create mode 100644 hw/misc/stm32f4xx_exti.c

diff --git a/hw/misc/Makefile.objs b/hw/misc/Makefile.objs
index XXXXXXX..XXXXXXX 100644
--- a/hw/misc/Makefile.objs
+++ b/hw/misc/Makefile.objs
@@ -XXX,XX +XXX,XX @@ common-obj-$(CONFIG_ZYNQ) += zynq_slcr.o
 common-obj-$(CONFIG_ZYNQ) += zynq-xadc.o
 common-obj-$(CONFIG_STM32F2XX_SYSCFG) += stm32f2xx_syscfg.o
 common-obj-$(CONFIG_STM32F4XX_SYSCFG) += stm32f4xx_syscfg.o
+common-obj-$(CONFIG_STM32F4XX_EXTI) += stm32f4xx_exti.o
 obj-$(CONFIG_MIPS_CPS) += mips_cmgcr.o
 obj-$(CONFIG_MIPS_CPS) += mips_cpc.o
 obj-$(CONFIG_MIPS_ITU) += mips_itu.o
diff --git a/include/hw/misc/stm32f4xx_exti.h b/include/hw/misc/stm32f4xx_exti.h
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/include/hw/misc/stm32f4xx_exti.h
@@ -XXX,XX +XXX,XX @@
+/*
+ * STM32F4XX EXTI
+ *
+ * Copyright (c) 2014 Alistair Francis <alistair@alistair23.me>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#ifndef HW_STM_EXTI_H
+#define HW_STM_EXTI_H
+
+#include "hw/sysbus.h"
+#include "hw/hw.h"
+
+#define EXTI_IMR   0x00
+#define EXTI_EMR   0x04
+#define EXTI_RTSR  0x08
+#define EXTI_FTSR  0x0C
+#define EXTI_SWIER 0x10
+#define EXTI_PR    0x14
+
+#define TYPE_STM32F4XX_EXTI "stm32f4xx-exti"
+#define STM32F4XX_EXTI(obj) \
+    OBJECT_CHECK(STM32F4xxExtiState, (obj), TYPE_STM32F4XX_EXTI)
+
+#define NUM_GPIO_EVENT_IN_LINES 16
+#define NUM_INTERRUPT_OUT_LINES 16
+
+typedef struct {
+    SysBusDevice parent_obj;
+
+    MemoryRegion mmio;
+
+    uint32_t exti_imr;
+    uint32_t exti_emr;
+    uint32_t exti_rtsr;
+    uint32_t exti_ftsr;
+    uint32_t exti_swier;
+    uint32_t exti_pr;
+
+    qemu_irq irq[NUM_INTERRUPT_OUT_LINES];
+} STM32F4xxExtiState;
+
+#endif
diff --git a/hw/misc/stm32f4xx_exti.c b/hw/misc/stm32f4xx_exti.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/hw/misc/stm32f4xx_exti.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * STM32F4XX EXTI
+ *
+ * Copyright (c) 2014 Alistair Francis <alistair@alistair23.me>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include "qemu/osdep.h"
+#include "qemu/log.h"
+#include "trace.h"
+#include "hw/irq.h"
+#include "migration/vmstate.h"
+#include "hw/misc/stm32f4xx_exti.h"
+
+static void stm32f4xx_exti_reset(DeviceState *dev)
+{
+    STM32F4xxExtiState *s = STM32F4XX_EXTI(dev);
+
+    s->exti_imr = 0x00000000;
+    s->exti_emr = 0x00000000;
+    s->exti_rtsr = 0x00000000;
+    s->exti_ftsr = 0x00000000;
+    s->exti_swier = 0x00000000;
+    s->exti_pr = 0x00000000;
+}
+
+static void stm32f4xx_exti_set_irq(void *opaque, int irq, int level)
+{
+    STM32F4xxExtiState *s = opaque;
+
+    trace_stm32f4xx_exti_set_irq(irq, level);
+
+    if (((1 << irq) & s->exti_rtsr) && level) {
+        /* Rising Edge */
+        s->exti_pr |= 1 << irq;
+    }
+
+    if (((1 << irq) & s->exti_ftsr) && !level) {
+        /* Falling Edge */
+        s->exti_pr |= 1 << irq;
+    }
+
+    if (!((1 << irq) & s->exti_imr)) {
+        /* Interrupt is masked */
+        return;
+    }
+    qemu_irq_pulse(s->irq[irq]);
+}
+
+static uint64_t stm32f4xx_exti_read(void *opaque, hwaddr addr,
+                                     unsigned int size)
+{
+    STM32F4xxExtiState *s = opaque;
+
+    trace_stm32f4xx_exti_read(addr);
+
+    switch (addr) {
+    case EXTI_IMR:
+        return s->exti_imr;
+    case EXTI_EMR:
+        return s->exti_emr;
+    case EXTI_RTSR:
+        return s->exti_rtsr;
+    case EXTI_FTSR:
+        return s->exti_ftsr;
+    case EXTI_SWIER:
+        return s->exti_swier;
+    case EXTI_PR:
+        return s->exti_pr;
+    default:
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "STM32F4XX_exti_read: Bad offset %x\n", (int)addr);
+        return 0;
+    }
+    return 0;
+}
+
+static void stm32f4xx_exti_write(void *opaque, hwaddr addr,
+                       uint64_t val64, unsigned int size)
+{
+    STM32F4xxExtiState *s = opaque;
+    uint32_t value = (uint32_t) val64;
+
+    trace_stm32f4xx_exti_write(addr, value);
+
+    switch (addr) {
+    case EXTI_IMR:
+        s->exti_imr = value;
+        return;
+    case EXTI_EMR:
+        s->exti_emr = value;
+        return;
+    case EXTI_RTSR:
+        s->exti_rtsr = value;
+        return;
+    case EXTI_FTSR:
+        s->exti_ftsr = value;
+        return;
+    case EXTI_SWIER:
+        s->exti_swier = value;
+        return;
+    case EXTI_PR:
+        /* This bit is cleared by writing a 1 to it */
+        s->exti_pr &= ~value;
+        return;
+    default:
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "STM32F4XX_exti_write: Bad offset %x\n", (int)addr);
+    }
+}
+
+static const MemoryRegionOps stm32f4xx_exti_ops = {
+    .read = stm32f4xx_exti_read,
+    .write = stm32f4xx_exti_write,
+    .endianness = DEVICE_NATIVE_ENDIAN,
+};
+
+static void stm32f4xx_exti_init(Object *obj)
+{
+    STM32F4xxExtiState *s = STM32F4XX_EXTI(obj);
+    int i;
+
+    for (i = 0; i < NUM_INTERRUPT_OUT_LINES; i++) {
+        sysbus_init_irq(SYS_BUS_DEVICE(obj), &s->irq[i]);
+    }
+
+    memory_region_init_io(&s->mmio, obj, &stm32f4xx_exti_ops, s,
+                          TYPE_STM32F4XX_EXTI, 0x400);
+    sysbus_init_mmio(SYS_BUS_DEVICE(obj), &s->mmio);
+
+    qdev_init_gpio_in(DEVICE(obj), stm32f4xx_exti_set_irq,
+                      NUM_GPIO_EVENT_IN_LINES);
+}
+
+static const VMStateDescription vmstate_stm32f4xx_exti = {
+    .name = TYPE_STM32F4XX_EXTI,
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .fields = (VMStateField[]) {
+        VMSTATE_UINT32(exti_imr, STM32F4xxExtiState),
+        VMSTATE_UINT32(exti_emr, STM32F4xxExtiState),
+        VMSTATE_UINT32(exti_rtsr, STM32F4xxExtiState),
+        VMSTATE_UINT32(exti_ftsr, STM32F4xxExtiState),
+        VMSTATE_UINT32(exti_swier, STM32F4xxExtiState),
+        VMSTATE_UINT32(exti_pr, STM32F4xxExtiState),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+static void stm32f4xx_exti_class_init(ObjectClass *klass, void *data)
+{
+    DeviceClass *dc = DEVICE_CLASS(klass);
+
+    dc->reset = stm32f4xx_exti_reset;
+    dc->vmsd = &vmstate_stm32f4xx_exti;
+}
+
+static const TypeInfo stm32f4xx_exti_info = {
+    .name          = TYPE_STM32F4XX_EXTI,
+    .parent        = TYPE_SYS_BUS_DEVICE,
+    .instance_size = sizeof(STM32F4xxExtiState),
+    .instance_init = stm32f4xx_exti_init,
+    .class_init    = stm32f4xx_exti_class_init,
+};
+
+static void stm32f4xx_exti_register_types(void)
+{
+    type_register_static(&stm32f4xx_exti_info);
+}
+
+type_init(stm32f4xx_exti_register_types)
diff --git a/hw/arm/Kconfig b/hw/arm/Kconfig
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/Kconfig
+++ b/hw/arm/Kconfig
@@ -XXX,XX +XXX,XX @@ config STM32F405_SOC
     bool
     select ARM_V7M
     select STM32F4XX_SYSCFG
+    select STM32F4XX_EXTI
 
 config XLNX_ZYNQMP_ARM
     bool
diff --git a/hw/misc/Kconfig b/hw/misc/Kconfig
index XXXXXXX..XXXXXXX 100644
--- a/hw/misc/Kconfig
+++ b/hw/misc/Kconfig
@@ -XXX,XX +XXX,XX @@ config STM32F2XX_SYSCFG
 config STM32F4XX_SYSCFG
     bool
 
+config STM32F4XX_EXTI
+    bool
+
 config MIPS_ITU
     bool
 
diff --git a/hw/misc/trace-events b/hw/misc/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/hw/misc/trace-events
+++ b/hw/misc/trace-events
@@ -XXX,XX +XXX,XX @@ stm32f4xx_pulse_exti(int irq) "Pulse EXTI: %d"
 stm32f4xx_syscfg_read(uint64_t addr) "reg read: addr: 0x%" PRIx64 " "
 stm32f4xx_syscfg_write(uint64_t addr, uint64_t data) "reg write: addr: 0x%" PRIx64 " val: 0x%" PRIx64 ""
 
+# stm32f4xx_exti
+stm32f4xx_exti_set_irq(int irq, int leve) "Set EXTI: %d to %d"
+stm32f4xx_exti_read(uint64_t addr) "reg read: addr: 0x%" PRIx64 " "
+stm32f4xx_exti_write(uint64_t addr, uint64_t data) "reg write: addr: 0x%" PRIx64 " val: 0x%" PRIx64 ""
+
 # tz-mpc.c
 tz_mpc_reg_read(uint32_t offset, uint64_t data, unsigned size) "TZ MPC regs read: offset 0x%x data 0x%" PRIx64 " size %u"
 tz_mpc_reg_write(uint32_t offset, uint64_t data, unsigned size) "TZ MPC regs write: offset 0x%x data 0x%" PRIx64 " size %u"
-- 
2.20.1

From: Alistair Francis <alistair@alistair23.me>

Signed-off-by: Alistair Francis <alistair@alistair23.me>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1d145c4c13e5fa140caf131232a6f524c88fcd72.1576658572.git.alistair@alistair23.me
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/Makefile.objs           |   1 +
 include/hw/arm/stm32f405_soc.h |  73 ++++++++
 hw/arm/stm32f405_soc.c         | 302 +++++++++++++++++++++++++++++++++
 MAINTAINERS                    |   8 +
 4 files changed, 384 insertions(+)
 create mode 100644 include/hw/arm/stm32f405_soc.h
 create mode 100644 hw/arm/stm32f405_soc.c

diff --git a/hw/arm/Makefile.objs b/hw/arm/Makefile.objs
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/Makefile.objs
+++ b/hw/arm/Makefile.objs
@@ -XXX,XX +XXX,XX @@ obj-$(CONFIG_STRONGARM) += strongarm.o
 obj-$(CONFIG_ALLWINNER_A10) += allwinner-a10.o cubieboard.o
 obj-$(CONFIG_RASPI) += bcm2835_peripherals.o bcm2836.o raspi.o
 obj-$(CONFIG_STM32F205_SOC) += stm32f205_soc.o
+obj-$(CONFIG_STM32F405_SOC) += stm32f405_soc.o
 obj-$(CONFIG_XLNX_ZYNQMP_ARM) += xlnx-zynqmp.o xlnx-zcu102.o
 obj-$(CONFIG_XLNX_VERSAL) += xlnx-versal.o xlnx-versal-virt.o
 obj-$(CONFIG_FSL_IMX25) += fsl-imx25.o imx25_pdk.o
diff --git a/include/hw/arm/stm32f405_soc.h b/include/hw/arm/stm32f405_soc.h
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/include/hw/arm/stm32f405_soc.h
@@ -XXX,XX +XXX,XX @@
+/*
+ * STM32F405 SoC
+ *
+ * Copyright (c) 2014 Alistair Francis <alistair@alistair23.me>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#ifndef HW_ARM_STM32F405_SOC_H
+#define HW_ARM_STM32F405_SOC_H
+
+#include "hw/misc/stm32f4xx_syscfg.h"
+#include "hw/timer/stm32f2xx_timer.h"
+#include "hw/char/stm32f2xx_usart.h"
+#include "hw/adc/stm32f2xx_adc.h"
+#include "hw/misc/stm32f4xx_exti.h"
+#include "hw/or-irq.h"
+#include "hw/ssi/stm32f2xx_spi.h"
+#include "hw/arm/armv7m.h"
+
+#define TYPE_STM32F405_SOC "stm32f405-soc"
+#define STM32F405_SOC(obj) \
+    OBJECT_CHECK(STM32F405State, (obj), TYPE_STM32F405_SOC)
+
+#define STM_NUM_USARTS 7
+#define STM_NUM_TIMERS 4
+#define STM_NUM_ADCS 6
+#define STM_NUM_SPIS 6
+
+#define FLASH_BASE_ADDRESS 0x08000000
+#define FLASH_SIZE (1024 * 1024)
+#define SRAM_BASE_ADDRESS 0x20000000
+#define SRAM_SIZE (192 * 1024)
+
+typedef struct STM32F405State {
+    /*< private >*/
+    SysBusDevice parent_obj;
+    /*< public >*/
+
+    char *cpu_type;
+
+    ARMv7MState armv7m;
+
+    STM32F4xxSyscfgState syscfg;
+    STM32F4xxExtiState exti;
+    STM32F2XXUsartState usart[STM_NUM_USARTS];
+    STM32F2XXTimerState timer[STM_NUM_TIMERS];
+    qemu_or_irq adc_irqs;
+    STM32F2XXADCState adc[STM_NUM_ADCS];
+    STM32F2XXSPIState spi[STM_NUM_SPIS];
+
+    MemoryRegion sram;
+    MemoryRegion flash;
+    MemoryRegion flash_alias;
+} STM32F405State;
+
+#endif
diff --git a/hw/arm/stm32f405_soc.c b/hw/arm/stm32f405_soc.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/hw/arm/stm32f405_soc.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * STM32F405 SoC
+ *
+ * Copyright (c) 2014 Alistair Francis <alistair@alistair23.me>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include "qemu/osdep.h"
+#include "qapi/error.h"
+#include "qemu-common.h"
+#include "exec/address-spaces.h"
+#include "sysemu/sysemu.h"
+#include "hw/arm/stm32f405_soc.h"
+#include "hw/misc/unimp.h"
+
+#define SYSCFG_ADD                     0x40013800
+static const uint32_t usart_addr[] = { 0x40011000, 0x40004400, 0x40004800,
+                                       0x40004C00, 0x40005000, 0x40011400,
+                                       0x40007800, 0x40007C00 };
+/* At the moment only Timer 2 to 5 are modelled */
+static const uint32_t timer_addr[] = { 0x40000000, 0x40000400,
+                                       0x40000800, 0x40000C00 };
+#define ADC_ADDR                       0x40012000
+static const uint32_t spi_addr[] =   { 0x40013000, 0x40003800, 0x40003C00,
+                                       0x40013400, 0x40015000, 0x40015400 };
+#define EXTI_ADDR                      0x40013C00
+
+#define SYSCFG_IRQ               71
+static const int usart_irq[] = { 37, 38, 39, 52, 53, 71, 82, 83 };
+static const int timer_irq[] = { 28, 29, 30, 50 };
+#define ADC_IRQ 18
+static const int spi_irq[] =   { 35, 36, 51, 0, 0, 0 };
+static const int exti_irq[] =  { 6, 7, 8, 9, 10, 23, 23, 23, 23, 23, 40,
+                                 40, 40, 40, 40, 40} ;
+
+
+static void stm32f405_soc_initfn(Object *obj)
+{
+    STM32F405State *s = STM32F405_SOC(obj);
+    int i;
+
+    sysbus_init_child_obj(obj, "armv7m", &s->armv7m, sizeof(s->armv7m),
+                          TYPE_ARMV7M);
+
+    sysbus_init_child_obj(obj, "syscfg", &s->syscfg, sizeof(s->syscfg),
+                          TYPE_STM32F4XX_SYSCFG);
+
+    for (i = 0; i < STM_NUM_USARTS; i++) {
+        sysbus_init_child_obj(obj, "usart[*]", &s->usart[i],
+                              sizeof(s->usart[i]), TYPE_STM32F2XX_USART);
+    }
+
+    for (i = 0; i < STM_NUM_TIMERS; i++) {
+        sysbus_init_child_obj(obj, "timer[*]", &s->timer[i],
+                              sizeof(s->timer[i]), TYPE_STM32F2XX_TIMER);
+    }
+
+    for (i = 0; i < STM_NUM_ADCS; i++) {
+        sysbus_init_child_obj(obj, "adc[*]", &s->adc[i], sizeof(s->adc[i]),
+                              TYPE_STM32F2XX_ADC);
+    }
+
+    for (i = 0; i < STM_NUM_SPIS; i++) {
+        sysbus_init_child_obj(obj, "spi[*]", &s->spi[i], sizeof(s->spi[i]),
+                              TYPE_STM32F2XX_SPI);
+    }
+
+    sysbus_init_child_obj(obj, "exti", &s->exti, sizeof(s->exti),
+                          TYPE_STM32F4XX_EXTI);
+}
+
+static void stm32f405_soc_realize(DeviceState *dev_soc, Error **errp)
+{
+    STM32F405State *s = STM32F405_SOC(dev_soc);
+    MemoryRegion *system_memory = get_system_memory();
+    DeviceState *dev, *armv7m;
+    SysBusDevice *busdev;
+    Error *err = NULL;
+    int i;
+
+    memory_region_init_ram(&s->flash, NULL, "STM32F405.flash", FLASH_SIZE,
+                           &err);
+    if (err != NULL) {
+        error_propagate(errp, err);
+        return;
+    }
+    memory_region_init_alias(&s->flash_alias, NULL, "STM32F405.flash.alias",
+                             &s->flash, 0, FLASH_SIZE);
+
+    memory_region_set_readonly(&s->flash, true);
+    memory_region_set_readonly(&s->flash_alias, true);
+
+    memory_region_add_subregion(system_memory, FLASH_BASE_ADDRESS, &s->flash);
+    memory_region_add_subregion(system_memory, 0, &s->flash_alias);
+
+    memory_region_init_ram(&s->sram, NULL, "STM32F405.sram", SRAM_SIZE,
+                           &err);
+    if (err != NULL) {
+        error_propagate(errp, err);
+        return;
+    }
+    memory_region_add_subregion(system_memory, SRAM_BASE_ADDRESS, &s->sram);
+
+    armv7m = DEVICE(&s->armv7m);
+    qdev_prop_set_uint32(armv7m, "num-irq", 96);
+    qdev_prop_set_string(armv7m, "cpu-type", s->cpu_type);
+    qdev_prop_set_bit(armv7m, "enable-bitband", true);
+    object_property_set_link(OBJECT(&s->armv7m), OBJECT(system_memory),
+                                     "memory", &error_abort);
+    object_property_set_bool(OBJECT(&s->armv7m), true, "realized", &err);
+    if (err != NULL) {
+        error_propagate(errp, err);
+        return;
+    }
+
+    /* System configuration controller */
+    dev = DEVICE(&s->syscfg);
+    object_property_set_bool(OBJECT(&s->syscfg), true, "realized", &err);
+    if (err != NULL) {
+        error_propagate(errp, err);
+        return;
+    }
+    busdev = SYS_BUS_DEVICE(dev);
+    sysbus_mmio_map(busdev, 0, SYSCFG_ADD);
+    sysbus_connect_irq(busdev, 0, qdev_get_gpio_in(armv7m, SYSCFG_IRQ));
+
+    /* Attach UART (uses USART registers) and USART controllers */
+    for (i = 0; i < STM_NUM_USARTS; i++) {
+        dev = DEVICE(&(s->usart[i]));
+        qdev_prop_set_chr(dev, "chardev", serial_hd(i));
+        object_property_set_bool(OBJECT(&s->usart[i]), true, "realized", &err);
+        if (err != NULL) {
+            error_propagate(errp, err);
+            return;
+        }
+        busdev = SYS_BUS_DEVICE(dev);
+        sysbus_mmio_map(busdev, 0, usart_addr[i]);
+        sysbus_connect_irq(busdev, 0, qdev_get_gpio_in(armv7m, usart_irq[i]));
+    }
+
+    /* Timer 2 to 5 */
+    for (i = 0; i < STM_NUM_TIMERS; i++) {
+        dev = DEVICE(&(s->timer[i]));
+        qdev_prop_set_uint64(dev, "clock-frequency", 1000000000);
+        object_property_set_bool(OBJECT(&s->timer[i]), true, "realized", &err);
+        if (err != NULL) {
+            error_propagate(errp, err);
+            return;
+        }
+        busdev = SYS_BUS_DEVICE(dev);
+        sysbus_mmio_map(busdev, 0, timer_addr[i]);
+        sysbus_connect_irq(busdev, 0, qdev_get_gpio_in(armv7m, timer_irq[i]));
+    }
+
+    /* ADC device, the IRQs are ORed together */
+    object_initialize_child(OBJECT(s), "adc-orirq", &s->adc_irqs,
+                            sizeof(s->adc_irqs), TYPE_OR_IRQ,
+                            &err, NULL);
+    if (err != NULL) {
+        error_propagate(errp, err);
+        return;
+    }
+    object_property_set_int(OBJECT(&s->adc_irqs), STM_NUM_ADCS,
+                            "num-lines", &err);
+    object_property_set_bool(OBJECT(&s->adc_irqs), true, "realized", &err);
+    if (err != NULL) {
+        error_propagate(errp, err);
+        return;
+    }
+    qdev_connect_gpio_out(DEVICE(&s->adc_irqs), 0,
+                          qdev_get_gpio_in(armv7m, ADC_IRQ));
+
+    dev = DEVICE(&(s->adc[i]));
+    object_property_set_bool(OBJECT(&s->adc[i]), true, "realized", &err);
+    if (err != NULL) {
+        error_propagate(errp, err);
+        return;
+    }
+    busdev = SYS_BUS_DEVICE(dev);
+    sysbus_mmio_map(busdev, 0, ADC_ADDR);
+    sysbus_connect_irq(busdev, 0,
+                       qdev_get_gpio_in(DEVICE(&s->adc_irqs), i));
+
+    /* SPI devices */
+    for (i = 0; i < STM_NUM_SPIS; i++) {
+        dev = DEVICE(&(s->spi[i]));
+        object_property_set_bool(OBJECT(&s->spi[i]), true, "realized", &err);
+        if (err != NULL) {
+            error_propagate(errp, err);
+            return;
+        }
+        busdev = SYS_BUS_DEVICE(dev);
+        sysbus_mmio_map(busdev, 0, spi_addr[i]);
+        sysbus_connect_irq(busdev, 0, qdev_get_gpio_in(armv7m, spi_irq[i]));
+    }
+
+    /* EXTI device */
+    dev = DEVICE(&s->exti);
+    object_property_set_bool(OBJECT(&s->exti), true, "realized", &err);
+    if (err != NULL) {
+        error_propagate(errp, err);
+        return;
+    }
+    busdev = SYS_BUS_DEVICE(dev);
+    sysbus_mmio_map(busdev, 0, EXTI_ADDR);
+    for (i = 0; i < 16; i++) {
+        sysbus_connect_irq(busdev, i, qdev_get_gpio_in(armv7m, exti_irq[i]));
+    }
+    for (i = 0; i < 16; i++) {
+        qdev_connect_gpio_out(DEVICE(&s->syscfg), i, qdev_get_gpio_in(dev, i));
+    }
+
+    create_unimplemented_device("timer[7]",    0x40001400, 0x400);
+    create_unimplemented_device("timer[12]",   0x40001800, 0x400);
+    create_unimplemented_device("timer[6]",    0x40001000, 0x400);
+    create_unimplemented_device("timer[13]",   0x40001C00, 0x400);
+    create_unimplemented_device("timer[14]",   0x40002000, 0x400);
+    create_unimplemented_device("RTC and BKP", 0x40002800, 0x400);
+    create_unimplemented_device("WWDG",        0x40002C00, 0x400);
+    create_unimplemented_device("IWDG",        0x40003000, 0x400);
+    create_unimplemented_device("I2S2ext",     0x40003000, 0x400);
+    create_unimplemented_device("I2S3ext",     0x40004000, 0x400);
+    create_unimplemented_device("I2C1",        0x40005400, 0x400);
+    create_unimplemented_device("I2C2",        0x40005800, 0x400);
+    create_unimplemented_device("I2C3",        0x40005C00, 0x400);
+    create_unimplemented_device("CAN1",        0x40006400, 0x400);
+    create_unimplemented_device("CAN2",        0x40006800, 0x400);
+    create_unimplemented_device("PWR",         0x40007000, 0x400);
+    create_unimplemented_device("DAC",         0x40007400, 0x400);
+    create_unimplemented_device("timer[1]",    0x40010000, 0x400);
+    create_unimplemented_device("timer[8]",    0x40010400, 0x400);
+    create_unimplemented_device("SDIO",        0x40012C00, 0x400);
+    create_unimplemented_device("timer[9]",    0x40014000, 0x400);
+    create_unimplemented_device("timer[10]",   0x40014400, 0x400);
+    create_unimplemented_device("timer[11]",   0x40014800, 0x400);
+    create_unimplemented_device("GPIOA",       0x40020000, 0x400);
+    create_unimplemented_device("GPIOB",       0x40020400, 0x400);
+    create_unimplemented_device("GPIOC",       0x40020800, 0x400);
+    create_unimplemented_device("GPIOD",       0x40020C00, 0x400);
+    create_unimplemented_device("GPIOE",       0x40021000, 0x400);
+    create_unimplemented_device("GPIOF",       0x40021400, 0x400);
+    create_unimplemented_device("GPIOG",       0x40021800, 0x400);
+    create_unimplemented_device("GPIOH",       0x40021C00, 0x400);
+    create_unimplemented_device("GPIOI",       0x40022000, 0x400);
+    create_unimplemented_device("CRC",         0x40023000, 0x400);
+    create_unimplemented_device("RCC",         0x40023800, 0x400);
+    create_unimplemented_device("Flash Int",   0x40023C00, 0x400);
+    create_unimplemented_device("BKPSRAM",     0x40024000, 0x400);
+    create_unimplemented_device("DMA1",        0x40026000, 0x400);
+    create_unimplemented_device("DMA2",        0x40026400, 0x400);
+    create_unimplemented_device("Ethernet",    0x40028000, 0x1400);
+    create_unimplemented_device("USB OTG HS",  0x40040000, 0x30000);
+    create_unimplemented_device("USB OTG FS",  0x50000000, 0x31000);
+    create_unimplemented_device("DCMI",        0x50050000, 0x400);
+    create_unimplemented_device("RNG",         0x50060800, 0x400);
+}
+
+static Property stm32f405_soc_properties[] = {
+    DEFINE_PROP_STRING("cpu-type", STM32F405State, cpu_type),
+    DEFINE_PROP_END_OF_LIST(),
+};
+
+static void stm32f405_soc_class_init(ObjectClass *klass, void *data)
+{
+    DeviceClass *dc = DEVICE_CLASS(klass);
+
+    dc->realize = stm32f405_soc_realize;
+    dc->props = stm32f405_soc_properties;
+    /* No vmstate or reset required: device has no internal state */
+}
+
+static const TypeInfo stm32f405_soc_info = {
+    .name          = TYPE_STM32F405_SOC,
+    .parent        = TYPE_SYS_BUS_DEVICE,
+    .instance_size = sizeof(STM32F405State),
+    .instance_init = stm32f405_soc_initfn,
+    .class_init    = stm32f405_soc_class_init,
+};
+
+static void stm32f405_soc_types(void)
+{
+    type_register_static(&stm32f405_soc_info);
+}
+
+type_init(stm32f405_soc_types)
diff --git a/MAINTAINERS b/MAINTAINERS
index XXXXXXX..XXXXXXX 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -XXX,XX +XXX,XX @@ F: hw/adc/*
 F: hw/ssi/stm32f2xx_spi.c
 F: include/hw/*/stm32*.h
 
+STM32F405
+M: Alistair Francis <alistair@alistair23.me>
+M: Peter Maydell <peter.maydell@linaro.org>
+S: Maintained
+F: hw/arm/stm32f405_soc.c
+F: hw/misc/stm32f4xx_syscfg.c
+F: hw/misc/stm32f4xx_exti.c
+
 Netduino 2
 M: Alistair Francis <alistair@alistair23.me>
 M: Peter Maydell <peter.maydell@linaro.org>
-- 
2.20.1

From: Alistair Francis <alistair@alistair23.me>

Signed-off-by: Alistair Francis <alistair@alistair23.me>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: dad8d8d47f7625913e35e27a1c00f603a6b08f9a.1576658572.git.alistair@alistair23.me
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/Makefile.objs   |  1 +
 hw/arm/netduinoplus2.c | 52 ++++++++++++++++++++++++++++++++++++++++++
 MAINTAINERS            |  6 +++++
 3 files changed, 59 insertions(+)
 create mode 100644 hw/arm/netduinoplus2.c

diff --git a/hw/arm/Makefile.objs b/hw/arm/Makefile.objs
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/Makefile.objs
+++ b/hw/arm/Makefile.objs
@@ -XXX,XX +XXX,XX @@ obj-$(CONFIG_MAINSTONE) += mainstone.o
 obj-$(CONFIG_MICROBIT) += microbit.o
 obj-$(CONFIG_MUSICPAL) += musicpal.o
 obj-$(CONFIG_NETDUINO2) += netduino2.o
+obj-$(CONFIG_NETDUINOPLUS2) += netduinoplus2.o
 obj-$(CONFIG_NSERIES) += nseries.o
 obj-$(CONFIG_SX1) += omap_sx1.o
 obj-$(CONFIG_CHEETAH) += palm.o
diff --git a/hw/arm/netduinoplus2.c b/hw/arm/netduinoplus2.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/hw/arm/netduinoplus2.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * Netduino Plus 2 Machine Model
+ *
+ * Copyright (c) 2014 Alistair Francis <alistair@alistair23.me>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include "qemu/osdep.h"
+#include "qapi/error.h"
+#include "hw/boards.h"
+#include "hw/qdev-properties.h"
+#include "qemu/error-report.h"
+#include "hw/arm/stm32f405_soc.h"
+#include "hw/arm/boot.h"
+
+static void netduinoplus2_init(MachineState *machine)
+{
+    DeviceState *dev;
+
+    dev = qdev_create(NULL, TYPE_STM32F405_SOC);
+    qdev_prop_set_string(dev, "cpu-type", ARM_CPU_TYPE_NAME("cortex-m4"));
+    object_property_set_bool(OBJECT(dev), true, "realized", &error_fatal);
+
+    armv7m_load_kernel(ARM_CPU(first_cpu),
+                       machine->kernel_filename,
+                       FLASH_SIZE);
+}
+
+static void netduinoplus2_machine_init(MachineClass *mc)
+{
+    mc->desc = "Netduino Plus 2 Machine";
+    mc->init = netduinoplus2_init;
+}
+
+DEFINE_MACHINE("netduinoplus2", netduinoplus2_machine_init)
diff --git a/MAINTAINERS b/MAINTAINERS
index XXXXXXX..XXXXXXX 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -XXX,XX +XXX,XX @@ M: Peter Maydell <peter.maydell@linaro.org>
 S: Maintained
 F: hw/arm/netduino2.c
 
+Netduino Plus 2
+M: Alistair Francis <alistair@alistair23.me>
+M: Peter Maydell <peter.maydell@linaro.org>
+S: Maintained
+F: hw/arm/netduinoplus2.c
+
 SmartFusion2
 M: Subbaraya Sundeep <sundeep.lkml@gmail.com>
 M: Peter Maydell <peter.maydell@linaro.org>
-- 
2.20.1

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

This test boots a Linux kernel on a CubieBoard and verify
the serial output is working.

The kernel image and DeviceTree blob are built by the Armbian
project (based on Debian):
https://docs.armbian.com/Developer-Guide_Build-Preparation/

The cpio image used comes from the linux-build-test project:
https://github.com/groeck/linux-build-test

If ARM is a target being built, "make check-acceptance" will
automatically include this test by the use of the "arch:arm" tags.

Alternatively, this test can be run using:

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
Tested-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
Message-id: 20191230110953.25496-2-f4bug@amsat.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 tests/acceptance/boot_linux_console.py | 41 ++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/tests/acceptance/boot_linux_console.py b/tests/acceptance/boot_linux_console.py
index XXXXXXX..XXXXXXX 100644
--- a/tests/acceptance/boot_linux_console.py
+++ b/tests/acceptance/boot_linux_console.py
@@ -XXX,XX +XXX,XX @@ class BootLinuxConsole(Test):
         self.wait_for_console_pattern('Boot successful.')
         # TODO user command, for now the uart is stuck
 
+    def test_arm_cubieboard_initrd(self):
+        """
+        :avocado: tags=arch:arm
+        :avocado: tags=machine:cubieboard
+        """
+        deb_url = ('https://apt.armbian.com/pool/main/l/'
+                   'linux-4.20.7-sunxi/linux-image-dev-sunxi_5.75_armhf.deb')
+        deb_hash = '1334c29c44d984ffa05ed10de8c3361f33d78315'
+        deb_path = self.fetch_asset(deb_url, asset_hash=deb_hash)
+        kernel_path = self.extract_from_deb(deb_path,
+                                            '/boot/vmlinuz-4.20.7-sunxi')
+        dtb_path = '/usr/lib/linux-image-dev-sunxi/sun4i-a10-cubieboard.dtb'
+        dtb_path = self.extract_from_deb(deb_path, dtb_path)
+        initrd_url = ('https://github.com/groeck/linux-build-test/raw/'
+                      '2eb0a73b5d5a28df3170c546ddaaa9757e1e0848/rootfs/'
+                      'arm/rootfs-armv5.cpio.gz')
+        initrd_hash = '2b50f1873e113523967806f4da2afe385462ff9b'
+        initrd_path_gz = self.fetch_asset(initrd_url, asset_hash=initrd_hash)
+        initrd_path = os.path.join(self.workdir, 'rootfs.cpio')
+        archive.gzip_uncompress(initrd_path_gz, initrd_path)
+
+        self.vm.set_console()
+        kernel_command_line = (self.KERNEL_COMMON_COMMAND_LINE +
+                               'console=ttyS0,115200 '
+                               'usbcore.nousb '
+                               'panic=-1 noreboot')
+        self.vm.add_args('-kernel', kernel_path,
+                         '-dtb', dtb_path,
+                         '-initrd', initrd_path,
+                         '-append', kernel_command_line,
+                         '-no-reboot')
+        self.vm.launch()
+        self.wait_for_console_pattern('Boot successful.')
+
+        exec_command_and_wait_for_pattern(self, 'cat /proc/cpuinfo',
+                                                'Allwinner sun4i/sun5i')
+        exec_command_and_wait_for_pattern(self, 'cat /proc/iomem',
+                                                'system-control@1c00000')
+        exec_command_and_wait_for_pattern(self, 'reboot',
+                                                'reboot: Restarting system')
+
     def test_s390x_s390_ccw_virtio(self):
         """
         :avocado: tags=arch:s390x
-- 
2.20.1

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

The kernel image and DeviceTree blob are built by the Armbian
project (based on Debian):
https://docs.armbian.com/Developer-Guide_Build-Preparation/

The cpio image used comes from the linux-build-test project:
https://github.com/groeck/linux-build-test

If ARM is a target being built, "make check-acceptance" will
automatically include this test by the use of the "arch:arm" tags.

Alternatively, this test can be run using:

$ avocado --show=console run -t machine:cubieboard tests/acceptance/boot_linux_console.py
  console: Uncompressing Linux... done, booting the kernel.
  console: Booting Linux on physical CPU 0x0
  console: Linux version 4.20.7-sunxi (root@armbian.com) (gcc version 7.2.1 20171011 (Linaro GCC 7.2-2017.11)) #5.75 SMP Fri Feb 8 09:02:10 CET 2019
  [...]
  console: ahci-sunxi 1c18000.sata: Linked as a consumer to regulator.4
  console: ahci-sunxi 1c18000.sata: controller can't do 64bit DMA, forcing 32bit
  console: ahci-sunxi 1c18000.sata: AHCI 0001.0000 32 slots 1 ports 1.5 Gbps 0x1 impl platform mode
  console: ahci-sunxi 1c18000.sata: flags: ncq only
  console: scsi host0: ahci-sunxi
  console: ata1: SATA max UDMA/133 mmio [mem 0x01c18000-0x01c18fff] port 0x100 irq 27
  console: of_cfs_init
  console: of_cfs_init: OK
  console: vcc3v0: disabling
  console: vcc5v0: disabling
  console: usb1-vbus: disabling
  console: usb2-vbus: disabling
  console: ata1: SATA link up 1.5 Gbps (SStatus 113 SControl 300)
  console: ata1.00: ATA-7: QEMU HARDDISK, 2.5+, max UDMA/100
  console: ata1.00: 40960 sectors, multi 16: LBA48 NCQ (depth 32)
  console: ata1.00: applying bridge limits
  console: ata1.00: configured for UDMA/100
  console: scsi 0:0:0:0: Direct-Access     ATA      QEMU HARDDISK    2.5+ PQ: 0 ANSI: 5
  console: sd 0:0:0:0: Attached scsi generic sg0 type 0
  console: sd 0:0:0:0: [sda] 40960 512-byte logical blocks: (21.0 MB/20.0 MiB)
  console: sd 0:0:0:0: [sda] Write Protect is off
  console: sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
  console: sd 0:0:0:0: [sda] Attached SCSI disk
  console: EXT4-fs (sda): mounting ext2 file system using the ext4 subsystem
  console: EXT4-fs (sda): mounted filesystem without journal. Opts: (null)
  console: VFS: Mounted root (ext2 filesystem) readonly on device 8:0.
  [...]
  console: cat /proc/partitions
  console: / # cat /proc/partitions
  console: major minor  #blocks  name
  console: 1        0       4096 ram0
  console: 1        1       4096 ram1
  console: 1        2       4096 ram2
  console: 1        3       4096 ram3
  console: 8        0      20480 sda
  console: reboot
  console: / # reboot
  [...]
  console: sd 0:0:0:0: [sda] Synchronizing SCSI cache
  console: reboot: Restarting system
  PASS (48.39 s)

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20191230110953.25496-3-f4bug@amsat.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 tests/acceptance/boot_linux_console.py | 44 ++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)

diff --git a/tests/acceptance/boot_linux_console.py b/tests/acceptance/boot_linux_console.py
index XXXXXXX..XXXXXXX 100644
--- a/tests/acceptance/boot_linux_console.py
+++ b/tests/acceptance/boot_linux_console.py
@@ -XXX,XX +XXX,XX @@ class BootLinuxConsole(Test):
         exec_command_and_wait_for_pattern(self, 'reboot',
                                                 'reboot: Restarting system')
 
+    def test_arm_cubieboard_sata(self):
+        """
+        :avocado: tags=arch:arm
+        :avocado: tags=machine:cubieboard
+        """
+        deb_url = ('https://apt.armbian.com/pool/main/l/'
+                   'linux-4.20.7-sunxi/linux-image-dev-sunxi_5.75_armhf.deb')
+        deb_hash = '1334c29c44d984ffa05ed10de8c3361f33d78315'
+        deb_path = self.fetch_asset(deb_url, asset_hash=deb_hash)
+        kernel_path = self.extract_from_deb(deb_path,
+                                            '/boot/vmlinuz-4.20.7-sunxi')
+        dtb_path = '/usr/lib/linux-image-dev-sunxi/sun4i-a10-cubieboard.dtb'
+        dtb_path = self.extract_from_deb(deb_path, dtb_path)
+        rootfs_url = ('https://github.com/groeck/linux-build-test/raw/'
+                      '2eb0a73b5d5a28df3170c546ddaaa9757e1e0848/rootfs/'
+                      'arm/rootfs-armv5.ext2.gz')
+        rootfs_hash = '093e89d2b4d982234bf528bc9fb2f2f17a9d1f93'
+        rootfs_path_gz = self.fetch_asset(rootfs_url, asset_hash=rootfs_hash)
+        rootfs_path = os.path.join(self.workdir, 'rootfs.cpio')
+        archive.gzip_uncompress(rootfs_path_gz, rootfs_path)
+
+        self.vm.set_console()
+        kernel_command_line = (self.KERNEL_COMMON_COMMAND_LINE +
+                               'console=ttyS0,115200 '
+                               'usbcore.nousb '
+                               'root=/dev/sda ro '
+                               'panic=-1 noreboot')
+        self.vm.add_args('-kernel', kernel_path,
+                         '-dtb', dtb_path,
+                         '-drive', 'if=none,format=raw,id=disk0,file='
+                                   + rootfs_path,
+                         '-device', 'ide-hd,bus=ide.0,drive=disk0',
+                         '-append', kernel_command_line,
+                         '-no-reboot')
+        self.vm.launch()
+        self.wait_for_console_pattern('Boot successful.')
+
+        exec_command_and_wait_for_pattern(self, 'cat /proc/cpuinfo',
+                                                'Allwinner sun4i/sun5i')
+        exec_command_and_wait_for_pattern(self, 'cat /proc/partitions',
+                                                'sda')
+        exec_command_and_wait_for_pattern(self, 'reboot',
+                                                'reboot: Restarting system')
+
     def test_s390x_s390_ccw_virtio(self):
         """
         :avocado: tags=arch:s390x
-- 
2.20.1

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

These definitions are specific to the A10 SoC and don't need
to be exported to the different Allwinner peripherals.

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20191230110953.25496-4-f4bug@amsat.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/arm/allwinner-a10.h | 6 ------
 hw/arm/allwinner-a10.c         | 6 ++++++
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/include/hw/arm/allwinner-a10.h b/include/hw/arm/allwinner-a10.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/allwinner-a10.h
+++ b/include/hw/arm/allwinner-a10.h
@@ -XXX,XX +XXX,XX @@
 #include "target/arm/cpu.h"
 
 
-#define AW_A10_PIC_REG_BASE     0x01c20400
-#define AW_A10_PIT_REG_BASE     0x01c20c00
-#define AW_A10_UART0_REG_BASE   0x01c28000
-#define AW_A10_EMAC_BASE        0x01c0b000
-#define AW_A10_SATA_BASE        0x01c18000
-
 #define AW_A10_SDRAM_BASE       0x40000000
 
 #define TYPE_AW_A10 "allwinner-a10"
diff --git a/hw/arm/allwinner-a10.c b/hw/arm/allwinner-a10.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/allwinner-a10.c
+++ b/hw/arm/allwinner-a10.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/misc/unimp.h"
 #include "sysemu/sysemu.h"
 
+#define AW_A10_PIC_REG_BASE     0x01c20400
+#define AW_A10_PIT_REG_BASE     0x01c20c00
+#define AW_A10_UART0_REG_BASE   0x01c28000
+#define AW_A10_EMAC_BASE        0x01c0b000
+#define AW_A10_SATA_BASE        0x01c18000
+
 static void aw_a10_init(Object *obj)
 {
     AwA10State *s = AW_A10(obj);
-- 
2.20.1

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

By calling qdev_pass_gpios() we don't need to hold a copy of the
IRQs from the INTC into the SoC state.
Instead of filling an array of qemu_irq and passing it around, we
can now directly call qdev_get_gpio_in() on the SoC.

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20191230110953.25496-5-f4bug@amsat.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/arm/allwinner-a10.h |  1 -
 hw/arm/allwinner-a10.c         | 24 +++++++++++-------------
 2 files changed, 11 insertions(+), 14 deletions(-)

diff --git a/include/hw/arm/allwinner-a10.h b/include/hw/arm/allwinner-a10.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/allwinner-a10.h
+++ b/include/hw/arm/allwinner-a10.h
@@ -XXX,XX +XXX,XX @@ typedef struct AwA10State {
     /*< public >*/
 
     ARMCPU cpu;
-    qemu_irq irq[AW_A10_PIC_INT_NR];
     AwA10PITState timer;
     AwA10PICState intc;
     AwEmacState emac;
diff --git a/hw/arm/allwinner-a10.c b/hw/arm/allwinner-a10.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/allwinner-a10.c
+++ b/hw/arm/allwinner-a10.c
@@ -XXX,XX +XXX,XX @@ static void aw_a10_realize(DeviceState *dev, Error **errp)
 {
     AwA10State *s = AW_A10(dev);
     SysBusDevice *sysbusdev;
-    uint8_t i;
     qemu_irq fiq, irq;
     Error *err = NULL;
 
@@ -XXX,XX +XXX,XX @@ static void aw_a10_realize(DeviceState *dev, Error **errp)
     sysbus_mmio_map(sysbusdev, 0, AW_A10_PIC_REG_BASE);
     sysbus_connect_irq(sysbusdev, 0, irq);
     sysbus_connect_irq(sysbusdev, 1, fiq);
-    for (i = 0; i < AW_A10_PIC_INT_NR; i++) {
-        s->irq[i] = qdev_get_gpio_in(DEVICE(&s->intc), i);
-    }
+    qdev_pass_gpios(DEVICE(&s->intc), dev, NULL);
 
     object_property_set_bool(OBJECT(&s->timer), true, "realized", &err);
     if (err != NULL) {
@@ -XXX,XX +XXX,XX @@ static void aw_a10_realize(DeviceState *dev, Error **errp)
     }
     sysbusdev = SYS_BUS_DEVICE(&s->timer);
     sysbus_mmio_map(sysbusdev, 0, AW_A10_PIT_REG_BASE);
-    sysbus_connect_irq(sysbusdev, 0, s->irq[22]);
-    sysbus_connect_irq(sysbusdev, 1, s->irq[23]);
-    sysbus_connect_irq(sysbusdev, 2, s->irq[24]);
-    sysbus_connect_irq(sysbusdev, 3, s->irq[25]);
-    sysbus_connect_irq(sysbusdev, 4, s->irq[67]);
-    sysbus_connect_irq(sysbusdev, 5, s->irq[68]);
+    sysbus_connect_irq(sysbusdev, 0, qdev_get_gpio_in(dev, 22));
+    sysbus_connect_irq(sysbusdev, 1, qdev_get_gpio_in(dev, 23));
+    sysbus_connect_irq(sysbusdev, 2, qdev_get_gpio_in(dev, 24));
+    sysbus_connect_irq(sysbusdev, 3, qdev_get_gpio_in(dev, 25));
+    sysbus_connect_irq(sysbusdev, 4, qdev_get_gpio_in(dev, 67));
+    sysbus_connect_irq(sysbusdev, 5, qdev_get_gpio_in(dev, 68));
 
     memory_region_init_ram(&s->sram_a, OBJECT(dev), "sram A", 48 * KiB,
                            &error_fatal);
@@ -XXX,XX +XXX,XX @@ static void aw_a10_realize(DeviceState *dev, Error **errp)
     }
     sysbusdev = SYS_BUS_DEVICE(&s->emac);
     sysbus_mmio_map(sysbusdev, 0, AW_A10_EMAC_BASE);
-    sysbus_connect_irq(sysbusdev, 0, s->irq[55]);
+    sysbus_connect_irq(sysbusdev, 0, qdev_get_gpio_in(dev, 55));
 
     object_property_set_bool(OBJECT(&s->sata), true, "realized", &err);
     if (err) {
@@ -XXX,XX +XXX,XX @@ static void aw_a10_realize(DeviceState *dev, Error **errp)
         return;
     }
     sysbus_mmio_map(SYS_BUS_DEVICE(&s->sata), 0, AW_A10_SATA_BASE);
-    sysbus_connect_irq(SYS_BUS_DEVICE(&s->sata), 0, s->irq[56]);
+    sysbus_connect_irq(SYS_BUS_DEVICE(&s->sata), 0, qdev_get_gpio_in(dev, 56));
 
     /* FIXME use a qdev chardev prop instead of serial_hd() */
-    serial_mm_init(get_system_memory(), AW_A10_UART0_REG_BASE, 2, s->irq[1],
+    serial_mm_init(get_system_memory(), AW_A10_UART0_REG_BASE, 2,
+                   qdev_get_gpio_in(dev, 1),
                    115200, serial_hd(0), DEVICE_NATIVE_ENDIAN);
 }
 
-- 
2.20.1

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

We won't reuse the CPU IRQ/FIQ variables. Simplify by calling
qdev_get_gpio_in() in place.

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20191230110953.25496-6-f4bug@amsat.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/allwinner-a10.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/hw/arm/allwinner-a10.c b/hw/arm/allwinner-a10.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/allwinner-a10.c
+++ b/hw/arm/allwinner-a10.c
@@ -XXX,XX +XXX,XX @@ static void aw_a10_realize(DeviceState *dev, Error **errp)
 {
     AwA10State *s = AW_A10(dev);
     SysBusDevice *sysbusdev;
-    qemu_irq fiq, irq;
     Error *err = NULL;
 
     object_property_set_bool(OBJECT(&s->cpu), true, "realized", &err);
@@ -XXX,XX +XXX,XX @@ static void aw_a10_realize(DeviceState *dev, Error **errp)
         error_propagate(errp, err);
         return;
     }
-    irq = qdev_get_gpio_in(DEVICE(&s->cpu), ARM_CPU_IRQ);
-    fiq = qdev_get_gpio_in(DEVICE(&s->cpu), ARM_CPU_FIQ);
 
     object_property_set_bool(OBJECT(&s->intc), true, "realized", &err);
     if (err != NULL) {
@@ -XXX,XX +XXX,XX @@ static void aw_a10_realize(DeviceState *dev, Error **errp)
     }
     sysbusdev = SYS_BUS_DEVICE(&s->intc);
     sysbus_mmio_map(sysbusdev, 0, AW_A10_PIC_REG_BASE);
-    sysbus_connect_irq(sysbusdev, 0, irq);
-    sysbus_connect_irq(sysbusdev, 1, fiq);
+    sysbus_connect_irq(sysbusdev, 0,
+                       qdev_get_gpio_in(DEVICE(&s->cpu), ARM_CPU_IRQ));
+    sysbus_connect_irq(sysbusdev, 1,
+                       qdev_get_gpio_in(DEVICE(&s->cpu), ARM_CPU_FIQ));
     qdev_pass_gpios(DEVICE(&s->intc), dev, NULL);
 
     object_property_set_bool(OBJECT(&s->timer), true, "realized", &err);
-- 
2.20.1

From: Masahiro Yamada <masahiroy@kernel.org>

According to the specification "Semihosting for AArch32 and Aarch64",
the SYS_OPEN operation should return:

- A nonzero handle if the call is successful
 - -1 if the call is not successful

So, it should never return 0.

Prior to commit 35e9a0a8ce4b ("target/arm/arm-semi: Make semihosting
code hand out its own file descriptors"), the guest fd matched to the
host fd. It returned a nonzero handle on success since the fd 0 is
already used for stdin.

Now that the guest fd is the index of guestfd_array, it starts from 0.

I noticed this issue particularly because Trusted Firmware-A built with
PLAT=qemu is no longer working. Its io_semihosting driver only handles
a positive return value as a valid filehandle.

Basically, there are two ways to fix this:

- Use (guestfd - 1) as the index of guestfs_arrary. We need to insert
    increment/decrement to convert the guestfd and the array index back
    and forth.

- Keep using guestfd as the index of guestfs_array. The first entry
    of guestfs_array is left unused.

I thought the latter is simpler. We end up with wasting a small piece
of memory for the unused first entry of guestfd_array, but this is
probably not a big deal.

Fixes: 35e9a0a8ce4b ("target/arm/arm-semi: Make semihosting code hand out its own file descriptors")
Cc: qemu-stable@nongnu.org
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200109041228.10131-1-masahiroy@kernel.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/arm-semi.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/target/arm/arm-semi.c b/target/arm/arm-semi.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/arm-semi.c
+++ b/target/arm/arm-semi.c
@@ -XXX,XX +XXX,XX @@ static int alloc_guestfd(void)
         guestfd_array = g_array_new(FALSE, TRUE, sizeof(GuestFD));
     }
 
-    for (i = 0; i < guestfd_array->len; i++) {
+    /* SYS_OPEN should return nonzero handle on success. Start guestfd from 1 */
+    for (i = 1; i < guestfd_array->len; i++) {
         GuestFD *gf = &g_array_index(guestfd_array, GuestFD, i);
 
         if (gf->type == GuestFDUnused) {
@@ -XXX,XX +XXX,XX @@ static GuestFD *do_get_guestfd(int guestfd)
         return NULL;
     }
 
-    if (guestfd < 0 || guestfd >= guestfd_array->len) {
+    if (guestfd <= 0 || guestfd >= guestfd_array->len) {
         return NULL;
     }
 
-- 
2.20.1

From: Martin Kaiser <martin@kaiser.cx>

Add an emulation for the RNGC random number generator and the compatible
RNGB variant. These peripherals are included (at least) in imx25 and
imx35 chipsets.

The emulation supports the initial self test, reseeding the prng and
reading random numbers.

Signed-off-by: Martin Kaiser <martin@kaiser.cx>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/misc/Makefile.objs      |   1 +
 include/hw/arm/fsl-imx25.h |   5 +
 include/hw/misc/imx_rngc.h |  35 +++++
 hw/arm/fsl-imx25.c         |  11 ++
 hw/misc/imx_rngc.c         | 278 +++++++++++++++++++++++++++++++++++++
 5 files changed, 330 insertions(+)
 create mode 100644 include/hw/misc/imx_rngc.h
 create mode 100644 hw/misc/imx_rngc.c

diff --git a/hw/misc/Makefile.objs b/hw/misc/Makefile.objs
index XXXXXXX..XXXXXXX 100644
--- a/hw/misc/Makefile.objs
+++ b/hw/misc/Makefile.objs
@@ -XXX,XX +XXX,XX @@ common-obj-$(CONFIG_IMX) += imx7_ccm.o
 common-obj-$(CONFIG_IMX) += imx2_wdt.o
 common-obj-$(CONFIG_IMX) += imx7_snvs.o
 common-obj-$(CONFIG_IMX) += imx7_gpr.o
+common-obj-$(CONFIG_IMX) += imx_rngc.o
 common-obj-$(CONFIG_MILKYMIST) += milkymist-hpdmc.o
 common-obj-$(CONFIG_MILKYMIST) += milkymist-pfpu.o
 common-obj-$(CONFIG_MAINSTONE) += mst_fpga.o
diff --git a/include/hw/arm/fsl-imx25.h b/include/hw/arm/fsl-imx25.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/fsl-imx25.h
+++ b/include/hw/arm/fsl-imx25.h
@@ -XXX,XX +XXX,XX @@
 #include "hw/timer/imx_gpt.h"
 #include "hw/timer/imx_epit.h"
 #include "hw/net/imx_fec.h"
+#include "hw/misc/imx_rngc.h"
 #include "hw/i2c/imx_i2c.h"
 #include "hw/gpio/imx_gpio.h"
 #include "exec/memory.h"
@@ -XXX,XX +XXX,XX @@ typedef struct FslIMX25State {
     IMXGPTState    gpt[FSL_IMX25_NUM_GPTS];
     IMXEPITState   epit[FSL_IMX25_NUM_EPITS];
     IMXFECState    fec;
+    IMXRNGCState   rngc;
     IMXI2CState    i2c[FSL_IMX25_NUM_I2CS];
     IMXGPIOState   gpio[FSL_IMX25_NUM_GPIOS];
     MemoryRegion   rom[2];
@@ -XXX,XX +XXX,XX @@ typedef struct FslIMX25State {
 #define FSL_IMX25_GPIO4_SIZE    0x4000
 #define FSL_IMX25_GPIO3_ADDR    0x53FA4000
 #define FSL_IMX25_GPIO3_SIZE    0x4000
+#define FSL_IMX25_RNGC_ADDR     0x53FB0000
+#define FSL_IMX25_RNGC_SIZE     0x4000
 #define FSL_IMX25_GPIO1_ADDR    0x53FCC000
 #define FSL_IMX25_GPIO1_SIZE    0x4000
 #define FSL_IMX25_GPIO2_ADDR    0x53FD0000
@@ -XXX,XX +XXX,XX @@ typedef struct FslIMX25State {
 #define FSL_IMX25_EPIT1_IRQ     28
 #define FSL_IMX25_EPIT2_IRQ     27
 #define FSL_IMX25_FEC_IRQ       57
+#define FSL_IMX25_RNGC_IRQ      22
 #define FSL_IMX25_I2C1_IRQ      3
 #define FSL_IMX25_I2C2_IRQ      4
 #define FSL_IMX25_I2C3_IRQ      10
diff --git a/include/hw/misc/imx_rngc.h b/include/hw/misc/imx_rngc.h
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/include/hw/misc/imx_rngc.h
@@ -XXX,XX +XXX,XX @@
+/*
+ * Freescale i.MX RNGC emulation
+ *
+ * Copyright (C) 2020 Martin Kaiser <martin@kaiser.cx>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#ifndef IMX_RNGC_H
+#define IMX_RNGC_H
+
+#include "hw/sysbus.h"
+
+#define TYPE_IMX_RNGC "imx.rngc"
+#define IMX_RNGC(obj) OBJECT_CHECK(IMXRNGCState, (obj), TYPE_IMX_RNGC)
+
+typedef struct IMXRNGCState {
+    /*< private >*/
+    SysBusDevice parent_obj;
+
+    /*< public >*/
+    MemoryRegion  iomem;
+
+    uint8_t op_self_test;
+    uint8_t op_seed;
+    uint8_t mask;
+    bool    auto_seed;
+
+    QEMUBH *self_test_bh;
+    QEMUBH *seed_bh;
+    qemu_irq irq;
+} IMXRNGCState;
+
+#endif /* IMX_RNGC_H */
diff --git a/hw/arm/fsl-imx25.c b/hw/arm/fsl-imx25.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/fsl-imx25.c
+++ b/hw/arm/fsl-imx25.c
@@ -XXX,XX +XXX,XX @@ static void fsl_imx25_init(Object *obj)
 
     sysbus_init_child_obj(obj, "fec", &s->fec, sizeof(s->fec), TYPE_IMX_FEC);
 
+    sysbus_init_child_obj(obj, "rngc", &s->rngc, sizeof(s->rngc),
+                          TYPE_IMX_RNGC);
+
     for (i = 0; i < FSL_IMX25_NUM_I2CS; i++) {
         sysbus_init_child_obj(obj, "i2c[*]", &s->i2c[i], sizeof(s->i2c[i]),
                               TYPE_IMX_I2C);
@@ -XXX,XX +XXX,XX @@ static void fsl_imx25_realize(DeviceState *dev, Error **errp)
     sysbus_connect_irq(SYS_BUS_DEVICE(&s->fec), 0,
                        qdev_get_gpio_in(DEVICE(&s->avic), FSL_IMX25_FEC_IRQ));
 
+    object_property_set_bool(OBJECT(&s->rngc), true, "realized", &err);
+    if (err) {
+        error_propagate(errp, err);
+        return;
+    }
+    sysbus_mmio_map(SYS_BUS_DEVICE(&s->rngc), 0, FSL_IMX25_RNGC_ADDR);
+    sysbus_connect_irq(SYS_BUS_DEVICE(&s->rngc), 0,
+                       qdev_get_gpio_in(DEVICE(&s->avic), FSL_IMX25_RNGC_IRQ));
 
     /* Initialize all I2C */
     for (i = 0; i < FSL_IMX25_NUM_I2CS; i++) {
diff --git a/hw/misc/imx_rngc.c b/hw/misc/imx_rngc.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/hw/misc/imx_rngc.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * Freescale i.MX RNGC emulation
+ *
+ * Copyright (C) 2020 Martin Kaiser <martin@kaiser.cx>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ *
+ * This driver provides the minimum functionality to initialize and seed
+ * an rngc and to read random numbers. The rngb that is found in imx25
+ * chipsets is also supported.
+ */
+
+#include "qemu/osdep.h"
+#include "qemu/main-loop.h"
+#include "qemu/module.h"
+#include "qemu/log.h"
+#include "qemu/guest-random.h"
+#include "hw/irq.h"
+#include "hw/misc/imx_rngc.h"
+#include "migration/vmstate.h"
+
+#define RNGC_NAME "i.MX RNGC"
+
+#define RNGC_VER_ID  0x00
+#define RNGC_COMMAND 0x04
+#define RNGC_CONTROL 0x08
+#define RNGC_STATUS  0x0C
+#define RNGC_FIFO    0x14
+
+/* These version info are reported by the rngb in an imx258 chip. */
+#define RNG_TYPE_RNGB 0x1
+#define V_MAJ 0x2
+#define V_MIN 0x40
+
+#define RNGC_CMD_BIT_SW_RST    0x40
+#define RNGC_CMD_BIT_CLR_ERR   0x20
+#define RNGC_CMD_BIT_CLR_INT   0x10
+#define RNGC_CMD_BIT_SEED      0x02
+#define RNGC_CMD_BIT_SELF_TEST 0x01
+
+#define RNGC_CTRL_BIT_MASK_ERR  0x40
+#define RNGC_CTRL_BIT_MASK_DONE 0x20
+#define RNGC_CTRL_BIT_AUTO_SEED 0x10
+
+/* the current status for self-test and seed operations */
+#define OP_IDLE 0
+#define OP_RUN  1
+#define OP_DONE 2
+
+static uint64_t imx_rngc_read(void *opaque, hwaddr offset, unsigned size)
+{
+    IMXRNGCState *s = IMX_RNGC(opaque);
+    uint64_t val = 0;
+
+    switch (offset) {
+    case RNGC_VER_ID:
+        val |= RNG_TYPE_RNGB << 28 | V_MAJ << 8 | V_MIN;
+        break;
+
+    case RNGC_COMMAND:
+        if (s->op_seed == OP_RUN) {
+            val |= RNGC_CMD_BIT_SEED;
+        }
+        if (s->op_self_test == OP_RUN) {
+            val |= RNGC_CMD_BIT_SELF_TEST;
+        }
+        break;
+
+    case RNGC_CONTROL:
+        /*
+         * The CTL_ACC and VERIF_MODE bits are not supported yet.
+         * They read as 0.
+         */
+        val |= s->mask;
+        if (s->auto_seed) {
+            val |= RNGC_CTRL_BIT_AUTO_SEED;
+        }
+        /*
+         * We don't have an internal fifo like the real hardware.
+         * There's no need for strategy to handle fifo underflows.
+         * We return the FIFO_UFLOW_RESPONSE bits as 0.
+         */
+        break;
+
+    case RNGC_STATUS:
+        /*
+         * We never report any statistics test or self-test errors or any
+         * other errors. STAT_TEST_PF, ST_PF and ERROR are always 0.
+         */
+
+        /*
+         * We don't have an internal fifo, see above. Therefore, we
+         * report back the default fifo size (5 32-bit words) and
+         * indicate that our fifo is always full.
+         */
+        val |= 5 << 12 | 5 << 8;
+
+        /* We always have a new seed available. */
+        val |= 1 << 6;
+
+        if (s->op_seed == OP_DONE) {
+            val |= 1 << 5;
+        }
+        if (s->op_self_test == OP_DONE) {
+            val |= 1 << 4;
+        }
+        if (s->op_seed == OP_RUN || s->op_self_test == OP_RUN) {
+            /*
+             * We're busy if self-test is running or if we're
+             * seeding the prng.
+             */
+            val |= 1 << 1;
+        } else {
+            /*
+             * We're ready to provide secure random numbers whenever
+             * we're not busy.
+             */
+            val |= 1;
+        }
+        break;
+
+    case RNGC_FIFO:
+        qemu_guest_getrandom_nofail(&val, sizeof(val));
+        break;
+    }
+
+    return val;
+}
+
+static void imx_rngc_do_reset(IMXRNGCState *s)
+{
+    s->op_self_test = OP_IDLE;
+    s->op_seed = OP_IDLE;
+    s->mask = 0;
+    s->auto_seed = false;
+}
+
+static void imx_rngc_write(void *opaque, hwaddr offset, uint64_t value,
+                           unsigned size)
+{
+    IMXRNGCState *s = IMX_RNGC(opaque);
+
+    switch (offset) {
+    case RNGC_COMMAND:
+        if (value & RNGC_CMD_BIT_SW_RST) {
+            imx_rngc_do_reset(s);
+        }
+
+        /*
+         * For now, both CLR_ERR and CLR_INT clear the interrupt. We
+         * don't report any errors yet.
+         */
+        if (value & (RNGC_CMD_BIT_CLR_ERR | RNGC_CMD_BIT_CLR_INT)) {
+            qemu_irq_lower(s->irq);
+        }
+
+        if (value & RNGC_CMD_BIT_SEED) {
+            s->op_seed = OP_RUN;
+            qemu_bh_schedule(s->seed_bh);
+        }
+
+        if (value & RNGC_CMD_BIT_SELF_TEST) {
+            s->op_self_test = OP_RUN;
+            qemu_bh_schedule(s->self_test_bh);
+        }
+        break;
+
+    case RNGC_CONTROL:
+        /*
+         * The CTL_ACC and VERIF_MODE bits are not supported yet.
+         * We ignore them if they're set by the caller.
+         */
+
+        if (value & RNGC_CTRL_BIT_MASK_ERR) {
+            s->mask |= RNGC_CTRL_BIT_MASK_ERR;
+        } else {
+            s->mask &= ~RNGC_CTRL_BIT_MASK_ERR;
+        }
+
+        if (value & RNGC_CTRL_BIT_MASK_DONE) {
+            s->mask |= RNGC_CTRL_BIT_MASK_DONE;
+        } else {
+            s->mask &= ~RNGC_CTRL_BIT_MASK_DONE;
+        }
+
+        if (value & RNGC_CTRL_BIT_AUTO_SEED) {
+            s->auto_seed = true;
+        } else {
+            s->auto_seed = false;
+        }
+        break;
+    }
+}
+
+static const MemoryRegionOps imx_rngc_ops = {
+    .read  = imx_rngc_read,
+    .write = imx_rngc_write,
+    .endianness = DEVICE_NATIVE_ENDIAN,
+};
+
+static void imx_rngc_self_test(void *opaque)
+{
+    IMXRNGCState *s = IMX_RNGC(opaque);
+
+    s->op_self_test = OP_DONE;
+    if (!(s->mask & RNGC_CTRL_BIT_MASK_DONE)) {
+        qemu_irq_raise(s->irq);
+    }
+}
+
+static void imx_rngc_seed(void *opaque)
+{
+    IMXRNGCState *s = IMX_RNGC(opaque);
+
+    s->op_seed = OP_DONE;
+    if (!(s->mask & RNGC_CTRL_BIT_MASK_DONE)) {
+        qemu_irq_raise(s->irq);
+    }
+}
+
+static void imx_rngc_realize(DeviceState *dev, Error **errp)
+{
+    IMXRNGCState *s = IMX_RNGC(dev);
+    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
+
+    memory_region_init_io(&s->iomem, OBJECT(s), &imx_rngc_ops, s,
+                          TYPE_IMX_RNGC, 0x1000);
+    sysbus_init_mmio(sbd, &s->iomem);
+
+    sysbus_init_irq(sbd, &s->irq);
+    s->self_test_bh = qemu_bh_new(imx_rngc_self_test, s);
+    s->seed_bh = qemu_bh_new(imx_rngc_seed, s);
+}
+
+static void imx_rngc_reset(DeviceState *dev)
+{
+    IMXRNGCState *s = IMX_RNGC(dev);
+
+    imx_rngc_do_reset(s);
+}
+
+static const VMStateDescription vmstate_imx_rngc = {
+    .name = RNGC_NAME,
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .fields = (VMStateField[]) {
+        VMSTATE_UINT8(op_self_test, IMXRNGCState),
+        VMSTATE_UINT8(op_seed, IMXRNGCState),
+        VMSTATE_UINT8(mask, IMXRNGCState),
+        VMSTATE_BOOL(auto_seed, IMXRNGCState),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+static void imx_rngc_class_init(ObjectClass *klass, void *data)
+{
+    DeviceClass *dc = DEVICE_CLASS(klass);
+
+    dc->realize = imx_rngc_realize;
+    dc->reset = imx_rngc_reset;
+    dc->desc = RNGC_NAME,
+    dc->vmsd = &vmstate_imx_rngc;
+}
+
+static const TypeInfo imx_rngc_info = {
+    .name          = TYPE_IMX_RNGC,
+    .parent        = TYPE_SYS_BUS_DEVICE,
+    .instance_size = sizeof(IMXRNGCState),
+    .class_init    = imx_rngc_class_init,
+};
+
+static void imx_rngc_register_types(void)
+{
+    type_register_static(&imx_rngc_info);
+}
+
+type_init(imx_rngc_register_types)
-- 
2.20.1

From: Jeff Kubascik <jeff.kubascik@dornerworks.com>

The wfi instruction can be configured to be trapped by a higher exception
level, such as the EL2 hypervisor. When the instruction is trapped, the
program counter should contain the address of the wfi instruction that
caused the exception. The program counter is adjusted for this in the wfi op
helper function.

However, this correction is done to env->pc, which only applies to AArch64
mode. For AArch32, the program counter is stored in env->regs[15]. This
adds an if-else statement to modify the correct program counter location
based on the the current CPU mode.

Signed-off-by: Jeff Kubascik <jeff.kubascik@dornerworks.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/op_helper.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/target/arm/op_helper.c b/target/arm/op_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/op_helper.c
+++ b/target/arm/op_helper.c
@@ -XXX,XX +XXX,XX @@ void HELPER(wfi)(CPUARMState *env, uint32_t insn_len)
     }
 
     if (target_el) {
-        env->pc -= insn_len;
+        if (env->aarch64) {
+            env->pc -= insn_len;
+        } else {
+            env->regs[15] -= insn_len;
+        }
+
         raise_exception(env, EXCP_UDEF, syn_wfx(1, 0xe, 0, insn_len == 2),
                         target_el);
     }
-- 
2.20.1

From: Jeff Kubascik <jeff.kubascik@dornerworks.com>

The IAR0/IAR1 register is used to acknowledge an interrupt - a read of the
register activates the highest priority pending interrupt and provides its
interrupt ID. Activating an interrupt can change the CPU's virtual interrupt
state - this change makes sure the virtual irq state is updated.

Signed-off-by: Jeff Kubascik <jeff.kubascik@dornerworks.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20200113154607.97032-1-jeff.kubascik@dornerworks.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/intc/arm_gicv3_cpuif.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/intc/arm_gicv3_cpuif.c b/hw/intc/arm_gicv3_cpuif.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3_cpuif.c
+++ b/hw/intc/arm_gicv3_cpuif.c
@@ -XXX,XX +XXX,XX @@ static uint64_t icv_iar_read(CPUARMState *env, const ARMCPRegInfo *ri)
 
     trace_gicv3_icv_iar_read(ri->crm == 8 ? 0 : 1,
                              gicv3_redist_affid(cs), intid);
+
+    gicv3_cpuif_virt_update(cs);
+
     return intid;
 }
 
-- 
2.20.1

From: Jeff Kubascik <jeff.kubascik@dornerworks.com>

The IL bit is set for 32-bit instructions, thus passing false
with the is_16bit parameter to syn_data_abort_with_iss() makes
a syn mask that always has the IL bit set.

Pass is_16bit as true to make the initial syn mask have IL=0,
so that the final IL value comes from or'ing template_syn.

Cc: qemu-stable@nongnu.org
Fixes: aaa1f954d4ca ("target-arm: A64: Create Instruction Syndromes for Data Aborts")
Signed-off-by: Jeff Kubascik <jeff.kubascik@dornerworks.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200117004618.2742-2-richard.henderson@linaro.org
[rth: Extracted this as a self-contained bug fix from a larger patch]
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/tlb_helper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/arm/tlb_helper.c b/target/arm/tlb_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tlb_helper.c
+++ b/target/arm/tlb_helper.c
@@ -XXX,XX +XXX,XX @@ static inline uint32_t merge_syn_data_abort(uint32_t template_syn,
         syn = syn_data_abort_with_iss(same_el,
                                       0, 0, 0, 0, 0,
                                       ea, 0, s1ptw, is_write, fsc,
-                                      false);
+                                      true);
         /* Merge the runtime syndrome with the template syndrome.  */
         syn |= template_syn;
     }
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

During the conversion to decodetree, the setting of
ISSIs16Bit got lost.  This causes the guest os to
incorrectly adjust trapping memory operations.

Cc: qemu-stable@nongnu.org
Fixes: 46beb58efbb8a2a32 ("target/arm: Convert T16, load (literal)")
Reported-by: Jeff Kubascik <jeff.kubascik@dornerworks.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200117004618.2742-3-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static ISSInfo make_issinfo(DisasContext *s, int rd, bool p, bool w)
     /* ISS not valid if writeback */
     if (p && !w) {
         ret = rd;
+        if (s->base.pc_next - s->pc_curr == 2) {
+            ret |= ISSIs16Bit;
+        }
     } else {
         ret = ISSInvalid;
     }
-- 
2.20.1