Series comparison

-[Qemu-devel] [PULL 00/10] target-arm queue
+[PULL 00/34] target-arm queue
-target-arm queue for rc1 -- these are all bug fixes.
+I might squeeze in another pullreq before softfreeze, but the
 queue was already big enough that I wanted to send this lot out now.
-thanks
 -- PMM
-The following changes since commit b9404bf592e7ba74180e1a54ed7a266ec6ee67f2:
+The following changes since commit 4abf70a661a5df3886ac9d7c19c3617fa92b922a:
-  Merge remote-tracking branch 'remotes/dgilbert/tags/pull-hmp-20190715' into staging (2019-07-15 12:22:07 +0100)
+  Merge remote-tracking branch 'remotes/maxreitz/tags/pull-block-2020-06-24' into staging (2020-07-03 15:34:45 +0100)
 are available in the Git repository at:
-  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20190715
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20200703
-for you to fetch changes up to 51c9122e92b776a3f16af0b9282f1dc5012e2a19:
+for you to fetch changes up to 0f10bf84a9d489259a5b11c6aa1b05c1175b76ea:
-  target/arm: NS BusFault on vector table fetch escalates to NS HardFault (2019-07-15 14:17:04 +0100)
+  Deprecate TileGX port (2020-07-03 16:59:46 +0100)
 ----------------------------------------------------------------
 target-arm queue:
- * report ARMv8-A FP support for AArch32 -cpu max
+ * i.MX6UL EVK board: put PHYs in the correct places
- * hw/ssi/xilinx_spips: Avoid AXI writes to the LQSPI linear memory
+ * hw/arm/virt: Let the virtio-iommu bypass MSIs
- * hw/ssi/xilinx_spips: Avoid out-of-bound access to lqspi_buf[]
+ * target/arm: kvm: Handle DABT with no valid ISS
- * hw/ssi/mss-spi: Avoid crash when reading empty RX FIFO
+ * hw/arm/virt-acpi-build: Only expose flash on older machine types
- * hw/display/xlnx_dp: Avoid crash when reading empty RX FIFO
+ * target/arm: Fix temp double-free in sve ldr/str
- * hw/arm/virt: Fix non-secure flash mode
+ * hw/display/bcm2835_fb.c: Initialize all fields of struct
- * pl031: Correctly migrate state when using -rtc clock=host
+ * hw/arm/spitz: Code cleanup to fix Coverity-detected memory leak
- * fix regression that meant arm926 and arm1026 lost VFP
+ * Deprecate TileGX port
    double-precision support
  * v8M: NS BusFault on vector table fetch escalates to NS HardFault
 ----------------------------------------------------------------
-Alex Bennée (1):
+Andrew Jones (4):
-      target/arm: report ARMv8-A FP support for AArch32 -cpu max
+      tests/acpi: remove stale allowed tables
       tests/acpi: virt: allow DSDT acpi table changes
       hw/arm/virt-acpi-build: Only expose flash on older machine types
       tests/acpi: virt: update golden masters for DSDT
-David Engraf (1):
+Beata Michalska (2):
-      hw/arm/virt: Fix non-secure flash mode
+      target/arm: kvm: Handle DABT with no valid ISS
       target/arm: kvm: Handle misconfigured dabt injection
-Peter Maydell (3):
+Eric Auger (5):
-      pl031: Correctly migrate state when using -rtc clock=host
+      qdev: Introduce DEFINE_PROP_RESERVED_REGION
-      target/arm: Set VFP-related MVFR0 fields for arm926 and arm1026
+      virtio-iommu: Implement RESV_MEM probe request
-      target/arm: NS BusFault on vector table fetch escalates to NS HardFault
+      virtio-iommu: Handle reserved regions in the translation process
       virtio-iommu-pci: Add array of Interval properties
       hw/arm/virt: Let the virtio-iommu bypass MSIs
-Philippe Mathieu-Daudé (5):
+Jean-Christophe Dubois (3):
-      hw/ssi/xilinx_spips: Convert lqspi_read() to read_with_attrs
+      Add a phy-num property to the i.MX FEC emulator
-      hw/ssi/xilinx_spips: Avoid AXI writes to the LQSPI linear memory
+      Add the ability to select a different PHY for each i.MX6UL FEC interface
-      hw/ssi/xilinx_spips: Avoid out-of-bound access to lqspi_buf[]
+      Select MDIO device 2 and 1 as PHY devices for i.MX6UL EVK board.
       hw/ssi/mss-spi: Avoid crash when reading empty RX FIFO
       hw/display/xlnx_dp: Avoid crash when reading empty RX FIFO
- include/hw/timer/pl031.h |  2 ++
+Peter Maydell (19):
- hw/arm/virt.c            |  2 +-
+      hw/display/bcm2835_fb.c: Initialize all fields of struct
- hw/core/machine.c        |  1 +
+      hw/arm/spitz: Detabify
- hw/display/xlnx_dp.c     | 15 +++++---
+      hw/arm/spitz: Create SpitzMachineClass abstract base class
- hw/ssi/mss-spi.c         |  8 ++++-
+      hw/arm/spitz: Keep pointers to MPU and SSI devices in SpitzMachineState
- hw/ssi/xilinx_spips.c    | 43 +++++++++++++++-------
+      hw/arm/spitz: Keep pointers to scp0, scp1 in SpitzMachineState
- hw/timer/pl031.c         | 92 +++++++++++++++++++++++++++++++++++++++++++++---
+      hw/arm/spitz: Implement inbound GPIO lines for bit5 and power signals
- target/arm/cpu.c         | 16 +++++++++
+      hw/misc/max111x: provide QOM properties for setting initial values
- target/arm/m_helper.c    | 21 ++++++++---
+      hw/misc/max111x: Don't use vmstate_register()
-files changed, 174 insertions(+), 26 deletions(-)
+      ssi: Add ssi_realize_and_unref()
       hw/arm/spitz: Use max111x properties to set initial values
       hw/misc/max111x: Use GPIO lines rather than max111x_set_input()
       hw/misc/max111x: Create header file for documentation, TYPE_ macros
       hw/arm/spitz: Encapsulate misc GPIO handling in a device
       hw/gpio/zaurus.c: Use LOG_GUEST_ERROR for bad guest register accesses
       hw/arm/spitz: Use LOG_GUEST_ERROR for bad guest register accesses
       hw/arm/pxa2xx_pic: Use LOG_GUEST_ERROR for bad guest register accesses
       hw/arm/spitz: Provide usual QOM macros for corgi-ssp and spitz-lcdtg
       Replace uses of FROM_SSI_SLAVE() macro with QOM casts
       Deprecate TileGX port
+Richard Henderson (1):
+      target/arm: Fix temp double-free in sve ldr/str
+ docs/system/deprecated.rst                  |  11 +
+ include/exec/memory.h                       |   6 +
+ include/hw/arm/fsl-imx6ul.h                 |   2 +
+ include/hw/arm/pxa.h                        |   1 -
+ include/hw/arm/sharpsl.h                    |   3 -
+ include/hw/arm/virt.h                       |   8 +
+ include/hw/misc/max111x.h                   |  56 +++
+ include/hw/net/imx_fec.h                    |   1 +
+ include/hw/qdev-properties.h                |   3 +
+ include/hw/ssi/ssi.h                        |  31 +-
+ include/hw/virtio/virtio-iommu.h            |   2 +
+ include/qemu/typedefs.h                     |   1 +
+ target/arm/cpu.h                            |   2 +
+ target/arm/kvm_arm.h                        |  10 +
+ target/arm/translate-a64.h                  |   1 +
+ tests/qtest/bios-tables-test-allowed-diff.h |  18 -
+ hw/arm/fsl-imx6ul.c                         |  10 +
+ hw/arm/mcimx6ul-evk.c                       |   2 +
+ hw/arm/pxa2xx_pic.c                         |   9 +-
+ hw/arm/spitz.c                              | 507 ++++++++++++++++------------
+ hw/arm/virt-acpi-build.c                    |   5 +-
+ hw/arm/virt.c                               |  33 ++
+ hw/arm/z2.c                                 |  11 +-
+ hw/core/qdev-properties.c                   |  89 +++++
+ hw/display/ads7846.c                        |   9 +-
+ hw/display/bcm2835_fb.c                     |   4 +
+ hw/display/ssd0323.c                        |  10 +-
+ hw/gpio/zaurus.c                            |  12 +-
+ hw/misc/max111x.c                           |  86 +++--
+ hw/net/imx_fec.c                            |  24 +-
+ hw/sd/ssi-sd.c                              |   4 +-
+ hw/ssi/ssi.c                                |   7 +-
+ hw/virtio/virtio-iommu-pci.c                |  11 +
+ hw/virtio/virtio-iommu.c                    | 114 ++++++-
+ target/arm/kvm.c                            |  80 +++++
+ target/arm/kvm32.c                          |  34 ++
+ target/arm/kvm64.c                          |  49 +++
+ target/arm/translate-a64.c                  |   6 +
+ target/arm/translate-sve.c                  |   8 +-
+ MAINTAINERS                                 |   1 +
+ hw/net/trace-events                         |   4 +-
+ hw/virtio/trace-events                      |   1 +
+ tests/data/acpi/virt/DSDT                   | Bin 5307 -> 5205 bytes
+ tests/data/acpi/virt/DSDT.memhp             | Bin 6668 -> 6566 bytes
+ tests/data/acpi/virt/DSDT.numamem           | Bin 5307 -> 5205 bytes
+files changed, 974 insertions(+), 312 deletions(-)
+ create mode 100644 include/hw/misc/max111x.h

-New patch
+[PULL 01/34] Add a phy-num property to the i.MX FEC emulator
+From: Jean-Christophe Dubois <jcd@tribudubois.net>
+We need a solution to use an Ethernet PHY that is not the first device
+on the MDIO bus (device 0 on MDIO bus).
+As an example with the i.MX6UL the NXP SOC has 2 Ethernet devices but
+only one MDIO bus on which the 2 related PHY are connected but at unique
+addresses.
+Signed-off-by: Jean-Christophe Dubois <jcd@tribudubois.net>
+Message-id: a1a5c0e139d1c763194b8020573dcb6025daeefa.1593296112.git.jcd@tribudubois.net
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ include/hw/net/imx_fec.h |  1 +
+ hw/net/imx_fec.c         | 24 +++++++++++++++++-------
+ hw/net/trace-events      |  4 ++--
+files changed, 20 insertions(+), 9 deletions(-)
+diff --git a/include/hw/net/imx_fec.h b/include/hw/net/imx_fec.h
+index XXXXXXX..XXXXXXX 100644
+--- a/include/hw/net/imx_fec.h
++++ b/include/hw/net/imx_fec.h
+@@ -XXX,XX +XXX,XX @@ typedef struct IMXFECState {
+     uint32_t phy_advertise;
+     uint32_t phy_int;
+     uint32_t phy_int_mask;
++    uint32_t phy_num;
+     bool is_fec;
+diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/net/imx_fec.c
++++ b/hw/net/imx_fec.c
+@@ -XXX,XX +XXX,XX @@ static void imx_phy_reset(IMXFECState *s)
+ static uint32_t imx_phy_read(IMXFECState *s, int reg)
+ {
+     uint32_t val;
++    uint32_t phy = reg / 32;
+-    if (reg > 31) {
+-        /* we only advertise one phy */
++    if (phy != s->phy_num) {
++        qemu_log_mask(LOG_GUEST_ERROR, "[%s.phy]%s: Bad phy num %u\n",
++                      TYPE_IMX_FEC, __func__, phy);
+         return 0;
+     }
++    reg %= 32;
++
+     switch (reg) {
+     case 0:     /* Basic Control */
+         val = s->phy_control;
+@@ -XXX,XX +XXX,XX @@ static uint32_t imx_phy_read(IMXFECState *s, int reg)
+         break;
+     }
+-    trace_imx_phy_read(val, reg);
++    trace_imx_phy_read(val, phy, reg);
+     return val;
+ }
+ static void imx_phy_write(IMXFECState *s, int reg, uint32_t val)
+ {
+-    trace_imx_phy_write(val, reg);
++    uint32_t phy = reg / 32;
+-    if (reg > 31) {
+-        /* we only advertise one phy */
++    if (phy != s->phy_num) {
++        qemu_log_mask(LOG_GUEST_ERROR, "[%s.phy]%s: Bad phy num %u\n",
++                      TYPE_IMX_FEC, __func__, phy);
+         return;
+     }
++    reg %= 32;
++
++    trace_imx_phy_write(val, phy, reg);
++
+     switch (reg) {
+     case 0:     /* Basic Control */
+         if (val & 0x8000) {
+@@ -XXX,XX +XXX,XX @@ static void imx_eth_write(void *opaque, hwaddr offset, uint64_t value,
+                                                        extract32(value,
+, 10)));
+         } else {
+-            /* This a write operation */
++            /* This is a write operation */
+             imx_phy_write(s, extract32(value, 18, 10), extract32(value, 0, 16));
+         }
+         /* raise the interrupt as the PHY operation is done */
+@@ -XXX,XX +XXX,XX @@ static void imx_eth_realize(DeviceState *dev, Error **errp)
+ static Property imx_eth_properties[] = {
+     DEFINE_NIC_PROPERTIES(IMXFECState, conf),
+     DEFINE_PROP_UINT32("tx-ring-num", IMXFECState, tx_ring_num, 1),
++    DEFINE_PROP_UINT32("phy-num", IMXFECState, phy_num, 0),
+     DEFINE_PROP_END_OF_LIST(),
+ };
+diff --git a/hw/net/trace-events b/hw/net/trace-events
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/net/trace-events
++++ b/hw/net/trace-events
+@@ -XXX,XX +XXX,XX @@ i82596_set_multicast(uint16_t count) "Added %d multicast entries"
+ i82596_channel_attention(void *s) "%p: Received CHANNEL ATTENTION"
+ # imx_fec.c
+-imx_phy_read(uint32_t val, int reg) "0x%04"PRIx32" <= reg[%d]"
+-imx_phy_write(uint32_t val, int reg) "0x%04"PRIx32" => reg[%d]"
++imx_phy_read(uint32_t val, int phy, int reg) "0x%04"PRIx32" <= phy[%d].reg[%d]"
++imx_phy_write(uint32_t val, int phy, int reg) "0x%04"PRIx32" => phy[%d].reg[%d]"
+ imx_phy_update_link(const char *s) "%s"
+ imx_phy_reset(void) ""
+ imx_fec_read_bd(uint64_t addr, int flags, int len, int data) "tx_bd 0x%"PRIx64" flags 0x%04x len %d data 0x%08x"
+--
+.20.1

-New patch
+[PULL 02/34] Add the ability to select a different PHY for each i.MX6UL FEC interface
+From: Jean-Christophe Dubois <jcd@tribudubois.net>
+Add properties to the i.MX6UL processor to be able to select a
+particular PHY on the MDIO bus for each FEC device.
+Signed-off-by: Jean-Christophe Dubois <jcd@tribudubois.net>
+Message-id: ea1d604198b6b73ea6521676e45bacfc597aba53.1593296112.git.jcd@tribudubois.net
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ include/hw/arm/fsl-imx6ul.h |  2 ++
+ hw/arm/fsl-imx6ul.c         | 10 ++++++++++
+files changed, 12 insertions(+)
+diff --git a/include/hw/arm/fsl-imx6ul.h b/include/hw/arm/fsl-imx6ul.h
+index XXXXXXX..XXXXXXX 100644
+--- a/include/hw/arm/fsl-imx6ul.h
++++ b/include/hw/arm/fsl-imx6ul.h
+@@ -XXX,XX +XXX,XX @@ typedef struct FslIMX6ULState {
+     MemoryRegion       caam;
+     MemoryRegion       ocram;
+     MemoryRegion       ocram_alias;
++
++    uint32_t           phy_num[FSL_IMX6UL_NUM_ETHS];
+ } FslIMX6ULState;
+ enum FslIMX6ULMemoryMap {
+diff --git a/hw/arm/fsl-imx6ul.c b/hw/arm/fsl-imx6ul.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/fsl-imx6ul.c
++++ b/hw/arm/fsl-imx6ul.c
+@@ -XXX,XX +XXX,XX @@ static void fsl_imx6ul_realize(DeviceState *dev, Error **errp)
+             FSL_IMX6UL_ENET2_TIMER_IRQ,
+         };
++        object_property_set_uint(OBJECT(&s->eth[i]),
++                                 s->phy_num[i],
++                                 "phy-num", &error_abort);
+         object_property_set_uint(OBJECT(&s->eth[i]),
+                                  FSL_IMX6UL_ETH_NUM_TX_RINGS,
+                                  "tx-ring-num", &error_abort);
+@@ -XXX,XX +XXX,XX @@ static void fsl_imx6ul_realize(DeviceState *dev, Error **errp)
+                                 FSL_IMX6UL_OCRAM_ALIAS_ADDR, &s->ocram_alias);
+ }
++static Property fsl_imx6ul_properties[] = {
++    DEFINE_PROP_UINT32("fec1-phy-num", FslIMX6ULState, phy_num[0], 0),
++    DEFINE_PROP_UINT32("fec2-phy-num", FslIMX6ULState, phy_num[1], 1),
++    DEFINE_PROP_END_OF_LIST(),
++};
++
+ static void fsl_imx6ul_class_init(ObjectClass *oc, void *data)
+ {
+     DeviceClass *dc = DEVICE_CLASS(oc);
++    device_class_set_props(dc, fsl_imx6ul_properties);
+     dc->realize = fsl_imx6ul_realize;
+     dc->desc = "i.MX6UL SOC";
+     /* Reason: Uses serial_hds and nd_table in realize() directly */
+--
+.20.1

-New patch
+[PULL 03/34] Select MDIO device 2 and 1 as PHY devices for i.MX6UL EVK board.
+From: Jean-Christophe Dubois <jcd@tribudubois.net>
+The i.MX6UL EVK 14x14 board uses:
+- PHY 2 for FEC 1
+- PHY 1 for FEC 2
+Signed-off-by: Jean-Christophe Dubois <jcd@tribudubois.net>
+Message-id: fb41992126c091a71d76ab3d1898959091f60583.1593296112.git.jcd@tribudubois.net
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ hw/arm/mcimx6ul-evk.c | 2 ++
+file changed, 2 insertions(+)
+diff --git a/hw/arm/mcimx6ul-evk.c b/hw/arm/mcimx6ul-evk.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/mcimx6ul-evk.c
++++ b/hw/arm/mcimx6ul-evk.c
+@@ -XXX,XX +XXX,XX @@ static void mcimx6ul_evk_init(MachineState *machine)
+     s = FSL_IMX6UL(object_new(TYPE_FSL_IMX6UL));
+     object_property_add_child(OBJECT(machine), "soc", OBJECT(s));
++    object_property_set_uint(OBJECT(s), 2, "fec1-phy-num", &error_fatal);
++    object_property_set_uint(OBJECT(s), 1, "fec2-phy-num", &error_fatal);
+     qdev_realize(DEVICE(s), NULL, &error_fatal);
+     memory_region_add_subregion(get_system_memory(), FSL_IMX6UL_MMDC_ADDR,
+--
+.20.1

-New patch
+[PULL 04/34] qdev: Introduce DEFINE_PROP_RESERVED_REGION
+From: Eric Auger <eric.auger@redhat.com>
+Introduce a new property defining a reserved region:
+<low address>:<high address>:<type>.
+This will be used to encode reserved IOVA regions.
+For instance, in virtio-iommu use case, reserved IOVA regions
+will be passed by the machine code to the virtio-iommu-pci
+device (an array of those). The type of the reserved region
+will match the virtio_iommu_probe_resv_mem subtype value:
+- VIRTIO_IOMMU_RESV_MEM_T_RESERVED (0)
+- VIRTIO_IOMMU_RESV_MEM_T_MSI (1)
+on PC/Q35 machine, this will be used to inform the
+virtio-iommu-pci device it should bypass the MSI region.
+The reserved region will be: 0xfee00000:0xfeefffff:1.
+On ARM, we can declare the ITS MSI doorbell as an MSI
+region to prevent MSIs from being mapped on guest side.
+Signed-off-by: Eric Auger <eric.auger@redhat.com>
+Reviewed-by: Markus Armbruster <armbru@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Message-id: 20200629070404.10969-2-eric.auger@redhat.com
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ include/exec/memory.h        |  6 +++
+ include/hw/qdev-properties.h |  3 ++
+ include/qemu/typedefs.h      |  1 +
+ hw/core/qdev-properties.c    | 89 ++++++++++++++++++++++++++++++++++++
+files changed, 99 insertions(+)
+diff --git a/include/exec/memory.h b/include/exec/memory.h
+index XXXXXXX..XXXXXXX 100644
+--- a/include/exec/memory.h
++++ b/include/exec/memory.h
+@@ -XXX,XX +XXX,XX @@ extern bool global_dirty_log;
+ typedef struct MemoryRegionOps MemoryRegionOps;
++struct ReservedRegion {
++    hwaddr low;
++    hwaddr high;
++    unsigned type;
++};
++
+ typedef struct IOMMUTLBEntry IOMMUTLBEntry;
+ /* See address_space_translate: bit 0 is read, bit 1 is write.  */
+diff --git a/include/hw/qdev-properties.h b/include/hw/qdev-properties.h
+index XXXXXXX..XXXXXXX 100644
+--- a/include/hw/qdev-properties.h
++++ b/include/hw/qdev-properties.h
+@@ -XXX,XX +XXX,XX @@ extern const PropertyInfo qdev_prop_string;
+ extern const PropertyInfo qdev_prop_chr;
+ extern const PropertyInfo qdev_prop_tpm;
+ extern const PropertyInfo qdev_prop_macaddr;
++extern const PropertyInfo qdev_prop_reserved_region;
+ extern const PropertyInfo qdev_prop_on_off_auto;
+ extern const PropertyInfo qdev_prop_multifd_compression;
+ extern const PropertyInfo qdev_prop_losttickpolicy;
+@@ -XXX,XX +XXX,XX @@ extern const PropertyInfo qdev_prop_pcie_link_width;
+     DEFINE_PROP(_n, _s, _f, qdev_prop_drive_iothread, BlockBackend *)
+ #define DEFINE_PROP_MACADDR(_n, _s, _f)         \
+     DEFINE_PROP(_n, _s, _f, qdev_prop_macaddr, MACAddr)
++#define DEFINE_PROP_RESERVED_REGION(_n, _s, _f)         \
++    DEFINE_PROP(_n, _s, _f, qdev_prop_reserved_region, ReservedRegion)
+ #define DEFINE_PROP_ON_OFF_AUTO(_n, _s, _f, _d) \
+     DEFINE_PROP_SIGNED(_n, _s, _f, _d, qdev_prop_on_off_auto, OnOffAuto)
+ #define DEFINE_PROP_MULTIFD_COMPRESSION(_n, _s, _f, _d) \
+diff --git a/include/qemu/typedefs.h b/include/qemu/typedefs.h
+index XXXXXXX..XXXXXXX 100644
+--- a/include/qemu/typedefs.h
++++ b/include/qemu/typedefs.h
+@@ -XXX,XX +XXX,XX @@ typedef struct ISABus ISABus;
+ typedef struct ISADevice ISADevice;
+ typedef struct IsaDma IsaDma;
+ typedef struct MACAddr MACAddr;
++typedef struct ReservedRegion ReservedRegion;
+ typedef struct MachineClass MachineClass;
+ typedef struct MachineState MachineState;
+ typedef struct MemoryListener MemoryListener;
+diff --git a/hw/core/qdev-properties.c b/hw/core/qdev-properties.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/core/qdev-properties.c
++++ b/hw/core/qdev-properties.c
+@@ -XXX,XX +XXX,XX @@
+ #include "chardev/char.h"
+ #include "qemu/uuid.h"
+ #include "qemu/units.h"
++#include "qemu/cutils.h"
+ void qdev_prop_set_after_realize(DeviceState *dev, const char *name,
+                                   Error **errp)
+@@ -XXX,XX +XXX,XX @@ const PropertyInfo qdev_prop_macaddr = {
+     .set   = set_mac,
+ };
++/* --- Reserved Region --- */
++
++/*
++ * Accepted syntax:
++ *   <low address>:<high address>:<type>
++ *   where low/high addresses are uint64_t in hexadecimal
++ *   and type is a non-negative decimal integer
++ */
++static void get_reserved_region(Object *obj, Visitor *v, const char *name,
++                                void *opaque, Error **errp)
++{
++    DeviceState *dev = DEVICE(obj);
++    Property *prop = opaque;
++    ReservedRegion *rr = qdev_get_prop_ptr(dev, prop);
++    char buffer[64];
++    char *p = buffer;
++    int rc;
++
++    rc = snprintf(buffer, sizeof(buffer), "0x%"PRIx64":0x%"PRIx64":%u",
++                  rr->low, rr->high, rr->type);
++    assert(rc < sizeof(buffer));
++
++    visit_type_str(v, name, &p, errp);
++}
++
++static void set_reserved_region(Object *obj, Visitor *v, const char *name,
++                                void *opaque, Error **errp)
++{
++    DeviceState *dev = DEVICE(obj);
++    Property *prop = opaque;
++    ReservedRegion *rr = qdev_get_prop_ptr(dev, prop);
++    Error *local_err = NULL;
++    const char *endptr;
++    char *str;
++    int ret;
++
++    if (dev->realized) {
++        qdev_prop_set_after_realize(dev, name, errp);
++        return;
++    }
++
++    visit_type_str(v, name, &str, &local_err);
++    if (local_err) {
++        error_propagate(errp, local_err);
++        return;
++    }
++
++    ret = qemu_strtou64(str, &endptr, 16, &rr->low);
++    if (ret) {
++        error_setg(errp, "start address of '%s'"
++                   " must be a hexadecimal integer", name);
++        goto out;
++    }
++    if (*endptr != ':') {
++        goto separator_error;
++    }
++
++    ret = qemu_strtou64(endptr + 1, &endptr, 16, &rr->high);
++    if (ret) {
++        error_setg(errp, "end address of '%s'"
++                   " must be a hexadecimal integer", name);
++        goto out;
++    }
++    if (*endptr != ':') {
++        goto separator_error;
++    }
++
++    ret = qemu_strtoui(endptr + 1, &endptr, 10, &rr->type);
++    if (ret) {
++        error_setg(errp, "type of '%s'"
++                   " must be a non-negative decimal integer", name);
++    }
++    goto out;
++
++separator_error:
++    error_setg(errp, "reserved region fields must be separated with ':'");
++out:
++    g_free(str);
++    return;
++}
++
++const PropertyInfo qdev_prop_reserved_region = {
++    .name  = "reserved_region",
++    .description = "Reserved Region, example: 0xFEE00000:0xFEEFFFFF:0",
++    .get   = get_reserved_region,
++    .set   = set_reserved_region,
++};
++
+ /* --- on/off/auto --- */
+ const PropertyInfo qdev_prop_on_off_auto = {
+--
+.20.1

-[Qemu-devel] [PULL 06/10] hw/display/xlnx_dp: Avoid crash when reading empty RX FIFO
+[PULL 05/34] virtio-iommu: Implement RESV_MEM probe request
-From: Philippe Mathieu-Daudé <philmd@redhat.com>
+From: Eric Auger <eric.auger@redhat.com>
-In the previous commit we fixed a crash when the guest read a
+This patch implements the PROBE request. At the moment,
-register that pop from an empty FIFO.
+only THE RESV_MEM property is handled. The first goal is
-By auditing the repository, we found another similar use with
+to report iommu wide reserved regions such as the MSI regions
-an easy way to reproduce:
+set by the machine code. On x86 this will be the IOAPIC MSI
+region, [0xFEE00000 - 0xFEEFFFFF], on ARM this may be the ITS
-  $ qemu-system-aarch64 -M xlnx-zcu102 -monitor stdio -S
+doorbell.
-  QEMU 4.0.50 monitor - type 'help' for more information
-  (qemu) xp/b 0xfd4a0134
+In the future we may introduce per device reserved regions.
-  Aborted (core dumped)
+This will be useful when protecting host assigned devices
+which may expose their own reserved regions
-  (gdb) bt
-  #0  0x00007f6936dea57f in raise () at /lib64/libc.so.6
+Signed-off-by: Eric Auger <eric.auger@redhat.com>
-  #1  0x00007f6936dd4895 in abort () at /lib64/libc.so.6
+Reviewed-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
-  #2  0x0000561ad32975ec in xlnx_dp_aux_pop_rx_fifo (s=0x7f692babee70) at hw/display/xlnx_dp.c:431
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-  #3  0x0000561ad3297dc0 in xlnx_dp_read (opaque=0x7f692babee70, offset=77, size=4) at hw/display/xlnx_dp.c:667
+Message-id: 20200629070404.10969-3-eric.auger@redhat.com
   #4  0x0000561ad321b896 in memory_region_read_accessor (mr=0x7f692babf620, addr=308, value=0x7ffe05c1db88, size=4, shift=0, mask=4294967295, attrs=...) at memory.c:439
   #5  0x0000561ad321bd70 in access_with_adjusted_size (addr=308, value=0x7ffe05c1db88, size=1, access_size_min=4, access_size_max=4, access_fn=0x561ad321b858 <memory_region_read_accessor>, mr=0x7f692babf620, attrs=...) at memory.c:569
   #6  0x0000561ad321e9d5 in memory_region_dispatch_read1 (mr=0x7f692babf620, addr=308, pval=0x7ffe05c1db88, size=1, attrs=...) at memory.c:1420
   #7  0x0000561ad321ea9d in memory_region_dispatch_read (mr=0x7f692babf620, addr=308, pval=0x7ffe05c1db88, size=1, attrs=...) at memory.c:1447
   #8  0x0000561ad31bd742 in flatview_read_continue (fv=0x561ad69c04f0, addr=4249485620, attrs=..., buf=0x7ffe05c1dcf0 "\020\335\301\005\376\177", len=1, addr1=308, l=1, mr=0x7f692babf620) at exec.c:3385
   #9  0x0000561ad31bd895 in flatview_read (fv=0x561ad69c04f0, addr=4249485620, attrs=..., buf=0x7ffe05c1dcf0 "\020\335\301\005\376\177", len=1) at exec.c:3423
   #10 0x0000561ad31bd90b in address_space_read_full (as=0x561ad5bb3020, addr=4249485620, attrs=..., buf=0x7ffe05c1dcf0 "\020\335\301\005\376\177", len=1) at exec.c:3436
   #11 0x0000561ad33b1c42 in address_space_read (len=1, buf=0x7ffe05c1dcf0 "\020\335\301\005\376\177", attrs=..., addr=4249485620, as=0x561ad5bb3020) at include/exec/memory.h:2131
   #12 0x0000561ad33b1c42 in memory_dump (mon=0x561ad59c4530, count=1, format=120, wsize=1, addr=4249485620, is_physical=1) at monitor/misc.c:723
   #13 0x0000561ad33b1fc1 in hmp_physical_memory_dump (mon=0x561ad59c4530, qdict=0x561ad6c6fd00) at monitor/misc.c:795
   #14 0x0000561ad37b4a9f in handle_hmp_command (mon=0x561ad59c4530, cmdline=0x561ad59d0f22 "/b 0x00000000fd4a0134") at monitor/hmp.c:1082
 Fix by checking the FIFO is not empty before popping from it.
 The datasheet is not clear about the reset value of this register,
 we choose to return '0'.
 Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
 Message-id: 20190709113715.7761-4-philmd@redhat.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/display/xlnx_dp.c | 15 +++++++++++----
+ include/hw/virtio/virtio-iommu.h |  2 +
-file changed, 11 insertions(+), 4 deletions(-)
+ hw/virtio/virtio-iommu.c         | 94 ++++++++++++++++++++++++++++++--
+ hw/virtio/trace-events           |  1 +
-diff --git a/hw/display/xlnx_dp.c b/hw/display/xlnx_dp.c
+files changed, 93 insertions(+), 4 deletions(-)
 diff --git a/include/hw/virtio/virtio-iommu.h b/include/hw/virtio/virtio-iommu.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/display/xlnx_dp.c
+--- a/include/hw/virtio/virtio-iommu.h
-+++ b/hw/display/xlnx_dp.c
++++ b/include/hw/virtio/virtio-iommu.h
-@@ -XXX,XX +XXX,XX @@ static uint8_t xlnx_dp_aux_pop_rx_fifo(XlnxDPState *s)
+@@ -XXX,XX +XXX,XX @@ typedef struct VirtIOIOMMU {
-     uint8_t ret;
+     GHashTable *as_by_busptr;
+     IOMMUPciBus *iommu_pcibus_by_bus_num[PCI_BUS_MAX];
-     if (fifo8_is_empty(&s->rx_fifo)) {
+     PCIBus *primary_bus;
--        DPRINTF("rx_fifo underflow..\n");
++    ReservedRegion *reserved_regions;
--        abort();
++    uint32_t nb_reserved_regions;
-+        qemu_log_mask(LOG_GUEST_ERROR,
+     GTree *domains;
-+                      "%s: Reading empty RX_FIFO\n",
+     QemuMutex mutex;
-+                      __func__);
+     GTree *endpoints;
-+        /*
+diff --git a/hw/virtio/virtio-iommu.c b/hw/virtio/virtio-iommu.c
-+         * The datasheet is not clear about the reset value, it seems
+index XXXXXXX..XXXXXXX 100644
-+         * to be unspecified. We choose to return '0'.
+--- a/hw/virtio/virtio-iommu.c
-+         */
++++ b/hw/virtio/virtio-iommu.c
-+        ret = 0;
+@@ -XXX,XX +XXX,XX @@
-+    } else {
-+        ret = fifo8_pop(&s->rx_fifo);
+ /* Max size */
-+        DPRINTF("pop 0x%" PRIX8 " from rx_fifo.\n", ret);
+ #define VIOMMU_DEFAULT_QUEUE_SIZE 256
-     }
++#define VIOMMU_PROBE_SIZE 512
--    ret = fifo8_pop(&s->rx_fifo);
--    DPRINTF("pop 0x%" PRIX8 " from rx_fifo.\n", ret);
+ typedef struct VirtIOIOMMUDomain {
      uint32_t id;
@@ -XXX,XX +XXX,XX @@ static int virtio_iommu_unmap(VirtIOIOMMU *s,
      return ret;
  }
++static ssize_t virtio_iommu_fill_resv_mem_prop(VirtIOIOMMU *s, uint32_t ep,
++                                               uint8_t *buf, size_t free)
++{
++    struct virtio_iommu_probe_resv_mem prop = {};
++    size_t size = sizeof(prop), length = size - sizeof(prop.head), total;
++    int i;
++
++    total = size * s->nb_reserved_regions;
++
++    if (total > free) {
++        return -ENOSPC;
++    }
++
++    for (i = 0; i < s->nb_reserved_regions; i++) {
++        unsigned subtype = s->reserved_regions[i].type;
++
++        assert(subtype == VIRTIO_IOMMU_RESV_MEM_T_RESERVED ||
++               subtype == VIRTIO_IOMMU_RESV_MEM_T_MSI);
++        prop.head.type = cpu_to_le16(VIRTIO_IOMMU_PROBE_T_RESV_MEM);
++        prop.head.length = cpu_to_le16(length);
++        prop.subtype = subtype;
++        prop.start = cpu_to_le64(s->reserved_regions[i].low);
++        prop.end = cpu_to_le64(s->reserved_regions[i].high);
++
++        memcpy(buf, &prop, size);
++
++        trace_virtio_iommu_fill_resv_property(ep, prop.subtype,
++                                              prop.start, prop.end);
++        buf += size;
++    }
++    return total;
++}
++
++/**
++ * virtio_iommu_probe - Fill the probe request buffer with
++ * the properties the device is able to return
++ */
++static int virtio_iommu_probe(VirtIOIOMMU *s,
++                              struct virtio_iommu_req_probe *req,
++                              uint8_t *buf)
++{
++    uint32_t ep_id = le32_to_cpu(req->endpoint);
++    size_t free = VIOMMU_PROBE_SIZE;
++    ssize_t count;
++
++    if (!virtio_iommu_mr(s, ep_id)) {
++        return VIRTIO_IOMMU_S_NOENT;
++    }
++
++    count = virtio_iommu_fill_resv_mem_prop(s, ep_id, buf, free);
++    if (count < 0) {
++        return VIRTIO_IOMMU_S_INVAL;
++    }
++    buf += count;
++    free -= count;
++
++    return VIRTIO_IOMMU_S_OK;
++}
++
+ static int virtio_iommu_iov_to_req(struct iovec *iov,
+                                    unsigned int iov_cnt,
+                                    void *req, size_t req_sz)
+@@ -XXX,XX +XXX,XX @@ virtio_iommu_handle_req(detach)
+ virtio_iommu_handle_req(map)
+ virtio_iommu_handle_req(unmap)
++static int virtio_iommu_handle_probe(VirtIOIOMMU *s,
++                                     struct iovec *iov,
++                                     unsigned int iov_cnt,
++                                     uint8_t *buf)
++{
++    struct virtio_iommu_req_probe req;
++    int ret = virtio_iommu_iov_to_req(iov, iov_cnt, &req, sizeof(req));
++
++    return ret ? ret : virtio_iommu_probe(s, &req, buf);
++}
++
+ static void virtio_iommu_handle_command(VirtIODevice *vdev, VirtQueue *vq)
+ {
+     VirtIOIOMMU *s = VIRTIO_IOMMU(vdev);
+     struct virtio_iommu_req_head head;
+     struct virtio_iommu_req_tail tail = {};
++    size_t output_size = sizeof(tail), sz;
+     VirtQueueElement *elem;
+     unsigned int iov_cnt;
+     struct iovec *iov;
+-    size_t sz;
++    void *buf = NULL;
+     for (;;) {
+         elem = virtqueue_pop(vq, sizeof(VirtQueueElement));
+@@ -XXX,XX +XXX,XX @@ static void virtio_iommu_handle_command(VirtIODevice *vdev, VirtQueue *vq)
+         case VIRTIO_IOMMU_T_UNMAP:
+             tail.status = virtio_iommu_handle_unmap(s, iov, iov_cnt);
+             break;
++        case VIRTIO_IOMMU_T_PROBE:
++        {
++            struct virtio_iommu_req_tail *ptail;
++
++            output_size = s->config.probe_size + sizeof(tail);
++            buf = g_malloc0(output_size);
++
++            ptail = (struct virtio_iommu_req_tail *)
++                        (buf + s->config.probe_size);
++            ptail->status = virtio_iommu_handle_probe(s, iov, iov_cnt, buf);
++        }
+         default:
+             tail.status = VIRTIO_IOMMU_S_UNSUPP;
+         }
+@@ -XXX,XX +XXX,XX @@ static void virtio_iommu_handle_command(VirtIODevice *vdev, VirtQueue *vq)
+ out:
+         sz = iov_from_buf(elem->in_sg, elem->in_num, 0,
+-                          &tail, sizeof(tail));
+-        assert(sz == sizeof(tail));
++                          buf ? buf : &tail, output_size);
++        assert(sz == output_size);
+-        virtqueue_push(vq, elem, sizeof(tail));
++        virtqueue_push(vq, elem, sz);
+         virtio_notify(vdev, vq);
+         g_free(elem);
++        g_free(buf);
+     }
+ }
+@@ -XXX,XX +XXX,XX @@ static void virtio_iommu_device_realize(DeviceState *dev, Error **errp)
+     s->config.page_size_mask = TARGET_PAGE_MASK;
+     s->config.input_range.end = -1UL;
+     s->config.domain_range.end = 32;
++    s->config.probe_size = VIOMMU_PROBE_SIZE;
+     virtio_add_feature(&s->features, VIRTIO_RING_F_EVENT_IDX);
+     virtio_add_feature(&s->features, VIRTIO_RING_F_INDIRECT_DESC);
+@@ -XXX,XX +XXX,XX @@ static void virtio_iommu_device_realize(DeviceState *dev, Error **errp)
+     virtio_add_feature(&s->features, VIRTIO_IOMMU_F_MAP_UNMAP);
+     virtio_add_feature(&s->features, VIRTIO_IOMMU_F_BYPASS);
+     virtio_add_feature(&s->features, VIRTIO_IOMMU_F_MMIO);
++    virtio_add_feature(&s->features, VIRTIO_IOMMU_F_PROBE);
+     qemu_mutex_init(&s->mutex);
+diff --git a/hw/virtio/trace-events b/hw/virtio/trace-events
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/virtio/trace-events
++++ b/hw/virtio/trace-events
+@@ -XXX,XX +XXX,XX @@ virtio_iommu_get_domain(uint32_t domain_id) "Alloc domain=%d"
+ virtio_iommu_put_domain(uint32_t domain_id) "Free domain=%d"
+ virtio_iommu_translate_out(uint64_t virt_addr, uint64_t phys_addr, uint32_t sid) "0x%"PRIx64" -> 0x%"PRIx64 " for sid=%d"
+ virtio_iommu_report_fault(uint8_t reason, uint32_t flags, uint32_t endpoint, uint64_t addr) "FAULT reason=%d flags=%d endpoint=%d address =0x%"PRIx64
++virtio_iommu_fill_resv_property(uint32_t devid, uint8_t subtype, uint64_t start, uint64_t end) "dev= %d, type=%d start=0x%"PRIx64" end=0x%"PRIx64
 --
 .20.1

-New patch
+[PULL 06/34] virtio-iommu: Handle reserved regions in the translation process
+From: Eric Auger <eric.auger@redhat.com>
+When translating an address we need to check if it belongs to
+a reserved virtual address range. If it does, there are 2 cases:
+- it belongs to a RESERVED region: the guest should neither use
+  this address in a MAP not instruct the end-point to DMA on
+  them. We report an error
+- It belongs to an MSI region: we bypass the translation.
+Signed-off-by: Eric Auger <eric.auger@redhat.com>
+Reviewed-by: Peter Xu <peterx@redhat.com>
+Reviewed-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Message-id: 20200629070404.10969-4-eric.auger@redhat.com
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ hw/virtio/virtio-iommu.c | 20 ++++++++++++++++++++
+file changed, 20 insertions(+)
+diff --git a/hw/virtio/virtio-iommu.c b/hw/virtio/virtio-iommu.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/virtio/virtio-iommu.c
++++ b/hw/virtio/virtio-iommu.c
+@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry virtio_iommu_translate(IOMMUMemoryRegion *mr, hwaddr addr,
+     uint32_t sid, flags;
+     bool bypass_allowed;
+     bool found;
++    int i;
+     interval.low = addr;
+     interval.high = addr + 1;
+@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry virtio_iommu_translate(IOMMUMemoryRegion *mr, hwaddr addr,
+         goto unlock;
+     }
++    for (i = 0; i < s->nb_reserved_regions; i++) {
++        ReservedRegion *reg = &s->reserved_regions[i];
++
++        if (addr >= reg->low && addr <= reg->high) {
++            switch (reg->type) {
++            case VIRTIO_IOMMU_RESV_MEM_T_MSI:
++                entry.perm = flag;
++                break;
++            case VIRTIO_IOMMU_RESV_MEM_T_RESERVED:
++            default:
++                virtio_iommu_report_fault(s, VIRTIO_IOMMU_FAULT_R_MAPPING,
++                                          VIRTIO_IOMMU_FAULT_F_ADDRESS,
++                                          sid, addr);
++                break;
++            }
++            goto unlock;
++        }
++    }
++
+     if (!ep->domain) {
+         if (!bypass_allowed) {
+             error_report_once("%s %02x:%02x.%01x not attached to any domain",
+--
+.20.1

-New patch
+[PULL 07/34] virtio-iommu-pci: Add array of Interval properties
+From: Eric Auger <eric.auger@redhat.com>
+The machine may need to pass reserved regions to the
+virtio-iommu-pci device (such as the MSI window on x86
+or the MSI doorbells on ARM).
+So let's add an array of Interval properties.
+Note: if some reserved regions are already set by the
+machine code - which should be the case in general -,
+the length of the property array is already set and
+prevents the end-user from modifying them. For example,
+attempting to use:
+-device virtio-iommu-pci,\
+ len-reserved-regions=1,reserved-regions[0]=0xfee00000:0xfeefffff:1
+would result in the following error message:
+qemu-system-aarch64: -device virtio-iommu-pci,addr=0xa,
+len-reserved-regions=1,reserved-regions[0]=0xfee00000:0xfeefffff:1:
+array size property len-reserved-regions may not be set more than once
+Otherwise, for example, adding two reserved regions is achieved
+using the following options:
+-device virtio-iommu-pci,addr=0xa,len-reserved-regions=2,\
+ reserved-regions[0]=0xfee00000:0xfeefffff:1,\
+ reserved-regions[1]=0x1000000:100ffff:1
+Signed-off-by: Eric Auger <eric.auger@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
+Reviewed-by: Peter Xu <peterx@redhat.com>
+Message-id: 20200629070404.10969-5-eric.auger@redhat.com
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ hw/virtio/virtio-iommu-pci.c | 11 +++++++++++
+file changed, 11 insertions(+)
+diff --git a/hw/virtio/virtio-iommu-pci.c b/hw/virtio/virtio-iommu-pci.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/virtio/virtio-iommu-pci.c
++++ b/hw/virtio/virtio-iommu-pci.c
+@@ -XXX,XX +XXX,XX @@ struct VirtIOIOMMUPCI {
+ static Property virtio_iommu_pci_properties[] = {
+     DEFINE_PROP_UINT32("class", VirtIOPCIProxy, class_code, 0),
++    DEFINE_PROP_ARRAY("reserved-regions", VirtIOIOMMUPCI,
++                      vdev.nb_reserved_regions, vdev.reserved_regions,
++                      qdev_prop_reserved_region, ReservedRegion),
+     DEFINE_PROP_END_OF_LIST(),
+ };
+@@ -XXX,XX +XXX,XX @@ static void virtio_iommu_pci_realize(VirtIOPCIProxy *vpci_dev, Error **errp)
+ {
+     VirtIOIOMMUPCI *dev = VIRTIO_IOMMU_PCI(vpci_dev);
+     DeviceState *vdev = DEVICE(&dev->vdev);
++    VirtIOIOMMU *s = VIRTIO_IOMMU(vdev);
+     if (!qdev_get_machine_hotplug_handler(DEVICE(vpci_dev))) {
+         MachineClass *mc = MACHINE_GET_CLASS(qdev_get_machine());
+@@ -XXX,XX +XXX,XX @@ static void virtio_iommu_pci_realize(VirtIOPCIProxy *vpci_dev, Error **errp)
+                           "-no-acpi\n");
+         return;
+     }
++    for (int i = 0; i < s->nb_reserved_regions; i++) {
++        if (s->reserved_regions[i].type != VIRTIO_IOMMU_RESV_MEM_T_RESERVED &&
++            s->reserved_regions[i].type != VIRTIO_IOMMU_RESV_MEM_T_MSI) {
++            error_setg(errp, "reserved region %d has an invalid type", i);
++            error_append_hint(errp, "Valid values are 0 and 1\n");
++        }
++    }
+     object_property_set_link(OBJECT(dev),
+                              OBJECT(pci_get_bus(&vpci_dev->pci_dev)),
+                              "primary-bus", &error_abort);
+--
+.20.1

-[Qemu-devel] [PULL 07/10] hw/arm/virt: Fix non-secure flash mode
+[PULL 08/34] hw/arm/virt: Let the virtio-iommu bypass MSIs
-From: David Engraf <david.engraf@sysgo.com>
+From: Eric Auger <eric.auger@redhat.com>
-Using the whole 128 MiB flash in non-secure mode is not working because
+At the moment the virtio-iommu translates MSI transactions.
-virt_flash_fdt() expects the same address for secure_sysmem and sysmem.
+This behavior is inherited from ARM SMMU. The virt machine
-This is not correctly handled by caller because it forwards NULL for
+code knows where the guest MSI doorbells are so we can easily
-secure_sysmem in non-secure flash mode.
+declare those regions as VIRTIO_IOMMU_RESV_MEM_T_MSI. With that
 setting the guest will not map MSIs through the IOMMU and those
 transactions will be simply bypassed.
-Fixed by using sysmem when secure_sysmem is NULL.
+Depending on which MSI controller is in use (ITS or GICV2M),
 we declare either:
 - the ITS interrupt translation space (ITS_base + 0x10000),
   containing the GITS_TRANSLATOR or
 - The GICV2M single frame, containing the MSI_SETSP_NS register.
-Signed-off-by: David Engraf <david.engraf@sysgo.com>
+Signed-off-by: Eric Auger <eric.auger@redhat.com>
-Message-id: 20190712075002.14326-1-david.engraf@sysgo.com
+Message-id: 20200629070404.10969-6-eric.auger@redhat.com
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/virt.c | 2 +-
+ include/hw/arm/virt.h |  7 +++++++
-file changed, 1 insertion(+), 1 deletion(-)
+ hw/arm/virt.c         | 30 ++++++++++++++++++++++++++++++
 files changed, 37 insertions(+)
+diff --git a/include/hw/arm/virt.h b/include/hw/arm/virt.h
+index XXXXXXX..XXXXXXX 100644
+--- a/include/hw/arm/virt.h
++++ b/include/hw/arm/virt.h
+@@ -XXX,XX +XXX,XX @@ typedef enum VirtIOMMUType {
+     VIRT_IOMMU_VIRTIO,
+ } VirtIOMMUType;
++typedef enum VirtMSIControllerType {
++    VIRT_MSI_CTRL_NONE,
++    VIRT_MSI_CTRL_GICV2M,
++    VIRT_MSI_CTRL_ITS,
++} VirtMSIControllerType;
++
+ typedef enum VirtGICType {
+     VIRT_GIC_VERSION_MAX,
+     VIRT_GIC_VERSION_HOST,
+@@ -XXX,XX +XXX,XX @@ typedef struct {
+     OnOffAuto acpi;
+     VirtGICType gic_version;
+     VirtIOMMUType iommu;
++    VirtMSIControllerType msi_controller;
+     uint16_t virtio_iommu_bdf;
+     struct arm_boot_info bootinfo;
+     MemMapEntry *memmap;
 diff --git a/hw/arm/virt.c b/hw/arm/virt.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/virt.c
 +++ b/hw/arm/virt.c
-@@ -XXX,XX +XXX,XX @@ static void machvirt_init(MachineState *machine)
+@@ -XXX,XX +XXX,XX @@ static void create_its(VirtMachineState *vms)
-                                     &machine->device_memory->mr);
+     sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, vms->memmap[VIRT_GIC_ITS].base);
      fdt_add_its_gic_node(vms);
 +    vms->msi_controller = VIRT_MSI_CTRL_ITS;
  }
  static void create_v2m(VirtMachineState *vms)
@@ -XXX,XX +XXX,XX @@ static void create_v2m(VirtMachineState *vms)
      }
--    virt_flash_fdt(vms, sysmem, secure_sysmem);
+     fdt_add_v2m_gic_node(vms);
-+    virt_flash_fdt(vms, sysmem, secure_sysmem ?: sysmem);
++    vms->msi_controller = VIRT_MSI_CTRL_GICV2M;
+ }
-     create_gic(vms, pic);
  static void create_gic(VirtMachineState *vms)
@@ -XXX,XX +XXX,XX @@ out:
  static void virt_machine_device_pre_plug_cb(HotplugHandler *hotplug_dev,
                                              DeviceState *dev, Error **errp)
  {
 +    VirtMachineState *vms = VIRT_MACHINE(hotplug_dev);
 +
      if (object_dynamic_cast(OBJECT(dev), TYPE_PC_DIMM)) {
          virt_memory_pre_plug(hotplug_dev, dev, errp);
 +    } else if (object_dynamic_cast(OBJECT(dev), TYPE_VIRTIO_IOMMU_PCI)) {
 +        hwaddr db_start = 0, db_end = 0;
 +        char *resv_prop_str;
 +
 +        switch (vms->msi_controller) {
 +        case VIRT_MSI_CTRL_NONE:
 +            return;
 +        case VIRT_MSI_CTRL_ITS:
 +            /* GITS_TRANSLATER page */
 +            db_start = base_memmap[VIRT_GIC_ITS].base + 0x10000;
 +            db_end = base_memmap[VIRT_GIC_ITS].base +
 +                     base_memmap[VIRT_GIC_ITS].size - 1;
 +            break;
 +        case VIRT_MSI_CTRL_GICV2M:
 +            /* MSI_SETSPI_NS page */
 +            db_start = base_memmap[VIRT_GIC_V2M].base;
 +            db_end = db_start + base_memmap[VIRT_GIC_V2M].size - 1;
 +            break;
 +        }
 +        resv_prop_str = g_strdup_printf("0x%"PRIx64":0x%"PRIx64":%u",
 +                                        db_start, db_end,
 +                                        VIRTIO_IOMMU_RESV_MEM_T_MSI);
 +
 +        qdev_prop_set_uint32(dev, "len-reserved-regions", 1);
 +        qdev_prop_set_string(dev, "reserved-regions[0]", resv_prop_str);
 +        g_free(resv_prop_str);
      }
  }
 --
 .20.1

-[Qemu-devel] [PULL 03/10] hw/ssi/xilinx_spips: Avoid AXI writes to the LQSPI linear memory
+[PULL 09/34] target/arm: kvm: Handle DABT with no valid ISS
-From: Philippe Mathieu-Daudé <philmd@redhat.com>
+From: Beata Michalska <beata.michalska@linaro.org>
-Lei Sun found while auditing the code that a CPU write would
+On ARMv7 & ARMv8 some load/store instructions might trigger a data abort
-trigger a NULL pointer dereference.
+exception with no valid ISS info to be decoded. The lack of decode info
 makes it at least tricky to emulate those instruction which is one of the
 (many) reasons why KVM will not even try to do so.
->From UG1085 datasheet [*] AXI writes in this region are ignored
+Add support for handling those by requesting KVM to inject external
-and generates an AXI Slave Error (SLVERR).
+dabt into the quest.
-Fix by implementing the write_with_attrs() handler.
+Signed-off-by: Beata Michalska <beata.michalska@linaro.org>
-Return MEMTX_ERROR when the region is accessed (this error maps
+Reviewed-by: Andrew Jones <drjones@redhat.com>
-to an AXI slave error).
+Message-id: 20200629114110.30723-2-beata.michalska@linaro.org
 [*] https://www.xilinx.com/support/documentation/user_guides/ug1085-zynq-ultrascale-trm.pdf
 Reported-by: Lei Sun <slei.casper@gmail.com>
 Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
 Tested-by: Francisco Iglesias <frasse.iglesias@gmail.com>
 Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/ssi/xilinx_spips.c | 16 ++++++++++++++++
+ target/arm/kvm.c | 52 ++++++++++++++++++++++++++++++++++++++++++++++++
-file changed, 16 insertions(+)
+file changed, 52 insertions(+)
-diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
+diff --git a/target/arm/kvm.c b/target/arm/kvm.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/ssi/xilinx_spips.c
+--- a/target/arm/kvm.c
-+++ b/hw/ssi/xilinx_spips.c
++++ b/target/arm/kvm.c
-@@ -XXX,XX +XXX,XX @@ static MemTxResult lqspi_read(void *opaque, hwaddr addr, uint64_t *value,
+@@ -XXX,XX +XXX,XX @@ const KVMCapabilityInfo kvm_arch_required_capabilities[] = {
-     return lqspi_read(opaque, addr, value, size, attrs);
  static bool cap_has_mp_state;
  static bool cap_has_inject_serror_esr;
 +static bool cap_has_inject_ext_dabt;
  static ARMHostCPUFeatures arm_host_cpu_features;
@@ -XXX,XX +XXX,XX @@ int kvm_arch_init(MachineState *ms, KVMState *s)
          ret = -EINVAL;
      }
 +    if (kvm_check_extension(s, KVM_CAP_ARM_NISV_TO_USER)) {
 +        if (kvm_vm_enable_cap(s, KVM_CAP_ARM_NISV_TO_USER, 0)) {
 +            error_report("Failed to enable KVM_CAP_ARM_NISV_TO_USER cap");
 +        } else {
 +            /* Set status for supporting the external dabt injection */
 +            cap_has_inject_ext_dabt = kvm_check_extension(s,
 +                                    KVM_CAP_ARM_INJECT_EXT_DABT);
 +        }
 +    }
 +
      return ret;
  }
-+static MemTxResult lqspi_write(void *opaque, hwaddr offset, uint64_t value,
+@@ -XXX,XX +XXX,XX @@ void kvm_arm_vm_state_change(void *opaque, int running, RunState state)
-+                               unsigned size, MemTxAttrs attrs)
+     }
  }
 +/**
 + * kvm_arm_handle_dabt_nisv:
 + * @cs: CPUState
 + * @esr_iss: ISS encoding (limited) for the exception from Data Abort
 + *           ISV bit set to '0b0' -> no valid instruction syndrome
 + * @fault_ipa: faulting address for the synchronous data abort
 + *
 + * Returns: 0 if the exception has been handled, < 0 otherwise
 + */
 +static int kvm_arm_handle_dabt_nisv(CPUState *cs, uint64_t esr_iss,
 +                                    uint64_t fault_ipa)
 +{
 +    /*
-+     * From UG1085, Chapter 24 (Quad-SPI controllers):
++     * Request KVM to inject the external data abort into the guest
 +     * - Writes are ignored
 +     * - AXI writes generate an external AXI slave error (SLVERR)
 +     */
-+    qemu_log_mask(LOG_GUEST_ERROR, "%s Unexpected %u-bit access to 0x%" PRIx64
++    if (cap_has_inject_ext_dabt) {
-+                                   " (value: 0x%" PRIx64 "\n",
++        struct kvm_vcpu_events events = { };
-+                  __func__, size << 3, offset, value);
++        /*
-+
++         * The external data abort event will be handled immediately by KVM
-+    return MEMTX_ERROR;
++         * using the address fault that triggered the exit on given VCPU.
 +         * Requesting injection of the external data abort does not rely
 +         * on any other VCPU state. Therefore, in this particular case, the VCPU
 +         * synchronization can be exceptionally skipped.
 +         */
 +        events.exception.ext_dabt_pending = 1;
 +        /* KVM_CAP_ARM_INJECT_EXT_DABT implies KVM_CAP_VCPU_EVENTS */
 +        return kvm_vcpu_ioctl(cs, KVM_SET_VCPU_EVENTS, &events);
 +    } else {
 +        error_report("Data abort exception triggered by guest memory access "
 +                     "at physical address: 0x"  TARGET_FMT_lx,
 +                     (target_ulong)fault_ipa);
 +        error_printf("KVM unable to emulate faulting instruction.\n");
 +    }
 +    return -1;
 +}
 +
- static const MemoryRegionOps lqspi_ops = {
+ int kvm_arch_handle_exit(CPUState *cs, struct kvm_run *run)
-     .read_with_attrs = lqspi_read,
+ {
-+    .write_with_attrs = lqspi_write,
+     int ret = 0;
-     .endianness = DEVICE_NATIVE_ENDIAN,
+@@ -XXX,XX +XXX,XX @@ int kvm_arch_handle_exit(CPUState *cs, struct kvm_run *run)
-     .valid = {
+             ret = EXCP_DEBUG;
-         .min_access_size = 1,
+         } /* otherwise return to guest */
          break;
 +    case KVM_EXIT_ARM_NISV:
 +        /* External DABT with no valid iss to decode */
 +        ret = kvm_arm_handle_dabt_nisv(cs, run->arm_nisv.esr_iss,
 +                                       run->arm_nisv.fault_ipa);
 +        break;
      default:
          qemu_log_mask(LOG_UNIMP, "%s: un-handled exit reason %d\n",
                        __func__, run->exit_reason);
 --
 .20.1

-New patch
+[PULL 10/34] target/arm: kvm: Handle misconfigured dabt injection
+From: Beata Michalska <beata.michalska@linaro.org>
 Injecting external data abort through KVM might trigger
 an issue on kernels that do not get updated to include the KVM fix.
 For those and aarch32 guests, the injected abort gets misconfigured
 to be an implementation defined exception. This leads to the guest
 repeatedly re-running the faulting instruction.
 Add support for handling that case.
 [
   Fixed-by: 018f22f95e8a
     ('KVM: arm: Fix DFSR setting for non-LPAE aarch32 guests')
   Fixed-by: 21aecdbd7f3a
     ('KVM: arm: Make inject_abt32() inject an external abort instead')
 ]
 Signed-off-by: Beata Michalska <beata.michalska@linaro.org>
 Acked-by: Andrew Jones <drjones@redhat.com>
 Message-id: 20200629114110.30723-3-beata.michalska@linaro.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
  target/arm/cpu.h     |  2 ++
  target/arm/kvm_arm.h | 10 +++++++++
  target/arm/kvm.c     | 30 ++++++++++++++++++++++++++-
  target/arm/kvm32.c   | 34 ++++++++++++++++++++++++++++++
  target/arm/kvm64.c   | 49 ++++++++++++++++++++++++++++++++++++++++++++
 files changed, 124 insertions(+), 1 deletion(-)
 diff --git a/target/arm/cpu.h b/target/arm/cpu.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.h
 +++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ typedef struct CPUARMState {
          uint64_t esr;
      } serror;
 +    uint8_t ext_dabt_raised; /* Tracking/verifying injection of ext DABT */
 +
      /* State of our input IRQ/FIQ/VIRQ/VFIQ lines */
      uint32_t irq_line_state;
 diff --git a/target/arm/kvm_arm.h b/target/arm/kvm_arm.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/kvm_arm.h
 +++ b/target/arm/kvm_arm.h
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_hw_debug_active(CPUState *cs);
  struct kvm_guest_debug_arch;
  void kvm_arm_copy_hw_debug_data(struct kvm_guest_debug_arch *ptr);
 +/**
 + * kvm_arm_verify_ext_dabt_pending:
 + * @cs: CPUState
 + *
 + * Verify the fault status code wrt the Ext DABT injection
 + *
 + * Returns: true if the fault status code is as expected, false otherwise
 + */
 +bool kvm_arm_verify_ext_dabt_pending(CPUState *cs);
 +
  /**
   * its_class_name:
   *
 diff --git a/target/arm/kvm.c b/target/arm/kvm.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/kvm.c
 +++ b/target/arm/kvm.c
@@ -XXX,XX +XXX,XX @@ int kvm_get_vcpu_events(ARMCPU *cpu)
  void kvm_arch_pre_run(CPUState *cs, struct kvm_run *run)
  {
 +    ARMCPU *cpu = ARM_CPU(cs);
 +    CPUARMState *env = &cpu->env;
 +
 +    if (unlikely(env->ext_dabt_raised)) {
 +        /*
 +         * Verifying that the ext DABT has been properly injected,
 +         * otherwise risking indefinitely re-running the faulting instruction
 +         * Covering a very narrow case for kernels 5.5..5.5.4
 +         * when injected abort was misconfigured to be
 +         * an IMPLEMENTATION DEFINED exception (for 32-bit EL1)
 +         */
 +        if (!arm_feature(env, ARM_FEATURE_AARCH64) &&
 +            unlikely(!kvm_arm_verify_ext_dabt_pending(cs))) {
 +
 +            error_report("Data abort exception with no valid ISS generated by "
 +                   "guest memory access. KVM unable to emulate faulting "
 +                   "instruction. Failed to inject an external data abort "
 +                   "into the guest.");
 +            abort();
 +       }
 +       /* Clear the status */
 +       env->ext_dabt_raised = 0;
 +    }
  }
  MemTxAttrs kvm_arch_post_run(CPUState *cs, struct kvm_run *run)
@@ -XXX,XX +XXX,XX @@ void kvm_arm_vm_state_change(void *opaque, int running, RunState state)
  static int kvm_arm_handle_dabt_nisv(CPUState *cs, uint64_t esr_iss,
                                      uint64_t fault_ipa)
  {
 +    ARMCPU *cpu = ARM_CPU(cs);
 +    CPUARMState *env = &cpu->env;
      /*
       * Request KVM to inject the external data abort into the guest
       */
@@ -XXX,XX +XXX,XX @@ static int kvm_arm_handle_dabt_nisv(CPUState *cs, uint64_t esr_iss,
           */
          events.exception.ext_dabt_pending = 1;
          /* KVM_CAP_ARM_INJECT_EXT_DABT implies KVM_CAP_VCPU_EVENTS */
 -        return kvm_vcpu_ioctl(cs, KVM_SET_VCPU_EVENTS, &events);
 +        if (!kvm_vcpu_ioctl(cs, KVM_SET_VCPU_EVENTS, &events)) {
 +            env->ext_dabt_raised = 1;
 +            return 0;
 +        }
      } else {
          error_report("Data abort exception triggered by guest memory access "
                       "at physical address: 0x"  TARGET_FMT_lx,
 diff --git a/target/arm/kvm32.c b/target/arm/kvm32.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/kvm32.c
 +++ b/target/arm/kvm32.c
@@ -XXX,XX +XXX,XX @@ void kvm_arm_pmu_init(CPUState *cs)
  {
      qemu_log_mask(LOG_UNIMP, "%s: not implemented\n", __func__);
  }
 +
 +#define ARM_REG_DFSR  ARM_CP15_REG32(0, 5, 0, 0)
 +#define ARM_REG_TTBCR ARM_CP15_REG32(0, 2, 0, 2)
 +/*
 + *DFSR:
 + *      TTBCR.EAE == 0
 + *          FS[4]   - DFSR[10]
 + *          FS[3:0] - DFSR[3:0]
 + *      TTBCR.EAE == 1
 + *          FS, bits [5:0]
 + */
 +#define DFSR_FSC(lpae, v) \
 +    ((lpae) ? ((v) & 0x3F) : (((v) >> 6) | ((v) & 0x1F)))
 +
 +#define DFSC_EXTABT(lpae) ((lpae) ? 0x10 : 0x08)
 +
 +bool kvm_arm_verify_ext_dabt_pending(CPUState *cs)
 +{
 +    uint32_t dfsr_val;
 +
 +    if (!kvm_get_one_reg(cs, ARM_REG_DFSR, &dfsr_val)) {
 +        ARMCPU *cpu = ARM_CPU(cs);
 +        CPUARMState *env = &cpu->env;
 +        uint32_t ttbcr;
 +        int lpae = 0;
 +
 +        if (!kvm_get_one_reg(cs, ARM_REG_TTBCR, &ttbcr)) {
 +            lpae = arm_feature(env, ARM_FEATURE_LPAE) && (ttbcr & TTBCR_EAE);
 +        }
 +        /* The verification is based on FS filed of the DFSR reg only*/
 +        return (DFSR_FSC(lpae, dfsr_val) == DFSC_EXTABT(lpae));
 +    }
 +    return false;
 +}
 diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/kvm64.c
 +++ b/target/arm/kvm64.c
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_handle_debug(CPUState *cs, struct kvm_debug_exit_arch *debug_exit)
      return false;
  }
 +
 +#define ARM64_REG_ESR_EL1 ARM64_SYS_REG(3, 0, 5, 2, 0)
 +#define ARM64_REG_TCR_EL1 ARM64_SYS_REG(3, 0, 2, 0, 2)
 +
 +/*
 + * ESR_EL1
 + * ISS encoding
 + * AARCH64: DFSC,   bits [5:0]
 + * AARCH32:
 + *      TTBCR.EAE == 0
 + *          FS[4]   - DFSR[10]
 + *          FS[3:0] - DFSR[3:0]
 + *      TTBCR.EAE == 1
 + *          FS, bits [5:0]
 + */
 +#define ESR_DFSC(aarch64, lpae, v)        \
 +    ((aarch64 || (lpae)) ? ((v) & 0x3F)   \
 +               : (((v) >> 6) | ((v) & 0x1F)))
 +
 +#define ESR_DFSC_EXTABT(aarch64, lpae) \
 +    ((aarch64) ? 0x10 : (lpae) ? 0x10 : 0x8)
 +
 +bool kvm_arm_verify_ext_dabt_pending(CPUState *cs)
 +{
 +    uint64_t dfsr_val;
 +
 +    if (!kvm_get_one_reg(cs, ARM64_REG_ESR_EL1, &dfsr_val)) {
 +        ARMCPU *cpu = ARM_CPU(cs);
 +        CPUARMState *env = &cpu->env;
 +        int aarch64_mode = arm_feature(env, ARM_FEATURE_AARCH64);
 +        int lpae = 0;
 +
 +        if (!aarch64_mode) {
 +            uint64_t ttbcr;
 +
 +            if (!kvm_get_one_reg(cs, ARM64_REG_TCR_EL1, &ttbcr)) {
 +                lpae = arm_feature(env, ARM_FEATURE_LPAE)
 +                        && (ttbcr & TTBCR_EAE);
 +            }
 +        }
 +        /*
 +         * The verification here is based on the DFSC bits
 +         * of the ESR_EL1 reg only
 +         */
 +         return (ESR_DFSC(aarch64_mode, lpae, dfsr_val) ==
 +                ESR_DFSC_EXTABT(aarch64_mode, lpae));
 +    }
 +    return false;
 +}
 --
 .20.1

-New patch
+[PULL 11/34] tests/acpi: remove stale allowed tables
+From: Andrew Jones <drjones@redhat.com>
+Fixes: 93dd625f8bf7 ("tests/acpi: update expected data files")
+Signed-off-by: Andrew Jones <drjones@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Message-id: 20200629140938.17566-2-drjones@redhat.com
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ tests/qtest/bios-tables-test-allowed-diff.h | 18 ------------------
+file changed, 18 deletions(-)
+diff --git a/tests/qtest/bios-tables-test-allowed-diff.h b/tests/qtest/bios-tables-test-allowed-diff.h
+index XXXXXXX..XXXXXXX 100644
+--- a/tests/qtest/bios-tables-test-allowed-diff.h
++++ b/tests/qtest/bios-tables-test-allowed-diff.h
+@@ -1,19 +1 @@
+ /* List of comma-separated changed AML files to ignore */
+-"tests/data/acpi/pc/DSDT",
+-"tests/data/acpi/pc/DSDT.acpihmat",
+-"tests/data/acpi/pc/DSDT.bridge",
+-"tests/data/acpi/pc/DSDT.cphp",
+-"tests/data/acpi/pc/DSDT.dimmpxm",
+-"tests/data/acpi/pc/DSDT.ipmikcs",
+-"tests/data/acpi/pc/DSDT.memhp",
+-"tests/data/acpi/pc/DSDT.numamem",
+-"tests/data/acpi/q35/DSDT",
+-"tests/data/acpi/q35/DSDT.acpihmat",
+-"tests/data/acpi/q35/DSDT.bridge",
+-"tests/data/acpi/q35/DSDT.cphp",
+-"tests/data/acpi/q35/DSDT.dimmpxm",
+-"tests/data/acpi/q35/DSDT.ipmibt",
+-"tests/data/acpi/q35/DSDT.memhp",
+-"tests/data/acpi/q35/DSDT.mmio64",
+-"tests/data/acpi/q35/DSDT.numamem",
+-"tests/data/acpi/q35/DSDT.tis",
+--
+.20.1

-New patch
+[PULL 12/34] tests/acpi: virt: allow DSDT acpi table changes
+From: Andrew Jones <drjones@redhat.com>
+Signed-off-by: Andrew Jones <drjones@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Message-id: 20200629140938.17566-3-drjones@redhat.com
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ tests/qtest/bios-tables-test-allowed-diff.h | 3 +++
+file changed, 3 insertions(+)
+diff --git a/tests/qtest/bios-tables-test-allowed-diff.h b/tests/qtest/bios-tables-test-allowed-diff.h
+index XXXXXXX..XXXXXXX 100644
+--- a/tests/qtest/bios-tables-test-allowed-diff.h
++++ b/tests/qtest/bios-tables-test-allowed-diff.h
+@@ -1 +1,4 @@
+ /* List of comma-separated changed AML files to ignore */
++"tests/data/acpi/virt/DSDT",
++"tests/data/acpi/virt/DSDT.memhp",
++"tests/data/acpi/virt/DSDT.numamem",
+--
+.20.1

-New patch
+[PULL 13/34] hw/arm/virt-acpi-build: Only expose flash on older machine types
+From: Andrew Jones <drjones@redhat.com>
+The flash device is exclusively for the host-controlled firmware, so
+we should not expose it to the OS. Exposing it risks the OS messing
+with it, which could break firmware runtime services and surprise the
+OS when all its changes disappear after reboot.
+As firmware needs the device and uses DT, we leave the device exposed
+there. It's up to firmware to remove the nodes from DT before sending
+it on to the OS. However, there's no need to force firmware to remove
+tables from ACPI (which it doesn't know how to do anyway), so we
+simply don't add the tables in the first place. But, as we've been
+adding the tables for quite some time and don't want to change the
+default hardware exposed to versioned machines, then we only stop
+exposing the flash device tables for 5.1 and later machine types.
+Suggested-by: Ard Biesheuvel <ard.biesheuvel@arm.com>
+Suggested-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Andrew Jones <drjones@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+Message-id: 20200629140938.17566-4-drjones@redhat.com
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ include/hw/arm/virt.h    | 1 +
+ hw/arm/virt-acpi-build.c | 5 ++++-
+ hw/arm/virt.c            | 3 +++
+files changed, 8 insertions(+), 1 deletion(-)
+diff --git a/include/hw/arm/virt.h b/include/hw/arm/virt.h
+index XXXXXXX..XXXXXXX 100644
+--- a/include/hw/arm/virt.h
++++ b/include/hw/arm/virt.h
+@@ -XXX,XX +XXX,XX @@ typedef struct {
+     bool no_highmem_ecam;
+     bool no_ged;   /* Machines < 4.2 has no support for ACPI GED device */
+     bool kvm_no_adjvtime;
++    bool acpi_expose_flash;
+ } VirtMachineClass;
+ typedef struct {
+diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/virt-acpi-build.c
++++ b/hw/arm/virt-acpi-build.c
+@@ -XXX,XX +XXX,XX @@ static void build_fadt_rev5(GArray *table_data, BIOSLinker *linker,
+ static void
+ build_dsdt(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
+ {
++    VirtMachineClass *vmc = VIRT_MACHINE_GET_CLASS(vms);
+     Aml *scope, *dsdt;
+     MachineState *ms = MACHINE(vms);
+     const MemMapEntry *memmap = vms->memmap;
+@@ -XXX,XX +XXX,XX @@ build_dsdt(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
+     acpi_dsdt_add_cpus(scope, vms->smp_cpus);
+     acpi_dsdt_add_uart(scope, &memmap[VIRT_UART],
+                        (irqmap[VIRT_UART] + ARM_SPI_BASE));
+-    acpi_dsdt_add_flash(scope, &memmap[VIRT_FLASH]);
++    if (vmc->acpi_expose_flash) {
++        acpi_dsdt_add_flash(scope, &memmap[VIRT_FLASH]);
++    }
+     acpi_dsdt_add_fw_cfg(scope, &memmap[VIRT_FW_CFG]);
+     acpi_dsdt_add_virtio(scope, &memmap[VIRT_MMIO],
+                     (irqmap[VIRT_MMIO] + ARM_SPI_BASE), NUM_VIRTIO_TRANSPORTS);
+diff --git a/hw/arm/virt.c b/hw/arm/virt.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/virt.c
++++ b/hw/arm/virt.c
+@@ -XXX,XX +XXX,XX @@ DEFINE_VIRT_MACHINE_AS_LATEST(5, 1)
+ static void virt_machine_5_0_options(MachineClass *mc)
+ {
++    VirtMachineClass *vmc = VIRT_MACHINE_CLASS(OBJECT_CLASS(mc));
++
+     virt_machine_5_1_options(mc);
+     compat_props_add(mc->compat_props, hw_compat_5_0, hw_compat_5_0_len);
+     mc->numa_mem_supported = true;
++    vmc->acpi_expose_flash = true;
+ }
+ DEFINE_VIRT_MACHINE(5, 0)
+--
+.20.1

-[Qemu-devel] [PULL 05/10] hw/ssi/mss-spi: Avoid crash when reading empty RX FIFO
+[PULL 14/34] tests/acpi: virt: update golden masters for DSDT
-From: Philippe Mathieu-Daudé <philmd@redhat.com>
+From: Andrew Jones <drjones@redhat.com>
-Reading the RX_DATA register when the RX_FIFO is empty triggers
+Differences between disassembled ASL files for DSDT:
 an abort. This can be easily reproduced:
-  $ qemu-system-arm -M emcraft-sf2 -monitor stdio -S
+@@ -XXX,XX +XXX,XX @@
-  QEMU 4.0.50 monitor - type 'help' for more information
+  *
-  (qemu) x 0x40001010
+  * Disassembling to symbolic ASL+ operators
-  Aborted (core dumped)
+  *
 - * Disassembly of a, Mon Jun 29 09:50:01 2020
 + * Disassembly of b, Mon Jun 29 09:50:03 2020
   *
   * Original Table Header:
   *     Signature        "DSDT"
 - *     Length           0x000014BB (5307)
 + *     Length           0x00001455 (5205)
   *     Revision         0x02
 - *     Checksum         0xD1
 + *     Checksum         0xE1
   *     OEM ID           "BOCHS "
   *     OEM Table ID     "BXPCDSDT"
   *     OEM Revision     0x00000001 (1)
@@ -XXX,XX +XXX,XX @@
              })
          }
-  (gdb) bt
+-        Device (FLS0)
-  #1  0x00007f035874f895 in abort () at /lib64/libc.so.6
+-        {
-  #2  0x00005628686591ff in fifo8_pop (fifo=0x56286a9a4c68) at util/fifo8.c:66
+-            Name (_HID, "LNRO0015")  // _HID: Hardware ID
-  #3  0x00005628683e0b8e in fifo32_pop (fifo=0x56286a9a4c68) at include/qemu/fifo32.h:137
+-            Name (_UID, Zero)  // _UID: Unique ID
-  #4  0x00005628683e0efb in spi_read (opaque=0x56286a9a4850, addr=4, size=4) at hw/ssi/mss-spi.c:168
+-            Name (_CRS, ResourceTemplate ()  // _CRS: Current Resource Settings
-  #5  0x0000562867f96801 in memory_region_read_accessor (mr=0x56286a9a4b60, addr=16, value=0x7ffeecb0c5c8, size=4, shift=0, mask=4294967295, attrs=...) at memory.c:439
+-            {
-  #6  0x0000562867f96cdb in access_with_adjusted_size (addr=16, value=0x7ffeecb0c5c8, size=4, access_size_min=1, access_size_max=4, access_fn=0x562867f967c3 <memory_region_read_accessor>, mr=0x56286a9a4b60, attrs=...) at memory.c:569
+-                Memory32Fixed (ReadWrite,
-  #7  0x0000562867f99940 in memory_region_dispatch_read1 (mr=0x56286a9a4b60, addr=16, pval=0x7ffeecb0c5c8, size=4, attrs=...) at memory.c:1420
+-                    0x00000000,         // Address Base
-  #8  0x0000562867f99a08 in memory_region_dispatch_read (mr=0x56286a9a4b60, addr=16, pval=0x7ffeecb0c5c8, size=4, attrs=...) at memory.c:1447
+-                    0x04000000,         // Address Length
-  #9  0x0000562867f38721 in flatview_read_continue (fv=0x56286aec6360, addr=1073745936, attrs=..., buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4, addr1=16, l=4, mr=0x56286a9a4b60) at exec.c:3385
+-                    )
-  #10 0x0000562867f38874 in flatview_read (fv=0x56286aec6360, addr=1073745936, attrs=..., buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4) at exec.c:3423
+-            })
-  #11 0x0000562867f388ea in address_space_read_full (as=0x56286aa3e890, addr=1073745936, attrs=..., buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4) at exec.c:3436
+-        }
-  #12 0x0000562867f389c5 in address_space_rw (as=0x56286aa3e890, addr=1073745936, attrs=..., buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4, is_write=false) at exec.c:3466
+-
-  #13 0x0000562867f3bdd7 in cpu_memory_rw_debug (cpu=0x56286aa19d00, addr=1073745936, buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4, is_write=0) at exec.c:3976
+-        Device (FLS1)
-  #14 0x000056286811ed51 in memory_dump (mon=0x56286a8c32d0, count=1, format=120, wsize=4, addr=1073745936, is_physical=0) at monitor/misc.c:730
+-        {
-  #15 0x000056286811eff1 in hmp_memory_dump (mon=0x56286a8c32d0, qdict=0x56286b15c400) at monitor/misc.c:785
+-            Name (_HID, "LNRO0015")  // _HID: Hardware ID
-  #16 0x00005628684740ee in handle_hmp_command (mon=0x56286a8c32d0, cmdline=0x56286a8caeb2 "0x40001010") at monitor/hmp.c:1082
+-            Name (_UID, One)  // _UID: Unique ID
 -            Name (_CRS, ResourceTemplate ()  // _CRS: Current Resource Settings
 -            {
 -                Memory32Fixed (ReadWrite,
 -                    0x04000000,         // Address Base
 -                    0x04000000,         // Address Length
 -                    )
 -            })
 -        }
 -
          Device (FWCF)
          {
              Name (_HID, "QEMU0002")  // _HID: Hardware ID
-From the datasheet "Actel SmartFusion Microcontroller Subsystem
+The other two binaries have the same changes (the removal of the
-User's Guide" Rev.1, Table 13-3 "SPI Register Summary", this
+flash devices).
 register has a reset value of 0.
-Check the FIFO is not empty before accessing it, else log an
+Signed-off-by: Andrew Jones <drjones@redhat.com>
-error message.
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
-Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
-Message-id: 20190709113715.7761-3-philmd@redhat.com
+Message-id: 20200629140938.17566-5-drjones@redhat.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/ssi/mss-spi.c | 8 +++++++-
+ tests/qtest/bios-tables-test-allowed-diff.h |   3 ---
-file changed, 7 insertions(+), 1 deletion(-)
+ tests/data/acpi/virt/DSDT                   | Bin 5307 -> 5205 bytes
  tests/data/acpi/virt/DSDT.memhp             | Bin 6668 -> 6566 bytes
  tests/data/acpi/virt/DSDT.numamem           | Bin 5307 -> 5205 bytes
 files changed, 3 deletions(-)
-diff --git a/hw/ssi/mss-spi.c b/hw/ssi/mss-spi.c
+diff --git a/tests/qtest/bios-tables-test-allowed-diff.h b/tests/qtest/bios-tables-test-allowed-diff.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/ssi/mss-spi.c
+--- a/tests/qtest/bios-tables-test-allowed-diff.h
-+++ b/hw/ssi/mss-spi.c
++++ b/tests/qtest/bios-tables-test-allowed-diff.h
-@@ -XXX,XX +XXX,XX @@ spi_read(void *opaque, hwaddr addr, unsigned int size)
+@@ -1,4 +1 @@
-     case R_SPI_RX:
+ /* List of comma-separated changed AML files to ignore */
-         s->regs[R_SPI_STATUS] &= ~S_RXFIFOFUL;
+-"tests/data/acpi/virt/DSDT",
-         s->regs[R_SPI_STATUS] &= ~S_RXCHOVRF;
+-"tests/data/acpi/virt/DSDT.memhp",
--        ret = fifo32_pop(&s->rx_fifo);
+-"tests/data/acpi/virt/DSDT.numamem",
-+        if (fifo32_is_empty(&s->rx_fifo)) {
+diff --git a/tests/data/acpi/virt/DSDT b/tests/data/acpi/virt/DSDT
-+            qemu_log_mask(LOG_GUEST_ERROR,
+index XXXXXXX..XXXXXXX 100644
-+                          "%s: Reading empty RX_FIFO\n",
+GIT binary patch
-+                          __func__);
+delta 28
-+        } else {
+kcmdn3c~yhUCD<h-RD^+n>ET2!X{H9}iRuX(-<}f&0DgxFc>n+a
-+            ret = fifo32_pop(&s->rx_fifo);
-+        }
+delta 156
-         if (fifo32_is_empty(&s->rx_fifo)) {
+zcmcbrv0IbNCD<iow+I6R)5VEg(oAih6V(&y4c&Z#4LIUGJY9Hw{DS-q3=B;fIO0P+
-             s->regs[R_SPI_STATUS] |= S_RXFIFOEMP;
+zU4W!>P_UpN7hfAE10w?juv9WcH-WSmV$;Hiu7w4t3#`S$E!^1+q9xGPH`KtuzzAr5
-         }
+LaERl^1zUvy_;n(J
 diff --git a/tests/data/acpi/virt/DSDT.memhp b/tests/data/acpi/virt/DSDT.memhp
 index XXXXXXX..XXXXXXX 100644
 GIT binary patch
 delta 28
 kcmeA%S!T@T66_MPOp<|tiD@F2G*jb@iRuX(-^xn@0CHUjRR910
 delta 156
 zcmZ2x++)J!66_MfBgMeL^l>7WG*kP$iRuaUhHgH=1|0Doo-VvTenI{Q28N~#9Py!^
 zE<n;bC|FRCi?5B7fsp|MSSlH!n?PC&v1wsM*TMqS1=eEW7Vhi@(GuwD8){%+U<5Qj
 LIK*+|0yaqism~!^
 diff --git a/tests/data/acpi/virt/DSDT.numamem b/tests/data/acpi/virt/DSDT.numamem
 index XXXXXXX..XXXXXXX 100644
 GIT binary patch
 delta 28
 kcmdn3c~yhUCD<h-RD^+n>ET2!X{H9}iRuX(-<}f&0DgxFc>n+a
 delta 156
 zcmcbrv0IbNCD<iow+I6R)5VEg(oAih6V(&y4c&Z#4LIUGJY9Hw{DS-q3=B;fIO0P+
 zU4W!>P_UpN7hfAE10w?juv9WcH-WSmV$;Hiu7w4t3#`S$E!^1+q9xGPH`KtuzzAr5
 LaERl^1zUvy_;n(J
 --
 .20.1

-[Qemu-devel] [PULL 04/10] hw/ssi/xilinx_spips: Avoid out-of-bound access to lqspi_buf[]
+[PULL 15/34] target/arm: Fix temp double-free in sve ldr/str
-From: Philippe Mathieu-Daudé <philmd@redhat.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-Both lqspi_read() and lqspi_load_cache() expect a 32-bit
+The temp that gets assigned to clean_addr has been allocated with
-aligned address.
+new_tmp_a64, which means that it will be freed at the end of the
 instruction.  Freeing it earlier leads to assertion failure.
->From UG1085 datasheet [*] chapter on 'Quad-SPI Controller':
+The loop creates a complication, in which we allocate a new local
 temp, which does need freeing, and the final code path is shared
 between the loop and non-loop.
-  Transfer Size Limitations
+Fix this complication by adding new_tmp_a64_local so that the new
 local temp is freed at the end, and can be treated exactly like
 the non-loop path.
-    Because of the 32-bit wide TX, RX, and generic FIFO, all
+Fixes: bba87d0a0f4
-    APB/AXI transfers must be an integer multiple of 4-bytes.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-    Shorter transfers are not possible.
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Message-id: 20200702175605.1987125-1-richard.henderson@linaro.org
 Set MemoryRegionOps.impl values to force 32-bit accesses,
 this way we are sure we do not access the lqspi_buf[] array
 out of bound.
 [*] https://www.xilinx.com/support/documentation/user_guides/ug1085-zynq-ultrascale-trm.pdf
 Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
 Tested-by: Francisco Iglesias <frasse.iglesias@gmail.com>
 Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/ssi/xilinx_spips.c | 4 ++++
+ target/arm/translate-a64.h | 1 +
-file changed, 4 insertions(+)
+ target/arm/translate-a64.c | 6 ++++++
  target/arm/translate-sve.c | 8 ++------
 files changed, 9 insertions(+), 6 deletions(-)
-diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
+diff --git a/target/arm/translate-a64.h b/target/arm/translate-a64.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/ssi/xilinx_spips.c
+--- a/target/arm/translate-a64.h
-+++ b/hw/ssi/xilinx_spips.c
++++ b/target/arm/translate-a64.h
-@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps lqspi_ops = {
+@@ -XXX,XX +XXX,XX @@ void unallocated_encoding(DisasContext *s);
-     .read_with_attrs = lqspi_read,
+     } while (0)
-     .write_with_attrs = lqspi_write,
-     .endianness = DEVICE_NATIVE_ENDIAN,
+ TCGv_i64 new_tmp_a64(DisasContext *s);
-+    .impl = {
++TCGv_i64 new_tmp_a64_local(DisasContext *s);
-+        .min_access_size = 4,
+ TCGv_i64 new_tmp_a64_zero(DisasContext *s);
-+        .max_access_size = 4,
+ TCGv_i64 cpu_reg(DisasContext *s, int reg);
-+    },
+ TCGv_i64 cpu_reg_sp(DisasContext *s, int reg);
-     .valid = {
+diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
-         .min_access_size = 1,
+index XXXXXXX..XXXXXXX 100644
-         .max_access_size = 4
+--- a/target/arm/translate-a64.c
 +++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ TCGv_i64 new_tmp_a64(DisasContext *s)
      return s->tmp_a64[s->tmp_a64_count++] = tcg_temp_new_i64();
  }
 +TCGv_i64 new_tmp_a64_local(DisasContext *s)
 +{
 +    assert(s->tmp_a64_count < TMP_A64_MAX);
 +    return s->tmp_a64[s->tmp_a64_count++] = tcg_temp_local_new_i64();
 +}
 +
  TCGv_i64 new_tmp_a64_zero(DisasContext *s)
  {
      TCGv_i64 t = new_tmp_a64(s);
 diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-sve.c
 +++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ static void do_ldr(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
          /* Copy the clean address into a local temp, live across the loop. */
          t0 = clean_addr;
 -        clean_addr = tcg_temp_local_new_i64();
 +        clean_addr = new_tmp_a64_local(s);
          tcg_gen_mov_i64(clean_addr, t0);
 -        tcg_temp_free_i64(t0);
          gen_set_label(loop);
@@ -XXX,XX +XXX,XX @@ static void do_ldr(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
          tcg_gen_st_i64(t0, cpu_env, vofs + len_align);
          tcg_temp_free_i64(t0);
      }
 -    tcg_temp_free_i64(clean_addr);
  }
  /* Similarly for stores.  */
@@ -XXX,XX +XXX,XX @@ static void do_str(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
          /* Copy the clean address into a local temp, live across the loop. */
          t0 = clean_addr;
 -        clean_addr = tcg_temp_local_new_i64();
 +        clean_addr = new_tmp_a64_local(s);
          tcg_gen_mov_i64(clean_addr, t0);
 -        tcg_temp_free_i64(t0);
          gen_set_label(loop);
@@ -XXX,XX +XXX,XX @@ static void do_str(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
          }
          tcg_temp_free_i64(t0);
      }
 -    tcg_temp_free_i64(clean_addr);
  }
  static bool trans_LDR_zri(DisasContext *s, arg_rri *a)
 --
 .20.1

-[Qemu-devel] [PULL 01/10] target/arm: report ARMv8-A FP support for AArch32 -cpu max
+[PULL 16/34] hw/display/bcm2835_fb.c: Initialize all fields of struct
-From: Alex Bennée <alex.bennee@linaro.org>
+In bcm2835_fb_mbox_push(), Coverity complains (CID 1429989) that we
 pass a pointer to a local struct to another function without
 initializing all its fields.  This is a real bug:
 bcm2835_fb_reconfigure() copies the whole of our new BCM2385FBConfig
 struct into s->config, so any fields we don't initialize will corrupt
 the state of the device.
-When we converted to using feature bits in 602f6e42cfbf we missed out
+Copy the two fields which we don't want to update (pixo and alpha)
-the fact (dp && arm_dc_feature(s, ARM_FEATURE_V8)) was supported for
+from the existing config so we don't accidentally change them.
 -cpu max configurations. This caused a regression in the GCC test
 suite. Fix this by setting the appropriate bits in mvfr1.FPHP to
 report ARMv8-A with FP support (but not ARMv8.2-FP16).
-Fixes: https://bugs.launchpad.net/qemu/+bug/1836078
+Fixes: cfb7ba983857e40e88
 Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20190711103737.10017-1-alex.bennee@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Message-id: 20200628195436.27582-1-peter.maydell@linaro.org
 ---
- target/arm/cpu.c | 4 ++++
+ hw/display/bcm2835_fb.c | 4 ++++
 file changed, 4 insertions(+)
-diff --git a/target/arm/cpu.c b/target/arm/cpu.c
+diff --git a/hw/display/bcm2835_fb.c b/hw/display/bcm2835_fb.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.c
+--- a/hw/display/bcm2835_fb.c
-+++ b/target/arm/cpu.c
++++ b/hw/display/bcm2835_fb.c
-@@ -XXX,XX +XXX,XX @@ static void arm_max_initfn(Object *obj)
+@@ -XXX,XX +XXX,XX @@ static void bcm2835_fb_mbox_push(BCM2835FBState *s, uint32_t value)
-             t = FIELD_DP32(t, ID_ISAR6, SPECRES, 1);
+     newconf.base = s->vcram_base | (value & 0xc0000000);
-             cpu->isar.id_isar6 = t;
+     newconf.base += BCM2835_FB_OFFSET;
-+            t = cpu->isar.mvfr1;
++    /* Copy fields which we don't want to change from the existing config */
-+            t = FIELD_DP32(t, MVFR1, FPHP, 2);     /* v8.0 FP support */
++    newconf.pixo = s->config.pixo;
-+            cpu->isar.mvfr1 = t;
++    newconf.alpha = s->config.alpha;
 +
-             t = cpu->isar.mvfr2;
+     bcm2835_fb_validate_config(&newconf);
-             t = FIELD_DP32(t, MVFR2, SIMDMISC, 3); /* SIMD MaxNum */
-             t = FIELD_DP32(t, MVFR2, FPMISC, 4);   /* FP MaxNum */
+     pitch = bcm2835_fb_get_pitch(&newconf);
 --
 .20.1

-[Qemu-devel] [PULL 02/10] hw/ssi/xilinx_spips: Convert lqspi_read() to read_with_attrs
+[PULL 17/34] hw/arm/spitz: Detabify
-From: Philippe Mathieu-Daudé <philmd@redhat.com>
+The spitz board has been around a long time, and still has a fair number
+of hard-coded tab characters in it. We're about to do some work on
-In the next commit we will implement the write_with_attrs()
+this source file, so start out by expanding out the tabs.
-handler. To avoid using different APIs, convert the read()
-handler first.
+This commit is a pure whitespace only change.
 Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
 Tested-by: Francisco Iglesias <frasse.iglesias@gmail.com>
 Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Message-id: 20200628142429.17111-2-peter.maydell@linaro.org
 ---
- hw/ssi/xilinx_spips.c | 23 +++++++++++------------
+ hw/arm/spitz.c | 156 ++++++++++++++++++++++++-------------------------
-file changed, 11 insertions(+), 12 deletions(-)
+file changed, 78 insertions(+), 78 deletions(-)
-diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
+diff --git a/hw/arm/spitz.c b/hw/arm/spitz.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/ssi/xilinx_spips.c
+--- a/hw/arm/spitz.c
-+++ b/hw/ssi/xilinx_spips.c
++++ b/hw/arm/spitz.c
-@@ -XXX,XX +XXX,XX @@ static void lqspi_load_cache(void *opaque, hwaddr addr)
+@@ -XXX,XX +XXX,XX @@
  #include "cpu.h"
  #undef REG_FMT
 -#define REG_FMT            "0x%02lx"
 +#define REG_FMT                         "0x%02lx"
  /* Spitz Flash */
 -#define FLASH_BASE        0x0c000000
 -#define FLASH_ECCLPLB        0x00    /* Line parity 7 - 0 bit */
 -#define FLASH_ECCLPUB        0x04    /* Line parity 15 - 8 bit */
 -#define FLASH_ECCCP        0x08    /* Column parity 5 - 0 bit */
 -#define FLASH_ECCCNTR        0x0c    /* ECC byte counter */
 -#define FLASH_ECCCLRR        0x10    /* Clear ECC */
 -#define FLASH_FLASHIO        0x14    /* Flash I/O */
 -#define FLASH_FLASHCTL        0x18    /* Flash Control */
 +#define FLASH_BASE              0x0c000000
 +#define FLASH_ECCLPLB           0x00    /* Line parity 7 - 0 bit */
 +#define FLASH_ECCLPUB           0x04    /* Line parity 15 - 8 bit */
 +#define FLASH_ECCCP             0x08    /* Column parity 5 - 0 bit */
 +#define FLASH_ECCCNTR           0x0c    /* ECC byte counter */
 +#define FLASH_ECCCLRR           0x10    /* Clear ECC */
 +#define FLASH_FLASHIO           0x14    /* Flash I/O */
 +#define FLASH_FLASHCTL          0x18    /* Flash Control */
 -#define FLASHCTL_CE0        (1 << 0)
 -#define FLASHCTL_CLE        (1 << 1)
 -#define FLASHCTL_ALE        (1 << 2)
 -#define FLASHCTL_WP        (1 << 3)
 -#define FLASHCTL_CE1        (1 << 4)
 -#define FLASHCTL_RYBY        (1 << 5)
 -#define FLASHCTL_NCE        (FLASHCTL_CE0 | FLASHCTL_CE1)
 +#define FLASHCTL_CE0            (1 << 0)
 +#define FLASHCTL_CLE            (1 << 1)
 +#define FLASHCTL_ALE            (1 << 2)
 +#define FLASHCTL_WP             (1 << 3)
 +#define FLASHCTL_CE1            (1 << 4)
 +#define FLASHCTL_RYBY           (1 << 5)
 +#define FLASHCTL_NCE            (FLASHCTL_CE0 | FLASHCTL_CE1)
  #define TYPE_SL_NAND "sl-nand"
  #define SL_NAND(obj) OBJECT_CHECK(SLNANDState, (obj), TYPE_SL_NAND)
@@ -XXX,XX +XXX,XX @@ static uint64_t sl_read(void *opaque, hwaddr addr, unsigned size)
      int ryby;
      switch (addr) {
 -#define BSHR(byte, from, to)    ((s->ecc.lp[byte] >> (from - to)) & (1 << to))
 +#define BSHR(byte, from, to)    ((s->ecc.lp[byte] >> (from - to)) & (1 << to))
      case FLASH_ECCLPLB:
          return BSHR(0, 4, 0) | BSHR(0, 5, 2) | BSHR(0, 6, 4) | BSHR(0, 7, 6) |
                  BSHR(1, 4, 1) | BSHR(1, 5, 3) | BSHR(1, 6, 5) | BSHR(1, 7, 7);
 -#define BSHL(byte, from, to)    ((s->ecc.lp[byte] << (to - from)) & (1 << to))
 +#define BSHL(byte, from, to)    ((s->ecc.lp[byte] << (to - from)) & (1 << to))
      case FLASH_ECCLPUB:
          return BSHL(0, 0, 0) | BSHL(0, 1, 2) | BSHL(0, 2, 4) | BSHL(0, 3, 6) |
                  BSHL(1, 0, 1) | BSHL(1, 1, 3) | BSHL(1, 2, 5) | BSHL(1, 3, 7);
@@ -XXX,XX +XXX,XX @@ static void sl_nand_realize(DeviceState *dev, Error **errp)
  /* Spitz Keyboard */
 -#define SPITZ_KEY_STROBE_NUM    11
 -#define SPITZ_KEY_SENSE_NUM    7
 +#define SPITZ_KEY_STROBE_NUM    11
 +#define SPITZ_KEY_SENSE_NUM     7
  static const int spitz_gpio_key_sense[SPITZ_KEY_SENSE_NUM] = {
 , 17, 91, 34, 36, 38, 39
@@ -XXX,XX +XXX,XX @@ static int spitz_keymap[SPITZ_KEY_SENSE_NUM + 1][SPITZ_KEY_STROBE_NUM] = {
      { 0x52, 0x43, 0x01, 0x47, 0x49,  -1 ,  -1 ,  -1 ,  -1 ,  -1 ,  -1  },
  };
 -#define SPITZ_GPIO_AK_INT    13    /* Remote control */
 -#define SPITZ_GPIO_SYNC        16    /* Sync button */
 -#define SPITZ_GPIO_ON_KEY    95    /* Power button */
 -#define SPITZ_GPIO_SWA        97    /* Lid */
 -#define SPITZ_GPIO_SWB        96    /* Tablet mode */
 +#define SPITZ_GPIO_AK_INT       13      /* Remote control */
 +#define SPITZ_GPIO_SYNC                 16      /* Sync button */
 +#define SPITZ_GPIO_ON_KEY       95      /* Power button */
 +#define SPITZ_GPIO_SWA          97      /* Lid */
 +#define SPITZ_GPIO_SWB          96      /* Tablet mode */
  /* The special buttons are mapped to unused keys */
  static const int spitz_gpiomap[5] = {
@@ -XXX,XX +XXX,XX @@ static void spitz_keyboard_keydown(SpitzKeyboardState *s, int keycode)
  #define SPITZ_MOD_CTRL    (1 << 8)
  #define SPITZ_MOD_FN      (1 << 9)
 -#define QUEUE_KEY(c)    s->fifo[(s->fifopos + s->fifolen ++) & 0xf] = c
 +#define QUEUE_KEY(c)    s->fifo[(s->fifopos + s->fifolen ++) & 0xf] = c
  static void spitz_keyboard_handler(void *opaque, int keycode)
  {
@@ -XXX,XX +XXX,XX @@ static void spitz_keyboard_handler(void *opaque, int keycode)
      uint16_t code;
      int mapcode;
      switch (keycode) {
 -    case 0x2a:    /* Left Shift */
 +    case 0x2a:  /* Left Shift */
          s->modifiers |= 1;
          break;
      case 0xaa:
          s->modifiers &= ~1;
          break;
 -    case 0x36:    /* Right Shift */
 +    case 0x36:  /* Right Shift */
          s->modifiers |= 2;
          break;
      case 0xb6:
          s->modifiers &= ~2;
          break;
 -    case 0x1d:    /* Control */
 +    case 0x1d:  /* Control */
          s->modifiers |= 4;
          break;
      case 0x9d:
          s->modifiers &= ~4;
          break;
 -    case 0x38:    /* Alt */
 +    case 0x38:  /* Alt */
          s->modifiers |= 8;
          break;
      case 0xb8:
@@ -XXX,XX +XXX,XX @@ static void spitz_keyboard_realize(DeviceState *dev, Error **errp)
  /* LCD backlight controller */
 -#define LCDTG_RESCTL    0x00
 -#define LCDTG_PHACTRL    0x01
 -#define LCDTG_DUTYCTRL    0x02
 -#define LCDTG_POWERREG0    0x03
 -#define LCDTG_POWERREG1    0x04
 -#define LCDTG_GPOR3    0x05
 -#define LCDTG_PICTRL    0x06
 -#define LCDTG_POLCTRL    0x07
 +#define LCDTG_RESCTL    0x00
 +#define LCDTG_PHACTRL   0x01
 +#define LCDTG_DUTYCTRL  0x02
 +#define LCDTG_POWERREG0         0x03
 +#define LCDTG_POWERREG1         0x04
 +#define LCDTG_GPOR3     0x05
 +#define LCDTG_PICTRL    0x06
 +#define LCDTG_POLCTRL   0x07
  typedef struct {
      SSISlave ssidev;
@@ -XXX,XX +XXX,XX @@ static void spitz_lcdtg_realize(SSISlave *dev, Error **errp)
  /* SSP devices */
 -#define CORGI_SSP_PORT        2
 +#define CORGI_SSP_PORT          2
 -#define SPITZ_GPIO_LCDCON_CS    53
 -#define SPITZ_GPIO_ADS7846_CS    14
 -#define SPITZ_GPIO_MAX1111_CS    20
 -#define SPITZ_GPIO_TP_INT    11
 +#define SPITZ_GPIO_LCDCON_CS    53
 +#define SPITZ_GPIO_ADS7846_CS   14
 +#define SPITZ_GPIO_MAX1111_CS   20
 +#define SPITZ_GPIO_TP_INT       11
  static DeviceState *max1111;
@@ -XXX,XX +XXX,XX @@ static void corgi_ssp_gpio_cs(void *opaque, int line, int level)
      s->enable[line] = !level;
  }
 -#define MAX1111_BATT_VOLT    1
 -#define MAX1111_BATT_TEMP    2
 -#define MAX1111_ACIN_VOLT    3
 +#define MAX1111_BATT_VOLT       1
 +#define MAX1111_BATT_TEMP       2
 +#define MAX1111_ACIN_VOLT       3
 -#define SPITZ_BATTERY_TEMP    0xe0    /* About 2.9V */
 -#define SPITZ_BATTERY_VOLT    0xd0    /* About 4.0V */
 -#define SPITZ_CHARGEON_ACIN    0x80    /* About 5.0V */
 +#define SPITZ_BATTERY_TEMP      0xe0    /* About 2.9V */
 +#define SPITZ_BATTERY_VOLT      0xd0    /* About 4.0V */
 +#define SPITZ_CHARGEON_ACIN     0x80    /* About 5.0V */
  static void spitz_adc_temp_on(void *opaque, int line, int level)
  {
@@ -XXX,XX +XXX,XX @@ static void spitz_microdrive_attach(PXA2xxState *cpu, int slot)
  /* Wm8750 and Max7310 on I2C */
 -#define AKITA_MAX_ADDR    0x18
 -#define SPITZ_WM_ADDRL    0x1b
 -#define SPITZ_WM_ADDRH    0x1a
 +#define AKITA_MAX_ADDR  0x18
 +#define SPITZ_WM_ADDRL  0x1b
 +#define SPITZ_WM_ADDRH  0x1a
 -#define SPITZ_GPIO_WM    5
 +#define SPITZ_GPIO_WM   5
  static void spitz_wm8750_addr(void *opaque, int line, int level)
  {
@@ -XXX,XX +XXX,XX @@ static void spitz_out_switch(void *opaque, int line, int level)
      }
  }
--static uint64_t
+-#define SPITZ_SCP_LED_GREEN        1
--lqspi_read(void *opaque, hwaddr addr, unsigned int size)
+-#define SPITZ_SCP_JK_B            2
-+static MemTxResult lqspi_read(void *opaque, hwaddr addr, uint64_t *value,
+-#define SPITZ_SCP_CHRG_ON        3
-+                              unsigned size, MemTxAttrs attrs)
+-#define SPITZ_SCP_MUTE_L        4
- {
+-#define SPITZ_SCP_MUTE_R        5
--    XilinxQSPIPS *q = opaque;
+-#define SPITZ_SCP_CF_POWER        6
--    uint32_t ret;
+-#define SPITZ_SCP_LED_ORANGE        7
-+    XilinxQSPIPS *q = XILINX_QSPIPS(opaque);
+-#define SPITZ_SCP_JK_A            8
+-#define SPITZ_SCP_ADC_TEMP_ON        9
-     if (addr >= q->lqspi_cached_addr &&
+-#define SPITZ_SCP2_IR_ON        1
-             addr <= q->lqspi_cached_addr + LQSPI_CACHE_SIZE - 4) {
+-#define SPITZ_SCP2_AKIN_PULLUP        2
-         uint8_t *retp = &q->lqspi_buf[addr - q->lqspi_cached_addr];
+-#define SPITZ_SCP2_BACKLIGHT_CONT    7
--        ret = cpu_to_le32(*(uint32_t *)retp);
+-#define SPITZ_SCP2_BACKLIGHT_ON        8
--        DB_PRINT_L(1, "addr: %08x, data: %08x\n", (unsigned)addr,
+-#define SPITZ_SCP2_MIC_BIAS        9
--                   (unsigned)ret);
++#define SPITZ_SCP_LED_GREEN             1
--        return ret;
++#define SPITZ_SCP_JK_B                  2
--    } else {
++#define SPITZ_SCP_CHRG_ON               3
--        lqspi_load_cache(opaque, addr);
++#define SPITZ_SCP_MUTE_L                4
--        return lqspi_read(opaque, addr, size);
++#define SPITZ_SCP_MUTE_R                5
-+        *value = cpu_to_le32(*(uint32_t *)retp);
++#define SPITZ_SCP_CF_POWER              6
-+        DB_PRINT_L(1, "addr: %08" HWADDR_PRIx ", data: %08" PRIx64 "\n",
++#define SPITZ_SCP_LED_ORANGE            7
-+                   addr, *value);
++#define SPITZ_SCP_JK_A                  8
-+        return MEMTX_OK;
++#define SPITZ_SCP_ADC_TEMP_ON           9
-     }
++#define SPITZ_SCP2_IR_ON                1
-+
++#define SPITZ_SCP2_AKIN_PULLUP          2
-+    lqspi_load_cache(opaque, addr);
++#define SPITZ_SCP2_BACKLIGHT_CONT       7
-+    return lqspi_read(opaque, addr, value, size, attrs);
++#define SPITZ_SCP2_BACKLIGHT_ON                 8
 +#define SPITZ_SCP2_MIC_BIAS             9
  static void spitz_scoop_gpio_setup(PXA2xxState *cpu,
                  DeviceState *scp0, DeviceState *scp1)
@@ -XXX,XX +XXX,XX @@ static void spitz_scoop_gpio_setup(PXA2xxState *cpu,
      qdev_connect_gpio_out(scp0, SPITZ_SCP_ADC_TEMP_ON, outsignals[6]);
  }
- static const MemoryRegionOps lqspi_ops = {
+-#define SPITZ_GPIO_HSYNC        22
--    .read = lqspi_read,
+-#define SPITZ_GPIO_SD_DETECT        9
-+    .read_with_attrs = lqspi_read,
+-#define SPITZ_GPIO_SD_WP        81
-     .endianness = DEVICE_NATIVE_ENDIAN,
+-#define SPITZ_GPIO_ON_RESET        89
-     .valid = {
+-#define SPITZ_GPIO_BAT_COVER        90
-         .min_access_size = 1,
+-#define SPITZ_GPIO_CF1_IRQ        105
 -#define SPITZ_GPIO_CF1_CD        94
 -#define SPITZ_GPIO_CF2_IRQ        106
 -#define SPITZ_GPIO_CF2_CD        93
 +#define SPITZ_GPIO_HSYNC                22
 +#define SPITZ_GPIO_SD_DETECT            9
 +#define SPITZ_GPIO_SD_WP                81
 +#define SPITZ_GPIO_ON_RESET             89
 +#define SPITZ_GPIO_BAT_COVER            90
 +#define SPITZ_GPIO_CF1_IRQ              105
 +#define SPITZ_GPIO_CF1_CD               94
 +#define SPITZ_GPIO_CF2_IRQ              106
 +#define SPITZ_GPIO_CF2_CD               93
  static int spitz_hsync;
@@ -XXX,XX +XXX,XX @@ static void spitz_gpio_setup(PXA2xxState *cpu, int slots)
  /* Board init.  */
  enum spitz_model_e { spitz, akita, borzoi, terrier };
 -#define SPITZ_RAM    0x04000000
 -#define SPITZ_ROM    0x00800000
 +#define SPITZ_RAM       0x04000000
 +#define SPITZ_ROM       0x00800000
  static struct arm_boot_info spitz_binfo = {
      .loader_start = PXA2XX_SDRAM_BASE,
 --
 .20.1

-New patch
+[PULL 18/34] hw/arm/spitz: Create SpitzMachineClass abstract base class
+For the four Spitz-family machines (akita, borzoi, spitz, terrier)
 create a proper abstract class SpitzMachineClass which encapsulates
 the common behaviour, rather than having them all derive directly
 from TYPE_MACHINE:
  * instead of each machine class setting mc->init to a wrapper
    function which calls spitz_common_init() with parameters,
    put that data in the SpitzMachineClass and make spitz_common_init
    the SpitzMachineClass machine-init function
  * move the settings of mc->block_default_type and
    mc->ignore_memory_transaction_failures into the SpitzMachineClass
    class init rather than repeating them in each machine's class init
 (The motivation is that we're going to want to keep some state in
 the SpitzMachineState so we can connect GPIOs between devices created
 in one sub-function of the machine init to devices created in a
 different sub-function.)
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Message-id: 20200628142429.17111-3-peter.maydell@linaro.org
 ---
  hw/arm/spitz.c | 91 ++++++++++++++++++++++++++++++--------------------
 file changed, 55 insertions(+), 36 deletions(-)
 diff --git a/hw/arm/spitz.c b/hw/arm/spitz.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/spitz.c
 +++ b/hw/arm/spitz.c
@@ -XXX,XX +XXX,XX @@
  #include "exec/address-spaces.h"
  #include "cpu.h"
 +enum spitz_model_e { spitz, akita, borzoi, terrier };
 +
 +typedef struct {
 +    MachineClass parent;
 +    enum spitz_model_e model;
 +    int arm_id;
 +} SpitzMachineClass;
 +
 +typedef struct {
 +    MachineState parent;
 +} SpitzMachineState;
 +
 +#define TYPE_SPITZ_MACHINE "spitz-common"
 +#define SPITZ_MACHINE(obj) \
 +    OBJECT_CHECK(SpitzMachineState, obj, TYPE_SPITZ_MACHINE)
 +#define SPITZ_MACHINE_GET_CLASS(obj) \
 +    OBJECT_GET_CLASS(SpitzMachineClass, obj, TYPE_SPITZ_MACHINE)
 +#define SPITZ_MACHINE_CLASS(klass) \
 +    OBJECT_CLASS_CHECK(SpitzMachineClass, klass, TYPE_SPITZ_MACHINE)
 +
  #undef REG_FMT
  #define REG_FMT                         "0x%02lx"
@@ -XXX,XX +XXX,XX @@ static void spitz_gpio_setup(PXA2xxState *cpu, int slots)
  }
  /* Board init.  */
 -enum spitz_model_e { spitz, akita, borzoi, terrier };
 -
  #define SPITZ_RAM       0x04000000
  #define SPITZ_ROM       0x00800000
@@ -XXX,XX +XXX,XX @@ static struct arm_boot_info spitz_binfo = {
      .ram_size = 0x04000000,
  };
 -static void spitz_common_init(MachineState *machine,
 -                              enum spitz_model_e model, int arm_id)
 +static void spitz_common_init(MachineState *machine)
  {
 +    SpitzMachineClass *smc = SPITZ_MACHINE_GET_CLASS(machine);
 +    enum spitz_model_e model = smc->model;
      PXA2xxState *mpu;
      DeviceState *scp0, *scp1 = NULL;
      MemoryRegion *address_space_mem = get_system_memory();
@@ -XXX,XX +XXX,XX @@ static void spitz_common_init(MachineState *machine,
          /* A 4.0 GB microdrive is permanently sitting in CF slot 0.  */
          spitz_microdrive_attach(mpu, 0);
 -    spitz_binfo.board_id = arm_id;
 +    spitz_binfo.board_id = smc->arm_id;
      arm_load_kernel(mpu->cpu, machine, &spitz_binfo);
      sl_bootparam_write(SL_PXA_PARAM_BASE);
  }
 -static void spitz_init(MachineState *machine)
 +static void spitz_common_class_init(ObjectClass *oc, void *data)
  {
 -    spitz_common_init(machine, spitz, 0x2c9);
 +    MachineClass *mc = MACHINE_CLASS(oc);
 +
 +    mc->block_default_type = IF_IDE;
 +    mc->ignore_memory_transaction_failures = true;
 +    mc->init = spitz_common_init;
  }
 -static void borzoi_init(MachineState *machine)
 -{
 -    spitz_common_init(machine, borzoi, 0x33f);
 -}
 -
 -static void akita_init(MachineState *machine)
 -{
 -    spitz_common_init(machine, akita, 0x2e8);
 -}
 -
 -static void terrier_init(MachineState *machine)
 -{
 -    spitz_common_init(machine, terrier, 0x33f);
 -}
 +static const TypeInfo spitz_common_info = {
 +    .name = TYPE_SPITZ_MACHINE,
 +    .parent = TYPE_MACHINE,
 +    .abstract = true,
 +    .instance_size = sizeof(SpitzMachineState),
 +    .class_size = sizeof(SpitzMachineClass),
 +    .class_init = spitz_common_class_init,
 +};
  static void akitapda_class_init(ObjectClass *oc, void *data)
  {
      MachineClass *mc = MACHINE_CLASS(oc);
 +    SpitzMachineClass *smc = SPITZ_MACHINE_CLASS(oc);
      mc->desc = "Sharp SL-C1000 (Akita) PDA (PXA270)";
 -    mc->init = akita_init;
 -    mc->ignore_memory_transaction_failures = true;
      mc->default_cpu_type = ARM_CPU_TYPE_NAME("pxa270-c0");
 +    smc->model = akita;
 +    smc->arm_id = 0x2e8;
  }
  static const TypeInfo akitapda_type = {
      .name = MACHINE_TYPE_NAME("akita"),
 -    .parent = TYPE_MACHINE,
 +    .parent = TYPE_SPITZ_MACHINE,
      .class_init = akitapda_class_init,
  };
  static void spitzpda_class_init(ObjectClass *oc, void *data)
  {
      MachineClass *mc = MACHINE_CLASS(oc);
 +    SpitzMachineClass *smc = SPITZ_MACHINE_CLASS(oc);
      mc->desc = "Sharp SL-C3000 (Spitz) PDA (PXA270)";
 -    mc->init = spitz_init;
 -    mc->block_default_type = IF_IDE;
 -    mc->ignore_memory_transaction_failures = true;
      mc->default_cpu_type = ARM_CPU_TYPE_NAME("pxa270-c0");
 +    smc->model = spitz;
 +    smc->arm_id = 0x2c9;
  }
  static const TypeInfo spitzpda_type = {
      .name = MACHINE_TYPE_NAME("spitz"),
 -    .parent = TYPE_MACHINE,
 +    .parent = TYPE_SPITZ_MACHINE,
      .class_init = spitzpda_class_init,
  };
  static void borzoipda_class_init(ObjectClass *oc, void *data)
  {
      MachineClass *mc = MACHINE_CLASS(oc);
 +    SpitzMachineClass *smc = SPITZ_MACHINE_CLASS(oc);
      mc->desc = "Sharp SL-C3100 (Borzoi) PDA (PXA270)";
 -    mc->init = borzoi_init;
 -    mc->block_default_type = IF_IDE;
 -    mc->ignore_memory_transaction_failures = true;
      mc->default_cpu_type = ARM_CPU_TYPE_NAME("pxa270-c0");
 +    smc->model = borzoi;
 +    smc->arm_id = 0x33f;
  }
  static const TypeInfo borzoipda_type = {
      .name = MACHINE_TYPE_NAME("borzoi"),
 -    .parent = TYPE_MACHINE,
 +    .parent = TYPE_SPITZ_MACHINE,
      .class_init = borzoipda_class_init,
  };
  static void terrierpda_class_init(ObjectClass *oc, void *data)
  {
      MachineClass *mc = MACHINE_CLASS(oc);
 +    SpitzMachineClass *smc = SPITZ_MACHINE_CLASS(oc);
      mc->desc = "Sharp SL-C3200 (Terrier) PDA (PXA270)";
 -    mc->init = terrier_init;
 -    mc->block_default_type = IF_IDE;
 -    mc->ignore_memory_transaction_failures = true;
      mc->default_cpu_type = ARM_CPU_TYPE_NAME("pxa270-c5");
 +    smc->model = terrier;
 +    smc->arm_id = 0x33f;
  }
  static const TypeInfo terrierpda_type = {
      .name = MACHINE_TYPE_NAME("terrier"),
 -    .parent = TYPE_MACHINE,
 +    .parent = TYPE_SPITZ_MACHINE,
      .class_init = terrierpda_class_init,
  };
  static void spitz_machine_init(void)
  {
 +    type_register_static(&spitz_common_info);
      type_register_static(&akitapda_type);
      type_register_static(&spitzpda_type);
      type_register_static(&borzoipda_type);
 --
 .20.1

-New patch
+[PULL 19/34] hw/arm/spitz: Keep pointers to MPU and SSI devices in SpitzMachineState
+Keep pointers to the MPU and the SSI devices in SpitzMachineState.
+We're going to want to make GPIO connections between some of the
+SSI devices and the SCPs, so we want to keep hold of a pointer to
+those; putting the MPU into the struct allows us to pass just
+one thing to spitz_ssp_attach() rather than two.
+We have to retain the setting of the global "max1111" variable
+for the moment as it is used in spitz_adc_temp_on(); later in
+this series of commits we will be able to remove it.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Message-id: 20200628142429.17111-4-peter.maydell@linaro.org
+---
+ hw/arm/spitz.c | 50 ++++++++++++++++++++++++++++----------------------
+file changed, 28 insertions(+), 22 deletions(-)
+diff --git a/hw/arm/spitz.c b/hw/arm/spitz.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/spitz.c
++++ b/hw/arm/spitz.c
+@@ -XXX,XX +XXX,XX @@ typedef struct {
+ typedef struct {
+     MachineState parent;
++    PXA2xxState *mpu;
++    DeviceState *mux;
++    DeviceState *lcdtg;
++    DeviceState *ads7846;
++    DeviceState *max1111;
+ } SpitzMachineState;
+ #define TYPE_SPITZ_MACHINE "spitz-common"
+@@ -XXX,XX +XXX,XX @@ static void corgi_ssp_realize(SSISlave *d, Error **errp)
+     s->bus[2] = ssi_create_bus(dev, "ssi2");
+ }
+-static void spitz_ssp_attach(PXA2xxState *cpu)
++static void spitz_ssp_attach(SpitzMachineState *sms)
+ {
+-    DeviceState *mux;
+-    DeviceState *dev;
+     void *bus;
+-    mux = ssi_create_slave(cpu->ssp[CORGI_SSP_PORT - 1], "corgi-ssp");
++    sms->mux = ssi_create_slave(sms->mpu->ssp[CORGI_SSP_PORT - 1], "corgi-ssp");
+-    bus = qdev_get_child_bus(mux, "ssi0");
+-    ssi_create_slave(bus, "spitz-lcdtg");
++    bus = qdev_get_child_bus(sms->mux, "ssi0");
++    sms->lcdtg = ssi_create_slave(bus, "spitz-lcdtg");
+-    bus = qdev_get_child_bus(mux, "ssi1");
+-    dev = ssi_create_slave(bus, "ads7846");
+-    qdev_connect_gpio_out(dev, 0,
+-                          qdev_get_gpio_in(cpu->gpio, SPITZ_GPIO_TP_INT));
++    bus = qdev_get_child_bus(sms->mux, "ssi1");
++    sms->ads7846 = ssi_create_slave(bus, "ads7846");
++    qdev_connect_gpio_out(sms->ads7846, 0,
++                          qdev_get_gpio_in(sms->mpu->gpio, SPITZ_GPIO_TP_INT));
+-    bus = qdev_get_child_bus(mux, "ssi2");
+-    max1111 = ssi_create_slave(bus, "max1111");
+-    max111x_set_input(max1111, MAX1111_BATT_VOLT, SPITZ_BATTERY_VOLT);
+-    max111x_set_input(max1111, MAX1111_BATT_TEMP, 0);
+-    max111x_set_input(max1111, MAX1111_ACIN_VOLT, SPITZ_CHARGEON_ACIN);
++    bus = qdev_get_child_bus(sms->mux, "ssi2");
++    sms->max1111 = ssi_create_slave(bus, "max1111");
++    max1111 = sms->max1111;
++    max111x_set_input(sms->max1111, MAX1111_BATT_VOLT, SPITZ_BATTERY_VOLT);
++    max111x_set_input(sms->max1111, MAX1111_BATT_TEMP, 0);
++    max111x_set_input(sms->max1111, MAX1111_ACIN_VOLT, SPITZ_CHARGEON_ACIN);
+-    qdev_connect_gpio_out(cpu->gpio, SPITZ_GPIO_LCDCON_CS,
+-                        qdev_get_gpio_in(mux, 0));
+-    qdev_connect_gpio_out(cpu->gpio, SPITZ_GPIO_ADS7846_CS,
+-                        qdev_get_gpio_in(mux, 1));
+-    qdev_connect_gpio_out(cpu->gpio, SPITZ_GPIO_MAX1111_CS,
+-                        qdev_get_gpio_in(mux, 2));
++    qdev_connect_gpio_out(sms->mpu->gpio, SPITZ_GPIO_LCDCON_CS,
++                        qdev_get_gpio_in(sms->mux, 0));
++    qdev_connect_gpio_out(sms->mpu->gpio, SPITZ_GPIO_ADS7846_CS,
++                        qdev_get_gpio_in(sms->mux, 1));
++    qdev_connect_gpio_out(sms->mpu->gpio, SPITZ_GPIO_MAX1111_CS,
++                        qdev_get_gpio_in(sms->mux, 2));
+ }
+ /* CF Microdrive */
+@@ -XXX,XX +XXX,XX @@ static struct arm_boot_info spitz_binfo = {
+ static void spitz_common_init(MachineState *machine)
+ {
+     SpitzMachineClass *smc = SPITZ_MACHINE_GET_CLASS(machine);
++    SpitzMachineState *sms = SPITZ_MACHINE(machine);
+     enum spitz_model_e model = smc->model;
+     PXA2xxState *mpu;
+     DeviceState *scp0, *scp1 = NULL;
+@@ -XXX,XX +XXX,XX @@ static void spitz_common_init(MachineState *machine)
+     /* Setup CPU & memory */
+     mpu = pxa270_init(address_space_mem, spitz_binfo.ram_size,
+                       machine->cpu_type);
++    sms->mpu = mpu;
+     sl_flash_register(mpu, (model == spitz) ? FLASH_128M : FLASH_1024M);
+@@ -XXX,XX +XXX,XX @@ static void spitz_common_init(MachineState *machine)
+     /* Setup peripherals */
+     spitz_keyboard_register(mpu);
+-    spitz_ssp_attach(mpu);
++    spitz_ssp_attach(sms);
+     scp0 = sysbus_create_simple("scoop", 0x10800000, NULL);
+     if (model != akita) {
+--
+.20.1

-New patch
+[PULL 20/34] hw/arm/spitz: Keep pointers to scp0, scp1 in SpitzMachineState
+Keep pointers to scp0, scp1 in SpitzMachineState, and just pass
+that to spitz_scoop_gpio_setup().
+(We'll want to use some of the other fields in SpitzMachineState
+in that function in the next commit.)
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Message-id: 20200628142429.17111-5-peter.maydell@linaro.org
+---
+ hw/arm/spitz.c | 34 +++++++++++++++++++---------------
+file changed, 19 insertions(+), 15 deletions(-)
+diff --git a/hw/arm/spitz.c b/hw/arm/spitz.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/spitz.c
++++ b/hw/arm/spitz.c
+@@ -XXX,XX +XXX,XX @@ typedef struct {
+     DeviceState *lcdtg;
+     DeviceState *ads7846;
+     DeviceState *max1111;
++    DeviceState *scp0;
++    DeviceState *scp1;
+ } SpitzMachineState;
+ #define TYPE_SPITZ_MACHINE "spitz-common"
+@@ -XXX,XX +XXX,XX @@ static void spitz_out_switch(void *opaque, int line, int level)
+ #define SPITZ_SCP2_BACKLIGHT_ON                 8
+ #define SPITZ_SCP2_MIC_BIAS             9
+-static void spitz_scoop_gpio_setup(PXA2xxState *cpu,
+-                DeviceState *scp0, DeviceState *scp1)
++static void spitz_scoop_gpio_setup(SpitzMachineState *sms)
+ {
+-    qemu_irq *outsignals = qemu_allocate_irqs(spitz_out_switch, cpu, 8);
++    qemu_irq *outsignals = qemu_allocate_irqs(spitz_out_switch, sms->mpu, 8);
+-    qdev_connect_gpio_out(scp0, SPITZ_SCP_CHRG_ON, outsignals[0]);
+-    qdev_connect_gpio_out(scp0, SPITZ_SCP_JK_B, outsignals[1]);
+-    qdev_connect_gpio_out(scp0, SPITZ_SCP_LED_GREEN, outsignals[2]);
+-    qdev_connect_gpio_out(scp0, SPITZ_SCP_LED_ORANGE, outsignals[3]);
++    qdev_connect_gpio_out(sms->scp0, SPITZ_SCP_CHRG_ON, outsignals[0]);
++    qdev_connect_gpio_out(sms->scp0, SPITZ_SCP_JK_B, outsignals[1]);
++    qdev_connect_gpio_out(sms->scp0, SPITZ_SCP_LED_GREEN, outsignals[2]);
++    qdev_connect_gpio_out(sms->scp0, SPITZ_SCP_LED_ORANGE, outsignals[3]);
+-    if (scp1) {
+-        qdev_connect_gpio_out(scp1, SPITZ_SCP2_BACKLIGHT_CONT, outsignals[4]);
+-        qdev_connect_gpio_out(scp1, SPITZ_SCP2_BACKLIGHT_ON, outsignals[5]);
++    if (sms->scp1) {
++        qdev_connect_gpio_out(sms->scp1, SPITZ_SCP2_BACKLIGHT_CONT,
++                              outsignals[4]);
++        qdev_connect_gpio_out(sms->scp1, SPITZ_SCP2_BACKLIGHT_ON,
++                              outsignals[5]);
+     }
+-    qdev_connect_gpio_out(scp0, SPITZ_SCP_ADC_TEMP_ON, outsignals[6]);
++    qdev_connect_gpio_out(sms->scp0, SPITZ_SCP_ADC_TEMP_ON, outsignals[6]);
+ }
+ #define SPITZ_GPIO_HSYNC                22
+@@ -XXX,XX +XXX,XX @@ static void spitz_common_init(MachineState *machine)
+     SpitzMachineState *sms = SPITZ_MACHINE(machine);
+     enum spitz_model_e model = smc->model;
+     PXA2xxState *mpu;
+-    DeviceState *scp0, *scp1 = NULL;
+     MemoryRegion *address_space_mem = get_system_memory();
+     MemoryRegion *rom = g_new(MemoryRegion, 1);
+@@ -XXX,XX +XXX,XX @@ static void spitz_common_init(MachineState *machine)
+     spitz_ssp_attach(sms);
+-    scp0 = sysbus_create_simple("scoop", 0x10800000, NULL);
++    sms->scp0 = sysbus_create_simple("scoop", 0x10800000, NULL);
+     if (model != akita) {
+-        scp1 = sysbus_create_simple("scoop", 0x08800040, NULL);
++        sms->scp1 = sysbus_create_simple("scoop", 0x08800040, NULL);
++    } else {
++        sms->scp1 = NULL;
+     }
+-    spitz_scoop_gpio_setup(mpu, scp0, scp1);
++    spitz_scoop_gpio_setup(sms);
+     spitz_gpio_setup(mpu, (model == akita) ? 1 : 2);
+--
+.20.1

-New patch
+[PULL 21/34] hw/arm/spitz: Implement inbound GPIO lines for bit5 and power signals
+Currently the Spitz board uses a nasty hack for the GPIO lines
+that pass "bit5" and "power" information to the LCD controller:
+the lcdtg realize function sets a global variable to point to
+the instance it just realized, and then the functions spitz_bl_power()
+and spitz_bl_bit5() use that to find the device they are changing
+the internal state of. There is a comment reading:
+ FIXME: Implement GPIO properly and remove this hack.
+which was added in 2009.
+Implement GPIO properly and remove this hack.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Message-id: 20200628142429.17111-6-peter.maydell@linaro.org
+---
+ hw/arm/spitz.c | 28 ++++++++++++----------------
+file changed, 12 insertions(+), 16 deletions(-)
+diff --git a/hw/arm/spitz.c b/hw/arm/spitz.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/spitz.c
++++ b/hw/arm/spitz.c
+@@ -XXX,XX +XXX,XX @@ static void spitz_bl_update(SpitzLCDTG *s)
+         zaurus_printf("LCD Backlight now off\n");
+ }
+-/* FIXME: Implement GPIO properly and remove this hack.  */
+-static SpitzLCDTG *spitz_lcdtg;
+-
+ static inline void spitz_bl_bit5(void *opaque, int line, int level)
+ {
+-    SpitzLCDTG *s = spitz_lcdtg;
++    SpitzLCDTG *s = opaque;
+     int prev = s->bl_intensity;
+     if (level)
+@@ -XXX,XX +XXX,XX @@ static inline void spitz_bl_bit5(void *opaque, int line, int level)
+ static inline void spitz_bl_power(void *opaque, int line, int level)
+ {
+-    SpitzLCDTG *s = spitz_lcdtg;
++    SpitzLCDTG *s = opaque;
+     s->bl_power = !!level;
+     spitz_bl_update(s);
+ }
+@@ -XXX,XX +XXX,XX @@ static uint32_t spitz_lcdtg_transfer(SSISlave *dev, uint32_t value)
+     return 0;
+ }
+-static void spitz_lcdtg_realize(SSISlave *dev, Error **errp)
++static void spitz_lcdtg_realize(SSISlave *ssi, Error **errp)
+ {
+-    SpitzLCDTG *s = FROM_SSI_SLAVE(SpitzLCDTG, dev);
++    SpitzLCDTG *s = FROM_SSI_SLAVE(SpitzLCDTG, ssi);
++    DeviceState *dev = DEVICE(s);
+-    spitz_lcdtg = s;
+     s->bl_power = 0;
+     s->bl_intensity = 0x20;
++
++    qdev_init_gpio_in_named(dev, spitz_bl_bit5, "bl_bit5", 1);
++    qdev_init_gpio_in_named(dev, spitz_bl_power, "bl_power", 1);
+ }
+ /* SSP devices */
+@@ -XXX,XX +XXX,XX @@ static void spitz_out_switch(void *opaque, int line, int level)
+     case 3:
+         zaurus_printf("Orange LED %s.\n", level ? "on" : "off");
+         break;
+-    case 4:
+-        spitz_bl_bit5(opaque, line, level);
+-        break;
+-    case 5:
+-        spitz_bl_power(opaque, line, level);
+-        break;
+     case 6:
+         spitz_adc_temp_on(opaque, line, level);
+         break;
++    default:
++        g_assert_not_reached();
+     }
+ }
+@@ -XXX,XX +XXX,XX @@ static void spitz_scoop_gpio_setup(SpitzMachineState *sms)
+     if (sms->scp1) {
+         qdev_connect_gpio_out(sms->scp1, SPITZ_SCP2_BACKLIGHT_CONT,
+-                              outsignals[4]);
++                              qdev_get_gpio_in_named(sms->lcdtg, "bl_bit5", 0));
+         qdev_connect_gpio_out(sms->scp1, SPITZ_SCP2_BACKLIGHT_ON,
+-                              outsignals[5]);
++                              qdev_get_gpio_in_named(sms->lcdtg, "bl_power", 0));
+     }
+     qdev_connect_gpio_out(sms->scp0, SPITZ_SCP_ADC_TEMP_ON, outsignals[6]);
+--
+.20.1

-[Qemu-devel] [PULL 08/10] pl031: Correctly migrate state when using -rtc clock=host
+[PULL 22/34] hw/misc/max111x: provide QOM properties for setting initial values
-The PL031 RTC tracks the difference between the guest RTC
+Add some QOM properties to the max111x ADC device to allow the
-and the host RTC using a tick_offset field. For migration,
+initial values to be configured. Currently this is done by
-however, we currently always migrate the offset between
+board code calling max111x_set_input() after it creates the
-the guest and the vm_clock, even if the RTC clock is not
+device, which doesn't work on system reset.
 the same as the vm_clock; this was an attempt to retain
 migration backwards compatibility.
-Unfortunately this results in the RTC behaving oddly across
+This requires us to implement a reset method for this device,
-a VM state save and restore -- since the VM clock stands still
+so while we're doing that make sure we reset the other parts
-across save-then-restore, regardless of how much real world
+of the device state.
 time has elapsed, the guest RTC ends up out of sync with the
 host RTC in the restored VM.
-Fix this by migrating the raw tick_offset. To retain migration
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-compatibility as far as possible, we have a new property
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-migrate-tick-offset; by default this is 'true' and we will
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
-migrate the true tick offset in a new subsection; if the
+Message-id: 20200628142429.17111-7-peter.maydell@linaro.org
-incoming data has no subsection we fall back to the old
+---
-vm_clock-based offset information, so old->new migration
+ hw/misc/max111x.c | 57 ++++++++++++++++++++++++++++++++++++++---------
-compatibility is preserved. For complete new->old migration
+file changed, 47 insertions(+), 10 deletions(-)
 compatibility, the property is set to 'false' for 4.0 and
 earlier machine types (this will only affect 'virt-4.0'
 and below, as none of the other pl031-using machines are
 versioned).
-Reported-by: Russell King <rmk@armlinux.org.uk>
+diff --git a/hw/misc/max111x.c b/hw/misc/max111x.c
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
 Message-id: 20190709143912.28905-1-peter.maydell@linaro.org
 ---
  include/hw/timer/pl031.h |  2 +
  hw/core/machine.c        |  1 +
  hw/timer/pl031.c         | 92 ++++++++++++++++++++++++++++++++++++++--
 files changed, 91 insertions(+), 4 deletions(-)
 diff --git a/include/hw/timer/pl031.h b/include/hw/timer/pl031.h
 index XXXXXXX..XXXXXXX 100644
---- a/include/hw/timer/pl031.h
+--- a/hw/misc/max111x.c
-+++ b/include/hw/timer/pl031.h
++++ b/hw/misc/max111x.c
-@@ -XXX,XX +XXX,XX @@ typedef struct PL031State {
+@@ -XXX,XX +XXX,XX @@
-      */
+ #include "hw/ssi/ssi.h"
-     uint32_t tick_offset_vmstate;
+ #include "migration/vmstate.h"
-     uint32_t tick_offset;
+ #include "qemu/module.h"
-+    bool tick_offset_migrated;
++#include "hw/qdev-properties.h"
-+    bool migrate_tick_offset;
+ typedef struct {
-     uint32_t mr;
+     SSISlave parent_obj;
-     uint32_t lr;
-diff --git a/hw/core/machine.c b/hw/core/machine.c
+     qemu_irq interrupt;
-index XXXXXXX..XXXXXXX 100644
++    /* Values of inputs at system reset (settable by QOM property) */
---- a/hw/core/machine.c
++    uint8_t reset_input[8];
-+++ b/hw/core/machine.c
++
-@@ -XXX,XX +XXX,XX @@ GlobalProperty hw_compat_4_0[] = {
+     uint8_t tb1, rb2, rb3;
-     { "virtio-gpu-pci", "edid", "false" },
+     int cycle;
-     { "virtio-device", "use-started", "false" },
-     { "virtio-balloon-device", "qemu-4-0-config-size", "true" },
+@@ -XXX,XX +XXX,XX @@ static int max111x_init(SSISlave *d, int inputs)
-+    { "pl031", "migrate-tick-offset", "false" },
+     qdev_init_gpio_out(dev, &s->interrupt, 1);
- };
- const size_t hw_compat_4_0_len = G_N_ELEMENTS(hw_compat_4_0);
+     s->inputs = inputs;
+-    /* TODO: add a user interface for setting these */
-diff --git a/hw/timer/pl031.c b/hw/timer/pl031.c
+-    s->input[0] = 0xf0;
-index XXXXXXX..XXXXXXX 100644
+-    s->input[1] = 0xe0;
---- a/hw/timer/pl031.c
+-    s->input[2] = 0xd0;
-+++ b/hw/timer/pl031.c
+-    s->input[3] = 0xc0;
-@@ -XXX,XX +XXX,XX @@ static int pl031_pre_save(void *opaque)
+-    s->input[4] = 0xb0;
- {
+-    s->input[5] = 0xa0;
-     PL031State *s = opaque;
+-    s->input[6] = 0x90;
+-    s->input[7] = 0x80;
--    /* tick_offset is base_time - rtc_clock base time.  Instead, we want to
+-    s->com = 0;
--     * store the base time relative to the QEMU_CLOCK_VIRTUAL for backwards-compatibility.  */
-+    /*
+     vmstate_register(VMSTATE_IF(dev), VMSTATE_INSTANCE_ID_ANY,
-+     * The PL031 device model code uses the tick_offset field, which is
+                      &vmstate_max111x, s);
-+     * the offset between what the guest RTC should read and what the
+@@ -XXX,XX +XXX,XX @@ void max111x_set_input(DeviceState *dev, int line, uint8_t value)
-+     * QEMU rtc_clock reads:
+     s->input[line] = value;
 +     *  guest_rtc = rtc_clock + tick_offset
 +     * and so
 +     *  tick_offset = guest_rtc - rtc_clock
 +     *
 +     * We want to migrate this offset, which sounds straightforward.
 +     * Unfortunately older versions of QEMU migrated a conversion of this
 +     * offset into an offset from the vm_clock. (This was in turn an
 +     * attempt to be compatible with even older QEMU versions, but it
 +     * has incorrect behaviour if the rtc_clock is not the same as the
 +     * vm_clock.) So we put the actual tick_offset into a migration
 +     * subsection, and the backwards-compatible time-relative-to-vm_clock
 +     * in the main migration state.
 +     *
 +     * Calculate base time relative to QEMU_CLOCK_VIRTUAL:
 +     */
      int64_t delta = qemu_clock_get_ns(rtc_clock) - qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
      s->tick_offset_vmstate = s->tick_offset + delta / NANOSECONDS_PER_SECOND;
      return 0;
  }
-+static int pl031_pre_load(void *opaque)
++static void max111x_reset(DeviceState *dev)
 +{
-+    PL031State *s = opaque;
++    MAX111xState *s = MAX_111X(dev);
 +    int i;
 +
-+    s->tick_offset_migrated = false;
++    for (i = 0; i < s->inputs; i++) {
-+    return 0;
++        s->input[i] = s->reset_input[i];
 +    }
 +    s->com = 0;
 +    s->tb1 = 0;
 +    s->rb2 = 0;
 +    s->rb3 = 0;
 +    s->cycle = 0;
 +}
 +
- static int pl031_post_load(void *opaque, int version_id)
++static Property max1110_properties[] = {
- {
++    /* Reset values for ADC inputs */
-     PL031State *s = opaque;
++    DEFINE_PROP_UINT8("input0", MAX111xState, reset_input[0], 0xf0),
++    DEFINE_PROP_UINT8("input1", MAX111xState, reset_input[1], 0xe0),
--    int64_t delta = qemu_clock_get_ns(rtc_clock) - qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
++    DEFINE_PROP_UINT8("input2", MAX111xState, reset_input[2], 0xd0),
--    s->tick_offset = s->tick_offset_vmstate - delta / NANOSECONDS_PER_SECOND;
++    DEFINE_PROP_UINT8("input3", MAX111xState, reset_input[3], 0xc0),
-+    /*
++    DEFINE_PROP_END_OF_LIST(),
 +     * If we got the tick_offset subsection, then we can just use
 +     * the value in that. Otherwise the source is an older QEMU and
 +     * has given us the offset from the vm_clock; convert it back to
 +     * an offset from the rtc_clock. This will cause time to incorrectly
 +     * go backwards compared to the host RTC, but this is unavoidable.
 +     */
 +
 +    if (!s->tick_offset_migrated) {
 +        int64_t delta = qemu_clock_get_ns(rtc_clock) -
 +            qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
 +        s->tick_offset = s->tick_offset_vmstate -
 +            delta / NANOSECONDS_PER_SECOND;
 +    }
      pl031_set_alarm(s);
      return 0;
  }
 +static int pl031_tick_offset_post_load(void *opaque, int version_id)
 +{
 +    PL031State *s = opaque;
 +
 +    s->tick_offset_migrated = true;
 +    return 0;
 +}
 +
 +static bool pl031_tick_offset_needed(void *opaque)
 +{
 +    PL031State *s = opaque;
 +
 +    return s->migrate_tick_offset;
 +}
 +
 +static const VMStateDescription vmstate_pl031_tick_offset = {
 +    .name = "pl031/tick-offset",
 +    .version_id = 1,
 +    .minimum_version_id = 1,
 +    .needed = pl031_tick_offset_needed,
 +    .post_load = pl031_tick_offset_post_load,
 +    .fields = (VMStateField[]) {
 +        VMSTATE_UINT32(tick_offset, PL031State),
 +        VMSTATE_END_OF_LIST()
 +    }
 +};
 +
- static const VMStateDescription vmstate_pl031 = {
++static Property max1111_properties[] = {
-     .name = "pl031",
++    /* Reset values for ADC inputs */
-     .version_id = 1,
++    DEFINE_PROP_UINT8("input0", MAX111xState, reset_input[0], 0xf0),
-     .minimum_version_id = 1,
++    DEFINE_PROP_UINT8("input1", MAX111xState, reset_input[1], 0xe0),
-     .pre_save = pl031_pre_save,
++    DEFINE_PROP_UINT8("input2", MAX111xState, reset_input[2], 0xd0),
-+    .pre_load = pl031_pre_load,
++    DEFINE_PROP_UINT8("input3", MAX111xState, reset_input[3], 0xc0),
-     .post_load = pl031_post_load,
++    DEFINE_PROP_UINT8("input4", MAX111xState, reset_input[4], 0xb0),
-     .fields = (VMStateField[]) {
++    DEFINE_PROP_UINT8("input5", MAX111xState, reset_input[5], 0xa0),
-         VMSTATE_UINT32(tick_offset_vmstate, PL031State),
++    DEFINE_PROP_UINT8("input6", MAX111xState, reset_input[6], 0x90),
-@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_pl031 = {
++    DEFINE_PROP_UINT8("input7", MAX111xState, reset_input[7], 0x80),
-         VMSTATE_UINT32(im, PL031State),
++    DEFINE_PROP_END_OF_LIST(),
          VMSTATE_UINT32(is, PL031State),
          VMSTATE_END_OF_LIST()
 +    },
 +    .subsections = (const VMStateDescription*[]) {
 +        &vmstate_pl031_tick_offset,
 +        NULL
      }
  };
 +static Property pl031_properties[] = {
 +    /*
 +     * True to correctly migrate the tick offset of the RTC. False to
 +     * obtain backward migration compatibility with older QEMU versions,
 +     * at the expense of the guest RTC going backwards compared with the
 +     * host RTC when the VM is saved/restored if using -rtc host.
 +     * (Even if set to 'true' older QEMU can migrate forward to newer QEMU;
 +     * 'false' also permits newer QEMU to migrate to older QEMU.)
 +     */
 +    DEFINE_PROP_BOOL("migrate-tick-offset",
 +                     PL031State, migrate_tick_offset, true),
 +    DEFINE_PROP_END_OF_LIST()
 +};
 +
- static void pl031_class_init(ObjectClass *klass, void *data)
+ static void max111x_class_init(ObjectClass *klass, void *data)
  {
-     DeviceClass *dc = DEVICE_CLASS(klass);
+     SSISlaveClass *k = SSI_SLAVE_CLASS(klass);
++    DeviceClass *dc = DEVICE_CLASS(klass);
-     dc->vmsd = &vmstate_pl031;
-+    dc->props = pl031_properties;
+     k->transfer = max111x_transfer;
 +    dc->reset = max111x_reset;
  }
- static const TypeInfo pl031_info = {
+ static const TypeInfo max111x_info = {
@@ -XXX,XX +XXX,XX @@ static const TypeInfo max111x_info = {
  static void max1110_class_init(ObjectClass *klass, void *data)
  {
      SSISlaveClass *k = SSI_SLAVE_CLASS(klass);
 +    DeviceClass *dc = DEVICE_CLASS(klass);
      k->realize = max1110_realize;
 +    device_class_set_props(dc, max1110_properties);
  }
  static const TypeInfo max1110_info = {
@@ -XXX,XX +XXX,XX @@ static const TypeInfo max1110_info = {
  static void max1111_class_init(ObjectClass *klass, void *data)
  {
      SSISlaveClass *k = SSI_SLAVE_CLASS(klass);
 +    DeviceClass *dc = DEVICE_CLASS(klass);
      k->realize = max1111_realize;
 +    device_class_set_props(dc, max1111_properties);
  }
  static const TypeInfo max1111_info = {
 --
 .20.1

-New patch
+[PULL 23/34] hw/misc/max111x: Don't use vmstate_register()
+The max111x is a proper qdev device; we can use dc->vmsd rather than
+directly calling vmstate_register().
+It's possible that this is a migration compat break, but the only
+boards that use this device are the spitz-family ('akita', 'borzoi',
+'spitz', 'terrier').
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Message-id: 20200628142429.17111-8-peter.maydell@linaro.org
+---
+ hw/misc/max111x.c | 3 +--
+file changed, 1 insertion(+), 2 deletions(-)
+diff --git a/hw/misc/max111x.c b/hw/misc/max111x.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/misc/max111x.c
++++ b/hw/misc/max111x.c
+@@ -XXX,XX +XXX,XX @@ static int max111x_init(SSISlave *d, int inputs)
+     s->inputs = inputs;
+-    vmstate_register(VMSTATE_IF(dev), VMSTATE_INSTANCE_ID_ANY,
+-                     &vmstate_max111x, s);
+     return 0;
+ }
+@@ -XXX,XX +XXX,XX @@ static void max111x_class_init(ObjectClass *klass, void *data)
+     k->transfer = max111x_transfer;
+     dc->reset = max111x_reset;
++    dc->vmsd = &vmstate_max111x;
+ }
+ static const TypeInfo max111x_info = {
+--
+.20.1

-New patch
+[PULL 24/34] ssi: Add ssi_realize_and_unref()
+Add an ssi_realize_and_unref(), for the benefit of callers
+who want to be able to create an SSI device, set QOM properties
+on it, and then do the realize-and-unref afterwards.
+The API works on the same principle as the recently added
+qdev_realize_and_undef(), sysbus_realize_and_undef(), etc.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Message-id: 20200628142429.17111-9-peter.maydell@linaro.org
+---
+ include/hw/ssi/ssi.h | 26 ++++++++++++++++++++++++++
+ hw/ssi/ssi.c         |  7 ++++++-
+files changed, 32 insertions(+), 1 deletion(-)
+diff --git a/include/hw/ssi/ssi.h b/include/hw/ssi/ssi.h
+index XXXXXXX..XXXXXXX 100644
+--- a/include/hw/ssi/ssi.h
++++ b/include/hw/ssi/ssi.h
+@@ -XXX,XX +XXX,XX @@ extern const VMStateDescription vmstate_ssi_slave;
+ }
+ DeviceState *ssi_create_slave(SSIBus *bus, const char *name);
++/**
++ * ssi_realize_and_unref: realize and unref an SSI slave device
++ * @dev: SSI slave device to realize
++ * @bus: SSI bus to put it on
++ * @errp: error pointer
++ *
++ * Call 'realize' on @dev, put it on the specified @bus, and drop the
++ * reference to it. Errors are reported via @errp and by returning
++ * false.
++ *
++ * This function is useful if you have created @dev via qdev_new()
++ * (which takes a reference to the device it returns to you), so that
++ * you can set properties on it before realizing it. If you don't need
++ * to set properties then ssi_create_slave() is probably better (as it
++ * does the create, init and realize in one step).
++ *
++ * If you are embedding the SSI slave into another QOM device and
++ * initialized it via some variant on object_initialize_child() then
++ * do not use this function, because that family of functions arrange
++ * for the only reference to the child device to be held by the parent
++ * via the child<> property, and so the reference-count-drop done here
++ * would be incorrect.  (Instead you would want ssi_realize(), which
++ * doesn't currently exist but would be trivial to create if we had
++ * any code that wanted it.)
++ */
++bool ssi_realize_and_unref(DeviceState *dev, SSIBus *bus, Error **errp);
+ /* Master interface.  */
+ SSIBus *ssi_create_bus(DeviceState *parent, const char *name);
+diff --git a/hw/ssi/ssi.c b/hw/ssi/ssi.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/ssi/ssi.c
++++ b/hw/ssi/ssi.c
+@@ -XXX,XX +XXX,XX @@ static const TypeInfo ssi_slave_info = {
+     .abstract = true,
+ };
++bool ssi_realize_and_unref(DeviceState *dev, SSIBus *bus, Error **errp)
++{
++    return qdev_realize_and_unref(dev, &bus->parent_obj, errp);
++}
++
+ DeviceState *ssi_create_slave(SSIBus *bus, const char *name)
+ {
+     DeviceState *dev = qdev_new(name);
+-    qdev_realize_and_unref(dev, &bus->parent_obj, &error_fatal);
++    ssi_realize_and_unref(dev, bus, &error_fatal);
+     return dev;
+ }
+--
+.20.1

-New patch
+[PULL 25/34] hw/arm/spitz: Use max111x properties to set initial values
+Use the new max111x qdev properties to set the initial input
+values rather than calling max111x_set_input(); this means that
+on system reset the inputs will correctly return to their initial
+values.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Message-id: 20200628142429.17111-10-peter.maydell@linaro.org
+---
+ hw/arm/spitz.c | 11 +++++++----
+file changed, 7 insertions(+), 4 deletions(-)
+diff --git a/hw/arm/spitz.c b/hw/arm/spitz.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/spitz.c
++++ b/hw/arm/spitz.c
+@@ -XXX,XX +XXX,XX @@ static void spitz_ssp_attach(SpitzMachineState *sms)
+                           qdev_get_gpio_in(sms->mpu->gpio, SPITZ_GPIO_TP_INT));
+     bus = qdev_get_child_bus(sms->mux, "ssi2");
+-    sms->max1111 = ssi_create_slave(bus, "max1111");
++    sms->max1111 = qdev_new("max1111");
+     max1111 = sms->max1111;
+-    max111x_set_input(sms->max1111, MAX1111_BATT_VOLT, SPITZ_BATTERY_VOLT);
+-    max111x_set_input(sms->max1111, MAX1111_BATT_TEMP, 0);
+-    max111x_set_input(sms->max1111, MAX1111_ACIN_VOLT, SPITZ_CHARGEON_ACIN);
++    qdev_prop_set_uint8(sms->max1111, "input1" /* BATT_VOLT */,
++                        SPITZ_BATTERY_VOLT);
++    qdev_prop_set_uint8(sms->max1111, "input2" /* BATT_TEMP */, 0);
++    qdev_prop_set_uint8(sms->max1111, "input3" /* ACIN_VOLT */,
++                        SPITZ_CHARGEON_ACIN);
++    ssi_realize_and_unref(sms->max1111, bus, &error_fatal);
+     qdev_connect_gpio_out(sms->mpu->gpio, SPITZ_GPIO_LCDCON_CS,
+                         qdev_get_gpio_in(sms->mux, 0));
+--
+.20.1

-New patch
+[PULL 26/34] hw/misc/max111x: Use GPIO lines rather than max111x_set_input()
+The max111x ADC device model allows other code to set the level on
+the 8 ADC inputs using the max111x_set_input() function.  Replace
+this with generic qdev GPIO inputs, which also allow inputs to be set
+to arbitrary values.
+Using GPIO lines will make it easier for board code to wire things
+up, so that if device A wants to set the ADC input it doesn't need to
+have a direct pointer to the max111x but can just set that value on
+its output GPIO, which is then wired up by the board to the
+appropriate max111x input.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Message-id: 20200628142429.17111-11-peter.maydell@linaro.org
+---
+ include/hw/ssi/ssi.h |  3 ---
+ hw/arm/spitz.c       |  9 +++++----
+ hw/misc/max111x.c    | 16 +++++++++-------
+files changed, 14 insertions(+), 14 deletions(-)
+diff --git a/include/hw/ssi/ssi.h b/include/hw/ssi/ssi.h
+index XXXXXXX..XXXXXXX 100644
+--- a/include/hw/ssi/ssi.h
++++ b/include/hw/ssi/ssi.h
+@@ -XXX,XX +XXX,XX @@ SSIBus *ssi_create_bus(DeviceState *parent, const char *name);
+ uint32_t ssi_transfer(SSIBus *bus, uint32_t val);
+-/* max111x.c */
+-void max111x_set_input(DeviceState *dev, int line, uint8_t value);
+-
+ #endif
+diff --git a/hw/arm/spitz.c b/hw/arm/spitz.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/spitz.c
++++ b/hw/arm/spitz.c
+@@ -XXX,XX +XXX,XX @@ static void corgi_ssp_gpio_cs(void *opaque, int line, int level)
+ static void spitz_adc_temp_on(void *opaque, int line, int level)
+ {
++    int batt_temp;
++
+     if (!max1111)
+         return;
+-    if (level)
+-        max111x_set_input(max1111, MAX1111_BATT_TEMP, SPITZ_BATTERY_TEMP);
+-    else
+-        max111x_set_input(max1111, MAX1111_BATT_TEMP, 0);
++    batt_temp = level ? SPITZ_BATTERY_TEMP : 0;
++
++    qemu_set_irq(qdev_get_gpio_in(max1111, MAX1111_BATT_TEMP), batt_temp);
+ }
+ static void corgi_ssp_realize(SSISlave *d, Error **errp)
+diff --git a/hw/misc/max111x.c b/hw/misc/max111x.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/misc/max111x.c
++++ b/hw/misc/max111x.c
+@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_max111x = {
+     }
+ };
++static void max111x_input_set(void *opaque, int line, int value)
++{
++    MAX111xState *s = MAX_111X(opaque);
++
++    assert(line >= 0 && line < s->inputs);
++    s->input[line] = value;
++}
++
+ static int max111x_init(SSISlave *d, int inputs)
+ {
+     DeviceState *dev = DEVICE(d);
+     MAX111xState *s = MAX_111X(dev);
+     qdev_init_gpio_out(dev, &s->interrupt, 1);
++    qdev_init_gpio_in(dev, max111x_input_set, inputs);
+     s->inputs = inputs;
+@@ -XXX,XX +XXX,XX @@ static void max1111_realize(SSISlave *dev, Error **errp)
+     max111x_init(dev, 4);
+ }
+-void max111x_set_input(DeviceState *dev, int line, uint8_t value)
+-{
+-    MAX111xState *s = MAX_111X(dev);
+-    assert(line >= 0 && line < s->inputs);
+-    s->input[line] = value;
+-}
+-
+ static void max111x_reset(DeviceState *dev)
+ {
+     MAX111xState *s = MAX_111X(dev);
+--
+.20.1

-New patch
+[PULL 27/34] hw/misc/max111x: Create header file for documentation, TYPE_ macros
+Create a header file for the hw/misc/max111x device, in the
+usual modern style for QOM devices:
+ * definition of the TYPE_ constants and macros
+ * definition of the device's state struct so that it can
+   be embedded in other structs if desired
+ * documentation of the interface
+This allows us to use TYPE_MAX_1111 in the spitz.c code rather
+than the string "max1111".
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Message-id: 20200628142429.17111-12-peter.maydell@linaro.org
+---
+ include/hw/misc/max111x.h | 56 +++++++++++++++++++++++++++++++++++++++
+ hw/arm/spitz.c            |  3 ++-
+ hw/misc/max111x.c         | 24 +----------------
+ MAINTAINERS               |  1 +
+files changed, 60 insertions(+), 24 deletions(-)
+ create mode 100644 include/hw/misc/max111x.h
+diff --git a/include/hw/misc/max111x.h b/include/hw/misc/max111x.h
+new file mode 100644
+index XXXXXXX..XXXXXXX
+--- /dev/null
++++ b/include/hw/misc/max111x.h
+@@ -XXX,XX +XXX,XX @@
++/*
++ * Maxim MAX1110/1111 ADC chip emulation.
++ *
++ * Copyright (c) 2006 Openedhand Ltd.
++ * Written by Andrzej Zaborowski <balrog@zabor.org>
++ *
++ * This code is licensed under the GNU GPLv2.
++ *
++ * Contributions after 2012-01-13 are licensed under the terms of the
++ * GNU GPL, version 2 or (at your option) any later version.
++ */
++
++#ifndef HW_MISC_MAX111X_H
++#define HW_MISC_MAX111X_H
++
++#include "hw/ssi/ssi.h"
++
++/*
++ * This is a model of the Maxim MAX1110/1111 ADC chip, which for QEMU
++ * is an SSI slave device. It has either 4 (max1110) or 8 (max1111)
++ * 8-bit ADC channels.
++ *
++ * QEMU interface:
++ *  + GPIO inputs 0..3 (for max1110) or 0..7 (for max1111): set the value
++ *    of each ADC input, as an unsigned 8-bit value
++ *  + GPIO output 0: interrupt line
++ *  + Properties "input0" to "input3" (max1110) or "input0" to "input7"
++ *    (max1111): initial reset values for ADC inputs.
++ *
++ * Known bugs:
++ *  + the interrupt line is not correctly implemented, and will never
++ *    be lowered once it has been asserted.
++ */
++typedef struct {
++    SSISlave parent_obj;
++
++    qemu_irq interrupt;
++    /* Values of inputs at system reset (settable by QOM property) */
++    uint8_t reset_input[8];
++
++    uint8_t tb1, rb2, rb3;
++    int cycle;
++
++    uint8_t input[8];
++    int inputs, com;
++} MAX111xState;
++
++#define TYPE_MAX_111X "max111x"
++
++#define MAX_111X(obj) \
++    OBJECT_CHECK(MAX111xState, (obj), TYPE_MAX_111X)
++
++#define TYPE_MAX_1110 "max1110"
++#define TYPE_MAX_1111 "max1111"
++
++#endif
+diff --git a/hw/arm/spitz.c b/hw/arm/spitz.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/spitz.c
++++ b/hw/arm/spitz.c
+@@ -XXX,XX +XXX,XX @@
+ #include "audio/audio.h"
+ #include "hw/boards.h"
+ #include "hw/sysbus.h"
++#include "hw/misc/max111x.h"
+ #include "migration/vmstate.h"
+ #include "exec/address-spaces.h"
+ #include "cpu.h"
+@@ -XXX,XX +XXX,XX @@ static void spitz_ssp_attach(SpitzMachineState *sms)
+                           qdev_get_gpio_in(sms->mpu->gpio, SPITZ_GPIO_TP_INT));
+     bus = qdev_get_child_bus(sms->mux, "ssi2");
+-    sms->max1111 = qdev_new("max1111");
++    sms->max1111 = qdev_new(TYPE_MAX_1111);
+     max1111 = sms->max1111;
+     qdev_prop_set_uint8(sms->max1111, "input1" /* BATT_VOLT */,
+                         SPITZ_BATTERY_VOLT);
+diff --git a/hw/misc/max111x.c b/hw/misc/max111x.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/misc/max111x.c
++++ b/hw/misc/max111x.c
+@@ -XXX,XX +XXX,XX @@
+  */
+ #include "qemu/osdep.h"
++#include "hw/misc/max111x.h"
+ #include "hw/irq.h"
+-#include "hw/ssi/ssi.h"
+ #include "migration/vmstate.h"
+ #include "qemu/module.h"
+ #include "hw/qdev-properties.h"
+-typedef struct {
+-    SSISlave parent_obj;
+-
+-    qemu_irq interrupt;
+-    /* Values of inputs at system reset (settable by QOM property) */
+-    uint8_t reset_input[8];
+-
+-    uint8_t tb1, rb2, rb3;
+-    int cycle;
+-
+-    uint8_t input[8];
+-    int inputs, com;
+-} MAX111xState;
+-
+-#define TYPE_MAX_111X "max111x"
+-
+-#define MAX_111X(obj) \
+-    OBJECT_CHECK(MAX111xState, (obj), TYPE_MAX_111X)
+-
+-#define TYPE_MAX_1110 "max1110"
+-#define TYPE_MAX_1111 "max1111"
+-
+ /* Control-byte bitfields */
+ #define CB_PD0        (1 << 0)
+ #define CB_PD1        (1 << 1)
+diff --git a/MAINTAINERS b/MAINTAINERS
+index XXXXXXX..XXXXXXX 100644
+--- a/MAINTAINERS
++++ b/MAINTAINERS
+@@ -XXX,XX +XXX,XX @@ F: hw/gpio/max7310.c
+ F: hw/gpio/zaurus.c
+ F: hw/misc/mst_fpga.c
+ F: hw/misc/max111x.c
++F: include/hw/misc/max111x.h
+ F: include/hw/arm/pxa.h
+ F: include/hw/arm/sharpsl.h
+ F: include/hw/display/tc6393xb.h
+--
+.20.1

-New patch
+[PULL 28/34] hw/arm/spitz: Encapsulate misc GPIO handling in a device
+Currently we have a free-floating set of IRQs and a function
 spitz_out_switch() which handle some miscellaneous GPIO lines for the
 spitz board.  Encapsulate this behaviour in a simple QOM device.
 At this point we can finally remove the 'max1111' global, because the
 ADC battery-temperature value is now handled by the misc-gpio device
 writing the value to its outbound "adc-temp" GPIO, which the board
 code wires up to the appropriate inbound GPIO line on the max1111.
 This commit also fixes Coverity issue CID 1421913 (which pointed out
 that the 'outsignals' in spitz_scoop_gpio_setup() were leaked),
 because it removes the use of the qemu_allocate_irqs() API from this
 code entirely.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
 Message-id: 20200628142429.17111-13-peter.maydell@linaro.org
 ---
  hw/arm/spitz.c | 129 +++++++++++++++++++++++++++++++++----------------
 file changed, 87 insertions(+), 42 deletions(-)
 diff --git a/hw/arm/spitz.c b/hw/arm/spitz.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/spitz.c
 +++ b/hw/arm/spitz.c
@@ -XXX,XX +XXX,XX @@ typedef struct {
      DeviceState *max1111;
      DeviceState *scp0;
      DeviceState *scp1;
 +    DeviceState *misc_gpio;
  } SpitzMachineState;
  #define TYPE_SPITZ_MACHINE "spitz-common"
@@ -XXX,XX +XXX,XX @@ static void spitz_lcdtg_realize(SSISlave *ssi, Error **errp)
  #define SPITZ_GPIO_MAX1111_CS   20
  #define SPITZ_GPIO_TP_INT       11
 -static DeviceState *max1111;
 -
  /* "Demux" the signal based on current chipselect */
  typedef struct {
      SSISlave ssidev;
@@ -XXX,XX +XXX,XX @@ static void corgi_ssp_gpio_cs(void *opaque, int line, int level)
  #define SPITZ_BATTERY_VOLT      0xd0    /* About 4.0V */
  #define SPITZ_CHARGEON_ACIN     0x80    /* About 5.0V */
 -static void spitz_adc_temp_on(void *opaque, int line, int level)
 -{
 -    int batt_temp;
 -
 -    if (!max1111)
 -        return;
 -
 -    batt_temp = level ? SPITZ_BATTERY_TEMP : 0;
 -
 -    qemu_set_irq(qdev_get_gpio_in(max1111, MAX1111_BATT_TEMP), batt_temp);
 -}
 -
  static void corgi_ssp_realize(SSISlave *d, Error **errp)
  {
      DeviceState *dev = DEVICE(d);
@@ -XXX,XX +XXX,XX @@ static void spitz_ssp_attach(SpitzMachineState *sms)
      bus = qdev_get_child_bus(sms->mux, "ssi2");
      sms->max1111 = qdev_new(TYPE_MAX_1111);
 -    max1111 = sms->max1111;
      qdev_prop_set_uint8(sms->max1111, "input1" /* BATT_VOLT */,
                          SPITZ_BATTERY_VOLT);
      qdev_prop_set_uint8(sms->max1111, "input2" /* BATT_TEMP */, 0);
@@ -XXX,XX +XXX,XX @@ static void spitz_akita_i2c_setup(PXA2xxState *cpu)
  /* Other peripherals */
 -static void spitz_out_switch(void *opaque, int line, int level)
 +/*
 + * Encapsulation of some miscellaneous GPIO line behaviour for the Spitz boards.
 + *
 + * QEMU interface:
 + *  + named GPIO inputs "green-led", "orange-led", "charging", "discharging":
 + *    these currently just print messages that the line has been signalled
 + *  + named GPIO input "adc-temp-on": set to cause the battery-temperature
 + *    value to be passed to the max111x ADC
 + *  + named GPIO output "adc-temp": the ADC value, to be wired up to the max111x
 + */
 +#define TYPE_SPITZ_MISC_GPIO "spitz-misc-gpio"
 +#define SPITZ_MISC_GPIO(obj) \
 +    OBJECT_CHECK(SpitzMiscGPIOState, (obj), TYPE_SPITZ_MISC_GPIO)
 +
 +typedef struct SpitzMiscGPIOState {
 +    SysBusDevice parent_obj;
 +
 +    qemu_irq adc_value;
 +} SpitzMiscGPIOState;
 +
 +static void spitz_misc_charging(void *opaque, int n, int level)
  {
 -    switch (line) {
 -    case 0:
 -        zaurus_printf("Charging %s.\n", level ? "off" : "on");
 -        break;
 -    case 1:
 -        zaurus_printf("Discharging %s.\n", level ? "on" : "off");
 -        break;
 -    case 2:
 -        zaurus_printf("Green LED %s.\n", level ? "on" : "off");
 -        break;
 -    case 3:
 -        zaurus_printf("Orange LED %s.\n", level ? "on" : "off");
 -        break;
 -    case 6:
 -        spitz_adc_temp_on(opaque, line, level);
 -        break;
 -    default:
 -        g_assert_not_reached();
 -    }
 +    zaurus_printf("Charging %s.\n", level ? "off" : "on");
 +}
 +
 +static void spitz_misc_discharging(void *opaque, int n, int level)
 +{
 +    zaurus_printf("Discharging %s.\n", level ? "off" : "on");
 +}
 +
 +static void spitz_misc_green_led(void *opaque, int n, int level)
 +{
 +    zaurus_printf("Green LED %s.\n", level ? "off" : "on");
 +}
 +
 +static void spitz_misc_orange_led(void *opaque, int n, int level)
 +{
 +    zaurus_printf("Orange LED %s.\n", level ? "off" : "on");
 +}
 +
 +static void spitz_misc_adc_temp(void *opaque, int n, int level)
 +{
 +    SpitzMiscGPIOState *s = SPITZ_MISC_GPIO(opaque);
 +    int batt_temp = level ? SPITZ_BATTERY_TEMP : 0;
 +
 +    qemu_set_irq(s->adc_value, batt_temp);
 +}
 +
 +static void spitz_misc_gpio_init(Object *obj)
 +{
 +    SpitzMiscGPIOState *s = SPITZ_MISC_GPIO(obj);
 +    DeviceState *dev = DEVICE(obj);
 +
 +    qdev_init_gpio_in_named(dev, spitz_misc_charging, "charging", 1);
 +    qdev_init_gpio_in_named(dev, spitz_misc_discharging, "discharging", 1);
 +    qdev_init_gpio_in_named(dev, spitz_misc_green_led, "green-led", 1);
 +    qdev_init_gpio_in_named(dev, spitz_misc_orange_led, "orange-led", 1);
 +    qdev_init_gpio_in_named(dev, spitz_misc_adc_temp, "adc-temp-on", 1);
 +
 +    qdev_init_gpio_out_named(dev, &s->adc_value, "adc-temp", 1);
  }
  #define SPITZ_SCP_LED_GREEN             1
@@ -XXX,XX +XXX,XX @@ static void spitz_out_switch(void *opaque, int line, int level)
  static void spitz_scoop_gpio_setup(SpitzMachineState *sms)
  {
 -    qemu_irq *outsignals = qemu_allocate_irqs(spitz_out_switch, sms->mpu, 8);
 +    DeviceState *miscdev = sysbus_create_simple(TYPE_SPITZ_MISC_GPIO, -1, NULL);
 -    qdev_connect_gpio_out(sms->scp0, SPITZ_SCP_CHRG_ON, outsignals[0]);
 -    qdev_connect_gpio_out(sms->scp0, SPITZ_SCP_JK_B, outsignals[1]);
 -    qdev_connect_gpio_out(sms->scp0, SPITZ_SCP_LED_GREEN, outsignals[2]);
 -    qdev_connect_gpio_out(sms->scp0, SPITZ_SCP_LED_ORANGE, outsignals[3]);
 +    sms->misc_gpio = miscdev;
 +
 +    qdev_connect_gpio_out(sms->scp0, SPITZ_SCP_CHRG_ON,
 +                          qdev_get_gpio_in_named(miscdev, "charging", 0));
 +    qdev_connect_gpio_out(sms->scp0, SPITZ_SCP_JK_B,
 +                          qdev_get_gpio_in_named(miscdev, "discharging", 0));
 +    qdev_connect_gpio_out(sms->scp0, SPITZ_SCP_LED_GREEN,
 +                          qdev_get_gpio_in_named(miscdev, "green-led", 0));
 +    qdev_connect_gpio_out(sms->scp0, SPITZ_SCP_LED_ORANGE,
 +                          qdev_get_gpio_in_named(miscdev, "orange-led", 0));
 +    qdev_connect_gpio_out(sms->scp0, SPITZ_SCP_ADC_TEMP_ON,
 +                          qdev_get_gpio_in_named(miscdev, "adc-temp-on", 0));
 +    qdev_connect_gpio_out_named(miscdev, "adc-temp", 0,
 +                                qdev_get_gpio_in(sms->max1111, MAX1111_BATT_TEMP));
      if (sms->scp1) {
          qdev_connect_gpio_out(sms->scp1, SPITZ_SCP2_BACKLIGHT_CONT,
@@ -XXX,XX +XXX,XX @@ static void spitz_scoop_gpio_setup(SpitzMachineState *sms)
          qdev_connect_gpio_out(sms->scp1, SPITZ_SCP2_BACKLIGHT_ON,
                                qdev_get_gpio_in_named(sms->lcdtg, "bl_power", 0));
      }
 -
 -    qdev_connect_gpio_out(sms->scp0, SPITZ_SCP_ADC_TEMP_ON, outsignals[6]);
  }
  #define SPITZ_GPIO_HSYNC                22
@@ -XXX,XX +XXX,XX @@ static const TypeInfo spitz_lcdtg_info = {
      .class_init    = spitz_lcdtg_class_init,
  };
 +static const TypeInfo spitz_misc_gpio_info = {
 +    .name = TYPE_SPITZ_MISC_GPIO,
 +    .parent = TYPE_SYS_BUS_DEVICE,
 +    .instance_size = sizeof(SpitzMiscGPIOState),
 +    .instance_init = spitz_misc_gpio_init,
 +    /*
 +     * No class_init required: device has no internal state so does not
 +     * need to set up reset or vmstate, and does not have a realize method.
 +     */
 +};
 +
  static void spitz_register_types(void)
  {
      type_register_static(&corgi_ssp_info);
      type_register_static(&spitz_lcdtg_info);
      type_register_static(&spitz_keyboard_info);
      type_register_static(&sl_nand_info);
 +    type_register_static(&spitz_misc_gpio_info);
  }
  type_init(spitz_register_types)
 --
 .20.1

-New patch
+[PULL 29/34] hw/gpio/zaurus.c: Use LOG_GUEST_ERROR for bad guest register accesses
+Instead of logging guest accesses to invalid register offsets in this
+device using zaurus_printf() (which just prints to stderr), use the
+usual qemu_log_mask(LOG_GUEST_ERROR,...).
+Since this was the only use of the zaurus_printf() macro outside
+spitz.c, we can move the definition of that macro from sharpsl.h
+to spitz.c.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Message-id: 20200628142429.17111-14-peter.maydell@linaro.org
+---
+ include/hw/arm/sharpsl.h |  3 ---
+ hw/arm/spitz.c           |  3 +++
+ hw/gpio/zaurus.c         | 12 +++++++-----
+files changed, 10 insertions(+), 8 deletions(-)
+diff --git a/include/hw/arm/sharpsl.h b/include/hw/arm/sharpsl.h
+index XXXXXXX..XXXXXXX 100644
+--- a/include/hw/arm/sharpsl.h
++++ b/include/hw/arm/sharpsl.h
+@@ -XXX,XX +XXX,XX @@
+ #include "exec/hwaddr.h"
+-#define zaurus_printf(format, ...)    \
+-    fprintf(stderr, "%s: " format, __func__, ##__VA_ARGS__)
+-
+ /* zaurus.c */
+ #define SL_PXA_PARAM_BASE    0xa0000a00
+diff --git a/hw/arm/spitz.c b/hw/arm/spitz.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/spitz.c
++++ b/hw/arm/spitz.c
+@@ -XXX,XX +XXX,XX @@ typedef struct {
+ #define SPITZ_MACHINE_CLASS(klass) \
+     OBJECT_CLASS_CHECK(SpitzMachineClass, klass, TYPE_SPITZ_MACHINE)
++#define zaurus_printf(format, ...)                              \
++    fprintf(stderr, "%s: " format, __func__, ##__VA_ARGS__)
++
+ #undef REG_FMT
+ #define REG_FMT                         "0x%02lx"
+diff --git a/hw/gpio/zaurus.c b/hw/gpio/zaurus.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/gpio/zaurus.c
++++ b/hw/gpio/zaurus.c
+@@ -XXX,XX +XXX,XX @@
+ #include "hw/sysbus.h"
+ #include "migration/vmstate.h"
+ #include "qemu/module.h"
+-
+-#undef REG_FMT
+-#define REG_FMT            "0x%02lx"
++#include "qemu/log.h"
+ /* SCOOP devices */
+@@ -XXX,XX +XXX,XX @@ static uint64_t scoop_read(void *opaque, hwaddr addr,
+     case SCOOP_GPRR:
+         return s->gpio_level;
+     default:
+-        zaurus_printf("Bad register offset " REG_FMT "\n", (unsigned long)addr);
++        qemu_log_mask(LOG_GUEST_ERROR,
++                      "scoop_read: bad register offset 0x%02" HWADDR_PRIx "\n",
++                      addr);
+     }
+     return 0;
+@@ -XXX,XX +XXX,XX @@ static void scoop_write(void *opaque, hwaddr addr,
+         scoop_gpio_handler_update(s);
+         break;
+     default:
+-        zaurus_printf("Bad register offset " REG_FMT "\n", (unsigned long)addr);
++        qemu_log_mask(LOG_GUEST_ERROR,
++                      "scoop_write: bad register offset 0x%02" HWADDR_PRIx "\n",
++                      addr);
+     }
+ }
+--
+.20.1

-New patch
+[PULL 30/34] hw/arm/spitz: Use LOG_GUEST_ERROR for bad guest register accesses
+Instead of logging guest accesses to invalid register offsets in the
+Spitz flash device with zaurus_printf() (which just prints to stderr),
+use the usual qemu_log_mask(LOG_GUEST_ERROR,...).
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Message-id: 20200628142429.17111-15-peter.maydell@linaro.org
+---
+ hw/arm/spitz.c | 12 +++++++-----
+file changed, 7 insertions(+), 5 deletions(-)
+diff --git a/hw/arm/spitz.c b/hw/arm/spitz.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/spitz.c
++++ b/hw/arm/spitz.c
+@@ -XXX,XX +XXX,XX @@
+ #include "hw/ssi/ssi.h"
+ #include "hw/block/flash.h"
+ #include "qemu/timer.h"
++#include "qemu/log.h"
+ #include "hw/arm/sharpsl.h"
+ #include "ui/console.h"
+ #include "hw/audio/wm8750.h"
+@@ -XXX,XX +XXX,XX @@ typedef struct {
+ #define zaurus_printf(format, ...)                              \
+     fprintf(stderr, "%s: " format, __func__, ##__VA_ARGS__)
+-#undef REG_FMT
+-#define REG_FMT                         "0x%02lx"
+-
+ /* Spitz Flash */
+ #define FLASH_BASE              0x0c000000
+ #define FLASH_ECCLPLB           0x00    /* Line parity 7 - 0 bit */
+@@ -XXX,XX +XXX,XX @@ static uint64_t sl_read(void *opaque, hwaddr addr, unsigned size)
+         return ecc_digest(&s->ecc, nand_getio(s->nand));
+     default:
+-        zaurus_printf("Bad register offset " REG_FMT "\n", (unsigned long)addr);
++        qemu_log_mask(LOG_GUEST_ERROR,
++                      "sl_read: bad register offset 0x%02" HWADDR_PRIx "\n",
++                      addr);
+     }
+     return 0;
+ }
+@@ -XXX,XX +XXX,XX @@ static void sl_write(void *opaque, hwaddr addr,
+         break;
+     default:
+-        zaurus_printf("Bad register offset " REG_FMT "\n", (unsigned long)addr);
++        qemu_log_mask(LOG_GUEST_ERROR,
++                      "sl_write: bad register offset 0x%02" HWADDR_PRIx "\n",
++                      addr);
+     }
+ }
+--
+.20.1

-New patch
+[PULL 31/34] hw/arm/pxa2xx_pic: Use LOG_GUEST_ERROR for bad guest register accesses
+Instead of using printf() for logging guest accesses to invalid
+register offsets in the pxa2xx PIC device, use the usual
+qemu_log_mask(LOG_GUEST_ERROR,...).
+This was the only user of the REG_FMT macro in pxa.h, so we can
+remove that.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Message-id: 20200628142429.17111-16-peter.maydell@linaro.org
+---
+ include/hw/arm/pxa.h | 1 -
+ hw/arm/pxa2xx_pic.c  | 9 +++++++--
+files changed, 7 insertions(+), 3 deletions(-)
+diff --git a/include/hw/arm/pxa.h b/include/hw/arm/pxa.h
+index XXXXXXX..XXXXXXX 100644
+--- a/include/hw/arm/pxa.h
++++ b/include/hw/arm/pxa.h
+@@ -XXX,XX +XXX,XX @@ struct PXA2xxI2SState {
+ };
+ # define PA_FMT            "0x%08lx"
+-# define REG_FMT        "0x" TARGET_FMT_plx
+ PXA2xxState *pxa270_init(MemoryRegion *address_space, unsigned int sdram_size,
+                          const char *revision);
+diff --git a/hw/arm/pxa2xx_pic.c b/hw/arm/pxa2xx_pic.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/pxa2xx_pic.c
++++ b/hw/arm/pxa2xx_pic.c
+@@ -XXX,XX +XXX,XX @@
+ #include "qemu/osdep.h"
+ #include "qapi/error.h"
+ #include "qemu/module.h"
++#include "qemu/log.h"
+ #include "cpu.h"
+ #include "hw/arm/pxa.h"
+ #include "hw/sysbus.h"
+@@ -XXX,XX +XXX,XX @@ static uint64_t pxa2xx_pic_mem_read(void *opaque, hwaddr offset,
+     case ICHP:    /* Highest Priority register */
+         return pxa2xx_pic_highest(s);
+     default:
+-        printf("%s: Bad register offset " REG_FMT "\n", __func__, offset);
++        qemu_log_mask(LOG_GUEST_ERROR,
++                      "pxa2xx_pic_mem_read: bad register offset 0x%" HWADDR_PRIx
++                      "\n", offset);
+         return 0;
+     }
+ }
+@@ -XXX,XX +XXX,XX @@ static void pxa2xx_pic_mem_write(void *opaque, hwaddr offset,
+         s->priority[32 + ((offset - IPR32) >> 2)] = value & 0x8000003f;
+         break;
+     default:
+-        printf("%s: Bad register offset " REG_FMT "\n", __func__, offset);
++        qemu_log_mask(LOG_GUEST_ERROR,
++                      "pxa2xx_pic_mem_write: bad register offset 0x%"
++                      HWADDR_PRIx "\n", offset);
+         return;
+     }
+     pxa2xx_pic_update(opaque);
+--
+.20.1

-New patch
+[PULL 32/34] hw/arm/spitz: Provide usual QOM macros for corgi-ssp and spitz-lcdtg
+The QOM types "spitz-lcdtg" and "corgi-ssp" are missing the
+usual QOM TYPE and casting macros; provide and use them.
+In particular, we can safely use the QOM cast macros instead of
+FROM_SSI_SLAVE() because in both cases the 'ssidev' field of
+the instance state struct is the first field in it.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Message-id: 20200628142429.17111-17-peter.maydell@linaro.org
+---
+ hw/arm/spitz.c | 23 +++++++++++++++--------
+file changed, 15 insertions(+), 8 deletions(-)
+diff --git a/hw/arm/spitz.c b/hw/arm/spitz.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/spitz.c
++++ b/hw/arm/spitz.c
+@@ -XXX,XX +XXX,XX @@ static void spitz_keyboard_realize(DeviceState *dev, Error **errp)
+ #define LCDTG_PICTRL    0x06
+ #define LCDTG_POLCTRL   0x07
++#define TYPE_SPITZ_LCDTG "spitz-lcdtg"
++#define SPITZ_LCDTG(obj) OBJECT_CHECK(SpitzLCDTG, (obj), TYPE_SPITZ_LCDTG)
++
+ typedef struct {
+     SSISlave ssidev;
+     uint32_t bl_intensity;
+@@ -XXX,XX +XXX,XX @@ static inline void spitz_bl_power(void *opaque, int line, int level)
+ static uint32_t spitz_lcdtg_transfer(SSISlave *dev, uint32_t value)
+ {
+-    SpitzLCDTG *s = FROM_SSI_SLAVE(SpitzLCDTG, dev);
++    SpitzLCDTG *s = SPITZ_LCDTG(dev);
+     int addr;
+     addr = value >> 5;
+     value &= 0x1f;
+@@ -XXX,XX +XXX,XX @@ static uint32_t spitz_lcdtg_transfer(SSISlave *dev, uint32_t value)
+ static void spitz_lcdtg_realize(SSISlave *ssi, Error **errp)
+ {
+-    SpitzLCDTG *s = FROM_SSI_SLAVE(SpitzLCDTG, ssi);
++    SpitzLCDTG *s = SPITZ_LCDTG(ssi);
+     DeviceState *dev = DEVICE(s);
+     s->bl_power = 0;
+@@ -XXX,XX +XXX,XX @@ static void spitz_lcdtg_realize(SSISlave *ssi, Error **errp)
+ #define SPITZ_GPIO_MAX1111_CS   20
+ #define SPITZ_GPIO_TP_INT       11
++#define TYPE_CORGI_SSP "corgi-ssp"
++#define CORGI_SSP(obj) OBJECT_CHECK(CorgiSSPState, (obj), TYPE_CORGI_SSP)
++
+ /* "Demux" the signal based on current chipselect */
+ typedef struct {
+     SSISlave ssidev;
+@@ -XXX,XX +XXX,XX @@ typedef struct {
+ static uint32_t corgi_ssp_transfer(SSISlave *dev, uint32_t value)
+ {
+-    CorgiSSPState *s = FROM_SSI_SLAVE(CorgiSSPState, dev);
++    CorgiSSPState *s = CORGI_SSP(dev);
+     int i;
+     for (i = 0; i < 3; i++) {
+@@ -XXX,XX +XXX,XX @@ static void corgi_ssp_gpio_cs(void *opaque, int line, int level)
+ static void corgi_ssp_realize(SSISlave *d, Error **errp)
+ {
+     DeviceState *dev = DEVICE(d);
+-    CorgiSSPState *s = FROM_SSI_SLAVE(CorgiSSPState, d);
++    CorgiSSPState *s = CORGI_SSP(d);
+     qdev_init_gpio_in(dev, corgi_ssp_gpio_cs, 3);
+     s->bus[0] = ssi_create_bus(dev, "ssi0");
+@@ -XXX,XX +XXX,XX @@ static void spitz_ssp_attach(SpitzMachineState *sms)
+ {
+     void *bus;
+-    sms->mux = ssi_create_slave(sms->mpu->ssp[CORGI_SSP_PORT - 1], "corgi-ssp");
++    sms->mux = ssi_create_slave(sms->mpu->ssp[CORGI_SSP_PORT - 1],
++                                TYPE_CORGI_SSP);
+     bus = qdev_get_child_bus(sms->mux, "ssi0");
+-    sms->lcdtg = ssi_create_slave(bus, "spitz-lcdtg");
++    sms->lcdtg = ssi_create_slave(bus, TYPE_SPITZ_LCDTG);
+     bus = qdev_get_child_bus(sms->mux, "ssi1");
+     sms->ads7846 = ssi_create_slave(bus, "ads7846");
+@@ -XXX,XX +XXX,XX @@ static void corgi_ssp_class_init(ObjectClass *klass, void *data)
+ }
+ static const TypeInfo corgi_ssp_info = {
+-    .name          = "corgi-ssp",
++    .name          = TYPE_CORGI_SSP,
+     .parent        = TYPE_SSI_SLAVE,
+     .instance_size = sizeof(CorgiSSPState),
+     .class_init    = corgi_ssp_class_init,
+@@ -XXX,XX +XXX,XX @@ static void spitz_lcdtg_class_init(ObjectClass *klass, void *data)
+ }
+ static const TypeInfo spitz_lcdtg_info = {
+-    .name          = "spitz-lcdtg",
++    .name          = TYPE_SPITZ_LCDTG,
+     .parent        = TYPE_SSI_SLAVE,
+     .instance_size = sizeof(SpitzLCDTG),
+     .class_init    = spitz_lcdtg_class_init,
+--
+.20.1

-[Qemu-devel] [PULL 09/10] target/arm: Set VFP-related MVFR0 fields for arm926 and arm1026
+[PULL 33/34] Replace uses of FROM_SSI_SLAVE() macro with QOM casts
-The ARMv5 architecture didn't specify detailed per-feature ID
+The FROM_SSI_SLAVE() macro predates QOM and is used as a typesafe way
-registers. Now that we're using the MVFR0 register fields to
+to cast from an SSISlave* to the instance struct of a subtype of
-gate the existence of VFP instructions, we need to set up
+TYPE_SSI_SLAVE.  Switch to using the QOM cast macros instead, which
-the correct values in the cpu->isar structure so that we still
+have the same effect (by writing the QOM macros if the types were
-provide an FPU to the guest.
+previously missing them.)
-This fixes a regression in the arm926 and arm1026 CPUs, which
+(The FROM_SSI_SLAVE() macro allows the SSISlave member of the
-are the only ones that both have VFP and are ARMv5 or earlier.
+subtype's struct to be anywhere as long as it is named "ssidev",
-This regression was introduced by the VFP refactoring, and more
+whereas a QOM cast macro insists that it is the first thing in the
-specifically by commits 1120827fa182f0e76 and 266bd25c485597c,
+subtype's struct.  This is true for all the types we convert here.)
 which accidentally disabled VFP short-vector support and
 double-precision support on these CPUs.
-Fixes: 1120827fa182f0e
+This removes all the uses of FROM_SSI_SLAVE() so we can delete the
-Fixes: 266bd25c485597c
+definition.
-Fixes: https://bugs.launchpad.net/qemu/+bug/1836192
 Reported-by: Christophe Lyon <christophe.lyon@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
-Tested-by: Christophe Lyon <christophe.lyon@linaro.org>
+Message-id: 20200628142429.17111-18-peter.maydell@linaro.org
 Message-id: 20190711131241.22231-1-peter.maydell@linaro.org
 ---
- target/arm/cpu.c | 12 ++++++++++++
+ include/hw/ssi/ssi.h |  2 --
-file changed, 12 insertions(+)
+ hw/arm/z2.c          | 11 +++++++----
  hw/display/ads7846.c |  9 ++++++---
  hw/display/ssd0323.c | 10 +++++++---
  hw/sd/ssi-sd.c       |  4 ++--
 files changed, 22 insertions(+), 14 deletions(-)
-diff --git a/target/arm/cpu.c b/target/arm/cpu.c
+diff --git a/include/hw/ssi/ssi.h b/include/hw/ssi/ssi.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.c
+--- a/include/hw/ssi/ssi.h
-+++ b/target/arm/cpu.c
++++ b/include/hw/ssi/ssi.h
-@@ -XXX,XX +XXX,XX @@ static void arm926_initfn(Object *obj)
+@@ -XXX,XX +XXX,XX @@ struct SSISlave {
-      * set the field to indicate Jazelle support within QEMU.
+     bool cs;
-      */
+ };
-     cpu->isar.id_isar1 = FIELD_DP32(cpu->isar.id_isar1, ID_ISAR1, JAZELLE, 1);
-+    /*
+-#define FROM_SSI_SLAVE(type, dev) DO_UPCAST(type, ssidev, dev)
-+     * Similarly, we need to set MVFR0 fields to enable double precision
+-
-+     * and short vector support even though ARMv5 doesn't have this register.
+ extern const VMStateDescription vmstate_ssi_slave;
-+     */
-+    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPSHVEC, 1);
+ #define VMSTATE_SSI_SLAVE(_field, _state) {                          \
-+    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPDP, 1);
+diff --git a/hw/arm/z2.c b/hw/arm/z2.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/z2.c
 +++ b/hw/arm/z2.c
@@ -XXX,XX +XXX,XX @@ typedef struct {
      int pos;
  } ZipitLCD;
 +#define TYPE_ZIPIT_LCD "zipit-lcd"
 +#define ZIPIT_LCD(obj) OBJECT_CHECK(ZipitLCD, (obj), TYPE_ZIPIT_LCD)
 +
  static uint32_t zipit_lcd_transfer(SSISlave *dev, uint32_t value)
  {
 -    ZipitLCD *z = FROM_SSI_SLAVE(ZipitLCD, dev);
 +    ZipitLCD *z = ZIPIT_LCD(dev);
      uint16_t val;
      if (z->selected) {
          z->buf[z->pos] = value & 0xff;
@@ -XXX,XX +XXX,XX @@ static void z2_lcd_cs(void *opaque, int line, int level)
  static void zipit_lcd_realize(SSISlave *dev, Error **errp)
  {
 -    ZipitLCD *z = FROM_SSI_SLAVE(ZipitLCD, dev);
 +    ZipitLCD *z = ZIPIT_LCD(dev);
      z->selected = 0;
      z->enabled = 0;
      z->pos = 0;
@@ -XXX,XX +XXX,XX @@ static void zipit_lcd_class_init(ObjectClass *klass, void *data)
  }
- static void arm946_initfn(Object *obj)
+ static const TypeInfo zipit_lcd_info = {
-@@ -XXX,XX +XXX,XX @@ static void arm1026_initfn(Object *obj)
+-    .name          = "zipit-lcd",
-      * set the field to indicate Jazelle support within QEMU.
++    .name          = TYPE_ZIPIT_LCD,
-      */
+     .parent        = TYPE_SSI_SLAVE,
-     cpu->isar.id_isar1 = FIELD_DP32(cpu->isar.id_isar1, ID_ISAR1, JAZELLE, 1);
+     .instance_size = sizeof(ZipitLCD),
-+    /*
+     .class_init    = zipit_lcd_class_init,
-+     * Similarly, we need to set MVFR0 fields to enable double precision
+@@ -XXX,XX +XXX,XX @@ static void z2_init(MachineState *machine)
-+     * and short vector support even though ARMv5 doesn't have this register.
-+     */
+     type_register_static(&zipit_lcd_info);
-+    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPSHVEC, 1);
+     type_register_static(&aer915_info);
-+    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPDP, 1);
+-    z2_lcd = ssi_create_slave(mpu->ssp[1], "zipit-lcd");
++    z2_lcd = ssi_create_slave(mpu->ssp[1], TYPE_ZIPIT_LCD);
-     {
+     bus = pxa2xx_i2c_bus(mpu->i2c[0]);
-         /* The 1026 had an IFAR at c6,c0,0,1 rather than the ARMv6 c6,c0,0,2 */
+     i2c_create_slave(bus, TYPE_AER915, 0x55);
      wm = i2c_create_slave(bus, TYPE_WM8750, 0x1b);
 diff --git a/hw/display/ads7846.c b/hw/display/ads7846.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/display/ads7846.c
 +++ b/hw/display/ads7846.c
@@ -XXX,XX +XXX,XX @@ typedef struct {
      int output;
  } ADS7846State;
 +#define TYPE_ADS7846 "ads7846"
 +#define ADS7846(obj) OBJECT_CHECK(ADS7846State, (obj), TYPE_ADS7846)
 +
  /* Control-byte bitfields */
  #define CB_PD0        (1 << 0)
  #define CB_PD1        (1 << 1)
@@ -XXX,XX +XXX,XX @@ static void ads7846_int_update(ADS7846State *s)
  static uint32_t ads7846_transfer(SSISlave *dev, uint32_t value)
  {
 -    ADS7846State *s = FROM_SSI_SLAVE(ADS7846State, dev);
 +    ADS7846State *s = ADS7846(dev);
      switch (s->cycle ++) {
      case 0:
@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_ads7846 = {
  static void ads7846_realize(SSISlave *d, Error **errp)
  {
      DeviceState *dev = DEVICE(d);
 -    ADS7846State *s = FROM_SSI_SLAVE(ADS7846State, d);
 +    ADS7846State *s = ADS7846(d);
      qdev_init_gpio_out(dev, &s->interrupt, 1);
@@ -XXX,XX +XXX,XX @@ static void ads7846_class_init(ObjectClass *klass, void *data)
  }
  static const TypeInfo ads7846_info = {
 -    .name          = "ads7846",
 +    .name          = TYPE_ADS7846,
      .parent        = TYPE_SSI_SLAVE,
      .instance_size = sizeof(ADS7846State),
      .class_init    = ads7846_class_init,
 diff --git a/hw/display/ssd0323.c b/hw/display/ssd0323.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/display/ssd0323.c
 +++ b/hw/display/ssd0323.c
@@ -XXX,XX +XXX,XX @@ typedef struct {
      uint8_t framebuffer[128 * 80 / 2];
  } ssd0323_state;
 +#define TYPE_SSD0323 "ssd0323"
 +#define SSD0323(obj) OBJECT_CHECK(ssd0323_state, (obj), TYPE_SSD0323)
 +
 +
  static uint32_t ssd0323_transfer(SSISlave *dev, uint32_t data)
  {
 -    ssd0323_state *s = FROM_SSI_SLAVE(ssd0323_state, dev);
 +    ssd0323_state *s = SSD0323(dev);
      switch (s->mode) {
      case SSD0323_DATA:
@@ -XXX,XX +XXX,XX @@ static const GraphicHwOps ssd0323_ops = {
  static void ssd0323_realize(SSISlave *d, Error **errp)
  {
      DeviceState *dev = DEVICE(d);
 -    ssd0323_state *s = FROM_SSI_SLAVE(ssd0323_state, d);
 +    ssd0323_state *s = SSD0323(d);
      s->col_end = 63;
      s->row_end = 79;
@@ -XXX,XX +XXX,XX @@ static void ssd0323_class_init(ObjectClass *klass, void *data)
  }
  static const TypeInfo ssd0323_info = {
 -    .name          = "ssd0323",
 +    .name          = TYPE_SSD0323,
      .parent        = TYPE_SSI_SLAVE,
      .instance_size = sizeof(ssd0323_state),
      .class_init    = ssd0323_class_init,
 diff --git a/hw/sd/ssi-sd.c b/hw/sd/ssi-sd.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/sd/ssi-sd.c
 +++ b/hw/sd/ssi-sd.c
@@ -XXX,XX +XXX,XX @@ typedef struct {
  static uint32_t ssi_sd_transfer(SSISlave *dev, uint32_t val)
  {
 -    ssi_sd_state *s = FROM_SSI_SLAVE(ssi_sd_state, dev);
 +    ssi_sd_state *s = SSI_SD(dev);
      /* Special case: allow CMD12 (STOP TRANSMISSION) while reading data.  */
      if (s->mode == SSI_SD_DATA_READ && val == 0x4d) {
@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_ssi_sd = {
  static void ssi_sd_realize(SSISlave *d, Error **errp)
  {
 -    ssi_sd_state *s = FROM_SSI_SLAVE(ssi_sd_state, d);
 +    ssi_sd_state *s = SSI_SD(d);
      DeviceState *carddev;
      DriveInfo *dinfo;
      Error *err = NULL;
 --
 .20.1

-[Qemu-devel] [PULL 10/10] target/arm: NS BusFault on vector table fetch escalates to NS HardFault
+[PULL 34/34] Deprecate TileGX port
-In the M-profile architecture, when we do a vector table fetch and it
+Deprecate our TileGX target support:
-fails, we need to report a HardFault.  Whether this is a Secure HF or
+ * we have no active maintainer for it
-a NonSecure HF depends on several things.  If AIRCR.BFHFNMINS is 0
+ * it has had essentially no contributions (other than tree-wide cleanups
-then HF is always Secure, because there is no NonSecure HardFault.
+   and similar) since it was first added
-Otherwise, the answer depends on whether the 'underlying exception'
+ * the Linux kernel dropped support in 2018, as has glibc
 (MemManage, BusFault, SecureFault) targets Secure or NonSecure.  (In
 the pseudocode, this is handled in the Vector() function: the final
 exc.isSecure is calculated by looking at the exc.isSecure from the
 exception returned from the memory access, not the isSecure input
 argument.)
-We weren't doing this correctly, because we were looking at
+Note the deprecation in the manual, but don't try to print a warning
-the target security domain of the exception we were trying to
+when QEMU runs -- printing unsuppressable messages is more obtrusive
-load the vector table entry for. This produces errors of two kinds:
+for linux-user mode than it would be for system-emulation mode, and
- * a load from the NS vector table which hits the "NS access
+it doesn't seem worth trying to invent a new suppressible-error
-   to S memory" SecureFault should end up as a Secure HardFault,
+system for linux-user just for this.
    but we were raising an NS HardFault
  * a load from the S vector table which causes a BusFault
    should raise an NS HardFault if BFHFNMINS == 1 (because
    in that case all BusFaults are NonSecure), but we were raising
    a Secure HardFault
 Correct the logic.
 We also fix a comment error where we claimed that we might
 be escalating MemManage to HardFault, and forgot about SecureFault.
 (Vector loads can never hit MPU access faults, because they're
 always aligned and always use the default address map.)
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20190705094823.28905-1-peter.maydell@linaro.org
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
 Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Reviewed-by: Thomas Huth <thuth@redhat.com>
 Message-id: 20200619154831.26319-1-peter.maydell@linaro.org
 ---
- target/arm/m_helper.c | 21 +++++++++++++++++----
+ docs/system/deprecated.rst | 11 +++++++++++
-file changed, 17 insertions(+), 4 deletions(-)
+file changed, 11 insertions(+)
-diff --git a/target/arm/m_helper.c b/target/arm/m_helper.c
+diff --git a/docs/system/deprecated.rst b/docs/system/deprecated.rst
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/m_helper.c
+--- a/docs/system/deprecated.rst
-+++ b/target/arm/m_helper.c
++++ b/docs/system/deprecated.rst
-@@ -XXX,XX +XXX,XX @@ static bool arm_v7m_load_vector(ARMCPU *cpu, int exc, bool targets_secure,
+@@ -XXX,XX +XXX,XX @@ The above, converted to the current supported format::
-         if (sattrs.ns) {
-             attrs.secure = false;
+   json:{"file.driver":"rbd", "file.pool":"rbd", "file.image":"name"}
-         } else if (!targets_secure) {
--            /* NS access to S memory */
++linux-user mode CPUs
-+            /*
++--------------------
-+             * NS access to S memory: the underlying exception which we escalate
++
-+             * to HardFault is SecureFault, which always targets Secure.
++``tilegx`` CPUs (since 5.1.0)
-+             */
++'''''''''''''''''''''''''''''
-+            exc_secure = true;
++
-             goto load_fail;
++The ``tilegx`` guest CPU support (which was only implemented in
-         }
++linux-user mode) is deprecated and will be removed in a future version
-     }
++of QEMU. Support for this CPU was removed from the upstream Linux
-@@ -XXX,XX +XXX,XX @@ static bool arm_v7m_load_vector(ARMCPU *cpu, int exc, bool targets_secure,
++kernel in 2018, and has also been dropped from glibc.
-     vector_entry = address_space_ldl(arm_addressspace(cs, attrs), addr,
++
-                                      attrs, &result);
+ Related binaries
-     if (result != MEMTX_OK) {
+ ----------------
-+        /*
 +         * Underlying exception is BusFault: its target security state
 +         * depends on BFHFNMINS.
 +         */
 +        exc_secure = !(cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK);
          goto load_fail;
      }
      *pvec = vector_entry;
@@ -XXX,XX +XXX,XX @@ load_fail:
      /*
       * All vector table fetch fails are reported as HardFault, with
       * HFSR.VECTTBL and .FORCED set. (FORCED is set because
 -     * technically the underlying exception is a MemManage or BusFault
 +     * technically the underlying exception is a SecureFault or BusFault
       * that is escalated to HardFault.) This is a terminal exception,
       * so we will either take the HardFault immediately or else enter
       * lockup (the latter case is handled in armv7m_nvic_set_pending_derived()).
 +     * The HardFault is Secure if BFHFNMINS is 0 (meaning that all HFs are
 +     * secure); otherwise it targets the same security state as the
 +     * underlying exception.
       */
 -    exc_secure = targets_secure ||
 -        !(cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK);
 +    if (!(cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK)) {
 +        exc_secure = true;
 +    }
      env->v7m.hfsr |= R_V7M_HFSR_VECTTBL_MASK | R_V7M_HFSR_FORCED_MASK;
      armv7m_nvic_set_pending_derived(env->nvic, ARMV7M_EXCP_HARD, exc_secure);
      return false;
 --
 .20.1

target-arm queue for rc1 -- these are all bug fixes.

thanks
-- PMM

The following changes since commit b9404bf592e7ba74180e1a54ed7a266ec6ee67f2:

Merge remote-tracking branch 'remotes/dgilbert/tags/pull-hmp-20190715' into staging (2019-07-15 12:22:07 +0100)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20190715

for you to fetch changes up to 51c9122e92b776a3f16af0b9282f1dc5012e2a19:

target/arm: NS BusFault on vector table fetch escalates to NS HardFault (2019-07-15 14:17:04 +0100)

----------------------------------------------------------------
target-arm queue:
 * report ARMv8-A FP support for AArch32 -cpu max
 * hw/ssi/xilinx_spips: Avoid AXI writes to the LQSPI linear memory
 * hw/ssi/xilinx_spips: Avoid out-of-bound access to lqspi_buf[]
 * hw/ssi/mss-spi: Avoid crash when reading empty RX FIFO
 * hw/display/xlnx_dp: Avoid crash when reading empty RX FIFO
 * hw/arm/virt: Fix non-secure flash mode
 * pl031: Correctly migrate state when using -rtc clock=host
 * fix regression that meant arm926 and arm1026 lost VFP
   double-precision support
 * v8M: NS BusFault on vector table fetch escalates to NS HardFault

----------------------------------------------------------------
Alex Bennée (1):
      target/arm: report ARMv8-A FP support for AArch32 -cpu max

David Engraf (1):
      hw/arm/virt: Fix non-secure flash mode

Peter Maydell (3):
      pl031: Correctly migrate state when using -rtc clock=host
      target/arm: Set VFP-related MVFR0 fields for arm926 and arm1026
      target/arm: NS BusFault on vector table fetch escalates to NS HardFault

Philippe Mathieu-Daudé (5):
      hw/ssi/xilinx_spips: Convert lqspi_read() to read_with_attrs
      hw/ssi/xilinx_spips: Avoid AXI writes to the LQSPI linear memory
      hw/ssi/xilinx_spips: Avoid out-of-bound access to lqspi_buf[]
      hw/ssi/mss-spi: Avoid crash when reading empty RX FIFO
      hw/display/xlnx_dp: Avoid crash when reading empty RX FIFO

From: Alex Bennée <alex.bennee@linaro.org>

When we converted to using feature bits in 602f6e42cfbf we missed out
the fact (dp && arm_dc_feature(s, ARM_FEATURE_V8)) was supported for
-cpu max configurations. This caused a regression in the GCC test
suite. Fix this by setting the appropriate bits in mvfr1.FPHP to
report ARMv8-A with FP support (but not ARMv8.2-FP16).

Fixes: https://bugs.launchpad.net/qemu/+bug/1836078
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20190711103737.10017-1-alex.bennee@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_max_initfn(Object *obj)
             t = FIELD_DP32(t, ID_ISAR6, SPECRES, 1);
             cpu->isar.id_isar6 = t;
 
+            t = cpu->isar.mvfr1;
+            t = FIELD_DP32(t, MVFR1, FPHP, 2);     /* v8.0 FP support */
+            cpu->isar.mvfr1 = t;
+
             t = cpu->isar.mvfr2;
             t = FIELD_DP32(t, MVFR2, SIMDMISC, 3); /* SIMD MaxNum */
             t = FIELD_DP32(t, MVFR2, FPMISC, 4);   /* FP MaxNum */
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

In the next commit we will implement the write_with_attrs()
handler. To avoid using different APIs, convert the read()
handler first.

Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
Tested-by: Francisco Iglesias <frasse.iglesias@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/ssi/xilinx_spips.c | 23 +++++++++++------------
 1 file changed, 11 insertions(+), 12 deletions(-)

diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/ssi/xilinx_spips.c
+++ b/hw/ssi/xilinx_spips.c
@@ -XXX,XX +XXX,XX @@ static void lqspi_load_cache(void *opaque, hwaddr addr)
     }
 }
 
-static uint64_t
-lqspi_read(void *opaque, hwaddr addr, unsigned int size)
+static MemTxResult lqspi_read(void *opaque, hwaddr addr, uint64_t *value,
+                              unsigned size, MemTxAttrs attrs)
 {
-    XilinxQSPIPS *q = opaque;
-    uint32_t ret;
+    XilinxQSPIPS *q = XILINX_QSPIPS(opaque);
 
     if (addr >= q->lqspi_cached_addr &&
             addr <= q->lqspi_cached_addr + LQSPI_CACHE_SIZE - 4) {
         uint8_t *retp = &q->lqspi_buf[addr - q->lqspi_cached_addr];
-        ret = cpu_to_le32(*(uint32_t *)retp);
-        DB_PRINT_L(1, "addr: %08x, data: %08x\n", (unsigned)addr,
-                   (unsigned)ret);
-        return ret;
-    } else {
-        lqspi_load_cache(opaque, addr);
-        return lqspi_read(opaque, addr, size);
+        *value = cpu_to_le32(*(uint32_t *)retp);
+        DB_PRINT_L(1, "addr: %08" HWADDR_PRIx ", data: %08" PRIx64 "\n",
+                   addr, *value);
+        return MEMTX_OK;
     }
+
+    lqspi_load_cache(opaque, addr);
+    return lqspi_read(opaque, addr, value, size, attrs);
 }
 
 static const MemoryRegionOps lqspi_ops = {
-    .read = lqspi_read,
+    .read_with_attrs = lqspi_read,
     .endianness = DEVICE_NATIVE_ENDIAN,
     .valid = {
         .min_access_size = 1,
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

Lei Sun found while auditing the code that a CPU write would
trigger a NULL pointer dereference.

>From UG1085 datasheet [*] AXI writes in this region are ignored
and generates an AXI Slave Error (SLVERR).

Fix by implementing the write_with_attrs() handler.
Return MEMTX_ERROR when the region is accessed (this error maps
to an AXI slave error).

[*] https://www.xilinx.com/support/documentation/user_guides/ug1085-zynq-ultrascale-trm.pdf

Reported-by: Lei Sun <slei.casper@gmail.com>
Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
Tested-by: Francisco Iglesias <frasse.iglesias@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/ssi/xilinx_spips.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/ssi/xilinx_spips.c
+++ b/hw/ssi/xilinx_spips.c
@@ -XXX,XX +XXX,XX @@ static MemTxResult lqspi_read(void *opaque, hwaddr addr, uint64_t *value,
     return lqspi_read(opaque, addr, value, size, attrs);
 }
 
+static MemTxResult lqspi_write(void *opaque, hwaddr offset, uint64_t value,
+                               unsigned size, MemTxAttrs attrs)
+{
+    /*
+     * From UG1085, Chapter 24 (Quad-SPI controllers):
+     * - Writes are ignored
+     * - AXI writes generate an external AXI slave error (SLVERR)
+     */
+    qemu_log_mask(LOG_GUEST_ERROR, "%s Unexpected %u-bit access to 0x%" PRIx64
+                                   " (value: 0x%" PRIx64 "\n",
+                  __func__, size << 3, offset, value);
+
+    return MEMTX_ERROR;
+}
+
 static const MemoryRegionOps lqspi_ops = {
     .read_with_attrs = lqspi_read,
+    .write_with_attrs = lqspi_write,
     .endianness = DEVICE_NATIVE_ENDIAN,
     .valid = {
         .min_access_size = 1,
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

Both lqspi_read() and lqspi_load_cache() expect a 32-bit
aligned address.

>From UG1085 datasheet [*] chapter on 'Quad-SPI Controller':

Transfer Size Limitations

Because of the 32-bit wide TX, RX, and generic FIFO, all
    APB/AXI transfers must be an integer multiple of 4-bytes.
    Shorter transfers are not possible.

Set MemoryRegionOps.impl values to force 32-bit accesses,
this way we are sure we do not access the lqspi_buf[] array
out of bound.

[*] https://www.xilinx.com/support/documentation/user_guides/ug1085-zynq-ultrascale-trm.pdf

diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/ssi/xilinx_spips.c
+++ b/hw/ssi/xilinx_spips.c
@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps lqspi_ops = {
     .read_with_attrs = lqspi_read,
     .write_with_attrs = lqspi_write,
     .endianness = DEVICE_NATIVE_ENDIAN,
+    .impl = {
+        .min_access_size = 4,
+        .max_access_size = 4,
+    },
     .valid = {
         .min_access_size = 1,
         .max_access_size = 4
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

Reading the RX_DATA register when the RX_FIFO is empty triggers
an abort. This can be easily reproduced:

$ qemu-system-arm -M emcraft-sf2 -monitor stdio -S
  QEMU 4.0.50 monitor - type 'help' for more information
  (qemu) x 0x40001010
  Aborted (core dumped)

(gdb) bt
  #1  0x00007f035874f895 in abort () at /lib64/libc.so.6
  #2  0x00005628686591ff in fifo8_pop (fifo=0x56286a9a4c68) at util/fifo8.c:66
  #3  0x00005628683e0b8e in fifo32_pop (fifo=0x56286a9a4c68) at include/qemu/fifo32.h:137
  #4  0x00005628683e0efb in spi_read (opaque=0x56286a9a4850, addr=4, size=4) at hw/ssi/mss-spi.c:168
  #5  0x0000562867f96801 in memory_region_read_accessor (mr=0x56286a9a4b60, addr=16, value=0x7ffeecb0c5c8, size=4, shift=0, mask=4294967295, attrs=...) at memory.c:439
  #6  0x0000562867f96cdb in access_with_adjusted_size (addr=16, value=0x7ffeecb0c5c8, size=4, access_size_min=1, access_size_max=4, access_fn=0x562867f967c3 <memory_region_read_accessor>, mr=0x56286a9a4b60, attrs=...) at memory.c:569
  #7  0x0000562867f99940 in memory_region_dispatch_read1 (mr=0x56286a9a4b60, addr=16, pval=0x7ffeecb0c5c8, size=4, attrs=...) at memory.c:1420
  #8  0x0000562867f99a08 in memory_region_dispatch_read (mr=0x56286a9a4b60, addr=16, pval=0x7ffeecb0c5c8, size=4, attrs=...) at memory.c:1447
  #9  0x0000562867f38721 in flatview_read_continue (fv=0x56286aec6360, addr=1073745936, attrs=..., buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4, addr1=16, l=4, mr=0x56286a9a4b60) at exec.c:3385
  #10 0x0000562867f38874 in flatview_read (fv=0x56286aec6360, addr=1073745936, attrs=..., buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4) at exec.c:3423
  #11 0x0000562867f388ea in address_space_read_full (as=0x56286aa3e890, addr=1073745936, attrs=..., buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4) at exec.c:3436
  #12 0x0000562867f389c5 in address_space_rw (as=0x56286aa3e890, addr=1073745936, attrs=..., buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4, is_write=false) at exec.c:3466
  #13 0x0000562867f3bdd7 in cpu_memory_rw_debug (cpu=0x56286aa19d00, addr=1073745936, buf=0x7ffeecb0c7c0 "\340ǰ\354\376\177", len=4, is_write=0) at exec.c:3976
  #14 0x000056286811ed51 in memory_dump (mon=0x56286a8c32d0, count=1, format=120, wsize=4, addr=1073745936, is_physical=0) at monitor/misc.c:730
  #15 0x000056286811eff1 in hmp_memory_dump (mon=0x56286a8c32d0, qdict=0x56286b15c400) at monitor/misc.c:785
  #16 0x00005628684740ee in handle_hmp_command (mon=0x56286a8c32d0, cmdline=0x56286a8caeb2 "0x40001010") at monitor/hmp.c:1082

From the datasheet "Actel SmartFusion Microcontroller Subsystem
User's Guide" Rev.1, Table 13-3 "SPI Register Summary", this
register has a reset value of 0.

Check the FIFO is not empty before accessing it, else log an
error message.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20190709113715.7761-3-philmd@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/ssi/mss-spi.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/hw/ssi/mss-spi.c b/hw/ssi/mss-spi.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/ssi/mss-spi.c
+++ b/hw/ssi/mss-spi.c
@@ -XXX,XX +XXX,XX @@ spi_read(void *opaque, hwaddr addr, unsigned int size)
     case R_SPI_RX:
         s->regs[R_SPI_STATUS] &= ~S_RXFIFOFUL;
         s->regs[R_SPI_STATUS] &= ~S_RXCHOVRF;
-        ret = fifo32_pop(&s->rx_fifo);
+        if (fifo32_is_empty(&s->rx_fifo)) {
+            qemu_log_mask(LOG_GUEST_ERROR,
+                          "%s: Reading empty RX_FIFO\n",
+                          __func__);
+        } else {
+            ret = fifo32_pop(&s->rx_fifo);
+        }
         if (fifo32_is_empty(&s->rx_fifo)) {
             s->regs[R_SPI_STATUS] |= S_RXFIFOEMP;
         }
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

In the previous commit we fixed a crash when the guest read a
register that pop from an empty FIFO.
By auditing the repository, we found another similar use with
an easy way to reproduce:

$ qemu-system-aarch64 -M xlnx-zcu102 -monitor stdio -S
  QEMU 4.0.50 monitor - type 'help' for more information
  (qemu) xp/b 0xfd4a0134
  Aborted (core dumped)

(gdb) bt
  #0  0x00007f6936dea57f in raise () at /lib64/libc.so.6
  #1  0x00007f6936dd4895 in abort () at /lib64/libc.so.6
  #2  0x0000561ad32975ec in xlnx_dp_aux_pop_rx_fifo (s=0x7f692babee70) at hw/display/xlnx_dp.c:431
  #3  0x0000561ad3297dc0 in xlnx_dp_read (opaque=0x7f692babee70, offset=77, size=4) at hw/display/xlnx_dp.c:667
  #4  0x0000561ad321b896 in memory_region_read_accessor (mr=0x7f692babf620, addr=308, value=0x7ffe05c1db88, size=4, shift=0, mask=4294967295, attrs=...) at memory.c:439
  #5  0x0000561ad321bd70 in access_with_adjusted_size (addr=308, value=0x7ffe05c1db88, size=1, access_size_min=4, access_size_max=4, access_fn=0x561ad321b858 <memory_region_read_accessor>, mr=0x7f692babf620, attrs=...) at memory.c:569
  #6  0x0000561ad321e9d5 in memory_region_dispatch_read1 (mr=0x7f692babf620, addr=308, pval=0x7ffe05c1db88, size=1, attrs=...) at memory.c:1420
  #7  0x0000561ad321ea9d in memory_region_dispatch_read (mr=0x7f692babf620, addr=308, pval=0x7ffe05c1db88, size=1, attrs=...) at memory.c:1447
  #8  0x0000561ad31bd742 in flatview_read_continue (fv=0x561ad69c04f0, addr=4249485620, attrs=..., buf=0x7ffe05c1dcf0 "\020\335\301\005\376\177", len=1, addr1=308, l=1, mr=0x7f692babf620) at exec.c:3385
  #9  0x0000561ad31bd895 in flatview_read (fv=0x561ad69c04f0, addr=4249485620, attrs=..., buf=0x7ffe05c1dcf0 "\020\335\301\005\376\177", len=1) at exec.c:3423
  #10 0x0000561ad31bd90b in address_space_read_full (as=0x561ad5bb3020, addr=4249485620, attrs=..., buf=0x7ffe05c1dcf0 "\020\335\301\005\376\177", len=1) at exec.c:3436
  #11 0x0000561ad33b1c42 in address_space_read (len=1, buf=0x7ffe05c1dcf0 "\020\335\301\005\376\177", attrs=..., addr=4249485620, as=0x561ad5bb3020) at include/exec/memory.h:2131
  #12 0x0000561ad33b1c42 in memory_dump (mon=0x561ad59c4530, count=1, format=120, wsize=1, addr=4249485620, is_physical=1) at monitor/misc.c:723
  #13 0x0000561ad33b1fc1 in hmp_physical_memory_dump (mon=0x561ad59c4530, qdict=0x561ad6c6fd00) at monitor/misc.c:795
  #14 0x0000561ad37b4a9f in handle_hmp_command (mon=0x561ad59c4530, cmdline=0x561ad59d0f22 "/b 0x00000000fd4a0134") at monitor/hmp.c:1082

Fix by checking the FIFO is not empty before popping from it.

The datasheet is not clear about the reset value of this register,
we choose to return '0'.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20190709113715.7761-4-philmd@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/display/xlnx_dp.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/hw/display/xlnx_dp.c b/hw/display/xlnx_dp.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/display/xlnx_dp.c
+++ b/hw/display/xlnx_dp.c
@@ -XXX,XX +XXX,XX @@ static uint8_t xlnx_dp_aux_pop_rx_fifo(XlnxDPState *s)
     uint8_t ret;
 
     if (fifo8_is_empty(&s->rx_fifo)) {
-        DPRINTF("rx_fifo underflow..\n");
-        abort();
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "%s: Reading empty RX_FIFO\n",
+                      __func__);
+        /*
+         * The datasheet is not clear about the reset value, it seems
+         * to be unspecified. We choose to return '0'.
+         */
+        ret = 0;
+    } else {
+        ret = fifo8_pop(&s->rx_fifo);
+        DPRINTF("pop 0x%" PRIX8 " from rx_fifo.\n", ret);
     }
-    ret = fifo8_pop(&s->rx_fifo);
-    DPRINTF("pop 0x%" PRIX8 " from rx_fifo.\n", ret);
     return ret;
 }
 
-- 
2.20.1

From: David Engraf <david.engraf@sysgo.com>

Using the whole 128 MiB flash in non-secure mode is not working because
virt_flash_fdt() expects the same address for secure_sysmem and sysmem.
This is not correctly handled by caller because it forwards NULL for
secure_sysmem in non-secure flash mode.

Fixed by using sysmem when secure_sysmem is NULL.

Signed-off-by: David Engraf <david.engraf@sysgo.com>
Message-id: 20190712075002.14326-1-david.engraf@sysgo.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/virt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@ static void machvirt_init(MachineState *machine)
                                     &machine->device_memory->mr);
     }
 
-    virt_flash_fdt(vms, sysmem, secure_sysmem);
+    virt_flash_fdt(vms, sysmem, secure_sysmem ?: sysmem);
 
     create_gic(vms, pic);
 
-- 
2.20.1

The PL031 RTC tracks the difference between the guest RTC
and the host RTC using a tick_offset field. For migration,
however, we currently always migrate the offset between
the guest and the vm_clock, even if the RTC clock is not
the same as the vm_clock; this was an attempt to retain
migration backwards compatibility.

Unfortunately this results in the RTC behaving oddly across
a VM state save and restore -- since the VM clock stands still
across save-then-restore, regardless of how much real world
time has elapsed, the guest RTC ends up out of sync with the
host RTC in the restored VM.

Fix this by migrating the raw tick_offset. To retain migration
compatibility as far as possible, we have a new property
migrate-tick-offset; by default this is 'true' and we will
migrate the true tick offset in a new subsection; if the
incoming data has no subsection we fall back to the old
vm_clock-based offset information, so old->new migration
compatibility is preserved. For complete new->old migration
compatibility, the property is set to 'false' for 4.0 and
earlier machine types (this will only affect 'virt-4.0'
and below, as none of the other pl031-using machines are
versioned).

Reported-by: Russell King <rmk@armlinux.org.uk>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-id: 20190709143912.28905-1-peter.maydell@linaro.org
---
 include/hw/timer/pl031.h |  2 +
 hw/core/machine.c        |  1 +
 hw/timer/pl031.c         | 92 ++++++++++++++++++++++++++++++++++++++--
 3 files changed, 91 insertions(+), 4 deletions(-)

diff --git a/include/hw/timer/pl031.h b/include/hw/timer/pl031.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/timer/pl031.h
+++ b/include/hw/timer/pl031.h
@@ -XXX,XX +XXX,XX @@ typedef struct PL031State {
      */
     uint32_t tick_offset_vmstate;
     uint32_t tick_offset;
+    bool tick_offset_migrated;
+    bool migrate_tick_offset;
 
     uint32_t mr;
     uint32_t lr;
diff --git a/hw/core/machine.c b/hw/core/machine.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/core/machine.c
+++ b/hw/core/machine.c
@@ -XXX,XX +XXX,XX @@ GlobalProperty hw_compat_4_0[] = {
     { "virtio-gpu-pci", "edid", "false" },
     { "virtio-device", "use-started", "false" },
     { "virtio-balloon-device", "qemu-4-0-config-size", "true" },
+    { "pl031", "migrate-tick-offset", "false" },
 };
 const size_t hw_compat_4_0_len = G_N_ELEMENTS(hw_compat_4_0);
 
diff --git a/hw/timer/pl031.c b/hw/timer/pl031.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/timer/pl031.c
+++ b/hw/timer/pl031.c
@@ -XXX,XX +XXX,XX @@ static int pl031_pre_save(void *opaque)
 {
     PL031State *s = opaque;
 
-    /* tick_offset is base_time - rtc_clock base time.  Instead, we want to
-     * store the base time relative to the QEMU_CLOCK_VIRTUAL for backwards-compatibility.  */
+    /*
+     * The PL031 device model code uses the tick_offset field, which is
+     * the offset between what the guest RTC should read and what the
+     * QEMU rtc_clock reads:
+     *  guest_rtc = rtc_clock + tick_offset
+     * and so
+     *  tick_offset = guest_rtc - rtc_clock
+     *
+     * We want to migrate this offset, which sounds straightforward.
+     * Unfortunately older versions of QEMU migrated a conversion of this
+     * offset into an offset from the vm_clock. (This was in turn an
+     * attempt to be compatible with even older QEMU versions, but it
+     * has incorrect behaviour if the rtc_clock is not the same as the
+     * vm_clock.) So we put the actual tick_offset into a migration
+     * subsection, and the backwards-compatible time-relative-to-vm_clock
+     * in the main migration state.
+     *
+     * Calculate base time relative to QEMU_CLOCK_VIRTUAL:
+     */
     int64_t delta = qemu_clock_get_ns(rtc_clock) - qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
     s->tick_offset_vmstate = s->tick_offset + delta / NANOSECONDS_PER_SECOND;
 
     return 0;
 }
 
+static int pl031_pre_load(void *opaque)
+{
+    PL031State *s = opaque;
+
+    s->tick_offset_migrated = false;
+    return 0;
+}
+
 static int pl031_post_load(void *opaque, int version_id)
 {
     PL031State *s = opaque;
 
-    int64_t delta = qemu_clock_get_ns(rtc_clock) - qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
-    s->tick_offset = s->tick_offset_vmstate - delta / NANOSECONDS_PER_SECOND;
+    /*
+     * If we got the tick_offset subsection, then we can just use
+     * the value in that. Otherwise the source is an older QEMU and
+     * has given us the offset from the vm_clock; convert it back to
+     * an offset from the rtc_clock. This will cause time to incorrectly
+     * go backwards compared to the host RTC, but this is unavoidable.
+     */
+
+    if (!s->tick_offset_migrated) {
+        int64_t delta = qemu_clock_get_ns(rtc_clock) -
+            qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
+        s->tick_offset = s->tick_offset_vmstate -
+            delta / NANOSECONDS_PER_SECOND;
+    }
     pl031_set_alarm(s);
     return 0;
 }
 
+static int pl031_tick_offset_post_load(void *opaque, int version_id)
+{
+    PL031State *s = opaque;
+
+    s->tick_offset_migrated = true;
+    return 0;
+}
+
+static bool pl031_tick_offset_needed(void *opaque)
+{
+    PL031State *s = opaque;
+
+    return s->migrate_tick_offset;
+}
+
+static const VMStateDescription vmstate_pl031_tick_offset = {
+    .name = "pl031/tick-offset",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .needed = pl031_tick_offset_needed,
+    .post_load = pl031_tick_offset_post_load,
+    .fields = (VMStateField[]) {
+        VMSTATE_UINT32(tick_offset, PL031State),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
 static const VMStateDescription vmstate_pl031 = {
     .name = "pl031",
     .version_id = 1,
     .minimum_version_id = 1,
     .pre_save = pl031_pre_save,
+    .pre_load = pl031_pre_load,
     .post_load = pl031_post_load,
     .fields = (VMStateField[]) {
         VMSTATE_UINT32(tick_offset_vmstate, PL031State),
@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_pl031 = {
         VMSTATE_UINT32(im, PL031State),
         VMSTATE_UINT32(is, PL031State),
         VMSTATE_END_OF_LIST()
+    },
+    .subsections = (const VMStateDescription*[]) {
+        &vmstate_pl031_tick_offset,
+        NULL
     }
 };
 
+static Property pl031_properties[] = {
+    /*
+     * True to correctly migrate the tick offset of the RTC. False to
+     * obtain backward migration compatibility with older QEMU versions,
+     * at the expense of the guest RTC going backwards compared with the
+     * host RTC when the VM is saved/restored if using -rtc host.
+     * (Even if set to 'true' older QEMU can migrate forward to newer QEMU;
+     * 'false' also permits newer QEMU to migrate to older QEMU.)
+     */
+    DEFINE_PROP_BOOL("migrate-tick-offset",
+                     PL031State, migrate_tick_offset, true),
+    DEFINE_PROP_END_OF_LIST()
+};
+
 static void pl031_class_init(ObjectClass *klass, void *data)
 {
     DeviceClass *dc = DEVICE_CLASS(klass);
 
     dc->vmsd = &vmstate_pl031;
+    dc->props = pl031_properties;
 }
 
 static const TypeInfo pl031_info = {
-- 
2.20.1

The ARMv5 architecture didn't specify detailed per-feature ID
registers. Now that we're using the MVFR0 register fields to
gate the existence of VFP instructions, we need to set up
the correct values in the cpu->isar structure so that we still
provide an FPU to the guest.

This fixes a regression in the arm926 and arm1026 CPUs, which
are the only ones that both have VFP and are ARMv5 or earlier.
This regression was introduced by the VFP refactoring, and more
specifically by commits 1120827fa182f0e76 and 266bd25c485597c,
which accidentally disabled VFP short-vector support and
double-precision support on these CPUs.

Fixes: 1120827fa182f0e
Fixes: 266bd25c485597c
Fixes: https://bugs.launchpad.net/qemu/+bug/1836192
Reported-by: Christophe Lyon <christophe.lyon@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Tested-by: Christophe Lyon <christophe.lyon@linaro.org>
Message-id: 20190711131241.22231-1-peter.maydell@linaro.org
---
 target/arm/cpu.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm926_initfn(Object *obj)
      * set the field to indicate Jazelle support within QEMU.
      */
     cpu->isar.id_isar1 = FIELD_DP32(cpu->isar.id_isar1, ID_ISAR1, JAZELLE, 1);
+    /*
+     * Similarly, we need to set MVFR0 fields to enable double precision
+     * and short vector support even though ARMv5 doesn't have this register.
+     */
+    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPSHVEC, 1);
+    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPDP, 1);
 }
 
 static void arm946_initfn(Object *obj)
@@ -XXX,XX +XXX,XX @@ static void arm1026_initfn(Object *obj)
      * set the field to indicate Jazelle support within QEMU.
      */
     cpu->isar.id_isar1 = FIELD_DP32(cpu->isar.id_isar1, ID_ISAR1, JAZELLE, 1);
+    /*
+     * Similarly, we need to set MVFR0 fields to enable double precision
+     * and short vector support even though ARMv5 doesn't have this register.
+     */
+    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPSHVEC, 1);
+    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPDP, 1);
 
     {
         /* The 1026 had an IFAR at c6,c0,0,1 rather than the ARMv6 c6,c0,0,2 */
-- 
2.20.1

In the M-profile architecture, when we do a vector table fetch and it
fails, we need to report a HardFault.  Whether this is a Secure HF or
a NonSecure HF depends on several things.  If AIRCR.BFHFNMINS is 0
then HF is always Secure, because there is no NonSecure HardFault.
Otherwise, the answer depends on whether the 'underlying exception'
(MemManage, BusFault, SecureFault) targets Secure or NonSecure.  (In
the pseudocode, this is handled in the Vector() function: the final
exc.isSecure is calculated by looking at the exc.isSecure from the
exception returned from the memory access, not the isSecure input
argument.)

We weren't doing this correctly, because we were looking at
the target security domain of the exception we were trying to
load the vector table entry for. This produces errors of two kinds:
 * a load from the NS vector table which hits the "NS access
   to S memory" SecureFault should end up as a Secure HardFault,
   but we were raising an NS HardFault
 * a load from the S vector table which causes a BusFault
   should raise an NS HardFault if BFHFNMINS == 1 (because
   in that case all BusFaults are NonSecure), but we were raising
   a Secure HardFault

Correct the logic.

We also fix a comment error where we claimed that we might
be escalating MemManage to HardFault, and forgot about SecureFault.
(Vector loads can never hit MPU access faults, because they're
always aligned and always use the default address map.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20190705094823.28905-1-peter.maydell@linaro.org
---
 target/arm/m_helper.c | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/target/arm/m_helper.c b/target/arm/m_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/m_helper.c
+++ b/target/arm/m_helper.c
@@ -XXX,XX +XXX,XX @@ static bool arm_v7m_load_vector(ARMCPU *cpu, int exc, bool targets_secure,
         if (sattrs.ns) {
             attrs.secure = false;
         } else if (!targets_secure) {
-            /* NS access to S memory */
+            /*
+             * NS access to S memory: the underlying exception which we escalate
+             * to HardFault is SecureFault, which always targets Secure.
+             */
+            exc_secure = true;
             goto load_fail;
         }
     }
@@ -XXX,XX +XXX,XX @@ static bool arm_v7m_load_vector(ARMCPU *cpu, int exc, bool targets_secure,
     vector_entry = address_space_ldl(arm_addressspace(cs, attrs), addr,
                                      attrs, &result);
     if (result != MEMTX_OK) {
+        /*
+         * Underlying exception is BusFault: its target security state
+         * depends on BFHFNMINS.
+         */
+        exc_secure = !(cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK);
         goto load_fail;
     }
     *pvec = vector_entry;
@@ -XXX,XX +XXX,XX @@ load_fail:
     /*
      * All vector table fetch fails are reported as HardFault, with
      * HFSR.VECTTBL and .FORCED set. (FORCED is set because
-     * technically the underlying exception is a MemManage or BusFault
+     * technically the underlying exception is a SecureFault or BusFault
      * that is escalated to HardFault.) This is a terminal exception,
      * so we will either take the HardFault immediately or else enter
      * lockup (the latter case is handled in armv7m_nvic_set_pending_derived()).
+     * The HardFault is Secure if BFHFNMINS is 0 (meaning that all HFs are
+     * secure); otherwise it targets the same security state as the
+     * underlying exception.
      */
-    exc_secure = targets_secure ||
-        !(cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK);
+    if (!(cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK)) {
+        exc_secure = true;
+    }
     env->v7m.hfsr |= R_V7M_HFSR_VECTTBL_MASK | R_V7M_HFSR_FORCED_MASK;
     armv7m_nvic_set_pending_derived(env->nvic, ARMV7M_EXCP_HARD, exc_secure);
     return false;
-- 
2.20.1

I might squeeze in another pullreq before softfreeze, but the
queue was already big enough that I wanted to send this lot out now.

-- PMM

The following changes since commit 4abf70a661a5df3886ac9d7c19c3617fa92b922a:

Merge remote-tracking branch 'remotes/maxreitz/tags/pull-block-2020-06-24' into staging (2020-07-03 15:34:45 +0100)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20200703

for you to fetch changes up to 0f10bf84a9d489259a5b11c6aa1b05c1175b76ea:

Deprecate TileGX port (2020-07-03 16:59:46 +0100)

----------------------------------------------------------------
target-arm queue:
 * i.MX6UL EVK board: put PHYs in the correct places
 * hw/arm/virt: Let the virtio-iommu bypass MSIs
 * target/arm: kvm: Handle DABT with no valid ISS
 * hw/arm/virt-acpi-build: Only expose flash on older machine types
 * target/arm: Fix temp double-free in sve ldr/str
 * hw/display/bcm2835_fb.c: Initialize all fields of struct
 * hw/arm/spitz: Code cleanup to fix Coverity-detected memory leak
 * Deprecate TileGX port

----------------------------------------------------------------
Andrew Jones (4):
      tests/acpi: remove stale allowed tables
      tests/acpi: virt: allow DSDT acpi table changes
      hw/arm/virt-acpi-build: Only expose flash on older machine types
      tests/acpi: virt: update golden masters for DSDT

Beata Michalska (2):
      target/arm: kvm: Handle DABT with no valid ISS
      target/arm: kvm: Handle misconfigured dabt injection

Eric Auger (5):
      qdev: Introduce DEFINE_PROP_RESERVED_REGION
      virtio-iommu: Implement RESV_MEM probe request
      virtio-iommu: Handle reserved regions in the translation process
      virtio-iommu-pci: Add array of Interval properties
      hw/arm/virt: Let the virtio-iommu bypass MSIs

Jean-Christophe Dubois (3):
      Add a phy-num property to the i.MX FEC emulator
      Add the ability to select a different PHY for each i.MX6UL FEC interface
      Select MDIO device 2 and 1 as PHY devices for i.MX6UL EVK board.

Peter Maydell (19):
      hw/display/bcm2835_fb.c: Initialize all fields of struct
      hw/arm/spitz: Detabify
      hw/arm/spitz: Create SpitzMachineClass abstract base class
      hw/arm/spitz: Keep pointers to MPU and SSI devices in SpitzMachineState
      hw/arm/spitz: Keep pointers to scp0, scp1 in SpitzMachineState
      hw/arm/spitz: Implement inbound GPIO lines for bit5 and power signals
      hw/misc/max111x: provide QOM properties for setting initial values
      hw/misc/max111x: Don't use vmstate_register()
      ssi: Add ssi_realize_and_unref()
      hw/arm/spitz: Use max111x properties to set initial values
      hw/misc/max111x: Use GPIO lines rather than max111x_set_input()
      hw/misc/max111x: Create header file for documentation, TYPE_ macros
      hw/arm/spitz: Encapsulate misc GPIO handling in a device
      hw/gpio/zaurus.c: Use LOG_GUEST_ERROR for bad guest register accesses
      hw/arm/spitz: Use LOG_GUEST_ERROR for bad guest register accesses
      hw/arm/pxa2xx_pic: Use LOG_GUEST_ERROR for bad guest register accesses
      hw/arm/spitz: Provide usual QOM macros for corgi-ssp and spitz-lcdtg
      Replace uses of FROM_SSI_SLAVE() macro with QOM casts
      Deprecate TileGX port

Richard Henderson (1):
      target/arm: Fix temp double-free in sve ldr/str

From: Jean-Christophe Dubois <jcd@tribudubois.net>

We need a solution to use an Ethernet PHY that is not the first device
on the MDIO bus (device 0 on MDIO bus).

As an example with the i.MX6UL the NXP SOC has 2 Ethernet devices but
only one MDIO bus on which the 2 related PHY are connected but at unique
addresses.

Signed-off-by: Jean-Christophe Dubois <jcd@tribudubois.net>
Message-id: a1a5c0e139d1c763194b8020573dcb6025daeefa.1593296112.git.jcd@tribudubois.net
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/net/imx_fec.h |  1 +
 hw/net/imx_fec.c         | 24 +++++++++++++++++-------
 hw/net/trace-events      |  4 ++--
 3 files changed, 20 insertions(+), 9 deletions(-)

diff --git a/include/hw/net/imx_fec.h b/include/hw/net/imx_fec.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/net/imx_fec.h
+++ b/include/hw/net/imx_fec.h
@@ -XXX,XX +XXX,XX @@ typedef struct IMXFECState {
     uint32_t phy_advertise;
     uint32_t phy_int;
     uint32_t phy_int_mask;
+    uint32_t phy_num;
 
     bool is_fec;
 
diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/net/imx_fec.c
+++ b/hw/net/imx_fec.c
@@ -XXX,XX +XXX,XX @@ static void imx_phy_reset(IMXFECState *s)
 static uint32_t imx_phy_read(IMXFECState *s, int reg)
 {
     uint32_t val;
+    uint32_t phy = reg / 32;
 
-    if (reg > 31) {
-        /* we only advertise one phy */
+    if (phy != s->phy_num) {
+        qemu_log_mask(LOG_GUEST_ERROR, "[%s.phy]%s: Bad phy num %u\n",
+                      TYPE_IMX_FEC, __func__, phy);
         return 0;
     }
 
+    reg %= 32;
+
     switch (reg) {
     case 0:     /* Basic Control */
         val = s->phy_control;
@@ -XXX,XX +XXX,XX @@ static uint32_t imx_phy_read(IMXFECState *s, int reg)
         break;
     }
 
-    trace_imx_phy_read(val, reg);
+    trace_imx_phy_read(val, phy, reg);
 
     return val;
 }
 
 static void imx_phy_write(IMXFECState *s, int reg, uint32_t val)
 {
-    trace_imx_phy_write(val, reg);
+    uint32_t phy = reg / 32;
 
-    if (reg > 31) {
-        /* we only advertise one phy */
+    if (phy != s->phy_num) {
+        qemu_log_mask(LOG_GUEST_ERROR, "[%s.phy]%s: Bad phy num %u\n",
+                      TYPE_IMX_FEC, __func__, phy);
         return;
     }
 
+    reg %= 32;
+
+    trace_imx_phy_write(val, phy, reg);
+
     switch (reg) {
     case 0:     /* Basic Control */
         if (val & 0x8000) {
@@ -XXX,XX +XXX,XX @@ static void imx_eth_write(void *opaque, hwaddr offset, uint64_t value,
                                                        extract32(value,
                                                                  18, 10)));
         } else {
-            /* This a write operation */
+            /* This is a write operation */
             imx_phy_write(s, extract32(value, 18, 10), extract32(value, 0, 16));
         }
         /* raise the interrupt as the PHY operation is done */
@@ -XXX,XX +XXX,XX @@ static void imx_eth_realize(DeviceState *dev, Error **errp)
 static Property imx_eth_properties[] = {
     DEFINE_NIC_PROPERTIES(IMXFECState, conf),
     DEFINE_PROP_UINT32("tx-ring-num", IMXFECState, tx_ring_num, 1),
+    DEFINE_PROP_UINT32("phy-num", IMXFECState, phy_num, 0),
     DEFINE_PROP_END_OF_LIST(),
 };
 
diff --git a/hw/net/trace-events b/hw/net/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/hw/net/trace-events
+++ b/hw/net/trace-events
@@ -XXX,XX +XXX,XX @@ i82596_set_multicast(uint16_t count) "Added %d multicast entries"
 i82596_channel_attention(void *s) "%p: Received CHANNEL ATTENTION"
 
 # imx_fec.c
-imx_phy_read(uint32_t val, int reg) "0x%04"PRIx32" <= reg[%d]"
-imx_phy_write(uint32_t val, int reg) "0x%04"PRIx32" => reg[%d]"
+imx_phy_read(uint32_t val, int phy, int reg) "0x%04"PRIx32" <= phy[%d].reg[%d]"
+imx_phy_write(uint32_t val, int phy, int reg) "0x%04"PRIx32" => phy[%d].reg[%d]"
 imx_phy_update_link(const char *s) "%s"
 imx_phy_reset(void) ""
 imx_fec_read_bd(uint64_t addr, int flags, int len, int data) "tx_bd 0x%"PRIx64" flags 0x%04x len %d data 0x%08x"
-- 
2.20.1

From: Jean-Christophe Dubois <jcd@tribudubois.net>

Add properties to the i.MX6UL processor to be able to select a
particular PHY on the MDIO bus for each FEC device.

Signed-off-by: Jean-Christophe Dubois <jcd@tribudubois.net>
Message-id: ea1d604198b6b73ea6521676e45bacfc597aba53.1593296112.git.jcd@tribudubois.net
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/arm/fsl-imx6ul.h |  2 ++
 hw/arm/fsl-imx6ul.c         | 10 ++++++++++
 2 files changed, 12 insertions(+)

diff --git a/include/hw/arm/fsl-imx6ul.h b/include/hw/arm/fsl-imx6ul.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/fsl-imx6ul.h
+++ b/include/hw/arm/fsl-imx6ul.h
@@ -XXX,XX +XXX,XX @@ typedef struct FslIMX6ULState {
     MemoryRegion       caam;
     MemoryRegion       ocram;
     MemoryRegion       ocram_alias;
+
+    uint32_t           phy_num[FSL_IMX6UL_NUM_ETHS];
 } FslIMX6ULState;
 
 enum FslIMX6ULMemoryMap {
diff --git a/hw/arm/fsl-imx6ul.c b/hw/arm/fsl-imx6ul.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/fsl-imx6ul.c
+++ b/hw/arm/fsl-imx6ul.c
@@ -XXX,XX +XXX,XX @@ static void fsl_imx6ul_realize(DeviceState *dev, Error **errp)
             FSL_IMX6UL_ENET2_TIMER_IRQ,
         };
 
+        object_property_set_uint(OBJECT(&s->eth[i]),
+                                 s->phy_num[i],
+                                 "phy-num", &error_abort);
         object_property_set_uint(OBJECT(&s->eth[i]),
                                  FSL_IMX6UL_ETH_NUM_TX_RINGS,
                                  "tx-ring-num", &error_abort);
@@ -XXX,XX +XXX,XX @@ static void fsl_imx6ul_realize(DeviceState *dev, Error **errp)
                                 FSL_IMX6UL_OCRAM_ALIAS_ADDR, &s->ocram_alias);
 }
 
+static Property fsl_imx6ul_properties[] = {
+    DEFINE_PROP_UINT32("fec1-phy-num", FslIMX6ULState, phy_num[0], 0),
+    DEFINE_PROP_UINT32("fec2-phy-num", FslIMX6ULState, phy_num[1], 1),
+    DEFINE_PROP_END_OF_LIST(),
+};
+
 static void fsl_imx6ul_class_init(ObjectClass *oc, void *data)
 {
     DeviceClass *dc = DEVICE_CLASS(oc);
 
+    device_class_set_props(dc, fsl_imx6ul_properties);
     dc->realize = fsl_imx6ul_realize;
     dc->desc = "i.MX6UL SOC";
     /* Reason: Uses serial_hds and nd_table in realize() directly */
-- 
2.20.1

From: Jean-Christophe Dubois <jcd@tribudubois.net>

The i.MX6UL EVK 14x14 board uses:
- PHY 2 for FEC 1
- PHY 1 for FEC 2

Signed-off-by: Jean-Christophe Dubois <jcd@tribudubois.net>
Message-id: fb41992126c091a71d76ab3d1898959091f60583.1593296112.git.jcd@tribudubois.net
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/mcimx6ul-evk.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/hw/arm/mcimx6ul-evk.c b/hw/arm/mcimx6ul-evk.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/mcimx6ul-evk.c
+++ b/hw/arm/mcimx6ul-evk.c
@@ -XXX,XX +XXX,XX @@ static void mcimx6ul_evk_init(MachineState *machine)
 
     s = FSL_IMX6UL(object_new(TYPE_FSL_IMX6UL));
     object_property_add_child(OBJECT(machine), "soc", OBJECT(s));
+    object_property_set_uint(OBJECT(s), 2, "fec1-phy-num", &error_fatal);
+    object_property_set_uint(OBJECT(s), 1, "fec2-phy-num", &error_fatal);
     qdev_realize(DEVICE(s), NULL, &error_fatal);
 
     memory_region_add_subregion(get_system_memory(), FSL_IMX6UL_MMDC_ADDR,
-- 
2.20.1

From: Eric Auger <eric.auger@redhat.com>

Introduce a new property defining a reserved region:
<low address>:<high address>:<type>.

This will be used to encode reserved IOVA regions.

For instance, in virtio-iommu use case, reserved IOVA regions
will be passed by the machine code to the virtio-iommu-pci
device (an array of those). The type of the reserved region
will match the virtio_iommu_probe_resv_mem subtype value:
- VIRTIO_IOMMU_RESV_MEM_T_RESERVED (0)
- VIRTIO_IOMMU_RESV_MEM_T_MSI (1)

on PC/Q35 machine, this will be used to inform the
virtio-iommu-pci device it should bypass the MSI region.
The reserved region will be: 0xfee00000:0xfeefffff:1.

On ARM, we can declare the ITS MSI doorbell as an MSI
region to prevent MSIs from being mapped on guest side.

Signed-off-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Message-id: 20200629070404.10969-2-eric.auger@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/exec/memory.h        |  6 +++
 include/hw/qdev-properties.h |  3 ++
 include/qemu/typedefs.h      |  1 +
 hw/core/qdev-properties.c    | 89 ++++++++++++++++++++++++++++++++++++
 4 files changed, 99 insertions(+)

diff --git a/include/exec/memory.h b/include/exec/memory.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/memory.h
+++ b/include/exec/memory.h
@@ -XXX,XX +XXX,XX @@ extern bool global_dirty_log;
 
 typedef struct MemoryRegionOps MemoryRegionOps;
 
+struct ReservedRegion {
+    hwaddr low;
+    hwaddr high;
+    unsigned type;
+};
+
 typedef struct IOMMUTLBEntry IOMMUTLBEntry;
 
 /* See address_space_translate: bit 0 is read, bit 1 is write.  */
diff --git a/include/hw/qdev-properties.h b/include/hw/qdev-properties.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/qdev-properties.h
+++ b/include/hw/qdev-properties.h
@@ -XXX,XX +XXX,XX @@ extern const PropertyInfo qdev_prop_string;
 extern const PropertyInfo qdev_prop_chr;
 extern const PropertyInfo qdev_prop_tpm;
 extern const PropertyInfo qdev_prop_macaddr;
+extern const PropertyInfo qdev_prop_reserved_region;
 extern const PropertyInfo qdev_prop_on_off_auto;
 extern const PropertyInfo qdev_prop_multifd_compression;
 extern const PropertyInfo qdev_prop_losttickpolicy;
@@ -XXX,XX +XXX,XX @@ extern const PropertyInfo qdev_prop_pcie_link_width;
     DEFINE_PROP(_n, _s, _f, qdev_prop_drive_iothread, BlockBackend *)
 #define DEFINE_PROP_MACADDR(_n, _s, _f)         \
     DEFINE_PROP(_n, _s, _f, qdev_prop_macaddr, MACAddr)
+#define DEFINE_PROP_RESERVED_REGION(_n, _s, _f)         \
+    DEFINE_PROP(_n, _s, _f, qdev_prop_reserved_region, ReservedRegion)
 #define DEFINE_PROP_ON_OFF_AUTO(_n, _s, _f, _d) \
     DEFINE_PROP_SIGNED(_n, _s, _f, _d, qdev_prop_on_off_auto, OnOffAuto)
 #define DEFINE_PROP_MULTIFD_COMPRESSION(_n, _s, _f, _d) \
diff --git a/include/qemu/typedefs.h b/include/qemu/typedefs.h
index XXXXXXX..XXXXXXX 100644
--- a/include/qemu/typedefs.h
+++ b/include/qemu/typedefs.h
@@ -XXX,XX +XXX,XX @@ typedef struct ISABus ISABus;
 typedef struct ISADevice ISADevice;
 typedef struct IsaDma IsaDma;
 typedef struct MACAddr MACAddr;
+typedef struct ReservedRegion ReservedRegion;
 typedef struct MachineClass MachineClass;
 typedef struct MachineState MachineState;
 typedef struct MemoryListener MemoryListener;
diff --git a/hw/core/qdev-properties.c b/hw/core/qdev-properties.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/core/qdev-properties.c
+++ b/hw/core/qdev-properties.c
@@ -XXX,XX +XXX,XX @@
 #include "chardev/char.h"
 #include "qemu/uuid.h"
 #include "qemu/units.h"
+#include "qemu/cutils.h"
 
 void qdev_prop_set_after_realize(DeviceState *dev, const char *name,
                                   Error **errp)
@@ -XXX,XX +XXX,XX @@ const PropertyInfo qdev_prop_macaddr = {
     .set   = set_mac,
 };
 
+/* --- Reserved Region --- */
+
+/*
+ * Accepted syntax:
+ *   <low address>:<high address>:<type>
+ *   where low/high addresses are uint64_t in hexadecimal
+ *   and type is a non-negative decimal integer
+ */
+static void get_reserved_region(Object *obj, Visitor *v, const char *name,
+                                void *opaque, Error **errp)
+{
+    DeviceState *dev = DEVICE(obj);
+    Property *prop = opaque;
+    ReservedRegion *rr = qdev_get_prop_ptr(dev, prop);
+    char buffer[64];
+    char *p = buffer;
+    int rc;
+
+    rc = snprintf(buffer, sizeof(buffer), "0x%"PRIx64":0x%"PRIx64":%u",
+                  rr->low, rr->high, rr->type);
+    assert(rc < sizeof(buffer));
+
+    visit_type_str(v, name, &p, errp);
+}
+
+static void set_reserved_region(Object *obj, Visitor *v, const char *name,
+                                void *opaque, Error **errp)
+{
+    DeviceState *dev = DEVICE(obj);
+    Property *prop = opaque;
+    ReservedRegion *rr = qdev_get_prop_ptr(dev, prop);
+    Error *local_err = NULL;
+    const char *endptr;
+    char *str;
+    int ret;
+
+    if (dev->realized) {
+        qdev_prop_set_after_realize(dev, name, errp);
+        return;
+    }
+
+    visit_type_str(v, name, &str, &local_err);
+    if (local_err) {
+        error_propagate(errp, local_err);
+        return;
+    }
+
+    ret = qemu_strtou64(str, &endptr, 16, &rr->low);
+    if (ret) {
+        error_setg(errp, "start address of '%s'"
+                   " must be a hexadecimal integer", name);
+        goto out;
+    }
+    if (*endptr != ':') {
+        goto separator_error;
+    }
+
+    ret = qemu_strtou64(endptr + 1, &endptr, 16, &rr->high);
+    if (ret) {
+        error_setg(errp, "end address of '%s'"
+                   " must be a hexadecimal integer", name);
+        goto out;
+    }
+    if (*endptr != ':') {
+        goto separator_error;
+    }
+
+    ret = qemu_strtoui(endptr + 1, &endptr, 10, &rr->type);
+    if (ret) {
+        error_setg(errp, "type of '%s'"
+                   " must be a non-negative decimal integer", name);
+    }
+    goto out;
+
+separator_error:
+    error_setg(errp, "reserved region fields must be separated with ':'");
+out:
+    g_free(str);
+    return;
+}
+
+const PropertyInfo qdev_prop_reserved_region = {
+    .name  = "reserved_region",
+    .description = "Reserved Region, example: 0xFEE00000:0xFEEFFFFF:0",
+    .get   = get_reserved_region,
+    .set   = set_reserved_region,
+};
+
 /* --- on/off/auto --- */
 
 const PropertyInfo qdev_prop_on_off_auto = {
-- 
2.20.1

From: Eric Auger <eric.auger@redhat.com>

This patch implements the PROBE request. At the moment,
only THE RESV_MEM property is handled. The first goal is
to report iommu wide reserved regions such as the MSI regions
set by the machine code. On x86 this will be the IOAPIC MSI
region, [0xFEE00000 - 0xFEEFFFFF], on ARM this may be the ITS
doorbell.

In the future we may introduce per device reserved regions.
This will be useful when protecting host assigned devices
which may expose their own reserved regions

Signed-off-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Message-id: 20200629070404.10969-3-eric.auger@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/virtio/virtio-iommu.h |  2 +
 hw/virtio/virtio-iommu.c         | 94 ++++++++++++++++++++++++++++++--
 hw/virtio/trace-events           |  1 +
 3 files changed, 93 insertions(+), 4 deletions(-)

diff --git a/include/hw/virtio/virtio-iommu.h b/include/hw/virtio/virtio-iommu.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/virtio/virtio-iommu.h
+++ b/include/hw/virtio/virtio-iommu.h
@@ -XXX,XX +XXX,XX @@ typedef struct VirtIOIOMMU {
     GHashTable *as_by_busptr;
     IOMMUPciBus *iommu_pcibus_by_bus_num[PCI_BUS_MAX];
     PCIBus *primary_bus;
+    ReservedRegion *reserved_regions;
+    uint32_t nb_reserved_regions;
     GTree *domains;
     QemuMutex mutex;
     GTree *endpoints;
diff --git a/hw/virtio/virtio-iommu.c b/hw/virtio/virtio-iommu.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/virtio/virtio-iommu.c
+++ b/hw/virtio/virtio-iommu.c
@@ -XXX,XX +XXX,XX @@
 
 /* Max size */
 #define VIOMMU_DEFAULT_QUEUE_SIZE 256
+#define VIOMMU_PROBE_SIZE 512
 
 typedef struct VirtIOIOMMUDomain {
     uint32_t id;
@@ -XXX,XX +XXX,XX @@ static int virtio_iommu_unmap(VirtIOIOMMU *s,
     return ret;
 }
 
+static ssize_t virtio_iommu_fill_resv_mem_prop(VirtIOIOMMU *s, uint32_t ep,
+                                               uint8_t *buf, size_t free)
+{
+    struct virtio_iommu_probe_resv_mem prop = {};
+    size_t size = sizeof(prop), length = size - sizeof(prop.head), total;
+    int i;
+
+    total = size * s->nb_reserved_regions;
+
+    if (total > free) {
+        return -ENOSPC;
+    }
+
+    for (i = 0; i < s->nb_reserved_regions; i++) {
+        unsigned subtype = s->reserved_regions[i].type;
+
+        assert(subtype == VIRTIO_IOMMU_RESV_MEM_T_RESERVED ||
+               subtype == VIRTIO_IOMMU_RESV_MEM_T_MSI);
+        prop.head.type = cpu_to_le16(VIRTIO_IOMMU_PROBE_T_RESV_MEM);
+        prop.head.length = cpu_to_le16(length);
+        prop.subtype = subtype;
+        prop.start = cpu_to_le64(s->reserved_regions[i].low);
+        prop.end = cpu_to_le64(s->reserved_regions[i].high);
+
+        memcpy(buf, &prop, size);
+
+        trace_virtio_iommu_fill_resv_property(ep, prop.subtype,
+                                              prop.start, prop.end);
+        buf += size;
+    }
+    return total;
+}
+
+/**
+ * virtio_iommu_probe - Fill the probe request buffer with
+ * the properties the device is able to return
+ */
+static int virtio_iommu_probe(VirtIOIOMMU *s,
+                              struct virtio_iommu_req_probe *req,
+                              uint8_t *buf)
+{
+    uint32_t ep_id = le32_to_cpu(req->endpoint);
+    size_t free = VIOMMU_PROBE_SIZE;
+    ssize_t count;
+
+    if (!virtio_iommu_mr(s, ep_id)) {
+        return VIRTIO_IOMMU_S_NOENT;
+    }
+
+    count = virtio_iommu_fill_resv_mem_prop(s, ep_id, buf, free);
+    if (count < 0) {
+        return VIRTIO_IOMMU_S_INVAL;
+    }
+    buf += count;
+    free -= count;
+
+    return VIRTIO_IOMMU_S_OK;
+}
+
 static int virtio_iommu_iov_to_req(struct iovec *iov,
                                    unsigned int iov_cnt,
                                    void *req, size_t req_sz)
@@ -XXX,XX +XXX,XX @@ virtio_iommu_handle_req(detach)
 virtio_iommu_handle_req(map)
 virtio_iommu_handle_req(unmap)
 
+static int virtio_iommu_handle_probe(VirtIOIOMMU *s,
+                                     struct iovec *iov,
+                                     unsigned int iov_cnt,
+                                     uint8_t *buf)
+{
+    struct virtio_iommu_req_probe req;
+    int ret = virtio_iommu_iov_to_req(iov, iov_cnt, &req, sizeof(req));
+
+    return ret ? ret : virtio_iommu_probe(s, &req, buf);
+}
+
 static void virtio_iommu_handle_command(VirtIODevice *vdev, VirtQueue *vq)
 {
     VirtIOIOMMU *s = VIRTIO_IOMMU(vdev);
     struct virtio_iommu_req_head head;
     struct virtio_iommu_req_tail tail = {};
+    size_t output_size = sizeof(tail), sz;
     VirtQueueElement *elem;
     unsigned int iov_cnt;
     struct iovec *iov;
-    size_t sz;
+    void *buf = NULL;
 
     for (;;) {
         elem = virtqueue_pop(vq, sizeof(VirtQueueElement));
@@ -XXX,XX +XXX,XX @@ static void virtio_iommu_handle_command(VirtIODevice *vdev, VirtQueue *vq)
         case VIRTIO_IOMMU_T_UNMAP:
             tail.status = virtio_iommu_handle_unmap(s, iov, iov_cnt);
             break;
+        case VIRTIO_IOMMU_T_PROBE:
+        {
+            struct virtio_iommu_req_tail *ptail;
+
+            output_size = s->config.probe_size + sizeof(tail);
+            buf = g_malloc0(output_size);
+
+            ptail = (struct virtio_iommu_req_tail *)
+                        (buf + s->config.probe_size);
+            ptail->status = virtio_iommu_handle_probe(s, iov, iov_cnt, buf);
+        }
         default:
             tail.status = VIRTIO_IOMMU_S_UNSUPP;
         }
@@ -XXX,XX +XXX,XX @@ static void virtio_iommu_handle_command(VirtIODevice *vdev, VirtQueue *vq)
 
 out:
         sz = iov_from_buf(elem->in_sg, elem->in_num, 0,
-                          &tail, sizeof(tail));
-        assert(sz == sizeof(tail));
+                          buf ? buf : &tail, output_size);
+        assert(sz == output_size);
 
-        virtqueue_push(vq, elem, sizeof(tail));
+        virtqueue_push(vq, elem, sz);
         virtio_notify(vdev, vq);
         g_free(elem);
+        g_free(buf);
     }
 }
 
@@ -XXX,XX +XXX,XX @@ static void virtio_iommu_device_realize(DeviceState *dev, Error **errp)
     s->config.page_size_mask = TARGET_PAGE_MASK;
     s->config.input_range.end = -1UL;
     s->config.domain_range.end = 32;
+    s->config.probe_size = VIOMMU_PROBE_SIZE;
 
     virtio_add_feature(&s->features, VIRTIO_RING_F_EVENT_IDX);
     virtio_add_feature(&s->features, VIRTIO_RING_F_INDIRECT_DESC);
@@ -XXX,XX +XXX,XX @@ static void virtio_iommu_device_realize(DeviceState *dev, Error **errp)
     virtio_add_feature(&s->features, VIRTIO_IOMMU_F_MAP_UNMAP);
     virtio_add_feature(&s->features, VIRTIO_IOMMU_F_BYPASS);
     virtio_add_feature(&s->features, VIRTIO_IOMMU_F_MMIO);
+    virtio_add_feature(&s->features, VIRTIO_IOMMU_F_PROBE);
 
     qemu_mutex_init(&s->mutex);
 
diff --git a/hw/virtio/trace-events b/hw/virtio/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/hw/virtio/trace-events
+++ b/hw/virtio/trace-events
@@ -XXX,XX +XXX,XX @@ virtio_iommu_get_domain(uint32_t domain_id) "Alloc domain=%d"
 virtio_iommu_put_domain(uint32_t domain_id) "Free domain=%d"
 virtio_iommu_translate_out(uint64_t virt_addr, uint64_t phys_addr, uint32_t sid) "0x%"PRIx64" -> 0x%"PRIx64 " for sid=%d"
 virtio_iommu_report_fault(uint8_t reason, uint32_t flags, uint32_t endpoint, uint64_t addr) "FAULT reason=%d flags=%d endpoint=%d address =0x%"PRIx64
+virtio_iommu_fill_resv_property(uint32_t devid, uint8_t subtype, uint64_t start, uint64_t end) "dev= %d, type=%d start=0x%"PRIx64" end=0x%"PRIx64
-- 
2.20.1

From: Eric Auger <eric.auger@redhat.com>

When translating an address we need to check if it belongs to
a reserved virtual address range. If it does, there are 2 cases:

- it belongs to a RESERVED region: the guest should neither use
  this address in a MAP not instruct the end-point to DMA on
  them. We report an error

- It belongs to an MSI region: we bypass the translation.

Signed-off-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Peter Xu <peterx@redhat.com>
Reviewed-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Message-id: 20200629070404.10969-4-eric.auger@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/virtio/virtio-iommu.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/hw/virtio/virtio-iommu.c b/hw/virtio/virtio-iommu.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/virtio/virtio-iommu.c
+++ b/hw/virtio/virtio-iommu.c
@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry virtio_iommu_translate(IOMMUMemoryRegion *mr, hwaddr addr,
     uint32_t sid, flags;
     bool bypass_allowed;
     bool found;
+    int i;
 
     interval.low = addr;
     interval.high = addr + 1;
@@ -XXX,XX +XXX,XX @@ static IOMMUTLBEntry virtio_iommu_translate(IOMMUMemoryRegion *mr, hwaddr addr,
         goto unlock;
     }
 
+    for (i = 0; i < s->nb_reserved_regions; i++) {
+        ReservedRegion *reg = &s->reserved_regions[i];
+
+        if (addr >= reg->low && addr <= reg->high) {
+            switch (reg->type) {
+            case VIRTIO_IOMMU_RESV_MEM_T_MSI:
+                entry.perm = flag;
+                break;
+            case VIRTIO_IOMMU_RESV_MEM_T_RESERVED:
+            default:
+                virtio_iommu_report_fault(s, VIRTIO_IOMMU_FAULT_R_MAPPING,
+                                          VIRTIO_IOMMU_FAULT_F_ADDRESS,
+                                          sid, addr);
+                break;
+            }
+            goto unlock;
+        }
+    }
+
     if (!ep->domain) {
         if (!bypass_allowed) {
             error_report_once("%s %02x:%02x.%01x not attached to any domain",
-- 
2.20.1

From: Eric Auger <eric.auger@redhat.com>

The machine may need to pass reserved regions to the
virtio-iommu-pci device (such as the MSI window on x86
or the MSI doorbells on ARM).

So let's add an array of Interval properties.

Note: if some reserved regions are already set by the
machine code - which should be the case in general -,
the length of the property array is already set and
prevents the end-user from modifying them. For example,
attempting to use:

-device virtio-iommu-pci,\
 len-reserved-regions=1,reserved-regions[0]=0xfee00000:0xfeefffff:1

would result in the following error message:

qemu-system-aarch64: -device virtio-iommu-pci,addr=0xa,
len-reserved-regions=1,reserved-regions[0]=0xfee00000:0xfeefffff:1:
array size property len-reserved-regions may not be set more than once

Otherwise, for example, adding two reserved regions is achieved
using the following options:

-device virtio-iommu-pci,addr=0xa,len-reserved-regions=2,\
 reserved-regions[0]=0xfee00000:0xfeefffff:1,\
 reserved-regions[1]=0x1000000:100ffff:1

Signed-off-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Reviewed-by: Peter Xu <peterx@redhat.com>
Message-id: 20200629070404.10969-5-eric.auger@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/virtio/virtio-iommu-pci.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/hw/virtio/virtio-iommu-pci.c b/hw/virtio/virtio-iommu-pci.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/virtio/virtio-iommu-pci.c
+++ b/hw/virtio/virtio-iommu-pci.c
@@ -XXX,XX +XXX,XX @@ struct VirtIOIOMMUPCI {
 
 static Property virtio_iommu_pci_properties[] = {
     DEFINE_PROP_UINT32("class", VirtIOPCIProxy, class_code, 0),
+    DEFINE_PROP_ARRAY("reserved-regions", VirtIOIOMMUPCI,
+                      vdev.nb_reserved_regions, vdev.reserved_regions,
+                      qdev_prop_reserved_region, ReservedRegion),
     DEFINE_PROP_END_OF_LIST(),
 };
 
@@ -XXX,XX +XXX,XX @@ static void virtio_iommu_pci_realize(VirtIOPCIProxy *vpci_dev, Error **errp)
 {
     VirtIOIOMMUPCI *dev = VIRTIO_IOMMU_PCI(vpci_dev);
     DeviceState *vdev = DEVICE(&dev->vdev);
+    VirtIOIOMMU *s = VIRTIO_IOMMU(vdev);
 
     if (!qdev_get_machine_hotplug_handler(DEVICE(vpci_dev))) {
         MachineClass *mc = MACHINE_GET_CLASS(qdev_get_machine());
@@ -XXX,XX +XXX,XX @@ static void virtio_iommu_pci_realize(VirtIOPCIProxy *vpci_dev, Error **errp)
                           "-no-acpi\n");
         return;
     }
+    for (int i = 0; i < s->nb_reserved_regions; i++) {
+        if (s->reserved_regions[i].type != VIRTIO_IOMMU_RESV_MEM_T_RESERVED &&
+            s->reserved_regions[i].type != VIRTIO_IOMMU_RESV_MEM_T_MSI) {
+            error_setg(errp, "reserved region %d has an invalid type", i);
+            error_append_hint(errp, "Valid values are 0 and 1\n");
+        }
+    }
     object_property_set_link(OBJECT(dev),
                              OBJECT(pci_get_bus(&vpci_dev->pci_dev)),
                              "primary-bus", &error_abort);
-- 
2.20.1

From: Eric Auger <eric.auger@redhat.com>

At the moment the virtio-iommu translates MSI transactions.
This behavior is inherited from ARM SMMU. The virt machine
code knows where the guest MSI doorbells are so we can easily
declare those regions as VIRTIO_IOMMU_RESV_MEM_T_MSI. With that
setting the guest will not map MSIs through the IOMMU and those
transactions will be simply bypassed.

Depending on which MSI controller is in use (ITS or GICV2M),
we declare either:
- the ITS interrupt translation space (ITS_base + 0x10000),
  containing the GITS_TRANSLATOR or
- The GICV2M single frame, containing the MSI_SETSP_NS register.

Signed-off-by: Eric Auger <eric.auger@redhat.com>
Message-id: 20200629070404.10969-6-eric.auger@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/arm/virt.h |  7 +++++++
 hw/arm/virt.c         | 30 ++++++++++++++++++++++++++++++
 2 files changed, 37 insertions(+)

diff --git a/include/hw/arm/virt.h b/include/hw/arm/virt.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/virt.h
+++ b/include/hw/arm/virt.h
@@ -XXX,XX +XXX,XX @@ typedef enum VirtIOMMUType {
     VIRT_IOMMU_VIRTIO,
 } VirtIOMMUType;
 
+typedef enum VirtMSIControllerType {
+    VIRT_MSI_CTRL_NONE,
+    VIRT_MSI_CTRL_GICV2M,
+    VIRT_MSI_CTRL_ITS,
+} VirtMSIControllerType;
+
 typedef enum VirtGICType {
     VIRT_GIC_VERSION_MAX,
     VIRT_GIC_VERSION_HOST,
@@ -XXX,XX +XXX,XX @@ typedef struct {
     OnOffAuto acpi;
     VirtGICType gic_version;
     VirtIOMMUType iommu;
+    VirtMSIControllerType msi_controller;
     uint16_t virtio_iommu_bdf;
     struct arm_boot_info bootinfo;
     MemMapEntry *memmap;
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@ static void create_its(VirtMachineState *vms)
     sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, vms->memmap[VIRT_GIC_ITS].base);
 
     fdt_add_its_gic_node(vms);
+    vms->msi_controller = VIRT_MSI_CTRL_ITS;
 }
 
 static void create_v2m(VirtMachineState *vms)
@@ -XXX,XX +XXX,XX @@ static void create_v2m(VirtMachineState *vms)
     }
 
     fdt_add_v2m_gic_node(vms);
+    vms->msi_controller = VIRT_MSI_CTRL_GICV2M;
 }
 
 static void create_gic(VirtMachineState *vms)
@@ -XXX,XX +XXX,XX @@ out:
 static void virt_machine_device_pre_plug_cb(HotplugHandler *hotplug_dev,
                                             DeviceState *dev, Error **errp)
 {
+    VirtMachineState *vms = VIRT_MACHINE(hotplug_dev);
+
     if (object_dynamic_cast(OBJECT(dev), TYPE_PC_DIMM)) {
         virt_memory_pre_plug(hotplug_dev, dev, errp);
+    } else if (object_dynamic_cast(OBJECT(dev), TYPE_VIRTIO_IOMMU_PCI)) {
+        hwaddr db_start = 0, db_end = 0;
+        char *resv_prop_str;
+
+        switch (vms->msi_controller) {
+        case VIRT_MSI_CTRL_NONE:
+            return;
+        case VIRT_MSI_CTRL_ITS:
+            /* GITS_TRANSLATER page */
+            db_start = base_memmap[VIRT_GIC_ITS].base + 0x10000;
+            db_end = base_memmap[VIRT_GIC_ITS].base +
+                     base_memmap[VIRT_GIC_ITS].size - 1;
+            break;
+        case VIRT_MSI_CTRL_GICV2M:
+            /* MSI_SETSPI_NS page */
+            db_start = base_memmap[VIRT_GIC_V2M].base;
+            db_end = db_start + base_memmap[VIRT_GIC_V2M].size - 1;
+            break;
+        }
+        resv_prop_str = g_strdup_printf("0x%"PRIx64":0x%"PRIx64":%u",
+                                        db_start, db_end,
+                                        VIRTIO_IOMMU_RESV_MEM_T_MSI);
+
+        qdev_prop_set_uint32(dev, "len-reserved-regions", 1);
+        qdev_prop_set_string(dev, "reserved-regions[0]", resv_prop_str);
+        g_free(resv_prop_str);
     }
 }
 
-- 
2.20.1

From: Beata Michalska <beata.michalska@linaro.org>

On ARMv7 & ARMv8 some load/store instructions might trigger a data abort
exception with no valid ISS info to be decoded. The lack of decode info
makes it at least tricky to emulate those instruction which is one of the
(many) reasons why KVM will not even try to do so.

Add support for handling those by requesting KVM to inject external
dabt into the quest.

Signed-off-by: Beata Michalska <beata.michalska@linaro.org>
Reviewed-by: Andrew Jones <drjones@redhat.com>
Message-id: 20200629114110.30723-2-beata.michalska@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/kvm.c | 52 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)

diff --git a/target/arm/kvm.c b/target/arm/kvm.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm.c
+++ b/target/arm/kvm.c
@@ -XXX,XX +XXX,XX @@ const KVMCapabilityInfo kvm_arch_required_capabilities[] = {
 
 static bool cap_has_mp_state;
 static bool cap_has_inject_serror_esr;
+static bool cap_has_inject_ext_dabt;
 
 static ARMHostCPUFeatures arm_host_cpu_features;
 
@@ -XXX,XX +XXX,XX @@ int kvm_arch_init(MachineState *ms, KVMState *s)
         ret = -EINVAL;
     }
 
+    if (kvm_check_extension(s, KVM_CAP_ARM_NISV_TO_USER)) {
+        if (kvm_vm_enable_cap(s, KVM_CAP_ARM_NISV_TO_USER, 0)) {
+            error_report("Failed to enable KVM_CAP_ARM_NISV_TO_USER cap");
+        } else {
+            /* Set status for supporting the external dabt injection */
+            cap_has_inject_ext_dabt = kvm_check_extension(s,
+                                    KVM_CAP_ARM_INJECT_EXT_DABT);
+        }
+    }
+
     return ret;
 }
 
@@ -XXX,XX +XXX,XX @@ void kvm_arm_vm_state_change(void *opaque, int running, RunState state)
     }
 }
 
+/**
+ * kvm_arm_handle_dabt_nisv:
+ * @cs: CPUState
+ * @esr_iss: ISS encoding (limited) for the exception from Data Abort
+ *           ISV bit set to '0b0' -> no valid instruction syndrome
+ * @fault_ipa: faulting address for the synchronous data abort
+ *
+ * Returns: 0 if the exception has been handled, < 0 otherwise
+ */
+static int kvm_arm_handle_dabt_nisv(CPUState *cs, uint64_t esr_iss,
+                                    uint64_t fault_ipa)
+{
+    /*
+     * Request KVM to inject the external data abort into the guest
+     */
+    if (cap_has_inject_ext_dabt) {
+        struct kvm_vcpu_events events = { };
+        /*
+         * The external data abort event will be handled immediately by KVM
+         * using the address fault that triggered the exit on given VCPU.
+         * Requesting injection of the external data abort does not rely
+         * on any other VCPU state. Therefore, in this particular case, the VCPU
+         * synchronization can be exceptionally skipped.
+         */
+        events.exception.ext_dabt_pending = 1;
+        /* KVM_CAP_ARM_INJECT_EXT_DABT implies KVM_CAP_VCPU_EVENTS */
+        return kvm_vcpu_ioctl(cs, KVM_SET_VCPU_EVENTS, &events);
+    } else {
+        error_report("Data abort exception triggered by guest memory access "
+                     "at physical address: 0x"  TARGET_FMT_lx,
+                     (target_ulong)fault_ipa);
+        error_printf("KVM unable to emulate faulting instruction.\n");
+    }
+    return -1;
+}
+
 int kvm_arch_handle_exit(CPUState *cs, struct kvm_run *run)
 {
     int ret = 0;
@@ -XXX,XX +XXX,XX @@ int kvm_arch_handle_exit(CPUState *cs, struct kvm_run *run)
             ret = EXCP_DEBUG;
         } /* otherwise return to guest */
         break;
+    case KVM_EXIT_ARM_NISV:
+        /* External DABT with no valid iss to decode */
+        ret = kvm_arm_handle_dabt_nisv(cs, run->arm_nisv.esr_iss,
+                                       run->arm_nisv.fault_ipa);
+        break;
     default:
         qemu_log_mask(LOG_UNIMP, "%s: un-handled exit reason %d\n",
                       __func__, run->exit_reason);
-- 
2.20.1

From: Beata Michalska <beata.michalska@linaro.org>

Injecting external data abort through KVM might trigger
an issue on kernels that do not get updated to include the KVM fix.
For those and aarch32 guests, the injected abort gets misconfigured
to be an implementation defined exception. This leads to the guest
repeatedly re-running the faulting instruction.

Add support for handling that case.

[
  Fixed-by: 018f22f95e8a
	('KVM: arm: Fix DFSR setting for non-LPAE aarch32 guests')
  Fixed-by: 21aecdbd7f3a
	('KVM: arm: Make inject_abt32() inject an external abort instead')
]

Signed-off-by: Beata Michalska <beata.michalska@linaro.org>
Acked-by: Andrew Jones <drjones@redhat.com>
Message-id: 20200629114110.30723-3-beata.michalska@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h     |  2 ++
 target/arm/kvm_arm.h | 10 +++++++++
 target/arm/kvm.c     | 30 ++++++++++++++++++++++++++-
 target/arm/kvm32.c   | 34 ++++++++++++++++++++++++++++++
 target/arm/kvm64.c   | 49 ++++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 124 insertions(+), 1 deletion(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ typedef struct CPUARMState {
         uint64_t esr;
     } serror;
 
+    uint8_t ext_dabt_raised; /* Tracking/verifying injection of ext DABT */
+
     /* State of our input IRQ/FIQ/VIRQ/VFIQ lines */
     uint32_t irq_line_state;
 
diff --git a/target/arm/kvm_arm.h b/target/arm/kvm_arm.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm_arm.h
+++ b/target/arm/kvm_arm.h
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_hw_debug_active(CPUState *cs);
 struct kvm_guest_debug_arch;
 void kvm_arm_copy_hw_debug_data(struct kvm_guest_debug_arch *ptr);
 
+/**
+ * kvm_arm_verify_ext_dabt_pending:
+ * @cs: CPUState
+ *
+ * Verify the fault status code wrt the Ext DABT injection
+ *
+ * Returns: true if the fault status code is as expected, false otherwise
+ */
+bool kvm_arm_verify_ext_dabt_pending(CPUState *cs);
+
 /**
  * its_class_name:
  *
diff --git a/target/arm/kvm.c b/target/arm/kvm.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm.c
+++ b/target/arm/kvm.c
@@ -XXX,XX +XXX,XX @@ int kvm_get_vcpu_events(ARMCPU *cpu)
 
 void kvm_arch_pre_run(CPUState *cs, struct kvm_run *run)
 {
+    ARMCPU *cpu = ARM_CPU(cs);
+    CPUARMState *env = &cpu->env;
+
+    if (unlikely(env->ext_dabt_raised)) {
+        /*
+         * Verifying that the ext DABT has been properly injected,
+         * otherwise risking indefinitely re-running the faulting instruction
+         * Covering a very narrow case for kernels 5.5..5.5.4
+         * when injected abort was misconfigured to be
+         * an IMPLEMENTATION DEFINED exception (for 32-bit EL1)
+         */
+        if (!arm_feature(env, ARM_FEATURE_AARCH64) &&
+            unlikely(!kvm_arm_verify_ext_dabt_pending(cs))) {
+
+            error_report("Data abort exception with no valid ISS generated by "
+                   "guest memory access. KVM unable to emulate faulting "
+                   "instruction. Failed to inject an external data abort "
+                   "into the guest.");
+            abort();
+       }
+       /* Clear the status */
+       env->ext_dabt_raised = 0;
+    }
 }
 
 MemTxAttrs kvm_arch_post_run(CPUState *cs, struct kvm_run *run)
@@ -XXX,XX +XXX,XX @@ void kvm_arm_vm_state_change(void *opaque, int running, RunState state)
 static int kvm_arm_handle_dabt_nisv(CPUState *cs, uint64_t esr_iss,
                                     uint64_t fault_ipa)
 {
+    ARMCPU *cpu = ARM_CPU(cs);
+    CPUARMState *env = &cpu->env;
     /*
      * Request KVM to inject the external data abort into the guest
      */
@@ -XXX,XX +XXX,XX @@ static int kvm_arm_handle_dabt_nisv(CPUState *cs, uint64_t esr_iss,
          */
         events.exception.ext_dabt_pending = 1;
         /* KVM_CAP_ARM_INJECT_EXT_DABT implies KVM_CAP_VCPU_EVENTS */
-        return kvm_vcpu_ioctl(cs, KVM_SET_VCPU_EVENTS, &events);
+        if (!kvm_vcpu_ioctl(cs, KVM_SET_VCPU_EVENTS, &events)) {
+            env->ext_dabt_raised = 1;
+            return 0;
+        }
     } else {
         error_report("Data abort exception triggered by guest memory access "
                      "at physical address: 0x"  TARGET_FMT_lx,
diff --git a/target/arm/kvm32.c b/target/arm/kvm32.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm32.c
+++ b/target/arm/kvm32.c
@@ -XXX,XX +XXX,XX @@ void kvm_arm_pmu_init(CPUState *cs)
 {
     qemu_log_mask(LOG_UNIMP, "%s: not implemented\n", __func__);
 }
+
+#define ARM_REG_DFSR  ARM_CP15_REG32(0, 5, 0, 0)
+#define ARM_REG_TTBCR ARM_CP15_REG32(0, 2, 0, 2)
+/*
+ *DFSR:
+ *      TTBCR.EAE == 0
+ *          FS[4]   - DFSR[10]
+ *          FS[3:0] - DFSR[3:0]
+ *      TTBCR.EAE == 1
+ *          FS, bits [5:0]
+ */
+#define DFSR_FSC(lpae, v) \
+    ((lpae) ? ((v) & 0x3F) : (((v) >> 6) | ((v) & 0x1F)))
+
+#define DFSC_EXTABT(lpae) ((lpae) ? 0x10 : 0x08)
+
+bool kvm_arm_verify_ext_dabt_pending(CPUState *cs)
+{
+    uint32_t dfsr_val;
+
+    if (!kvm_get_one_reg(cs, ARM_REG_DFSR, &dfsr_val)) {
+        ARMCPU *cpu = ARM_CPU(cs);
+        CPUARMState *env = &cpu->env;
+        uint32_t ttbcr;
+        int lpae = 0;
+
+        if (!kvm_get_one_reg(cs, ARM_REG_TTBCR, &ttbcr)) {
+            lpae = arm_feature(env, ARM_FEATURE_LPAE) && (ttbcr & TTBCR_EAE);
+        }
+        /* The verification is based on FS filed of the DFSR reg only*/
+        return (DFSR_FSC(lpae, dfsr_val) == DFSC_EXTABT(lpae));
+    }
+    return false;
+}
diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm64.c
+++ b/target/arm/kvm64.c
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_handle_debug(CPUState *cs, struct kvm_debug_exit_arch *debug_exit)
 
     return false;
 }
+
+#define ARM64_REG_ESR_EL1 ARM64_SYS_REG(3, 0, 5, 2, 0)
+#define ARM64_REG_TCR_EL1 ARM64_SYS_REG(3, 0, 2, 0, 2)
+
+/*
+ * ESR_EL1
+ * ISS encoding
+ * AARCH64: DFSC,   bits [5:0]
+ * AARCH32:
+ *      TTBCR.EAE == 0
+ *          FS[4]   - DFSR[10]
+ *          FS[3:0] - DFSR[3:0]
+ *      TTBCR.EAE == 1
+ *          FS, bits [5:0]
+ */
+#define ESR_DFSC(aarch64, lpae, v)        \
+    ((aarch64 || (lpae)) ? ((v) & 0x3F)   \
+               : (((v) >> 6) | ((v) & 0x1F)))
+
+#define ESR_DFSC_EXTABT(aarch64, lpae) \
+    ((aarch64) ? 0x10 : (lpae) ? 0x10 : 0x8)
+
+bool kvm_arm_verify_ext_dabt_pending(CPUState *cs)
+{
+    uint64_t dfsr_val;
+
+    if (!kvm_get_one_reg(cs, ARM64_REG_ESR_EL1, &dfsr_val)) {
+        ARMCPU *cpu = ARM_CPU(cs);
+        CPUARMState *env = &cpu->env;
+        int aarch64_mode = arm_feature(env, ARM_FEATURE_AARCH64);
+        int lpae = 0;
+
+        if (!aarch64_mode) {
+            uint64_t ttbcr;
+
+            if (!kvm_get_one_reg(cs, ARM64_REG_TCR_EL1, &ttbcr)) {
+                lpae = arm_feature(env, ARM_FEATURE_LPAE)
+                        && (ttbcr & TTBCR_EAE);
+            }
+        }
+        /*
+         * The verification here is based on the DFSC bits
+         * of the ESR_EL1 reg only
+         */
+         return (ESR_DFSC(aarch64_mode, lpae, dfsr_val) ==
+                ESR_DFSC_EXTABT(aarch64_mode, lpae));
+    }
+    return false;
+}
-- 
2.20.1

From: Andrew Jones <drjones@redhat.com>

Fixes: 93dd625f8bf7 ("tests/acpi: update expected data files")
Signed-off-by: Andrew Jones <drjones@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Message-id: 20200629140938.17566-2-drjones@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 tests/qtest/bios-tables-test-allowed-diff.h | 18 ------------------
 1 file changed, 18 deletions(-)

diff --git a/tests/qtest/bios-tables-test-allowed-diff.h b/tests/qtest/bios-tables-test-allowed-diff.h
index XXXXXXX..XXXXXXX 100644
--- a/tests/qtest/bios-tables-test-allowed-diff.h
+++ b/tests/qtest/bios-tables-test-allowed-diff.h
@@ -1,19 +1 @@
 /* List of comma-separated changed AML files to ignore */
-"tests/data/acpi/pc/DSDT",
-"tests/data/acpi/pc/DSDT.acpihmat",
-"tests/data/acpi/pc/DSDT.bridge",
-"tests/data/acpi/pc/DSDT.cphp",
-"tests/data/acpi/pc/DSDT.dimmpxm",
-"tests/data/acpi/pc/DSDT.ipmikcs",
-"tests/data/acpi/pc/DSDT.memhp",
-"tests/data/acpi/pc/DSDT.numamem",
-"tests/data/acpi/q35/DSDT",
-"tests/data/acpi/q35/DSDT.acpihmat",
-"tests/data/acpi/q35/DSDT.bridge",
-"tests/data/acpi/q35/DSDT.cphp",
-"tests/data/acpi/q35/DSDT.dimmpxm",
-"tests/data/acpi/q35/DSDT.ipmibt",
-"tests/data/acpi/q35/DSDT.memhp",
-"tests/data/acpi/q35/DSDT.mmio64",
-"tests/data/acpi/q35/DSDT.numamem",
-"tests/data/acpi/q35/DSDT.tis",
-- 
2.20.1

From: Andrew Jones <drjones@redhat.com>

The flash device is exclusively for the host-controlled firmware, so
we should not expose it to the OS. Exposing it risks the OS messing
with it, which could break firmware runtime services and surprise the
OS when all its changes disappear after reboot.

As firmware needs the device and uses DT, we leave the device exposed
there. It's up to firmware to remove the nodes from DT before sending
it on to the OS. However, there's no need to force firmware to remove
tables from ACPI (which it doesn't know how to do anyway), so we
simply don't add the tables in the first place. But, as we've been
adding the tables for quite some time and don't want to change the
default hardware exposed to versioned machines, then we only stop
exposing the flash device tables for 5.1 and later machine types.

Suggested-by: Ard Biesheuvel <ard.biesheuvel@arm.com>
Suggested-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Andrew Jones <drjones@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Message-id: 20200629140938.17566-4-drjones@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/arm/virt.h    | 1 +
 hw/arm/virt-acpi-build.c | 5 ++++-
 hw/arm/virt.c            | 3 +++
 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/include/hw/arm/virt.h b/include/hw/arm/virt.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/virt.h
+++ b/include/hw/arm/virt.h
@@ -XXX,XX +XXX,XX @@ typedef struct {
     bool no_highmem_ecam;
     bool no_ged;   /* Machines < 4.2 has no support for ACPI GED device */
     bool kvm_no_adjvtime;
+    bool acpi_expose_flash;
 } VirtMachineClass;
 
 typedef struct {
diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt-acpi-build.c
+++ b/hw/arm/virt-acpi-build.c
@@ -XXX,XX +XXX,XX @@ static void build_fadt_rev5(GArray *table_data, BIOSLinker *linker,
 static void
 build_dsdt(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
 {
+    VirtMachineClass *vmc = VIRT_MACHINE_GET_CLASS(vms);
     Aml *scope, *dsdt;
     MachineState *ms = MACHINE(vms);
     const MemMapEntry *memmap = vms->memmap;
@@ -XXX,XX +XXX,XX @@ build_dsdt(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
     acpi_dsdt_add_cpus(scope, vms->smp_cpus);
     acpi_dsdt_add_uart(scope, &memmap[VIRT_UART],
                        (irqmap[VIRT_UART] + ARM_SPI_BASE));
-    acpi_dsdt_add_flash(scope, &memmap[VIRT_FLASH]);
+    if (vmc->acpi_expose_flash) {
+        acpi_dsdt_add_flash(scope, &memmap[VIRT_FLASH]);
+    }
     acpi_dsdt_add_fw_cfg(scope, &memmap[VIRT_FW_CFG]);
     acpi_dsdt_add_virtio(scope, &memmap[VIRT_MMIO],
                     (irqmap[VIRT_MMIO] + ARM_SPI_BASE), NUM_VIRTIO_TRANSPORTS);
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@ DEFINE_VIRT_MACHINE_AS_LATEST(5, 1)
 
 static void virt_machine_5_0_options(MachineClass *mc)
 {
+    VirtMachineClass *vmc = VIRT_MACHINE_CLASS(OBJECT_CLASS(mc));
+
     virt_machine_5_1_options(mc);
     compat_props_add(mc->compat_props, hw_compat_5_0, hw_compat_5_0_len);
     mc->numa_mem_supported = true;
+    vmc->acpi_expose_flash = true;
 }
 DEFINE_VIRT_MACHINE(5, 0)
 
-- 
2.20.1

From: Andrew Jones <drjones@redhat.com>

Differences between disassembled ASL files for DSDT:

@@ -XXX,XX +XXX,XX @@
  *
  * Disassembling to symbolic ASL+ operators
  *
- * Disassembly of a, Mon Jun 29 09:50:01 2020
+ * Disassembly of b, Mon Jun 29 09:50:03 2020
  *
  * Original Table Header:
  *     Signature        "DSDT"
- *     Length           0x000014BB (5307)
+ *     Length           0x00001455 (5205)
  *     Revision         0x02
- *     Checksum         0xD1
+ *     Checksum         0xE1
  *     OEM ID           "BOCHS "
  *     OEM Table ID     "BXPCDSDT"
  *     OEM Revision     0x00000001 (1)
@@ -XXX,XX +XXX,XX @@
             })
         }

-        Device (FLS0)
-        {
-            Name (_HID, "LNRO0015")  // _HID: Hardware ID
-            Name (_UID, Zero)  // _UID: Unique ID
-            Name (_CRS, ResourceTemplate ()  // _CRS: Current Resource Settings
-            {
-                Memory32Fixed (ReadWrite,
-                    0x00000000,         // Address Base
-                    0x04000000,         // Address Length
-                    )
-            })
-        }
-
-        Device (FLS1)
-        {
-            Name (_HID, "LNRO0015")  // _HID: Hardware ID
-            Name (_UID, One)  // _UID: Unique ID
-            Name (_CRS, ResourceTemplate ()  // _CRS: Current Resource Settings
-            {
-                Memory32Fixed (ReadWrite,
-                    0x04000000,         // Address Base
-                    0x04000000,         // Address Length
-                    )
-            })
-        }
-
         Device (FWCF)
         {
             Name (_HID, "QEMU0002")  // _HID: Hardware ID

The other two binaries have the same changes (the removal of the
flash devices).

Signed-off-by: Andrew Jones <drjones@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Message-id: 20200629140938.17566-5-drjones@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 tests/qtest/bios-tables-test-allowed-diff.h |   3 ---
 tests/data/acpi/virt/DSDT                   | Bin 5307 -> 5205 bytes
 tests/data/acpi/virt/DSDT.memhp             | Bin 6668 -> 6566 bytes
 tests/data/acpi/virt/DSDT.numamem           | Bin 5307 -> 5205 bytes
 4 files changed, 3 deletions(-)

delta 156
zcmcbrv0IbNCD<iow+I6R)5VEg(oAih6V(&y4c&Z#4LIUGJY9Hw{DS-q3=B;fIO0P+
zU4W!>P_UpN7hfAE10w?juv9WcH-WSmV$;Hiu7w4t3#`S$E!^1+q9xGPH`KtuzzAr5
LaERl^1zUvy_;n(J

diff --git a/tests/data/acpi/virt/DSDT.memhp b/tests/data/acpi/virt/DSDT.memhp
index XXXXXXX..XXXXXXX 100644
GIT binary patch
delta 28
kcmeA%S!T@T66_MPOp<|tiD@F2G*jb@iRuX(-^xn@0CHUjRR910

delta 156
zcmZ2x++)J!66_MfBgMeL^l>7WG*kP$iRuaUhHgH=1|0Doo-VvTenI{Q28N~#9Py!^
zE<n;bC|FRCi?5B7fsp|MSSlH!n?PC&v1wsM*TMqS1=eEW7Vhi@(GuwD8){%+U<5Qj
LIK*+|0yaqism~!^

diff --git a/tests/data/acpi/virt/DSDT.numamem b/tests/data/acpi/virt/DSDT.numamem
index XXXXXXX..XXXXXXX 100644
GIT binary patch
delta 28
kcmdn3c~yhUCD<h-RD^+n>ET2!X{H9}iRuX(-<}f&0DgxFc>n+a

delta 156
zcmcbrv0IbNCD<iow+I6R)5VEg(oAih6V(&y4c&Z#4LIUGJY9Hw{DS-q3=B;fIO0P+
zU4W!>P_UpN7hfAE10w?juv9WcH-WSmV$;Hiu7w4t3#`S$E!^1+q9xGPH`KtuzzAr5
LaERl^1zUvy_;n(J

-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

The temp that gets assigned to clean_addr has been allocated with
new_tmp_a64, which means that it will be freed at the end of the
instruction.  Freeing it earlier leads to assertion failure.

The loop creates a complication, in which we allocate a new local
temp, which does need freeing, and the final code path is shared
between the loop and non-loop.

Fix this complication by adding new_tmp_a64_local so that the new
local temp is freed at the end, and can be treated exactly like
the non-loop path.

Fixes: bba87d0a0f4
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20200702175605.1987125-1-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.h | 1 +
 target/arm/translate-a64.c | 6 ++++++
 target/arm/translate-sve.c | 8 ++------
 3 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/target/arm/translate-a64.h b/target/arm/translate-a64.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.h
+++ b/target/arm/translate-a64.h
@@ -XXX,XX +XXX,XX @@ void unallocated_encoding(DisasContext *s);
     } while (0)
 
 TCGv_i64 new_tmp_a64(DisasContext *s);
+TCGv_i64 new_tmp_a64_local(DisasContext *s);
 TCGv_i64 new_tmp_a64_zero(DisasContext *s);
 TCGv_i64 cpu_reg(DisasContext *s, int reg);
 TCGv_i64 cpu_reg_sp(DisasContext *s, int reg);
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ TCGv_i64 new_tmp_a64(DisasContext *s)
     return s->tmp_a64[s->tmp_a64_count++] = tcg_temp_new_i64();
 }
 
+TCGv_i64 new_tmp_a64_local(DisasContext *s)
+{
+    assert(s->tmp_a64_count < TMP_A64_MAX);
+    return s->tmp_a64[s->tmp_a64_count++] = tcg_temp_local_new_i64();
+}
+
 TCGv_i64 new_tmp_a64_zero(DisasContext *s)
 {
     TCGv_i64 t = new_tmp_a64(s);
diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ static void do_ldr(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
 
         /* Copy the clean address into a local temp, live across the loop. */
         t0 = clean_addr;
-        clean_addr = tcg_temp_local_new_i64();
+        clean_addr = new_tmp_a64_local(s);
         tcg_gen_mov_i64(clean_addr, t0);
-        tcg_temp_free_i64(t0);
 
         gen_set_label(loop);
 
@@ -XXX,XX +XXX,XX @@ static void do_ldr(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
         tcg_gen_st_i64(t0, cpu_env, vofs + len_align);
         tcg_temp_free_i64(t0);
     }
-    tcg_temp_free_i64(clean_addr);
 }
 
 /* Similarly for stores.  */
@@ -XXX,XX +XXX,XX @@ static void do_str(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
 
         /* Copy the clean address into a local temp, live across the loop. */
         t0 = clean_addr;
-        clean_addr = tcg_temp_local_new_i64();
+        clean_addr = new_tmp_a64_local(s);
         tcg_gen_mov_i64(clean_addr, t0);
-        tcg_temp_free_i64(t0);
 
         gen_set_label(loop);
 
@@ -XXX,XX +XXX,XX @@ static void do_str(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
         }
         tcg_temp_free_i64(t0);
     }
-    tcg_temp_free_i64(clean_addr);
 }
 
 static bool trans_LDR_zri(DisasContext *s, arg_rri *a)
-- 
2.20.1

In bcm2835_fb_mbox_push(), Coverity complains (CID 1429989) that we
pass a pointer to a local struct to another function without
initializing all its fields.  This is a real bug:
bcm2835_fb_reconfigure() copies the whole of our new BCM2385FBConfig
struct into s->config, so any fields we don't initialize will corrupt
the state of the device.

Copy the two fields which we don't want to update (pixo and alpha)
from the existing config so we don't accidentally change them.

Fixes: cfb7ba983857e40e88
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20200628195436.27582-1-peter.maydell@linaro.org
---
 hw/display/bcm2835_fb.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/hw/display/bcm2835_fb.c b/hw/display/bcm2835_fb.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/display/bcm2835_fb.c
+++ b/hw/display/bcm2835_fb.c
@@ -XXX,XX +XXX,XX @@ static void bcm2835_fb_mbox_push(BCM2835FBState *s, uint32_t value)
     newconf.base = s->vcram_base | (value & 0xc0000000);
     newconf.base += BCM2835_FB_OFFSET;
 
+    /* Copy fields which we don't want to change from the existing config */
+    newconf.pixo = s->config.pixo;
+    newconf.alpha = s->config.alpha;
+
     bcm2835_fb_validate_config(&newconf);
 
     pitch = bcm2835_fb_get_pitch(&newconf);
-- 
2.20.1

The spitz board has been around a long time, and still has a fair number
of hard-coded tab characters in it. We're about to do some work on
this source file, so start out by expanding out the tabs.

This commit is a pure whitespace only change.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20200628142429.17111-2-peter.maydell@linaro.org
---
 hw/arm/spitz.c | 156 ++++++++++++++++++++++++-------------------------
 1 file changed, 78 insertions(+), 78 deletions(-)

diff --git a/hw/arm/spitz.c b/hw/arm/spitz.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/spitz.c
+++ b/hw/arm/spitz.c
@@ -XXX,XX +XXX,XX @@
 #include "cpu.h"
 
 #undef REG_FMT
-#define REG_FMT			"0x%02lx"
+#define REG_FMT                         "0x%02lx"
 
 /* Spitz Flash */
-#define FLASH_BASE		0x0c000000
-#define FLASH_ECCLPLB		0x00	/* Line parity 7 - 0 bit */
-#define FLASH_ECCLPUB		0x04	/* Line parity 15 - 8 bit */
-#define FLASH_ECCCP		0x08	/* Column parity 5 - 0 bit */
-#define FLASH_ECCCNTR		0x0c	/* ECC byte counter */
-#define FLASH_ECCCLRR		0x10	/* Clear ECC */
-#define FLASH_FLASHIO		0x14	/* Flash I/O */
-#define FLASH_FLASHCTL		0x18	/* Flash Control */
+#define FLASH_BASE              0x0c000000
+#define FLASH_ECCLPLB           0x00    /* Line parity 7 - 0 bit */
+#define FLASH_ECCLPUB           0x04    /* Line parity 15 - 8 bit */
+#define FLASH_ECCCP             0x08    /* Column parity 5 - 0 bit */
+#define FLASH_ECCCNTR           0x0c    /* ECC byte counter */
+#define FLASH_ECCCLRR           0x10    /* Clear ECC */
+#define FLASH_FLASHIO           0x14    /* Flash I/O */
+#define FLASH_FLASHCTL          0x18    /* Flash Control */
 
-#define FLASHCTL_CE0		(1 << 0)
-#define FLASHCTL_CLE		(1 << 1)
-#define FLASHCTL_ALE		(1 << 2)
-#define FLASHCTL_WP		(1 << 3)
-#define FLASHCTL_CE1		(1 << 4)
-#define FLASHCTL_RYBY		(1 << 5)
-#define FLASHCTL_NCE		(FLASHCTL_CE0 | FLASHCTL_CE1)
+#define FLASHCTL_CE0            (1 << 0)
+#define FLASHCTL_CLE            (1 << 1)
+#define FLASHCTL_ALE            (1 << 2)
+#define FLASHCTL_WP             (1 << 3)
+#define FLASHCTL_CE1            (1 << 4)
+#define FLASHCTL_RYBY           (1 << 5)
+#define FLASHCTL_NCE            (FLASHCTL_CE0 | FLASHCTL_CE1)
 
 #define TYPE_SL_NAND "sl-nand"
 #define SL_NAND(obj) OBJECT_CHECK(SLNANDState, (obj), TYPE_SL_NAND)
@@ -XXX,XX +XXX,XX @@ static uint64_t sl_read(void *opaque, hwaddr addr, unsigned size)
     int ryby;
 
     switch (addr) {
-#define BSHR(byte, from, to)	((s->ecc.lp[byte] >> (from - to)) & (1 << to))
+#define BSHR(byte, from, to)    ((s->ecc.lp[byte] >> (from - to)) & (1 << to))
     case FLASH_ECCLPLB:
         return BSHR(0, 4, 0) | BSHR(0, 5, 2) | BSHR(0, 6, 4) | BSHR(0, 7, 6) |
                 BSHR(1, 4, 1) | BSHR(1, 5, 3) | BSHR(1, 6, 5) | BSHR(1, 7, 7);
 
-#define BSHL(byte, from, to)	((s->ecc.lp[byte] << (to - from)) & (1 << to))
+#define BSHL(byte, from, to)    ((s->ecc.lp[byte] << (to - from)) & (1 << to))
     case FLASH_ECCLPUB:
         return BSHL(0, 0, 0) | BSHL(0, 1, 2) | BSHL(0, 2, 4) | BSHL(0, 3, 6) |
                 BSHL(1, 0, 1) | BSHL(1, 1, 3) | BSHL(1, 2, 5) | BSHL(1, 3, 7);
@@ -XXX,XX +XXX,XX @@ static void sl_nand_realize(DeviceState *dev, Error **errp)
 
 /* Spitz Keyboard */
 
-#define SPITZ_KEY_STROBE_NUM	11
-#define SPITZ_KEY_SENSE_NUM	7
+#define SPITZ_KEY_STROBE_NUM    11
+#define SPITZ_KEY_SENSE_NUM     7
 
 static const int spitz_gpio_key_sense[SPITZ_KEY_SENSE_NUM] = {
     12, 17, 91, 34, 36, 38, 39
@@ -XXX,XX +XXX,XX @@ static int spitz_keymap[SPITZ_KEY_SENSE_NUM + 1][SPITZ_KEY_STROBE_NUM] = {
     { 0x52, 0x43, 0x01, 0x47, 0x49,  -1 ,  -1 ,  -1 ,  -1 ,  -1 ,  -1  },
 };
 
-#define SPITZ_GPIO_AK_INT	13	/* Remote control */
-#define SPITZ_GPIO_SYNC		16	/* Sync button */
-#define SPITZ_GPIO_ON_KEY	95	/* Power button */
-#define SPITZ_GPIO_SWA		97	/* Lid */
-#define SPITZ_GPIO_SWB		96	/* Tablet mode */
+#define SPITZ_GPIO_AK_INT       13      /* Remote control */
+#define SPITZ_GPIO_SYNC                 16      /* Sync button */
+#define SPITZ_GPIO_ON_KEY       95      /* Power button */
+#define SPITZ_GPIO_SWA          97      /* Lid */
+#define SPITZ_GPIO_SWB          96      /* Tablet mode */
 
 /* The special buttons are mapped to unused keys */
 static const int spitz_gpiomap[5] = {
@@ -XXX,XX +XXX,XX @@ static void spitz_keyboard_keydown(SpitzKeyboardState *s, int keycode)
 #define SPITZ_MOD_CTRL    (1 << 8)
 #define SPITZ_MOD_FN      (1 << 9)
 
-#define QUEUE_KEY(c)	s->fifo[(s->fifopos + s->fifolen ++) & 0xf] = c
+#define QUEUE_KEY(c)    s->fifo[(s->fifopos + s->fifolen ++) & 0xf] = c
 
 static void spitz_keyboard_handler(void *opaque, int keycode)
 {
@@ -XXX,XX +XXX,XX @@ static void spitz_keyboard_handler(void *opaque, int keycode)
     uint16_t code;
     int mapcode;
     switch (keycode) {
-    case 0x2a:	/* Left Shift */
+    case 0x2a:  /* Left Shift */
         s->modifiers |= 1;
         break;
     case 0xaa:
         s->modifiers &= ~1;
         break;
-    case 0x36:	/* Right Shift */
+    case 0x36:  /* Right Shift */
         s->modifiers |= 2;
         break;
     case 0xb6:
         s->modifiers &= ~2;
         break;
-    case 0x1d:	/* Control */
+    case 0x1d:  /* Control */
         s->modifiers |= 4;
         break;
     case 0x9d:
         s->modifiers &= ~4;
         break;
-    case 0x38:	/* Alt */
+    case 0x38:  /* Alt */
         s->modifiers |= 8;
         break;
     case 0xb8:
@@ -XXX,XX +XXX,XX @@ static void spitz_keyboard_realize(DeviceState *dev, Error **errp)
 
 /* LCD backlight controller */
 
-#define LCDTG_RESCTL	0x00
-#define LCDTG_PHACTRL	0x01
-#define LCDTG_DUTYCTRL	0x02
-#define LCDTG_POWERREG0	0x03
-#define LCDTG_POWERREG1	0x04
-#define LCDTG_GPOR3	0x05
-#define LCDTG_PICTRL	0x06
-#define LCDTG_POLCTRL	0x07
+#define LCDTG_RESCTL    0x00
+#define LCDTG_PHACTRL   0x01
+#define LCDTG_DUTYCTRL  0x02
+#define LCDTG_POWERREG0         0x03
+#define LCDTG_POWERREG1         0x04
+#define LCDTG_GPOR3     0x05
+#define LCDTG_PICTRL    0x06
+#define LCDTG_POLCTRL   0x07
 
 typedef struct {
     SSISlave ssidev;
@@ -XXX,XX +XXX,XX @@ static void spitz_lcdtg_realize(SSISlave *dev, Error **errp)
 
 /* SSP devices */
 
-#define CORGI_SSP_PORT		2
+#define CORGI_SSP_PORT          2
 
-#define SPITZ_GPIO_LCDCON_CS	53
-#define SPITZ_GPIO_ADS7846_CS	14
-#define SPITZ_GPIO_MAX1111_CS	20
-#define SPITZ_GPIO_TP_INT	11
+#define SPITZ_GPIO_LCDCON_CS    53
+#define SPITZ_GPIO_ADS7846_CS   14
+#define SPITZ_GPIO_MAX1111_CS   20
+#define SPITZ_GPIO_TP_INT       11
 
 static DeviceState *max1111;
 
@@ -XXX,XX +XXX,XX @@ static void corgi_ssp_gpio_cs(void *opaque, int line, int level)
     s->enable[line] = !level;
 }
 
-#define MAX1111_BATT_VOLT	1
-#define MAX1111_BATT_TEMP	2
-#define MAX1111_ACIN_VOLT	3
+#define MAX1111_BATT_VOLT       1
+#define MAX1111_BATT_TEMP       2
+#define MAX1111_ACIN_VOLT       3
 
-#define SPITZ_BATTERY_TEMP	0xe0	/* About 2.9V */
-#define SPITZ_BATTERY_VOLT	0xd0	/* About 4.0V */
-#define SPITZ_CHARGEON_ACIN	0x80	/* About 5.0V */
+#define SPITZ_BATTERY_TEMP      0xe0    /* About 2.9V */
+#define SPITZ_BATTERY_VOLT      0xd0    /* About 4.0V */
+#define SPITZ_CHARGEON_ACIN     0x80    /* About 5.0V */
 
 static void spitz_adc_temp_on(void *opaque, int line, int level)
 {
@@ -XXX,XX +XXX,XX @@ static void spitz_microdrive_attach(PXA2xxState *cpu, int slot)
 
 /* Wm8750 and Max7310 on I2C */
 
-#define AKITA_MAX_ADDR	0x18
-#define SPITZ_WM_ADDRL	0x1b
-#define SPITZ_WM_ADDRH	0x1a
+#define AKITA_MAX_ADDR  0x18
+#define SPITZ_WM_ADDRL  0x1b
+#define SPITZ_WM_ADDRH  0x1a
 
-#define SPITZ_GPIO_WM	5
+#define SPITZ_GPIO_WM   5
 
 static void spitz_wm8750_addr(void *opaque, int line, int level)
 {
@@ -XXX,XX +XXX,XX @@ static void spitz_out_switch(void *opaque, int line, int level)
     }
 }
 
-#define SPITZ_SCP_LED_GREEN		1
-#define SPITZ_SCP_JK_B			2
-#define SPITZ_SCP_CHRG_ON		3
-#define SPITZ_SCP_MUTE_L		4
-#define SPITZ_SCP_MUTE_R		5
-#define SPITZ_SCP_CF_POWER		6
-#define SPITZ_SCP_LED_ORANGE		7
-#define SPITZ_SCP_JK_A			8
-#define SPITZ_SCP_ADC_TEMP_ON		9
-#define SPITZ_SCP2_IR_ON		1
-#define SPITZ_SCP2_AKIN_PULLUP		2
-#define SPITZ_SCP2_BACKLIGHT_CONT	7
-#define SPITZ_SCP2_BACKLIGHT_ON		8
-#define SPITZ_SCP2_MIC_BIAS		9
+#define SPITZ_SCP_LED_GREEN             1
+#define SPITZ_SCP_JK_B                  2
+#define SPITZ_SCP_CHRG_ON               3
+#define SPITZ_SCP_MUTE_L                4
+#define SPITZ_SCP_MUTE_R                5
+#define SPITZ_SCP_CF_POWER              6
+#define SPITZ_SCP_LED_ORANGE            7
+#define SPITZ_SCP_JK_A                  8
+#define SPITZ_SCP_ADC_TEMP_ON           9
+#define SPITZ_SCP2_IR_ON                1
+#define SPITZ_SCP2_AKIN_PULLUP          2
+#define SPITZ_SCP2_BACKLIGHT_CONT       7
+#define SPITZ_SCP2_BACKLIGHT_ON                 8
+#define SPITZ_SCP2_MIC_BIAS             9
 
 static void spitz_scoop_gpio_setup(PXA2xxState *cpu,
                 DeviceState *scp0, DeviceState *scp1)
@@ -XXX,XX +XXX,XX @@ static void spitz_scoop_gpio_setup(PXA2xxState *cpu,
     qdev_connect_gpio_out(scp0, SPITZ_SCP_ADC_TEMP_ON, outsignals[6]);
 }
 
-#define SPITZ_GPIO_HSYNC		22
-#define SPITZ_GPIO_SD_DETECT		9
-#define SPITZ_GPIO_SD_WP		81
-#define SPITZ_GPIO_ON_RESET		89
-#define SPITZ_GPIO_BAT_COVER		90
-#define SPITZ_GPIO_CF1_IRQ		105
-#define SPITZ_GPIO_CF1_CD		94
-#define SPITZ_GPIO_CF2_IRQ		106
-#define SPITZ_GPIO_CF2_CD		93
+#define SPITZ_GPIO_HSYNC                22
+#define SPITZ_GPIO_SD_DETECT            9
+#define SPITZ_GPIO_SD_WP                81
+#define SPITZ_GPIO_ON_RESET             89
+#define SPITZ_GPIO_BAT_COVER            90
+#define SPITZ_GPIO_CF1_IRQ              105
+#define SPITZ_GPIO_CF1_CD               94
+#define SPITZ_GPIO_CF2_IRQ              106
+#define SPITZ_GPIO_CF2_CD               93
 
 static int spitz_hsync;
 
@@ -XXX,XX +XXX,XX @@ static void spitz_gpio_setup(PXA2xxState *cpu, int slots)
 /* Board init.  */
 enum spitz_model_e { spitz, akita, borzoi, terrier };
 
-#define SPITZ_RAM	0x04000000
-#define SPITZ_ROM	0x00800000
+#define SPITZ_RAM       0x04000000
+#define SPITZ_ROM       0x00800000
 
 static struct arm_boot_info spitz_binfo = {
     .loader_start = PXA2XX_SDRAM_BASE,
-- 
2.20.1

For the four Spitz-family machines (akita, borzoi, spitz, terrier)
create a proper abstract class SpitzMachineClass which encapsulates
the common behaviour, rather than having them all derive directly
from TYPE_MACHINE:
 * instead of each machine class setting mc->init to a wrapper
   function which calls spitz_common_init() with parameters,
   put that data in the SpitzMachineClass and make spitz_common_init
   the SpitzMachineClass machine-init function
 * move the settings of mc->block_default_type and
   mc->ignore_memory_transaction_failures into the SpitzMachineClass
   class init rather than repeating them in each machine's class init

(The motivation is that we're going to want to keep some state in
the SpitzMachineState so we can connect GPIOs between devices created
in one sub-function of the machine init to devices created in a
different sub-function.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20200628142429.17111-3-peter.maydell@linaro.org
---
 hw/arm/spitz.c | 91 ++++++++++++++++++++++++++++++--------------------
 1 file changed, 55 insertions(+), 36 deletions(-)

diff --git a/hw/arm/spitz.c b/hw/arm/spitz.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/spitz.c
+++ b/hw/arm/spitz.c
@@ -XXX,XX +XXX,XX @@
 #include "exec/address-spaces.h"
 #include "cpu.h"
 
+enum spitz_model_e { spitz, akita, borzoi, terrier };
+
+typedef struct {
+    MachineClass parent;
+    enum spitz_model_e model;
+    int arm_id;
+} SpitzMachineClass;
+
+typedef struct {
+    MachineState parent;
+} SpitzMachineState;
+
+#define TYPE_SPITZ_MACHINE "spitz-common"
+#define SPITZ_MACHINE(obj) \
+    OBJECT_CHECK(SpitzMachineState, obj, TYPE_SPITZ_MACHINE)
+#define SPITZ_MACHINE_GET_CLASS(obj) \
+    OBJECT_GET_CLASS(SpitzMachineClass, obj, TYPE_SPITZ_MACHINE)
+#define SPITZ_MACHINE_CLASS(klass) \
+    OBJECT_CLASS_CHECK(SpitzMachineClass, klass, TYPE_SPITZ_MACHINE)
+
 #undef REG_FMT
 #define REG_FMT                         "0x%02lx"
 
@@ -XXX,XX +XXX,XX @@ static void spitz_gpio_setup(PXA2xxState *cpu, int slots)
 }
 
 /* Board init.  */
-enum spitz_model_e { spitz, akita, borzoi, terrier };
-
 #define SPITZ_RAM       0x04000000
 #define SPITZ_ROM       0x00800000
 
@@ -XXX,XX +XXX,XX @@ static struct arm_boot_info spitz_binfo = {
     .ram_size = 0x04000000,
 };
 
-static void spitz_common_init(MachineState *machine,
-                              enum spitz_model_e model, int arm_id)
+static void spitz_common_init(MachineState *machine)
 {
+    SpitzMachineClass *smc = SPITZ_MACHINE_GET_CLASS(machine);
+    enum spitz_model_e model = smc->model;
     PXA2xxState *mpu;
     DeviceState *scp0, *scp1 = NULL;
     MemoryRegion *address_space_mem = get_system_memory();
@@ -XXX,XX +XXX,XX @@ static void spitz_common_init(MachineState *machine,
         /* A 4.0 GB microdrive is permanently sitting in CF slot 0.  */
         spitz_microdrive_attach(mpu, 0);
 
-    spitz_binfo.board_id = arm_id;
+    spitz_binfo.board_id = smc->arm_id;
     arm_load_kernel(mpu->cpu, machine, &spitz_binfo);
     sl_bootparam_write(SL_PXA_PARAM_BASE);
 }
 
-static void spitz_init(MachineState *machine)
+static void spitz_common_class_init(ObjectClass *oc, void *data)
 {
-    spitz_common_init(machine, spitz, 0x2c9);
+    MachineClass *mc = MACHINE_CLASS(oc);
+
+    mc->block_default_type = IF_IDE;
+    mc->ignore_memory_transaction_failures = true;
+    mc->init = spitz_common_init;
 }
 
-static void borzoi_init(MachineState *machine)
-{
-    spitz_common_init(machine, borzoi, 0x33f);
-}
-
-static void akita_init(MachineState *machine)
-{
-    spitz_common_init(machine, akita, 0x2e8);
-}
-
-static void terrier_init(MachineState *machine)
-{
-    spitz_common_init(machine, terrier, 0x33f);
-}
+static const TypeInfo spitz_common_info = {
+    .name = TYPE_SPITZ_MACHINE,
+    .parent = TYPE_MACHINE,
+    .abstract = true,
+    .instance_size = sizeof(SpitzMachineState),
+    .class_size = sizeof(SpitzMachineClass),
+    .class_init = spitz_common_class_init,
+};
 
 static void akitapda_class_init(ObjectClass *oc, void *data)
 {
     MachineClass *mc = MACHINE_CLASS(oc);
+    SpitzMachineClass *smc = SPITZ_MACHINE_CLASS(oc);
 
     mc->desc = "Sharp SL-C1000 (Akita) PDA (PXA270)";
-    mc->init = akita_init;
-    mc->ignore_memory_transaction_failures = true;
     mc->default_cpu_type = ARM_CPU_TYPE_NAME("pxa270-c0");
+    smc->model = akita;
+    smc->arm_id = 0x2e8;
 }
 
 static const TypeInfo akitapda_type = {
     .name = MACHINE_TYPE_NAME("akita"),
-    .parent = TYPE_MACHINE,
+    .parent = TYPE_SPITZ_MACHINE,
     .class_init = akitapda_class_init,
 };
 
 static void spitzpda_class_init(ObjectClass *oc, void *data)
 {
     MachineClass *mc = MACHINE_CLASS(oc);
+    SpitzMachineClass *smc = SPITZ_MACHINE_CLASS(oc);
 
     mc->desc = "Sharp SL-C3000 (Spitz) PDA (PXA270)";
-    mc->init = spitz_init;
-    mc->block_default_type = IF_IDE;
-    mc->ignore_memory_transaction_failures = true;
     mc->default_cpu_type = ARM_CPU_TYPE_NAME("pxa270-c0");
+    smc->model = spitz;
+    smc->arm_id = 0x2c9;
 }
 
 static const TypeInfo spitzpda_type = {
     .name = MACHINE_TYPE_NAME("spitz"),
-    .parent = TYPE_MACHINE,
+    .parent = TYPE_SPITZ_MACHINE,
     .class_init = spitzpda_class_init,
 };
 
 static void borzoipda_class_init(ObjectClass *oc, void *data)
 {
     MachineClass *mc = MACHINE_CLASS(oc);
+    SpitzMachineClass *smc = SPITZ_MACHINE_CLASS(oc);
 
     mc->desc = "Sharp SL-C3100 (Borzoi) PDA (PXA270)";
-    mc->init = borzoi_init;
-    mc->block_default_type = IF_IDE;
-    mc->ignore_memory_transaction_failures = true;
     mc->default_cpu_type = ARM_CPU_TYPE_NAME("pxa270-c0");
+    smc->model = borzoi;
+    smc->arm_id = 0x33f;
 }
 
 static const TypeInfo borzoipda_type = {
     .name = MACHINE_TYPE_NAME("borzoi"),
-    .parent = TYPE_MACHINE,
+    .parent = TYPE_SPITZ_MACHINE,
     .class_init = borzoipda_class_init,
 };
 
 static void terrierpda_class_init(ObjectClass *oc, void *data)
 {
     MachineClass *mc = MACHINE_CLASS(oc);
+    SpitzMachineClass *smc = SPITZ_MACHINE_CLASS(oc);
 
     mc->desc = "Sharp SL-C3200 (Terrier) PDA (PXA270)";
-    mc->init = terrier_init;
-    mc->block_default_type = IF_IDE;
-    mc->ignore_memory_transaction_failures = true;
     mc->default_cpu_type = ARM_CPU_TYPE_NAME("pxa270-c5");
+    smc->model = terrier;
+    smc->arm_id = 0x33f;
 }
 
 static const TypeInfo terrierpda_type = {
     .name = MACHINE_TYPE_NAME("terrier"),
-    .parent = TYPE_MACHINE,
+    .parent = TYPE_SPITZ_MACHINE,
     .class_init = terrierpda_class_init,
 };
 
 static void spitz_machine_init(void)
 {
+    type_register_static(&spitz_common_info);
     type_register_static(&akitapda_type);
     type_register_static(&spitzpda_type);
     type_register_static(&borzoipda_type);
-- 
2.20.1

Keep pointers to the MPU and the SSI devices in SpitzMachineState.
We're going to want to make GPIO connections between some of the
SSI devices and the SCPs, so we want to keep hold of a pointer to
those; putting the MPU into the struct allows us to pass just
one thing to spitz_ssp_attach() rather than two.

We have to retain the setting of the global "max1111" variable
for the moment as it is used in spitz_adc_temp_on(); later in
this series of commits we will be able to remove it.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20200628142429.17111-4-peter.maydell@linaro.org
---
 hw/arm/spitz.c | 50 ++++++++++++++++++++++++++++----------------------
 1 file changed, 28 insertions(+), 22 deletions(-)

diff --git a/hw/arm/spitz.c b/hw/arm/spitz.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/spitz.c
+++ b/hw/arm/spitz.c
@@ -XXX,XX +XXX,XX @@ typedef struct {
 
 typedef struct {
     MachineState parent;
+    PXA2xxState *mpu;
+    DeviceState *mux;
+    DeviceState *lcdtg;
+    DeviceState *ads7846;
+    DeviceState *max1111;
 } SpitzMachineState;
 
 #define TYPE_SPITZ_MACHINE "spitz-common"
@@ -XXX,XX +XXX,XX @@ static void corgi_ssp_realize(SSISlave *d, Error **errp)
     s->bus[2] = ssi_create_bus(dev, "ssi2");
 }
 
-static void spitz_ssp_attach(PXA2xxState *cpu)
+static void spitz_ssp_attach(SpitzMachineState *sms)
 {
-    DeviceState *mux;
-    DeviceState *dev;
     void *bus;
 
-    mux = ssi_create_slave(cpu->ssp[CORGI_SSP_PORT - 1], "corgi-ssp");
+    sms->mux = ssi_create_slave(sms->mpu->ssp[CORGI_SSP_PORT - 1], "corgi-ssp");
 
-    bus = qdev_get_child_bus(mux, "ssi0");
-    ssi_create_slave(bus, "spitz-lcdtg");
+    bus = qdev_get_child_bus(sms->mux, "ssi0");
+    sms->lcdtg = ssi_create_slave(bus, "spitz-lcdtg");
 
-    bus = qdev_get_child_bus(mux, "ssi1");
-    dev = ssi_create_slave(bus, "ads7846");
-    qdev_connect_gpio_out(dev, 0,
-                          qdev_get_gpio_in(cpu->gpio, SPITZ_GPIO_TP_INT));
+    bus = qdev_get_child_bus(sms->mux, "ssi1");
+    sms->ads7846 = ssi_create_slave(bus, "ads7846");
+    qdev_connect_gpio_out(sms->ads7846, 0,
+                          qdev_get_gpio_in(sms->mpu->gpio, SPITZ_GPIO_TP_INT));
 
-    bus = qdev_get_child_bus(mux, "ssi2");
-    max1111 = ssi_create_slave(bus, "max1111");
-    max111x_set_input(max1111, MAX1111_BATT_VOLT, SPITZ_BATTERY_VOLT);
-    max111x_set_input(max1111, MAX1111_BATT_TEMP, 0);
-    max111x_set_input(max1111, MAX1111_ACIN_VOLT, SPITZ_CHARGEON_ACIN);
+    bus = qdev_get_child_bus(sms->mux, "ssi2");
+    sms->max1111 = ssi_create_slave(bus, "max1111");
+    max1111 = sms->max1111;
+    max111x_set_input(sms->max1111, MAX1111_BATT_VOLT, SPITZ_BATTERY_VOLT);
+    max111x_set_input(sms->max1111, MAX1111_BATT_TEMP, 0);
+    max111x_set_input(sms->max1111, MAX1111_ACIN_VOLT, SPITZ_CHARGEON_ACIN);
 
-    qdev_connect_gpio_out(cpu->gpio, SPITZ_GPIO_LCDCON_CS,
-                        qdev_get_gpio_in(mux, 0));
-    qdev_connect_gpio_out(cpu->gpio, SPITZ_GPIO_ADS7846_CS,
-                        qdev_get_gpio_in(mux, 1));
-    qdev_connect_gpio_out(cpu->gpio, SPITZ_GPIO_MAX1111_CS,
-                        qdev_get_gpio_in(mux, 2));
+    qdev_connect_gpio_out(sms->mpu->gpio, SPITZ_GPIO_LCDCON_CS,
+                        qdev_get_gpio_in(sms->mux, 0));
+    qdev_connect_gpio_out(sms->mpu->gpio, SPITZ_GPIO_ADS7846_CS,
+                        qdev_get_gpio_in(sms->mux, 1));
+    qdev_connect_gpio_out(sms->mpu->gpio, SPITZ_GPIO_MAX1111_CS,
+                        qdev_get_gpio_in(sms->mux, 2));
 }
 
 /* CF Microdrive */
@@ -XXX,XX +XXX,XX @@ static struct arm_boot_info spitz_binfo = {
 static void spitz_common_init(MachineState *machine)
 {
     SpitzMachineClass *smc = SPITZ_MACHINE_GET_CLASS(machine);
+    SpitzMachineState *sms = SPITZ_MACHINE(machine);
     enum spitz_model_e model = smc->model;
     PXA2xxState *mpu;
     DeviceState *scp0, *scp1 = NULL;
@@ -XXX,XX +XXX,XX @@ static void spitz_common_init(MachineState *machine)
     /* Setup CPU & memory */
     mpu = pxa270_init(address_space_mem, spitz_binfo.ram_size,
                       machine->cpu_type);
+    sms->mpu = mpu;
 
     sl_flash_register(mpu, (model == spitz) ? FLASH_128M : FLASH_1024M);
 
@@ -XXX,XX +XXX,XX @@ static void spitz_common_init(MachineState *machine)
     /* Setup peripherals */
     spitz_keyboard_register(mpu);
 
-    spitz_ssp_attach(mpu);
+    spitz_ssp_attach(sms);
 
     scp0 = sysbus_create_simple("scoop", 0x10800000, NULL);
     if (model != akita) {
-- 
2.20.1

Keep pointers to scp0, scp1 in SpitzMachineState, and just pass
that to spitz_scoop_gpio_setup().

(We'll want to use some of the other fields in SpitzMachineState
in that function in the next commit.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20200628142429.17111-5-peter.maydell@linaro.org
---
 hw/arm/spitz.c | 34 +++++++++++++++++++---------------
 1 file changed, 19 insertions(+), 15 deletions(-)

Currently the Spitz board uses a nasty hack for the GPIO lines
that pass "bit5" and "power" information to the LCD controller:
the lcdtg realize function sets a global variable to point to
the instance it just realized, and then the functions spitz_bl_power()
and spitz_bl_bit5() use that to find the device they are changing
the internal state of. There is a comment reading:
 FIXME: Implement GPIO properly and remove this hack.
which was added in 2009.

Implement GPIO properly and remove this hack.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20200628142429.17111-6-peter.maydell@linaro.org
---
 hw/arm/spitz.c | 28 ++++++++++++----------------
 1 file changed, 12 insertions(+), 16 deletions(-)

diff --git a/hw/arm/spitz.c b/hw/arm/spitz.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/spitz.c
+++ b/hw/arm/spitz.c
@@ -XXX,XX +XXX,XX @@ static void spitz_bl_update(SpitzLCDTG *s)
         zaurus_printf("LCD Backlight now off\n");
 }
 
-/* FIXME: Implement GPIO properly and remove this hack.  */
-static SpitzLCDTG *spitz_lcdtg;
-
 static inline void spitz_bl_bit5(void *opaque, int line, int level)
 {
-    SpitzLCDTG *s = spitz_lcdtg;
+    SpitzLCDTG *s = opaque;
     int prev = s->bl_intensity;
 
     if (level)
@@ -XXX,XX +XXX,XX @@ static inline void spitz_bl_bit5(void *opaque, int line, int level)
 
 static inline void spitz_bl_power(void *opaque, int line, int level)
 {
-    SpitzLCDTG *s = spitz_lcdtg;
+    SpitzLCDTG *s = opaque;
     s->bl_power = !!level;
     spitz_bl_update(s);
 }
@@ -XXX,XX +XXX,XX @@ static uint32_t spitz_lcdtg_transfer(SSISlave *dev, uint32_t value)
     return 0;
 }
 
-static void spitz_lcdtg_realize(SSISlave *dev, Error **errp)
+static void spitz_lcdtg_realize(SSISlave *ssi, Error **errp)
 {
-    SpitzLCDTG *s = FROM_SSI_SLAVE(SpitzLCDTG, dev);
+    SpitzLCDTG *s = FROM_SSI_SLAVE(SpitzLCDTG, ssi);
+    DeviceState *dev = DEVICE(s);
 
-    spitz_lcdtg = s;
     s->bl_power = 0;
     s->bl_intensity = 0x20;
+
+    qdev_init_gpio_in_named(dev, spitz_bl_bit5, "bl_bit5", 1);
+    qdev_init_gpio_in_named(dev, spitz_bl_power, "bl_power", 1);
 }
 
 /* SSP devices */
@@ -XXX,XX +XXX,XX @@ static void spitz_out_switch(void *opaque, int line, int level)
     case 3:
         zaurus_printf("Orange LED %s.\n", level ? "on" : "off");
         break;
-    case 4:
-        spitz_bl_bit5(opaque, line, level);
-        break;
-    case 5:
-        spitz_bl_power(opaque, line, level);
-        break;
     case 6:
         spitz_adc_temp_on(opaque, line, level);
         break;
+    default:
+        g_assert_not_reached();
     }
 }
 
@@ -XXX,XX +XXX,XX @@ static void spitz_scoop_gpio_setup(SpitzMachineState *sms)
 
     if (sms->scp1) {
         qdev_connect_gpio_out(sms->scp1, SPITZ_SCP2_BACKLIGHT_CONT,
-                              outsignals[4]);
+                              qdev_get_gpio_in_named(sms->lcdtg, "bl_bit5", 0));
         qdev_connect_gpio_out(sms->scp1, SPITZ_SCP2_BACKLIGHT_ON,
-                              outsignals[5]);
+                              qdev_get_gpio_in_named(sms->lcdtg, "bl_power", 0));
     }
 
     qdev_connect_gpio_out(sms->scp0, SPITZ_SCP_ADC_TEMP_ON, outsignals[6]);
-- 
2.20.1

Add some QOM properties to the max111x ADC device to allow the
initial values to be configured. Currently this is done by
board code calling max111x_set_input() after it creates the
device, which doesn't work on system reset.

This requires us to implement a reset method for this device,
so while we're doing that make sure we reset the other parts
of the device state.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20200628142429.17111-7-peter.maydell@linaro.org
---
 hw/misc/max111x.c | 57 ++++++++++++++++++++++++++++++++++++++---------
 1 file changed, 47 insertions(+), 10 deletions(-)

diff --git a/hw/misc/max111x.c b/hw/misc/max111x.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/misc/max111x.c
+++ b/hw/misc/max111x.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/ssi/ssi.h"
 #include "migration/vmstate.h"
 #include "qemu/module.h"
+#include "hw/qdev-properties.h"
 
 typedef struct {
     SSISlave parent_obj;
 
     qemu_irq interrupt;
+    /* Values of inputs at system reset (settable by QOM property) */
+    uint8_t reset_input[8];
+
     uint8_t tb1, rb2, rb3;
     int cycle;
 
@@ -XXX,XX +XXX,XX @@ static int max111x_init(SSISlave *d, int inputs)
     qdev_init_gpio_out(dev, &s->interrupt, 1);
 
     s->inputs = inputs;
-    /* TODO: add a user interface for setting these */
-    s->input[0] = 0xf0;
-    s->input[1] = 0xe0;
-    s->input[2] = 0xd0;
-    s->input[3] = 0xc0;
-    s->input[4] = 0xb0;
-    s->input[5] = 0xa0;
-    s->input[6] = 0x90;
-    s->input[7] = 0x80;
-    s->com = 0;
 
     vmstate_register(VMSTATE_IF(dev), VMSTATE_INSTANCE_ID_ANY,
                      &vmstate_max111x, s);
@@ -XXX,XX +XXX,XX @@ void max111x_set_input(DeviceState *dev, int line, uint8_t value)
     s->input[line] = value;
 }
 
+static void max111x_reset(DeviceState *dev)
+{
+    MAX111xState *s = MAX_111X(dev);
+    int i;
+
+    for (i = 0; i < s->inputs; i++) {
+        s->input[i] = s->reset_input[i];
+    }
+    s->com = 0;
+    s->tb1 = 0;
+    s->rb2 = 0;
+    s->rb3 = 0;
+    s->cycle = 0;
+}
+
+static Property max1110_properties[] = {
+    /* Reset values for ADC inputs */
+    DEFINE_PROP_UINT8("input0", MAX111xState, reset_input[0], 0xf0),
+    DEFINE_PROP_UINT8("input1", MAX111xState, reset_input[1], 0xe0),
+    DEFINE_PROP_UINT8("input2", MAX111xState, reset_input[2], 0xd0),
+    DEFINE_PROP_UINT8("input3", MAX111xState, reset_input[3], 0xc0),
+    DEFINE_PROP_END_OF_LIST(),
+};
+
+static Property max1111_properties[] = {
+    /* Reset values for ADC inputs */
+    DEFINE_PROP_UINT8("input0", MAX111xState, reset_input[0], 0xf0),
+    DEFINE_PROP_UINT8("input1", MAX111xState, reset_input[1], 0xe0),
+    DEFINE_PROP_UINT8("input2", MAX111xState, reset_input[2], 0xd0),
+    DEFINE_PROP_UINT8("input3", MAX111xState, reset_input[3], 0xc0),
+    DEFINE_PROP_UINT8("input4", MAX111xState, reset_input[4], 0xb0),
+    DEFINE_PROP_UINT8("input5", MAX111xState, reset_input[5], 0xa0),
+    DEFINE_PROP_UINT8("input6", MAX111xState, reset_input[6], 0x90),
+    DEFINE_PROP_UINT8("input7", MAX111xState, reset_input[7], 0x80),
+    DEFINE_PROP_END_OF_LIST(),
+};
+
 static void max111x_class_init(ObjectClass *klass, void *data)
 {
     SSISlaveClass *k = SSI_SLAVE_CLASS(klass);
+    DeviceClass *dc = DEVICE_CLASS(klass);
 
     k->transfer = max111x_transfer;
+    dc->reset = max111x_reset;
 }
 
 static const TypeInfo max111x_info = {
@@ -XXX,XX +XXX,XX @@ static const TypeInfo max111x_info = {
 static void max1110_class_init(ObjectClass *klass, void *data)
 {
     SSISlaveClass *k = SSI_SLAVE_CLASS(klass);
+    DeviceClass *dc = DEVICE_CLASS(klass);
 
     k->realize = max1110_realize;
+    device_class_set_props(dc, max1110_properties);
 }
 
 static const TypeInfo max1110_info = {
@@ -XXX,XX +XXX,XX @@ static const TypeInfo max1110_info = {
 static void max1111_class_init(ObjectClass *klass, void *data)
 {
     SSISlaveClass *k = SSI_SLAVE_CLASS(klass);
+    DeviceClass *dc = DEVICE_CLASS(klass);
 
     k->realize = max1111_realize;
+    device_class_set_props(dc, max1111_properties);
 }
 
 static const TypeInfo max1111_info = {
-- 
2.20.1

The max111x is a proper qdev device; we can use dc->vmsd rather than
directly calling vmstate_register().

It's possible that this is a migration compat break, but the only
boards that use this device are the spitz-family ('akita', 'borzoi',
'spitz', 'terrier').

diff --git a/hw/misc/max111x.c b/hw/misc/max111x.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/misc/max111x.c
+++ b/hw/misc/max111x.c
@@ -XXX,XX +XXX,XX @@ static int max111x_init(SSISlave *d, int inputs)
 
     s->inputs = inputs;
 
-    vmstate_register(VMSTATE_IF(dev), VMSTATE_INSTANCE_ID_ANY,
-                     &vmstate_max111x, s);
     return 0;
 }
 
@@ -XXX,XX +XXX,XX @@ static void max111x_class_init(ObjectClass *klass, void *data)
 
     k->transfer = max111x_transfer;
     dc->reset = max111x_reset;
+    dc->vmsd = &vmstate_max111x;
 }
 
 static const TypeInfo max111x_info = {
-- 
2.20.1

Add an ssi_realize_and_unref(), for the benefit of callers
who want to be able to create an SSI device, set QOM properties
on it, and then do the realize-and-unref afterwards.

The API works on the same principle as the recently added
qdev_realize_and_undef(), sysbus_realize_and_undef(), etc.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20200628142429.17111-9-peter.maydell@linaro.org
---
 include/hw/ssi/ssi.h | 26 ++++++++++++++++++++++++++
 hw/ssi/ssi.c         |  7 ++++++-
 2 files changed, 32 insertions(+), 1 deletion(-)

diff --git a/include/hw/ssi/ssi.h b/include/hw/ssi/ssi.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/ssi/ssi.h
+++ b/include/hw/ssi/ssi.h
@@ -XXX,XX +XXX,XX @@ extern const VMStateDescription vmstate_ssi_slave;
 }
 
 DeviceState *ssi_create_slave(SSIBus *bus, const char *name);
+/**
+ * ssi_realize_and_unref: realize and unref an SSI slave device
+ * @dev: SSI slave device to realize
+ * @bus: SSI bus to put it on
+ * @errp: error pointer
+ *
+ * Call 'realize' on @dev, put it on the specified @bus, and drop the
+ * reference to it. Errors are reported via @errp and by returning
+ * false.
+ *
+ * This function is useful if you have created @dev via qdev_new()
+ * (which takes a reference to the device it returns to you), so that
+ * you can set properties on it before realizing it. If you don't need
+ * to set properties then ssi_create_slave() is probably better (as it
+ * does the create, init and realize in one step).
+ *
+ * If you are embedding the SSI slave into another QOM device and
+ * initialized it via some variant on object_initialize_child() then
+ * do not use this function, because that family of functions arrange
+ * for the only reference to the child device to be held by the parent
+ * via the child<> property, and so the reference-count-drop done here
+ * would be incorrect.  (Instead you would want ssi_realize(), which
+ * doesn't currently exist but would be trivial to create if we had
+ * any code that wanted it.)
+ */
+bool ssi_realize_and_unref(DeviceState *dev, SSIBus *bus, Error **errp);
 
 /* Master interface.  */
 SSIBus *ssi_create_bus(DeviceState *parent, const char *name);
diff --git a/hw/ssi/ssi.c b/hw/ssi/ssi.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/ssi/ssi.c
+++ b/hw/ssi/ssi.c
@@ -XXX,XX +XXX,XX @@ static const TypeInfo ssi_slave_info = {
     .abstract = true,
 };
 
+bool ssi_realize_and_unref(DeviceState *dev, SSIBus *bus, Error **errp)
+{
+    return qdev_realize_and_unref(dev, &bus->parent_obj, errp);
+}
+
 DeviceState *ssi_create_slave(SSIBus *bus, const char *name)
 {
     DeviceState *dev = qdev_new(name);
 
-    qdev_realize_and_unref(dev, &bus->parent_obj, &error_fatal);
+    ssi_realize_and_unref(dev, bus, &error_fatal);
     return dev;
 }
 
-- 
2.20.1

Use the new max111x qdev properties to set the initial input
values rather than calling max111x_set_input(); this means that
on system reset the inputs will correctly return to their initial
values.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20200628142429.17111-10-peter.maydell@linaro.org
---
 hw/arm/spitz.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/hw/arm/spitz.c b/hw/arm/spitz.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/spitz.c
+++ b/hw/arm/spitz.c
@@ -XXX,XX +XXX,XX @@ static void spitz_ssp_attach(SpitzMachineState *sms)
                           qdev_get_gpio_in(sms->mpu->gpio, SPITZ_GPIO_TP_INT));
 
     bus = qdev_get_child_bus(sms->mux, "ssi2");
-    sms->max1111 = ssi_create_slave(bus, "max1111");
+    sms->max1111 = qdev_new("max1111");
     max1111 = sms->max1111;
-    max111x_set_input(sms->max1111, MAX1111_BATT_VOLT, SPITZ_BATTERY_VOLT);
-    max111x_set_input(sms->max1111, MAX1111_BATT_TEMP, 0);
-    max111x_set_input(sms->max1111, MAX1111_ACIN_VOLT, SPITZ_CHARGEON_ACIN);
+    qdev_prop_set_uint8(sms->max1111, "input1" /* BATT_VOLT */,
+                        SPITZ_BATTERY_VOLT);
+    qdev_prop_set_uint8(sms->max1111, "input2" /* BATT_TEMP */, 0);
+    qdev_prop_set_uint8(sms->max1111, "input3" /* ACIN_VOLT */,
+                        SPITZ_CHARGEON_ACIN);
+    ssi_realize_and_unref(sms->max1111, bus, &error_fatal);
 
     qdev_connect_gpio_out(sms->mpu->gpio, SPITZ_GPIO_LCDCON_CS,
                         qdev_get_gpio_in(sms->mux, 0));
-- 
2.20.1

The max111x ADC device model allows other code to set the level on
the 8 ADC inputs using the max111x_set_input() function.  Replace
this with generic qdev GPIO inputs, which also allow inputs to be set
to arbitrary values.

Using GPIO lines will make it easier for board code to wire things
up, so that if device A wants to set the ADC input it doesn't need to
have a direct pointer to the max111x but can just set that value on
its output GPIO, which is then wired up by the board to the
appropriate max111x input.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20200628142429.17111-11-peter.maydell@linaro.org
---
 include/hw/ssi/ssi.h |  3 ---
 hw/arm/spitz.c       |  9 +++++----
 hw/misc/max111x.c    | 16 +++++++++-------
 3 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/include/hw/ssi/ssi.h b/include/hw/ssi/ssi.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/ssi/ssi.h
+++ b/include/hw/ssi/ssi.h
@@ -XXX,XX +XXX,XX @@ SSIBus *ssi_create_bus(DeviceState *parent, const char *name);
 
 uint32_t ssi_transfer(SSIBus *bus, uint32_t val);
 
-/* max111x.c */
-void max111x_set_input(DeviceState *dev, int line, uint8_t value);
-
 #endif
diff --git a/hw/arm/spitz.c b/hw/arm/spitz.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/spitz.c
+++ b/hw/arm/spitz.c
@@ -XXX,XX +XXX,XX @@ static void corgi_ssp_gpio_cs(void *opaque, int line, int level)
 
 static void spitz_adc_temp_on(void *opaque, int line, int level)
 {
+    int batt_temp;
+
     if (!max1111)
         return;
 
-    if (level)
-        max111x_set_input(max1111, MAX1111_BATT_TEMP, SPITZ_BATTERY_TEMP);
-    else
-        max111x_set_input(max1111, MAX1111_BATT_TEMP, 0);
+    batt_temp = level ? SPITZ_BATTERY_TEMP : 0;
+
+    qemu_set_irq(qdev_get_gpio_in(max1111, MAX1111_BATT_TEMP), batt_temp);
 }
 
 static void corgi_ssp_realize(SSISlave *d, Error **errp)
diff --git a/hw/misc/max111x.c b/hw/misc/max111x.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/misc/max111x.c
+++ b/hw/misc/max111x.c
@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_max111x = {
     }
 };
 
+static void max111x_input_set(void *opaque, int line, int value)
+{
+    MAX111xState *s = MAX_111X(opaque);
+
+    assert(line >= 0 && line < s->inputs);
+    s->input[line] = value;
+}
+
 static int max111x_init(SSISlave *d, int inputs)
 {
     DeviceState *dev = DEVICE(d);
     MAX111xState *s = MAX_111X(dev);
 
     qdev_init_gpio_out(dev, &s->interrupt, 1);
+    qdev_init_gpio_in(dev, max111x_input_set, inputs);
 
     s->inputs = inputs;
 
@@ -XXX,XX +XXX,XX @@ static void max1111_realize(SSISlave *dev, Error **errp)
     max111x_init(dev, 4);
 }
 
-void max111x_set_input(DeviceState *dev, int line, uint8_t value)
-{
-    MAX111xState *s = MAX_111X(dev);
-    assert(line >= 0 && line < s->inputs);
-    s->input[line] = value;
-}
-
 static void max111x_reset(DeviceState *dev)
 {
     MAX111xState *s = MAX_111X(dev);
-- 
2.20.1

Create a header file for the hw/misc/max111x device, in the
usual modern style for QOM devices:
 * definition of the TYPE_ constants and macros
 * definition of the device's state struct so that it can
   be embedded in other structs if desired
 * documentation of the interface

This allows us to use TYPE_MAX_1111 in the spitz.c code rather
than the string "max1111".

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20200628142429.17111-12-peter.maydell@linaro.org
---
 include/hw/misc/max111x.h | 56 +++++++++++++++++++++++++++++++++++++++
 hw/arm/spitz.c            |  3 ++-
 hw/misc/max111x.c         | 24 +----------------
 MAINTAINERS               |  1 +
 4 files changed, 60 insertions(+), 24 deletions(-)
 create mode 100644 include/hw/misc/max111x.h

diff --git a/include/hw/misc/max111x.h b/include/hw/misc/max111x.h
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/include/hw/misc/max111x.h
@@ -XXX,XX +XXX,XX @@
+/*
+ * Maxim MAX1110/1111 ADC chip emulation.
+ *
+ * Copyright (c) 2006 Openedhand Ltd.
+ * Written by Andrzej Zaborowski <balrog@zabor.org>
+ *
+ * This code is licensed under the GNU GPLv2.
+ *
+ * Contributions after 2012-01-13 are licensed under the terms of the
+ * GNU GPL, version 2 or (at your option) any later version.
+ */
+
+#ifndef HW_MISC_MAX111X_H
+#define HW_MISC_MAX111X_H
+
+#include "hw/ssi/ssi.h"
+
+/*
+ * This is a model of the Maxim MAX1110/1111 ADC chip, which for QEMU
+ * is an SSI slave device. It has either 4 (max1110) or 8 (max1111)
+ * 8-bit ADC channels.
+ *
+ * QEMU interface:
+ *  + GPIO inputs 0..3 (for max1110) or 0..7 (for max1111): set the value
+ *    of each ADC input, as an unsigned 8-bit value
+ *  + GPIO output 0: interrupt line
+ *  + Properties "input0" to "input3" (max1110) or "input0" to "input7"
+ *    (max1111): initial reset values for ADC inputs.
+ *
+ * Known bugs:
+ *  + the interrupt line is not correctly implemented, and will never
+ *    be lowered once it has been asserted.
+ */
+typedef struct {
+    SSISlave parent_obj;
+
+    qemu_irq interrupt;
+    /* Values of inputs at system reset (settable by QOM property) */
+    uint8_t reset_input[8];
+
+    uint8_t tb1, rb2, rb3;
+    int cycle;
+
+    uint8_t input[8];
+    int inputs, com;
+} MAX111xState;
+
+#define TYPE_MAX_111X "max111x"
+
+#define MAX_111X(obj) \
+    OBJECT_CHECK(MAX111xState, (obj), TYPE_MAX_111X)
+
+#define TYPE_MAX_1110 "max1110"
+#define TYPE_MAX_1111 "max1111"
+
+#endif
diff --git a/hw/arm/spitz.c b/hw/arm/spitz.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/spitz.c
+++ b/hw/arm/spitz.c
@@ -XXX,XX +XXX,XX @@
 #include "audio/audio.h"
 #include "hw/boards.h"
 #include "hw/sysbus.h"
+#include "hw/misc/max111x.h"
 #include "migration/vmstate.h"
 #include "exec/address-spaces.h"
 #include "cpu.h"
@@ -XXX,XX +XXX,XX @@ static void spitz_ssp_attach(SpitzMachineState *sms)
                           qdev_get_gpio_in(sms->mpu->gpio, SPITZ_GPIO_TP_INT));
 
     bus = qdev_get_child_bus(sms->mux, "ssi2");
-    sms->max1111 = qdev_new("max1111");
+    sms->max1111 = qdev_new(TYPE_MAX_1111);
     max1111 = sms->max1111;
     qdev_prop_set_uint8(sms->max1111, "input1" /* BATT_VOLT */,
                         SPITZ_BATTERY_VOLT);
diff --git a/hw/misc/max111x.c b/hw/misc/max111x.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/misc/max111x.c
+++ b/hw/misc/max111x.c
@@ -XXX,XX +XXX,XX @@
  */
 
 #include "qemu/osdep.h"
+#include "hw/misc/max111x.h"
 #include "hw/irq.h"
-#include "hw/ssi/ssi.h"
 #include "migration/vmstate.h"
 #include "qemu/module.h"
 #include "hw/qdev-properties.h"
 
-typedef struct {
-    SSISlave parent_obj;
-
-    qemu_irq interrupt;
-    /* Values of inputs at system reset (settable by QOM property) */
-    uint8_t reset_input[8];
-
-    uint8_t tb1, rb2, rb3;
-    int cycle;
-
-    uint8_t input[8];
-    int inputs, com;
-} MAX111xState;
-
-#define TYPE_MAX_111X "max111x"
-
-#define MAX_111X(obj) \
-    OBJECT_CHECK(MAX111xState, (obj), TYPE_MAX_111X)
-
-#define TYPE_MAX_1110 "max1110"
-#define TYPE_MAX_1111 "max1111"
-
 /* Control-byte bitfields */
 #define CB_PD0		(1 << 0)
 #define CB_PD1		(1 << 1)
diff --git a/MAINTAINERS b/MAINTAINERS
index XXXXXXX..XXXXXXX 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -XXX,XX +XXX,XX @@ F: hw/gpio/max7310.c
 F: hw/gpio/zaurus.c
 F: hw/misc/mst_fpga.c
 F: hw/misc/max111x.c
+F: include/hw/misc/max111x.h
 F: include/hw/arm/pxa.h
 F: include/hw/arm/sharpsl.h
 F: include/hw/display/tc6393xb.h
-- 
2.20.1

Currently we have a free-floating set of IRQs and a function
spitz_out_switch() which handle some miscellaneous GPIO lines for the
spitz board.  Encapsulate this behaviour in a simple QOM device.

At this point we can finally remove the 'max1111' global, because the
ADC battery-temperature value is now handled by the misc-gpio device
writing the value to its outbound "adc-temp" GPIO, which the board
code wires up to the appropriate inbound GPIO line on the max1111.

This commit also fixes Coverity issue CID 1421913 (which pointed out
that the 'outsignals' in spitz_scoop_gpio_setup() were leaked),
because it removes the use of the qemu_allocate_irqs() API from this
code entirely.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20200628142429.17111-13-peter.maydell@linaro.org
---
 hw/arm/spitz.c | 129 +++++++++++++++++++++++++++++++++----------------
 1 file changed, 87 insertions(+), 42 deletions(-)

diff --git a/hw/arm/spitz.c b/hw/arm/spitz.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/spitz.c
+++ b/hw/arm/spitz.c
@@ -XXX,XX +XXX,XX @@ typedef struct {
     DeviceState *max1111;
     DeviceState *scp0;
     DeviceState *scp1;
+    DeviceState *misc_gpio;
 } SpitzMachineState;
 
 #define TYPE_SPITZ_MACHINE "spitz-common"
@@ -XXX,XX +XXX,XX @@ static void spitz_lcdtg_realize(SSISlave *ssi, Error **errp)
 #define SPITZ_GPIO_MAX1111_CS   20
 #define SPITZ_GPIO_TP_INT       11
 
-static DeviceState *max1111;
-
 /* "Demux" the signal based on current chipselect */
 typedef struct {
     SSISlave ssidev;
@@ -XXX,XX +XXX,XX @@ static void corgi_ssp_gpio_cs(void *opaque, int line, int level)
 #define SPITZ_BATTERY_VOLT      0xd0    /* About 4.0V */
 #define SPITZ_CHARGEON_ACIN     0x80    /* About 5.0V */
 
-static void spitz_adc_temp_on(void *opaque, int line, int level)
-{
-    int batt_temp;
-
-    if (!max1111)
-        return;
-
-    batt_temp = level ? SPITZ_BATTERY_TEMP : 0;
-
-    qemu_set_irq(qdev_get_gpio_in(max1111, MAX1111_BATT_TEMP), batt_temp);
-}
-
 static void corgi_ssp_realize(SSISlave *d, Error **errp)
 {
     DeviceState *dev = DEVICE(d);
@@ -XXX,XX +XXX,XX @@ static void spitz_ssp_attach(SpitzMachineState *sms)
 
     bus = qdev_get_child_bus(sms->mux, "ssi2");
     sms->max1111 = qdev_new(TYPE_MAX_1111);
-    max1111 = sms->max1111;
     qdev_prop_set_uint8(sms->max1111, "input1" /* BATT_VOLT */,
                         SPITZ_BATTERY_VOLT);
     qdev_prop_set_uint8(sms->max1111, "input2" /* BATT_TEMP */, 0);
@@ -XXX,XX +XXX,XX @@ static void spitz_akita_i2c_setup(PXA2xxState *cpu)
 
 /* Other peripherals */
 
-static void spitz_out_switch(void *opaque, int line, int level)
+/*
+ * Encapsulation of some miscellaneous GPIO line behaviour for the Spitz boards.
+ *
+ * QEMU interface:
+ *  + named GPIO inputs "green-led", "orange-led", "charging", "discharging":
+ *    these currently just print messages that the line has been signalled
+ *  + named GPIO input "adc-temp-on": set to cause the battery-temperature
+ *    value to be passed to the max111x ADC
+ *  + named GPIO output "adc-temp": the ADC value, to be wired up to the max111x
+ */
+#define TYPE_SPITZ_MISC_GPIO "spitz-misc-gpio"
+#define SPITZ_MISC_GPIO(obj) \
+    OBJECT_CHECK(SpitzMiscGPIOState, (obj), TYPE_SPITZ_MISC_GPIO)
+
+typedef struct SpitzMiscGPIOState {
+    SysBusDevice parent_obj;
+
+    qemu_irq adc_value;
+} SpitzMiscGPIOState;
+
+static void spitz_misc_charging(void *opaque, int n, int level)
 {
-    switch (line) {
-    case 0:
-        zaurus_printf("Charging %s.\n", level ? "off" : "on");
-        break;
-    case 1:
-        zaurus_printf("Discharging %s.\n", level ? "on" : "off");
-        break;
-    case 2:
-        zaurus_printf("Green LED %s.\n", level ? "on" : "off");
-        break;
-    case 3:
-        zaurus_printf("Orange LED %s.\n", level ? "on" : "off");
-        break;
-    case 6:
-        spitz_adc_temp_on(opaque, line, level);
-        break;
-    default:
-        g_assert_not_reached();
-    }
+    zaurus_printf("Charging %s.\n", level ? "off" : "on");
+}
+
+static void spitz_misc_discharging(void *opaque, int n, int level)
+{
+    zaurus_printf("Discharging %s.\n", level ? "off" : "on");
+}
+
+static void spitz_misc_green_led(void *opaque, int n, int level)
+{
+    zaurus_printf("Green LED %s.\n", level ? "off" : "on");
+}
+
+static void spitz_misc_orange_led(void *opaque, int n, int level)
+{
+    zaurus_printf("Orange LED %s.\n", level ? "off" : "on");
+}
+
+static void spitz_misc_adc_temp(void *opaque, int n, int level)
+{
+    SpitzMiscGPIOState *s = SPITZ_MISC_GPIO(opaque);
+    int batt_temp = level ? SPITZ_BATTERY_TEMP : 0;
+
+    qemu_set_irq(s->adc_value, batt_temp);
+}
+
+static void spitz_misc_gpio_init(Object *obj)
+{
+    SpitzMiscGPIOState *s = SPITZ_MISC_GPIO(obj);
+    DeviceState *dev = DEVICE(obj);
+
+    qdev_init_gpio_in_named(dev, spitz_misc_charging, "charging", 1);
+    qdev_init_gpio_in_named(dev, spitz_misc_discharging, "discharging", 1);
+    qdev_init_gpio_in_named(dev, spitz_misc_green_led, "green-led", 1);
+    qdev_init_gpio_in_named(dev, spitz_misc_orange_led, "orange-led", 1);
+    qdev_init_gpio_in_named(dev, spitz_misc_adc_temp, "adc-temp-on", 1);
+
+    qdev_init_gpio_out_named(dev, &s->adc_value, "adc-temp", 1);
 }
 
 #define SPITZ_SCP_LED_GREEN             1
@@ -XXX,XX +XXX,XX @@ static void spitz_out_switch(void *opaque, int line, int level)
 
 static void spitz_scoop_gpio_setup(SpitzMachineState *sms)
 {
-    qemu_irq *outsignals = qemu_allocate_irqs(spitz_out_switch, sms->mpu, 8);
+    DeviceState *miscdev = sysbus_create_simple(TYPE_SPITZ_MISC_GPIO, -1, NULL);
 
-    qdev_connect_gpio_out(sms->scp0, SPITZ_SCP_CHRG_ON, outsignals[0]);
-    qdev_connect_gpio_out(sms->scp0, SPITZ_SCP_JK_B, outsignals[1]);
-    qdev_connect_gpio_out(sms->scp0, SPITZ_SCP_LED_GREEN, outsignals[2]);
-    qdev_connect_gpio_out(sms->scp0, SPITZ_SCP_LED_ORANGE, outsignals[3]);
+    sms->misc_gpio = miscdev;
+
+    qdev_connect_gpio_out(sms->scp0, SPITZ_SCP_CHRG_ON,
+                          qdev_get_gpio_in_named(miscdev, "charging", 0));
+    qdev_connect_gpio_out(sms->scp0, SPITZ_SCP_JK_B,
+                          qdev_get_gpio_in_named(miscdev, "discharging", 0));
+    qdev_connect_gpio_out(sms->scp0, SPITZ_SCP_LED_GREEN,
+                          qdev_get_gpio_in_named(miscdev, "green-led", 0));
+    qdev_connect_gpio_out(sms->scp0, SPITZ_SCP_LED_ORANGE,
+                          qdev_get_gpio_in_named(miscdev, "orange-led", 0));
+    qdev_connect_gpio_out(sms->scp0, SPITZ_SCP_ADC_TEMP_ON,
+                          qdev_get_gpio_in_named(miscdev, "adc-temp-on", 0));
+    qdev_connect_gpio_out_named(miscdev, "adc-temp", 0,
+                                qdev_get_gpio_in(sms->max1111, MAX1111_BATT_TEMP));
 
     if (sms->scp1) {
         qdev_connect_gpio_out(sms->scp1, SPITZ_SCP2_BACKLIGHT_CONT,
@@ -XXX,XX +XXX,XX @@ static void spitz_scoop_gpio_setup(SpitzMachineState *sms)
         qdev_connect_gpio_out(sms->scp1, SPITZ_SCP2_BACKLIGHT_ON,
                               qdev_get_gpio_in_named(sms->lcdtg, "bl_power", 0));
     }
-
-    qdev_connect_gpio_out(sms->scp0, SPITZ_SCP_ADC_TEMP_ON, outsignals[6]);
 }
 
 #define SPITZ_GPIO_HSYNC                22
@@ -XXX,XX +XXX,XX @@ static const TypeInfo spitz_lcdtg_info = {
     .class_init    = spitz_lcdtg_class_init,
 };
 
+static const TypeInfo spitz_misc_gpio_info = {
+    .name = TYPE_SPITZ_MISC_GPIO,
+    .parent = TYPE_SYS_BUS_DEVICE,
+    .instance_size = sizeof(SpitzMiscGPIOState),
+    .instance_init = spitz_misc_gpio_init,
+    /*
+     * No class_init required: device has no internal state so does not
+     * need to set up reset or vmstate, and does not have a realize method.
+     */
+};
+
 static void spitz_register_types(void)
 {
     type_register_static(&corgi_ssp_info);
     type_register_static(&spitz_lcdtg_info);
     type_register_static(&spitz_keyboard_info);
     type_register_static(&sl_nand_info);
+    type_register_static(&spitz_misc_gpio_info);
 }
 
 type_init(spitz_register_types)
-- 
2.20.1

Instead of logging guest accesses to invalid register offsets in this
device using zaurus_printf() (which just prints to stderr), use the
usual qemu_log_mask(LOG_GUEST_ERROR,...).

Since this was the only use of the zaurus_printf() macro outside
spitz.c, we can move the definition of that macro from sharpsl.h
to spitz.c.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20200628142429.17111-14-peter.maydell@linaro.org
---
 include/hw/arm/sharpsl.h |  3 ---
 hw/arm/spitz.c           |  3 +++
 hw/gpio/zaurus.c         | 12 +++++++-----
 3 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/include/hw/arm/sharpsl.h b/include/hw/arm/sharpsl.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/sharpsl.h
+++ b/include/hw/arm/sharpsl.h
@@ -XXX,XX +XXX,XX @@
 
 #include "exec/hwaddr.h"
 
-#define zaurus_printf(format, ...)	\
-    fprintf(stderr, "%s: " format, __func__, ##__VA_ARGS__)
-
 /* zaurus.c */
 
 #define SL_PXA_PARAM_BASE	0xa0000a00
diff --git a/hw/arm/spitz.c b/hw/arm/spitz.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/spitz.c
+++ b/hw/arm/spitz.c
@@ -XXX,XX +XXX,XX @@ typedef struct {
 #define SPITZ_MACHINE_CLASS(klass) \
     OBJECT_CLASS_CHECK(SpitzMachineClass, klass, TYPE_SPITZ_MACHINE)
 
+#define zaurus_printf(format, ...)                              \
+    fprintf(stderr, "%s: " format, __func__, ##__VA_ARGS__)
+
 #undef REG_FMT
 #define REG_FMT                         "0x%02lx"
 
diff --git a/hw/gpio/zaurus.c b/hw/gpio/zaurus.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/gpio/zaurus.c
+++ b/hw/gpio/zaurus.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/sysbus.h"
 #include "migration/vmstate.h"
 #include "qemu/module.h"
-
-#undef REG_FMT
-#define REG_FMT			"0x%02lx"
+#include "qemu/log.h"
 
 /* SCOOP devices */
 
@@ -XXX,XX +XXX,XX @@ static uint64_t scoop_read(void *opaque, hwaddr addr,
     case SCOOP_GPRR:
         return s->gpio_level;
     default:
-        zaurus_printf("Bad register offset " REG_FMT "\n", (unsigned long)addr);
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "scoop_read: bad register offset 0x%02" HWADDR_PRIx "\n",
+                      addr);
     }
 
     return 0;
@@ -XXX,XX +XXX,XX @@ static void scoop_write(void *opaque, hwaddr addr,
         scoop_gpio_handler_update(s);
         break;
     default:
-        zaurus_printf("Bad register offset " REG_FMT "\n", (unsigned long)addr);
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "scoop_write: bad register offset 0x%02" HWADDR_PRIx "\n",
+                      addr);
     }
 }
 
-- 
2.20.1

Instead of logging guest accesses to invalid register offsets in the
Spitz flash device with zaurus_printf() (which just prints to stderr),
use the usual qemu_log_mask(LOG_GUEST_ERROR,...).

diff --git a/hw/arm/spitz.c b/hw/arm/spitz.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/spitz.c
+++ b/hw/arm/spitz.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/ssi/ssi.h"
 #include "hw/block/flash.h"
 #include "qemu/timer.h"
+#include "qemu/log.h"
 #include "hw/arm/sharpsl.h"
 #include "ui/console.h"
 #include "hw/audio/wm8750.h"
@@ -XXX,XX +XXX,XX @@ typedef struct {
 #define zaurus_printf(format, ...)                              \
     fprintf(stderr, "%s: " format, __func__, ##__VA_ARGS__)
 
-#undef REG_FMT
-#define REG_FMT                         "0x%02lx"
-
 /* Spitz Flash */
 #define FLASH_BASE              0x0c000000
 #define FLASH_ECCLPLB           0x00    /* Line parity 7 - 0 bit */
@@ -XXX,XX +XXX,XX @@ static uint64_t sl_read(void *opaque, hwaddr addr, unsigned size)
         return ecc_digest(&s->ecc, nand_getio(s->nand));
 
     default:
-        zaurus_printf("Bad register offset " REG_FMT "\n", (unsigned long)addr);
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "sl_read: bad register offset 0x%02" HWADDR_PRIx "\n",
+                      addr);
     }
     return 0;
 }
@@ -XXX,XX +XXX,XX @@ static void sl_write(void *opaque, hwaddr addr,
         break;
 
     default:
-        zaurus_printf("Bad register offset " REG_FMT "\n", (unsigned long)addr);
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "sl_write: bad register offset 0x%02" HWADDR_PRIx "\n",
+                      addr);
     }
 }
 
-- 
2.20.1

Instead of using printf() for logging guest accesses to invalid
register offsets in the pxa2xx PIC device, use the usual
qemu_log_mask(LOG_GUEST_ERROR,...).

This was the only user of the REG_FMT macro in pxa.h, so we can
remove that.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20200628142429.17111-16-peter.maydell@linaro.org
---
 include/hw/arm/pxa.h | 1 -
 hw/arm/pxa2xx_pic.c  | 9 +++++++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/include/hw/arm/pxa.h b/include/hw/arm/pxa.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/pxa.h
+++ b/include/hw/arm/pxa.h
@@ -XXX,XX +XXX,XX @@ struct PXA2xxI2SState {
 };
 
 # define PA_FMT			"0x%08lx"
-# define REG_FMT		"0x" TARGET_FMT_plx
 
 PXA2xxState *pxa270_init(MemoryRegion *address_space, unsigned int sdram_size,
                          const char *revision);
diff --git a/hw/arm/pxa2xx_pic.c b/hw/arm/pxa2xx_pic.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/pxa2xx_pic.c
+++ b/hw/arm/pxa2xx_pic.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/osdep.h"
 #include "qapi/error.h"
 #include "qemu/module.h"
+#include "qemu/log.h"
 #include "cpu.h"
 #include "hw/arm/pxa.h"
 #include "hw/sysbus.h"
@@ -XXX,XX +XXX,XX @@ static uint64_t pxa2xx_pic_mem_read(void *opaque, hwaddr offset,
     case ICHP:	/* Highest Priority register */
         return pxa2xx_pic_highest(s);
     default:
-        printf("%s: Bad register offset " REG_FMT "\n", __func__, offset);
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "pxa2xx_pic_mem_read: bad register offset 0x%" HWADDR_PRIx
+                      "\n", offset);
         return 0;
     }
 }
@@ -XXX,XX +XXX,XX @@ static void pxa2xx_pic_mem_write(void *opaque, hwaddr offset,
         s->priority[32 + ((offset - IPR32) >> 2)] = value & 0x8000003f;
         break;
     default:
-        printf("%s: Bad register offset " REG_FMT "\n", __func__, offset);
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "pxa2xx_pic_mem_write: bad register offset 0x%"
+                      HWADDR_PRIx "\n", offset);
         return;
     }
     pxa2xx_pic_update(opaque);
-- 
2.20.1

The QOM types "spitz-lcdtg" and "corgi-ssp" are missing the
usual QOM TYPE and casting macros; provide and use them.

In particular, we can safely use the QOM cast macros instead of
FROM_SSI_SLAVE() because in both cases the 'ssidev' field of
the instance state struct is the first field in it.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20200628142429.17111-17-peter.maydell@linaro.org
---
 hw/arm/spitz.c | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)

diff --git a/hw/arm/spitz.c b/hw/arm/spitz.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/spitz.c
+++ b/hw/arm/spitz.c
@@ -XXX,XX +XXX,XX @@ static void spitz_keyboard_realize(DeviceState *dev, Error **errp)
 #define LCDTG_PICTRL    0x06
 #define LCDTG_POLCTRL   0x07
 
+#define TYPE_SPITZ_LCDTG "spitz-lcdtg"
+#define SPITZ_LCDTG(obj) OBJECT_CHECK(SpitzLCDTG, (obj), TYPE_SPITZ_LCDTG)
+
 typedef struct {
     SSISlave ssidev;
     uint32_t bl_intensity;
@@ -XXX,XX +XXX,XX @@ static inline void spitz_bl_power(void *opaque, int line, int level)
 
 static uint32_t spitz_lcdtg_transfer(SSISlave *dev, uint32_t value)
 {
-    SpitzLCDTG *s = FROM_SSI_SLAVE(SpitzLCDTG, dev);
+    SpitzLCDTG *s = SPITZ_LCDTG(dev);
     int addr;
     addr = value >> 5;
     value &= 0x1f;
@@ -XXX,XX +XXX,XX @@ static uint32_t spitz_lcdtg_transfer(SSISlave *dev, uint32_t value)
 
 static void spitz_lcdtg_realize(SSISlave *ssi, Error **errp)
 {
-    SpitzLCDTG *s = FROM_SSI_SLAVE(SpitzLCDTG, ssi);
+    SpitzLCDTG *s = SPITZ_LCDTG(ssi);
     DeviceState *dev = DEVICE(s);
 
     s->bl_power = 0;
@@ -XXX,XX +XXX,XX @@ static void spitz_lcdtg_realize(SSISlave *ssi, Error **errp)
 #define SPITZ_GPIO_MAX1111_CS   20
 #define SPITZ_GPIO_TP_INT       11
 
+#define TYPE_CORGI_SSP "corgi-ssp"
+#define CORGI_SSP(obj) OBJECT_CHECK(CorgiSSPState, (obj), TYPE_CORGI_SSP)
+
 /* "Demux" the signal based on current chipselect */
 typedef struct {
     SSISlave ssidev;
@@ -XXX,XX +XXX,XX @@ typedef struct {
 
 static uint32_t corgi_ssp_transfer(SSISlave *dev, uint32_t value)
 {
-    CorgiSSPState *s = FROM_SSI_SLAVE(CorgiSSPState, dev);
+    CorgiSSPState *s = CORGI_SSP(dev);
     int i;
 
     for (i = 0; i < 3; i++) {
@@ -XXX,XX +XXX,XX @@ static void corgi_ssp_gpio_cs(void *opaque, int line, int level)
 static void corgi_ssp_realize(SSISlave *d, Error **errp)
 {
     DeviceState *dev = DEVICE(d);
-    CorgiSSPState *s = FROM_SSI_SLAVE(CorgiSSPState, d);
+    CorgiSSPState *s = CORGI_SSP(d);
 
     qdev_init_gpio_in(dev, corgi_ssp_gpio_cs, 3);
     s->bus[0] = ssi_create_bus(dev, "ssi0");
@@ -XXX,XX +XXX,XX @@ static void spitz_ssp_attach(SpitzMachineState *sms)
 {
     void *bus;
 
-    sms->mux = ssi_create_slave(sms->mpu->ssp[CORGI_SSP_PORT - 1], "corgi-ssp");
+    sms->mux = ssi_create_slave(sms->mpu->ssp[CORGI_SSP_PORT - 1],
+                                TYPE_CORGI_SSP);
 
     bus = qdev_get_child_bus(sms->mux, "ssi0");
-    sms->lcdtg = ssi_create_slave(bus, "spitz-lcdtg");
+    sms->lcdtg = ssi_create_slave(bus, TYPE_SPITZ_LCDTG);
 
     bus = qdev_get_child_bus(sms->mux, "ssi1");
     sms->ads7846 = ssi_create_slave(bus, "ads7846");
@@ -XXX,XX +XXX,XX @@ static void corgi_ssp_class_init(ObjectClass *klass, void *data)
 }
 
 static const TypeInfo corgi_ssp_info = {
-    .name          = "corgi-ssp",
+    .name          = TYPE_CORGI_SSP,
     .parent        = TYPE_SSI_SLAVE,
     .instance_size = sizeof(CorgiSSPState),
     .class_init    = corgi_ssp_class_init,
@@ -XXX,XX +XXX,XX @@ static void spitz_lcdtg_class_init(ObjectClass *klass, void *data)
 }
 
 static const TypeInfo spitz_lcdtg_info = {
-    .name          = "spitz-lcdtg",
+    .name          = TYPE_SPITZ_LCDTG,
     .parent        = TYPE_SSI_SLAVE,
     .instance_size = sizeof(SpitzLCDTG),
     .class_init    = spitz_lcdtg_class_init,
-- 
2.20.1

The FROM_SSI_SLAVE() macro predates QOM and is used as a typesafe way
to cast from an SSISlave* to the instance struct of a subtype of
TYPE_SSI_SLAVE.  Switch to using the QOM cast macros instead, which
have the same effect (by writing the QOM macros if the types were
previously missing them.)

(The FROM_SSI_SLAVE() macro allows the SSISlave member of the
subtype's struct to be anywhere as long as it is named "ssidev",
whereas a QOM cast macro insists that it is the first thing in the
subtype's struct.  This is true for all the types we convert here.)

This removes all the uses of FROM_SSI_SLAVE() so we can delete the
definition.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20200628142429.17111-18-peter.maydell@linaro.org
---
 include/hw/ssi/ssi.h |  2 --
 hw/arm/z2.c          | 11 +++++++----
 hw/display/ads7846.c |  9 ++++++---
 hw/display/ssd0323.c | 10 +++++++---
 hw/sd/ssi-sd.c       |  4 ++--
 5 files changed, 22 insertions(+), 14 deletions(-)

diff --git a/include/hw/ssi/ssi.h b/include/hw/ssi/ssi.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/ssi/ssi.h
+++ b/include/hw/ssi/ssi.h
@@ -XXX,XX +XXX,XX @@ struct SSISlave {
     bool cs;
 };
 
-#define FROM_SSI_SLAVE(type, dev) DO_UPCAST(type, ssidev, dev)
-
 extern const VMStateDescription vmstate_ssi_slave;
 
 #define VMSTATE_SSI_SLAVE(_field, _state) {                          \
diff --git a/hw/arm/z2.c b/hw/arm/z2.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/z2.c
+++ b/hw/arm/z2.c
@@ -XXX,XX +XXX,XX @@ typedef struct {
     int pos;
 } ZipitLCD;
 
+#define TYPE_ZIPIT_LCD "zipit-lcd"
+#define ZIPIT_LCD(obj) OBJECT_CHECK(ZipitLCD, (obj), TYPE_ZIPIT_LCD)
+
 static uint32_t zipit_lcd_transfer(SSISlave *dev, uint32_t value)
 {
-    ZipitLCD *z = FROM_SSI_SLAVE(ZipitLCD, dev);
+    ZipitLCD *z = ZIPIT_LCD(dev);
     uint16_t val;
     if (z->selected) {
         z->buf[z->pos] = value & 0xff;
@@ -XXX,XX +XXX,XX @@ static void z2_lcd_cs(void *opaque, int line, int level)
 
 static void zipit_lcd_realize(SSISlave *dev, Error **errp)
 {
-    ZipitLCD *z = FROM_SSI_SLAVE(ZipitLCD, dev);
+    ZipitLCD *z = ZIPIT_LCD(dev);
     z->selected = 0;
     z->enabled = 0;
     z->pos = 0;
@@ -XXX,XX +XXX,XX @@ static void zipit_lcd_class_init(ObjectClass *klass, void *data)
 }
 
 static const TypeInfo zipit_lcd_info = {
-    .name          = "zipit-lcd",
+    .name          = TYPE_ZIPIT_LCD,
     .parent        = TYPE_SSI_SLAVE,
     .instance_size = sizeof(ZipitLCD),
     .class_init    = zipit_lcd_class_init,
@@ -XXX,XX +XXX,XX @@ static void z2_init(MachineState *machine)
 
     type_register_static(&zipit_lcd_info);
     type_register_static(&aer915_info);
-    z2_lcd = ssi_create_slave(mpu->ssp[1], "zipit-lcd");
+    z2_lcd = ssi_create_slave(mpu->ssp[1], TYPE_ZIPIT_LCD);
     bus = pxa2xx_i2c_bus(mpu->i2c[0]);
     i2c_create_slave(bus, TYPE_AER915, 0x55);
     wm = i2c_create_slave(bus, TYPE_WM8750, 0x1b);
diff --git a/hw/display/ads7846.c b/hw/display/ads7846.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/display/ads7846.c
+++ b/hw/display/ads7846.c
@@ -XXX,XX +XXX,XX @@ typedef struct {
     int output;
 } ADS7846State;
 
+#define TYPE_ADS7846 "ads7846"
+#define ADS7846(obj) OBJECT_CHECK(ADS7846State, (obj), TYPE_ADS7846)
+
 /* Control-byte bitfields */
 #define CB_PD0		(1 << 0)
 #define CB_PD1		(1 << 1)
@@ -XXX,XX +XXX,XX @@ static void ads7846_int_update(ADS7846State *s)
 
 static uint32_t ads7846_transfer(SSISlave *dev, uint32_t value)
 {
-    ADS7846State *s = FROM_SSI_SLAVE(ADS7846State, dev);
+    ADS7846State *s = ADS7846(dev);
 
     switch (s->cycle ++) {
     case 0:
@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_ads7846 = {
 static void ads7846_realize(SSISlave *d, Error **errp)
 {
     DeviceState *dev = DEVICE(d);
-    ADS7846State *s = FROM_SSI_SLAVE(ADS7846State, d);
+    ADS7846State *s = ADS7846(d);
 
     qdev_init_gpio_out(dev, &s->interrupt, 1);
 
@@ -XXX,XX +XXX,XX @@ static void ads7846_class_init(ObjectClass *klass, void *data)
 }
 
 static const TypeInfo ads7846_info = {
-    .name          = "ads7846",
+    .name          = TYPE_ADS7846,
     .parent        = TYPE_SSI_SLAVE,
     .instance_size = sizeof(ADS7846State),
     .class_init    = ads7846_class_init,
diff --git a/hw/display/ssd0323.c b/hw/display/ssd0323.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/display/ssd0323.c
+++ b/hw/display/ssd0323.c
@@ -XXX,XX +XXX,XX @@ typedef struct {
     uint8_t framebuffer[128 * 80 / 2];
 } ssd0323_state;
 
+#define TYPE_SSD0323 "ssd0323"
+#define SSD0323(obj) OBJECT_CHECK(ssd0323_state, (obj), TYPE_SSD0323)
+
+
 static uint32_t ssd0323_transfer(SSISlave *dev, uint32_t data)
 {
-    ssd0323_state *s = FROM_SSI_SLAVE(ssd0323_state, dev);
+    ssd0323_state *s = SSD0323(dev);
 
     switch (s->mode) {
     case SSD0323_DATA:
@@ -XXX,XX +XXX,XX @@ static const GraphicHwOps ssd0323_ops = {
 static void ssd0323_realize(SSISlave *d, Error **errp)
 {
     DeviceState *dev = DEVICE(d);
-    ssd0323_state *s = FROM_SSI_SLAVE(ssd0323_state, d);
+    ssd0323_state *s = SSD0323(d);
 
     s->col_end = 63;
     s->row_end = 79;
@@ -XXX,XX +XXX,XX @@ static void ssd0323_class_init(ObjectClass *klass, void *data)
 }
 
 static const TypeInfo ssd0323_info = {
-    .name          = "ssd0323",
+    .name          = TYPE_SSD0323,
     .parent        = TYPE_SSI_SLAVE,
     .instance_size = sizeof(ssd0323_state),
     .class_init    = ssd0323_class_init,
diff --git a/hw/sd/ssi-sd.c b/hw/sd/ssi-sd.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/sd/ssi-sd.c
+++ b/hw/sd/ssi-sd.c
@@ -XXX,XX +XXX,XX @@ typedef struct {
 
 static uint32_t ssi_sd_transfer(SSISlave *dev, uint32_t val)
 {
-    ssi_sd_state *s = FROM_SSI_SLAVE(ssi_sd_state, dev);
+    ssi_sd_state *s = SSI_SD(dev);
 
     /* Special case: allow CMD12 (STOP TRANSMISSION) while reading data.  */
     if (s->mode == SSI_SD_DATA_READ && val == 0x4d) {
@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_ssi_sd = {
 
 static void ssi_sd_realize(SSISlave *d, Error **errp)
 {
-    ssi_sd_state *s = FROM_SSI_SLAVE(ssi_sd_state, d);
+    ssi_sd_state *s = SSI_SD(d);
     DeviceState *carddev;
     DriveInfo *dinfo;
     Error *err = NULL;
-- 
2.20.1

Deprecate our TileGX target support:
 * we have no active maintainer for it
 * it has had essentially no contributions (other than tree-wide cleanups
   and similar) since it was first added
 * the Linux kernel dropped support in 2018, as has glibc

Note the deprecation in the manual, but don't try to print a warning
when QEMU runs -- printing unsuppressable messages is more obtrusive
for linux-user mode than it would be for system-emulation mode, and
it doesn't seem worth trying to invent a new suppressible-error
system for linux-user just for this.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-id: 20200619154831.26319-1-peter.maydell@linaro.org
---
 docs/system/deprecated.rst | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/docs/system/deprecated.rst b/docs/system/deprecated.rst
index XXXXXXX..XXXXXXX 100644
--- a/docs/system/deprecated.rst
+++ b/docs/system/deprecated.rst
@@ -XXX,XX +XXX,XX @@ The above, converted to the current supported format::
 
   json:{"file.driver":"rbd", "file.pool":"rbd", "file.image":"name"}
 
+linux-user mode CPUs
+--------------------
+
+``tilegx`` CPUs (since 5.1.0)
+'''''''''''''''''''''''''''''
+
+The ``tilegx`` guest CPU support (which was only implemented in
+linux-user mode) is deprecated and will be removed in a future version
+of QEMU. Support for this CPU was removed from the upstream Linux
+kernel in 2018, and has also been dropped from glibc.
+
 Related binaries
 ----------------
 
-- 
2.20.1