Series comparison

-[PULL 00/11] target-arm queue
+[PULL 00/39] target-arm queue
-target-arm queue: two bug fixes, plus the KVM/SVE patchset,
+The following changes since commit 55ef0b702bc2c90c3c4ed97f97676d8f139e5ca1:
 which is a new feature but one which was in my pre-softfreeze
 pullreq (it just had to be dropped due to an unexpected test failure.)
-thanks
+  Merge remote-tracking branch 'remotes/lvivier-gitlab/tags/linux-user-for-7.0-pull-request' into staging (2022-02-07 10:48:25 +0000)
 -- PMM
 The following changes since commit b7c9a7f353c0e260519bf735ff0d4aa01e72784b:
   Merge remote-tracking branch 'remotes/jnsnow/tags/ide-pull-request' into staging (2019-10-31 15:57:30 +0000)
 are available in the Git repository at:
-  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20191101-1
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20220208
-for you to fetch changes up to d9ae7624b659362cb2bb2b04fee53bf50829ca56:
+for you to fetch changes up to 4fd1ebb10593087d45d2f56f7f3d13447d24802c:
-  target/arm: Allow reading flags from FPSCR for M-profile (2019-11-01 08:49:10 +0000)
+  hw/sensor: Add lsm303dlhc magnetometer device (2022-02-08 10:56:29 +0000)
 ----------------------------------------------------------------
 target-arm queue:
- * Support SVE in KVM guests
+ * Fix handling of SVE ZCR_LEN when using VHE
- * Don't UNDEF on M-profile 'vmrs apsr_nzcv, fpscr'
+ * xlnx-zynqmp: 'Or' the QSPI / QSPI DMA IRQs
- * Update hflags after boot.c modifies CPU state
+ * Don't ever enable PSCI when booting guest in EL3
  * Adhere to SMCCC 1.3 section 5.2
  * highbank: Fix issues with booting SMP
  * midway: Fix issues booting at all
  * boot: Drop existing dtb /psci node rather than retaining it
  * versal-virt: Always call arm_load_kernel()
  * force flag recalculation when messing with DAIF
  * hw/timer/armv7m_systick: Update clock source before enabling timer
  * hw/arm/smmuv3: Fix device reset
  * hw/intc/arm_gicv3_its: refactorings and minor bug fixes
  * hw/sensor: Add lsm303dlhc magnetometer device
 ----------------------------------------------------------------
-Andrew Jones (9):
+Alex Bennée (1):
-      target/arm/monitor: Introduce qmp_query_cpu_model_expansion
+      arm: force flag recalculation when messing with DAIF
       tests: arm: Introduce cpu feature tests
       target/arm: Allow SVE to be disabled via a CPU property
       target/arm/cpu64: max cpu: Introduce sve<N> properties
       target/arm/kvm64: Add kvm_arch_get/put_sve
       target/arm/kvm64: max cpu: Enable SVE when available
       target/arm/kvm: scratch vcpu: Preserve input kvm_vcpu_init features
       target/arm/cpu64: max cpu: Support sve properties with KVM
       target/arm/kvm: host cpu: Add support for sve<N> properties
 Christophe Lyon (1):
       target/arm: Allow reading flags from FPSCR for M-profile
 Edgar E. Iglesias (1):
-      hw/arm/boot: Rebuild hflags when modifying CPUState at boot
+      hw/arm: versal-virt: Always call arm_load_kernel()
- tests/Makefile.include         |   5 +-
+Eric Auger (1):
- qapi/machine-target.json       |   6 +-
+      hw/arm/smmuv3: Fix device reset
  include/qemu/bitops.h          |   1 +
  target/arm/cpu.h               |  21 ++
  target/arm/kvm_arm.h           |  39 +++
  hw/arm/boot.c                  |   1 +
  target/arm/cpu.c               |  25 +-
  target/arm/cpu64.c             | 364 +++++++++++++++++++++++++--
  target/arm/helper.c            |  10 +-
  target/arm/kvm.c               |  25 +-
  target/arm/kvm32.c             |   6 +-
  target/arm/kvm64.c             | 325 +++++++++++++++++++++---
  target/arm/monitor.c           | 158 ++++++++++++
  target/arm/translate-vfp.inc.c |   5 +-
  tests/arm-cpu-features.c       | 551 +++++++++++++++++++++++++++++++++++++++++
  docs/arm-cpu-features.rst      | 317 ++++++++++++++++++++++++
 files changed, 1795 insertions(+), 64 deletions(-)
  create mode 100644 tests/arm-cpu-features.c
  create mode 100644 docs/arm-cpu-features.rst
+Francisco Iglesias (1):
+      hw/arm/xlnx-zynqmp: 'Or' the QSPI / QSPI DMA IRQs
+Kevin Townsend (1):
+      hw/sensor: Add lsm303dlhc magnetometer device
+Peter Maydell (29):
+      target/arm: make psci-conduit settable after realize
+      cpu.c: Make start-powered-off settable after realize
+      hw/arm/boot: Support setting psci-conduit based on guest EL
+      hw/arm: imx: Don't enable PSCI conduit when booting guest in EL3
+      hw/arm: allwinner: Don't enable PSCI conduit when booting guest in EL3
+      hw/arm/xlnx-zcu102: Don't enable PSCI conduit when booting guest in EL3
+      hw/arm/versal: Let boot.c handle PSCI enablement
+      hw/arm/virt: Let boot.c handle PSCI enablement
+      hw/arm: highbank: For EL3 guests, don't enable PSCI, start all cores
+      arm: tcg: Adhere to SMCCC 1.3 section 5.2
+      hw/arm/highbank: Drop use of secure_board_setup
+      hw/arm/boot: Prevent setting both psci_conduit and secure_board_setup
+      hw/arm/boot: Don't write secondary boot stub if using PSCI
+      hw/arm/highbank: Drop unused secondary boot stub code
+      hw/arm/boot: Drop nb_cpus field from arm_boot_info
+      hw/arm/boot: Drop existing dtb /psci node rather than retaining it
+      hw/intc/arm_gicv3_its: Use address_space_map() to access command queue packets
+      hw/intc/arm_gicv3_its: Keep DTEs as a struct, not a raw uint64_t
+      hw/intc/arm_gicv3_its: Pass DTEntry to update_dte()
+      hw/intc/arm_gicv3_its: Keep CTEs as a struct, not a raw uint64_t
+      hw/intc/arm_gicv3_its: Pass CTEntry to update_cte()
+      hw/intc/arm_gicv3_its: Fix address calculation in get_ite() and update_ite()
+      hw/intc/arm_gicv3_its: Avoid nested ifs in get_ite()
+      hw/intc/arm_gicv3_its: Pass ITE values back from get_ite() via a struct
+      hw/intc/arm_gicv3_its: Make update_ite() use ITEntry
+      hw/intc/arm_gicv3_its: Drop TableDesc and CmdQDesc valid fields
+      hw/intc/arm_gicv3_its: In MAPC with V=0, don't check rdbase field
+      hw/intc/arm_gicv3_its: Don't allow intid 1023 in MAPI/MAPTI
+      hw/intc/arm_gicv3_its: Split error checks
+Richard Henderson (4):
+      target/arm: Fix sve_zcr_len_for_el for VHE mode running
+      target/arm: Tidy sve_exception_el for CPACR_EL1 access
+      target/arm: Fix {fp, sve}_exception_el for VHE mode running
+      target/arm: Use CPTR_TFP with CPTR_EL3 in fp_exception_el
+Richard Petri (1):
+      hw/timer/armv7m_systick: Update clock source before enabling timer
+ hw/intc/gicv3_internal.h               |  23 +-
+ include/hw/arm/boot.h                  |  14 +-
+ include/hw/arm/xlnx-versal.h           |   1 -
+ include/hw/arm/xlnx-zynqmp.h           |   2 +
+ include/hw/intc/arm_gicv3_its_common.h |   2 -
+ cpu.c                                  |  22 +-
+ hw/arm/allwinner-h3.c                  |   9 +-
+ hw/arm/aspeed.c                        |   1 -
+ hw/arm/boot.c                          | 107 ++++-
+ hw/arm/exynos4_boards.c                |   1 -
+ hw/arm/fsl-imx6ul.c                    |   2 -
+ hw/arm/fsl-imx7.c                      |   8 +-
+ hw/arm/highbank.c                      |  72 +---
+ hw/arm/imx25_pdk.c                     |   3 +-
+ hw/arm/kzm.c                           |   1 -
+ hw/arm/mcimx6ul-evk.c                  |   2 +-
+ hw/arm/mcimx7d-sabre.c                 |   2 +-
+ hw/arm/npcm7xx.c                       |   3 -
+ hw/arm/orangepi.c                      |   5 +-
+ hw/arm/raspi.c                         |   1 -
+ hw/arm/realview.c                      |   1 -
+ hw/arm/sabrelite.c                     |   1 -
+ hw/arm/sbsa-ref.c                      |   1 -
+ hw/arm/smmuv3.c                        |   6 +
+ hw/arm/vexpress.c                      |   1 -
+ hw/arm/virt.c                          |  13 +-
+ hw/arm/xilinx_zynq.c                   |   1 -
+ hw/arm/xlnx-versal-virt.c              |  17 +-
+ hw/arm/xlnx-versal.c                   |   5 +-
+ hw/arm/xlnx-zcu102.c                   |   1 +
+ hw/arm/xlnx-zynqmp.c                   |  25 +-
+ hw/intc/arm_gicv3_its.c                | 696 +++++++++++++++------------------
+ hw/sensor/lsm303dlhc_mag.c             | 556 ++++++++++++++++++++++++++
+ hw/timer/armv7m_systick.c              |   8 +-
+ target/arm/cpu.c                       |   6 +-
+ target/arm/helper-a64.c                |   2 +
+ target/arm/helper.c                    | 118 ++++--
+ target/arm/psci.c                      |  35 +-
+ tests/qtest/lsm303dlhc-mag-test.c      | 148 +++++++
+ hw/sensor/Kconfig                      |   4 +
+ hw/sensor/meson.build                  |   1 +
+ tests/qtest/meson.build                |   1 +
+files changed, 1308 insertions(+), 620 deletions(-)
+ create mode 100644 hw/sensor/lsm303dlhc_mag.c
+ create mode 100644 tests/qtest/lsm303dlhc-mag-test.c

-New patch
+[PULL 01/39] target/arm: Fix sve_zcr_len_for_el for VHE mode running
+From: Richard Henderson <richard.henderson@linaro.org>
+When HCR_EL2.{E2H,TGE} == '11', ZCR_EL1 is unused.
+Reported-by: Zenghui Yu <yuzenghui@huawei.com>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Zenghui Yu <yuzenghui@huawei.com>
+Message-id: 20220127063428.30212-2-richard.henderson@linaro.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/helper.c | 3 ++-
+file changed, 2 insertions(+), 1 deletion(-)
+diff --git a/target/arm/helper.c b/target/arm/helper.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/helper.c
++++ b/target/arm/helper.c
+@@ -XXX,XX +XXX,XX @@ uint32_t sve_zcr_len_for_el(CPUARMState *env, int el)
+     ARMCPU *cpu = env_archcpu(env);
+     uint32_t zcr_len = cpu->sve_max_vq - 1;
+-    if (el <= 1) {
++    if (el <= 1 &&
++        (arm_hcr_el2_eff(env) & (HCR_E2H | HCR_TGE)) != (HCR_E2H | HCR_TGE)) {
+         zcr_len = MIN(zcr_len, 0xf & (uint32_t)env->vfp.zcr_el[1]);
+     }
+     if (el <= 2 && arm_feature(env, ARM_FEATURE_EL2)) {
+--
+.25.1

-[PULL 11/11] target/arm: Allow reading flags from FPSCR for M-profile
+[PULL 02/39] target/arm: Tidy sve_exception_el for CPACR_EL1 access
-From: Christophe Lyon <christophe.lyon@linaro.org>
+From: Richard Henderson <richard.henderson@linaro.org>
-rt==15 is a special case when reading the flags: it means the
+Extract entire fields for ZEN and FPEN, rather than testing specific bits.
-destination is APSR. This patch avoids rejecting
+This makes it easier to follow the code versus the ARM spec.
 vmrs apsr_nzcv, fpscr
 as illegal instruction.
-Cc: qemu-stable@nongnu.org
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Signed-off-by: Christophe Lyon <christophe.lyon@linaro.org>
 Message-id: 20191025095711.10853-1-christophe.lyon@linaro.org
 [PMM: updated the comment]
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Zenghui Yu <yuzenghui@huawei.com>
+Message-id: 20220127063428.30212-3-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/translate-vfp.inc.c | 5 +++--
+ target/arm/helper.c | 36 +++++++++++++++++-------------------
-file changed, 3 insertions(+), 2 deletions(-)
+file changed, 17 insertions(+), 19 deletions(-)
-diff --git a/target/arm/translate-vfp.inc.c b/target/arm/translate-vfp.inc.c
+diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-vfp.inc.c
+--- a/target/arm/helper.c
-+++ b/target/arm/translate-vfp.inc.c
++++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static bool trans_VMSR_VMRS(DisasContext *s, arg_VMSR_VMRS *a)
+@@ -XXX,XX +XXX,XX @@ int sve_exception_el(CPUARMState *env, int el)
-     if (arm_dc_feature(s, ARM_FEATURE_M)) {
+     uint64_t hcr_el2 = arm_hcr_el2_eff(env);
-         /*
-          * The only M-profile VFP vmrs/vmsr sysreg is FPSCR.
+     if (el <= 1 && (hcr_el2 & (HCR_E2H | HCR_TGE)) != (HCR_E2H | HCR_TGE)) {
--         * Writes to R15 are UNPREDICTABLE; we choose to undef.
+-        bool disabled = false;
-+         * Accesses to R15 are UNPREDICTABLE; we choose to undef.
+-
-+         * (FPSCR -> r15 is a special case which writes to the PSR flags.)
+-        /* The CPACR.ZEN controls traps to EL1:
-          */
+-         * 0, 2 : trap EL0 and EL1 accesses
--        if (a->rt == 15 || a->reg != ARM_VFP_FPSCR) {
+-         * 1    : trap only EL0 accesses
-+        if (a->rt == 15 && (!a->l || a->reg != ARM_VFP_FPSCR)) {
+-         * 3    : trap no accesses
-             return false;
+-         */
 -        if (!extract32(env->cp15.cpacr_el1, 16, 1)) {
 -            disabled = true;
 -        } else if (!extract32(env->cp15.cpacr_el1, 17, 1)) {
 -            disabled = el == 0;
 -        }
 -        if (disabled) {
 +        /* Check CPACR.ZEN.  */
 +        switch (extract32(env->cp15.cpacr_el1, 16, 2)) {
 +        case 1:
 +            if (el != 0) {
 +                break;
 +            }
 +            /* fall through */
 +        case 0:
 +        case 2:
              /* route_to_el2 */
              return hcr_el2 & HCR_TGE ? 2 : 1;
          }
          /* Check CPACR.FPEN.  */
 -        if (!extract32(env->cp15.cpacr_el1, 20, 1)) {
 -            disabled = true;
 -        } else if (!extract32(env->cp15.cpacr_el1, 21, 1)) {
 -            disabled = el == 0;
 -        }
 -        if (disabled) {
 +        switch (extract32(env->cp15.cpacr_el1, 20, 2)) {
 +        case 1:
 +            if (el != 0) {
 +                break;
 +            }
 +            /* fall through */
 +        case 0:
 +        case 2:
              return 0;
          }
      }
 --
-.20.1
+.25.1

-[PULL 05/11] target/arm/kvm64: Add kvm_arch_get/put_sve
+[PULL 03/39] target/arm: Fix {fp, sve}_exception_el for VHE mode running
-From: Andrew Jones <drjones@redhat.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-These are the SVE equivalents to kvm_arch_get/put_fpsimd. Note, the
+When HCR_EL2.E2H is set, the format of CPTR_EL2 changes to
-swabbing is different than it is for fpsmid because the vector format
+look more like CPACR_EL1, with ZEN and FPEN fields instead
-is a little-endian stream of words.
+of TZ and TFP fields.
-Signed-off-by: Andrew Jones <drjones@redhat.com>
+Reported-by: Zenghui Yu <yuzenghui@huawei.com>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Tested-by: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com>
+Message-id: 20220127063428.30212-4-richard.henderson@linaro.org
 Message-id: 20191031142734.8590-6-drjones@redhat.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/kvm64.c | 185 ++++++++++++++++++++++++++++++++++++++-------
+ target/arm/helper.c | 77 +++++++++++++++++++++++++++++++++++----------
-file changed, 156 insertions(+), 29 deletions(-)
+file changed, 60 insertions(+), 17 deletions(-)
-diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
+diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/kvm64.c
+--- a/target/arm/helper.c
-+++ b/target/arm/kvm64.c
++++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ int kvm_arch_destroy_vcpu(CPUState *cs)
+@@ -XXX,XX +XXX,XX @@ int sve_exception_el(CPUARMState *env, int el)
  bool kvm_arm_reg_syncs_via_cpreg_list(uint64_t regidx)
  {
      /* Return true if the regidx is a register we should synchronize
 -     * via the cpreg_tuples array (ie is not a core reg we sync by
 -     * hand in kvm_arch_get/put_registers())
 +     * via the cpreg_tuples array (ie is not a core or sve reg that
 +     * we sync by hand in kvm_arch_get/put_registers())
       */
      switch (regidx & KVM_REG_ARM_COPROC_MASK) {
      case KVM_REG_ARM_CORE:
 +    case KVM_REG_ARM64_SVE:
          return false;
      default:
          return true;
@@ -XXX,XX +XXX,XX @@ int kvm_arm_cpreg_level(uint64_t regidx)
  static int kvm_arch_put_fpsimd(CPUState *cs)
  {
 -    ARMCPU *cpu = ARM_CPU(cs);
 -    CPUARMState *env = &cpu->env;
 +    CPUARMState *env = &ARM_CPU(cs)->env;
      struct kvm_one_reg reg;
 -    uint32_t fpr;
      int i, ret;
      for (i = 0; i < 32; i++) {
@@ -XXX,XX +XXX,XX @@ static int kvm_arch_put_fpsimd(CPUState *cs)
          }
      }
--    reg.addr = (uintptr_t)(&fpr);
+-    /* CPTR_EL2.  Since TZ and TFP are positive,
--    fpr = vfp_get_fpsr(env);
+-     * they will be zero when EL2 is not present.
--    reg.id = AARCH64_SIMD_CTRL_REG(fp_regs.fpsr);
++    /*
--    ret = kvm_vcpu_ioctl(cs, KVM_SET_ONE_REG, &reg);
++     * CPTR_EL2 changes format with HCR_EL2.E2H (regardless of TGE).
--    if (ret) {
+      */
--        return ret;
+-    if (el <= 2 && arm_is_el2_enabled(env)) {
-+    return 0;
+-        if (env->cp15.cptr_el[2] & CPTR_TZ) {
-+}
+-            return 2;
 -        }
 -        if (env->cp15.cptr_el[2] & CPTR_TFP) {
 -            return 0;
 +    if (el <= 2) {
 +        if (hcr_el2 & HCR_E2H) {
 +            /* Check CPTR_EL2.ZEN.  */
 +            switch (extract32(env->cp15.cptr_el[2], 16, 2)) {
 +            case 1:
 +                if (el != 0 || !(hcr_el2 & HCR_TGE)) {
 +                    break;
 +                }
 +                /* fall through */
 +            case 0:
 +            case 2:
 +                return 2;
 +            }
 +
-+/*
++            /* Check CPTR_EL2.FPEN.  */
-+ * SVE registers are encoded in KVM's memory in an endianness-invariant format.
++            switch (extract32(env->cp15.cptr_el[2], 20, 2)) {
-+ * The byte at offset i from the start of the in-memory representation contains
++            case 1:
-+ * the bits [(7 + 8 * i) : (8 * i)] of the register value. As this means the
++                if (el == 2 || !(hcr_el2 & HCR_TGE)) {
-+ * lowest offsets are stored in the lowest memory addresses, then that nearly
++                    break;
-+ * matches QEMU's representation, which is to use an array of host-endian
++                }
-+ * uint64_t's, where the lower offsets are at the lower indices. To complete
++                /* fall through */
-+ * the translation we just need to byte swap the uint64_t's on big-endian hosts.
++            case 0:
-+ */
++            case 2:
-+static uint64_t *sve_bswap64(uint64_t *dst, uint64_t *src, int nr)
++                return 0;
-+{
++            }
-+#ifdef HOST_WORDS_BIGENDIAN
++        } else if (arm_is_el2_enabled(env)) {
-+    int i;
++            if (env->cp15.cptr_el[2] & CPTR_TZ) {
-+
++                return 2;
-+    for (i = 0; i < nr; ++i) {
++            }
-+        dst[i] = bswap64(src[i]);
++            if (env->cp15.cptr_el[2] & CPTR_TFP) {
-     }
++                return 0;
++            }
 -    reg.addr = (uintptr_t)(&fpr);
 -    fpr = vfp_get_fpcr(env);
 -    reg.id = AARCH64_SIMD_CTRL_REG(fp_regs.fpcr);
 +    return dst;
 +#else
 +    return src;
 +#endif
 +}
 +
 +/*
 + * KVM SVE registers come in slices where ZREGs have a slice size of 2048 bits
 + * and PREGS and the FFR have a slice size of 256 bits. However we simply hard
 + * code the slice index to zero for now as it's unlikely we'll need more than
 + * one slice for quite some time.
 + */
 +static int kvm_arch_put_sve(CPUState *cs)
 +{
 +    ARMCPU *cpu = ARM_CPU(cs);
 +    CPUARMState *env = &cpu->env;
 +    uint64_t tmp[ARM_MAX_VQ * 2];
 +    uint64_t *r;
 +    struct kvm_one_reg reg;
 +    int n, ret;
 +
 +    for (n = 0; n < KVM_ARM64_SVE_NUM_ZREGS; ++n) {
 +        r = sve_bswap64(tmp, &env->vfp.zregs[n].d[0], cpu->sve_max_vq * 2);
 +        reg.addr = (uintptr_t)r;
 +        reg.id = KVM_REG_ARM64_SVE_ZREG(n, 0);
 +        ret = kvm_vcpu_ioctl(cs, KVM_SET_ONE_REG, &reg);
 +        if (ret) {
 +            return ret;
 +        }
 +    }
 +
 +    for (n = 0; n < KVM_ARM64_SVE_NUM_PREGS; ++n) {
 +        r = sve_bswap64(tmp, r = &env->vfp.pregs[n].p[0],
 +                        DIV_ROUND_UP(cpu->sve_max_vq * 2, 8));
 +        reg.addr = (uintptr_t)r;
 +        reg.id = KVM_REG_ARM64_SVE_PREG(n, 0);
 +        ret = kvm_vcpu_ioctl(cs, KVM_SET_ONE_REG, &reg);
 +        if (ret) {
 +            return ret;
 +        }
 +    }
 +
 +    r = sve_bswap64(tmp, &env->vfp.pregs[FFR_PRED_NUM].p[0],
 +                    DIV_ROUND_UP(cpu->sve_max_vq * 2, 8));
 +    reg.addr = (uintptr_t)r;
 +    reg.id = KVM_REG_ARM64_SVE_FFR(0);
      ret = kvm_vcpu_ioctl(cs, KVM_SET_ONE_REG, &reg);
      if (ret) {
          return ret;
@@ -XXX,XX +XXX,XX @@ int kvm_arch_put_registers(CPUState *cs, int level)
  {
      struct kvm_one_reg reg;
      uint64_t val;
 +    uint32_t fpr;
      int i, ret;
      unsigned int el;
@@ -XXX,XX +XXX,XX @@ int kvm_arch_put_registers(CPUState *cs, int level)
          }
      }
--    ret = kvm_arch_put_fpsimd(cs);
+@@ -XXX,XX +XXX,XX @@ uint32_t HELPER(crc32c)(uint32_t acc, uint32_t val, uint32_t bytes)
-+    if (cpu_isar_feature(aa64_sve, cpu)) {
+ int fp_exception_el(CPUARMState *env, int cur_el)
-+        ret = kvm_arch_put_sve(cs);
+ {
-+    } else {
+ #ifndef CONFIG_USER_ONLY
-+        ret = kvm_arch_put_fpsimd(cs);
++    uint64_t hcr_el2;
 +    }
 +    if (ret) {
 +        return ret;
 +    }
 +
-+    reg.addr = (uintptr_t)(&fpr);
+     /* CPACR and the CPTR registers don't exist before v6, so FP is
-+    fpr = vfp_get_fpsr(env);
+      * always accessible
-+    reg.id = AARCH64_SIMD_CTRL_REG(fp_regs.fpsr);
+      */
-+    ret = kvm_vcpu_ioctl(cs, KVM_SET_ONE_REG, &reg);
+@@ -XXX,XX +XXX,XX @@ int fp_exception_el(CPUARMState *env, int cur_el)
-+    if (ret) {
+         return 0;
-+        return ret;
+     }
-+    }
 +    hcr_el2 = arm_hcr_el2_eff(env);
 +
-+    reg.addr = (uintptr_t)(&fpr);
+     /* The CPACR controls traps to EL1, or PL1 if we're 32 bit:
-+    fpr = vfp_get_fpcr(env);
+      * 0, 2 : trap EL0 and EL1/PL1 accesses
-+    reg.id = AARCH64_SIMD_CTRL_REG(fp_regs.fpcr);
+      * 1    : trap only EL0 accesses
-+    ret = kvm_vcpu_ioctl(cs, KVM_SET_ONE_REG, &reg);
+      * 3    : trap no accesses
-     if (ret) {
+      * This register is ignored if E2H+TGE are both set.
-         return ret;
+      */
-     }
+-    if ((arm_hcr_el2_eff(env) & (HCR_E2H | HCR_TGE)) != (HCR_E2H | HCR_TGE)) {
-@@ -XXX,XX +XXX,XX @@ int kvm_arch_put_registers(CPUState *cs, int level)
++    if ((hcr_el2 & (HCR_E2H | HCR_TGE)) != (HCR_E2H | HCR_TGE)) {
+         int fpen = extract32(env->cp15.cpacr_el1, 20, 2);
- static int kvm_arch_get_fpsimd(CPUState *cs)
- {
+         switch (fpen) {
--    ARMCPU *cpu = ARM_CPU(cs);
+@@ -XXX,XX +XXX,XX @@ int fp_exception_el(CPUARMState *env, int cur_el)
 -    CPUARMState *env = &cpu->env;
 +    CPUARMState *env = &ARM_CPU(cs)->env;
      struct kvm_one_reg reg;
 -    uint32_t fpr;
      int i, ret;
      for (i = 0; i < 32; i++) {
@@ -XXX,XX +XXX,XX @@ static int kvm_arch_get_fpsimd(CPUState *cs)
          }
      }
--    reg.addr = (uintptr_t)(&fpr);
+-    /* For the CPTR registers we don't need to guard with an ARM_FEATURE
--    reg.id = AARCH64_SIMD_CTRL_REG(fp_regs.fpsr);
+-     * check because zero bits in the registers mean "don't trap".
--    ret = kvm_vcpu_ioctl(cs, KVM_GET_ONE_REG, &reg);
++    /*
--    if (ret) {
++     * CPTR_EL2 is present in v7VE or v8, and changes format
--        return ret;
++     * with HCR_EL2.E2H (regardless of TGE).
--    }
+      */
--    vfp_set_fpsr(env, fpr);
+-
-+    return 0;
+-    /* CPTR_EL2 : present in v7VE or v8 */
-+}
+-    if (cur_el <= 2 && extract32(env->cp15.cptr_el[2], 10, 1)
+-        && arm_is_el2_enabled(env)) {
--    reg.addr = (uintptr_t)(&fpr);
+-        /* Trap FP ops at EL2, NS-EL1 or NS-EL0 to EL2 */
--    reg.id = AARCH64_SIMD_CTRL_REG(fp_regs.fpcr);
+-        return 2;
-+/*
++    if (cur_el <= 2) {
-+ * KVM SVE registers come in slices where ZREGs have a slice size of 2048 bits
++        if (hcr_el2 & HCR_E2H) {
-+ * and PREGS and the FFR have a slice size of 256 bits. However we simply hard
++            /* Check CPTR_EL2.FPEN.  */
-+ * code the slice index to zero for now as it's unlikely we'll need more than
++            switch (extract32(env->cp15.cptr_el[2], 20, 2)) {
-+ * one slice for quite some time.
++            case 1:
-+ */
++                if (cur_el != 0 || !(hcr_el2 & HCR_TGE)) {
-+static int kvm_arch_get_sve(CPUState *cs)
++                    break;
-+{
++                }
-+    ARMCPU *cpu = ARM_CPU(cs);
++                /* fall through */
-+    CPUARMState *env = &cpu->env;
++            case 0:
-+    struct kvm_one_reg reg;
++            case 2:
-+    uint64_t *r;
++                return 2;
-+    int n, ret;
++            }
-+
++        } else if (arm_is_el2_enabled(env)) {
-+    for (n = 0; n < KVM_ARM64_SVE_NUM_ZREGS; ++n) {
++            if (env->cp15.cptr_el[2] & CPTR_TFP) {
-+        r = &env->vfp.zregs[n].d[0];
++                return 2;
-+        reg.addr = (uintptr_t)r;
++            }
 +        reg.id = KVM_REG_ARM64_SVE_ZREG(n, 0);
 +        ret = kvm_vcpu_ioctl(cs, KVM_GET_ONE_REG, &reg);
 +        if (ret) {
 +            return ret;
 +        }
-+        sve_bswap64(r, r, cpu->sve_max_vq * 2);
-+    }
-+
-+    for (n = 0; n < KVM_ARM64_SVE_NUM_PREGS; ++n) {
-+        r = &env->vfp.pregs[n].p[0];
-+        reg.addr = (uintptr_t)r;
-+        reg.id = KVM_REG_ARM64_SVE_PREG(n, 0);
-+        ret = kvm_vcpu_ioctl(cs, KVM_GET_ONE_REG, &reg);
-+        if (ret) {
-+            return ret;
-+        }
-+        sve_bswap64(r, r, DIV_ROUND_UP(cpu->sve_max_vq * 2, 8));
-+    }
-+
-+    r = &env->vfp.pregs[FFR_PRED_NUM].p[0];
-+    reg.addr = (uintptr_t)r;
-+    reg.id = KVM_REG_ARM64_SVE_FFR(0);
-     ret = kvm_vcpu_ioctl(cs, KVM_GET_ONE_REG, &reg);
-     if (ret) {
-         return ret;
      }
--    vfp_set_fpcr(env, fpr);
-+    sve_bswap64(r, r, DIV_ROUND_UP(cpu->sve_max_vq * 2, 8));
+     /* CPTR_EL3 : present in v8 */
      return 0;
  }
@@ -XXX,XX +XXX,XX @@ int kvm_arch_get_registers(CPUState *cs)
      struct kvm_one_reg reg;
      uint64_t val;
      unsigned int el;
 +    uint32_t fpr;
      int i, ret;
      ARMCPU *cpu = ARM_CPU(cs);
@@ -XXX,XX +XXX,XX @@ int kvm_arch_get_registers(CPUState *cs)
          env->spsr = env->banked_spsr[i];
      }
 -    ret = kvm_arch_get_fpsimd(cs);
 +    if (cpu_isar_feature(aa64_sve, cpu)) {
 +        ret = kvm_arch_get_sve(cs);
 +    } else {
 +        ret = kvm_arch_get_fpsimd(cs);
 +    }
      if (ret) {
          return ret;
      }
 +    reg.addr = (uintptr_t)(&fpr);
 +    reg.id = AARCH64_SIMD_CTRL_REG(fp_regs.fpsr);
 +    ret = kvm_vcpu_ioctl(cs, KVM_GET_ONE_REG, &reg);
 +    if (ret) {
 +        return ret;
 +    }
 +    vfp_set_fpsr(env, fpr);
 +
 +    reg.addr = (uintptr_t)(&fpr);
 +    reg.id = AARCH64_SIMD_CTRL_REG(fp_regs.fpcr);
 +    ret = kvm_vcpu_ioctl(cs, KVM_GET_ONE_REG, &reg);
 +    if (ret) {
 +        return ret;
 +    }
 +    vfp_set_fpcr(env, fpr);
 +
      ret = kvm_get_vcpu_events(cpu);
      if (ret) {
          return ret;
 --
-.20.1
+.25.1

-New patch
+[PULL 04/39] target/arm: Use CPTR_TFP with CPTR_EL3 in fp_exception_el
+From: Richard Henderson <richard.henderson@linaro.org>
+Use the named bit rather than a bare extract32.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Zenghui Yu <yuzenghui@huawei.com>
+Message-id: 20220127063428.30212-5-richard.henderson@linaro.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/helper.c | 2 +-
+file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/target/arm/helper.c b/target/arm/helper.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/helper.c
++++ b/target/arm/helper.c
+@@ -XXX,XX +XXX,XX @@ int fp_exception_el(CPUARMState *env, int cur_el)
+     }
+     /* CPTR_EL3 : present in v8 */
+-    if (extract32(env->cp15.cptr_el[3], 10, 1)) {
++    if (env->cp15.cptr_el[3] & CPTR_TFP) {
+         /* Trap all FP ops to EL3 */
+         return 3;
+     }
+--
+.25.1

-New patch
+[PULL 05/39] hw/arm/xlnx-zynqmp: 'Or' the QSPI / QSPI DMA IRQs
+From: Francisco Iglesias <francisco.iglesias@xilinx.com>
+'Or' the IRQs coming from the QSPI and QSPI DMA models. This is done for
+avoiding the situation where one of the models incorrectly deasserts an
+interrupt asserted from the other model (which will result in that the IRQ
+is lost and will not reach guest SW).
+Signed-off-by: Francisco Iglesias <francisco.iglesias@xilinx.com>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Luc Michel <luc@lmichel.fr>
+Message-id: 20220203151742.1457-1-francisco.iglesias@xilinx.com
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ include/hw/arm/xlnx-zynqmp.h |  2 ++
+ hw/arm/xlnx-zynqmp.c         | 14 ++++++++++++--
+files changed, 14 insertions(+), 2 deletions(-)
+diff --git a/include/hw/arm/xlnx-zynqmp.h b/include/hw/arm/xlnx-zynqmp.h
+index XXXXXXX..XXXXXXX 100644
+--- a/include/hw/arm/xlnx-zynqmp.h
++++ b/include/hw/arm/xlnx-zynqmp.h
+@@ -XXX,XX +XXX,XX @@
+ #include "hw/dma/xlnx_csu_dma.h"
+ #include "hw/nvram/xlnx-bbram.h"
+ #include "hw/nvram/xlnx-zynqmp-efuse.h"
++#include "hw/or-irq.h"
+ #define TYPE_XLNX_ZYNQMP "xlnx-zynqmp"
+ OBJECT_DECLARE_SIMPLE_TYPE(XlnxZynqMPState, XLNX_ZYNQMP)
+@@ -XXX,XX +XXX,XX @@ struct XlnxZynqMPState {
+     XlnxZDMA gdma[XLNX_ZYNQMP_NUM_GDMA_CH];
+     XlnxZDMA adma[XLNX_ZYNQMP_NUM_ADMA_CH];
+     XlnxCSUDMA qspi_dma;
++    qemu_or_irq qspi_irq_orgate;
+     char *boot_cpu;
+     ARMCPU *boot_cpu_ptr;
+diff --git a/hw/arm/xlnx-zynqmp.c b/hw/arm/xlnx-zynqmp.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/xlnx-zynqmp.c
++++ b/hw/arm/xlnx-zynqmp.c
+@@ -XXX,XX +XXX,XX @@
+ #define LQSPI_ADDR          0xc0000000
+ #define QSPI_IRQ            15
+ #define QSPI_DMA_ADDR       0xff0f0800
++#define NUM_QSPI_IRQ_LINES  2
+ #define DP_ADDR             0xfd4a0000
+ #define DP_IRQ              113
+@@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_init(Object *obj)
+     }
+     object_initialize_child(obj, "qspi-dma", &s->qspi_dma, TYPE_XLNX_CSU_DMA);
++    object_initialize_child(obj, "qspi-irq-orgate",
++                            &s->qspi_irq_orgate, TYPE_OR_IRQ);
+ }
+ static void xlnx_zynqmp_realize(DeviceState *dev, Error **errp)
+@@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_realize(DeviceState *dev, Error **errp)
+                            gic_spi[adma_ch_intr[i]]);
+     }
++    object_property_set_int(OBJECT(&s->qspi_irq_orgate),
++                            "num-lines", NUM_QSPI_IRQ_LINES, &error_fatal);
++    qdev_realize(DEVICE(&s->qspi_irq_orgate), NULL, &error_fatal);
++    qdev_connect_gpio_out(DEVICE(&s->qspi_irq_orgate), 0, gic_spi[QSPI_IRQ]);
++
+     if (!object_property_set_link(OBJECT(&s->qspi_dma), "dma",
+                                   OBJECT(system_memory), errp)) {
+         return;
+@@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_realize(DeviceState *dev, Error **errp)
+     }
+     sysbus_mmio_map(SYS_BUS_DEVICE(&s->qspi_dma), 0, QSPI_DMA_ADDR);
+-    sysbus_connect_irq(SYS_BUS_DEVICE(&s->qspi_dma), 0, gic_spi[QSPI_IRQ]);
++    sysbus_connect_irq(SYS_BUS_DEVICE(&s->qspi_dma), 0,
++                       qdev_get_gpio_in(DEVICE(&s->qspi_irq_orgate), 0));
+     if (!object_property_set_link(OBJECT(&s->qspi), "stream-connected-dma",
+                                   OBJECT(&s->qspi_dma), errp)) {
+@@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_realize(DeviceState *dev, Error **errp)
+     }
+     sysbus_mmio_map(SYS_BUS_DEVICE(&s->qspi), 0, QSPI_ADDR);
+     sysbus_mmio_map(SYS_BUS_DEVICE(&s->qspi), 1, LQSPI_ADDR);
+-    sysbus_connect_irq(SYS_BUS_DEVICE(&s->qspi), 0, gic_spi[QSPI_IRQ]);
++    sysbus_connect_irq(SYS_BUS_DEVICE(&s->qspi), 0,
++                       qdev_get_gpio_in(DEVICE(&s->qspi_irq_orgate), 1));
+     for (i = 0; i < XLNX_ZYNQMP_NUM_QSPI_BUS; i++) {
+         g_autofree gchar *bus_name = g_strdup_printf("qspi%d", i);
+--
+.25.1

-[PULL 03/11] target/arm: Allow SVE to be disabled via a CPU property
+[PULL 06/39] target/arm: make psci-conduit settable after realize
-From: Andrew Jones <drjones@redhat.com>
+We want to allow the psci-conduit property to be set after realize,
 because the parts of the code which are best placed to decide if it's
 OK to enable QEMU's builtin PSCI emulation (the board code and the
 arm_load_kernel() function are distant from the code which creates
 and realizes CPUs (typically inside an SoC object's init and realize
 method) and run afterwards.
-Since 97a28b0eeac14 ("target/arm: Allow VFP and Neon to be disabled via
+Since the DEFINE_PROP_* macros don't have support for creating
-a CPU property") we can disable the 'max' cpu model's VFP and neon
+properties which can be changed after realize, change the property to
-features, but there's no way to disable SVE. Add the 'sve=on|off'
+be created with object_property_add_uint32_ptr(), which is what we
-property to give it that flexibility. We also rename
+already use in this function for creating settable-after-realize
-cpu_max_get/set_sve_vq to cpu_max_get/set_sve_max_vq in order for them
+properties like init-svtor and init-nsvtor.
 to follow the typical *_get/set_<property-name> pattern.
-Signed-off-by: Andrew Jones <drjones@redhat.com>
+Note that it doesn't conceptually make sense to change the setting of
 the property after the machine has been completely initialized,
 beacuse this would mean that the behaviour of the machine when first
 started would differ from its behaviour when the system is
 subsequently reset.  (It would also require the underlying state to
 be migrated, which we don't do.)
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
-Tested-by: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com>
+Tested-by: Cédric Le Goater <clg@kaod.org>
-Reviewed-by: Beata Michalska <beata.michalska@linaro.org>
+Message-id: 20220127154639.2090164-2-peter.maydell@linaro.org
 Message-id: 20191031142734.8590-4-drjones@redhat.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/cpu.c         |  3 ++-
+ target/arm/cpu.c | 6 +++++-
- target/arm/cpu64.c       | 52 ++++++++++++++++++++++++++++++++++------
+file changed, 5 insertions(+), 1 deletion(-)
  target/arm/monitor.c     |  2 +-
  tests/arm-cpu-features.c |  1 +
 files changed, 49 insertions(+), 9 deletions(-)
 diff --git a/target/arm/cpu.c b/target/arm/cpu.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.c
 +++ b/target/arm/cpu.c
-@@ -XXX,XX +XXX,XX @@ static void arm_cpu_reset(CPUState *s)
+@@ -XXX,XX +XXX,XX @@ void arm_cpu_post_init(Object *obj)
-         env->cp15.cpacr_el1 = deposit64(env->cp15.cpacr_el1, 16, 2, 3);
+                                        OBJ_PROP_FLAG_READWRITE);
-         env->cp15.cptr_el[3] |= CPTR_EZ;
+     }
-         /* with maximum vector length */
--        env->vfp.zcr_el[1] = cpu->sve_max_vq - 1;
++    /* Not DEFINE_PROP_UINT32: we want this to be settable after realize */
-+        env->vfp.zcr_el[1] = cpu_isar_feature(aa64_sve, cpu) ?
++    object_property_add_uint32_ptr(obj, "psci-conduit",
-+                             cpu->sve_max_vq - 1 : 0;
++                                   &cpu->psci_conduit,
-         env->vfp.zcr_el[2] = env->vfp.zcr_el[1];
++                                   OBJ_PROP_FLAG_READWRITE);
-         env->vfp.zcr_el[3] = env->vfp.zcr_el[1];
++
-         /*
+     qdev_property_add_static(DEVICE(obj), &arm_cpu_cfgend_property);
-diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
-index XXXXXXX..XXXXXXX 100644
+     if (arm_feature(&cpu->env, ARM_FEATURE_GENERIC_TIMER)) {
---- a/target/arm/cpu64.c
+@@ -XXX,XX +XXX,XX @@ static ObjectClass *arm_cpu_class_by_name(const char *cpu_model)
 +++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_a72_initfn(Object *obj)
      define_arm_cp_regs(cpu, cortex_a72_a57_a53_cp_reginfo);
  }
--static void cpu_max_get_sve_vq(Object *obj, Visitor *v, const char *name,
+ static Property arm_cpu_properties[] = {
--                               void *opaque, Error **errp)
+-    DEFINE_PROP_UINT32("psci-conduit", ARMCPU, psci_conduit, 0),
-+static void cpu_max_get_sve_max_vq(Object *obj, Visitor *v, const char *name,
+     DEFINE_PROP_UINT64("midr", ARMCPU, midr, 0),
-+                                   void *opaque, Error **errp)
+     DEFINE_PROP_UINT64("mp-affinity", ARMCPU,
- {
+                         mp_affinity, ARM64_AFFINITY_INVALID),
      ARMCPU *cpu = ARM_CPU(obj);
 -    visit_type_uint32(v, name, &cpu->sve_max_vq, errp);
 +    uint32_t value;
 +
 +    /* All vector lengths are disabled when SVE is off. */
 +    if (!cpu_isar_feature(aa64_sve, cpu)) {
 +        value = 0;
 +    } else {
 +        value = cpu->sve_max_vq;
 +    }
 +    visit_type_uint32(v, name, &value, errp);
  }
 -static void cpu_max_set_sve_vq(Object *obj, Visitor *v, const char *name,
 -                               void *opaque, Error **errp)
 +static void cpu_max_set_sve_max_vq(Object *obj, Visitor *v, const char *name,
 +                                   void *opaque, Error **errp)
  {
      ARMCPU *cpu = ARM_CPU(obj);
      Error *err = NULL;
@@ -XXX,XX +XXX,XX @@ static void cpu_max_set_sve_vq(Object *obj, Visitor *v, const char *name,
      error_propagate(errp, err);
  }
 +static void cpu_arm_get_sve(Object *obj, Visitor *v, const char *name,
 +                            void *opaque, Error **errp)
 +{
 +    ARMCPU *cpu = ARM_CPU(obj);
 +    bool value = cpu_isar_feature(aa64_sve, cpu);
 +
 +    visit_type_bool(v, name, &value, errp);
 +}
 +
 +static void cpu_arm_set_sve(Object *obj, Visitor *v, const char *name,
 +                            void *opaque, Error **errp)
 +{
 +    ARMCPU *cpu = ARM_CPU(obj);
 +    Error *err = NULL;
 +    bool value;
 +    uint64_t t;
 +
 +    visit_type_bool(v, name, &value, &err);
 +    if (err) {
 +        error_propagate(errp, err);
 +        return;
 +    }
 +
 +    t = cpu->isar.id_aa64pfr0;
 +    t = FIELD_DP64(t, ID_AA64PFR0, SVE, value);
 +    cpu->isar.id_aa64pfr0 = t;
 +}
 +
  /* -cpu max: if KVM is enabled, like -cpu host (best possible with this host);
   * otherwise, a CPU with as many features enabled as our emulation supports.
   * The version of '-cpu max' for qemu-system-arm is defined in cpu.c;
@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
  #endif
          cpu->sve_max_vq = ARM_MAX_VQ;
 -        object_property_add(obj, "sve-max-vq", "uint32", cpu_max_get_sve_vq,
 -                            cpu_max_set_sve_vq, NULL, NULL, &error_fatal);
 +        object_property_add(obj, "sve-max-vq", "uint32", cpu_max_get_sve_max_vq,
 +                            cpu_max_set_sve_max_vq, NULL, NULL, &error_fatal);
 +        object_property_add(obj, "sve", "bool", cpu_arm_get_sve,
 +                            cpu_arm_set_sve, NULL, NULL, &error_fatal);
      }
  }
 diff --git a/target/arm/monitor.c b/target/arm/monitor.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/monitor.c
 +++ b/target/arm/monitor.c
@@ -XXX,XX +XXX,XX @@ GICCapabilityList *qmp_query_gic_capabilities(Error **errp)
   * then the order that considers those dependencies must be used.
   */
  static const char *cpu_model_advertised_features[] = {
 -    "aarch64", "pmu",
 +    "aarch64", "pmu", "sve",
      NULL
  };
 diff --git a/tests/arm-cpu-features.c b/tests/arm-cpu-features.c
 index XXXXXXX..XXXXXXX 100644
 --- a/tests/arm-cpu-features.c
 +++ b/tests/arm-cpu-features.c
@@ -XXX,XX +XXX,XX @@ static void test_query_cpu_model_expansion(const void *data)
      if (g_str_equal(qtest_get_arch(), "aarch64")) {
          assert_has_feature(qts, "max", "aarch64");
 +        assert_has_feature(qts, "max", "sve");
          assert_has_feature(qts, "cortex-a57", "pmu");
          assert_has_feature(qts, "cortex-a57", "aarch64");
 --
-.20.1
+.25.1

-New patch
+[PULL 07/39] cpu.c: Make start-powered-off settable after realize
+The CPU object's start-powered-off property is currently only
+settable before the CPU object is realized.  For arm machines this is
+awkward, because we would like to decide whether the CPU should be
+powered-off based on how we are booting the guest code, which is
+something done in the machine model code and in common code called by
+the machine model, which runs much later and in completely different
+parts of the codebase from the SoC object code that is responsible
+for creating and realizing the CPU objects.
+Allow start-powered-off to be set after realize.  Since this isn't
+something that's supported by the DEFINE_PROP_* macros, we have to
+switch the property definition to use the
+object_class_property_add_bool() function.
+Note that it doesn't conceptually make sense to change the setting of
+the property after the machine has been completely initialized,
+beacuse this would mean that the behaviour of the machine when first
+started would differ from its behaviour when the system is
+subsequently reset.  (It would also require the underlying state to
+be migrated, which we don't do.)
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+Tested-by: Cédric Le Goater <clg@kaod.org>
+Message-id: 20220127154639.2090164-3-peter.maydell@linaro.org
+---
+ cpu.c | 22 +++++++++++++++++++++-
+file changed, 21 insertions(+), 1 deletion(-)
+diff --git a/cpu.c b/cpu.c
+index XXXXXXX..XXXXXXX 100644
+--- a/cpu.c
++++ b/cpu.c
+@@ -XXX,XX +XXX,XX @@ static Property cpu_common_props[] = {
+     DEFINE_PROP_LINK("memory", CPUState, memory, TYPE_MEMORY_REGION,
+                      MemoryRegion *),
+ #endif
+-    DEFINE_PROP_BOOL("start-powered-off", CPUState, start_powered_off, false),
+     DEFINE_PROP_END_OF_LIST(),
+ };
++static bool cpu_get_start_powered_off(Object *obj, Error **errp)
++{
++    CPUState *cpu = CPU(obj);
++    return cpu->start_powered_off;
++}
++
++static void cpu_set_start_powered_off(Object *obj, bool value, Error **errp)
++{
++    CPUState *cpu = CPU(obj);
++    cpu->start_powered_off = value;
++}
++
+ void cpu_class_init_props(DeviceClass *dc)
+ {
++    ObjectClass *oc = OBJECT_CLASS(dc);
++
+     device_class_set_props(dc, cpu_common_props);
++    /*
++     * We can't use DEFINE_PROP_BOOL in the Property array for this
++     * property, because we want this to be settable after realize.
++     */
++    object_class_property_add_bool(oc, "start-powered-off",
++                                   cpu_get_start_powered_off,
++                                   cpu_set_start_powered_off);
+ }
+ void cpu_exec_initfn(CPUState *cpu)
+--
+.25.1

-[PULL 01/11] target/arm/monitor: Introduce qmp_query_cpu_model_expansion
+[PULL 08/39] hw/arm/boot: Support setting psci-conduit based on guest EL
-From: Andrew Jones <drjones@redhat.com>
+Currently we expect board code to set the psci-conduit property on
 CPUs and ensure that secondary CPUs are created with the
 start-powered-off property set to false, if the board wishes to use
 QEMU's builtin PSCI emulation.  This worked OK for the virt board
 where we first wanted to use it, because the virt board directly
 creates its CPUs and is in a reasonable position to set those
 properties.  For other boards which model real hardware and use a
 separate SoC object, however, it is more awkward.  Most PSCI-using
 boards just set the psci-conduit board unconditionally.
-Add support for the query-cpu-model-expansion QMP command to Arm. We
+This was never strictly speaking correct (because you would not be
-do this selectively, only exposing CPU properties which represent
+able to run EL3 guest firmware that itself provided the PSCI
-optional CPU features which the user may want to enable/disable.
+interface, as the QEMU implementation would overrule it), but mostly
-Additionally we restrict the list of queryable cpu models to 'max',
+worked in practice because for non-PSCI SMC calls QEMU would emulate
-'host', or the current type when KVM is in use. And, finally, we only
+the SMC instruction as normal (by trapping to guest EL3).  However,
-implement expansion type 'full', as Arm does not yet have a "base"
+we would like to make our PSCI emulation follow the part of the SMCC
-CPU type. More details and example queries are described in a new
+specification that mandates that SMC calls with unknown function
-document (docs/arm-cpu-features.rst).
+identifiers return a failure code, which means that all SMC calls
 will be handled by the PSCI code and the "emulate as normal" path
 will no longer be taken.
-Note, certainly more features may be added to the list of advertised
+We tried to implement that in commit 9fcd15b9193e81
-features, e.g. 'vfp' and 'neon'. The only requirement is that we can
+("arm: tcg: Adhere to SMCCC 1.3 section 5.2"), but this
-detect invalid configurations and emit failures at QMP query time.
+regressed attempts to run EL3 guest code on the affected boards:
-For 'vfp' and 'neon' this will require some refactoring to share a
+ * mcimx6ul-evk, mcimx7d-sabre, orangepi, xlnx-zcu102
-validation function between the QMP query and the CPU realize
+ * for the case only of EL3 code loaded via -kernel (and
-functions.
+   not via -bios or -pflash), virt and xlnx-versal-virt
 so for the 7.0 release we reverted it (in commit 4825eaae4fdd56f).
-Signed-off-by: Andrew Jones <drjones@redhat.com>
+This commit provides a mechanism that boards can use to arrange that
 psci-conduit is set if running guest code at a low enough EL but not
 if it would be running at the same EL that the conduit implies that
 the QEMU PSCI implementation is using.  (Later commits will convert
 individual board models to use this mechanism.)
 We do this by moving the setting of the psci-conduit and
 start-powered-off properties to arm_load_kernel().  Boards which want
 to potentially use emulated PSCI must set a psci_conduit field in the
 arm_boot_info struct to the type of conduit they want to use (SMC or
 HVC); arm_load_kernel() will then set the CPUs up accordingly if it
 is not going to start the guest code at the same or higher EL as the
 fake QEMU firmware would be at.
 Board/SoC code which uses this mechanism should no longer set the CPU
 psci-conduit property directly.  It should only set the
 start-powered-off property for secondaries if EL3 guest firmware
 running bare metal expects that rather than the alternative "all CPUs
 start executing the firmware at once".
 Note that when calculating whether we are going to run guest
 code at EL3, we ignore the setting of arm_boot_info::secure_board_setup,
 which might cause us to run a stub bit of guest code at EL3 which
 does some board-specific setup before dropping to EL2 or EL1 to
 run the guest kernel. This is OK because only one board that
 enables PSCI sets secure_board_setup (the highbank board), and
 the stub code it writes will behave the same way whether the
 one SMC call it makes is handled by "emulate the SMC" or by
 "PSCI default returns an error code". So we can leave that stub
 code in place until after we've changed the PSCI default behaviour;
 at that point we will remove it.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
-Reviewed-by: Beata Michalska <beata.michalska@linaro.org>
+Tested-by: Cédric Le Goater <clg@kaod.org>
-Message-id: 20191031142734.8590-2-drjones@redhat.com
+Message-id: 20220127154639.2090164-4-peter.maydell@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- qapi/machine-target.json  |   6 +-
+ include/hw/arm/boot.h | 10 +++++++++
- target/arm/monitor.c      | 146 ++++++++++++++++++++++++++++++++++++++
+ hw/arm/boot.c         | 50 +++++++++++++++++++++++++++++++++++++++++++
- docs/arm-cpu-features.rst | 137 +++++++++++++++++++++++++++++++++++
+files changed, 60 insertions(+)
 files changed, 286 insertions(+), 3 deletions(-)
  create mode 100644 docs/arm-cpu-features.rst
-diff --git a/qapi/machine-target.json b/qapi/machine-target.json
+diff --git a/include/hw/arm/boot.h b/include/hw/arm/boot.h
 index XXXXXXX..XXXXXXX 100644
---- a/qapi/machine-target.json
+--- a/include/hw/arm/boot.h
-+++ b/qapi/machine-target.json
++++ b/include/hw/arm/boot.h
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ struct arm_boot_info {
- ##
+      * the user it should implement this hook.
- { 'struct': 'CpuModelExpansionInfo',
+      */
-   'data': { 'model': 'CpuModelInfo' },
+     void (*modify_dtb)(const struct arm_boot_info *info, void *fdt);
--  'if': 'defined(TARGET_S390X) || defined(TARGET_I386)' }
++    /*
-+  'if': 'defined(TARGET_S390X) || defined(TARGET_I386) || defined(TARGET_ARM)' }
++     * If a board wants to use the QEMU emulated-firmware PSCI support,
++     * it should set this to QEMU_PSCI_CONDUIT_HVC or QEMU_PSCI_CONDUIT_SMC
- ##
++     * as appropriate. arm_load_kernel() will set the psci-conduit and
- # @query-cpu-model-expansion:
++     * start-powered-off properties on the CPUs accordingly.
-@@ -XXX,XX +XXX,XX @@
++     * Note that if the guest image is started at the same exception level
- #   query-cpu-model-expansion while using these is not advised.
++     * as the conduit specifies calls should go to (eg guest firmware booted
- #
++     * to EL3) then PSCI will not be enabled.
- # Some architectures may not support all expansion types. s390x supports
++     */
--# "full" and "static".
++    int psci_conduit;
-+# "full" and "static". Arm only supports "full".
+     /* Used internally by arm_boot.c */
- #
+     int is_linux;
- # Returns: a CpuModelExpansionInfo. Returns an error if expanding CPU models is
+     hwaddr initrd_start;
- #          not supported, if the model cannot be expanded, if the model contains
+diff --git a/hw/arm/boot.c b/hw/arm/boot.c
@@ -XXX,XX +XXX,XX @@
    'data': { 'type': 'CpuModelExpansionType',
              'model': 'CpuModelInfo' },
    'returns': 'CpuModelExpansionInfo',
 -  'if': 'defined(TARGET_S390X) || defined(TARGET_I386)' }
 +  'if': 'defined(TARGET_S390X) || defined(TARGET_I386) || defined(TARGET_ARM)' }
  ##
  # @CpuDefinitionInfo:
 diff --git a/target/arm/monitor.c b/target/arm/monitor.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/monitor.c
+--- a/hw/arm/boot.c
-+++ b/target/arm/monitor.c
++++ b/hw/arm/boot.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, MachineState *ms, struct arm_boot_info *info)
   */
  #include "qemu/osdep.h"
 +#include "hw/boards.h"
  #include "kvm_arm.h"
 +#include "qapi/error.h"
 +#include "qapi/visitor.h"
 +#include "qapi/qobject-input-visitor.h"
 +#include "qapi/qapi-commands-machine-target.h"
  #include "qapi/qapi-commands-misc-target.h"
 +#include "qapi/qmp/qerror.h"
 +#include "qapi/qmp/qdict.h"
 +#include "qom/qom-qobject.h"
  static GICCapability *gic_cap_new(int version)
  {
-@@ -XXX,XX +XXX,XX @@ GICCapabilityList *qmp_query_gic_capabilities(Error **errp)
+     CPUState *cs;
+     AddressSpace *as = arm_boot_address_space(cpu, info);
-     return head;
++    int boot_el;
- }
++    CPUARMState *env = &cpu->env;
      /*
       * CPU objects (unlike devices) are not automatically reset on system
@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, MachineState *ms, struct arm_boot_info *info)
          arm_setup_direct_kernel_boot(cpu, info);
      }
 +    /*
 +     * Disable the PSCI conduit if it is set up to target the same
 +     * or a lower EL than the one we're going to start the guest code in.
 +     * This logic needs to agree with the code in do_cpu_reset() which
 +     * decides whether we're going to boot the guest in the highest
 +     * supported exception level or in a lower one.
 +     */
 +
-+/*
++    /* Boot into highest supported EL ... */
-+ * These are cpu model features we want to advertise. The order here
++    if (arm_feature(env, ARM_FEATURE_EL3)) {
-+ * matters as this is the order in which qmp_query_cpu_model_expansion
++        boot_el = 3;
-+ * will attempt to set them. If there are dependencies between features,
++    } else if (arm_feature(env, ARM_FEATURE_EL2)) {
-+ * then the order that considers those dependencies must be used.
++        boot_el = 2;
-+ */
++    } else {
-+static const char *cpu_model_advertised_features[] = {
++        boot_el = 1;
-+    "aarch64", "pmu",
++    }
-+    NULL
++    /* ...except that if we're booting Linux we adjust the EL we boot into */
-+};
++    if (info->is_linux && !info->secure_boot) {
-+
++        boot_el = arm_feature(env, ARM_FEATURE_EL2) ? 2 : 1;
 +CpuModelExpansionInfo *qmp_query_cpu_model_expansion(CpuModelExpansionType type,
 +                                                     CpuModelInfo *model,
 +                                                     Error **errp)
 +{
 +    CpuModelExpansionInfo *expansion_info;
 +    const QDict *qdict_in = NULL;
 +    QDict *qdict_out;
 +    ObjectClass *oc;
 +    Object *obj;
 +    const char *name;
 +    int i;
 +
 +    if (type != CPU_MODEL_EXPANSION_TYPE_FULL) {
 +        error_setg(errp, "The requested expansion type is not supported");
 +        return NULL;
 +    }
 +
-+    if (!kvm_enabled() && !strcmp(model->name, "host")) {
++    if ((info->psci_conduit == QEMU_PSCI_CONDUIT_HVC && boot_el >= 2) ||
-+        error_setg(errp, "The CPU type '%s' requires KVM", model->name);
++        (info->psci_conduit == QEMU_PSCI_CONDUIT_SMC && boot_el == 3)) {
-+        return NULL;
++        info->psci_conduit = QEMU_PSCI_CONDUIT_DISABLED;
 +    }
 +
-+    oc = cpu_class_by_name(TYPE_ARM_CPU, model->name);
++    if (info->psci_conduit != QEMU_PSCI_CONDUIT_DISABLED) {
-+    if (!oc) {
++        for (cs = first_cpu; cs; cs = CPU_NEXT(cs)) {
-+        error_setg(errp, "The CPU type '%s' is not a recognized ARM CPU type",
++            Object *cpuobj = OBJECT(cs);
 +                   model->name);
 +        return NULL;
 +    }
 +
-+    if (kvm_enabled()) {
++            object_property_set_int(cpuobj, "psci-conduit", info->psci_conduit,
-+        const char *cpu_type = current_machine->cpu_type;
++                                    &error_abort);
-+        int len = strlen(cpu_type) - strlen(ARM_CPU_TYPE_SUFFIX);
++            /*
-+        bool supported = false;
++             * Secondary CPUs start in PSCI powered-down state. Like the
-+
++             * code in do_cpu_reset(), we assume first_cpu is the primary
-+        if (!strcmp(model->name, "host") || !strcmp(model->name, "max")) {
++             * CPU.
-+            /* These are kvmarm's recommended cpu types */
++             */
-+            supported = true;
++            if (cs != first_cpu) {
-+        } else if (strlen(model->name) == len &&
++                object_property_set_bool(cpuobj, "start-powered-off", true,
-+                   !strncmp(model->name, cpu_type, len)) {
++                                         &error_abort);
-+            /* KVM is enabled and we're using this type, so it works. */
++            }
 +            supported = true;
 +        }
 +        if (!supported) {
 +            error_setg(errp, "We cannot guarantee the CPU type '%s' works "
 +                             "with KVM on this host", model->name);
 +            return NULL;
 +        }
 +    }
 +
-+    if (model->props) {
++    /*
-+        qdict_in = qobject_to(QDict, model->props);
++     * arm_load_dtb() may add a PSCI node so it must be called after we have
-+        if (!qdict_in) {
++     * decided whether to enable PSCI and set the psci-conduit CPU properties.
-+            error_setg(errp, QERR_INVALID_PARAMETER_TYPE, "props", "dict");
++     */
-+            return NULL;
+     if (!info->skip_dtb_autoload && have_dtb(info)) {
-+        }
+         if (arm_load_dtb(info->dtb_start, info, info->dtb_limit, as, ms) < 0) {
-+    }
+             exit(1);
 +
 +    obj = object_new(object_class_get_name(oc));
 +
 +    if (qdict_in) {
 +        Visitor *visitor;
 +        Error *err = NULL;
 +
 +        visitor = qobject_input_visitor_new(model->props);
 +        visit_start_struct(visitor, NULL, NULL, 0, &err);
 +        if (err) {
 +            visit_free(visitor);
 +            object_unref(obj);
 +            error_propagate(errp, err);
 +            return NULL;
 +        }
 +
 +        i = 0;
 +        while ((name = cpu_model_advertised_features[i++]) != NULL) {
 +            if (qdict_get(qdict_in, name)) {
 +                object_property_set(obj, visitor, name, &err);
 +                if (err) {
 +                    break;
 +                }
 +            }
 +        }
 +
 +        if (!err) {
 +            visit_check_struct(visitor, &err);
 +        }
 +        visit_end_struct(visitor, NULL);
 +        visit_free(visitor);
 +        if (err) {
 +            object_unref(obj);
 +            error_propagate(errp, err);
 +            return NULL;
 +        }
 +    }
 +
 +    expansion_info = g_new0(CpuModelExpansionInfo, 1);
 +    expansion_info->model = g_malloc0(sizeof(*expansion_info->model));
 +    expansion_info->model->name = g_strdup(model->name);
 +
 +    qdict_out = qdict_new();
 +
 +    i = 0;
 +    while ((name = cpu_model_advertised_features[i++]) != NULL) {
 +        ObjectProperty *prop = object_property_find(obj, name, NULL);
 +        if (prop) {
 +            Error *err = NULL;
 +            QObject *value;
 +
 +            assert(prop->get);
 +            value = object_property_get_qobject(obj, name, &err);
 +            assert(!err);
 +
 +            qdict_put_obj(qdict_out, name, value);
 +        }
 +    }
 +
 +    if (!qdict_size(qdict_out)) {
 +        qobject_unref(qdict_out);
 +    } else {
 +        expansion_info->model->props = QOBJECT(qdict_out);
 +        expansion_info->model->has_props = true;
 +    }
 +
 +    object_unref(obj);
 +
 +    return expansion_info;
 +}
 diff --git a/docs/arm-cpu-features.rst b/docs/arm-cpu-features.rst
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/docs/arm-cpu-features.rst
@@ -XXX,XX +XXX,XX @@
 +================
 +ARM CPU Features
 +================
 +
 +Examples of probing and using ARM CPU features
 +
 +Introduction
 +============
 +
 +CPU features are optional features that a CPU of supporting type may
 +choose to implement or not.  In QEMU, optional CPU features have
 +corresponding boolean CPU proprieties that, when enabled, indicate
 +that the feature is implemented, and, conversely, when disabled,
 +indicate that it is not implemented. An example of an ARM CPU feature
 +is the Performance Monitoring Unit (PMU).  CPU types such as the
 +Cortex-A15 and the Cortex-A57, which respectively implement ARM
 +architecture reference manuals ARMv7-A and ARMv8-A, may both optionally
 +implement PMUs.  For example, if a user wants to use a Cortex-A15 without
 +a PMU, then the `-cpu` parameter should contain `pmu=off` on the QEMU
 +command line, i.e. `-cpu cortex-a15,pmu=off`.
 +
 +As not all CPU types support all optional CPU features, then whether or
 +not a CPU property exists depends on the CPU type.  For example, CPUs
 +that implement the ARMv8-A architecture reference manual may optionally
 +support the AArch32 CPU feature, which may be enabled by disabling the
 +`aarch64` CPU property.  A CPU type such as the Cortex-A15, which does
 +not implement ARMv8-A, will not have the `aarch64` CPU property.
 +
 +QEMU's support may be limited for some CPU features, only partially
 +supporting the feature or only supporting the feature under certain
 +configurations.  For example, the `aarch64` CPU feature, which, when
 +disabled, enables the optional AArch32 CPU feature, is only supported
 +when using the KVM accelerator and when running on a host CPU type that
 +supports the feature.
 +
 +CPU Feature Probing
 +===================
 +
 +Determining which CPU features are available and functional for a given
 +CPU type is possible with the `query-cpu-model-expansion` QMP command.
 +Below are some examples where `scripts/qmp/qmp-shell` (see the top comment
 +block in the script for usage) is used to issue the QMP commands.
 +
 +(1) Determine which CPU features are available for the `max` CPU type
 +    (Note, we started QEMU with qemu-system-aarch64, so `max` is
 +     implementing the ARMv8-A reference manual in this case)::
 +
 +      (QEMU) query-cpu-model-expansion type=full model={"name":"max"}
 +      { "return": {
 +        "model": { "name": "max", "props": {
 +        "pmu": true, "aarch64": true
 +      }}}}
 +
 +We see that the `max` CPU type has the `pmu` and `aarch64` CPU features.
 +We also see that the CPU features are enabled, as they are all `true`.
 +
 +(2) Let's try to disable the PMU::
 +
 +      (QEMU) query-cpu-model-expansion type=full model={"name":"max","props":{"pmu":false}}
 +      { "return": {
 +        "model": { "name": "max", "props": {
 +        "pmu": false, "aarch64": true
 +      }}}}
 +
 +We see it worked, as `pmu` is now `false`.
 +
 +(3) Let's try to disable `aarch64`, which enables the AArch32 CPU feature::
 +
 +      (QEMU) query-cpu-model-expansion type=full model={"name":"max","props":{"aarch64":false}}
 +      {"error": {
 +       "class": "GenericError", "desc":
 +       "'aarch64' feature cannot be disabled unless KVM is enabled and 32-bit EL1 is supported"
 +      }}
 +
 +It looks like this feature is limited to a configuration we do not
 +currently have.
 +
 +(4) Let's try probing CPU features for the Cortex-A15 CPU type::
 +
 +      (QEMU) query-cpu-model-expansion type=full model={"name":"cortex-a15"}
 +      {"return": {"model": {"name": "cortex-a15", "props": {"pmu": true}}}}
 +
 +Only the `pmu` CPU feature is available.
 +
 +A note about CPU feature dependencies
 +-------------------------------------
 +
 +It's possible for features to have dependencies on other features. I.e.
 +it may be possible to change one feature at a time without error, but
 +when attempting to change all features at once an error could occur
 +depending on the order they are processed.  It's also possible changing
 +all at once doesn't generate an error, because a feature's dependencies
 +are satisfied with other features, but the same feature cannot be changed
 +independently without error.  For these reasons callers should always
 +attempt to make their desired changes all at once in order to ensure the
 +collection is valid.
 +
 +A note about CPU models and KVM
 +-------------------------------
 +
 +Named CPU models generally do not work with KVM.  There are a few cases
 +that do work, e.g. using the named CPU model `cortex-a57` with KVM on a
 +seattle host, but mostly if KVM is enabled the `host` CPU type must be
 +used.  This means the guest is provided all the same CPU features as the
 +host CPU type has.  And, for this reason, the `host` CPU type should
 +enable all CPU features that the host has by default.  Indeed it's even
 +a bit strange to allow disabling CPU features that the host has when using
 +the `host` CPU type, but in the absence of CPU models it's the best we can
 +do if we want to launch guests without all the host's CPU features enabled.
 +
 +Enabling KVM also affects the `query-cpu-model-expansion` QMP command.  The
 +affect is not only limited to specific features, as pointed out in example
 +(3) of "CPU Feature Probing", but also to which CPU types may be expanded.
 +When KVM is enabled, only the `max`, `host`, and current CPU type may be
 +expanded.  This restriction is necessary as it's not possible to know all
 +CPU types that may work with KVM, but it does impose a small risk of users
 +experiencing unexpected errors.  For example on a seattle, as mentioned
 +above, the `cortex-a57` CPU type is also valid when KVM is enabled.
 +Therefore a user could use the `host` CPU type for the current type, but
 +then attempt to query `cortex-a57`, however that query will fail with our
 +restrictions.  This shouldn't be an issue though as management layers and
 +users have been preferring the `host` CPU type for use with KVM for quite
 +some time.  Additionally, if the KVM-enabled QEMU instance running on a
 +seattle host is using the `cortex-a57` CPU type, then querying `cortex-a57`
 +will work.
 +
 +Using CPU Features
 +==================
 +
 +After determining which CPU features are available and supported for a
 +given CPU type, then they may be selectively enabled or disabled on the
 +QEMU command line with that CPU type::
 +
 +  $ qemu-system-aarch64 -M virt -cpu max,pmu=off
 +
 +The example above disables the PMU for the `max` CPU type.
 +
 --
-.20.1
+.25.1

-New patch
+[PULL 09/39] hw/arm: imx: Don't enable PSCI conduit when booting guest in EL3
+Change the iMX-SoC based boards to use the new boot.c functionality
+to allow us to enable psci-conduit only if the guest is being booted
+in EL1 or EL2, so that if the user runs guest EL3 firmware code our
+PSCI emulation doesn't get in its way.
+To do this we stop setting the psci-conduit property on the CPU
+objects in the SoC code, and instead set the psci_conduit field in
+the arm_boot_info struct to tell the common boot loader code that
+we'd like PSCI if the guest is starting at an EL that it makes
+sense with.
+This affects the mcimx6ul-evk and mcimx7d-sabre boards.
+Note that for the mcimx7d board, this means that when running guest
+code at EL3 there is currently no way to power on the secondary CPUs,
+because we do not currently have a model of the system reset
+controller module which should be used to do that for the imx7 SoC,
+only for the imx6 SoC.  (Previously EL3 code which knew it was
+running on QEMU could use a PSCI call to do this.) This doesn't
+affect the imx6ul-evk board because it is uniprocessor.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+Tested-by: Cédric Le Goater <clg@kaod.org>
+Acked-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220127154639.2090164-5-peter.maydell@linaro.org
+---
+ hw/arm/fsl-imx6ul.c    | 2 --
+ hw/arm/fsl-imx7.c      | 8 ++++----
+ hw/arm/mcimx6ul-evk.c  | 1 +
+ hw/arm/mcimx7d-sabre.c | 1 +
+files changed, 6 insertions(+), 6 deletions(-)
+diff --git a/hw/arm/fsl-imx6ul.c b/hw/arm/fsl-imx6ul.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/fsl-imx6ul.c
++++ b/hw/arm/fsl-imx6ul.c
+@@ -XXX,XX +XXX,XX @@ static void fsl_imx6ul_realize(DeviceState *dev, Error **errp)
+         return;
+     }
+-    object_property_set_int(OBJECT(&s->cpu), "psci-conduit",
+-                            QEMU_PSCI_CONDUIT_SMC, &error_abort);
+     qdev_realize(DEVICE(&s->cpu), NULL, &error_abort);
+     /*
+diff --git a/hw/arm/fsl-imx7.c b/hw/arm/fsl-imx7.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/fsl-imx7.c
++++ b/hw/arm/fsl-imx7.c
+@@ -XXX,XX +XXX,XX @@ static void fsl_imx7_realize(DeviceState *dev, Error **errp)
+     for (i = 0; i < smp_cpus; i++) {
+         o = OBJECT(&s->cpu[i]);
+-        object_property_set_int(o, "psci-conduit", QEMU_PSCI_CONDUIT_SMC,
+-                                &error_abort);
+-
+         /* On uniprocessor, the CBAR is set to 0 */
+         if (smp_cpus > 1) {
+             object_property_set_int(o, "reset-cbar", FSL_IMX7_A7MPCORE_ADDR,
+@@ -XXX,XX +XXX,XX @@ static void fsl_imx7_realize(DeviceState *dev, Error **errp)
+         }
+         if (i) {
+-            /* Secondary CPUs start in PSCI powered-down state */
++            /*
++             * Secondary CPUs start in powered-down state (and can be
++             * powered up via the SRC system reset controller)
++             */
+             object_property_set_bool(o, "start-powered-off", true,
+                                      &error_abort);
+         }
+diff --git a/hw/arm/mcimx6ul-evk.c b/hw/arm/mcimx6ul-evk.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/mcimx6ul-evk.c
++++ b/hw/arm/mcimx6ul-evk.c
+@@ -XXX,XX +XXX,XX @@ static void mcimx6ul_evk_init(MachineState *machine)
+         .board_id = -1,
+         .ram_size = machine->ram_size,
+         .nb_cpus = machine->smp.cpus,
++        .psci_conduit = QEMU_PSCI_CONDUIT_SMC,
+     };
+     s = FSL_IMX6UL(object_new(TYPE_FSL_IMX6UL));
+diff --git a/hw/arm/mcimx7d-sabre.c b/hw/arm/mcimx7d-sabre.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/mcimx7d-sabre.c
++++ b/hw/arm/mcimx7d-sabre.c
+@@ -XXX,XX +XXX,XX @@ static void mcimx7d_sabre_init(MachineState *machine)
+         .board_id = -1,
+         .ram_size = machine->ram_size,
+         .nb_cpus = machine->smp.cpus,
++        .psci_conduit = QEMU_PSCI_CONDUIT_SMC,
+     };
+     s = FSL_IMX7(object_new(TYPE_FSL_IMX7));
+--
+.25.1

-New patch
+[PULL 10/39] hw/arm: allwinner: Don't enable PSCI conduit when booting guest in EL3
+Change the allwinner-h3 based board to use the new boot.c
+functionality to allow us to enable psci-conduit only if the guest is
+being booted in EL1 or EL2, so that if the user runs guest EL3
+firmware code our PSCI emulation doesn't get in its way.
+To do this we stop setting the psci-conduit property on the CPU
+objects in the SoC code, and instead set the psci_conduit field in
+the arm_boot_info struct to tell the common boot loader code that
+we'd like PSCI if the guest is starting at an EL that it makes sense
+with.
+This affects the orangepi-pc board.
+This commit leaves the secondary CPUs in the powered-down state if
+the guest is booting at EL3, which is the same behaviour as before
+this commit.  The secondaries can no longer be started by that EL3
+code making a PSCI call but can still be started via the CPU
+Configuration Module registers (which we model in
+hw/misc/allwinner-cpucfg.c).
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Tested-by: Cédric Le Goater <clg@kaod.org>
+Tested-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Message-id: 20220127154639.2090164-6-peter.maydell@linaro.org
+---
+ hw/arm/allwinner-h3.c | 9 ++++-----
+ hw/arm/orangepi.c     | 1 +
+files changed, 5 insertions(+), 5 deletions(-)
+diff --git a/hw/arm/allwinner-h3.c b/hw/arm/allwinner-h3.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/allwinner-h3.c
++++ b/hw/arm/allwinner-h3.c
+@@ -XXX,XX +XXX,XX @@ static void allwinner_h3_realize(DeviceState *dev, Error **errp)
+     /* CPUs */
+     for (i = 0; i < AW_H3_NUM_CPUS; i++) {
+-        /* Provide Power State Coordination Interface */
+-        qdev_prop_set_int32(DEVICE(&s->cpus[i]), "psci-conduit",
+-                            QEMU_PSCI_CONDUIT_SMC);
+-
+-        /* Disable secondary CPUs */
++        /*
++         * Disable secondary CPUs. Guest EL3 firmware will start
++         * them via CPU reset control registers.
++         */
+         qdev_prop_set_bit(DEVICE(&s->cpus[i]), "start-powered-off",
+                           i > 0);
+diff --git a/hw/arm/orangepi.c b/hw/arm/orangepi.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/orangepi.c
++++ b/hw/arm/orangepi.c
+@@ -XXX,XX +XXX,XX @@ static void orangepi_init(MachineState *machine)
+     }
+     orangepi_binfo.loader_start = h3->memmap[AW_H3_DEV_SDRAM];
+     orangepi_binfo.ram_size = machine->ram_size;
++    orangepi_binfo.psci_conduit = QEMU_PSCI_CONDUIT_SMC;
+     arm_load_kernel(ARM_CPU(first_cpu), machine, &orangepi_binfo);
+ }
+--
+.25.1

-New patch
+[PULL 11/39] hw/arm/xlnx-zcu102: Don't enable PSCI conduit when booting guest in EL3
+Change the Xilinx ZynqMP-based board xlnx-zcu102 to use the new
+boot.c functionality to allow us to enable psci-conduit only if
+the guest is being booted in EL1 or EL2, so that if the user runs
+guest EL3 firmware code our PSCI emulation doesn't get in its
+way.
+To do this we stop setting the psci-conduit property on the CPU
+objects in the SoC code, and instead set the psci_conduit field in
+the arm_boot_info struct to tell the common boot loader code that
+we'd like PSCI if the guest is starting at an EL that it makes
+sense with.
+Note that this means that EL3 guest code will have no way
+to power on secondary cores, because we don't model any
+kind of power controller that does that on this SoC.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+Tested-by: Cédric Le Goater <clg@kaod.org>
+Tested-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Acked-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220127154639.2090164-7-peter.maydell@linaro.org
+---
+ hw/arm/xlnx-zcu102.c |  1 +
+ hw/arm/xlnx-zynqmp.c | 11 ++++++-----
+files changed, 7 insertions(+), 5 deletions(-)
+diff --git a/hw/arm/xlnx-zcu102.c b/hw/arm/xlnx-zcu102.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/xlnx-zcu102.c
++++ b/hw/arm/xlnx-zcu102.c
+@@ -XXX,XX +XXX,XX @@ static void xlnx_zcu102_init(MachineState *machine)
+     s->binfo.ram_size = ram_size;
+     s->binfo.loader_start = 0;
+     s->binfo.modify_dtb = zcu102_modify_dtb;
++    s->binfo.psci_conduit = QEMU_PSCI_CONDUIT_SMC;
+     arm_load_kernel(s->soc.boot_cpu_ptr, machine, &s->binfo);
+ }
+diff --git a/hw/arm/xlnx-zynqmp.c b/hw/arm/xlnx-zynqmp.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/xlnx-zynqmp.c
++++ b/hw/arm/xlnx-zynqmp.c
+@@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_create_rpu(MachineState *ms, XlnxZynqMPState *s,
+         name = object_get_canonical_path_component(OBJECT(&s->rpu_cpu[i]));
+         if (strcmp(name, boot_cpu)) {
+-            /* Secondary CPUs start in PSCI powered-down state */
++            /*
++             * Secondary CPUs start in powered-down state.
++             */
+             object_property_set_bool(OBJECT(&s->rpu_cpu[i]),
+                                      "start-powered-off", true, &error_abort);
+         } else {
+@@ -XXX,XX +XXX,XX @@ static void xlnx_zynqmp_realize(DeviceState *dev, Error **errp)
+     for (i = 0; i < num_apus; i++) {
+         const char *name;
+-        object_property_set_int(OBJECT(&s->apu_cpu[i]), "psci-conduit",
+-                                QEMU_PSCI_CONDUIT_SMC, &error_abort);
+-
+         name = object_get_canonical_path_component(OBJECT(&s->apu_cpu[i]));
+         if (strcmp(name, boot_cpu)) {
+-            /* Secondary CPUs start in PSCI powered-down state */
++            /*
++             * Secondary CPUs start in powered-down state.
++             */
+             object_property_set_bool(OBJECT(&s->apu_cpu[i]),
+                                      "start-powered-off", true, &error_abort);
+         } else {
+--
+.25.1

-New patch
+[PULL 12/39] hw/arm/versal: Let boot.c handle PSCI enablement
+Instead of setting the CPU psci-conduit and start-powered-off
+properties in the xlnx-versal-virt board code, set the arm_boot_info
+psci_conduit field so that the boot.c code can do it.
+This will fix a corner case where we were incorrectly enabling PSCI
+emulation when booting guest code into EL3 because it was an ELF file
+passed to -kernel.  (EL3 guest code started via -bios, -pflash, or
+the generic loader was already being run with PSCI emulation
+disabled.)
+Note that EL3 guest code has no way to turn on the secondary CPUs
+because there's no emulated power controller, but this was already
+true for EL3 guest code run via -bios, -pflash, or the generic
+loader.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+Tested-by: Cédric Le Goater <clg@kaod.org>
+Tested-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Message-id: 20220127154639.2090164-8-peter.maydell@linaro.org
+---
+ include/hw/arm/xlnx-versal.h | 1 -
+ hw/arm/xlnx-versal-virt.c    | 6 ++++--
+ hw/arm/xlnx-versal.c         | 5 +----
+files changed, 5 insertions(+), 7 deletions(-)
+diff --git a/include/hw/arm/xlnx-versal.h b/include/hw/arm/xlnx-versal.h
+index XXXXXXX..XXXXXXX 100644
+--- a/include/hw/arm/xlnx-versal.h
++++ b/include/hw/arm/xlnx-versal.h
+@@ -XXX,XX +XXX,XX @@ struct Versal {
+     struct {
+         MemoryRegion *mr_ddr;
+-        uint32_t psci_conduit;
+     } cfg;
+ };
+diff --git a/hw/arm/xlnx-versal-virt.c b/hw/arm/xlnx-versal-virt.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/xlnx-versal-virt.c
++++ b/hw/arm/xlnx-versal-virt.c
+@@ -XXX,XX +XXX,XX @@ static void versal_virt_init(MachineState *machine)
+      * When loading an OS, we turn on QEMU's PSCI implementation with SMC
+      * as the PSCI conduit. When there's no -kernel, we assume the user
+      * provides EL3 firmware to handle PSCI.
++     *
++     * Even if the user provides a kernel filename, arm_load_kernel()
++     * may suppress PSCI if it's going to boot that guest code at EL3.
+      */
+     if (machine->kernel_filename) {
+         psci_conduit = QEMU_PSCI_CONDUIT_SMC;
+@@ -XXX,XX +XXX,XX @@ static void versal_virt_init(MachineState *machine)
+                             TYPE_XLNX_VERSAL);
+     object_property_set_link(OBJECT(&s->soc), "ddr", OBJECT(machine->ram),
+                              &error_abort);
+-    object_property_set_int(OBJECT(&s->soc), "psci-conduit", psci_conduit,
+-                            &error_abort);
+     sysbus_realize(SYS_BUS_DEVICE(&s->soc), &error_fatal);
+     fdt_create(s);
+@@ -XXX,XX +XXX,XX @@ static void versal_virt_init(MachineState *machine)
+     s->binfo.loader_start = 0x0;
+     s->binfo.get_dtb = versal_virt_get_dtb;
+     s->binfo.modify_dtb = versal_virt_modify_dtb;
++    s->binfo.psci_conduit = psci_conduit;
+     if (machine->kernel_filename) {
+         arm_load_kernel(&s->soc.fpd.apu.cpu[0], machine, &s->binfo);
+     } else {
+diff --git a/hw/arm/xlnx-versal.c b/hw/arm/xlnx-versal.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/xlnx-versal.c
++++ b/hw/arm/xlnx-versal.c
+@@ -XXX,XX +XXX,XX @@ static void versal_create_apu_cpus(Versal *s)
+         object_initialize_child(OBJECT(s), "apu-cpu[*]", &s->fpd.apu.cpu[i],
+                                 XLNX_VERSAL_ACPU_TYPE);
+         obj = OBJECT(&s->fpd.apu.cpu[i]);
+-        object_property_set_int(obj, "psci-conduit", s->cfg.psci_conduit,
+-                                &error_abort);
+         if (i) {
+-            /* Secondary CPUs start in PSCI powered-down state */
++            /* Secondary CPUs start in powered-down state */
+             object_property_set_bool(obj, "start-powered-off", true,
+                                      &error_abort);
+         }
+@@ -XXX,XX +XXX,XX @@ static void versal_init(Object *obj)
+ static Property versal_properties[] = {
+     DEFINE_PROP_LINK("ddr", Versal, cfg.mr_ddr, TYPE_MEMORY_REGION,
+                      MemoryRegion *),
+-    DEFINE_PROP_UINT32("psci-conduit", Versal, cfg.psci_conduit, 0),
+     DEFINE_PROP_END_OF_LIST()
+ };
+--
+.25.1

-New patch
+[PULL 13/39] hw/arm/virt: Let boot.c handle PSCI enablement
+Instead of setting the CPU psci-conduit and start-powered-off
+properties in the virt board code, set the arm_boot_info psci_conduit
+field so that the boot.c code can do it.
+This will fix a corner case where we were incorrectly enabling PSCI
+emulation when booting guest code into EL3 because it was an ELF file
+passed to -kernel or to the generic loader.  (EL3 guest code started
+via -bios or -pflash was already being run with PSCI emulation
+disabled.)
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Tested-by: Cédric Le Goater <clg@kaod.org>
+Tested-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Message-id: 20220127154639.2090164-9-peter.maydell@linaro.org
+---
+ hw/arm/virt.c | 12 +-----------
+file changed, 1 insertion(+), 11 deletions(-)
+diff --git a/hw/arm/virt.c b/hw/arm/virt.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/virt.c
++++ b/hw/arm/virt.c
+@@ -XXX,XX +XXX,XX @@ static void machvirt_init(MachineState *machine)
+             object_property_set_bool(cpuobj, "has_el2", false, NULL);
+         }
+-        if (vms->psci_conduit != QEMU_PSCI_CONDUIT_DISABLED) {
+-            object_property_set_int(cpuobj, "psci-conduit", vms->psci_conduit,
+-                                    NULL);
+-
+-            /* Secondary CPUs start in PSCI powered-down state */
+-            if (n > 0) {
+-                object_property_set_bool(cpuobj, "start-powered-off", true,
+-                                         NULL);
+-            }
+-        }
+-
+         if (vmc->kvm_no_adjvtime &&
+             object_property_find(cpuobj, "kvm-no-adjvtime")) {
+             object_property_set_bool(cpuobj, "kvm-no-adjvtime", true, NULL);
+@@ -XXX,XX +XXX,XX @@ static void machvirt_init(MachineState *machine)
+     vms->bootinfo.get_dtb = machvirt_dtb;
+     vms->bootinfo.skip_dtb_autoload = true;
+     vms->bootinfo.firmware_loaded = firmware_loaded;
++    vms->bootinfo.psci_conduit = vms->psci_conduit;
+     arm_load_kernel(ARM_CPU(first_cpu), machine, &vms->bootinfo);
+     vms->machine_done.notify = virt_machine_done;
+--
+.25.1

-New patch
+[PULL 14/39] hw/arm: highbank: For EL3 guests, don't enable PSCI, start all cores
+Change the highbank/midway boards to use the new boot.c functionality
+to allow us to enable psci-conduit only if the guest is being booted
+in EL1 or EL2, so that if the user runs guest EL3 firmware code our
+PSCI emulation doesn't get in its way.
+To do this we stop setting the psci-conduit and start-powered-off
+properties on the CPU objects in the board code, and instead set the
+psci_conduit field in the arm_boot_info struct to tell the common
+boot loader code that we'd like PSCI if the guest is starting at an
+EL that it makes sense with (in which case it will set these
+properties).
+This means that when running guest code at EL3, all the cores
+will start execution at once on poweron. This matches the
+real hardware behaviour. (A brief description of the hardware
+boot process is in the u-boot documentation for these boards:
+https://u-boot.readthedocs.io/en/latest/board/highbank/highbank.html#boot-process
+ -- in theory one might run the 'a9boot'/'a15boot' secure monitor
+code in QEMU, though we probably don't emulate enough for that.)
+This affects the highbank and midway boards.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Tested-by: Cédric Le Goater <clg@kaod.org>
+Tested-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Message-id: 20220127154639.2090164-10-peter.maydell@linaro.org
+---
+ hw/arm/highbank.c | 7 +------
+file changed, 1 insertion(+), 6 deletions(-)
+diff --git a/hw/arm/highbank.c b/hw/arm/highbank.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/highbank.c
++++ b/hw/arm/highbank.c
+@@ -XXX,XX +XXX,XX @@ static void calxeda_init(MachineState *machine, enum cxmachines machine_id)
+         object_property_set_int(cpuobj, "psci-conduit", QEMU_PSCI_CONDUIT_SMC,
+                                 &error_abort);
+-        if (n) {
+-            /* Secondary CPUs start in PSCI powered-down state */
+-            object_property_set_bool(cpuobj, "start-powered-off", true,
+-                                     &error_abort);
+-        }
+-
+         if (object_property_find(cpuobj, "reset-cbar")) {
+             object_property_set_int(cpuobj, "reset-cbar", MPCORE_PERIPHBASE,
+                                     &error_abort);
+@@ -XXX,XX +XXX,XX @@ static void calxeda_init(MachineState *machine, enum cxmachines machine_id)
+     highbank_binfo.board_setup_addr = BOARD_SETUP_ADDR;
+     highbank_binfo.write_board_setup = hb_write_board_setup;
+     highbank_binfo.secure_board_setup = true;
++    highbank_binfo.psci_conduit = QEMU_PSCI_CONDUIT_SMC;
+     arm_load_kernel(ARM_CPU(first_cpu), machine, &highbank_binfo);
+ }
+--
+.25.1

-[PULL 07/11] target/arm/kvm: scratch vcpu: Preserve input kvm_vcpu_init features
+[PULL 15/39] arm: tcg: Adhere to SMCCC 1.3 section 5.2
-From: Andrew Jones <drjones@redhat.com>
+The SMCCC 1.3 spec section 5.2 says
-kvm_arm_create_scratch_host_vcpu() takes a struct kvm_vcpu_init
+  The Unknown SMC Function Identifier is a sign-extended value of (-1)
-parameter. Rather than just using it as an output parameter to
+  that is returned in the R0, W0 or X0 registers. An implementation must
-pass back the preferred target, use it also as an input parameter,
+  return this error code when it receives:
 allowing a caller to pass a selected target if they wish and to
 also pass cpu features. If the caller doesn't want to select a
 target they can pass -1 for the target which indicates they want
 to use the preferred target and have it passed back like before.
-Signed-off-by: Andrew Jones <drjones@redhat.com>
+    * An SMC or HVC call with an unknown Function Identifier
     * An SMC or HVC call for a removed Function Identifier
     * An SMC64/HVC64 call from AArch32 state
 To comply with these statements, let's always return -1 when we encounter
 an unknown HVC or SMC call.
 [PMM:
  This is a reinstatement of commit 9fcd15b9193e819b, previously
  reverted in commit 4825eaae4fdd56fba0f; we can do this now that we
  have arranged for all the affected board models to not enable the
  PSCI emulation if they are running guest code at EL3. This avoids
  the regressions that caused us to revert the change for 7.0.]
 Signed-off-by: Alexander Graf <agraf@csgraf.de>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Reviewed-by: Niek Linnenbank <nieklinnenbank@gmail.com>
-Tested-by: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com>
+Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
-Reviewed-by: Beata Michalska <beata.michalska@linaro.org>
+Tested-by: Cédric Le Goater <clg@kaod.org>
-Message-id: 20191031142734.8590-8-drjones@redhat.com
+Tested-by: Niek Linnenbank <nieklinnenbank@gmail.com>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/kvm.c   | 20 +++++++++++++++-----
+ target/arm/psci.c | 35 ++++++-----------------------------
- target/arm/kvm32.c |  6 +++++-
+file changed, 6 insertions(+), 29 deletions(-)
  target/arm/kvm64.c |  6 +++++-
 files changed, 25 insertions(+), 7 deletions(-)
-diff --git a/target/arm/kvm.c b/target/arm/kvm.c
+diff --git a/target/arm/psci.c b/target/arm/psci.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/kvm.c
+--- a/target/arm/psci.c
-+++ b/target/arm/kvm.c
++++ b/target/arm/psci.c
-@@ -XXX,XX +XXX,XX @@ bool kvm_arm_create_scratch_host_vcpu(const uint32_t *cpus_to_try,
+@@ -XXX,XX +XXX,XX @@
-                                       int *fdarray,
-                                       struct kvm_vcpu_init *init)
+ bool arm_is_psci_call(ARMCPU *cpu, int excp_type)
  {
--    int ret, kvmfd = -1, vmfd = -1, cpufd = -1;
+-    /* Return true if the r0/x0 value indicates a PSCI call and
-+    int ret = 0, kvmfd = -1, vmfd = -1, cpufd = -1;
+-     * the exception type matches the configured PSCI conduit. This is
+-     * called before the SMC/HVC instruction is executed, to decide whether
-     kvmfd = qemu_open("/dev/kvm", O_RDWR);
+-     * we should treat it as a PSCI call or with the architecturally
-     if (kvmfd < 0) {
++    /*
-@@ -XXX,XX +XXX,XX @@ bool kvm_arm_create_scratch_host_vcpu(const uint32_t *cpus_to_try,
++     * Return true if the exception type matches the configured PSCI conduit.
-         goto finish;
++     * This is called before the SMC/HVC instruction is executed, to decide
 +     * whether we should treat it as a PSCI call or with the architecturally
       * defined behaviour for an SMC or HVC (which might be UNDEF or trap
       * to EL2 or to EL3).
       */
 -    CPUARMState *env = &cpu->env;
 -    uint64_t param = is_a64(env) ? env->xregs[0] : env->regs[0];
      switch (excp_type) {
      case EXCP_HVC:
@@ -XXX,XX +XXX,XX @@ bool arm_is_psci_call(ARMCPU *cpu, int excp_type)
          return false;
      }
--    ret = ioctl(vmfd, KVM_ARM_PREFERRED_TARGET, init);
+-    switch (param) {
-+    if (init->target == -1) {
+-    case QEMU_PSCI_0_2_FN_PSCI_VERSION:
-+        struct kvm_vcpu_init preferred;
+-    case QEMU_PSCI_0_2_FN_MIGRATE_INFO_TYPE:
-+
+-    case QEMU_PSCI_0_2_FN_AFFINITY_INFO:
-+        ret = ioctl(vmfd, KVM_ARM_PREFERRED_TARGET, &preferred);
+-    case QEMU_PSCI_0_2_FN64_AFFINITY_INFO:
-+        if (!ret) {
+-    case QEMU_PSCI_0_2_FN_SYSTEM_RESET:
-+            init->target = preferred.target;
+-    case QEMU_PSCI_0_2_FN_SYSTEM_OFF:
-+        }
+-    case QEMU_PSCI_0_1_FN_CPU_ON:
-+    }
+-    case QEMU_PSCI_0_2_FN_CPU_ON:
-     if (ret >= 0) {
+-    case QEMU_PSCI_0_2_FN64_CPU_ON:
-         ret = ioctl(cpufd, KVM_ARM_VCPU_INIT, init);
+-    case QEMU_PSCI_0_1_FN_CPU_OFF:
-         if (ret < 0) {
+-    case QEMU_PSCI_0_2_FN_CPU_OFF:
-@@ -XXX,XX +XXX,XX @@ bool kvm_arm_create_scratch_host_vcpu(const uint32_t *cpus_to_try,
+-    case QEMU_PSCI_0_1_FN_CPU_SUSPEND:
-          * creating one kind of guest CPU which is its preferred
+-    case QEMU_PSCI_0_2_FN_CPU_SUSPEND:
-          * CPU type.
+-    case QEMU_PSCI_0_2_FN64_CPU_SUSPEND:
-          */
+-    case QEMU_PSCI_0_1_FN_MIGRATE:
-+        struct kvm_vcpu_init try;
+-    case QEMU_PSCI_0_2_FN_MIGRATE:
-+
+-        return true;
-         while (*cpus_to_try != QEMU_KVM_ARM_TARGET_NONE) {
+-    default:
--            init->target = *cpus_to_try++;
+-        return false;
--            memset(init->features, 0, sizeof(init->features));
+-    }
--            ret = ioctl(cpufd, KVM_ARM_VCPU_INIT, init);
++    return true;
-+            try.target = *cpus_to_try++;
+ }
-+            memcpy(try.features, init->features, sizeof(init->features));
-+            ret = ioctl(cpufd, KVM_ARM_VCPU_INIT, &try);
+ void arm_handle_psci_call(ARMCPU *cpu)
-             if (ret >= 0) {
+@@ -XXX,XX +XXX,XX @@ void arm_handle_psci_call(ARMCPU *cpu)
-                 break;
+         break;
-             }
+     case QEMU_PSCI_0_1_FN_MIGRATE:
-@@ -XXX,XX +XXX,XX @@ bool kvm_arm_create_scratch_host_vcpu(const uint32_t *cpus_to_try,
+     case QEMU_PSCI_0_2_FN_MIGRATE:
-         if (ret < 0) {
++    default:
-             goto err;
+         ret = QEMU_PSCI_RET_NOT_SUPPORTED;
-         }
+         break;
-+        init->target = try.target;
+-    default:
-     } else {
+-        g_assert_not_reached();
-         /* Treat a NULL cpus_to_try argument the same as an empty
+     }
-          * list, which means we will fail the call since this must
-diff --git a/target/arm/kvm32.c b/target/arm/kvm32.c
+ err:
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/kvm32.c
 +++ b/target/arm/kvm32.c
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
          QEMU_KVM_ARM_TARGET_CORTEX_A15,
          QEMU_KVM_ARM_TARGET_NONE
      };
 -    struct kvm_vcpu_init init;
 +    /*
 +     * target = -1 informs kvm_arm_create_scratch_host_vcpu()
 +     * to use the preferred target
 +     */
 +    struct kvm_vcpu_init init = { .target = -1, };
      if (!kvm_arm_create_scratch_host_vcpu(cpus_to_try, fdarray, &init)) {
          return false;
 diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/kvm64.c
 +++ b/target/arm/kvm64.c
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
          KVM_ARM_TARGET_CORTEX_A57,
          QEMU_KVM_ARM_TARGET_NONE
      };
 -    struct kvm_vcpu_init init;
 +    /*
 +     * target = -1 informs kvm_arm_create_scratch_host_vcpu()
 +     * to use the preferred target
 +     */
 +    struct kvm_vcpu_init init = { .target = -1, };
      if (!kvm_arm_create_scratch_host_vcpu(cpus_to_try, fdarray, &init)) {
          return false;
 --
-.20.1
+.25.1

-New patch
+[PULL 16/39] hw/arm/highbank: Drop use of secure_board_setup
+Guest code on highbank may make non-PSCI SMC calls in order to
+enable/disable the L2x0 cache controller (see the Linux kernel's
+arch/arm/mach-highbank/highbank.c highbank_l2c310_write_sec()
+function).  The ABI for this is documented in kernel commit
+e56130dcb as being borrowed from the OMAP44xx ROM.  The OMAP44xx TRM
+documents this function ID as having no return value and potentially
+trashing all guest registers except SP and PC. For QEMU's purposes
+(where our L2x0 model is a stub and enabling or disabling it doesn't
+affect the guest behaviour) a simple "do nothing" SMC is fine.
+We currently implement this NOP behaviour using a little bit of
+Secure code we run before jumping to the guest kernel, which is
+written by arm_write_secure_board_setup_dummy_smc().  The code sets
+up a set of Secure vectors where the SMC entry point returns without
+doing anything.
+Now that the PSCI SMC emulation handles all SMC calls (setting r0 to
+an error code if the input r0 function identifier is not recognized),
+we can use that default behaviour as sufficient for the highbank
+cache controller call.  (Because the guest code assumes r0 has no
+interesting value on exit it doesn't matter that we set it to the
+error code).  We can therefore delete the highbank board code that
+sets secure_board_setup to true and writes the secure-code bootstub.
+(Note that because the OMAP44xx ABI puts function-identifiers in
+r12 and PSCI uses r0, we only avoid a clash because Linux's code
+happens to put the function-identifier in both registers. But this
+is true also when the kernel is running on real firmware that
+implements both ABIs as far as I can see.)
+This change fixes in passing booting on the 'midway' board model,
+which has been completely broken since we added support for Hyp
+mode to the Cortex-A15 CPU. When we did that boot.c was made to
+start running the guest code in Hyp mode; this includes the
+board_setup hook, which instantly UNDEFs because the NSACR is
+not accessible from Hyp. (Put another way, we never made the
+secure_board_setup hook support cope with Hyp mode.)
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Tested-by: Cédric Le Goater <clg@kaod.org>
+Tested-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Message-id: 20220127154639.2090164-12-peter.maydell@linaro.org
+---
+ hw/arm/highbank.c | 8 --------
+file changed, 8 deletions(-)
+diff --git a/hw/arm/highbank.c b/hw/arm/highbank.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/highbank.c
++++ b/hw/arm/highbank.c
+@@ -XXX,XX +XXX,XX @@
+ /* Board init.  */
+-static void hb_write_board_setup(ARMCPU *cpu,
+-                                 const struct arm_boot_info *info)
+-{
+-    arm_write_secure_board_setup_dummy_smc(cpu, info, MVBAR_ADDR);
+-}
+-
+ static void hb_write_secondary(ARMCPU *cpu, const struct arm_boot_info *info)
+ {
+     int n;
+@@ -XXX,XX +XXX,XX @@ static void calxeda_init(MachineState *machine, enum cxmachines machine_id)
+     highbank_binfo.write_secondary_boot = hb_write_secondary;
+     highbank_binfo.secondary_cpu_reset_hook = hb_reset_secondary;
+     highbank_binfo.board_setup_addr = BOARD_SETUP_ADDR;
+-    highbank_binfo.write_board_setup = hb_write_board_setup;
+-    highbank_binfo.secure_board_setup = true;
+     highbank_binfo.psci_conduit = QEMU_PSCI_CONDUIT_SMC;
+     arm_load_kernel(ARM_CPU(first_cpu), machine, &highbank_binfo);
+--
+.25.1

-New patch
+[PULL 17/39] hw/arm/boot: Prevent setting both psci_conduit and secure_board_setup
+Now that we have dealt with the one special case (highbank) that needed
+to set both psci_conduit and secure_board_setup, we don't need to
+allow that combination any more. It doesn't make sense in general,
+so use an assertion to ensure we don't add new boards that do it
+by accident without thinking through the consequences.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Tested-by: Cédric Le Goater <clg@kaod.org>
+Tested-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Message-id: 20220127154639.2090164-13-peter.maydell@linaro.org
+---
+ hw/arm/boot.c | 10 ++++++++++
+file changed, 10 insertions(+)
+diff --git a/hw/arm/boot.c b/hw/arm/boot.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/boot.c
++++ b/hw/arm/boot.c
+@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, MachineState *ms, struct arm_boot_info *info)
+      * supported exception level or in a lower one.
+      */
++    /*
++     * If PSCI is enabled, then SMC calls all go to the PSCI handler and
++     * are never emulated to trap into guest code. It therefore does not
++     * make sense for the board to have a setup code fragment that runs
++     * in Secure, because this will probably need to itself issue an SMC of some
++     * kind as part of its operation.
++     */
++    assert(info->psci_conduit == QEMU_PSCI_CONDUIT_DISABLED ||
++           !info->secure_board_setup);
++
+     /* Boot into highest supported EL ... */
+     if (arm_feature(env, ARM_FEATURE_EL3)) {
+         boot_el = 3;
+--
+.25.1

-[PULL 10/11] hw/arm/boot: Rebuild hflags when modifying CPUState at boot
+[PULL 18/39] hw/arm/boot: Don't write secondary boot stub if using PSCI
-From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>
+If we're using PSCI emulation to start secondary CPUs, there is no
 point in writing the "secondary boot" stub code, because it will
 never be used -- secondary CPUs start powered-off, and when powered
 on are set to begin execution at the address specified by the guest's
 power-on PSCI call, not at the stub.
-Rebuild hflags when modifying CPUState at boot.
+Move the call to the hook that writes the secondary boot stub code so
 that we can do it only if we're starting a Linux kernel and not using
 PSCI.
-Fixes: e979972a6a
+(None of the users of the hook care about the ordering of its call
-Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+relative to anything else: they only use it to write a rom blob to
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+guest memory.)
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Reviewed-by: Luc Michel <luc.michel@greensocs.com>
 Message-id: 20191031040830.18800-2-edgar.iglesias@xilinx.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Tested-by: Cédric Le Goater <clg@kaod.org>
+Tested-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Message-id: 20220127154639.2090164-14-peter.maydell@linaro.org
 ---
- hw/arm/boot.c | 1 +
+ include/hw/arm/boot.h |  3 +++
-file changed, 1 insertion(+)
+ hw/arm/boot.c         | 35 ++++++++++++++++++++++++-----------
 files changed, 27 insertions(+), 11 deletions(-)
+diff --git a/include/hw/arm/boot.h b/include/hw/arm/boot.h
+index XXXXXXX..XXXXXXX 100644
+--- a/include/hw/arm/boot.h
++++ b/include/hw/arm/boot.h
+@@ -XXX,XX +XXX,XX @@ struct arm_boot_info {
+      * boot loader/boot ROM code, and secondary_cpu_reset_hook() should
+      * perform any necessary CPU reset handling and set the PC for the
+      * secondary CPUs to point at this boot blob.
++     *
++     * These hooks won't be called if secondary CPUs are booting via
++     * emulated PSCI (see psci_conduit below).
+      */
+     void (*write_secondary_boot)(ARMCPU *cpu,
+                                  const struct arm_boot_info *info);
 diff --git a/hw/arm/boot.c b/hw/arm/boot.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/boot.c
 +++ b/hw/arm/boot.c
 @@ -XXX,XX +XXX,XX @@ static void do_cpu_reset(void *opaque)
+                         set_kernel_args(info, as);
+                     }
+                 }
+-            } else {
++            } else if (info->secondary_cpu_reset_hook) {
                  info->secondary_cpu_reset_hook(cpu, info);
              }
          }
-+        arm_rebuild_hflags(env);
+@@ -XXX,XX +XXX,XX @@ static void arm_setup_direct_kernel_boot(ARMCPU *cpu,
          elf_machine = EM_ARM;
      }
- }
+-    if (!info->secondary_cpu_reset_hook) {
 -        info->secondary_cpu_reset_hook = default_reset_secondary;
 -    }
 -    if (!info->write_secondary_boot) {
 -        info->write_secondary_boot = default_write_secondary;
 -    }
 -
      if (info->nb_cpus == 0)
          info->nb_cpus = 1;
@@ -XXX,XX +XXX,XX @@ static void arm_setup_direct_kernel_boot(ARMCPU *cpu,
          write_bootloader("bootloader", info->loader_start,
                           primary_loader, fixupcontext, as);
 -        if (info->nb_cpus > 1) {
 -            info->write_secondary_boot(cpu, info);
 -        }
          if (info->write_board_setup) {
              info->write_board_setup(cpu, info);
          }
@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, MachineState *ms, struct arm_boot_info *info)
          }
      }
 +    if (info->psci_conduit == QEMU_PSCI_CONDUIT_DISABLED &&
 +        info->is_linux && info->nb_cpus > 1) {
 +        /*
 +         * We're booting Linux but not using PSCI, so for SMP we need
 +         * to write a custom secondary CPU boot loader stub, and arrange
 +         * for the secondary CPU reset to make the accompanying initialization.
 +         */
 +        if (!info->secondary_cpu_reset_hook) {
 +            info->secondary_cpu_reset_hook = default_reset_secondary;
 +        }
 +        if (!info->write_secondary_boot) {
 +            info->write_secondary_boot = default_write_secondary;
 +        }
 +        info->write_secondary_boot(cpu, info);
 +    } else {
 +        /*
 +         * No secondary boot stub; don't use the reset hook that would
 +         * have set the CPU up to call it
 +         */
 +        info->write_secondary_boot = NULL;
 +        info->secondary_cpu_reset_hook = NULL;
 +    }
 +
      /*
       * arm_load_dtb() may add a PSCI node so it must be called after we have
       * decided whether to enable PSCI and set the psci-conduit CPU properties.
 --
-.20.1
+.25.1

-New patch
+[PULL 19/39] hw/arm/highbank: Drop unused secondary boot stub code
+The highbank and midway board code includes boot-stub code for
+handling secondary CPU boot which keeps the secondaries in a pen
+until the primary writes to a known location with the address they
+should jump to.
+This code is never used, because the boards enable QEMU's PSCI
+emulation, so secondary CPUs are kept powered off until the PSCI call
+which turns them on, and then start execution from the address given
+by the guest in that PSCI call.  Delete the unreachable code.
+(The code was wrong for midway in any case -- on the Cortex-A15 the
+GIC CPU interface registers are at a different offset from PERIPHBASE
+compared to the Cortex-A9, and the code baked-in the offsets for
+highbank's A9.)
+Note that this commit implicitly depends on the preceding "Don't
+write secondary boot stub if using PSCI" commit -- the default
+secondary-boot stub code overlaps with one of the highbank-specific
+bootcode rom blobs, so we must suppress the secondary-boot
+stub code entirely, not merely replace the highbank-specific
+version with the default.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Tested-by: Cédric Le Goater <clg@kaod.org>
+Tested-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Message-id: 20220127154639.2090164-15-peter.maydell@linaro.org
+---
+ hw/arm/highbank.c | 56 -----------------------------------------------
+file changed, 56 deletions(-)
+diff --git a/hw/arm/highbank.c b/hw/arm/highbank.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/highbank.c
++++ b/hw/arm/highbank.c
+@@ -XXX,XX +XXX,XX @@
+ /* Board init.  */
+-static void hb_write_secondary(ARMCPU *cpu, const struct arm_boot_info *info)
+-{
+-    int n;
+-    uint32_t smpboot[] = {
+-        0xee100fb0, /* mrc p15, 0, r0, c0, c0, 5 - read current core id */
+-        0xe210000f, /* ands r0, r0, #0x0f */
+-        0xe3a03040, /* mov r3, #0x40 - jump address is 0x40 + 0x10 * core id */
+-        0xe0830200, /* add r0, r3, r0, lsl #4 */
+-        0xe59f2024, /* ldr r2, privbase */
+-        0xe3a01001, /* mov r1, #1 */
+-        0xe5821100, /* str r1, [r2, #256] - set GICC_CTLR.Enable */
+-        0xe3a010ff, /* mov r1, #0xff */
+-        0xe5821104, /* str r1, [r2, #260] - set GICC_PMR.Priority to 0xff */
+-        0xf57ff04f, /* dsb */
+-        0xe320f003, /* wfi */
+-        0xe5901000, /* ldr     r1, [r0] */
+-        0xe1110001, /* tst     r1, r1 */
+-        0x0afffffb, /* beq     <wfi> */
+-        0xe12fff11, /* bx      r1 */
+-        MPCORE_PERIPHBASE   /* privbase: MPCore peripheral base address.  */
+-    };
+-    for (n = 0; n < ARRAY_SIZE(smpboot); n++) {
+-        smpboot[n] = tswap32(smpboot[n]);
+-    }
+-    rom_add_blob_fixed_as("smpboot", smpboot, sizeof(smpboot), SMP_BOOT_ADDR,
+-                          arm_boot_address_space(cpu, info));
+-}
+-
+-static void hb_reset_secondary(ARMCPU *cpu, const struct arm_boot_info *info)
+-{
+-    CPUARMState *env = &cpu->env;
+-
+-    switch (info->nb_cpus) {
+-    case 4:
+-        address_space_stl_notdirty(&address_space_memory,
+-                                   SMP_BOOT_REG + 0x30, 0,
+-                                   MEMTXATTRS_UNSPECIFIED, NULL);
+-        /* fallthrough */
+-    case 3:
+-        address_space_stl_notdirty(&address_space_memory,
+-                                   SMP_BOOT_REG + 0x20, 0,
+-                                   MEMTXATTRS_UNSPECIFIED, NULL);
+-        /* fallthrough */
+-    case 2:
+-        address_space_stl_notdirty(&address_space_memory,
+-                                   SMP_BOOT_REG + 0x10, 0,
+-                                   MEMTXATTRS_UNSPECIFIED, NULL);
+-        env->regs[15] = SMP_BOOT_ADDR;
+-        break;
+-    default:
+-        break;
+-    }
+-}
+-
+ #define NUM_REGS      0x200
+ static void hb_regs_write(void *opaque, hwaddr offset,
+                           uint64_t value, unsigned size)
+@@ -XXX,XX +XXX,XX @@ static void calxeda_init(MachineState *machine, enum cxmachines machine_id)
+     highbank_binfo.board_id = -1;
+     highbank_binfo.nb_cpus = smp_cpus;
+     highbank_binfo.loader_start = 0;
+-    highbank_binfo.write_secondary_boot = hb_write_secondary;
+-    highbank_binfo.secondary_cpu_reset_hook = hb_reset_secondary;
+     highbank_binfo.board_setup_addr = BOARD_SETUP_ADDR;
+     highbank_binfo.psci_conduit = QEMU_PSCI_CONDUIT_SMC;
+--
+.25.1

-New patch
+[PULL 20/39] hw/arm/boot: Drop nb_cpus field from arm_boot_info
+We use the arm_boot_info::nb_cpus field in only one place, and that
 place can easily get the number of CPUs locally rather than relying
 on the board code to have set the field correctly.  (At least one
 board, xlnx-versal-virt, does not set the field despite having more
 than one CPU.)
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Niek Linnenbank <nieklinnenbank@gmail.com>
 Tested-by: Cédric Le Goater <clg@kaod.org>
 Tested-by: Niek Linnenbank <nieklinnenbank@gmail.com>
 Message-id: 20220127154639.2090164-16-peter.maydell@linaro.org
 ---
  include/hw/arm/boot.h   | 1 -
  hw/arm/aspeed.c         | 1 -
  hw/arm/boot.c           | 7 +++----
  hw/arm/exynos4_boards.c | 1 -
  hw/arm/highbank.c       | 1 -
  hw/arm/imx25_pdk.c      | 3 +--
  hw/arm/kzm.c            | 1 -
  hw/arm/mcimx6ul-evk.c   | 1 -
  hw/arm/mcimx7d-sabre.c  | 1 -
  hw/arm/npcm7xx.c        | 3 ---
  hw/arm/orangepi.c       | 4 +---
  hw/arm/raspi.c          | 1 -
  hw/arm/realview.c       | 1 -
  hw/arm/sabrelite.c      | 1 -
  hw/arm/sbsa-ref.c       | 1 -
  hw/arm/vexpress.c       | 1 -
  hw/arm/virt.c           | 1 -
  hw/arm/xilinx_zynq.c    | 1 -
 files changed, 5 insertions(+), 26 deletions(-)
 diff --git a/include/hw/arm/boot.h b/include/hw/arm/boot.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/hw/arm/boot.h
 +++ b/include/hw/arm/boot.h
@@ -XXX,XX +XXX,XX @@ struct arm_boot_info {
      hwaddr smp_loader_start;
      hwaddr smp_bootreg_addr;
      hwaddr gic_cpu_if_addr;
 -    int nb_cpus;
      int board_id;
      /* ARM machines that support the ARM Security Extensions use this field to
       * control whether Linux is booted as secure(true) or non-secure(false).
 diff --git a/hw/arm/aspeed.c b/hw/arm/aspeed.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/aspeed.c
 +++ b/hw/arm/aspeed.c
@@ -XXX,XX +XXX,XX @@ static void aspeed_machine_init(MachineState *machine)
      aspeed_board_binfo.ram_size = machine->ram_size;
      aspeed_board_binfo.loader_start = sc->memmap[ASPEED_DEV_SDRAM];
 -    aspeed_board_binfo.nb_cpus = sc->num_cpus;
      if (amc->i2c_init) {
          amc->i2c_init(bmc);
 diff --git a/hw/arm/boot.c b/hw/arm/boot.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/boot.c
 +++ b/hw/arm/boot.c
@@ -XXX,XX +XXX,XX @@ static void arm_setup_direct_kernel_boot(ARMCPU *cpu,
          elf_machine = EM_ARM;
      }
 -    if (info->nb_cpus == 0)
 -        info->nb_cpus = 1;
 -
      /* Assume that raw images are linux kernels, and ELF images are not.  */
      kernel_size = arm_load_elf(info, &elf_entry, &image_low_addr,
                                 &image_high_addr, elf_machine, as);
@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, MachineState *ms, struct arm_boot_info *info)
      AddressSpace *as = arm_boot_address_space(cpu, info);
      int boot_el;
      CPUARMState *env = &cpu->env;
 +    int nb_cpus = 0;
      /*
       * CPU objects (unlike devices) are not automatically reset on system
@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, MachineState *ms, struct arm_boot_info *info)
       */
      for (cs = first_cpu; cs; cs = CPU_NEXT(cs)) {
          qemu_register_reset(do_cpu_reset, ARM_CPU(cs));
 +        nb_cpus++;
      }
      /*
@@ -XXX,XX +XXX,XX @@ void arm_load_kernel(ARMCPU *cpu, MachineState *ms, struct arm_boot_info *info)
      }
      if (info->psci_conduit == QEMU_PSCI_CONDUIT_DISABLED &&
 -        info->is_linux && info->nb_cpus > 1) {
 +        info->is_linux && nb_cpus > 1) {
          /*
           * We're booting Linux but not using PSCI, so for SMP we need
           * to write a custom secondary CPU boot loader stub, and arrange
 diff --git a/hw/arm/exynos4_boards.c b/hw/arm/exynos4_boards.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/exynos4_boards.c
 +++ b/hw/arm/exynos4_boards.c
@@ -XXX,XX +XXX,XX @@ static unsigned long exynos4_board_ram_size[EXYNOS4_NUM_OF_BOARDS] = {
  static struct arm_boot_info exynos4_board_binfo = {
      .loader_start     = EXYNOS4210_BASE_BOOT_ADDR,
      .smp_loader_start = EXYNOS4210_SMP_BOOT_ADDR,
 -    .nb_cpus          = EXYNOS4210_NCPUS,
      .write_secondary_boot = exynos4210_write_secondary,
  };
 diff --git a/hw/arm/highbank.c b/hw/arm/highbank.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/highbank.c
 +++ b/hw/arm/highbank.c
@@ -XXX,XX +XXX,XX @@ static void calxeda_init(MachineState *machine, enum cxmachines machine_id)
       * clear that the value is meaningless.
       */
      highbank_binfo.board_id = -1;
 -    highbank_binfo.nb_cpus = smp_cpus;
      highbank_binfo.loader_start = 0;
      highbank_binfo.board_setup_addr = BOARD_SETUP_ADDR;
      highbank_binfo.psci_conduit = QEMU_PSCI_CONDUIT_SMC;
 diff --git a/hw/arm/imx25_pdk.c b/hw/arm/imx25_pdk.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/imx25_pdk.c
 +++ b/hw/arm/imx25_pdk.c
@@ -XXX,XX +XXX,XX @@ static void imx25_pdk_init(MachineState *machine)
      imx25_pdk_binfo.ram_size = machine->ram_size;
      imx25_pdk_binfo.loader_start = FSL_IMX25_SDRAM0_ADDR;
 -    imx25_pdk_binfo.board_id = 1771,
 -    imx25_pdk_binfo.nb_cpus = 1;
 +    imx25_pdk_binfo.board_id = 1771;
      for (i = 0; i < FSL_IMX25_NUM_ESDHCS; i++) {
          BusState *bus;
 diff --git a/hw/arm/kzm.c b/hw/arm/kzm.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/kzm.c
 +++ b/hw/arm/kzm.c
@@ -XXX,XX +XXX,XX @@ static void kzm_init(MachineState *machine)
      }
      kzm_binfo.ram_size = machine->ram_size;
 -    kzm_binfo.nb_cpus = 1;
      if (!qtest_enabled()) {
          arm_load_kernel(&s->soc.cpu, machine, &kzm_binfo);
 diff --git a/hw/arm/mcimx6ul-evk.c b/hw/arm/mcimx6ul-evk.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/mcimx6ul-evk.c
 +++ b/hw/arm/mcimx6ul-evk.c
@@ -XXX,XX +XXX,XX @@ static void mcimx6ul_evk_init(MachineState *machine)
          .loader_start = FSL_IMX6UL_MMDC_ADDR,
          .board_id = -1,
          .ram_size = machine->ram_size,
 -        .nb_cpus = machine->smp.cpus,
          .psci_conduit = QEMU_PSCI_CONDUIT_SMC,
      };
 diff --git a/hw/arm/mcimx7d-sabre.c b/hw/arm/mcimx7d-sabre.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/mcimx7d-sabre.c
 +++ b/hw/arm/mcimx7d-sabre.c
@@ -XXX,XX +XXX,XX @@ static void mcimx7d_sabre_init(MachineState *machine)
          .loader_start = FSL_IMX7_MMDC_ADDR,
          .board_id = -1,
          .ram_size = machine->ram_size,
 -        .nb_cpus = machine->smp.cpus,
          .psci_conduit = QEMU_PSCI_CONDUIT_SMC,
      };
 diff --git a/hw/arm/npcm7xx.c b/hw/arm/npcm7xx.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/npcm7xx.c
 +++ b/hw/arm/npcm7xx.c
@@ -XXX,XX +XXX,XX @@ static struct arm_boot_info npcm7xx_binfo = {
  void npcm7xx_load_kernel(MachineState *machine, NPCM7xxState *soc)
  {
 -    NPCM7xxClass *sc = NPCM7XX_GET_CLASS(soc);
 -
      npcm7xx_binfo.ram_size = machine->ram_size;
 -    npcm7xx_binfo.nb_cpus = sc->num_cpus;
      arm_load_kernel(&soc->cpu[0], machine, &npcm7xx_binfo);
  }
 diff --git a/hw/arm/orangepi.c b/hw/arm/orangepi.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/orangepi.c
 +++ b/hw/arm/orangepi.c
@@ -XXX,XX +XXX,XX @@
  #include "hw/qdev-properties.h"
  #include "hw/arm/allwinner-h3.h"
 -static struct arm_boot_info orangepi_binfo = {
 -    .nb_cpus = AW_H3_NUM_CPUS,
 -};
 +static struct arm_boot_info orangepi_binfo;
  static void orangepi_init(MachineState *machine)
  {
 diff --git a/hw/arm/raspi.c b/hw/arm/raspi.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/raspi.c
 +++ b/hw/arm/raspi.c
@@ -XXX,XX +XXX,XX @@ static void setup_boot(MachineState *machine, RaspiProcessorId processor_id,
      s->binfo.board_id = MACH_TYPE_BCM2708;
      s->binfo.ram_size = ram_size;
 -    s->binfo.nb_cpus = machine->smp.cpus;
      if (processor_id <= PROCESSOR_ID_BCM2836) {
          /*
 diff --git a/hw/arm/realview.c b/hw/arm/realview.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/realview.c
 +++ b/hw/arm/realview.c
@@ -XXX,XX +XXX,XX @@ static void realview_init(MachineState *machine,
      memory_region_add_subregion(sysmem, SMP_BOOT_ADDR, ram_hack);
      realview_binfo.ram_size = ram_size;
 -    realview_binfo.nb_cpus = smp_cpus;
      realview_binfo.board_id = realview_board_id[board_type];
      realview_binfo.loader_start = (board_type == BOARD_PB_A8 ? 0x70000000 : 0);
      arm_load_kernel(ARM_CPU(first_cpu), machine, &realview_binfo);
 diff --git a/hw/arm/sabrelite.c b/hw/arm/sabrelite.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/sabrelite.c
 +++ b/hw/arm/sabrelite.c
@@ -XXX,XX +XXX,XX @@ static void sabrelite_init(MachineState *machine)
      }
      sabrelite_binfo.ram_size = machine->ram_size;
 -    sabrelite_binfo.nb_cpus = machine->smp.cpus;
      sabrelite_binfo.secure_boot = true;
      sabrelite_binfo.write_secondary_boot = sabrelite_write_secondary;
      sabrelite_binfo.secondary_cpu_reset_hook = sabrelite_reset_secondary;
 diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/sbsa-ref.c
 +++ b/hw/arm/sbsa-ref.c
@@ -XXX,XX +XXX,XX @@ static void sbsa_ref_init(MachineState *machine)
      create_secure_ec(secure_sysmem);
      sms->bootinfo.ram_size = machine->ram_size;
 -    sms->bootinfo.nb_cpus = smp_cpus;
      sms->bootinfo.board_id = -1;
      sms->bootinfo.loader_start = sbsa_ref_memmap[SBSA_MEM].base;
      sms->bootinfo.get_dtb = sbsa_ref_dtb;
 diff --git a/hw/arm/vexpress.c b/hw/arm/vexpress.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/vexpress.c
 +++ b/hw/arm/vexpress.c
@@ -XXX,XX +XXX,XX @@ static void vexpress_common_init(MachineState *machine)
      }
      daughterboard->bootinfo.ram_size = machine->ram_size;
 -    daughterboard->bootinfo.nb_cpus = machine->smp.cpus;
      daughterboard->bootinfo.board_id = VEXPRESS_BOARD_ID;
      daughterboard->bootinfo.loader_start = daughterboard->loader_start;
      daughterboard->bootinfo.smp_loader_start = map[VE_SRAM];
 diff --git a/hw/arm/virt.c b/hw/arm/virt.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/virt.c
 +++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@ static void machvirt_init(MachineState *machine)
      }
      vms->bootinfo.ram_size = machine->ram_size;
 -    vms->bootinfo.nb_cpus = smp_cpus;
      vms->bootinfo.board_id = -1;
      vms->bootinfo.loader_start = vms->memmap[VIRT_MEM].base;
      vms->bootinfo.get_dtb = machvirt_dtb;
 diff --git a/hw/arm/xilinx_zynq.c b/hw/arm/xilinx_zynq.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/xilinx_zynq.c
 +++ b/hw/arm/xilinx_zynq.c
@@ -XXX,XX +XXX,XX @@ static void zynq_init(MachineState *machine)
      sysbus_mmio_map(busdev, 0, 0xF8007000);
      zynq_binfo.ram_size = machine->ram_size;
 -    zynq_binfo.nb_cpus = 1;
      zynq_binfo.board_id = 0xd32;
      zynq_binfo.loader_start = 0;
      zynq_binfo.board_setup_addr = BOARD_SETUP_ADDR;
 --
 .25.1

-New patch
+[PULL 21/39] hw/arm/boot: Drop existing dtb /psci node rather than retaining it
+If we're using PSCI emulation, we add a /psci node to the device tree
+we pass to the guest.  At the moment, if the dtb already has a /psci
+node in it, we retain it, rather than replacing it. (This behaviour
+was added in commit c39770cd637765 in 2018.)
+This is a problem if the existing node doesn't match our PSCI
+emulation.  In particular, it might specify the wrong method (HVC vs
+SMC), or wrong function IDs for cpu_suspend/cpu_off/etc, in which
+case the guest will not get the behaviour it wants when it makes PSCI
+calls.
+An example of this is trying to boot the highbank or midway board
+models using the device tree supplied in the kernel sources: this
+device tree includes a /psci node that specifies function IDs that
+don't match the (PSCI 0.2 compliant) IDs that QEMU uses.  The dtb
+cpu_suspend function ID happens to match the PSCI 0.2 cpu_off ID, so
+the guest hangs after booting when the kernel tries to idle the CPU
+and instead it gets turned off.
+Instead of retaining an existing /psci node, delete it entirely
+and replace it with a node whose properties match QEMU's PSCI
+emulation behaviour. This matches the way we handle /memory nodes,
+where we also delete any existing nodes and write in ones that
+match the way QEMU is going to behave.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Tested-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+Tested-by: Cédric Le Goater <clg@kaod.org>
+Tested-by: Niek Linnenbank <nieklinnenbank@gmail.com>
+Message-id: 20220127154639.2090164-17-peter.maydell@linaro.org
+---
+ hw/arm/boot.c | 7 ++++---
+file changed, 4 insertions(+), 3 deletions(-)
+diff --git a/hw/arm/boot.c b/hw/arm/boot.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/boot.c
++++ b/hw/arm/boot.c
+@@ -XXX,XX +XXX,XX @@ static void fdt_add_psci_node(void *fdt)
+     }
+     /*
+-     * If /psci node is present in provided DTB, assume that no fixup
+-     * is necessary and all PSCI configuration should be taken as-is
++     * A pre-existing /psci node might specify function ID values
++     * that don't match QEMU's PSCI implementation. Delete the whole
++     * node and put our own in instead.
+      */
+     rc = fdt_path_offset(fdt, "/psci");
+     if (rc >= 0) {
+-        return;
++        qemu_fdt_nop_node(fdt, "/psci");
+     }
+     qemu_fdt_add_subnode(fdt, "/psci");
+--
+.25.1

-New patch
+[PULL 22/39] hw/arm: versal-virt: Always call arm_load_kernel()
+From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>
+Always call arm_load_kernel() regardless of kernel_filename being
+set. This is needed because arm_load_kernel() sets up reset for
+the CPUs.
+Fixes: 6f16da53ff (hw/arm: versal: Add a virtual Xilinx Versal board)
+Reported-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+Message-id: 20220130110313.4045351-2-edgar.iglesias@gmail.com
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ hw/arm/xlnx-versal-virt.c | 11 ++---------
+file changed, 2 insertions(+), 9 deletions(-)
+diff --git a/hw/arm/xlnx-versal-virt.c b/hw/arm/xlnx-versal-virt.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/xlnx-versal-virt.c
++++ b/hw/arm/xlnx-versal-virt.c
+@@ -XXX,XX +XXX,XX @@ static void versal_virt_init(MachineState *machine)
+     s->binfo.get_dtb = versal_virt_get_dtb;
+     s->binfo.modify_dtb = versal_virt_modify_dtb;
+     s->binfo.psci_conduit = psci_conduit;
+-    if (machine->kernel_filename) {
+-        arm_load_kernel(&s->soc.fpd.apu.cpu[0], machine, &s->binfo);
+-    } else {
+-        AddressSpace *as = arm_boot_address_space(&s->soc.fpd.apu.cpu[0],
+-                                                  &s->binfo);
++    if (!machine->kernel_filename) {
+         /* Some boot-loaders (e.g u-boot) don't like blobs at address 0 (NULL).
+          * Offset things by 4K.  */
+         s->binfo.loader_start = 0x1000;
+         s->binfo.dtb_limit = 0x1000000;
+-        if (arm_load_dtb(s->binfo.loader_start,
+-                         &s->binfo, s->binfo.dtb_limit, as, machine) < 0) {
+-            exit(EXIT_FAILURE);
+-        }
+     }
++    arm_load_kernel(&s->soc.fpd.apu.cpu[0], machine, &s->binfo);
+     for (i = 0; i < XLNX_VERSAL_NUM_OSPI_FLASH; i++) {
+         BusState *spi_bus;
+--
+.25.1

-New patch
+[PULL 23/39] arm: force flag recalculation when messing with DAIF
+From: Alex Bennée <alex.bennee@linaro.org>
+The recently introduced debug tests in kvm-unit-tests exposed an error
+in our handling of singlestep cause by stale hflags. This is caught by
+--enable-debug-tcg when running the tests.
+Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
+Reported-by: Andrew Jones <drjones@redhat.com>
+Tested-by: Andrew Jones <drjones@redhat.com>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220202122353.457084-1-alex.bennee@linaro.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/helper-a64.c | 2 ++
+file changed, 2 insertions(+)
+diff --git a/target/arm/helper-a64.c b/target/arm/helper-a64.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/helper-a64.c
++++ b/target/arm/helper-a64.c
+@@ -XXX,XX +XXX,XX @@ void HELPER(msr_i_daifset)(CPUARMState *env, uint32_t imm)
+ {
+     daif_check(env, 0x1e, imm, GETPC());
+     env->daif |= (imm << 6) & PSTATE_DAIF;
++    arm_rebuild_hflags(env);
+ }
+ void HELPER(msr_i_daifclear)(CPUARMState *env, uint32_t imm)
+ {
+     daif_check(env, 0x1f, imm, GETPC());
+     env->daif &= ~((imm << 6) & PSTATE_DAIF);
++    arm_rebuild_hflags(env);
+ }
+ /* Convert a softfloat float_relation_ (as returned by
+--
+.25.1

-New patch
+[PULL 24/39] hw/timer/armv7m_systick: Update clock source before enabling timer
+From: Richard Petri <git@rpls.de>
+Starting the SysTick timer and changing the clock source a the same time
+will result in an error, if the previous clock period was zero. For exmaple,
+on the mps2-tz platforms, no refclk is present. Right after reset, the
+configured ptimer period is zero, and trying to enabling it will turn it off
+right away. E.g., code running on the platform setting
+    SysTick->CTRL  = SysTick_CTRL_CLKSOURCE_Msk | SysTick_CTRL_ENABLE_Msk;
+should change the clock source and enable the timer on real hardware, but
+resulted in an error in qemu.
+Signed-off-by: Richard Petri <git@rpls.de>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20220201192650.289584-1-git@rpls.de
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ hw/timer/armv7m_systick.c | 8 ++++----
+file changed, 4 insertions(+), 4 deletions(-)
+diff --git a/hw/timer/armv7m_systick.c b/hw/timer/armv7m_systick.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/timer/armv7m_systick.c
++++ b/hw/timer/armv7m_systick.c
+@@ -XXX,XX +XXX,XX @@ static MemTxResult systick_write(void *opaque, hwaddr addr,
+         s->control &= 0xfffffff8;
+         s->control |= value & 7;
++        if ((oldval ^ value) & SYSTICK_CLKSOURCE) {
++            systick_set_period_from_clock(s);
++        }
++
+         if ((oldval ^ value) & SYSTICK_ENABLE) {
+             if (value & SYSTICK_ENABLE) {
+                 ptimer_run(s->ptimer, 0);
+@@ -XXX,XX +XXX,XX @@ static MemTxResult systick_write(void *opaque, hwaddr addr,
+                 ptimer_stop(s->ptimer);
+             }
+         }
+-
+-        if ((oldval ^ value) & SYSTICK_CLKSOURCE) {
+-            systick_set_period_from_clock(s);
+-        }
+         ptimer_transaction_commit(s->ptimer);
+         break;
+     }
+--
+.25.1

-New patch
+[PULL 25/39] hw/arm/smmuv3: Fix device reset
+From: Eric Auger <eric.auger@redhat.com>
+We currently miss a bunch of register resets in the device reset
+function. This sometimes prevents the guest from rebooting after
+a system_reset (with virtio-blk-pci). For instance, we may get
+the following errors:
+invalid STE
+smmuv3-iommu-memory-region-0-0 translation failed for iova=0x13a9d2000(SMMU_EVT_C_BAD_STE)
+Invalid read at addr 0x13A9D2000, size 2, region '(null)', reason: rejected
+invalid STE
+smmuv3-iommu-memory-region-0-0 translation failed for iova=0x13a9d2000(SMMU_EVT_C_BAD_STE)
+Invalid write at addr 0x13A9D2000, size 2, region '(null)', reason: rejected
+invalid STE
+Signed-off-by: Eric Auger <eric.auger@redhat.com>
+Message-id: 20220202111602.627429-1-eric.auger@redhat.com
+Fixes: 10a83cb988 ("hw/arm/smmuv3: Skeleton")
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ hw/arm/smmuv3.c | 6 ++++++
+file changed, 6 insertions(+)
+diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/smmuv3.c
++++ b/hw/arm/smmuv3.c
+@@ -XXX,XX +XXX,XX @@ static void smmuv3_init_regs(SMMUv3State *s)
+     s->features = 0;
+     s->sid_split = 0;
+     s->aidr = 0x1;
++    s->cr[0] = 0;
++    s->cr0ack = 0;
++    s->irq_ctrl = 0;
++    s->gerror = 0;
++    s->gerrorn = 0;
++    s->statusr = 0;
+ }
+ static int smmu_get_ste(SMMUv3State *s, dma_addr_t addr, STE *buf,
+--
+.25.1

-New patch
+[PULL 26/39] hw/intc/arm_gicv3_its: Use address_space_map() to access command queue packets
+Currently the ITS accesses each 8-byte doubleword in a 4-doubleword
 command packet with a separate address_space_ldq_le() call.  This is
 awkward because the individual command processing functions have
 ended up with code to handle "load more doublewords out of the
 packet", which is both unwieldy and also a potential source of bugs
 because it's not obvious when looking at a line that pulls a field
 out of the 'value' variable which of the 4 doublewords that variable
 currently holds.
 Switch to using address_space_map() to map the whole command packet
 at once and fish the four doublewords out of it.  Then each process_*
 function can start with a few lines of code that extract the fields
 it cares about.
 This requires us to split out the guts of process_its_cmd() into a
 new do_process_its_cmd(), because we were previously overloading the
 value and offset arguments as a backdoor way to directly pass the
 devid and eventid from a write to GITS_TRANSLATER.  The new
 do_process_its_cmd() takes those arguments directly, and
 process_its_cmd() is just a wrapper that does the "read fields from
 command packet" part.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20220201193207.2771604-2-peter.maydell@linaro.org
 ---
  hw/intc/gicv3_internal.h |   4 +-
  hw/intc/arm_gicv3_its.c  | 208 +++++++++++----------------------------
 files changed, 62 insertions(+), 150 deletions(-)
 diff --git a/hw/intc/gicv3_internal.h b/hw/intc/gicv3_internal.h
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/intc/gicv3_internal.h
 +++ b/hw/intc/gicv3_internal.h
@@ -XXX,XX +XXX,XX @@ FIELD(GITS_TYPER, CIL, 36, 1)
  #define LPI_CTE_ENABLED          TABLE_ENTRY_VALID_MASK
  #define LPI_PRIORITY_MASK         0xfc
 -#define GITS_CMDQ_ENTRY_SIZE               32
 -#define NUM_BYTES_IN_DW                     8
 +#define GITS_CMDQ_ENTRY_WORDS 4
 +#define GITS_CMDQ_ENTRY_SIZE  (GITS_CMDQ_ENTRY_WORDS * sizeof(uint64_t))
  #define CMD_MASK                  0xff
 diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/intc/arm_gicv3_its.c
 +++ b/hw/intc/arm_gicv3_its.c
@@ -XXX,XX +XXX,XX @@ static uint64_t get_dte(GICv3ITSState *s, uint32_t devid, MemTxResult *res)
   * 3. handling of ITS CLEAR command
   * 4. handling of ITS DISCARD command
   */
 -static ItsCmdResult process_its_cmd(GICv3ITSState *s, uint64_t value,
 -                                    uint32_t offset, ItsCmdType cmd)
 +static ItsCmdResult do_process_its_cmd(GICv3ITSState *s, uint32_t devid,
 +                                       uint32_t eventid, ItsCmdType cmd)
  {
 -    AddressSpace *as = &s->gicv3->dma_as;
 -    uint32_t devid, eventid;
      MemTxResult res = MEMTX_OK;
      bool dte_valid;
      uint64_t dte = 0;
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_its_cmd(GICv3ITSState *s, uint64_t value,
      bool cte_valid = false;
      uint64_t rdbase;
 -    if (cmd == NONE) {
 -        devid = offset;
 -    } else {
 -        devid = ((value & DEVID_MASK) >> DEVID_SHIFT);
 -
 -        offset += NUM_BYTES_IN_DW;
 -        value = address_space_ldq_le(as, s->cq.base_addr + offset,
 -                                     MEMTXATTRS_UNSPECIFIED, &res);
 -    }
 -
 -    if (res != MEMTX_OK) {
 -        return CMD_STALL;
 -    }
 -
 -    eventid = (value & EVENTID_MASK);
 -
      if (devid >= s->dt.num_entries) {
          qemu_log_mask(LOG_GUEST_ERROR,
                        "%s: invalid command attributes: devid %d>=%d",
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_its_cmd(GICv3ITSState *s, uint64_t value,
      }
      return CMD_CONTINUE;
  }
 -
 -static ItsCmdResult process_mapti(GICv3ITSState *s, uint64_t value,
 -                                  uint32_t offset, bool ignore_pInt)
 +static ItsCmdResult process_its_cmd(GICv3ITSState *s, const uint64_t *cmdpkt,
 +                                    ItsCmdType cmd)
 +{
 +    uint32_t devid, eventid;
 +
 +    devid = (cmdpkt[0] & DEVID_MASK) >> DEVID_SHIFT;
 +    eventid = cmdpkt[1] & EVENTID_MASK;
 +    return do_process_its_cmd(s, devid, eventid, cmd);
 +}
 +
 +static ItsCmdResult process_mapti(GICv3ITSState *s, const uint64_t *cmdpkt,
 +                                  bool ignore_pInt)
  {
 -    AddressSpace *as = &s->gicv3->dma_as;
      uint32_t devid, eventid;
      uint32_t pIntid = 0;
      uint64_t num_eventids;
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapti(GICv3ITSState *s, uint64_t value,
      uint64_t dte = 0;
      IteEntry ite = {};
 -    devid = ((value & DEVID_MASK) >> DEVID_SHIFT);
 -    offset += NUM_BYTES_IN_DW;
 -    value = address_space_ldq_le(as, s->cq.base_addr + offset,
 -                                 MEMTXATTRS_UNSPECIFIED, &res);
 -
 -    if (res != MEMTX_OK) {
 -        return CMD_STALL;
 -    }
 -
 -    eventid = (value & EVENTID_MASK);
 +    devid = (cmdpkt[0] & DEVID_MASK) >> DEVID_SHIFT;
 +    eventid = cmdpkt[1] & EVENTID_MASK;
      if (ignore_pInt) {
          pIntid = eventid;
      } else {
 -        pIntid = ((value & pINTID_MASK) >> pINTID_SHIFT);
 +        pIntid = (cmdpkt[1] & pINTID_MASK) >> pINTID_SHIFT;
      }
 -    offset += NUM_BYTES_IN_DW;
 -    value = address_space_ldq_le(as, s->cq.base_addr + offset,
 -                                 MEMTXATTRS_UNSPECIFIED, &res);
 -
 -    if (res != MEMTX_OK) {
 -        return CMD_STALL;
 -    }
 -
 -    icid = value & ICID_MASK;
 +    icid = cmdpkt[2] & ICID_MASK;
      if (devid >= s->dt.num_entries) {
          qemu_log_mask(LOG_GUEST_ERROR,
@@ -XXX,XX +XXX,XX @@ static bool update_cte(GICv3ITSState *s, uint16_t icid, bool valid,
      return res == MEMTX_OK;
  }
 -static ItsCmdResult process_mapc(GICv3ITSState *s, uint32_t offset)
 +static ItsCmdResult process_mapc(GICv3ITSState *s, const uint64_t *cmdpkt)
  {
 -    AddressSpace *as = &s->gicv3->dma_as;
      uint16_t icid;
      uint64_t rdbase;
      bool valid;
 -    MemTxResult res = MEMTX_OK;
 -    uint64_t value;
 -    offset += NUM_BYTES_IN_DW;
 -    offset += NUM_BYTES_IN_DW;
 +    icid = cmdpkt[2] & ICID_MASK;
 -    value = address_space_ldq_le(as, s->cq.base_addr + offset,
 -                                 MEMTXATTRS_UNSPECIFIED, &res);
 -
 -    if (res != MEMTX_OK) {
 -        return CMD_STALL;
 -    }
 -
 -    icid = value & ICID_MASK;
 -
 -    rdbase = (value & R_MAPC_RDBASE_MASK) >> R_MAPC_RDBASE_SHIFT;
 +    rdbase = (cmdpkt[2] & R_MAPC_RDBASE_MASK) >> R_MAPC_RDBASE_SHIFT;
      rdbase &= RDBASE_PROCNUM_MASK;
 -    valid = (value & CMD_FIELD_VALID_MASK);
 +    valid = cmdpkt[2] & CMD_FIELD_VALID_MASK;
      if ((icid >= s->ct.num_entries) || (rdbase >= s->gicv3->num_cpu)) {
          qemu_log_mask(LOG_GUEST_ERROR,
@@ -XXX,XX +XXX,XX @@ static bool update_dte(GICv3ITSState *s, uint32_t devid, bool valid,
      return res == MEMTX_OK;
  }
 -static ItsCmdResult process_mapd(GICv3ITSState *s, uint64_t value,
 -                                 uint32_t offset)
 +static ItsCmdResult process_mapd(GICv3ITSState *s, const uint64_t *cmdpkt)
  {
 -    AddressSpace *as = &s->gicv3->dma_as;
      uint32_t devid;
      uint8_t size;
      uint64_t itt_addr;
      bool valid;
 -    MemTxResult res = MEMTX_OK;
 -    devid = ((value & DEVID_MASK) >> DEVID_SHIFT);
 -
 -    offset += NUM_BYTES_IN_DW;
 -    value = address_space_ldq_le(as, s->cq.base_addr + offset,
 -                                 MEMTXATTRS_UNSPECIFIED, &res);
 -
 -    if (res != MEMTX_OK) {
 -        return CMD_STALL;
 -    }
 -
 -    size = (value & SIZE_MASK);
 -
 -    offset += NUM_BYTES_IN_DW;
 -    value = address_space_ldq_le(as, s->cq.base_addr + offset,
 -                                 MEMTXATTRS_UNSPECIFIED, &res);
 -
 -    if (res != MEMTX_OK) {
 -        return CMD_STALL;
 -    }
 -
 -    itt_addr = (value & ITTADDR_MASK) >> ITTADDR_SHIFT;
 -
 -    valid = (value & CMD_FIELD_VALID_MASK);
 +    devid = (cmdpkt[0] & DEVID_MASK) >> DEVID_SHIFT;
 +    size = cmdpkt[1] & SIZE_MASK;
 +    itt_addr = (cmdpkt[2] & ITTADDR_MASK) >> ITTADDR_SHIFT;
 +    valid = cmdpkt[2] & CMD_FIELD_VALID_MASK;
      if ((devid >= s->dt.num_entries) ||
          (size > FIELD_EX64(s->typer, GITS_TYPER, IDBITS))) {
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapd(GICv3ITSState *s, uint64_t value,
      return update_dte(s, devid, valid, size, itt_addr) ? CMD_CONTINUE : CMD_STALL;
  }
 -static ItsCmdResult process_movall(GICv3ITSState *s, uint64_t value,
 -                                   uint32_t offset)
 +static ItsCmdResult process_movall(GICv3ITSState *s, const uint64_t *cmdpkt)
  {
 -    AddressSpace *as = &s->gicv3->dma_as;
 -    MemTxResult res = MEMTX_OK;
      uint64_t rd1, rd2;
 -    /* No fields in dwords 0 or 1 */
 -    offset += NUM_BYTES_IN_DW;
 -    offset += NUM_BYTES_IN_DW;
 -    value = address_space_ldq_le(as, s->cq.base_addr + offset,
 -                                 MEMTXATTRS_UNSPECIFIED, &res);
 -    if (res != MEMTX_OK) {
 -        return CMD_STALL;
 -    }
 +    rd1 = FIELD_EX64(cmdpkt[2], MOVALL_2, RDBASE1);
 +    rd2 = FIELD_EX64(cmdpkt[3], MOVALL_3, RDBASE2);
 -    rd1 = FIELD_EX64(value, MOVALL_2, RDBASE1);
      if (rd1 >= s->gicv3->num_cpu) {
          qemu_log_mask(LOG_GUEST_ERROR,
                        "%s: RDBASE1 %" PRId64
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_movall(GICv3ITSState *s, uint64_t value,
                        __func__, rd1, s->gicv3->num_cpu);
          return CMD_CONTINUE;
      }
 -
 -    offset += NUM_BYTES_IN_DW;
 -    value = address_space_ldq_le(as, s->cq.base_addr + offset,
 -                                 MEMTXATTRS_UNSPECIFIED, &res);
 -    if (res != MEMTX_OK) {
 -        return CMD_STALL;
 -    }
 -
 -    rd2 = FIELD_EX64(value, MOVALL_3, RDBASE2);
      if (rd2 >= s->gicv3->num_cpu) {
          qemu_log_mask(LOG_GUEST_ERROR,
                        "%s: RDBASE2 %" PRId64
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_movall(GICv3ITSState *s, uint64_t value,
      return CMD_CONTINUE;
  }
 -static ItsCmdResult process_movi(GICv3ITSState *s, uint64_t value,
 -                                 uint32_t offset)
 +static ItsCmdResult process_movi(GICv3ITSState *s, const uint64_t *cmdpkt)
  {
 -    AddressSpace *as = &s->gicv3->dma_as;
      MemTxResult res = MEMTX_OK;
      uint32_t devid, eventid, intid;
      uint16_t old_icid, new_icid;
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_movi(GICv3ITSState *s, uint64_t value,
      uint64_t num_eventids;
      IteEntry ite = {};
 -    devid = FIELD_EX64(value, MOVI_0, DEVICEID);
 -
 -    offset += NUM_BYTES_IN_DW;
 -    value = address_space_ldq_le(as, s->cq.base_addr + offset,
 -                                 MEMTXATTRS_UNSPECIFIED, &res);
 -    if (res != MEMTX_OK) {
 -        return CMD_STALL;
 -    }
 -    eventid = FIELD_EX64(value, MOVI_1, EVENTID);
 -
 -    offset += NUM_BYTES_IN_DW;
 -    value = address_space_ldq_le(as, s->cq.base_addr + offset,
 -                                 MEMTXATTRS_UNSPECIFIED, &res);
 -    if (res != MEMTX_OK) {
 -        return CMD_STALL;
 -    }
 -    new_icid = FIELD_EX64(value, MOVI_2, ICID);
 +    devid = FIELD_EX64(cmdpkt[0], MOVI_0, DEVICEID);
 +    eventid = FIELD_EX64(cmdpkt[1], MOVI_1, EVENTID);
 +    new_icid = FIELD_EX64(cmdpkt[2], MOVI_2, ICID);
      if (devid >= s->dt.num_entries) {
          qemu_log_mask(LOG_GUEST_ERROR,
@@ -XXX,XX +XXX,XX @@ static void process_cmdq(GICv3ITSState *s)
      uint32_t wr_offset = 0;
      uint32_t rd_offset = 0;
      uint32_t cq_offset = 0;
 -    uint64_t data;
      AddressSpace *as = &s->gicv3->dma_as;
 -    MemTxResult res = MEMTX_OK;
      uint8_t cmd;
      int i;
@@ -XXX,XX +XXX,XX @@ static void process_cmdq(GICv3ITSState *s)
      while (wr_offset != rd_offset) {
          ItsCmdResult result = CMD_CONTINUE;
 +        void *hostmem;
 +        hwaddr buflen;
 +        uint64_t cmdpkt[GITS_CMDQ_ENTRY_WORDS];
          cq_offset = (rd_offset * GITS_CMDQ_ENTRY_SIZE);
 -        data = address_space_ldq_le(as, s->cq.base_addr + cq_offset,
 -                                    MEMTXATTRS_UNSPECIFIED, &res);
 -        if (res != MEMTX_OK) {
 +
 +        buflen = GITS_CMDQ_ENTRY_SIZE;
 +        hostmem = address_space_map(as, s->cq.base_addr + cq_offset,
 +                                    &buflen, false, MEMTXATTRS_UNSPECIFIED);
 +        if (!hostmem || buflen != GITS_CMDQ_ENTRY_SIZE) {
 +            if (hostmem) {
 +                address_space_unmap(as, hostmem, buflen, false, 0);
 +            }
              s->creadr = FIELD_DP64(s->creadr, GITS_CREADR, STALLED, 1);
              qemu_log_mask(LOG_GUEST_ERROR,
                            "%s: could not read command at 0x%" PRIx64 "\n",
                            __func__, s->cq.base_addr + cq_offset);
              break;
          }
 +        for (i = 0; i < ARRAY_SIZE(cmdpkt); i++) {
 +            cmdpkt[i] = ldq_le_p(hostmem + i * sizeof(uint64_t));
 +        }
 +        address_space_unmap(as, hostmem, buflen, false, 0);
 -        cmd = (data & CMD_MASK);
 +        cmd = cmdpkt[0] & CMD_MASK;
          trace_gicv3_its_process_command(rd_offset, cmd);
          switch (cmd) {
          case GITS_CMD_INT:
 -            result = process_its_cmd(s, data, cq_offset, INTERRUPT);
 +            result = process_its_cmd(s, cmdpkt, INTERRUPT);
              break;
          case GITS_CMD_CLEAR:
 -            result = process_its_cmd(s, data, cq_offset, CLEAR);
 +            result = process_its_cmd(s, cmdpkt, CLEAR);
              break;
          case GITS_CMD_SYNC:
              /*
@@ -XXX,XX +XXX,XX @@ static void process_cmdq(GICv3ITSState *s)
               */
              break;
          case GITS_CMD_MAPD:
 -            result = process_mapd(s, data, cq_offset);
 +            result = process_mapd(s, cmdpkt);
              break;
          case GITS_CMD_MAPC:
 -            result = process_mapc(s, cq_offset);
 +            result = process_mapc(s, cmdpkt);
              break;
          case GITS_CMD_MAPTI:
 -            result = process_mapti(s, data, cq_offset, false);
 +            result = process_mapti(s, cmdpkt, false);
              break;
          case GITS_CMD_MAPI:
 -            result = process_mapti(s, data, cq_offset, true);
 +            result = process_mapti(s, cmdpkt, true);
              break;
          case GITS_CMD_DISCARD:
 -            result = process_its_cmd(s, data, cq_offset, DISCARD);
 +            result = process_its_cmd(s, cmdpkt, DISCARD);
              break;
          case GITS_CMD_INV:
          case GITS_CMD_INVALL:
@@ -XXX,XX +XXX,XX @@ static void process_cmdq(GICv3ITSState *s)
              }
              break;
          case GITS_CMD_MOVI:
 -            result = process_movi(s, data, cq_offset);
 +            result = process_movi(s, cmdpkt);
              break;
          case GITS_CMD_MOVALL:
 -            result = process_movall(s, data, cq_offset);
 +            result = process_movall(s, cmdpkt);
              break;
          default:
              break;
@@ -XXX,XX +XXX,XX @@ static MemTxResult gicv3_its_translation_write(void *opaque, hwaddr offset,
  {
      GICv3ITSState *s = (GICv3ITSState *)opaque;
      bool result = true;
 -    uint32_t devid = 0;
      trace_gicv3_its_translation_write(offset, data, size, attrs.requester_id);
      switch (offset) {
      case GITS_TRANSLATER:
          if (s->ctlr & R_GITS_CTLR_ENABLED_MASK) {
 -            devid = attrs.requester_id;
 -            result = process_its_cmd(s, data, devid, NONE);
 +            result = do_process_its_cmd(s, attrs.requester_id, data, NONE);
          }
          break;
      default:
 --
 .25.1

-New patch
+[PULL 27/39] hw/intc/arm_gicv3_its: Keep DTEs as a struct, not a raw uint64_t
+In the ITS, a DTE is an entry in the device table, which contains
 multiple fields. Currently the function get_dte() which reads one
 entry from the device table returns it as a raw 64-bit integer,
 which we then pass around in that form, only extracting fields
 from it as we need them.
 Create a real C struct with the same fields as the DTE, and
 populate it in get_dte(), so that that function and update_dte()
 are the only ones that need to care about the in-guest-memory
 format of the DTE.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20220201193207.2771604-3-peter.maydell@linaro.org
 ---
  hw/intc/arm_gicv3_its.c | 111 ++++++++++++++++++++--------------------
 file changed, 56 insertions(+), 55 deletions(-)
 diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/intc/arm_gicv3_its.c
 +++ b/hw/intc/arm_gicv3_its.c
@@ -XXX,XX +XXX,XX @@ typedef struct {
      uint64_t itel;
  } IteEntry;
 +typedef struct DTEntry {
 +    bool valid;
 +    unsigned size;
 +    uint64_t ittaddr;
 +} DTEntry;
 +
  /*
   * The ITS spec permits a range of CONSTRAINED UNPREDICTABLE options
   * if a command parameter is not correct. These include both "stall
@@ -XXX,XX +XXX,XX @@ static bool get_cte(GICv3ITSState *s, uint16_t icid, uint64_t *cte,
      return FIELD_EX64(*cte, CTE, VALID);
  }
 -static bool update_ite(GICv3ITSState *s, uint32_t eventid, uint64_t dte,
 +static bool update_ite(GICv3ITSState *s, uint32_t eventid, const DTEntry *dte,
                         IteEntry ite)
  {
      AddressSpace *as = &s->gicv3->dma_as;
 -    uint64_t itt_addr;
      MemTxResult res = MEMTX_OK;
 -    itt_addr = FIELD_EX64(dte, DTE, ITTADDR);
 -    itt_addr <<= ITTADDR_SHIFT; /* 256 byte aligned */
 -
 -    address_space_stq_le(as, itt_addr + (eventid * (sizeof(uint64_t) +
 +    address_space_stq_le(as, dte->ittaddr + (eventid * (sizeof(uint64_t) +
                           sizeof(uint32_t))), ite.itel, MEMTXATTRS_UNSPECIFIED,
                           &res);
      if (res == MEMTX_OK) {
 -        address_space_stl_le(as, itt_addr + (eventid * (sizeof(uint64_t) +
 +        address_space_stl_le(as, dte->ittaddr + (eventid * (sizeof(uint64_t) +
                               sizeof(uint32_t))) + sizeof(uint32_t), ite.iteh,
                               MEMTXATTRS_UNSPECIFIED, &res);
      }
@@ -XXX,XX +XXX,XX @@ static bool update_ite(GICv3ITSState *s, uint32_t eventid, uint64_t dte,
      }
  }
 -static bool get_ite(GICv3ITSState *s, uint32_t eventid, uint64_t dte,
 +static bool get_ite(GICv3ITSState *s, uint32_t eventid, const DTEntry *dte,
                      uint16_t *icid, uint32_t *pIntid, MemTxResult *res)
  {
      AddressSpace *as = &s->gicv3->dma_as;
 -    uint64_t itt_addr;
      bool status = false;
      IteEntry ite = {};
 -    itt_addr = FIELD_EX64(dte, DTE, ITTADDR);
 -    itt_addr <<= ITTADDR_SHIFT; /* 256 byte aligned */
 -
 -    ite.itel = address_space_ldq_le(as, itt_addr +
 +    ite.itel = address_space_ldq_le(as, dte->ittaddr +
                                      (eventid * (sizeof(uint64_t) +
                                      sizeof(uint32_t))), MEMTXATTRS_UNSPECIFIED,
                                      res);
      if (*res == MEMTX_OK) {
 -        ite.iteh = address_space_ldl_le(as, itt_addr +
 +        ite.iteh = address_space_ldl_le(as, dte->ittaddr +
                                          (eventid * (sizeof(uint64_t) +
                                          sizeof(uint32_t))) + sizeof(uint32_t),
                                          MEMTXATTRS_UNSPECIFIED, res);
@@ -XXX,XX +XXX,XX @@ static bool get_ite(GICv3ITSState *s, uint32_t eventid, uint64_t dte,
      return status;
  }
 -static uint64_t get_dte(GICv3ITSState *s, uint32_t devid, MemTxResult *res)
 +/*
 + * Read the Device Table entry at index @devid. On success (including
 + * successfully determining that there is no valid DTE for this index),
 + * we return MEMTX_OK and populate the DTEntry struct accordingly.
 + * If there is an error reading memory then we return the error code.
 + */
 +static MemTxResult get_dte(GICv3ITSState *s, uint32_t devid, DTEntry *dte)
  {
 +    MemTxResult res = MEMTX_OK;
      AddressSpace *as = &s->gicv3->dma_as;
 -    uint64_t entry_addr = table_entry_addr(s, &s->dt, devid, res);
 +    uint64_t entry_addr = table_entry_addr(s, &s->dt, devid, &res);
 +    uint64_t dteval;
      if (entry_addr == -1) {
 -        return 0; /* a DTE entry with the Valid bit clear */
 +        /* No L2 table entry, i.e. no valid DTE, or a memory error */
 +        dte->valid = false;
 +        return res;
      }
 -    return address_space_ldq_le(as, entry_addr, MEMTXATTRS_UNSPECIFIED, res);
 +    dteval = address_space_ldq_le(as, entry_addr, MEMTXATTRS_UNSPECIFIED, &res);
 +    if (res != MEMTX_OK) {
 +        return res;
 +    }
 +    dte->valid = FIELD_EX64(dteval, DTE, VALID);
 +    dte->size = FIELD_EX64(dteval, DTE, SIZE);
 +    /* DTE word field stores bits [51:8] of the ITT address */
 +    dte->ittaddr = FIELD_EX64(dteval, DTE, ITTADDR) << ITTADDR_SHIFT;
 +    return MEMTX_OK;
  }
  /*
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult do_process_its_cmd(GICv3ITSState *s, uint32_t devid,
                                         uint32_t eventid, ItsCmdType cmd)
  {
      MemTxResult res = MEMTX_OK;
 -    bool dte_valid;
 -    uint64_t dte = 0;
      uint64_t num_eventids;
      uint16_t icid = 0;
      uint32_t pIntid = 0;
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult do_process_its_cmd(GICv3ITSState *s, uint32_t devid,
      uint64_t cte = 0;
      bool cte_valid = false;
      uint64_t rdbase;
 +    DTEntry dte;
      if (devid >= s->dt.num_entries) {
          qemu_log_mask(LOG_GUEST_ERROR,
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult do_process_its_cmd(GICv3ITSState *s, uint32_t devid,
          return CMD_CONTINUE;
      }
 -    dte = get_dte(s, devid, &res);
 -
 -    if (res != MEMTX_OK) {
 +    if (get_dte(s, devid, &dte) != MEMTX_OK) {
          return CMD_STALL;
      }
 -    dte_valid = FIELD_EX64(dte, DTE, VALID);
 -
 -    if (!dte_valid) {
 +    if (!dte.valid) {
          qemu_log_mask(LOG_GUEST_ERROR,
                        "%s: invalid command attributes: "
 -                      "invalid dte: %"PRIx64" for %d\n",
 -                      __func__, dte, devid);
 +                      "invalid dte for %d\n", __func__, devid);
          return CMD_CONTINUE;
      }
 -    num_eventids = 1ULL << (FIELD_EX64(dte, DTE, SIZE) + 1);
 -
 +    num_eventids = 1ULL << (dte.size + 1);
      if (eventid >= num_eventids) {
          qemu_log_mask(LOG_GUEST_ERROR,
                        "%s: invalid command attributes: eventid %d >= %"
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult do_process_its_cmd(GICv3ITSState *s, uint32_t devid,
          return CMD_CONTINUE;
      }
 -    ite_valid = get_ite(s, eventid, dte, &icid, &pIntid, &res);
 +    ite_valid = get_ite(s, eventid, &dte, &icid, &pIntid, &res);
      if (res != MEMTX_OK) {
          return CMD_STALL;
      }
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult do_process_its_cmd(GICv3ITSState *s, uint32_t devid,
      if (cmd == DISCARD) {
          IteEntry ite = {};
          /* remove mapping from interrupt translation table */
 -        return update_ite(s, eventid, dte, ite) ? CMD_CONTINUE : CMD_STALL;
 +        return update_ite(s, eventid, &dte, ite) ? CMD_CONTINUE : CMD_STALL;
      }
      return CMD_CONTINUE;
  }
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapti(GICv3ITSState *s, const uint64_t *cmdpkt,
      uint32_t pIntid = 0;
      uint64_t num_eventids;
      uint32_t num_intids;
 -    bool dte_valid;
 -    MemTxResult res = MEMTX_OK;
      uint16_t icid = 0;
 -    uint64_t dte = 0;
      IteEntry ite = {};
 +    DTEntry dte;
      devid = (cmdpkt[0] & DEVID_MASK) >> DEVID_SHIFT;
      eventid = cmdpkt[1] & EVENTID_MASK;
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapti(GICv3ITSState *s, const uint64_t *cmdpkt,
          return CMD_CONTINUE;
      }
 -    dte = get_dte(s, devid, &res);
 -
 -    if (res != MEMTX_OK) {
 +    if (get_dte(s, devid, &dte) != MEMTX_OK) {
          return CMD_STALL;
      }
 -    dte_valid = FIELD_EX64(dte, DTE, VALID);
 -    num_eventids = 1ULL << (FIELD_EX64(dte, DTE, SIZE) + 1);
 +    num_eventids = 1ULL << (dte.size + 1);
      num_intids = 1ULL << (GICD_TYPER_IDBITS + 1);
      if ((icid >= s->ct.num_entries)
 -            || !dte_valid || (eventid >= num_eventids) ||
 +            || !dte.valid || (eventid >= num_eventids) ||
              (((pIntid < GICV3_LPI_INTID_START) || (pIntid >= num_intids)) &&
               (pIntid != INTID_SPURIOUS))) {
          qemu_log_mask(LOG_GUEST_ERROR,
                        "%s: invalid command attributes "
                        "icid %d or eventid %d or pIntid %d or"
                        "unmapped dte %d\n", __func__, icid, eventid,
 -                      pIntid, dte_valid);
 +                      pIntid, dte.valid);
          /*
           * in this implementation, in case of error
           * we ignore this command and move onto the next
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapti(GICv3ITSState *s, const uint64_t *cmdpkt,
      }
      /* add ite entry to interrupt translation table */
 -    ite.itel = FIELD_DP64(ite.itel, ITE_L, VALID, dte_valid);
 +    ite.itel = FIELD_DP64(ite.itel, ITE_L, VALID, true);
      ite.itel = FIELD_DP64(ite.itel, ITE_L, INTTYPE, ITE_INTTYPE_PHYSICAL);
      ite.itel = FIELD_DP64(ite.itel, ITE_L, INTID, pIntid);
      ite.itel = FIELD_DP64(ite.itel, ITE_L, DOORBELL, INTID_SPURIOUS);
      ite.iteh = FIELD_DP32(ite.iteh, ITE_H, ICID, icid);
 -    return update_ite(s, eventid, dte, ite) ? CMD_CONTINUE : CMD_STALL;
 +    return update_ite(s, eventid, &dte, ite) ? CMD_CONTINUE : CMD_STALL;
  }
  static bool update_cte(GICv3ITSState *s, uint16_t icid, bool valid,
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_movi(GICv3ITSState *s, const uint64_t *cmdpkt)
      uint16_t old_icid, new_icid;
      uint64_t old_cte, new_cte;
      uint64_t old_rdbase, new_rdbase;
 -    uint64_t dte;
 -    bool dte_valid, ite_valid, cte_valid;
 +    bool ite_valid, cte_valid;
      uint64_t num_eventids;
      IteEntry ite = {};
 +    DTEntry dte;
      devid = FIELD_EX64(cmdpkt[0], MOVI_0, DEVICEID);
      eventid = FIELD_EX64(cmdpkt[1], MOVI_1, EVENTID);
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_movi(GICv3ITSState *s, const uint64_t *cmdpkt)
                        __func__, devid, s->dt.num_entries);
          return CMD_CONTINUE;
      }
 -    dte = get_dte(s, devid, &res);
 -    if (res != MEMTX_OK) {
 +    if (get_dte(s, devid, &dte) != MEMTX_OK) {
          return CMD_STALL;
      }
 -    dte_valid = FIELD_EX64(dte, DTE, VALID);
 -    if (!dte_valid) {
 +    if (!dte.valid) {
          qemu_log_mask(LOG_GUEST_ERROR,
                        "%s: invalid command attributes: "
 -                      "invalid dte: %"PRIx64" for %d\n",
 -                      __func__, dte, devid);
 +                      "invalid dte for %d\n", __func__, devid);
          return CMD_CONTINUE;
      }
 -    num_eventids = 1ULL << (FIELD_EX64(dte, DTE, SIZE) + 1);
 +    num_eventids = 1ULL << (dte.size + 1);
      if (eventid >= num_eventids) {
          qemu_log_mask(LOG_GUEST_ERROR,
                        "%s: invalid command attributes: eventid %d >= %"
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_movi(GICv3ITSState *s, const uint64_t *cmdpkt)
          return CMD_CONTINUE;
      }
 -    ite_valid = get_ite(s, eventid, dte, &old_icid, &intid, &res);
 +    ite_valid = get_ite(s, eventid, &dte, &old_icid, &intid, &res);
      if (res != MEMTX_OK) {
          return CMD_STALL;
      }
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_movi(GICv3ITSState *s, const uint64_t *cmdpkt)
      ite.itel = FIELD_DP64(ite.itel, ITE_L, INTID, intid);
      ite.itel = FIELD_DP64(ite.itel, ITE_L, DOORBELL, INTID_SPURIOUS);
      ite.iteh = FIELD_DP32(ite.iteh, ITE_H, ICID, new_icid);
 -    return update_ite(s, eventid, dte, ite) ? CMD_CONTINUE : CMD_STALL;
 +    return update_ite(s, eventid, &dte, ite) ? CMD_CONTINUE : CMD_STALL;
  }
  /*
 --
 .25.1

-[PULL 06/11] target/arm/kvm64: max cpu: Enable SVE when available
+[PULL 28/39] hw/intc/arm_gicv3_its: Pass DTEntry to update_dte()
-From: Andrew Jones <drjones@redhat.com>
+Make update_dte() take a DTEntry struct rather than all the fields of
 the new DTE as separate arguments.
-Enable SVE in the KVM guest when the 'max' cpu type is configured
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-and KVM supports it. KVM SVE requires use of the new finalize
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-vcpu ioctl, so we add that now too. For starters SVE can only be
+Message-id: 20220201193207.2771604-4-peter.maydell@linaro.org
-turned on or off, getting all vector lengths the host CPU supports
+---
-when on. We'll add the other SVE CPU properties in later patches.
+ hw/intc/arm_gicv3_its.c | 35 ++++++++++++++++++-----------------
 file changed, 18 insertions(+), 17 deletions(-)
-Signed-off-by: Andrew Jones <drjones@redhat.com>
+diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Eric Auger <eric.auger@redhat.com>
 Tested-by: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com>
 Reviewed-by: Beata Michalska <beata.michalska@linaro.org>
 Message-id: 20191031142734.8590-7-drjones@redhat.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
  target/arm/kvm_arm.h     | 27 +++++++++++++++++++++++++++
  target/arm/cpu64.c       | 17 ++++++++++++++---
  target/arm/kvm.c         |  5 +++++
  target/arm/kvm64.c       | 20 +++++++++++++++++++-
  tests/arm-cpu-features.c |  4 ++++
 files changed, 69 insertions(+), 4 deletions(-)
 diff --git a/target/arm/kvm_arm.h b/target/arm/kvm_arm.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/kvm_arm.h
+--- a/hw/intc/arm_gicv3_its.c
-+++ b/target/arm/kvm_arm.h
++++ b/hw/intc/arm_gicv3_its.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapc(GICv3ITSState *s, const uint64_t *cmdpkt)
-  */
+     return update_cte(s, icid, valid, rdbase) ? CMD_CONTINUE : CMD_STALL;
- int kvm_arm_vcpu_init(CPUState *cs);
+ }
-+/**
+-static bool update_dte(GICv3ITSState *s, uint32_t devid, bool valid,
-+ * kvm_arm_vcpu_finalize
+-                       uint8_t size, uint64_t itt_addr)
-+ * @cs: CPUState
++/*
-+ * @feature: int
++ * Update the Device Table entry for @devid to @dte. Returns true
-+ *
++ * on success, false if there was a memory access error.
 + * Finalizes the configuration of the specified VCPU feature by
 + * invoking the KVM_ARM_VCPU_FINALIZE ioctl. Features requiring
 + * this are documented in the "KVM_ARM_VCPU_FINALIZE" section of
 + * KVM's API documentation.
 + *
 + * Returns: 0 if success else < 0 error code
 + */
-+int kvm_arm_vcpu_finalize(CPUState *cs, int feature);
++static bool update_dte(GICv3ITSState *s, uint32_t devid, const DTEntry *dte)
-+
+ {
- /**
+     AddressSpace *as = &s->gicv3->dma_as;
-  * kvm_arm_register_device:
+     uint64_t entry_addr;
-  * @mr: memory region for this device
+-    uint64_t dte = 0;
-@@ -XXX,XX +XXX,XX @@ bool kvm_arm_aarch32_supported(CPUState *cs);
++    uint64_t dteval = 0;
-  */
+     MemTxResult res = MEMTX_OK;
- bool kvm_arm_pmu_supported(CPUState *cs);
+     if (s->dt.valid) {
-+/**
+-        if (valid) {
-+ * bool kvm_arm_sve_supported:
++        if (dte->valid) {
-+ * @cs: CPUState
+             /* add mapping entry to device table */
-+ *
+-            dte = FIELD_DP64(dte, DTE, VALID, 1);
-+ * Returns true if the KVM VCPU can enable SVE and false otherwise.
+-            dte = FIELD_DP64(dte, DTE, SIZE, size);
-+ */
+-            dte = FIELD_DP64(dte, DTE, ITTADDR, itt_addr);
-+bool kvm_arm_sve_supported(CPUState *cs);
++            dteval = FIELD_DP64(dteval, DTE, VALID, 1);
-+
++            dteval = FIELD_DP64(dteval, DTE, SIZE, dte->size);
- /**
++            dteval = FIELD_DP64(dteval, DTE, ITTADDR, dte->ittaddr);
-  * kvm_arm_get_max_vm_ipa_size - Returns the number of bits in the
+         }
-  * IPA address space supported by KVM
+     } else {
-@@ -XXX,XX +XXX,XX @@ static inline bool kvm_arm_pmu_supported(CPUState *cs)
+         return true;
-     return false;
+@@ -XXX,XX +XXX,XX @@ static bool update_dte(GICv3ITSState *s, uint32_t devid, bool valid,
          /* No L2 table for this index: discard write and continue */
          return true;
      }
 -    address_space_stq_le(as, entry_addr, dte, MEMTXATTRS_UNSPECIFIED, &res);
 +    address_space_stq_le(as, entry_addr, dteval, MEMTXATTRS_UNSPECIFIED, &res);
      return res == MEMTX_OK;
  }
-+static inline bool kvm_arm_sve_supported(CPUState *cs)
+ static ItsCmdResult process_mapd(GICv3ITSState *s, const uint64_t *cmdpkt)
 +{
 +    return false;
 +}
 +
  static inline int kvm_arm_get_max_vm_ipa_size(MachineState *ms)
  {
-     return -ENOENT;
+     uint32_t devid;
-diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
+-    uint8_t size;
-index XXXXXXX..XXXXXXX 100644
+-    uint64_t itt_addr;
---- a/target/arm/cpu64.c
+-    bool valid;
-+++ b/target/arm/cpu64.c
++    DTEntry dte;
-@@ -XXX,XX +XXX,XX @@ static void cpu_arm_set_sve(Object *obj, Visitor *v, const char *name,
-         return;
+     devid = (cmdpkt[0] & DEVID_MASK) >> DEVID_SHIFT;
 -    size = cmdpkt[1] & SIZE_MASK;
 -    itt_addr = (cmdpkt[2] & ITTADDR_MASK) >> ITTADDR_SHIFT;
 -    valid = cmdpkt[2] & CMD_FIELD_VALID_MASK;
 +    dte.size = cmdpkt[1] & SIZE_MASK;
 +    dte.ittaddr = (cmdpkt[2] & ITTADDR_MASK) >> ITTADDR_SHIFT;
 +    dte.valid = cmdpkt[2] & CMD_FIELD_VALID_MASK;
      if ((devid >= s->dt.num_entries) ||
 -        (size > FIELD_EX64(s->typer, GITS_TYPER, IDBITS))) {
 +        (dte.size > FIELD_EX64(s->typer, GITS_TYPER, IDBITS))) {
          qemu_log_mask(LOG_GUEST_ERROR,
                        "ITS MAPD: invalid device table attributes "
 -                      "devid %d or size %d\n", devid, size);
 +                      "devid %d or size %d\n", devid, dte.size);
          /*
           * in this implementation, in case of error
           * we ignore this command and move onto the next
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapd(GICv3ITSState *s, const uint64_t *cmdpkt)
          return CMD_CONTINUE;
      }
-+    if (value && kvm_enabled() && !kvm_arm_sve_supported(CPU(cpu))) {
+-    return update_dte(s, devid, valid, size, itt_addr) ? CMD_CONTINUE : CMD_STALL;
-+        error_setg(errp, "'sve' feature not supported by KVM on this host");
++    return update_dte(s, devid, &dte) ? CMD_CONTINUE : CMD_STALL;
 +        return;
 +    }
 +
      t = cpu->isar.id_aa64pfr0;
      t = FIELD_DP64(t, ID_AA64PFR0, SVE, value);
      cpu->isar.id_aa64pfr0 = t;
@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
  {
      ARMCPU *cpu = ARM_CPU(obj);
      uint32_t vq;
 +    uint64_t t;
      if (kvm_enabled()) {
          kvm_arm_set_cpu_features_from_host(cpu);
 +        if (kvm_arm_sve_supported(CPU(cpu))) {
 +            t = cpu->isar.id_aa64pfr0;
 +            t = FIELD_DP64(t, ID_AA64PFR0, SVE, 1);
 +            cpu->isar.id_aa64pfr0 = t;
 +        }
      } else {
 -        uint64_t t;
          uint32_t u;
          aarch64_a57_initfn(obj);
@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
          object_property_add(obj, "sve-max-vq", "uint32", cpu_max_get_sve_max_vq,
                              cpu_max_set_sve_max_vq, NULL, NULL, &error_fatal);
 -        object_property_add(obj, "sve", "bool", cpu_arm_get_sve,
 -                            cpu_arm_set_sve, NULL, NULL, &error_fatal);
          for (vq = 1; vq <= ARM_MAX_VQ; ++vq) {
              char name[8];
@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
                                  cpu_arm_set_sve_vq, NULL, NULL, &error_fatal);
          }
      }
 +
 +    object_property_add(obj, "sve", "bool", cpu_arm_get_sve,
 +                        cpu_arm_set_sve, NULL, NULL, &error_fatal);
  }
- struct ARMCPUInfo {
+ static ItsCmdResult process_movall(GICv3ITSState *s, const uint64_t *cmdpkt)
 diff --git a/target/arm/kvm.c b/target/arm/kvm.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/kvm.c
 +++ b/target/arm/kvm.c
@@ -XXX,XX +XXX,XX @@ int kvm_arm_vcpu_init(CPUState *cs)
      return kvm_vcpu_ioctl(cs, KVM_ARM_VCPU_INIT, &init);
  }
 +int kvm_arm_vcpu_finalize(CPUState *cs, int feature)
 +{
 +    return kvm_vcpu_ioctl(cs, KVM_ARM_VCPU_FINALIZE, &feature);
 +}
 +
  void kvm_arm_init_serror_injection(CPUState *cs)
  {
      cap_has_inject_serror_esr = kvm_check_extension(cs->kvm_state,
 diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/kvm64.c
 +++ b/target/arm/kvm64.c
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_aarch32_supported(CPUState *cpu)
      return kvm_check_extension(s, KVM_CAP_ARM_EL1_32BIT);
  }
 +bool kvm_arm_sve_supported(CPUState *cpu)
 +{
 +    KVMState *s = KVM_STATE(current_machine->accelerator);
 +
 +    return kvm_check_extension(s, KVM_CAP_ARM_SVE);
 +}
 +
  #define ARM_CPU_ID_MPIDR       3, 0, 0, 0, 5
  int kvm_arch_init_vcpu(CPUState *cs)
@@ -XXX,XX +XXX,XX @@ int kvm_arch_init_vcpu(CPUState *cs)
          cpu->kvm_init_features[0] |= 1 << KVM_ARM_VCPU_EL1_32BIT;
      }
      if (!kvm_check_extension(cs->kvm_state, KVM_CAP_ARM_PMU_V3)) {
 -            cpu->has_pmu = false;
 +        cpu->has_pmu = false;
      }
      if (cpu->has_pmu) {
          cpu->kvm_init_features[0] |= 1 << KVM_ARM_VCPU_PMU_V3;
      } else {
          unset_feature(&env->features, ARM_FEATURE_PMU);
      }
 +    if (cpu_isar_feature(aa64_sve, cpu)) {
 +        assert(kvm_arm_sve_supported(cs));
 +        cpu->kvm_init_features[0] |= 1 << KVM_ARM_VCPU_SVE;
 +    }
      /* Do KVM_ARM_VCPU_INIT ioctl */
      ret = kvm_arm_vcpu_init(cs);
@@ -XXX,XX +XXX,XX @@ int kvm_arch_init_vcpu(CPUState *cs)
          return ret;
      }
 +    if (cpu_isar_feature(aa64_sve, cpu)) {
 +        ret = kvm_arm_vcpu_finalize(cs, KVM_ARM_VCPU_SVE);
 +        if (ret) {
 +            return ret;
 +        }
 +    }
 +
      /*
       * When KVM is in use, PSCI is emulated in-kernel and not by qemu.
       * Currently KVM has its own idea about MPIDR assignment, so we
 diff --git a/tests/arm-cpu-features.c b/tests/arm-cpu-features.c
 index XXXXXXX..XXXXXXX 100644
 --- a/tests/arm-cpu-features.c
 +++ b/tests/arm-cpu-features.c
@@ -XXX,XX +XXX,XX @@ static void test_query_cpu_model_expansion_kvm(const void *data)
          assert_has_feature(qts, "host", "aarch64");
          assert_has_feature(qts, "host", "pmu");
 +        assert_has_feature(qts, "max", "sve");
 +
          assert_error(qts, "cortex-a15",
              "We cannot guarantee the CPU type 'cortex-a15' works "
              "with KVM on this host", NULL);
      } else {
          assert_has_not_feature(qts, "host", "aarch64");
          assert_has_not_feature(qts, "host", "pmu");
 +
 +        assert_has_not_feature(qts, "max", "sve");
      }
      qtest_quit(qts);
 --
-.20.1
+.25.1

-New patch
+[PULL 29/39] hw/intc/arm_gicv3_its: Keep CTEs as a struct, not a raw uint64_t
+In the ITS, a CTE is an entry in the collection table, which contains
 multiple fields. Currently the function get_cte() which reads one
 entry from the device table returns a success/failure boolean and
 passes back the raw 64-bit integer CTE value via a pointer argument.
 We then extract fields from the CTE as we need them.
 Create a real C struct with the same fields as the CTE, and
 populate it in get_cte(), so that that function and update_cte()
 are the only ones which need to care about the in-guest-memory
 format of the CTE.
 This brings get_cte()'s API into line with get_dte().
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20220201193207.2771604-5-peter.maydell@linaro.org
 ---
  hw/intc/arm_gicv3_its.c | 96 ++++++++++++++++++++++-------------------
 file changed, 52 insertions(+), 44 deletions(-)
 diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/intc/arm_gicv3_its.c
 +++ b/hw/intc/arm_gicv3_its.c
@@ -XXX,XX +XXX,XX @@ typedef struct DTEntry {
      uint64_t ittaddr;
  } DTEntry;
 +typedef struct CTEntry {
 +    bool valid;
 +    uint32_t rdbase;
 +} CTEntry;
 +
  /*
   * The ITS spec permits a range of CONSTRAINED UNPREDICTABLE options
   * if a command parameter is not correct. These include both "stall
@@ -XXX,XX +XXX,XX @@ static uint64_t table_entry_addr(GICv3ITSState *s, TableDesc *td,
      return (l2 & ((1ULL << 51) - 1)) + (idx % num_l2_entries) * td->entry_sz;
  }
 -static bool get_cte(GICv3ITSState *s, uint16_t icid, uint64_t *cte,
 -                    MemTxResult *res)
 +/*
 + * Read the Collection Table entry at index @icid. On success (including
 + * successfully determining that there is no valid CTE for this index),
 + * we return MEMTX_OK and populate the CTEntry struct @cte accordingly.
 + * If there is an error reading memory then we return the error code.
 + */
 +static MemTxResult get_cte(GICv3ITSState *s, uint16_t icid, CTEntry *cte)
  {
      AddressSpace *as = &s->gicv3->dma_as;
 -    uint64_t entry_addr = table_entry_addr(s, &s->ct, icid, res);
 +    MemTxResult res = MEMTX_OK;
 +    uint64_t entry_addr = table_entry_addr(s, &s->ct, icid, &res);
 +    uint64_t cteval;
      if (entry_addr == -1) {
 -        return false; /* not valid */
 +        /* No L2 table entry, i.e. no valid CTE, or a memory error */
 +        cte->valid = false;
 +        return res;
      }
 -    *cte = address_space_ldq_le(as, entry_addr, MEMTXATTRS_UNSPECIFIED, res);
 -    return FIELD_EX64(*cte, CTE, VALID);
 +    cteval = address_space_ldq_le(as, entry_addr, MEMTXATTRS_UNSPECIFIED, &res);
 +    if (res != MEMTX_OK) {
 +        return res;
 +    }
 +    cte->valid = FIELD_EX64(cteval, CTE, VALID);
 +    cte->rdbase = FIELD_EX64(cteval, CTE, RDBASE);
 +    return MEMTX_OK;
  }
  static bool update_ite(GICv3ITSState *s, uint32_t eventid, const DTEntry *dte,
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult do_process_its_cmd(GICv3ITSState *s, uint32_t devid,
      uint16_t icid = 0;
      uint32_t pIntid = 0;
      bool ite_valid = false;
 -    uint64_t cte = 0;
 -    bool cte_valid = false;
 -    uint64_t rdbase;
      DTEntry dte;
 +    CTEntry cte;
      if (devid >= s->dt.num_entries) {
          qemu_log_mask(LOG_GUEST_ERROR,
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult do_process_its_cmd(GICv3ITSState *s, uint32_t devid,
          return CMD_CONTINUE;
      }
 -    cte_valid = get_cte(s, icid, &cte, &res);
 -    if (res != MEMTX_OK) {
 +    if (get_cte(s, icid, &cte) != MEMTX_OK) {
          return CMD_STALL;
      }
 -    if (!cte_valid) {
 +    if (!cte.valid) {
          qemu_log_mask(LOG_GUEST_ERROR,
 -                      "%s: invalid command attributes: "
 -                      "invalid cte: %"PRIx64"\n",
 -                      __func__, cte);
 +                      "%s: invalid command attributes: invalid CTE\n",
 +                      __func__);
          return CMD_CONTINUE;
      }
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult do_process_its_cmd(GICv3ITSState *s, uint32_t devid,
       * Current implementation only supports rdbase == procnum
       * Hence rdbase physical address is ignored
       */
 -    rdbase = FIELD_EX64(cte, CTE, RDBASE);
 -
 -    if (rdbase >= s->gicv3->num_cpu) {
 +    if (cte.rdbase >= s->gicv3->num_cpu) {
          return CMD_CONTINUE;
      }
      if ((cmd == CLEAR) || (cmd == DISCARD)) {
 -        gicv3_redist_process_lpi(&s->gicv3->cpu[rdbase], pIntid, 0);
 +        gicv3_redist_process_lpi(&s->gicv3->cpu[cte.rdbase], pIntid, 0);
      } else {
 -        gicv3_redist_process_lpi(&s->gicv3->cpu[rdbase], pIntid, 1);
 +        gicv3_redist_process_lpi(&s->gicv3->cpu[cte.rdbase], pIntid, 1);
      }
      if (cmd == DISCARD) {
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_movi(GICv3ITSState *s, const uint64_t *cmdpkt)
      MemTxResult res = MEMTX_OK;
      uint32_t devid, eventid, intid;
      uint16_t old_icid, new_icid;
 -    uint64_t old_cte, new_cte;
 -    uint64_t old_rdbase, new_rdbase;
 -    bool ite_valid, cte_valid;
 +    bool ite_valid;
      uint64_t num_eventids;
      IteEntry ite = {};
      DTEntry dte;
 +    CTEntry old_cte, new_cte;
      devid = FIELD_EX64(cmdpkt[0], MOVI_0, DEVICEID);
      eventid = FIELD_EX64(cmdpkt[1], MOVI_1, EVENTID);
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_movi(GICv3ITSState *s, const uint64_t *cmdpkt)
          return CMD_CONTINUE;
      }
 -    cte_valid = get_cte(s, old_icid, &old_cte, &res);
 -    if (res != MEMTX_OK) {
 +    if (get_cte(s, old_icid, &old_cte) != MEMTX_OK) {
          return CMD_STALL;
      }
 -    if (!cte_valid) {
 +    if (!old_cte.valid) {
          qemu_log_mask(LOG_GUEST_ERROR,
                        "%s: invalid command attributes: "
 -                      "invalid cte: %"PRIx64"\n",
 -                      __func__, old_cte);
 +                      "invalid CTE for old ICID 0x%x\n",
 +                      __func__, old_icid);
          return CMD_CONTINUE;
      }
 -    cte_valid = get_cte(s, new_icid, &new_cte, &res);
 -    if (res != MEMTX_OK) {
 +    if (get_cte(s, new_icid, &new_cte) != MEMTX_OK) {
          return CMD_STALL;
      }
 -    if (!cte_valid) {
 +    if (!new_cte.valid) {
          qemu_log_mask(LOG_GUEST_ERROR,
                        "%s: invalid command attributes: "
 -                      "invalid cte: %"PRIx64"\n",
 -                      __func__, new_cte);
 +                      "invalid CTE for new ICID 0x%x\n",
 +                      __func__, new_icid);
          return CMD_CONTINUE;
      }
 -    old_rdbase = FIELD_EX64(old_cte, CTE, RDBASE);
 -    if (old_rdbase >= s->gicv3->num_cpu) {
 +    if (old_cte.rdbase >= s->gicv3->num_cpu) {
          qemu_log_mask(LOG_GUEST_ERROR,
 -                      "%s: CTE has invalid rdbase 0x%"PRIx64"\n",
 -                      __func__, old_rdbase);
 +                      "%s: CTE has invalid rdbase 0x%x\n",
 +                      __func__, old_cte.rdbase);
          return CMD_CONTINUE;
      }
 -    new_rdbase = FIELD_EX64(new_cte, CTE, RDBASE);
 -    if (new_rdbase >= s->gicv3->num_cpu) {
 +    if (new_cte.rdbase >= s->gicv3->num_cpu) {
          qemu_log_mask(LOG_GUEST_ERROR,
 -                      "%s: CTE has invalid rdbase 0x%"PRIx64"\n",
 -                      __func__, new_rdbase);
 +                      "%s: CTE has invalid rdbase 0x%x\n",
 +                      __func__, new_cte.rdbase);
          return CMD_CONTINUE;
      }
 -    if (old_rdbase != new_rdbase) {
 +    if (old_cte.rdbase != new_cte.rdbase) {
          /* Move the LPI from the old redistributor to the new one */
 -        gicv3_redist_mov_lpi(&s->gicv3->cpu[old_rdbase],
 -                             &s->gicv3->cpu[new_rdbase],
 +        gicv3_redist_mov_lpi(&s->gicv3->cpu[old_cte.rdbase],
 +                             &s->gicv3->cpu[new_cte.rdbase],
                               intid);
      }
 --
 .25.1

-[PULL 04/11] target/arm/cpu64: max cpu: Introduce sve<N> properties
+[PULL 30/39] hw/intc/arm_gicv3_its: Pass CTEntry to update_cte()
-From: Andrew Jones <drjones@redhat.com>
+Make update_cte() take a CTEntry struct rather than all the fields
 of the new CTE as separate arguments.
-Introduce cpu properties to give fine control over SVE vector lengths.
+This brings it into line with the update_dte() API.
 We introduce a property for each valid length up to the current
 maximum supported, which is 2048-bits. The properties are named, e.g.
 sve128, sve256, sve384, sve512, ..., where the number is the number of
 bits. See the updates to docs/arm-cpu-features.rst for a description
 of the semantics and for example uses.
-Note, as sve-max-vq is still present and we'd like to be able to
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-support qmp_query_cpu_model_expansion with guests launched with e.g.
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
--cpu max,sve-max-vq=8 on their command lines, then we do allow
+Message-id: 20220201193207.2771604-6-peter.maydell@linaro.org
-sve-max-vq and sve<N> properties to be provided at the same time, but
+---
-this is not recommended, and is why sve-max-vq is not mentioned in the
+ hw/intc/arm_gicv3_its.c | 32 +++++++++++++++++---------------
-document.  If sve-max-vq is provided then it enables all lengths smaller
+file changed, 17 insertions(+), 15 deletions(-)
 than and including the max and disables all lengths larger. It also has
 the side-effect that no larger lengths may be enabled and that the max
 itself cannot be disabled. Smaller non-power-of-two lengths may,
 however, be disabled, e.g. -cpu max,sve-max-vq=4,sve384=off provides a
 guest the vector lengths 128, 256, and 512 bits.
-This patch has been co-authored with Richard Henderson, who reworked
+diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
 the target/arm/cpu64.c changes in order to push all the validation and
 auto-enabling/disabling steps into the finalizer, resulting in a nice
 LOC reduction.
 Signed-off-by: Andrew Jones <drjones@redhat.com>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Eric Auger <eric.auger@redhat.com>
 Tested-by: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com>
 Reviewed-by: Beata Michalska <beata.michalska@linaro.org>
 Message-id: 20191031142734.8590-5-drjones@redhat.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
  include/qemu/bitops.h     |   1 +
  target/arm/cpu.h          |  19 ++++
  target/arm/cpu.c          |  19 ++++
  target/arm/cpu64.c        | 192 ++++++++++++++++++++++++++++++++++++-
  target/arm/helper.c       |  10 +-
  target/arm/monitor.c      |  12 +++
  tests/arm-cpu-features.c  | 194 ++++++++++++++++++++++++++++++++++++++
  docs/arm-cpu-features.rst | 168 +++++++++++++++++++++++++++++++--
 files changed, 606 insertions(+), 9 deletions(-)
 diff --git a/include/qemu/bitops.h b/include/qemu/bitops.h
 index XXXXXXX..XXXXXXX 100644
---- a/include/qemu/bitops.h
+--- a/hw/intc/arm_gicv3_its.c
-+++ b/include/qemu/bitops.h
++++ b/hw/intc/arm_gicv3_its.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapti(GICv3ITSState *s, const uint64_t *cmdpkt,
- #define BITS_PER_LONG           (sizeof (unsigned long) * BITS_PER_BYTE)
+     return update_ite(s, eventid, &dte, ite) ? CMD_CONTINUE : CMD_STALL;
  #define BIT(nr)                 (1UL << (nr))
 +#define BIT_ULL(nr)             (1ULL << (nr))
  #define BIT_MASK(nr)            (1UL << ((nr) % BITS_PER_LONG))
  #define BIT_WORD(nr)            ((nr) / BITS_PER_LONG)
  #define BITS_TO_LONGS(nr)       DIV_ROUND_UP(nr, BITS_PER_BYTE * sizeof(long))
 diff --git a/target/arm/cpu.h b/target/arm/cpu.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.h
 +++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ typedef struct {
  #ifdef TARGET_AARCH64
  # define ARM_MAX_VQ    16
 +void arm_cpu_sve_finalize(ARMCPU *cpu, Error **errp);
 +uint32_t arm_cpu_vq_map_next_smaller(ARMCPU *cpu, uint32_t vq);
  #else
  # define ARM_MAX_VQ    1
 +static inline void arm_cpu_sve_finalize(ARMCPU *cpu, Error **errp) { }
 +static inline uint32_t arm_cpu_vq_map_next_smaller(ARMCPU *cpu, uint32_t vq)
 +{ return 0; }
  #endif
  typedef struct ARMVectorReg {
@@ -XXX,XX +XXX,XX @@ struct ARMCPU {
      /* Used to set the maximum vector length the cpu will support.  */
      uint32_t sve_max_vq;
 +
 +    /*
 +     * In sve_vq_map each set bit is a supported vector length of
 +     * (bit-number + 1) * 16 bytes, i.e. each bit number + 1 is the vector
 +     * length in quadwords.
 +     *
 +     * While processing properties during initialization, corresponding
 +     * sve_vq_init bits are set for bits in sve_vq_map that have been
 +     * set by properties.
 +     */
 +    DECLARE_BITMAP(sve_vq_map, ARM_MAX_VQ);
 +    DECLARE_BITMAP(sve_vq_init, ARM_MAX_VQ);
  };
  void arm_cpu_post_init(Object *obj);
@@ -XXX,XX +XXX,XX @@ static inline int arm_feature(CPUARMState *env, int feature)
      return (env->features & (1ULL << feature)) != 0;
  }
-+void arm_cpu_finalize_features(ARMCPU *cpu, Error **errp);
+-static bool update_cte(GICv3ITSState *s, uint16_t icid, bool valid,
-+
+-                       uint64_t rdbase)
- #if !defined(CONFIG_USER_ONLY)
++/*
- /* Return true if exception levels below EL3 are in secure state,
++ * Update the Collection Table entry for @icid to @cte. Returns true
-  * or would be following an exception return to that level.
++ * on success, false if there was a memory access error.
-diff --git a/target/arm/cpu.c b/target/arm/cpu.c
++ */
-index XXXXXXX..XXXXXXX 100644
++static bool update_cte(GICv3ITSState *s, uint16_t icid, const CTEntry *cte)
---- a/target/arm/cpu.c
+ {
-+++ b/target/arm/cpu.c
+     AddressSpace *as = &s->gicv3->dma_as;
-@@ -XXX,XX +XXX,XX @@ static void arm_cpu_finalizefn(Object *obj)
+     uint64_t entry_addr;
- #endif
+-    uint64_t cte = 0;
 +    uint64_t cteval = 0;
      MemTxResult res = MEMTX_OK;
      if (!s->ct.valid) {
          return true;
      }
 -    if (valid) {
 +    if (cte->valid) {
          /* add mapping entry to collection table */
 -        cte = FIELD_DP64(cte, CTE, VALID, 1);
 -        cte = FIELD_DP64(cte, CTE, RDBASE, rdbase);
 +        cteval = FIELD_DP64(cteval, CTE, VALID, 1);
 +        cteval = FIELD_DP64(cteval, CTE, RDBASE, cte->rdbase);
      }
      entry_addr = table_entry_addr(s, &s->ct, icid, &res);
@@ -XXX,XX +XXX,XX @@ static bool update_cte(GICv3ITSState *s, uint16_t icid, bool valid,
          return true;
      }
 -    address_space_stq_le(as, entry_addr, cte, MEMTXATTRS_UNSPECIFIED, &res);
 +    address_space_stq_le(as, entry_addr, cteval, MEMTXATTRS_UNSPECIFIED, &res);
      return res == MEMTX_OK;
  }
-+void arm_cpu_finalize_features(ARMCPU *cpu, Error **errp)
+ static ItsCmdResult process_mapc(GICv3ITSState *s, const uint64_t *cmdpkt)
 +{
 +    Error *local_err = NULL;
 +
 +    if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64)) {
 +        arm_cpu_sve_finalize(cpu, &local_err);
 +        if (local_err != NULL) {
 +            error_propagate(errp, local_err);
 +            return;
 +        }
 +    }
 +}
 +
  static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
  {
-     CPUState *cs = CPU(dev);
+     uint16_t icid;
-@@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
+-    uint64_t rdbase;
-         return;
+-    bool valid;
 +    CTEntry cte;
      icid = cmdpkt[2] & ICID_MASK;
 -    rdbase = (cmdpkt[2] & R_MAPC_RDBASE_MASK) >> R_MAPC_RDBASE_SHIFT;
 -    rdbase &= RDBASE_PROCNUM_MASK;
 +    cte.rdbase = (cmdpkt[2] & R_MAPC_RDBASE_MASK) >> R_MAPC_RDBASE_SHIFT;
 +    cte.rdbase &= RDBASE_PROCNUM_MASK;
 -    valid = cmdpkt[2] & CMD_FIELD_VALID_MASK;
 +    cte.valid = cmdpkt[2] & CMD_FIELD_VALID_MASK;
 -    if ((icid >= s->ct.num_entries) || (rdbase >= s->gicv3->num_cpu)) {
 +    if ((icid >= s->ct.num_entries) || (cte.rdbase >= s->gicv3->num_cpu)) {
          qemu_log_mask(LOG_GUEST_ERROR,
                        "ITS MAPC: invalid collection table attributes "
 -                      "icid %d rdbase %" PRIu64 "\n",  icid, rdbase);
 +                      "icid %d rdbase %u\n",  icid, cte.rdbase);
          /*
           * in this implementation, in case of error
           * we ignore this command and move onto the next
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapc(GICv3ITSState *s, const uint64_t *cmdpkt)
          return CMD_CONTINUE;
      }
-+    arm_cpu_finalize_features(cpu, &local_err);
+-    return update_cte(s, icid, valid, rdbase) ? CMD_CONTINUE : CMD_STALL;
-+    if (local_err != NULL) {
++    return update_cte(s, icid, &cte) ? CMD_CONTINUE : CMD_STALL;
 +        error_propagate(errp, local_err);
 +        return;
 +    }
 +
      if (arm_feature(env, ARM_FEATURE_AARCH64) &&
          cpu->has_vfp != cpu->has_neon) {
          /*
 diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu64.c
 +++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_a72_initfn(Object *obj)
      define_arm_cp_regs(cpu, cortex_a72_a57_a53_cp_reginfo);
  }
-+void arm_cpu_sve_finalize(ARMCPU *cpu, Error **errp)
-+{
-+    /*
-+     * If any vector lengths are explicitly enabled with sve<N> properties,
-+     * then all other lengths are implicitly disabled.  If sve-max-vq is
-+     * specified then it is the same as explicitly enabling all lengths
-+     * up to and including the specified maximum, which means all larger
-+     * lengths will be implicitly disabled.  If no sve<N> properties
-+     * are enabled and sve-max-vq is not specified, then all lengths not
-+     * explicitly disabled will be enabled.  Additionally, all power-of-two
-+     * vector lengths less than the maximum enabled length will be
-+     * automatically enabled and all vector lengths larger than the largest
-+     * disabled power-of-two vector length will be automatically disabled.
-+     * Errors are generated if the user provided input that interferes with
-+     * any of the above.  Finally, if SVE is not disabled, then at least one
-+     * vector length must be enabled.
-+     */
-+    DECLARE_BITMAP(tmp, ARM_MAX_VQ);
-+    uint32_t vq, max_vq = 0;
-+
-+    /*
-+     * Process explicit sve<N> properties.
-+     * From the properties, sve_vq_map<N> implies sve_vq_init<N>.
-+     * Check first for any sve<N> enabled.
-+     */
-+    if (!bitmap_empty(cpu->sve_vq_map, ARM_MAX_VQ)) {
-+        max_vq = find_last_bit(cpu->sve_vq_map, ARM_MAX_VQ) + 1;
-+
-+        if (cpu->sve_max_vq && max_vq > cpu->sve_max_vq) {
-+            error_setg(errp, "cannot enable sve%d", max_vq * 128);
-+            error_append_hint(errp, "sve%d is larger than the maximum vector "
-+                              "length, sve-max-vq=%d (%d bits)\n",
-+                              max_vq * 128, cpu->sve_max_vq,
-+                              cpu->sve_max_vq * 128);
-+            return;
-+        }
-+
-+        /* Propagate enabled bits down through required powers-of-two. */
-+        for (vq = pow2floor(max_vq); vq >= 1; vq >>= 1) {
-+            if (!test_bit(vq - 1, cpu->sve_vq_init)) {
-+                set_bit(vq - 1, cpu->sve_vq_map);
-+            }
-+        }
-+    } else if (cpu->sve_max_vq == 0) {
-+        /*
-+         * No explicit bits enabled, and no implicit bits from sve-max-vq.
-+         */
-+        if (!cpu_isar_feature(aa64_sve, cpu)) {
-+            /* SVE is disabled and so are all vector lengths.  Good. */
-+            return;
-+        }
-+
-+        /* Disabling a power-of-two disables all larger lengths. */
-+        if (test_bit(0, cpu->sve_vq_init)) {
-+            error_setg(errp, "cannot disable sve128");
-+            error_append_hint(errp, "Disabling sve128 results in all vector "
-+                              "lengths being disabled.\n");
-+            error_append_hint(errp, "With SVE enabled, at least one vector "
-+                              "length must be enabled.\n");
-+            return;
-+        }
-+        for (vq = 2; vq <= ARM_MAX_VQ; vq <<= 1) {
-+            if (test_bit(vq - 1, cpu->sve_vq_init)) {
-+                break;
-+            }
-+        }
-+        max_vq = vq <= ARM_MAX_VQ ? vq - 1 : ARM_MAX_VQ;
-+
-+        bitmap_complement(cpu->sve_vq_map, cpu->sve_vq_init, max_vq);
-+        max_vq = find_last_bit(cpu->sve_vq_map, max_vq) + 1;
-+    }
-+
-+    /*
-+     * Process the sve-max-vq property.
-+     * Note that we know from the above that no bit above
-+     * sve-max-vq is currently set.
-+     */
-+    if (cpu->sve_max_vq != 0) {
-+        max_vq = cpu->sve_max_vq;
-+
-+        if (!test_bit(max_vq - 1, cpu->sve_vq_map) &&
-+            test_bit(max_vq - 1, cpu->sve_vq_init)) {
-+            error_setg(errp, "cannot disable sve%d", max_vq * 128);
-+            error_append_hint(errp, "The maximum vector length must be "
-+                              "enabled, sve-max-vq=%d (%d bits)\n",
-+                              max_vq, max_vq * 128);
-+            return;
-+        }
-+
-+        /* Set all bits not explicitly set within sve-max-vq. */
-+        bitmap_complement(tmp, cpu->sve_vq_init, max_vq);
-+        bitmap_or(cpu->sve_vq_map, cpu->sve_vq_map, tmp, max_vq);
-+    }
-+
-+    /*
-+     * We should know what max-vq is now.  Also, as we're done
-+     * manipulating sve-vq-map, we ensure any bits above max-vq
-+     * are clear, just in case anybody looks.
-+     */
-+    assert(max_vq != 0);
-+    bitmap_clear(cpu->sve_vq_map, max_vq, ARM_MAX_VQ - max_vq);
-+
-+    /* Ensure all required powers-of-two are enabled. */
-+    for (vq = pow2floor(max_vq); vq >= 1; vq >>= 1) {
-+        if (!test_bit(vq - 1, cpu->sve_vq_map)) {
-+            error_setg(errp, "cannot disable sve%d", vq * 128);
-+            error_append_hint(errp, "sve%d is required as it "
-+                              "is a power-of-two length smaller than "
-+                              "the maximum, sve%d\n",
-+                              vq * 128, max_vq * 128);
-+            return;
-+        }
-+    }
-+
-+    /*
-+     * Now that we validated all our vector lengths, the only question
-+     * left to answer is if we even want SVE at all.
-+     */
-+    if (!cpu_isar_feature(aa64_sve, cpu)) {
-+        error_setg(errp, "cannot enable sve%d", max_vq * 128);
-+        error_append_hint(errp, "SVE must be enabled to enable vector "
-+                          "lengths.\n");
-+        error_append_hint(errp, "Add sve=on to the CPU property list.\n");
-+        return;
-+    }
-+
-+    /* From now on sve_max_vq is the actual maximum supported length. */
-+    cpu->sve_max_vq = max_vq;
-+}
-+
-+uint32_t arm_cpu_vq_map_next_smaller(ARMCPU *cpu, uint32_t vq)
-+{
-+    uint32_t bitnum;
-+
-+    /*
-+     * We allow vq == ARM_MAX_VQ + 1 to be input because the caller may want
-+     * to find the maximum vq enabled, which may be ARM_MAX_VQ, but this
-+     * function always returns the next smaller than the input.
-+     */
-+    assert(vq && vq <= ARM_MAX_VQ + 1);
-+
-+    bitnum = find_last_bit(cpu->sve_vq_map, vq - 1);
-+    return bitnum == vq - 1 ? 0 : bitnum + 1;
-+}
-+
- static void cpu_max_get_sve_max_vq(Object *obj, Visitor *v, const char *name,
-                                    void *opaque, Error **errp)
- {
-@@ -XXX,XX +XXX,XX @@ static void cpu_max_set_sve_max_vq(Object *obj, Visitor *v, const char *name,
-     error_propagate(errp, err);
- }
-+static void cpu_arm_get_sve_vq(Object *obj, Visitor *v, const char *name,
-+                               void *opaque, Error **errp)
-+{
-+    ARMCPU *cpu = ARM_CPU(obj);
-+    uint32_t vq = atoi(&name[3]) / 128;
-+    bool value;
-+
-+    /* All vector lengths are disabled when SVE is off. */
-+    if (!cpu_isar_feature(aa64_sve, cpu)) {
-+        value = false;
-+    } else {
-+        value = test_bit(vq - 1, cpu->sve_vq_map);
-+    }
-+    visit_type_bool(v, name, &value, errp);
-+}
-+
-+static void cpu_arm_set_sve_vq(Object *obj, Visitor *v, const char *name,
-+                               void *opaque, Error **errp)
-+{
-+    ARMCPU *cpu = ARM_CPU(obj);
-+    uint32_t vq = atoi(&name[3]) / 128;
-+    Error *err = NULL;
-+    bool value;
-+
-+    visit_type_bool(v, name, &value, &err);
-+    if (err) {
-+        error_propagate(errp, err);
-+        return;
-+    }
-+
-+    if (value) {
-+        set_bit(vq - 1, cpu->sve_vq_map);
-+    } else {
-+        clear_bit(vq - 1, cpu->sve_vq_map);
-+    }
-+    set_bit(vq - 1, cpu->sve_vq_init);
-+}
-+
- static void cpu_arm_get_sve(Object *obj, Visitor *v, const char *name,
-                             void *opaque, Error **errp)
- {
-@@ -XXX,XX +XXX,XX @@ static void cpu_arm_set_sve(Object *obj, Visitor *v, const char *name,
- static void aarch64_max_initfn(Object *obj)
- {
-     ARMCPU *cpu = ARM_CPU(obj);
-+    uint32_t vq;
-     if (kvm_enabled()) {
-         kvm_arm_set_cpu_features_from_host(cpu);
-@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
-         cpu->dcz_blocksize = 7; /*  512 bytes */
- #endif
--        cpu->sve_max_vq = ARM_MAX_VQ;
-         object_property_add(obj, "sve-max-vq", "uint32", cpu_max_get_sve_max_vq,
-                             cpu_max_set_sve_max_vq, NULL, NULL, &error_fatal);
-         object_property_add(obj, "sve", "bool", cpu_arm_get_sve,
-                             cpu_arm_set_sve, NULL, NULL, &error_fatal);
-+
-+        for (vq = 1; vq <= ARM_MAX_VQ; ++vq) {
-+            char name[8];
-+            sprintf(name, "sve%d", vq * 128);
-+            object_property_add(obj, name, "bool", cpu_arm_get_sve_vq,
-+                                cpu_arm_set_sve_vq, NULL, NULL, &error_fatal);
-+        }
-     }
- }
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ int sve_exception_el(CPUARMState *env, int el)
-     return 0;
- }
-+static uint32_t sve_zcr_get_valid_len(ARMCPU *cpu, uint32_t start_len)
-+{
-+    uint32_t start_vq = (start_len & 0xf) + 1;
-+
-+    return arm_cpu_vq_map_next_smaller(cpu, start_vq + 1) - 1;
-+}
-+
  /*
-  * Given that SVE is enabled, return the vector length for EL.
-  */
-@@ -XXX,XX +XXX,XX @@ uint32_t sve_zcr_len_for_el(CPUARMState *env, int el)
-     if (arm_feature(env, ARM_FEATURE_EL3)) {
-         zcr_len = MIN(zcr_len, 0xf & (uint32_t)env->vfp.zcr_el[3]);
-     }
--    return zcr_len;
-+
-+    return sve_zcr_get_valid_len(cpu, zcr_len);
- }
- static void zcr_write(CPUARMState *env, const ARMCPRegInfo *ri,
-diff --git a/target/arm/monitor.c b/target/arm/monitor.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/monitor.c
-+++ b/target/arm/monitor.c
-@@ -XXX,XX +XXX,XX @@ GICCapabilityList *qmp_query_gic_capabilities(Error **errp)
-     return head;
- }
-+QEMU_BUILD_BUG_ON(ARM_MAX_VQ > 16);
-+
- /*
-  * These are cpu model features we want to advertise. The order here
-  * matters as this is the order in which qmp_query_cpu_model_expansion
-@@ -XXX,XX +XXX,XX @@ GICCapabilityList *qmp_query_gic_capabilities(Error **errp)
-  */
- static const char *cpu_model_advertised_features[] = {
-     "aarch64", "pmu", "sve",
-+    "sve128", "sve256", "sve384", "sve512",
-+    "sve640", "sve768", "sve896", "sve1024", "sve1152", "sve1280",
-+    "sve1408", "sve1536", "sve1664", "sve1792", "sve1920", "sve2048",
-     NULL
- };
-@@ -XXX,XX +XXX,XX @@ CpuModelExpansionInfo *qmp_query_cpu_model_expansion(CpuModelExpansionType type,
-         if (!err) {
-             visit_check_struct(visitor, &err);
-         }
-+        if (!err) {
-+            arm_cpu_finalize_features(ARM_CPU(obj), &err);
-+        }
-         visit_end_struct(visitor, NULL);
-         visit_free(visitor);
-         if (err) {
-@@ -XXX,XX +XXX,XX @@ CpuModelExpansionInfo *qmp_query_cpu_model_expansion(CpuModelExpansionType type,
-             error_propagate(errp, err);
-             return NULL;
-         }
-+    } else {
-+        Error *err = NULL;
-+        arm_cpu_finalize_features(ARM_CPU(obj), &err);
-+        assert(err == NULL);
-     }
-     expansion_info = g_new0(CpuModelExpansionInfo, 1);
-diff --git a/tests/arm-cpu-features.c b/tests/arm-cpu-features.c
-index XXXXXXX..XXXXXXX 100644
---- a/tests/arm-cpu-features.c
-+++ b/tests/arm-cpu-features.c
-@@ -XXX,XX +XXX,XX @@
-  * See the COPYING file in the top-level directory.
-  */
- #include "qemu/osdep.h"
-+#include "qemu/bitops.h"
- #include "libqtest.h"
- #include "qapi/qmp/qdict.h"
- #include "qapi/qmp/qjson.h"
-+/*
-+ * We expect the SVE max-vq to be 16. Also it must be <= 64
-+ * for our test code, otherwise 'vls' can't just be a uint64_t.
-+ */
-+#define SVE_MAX_VQ 16
-+
- #define MACHINE     "-machine virt,gic-version=max,accel=tcg "
- #define MACHINE_KVM "-machine virt,gic-version=max,accel=kvm:tcg "
- #define QUERY_HEAD  "{ 'execute': 'query-cpu-model-expansion', " \
-@@ -XXX,XX +XXX,XX @@ static void assert_bad_props(QTestState *qts, const char *cpu_type)
-     qobject_unref(resp);
- }
-+static uint64_t resp_get_sve_vls(QDict *resp)
-+{
-+    QDict *props;
-+    const QDictEntry *e;
-+    uint64_t vls = 0;
-+    int n = 0;
-+
-+    g_assert(resp);
-+    g_assert(resp_has_props(resp));
-+
-+    props = resp_get_props(resp);
-+
-+    for (e = qdict_first(props); e; e = qdict_next(props, e)) {
-+        if (strlen(e->key) > 3 && !strncmp(e->key, "sve", 3) &&
-+            g_ascii_isdigit(e->key[3])) {
-+            char *endptr;
-+            int bits;
-+
-+            bits = g_ascii_strtoll(&e->key[3], &endptr, 10);
-+            if (!bits || *endptr != '\0') {
-+                continue;
-+            }
-+
-+            if (qdict_get_bool(props, e->key)) {
-+                vls |= BIT_ULL((bits / 128) - 1);
-+            }
-+            ++n;
-+        }
-+    }
-+
-+    g_assert(n == SVE_MAX_VQ);
-+
-+    return vls;
-+}
-+
-+#define assert_sve_vls(qts, cpu_type, expected_vls, fmt, ...)          \
-+({                                                                     \
-+    QDict *_resp = do_query(qts, cpu_type, fmt, ##__VA_ARGS__);        \
-+    g_assert(_resp);                                                   \
-+    g_assert(resp_has_props(_resp));                                   \
-+    g_assert(resp_get_sve_vls(_resp) == expected_vls);                 \
-+    qobject_unref(_resp);                                              \
-+})
-+
-+static void sve_tests_default(QTestState *qts, const char *cpu_type)
-+{
-+    /*
-+     * With no sve-max-vq or sve<N> properties on the command line
-+     * the default is to have all vector lengths enabled. This also
-+     * tests that 'sve' is 'on' by default.
-+     */
-+    assert_sve_vls(qts, cpu_type, BIT_ULL(SVE_MAX_VQ) - 1, NULL);
-+
-+    /* With SVE off, all vector lengths should also be off. */
-+    assert_sve_vls(qts, cpu_type, 0, "{ 'sve': false }");
-+
-+    /* With SVE on, we must have at least one vector length enabled. */
-+    assert_error(qts, cpu_type, "cannot disable sve128", "{ 'sve128': false }");
-+
-+    /* Basic enable/disable tests. */
-+    assert_sve_vls(qts, cpu_type, 0x7, "{ 'sve384': true }");
-+    assert_sve_vls(qts, cpu_type, ((BIT_ULL(SVE_MAX_VQ) - 1) & ~BIT_ULL(2)),
-+                   "{ 'sve384': false }");
-+
-+    /*
-+     * ---------------------------------------------------------------------
-+     *               power-of-two(vq)   all-power-            can      can
-+     *                                  of-two(< vq)        enable   disable
-+     * ---------------------------------------------------------------------
-+     * vq < max_vq      no                MUST*              yes      yes
-+     * vq < max_vq      yes               MUST*              yes      no
-+     * ---------------------------------------------------------------------
-+     * vq == max_vq     n/a               MUST*              yes**    yes**
-+     * ---------------------------------------------------------------------
-+     * vq > max_vq      n/a               no                 no       yes
-+     * vq > max_vq      n/a               yes                yes      yes
-+     * ---------------------------------------------------------------------
-+     *
-+     * [*] "MUST" means this requirement must already be satisfied,
-+     *     otherwise 'max_vq' couldn't itself be enabled.
-+     *
-+     * [**] Not testable with the QMP interface, only with the command line.
-+     */
-+
-+    /* max_vq := 8 */
-+    assert_sve_vls(qts, cpu_type, 0x8b, "{ 'sve1024': true }");
-+
-+    /* max_vq := 8, vq < max_vq, !power-of-two(vq) */
-+    assert_sve_vls(qts, cpu_type, 0x8f,
-+                   "{ 'sve1024': true, 'sve384': true }");
-+    assert_sve_vls(qts, cpu_type, 0x8b,
-+                   "{ 'sve1024': true, 'sve384': false }");
-+
-+    /* max_vq := 8, vq < max_vq, power-of-two(vq) */
-+    assert_sve_vls(qts, cpu_type, 0x8b,
-+                   "{ 'sve1024': true, 'sve256': true }");
-+    assert_error(qts, cpu_type, "cannot disable sve256",
-+                 "{ 'sve1024': true, 'sve256': false }");
-+
-+    /* max_vq := 3, vq > max_vq, !all-power-of-two(< vq) */
-+    assert_error(qts, cpu_type, "cannot disable sve512",
-+                 "{ 'sve384': true, 'sve512': false, 'sve640': true }");
-+
-+    /*
-+     * We can disable power-of-two vector lengths when all larger lengths
-+     * are also disabled. We only need to disable the power-of-two length,
-+     * as all non-enabled larger lengths will then be auto-disabled.
-+     */
-+    assert_sve_vls(qts, cpu_type, 0x7, "{ 'sve512': false }");
-+
-+    /* max_vq := 3, vq > max_vq, all-power-of-two(< vq) */
-+    assert_sve_vls(qts, cpu_type, 0x1f,
-+                   "{ 'sve384': true, 'sve512': true, 'sve640': true }");
-+    assert_sve_vls(qts, cpu_type, 0xf,
-+                   "{ 'sve384': true, 'sve512': true, 'sve640': false }");
-+}
-+
-+static void sve_tests_sve_max_vq_8(const void *data)
-+{
-+    QTestState *qts;
-+
-+    qts = qtest_init(MACHINE "-cpu max,sve-max-vq=8");
-+
-+    assert_sve_vls(qts, "max", BIT_ULL(8) - 1, NULL);
-+
-+    /*
-+     * Disabling the max-vq set by sve-max-vq is not allowed, but
-+     * of course enabling it is OK.
-+     */
-+    assert_error(qts, "max", "cannot disable sve1024", "{ 'sve1024': false }");
-+    assert_sve_vls(qts, "max", 0xff, "{ 'sve1024': true }");
-+
-+    /*
-+     * Enabling anything larger than max-vq set by sve-max-vq is not
-+     * allowed, but of course disabling everything larger is OK.
-+     */
-+    assert_error(qts, "max", "cannot enable sve1152", "{ 'sve1152': true }");
-+    assert_sve_vls(qts, "max", 0xff, "{ 'sve1152': false }");
-+
-+    /*
-+     * We can enable/disable non power-of-two lengths smaller than the
-+     * max-vq set by sve-max-vq, but, while we can enable power-of-two
-+     * lengths, we can't disable them.
-+     */
-+    assert_sve_vls(qts, "max", 0xff, "{ 'sve384': true }");
-+    assert_sve_vls(qts, "max", 0xfb, "{ 'sve384': false }");
-+    assert_sve_vls(qts, "max", 0xff, "{ 'sve256': true }");
-+    assert_error(qts, "max", "cannot disable sve256", "{ 'sve256': false }");
-+
-+    qtest_quit(qts);
-+}
-+
-+static void sve_tests_sve_off(const void *data)
-+{
-+    QTestState *qts;
-+
-+    qts = qtest_init(MACHINE "-cpu max,sve=off");
-+
-+    /* SVE is off, so the map should be empty. */
-+    assert_sve_vls(qts, "max", 0, NULL);
-+
-+    /* The map stays empty even if we turn lengths off. */
-+    assert_sve_vls(qts, "max", 0, "{ 'sve128': false }");
-+
-+    /* It's an error to enable lengths when SVE is off. */
-+    assert_error(qts, "max", "cannot enable sve128", "{ 'sve128': true }");
-+
-+    /* With SVE re-enabled we should get all vector lengths enabled. */
-+    assert_sve_vls(qts, "max", BIT_ULL(SVE_MAX_VQ) - 1, "{ 'sve': true }");
-+
-+    /* Or enable SVE with just specific vector lengths. */
-+    assert_sve_vls(qts, "max", 0x3,
-+                   "{ 'sve': true, 'sve128': true, 'sve256': true }");
-+
-+    qtest_quit(qts);
-+}
-+
- static void test_query_cpu_model_expansion(const void *data)
- {
-     QTestState *qts;
-@@ -XXX,XX +XXX,XX @@ static void test_query_cpu_model_expansion(const void *data)
-     if (g_str_equal(qtest_get_arch(), "aarch64")) {
-         assert_has_feature(qts, "max", "aarch64");
-         assert_has_feature(qts, "max", "sve");
-+        assert_has_feature(qts, "max", "sve128");
-         assert_has_feature(qts, "cortex-a57", "pmu");
-         assert_has_feature(qts, "cortex-a57", "aarch64");
-+        sve_tests_default(qts, "max");
-+
-         /* Test that features that depend on KVM generate errors without. */
-         assert_error(qts, "max",
-                      "'aarch64' feature cannot be disabled "
-@@ -XXX,XX +XXX,XX @@ int main(int argc, char **argv)
-     qtest_add_data_func("/arm/kvm/query-cpu-model-expansion",
-                         NULL, test_query_cpu_model_expansion_kvm);
-+    if (g_str_equal(qtest_get_arch(), "aarch64")) {
-+        qtest_add_data_func("/arm/max/query-cpu-model-expansion/sve-max-vq-8",
-+                            NULL, sve_tests_sve_max_vq_8);
-+        qtest_add_data_func("/arm/max/query-cpu-model-expansion/sve-off",
-+                            NULL, sve_tests_sve_off);
-+    }
-+
-     return g_test_run();
- }
-diff --git a/docs/arm-cpu-features.rst b/docs/arm-cpu-features.rst
-index XXXXXXX..XXXXXXX 100644
---- a/docs/arm-cpu-features.rst
-+++ b/docs/arm-cpu-features.rst
-@@ -XXX,XX +XXX,XX @@ block in the script for usage) is used to issue the QMP commands.
-       (QEMU) query-cpu-model-expansion type=full model={"name":"max"}
-       { "return": {
-         "model": { "name": "max", "props": {
--        "pmu": true, "aarch64": true
-+        "sve1664": true, "pmu": true, "sve1792": true, "sve1920": true,
-+        "sve128": true, "aarch64": true, "sve1024": true, "sve": true,
-+        "sve640": true, "sve768": true, "sve1408": true, "sve256": true,
-+        "sve1152": true, "sve512": true, "sve384": true, "sve1536": true,
-+        "sve896": true, "sve1280": true, "sve2048": true
-       }}}}
--We see that the `max` CPU type has the `pmu` and `aarch64` CPU features.
--We also see that the CPU features are enabled, as they are all `true`.
-+We see that the `max` CPU type has the `pmu`, `aarch64`, `sve`, and many
-+`sve<N>` CPU features.  We also see that all the CPU features are
-+enabled, as they are all `true`.  (The `sve<N>` CPU features are all
-+optional SVE vector lengths (see "SVE CPU Properties").  While with TCG
-+all SVE vector lengths can be supported, when KVM is in use it's more
-+likely that only a few lengths will be supported, if SVE is supported at
-+all.)
- (2) Let's try to disable the PMU::
-       (QEMU) query-cpu-model-expansion type=full model={"name":"max","props":{"pmu":false}}
-       { "return": {
-         "model": { "name": "max", "props": {
--        "pmu": false, "aarch64": true
-+        "sve1664": true, "pmu": false, "sve1792": true, "sve1920": true,
-+        "sve128": true, "aarch64": true, "sve1024": true, "sve": true,
-+        "sve640": true, "sve768": true, "sve1408": true, "sve256": true,
-+        "sve1152": true, "sve512": true, "sve384": true, "sve1536": true,
-+        "sve896": true, "sve1280": true, "sve2048": true
-       }}}}
- We see it worked, as `pmu` is now `false`.
-@@ -XXX,XX +XXX,XX @@ We see it worked, as `pmu` is now `false`.
- It looks like this feature is limited to a configuration we do not
- currently have.
--(4) Let's try probing CPU features for the Cortex-A15 CPU type::
-+(4) Let's disable `sve` and see what happens to all the optional SVE
-+    vector lengths::
-+
-+      (QEMU) query-cpu-model-expansion type=full model={"name":"max","props":{"sve":false}}
-+      { "return": {
-+        "model": { "name": "max", "props": {
-+        "sve1664": false, "pmu": true, "sve1792": false, "sve1920": false,
-+        "sve128": false, "aarch64": true, "sve1024": false, "sve": false,
-+        "sve640": false, "sve768": false, "sve1408": false, "sve256": false,
-+        "sve1152": false, "sve512": false, "sve384": false, "sve1536": false,
-+        "sve896": false, "sve1280": false, "sve2048": false
-+      }}}}
-+
-+As expected they are now all `false`.
-+
-+(5) Let's try probing CPU features for the Cortex-A15 CPU type::
-       (QEMU) query-cpu-model-expansion type=full model={"name":"cortex-a15"}
-       {"return": {"model": {"name": "cortex-a15", "props": {"pmu": true}}}}
-@@ -XXX,XX +XXX,XX @@ After determining which CPU features are available and supported for a
- given CPU type, then they may be selectively enabled or disabled on the
- QEMU command line with that CPU type::
--  $ qemu-system-aarch64 -M virt -cpu max,pmu=off
-+  $ qemu-system-aarch64 -M virt -cpu max,pmu=off,sve=on,sve128=on,sve256=on
--The example above disables the PMU for the `max` CPU type.
-+The example above disables the PMU and enables the first two SVE vector
-+lengths for the `max` CPU type.  Note, the `sve=on` isn't actually
-+necessary, because, as we observed above with our probe of the `max` CPU
-+type, `sve` is already on by default.  Also, based on our probe of
-+defaults, it would seem we need to disable many SVE vector lengths, rather
-+than only enabling the two we want.  This isn't the case, because, as
-+disabling many SVE vector lengths would be quite verbose, the `sve<N>` CPU
-+properties have special semantics (see "SVE CPU Property Parsing
-+Semantics").
-+
-+SVE CPU Properties
-+==================
-+
-+There are two types of SVE CPU properties: `sve` and `sve<N>`.  The first
-+is used to enable or disable the entire SVE feature, just as the `pmu`
-+CPU property completely enables or disables the PMU.  The second type
-+is used to enable or disable specific vector lengths, where `N` is the
-+number of bits of the length.  The `sve<N>` CPU properties have special
-+dependencies and constraints, see "SVE CPU Property Dependencies and
-+Constraints" below.  Additionally, as we want all supported vector lengths
-+to be enabled by default, then, in order to avoid overly verbose command
-+lines (command lines full of `sve<N>=off`, for all `N` not wanted), we
-+provide the parsing semantics listed in "SVE CPU Property Parsing
-+Semantics".
-+
-+SVE CPU Property Dependencies and Constraints
-+---------------------------------------------
-+
-+  1) At least one vector length must be enabled when `sve` is enabled.
-+
-+  2) If a vector length `N` is enabled, then all power-of-two vector
-+     lengths smaller than `N` must also be enabled.  E.g. if `sve512`
-+     is enabled, then the 128-bit and 256-bit vector lengths must also
-+     be enabled.
-+
-+SVE CPU Property Parsing Semantics
-+----------------------------------
-+
-+  1) If SVE is disabled (`sve=off`), then which SVE vector lengths
-+     are enabled or disabled is irrelevant to the guest, as the entire
-+     SVE feature is disabled and that disables all vector lengths for
-+     the guest.  However QEMU will still track any `sve<N>` CPU
-+     properties provided by the user.  If later an `sve=on` is provided,
-+     then the guest will get only the enabled lengths.  If no `sve=on`
-+     is provided and there are explicitly enabled vector lengths, then
-+     an error is generated.
-+
-+  2) If SVE is enabled (`sve=on`), but no `sve<N>` CPU properties are
-+     provided, then all supported vector lengths are enabled, including
-+     the non-power-of-two lengths.
-+
-+  3) If SVE is enabled, then an error is generated when attempting to
-+     disable the last enabled vector length (see constraint (1) of "SVE
-+     CPU Property Dependencies and Constraints").
-+
-+  4) If one or more vector lengths have been explicitly enabled and at
-+     at least one of the dependency lengths of the maximum enabled length
-+     has been explicitly disabled, then an error is generated (see
-+     constraint (2) of "SVE CPU Property Dependencies and Constraints").
-+
-+  5) If one or more `sve<N>` CPU properties are set `off`, but no `sve<N>`,
-+     CPU properties are set `on`, then the specified vector lengths are
-+     disabled but the default for any unspecified lengths remains enabled.
-+     Disabling a power-of-two vector length also disables all vector
-+     lengths larger than the power-of-two length (see constraint (2) of
-+     "SVE CPU Property Dependencies and Constraints").
-+
-+  6) If one or more `sve<N>` CPU properties are set to `on`, then they
-+     are enabled and all unspecified lengths default to disabled, except
-+     for the required lengths per constraint (2) of "SVE CPU Property
-+     Dependencies and Constraints", which will even be auto-enabled if
-+     they were not explicitly enabled.
-+
-+  7) If SVE was disabled (`sve=off`), allowing all vector lengths to be
-+     explicitly disabled (i.e. avoiding the error specified in (3) of
-+     "SVE CPU Property Parsing Semantics"), then if later an `sve=on` is
-+     provided an error will be generated.  To avoid this error, one must
-+     enable at least one vector length prior to enabling SVE.
-+
-+SVE CPU Property Examples
-+-------------------------
-+
-+  1) Disable SVE::
-+
-+     $ qemu-system-aarch64 -M virt -cpu max,sve=off
-+
-+  2) Implicitly enable all vector lengths for the `max` CPU type::
-+
-+     $ qemu-system-aarch64 -M virt -cpu max
-+
-+  3) Only enable the 128-bit vector length::
-+
-+     $ qemu-system-aarch64 -M virt -cpu max,sve128=on
-+
-+  4) Disable the 512-bit vector length and all larger vector lengths,
-+     since 512 is a power-of-two.  This results in all the smaller,
-+     uninitialized lengths (128, 256, and 384) defaulting to enabled::
-+
-+     $ qemu-system-aarch64 -M virt -cpu max,sve512=off
-+
-+  5) Enable the 128-bit, 256-bit, and 512-bit vector lengths::
-+
-+     $ qemu-system-aarch64 -M virt -cpu max,sve128=on,sve256=on,sve512=on
-+
-+  6) The same as (5), but since the 128-bit and 256-bit vector
-+     lengths are required for the 512-bit vector length to be enabled,
-+     then allow them to be auto-enabled::
-+
-+     $ qemu-system-aarch64 -M virt -cpu max,sve512=on
-+
-+  7) Do the same as (6), but by first disabling SVE and then re-enabling it::
-+
-+     $ qemu-system-aarch64 -M virt -cpu max,sve=off,sve512=on,sve=on
-+
-+  8) Force errors regarding the last vector length::
-+
-+     $ qemu-system-aarch64 -M virt -cpu max,sve128=off
-+     $ qemu-system-aarch64 -M virt -cpu max,sve=off,sve128=off,sve=on
-+
-+SVE CPU Property Recommendations
-+--------------------------------
-+
-+The examples in "SVE CPU Property Examples" exhibit many ways to select
-+vector lengths which developers may find useful in order to avoid overly
-+verbose command lines.  However, the recommended way to select vector
-+lengths is to explicitly enable each desired length.  Therefore only
-+example's (1), (3), and (5) exhibit recommended uses of the properties.
 --
-.20.1
+.25.1

-New patch
+[PULL 31/39] hw/intc/arm_gicv3_its: Fix address calculation in get_ite() and update_ite()
+In get_ite() and update_ite() we work with a 12-byte in-guest-memory
+table entry, which we intend to handle as an 8-byte value followed by
+a 4-byte value.  Unfortunately the calculation of the address of the
+-byte value is wrong, because we write it as:
+ table_base_address + (index * entrysize) + 4
+(obfuscated by the way the expression has been written)
+when it should be + 8.  This bug meant that we overwrote the top
+bytes of the 8-byte value with the 4-byte value.  There are no
+guest-visible effects because the top half of the 8-byte value
+contains only the doorbell interrupt field, which is used only in
+GICv4, and the two bugs in the "write ITE" and "read ITE" codepaths
+cancel each other out.
+We can't simply change the calculation, because this would break
+migration of a (TCG) guest from the old version of QEMU which had
+in-guest-memory interrupt tables written using the buggy version of
+update_ite().  We must also at the same time change the layout of the
+fields within the ITE_L and ITE_H values so that the in-memory
+locations of the fields we care about (VALID, INTTYPE, INTID and
+ICID) stay the same.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220201193207.2771604-7-peter.maydell@linaro.org
+---
+ hw/intc/gicv3_internal.h | 19 ++++++++++---------
+ hw/intc/arm_gicv3_its.c  | 28 +++++++++++-----------------
+files changed, 21 insertions(+), 26 deletions(-)
+diff --git a/hw/intc/gicv3_internal.h b/hw/intc/gicv3_internal.h
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/intc/gicv3_internal.h
++++ b/hw/intc/gicv3_internal.h
+@@ -XXX,XX +XXX,XX @@ FIELD(MOVI_2, ICID, 0, 16)
+  * 12 bytes Interrupt translation Table Entry size
+  * as per Table 5.3 in GICv3 spec
+  * ITE Lower 8 Bytes
+- *   Bits:    | 49 ... 26 | 25 ... 2 |   1     |   0    |
+- *   Values:  |  Doorbell |  IntNum  | IntType |  Valid |
++ *   Bits:    | 63 ... 48 | 47 ... 32 | 31 ... 26 | 25 ... 2 |   1     |  0    |
++ *   Values:  | vPEID     | ICID      | unused    |  IntNum  | IntType | Valid |
+  * ITE Higher 4 Bytes
+- *   Bits:    | 31 ... 16 | 15 ...0 |
+- *   Values:  |  vPEID    |  ICID   |
+- * (When Doorbell is unused, as it always is in GICv3, it is 1023)
++ *   Bits:    | 31 ... 25 | 24 ... 0 |
++ *   Values:  | unused    | Doorbell |
++ * (When Doorbell is unused, as it always is for INTYPE_PHYSICAL,
++ * the value of that field in memory cannot be relied upon -- older
++ * versions of QEMU did not correctly write to that memory.)
+  */
+ #define ITS_ITT_ENTRY_SIZE            0xC
+ FIELD(ITE_L, VALID, 0, 1)
+ FIELD(ITE_L, INTTYPE, 1, 1)
+ FIELD(ITE_L, INTID, 2, 24)
+-FIELD(ITE_L, DOORBELL, 26, 24)
+-
+-FIELD(ITE_H, ICID, 0, 16)
+-FIELD(ITE_H, VPEID, 16, 16)
++FIELD(ITE_L, ICID, 32, 16)
++FIELD(ITE_L, VPEID, 48, 16)
++FIELD(ITE_H, DOORBELL, 0, 24)
+ /* Possible values for ITE_L INTTYPE */
+ #define ITE_INTTYPE_VIRTUAL 0
+diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/intc/arm_gicv3_its.c
++++ b/hw/intc/arm_gicv3_its.c
+@@ -XXX,XX +XXX,XX @@ static bool update_ite(GICv3ITSState *s, uint32_t eventid, const DTEntry *dte,
+ {
+     AddressSpace *as = &s->gicv3->dma_as;
+     MemTxResult res = MEMTX_OK;
++    hwaddr iteaddr = dte->ittaddr + eventid * ITS_ITT_ENTRY_SIZE;
+-    address_space_stq_le(as, dte->ittaddr + (eventid * (sizeof(uint64_t) +
+-                         sizeof(uint32_t))), ite.itel, MEMTXATTRS_UNSPECIFIED,
+-                         &res);
++    address_space_stq_le(as, iteaddr, ite.itel, MEMTXATTRS_UNSPECIFIED, &res);
+     if (res == MEMTX_OK) {
+-        address_space_stl_le(as, dte->ittaddr + (eventid * (sizeof(uint64_t) +
+-                             sizeof(uint32_t))) + sizeof(uint32_t), ite.iteh,
++        address_space_stl_le(as, iteaddr + 8, ite.iteh,
+                              MEMTXATTRS_UNSPECIFIED, &res);
+     }
+     if (res != MEMTX_OK) {
+@@ -XXX,XX +XXX,XX @@ static bool get_ite(GICv3ITSState *s, uint32_t eventid, const DTEntry *dte,
+     AddressSpace *as = &s->gicv3->dma_as;
+     bool status = false;
+     IteEntry ite = {};
++    hwaddr iteaddr = dte->ittaddr + eventid * ITS_ITT_ENTRY_SIZE;
+-    ite.itel = address_space_ldq_le(as, dte->ittaddr +
+-                                    (eventid * (sizeof(uint64_t) +
+-                                    sizeof(uint32_t))), MEMTXATTRS_UNSPECIFIED,
+-                                    res);
++    ite.itel = address_space_ldq_le(as, iteaddr, MEMTXATTRS_UNSPECIFIED, res);
+     if (*res == MEMTX_OK) {
+-        ite.iteh = address_space_ldl_le(as, dte->ittaddr +
+-                                        (eventid * (sizeof(uint64_t) +
+-                                        sizeof(uint32_t))) + sizeof(uint32_t),
++        ite.iteh = address_space_ldl_le(as, iteaddr + 8,
+                                         MEMTXATTRS_UNSPECIFIED, res);
+         if (*res == MEMTX_OK) {
+@@ -XXX,XX +XXX,XX @@ static bool get_ite(GICv3ITSState *s, uint32_t eventid, const DTEntry *dte,
+                 int inttype = FIELD_EX64(ite.itel, ITE_L, INTTYPE);
+                 if (inttype == ITE_INTTYPE_PHYSICAL) {
+                     *pIntid = FIELD_EX64(ite.itel, ITE_L, INTID);
+-                    *icid = FIELD_EX32(ite.iteh, ITE_H, ICID);
++                    *icid = FIELD_EX64(ite.itel, ITE_L, ICID);
+                     status = true;
+                 }
+             }
+@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapti(GICv3ITSState *s, const uint64_t *cmdpkt,
+     ite.itel = FIELD_DP64(ite.itel, ITE_L, VALID, true);
+     ite.itel = FIELD_DP64(ite.itel, ITE_L, INTTYPE, ITE_INTTYPE_PHYSICAL);
+     ite.itel = FIELD_DP64(ite.itel, ITE_L, INTID, pIntid);
+-    ite.itel = FIELD_DP64(ite.itel, ITE_L, DOORBELL, INTID_SPURIOUS);
+-    ite.iteh = FIELD_DP32(ite.iteh, ITE_H, ICID, icid);
++    ite.itel = FIELD_DP64(ite.itel, ITE_L, ICID, icid);
++    ite.iteh = FIELD_DP32(ite.iteh, ITE_H, DOORBELL, INTID_SPURIOUS);
+     return update_ite(s, eventid, &dte, ite) ? CMD_CONTINUE : CMD_STALL;
+ }
+@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_movi(GICv3ITSState *s, const uint64_t *cmdpkt)
+     ite.itel = FIELD_DP64(ite.itel, ITE_L, VALID, 1);
+     ite.itel = FIELD_DP64(ite.itel, ITE_L, INTTYPE, ITE_INTTYPE_PHYSICAL);
+     ite.itel = FIELD_DP64(ite.itel, ITE_L, INTID, intid);
+-    ite.itel = FIELD_DP64(ite.itel, ITE_L, DOORBELL, INTID_SPURIOUS);
+-    ite.iteh = FIELD_DP32(ite.iteh, ITE_H, ICID, new_icid);
++    ite.itel = FIELD_DP64(ite.itel, ITE_L, ICID, new_icid);
++    ite.iteh = FIELD_DP32(ite.iteh, ITE_H, DOORBELL, INTID_SPURIOUS);
+     return update_ite(s, eventid, &dte, ite) ? CMD_CONTINUE : CMD_STALL;
+ }
+--
+.25.1

-New patch
+[PULL 32/39] hw/intc/arm_gicv3_its: Avoid nested ifs in get_ite()
+The get_ite() code has some awkward nested if statements; clean
+them up by returning early if the memory accesses fail.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220201193207.2771604-8-peter.maydell@linaro.org
+---
+ hw/intc/arm_gicv3_its.c | 26 ++++++++++++++------------
+file changed, 14 insertions(+), 12 deletions(-)
+diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/intc/arm_gicv3_its.c
++++ b/hw/intc/arm_gicv3_its.c
+@@ -XXX,XX +XXX,XX @@ static bool get_ite(GICv3ITSState *s, uint32_t eventid, const DTEntry *dte,
+     hwaddr iteaddr = dte->ittaddr + eventid * ITS_ITT_ENTRY_SIZE;
+     ite.itel = address_space_ldq_le(as, iteaddr, MEMTXATTRS_UNSPECIFIED, res);
++    if (*res != MEMTX_OK) {
++        return false;
++    }
+-    if (*res == MEMTX_OK) {
+-        ite.iteh = address_space_ldl_le(as, iteaddr + 8,
+-                                        MEMTXATTRS_UNSPECIFIED, res);
++    ite.iteh = address_space_ldl_le(as, iteaddr + 8,
++                                    MEMTXATTRS_UNSPECIFIED, res);
++    if (*res != MEMTX_OK) {
++        return false;
++    }
+-        if (*res == MEMTX_OK) {
+-            if (FIELD_EX64(ite.itel, ITE_L, VALID)) {
+-                int inttype = FIELD_EX64(ite.itel, ITE_L, INTTYPE);
+-                if (inttype == ITE_INTTYPE_PHYSICAL) {
+-                    *pIntid = FIELD_EX64(ite.itel, ITE_L, INTID);
+-                    *icid = FIELD_EX64(ite.itel, ITE_L, ICID);
+-                    status = true;
+-                }
+-            }
++    if (FIELD_EX64(ite.itel, ITE_L, VALID)) {
++        int inttype = FIELD_EX64(ite.itel, ITE_L, INTTYPE);
++        if (inttype == ITE_INTTYPE_PHYSICAL) {
++            *pIntid = FIELD_EX64(ite.itel, ITE_L, INTID);
++            *icid = FIELD_EX64(ite.itel, ITE_L, ICID);
++            status = true;
+         }
+     }
+     return status;
+--
+.25.1

-New patch
+[PULL 33/39] hw/intc/arm_gicv3_its: Pass ITE values back from get_ite() via a struct
+In get_ite() we currently return the caller some of the fields of an
 Interrupt Table Entry via a set of pointer arguments, and validate
 some of them internally (interrupt type and valid bit) to return a
 simple true/false 'valid' indication. Define a new ITEntry struct
 which has all the fields that the in-memory ITE has, and bring the
 get_ite() function in to line with get_dte() and get_cte().
 This paves the way for handling virtual interrupts, which will want
 a different subset of the fields in the ITE. Handling them under
 the old "lots of pointer arguments" scheme would have meant a
 confusingly large set of arguments for this function.
 The new struct ITEntry is obviously confusably similar to the
 existing IteEntry struct, whose fields are the raw 12 bytes
 of the in-memory ITE. In the next commit we will make update_ite()
 use ITEntry instead of IteEntry, which will allow us to delete
 the IteEntry struct and remove the confusion.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20220201193207.2771604-9-peter.maydell@linaro.org
 ---
  hw/intc/arm_gicv3_its.c | 102 ++++++++++++++++++++++------------------
 file changed, 55 insertions(+), 47 deletions(-)
 diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/intc/arm_gicv3_its.c
 +++ b/hw/intc/arm_gicv3_its.c
@@ -XXX,XX +XXX,XX @@ typedef struct CTEntry {
      uint32_t rdbase;
  } CTEntry;
 +typedef struct ITEntry {
 +    bool valid;
 +    int inttype;
 +    uint32_t intid;
 +    uint32_t doorbell;
 +    uint32_t icid;
 +    uint32_t vpeid;
 +} ITEntry;
 +
 +
  /*
   * The ITS spec permits a range of CONSTRAINED UNPREDICTABLE options
   * if a command parameter is not correct. These include both "stall
@@ -XXX,XX +XXX,XX @@ static bool update_ite(GICv3ITSState *s, uint32_t eventid, const DTEntry *dte,
      }
  }
 -static bool get_ite(GICv3ITSState *s, uint32_t eventid, const DTEntry *dte,
 -                    uint16_t *icid, uint32_t *pIntid, MemTxResult *res)
 +/*
 + * Read the Interrupt Table entry at index @eventid from the table specified
 + * by the DTE @dte. On success, we return MEMTX_OK and populate the ITEntry
 + * struct @ite accordingly. If there is an error reading memory then we return
 + * the error code.
 + */
 +static MemTxResult get_ite(GICv3ITSState *s, uint32_t eventid,
 +                           const DTEntry *dte, ITEntry *ite)
  {
      AddressSpace *as = &s->gicv3->dma_as;
 -    bool status = false;
 -    IteEntry ite = {};
 +    MemTxResult res = MEMTX_OK;
 +    uint64_t itel;
 +    uint32_t iteh;
      hwaddr iteaddr = dte->ittaddr + eventid * ITS_ITT_ENTRY_SIZE;
 -    ite.itel = address_space_ldq_le(as, iteaddr, MEMTXATTRS_UNSPECIFIED, res);
 -    if (*res != MEMTX_OK) {
 -        return false;
 +    itel = address_space_ldq_le(as, iteaddr, MEMTXATTRS_UNSPECIFIED, &res);
 +    if (res != MEMTX_OK) {
 +        return res;
      }
 -    ite.iteh = address_space_ldl_le(as, iteaddr + 8,
 -                                    MEMTXATTRS_UNSPECIFIED, res);
 -    if (*res != MEMTX_OK) {
 -        return false;
 +    iteh = address_space_ldl_le(as, iteaddr + 8, MEMTXATTRS_UNSPECIFIED, &res);
 +    if (res != MEMTX_OK) {
 +        return res;
      }
 -    if (FIELD_EX64(ite.itel, ITE_L, VALID)) {
 -        int inttype = FIELD_EX64(ite.itel, ITE_L, INTTYPE);
 -        if (inttype == ITE_INTTYPE_PHYSICAL) {
 -            *pIntid = FIELD_EX64(ite.itel, ITE_L, INTID);
 -            *icid = FIELD_EX64(ite.itel, ITE_L, ICID);
 -            status = true;
 -        }
 -    }
 -    return status;
 +    ite->valid = FIELD_EX64(itel, ITE_L, VALID);
 +    ite->inttype = FIELD_EX64(itel, ITE_L, INTTYPE);
 +    ite->intid = FIELD_EX64(itel, ITE_L, INTID);
 +    ite->icid = FIELD_EX64(itel, ITE_L, ICID);
 +    ite->vpeid = FIELD_EX64(itel, ITE_L, VPEID);
 +    ite->doorbell = FIELD_EX64(iteh, ITE_H, DOORBELL);
 +    return MEMTX_OK;
  }
  /*
@@ -XXX,XX +XXX,XX @@ static MemTxResult get_dte(GICv3ITSState *s, uint32_t devid, DTEntry *dte)
  static ItsCmdResult do_process_its_cmd(GICv3ITSState *s, uint32_t devid,
                                         uint32_t eventid, ItsCmdType cmd)
  {
 -    MemTxResult res = MEMTX_OK;
      uint64_t num_eventids;
 -    uint16_t icid = 0;
 -    uint32_t pIntid = 0;
 -    bool ite_valid = false;
      DTEntry dte;
      CTEntry cte;
 +    ITEntry ite;
      if (devid >= s->dt.num_entries) {
          qemu_log_mask(LOG_GUEST_ERROR,
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult do_process_its_cmd(GICv3ITSState *s, uint32_t devid,
          return CMD_CONTINUE;
      }
 -    ite_valid = get_ite(s, eventid, &dte, &icid, &pIntid, &res);
 -    if (res != MEMTX_OK) {
 +    if (get_ite(s, eventid, &dte, &ite) != MEMTX_OK) {
          return CMD_STALL;
      }
 -    if (!ite_valid) {
 +    if (!ite.valid || ite.inttype != ITE_INTTYPE_PHYSICAL) {
          qemu_log_mask(LOG_GUEST_ERROR,
                        "%s: invalid command attributes: invalid ITE\n",
                        __func__);
          return CMD_CONTINUE;
      }
 -    if (icid >= s->ct.num_entries) {
 +    if (ite.icid >= s->ct.num_entries) {
          qemu_log_mask(LOG_GUEST_ERROR,
                        "%s: invalid ICID 0x%x in ITE (table corrupted?)\n",
 -                      __func__, icid);
 +                      __func__, ite.icid);
          return CMD_CONTINUE;
      }
 -    if (get_cte(s, icid, &cte) != MEMTX_OK) {
 +    if (get_cte(s, ite.icid, &cte) != MEMTX_OK) {
          return CMD_STALL;
      }
      if (!cte.valid) {
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult do_process_its_cmd(GICv3ITSState *s, uint32_t devid,
      }
      if ((cmd == CLEAR) || (cmd == DISCARD)) {
 -        gicv3_redist_process_lpi(&s->gicv3->cpu[cte.rdbase], pIntid, 0);
 +        gicv3_redist_process_lpi(&s->gicv3->cpu[cte.rdbase], ite.intid, 0);
      } else {
 -        gicv3_redist_process_lpi(&s->gicv3->cpu[cte.rdbase], pIntid, 1);
 +        gicv3_redist_process_lpi(&s->gicv3->cpu[cte.rdbase], ite.intid, 1);
      }
      if (cmd == DISCARD) {
 -        IteEntry ite = {};
 +        IteEntry itee = {};
          /* remove mapping from interrupt translation table */
 -        return update_ite(s, eventid, &dte, ite) ? CMD_CONTINUE : CMD_STALL;
 +        return update_ite(s, eventid, &dte, itee) ? CMD_CONTINUE : CMD_STALL;
      }
      return CMD_CONTINUE;
  }
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_movall(GICv3ITSState *s, const uint64_t *cmdpkt)
  static ItsCmdResult process_movi(GICv3ITSState *s, const uint64_t *cmdpkt)
  {
 -    MemTxResult res = MEMTX_OK;
 -    uint32_t devid, eventid, intid;
 -    uint16_t old_icid, new_icid;
 -    bool ite_valid;
 +    uint32_t devid, eventid;
 +    uint16_t new_icid;
      uint64_t num_eventids;
      IteEntry ite = {};
      DTEntry dte;
      CTEntry old_cte, new_cte;
 +    ITEntry old_ite;
      devid = FIELD_EX64(cmdpkt[0], MOVI_0, DEVICEID);
      eventid = FIELD_EX64(cmdpkt[1], MOVI_1, EVENTID);
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_movi(GICv3ITSState *s, const uint64_t *cmdpkt)
          return CMD_CONTINUE;
      }
 -    ite_valid = get_ite(s, eventid, &dte, &old_icid, &intid, &res);
 -    if (res != MEMTX_OK) {
 +    if (get_ite(s, eventid, &dte, &old_ite) != MEMTX_OK) {
          return CMD_STALL;
      }
 -    if (!ite_valid) {
 +    if (!old_ite.valid || old_ite.inttype != ITE_INTTYPE_PHYSICAL) {
          qemu_log_mask(LOG_GUEST_ERROR,
                        "%s: invalid command attributes: invalid ITE\n",
                        __func__);
          return CMD_CONTINUE;
      }
 -    if (old_icid >= s->ct.num_entries) {
 +    if (old_ite.icid >= s->ct.num_entries) {
          qemu_log_mask(LOG_GUEST_ERROR,
                        "%s: invalid ICID 0x%x in ITE (table corrupted?)\n",
 -                      __func__, old_icid);
 +                      __func__, old_ite.icid);
          return CMD_CONTINUE;
      }
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_movi(GICv3ITSState *s, const uint64_t *cmdpkt)
          return CMD_CONTINUE;
      }
 -    if (get_cte(s, old_icid, &old_cte) != MEMTX_OK) {
 +    if (get_cte(s, old_ite.icid, &old_cte) != MEMTX_OK) {
          return CMD_STALL;
      }
      if (!old_cte.valid) {
          qemu_log_mask(LOG_GUEST_ERROR,
                        "%s: invalid command attributes: "
                        "invalid CTE for old ICID 0x%x\n",
 -                      __func__, old_icid);
 +                      __func__, old_ite.icid);
          return CMD_CONTINUE;
      }
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_movi(GICv3ITSState *s, const uint64_t *cmdpkt)
          /* Move the LPI from the old redistributor to the new one */
          gicv3_redist_mov_lpi(&s->gicv3->cpu[old_cte.rdbase],
                               &s->gicv3->cpu[new_cte.rdbase],
 -                             intid);
 +                             old_ite.intid);
      }
      /* Update the ICID field in the interrupt translation table entry */
      ite.itel = FIELD_DP64(ite.itel, ITE_L, VALID, 1);
      ite.itel = FIELD_DP64(ite.itel, ITE_L, INTTYPE, ITE_INTTYPE_PHYSICAL);
 -    ite.itel = FIELD_DP64(ite.itel, ITE_L, INTID, intid);
 +    ite.itel = FIELD_DP64(ite.itel, ITE_L, INTID, old_ite.intid);
      ite.itel = FIELD_DP64(ite.itel, ITE_L, ICID, new_icid);
      ite.iteh = FIELD_DP32(ite.iteh, ITE_H, DOORBELL, INTID_SPURIOUS);
      return update_ite(s, eventid, &dte, ite) ? CMD_CONTINUE : CMD_STALL;
 --
 .25.1

-[PULL 09/11] target/arm/kvm: host cpu: Add support for sve<N> properties
+[PULL 34/39] hw/intc/arm_gicv3_its: Make update_ite() use ITEntry
-From: Andrew Jones <drjones@redhat.com>
+Make the update_ite() struct use the new ITEntry struct, so that
 callers don't need to assemble the in-memory ITE data themselves, and
 only get_ite() and update_ite() need to care about that in-memory
 layout.  We can then drop the no-longer-used IteEntry struct
 definition.
-Allow cpu 'host' to enable SVE when it's available, unless the
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-user chooses to disable it with the added 'sve=off' cpu property.
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Also give the user the ability to select vector lengths with the
+Message-id: 20220201193207.2771604-10-peter.maydell@linaro.org
-sve<N> properties. We don't adopt 'max' cpu's other sve property,
+---
-sve-max-vq, because that property is difficult to use with KVM.
+ hw/intc/arm_gicv3_its.c | 62 +++++++++++++++++++++--------------------
-That property assumes all vector lengths in the range from 1 up
+file changed, 32 insertions(+), 30 deletions(-)
 to and including the specified maximum length are supported, but
 there may be optional lengths not supported by the host in that
 range. With KVM one must be more specific when enabling vector
 lengths.
-Signed-off-by: Andrew Jones <drjones@redhat.com>
+diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
 Reviewed-by: Eric Auger <eric.auger@redhat.com>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Tested-by: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com>
 Message-id: 20191031142734.8590-10-drjones@redhat.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
  target/arm/cpu.h          |  2 ++
  target/arm/cpu.c          |  3 +++
  target/arm/cpu64.c        | 33 +++++++++++++++++----------------
  target/arm/kvm64.c        | 14 +++++++++++++-
  tests/arm-cpu-features.c  | 17 ++++++++---------
  docs/arm-cpu-features.rst | 19 ++++++++++++-------
 files changed, 55 insertions(+), 33 deletions(-)
 diff --git a/target/arm/cpu.h b/target/arm/cpu.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
+--- a/hw/intc/arm_gicv3_its.c
-+++ b/target/arm/cpu.h
++++ b/hw/intc/arm_gicv3_its.c
-@@ -XXX,XX +XXX,XX @@ int aarch64_cpu_gdb_write_register(CPUState *cpu, uint8_t *buf, int reg);
+@@ -XXX,XX +XXX,XX @@ typedef enum ItsCmdType {
- void aarch64_sve_narrow_vq(CPUARMState *env, unsigned vq);
+     INTERRUPT = 3,
- void aarch64_sve_change_el(CPUARMState *env, int old_el,
+ } ItsCmdType;
-                            int new_el, bool el0_a64);
-+void aarch64_add_sve_properties(Object *obj);
+-typedef struct {
- #else
+-    uint32_t iteh;
- static inline void aarch64_sve_narrow_vq(CPUARMState *env, unsigned vq) { }
+-    uint64_t itel;
- static inline void aarch64_sve_change_el(CPUARMState *env, int o,
+-} IteEntry;
-                                          int n, bool a)
+-
- { }
+ typedef struct DTEntry {
-+static inline void aarch64_add_sve_properties(Object *obj) { }
+     bool valid;
- #endif
+     unsigned size;
+@@ -XXX,XX +XXX,XX @@ static MemTxResult get_cte(GICv3ITSState *s, uint16_t icid, CTEntry *cte)
- #if !defined(CONFIG_TCG)
+     return MEMTX_OK;
 diff --git a/target/arm/cpu.c b/target/arm/cpu.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.c
 +++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_host_initfn(Object *obj)
      ARMCPU *cpu = ARM_CPU(obj);
      kvm_arm_set_cpu_features_from_host(cpu);
 +    if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64)) {
 +        aarch64_add_sve_properties(obj);
 +    }
      arm_cpu_post_init(obj);
  }
-diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
++/*
-index XXXXXXX..XXXXXXX 100644
++ * Update the Interrupt Table entry at index @evinted in the table specified
---- a/target/arm/cpu64.c
++ * by the dte @dte. Returns true on success, false if there was a memory
-+++ b/target/arm/cpu64.c
++ * access error.
-@@ -XXX,XX +XXX,XX @@ static void cpu_arm_set_sve(Object *obj, Visitor *v, const char *name,
++ */
-     cpu->isar.id_aa64pfr0 = t;
+ static bool update_ite(GICv3ITSState *s, uint32_t eventid, const DTEntry *dte,
 -                       IteEntry ite)
 +                       const ITEntry *ite)
  {
      AddressSpace *as = &s->gicv3->dma_as;
      MemTxResult res = MEMTX_OK;
      hwaddr iteaddr = dte->ittaddr + eventid * ITS_ITT_ENTRY_SIZE;
 +    uint64_t itel = 0;
 +    uint32_t iteh = 0;
 -    address_space_stq_le(as, iteaddr, ite.itel, MEMTXATTRS_UNSPECIFIED, &res);
 -
 -    if (res == MEMTX_OK) {
 -        address_space_stl_le(as, iteaddr + 8, ite.iteh,
 -                             MEMTXATTRS_UNSPECIFIED, &res);
 +    if (ite->valid) {
 +        itel = FIELD_DP64(itel, ITE_L, VALID, 1);
 +        itel = FIELD_DP64(itel, ITE_L, INTTYPE, ite->inttype);
 +        itel = FIELD_DP64(itel, ITE_L, INTID, ite->intid);
 +        itel = FIELD_DP64(itel, ITE_L, ICID, ite->icid);
 +        itel = FIELD_DP64(itel, ITE_L, VPEID, ite->vpeid);
 +        iteh = FIELD_DP32(iteh, ITE_H, DOORBELL, ite->doorbell);
      }
 +
 +    address_space_stq_le(as, iteaddr, itel, MEMTXATTRS_UNSPECIFIED, &res);
      if (res != MEMTX_OK) {
          return false;
 -    } else {
 -        return true;
      }
 +    address_space_stl_le(as, iteaddr + 8, iteh, MEMTXATTRS_UNSPECIFIED, &res);
 +    return res == MEMTX_OK;
  }
-+void aarch64_add_sve_properties(Object *obj)
+ /*
-+{
+@@ -XXX,XX +XXX,XX @@ static ItsCmdResult do_process_its_cmd(GICv3ITSState *s, uint32_t devid,
 +    uint32_t vq;
 +
 +    object_property_add(obj, "sve", "bool", cpu_arm_get_sve,
 +                        cpu_arm_set_sve, NULL, NULL, &error_fatal);
 +
 +    for (vq = 1; vq <= ARM_MAX_VQ; ++vq) {
 +        char name[8];
 +        sprintf(name, "sve%d", vq * 128);
 +        object_property_add(obj, name, "bool", cpu_arm_get_sve_vq,
 +                            cpu_arm_set_sve_vq, NULL, NULL, &error_fatal);
 +    }
 +}
 +
  /* -cpu max: if KVM is enabled, like -cpu host (best possible with this host);
   * otherwise, a CPU with as many features enabled as our emulation supports.
   * The version of '-cpu max' for qemu-system-arm is defined in cpu.c;
@@ -XXX,XX +XXX,XX @@ static void cpu_arm_set_sve(Object *obj, Visitor *v, const char *name,
  static void aarch64_max_initfn(Object *obj)
  {
      ARMCPU *cpu = ARM_CPU(obj);
 -    uint32_t vq;
 -    uint64_t t;
      if (kvm_enabled()) {
          kvm_arm_set_cpu_features_from_host(cpu);
 -        if (kvm_arm_sve_supported(CPU(cpu))) {
 -            t = cpu->isar.id_aa64pfr0;
 -            t = FIELD_DP64(t, ID_AA64PFR0, SVE, 1);
 -            cpu->isar.id_aa64pfr0 = t;
 -        }
      } else {
 +        uint64_t t;
          uint32_t u;
          aarch64_a57_initfn(obj);
@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
  #endif
      }
--    object_property_add(obj, "sve", "bool", cpu_arm_get_sve,
+     if (cmd == DISCARD) {
--                        cpu_arm_set_sve, NULL, NULL, &error_fatal);
+-        IteEntry itee = {};
-+    aarch64_add_sve_properties(obj);
++        ITEntry ite = {};
-     object_property_add(obj, "sve-max-vq", "uint32", cpu_max_get_sve_max_vq,
+         /* remove mapping from interrupt translation table */
-                         cpu_max_set_sve_max_vq, NULL, NULL, &error_fatal);
+-        return update_ite(s, eventid, &dte, itee) ? CMD_CONTINUE : CMD_STALL;
 +        ite.valid = false;
 +        return update_ite(s, eventid, &dte, &ite) ? CMD_CONTINUE : CMD_STALL;
      }
      return CMD_CONTINUE;
  }
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapti(GICv3ITSState *s, const uint64_t *cmdpkt,
      uint64_t num_eventids;
      uint32_t num_intids;
      uint16_t icid = 0;
 -    IteEntry ite = {};
      DTEntry dte;
 +    ITEntry ite;
      devid = (cmdpkt[0] & DEVID_MASK) >> DEVID_SHIFT;
      eventid = cmdpkt[1] & EVENTID_MASK;
@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapti(GICv3ITSState *s, const uint64_t *cmdpkt,
      }
      /* add ite entry to interrupt translation table */
 -    ite.itel = FIELD_DP64(ite.itel, ITE_L, VALID, true);
 -    ite.itel = FIELD_DP64(ite.itel, ITE_L, INTTYPE, ITE_INTTYPE_PHYSICAL);
 -    ite.itel = FIELD_DP64(ite.itel, ITE_L, INTID, pIntid);
 -    ite.itel = FIELD_DP64(ite.itel, ITE_L, ICID, icid);
 -    ite.iteh = FIELD_DP32(ite.iteh, ITE_H, DOORBELL, INTID_SPURIOUS);
 -
--    for (vq = 1; vq <= ARM_MAX_VQ; ++vq) {
+-    return update_ite(s, eventid, &dte, ite) ? CMD_CONTINUE : CMD_STALL;
--        char name[8];
++    ite.valid = true;
--        sprintf(name, "sve%d", vq * 128);
++    ite.inttype = ITE_INTTYPE_PHYSICAL;
--        object_property_add(obj, name, "bool", cpu_arm_get_sve_vq,
++    ite.intid = pIntid;
--                            cpu_arm_set_sve_vq, NULL, NULL, &error_fatal);
++    ite.icid = icid;
--    }
++    ite.doorbell = INTID_SPURIOUS;
 +    ite.vpeid = 0;
 +    return update_ite(s, eventid, &dte, &ite) ? CMD_CONTINUE : CMD_STALL;
  }
- struct ARMCPUInfo {
+ /*
-diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
+@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_movi(GICv3ITSState *s, const uint64_t *cmdpkt)
-index XXXXXXX..XXXXXXX 100644
+     uint32_t devid, eventid;
---- a/target/arm/kvm64.c
+     uint16_t new_icid;
-+++ b/target/arm/kvm64.c
+     uint64_t num_eventids;
-@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
+-    IteEntry ite = {};
-      * and then query that CPU for the relevant ID registers.
+     DTEntry dte;
-      */
+     CTEntry old_cte, new_cte;
-     int fdarray[3];
+     ITEntry old_ite;
-+    bool sve_supported;
+@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_movi(GICv3ITSState *s, const uint64_t *cmdpkt)
      uint64_t features = 0;
 +    uint64_t t;
      int err;
      /* Old kernels may not know about the PREFERRED_TARGET ioctl: however
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
                                ARM64_SYS_REG(3, 0, 0, 3, 2));
      }
-+    sve_supported = ioctl(fdarray[0], KVM_CHECK_EXTENSION, KVM_CAP_ARM_SVE) > 0;
+     /* Update the ICID field in the interrupt translation table entry */
-+
+-    ite.itel = FIELD_DP64(ite.itel, ITE_L, VALID, 1);
-     kvm_arm_destroy_scratch_host_vcpu(fdarray);
+-    ite.itel = FIELD_DP64(ite.itel, ITE_L, INTTYPE, ITE_INTTYPE_PHYSICAL);
+-    ite.itel = FIELD_DP64(ite.itel, ITE_L, INTID, old_ite.intid);
-     if (err < 0) {
+-    ite.itel = FIELD_DP64(ite.itel, ITE_L, ICID, new_icid);
-         return false;
+-    ite.iteh = FIELD_DP32(ite.iteh, ITE_H, DOORBELL, INTID_SPURIOUS);
-     }
+-    return update_ite(s, eventid, &dte, ite) ? CMD_CONTINUE : CMD_STALL;
++    old_ite.icid = new_icid;
--   /* We can assume any KVM supporting CPU is at least a v8
++    return update_ite(s, eventid, &dte, &old_ite) ? CMD_CONTINUE : CMD_STALL;
-+    /* Add feature bits that can't appear until after VCPU init. */
+ }
-+    if (sve_supported) {
-+        t = ahcf->isar.id_aa64pfr0;
+ /*
 +        t = FIELD_DP64(t, ID_AA64PFR0, SVE, 1);
 +        ahcf->isar.id_aa64pfr0 = t;
 +    }
 +
 +    /*
 +     * We can assume any KVM supporting CPU is at least a v8
       * with VFPv4+Neon; this in turn implies most of the other
       * feature bits.
       */
 diff --git a/tests/arm-cpu-features.c b/tests/arm-cpu-features.c
 index XXXXXXX..XXXXXXX 100644
 --- a/tests/arm-cpu-features.c
 +++ b/tests/arm-cpu-features.c
@@ -XXX,XX +XXX,XX @@ static void test_query_cpu_model_expansion_kvm(const void *data)
              "We cannot guarantee the CPU type 'cortex-a15' works "
              "with KVM on this host", NULL);
 -        assert_has_feature(qts, "max", "sve");
 -        resp = do_query_no_props(qts, "max");
 +        assert_has_feature(qts, "host", "sve");
 +        resp = do_query_no_props(qts, "host");
          kvm_supports_sve = resp_get_feature(resp, "sve");
          vls = resp_get_sve_vls(resp);
          qobject_unref(resp);
@@ -XXX,XX +XXX,XX @@ static void test_query_cpu_model_expansion_kvm(const void *data)
              sprintf(max_name, "sve%d", max_vq * 128);
              /* Enabling a supported length is of course fine. */
 -            assert_sve_vls(qts, "max", vls, "{ %s: true }", max_name);
 +            assert_sve_vls(qts, "host", vls, "{ %s: true }", max_name);
              /* Get the next supported length smaller than max-vq. */
              vq = 64 - __builtin_clzll(vls & ~BIT_ULL(max_vq - 1));
@@ -XXX,XX +XXX,XX @@ static void test_query_cpu_model_expansion_kvm(const void *data)
                   * We have at least one length smaller than max-vq,
                   * so we can disable max-vq.
                   */
 -                assert_sve_vls(qts, "max", (vls & ~BIT_ULL(max_vq - 1)),
 +                assert_sve_vls(qts, "host", (vls & ~BIT_ULL(max_vq - 1)),
                                 "{ %s: false }", max_name);
                  /*
@@ -XXX,XX +XXX,XX @@ static void test_query_cpu_model_expansion_kvm(const void *data)
                   */
                  sprintf(name, "sve%d", vq * 128);
                  error = g_strdup_printf("cannot disable %s", name);
 -                assert_error(qts, "max", error,
 +                assert_error(qts, "host", error,
                               "{ %s: true, %s: false }",
                               max_name, name);
                  g_free(error);
@@ -XXX,XX +XXX,XX @@ static void test_query_cpu_model_expansion_kvm(const void *data)
              vq = __builtin_ffsll(vls);
              sprintf(name, "sve%d", vq * 128);
              error = g_strdup_printf("cannot disable %s", name);
 -            assert_error(qts, "max", error, "{ %s: false }", name);
 +            assert_error(qts, "host", error, "{ %s: false }", name);
              g_free(error);
              /* Get an unsupported length. */
@@ -XXX,XX +XXX,XX @@ static void test_query_cpu_model_expansion_kvm(const void *data)
              if (vq <= SVE_MAX_VQ) {
                  sprintf(name, "sve%d", vq * 128);
                  error = g_strdup_printf("cannot enable %s", name);
 -                assert_error(qts, "max", error, "{ %s: true }", name);
 +                assert_error(qts, "host", error, "{ %s: true }", name);
                  g_free(error);
              }
          } else {
@@ -XXX,XX +XXX,XX @@ static void test_query_cpu_model_expansion_kvm(const void *data)
      } else {
          assert_has_not_feature(qts, "host", "aarch64");
          assert_has_not_feature(qts, "host", "pmu");
 -
 -        assert_has_not_feature(qts, "max", "sve");
 +        assert_has_not_feature(qts, "host", "sve");
      }
      qtest_quit(qts);
 diff --git a/docs/arm-cpu-features.rst b/docs/arm-cpu-features.rst
 index XXXXXXX..XXXXXXX 100644
 --- a/docs/arm-cpu-features.rst
 +++ b/docs/arm-cpu-features.rst
@@ -XXX,XX +XXX,XX @@ SVE CPU Property Examples
       $ qemu-system-aarch64 -M virt -cpu max
 -  3) Only enable the 128-bit vector length::
 +  3) When KVM is enabled, implicitly enable all host CPU supported vector
 +     lengths with the `host` CPU type::
 +
 +     $ qemu-system-aarch64 -M virt,accel=kvm -cpu host
 +
 +  4) Only enable the 128-bit vector length::
       $ qemu-system-aarch64 -M virt -cpu max,sve128=on
 -  4) Disable the 512-bit vector length and all larger vector lengths,
 +  5) Disable the 512-bit vector length and all larger vector lengths,
       since 512 is a power-of-two.  This results in all the smaller,
       uninitialized lengths (128, 256, and 384) defaulting to enabled::
       $ qemu-system-aarch64 -M virt -cpu max,sve512=off
 -  5) Enable the 128-bit, 256-bit, and 512-bit vector lengths::
 +  6) Enable the 128-bit, 256-bit, and 512-bit vector lengths::
       $ qemu-system-aarch64 -M virt -cpu max,sve128=on,sve256=on,sve512=on
 -  6) The same as (5), but since the 128-bit and 256-bit vector
 +  7) The same as (6), but since the 128-bit and 256-bit vector
       lengths are required for the 512-bit vector length to be enabled,
       then allow them to be auto-enabled::
       $ qemu-system-aarch64 -M virt -cpu max,sve512=on
 -  7) Do the same as (6), but by first disabling SVE and then re-enabling it::
 +  8) Do the same as (7), but by first disabling SVE and then re-enabling it::
       $ qemu-system-aarch64 -M virt -cpu max,sve=off,sve512=on,sve=on
 -  8) Force errors regarding the last vector length::
 +  9) Force errors regarding the last vector length::
       $ qemu-system-aarch64 -M virt -cpu max,sve128=off
       $ qemu-system-aarch64 -M virt -cpu max,sve=off,sve128=off,sve=on
@@ -XXX,XX +XXX,XX @@ The examples in "SVE CPU Property Examples" exhibit many ways to select
  vector lengths which developers may find useful in order to avoid overly
  verbose command lines.  However, the recommended way to select vector
  lengths is to explicitly enable each desired length.  Therefore only
 -example's (1), (3), and (5) exhibit recommended uses of the properties.
 +example's (1), (4), and (6) exhibit recommended uses of the properties.
 --
-.20.1
+.25.1

-New patch
+[PULL 35/39] hw/intc/arm_gicv3_its: Drop TableDesc and CmdQDesc valid fields
+Currently we track in the TableDesc and CmdQDesc structs the state of
+the GITS_BASER<n> and GITS_CBASER Valid bits.  However we aren't very
+consistent abut checking the valid field: we test it in update_cte()
+and update_dte(), but not anywhere else we look things up in tables.
+The GIC specification says that it is UNPREDICTABLE if a guest fails
+to set any of these Valid bits before enabling the ITS via
+GITS_CTLR.Enabled.  So we can choose to handle Valid == 0 as
+equivalent to a zero-length table.  This is in fact how we're already
+catching this case in most of the table-access paths: when Valid is 0
+we leave the num_entries fields in TableDesc or CmdQDesc set to zero,
+and then the out-of-bounds check "index >= num_entries" that we have
+to do anyway before doing any of these table lookups will always be
+true, catching the no-valid-table case without any extra code.
+So we can remove the checks on the valid field from update_cte()
+and update_dte(): since these happen after the bounds check there
+was never any case when the test could fail. That means the valid
+fields would be entirely unused, so just remove them.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220201193207.2771604-11-peter.maydell@linaro.org
+---
+ include/hw/intc/arm_gicv3_its_common.h |  2 --
+ hw/intc/arm_gicv3_its.c                | 31 ++++++++++++--------------
+files changed, 14 insertions(+), 19 deletions(-)
+diff --git a/include/hw/intc/arm_gicv3_its_common.h b/include/hw/intc/arm_gicv3_its_common.h
+index XXXXXXX..XXXXXXX 100644
+--- a/include/hw/intc/arm_gicv3_its_common.h
++++ b/include/hw/intc/arm_gicv3_its_common.h
+@@ -XXX,XX +XXX,XX @@
+ #define GITS_TRANSLATER  0x0040
+ typedef struct {
+-    bool valid;
+     bool indirect;
+     uint16_t entry_sz;
+     uint32_t page_sz;
+@@ -XXX,XX +XXX,XX @@ typedef struct {
+ } TableDesc;
+ typedef struct {
+-    bool valid;
+     uint32_t num_entries;
+     uint64_t base_addr;
+ } CmdQDesc;
+diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/intc/arm_gicv3_its.c
++++ b/hw/intc/arm_gicv3_its.c
+@@ -XXX,XX +XXX,XX @@ static bool update_cte(GICv3ITSState *s, uint16_t icid, const CTEntry *cte)
+     uint64_t cteval = 0;
+     MemTxResult res = MEMTX_OK;
+-    if (!s->ct.valid) {
+-        return true;
+-    }
+-
+     if (cte->valid) {
+         /* add mapping entry to collection table */
+         cteval = FIELD_DP64(cteval, CTE, VALID, 1);
+@@ -XXX,XX +XXX,XX @@ static bool update_dte(GICv3ITSState *s, uint32_t devid, const DTEntry *dte)
+     uint64_t dteval = 0;
+     MemTxResult res = MEMTX_OK;
+-    if (s->dt.valid) {
+-        if (dte->valid) {
+-            /* add mapping entry to device table */
+-            dteval = FIELD_DP64(dteval, DTE, VALID, 1);
+-            dteval = FIELD_DP64(dteval, DTE, SIZE, dte->size);
+-            dteval = FIELD_DP64(dteval, DTE, ITTADDR, dte->ittaddr);
+-        }
+-    } else {
+-        return true;
++    if (dte->valid) {
++        /* add mapping entry to device table */
++        dteval = FIELD_DP64(dteval, DTE, VALID, 1);
++        dteval = FIELD_DP64(dteval, DTE, SIZE, dte->size);
++        dteval = FIELD_DP64(dteval, DTE, ITTADDR, dte->ittaddr);
+     }
+     entry_addr = table_entry_addr(s, &s->dt, devid, &res);
+@@ -XXX,XX +XXX,XX @@ static void extract_table_params(GICv3ITSState *s)
+         }
+         memset(td, 0, sizeof(*td));
+-        td->valid = FIELD_EX64(value, GITS_BASER, VALID);
+         /*
+          * If GITS_BASER<n>.Valid is 0 for any <n> then we will not process
+          * interrupts. (GITS_TYPER.HCC is 0 for this implementation, so we
+@@ -XXX,XX +XXX,XX @@ static void extract_table_params(GICv3ITSState *s)
+          * for the register corresponding to the Collection table but we
+          * still have to process interrupts using non-memory-backed
+          * Collection table entries.)
++         * The specification makes it UNPREDICTABLE to enable the ITS without
++         * marking each BASER<n> as valid. We choose to handle these as if
++         * the table was zero-sized, so commands using the table will fail
++         * and interrupts requested via GITS_TRANSLATER writes will be ignored.
++         * This happens automatically by leaving the num_entries field at
++         * zero, which will be caught by the bounds checks we have before
++         * every table lookup anyway.
+          */
+-        if (!td->valid) {
++        if (!FIELD_EX64(value, GITS_BASER, VALID)) {
+             continue;
+         }
+         td->page_sz = page_sz;
+@@ -XXX,XX +XXX,XX @@ static void extract_cmdq_params(GICv3ITSState *s)
+     num_pages = FIELD_EX64(value, GITS_CBASER, SIZE) + 1;
+     memset(&s->cq, 0 , sizeof(s->cq));
+-    s->cq.valid = FIELD_EX64(value, GITS_CBASER, VALID);
+-    if (s->cq.valid) {
++    if (FIELD_EX64(value, GITS_CBASER, VALID)) {
+         s->cq.num_entries = (num_pages * GITS_PAGE_SIZE_4K) /
+                              GITS_CMDQ_ENTRY_SIZE;
+         s->cq.base_addr = FIELD_EX64(value, GITS_CBASER, PHYADDR);
+--
+.25.1

-New patch
+[PULL 36/39] hw/intc/arm_gicv3_its: In MAPC with V=0, don't check rdbase field
+In the MAPC command, if V=0 this is a request to delete a collection
+table entry and the rdbase field of the command packet will not be
+used.  In particular, the specification says that the "UNPREDICTABLE
+if rdbase is not valid" only applies for V=1.
+We were doing a check-and-log-guest-error on rdbase regardless of
+whether the V bit was set, and also (harmlessly but confusingly)
+storing the contents of the rdbase field into the updated collection
+table entry.  Update the code so that if V=0 we don't check or use
+the rdbase field value.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220201193207.2771604-12-peter.maydell@linaro.org
+---
+ hw/intc/arm_gicv3_its.c | 24 ++++++++++++------------
+file changed, 12 insertions(+), 12 deletions(-)
+diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/intc/arm_gicv3_its.c
++++ b/hw/intc/arm_gicv3_its.c
+@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapc(GICv3ITSState *s, const uint64_t *cmdpkt)
+     CTEntry cte;
+     icid = cmdpkt[2] & ICID_MASK;
+-
+-    cte.rdbase = (cmdpkt[2] & R_MAPC_RDBASE_MASK) >> R_MAPC_RDBASE_SHIFT;
+-    cte.rdbase &= RDBASE_PROCNUM_MASK;
+-
+     cte.valid = cmdpkt[2] & CMD_FIELD_VALID_MASK;
++    if (cte.valid) {
++        cte.rdbase = (cmdpkt[2] & R_MAPC_RDBASE_MASK) >> R_MAPC_RDBASE_SHIFT;
++        cte.rdbase &= RDBASE_PROCNUM_MASK;
++    } else {
++        cte.rdbase = 0;
++    }
+-    if ((icid >= s->ct.num_entries) || (cte.rdbase >= s->gicv3->num_cpu)) {
++    if (icid >= s->ct.num_entries) {
++        qemu_log_mask(LOG_GUEST_ERROR, "ITS MAPC: invalid ICID 0x%d", icid);
++        return CMD_CONTINUE;
++    }
++    if (cte.valid && cte.rdbase >= s->gicv3->num_cpu) {
+         qemu_log_mask(LOG_GUEST_ERROR,
+-                      "ITS MAPC: invalid collection table attributes "
+-                      "icid %d rdbase %u\n",  icid, cte.rdbase);
+-        /*
+-         * in this implementation, in case of error
+-         * we ignore this command and move onto the next
+-         * command in the queue
+-         */
++                      "ITS MAPC: invalid RDBASE %u ", cte.rdbase);
+         return CMD_CONTINUE;
+     }
+--
+.25.1

-New patch
+[PULL 37/39] hw/intc/arm_gicv3_its: Don't allow intid 1023 in MAPI/MAPTI
+When handling MAPI/MAPTI, we allow the supplied interrupt ID to be
+either 1023 or something in the valid LPI range.  This is a mistake:
+only a real valid LPI is allowed.  (The general behaviour of the ITS
+is that most interrupt ID fields require a value in the LPI range;
+the exception is that fields specifying a doorbell value, which are
+all in GICv4 commands, allow also 1023 to mean "no doorbell".)
+Remove the condition that incorrectly allows 1023 here.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20220201193207.2771604-13-peter.maydell@linaro.org
+---
+ hw/intc/arm_gicv3_its.c | 3 +--
+file changed, 1 insertion(+), 2 deletions(-)
+diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/intc/arm_gicv3_its.c
++++ b/hw/intc/arm_gicv3_its.c
+@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapti(GICv3ITSState *s, const uint64_t *cmdpkt,
+     if ((icid >= s->ct.num_entries)
+             || !dte.valid || (eventid >= num_eventids) ||
+-            (((pIntid < GICV3_LPI_INTID_START) || (pIntid >= num_intids)) &&
+-             (pIntid != INTID_SPURIOUS))) {
++            (((pIntid < GICV3_LPI_INTID_START) || (pIntid >= num_intids)))) {
+         qemu_log_mask(LOG_GUEST_ERROR,
+                       "%s: invalid command attributes "
+                       "icid %d or eventid %d or pIntid %d or"
+--
+.25.1

-[PULL 08/11] target/arm/cpu64: max cpu: Support sve properties with KVM
+[PULL 38/39] hw/intc/arm_gicv3_its: Split error checks
-From: Andrew Jones <drjones@redhat.com>
+In most of the ITS command processing, we check different error
 possibilities one at a time and log them appropriately. In
 process_mapti() and process_mapd() we have code which checks
 multiple error cases at once, which means the logging is less
 specific than it could be. Split those cases up.
-Extend the SVE vq map initialization and validation with KVM's
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-supported vector lengths when KVM is enabled. In order to determine
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-and select supported lengths we add two new KVM functions for getting
+Message-id: 20220201193207.2771604-14-peter.maydell@linaro.org
-and setting the KVM_REG_ARM64_SVE_VLS pseudo-register.
+---
  hw/intc/arm_gicv3_its.c | 52 ++++++++++++++++++++++++-----------------
 file changed, 31 insertions(+), 21 deletions(-)
-This patch has been co-authored with Richard Henderson, who reworked
+diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
 the target/arm/cpu64.c changes in order to push all the validation and
 auto-enabling/disabling steps into the finalizer, resulting in a nice
 LOC reduction.
 Signed-off-by: Andrew Jones <drjones@redhat.com>
 Reviewed-by: Eric Auger <eric.auger@redhat.com>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Tested-by: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com>
 Message-id: 20191031142734.8590-9-drjones@redhat.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
  target/arm/kvm_arm.h      |  12 +++
  target/arm/cpu64.c        | 176 ++++++++++++++++++++++++++++----------
  target/arm/kvm64.c        | 100 +++++++++++++++++++++-
  tests/arm-cpu-features.c  | 104 +++++++++++++++++++++-
  docs/arm-cpu-features.rst |  45 +++++++---
 files changed, 379 insertions(+), 58 deletions(-)
 diff --git a/target/arm/kvm_arm.h b/target/arm/kvm_arm.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/kvm_arm.h
+--- a/hw/intc/arm_gicv3_its.c
-+++ b/target/arm/kvm_arm.h
++++ b/hw/intc/arm_gicv3_its.c
-@@ -XXX,XX +XXX,XX @@ typedef struct ARMHostCPUFeatures {
+@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapti(GICv3ITSState *s, const uint64_t *cmdpkt,
-  */
+     num_eventids = 1ULL << (dte.size + 1);
- bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf);
+     num_intids = 1ULL << (GICD_TYPER_IDBITS + 1);
-+/**
+-    if ((icid >= s->ct.num_entries)
-+ * kvm_arm_sve_get_vls:
+-            || !dte.valid || (eventid >= num_eventids) ||
-+ * @cs: CPUState
+-            (((pIntid < GICV3_LPI_INTID_START) || (pIntid >= num_intids)))) {
-+ * @map: bitmap to fill in
++    if (icid >= s->ct.num_entries) {
-+ *
+         qemu_log_mask(LOG_GUEST_ERROR,
-+ * Get all the SVE vector lengths supported by the KVM host, setting
+-                      "%s: invalid command attributes "
-+ * the bits corresponding to their length in quadwords minus one
+-                      "icid %d or eventid %d or pIntid %d or"
-+ * (vq - 1) in @map up to ARM_MAX_VQ.
+-                      "unmapped dte %d\n", __func__, icid, eventid,
-+ */
+-                      pIntid, dte.valid);
-+void kvm_arm_sve_get_vls(CPUState *cs, unsigned long *map);
+-        /*
-+
+-         * in this implementation, in case of error
- /**
+-         * we ignore this command and move onto the next
-  * kvm_arm_set_cpu_features_from_host:
+-         * command in the queue
-  * @cpu: ARMCPU to set the features for
+-         */
-@@ -XXX,XX +XXX,XX @@ static inline int kvm_arm_vgic_probe(void)
++                      "%s: invalid ICID 0x%x >= 0x%x\n",
- static inline void kvm_arm_pmu_set_irq(CPUState *cs, int irq) {}
++                      __func__, icid, s->ct.num_entries);
- static inline void kvm_arm_pmu_init(CPUState *cs) {}
++        return CMD_CONTINUE;
 +static inline void kvm_arm_sve_get_vls(CPUState *cs, unsigned long *map) {}
  #endif
  static inline const char *gic_class_name(void)
 diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu64.c
 +++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@ void arm_cpu_sve_finalize(ARMCPU *cpu, Error **errp)
       * any of the above.  Finally, if SVE is not disabled, then at least one
       * vector length must be enabled.
       */
 +    DECLARE_BITMAP(kvm_supported, ARM_MAX_VQ);
      DECLARE_BITMAP(tmp, ARM_MAX_VQ);
      uint32_t vq, max_vq = 0;
 +    /* Collect the set of vector lengths supported by KVM. */
 +    bitmap_zero(kvm_supported, ARM_MAX_VQ);
 +    if (kvm_enabled() && kvm_arm_sve_supported(CPU(cpu))) {
 +        kvm_arm_sve_get_vls(CPU(cpu), kvm_supported);
 +    } else if (kvm_enabled()) {
 +        assert(!cpu_isar_feature(aa64_sve, cpu));
 +    }
 +
-     /*
++    if (!dte.valid) {
-      * Process explicit sve<N> properties.
++        qemu_log_mask(LOG_GUEST_ERROR,
-      * From the properties, sve_vq_map<N> implies sve_vq_init<N>.
++                      "%s: no valid DTE for devid 0x%x\n", __func__, devid);
-@@ -XXX,XX +XXX,XX @@ void arm_cpu_sve_finalize(ARMCPU *cpu, Error **errp)
++        return CMD_CONTINUE;
              return;
          }
 -        /* Propagate enabled bits down through required powers-of-two. */
 -        for (vq = pow2floor(max_vq); vq >= 1; vq >>= 1) {
 -            if (!test_bit(vq - 1, cpu->sve_vq_init)) {
 -                set_bit(vq - 1, cpu->sve_vq_map);
 +        if (kvm_enabled()) {
 +            /*
 +             * For KVM we have to automatically enable all supported unitialized
 +             * lengths, even when the smaller lengths are not all powers-of-two.
 +             */
 +            bitmap_andnot(tmp, kvm_supported, cpu->sve_vq_init, max_vq);
 +            bitmap_or(cpu->sve_vq_map, cpu->sve_vq_map, tmp, max_vq);
 +        } else {
 +            /* Propagate enabled bits down through required powers-of-two. */
 +            for (vq = pow2floor(max_vq); vq >= 1; vq >>= 1) {
 +                if (!test_bit(vq - 1, cpu->sve_vq_init)) {
 +                    set_bit(vq - 1, cpu->sve_vq_map);
 +                }
              }
          }
      } else if (cpu->sve_max_vq == 0) {
@@ -XXX,XX +XXX,XX @@ void arm_cpu_sve_finalize(ARMCPU *cpu, Error **errp)
              return;
          }
 -        /* Disabling a power-of-two disables all larger lengths. */
 -        if (test_bit(0, cpu->sve_vq_init)) {
 -            error_setg(errp, "cannot disable sve128");
 -            error_append_hint(errp, "Disabling sve128 results in all vector "
 -                              "lengths being disabled.\n");
 -            error_append_hint(errp, "With SVE enabled, at least one vector "
 -                              "length must be enabled.\n");
 -            return;
 -        }
 -        for (vq = 2; vq <= ARM_MAX_VQ; vq <<= 1) {
 -            if (test_bit(vq - 1, cpu->sve_vq_init)) {
 -                break;
 +        if (kvm_enabled()) {
 +            /* Disabling a supported length disables all larger lengths. */
 +            for (vq = 1; vq <= ARM_MAX_VQ; ++vq) {
 +                if (test_bit(vq - 1, cpu->sve_vq_init) &&
 +                    test_bit(vq - 1, kvm_supported)) {
 +                    break;
 +                }
              }
 +            max_vq = vq <= ARM_MAX_VQ ? vq - 1 : ARM_MAX_VQ;
 +            bitmap_andnot(cpu->sve_vq_map, kvm_supported,
 +                          cpu->sve_vq_init, max_vq);
 +            if (max_vq == 0 || bitmap_empty(cpu->sve_vq_map, max_vq)) {
 +                error_setg(errp, "cannot disable sve%d", vq * 128);
 +                error_append_hint(errp, "Disabling sve%d results in all "
 +                                  "vector lengths being disabled.\n",
 +                                  vq * 128);
 +                error_append_hint(errp, "With SVE enabled, at least one "
 +                                  "vector length must be enabled.\n");
 +                return;
 +            }
 +        } else {
 +            /* Disabling a power-of-two disables all larger lengths. */
 +            if (test_bit(0, cpu->sve_vq_init)) {
 +                error_setg(errp, "cannot disable sve128");
 +                error_append_hint(errp, "Disabling sve128 results in all "
 +                                  "vector lengths being disabled.\n");
 +                error_append_hint(errp, "With SVE enabled, at least one "
 +                                  "vector length must be enabled.\n");
 +                return;
 +            }
 +            for (vq = 2; vq <= ARM_MAX_VQ; vq <<= 1) {
 +                if (test_bit(vq - 1, cpu->sve_vq_init)) {
 +                    break;
 +                }
 +            }
 +            max_vq = vq <= ARM_MAX_VQ ? vq - 1 : ARM_MAX_VQ;
 +            bitmap_complement(cpu->sve_vq_map, cpu->sve_vq_init, max_vq);
          }
 -        max_vq = vq <= ARM_MAX_VQ ? vq - 1 : ARM_MAX_VQ;
 -        bitmap_complement(cpu->sve_vq_map, cpu->sve_vq_init, max_vq);
          max_vq = find_last_bit(cpu->sve_vq_map, max_vq) + 1;
      }
@@ -XXX,XX +XXX,XX @@ void arm_cpu_sve_finalize(ARMCPU *cpu, Error **errp)
      assert(max_vq != 0);
      bitmap_clear(cpu->sve_vq_map, max_vq, ARM_MAX_VQ - max_vq);
 -    /* Ensure all required powers-of-two are enabled. */
 -    for (vq = pow2floor(max_vq); vq >= 1; vq >>= 1) {
 -        if (!test_bit(vq - 1, cpu->sve_vq_map)) {
 -            error_setg(errp, "cannot disable sve%d", vq * 128);
 -            error_append_hint(errp, "sve%d is required as it "
 -                              "is a power-of-two length smaller than "
 -                              "the maximum, sve%d\n",
 -                              vq * 128, max_vq * 128);
 +    if (kvm_enabled()) {
 +        /* Ensure the set of lengths matches what KVM supports. */
 +        bitmap_xor(tmp, cpu->sve_vq_map, kvm_supported, max_vq);
 +        if (!bitmap_empty(tmp, max_vq)) {
 +            vq = find_last_bit(tmp, max_vq) + 1;
 +            if (test_bit(vq - 1, cpu->sve_vq_map)) {
 +                if (cpu->sve_max_vq) {
 +                    error_setg(errp, "cannot set sve-max-vq=%d",
 +                               cpu->sve_max_vq);
 +                    error_append_hint(errp, "This KVM host does not support "
 +                                      "the vector length %d-bits.\n",
 +                                      vq * 128);
 +                    error_append_hint(errp, "It may not be possible to use "
 +                                      "sve-max-vq with this KVM host. Try "
 +                                      "using only sve<N> properties.\n");
 +                } else {
 +                    error_setg(errp, "cannot enable sve%d", vq * 128);
 +                    error_append_hint(errp, "This KVM host does not support "
 +                                      "the vector length %d-bits.\n",
 +                                      vq * 128);
 +                }
 +            } else {
 +                error_setg(errp, "cannot disable sve%d", vq * 128);
 +                error_append_hint(errp, "The KVM host requires all "
 +                                  "supported vector lengths smaller "
 +                                  "than %d bits to also be enabled.\n",
 +                                  max_vq * 128);
 +            }
              return;
          }
 +    } else {
 +        /* Ensure all required powers-of-two are enabled. */
 +        for (vq = pow2floor(max_vq); vq >= 1; vq >>= 1) {
 +            if (!test_bit(vq - 1, cpu->sve_vq_map)) {
 +                error_setg(errp, "cannot disable sve%d", vq * 128);
 +                error_append_hint(errp, "sve%d is required as it "
 +                                  "is a power-of-two length smaller than "
 +                                  "the maximum, sve%d\n",
 +                                  vq * 128, max_vq * 128);
 +                return;
 +            }
 +        }
      }
      /*
@@ -XXX,XX +XXX,XX @@ static void cpu_max_set_sve_max_vq(Object *obj, Visitor *v, const char *name,
  {
      ARMCPU *cpu = ARM_CPU(obj);
      Error *err = NULL;
 +    uint32_t max_vq;
 -    visit_type_uint32(v, name, &cpu->sve_max_vq, &err);
 -
 -    if (!err && (cpu->sve_max_vq == 0 || cpu->sve_max_vq > ARM_MAX_VQ)) {
 -        error_setg(&err, "unsupported SVE vector length");
 -        error_append_hint(&err, "Valid sve-max-vq in range [1-%d]\n",
 -                          ARM_MAX_VQ);
 +    visit_type_uint32(v, name, &max_vq, &err);
 +    if (err) {
 +        error_propagate(errp, err);
 +        return;
      }
 -    error_propagate(errp, err);
 +
 +    if (kvm_enabled() && !kvm_arm_sve_supported(CPU(cpu))) {
 +        error_setg(errp, "cannot set sve-max-vq");
 +        error_append_hint(errp, "SVE not supported by KVM on this host\n");
 +        return;
 +    }
 +
-+    if (max_vq == 0 || max_vq > ARM_MAX_VQ) {
++    if (eventid >= num_eventids) {
-+        error_setg(errp, "unsupported SVE vector length");
++        qemu_log_mask(LOG_GUEST_ERROR,
-+        error_append_hint(errp, "Valid sve-max-vq in range [1-%d]\n",
++                      "%s: invalid event ID 0x%x >= 0x%" PRIx64 "\n",
-+                          ARM_MAX_VQ);
++                      __func__, eventid, num_eventids);
-+        return;
++        return CMD_CONTINUE;
 +    }
 +
-+    cpu->sve_max_vq = max_vq;
++    if (pIntid < GICV3_LPI_INTID_START || pIntid >= num_intids) {
- }
++        qemu_log_mask(LOG_GUEST_ERROR,
++                      "%s: invalid interrupt ID 0x%x\n", __func__, pIntid);
- static void cpu_arm_get_sve_vq(Object *obj, Visitor *v, const char *name,
+         return CMD_CONTINUE;
@@ -XXX,XX +XXX,XX @@ static void cpu_arm_set_sve_vq(Object *obj, Visitor *v, const char *name,
          return;
      }
-+    if (value && kvm_enabled() && !kvm_arm_sve_supported(CPU(cpu))) {
+@@ -XXX,XX +XXX,XX @@ static ItsCmdResult process_mapd(GICv3ITSState *s, const uint64_t *cmdpkt)
-+        error_setg(errp, "cannot enable %s", name);
+     dte.ittaddr = (cmdpkt[2] & ITTADDR_MASK) >> ITTADDR_SHIFT;
-+        error_append_hint(errp, "SVE not supported by KVM on this host\n");
+     dte.valid = cmdpkt[2] & CMD_FIELD_VALID_MASK;
-+        return;
 -    if ((devid >= s->dt.num_entries) ||
 -        (dte.size > FIELD_EX64(s->typer, GITS_TYPER, IDBITS))) {
 +    if (devid >= s->dt.num_entries) {
          qemu_log_mask(LOG_GUEST_ERROR,
 -                      "ITS MAPD: invalid device table attributes "
 -                      "devid %d or size %d\n", devid, dte.size);
 -        /*
 -         * in this implementation, in case of error
 -         * we ignore this command and move onto the next
 -         * command in the queue
 -         */
 +                      "ITS MAPD: invalid device ID field 0x%x >= 0x%x\n",
 +                      devid, s->dt.num_entries);
 +        return CMD_CONTINUE;
 +    }
 +
-     if (value) {
++    if (dte.size > FIELD_EX64(s->typer, GITS_TYPER, IDBITS)) {
-         set_bit(vq - 1, cpu->sve_vq_map);
++        qemu_log_mask(LOG_GUEST_ERROR,
-     } else {
++                      "ITS MAPD: invalid size %d\n", dte.size);
-@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
+         return CMD_CONTINUE;
          cpu->ctr = 0x80038003; /* 32 byte I and D cacheline size, VIPT icache */
          cpu->dcz_blocksize = 7; /*  512 bytes */
  #endif
 -
 -        object_property_add(obj, "sve-max-vq", "uint32", cpu_max_get_sve_max_vq,
 -                            cpu_max_set_sve_max_vq, NULL, NULL, &error_fatal);
 -
 -        for (vq = 1; vq <= ARM_MAX_VQ; ++vq) {
 -            char name[8];
 -            sprintf(name, "sve%d", vq * 128);
 -            object_property_add(obj, name, "bool", cpu_arm_get_sve_vq,
 -                                cpu_arm_set_sve_vq, NULL, NULL, &error_fatal);
 -        }
      }
-     object_property_add(obj, "sve", "bool", cpu_arm_get_sve,
-                         cpu_arm_set_sve, NULL, NULL, &error_fatal);
-+    object_property_add(obj, "sve-max-vq", "uint32", cpu_max_get_sve_max_vq,
-+                        cpu_max_set_sve_max_vq, NULL, NULL, &error_fatal);
-+
-+    for (vq = 1; vq <= ARM_MAX_VQ; ++vq) {
-+        char name[8];
-+        sprintf(name, "sve%d", vq * 128);
-+        object_property_add(obj, name, "bool", cpu_arm_get_sve_vq,
-+                            cpu_arm_set_sve_vq, NULL, NULL, &error_fatal);
-+    }
- }
- struct ARMCPUInfo {
-diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/kvm64.c
-+++ b/target/arm/kvm64.c
-@@ -XXX,XX +XXX,XX @@ bool kvm_arm_sve_supported(CPUState *cpu)
-     return kvm_check_extension(s, KVM_CAP_ARM_SVE);
- }
-+QEMU_BUILD_BUG_ON(KVM_ARM64_SVE_VQ_MIN != 1);
-+
-+void kvm_arm_sve_get_vls(CPUState *cs, unsigned long *map)
-+{
-+    /* Only call this function if kvm_arm_sve_supported() returns true. */
-+    static uint64_t vls[KVM_ARM64_SVE_VLS_WORDS];
-+    static bool probed;
-+    uint32_t vq = 0;
-+    int i, j;
-+
-+    bitmap_clear(map, 0, ARM_MAX_VQ);
-+
-+    /*
-+     * KVM ensures all host CPUs support the same set of vector lengths.
-+     * So we only need to create the scratch VCPUs once and then cache
-+     * the results.
-+     */
-+    if (!probed) {
-+        struct kvm_vcpu_init init = {
-+            .target = -1,
-+            .features[0] = (1 << KVM_ARM_VCPU_SVE),
-+        };
-+        struct kvm_one_reg reg = {
-+            .id = KVM_REG_ARM64_SVE_VLS,
-+            .addr = (uint64_t)&vls[0],
-+        };
-+        int fdarray[3], ret;
-+
-+        probed = true;
-+
-+        if (!kvm_arm_create_scratch_host_vcpu(NULL, fdarray, &init)) {
-+            error_report("failed to create scratch VCPU with SVE enabled");
-+            abort();
-+        }
-+        ret = ioctl(fdarray[2], KVM_GET_ONE_REG, &reg);
-+        kvm_arm_destroy_scratch_host_vcpu(fdarray);
-+        if (ret) {
-+            error_report("failed to get KVM_REG_ARM64_SVE_VLS: %s",
-+                         strerror(errno));
-+            abort();
-+        }
-+
-+        for (i = KVM_ARM64_SVE_VLS_WORDS - 1; i >= 0; --i) {
-+            if (vls[i]) {
-+                vq = 64 - clz64(vls[i]) + i * 64;
-+                break;
-+            }
-+        }
-+        if (vq > ARM_MAX_VQ) {
-+            warn_report("KVM supports vector lengths larger than "
-+                        "QEMU can enable");
-+        }
-+    }
-+
-+    for (i = 0; i < KVM_ARM64_SVE_VLS_WORDS; ++i) {
-+        if (!vls[i]) {
-+            continue;
-+        }
-+        for (j = 1; j <= 64; ++j) {
-+            vq = j + i * 64;
-+            if (vq > ARM_MAX_VQ) {
-+                return;
-+            }
-+            if (vls[i] & (1UL << (j - 1))) {
-+                set_bit(vq - 1, map);
-+            }
-+        }
-+    }
-+}
-+
-+static int kvm_arm_sve_set_vls(CPUState *cs)
-+{
-+    uint64_t vls[KVM_ARM64_SVE_VLS_WORDS] = {0};
-+    struct kvm_one_reg reg = {
-+        .id = KVM_REG_ARM64_SVE_VLS,
-+        .addr = (uint64_t)&vls[0],
-+    };
-+    ARMCPU *cpu = ARM_CPU(cs);
-+    uint32_t vq;
-+    int i, j;
-+
-+    assert(cpu->sve_max_vq <= KVM_ARM64_SVE_VQ_MAX);
-+
-+    for (vq = 1; vq <= cpu->sve_max_vq; ++vq) {
-+        if (test_bit(vq - 1, cpu->sve_vq_map)) {
-+            i = (vq - 1) / 64;
-+            j = (vq - 1) % 64;
-+            vls[i] |= 1UL << j;
-+        }
-+    }
-+
-+    return kvm_vcpu_ioctl(cs, KVM_SET_ONE_REG, &reg);
-+}
-+
- #define ARM_CPU_ID_MPIDR       3, 0, 0, 0, 5
- int kvm_arch_init_vcpu(CPUState *cs)
-@@ -XXX,XX +XXX,XX @@ int kvm_arch_init_vcpu(CPUState *cs)
-     if (cpu->kvm_target == QEMU_KVM_ARM_TARGET_NONE ||
-         !object_dynamic_cast(OBJECT(cpu), TYPE_AARCH64_CPU)) {
--        fprintf(stderr, "KVM is not supported for this guest CPU type\n");
-+        error_report("KVM is not supported for this guest CPU type");
-         return -EINVAL;
-     }
-@@ -XXX,XX +XXX,XX @@ int kvm_arch_init_vcpu(CPUState *cs)
-     }
-     if (cpu_isar_feature(aa64_sve, cpu)) {
-+        ret = kvm_arm_sve_set_vls(cs);
-+        if (ret) {
-+            return ret;
-+        }
-         ret = kvm_arm_vcpu_finalize(cs, KVM_ARM_VCPU_SVE);
-         if (ret) {
-             return ret;
-diff --git a/tests/arm-cpu-features.c b/tests/arm-cpu-features.c
-index XXXXXXX..XXXXXXX 100644
---- a/tests/arm-cpu-features.c
-+++ b/tests/arm-cpu-features.c
-@@ -XXX,XX +XXX,XX @@ static QDict *resp_get_props(QDict *resp)
-     return qdict;
- }
-+static bool resp_get_feature(QDict *resp, const char *feature)
-+{
-+    QDict *props;
-+
-+    g_assert(resp);
-+    g_assert(resp_has_props(resp));
-+    props = resp_get_props(resp);
-+    g_assert(qdict_get(props, feature));
-+    return qdict_get_bool(props, feature);
-+}
-+
- #define assert_has_feature(qts, cpu_type, feature)                     \
- ({                                                                     \
-     QDict *_resp = do_query_no_props(qts, cpu_type);                   \
-@@ -XXX,XX +XXX,XX @@ static void sve_tests_sve_off(const void *data)
-     qtest_quit(qts);
- }
-+static void sve_tests_sve_off_kvm(const void *data)
-+{
-+    QTestState *qts;
-+
-+    qts = qtest_init(MACHINE_KVM "-cpu max,sve=off");
-+
-+    /*
-+     * We don't know if this host supports SVE so we don't
-+     * attempt to test enabling anything. We only test that
-+     * everything is disabled (as it should be with sve=off)
-+     * and that using sve<N>=off to explicitly disable vector
-+     * lengths is OK too.
-+     */
-+    assert_sve_vls(qts, "max", 0, NULL);
-+    assert_sve_vls(qts, "max", 0, "{ 'sve128': false }");
-+
-+    qtest_quit(qts);
-+}
-+
- static void test_query_cpu_model_expansion(const void *data)
- {
-     QTestState *qts;
-@@ -XXX,XX +XXX,XX @@ static void test_query_cpu_model_expansion_kvm(const void *data)
-     }
-     if (g_str_equal(qtest_get_arch(), "aarch64")) {
-+        bool kvm_supports_sve;
-+        char max_name[8], name[8];
-+        uint32_t max_vq, vq;
-+        uint64_t vls;
-+        QDict *resp;
-+        char *error;
-+
-         assert_has_feature(qts, "host", "aarch64");
-         assert_has_feature(qts, "host", "pmu");
--        assert_has_feature(qts, "max", "sve");
--
-         assert_error(qts, "cortex-a15",
-             "We cannot guarantee the CPU type 'cortex-a15' works "
-             "with KVM on this host", NULL);
-+
-+        assert_has_feature(qts, "max", "sve");
-+        resp = do_query_no_props(qts, "max");
-+        kvm_supports_sve = resp_get_feature(resp, "sve");
-+        vls = resp_get_sve_vls(resp);
-+        qobject_unref(resp);
-+
-+        if (kvm_supports_sve) {
-+            g_assert(vls != 0);
-+            max_vq = 64 - __builtin_clzll(vls);
-+            sprintf(max_name, "sve%d", max_vq * 128);
-+
-+            /* Enabling a supported length is of course fine. */
-+            assert_sve_vls(qts, "max", vls, "{ %s: true }", max_name);
-+
-+            /* Get the next supported length smaller than max-vq. */
-+            vq = 64 - __builtin_clzll(vls & ~BIT_ULL(max_vq - 1));
-+            if (vq) {
-+                /*
-+                 * We have at least one length smaller than max-vq,
-+                 * so we can disable max-vq.
-+                 */
-+                assert_sve_vls(qts, "max", (vls & ~BIT_ULL(max_vq - 1)),
-+                               "{ %s: false }", max_name);
-+
-+                /*
-+                 * Smaller, supported vector lengths cannot be disabled
-+                 * unless all larger, supported vector lengths are also
-+                 * disabled.
-+                 */
-+                sprintf(name, "sve%d", vq * 128);
-+                error = g_strdup_printf("cannot disable %s", name);
-+                assert_error(qts, "max", error,
-+                             "{ %s: true, %s: false }",
-+                             max_name, name);
-+                g_free(error);
-+            }
-+
-+            /*
-+             * The smallest, supported vector length is required, because
-+             * we need at least one vector length enabled.
-+             */
-+            vq = __builtin_ffsll(vls);
-+            sprintf(name, "sve%d", vq * 128);
-+            error = g_strdup_printf("cannot disable %s", name);
-+            assert_error(qts, "max", error, "{ %s: false }", name);
-+            g_free(error);
-+
-+            /* Get an unsupported length. */
-+            for (vq = 1; vq <= max_vq; ++vq) {
-+                if (!(vls & BIT_ULL(vq - 1))) {
-+                    break;
-+                }
-+            }
-+            if (vq <= SVE_MAX_VQ) {
-+                sprintf(name, "sve%d", vq * 128);
-+                error = g_strdup_printf("cannot enable %s", name);
-+                assert_error(qts, "max", error, "{ %s: true }", name);
-+                g_free(error);
-+            }
-+        } else {
-+            g_assert(vls == 0);
-+        }
-     } else {
-         assert_has_not_feature(qts, "host", "aarch64");
-         assert_has_not_feature(qts, "host", "pmu");
-@@ -XXX,XX +XXX,XX @@ int main(int argc, char **argv)
-                             NULL, sve_tests_sve_max_vq_8);
-         qtest_add_data_func("/arm/max/query-cpu-model-expansion/sve-off",
-                             NULL, sve_tests_sve_off);
-+        qtest_add_data_func("/arm/kvm/query-cpu-model-expansion/sve-off",
-+                            NULL, sve_tests_sve_off_kvm);
-     }
-     return g_test_run();
-diff --git a/docs/arm-cpu-features.rst b/docs/arm-cpu-features.rst
-index XXXXXXX..XXXXXXX 100644
---- a/docs/arm-cpu-features.rst
-+++ b/docs/arm-cpu-features.rst
-@@ -XXX,XX +XXX,XX @@ SVE CPU Property Dependencies and Constraints
-) At least one vector length must be enabled when `sve` is enabled.
--  2) If a vector length `N` is enabled, then all power-of-two vector
--     lengths smaller than `N` must also be enabled.  E.g. if `sve512`
--     is enabled, then the 128-bit and 256-bit vector lengths must also
--     be enabled.
-+  2) If a vector length `N` is enabled, then, when KVM is enabled, all
-+     smaller, host supported vector lengths must also be enabled.  If
-+     KVM is not enabled, then only all the smaller, power-of-two vector
-+     lengths must be enabled.  E.g. with KVM if the host supports all
-+     vector lengths up to 512-bits (128, 256, 384, 512), then if `sve512`
-+     is enabled, the 128-bit vector length, 256-bit vector length, and
-+     384-bit vector length must also be enabled. Without KVM, the 384-bit
-+     vector length would not be required.
-+
-+  3) If KVM is enabled then only vector lengths that the host CPU type
-+     support may be enabled.  If SVE is not supported by the host, then
-+     no `sve*` properties may be enabled.
- SVE CPU Property Parsing Semantics
- ----------------------------------
-@@ -XXX,XX +XXX,XX @@ SVE CPU Property Parsing Semantics
-      an error is generated.
-) If SVE is enabled (`sve=on`), but no `sve<N>` CPU properties are
--     provided, then all supported vector lengths are enabled, including
--     the non-power-of-two lengths.
-+     provided, then all supported vector lengths are enabled, which when
-+     KVM is not in use means including the non-power-of-two lengths, and,
-+     when KVM is in use, it means all vector lengths supported by the host
-+     processor.
-) If SVE is enabled, then an error is generated when attempting to
-      disable the last enabled vector length (see constraint (1) of "SVE
-@@ -XXX,XX +XXX,XX @@ SVE CPU Property Parsing Semantics
-      has been explicitly disabled, then an error is generated (see
-      constraint (2) of "SVE CPU Property Dependencies and Constraints").
--  5) If one or more `sve<N>` CPU properties are set `off`, but no `sve<N>`,
-+  5) When KVM is enabled, if the host does not support SVE, then an error
-+     is generated when attempting to enable any `sve*` properties (see
-+     constraint (3) of "SVE CPU Property Dependencies and Constraints").
-+
-+  6) When KVM is enabled, if the host does support SVE, then an error is
-+     generated when attempting to enable any vector lengths not supported
-+     by the host (see constraint (3) of "SVE CPU Property Dependencies and
-+     Constraints").
-+
-+  7) If one or more `sve<N>` CPU properties are set `off`, but no `sve<N>`,
-      CPU properties are set `on`, then the specified vector lengths are
-      disabled but the default for any unspecified lengths remains enabled.
--     Disabling a power-of-two vector length also disables all vector
--     lengths larger than the power-of-two length (see constraint (2) of
--     "SVE CPU Property Dependencies and Constraints").
-+     When KVM is not enabled, disabling a power-of-two vector length also
-+     disables all vector lengths larger than the power-of-two length.
-+     When KVM is enabled, then disabling any supported vector length also
-+     disables all larger vector lengths (see constraint (2) of "SVE CPU
-+     Property Dependencies and Constraints").
--  6) If one or more `sve<N>` CPU properties are set to `on`, then they
-+  8) If one or more `sve<N>` CPU properties are set to `on`, then they
-      are enabled and all unspecified lengths default to disabled, except
-      for the required lengths per constraint (2) of "SVE CPU Property
-      Dependencies and Constraints", which will even be auto-enabled if
-      they were not explicitly enabled.
--  7) If SVE was disabled (`sve=off`), allowing all vector lengths to be
-+  9) If SVE was disabled (`sve=off`), allowing all vector lengths to be
-      explicitly disabled (i.e. avoiding the error specified in (3) of
-      "SVE CPU Property Parsing Semantics"), then if later an `sve=on` is
-      provided an error will be generated.  To avoid this error, one must
 --
-.20.1
+.25.1

-[PULL 02/11] tests: arm: Introduce cpu feature tests
+[PULL 39/39] hw/sensor: Add lsm303dlhc magnetometer device
-From: Andrew Jones <drjones@redhat.com>
+From: Kevin Townsend <kevin.townsend@linaro.org>
-Now that Arm CPUs have advertised features lets add tests to ensure
+This commit adds emulation of the magnetometer on the LSM303DLHC.
-we maintain their expected availability with and without KVM.
+It allows the magnetometer's X, Y and Z outputs to be set via the
 mag-x, mag-y and mag-z properties, as well as the 12-bit
 temperature output via the temperature property. Sensor can be
 enabled with 'CONFIG_LSM303DLHC_MAG=y'.
-Signed-off-by: Andrew Jones <drjones@redhat.com>
+Signed-off-by: Kevin Townsend <kevin.townsend@linaro.org>
-Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Message-id: 20220130095032.35392-1-kevin.townsend@linaro.org
-Message-id: 20191031142734.8590-3-drjones@redhat.com
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- tests/Makefile.include   |   5 +-
+ hw/sensor/lsm303dlhc_mag.c        | 556 ++++++++++++++++++++++++++++++
- tests/arm-cpu-features.c | 253 +++++++++++++++++++++++++++++++++++++++
+ tests/qtest/lsm303dlhc-mag-test.c | 148 ++++++++
-files changed, 257 insertions(+), 1 deletion(-)
+ hw/sensor/Kconfig                 |   4 +
- create mode 100644 tests/arm-cpu-features.c
+ hw/sensor/meson.build             |   1 +
  tests/qtest/meson.build           |   1 +
 files changed, 710 insertions(+)
  create mode 100644 hw/sensor/lsm303dlhc_mag.c
  create mode 100644 tests/qtest/lsm303dlhc-mag-test.c
-diff --git a/tests/Makefile.include b/tests/Makefile.include
+diff --git a/hw/sensor/lsm303dlhc_mag.c b/hw/sensor/lsm303dlhc_mag.c
 index XXXXXXX..XXXXXXX 100644
 --- a/tests/Makefile.include
 +++ b/tests/Makefile.include
@@ -XXX,XX +XXX,XX @@ check-qtest-sparc64-$(CONFIG_ISA_TESTDEV) = tests/endianness-test$(EXESUF)
  check-qtest-sparc64-y += tests/prom-env-test$(EXESUF)
  check-qtest-sparc64-y += tests/boot-serial-test$(EXESUF)
 +check-qtest-arm-y += tests/arm-cpu-features$(EXESUF)
  check-qtest-arm-y += tests/microbit-test$(EXESUF)
  check-qtest-arm-y += tests/m25p80-test$(EXESUF)
  check-qtest-arm-y += tests/test-arm-mptimer$(EXESUF)
@@ -XXX,XX +XXX,XX @@ check-qtest-arm-y += tests/boot-serial-test$(EXESUF)
  check-qtest-arm-y += tests/hexloader-test$(EXESUF)
  check-qtest-arm-$(CONFIG_PFLASH_CFI02) += tests/pflash-cfi02-test$(EXESUF)
 -check-qtest-aarch64-y = tests/numa-test$(EXESUF)
 +check-qtest-aarch64-y += tests/arm-cpu-features$(EXESUF)
 +check-qtest-aarch64-y += tests/numa-test$(EXESUF)
  check-qtest-aarch64-y += tests/boot-serial-test$(EXESUF)
  check-qtest-aarch64-y += tests/migration-test$(EXESUF)
  # TODO: once aarch64 TCG is fixed on ARM 32 bit host, make test unconditional
@@ -XXX,XX +XXX,XX @@ tests/test-qapi-util$(EXESUF): tests/test-qapi-util.o $(test-util-obj-y)
  tests/numa-test$(EXESUF): tests/numa-test.o
  tests/vmgenid-test$(EXESUF): tests/vmgenid-test.o tests/boot-sector.o tests/acpi-utils.o
  tests/cdrom-test$(EXESUF): tests/cdrom-test.o tests/boot-sector.o $(libqos-obj-y)
 +tests/arm-cpu-features$(EXESUF): tests/arm-cpu-features.o
  tests/migration/stress$(EXESUF): tests/migration/stress.o
      $(call quiet-command, $(LINKPROG) -static -O3 $(PTHREAD_LIB) -o $@ $< ,"LINK","$(TARGET_DIR)$@")
 diff --git a/tests/arm-cpu-features.c b/tests/arm-cpu-features.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
-+++ b/tests/arm-cpu-features.c
++++ b/hw/sensor/lsm303dlhc_mag.c
 @@ -XXX,XX +XXX,XX @@
 +/*
-+ * Arm CPU feature test cases
++ * LSM303DLHC I2C magnetometer.
 + *
-+ * Copyright (c) 2019 Red Hat Inc.
++ * Copyright (C) 2021 Linaro Ltd.
-+ * Authors:
++ * Written by Kevin Townsend <kevin.townsend@linaro.org>
 + *  Andrew Jones <drjones@redhat.com>
 + *
-+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
++ * Based on: https://www.st.com/resource/en/datasheet/lsm303dlhc.pdf
-+ * See the COPYING file in the top-level directory.
++ *
-+ */
++ * SPDX-License-Identifier: GPL-2.0-or-later
 + */
 +
 +/*
 + * The I2C address associated with this device is set on the command-line when
 + * initialising the machine, but the following address is standard: 0x1E.
 + *
 + * Get and set functions for 'mag-x', 'mag-y' and 'mag-z' assume that
 + * 1 = 0.001 uT. (NOTE the 1 gauss = 100 uT, so setting a value of 100,000
 + * would be equal to 1 gauss or 100 uT.)
 + *
 + * Get and set functions for 'temperature' assume that 1 = 0.001 C, so 23.6 C
 + * would be equal to 23600.
 + */
 +
 +#include "qemu/osdep.h"
-+#include "libqtest.h"
++#include "hw/i2c/i2c.h"
 +#include "migration/vmstate.h"
 +#include "qapi/error.h"
 +#include "qapi/visitor.h"
 +#include "qemu/module.h"
 +#include "qemu/log.h"
 +#include "qemu/bswap.h"
 +
 +enum LSM303DLHCMagReg {
 +    LSM303DLHC_MAG_REG_CRA          = 0x00,
 +    LSM303DLHC_MAG_REG_CRB          = 0x01,
 +    LSM303DLHC_MAG_REG_MR           = 0x02,
 +    LSM303DLHC_MAG_REG_OUT_X_H      = 0x03,
 +    LSM303DLHC_MAG_REG_OUT_X_L      = 0x04,
 +    LSM303DLHC_MAG_REG_OUT_Z_H      = 0x05,
 +    LSM303DLHC_MAG_REG_OUT_Z_L      = 0x06,
 +    LSM303DLHC_MAG_REG_OUT_Y_H      = 0x07,
 +    LSM303DLHC_MAG_REG_OUT_Y_L      = 0x08,
 +    LSM303DLHC_MAG_REG_SR           = 0x09,
 +    LSM303DLHC_MAG_REG_IRA          = 0x0A,
 +    LSM303DLHC_MAG_REG_IRB          = 0x0B,
 +    LSM303DLHC_MAG_REG_IRC          = 0x0C,
 +    LSM303DLHC_MAG_REG_TEMP_OUT_H   = 0x31,
 +    LSM303DLHC_MAG_REG_TEMP_OUT_L   = 0x32
 +};
 +
 +typedef struct LSM303DLHCMagState {
 +    I2CSlave parent_obj;
 +    uint8_t cra;
 +    uint8_t crb;
 +    uint8_t mr;
 +    int16_t x;
 +    int16_t z;
 +    int16_t y;
 +    int16_t x_lock;
 +    int16_t z_lock;
 +    int16_t y_lock;
 +    uint8_t sr;
 +    uint8_t ira;
 +    uint8_t irb;
 +    uint8_t irc;
 +    int16_t temperature;
 +    int16_t temperature_lock;
 +    uint8_t len;
 +    uint8_t buf;
 +    uint8_t pointer;
 +} LSM303DLHCMagState;
 +
 +#define TYPE_LSM303DLHC_MAG "lsm303dlhc_mag"
 +OBJECT_DECLARE_SIMPLE_TYPE(LSM303DLHCMagState, LSM303DLHC_MAG)
 +
 +/*
 + * Conversion factor from Gauss to sensor values for each GN gain setting,
 + * in units "lsb per Gauss" (see data sheet table 3). There is no documented
 + * behaviour if the GN setting in CRB is incorrectly set to 0b000;
 + * we arbitrarily make it the same as 0b001.
 + */
 +uint32_t xy_gain[] = { 1100, 1100, 855, 670, 450, 400, 330, 230 };
 +uint32_t z_gain[] = { 980, 980, 760, 600, 400, 355, 295, 205 };
 +
 +static void lsm303dlhc_mag_get_x(Object *obj, Visitor *v, const char *name,
 +                                 void *opaque, Error **errp)
 +{
 +    LSM303DLHCMagState *s = LSM303DLHC_MAG(obj);
 +    int gm = extract32(s->crb, 5, 3);
 +
 +    /* Convert to uT where 1000 = 1 uT. Conversion factor depends on gain. */
 +    int64_t value = muldiv64(s->x, 100000, xy_gain[gm]);
 +    visit_type_int(v, name, &value, errp);
 +}
 +
 +static void lsm303dlhc_mag_get_y(Object *obj, Visitor *v, const char *name,
 +                                 void *opaque, Error **errp)
 +{
 +    LSM303DLHCMagState *s = LSM303DLHC_MAG(obj);
 +    int gm = extract32(s->crb, 5, 3);
 +
 +    /* Convert to uT where 1000 = 1 uT. Conversion factor depends on gain. */
 +    int64_t value = muldiv64(s->y, 100000, xy_gain[gm]);
 +    visit_type_int(v, name, &value, errp);
 +}
 +
 +static void lsm303dlhc_mag_get_z(Object *obj, Visitor *v, const char *name,
 +                                 void *opaque, Error **errp)
 +{
 +    LSM303DLHCMagState *s = LSM303DLHC_MAG(obj);
 +    int gm = extract32(s->crb, 5, 3);
 +
 +    /* Convert to uT where 1000 = 1 uT. Conversion factor depends on gain. */
 +    int64_t value = muldiv64(s->z, 100000, z_gain[gm]);
 +    visit_type_int(v, name, &value, errp);
 +}
 +
 +static void lsm303dlhc_mag_set_x(Object *obj, Visitor *v, const char *name,
 +                                 void *opaque, Error **errp)
 +{
 +    LSM303DLHCMagState *s = LSM303DLHC_MAG(obj);
 +    int64_t value;
 +    int64_t reg;
 +    int gm = extract32(s->crb, 5, 3);
 +
 +    if (!visit_type_int(v, name, &value, errp)) {
 +        return;
 +    }
 +
 +    reg = muldiv64(value, xy_gain[gm], 100000);
 +
 +    /* Make sure we are within a 12-bit limit. */
 +    if (reg > 2047 || reg < -2048) {
 +        error_setg(errp, "value %" PRId64 " out of register's range", value);
 +        return;
 +    }
 +
 +    s->x = (int16_t)reg;
 +}
 +
 +static void lsm303dlhc_mag_set_y(Object *obj, Visitor *v, const char *name,
 +                                 void *opaque, Error **errp)
 +{
 +    LSM303DLHCMagState *s = LSM303DLHC_MAG(obj);
 +    int64_t value;
 +    int64_t reg;
 +    int gm = extract32(s->crb, 5, 3);
 +
 +    if (!visit_type_int(v, name, &value, errp)) {
 +        return;
 +    }
 +
 +    reg = muldiv64(value, xy_gain[gm], 100000);
 +
 +    /* Make sure we are within a 12-bit limit. */
 +    if (reg > 2047 || reg < -2048) {
 +        error_setg(errp, "value %" PRId64 " out of register's range", value);
 +        return;
 +    }
 +
 +    s->y = (int16_t)reg;
 +}
 +
 +static void lsm303dlhc_mag_set_z(Object *obj, Visitor *v, const char *name,
 +                                 void *opaque, Error **errp)
 +{
 +    LSM303DLHCMagState *s = LSM303DLHC_MAG(obj);
 +    int64_t value;
 +    int64_t reg;
 +    int gm = extract32(s->crb, 5, 3);
 +
 +    if (!visit_type_int(v, name, &value, errp)) {
 +        return;
 +    }
 +
 +    reg = muldiv64(value, z_gain[gm], 100000);
 +
 +    /* Make sure we are within a 12-bit limit. */
 +    if (reg > 2047 || reg < -2048) {
 +        error_setg(errp, "value %" PRId64 " out of register's range", value);
 +        return;
 +    }
 +
 +    s->z = (int16_t)reg;
 +}
 +
 +/*
 + * Get handler for the temperature property.
 + */
 +static void lsm303dlhc_mag_get_temperature(Object *obj, Visitor *v,
 +                                           const char *name, void *opaque,
 +                                           Error **errp)
 +{
 +    LSM303DLHCMagState *s = LSM303DLHC_MAG(obj);
 +    int64_t value;
 +
 +    /* Convert to 1 lsb = 0.125 C to 1 = 0.001 C for 'temperature' property. */
 +    value = s->temperature * 125;
 +
 +    visit_type_int(v, name, &value, errp);
 +}
 +
 +/*
 + * Set handler for the temperature property.
 + */
 +static void lsm303dlhc_mag_set_temperature(Object *obj, Visitor *v,
 +                                           const char *name, void *opaque,
 +                                           Error **errp)
 +{
 +    LSM303DLHCMagState *s = LSM303DLHC_MAG(obj);
 +    int64_t value;
 +
 +    if (!visit_type_int(v, name, &value, errp)) {
 +        return;
 +    }
 +
 +    /* Input temperature is in 0.001 C units. Convert to 1 lsb = 0.125 C. */
 +    value /= 125;
 +
 +    if (value > 2047 || value < -2048) {
 +        error_setg(errp, "value %" PRId64 " lsb is out of range", value);
 +        return;
 +    }
 +
 +    s->temperature = (int16_t)value;
 +}
 +
 +/*
 + * Callback handler whenever a 'I2C_START_RECV' (read) event is received.
 + */
 +static void lsm303dlhc_mag_read(LSM303DLHCMagState *s)
 +{
 +    /*
 +     * Set the LOCK bit whenever a new read attempt is made. This will be
 +     * cleared in I2C_FINISH. Note that DRDY is always set to 1 in this driver.
 +     */
 +    s->sr = 0x3;
 +
 +    /*
 +     * Copy the current X/Y/Z and temp. values into the locked registers so
 +     * that 'mag-x', 'mag-y', 'mag-z' and 'temperature' can continue to be
 +     * updated via QOM, etc., without corrupting the current read event.
 +     */
 +    s->x_lock = s->x;
 +    s->z_lock = s->z;
 +    s->y_lock = s->y;
 +    s->temperature_lock = s->temperature;
 +}
 +
 +/*
 + * Callback handler whenever a 'I2C_FINISH' event is received.
 + */
 +static void lsm303dlhc_mag_finish(LSM303DLHCMagState *s)
 +{
 +    /*
 +     * Clear the LOCK bit when the read attempt terminates.
 +     * This bit is initially set in the I2C_START_RECV handler.
 +     */
 +    s->sr = 0x1;
 +}
 +
 +/*
 + * Callback handler when a device attempts to write to a register.
 + */
 +static void lsm303dlhc_mag_write(LSM303DLHCMagState *s)
 +{
 +    switch (s->pointer) {
 +    case LSM303DLHC_MAG_REG_CRA:
 +        s->cra = s->buf;
 +        break;
 +    case LSM303DLHC_MAG_REG_CRB:
 +        /* Make sure gain is at least 1, falling back to 1 on an error. */
 +        if (s->buf >> 5 == 0) {
 +            s->buf = 1 << 5;
 +        }
 +        s->crb = s->buf;
 +        break;
 +    case LSM303DLHC_MAG_REG_MR:
 +        s->mr = s->buf;
 +        break;
 +    case LSM303DLHC_MAG_REG_SR:
 +        s->sr = s->buf;
 +        break;
 +    case LSM303DLHC_MAG_REG_IRA:
 +        s->ira = s->buf;
 +        break;
 +    case LSM303DLHC_MAG_REG_IRB:
 +        s->irb = s->buf;
 +        break;
 +    case LSM303DLHC_MAG_REG_IRC:
 +        s->irc = s->buf;
 +        break;
 +    default:
 +        qemu_log_mask(LOG_GUEST_ERROR, "reg is read-only: 0x%02X", s->buf);
 +        break;
 +    }
 +}
 +
 +/*
 + * Low-level master-to-slave transaction handler.
 + */
 +static int lsm303dlhc_mag_send(I2CSlave *i2c, uint8_t data)
 +{
 +    LSM303DLHCMagState *s = LSM303DLHC_MAG(i2c);
 +
 +    if (s->len == 0) {
 +        /* First byte is the reg pointer */
 +        s->pointer = data;
 +        s->len++;
 +    } else if (s->len == 1) {
 +        /* Second byte is the new register value. */
 +        s->buf = data;
 +        lsm303dlhc_mag_write(s);
 +    } else {
 +        g_assert_not_reached();
 +    }
 +
 +    return 0;
 +}
 +
 +/*
 + * Low-level slave-to-master transaction handler (read attempts).
 + */
 +static uint8_t lsm303dlhc_mag_recv(I2CSlave *i2c)
 +{
 +    LSM303DLHCMagState *s = LSM303DLHC_MAG(i2c);
 +    uint8_t resp;
 +
 +    switch (s->pointer) {
 +    case LSM303DLHC_MAG_REG_CRA:
 +        resp = s->cra;
 +        break;
 +    case LSM303DLHC_MAG_REG_CRB:
 +        resp = s->crb;
 +        break;
 +    case LSM303DLHC_MAG_REG_MR:
 +        resp = s->mr;
 +        break;
 +    case LSM303DLHC_MAG_REG_OUT_X_H:
 +        resp = (uint8_t)(s->x_lock >> 8);
 +        break;
 +    case LSM303DLHC_MAG_REG_OUT_X_L:
 +        resp = (uint8_t)(s->x_lock);
 +        break;
 +    case LSM303DLHC_MAG_REG_OUT_Z_H:
 +        resp = (uint8_t)(s->z_lock >> 8);
 +        break;
 +    case LSM303DLHC_MAG_REG_OUT_Z_L:
 +        resp = (uint8_t)(s->z_lock);
 +        break;
 +    case LSM303DLHC_MAG_REG_OUT_Y_H:
 +        resp = (uint8_t)(s->y_lock >> 8);
 +        break;
 +    case LSM303DLHC_MAG_REG_OUT_Y_L:
 +        resp = (uint8_t)(s->y_lock);
 +        break;
 +    case LSM303DLHC_MAG_REG_SR:
 +        resp = s->sr;
 +        break;
 +    case LSM303DLHC_MAG_REG_IRA:
 +        resp = s->ira;
 +        break;
 +    case LSM303DLHC_MAG_REG_IRB:
 +        resp = s->irb;
 +        break;
 +    case LSM303DLHC_MAG_REG_IRC:
 +        resp = s->irc;
 +        break;
 +    case LSM303DLHC_MAG_REG_TEMP_OUT_H:
 +        /* Check if the temperature sensor is enabled or not (CRA & 0x80). */
 +        if (s->cra & 0x80) {
 +            resp = (uint8_t)(s->temperature_lock >> 8);
 +        } else {
 +            resp = 0;
 +        }
 +        break;
 +    case LSM303DLHC_MAG_REG_TEMP_OUT_L:
 +        if (s->cra & 0x80) {
 +            resp = (uint8_t)(s->temperature_lock & 0xff);
 +        } else {
 +            resp = 0;
 +        }
 +        break;
 +    default:
 +        resp = 0;
 +        break;
 +    }
 +
 +    /*
 +     * The address pointer on the LSM303DLHC auto-increments whenever a byte
 +     * is read, without the master device having to request the next address.
 +     *
 +     * The auto-increment process has the following logic:
 +     *
 +     *   - if (s->pointer == 8) then s->pointer = 3
 +     *   - else: if (s->pointer == 12) then s->pointer = 0
 +     *   - else: s->pointer += 1
 +     *
 +     * Reading an invalid address return 0.
 +     */
 +    if (s->pointer == LSM303DLHC_MAG_REG_OUT_Y_L) {
 +        s->pointer = LSM303DLHC_MAG_REG_OUT_X_H;
 +    } else if (s->pointer == LSM303DLHC_MAG_REG_IRC) {
 +        s->pointer = LSM303DLHC_MAG_REG_CRA;
 +    } else {
 +        s->pointer++;
 +    }
 +
 +    return resp;
 +}
 +
 +/*
 + * Bus state change handler.
 + */
 +static int lsm303dlhc_mag_event(I2CSlave *i2c, enum i2c_event event)
 +{
 +    LSM303DLHCMagState *s = LSM303DLHC_MAG(i2c);
 +
 +    switch (event) {
 +    case I2C_START_SEND:
 +        break;
 +    case I2C_START_RECV:
 +        lsm303dlhc_mag_read(s);
 +        break;
 +    case I2C_FINISH:
 +        lsm303dlhc_mag_finish(s);
 +        break;
 +    case I2C_NACK:
 +        break;
 +    }
 +
 +    s->len = 0;
 +    return 0;
 +}
 +
 +/*
 + * Device data description using VMSTATE macros.
 + */
 +static const VMStateDescription vmstate_lsm303dlhc_mag = {
 +    .name = "LSM303DLHC_MAG",
 +    .version_id = 0,
 +    .minimum_version_id = 0,
 +    .fields = (VMStateField[]) {
 +
 +        VMSTATE_I2C_SLAVE(parent_obj, LSM303DLHCMagState),
 +        VMSTATE_UINT8(len, LSM303DLHCMagState),
 +        VMSTATE_UINT8(buf, LSM303DLHCMagState),
 +        VMSTATE_UINT8(pointer, LSM303DLHCMagState),
 +        VMSTATE_UINT8(cra, LSM303DLHCMagState),
 +        VMSTATE_UINT8(crb, LSM303DLHCMagState),
 +        VMSTATE_UINT8(mr, LSM303DLHCMagState),
 +        VMSTATE_INT16(x, LSM303DLHCMagState),
 +        VMSTATE_INT16(z, LSM303DLHCMagState),
 +        VMSTATE_INT16(y, LSM303DLHCMagState),
 +        VMSTATE_INT16(x_lock, LSM303DLHCMagState),
 +        VMSTATE_INT16(z_lock, LSM303DLHCMagState),
 +        VMSTATE_INT16(y_lock, LSM303DLHCMagState),
 +        VMSTATE_UINT8(sr, LSM303DLHCMagState),
 +        VMSTATE_UINT8(ira, LSM303DLHCMagState),
 +        VMSTATE_UINT8(irb, LSM303DLHCMagState),
 +        VMSTATE_UINT8(irc, LSM303DLHCMagState),
 +        VMSTATE_INT16(temperature, LSM303DLHCMagState),
 +        VMSTATE_INT16(temperature_lock, LSM303DLHCMagState),
 +        VMSTATE_END_OF_LIST()
 +    }
 +};
 +
 +/*
 + * Put the device into post-reset default state.
 + */
 +static void lsm303dlhc_mag_default_cfg(LSM303DLHCMagState *s)
 +{
 +    /* Set the device into is default reset state. */
 +    s->len = 0;
 +    s->pointer = 0;         /* Current register. */
 +    s->buf = 0;             /* Shared buffer. */
 +    s->cra = 0x10;          /* Temp Enabled = 0, Data Rate = 15.0 Hz. */
 +    s->crb = 0x20;          /* Gain = +/- 1.3 Gauss. */
 +    s->mr = 0x3;            /* Operating Mode = Sleep. */
 +    s->x = 0;
 +    s->z = 0;
 +    s->y = 0;
 +    s->x_lock = 0;
 +    s->z_lock = 0;
 +    s->y_lock = 0;
 +    s->sr = 0x1;            /* DRDY = 1. */
 +    s->ira = 0x48;
 +    s->irb = 0x34;
 +    s->irc = 0x33;
 +    s->temperature = 0;     /* Default to 0 degrees C (0/8 lsb = 0 C). */
 +    s->temperature_lock = 0;
 +}
 +
 +/*
 + * Callback handler when DeviceState 'reset' is set to true.
 + */
 +static void lsm303dlhc_mag_reset(DeviceState *dev)
 +{
 +    I2CSlave *i2c = I2C_SLAVE(dev);
 +    LSM303DLHCMagState *s = LSM303DLHC_MAG(i2c);
 +
 +    /* Set the device into its default reset state. */
 +    lsm303dlhc_mag_default_cfg(s);
 +}
 +
 +/*
 + * Initialisation of any public properties.
 + */
 +static void lsm303dlhc_mag_initfn(Object *obj)
 +{
 +    object_property_add(obj, "mag-x", "int",
 +                lsm303dlhc_mag_get_x,
 +                lsm303dlhc_mag_set_x, NULL, NULL);
 +
 +    object_property_add(obj, "mag-y", "int",
 +                lsm303dlhc_mag_get_y,
 +                lsm303dlhc_mag_set_y, NULL, NULL);
 +
 +    object_property_add(obj, "mag-z", "int",
 +                lsm303dlhc_mag_get_z,
 +                lsm303dlhc_mag_set_z, NULL, NULL);
 +
 +    object_property_add(obj, "temperature", "int",
 +                lsm303dlhc_mag_get_temperature,
 +                lsm303dlhc_mag_set_temperature, NULL, NULL);
 +}
 +
 +/*
 + * Set the virtual method pointers (bus state change, tx/rx, etc.).
 + */
 +static void lsm303dlhc_mag_class_init(ObjectClass *klass, void *data)
 +{
 +    DeviceClass *dc = DEVICE_CLASS(klass);
 +    I2CSlaveClass *k = I2C_SLAVE_CLASS(klass);
 +
 +    dc->reset = lsm303dlhc_mag_reset;
 +    dc->vmsd = &vmstate_lsm303dlhc_mag;
 +    k->event = lsm303dlhc_mag_event;
 +    k->recv = lsm303dlhc_mag_recv;
 +    k->send = lsm303dlhc_mag_send;
 +}
 +
 +static const TypeInfo lsm303dlhc_mag_info = {
 +    .name = TYPE_LSM303DLHC_MAG,
 +    .parent = TYPE_I2C_SLAVE,
 +    .instance_size = sizeof(LSM303DLHCMagState),
 +    .instance_init = lsm303dlhc_mag_initfn,
 +    .class_init = lsm303dlhc_mag_class_init,
 +};
 +
 +static void lsm303dlhc_mag_register_types(void)
 +{
 +    type_register_static(&lsm303dlhc_mag_info);
 +}
 +
 +type_init(lsm303dlhc_mag_register_types)
 diff --git a/tests/qtest/lsm303dlhc-mag-test.c b/tests/qtest/lsm303dlhc-mag-test.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/tests/qtest/lsm303dlhc-mag-test.c
@@ -XXX,XX +XXX,XX @@
 +/*
 + * QTest testcase for the LSM303DLHC I2C magnetometer
 + *
 + * Copyright (C) 2021 Linaro Ltd.
 + * Written by Kevin Townsend <kevin.townsend@linaro.org>
 + *
 + * Based on: https://www.st.com/resource/en/datasheet/lsm303dlhc.pdf
 + *
 + * SPDX-License-Identifier: GPL-2.0-or-later
 + */
 +
 +#include "qemu/osdep.h"
 +#include "libqtest-single.h"
 +#include "libqos/qgraph.h"
 +#include "libqos/i2c.h"
 +#include "qapi/qmp/qdict.h"
-+#include "qapi/qmp/qjson.h"
++
-+
++#define LSM303DLHC_MAG_TEST_ID        "lsm303dlhc_mag-test"
-+#define MACHINE     "-machine virt,gic-version=max,accel=tcg "
++#define LSM303DLHC_MAG_REG_CRA        0x00
-+#define MACHINE_KVM "-machine virt,gic-version=max,accel=kvm:tcg "
++#define LSM303DLHC_MAG_REG_CRB        0x01
-+#define QUERY_HEAD  "{ 'execute': 'query-cpu-model-expansion', " \
++#define LSM303DLHC_MAG_REG_OUT_X_H    0x03
-+                    "  'arguments': { 'type': 'full', "
++#define LSM303DLHC_MAG_REG_OUT_Z_H    0x05
-+#define QUERY_TAIL  "}}"
++#define LSM303DLHC_MAG_REG_OUT_Y_H    0x07
-+
++#define LSM303DLHC_MAG_REG_IRC        0x0C
-+static bool kvm_enabled(QTestState *qts)
++#define LSM303DLHC_MAG_REG_TEMP_OUT_H 0x31
-+{
++
-+    QDict *resp, *qdict;
++static int qmp_lsm303dlhc_mag_get_property(const char *id, const char *prop)
-+    bool enabled;
++{
-+
++    QDict *response;
-+    resp = qtest_qmp(qts, "{ 'execute': 'query-kvm' }");
++    int ret;
-+    g_assert(qdict_haskey(resp, "return"));
++
-+    qdict = qdict_get_qdict(resp, "return");
++    response = qmp("{ 'execute': 'qom-get', 'arguments': { 'path': %s, "
-+    g_assert(qdict_haskey(qdict, "enabled"));
++                   "'property': %s } }", id, prop);
-+    enabled = qdict_get_bool(qdict, "enabled");
++    g_assert(qdict_haskey(response, "return"));
-+    qobject_unref(resp);
++    ret = qdict_get_int(response, "return");
-+
++    qobject_unref(response);
-+    return enabled;
++    return ret;
 +}
 +
-+static QDict *do_query_no_props(QTestState *qts, const char *cpu_type)
++static void qmp_lsm303dlhc_mag_set_property(const char *id, const char *prop,
-+{
++                                            int value)
-+    return qtest_qmp(qts, QUERY_HEAD "'model': { 'name': %s }"
++{
-+                          QUERY_TAIL, cpu_type);
++    QDict *response;
-+}
++
-+
++    response = qmp("{ 'execute': 'qom-set', 'arguments': { 'path': %s, "
-+static QDict *do_query(QTestState *qts, const char *cpu_type,
++                   "'property': %s, 'value': %d } }", id, prop, value);
-+                       const char *fmt, ...)
++    g_assert(qdict_haskey(response, "return"));
-+{
++    qobject_unref(response);
-+    QDict *resp;
++}
 +
-+    if (fmt) {
++static void send_and_receive(void *obj, void *data, QGuestAllocator *alloc)
-+        QDict *args;
++{
-+        va_list ap;
++    int64_t value;
-+
++    QI2CDevice *i2cdev = (QI2CDevice *)obj;
-+        va_start(ap, fmt);
++
-+        args = qdict_from_vjsonf_nofail(fmt, ap);
++    /* Check default value for CRB */
-+        va_end(ap);
++    g_assert_cmphex(i2c_get8(i2cdev, LSM303DLHC_MAG_REG_CRB), ==, 0x20);
 +
-+        resp = qtest_qmp(qts, QUERY_HEAD "'model': { 'name': %s, "
++    /* Set x to 1.0 gauss and verify the value */
-+                                                    "'props': %p }"
++    qmp_lsm303dlhc_mag_set_property(LSM303DLHC_MAG_TEST_ID, "mag-x", 100000);
-+                              QUERY_TAIL, cpu_type, args);
++    value = qmp_lsm303dlhc_mag_get_property(
-+    } else {
++        LSM303DLHC_MAG_TEST_ID, "mag-x");
-+        resp = do_query_no_props(qts, cpu_type);
++    g_assert_cmpint(value, ==, 100000);
-+    }
++
-+
++    /* Set y to 1.5 gauss and verify the value */
-+    return resp;
++    qmp_lsm303dlhc_mag_set_property(LSM303DLHC_MAG_TEST_ID, "mag-y", 150000);
-+}
++    value = qmp_lsm303dlhc_mag_get_property(
-+
++        LSM303DLHC_MAG_TEST_ID, "mag-y");
-+static const char *resp_get_error(QDict *resp)
++    g_assert_cmpint(value, ==, 150000);
-+{
++
-+    QDict *qdict;
++    /* Set z to 0.5 gauss and verify the value */
-+
++    qmp_lsm303dlhc_mag_set_property(LSM303DLHC_MAG_TEST_ID, "mag-z", 50000);
-+    g_assert(resp);
++    value = qmp_lsm303dlhc_mag_get_property(
-+
++        LSM303DLHC_MAG_TEST_ID, "mag-z");
-+    qdict = qdict_get_qdict(resp, "error");
++    g_assert_cmpint(value, ==, 50000);
-+    if (qdict) {
++
-+        return qdict_get_str(qdict, "desc");
++    /* Set temperature to 23.6 C and verify the value */
-+    }
++    qmp_lsm303dlhc_mag_set_property(LSM303DLHC_MAG_TEST_ID,
-+
++        "temperature", 23600);
-+    return NULL;
++    value = qmp_lsm303dlhc_mag_get_property(
-+}
++        LSM303DLHC_MAG_TEST_ID, "temperature");
-+
++    /* Should return 23.5 C due to 0.125°C steps. */
-+#define assert_error(qts, cpu_type, expected_error, fmt, ...)          \
++    g_assert_cmpint(value, ==, 23500);
-+({                                                                     \
++
-+    QDict *_resp;                                                      \
++    /* Read raw x axis registers (1 gauss = 1100 at +/-1.3 g gain) */
-+    const char *_error;                                                \
++    value = i2c_get16(i2cdev, LSM303DLHC_MAG_REG_OUT_X_H);
-+                                                                       \
++    g_assert_cmphex(value, ==, 1100);
-+    _resp = do_query(qts, cpu_type, fmt, ##__VA_ARGS__);               \
++
-+    g_assert(_resp);                                                   \
++    /* Read raw y axis registers (1.5 gauss = 1650 at +/- 1.3 g gain = ) */
-+    _error = resp_get_error(_resp);                                    \
++    value = i2c_get16(i2cdev, LSM303DLHC_MAG_REG_OUT_Y_H);
-+    g_assert(_error);                                                  \
++    g_assert_cmphex(value, ==, 1650);
-+    g_assert(g_str_equal(_error, expected_error));                     \
++
-+    qobject_unref(_resp);                                              \
++    /* Read raw z axis registers (0.5 gauss = 490 at +/- 1.3 g gain = ) */
-+})
++    value = i2c_get16(i2cdev, LSM303DLHC_MAG_REG_OUT_Z_H);
-+
++    g_assert_cmphex(value, ==, 490);
-+static bool resp_has_props(QDict *resp)
++
-+{
++    /* Read raw temperature registers with temp disabled (CRA = 0x10) */
-+    QDict *qdict;
++    value = i2c_get16(i2cdev, LSM303DLHC_MAG_REG_TEMP_OUT_H);
-+
++    g_assert_cmphex(value, ==, 0);
-+    g_assert(resp);
++
-+
++    /* Enable temperature reads (CRA = 0x90) */
-+    if (!qdict_haskey(resp, "return")) {
++    i2c_set8(i2cdev, LSM303DLHC_MAG_REG_CRA, 0x90);
-+        return false;
++
-+    }
++    /* Read raw temp registers (23.5 C = 188 at 1 lsb = 0.125 C) */
-+    qdict = qdict_get_qdict(resp, "return");
++    value = i2c_get16(i2cdev, LSM303DLHC_MAG_REG_TEMP_OUT_H);
-+
++    g_assert_cmphex(value, ==, 188);
-+    if (!qdict_haskey(qdict, "model")) {
++}
-+        return false;
++
-+    }
++static void reg_wraparound(void *obj, void *data, QGuestAllocator *alloc)
-+    qdict = qdict_get_qdict(qdict, "model");
++{
-+
++    uint8_t value[4];
-+    return qdict_haskey(qdict, "props");
++    QI2CDevice *i2cdev = (QI2CDevice *)obj;
-+}
++
-+
++    /* Set x to 1.0 gauss, and y to 1.5 gauss for known test values */
-+static QDict *resp_get_props(QDict *resp)
++    qmp_lsm303dlhc_mag_set_property(LSM303DLHC_MAG_TEST_ID, "mag-x", 100000);
-+{
++    qmp_lsm303dlhc_mag_set_property(LSM303DLHC_MAG_TEST_ID, "mag-y", 150000);
-+    QDict *qdict;
++
-+
++    /* Check that requesting 4 bytes starting at Y_H wraps around to X_L */
-+    g_assert(resp);
++    i2c_read_block(i2cdev, LSM303DLHC_MAG_REG_OUT_Y_H, value, 4);
-+    g_assert(resp_has_props(resp));
++    /* 1.5 gauss = 1650 lsb = 0x672 */
-+
++    g_assert_cmphex(value[0], ==, 0x06);
-+    qdict = qdict_get_qdict(resp, "return");
++    g_assert_cmphex(value[1], ==, 0x72);
-+    qdict = qdict_get_qdict(qdict, "model");
++    /* 1.0 gauss = 1100 lsb = 0x44C */
-+    qdict = qdict_get_qdict(qdict, "props");
++    g_assert_cmphex(value[2], ==, 0x04);
-+
++    g_assert_cmphex(value[3], ==, 0x4C);
-+    return qdict;
++
-+}
++    /* Check that requesting LSM303DLHC_MAG_REG_IRC wraps around to CRA */
-+
++    i2c_read_block(i2cdev, LSM303DLHC_MAG_REG_IRC, value, 2);
-+#define assert_has_feature(qts, cpu_type, feature)                     \
++    /* Default value for IRC = 0x33 */
-+({                                                                     \
++    g_assert_cmphex(value[0], ==, 0x33);
-+    QDict *_resp = do_query_no_props(qts, cpu_type);                   \
++    /* Default value for CRA = 0x10 */
-+    g_assert(_resp);                                                   \
++    g_assert_cmphex(value[1], ==, 0x10);
-+    g_assert(resp_has_props(_resp));                                   \
++}
-+    g_assert(qdict_get(resp_get_props(_resp), feature));               \
++
-+    qobject_unref(_resp);                                              \
++static void lsm303dlhc_mag_register_nodes(void)
-+})
++{
-+
++    QOSGraphEdgeOptions opts = {
-+#define assert_has_not_feature(qts, cpu_type, feature)                 \
++        .extra_device_opts = "id=" LSM303DLHC_MAG_TEST_ID ",address=0x1e"
-+({                                                                     \
++    };
-+    QDict *_resp = do_query_no_props(qts, cpu_type);                   \
++    add_qi2c_address(&opts, &(QI2CAddress) { 0x1E });
-+    g_assert(_resp);                                                   \
++
-+    g_assert(!resp_has_props(_resp) ||                                 \
++    qos_node_create_driver("lsm303dlhc_mag", i2c_device_create);
-+             !qdict_get(resp_get_props(_resp), feature));              \
++    qos_node_consumes("lsm303dlhc_mag", "i2c-bus", &opts);
-+    qobject_unref(_resp);                                              \
++
-+})
++    qos_add_test("tx-rx", "lsm303dlhc_mag", send_and_receive, NULL);
-+
++    qos_add_test("regwrap", "lsm303dlhc_mag", reg_wraparound, NULL);
-+static void assert_type_full(QTestState *qts)
++}
-+{
++libqos_init(lsm303dlhc_mag_register_nodes);
-+    const char *error;
+diff --git a/hw/sensor/Kconfig b/hw/sensor/Kconfig
-+    QDict *resp;
+index XXXXXXX..XXXXXXX 100644
-+
+--- a/hw/sensor/Kconfig
-+    resp = qtest_qmp(qts, "{ 'execute': 'query-cpu-model-expansion', "
++++ b/hw/sensor/Kconfig
-+                            "'arguments': { 'type': 'static', "
+@@ -XXX,XX +XXX,XX @@ config ADM1272
-+                                           "'model': { 'name': 'foo' }}}");
+ config MAX34451
-+    g_assert(resp);
+     bool
-+    error = resp_get_error(resp);
+     depends on I2C
-+    g_assert(error);
++
-+    g_assert(g_str_equal(error,
++config LSM303DLHC_MAG
-+                         "The requested expansion type is not supported"));
++    bool
-+    qobject_unref(resp);
++    depends on I2C
-+}
+diff --git a/hw/sensor/meson.build b/hw/sensor/meson.build
-+
+index XXXXXXX..XXXXXXX 100644
-+static void assert_bad_props(QTestState *qts, const char *cpu_type)
+--- a/hw/sensor/meson.build
-+{
++++ b/hw/sensor/meson.build
-+    const char *error;
+@@ -XXX,XX +XXX,XX @@ softmmu_ss.add(when: 'CONFIG_DPS310', if_true: files('dps310.c'))
-+    QDict *resp;
+ softmmu_ss.add(when: 'CONFIG_EMC141X', if_true: files('emc141x.c'))
-+
+ softmmu_ss.add(when: 'CONFIG_ADM1272', if_true: files('adm1272.c'))
-+    resp = qtest_qmp(qts, "{ 'execute': 'query-cpu-model-expansion', "
+ softmmu_ss.add(when: 'CONFIG_MAX34451', if_true: files('max34451.c'))
-+                            "'arguments': { 'type': 'full', "
++softmmu_ss.add(when: 'CONFIG_LSM303DLHC_MAG', if_true: files('lsm303dlhc_mag.c'))
-+                                           "'model': { 'name': %s, "
+diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build
-+                                                      "'props': false }}}",
+index XXXXXXX..XXXXXXX 100644
-+                     cpu_type);
+--- a/tests/qtest/meson.build
-+    g_assert(resp);
++++ b/tests/qtest/meson.build
-+    error = resp_get_error(resp);
+@@ -XXX,XX +XXX,XX @@ qos_test_ss.add(
-+    g_assert(error);
+   'eepro100-test.c',
-+    g_assert(g_str_equal(error,
+   'es1370-test.c',
-+                         "Invalid parameter type for 'props', expected: dict"));
+   'ipoctal232-test.c',
-+    qobject_unref(resp);
++  'lsm303dlhc-mag-test.c',
-+}
+   'max34451-test.c',
-+
+   'megasas-test.c',
-+static void test_query_cpu_model_expansion(const void *data)
+   'ne2000-test.c',
 +{
 +    QTestState *qts;
 +
 +    qts = qtest_init(MACHINE "-cpu max");
 +
 +    /* Test common query-cpu-model-expansion input validation */
 +    assert_type_full(qts);
 +    assert_bad_props(qts, "max");
 +    assert_error(qts, "foo", "The CPU type 'foo' is not a recognized "
 +                 "ARM CPU type", NULL);
 +    assert_error(qts, "max", "Parameter 'not-a-prop' is unexpected",
 +                 "{ 'not-a-prop': false }");
 +    assert_error(qts, "host", "The CPU type 'host' requires KVM", NULL);
 +
 +    /* Test expected feature presence/absence for some cpu types */
 +    assert_has_feature(qts, "max", "pmu");
 +    assert_has_feature(qts, "cortex-a15", "pmu");
 +    assert_has_not_feature(qts, "cortex-a15", "aarch64");
 +
 +    if (g_str_equal(qtest_get_arch(), "aarch64")) {
 +        assert_has_feature(qts, "max", "aarch64");
 +        assert_has_feature(qts, "cortex-a57", "pmu");
 +        assert_has_feature(qts, "cortex-a57", "aarch64");
 +
 +        /* Test that features that depend on KVM generate errors without. */
 +        assert_error(qts, "max",
 +                     "'aarch64' feature cannot be disabled "
 +                     "unless KVM is enabled and 32-bit EL1 "
 +                     "is supported",
 +                     "{ 'aarch64': false }");
 +    }
 +
 +    qtest_quit(qts);
 +}
 +
 +static void test_query_cpu_model_expansion_kvm(const void *data)
 +{
 +    QTestState *qts;
 +
 +    qts = qtest_init(MACHINE_KVM "-cpu max");
 +
 +    /*
 +     * These tests target the 'host' CPU type, so KVM must be enabled.
 +     */
 +    if (!kvm_enabled(qts)) {
 +        qtest_quit(qts);
 +        return;
 +    }
 +
 +    if (g_str_equal(qtest_get_arch(), "aarch64")) {
 +        assert_has_feature(qts, "host", "aarch64");
 +        assert_has_feature(qts, "host", "pmu");
 +
 +        assert_error(qts, "cortex-a15",
 +            "We cannot guarantee the CPU type 'cortex-a15' works "
 +            "with KVM on this host", NULL);
 +    } else {
 +        assert_has_not_feature(qts, "host", "aarch64");
 +        assert_has_not_feature(qts, "host", "pmu");
 +    }
 +
 +    qtest_quit(qts);
 +}
 +
 +int main(int argc, char **argv)
 +{
 +    g_test_init(&argc, &argv, NULL);
 +
 +    qtest_add_data_func("/arm/query-cpu-model-expansion",
 +                        NULL, test_query_cpu_model_expansion);
 +    qtest_add_data_func("/arm/kvm/query-cpu-model-expansion",
 +                        NULL, test_query_cpu_model_expansion_kvm);
 +
 +    return g_test_run();
 +}
 --
-.20.1
+.25.1

target-arm queue: two bug fixes, plus the KVM/SVE patchset,
which is a new feature but one which was in my pre-softfreeze
pullreq (it just had to be dropped due to an unexpected test failure.)

thanks
-- PMM

The following changes since commit b7c9a7f353c0e260519bf735ff0d4aa01e72784b:

Merge remote-tracking branch 'remotes/jnsnow/tags/ide-pull-request' into staging (2019-10-31 15:57:30 +0000)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20191101-1

for you to fetch changes up to d9ae7624b659362cb2bb2b04fee53bf50829ca56:

target/arm: Allow reading flags from FPSCR for M-profile (2019-11-01 08:49:10 +0000)

----------------------------------------------------------------
target-arm queue:
 * Support SVE in KVM guests
 * Don't UNDEF on M-profile 'vmrs apsr_nzcv, fpscr'
 * Update hflags after boot.c modifies CPU state

----------------------------------------------------------------
Andrew Jones (9):
      target/arm/monitor: Introduce qmp_query_cpu_model_expansion
      tests: arm: Introduce cpu feature tests
      target/arm: Allow SVE to be disabled via a CPU property
      target/arm/cpu64: max cpu: Introduce sve<N> properties
      target/arm/kvm64: Add kvm_arch_get/put_sve
      target/arm/kvm64: max cpu: Enable SVE when available
      target/arm/kvm: scratch vcpu: Preserve input kvm_vcpu_init features
      target/arm/cpu64: max cpu: Support sve properties with KVM
      target/arm/kvm: host cpu: Add support for sve<N> properties

Christophe Lyon (1):
      target/arm: Allow reading flags from FPSCR for M-profile

Edgar E. Iglesias (1):
      hw/arm/boot: Rebuild hflags when modifying CPUState at boot