Series comparison

-[PULL 00/12] target-arm queue
+[PULL 00/33] target-arm queue
-The following changes since commit 6eeea6725a70e6fcb5abba0764496bdab07ddfb3:
+Hi; here's the first target-arm pullreq for the 7.0 cycle.
-  Merge remote-tracking branch 'remotes/huth-gitlab/tags/pull-request-2020-10-06' into staging (2020-10-06 21:13:34 +0100)
+thanks
 -- PMM
 The following changes since commit 76b56fdfc9fa43ec6e5986aee33f108c6c6a511e:
   Merge tag 'block-pull-request' of https://gitlab.com/stefanha/qemu into staging (2021-12-14 12:46:18 -0800)
 are available in the Git repository at:
-  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20201008
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20211215
-for you to fetch changes up to ba118c26e16a97e6ff6de8184057d3420ce16a23:
+for you to fetch changes up to aed176558806674d030a8305d989d4e6a5073359:
-  target/arm: Make '-cpu max' have a 48-bit PA (2020-10-08 15:24:32 +0100)
+  tests/acpi: add expected blob for VIOT test on virt machine (2021-12-15 10:35:26 +0000)
 ----------------------------------------------------------------
 target-arm queue:
- * hw/ssi/npcm7xx_fiu: Fix handling of unsigned integer
+ * ITS: error reporting cleanup
- * hw/arm/fsl-imx25: Fix a typo
+ * aspeed: improve documentation
- * hw/arm/sbsa-ref : Fix SMMUv3 Initialisation
+ * Fix STM32F2XX USART data register readout
- * hw/arm/sbsa-ref : allocate IRQs for SMMUv3
+ * allow emulated GICv3 to be disabled in non-TCG builds
- * hw/char/bcm2835_aux: Allow less than 32-bit accesses
+ * fix exception priority for singlestep, misaligned PC, bp, etc
- * hw/arm/virt: Implement kvm-steal-time
+ * Correct calculation of tlb range invalidate length
- * target/arm: Make '-cpu max' have a 48-bit PA
+ * npcm7xx_emc: fix missing queue_flush
  * virt: Add VIOT ACPI table for virtio-iommu
  * target/i386: Use assert() to sanity-check b1 in SSE decode
  * Don't include qemu-common unnecessarily
 ----------------------------------------------------------------
-Andrew Jones (6):
+Alex Bennée (1):
-      linux headers: sync to 5.9-rc7
+      hw/intc: clean-up error reporting for failed ITS cmd
       target/arm/kvm: Make uncalled stubs explicitly unreachable
       hw/arm/virt: Move post cpu realize check into its own function
       hw/arm/virt: Move kvm pmu setup to virt_cpu_post_init
       tests/qtest: Restore aarch64 arm-cpu-features test
       hw/arm/virt: Implement kvm-steal-time
-Graeme Gregory (2):
+Jean-Philippe Brucker (8):
-      hw/arm/sbsa-ref : Fix SMMUv3 Initialisation
+      hw/arm/virt-acpi-build: Add VIOT table for virtio-iommu
-      hw/arm/sbsa-ref : allocate IRQs for SMMUv3
+      hw/arm/virt: Remove device tree restriction for virtio-iommu
       hw/arm/virt: Reject instantiation of multiple IOMMUs
       hw/arm/virt: Use object_property_set instead of qdev_prop_set
       tests/acpi: allow updates of VIOT expected data files
       tests/acpi: add test case for VIOT
       tests/acpi: add expected blobs for VIOT test on q35 machine
       tests/acpi: add expected blob for VIOT test on virt machine
-Peter Maydell (1):
+Joel Stanley (4):
-      target/arm: Make '-cpu max' have a 48-bit PA
+      docs: aspeed: Add new boards
       docs: aspeed: Update OpenBMC image URL
       docs: aspeed: Give an example of booting a kernel
       docs: aspeed: ADC is now modelled
-Philippe Mathieu-Daudé (3):
+Olivier Hériveaux (1):
-      hw/ssi/npcm7xx_fiu: Fix handling of unsigned integer
+      Fix STM32F2XX USART data register readout
       hw/arm/fsl-imx25: Fix a typo
       hw/char/bcm2835_aux: Allow less than 32-bit accesses
- docs/system/arm/cpu-features.rst |  11 ++++
+Patrick Venture (1):
- include/hw/arm/fsl-imx25.h       |   2 +-
+      hw/net: npcm7xx_emc fix missing queue_flush
  include/hw/arm/virt.h            |   5 ++
  linux-headers/linux/kvm.h        |   6 ++-
  target/arm/cpu.h                 |   4 ++
  target/arm/kvm_arm.h             |  94 ++++++++++++++++++++++++++-------
  hw/arm/sbsa-ref.c                |   3 +-
  hw/arm/virt.c                    | 110 ++++++++++++++++++++++++++++-----------
  hw/char/bcm2835_aux.c            |   4 +-
  hw/ssi/npcm7xx_fiu.c             |  12 ++---
  target/arm/cpu.c                 |   8 +++
  target/arm/cpu64.c               |   4 ++
  target/arm/kvm.c                 |  16 ++++++
  target/arm/kvm64.c               |  64 +++++++++++++++++++++--
  target/arm/monitor.c             |   2 +-
  tests/qtest/arm-cpu-features.c   |  25 +++++++--
  hw/ssi/trace-events              |   2 +-
  tests/qtest/meson.build          |   3 +-
 files changed, 303 insertions(+), 72 deletions(-)
+Peter Maydell (6):
+      target/i386: Use assert() to sanity-check b1 in SSE decode
+      include/hw/i386: Don't include qemu-common.h in .h files
+      target/hexagon/cpu.h: don't include qemu-common.h
+      target/rx/cpu.h: Don't include qemu-common.h
+      hw/arm: Don't include qemu-common.h unnecessarily
+      target/arm: Correct calculation of tlb range invalidate length
+Philippe Mathieu-Daudé (2):
+      hw/intc/arm_gicv3: Extract gicv3_set_gicv3state from arm_gicv3_cpuif.c
+      hw/intc/arm_gicv3: Introduce CONFIG_ARM_GIC_TCG Kconfig selector
+Richard Henderson (10):
+      target/arm: Hoist pc_next to a local variable in aarch64_tr_translate_insn
+      target/arm: Hoist pc_next to a local variable in arm_tr_translate_insn
+      target/arm: Hoist pc_next to a local variable in thumb_tr_translate_insn
+      target/arm: Split arm_pre_translate_insn
+      target/arm: Advance pc for arch single-step exception
+      target/arm: Split compute_fsr_fsc out of arm_deliver_fault
+      target/arm: Take an exception if PC is misaligned
+      target/arm: Assert thumb pc is aligned
+      target/arm: Suppress bp for exceptions with more priority
+      tests/tcg: Add arm and aarch64 pc alignment tests
+ docs/system/arm/aspeed.rst        |  26 ++++++++++++----
+ include/hw/i386/microvm.h         |   1 -
+ include/hw/i386/x86.h             |   1 -
+ target/arm/helper.h               |   1 +
+ target/arm/syndrome.h             |   5 +++
+ target/hexagon/cpu.h              |   1 -
+ target/rx/cpu.h                   |   1 -
+ hw/arm/boot.c                     |   1 -
+ hw/arm/digic_boards.c             |   1 -
+ hw/arm/highbank.c                 |   1 -
+ hw/arm/npcm7xx_boards.c           |   1 -
+ hw/arm/sbsa-ref.c                 |   1 -
+ hw/arm/stm32f405_soc.c            |   1 -
+ hw/arm/vexpress.c                 |   1 -
+ hw/arm/virt-acpi-build.c          |   7 +++++
+ hw/arm/virt.c                     |  21 ++++++-------
+ hw/char/stm32f2xx_usart.c         |   3 +-
+ hw/intc/arm_gicv3.c               |   2 +-
+ hw/intc/arm_gicv3_cpuif.c         |  10 +-----
+ hw/intc/arm_gicv3_cpuif_common.c  |  22 +++++++++++++
+ hw/intc/arm_gicv3_its.c           |  39 +++++++++++++++--------
+ hw/net/npcm7xx_emc.c              |  18 +++++------
+ hw/virtio/virtio-iommu-pci.c      |  12 ++------
+ linux-user/aarch64/cpu_loop.c     |  46 ++++++++++++++++------------
+ linux-user/hexagon/cpu_loop.c     |   1 +
+ target/arm/debug_helper.c         |  23 ++++++++++++++
+ target/arm/gdbstub.c              |   9 ++++--
+ target/arm/helper.c               |   6 ++--
+ target/arm/machine.c              |  10 ++++++
+ target/arm/tlb_helper.c           |  63 ++++++++++++++++++++++++++++----------
+ target/arm/translate-a64.c        |  23 ++++++++++++--
+ target/arm/translate.c            |  58 ++++++++++++++++++++++++++---------
+ target/i386/tcg/translate.c       |  12 ++------
+ tests/qtest/bios-tables-test.c    |  38 +++++++++++++++++++++++
+ tests/tcg/aarch64/pcalign-a64.c   |  37 ++++++++++++++++++++++
+ tests/tcg/arm/pcalign-a32.c       |  46 ++++++++++++++++++++++++++++
+ hw/arm/Kconfig                    |   1 +
+ hw/intc/Kconfig                   |   5 +++
+ hw/intc/meson.build               |  11 ++++---
+ tests/data/acpi/q35/DSDT.viot     | Bin 0 -> 9398 bytes
+ tests/data/acpi/q35/VIOT.viot     | Bin 0 -> 112 bytes
+ tests/data/acpi/virt/VIOT         | Bin 0 -> 88 bytes
+ tests/tcg/aarch64/Makefile.target |   4 +--
+ tests/tcg/arm/Makefile.target     |   4 +++
+files changed, 429 insertions(+), 145 deletions(-)
+ create mode 100644 hw/intc/arm_gicv3_cpuif_common.c
+ create mode 100644 tests/tcg/aarch64/pcalign-a64.c
+ create mode 100644 tests/tcg/arm/pcalign-a32.c
+ create mode 100644 tests/data/acpi/q35/DSDT.viot
+ create mode 100644 tests/data/acpi/q35/VIOT.viot
+ create mode 100644 tests/data/acpi/virt/VIOT

-New patch
+[PULL 01/33] hw/intc: clean-up error reporting for failed ITS cmd
+From: Alex Bennée <alex.bennee@linaro.org>
+While trying to debug a GIC ITS failure I saw some guest errors that
+had poor formatting as well as leaving me confused as to what failed.
+As most of the checks aren't possible without a valid dte split that
+check apart and then check the other conditions in steps. This avoids
+us relying on undefined data.
+I still get a failure with the current kvm-unit-tests but at least I
+know (partially) why now:
+  Exception return from AArch64 EL1 to AArch64 EL1 PC 0x40080588
+  PASS: gicv3: its-trigger: inv/invall: dev2/eventid=20 now triggers an LPI
+  ITS: MAPD devid=2 size = 0x8 itt=0x40430000 valid=0
+  INT dev_id=2 event_id=20
+  process_its_cmd: invalid command attributes: invalid dte: 0 for 2 (MEM_TX: 0)
+  PASS: gicv3: its-trigger: mapd valid=false: no LPI after device unmap
+  SUMMARY: 6 tests, 1 unexpected failures
+Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20211112170454.3158925-1-alex.bennee@linaro.org
+Cc: Shashi Mallela <shashi.mallela@linaro.org>
+Cc: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ hw/intc/arm_gicv3_its.c | 39 +++++++++++++++++++++++++++------------
+file changed, 27 insertions(+), 12 deletions(-)
+diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/intc/arm_gicv3_its.c
++++ b/hw/intc/arm_gicv3_its.c
+@@ -XXX,XX +XXX,XX @@ static bool process_its_cmd(GICv3ITSState *s, uint64_t value, uint32_t offset,
+         if (res != MEMTX_OK) {
+             return result;
+         }
++    } else {
++        qemu_log_mask(LOG_GUEST_ERROR,
++                      "%s: invalid command attributes: "
++                      "invalid dte: %"PRIx64" for %d (MEM_TX: %d)\n",
++                      __func__, dte, devid, res);
++        return result;
+     }
+-    if ((devid > s->dt.maxids.max_devids) || !dte_valid || !ite_valid ||
+-            !cte_valid || (eventid > max_eventid)) {
++
++    /*
++     * In this implementation, in case of guest errors we ignore the
++     * command and move onto the next command in the queue.
++     */
++    if (devid > s->dt.maxids.max_devids) {
+         qemu_log_mask(LOG_GUEST_ERROR,
+-                      "%s: invalid command attributes "
+-                      "devid %d or eventid %d or invalid dte %d or"
+-                      "invalid cte %d or invalid ite %d\n",
+-                      __func__, devid, eventid, dte_valid, cte_valid,
+-                      ite_valid);
+-        /*
+-         * in this implementation, in case of error
+-         * we ignore this command and move onto the next
+-         * command in the queue
+-         */
++                      "%s: invalid command attributes: devid %d>%d",
++                      __func__, devid, s->dt.maxids.max_devids);
++
++    } else if (!dte_valid || !ite_valid || !cte_valid) {
++        qemu_log_mask(LOG_GUEST_ERROR,
++                      "%s: invalid command attributes: "
++                      "dte: %s, ite: %s, cte: %s\n",
++                      __func__,
++                      dte_valid ? "valid" : "invalid",
++                      ite_valid ? "valid" : "invalid",
++                      cte_valid ? "valid" : "invalid");
++    } else if (eventid > max_eventid) {
++        qemu_log_mask(LOG_GUEST_ERROR,
++                      "%s: invalid command attributes: eventid %d > %d\n",
++                      __func__, eventid, max_eventid);
+     } else {
+         /*
+          * Current implementation only supports rdbase == procnum
+--
+.25.1

-New patch
+[PULL 02/33] docs: aspeed: Add new boards
+From: Joel Stanley <joel@jms.id.au>
+Add X11, FP5280G2, G220A, Rainier and Fuji. Mention that Swift will be
+removed in v7.0.
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+Reviewed-by: Cédric Le Goater <clg@kaod.org>
+Message-id: 20211117065752.330632-2-joel@jms.id.au
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ docs/system/arm/aspeed.rst | 7 ++++++-
+file changed, 6 insertions(+), 1 deletion(-)
+diff --git a/docs/system/arm/aspeed.rst b/docs/system/arm/aspeed.rst
+index XXXXXXX..XXXXXXX 100644
+--- a/docs/system/arm/aspeed.rst
++++ b/docs/system/arm/aspeed.rst
+@@ -XXX,XX +XXX,XX @@ AST2400 SoC based machines :
+ - ``palmetto-bmc``         OpenPOWER Palmetto POWER8 BMC
+ - ``quanta-q71l-bmc``      OpenBMC Quanta BMC
++- ``supermicrox11-bmc``    Supermicro X11 BMC
+ AST2500 SoC based machines :
+@@ -XXX,XX +XXX,XX @@ AST2500 SoC based machines :
+ - ``romulus-bmc``          OpenPOWER Romulus POWER9 BMC
+ - ``witherspoon-bmc``      OpenPOWER Witherspoon POWER9 BMC
+ - ``sonorapass-bmc``       OCP SonoraPass BMC
+-- ``swift-bmc``            OpenPOWER Swift BMC POWER9
++- ``swift-bmc``            OpenPOWER Swift BMC POWER9 (to be removed in v7.0)
++- ``fp5280g2-bmc``         Inspur FP5280G2 BMC
++- ``g220a-bmc``            Bytedance G220A BMC
+ AST2600 SoC based machines :
+ - ``ast2600-evb``          Aspeed AST2600 Evaluation board (Cortex-A7)
+ - ``tacoma-bmc``           OpenPOWER Witherspoon POWER9 AST2600 BMC
++- ``rainier-bmc``          IBM Rainier POWER10 BMC
++- ``fuji-bmc``             Facebook Fuji BMC
+ Supported devices
+ -----------------
+--
+.25.1

-[PULL 03/12] hw/arm/sbsa-ref : Fix SMMUv3 Initialisation
+[PULL 03/33] docs: aspeed: Update OpenBMC image URL
-From: Graeme Gregory <graeme@nuviainc.com>
+From: Joel Stanley <joel@jms.id.au>
-SMMUv3 has an error in a previous patch where an i was transposed to a 1
+This is the latest URL for the OpenBMC CI. The old URL still works, but
-meaning interrupts would not have been correctly assigned to the SMMUv3
+redirects.
 instance.
-Fixes: 48ba18e6d3f3 ("hw/arm/sbsa-ref: Simplify by moving the gic in the machine state")
+Reviewed-by: Cédric Le Goater <clg@kaod.org>
-Signed-off-by: Graeme Gregory <graeme@nuviainc.com>
+Signed-off-by: Joel Stanley <joel@jms.id.au>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Message-id: 20211117065752.330632-3-joel@jms.id.au
 Reviewed-by: Eric Auger <eric.auger@redhat.com>
 Message-id: 20201007100732.4103790-2-graeme@nuviainc.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/sbsa-ref.c | 2 +-
+ docs/system/arm/aspeed.rst | 2 +-
 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c
+diff --git a/docs/system/arm/aspeed.rst b/docs/system/arm/aspeed.rst
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/sbsa-ref.c
+--- a/docs/system/arm/aspeed.rst
-+++ b/hw/arm/sbsa-ref.c
++++ b/docs/system/arm/aspeed.rst
-@@ -XXX,XX +XXX,XX @@ static void create_smmu(const SBSAMachineState *sms, PCIBus *bus)
+@@ -XXX,XX +XXX,XX @@ The Aspeed machines can be started using the ``-kernel`` option to
-     sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, base);
+ load a Linux kernel or from a firmware. Images can be downloaded from
-     for (i = 0; i < NUM_SMMU_IRQS; i++) {
+ the OpenBMC jenkins :
-         sysbus_connect_irq(SYS_BUS_DEVICE(dev), i,
--                           qdev_get_gpio_in(sms->gic, irq + 1));
+-   https://jenkins.openbmc.org/job/ci-openbmc/lastSuccessfulBuild/distro=ubuntu,label=docker-builder
-+                           qdev_get_gpio_in(sms->gic, irq + i));
++   https://jenkins.openbmc.org/job/ci-openbmc/lastSuccessfulBuild/
-     }
- }
+ or directly from the OpenBMC GitHub release repository :
 --
-.20.1
+.25.1

-New patch
+[PULL 04/33] docs: aspeed: Give an example of booting a kernel
+From: Joel Stanley <joel@jms.id.au>
+A common use case for the ASPEED machine is to boot a Linux kernel.
+Provide a full example command line.
+Reviewed-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+Message-id: 20211117065752.330632-4-joel@jms.id.au
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ docs/system/arm/aspeed.rst | 15 ++++++++++++---
+file changed, 12 insertions(+), 3 deletions(-)
+diff --git a/docs/system/arm/aspeed.rst b/docs/system/arm/aspeed.rst
+index XXXXXXX..XXXXXXX 100644
+--- a/docs/system/arm/aspeed.rst
++++ b/docs/system/arm/aspeed.rst
+@@ -XXX,XX +XXX,XX @@ Missing devices
+ Boot options
+ ------------
+-The Aspeed machines can be started using the ``-kernel`` option to
+-load a Linux kernel or from a firmware. Images can be downloaded from
+-the OpenBMC jenkins :
++The Aspeed machines can be started using the ``-kernel`` and ``-dtb`` options
++to load a Linux kernel or from a firmware. Images can be downloaded from the
++OpenBMC jenkins :
+    https://jenkins.openbmc.org/job/ci-openbmc/lastSuccessfulBuild/
+@@ -XXX,XX +XXX,XX @@ or directly from the OpenBMC GitHub release repository :
+    https://github.com/openbmc/openbmc/releases
++To boot a kernel directly from a Linux build tree:
++
++.. code-block:: bash
++
++  $ qemu-system-arm -M ast2600-evb -nographic \
++        -kernel arch/arm/boot/zImage \
++        -dtb arch/arm/boot/dts/aspeed-ast2600-evb.dtb \
++        -initrd rootfs.cpio
++
+ The image should be attached as an MTD drive. Run :
+ .. code-block:: bash
+--
+.25.1

-New patch
+[PULL 05/33] docs: aspeed: ADC is now modelled
+From: Joel Stanley <joel@jms.id.au>
+Move it to the supported list.
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+Message-id: 20211117065752.330632-5-joel@jms.id.au
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ docs/system/arm/aspeed.rst | 2 +-
+file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/docs/system/arm/aspeed.rst b/docs/system/arm/aspeed.rst
+index XXXXXXX..XXXXXXX 100644
+--- a/docs/system/arm/aspeed.rst
++++ b/docs/system/arm/aspeed.rst
+@@ -XXX,XX +XXX,XX @@ Supported devices
+  * Front LEDs (PCA9552 on I2C bus)
+  * LPC Peripheral Controller (a subset of subdevices are supported)
+  * Hash/Crypto Engine (HACE) - Hash support only. TODO: HMAC and RSA
++ * ADC
+ Missing devices
+ ---------------
+  * Coprocessor support
+- * ADC (out of tree implementation)
+  * PWM and Fan Controller
+  * Slave GPIO Controller
+  * Super I/O Controller
+--
+.25.1

-New patch
+[PULL 06/33] Fix STM32F2XX USART data register readout
+From: Olivier Hériveaux <olivier.heriveaux@ledger.fr>
+Fix issue where the data register may be overwritten by next character
+reception before being read and returned.
+Signed-off-by: Olivier Hériveaux <olivier.heriveaux@ledger.fr>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Message-id: 20211128120723.4053-1-olivier.heriveaux@ledger.fr
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ hw/char/stm32f2xx_usart.c | 3 ++-
+file changed, 2 insertions(+), 1 deletion(-)
+diff --git a/hw/char/stm32f2xx_usart.c b/hw/char/stm32f2xx_usart.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/char/stm32f2xx_usart.c
++++ b/hw/char/stm32f2xx_usart.c
+@@ -XXX,XX +XXX,XX @@ static uint64_t stm32f2xx_usart_read(void *opaque, hwaddr addr,
+         return retvalue;
+     case USART_DR:
+         DB_PRINT("Value: 0x%" PRIx32 ", %c\n", s->usart_dr, (char) s->usart_dr);
++        retvalue = s->usart_dr & 0x3FF;
+         s->usart_sr &= ~USART_SR_RXNE;
+         qemu_chr_fe_accept_input(&s->chr);
+         qemu_set_irq(s->irq, 0);
+-        return s->usart_dr & 0x3FF;
++        return retvalue;
+     case USART_BRR:
+         return s->usart_brr;
+     case USART_CR1:
+--
+.25.1

-New patch
+[PULL 07/33] hw/intc/arm_gicv3: Extract gicv3_set_gicv3state from arm_gicv3_cpuif.c
+From: Philippe Mathieu-Daudé <philmd@redhat.com>
+gicv3_set_gicv3state() is used by arm_gicv3_common.c in
+arm_gicv3_common_realize(). Since we want to restrict
+arm_gicv3_cpuif.c to TCG, extract gicv3_set_gicv3state()
+to a new file. Add this file to the meson 'specific'
+source set, since it needs access to "cpu.h".
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20211115223619.2599282-2-philmd@redhat.com
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ hw/intc/arm_gicv3_cpuif.c        | 10 +---------
+ hw/intc/arm_gicv3_cpuif_common.c | 22 ++++++++++++++++++++++
+ hw/intc/meson.build              |  1 +
+files changed, 24 insertions(+), 9 deletions(-)
+ create mode 100644 hw/intc/arm_gicv3_cpuif_common.c
+diff --git a/hw/intc/arm_gicv3_cpuif.c b/hw/intc/arm_gicv3_cpuif.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/intc/arm_gicv3_cpuif.c
++++ b/hw/intc/arm_gicv3_cpuif.c
+@@ -XXX,XX +XXX,XX @@
+ /*
+- * ARM Generic Interrupt Controller v3
++ * ARM Generic Interrupt Controller v3 (emulation)
+  *
+  * Copyright (c) 2016 Linaro Limited
+  * Written by Peter Maydell
+@@ -XXX,XX +XXX,XX @@
+ #include "hw/irq.h"
+ #include "cpu.h"
+-void gicv3_set_gicv3state(CPUState *cpu, GICv3CPUState *s)
+-{
+-    ARMCPU *arm_cpu = ARM_CPU(cpu);
+-    CPUARMState *env = &arm_cpu->env;
+-
+-    env->gicv3state = (void *)s;
+-};
+-
+ static GICv3CPUState *icc_cs_from_env(CPUARMState *env)
+ {
+     return env->gicv3state;
+diff --git a/hw/intc/arm_gicv3_cpuif_common.c b/hw/intc/arm_gicv3_cpuif_common.c
+new file mode 100644
+index XXXXXXX..XXXXXXX
+--- /dev/null
++++ b/hw/intc/arm_gicv3_cpuif_common.c
+@@ -XXX,XX +XXX,XX @@
++/* SPDX-License-Identifier: GPL-2.0-or-later */
++/*
++ * ARM Generic Interrupt Controller v3
++ *
++ * Copyright (c) 2016 Linaro Limited
++ * Written by Peter Maydell
++ *
++ * This code is licensed under the GPL, version 2 or (at your option)
++ * any later version.
++ */
++
++#include "qemu/osdep.h"
++#include "gicv3_internal.h"
++#include "cpu.h"
++
++void gicv3_set_gicv3state(CPUState *cpu, GICv3CPUState *s)
++{
++    ARMCPU *arm_cpu = ARM_CPU(cpu);
++    CPUARMState *env = &arm_cpu->env;
++
++    env->gicv3state = (void *)s;
++};
+diff --git a/hw/intc/meson.build b/hw/intc/meson.build
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/intc/meson.build
++++ b/hw/intc/meson.build
+@@ -XXX,XX +XXX,XX @@ softmmu_ss.add(when: 'CONFIG_XLNX_ZYNQMP_PMU', if_true: files('xlnx-pmu-iomod-in
+ specific_ss.add(when: 'CONFIG_ALLWINNER_A10_PIC', if_true: files('allwinner-a10-pic.c'))
+ specific_ss.add(when: 'CONFIG_APIC', if_true: files('apic.c', 'apic_common.c'))
++specific_ss.add(when: 'CONFIG_ARM_GIC', if_true: files('arm_gicv3_cpuif_common.c'))
+ specific_ss.add(when: 'CONFIG_ARM_GIC', if_true: files('arm_gicv3_cpuif.c'))
+ specific_ss.add(when: 'CONFIG_ARM_GIC_KVM', if_true: files('arm_gic_kvm.c'))
+ specific_ss.add(when: ['CONFIG_ARM_GIC_KVM', 'TARGET_AARCH64'], if_true: files('arm_gicv3_kvm.c', 'arm_gicv3_its_kvm.c'))
+--
+.25.1

-New patch
+[PULL 08/33] hw/intc/arm_gicv3: Introduce CONFIG_ARM_GIC_TCG Kconfig selector
+From: Philippe Mathieu-Daudé <philmd@redhat.com>
+The TYPE_ARM_GICV3 device is an emulated one.  When using
+KVM, it is recommended to use the TYPE_KVM_ARM_GICV3 device
+(which uses in-kernel support).
+When using --with-devices-FOO, it is possible to build a
+binary with a specific set of devices. When this binary is
+restricted to KVM accelerator, the TYPE_ARM_GICV3 device is
+irrelevant, and it is desirable to remove it from the binary.
+Therefore introduce the CONFIG_ARM_GIC_TCG Kconfig selector
+which select the files required to have the TYPE_ARM_GICV3
+device, but also allowing to de-select this device.
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20211115223619.2599282-3-philmd@redhat.com
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ hw/intc/arm_gicv3.c |  2 +-
+ hw/intc/Kconfig     |  5 +++++
+ hw/intc/meson.build | 10 ++++++----
+files changed, 12 insertions(+), 5 deletions(-)
+diff --git a/hw/intc/arm_gicv3.c b/hw/intc/arm_gicv3.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/intc/arm_gicv3.c
++++ b/hw/intc/arm_gicv3.c
+@@ -XXX,XX +XXX,XX @@
+ /*
+- * ARM Generic Interrupt Controller v3
++ * ARM Generic Interrupt Controller v3 (emulation)
+  *
+  * Copyright (c) 2015 Huawei.
+  * Copyright (c) 2016 Linaro Limited
+diff --git a/hw/intc/Kconfig b/hw/intc/Kconfig
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/intc/Kconfig
++++ b/hw/intc/Kconfig
+@@ -XXX,XX +XXX,XX @@ config APIC
+     select MSI_NONBROKEN
+     select I8259
++config ARM_GIC_TCG
++    bool
++    default y
++    depends on ARM_GIC && TCG
++
+ config ARM_GIC_KVM
+     bool
+     default y
+diff --git a/hw/intc/meson.build b/hw/intc/meson.build
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/intc/meson.build
++++ b/hw/intc/meson.build
+@@ -XXX,XX +XXX,XX @@ softmmu_ss.add(when: 'CONFIG_ARM_GIC', if_true: files(
+   'arm_gic.c',
+   'arm_gic_common.c',
+   'arm_gicv2m.c',
+-  'arm_gicv3.c',
+   'arm_gicv3_common.c',
+-  'arm_gicv3_dist.c',
+   'arm_gicv3_its_common.c',
+-  'arm_gicv3_redist.c',
++))
++softmmu_ss.add(when: 'CONFIG_ARM_GIC_TCG', if_true: files(
++  'arm_gicv3.c',
++  'arm_gicv3_dist.c',
+   'arm_gicv3_its.c',
++  'arm_gicv3_redist.c',
+ ))
+ softmmu_ss.add(when: 'CONFIG_ETRAXFS', if_true: files('etraxfs_pic.c'))
+ softmmu_ss.add(when: 'CONFIG_HEATHROW_PIC', if_true: files('heathrow_pic.c'))
+@@ -XXX,XX +XXX,XX @@ softmmu_ss.add(when: 'CONFIG_XLNX_ZYNQMP_PMU', if_true: files('xlnx-pmu-iomod-in
+ specific_ss.add(when: 'CONFIG_ALLWINNER_A10_PIC', if_true: files('allwinner-a10-pic.c'))
+ specific_ss.add(when: 'CONFIG_APIC', if_true: files('apic.c', 'apic_common.c'))
+ specific_ss.add(when: 'CONFIG_ARM_GIC', if_true: files('arm_gicv3_cpuif_common.c'))
+-specific_ss.add(when: 'CONFIG_ARM_GIC', if_true: files('arm_gicv3_cpuif.c'))
++specific_ss.add(when: 'CONFIG_ARM_GIC_TCG', if_true: files('arm_gicv3_cpuif.c'))
+ specific_ss.add(when: 'CONFIG_ARM_GIC_KVM', if_true: files('arm_gic_kvm.c'))
+ specific_ss.add(when: ['CONFIG_ARM_GIC_KVM', 'TARGET_AARCH64'], if_true: files('arm_gicv3_kvm.c', 'arm_gicv3_its_kvm.c'))
+ specific_ss.add(when: 'CONFIG_ARM_V7M', if_true: files('armv7m_nvic.c'))
+--
+.25.1

-New patch
+[PULL 09/33] target/arm: Hoist pc_next to a local variable in aarch64_tr_translate_insn
+From: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/translate-a64.c | 7 ++++---
+file changed, 4 insertions(+), 3 deletions(-)
+diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/translate-a64.c
++++ b/target/arm/translate-a64.c
+@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
+ {
+     DisasContext *s = container_of(dcbase, DisasContext, base);
+     CPUARMState *env = cpu->env_ptr;
++    uint64_t pc = s->base.pc_next;
+     uint32_t insn;
+     if (s->ss_active && !s->pstate_ss) {
+@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
+         return;
+     }
+-    s->pc_curr = s->base.pc_next;
+-    insn = arm_ldl_code(env, &s->base, s->base.pc_next, s->sctlr_b);
++    s->pc_curr = pc;
++    insn = arm_ldl_code(env, &s->base, pc, s->sctlr_b);
+     s->insn = insn;
+-    s->base.pc_next += 4;
++    s->base.pc_next = pc + 4;
+     s->fp_access_checked = false;
+     s->sve_access_checked = false;
+--
+.25.1

-New patch
+[PULL 10/33] target/arm: Hoist pc_next to a local variable in arm_tr_translate_insn
+From: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/translate.c | 9 +++++----
+file changed, 5 insertions(+), 4 deletions(-)
+diff --git a/target/arm/translate.c b/target/arm/translate.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/translate.c
++++ b/target/arm/translate.c
+@@ -XXX,XX +XXX,XX @@ static void arm_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
+ {
+     DisasContext *dc = container_of(dcbase, DisasContext, base);
+     CPUARMState *env = cpu->env_ptr;
++    uint32_t pc = dc->base.pc_next;
+     unsigned int insn;
+     if (arm_pre_translate_insn(dc)) {
+-        dc->base.pc_next += 4;
++        dc->base.pc_next = pc + 4;
+         return;
+     }
+-    dc->pc_curr = dc->base.pc_next;
+-    insn = arm_ldl_code(env, &dc->base, dc->base.pc_next, dc->sctlr_b);
++    dc->pc_curr = pc;
++    insn = arm_ldl_code(env, &dc->base, pc, dc->sctlr_b);
+     dc->insn = insn;
+-    dc->base.pc_next += 4;
++    dc->base.pc_next = pc + 4;
+     disas_arm_insn(dc, insn);
+     arm_post_translate_insn(dc);
+--
+.25.1

-New patch
+[PULL 11/33] target/arm: Hoist pc_next to a local variable in thumb_tr_translate_insn
+From: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/translate.c | 16 ++++++++--------
+file changed, 8 insertions(+), 8 deletions(-)
+diff --git a/target/arm/translate.c b/target/arm/translate.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/translate.c
++++ b/target/arm/translate.c
+@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
+ {
+     DisasContext *dc = container_of(dcbase, DisasContext, base);
+     CPUARMState *env = cpu->env_ptr;
++    uint32_t pc = dc->base.pc_next;
+     uint32_t insn;
+     bool is_16bit;
+     if (arm_pre_translate_insn(dc)) {
+-        dc->base.pc_next += 2;
++        dc->base.pc_next = pc + 2;
+         return;
+     }
+-    dc->pc_curr = dc->base.pc_next;
+-    insn = arm_lduw_code(env, &dc->base, dc->base.pc_next, dc->sctlr_b);
++    dc->pc_curr = pc;
++    insn = arm_lduw_code(env, &dc->base, pc, dc->sctlr_b);
+     is_16bit = thumb_insn_is_16bit(dc, dc->base.pc_next, insn);
+-    dc->base.pc_next += 2;
++    pc += 2;
+     if (!is_16bit) {
+-        uint32_t insn2 = arm_lduw_code(env, &dc->base, dc->base.pc_next,
+-                                       dc->sctlr_b);
+-
++        uint32_t insn2 = arm_lduw_code(env, &dc->base, pc, dc->sctlr_b);
+         insn = insn << 16 | insn2;
+-        dc->base.pc_next += 2;
++        pc += 2;
+     }
++    dc->base.pc_next = pc;
+     dc->insn = insn;
+     if (dc->pstate_il) {
+--
+.25.1

-[PULL 10/12] tests/qtest: Restore aarch64 arm-cpu-features test
+[PULL 12/33] target/arm: Split arm_pre_translate_insn
-From: Andrew Jones <drjones@redhat.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-arm-cpu-features got dropped from the AArch64 tests during the meson
+Create arm_check_ss_active and arm_check_kernelpage.
 conversion shuffle.
-Signed-off-by: Andrew Jones <drjones@redhat.com>
+Reverse the order of the tests.  While it doesn't matter in practice,
-Message-id: 20201001061718.101915-6-drjones@redhat.com
+because only user-only has a kernel page and user-only never sets
 ss_active, ss_active has priority over execution exceptions and it
 is best to keep them in the proper order.
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- tests/qtest/meson.build | 3 ++-
+ target/arm/translate.c | 10 +++++++---
-file changed, 2 insertions(+), 1 deletion(-)
+file changed, 7 insertions(+), 3 deletions(-)
-diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build
+diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/tests/qtest/meson.build
+--- a/target/arm/translate.c
-+++ b/tests/qtest/meson.build
++++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ qtests_aarch64 = \
+@@ -XXX,XX +XXX,XX @@ static void arm_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
-   (cpu != 'arm' ? ['bios-tables-test'] : []) +                                                  \
+     dc->insn_start = tcg_last_op();
-   (config_all_devices.has_key('CONFIG_TPM_TIS_SYSBUS') ? ['tpm-tis-device-test'] : []) +        \
+ }
-   (config_all_devices.has_key('CONFIG_TPM_TIS_SYSBUS') ? ['tpm-tis-device-swtpm-test'] : []) +  \
--  ['numa-test',
+-static bool arm_pre_translate_insn(DisasContext *dc)
-+  ['arm-cpu-features',
++static bool arm_check_kernelpage(DisasContext *dc)
-+   'numa-test',
+ {
-    'boot-serial-test',
+ #ifdef CONFIG_USER_ONLY
-    'migration-test']
+     /* Intercept jump to the magic kernel page.  */
+@@ -XXX,XX +XXX,XX @@ static bool arm_pre_translate_insn(DisasContext *dc)
          return true;
      }
  #endif
 +    return false;
 +}
 +static bool arm_check_ss_active(DisasContext *dc)
 +{
      if (dc->ss_active && !dc->pstate_ss) {
          /* Singlestep state is Active-pending.
           * If we're in this state at the start of a TB then either
@@ -XXX,XX +XXX,XX @@ static void arm_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
      uint32_t pc = dc->base.pc_next;
      unsigned int insn;
 -    if (arm_pre_translate_insn(dc)) {
 +    if (arm_check_ss_active(dc) || arm_check_kernelpage(dc)) {
          dc->base.pc_next = pc + 4;
          return;
      }
@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
      uint32_t insn;
      bool is_16bit;
 -    if (arm_pre_translate_insn(dc)) {
 +    if (arm_check_ss_active(dc) || arm_check_kernelpage(dc)) {
          dc->base.pc_next = pc + 2;
          return;
      }
 --
-.20.1
+.25.1

-[PULL 05/12] hw/char/bcm2835_aux: Allow less than 32-bit accesses
+[PULL 13/33] target/arm: Advance pc for arch single-step exception
-From: Philippe Mathieu-Daudé <f4bug@amsat.org>
+From: Richard Henderson <richard.henderson@linaro.org>
-The "BCM2835 ARM Peripherals" datasheet [*] chapter 2
+The size of the code covered by a TranslationBlock cannot be 0;
-("Auxiliaries: UART1 & SPI1, SPI2"), list the register
+this is checked via assert in tb_gen_code.
 sizes as 3/8/16/32 bits. We assume this means this
 peripheral allows 8-bit accesses.
-This was not an issue until commit 5d971f9e67 which reverted
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ("memory: accept mismatching sizes in memory_region_access_valid").
 The model is implemented as 32-bit accesses (see commit 97398d900c,
 all registers are 32-bit) so replace MemoryRegionOps.valid as
 MemoryRegionOps.impl, and re-introduce MemoryRegionOps.valid
 with a 8/32-bit range.
 [*] https://www.raspberrypi.org/app/uploads/2012/02/BCM2835-ARM-Peripherals.pdf
 Fixes: 97398d900c ("bcm2835_aux: add emulation of BCM2835 AUX (aka UART1) block")
 Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Message-id: 20201002181032.1899463-1-f4bug@amsat.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/char/bcm2835_aux.c | 4 +++-
+ target/arm/translate-a64.c | 1 +
-file changed, 3 insertions(+), 1 deletion(-)
+file changed, 1 insertion(+)
-diff --git a/hw/char/bcm2835_aux.c b/hw/char/bcm2835_aux.c
+diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/char/bcm2835_aux.c
+--- a/target/arm/translate-a64.c
-+++ b/hw/char/bcm2835_aux.c
++++ b/target/arm/translate-a64.c
-@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps bcm2835_aux_ops = {
+@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
-     .read = bcm2835_aux_read,
+         assert(s->base.num_insns == 1);
-     .write = bcm2835_aux_write,
+         gen_swstep_exception(s, 0, 0);
-     .endianness = DEVICE_NATIVE_ENDIAN,
+         s->base.is_jmp = DISAS_NORETURN;
--    .valid.min_access_size = 4,
++        s->base.pc_next = pc + 4;
-+    .impl.min_access_size = 4,
+         return;
-+    .impl.max_access_size = 4,
+     }
 +    .valid.min_access_size = 1,
      .valid.max_access_size = 4,
  };
 --
-.20.1
+.25.1

-[PULL 02/12] hw/arm/fsl-imx25: Fix a typo
+[PULL 14/33] target/arm: Split compute_fsr_fsc out of arm_deliver_fault
-From: Philippe Mathieu-Daudé <f4bug@amsat.org>
+From: Richard Henderson <richard.henderson@linaro.org>
-Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+We will reuse this section of arm_deliver_fault for
-Message-id: 20201002080935.1660005-1-f4bug@amsat.org
+raising pc alignment faults.
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- include/hw/arm/fsl-imx25.h | 2 +-
+ target/arm/tlb_helper.c | 45 +++++++++++++++++++++++++----------------
-file changed, 1 insertion(+), 1 deletion(-)
+file changed, 28 insertions(+), 17 deletions(-)
-diff --git a/include/hw/arm/fsl-imx25.h b/include/hw/arm/fsl-imx25.h
+diff --git a/target/arm/tlb_helper.c b/target/arm/tlb_helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/fsl-imx25.h
+--- a/target/arm/tlb_helper.c
-+++ b/include/hw/arm/fsl-imx25.h
++++ b/target/arm/tlb_helper.c
-@@ -XXX,XX +XXX,XX @@ struct FslIMX25State {
+@@ -XXX,XX +XXX,XX @@ static inline uint32_t merge_syn_data_abort(uint32_t template_syn,
-  * 0xBB00_0000 0xBB00_0FFF 4 Kbytes     NAND flash main area buffer
+     return syn;
-  * 0xBB00_1000 0xBB00_11FF 512 B        NAND flash spare area buffer
+ }
-  * 0xBB00_1200 0xBB00_1DFF 3 Kbytes     Reserved
-- * 0xBB00_1E00 0xBB00_1FFF 512 B        NAND flash control regisers
+-static void QEMU_NORETURN arm_deliver_fault(ARMCPU *cpu, vaddr addr,
-+ * 0xBB00_1E00 0xBB00_1FFF 512 B        NAND flash control registers
+-                                            MMUAccessType access_type,
-  * 0xBB01_2000 0xBFFF_FFFF 96 Mbytes (minus 8 Kbytes) Reserved
+-                                            int mmu_idx, ARMMMUFaultInfo *fi)
-  * 0xC000_0000 0xFFFF_FFFF 1024 Mbytes  Reserved
++static uint32_t compute_fsr_fsc(CPUARMState *env, ARMMMUFaultInfo *fi,
-  */
++                                int target_el, int mmu_idx, uint32_t *ret_fsc)
  {
 -    CPUARMState *env = &cpu->env;
 -    int target_el;
 -    bool same_el;
 -    uint32_t syn, exc, fsr, fsc;
      ARMMMUIdx arm_mmu_idx = core_to_arm_mmu_idx(env, mmu_idx);
 -
 -    target_el = exception_target_el(env);
 -    if (fi->stage2) {
 -        target_el = 2;
 -        env->cp15.hpfar_el2 = extract64(fi->s2addr, 12, 47) << 4;
 -        if (arm_is_secure_below_el3(env) && fi->s1ns) {
 -            env->cp15.hpfar_el2 |= HPFAR_NS;
 -        }
 -    }
 -    same_el = (arm_current_el(env) == target_el);
 +    uint32_t fsr, fsc;
      if (target_el == 2 || arm_el_is_aa64(env, target_el) ||
          arm_s1_regime_using_lpae_format(env, arm_mmu_idx)) {
@@ -XXX,XX +XXX,XX @@ static void QEMU_NORETURN arm_deliver_fault(ARMCPU *cpu, vaddr addr,
          fsc = 0x3f;
      }
 +    *ret_fsc = fsc;
 +    return fsr;
 +}
 +
 +static void QEMU_NORETURN arm_deliver_fault(ARMCPU *cpu, vaddr addr,
 +                                            MMUAccessType access_type,
 +                                            int mmu_idx, ARMMMUFaultInfo *fi)
 +{
 +    CPUARMState *env = &cpu->env;
 +    int target_el;
 +    bool same_el;
 +    uint32_t syn, exc, fsr, fsc;
 +
 +    target_el = exception_target_el(env);
 +    if (fi->stage2) {
 +        target_el = 2;
 +        env->cp15.hpfar_el2 = extract64(fi->s2addr, 12, 47) << 4;
 +        if (arm_is_secure_below_el3(env) && fi->s1ns) {
 +            env->cp15.hpfar_el2 |= HPFAR_NS;
 +        }
 +    }
 +    same_el = (arm_current_el(env) == target_el);
 +
 +    fsr = compute_fsr_fsc(env, fi, target_el, mmu_idx, &fsc);
 +
      if (access_type == MMU_INST_FETCH) {
          syn = syn_insn_abort(same_el, fi->ea, fi->s1ptw, fsc);
          exc = EXCP_PREFETCH_ABORT;
 --
-.20.1
+.25.1

-New patch
+[PULL 15/33] target/arm: Take an exception if PC is misaligned
+From: Richard Henderson <richard.henderson@linaro.org>
 For A64, any input to an indirect branch can cause this.
 For A32, many indirect branch paths force the branch to be aligned,
 but BXWritePC does not.  This includes the BX instruction but also
 other interworking changes to PC.  Prior to v8, this case is UNDEFINED.
 With v8, this is CONSTRAINED UNPREDICTABLE and may either raise an
 exception or force align the PC.
 We choose to raise an exception because we have the infrastructure,
 it makes the generated code for gen_bx simpler, and it has the
 possibility of catching more guest bugs.
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
  target/arm/helper.h           |  1 +
  target/arm/syndrome.h         |  5 ++++
  linux-user/aarch64/cpu_loop.c | 46 ++++++++++++++++++++---------------
  target/arm/tlb_helper.c       | 18 ++++++++++++++
  target/arm/translate-a64.c    | 15 ++++++++++++
  target/arm/translate.c        | 22 ++++++++++++++++-
 files changed, 87 insertions(+), 20 deletions(-)
 diff --git a/target/arm/helper.h b/target/arm/helper.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.h
 +++ b/target/arm/helper.h
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_3(sel_flags, TCG_CALL_NO_RWG_SE,
  DEF_HELPER_2(exception_internal, void, env, i32)
  DEF_HELPER_4(exception_with_syndrome, void, env, i32, i32, i32)
  DEF_HELPER_2(exception_bkpt_insn, void, env, i32)
 +DEF_HELPER_2(exception_pc_alignment, noreturn, env, tl)
  DEF_HELPER_1(setend, void, env)
  DEF_HELPER_2(wfi, void, env, i32)
  DEF_HELPER_1(wfe, void, env)
 diff --git a/target/arm/syndrome.h b/target/arm/syndrome.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/syndrome.h
 +++ b/target/arm/syndrome.h
@@ -XXX,XX +XXX,XX @@ static inline uint32_t syn_illegalstate(void)
      return (EC_ILLEGALSTATE << ARM_EL_EC_SHIFT) | ARM_EL_IL;
  }
 +static inline uint32_t syn_pcalignment(void)
 +{
 +    return (EC_PCALIGNMENT << ARM_EL_EC_SHIFT) | ARM_EL_IL;
 +}
 +
  #endif /* TARGET_ARM_SYNDROME_H */
 diff --git a/linux-user/aarch64/cpu_loop.c b/linux-user/aarch64/cpu_loop.c
 index XXXXXXX..XXXXXXX 100644
 --- a/linux-user/aarch64/cpu_loop.c
 +++ b/linux-user/aarch64/cpu_loop.c
@@ -XXX,XX +XXX,XX @@ void cpu_loop(CPUARMState *env)
              break;
          case EXCP_PREFETCH_ABORT:
          case EXCP_DATA_ABORT:
 -            /* We should only arrive here with EC in {DATAABORT, INSNABORT}. */
              ec = syn_get_ec(env->exception.syndrome);
 -            assert(ec == EC_DATAABORT || ec == EC_INSNABORT);
 -
 -            /* Both EC have the same format for FSC, or close enough. */
 -            fsc = extract32(env->exception.syndrome, 0, 6);
 -            switch (fsc) {
 -            case 0x04 ... 0x07: /* Translation fault, level {0-3} */
 -                si_signo = TARGET_SIGSEGV;
 -                si_code = TARGET_SEGV_MAPERR;
 +            switch (ec) {
 +            case EC_DATAABORT:
 +            case EC_INSNABORT:
 +                /* Both EC have the same format for FSC, or close enough. */
 +                fsc = extract32(env->exception.syndrome, 0, 6);
 +                switch (fsc) {
 +                case 0x04 ... 0x07: /* Translation fault, level {0-3} */
 +                    si_signo = TARGET_SIGSEGV;
 +                    si_code = TARGET_SEGV_MAPERR;
 +                    break;
 +                case 0x09 ... 0x0b: /* Access flag fault, level {1-3} */
 +                case 0x0d ... 0x0f: /* Permission fault, level {1-3} */
 +                    si_signo = TARGET_SIGSEGV;
 +                    si_code = TARGET_SEGV_ACCERR;
 +                    break;
 +                case 0x11: /* Synchronous Tag Check Fault */
 +                    si_signo = TARGET_SIGSEGV;
 +                    si_code = TARGET_SEGV_MTESERR;
 +                    break;
 +                case 0x21: /* Alignment fault */
 +                    si_signo = TARGET_SIGBUS;
 +                    si_code = TARGET_BUS_ADRALN;
 +                    break;
 +                default:
 +                    g_assert_not_reached();
 +                }
                  break;
 -            case 0x09 ... 0x0b: /* Access flag fault, level {1-3} */
 -            case 0x0d ... 0x0f: /* Permission fault, level {1-3} */
 -                si_signo = TARGET_SIGSEGV;
 -                si_code = TARGET_SEGV_ACCERR;
 -                break;
 -            case 0x11: /* Synchronous Tag Check Fault */
 -                si_signo = TARGET_SIGSEGV;
 -                si_code = TARGET_SEGV_MTESERR;
 -                break;
 -            case 0x21: /* Alignment fault */
 +            case EC_PCALIGNMENT:
                  si_signo = TARGET_SIGBUS;
                  si_code = TARGET_BUS_ADRALN;
                  break;
 diff --git a/target/arm/tlb_helper.c b/target/arm/tlb_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/tlb_helper.c
 +++ b/target/arm/tlb_helper.c
@@ -XXX,XX +XXX,XX @@
  #include "cpu.h"
  #include "internals.h"
  #include "exec/exec-all.h"
 +#include "exec/helper-proto.h"
  static inline uint32_t merge_syn_data_abort(uint32_t template_syn,
                                              unsigned int target_el,
@@ -XXX,XX +XXX,XX @@ void arm_cpu_do_unaligned_access(CPUState *cs, vaddr vaddr,
      arm_deliver_fault(cpu, vaddr, access_type, mmu_idx, &fi);
  }
 +void helper_exception_pc_alignment(CPUARMState *env, target_ulong pc)
 +{
 +    ARMMMUFaultInfo fi = { .type = ARMFault_Alignment };
 +    int target_el = exception_target_el(env);
 +    int mmu_idx = cpu_mmu_index(env, true);
 +    uint32_t fsc;
 +
 +    env->exception.vaddress = pc;
 +
 +    /*
 +     * Note that the fsc is not applicable to this exception,
 +     * since any syndrome is pcalignment not insn_abort.
 +     */
 +    env->exception.fsr = compute_fsr_fsc(env, &fi, target_el, mmu_idx, &fsc);
 +    raise_exception(env, EXCP_PREFETCH_ABORT, syn_pcalignment(), target_el);
 +}
 +
  #if !defined(CONFIG_USER_ONLY)
  /*
 diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-a64.c
 +++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
      uint64_t pc = s->base.pc_next;
      uint32_t insn;
 +    /* Singlestep exceptions have the highest priority. */
      if (s->ss_active && !s->pstate_ss) {
          /* Singlestep state is Active-pending.
           * If we're in this state at the start of a TB then either
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
          return;
      }
 +    if (pc & 3) {
 +        /*
 +         * PC alignment fault.  This has priority over the instruction abort
 +         * that we would receive from a translation fault via arm_ldl_code.
 +         * This should only be possible after an indirect branch, at the
 +         * start of the TB.
 +         */
 +        assert(s->base.num_insns == 1);
 +        gen_helper_exception_pc_alignment(cpu_env, tcg_constant_tl(pc));
 +        s->base.is_jmp = DISAS_NORETURN;
 +        s->base.pc_next = QEMU_ALIGN_UP(pc, 4);
 +        return;
 +    }
 +
      s->pc_curr = pc;
      insn = arm_ldl_code(env, &s->base, pc, s->sctlr_b);
      s->insn = insn;
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.c
 +++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void arm_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
      uint32_t pc = dc->base.pc_next;
      unsigned int insn;
 -    if (arm_check_ss_active(dc) || arm_check_kernelpage(dc)) {
 +    /* Singlestep exceptions have the highest priority. */
 +    if (arm_check_ss_active(dc)) {
 +        dc->base.pc_next = pc + 4;
 +        return;
 +    }
 +
 +    if (pc & 3) {
 +        /*
 +         * PC alignment fault.  This has priority over the instruction abort
 +         * that we would receive from a translation fault via arm_ldl_code
 +         * (or the execution of the kernelpage entrypoint). This should only
 +         * be possible after an indirect branch, at the start of the TB.
 +         */
 +        assert(dc->base.num_insns == 1);
 +        gen_helper_exception_pc_alignment(cpu_env, tcg_constant_tl(pc));
 +        dc->base.is_jmp = DISAS_NORETURN;
 +        dc->base.pc_next = QEMU_ALIGN_UP(pc, 4);
 +        return;
 +    }
 +
 +    if (arm_check_kernelpage(dc)) {
          dc->base.pc_next = pc + 4;
          return;
      }
 --
 .25.1

-New patch
+[PULL 16/33] target/arm: Assert thumb pc is aligned
+From: Richard Henderson <richard.henderson@linaro.org>
+Misaligned thumb PC is architecturally impossible.
+Assert is better than proceeding, in case we've missed
+something somewhere.
+Expand a comment about aligning the pc in gdbstub.
+Fail an incoming migrate if a thumb pc is misaligned.
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/gdbstub.c   |  9 +++++++--
+ target/arm/machine.c   | 10 ++++++++++
+ target/arm/translate.c |  3 +++
+files changed, 20 insertions(+), 2 deletions(-)
+diff --git a/target/arm/gdbstub.c b/target/arm/gdbstub.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/gdbstub.c
++++ b/target/arm/gdbstub.c
+@@ -XXX,XX +XXX,XX @@ int arm_cpu_gdb_write_register(CPUState *cs, uint8_t *mem_buf, int n)
+     tmp = ldl_p(mem_buf);
+-    /* Mask out low bit of PC to workaround gdb bugs.  This will probably
+-       cause problems if we ever implement the Jazelle DBX extensions.  */
++    /*
++     * Mask out low bits of PC to workaround gdb bugs.
++     * This avoids an assert in thumb_tr_translate_insn, because it is
++     * architecturally impossible to misalign the pc.
++     * This will probably cause problems if we ever implement the
++     * Jazelle DBX extensions.
++     */
+     if (n == 15) {
+         tmp &= ~1;
+     }
+diff --git a/target/arm/machine.c b/target/arm/machine.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/machine.c
++++ b/target/arm/machine.c
+@@ -XXX,XX +XXX,XX @@ static int cpu_post_load(void *opaque, int version_id)
+             return -1;
+         }
+     }
++
++    /*
++     * Misaligned thumb pc is architecturally impossible.
++     * We have an assert in thumb_tr_translate_insn to verify this.
++     * Fail an incoming migrate to avoid this assert.
++     */
++    if (!is_a64(env) && env->thumb && (env->regs[15] & 1)) {
++        return -1;
++    }
++
+     if (!kvm_enabled()) {
+         pmu_op_finish(&cpu->env);
+     }
+diff --git a/target/arm/translate.c b/target/arm/translate.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/translate.c
++++ b/target/arm/translate.c
+@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
+     uint32_t insn;
+     bool is_16bit;
++    /* Misaligned thumb PC is architecturally impossible. */
++    assert((dc->base.pc_next & 1) == 0);
++
+     if (arm_check_ss_active(dc) || arm_check_kernelpage(dc)) {
+         dc->base.pc_next = pc + 2;
+         return;
+--
+.25.1

-New patch
+[PULL 17/33] target/arm: Suppress bp for exceptions with more priority
+From: Richard Henderson <richard.henderson@linaro.org>
+Both single-step and pc alignment faults have priority over
+breakpoint exceptions.
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/debug_helper.c | 23 +++++++++++++++++++++++
+file changed, 23 insertions(+)
+diff --git a/target/arm/debug_helper.c b/target/arm/debug_helper.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/debug_helper.c
++++ b/target/arm/debug_helper.c
+@@ -XXX,XX +XXX,XX @@ bool arm_debug_check_breakpoint(CPUState *cs)
+ {
+     ARMCPU *cpu = ARM_CPU(cs);
+     CPUARMState *env = &cpu->env;
++    target_ulong pc;
+     int n;
+     /*
+@@ -XXX,XX +XXX,XX @@ bool arm_debug_check_breakpoint(CPUState *cs)
+         return false;
+     }
++    /*
++     * Single-step exceptions have priority over breakpoint exceptions.
++     * If single-step state is active-pending, suppress the bp.
++     */
++    if (arm_singlestep_active(env) && !(env->pstate & PSTATE_SS)) {
++        return false;
++    }
++
++    /*
++     * PC alignment faults have priority over breakpoint exceptions.
++     */
++    pc = is_a64(env) ? env->pc : env->regs[15];
++    if ((is_a64(env) || !env->thumb) && (pc & 3) != 0) {
++        return false;
++    }
++
++    /*
++     * Instruction aborts have priority over breakpoint exceptions.
++     * TODO: We would need to look up the page for PC and verify that
++     * it is present and executable.
++     */
++
+     for (n = 0; n < ARRAY_SIZE(env->cpu_breakpoint); n++) {
+         if (bp_wp_matches(cpu, n, false)) {
+             return true;
+--
+.25.1

-New patch
+[PULL 18/33] tests/tcg: Add arm and aarch64 pc alignment tests
+From: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ tests/tcg/aarch64/pcalign-a64.c   | 37 +++++++++++++++++++++++++
+ tests/tcg/arm/pcalign-a32.c       | 46 +++++++++++++++++++++++++++++++
+ tests/tcg/aarch64/Makefile.target |  4 +--
+ tests/tcg/arm/Makefile.target     |  4 +++
+files changed, 89 insertions(+), 2 deletions(-)
+ create mode 100644 tests/tcg/aarch64/pcalign-a64.c
+ create mode 100644 tests/tcg/arm/pcalign-a32.c
+diff --git a/tests/tcg/aarch64/pcalign-a64.c b/tests/tcg/aarch64/pcalign-a64.c
+new file mode 100644
+index XXXXXXX..XXXXXXX
+--- /dev/null
++++ b/tests/tcg/aarch64/pcalign-a64.c
+@@ -XXX,XX +XXX,XX @@
++/* Test PC misalignment exception */
++
++#include <assert.h>
++#include <signal.h>
++#include <stdlib.h>
++#include <stdio.h>
++
++static void *expected;
++
++static void sigbus(int sig, siginfo_t *info, void *vuc)
++{
++    assert(info->si_code == BUS_ADRALN);
++    assert(info->si_addr == expected);
++    exit(EXIT_SUCCESS);
++}
++
++int main()
++{
++    void *tmp;
++
++    struct sigaction sa = {
++        .sa_sigaction = sigbus,
++        .sa_flags = SA_SIGINFO
++    };
++
++    if (sigaction(SIGBUS, &sa, NULL) < 0) {
++        perror("sigaction");
++        return EXIT_FAILURE;
++    }
++
++    asm volatile("adr %0, 1f + 1\n\t"
++                 "str %0, %1\n\t"
++                 "br  %0\n"
++                 "1:"
++                 : "=&r"(tmp), "=m"(expected));
++    abort();
++}
+diff --git a/tests/tcg/arm/pcalign-a32.c b/tests/tcg/arm/pcalign-a32.c
+new file mode 100644
+index XXXXXXX..XXXXXXX
+--- /dev/null
++++ b/tests/tcg/arm/pcalign-a32.c
+@@ -XXX,XX +XXX,XX @@
++/* Test PC misalignment exception */
++
++#ifdef __thumb__
++#error "This test must be compiled for ARM"
++#endif
++
++#include <assert.h>
++#include <signal.h>
++#include <stdlib.h>
++#include <stdio.h>
++
++static void *expected;
++
++static void sigbus(int sig, siginfo_t *info, void *vuc)
++{
++    assert(info->si_code == BUS_ADRALN);
++    assert(info->si_addr == expected);
++    exit(EXIT_SUCCESS);
++}
++
++int main()
++{
++    void *tmp;
++
++    struct sigaction sa = {
++        .sa_sigaction = sigbus,
++        .sa_flags = SA_SIGINFO
++    };
++
++    if (sigaction(SIGBUS, &sa, NULL) < 0) {
++        perror("sigaction");
++        return EXIT_FAILURE;
++    }
++
++    asm volatile("adr %0, 1f + 2\n\t"
++                 "str %0, %1\n\t"
++                 "bx  %0\n"
++                 "1:"
++                 : "=&r"(tmp), "=m"(expected));
++
++    /*
++     * From v8, it is CONSTRAINED UNPREDICTABLE whether BXWritePC aligns
++     * the address or not.  If so, we can legitimately fall through.
++     */
++    return EXIT_SUCCESS;
++}
+diff --git a/tests/tcg/aarch64/Makefile.target b/tests/tcg/aarch64/Makefile.target
+index XXXXXXX..XXXXXXX 100644
+--- a/tests/tcg/aarch64/Makefile.target
++++ b/tests/tcg/aarch64/Makefile.target
+@@ -XXX,XX +XXX,XX @@ VPATH         += $(ARM_SRC)
+ AARCH64_SRC=$(SRC_PATH)/tests/tcg/aarch64
+ VPATH         += $(AARCH64_SRC)
+-# Float-convert Tests
+-AARCH64_TESTS=fcvt
++# Base architecture tests
++AARCH64_TESTS=fcvt pcalign-a64
+ fcvt: LDFLAGS+=-lm
+diff --git a/tests/tcg/arm/Makefile.target b/tests/tcg/arm/Makefile.target
+index XXXXXXX..XXXXXXX 100644
+--- a/tests/tcg/arm/Makefile.target
++++ b/tests/tcg/arm/Makefile.target
+@@ -XXX,XX +XXX,XX @@ run-fcvt: fcvt
+     $(call run-test,fcvt,$(QEMU) $<,"$< on $(TARGET_NAME)")
+     $(call diff-out,fcvt,$(ARM_SRC)/fcvt.ref)
++# PC alignment test
++ARM_TESTS += pcalign-a32
++pcalign-a32: CFLAGS+=-marm
++
+ ifeq ($(CONFIG_ARM_COMPATIBLE_SEMIHOSTING),y)
+ # Semihosting smoke test for linux-user
+--
+.25.1

-New patch
+[PULL 19/33] target/i386: Use assert() to sanity-check b1 in SSE decode
+In the SSE decode function gen_sse(), we combine a byte
+'b' and a value 'b1' which can be [0..3], and switch on them:
+   b |= (b1 << 8);
+   switch (b) {
+   ...
+   default:
+   unknown_op:
+       gen_unknown_opcode(env, s);
+       return;
+   }
+In three cases inside this switch, we were then also checking for
+ "if (b1 >= 2) { goto unknown_op; }".
+However, this can never happen, because the 'case' values in each place
+are 0x0nn or 0x1nn and the switch will have directed the b1 == (2, 3)
+cases to the default already.
+This check was added in commit c045af25a52e9 in 2010; the added code
+was unnecessary then as well, and was apparently intended only to
+ensure that we never accidentally ended up indexing off the end
+of an sse_op_table with only 2 entries as a result of future bugs
+in the decode logic.
+Change the checks to assert() instead, and make sure they're always
+immediately before the array access they are protecting.
+Fixes: Coverity CID 1460207
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ target/i386/tcg/translate.c | 12 +++---------
+file changed, 3 insertions(+), 9 deletions(-)
+diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/i386/tcg/translate.c
++++ b/target/i386/tcg/translate.c
+@@ -XXX,XX +XXX,XX @@ static void gen_sse(CPUX86State *env, DisasContext *s, int b,
+         case 0x171: /* shift xmm, im */
+         case 0x172:
+         case 0x173:
+-            if (b1 >= 2) {
+-                goto unknown_op;
+-            }
+             val = x86_ldub_code(env, s);
+             if (is_xmm) {
+                 tcg_gen_movi_tl(s->T0, val);
+@@ -XXX,XX +XXX,XX @@ static void gen_sse(CPUX86State *env, DisasContext *s, int b,
+                                 offsetof(CPUX86State, mmx_t0.MMX_L(1)));
+                 op1_offset = offsetof(CPUX86State,mmx_t0);
+             }
++            assert(b1 < 2);
+             sse_fn_epp = sse_op_table2[((b - 1) & 3) * 8 +
+                                        (((modrm >> 3)) & 7)][b1];
+             if (!sse_fn_epp) {
+@@ -XXX,XX +XXX,XX @@ static void gen_sse(CPUX86State *env, DisasContext *s, int b,
+             rm = modrm & 7;
+             reg = ((modrm >> 3) & 7) | REX_R(s);
+             mod = (modrm >> 6) & 3;
+-            if (b1 >= 2) {
+-                goto unknown_op;
+-            }
++            assert(b1 < 2);
+             sse_fn_epp = sse_op_table6[b].op[b1];
+             if (!sse_fn_epp) {
+                 goto unknown_op;
+@@ -XXX,XX +XXX,XX @@ static void gen_sse(CPUX86State *env, DisasContext *s, int b,
+             rm = modrm & 7;
+             reg = ((modrm >> 3) & 7) | REX_R(s);
+             mod = (modrm >> 6) & 3;
+-            if (b1 >= 2) {
+-                goto unknown_op;
+-            }
++            assert(b1 < 2);
+             sse_fn_eppi = sse_op_table7[b].op[b1];
+             if (!sse_fn_eppi) {
+                 goto unknown_op;
+--
+.25.1

-New patch
+[PULL 20/33] include/hw/i386: Don't include qemu-common.h in .h files
+The qemu-common.h header is not supposed to be included from any
+other header files, only from .c files (as documented in a comment at
+the start of it).
+include/hw/i386/x86.h and include/hw/i386/microvm.h break this rule.
+In fact, the include is not required at all, so we can just drop it
+from both files.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Message-id: 20211129200510.1233037-2-peter.maydell@linaro.org
+---
+ include/hw/i386/microvm.h | 1 -
+ include/hw/i386/x86.h     | 1 -
+files changed, 2 deletions(-)
+diff --git a/include/hw/i386/microvm.h b/include/hw/i386/microvm.h
+index XXXXXXX..XXXXXXX 100644
+--- a/include/hw/i386/microvm.h
++++ b/include/hw/i386/microvm.h
+@@ -XXX,XX +XXX,XX @@
+ #ifndef HW_I386_MICROVM_H
+ #define HW_I386_MICROVM_H
+-#include "qemu-common.h"
+ #include "exec/hwaddr.h"
+ #include "qemu/notify.h"
+diff --git a/include/hw/i386/x86.h b/include/hw/i386/x86.h
+index XXXXXXX..XXXXXXX 100644
+--- a/include/hw/i386/x86.h
++++ b/include/hw/i386/x86.h
+@@ -XXX,XX +XXX,XX @@
+ #ifndef HW_I386_X86_H
+ #define HW_I386_X86_H
+-#include "qemu-common.h"
+ #include "exec/hwaddr.h"
+ #include "qemu/notify.h"
+--
+.25.1

-New patch
+[PULL 21/33] target/hexagon/cpu.h: don't include qemu-common.h
+The qemu-common.h header is not supposed to be included from any
+other header files, only from .c files (as documented in a comment at
+the start of it).
+Move the include to linux-user/hexagon/cpu_loop.c, which needs it for
+the declaration of cpu_exec_step_atomic().
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Taylor Simpson <tsimpson@quicinc.com>
+Message-id: 20211129200510.1233037-3-peter.maydell@linaro.org
+---
+ target/hexagon/cpu.h          | 1 -
+ linux-user/hexagon/cpu_loop.c | 1 +
+files changed, 1 insertion(+), 1 deletion(-)
+diff --git a/target/hexagon/cpu.h b/target/hexagon/cpu.h
+index XXXXXXX..XXXXXXX 100644
+--- a/target/hexagon/cpu.h
++++ b/target/hexagon/cpu.h
+@@ -XXX,XX +XXX,XX @@ typedef struct CPUHexagonState CPUHexagonState;
+ #include "fpu/softfloat-types.h"
+-#include "qemu-common.h"
+ #include "exec/cpu-defs.h"
+ #include "hex_regs.h"
+ #include "mmvec/mmvec.h"
+diff --git a/linux-user/hexagon/cpu_loop.c b/linux-user/hexagon/cpu_loop.c
+index XXXXXXX..XXXXXXX 100644
+--- a/linux-user/hexagon/cpu_loop.c
++++ b/linux-user/hexagon/cpu_loop.c
+@@ -XXX,XX +XXX,XX @@
+  */
+ #include "qemu/osdep.h"
++#include "qemu-common.h"
+ #include "qemu.h"
+ #include "user-internals.h"
+ #include "cpu_loop-common.h"
+--
+.25.1

-[PULL 12/12] target/arm: Make '-cpu max' have a 48-bit PA
+[PULL 22/33] target/rx/cpu.h: Don't include qemu-common.h
-QEMU supports a 48-bit physical address range, but we don't currently
+The qemu-common.h header is not supposed to be included from any
-expose it in the '-cpu max' ID registers (you get the same range as
+other header files, only from .c files (as documented in a comment at
-Cortex-A57, which is 44 bits).
+the start of it).
-Set the ID_AA64MMFR0.PARange field to indicate 48 bits.
+Nothing actually relies on target/rx/cpu.h including it, so we can
 just drop the include.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20201001160116.18095-1-peter.maydell@linaro.org
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Reviewed-by: Taylor Simpson <tsimpson@quicinc.com>
 Reviewed-by: Yoshinori Sato <ysato@users.sourceforge.jp>
 Message-id: 20211129200510.1233037-4-peter.maydell@linaro.org
 ---
- target/arm/cpu64.c | 4 ++++
+ target/rx/cpu.h | 1 -
-file changed, 4 insertions(+)
+file changed, 1 deletion(-)
-diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
+diff --git a/target/rx/cpu.h b/target/rx/cpu.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu64.c
+--- a/target/rx/cpu.h
-+++ b/target/arm/cpu64.c
++++ b/target/rx/cpu.h
-@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
+@@ -XXX,XX +XXX,XX @@
-         t = FIELD_DP64(t, ID_AA64PFR1, MTE, 2);
+ #define RX_CPU_H
-         cpu->isar.id_aa64pfr1 = t;
+ #include "qemu/bitops.h"
-+        t = cpu->isar.id_aa64mmfr0;
+-#include "qemu-common.h"
-+        t = FIELD_DP64(t, ID_AA64MMFR0, PARANGE, 5); /* PARange: 48 bits */
+ #include "hw/registerfields.h"
-+        cpu->isar.id_aa64mmfr0 = t;
+ #include "cpu-qom.h"
-+
          t = cpu->isar.id_aa64mmfr1;
          t = FIELD_DP64(t, ID_AA64MMFR1, HPDS, 1); /* HPD */
          t = FIELD_DP64(t, ID_AA64MMFR1, LO, 1);
 --
-.20.1
+.25.1

-[PULL 04/12] hw/arm/sbsa-ref : allocate IRQs for SMMUv3
+[PULL 23/33] hw/arm: Don't include qemu-common.h unnecessarily
-From: Graeme Gregory <graeme@nuviainc.com>
+A lot of C files in hw/arm include qemu-common.h when they don't
 need anything from it. Drop the include lines.
-Original commit did not allocate IRQs for the SMMUv3 in the irqmap
+omap1.c, pxa2xx.c and strongarm.c retain the include because they
-effectively using irq 0->3 (shared with other devices). Assuming
+use it for the prototype of qemu_get_timedate().
 original intent was to allocate unique IRQs then add an allocation
 to the irqmap.
-Fixes: e9fdf453240 ("hw/arm: Add arm SBSA reference machine, devices part")
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Signed-off-by: Graeme Gregory <graeme@nuviainc.com>
+Reviewed-by: Taylor Simpson <tsimpson@quicinc.com>
-Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Reviewed-by: Yoshinori Sato <ysato@users.sourceforge.jp>
-Message-id: 20201007100732.4103790-3-graeme@nuviainc.com
+Message-id: 20211129200510.1233037-5-peter.maydell@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/sbsa-ref.c | 1 +
+ hw/arm/boot.c           | 1 -
-file changed, 1 insertion(+)
+ hw/arm/digic_boards.c   | 1 -
  hw/arm/highbank.c       | 1 -
  hw/arm/npcm7xx_boards.c | 1 -
  hw/arm/sbsa-ref.c       | 1 -
  hw/arm/stm32f405_soc.c  | 1 -
  hw/arm/vexpress.c       | 1 -
  hw/arm/virt.c           | 1 -
 files changed, 8 deletions(-)
+diff --git a/hw/arm/boot.c b/hw/arm/boot.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/boot.c
++++ b/hw/arm/boot.c
+@@ -XXX,XX +XXX,XX @@
+  */
+ #include "qemu/osdep.h"
+-#include "qemu-common.h"
+ #include "qemu/datadir.h"
+ #include "qemu/error-report.h"
+ #include "qapi/error.h"
+diff --git a/hw/arm/digic_boards.c b/hw/arm/digic_boards.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/digic_boards.c
++++ b/hw/arm/digic_boards.c
+@@ -XXX,XX +XXX,XX @@
+ #include "qemu/osdep.h"
+ #include "qapi/error.h"
+-#include "qemu-common.h"
+ #include "qemu/datadir.h"
+ #include "hw/boards.h"
+ #include "qemu/error-report.h"
+diff --git a/hw/arm/highbank.c b/hw/arm/highbank.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/highbank.c
++++ b/hw/arm/highbank.c
+@@ -XXX,XX +XXX,XX @@
+  */
+ #include "qemu/osdep.h"
+-#include "qemu-common.h"
+ #include "qemu/datadir.h"
+ #include "qapi/error.h"
+ #include "hw/sysbus.h"
+diff --git a/hw/arm/npcm7xx_boards.c b/hw/arm/npcm7xx_boards.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/npcm7xx_boards.c
++++ b/hw/arm/npcm7xx_boards.c
+@@ -XXX,XX +XXX,XX @@
+ #include "hw/qdev-core.h"
+ #include "hw/qdev-properties.h"
+ #include "qapi/error.h"
+-#include "qemu-common.h"
+ #include "qemu/datadir.h"
+ #include "qemu/units.h"
+ #include "sysemu/blockdev.h"
 diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/sbsa-ref.c
 +++ b/hw/arm/sbsa-ref.c
-@@ -XXX,XX +XXX,XX @@ static const int sbsa_ref_irqmap[] = {
+@@ -XXX,XX +XXX,XX @@
-     [SBSA_SECURE_UART_MM] = 9,
+  */
-     [SBSA_AHCI] = 10,
-     [SBSA_EHCI] = 11,
+ #include "qemu/osdep.h"
-+    [SBSA_SMMU] = 12, /* ... to 15 */
+-#include "qemu-common.h"
- };
+ #include "qemu/datadir.h"
+ #include "qapi/error.h"
- static uint64_t sbsa_ref_cpu_mp_affinity(SBSAMachineState *sms, int idx)
+ #include "qemu/error-report.h"
 diff --git a/hw/arm/stm32f405_soc.c b/hw/arm/stm32f405_soc.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/stm32f405_soc.c
 +++ b/hw/arm/stm32f405_soc.c
@@ -XXX,XX +XXX,XX @@
  #include "qemu/osdep.h"
  #include "qapi/error.h"
 -#include "qemu-common.h"
  #include "exec/address-spaces.h"
  #include "sysemu/sysemu.h"
  #include "hw/arm/stm32f405_soc.h"
 diff --git a/hw/arm/vexpress.c b/hw/arm/vexpress.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/vexpress.c
 +++ b/hw/arm/vexpress.c
@@ -XXX,XX +XXX,XX @@
  #include "qemu/osdep.h"
  #include "qapi/error.h"
 -#include "qemu-common.h"
  #include "qemu/datadir.h"
  #include "cpu.h"
  #include "hw/sysbus.h"
 diff --git a/hw/arm/virt.c b/hw/arm/virt.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/virt.c
 +++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@
   */
  #include "qemu/osdep.h"
 -#include "qemu-common.h"
  #include "qemu/datadir.h"
  #include "qemu/units.h"
  #include "qemu/option.h"
 --
-.20.1
+.25.1

-New patch
+[PULL 24/33] target/arm: Correct calculation of tlb range invalidate length
+The calculation of the length of TLB range invalidate operations
+in tlbi_aa64_range_get_length() is incorrect in two ways:
+ * the NUM field is 5 bits, but we read only 4 bits
+ * we miscalculate the page_shift value, because of an
+   off-by-one error:
+    TG 0b00 is invalid
+    TG 0b01 is 4K granule size == 4096 == 2^12
+    TG 0b10 is 16K granule size == 16384 == 2^14
+    TG 0b11 is 64K granule size == 65536 == 2^16
+   so page_shift should be (TG - 1) * 2 + 12
+Thanks to the bug report submitter Cha HyunSoo for identifying
+both these errors.
+Fixes: 84940ed82552d3c ("target/arm: Add support for FEAT_TLBIRANGE")
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/734
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Message-id: 20211130173257.1274194-1-peter.maydell@linaro.org
+---
+ target/arm/helper.c | 6 +++---
+file changed, 3 insertions(+), 3 deletions(-)
+diff --git a/target/arm/helper.c b/target/arm/helper.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/helper.c
++++ b/target/arm/helper.c
+@@ -XXX,XX +XXX,XX @@ static uint64_t tlbi_aa64_range_get_length(CPUARMState *env,
+     uint64_t exponent;
+     uint64_t length;
+-    num = extract64(value, 39, 4);
++    num = extract64(value, 39, 5);
+     scale = extract64(value, 44, 2);
+     page_size_granule = extract64(value, 46, 2);
+-    page_shift = page_size_granule * 2 + 12;
+-
+     if (page_size_granule == 0) {
+         qemu_log_mask(LOG_GUEST_ERROR, "Invalid page size granule %d\n",
+                       page_size_granule);
+         return 0;
+     }
++    page_shift = (page_size_granule - 1) * 2 + 12;
++
+     exponent = (5 * scale) + 1;
+     length = (num + 1) << (exponent + page_shift);
+--
+.25.1

-New patch
+[PULL 25/33] hw/net: npcm7xx_emc fix missing queue_flush
+From: Patrick Venture <venture@google.com>
+The rx_active boolean change to true should always trigger a try_read
+call that flushes the queue.
+Signed-off-by: Patrick Venture <venture@google.com>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Message-id: 20211203221002.1719306-1-venture@google.com
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ hw/net/npcm7xx_emc.c | 18 ++++++++----------
+file changed, 8 insertions(+), 10 deletions(-)
+diff --git a/hw/net/npcm7xx_emc.c b/hw/net/npcm7xx_emc.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/net/npcm7xx_emc.c
++++ b/hw/net/npcm7xx_emc.c
+@@ -XXX,XX +XXX,XX @@ static void emc_halt_rx(NPCM7xxEMCState *emc, uint32_t mista_flag)
+     emc_set_mista(emc, mista_flag);
+ }
++static void emc_enable_rx_and_flush(NPCM7xxEMCState *emc)
++{
++    emc->rx_active = true;
++    qemu_flush_queued_packets(qemu_get_queue(emc->nic));
++}
++
+ static void emc_set_next_tx_descriptor(NPCM7xxEMCState *emc,
+                                        const NPCM7xxEMCTxDesc *tx_desc,
+                                        uint32_t desc_addr)
+@@ -XXX,XX +XXX,XX @@ static ssize_t emc_receive(NetClientState *nc, const uint8_t *buf, size_t len1)
+     return len;
+ }
+-static void emc_try_receive_next_packet(NPCM7xxEMCState *emc)
+-{
+-    if (emc_can_receive(qemu_get_queue(emc->nic))) {
+-        qemu_flush_queued_packets(qemu_get_queue(emc->nic));
+-    }
+-}
+-
+ static uint64_t npcm7xx_emc_read(void *opaque, hwaddr offset, unsigned size)
+ {
+     NPCM7xxEMCState *emc = opaque;
+@@ -XXX,XX +XXX,XX @@ static void npcm7xx_emc_write(void *opaque, hwaddr offset,
+             emc->regs[REG_MGSTA] |= REG_MGSTA_RXHA;
+         }
+         if (value & REG_MCMDR_RXON) {
+-            emc->rx_active = true;
++            emc_enable_rx_and_flush(emc);
+         } else {
+             emc_halt_rx(emc, 0);
+         }
+@@ -XXX,XX +XXX,XX @@ static void npcm7xx_emc_write(void *opaque, hwaddr offset,
+         break;
+     case REG_RSDR:
+         if (emc->regs[REG_MCMDR] & REG_MCMDR_RXON) {
+-            emc->rx_active = true;
+-            emc_try_receive_next_packet(emc);
++            emc_enable_rx_and_flush(emc);
+         }
+         break;
+     case REG_MIIDA:
+--
+.25.1

-New patch
+[PULL 26/33] hw/arm/virt-acpi-build: Add VIOT table for virtio-iommu
+From: Jean-Philippe Brucker <jean-philippe@linaro.org>
+When a virtio-iommu is instantiated, describe it using the ACPI VIOT
+table.
+Acked-by: Igor Mammedov <imammedo@redhat.com>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
+Message-id: 20211210170415.583179-2-jean-philippe@linaro.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ hw/arm/virt-acpi-build.c | 7 +++++++
+ hw/arm/Kconfig           | 1 +
+files changed, 8 insertions(+)
+diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/virt-acpi-build.c
++++ b/hw/arm/virt-acpi-build.c
+@@ -XXX,XX +XXX,XX @@
+ #include "kvm_arm.h"
+ #include "migration/vmstate.h"
+ #include "hw/acpi/ghes.h"
++#include "hw/acpi/viot.h"
+ #define ARM_SPI_BASE 32
+@@ -XXX,XX +XXX,XX @@ void virt_acpi_build(VirtMachineState *vms, AcpiBuildTables *tables)
+     }
+ #endif
++    if (vms->iommu == VIRT_IOMMU_VIRTIO) {
++        acpi_add_table(table_offsets, tables_blob);
++        build_viot(ms, tables_blob, tables->linker, vms->virtio_iommu_bdf,
++                   vms->oem_id, vms->oem_table_id);
++    }
++
+     /* XSDT is pointed to by RSDP */
+     xsdt = tables_blob->len;
+     build_xsdt(tables_blob, tables->linker, table_offsets, vms->oem_id,
+diff --git a/hw/arm/Kconfig b/hw/arm/Kconfig
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/arm/Kconfig
++++ b/hw/arm/Kconfig
+@@ -XXX,XX +XXX,XX @@ config ARM_VIRT
+     select DIMM
+     select ACPI_HW_REDUCED
+     select ACPI_APEI
++    select ACPI_VIOT
+ config CHEETAH
+     bool
+--
+.25.1

-[PULL 11/12] hw/arm/virt: Implement kvm-steal-time
+[PULL 27/33] hw/arm/virt: Remove device tree restriction for virtio-iommu
-From: Andrew Jones <drjones@redhat.com>
+From: Jean-Philippe Brucker <jean-philippe@linaro.org>
-We add the kvm-steal-time CPU property and implement it for machvirt.
+virtio-iommu is now supported with ACPI VIOT as well as device tree.
-A tiny bit of refactoring was also done to allow pmu and pvtime to
+Remove the restriction that prevents from instantiating a virtio-iommu
-use the same vcpu device helper functions.
+device under ACPI.
+Acked-by: Igor Mammedov <imammedo@redhat.com>
 Reviewed-by: Eric Auger <eric.auger@redhat.com>
-Signed-off-by: Andrew Jones <drjones@redhat.com>
+Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
-Message-id: 20201001061718.101915-7-drjones@redhat.com
+Message-id: 20211210170415.583179-3-jean-philippe@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- docs/system/arm/cpu-features.rst | 11 ++++++
+ hw/arm/virt.c                | 10 ++--------
- include/hw/arm/virt.h            |  5 +++
+ hw/virtio/virtio-iommu-pci.c | 12 ++----------
- target/arm/cpu.h                 |  4 ++
+files changed, 4 insertions(+), 18 deletions(-)
  target/arm/kvm_arm.h             | 43 +++++++++++++++++++++
  hw/arm/virt.c                    | 43 +++++++++++++++++++--
  target/arm/cpu.c                 |  8 ++++
  target/arm/kvm.c                 | 16 ++++++++
  target/arm/kvm64.c               | 64 +++++++++++++++++++++++++++++---
  target/arm/monitor.c             |  2 +-
  tests/qtest/arm-cpu-features.c   | 25 +++++++++++--
 files changed, 208 insertions(+), 13 deletions(-)
-diff --git a/docs/system/arm/cpu-features.rst b/docs/system/arm/cpu-features.rst
-index XXXXXXX..XXXXXXX 100644
---- a/docs/system/arm/cpu-features.rst
-+++ b/docs/system/arm/cpu-features.rst
-@@ -XXX,XX +XXX,XX @@ the list of KVM VCPU features and their descriptions.
-                            adjustment, also restoring the legacy (pre-5.0)
-                            behavior.
-+  kvm-steal-time           Since v5.2, kvm-steal-time is enabled by
-+                           default when KVM is enabled, the feature is
-+                           supported, and the guest is 64-bit.
-+
-+                           When kvm-steal-time is enabled a 64-bit guest
-+                           can account for time its CPUs were not running
-+                           due to the host not scheduling the corresponding
-+                           VCPU threads.  The accounting statistics may
-+                           influence the guest scheduler behavior and/or be
-+                           exposed to the guest userspace.
-+
- SVE CPU Properties
- ==================
-diff --git a/include/hw/arm/virt.h b/include/hw/arm/virt.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/virt.h
-+++ b/include/hw/arm/virt.h
-@@ -XXX,XX +XXX,XX @@
- #define PPI(irq) ((irq) + 16)
-+/* See Linux kernel arch/arm64/include/asm/pvclock-abi.h */
-+#define PVTIME_SIZE_PER_CPU 64
-+
- enum {
-     VIRT_FLASH,
-     VIRT_MEM,
-@@ -XXX,XX +XXX,XX @@ enum {
-     VIRT_PCDIMM_ACPI,
-     VIRT_ACPI_GED,
-     VIRT_NVDIMM_ACPI,
-+    VIRT_PVTIME,
-     VIRT_LOWMEMMAP_LAST,
- };
-@@ -XXX,XX +XXX,XX @@ struct VirtMachineClass {
-     bool no_highmem_ecam;
-     bool no_ged;   /* Machines < 4.2 has no support for ACPI GED device */
-     bool kvm_no_adjvtime;
-+    bool no_kvm_steal_time;
-     bool acpi_expose_flash;
- };
-diff --git a/target/arm/cpu.h b/target/arm/cpu.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
-+++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@
- #include "hw/registerfields.h"
- #include "cpu-qom.h"
- #include "exec/cpu-defs.h"
-+#include "qapi/qapi-types-common.h"
- /* ARM processors have a weak memory model */
- #define TCG_GUEST_DEFAULT_MO      (0)
-@@ -XXX,XX +XXX,XX @@ struct ARMCPU {
-     bool kvm_vtime_dirty;
-     uint64_t kvm_vtime;
-+    /* KVM steal time */
-+    OnOffAuto kvm_steal_time;
-+
-     /* Uniprocessor system with MP extensions */
-     bool mp_is_up;
-diff --git a/target/arm/kvm_arm.h b/target/arm/kvm_arm.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/kvm_arm.h
-+++ b/target/arm/kvm_arm.h
-@@ -XXX,XX +XXX,XX @@ void kvm_arm_set_cpu_features_from_host(ARMCPU *cpu);
-  */
- void kvm_arm_add_vcpu_properties(Object *obj);
-+/**
-+ * kvm_arm_steal_time_finalize:
-+ * @cpu: ARMCPU for which to finalize kvm-steal-time
-+ * @errp: Pointer to Error* for error propagation
-+ *
-+ * Validate the kvm-steal-time property selection and set its default
-+ * based on KVM support and guest configuration.
-+ */
-+void kvm_arm_steal_time_finalize(ARMCPU *cpu, Error **errp);
-+
-+/**
-+ * kvm_arm_steal_time_supported:
-+ *
-+ * Returns: true if KVM can enable steal time reporting
-+ * and false otherwise.
-+ */
-+bool kvm_arm_steal_time_supported(void);
-+
- /**
-  * kvm_arm_aarch32_supported:
-  *
-@@ -XXX,XX +XXX,XX @@ int kvm_arm_vgic_probe(void);
- void kvm_arm_pmu_set_irq(CPUState *cs, int irq);
- void kvm_arm_pmu_init(CPUState *cs);
-+
-+/**
-+ * kvm_arm_pvtime_init:
-+ * @cs: CPUState
-+ * @ipa: Per-vcpu guest physical base address of the pvtime structures
-+ *
-+ * Initializes PVTIME for the VCPU, setting the PVTIME IPA to @ipa.
-+ */
-+void kvm_arm_pvtime_init(CPUState *cs, uint64_t ipa);
-+
- int kvm_arm_set_irq(int cpu, int irqtype, int irq, int level);
- #else
-@@ -XXX,XX +XXX,XX @@ static inline bool kvm_arm_sve_supported(void)
-     return false;
- }
-+static inline bool kvm_arm_steal_time_supported(void)
-+{
-+    return false;
-+}
-+
- /*
-  * These functions should never actually be called without KVM support.
-  */
-@@ -XXX,XX +XXX,XX @@ static inline void kvm_arm_pmu_init(CPUState *cs)
-     g_assert_not_reached();
- }
-+static inline void kvm_arm_pvtime_init(CPUState *cs, uint64_t ipa)
-+{
-+    g_assert_not_reached();
-+}
-+
-+static inline void kvm_arm_steal_time_finalize(ARMCPU *cpu, Error **errp)
-+{
-+    g_assert_not_reached();
-+}
-+
- static inline void kvm_arm_sve_get_vls(CPUState *cs, unsigned long *map)
- {
-     g_assert_not_reached();
 diff --git a/hw/arm/virt.c b/hw/arm/virt.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/virt.c
 +++ b/hw/arm/virt.c
-@@ -XXX,XX +XXX,XX @@ static const MemMapEntry base_memmap[] = {
+@@ -XXX,XX +XXX,XX @@ static HotplugHandler *virt_machine_get_hotplug_handler(MachineState *machine,
-     [VIRT_PCDIMM_ACPI] =        { 0x09070000, MEMORY_HOTPLUG_IO_LEN },
+     MachineClass *mc = MACHINE_GET_CLASS(machine);
-     [VIRT_ACPI_GED] =           { 0x09080000, ACPI_GED_EVT_SEL_LEN },
-     [VIRT_NVDIMM_ACPI] =        { 0x09090000, NVDIMM_ACPI_IO_LEN},
+     if (device_is_dynamic_sysbus(mc, dev) ||
-+    [VIRT_PVTIME] =             { 0x090a0000, 0x00010000 },
+-       (object_dynamic_cast(OBJECT(dev), TYPE_PC_DIMM))) {
-     [VIRT_MMIO] =               { 0x0a000000, 0x00000200 },
++        object_dynamic_cast(OBJECT(dev), TYPE_PC_DIMM) ||
-     /* ...repeating for a total of NUM_VIRTIO_TRANSPORTS, each of that size */
++        object_dynamic_cast(OBJECT(dev), TYPE_VIRTIO_IOMMU_PCI)) {
-     [VIRT_PLATFORM_BUS] =       { 0x0c000000, 0x02000000 },
+         return HOTPLUG_HANDLER(machine);
@@ -XXX,XX +XXX,XX @@ static void finalize_gic_version(VirtMachineState *vms)
   * virt_cpu_post_init() must be called after the CPUs have
   * been realized and the GIC has been created.
   */
 -static void virt_cpu_post_init(VirtMachineState *vms)
 +static void virt_cpu_post_init(VirtMachineState *vms, int max_cpus,
 +                               MemoryRegion *sysmem)
  {
 -    bool aarch64, pmu;
 +    bool aarch64, pmu, steal_time;
      CPUState *cpu;
      aarch64 = object_property_get_bool(OBJECT(first_cpu), "aarch64", NULL);
      pmu = object_property_get_bool(OBJECT(first_cpu), "pmu", NULL);
 +    steal_time = object_property_get_bool(OBJECT(first_cpu),
 +                                          "kvm-steal-time", NULL);
      if (kvm_enabled()) {
 +        hwaddr pvtime_reg_base = vms->memmap[VIRT_PVTIME].base;
 +        hwaddr pvtime_reg_size = vms->memmap[VIRT_PVTIME].size;
 +
 +        if (steal_time) {
 +            MemoryRegion *pvtime = g_new(MemoryRegion, 1);
 +            hwaddr pvtime_size = max_cpus * PVTIME_SIZE_PER_CPU;
 +
 +            /* The memory region size must be a multiple of host page size. */
 +            pvtime_size = REAL_HOST_PAGE_ALIGN(pvtime_size);
 +
 +            if (pvtime_size > pvtime_reg_size) {
 +                error_report("pvtime requires a %ld byte memory region for "
 +                             "%d CPUs, but only %ld has been reserved",
 +                             pvtime_size, max_cpus, pvtime_reg_size);
 +                exit(1);
 +            }
 +
 +            memory_region_init_ram(pvtime, NULL, "pvtime", pvtime_size, NULL);
 +            memory_region_add_subregion(sysmem, pvtime_reg_base, pvtime);
 +        }
 +
          CPU_FOREACH(cpu) {
              if (pmu) {
                  assert(arm_feature(&ARM_CPU(cpu)->env, ARM_FEATURE_PMU));
@@ -XXX,XX +XXX,XX @@ static void virt_cpu_post_init(VirtMachineState *vms)
                  }
                  kvm_arm_pmu_init(cpu);
              }
 +            if (steal_time) {
 +                kvm_arm_pvtime_init(cpu, pvtime_reg_base +
 +                                         cpu->cpu_index * PVTIME_SIZE_PER_CPU);
 +            }
          }
      } else {
          if (aarch64 && vms->highmem) {
@@ -XXX,XX +XXX,XX @@ static void machvirt_init(MachineState *machine)
              object_property_set_bool(cpuobj, "kvm-no-adjvtime", true, NULL);
          }
 +        if (vmc->no_kvm_steal_time &&
 +            object_property_find(cpuobj, "kvm-steal-time")) {
 +            object_property_set_bool(cpuobj, "kvm-steal-time", false, NULL);
 +        }
 +
          if (vmc->no_pmu && object_property_find(cpuobj, "pmu")) {
              object_property_set_bool(cpuobj, "pmu", false, NULL);
          }
@@ -XXX,XX +XXX,XX @@ static void machvirt_init(MachineState *machine)
      create_gic(vms);
 -    virt_cpu_post_init(vms);
 +    virt_cpu_post_init(vms, possible_cpus->len, sysmem);
      fdt_add_pmu_nodes(vms);
@@ -XXX,XX +XXX,XX @@ DEFINE_VIRT_MACHINE_AS_LATEST(5, 2)
  static void virt_machine_5_1_options(MachineClass *mc)
  {
 +    VirtMachineClass *vmc = VIRT_MACHINE_CLASS(OBJECT_CLASS(mc));
 +
      virt_machine_5_2_options(mc);
      compat_props_add(mc->compat_props, hw_compat_5_1, hw_compat_5_1_len);
 +    vmc->no_kvm_steal_time = true;
  }
  DEFINE_VIRT_MACHINE(5, 1)
 diff --git a/target/arm/cpu.c b/target/arm/cpu.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.c
 +++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ void arm_cpu_finalize_features(ARMCPU *cpu, Error **errp)
              return;
          }
      }
-+
+-    if (object_dynamic_cast(OBJECT(dev), TYPE_VIRTIO_IOMMU_PCI)) {
-+    if (kvm_enabled()) {
+-        VirtMachineState *vms = VIRT_MACHINE(machine);
-+        kvm_arm_steal_time_finalize(cpu, &local_err);
+-
-+        if (local_err != NULL) {
+-        if (!vms->bootinfo.firmware_loaded || !virt_is_acpi_enabled(vms)) {
-+            error_propagate(errp, local_err);
+-            return HOTPLUG_HANDLER(machine);
-+            return;
+-        }
-+        }
+-    }
 +    }
  }
  static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
 diff --git a/target/arm/kvm.c b/target/arm/kvm.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/kvm.c
 +++ b/target/arm/kvm.c
@@ -XXX,XX +XXX,XX @@ static void kvm_no_adjvtime_set(Object *obj, bool value, Error **errp)
      ARM_CPU(obj)->kvm_adjvtime = !value;
  }
 +static bool kvm_steal_time_get(Object *obj, Error **errp)
 +{
 +    return ARM_CPU(obj)->kvm_steal_time != ON_OFF_AUTO_OFF;
 +}
 +
 +static void kvm_steal_time_set(Object *obj, bool value, Error **errp)
 +{
 +    ARM_CPU(obj)->kvm_steal_time = value ? ON_OFF_AUTO_ON : ON_OFF_AUTO_OFF;
 +}
 +
  /* KVM VCPU properties should be prefixed with "kvm-". */
  void kvm_arm_add_vcpu_properties(Object *obj)
  {
@@ -XXX,XX +XXX,XX @@ void kvm_arm_add_vcpu_properties(Object *obj)
                                          "the virtual counter. VM stopped time "
                                          "will be counted.");
      }
 +
 +    cpu->kvm_steal_time = ON_OFF_AUTO_AUTO;
 +    object_property_add_bool(obj, "kvm-steal-time", kvm_steal_time_get,
 +                             kvm_steal_time_set);
 +    object_property_set_description(obj, "kvm-steal-time",
 +                                    "Set off to disable KVM steal time.");
  }
  bool kvm_arm_pmu_supported(void)
 diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/kvm64.c
 +++ b/target/arm/kvm64.c
@@ -XXX,XX +XXX,XX @@
  #include <linux/kvm.h>
  #include "qemu-common.h"
 +#include "qapi/error.h"
  #include "cpu.h"
  #include "qemu/timer.h"
  #include "qemu/error-report.h"
@@ -XXX,XX +XXX,XX @@ static CPUWatchpoint *find_hw_watchpoint(CPUState *cpu, target_ulong addr)
      return NULL;
  }
--static bool kvm_arm_pmu_set_attr(CPUState *cs, struct kvm_device_attr *attr)
+diff --git a/hw/virtio/virtio-iommu-pci.c b/hw/virtio/virtio-iommu-pci.c
-+static bool kvm_arm_set_device_attr(CPUState *cs, struct kvm_device_attr *attr,
+index XXXXXXX..XXXXXXX 100644
-+                                    const char *name)
+--- a/hw/virtio/virtio-iommu-pci.c
- {
++++ b/hw/virtio/virtio-iommu-pci.c
-     int err;
+@@ -XXX,XX +XXX,XX @@ static void virtio_iommu_pci_realize(VirtIOPCIProxy *vpci_dev, Error **errp)
+     VirtIOIOMMU *s = VIRTIO_IOMMU(vdev);
-     err = kvm_vcpu_ioctl(cs, KVM_HAS_DEVICE_ATTR, attr);
-     if (err != 0) {
+     if (!qdev_get_machine_hotplug_handler(DEVICE(vpci_dev))) {
--        error_report("PMU: KVM_HAS_DEVICE_ATTR: %s", strerror(-err));
+-        MachineClass *mc = MACHINE_GET_CLASS(qdev_get_machine());
-+        error_report("%s: KVM_HAS_DEVICE_ATTR: %s", name, strerror(-err));
+-
-         return false;
+-        error_setg(errp,
-     }
+-                   "%s machine fails to create iommu-map device tree bindings",
+-                   mc->name);
-     err = kvm_vcpu_ioctl(cs, KVM_SET_DEVICE_ATTR, attr);
+-        error_append_hint(errp,
-     if (err != 0) {
+-                          "Check your machine implements a hotplug handler "
--        error_report("PMU: KVM_SET_DEVICE_ATTR: %s", strerror(-err));
+-                          "for the virtio-iommu-pci device\n");
-+        error_report("%s: KVM_SET_DEVICE_ATTR: %s", name, strerror(-err));
+-        error_append_hint(errp, "Check the guest is booted without FW or with "
-         return false;
+-                          "-no-acpi\n");
-     }
++        error_setg(errp, "Check your machine implements a hotplug handler "
++                         "for the virtio-iommu-pci device");
@@ -XXX,XX +XXX,XX @@ void kvm_arm_pmu_init(CPUState *cs)
      if (!ARM_CPU(cs)->has_pmu) {
          return;
      }
--    if (!kvm_arm_pmu_set_attr(cs, &attr)) {
+     for (int i = 0; i < s->nb_reserved_regions; i++) {
 +    if (!kvm_arm_set_device_attr(cs, &attr, "PMU")) {
          error_report("failed to init PMU");
          abort();
      }
@@ -XXX,XX +XXX,XX @@ void kvm_arm_pmu_set_irq(CPUState *cs, int irq)
      if (!ARM_CPU(cs)->has_pmu) {
          return;
      }
 -    if (!kvm_arm_pmu_set_attr(cs, &attr)) {
 +    if (!kvm_arm_set_device_attr(cs, &attr, "PMU")) {
          error_report("failed to set irq for PMU");
          abort();
      }
  }
 +void kvm_arm_pvtime_init(CPUState *cs, uint64_t ipa)
 +{
 +    struct kvm_device_attr attr = {
 +        .group = KVM_ARM_VCPU_PVTIME_CTRL,
 +        .attr = KVM_ARM_VCPU_PVTIME_IPA,
 +        .addr = (uint64_t)&ipa,
 +    };
 +
 +    if (ARM_CPU(cs)->kvm_steal_time == ON_OFF_AUTO_OFF) {
 +        return;
 +    }
 +    if (!kvm_arm_set_device_attr(cs, &attr, "PVTIME IPA")) {
 +        error_report("failed to init PVTIME IPA");
 +        abort();
 +    }
 +}
 +
  static int read_sys_reg32(int fd, uint32_t *pret, uint64_t id)
  {
      uint64_t ret;
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
      return true;
  }
 +void kvm_arm_steal_time_finalize(ARMCPU *cpu, Error **errp)
 +{
 +    bool has_steal_time = kvm_arm_steal_time_supported();
 +
 +    if (cpu->kvm_steal_time == ON_OFF_AUTO_AUTO) {
 +        if (!has_steal_time || !arm_feature(&cpu->env, ARM_FEATURE_AARCH64)) {
 +            cpu->kvm_steal_time = ON_OFF_AUTO_OFF;
 +        } else {
 +            cpu->kvm_steal_time = ON_OFF_AUTO_ON;
 +        }
 +    } else if (cpu->kvm_steal_time == ON_OFF_AUTO_ON) {
 +        if (!has_steal_time) {
 +            error_setg(errp, "'kvm-steal-time' cannot be enabled "
 +                             "on this host");
 +            return;
 +        } else if (!arm_feature(&cpu->env, ARM_FEATURE_AARCH64)) {
 +            /*
 +             * DEN0057A chapter 2 says "This specification only covers
 +             * systems in which the Execution state of the hypervisor
 +             * as well as EL1 of virtual machines is AArch64.". And,
 +             * to ensure that, the smc/hvc calls are only specified as
 +             * smc64/hvc64.
 +             */
 +            error_setg(errp, "'kvm-steal-time' cannot be enabled "
 +                             "for AArch32 guests");
 +            return;
 +        }
 +    }
 +}
 +
  bool kvm_arm_aarch32_supported(void)
  {
      return kvm_check_extension(kvm_state, KVM_CAP_ARM_EL1_32BIT);
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_sve_supported(void)
      return kvm_check_extension(kvm_state, KVM_CAP_ARM_SVE);
  }
 +bool kvm_arm_steal_time_supported(void)
 +{
 +    return kvm_check_extension(kvm_state, KVM_CAP_STEAL_TIME);
 +}
 +
  QEMU_BUILD_BUG_ON(KVM_ARM64_SVE_VQ_MIN != 1);
  void kvm_arm_sve_get_vls(CPUState *cs, unsigned long *map)
 diff --git a/target/arm/monitor.c b/target/arm/monitor.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/monitor.c
 +++ b/target/arm/monitor.c
@@ -XXX,XX +XXX,XX @@ static const char *cpu_model_advertised_features[] = {
      "sve128", "sve256", "sve384", "sve512",
      "sve640", "sve768", "sve896", "sve1024", "sve1152", "sve1280",
      "sve1408", "sve1536", "sve1664", "sve1792", "sve1920", "sve2048",
 -    "kvm-no-adjvtime",
 +    "kvm-no-adjvtime", "kvm-steal-time",
      NULL
  };
 diff --git a/tests/qtest/arm-cpu-features.c b/tests/qtest/arm-cpu-features.c
 index XXXXXXX..XXXXXXX 100644
 --- a/tests/qtest/arm-cpu-features.c
 +++ b/tests/qtest/arm-cpu-features.c
@@ -XXX,XX +XXX,XX @@ static void test_query_cpu_model_expansion(const void *data)
      assert_set_feature(qts, "max", "pmu", true);
      assert_has_not_feature(qts, "max", "kvm-no-adjvtime");
 +    assert_has_not_feature(qts, "max", "kvm-steal-time");
      if (g_str_equal(qtest_get_arch(), "aarch64")) {
          assert_has_feature_enabled(qts, "max", "aarch64");
@@ -XXX,XX +XXX,XX @@ static void test_query_cpu_model_expansion_kvm(const void *data)
      assert_set_feature(qts, "host", "kvm-no-adjvtime", false);
      if (g_str_equal(qtest_get_arch(), "aarch64")) {
 +        bool kvm_supports_steal_time;
          bool kvm_supports_sve;
          char max_name[8], name[8];
          uint32_t max_vq, vq;
@@ -XXX,XX +XXX,XX @@ static void test_query_cpu_model_expansion_kvm(const void *data)
          QDict *resp;
          char *error;
 +        assert_error(qts, "cortex-a15",
 +            "We cannot guarantee the CPU type 'cortex-a15' works "
 +            "with KVM on this host", NULL);
 +
          assert_has_feature_enabled(qts, "host", "aarch64");
          /* Enabling and disabling pmu should always work. */
@@ -XXX,XX +XXX,XX @@ static void test_query_cpu_model_expansion_kvm(const void *data)
          assert_set_feature(qts, "host", "pmu", false);
          assert_set_feature(qts, "host", "pmu", true);
 -        assert_error(qts, "cortex-a15",
 -            "We cannot guarantee the CPU type 'cortex-a15' works "
 -            "with KVM on this host", NULL);
 -
 +        /*
 +         * Some features would be enabled by default, but they're disabled
 +         * because this instance of KVM doesn't support them. Test that the
 +         * features are present, and, when enabled, issue further tests.
 +         */
 +        assert_has_feature(qts, "host", "kvm-steal-time");
          assert_has_feature(qts, "host", "sve");
 +
          resp = do_query_no_props(qts, "host");
 +        kvm_supports_steal_time = resp_get_feature(resp, "kvm-steal-time");
          kvm_supports_sve = resp_get_feature(resp, "sve");
          vls = resp_get_sve_vls(resp);
          qobject_unref(resp);
 +        if (kvm_supports_steal_time) {
 +            /* If we have steal-time then we should be able to toggle it. */
 +            assert_set_feature(qts, "host", "kvm-steal-time", false);
 +            assert_set_feature(qts, "host", "kvm-steal-time", true);
 +        }
 +
          if (kvm_supports_sve) {
              g_assert(vls != 0);
              max_vq = 64 - __builtin_clzll(vls);
@@ -XXX,XX +XXX,XX @@ static void test_query_cpu_model_expansion_kvm(const void *data)
          assert_has_not_feature(qts, "host", "aarch64");
          assert_has_not_feature(qts, "host", "pmu");
          assert_has_not_feature(qts, "host", "sve");
 +        assert_has_not_feature(qts, "host", "kvm-steal-time");
      }
      qtest_quit(qts);
 --
-.20.1
+.25.1

-[PULL 09/12] hw/arm/virt: Move kvm pmu setup to virt_cpu_post_init
+[PULL 28/33] hw/arm/virt: Reject instantiation of multiple IOMMUs
-From: Andrew Jones <drjones@redhat.com>
+From: Jean-Philippe Brucker <jean-philippe@linaro.org>
-Move the KVM PMU setup part of fdt_add_pmu_nodes() to
+We do not support instantiating multiple IOMMUs. Before adding a
-virt_cpu_post_init(), which is a more appropriate location. Now
+virtio-iommu, check that no other IOMMU is present. This will detect
-fdt_add_pmu_nodes() is also named more appropriately, because it
+both "iommu=smmuv3" machine parameter and another virtio-iommu instance.
 no longer does anything but fdt node creation.
-No functional change intended.
+Fixes: 70e89132c9 ("hw/arm/virt: Add the virtio-iommu device tree mappings")
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Eric Auger <eric.auger@redhat.com>
-Signed-off-by: Andrew Jones <drjones@redhat.com>
+Reviewed-by: Igor Mammedov <imammedo@redhat.com>
-Message-id: 20201001061718.101915-5-drjones@redhat.com
+Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
 Message-id: 20211210170415.583179-4-jean-philippe@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/virt.c | 34 ++++++++++++++++++----------------
+ hw/arm/virt.c | 5 +++++
-file changed, 18 insertions(+), 16 deletions(-)
+file changed, 5 insertions(+)
 diff --git a/hw/arm/virt.c b/hw/arm/virt.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/virt.c
 +++ b/hw/arm/virt.c
-@@ -XXX,XX +XXX,XX @@ static void fdt_add_gic_node(VirtMachineState *vms)
+@@ -XXX,XX +XXX,XX @@ static void virt_machine_device_pre_plug_cb(HotplugHandler *hotplug_dev,
+         hwaddr db_start = 0, db_end = 0;
- static void fdt_add_pmu_nodes(const VirtMachineState *vms)
+         char *resv_prop_str;
- {
--    CPUState *cpu;
++        if (vms->iommu != VIRT_IOMMU_NONE) {
--    ARMCPU *armcpu;
++            error_setg(errp, "virt machine does not support multiple IOMMUs");
-+    ARMCPU *armcpu = ARM_CPU(first_cpu);
++            return;
      uint32_t irqflags = GIC_FDT_IRQ_FLAGS_LEVEL_HI;
 -    CPU_FOREACH(cpu) {
 -        armcpu = ARM_CPU(cpu);
 -        if (!arm_feature(&armcpu->env, ARM_FEATURE_PMU)) {
 -            return;
 -        }
 -        if (kvm_enabled()) {
 -            if (kvm_irqchip_in_kernel()) {
 -                kvm_arm_pmu_set_irq(cpu, PPI(VIRTUAL_PMU_IRQ));
 -            }
 -            kvm_arm_pmu_init(cpu);
 -        }
 +    if (!arm_feature(&armcpu->env, ARM_FEATURE_PMU)) {
 +        assert(!object_property_get_bool(OBJECT(armcpu), "pmu", NULL));
 +        return;
      }
      if (vms->gic_version == VIRT_GIC_VERSION_2) {
@@ -XXX,XX +XXX,XX @@ static void fdt_add_pmu_nodes(const VirtMachineState *vms)
                               (1 << vms->smp_cpus) - 1);
      }
 -    armcpu = ARM_CPU(qemu_get_cpu(0));
      qemu_fdt_add_subnode(vms->fdt, "/pmu");
      if (arm_feature(&armcpu->env, ARM_FEATURE_V8)) {
          const char compat[] = "arm,armv8-pmuv3";
@@ -XXX,XX +XXX,XX @@ static void finalize_gic_version(VirtMachineState *vms)
   */
  static void virt_cpu_post_init(VirtMachineState *vms)
  {
 -    bool aarch64;
 +    bool aarch64, pmu;
 +    CPUState *cpu;
      aarch64 = object_property_get_bool(OBJECT(first_cpu), "aarch64", NULL);
 +    pmu = object_property_get_bool(OBJECT(first_cpu), "pmu", NULL);
 -    if (!kvm_enabled()) {
 +    if (kvm_enabled()) {
 +        CPU_FOREACH(cpu) {
 +            if (pmu) {
 +                assert(arm_feature(&ARM_CPU(cpu)->env, ARM_FEATURE_PMU));
 +                if (kvm_irqchip_in_kernel()) {
 +                    kvm_arm_pmu_set_irq(cpu, PPI(VIRTUAL_PMU_IRQ));
 +                }
 +                kvm_arm_pmu_init(cpu);
 +            }
 +        }
-+    } else {
++
-         if (aarch64 && vms->highmem) {
+         switch (vms->msi_controller) {
-             int requested_pa_size = 64 - clz64(vms->highest_gpa);
+         case VIRT_MSI_CTRL_NONE:
-             int pamax = arm_pamax(ARM_CPU(first_cpu));
+             return;
 --
-.20.1
+.25.1

-[PULL 08/12] hw/arm/virt: Move post cpu realize check into its own function
+[PULL 29/33] hw/arm/virt: Use object_property_set instead of qdev_prop_set
-From: Andrew Jones <drjones@redhat.com>
+From: Jean-Philippe Brucker <jean-philippe@linaro.org>
-We'll add more to this new function in coming patches so we also
+To propagate errors to the caller of the pre_plug callback, use the
-state the gic must be created and call it below create_gic().
+object_poperty_set*() functions directly instead of the qdev_prop_set*()
 helpers.
-No functional change intended.
+Suggested-by: Igor Mammedov <imammedo@redhat.com>
 Reviewed-by: Eric Auger <eric.auger@redhat.com>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Igor Mammedov <imammedo@redhat.com>
-Signed-off-by: Andrew Jones <drjones@redhat.com>
+Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
-Message-id: 20201001061718.101915-4-drjones@redhat.com
+Message-id: 20211210170415.583179-5-jean-philippe@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/virt.c | 43 +++++++++++++++++++++++++++----------------
+ hw/arm/virt.c | 5 +++--
-file changed, 27 insertions(+), 16 deletions(-)
+file changed, 3 insertions(+), 2 deletions(-)
 diff --git a/hw/arm/virt.c b/hw/arm/virt.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/virt.c
 +++ b/hw/arm/virt.c
-@@ -XXX,XX +XXX,XX @@ static void finalize_gic_version(VirtMachineState *vms)
+@@ -XXX,XX +XXX,XX @@ static void virt_machine_device_pre_plug_cb(HotplugHandler *hotplug_dev,
                                          db_start, db_end,
                                          VIRTIO_IOMMU_RESV_MEM_T_MSI);
 -        qdev_prop_set_uint32(dev, "len-reserved-regions", 1);
 -        qdev_prop_set_string(dev, "reserved-regions[0]", resv_prop_str);
 +        object_property_set_uint(OBJECT(dev), "len-reserved-regions", 1, errp);
 +        object_property_set_str(OBJECT(dev), "reserved-regions[0]",
 +                                resv_prop_str, errp);
          g_free(resv_prop_str);
      }
  }
-+/*
-+ * virt_cpu_post_init() must be called after the CPUs have
-+ * been realized and the GIC has been created.
-+ */
-+static void virt_cpu_post_init(VirtMachineState *vms)
-+{
-+    bool aarch64;
-+
-+    aarch64 = object_property_get_bool(OBJECT(first_cpu), "aarch64", NULL);
-+
-+    if (!kvm_enabled()) {
-+        if (aarch64 && vms->highmem) {
-+            int requested_pa_size = 64 - clz64(vms->highest_gpa);
-+            int pamax = arm_pamax(ARM_CPU(first_cpu));
-+
-+            if (pamax < requested_pa_size) {
-+                error_report("VCPU supports less PA bits (%d) than "
-+                             "requested by the memory map (%d)",
-+                             pamax, requested_pa_size);
-+                exit(1);
-+            }
-+        }
-+    }
-+}
-+
- static void machvirt_init(MachineState *machine)
- {
-     VirtMachineState *vms = VIRT_MACHINE(machine);
-@@ -XXX,XX +XXX,XX @@ static void machvirt_init(MachineState *machine)
-     fdt_add_timer_nodes(vms);
-     fdt_add_cpu_nodes(vms);
--   if (!kvm_enabled()) {
--        ARMCPU *cpu = ARM_CPU(first_cpu);
--        bool aarch64 = object_property_get_bool(OBJECT(cpu), "aarch64", NULL);
--
--        if (aarch64 && vms->highmem) {
--            int requested_pa_size, pamax = arm_pamax(cpu);
--
--            requested_pa_size = 64 - clz64(vms->highest_gpa);
--            if (pamax < requested_pa_size) {
--                error_report("VCPU supports less PA bits (%d) than requested "
--                            "by the memory map (%d)", pamax, requested_pa_size);
--                exit(1);
--            }
--        }
--    }
--
-     memory_region_add_subregion(sysmem, vms->memmap[VIRT_MEM].base,
-                                 machine->ram);
-     if (machine->device_memory) {
-@@ -XXX,XX +XXX,XX @@ static void machvirt_init(MachineState *machine)
-     create_gic(vms);
-+    virt_cpu_post_init(vms);
-+
-     fdt_add_pmu_nodes(vms);
-     create_uart(vms, VIRT_UART, sysmem, serial_hd(0));
 --
-.20.1
+.25.1

-[PULL 06/12] linux headers: sync to 5.9-rc7
+[PULL 30/33] tests/acpi: allow updates of VIOT expected data files
-From: Andrew Jones <drjones@redhat.com>
+From: Jean-Philippe Brucker <jean-philippe@linaro.org>
-Update against Linux 5.9-rc7.
+Create empty data files and allow updates for the upcoming VIOT tests.
-Cc: Paolo Bonzini <pbonzini@redhat.com>
+Acked-by: Igor Mammedov <imammedo@redhat.com>
-Signed-off-by: Andrew Jones <drjones@redhat.com>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
-Message-id: 20201001061718.101915-2-drjones@redhat.com
+Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
 Message-id: 20211210170415.583179-6-jean-philippe@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- linux-headers/linux/kvm.h | 6 ++++--
+ tests/qtest/bios-tables-test-allowed-diff.h | 3 +++
-file changed, 4 insertions(+), 2 deletions(-)
+ tests/data/acpi/q35/DSDT.viot               | 0
  tests/data/acpi/q35/VIOT.viot               | 0
  tests/data/acpi/virt/VIOT                   | 0
 files changed, 3 insertions(+)
  create mode 100644 tests/data/acpi/q35/DSDT.viot
  create mode 100644 tests/data/acpi/q35/VIOT.viot
  create mode 100644 tests/data/acpi/virt/VIOT
-diff --git a/linux-headers/linux/kvm.h b/linux-headers/linux/kvm.h
+diff --git a/tests/qtest/bios-tables-test-allowed-diff.h b/tests/qtest/bios-tables-test-allowed-diff.h
 index XXXXXXX..XXXXXXX 100644
---- a/linux-headers/linux/kvm.h
+--- a/tests/qtest/bios-tables-test-allowed-diff.h
-+++ b/linux-headers/linux/kvm.h
++++ b/tests/qtest/bios-tables-test-allowed-diff.h
-@@ -XXX,XX +XXX,XX @@ struct kvm_ppc_resize_hpt {
+@@ -1 +1,4 @@
- #define KVM_VM_PPC_HV 1
+ /* List of comma-separated changed AML files to ignore */
- #define KVM_VM_PPC_PR 2
++"tests/data/acpi/virt/VIOT",
++"tests/data/acpi/q35/DSDT.viot",
--/* on MIPS, 0 forces trap & emulate, 1 forces VZ ASE */
++"tests/data/acpi/q35/VIOT.viot",
--#define KVM_VM_MIPS_TE        0
+diff --git a/tests/data/acpi/q35/DSDT.viot b/tests/data/acpi/q35/DSDT.viot
-+/* on MIPS, 0 indicates auto, 1 forces VZ ASE, 2 forces trap & emulate */
+new file mode 100644
-+#define KVM_VM_MIPS_AUTO    0
+index XXXXXXX..XXXXXXX
- #define KVM_VM_MIPS_VZ        1
+diff --git a/tests/data/acpi/q35/VIOT.viot b/tests/data/acpi/q35/VIOT.viot
-+#define KVM_VM_MIPS_TE        2
+new file mode 100644
+index XXXXXXX..XXXXXXX
- #define KVM_S390_SIE_PAGE_OFFSET 1
+diff --git a/tests/data/acpi/virt/VIOT b/tests/data/acpi/virt/VIOT
+new file mode 100644
-@@ -XXX,XX +XXX,XX @@ struct kvm_ppc_resize_hpt {
+index XXXXXXX..XXXXXXX
  #define KVM_CAP_LAST_CPU 184
  #define KVM_CAP_SMALLER_MAXPHYADDR 185
  #define KVM_CAP_S390_DIAG318 186
 +#define KVM_CAP_STEAL_TIME 187
  #ifdef KVM_CAP_IRQ_ROUTING
 --
-.20.1
+.25.1

-[PULL 07/12] target/arm/kvm: Make uncalled stubs explicitly unreachable
+[PULL 31/33] tests/acpi: add test case for VIOT
-From: Andrew Jones <drjones@redhat.com>
+From: Jean-Philippe Brucker <jean-philippe@linaro.org>
-When we compile without KVM support !defined(CONFIG_KVM) we generate
+Add two test cases for VIOT, one on the q35 machine and the other on
-stubs for functions that the linker will still encounter. Sometimes
+virt. To test complex topologies the q35 test has two PCIe buses that
-these stubs can be executed safely and are placed in paths where they
+bypass the IOMMU (and are therefore not described by VIOT), and two
-get executed with or without KVM. Other functions should never be
+buses that are translated by virtio-iommu.
 called without KVM. Those functions should be guarded by kvm_enabled(),
 but should also be robust to refactoring mistakes. Putting a
 g_assert_not_reached() in the function should help. Additionally,
 the g_assert_not_reached() calls may actually help the linker remove
 some code.
 We remove the stubs for kvm_arm_get/put_virtual_time(), as they aren't
 necessary at all - the only caller is in kvm.c
 Reviewed-by: Eric Auger <eric.auger@redhat.com>
-Signed-off-by: Andrew Jones <drjones@redhat.com>
+Reviewed-by: Igor Mammedov <imammedo@redhat.com>
-Message-id: 20201001061718.101915-3-drjones@redhat.com
+Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
 Message-id: 20211210170415.583179-7-jean-philippe@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/kvm_arm.h | 51 +++++++++++++++++++++++++++-----------------
+ tests/qtest/bios-tables-test.c | 38 ++++++++++++++++++++++++++++++++++
-file changed, 32 insertions(+), 19 deletions(-)
+file changed, 38 insertions(+)
-diff --git a/target/arm/kvm_arm.h b/target/arm/kvm_arm.h
+diff --git a/tests/qtest/bios-tables-test.c b/tests/qtest/bios-tables-test.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/kvm_arm.h
+--- a/tests/qtest/bios-tables-test.c
-+++ b/target/arm/kvm_arm.h
++++ b/tests/qtest/bios-tables-test.c
-@@ -XXX,XX +XXX,XX @@ int kvm_arm_set_irq(int cpu, int irqtype, int irq, int level);
+@@ -XXX,XX +XXX,XX @@ static void test_acpi_virt_tcg(void)
+     free_test_data(&data);
  #else
 -static inline void kvm_arm_set_cpu_features_from_host(ARMCPU *cpu)
 -{
 -    /*
 -     * This should never actually be called in the "not KVM" case,
 -     * but set up the fields to indicate an error anyway.
 -     */
 -    cpu->kvm_target = QEMU_KVM_ARM_TARGET_NONE;
 -    cpu->host_cpu_probe_failed = true;
 -}
 -
 -static inline void kvm_arm_add_vcpu_properties(Object *obj) {}
 -
 +/*
 + * It's safe to call these functions without KVM support.
 + * They should either do nothing or return "not supported".
 + */
  static inline bool kvm_arm_aarch32_supported(void)
  {
      return false;
@@ -XXX,XX +XXX,XX @@ static inline bool kvm_arm_sve_supported(void)
      return false;
  }
-+/*
++static void test_acpi_q35_viot(void)
 + * These functions should never actually be called without KVM support.
 + */
 +static inline void kvm_arm_set_cpu_features_from_host(ARMCPU *cpu)
 +{
-+    g_assert_not_reached();
++    test_data data = {
 +        .machine = MACHINE_Q35,
 +        .variant = ".viot",
 +    };
 +
 +    /*
 +     * To keep things interesting, two buses bypass the IOMMU.
 +     * VIOT should only describes the other two buses.
 +     */
 +    test_acpi_one("-machine default_bus_bypass_iommu=on "
 +                  "-device virtio-iommu-pci "
 +                  "-device pxb-pcie,bus_nr=0x10,id=pcie.100,bus=pcie.0 "
 +                  "-device pxb-pcie,bus_nr=0x20,id=pcie.200,bus=pcie.0,bypass_iommu=on "
 +                  "-device pxb-pcie,bus_nr=0x30,id=pcie.300,bus=pcie.0",
 +                  &data);
 +    free_test_data(&data);
 +}
 +
-+static inline void kvm_arm_add_vcpu_properties(Object *obj)
++static void test_acpi_virt_viot(void)
 +{
-+    g_assert_not_reached();
++    test_data data = {
 +        .machine = "virt",
 +        .uefi_fl1 = "pc-bios/edk2-aarch64-code.fd",
 +        .uefi_fl2 = "pc-bios/edk2-arm-vars.fd",
 +        .cd = "tests/data/uefi-boot-images/bios-tables-test.aarch64.iso.qcow2",
 +        .ram_start = 0x40000000ULL,
 +        .scan_len = 128ULL * 1024 * 1024,
 +    };
 +
 +    test_acpi_one("-cpu cortex-a57 "
 +                  "-device virtio-iommu-pci", &data);
 +    free_test_data(&data);
 +}
 +
- static inline int kvm_arm_get_max_vm_ipa_size(MachineState *ms)
+ static void test_oem_fields(test_data *data)
  {
--    return -ENOENT;
+     int i;
-+    g_assert_not_reached();
+@@ -XXX,XX +XXX,XX @@ int main(int argc, char *argv[])
- }
+             qtest_add_func("acpi/q35/kvm/xapic", test_acpi_q35_kvm_xapic);
+             qtest_add_func("acpi/q35/kvm/dmar", test_acpi_q35_kvm_dmar);
- static inline int kvm_arm_vgic_probe(void)
+         }
- {
++        qtest_add_func("acpi/q35/viot", test_acpi_q35_viot);
--    return 0;
+     } else if (strcmp(arch, "aarch64") == 0) {
-+    g_assert_not_reached();
+         if (has_tcg) {
- }
+             qtest_add_func("acpi/virt", test_acpi_virt_tcg);
+@@ -XXX,XX +XXX,XX @@ int main(int argc, char *argv[])
--static inline void kvm_arm_pmu_set_irq(CPUState *cs, int irq) {}
+             qtest_add_func("acpi/virt/memhp", test_acpi_virt_tcg_memhp);
--static inline void kvm_arm_pmu_init(CPUState *cs) {}
+             qtest_add_func("acpi/virt/pxb", test_acpi_virt_tcg_pxb);
-+static inline void kvm_arm_pmu_set_irq(CPUState *cs, int irq)
+             qtest_add_func("acpi/virt/oem-fields", test_acpi_oem_fields_virt);
-+{
++            qtest_add_func("acpi/virt/viot", test_acpi_virt_viot);
-+    g_assert_not_reached();
+         }
-+}
+     }
+     ret = g_test_run();
 -static inline void kvm_arm_sve_get_vls(CPUState *cs, unsigned long *map) {}
 +static inline void kvm_arm_pmu_init(CPUState *cs)
 +{
 +    g_assert_not_reached();
 +}
 +
 +static inline void kvm_arm_sve_get_vls(CPUState *cs, unsigned long *map)
 +{
 +    g_assert_not_reached();
 +}
 -static inline void kvm_arm_get_virtual_time(CPUState *cs) {}
 -static inline void kvm_arm_put_virtual_time(CPUState *cs) {}
  #endif
  static inline const char *gic_class_name(void)
 --
-.20.1
+.25.1

-New patch
+[PULL 32/33] tests/acpi: add expected blobs for VIOT test on q35 machine
+From: Jean-Philippe Brucker <jean-philippe@linaro.org>
 Add expected blobs of the VIOT and DSDT table for the VIOT test on the
 q35 machine.
 Since the test instantiates a virtio device and two PCIe expander
 bridges, DSDT.viot has more blocks than the base DSDT.
 The VIOT table generated for the q35 test is:
 [000h 0000   4]                    Signature : "VIOT"    [Virtual I/O Translation Table]
 [004h 0004   4]                 Table Length : 00000070
 [008h 0008   1]                     Revision : 00
 [009h 0009   1]                     Checksum : 3D
 [00Ah 0010   6]                       Oem ID : "BOCHS "
 [010h 0016   8]                 Oem Table ID : "BXPC    "
 [018h 0024   4]                 Oem Revision : 00000001
 [01Ch 0028   4]              Asl Compiler ID : "BXPC"
 [020h 0032   4]        Asl Compiler Revision : 00000001
 [024h 0036   2]                   Node count : 0003
 [026h 0038   2]                  Node offset : 0030
 [028h 0040   8]                     Reserved : 0000000000000000
 [030h 0048   1]                         Type : 03 [VirtIO-PCI IOMMU]
 [031h 0049   1]                     Reserved : 00
 [032h 0050   2]                       Length : 0010
 [034h 0052   2]                  PCI Segment : 0000
 [036h 0054   2]               PCI BDF number : 0010
 [038h 0056   8]                     Reserved : 0000000000000000
 [040h 0064   1]                         Type : 01 [PCI Range]
 [041h 0065   1]                     Reserved : 00
 [042h 0066   2]                       Length : 0018
 [044h 0068   4]               Endpoint start : 00003000
 [048h 0072   2]            PCI Segment start : 0000
 [04Ah 0074   2]              PCI Segment end : 0000
 [04Ch 0076   2]                PCI BDF start : 3000
 [04Eh 0078   2]                  PCI BDF end : 30FF
 [050h 0080   2]                  Output node : 0030
 [052h 0082   6]                     Reserved : 000000000000
 [058h 0088   1]                         Type : 01 [PCI Range]
 [059h 0089   1]                     Reserved : 00
 [05Ah 0090   2]                       Length : 0018
 [05Ch 0092   4]               Endpoint start : 00001000
 [060h 0096   2]            PCI Segment start : 0000
 [062h 0098   2]              PCI Segment end : 0000
 [064h 0100   2]                PCI BDF start : 1000
 [066h 0102   2]                  PCI BDF end : 10FF
 [068h 0104   2]                  Output node : 0030
 [06Ah 0106   6]                     Reserved : 000000000000
 And the DSDT diff is:
@@ -XXX,XX +XXX,XX @@
   *
   * Disassembling to symbolic ASL+ operators
   *
 - * Disassembly of tests/data/acpi/q35/DSDT, Fri Dec 10 15:03:08 2021
 + * Disassembly of /tmp/aml-H9Y5D1, Fri Dec 10 15:02:27 2021
   *
   * Original Table Header:
   *     Signature        "DSDT"
 - *     Length           0x00002061 (8289)
 + *     Length           0x000024B6 (9398)
   *     Revision         0x01 **** 32-bit table (V1), no 64-bit math support
 - *     Checksum         0xFA
 + *     Checksum         0xA7
   *     OEM ID           "BOCHS "
   *     OEM Table ID     "BXPC    "
   *     OEM Revision     0x00000001 (1)
@@ -XXX,XX +XXX,XX @@
          }
      }
 +    Scope (\_SB)
 +    {
 +        Device (PC30)
 +        {
 +            Name (_UID, 0x30)  // _UID: Unique ID
 +            Name (_BBN, 0x30)  // _BBN: BIOS Bus Number
 +            Name (_HID, EisaId ("PNP0A08") /* PCI Express Bus */)  // _HID: Hardware ID
 +            Name (_CID, EisaId ("PNP0A03") /* PCI Bus */)  // _CID: Compatible ID
 +            Method (_OSC, 4, NotSerialized)  // _OSC: Operating System Capabilities
 +            {
 +                CreateDWordField (Arg3, Zero, CDW1)
 +                If ((Arg0 == ToUUID ("33db4d5b-1ff7-401c-9657-7441c03dd766") /* PCI Host Bridge Device */))
 +                {
 +                    CreateDWordField (Arg3, 0x04, CDW2)
 +                    CreateDWordField (Arg3, 0x08, CDW3)
 +                    Local0 = CDW3 /* \_SB_.PC30._OSC.CDW3 */
 +                    Local0 &= 0x1F
 +                    If ((Arg1 != One))
 +                    {
 +                        CDW1 |= 0x08
 +                    }
 +
 +                    If ((CDW3 != Local0))
 +                    {
 +                        CDW1 |= 0x10
 +                    }
 +
 +                    CDW3 = Local0
 +                }
 +                Else
 +                {
 +                    CDW1 |= 0x04
 +                }
 +
 +                Return (Arg3)
 +            }
 +
 +            Method (_PRT, 0, NotSerialized)  // _PRT: PCI Routing Table
 +            {
 +                Local0 = Package (0x80){}
 +                Local1 = Zero
 +                While ((Local1 < 0x80))
 +                {
 +                    Local2 = (Local1 >> 0x02)
 +                    Local3 = ((Local1 + Local2) & 0x03)
 +                    If ((Local3 == Zero))
 +                    {
 +                        Local4 = Package (0x04)
 +                            {
 +                                Zero,
 +                                Zero,
 +                                LNKD,
 +                                Zero
 +                            }
 +                    }
 +
 +                    If ((Local3 == One))
 +                    {
 +                        Local4 = Package (0x04)
 +                            {
 +                                Zero,
 +                                Zero,
 +                                LNKA,
 +                                Zero
 +                            }
 +                    }
 +
 +                    If ((Local3 == 0x02))
 +                    {
 +                        Local4 = Package (0x04)
 +                            {
 +                                Zero,
 +                                Zero,
 +                                LNKB,
 +                                Zero
 +                            }
 +                    }
 +
 +                    If ((Local3 == 0x03))
 +                    {
 +                        Local4 = Package (0x04)
 +                            {
 +                                Zero,
 +                                Zero,
 +                                LNKC,
 +                                Zero
 +                            }
 +                    }
 +
 +                    Local4 [Zero] = ((Local2 << 0x10) | 0xFFFF)
 +                    Local4 [One] = (Local1 & 0x03)
 +                    Local0 [Local1] = Local4
 +                    Local1++
 +                }
 +
 +                Return (Local0)
 +            }
 +
 +            Name (_CRS, ResourceTemplate ()  // _CRS: Current Resource Settings
 +            {
 +                WordBusNumber (ResourceProducer, MinFixed, MaxFixed, PosDecode,
 +                    0x0000,             // Granularity
 +                    0x0030,             // Range Minimum
 +                    0x0030,             // Range Maximum
 +                    0x0000,             // Translation Offset
 +                    0x0001,             // Length
 +                    ,, )
 +            })
 +        }
 +    }
 +
 +    Scope (\_SB)
 +    {
 +        Device (PC20)
 +        {
 +            Name (_UID, 0x20)  // _UID: Unique ID
 +            Name (_BBN, 0x20)  // _BBN: BIOS Bus Number
 +            Name (_HID, EisaId ("PNP0A08") /* PCI Express Bus */)  // _HID: Hardware ID
 +            Name (_CID, EisaId ("PNP0A03") /* PCI Bus */)  // _CID: Compatible ID
 +            Method (_OSC, 4, NotSerialized)  // _OSC: Operating System Capabilities
 +            {
 +                CreateDWordField (Arg3, Zero, CDW1)
 +                If ((Arg0 == ToUUID ("33db4d5b-1ff7-401c-9657-7441c03dd766") /* PCI Host Bridge Device */))
 +                {
 +                    CreateDWordField (Arg3, 0x04, CDW2)
 +                    CreateDWordField (Arg3, 0x08, CDW3)
 +                    Local0 = CDW3 /* \_SB_.PC20._OSC.CDW3 */
 +                    Local0 &= 0x1F
 +                    If ((Arg1 != One))
 +                    {
 +                        CDW1 |= 0x08
 +                    }
 +
 +                    If ((CDW3 != Local0))
 +                    {
 +                        CDW1 |= 0x10
 +                    }
 +
 +                    CDW3 = Local0
 +                }
 +                Else
 +                {
 +                    CDW1 |= 0x04
 +                }
 +
 +                Return (Arg3)
 +            }
 +
 +            Method (_PRT, 0, NotSerialized)  // _PRT: PCI Routing Table
 +            {
 +                Local0 = Package (0x80){}
 +                Local1 = Zero
 +                While ((Local1 < 0x80))
 +                {
 +                    Local2 = (Local1 >> 0x02)
 +                    Local3 = ((Local1 + Local2) & 0x03)
 +                    If ((Local3 == Zero))
 +                    {
 +                        Local4 = Package (0x04)
 +                            {
 +                                Zero,
 +                                Zero,
 +                                LNKD,
 +                                Zero
 +                            }
 +                    }
 +
 +                    If ((Local3 == One))
 +                    {
 +                        Local4 = Package (0x04)
 +                            {
 +                                Zero,
 +                                Zero,
 +                                LNKA,
 +                                Zero
 +                            }
 +                    }
 +
 +                    If ((Local3 == 0x02))
 +                    {
 +                        Local4 = Package (0x04)
 +                            {
 +                                Zero,
 +                                Zero,
 +                                LNKB,
 +                                Zero
 +                            }
 +                    }
 +
 +                    If ((Local3 == 0x03))
 +                    {
 +                        Local4 = Package (0x04)
 +                            {
 +                                Zero,
 +                                Zero,
 +                                LNKC,
 +                                Zero
 +                            }
 +                    }
 +
 +                    Local4 [Zero] = ((Local2 << 0x10) | 0xFFFF)
 +                    Local4 [One] = (Local1 & 0x03)
 +                    Local0 [Local1] = Local4
 +                    Local1++
 +                }
 +
 +                Return (Local0)
 +            }
 +
 +            Name (_CRS, ResourceTemplate ()  // _CRS: Current Resource Settings
 +            {
 +                WordBusNumber (ResourceProducer, MinFixed, MaxFixed, PosDecode,
 +                    0x0000,             // Granularity
 +                    0x0020,             // Range Minimum
 +                    0x0020,             // Range Maximum
 +                    0x0000,             // Translation Offset
 +                    0x0001,             // Length
 +                    ,, )
 +            })
 +        }
 +    }
 +
 +    Scope (\_SB)
 +    {
 +        Device (PC10)
 +        {
 +            Name (_UID, 0x10)  // _UID: Unique ID
 +            Name (_BBN, 0x10)  // _BBN: BIOS Bus Number
 +            Name (_HID, EisaId ("PNP0A08") /* PCI Express Bus */)  // _HID: Hardware ID
 +            Name (_CID, EisaId ("PNP0A03") /* PCI Bus */)  // _CID: Compatible ID
 +            Method (_OSC, 4, NotSerialized)  // _OSC: Operating System Capabilities
 +            {
 +                CreateDWordField (Arg3, Zero, CDW1)
 +                If ((Arg0 == ToUUID ("33db4d5b-1ff7-401c-9657-7441c03dd766") /* PCI Host Bridge Device */))
 +                {
 +                    CreateDWordField (Arg3, 0x04, CDW2)
 +                    CreateDWordField (Arg3, 0x08, CDW3)
 +                    Local0 = CDW3 /* \_SB_.PC10._OSC.CDW3 */
 +                    Local0 &= 0x1F
 +                    If ((Arg1 != One))
 +                    {
 +                        CDW1 |= 0x08
 +                    }
 +
 +                    If ((CDW3 != Local0))
 +                    {
 +                        CDW1 |= 0x10
 +                    }
 +
 +                    CDW3 = Local0
 +                }
 +                Else
 +                {
 +                    CDW1 |= 0x04
 +                }
 +
 +                Return (Arg3)
 +            }
 +
 +            Method (_PRT, 0, NotSerialized)  // _PRT: PCI Routing Table
 +            {
 +                Local0 = Package (0x80){}
 +                Local1 = Zero
 +                While ((Local1 < 0x80))
 +                {
 +                    Local2 = (Local1 >> 0x02)
 +                    Local3 = ((Local1 + Local2) & 0x03)
 +                    If ((Local3 == Zero))
 +                    {
 +                        Local4 = Package (0x04)
 +                            {
 +                                Zero,
 +                                Zero,
 +                                LNKD,
 +                                Zero
 +                            }
 +                    }
 +
 +                    If ((Local3 == One))
 +                    {
 +                        Local4 = Package (0x04)
 +                            {
 +                                Zero,
 +                                Zero,
 +                                LNKA,
 +                                Zero
 +                            }
 +                    }
 +
 +                    If ((Local3 == 0x02))
 +                    {
 +                        Local4 = Package (0x04)
 +                            {
 +                                Zero,
 +                                Zero,
 +                                LNKB,
 +                                Zero
 +                            }
 +                    }
 +
 +                    If ((Local3 == 0x03))
 +                    {
 +                        Local4 = Package (0x04)
 +                            {
 +                                Zero,
 +                                Zero,
 +                                LNKC,
 +                                Zero
 +                            }
 +                    }
 +
 +                    Local4 [Zero] = ((Local2 << 0x10) | 0xFFFF)
 +                    Local4 [One] = (Local1 & 0x03)
 +                    Local0 [Local1] = Local4
 +                    Local1++
 +                }
 +
 +                Return (Local0)
 +            }
 +
 +            Name (_CRS, ResourceTemplate ()  // _CRS: Current Resource Settings
 +            {
 +                WordBusNumber (ResourceProducer, MinFixed, MaxFixed, PosDecode,
 +                    0x0000,             // Granularity
 +                    0x0010,             // Range Minimum
 +                    0x0010,             // Range Maximum
 +                    0x0000,             // Translation Offset
 +                    0x0001,             // Length
 +                    ,, )
 +            })
 +        }
 +    }
 +
      Scope (\_SB.PCI0)
      {
          Name (_CRS, ResourceTemplate ()  // _CRS: Current Resource Settings
@@ -XXX,XX +XXX,XX @@
              WordBusNumber (ResourceProducer, MinFixed, MaxFixed, PosDecode,
 x0000,             // Granularity
 x0000,             // Range Minimum
 -                0x00FF,             // Range Maximum
 +                0x000F,             // Range Maximum
 x0000,             // Translation Offset
 -                0x0100,             // Length
 +                0x0010,             // Length
                  ,, )
              IO (Decode16,
 x0CF8,             // Range Minimum
@@ -XXX,XX +XXX,XX @@
                  }
              }
 +            Device (S10)
 +            {
 +                Name (_ADR, 0x00020000)  // _ADR: Address
 +            }
 +
 +            Device (S18)
 +            {
 +                Name (_ADR, 0x00030000)  // _ADR: Address
 +            }
 +
 +            Device (S20)
 +            {
 +                Name (_ADR, 0x00040000)  // _ADR: Address
 +            }
 +
 +            Device (S28)
 +            {
 +                Name (_ADR, 0x00050000)  // _ADR: Address
 +            }
 +
              Method (PCNT, 0, NotSerialized)
              {
              }
 Reviewed-by: Eric Auger <eric.auger@redhat.com>
 Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
 Message-id: 20211210170415.583179-8-jean-philippe@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
  tests/qtest/bios-tables-test-allowed-diff.h |   2 --
  tests/data/acpi/q35/DSDT.viot               | Bin 0 -> 9398 bytes
  tests/data/acpi/q35/VIOT.viot               | Bin 0 -> 112 bytes
 files changed, 2 deletions(-)
 diff --git a/tests/qtest/bios-tables-test-allowed-diff.h b/tests/qtest/bios-tables-test-allowed-diff.h
 index XXXXXXX..XXXXXXX 100644
 --- a/tests/qtest/bios-tables-test-allowed-diff.h
 +++ b/tests/qtest/bios-tables-test-allowed-diff.h
@@ -XXX,XX +XXX,XX @@
  /* List of comma-separated changed AML files to ignore */
  "tests/data/acpi/virt/VIOT",
 -"tests/data/acpi/q35/DSDT.viot",
 -"tests/data/acpi/q35/VIOT.viot",
 diff --git a/tests/data/acpi/q35/DSDT.viot b/tests/data/acpi/q35/DSDT.viot
 index XXXXXXX..XXXXXXX 100644
 GIT binary patch
 literal 9398
 zcmeHNO>7&-8J*>iv|O&FB}G~Oi$yp||57BBoWHhc5OS9yDTx$CQgH$r;8Idr*-4Q_
 z5(9Az1F`}niVsB-)<KW7p`g9Br(A2Gm-gmc1N78GFS!;)e2V(MnH_0{q<{#yMgn&C
 zn|*J-d9yqFhO_H6z19~`FlPL*u<DkZ*}|)JH;X@mF-FI<cPg<fti9tEN*yB^i5czN
 zNq&q?!OZ;BE3B7{KWzJ-`Tn~f`9?Qj8~2^N8{Oc8J%57{==w%rS#;nOCp*nTr@iZ1
 zb+?i;JLQUJ=O0?8*>S~D)a>NF1~WVB6^~_B#yhJ`H+JU@=6aXs`?Yv)J2h=N?drcS
 zeLZ*n<<Bm^n}6`jfBx#u8&(W}1?)}iF9o#mZ~E2+zwdn7yK3AbIzKnxpZ>JRPm3~#
 z&ICS{+_OayRW-l=Mtk=~uaS3o8z<_udd|(wqg`&JnVPfCe>BUOO`Su3e>pff_^UW%
 z&JE^NO`)=Amg~iqRB1pPscP?(>#ZuY8GHCmlEvD$9g3%4Db~Dfz2SATnddvrR-Oe^
 z;s;dJec!hnzi)ri^I6YN9vtkm{^TdUF8h7gX8-<Qe4p)GQ=)AtYx2VcwdLVAEXEjG
 z^Mj|UHPqkj-LsWuzQem1>F3atdZn=zv3$#RmZzSHN+6-yyU#8cJb=YDilX&sl}vNm
 znkgAR^O<3kj4if>{ly5fwRfMWuC5=lrlvKPX~i#654Cp}R_d*JS$9laZ$ra6)<ns8
 zFZy28G%xP(nit&F>LDi%G<tIc=TY=gl$jSD&Uv!Yat~XR46h%rI$!}a%!|xG7u8Zn
 zeY8_|n=K>xz_v_W8VX$W-Fg-qFWcT}7MCyz{%%{ia7hZ>Law-k6NOr}VI&_48U=2l
 zwqDKFE8eTwwozDdms#e?x?5a|v>&JF;2_v0L~z5n%BYU^52<*cWuD4|GYUm@1+?))
 zte^45>Rz)t*<T5V#={r>@t@{%?^i#W{i=HAZ*Dc9y59Va-+#P!jrGs;u38a{fLr`N
 zvT@rUu>DljxJ?^&Z?-?vyJn3C>3D=qux{Y*bs5|5n)Qmi$TD^Zdn4GU$ocJS2Hh-<
 z`xPI^^+v0nUVdjMos8k`WGl7hA`{03ju%<lrgAHSpd^DRf-*}_#Ly0mB!LSfVgWcQ
 z&T$@~G9)JI=hz5m0vkrel+Xy{Oh7pkAu-V!j*W7rY(bO}Q$nMH2`FbGB&N)QaV4<4
 zo)~9JXiP9=;}NPl<C@MmXG&;XFlFNrsyfFsonxFSp<}vEgsRSQP3O3#b6nSnP}ON_
 zI!#Tdsp~|j>ckUB>FI=~GokB5sOq#dotCE4(sd$KbtW~PNlj-`*NIToiD#j5J#9^=
 zt?NXn>YUJYPG~wObe#xQos*i*NloXZt`niEb4t@WrRki~bs|)CI+{*L)9L6s5vn><
 zn$DD_Go|Z9sOn5>I@6lYw5}7Os&iV?Ij!lO)^#FOb!If38BJ$K*NIToIiu;E(R9w}
 zIuWWmPiZ<&X*y5oIuWWmF_XaEC!a&Jn$B5WCqh-{X-(&8P3LJ{Cqh-{8P3dyPr@^t
 zSqL9?X9Uwd3W@23*s~h*tj0X6GZCuHa~kuU#yqDp5vt7d8uPryJg+kms?5hU=3^T3
 zF`bD}WnSP+=`t5MQ$FJ_2&Q~+BP6E0f^%BVIW6a$o)e+SX~IDBih-7z6{O~7YTy`&
 zLjy&Cv?7QikV#>n0>>@MV8oK`Gmun34-FKdlm-J8SZSaNlnhir4-FI{S|bfqV8e)V
 zss<{chX#reE#g=hsKAC%sF6d-Km}BWs!kZFsFpKfpbC@>6rprQGEjt4Ck#|zITHq|
 zK*>M_l;<P^MJRQ`Kn0dFVW0|>3{*fllMEE0)CmI>Sk8ojDo`>|0p(0GP=xY&!axO<
 zGhv_#lnhirIg<<&q0|Wj6<E%MfhtfkPyyvkGEjt4Ck#|zITHq|K*>M_lrzad5lWpf
 zP=V!47^ngz0~JutBm+e#b;3XemNQ|X3X}{~Ksl2P6rt1!0~J`#gn=qhGEf2KOfpb}
 zQYQ>lU^x>8szAv=1(Y+%KoLrvFi?TzOc<yFB?A>u&LjgxD0RX>1(q{mpbC@>R6seC
 z3>2Z%2?G^a&V+#~P%=;f<xDbAgi<FARA4z12C6{GKn0XD$v_cGoiI>=<xCi;0wn_#
 zP|hR+MJRQ`Kn0dFVW0|>3{*fllMEE0)CmI>Sk8ojDo`>|0p(0GP=rz^3{+q_69%e4
 z$v_2^Gs!>^N}VuJf#pmXr~)Me6;RG314Srx!axxz28u{EP=u<1B2)}iVZuNaCK;&0
 zBm-5LFi?dF167!0pbC==RAItE6($T+VUmF=Ofpb~2?JG_Fi?d_2C6X0Kouqo6p_5T
 zFi=FeV!SiSKoR0H$dH(_Z(*Q_WZ%L-5y`$K14StNmJAdjmWs}HV4<vU_xO+1efmLq
 zZ;W>N_U)fP6Qy6Nw5mbt9Y(#emWSi66=>tq#xoh#Ue=0qyhxi8ZOUe5y0V7VfPUhp
 zwX=;ymc+i5%sg9Ja~lZ&8oAV@mHc>&CHP9v4R(jhtT?un;O4e9#pno)Xkh7OWgK&a
 zyj=3Iv0OuoK_;5rOr5f(Kb~ZXDBO+V`OWYo#_C08imwChQxnjdd?wZLDou8aj;$SD
 zGDYiA3<$Tu<JnHL(KPOChi#zrR32t83}naR$+ym4P_h?z_5#|cW-nw$XD_sOtE62l
 zrD3@*)NVyiklt0&yF9%+klsBey&I<Y2E<!f(E8TuJte)z(|ZHyy<^gQVfx}=`q&B5
 z7nSryp1wGczIaUfVwiq$Fn#<4=@*ssi#+|}K>EdF(l3VTOM~ghPLRH&q%ZOGrGfON
 zW73zx^yR_y<0nX8R??Sw`tm^f@-gYlNFSp|*<gA{q?Zp5Oe-+l#rmyYmKozi9y=P>
 zVReJU*h=ZuVXiS$ohTbw-O#v9>(yZbGE|)?8(H1ZIKvV!jWa0>vy!3eMA^vdhQ>`s
 zuMSg{q3T50$m)j1!HixV<}X9liL#N^4c*tL^y)CF8LCc{jjV3yKAqL8!%SzWI#H%q
 z=bSrQ&)%JCRttF5g4Zf`6l?y@>PzD7MA^D>wBlcH6r1ucwJ<p0O%rZ?JzIY3-QdmZ
 zzs|n>`a5r3e|z)wcUaqS>nqFQ-8x}eCF4u`OWUxqst-@1rSmUs%WmKP5e0dcb?e2N
 z;Z|x*!);VwF|Yuhqs^khqOM!@u*jY!WYldISF(V6`BoNd&6Qfk3>X#SuD^7J>p_D=
 zBPa51y^_n#=cpOt#Zf$ya$Ae9Mfz56n|<i!a=ELS@)%a{^NIH3SDuN<R~sah1km#P
 zU@?*f%<rG=4W1wgfi;C?_n|W@%lm$&8YfvNOJodIg&IcIpIJQRHr<+ej11GQ6)&eF
 z2Lam*jIH}#y0>KnY%4JQfOYS$*uU%f#@$U6`N8I3N-lV?5ErFCdv~xDmu2(wexld4
 z4v^;aVAT2k6GJ^m*FD(Wqc(Qg^)6a<?}h$zLoj}4;PP!+(O{@!a1y-hoAhF_7!z+6
 zslpAmNtYbjHrw-~#SPVk_FUf>-Obg6yV`8o$8_`PyJe_;bY5_EMBfBfWU!Q=*9HsG
 z%_Cda{@_Krr!oHVhv9+y+T5qR8zZ2aZ>5r!$*|f$^U%yBUYfR&B!+EYy_PwL!BeUi
 zJH^}r3r9Q+B)X@Z)fk=P13w&7x#wBtXTZ)g>WITPg5r&pQc!nmyrmk#S(>>b9xnNr
 zx_b#v9Xv-Y><Wb%?S^0Xe&<)bbKl_=Z|3C$tf|F<bYzE*mfHB;uC)`q-?buaBe?l?
 zcLTpK*k<49Z32`K?|nSBMFqxTK^_IE-li2fEGdK~(ZdoKBl6ab4a;Hler#`xvEXJG
 zb?<E%EZExfX>jcOVhS*0rS~RS1dA#xhkv@Nct@#q?LyeKS<$uFec!bw>{@uu$gZ6a
 zyVen1i{1BKd%~`D7|m$;U0a<I*3I7%^N%N%lGYdU_GS!gaR8T$NA@GzFi~z`l7hdl
 zarZy6590|88pi(1zq;V(>38zM0sT&<zX;R5$1w3;`_JMG`;&I&0Y23DMx1%@(w(R9
 z4M$j;D5J+Gy%fijRQsctzFKf&cv|BAz#YLq3CZJWDdtL4u1u1|mkdcUp7|sxJC+?Y
 z_@@s`v3j}Q7*z>6X~cwUxUL8G1KT)_XTp!KAbs;vCp{K3&~_X@+ew=-D}v`2MbFV0
 zQsVsL=rXi-pI*G|iiz;VTCutgUs)hDzV1+4?8KcoP3xROf<M%qC6lgVdpFt4<-|uM
 z=#rl_b1#YjSIl6Toj2z_hOZcKupkdE(LozC(fN=FY(x|sk)ym|;Rq2E1xJWD%Z!ol
 Gu>S+TT-130
 literal 0
 HcmV?d00001
 diff --git a/tests/data/acpi/q35/VIOT.viot b/tests/data/acpi/q35/VIOT.viot
 index XXXXXXX..XXXXXXX 100644
 GIT binary patch
 literal 112
 zcmWIZ^baXu00LVle`k+i1*eDrX9XZ&1PX!JAex!M0Hgv8m>C3sGzdcgBZCA3T-xBj
 Q0Zb)W9Hva*zW_`e0M!8s0RR91
 literal 0
 HcmV?d00001
 --
 .25.1

-[PULL 01/12] hw/ssi/npcm7xx_fiu: Fix handling of unsigned integer
+[PULL 33/33] tests/acpi: add expected blob for VIOT test on virt machine
-From: Philippe Mathieu-Daudé <f4bug@amsat.org>
+From: Jean-Philippe Brucker <jean-philippe@linaro.org>
-Fix integer handling issues handling issue reported by Coverity:
+The VIOT blob contains the following:
-  hw/ssi/npcm7xx_fiu.c: 162 in npcm7xx_fiu_flash_read()
+[000h 0000   4]                    Signature : "VIOT"    [Virtual I/O Translation Table]
-  >>>     CID 1432730:  Integer handling issues  (NEGATIVE_RETURNS)
+[004h 0004   4]                 Table Length : 00000058
-  >>>     "npcm7xx_fiu_cs_index(fiu, f)" is passed to a parameter that cannot be negative.
+[008h 0008   1]                     Revision : 00
-npcm7xx_fiu_select(fiu, npcm7xx_fiu_cs_index(fiu, f));
+[009h 0009   1]                     Checksum : 66
 [00Ah 0010   6]                       Oem ID : "BOCHS "
 [010h 0016   8]                 Oem Table ID : "BXPC    "
 [018h 0024   4]                 Oem Revision : 00000001
 [01Ch 0028   4]              Asl Compiler ID : "BXPC"
 [020h 0032   4]        Asl Compiler Revision : 00000001
-  hw/ssi/npcm7xx_fiu.c: 221 in npcm7xx_fiu_flash_write()
+[024h 0036   2]                   Node count : 0002
-cs_id = npcm7xx_fiu_cs_index(fiu, f);
+[026h 0038   2]                  Node offset : 0030
-trace_npcm7xx_fiu_flash_write(DEVICE(fiu)->canonical_path, cs_id, addr,
+[028h 0040   8]                     Reserved : 0000000000000000
 size, v);
   >>>     CID 1432729:  Integer handling issues  (NEGATIVE_RETURNS)
   >>>     "cs_id" is passed to a parameter that cannot be negative.
 npcm7xx_fiu_select(fiu, cs_id);
-Since the index of the flash can not be negative, return an
+[030h 0048   1]                         Type : 03 [VirtIO-PCI IOMMU]
-unsigned type.
+[031h 0049   1]                     Reserved : 00
 [032h 0050   2]                       Length : 0010
-Reported-by: Coverity (CID 1432729 & 1432730: NEGATIVE_RETURNS)
+[034h 0052   2]                  PCI Segment : 0000
-Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+[036h 0054   2]               PCI BDF number : 0008
-Reviewed-by: Havard Skinnemoen <hskinnemoen@google.com>
+[038h 0056   8]                     Reserved : 0000000000000000
-Message-id: 20200919132435.310527-1-f4bug@amsat.org
 [040h 0064   1]                         Type : 01 [PCI Range]
 [041h 0065   1]                     Reserved : 00
 [042h 0066   2]                       Length : 0018
 [044h 0068   4]               Endpoint start : 00000000
 [048h 0072   2]            PCI Segment start : 0000
 [04Ah 0074   2]              PCI Segment end : 0000
 [04Ch 0076   2]                PCI BDF start : 0000
 [04Eh 0078   2]                  PCI BDF end : 00FF
 [050h 0080   2]                  Output node : 0030
 [052h 0082   6]                     Reserved : 000000000000
 Acked-by: Ani Sinha <ani@anisinha.ca>
 Reviewed-by: Eric Auger <eric.auger@redhat.com>
 Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
 Message-id: 20211210170415.583179-9-jean-philippe@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/ssi/npcm7xx_fiu.c | 12 ++++++------
+ tests/qtest/bios-tables-test-allowed-diff.h |   1 -
- hw/ssi/trace-events  |  2 +-
+ tests/data/acpi/virt/VIOT                   | Bin 0 -> 88 bytes
-files changed, 7 insertions(+), 7 deletions(-)
+files changed, 1 deletion(-)
-diff --git a/hw/ssi/npcm7xx_fiu.c b/hw/ssi/npcm7xx_fiu.c
+diff --git a/tests/qtest/bios-tables-test-allowed-diff.h b/tests/qtest/bios-tables-test-allowed-diff.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/ssi/npcm7xx_fiu.c
+--- a/tests/qtest/bios-tables-test-allowed-diff.h
-+++ b/hw/ssi/npcm7xx_fiu.c
++++ b/tests/qtest/bios-tables-test-allowed-diff.h
-@@ -XXX,XX +XXX,XX @@ enum NPCM7xxFIURegister {
+@@ -1,2 +1 @@
-  * Returns the index of flash in the fiu->flash array. This corresponds to the
+ /* List of comma-separated changed AML files to ignore */
-  * chip select ID of the flash.
+-"tests/data/acpi/virt/VIOT",
-  */
+diff --git a/tests/data/acpi/virt/VIOT b/tests/data/acpi/virt/VIOT
 -static int npcm7xx_fiu_cs_index(NPCM7xxFIUState *fiu, NPCM7xxFIUFlash *flash)
 +static unsigned npcm7xx_fiu_cs_index(NPCM7xxFIUState *fiu,
 +                                     NPCM7xxFIUFlash *flash)
  {
      int index = flash - fiu->flash;
@@ -XXX,XX +XXX,XX @@ static int npcm7xx_fiu_cs_index(NPCM7xxFIUState *fiu, NPCM7xxFIUFlash *flash)
  }
  /* Assert the chip select specified in the UMA Control/Status Register. */
 -static void npcm7xx_fiu_select(NPCM7xxFIUState *s, int cs_id)
 +static void npcm7xx_fiu_select(NPCM7xxFIUState *s, unsigned cs_id)
  {
      trace_npcm7xx_fiu_select(DEVICE(s)->canonical_path, cs_id);
      if (cs_id < s->cs_count) {
          qemu_irq_lower(s->cs_lines[cs_id]);
 +        s->active_cs = cs_id;
      } else {
          qemu_log_mask(LOG_GUEST_ERROR,
                        "%s: UMA to CS%d; this module has only %d chip selects",
                        DEVICE(s)->canonical_path, cs_id, s->cs_count);
 -        cs_id = -1;
 +        s->active_cs = -1;
      }
 -
 -    s->active_cs = cs_id;
  }
  /* Deassert the currently active chip select. */
@@ -XXX,XX +XXX,XX @@ static void npcm7xx_fiu_flash_write(void *opaque, hwaddr addr, uint64_t v,
      NPCM7xxFIUFlash *f = opaque;
      NPCM7xxFIUState *fiu = f->fiu;
      uint32_t dwr_cfg;
 -    int cs_id;
 +    unsigned cs_id;
      int i;
      if (fiu->active_cs != -1) {
 diff --git a/hw/ssi/trace-events b/hw/ssi/trace-events
 index XXXXXXX..XXXXXXX 100644
---- a/hw/ssi/trace-events
+GIT binary patch
-+++ b/hw/ssi/trace-events
+literal 88
-@@ -XXX,XX +XXX,XX @@ npcm7xx_fiu_deselect(const char *id, int cs) "%s deselect CS%d"
+zcmWIZ^bd((0D?3pe`k+i1*eDrX9XZ&1PX!JAexE60Hgv8m>C3sGzXN&z`)2L0cSHX
- npcm7xx_fiu_ctrl_read(const char *id, uint64_t addr, uint32_t data) "%s offset: 0x%04" PRIx64 " value: 0x%08" PRIx32
+I{D-Rq0Q5fy0RR91
- npcm7xx_fiu_ctrl_write(const char *id, uint64_t addr, uint32_t data) "%s offset: 0x%04" PRIx64 " value: 0x%08" PRIx32
- npcm7xx_fiu_flash_read(const char *id, int cs, uint64_t addr, unsigned int size, uint64_t value) "%s[%d] offset: 0x%08" PRIx64 " size: %u value: 0x%" PRIx64
+literal 0
--npcm7xx_fiu_flash_write(const char *id, int cs, uint64_t addr, unsigned int size, uint64_t value) "%s[%d] offset: 0x%08" PRIx64 " size: %u value: 0x%" PRIx64
+HcmV?d00001
-+npcm7xx_fiu_flash_write(const char *id, unsigned cs, uint64_t addr, unsigned int size, uint64_t value) "%s[%d] offset: 0x%08" PRIx64 " size: %u value: 0x%" PRIx64
 --
-.20.1
+.25.1

The following changes since commit 6eeea6725a70e6fcb5abba0764496bdab07ddfb3:

Merge remote-tracking branch 'remotes/huth-gitlab/tags/pull-request-2020-10-06' into staging (2020-10-06 21:13:34 +0100)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20201008

for you to fetch changes up to ba118c26e16a97e6ff6de8184057d3420ce16a23:

target/arm: Make '-cpu max' have a 48-bit PA (2020-10-08 15:24:32 +0100)

----------------------------------------------------------------
target-arm queue:
 * hw/ssi/npcm7xx_fiu: Fix handling of unsigned integer
 * hw/arm/fsl-imx25: Fix a typo
 * hw/arm/sbsa-ref : Fix SMMUv3 Initialisation
 * hw/arm/sbsa-ref : allocate IRQs for SMMUv3
 * hw/char/bcm2835_aux: Allow less than 32-bit accesses
 * hw/arm/virt: Implement kvm-steal-time
 * target/arm: Make '-cpu max' have a 48-bit PA

----------------------------------------------------------------
Andrew Jones (6):
      linux headers: sync to 5.9-rc7
      target/arm/kvm: Make uncalled stubs explicitly unreachable
      hw/arm/virt: Move post cpu realize check into its own function
      hw/arm/virt: Move kvm pmu setup to virt_cpu_post_init
      tests/qtest: Restore aarch64 arm-cpu-features test
      hw/arm/virt: Implement kvm-steal-time

Graeme Gregory (2):
      hw/arm/sbsa-ref : Fix SMMUv3 Initialisation
      hw/arm/sbsa-ref : allocate IRQs for SMMUv3

Peter Maydell (1):
      target/arm: Make '-cpu max' have a 48-bit PA

Philippe Mathieu-Daudé (3):
      hw/ssi/npcm7xx_fiu: Fix handling of unsigned integer
      hw/arm/fsl-imx25: Fix a typo
      hw/char/bcm2835_aux: Allow less than 32-bit accesses

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

Fix integer handling issues handling issue reported by Coverity:

hw/ssi/npcm7xx_fiu.c: 162 in npcm7xx_fiu_flash_read()
  >>>     CID 1432730:  Integer handling issues  (NEGATIVE_RETURNS)
  >>>     "npcm7xx_fiu_cs_index(fiu, f)" is passed to a parameter that cannot be negative.
  162         npcm7xx_fiu_select(fiu, npcm7xx_fiu_cs_index(fiu, f));

hw/ssi/npcm7xx_fiu.c: 221 in npcm7xx_fiu_flash_write()
  218         cs_id = npcm7xx_fiu_cs_index(fiu, f);
  219         trace_npcm7xx_fiu_flash_write(DEVICE(fiu)->canonical_path, cs_id, addr,
  220                                       size, v);
  >>>     CID 1432729:  Integer handling issues  (NEGATIVE_RETURNS)
  >>>     "cs_id" is passed to a parameter that cannot be negative.
  221         npcm7xx_fiu_select(fiu, cs_id);

Since the index of the flash can not be negative, return an
unsigned type.

Reported-by: Coverity (CID 1432729 & 1432730: NEGATIVE_RETURNS)
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Havard Skinnemoen <hskinnemoen@google.com>
Message-id: 20200919132435.310527-1-f4bug@amsat.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/ssi/npcm7xx_fiu.c | 12 ++++++------
 hw/ssi/trace-events  |  2 +-
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/hw/ssi/npcm7xx_fiu.c b/hw/ssi/npcm7xx_fiu.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/ssi/npcm7xx_fiu.c
+++ b/hw/ssi/npcm7xx_fiu.c
@@ -XXX,XX +XXX,XX @@ enum NPCM7xxFIURegister {
  * Returns the index of flash in the fiu->flash array. This corresponds to the
  * chip select ID of the flash.
  */
-static int npcm7xx_fiu_cs_index(NPCM7xxFIUState *fiu, NPCM7xxFIUFlash *flash)
+static unsigned npcm7xx_fiu_cs_index(NPCM7xxFIUState *fiu,
+                                     NPCM7xxFIUFlash *flash)
 {
     int index = flash - fiu->flash;
 
@@ -XXX,XX +XXX,XX @@ static int npcm7xx_fiu_cs_index(NPCM7xxFIUState *fiu, NPCM7xxFIUFlash *flash)
 }
 
 /* Assert the chip select specified in the UMA Control/Status Register. */
-static void npcm7xx_fiu_select(NPCM7xxFIUState *s, int cs_id)
+static void npcm7xx_fiu_select(NPCM7xxFIUState *s, unsigned cs_id)
 {
     trace_npcm7xx_fiu_select(DEVICE(s)->canonical_path, cs_id);
 
     if (cs_id < s->cs_count) {
         qemu_irq_lower(s->cs_lines[cs_id]);
+        s->active_cs = cs_id;
     } else {
         qemu_log_mask(LOG_GUEST_ERROR,
                       "%s: UMA to CS%d; this module has only %d chip selects",
                       DEVICE(s)->canonical_path, cs_id, s->cs_count);
-        cs_id = -1;
+        s->active_cs = -1;
     }
-
-    s->active_cs = cs_id;
 }
 
 /* Deassert the currently active chip select. */
@@ -XXX,XX +XXX,XX @@ static void npcm7xx_fiu_flash_write(void *opaque, hwaddr addr, uint64_t v,
     NPCM7xxFIUFlash *f = opaque;
     NPCM7xxFIUState *fiu = f->fiu;
     uint32_t dwr_cfg;
-    int cs_id;
+    unsigned cs_id;
     int i;
 
     if (fiu->active_cs != -1) {
diff --git a/hw/ssi/trace-events b/hw/ssi/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/hw/ssi/trace-events
+++ b/hw/ssi/trace-events
@@ -XXX,XX +XXX,XX @@ npcm7xx_fiu_deselect(const char *id, int cs) "%s deselect CS%d"
 npcm7xx_fiu_ctrl_read(const char *id, uint64_t addr, uint32_t data) "%s offset: 0x%04" PRIx64 " value: 0x%08" PRIx32
 npcm7xx_fiu_ctrl_write(const char *id, uint64_t addr, uint32_t data) "%s offset: 0x%04" PRIx64 " value: 0x%08" PRIx32
 npcm7xx_fiu_flash_read(const char *id, int cs, uint64_t addr, unsigned int size, uint64_t value) "%s[%d] offset: 0x%08" PRIx64 " size: %u value: 0x%" PRIx64
-npcm7xx_fiu_flash_write(const char *id, int cs, uint64_t addr, unsigned int size, uint64_t value) "%s[%d] offset: 0x%08" PRIx64 " size: %u value: 0x%" PRIx64
+npcm7xx_fiu_flash_write(const char *id, unsigned cs, uint64_t addr, unsigned int size, uint64_t value) "%s[%d] offset: 0x%08" PRIx64 " size: %u value: 0x%" PRIx64
-- 
2.20.1

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20201002080935.1660005-1-f4bug@amsat.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/arm/fsl-imx25.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/hw/arm/fsl-imx25.h b/include/hw/arm/fsl-imx25.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/fsl-imx25.h
+++ b/include/hw/arm/fsl-imx25.h
@@ -XXX,XX +XXX,XX @@ struct FslIMX25State {
  * 0xBB00_0000 0xBB00_0FFF 4 Kbytes     NAND flash main area buffer
  * 0xBB00_1000 0xBB00_11FF 512 B        NAND flash spare area buffer
  * 0xBB00_1200 0xBB00_1DFF 3 Kbytes     Reserved
- * 0xBB00_1E00 0xBB00_1FFF 512 B        NAND flash control regisers
+ * 0xBB00_1E00 0xBB00_1FFF 512 B        NAND flash control registers
  * 0xBB01_2000 0xBFFF_FFFF 96 Mbytes (minus 8 Kbytes) Reserved
  * 0xC000_0000 0xFFFF_FFFF 1024 Mbytes  Reserved
  */
-- 
2.20.1

From: Graeme Gregory <graeme@nuviainc.com>

SMMUv3 has an error in a previous patch where an i was transposed to a 1
meaning interrupts would not have been correctly assigned to the SMMUv3
instance.

Fixes: 48ba18e6d3f3 ("hw/arm/sbsa-ref: Simplify by moving the gic in the machine state")
Signed-off-by: Graeme Gregory <graeme@nuviainc.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Message-id: 20201007100732.4103790-2-graeme@nuviainc.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/sbsa-ref.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/sbsa-ref.c
+++ b/hw/arm/sbsa-ref.c
@@ -XXX,XX +XXX,XX @@ static void create_smmu(const SBSAMachineState *sms, PCIBus *bus)
     sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, base);
     for (i = 0; i < NUM_SMMU_IRQS; i++) {
         sysbus_connect_irq(SYS_BUS_DEVICE(dev), i,
-                           qdev_get_gpio_in(sms->gic, irq + 1));
+                           qdev_get_gpio_in(sms->gic, irq + i));
     }
 }
 
-- 
2.20.1

From: Graeme Gregory <graeme@nuviainc.com>

Original commit did not allocate IRQs for the SMMUv3 in the irqmap
effectively using irq 0->3 (shared with other devices). Assuming
original intent was to allocate unique IRQs then add an allocation
to the irqmap.

Fixes: e9fdf453240 ("hw/arm: Add arm SBSA reference machine, devices part")
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Graeme Gregory <graeme@nuviainc.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Message-id: 20201007100732.4103790-3-graeme@nuviainc.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/sbsa-ref.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/sbsa-ref.c
+++ b/hw/arm/sbsa-ref.c
@@ -XXX,XX +XXX,XX @@ static const int sbsa_ref_irqmap[] = {
     [SBSA_SECURE_UART_MM] = 9,
     [SBSA_AHCI] = 10,
     [SBSA_EHCI] = 11,
+    [SBSA_SMMU] = 12, /* ... to 15 */
 };
 
 static uint64_t sbsa_ref_cpu_mp_affinity(SBSAMachineState *sms, int idx)
-- 
2.20.1

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

The "BCM2835 ARM Peripherals" datasheet [*] chapter 2
("Auxiliaries: UART1 & SPI1, SPI2"), list the register
sizes as 3/8/16/32 bits. We assume this means this
peripheral allows 8-bit accesses.

This was not an issue until commit 5d971f9e67 which reverted
("memory: accept mismatching sizes in memory_region_access_valid").

The model is implemented as 32-bit accesses (see commit 97398d900c,
all registers are 32-bit) so replace MemoryRegionOps.valid as
MemoryRegionOps.impl, and re-introduce MemoryRegionOps.valid
with a 8/32-bit range.

[*] https://www.raspberrypi.org/app/uploads/2012/02/BCM2835-ARM-Peripherals.pdf

Fixes: 97398d900c ("bcm2835_aux: add emulation of BCM2835 AUX (aka UART1) block")
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20201002181032.1899463-1-f4bug@amsat.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/char/bcm2835_aux.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/hw/char/bcm2835_aux.c b/hw/char/bcm2835_aux.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/char/bcm2835_aux.c
+++ b/hw/char/bcm2835_aux.c
@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps bcm2835_aux_ops = {
     .read = bcm2835_aux_read,
     .write = bcm2835_aux_write,
     .endianness = DEVICE_NATIVE_ENDIAN,
-    .valid.min_access_size = 4,
+    .impl.min_access_size = 4,
+    .impl.max_access_size = 4,
+    .valid.min_access_size = 1,
     .valid.max_access_size = 4,
 };
 
-- 
2.20.1

From: Andrew Jones <drjones@redhat.com>

Update against Linux 5.9-rc7.

Cc: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Andrew Jones <drjones@redhat.com>
Message-id: 20201001061718.101915-2-drjones@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-headers/linux/kvm.h | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/linux-headers/linux/kvm.h b/linux-headers/linux/kvm.h
index XXXXXXX..XXXXXXX 100644
--- a/linux-headers/linux/kvm.h
+++ b/linux-headers/linux/kvm.h
@@ -XXX,XX +XXX,XX @@ struct kvm_ppc_resize_hpt {
 #define KVM_VM_PPC_HV 1
 #define KVM_VM_PPC_PR 2
 
-/* on MIPS, 0 forces trap & emulate, 1 forces VZ ASE */
-#define KVM_VM_MIPS_TE		0
+/* on MIPS, 0 indicates auto, 1 forces VZ ASE, 2 forces trap & emulate */
+#define KVM_VM_MIPS_AUTO	0
 #define KVM_VM_MIPS_VZ		1
+#define KVM_VM_MIPS_TE		2
 
 #define KVM_S390_SIE_PAGE_OFFSET 1
 
@@ -XXX,XX +XXX,XX @@ struct kvm_ppc_resize_hpt {
 #define KVM_CAP_LAST_CPU 184
 #define KVM_CAP_SMALLER_MAXPHYADDR 185
 #define KVM_CAP_S390_DIAG318 186
+#define KVM_CAP_STEAL_TIME 187
 
 #ifdef KVM_CAP_IRQ_ROUTING
 
-- 
2.20.1

From: Andrew Jones <drjones@redhat.com>

When we compile without KVM support !defined(CONFIG_KVM) we generate
stubs for functions that the linker will still encounter. Sometimes
these stubs can be executed safely and are placed in paths where they
get executed with or without KVM. Other functions should never be
called without KVM. Those functions should be guarded by kvm_enabled(),
but should also be robust to refactoring mistakes. Putting a
g_assert_not_reached() in the function should help. Additionally,
the g_assert_not_reached() calls may actually help the linker remove
some code.

We remove the stubs for kvm_arm_get/put_virtual_time(), as they aren't
necessary at all - the only caller is in kvm.c

Reviewed-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Andrew Jones <drjones@redhat.com>
Message-id: 20201001061718.101915-3-drjones@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/kvm_arm.h | 51 +++++++++++++++++++++++++++-----------------
 1 file changed, 32 insertions(+), 19 deletions(-)

diff --git a/target/arm/kvm_arm.h b/target/arm/kvm_arm.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm_arm.h
+++ b/target/arm/kvm_arm.h
@@ -XXX,XX +XXX,XX @@ int kvm_arm_set_irq(int cpu, int irqtype, int irq, int level);
 
 #else
 
-static inline void kvm_arm_set_cpu_features_from_host(ARMCPU *cpu)
-{
-    /*
-     * This should never actually be called in the "not KVM" case,
-     * but set up the fields to indicate an error anyway.
-     */
-    cpu->kvm_target = QEMU_KVM_ARM_TARGET_NONE;
-    cpu->host_cpu_probe_failed = true;
-}
-
-static inline void kvm_arm_add_vcpu_properties(Object *obj) {}
-
+/*
+ * It's safe to call these functions without KVM support.
+ * They should either do nothing or return "not supported".
+ */
 static inline bool kvm_arm_aarch32_supported(void)
 {
     return false;
@@ -XXX,XX +XXX,XX @@ static inline bool kvm_arm_sve_supported(void)
     return false;
 }
 
+/*
+ * These functions should never actually be called without KVM support.
+ */
+static inline void kvm_arm_set_cpu_features_from_host(ARMCPU *cpu)
+{
+    g_assert_not_reached();
+}
+
+static inline void kvm_arm_add_vcpu_properties(Object *obj)
+{
+    g_assert_not_reached();
+}
+
 static inline int kvm_arm_get_max_vm_ipa_size(MachineState *ms)
 {
-    return -ENOENT;
+    g_assert_not_reached();
 }
 
 static inline int kvm_arm_vgic_probe(void)
 {
-    return 0;
+    g_assert_not_reached();
 }
 
-static inline void kvm_arm_pmu_set_irq(CPUState *cs, int irq) {}
-static inline void kvm_arm_pmu_init(CPUState *cs) {}
+static inline void kvm_arm_pmu_set_irq(CPUState *cs, int irq)
+{
+    g_assert_not_reached();
+}
 
-static inline void kvm_arm_sve_get_vls(CPUState *cs, unsigned long *map) {}
+static inline void kvm_arm_pmu_init(CPUState *cs)
+{
+    g_assert_not_reached();
+}
+
+static inline void kvm_arm_sve_get_vls(CPUState *cs, unsigned long *map)
+{
+    g_assert_not_reached();
+}
 
-static inline void kvm_arm_get_virtual_time(CPUState *cs) {}
-static inline void kvm_arm_put_virtual_time(CPUState *cs) {}
 #endif
 
 static inline const char *gic_class_name(void)
-- 
2.20.1

From: Andrew Jones <drjones@redhat.com>

We'll add more to this new function in coming patches so we also
state the gic must be created and call it below create_gic().

No functional change intended.

Reviewed-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Andrew Jones <drjones@redhat.com>
Message-id: 20201001061718.101915-4-drjones@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/virt.c | 43 +++++++++++++++++++++++++++----------------
 1 file changed, 27 insertions(+), 16 deletions(-)

diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@ static void finalize_gic_version(VirtMachineState *vms)
     }
 }
 
+/*
+ * virt_cpu_post_init() must be called after the CPUs have
+ * been realized and the GIC has been created.
+ */
+static void virt_cpu_post_init(VirtMachineState *vms)
+{
+    bool aarch64;
+
+    aarch64 = object_property_get_bool(OBJECT(first_cpu), "aarch64", NULL);
+
+    if (!kvm_enabled()) {
+        if (aarch64 && vms->highmem) {
+            int requested_pa_size = 64 - clz64(vms->highest_gpa);
+            int pamax = arm_pamax(ARM_CPU(first_cpu));
+
+            if (pamax < requested_pa_size) {
+                error_report("VCPU supports less PA bits (%d) than "
+                             "requested by the memory map (%d)",
+                             pamax, requested_pa_size);
+                exit(1);
+            }
+        }
+    }
+}
+
 static void machvirt_init(MachineState *machine)
 {
     VirtMachineState *vms = VIRT_MACHINE(machine);
@@ -XXX,XX +XXX,XX @@ static void machvirt_init(MachineState *machine)
     fdt_add_timer_nodes(vms);
     fdt_add_cpu_nodes(vms);
 
-   if (!kvm_enabled()) {
-        ARMCPU *cpu = ARM_CPU(first_cpu);
-        bool aarch64 = object_property_get_bool(OBJECT(cpu), "aarch64", NULL);
-
-        if (aarch64 && vms->highmem) {
-            int requested_pa_size, pamax = arm_pamax(cpu);
-
-            requested_pa_size = 64 - clz64(vms->highest_gpa);
-            if (pamax < requested_pa_size) {
-                error_report("VCPU supports less PA bits (%d) than requested "
-                            "by the memory map (%d)", pamax, requested_pa_size);
-                exit(1);
-            }
-        }
-    }
-
     memory_region_add_subregion(sysmem, vms->memmap[VIRT_MEM].base,
                                 machine->ram);
     if (machine->device_memory) {
@@ -XXX,XX +XXX,XX @@ static void machvirt_init(MachineState *machine)
 
     create_gic(vms);
 
+    virt_cpu_post_init(vms);
+
     fdt_add_pmu_nodes(vms);
 
     create_uart(vms, VIRT_UART, sysmem, serial_hd(0));
-- 
2.20.1

From: Andrew Jones <drjones@redhat.com>

Move the KVM PMU setup part of fdt_add_pmu_nodes() to
virt_cpu_post_init(), which is a more appropriate location. Now
fdt_add_pmu_nodes() is also named more appropriately, because it
no longer does anything but fdt node creation.

No functional change intended.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Andrew Jones <drjones@redhat.com>
Message-id: 20201001061718.101915-5-drjones@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/virt.c | 34 ++++++++++++++++++----------------
 1 file changed, 18 insertions(+), 16 deletions(-)

diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@ static void fdt_add_gic_node(VirtMachineState *vms)
 
 static void fdt_add_pmu_nodes(const VirtMachineState *vms)
 {
-    CPUState *cpu;
-    ARMCPU *armcpu;
+    ARMCPU *armcpu = ARM_CPU(first_cpu);
     uint32_t irqflags = GIC_FDT_IRQ_FLAGS_LEVEL_HI;
 
-    CPU_FOREACH(cpu) {
-        armcpu = ARM_CPU(cpu);
-        if (!arm_feature(&armcpu->env, ARM_FEATURE_PMU)) {
-            return;
-        }
-        if (kvm_enabled()) {
-            if (kvm_irqchip_in_kernel()) {
-                kvm_arm_pmu_set_irq(cpu, PPI(VIRTUAL_PMU_IRQ));
-            }
-            kvm_arm_pmu_init(cpu);
-        }
+    if (!arm_feature(&armcpu->env, ARM_FEATURE_PMU)) {
+        assert(!object_property_get_bool(OBJECT(armcpu), "pmu", NULL));
+        return;
     }
 
     if (vms->gic_version == VIRT_GIC_VERSION_2) {
@@ -XXX,XX +XXX,XX @@ static void fdt_add_pmu_nodes(const VirtMachineState *vms)
                              (1 << vms->smp_cpus) - 1);
     }
 
-    armcpu = ARM_CPU(qemu_get_cpu(0));
     qemu_fdt_add_subnode(vms->fdt, "/pmu");
     if (arm_feature(&armcpu->env, ARM_FEATURE_V8)) {
         const char compat[] = "arm,armv8-pmuv3";
@@ -XXX,XX +XXX,XX @@ static void finalize_gic_version(VirtMachineState *vms)
  */
 static void virt_cpu_post_init(VirtMachineState *vms)
 {
-    bool aarch64;
+    bool aarch64, pmu;
+    CPUState *cpu;
 
     aarch64 = object_property_get_bool(OBJECT(first_cpu), "aarch64", NULL);
+    pmu = object_property_get_bool(OBJECT(first_cpu), "pmu", NULL);
 
-    if (!kvm_enabled()) {
+    if (kvm_enabled()) {
+        CPU_FOREACH(cpu) {
+            if (pmu) {
+                assert(arm_feature(&ARM_CPU(cpu)->env, ARM_FEATURE_PMU));
+                if (kvm_irqchip_in_kernel()) {
+                    kvm_arm_pmu_set_irq(cpu, PPI(VIRTUAL_PMU_IRQ));
+                }
+                kvm_arm_pmu_init(cpu);
+            }
+        }
+    } else {
         if (aarch64 && vms->highmem) {
             int requested_pa_size = 64 - clz64(vms->highest_gpa);
             int pamax = arm_pamax(ARM_CPU(first_cpu));
-- 
2.20.1

From: Andrew Jones <drjones@redhat.com>

arm-cpu-features got dropped from the AArch64 tests during the meson
conversion shuffle.

Signed-off-by: Andrew Jones <drjones@redhat.com>
Message-id: 20201001061718.101915-6-drjones@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 tests/qtest/meson.build | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/tests/qtest/meson.build
+++ b/tests/qtest/meson.build
@@ -XXX,XX +XXX,XX @@ qtests_aarch64 = \
   (cpu != 'arm' ? ['bios-tables-test'] : []) +                                                  \
   (config_all_devices.has_key('CONFIG_TPM_TIS_SYSBUS') ? ['tpm-tis-device-test'] : []) +        \
   (config_all_devices.has_key('CONFIG_TPM_TIS_SYSBUS') ? ['tpm-tis-device-swtpm-test'] : []) +  \
-  ['numa-test',
+  ['arm-cpu-features',
+   'numa-test',
    'boot-serial-test',
    'migration-test']
 
-- 
2.20.1

From: Andrew Jones <drjones@redhat.com>

We add the kvm-steal-time CPU property and implement it for machvirt.
A tiny bit of refactoring was also done to allow pmu and pvtime to
use the same vcpu device helper functions.

Reviewed-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Andrew Jones <drjones@redhat.com>
Message-id: 20201001061718.101915-7-drjones@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 docs/system/arm/cpu-features.rst | 11 ++++++
 include/hw/arm/virt.h            |  5 +++
 target/arm/cpu.h                 |  4 ++
 target/arm/kvm_arm.h             | 43 +++++++++++++++++++++
 hw/arm/virt.c                    | 43 +++++++++++++++++++--
 target/arm/cpu.c                 |  8 ++++
 target/arm/kvm.c                 | 16 ++++++++
 target/arm/kvm64.c               | 64 +++++++++++++++++++++++++++++---
 target/arm/monitor.c             |  2 +-
 tests/qtest/arm-cpu-features.c   | 25 +++++++++++--
 10 files changed, 208 insertions(+), 13 deletions(-)

diff --git a/docs/system/arm/cpu-features.rst b/docs/system/arm/cpu-features.rst
index XXXXXXX..XXXXXXX 100644
--- a/docs/system/arm/cpu-features.rst
+++ b/docs/system/arm/cpu-features.rst
@@ -XXX,XX +XXX,XX @@ the list of KVM VCPU features and their descriptions.
                            adjustment, also restoring the legacy (pre-5.0)
                            behavior.
 
+  kvm-steal-time           Since v5.2, kvm-steal-time is enabled by
+                           default when KVM is enabled, the feature is
+                           supported, and the guest is 64-bit.
+
+                           When kvm-steal-time is enabled a 64-bit guest
+                           can account for time its CPUs were not running
+                           due to the host not scheduling the corresponding
+                           VCPU threads.  The accounting statistics may
+                           influence the guest scheduler behavior and/or be
+                           exposed to the guest userspace.
+
 SVE CPU Properties
 ==================
 
diff --git a/include/hw/arm/virt.h b/include/hw/arm/virt.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/virt.h
+++ b/include/hw/arm/virt.h
@@ -XXX,XX +XXX,XX @@
 
 #define PPI(irq) ((irq) + 16)
 
+/* See Linux kernel arch/arm64/include/asm/pvclock-abi.h */
+#define PVTIME_SIZE_PER_CPU 64
+
 enum {
     VIRT_FLASH,
     VIRT_MEM,
@@ -XXX,XX +XXX,XX @@ enum {
     VIRT_PCDIMM_ACPI,
     VIRT_ACPI_GED,
     VIRT_NVDIMM_ACPI,
+    VIRT_PVTIME,
     VIRT_LOWMEMMAP_LAST,
 };
 
@@ -XXX,XX +XXX,XX @@ struct VirtMachineClass {
     bool no_highmem_ecam;
     bool no_ged;   /* Machines < 4.2 has no support for ACPI GED device */
     bool kvm_no_adjvtime;
+    bool no_kvm_steal_time;
     bool acpi_expose_flash;
 };
 
diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@
 #include "hw/registerfields.h"
 #include "cpu-qom.h"
 #include "exec/cpu-defs.h"
+#include "qapi/qapi-types-common.h"
 
 /* ARM processors have a weak memory model */
 #define TCG_GUEST_DEFAULT_MO      (0)
@@ -XXX,XX +XXX,XX @@ struct ARMCPU {
     bool kvm_vtime_dirty;
     uint64_t kvm_vtime;
 
+    /* KVM steal time */
+    OnOffAuto kvm_steal_time;
+
     /* Uniprocessor system with MP extensions */
     bool mp_is_up;
 
diff --git a/target/arm/kvm_arm.h b/target/arm/kvm_arm.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm_arm.h
+++ b/target/arm/kvm_arm.h
@@ -XXX,XX +XXX,XX @@ void kvm_arm_set_cpu_features_from_host(ARMCPU *cpu);
  */
 void kvm_arm_add_vcpu_properties(Object *obj);
 
+/**
+ * kvm_arm_steal_time_finalize:
+ * @cpu: ARMCPU for which to finalize kvm-steal-time
+ * @errp: Pointer to Error* for error propagation
+ *
+ * Validate the kvm-steal-time property selection and set its default
+ * based on KVM support and guest configuration.
+ */
+void kvm_arm_steal_time_finalize(ARMCPU *cpu, Error **errp);
+
+/**
+ * kvm_arm_steal_time_supported:
+ *
+ * Returns: true if KVM can enable steal time reporting
+ * and false otherwise.
+ */
+bool kvm_arm_steal_time_supported(void);
+
 /**
  * kvm_arm_aarch32_supported:
  *
@@ -XXX,XX +XXX,XX @@ int kvm_arm_vgic_probe(void);
 
 void kvm_arm_pmu_set_irq(CPUState *cs, int irq);
 void kvm_arm_pmu_init(CPUState *cs);
+
+/**
+ * kvm_arm_pvtime_init:
+ * @cs: CPUState
+ * @ipa: Per-vcpu guest physical base address of the pvtime structures
+ *
+ * Initializes PVTIME for the VCPU, setting the PVTIME IPA to @ipa.
+ */
+void kvm_arm_pvtime_init(CPUState *cs, uint64_t ipa);
+
 int kvm_arm_set_irq(int cpu, int irqtype, int irq, int level);
 
 #else
@@ -XXX,XX +XXX,XX @@ static inline bool kvm_arm_sve_supported(void)
     return false;
 }
 
+static inline bool kvm_arm_steal_time_supported(void)
+{
+    return false;
+}
+
 /*
  * These functions should never actually be called without KVM support.
  */
@@ -XXX,XX +XXX,XX @@ static inline void kvm_arm_pmu_init(CPUState *cs)
     g_assert_not_reached();
 }
 
+static inline void kvm_arm_pvtime_init(CPUState *cs, uint64_t ipa)
+{
+    g_assert_not_reached();
+}
+
+static inline void kvm_arm_steal_time_finalize(ARMCPU *cpu, Error **errp)
+{
+    g_assert_not_reached();
+}
+
 static inline void kvm_arm_sve_get_vls(CPUState *cs, unsigned long *map)
 {
     g_assert_not_reached();
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@ static const MemMapEntry base_memmap[] = {
     [VIRT_PCDIMM_ACPI] =        { 0x09070000, MEMORY_HOTPLUG_IO_LEN },
     [VIRT_ACPI_GED] =           { 0x09080000, ACPI_GED_EVT_SEL_LEN },
     [VIRT_NVDIMM_ACPI] =        { 0x09090000, NVDIMM_ACPI_IO_LEN},
+    [VIRT_PVTIME] =             { 0x090a0000, 0x00010000 },
     [VIRT_MMIO] =               { 0x0a000000, 0x00000200 },
     /* ...repeating for a total of NUM_VIRTIO_TRANSPORTS, each of that size */
     [VIRT_PLATFORM_BUS] =       { 0x0c000000, 0x02000000 },
@@ -XXX,XX +XXX,XX @@ static void finalize_gic_version(VirtMachineState *vms)
  * virt_cpu_post_init() must be called after the CPUs have
  * been realized and the GIC has been created.
  */
-static void virt_cpu_post_init(VirtMachineState *vms)
+static void virt_cpu_post_init(VirtMachineState *vms, int max_cpus,
+                               MemoryRegion *sysmem)
 {
-    bool aarch64, pmu;
+    bool aarch64, pmu, steal_time;
     CPUState *cpu;
 
     aarch64 = object_property_get_bool(OBJECT(first_cpu), "aarch64", NULL);
     pmu = object_property_get_bool(OBJECT(first_cpu), "pmu", NULL);
+    steal_time = object_property_get_bool(OBJECT(first_cpu),
+                                          "kvm-steal-time", NULL);
 
     if (kvm_enabled()) {
+        hwaddr pvtime_reg_base = vms->memmap[VIRT_PVTIME].base;
+        hwaddr pvtime_reg_size = vms->memmap[VIRT_PVTIME].size;
+
+        if (steal_time) {
+            MemoryRegion *pvtime = g_new(MemoryRegion, 1);
+            hwaddr pvtime_size = max_cpus * PVTIME_SIZE_PER_CPU;
+
+            /* The memory region size must be a multiple of host page size. */
+            pvtime_size = REAL_HOST_PAGE_ALIGN(pvtime_size);
+
+            if (pvtime_size > pvtime_reg_size) {
+                error_report("pvtime requires a %ld byte memory region for "
+                             "%d CPUs, but only %ld has been reserved",
+                             pvtime_size, max_cpus, pvtime_reg_size);
+                exit(1);
+            }
+
+            memory_region_init_ram(pvtime, NULL, "pvtime", pvtime_size, NULL);
+            memory_region_add_subregion(sysmem, pvtime_reg_base, pvtime);
+        }
+
         CPU_FOREACH(cpu) {
             if (pmu) {
                 assert(arm_feature(&ARM_CPU(cpu)->env, ARM_FEATURE_PMU));
@@ -XXX,XX +XXX,XX @@ static void virt_cpu_post_init(VirtMachineState *vms)
                 }
                 kvm_arm_pmu_init(cpu);
             }
+            if (steal_time) {
+                kvm_arm_pvtime_init(cpu, pvtime_reg_base +
+                                         cpu->cpu_index * PVTIME_SIZE_PER_CPU);
+            }
         }
     } else {
         if (aarch64 && vms->highmem) {
@@ -XXX,XX +XXX,XX @@ static void machvirt_init(MachineState *machine)
             object_property_set_bool(cpuobj, "kvm-no-adjvtime", true, NULL);
         }
 
+        if (vmc->no_kvm_steal_time &&
+            object_property_find(cpuobj, "kvm-steal-time")) {
+            object_property_set_bool(cpuobj, "kvm-steal-time", false, NULL);
+        }
+
         if (vmc->no_pmu && object_property_find(cpuobj, "pmu")) {
             object_property_set_bool(cpuobj, "pmu", false, NULL);
         }
@@ -XXX,XX +XXX,XX @@ static void machvirt_init(MachineState *machine)
 
     create_gic(vms);
 
-    virt_cpu_post_init(vms);
+    virt_cpu_post_init(vms, possible_cpus->len, sysmem);
 
     fdt_add_pmu_nodes(vms);
 
@@ -XXX,XX +XXX,XX @@ DEFINE_VIRT_MACHINE_AS_LATEST(5, 2)
 
 static void virt_machine_5_1_options(MachineClass *mc)
 {
+    VirtMachineClass *vmc = VIRT_MACHINE_CLASS(OBJECT_CLASS(mc));
+
     virt_machine_5_2_options(mc);
     compat_props_add(mc->compat_props, hw_compat_5_1, hw_compat_5_1_len);
+    vmc->no_kvm_steal_time = true;
 }
 DEFINE_VIRT_MACHINE(5, 1)
 
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ void arm_cpu_finalize_features(ARMCPU *cpu, Error **errp)
             return;
         }
     }
+
+    if (kvm_enabled()) {
+        kvm_arm_steal_time_finalize(cpu, &local_err);
+        if (local_err != NULL) {
+            error_propagate(errp, local_err);
+            return;
+        }
+    }
 }
 
 static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
diff --git a/target/arm/kvm.c b/target/arm/kvm.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm.c
+++ b/target/arm/kvm.c
@@ -XXX,XX +XXX,XX @@ static void kvm_no_adjvtime_set(Object *obj, bool value, Error **errp)
     ARM_CPU(obj)->kvm_adjvtime = !value;
 }
 
+static bool kvm_steal_time_get(Object *obj, Error **errp)
+{
+    return ARM_CPU(obj)->kvm_steal_time != ON_OFF_AUTO_OFF;
+}
+
+static void kvm_steal_time_set(Object *obj, bool value, Error **errp)
+{
+    ARM_CPU(obj)->kvm_steal_time = value ? ON_OFF_AUTO_ON : ON_OFF_AUTO_OFF;
+}
+
 /* KVM VCPU properties should be prefixed with "kvm-". */
 void kvm_arm_add_vcpu_properties(Object *obj)
 {
@@ -XXX,XX +XXX,XX @@ void kvm_arm_add_vcpu_properties(Object *obj)
                                         "the virtual counter. VM stopped time "
                                         "will be counted.");
     }
+
+    cpu->kvm_steal_time = ON_OFF_AUTO_AUTO;
+    object_property_add_bool(obj, "kvm-steal-time", kvm_steal_time_get,
+                             kvm_steal_time_set);
+    object_property_set_description(obj, "kvm-steal-time",
+                                    "Set off to disable KVM steal time.");
 }
 
 bool kvm_arm_pmu_supported(void)
diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm64.c
+++ b/target/arm/kvm64.c
@@ -XXX,XX +XXX,XX @@
 #include <linux/kvm.h>
 
 #include "qemu-common.h"
+#include "qapi/error.h"
 #include "cpu.h"
 #include "qemu/timer.h"
 #include "qemu/error-report.h"
@@ -XXX,XX +XXX,XX @@ static CPUWatchpoint *find_hw_watchpoint(CPUState *cpu, target_ulong addr)
     return NULL;
 }
 
-static bool kvm_arm_pmu_set_attr(CPUState *cs, struct kvm_device_attr *attr)
+static bool kvm_arm_set_device_attr(CPUState *cs, struct kvm_device_attr *attr,
+                                    const char *name)
 {
     int err;
 
     err = kvm_vcpu_ioctl(cs, KVM_HAS_DEVICE_ATTR, attr);
     if (err != 0) {
-        error_report("PMU: KVM_HAS_DEVICE_ATTR: %s", strerror(-err));
+        error_report("%s: KVM_HAS_DEVICE_ATTR: %s", name, strerror(-err));
         return false;
     }
 
     err = kvm_vcpu_ioctl(cs, KVM_SET_DEVICE_ATTR, attr);
     if (err != 0) {
-        error_report("PMU: KVM_SET_DEVICE_ATTR: %s", strerror(-err));
+        error_report("%s: KVM_SET_DEVICE_ATTR: %s", name, strerror(-err));
         return false;
     }
 
@@ -XXX,XX +XXX,XX @@ void kvm_arm_pmu_init(CPUState *cs)
     if (!ARM_CPU(cs)->has_pmu) {
         return;
     }
-    if (!kvm_arm_pmu_set_attr(cs, &attr)) {
+    if (!kvm_arm_set_device_attr(cs, &attr, "PMU")) {
         error_report("failed to init PMU");
         abort();
     }
@@ -XXX,XX +XXX,XX @@ void kvm_arm_pmu_set_irq(CPUState *cs, int irq)
     if (!ARM_CPU(cs)->has_pmu) {
         return;
     }
-    if (!kvm_arm_pmu_set_attr(cs, &attr)) {
+    if (!kvm_arm_set_device_attr(cs, &attr, "PMU")) {
         error_report("failed to set irq for PMU");
         abort();
     }
 }
 
+void kvm_arm_pvtime_init(CPUState *cs, uint64_t ipa)
+{
+    struct kvm_device_attr attr = {
+        .group = KVM_ARM_VCPU_PVTIME_CTRL,
+        .attr = KVM_ARM_VCPU_PVTIME_IPA,
+        .addr = (uint64_t)&ipa,
+    };
+
+    if (ARM_CPU(cs)->kvm_steal_time == ON_OFF_AUTO_OFF) {
+        return;
+    }
+    if (!kvm_arm_set_device_attr(cs, &attr, "PVTIME IPA")) {
+        error_report("failed to init PVTIME IPA");
+        abort();
+    }
+}
+
 static int read_sys_reg32(int fd, uint32_t *pret, uint64_t id)
 {
     uint64_t ret;
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
     return true;
 }
 
+void kvm_arm_steal_time_finalize(ARMCPU *cpu, Error **errp)
+{
+    bool has_steal_time = kvm_arm_steal_time_supported();
+
+    if (cpu->kvm_steal_time == ON_OFF_AUTO_AUTO) {
+        if (!has_steal_time || !arm_feature(&cpu->env, ARM_FEATURE_AARCH64)) {
+            cpu->kvm_steal_time = ON_OFF_AUTO_OFF;
+        } else {
+            cpu->kvm_steal_time = ON_OFF_AUTO_ON;
+        }
+    } else if (cpu->kvm_steal_time == ON_OFF_AUTO_ON) {
+        if (!has_steal_time) {
+            error_setg(errp, "'kvm-steal-time' cannot be enabled "
+                             "on this host");
+            return;
+        } else if (!arm_feature(&cpu->env, ARM_FEATURE_AARCH64)) {
+            /*
+             * DEN0057A chapter 2 says "This specification only covers
+             * systems in which the Execution state of the hypervisor
+             * as well as EL1 of virtual machines is AArch64.". And,
+             * to ensure that, the smc/hvc calls are only specified as
+             * smc64/hvc64.
+             */
+            error_setg(errp, "'kvm-steal-time' cannot be enabled "
+                             "for AArch32 guests");
+            return;
+        }
+    }
+}
+
 bool kvm_arm_aarch32_supported(void)
 {
     return kvm_check_extension(kvm_state, KVM_CAP_ARM_EL1_32BIT);
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_sve_supported(void)
     return kvm_check_extension(kvm_state, KVM_CAP_ARM_SVE);
 }
 
+bool kvm_arm_steal_time_supported(void)
+{
+    return kvm_check_extension(kvm_state, KVM_CAP_STEAL_TIME);
+}
+
 QEMU_BUILD_BUG_ON(KVM_ARM64_SVE_VQ_MIN != 1);
 
 void kvm_arm_sve_get_vls(CPUState *cs, unsigned long *map)
diff --git a/target/arm/monitor.c b/target/arm/monitor.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/monitor.c
+++ b/target/arm/monitor.c
@@ -XXX,XX +XXX,XX @@ static const char *cpu_model_advertised_features[] = {
     "sve128", "sve256", "sve384", "sve512",
     "sve640", "sve768", "sve896", "sve1024", "sve1152", "sve1280",
     "sve1408", "sve1536", "sve1664", "sve1792", "sve1920", "sve2048",
-    "kvm-no-adjvtime",
+    "kvm-no-adjvtime", "kvm-steal-time",
     NULL
 };
 
diff --git a/tests/qtest/arm-cpu-features.c b/tests/qtest/arm-cpu-features.c
index XXXXXXX..XXXXXXX 100644
--- a/tests/qtest/arm-cpu-features.c
+++ b/tests/qtest/arm-cpu-features.c
@@ -XXX,XX +XXX,XX @@ static void test_query_cpu_model_expansion(const void *data)
     assert_set_feature(qts, "max", "pmu", true);
 
     assert_has_not_feature(qts, "max", "kvm-no-adjvtime");
+    assert_has_not_feature(qts, "max", "kvm-steal-time");
 
     if (g_str_equal(qtest_get_arch(), "aarch64")) {
         assert_has_feature_enabled(qts, "max", "aarch64");
@@ -XXX,XX +XXX,XX @@ static void test_query_cpu_model_expansion_kvm(const void *data)
     assert_set_feature(qts, "host", "kvm-no-adjvtime", false);
 
     if (g_str_equal(qtest_get_arch(), "aarch64")) {
+        bool kvm_supports_steal_time;
         bool kvm_supports_sve;
         char max_name[8], name[8];
         uint32_t max_vq, vq;
@@ -XXX,XX +XXX,XX @@ static void test_query_cpu_model_expansion_kvm(const void *data)
         QDict *resp;
         char *error;
 
+        assert_error(qts, "cortex-a15",
+            "We cannot guarantee the CPU type 'cortex-a15' works "
+            "with KVM on this host", NULL);
+
         assert_has_feature_enabled(qts, "host", "aarch64");
 
         /* Enabling and disabling pmu should always work. */
@@ -XXX,XX +XXX,XX @@ static void test_query_cpu_model_expansion_kvm(const void *data)
         assert_set_feature(qts, "host", "pmu", false);
         assert_set_feature(qts, "host", "pmu", true);
 
-        assert_error(qts, "cortex-a15",
-            "We cannot guarantee the CPU type 'cortex-a15' works "
-            "with KVM on this host", NULL);
-
+        /*
+         * Some features would be enabled by default, but they're disabled
+         * because this instance of KVM doesn't support them. Test that the
+         * features are present, and, when enabled, issue further tests.
+         */
+        assert_has_feature(qts, "host", "kvm-steal-time");
         assert_has_feature(qts, "host", "sve");
+
         resp = do_query_no_props(qts, "host");
+        kvm_supports_steal_time = resp_get_feature(resp, "kvm-steal-time");
         kvm_supports_sve = resp_get_feature(resp, "sve");
         vls = resp_get_sve_vls(resp);
         qobject_unref(resp);
 
+        if (kvm_supports_steal_time) {
+            /* If we have steal-time then we should be able to toggle it. */
+            assert_set_feature(qts, "host", "kvm-steal-time", false);
+            assert_set_feature(qts, "host", "kvm-steal-time", true);
+        }
+
         if (kvm_supports_sve) {
             g_assert(vls != 0);
             max_vq = 64 - __builtin_clzll(vls);
@@ -XXX,XX +XXX,XX @@ static void test_query_cpu_model_expansion_kvm(const void *data)
         assert_has_not_feature(qts, "host", "aarch64");
         assert_has_not_feature(qts, "host", "pmu");
         assert_has_not_feature(qts, "host", "sve");
+        assert_has_not_feature(qts, "host", "kvm-steal-time");
     }
 
     qtest_quit(qts);
-- 
2.20.1

QEMU supports a 48-bit physical address range, but we don't currently
expose it in the '-cpu max' ID registers (you get the same range as
Cortex-A57, which is 44 bits).

Set the ID_AA64MMFR0.PARange field to indicate 48 bits.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20201001160116.18095-1-peter.maydell@linaro.org
---
 target/arm/cpu64.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu64.c
+++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
         t = FIELD_DP64(t, ID_AA64PFR1, MTE, 2);
         cpu->isar.id_aa64pfr1 = t;
 
+        t = cpu->isar.id_aa64mmfr0;
+        t = FIELD_DP64(t, ID_AA64MMFR0, PARANGE, 5); /* PARange: 48 bits */
+        cpu->isar.id_aa64mmfr0 = t;
+
         t = cpu->isar.id_aa64mmfr1;
         t = FIELD_DP64(t, ID_AA64MMFR1, HPDS, 1); /* HPD */
         t = FIELD_DP64(t, ID_AA64MMFR1, LO, 1);
-- 
2.20.1

Hi; here's the first target-arm pullreq for the 7.0 cycle.

thanks
-- PMM

The following changes since commit 76b56fdfc9fa43ec6e5986aee33f108c6c6a511e:

Merge tag 'block-pull-request' of https://gitlab.com/stefanha/qemu into staging (2021-12-14 12:46:18 -0800)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20211215

for you to fetch changes up to aed176558806674d030a8305d989d4e6a5073359:

tests/acpi: add expected blob for VIOT test on virt machine (2021-12-15 10:35:26 +0000)

----------------------------------------------------------------
target-arm queue:
 * ITS: error reporting cleanup
 * aspeed: improve documentation
 * Fix STM32F2XX USART data register readout
 * allow emulated GICv3 to be disabled in non-TCG builds
 * fix exception priority for singlestep, misaligned PC, bp, etc
 * Correct calculation of tlb range invalidate length
 * npcm7xx_emc: fix missing queue_flush
 * virt: Add VIOT ACPI table for virtio-iommu
 * target/i386: Use assert() to sanity-check b1 in SSE decode
 * Don't include qemu-common unnecessarily

----------------------------------------------------------------
Alex Bennée (1):
      hw/intc: clean-up error reporting for failed ITS cmd

Jean-Philippe Brucker (8):
      hw/arm/virt-acpi-build: Add VIOT table for virtio-iommu
      hw/arm/virt: Remove device tree restriction for virtio-iommu
      hw/arm/virt: Reject instantiation of multiple IOMMUs
      hw/arm/virt: Use object_property_set instead of qdev_prop_set
      tests/acpi: allow updates of VIOT expected data files
      tests/acpi: add test case for VIOT
      tests/acpi: add expected blobs for VIOT test on q35 machine
      tests/acpi: add expected blob for VIOT test on virt machine

Joel Stanley (4):
      docs: aspeed: Add new boards
      docs: aspeed: Update OpenBMC image URL
      docs: aspeed: Give an example of booting a kernel
      docs: aspeed: ADC is now modelled

Olivier Hériveaux (1):
      Fix STM32F2XX USART data register readout

Patrick Venture (1):
      hw/net: npcm7xx_emc fix missing queue_flush

Peter Maydell (6):
      target/i386: Use assert() to sanity-check b1 in SSE decode
      include/hw/i386: Don't include qemu-common.h in .h files
      target/hexagon/cpu.h: don't include qemu-common.h
      target/rx/cpu.h: Don't include qemu-common.h
      hw/arm: Don't include qemu-common.h unnecessarily
      target/arm: Correct calculation of tlb range invalidate length

Philippe Mathieu-Daudé (2):
      hw/intc/arm_gicv3: Extract gicv3_set_gicv3state from arm_gicv3_cpuif.c
      hw/intc/arm_gicv3: Introduce CONFIG_ARM_GIC_TCG Kconfig selector

Richard Henderson (10):
      target/arm: Hoist pc_next to a local variable in aarch64_tr_translate_insn
      target/arm: Hoist pc_next to a local variable in arm_tr_translate_insn
      target/arm: Hoist pc_next to a local variable in thumb_tr_translate_insn
      target/arm: Split arm_pre_translate_insn
      target/arm: Advance pc for arch single-step exception
      target/arm: Split compute_fsr_fsc out of arm_deliver_fault
      target/arm: Take an exception if PC is misaligned
      target/arm: Assert thumb pc is aligned
      target/arm: Suppress bp for exceptions with more priority
      tests/tcg: Add arm and aarch64 pc alignment tests

docs/system/arm/aspeed.rst        |  26 ++++++++++++----
 include/hw/i386/microvm.h         |   1 -
 include/hw/i386/x86.h             |   1 -
 target/arm/helper.h               |   1 +
 target/arm/syndrome.h             |   5 +++
 target/hexagon/cpu.h              |   1 -
 target/rx/cpu.h                   |   1 -
 hw/arm/boot.c                     |   1 -
 hw/arm/digic_boards.c             |   1 -
 hw/arm/highbank.c                 |   1 -
 hw/arm/npcm7xx_boards.c           |   1 -
 hw/arm/sbsa-ref.c                 |   1 -
 hw/arm/stm32f405_soc.c            |   1 -
 hw/arm/vexpress.c                 |   1 -
 hw/arm/virt-acpi-build.c          |   7 +++++
 hw/arm/virt.c                     |  21 ++++++-------
 hw/char/stm32f2xx_usart.c         |   3 +-
 hw/intc/arm_gicv3.c               |   2 +-
 hw/intc/arm_gicv3_cpuif.c         |  10 +-----
 hw/intc/arm_gicv3_cpuif_common.c  |  22 +++++++++++++
 hw/intc/arm_gicv3_its.c           |  39 +++++++++++++++--------
 hw/net/npcm7xx_emc.c              |  18 +++++------
 hw/virtio/virtio-iommu-pci.c      |  12 ++------
 linux-user/aarch64/cpu_loop.c     |  46 ++++++++++++++++------------
 linux-user/hexagon/cpu_loop.c     |   1 +
 target/arm/debug_helper.c         |  23 ++++++++++++++
 target/arm/gdbstub.c              |   9 ++++--
 target/arm/helper.c               |   6 ++--
 target/arm/machine.c              |  10 ++++++
 target/arm/tlb_helper.c           |  63 ++++++++++++++++++++++++++++----------
 target/arm/translate-a64.c        |  23 ++++++++++++--
 target/arm/translate.c            |  58 ++++++++++++++++++++++++++---------
 target/i386/tcg/translate.c       |  12 ++------
 tests/qtest/bios-tables-test.c    |  38 +++++++++++++++++++++++
 tests/tcg/aarch64/pcalign-a64.c   |  37 ++++++++++++++++++++++
 tests/tcg/arm/pcalign-a32.c       |  46 ++++++++++++++++++++++++++++
 hw/arm/Kconfig                    |   1 +
 hw/intc/Kconfig                   |   5 +++
 hw/intc/meson.build               |  11 ++++---
 tests/data/acpi/q35/DSDT.viot     | Bin 0 -> 9398 bytes
 tests/data/acpi/q35/VIOT.viot     | Bin 0 -> 112 bytes
 tests/data/acpi/virt/VIOT         | Bin 0 -> 88 bytes
 tests/tcg/aarch64/Makefile.target |   4 +--
 tests/tcg/arm/Makefile.target     |   4 +++
 44 files changed, 429 insertions(+), 145 deletions(-)
 create mode 100644 hw/intc/arm_gicv3_cpuif_common.c
 create mode 100644 tests/tcg/aarch64/pcalign-a64.c
 create mode 100644 tests/tcg/arm/pcalign-a32.c
 create mode 100644 tests/data/acpi/q35/DSDT.viot
 create mode 100644 tests/data/acpi/q35/VIOT.viot
 create mode 100644 tests/data/acpi/virt/VIOT

From: Alex Bennée <alex.bennee@linaro.org>

While trying to debug a GIC ITS failure I saw some guest errors that
had poor formatting as well as leaving me confused as to what failed.
As most of the checks aren't possible without a valid dte split that
check apart and then check the other conditions in steps. This avoids
us relying on undefined data.

I still get a failure with the current kvm-unit-tests but at least I
know (partially) why now:

Exception return from AArch64 EL1 to AArch64 EL1 PC 0x40080588
  PASS: gicv3: its-trigger: inv/invall: dev2/eventid=20 now triggers an LPI
  ITS: MAPD devid=2 size = 0x8 itt=0x40430000 valid=0
  INT dev_id=2 event_id=20
  process_its_cmd: invalid command attributes: invalid dte: 0 for 2 (MEM_TX: 0)
  PASS: gicv3: its-trigger: mapd valid=false: no LPI after device unmap
  SUMMARY: 6 tests, 1 unexpected failures

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20211112170454.3158925-1-alex.bennee@linaro.org
Cc: Shashi Mallela <shashi.mallela@linaro.org>
Cc: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/intc/arm_gicv3_its.c | 39 +++++++++++++++++++++++++++------------
 1 file changed, 27 insertions(+), 12 deletions(-)

diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3_its.c
+++ b/hw/intc/arm_gicv3_its.c
@@ -XXX,XX +XXX,XX @@ static bool process_its_cmd(GICv3ITSState *s, uint64_t value, uint32_t offset,
         if (res != MEMTX_OK) {
             return result;
         }
+    } else {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "%s: invalid command attributes: "
+                      "invalid dte: %"PRIx64" for %d (MEM_TX: %d)\n",
+                      __func__, dte, devid, res);
+        return result;
     }
 
-    if ((devid > s->dt.maxids.max_devids) || !dte_valid || !ite_valid ||
-            !cte_valid || (eventid > max_eventid)) {
+
+    /*
+     * In this implementation, in case of guest errors we ignore the
+     * command and move onto the next command in the queue.
+     */
+    if (devid > s->dt.maxids.max_devids) {
         qemu_log_mask(LOG_GUEST_ERROR,
-                      "%s: invalid command attributes "
-                      "devid %d or eventid %d or invalid dte %d or"
-                      "invalid cte %d or invalid ite %d\n",
-                      __func__, devid, eventid, dte_valid, cte_valid,
-                      ite_valid);
-        /*
-         * in this implementation, in case of error
-         * we ignore this command and move onto the next
-         * command in the queue
-         */
+                      "%s: invalid command attributes: devid %d>%d",
+                      __func__, devid, s->dt.maxids.max_devids);
+
+    } else if (!dte_valid || !ite_valid || !cte_valid) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "%s: invalid command attributes: "
+                      "dte: %s, ite: %s, cte: %s\n",
+                      __func__,
+                      dte_valid ? "valid" : "invalid",
+                      ite_valid ? "valid" : "invalid",
+                      cte_valid ? "valid" : "invalid");
+    } else if (eventid > max_eventid) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "%s: invalid command attributes: eventid %d > %d\n",
+                      __func__, eventid, max_eventid);
     } else {
         /*
          * Current implementation only supports rdbase == procnum
-- 
2.25.1

From: Joel Stanley <joel@jms.id.au>

Add X11, FP5280G2, G220A, Rainier and Fuji. Mention that Swift will be
removed in v7.0.

Signed-off-by: Joel Stanley <joel@jms.id.au>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Message-id: 20211117065752.330632-2-joel@jms.id.au
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 docs/system/arm/aspeed.rst | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/docs/system/arm/aspeed.rst b/docs/system/arm/aspeed.rst
index XXXXXXX..XXXXXXX 100644
--- a/docs/system/arm/aspeed.rst
+++ b/docs/system/arm/aspeed.rst
@@ -XXX,XX +XXX,XX @@ AST2400 SoC based machines :
 
 - ``palmetto-bmc``         OpenPOWER Palmetto POWER8 BMC
 - ``quanta-q71l-bmc``      OpenBMC Quanta BMC
+- ``supermicrox11-bmc``    Supermicro X11 BMC
 
 AST2500 SoC based machines :
 
@@ -XXX,XX +XXX,XX @@ AST2500 SoC based machines :
 - ``romulus-bmc``          OpenPOWER Romulus POWER9 BMC
 - ``witherspoon-bmc``      OpenPOWER Witherspoon POWER9 BMC
 - ``sonorapass-bmc``       OCP SonoraPass BMC
-- ``swift-bmc``            OpenPOWER Swift BMC POWER9
+- ``swift-bmc``            OpenPOWER Swift BMC POWER9 (to be removed in v7.0)
+- ``fp5280g2-bmc``         Inspur FP5280G2 BMC
+- ``g220a-bmc``            Bytedance G220A BMC
 
 AST2600 SoC based machines :
 
 - ``ast2600-evb``          Aspeed AST2600 Evaluation board (Cortex-A7)
 - ``tacoma-bmc``           OpenPOWER Witherspoon POWER9 AST2600 BMC
+- ``rainier-bmc``          IBM Rainier POWER10 BMC
+- ``fuji-bmc``             Facebook Fuji BMC
 
 Supported devices
 -----------------
-- 
2.25.1

From: Joel Stanley <joel@jms.id.au>

A common use case for the ASPEED machine is to boot a Linux kernel.
Provide a full example command line.

Reviewed-by: Cédric Le Goater <clg@kaod.org>
Signed-off-by: Joel Stanley <joel@jms.id.au>
Message-id: 20211117065752.330632-4-joel@jms.id.au
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 docs/system/arm/aspeed.rst | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/docs/system/arm/aspeed.rst b/docs/system/arm/aspeed.rst
index XXXXXXX..XXXXXXX 100644
--- a/docs/system/arm/aspeed.rst
+++ b/docs/system/arm/aspeed.rst
@@ -XXX,XX +XXX,XX @@ Missing devices
 Boot options
 ------------
 
-The Aspeed machines can be started using the ``-kernel`` option to
-load a Linux kernel or from a firmware. Images can be downloaded from
-the OpenBMC jenkins :
+The Aspeed machines can be started using the ``-kernel`` and ``-dtb`` options
+to load a Linux kernel or from a firmware. Images can be downloaded from the
+OpenBMC jenkins :
 
    https://jenkins.openbmc.org/job/ci-openbmc/lastSuccessfulBuild/
 
@@ -XXX,XX +XXX,XX @@ or directly from the OpenBMC GitHub release repository :
 
    https://github.com/openbmc/openbmc/releases
 
+To boot a kernel directly from a Linux build tree:
+
+.. code-block:: bash
+
+  $ qemu-system-arm -M ast2600-evb -nographic \
+        -kernel arch/arm/boot/zImage \
+        -dtb arch/arm/boot/dts/aspeed-ast2600-evb.dtb \
+        -initrd rootfs.cpio
+
 The image should be attached as an MTD drive. Run :
 
 .. code-block:: bash
-- 
2.25.1

From: Olivier Hériveaux <olivier.heriveaux@ledger.fr>

Fix issue where the data register may be overwritten by next character
reception before being read and returned.

Signed-off-by: Olivier Hériveaux <olivier.heriveaux@ledger.fr>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20211128120723.4053-1-olivier.heriveaux@ledger.fr
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/char/stm32f2xx_usart.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/char/stm32f2xx_usart.c b/hw/char/stm32f2xx_usart.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/char/stm32f2xx_usart.c
+++ b/hw/char/stm32f2xx_usart.c
@@ -XXX,XX +XXX,XX @@ static uint64_t stm32f2xx_usart_read(void *opaque, hwaddr addr,
         return retvalue;
     case USART_DR:
         DB_PRINT("Value: 0x%" PRIx32 ", %c\n", s->usart_dr, (char) s->usart_dr);
+        retvalue = s->usart_dr & 0x3FF;
         s->usart_sr &= ~USART_SR_RXNE;
         qemu_chr_fe_accept_input(&s->chr);
         qemu_set_irq(s->irq, 0);
-        return s->usart_dr & 0x3FF;
+        return retvalue;
     case USART_BRR:
         return s->usart_brr;
     case USART_CR1:
-- 
2.25.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

gicv3_set_gicv3state() is used by arm_gicv3_common.c in
arm_gicv3_common_realize(). Since we want to restrict
arm_gicv3_cpuif.c to TCG, extract gicv3_set_gicv3state()
to a new file. Add this file to the meson 'specific'
source set, since it needs access to "cpu.h".

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20211115223619.2599282-2-philmd@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/intc/arm_gicv3_cpuif.c        | 10 +---------
 hw/intc/arm_gicv3_cpuif_common.c | 22 ++++++++++++++++++++++
 hw/intc/meson.build              |  1 +
 3 files changed, 24 insertions(+), 9 deletions(-)
 create mode 100644 hw/intc/arm_gicv3_cpuif_common.c

diff --git a/hw/intc/arm_gicv3_cpuif.c b/hw/intc/arm_gicv3_cpuif.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3_cpuif.c
+++ b/hw/intc/arm_gicv3_cpuif.c
@@ -XXX,XX +XXX,XX @@
 /*
- * ARM Generic Interrupt Controller v3
+ * ARM Generic Interrupt Controller v3 (emulation)
  *
  * Copyright (c) 2016 Linaro Limited
  * Written by Peter Maydell
@@ -XXX,XX +XXX,XX @@
 #include "hw/irq.h"
 #include "cpu.h"
 
-void gicv3_set_gicv3state(CPUState *cpu, GICv3CPUState *s)
-{
-    ARMCPU *arm_cpu = ARM_CPU(cpu);
-    CPUARMState *env = &arm_cpu->env;
-
-    env->gicv3state = (void *)s;
-};
-
 static GICv3CPUState *icc_cs_from_env(CPUARMState *env)
 {
     return env->gicv3state;
diff --git a/hw/intc/arm_gicv3_cpuif_common.c b/hw/intc/arm_gicv3_cpuif_common.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/hw/intc/arm_gicv3_cpuif_common.c
@@ -XXX,XX +XXX,XX @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * ARM Generic Interrupt Controller v3
+ *
+ * Copyright (c) 2016 Linaro Limited
+ * Written by Peter Maydell
+ *
+ * This code is licensed under the GPL, version 2 or (at your option)
+ * any later version.
+ */
+
+#include "qemu/osdep.h"
+#include "gicv3_internal.h"
+#include "cpu.h"
+
+void gicv3_set_gicv3state(CPUState *cpu, GICv3CPUState *s)
+{
+    ARMCPU *arm_cpu = ARM_CPU(cpu);
+    CPUARMState *env = &arm_cpu->env;
+
+    env->gicv3state = (void *)s;
+};
diff --git a/hw/intc/meson.build b/hw/intc/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/meson.build
+++ b/hw/intc/meson.build
@@ -XXX,XX +XXX,XX @@ softmmu_ss.add(when: 'CONFIG_XLNX_ZYNQMP_PMU', if_true: files('xlnx-pmu-iomod-in
 
 specific_ss.add(when: 'CONFIG_ALLWINNER_A10_PIC', if_true: files('allwinner-a10-pic.c'))
 specific_ss.add(when: 'CONFIG_APIC', if_true: files('apic.c', 'apic_common.c'))
+specific_ss.add(when: 'CONFIG_ARM_GIC', if_true: files('arm_gicv3_cpuif_common.c'))
 specific_ss.add(when: 'CONFIG_ARM_GIC', if_true: files('arm_gicv3_cpuif.c'))
 specific_ss.add(when: 'CONFIG_ARM_GIC_KVM', if_true: files('arm_gic_kvm.c'))
 specific_ss.add(when: ['CONFIG_ARM_GIC_KVM', 'TARGET_AARCH64'], if_true: files('arm_gicv3_kvm.c', 'arm_gicv3_its_kvm.c'))
-- 
2.25.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

The TYPE_ARM_GICV3 device is an emulated one.  When using
KVM, it is recommended to use the TYPE_KVM_ARM_GICV3 device
(which uses in-kernel support).

When using --with-devices-FOO, it is possible to build a
binary with a specific set of devices. When this binary is
restricted to KVM accelerator, the TYPE_ARM_GICV3 device is
irrelevant, and it is desirable to remove it from the binary.

Therefore introduce the CONFIG_ARM_GIC_TCG Kconfig selector
which select the files required to have the TYPE_ARM_GICV3
device, but also allowing to de-select this device.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20211115223619.2599282-3-philmd@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/intc/arm_gicv3.c |  2 +-
 hw/intc/Kconfig     |  5 +++++
 hw/intc/meson.build | 10 ++++++----
 3 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/hw/intc/arm_gicv3.c b/hw/intc/arm_gicv3.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3.c
+++ b/hw/intc/arm_gicv3.c
@@ -XXX,XX +XXX,XX @@
 /*
- * ARM Generic Interrupt Controller v3
+ * ARM Generic Interrupt Controller v3 (emulation)
  *
  * Copyright (c) 2015 Huawei.
  * Copyright (c) 2016 Linaro Limited
diff --git a/hw/intc/Kconfig b/hw/intc/Kconfig
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/Kconfig
+++ b/hw/intc/Kconfig
@@ -XXX,XX +XXX,XX @@ config APIC
     select MSI_NONBROKEN
     select I8259
 
+config ARM_GIC_TCG
+    bool
+    default y
+    depends on ARM_GIC && TCG
+
 config ARM_GIC_KVM
     bool
     default y
diff --git a/hw/intc/meson.build b/hw/intc/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/meson.build
+++ b/hw/intc/meson.build
@@ -XXX,XX +XXX,XX @@ softmmu_ss.add(when: 'CONFIG_ARM_GIC', if_true: files(
   'arm_gic.c',
   'arm_gic_common.c',
   'arm_gicv2m.c',
-  'arm_gicv3.c',
   'arm_gicv3_common.c',
-  'arm_gicv3_dist.c',
   'arm_gicv3_its_common.c',
-  'arm_gicv3_redist.c',
+))
+softmmu_ss.add(when: 'CONFIG_ARM_GIC_TCG', if_true: files(
+  'arm_gicv3.c',
+  'arm_gicv3_dist.c',
   'arm_gicv3_its.c',
+  'arm_gicv3_redist.c',
 ))
 softmmu_ss.add(when: 'CONFIG_ETRAXFS', if_true: files('etraxfs_pic.c'))
 softmmu_ss.add(when: 'CONFIG_HEATHROW_PIC', if_true: files('heathrow_pic.c'))
@@ -XXX,XX +XXX,XX @@ softmmu_ss.add(when: 'CONFIG_XLNX_ZYNQMP_PMU', if_true: files('xlnx-pmu-iomod-in
 specific_ss.add(when: 'CONFIG_ALLWINNER_A10_PIC', if_true: files('allwinner-a10-pic.c'))
 specific_ss.add(when: 'CONFIG_APIC', if_true: files('apic.c', 'apic_common.c'))
 specific_ss.add(when: 'CONFIG_ARM_GIC', if_true: files('arm_gicv3_cpuif_common.c'))
-specific_ss.add(when: 'CONFIG_ARM_GIC', if_true: files('arm_gicv3_cpuif.c'))
+specific_ss.add(when: 'CONFIG_ARM_GIC_TCG', if_true: files('arm_gicv3_cpuif.c'))
 specific_ss.add(when: 'CONFIG_ARM_GIC_KVM', if_true: files('arm_gic_kvm.c'))
 specific_ss.add(when: ['CONFIG_ARM_GIC_KVM', 'TARGET_AARCH64'], if_true: files('arm_gicv3_kvm.c', 'arm_gicv3_its_kvm.c'))
 specific_ss.add(when: 'CONFIG_ARM_V7M', if_true: files('armv7m_nvic.c'))
-- 
2.25.1