Series comparison

-[PULL 00/20] target-arm queue
+[PULL 00/35] target-arm queue
-A grab-bag of minor stuff for the end of the year. My to-review
+Hi; here's the first arm pullreq for the 8.2 cycle. These are
-queue is not empty, but it it at least in single figures...
+pretty much all bug fixes (mostly for the experimental FEAT_RME),
 rather than any major features.
 -- PMM
-The following changes since commit 5bfbd8170ce7acb98a1834ff49ed7340b0837144:
+The following changes since commit b0dd9a7d6dd15a6898e9c585b521e6bec79b25aa:
-  Merge remote-tracking branch 'remotes/vivier2/tags/trivial-branch-for-6.0-pull-request' into staging (2020-12-14 20:32:38 +0000)
+  Open 8.2 development tree (2023-08-22 07:14:07 -0700)
 are available in the Git repository at:
-  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20201215
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20230824
-for you to fetch changes up to 23af268566069183285bebbdf95b1b37cb7c0942:
+for you to fetch changes up to cd1e4db73646006039f25879af3bff55b2295ff3:
-  hw/block/m25p80: Fix Numonyx fast read dummy cycle count (2020-12-15 13:39:30 +0000)
+  target/arm: Fix 64-bit SSRA (2023-08-22 17:31:14 +0100)
 ----------------------------------------------------------------
 target-arm queue:
- * gdbstub: Correct misparsing of vCont C/S requests
+ * hw/gpio/nrf51: implement DETECT signal
- * openrisc: Move pic_cpu code into CPU object proper
+ * accel/kvm: Specify default IPA size for arm64
- * nios2: Move IIC code into CPU object proper
+ * ptw: refactor, fix some FEAT_RME bugs
- * Improve reporting of ROM overlap errors
+ * target/arm: Adjust PAR_EL1.SH for Device and Normal-NC memory types
- * xlnx-versal: Add USB support
+ * target/arm/helper: Implement CNTHCTL_EL2.CNT[VP]MASK
- * hw/misc/zynq_slcr: Avoid #DIV/0! error
+ * Fix SME ST1Q
- * Numonyx: Fix dummy cycles and check for SPI mode on cmds
+ * Fix 64-bit SSRA
 ----------------------------------------------------------------
-Joe Komlodi (4):
+Akihiko Odaki (6):
-      hw/block/m25p80: Make Numonyx config field names more accurate
+      kvm: Introduce kvm_arch_get_default_type hook
-      hw/block/m25p80: Fix when VCFG XIP bit is set for Numonyx
+      accel/kvm: Specify default IPA size for arm64
-      hw/block/m25p80: Check SPI mode before running some Numonyx commands
+      mips: Report an error when KVM_VM_MIPS_VZ is unavailable
-      hw/block/m25p80: Fix Numonyx fast read dummy cycle count
+      accel/kvm: Use negative KVM type for error propagation
       accel/kvm: Free as when an error occurred
       accel/kvm: Make kvm_dirty_ring_reaper_init() void
-Peter Maydell (11):
+Chris Laplante (6):
-      gdbstub: Correct misparsing of vCont C/S requests
+      hw/gpio/nrf51: implement DETECT signal
-      hw/openrisc/openrisc_sim: Use IRQ splitter when connecting IRQ to multiple CPUs
+      qtest: factor out qtest_install_gpio_out_intercept
-      hw/openrisc/openrisc_sim: Abstract out "get IRQ x of CPU y"
+      qtest: implement named interception of out-GPIO
-      target/openrisc: Move pic_cpu code into CPU object proper
+      qtest: bail from irq_intercept_in if name is specified
-      target/nios2: Move IIC code into CPU object proper
+      qtest: irq_intercept_[out/in]: return FAIL if no intercepts are installed
-      target/nios2: Move nios2_check_interrupts() into target/nios2
+      qtest: microbit-test: add tests for nRF51 DETECT
       target/nios2: Use deposit32() to update ipending register
       hw/core/loader.c: Track last-seen ROM in rom_check_and_register_reset()
       hw/core/loader.c: Improve reporting of ROM overlap errors
       elf_ops.h: Don't truncate name of the ROM blobs we create
       elf_ops.h: Be more verbose with ROM blob names
-Philippe Mathieu-Daudé (1):
+Jean-Philippe Brucker (6):
-      hw/misc/zynq_slcr: Avoid #DIV/0! error
+      target/arm/ptw: Load stage-2 tables from realm physical space
       target/arm/helper: Fix tlbmask and tlbbits for TLBI VAE2*
       target/arm: Skip granule protection checks for AT instructions
       target/arm: Pass security space rather than flag for AT instructions
       target/arm/helper: Check SCR_EL3.{NSE, NS} encoding for AT instructions
       target/arm/helper: Implement CNTHCTL_EL2.CNT[VP]MASK
-Sai Pavan Boddu (2):
+Peter Maydell (15):
-      usb: Add versal-usb2-ctrl-regs module
+      target/arm/ptw: Don't set fi->s1ptw for UnsuppAtomicUpdate fault
-      usb: xlnx-usb-subsystem: Add xilinx usb subsystem
+      target/arm/ptw: Don't report GPC faults on stage 1 ptw as stage2 faults
       target/arm/ptw: Set s1ns bit in fault info more consistently
       target/arm/ptw: Pass ptw into get_phys_addr_pmsa*() and get_phys_addr_disabled()
       target/arm/ptw: Pass ARMSecurityState to regime_translation_disabled()
       target/arm/ptw: Pass an ARMSecuritySpace to arm_hcr_el2_eff_secstate()
       target/arm: Pass an ARMSecuritySpace to arm_is_el2_enabled_secstate()
       target/arm/ptw: Only fold in NSTable bit effects in Secure state
       target/arm/ptw: Remove last uses of ptw->in_secure
       target/arm/ptw: Remove S1Translate::in_secure
       target/arm/ptw: Drop S1Translate::out_secure
       target/arm/ptw: Set attributes correctly for MMU disabled data accesses
       target/arm/ptw: Check for block descriptors at invalid levels
       target/arm/ptw: Report stage 2 fault level for stage 2 faults on stage 1 ptw
       target/arm: Adjust PAR_EL1.SH for Device and Normal-NC memory types
-Vikram Garhwal (2):
+Richard Henderson (2):
-      usb: Add DWC3 model
+      target/arm: Fix SME ST1Q
-      arm: xlnx-versal: Connect usb to virt-versal
+      target/arm: Fix 64-bit SSRA
- include/hw/arm/xlnx-versal.h                |   9 +
+ include/hw/gpio/nrf51_gpio.h |   1 +
- include/hw/elf_ops.h                        |   5 +-
+ include/sysemu/kvm.h         |   2 +
- include/hw/usb/hcd-dwc3.h                   |  55 +++
+ target/arm/cpu.h             |  19 ++--
- include/hw/usb/xlnx-usb-subsystem.h         |  45 ++
+ target/arm/internals.h       |  25 ++---
- include/hw/usb/xlnx-versal-usb2-ctrl-regs.h |  45 ++
+ target/mips/kvm_mips.h       |   9 --
- target/nios2/cpu.h                          |   3 -
+ tests/qtest/libqtest.h       |  11 +++
- target/openrisc/cpu.h                       |   1 -
+ accel/kvm/kvm-all.c          |  19 ++--
- gdbstub.c                                   |   2 +-
+ hw/arm/virt.c                |   2 +-
- hw/arm/xlnx-versal-virt.c                   |  55 +++
+ hw/gpio/nrf51_gpio.c         |  14 ++-
- hw/arm/xlnx-versal.c                        |  26 ++
+ hw/mips/loongson3_virt.c     |   2 -
- hw/block/m25p80.c                           | 158 +++++--
+ hw/ppc/spapr.c               |   2 +-
- hw/core/loader.c                            |  67 ++-
+ softmmu/qtest.c              |  52 +++++++---
- hw/intc/nios2_iic.c                         |  95 ----
+ target/arm/cpu.c             |   6 ++
- hw/misc/zynq_slcr.c                         |   5 +
+ target/arm/helper.c          | 207 ++++++++++++++++++++++++++++----------
- hw/nios2/10m50_devboard.c                   |  13 +-
+ target/arm/kvm.c             |   7 ++
- hw/nios2/cpu_pic.c                          |  67 ---
+ target/arm/ptw.c             | 231 ++++++++++++++++++++++++++-----------------
- hw/openrisc/openrisc_sim.c                  |  46 +-
+ target/arm/tcg/sme_helper.c  |   2 +-
- hw/openrisc/pic_cpu.c                       |  61 ---
+ target/arm/tcg/translate.c   |   2 +-
- hw/usb/hcd-dwc3.c                           | 689 ++++++++++++++++++++++++++++
+ target/i386/kvm/kvm.c        |   5 +
- hw/usb/xlnx-usb-subsystem.c                 |  94 ++++
+ target/mips/kvm.c            |   3 +-
- hw/usb/xlnx-versal-usb2-ctrl-regs.c         | 229 +++++++++
+ target/ppc/kvm.c             |   5 +
- softmmu/vl.c                                |   1 -
+ target/riscv/kvm.c           |   5 +
- target/nios2/cpu.c                          |  29 ++
+ target/s390x/kvm/kvm.c       |   5 +
- target/nios2/op_helper.c                    |   9 +
+ tests/qtest/libqtest.c       |   6 ++
- target/openrisc/cpu.c                       |  32 ++
+ tests/qtest/microbit-test.c  |  44 +++++++++
- MAINTAINERS                                 |   1 -
+ target/arm/trace-events      |   7 +-
- hw/intc/meson.build                         |   1 -
+files changed, 494 insertions(+), 199 deletions(-)
  hw/nios2/meson.build                        |   2 +-
  hw/openrisc/Kconfig                         |   1 +
  hw/openrisc/meson.build                     |   2 +-
  hw/usb/Kconfig                              |  10 +
  hw/usb/meson.build                          |   3 +
 files changed, 1557 insertions(+), 304 deletions(-)
  create mode 100644 include/hw/usb/hcd-dwc3.h
  create mode 100644 include/hw/usb/xlnx-usb-subsystem.h
  create mode 100644 include/hw/usb/xlnx-versal-usb2-ctrl-regs.h
  delete mode 100644 hw/intc/nios2_iic.c
  delete mode 100644 hw/nios2/cpu_pic.c
  delete mode 100644 hw/openrisc/pic_cpu.c
  create mode 100644 hw/usb/hcd-dwc3.c
  create mode 100644 hw/usb/xlnx-usb-subsystem.c
  create mode 100644 hw/usb/xlnx-versal-usb2-ctrl-regs.c

-New patch
+[PULL 01/35] hw/gpio/nrf51: implement DETECT signal
+From: Chris Laplante <chris@laplante.io>
+Implement nRF51 DETECT signal in the GPIO peripheral.
+The reference manual makes mention of a per-pin DETECT signal, but these
+are not exposed to the user. See https://devzone.nordicsemi.com/f/nordic-q-a/39858/gpio-per-pin-detect-signal-available
+for more information. Currently, I don't see a reason to model these.
+Signed-off-by: Chris Laplante <chris@laplante.io>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20230728160324.1159090-2-chris@laplante.io
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ include/hw/gpio/nrf51_gpio.h |  1 +
+ hw/gpio/nrf51_gpio.c         | 14 +++++++++++++-
+files changed, 14 insertions(+), 1 deletion(-)
+diff --git a/include/hw/gpio/nrf51_gpio.h b/include/hw/gpio/nrf51_gpio.h
+index XXXXXXX..XXXXXXX 100644
+--- a/include/hw/gpio/nrf51_gpio.h
++++ b/include/hw/gpio/nrf51_gpio.h
+@@ -XXX,XX +XXX,XX @@ struct NRF51GPIOState {
+     uint32_t old_out_connected;
+     qemu_irq output[NRF51_GPIO_PINS];
++    qemu_irq detect;
+ };
+diff --git a/hw/gpio/nrf51_gpio.c b/hw/gpio/nrf51_gpio.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/gpio/nrf51_gpio.c
++++ b/hw/gpio/nrf51_gpio.c
+@@ -XXX,XX +XXX,XX @@ static void update_state(NRF51GPIOState *s)
+     int pull;
+     size_t i;
+     bool connected_out, dir, connected_in, out, in, input;
++    bool assert_detect = false;
+     for (i = 0; i < NRF51_GPIO_PINS; i++) {
+         pull = pull_value(s->cnf[i]);
+@@ -XXX,XX +XXX,XX @@ static void update_state(NRF51GPIOState *s)
+                 qemu_log_mask(LOG_GUEST_ERROR,
+                               "GPIO pin %zu short circuited\n", i);
+             }
+-            if (!connected_in) {
++            if (connected_in) {
++                uint32_t detect_config = extract32(s->cnf[i], 16, 2);
++                if ((detect_config == 2) && (in == 1)) {
++                    assert_detect = true;
++                }
++                if ((detect_config == 3) && (in == 0)) {
++                    assert_detect = true;
++                }
++            } else {
+                 /*
+                  * Floating input: the output stimulates IN if connected,
+                  * otherwise pull-up/pull-down resistors put a value on both
+@@ -XXX,XX +XXX,XX @@ static void update_state(NRF51GPIOState *s)
+         }
+         update_output_irq(s, i, connected_out, out);
+     }
++
++    qemu_set_irq(s->detect, assert_detect);
+ }
+ /*
+@@ -XXX,XX +XXX,XX @@ static void nrf51_gpio_init(Object *obj)
+     qdev_init_gpio_in(DEVICE(s), nrf51_gpio_set, NRF51_GPIO_PINS);
+     qdev_init_gpio_out(DEVICE(s), s->output, NRF51_GPIO_PINS);
++    qdev_init_gpio_out_named(DEVICE(s), &s->detect, "detect", 1);
+ }
+ static void nrf51_gpio_class_init(ObjectClass *klass, void *data)
+--
+.34.1

-[PULL 20/20] hw/block/m25p80: Fix Numonyx fast read dummy cycle count
+[PULL 02/35] qtest: factor out qtest_install_gpio_out_intercept
-From: Joe Komlodi <joe.komlodi@xilinx.com>
+From: Chris Laplante <chris@laplante.io>
-Numonyx chips determine the number of cycles to wait based on bits 7:4
+Signed-off-by: Chris Laplante <chris@laplante.io>
-in the volatile configuration register.
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20230728160324.1159090-3-chris@laplante.io
 However, if these bits are 0x0 or 0xF, the number of dummy cycles to
 wait is 10 for QIOR and QIOR4 commands or when in QIO mode, and otherwise 8 for
 the currently supported fast read commands. [1]
 [1]
 https://www.micron.com/-/media/client/global/documents/products/data-sheet/nor-flash/serial-nor/mt25q/die-rev-b/mt25q_qlkt_u_02g_cbb_0.pdf?rev=9b167fbf2b3645efba6385949a72e453
 Signed-off-by: Joe Komlodi <komlodi@xilinx.com>
 Reviewed-by: Francisco Iglesias <francisco.iglesias@xilinx.com>
 Message-id: 1605568264-26376-5-git-send-email-komlodi@xilinx.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/block/m25p80.c | 30 +++++++++++++++++++++++++++---
+ softmmu/qtest.c | 16 ++++++++++------
-file changed, 27 insertions(+), 3 deletions(-)
+file changed, 10 insertions(+), 6 deletions(-)
-diff --git a/hw/block/m25p80.c b/hw/block/m25p80.c
+diff --git a/softmmu/qtest.c b/softmmu/qtest.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/block/m25p80.c
+--- a/softmmu/qtest.c
-+++ b/hw/block/m25p80.c
++++ b/softmmu/qtest.c
-@@ -XXX,XX +XXX,XX @@ static uint8_t numonyx_mode(Flash *s)
+@@ -XXX,XX +XXX,XX @@ void qtest_set_command_cb(bool (*pc_cb)(CharBackend *chr, gchar **words))
-     }
+     process_command_cb = pc_cb;
  }
-+static uint8_t numonyx_extract_cfg_num_dummies(Flash *s)
++static void qtest_install_gpio_out_intercept(DeviceState *dev, const char *name, int n)
 +{
-+    uint8_t num_dummies;
++    qemu_irq *disconnected = g_new0(qemu_irq, 1);
-+    uint8_t mode;
++    qemu_irq icpt = qemu_allocate_irq(qtest_irq_handler,
-+    assert(get_man(s) == MAN_NUMONYX);
++                                      disconnected, n);
 +
-+    mode = numonyx_mode(s);
++    *disconnected = qdev_intercept_gpio_out(dev, icpt, name, n);
 +    num_dummies = extract32(s->volatile_cfg, 4, 4);
 +
 +    if (num_dummies == 0x0 || num_dummies == 0xf) {
 +        switch (s->cmd_in_progress) {
 +        case QIOR:
 +        case QIOR4:
 +            num_dummies = 10;
 +            break;
 +        default:
 +            num_dummies = (mode == MODE_QIO) ? 10 : 8;
 +            break;
 +        }
 +    }
 +
 +    return num_dummies;
 +}
 +
- static void decode_fast_read_cmd(Flash *s)
+ static void qtest_process_command(CharBackend *chr, gchar **words)
  {
-     s->needed_bytes = get_addr_length(s);
+     const gchar *command;
-@@ -XXX,XX +XXX,XX @@ static void decode_fast_read_cmd(Flash *s)
+@@ -XXX,XX +XXX,XX @@ static void qtest_process_command(CharBackend *chr, gchar **words)
-         s->needed_bytes += 8;
+             if (words[0][14] == 'o') {
-         break;
+                 int i;
-     case MAN_NUMONYX:
+                 for (i = 0; i < ngl->num_out; ++i) {
--        s->needed_bytes += extract32(s->volatile_cfg, 4, 4);
+-                    qemu_irq *disconnected = g_new0(qemu_irq, 1);
-+        s->needed_bytes += numonyx_extract_cfg_num_dummies(s);
+-                    qemu_irq icpt = qemu_allocate_irq(qtest_irq_handler,
-         break;
+-                                                      disconnected, i);
-     case MAN_MACRONIX:
+-
-         if (extract32(s->volatile_cfg, 6, 2) == 1) {
+-                    *disconnected = qdev_intercept_gpio_out(dev, icpt,
-@@ -XXX,XX +XXX,XX @@ static void decode_dio_read_cmd(Flash *s)
+-                                                            ngl->name, i);
-                                     );
++                    qtest_install_gpio_out_intercept(dev, ngl->name, i);
-         break;
+                 }
-     case MAN_NUMONYX:
+             } else {
--        s->needed_bytes += extract32(s->volatile_cfg, 4, 4);
+                 qemu_irq_intercept_in(ngl->in, qtest_irq_handler,
 +        s->needed_bytes += numonyx_extract_cfg_num_dummies(s);
          break;
      case MAN_MACRONIX:
          switch (extract32(s->volatile_cfg, 6, 2)) {
@@ -XXX,XX +XXX,XX @@ static void decode_qio_read_cmd(Flash *s)
                                      );
          break;
      case MAN_NUMONYX:
 -        s->needed_bytes += extract32(s->volatile_cfg, 4, 4);
 +        s->needed_bytes += numonyx_extract_cfg_num_dummies(s);
          break;
      case MAN_MACRONIX:
          switch (extract32(s->volatile_cfg, 6, 2)) {
 --
-.20.1
+.34.1

-[PULL 19/20] hw/block/m25p80: Check SPI mode before running some Numonyx commands
+[PULL 03/35] qtest: implement named interception of out-GPIO
-From: Joe Komlodi <joe.komlodi@xilinx.com>
+From: Chris Laplante <chris@laplante.io>
-Some Numonyx flash commands cannot be executed in DIO and QIO mode, such as
+Adds qtest_irq_intercept_out_named method, which utilizes a new optional
-trying to do DPP or DOR when in QIO mode.
+name parameter to the irq_intercept_out qtest command.
-Signed-off-by: Joe Komlodi <komlodi@xilinx.com>
+Signed-off-by: Chris Laplante <chris@laplante.io>
-Reviewed-by: Francisco Iglesias <francisco.iglesias@xilinx.com>
+Message-id: 20230728160324.1159090-4-chris@laplante.io
-Message-id: 1605568264-26376-4-git-send-email-komlodi@xilinx.com
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/block/m25p80.c | 114 ++++++++++++++++++++++++++++++++++++++--------
+ tests/qtest/libqtest.h | 11 +++++++++++
-file changed, 95 insertions(+), 19 deletions(-)
+ softmmu/qtest.c        | 18 ++++++++++--------
  tests/qtest/libqtest.c |  6 ++++++
 files changed, 27 insertions(+), 8 deletions(-)
-diff --git a/hw/block/m25p80.c b/hw/block/m25p80.c
+diff --git a/tests/qtest/libqtest.h b/tests/qtest/libqtest.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/block/m25p80.c
+--- a/tests/qtest/libqtest.h
-+++ b/hw/block/m25p80.c
++++ b/tests/qtest/libqtest.h
-@@ -XXX,XX +XXX,XX @@ typedef enum {
+@@ -XXX,XX +XXX,XX @@ void qtest_irq_intercept_in(QTestState *s, const char *string);
-     MAN_GENERIC,
+  */
- } Manufacturer;
+ void qtest_irq_intercept_out(QTestState *s, const char *string);
-+typedef enum {
++/**
-+    MODE_STD = 0,
++ * qtest_irq_intercept_out_named:
-+    MODE_DIO = 1,
++ * @s: #QTestState instance to operate on.
-+    MODE_QIO = 2
++ * @qom_path: QOM path of a device.
-+} SPIMode;
++ * @name: Name of the GPIO out pin
 + *
 + * Associate a qtest irq with the named GPIO-out pin of the device
 + * whose path is specified by @string and whose name is @name.
 + */
 +void qtest_irq_intercept_out_named(QTestState *s, const char *qom_path, const char *name);
 +
- #define M25P80_INTERNAL_DATA_BUFFER_SZ 16
+ /**
+  * qtest_set_irq_in:
- struct Flash {
+  * @s: QTestState instance to operate on.
-@@ -XXX,XX +XXX,XX @@ static void reset_memory(Flash *s)
+diff --git a/softmmu/qtest.c b/softmmu/qtest.c
-     trace_m25p80_reset_done(s);
+index XXXXXXX..XXXXXXX 100644
 --- a/softmmu/qtest.c
 +++ b/softmmu/qtest.c
@@ -XXX,XX +XXX,XX @@ static void qtest_process_command(CharBackend *chr, gchar **words)
          || strcmp(words[0], "irq_intercept_in") == 0) {
          DeviceState *dev;
          NamedGPIOList *ngl;
 +        bool is_outbound;
          g_assert(words[1]);
 +        is_outbound = words[0][14] == 'o';
          dev = DEVICE(object_resolve_path(words[1], NULL));
          if (!dev) {
              qtest_send_prefix(chr);
@@ -XXX,XX +XXX,XX @@ static void qtest_process_command(CharBackend *chr, gchar **words)
          }
          QLIST_FOREACH(ngl, &dev->gpios, node) {
 -            /* We don't support intercept of named GPIOs yet */
 -            if (ngl->name) {
 -                continue;
 -            }
 -            if (words[0][14] == 'o') {
 -                int i;
 -                for (i = 0; i < ngl->num_out; ++i) {
 -                    qtest_install_gpio_out_intercept(dev, ngl->name, i);
 +            /* We don't support inbound interception of named GPIOs yet */
 +            if (is_outbound) {
 +                /* NULL is valid and matchable, for "unnamed GPIO" */
 +                if (g_strcmp0(ngl->name, words[2]) == 0) {
 +                    int i;
 +                    for (i = 0; i < ngl->num_out; ++i) {
 +                        qtest_install_gpio_out_intercept(dev, ngl->name, i);
 +                    }
                  }
              } else {
                  qemu_irq_intercept_in(ngl->in, qtest_irq_handler,
 diff --git a/tests/qtest/libqtest.c b/tests/qtest/libqtest.c
 index XXXXXXX..XXXXXXX 100644
 --- a/tests/qtest/libqtest.c
 +++ b/tests/qtest/libqtest.c
@@ -XXX,XX +XXX,XX @@ void qtest_irq_intercept_out(QTestState *s, const char *qom_path)
      qtest_rsp(s);
  }
-+static uint8_t numonyx_mode(Flash *s)
++void qtest_irq_intercept_out_named(QTestState *s, const char *qom_path, const char *name)
 +{
-+    if (!(s->enh_volatile_cfg & EVCFG_QUAD_IO_DISABLED)) {
++    qtest_sendf(s, "irq_intercept_out %s %s\n", qom_path, name);
-+        return MODE_QIO;
++    qtest_rsp(s);
 +    } else if (!(s->enh_volatile_cfg & EVCFG_DUAL_IO_DISABLED)) {
 +        return MODE_DIO;
 +    } else {
 +        return MODE_STD;
 +    }
 +}
 +
- static void decode_fast_read_cmd(Flash *s)
+ void qtest_irq_intercept_in(QTestState *s, const char *qom_path)
  {
-     s->needed_bytes = get_addr_length(s);
+     qtest_sendf(s, "irq_intercept_in %s\n", qom_path);
@@ -XXX,XX +XXX,XX @@ static void decode_new_cmd(Flash *s, uint32_t value)
      case ERASE4_32K:
      case ERASE_SECTOR:
      case ERASE4_SECTOR:
 -    case READ:
 -    case READ4:
 -    case DPP:
 -    case QPP:
 -    case QPP_4:
      case PP:
      case PP4:
 -    case PP4_4:
      case DIE_ERASE:
      case RDID_90:
      case RDID_AB:
@@ -XXX,XX +XXX,XX @@ static void decode_new_cmd(Flash *s, uint32_t value)
          s->len = 0;
          s->state = STATE_COLLECTING_DATA;
          break;
 +    case READ:
 +    case READ4:
 +        if (get_man(s) != MAN_NUMONYX || numonyx_mode(s) == MODE_STD) {
 +            s->needed_bytes = get_addr_length(s);
 +            s->pos = 0;
 +            s->len = 0;
 +            s->state = STATE_COLLECTING_DATA;
 +        } else {
 +            qemu_log_mask(LOG_GUEST_ERROR, "M25P80: Cannot execute cmd %x in "
 +                          "DIO or QIO mode\n", s->cmd_in_progress);
 +        }
 +        break;
 +    case DPP:
 +        if (get_man(s) != MAN_NUMONYX || numonyx_mode(s) != MODE_QIO) {
 +            s->needed_bytes = get_addr_length(s);
 +            s->pos = 0;
 +            s->len = 0;
 +            s->state = STATE_COLLECTING_DATA;
 +        } else {
 +            qemu_log_mask(LOG_GUEST_ERROR, "M25P80: Cannot execute cmd %x in "
 +                          "QIO mode\n", s->cmd_in_progress);
 +        }
 +        break;
 +    case QPP:
 +    case QPP_4:
 +    case PP4_4:
 +        if (get_man(s) != MAN_NUMONYX || numonyx_mode(s) != MODE_DIO) {
 +            s->needed_bytes = get_addr_length(s);
 +            s->pos = 0;
 +            s->len = 0;
 +            s->state = STATE_COLLECTING_DATA;
 +        } else {
 +            qemu_log_mask(LOG_GUEST_ERROR, "M25P80: Cannot execute cmd %x in "
 +                          "DIO mode\n", s->cmd_in_progress);
 +        }
 +        break;
      case FAST_READ:
      case FAST_READ4:
 +        decode_fast_read_cmd(s);
 +        break;
      case DOR:
      case DOR4:
 +        if (get_man(s) != MAN_NUMONYX || numonyx_mode(s) != MODE_QIO) {
 +            decode_fast_read_cmd(s);
 +        } else {
 +            qemu_log_mask(LOG_GUEST_ERROR, "M25P80: Cannot execute cmd %x in "
 +                          "QIO mode\n", s->cmd_in_progress);
 +        }
 +        break;
      case QOR:
      case QOR4:
 -        decode_fast_read_cmd(s);
 +        if (get_man(s) != MAN_NUMONYX || numonyx_mode(s) != MODE_DIO) {
 +            decode_fast_read_cmd(s);
 +        } else {
 +            qemu_log_mask(LOG_GUEST_ERROR, "M25P80: Cannot execute cmd %x in "
 +                          "DIO mode\n", s->cmd_in_progress);
 +        }
          break;
      case DIOR:
      case DIOR4:
 -        decode_dio_read_cmd(s);
 +        if (get_man(s) != MAN_NUMONYX || numonyx_mode(s) != MODE_QIO) {
 +            decode_dio_read_cmd(s);
 +        } else {
 +            qemu_log_mask(LOG_GUEST_ERROR, "M25P80: Cannot execute cmd %x in "
 +                          "QIO mode\n", s->cmd_in_progress);
 +        }
          break;
      case QIOR:
      case QIOR4:
 -        decode_qio_read_cmd(s);
 +        if (get_man(s) != MAN_NUMONYX || numonyx_mode(s) != MODE_DIO) {
 +            decode_qio_read_cmd(s);
 +        } else {
 +            qemu_log_mask(LOG_GUEST_ERROR, "M25P80: Cannot execute cmd %x in "
 +                          "DIO mode\n", s->cmd_in_progress);
 +        }
          break;
      case WRSR:
@@ -XXX,XX +XXX,XX @@ static void decode_new_cmd(Flash *s, uint32_t value)
          break;
      case JEDEC_READ:
 -        trace_m25p80_populated_jedec(s);
 -        for (i = 0; i < s->pi->id_len; i++) {
 -            s->data[i] = s->pi->id[i];
 -        }
 -        for (; i < SPI_NOR_MAX_ID_LEN; i++) {
 -            s->data[i] = 0;
 -        }
 +        if (get_man(s) != MAN_NUMONYX || numonyx_mode(s) == MODE_STD) {
 +            trace_m25p80_populated_jedec(s);
 +            for (i = 0; i < s->pi->id_len; i++) {
 +                s->data[i] = s->pi->id[i];
 +            }
 +            for (; i < SPI_NOR_MAX_ID_LEN; i++) {
 +                s->data[i] = 0;
 +            }
 -        s->len = SPI_NOR_MAX_ID_LEN;
 -        s->pos = 0;
 -        s->state = STATE_READING_DATA;
 +            s->len = SPI_NOR_MAX_ID_LEN;
 +            s->pos = 0;
 +            s->state = STATE_READING_DATA;
 +        } else {
 +            qemu_log_mask(LOG_GUEST_ERROR, "M25P80: Cannot execute JEDEC read "
 +                          "in DIO or QIO mode\n");
 +        }
          break;
      case RDCR:
 --
-.20.1
+.34.1

-New patch
+[PULL 04/35] qtest: bail from irq_intercept_in if name is specified
+From: Chris Laplante <chris@laplante.io>
+Named interception of in-GPIOs is not supported yet.
+Signed-off-by: Chris Laplante <chris@laplante.io>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-id: 20230728160324.1159090-5-chris@laplante.io
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ softmmu/qtest.c | 8 ++++++++
+file changed, 8 insertions(+)
+diff --git a/softmmu/qtest.c b/softmmu/qtest.c
+index XXXXXXX..XXXXXXX 100644
+--- a/softmmu/qtest.c
++++ b/softmmu/qtest.c
+@@ -XXX,XX +XXX,XX @@ static void qtest_process_command(CharBackend *chr, gchar **words)
+         || strcmp(words[0], "irq_intercept_in") == 0) {
+         DeviceState *dev;
+         NamedGPIOList *ngl;
++        bool is_named;
+         bool is_outbound;
+         g_assert(words[1]);
++        is_named = words[2] != NULL;
+         is_outbound = words[0][14] == 'o';
+         dev = DEVICE(object_resolve_path(words[1], NULL));
+         if (!dev) {
+@@ -XXX,XX +XXX,XX @@ static void qtest_process_command(CharBackend *chr, gchar **words)
+             return;
+         }
++        if (is_named && !is_outbound) {
++            qtest_send_prefix(chr);
++            qtest_send(chr, "FAIL Interception of named in-GPIOs not yet supported\n");
++            return;
++        }
++
+         if (irq_intercept_dev) {
+             qtest_send_prefix(chr);
+             if (irq_intercept_dev != dev) {
+--
+.34.1

-New patch
+[PULL 05/35] qtest: irq_intercept_[out/in]: return FAIL if no intercepts are installed
+From: Chris Laplante <chris@laplante.io>
+This is much better than just silently failing with OK.
+Signed-off-by: Chris Laplante <chris@laplante.io>
+Message-id: 20230728160324.1159090-6-chris@laplante.io
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ softmmu/qtest.c | 12 ++++++++++--
+file changed, 10 insertions(+), 2 deletions(-)
+diff --git a/softmmu/qtest.c b/softmmu/qtest.c
+index XXXXXXX..XXXXXXX 100644
+--- a/softmmu/qtest.c
++++ b/softmmu/qtest.c
+@@ -XXX,XX +XXX,XX @@ static void qtest_process_command(CharBackend *chr, gchar **words)
+         NamedGPIOList *ngl;
+         bool is_named;
+         bool is_outbound;
++        bool interception_succeeded = false;
+         g_assert(words[1]);
+         is_named = words[2] != NULL;
+@@ -XXX,XX +XXX,XX @@ static void qtest_process_command(CharBackend *chr, gchar **words)
+                     for (i = 0; i < ngl->num_out; ++i) {
+                         qtest_install_gpio_out_intercept(dev, ngl->name, i);
+                     }
++                    interception_succeeded = true;
+                 }
+             } else {
+                 qemu_irq_intercept_in(ngl->in, qtest_irq_handler,
+                                       ngl->num_in);
++                interception_succeeded = true;
+             }
+         }
+-        irq_intercept_dev = dev;
++
+         qtest_send_prefix(chr);
+-        qtest_send(chr, "OK\n");
++        if (interception_succeeded) {
++            irq_intercept_dev = dev;
++            qtest_send(chr, "OK\n");
++        } else {
++            qtest_send(chr, "FAIL No intercepts installed\n");
++        }
+     } else if (strcmp(words[0], "set_irq_in") == 0) {
+         DeviceState *dev;
+         qemu_irq irq;
+--
+.34.1

-[PULL 13/20] usb: Add DWC3 model
+[PULL 06/35] qtest: microbit-test: add tests for nRF51 DETECT
-From: Vikram Garhwal <fnu.vikram@xilinx.com>
+From: Chris Laplante <chris@laplante.io>
-This patch adds skeleton model of dwc3 usb controller attached to
+Exercise the DETECT mechanism of the GPIO peripheral.
 xhci-sysbus device. It defines global register space of DWC3 controller,
 global registers control the AXI/AHB interfaces properties, external FIFO
 support and event count support. All of which are unimplemented at
 present,we are only supporting core reset and read of ID register.
-Signed-off-by: Vikram Garhwal <fnu.vikram@xilinx.com>
+Signed-off-by: Chris Laplante <chris@laplante.io>
-Signed-off-by: Sai Pavan Boddu <sai.pavan.boddu@xilinx.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+Message-id: 20230728160324.1159090-7-chris@laplante.io
-Message-id: 1607023357-5096-3-git-send-email-sai.pavan.boddu@xilinx.com
+[PMM: fixed coding style nits]
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- include/hw/usb/hcd-dwc3.h |  55 +++
+ tests/qtest/microbit-test.c | 44 +++++++++++++++++++++++++++++++++++++
- hw/usb/hcd-dwc3.c         | 689 ++++++++++++++++++++++++++++++++++++++
+file changed, 44 insertions(+)
  hw/usb/Kconfig            |   5 +
  hw/usb/meson.build        |   1 +
 files changed, 750 insertions(+)
  create mode 100644 include/hw/usb/hcd-dwc3.h
  create mode 100644 hw/usb/hcd-dwc3.c
-diff --git a/include/hw/usb/hcd-dwc3.h b/include/hw/usb/hcd-dwc3.h
+diff --git a/tests/qtest/microbit-test.c b/tests/qtest/microbit-test.c
-new file mode 100644
+index XXXXXXX..XXXXXXX 100644
-index XXXXXXX..XXXXXXX
+--- a/tests/qtest/microbit-test.c
---- /dev/null
++++ b/tests/qtest/microbit-test.c
-+++ b/include/hw/usb/hcd-dwc3.h
+@@ -XXX,XX +XXX,XX @@ static void test_nrf51_gpio(void)
-@@ -XXX,XX +XXX,XX @@
+     qtest_quit(qts);
-+/*
+ }
-+ * QEMU model of the USB DWC3 host controller emulation.
-+ *
++static void test_nrf51_gpio_detect(void)
-+ * Copyright (c) 2020 Xilinx Inc.
++{
-+ *
++    QTestState *qts = qtest_init("-M microbit");
-+ * Written by Vikram Garhwal<fnu.vikram@xilinx.com>
++    int i;
 + *
 + * Permission is hereby granted, free of charge, to any person obtaining a copy
 + * of this software and associated documentation files (the "Software"), to deal
 + * in the Software without restriction, including without limitation the rights
 + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 + * copies of the Software, and to permit persons to whom the Software is
 + * furnished to do so, subject to the following conditions:
 + *
 + * The above copyright notice and this permission notice shall be included in
 + * all copies or substantial portions of the Software.
 + *
 + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
 + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 + * THE SOFTWARE.
 + */
 +#ifndef HCD_DWC3_H
 +#define HCD_DWC3_H
 +
-+#include "hw/usb/hcd-xhci.h"
++    /* Connect input buffer on pins 1-7, configure SENSE for high level */
-+#include "hw/usb/hcd-xhci-sysbus.h"
++    for (i = 1; i <= 7; i++) {
-+
++        qtest_writel(qts, NRF51_GPIO_BASE + NRF51_GPIO_REG_CNF_START + i * 4,
-+#define TYPE_USB_DWC3 "usb_dwc3"
++                     deposit32(0, 16, 2, 2));
 +
 +#define USB_DWC3(obj) \
 +     OBJECT_CHECK(USBDWC3, (obj), TYPE_USB_DWC3)
 +
 +#define USB_DWC3_R_MAX ((0x530 / 4) + 1)
 +#define DWC3_SIZE 0x10000
 +
 +typedef struct USBDWC3 {
 +    SysBusDevice parent_obj;
 +    MemoryRegion iomem;
 +    XHCISysbusState sysbus_xhci;
 +
 +    uint32_t regs[USB_DWC3_R_MAX];
 +    RegisterInfo regs_info[USB_DWC3_R_MAX];
 +
 +    struct {
 +        uint8_t     mode;
 +        uint32_t    dwc_usb3_user;
 +    } cfg;
 +
 +} USBDWC3;
 +
 +#endif
 diff --git a/hw/usb/hcd-dwc3.c b/hw/usb/hcd-dwc3.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/hw/usb/hcd-dwc3.c
@@ -XXX,XX +XXX,XX @@
 +/*
 + * QEMU model of the USB DWC3 host controller emulation.
 + *
 + * This model defines global register space of DWC3 controller. Global
 + * registers control the AXI/AHB interfaces properties, external FIFO support
 + * and event count support. All of which are unimplemented at present. We are
 + * only supporting core reset and read of ID register.
 + *
 + * Copyright (c) 2020 Xilinx Inc. Vikram Garhwal<fnu.vikram@xilinx.com>
 + *
 + * Permission is hereby granted, free of charge, to any person obtaining a copy
 + * of this software and associated documentation files (the "Software"), to deal
 + * in the Software without restriction, including without limitation the rights
 + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 + * copies of the Software, and to permit persons to whom the Software is
 + * furnished to do so, subject to the following conditions:
 + *
 + * The above copyright notice and this permission notice shall be included in
 + * all copies or substantial portions of the Software.
 + *
 + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
 + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 + * THE SOFTWARE.
 + */
 +
 +#include "qemu/osdep.h"
 +#include "hw/sysbus.h"
 +#include "hw/register.h"
 +#include "qemu/bitops.h"
 +#include "qemu/log.h"
 +#include "qom/object.h"
 +#include "migration/vmstate.h"
 +#include "hw/qdev-properties.h"
 +#include "hw/usb/hcd-dwc3.h"
 +#include "qapi/error.h"
 +
 +#ifndef USB_DWC3_ERR_DEBUG
 +#define USB_DWC3_ERR_DEBUG 0
 +#endif
 +
 +#define HOST_MODE           1
 +#define FIFO_LEN         0x1000
 +
 +REG32(GSBUSCFG0, 0x00)
 +    FIELD(GSBUSCFG0, DATRDREQINFO, 28, 4)
 +    FIELD(GSBUSCFG0, DESRDREQINFO, 24, 4)
 +    FIELD(GSBUSCFG0, DATWRREQINFO, 20, 4)
 +    FIELD(GSBUSCFG0, DESWRREQINFO, 16, 4)
 +    FIELD(GSBUSCFG0, RESERVED_15_12, 12, 4)
 +    FIELD(GSBUSCFG0, DATBIGEND, 11, 1)
 +    FIELD(GSBUSCFG0, DESBIGEND, 10, 1)
 +    FIELD(GSBUSCFG0, RESERVED_9_8, 8, 2)
 +    FIELD(GSBUSCFG0, INCR256BRSTENA, 7, 1)
 +    FIELD(GSBUSCFG0, INCR128BRSTENA, 6, 1)
 +    FIELD(GSBUSCFG0, INCR64BRSTENA, 5, 1)
 +    FIELD(GSBUSCFG0, INCR32BRSTENA, 4, 1)
 +    FIELD(GSBUSCFG0, INCR16BRSTENA, 3, 1)
 +    FIELD(GSBUSCFG0, INCR8BRSTENA, 2, 1)
 +    FIELD(GSBUSCFG0, INCR4BRSTENA, 1, 1)
 +    FIELD(GSBUSCFG0, INCRBRSTENA, 0, 1)
 +REG32(GSBUSCFG1, 0x04)
 +    FIELD(GSBUSCFG1, RESERVED_31_13, 13, 19)
 +    FIELD(GSBUSCFG1, EN1KPAGE, 12, 1)
 +    FIELD(GSBUSCFG1, PIPETRANSLIMIT, 8, 4)
 +    FIELD(GSBUSCFG1, RESERVED_7_0, 0, 8)
 +REG32(GTXTHRCFG, 0x08)
 +    FIELD(GTXTHRCFG, RESERVED_31, 31, 1)
 +    FIELD(GTXTHRCFG, RESERVED_30, 30, 1)
 +    FIELD(GTXTHRCFG, USBTXPKTCNTSEL, 29, 1)
 +    FIELD(GTXTHRCFG, RESERVED_28, 28, 1)
 +    FIELD(GTXTHRCFG, USBTXPKTCNT, 24, 4)
 +    FIELD(GTXTHRCFG, USBMAXTXBURSTSIZE, 16, 8)
 +    FIELD(GTXTHRCFG, RESERVED_15, 15, 1)
 +    FIELD(GTXTHRCFG, RESERVED_14, 14, 1)
 +    FIELD(GTXTHRCFG, RESERVED_13_11, 11, 3)
 +    FIELD(GTXTHRCFG, RESERVED_10_0, 0, 11)
 +REG32(GRXTHRCFG, 0x0c)
 +    FIELD(GRXTHRCFG, RESERVED_31_30, 30, 2)
 +    FIELD(GRXTHRCFG, USBRXPKTCNTSEL, 29, 1)
 +    FIELD(GRXTHRCFG, RESERVED_28, 28, 1)
 +    FIELD(GRXTHRCFG, USBRXPKTCNT, 24, 4)
 +    FIELD(GRXTHRCFG, USBMAXRXBURSTSIZE, 19, 5)
 +    FIELD(GRXTHRCFG, RESERVED_18_16, 16, 3)
 +    FIELD(GRXTHRCFG, RESERVED_15, 15, 1)
 +    FIELD(GRXTHRCFG, RESERVED_14_13, 13, 2)
 +    FIELD(GRXTHRCFG, RESVISOCOUTSPC, 0, 13)
 +REG32(GCTL, 0x10)
 +    FIELD(GCTL, PWRDNSCALE, 19, 13)
 +    FIELD(GCTL, MASTERFILTBYPASS, 18, 1)
 +    FIELD(GCTL, BYPSSETADDR, 17, 1)
 +    FIELD(GCTL, U2RSTECN, 16, 1)
 +    FIELD(GCTL, FRMSCLDWN, 14, 2)
 +    FIELD(GCTL, PRTCAPDIR, 12, 2)
 +    FIELD(GCTL, CORESOFTRESET, 11, 1)
 +    FIELD(GCTL, U1U2TIMERSCALE, 9, 1)
 +    FIELD(GCTL, DEBUGATTACH, 8, 1)
 +    FIELD(GCTL, RAMCLKSEL, 6, 2)
 +    FIELD(GCTL, SCALEDOWN, 4, 2)
 +    FIELD(GCTL, DISSCRAMBLE, 3, 1)
 +    FIELD(GCTL, U2EXIT_LFPS, 2, 1)
 +    FIELD(GCTL, GBLHIBERNATIONEN, 1, 1)
 +    FIELD(GCTL, DSBLCLKGTNG, 0, 1)
 +REG32(GPMSTS, 0x14)
 +REG32(GSTS, 0x18)
 +    FIELD(GSTS, CBELT, 20, 12)
 +    FIELD(GSTS, RESERVED_19_12, 12, 8)
 +    FIELD(GSTS, SSIC_IP, 11, 1)
 +    FIELD(GSTS, OTG_IP, 10, 1)
 +    FIELD(GSTS, BC_IP, 9, 1)
 +    FIELD(GSTS, ADP_IP, 8, 1)
 +    FIELD(GSTS, HOST_IP, 7, 1)
 +    FIELD(GSTS, DEVICE_IP, 6, 1)
 +    FIELD(GSTS, CSRTIMEOUT, 5, 1)
 +    FIELD(GSTS, BUSERRADDRVLD, 4, 1)
 +    FIELD(GSTS, RESERVED_3_2, 2, 2)
 +    FIELD(GSTS, CURMOD, 0, 2)
 +REG32(GUCTL1, 0x1c)
 +    FIELD(GUCTL1, RESUME_OPMODE_HS_HOST, 10, 1)
 +REG32(GSNPSID, 0x20)
 +REG32(GGPIO, 0x24)
 +    FIELD(GGPIO, GPO, 16, 16)
 +    FIELD(GGPIO, GPI, 0, 16)
 +REG32(GUID, 0x28)
 +REG32(GUCTL, 0x2c)
 +    FIELD(GUCTL, REFCLKPER, 22, 10)
 +    FIELD(GUCTL, NOEXTRDL, 21, 1)
 +    FIELD(GUCTL, RESERVED_20_18, 18, 3)
 +    FIELD(GUCTL, SPRSCTRLTRANSEN, 17, 1)
 +    FIELD(GUCTL, RESBWHSEPS, 16, 1)
 +    FIELD(GUCTL, RESERVED_15, 15, 1)
 +    FIELD(GUCTL, USBHSTINAUTORETRYEN, 14, 1)
 +    FIELD(GUCTL, ENOVERLAPCHK, 13, 1)
 +    FIELD(GUCTL, EXTCAPSUPPTEN, 12, 1)
 +    FIELD(GUCTL, INSRTEXTRFSBODI, 11, 1)
 +    FIELD(GUCTL, DTCT, 9, 2)
 +    FIELD(GUCTL, DTFT, 0, 9)
 +REG32(GBUSERRADDRLO, 0x30)
 +REG32(GBUSERRADDRHI, 0x34)
 +REG32(GHWPARAMS0, 0x40)
 +    FIELD(GHWPARAMS0, GHWPARAMS0_31_24, 24, 8)
 +    FIELD(GHWPARAMS0, GHWPARAMS0_23_16, 16, 8)
 +    FIELD(GHWPARAMS0, GHWPARAMS0_15_8, 8, 8)
 +    FIELD(GHWPARAMS0, GHWPARAMS0_7_6, 6, 2)
 +    FIELD(GHWPARAMS0, GHWPARAMS0_5_3, 3, 3)
 +    FIELD(GHWPARAMS0, GHWPARAMS0_2_0, 0, 3)
 +REG32(GHWPARAMS1, 0x44)
 +    FIELD(GHWPARAMS1, GHWPARAMS1_31, 31, 1)
 +    FIELD(GHWPARAMS1, GHWPARAMS1_30, 30, 1)
 +    FIELD(GHWPARAMS1, GHWPARAMS1_29, 29, 1)
 +    FIELD(GHWPARAMS1, GHWPARAMS1_28, 28, 1)
 +    FIELD(GHWPARAMS1, GHWPARAMS1_27, 27, 1)
 +    FIELD(GHWPARAMS1, GHWPARAMS1_26, 26, 1)
 +    FIELD(GHWPARAMS1, GHWPARAMS1_25_24, 24, 2)
 +    FIELD(GHWPARAMS1, GHWPARAMS1_23, 23, 1)
 +    FIELD(GHWPARAMS1, GHWPARAMS1_22_21, 21, 2)
 +    FIELD(GHWPARAMS1, GHWPARAMS1_20_15, 15, 6)
 +    FIELD(GHWPARAMS1, GHWPARAMS1_14_12, 12, 3)
 +    FIELD(GHWPARAMS1, GHWPARAMS1_11_9, 9, 3)
 +    FIELD(GHWPARAMS1, GHWPARAMS1_8_6, 6, 3)
 +    FIELD(GHWPARAMS1, GHWPARAMS1_5_3, 3, 3)
 +    FIELD(GHWPARAMS1, GHWPARAMS1_2_0, 0, 3)
 +REG32(GHWPARAMS2, 0x48)
 +REG32(GHWPARAMS3, 0x4c)
 +    FIELD(GHWPARAMS3, GHWPARAMS3_31, 31, 1)
 +    FIELD(GHWPARAMS3, GHWPARAMS3_30_23, 23, 8)
 +    FIELD(GHWPARAMS3, GHWPARAMS3_22_18, 18, 5)
 +    FIELD(GHWPARAMS3, GHWPARAMS3_17_12, 12, 6)
 +    FIELD(GHWPARAMS3, GHWPARAMS3_11, 11, 1)
 +    FIELD(GHWPARAMS3, GHWPARAMS3_10, 10, 1)
 +    FIELD(GHWPARAMS3, GHWPARAMS3_9_8, 8, 2)
 +    FIELD(GHWPARAMS3, GHWPARAMS3_7_6, 6, 2)
 +    FIELD(GHWPARAMS3, GHWPARAMS3_5_4, 4, 2)
 +    FIELD(GHWPARAMS3, GHWPARAMS3_3_2, 2, 2)
 +    FIELD(GHWPARAMS3, GHWPARAMS3_1_0, 0, 2)
 +REG32(GHWPARAMS4, 0x50)
 +    FIELD(GHWPARAMS4, GHWPARAMS4_31_28, 28, 4)
 +    FIELD(GHWPARAMS4, GHWPARAMS4_27_24, 24, 4)
 +    FIELD(GHWPARAMS4, GHWPARAMS4_23, 23, 1)
 +    FIELD(GHWPARAMS4, GHWPARAMS4_22, 22, 1)
 +    FIELD(GHWPARAMS4, GHWPARAMS4_21, 21, 1)
 +    FIELD(GHWPARAMS4, GHWPARAMS4_20_17, 17, 4)
 +    FIELD(GHWPARAMS4, GHWPARAMS4_16_13, 13, 4)
 +    FIELD(GHWPARAMS4, GHWPARAMS4_12, 12, 1)
 +    FIELD(GHWPARAMS4, GHWPARAMS4_11, 11, 1)
 +    FIELD(GHWPARAMS4, GHWPARAMS4_10_9, 9, 2)
 +    FIELD(GHWPARAMS4, GHWPARAMS4_8_7, 7, 2)
 +    FIELD(GHWPARAMS4, GHWPARAMS4_6, 6, 1)
 +    FIELD(GHWPARAMS4, GHWPARAMS4_5_0, 0, 6)
 +REG32(GHWPARAMS5, 0x54)
 +    FIELD(GHWPARAMS5, GHWPARAMS5_31_28, 28, 4)
 +    FIELD(GHWPARAMS5, GHWPARAMS5_27_22, 22, 6)
 +    FIELD(GHWPARAMS5, GHWPARAMS5_21_16, 16, 6)
 +    FIELD(GHWPARAMS5, GHWPARAMS5_15_10, 10, 6)
 +    FIELD(GHWPARAMS5, GHWPARAMS5_9_4, 4, 6)
 +    FIELD(GHWPARAMS5, GHWPARAMS5_3_0, 0, 4)
 +REG32(GHWPARAMS6, 0x58)
 +    FIELD(GHWPARAMS6, GHWPARAMS6_31_16, 16, 16)
 +    FIELD(GHWPARAMS6, BUSFLTRSSUPPORT, 15, 1)
 +    FIELD(GHWPARAMS6, BCSUPPORT, 14, 1)
 +    FIELD(GHWPARAMS6, OTG_SS_SUPPORT, 13, 1)
 +    FIELD(GHWPARAMS6, ADPSUPPORT, 12, 1)
 +    FIELD(GHWPARAMS6, HNPSUPPORT, 11, 1)
 +    FIELD(GHWPARAMS6, SRPSUPPORT, 10, 1)
 +    FIELD(GHWPARAMS6, GHWPARAMS6_9_8, 8, 2)
 +    FIELD(GHWPARAMS6, GHWPARAMS6_7, 7, 1)
 +    FIELD(GHWPARAMS6, GHWPARAMS6_6, 6, 1)
 +    FIELD(GHWPARAMS6, GHWPARAMS6_5_0, 0, 6)
 +REG32(GHWPARAMS7, 0x5c)
 +    FIELD(GHWPARAMS7, GHWPARAMS7_31_16, 16, 16)
 +    FIELD(GHWPARAMS7, GHWPARAMS7_15_0, 0, 16)
 +REG32(GDBGFIFOSPACE, 0x60)
 +    FIELD(GDBGFIFOSPACE, SPACE_AVAILABLE, 16, 16)
 +    FIELD(GDBGFIFOSPACE, RESERVED_15_9, 9, 7)
 +    FIELD(GDBGFIFOSPACE, FIFO_QUEUE_SELECT, 0, 9)
 +REG32(GUCTL2, 0x9c)
 +    FIELD(GUCTL2, RESERVED_31_26, 26, 6)
 +    FIELD(GUCTL2, EN_HP_PM_TIMER, 19, 7)
 +    FIELD(GUCTL2, NOLOWPWRDUR, 15, 4)
 +    FIELD(GUCTL2, RST_ACTBITLATER, 14, 1)
 +    FIELD(GUCTL2, RESERVED_13, 13, 1)
 +    FIELD(GUCTL2, DISABLECFC, 11, 1)
 +REG32(GUSB2PHYCFG, 0x100)
 +    FIELD(GUSB2PHYCFG, U2_FREECLK_EXISTS, 30, 1)
 +    FIELD(GUSB2PHYCFG, ULPI_LPM_WITH_OPMODE_CHK, 29, 1)
 +    FIELD(GUSB2PHYCFG, RESERVED_25, 25, 1)
 +    FIELD(GUSB2PHYCFG, LSTRD, 22, 3)
 +    FIELD(GUSB2PHYCFG, LSIPD, 19, 3)
 +    FIELD(GUSB2PHYCFG, ULPIEXTVBUSINDIACTOR, 18, 1)
 +    FIELD(GUSB2PHYCFG, ULPIEXTVBUSDRV, 17, 1)
 +    FIELD(GUSB2PHYCFG, RESERVED_16, 16, 1)
 +    FIELD(GUSB2PHYCFG, ULPIAUTORES, 15, 1)
 +    FIELD(GUSB2PHYCFG, RESERVED_14, 14, 1)
 +    FIELD(GUSB2PHYCFG, USBTRDTIM, 10, 4)
 +    FIELD(GUSB2PHYCFG, XCVRDLY, 9, 1)
 +    FIELD(GUSB2PHYCFG, ENBLSLPM, 8, 1)
 +    FIELD(GUSB2PHYCFG, PHYSEL, 7, 1)
 +    FIELD(GUSB2PHYCFG, SUSPENDUSB20, 6, 1)
 +    FIELD(GUSB2PHYCFG, FSINTF, 5, 1)
 +    FIELD(GUSB2PHYCFG, ULPI_UTMI_SEL, 4, 1)
 +    FIELD(GUSB2PHYCFG, PHYIF, 3, 1)
 +    FIELD(GUSB2PHYCFG, TOUTCAL, 0, 3)
 +REG32(GUSB2I2CCTL, 0x140)
 +REG32(GUSB2PHYACC_ULPI, 0x180)
 +    FIELD(GUSB2PHYACC_ULPI, RESERVED_31_27, 27, 5)
 +    FIELD(GUSB2PHYACC_ULPI, DISUIPIDRVR, 26, 1)
 +    FIELD(GUSB2PHYACC_ULPI, NEWREGREQ, 25, 1)
 +    FIELD(GUSB2PHYACC_ULPI, VSTSDONE, 24, 1)
 +    FIELD(GUSB2PHYACC_ULPI, VSTSBSY, 23, 1)
 +    FIELD(GUSB2PHYACC_ULPI, REGWR, 22, 1)
 +    FIELD(GUSB2PHYACC_ULPI, REGADDR, 16, 6)
 +    FIELD(GUSB2PHYACC_ULPI, EXTREGADDR, 8, 8)
 +    FIELD(GUSB2PHYACC_ULPI, REGDATA, 0, 8)
 +REG32(GTXFIFOSIZ0, 0x200)
 +    FIELD(GTXFIFOSIZ0, TXFSTADDR_N, 16, 16)
 +    FIELD(GTXFIFOSIZ0, TXFDEP_N, 0, 16)
 +REG32(GTXFIFOSIZ1, 0x204)
 +    FIELD(GTXFIFOSIZ1, TXFSTADDR_N, 16, 16)
 +    FIELD(GTXFIFOSIZ1, TXFDEP_N, 0, 16)
 +REG32(GTXFIFOSIZ2, 0x208)
 +    FIELD(GTXFIFOSIZ2, TXFSTADDR_N, 16, 16)
 +    FIELD(GTXFIFOSIZ2, TXFDEP_N, 0, 16)
 +REG32(GTXFIFOSIZ3, 0x20c)
 +    FIELD(GTXFIFOSIZ3, TXFSTADDR_N, 16, 16)
 +    FIELD(GTXFIFOSIZ3, TXFDEP_N, 0, 16)
 +REG32(GTXFIFOSIZ4, 0x210)
 +    FIELD(GTXFIFOSIZ4, TXFSTADDR_N, 16, 16)
 +    FIELD(GTXFIFOSIZ4, TXFDEP_N, 0, 16)
 +REG32(GTXFIFOSIZ5, 0x214)
 +    FIELD(GTXFIFOSIZ5, TXFSTADDR_N, 16, 16)
 +    FIELD(GTXFIFOSIZ5, TXFDEP_N, 0, 16)
 +REG32(GRXFIFOSIZ0, 0x280)
 +    FIELD(GRXFIFOSIZ0, RXFSTADDR_N, 16, 16)
 +    FIELD(GRXFIFOSIZ0, RXFDEP_N, 0, 16)
 +REG32(GRXFIFOSIZ1, 0x284)
 +    FIELD(GRXFIFOSIZ1, RXFSTADDR_N, 16, 16)
 +    FIELD(GRXFIFOSIZ1, RXFDEP_N, 0, 16)
 +REG32(GRXFIFOSIZ2, 0x288)
 +    FIELD(GRXFIFOSIZ2, RXFSTADDR_N, 16, 16)
 +    FIELD(GRXFIFOSIZ2, RXFDEP_N, 0, 16)
 +REG32(GEVNTADRLO_0, 0x300)
 +REG32(GEVNTADRHI_0, 0x304)
 +REG32(GEVNTSIZ_0, 0x308)
 +    FIELD(GEVNTSIZ_0, EVNTINTRPTMASK, 31, 1)
 +    FIELD(GEVNTSIZ_0, RESERVED_30_16, 16, 15)
 +    FIELD(GEVNTSIZ_0, EVENTSIZ, 0, 16)
 +REG32(GEVNTCOUNT_0, 0x30c)
 +    FIELD(GEVNTCOUNT_0, EVNT_HANDLER_BUSY, 31, 1)
 +    FIELD(GEVNTCOUNT_0, RESERVED_30_16, 16, 15)
 +    FIELD(GEVNTCOUNT_0, EVNTCOUNT, 0, 16)
 +REG32(GEVNTADRLO_1, 0x310)
 +REG32(GEVNTADRHI_1, 0x314)
 +REG32(GEVNTSIZ_1, 0x318)
 +    FIELD(GEVNTSIZ_1, EVNTINTRPTMASK, 31, 1)
 +    FIELD(GEVNTSIZ_1, RESERVED_30_16, 16, 15)
 +    FIELD(GEVNTSIZ_1, EVENTSIZ, 0, 16)
 +REG32(GEVNTCOUNT_1, 0x31c)
 +    FIELD(GEVNTCOUNT_1, EVNT_HANDLER_BUSY, 31, 1)
 +    FIELD(GEVNTCOUNT_1, RESERVED_30_16, 16, 15)
 +    FIELD(GEVNTCOUNT_1, EVNTCOUNT, 0, 16)
 +REG32(GEVNTADRLO_2, 0x320)
 +REG32(GEVNTADRHI_2, 0x324)
 +REG32(GEVNTSIZ_2, 0x328)
 +    FIELD(GEVNTSIZ_2, EVNTINTRPTMASK, 31, 1)
 +    FIELD(GEVNTSIZ_2, RESERVED_30_16, 16, 15)
 +    FIELD(GEVNTSIZ_2, EVENTSIZ, 0, 16)
 +REG32(GEVNTCOUNT_2, 0x32c)
 +    FIELD(GEVNTCOUNT_2, EVNT_HANDLER_BUSY, 31, 1)
 +    FIELD(GEVNTCOUNT_2, RESERVED_30_16, 16, 15)
 +    FIELD(GEVNTCOUNT_2, EVNTCOUNT, 0, 16)
 +REG32(GEVNTADRLO_3, 0x330)
 +REG32(GEVNTADRHI_3, 0x334)
 +REG32(GEVNTSIZ_3, 0x338)
 +    FIELD(GEVNTSIZ_3, EVNTINTRPTMASK, 31, 1)
 +    FIELD(GEVNTSIZ_3, RESERVED_30_16, 16, 15)
 +    FIELD(GEVNTSIZ_3, EVENTSIZ, 0, 16)
 +REG32(GEVNTCOUNT_3, 0x33c)
 +    FIELD(GEVNTCOUNT_3, EVNT_HANDLER_BUSY, 31, 1)
 +    FIELD(GEVNTCOUNT_3, RESERVED_30_16, 16, 15)
 +    FIELD(GEVNTCOUNT_3, EVNTCOUNT, 0, 16)
 +REG32(GHWPARAMS8, 0x500)
 +REG32(GTXFIFOPRIDEV, 0x510)
 +    FIELD(GTXFIFOPRIDEV, RESERVED_31_N, 6, 26)
 +    FIELD(GTXFIFOPRIDEV, GTXFIFOPRIDEV, 0, 6)
 +REG32(GTXFIFOPRIHST, 0x518)
 +    FIELD(GTXFIFOPRIHST, RESERVED_31_16, 3, 29)
 +    FIELD(GTXFIFOPRIHST, GTXFIFOPRIHST, 0, 3)
 +REG32(GRXFIFOPRIHST, 0x51c)
 +    FIELD(GRXFIFOPRIHST, RESERVED_31_16, 3, 29)
 +    FIELD(GRXFIFOPRIHST, GRXFIFOPRIHST, 0, 3)
 +REG32(GDMAHLRATIO, 0x524)
 +    FIELD(GDMAHLRATIO, RESERVED_31_13, 13, 19)
 +    FIELD(GDMAHLRATIO, HSTRXFIFO, 8, 5)
 +    FIELD(GDMAHLRATIO, RESERVED_7_5, 5, 3)
 +    FIELD(GDMAHLRATIO, HSTTXFIFO, 0, 5)
 +REG32(GFLADJ, 0x530)
 +    FIELD(GFLADJ, GFLADJ_REFCLK_240MHZDECR_PLS1, 31, 1)
 +    FIELD(GFLADJ, GFLADJ_REFCLK_240MHZ_DECR, 24, 7)
 +    FIELD(GFLADJ, GFLADJ_REFCLK_LPM_SEL, 23, 1)
 +    FIELD(GFLADJ, RESERVED_22, 22, 1)
 +    FIELD(GFLADJ, GFLADJ_REFCLK_FLADJ, 8, 14)
 +    FIELD(GFLADJ, GFLADJ_30MHZ_SDBND_SEL, 7, 1)
 +    FIELD(GFLADJ, GFLADJ_30MHZ, 0, 6)
 +
 +#define DWC3_GLOBAL_OFFSET 0xC100
 +static void reset_csr(USBDWC3 * s)
 +{
 +    int i = 0;
 +    /*
 +     * We reset all CSR regs except GCTL, GUCTL, GSTS, GSNPSID, GGPIO, GUID,
 +     * GUSB2PHYCFGn registers and GUSB3PIPECTLn registers. We will skip PHY
 +     * register as we don't implement them.
 +     */
 +    for (i = 0; i < USB_DWC3_R_MAX; i++) {
 +        switch (i) {
 +        case R_GCTL:
 +            break;
 +        case R_GSTS:
 +            break;
 +        case R_GSNPSID:
 +            break;
 +        case R_GGPIO:
 +            break;
 +        case R_GUID:
 +            break;
 +        case R_GUCTL:
 +            break;
 +        case R_GHWPARAMS0...R_GHWPARAMS7:
 +            break;
 +        case R_GHWPARAMS8:
 +            break;
 +        default:
 +            register_reset(&s->regs_info[i]);
 +            break;
 +        }
 +    }
 +
-+    xhci_sysbus_reset(DEVICE(&s->sysbus_xhci));
++    qtest_irq_intercept_out_named(qts, "/machine/nrf51/gpio", "detect");
 +
 +    for (i = 1; i <= 7; i++) {
 +        /* Set pin high */
 +        qtest_set_irq_in(qts, "/machine/nrf51", "unnamed-gpio-in", i, 1);
 +        uint32_t actual = qtest_readl(qts, NRF51_GPIO_BASE + NRF51_GPIO_REG_IN);
 +        g_assert_cmpuint(actual, ==, 1 << i);
 +
 +        /* Check that DETECT is high */
 +        g_assert_true(qtest_get_irq(qts, 0));
 +
 +        /* Set pin low, check that DETECT goes low. */
 +        qtest_set_irq_in(qts, "/machine/nrf51", "unnamed-gpio-in", i, 0);
 +        actual = qtest_readl(qts, NRF51_GPIO_BASE + NRF51_GPIO_REG_IN);
 +        g_assert_cmpuint(actual, ==, 0x0);
 +        g_assert_false(qtest_get_irq(qts, 0));
 +    }
 +
 +    /* Set pin 0 high, check that DETECT doesn't fire */
 +    qtest_set_irq_in(qts, "/machine/nrf51", "unnamed-gpio-in", 0, 1);
 +    g_assert_false(qtest_get_irq(qts, 0));
 +    qtest_set_irq_in(qts, "/machine/nrf51", "unnamed-gpio-in", 0, 0);
 +
 +    /* Set pins 1, 2, and 3 high, then set 3 low. Check DETECT is still high */
 +    for (i = 1; i <= 3; i++) {
 +        qtest_set_irq_in(qts, "/machine/nrf51", "unnamed-gpio-in", i, 1);
 +    }
 +    g_assert_true(qtest_get_irq(qts, 0));
 +    qtest_set_irq_in(qts, "/machine/nrf51", "unnamed-gpio-in", 3, 0);
 +    g_assert_true(qtest_get_irq(qts, 0));
 +}
 +
-+static void usb_dwc3_gctl_postw(RegisterInfo *reg, uint64_t val64)
+ static void timer_task(QTestState *qts, hwaddr task)
-+{
+ {
-+    USBDWC3 *s = USB_DWC3(reg->opaque);
+     qtest_writel(qts, NRF51_TIMER_BASE + task, NRF51_TRIGGER_TASK);
-+
+@@ -XXX,XX +XXX,XX @@ int main(int argc, char **argv)
-+    if (ARRAY_FIELD_EX32(s->regs, GCTL, CORESOFTRESET)) {
-+        reset_csr(s);
+     qtest_add_func("/microbit/nrf51/uart", test_nrf51_uart);
-+    }
+     qtest_add_func("/microbit/nrf51/gpio", test_nrf51_gpio);
-+}
++    qtest_add_func("/microbit/nrf51/gpio_detect", test_nrf51_gpio_detect);
-+
+     qtest_add_func("/microbit/nrf51/nvmc", test_nrf51_nvmc);
-+static void usb_dwc3_guid_postw(RegisterInfo *reg, uint64_t val64)
+     qtest_add_func("/microbit/nrf51/timer", test_nrf51_timer);
-+{
+     qtest_add_func("/microbit/microbit/i2c", test_microbit_i2c);
 +    USBDWC3 *s = USB_DWC3(reg->opaque);
 +
 +    s->regs[R_GUID] = s->cfg.dwc_usb3_user;
 +}
 +
 +static const RegisterAccessInfo usb_dwc3_regs_info[] = {
 +    {   .name = "GSBUSCFG0",  .addr = A_GSBUSCFG0,
 +        .ro = 0xf300,
 +        .unimp = 0xffffffff,
 +    },{ .name = "GSBUSCFG1",  .addr = A_GSBUSCFG1,
 +        .reset = 0x300,
 +        .ro = 0xffffe0ff,
 +        .unimp = 0xffffffff,
 +    },{ .name = "GTXTHRCFG",  .addr = A_GTXTHRCFG,
 +        .ro = 0xd000ffff,
 +        .unimp = 0xffffffff,
 +    },{ .name = "GRXTHRCFG",  .addr = A_GRXTHRCFG,
 +        .ro = 0xd007e000,
 +        .unimp = 0xffffffff,
 +    },{ .name = "GCTL",  .addr = A_GCTL,
 +        .reset = 0x30c13004, .post_write = usb_dwc3_gctl_postw,
 +    },{ .name = "GPMSTS",  .addr = A_GPMSTS,
 +        .ro = 0xfffffff,
 +        .unimp = 0xffffffff,
 +    },{ .name = "GSTS",  .addr = A_GSTS,
 +        .reset = 0x7e800000,
 +        .ro = 0xffffffcf,
 +        .w1c = 0x30,
 +        .unimp = 0xffffffff,
 +    },{ .name = "GUCTL1",  .addr = A_GUCTL1,
 +        .reset = 0x198a,
 +        .ro = 0x7800,
 +        .unimp = 0xffffffff,
 +    },{ .name = "GSNPSID",  .addr = A_GSNPSID,
 +        .reset = 0x5533330a,
 +        .ro = 0xffffffff,
 +    },{ .name = "GGPIO",  .addr = A_GGPIO,
 +        .ro = 0xffff,
 +        .unimp = 0xffffffff,
 +    },{ .name = "GUID",  .addr = A_GUID,
 +        .reset = 0x12345678, .post_write = usb_dwc3_guid_postw,
 +    },{ .name = "GUCTL",  .addr = A_GUCTL,
 +        .reset = 0x0c808010,
 +        .ro = 0x1c8000,
 +        .unimp = 0xffffffff,
 +    },{ .name = "GBUSERRADDRLO",  .addr = A_GBUSERRADDRLO,
 +        .ro = 0xffffffff,
 +    },{ .name = "GBUSERRADDRHI",  .addr = A_GBUSERRADDRHI,
 +        .ro = 0xffffffff,
 +    },{ .name = "GHWPARAMS0",  .addr = A_GHWPARAMS0,
 +        .ro = 0xffffffff,
 +    },{ .name = "GHWPARAMS1",  .addr = A_GHWPARAMS1,
 +        .ro = 0xffffffff,
 +    },{ .name = "GHWPARAMS2",  .addr = A_GHWPARAMS2,
 +        .ro = 0xffffffff,
 +    },{ .name = "GHWPARAMS3",  .addr = A_GHWPARAMS3,
 +        .ro = 0xffffffff,
 +    },{ .name = "GHWPARAMS4",  .addr = A_GHWPARAMS4,
 +        .ro = 0xffffffff,
 +    },{ .name = "GHWPARAMS5",  .addr = A_GHWPARAMS5,
 +        .ro = 0xffffffff,
 +    },{ .name = "GHWPARAMS6",  .addr = A_GHWPARAMS6,
 +        .ro = 0xffffffff,
 +    },{ .name = "GHWPARAMS7",  .addr = A_GHWPARAMS7,
 +        .ro = 0xffffffff,
 +    },{ .name = "GDBGFIFOSPACE",  .addr = A_GDBGFIFOSPACE,
 +        .reset = 0xa0000,
 +        .ro = 0xfffffe00,
 +        .unimp = 0xffffffff,
 +    },{ .name = "GUCTL2",  .addr = A_GUCTL2,
 +        .reset = 0x40d,
 +        .ro = 0x2000,
 +        .unimp = 0xffffffff,
 +    },{ .name = "GUSB2PHYCFG",  .addr = A_GUSB2PHYCFG,
 +        .reset = 0x40102410,
 +        .ro = 0x1e014030,
 +        .unimp = 0xffffffff,
 +    },{ .name = "GUSB2I2CCTL",  .addr = A_GUSB2I2CCTL,
 +        .ro = 0xffffffff,
 +        .unimp = 0xffffffff,
 +    },{ .name = "GUSB2PHYACC_ULPI",  .addr = A_GUSB2PHYACC_ULPI,
 +        .ro = 0xfd000000,
 +        .unimp = 0xffffffff,
 +    },{ .name = "GTXFIFOSIZ0",  .addr = A_GTXFIFOSIZ0,
 +        .reset = 0x2c7000a,
 +        .unimp = 0xffffffff,
 +    },{ .name = "GTXFIFOSIZ1",  .addr = A_GTXFIFOSIZ1,
 +        .reset = 0x2d10103,
 +        .unimp = 0xffffffff,
 +    },{ .name = "GTXFIFOSIZ2",  .addr = A_GTXFIFOSIZ2,
 +        .reset = 0x3d40103,
 +        .unimp = 0xffffffff,
 +    },{ .name = "GTXFIFOSIZ3",  .addr = A_GTXFIFOSIZ3,
 +        .reset = 0x4d70083,
 +        .unimp = 0xffffffff,
 +    },{ .name = "GTXFIFOSIZ4",  .addr = A_GTXFIFOSIZ4,
 +        .reset = 0x55a0083,
 +        .unimp = 0xffffffff,
 +    },{ .name = "GTXFIFOSIZ5",  .addr = A_GTXFIFOSIZ5,
 +        .reset = 0x5dd0083,
 +        .unimp = 0xffffffff,
 +    },{ .name = "GRXFIFOSIZ0",  .addr = A_GRXFIFOSIZ0,
 +        .reset = 0x1c20105,
 +        .unimp = 0xffffffff,
 +    },{ .name = "GRXFIFOSIZ1",  .addr = A_GRXFIFOSIZ1,
 +        .reset = 0x2c70000,
 +        .unimp = 0xffffffff,
 +    },{ .name = "GRXFIFOSIZ2",  .addr = A_GRXFIFOSIZ2,
 +        .reset = 0x2c70000,
 +        .unimp = 0xffffffff,
 +    },{ .name = "GEVNTADRLO_0",  .addr = A_GEVNTADRLO_0,
 +        .unimp = 0xffffffff,
 +    },{ .name = "GEVNTADRHI_0",  .addr = A_GEVNTADRHI_0,
 +        .unimp = 0xffffffff,
 +    },{ .name = "GEVNTSIZ_0",  .addr = A_GEVNTSIZ_0,
 +        .ro = 0x7fff0000,
 +        .unimp = 0xffffffff,
 +    },{ .name = "GEVNTCOUNT_0",  .addr = A_GEVNTCOUNT_0,
 +        .ro = 0x7fff0000,
 +        .unimp = 0xffffffff,
 +    },{ .name = "GEVNTADRLO_1",  .addr = A_GEVNTADRLO_1,
 +        .unimp = 0xffffffff,
 +    },{ .name = "GEVNTADRHI_1",  .addr = A_GEVNTADRHI_1,
 +        .unimp = 0xffffffff,
 +    },{ .name = "GEVNTSIZ_1",  .addr = A_GEVNTSIZ_1,
 +        .ro = 0x7fff0000,
 +        .unimp = 0xffffffff,
 +    },{ .name = "GEVNTCOUNT_1",  .addr = A_GEVNTCOUNT_1,
 +        .ro = 0x7fff0000,
 +        .unimp = 0xffffffff,
 +    },{ .name = "GEVNTADRLO_2",  .addr = A_GEVNTADRLO_2,
 +        .unimp = 0xffffffff,
 +    },{ .name = "GEVNTADRHI_2",  .addr = A_GEVNTADRHI_2,
 +        .unimp = 0xffffffff,
 +    },{ .name = "GEVNTSIZ_2",  .addr = A_GEVNTSIZ_2,
 +        .ro = 0x7fff0000,
 +        .unimp = 0xffffffff,
 +    },{ .name = "GEVNTCOUNT_2",  .addr = A_GEVNTCOUNT_2,
 +        .ro = 0x7fff0000,
 +        .unimp = 0xffffffff,
 +    },{ .name = "GEVNTADRLO_3",  .addr = A_GEVNTADRLO_3,
 +        .unimp = 0xffffffff,
 +    },{ .name = "GEVNTADRHI_3",  .addr = A_GEVNTADRHI_3,
 +        .unimp = 0xffffffff,
 +    },{ .name = "GEVNTSIZ_3",  .addr = A_GEVNTSIZ_3,
 +        .ro = 0x7fff0000,
 +        .unimp = 0xffffffff,
 +    },{ .name = "GEVNTCOUNT_3",  .addr = A_GEVNTCOUNT_3,
 +        .ro = 0x7fff0000,
 +        .unimp = 0xffffffff,
 +    },{ .name = "GHWPARAMS8",  .addr = A_GHWPARAMS8,
 +        .ro = 0xffffffff,
 +    },{ .name = "GTXFIFOPRIDEV",  .addr = A_GTXFIFOPRIDEV,
 +        .ro = 0xffffffc0,
 +        .unimp = 0xffffffff,
 +    },{ .name = "GTXFIFOPRIHST",  .addr = A_GTXFIFOPRIHST,
 +        .ro = 0xfffffff8,
 +        .unimp = 0xffffffff,
 +    },{ .name = "GRXFIFOPRIHST",  .addr = A_GRXFIFOPRIHST,
 +        .ro = 0xfffffff8,
 +        .unimp = 0xffffffff,
 +    },{ .name = "GDMAHLRATIO",  .addr = A_GDMAHLRATIO,
 +        .ro = 0xffffe0e0,
 +        .unimp = 0xffffffff,
 +    },{ .name = "GFLADJ",  .addr = A_GFLADJ,
 +        .reset = 0xc83f020,
 +        .rsvd = 0x40,
 +        .ro = 0x400040,
 +        .unimp = 0xffffffff,
 +    }
 +};
 +
 +static void usb_dwc3_reset(DeviceState *dev)
 +{
 +    USBDWC3 *s = USB_DWC3(dev);
 +    unsigned int i;
 +
 +    for (i = 0; i < ARRAY_SIZE(s->regs_info); ++i) {
 +        switch (i) {
 +        case R_GHWPARAMS0...R_GHWPARAMS7:
 +            break;
 +        case R_GHWPARAMS8:
 +            break;
 +        default:
 +            register_reset(&s->regs_info[i]);
 +        };
 +    }
 +
 +    xhci_sysbus_reset(DEVICE(&s->sysbus_xhci));
 +}
 +
 +static const MemoryRegionOps usb_dwc3_ops = {
 +    .read = register_read_memory,
 +    .write = register_write_memory,
 +    .endianness = DEVICE_LITTLE_ENDIAN,
 +    .valid = {
 +        .min_access_size = 4,
 +        .max_access_size = 4,
 +    },
 +};
 +
 +static void usb_dwc3_realize(DeviceState *dev, Error **errp)
 +{
 +    USBDWC3 *s = USB_DWC3(dev);
 +    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
 +    Error *err = NULL;
 +
 +    sysbus_realize(SYS_BUS_DEVICE(&s->sysbus_xhci), &err);
 +    if (err) {
 +        error_propagate(errp, err);
 +        return;
 +    }
 +
 +    memory_region_add_subregion(&s->iomem, 0,
 +         sysbus_mmio_get_region(SYS_BUS_DEVICE(&s->sysbus_xhci), 0));
 +    sysbus_init_mmio(sbd, &s->iomem);
 +
 +    /*
 +     * Device Configuration
 +     */
 +    s->regs[R_GHWPARAMS0] = 0x40204048 | s->cfg.mode;
 +    s->regs[R_GHWPARAMS1] = 0x222493b;
 +    s->regs[R_GHWPARAMS2] = 0x12345678;
 +    s->regs[R_GHWPARAMS3] = 0x618c088;
 +    s->regs[R_GHWPARAMS4] = 0x47822004;
 +    s->regs[R_GHWPARAMS5] = 0x4202088;
 +    s->regs[R_GHWPARAMS6] = 0x7850c20;
 +    s->regs[R_GHWPARAMS7] = 0x0;
 +    s->regs[R_GHWPARAMS8] = 0x478;
 +}
 +
 +static void usb_dwc3_init(Object *obj)
 +{
 +    USBDWC3 *s = USB_DWC3(obj);
 +    RegisterInfoArray *reg_array;
 +
 +    memory_region_init(&s->iomem, obj, TYPE_USB_DWC3, DWC3_SIZE);
 +    reg_array =
 +        register_init_block32(DEVICE(obj), usb_dwc3_regs_info,
 +                              ARRAY_SIZE(usb_dwc3_regs_info),
 +                              s->regs_info, s->regs,
 +                              &usb_dwc3_ops,
 +                              USB_DWC3_ERR_DEBUG,
 +                              USB_DWC3_R_MAX * 4);
 +    memory_region_add_subregion(&s->iomem,
 +                                DWC3_GLOBAL_OFFSET,
 +                                &reg_array->mem);
 +    object_initialize_child(obj, "dwc3-xhci", &s->sysbus_xhci,
 +                            TYPE_XHCI_SYSBUS);
 +    qdev_alias_all_properties(DEVICE(&s->sysbus_xhci), obj);
 +
 +    s->cfg.mode = HOST_MODE;
 +}
 +
 +static const VMStateDescription vmstate_usb_dwc3 = {
 +    .name = "usb-dwc3",
 +    .version_id = 1,
 +    .fields = (VMStateField[]) {
 +        VMSTATE_UINT32_ARRAY(regs, USBDWC3, USB_DWC3_R_MAX),
 +        VMSTATE_UINT8(cfg.mode, USBDWC3),
 +        VMSTATE_UINT32(cfg.dwc_usb3_user, USBDWC3),
 +        VMSTATE_END_OF_LIST()
 +    }
 +};
 +
 +static Property usb_dwc3_properties[] = {
 +    DEFINE_PROP_UINT32("DWC_USB3_USERID", USBDWC3, cfg.dwc_usb3_user,
 +                       0x12345678),
 +    DEFINE_PROP_END_OF_LIST(),
 +};
 +
 +static void usb_dwc3_class_init(ObjectClass *klass, void *data)
 +{
 +    DeviceClass *dc = DEVICE_CLASS(klass);
 +
 +    dc->reset = usb_dwc3_reset;
 +    dc->realize = usb_dwc3_realize;
 +    dc->vmsd = &vmstate_usb_dwc3;
 +    device_class_set_props(dc, usb_dwc3_properties);
 +}
 +
 +static const TypeInfo usb_dwc3_info = {
 +    .name          = TYPE_USB_DWC3,
 +    .parent        = TYPE_SYS_BUS_DEVICE,
 +    .instance_size = sizeof(USBDWC3),
 +    .class_init    = usb_dwc3_class_init,
 +    .instance_init = usb_dwc3_init,
 +};
 +
 +static void usb_dwc3_register_types(void)
 +{
 +    type_register_static(&usb_dwc3_info);
 +}
 +
 +type_init(usb_dwc3_register_types)
 diff --git a/hw/usb/Kconfig b/hw/usb/Kconfig
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/usb/Kconfig
 +++ b/hw/usb/Kconfig
@@ -XXX,XX +XXX,XX @@ config IMX_USBPHY
      bool
      default y
      depends on USB
 +
 +config USB_DWC3
 +    bool
 +    select USB_XHCI_SYSBUS
 +    select REGISTER
 diff --git a/hw/usb/meson.build b/hw/usb/meson.build
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/usb/meson.build
 +++ b/hw/usb/meson.build
@@ -XXX,XX +XXX,XX @@ softmmu_ss.add(when: 'CONFIG_USB_XHCI_SYSBUS', if_true: files('hcd-xhci-sysbus.c
  softmmu_ss.add(when: 'CONFIG_USB_XHCI_NEC', if_true: files('hcd-xhci-nec.c'))
  softmmu_ss.add(when: 'CONFIG_USB_MUSB', if_true: files('hcd-musb.c'))
  softmmu_ss.add(when: 'CONFIG_USB_DWC2', if_true: files('hcd-dwc2.c'))
 +softmmu_ss.add(when: 'CONFIG_USB_DWC3', if_true: files('hcd-dwc3.c'))
  softmmu_ss.add(when: 'CONFIG_TUSB6010', if_true: files('tusb6010.c'))
  softmmu_ss.add(when: 'CONFIG_IMX', if_true: files('chipidea.c'))
 --
-.20.1
+.34.1

-New patch
+[PULL 07/35] kvm: Introduce kvm_arch_get_default_type hook
+From: Akihiko Odaki <akihiko.odaki@daynix.com>
 kvm_arch_get_default_type() returns the default KVM type. This hook is
 particularly useful to derive a KVM type that is valid for "none"
 machine model, which is used by libvirt to probe the availability of
 KVM.
 For MIPS, the existing mips_kvm_type() is reused. This function ensures
 the availability of VZ which is mandatory to use KVM on the current
 QEMU.
 Cc: qemu-stable@nongnu.org
 Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
 Message-id: 20230727073134.134102-2-akihiko.odaki@daynix.com
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 [PMM: added doc comment for new function]
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 ---
  include/sysemu/kvm.h     | 2 ++
  target/mips/kvm_mips.h   | 9 ---------
  accel/kvm/kvm-all.c      | 4 +++-
  hw/mips/loongson3_virt.c | 2 --
  target/arm/kvm.c         | 5 +++++
  target/i386/kvm/kvm.c    | 5 +++++
  target/mips/kvm.c        | 2 +-
  target/ppc/kvm.c         | 5 +++++
  target/riscv/kvm.c       | 5 +++++
  target/s390x/kvm/kvm.c   | 5 +++++
 files changed, 31 insertions(+), 13 deletions(-)
 diff --git a/include/sysemu/kvm.h b/include/sysemu/kvm.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/sysemu/kvm.h
 +++ b/include/sysemu/kvm.h
@@ -XXX,XX +XXX,XX @@ int kvm_arch_get_registers(CPUState *cpu);
  int kvm_arch_put_registers(CPUState *cpu, int level);
 +int kvm_arch_get_default_type(MachineState *ms);
 +
  int kvm_arch_init(MachineState *ms, KVMState *s);
  int kvm_arch_init_vcpu(CPUState *cpu);
 diff --git a/target/mips/kvm_mips.h b/target/mips/kvm_mips.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/mips/kvm_mips.h
 +++ b/target/mips/kvm_mips.h
@@ -XXX,XX +XXX,XX @@ void kvm_mips_reset_vcpu(MIPSCPU *cpu);
  int kvm_mips_set_interrupt(MIPSCPU *cpu, int irq, int level);
  int kvm_mips_set_ipi_interrupt(MIPSCPU *cpu, int irq, int level);
 -#ifdef CONFIG_KVM
 -int mips_kvm_type(MachineState *machine, const char *vm_type);
 -#else
 -static inline int mips_kvm_type(MachineState *machine, const char *vm_type)
 -{
 -    return 0;
 -}
 -#endif
 -
  #endif /* KVM_MIPS_H */
 diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/kvm/kvm-all.c
 +++ b/accel/kvm/kvm-all.c
@@ -XXX,XX +XXX,XX @@ static int kvm_init(MachineState *ms)
      KVMState *s;
      const KVMCapabilityInfo *missing_cap;
      int ret;
 -    int type = 0;
 +    int type;
      uint64_t dirty_log_manual_caps;
      qemu_mutex_init(&kml_slots_lock);
@@ -XXX,XX +XXX,XX @@ static int kvm_init(MachineState *ms)
          type = mc->kvm_type(ms, kvm_type);
      } else if (mc->kvm_type) {
          type = mc->kvm_type(ms, NULL);
 +    } else {
 +        type = kvm_arch_get_default_type(ms);
      }
      do {
 diff --git a/hw/mips/loongson3_virt.c b/hw/mips/loongson3_virt.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/mips/loongson3_virt.c
 +++ b/hw/mips/loongson3_virt.c
@@ -XXX,XX +XXX,XX @@
  #include "qemu/datadir.h"
  #include "qapi/error.h"
  #include "elf.h"
 -#include "kvm_mips.h"
  #include "hw/char/serial.h"
  #include "hw/intc/loongson_liointc.h"
  #include "hw/mips/mips.h"
@@ -XXX,XX +XXX,XX @@ static void loongson3v_machine_class_init(ObjectClass *oc, void *data)
      mc->max_cpus = LOONGSON_MAX_VCPUS;
      mc->default_ram_id = "loongson3.highram";
      mc->default_ram_size = 1600 * MiB;
 -    mc->kvm_type = mips_kvm_type;
      mc->minimum_page_bits = 14;
      mc->default_nic = "virtio-net-pci";
  }
 diff --git a/target/arm/kvm.c b/target/arm/kvm.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/kvm.c
 +++ b/target/arm/kvm.c
@@ -XXX,XX +XXX,XX @@ int kvm_arm_get_max_vm_ipa_size(MachineState *ms, bool *fixed_ipa)
      return ret > 0 ? ret : 40;
  }
 +int kvm_arch_get_default_type(MachineState *ms)
 +{
 +    return 0;
 +}
 +
  int kvm_arch_init(MachineState *ms, KVMState *s)
  {
      int ret = 0;
 diff --git a/target/i386/kvm/kvm.c b/target/i386/kvm/kvm.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/i386/kvm/kvm.c
 +++ b/target/i386/kvm/kvm.c
@@ -XXX,XX +XXX,XX @@ static void register_smram_listener(Notifier *n, void *unused)
                                   &smram_address_space, 1, "kvm-smram");
  }
 +int kvm_arch_get_default_type(MachineState *ms)
 +{
 +    return 0;
 +}
 +
  int kvm_arch_init(MachineState *ms, KVMState *s)
  {
      uint64_t identity_base = 0xfffbc000;
 diff --git a/target/mips/kvm.c b/target/mips/kvm.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/mips/kvm.c
 +++ b/target/mips/kvm.c
@@ -XXX,XX +XXX,XX @@ int kvm_arch_msi_data_to_gsi(uint32_t data)
      abort();
  }
 -int mips_kvm_type(MachineState *machine, const char *vm_type)
 +int kvm_arch_get_default_type(MachineState *machine)
  {
  #if defined(KVM_CAP_MIPS_VZ)
      int r;
 diff --git a/target/ppc/kvm.c b/target/ppc/kvm.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/ppc/kvm.c
 +++ b/target/ppc/kvm.c
@@ -XXX,XX +XXX,XX @@ static int kvm_ppc_register_host_cpu_type(void);
  static void kvmppc_get_cpu_characteristics(KVMState *s);
  static int kvmppc_get_dec_bits(void);
 +int kvm_arch_get_default_type(MachineState *ms)
 +{
 +    return 0;
 +}
 +
  int kvm_arch_init(MachineState *ms, KVMState *s)
  {
      cap_interrupt_unset = kvm_check_extension(s, KVM_CAP_PPC_UNSET_IRQ);
 diff --git a/target/riscv/kvm.c b/target/riscv/kvm.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/riscv/kvm.c
 +++ b/target/riscv/kvm.c
@@ -XXX,XX +XXX,XX @@ int kvm_arch_add_msi_route_post(struct kvm_irq_routing_entry *route,
      return 0;
  }
 +int kvm_arch_get_default_type(MachineState *ms)
 +{
 +    return 0;
 +}
 +
  int kvm_arch_init(MachineState *ms, KVMState *s)
  {
      return 0;
 diff --git a/target/s390x/kvm/kvm.c b/target/s390x/kvm/kvm.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/s390x/kvm/kvm.c
 +++ b/target/s390x/kvm/kvm.c
@@ -XXX,XX +XXX,XX @@ static void ccw_machine_class_foreach(ObjectClass *oc, void *opaque)
      mc->default_cpu_type = S390_CPU_TYPE_NAME("host");
  }
 +int kvm_arch_get_default_type(MachineState *ms)
 +{
 +    return 0;
 +}
 +
  int kvm_arch_init(MachineState *ms, KVMState *s)
  {
      object_class_foreach(ccw_machine_class_foreach, TYPE_S390_CCW_MACHINE,
 --
 .34.1

-New patch
+[PULL 08/35] accel/kvm: Specify default IPA size for arm64
+From: Akihiko Odaki <akihiko.odaki@daynix.com>
+Before this change, the default KVM type, which is used for non-virt
+machine models, was 0.
+The kernel documentation says:
+> On arm64, the physical address size for a VM (IPA Size limit) is
+> limited to 40bits by default. The limit can be configured if the host
+> supports the extension KVM_CAP_ARM_VM_IPA_SIZE. When supported, use
+> KVM_VM_TYPE_ARM_IPA_SIZE(IPA_Bits) to set the size in the machine type
+> identifier, where IPA_Bits is the maximum width of any physical
+> address used by the VM. The IPA_Bits is encoded in bits[7-0] of the
+> machine type identifier.
+>
+> e.g, to configure a guest to use 48bit physical address size::
+>
+>     vm_fd = ioctl(dev_fd, KVM_CREATE_VM, KVM_VM_TYPE_ARM_IPA_SIZE(48));
+>
+> The requested size (IPA_Bits) must be:
+>
+>  ==   =========================================================
+>   0   Implies default size, 40bits (for backward compatibility)
+>   N   Implies N bits, where N is a positive integer such that,
+>       32 <= N <= Host_IPA_Limit
+>  ==   =========================================================
+> Host_IPA_Limit is the maximum possible value for IPA_Bits on the host
+> and is dependent on the CPU capability and the kernel configuration.
+> The limit can be retrieved using KVM_CAP_ARM_VM_IPA_SIZE of the
+> KVM_CHECK_EXTENSION ioctl() at run-time.
+>
+> Creation of the VM will fail if the requested IPA size (whether it is
+> implicit or explicit) is unsupported on the host.
+https://docs.kernel.org/virt/kvm/api.html#kvm-create-vm
+So if Host_IPA_Limit < 40, specifying 0 as the type will fail. This
+actually confused libvirt, which uses "none" machine model to probe the
+KVM availability, on M2 MacBook Air.
+Fix this by using Host_IPA_Limit as the default type when
+KVM_CAP_ARM_VM_IPA_SIZE is available.
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
+Message-id: 20230727073134.134102-3-akihiko.odaki@daynix.com
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ target/arm/kvm.c | 4 +++-
+file changed, 3 insertions(+), 1 deletion(-)
+diff --git a/target/arm/kvm.c b/target/arm/kvm.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/kvm.c
++++ b/target/arm/kvm.c
+@@ -XXX,XX +XXX,XX @@ int kvm_arm_get_max_vm_ipa_size(MachineState *ms, bool *fixed_ipa)
+ int kvm_arch_get_default_type(MachineState *ms)
+ {
+-    return 0;
++    bool fixed_ipa;
++    int size = kvm_arm_get_max_vm_ipa_size(ms, &fixed_ipa);
++    return fixed_ipa ? 0 : size;
+ }
+ int kvm_arch_init(MachineState *ms, KVMState *s)
+--
+.34.1

-[PULL 07/20] target/nios2: Use deposit32() to update ipending register
+[PULL 09/35] mips: Report an error when KVM_VM_MIPS_VZ is unavailable
-In nios2_cpu_set_irq(), use deposit32() rather than raw shift-and-mask
+From: Akihiko Odaki <akihiko.odaki@daynix.com>
 operations to set the appropriate bit in the ipending register.
+On MIPS, QEMU requires KVM_VM_MIPS_VZ type for KVM. Report an error in
+such a case as other architectures do when an error occurred during KVM
+type decision.
+Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
+Message-id: 20230727073134.134102-4-akihiko.odaki@daynix.com
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Message-id: 20201129174022.26530-4-peter.maydell@linaro.org
 ---
- target/nios2/cpu.c | 3 +--
+ target/mips/kvm.c | 1 +
-file changed, 1 insertion(+), 2 deletions(-)
+file changed, 1 insertion(+)
-diff --git a/target/nios2/cpu.c b/target/nios2/cpu.c
+diff --git a/target/mips/kvm.c b/target/mips/kvm.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/nios2/cpu.c
+--- a/target/mips/kvm.c
-+++ b/target/nios2/cpu.c
++++ b/target/mips/kvm.c
-@@ -XXX,XX +XXX,XX @@ static void nios2_cpu_set_irq(void *opaque, int irq, int level)
+@@ -XXX,XX +XXX,XX @@ int kvm_arch_get_default_type(MachineState *machine)
-     CPUNios2State *env = &cpu->env;
+     }
-     CPUState *cs = CPU(cpu);
+ #endif
--    env->regs[CR_IPENDING] &= ~(1 << irq);
++    error_report("KVM_VM_MIPS_VZ type is not available");
--    env->regs[CR_IPENDING] |= !!level << irq;
+     return -1;
-+    env->regs[CR_IPENDING] = deposit32(env->regs[CR_IPENDING], irq, 1, !!level);
+ }
      env->irq_pending = env->regs[CR_IPENDING] & env->regs[CR_IENABLE];
 --
-.20.1
+.34.1

-[PULL 04/20] target/openrisc: Move pic_cpu code into CPU object proper
+[PULL 10/35] accel/kvm: Use negative KVM type for error propagation
-The openrisc code uses an old style of interrupt handling, where a
+From: Akihiko Odaki <akihiko.odaki@daynix.com>
 separate standalone set of qemu_irqs invoke a function
 openrisc_pic_cpu_handler() which signals the interrupt to the CPU
 proper by directly calling cpu_interrupt() and cpu_reset_interrupt().
 Because CPU objects now inherit (indirectly) from TYPE_DEVICE, they
 can have GPIO input lines themselves, and the neater modern way to
 implement this is to simply have the CPU object itself provide the
 input IRQ lines.
-Create GPIO inputs to the OpenRISC CPU object, and make the only user
+On MIPS, kvm_arch_get_default_type() returns a negative value when an
-of cpu_openrisc_pic_init() wire up directly to those instead.
+error occurred so handle the case. Also, let other machines return
 negative values when errors occur and declare returning a negative
 value as the correct way to propagate an error that happened when
 determining KVM type.
-This allows us to delete the hw/openrisc/pic_cpu.c file entirely.
+Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
 Message-id: 20230727073134.134102-5-akihiko.odaki@daynix.com
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 ---
  accel/kvm/kvm-all.c | 5 +++++
  hw/arm/virt.c       | 2 +-
  hw/ppc/spapr.c      | 2 +-
 files changed, 7 insertions(+), 2 deletions(-)
-This fixes a trivial memory leak reported by Coverity of the IRQs
+diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c
 allocated in cpu_openrisc_pic_init().
 Fixes: Coverity CID 1421934
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Stafford Horne <shorne@gmail.com>
 Message-id: 20201127225127.14770-4-peter.maydell@linaro.org
 ---
  target/openrisc/cpu.h      |  1 -
  hw/openrisc/openrisc_sim.c |  3 +-
  hw/openrisc/pic_cpu.c      | 61 --------------------------------------
  target/openrisc/cpu.c      | 32 ++++++++++++++++++++
  hw/openrisc/meson.build    |  2 +-
 files changed, 34 insertions(+), 65 deletions(-)
  delete mode 100644 hw/openrisc/pic_cpu.c
 diff --git a/target/openrisc/cpu.h b/target/openrisc/cpu.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/openrisc/cpu.h
+--- a/accel/kvm/kvm-all.c
-+++ b/target/openrisc/cpu.h
++++ b/accel/kvm/kvm-all.c
-@@ -XXX,XX +XXX,XX @@ typedef struct CPUOpenRISCState {
+@@ -XXX,XX +XXX,XX @@ static int kvm_init(MachineState *ms)
-     uint32_t picmr;         /* Interrupt mask register */
+         type = kvm_arch_get_default_type(ms);
-     uint32_t picsr;         /* Interrupt contrl register*/
+     }
- #endif
--    void *irq[32];          /* Interrupt irq input */
++    if (type < 0) {
- } CPUOpenRISCState;
++        ret = -EINVAL;
++        goto err;
  /**
 diff --git a/hw/openrisc/openrisc_sim.c b/hw/openrisc/openrisc_sim.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/openrisc/openrisc_sim.c
 +++ b/hw/openrisc/openrisc_sim.c
@@ -XXX,XX +XXX,XX @@ static void main_cpu_reset(void *opaque)
  static qemu_irq get_cpu_irq(OpenRISCCPU *cpus[], int cpunum, int irq_pin)
  {
 -    return cpus[cpunum]->env.irq[irq_pin];
 +    return qdev_get_gpio_in_named(DEVICE(cpus[cpunum]), "IRQ", irq_pin);
  }
  static void openrisc_sim_net_init(hwaddr base, hwaddr descriptors,
@@ -XXX,XX +XXX,XX @@ static void openrisc_sim_init(MachineState *machine)
              fprintf(stderr, "Unable to find CPU definition!\n");
              exit(1);
          }
 -        cpu_openrisc_pic_init(cpus[n]);
          cpu_openrisc_clock_init(cpus[n]);
 diff --git a/hw/openrisc/pic_cpu.c b/hw/openrisc/pic_cpu.c
 deleted file mode 100644
 index XXXXXXX..XXXXXXX
 --- a/hw/openrisc/pic_cpu.c
 +++ /dev/null
@@ -XXX,XX +XXX,XX @@
 -/*
 - * OpenRISC Programmable Interrupt Controller support.
 - *
 - * Copyright (c) 2011-2012 Jia Liu <proljc@gmail.com>
 - *                         Feng Gao <gf91597@gmail.com>
 - *
 - * This library is free software; you can redistribute it and/or
 - * modify it under the terms of the GNU Lesser General Public
 - * License as published by the Free Software Foundation; either
 - * version 2.1 of the License, or (at your option) any later version.
 - *
 - * This library is distributed in the hope that it will be useful,
 - * but WITHOUT ANY WARRANTY; without even the implied warranty of
 - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 - * Lesser General Public License for more details.
 - *
 - * You should have received a copy of the GNU Lesser General Public
 - * License along with this library; if not, see <http://www.gnu.org/licenses/>.
 - */
 -
 -#include "qemu/osdep.h"
 -#include "hw/irq.h"
 -#include "cpu.h"
 -
 -/* OpenRISC pic handler */
 -static void openrisc_pic_cpu_handler(void *opaque, int irq, int level)
 -{
 -    OpenRISCCPU *cpu = (OpenRISCCPU *)opaque;
 -    CPUState *cs = CPU(cpu);
 -    uint32_t irq_bit;
 -
 -    if (irq > 31 || irq < 0) {
 -        return;
 -    }
 -
 -    irq_bit = 1U << irq;
 -
 -    if (level) {
 -        cpu->env.picsr |= irq_bit;
 -    } else {
 -        cpu->env.picsr &= ~irq_bit;
 -    }
 -
 -    if (cpu->env.picsr & cpu->env.picmr) {
 -        cpu_interrupt(cs, CPU_INTERRUPT_HARD);
 -    } else {
 -        cpu_reset_interrupt(cs, CPU_INTERRUPT_HARD);
 -        cpu->env.picsr = 0;
 -    }
 -}
 -
 -void cpu_openrisc_pic_init(OpenRISCCPU *cpu)
 -{
 -    int i;
 -    qemu_irq *qi;
 -    qi = qemu_allocate_irqs(openrisc_pic_cpu_handler, cpu, NR_IRQS);
 -
 -    for (i = 0; i < NR_IRQS; i++) {
 -        cpu->env.irq[i] = qi[i];
 -    }
 -}
 diff --git a/target/openrisc/cpu.c b/target/openrisc/cpu.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/openrisc/cpu.c
 +++ b/target/openrisc/cpu.c
@@ -XXX,XX +XXX,XX @@ static void openrisc_cpu_reset(DeviceState *dev)
  #endif
  }
 +#ifndef CONFIG_USER_ONLY
 +static void openrisc_cpu_set_irq(void *opaque, int irq, int level)
 +{
 +    OpenRISCCPU *cpu = (OpenRISCCPU *)opaque;
 +    CPUState *cs = CPU(cpu);
 +    uint32_t irq_bit;
 +
 +    if (irq > 31 || irq < 0) {
 +        return;
 +    }
 +
-+    irq_bit = 1U << irq;
+     do {
-+
+         ret = kvm_ioctl(s, KVM_CREATE_VM, type);
-+    if (level) {
+     } while (ret == -EINTR);
-+        cpu->env.picsr |= irq_bit;
+diff --git a/hw/arm/virt.c b/hw/arm/virt.c
-+    } else {
+index XXXXXXX..XXXXXXX 100644
-+        cpu->env.picsr &= ~irq_bit;
+--- a/hw/arm/virt.c
-+    }
++++ b/hw/arm/virt.c
-+
+@@ -XXX,XX +XXX,XX @@ static int virt_kvm_type(MachineState *ms, const char *type_str)
-+    if (cpu->env.picsr & cpu->env.picmr) {
+                      "require an IPA range (%d bits) larger than "
-+        cpu_interrupt(cs, CPU_INTERRUPT_HARD);
+                      "the one supported by the host (%d bits)",
-+    } else {
+                      requested_pa_size, max_vm_pa_size);
-+        cpu_reset_interrupt(cs, CPU_INTERRUPT_HARD);
+-        exit(1);
-+        cpu->env.picsr = 0;
++        return -1;
-+    }
+     }
-+}
+     /*
-+#endif
+      * We return the requested PA log size, unless KVM only supports
-+
+diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
- static void openrisc_cpu_realizefn(DeviceState *dev, Error **errp)
+index XXXXXXX..XXXXXXX 100644
- {
+--- a/hw/ppc/spapr.c
-     CPUState *cs = CPU(dev);
++++ b/hw/ppc/spapr.c
-@@ -XXX,XX +XXX,XX @@ static void openrisc_cpu_initfn(Object *obj)
+@@ -XXX,XX +XXX,XX @@ static int spapr_kvm_type(MachineState *machine, const char *vm_type)
-     OpenRISCCPU *cpu = OPENRISC_CPU(obj);
+     }
-     cpu_set_cpustate_pointers(cpu);
+     error_report("Unknown kvm-type specified '%s'", vm_type);
-+
+-    exit(1);
-+#ifndef CONFIG_USER_ONLY
++    return -1;
 +    qdev_init_gpio_in_named(DEVICE(cpu), openrisc_cpu_set_irq, "IRQ", NR_IRQS);
 +#endif
  }
- /* CPU models */
+ /*
 diff --git a/hw/openrisc/meson.build b/hw/openrisc/meson.build
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/openrisc/meson.build
 +++ b/hw/openrisc/meson.build
@@ -XXX,XX +XXX,XX @@
  openrisc_ss = ss.source_set()
 -openrisc_ss.add(files('pic_cpu.c', 'cputimer.c'))
 +openrisc_ss.add(files('cputimer.c'))
  openrisc_ss.add(when: 'CONFIG_OR1K_SIM', if_true: files('openrisc_sim.c'))
  hw_arch += {'openrisc': openrisc_ss}
 --
-.20.1
+.34.1

-New patch
+[PULL 11/35] accel/kvm: Free as when an error occurred
+From: Akihiko Odaki <akihiko.odaki@daynix.com>
+An error may occur after s->as is allocated, for example if the
+KVM_CREATE_VM ioctl call fails.
+Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
+Message-id: 20230727073134.134102-6-akihiko.odaki@daynix.com
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+[PMM: tweaked commit message]
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ accel/kvm/kvm-all.c | 1 +
+file changed, 1 insertion(+)
+diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c
+index XXXXXXX..XXXXXXX 100644
+--- a/accel/kvm/kvm-all.c
++++ b/accel/kvm/kvm-all.c
+@@ -XXX,XX +XXX,XX @@ err:
+     if (s->fd != -1) {
+         close(s->fd);
+     }
++    g_free(s->as);
+     g_free(s->memory_listener.slots);
+     return ret;
+--
+.34.1

-[PULL 05/20] target/nios2: Move IIC code into CPU object proper
+[PULL 12/35] accel/kvm: Make kvm_dirty_ring_reaper_init() void
-The Nios2 architecture supports two different interrupt controller
+From: Akihiko Odaki <akihiko.odaki@daynix.com>
 options:
- * The IIC (Internal Interrupt Controller) is part of the CPU itself;
+The returned value was always zero and had no meaning.
    it has 32 IRQ input lines and no NMI support.  Interrupt status is
    queried and controlled via the CPU's ipending and istatus
    registers.
- * The EIC (External Interrupt Controller) interface allows the CPU
+Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
-   to connect to an external interrupt controller.  The interface
+Message-id: 20230727073134.134102-7-akihiko.odaki@daynix.com
-   allows the interrupt controller to present a packet of information
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-   containing:
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-    - handler address
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
-    - interrupt level
+---
-    - register set
+ accel/kvm/kvm-all.c | 9 ++-------
-    - NMI mode
+file changed, 2 insertions(+), 7 deletions(-)
-QEMU does not model an EIC currently.  We do model the IIC, but its
+diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c
 implementation is split across code in hw/nios2/cpu_pic.c and
 hw/intc/nios2_iic.c.  The code in those two files has no state of its
 own -- the IIC state is in the Nios2CPU state struct.
 Because CPU objects now inherit (indirectly) from TYPE_DEVICE, they
 can have GPIO input lines themselves, so we can implement the IIC
 directly in the CPU object the same way that real hardware does.
 Create named "IRQ" GPIO inputs to the Nios2 CPU object, and make the
 only user of the IIC wire up directly to those instead.
 Note that the old code had an "NMI" concept which was entirely unused
 and also as far as I can see not architecturally correct, since only
 the EIC has a concept of an NMI.
 This fixes a Coverity-reported trivial memory leak of the IRQ array
 allocated in nios2_cpu_pic_init().
 Fixes: Coverity CID 1421916
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Message-id: 20201129174022.26530-2-peter.maydell@linaro.org
 Reviewed-by: Wentong Wu <wentong.wu@intel.com>
 Tested-by: Wentong Wu <wentong.wu@intel.com>
 ---
  target/nios2/cpu.h        |  1 -
  hw/intc/nios2_iic.c       | 95 ---------------------------------------
  hw/nios2/10m50_devboard.c | 13 +-----
  hw/nios2/cpu_pic.c        | 31 -------------
  target/nios2/cpu.c        | 30 +++++++++++++
  MAINTAINERS               |  1 -
  hw/intc/meson.build       |  1 -
 files changed, 32 insertions(+), 140 deletions(-)
  delete mode 100644 hw/intc/nios2_iic.c
 diff --git a/target/nios2/cpu.h b/target/nios2/cpu.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/nios2/cpu.h
+--- a/accel/kvm/kvm-all.c
-+++ b/target/nios2/cpu.h
++++ b/accel/kvm/kvm-all.c
-@@ -XXX,XX +XXX,XX @@ void nios2_cpu_do_unaligned_access(CPUState *cpu, vaddr addr,
+@@ -XXX,XX +XXX,XX @@ static void *kvm_dirty_ring_reaper_thread(void *data)
-                                    MMUAccessType access_type,
+     return NULL;
-                                    int mmu_idx, uintptr_t retaddr);
+ }
--qemu_irq *nios2_cpu_pic_init(Nios2CPU *cpu);
+-static int kvm_dirty_ring_reaper_init(KVMState *s)
- void nios2_check_interrupts(CPUNios2State *env);
++static void kvm_dirty_ring_reaper_init(KVMState *s)
+ {
- void do_nios2_semihosting(CPUNios2State *env);
+     struct KVMDirtyRingReaper *r = &s->reaper;
-diff --git a/hw/intc/nios2_iic.c b/hw/intc/nios2_iic.c
-deleted file mode 100644
+     qemu_thread_create(&r->reaper_thr, "kvm-reaper",
-index XXXXXXX..XXXXXXX
+                        kvm_dirty_ring_reaper_thread,
---- a/hw/intc/nios2_iic.c
+                        s, QEMU_THREAD_JOINABLE);
 +++ /dev/null
@@ -XXX,XX +XXX,XX @@
 -/*
 - * QEMU Altera Internal Interrupt Controller.
 - *
 - * Copyright (c) 2012 Chris Wulff <crwulff@gmail.com>
 - *
 - * This library is free software; you can redistribute it and/or
 - * modify it under the terms of the GNU Lesser General Public
 - * License as published by the Free Software Foundation; either
 - * version 2.1 of the License, or (at your option) any later version.
 - *
 - * This library is distributed in the hope that it will be useful,
 - * but WITHOUT ANY WARRANTY; without even the implied warranty of
 - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 - * Lesser General Public License for more details.
 - *
 - * You should have received a copy of the GNU Lesser General Public
 - * License along with this library; if not, see
 - * <http://www.gnu.org/licenses/lgpl-2.1.html>
 - */
 -
--#include "qemu/osdep.h"
+-    return 0;
--#include "qemu/module.h"
+ }
--#include "qapi/error.h"
--
+ static int kvm_dirty_ring_init(KVMState *s)
--#include "hw/irq.h"
+@@ -XXX,XX +XXX,XX @@ static int kvm_init(MachineState *ms)
 -#include "hw/sysbus.h"
 -#include "cpu.h"
 -#include "qom/object.h"
 -
 -#define TYPE_ALTERA_IIC "altera,iic"
 -OBJECT_DECLARE_SIMPLE_TYPE(AlteraIIC, ALTERA_IIC)
 -
 -struct AlteraIIC {
 -    SysBusDevice  parent_obj;
 -    void         *cpu;
 -    qemu_irq      parent_irq;
 -};
 -
 -static void update_irq(AlteraIIC *pv)
 -{
 -    CPUNios2State *env = &((Nios2CPU *)(pv->cpu))->env;
 -
 -    qemu_set_irq(pv->parent_irq,
 -                 env->regs[CR_IPENDING] & env->regs[CR_IENABLE]);
 -}
 -
 -static void irq_handler(void *opaque, int irq, int level)
 -{
 -    AlteraIIC *pv = opaque;
 -    CPUNios2State *env = &((Nios2CPU *)(pv->cpu))->env;
 -
 -    env->regs[CR_IPENDING] &= ~(1 << irq);
 -    env->regs[CR_IPENDING] |= !!level << irq;
 -
 -    update_irq(pv);
 -}
 -
 -static void altera_iic_init(Object *obj)
 -{
 -    AlteraIIC *pv = ALTERA_IIC(obj);
 -
 -    qdev_init_gpio_in(DEVICE(pv), irq_handler, 32);
 -    sysbus_init_irq(SYS_BUS_DEVICE(obj), &pv->parent_irq);
 -}
 -
 -static void altera_iic_realize(DeviceState *dev, Error **errp)
 -{
 -    struct AlteraIIC *pv = ALTERA_IIC(dev);
 -
 -    pv->cpu = object_property_get_link(OBJECT(dev), "cpu", &error_abort);
 -}
 -
 -static void altera_iic_class_init(ObjectClass *klass, void *data)
 -{
 -    DeviceClass *dc = DEVICE_CLASS(klass);
 -
 -    /* Reason: needs to be wired up, e.g. by nios2_10m50_ghrd_init() */
 -    dc->user_creatable = false;
 -    dc->realize = altera_iic_realize;
 -}
 -
 -static TypeInfo altera_iic_info = {
 -    .name          = TYPE_ALTERA_IIC,
 -    .parent        = TYPE_SYS_BUS_DEVICE,
 -    .instance_size = sizeof(AlteraIIC),
 -    .instance_init = altera_iic_init,
 -    .class_init    = altera_iic_class_init,
 -};
 -
 -static void altera_iic_register(void)
 -{
 -    type_register_static(&altera_iic_info);
 -}
 -
 -type_init(altera_iic_register)
 diff --git a/hw/nios2/10m50_devboard.c b/hw/nios2/10m50_devboard.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/nios2/10m50_devboard.c
 +++ b/hw/nios2/10m50_devboard.c
@@ -XXX,XX +XXX,XX @@ static void nios2_10m50_ghrd_init(MachineState *machine)
      ram_addr_t tcm_size = 0x1000;    /* 1 kiB, but QEMU limit is 4 kiB */
      ram_addr_t ram_base = 0x08000000;
      ram_addr_t ram_size = 0x08000000;
 -    qemu_irq *cpu_irq, irq[32];
 +    qemu_irq irq[32];
      int i;
      /* Physical TCM (tb_ram_1k) with alias at 0xc0000000 */
@@ -XXX,XX +XXX,XX @@ static void nios2_10m50_ghrd_init(MachineState *machine)
      /* Create CPU -- FIXME */
      cpu = NIOS2_CPU(cpu_create(TYPE_NIOS2_CPU));
 -
 -    /* Register: CPU interrupt controller (PIC) */
 -    cpu_irq = nios2_cpu_pic_init(cpu);
 -
 -    /* Register: Internal Interrupt Controller (IIC) */
 -    dev = qdev_new("altera,iic");
 -    object_property_add_const_link(OBJECT(dev), "cpu", OBJECT(cpu));
 -    sysbus_realize_and_unref(SYS_BUS_DEVICE(dev), &error_fatal);
 -    sysbus_connect_irq(SYS_BUS_DEVICE(dev), 0, cpu_irq[0]);
      for (i = 0; i < 32; i++) {
 -        irq[i] = qdev_get_gpio_in(dev, i);
 +        irq[i] = qdev_get_gpio_in_named(DEVICE(cpu), "IRQ", i);
      }
-     /* Register: Altera 16550 UART */
+     if (s->kvm_dirty_ring_size) {
-diff --git a/hw/nios2/cpu_pic.c b/hw/nios2/cpu_pic.c
+-        ret = kvm_dirty_ring_reaper_init(s);
-index XXXXXXX..XXXXXXX 100644
+-        if (ret) {
---- a/hw/nios2/cpu_pic.c
+-            goto err;
 +++ b/hw/nios2/cpu_pic.c
@@ -XXX,XX +XXX,XX @@
  #include "boot.h"
 -static void nios2_pic_cpu_handler(void *opaque, int irq, int level)
 -{
 -    Nios2CPU *cpu = opaque;
 -    CPUNios2State *env = &cpu->env;
 -    CPUState *cs = CPU(cpu);
 -    int type = irq ? CPU_INTERRUPT_NMI : CPU_INTERRUPT_HARD;
 -
 -    if (type == CPU_INTERRUPT_HARD) {
 -        env->irq_pending = level;
 -
 -        if (level && (env->regs[CR_STATUS] & CR_STATUS_PIE)) {
 -            env->irq_pending = 0;
 -            cpu_interrupt(cs, type);
 -        } else if (!level) {
 -            env->irq_pending = 0;
 -            cpu_reset_interrupt(cs, type);
 -        }
--    } else {
++        kvm_dirty_ring_reaper_init(s);
 -        if (level) {
 -            cpu_interrupt(cs, type);
 -        } else {
 -            cpu_reset_interrupt(cs, type);
 -        }
 -    }
 -}
 -
  void nios2_check_interrupts(CPUNios2State *env)
  {
      if (env->irq_pending &&
@@ -XXX,XX +XXX,XX @@ void nios2_check_interrupts(CPUNios2State *env)
          cpu_interrupt(env_cpu(env), CPU_INTERRUPT_HARD);
      }
- }
--
+     if (kvm_check_extension(kvm_state, KVM_CAP_BINARY_STATS_FD)) {
 -qemu_irq *nios2_cpu_pic_init(Nios2CPU *cpu)
 -{
 -    return qemu_allocate_irqs(nios2_pic_cpu_handler, cpu, 2);
 -}
 diff --git a/target/nios2/cpu.c b/target/nios2/cpu.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/nios2/cpu.c
 +++ b/target/nios2/cpu.c
@@ -XXX,XX +XXX,XX @@ static void nios2_cpu_reset(DeviceState *dev)
  #endif
  }
 +#ifndef CONFIG_USER_ONLY
 +static void nios2_cpu_set_irq(void *opaque, int irq, int level)
 +{
 +    Nios2CPU *cpu = opaque;
 +    CPUNios2State *env = &cpu->env;
 +    CPUState *cs = CPU(cpu);
 +
 +    env->regs[CR_IPENDING] &= ~(1 << irq);
 +    env->regs[CR_IPENDING] |= !!level << irq;
 +
 +    env->irq_pending = env->regs[CR_IPENDING] & env->regs[CR_IENABLE];
 +
 +    if (env->irq_pending && (env->regs[CR_STATUS] & CR_STATUS_PIE)) {
 +        env->irq_pending = 0;
 +        cpu_interrupt(cs, CPU_INTERRUPT_HARD);
 +    } else if (!env->irq_pending) {
 +        cpu_reset_interrupt(cs, CPU_INTERRUPT_HARD);
 +    }
 +}
 +#endif
 +
  static void nios2_cpu_initfn(Object *obj)
  {
      Nios2CPU *cpu = NIOS2_CPU(obj);
@@ -XXX,XX +XXX,XX @@ static void nios2_cpu_initfn(Object *obj)
  #if !defined(CONFIG_USER_ONLY)
      mmu_init(&cpu->env);
 +
 +    /*
 +     * These interrupt lines model the IIC (internal interrupt
 +     * controller). QEMU does not currently support the EIC
 +     * (external interrupt controller) -- if we did it would be
 +     * a separate device in hw/intc with a custom interface to
 +     * the CPU, and boards using it would not wire up these IRQ lines.
 +     */
 +    qdev_init_gpio_in_named(DEVICE(cpu), nios2_cpu_set_irq, "IRQ", 32);
  #endif
  }
 diff --git a/MAINTAINERS b/MAINTAINERS
 index XXXXXXX..XXXXXXX 100644
 --- a/MAINTAINERS
 +++ b/MAINTAINERS
@@ -XXX,XX +XXX,XX @@ M: Marek Vasut <marex@denx.de>
  S: Maintained
  F: target/nios2/
  F: hw/nios2/
 -F: hw/intc/nios2_iic.c
  F: disas/nios2.c
  F: default-configs/nios2-softmmu.mak
 diff --git a/hw/intc/meson.build b/hw/intc/meson.build
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/intc/meson.build
 +++ b/hw/intc/meson.build
@@ -XXX,XX +XXX,XX @@ specific_ss.add(when: 'CONFIG_IBEX', if_true: files('ibex_plic.c'))
  specific_ss.add(when: 'CONFIG_IOAPIC', if_true: files('ioapic.c'))
  specific_ss.add(when: 'CONFIG_LOONGSON_LIOINTC', if_true: files('loongson_liointc.c'))
  specific_ss.add(when: 'CONFIG_MIPS_CPS', if_true: files('mips_gic.c'))
 -specific_ss.add(when: 'CONFIG_NIOS2', if_true: files('nios2_iic.c'))
  specific_ss.add(when: 'CONFIG_OMAP', if_true: files('omap_intc.c'))
  specific_ss.add(when: 'CONFIG_OMPIC', if_true: files('ompic.c'))
  specific_ss.add(when: 'CONFIG_OPENPIC_KVM', if_true: files('openpic_kvm.c'))
 --
-.20.1
+.34.1

-New patch
+[PULL 13/35] target/arm/ptw: Don't set fi->s1ptw for UnsuppAtomicUpdate fault
+For an Unsupported Atomic Update fault where the stage 1 translation
+table descriptor update can't be done because it's to an unsupported
+memory type, this is a stage 1 abort (per the Arm ARM R_VSXXT).  This
+means we should not set fi->s1ptw, because this will cause the code
+in the get_phys_addr_lpae() error-exit path to mark it as stage 2.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20230807141514.19075-2-peter.maydell@linaro.org
+---
+ target/arm/ptw.c | 1 -
+file changed, 1 deletion(-)
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/ptw.c
++++ b/target/arm/ptw.c
+@@ -XXX,XX +XXX,XX @@ static uint64_t arm_casq_ptw(CPUARMState *env, uint64_t old_val,
+     if (unlikely(!host)) {
+         fi->type = ARMFault_UnsuppAtomicUpdate;
+-        fi->s1ptw = true;
+         return 0;
+     }
+--
+.34.1

-New patch
+[PULL 14/35] target/arm/ptw: Don't report GPC faults on stage 1 ptw as stage2 faults
+In S1_ptw_translate() we set up the ARMMMUFaultInfo if the attempt to
+translate the page descriptor address into a physical address fails.
+This used to only be possible if we are doing a stage 2 ptw for that
+descriptor address, and so the code always sets fi->stage2 and
+fi->s1ptw to true.  However, with FEAT_RME it is also possible for
+the lookup of the page descriptor address to fail because of a
+Granule Protection Check fault.  These should not be reported as
+stage 2, otherwise arm_deliver_fault() will incorrectly set
+HPFAR_EL2.  Similarly the s1ptw bit should only be set for stage 2
+faults on stage 1 translation table walks, i.e.  not for GPC faults.
+Add a comment to the the other place where we might detect a
+stage2-fault-on-stage-1-ptw, in arm_casq_ptw(), noting why we know in
+that case that it must really be a stage 2 fault and not a GPC fault.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20230807141514.19075-3-peter.maydell@linaro.org
+---
+ target/arm/ptw.c | 10 ++++++++--
+file changed, 8 insertions(+), 2 deletions(-)
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/ptw.c
++++ b/target/arm/ptw.c
+@@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
+         fi->type = ARMFault_GPCFOnWalk;
+     }
+     fi->s2addr = addr;
+-    fi->stage2 = true;
+-    fi->s1ptw = true;
++    fi->stage2 = regime_is_stage2(s2_mmu_idx);
++    fi->s1ptw = fi->stage2;
+     fi->s1ns = !is_secure;
+     return false;
+ }
+@@ -XXX,XX +XXX,XX @@ static uint64_t arm_casq_ptw(CPUARMState *env, uint64_t old_val,
+         env->tlb_fi = NULL;
+         if (unlikely(flags & TLB_INVALID_MASK)) {
++            /*
++             * We know this must be a stage 2 fault because the granule
++             * protection table does not separately track read and write
++             * permission, so all GPC faults are caught in S1_ptw_translate():
++             * we only get here for "readable but not writeable".
++             */
+             assert(fi->type != ARMFault_None);
+             fi->s2addr = ptw->out_virt;
+             fi->stage2 = true;
+--
+.34.1

-[PULL 08/20] hw/core/loader.c: Track last-seen ROM in rom_check_and_register_reset()
+[PULL 15/35] target/arm/ptw: Set s1ns bit in fault info more consistently
-In rom_check_and_register_reset() we detect overlaps by looking at
+The s1ns bit in ARMMMUFaultInfo is documented as "true if
-whether the ROM blob we're currently examining is in the same address
+we faulted on a non-secure IPA while in secure state". Both the
-space and starts before the previous ROM blob ends.  (This works
+places which look at this bit only do so after having confirmed
-because the ROM list is kept sorted in order by AddressSpace and then
+that this is a stage 2 fault and we're dealing with Secure EL2,
-by address.)
+which leaves the ptw.c code free to set the bit to any random
 value in the other cases.
-Instead of keeping the AddressSpace and last address of the previous ROM
+Instead of taking advantage of that freedom, consistently
-blob in local variables, just keep a pointer to it.
+make the bit be set to false for the "not a stage 2 fault
+for Secure EL2" cases. This removes some cases where we
-This will allow us to print more useful information when we do detect
+were using an 'is_secure' boolean and leaving the reader
-an overlap.
+guessing about whether that was the right thing for Realm
 and Root cases.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20201129203923.10622-2-peter.maydell@linaro.org
+Message-id: 20230807141514.19075-4-peter.maydell@linaro.org
 ---
- hw/core/loader.c | 23 +++++++++++++++--------
+ target/arm/ptw.c | 19 +++++++++++++++----
-file changed, 15 insertions(+), 8 deletions(-)
+file changed, 15 insertions(+), 4 deletions(-)
-diff --git a/hw/core/loader.c b/hw/core/loader.c
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/core/loader.c
+--- a/target/arm/ptw.c
-+++ b/hw/core/loader.c
++++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ static void rom_reset(void *unused)
+@@ -XXX,XX +XXX,XX @@ static ARMSecuritySpace S2_security_space(ARMSecuritySpace s1_space,
      }
  }
-+/* Return true if two consecutive ROMs in the ROM list overlap */
++static bool fault_s1ns(ARMSecuritySpace space, ARMMMUIdx s2_mmu_idx)
 +static bool roms_overlap(Rom *last_rom, Rom *this_rom)
 +{
-+    if (!last_rom) {
++    /*
-+        return false;
++     * For stage 2 faults in Secure EL22, S1NS indicates
-+    }
++     * whether the faulting IPA is in the Secure or NonSecure
-+    return last_rom->as == this_rom->as &&
++     * IPA space. For all other kinds of fault, it is false.
-+        last_rom->addr + last_rom->romsize > this_rom->addr;
++     */
 +    return space == ARMSS_Secure && regime_is_stage2(s2_mmu_idx)
 +        && s2_mmu_idx == ARMMMUIdx_Stage2_S;
 +}
 +
- int rom_check_and_register_reset(void)
+ /* Translate a S1 pagetable walk through S2 if needed.  */
- {
+ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
--    hwaddr addr = 0;
+                              hwaddr addr, ARMMMUFaultInfo *fi)
-     MemoryRegionSection section;
+@@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
--    Rom *rom;
+             fi->s2addr = addr;
--    AddressSpace *as = NULL;
+             fi->stage2 = true;
-+    Rom *rom, *last_rom = NULL;
+             fi->s1ptw = true;
+-            fi->s1ns = !is_secure;
-     QTAILQ_FOREACH(rom, &roms, next) {
++            fi->s1ns = fault_s1ns(ptw->in_space, s2_mmu_idx);
-         if (rom->fw_file) {
+             return false;
              continue;
          }
-         if (!rom->mr) {
+     }
--            if ((addr > rom->addr) && (as == rom->as)) {
+@@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
-+            if (roms_overlap(last_rom, rom)) {
+     fi->s2addr = addr;
-                 fprintf(stderr, "rom: requested regions overlap "
+     fi->stage2 = regime_is_stage2(s2_mmu_idx);
-                         "(rom %s. free=0x" TARGET_FMT_plx
+     fi->s1ptw = fi->stage2;
-                         ", addr=0x" TARGET_FMT_plx ")\n",
+-    fi->s1ns = !is_secure;
--                        rom->name, addr, rom->addr);
++    fi->s1ns = fault_s1ns(ptw->in_space, s2_mmu_idx);
-+                        rom->name, last_rom->addr + last_rom->romsize,
+     return false;
-+                        rom->addr);
+ }
-                 return -1;
-             }
+@@ -XXX,XX +XXX,XX @@ static uint64_t arm_casq_ptw(CPUARMState *env, uint64_t old_val,
--            addr  = rom->addr;
+             fi->s2addr = ptw->out_virt;
--            addr += rom->romsize;
+             fi->stage2 = true;
--            as = rom->as;
+             fi->s1ptw = true;
-+            last_rom = rom;
+-            fi->s1ns = !ptw->in_secure;
 +            fi->s1ns = fault_s1ns(ptw->in_space, ptw->in_ptw_idx);
              return 0;
          }
-         section = memory_region_find(rom->mr ? rom->mr : get_system_memory(),
-                                      rom->addr, 1);
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
      fi->level = level;
      /* Tag the error as S2 for failed S1 PTW at S2 or ordinary S2.  */
      fi->stage2 = fi->s1ptw || regime_is_stage2(mmu_idx);
 -    fi->s1ns = mmu_idx == ARMMMUIdx_Stage2;
 +    fi->s1ns = fault_s1ns(ptw->in_space, mmu_idx);
      return true;
  }
 --
-.20.1
+.34.1

-New patch
+[PULL 16/35] target/arm/ptw: Pass ptw into get_phys_addr_pmsa*() and get_phys_addr_disabled()
+In commit 6d2654ffacea813916176 we created the S1Translate struct and
+used it to plumb through various arguments that we were previously
+passing one-at-a-time to get_phys_addr_v5(), get_phys_addr_v6(), and
+get_phys_addr_lpae().  Extend that pattern to get_phys_addr_pmsav5(),
+get_phys_addr_pmsav7(), get_phys_addr_pmsav8() and
+get_phys_addr_disabled(), so that all the get_phys_addr_* functions
+we call from get_phys_addr_nogpc() take the S1Translate struct rather
+than the mmu_idx and is_secure bool.
+(This refactoring is a prelude to having the called functions look
+at ptw->is_space rather than using an is_secure boolean.)
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20230807141514.19075-5-peter.maydell@linaro.org
+---
+ target/arm/ptw.c | 57 ++++++++++++++++++++++++++++++------------------
+file changed, 36 insertions(+), 21 deletions(-)
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/ptw.c
++++ b/target/arm/ptw.c
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
+     return true;
+ }
+-static bool get_phys_addr_pmsav5(CPUARMState *env, uint32_t address,
+-                                 MMUAccessType access_type, ARMMMUIdx mmu_idx,
+-                                 bool is_secure, GetPhysAddrResult *result,
++static bool get_phys_addr_pmsav5(CPUARMState *env,
++                                 S1Translate *ptw,
++                                 uint32_t address,
++                                 MMUAccessType access_type,
++                                 GetPhysAddrResult *result,
+                                  ARMMMUFaultInfo *fi)
+ {
+     int n;
+     uint32_t mask;
+     uint32_t base;
++    ARMMMUIdx mmu_idx = ptw->in_mmu_idx;
+     bool is_user = regime_is_user(env, mmu_idx);
++    bool is_secure = arm_space_is_secure(ptw->in_space);
+     if (regime_translation_disabled(env, mmu_idx, is_secure)) {
+         /* MPU disabled.  */
+@@ -XXX,XX +XXX,XX @@ static bool pmsav7_use_background_region(ARMCPU *cpu, ARMMMUIdx mmu_idx,
+     return regime_sctlr(env, mmu_idx) & SCTLR_BR;
+ }
+-static bool get_phys_addr_pmsav7(CPUARMState *env, uint32_t address,
+-                                 MMUAccessType access_type, ARMMMUIdx mmu_idx,
+-                                 bool secure, GetPhysAddrResult *result,
++static bool get_phys_addr_pmsav7(CPUARMState *env,
++                                 S1Translate *ptw,
++                                 uint32_t address,
++                                 MMUAccessType access_type,
++                                 GetPhysAddrResult *result,
+                                  ARMMMUFaultInfo *fi)
+ {
+     ARMCPU *cpu = env_archcpu(env);
+     int n;
++    ARMMMUIdx mmu_idx = ptw->in_mmu_idx;
+     bool is_user = regime_is_user(env, mmu_idx);
++    bool secure = arm_space_is_secure(ptw->in_space);
+     result->f.phys_addr = address;
+     result->f.lg_page_size = TARGET_PAGE_BITS;
+@@ -XXX,XX +XXX,XX @@ void v8m_security_lookup(CPUARMState *env, uint32_t address,
+     }
+ }
+-static bool get_phys_addr_pmsav8(CPUARMState *env, uint32_t address,
+-                                 MMUAccessType access_type, ARMMMUIdx mmu_idx,
+-                                 bool secure, GetPhysAddrResult *result,
++static bool get_phys_addr_pmsav8(CPUARMState *env,
++                                 S1Translate *ptw,
++                                 uint32_t address,
++                                 MMUAccessType access_type,
++                                 GetPhysAddrResult *result,
+                                  ARMMMUFaultInfo *fi)
+ {
+     V8M_SAttributes sattrs = {};
++    ARMMMUIdx mmu_idx = ptw->in_mmu_idx;
++    bool secure = arm_space_is_secure(ptw->in_space);
+     bool ret;
+     if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
+@@ -XXX,XX +XXX,XX @@ static ARMCacheAttrs combine_cacheattrs(uint64_t hcr,
+  * MMU disabled.  S1 addresses within aa64 translation regimes are
+  * still checked for bounds -- see AArch64.S1DisabledOutput().
+  */
+-static bool get_phys_addr_disabled(CPUARMState *env, target_ulong address,
++static bool get_phys_addr_disabled(CPUARMState *env,
++                                   S1Translate *ptw,
++                                   target_ulong address,
+                                    MMUAccessType access_type,
+-                                   ARMMMUIdx mmu_idx, bool is_secure,
+                                    GetPhysAddrResult *result,
+                                    ARMMMUFaultInfo *fi)
+ {
++    ARMMMUIdx mmu_idx = ptw->in_mmu_idx;
++    bool is_secure = arm_space_is_secure(ptw->in_space);
+     uint8_t memattr = 0x00;    /* Device nGnRnE */
+     uint8_t shareability = 0;  /* non-shareable */
+     int r_el;
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_nogpc(CPUARMState *env, S1Translate *ptw,
+     case ARMMMUIdx_Phys_Root:
+     case ARMMMUIdx_Phys_Realm:
+         /* Checking Phys early avoids special casing later vs regime_el. */
+-        return get_phys_addr_disabled(env, address, access_type, mmu_idx,
+-                                      is_secure, result, fi);
++        return get_phys_addr_disabled(env, ptw, address, access_type,
++                                      result, fi);
+     case ARMMMUIdx_Stage1_E0:
+     case ARMMMUIdx_Stage1_E1:
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_nogpc(CPUARMState *env, S1Translate *ptw,
+         if (arm_feature(env, ARM_FEATURE_V8)) {
+             /* PMSAv8 */
+-            ret = get_phys_addr_pmsav8(env, address, access_type, mmu_idx,
+-                                       is_secure, result, fi);
++            ret = get_phys_addr_pmsav8(env, ptw, address, access_type,
++                                       result, fi);
+         } else if (arm_feature(env, ARM_FEATURE_V7)) {
+             /* PMSAv7 */
+-            ret = get_phys_addr_pmsav7(env, address, access_type, mmu_idx,
+-                                       is_secure, result, fi);
++            ret = get_phys_addr_pmsav7(env, ptw, address, access_type,
++                                       result, fi);
+         } else {
+             /* Pre-v7 MPU */
+-            ret = get_phys_addr_pmsav5(env, address, access_type, mmu_idx,
+-                                       is_secure, result, fi);
++            ret = get_phys_addr_pmsav5(env, ptw, address, access_type,
++                                       result, fi);
+         }
+         qemu_log_mask(CPU_LOG_MMU, "PMSA MPU lookup for %s at 0x%08" PRIx32
+                       " mmu_idx %u -> %s (prot %c%c%c)\n",
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_nogpc(CPUARMState *env, S1Translate *ptw,
+     /* Definitely a real MMU, not an MPU */
+     if (regime_translation_disabled(env, mmu_idx, is_secure)) {
+-        return get_phys_addr_disabled(env, address, access_type, mmu_idx,
+-                                      is_secure, result, fi);
++        return get_phys_addr_disabled(env, ptw, address, access_type,
++                                      result, fi);
+     }
+     if (regime_using_lpae_format(env, mmu_idx)) {
+--
+.34.1

-New patch
+[PULL 17/35] target/arm/ptw: Pass ARMSecurityState to regime_translation_disabled()
+Plumb the ARMSecurityState through to regime_translation_disabled()
+rather than just a bool is_secure.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20230807141514.19075-6-peter.maydell@linaro.org
+---
+ target/arm/ptw.c | 15 ++++++++-------
+file changed, 8 insertions(+), 7 deletions(-)
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/ptw.c
++++ b/target/arm/ptw.c
+@@ -XXX,XX +XXX,XX @@ static uint64_t regime_ttbr(CPUARMState *env, ARMMMUIdx mmu_idx, int ttbrn)
+ /* Return true if the specified stage of address translation is disabled */
+ static bool regime_translation_disabled(CPUARMState *env, ARMMMUIdx mmu_idx,
+-                                        bool is_secure)
++                                        ARMSecuritySpace space)
+ {
+     uint64_t hcr_el2;
++    bool is_secure = arm_space_is_secure(space);
+     if (arm_feature(env, ARM_FEATURE_M)) {
+         switch (env->v7m.mpu_ctrl[is_secure] &
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav5(CPUARMState *env,
+     uint32_t base;
+     ARMMMUIdx mmu_idx = ptw->in_mmu_idx;
+     bool is_user = regime_is_user(env, mmu_idx);
+-    bool is_secure = arm_space_is_secure(ptw->in_space);
+-    if (regime_translation_disabled(env, mmu_idx, is_secure)) {
++    if (regime_translation_disabled(env, mmu_idx, ptw->in_space)) {
+         /* MPU disabled.  */
+         result->f.phys_addr = address;
+         result->f.prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_pmsav7(CPUARMState *env,
+     result->f.lg_page_size = TARGET_PAGE_BITS;
+     result->f.prot = 0;
+-    if (regime_translation_disabled(env, mmu_idx, secure) ||
++    if (regime_translation_disabled(env, mmu_idx, ptw->in_space) ||
+         m_is_ppb_region(env, address)) {
+         /*
+          * MPU disabled or M profile PPB access: use default memory map.
+@@ -XXX,XX +XXX,XX @@ bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address,
+      * are done in arm_v7m_load_vector(), which always does a direct
+      * read using address_space_ldl(), rather than going via this function.
+      */
+-    if (regime_translation_disabled(env, mmu_idx, secure)) { /* MPU disabled */
++    if (regime_translation_disabled(env, mmu_idx, arm_secure_to_space(secure))) {
++        /* MPU disabled */
+         hit = true;
+     } else if (m_is_ppb_region(env, address)) {
+         hit = true;
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_nogpc(CPUARMState *env, S1Translate *ptw,
+          */
+         ptw->in_mmu_idx = mmu_idx = s1_mmu_idx;
+         if (arm_feature(env, ARM_FEATURE_EL2) &&
+-            !regime_translation_disabled(env, ARMMMUIdx_Stage2, is_secure)) {
++            !regime_translation_disabled(env, ARMMMUIdx_Stage2, ptw->in_space)) {
+             return get_phys_addr_twostage(env, ptw, address, access_type,
+                                           result, fi);
+         }
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_nogpc(CPUARMState *env, S1Translate *ptw,
+     /* Definitely a real MMU, not an MPU */
+-    if (regime_translation_disabled(env, mmu_idx, is_secure)) {
++    if (regime_translation_disabled(env, mmu_idx, ptw->in_space)) {
+         return get_phys_addr_disabled(env, ptw, address, access_type,
+                                       result, fi);
+     }
+--
+.34.1

-New patch
+[PULL 18/35] target/arm/ptw: Pass an ARMSecuritySpace to arm_hcr_el2_eff_secstate()
+arm_hcr_el2_eff_secstate() takes a bool secure, which it uses to
+determine whether EL2 is enabled in the current security state.
+With the advent of FEAT_RME this is no longer sufficient, because
+EL2 can be enabled for Secure state but not for Root, and both
+of those will pass 'secure == true' in the callsites in ptw.c.
+As it happens in all of our callsites in ptw.c we either avoid making
+the call or else avoid using the returned value if we're doing a
+translation for Root, so this is not a behaviour change even if the
+experimental FEAT_RME is enabled.  But it is less confusing in the
+ptw.c code if we avoid the use of a bool secure that duplicates some
+of the information in the ArmSecuritySpace argument.
+Make arm_hcr_el2_eff_secstate() take an ARMSecuritySpace argument
+instead. Because we always want to know the HCR_EL2 for the
+security state defined by the current effective value of
+SCR_EL3.{NSE,NS}, it makes no sense to pass ARMSS_Root here,
+and we assert that callers don't do that.
+To avoid the assert(), we thus push the call to
+arm_hcr_el2_eff_secstate() down into the cases in
+regime_translation_disabled() that need it, rather than calling the
+function and ignoring the result for the Root space translations.
+All other calls to this function in ptw.c are already in places
+where we have confirmed that the mmu_idx is a stage 2 translation
+or that the regime EL is not 3.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20230807141514.19075-7-peter.maydell@linaro.org
+---
+ target/arm/cpu.h    |  2 +-
+ target/arm/helper.c |  8 +++++---
+ target/arm/ptw.c    | 15 +++++++--------
+files changed, 13 insertions(+), 12 deletions(-)
+diff --git a/target/arm/cpu.h b/target/arm/cpu.h
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/cpu.h
++++ b/target/arm/cpu.h
+@@ -XXX,XX +XXX,XX @@ static inline bool arm_is_el2_enabled(CPUARMState *env)
+  * "for all purposes other than a direct read or write access of HCR_EL2."
+  * Not included here is HCR_RW.
+  */
+-uint64_t arm_hcr_el2_eff_secstate(CPUARMState *env, bool secure);
++uint64_t arm_hcr_el2_eff_secstate(CPUARMState *env, ARMSecuritySpace space);
+ uint64_t arm_hcr_el2_eff(CPUARMState *env);
+ uint64_t arm_hcrx_el2_eff(CPUARMState *env);
+diff --git a/target/arm/helper.c b/target/arm/helper.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/helper.c
++++ b/target/arm/helper.c
+@@ -XXX,XX +XXX,XX @@ static void hcr_writelow(CPUARMState *env, const ARMCPRegInfo *ri,
+  * Bits that are not included here:
+  * RW       (read from SCR_EL3.RW as needed)
+  */
+-uint64_t arm_hcr_el2_eff_secstate(CPUARMState *env, bool secure)
++uint64_t arm_hcr_el2_eff_secstate(CPUARMState *env, ARMSecuritySpace space)
+ {
+     uint64_t ret = env->cp15.hcr_el2;
+-    if (!arm_is_el2_enabled_secstate(env, secure)) {
++    assert(space != ARMSS_Root);
++
++    if (!arm_is_el2_enabled_secstate(env, arm_space_is_secure(space))) {
+         /*
+          * "This register has no effect if EL2 is not enabled in the
+          * current Security state".  This is ARMv8.4-SecEL2 speak for
+@@ -XXX,XX +XXX,XX @@ uint64_t arm_hcr_el2_eff(CPUARMState *env)
+     if (arm_feature(env, ARM_FEATURE_M)) {
+         return 0;
+     }
+-    return arm_hcr_el2_eff_secstate(env, arm_is_secure_below_el3(env));
++    return arm_hcr_el2_eff_secstate(env, arm_security_space_below_el3(env));
+ }
+ /*
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/ptw.c
++++ b/target/arm/ptw.c
+@@ -XXX,XX +XXX,XX @@ static bool regime_translation_disabled(CPUARMState *env, ARMMMUIdx mmu_idx,
+                                         ARMSecuritySpace space)
+ {
+     uint64_t hcr_el2;
+-    bool is_secure = arm_space_is_secure(space);
+     if (arm_feature(env, ARM_FEATURE_M)) {
++        bool is_secure = arm_space_is_secure(space);
+         switch (env->v7m.mpu_ctrl[is_secure] &
+                 (R_V7M_MPU_CTRL_ENABLE_MASK | R_V7M_MPU_CTRL_HFNMIENA_MASK)) {
+         case R_V7M_MPU_CTRL_ENABLE_MASK:
+@@ -XXX,XX +XXX,XX @@ static bool regime_translation_disabled(CPUARMState *env, ARMMMUIdx mmu_idx,
+         }
+     }
+-    hcr_el2 = arm_hcr_el2_eff_secstate(env, is_secure);
+     switch (mmu_idx) {
+     case ARMMMUIdx_Stage2:
+     case ARMMMUIdx_Stage2_S:
+         /* HCR.DC means HCR.VM behaves as 1 */
++        hcr_el2 = arm_hcr_el2_eff_secstate(env, space);
+         return (hcr_el2 & (HCR_DC | HCR_VM)) == 0;
+     case ARMMMUIdx_E10_0:
+     case ARMMMUIdx_E10_1:
+     case ARMMMUIdx_E10_1_PAN:
+         /* TGE means that EL0/1 act as if SCTLR_EL1.M is zero */
++        hcr_el2 = arm_hcr_el2_eff_secstate(env, space);
+         if (hcr_el2 & HCR_TGE) {
+             return true;
+         }
+@@ -XXX,XX +XXX,XX @@ static bool regime_translation_disabled(CPUARMState *env, ARMMMUIdx mmu_idx,
+     case ARMMMUIdx_Stage1_E1:
+     case ARMMMUIdx_Stage1_E1_PAN:
+         /* HCR.DC means SCTLR_EL1.M behaves as 0 */
++        hcr_el2 = arm_hcr_el2_eff_secstate(env, space);
+         if (hcr_el2 & HCR_DC) {
+             return true;
+         }
+@@ -XXX,XX +XXX,XX @@ static bool fault_s1ns(ARMSecuritySpace space, ARMMMUIdx s2_mmu_idx)
+ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
+                              hwaddr addr, ARMMMUFaultInfo *fi)
+ {
+-    bool is_secure = ptw->in_secure;
+     ARMMMUIdx mmu_idx = ptw->in_mmu_idx;
+     ARMMMUIdx s2_mmu_idx = ptw->in_ptw_idx;
+     uint8_t pte_attrs;
+@@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
+     }
+     if (regime_is_stage2(s2_mmu_idx)) {
+-        uint64_t hcr = arm_hcr_el2_eff_secstate(env, is_secure);
++        uint64_t hcr = arm_hcr_el2_eff_secstate(env, ptw->in_space);
+         if ((hcr & HCR_PTW) && S2_attrs_are_device(hcr, pte_attrs)) {
+             /*
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_disabled(CPUARMState *env,
+                                    ARMMMUFaultInfo *fi)
+ {
+     ARMMMUIdx mmu_idx = ptw->in_mmu_idx;
+-    bool is_secure = arm_space_is_secure(ptw->in_space);
+     uint8_t memattr = 0x00;    /* Device nGnRnE */
+     uint8_t shareability = 0;  /* non-shareable */
+     int r_el;
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_disabled(CPUARMState *env,
+         /* Fill in cacheattr a-la AArch64.TranslateAddressS1Off. */
+         if (r_el == 1) {
+-            uint64_t hcr = arm_hcr_el2_eff_secstate(env, is_secure);
++            uint64_t hcr = arm_hcr_el2_eff_secstate(env, ptw->in_space);
+             if (hcr & HCR_DC) {
+                 if (hcr & HCR_DCT) {
+                     memattr = 0xf0;  /* Tagged, Normal, WB, RWA */
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
+ {
+     hwaddr ipa;
+     int s1_prot, s1_lgpgsz;
+-    bool is_secure = ptw->in_secure;
+     ARMSecuritySpace in_space = ptw->in_space;
+     bool ret, ipa_secure;
+     ARMCacheAttrs cacheattrs1;
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
+     }
+     /* Combine the S1 and S2 cache attributes. */
+-    hcr = arm_hcr_el2_eff_secstate(env, is_secure);
++    hcr = arm_hcr_el2_eff_secstate(env, in_space);
+     if (hcr & HCR_DC) {
+         /*
+          * HCR.DC forces the first stage attributes to
+--
+.34.1

-New patch
+[PULL 19/35] target/arm: Pass an ARMSecuritySpace to arm_is_el2_enabled_secstate()
+Pass an ARMSecuritySpace instead of a bool secure to
+arm_is_el2_enabled_secstate(). This doesn't change behaviour.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20230807141514.19075-8-peter.maydell@linaro.org
+---
+ target/arm/cpu.h    | 13 ++++++++-----
+ target/arm/helper.c |  2 +-
+files changed, 9 insertions(+), 6 deletions(-)
+diff --git a/target/arm/cpu.h b/target/arm/cpu.h
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/cpu.h
++++ b/target/arm/cpu.h
+@@ -XXX,XX +XXX,XX @@ static inline bool arm_is_secure(CPUARMState *env)
+ /*
+  * Return true if the current security state has AArch64 EL2 or AArch32 Hyp.
+- * This corresponds to the pseudocode EL2Enabled()
++ * This corresponds to the pseudocode EL2Enabled().
+  */
+-static inline bool arm_is_el2_enabled_secstate(CPUARMState *env, bool secure)
++static inline bool arm_is_el2_enabled_secstate(CPUARMState *env,
++                                               ARMSecuritySpace space)
+ {
++    assert(space != ARMSS_Root);
+     return arm_feature(env, ARM_FEATURE_EL2)
+-           && (!secure || (env->cp15.scr_el3 & SCR_EEL2));
++           && (space != ARMSS_Secure || (env->cp15.scr_el3 & SCR_EEL2));
+ }
+ static inline bool arm_is_el2_enabled(CPUARMState *env)
+ {
+-    return arm_is_el2_enabled_secstate(env, arm_is_secure_below_el3(env));
++    return arm_is_el2_enabled_secstate(env, arm_security_space_below_el3(env));
+ }
+ #else
+@@ -XXX,XX +XXX,XX @@ static inline bool arm_is_secure(CPUARMState *env)
+     return false;
+ }
+-static inline bool arm_is_el2_enabled_secstate(CPUARMState *env, bool secure)
++static inline bool arm_is_el2_enabled_secstate(CPUARMState *env,
++                                               ARMSecuritySpace space)
+ {
+     return false;
+ }
+diff --git a/target/arm/helper.c b/target/arm/helper.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/helper.c
++++ b/target/arm/helper.c
+@@ -XXX,XX +XXX,XX @@ uint64_t arm_hcr_el2_eff_secstate(CPUARMState *env, ARMSecuritySpace space)
+     assert(space != ARMSS_Root);
+-    if (!arm_is_el2_enabled_secstate(env, arm_space_is_secure(space))) {
++    if (!arm_is_el2_enabled_secstate(env, space)) {
+         /*
+          * "This register has no effect if EL2 is not enabled in the
+          * current Security state".  This is ARMv8.4-SecEL2 speak for
+--
+.34.1

-New patch
+[PULL 20/35] target/arm/ptw: Only fold in NSTable bit effects in Secure state
+When we do a translation in Secure state, the NSTable bits in table
+descriptors may downgrade us to NonSecure; we update ptw->in_secure
+and ptw->in_space accordingly.  We guard that check correctly with a
+conditional that means it's only applied for Secure stage 1
+translations.  However, later on in get_phys_addr_lpae() we fold the
+effects of the NSTable bits into the final descriptor attributes
+bits, and there we do it unconditionally regardless of the CPU state.
+That means that in Realm state (where in_secure is false) we will set
+bit 5 in attrs, and later use it to decide to output to non-secure
+space.
+We don't in fact need to do this folding in at all any more (since
+commit 2f1ff4e7b9f30c): if an NSTable bit was set then we have
+already set ptw->in_space to ARMSS_NonSecure, and in that situation
+we don't look at attrs bit 5.  The only thing we still need to deal
+with is the real NS bit in the final descriptor word, so we can just
+drop the code that ORed in the NSTable bit.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20230807141514.19075-9-peter.maydell@linaro.org
+---
+ target/arm/ptw.c | 3 +--
+file changed, 1 insertion(+), 2 deletions(-)
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/ptw.c
++++ b/target/arm/ptw.c
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
+      * Extract attributes from the (modified) descriptor, and apply
+      * table descriptors. Stage 2 table descriptors do not include
+      * any attribute fields. HPD disables all the table attributes
+-     * except NSTable.
++     * except NSTable (which we have already handled).
+      */
+     attrs = new_descriptor & (MAKE_64BIT_MASK(2, 10) | MAKE_64BIT_MASK(50, 14));
+     if (!regime_is_stage2(mmu_idx)) {
+-        attrs |= !ptw->in_secure << 5; /* NS */
+         if (!param.hpd) {
+             attrs |= extract64(tableattrs, 0, 2) << 53;     /* XN, PXN */
+             /*
+--
+.34.1

-New patch
+[PULL 21/35] target/arm/ptw: Remove last uses of ptw->in_secure
+Replace the last uses of ptw->in_secure with appropriate
+checks on ptw->in_space.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20230807141514.19075-10-peter.maydell@linaro.org
+---
+ target/arm/ptw.c | 11 +++++++----
+file changed, 7 insertions(+), 4 deletions(-)
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/ptw.c
++++ b/target/arm/ptw.c
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_nogpc(CPUARMState *env, S1Translate *ptw,
+                                       ARMMMUFaultInfo *fi)
+ {
+     ARMMMUIdx mmu_idx = ptw->in_mmu_idx;
+-    bool is_secure = ptw->in_secure;
+     ARMMMUIdx s1_mmu_idx;
+     /*
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_nogpc(CPUARMState *env, S1Translate *ptw,
+      * cannot upgrade a NonSecure translation regime's attributes
+      * to Secure or Realm.
+      */
+-    result->f.attrs.secure = is_secure;
+     result->f.attrs.space = ptw->in_space;
++    result->f.attrs.secure = arm_space_is_secure(ptw->in_space);
+     switch (mmu_idx) {
+     case ARMMMUIdx_Phys_S:
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_nogpc(CPUARMState *env, S1Translate *ptw,
+     case ARMMMUIdx_Stage1_E0:
+     case ARMMMUIdx_Stage1_E1:
+     case ARMMMUIdx_Stage1_E1_PAN:
+-        /* First stage lookup uses second stage for ptw. */
+-        ptw->in_ptw_idx = is_secure ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2;
++        /*
++         * First stage lookup uses second stage for ptw; only
++         * Secure has both S and NS IPA and starts with Stage2_S.
++         */
++        ptw->in_ptw_idx = (ptw->in_space == ARMSS_Secure) ?
++            ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2;
+         break;
+     case ARMMMUIdx_Stage2:
+--
+.34.1

-New patch
+[PULL 22/35] target/arm/ptw: Remove S1Translate::in_secure
+We no longer look at the in_secure field of the S1Translate struct
+anyway, so we can remove it and all the code which sets it.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20230807141514.19075-11-peter.maydell@linaro.org
+---
+ target/arm/ptw.c | 13 -------------
+file changed, 13 deletions(-)
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/ptw.c
++++ b/target/arm/ptw.c
+@@ -XXX,XX +XXX,XX @@ typedef struct S1Translate {
+      *    value being Stage2 vs Stage2_S distinguishes those.
+      */
+     ARMSecuritySpace in_space;
+-    /*
+-     * in_secure: whether the translation regime is a Secure one.
+-     * This is always equal to arm_space_is_secure(in_space).
+-     * If a Secure ptw is "downgraded" to NonSecure by an NSTable bit,
+-     * this field is updated accordingly.
+-     */
+-    bool in_secure;
+     /*
+      * in_debug: is this a QEMU debug access (gdbstub, etc)? Debug
+      * accesses will not update the guest page table access flags
+@@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
+         S1Translate s2ptw = {
+             .in_mmu_idx = s2_mmu_idx,
+             .in_ptw_idx = ptw_idx_for_stage_2(env, s2_mmu_idx),
+-            .in_secure = arm_space_is_secure(s2_space),
+             .in_space = s2_space,
+             .in_debug = true,
+         };
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
+         QEMU_BUILD_BUG_ON(ARMMMUIdx_Phys_S + 1 != ARMMMUIdx_Phys_NS);
+         QEMU_BUILD_BUG_ON(ARMMMUIdx_Stage2_S + 1 != ARMMMUIdx_Stage2);
+         ptw->in_ptw_idx += 1;
+-        ptw->in_secure = false;
+         ptw->in_space = ARMSS_NonSecure;
+     }
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
+     ptw->in_s1_is_el0 = ptw->in_mmu_idx == ARMMMUIdx_Stage1_E0;
+     ptw->in_mmu_idx = ipa_secure ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2;
+-    ptw->in_secure = ipa_secure;
+     ptw->in_space = ipa_space;
+     ptw->in_ptw_idx = ptw_idx_for_stage_2(env, ptw->in_mmu_idx);
+@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
+ {
+     S1Translate ptw = {
+         .in_mmu_idx = mmu_idx,
+-        .in_secure = is_secure,
+         .in_space = arm_secure_to_space(is_secure),
+     };
+     return get_phys_addr_gpc(env, &ptw, address, access_type, result, fi);
+@@ -XXX,XX +XXX,XX @@ bool get_phys_addr(CPUARMState *env, target_ulong address,
+     }
+     ptw.in_space = ss;
+-    ptw.in_secure = arm_space_is_secure(ss);
+     return get_phys_addr_gpc(env, &ptw, address, access_type, result, fi);
+ }
+@@ -XXX,XX +XXX,XX @@ hwaddr arm_cpu_get_phys_page_attrs_debug(CPUState *cs, vaddr addr,
+     S1Translate ptw = {
+         .in_mmu_idx = mmu_idx,
+         .in_space = ss,
+-        .in_secure = arm_space_is_secure(ss),
+         .in_debug = true,
+     };
+     GetPhysAddrResult res = {};
+--
+.34.1

-[PULL 11/20] elf_ops.h: Be more verbose with ROM blob names
+[PULL 23/35] target/arm/ptw: Drop S1Translate::out_secure
-Instead of making the ROM blob name something like:
+We only use S1Translate::out_secure in two places, where we are
-  phdr #0: /home/petmay01/linaro/qemu-misc-tests/ldmia-fault.axf
+setting up MemTxAttrs for a page table load. We can use
-make it a little more self-explanatory for people who don't know
+arm_space_is_secure(ptw->out_space) instead, which guarantees
-ELF format details:
+that we're setting the MemTxAttrs secure and space fields
-  /home/petmay01/linaro/qemu-misc-tests/ldmia-fault.axf ELF program header segment 0
+consistently, and allows us to drop the out_secure field in
 S1Translate entirely.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20201129203923.10622-5-peter.maydell@linaro.org
+Message-id: 20230807141514.19075-12-peter.maydell@linaro.org
 ---
- include/hw/elf_ops.h | 3 ++-
+ target/arm/ptw.c | 7 ++-----
-file changed, 2 insertions(+), 1 deletion(-)
+file changed, 2 insertions(+), 5 deletions(-)
-diff --git a/include/hw/elf_ops.h b/include/hw/elf_ops.h
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
---- a/include/hw/elf_ops.h
+--- a/target/arm/ptw.c
-+++ b/include/hw/elf_ops.h
++++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ static int glue(load_elf, SZ)(const char *name, int fd,
+@@ -XXX,XX +XXX,XX @@ typedef struct S1Translate {
-             if (mem_size != 0) {
+      * Stage 2 is indicated by in_mmu_idx set to ARMMMUIdx_Stage2{,_S}.
-                 if (load_rom) {
+      */
-                     g_autofree char *label =
+     bool in_s1_is_el0;
--                        g_strdup_printf("phdr #%d: %s", i, name);
+-    bool out_secure;
-+                        g_strdup_printf("%s ELF program header segment %d",
+     bool out_rw;
-+                                        name, i);
+     bool out_be;
+     ARMSecuritySpace out_space;
-                     /*
+@@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
-                      * rom_add_elf_program() takes its own reference to
+         pte_attrs = s2.cacheattrs.attrs;
          ptw->out_host = NULL;
          ptw->out_rw = false;
 -        ptw->out_secure = s2.f.attrs.secure;
          ptw->out_space = s2.f.attrs.space;
      } else {
  #ifdef CONFIG_TCG
@@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
          ptw->out_phys = full->phys_addr | (addr & ~TARGET_PAGE_MASK);
          ptw->out_rw = full->prot & PAGE_WRITE;
          pte_attrs = full->pte_attrs;
 -        ptw->out_secure = full->attrs.secure;
          ptw->out_space = full->attrs.space;
  #else
          g_assert_not_reached();
@@ -XXX,XX +XXX,XX @@ static uint32_t arm_ldl_ptw(CPUARMState *env, S1Translate *ptw,
      } else {
          /* Page tables are in MMIO. */
          MemTxAttrs attrs = {
 -            .secure = ptw->out_secure,
              .space = ptw->out_space,
 +            .secure = arm_space_is_secure(ptw->out_space),
          };
          AddressSpace *as = arm_addressspace(cs, attrs);
          MemTxResult result = MEMTX_OK;
@@ -XXX,XX +XXX,XX @@ static uint64_t arm_ldq_ptw(CPUARMState *env, S1Translate *ptw,
      } else {
          /* Page tables are in MMIO. */
          MemTxAttrs attrs = {
 -            .secure = ptw->out_secure,
              .space = ptw->out_space,
 +            .secure = arm_space_is_secure(ptw->out_space),
          };
          AddressSpace *as = arm_addressspace(cs, attrs);
          MemTxResult result = MEMTX_OK;
 --
-.20.1
+.34.1

-[PULL 10/20] elf_ops.h: Don't truncate name of the ROM blobs we create
+[PULL 24/35] target/arm/ptw: Set attributes correctly for MMU disabled data accesses
-Currently the load_elf code assembles the ROM blob name into a
+When the MMU is disabled, data accesses should be Device nGnRnE,
-local 128 byte fixed-size array. Use g_strdup_printf() instead so
+Outer Shareable, Untagged.  We handle the other cases from
-that we don't truncate the pathname if it happens to be long.
+AArch64.S1DisabledOutput() correctly but missed this one.
-(This matters mostly for monitor 'info roms' output and for the
+Device nGnRnE is memattr == 0, so the only part we were missing
-error messages if ROM blobs overlap.)
+was that shareability should be set to 2 for both insn fetches
 and data accesses.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20201129203923.10622-4-peter.maydell@linaro.org
+Message-id: 20230807141514.19075-13-peter.maydell@linaro.org
 ---
- include/hw/elf_ops.h | 4 ++--
+ target/arm/ptw.c | 12 +++++++-----
-file changed, 2 insertions(+), 2 deletions(-)
+file changed, 7 insertions(+), 5 deletions(-)
-diff --git a/include/hw/elf_ops.h b/include/hw/elf_ops.h
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
---- a/include/hw/elf_ops.h
+--- a/target/arm/ptw.c
-+++ b/include/hw/elf_ops.h
++++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ static int glue(load_elf, SZ)(const char *name, int fd,
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_disabled(CPUARMState *env,
-     uint64_t addr, low = (uint64_t)-1, high = 0;
+                 }
-     GMappedFile *mapped_file = NULL;
+             }
-     uint8_t *data = NULL;
+         }
--    char label[128];
+-        if (memattr == 0 && access_type == MMU_INST_FETCH) {
-     int ret = ELF_LOAD_FAILED;
+-            if (regime_sctlr(env, mmu_idx) & SCTLR_I) {
+-                memattr = 0xee;  /* Normal, WT, RA, NT */
-     if (read(fd, &ehdr, sizeof(ehdr)) != sizeof(ehdr))
+-            } else {
-@@ -XXX,XX +XXX,XX @@ static int glue(load_elf, SZ)(const char *name, int fd,
+-                memattr = 0x44;  /* Normal, NC, No */
-              */
++        if (memattr == 0) {
-             if (mem_size != 0) {
++            if (access_type == MMU_INST_FETCH) {
-                 if (load_rom) {
++                if (regime_sctlr(env, mmu_idx) & SCTLR_I) {
--                    snprintf(label, sizeof(label), "phdr #%d: %s", i, name);
++                    memattr = 0xee;  /* Normal, WT, RA, NT */
-+                    g_autofree char *label =
++                } else {
-+                        g_strdup_printf("phdr #%d: %s", i, name);
++                    memattr = 0x44;  /* Normal, NC, No */
++                }
-                     /*
+             }
-                      * rom_add_elf_program() takes its own reference to
+             shareability = 2; /* outer shareable */
          }
 --
-.20.1
+.34.1

-[PULL 06/20] target/nios2: Move nios2_check_interrupts() into target/nios2
+[PULL 25/35] target/arm/ptw: Check for block descriptors at invalid levels
-The function nios2_check_interrupts)() looks only at CPU-internal
+The architecture doesn't permit block descriptors at any arbitrary
-state; it belongs in target/nios2, not hw/nios2.  Move it into the
+level of the page table walk; it depends on the granule size which
-same file as its only caller, so it can just be local to that file.
+levels are permitted.  We implemented only a partial version of this
 check which assumes that block descriptors are valid at all levels
 except level 3, which meant that we wouldn't deliver the Translation
 fault for all cases of this sort of guest page table error.
-This removes the only remaining code from cpu_pic.c, so we can delete
+Implement the logic corresponding to the pseudocode
-that file entirely.
+AArch64.DecodeDescriptorType() and AArch64.BlockDescSupported().
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20201129174022.26530-3-peter.maydell@linaro.org
+Message-id: 20230807141514.19075-14-peter.maydell@linaro.org
 Reviewed-by: Wentong Wu <wentong.wu@intel.com>
 Tested-by: Wentong Wu <wentong.wu@intel.com>
 ---
- target/nios2/cpu.h       |  2 --
+ target/arm/ptw.c | 25 +++++++++++++++++++++++--
- hw/nios2/cpu_pic.c       | 36 ------------------------------------
+file changed, 23 insertions(+), 2 deletions(-)
  target/nios2/op_helper.c |  9 +++++++++
  hw/nios2/meson.build     |  2 +-
 files changed, 10 insertions(+), 39 deletions(-)
  delete mode 100644 hw/nios2/cpu_pic.c
-diff --git a/target/nios2/cpu.h b/target/nios2/cpu.h
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/nios2/cpu.h
+--- a/target/arm/ptw.c
-+++ b/target/nios2/cpu.h
++++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ void nios2_cpu_do_unaligned_access(CPUState *cpu, vaddr addr,
+@@ -XXX,XX +XXX,XX @@ static int check_s2_mmu_setup(ARMCPU *cpu, bool is_aa64, uint64_t tcr,
-                                    MMUAccessType access_type,
+     return INT_MIN;
                                     int mmu_idx, uintptr_t retaddr);
 -void nios2_check_interrupts(CPUNios2State *env);
 -
  void do_nios2_semihosting(CPUNios2State *env);
  #define CPU_RESOLVING_TYPE TYPE_NIOS2_CPU
 diff --git a/hw/nios2/cpu_pic.c b/hw/nios2/cpu_pic.c
 deleted file mode 100644
 index XXXXXXX..XXXXXXX
 --- a/hw/nios2/cpu_pic.c
 +++ /dev/null
@@ -XXX,XX +XXX,XX @@
 -/*
 - * Altera Nios2 CPU PIC
 - *
 - * Copyright (c) 2016 Marek Vasut <marek.vasut@gmail.com>
 - *
 - * This library is free software; you can redistribute it and/or
 - * modify it under the terms of the GNU Lesser General Public
 - * License as published by the Free Software Foundation; either
 - * version 2.1 of the License, or (at your option) any later version.
 - *
 - * This library is distributed in the hope that it will be useful,
 - * but WITHOUT ANY WARRANTY; without even the implied warranty of
 - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 - * Lesser General Public License for more details.
 - *
 - * You should have received a copy of the GNU Lesser General Public
 - * License along with this library; if not, see
 - * <http://www.gnu.org/licenses/lgpl-2.1.html>
 - */
 -
 -#include "qemu/osdep.h"
 -#include "cpu.h"
 -#include "hw/irq.h"
 -
 -#include "qemu/config-file.h"
 -
 -#include "boot.h"
 -
 -void nios2_check_interrupts(CPUNios2State *env)
 -{
 -    if (env->irq_pending &&
 -        (env->regs[CR_STATUS] & CR_STATUS_PIE)) {
 -        env->irq_pending = 0;
 -        cpu_interrupt(env_cpu(env), CPU_INTERRUPT_HARD);
 -    }
 -}
 diff --git a/target/nios2/op_helper.c b/target/nios2/op_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/nios2/op_helper.c
 +++ b/target/nios2/op_helper.c
@@ -XXX,XX +XXX,XX @@ void helper_mmu_write(CPUNios2State *env, uint32_t rn, uint32_t v)
      mmu_write(env, rn, v);
  }
-+static void nios2_check_interrupts(CPUNios2State *env)
++static bool lpae_block_desc_valid(ARMCPU *cpu, bool ds,
 +                                  ARMGranuleSize gran, int level)
 +{
-+    if (env->irq_pending &&
++    /*
-+        (env->regs[CR_STATUS] & CR_STATUS_PIE)) {
++     * See pseudocode AArch46.BlockDescSupported(): block descriptors
-+        env->irq_pending = 0;
++     * are not valid at all levels, depending on the page size.
-+        cpu_interrupt(env_cpu(env), CPU_INTERRUPT_HARD);
++     */
 +    switch (gran) {
 +    case Gran4K:
 +        return (level == 0 && ds) || level == 1 || level == 2;
 +    case Gran16K:
 +        return (level == 1 && ds) || level == 2;
 +    case Gran64K:
 +        return (level == 1 && arm_pamax(cpu) == 52) || level == 2;
 +    default:
 +        g_assert_not_reached();
 +    }
 +}
 +
- void helper_check_interrupts(CPUNios2State *env)
+ /**
- {
+  * get_phys_addr_lpae: perform one stage of page table walk, LPAE format
-     qemu_mutex_lock_iothread();
+  *
-diff --git a/hw/nios2/meson.build b/hw/nios2/meson.build
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
-index XXXXXXX..XXXXXXX 100644
+     new_descriptor = descriptor;
---- a/hw/nios2/meson.build
-+++ b/hw/nios2/meson.build
+  restart_atomic_update:
-@@ -XXX,XX +XXX,XX @@
+-    if (!(descriptor & 1) || (!(descriptor & 2) && (level == 3))) {
- nios2_ss = ss.source_set()
+-        /* Invalid, or the Reserved level 3 encoding */
--nios2_ss.add(files('boot.c', 'cpu_pic.c'))
++    if (!(descriptor & 1) ||
-+nios2_ss.add(files('boot.c'))
++        (!(descriptor & 2) &&
- nios2_ss.add(when: 'CONFIG_NIOS2_10M50', if_true: files('10m50_devboard.c'))
++         !lpae_block_desc_valid(cpu, param.ds, param.gran, level))) {
- nios2_ss.add(when: 'CONFIG_NIOS2_GENERIC_NOMMU', if_true: files('generic_nommu.c'))
++        /* Invalid, or a block descriptor at an invalid level */
          goto do_translation_fault;
      }
 --
-.20.1
+.34.1

-[PULL 02/20] hw/openrisc/openrisc_sim: Use IRQ splitter when connecting IRQ to multiple CPUs
+[PULL 26/35] target/arm/ptw: Report stage 2 fault level for stage 2 faults on stage 1 ptw
-openrisc_sim_net_init() attempts to connect the IRQ line from the
+When we report faults due to stage 2 faults during a stage 1
-ethernet device to both CPUs in an SMP configuration by simply caling
+page table walk, the 'level' parameter should be the level
-sysbus_connect_irq() for it twice.  This doesn't work, because the
+of the walk in stage 2 that faulted, not the level of the
-second connection simply overrides the first.
+walk in stage 1. Correct the reporting of these faults.
 Fix this by creating a TYPE_SPLIT_IRQ to split the IRQ in the SMP
 case.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Stafford Horne <shorne@gmail.com>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20201127225127.14770-2-peter.maydell@linaro.org
+Message-id: 20230807141514.19075-15-peter.maydell@linaro.org
 ---
- hw/openrisc/openrisc_sim.c | 13 +++++++++++--
+ target/arm/ptw.c | 10 +++++++---
- hw/openrisc/Kconfig        |  1 +
+file changed, 7 insertions(+), 3 deletions(-)
 files changed, 12 insertions(+), 2 deletions(-)
-diff --git a/hw/openrisc/openrisc_sim.c b/hw/openrisc/openrisc_sim.c
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/openrisc/openrisc_sim.c
+--- a/target/arm/ptw.c
-+++ b/hw/openrisc/openrisc_sim.c
++++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
- #include "hw/sysbus.h"
+  do_translation_fault:
- #include "sysemu/qtest.h"
+     fi->type = ARMFault_Translation;
- #include "sysemu/reset.h"
+  do_fault:
-+#include "hw/core/split-irq.h"
+-    fi->level = level;
+-    /* Tag the error as S2 for failed S1 PTW at S2 or ordinary S2.  */
- #define KERNEL_LOAD_ADDR 0x100
+-    fi->stage2 = fi->s1ptw || regime_is_stage2(mmu_idx);
++    if (fi->s1ptw) {
-@@ -XXX,XX +XXX,XX @@ static void openrisc_sim_net_init(hwaddr base, hwaddr descriptors,
++        /* Retain the existing stage 2 fi->level */
++        assert(fi->stage2);
      s = SYS_BUS_DEVICE(dev);
      sysbus_realize_and_unref(s, &error_fatal);
 -    for (i = 0; i < num_cpus; i++) {
 -        sysbus_connect_irq(s, 0, cpu_irqs[i][irq_pin]);
 +    if (num_cpus > 1) {
 +        DeviceState *splitter = qdev_new(TYPE_SPLIT_IRQ);
 +        qdev_prop_set_uint32(splitter, "num-lines", num_cpus);
 +        qdev_realize_and_unref(splitter, NULL, &error_fatal);
 +        for (i = 0; i < num_cpus; i++) {
 +            qdev_connect_gpio_out(splitter, i, cpu_irqs[i][irq_pin]);
 +        }
 +        sysbus_connect_irq(s, 0, qdev_get_gpio_in(splitter, 0));
 +    } else {
-+        sysbus_connect_irq(s, 0, cpu_irqs[0][irq_pin]);
++        fi->level = level;
-     }
++        fi->stage2 = regime_is_stage2(mmu_idx);
-     sysbus_mmio_map(s, 0, base);
++    }
-     sysbus_mmio_map(s, 1, descriptors);
+     fi->s1ns = fault_s1ns(ptw->in_space, mmu_idx);
-diff --git a/hw/openrisc/Kconfig b/hw/openrisc/Kconfig
+     return true;
-index XXXXXXX..XXXXXXX 100644
+ }
 --- a/hw/openrisc/Kconfig
 +++ b/hw/openrisc/Kconfig
@@ -XXX,XX +XXX,XX @@ config OR1K_SIM
      select SERIAL
      select OPENCORES_ETH
      select OMPIC
 +    select SPLIT_IRQ
 --
-.20.1
+.34.1

-[PULL 09/20] hw/core/loader.c: Improve reporting of ROM overlap errors
+[PULL 27/35] target/arm: Adjust PAR_EL1.SH for Device and Normal-NC memory types
-In rom_check_and_register_reset() we report to the user if there is
+The PAR_EL1.SH field documents that for the cases of:
-a "ROM region overlap". This has a couple of problems:
+ * Device memory
- * the reported information is not very easy to intepret
+ * Normal memory with both Inner and Outer Non-Cacheable
- * the function just prints the overlap to stderr (and relies on
+the field should be 0b10 rather than whatever was in the
-   its single callsite in vl.c to do an error_report() and exit)
+translation table descriptor field. (In the pseudocode this
- * only the first overlap encountered is diagnosed
+is handled by PAREncodeShareability().) Perform this
+adjustment when assembling a PAR value.
 Make this function use error_report() and error_printf() and
 report a more user-friendly report with all the overlaps
 diagnosed.
 Sample old output:
 rom: requested regions overlap (rom dtb. free=0x0000000000008000, addr=0x0000000000000000)
 qemu-system-aarch64: rom check and register reset failed
 Sample new output:
 qemu-system-aarch64: Some ROM regions are overlapping
 These ROM regions might have been loaded by direct user request or by default.
 They could be BIOS/firmware images, a guest kernel, initrd or some other file loaded into guest memory.
 Check whether you intended to load all this guest code, and whether it has been built to load to the correct addresses.
 The following two regions overlap (in the cpu-memory-0 address space):
   phdr #0: /home/petmay01/linaro/qemu-misc-tests/ldmia-fault.axf (addresses 0x0000000000000000 - 0x0000000000008000)
   dtb (addresses 0x0000000000000000 - 0x0000000000100000)
 The following two regions overlap (in the cpu-memory-0 address space):
   phdr #1: /home/petmay01/linaro/qemu-misc-tests/bad-psci-call.axf (addresses 0x0000000040000000 - 0x0000000040000010)
   phdr #0: /home/petmay01/linaro/qemu-misc-tests/bp-test.elf (addresses 0x0000000040000000 - 0x0000000040000020)
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20201129203923.10622-3-peter.maydell@linaro.org
+Message-id: 20230807141514.19075-16-peter.maydell@linaro.org
 ---
- hw/core/loader.c | 48 ++++++++++++++++++++++++++++++++++++++++++------
+ target/arm/helper.c | 15 ++++++++++++++-
- softmmu/vl.c     |  1 -
+file changed, 14 insertions(+), 1 deletion(-)
 files changed, 42 insertions(+), 7 deletions(-)
-diff --git a/hw/core/loader.c b/hw/core/loader.c
+diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/core/loader.c
+--- a/target/arm/helper.c
-+++ b/hw/core/loader.c
++++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static bool roms_overlap(Rom *last_rom, Rom *this_rom)
+@@ -XXX,XX +XXX,XX @@ static CPAccessResult ats_access(CPUARMState *env, const ARMCPRegInfo *ri,
          last_rom->addr + last_rom->romsize > this_rom->addr;
  }
-+static const char *rom_as_name(Rom *rom)
+ #ifdef CONFIG_TCG
 +static int par_el1_shareability(GetPhysAddrResult *res)
 +{
-+    const char *name = rom->as ? rom->as->name : NULL;
++    /*
-+    return name ?: "anonymous";
++     * The PAR_EL1.SH field must be 0b10 for Device or Normal-NC
 +     * memory -- see pseudocode PAREncodeShareability().
 +     */
 +    if (((res->cacheattrs.attrs & 0xf0) == 0) ||
 +        res->cacheattrs.attrs == 0x44 || res->cacheattrs.attrs == 0x40) {
 +        return 2;
 +    }
 +    return res->cacheattrs.shareability;
 +}
 +
-+static void rom_print_overlap_error_header(void)
+ static uint64_t do_ats_write(CPUARMState *env, uint64_t value,
-+{
+                              MMUAccessType access_type, ARMMMUIdx mmu_idx,
-+    error_report("Some ROM regions are overlapping");
+                              bool is_secure)
-+    error_printf(
+@@ -XXX,XX +XXX,XX @@ static uint64_t do_ats_write(CPUARMState *env, uint64_t value,
-+        "These ROM regions might have been loaded by "
+                 par64 |= (1 << 9); /* NS */
 +        "direct user request or by default.\n"
 +        "They could be BIOS/firmware images, a guest kernel, "
 +        "initrd or some other file loaded into guest memory.\n"
 +        "Check whether you intended to load all this guest code, and "
 +        "whether it has been built to load to the correct addresses.\n");
 +}
 +
 +static void rom_print_one_overlap_error(Rom *last_rom, Rom *rom)
 +{
 +    error_printf(
 +        "\nThe following two regions overlap (in the %s address space):\n",
 +        rom_as_name(rom));
 +    error_printf(
 +        "  %s (addresses 0x" TARGET_FMT_plx " - 0x" TARGET_FMT_plx ")\n",
 +        last_rom->name, last_rom->addr, last_rom->addr + last_rom->romsize);
 +    error_printf(
 +        "  %s (addresses 0x" TARGET_FMT_plx " - 0x" TARGET_FMT_plx ")\n",
 +        rom->name, rom->addr, rom->addr + rom->romsize);
 +}
 +
  int rom_check_and_register_reset(void)
  {
      MemoryRegionSection section;
      Rom *rom, *last_rom = NULL;
 +    bool found_overlap = false;
      QTAILQ_FOREACH(rom, &roms, next) {
          if (rom->fw_file) {
@@ -XXX,XX +XXX,XX @@ int rom_check_and_register_reset(void)
          }
          if (!rom->mr) {
              if (roms_overlap(last_rom, rom)) {
 -                fprintf(stderr, "rom: requested regions overlap "
 -                        "(rom %s. free=0x" TARGET_FMT_plx
 -                        ", addr=0x" TARGET_FMT_plx ")\n",
 -                        rom->name, last_rom->addr + last_rom->romsize,
 -                        rom->addr);
 -                return -1;
 +                if (!found_overlap) {
 +                    found_overlap = true;
 +                    rom_print_overlap_error_header();
 +                }
 +                rom_print_one_overlap_error(last_rom, rom);
 +                /* Keep going through the list so we report all overlaps */
              }
-             last_rom = rom;
+             par64 |= (uint64_t)res.cacheattrs.attrs << 56; /* ATTR */
-         }
+-            par64 |= res.cacheattrs.shareability << 7; /* SH */
-@@ -XXX,XX +XXX,XX @@ int rom_check_and_register_reset(void)
++            par64 |= par_el1_shareability(&res) << 7; /* SH */
-         rom->isrom = int128_nz(section.size) && memory_region_is_rom(section.mr);
+         } else {
-         memory_region_unref(section.mr);
+             uint32_t fsr = arm_fi_to_lfsc(&fi);
      }
 +    if (found_overlap) {
 +        return -1;
 +    }
 +
      qemu_register_reset(rom_reset, NULL);
      roms_loaded = 1;
      return 0;
 diff --git a/softmmu/vl.c b/softmmu/vl.c
 index XXXXXXX..XXXXXXX 100644
 --- a/softmmu/vl.c
 +++ b/softmmu/vl.c
@@ -XXX,XX +XXX,XX @@ static void qemu_machine_creation_done(void)
      qemu_run_machine_init_done_notifiers();
      if (rom_check_and_register_reset() != 0) {
 -        error_report("rom check and register reset failed");
          exit(1);
      }
 --
-.20.1
+.34.1

-[PULL 17/20] hw/block/m25p80: Make Numonyx config field names more accurate
+[PULL 28/35] target/arm/ptw: Load stage-2 tables from realm physical space
-From: Joe Komlodi <joe.komlodi@xilinx.com>
+From: Jean-Philippe Brucker <jean-philippe@linaro.org>
-The previous naming of the configuration registers made it sound like that if
+In realm state, stage-2 translation tables are fetched from the realm
-the bits were set the settings would be enabled, while the opposite is true.
+physical address space (R_PGRQD).
-Signed-off-by: Joe Komlodi <komlodi@xilinx.com>
+Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
-Reviewed-by: Francisco Iglesias <francisco.iglesias@xilinx.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 1605568264-26376-2-git-send-email-komlodi@xilinx.com
+Message-id: 20230809123706.1842548-2-jean-philippe@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/block/m25p80.c | 12 ++++++------
+ target/arm/ptw.c | 26 ++++++++++++++++++--------
-file changed, 6 insertions(+), 6 deletions(-)
+file changed, 18 insertions(+), 8 deletions(-)
-diff --git a/hw/block/m25p80.c b/hw/block/m25p80.c
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/block/m25p80.c
+--- a/target/arm/ptw.c
-+++ b/hw/block/m25p80.c
++++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ typedef struct FlashPartInfo {
+@@ -XXX,XX +XXX,XX @@ static ARMMMUIdx ptw_idx_for_stage_2(CPUARMState *env, ARMMMUIdx stage2idx)
- #define VCFG_WRAP_SEQUENTIAL 0x2
- #define NVCFG_XIP_MODE_DISABLED (7 << 9)
+     /*
- #define NVCFG_XIP_MODE_MASK (7 << 9)
+      * We're OK to check the current state of the CPU here because
--#define VCFG_XIP_MODE_ENABLED (1 << 3)
+-     * (1) we always invalidate all TLBs when the SCR_EL3.NS bit changes
-+#define VCFG_XIP_MODE_DISABLED (1 << 3)
++     * (1) we always invalidate all TLBs when the SCR_EL3.NS or SCR_EL3.NSE bit
- #define CFG_DUMMY_CLK_LEN 4
++     * changes.
- #define NVCFG_DUMMY_CLK_POS 12
+      * (2) there's no way to do a lookup that cares about Stage 2 for a
- #define VCFG_DUMMY_CLK_POS 4
+      * different security state to the current one for AArch64, and AArch32
-@@ -XXX,XX +XXX,XX @@ typedef struct FlashPartInfo {
+      * never has a secure EL2. (AArch32 ATS12NSO[UP][RW] allow EL3 to do
- #define EVCFG_VPP_ACCELERATOR (1 << 3)
+      * an NS stage 1+2 lookup while the NS bit is 0.)
- #define EVCFG_RESET_HOLD_ENABLED (1 << 4)
+      */
- #define NVCFG_DUAL_IO_MASK (1 << 2)
+-    if (!arm_is_secure_below_el3(env) || !arm_el_is_aa64(env, 3)) {
--#define EVCFG_DUAL_IO_ENABLED (1 << 6)
++    if (!arm_el_is_aa64(env, 3)) {
-+#define EVCFG_DUAL_IO_DISABLED (1 << 6)
+         return ARMMMUIdx_Phys_NS;
- #define NVCFG_QUAD_IO_MASK (1 << 3)
+     }
--#define EVCFG_QUAD_IO_ENABLED (1 << 7)
+-    if (stage2idx == ARMMMUIdx_Stage2_S) {
-+#define EVCFG_QUAD_IO_DISABLED (1 << 7)
+-        s2walk_secure = !(env->cp15.vstcr_el2 & VSTCR_SW);
- #define NVCFG_4BYTE_ADDR_MASK (1 << 0)
+-    } else {
- #define NVCFG_LOWER_SEGMENT_MASK (1 << 1)
+-        s2walk_secure = !(env->cp15.vtcr_el2 & VTCR_NSW);
+-    }
-@@ -XXX,XX +XXX,XX @@ static void reset_memory(Flash *s)
+-    return s2walk_secure ? ARMMMUIdx_Phys_S : ARMMMUIdx_Phys_NS;
-         s->volatile_cfg |= VCFG_WRAP_SEQUENTIAL;
-         if ((s->nonvolatile_cfg & NVCFG_XIP_MODE_MASK)
++    switch (arm_security_space_below_el3(env)) {
-                                 != NVCFG_XIP_MODE_DISABLED) {
++    case ARMSS_NonSecure:
--            s->volatile_cfg |= VCFG_XIP_MODE_ENABLED;
++        return ARMMMUIdx_Phys_NS;
-+            s->volatile_cfg |= VCFG_XIP_MODE_DISABLED;
++    case ARMSS_Realm:
-         }
++        return ARMMMUIdx_Phys_Realm;
-         s->volatile_cfg |= deposit32(s->volatile_cfg,
++    case ARMSS_Secure:
-                             VCFG_DUMMY_CLK_POS,
++        if (stage2idx == ARMMMUIdx_Stage2_S) {
-@@ -XXX,XX +XXX,XX @@ static void reset_memory(Flash *s)
++            s2walk_secure = !(env->cp15.vstcr_el2 & VSTCR_SW);
-         s->enh_volatile_cfg |= EVCFG_VPP_ACCELERATOR;
++        } else {
-         s->enh_volatile_cfg |= EVCFG_RESET_HOLD_ENABLED;
++            s2walk_secure = !(env->cp15.vtcr_el2 & VTCR_NSW);
-         if (s->nonvolatile_cfg & NVCFG_DUAL_IO_MASK) {
++        }
--            s->enh_volatile_cfg |= EVCFG_DUAL_IO_ENABLED;
++        return s2walk_secure ? ARMMMUIdx_Phys_S : ARMMMUIdx_Phys_NS;
-+            s->enh_volatile_cfg |= EVCFG_DUAL_IO_DISABLED;
++    default:
-         }
++        g_assert_not_reached();
-         if (s->nonvolatile_cfg & NVCFG_QUAD_IO_MASK) {
++    }
--            s->enh_volatile_cfg |= EVCFG_QUAD_IO_ENABLED;
+ }
-+            s->enh_volatile_cfg |= EVCFG_QUAD_IO_DISABLED;
-         }
+ static bool regime_translation_big_endian(CPUARMState *env, ARMMMUIdx mmu_idx)
          if (!(s->nonvolatile_cfg & NVCFG_4BYTE_ADDR_MASK)) {
              s->four_bytes_address_mode = true;
 --
-.20.1
+.34.1

-[PULL 14/20] usb: xlnx-usb-subsystem: Add xilinx usb subsystem
+[PULL 29/35] target/arm/helper: Fix tlbmask and tlbbits for TLBI VAE2*
-From: Sai Pavan Boddu <sai.pavan.boddu@xilinx.com>
+From: Jean-Philippe Brucker <jean-philippe@linaro.org>
-This model is a top level integration wrapper for hcd-dwc3 and
+When HCR_EL2.E2H is enabled, TLB entries are formed using the EL2&0
-versal-usb2-ctrl-regs modules, this is used by xilinx versal soc's and
+translation regime, instead of the EL2 translation regime. The TLB VAE2*
-future xilinx usb subsystems would also be part of it.
+instructions invalidate the regime that corresponds to the current value
 of HCR_EL2.E2H.
-Signed-off-by: Sai Pavan Boddu <sai.pavan.boddu@xilinx.com>
+At the moment we only invalidate the EL2 translation regime. This causes
-Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+problems with RMM, which issues TLBI VAE2IS instructions with
 HCR_EL2.E2H enabled. Update vae2_tlbmask() to take HCR_EL2.E2H into
 account.
 Add vae2_tlbbits() as well, since the top-byte-ignore configuration is
 different between the EL2&0 and EL2 regime.
 Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 1607023357-5096-4-git-send-email-sai.pavan.boddu@xilinx.com
+Message-id: 20230809123706.1842548-3-jean-philippe@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- include/hw/usb/xlnx-usb-subsystem.h | 45 ++++++++++++++
+ target/arm/helper.c | 50 ++++++++++++++++++++++++++++++++++++---------
- hw/usb/xlnx-usb-subsystem.c         | 94 +++++++++++++++++++++++++++++
+file changed, 40 insertions(+), 10 deletions(-)
  hw/usb/Kconfig                      |  5 ++
  hw/usb/meson.build                  |  1 +
 files changed, 145 insertions(+)
  create mode 100644 include/hw/usb/xlnx-usb-subsystem.h
  create mode 100644 hw/usb/xlnx-usb-subsystem.c
-diff --git a/include/hw/usb/xlnx-usb-subsystem.h b/include/hw/usb/xlnx-usb-subsystem.h
+diff --git a/target/arm/helper.c b/target/arm/helper.c
-new file mode 100644
+index XXXXXXX..XXXXXXX 100644
-index XXXXXXX..XXXXXXX
+--- a/target/arm/helper.c
---- /dev/null
++++ b/target/arm/helper.c
-+++ b/include/hw/usb/xlnx-usb-subsystem.h
+@@ -XXX,XX +XXX,XX @@ static int vae1_tlbmask(CPUARMState *env)
-@@ -XXX,XX +XXX,XX @@
+     return mask;
-+/*
+ }
-+ * QEMU model of the Xilinx usb subsystem
-+ *
++static int vae2_tlbmask(CPUARMState *env)
-+ * Copyright (c) 2020 Xilinx Inc. Sai Pavan Boddu <sai.pavan.boddu@xilinx.com>
++{
-+ *
++    uint64_t hcr = arm_hcr_el2_eff(env);
-+ * Permission is hereby granted, free of charge, to any person obtaining a copy
++    uint16_t mask;
 + * of this software and associated documentation files (the "Software"), to deal
 + * in the Software without restriction, including without limitation the rights
 + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 + * copies of the Software, and to permit persons to whom the Software is
 + * furnished to do so, subject to the following conditions:
 + *
 + * The above copyright notice and this permission notice shall be included in
 + * all copies or substantial portions of the Software.
 + *
 + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
 + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 + * THE SOFTWARE.
 + */
 +
-+#ifndef _XLNX_VERSAL_USB_SUBSYSTEM_H_
++    if (hcr & HCR_E2H) {
-+#define _XLNX_VERSAL_USB_SUBSYSTEM_H_
++        mask = ARMMMUIdxBit_E20_2 |
-+
++               ARMMMUIdxBit_E20_2_PAN |
-+#include "hw/usb/xlnx-versal-usb2-ctrl-regs.h"
++               ARMMMUIdxBit_E20_0;
-+#include "hw/usb/hcd-dwc3.h"
++    } else {
-+
++        mask = ARMMMUIdxBit_E2;
 +#define TYPE_XILINX_VERSAL_USB2 "xlnx.versal-usb2"
 +
 +#define VERSAL_USB2(obj) \
 +     OBJECT_CHECK(VersalUsb2, (obj), TYPE_XILINX_VERSAL_USB2)
 +
 +typedef struct VersalUsb2 {
 +    SysBusDevice parent_obj;
 +    MemoryRegion dwc3_mr;
 +    MemoryRegion usb2Ctrl_mr;
 +
 +    VersalUsb2CtrlRegs usb2Ctrl;
 +    USBDWC3 dwc3;
 +} VersalUsb2;
 +
 +#endif
 diff --git a/hw/usb/xlnx-usb-subsystem.c b/hw/usb/xlnx-usb-subsystem.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/hw/usb/xlnx-usb-subsystem.c
@@ -XXX,XX +XXX,XX @@
 +/*
 + * QEMU model of the Xilinx usb subsystem
 + *
 + * Copyright (c) 2020 Xilinx Inc. Sai Pavan Boddu <sai.pava.boddu@xilinx.com>
 + *
 + * Permission is hereby granted, free of charge, to any person obtaining a copy
 + * of this software and associated documentation files (the "Software"), to deal
 + * in the Software without restriction, including without limitation the rights
 + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 + * copies of the Software, and to permit persons to whom the Software is
 + * furnished to do so, subject to the following conditions:
 + *
 + * The above copyright notice and this permission notice shall be included in
 + * all copies or substantial portions of the Software.
 + *
 + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
 + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 + * THE SOFTWARE.
 + */
 +
 +#include "qemu/osdep.h"
 +#include "hw/sysbus.h"
 +#include "hw/irq.h"
 +#include "hw/register.h"
 +#include "qemu/bitops.h"
 +#include "qemu/log.h"
 +#include "qom/object.h"
 +#include "qapi/error.h"
 +#include "hw/qdev-properties.h"
 +#include "hw/usb/xlnx-usb-subsystem.h"
 +
 +static void versal_usb2_realize(DeviceState *dev, Error **errp)
 +{
 +    VersalUsb2 *s = VERSAL_USB2(dev);
 +    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
 +    Error *err = NULL;
 +
 +    sysbus_realize(SYS_BUS_DEVICE(&s->dwc3), &err);
 +    if (err) {
 +        error_propagate(errp, err);
 +        return;
 +    }
-+    sysbus_realize(SYS_BUS_DEVICE(&s->usb2Ctrl), &err);
++    return mask;
 +    if (err) {
 +        error_propagate(errp, err);
 +        return;
 +    }
 +    sysbus_init_mmio(sbd, &s->dwc3_mr);
 +    sysbus_init_mmio(sbd, &s->usb2Ctrl_mr);
 +    qdev_pass_gpios(DEVICE(&s->dwc3.sysbus_xhci), dev, SYSBUS_DEVICE_GPIO_IRQ);
 +}
 +
-+static void versal_usb2_init(Object *obj)
+ /* Return 56 if TBI is enabled, 64 otherwise. */
  static int tlbbits_for_regime(CPUARMState *env, ARMMMUIdx mmu_idx,
                                uint64_t addr)
@@ -XXX,XX +XXX,XX @@ static int vae1_tlbbits(CPUARMState *env, uint64_t addr)
      return tlbbits_for_regime(env, mmu_idx, addr);
  }
 +static int vae2_tlbbits(CPUARMState *env, uint64_t addr)
 +{
-+    VersalUsb2 *s = VERSAL_USB2(obj);
++    uint64_t hcr = arm_hcr_el2_eff(env);
 +    ARMMMUIdx mmu_idx;
 +
-+    object_initialize_child(obj, "versal.dwc3", &s->dwc3,
++    /*
-+                            TYPE_USB_DWC3);
++     * Only the regime of the mmu_idx below is significant.
-+    object_initialize_child(obj, "versal.usb2-ctrl", &s->usb2Ctrl,
++     * Regime EL2&0 has two ranges with separate TBI configuration, while EL2
-+                            TYPE_XILINX_VERSAL_USB2_CTRL_REGS);
++     * only has one.
-+    memory_region_init_alias(&s->dwc3_mr, obj, "versal.dwc3_alias",
++     */
-+                             &s->dwc3.iomem, 0, DWC3_SIZE);
++    if (hcr & HCR_E2H) {
-+    memory_region_init_alias(&s->usb2Ctrl_mr, obj, "versal.usb2Ctrl_alias",
++        mmu_idx = ARMMMUIdx_E20_2;
-+                             &s->usb2Ctrl.iomem, 0, USB2_REGS_R_MAX * 4);
++    } else {
-+    qdev_alias_all_properties(DEVICE(&s->dwc3), obj);
++        mmu_idx = ARMMMUIdx_E2;
-+    qdev_alias_all_properties(DEVICE(&s->dwc3.sysbus_xhci), obj);
++    }
-+    object_property_add_alias(obj, "dma", OBJECT(&s->dwc3.sysbus_xhci), "dma");
++
 +    return tlbbits_for_regime(env, mmu_idx, addr);
 +}
 +
-+static void versal_usb2_class_init(ObjectClass *klass, void *data)
+ static void tlbi_aa64_vmalle1is_write(CPUARMState *env, const ARMCPRegInfo *ri,
-+{
+                                       uint64_t value)
-+    DeviceClass *dc = DEVICE_CLASS(klass);
+ {
-+
+@@ -XXX,XX +XXX,XX @@ static void tlbi_aa64_vae2_write(CPUARMState *env, const ARMCPRegInfo *ri,
-+    dc->realize = versal_usb2_realize;
+      * flush-last-level-only.
-+}
+      */
-+
+     CPUState *cs = env_cpu(env);
-+static const TypeInfo versal_usb2_info = {
+-    int mask = e2_tlbmask(env);
-+    .name          = TYPE_XILINX_VERSAL_USB2,
++    int mask = vae2_tlbmask(env);
-+    .parent        = TYPE_SYS_BUS_DEVICE,
+     uint64_t pageaddr = sextract64(value << 12, 0, 56);
-+    .instance_size = sizeof(VersalUsb2),
++    int bits = vae2_tlbbits(env, pageaddr);
-+    .class_init    = versal_usb2_class_init,
-+    .instance_init = versal_usb2_init,
+-    tlb_flush_page_by_mmuidx(cs, pageaddr, mask);
-+};
++    tlb_flush_page_bits_by_mmuidx(cs, pageaddr, mask, bits);
-+
+ }
-+static void versal_usb_types(void)
-+{
+ static void tlbi_aa64_vae3_write(CPUARMState *env, const ARMCPRegInfo *ri,
-+    type_register_static(&versal_usb2_info);
+@@ -XXX,XX +XXX,XX @@ static void tlbi_aa64_vae2is_write(CPUARMState *env, const ARMCPRegInfo *ri,
-+}
+                                    uint64_t value)
-+
+ {
-+type_init(versal_usb_types)
+     CPUState *cs = env_cpu(env);
-diff --git a/hw/usb/Kconfig b/hw/usb/Kconfig
++    int mask = vae2_tlbmask(env);
-index XXXXXXX..XXXXXXX 100644
+     uint64_t pageaddr = sextract64(value << 12, 0, 56);
---- a/hw/usb/Kconfig
+-    int bits = tlbbits_for_regime(env, ARMMMUIdx_E2, pageaddr);
-+++ b/hw/usb/Kconfig
++    int bits = vae2_tlbbits(env, pageaddr);
-@@ -XXX,XX +XXX,XX @@ config USB_DWC3
-     bool
+-    tlb_flush_page_bits_by_mmuidx_all_cpus_synced(cs, pageaddr,
-     select USB_XHCI_SYSBUS
+-                                                  ARMMMUIdxBit_E2, bits);
-     select REGISTER
++    tlb_flush_page_bits_by_mmuidx_all_cpus_synced(cs, pageaddr, mask, bits);
-+
+ }
-+config XLNX_USB_SUBSYS
-+    bool
+ static void tlbi_aa64_vae3is_write(CPUARMState *env, const ARMCPRegInfo *ri,
-+    default y if XLNX_VERSAL
+@@ -XXX,XX +XXX,XX @@ static void tlbi_aa64_rvae1is_write(CPUARMState *env,
-+    select USB_DWC3
+     do_rvae_write(env, value, vae1_tlbmask(env), true);
-diff --git a/hw/usb/meson.build b/hw/usb/meson.build
+ }
-index XXXXXXX..XXXXXXX 100644
---- a/hw/usb/meson.build
+-static int vae2_tlbmask(CPUARMState *env)
-+++ b/hw/usb/meson.build
+-{
-@@ -XXX,XX +XXX,XX @@ softmmu_ss.add(when: 'CONFIG_TUSB6010', if_true: files('tusb6010.c'))
+-    return ARMMMUIdxBit_E2;
- softmmu_ss.add(when: 'CONFIG_IMX', if_true: files('chipidea.c'))
+-}
- softmmu_ss.add(when: 'CONFIG_IMX_USBPHY', if_true: files('imx-usb-phy.c'))
+-
- specific_ss.add(when: 'CONFIG_XLNX_VERSAL', if_true: files('xlnx-versal-usb2-ctrl-regs.c'))
+ static void tlbi_aa64_rvae2_write(CPUARMState *env,
-+specific_ss.add(when: 'CONFIG_XLNX_USB_SUBSYS', if_true: files('xlnx-usb-subsystem.c'))
+                                   const ARMCPRegInfo *ri,
+                                   uint64_t value)
  # emulated usb devices
  softmmu_ss.add(when: 'CONFIG_USB', if_true: files('dev-hub.c'))
 --
-.20.1
+.34.1

-[PULL 15/20] arm: xlnx-versal: Connect usb to virt-versal
+[PULL 30/35] target/arm: Skip granule protection checks for AT instructions
-From: Vikram Garhwal <fnu.vikram@xilinx.com>
+From: Jean-Philippe Brucker <jean-philippe@linaro.org>
-Connect VersalUsb2 subsystem to xlnx-versal SOC, its placed
+GPC checks are not performed on the output address for AT instructions,
-in iou of lpd domain and configure it as dual port host controller.
+as stated by ARM DDI 0487J in D8.12.2:
 Add the respective guest dts nodes for "xlnx-versal-virt" machine.
-Signed-off-by: Vikram Garhwal <fnu.vikram@xilinx.com>
+  When populating PAR_EL1 with the result of an address translation
-Signed-off-by: Sai Pavan Boddu <sai.pavan.boddu@xilinx.com>
+  instruction, granule protection checks are not performed on the final
-Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
+  output address of a successful translation.
-Message-id: 1607023357-5096-5-git-send-email-sai.pavan.boddu@xilinx.com
 Rename get_phys_addr_with_secure(), since it's only used to handle AT
 instructions.
 Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Message-id: 20230809123706.1842548-4-jean-philippe@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- include/hw/arm/xlnx-versal.h |  9 ++++++
+ target/arm/internals.h | 25 ++++++++++++++-----------
- hw/arm/xlnx-versal-virt.c    | 55 ++++++++++++++++++++++++++++++++++++
+ target/arm/helper.c    |  8 ++++++--
- hw/arm/xlnx-versal.c         | 26 +++++++++++++++++
+ target/arm/ptw.c       | 11 ++++++-----
-files changed, 90 insertions(+)
+files changed, 26 insertions(+), 18 deletions(-)
-diff --git a/include/hw/arm/xlnx-versal.h b/include/hw/arm/xlnx-versal.h
+diff --git a/target/arm/internals.h b/target/arm/internals.h
 index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/xlnx-versal.h
+--- a/target/arm/internals.h
-+++ b/include/hw/arm/xlnx-versal.h
++++ b/target/arm/internals.h
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ typedef struct GetPhysAddrResult {
- #include "hw/net/cadence_gem.h"
+ } GetPhysAddrResult;
- #include "hw/rtc/xlnx-zynqmp-rtc.h"
- #include "qom/object.h"
+ /**
-+#include "hw/usb/xlnx-usb-subsystem.h"
+- * get_phys_addr_with_secure: get the physical address for a virtual address
++ * get_phys_addr: get the physical address for a virtual address
- #define TYPE_XLNX_VERSAL "xlnx-versal"
+  * @env: CPUARMState
- OBJECT_DECLARE_SIMPLE_TYPE(Versal, XLNX_VERSAL)
+  * @address: virtual address to get physical address for
-@@ -XXX,XX +XXX,XX @@ struct Versal {
+  * @access_type: 0 for read, 1 for write, 2 for execute
-             PL011State uart[XLNX_VERSAL_NR_UARTS];
+  * @mmu_idx: MMU index indicating required translation regime
-             CadenceGEMState gem[XLNX_VERSAL_NR_GEMS];
+- * @is_secure: security state for the access
-             XlnxZDMA adma[XLNX_VERSAL_NR_ADMAS];
+  * @result: set on translation success.
-+            VersalUsb2 usb;
+  * @fi: set to fault info if the translation fails
-         } iou;
+  *
-     } lpd;
+@@ -XXX,XX +XXX,XX @@ typedef struct GetPhysAddrResult {
+  *  * for PSMAv5 based systems we don't bother to return a full FSR format
-@@ -XXX,XX +XXX,XX @@ struct Versal {
+  *    value.
+  */
- #define VERSAL_UART0_IRQ_0         18
+-bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
- #define VERSAL_UART1_IRQ_0         19
+-                               MMUAccessType access_type,
-+#define VERSAL_USB0_IRQ_0          22
+-                               ARMMMUIdx mmu_idx, bool is_secure,
- #define VERSAL_GEM0_IRQ_0          56
+-                               GetPhysAddrResult *result, ARMMMUFaultInfo *fi)
- #define VERSAL_GEM0_WAKE_IRQ_0     57
++bool get_phys_addr(CPUARMState *env, target_ulong address,
- #define VERSAL_GEM1_IRQ_0          58
++                   MMUAccessType access_type, ARMMMUIdx mmu_idx,
-@@ -XXX,XX +XXX,XX @@ struct Versal {
++                   GetPhysAddrResult *result, ARMMMUFaultInfo *fi)
- #define MM_OCM                      0xfffc0000U
+     __attribute__((nonnull));
- #define MM_OCM_SIZE                 0x40000
+ /**
-+#define MM_USB2_CTRL_REGS           0xFF9D0000
+- * get_phys_addr: get the physical address for a virtual address
-+#define MM_USB2_CTRL_REGS_SIZE      0x10000
++ * get_phys_addr_with_secure_nogpc: get the physical address for a virtual
-+
++ *                                  address
-+#define MM_USB_0                    0xFE200000
+  * @env: CPUARMState
-+#define MM_USB_0_SIZE               0x10000
+  * @address: virtual address to get physical address for
-+
+  * @access_type: 0 for read, 1 for write, 2 for execute
- #define MM_TOP_DDR                  0x0
+  * @mmu_idx: MMU index indicating required translation regime
- #define MM_TOP_DDR_SIZE             0x80000000U
++ * @is_secure: security state for the access
- #define MM_TOP_DDR_2                0x800000000ULL
+  * @result: set on translation success.
-diff --git a/hw/arm/xlnx-versal-virt.c b/hw/arm/xlnx-versal-virt.c
+  * @fi: set to fault info if the translation fails
   *
 - * Similarly, but use the security regime of @mmu_idx.
 + * Similar to get_phys_addr, but use the given security regime and don't perform
 + * a Granule Protection Check on the resulting address.
   */
 -bool get_phys_addr(CPUARMState *env, target_ulong address,
 -                   MMUAccessType access_type, ARMMMUIdx mmu_idx,
 -                   GetPhysAddrResult *result, ARMMMUFaultInfo *fi)
 +bool get_phys_addr_with_secure_nogpc(CPUARMState *env, target_ulong address,
 +                                     MMUAccessType access_type,
 +                                     ARMMMUIdx mmu_idx, bool is_secure,
 +                                     GetPhysAddrResult *result,
 +                                     ARMMMUFaultInfo *fi)
      __attribute__((nonnull));
  bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address,
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/xlnx-versal-virt.c
+--- a/target/arm/helper.c
-+++ b/hw/arm/xlnx-versal-virt.c
++++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ struct VersalVirt {
+@@ -XXX,XX +XXX,XX @@ static uint64_t do_ats_write(CPUARMState *env, uint64_t value,
-         uint32_t ethernet_phy[2];
+     ARMMMUFaultInfo fi = {};
-         uint32_t clk_125Mhz;
+     GetPhysAddrResult res = {};
-         uint32_t clk_25Mhz;
-+        uint32_t usb;
+-    ret = get_phys_addr_with_secure(env, value, access_type, mmu_idx,
-+        uint32_t dwc;
+-                                    is_secure, &res, &fi);
-     } phandle;
++    /*
-     struct arm_boot_info binfo;
++     * I_MXTJT: Granule protection checks are not performed on the final address
++     * of a successful translation.
-@@ -XXX,XX +XXX,XX @@ static void fdt_create(VersalVirt *s)
++     */
-     s->phandle.clk_25Mhz = qemu_fdt_alloc_phandle(s->fdt);
++    ret = get_phys_addr_with_secure_nogpc(env, value, access_type, mmu_idx,
-     s->phandle.clk_125Mhz = qemu_fdt_alloc_phandle(s->fdt);
++                                          is_secure, &res, &fi);
-+    s->phandle.usb = qemu_fdt_alloc_phandle(s->fdt);
+     /*
-+    s->phandle.dwc = qemu_fdt_alloc_phandle(s->fdt);
+      * ATS operations only do S1 or S1+S2 translations, so we never
-     /* Create /chosen node for load_dtb.  */
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
-     qemu_fdt_add_subnode(s->fdt, "/chosen");
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ static void fdt_add_timer_nodes(VersalVirt *s)
++++ b/target/arm/ptw.c
-                      compat, sizeof(compat));
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_gpc(CPUARMState *env, S1Translate *ptw,
      return false;
  }
-+static void fdt_add_usb_xhci_nodes(VersalVirt *s)
+-bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
-+{
+-                               MMUAccessType access_type, ARMMMUIdx mmu_idx,
-+    const char clocknames[] = "bus_clk\0ref_clk";
+-                               bool is_secure, GetPhysAddrResult *result,
-+    const char irq_name[] = "dwc_usb3";
+-                               ARMMMUFaultInfo *fi)
-+    const char compatVersalDWC3[] = "xlnx,versal-dwc3";
++bool get_phys_addr_with_secure_nogpc(CPUARMState *env, target_ulong address,
-+    const char compatDWC3[] = "snps,dwc3";
++                                     MMUAccessType access_type,
-+    char *name = g_strdup_printf("/usb@%" PRIx32, MM_USB2_CTRL_REGS);
++                                     ARMMMUIdx mmu_idx, bool is_secure,
-+
++                                     GetPhysAddrResult *result,
-+    qemu_fdt_add_subnode(s->fdt, name);
++                                     ARMMMUFaultInfo *fi)
 +    qemu_fdt_setprop(s->fdt, name, "compatible",
 +                         compatVersalDWC3, sizeof(compatVersalDWC3));
 +    qemu_fdt_setprop_sized_cells(s->fdt, name, "reg",
 +                                 2, MM_USB2_CTRL_REGS,
 +                                 2, MM_USB2_CTRL_REGS_SIZE);
 +    qemu_fdt_setprop(s->fdt, name, "clock-names",
 +                         clocknames, sizeof(clocknames));
 +    qemu_fdt_setprop_cells(s->fdt, name, "clocks",
 +                               s->phandle.clk_25Mhz, s->phandle.clk_125Mhz);
 +    qemu_fdt_setprop(s->fdt, name, "ranges", NULL, 0);
 +    qemu_fdt_setprop_cell(s->fdt, name, "#address-cells", 2);
 +    qemu_fdt_setprop_cell(s->fdt, name, "#size-cells", 2);
 +    qemu_fdt_setprop_cell(s->fdt, name, "phandle", s->phandle.usb);
 +    g_free(name);
 +
 +    name = g_strdup_printf("/usb@%" PRIx32 "/dwc3@%" PRIx32,
 +                           MM_USB2_CTRL_REGS, MM_USB_0);
 +    qemu_fdt_add_subnode(s->fdt, name);
 +    qemu_fdt_setprop(s->fdt, name, "compatible",
 +                     compatDWC3, sizeof(compatDWC3));
 +    qemu_fdt_setprop_sized_cells(s->fdt, name, "reg",
 +                                 2, MM_USB_0, 2, MM_USB_0_SIZE);
 +    qemu_fdt_setprop(s->fdt, name, "interrupt-names",
 +                     irq_name, sizeof(irq_name));
 +    qemu_fdt_setprop_cells(s->fdt, name, "interrupts",
 +                               GIC_FDT_IRQ_TYPE_SPI, VERSAL_USB0_IRQ_0,
 +                               GIC_FDT_IRQ_FLAGS_LEVEL_HI);
 +    qemu_fdt_setprop_cell(s->fdt, name,
 +                          "snps,quirk-frame-length-adjustment", 0x20);
 +    qemu_fdt_setprop_cells(s->fdt, name, "#stream-id-cells", 1);
 +    qemu_fdt_setprop_string(s->fdt, name, "dr_mode", "host");
 +    qemu_fdt_setprop_string(s->fdt, name, "phy-names", "usb3-phy");
 +    qemu_fdt_setprop(s->fdt, name, "snps,dis_u2_susphy_quirk", NULL, 0);
 +    qemu_fdt_setprop(s->fdt, name, "snps,dis_u3_susphy_quirk", NULL, 0);
 +    qemu_fdt_setprop(s->fdt, name, "snps,refclk_fladj", NULL, 0);
 +    qemu_fdt_setprop(s->fdt, name, "snps,mask_phy_reset", NULL, 0);
 +    qemu_fdt_setprop_cell(s->fdt, name, "phandle", s->phandle.dwc);
 +    qemu_fdt_setprop_string(s->fdt, name, "maximum-speed", "high-speed");
 +    g_free(name);
 +}
 +
  static void fdt_add_uart_nodes(VersalVirt *s)
  {
-     uint64_t addrs[] = { MM_UART1, MM_UART0 };
+     S1Translate ptw = {
-@@ -XXX,XX +XXX,XX @@ static void versal_virt_init(MachineState *machine)
+         .in_mmu_idx = mmu_idx,
-     fdt_add_gic_nodes(s);
+         .in_space = arm_secure_to_space(is_secure),
-     fdt_add_timer_nodes(s);
+     };
-     fdt_add_zdma_nodes(s);
+-    return get_phys_addr_gpc(env, &ptw, address, access_type, result, fi);
-+    fdt_add_usb_xhci_nodes(s);
++    return get_phys_addr_nogpc(env, &ptw, address, access_type, result, fi);
      fdt_add_sd_nodes(s);
      fdt_add_rtc_node(s);
      fdt_add_cpu_nodes(s, psci_conduit);
 diff --git a/hw/arm/xlnx-versal.c b/hw/arm/xlnx-versal.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/xlnx-versal.c
 +++ b/hw/arm/xlnx-versal.c
@@ -XXX,XX +XXX,XX @@ static void versal_create_uarts(Versal *s, qemu_irq *pic)
      }
  }
-+static void versal_create_usbs(Versal *s, qemu_irq *pic)
+ bool get_phys_addr(CPUARMState *env, target_ulong address,
 +{
 +    DeviceState *dev;
 +    MemoryRegion *mr;
 +
 +    object_initialize_child(OBJECT(s), "usb2", &s->lpd.iou.usb,
 +                            TYPE_XILINX_VERSAL_USB2);
 +    dev = DEVICE(&s->lpd.iou.usb);
 +
 +    object_property_set_link(OBJECT(dev), "dma", OBJECT(&s->mr_ps),
 +                             &error_abort);
 +    qdev_prop_set_uint32(dev, "intrs", 1);
 +    qdev_prop_set_uint32(dev, "slots", 2);
 +
 +    sysbus_realize(SYS_BUS_DEVICE(dev), &error_fatal);
 +
 +    mr = sysbus_mmio_get_region(SYS_BUS_DEVICE(dev), 0);
 +    memory_region_add_subregion(&s->mr_ps, MM_USB_0, mr);
 +
 +    sysbus_connect_irq(SYS_BUS_DEVICE(dev), 0, pic[VERSAL_USB0_IRQ_0]);
 +
 +    mr = sysbus_mmio_get_region(SYS_BUS_DEVICE(dev), 1);
 +    memory_region_add_subregion(&s->mr_ps, MM_USB2_CTRL_REGS, mr);
 +}
 +
  static void versal_create_gems(Versal *s, qemu_irq *pic)
  {
      int i;
@@ -XXX,XX +XXX,XX @@ static void versal_realize(DeviceState *dev, Error **errp)
      versal_create_apu_cpus(s);
      versal_create_apu_gic(s, pic);
      versal_create_uarts(s, pic);
 +    versal_create_usbs(s, pic);
      versal_create_gems(s, pic);
      versal_create_admas(s, pic);
      versal_create_sds(s, pic);
 --
-.20.1
+.34.1

-[PULL 16/20] hw/misc/zynq_slcr: Avoid #DIV/0! error
+[PULL 31/35] target/arm: Pass security space rather than flag for AT instructions
-From: Philippe Mathieu-Daudé <f4bug@amsat.org>
+From: Jean-Philippe Brucker <jean-philippe@linaro.org>
-Malicious user can set the feedback divisor for the PLLs
+At the moment we only handle Secure and Nonsecure security spaces for
-to zero, triggering a floating-point exception (SIGFPE).
+the AT instructions. Add support for Realm and Root.
-As the datasheet [*] is not clear how hardware behaves
+For AArch64, arm_security_space() gives the desired space. ARM DDI0487J
-when these bits are zeroes, use the maximum divisor
+says (R_NYXTL):
-possible (128) to avoid the software FPE.
+  If EL3 is implemented, then when an address translation instruction
-[*] Zynq-7000 TRM, UG585 (v1.12.2)
+  that applies to an Exception level lower than EL3 is executed, the
-    B.28 System Level Control Registers (slcr)
+  Effective value of SCR_EL3.{NSE, NS} determines the target Security
-    -> "Register (slcr) ARM_PLL_CTRL"
+  state that the instruction applies to.
-.10.4 PLLs
-    -> "Software-Controlled PLL Update"
+For AArch32, some instructions can access NonSecure space from Secure,
+so we still need to pass the state explicitly to do_ats_write().
-Fixes: 38867cb7ec9 ("hw/misc/zynq_slcr: add clock generation for uarts")
-Reported-by: Gaoning Pan <pgn@zju.edu.cn>
+Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
-Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Message-id: 20230809123706.1842548-5-jean-philippe@linaro.org
 Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
 Reviewed-by: Damien Hedde <damien.hedde@greensocs.com>
 Message-id: 20201210141610.884600-1-f4bug@amsat.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/misc/zynq_slcr.c | 5 +++++
+ target/arm/internals.h | 18 +++++++++---------
-file changed, 5 insertions(+)
+ target/arm/helper.c    | 27 ++++++++++++---------------
+ target/arm/ptw.c       | 12 ++++++------
-diff --git a/hw/misc/zynq_slcr.c b/hw/misc/zynq_slcr.c
+files changed, 27 insertions(+), 30 deletions(-)
 diff --git a/target/arm/internals.h b/target/arm/internals.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/misc/zynq_slcr.c
+--- a/target/arm/internals.h
-+++ b/hw/misc/zynq_slcr.c
++++ b/target/arm/internals.h
-@@ -XXX,XX +XXX,XX @@ static uint64_t zynq_slcr_compute_pll(uint64_t input, uint32_t ctrl_reg)
+@@ -XXX,XX +XXX,XX @@ bool get_phys_addr(CPUARMState *env, target_ulong address,
-         return 0;
+     __attribute__((nonnull));
  /**
 - * get_phys_addr_with_secure_nogpc: get the physical address for a virtual
 - *                                  address
 + * get_phys_addr_with_space_nogpc: get the physical address for a virtual
 + *                                 address
   * @env: CPUARMState
   * @address: virtual address to get physical address for
   * @access_type: 0 for read, 1 for write, 2 for execute
   * @mmu_idx: MMU index indicating required translation regime
 - * @is_secure: security state for the access
 + * @space: security space for the access
   * @result: set on translation success.
   * @fi: set to fault info if the translation fails
   *
 - * Similar to get_phys_addr, but use the given security regime and don't perform
 + * Similar to get_phys_addr, but use the given security space and don't perform
   * a Granule Protection Check on the resulting address.
   */
 -bool get_phys_addr_with_secure_nogpc(CPUARMState *env, target_ulong address,
 -                                     MMUAccessType access_type,
 -                                     ARMMMUIdx mmu_idx, bool is_secure,
 -                                     GetPhysAddrResult *result,
 -                                     ARMMMUFaultInfo *fi)
 +bool get_phys_addr_with_space_nogpc(CPUARMState *env, target_ulong address,
 +                                    MMUAccessType access_type,
 +                                    ARMMMUIdx mmu_idx, ARMSecuritySpace space,
 +                                    GetPhysAddrResult *result,
 +                                    ARMMMUFaultInfo *fi)
      __attribute__((nonnull));
  bool pmsav8_mpu_lookup(CPUARMState *env, uint32_t address,
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static int par_el1_shareability(GetPhysAddrResult *res)
  static uint64_t do_ats_write(CPUARMState *env, uint64_t value,
                               MMUAccessType access_type, ARMMMUIdx mmu_idx,
 -                             bool is_secure)
 +                             ARMSecuritySpace ss)
  {
      bool ret;
      uint64_t par64;
@@ -XXX,XX +XXX,XX @@ static uint64_t do_ats_write(CPUARMState *env, uint64_t value,
       * I_MXTJT: Granule protection checks are not performed on the final address
       * of a successful translation.
       */
 -    ret = get_phys_addr_with_secure_nogpc(env, value, access_type, mmu_idx,
 -                                          is_secure, &res, &fi);
 +    ret = get_phys_addr_with_space_nogpc(env, value, access_type, mmu_idx, ss,
 +                                         &res, &fi);
      /*
       * ATS operations only do S1 or S1+S2 translations, so we never
@@ -XXX,XX +XXX,XX @@ static void ats_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
      uint64_t par64;
      ARMMMUIdx mmu_idx;
      int el = arm_current_el(env);
 -    bool secure = arm_is_secure_below_el3(env);
 +    ARMSecuritySpace ss = arm_security_space(env);
      switch (ri->opc2 & 6) {
      case 0:
@@ -XXX,XX +XXX,XX @@ static void ats_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
          switch (el) {
          case 3:
              mmu_idx = ARMMMUIdx_E3;
 -            secure = true;
              break;
          case 2:
 -            g_assert(!secure);  /* ARMv8.4-SecEL2 is 64-bit only */
 +            g_assert(ss != ARMSS_Secure);  /* ARMv8.4-SecEL2 is 64-bit only */
              /* fall through */
          case 1:
              if (ri->crm == 9 && (env->uncached_cpsr & CPSR_PAN)) {
@@ -XXX,XX +XXX,XX @@ static void ats_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
          switch (el) {
          case 3:
              mmu_idx = ARMMMUIdx_E10_0;
 -            secure = true;
              break;
          case 2:
 -            g_assert(!secure);  /* ARMv8.4-SecEL2 is 64-bit only */
 +            g_assert(ss != ARMSS_Secure);  /* ARMv8.4-SecEL2 is 64-bit only */
              mmu_idx = ARMMMUIdx_Stage1_E0;
              break;
          case 1:
@@ -XXX,XX +XXX,XX @@ static void ats_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
      case 4:
          /* stage 1+2 NonSecure PL1: ATS12NSOPR, ATS12NSOPW */
          mmu_idx = ARMMMUIdx_E10_1;
 -        secure = false;
 +        ss = ARMSS_NonSecure;
          break;
      case 6:
          /* stage 1+2 NonSecure PL0: ATS12NSOUR, ATS12NSOUW */
          mmu_idx = ARMMMUIdx_E10_0;
 -        secure = false;
 +        ss = ARMSS_NonSecure;
          break;
      default:
          g_assert_not_reached();
      }
-+    /* Consider zero feedback as maximum divide ratio possible */
+-    par64 = do_ats_write(env, value, access_type, mmu_idx, secure);
-+    if (!mult) {
++    par64 = do_ats_write(env, value, access_type, mmu_idx, ss);
-+        mult = 1 << R_xxx_PLL_CTRL_PLL_FPDIV_LENGTH;
-+    }
+     A32_BANKED_CURRENT_REG_SET(env, par, par64);
-+
+ #else
-     /* frequency multiplier -> period division */
+@@ -XXX,XX +XXX,XX @@ static void ats1h_write(CPUARMState *env, const ARMCPRegInfo *ri,
-     return input / mult;
+     uint64_t par64;
      /* There is no SecureEL2 for AArch32. */
 -    par64 = do_ats_write(env, value, access_type, ARMMMUIdx_E2, false);
 +    par64 = do_ats_write(env, value, access_type, ARMMMUIdx_E2,
 +                         ARMSS_NonSecure);
      A32_BANKED_CURRENT_REG_SET(env, par, par64);
  #else
@@ -XXX,XX +XXX,XX @@ static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri,
  #ifdef CONFIG_TCG
      MMUAccessType access_type = ri->opc2 & 1 ? MMU_DATA_STORE : MMU_DATA_LOAD;
      ARMMMUIdx mmu_idx;
 -    int secure = arm_is_secure_below_el3(env);
      uint64_t hcr_el2 = arm_hcr_el2_eff(env);
      bool regime_e20 = (hcr_el2 & (HCR_E2H | HCR_TGE)) == (HCR_E2H | HCR_TGE);
@@ -XXX,XX +XXX,XX @@ static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri,
              break;
          case 6: /* AT S1E3R, AT S1E3W */
              mmu_idx = ARMMMUIdx_E3;
 -            secure = true;
              break;
          default:
              g_assert_not_reached();
@@ -XXX,XX +XXX,XX @@ static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri,
      }
      env->cp15.par_el[1] = do_ats_write(env, value, access_type,
 -                                       mmu_idx, secure);
 +                                       mmu_idx, arm_security_space(env));
  #else
      /* Handled by hardware accelerator. */
      g_assert_not_reached();
 diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/ptw.c
 +++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_gpc(CPUARMState *env, S1Translate *ptw,
      return false;
  }
 -bool get_phys_addr_with_secure_nogpc(CPUARMState *env, target_ulong address,
 -                                     MMUAccessType access_type,
 -                                     ARMMMUIdx mmu_idx, bool is_secure,
 -                                     GetPhysAddrResult *result,
 -                                     ARMMMUFaultInfo *fi)
 +bool get_phys_addr_with_space_nogpc(CPUARMState *env, target_ulong address,
 +                                    MMUAccessType access_type,
 +                                    ARMMMUIdx mmu_idx, ARMSecuritySpace space,
 +                                    GetPhysAddrResult *result,
 +                                    ARMMMUFaultInfo *fi)
  {
      S1Translate ptw = {
          .in_mmu_idx = mmu_idx,
 -        .in_space = arm_secure_to_space(is_secure),
 +        .in_space = space,
      };
      return get_phys_addr_nogpc(env, &ptw, address, access_type, result, fi);
  }
 --
-.20.1
+.34.1

-[PULL 03/20] hw/openrisc/openrisc_sim: Abstract out "get IRQ x of CPU y"
+[PULL 32/35] target/arm/helper: Check SCR_EL3.{NSE, NS} encoding for AT instructions
-We're about to refactor the OpenRISC pic_cpu code in a way that means
+From: Jean-Philippe Brucker <jean-philippe@linaro.org>
 that just grabbing the whole qemu_irq[] array of inbound IRQs for a
 CPU won't be possible any more.  Abstract out a function for "return
 the qemu_irq for IRQ x input of CPU y" so we can more easily replace
 the implementation.
+The AT instruction is UNDEFINED if the {NSE,NS} configuration is
+invalid. Add a function to check this on all AT instructions that apply
+to an EL lower than 3.
+Suggested-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
+Message-id: 20230809123706.1842548-6-jean-philippe@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Stafford Horne <shorne@gmail.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Message-id: 20201127225127.14770-3-peter.maydell@linaro.org
 ---
- hw/openrisc/openrisc_sim.c | 38 +++++++++++++++++++++-----------------
+ target/arm/helper.c | 38 +++++++++++++++++++++++++++-----------
-file changed, 21 insertions(+), 17 deletions(-)
+file changed, 27 insertions(+), 11 deletions(-)
-diff --git a/hw/openrisc/openrisc_sim.c b/hw/openrisc/openrisc_sim.c
+diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/openrisc/openrisc_sim.c
+--- a/target/arm/helper.c
-+++ b/hw/openrisc/openrisc_sim.c
++++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static void main_cpu_reset(void *opaque)
+@@ -XXX,XX +XXX,XX @@ static void ats1h_write(CPUARMState *env, const ARMCPRegInfo *ri,
-     cpu_set_pc(cs, boot_info.bootstrap_pc);
+ #endif /* CONFIG_TCG */
  }
-+static qemu_irq get_cpu_irq(OpenRISCCPU *cpus[], int cpunum, int irq_pin)
++static CPAccessResult at_e012_access(CPUARMState *env, const ARMCPRegInfo *ri,
 +                                     bool isread)
 +{
-+    return cpus[cpunum]->env.irq[irq_pin];
++    /*
 +     * R_NYXTL: instruction is UNDEFINED if it applies to an Exception level
 +     * lower than EL3 and the combination SCR_EL3.{NSE,NS} is reserved. This can
 +     * only happen when executing at EL3 because that combination also causes an
 +     * illegal exception return. We don't need to check FEAT_RME either, because
 +     * scr_write() ensures that the NSE bit is not set otherwise.
 +     */
 +    if ((env->cp15.scr_el3 & (SCR_NSE | SCR_NS)) == SCR_NSE) {
 +        return CP_ACCESS_TRAP;
 +    }
 +    return CP_ACCESS_OK;
 +}
 +
- static void openrisc_sim_net_init(hwaddr base, hwaddr descriptors,
+ static CPAccessResult at_s1e2_access(CPUARMState *env, const ARMCPRegInfo *ri,
--                                  int num_cpus, qemu_irq **cpu_irqs,
+                                      bool isread)
 +                                  int num_cpus, OpenRISCCPU *cpus[],
                                    int irq_pin, NICInfo *nd)
  {
-     DeviceState *dev;
+@@ -XXX,XX +XXX,XX @@ static CPAccessResult at_s1e2_access(CPUARMState *env, const ARMCPRegInfo *ri,
-@@ -XXX,XX +XXX,XX @@ static void openrisc_sim_net_init(hwaddr base, hwaddr descriptors,
+         !(env->cp15.scr_el3 & (SCR_NS | SCR_EEL2))) {
-         qdev_prop_set_uint32(splitter, "num-lines", num_cpus);
+         return CP_ACCESS_TRAP;
          qdev_realize_and_unref(splitter, NULL, &error_fatal);
          for (i = 0; i < num_cpus; i++) {
 -            qdev_connect_gpio_out(splitter, i, cpu_irqs[i][irq_pin]);
 +            qdev_connect_gpio_out(splitter, i, get_cpu_irq(cpus, i, irq_pin));
          }
          sysbus_connect_irq(s, 0, qdev_get_gpio_in(splitter, 0));
      } else {
 -        sysbus_connect_irq(s, 0, cpu_irqs[0][irq_pin]);
 +        sysbus_connect_irq(s, 0, get_cpu_irq(cpus, 0, irq_pin));
      }
-     sysbus_mmio_map(s, 0, base);
+-    return CP_ACCESS_OK;
-     sysbus_mmio_map(s, 1, descriptors);
++    return at_e012_access(env, ri, isread);
  }
- static void openrisc_sim_ompic_init(hwaddr base, int num_cpus,
+ static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri,
--                                    qemu_irq **cpu_irqs, int irq_pin)
+@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v8_cp_reginfo[] = {
-+                                    OpenRISCCPU *cpus[], int irq_pin)
+       .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 0,
- {
+       .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
-     DeviceState *dev;
+       .fgt = FGT_ATS1E1R,
-     SysBusDevice *s;
+-      .writefn = ats_write64 },
-@@ -XXX,XX +XXX,XX @@ static void openrisc_sim_ompic_init(hwaddr base, int num_cpus,
++      .accessfn = at_e012_access, .writefn = ats_write64 },
-     s = SYS_BUS_DEVICE(dev);
+     { .name = "AT_S1E1W", .state = ARM_CP_STATE_AA64,
-     sysbus_realize_and_unref(s, &error_fatal);
+       .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 1,
-     for (i = 0; i < num_cpus; i++) {
+       .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
--        sysbus_connect_irq(s, i, cpu_irqs[i][irq_pin]);
+       .fgt = FGT_ATS1E1W,
-+        sysbus_connect_irq(s, i, get_cpu_irq(cpus, i, irq_pin));
+-      .writefn = ats_write64 },
-     }
++      .accessfn = at_e012_access, .writefn = ats_write64 },
-     sysbus_mmio_map(s, 0, base);
+     { .name = "AT_S1E0R", .state = ARM_CP_STATE_AA64,
- }
+       .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 2,
-@@ -XXX,XX +XXX,XX @@ static void openrisc_sim_init(MachineState *machine)
+       .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
- {
+       .fgt = FGT_ATS1E0R,
-     ram_addr_t ram_size = machine->ram_size;
+-      .writefn = ats_write64 },
-     const char *kernel_filename = machine->kernel_filename;
++      .accessfn = at_e012_access, .writefn = ats_write64 },
--    OpenRISCCPU *cpu = NULL;
+     { .name = "AT_S1E0W", .state = ARM_CP_STATE_AA64,
-+    OpenRISCCPU *cpus[2] = {};
+       .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 3,
-     MemoryRegion *ram;
+       .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
--    qemu_irq *cpu_irqs[2];
+       .fgt = FGT_ATS1E0W,
-     qemu_irq serial_irq;
+-      .writefn = ats_write64 },
-     int n;
++      .accessfn = at_e012_access, .writefn = ats_write64 },
-     unsigned int smp_cpus = machine->smp.cpus;
+     { .name = "AT_S12E1R", .state = ARM_CP_STATE_AA64,
+       .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 4,
-     assert(smp_cpus >= 1 && smp_cpus <= 2);
+       .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
-     for (n = 0; n < smp_cpus; n++) {
+-      .writefn = ats_write64 },
--        cpu = OPENRISC_CPU(cpu_create(machine->cpu_type));
++      .accessfn = at_e012_access, .writefn = ats_write64 },
--        if (cpu == NULL) {
+     { .name = "AT_S12E1W", .state = ARM_CP_STATE_AA64,
-+        cpus[n] = OPENRISC_CPU(cpu_create(machine->cpu_type));
+       .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 5,
-+        if (cpus[n] == NULL) {
+       .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
-             fprintf(stderr, "Unable to find CPU definition!\n");
+-      .writefn = ats_write64 },
-             exit(1);
++      .accessfn = at_e012_access, .writefn = ats_write64 },
-         }
+     { .name = "AT_S12E0R", .state = ARM_CP_STATE_AA64,
--        cpu_openrisc_pic_init(cpu);
+       .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 6,
--        cpu_irqs[n] = (qemu_irq *) cpu->env.irq;
+       .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
-+        cpu_openrisc_pic_init(cpus[n]);
+-      .writefn = ats_write64 },
++      .accessfn = at_e012_access, .writefn = ats_write64 },
--        cpu_openrisc_clock_init(cpu);
+     { .name = "AT_S12E0W", .state = ARM_CP_STATE_AA64,
-+        cpu_openrisc_clock_init(cpus[n]);
+       .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 7,
+       .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
--        qemu_register_reset(main_cpu_reset, cpu);
+-      .writefn = ats_write64 },
-+        qemu_register_reset(main_cpu_reset, cpus[n]);
++      .accessfn = at_e012_access, .writefn = ats_write64 },
-     }
+     /* AT S1E2* are elsewhere as they UNDEF from EL3 if EL2 is not present */
+     { .name = "AT_S1E3R", .state = ARM_CP_STATE_AA64,
-     ram = g_malloc(sizeof(*ram));
+       .opc0 = 1, .opc1 = 6, .crn = 7, .crm = 8, .opc2 = 0,
-@@ -XXX,XX +XXX,XX @@ static void openrisc_sim_init(MachineState *machine)
+@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo ats1e1_reginfo[] = {
+       .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 9, .opc2 = 0,
-     if (nd_table[0].used) {
+       .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
-         openrisc_sim_net_init(0x92000000, 0x92000400, smp_cpus,
+       .fgt = FGT_ATS1E1RP,
--                              cpu_irqs, 4, nd_table);
+-      .writefn = ats_write64 },
-+                              cpus, 4, nd_table);
++      .accessfn = at_e012_access, .writefn = ats_write64 },
-     }
+     { .name = "AT_S1E1WP", .state = ARM_CP_STATE_AA64,
+       .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 9, .opc2 = 1,
-     if (smp_cpus > 1) {
+       .access = PL1_W, .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC,
--        openrisc_sim_ompic_init(0x98000000, smp_cpus, cpu_irqs, 1);
+       .fgt = FGT_ATS1E1WP,
-+        openrisc_sim_ompic_init(0x98000000, smp_cpus, cpus, 1);
+-      .writefn = ats_write64 },
++      .accessfn = at_e012_access, .writefn = ats_write64 },
--        serial_irq = qemu_irq_split(cpu_irqs[0][2], cpu_irqs[1][2]);
+ };
-+        serial_irq = qemu_irq_split(get_cpu_irq(cpus, 0, 2),
-+                                    get_cpu_irq(cpus, 1, 2));
+ static const ARMCPRegInfo ats1cp_reginfo[] = {
      } else {
 -        serial_irq = cpu_irqs[0][2];
 +        serial_irq = get_cpu_irq(cpus, 0, 2);
      }
      serial_mm_init(get_system_memory(), 0x90000000, 0, serial_irq,
 --
-.20.1
+.34.1

-[PULL 12/20] usb: Add versal-usb2-ctrl-regs module
+[PULL 33/35] target/arm/helper: Implement CNTHCTL_EL2.CNT[VP]MASK
-From: Sai Pavan Boddu <sai.pavan.boddu@xilinx.com>
+From: Jean-Philippe Brucker <jean-philippe@linaro.org>
-This module emulates control registers of versal usb2 controller, this is added
+When FEAT_RME is implemented, these bits override the value of
-just to make guest happy. In general this module would control the phy-reset
+CNT[VP]_CTL_EL0.IMASK in Realm and Root state. Move the IRQ state update
-signal from usb controller, data coherency of the transactions, signals
+into a new gt_update_irq() function and test those bits every time we
-the host system errors received from controller.
+recompute the IRQ state.
-Signed-off-by: Sai Pavan Boddu <sai.pavan.boddu@xilinx.com>
+Since we're removing the IRQ state from some trace events, add a new
-Signed-off-by: Vikram Garhwal <fnu.vikram@xilinx.com>
+trace event for gt_update_irq().
-Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
 Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
 Message-id: 20230809123706.1842548-7-jean-philippe@linaro.org
 [PMM: only register change hook if not USER_ONLY and if TCG]
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 1607023357-5096-2-git-send-email-sai.pavan.boddu@xilinx.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- include/hw/usb/xlnx-versal-usb2-ctrl-regs.h |  45 ++++
+ target/arm/cpu.h        |  4 +++
- hw/usb/xlnx-versal-usb2-ctrl-regs.c         | 229 ++++++++++++++++++++
+ target/arm/cpu.c        |  6 ++++
- hw/usb/meson.build                          |   1 +
+ target/arm/helper.c     | 65 ++++++++++++++++++++++++++++++++++-------
-files changed, 275 insertions(+)
+ target/arm/trace-events |  7 +++--
- create mode 100644 include/hw/usb/xlnx-versal-usb2-ctrl-regs.h
+files changed, 68 insertions(+), 14 deletions(-)
- create mode 100644 hw/usb/xlnx-versal-usb2-ctrl-regs.c
+diff --git a/target/arm/cpu.h b/target/arm/cpu.h
-diff --git a/include/hw/usb/xlnx-versal-usb2-ctrl-regs.h b/include/hw/usb/xlnx-versal-usb2-ctrl-regs.h
+index XXXXXXX..XXXXXXX 100644
-new file mode 100644
+--- a/target/arm/cpu.h
-index XXXXXXX..XXXXXXX
++++ b/target/arm/cpu.h
---- /dev/null
+@@ -XXX,XX +XXX,XX @@ struct ArchCPU {
-+++ b/include/hw/usb/xlnx-versal-usb2-ctrl-regs.h
+ };
-@@ -XXX,XX +XXX,XX @@
-+/*
+ unsigned int gt_cntfrq_period_ns(ARMCPU *cpu);
-+ * QEMU model of the VersalUsb2CtrlRegs Register control/Status block for
++void gt_rme_post_el_change(ARMCPU *cpu, void *opaque);
-+ * USB2.0 controller
-+ *
+ void arm_cpu_post_init(Object *obj);
-+ * Copyright (c) 2020 Xilinx Inc. Vikram Garhwal <fnu.vikram@xilinx.com>
-+ *
+@@ -XXX,XX +XXX,XX @@ static inline void xpsr_write(CPUARMState *env, uint32_t val, uint32_t mask)
-+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ #define HSTR_TTEE (1 << 16)
-+ * of this software and associated documentation files (the "Software"), to deal
+ #define HSTR_TJDBX (1 << 17)
-+ * in the Software without restriction, including without limitation the rights
-+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
++#define CNTHCTL_CNTVMASK      (1 << 18)
-+ * copies of the Software, and to permit persons to whom the Software is
++#define CNTHCTL_CNTPMASK      (1 << 19)
-+ * furnished to do so, subject to the following conditions:
++
-+ *
+ /* Return the current FPSCR value.  */
-+ * The above copyright notice and this permission notice shall be included in
+ uint32_t vfp_get_fpscr(CPUARMState *env);
-+ * all copies or substantial portions of the Software.
+ void vfp_set_fpscr(CPUARMState *env, uint32_t val);
-+ *
+diff --git a/target/arm/cpu.c b/target/arm/cpu.c
-+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+index XXXXXXX..XXXXXXX 100644
-+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+--- a/target/arm/cpu.c
-+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
++++ b/target/arm/cpu.c
-+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+@@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
-+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+         set_feature(env, ARM_FEATURE_VBAR);
-+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+     }
-+ * THE SOFTWARE.
-+ */
++#ifndef CONFIG_USER_ONLY
-+
++    if (tcg_enabled() && cpu_isar_feature(aa64_rme, cpu)) {
-+#ifndef _XLNX_USB2_REGS_H_
++        arm_register_el_change_hook(cpu, &gt_rme_post_el_change, 0);
-+#define _XLNX_USB2_REGS_H_
++    }
 +
 +#define TYPE_XILINX_VERSAL_USB2_CTRL_REGS "xlnx.versal-usb2-ctrl-regs"
 +
 +#define XILINX_VERSAL_USB2_CTRL_REGS(obj) \
 +     OBJECT_CHECK(VersalUsb2CtrlRegs, (obj), TYPE_XILINX_VERSAL_USB2_CTRL_REGS)
 +
 +#define USB2_REGS_R_MAX ((0x78 / 4) + 1)
 +
 +typedef struct VersalUsb2CtrlRegs {
 +    SysBusDevice parent_obj;
 +    MemoryRegion iomem;
 +    qemu_irq irq_ir;
 +
 +    uint32_t regs[USB2_REGS_R_MAX];
 +    RegisterInfo regs_info[USB2_REGS_R_MAX];
 +} VersalUsb2CtrlRegs;
 +
 +#endif
-diff --git a/hw/usb/xlnx-versal-usb2-ctrl-regs.c b/hw/usb/xlnx-versal-usb2-ctrl-regs.c
++
-new file mode 100644
+     register_cp_regs_for_features(cpu);
-index XXXXXXX..XXXXXXX
+     arm_cpu_register_gdb_regs_for_features(cpu);
---- /dev/null
-+++ b/hw/usb/xlnx-versal-usb2-ctrl-regs.c
+diff --git a/target/arm/helper.c b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@
+index XXXXXXX..XXXXXXX 100644
-+/*
+--- a/target/arm/helper.c
-+ * QEMU model of the VersalUsb2CtrlRegs Register control/Status block for
++++ b/target/arm/helper.c
-+ * USB2.0 controller
+@@ -XXX,XX +XXX,XX @@ static uint64_t gt_get_countervalue(CPUARMState *env)
-+ *
+     return qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) / gt_cntfrq_period_ns(cpu);
-+ * This module should control phy_reset, permanent device plugs, frame length
+ }
-+ * time adjust & setting of coherency paths. None of which are emulated in
-+ * present model.
++static void gt_update_irq(ARMCPU *cpu, int timeridx)
 + *
 + * Copyright (c) 2020 Xilinx Inc. Vikram Garhwal <fnu.vikram@xilinx.com>
 + *
 + * Permission is hereby granted, free of charge, to any person obtaining a copy
 + * of this software and associated documentation files (the "Software"), to deal
 + * in the Software without restriction, including without limitation the rights
 + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 + * copies of the Software, and to permit persons to whom the Software is
 + * furnished to do so, subject to the following conditions:
 + *
 + * The above copyright notice and this permission notice shall be included in
 + * all copies or substantial portions of the Software.
 + *
 + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
 + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 + * THE SOFTWARE.
 + */
 +
 +#include "qemu/osdep.h"
 +#include "hw/sysbus.h"
 +#include "hw/irq.h"
 +#include "hw/register.h"
 +#include "qemu/bitops.h"
 +#include "qemu/log.h"
 +#include "qom/object.h"
 +#include "migration/vmstate.h"
 +#include "hw/usb/xlnx-versal-usb2-ctrl-regs.h"
 +
 +#ifndef XILINX_VERSAL_USB2_CTRL_REGS_ERR_DEBUG
 +#define XILINX_VERSAL_USB2_CTRL_REGS_ERR_DEBUG 0
 +#endif
 +
 +REG32(BUS_FILTER, 0x30)
 +    FIELD(BUS_FILTER, BYPASS, 0, 4)
 +REG32(PORT, 0x34)
 +    FIELD(PORT, HOST_SMI_BAR_WR, 4, 1)
 +    FIELD(PORT, HOST_SMI_PCI_CMD_REG_WR, 3, 1)
 +    FIELD(PORT, HOST_MSI_ENABLE, 2, 1)
 +    FIELD(PORT, PWR_CTRL_PRSNT, 1, 1)
 +    FIELD(PORT, HUB_PERM_ATTACH, 0, 1)
 +REG32(JITTER_ADJUST, 0x38)
 +    FIELD(JITTER_ADJUST, FLADJ, 0, 6)
 +REG32(BIGENDIAN, 0x40)
 +    FIELD(BIGENDIAN, ENDIAN_GS, 0, 1)
 +REG32(COHERENCY, 0x44)
 +    FIELD(COHERENCY, USB_COHERENCY, 0, 1)
 +REG32(XHC_BME, 0x48)
 +    FIELD(XHC_BME, XHC_BME, 0, 1)
 +REG32(REG_CTRL, 0x60)
 +    FIELD(REG_CTRL, SLVERR_ENABLE, 0, 1)
 +REG32(IR_STATUS, 0x64)
 +    FIELD(IR_STATUS, HOST_SYS_ERR, 1, 1)
 +    FIELD(IR_STATUS, ADDR_DEC_ERR, 0, 1)
 +REG32(IR_MASK, 0x68)
 +    FIELD(IR_MASK, HOST_SYS_ERR, 1, 1)
 +    FIELD(IR_MASK, ADDR_DEC_ERR, 0, 1)
 +REG32(IR_ENABLE, 0x6c)
 +    FIELD(IR_ENABLE, HOST_SYS_ERR, 1, 1)
 +    FIELD(IR_ENABLE, ADDR_DEC_ERR, 0, 1)
 +REG32(IR_DISABLE, 0x70)
 +    FIELD(IR_DISABLE, HOST_SYS_ERR, 1, 1)
 +    FIELD(IR_DISABLE, ADDR_DEC_ERR, 0, 1)
 +REG32(USB3, 0x78)
 +
 +static void ir_update_irq(VersalUsb2CtrlRegs *s)
 +{
-+    bool pending = s->regs[R_IR_STATUS] & ~s->regs[R_IR_MASK];
++    CPUARMState *env = &cpu->env;
-+    qemu_set_irq(s->irq_ir, pending);
++    uint64_t cnthctl = env->cp15.cnthctl_el2;
 +    ARMSecuritySpace ss = arm_security_space(env);
 +    /* ISTATUS && !IMASK */
 +    int irqstate = (env->cp15.c14_timer[timeridx].ctl & 6) == 4;
 +
 +    /*
 +     * If bit CNTHCTL_EL2.CNT[VP]MASK is set, it overrides IMASK.
 +     * It is RES0 in Secure and NonSecure state.
 +     */
 +    if ((ss == ARMSS_Root || ss == ARMSS_Realm) &&
 +        ((timeridx == GTIMER_VIRT && (cnthctl & CNTHCTL_CNTVMASK)) ||
 +         (timeridx == GTIMER_PHYS && (cnthctl & CNTHCTL_CNTPMASK)))) {
 +        irqstate = 0;
 +    }
 +
 +    qemu_set_irq(cpu->gt_timer_outputs[timeridx], irqstate);
 +    trace_arm_gt_update_irq(timeridx, irqstate);
 +}
 +
-+static void ir_status_postw(RegisterInfo *reg, uint64_t val64)
++void gt_rme_post_el_change(ARMCPU *cpu, void *ignored)
 +{
-+    VersalUsb2CtrlRegs *s = XILINX_VERSAL_USB2_CTRL_REGS(reg->opaque);
 +    /*
-+     * TODO: This should also clear USBSTS.HSE field in USB XHCI register.
++     * Changing security state between Root and Secure/NonSecure, which may
-+     * May be combine both the modules.
++     * happen when switching EL, can change the effective value of CNTHCTL_EL2
 +     * mask bits. Update the IRQ state accordingly.
 +     */
-+    ir_update_irq(s);
++    gt_update_irq(cpu, GTIMER_VIRT);
 +    gt_update_irq(cpu, GTIMER_PHYS);
 +}
 +
-+static uint64_t ir_enable_prew(RegisterInfo *reg, uint64_t val64)
+ static void gt_recalc_timer(ARMCPU *cpu, int timeridx)
  {
      ARMGenericTimer *gt = &cpu->env.cp15.c14_timer[timeridx];
@@ -XXX,XX +XXX,XX @@ static void gt_recalc_timer(ARMCPU *cpu, int timeridx)
          /* Note that this must be unsigned 64 bit arithmetic: */
          int istatus = count - offset >= gt->cval;
          uint64_t nexttick;
 -        int irqstate;
          gt->ctl = deposit32(gt->ctl, 2, 1, istatus);
 -        irqstate = (istatus && !(gt->ctl & 2));
 -        qemu_set_irq(cpu->gt_timer_outputs[timeridx], irqstate);
 -
          if (istatus) {
              /* Next transition is when count rolls back over to zero */
              nexttick = UINT64_MAX;
@@ -XXX,XX +XXX,XX @@ static void gt_recalc_timer(ARMCPU *cpu, int timeridx)
          } else {
              timer_mod(cpu->gt_timer[timeridx], nexttick);
          }
 -        trace_arm_gt_recalc(timeridx, irqstate, nexttick);
 +        trace_arm_gt_recalc(timeridx, nexttick);
      } else {
          /* Timer disabled: ISTATUS and timer output always clear */
          gt->ctl &= ~4;
 -        qemu_set_irq(cpu->gt_timer_outputs[timeridx], 0);
          timer_del(cpu->gt_timer[timeridx]);
          trace_arm_gt_recalc_disabled(timeridx);
      }
 +    gt_update_irq(cpu, timeridx);
  }
  static void gt_timer_reset(CPUARMState *env, const ARMCPRegInfo *ri,
@@ -XXX,XX +XXX,XX @@ static void gt_ctl_write(CPUARMState *env, const ARMCPRegInfo *ri,
           * IMASK toggled: don't need to recalculate,
           * just set the interrupt line based on ISTATUS
           */
 -        int irqstate = (oldval & 4) && !(value & 2);
 -
 -        trace_arm_gt_imask_toggle(timeridx, irqstate);
 -        qemu_set_irq(cpu->gt_timer_outputs[timeridx], irqstate);
 +        trace_arm_gt_imask_toggle(timeridx);
 +        gt_update_irq(cpu, timeridx);
      }
  }
@@ -XXX,XX +XXX,XX @@ static void gt_virt_ctl_write(CPUARMState *env, const ARMCPRegInfo *ri,
      gt_ctl_write(env, ri, GTIMER_VIRT, value);
  }
 +static void gt_cnthctl_write(CPUARMState *env, const ARMCPRegInfo *ri,
 +                             uint64_t value)
 +{
-+    VersalUsb2CtrlRegs *s = XILINX_VERSAL_USB2_CTRL_REGS(reg->opaque);
++    ARMCPU *cpu = env_archcpu(env);
-+    uint32_t val = val64;
++    uint32_t oldval = env->cp15.cnthctl_el2;
 +
-+    s->regs[R_IR_MASK] &= ~val;
++    raw_write(env, ri, value);
-+    ir_update_irq(s);
++
-+    return 0;
++    if ((oldval ^ value) & CNTHCTL_CNTVMASK) {
-+}
++        gt_update_irq(cpu, GTIMER_VIRT);
-+
++    } else if ((oldval ^ value) & CNTHCTL_CNTPMASK) {
-+static uint64_t ir_disable_prew(RegisterInfo *reg, uint64_t val64)
++        gt_update_irq(cpu, GTIMER_PHYS);
 +{
 +    VersalUsb2CtrlRegs *s = XILINX_VERSAL_USB2_CTRL_REGS(reg->opaque);
 +    uint32_t val = val64;
 +
 +    s->regs[R_IR_MASK] |= val;
 +    ir_update_irq(s);
 +    return 0;
 +}
 +
 +static const RegisterAccessInfo usb2_ctrl_regs_regs_info[] = {
 +    {   .name = "BUS_FILTER",  .addr = A_BUS_FILTER,
 +        .rsvd = 0xfffffff0,
 +    },{ .name = "PORT",  .addr = A_PORT,
 +        .rsvd = 0xffffffe0,
 +    },{ .name = "JITTER_ADJUST",  .addr = A_JITTER_ADJUST,
 +        .reset = 0x20,
 +        .rsvd = 0xffffffc0,
 +    },{ .name = "BIGENDIAN",  .addr = A_BIGENDIAN,
 +        .rsvd = 0xfffffffe,
 +    },{ .name = "COHERENCY",  .addr = A_COHERENCY,
 +        .rsvd = 0xfffffffe,
 +    },{ .name = "XHC_BME",  .addr = A_XHC_BME,
 +        .reset = 0x1,
 +        .rsvd = 0xfffffffe,
 +    },{ .name = "REG_CTRL",  .addr = A_REG_CTRL,
 +        .rsvd = 0xfffffffe,
 +    },{ .name = "IR_STATUS",  .addr = A_IR_STATUS,
 +        .rsvd = 0xfffffffc,
 +        .w1c = 0x3,
 +        .post_write = ir_status_postw,
 +    },{ .name = "IR_MASK",  .addr = A_IR_MASK,
 +        .reset = 0x3,
 +        .rsvd = 0xfffffffc,
 +        .ro = 0x3,
 +    },{ .name = "IR_ENABLE",  .addr = A_IR_ENABLE,
 +        .rsvd = 0xfffffffc,
 +        .pre_write = ir_enable_prew,
 +    },{ .name = "IR_DISABLE",  .addr = A_IR_DISABLE,
 +        .rsvd = 0xfffffffc,
 +        .pre_write = ir_disable_prew,
 +    },{ .name = "USB3",  .addr = A_USB3,
 +    }
 +};
 +
 +static void usb2_ctrl_regs_reset_init(Object *obj, ResetType type)
 +{
 +    VersalUsb2CtrlRegs *s = XILINX_VERSAL_USB2_CTRL_REGS(obj);
 +    unsigned int i;
 +
 +    for (i = 0; i < ARRAY_SIZE(s->regs_info); ++i) {
 +        register_reset(&s->regs_info[i]);
 +    }
 +}
 +
-+static void usb2_ctrl_regs_reset_hold(Object *obj)
+ static void gt_cntvoff_write(CPUARMState *env, const ARMCPRegInfo *ri,
-+{
+                               uint64_t value)
-+    VersalUsb2CtrlRegs *s = XILINX_VERSAL_USB2_CTRL_REGS(obj);
+ {
-+
+@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el2_cp_reginfo[] = {
-+    ir_update_irq(s);
+        * reset values as IMPDEF. We choose to reset to 3 to comply with
-+}
+        * both ARMv7 and ARMv8.
-+
+        */
-+static const MemoryRegionOps usb2_ctrl_regs_ops = {
+-      .access = PL2_RW, .resetvalue = 3,
-+    .read = register_read_memory,
++      .access = PL2_RW, .type = ARM_CP_IO, .resetvalue = 3,
-+    .write = register_write_memory,
++      .writefn = gt_cnthctl_write, .raw_writefn = raw_write,
-+    .endianness = DEVICE_LITTLE_ENDIAN,
+       .fieldoffset = offsetof(CPUARMState, cp15.cnthctl_el2) },
-+    .valid = {
+     { .name = "CNTVOFF_EL2", .state = ARM_CP_STATE_AA64,
-+        .min_access_size = 4,
+       .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 0, .opc2 = 3,
-+        .max_access_size = 4,
+diff --git a/target/arm/trace-events b/target/arm/trace-events
-+    },
+index XXXXXXX..XXXXXXX 100644
-+};
+--- a/target/arm/trace-events
-+
++++ b/target/arm/trace-events
-+static void usb2_ctrl_regs_init(Object *obj)
+@@ -XXX,XX +XXX,XX @@
-+{
+ # See docs/devel/tracing.rst for syntax documentation.
-+    VersalUsb2CtrlRegs *s = XILINX_VERSAL_USB2_CTRL_REGS(obj);
-+    SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
+ # helper.c
-+    RegisterInfoArray *reg_array;
+-arm_gt_recalc(int timer, int irqstate, uint64_t nexttick) "gt recalc: timer %d irqstate %d next tick 0x%" PRIx64
-+
+-arm_gt_recalc_disabled(int timer) "gt recalc: timer %d irqstate 0 timer disabled"
-+    memory_region_init(&s->iomem, obj, TYPE_XILINX_VERSAL_USB2_CTRL_REGS,
++arm_gt_recalc(int timer, uint64_t nexttick) "gt recalc: timer %d next tick 0x%" PRIx64
-+                       USB2_REGS_R_MAX * 4);
++arm_gt_recalc_disabled(int timer) "gt recalc: timer %d timer disabled"
-+    reg_array =
+ arm_gt_cval_write(int timer, uint64_t value) "gt_cval_write: timer %d value 0x%" PRIx64
-+        register_init_block32(DEVICE(obj), usb2_ctrl_regs_regs_info,
+ arm_gt_tval_write(int timer, uint64_t value) "gt_tval_write: timer %d value 0x%" PRIx64
-+                              ARRAY_SIZE(usb2_ctrl_regs_regs_info),
+ arm_gt_ctl_write(int timer, uint64_t value) "gt_ctl_write: timer %d value 0x%" PRIx64
-+                              s->regs_info, s->regs,
+-arm_gt_imask_toggle(int timer, int irqstate) "gt_ctl_write: timer %d IMASK toggle, new irqstate %d"
-+                              &usb2_ctrl_regs_ops,
++arm_gt_imask_toggle(int timer) "gt_ctl_write: timer %d IMASK toggle"
-+                              XILINX_VERSAL_USB2_CTRL_REGS_ERR_DEBUG,
+ arm_gt_cntvoff_write(uint64_t value) "gt_cntvoff_write: value 0x%" PRIx64
-+                              USB2_REGS_R_MAX * 4);
++arm_gt_update_irq(int timer, int irqstate) "gt_update_irq: timer %d irqstate %d"
-+    memory_region_add_subregion(&s->iomem,
-+                                0x0,
+ # kvm.c
-+                                &reg_array->mem);
+ kvm_arm_fixup_msi_route(uint64_t iova, uint64_t gpa) "MSI iova = 0x%"PRIx64" is translated into 0x%"PRIx64
 +    sysbus_init_mmio(sbd, &s->iomem);
 +    sysbus_init_irq(sbd, &s->irq_ir);
 +}
 +
 +static const VMStateDescription vmstate_usb2_ctrl_regs = {
 +    .name = TYPE_XILINX_VERSAL_USB2_CTRL_REGS,
 +    .version_id = 1,
 +    .minimum_version_id = 1,
 +    .fields = (VMStateField[]) {
 +        VMSTATE_UINT32_ARRAY(regs, VersalUsb2CtrlRegs, USB2_REGS_R_MAX),
 +        VMSTATE_END_OF_LIST(),
 +    }
 +};
 +
 +static void usb2_ctrl_regs_class_init(ObjectClass *klass, void *data)
 +{
 +    DeviceClass *dc = DEVICE_CLASS(klass);
 +    ResettableClass *rc = RESETTABLE_CLASS(klass);
 +
 +    rc->phases.enter = usb2_ctrl_regs_reset_init;
 +    rc->phases.hold  = usb2_ctrl_regs_reset_hold;
 +    dc->vmsd = &vmstate_usb2_ctrl_regs;
 +}
 +
 +static const TypeInfo usb2_ctrl_regs_info = {
 +    .name          = TYPE_XILINX_VERSAL_USB2_CTRL_REGS,
 +    .parent        = TYPE_SYS_BUS_DEVICE,
 +    .instance_size = sizeof(VersalUsb2CtrlRegs),
 +    .class_init    = usb2_ctrl_regs_class_init,
 +    .instance_init = usb2_ctrl_regs_init,
 +};
 +
 +static void usb2_ctrl_regs_register_types(void)
 +{
 +    type_register_static(&usb2_ctrl_regs_info);
 +}
 +
 +type_init(usb2_ctrl_regs_register_types)
 diff --git a/hw/usb/meson.build b/hw/usb/meson.build
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/usb/meson.build
 +++ b/hw/usb/meson.build
@@ -XXX,XX +XXX,XX @@ softmmu_ss.add(when: 'CONFIG_USB_DWC2', if_true: files('hcd-dwc2.c'))
  softmmu_ss.add(when: 'CONFIG_TUSB6010', if_true: files('tusb6010.c'))
  softmmu_ss.add(when: 'CONFIG_IMX', if_true: files('chipidea.c'))
  softmmu_ss.add(when: 'CONFIG_IMX_USBPHY', if_true: files('imx-usb-phy.c'))
 +specific_ss.add(when: 'CONFIG_XLNX_VERSAL', if_true: files('xlnx-versal-usb2-ctrl-regs.c'))
  # emulated usb devices
  softmmu_ss.add(when: 'CONFIG_USB', if_true: files('dev-hub.c'))
 --
-.20.1
+.34.1

-[PULL 18/20] hw/block/m25p80: Fix when VCFG XIP bit is set for Numonyx
+[PULL 34/35] target/arm: Fix SME ST1Q
-From: Joe Komlodi <joe.komlodi@xilinx.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-VCFG XIP is set (disabled) when the NVCFG XIP bits are all set (disabled).
+A typo, noted in the bug report, resulting in an
 incorrect write offset.
-Signed-off-by: Joe Komlodi <komlodi@xilinx.com>
+Cc: qemu-stable@nongnu.org
-Reviewed-by: Francisco Iglesias <francisco.iglesias@xilinx.com>
+Fixes: 7390e0e9ab8 ("target/arm: Implement SME LD1, ST1")
-Message-id: 1605568264-26376-3-git-send-email-komlodi@xilinx.com
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1833
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Message-id: 20230818214255.146905-1-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/block/m25p80.c | 2 +-
+ target/arm/tcg/sme_helper.c | 2 +-
 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/hw/block/m25p80.c b/hw/block/m25p80.c
+diff --git a/target/arm/tcg/sme_helper.c b/target/arm/tcg/sme_helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/block/m25p80.c
+--- a/target/arm/tcg/sme_helper.c
-+++ b/hw/block/m25p80.c
++++ b/target/arm/tcg/sme_helper.c
-@@ -XXX,XX +XXX,XX @@ static void reset_memory(Flash *s)
+@@ -XXX,XX +XXX,XX @@ static inline void HNAME##_host(void *za, intptr_t off, void *host)         \
-         s->volatile_cfg |= VCFG_DUMMY;
+ {                                                                           \
-         s->volatile_cfg |= VCFG_WRAP_SEQUENTIAL;
+     uint64_t *ptr = za + off;                                               \
-         if ((s->nonvolatile_cfg & NVCFG_XIP_MODE_MASK)
+     HOST(host, ptr[BE]);                                                    \
--                                != NVCFG_XIP_MODE_DISABLED) {
+-    HOST(host + 1, ptr[!BE]);                                               \
-+                                == NVCFG_XIP_MODE_DISABLED) {
++    HOST(host + 8, ptr[!BE]);                                               \
-             s->volatile_cfg |= VCFG_XIP_MODE_DISABLED;
+ }                                                                           \
-         }
+ static inline void VNAME##_v_host(void *za, intptr_t off, void *host)       \
-         s->volatile_cfg |= deposit32(s->volatile_cfg,
+ {                                                                           \
 --
-.20.1
+.34.1

-[PULL 01/20] gdbstub: Correct misparsing of vCont C/S requests
+[PULL 35/35] target/arm: Fix 64-bit SSRA
-In the vCont packet, two of the command actions (C and S) take an
+From: Richard Henderson <richard.henderson@linaro.org>
 argument specifying the signal to be sent to the process/thread, which is
 sent as an ASCII string of two hex digits which immediately follow the
 'C' or 'S' character.
-Our code for parsing this packet accidentally skipped the first of the
+Typo applied byte-wise shift instead of double-word shift.
 two bytes of the signal value, because it started parsing the hex string
 at 'p + 1' when the preceding code had already moved past the 'C' or
 'S' with "cur_action = *p++".
-This meant that we would only do the right thing for signals below
+Cc: qemu-stable@nongnu.org
-, and would misinterpret the rest.  For instance, when the debugger
+Fixes: 631e565450c ("target/arm: Create gen_gvec_[us]sra")
-wants to send the process a SIGPROF (27 on x86-64) we mangle this into
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1737
-a SIGSEGV (11).
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
-Remove the accidental double increment.
+Message-id: 20230821022025.397682-1-richard.henderson@linaro.org
 Fixes: https://bugs.launchpad.net/qemu/+bug/1773743
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Message-id: 20201121210342.10089-1-peter.maydell@linaro.org
 ---
- gdbstub.c | 2 +-
+ target/arm/tcg/translate.c | 2 +-
 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/gdbstub.c b/gdbstub.c
+diff --git a/target/arm/tcg/translate.c b/target/arm/tcg/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/gdbstub.c
+--- a/target/arm/tcg/translate.c
-+++ b/gdbstub.c
++++ b/target/arm/tcg/translate.c
-@@ -XXX,XX +XXX,XX @@ static int gdb_handle_vcont(const char *p)
+@@ -XXX,XX +XXX,XX @@ void gen_gvec_ssra(unsigned vece, uint32_t rd_ofs, uint32_t rm_ofs,
-         cur_action = *p++;
+           .vece = MO_32 },
-         if (cur_action == 'C' || cur_action == 'S') {
+         { .fni8 = gen_ssra64_i64,
-             cur_action = qemu_tolower(cur_action);
+           .fniv = gen_ssra_vec,
--            res = qemu_strtoul(p + 1, &p, 16, &tmp);
+-          .fno = gen_helper_gvec_ssra_b,
-+            res = qemu_strtoul(p, &p, 16, &tmp);
++          .fno = gen_helper_gvec_ssra_d,
-             if (res) {
+           .prefer_i64 = TCG_TARGET_REG_BITS == 64,
-                 goto out;
+           .opt_opc = vecop_list,
-             }
+           .load_dest = true,
 --
-.20.1
+.34.1

A grab-bag of minor stuff for the end of the year. My to-review
queue is not empty, but it it at least in single figures...

-- PMM

The following changes since commit 5bfbd8170ce7acb98a1834ff49ed7340b0837144:

Merge remote-tracking branch 'remotes/vivier2/tags/trivial-branch-for-6.0-pull-request' into staging (2020-12-14 20:32:38 +0000)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20201215

for you to fetch changes up to 23af268566069183285bebbdf95b1b37cb7c0942:

hw/block/m25p80: Fix Numonyx fast read dummy cycle count (2020-12-15 13:39:30 +0000)

----------------------------------------------------------------
target-arm queue:
 * gdbstub: Correct misparsing of vCont C/S requests
 * openrisc: Move pic_cpu code into CPU object proper
 * nios2: Move IIC code into CPU object proper
 * Improve reporting of ROM overlap errors
 * xlnx-versal: Add USB support
 * hw/misc/zynq_slcr: Avoid #DIV/0! error
 * Numonyx: Fix dummy cycles and check for SPI mode on cmds

----------------------------------------------------------------
Joe Komlodi (4):
      hw/block/m25p80: Make Numonyx config field names more accurate
      hw/block/m25p80: Fix when VCFG XIP bit is set for Numonyx
      hw/block/m25p80: Check SPI mode before running some Numonyx commands
      hw/block/m25p80: Fix Numonyx fast read dummy cycle count

Peter Maydell (11):
      gdbstub: Correct misparsing of vCont C/S requests
      hw/openrisc/openrisc_sim: Use IRQ splitter when connecting IRQ to multiple CPUs
      hw/openrisc/openrisc_sim: Abstract out "get IRQ x of CPU y"
      target/openrisc: Move pic_cpu code into CPU object proper
      target/nios2: Move IIC code into CPU object proper
      target/nios2: Move nios2_check_interrupts() into target/nios2
      target/nios2: Use deposit32() to update ipending register
      hw/core/loader.c: Track last-seen ROM in rom_check_and_register_reset()
      hw/core/loader.c: Improve reporting of ROM overlap errors
      elf_ops.h: Don't truncate name of the ROM blobs we create
      elf_ops.h: Be more verbose with ROM blob names

Philippe Mathieu-Daudé (1):
      hw/misc/zynq_slcr: Avoid #DIV/0! error

Sai Pavan Boddu (2):
      usb: Add versal-usb2-ctrl-regs module
      usb: xlnx-usb-subsystem: Add xilinx usb subsystem

Vikram Garhwal (2):
      usb: Add DWC3 model
      arm: xlnx-versal: Connect usb to virt-versal

include/hw/arm/xlnx-versal.h                |   9 +
 include/hw/elf_ops.h                        |   5 +-
 include/hw/usb/hcd-dwc3.h                   |  55 +++
 include/hw/usb/xlnx-usb-subsystem.h         |  45 ++
 include/hw/usb/xlnx-versal-usb2-ctrl-regs.h |  45 ++
 target/nios2/cpu.h                          |   3 -
 target/openrisc/cpu.h                       |   1 -
 gdbstub.c                                   |   2 +-
 hw/arm/xlnx-versal-virt.c                   |  55 +++
 hw/arm/xlnx-versal.c                        |  26 ++
 hw/block/m25p80.c                           | 158 +++++--
 hw/core/loader.c                            |  67 ++-
 hw/intc/nios2_iic.c                         |  95 ----
 hw/misc/zynq_slcr.c                         |   5 +
 hw/nios2/10m50_devboard.c                   |  13 +-
 hw/nios2/cpu_pic.c                          |  67 ---
 hw/openrisc/openrisc_sim.c                  |  46 +-
 hw/openrisc/pic_cpu.c                       |  61 ---
 hw/usb/hcd-dwc3.c                           | 689 ++++++++++++++++++++++++++++
 hw/usb/xlnx-usb-subsystem.c                 |  94 ++++
 hw/usb/xlnx-versal-usb2-ctrl-regs.c         | 229 +++++++++
 softmmu/vl.c                                |   1 -
 target/nios2/cpu.c                          |  29 ++
 target/nios2/op_helper.c                    |   9 +
 target/openrisc/cpu.c                       |  32 ++
 MAINTAINERS                                 |   1 -
 hw/intc/meson.build                         |   1 -
 hw/nios2/meson.build                        |   2 +-
 hw/openrisc/Kconfig                         |   1 +
 hw/openrisc/meson.build                     |   2 +-
 hw/usb/Kconfig                              |  10 +
 hw/usb/meson.build                          |   3 +
 32 files changed, 1557 insertions(+), 304 deletions(-)
 create mode 100644 include/hw/usb/hcd-dwc3.h
 create mode 100644 include/hw/usb/xlnx-usb-subsystem.h
 create mode 100644 include/hw/usb/xlnx-versal-usb2-ctrl-regs.h
 delete mode 100644 hw/intc/nios2_iic.c
 delete mode 100644 hw/nios2/cpu_pic.c
 delete mode 100644 hw/openrisc/pic_cpu.c
 create mode 100644 hw/usb/hcd-dwc3.c
 create mode 100644 hw/usb/xlnx-usb-subsystem.c
 create mode 100644 hw/usb/xlnx-versal-usb2-ctrl-regs.c

In the vCont packet, two of the command actions (C and S) take an
argument specifying the signal to be sent to the process/thread, which is
sent as an ASCII string of two hex digits which immediately follow the
'C' or 'S' character.

Our code for parsing this packet accidentally skipped the first of the
two bytes of the signal value, because it started parsing the hex string
at 'p + 1' when the preceding code had already moved past the 'C' or
'S' with "cur_action = *p++".

This meant that we would only do the right thing for signals below
10, and would misinterpret the rest.  For instance, when the debugger
wants to send the process a SIGPROF (27 on x86-64) we mangle this into
a SIGSEGV (11).

Remove the accidental double increment.

Fixes: https://bugs.launchpad.net/qemu/+bug/1773743
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20201121210342.10089-1-peter.maydell@linaro.org
---
 gdbstub.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gdbstub.c b/gdbstub.c
index XXXXXXX..XXXXXXX 100644
--- a/gdbstub.c
+++ b/gdbstub.c
@@ -XXX,XX +XXX,XX @@ static int gdb_handle_vcont(const char *p)
         cur_action = *p++;
         if (cur_action == 'C' || cur_action == 'S') {
             cur_action = qemu_tolower(cur_action);
-            res = qemu_strtoul(p + 1, &p, 16, &tmp);
+            res = qemu_strtoul(p, &p, 16, &tmp);
             if (res) {
                 goto out;
             }
-- 
2.20.1

openrisc_sim_net_init() attempts to connect the IRQ line from the
ethernet device to both CPUs in an SMP configuration by simply caling
sysbus_connect_irq() for it twice.  This doesn't work, because the
second connection simply overrides the first.

Fix this by creating a TYPE_SPLIT_IRQ to split the IRQ in the SMP
case.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Stafford Horne <shorne@gmail.com>
Message-id: 20201127225127.14770-2-peter.maydell@linaro.org
---
 hw/openrisc/openrisc_sim.c | 13 +++++++++++--
 hw/openrisc/Kconfig        |  1 +
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/hw/openrisc/openrisc_sim.c b/hw/openrisc/openrisc_sim.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/openrisc/openrisc_sim.c
+++ b/hw/openrisc/openrisc_sim.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/sysbus.h"
 #include "sysemu/qtest.h"
 #include "sysemu/reset.h"
+#include "hw/core/split-irq.h"
 
 #define KERNEL_LOAD_ADDR 0x100
 
@@ -XXX,XX +XXX,XX @@ static void openrisc_sim_net_init(hwaddr base, hwaddr descriptors,
 
     s = SYS_BUS_DEVICE(dev);
     sysbus_realize_and_unref(s, &error_fatal);
-    for (i = 0; i < num_cpus; i++) {
-        sysbus_connect_irq(s, 0, cpu_irqs[i][irq_pin]);
+    if (num_cpus > 1) {
+        DeviceState *splitter = qdev_new(TYPE_SPLIT_IRQ);
+        qdev_prop_set_uint32(splitter, "num-lines", num_cpus);
+        qdev_realize_and_unref(splitter, NULL, &error_fatal);
+        for (i = 0; i < num_cpus; i++) {
+            qdev_connect_gpio_out(splitter, i, cpu_irqs[i][irq_pin]);
+        }
+        sysbus_connect_irq(s, 0, qdev_get_gpio_in(splitter, 0));
+    } else {
+        sysbus_connect_irq(s, 0, cpu_irqs[0][irq_pin]);
     }
     sysbus_mmio_map(s, 0, base);
     sysbus_mmio_map(s, 1, descriptors);
diff --git a/hw/openrisc/Kconfig b/hw/openrisc/Kconfig
index XXXXXXX..XXXXXXX 100644
--- a/hw/openrisc/Kconfig
+++ b/hw/openrisc/Kconfig
@@ -XXX,XX +XXX,XX @@ config OR1K_SIM
     select SERIAL
     select OPENCORES_ETH
     select OMPIC
+    select SPLIT_IRQ
-- 
2.20.1

We're about to refactor the OpenRISC pic_cpu code in a way that means
that just grabbing the whole qemu_irq[] array of inbound IRQs for a
CPU won't be possible any more.  Abstract out a function for "return
the qemu_irq for IRQ x input of CPU y" so we can more easily replace
the implementation.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Stafford Horne <shorne@gmail.com>
Message-id: 20201127225127.14770-3-peter.maydell@linaro.org
---
 hw/openrisc/openrisc_sim.c | 38 +++++++++++++++++++++-----------------
 1 file changed, 21 insertions(+), 17 deletions(-)

diff --git a/hw/openrisc/openrisc_sim.c b/hw/openrisc/openrisc_sim.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/openrisc/openrisc_sim.c
+++ b/hw/openrisc/openrisc_sim.c
@@ -XXX,XX +XXX,XX @@ static void main_cpu_reset(void *opaque)
     cpu_set_pc(cs, boot_info.bootstrap_pc);
 }
 
+static qemu_irq get_cpu_irq(OpenRISCCPU *cpus[], int cpunum, int irq_pin)
+{
+    return cpus[cpunum]->env.irq[irq_pin];
+}
+
 static void openrisc_sim_net_init(hwaddr base, hwaddr descriptors,
-                                  int num_cpus, qemu_irq **cpu_irqs,
+                                  int num_cpus, OpenRISCCPU *cpus[],
                                   int irq_pin, NICInfo *nd)
 {
     DeviceState *dev;
@@ -XXX,XX +XXX,XX @@ static void openrisc_sim_net_init(hwaddr base, hwaddr descriptors,
         qdev_prop_set_uint32(splitter, "num-lines", num_cpus);
         qdev_realize_and_unref(splitter, NULL, &error_fatal);
         for (i = 0; i < num_cpus; i++) {
-            qdev_connect_gpio_out(splitter, i, cpu_irqs[i][irq_pin]);
+            qdev_connect_gpio_out(splitter, i, get_cpu_irq(cpus, i, irq_pin));
         }
         sysbus_connect_irq(s, 0, qdev_get_gpio_in(splitter, 0));
     } else {
-        sysbus_connect_irq(s, 0, cpu_irqs[0][irq_pin]);
+        sysbus_connect_irq(s, 0, get_cpu_irq(cpus, 0, irq_pin));
     }
     sysbus_mmio_map(s, 0, base);
     sysbus_mmio_map(s, 1, descriptors);
 }
 
 static void openrisc_sim_ompic_init(hwaddr base, int num_cpus,
-                                    qemu_irq **cpu_irqs, int irq_pin)
+                                    OpenRISCCPU *cpus[], int irq_pin)
 {
     DeviceState *dev;
     SysBusDevice *s;
@@ -XXX,XX +XXX,XX @@ static void openrisc_sim_ompic_init(hwaddr base, int num_cpus,
     s = SYS_BUS_DEVICE(dev);
     sysbus_realize_and_unref(s, &error_fatal);
     for (i = 0; i < num_cpus; i++) {
-        sysbus_connect_irq(s, i, cpu_irqs[i][irq_pin]);
+        sysbus_connect_irq(s, i, get_cpu_irq(cpus, i, irq_pin));
     }
     sysbus_mmio_map(s, 0, base);
 }
@@ -XXX,XX +XXX,XX @@ static void openrisc_sim_init(MachineState *machine)
 {
     ram_addr_t ram_size = machine->ram_size;
     const char *kernel_filename = machine->kernel_filename;
-    OpenRISCCPU *cpu = NULL;
+    OpenRISCCPU *cpus[2] = {};
     MemoryRegion *ram;
-    qemu_irq *cpu_irqs[2];
     qemu_irq serial_irq;
     int n;
     unsigned int smp_cpus = machine->smp.cpus;
 
     assert(smp_cpus >= 1 && smp_cpus <= 2);
     for (n = 0; n < smp_cpus; n++) {
-        cpu = OPENRISC_CPU(cpu_create(machine->cpu_type));
-        if (cpu == NULL) {
+        cpus[n] = OPENRISC_CPU(cpu_create(machine->cpu_type));
+        if (cpus[n] == NULL) {
             fprintf(stderr, "Unable to find CPU definition!\n");
             exit(1);
         }
-        cpu_openrisc_pic_init(cpu);
-        cpu_irqs[n] = (qemu_irq *) cpu->env.irq;
+        cpu_openrisc_pic_init(cpus[n]);
 
-        cpu_openrisc_clock_init(cpu);
+        cpu_openrisc_clock_init(cpus[n]);
 
-        qemu_register_reset(main_cpu_reset, cpu);
+        qemu_register_reset(main_cpu_reset, cpus[n]);
     }
 
     ram = g_malloc(sizeof(*ram));
@@ -XXX,XX +XXX,XX @@ static void openrisc_sim_init(MachineState *machine)
 
     if (nd_table[0].used) {
         openrisc_sim_net_init(0x92000000, 0x92000400, smp_cpus,
-                              cpu_irqs, 4, nd_table);
+                              cpus, 4, nd_table);
     }
 
     if (smp_cpus > 1) {
-        openrisc_sim_ompic_init(0x98000000, smp_cpus, cpu_irqs, 1);
+        openrisc_sim_ompic_init(0x98000000, smp_cpus, cpus, 1);
 
-        serial_irq = qemu_irq_split(cpu_irqs[0][2], cpu_irqs[1][2]);
+        serial_irq = qemu_irq_split(get_cpu_irq(cpus, 0, 2),
+                                    get_cpu_irq(cpus, 1, 2));
     } else {
-        serial_irq = cpu_irqs[0][2];
+        serial_irq = get_cpu_irq(cpus, 0, 2);
     }
 
     serial_mm_init(get_system_memory(), 0x90000000, 0, serial_irq,
-- 
2.20.1

The openrisc code uses an old style of interrupt handling, where a
separate standalone set of qemu_irqs invoke a function
openrisc_pic_cpu_handler() which signals the interrupt to the CPU
proper by directly calling cpu_interrupt() and cpu_reset_interrupt().
Because CPU objects now inherit (indirectly) from TYPE_DEVICE, they
can have GPIO input lines themselves, and the neater modern way to
implement this is to simply have the CPU object itself provide the
input IRQ lines.

Create GPIO inputs to the OpenRISC CPU object, and make the only user
of cpu_openrisc_pic_init() wire up directly to those instead.

This allows us to delete the hw/openrisc/pic_cpu.c file entirely.

This fixes a trivial memory leak reported by Coverity of the IRQs
allocated in cpu_openrisc_pic_init().

Fixes: Coverity CID 1421934
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Stafford Horne <shorne@gmail.com>
Message-id: 20201127225127.14770-4-peter.maydell@linaro.org
---
 target/openrisc/cpu.h      |  1 -
 hw/openrisc/openrisc_sim.c |  3 +-
 hw/openrisc/pic_cpu.c      | 61 --------------------------------------
 target/openrisc/cpu.c      | 32 ++++++++++++++++++++
 hw/openrisc/meson.build    |  2 +-
 5 files changed, 34 insertions(+), 65 deletions(-)
 delete mode 100644 hw/openrisc/pic_cpu.c

diff --git a/target/openrisc/cpu.h b/target/openrisc/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/openrisc/cpu.h
+++ b/target/openrisc/cpu.h
@@ -XXX,XX +XXX,XX @@ typedef struct CPUOpenRISCState {
     uint32_t picmr;         /* Interrupt mask register */
     uint32_t picsr;         /* Interrupt contrl register*/
 #endif
-    void *irq[32];          /* Interrupt irq input */
 } CPUOpenRISCState;
 
 /**
diff --git a/hw/openrisc/openrisc_sim.c b/hw/openrisc/openrisc_sim.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/openrisc/openrisc_sim.c
+++ b/hw/openrisc/openrisc_sim.c
@@ -XXX,XX +XXX,XX @@ static void main_cpu_reset(void *opaque)
 
 static qemu_irq get_cpu_irq(OpenRISCCPU *cpus[], int cpunum, int irq_pin)
 {
-    return cpus[cpunum]->env.irq[irq_pin];
+    return qdev_get_gpio_in_named(DEVICE(cpus[cpunum]), "IRQ", irq_pin);
 }
 
 static void openrisc_sim_net_init(hwaddr base, hwaddr descriptors,
@@ -XXX,XX +XXX,XX @@ static void openrisc_sim_init(MachineState *machine)
             fprintf(stderr, "Unable to find CPU definition!\n");
             exit(1);
         }
-        cpu_openrisc_pic_init(cpus[n]);
 
         cpu_openrisc_clock_init(cpus[n]);
 
diff --git a/hw/openrisc/pic_cpu.c b/hw/openrisc/pic_cpu.c
deleted file mode 100644
index XXXXXXX..XXXXXXX
--- a/hw/openrisc/pic_cpu.c
+++ /dev/null
@@ -XXX,XX +XXX,XX @@
-/*
- * OpenRISC Programmable Interrupt Controller support.
- *
- * Copyright (c) 2011-2012 Jia Liu <proljc@gmail.com>
- *                         Feng Gao <gf91597@gmail.com>
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, see <http://www.gnu.org/licenses/>.
- */
-
-#include "qemu/osdep.h"
-#include "hw/irq.h"
-#include "cpu.h"
-
-/* OpenRISC pic handler */
-static void openrisc_pic_cpu_handler(void *opaque, int irq, int level)
-{
-    OpenRISCCPU *cpu = (OpenRISCCPU *)opaque;
-    CPUState *cs = CPU(cpu);
-    uint32_t irq_bit;
-
-    if (irq > 31 || irq < 0) {
-        return;
-    }
-
-    irq_bit = 1U << irq;
-
-    if (level) {
-        cpu->env.picsr |= irq_bit;
-    } else {
-        cpu->env.picsr &= ~irq_bit;
-    }
-
-    if (cpu->env.picsr & cpu->env.picmr) {
-        cpu_interrupt(cs, CPU_INTERRUPT_HARD);
-    } else {
-        cpu_reset_interrupt(cs, CPU_INTERRUPT_HARD);
-        cpu->env.picsr = 0;
-    }
-}
-
-void cpu_openrisc_pic_init(OpenRISCCPU *cpu)
-{
-    int i;
-    qemu_irq *qi;
-    qi = qemu_allocate_irqs(openrisc_pic_cpu_handler, cpu, NR_IRQS);
-
-    for (i = 0; i < NR_IRQS; i++) {
-        cpu->env.irq[i] = qi[i];
-    }
-}
diff --git a/target/openrisc/cpu.c b/target/openrisc/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/openrisc/cpu.c
+++ b/target/openrisc/cpu.c
@@ -XXX,XX +XXX,XX @@ static void openrisc_cpu_reset(DeviceState *dev)
 #endif
 }
 
+#ifndef CONFIG_USER_ONLY
+static void openrisc_cpu_set_irq(void *opaque, int irq, int level)
+{
+    OpenRISCCPU *cpu = (OpenRISCCPU *)opaque;
+    CPUState *cs = CPU(cpu);
+    uint32_t irq_bit;
+
+    if (irq > 31 || irq < 0) {
+        return;
+    }
+
+    irq_bit = 1U << irq;
+
+    if (level) {
+        cpu->env.picsr |= irq_bit;
+    } else {
+        cpu->env.picsr &= ~irq_bit;
+    }
+
+    if (cpu->env.picsr & cpu->env.picmr) {
+        cpu_interrupt(cs, CPU_INTERRUPT_HARD);
+    } else {
+        cpu_reset_interrupt(cs, CPU_INTERRUPT_HARD);
+        cpu->env.picsr = 0;
+    }
+}
+#endif
+
 static void openrisc_cpu_realizefn(DeviceState *dev, Error **errp)
 {
     CPUState *cs = CPU(dev);
@@ -XXX,XX +XXX,XX @@ static void openrisc_cpu_initfn(Object *obj)
     OpenRISCCPU *cpu = OPENRISC_CPU(obj);
 
     cpu_set_cpustate_pointers(cpu);
+
+#ifndef CONFIG_USER_ONLY
+    qdev_init_gpio_in_named(DEVICE(cpu), openrisc_cpu_set_irq, "IRQ", NR_IRQS);
+#endif
 }
 
 /* CPU models */
diff --git a/hw/openrisc/meson.build b/hw/openrisc/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/hw/openrisc/meson.build
+++ b/hw/openrisc/meson.build
@@ -XXX,XX +XXX,XX @@
 openrisc_ss = ss.source_set()
-openrisc_ss.add(files('pic_cpu.c', 'cputimer.c'))
+openrisc_ss.add(files('cputimer.c'))
 openrisc_ss.add(when: 'CONFIG_OR1K_SIM', if_true: files('openrisc_sim.c'))
 
 hw_arch += {'openrisc': openrisc_ss}
-- 
2.20.1

The Nios2 architecture supports two different interrupt controller
options:

* The IIC (Internal Interrupt Controller) is part of the CPU itself;
   it has 32 IRQ input lines and no NMI support.  Interrupt status is
   queried and controlled via the CPU's ipending and istatus
   registers.

* The EIC (External Interrupt Controller) interface allows the CPU
   to connect to an external interrupt controller.  The interface
   allows the interrupt controller to present a packet of information
   containing:
    - handler address
    - interrupt level
    - register set
    - NMI mode

QEMU does not model an EIC currently.  We do model the IIC, but its
implementation is split across code in hw/nios2/cpu_pic.c and
hw/intc/nios2_iic.c.  The code in those two files has no state of its
own -- the IIC state is in the Nios2CPU state struct.

Because CPU objects now inherit (indirectly) from TYPE_DEVICE, they
can have GPIO input lines themselves, so we can implement the IIC
directly in the CPU object the same way that real hardware does.

Create named "IRQ" GPIO inputs to the Nios2 CPU object, and make the
only user of the IIC wire up directly to those instead.

Note that the old code had an "NMI" concept which was entirely unused
and also as far as I can see not architecturally correct, since only
the EIC has a concept of an NMI.

This fixes a Coverity-reported trivial memory leak of the IRQ array
allocated in nios2_cpu_pic_init().

Fixes: Coverity CID 1421916
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20201129174022.26530-2-peter.maydell@linaro.org
Reviewed-by: Wentong Wu <wentong.wu@intel.com>
Tested-by: Wentong Wu <wentong.wu@intel.com>
---
 target/nios2/cpu.h        |  1 -
 hw/intc/nios2_iic.c       | 95 ---------------------------------------
 hw/nios2/10m50_devboard.c | 13 +-----
 hw/nios2/cpu_pic.c        | 31 -------------
 target/nios2/cpu.c        | 30 +++++++++++++
 MAINTAINERS               |  1 -
 hw/intc/meson.build       |  1 -
 7 files changed, 32 insertions(+), 140 deletions(-)
 delete mode 100644 hw/intc/nios2_iic.c

diff --git a/target/nios2/cpu.h b/target/nios2/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/nios2/cpu.h
+++ b/target/nios2/cpu.h
@@ -XXX,XX +XXX,XX @@ void nios2_cpu_do_unaligned_access(CPUState *cpu, vaddr addr,
                                    MMUAccessType access_type,
                                    int mmu_idx, uintptr_t retaddr);
 
-qemu_irq *nios2_cpu_pic_init(Nios2CPU *cpu);
 void nios2_check_interrupts(CPUNios2State *env);
 
 void do_nios2_semihosting(CPUNios2State *env);
diff --git a/hw/intc/nios2_iic.c b/hw/intc/nios2_iic.c
deleted file mode 100644
index XXXXXXX..XXXXXXX
--- a/hw/intc/nios2_iic.c
+++ /dev/null
@@ -XXX,XX +XXX,XX @@
-/*
- * QEMU Altera Internal Interrupt Controller.
- *
- * Copyright (c) 2012 Chris Wulff <crwulff@gmail.com>
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, see
- * <http://www.gnu.org/licenses/lgpl-2.1.html>
- */
-
-#include "qemu/osdep.h"
-#include "qemu/module.h"
-#include "qapi/error.h"
-
-#include "hw/irq.h"
-#include "hw/sysbus.h"
-#include "cpu.h"
-#include "qom/object.h"
-
-#define TYPE_ALTERA_IIC "altera,iic"
-OBJECT_DECLARE_SIMPLE_TYPE(AlteraIIC, ALTERA_IIC)
-
-struct AlteraIIC {
-    SysBusDevice  parent_obj;
-    void         *cpu;
-    qemu_irq      parent_irq;
-};
-
-static void update_irq(AlteraIIC *pv)
-{
-    CPUNios2State *env = &((Nios2CPU *)(pv->cpu))->env;
-
-    qemu_set_irq(pv->parent_irq,
-                 env->regs[CR_IPENDING] & env->regs[CR_IENABLE]);
-}
-
-static void irq_handler(void *opaque, int irq, int level)
-{
-    AlteraIIC *pv = opaque;
-    CPUNios2State *env = &((Nios2CPU *)(pv->cpu))->env;
-
-    env->regs[CR_IPENDING] &= ~(1 << irq);
-    env->regs[CR_IPENDING] |= !!level << irq;
-
-    update_irq(pv);
-}
-
-static void altera_iic_init(Object *obj)
-{
-    AlteraIIC *pv = ALTERA_IIC(obj);
-
-    qdev_init_gpio_in(DEVICE(pv), irq_handler, 32);
-    sysbus_init_irq(SYS_BUS_DEVICE(obj), &pv->parent_irq);
-}
-
-static void altera_iic_realize(DeviceState *dev, Error **errp)
-{
-    struct AlteraIIC *pv = ALTERA_IIC(dev);
-
-    pv->cpu = object_property_get_link(OBJECT(dev), "cpu", &error_abort);
-}
-
-static void altera_iic_class_init(ObjectClass *klass, void *data)
-{
-    DeviceClass *dc = DEVICE_CLASS(klass);
-
-    /* Reason: needs to be wired up, e.g. by nios2_10m50_ghrd_init() */
-    dc->user_creatable = false;
-    dc->realize = altera_iic_realize;
-}
-
-static TypeInfo altera_iic_info = {
-    .name          = TYPE_ALTERA_IIC,
-    .parent        = TYPE_SYS_BUS_DEVICE,
-    .instance_size = sizeof(AlteraIIC),
-    .instance_init = altera_iic_init,
-    .class_init    = altera_iic_class_init,
-};
-
-static void altera_iic_register(void)
-{
-    type_register_static(&altera_iic_info);
-}
-
-type_init(altera_iic_register)
diff --git a/hw/nios2/10m50_devboard.c b/hw/nios2/10m50_devboard.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/nios2/10m50_devboard.c
+++ b/hw/nios2/10m50_devboard.c
@@ -XXX,XX +XXX,XX @@ static void nios2_10m50_ghrd_init(MachineState *machine)
     ram_addr_t tcm_size = 0x1000;    /* 1 kiB, but QEMU limit is 4 kiB */
     ram_addr_t ram_base = 0x08000000;
     ram_addr_t ram_size = 0x08000000;
-    qemu_irq *cpu_irq, irq[32];
+    qemu_irq irq[32];
     int i;
 
     /* Physical TCM (tb_ram_1k) with alias at 0xc0000000 */
@@ -XXX,XX +XXX,XX @@ static void nios2_10m50_ghrd_init(MachineState *machine)
 
     /* Create CPU -- FIXME */
     cpu = NIOS2_CPU(cpu_create(TYPE_NIOS2_CPU));
-
-    /* Register: CPU interrupt controller (PIC) */
-    cpu_irq = nios2_cpu_pic_init(cpu);
-
-    /* Register: Internal Interrupt Controller (IIC) */
-    dev = qdev_new("altera,iic");
-    object_property_add_const_link(OBJECT(dev), "cpu", OBJECT(cpu));
-    sysbus_realize_and_unref(SYS_BUS_DEVICE(dev), &error_fatal);
-    sysbus_connect_irq(SYS_BUS_DEVICE(dev), 0, cpu_irq[0]);
     for (i = 0; i < 32; i++) {
-        irq[i] = qdev_get_gpio_in(dev, i);
+        irq[i] = qdev_get_gpio_in_named(DEVICE(cpu), "IRQ", i);
     }
 
     /* Register: Altera 16550 UART */
diff --git a/hw/nios2/cpu_pic.c b/hw/nios2/cpu_pic.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/nios2/cpu_pic.c
+++ b/hw/nios2/cpu_pic.c
@@ -XXX,XX +XXX,XX @@
 
 #include "boot.h"
 
-static void nios2_pic_cpu_handler(void *opaque, int irq, int level)
-{
-    Nios2CPU *cpu = opaque;
-    CPUNios2State *env = &cpu->env;
-    CPUState *cs = CPU(cpu);
-    int type = irq ? CPU_INTERRUPT_NMI : CPU_INTERRUPT_HARD;
-
-    if (type == CPU_INTERRUPT_HARD) {
-        env->irq_pending = level;
-
-        if (level && (env->regs[CR_STATUS] & CR_STATUS_PIE)) {
-            env->irq_pending = 0;
-            cpu_interrupt(cs, type);
-        } else if (!level) {
-            env->irq_pending = 0;
-            cpu_reset_interrupt(cs, type);
-        }
-    } else {
-        if (level) {
-            cpu_interrupt(cs, type);
-        } else {
-            cpu_reset_interrupt(cs, type);
-        }
-    }
-}
-
 void nios2_check_interrupts(CPUNios2State *env)
 {
     if (env->irq_pending &&
@@ -XXX,XX +XXX,XX @@ void nios2_check_interrupts(CPUNios2State *env)
         cpu_interrupt(env_cpu(env), CPU_INTERRUPT_HARD);
     }
 }
-
-qemu_irq *nios2_cpu_pic_init(Nios2CPU *cpu)
-{
-    return qemu_allocate_irqs(nios2_pic_cpu_handler, cpu, 2);
-}
diff --git a/target/nios2/cpu.c b/target/nios2/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/nios2/cpu.c
+++ b/target/nios2/cpu.c
@@ -XXX,XX +XXX,XX @@ static void nios2_cpu_reset(DeviceState *dev)
 #endif
 }
 
+#ifndef CONFIG_USER_ONLY
+static void nios2_cpu_set_irq(void *opaque, int irq, int level)
+{
+    Nios2CPU *cpu = opaque;
+    CPUNios2State *env = &cpu->env;
+    CPUState *cs = CPU(cpu);
+
+    env->regs[CR_IPENDING] &= ~(1 << irq);
+    env->regs[CR_IPENDING] |= !!level << irq;
+
+    env->irq_pending = env->regs[CR_IPENDING] & env->regs[CR_IENABLE];
+
+    if (env->irq_pending && (env->regs[CR_STATUS] & CR_STATUS_PIE)) {
+        env->irq_pending = 0;
+        cpu_interrupt(cs, CPU_INTERRUPT_HARD);
+    } else if (!env->irq_pending) {
+        cpu_reset_interrupt(cs, CPU_INTERRUPT_HARD);
+    }
+}
+#endif
+
 static void nios2_cpu_initfn(Object *obj)
 {
     Nios2CPU *cpu = NIOS2_CPU(obj);
@@ -XXX,XX +XXX,XX @@ static void nios2_cpu_initfn(Object *obj)
 
 #if !defined(CONFIG_USER_ONLY)
     mmu_init(&cpu->env);
+
+    /*
+     * These interrupt lines model the IIC (internal interrupt
+     * controller). QEMU does not currently support the EIC
+     * (external interrupt controller) -- if we did it would be
+     * a separate device in hw/intc with a custom interface to
+     * the CPU, and boards using it would not wire up these IRQ lines.
+     */
+    qdev_init_gpio_in_named(DEVICE(cpu), nios2_cpu_set_irq, "IRQ", 32);
 #endif
 }
 
diff --git a/MAINTAINERS b/MAINTAINERS
index XXXXXXX..XXXXXXX 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -XXX,XX +XXX,XX @@ M: Marek Vasut <marex@denx.de>
 S: Maintained
 F: target/nios2/
 F: hw/nios2/
-F: hw/intc/nios2_iic.c
 F: disas/nios2.c
 F: default-configs/nios2-softmmu.mak
 
diff --git a/hw/intc/meson.build b/hw/intc/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/meson.build
+++ b/hw/intc/meson.build
@@ -XXX,XX +XXX,XX @@ specific_ss.add(when: 'CONFIG_IBEX', if_true: files('ibex_plic.c'))
 specific_ss.add(when: 'CONFIG_IOAPIC', if_true: files('ioapic.c'))
 specific_ss.add(when: 'CONFIG_LOONGSON_LIOINTC', if_true: files('loongson_liointc.c'))
 specific_ss.add(when: 'CONFIG_MIPS_CPS', if_true: files('mips_gic.c'))
-specific_ss.add(when: 'CONFIG_NIOS2', if_true: files('nios2_iic.c'))
 specific_ss.add(when: 'CONFIG_OMAP', if_true: files('omap_intc.c'))
 specific_ss.add(when: 'CONFIG_OMPIC', if_true: files('ompic.c'))
 specific_ss.add(when: 'CONFIG_OPENPIC_KVM', if_true: files('openpic_kvm.c'))
-- 
2.20.1

The function nios2_check_interrupts)() looks only at CPU-internal
state; it belongs in target/nios2, not hw/nios2.  Move it into the
same file as its only caller, so it can just be local to that file.

This removes the only remaining code from cpu_pic.c, so we can delete
that file entirely.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20201129174022.26530-3-peter.maydell@linaro.org
Reviewed-by: Wentong Wu <wentong.wu@intel.com>
Tested-by: Wentong Wu <wentong.wu@intel.com>
---
 target/nios2/cpu.h       |  2 --
 hw/nios2/cpu_pic.c       | 36 ------------------------------------
 target/nios2/op_helper.c |  9 +++++++++
 hw/nios2/meson.build     |  2 +-
 4 files changed, 10 insertions(+), 39 deletions(-)
 delete mode 100644 hw/nios2/cpu_pic.c

In rom_check_and_register_reset() we detect overlaps by looking at
whether the ROM blob we're currently examining is in the same address
space and starts before the previous ROM blob ends.  (This works
because the ROM list is kept sorted in order by AddressSpace and then
by address.)

Instead of keeping the AddressSpace and last address of the previous ROM
blob in local variables, just keep a pointer to it.

This will allow us to print more useful information when we do detect
an overlap.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20201129203923.10622-2-peter.maydell@linaro.org
---
 hw/core/loader.c | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)

diff --git a/hw/core/loader.c b/hw/core/loader.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/core/loader.c
+++ b/hw/core/loader.c
@@ -XXX,XX +XXX,XX @@ static void rom_reset(void *unused)
     }
 }
 
+/* Return true if two consecutive ROMs in the ROM list overlap */
+static bool roms_overlap(Rom *last_rom, Rom *this_rom)
+{
+    if (!last_rom) {
+        return false;
+    }
+    return last_rom->as == this_rom->as &&
+        last_rom->addr + last_rom->romsize > this_rom->addr;
+}
+
 int rom_check_and_register_reset(void)
 {
-    hwaddr addr = 0;
     MemoryRegionSection section;
-    Rom *rom;
-    AddressSpace *as = NULL;
+    Rom *rom, *last_rom = NULL;
 
     QTAILQ_FOREACH(rom, &roms, next) {
         if (rom->fw_file) {
             continue;
         }
         if (!rom->mr) {
-            if ((addr > rom->addr) && (as == rom->as)) {
+            if (roms_overlap(last_rom, rom)) {
                 fprintf(stderr, "rom: requested regions overlap "
                         "(rom %s. free=0x" TARGET_FMT_plx
                         ", addr=0x" TARGET_FMT_plx ")\n",
-                        rom->name, addr, rom->addr);
+                        rom->name, last_rom->addr + last_rom->romsize,
+                        rom->addr);
                 return -1;
             }
-            addr  = rom->addr;
-            addr += rom->romsize;
-            as = rom->as;
+            last_rom = rom;
         }
         section = memory_region_find(rom->mr ? rom->mr : get_system_memory(),
                                      rom->addr, 1);
-- 
2.20.1

In rom_check_and_register_reset() we report to the user if there is
a "ROM region overlap". This has a couple of problems:
 * the reported information is not very easy to intepret
 * the function just prints the overlap to stderr (and relies on
   its single callsite in vl.c to do an error_report() and exit)
 * only the first overlap encountered is diagnosed

Make this function use error_report() and error_printf() and
report a more user-friendly report with all the overlaps
diagnosed.

Sample old output:

rom: requested regions overlap (rom dtb. free=0x0000000000008000, addr=0x0000000000000000)
qemu-system-aarch64: rom check and register reset failed

Sample new output:

qemu-system-aarch64: Some ROM regions are overlapping
These ROM regions might have been loaded by direct user request or by default.
They could be BIOS/firmware images, a guest kernel, initrd or some other file loaded into guest memory.
Check whether you intended to load all this guest code, and whether it has been built to load to the correct addresses.

The following two regions overlap (in the cpu-memory-0 address space):
  phdr #0: /home/petmay01/linaro/qemu-misc-tests/ldmia-fault.axf (addresses 0x0000000000000000 - 0x0000000000008000)
  dtb (addresses 0x0000000000000000 - 0x0000000000100000)

The following two regions overlap (in the cpu-memory-0 address space):
  phdr #1: /home/petmay01/linaro/qemu-misc-tests/bad-psci-call.axf (addresses 0x0000000040000000 - 0x0000000040000010)
  phdr #0: /home/petmay01/linaro/qemu-misc-tests/bp-test.elf (addresses 0x0000000040000000 - 0x0000000040000020)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20201129203923.10622-3-peter.maydell@linaro.org
---
 hw/core/loader.c | 48 ++++++++++++++++++++++++++++++++++++++++++------
 softmmu/vl.c     |  1 -
 2 files changed, 42 insertions(+), 7 deletions(-)

diff --git a/hw/core/loader.c b/hw/core/loader.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/core/loader.c
+++ b/hw/core/loader.c
@@ -XXX,XX +XXX,XX @@ static bool roms_overlap(Rom *last_rom, Rom *this_rom)
         last_rom->addr + last_rom->romsize > this_rom->addr;
 }
 
+static const char *rom_as_name(Rom *rom)
+{
+    const char *name = rom->as ? rom->as->name : NULL;
+    return name ?: "anonymous";
+}
+
+static void rom_print_overlap_error_header(void)
+{
+    error_report("Some ROM regions are overlapping");
+    error_printf(
+        "These ROM regions might have been loaded by "
+        "direct user request or by default.\n"
+        "They could be BIOS/firmware images, a guest kernel, "
+        "initrd or some other file loaded into guest memory.\n"
+        "Check whether you intended to load all this guest code, and "
+        "whether it has been built to load to the correct addresses.\n");
+}
+
+static void rom_print_one_overlap_error(Rom *last_rom, Rom *rom)
+{
+    error_printf(
+        "\nThe following two regions overlap (in the %s address space):\n",
+        rom_as_name(rom));
+    error_printf(
+        "  %s (addresses 0x" TARGET_FMT_plx " - 0x" TARGET_FMT_plx ")\n",
+        last_rom->name, last_rom->addr, last_rom->addr + last_rom->romsize);
+    error_printf(
+        "  %s (addresses 0x" TARGET_FMT_plx " - 0x" TARGET_FMT_plx ")\n",
+        rom->name, rom->addr, rom->addr + rom->romsize);
+}
+
 int rom_check_and_register_reset(void)
 {
     MemoryRegionSection section;
     Rom *rom, *last_rom = NULL;
+    bool found_overlap = false;
 
     QTAILQ_FOREACH(rom, &roms, next) {
         if (rom->fw_file) {
@@ -XXX,XX +XXX,XX @@ int rom_check_and_register_reset(void)
         }
         if (!rom->mr) {
             if (roms_overlap(last_rom, rom)) {
-                fprintf(stderr, "rom: requested regions overlap "
-                        "(rom %s. free=0x" TARGET_FMT_plx
-                        ", addr=0x" TARGET_FMT_plx ")\n",
-                        rom->name, last_rom->addr + last_rom->romsize,
-                        rom->addr);
-                return -1;
+                if (!found_overlap) {
+                    found_overlap = true;
+                    rom_print_overlap_error_header();
+                }
+                rom_print_one_overlap_error(last_rom, rom);
+                /* Keep going through the list so we report all overlaps */
             }
             last_rom = rom;
         }
@@ -XXX,XX +XXX,XX @@ int rom_check_and_register_reset(void)
         rom->isrom = int128_nz(section.size) && memory_region_is_rom(section.mr);
         memory_region_unref(section.mr);
     }
+    if (found_overlap) {
+        return -1;
+    }
+
     qemu_register_reset(rom_reset, NULL);
     roms_loaded = 1;
     return 0;
diff --git a/softmmu/vl.c b/softmmu/vl.c
index XXXXXXX..XXXXXXX 100644
--- a/softmmu/vl.c
+++ b/softmmu/vl.c
@@ -XXX,XX +XXX,XX @@ static void qemu_machine_creation_done(void)
     qemu_run_machine_init_done_notifiers();
 
     if (rom_check_and_register_reset() != 0) {
-        error_report("rom check and register reset failed");
         exit(1);
     }
 
-- 
2.20.1

Currently the load_elf code assembles the ROM blob name into a
local 128 byte fixed-size array. Use g_strdup_printf() instead so
that we don't truncate the pathname if it happens to be long.
(This matters mostly for monitor 'info roms' output and for the
error messages if ROM blobs overlap.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20201129203923.10622-4-peter.maydell@linaro.org
---
 include/hw/elf_ops.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/hw/elf_ops.h b/include/hw/elf_ops.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/elf_ops.h
+++ b/include/hw/elf_ops.h
@@ -XXX,XX +XXX,XX @@ static int glue(load_elf, SZ)(const char *name, int fd,
     uint64_t addr, low = (uint64_t)-1, high = 0;
     GMappedFile *mapped_file = NULL;
     uint8_t *data = NULL;
-    char label[128];
     int ret = ELF_LOAD_FAILED;
 
     if (read(fd, &ehdr, sizeof(ehdr)) != sizeof(ehdr))
@@ -XXX,XX +XXX,XX @@ static int glue(load_elf, SZ)(const char *name, int fd,
              */
             if (mem_size != 0) {
                 if (load_rom) {
-                    snprintf(label, sizeof(label), "phdr #%d: %s", i, name);
+                    g_autofree char *label =
+                        g_strdup_printf("phdr #%d: %s", i, name);
 
                     /*
                      * rom_add_elf_program() takes its own reference to
-- 
2.20.1

Instead of making the ROM blob name something like:
  phdr #0: /home/petmay01/linaro/qemu-misc-tests/ldmia-fault.axf
make it a little more self-explanatory for people who don't know
ELF format details:
  /home/petmay01/linaro/qemu-misc-tests/ldmia-fault.axf ELF program header segment 0

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20201129203923.10622-5-peter.maydell@linaro.org
---
 include/hw/elf_ops.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/include/hw/elf_ops.h b/include/hw/elf_ops.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/elf_ops.h
+++ b/include/hw/elf_ops.h
@@ -XXX,XX +XXX,XX @@ static int glue(load_elf, SZ)(const char *name, int fd,
             if (mem_size != 0) {
                 if (load_rom) {
                     g_autofree char *label =
-                        g_strdup_printf("phdr #%d: %s", i, name);
+                        g_strdup_printf("%s ELF program header segment %d",
+                                        name, i);
 
                     /*
                      * rom_add_elf_program() takes its own reference to
-- 
2.20.1

From: Sai Pavan Boddu <sai.pavan.boddu@xilinx.com>

This module emulates control registers of versal usb2 controller, this is added
just to make guest happy. In general this module would control the phy-reset
signal from usb controller, data coherency of the transactions, signals
the host system errors received from controller.

Signed-off-by: Sai Pavan Boddu <sai.pavan.boddu@xilinx.com>
Signed-off-by: Vikram Garhwal <fnu.vikram@xilinx.com>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1607023357-5096-2-git-send-email-sai.pavan.boddu@xilinx.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/usb/xlnx-versal-usb2-ctrl-regs.h |  45 ++++
 hw/usb/xlnx-versal-usb2-ctrl-regs.c         | 229 ++++++++++++++++++++
 hw/usb/meson.build                          |   1 +
 3 files changed, 275 insertions(+)
 create mode 100644 include/hw/usb/xlnx-versal-usb2-ctrl-regs.h
 create mode 100644 hw/usb/xlnx-versal-usb2-ctrl-regs.c

diff --git a/include/hw/usb/xlnx-versal-usb2-ctrl-regs.h b/include/hw/usb/xlnx-versal-usb2-ctrl-regs.h
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/include/hw/usb/xlnx-versal-usb2-ctrl-regs.h
@@ -XXX,XX +XXX,XX @@
+/*
+ * QEMU model of the VersalUsb2CtrlRegs Register control/Status block for
+ * USB2.0 controller
+ *
+ * Copyright (c) 2020 Xilinx Inc. Vikram Garhwal <fnu.vikram@xilinx.com>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#ifndef _XLNX_USB2_REGS_H_
+#define _XLNX_USB2_REGS_H_
+
+#define TYPE_XILINX_VERSAL_USB2_CTRL_REGS "xlnx.versal-usb2-ctrl-regs"
+
+#define XILINX_VERSAL_USB2_CTRL_REGS(obj) \
+     OBJECT_CHECK(VersalUsb2CtrlRegs, (obj), TYPE_XILINX_VERSAL_USB2_CTRL_REGS)
+
+#define USB2_REGS_R_MAX ((0x78 / 4) + 1)
+
+typedef struct VersalUsb2CtrlRegs {
+    SysBusDevice parent_obj;
+    MemoryRegion iomem;
+    qemu_irq irq_ir;
+
+    uint32_t regs[USB2_REGS_R_MAX];
+    RegisterInfo regs_info[USB2_REGS_R_MAX];
+} VersalUsb2CtrlRegs;
+
+#endif
diff --git a/hw/usb/xlnx-versal-usb2-ctrl-regs.c b/hw/usb/xlnx-versal-usb2-ctrl-regs.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/hw/usb/xlnx-versal-usb2-ctrl-regs.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * QEMU model of the VersalUsb2CtrlRegs Register control/Status block for
+ * USB2.0 controller
+ *
+ * This module should control phy_reset, permanent device plugs, frame length
+ * time adjust & setting of coherency paths. None of which are emulated in
+ * present model.
+ *
+ * Copyright (c) 2020 Xilinx Inc. Vikram Garhwal <fnu.vikram@xilinx.com>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include "qemu/osdep.h"
+#include "hw/sysbus.h"
+#include "hw/irq.h"
+#include "hw/register.h"
+#include "qemu/bitops.h"
+#include "qemu/log.h"
+#include "qom/object.h"
+#include "migration/vmstate.h"
+#include "hw/usb/xlnx-versal-usb2-ctrl-regs.h"
+
+#ifndef XILINX_VERSAL_USB2_CTRL_REGS_ERR_DEBUG
+#define XILINX_VERSAL_USB2_CTRL_REGS_ERR_DEBUG 0
+#endif
+
+REG32(BUS_FILTER, 0x30)
+    FIELD(BUS_FILTER, BYPASS, 0, 4)
+REG32(PORT, 0x34)
+    FIELD(PORT, HOST_SMI_BAR_WR, 4, 1)
+    FIELD(PORT, HOST_SMI_PCI_CMD_REG_WR, 3, 1)
+    FIELD(PORT, HOST_MSI_ENABLE, 2, 1)
+    FIELD(PORT, PWR_CTRL_PRSNT, 1, 1)
+    FIELD(PORT, HUB_PERM_ATTACH, 0, 1)
+REG32(JITTER_ADJUST, 0x38)
+    FIELD(JITTER_ADJUST, FLADJ, 0, 6)
+REG32(BIGENDIAN, 0x40)
+    FIELD(BIGENDIAN, ENDIAN_GS, 0, 1)
+REG32(COHERENCY, 0x44)
+    FIELD(COHERENCY, USB_COHERENCY, 0, 1)
+REG32(XHC_BME, 0x48)
+    FIELD(XHC_BME, XHC_BME, 0, 1)
+REG32(REG_CTRL, 0x60)
+    FIELD(REG_CTRL, SLVERR_ENABLE, 0, 1)
+REG32(IR_STATUS, 0x64)
+    FIELD(IR_STATUS, HOST_SYS_ERR, 1, 1)
+    FIELD(IR_STATUS, ADDR_DEC_ERR, 0, 1)
+REG32(IR_MASK, 0x68)
+    FIELD(IR_MASK, HOST_SYS_ERR, 1, 1)
+    FIELD(IR_MASK, ADDR_DEC_ERR, 0, 1)
+REG32(IR_ENABLE, 0x6c)
+    FIELD(IR_ENABLE, HOST_SYS_ERR, 1, 1)
+    FIELD(IR_ENABLE, ADDR_DEC_ERR, 0, 1)
+REG32(IR_DISABLE, 0x70)
+    FIELD(IR_DISABLE, HOST_SYS_ERR, 1, 1)
+    FIELD(IR_DISABLE, ADDR_DEC_ERR, 0, 1)
+REG32(USB3, 0x78)
+
+static void ir_update_irq(VersalUsb2CtrlRegs *s)
+{
+    bool pending = s->regs[R_IR_STATUS] & ~s->regs[R_IR_MASK];
+    qemu_set_irq(s->irq_ir, pending);
+}
+
+static void ir_status_postw(RegisterInfo *reg, uint64_t val64)
+{
+    VersalUsb2CtrlRegs *s = XILINX_VERSAL_USB2_CTRL_REGS(reg->opaque);
+    /*
+     * TODO: This should also clear USBSTS.HSE field in USB XHCI register.
+     * May be combine both the modules.
+     */
+    ir_update_irq(s);
+}
+
+static uint64_t ir_enable_prew(RegisterInfo *reg, uint64_t val64)
+{
+    VersalUsb2CtrlRegs *s = XILINX_VERSAL_USB2_CTRL_REGS(reg->opaque);
+    uint32_t val = val64;
+
+    s->regs[R_IR_MASK] &= ~val;
+    ir_update_irq(s);
+    return 0;
+}
+
+static uint64_t ir_disable_prew(RegisterInfo *reg, uint64_t val64)
+{
+    VersalUsb2CtrlRegs *s = XILINX_VERSAL_USB2_CTRL_REGS(reg->opaque);
+    uint32_t val = val64;
+
+    s->regs[R_IR_MASK] |= val;
+    ir_update_irq(s);
+    return 0;
+}
+
+static const RegisterAccessInfo usb2_ctrl_regs_regs_info[] = {
+    {   .name = "BUS_FILTER",  .addr = A_BUS_FILTER,
+        .rsvd = 0xfffffff0,
+    },{ .name = "PORT",  .addr = A_PORT,
+        .rsvd = 0xffffffe0,
+    },{ .name = "JITTER_ADJUST",  .addr = A_JITTER_ADJUST,
+        .reset = 0x20,
+        .rsvd = 0xffffffc0,
+    },{ .name = "BIGENDIAN",  .addr = A_BIGENDIAN,
+        .rsvd = 0xfffffffe,
+    },{ .name = "COHERENCY",  .addr = A_COHERENCY,
+        .rsvd = 0xfffffffe,
+    },{ .name = "XHC_BME",  .addr = A_XHC_BME,
+        .reset = 0x1,
+        .rsvd = 0xfffffffe,
+    },{ .name = "REG_CTRL",  .addr = A_REG_CTRL,
+        .rsvd = 0xfffffffe,
+    },{ .name = "IR_STATUS",  .addr = A_IR_STATUS,
+        .rsvd = 0xfffffffc,
+        .w1c = 0x3,
+        .post_write = ir_status_postw,
+    },{ .name = "IR_MASK",  .addr = A_IR_MASK,
+        .reset = 0x3,
+        .rsvd = 0xfffffffc,
+        .ro = 0x3,
+    },{ .name = "IR_ENABLE",  .addr = A_IR_ENABLE,
+        .rsvd = 0xfffffffc,
+        .pre_write = ir_enable_prew,
+    },{ .name = "IR_DISABLE",  .addr = A_IR_DISABLE,
+        .rsvd = 0xfffffffc,
+        .pre_write = ir_disable_prew,
+    },{ .name = "USB3",  .addr = A_USB3,
+    }
+};
+
+static void usb2_ctrl_regs_reset_init(Object *obj, ResetType type)
+{
+    VersalUsb2CtrlRegs *s = XILINX_VERSAL_USB2_CTRL_REGS(obj);
+    unsigned int i;
+
+    for (i = 0; i < ARRAY_SIZE(s->regs_info); ++i) {
+        register_reset(&s->regs_info[i]);
+    }
+}
+
+static void usb2_ctrl_regs_reset_hold(Object *obj)
+{
+    VersalUsb2CtrlRegs *s = XILINX_VERSAL_USB2_CTRL_REGS(obj);
+
+    ir_update_irq(s);
+}
+
+static const MemoryRegionOps usb2_ctrl_regs_ops = {
+    .read = register_read_memory,
+    .write = register_write_memory,
+    .endianness = DEVICE_LITTLE_ENDIAN,
+    .valid = {
+        .min_access_size = 4,
+        .max_access_size = 4,
+    },
+};
+
+static void usb2_ctrl_regs_init(Object *obj)
+{
+    VersalUsb2CtrlRegs *s = XILINX_VERSAL_USB2_CTRL_REGS(obj);
+    SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
+    RegisterInfoArray *reg_array;
+
+    memory_region_init(&s->iomem, obj, TYPE_XILINX_VERSAL_USB2_CTRL_REGS,
+                       USB2_REGS_R_MAX * 4);
+    reg_array =
+        register_init_block32(DEVICE(obj), usb2_ctrl_regs_regs_info,
+                              ARRAY_SIZE(usb2_ctrl_regs_regs_info),
+                              s->regs_info, s->regs,
+                              &usb2_ctrl_regs_ops,
+                              XILINX_VERSAL_USB2_CTRL_REGS_ERR_DEBUG,
+                              USB2_REGS_R_MAX * 4);
+    memory_region_add_subregion(&s->iomem,
+                                0x0,
+                                &reg_array->mem);
+    sysbus_init_mmio(sbd, &s->iomem);
+    sysbus_init_irq(sbd, &s->irq_ir);
+}
+
+static const VMStateDescription vmstate_usb2_ctrl_regs = {
+    .name = TYPE_XILINX_VERSAL_USB2_CTRL_REGS,
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .fields = (VMStateField[]) {
+        VMSTATE_UINT32_ARRAY(regs, VersalUsb2CtrlRegs, USB2_REGS_R_MAX),
+        VMSTATE_END_OF_LIST(),
+    }
+};
+
+static void usb2_ctrl_regs_class_init(ObjectClass *klass, void *data)
+{
+    DeviceClass *dc = DEVICE_CLASS(klass);
+    ResettableClass *rc = RESETTABLE_CLASS(klass);
+
+    rc->phases.enter = usb2_ctrl_regs_reset_init;
+    rc->phases.hold  = usb2_ctrl_regs_reset_hold;
+    dc->vmsd = &vmstate_usb2_ctrl_regs;
+}
+
+static const TypeInfo usb2_ctrl_regs_info = {
+    .name          = TYPE_XILINX_VERSAL_USB2_CTRL_REGS,
+    .parent        = TYPE_SYS_BUS_DEVICE,
+    .instance_size = sizeof(VersalUsb2CtrlRegs),
+    .class_init    = usb2_ctrl_regs_class_init,
+    .instance_init = usb2_ctrl_regs_init,
+};
+
+static void usb2_ctrl_regs_register_types(void)
+{
+    type_register_static(&usb2_ctrl_regs_info);
+}
+
+type_init(usb2_ctrl_regs_register_types)
diff --git a/hw/usb/meson.build b/hw/usb/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/hw/usb/meson.build
+++ b/hw/usb/meson.build
@@ -XXX,XX +XXX,XX @@ softmmu_ss.add(when: 'CONFIG_USB_DWC2', if_true: files('hcd-dwc2.c'))
 softmmu_ss.add(when: 'CONFIG_TUSB6010', if_true: files('tusb6010.c'))
 softmmu_ss.add(when: 'CONFIG_IMX', if_true: files('chipidea.c'))
 softmmu_ss.add(when: 'CONFIG_IMX_USBPHY', if_true: files('imx-usb-phy.c'))
+specific_ss.add(when: 'CONFIG_XLNX_VERSAL', if_true: files('xlnx-versal-usb2-ctrl-regs.c'))
 
 # emulated usb devices
 softmmu_ss.add(when: 'CONFIG_USB', if_true: files('dev-hub.c'))
-- 
2.20.1

From: Vikram Garhwal <fnu.vikram@xilinx.com>

This patch adds skeleton model of dwc3 usb controller attached to
xhci-sysbus device. It defines global register space of DWC3 controller,
global registers control the AXI/AHB interfaces properties, external FIFO
support and event count support. All of which are unimplemented at
present,we are only supporting core reset and read of ID register.

Signed-off-by: Vikram Garhwal <fnu.vikram@xilinx.com>
Signed-off-by: Sai Pavan Boddu <sai.pavan.boddu@xilinx.com>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Message-id: 1607023357-5096-3-git-send-email-sai.pavan.boddu@xilinx.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/usb/hcd-dwc3.h |  55 +++
 hw/usb/hcd-dwc3.c         | 689 ++++++++++++++++++++++++++++++++++++++
 hw/usb/Kconfig            |   5 +
 hw/usb/meson.build        |   1 +
 4 files changed, 750 insertions(+)
 create mode 100644 include/hw/usb/hcd-dwc3.h
 create mode 100644 hw/usb/hcd-dwc3.c

diff --git a/include/hw/usb/hcd-dwc3.h b/include/hw/usb/hcd-dwc3.h
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/include/hw/usb/hcd-dwc3.h
@@ -XXX,XX +XXX,XX @@
+/*
+ * QEMU model of the USB DWC3 host controller emulation.
+ *
+ * Copyright (c) 2020 Xilinx Inc.
+ *
+ * Written by Vikram Garhwal<fnu.vikram@xilinx.com>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+#ifndef HCD_DWC3_H
+#define HCD_DWC3_H
+
+#include "hw/usb/hcd-xhci.h"
+#include "hw/usb/hcd-xhci-sysbus.h"
+
+#define TYPE_USB_DWC3 "usb_dwc3"
+
+#define USB_DWC3(obj) \
+     OBJECT_CHECK(USBDWC3, (obj), TYPE_USB_DWC3)
+
+#define USB_DWC3_R_MAX ((0x530 / 4) + 1)
+#define DWC3_SIZE 0x10000
+
+typedef struct USBDWC3 {
+    SysBusDevice parent_obj;
+    MemoryRegion iomem;
+    XHCISysbusState sysbus_xhci;
+
+    uint32_t regs[USB_DWC3_R_MAX];
+    RegisterInfo regs_info[USB_DWC3_R_MAX];
+
+    struct {
+        uint8_t     mode;
+        uint32_t    dwc_usb3_user;
+    } cfg;
+
+} USBDWC3;
+
+#endif
diff --git a/hw/usb/hcd-dwc3.c b/hw/usb/hcd-dwc3.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/hw/usb/hcd-dwc3.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * QEMU model of the USB DWC3 host controller emulation.
+ *
+ * This model defines global register space of DWC3 controller. Global
+ * registers control the AXI/AHB interfaces properties, external FIFO support
+ * and event count support. All of which are unimplemented at present. We are
+ * only supporting core reset and read of ID register.
+ *
+ * Copyright (c) 2020 Xilinx Inc. Vikram Garhwal<fnu.vikram@xilinx.com>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include "qemu/osdep.h"
+#include "hw/sysbus.h"
+#include "hw/register.h"
+#include "qemu/bitops.h"
+#include "qemu/log.h"
+#include "qom/object.h"
+#include "migration/vmstate.h"
+#include "hw/qdev-properties.h"
+#include "hw/usb/hcd-dwc3.h"
+#include "qapi/error.h"
+
+#ifndef USB_DWC3_ERR_DEBUG
+#define USB_DWC3_ERR_DEBUG 0
+#endif
+
+#define HOST_MODE           1
+#define FIFO_LEN         0x1000
+
+REG32(GSBUSCFG0, 0x00)
+    FIELD(GSBUSCFG0, DATRDREQINFO, 28, 4)
+    FIELD(GSBUSCFG0, DESRDREQINFO, 24, 4)
+    FIELD(GSBUSCFG0, DATWRREQINFO, 20, 4)
+    FIELD(GSBUSCFG0, DESWRREQINFO, 16, 4)
+    FIELD(GSBUSCFG0, RESERVED_15_12, 12, 4)
+    FIELD(GSBUSCFG0, DATBIGEND, 11, 1)
+    FIELD(GSBUSCFG0, DESBIGEND, 10, 1)
+    FIELD(GSBUSCFG0, RESERVED_9_8, 8, 2)
+    FIELD(GSBUSCFG0, INCR256BRSTENA, 7, 1)
+    FIELD(GSBUSCFG0, INCR128BRSTENA, 6, 1)
+    FIELD(GSBUSCFG0, INCR64BRSTENA, 5, 1)
+    FIELD(GSBUSCFG0, INCR32BRSTENA, 4, 1)
+    FIELD(GSBUSCFG0, INCR16BRSTENA, 3, 1)
+    FIELD(GSBUSCFG0, INCR8BRSTENA, 2, 1)
+    FIELD(GSBUSCFG0, INCR4BRSTENA, 1, 1)
+    FIELD(GSBUSCFG0, INCRBRSTENA, 0, 1)
+REG32(GSBUSCFG1, 0x04)
+    FIELD(GSBUSCFG1, RESERVED_31_13, 13, 19)
+    FIELD(GSBUSCFG1, EN1KPAGE, 12, 1)
+    FIELD(GSBUSCFG1, PIPETRANSLIMIT, 8, 4)
+    FIELD(GSBUSCFG1, RESERVED_7_0, 0, 8)
+REG32(GTXTHRCFG, 0x08)
+    FIELD(GTXTHRCFG, RESERVED_31, 31, 1)
+    FIELD(GTXTHRCFG, RESERVED_30, 30, 1)
+    FIELD(GTXTHRCFG, USBTXPKTCNTSEL, 29, 1)
+    FIELD(GTXTHRCFG, RESERVED_28, 28, 1)
+    FIELD(GTXTHRCFG, USBTXPKTCNT, 24, 4)
+    FIELD(GTXTHRCFG, USBMAXTXBURSTSIZE, 16, 8)
+    FIELD(GTXTHRCFG, RESERVED_15, 15, 1)
+    FIELD(GTXTHRCFG, RESERVED_14, 14, 1)
+    FIELD(GTXTHRCFG, RESERVED_13_11, 11, 3)
+    FIELD(GTXTHRCFG, RESERVED_10_0, 0, 11)
+REG32(GRXTHRCFG, 0x0c)
+    FIELD(GRXTHRCFG, RESERVED_31_30, 30, 2)
+    FIELD(GRXTHRCFG, USBRXPKTCNTSEL, 29, 1)
+    FIELD(GRXTHRCFG, RESERVED_28, 28, 1)
+    FIELD(GRXTHRCFG, USBRXPKTCNT, 24, 4)
+    FIELD(GRXTHRCFG, USBMAXRXBURSTSIZE, 19, 5)
+    FIELD(GRXTHRCFG, RESERVED_18_16, 16, 3)
+    FIELD(GRXTHRCFG, RESERVED_15, 15, 1)
+    FIELD(GRXTHRCFG, RESERVED_14_13, 13, 2)
+    FIELD(GRXTHRCFG, RESVISOCOUTSPC, 0, 13)
+REG32(GCTL, 0x10)
+    FIELD(GCTL, PWRDNSCALE, 19, 13)
+    FIELD(GCTL, MASTERFILTBYPASS, 18, 1)
+    FIELD(GCTL, BYPSSETADDR, 17, 1)
+    FIELD(GCTL, U2RSTECN, 16, 1)
+    FIELD(GCTL, FRMSCLDWN, 14, 2)
+    FIELD(GCTL, PRTCAPDIR, 12, 2)
+    FIELD(GCTL, CORESOFTRESET, 11, 1)
+    FIELD(GCTL, U1U2TIMERSCALE, 9, 1)
+    FIELD(GCTL, DEBUGATTACH, 8, 1)
+    FIELD(GCTL, RAMCLKSEL, 6, 2)
+    FIELD(GCTL, SCALEDOWN, 4, 2)
+    FIELD(GCTL, DISSCRAMBLE, 3, 1)
+    FIELD(GCTL, U2EXIT_LFPS, 2, 1)
+    FIELD(GCTL, GBLHIBERNATIONEN, 1, 1)
+    FIELD(GCTL, DSBLCLKGTNG, 0, 1)
+REG32(GPMSTS, 0x14)
+REG32(GSTS, 0x18)
+    FIELD(GSTS, CBELT, 20, 12)
+    FIELD(GSTS, RESERVED_19_12, 12, 8)
+    FIELD(GSTS, SSIC_IP, 11, 1)
+    FIELD(GSTS, OTG_IP, 10, 1)
+    FIELD(GSTS, BC_IP, 9, 1)
+    FIELD(GSTS, ADP_IP, 8, 1)
+    FIELD(GSTS, HOST_IP, 7, 1)
+    FIELD(GSTS, DEVICE_IP, 6, 1)
+    FIELD(GSTS, CSRTIMEOUT, 5, 1)
+    FIELD(GSTS, BUSERRADDRVLD, 4, 1)
+    FIELD(GSTS, RESERVED_3_2, 2, 2)
+    FIELD(GSTS, CURMOD, 0, 2)
+REG32(GUCTL1, 0x1c)
+    FIELD(GUCTL1, RESUME_OPMODE_HS_HOST, 10, 1)
+REG32(GSNPSID, 0x20)
+REG32(GGPIO, 0x24)
+    FIELD(GGPIO, GPO, 16, 16)
+    FIELD(GGPIO, GPI, 0, 16)
+REG32(GUID, 0x28)
+REG32(GUCTL, 0x2c)
+    FIELD(GUCTL, REFCLKPER, 22, 10)
+    FIELD(GUCTL, NOEXTRDL, 21, 1)
+    FIELD(GUCTL, RESERVED_20_18, 18, 3)
+    FIELD(GUCTL, SPRSCTRLTRANSEN, 17, 1)
+    FIELD(GUCTL, RESBWHSEPS, 16, 1)
+    FIELD(GUCTL, RESERVED_15, 15, 1)
+    FIELD(GUCTL, USBHSTINAUTORETRYEN, 14, 1)
+    FIELD(GUCTL, ENOVERLAPCHK, 13, 1)
+    FIELD(GUCTL, EXTCAPSUPPTEN, 12, 1)
+    FIELD(GUCTL, INSRTEXTRFSBODI, 11, 1)
+    FIELD(GUCTL, DTCT, 9, 2)
+    FIELD(GUCTL, DTFT, 0, 9)
+REG32(GBUSERRADDRLO, 0x30)
+REG32(GBUSERRADDRHI, 0x34)
+REG32(GHWPARAMS0, 0x40)
+    FIELD(GHWPARAMS0, GHWPARAMS0_31_24, 24, 8)
+    FIELD(GHWPARAMS0, GHWPARAMS0_23_16, 16, 8)
+    FIELD(GHWPARAMS0, GHWPARAMS0_15_8, 8, 8)
+    FIELD(GHWPARAMS0, GHWPARAMS0_7_6, 6, 2)
+    FIELD(GHWPARAMS0, GHWPARAMS0_5_3, 3, 3)
+    FIELD(GHWPARAMS0, GHWPARAMS0_2_0, 0, 3)
+REG32(GHWPARAMS1, 0x44)
+    FIELD(GHWPARAMS1, GHWPARAMS1_31, 31, 1)
+    FIELD(GHWPARAMS1, GHWPARAMS1_30, 30, 1)
+    FIELD(GHWPARAMS1, GHWPARAMS1_29, 29, 1)
+    FIELD(GHWPARAMS1, GHWPARAMS1_28, 28, 1)
+    FIELD(GHWPARAMS1, GHWPARAMS1_27, 27, 1)
+    FIELD(GHWPARAMS1, GHWPARAMS1_26, 26, 1)
+    FIELD(GHWPARAMS1, GHWPARAMS1_25_24, 24, 2)
+    FIELD(GHWPARAMS1, GHWPARAMS1_23, 23, 1)
+    FIELD(GHWPARAMS1, GHWPARAMS1_22_21, 21, 2)
+    FIELD(GHWPARAMS1, GHWPARAMS1_20_15, 15, 6)
+    FIELD(GHWPARAMS1, GHWPARAMS1_14_12, 12, 3)
+    FIELD(GHWPARAMS1, GHWPARAMS1_11_9, 9, 3)
+    FIELD(GHWPARAMS1, GHWPARAMS1_8_6, 6, 3)
+    FIELD(GHWPARAMS1, GHWPARAMS1_5_3, 3, 3)
+    FIELD(GHWPARAMS1, GHWPARAMS1_2_0, 0, 3)
+REG32(GHWPARAMS2, 0x48)
+REG32(GHWPARAMS3, 0x4c)
+    FIELD(GHWPARAMS3, GHWPARAMS3_31, 31, 1)
+    FIELD(GHWPARAMS3, GHWPARAMS3_30_23, 23, 8)
+    FIELD(GHWPARAMS3, GHWPARAMS3_22_18, 18, 5)
+    FIELD(GHWPARAMS3, GHWPARAMS3_17_12, 12, 6)
+    FIELD(GHWPARAMS3, GHWPARAMS3_11, 11, 1)
+    FIELD(GHWPARAMS3, GHWPARAMS3_10, 10, 1)
+    FIELD(GHWPARAMS3, GHWPARAMS3_9_8, 8, 2)
+    FIELD(GHWPARAMS3, GHWPARAMS3_7_6, 6, 2)
+    FIELD(GHWPARAMS3, GHWPARAMS3_5_4, 4, 2)
+    FIELD(GHWPARAMS3, GHWPARAMS3_3_2, 2, 2)
+    FIELD(GHWPARAMS3, GHWPARAMS3_1_0, 0, 2)
+REG32(GHWPARAMS4, 0x50)
+    FIELD(GHWPARAMS4, GHWPARAMS4_31_28, 28, 4)
+    FIELD(GHWPARAMS4, GHWPARAMS4_27_24, 24, 4)
+    FIELD(GHWPARAMS4, GHWPARAMS4_23, 23, 1)
+    FIELD(GHWPARAMS4, GHWPARAMS4_22, 22, 1)
+    FIELD(GHWPARAMS4, GHWPARAMS4_21, 21, 1)
+    FIELD(GHWPARAMS4, GHWPARAMS4_20_17, 17, 4)
+    FIELD(GHWPARAMS4, GHWPARAMS4_16_13, 13, 4)
+    FIELD(GHWPARAMS4, GHWPARAMS4_12, 12, 1)
+    FIELD(GHWPARAMS4, GHWPARAMS4_11, 11, 1)
+    FIELD(GHWPARAMS4, GHWPARAMS4_10_9, 9, 2)
+    FIELD(GHWPARAMS4, GHWPARAMS4_8_7, 7, 2)
+    FIELD(GHWPARAMS4, GHWPARAMS4_6, 6, 1)
+    FIELD(GHWPARAMS4, GHWPARAMS4_5_0, 0, 6)
+REG32(GHWPARAMS5, 0x54)
+    FIELD(GHWPARAMS5, GHWPARAMS5_31_28, 28, 4)
+    FIELD(GHWPARAMS5, GHWPARAMS5_27_22, 22, 6)
+    FIELD(GHWPARAMS5, GHWPARAMS5_21_16, 16, 6)
+    FIELD(GHWPARAMS5, GHWPARAMS5_15_10, 10, 6)
+    FIELD(GHWPARAMS5, GHWPARAMS5_9_4, 4, 6)
+    FIELD(GHWPARAMS5, GHWPARAMS5_3_0, 0, 4)
+REG32(GHWPARAMS6, 0x58)
+    FIELD(GHWPARAMS6, GHWPARAMS6_31_16, 16, 16)
+    FIELD(GHWPARAMS6, BUSFLTRSSUPPORT, 15, 1)
+    FIELD(GHWPARAMS6, BCSUPPORT, 14, 1)
+    FIELD(GHWPARAMS6, OTG_SS_SUPPORT, 13, 1)
+    FIELD(GHWPARAMS6, ADPSUPPORT, 12, 1)
+    FIELD(GHWPARAMS6, HNPSUPPORT, 11, 1)
+    FIELD(GHWPARAMS6, SRPSUPPORT, 10, 1)
+    FIELD(GHWPARAMS6, GHWPARAMS6_9_8, 8, 2)
+    FIELD(GHWPARAMS6, GHWPARAMS6_7, 7, 1)
+    FIELD(GHWPARAMS6, GHWPARAMS6_6, 6, 1)
+    FIELD(GHWPARAMS6, GHWPARAMS6_5_0, 0, 6)
+REG32(GHWPARAMS7, 0x5c)
+    FIELD(GHWPARAMS7, GHWPARAMS7_31_16, 16, 16)
+    FIELD(GHWPARAMS7, GHWPARAMS7_15_0, 0, 16)
+REG32(GDBGFIFOSPACE, 0x60)
+    FIELD(GDBGFIFOSPACE, SPACE_AVAILABLE, 16, 16)
+    FIELD(GDBGFIFOSPACE, RESERVED_15_9, 9, 7)
+    FIELD(GDBGFIFOSPACE, FIFO_QUEUE_SELECT, 0, 9)
+REG32(GUCTL2, 0x9c)
+    FIELD(GUCTL2, RESERVED_31_26, 26, 6)
+    FIELD(GUCTL2, EN_HP_PM_TIMER, 19, 7)
+    FIELD(GUCTL2, NOLOWPWRDUR, 15, 4)
+    FIELD(GUCTL2, RST_ACTBITLATER, 14, 1)
+    FIELD(GUCTL2, RESERVED_13, 13, 1)
+    FIELD(GUCTL2, DISABLECFC, 11, 1)
+REG32(GUSB2PHYCFG, 0x100)
+    FIELD(GUSB2PHYCFG, U2_FREECLK_EXISTS, 30, 1)
+    FIELD(GUSB2PHYCFG, ULPI_LPM_WITH_OPMODE_CHK, 29, 1)
+    FIELD(GUSB2PHYCFG, RESERVED_25, 25, 1)
+    FIELD(GUSB2PHYCFG, LSTRD, 22, 3)
+    FIELD(GUSB2PHYCFG, LSIPD, 19, 3)
+    FIELD(GUSB2PHYCFG, ULPIEXTVBUSINDIACTOR, 18, 1)
+    FIELD(GUSB2PHYCFG, ULPIEXTVBUSDRV, 17, 1)
+    FIELD(GUSB2PHYCFG, RESERVED_16, 16, 1)
+    FIELD(GUSB2PHYCFG, ULPIAUTORES, 15, 1)
+    FIELD(GUSB2PHYCFG, RESERVED_14, 14, 1)
+    FIELD(GUSB2PHYCFG, USBTRDTIM, 10, 4)
+    FIELD(GUSB2PHYCFG, XCVRDLY, 9, 1)
+    FIELD(GUSB2PHYCFG, ENBLSLPM, 8, 1)
+    FIELD(GUSB2PHYCFG, PHYSEL, 7, 1)
+    FIELD(GUSB2PHYCFG, SUSPENDUSB20, 6, 1)
+    FIELD(GUSB2PHYCFG, FSINTF, 5, 1)
+    FIELD(GUSB2PHYCFG, ULPI_UTMI_SEL, 4, 1)
+    FIELD(GUSB2PHYCFG, PHYIF, 3, 1)
+    FIELD(GUSB2PHYCFG, TOUTCAL, 0, 3)
+REG32(GUSB2I2CCTL, 0x140)
+REG32(GUSB2PHYACC_ULPI, 0x180)
+    FIELD(GUSB2PHYACC_ULPI, RESERVED_31_27, 27, 5)
+    FIELD(GUSB2PHYACC_ULPI, DISUIPIDRVR, 26, 1)
+    FIELD(GUSB2PHYACC_ULPI, NEWREGREQ, 25, 1)
+    FIELD(GUSB2PHYACC_ULPI, VSTSDONE, 24, 1)
+    FIELD(GUSB2PHYACC_ULPI, VSTSBSY, 23, 1)
+    FIELD(GUSB2PHYACC_ULPI, REGWR, 22, 1)
+    FIELD(GUSB2PHYACC_ULPI, REGADDR, 16, 6)
+    FIELD(GUSB2PHYACC_ULPI, EXTREGADDR, 8, 8)
+    FIELD(GUSB2PHYACC_ULPI, REGDATA, 0, 8)
+REG32(GTXFIFOSIZ0, 0x200)
+    FIELD(GTXFIFOSIZ0, TXFSTADDR_N, 16, 16)
+    FIELD(GTXFIFOSIZ0, TXFDEP_N, 0, 16)
+REG32(GTXFIFOSIZ1, 0x204)
+    FIELD(GTXFIFOSIZ1, TXFSTADDR_N, 16, 16)
+    FIELD(GTXFIFOSIZ1, TXFDEP_N, 0, 16)
+REG32(GTXFIFOSIZ2, 0x208)
+    FIELD(GTXFIFOSIZ2, TXFSTADDR_N, 16, 16)
+    FIELD(GTXFIFOSIZ2, TXFDEP_N, 0, 16)
+REG32(GTXFIFOSIZ3, 0x20c)
+    FIELD(GTXFIFOSIZ3, TXFSTADDR_N, 16, 16)
+    FIELD(GTXFIFOSIZ3, TXFDEP_N, 0, 16)
+REG32(GTXFIFOSIZ4, 0x210)
+    FIELD(GTXFIFOSIZ4, TXFSTADDR_N, 16, 16)
+    FIELD(GTXFIFOSIZ4, TXFDEP_N, 0, 16)
+REG32(GTXFIFOSIZ5, 0x214)
+    FIELD(GTXFIFOSIZ5, TXFSTADDR_N, 16, 16)
+    FIELD(GTXFIFOSIZ5, TXFDEP_N, 0, 16)
+REG32(GRXFIFOSIZ0, 0x280)
+    FIELD(GRXFIFOSIZ0, RXFSTADDR_N, 16, 16)
+    FIELD(GRXFIFOSIZ0, RXFDEP_N, 0, 16)
+REG32(GRXFIFOSIZ1, 0x284)
+    FIELD(GRXFIFOSIZ1, RXFSTADDR_N, 16, 16)
+    FIELD(GRXFIFOSIZ1, RXFDEP_N, 0, 16)
+REG32(GRXFIFOSIZ2, 0x288)
+    FIELD(GRXFIFOSIZ2, RXFSTADDR_N, 16, 16)
+    FIELD(GRXFIFOSIZ2, RXFDEP_N, 0, 16)
+REG32(GEVNTADRLO_0, 0x300)
+REG32(GEVNTADRHI_0, 0x304)
+REG32(GEVNTSIZ_0, 0x308)
+    FIELD(GEVNTSIZ_0, EVNTINTRPTMASK, 31, 1)
+    FIELD(GEVNTSIZ_0, RESERVED_30_16, 16, 15)
+    FIELD(GEVNTSIZ_0, EVENTSIZ, 0, 16)
+REG32(GEVNTCOUNT_0, 0x30c)
+    FIELD(GEVNTCOUNT_0, EVNT_HANDLER_BUSY, 31, 1)
+    FIELD(GEVNTCOUNT_0, RESERVED_30_16, 16, 15)
+    FIELD(GEVNTCOUNT_0, EVNTCOUNT, 0, 16)
+REG32(GEVNTADRLO_1, 0x310)
+REG32(GEVNTADRHI_1, 0x314)
+REG32(GEVNTSIZ_1, 0x318)
+    FIELD(GEVNTSIZ_1, EVNTINTRPTMASK, 31, 1)
+    FIELD(GEVNTSIZ_1, RESERVED_30_16, 16, 15)
+    FIELD(GEVNTSIZ_1, EVENTSIZ, 0, 16)
+REG32(GEVNTCOUNT_1, 0x31c)
+    FIELD(GEVNTCOUNT_1, EVNT_HANDLER_BUSY, 31, 1)
+    FIELD(GEVNTCOUNT_1, RESERVED_30_16, 16, 15)
+    FIELD(GEVNTCOUNT_1, EVNTCOUNT, 0, 16)
+REG32(GEVNTADRLO_2, 0x320)
+REG32(GEVNTADRHI_2, 0x324)
+REG32(GEVNTSIZ_2, 0x328)
+    FIELD(GEVNTSIZ_2, EVNTINTRPTMASK, 31, 1)
+    FIELD(GEVNTSIZ_2, RESERVED_30_16, 16, 15)
+    FIELD(GEVNTSIZ_2, EVENTSIZ, 0, 16)
+REG32(GEVNTCOUNT_2, 0x32c)
+    FIELD(GEVNTCOUNT_2, EVNT_HANDLER_BUSY, 31, 1)
+    FIELD(GEVNTCOUNT_2, RESERVED_30_16, 16, 15)
+    FIELD(GEVNTCOUNT_2, EVNTCOUNT, 0, 16)
+REG32(GEVNTADRLO_3, 0x330)
+REG32(GEVNTADRHI_3, 0x334)
+REG32(GEVNTSIZ_3, 0x338)
+    FIELD(GEVNTSIZ_3, EVNTINTRPTMASK, 31, 1)
+    FIELD(GEVNTSIZ_3, RESERVED_30_16, 16, 15)
+    FIELD(GEVNTSIZ_3, EVENTSIZ, 0, 16)
+REG32(GEVNTCOUNT_3, 0x33c)
+    FIELD(GEVNTCOUNT_3, EVNT_HANDLER_BUSY, 31, 1)
+    FIELD(GEVNTCOUNT_3, RESERVED_30_16, 16, 15)
+    FIELD(GEVNTCOUNT_3, EVNTCOUNT, 0, 16)
+REG32(GHWPARAMS8, 0x500)
+REG32(GTXFIFOPRIDEV, 0x510)
+    FIELD(GTXFIFOPRIDEV, RESERVED_31_N, 6, 26)
+    FIELD(GTXFIFOPRIDEV, GTXFIFOPRIDEV, 0, 6)
+REG32(GTXFIFOPRIHST, 0x518)
+    FIELD(GTXFIFOPRIHST, RESERVED_31_16, 3, 29)
+    FIELD(GTXFIFOPRIHST, GTXFIFOPRIHST, 0, 3)
+REG32(GRXFIFOPRIHST, 0x51c)
+    FIELD(GRXFIFOPRIHST, RESERVED_31_16, 3, 29)
+    FIELD(GRXFIFOPRIHST, GRXFIFOPRIHST, 0, 3)
+REG32(GDMAHLRATIO, 0x524)
+    FIELD(GDMAHLRATIO, RESERVED_31_13, 13, 19)
+    FIELD(GDMAHLRATIO, HSTRXFIFO, 8, 5)
+    FIELD(GDMAHLRATIO, RESERVED_7_5, 5, 3)
+    FIELD(GDMAHLRATIO, HSTTXFIFO, 0, 5)
+REG32(GFLADJ, 0x530)
+    FIELD(GFLADJ, GFLADJ_REFCLK_240MHZDECR_PLS1, 31, 1)
+    FIELD(GFLADJ, GFLADJ_REFCLK_240MHZ_DECR, 24, 7)
+    FIELD(GFLADJ, GFLADJ_REFCLK_LPM_SEL, 23, 1)
+    FIELD(GFLADJ, RESERVED_22, 22, 1)
+    FIELD(GFLADJ, GFLADJ_REFCLK_FLADJ, 8, 14)
+    FIELD(GFLADJ, GFLADJ_30MHZ_SDBND_SEL, 7, 1)
+    FIELD(GFLADJ, GFLADJ_30MHZ, 0, 6)
+
+#define DWC3_GLOBAL_OFFSET 0xC100
+static void reset_csr(USBDWC3 * s)
+{
+    int i = 0;
+    /*
+     * We reset all CSR regs except GCTL, GUCTL, GSTS, GSNPSID, GGPIO, GUID,
+     * GUSB2PHYCFGn registers and GUSB3PIPECTLn registers. We will skip PHY
+     * register as we don't implement them.
+     */
+    for (i = 0; i < USB_DWC3_R_MAX; i++) {
+        switch (i) {
+        case R_GCTL:
+            break;
+        case R_GSTS:
+            break;
+        case R_GSNPSID:
+            break;
+        case R_GGPIO:
+            break;
+        case R_GUID:
+            break;
+        case R_GUCTL:
+            break;
+        case R_GHWPARAMS0...R_GHWPARAMS7:
+            break;
+        case R_GHWPARAMS8:
+            break;
+        default:
+            register_reset(&s->regs_info[i]);
+            break;
+        }
+    }
+
+    xhci_sysbus_reset(DEVICE(&s->sysbus_xhci));
+}
+
+static void usb_dwc3_gctl_postw(RegisterInfo *reg, uint64_t val64)
+{
+    USBDWC3 *s = USB_DWC3(reg->opaque);
+
+    if (ARRAY_FIELD_EX32(s->regs, GCTL, CORESOFTRESET)) {
+        reset_csr(s);
+    }
+}
+
+static void usb_dwc3_guid_postw(RegisterInfo *reg, uint64_t val64)
+{
+    USBDWC3 *s = USB_DWC3(reg->opaque);
+
+    s->regs[R_GUID] = s->cfg.dwc_usb3_user;
+}
+
+static const RegisterAccessInfo usb_dwc3_regs_info[] = {
+    {   .name = "GSBUSCFG0",  .addr = A_GSBUSCFG0,
+        .ro = 0xf300,
+        .unimp = 0xffffffff,
+    },{ .name = "GSBUSCFG1",  .addr = A_GSBUSCFG1,
+        .reset = 0x300,
+        .ro = 0xffffe0ff,
+        .unimp = 0xffffffff,
+    },{ .name = "GTXTHRCFG",  .addr = A_GTXTHRCFG,
+        .ro = 0xd000ffff,
+        .unimp = 0xffffffff,
+    },{ .name = "GRXTHRCFG",  .addr = A_GRXTHRCFG,
+        .ro = 0xd007e000,
+        .unimp = 0xffffffff,
+    },{ .name = "GCTL",  .addr = A_GCTL,
+        .reset = 0x30c13004, .post_write = usb_dwc3_gctl_postw,
+    },{ .name = "GPMSTS",  .addr = A_GPMSTS,
+        .ro = 0xfffffff,
+        .unimp = 0xffffffff,
+    },{ .name = "GSTS",  .addr = A_GSTS,
+        .reset = 0x7e800000,
+        .ro = 0xffffffcf,
+        .w1c = 0x30,
+        .unimp = 0xffffffff,
+    },{ .name = "GUCTL1",  .addr = A_GUCTL1,
+        .reset = 0x198a,
+        .ro = 0x7800,
+        .unimp = 0xffffffff,
+    },{ .name = "GSNPSID",  .addr = A_GSNPSID,
+        .reset = 0x5533330a,
+        .ro = 0xffffffff,
+    },{ .name = "GGPIO",  .addr = A_GGPIO,
+        .ro = 0xffff,
+        .unimp = 0xffffffff,
+    },{ .name = "GUID",  .addr = A_GUID,
+        .reset = 0x12345678, .post_write = usb_dwc3_guid_postw,
+    },{ .name = "GUCTL",  .addr = A_GUCTL,
+        .reset = 0x0c808010,
+        .ro = 0x1c8000,
+        .unimp = 0xffffffff,
+    },{ .name = "GBUSERRADDRLO",  .addr = A_GBUSERRADDRLO,
+        .ro = 0xffffffff,
+    },{ .name = "GBUSERRADDRHI",  .addr = A_GBUSERRADDRHI,
+        .ro = 0xffffffff,
+    },{ .name = "GHWPARAMS0",  .addr = A_GHWPARAMS0,
+        .ro = 0xffffffff,
+    },{ .name = "GHWPARAMS1",  .addr = A_GHWPARAMS1,
+        .ro = 0xffffffff,
+    },{ .name = "GHWPARAMS2",  .addr = A_GHWPARAMS2,
+        .ro = 0xffffffff,
+    },{ .name = "GHWPARAMS3",  .addr = A_GHWPARAMS3,
+        .ro = 0xffffffff,
+    },{ .name = "GHWPARAMS4",  .addr = A_GHWPARAMS4,
+        .ro = 0xffffffff,
+    },{ .name = "GHWPARAMS5",  .addr = A_GHWPARAMS5,
+        .ro = 0xffffffff,
+    },{ .name = "GHWPARAMS6",  .addr = A_GHWPARAMS6,
+        .ro = 0xffffffff,
+    },{ .name = "GHWPARAMS7",  .addr = A_GHWPARAMS7,
+        .ro = 0xffffffff,
+    },{ .name = "GDBGFIFOSPACE",  .addr = A_GDBGFIFOSPACE,
+        .reset = 0xa0000,
+        .ro = 0xfffffe00,
+        .unimp = 0xffffffff,
+    },{ .name = "GUCTL2",  .addr = A_GUCTL2,
+        .reset = 0x40d,
+        .ro = 0x2000,
+        .unimp = 0xffffffff,
+    },{ .name = "GUSB2PHYCFG",  .addr = A_GUSB2PHYCFG,
+        .reset = 0x40102410,
+        .ro = 0x1e014030,
+        .unimp = 0xffffffff,
+    },{ .name = "GUSB2I2CCTL",  .addr = A_GUSB2I2CCTL,
+        .ro = 0xffffffff,
+        .unimp = 0xffffffff,
+    },{ .name = "GUSB2PHYACC_ULPI",  .addr = A_GUSB2PHYACC_ULPI,
+        .ro = 0xfd000000,
+        .unimp = 0xffffffff,
+    },{ .name = "GTXFIFOSIZ0",  .addr = A_GTXFIFOSIZ0,
+        .reset = 0x2c7000a,
+        .unimp = 0xffffffff,
+    },{ .name = "GTXFIFOSIZ1",  .addr = A_GTXFIFOSIZ1,
+        .reset = 0x2d10103,
+        .unimp = 0xffffffff,
+    },{ .name = "GTXFIFOSIZ2",  .addr = A_GTXFIFOSIZ2,
+        .reset = 0x3d40103,
+        .unimp = 0xffffffff,
+    },{ .name = "GTXFIFOSIZ3",  .addr = A_GTXFIFOSIZ3,
+        .reset = 0x4d70083,
+        .unimp = 0xffffffff,
+    },{ .name = "GTXFIFOSIZ4",  .addr = A_GTXFIFOSIZ4,
+        .reset = 0x55a0083,
+        .unimp = 0xffffffff,
+    },{ .name = "GTXFIFOSIZ5",  .addr = A_GTXFIFOSIZ5,
+        .reset = 0x5dd0083,
+        .unimp = 0xffffffff,
+    },{ .name = "GRXFIFOSIZ0",  .addr = A_GRXFIFOSIZ0,
+        .reset = 0x1c20105,
+        .unimp = 0xffffffff,
+    },{ .name = "GRXFIFOSIZ1",  .addr = A_GRXFIFOSIZ1,
+        .reset = 0x2c70000,
+        .unimp = 0xffffffff,
+    },{ .name = "GRXFIFOSIZ2",  .addr = A_GRXFIFOSIZ2,
+        .reset = 0x2c70000,
+        .unimp = 0xffffffff,
+    },{ .name = "GEVNTADRLO_0",  .addr = A_GEVNTADRLO_0,
+        .unimp = 0xffffffff,
+    },{ .name = "GEVNTADRHI_0",  .addr = A_GEVNTADRHI_0,
+        .unimp = 0xffffffff,
+    },{ .name = "GEVNTSIZ_0",  .addr = A_GEVNTSIZ_0,
+        .ro = 0x7fff0000,
+        .unimp = 0xffffffff,
+    },{ .name = "GEVNTCOUNT_0",  .addr = A_GEVNTCOUNT_0,
+        .ro = 0x7fff0000,
+        .unimp = 0xffffffff,
+    },{ .name = "GEVNTADRLO_1",  .addr = A_GEVNTADRLO_1,
+        .unimp = 0xffffffff,
+    },{ .name = "GEVNTADRHI_1",  .addr = A_GEVNTADRHI_1,
+        .unimp = 0xffffffff,
+    },{ .name = "GEVNTSIZ_1",  .addr = A_GEVNTSIZ_1,
+        .ro = 0x7fff0000,
+        .unimp = 0xffffffff,
+    },{ .name = "GEVNTCOUNT_1",  .addr = A_GEVNTCOUNT_1,
+        .ro = 0x7fff0000,
+        .unimp = 0xffffffff,
+    },{ .name = "GEVNTADRLO_2",  .addr = A_GEVNTADRLO_2,
+        .unimp = 0xffffffff,
+    },{ .name = "GEVNTADRHI_2",  .addr = A_GEVNTADRHI_2,
+        .unimp = 0xffffffff,
+    },{ .name = "GEVNTSIZ_2",  .addr = A_GEVNTSIZ_2,
+        .ro = 0x7fff0000,
+        .unimp = 0xffffffff,
+    },{ .name = "GEVNTCOUNT_2",  .addr = A_GEVNTCOUNT_2,
+        .ro = 0x7fff0000,
+        .unimp = 0xffffffff,
+    },{ .name = "GEVNTADRLO_3",  .addr = A_GEVNTADRLO_3,
+        .unimp = 0xffffffff,
+    },{ .name = "GEVNTADRHI_3",  .addr = A_GEVNTADRHI_3,
+        .unimp = 0xffffffff,
+    },{ .name = "GEVNTSIZ_3",  .addr = A_GEVNTSIZ_3,
+        .ro = 0x7fff0000,
+        .unimp = 0xffffffff,
+    },{ .name = "GEVNTCOUNT_3",  .addr = A_GEVNTCOUNT_3,
+        .ro = 0x7fff0000,
+        .unimp = 0xffffffff,
+    },{ .name = "GHWPARAMS8",  .addr = A_GHWPARAMS8,
+        .ro = 0xffffffff,
+    },{ .name = "GTXFIFOPRIDEV",  .addr = A_GTXFIFOPRIDEV,
+        .ro = 0xffffffc0,
+        .unimp = 0xffffffff,
+    },{ .name = "GTXFIFOPRIHST",  .addr = A_GTXFIFOPRIHST,
+        .ro = 0xfffffff8,
+        .unimp = 0xffffffff,
+    },{ .name = "GRXFIFOPRIHST",  .addr = A_GRXFIFOPRIHST,
+        .ro = 0xfffffff8,
+        .unimp = 0xffffffff,
+    },{ .name = "GDMAHLRATIO",  .addr = A_GDMAHLRATIO,
+        .ro = 0xffffe0e0,
+        .unimp = 0xffffffff,
+    },{ .name = "GFLADJ",  .addr = A_GFLADJ,
+        .reset = 0xc83f020,
+        .rsvd = 0x40,
+        .ro = 0x400040,
+        .unimp = 0xffffffff,
+    }
+};
+
+static void usb_dwc3_reset(DeviceState *dev)
+{
+    USBDWC3 *s = USB_DWC3(dev);
+    unsigned int i;
+
+    for (i = 0; i < ARRAY_SIZE(s->regs_info); ++i) {
+        switch (i) {
+        case R_GHWPARAMS0...R_GHWPARAMS7:
+            break;
+        case R_GHWPARAMS8:
+            break;
+        default:
+            register_reset(&s->regs_info[i]);
+        };
+    }
+
+    xhci_sysbus_reset(DEVICE(&s->sysbus_xhci));
+}
+
+static const MemoryRegionOps usb_dwc3_ops = {
+    .read = register_read_memory,
+    .write = register_write_memory,
+    .endianness = DEVICE_LITTLE_ENDIAN,
+    .valid = {
+        .min_access_size = 4,
+        .max_access_size = 4,
+    },
+};
+
+static void usb_dwc3_realize(DeviceState *dev, Error **errp)
+{
+    USBDWC3 *s = USB_DWC3(dev);
+    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
+    Error *err = NULL;
+
+    sysbus_realize(SYS_BUS_DEVICE(&s->sysbus_xhci), &err);
+    if (err) {
+        error_propagate(errp, err);
+        return;
+    }
+
+    memory_region_add_subregion(&s->iomem, 0,
+         sysbus_mmio_get_region(SYS_BUS_DEVICE(&s->sysbus_xhci), 0));
+    sysbus_init_mmio(sbd, &s->iomem);
+
+    /*
+     * Device Configuration
+     */
+    s->regs[R_GHWPARAMS0] = 0x40204048 | s->cfg.mode;
+    s->regs[R_GHWPARAMS1] = 0x222493b;
+    s->regs[R_GHWPARAMS2] = 0x12345678;
+    s->regs[R_GHWPARAMS3] = 0x618c088;
+    s->regs[R_GHWPARAMS4] = 0x47822004;
+    s->regs[R_GHWPARAMS5] = 0x4202088;
+    s->regs[R_GHWPARAMS6] = 0x7850c20;
+    s->regs[R_GHWPARAMS7] = 0x0;
+    s->regs[R_GHWPARAMS8] = 0x478;
+}
+
+static void usb_dwc3_init(Object *obj)
+{
+    USBDWC3 *s = USB_DWC3(obj);
+    RegisterInfoArray *reg_array;
+
+    memory_region_init(&s->iomem, obj, TYPE_USB_DWC3, DWC3_SIZE);
+    reg_array =
+        register_init_block32(DEVICE(obj), usb_dwc3_regs_info,
+                              ARRAY_SIZE(usb_dwc3_regs_info),
+                              s->regs_info, s->regs,
+                              &usb_dwc3_ops,
+                              USB_DWC3_ERR_DEBUG,
+                              USB_DWC3_R_MAX * 4);
+    memory_region_add_subregion(&s->iomem,
+                                DWC3_GLOBAL_OFFSET,
+                                &reg_array->mem);
+    object_initialize_child(obj, "dwc3-xhci", &s->sysbus_xhci,
+                            TYPE_XHCI_SYSBUS);
+    qdev_alias_all_properties(DEVICE(&s->sysbus_xhci), obj);
+
+    s->cfg.mode = HOST_MODE;
+}
+
+static const VMStateDescription vmstate_usb_dwc3 = {
+    .name = "usb-dwc3",
+    .version_id = 1,
+    .fields = (VMStateField[]) {
+        VMSTATE_UINT32_ARRAY(regs, USBDWC3, USB_DWC3_R_MAX),
+        VMSTATE_UINT8(cfg.mode, USBDWC3),
+        VMSTATE_UINT32(cfg.dwc_usb3_user, USBDWC3),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+static Property usb_dwc3_properties[] = {
+    DEFINE_PROP_UINT32("DWC_USB3_USERID", USBDWC3, cfg.dwc_usb3_user,
+                       0x12345678),
+    DEFINE_PROP_END_OF_LIST(),
+};
+
+static void usb_dwc3_class_init(ObjectClass *klass, void *data)
+{
+    DeviceClass *dc = DEVICE_CLASS(klass);
+
+    dc->reset = usb_dwc3_reset;
+    dc->realize = usb_dwc3_realize;
+    dc->vmsd = &vmstate_usb_dwc3;
+    device_class_set_props(dc, usb_dwc3_properties);
+}
+
+static const TypeInfo usb_dwc3_info = {
+    .name          = TYPE_USB_DWC3,
+    .parent        = TYPE_SYS_BUS_DEVICE,
+    .instance_size = sizeof(USBDWC3),
+    .class_init    = usb_dwc3_class_init,
+    .instance_init = usb_dwc3_init,
+};
+
+static void usb_dwc3_register_types(void)
+{
+    type_register_static(&usb_dwc3_info);
+}
+
+type_init(usb_dwc3_register_types)
diff --git a/hw/usb/Kconfig b/hw/usb/Kconfig
index XXXXXXX..XXXXXXX 100644
--- a/hw/usb/Kconfig
+++ b/hw/usb/Kconfig
@@ -XXX,XX +XXX,XX @@ config IMX_USBPHY
     bool
     default y
     depends on USB
+
+config USB_DWC3
+    bool
+    select USB_XHCI_SYSBUS
+    select REGISTER
diff --git a/hw/usb/meson.build b/hw/usb/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/hw/usb/meson.build
+++ b/hw/usb/meson.build
@@ -XXX,XX +XXX,XX @@ softmmu_ss.add(when: 'CONFIG_USB_XHCI_SYSBUS', if_true: files('hcd-xhci-sysbus.c
 softmmu_ss.add(when: 'CONFIG_USB_XHCI_NEC', if_true: files('hcd-xhci-nec.c'))
 softmmu_ss.add(when: 'CONFIG_USB_MUSB', if_true: files('hcd-musb.c'))
 softmmu_ss.add(when: 'CONFIG_USB_DWC2', if_true: files('hcd-dwc2.c'))
+softmmu_ss.add(when: 'CONFIG_USB_DWC3', if_true: files('hcd-dwc3.c'))
 
 softmmu_ss.add(when: 'CONFIG_TUSB6010', if_true: files('tusb6010.c'))
 softmmu_ss.add(when: 'CONFIG_IMX', if_true: files('chipidea.c'))
-- 
2.20.1

From: Sai Pavan Boddu <sai.pavan.boddu@xilinx.com>

This model is a top level integration wrapper for hcd-dwc3 and
versal-usb2-ctrl-regs modules, this is used by xilinx versal soc's and
future xilinx usb subsystems would also be part of it.

Signed-off-by: Sai Pavan Boddu <sai.pavan.boddu@xilinx.com>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1607023357-5096-4-git-send-email-sai.pavan.boddu@xilinx.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/usb/xlnx-usb-subsystem.h | 45 ++++++++++++++
 hw/usb/xlnx-usb-subsystem.c         | 94 +++++++++++++++++++++++++++++
 hw/usb/Kconfig                      |  5 ++
 hw/usb/meson.build                  |  1 +
 4 files changed, 145 insertions(+)
 create mode 100644 include/hw/usb/xlnx-usb-subsystem.h
 create mode 100644 hw/usb/xlnx-usb-subsystem.c

diff --git a/include/hw/usb/xlnx-usb-subsystem.h b/include/hw/usb/xlnx-usb-subsystem.h
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/include/hw/usb/xlnx-usb-subsystem.h
@@ -XXX,XX +XXX,XX @@
+/*
+ * QEMU model of the Xilinx usb subsystem
+ *
+ * Copyright (c) 2020 Xilinx Inc. Sai Pavan Boddu <sai.pavan.boddu@xilinx.com>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#ifndef _XLNX_VERSAL_USB_SUBSYSTEM_H_
+#define _XLNX_VERSAL_USB_SUBSYSTEM_H_
+
+#include "hw/usb/xlnx-versal-usb2-ctrl-regs.h"
+#include "hw/usb/hcd-dwc3.h"
+
+#define TYPE_XILINX_VERSAL_USB2 "xlnx.versal-usb2"
+
+#define VERSAL_USB2(obj) \
+     OBJECT_CHECK(VersalUsb2, (obj), TYPE_XILINX_VERSAL_USB2)
+
+typedef struct VersalUsb2 {
+    SysBusDevice parent_obj;
+    MemoryRegion dwc3_mr;
+    MemoryRegion usb2Ctrl_mr;
+
+    VersalUsb2CtrlRegs usb2Ctrl;
+    USBDWC3 dwc3;
+} VersalUsb2;
+
+#endif
diff --git a/hw/usb/xlnx-usb-subsystem.c b/hw/usb/xlnx-usb-subsystem.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/hw/usb/xlnx-usb-subsystem.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * QEMU model of the Xilinx usb subsystem
+ *
+ * Copyright (c) 2020 Xilinx Inc. Sai Pavan Boddu <sai.pava.boddu@xilinx.com>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include "qemu/osdep.h"
+#include "hw/sysbus.h"
+#include "hw/irq.h"
+#include "hw/register.h"
+#include "qemu/bitops.h"
+#include "qemu/log.h"
+#include "qom/object.h"
+#include "qapi/error.h"
+#include "hw/qdev-properties.h"
+#include "hw/usb/xlnx-usb-subsystem.h"
+
+static void versal_usb2_realize(DeviceState *dev, Error **errp)
+{
+    VersalUsb2 *s = VERSAL_USB2(dev);
+    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
+    Error *err = NULL;
+
+    sysbus_realize(SYS_BUS_DEVICE(&s->dwc3), &err);
+    if (err) {
+        error_propagate(errp, err);
+        return;
+    }
+    sysbus_realize(SYS_BUS_DEVICE(&s->usb2Ctrl), &err);
+    if (err) {
+        error_propagate(errp, err);
+        return;
+    }
+    sysbus_init_mmio(sbd, &s->dwc3_mr);
+    sysbus_init_mmio(sbd, &s->usb2Ctrl_mr);
+    qdev_pass_gpios(DEVICE(&s->dwc3.sysbus_xhci), dev, SYSBUS_DEVICE_GPIO_IRQ);
+}
+
+static void versal_usb2_init(Object *obj)
+{
+    VersalUsb2 *s = VERSAL_USB2(obj);
+
+    object_initialize_child(obj, "versal.dwc3", &s->dwc3,
+                            TYPE_USB_DWC3);
+    object_initialize_child(obj, "versal.usb2-ctrl", &s->usb2Ctrl,
+                            TYPE_XILINX_VERSAL_USB2_CTRL_REGS);
+    memory_region_init_alias(&s->dwc3_mr, obj, "versal.dwc3_alias",
+                             &s->dwc3.iomem, 0, DWC3_SIZE);
+    memory_region_init_alias(&s->usb2Ctrl_mr, obj, "versal.usb2Ctrl_alias",
+                             &s->usb2Ctrl.iomem, 0, USB2_REGS_R_MAX * 4);
+    qdev_alias_all_properties(DEVICE(&s->dwc3), obj);
+    qdev_alias_all_properties(DEVICE(&s->dwc3.sysbus_xhci), obj);
+    object_property_add_alias(obj, "dma", OBJECT(&s->dwc3.sysbus_xhci), "dma");
+}
+
+static void versal_usb2_class_init(ObjectClass *klass, void *data)
+{
+    DeviceClass *dc = DEVICE_CLASS(klass);
+
+    dc->realize = versal_usb2_realize;
+}
+
+static const TypeInfo versal_usb2_info = {
+    .name          = TYPE_XILINX_VERSAL_USB2,
+    .parent        = TYPE_SYS_BUS_DEVICE,
+    .instance_size = sizeof(VersalUsb2),
+    .class_init    = versal_usb2_class_init,
+    .instance_init = versal_usb2_init,
+};
+
+static void versal_usb_types(void)
+{
+    type_register_static(&versal_usb2_info);
+}
+
+type_init(versal_usb_types)
diff --git a/hw/usb/Kconfig b/hw/usb/Kconfig
index XXXXXXX..XXXXXXX 100644
--- a/hw/usb/Kconfig
+++ b/hw/usb/Kconfig
@@ -XXX,XX +XXX,XX @@ config USB_DWC3
     bool
     select USB_XHCI_SYSBUS
     select REGISTER
+
+config XLNX_USB_SUBSYS
+    bool
+    default y if XLNX_VERSAL
+    select USB_DWC3
diff --git a/hw/usb/meson.build b/hw/usb/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/hw/usb/meson.build
+++ b/hw/usb/meson.build
@@ -XXX,XX +XXX,XX @@ softmmu_ss.add(when: 'CONFIG_TUSB6010', if_true: files('tusb6010.c'))
 softmmu_ss.add(when: 'CONFIG_IMX', if_true: files('chipidea.c'))
 softmmu_ss.add(when: 'CONFIG_IMX_USBPHY', if_true: files('imx-usb-phy.c'))
 specific_ss.add(when: 'CONFIG_XLNX_VERSAL', if_true: files('xlnx-versal-usb2-ctrl-regs.c'))
+specific_ss.add(when: 'CONFIG_XLNX_USB_SUBSYS', if_true: files('xlnx-usb-subsystem.c'))
 
 # emulated usb devices
 softmmu_ss.add(when: 'CONFIG_USB', if_true: files('dev-hub.c'))
-- 
2.20.1

From: Vikram Garhwal <fnu.vikram@xilinx.com>

Connect VersalUsb2 subsystem to xlnx-versal SOC, its placed
in iou of lpd domain and configure it as dual port host controller.
Add the respective guest dts nodes for "xlnx-versal-virt" machine.

Signed-off-by: Vikram Garhwal <fnu.vikram@xilinx.com>
Signed-off-by: Sai Pavan Boddu <sai.pavan.boddu@xilinx.com>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Message-id: 1607023357-5096-5-git-send-email-sai.pavan.boddu@xilinx.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/arm/xlnx-versal.h |  9 ++++++
 hw/arm/xlnx-versal-virt.c    | 55 ++++++++++++++++++++++++++++++++++++
 hw/arm/xlnx-versal.c         | 26 +++++++++++++++++
 3 files changed, 90 insertions(+)

diff --git a/include/hw/arm/xlnx-versal.h b/include/hw/arm/xlnx-versal.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/xlnx-versal.h
+++ b/include/hw/arm/xlnx-versal.h
@@ -XXX,XX +XXX,XX @@
 #include "hw/net/cadence_gem.h"
 #include "hw/rtc/xlnx-zynqmp-rtc.h"
 #include "qom/object.h"
+#include "hw/usb/xlnx-usb-subsystem.h"
 
 #define TYPE_XLNX_VERSAL "xlnx-versal"
 OBJECT_DECLARE_SIMPLE_TYPE(Versal, XLNX_VERSAL)
@@ -XXX,XX +XXX,XX @@ struct Versal {
             PL011State uart[XLNX_VERSAL_NR_UARTS];
             CadenceGEMState gem[XLNX_VERSAL_NR_GEMS];
             XlnxZDMA adma[XLNX_VERSAL_NR_ADMAS];
+            VersalUsb2 usb;
         } iou;
     } lpd;
 
@@ -XXX,XX +XXX,XX @@ struct Versal {
 
 #define VERSAL_UART0_IRQ_0         18
 #define VERSAL_UART1_IRQ_0         19
+#define VERSAL_USB0_IRQ_0          22
 #define VERSAL_GEM0_IRQ_0          56
 #define VERSAL_GEM0_WAKE_IRQ_0     57
 #define VERSAL_GEM1_IRQ_0          58
@@ -XXX,XX +XXX,XX @@ struct Versal {
 #define MM_OCM                      0xfffc0000U
 #define MM_OCM_SIZE                 0x40000
 
+#define MM_USB2_CTRL_REGS           0xFF9D0000
+#define MM_USB2_CTRL_REGS_SIZE      0x10000
+
+#define MM_USB_0                    0xFE200000
+#define MM_USB_0_SIZE               0x10000
+
 #define MM_TOP_DDR                  0x0
 #define MM_TOP_DDR_SIZE             0x80000000U
 #define MM_TOP_DDR_2                0x800000000ULL
diff --git a/hw/arm/xlnx-versal-virt.c b/hw/arm/xlnx-versal-virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/xlnx-versal-virt.c
+++ b/hw/arm/xlnx-versal-virt.c
@@ -XXX,XX +XXX,XX @@ struct VersalVirt {
         uint32_t ethernet_phy[2];
         uint32_t clk_125Mhz;
         uint32_t clk_25Mhz;
+        uint32_t usb;
+        uint32_t dwc;
     } phandle;
     struct arm_boot_info binfo;
 
@@ -XXX,XX +XXX,XX @@ static void fdt_create(VersalVirt *s)
     s->phandle.clk_25Mhz = qemu_fdt_alloc_phandle(s->fdt);
     s->phandle.clk_125Mhz = qemu_fdt_alloc_phandle(s->fdt);
 
+    s->phandle.usb = qemu_fdt_alloc_phandle(s->fdt);
+    s->phandle.dwc = qemu_fdt_alloc_phandle(s->fdt);
     /* Create /chosen node for load_dtb.  */
     qemu_fdt_add_subnode(s->fdt, "/chosen");
 
@@ -XXX,XX +XXX,XX @@ static void fdt_add_timer_nodes(VersalVirt *s)
                      compat, sizeof(compat));
 }
 
+static void fdt_add_usb_xhci_nodes(VersalVirt *s)
+{
+    const char clocknames[] = "bus_clk\0ref_clk";
+    const char irq_name[] = "dwc_usb3";
+    const char compatVersalDWC3[] = "xlnx,versal-dwc3";
+    const char compatDWC3[] = "snps,dwc3";
+    char *name = g_strdup_printf("/usb@%" PRIx32, MM_USB2_CTRL_REGS);
+
+    qemu_fdt_add_subnode(s->fdt, name);
+    qemu_fdt_setprop(s->fdt, name, "compatible",
+                         compatVersalDWC3, sizeof(compatVersalDWC3));
+    qemu_fdt_setprop_sized_cells(s->fdt, name, "reg",
+                                 2, MM_USB2_CTRL_REGS,
+                                 2, MM_USB2_CTRL_REGS_SIZE);
+    qemu_fdt_setprop(s->fdt, name, "clock-names",
+                         clocknames, sizeof(clocknames));
+    qemu_fdt_setprop_cells(s->fdt, name, "clocks",
+                               s->phandle.clk_25Mhz, s->phandle.clk_125Mhz);
+    qemu_fdt_setprop(s->fdt, name, "ranges", NULL, 0);
+    qemu_fdt_setprop_cell(s->fdt, name, "#address-cells", 2);
+    qemu_fdt_setprop_cell(s->fdt, name, "#size-cells", 2);
+    qemu_fdt_setprop_cell(s->fdt, name, "phandle", s->phandle.usb);
+    g_free(name);
+
+    name = g_strdup_printf("/usb@%" PRIx32 "/dwc3@%" PRIx32,
+                           MM_USB2_CTRL_REGS, MM_USB_0);
+    qemu_fdt_add_subnode(s->fdt, name);
+    qemu_fdt_setprop(s->fdt, name, "compatible",
+                     compatDWC3, sizeof(compatDWC3));
+    qemu_fdt_setprop_sized_cells(s->fdt, name, "reg",
+                                 2, MM_USB_0, 2, MM_USB_0_SIZE);
+    qemu_fdt_setprop(s->fdt, name, "interrupt-names",
+                     irq_name, sizeof(irq_name));
+    qemu_fdt_setprop_cells(s->fdt, name, "interrupts",
+                               GIC_FDT_IRQ_TYPE_SPI, VERSAL_USB0_IRQ_0,
+                               GIC_FDT_IRQ_FLAGS_LEVEL_HI);
+    qemu_fdt_setprop_cell(s->fdt, name,
+                          "snps,quirk-frame-length-adjustment", 0x20);
+    qemu_fdt_setprop_cells(s->fdt, name, "#stream-id-cells", 1);
+    qemu_fdt_setprop_string(s->fdt, name, "dr_mode", "host");
+    qemu_fdt_setprop_string(s->fdt, name, "phy-names", "usb3-phy");
+    qemu_fdt_setprop(s->fdt, name, "snps,dis_u2_susphy_quirk", NULL, 0);
+    qemu_fdt_setprop(s->fdt, name, "snps,dis_u3_susphy_quirk", NULL, 0);
+    qemu_fdt_setprop(s->fdt, name, "snps,refclk_fladj", NULL, 0);
+    qemu_fdt_setprop(s->fdt, name, "snps,mask_phy_reset", NULL, 0);
+    qemu_fdt_setprop_cell(s->fdt, name, "phandle", s->phandle.dwc);
+    qemu_fdt_setprop_string(s->fdt, name, "maximum-speed", "high-speed");
+    g_free(name);
+}
+
 static void fdt_add_uart_nodes(VersalVirt *s)
 {
     uint64_t addrs[] = { MM_UART1, MM_UART0 };
@@ -XXX,XX +XXX,XX @@ static void versal_virt_init(MachineState *machine)
     fdt_add_gic_nodes(s);
     fdt_add_timer_nodes(s);
     fdt_add_zdma_nodes(s);
+    fdt_add_usb_xhci_nodes(s);
     fdt_add_sd_nodes(s);
     fdt_add_rtc_node(s);
     fdt_add_cpu_nodes(s, psci_conduit);
diff --git a/hw/arm/xlnx-versal.c b/hw/arm/xlnx-versal.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/xlnx-versal.c
+++ b/hw/arm/xlnx-versal.c
@@ -XXX,XX +XXX,XX @@ static void versal_create_uarts(Versal *s, qemu_irq *pic)
     }
 }
 
+static void versal_create_usbs(Versal *s, qemu_irq *pic)
+{
+    DeviceState *dev;
+    MemoryRegion *mr;
+
+    object_initialize_child(OBJECT(s), "usb2", &s->lpd.iou.usb,
+                            TYPE_XILINX_VERSAL_USB2);
+    dev = DEVICE(&s->lpd.iou.usb);
+
+    object_property_set_link(OBJECT(dev), "dma", OBJECT(&s->mr_ps),
+                             &error_abort);
+    qdev_prop_set_uint32(dev, "intrs", 1);
+    qdev_prop_set_uint32(dev, "slots", 2);
+
+    sysbus_realize(SYS_BUS_DEVICE(dev), &error_fatal);
+
+    mr = sysbus_mmio_get_region(SYS_BUS_DEVICE(dev), 0);
+    memory_region_add_subregion(&s->mr_ps, MM_USB_0, mr);
+
+    sysbus_connect_irq(SYS_BUS_DEVICE(dev), 0, pic[VERSAL_USB0_IRQ_0]);
+
+    mr = sysbus_mmio_get_region(SYS_BUS_DEVICE(dev), 1);
+    memory_region_add_subregion(&s->mr_ps, MM_USB2_CTRL_REGS, mr);
+}
+
 static void versal_create_gems(Versal *s, qemu_irq *pic)
 {
     int i;
@@ -XXX,XX +XXX,XX @@ static void versal_realize(DeviceState *dev, Error **errp)
     versal_create_apu_cpus(s);
     versal_create_apu_gic(s, pic);
     versal_create_uarts(s, pic);
+    versal_create_usbs(s, pic);
     versal_create_gems(s, pic);
     versal_create_admas(s, pic);
     versal_create_sds(s, pic);
-- 
2.20.1

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

Malicious user can set the feedback divisor for the PLLs
to zero, triggering a floating-point exception (SIGFPE).

As the datasheet [*] is not clear how hardware behaves
when these bits are zeroes, use the maximum divisor
possible (128) to avoid the software FPE.

[*] Zynq-7000 TRM, UG585 (v1.12.2)
    B.28 System Level Control Registers (slcr)
    -> "Register (slcr) ARM_PLL_CTRL"
    25.10.4 PLLs
    -> "Software-Controlled PLL Update"

Fixes: 38867cb7ec9 ("hw/misc/zynq_slcr: add clock generation for uarts")
Reported-by: Gaoning Pan <pgn@zju.edu.cn>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Damien Hedde <damien.hedde@greensocs.com>
Message-id: 20201210141610.884600-1-f4bug@amsat.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/misc/zynq_slcr.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/hw/misc/zynq_slcr.c b/hw/misc/zynq_slcr.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/misc/zynq_slcr.c
+++ b/hw/misc/zynq_slcr.c
@@ -XXX,XX +XXX,XX @@ static uint64_t zynq_slcr_compute_pll(uint64_t input, uint32_t ctrl_reg)
         return 0;
     }
 
+    /* Consider zero feedback as maximum divide ratio possible */
+    if (!mult) {
+        mult = 1 << R_xxx_PLL_CTRL_PLL_FPDIV_LENGTH;
+    }
+
     /* frequency multiplier -> period division */
     return input / mult;
 }
-- 
2.20.1

From: Joe Komlodi <joe.komlodi@xilinx.com>

The previous naming of the configuration registers made it sound like that if
the bits were set the settings would be enabled, while the opposite is true.

Signed-off-by: Joe Komlodi <komlodi@xilinx.com>
Reviewed-by: Francisco Iglesias <francisco.iglesias@xilinx.com>
Message-id: 1605568264-26376-2-git-send-email-komlodi@xilinx.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/block/m25p80.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/hw/block/m25p80.c b/hw/block/m25p80.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/block/m25p80.c
+++ b/hw/block/m25p80.c
@@ -XXX,XX +XXX,XX @@ typedef struct FlashPartInfo {
 #define VCFG_WRAP_SEQUENTIAL 0x2
 #define NVCFG_XIP_MODE_DISABLED (7 << 9)
 #define NVCFG_XIP_MODE_MASK (7 << 9)
-#define VCFG_XIP_MODE_ENABLED (1 << 3)
+#define VCFG_XIP_MODE_DISABLED (1 << 3)
 #define CFG_DUMMY_CLK_LEN 4
 #define NVCFG_DUMMY_CLK_POS 12
 #define VCFG_DUMMY_CLK_POS 4
@@ -XXX,XX +XXX,XX @@ typedef struct FlashPartInfo {
 #define EVCFG_VPP_ACCELERATOR (1 << 3)
 #define EVCFG_RESET_HOLD_ENABLED (1 << 4)
 #define NVCFG_DUAL_IO_MASK (1 << 2)
-#define EVCFG_DUAL_IO_ENABLED (1 << 6)
+#define EVCFG_DUAL_IO_DISABLED (1 << 6)
 #define NVCFG_QUAD_IO_MASK (1 << 3)
-#define EVCFG_QUAD_IO_ENABLED (1 << 7)
+#define EVCFG_QUAD_IO_DISABLED (1 << 7)
 #define NVCFG_4BYTE_ADDR_MASK (1 << 0)
 #define NVCFG_LOWER_SEGMENT_MASK (1 << 1)
 
@@ -XXX,XX +XXX,XX @@ static void reset_memory(Flash *s)
         s->volatile_cfg |= VCFG_WRAP_SEQUENTIAL;
         if ((s->nonvolatile_cfg & NVCFG_XIP_MODE_MASK)
                                 != NVCFG_XIP_MODE_DISABLED) {
-            s->volatile_cfg |= VCFG_XIP_MODE_ENABLED;
+            s->volatile_cfg |= VCFG_XIP_MODE_DISABLED;
         }
         s->volatile_cfg |= deposit32(s->volatile_cfg,
                             VCFG_DUMMY_CLK_POS,
@@ -XXX,XX +XXX,XX @@ static void reset_memory(Flash *s)
         s->enh_volatile_cfg |= EVCFG_VPP_ACCELERATOR;
         s->enh_volatile_cfg |= EVCFG_RESET_HOLD_ENABLED;
         if (s->nonvolatile_cfg & NVCFG_DUAL_IO_MASK) {
-            s->enh_volatile_cfg |= EVCFG_DUAL_IO_ENABLED;
+            s->enh_volatile_cfg |= EVCFG_DUAL_IO_DISABLED;
         }
         if (s->nonvolatile_cfg & NVCFG_QUAD_IO_MASK) {
-            s->enh_volatile_cfg |= EVCFG_QUAD_IO_ENABLED;
+            s->enh_volatile_cfg |= EVCFG_QUAD_IO_DISABLED;
         }
         if (!(s->nonvolatile_cfg & NVCFG_4BYTE_ADDR_MASK)) {
             s->four_bytes_address_mode = true;
-- 
2.20.1

From: Joe Komlodi <joe.komlodi@xilinx.com>

VCFG XIP is set (disabled) when the NVCFG XIP bits are all set (disabled).

Signed-off-by: Joe Komlodi <komlodi@xilinx.com>
Reviewed-by: Francisco Iglesias <francisco.iglesias@xilinx.com>
Message-id: 1605568264-26376-3-git-send-email-komlodi@xilinx.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/block/m25p80.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/block/m25p80.c b/hw/block/m25p80.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/block/m25p80.c
+++ b/hw/block/m25p80.c
@@ -XXX,XX +XXX,XX @@ static void reset_memory(Flash *s)
         s->volatile_cfg |= VCFG_DUMMY;
         s->volatile_cfg |= VCFG_WRAP_SEQUENTIAL;
         if ((s->nonvolatile_cfg & NVCFG_XIP_MODE_MASK)
-                                != NVCFG_XIP_MODE_DISABLED) {
+                                == NVCFG_XIP_MODE_DISABLED) {
             s->volatile_cfg |= VCFG_XIP_MODE_DISABLED;
         }
         s->volatile_cfg |= deposit32(s->volatile_cfg,
-- 
2.20.1

From: Joe Komlodi <joe.komlodi@xilinx.com>

Some Numonyx flash commands cannot be executed in DIO and QIO mode, such as
trying to do DPP or DOR when in QIO mode.

Signed-off-by: Joe Komlodi <komlodi@xilinx.com>
Reviewed-by: Francisco Iglesias <francisco.iglesias@xilinx.com>
Message-id: 1605568264-26376-4-git-send-email-komlodi@xilinx.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/block/m25p80.c | 114 ++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 95 insertions(+), 19 deletions(-)

diff --git a/hw/block/m25p80.c b/hw/block/m25p80.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/block/m25p80.c
+++ b/hw/block/m25p80.c
@@ -XXX,XX +XXX,XX @@ typedef enum {
     MAN_GENERIC,
 } Manufacturer;
 
+typedef enum {
+    MODE_STD = 0,
+    MODE_DIO = 1,
+    MODE_QIO = 2
+} SPIMode;
+
 #define M25P80_INTERNAL_DATA_BUFFER_SZ 16
 
 struct Flash {
@@ -XXX,XX +XXX,XX @@ static void reset_memory(Flash *s)
     trace_m25p80_reset_done(s);
 }
 
+static uint8_t numonyx_mode(Flash *s)
+{
+    if (!(s->enh_volatile_cfg & EVCFG_QUAD_IO_DISABLED)) {
+        return MODE_QIO;
+    } else if (!(s->enh_volatile_cfg & EVCFG_DUAL_IO_DISABLED)) {
+        return MODE_DIO;
+    } else {
+        return MODE_STD;
+    }
+}
+
 static void decode_fast_read_cmd(Flash *s)
 {
     s->needed_bytes = get_addr_length(s);
@@ -XXX,XX +XXX,XX @@ static void decode_new_cmd(Flash *s, uint32_t value)
     case ERASE4_32K:
     case ERASE_SECTOR:
     case ERASE4_SECTOR:
-    case READ:
-    case READ4:
-    case DPP:
-    case QPP:
-    case QPP_4:
     case PP:
     case PP4:
-    case PP4_4:
     case DIE_ERASE:
     case RDID_90:
     case RDID_AB:
@@ -XXX,XX +XXX,XX @@ static void decode_new_cmd(Flash *s, uint32_t value)
         s->len = 0;
         s->state = STATE_COLLECTING_DATA;
         break;
+    case READ:
+    case READ4:
+        if (get_man(s) != MAN_NUMONYX || numonyx_mode(s) == MODE_STD) {
+            s->needed_bytes = get_addr_length(s);
+            s->pos = 0;
+            s->len = 0;
+            s->state = STATE_COLLECTING_DATA;
+        } else {
+            qemu_log_mask(LOG_GUEST_ERROR, "M25P80: Cannot execute cmd %x in "
+                          "DIO or QIO mode\n", s->cmd_in_progress);
+        }
+        break;
+    case DPP:
+        if (get_man(s) != MAN_NUMONYX || numonyx_mode(s) != MODE_QIO) {
+            s->needed_bytes = get_addr_length(s);
+            s->pos = 0;
+            s->len = 0;
+            s->state = STATE_COLLECTING_DATA;
+        } else {
+            qemu_log_mask(LOG_GUEST_ERROR, "M25P80: Cannot execute cmd %x in "
+                          "QIO mode\n", s->cmd_in_progress);
+        }
+        break;
+    case QPP:
+    case QPP_4:
+    case PP4_4:
+        if (get_man(s) != MAN_NUMONYX || numonyx_mode(s) != MODE_DIO) {
+            s->needed_bytes = get_addr_length(s);
+            s->pos = 0;
+            s->len = 0;
+            s->state = STATE_COLLECTING_DATA;
+        } else {
+            qemu_log_mask(LOG_GUEST_ERROR, "M25P80: Cannot execute cmd %x in "
+                          "DIO mode\n", s->cmd_in_progress);
+        }
+        break;
 
     case FAST_READ:
     case FAST_READ4:
+        decode_fast_read_cmd(s);
+        break;
     case DOR:
     case DOR4:
+        if (get_man(s) != MAN_NUMONYX || numonyx_mode(s) != MODE_QIO) {
+            decode_fast_read_cmd(s);
+        } else {
+            qemu_log_mask(LOG_GUEST_ERROR, "M25P80: Cannot execute cmd %x in "
+                          "QIO mode\n", s->cmd_in_progress);
+        }
+        break;
     case QOR:
     case QOR4:
-        decode_fast_read_cmd(s);
+        if (get_man(s) != MAN_NUMONYX || numonyx_mode(s) != MODE_DIO) {
+            decode_fast_read_cmd(s);
+        } else {
+            qemu_log_mask(LOG_GUEST_ERROR, "M25P80: Cannot execute cmd %x in "
+                          "DIO mode\n", s->cmd_in_progress);
+        }
         break;
 
     case DIOR:
     case DIOR4:
-        decode_dio_read_cmd(s);
+        if (get_man(s) != MAN_NUMONYX || numonyx_mode(s) != MODE_QIO) {
+            decode_dio_read_cmd(s);
+        } else {
+            qemu_log_mask(LOG_GUEST_ERROR, "M25P80: Cannot execute cmd %x in "
+                          "QIO mode\n", s->cmd_in_progress);
+        }
         break;
 
     case QIOR:
     case QIOR4:
-        decode_qio_read_cmd(s);
+        if (get_man(s) != MAN_NUMONYX || numonyx_mode(s) != MODE_DIO) {
+            decode_qio_read_cmd(s);
+        } else {
+            qemu_log_mask(LOG_GUEST_ERROR, "M25P80: Cannot execute cmd %x in "
+                          "DIO mode\n", s->cmd_in_progress);
+        }
         break;
 
     case WRSR:
@@ -XXX,XX +XXX,XX @@ static void decode_new_cmd(Flash *s, uint32_t value)
         break;
 
     case JEDEC_READ:
-        trace_m25p80_populated_jedec(s);
-        for (i = 0; i < s->pi->id_len; i++) {
-            s->data[i] = s->pi->id[i];
-        }
-        for (; i < SPI_NOR_MAX_ID_LEN; i++) {
-            s->data[i] = 0;
-        }
+        if (get_man(s) != MAN_NUMONYX || numonyx_mode(s) == MODE_STD) {
+            trace_m25p80_populated_jedec(s);
+            for (i = 0; i < s->pi->id_len; i++) {
+                s->data[i] = s->pi->id[i];
+            }
+            for (; i < SPI_NOR_MAX_ID_LEN; i++) {
+                s->data[i] = 0;
+            }
 
-        s->len = SPI_NOR_MAX_ID_LEN;
-        s->pos = 0;
-        s->state = STATE_READING_DATA;
+            s->len = SPI_NOR_MAX_ID_LEN;
+            s->pos = 0;
+            s->state = STATE_READING_DATA;
+        } else {
+            qemu_log_mask(LOG_GUEST_ERROR, "M25P80: Cannot execute JEDEC read "
+                          "in DIO or QIO mode\n");
+        }
         break;
 
     case RDCR:
-- 
2.20.1

From: Joe Komlodi <joe.komlodi@xilinx.com>

Numonyx chips determine the number of cycles to wait based on bits 7:4
in the volatile configuration register.

However, if these bits are 0x0 or 0xF, the number of dummy cycles to
wait is 10 for QIOR and QIOR4 commands or when in QIO mode, and otherwise 8 for
the currently supported fast read commands. [1]

[1]
https://www.micron.com/-/media/client/global/documents/products/data-sheet/nor-flash/serial-nor/mt25q/die-rev-b/mt25q_qlkt_u_02g_cbb_0.pdf?rev=9b167fbf2b3645efba6385949a72e453

Signed-off-by: Joe Komlodi <komlodi@xilinx.com>
Reviewed-by: Francisco Iglesias <francisco.iglesias@xilinx.com>
Message-id: 1605568264-26376-5-git-send-email-komlodi@xilinx.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/block/m25p80.c | 30 +++++++++++++++++++++++++++---
 1 file changed, 27 insertions(+), 3 deletions(-)

diff --git a/hw/block/m25p80.c b/hw/block/m25p80.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/block/m25p80.c
+++ b/hw/block/m25p80.c
@@ -XXX,XX +XXX,XX @@ static uint8_t numonyx_mode(Flash *s)
     }
 }
 
+static uint8_t numonyx_extract_cfg_num_dummies(Flash *s)
+{
+    uint8_t num_dummies;
+    uint8_t mode;
+    assert(get_man(s) == MAN_NUMONYX);
+
+    mode = numonyx_mode(s);
+    num_dummies = extract32(s->volatile_cfg, 4, 4);
+
+    if (num_dummies == 0x0 || num_dummies == 0xf) {
+        switch (s->cmd_in_progress) {
+        case QIOR:
+        case QIOR4:
+            num_dummies = 10;
+            break;
+        default:
+            num_dummies = (mode == MODE_QIO) ? 10 : 8;
+            break;
+        }
+    }
+
+    return num_dummies;
+}
+
 static void decode_fast_read_cmd(Flash *s)
 {
     s->needed_bytes = get_addr_length(s);
@@ -XXX,XX +XXX,XX @@ static void decode_fast_read_cmd(Flash *s)
         s->needed_bytes += 8;
         break;
     case MAN_NUMONYX:
-        s->needed_bytes += extract32(s->volatile_cfg, 4, 4);
+        s->needed_bytes += numonyx_extract_cfg_num_dummies(s);
         break;
     case MAN_MACRONIX:
         if (extract32(s->volatile_cfg, 6, 2) == 1) {
@@ -XXX,XX +XXX,XX @@ static void decode_dio_read_cmd(Flash *s)
                                     );
         break;
     case MAN_NUMONYX:
-        s->needed_bytes += extract32(s->volatile_cfg, 4, 4);
+        s->needed_bytes += numonyx_extract_cfg_num_dummies(s);
         break;
     case MAN_MACRONIX:
         switch (extract32(s->volatile_cfg, 6, 2)) {
@@ -XXX,XX +XXX,XX @@ static void decode_qio_read_cmd(Flash *s)
                                     );
         break;
     case MAN_NUMONYX:
-        s->needed_bytes += extract32(s->volatile_cfg, 4, 4);
+        s->needed_bytes += numonyx_extract_cfg_num_dummies(s);
         break;
     case MAN_MACRONIX:
         switch (extract32(s->volatile_cfg, 6, 2)) {
-- 
2.20.1

Hi; here's the first arm pullreq for the 8.2 cycle. These are
pretty much all bug fixes (mostly for the experimental FEAT_RME),
rather than any major features.

-- PMM

The following changes since commit b0dd9a7d6dd15a6898e9c585b521e6bec79b25aa:

Open 8.2 development tree (2023-08-22 07:14:07 -0700)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20230824

for you to fetch changes up to cd1e4db73646006039f25879af3bff55b2295ff3:

target/arm: Fix 64-bit SSRA (2023-08-22 17:31:14 +0100)

----------------------------------------------------------------
target-arm queue:
 * hw/gpio/nrf51: implement DETECT signal
 * accel/kvm: Specify default IPA size for arm64
 * ptw: refactor, fix some FEAT_RME bugs
 * target/arm: Adjust PAR_EL1.SH for Device and Normal-NC memory types
 * target/arm/helper: Implement CNTHCTL_EL2.CNT[VP]MASK
 * Fix SME ST1Q
 * Fix 64-bit SSRA

----------------------------------------------------------------
Akihiko Odaki (6):
      kvm: Introduce kvm_arch_get_default_type hook
      accel/kvm: Specify default IPA size for arm64
      mips: Report an error when KVM_VM_MIPS_VZ is unavailable
      accel/kvm: Use negative KVM type for error propagation
      accel/kvm: Free as when an error occurred
      accel/kvm: Make kvm_dirty_ring_reaper_init() void

Chris Laplante (6):
      hw/gpio/nrf51: implement DETECT signal
      qtest: factor out qtest_install_gpio_out_intercept
      qtest: implement named interception of out-GPIO
      qtest: bail from irq_intercept_in if name is specified
      qtest: irq_intercept_[out/in]: return FAIL if no intercepts are installed
      qtest: microbit-test: add tests for nRF51 DETECT

Jean-Philippe Brucker (6):
      target/arm/ptw: Load stage-2 tables from realm physical space
      target/arm/helper: Fix tlbmask and tlbbits for TLBI VAE2*
      target/arm: Skip granule protection checks for AT instructions
      target/arm: Pass security space rather than flag for AT instructions
      target/arm/helper: Check SCR_EL3.{NSE, NS} encoding for AT instructions
      target/arm/helper: Implement CNTHCTL_EL2.CNT[VP]MASK

Peter Maydell (15):
      target/arm/ptw: Don't set fi->s1ptw for UnsuppAtomicUpdate fault
      target/arm/ptw: Don't report GPC faults on stage 1 ptw as stage2 faults
      target/arm/ptw: Set s1ns bit in fault info more consistently
      target/arm/ptw: Pass ptw into get_phys_addr_pmsa*() and get_phys_addr_disabled()
      target/arm/ptw: Pass ARMSecurityState to regime_translation_disabled()
      target/arm/ptw: Pass an ARMSecuritySpace to arm_hcr_el2_eff_secstate()
      target/arm: Pass an ARMSecuritySpace to arm_is_el2_enabled_secstate()
      target/arm/ptw: Only fold in NSTable bit effects in Secure state
      target/arm/ptw: Remove last uses of ptw->in_secure
      target/arm/ptw: Remove S1Translate::in_secure
      target/arm/ptw: Drop S1Translate::out_secure
      target/arm/ptw: Set attributes correctly for MMU disabled data accesses
      target/arm/ptw: Check for block descriptors at invalid levels
      target/arm/ptw: Report stage 2 fault level for stage 2 faults on stage 1 ptw
      target/arm: Adjust PAR_EL1.SH for Device and Normal-NC memory types

Richard Henderson (2):
      target/arm: Fix SME ST1Q
      target/arm: Fix 64-bit SSRA